* [PATCH AUTOSEL 4.14 02/14] gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
@ 2020-11-10 3:55 ` Sasha Levin
2020-11-10 3:55 ` [PATCH AUTOSEL 4.14 03/14] gfs2: Add missing truncate_inode_pages_final for sd_aspace Sasha Levin
` (11 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:55 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Bob Peterson, Andreas Gruenbacher, Sasha Levin, cluster-devel
From: Bob Peterson <rpeterso@redhat.com>
[ Upstream commit d0f17d3883f1e3f085d38572c2ea8edbd5150172 ]
Function gfs2_clear_rgrpd calls kfree(rgd->rd_bits) before calling
return_all_reservations, but return_all_reservations still dereferences
rgd->rd_bits in __rs_deltree. Fix that by moving the call to kfree below the
call to return_all_reservations.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/rgrp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index 7cb0672294dfc..70a344d864447 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -720,9 +720,9 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
}
gfs2_free_clones(rgd);
+ return_all_reservations(rgd);
kfree(rgd->rd_bits);
rgd->rd_bits = NULL;
- return_all_reservations(rgd);
kmem_cache_free(gfs2_rgrpd_cachep, rgd);
}
}
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 03/14] gfs2: Add missing truncate_inode_pages_final for sd_aspace
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
2020-11-10 3:55 ` [PATCH AUTOSEL 4.14 02/14] gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free Sasha Levin
@ 2020-11-10 3:55 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 04/14] gfs2: check for live vs. read-only file system in gfs2_fitrim Sasha Levin
` (10 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:55 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Bob Peterson, Andreas Gruenbacher, Sasha Levin, cluster-devel
From: Bob Peterson <rpeterso@redhat.com>
[ Upstream commit a9dd945ccef07a904e412f208f8de708a3d7159e ]
Gfs2 creates an address space for its rgrps called sd_aspace, but it never
called truncate_inode_pages_final on it. This confused vfs greatly which
tried to reference the address space after gfs2 had freed the superblock
that contained it.
This patch adds a call to truncate_inode_pages_final for sd_aspace, thus
avoiding the use-after-free.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/super.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index c3f3f1ae4e1b7..639e2c86758a4 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -924,6 +924,7 @@ static void gfs2_put_super(struct super_block *sb)
gfs2_jindex_free(sdp);
/* Take apart glock structures and buffer lists */
gfs2_gl_hash_clear(sdp);
+ truncate_inode_pages_final(&sdp->sd_aspace);
gfs2_delete_debugfs_file(sdp);
/* Unmount the locking protocol */
gfs2_lm_unmount(sdp);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 04/14] gfs2: check for live vs. read-only file system in gfs2_fitrim
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
2020-11-10 3:55 ` [PATCH AUTOSEL 4.14 02/14] gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free Sasha Levin
2020-11-10 3:55 ` [PATCH AUTOSEL 4.14 03/14] gfs2: Add missing truncate_inode_pages_final for sd_aspace Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 05/14] scsi: hpsa: Fix memory leak in hpsa_init_one() Sasha Levin
` (9 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Bob Peterson, Andreas Gruenbacher, Sasha Levin, cluster-devel
From: Bob Peterson <rpeterso@redhat.com>
[ Upstream commit c5c68724696e7d2f8db58a5fce3673208d35c485 ]
Before this patch, gfs2_fitrim was not properly checking for a "live" file
system. If the file system had something to trim and the file system
was read-only (or spectator) it would start the trim, but when it starts
the transaction, gfs2_trans_begin returns -EROFS (read-only file system)
and it errors out. However, if the file system was already trimmed so
there's no work to do, it never called gfs2_trans_begin. That code is
bypassed so it never returns the error. Instead, it returns a good
return code with 0 work. All this makes for inconsistent behavior:
The same fstrim command can return -EROFS in one case and 0 in another.
