Stable Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 4.19 00/57] 4.19.72-stable review
@ 2019-09-08 12:41 Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 01/57] mld: fix memory leak in mld_del_delrec() Greg Kroah-Hartman
                   ` (60 more replies)
  0 siblings, 61 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.19.72 release.
There are 57 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue 10 Sep 2019 12:09:36 PM UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.72-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.19.72-rc1

Linus Torvalds <torvalds@linux-foundation.org>
    Revert "x86/apic: Include the LDR when clearing out APIC registers"

Luis Henriques <lhenriques@suse.com>
    libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer

Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    x86/boot/compressed/64: Fix missing initialization in find_trampoline_placement()

Andre Przywara <andre.przywara@arm.com>
    KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity

David Howells <dhowells@redhat.com>
    afs: Fix leak in afs_lookup_cell_rcu()

Andrew Jones <drjones@redhat.com>
    KVM: arm/arm64: Only skip MMIO insn once

Luis Henriques <lhenriques@suse.com>
    ceph: fix buffer free while holding i_ceph_lock in fill_inode()

Luis Henriques <lhenriques@suse.com>
    ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()

Luis Henriques <lhenriques@suse.com>
    ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()

Vitaly Kuznetsov <vkuznets@redhat.com>
    selftests/kvm: make platform_info_test pass on AMD

Paolo Bonzini <pbonzini@redhat.com>
    selftests: kvm: fix state save/load on processors without XSAVE

Wenwen Wang <wenwen@cs.uga.edu>
    infiniband: hfi1: fix memory leaks

Wenwen Wang <wenwen@cs.uga.edu>
    infiniband: hfi1: fix a memory leak bug

Wenwen Wang <wenwen@cs.uga.edu>
    IB/mlx4: Fix memory leaks

Anton Eidelman <anton@lightbitslabs.com>
    nvme-multipath: fix possible I/O hang when paths are updated

Vitaly Kuznetsov <vkuznets@redhat.com>
    Tools: hv: kvp: eliminate 'may be used uninitialized' warning

Dexuan Cui <decui@microsoft.com>
    Input: hyperv-keyboard: Use in-place iterator API in the channel callback

Kirill A. Shutemov <kirill@shutemov.name>
    x86/boot/compressed/64: Fix boot on machines with broken E820 table

Benjamin Tissoires <benjamin.tissoires@redhat.com>
    HID: cp2112: prevent sleeping function called from invalid context

Andrea Righi <andrea.righi@canonical.com>
    kprobes: Fix potential deadlock in kprobe_optimizer()

Tho Vu <tho.vu.wh@rvc.renesas.com>
    ravb: Fix use-after-free ravb_tstamp_skb

Wenwen Wang <wenwen@cs.uga.edu>
    wimax/i2400m: fix a memory leak bug

Stephen Hemminger <stephen@networkplumber.org>
    net: cavium: fix driver name

Thomas Falcon <tlfalcon@linux.ibm.com>
    ibmvnic: Unmap DMA address of TX descriptor buffers after use

Wenwen Wang <wenwen@cs.uga.edu>
    net: kalmia: fix memory leaks

Wenwen Wang <wenwen@cs.uga.edu>
    cx82310_eth: fix a memory leak bug

Darrick J. Wong <darrick.wong@oracle.com>
    vfs: fix page locking deadlocks when deduping files

Wenwen Wang <wenwen@cs.uga.edu>
    lan78xx: Fix memory leaks

Wenwen Wang <wenwen@cs.uga.edu>
    net: myri10ge: fix memory leaks

Wenwen Wang <wenwen@cs.uga.edu>
    liquidio: add cleanup in octeon_setup_iq()

Wenwen Wang <wenwen@cs.uga.edu>
    cxgb4: fix a memory leak bug

Dmitry Fomichev <dmitry.fomichev@wdc.com>
    scsi: target: tcmu: avoid use-after-free after command timeout

Bill Kuzeja <William.Kuzeja@stratus.com>
    scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure

Alexandre Courbot <acourbot@chromium.org>
    drm/mediatek: set DMA max segment size

Alexandre Courbot <acourbot@chromium.org>
    drm/mediatek: use correct device to import PRIME buffers

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_flow_offload: skip tcp rst and fin packets

YueHaibing <yuehaibing@huawei.com>
    gpio: Fix build error of function redefinition

Thomas Falcon <tlfalcon@linux.ibm.com>
    ibmveth: Convert multicast list size for little-endian system

Fabian Henneke <fabian.henneke@gmail.com>
    Bluetooth: hidp: Let hidp_send_message return number of queued bytes

Matthias Kaehlcke <mka@chromium.org>
    Bluetooth: btqca: Add a short delay before downloading the NVM

Nathan Chancellor <natechancellor@gmail.com>
    net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx

Dexuan Cui <decui@microsoft.com>
    hv_netvsc: Fix a warning of suspicious RCU usage

Jakub Kicinski <jakub.kicinski@netronome.com>
    tools: bpftool: fix error message (prog -> object)

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: use-after-free in failing rule with bound set

Fuqian Huang <huangfq.daxian@gmail.com>
    net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context

Martin Sperl <kernel@martin.sperl.org>
    spi: bcm2835aux: fix corruptions for longer spi transfers

Martin Sperl <kernel@martin.sperl.org>
    spi: bcm2835aux: remove dangerous uncontrolled read of fifo