This tripped up xfstests generic/537 which reports the error as:
+fstrim with unrecovered metadata just ate your filesystem
This patch adds a check for a "live" (iow, active journal, iow, RW)
file system, and if not, returns the error properly.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/rgrp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index 70a344d864447..c4eb6a5fcea99 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -1361,6 +1361,9 @@ int gfs2_fitrim(struct file *filp, void __user *argp)
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
+ if (!test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags))
+ return -EROFS;
+
if (!blk_queue_discard(q))
return -EOPNOTSUPP;
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 05/14] scsi: hpsa: Fix memory leak in hpsa_init_one()
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (2 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 04/14] gfs2: check for live vs. read-only file system in gfs2_fitrim Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 06/14] drm/amdgpu: perform srbm soft reset always on SDMA resume Sasha Levin
` (8 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Keita Suzuki, Don Brace, Martin K . Petersen, Sasha Levin,
storagedev, linux-scsi
From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
[ Upstream commit af61bc1e33d2c0ec22612b46050f5b58ac56a962 ]
When hpsa_scsi_add_host() fails, h->lastlogicals is leaked since it is
missing a free() in the error handler.
Fix this by adding free() when hpsa_scsi_add_host() fails.
Link: https://lore.kernel.org/r/20201027073125.14229-1-keitasuzuki.park@sslab.ics.keio.ac.jp
Tested-by: Don Brace <don.brace@microchip.com>
Acked-by: Don Brace <don.brace@microchip.com>
Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hpsa.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 3b892918d8219..9ad9910cc0855 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -8549,7 +8549,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
/* hook into SCSI subsystem */
rc = hpsa_scsi_add_host(h);
if (rc)
- goto clean7; /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
+ goto clean8; /* lastlogicals, perf, sg, cmd, irq, shost, pci, lu, aer/h */
/* Monitor the controller for firmware lockups */
h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL;
@@ -8564,6 +8564,8 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
HPSA_EVENT_MONITOR_INTERVAL);
return 0;
+clean8: /* lastlogicals, perf, sg, cmd, irq, shost, pci, lu, aer/h */
+ kfree(h->lastlogicals);
clean7: /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
hpsa_free_performant_mode(h);
h->access.set_intr_mask(h, HPSA_INTR_OFF);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 06/14] drm/amdgpu: perform srbm soft reset always on SDMA resume
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (3 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 05/14] scsi: hpsa: Fix memory leak in hpsa_init_one() Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 07/14] mac80211: fix use of skb payload instead of header Sasha Levin
` (7 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Evan Quan, Sandeep Raghuraman, Alex Deucher, Sasha Levin,
amd-gfx, dri-devel
From: Evan Quan <evan.quan@amd.com>
[ Upstream commit 253475c455eb5f8da34faa1af92709e7bb414624 ]
This can address the random SDMA hang after pci config reset
seen on Hawaii.
Signed-off-by: Evan Quan <evan.quan@amd.com>
Tested-by: Sandeep Raghuraman <sandy.8925@gmail.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
index 11beef7c595f2..d35e5d8e8a058 100644
--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
+++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
@@ -1098,22 +1098,19 @@ static int cik_sdma_soft_reset(void *handle)
{
u32 srbm_soft_reset = 0;
struct amdgpu_device *adev = (struct amdgpu_device *)handle;
- u32 tmp = RREG32(mmSRBM_STATUS2);
+ u32 tmp;
- if (tmp & SRBM_STATUS2__SDMA_BUSY_MASK) {
- /* sdma0 */
- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
- tmp |= SDMA0_F32_CNTL__HALT_MASK;
- WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
- }
- if (tmp & SRBM_STATUS2__SDMA1_BUSY_MASK) {
- /* sdma1 */
- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
- tmp |= SDMA0_F32_CNTL__HALT_MASK;
- WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;
- }
+ /* sdma0 */
+ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
+ tmp |= SDMA0_F32_CNTL__HALT_MASK;
+ WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
+ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
+
+ /* sdma1 */
+ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
+ tmp |= SDMA0_F32_CNTL__HALT_MASK;
+ WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
+ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;
if (srbm_soft_reset) {
tmp = RREG32(mmSRBM_SOFT_RESET);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 07/14] mac80211: fix use of skb payload instead of header
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (4 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 06/14] drm/amdgpu: perform srbm soft reset always on SDMA resume Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 08/14] mac80211: always wind down STA state Sasha Levin
` (6 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johannes Berg, syzbot+32fd1a1bfe355e93f1e2, Sasha Levin,
linux-wireless, netdev
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf ]
When ieee80211_skb_resize() is called from ieee80211_build_hdr()
the skb has no 802.11 header yet, in fact it consist only of the
payload as the ethernet frame is removed. As such, we're using
the payload data for ieee80211_is_mgmt(), which is of course
completely wrong. This didn't really hurt us because these are
always data frames, so we could only have added more tailroom
than we needed if we determined it was a management frame and
sdata->crypto_tx_tailroom_needed_cnt was false.
However, syzbot found that of course there need not be any payload,
so we're using at best uninitialized memory for the check.
Fix this to pass explicitly the kind of frame that we have instead
of checking there, by replacing the "bool may_encrypt" argument
with an argument that can carry the three possible states - it's
not going to be encrypted, it's a management frame, or it's a data
frame (and then we check sdata->crypto_tx_tailroom_needed_cnt).
Reported-by: syzbot+32fd1a1bfe355e93f1e2@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20201009132538.e1fd7f802947.I799b288466ea2815f9d4c84349fae697dca2f189@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 1b1f2d6cb3f4b..0ab710576673f 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1851,19 +1851,24 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
/* device xmit handlers */
+enum ieee80211_encrypt {
+ ENCRYPT_NO,
+ ENCRYPT_MGMT,
+ ENCRYPT_DATA,
+};
+
static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
struct sk_buff *skb,
- int head_need, bool may_encrypt)
+ int head_need,
+ enum ieee80211_encrypt encrypt)
{
struct ieee80211_local *local = sdata->local;
- struct ieee80211_hdr *hdr;
bool enc_tailroom;
int tail_need = 0;
- hdr = (struct ieee80211_hdr *) skb->data;
- enc_tailroom = may_encrypt &&
- (sdata->crypto_tx_tailroom_needed_cnt ||
- ieee80211_is_mgmt(hdr->frame_control));
+ enc_tailroom = encrypt == ENCRYPT_MGMT ||
+ (encrypt == ENCRYPT_DATA &&
+ sdata->crypto_tx_tailroom_needed_cnt);
if (enc_tailroom) {
tail_need = IEEE80211_ENCRYPT_TAILROOM;
@@ -1896,21 +1901,27 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata,
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
int headroom;
- bool may_encrypt;
+ enum ieee80211_encrypt encrypt;
- may_encrypt = !(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT);
+ if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)
+ encrypt = ENCRYPT_NO;
+ else if (ieee80211_is_mgmt(hdr->frame_control))
+ encrypt = ENCRYPT_MGMT;
+ else
+ encrypt = ENCRYPT_DATA;
headroom = local->tx_headroom;
- if (may_encrypt)
+ if (encrypt != ENCRYPT_NO)
headroom += sdata->encrypt_headroom;
headroom -= skb_headroom(skb);
headroom = max_t(int, 0, headroom);
- if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
+ if (ieee80211_skb_resize(sdata, skb, headroom, encrypt)) {
ieee80211_free_txskb(&local->hw, skb);
return;
}
+ /* reload after potential resize */
hdr = (struct ieee80211_hdr *) skb->data;
info->control.vif = &sdata->vif;
@@ -2692,7 +2703,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
head_need += sdata->encrypt_headroom;
head_need += local->tx_headroom;
head_need = max_t(int, 0, head_need);
- if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
+ if (ieee80211_skb_resize(sdata, skb, head_need, ENCRYPT_DATA)) {
ieee80211_free_txskb(&local->hw, skb);
skb = NULL;
return ERR_PTR(-ENOMEM);
@@ -3352,7 +3363,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
if (unlikely(ieee80211_skb_resize(sdata, skb,
max_t(int, extra_head + hw_headroom -
skb_headroom(skb), 0),
- false))) {
+ ENCRYPT_NO))) {
kfree_skb(skb);
return true;
}
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 08/14] mac80211: always wind down STA state
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (5 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 07/14] mac80211: fix use of skb payload instead of header Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 09/14] cfg80211: regulatory: Fix inconsistent format argument Sasha Levin
` (5 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johannes Berg, syzbot+2e293dbd67de2836ba42, Sasha Levin,
linux-wireless, netdev
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit dcd479e10a0510522a5d88b29b8f79ea3467d501 ]
When (for example) an IBSS station is pre-moved to AUTHORIZED
before it's inserted, and then the insertion fails, we don't
clean up the fast RX/TX states that might already have been
created, since we don't go through all the state transitions
again on the way down.