Martin Sperl <kernel@martin.sperl.org>
    spi: bcm2835aux: unifying code between polling and interrupt driven code

John S. Gruber <JohnSGruber@gmail.com>
    x86/boot: Preserve boot_params.secure_boot from sanitizing

Ka-Cheong Poon <ka-cheong.poon@oracle.com>
    net/rds: Fix info leak in rds6_inc_info_copy()

Eric Dumazet <edumazet@google.com>
    tcp: remove empty skb from write queue in error cases

Willem de Bruijn <willemb@google.com>
    tcp: inherit timestamp on mtu probe

Chen-Yu Tsai <wens@csie.org>
    net: stmmac: dwmac-rk: Don't fail if phy regulator is absent

Cong Wang <xiyou.wangcong@gmail.com>
    net_sched: fix a NULL pointer deref in ipt action

Vlad Buslov <vladbu@mellanox.com>
    net: sched: act_sample: fix psample group handling on overwrite

Feng Sun <loyou85@gmail.com>
    net: fix skb use after free in netpoll

Eric Dumazet <edumazet@google.com>
    mld: fix memory leak in mld_del_delrec()


-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/x86/boot/compressed/pgtable_64.c              | 13 +++--
 arch/x86/include/asm/bootparam_utils.h             |  1 +
 arch/x86/kernel/apic/apic.c                        |  4 --
 drivers/bluetooth/btqca.c                          |  3 ++
 drivers/gpu/drm/mediatek/mtk_drm_drv.c             | 49 +++++++++++++++--
 drivers/gpu/drm/mediatek/mtk_drm_drv.h             |  2 +
 drivers/hid/hid-cp2112.c                           |  8 ++-
 drivers/infiniband/hw/hfi1/fault.c                 | 12 +++--
 drivers/infiniband/hw/mlx4/mad.c                   |  4 +-
 drivers/input/serio/hyperv-keyboard.c              | 35 +++---------
 drivers/net/ethernet/cavium/common/cavium_ptp.c    |  2 +-
 .../net/ethernet/cavium/liquidio/request_manager.c |  4 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c |  4 +-
 drivers/net/ethernet/ibm/ibmveth.c                 |  9 ++--
 drivers/net/ethernet/ibm/ibmvnic.c                 | 11 +---
 drivers/net/ethernet/myricom/myri10ge/myri10ge.c   |  2 +-
 drivers/net/ethernet/renesas/ravb_main.c           |  8 ++-
 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c     |  6 +--
 drivers/net/ethernet/toshiba/tc35815.c             |  2 +-
 drivers/net/ethernet/tundra/tsi108_eth.c           |  5 +-
 drivers/net/hyperv/netvsc_drv.c                    |  9 +++-
 drivers/net/usb/cx82310_eth.c                      |  3 +-
 drivers/net/usb/kalmia.c                           |  6 +--
 drivers/net/usb/lan78xx.c                          |  8 +--
 drivers/net/wimax/i2400m/fw.c                      |  4 +-
 drivers/nvme/host/multipath.c                      |  1 +
 drivers/scsi/qla2xxx/qla_attr.c                    |  2 +
 drivers/scsi/qla2xxx/qla_os.c                      | 11 +++-
 drivers/spi/spi-bcm2835aux.c                       | 62 +++++++---------------
 drivers/target/target_core_user.c                  |  9 +++-
 fs/afs/cell.c                                      |  4 ++
 fs/ceph/caps.c                                     |  5 +-
 fs/ceph/inode.c                                    |  7 +--
 fs/ceph/snap.c                                     |  4 +-
 fs/ceph/super.h                                    |  2 +-
 fs/ceph/xattr.c                                    | 19 +++++--
 fs/read_write.c                                    | 49 ++++++++++++++---
 include/linux/ceph/buffer.h                        |  3 +-
 include/linux/gpio.h                               | 24 ---------
 include/net/act_api.h                              |  4 +-
 include/net/netfilter/nf_tables.h                  |  9 +++-
 include/net/psample.h                              |  1 +
 kernel/kprobes.c                                   |  8 +--
 net/bluetooth/hidp/core.c                          |  9 +++-
 net/core/netpoll.c                                 |  6 +--
 net/ipv4/tcp.c                                     | 29 ++++++----
 net/ipv4/tcp_output.c                              |  3 +-
 net/ipv6/mcast.c                                   |  5 +-
 net/netfilter/nf_tables_api.c                      | 15 ++++--
 net/netfilter/nft_flow_offload.c                   |  9 ++--
 net/psample/psample.c                              |  2 +-
 net/rds/recv.c                                     |  5 +-
 net/sched/act_bpf.c                                |  2 +-
 net/sched/act_connmark.c                           |  2 +-
 net/sched/act_csum.c                               |  2 +-
 net/sched/act_gact.c                               |  2 +-
 net/sched/act_ife.c                                |  2 +-
 net/sched/act_ipt.c                                | 11 ++--
 net/sched/act_mirred.c                             |  2 +-
 net/sched/act_nat.c                                |  2 +-
 net/sched/act_pedit.c                              |  2 +-
 net/sched/act_police.c                             |  2 +-
 net/sched/act_sample.c                             |  7 ++-
 net/sched/act_simple.c                             |  2 +-
 net/sched/act_skbedit.c                            |  2 +-
 net/sched/act_skbmod.c                             |  2 +-
 net/sched/act_tunnel_key.c                         |  2 +-
 net/sched/act_vlan.c                               |  2 +-
 tools/bpf/bpftool/common.c                         |  2 +-
 tools/hv/hv_kvp_daemon.c                           |  2 +-
 tools/testing/selftests/kvm/lib/x86.c              | 16 +++---
 tools/testing/selftests/kvm/platform_info_test.c   |  2 +-
 virt/kvm/arm/mmio.c                                |  7 +++
 virt/kvm/arm/vgic/vgic-init.c                      | 30 +++++++----
 75 files changed, 382 insertions(+), 248 deletions(-)



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 01/57] mld: fix memory leak in mld_del_delrec()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 02/57] net: fix skb use after free in netpoll Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit a84d016479896b5526a2cc54784e6ffc41c9d6f6 ]

Similar to the fix done for IPv4 in commit e5b1c6c6277d
("igmp: fix memory leak in igmpv3_del_delrec()"), we need to
make sure mca_tomb and mca_sources are not blindly overwritten.

Using swap() then a call to ip6_mc_clear_src() will take care
of the missing free.

BUG: memory leak
unreferenced object 0xffff888117d9db00 (size 64):
  comm "syz-executor247", pid 6918, jiffies 4294943989 (age 25.350s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 fe 88 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000005b463030>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000005b463030>] slab_post_alloc_hook mm/slab.h:522 [inline]
    [<000000005b463030>] slab_alloc mm/slab.c:3319 [inline]
    [<000000005b463030>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
    [<00000000939cbf94>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000939cbf94>] kzalloc include/linux/slab.h:748 [inline]
    [<00000000939cbf94>] ip6_mc_add1_src net/ipv6/mcast.c:2236 [inline]
    [<00000000939cbf94>] ip6_mc_add_src+0x31f/0x420 net/ipv6/mcast.c:2356
    [<00000000d8972221>] ip6_mc_source+0x4a8/0x600 net/ipv6/mcast.c:449
    [<000000002b203d0d>] do_ipv6_setsockopt.isra.0+0x1b92/0x1dd0 net/ipv6/ipv6_sockglue.c:748
    [<000000001f1e2d54>] ipv6_setsockopt+0x89/0xd0 net/ipv6/ipv6_sockglue.c:944
    [<00000000c8f7bdf9>] udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1558
    [<000000005a9a0c5e>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3139
    [<00000000910b37b2>] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
    [<00000000e9108023>] __do_sys_setsockopt net/socket.c:2100 [inline]
    [<00000000e9108023>] __se_sys_setsockopt net/socket.c:2097 [inline]
    [<00000000e9108023>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2097
    [<00000000f4818160>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
    [<000000008d367e8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/mcast.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -791,14 +791,15 @@ static void mld_del_delrec(struct inet6_
 	if (pmc) {
 		im->idev = pmc->idev;
 		if (im->mca_sfmode == MCAST_INCLUDE) {
-			im->mca_tomb = pmc->mca_tomb;
-			im->mca_sources = pmc->mca_sources;
+			swap(im->mca_tomb, pmc->mca_tomb);
+			swap(im->mca_sources, pmc->mca_sources);
 			for (psf = im->mca_sources; psf; psf = psf->sf_next)
 				psf->sf_crcount = idev->mc_qrv;
 		} else {
 			im->mca_crcount = idev->mc_qrv;
 		}
 		in6_dev_put(pmc->idev);
+		ip6_mc_clear_src(pmc);
 		kfree(pmc);
 	}
 	spin_unlock_bh(&im->mca_lock);



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 02/57] net: fix skb use after free in netpoll
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 01/57] mld: fix memory leak in mld_del_delrec() Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 03/57] net: sched: act_sample: fix psample group handling on overwrite Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Feng Sun, Xiaojun Zhao, David S. Miller

From: Feng Sun <loyou85@gmail.com>

[ Upstream commit 2c1644cf6d46a8267d79ed95cb9b563839346562 ]

After commit baeababb5b85d5c4e6c917efe2a1504179438d3b
("tun: return NET_XMIT_DROP for dropped packets"),
when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP,
netpoll_send_skb_on_dev will run into following use after free cases:
1. retry netpoll_start_xmit with freed skb;
2. queue freed skb in npinfo->txq.
queue_process will also run into use after free case.

hit netpoll_send_skb_on_dev first case with following kernel log:

[  117.864773] kernel BUG at mm/slub.c:306!
[  117.864773] invalid opcode: 0000 [#1] SMP PTI
[  117.864774] CPU: 3 PID: 2627 Comm: loop_printmsg Kdump: loaded Tainted: P           OE     5.3.0-050300rc5-generic #201908182231
[  117.864775] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  117.864775] RIP: 0010:kmem_cache_free+0x28d/0x2b0
[  117.864781] Call Trace:
[  117.864781]  ? tun_net_xmit+0x21c/0x460
[  117.864781]  kfree_skbmem+0x4e/0x60
[  117.864782]  kfree_skb+0x3a/0xa0
[  117.864782]  tun_net_xmit+0x21c/0x460
[  117.864782]  netpoll_start_xmit+0x11d/0x1b0
[  117.864788]  netpoll_send_skb_on_dev+0x1b8/0x200
[  117.864789]  __br_forward+0x1b9/0x1e0 [bridge]
[  117.864789]  ? skb_clone+0x53/0xd0
[  117.864790]  ? __skb_clone+0x2e/0x120
[  117.864790]  deliver_clone+0x37/0x50 [bridge]
[  117.864790]  maybe_deliver+0x89/0xc0 [bridge]
[  117.864791]  br_flood+0x6c/0x130 [bridge]
[  117.864791]  br_dev_xmit+0x315/0x3c0 [bridge]
[  117.864792]  netpoll_start_xmit+0x11d/0x1b0
[  117.864792]  netpoll_send_skb_on_dev+0x1b8/0x200
[  117.864792]  netpoll_send_udp+0x2c6/0x3e8
[  117.864793]  write_msg+0xd9/0xf0 [netconsole]
[  117.864793]  console_unlock+0x386/0x4e0
[  117.864793]  vprintk_emit+0x17e/0x280
[  117.864794]  vprintk_default+0x29/0x50
[  117.864794]  vprintk_func+0x4c/0xbc
[  117.864794]  printk+0x58/0x6f
[  117.864795]  loop_fun+0x24/0x41 [printmsg_loop]
[  117.864795]  kthread+0x104/0x140
[  117.864795]  ? 0xffffffffc05b1000
[  117.864796]  ? kthread_park+0x80/0x80
[  117.864796]  ret_from_fork+0x35/0x40