Do that, if it hasn't been done already, when the station is
freed. I considered only freeing the fast TX/RX state there,
but we might add more state so it's more robust to wind down
the state properly.
Note that we warn if the station was ever inserted, it should
have been properly cleaned up in that case, and the driver
will probably not like things happening out of order.
Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/sta_info.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 2a18687019003..b74551323f5fb 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -244,6 +244,24 @@ struct sta_info *sta_info_get_by_idx(struct ieee80211_sub_if_data *sdata,
*/
void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
{
+ /*
+ * If we had used sta_info_pre_move_state() then we might not
+ * have gone through the state transitions down again, so do
+ * it here now (and warn if it's inserted).
+ *
+ * This will clear state such as fast TX/RX that may have been
+ * allocated during state transitions.
+ */
+ while (sta->sta_state > IEEE80211_STA_NONE) {
+ int ret;
+
+ WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED));
+
+ ret = sta_info_move_state(sta, sta->sta_state - 1);
+ if (WARN_ONCE(ret, "sta_info_move_state() returned %d\n", ret))
+ break;
+ }
+
if (sta->rate_ctrl)
rate_control_free_sta(sta);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 09/14] cfg80211: regulatory: Fix inconsistent format argument
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (6 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 08/14] mac80211: always wind down STA state Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 10/14] scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() Sasha Levin
` (4 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Ye Bin, Hulk Robot, Johannes Berg, Sasha Levin, linux-wireless, netdev
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit db18d20d1cb0fde16d518fb5ccd38679f174bc04 ]
Fix follow warning:
[net/wireless/reg.c:3619]: (warning) %d in format string (no. 2)
requires 'int' but the argument type is 'unsigned int'.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20201009070215.63695-1-yebin10@huawei.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/reg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 9eb9d34cef7b1..db8cc505caf76 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2846,7 +2846,7 @@ static void print_rd_rules(const struct ieee80211_regdomain *rd)
power_rule = ®_rule->power_rule;
if (reg_rule->flags & NL80211_RRF_AUTO_BW)
- snprintf(bw, sizeof(bw), "%d KHz, %d KHz AUTO",
+ snprintf(bw, sizeof(bw), "%d KHz, %u KHz AUTO",
freq_range->max_bandwidth_khz,
reg_get_max_bandwidth(rd, reg_rule));
else
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 10/14] scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (7 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 09/14] cfg80211: regulatory: Fix inconsistent format argument Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 11/14] iommu/amd: Increase interrupt remapping table limit to 512 entries Sasha Levin
` (3 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Hannes Reinecke, Brian Bunker, Jitendra Khasdev,
Martin K . Petersen, Sasha Levin, linux-scsi
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit 5faf50e9e9fdc2117c61ff7e20da49cd6a29e0ca ]
alua_bus_detach() might be running concurrently with alua_rtpg_work(), so
we might trip over h->sdev == NULL and call BUG_ON(). The correct way of
handling it is to not set h->sdev to NULL in alua_bus_detach(), and call
rcu_synchronize() before the final delete to ensure that all concurrent
threads have left the critical section. Then we can get rid of the
BUG_ON() and replace it with a simple if condition.