Signed-off-by: Feng Sun <loyou85@gmail.com>
Signed-off-by: Xiaojun Zhao <xiaojunzhao141@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/netpoll.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -122,7 +122,7 @@ static void queue_process(struct work_st
 		txq = netdev_get_tx_queue(dev, q_index);
 		HARD_TX_LOCK(dev, txq, smp_processor_id());
 		if (netif_xmit_frozen_or_stopped(txq) ||
-		    netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) {
+		    !dev_xmit_complete(netpoll_start_xmit(skb, dev, txq))) {
 			skb_queue_head(&npinfo->txq, skb);
 			HARD_TX_UNLOCK(dev, txq);
 			local_irq_restore(flags);
@@ -335,7 +335,7 @@ void netpoll_send_skb_on_dev(struct netp
 
 				HARD_TX_UNLOCK(dev, txq);
 
-				if (status == NETDEV_TX_OK)
+				if (dev_xmit_complete(status))
 					break;
 
 			}
@@ -352,7 +352,7 @@ void netpoll_send_skb_on_dev(struct netp
 
 	}
 
-	if (status != NETDEV_TX_OK) {
+	if (!dev_xmit_complete(status)) {
 		skb_queue_tail(&npinfo->txq, skb);
 		schedule_delayed_work(&npinfo->tx_work,0);
 	}



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 03/57] net: sched: act_sample: fix psample group handling on overwrite
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 01/57] mld: fix memory leak in mld_del_delrec() Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 02/57] net: fix skb use after free in netpoll Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 04/57] net_sched: fix a NULL pointer deref in ipt action Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vlad Buslov, David S. Miller

From: Vlad Buslov <vladbu@mellanox.com>

[ Upstream commit dbf47a2a094edf58983265e323ca4bdcdb58b5ee ]

Action sample doesn't properly handle psample_group pointer in overwrite
case. Following issues need to be fixed:

- In tcf_sample_init() function RCU_INIT_POINTER() is used to set
  s->psample_group, even though we neither setting the pointer to NULL, nor
  preventing concurrent readers from accessing the pointer in some way.
  Use rcu_swap_protected() instead to safely reset the pointer.

- Old value of s->psample_group is not released or deallocated in any way,
  which results resource leak. Use psample_group_put() on non-NULL value
  obtained with rcu_swap_protected().

- The function psample_group_put() that released reference to struct
  psample_group pointed by rcu-pointer s->psample_group doesn't respect rcu
  grace period when deallocating it. Extend struct psample_group with rcu
  head and use kfree_rcu when freeing it.

Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/psample.h  |    1 +
 net/psample/psample.c  |    2 +-
 net/sched/act_sample.c |    5 ++++-
 3 files changed, 6 insertions(+), 2 deletions(-)

--- a/include/net/psample.h
+++ b/include/net/psample.h
@@ -12,6 +12,7 @@ struct psample_group {
 	u32 group_num;
 	u32 refcount;
 	u32 seq;
+	struct rcu_head rcu;
 };
 
 struct psample_group *psample_group_get(struct net *net, u32 group_num);
--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -156,7 +156,7 @@ static void psample_group_destroy(struct
 {
 	psample_group_notify(group, PSAMPLE_CMD_DEL_GROUP);
 	list_del(&group->list);
-	kfree(group);
+	kfree_rcu(group, rcu);
 }
 
 static struct psample_group *
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -99,7 +99,8 @@ static int tcf_sample_init(struct net *n
 	s->tcf_action = parm->action;
 	s->rate = rate;
 	s->psample_group_num = psample_group_num;
-	RCU_INIT_POINTER(s->psample_group, psample_group);
+	rcu_swap_protected(s->psample_group, psample_group,
+			   lockdep_is_held(&s->tcf_lock));
 
 	if (tb[TCA_SAMPLE_TRUNC_SIZE]) {
 		s->truncate = true;
@@ -107,6 +108,8 @@ static int tcf_sample_init(struct net *n
 	}
 	spin_unlock_bh(&s->tcf_lock);
 
+	if (psample_group)
+		psample_group_put(psample_group);
 	if (ret == ACT_P_CREATED)
 		tcf_idr_insert(tn, *a);
 	return ret;



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 04/57] net_sched: fix a NULL pointer deref in ipt action
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 03/57] net: sched: act_sample: fix psample group handling on overwrite Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 05/57] net: stmmac: dwmac-rk: Dont fail if phy regulator is absent Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jamal Hadi Salim, Jiri Pirko,
	Cong Wang, David S. Miller, itugrok

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 981471bd3abf4d572097645d765391533aac327d ]

The net pointer in struct xt_tgdtor_param is not explicitly
initialized therefore is still NULL when dereferencing it.
So we have to find a way to pass the correct net pointer to
ipt_destroy_target().

The best way I find is just saving the net pointer inside the per
netns struct tcf_idrinfo, which could make this patch smaller.

Fixes: 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed by ruleset")
Reported-and-tested-by: itugrok@yahoo.com
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/act_api.h      |    4 +++-
 net/sched/act_bpf.c        |    2 +-
 net/sched/act_connmark.c   |    2 +-
 net/sched/act_csum.c       |    2 +-
 net/sched/act_gact.c       |    2 +-
 net/sched/act_ife.c        |    2 +-
 net/sched/act_ipt.c        |   11 ++++++-----
 net/sched/act_mirred.c     |    2 +-
 net/sched/act_nat.c        |    2 +-
 net/sched/act_pedit.c      |    2 +-
 net/sched/act_police.c     |    2 +-
 net/sched/act_sample.c     |    2 +-
 net/sched/act_simple.c     |    2 +-
 net/sched/act_skbedit.c    |    2 +-
 net/sched/act_skbmod.c     |    2 +-
 net/sched/act_tunnel_key.c |    2 +-
 net/sched/act_vlan.c       |    2 +-
 17 files changed, 24 insertions(+), 21 deletions(-)

--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -15,6 +15,7 @@
 struct tcf_idrinfo {
 	spinlock_t	lock;
 	struct idr	action_idr;
+	struct net	*net;
 };
 
 struct tc_action_ops;
@@ -107,7 +108,7 @@ struct tc_action_net {
 };
 
 static inline
-int tc_action_net_init(struct tc_action_net *tn,
+int tc_action_net_init(struct net *net, struct tc_action_net *tn,
 		       const struct tc_action_ops *ops)
 {
 	int err = 0;
@@ -116,6 +117,7 @@ int tc_action_net_init(struct tc_action_
 	if (!tn->idrinfo)
 		return -ENOMEM;
 	tn->ops = ops;
+	tn->idrinfo->net = net;
 	spin_lock_init(&tn->idrinfo->lock);
 	idr_init(&tn->idrinfo->action_idr);
 	return err;
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -413,7 +413,7 @@ static __net_init int bpf_init_net(struc
 {
 	struct tc_action_net *tn = net_generic(net, bpf_net_id);
 
-	return tc_action_net_init(tn, &act_bpf_ops);
+	return tc_action_net_init(net, tn, &act_bpf_ops);
 }
 
 static void __net_exit bpf_exit_net(struct list_head *net_list)
--- a/net/sched/act_connmark.c
+++ b/net/sched/act_connmark.c
@@ -215,7 +215,7 @@ static __net_init int connmark_init_net(
 {
 	struct tc_action_net *tn = net_generic(net, connmark_net_id);
 
-	return tc_action_net_init(tn, &act_connmark_ops);
+	return tc_action_net_init(net, tn, &act_connmark_ops);
 }
 
 static void __net_exit connmark_exit_net(struct list_head *net_list)
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -678,7 +678,7 @@ static __net_init int csum_init_net(stru
 {
 	struct tc_action_net *tn = net_generic(net, csum_net_id);
 
-	return tc_action_net_init(tn, &act_csum_ops);
+	return tc_action_net_init(net, tn, &act_csum_ops);
 }
 
 static void __net_exit csum_exit_net(struct list_head *net_list)
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -263,7 +263,7 @@ static __net_init int gact_init_net(stru
 {
 	struct tc_action_net *tn = net_generic(net, gact_net_id);
 
-	return tc_action_net_init(tn, &act_gact_ops);
+	return tc_action_net_init(net, tn, &act_gact_ops);
 }
 
 static void __net_exit gact_exit_net(struct list_head *net_list)
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -887,7 +887,7 @@ static __net_init int ife_init_net(struc
 {
 	struct tc_action_net *tn = net_generic(net, ife_net_id);
 
-	return tc_action_net_init(tn, &act_ife_ops);
+	return tc_action_net_init(net, tn, &act_ife_ops);
 }
 
 static void __net_exit ife_exit_net(struct list_head *net_list)
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -65,12 +65,13 @@ static int ipt_init_target(struct net *n
 	return 0;
 }
 
-static void ipt_destroy_target(struct xt_entry_target *t)
+static void ipt_destroy_target(struct xt_entry_target *t, struct net *net)
 {
 	struct xt_tgdtor_param par = {
 		.target   = t->u.kernel.target,
 		.targinfo = t->data,
 		.family   = NFPROTO_IPV4,
+		.net      = net,
 	};
 	if (par.target->destroy != NULL)
 		par.target->destroy(&par);
@@ -82,7 +83,7 @@ static void tcf_ipt_release(struct tc_ac
 	struct tcf_ipt *ipt = to_ipt(a);
 
 	if (ipt->tcfi_t) {
-		ipt_destroy_target(ipt->tcfi_t);
+		ipt_destroy_target(ipt->tcfi_t, a->idrinfo->net);
 		kfree(ipt->tcfi_t);
 	}
 	kfree(ipt->tcfi_tname);
@@ -182,7 +183,7 @@ static int __tcf_ipt_init(struct net *ne
 
 	spin_lock_bh(&ipt->tcf_lock);
 	if (ret != ACT_P_CREATED) {
-		ipt_destroy_target(ipt->tcfi_t);
+		ipt_destroy_target(ipt->tcfi_t, net);
 		kfree(ipt->tcfi_tname);
 		kfree(ipt->tcfi_t);
 	}
@@ -353,7 +354,7 @@ static __net_init int ipt_init_net(struc
 {
 	struct tc_action_net *tn = net_generic(net, ipt_net_id);
 