Link: https://lore.kernel.org/r/1600167537-12509-1-git-send-email-jitendra.khasdev@oracle.com
Link: https://lore.kernel.org/r/20200924104559.26753-1-hare@suse.de
Cc: Brian Bunker <brian@purestorage.com>
Acked-by: Brian Bunker <brian@purestorage.com>
Tested-by: Jitendra Khasdev <jitendra.khasdev@oracle.com>
Reviewed-by: Jitendra Khasdev <jitendra.khasdev@oracle.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/device_handler/scsi_dh_alua.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
index 135376ee2cbf0..ba68454109bae 100644
--- a/drivers/scsi/device_handler/scsi_dh_alua.c
+++ b/drivers/scsi/device_handler/scsi_dh_alua.c
@@ -653,8 +653,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
rcu_read_lock();
list_for_each_entry_rcu(h,
&tmp_pg->dh_list, node) {
- /* h->sdev should always be valid */
- BUG_ON(!h->sdev);
+ if (!h->sdev)
+ continue;
h->sdev->access_state = desc[0];
}
rcu_read_unlock();
@@ -700,7 +700,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
pg->expiry = 0;
rcu_read_lock();
list_for_each_entry_rcu(h, &pg->dh_list, node) {
- BUG_ON(!h->sdev);
+ if (!h->sdev)
+ continue;
h->sdev->access_state =
(pg->state & SCSI_ACCESS_STATE_MASK);
if (pg->pref)
@@ -1138,7 +1139,6 @@ static void alua_bus_detach(struct scsi_device *sdev)
spin_lock(&h->pg_lock);
pg = rcu_dereference_protected(h->pg, lockdep_is_held(&h->pg_lock));
rcu_assign_pointer(h->pg, NULL);
- h->sdev = NULL;
spin_unlock(&h->pg_lock);
if (pg) {
spin_lock_irq(&pg->lock);
@@ -1147,6 +1147,7 @@ static void alua_bus_detach(struct scsi_device *sdev)
kref_put(&pg->kref, release_port_group);
}
sdev->handler_data = NULL;
+ synchronize_rcu();
kfree(h);
}
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 11/14] iommu/amd: Increase interrupt remapping table limit to 512 entries
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (8 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 10/14] scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 12/14] net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition Sasha Levin
` (2 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Suravee Suthikulpanit, Joerg Roedel, Sasha Levin, iommu
From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
[ Upstream commit 73db2fc595f358460ce32bcaa3be1f0cce4a2db1 ]
Certain device drivers allocate IO queues on a per-cpu basis.
On AMD EPYC platform, which can support up-to 256 cpu threads,
this can exceed the current MAX_IRQ_PER_TABLE limit of 256,
and result in the error message:
AMD-Vi: Failed to allocate IRTE
This has been observed with certain NVME devices.
AMD IOMMU hardware can actually support upto 512 interrupt
remapping table entries. Therefore, update the driver to
match the hardware limit.
Please note that this also increases the size of interrupt remapping
table to 8KB per device when using the 128-bit IRTE format.
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Link: https://lore.kernel.org/r/20201015025002.87997-1-suravee.suthikulpanit@amd.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd_iommu_types.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
index 74c8638aac2b9..ac3cac052af9d 100644
--- a/drivers/iommu/amd_iommu_types.h
+++ b/drivers/iommu/amd_iommu_types.h
@@ -404,7 +404,11 @@ extern bool amd_iommu_np_cache;
/* Only true if all IOMMUs support device IOTLBs */
extern bool amd_iommu_iotlb_sup;
-#define MAX_IRQS_PER_TABLE 256
+/*
+ * AMD IOMMU hardware only support 512 IRTEs despite
+ * the architectural limitation of 2048 entries.