-	return tc_action_net_init(tn, &act_ipt_ops);
+	return tc_action_net_init(net, tn, &act_ipt_ops);
 }
 
 static void __net_exit ipt_exit_net(struct list_head *net_list)
@@ -403,7 +404,7 @@ static __net_init int xt_init_net(struct
 {
 	struct tc_action_net *tn = net_generic(net, xt_net_id);
 
-	return tc_action_net_init(tn, &act_xt_ops);
+	return tc_action_net_init(net, tn, &act_xt_ops);
 }
 
 static void __net_exit xt_exit_net(struct list_head *net_list)
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -419,7 +419,7 @@ static __net_init int mirred_init_net(st
 {
 	struct tc_action_net *tn = net_generic(net, mirred_net_id);
 
-	return tc_action_net_init(tn, &act_mirred_ops);
+	return tc_action_net_init(net, tn, &act_mirred_ops);
 }
 
 static void __net_exit mirred_exit_net(struct list_head *net_list)
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@@ -317,7 +317,7 @@ static __net_init int nat_init_net(struc
 {
 	struct tc_action_net *tn = net_generic(net, nat_net_id);
 
-	return tc_action_net_init(tn, &act_nat_ops);
+	return tc_action_net_init(net, tn, &act_nat_ops);
 }
 
 static void __net_exit nat_exit_net(struct list_head *net_list)
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -488,7 +488,7 @@ static __net_init int pedit_init_net(str
 {
 	struct tc_action_net *tn = net_generic(net, pedit_net_id);
 
-	return tc_action_net_init(tn, &act_pedit_ops);
+	return tc_action_net_init(net, tn, &act_pedit_ops);
 }
 
 static void __net_exit pedit_exit_net(struct list_head *net_list)
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -342,7 +342,7 @@ static __net_init int police_init_net(st
 {
 	struct tc_action_net *tn = net_generic(net, police_net_id);
 
-	return tc_action_net_init(tn, &act_police_ops);
+	return tc_action_net_init(net, tn, &act_police_ops);
 }
 
 static void __net_exit police_exit_net(struct list_head *net_list)
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -258,7 +258,7 @@ static __net_init int sample_init_net(st
 {
 	struct tc_action_net *tn = net_generic(net, sample_net_id);
 
-	return tc_action_net_init(tn, &act_sample_ops);
+	return tc_action_net_init(net, tn, &act_sample_ops);
 }
 
 static void __net_exit sample_exit_net(struct list_head *net_list)
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -215,7 +215,7 @@ static __net_init int simp_init_net(stru
 {
 	struct tc_action_net *tn = net_generic(net, simp_net_id);
 
-	return tc_action_net_init(tn, &act_simp_ops);
+	return tc_action_net_init(net, tn, &act_simp_ops);
 }
 
 static void __net_exit simp_exit_net(struct list_head *net_list)
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -316,7 +316,7 @@ static __net_init int skbedit_init_net(s
 {
 	struct tc_action_net *tn = net_generic(net, skbedit_net_id);
 
-	return tc_action_net_init(tn, &act_skbedit_ops);
+	return tc_action_net_init(net, tn, &act_skbedit_ops);
 }
 
 static void __net_exit skbedit_exit_net(struct list_head *net_list)
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -277,7 +277,7 @@ static __net_init int skbmod_init_net(st
 {
 	struct tc_action_net *tn = net_generic(net, skbmod_net_id);
 
-	return tc_action_net_init(tn, &act_skbmod_ops);
+	return tc_action_net_init(net, tn, &act_skbmod_ops);
 }
 
 static void __net_exit skbmod_exit_net(struct list_head *net_list)
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -579,7 +579,7 @@ static __net_init int tunnel_key_init_ne
 {
 	struct tc_action_net *tn = net_generic(net, tunnel_key_net_id);
 
-	return tc_action_net_init(tn, &act_tunnel_key_ops);
+	return tc_action_net_init(net, tn, &act_tunnel_key_ops);
 }
 
 static void __net_exit tunnel_key_exit_net(struct list_head *net_list)
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -324,7 +324,7 @@ static __net_init int vlan_init_net(stru
 {
 	struct tc_action_net *tn = net_generic(net, vlan_net_id);
 
-	return tc_action_net_init(tn, &act_vlan_ops);
+	return tc_action_net_init(net, tn, &act_vlan_ops);
 }
 
 static void __net_exit vlan_exit_net(struct list_head *net_list)



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 05/57] net: stmmac: dwmac-rk: Dont fail if phy regulator is absent
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 04/57] net_sched: fix a NULL pointer deref in ipt action Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 06/57] tcp: inherit timestamp on mtu probe Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, David S. Miller

From: Chen-Yu Tsai <wens@csie.org>

[ Upstream commit 3b25528e1e355c803e73aa326ce657b5606cda73 ]

The devicetree binding lists the phy phy as optional. As such, the
driver should not bail out if it can't find a regulator. Instead it
should just skip the remaining regulator related code and continue
on normally.

Skip the remainder of phy_power_on() if a regulator supply isn't
available. This also gets rid of the bogus return code.

Fixes: 2e12f536635f ("net: stmmac: dwmac-rk: Use standard devicetree property for phy regulator")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
@@ -1203,10 +1203,8 @@ static int phy_power_on(struct rk_priv_d
 	int ret;
 	struct device *dev = &bsp_priv->pdev->dev;
 
-	if (!ldo) {
-		dev_err(dev, "no regulator found\n");
-		return -1;
-	}
+	if (!ldo)
+		return 0;
 
 	if (enable) {
 		ret = regulator_enable(ldo);



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 06/57] tcp: inherit timestamp on mtu probe
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 05/57] net: stmmac: dwmac-rk: Dont fail if phy regulator is absent Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 07/57] tcp: remove empty skb from write queue in error cases Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Willem de Bruijn, Eric Dumazet,
	David S. Miller

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit 888a5c53c0d8be6e98bc85b677f179f77a647873 ]

TCP associates tx timestamp requests with a byte in the bytestream.
If merging skbs in tcp_mtu_probe, migrate the tstamp request.

Similar to MSG_EOR, do not allow moving a timestamp from any segment
in the probe but the last. This to avoid merging multiple timestamps.

Tested with the packetdrill script at
https://github.com/wdebruij/packetdrill/commits/mtu_probe-1

Link: http://patchwork.ozlabs.org/patch/1143278/#2232897
Fixes: 4ed2d765dfac ("net-timestamp: TCP timestamping")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_output.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2046,7 +2046,7 @@ static bool tcp_can_coalesce_send_queue_
 		if (len <= skb->len)
 			break;
 
-		if (unlikely(TCP_SKB_CB(skb)->eor))
+		if (unlikely(TCP_SKB_CB(skb)->eor) || tcp_has_tx_tstamp(skb))
 			return false;
 
 		len -= skb->len;
@@ -2162,6 +2162,7 @@ static int tcp_mtu_probe(struct sock *sk
 			 * we need to propagate it to the new skb.
 			 */
 			TCP_SKB_CB(nskb)->eor = TCP_SKB_CB(skb)->eor;
+			tcp_skb_collapse_tstamp(nskb, skb);
 			tcp_unlink_write_queue(skb, sk);
 			sk_wmem_free_skb(sk, skb);
 		} else {



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 07/57] tcp: remove empty skb from write queue in error cases
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 06/57] tcp: inherit timestamp on mtu probe Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 08/57] net/rds: Fix info leak in rds6_inc_info_copy() Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Jason Baron,
	Vladimir Rutsky, Soheil Hassas Yeganeh, Neal Cardwell,
	David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit fdfc5c8594c24c5df883583ebd286321a80e0a67 ]

Vladimir Rutsky reported stuck TCP sessions after memory pressure
events. Edge Trigger epoll() user would never receive an EPOLLOUT
notification allowing them to retry a sendmsg().

Jason tested the case of sk_stream_alloc_skb() returning NULL,
but there are other paths that could lead both sendmsg() and sendpage()
to return -1 (EAGAIN), with an empty skb queued on the write queue.

This patch makes sure we remove this empty skb so that
Jason code can detect that the queue is empty, and
call sk->sk_write_space(sk) accordingly.

Fixes: ce5ec440994b ("tcp: ensure epoll edge trigger wakeup when write queue is empty")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jason Baron <jbaron@akamai.com>
Reported-by: Vladimir Rutsky <rutsky@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp.c |   29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -934,6 +934,22 @@ static int tcp_send_mss(struct sock *sk,
 	return mss_now;
 }
 
+/* In some cases, both sendpage() and sendmsg() could have added
+ * an skb to the write queue, but failed adding payload on it.
+ * We need to remove it to consume less memory, but more
+ * importantly be able to generate EPOLLOUT for Edge Trigger epoll()
+ * users.
+ */
+static void tcp_remove_empty_skb(struct sock *sk, struct sk_buff *skb)
+{
+	if (skb && !skb->len) {
+		tcp_unlink_write_queue(skb, sk);
+		if (tcp_write_queue_empty(sk))
+			tcp_chrono_stop(sk, TCP_CHRONO_BUSY);
+		sk_wmem_free_skb(sk, skb);
+	}
+}
+
 ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
 			 size_t size, int flags)
 {
@@ -1056,6 +1072,7 @@ out:
 	return copied;
 
 do_error:
+	tcp_remove_empty_skb(sk, tcp_write_queue_tail(sk));
 	if (copied)
 		goto out;
 out_err:
@@ -1409,17 +1426,11 @@ out_nopush:
 	sock_zerocopy_put(uarg);
 	return copied + copied_syn;
 
+do_error:
+	skb = tcp_write_queue_tail(sk);
 do_fault:
-	if (!skb->len) {
-		tcp_unlink_write_queue(skb, sk);
-		/* It is the one place in all of TCP, except connection
-		 * reset, where we can be unlinking the send_head.
-		 */
-		tcp_check_send_head(sk, skb);
-		sk_wmem_free_skb(sk, skb);
-	}
+	tcp_remove_empty_skb(sk, skb);
 
-do_error:
 	if (copied + copied_syn)
 		goto out;
 out_err:



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 08/57] net/rds: Fix info leak in rds6_inc_info_copy()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 07/57] tcp: remove empty skb from write queue in error cases Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 09/57] x86/boot: Preserve boot_params.secure_boot from sanitizing Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, 黄ID蝴蝶,
	Dan Carpenter, Ka-Cheong Poon, Santosh Shilimkar,
	David S. Miller

From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>

[ Upstream commit 7d0a06586b2686ba80c4a2da5f91cb10ffbea736 ]

The rds6_inc_info_copy() function has a couple struct members which
are leaking stack information.  The ->tos field should hold actual
information and the ->flags field needs to be zeroed out.