+ */
+#define MAX_IRQS_PER_TABLE 512
#define IRQ_TABLE_ALIGNMENT 128
struct irq_remap_table {
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 12/14] net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (9 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 11/14] iommu/amd: Increase interrupt remapping table limit to 512 entries Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 13/14] kprobes: Tell lockdep about kprobe nesting Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 14/14] vt: Disable KD_FONT_OP_COPY Sasha Levin
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Daniele Palmas, Bjørn Mork, Jakub Kicinski, Sasha Levin,
netdev, linux-usb
From: Daniele Palmas <dnlplm@gmail.com>
[ Upstream commit 5fd8477ed8ca77e64b93d44a6dae4aa70c191396 ]
Add support for Telit LE910Cx 0x1230 composition:
0x1230: tty, adb, rmnet, audio, tty, tty, tty, tty
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Link: https://lore.kernel.org/r/20201102110108.17244-1-dnlplm@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 2f79a5f1552d4..0e8177f0cc883 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1257,6 +1257,7 @@ static const struct usb_device_id products[] = {
{QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
{QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1230, 2)}, /* Telit LE910Cx */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 13/14] kprobes: Tell lockdep about kprobe nesting
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (10 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 12/14] net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 14/14] vt: Disable KD_FONT_OP_COPY Sasha Levin
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Steven Rostedt (VMware), Peter Zijlstra, Masami Hiramatsu, Sasha Levin
From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
[ Upstream commit 645f224e7ba2f4200bf163153d384ceb0de5462e ]
Since the kprobe handlers have protection that prohibits other handlers from
executing in other contexts (like if an NMI comes in while processing a
kprobe, and executes the same kprobe, it will get fail with a "busy"
return). Lockdep is unaware of this protection. Use lockdep's nesting api to
differentiate between locks taken in INT3 context and other context to
suppress the false warnings.
Link: https://lore.kernel.org/r/20201102160234.fa0ae70915ad9e2b21c08b85@kernel.org
Cc: Peter Zijlstra <peterz@infradead.org>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/kprobes.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index fdf6656cce292..2eb3ea6d0f2ce 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1184,7 +1184,13 @@ __acquires(hlist_lock)
*head = &kretprobe_inst_table[hash];
hlist_lock = kretprobe_table_lock_ptr(hash);
- raw_spin_lock_irqsave(hlist_lock, *flags);
+ /*
+ * Nested is a workaround that will soon not be needed.
+ * There's other protections that make sure the same lock
+ * is not taken on the same CPU that lockdep is unaware of.
+ * Differentiate when it is taken in NMI context.
+ */
+ raw_spin_lock_irqsave_nested(hlist_lock, *flags, !!in_nmi());
}
NOKPROBE_SYMBOL(kretprobe_hash_lock);
@@ -1193,7 +1199,13 @@ static void kretprobe_table_lock(unsigned long hash,
__acquires(hlist_lock)
{
raw_spinlock_t *hlist_lock = kretprobe_table_lock_ptr(hash);
- raw_spin_lock_irqsave(hlist_lock, *flags);
+ /*
+ * Nested is a workaround that will soon not be needed.
+ * There's other protections that make sure the same lock
+ * is not taken on the same CPU that lockdep is unaware of.
+ * Differentiate when it is taken in NMI context.
+ */
+ raw_spin_lock_irqsave_nested(hlist_lock, *flags, !!in_nmi());
}
NOKPROBE_SYMBOL(kretprobe_table_lock);
@@ -1928,7 +1940,12 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs)
/* TODO: consider to only swap the RA after the last pre_handler fired */
hash = hash_ptr(current, KPROBE_HASH_BITS);
- raw_spin_lock_irqsave(&rp->lock, flags);
+ /*
+ * Nested is a workaround that will soon not be needed.
+ * There's other protections that make sure the same lock
+ * is not taken on the same CPU that lockdep is unaware of.
+ */
+ raw_spin_lock_irqsave_nested(&rp->lock, flags, 1);
if (!hlist_empty(&rp->free_instances)) {
ri = hlist_entry(rp->free_instances.first,
struct kretprobe_instance, hlist);
@@ -1939,7 +1956,7 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs)
ri->task = current;
if (rp->entry_handler && rp->entry_handler(ri, regs)) {
- raw_spin_lock_irqsave(&rp->lock, flags);
+ raw_spin_lock_irqsave_nested(&rp->lock, flags, 1);
hlist_add_head(&ri->hlist, &rp->free_instances);
raw_spin_unlock_irqrestore(&rp->lock, flags);
return 0;
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.14 14/14] vt: Disable KD_FONT_OP_COPY
2020-11-10 3:55 [PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe Sasha Levin
` (11 preceding siblings ...)