Fixes: 3eb450367d08 ("rds: add type of service(tos) infrastructure")
Fixes: b7ff8b1036f0 ("rds: Extend RDS API for IPv6 support")
Reported-by: 黄ID蝴蝶 <butterflyhuangxx@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/recv.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2019 Oracle and/or its affiliates. All rights reserved.
  *
  * This software is available to you under a choice of one of two
  * licenses.  You may choose to be licensed under the terms of the GNU
@@ -803,6 +803,7 @@ void rds6_inc_info_copy(struct rds_incom
 
 	minfo6.seq = be64_to_cpu(inc->i_hdr.h_sequence);
 	minfo6.len = be32_to_cpu(inc->i_hdr.h_len);
+	minfo6.tos = 0;
 
 	if (flip) {
 		minfo6.laddr = *daddr;
@@ -816,6 +817,8 @@ void rds6_inc_info_copy(struct rds_incom
 		minfo6.fport = inc->i_hdr.h_dport;
 	}
 
+	minfo6.flags = 0;
+
 	rds_info_copy(iter, &minfo6, sizeof(minfo6));
 }
 #endif



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 09/57] x86/boot: Preserve boot_params.secure_boot from sanitizing
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 08/57] net/rds: Fix info leak in rds6_inc_info_copy() Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 10/57] spi: bcm2835aux: unifying code between polling and interrupt driven code Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John S. Gruber, Borislav Petkov,
	John Hubbard, H. Peter Anvin, Ingo Molnar, Juergen Gross,
	Mark Brown, Thomas Gleixner, x86-ml

From: John S. Gruber <JohnSGruber@gmail.com>

commit 29d9a0b50736768f042752070e5cdf4e4d4c00df upstream.

Commit

  a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else")

now zeroes the secure boot setting information (enabled/disabled/...)
passed by the boot loader or by the kernel's EFI handover mechanism.

The problem manifests itself with signed kernels using the EFI handoff
protocol with grub and the kernel loses the information whether secure
boot is enabled in the firmware, i.e., the log message "Secure boot
enabled" becomes "Secure boot could not be determined".

efi_main() arch/x86/boot/compressed/eboot.c sets this field early but it
is subsequently zeroed by the above referenced commit.

Include boot_params.secure_boot in the preserve field list.

 [ bp: restructure commit message and massage. ]

Fixes: a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else")
Signed-off-by: John S. Gruber <JohnSGruber@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: John Hubbard <jhubbard@nvidia.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: stable <stable@vger.kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/bootparam_utils.h |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/include/asm/bootparam_utils.h
+++ b/arch/x86/include/asm/bootparam_utils.h
@@ -71,6 +71,7 @@ static void sanitize_boot_params(struct
 			BOOT_PARAM_PRESERVE(eddbuf_entries),
 			BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries),
 			BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer),
+			BOOT_PARAM_PRESERVE(secure_boot),
 			BOOT_PARAM_PRESERVE(hdr),
 			BOOT_PARAM_PRESERVE(e820_table),
 			BOOT_PARAM_PRESERVE(eddbuf),



^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 10/57] spi: bcm2835aux: unifying code between polling and interrupt driven code
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 09/57] x86/boot: Preserve boot_params.secure_boot from sanitizing Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 11/57] spi: bcm2835aux: remove dangerous uncontrolled read of fifo Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Sperl, Stefan Wahren,
	Mark Brown, Sasha Levin

[ Upstream commit 7188a6f0eee3f1fae5d826cfc6d569657ff950ec ]

Sharing more code between polling and interrupt-driven mode.

Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-bcm2835aux.c | 51 +++++++++++++-----------------------
 1 file changed, 18 insertions(+), 33 deletions(-)

diff --git a/drivers/spi/spi-bcm2835aux.c b/drivers/spi/spi-bcm2835aux.c
index 3094d818cf06d..79306e654f735 100644
--- a/drivers/spi/spi-bcm2835aux.c
+++ b/drivers/spi/spi-bcm2835aux.c
@@ -178,23 +178,13 @@ static void bcm2835aux_spi_reset_hw(struct bcm2835aux_spi *bs)
 		      BCM2835_AUX_SPI_CNTL0_CLEARFIFO);
 }
 
-static irqreturn_t bcm2835aux_spi_interrupt(int irq, void *dev_id)
+static void bcm2835aux_spi_transfer_helper(struct bcm2835aux_spi *bs)
 {
-	struct spi_master *master = dev_id;
-	struct bcm2835aux_spi *bs = spi_master_get_devdata(master);
-	irqreturn_t ret = IRQ_NONE;
-
-	/* IRQ may be shared, so return if our interrupts are disabled */
-	if (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_CNTL1) &
-	      (BCM2835_AUX_SPI_CNTL1_TXEMPTY | BCM2835_AUX_SPI_CNTL1_IDLE)))
-		return ret;
-
 	/* check if we have data to read