2020-11-10 3:56 ` [PATCH AUTOSEL 4.14 13/14] kprobes: Tell lockdep about kprobe nesting Sasha Levin
@ 2020-11-10 3:56 ` Sasha Levin
12 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-11-10 3:56 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Daniel Vetter, Peilin Ye, Minh Yuan, Greg KH, Tetsuo Handa,
Daniel Vetter, Greg Kroah-Hartman, Sasha Levin
From: Daniel Vetter <daniel.vetter@ffwll.ch>
[ Upstream commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 ]
It's buggy:
On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
> We recently discovered a slab-out-of-bounds read in fbcon in the latest
> kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that
> "fbcon_do_set_font" did not handle "vc->vc_font.data" and
> "vc->vc_font.height" correctly, and the patch
> <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this
> issue.
>
> Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
> use KD_FONT_OP_SET again to set a large font.height for tty1. After that,
> we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
> in "fbcon_do_set_font", while tty1 retains the original larger
> height. Obviously, this will cause an out-of-bounds read, because we can
> access a smaller vc_font.data with a larger vc_font.height.
Further there was only one user ever.
- Android's loadfont, busybox and console-tools only ever use OP_GET
and OP_SET
- fbset documentation only mentions the kernel cmdline font: option,
not anything else.
- systemd used OP_COPY before release 232 published in Nov 2016
Now unfortunately the crucial report seems to have gone down with
gmane, and the commit message doesn't say much. But the pull request
hints at OP_COPY being broken
https://github.com/systemd/systemd/pull/3651
So in other words, this never worked, and the only project which
foolishly every tried to use it, realized that rather quickly too.
Instead of trying to fix security issues here on dead code by adding
missing checks, fix the entire thing by removing the functionality.
Note that systemd code using the OP_COPY function ignored the return
value, so it doesn't matter what we're doing here really - just in
case a lone server somewhere happens to be extremely unlucky and
running an affected old version of systemd. The relevant code from
font_copy_to_all_vcs() in systemd was:
/* copy font from active VT, where the font was uploaded to */
cfo.op = KD_FONT_OP_COPY;
cfo.height = vcs.v_active-1; /* tty1 == index 0 */
(void) ioctl(vcfd, KDFONTOP, &cfo);
Note this just disables the ioctl, garbage collecting the now unused
callbacks is left for -next.
v2: Tetsuo found the old mail, which allowed me to find it on another
archive. Add the link too.
Acked-by: Peilin Ye <yepeilin.cs@gmail.com>
Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
References: https://github.com/systemd/systemd/pull/3651
Cc: Greg KH <greg@kroah.com>
Cc: Peilin Ye <yepeilin.cs@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/vt/vt.c | 24 ++----------------------
1 file changed, 2 insertions(+), 22 deletions(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 781d95113742f..2fb8180cc844b 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4227,27 +4227,6 @@ static int con_font_default(struct vc_data *vc, struct console_font_op *op)
return rc;
}
-static int con_font_copy(struct vc_data *vc, struct console_font_op *op)
-{
- int con = op->height;
- int rc;
-
-
- console_lock();
- if (vc->vc_mode != KD_TEXT)
- rc = -EINVAL;
- else if (!vc->vc_sw->con_font_copy)
- rc = -ENOSYS;
- else if (con < 0 || !vc_cons_allocated(con))
- rc = -ENOTTY;
- else if (con == vc->vc_num) /* nothing to do */
- rc = 0;
- else
- rc = vc->vc_sw->con_font_copy(vc, con);
- console_unlock();
- return rc;
-}
-
int con_font_op(struct vc_data *vc, struct console_font_op *op)
{
switch (op->op) {
@@ -4258,7 +4237,8 @@ int con_font_op(struct vc_data *vc, struct console_font_op *op)
case KD_FONT_OP_SET_DEFAULT:
return con_font_default(vc, op);
case KD_FONT_OP_COPY:
- return con_font_copy(vc, op);
+ /* was buggy and never really used */
+ return -EINVAL;
}
return -ENOSYS;
}
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread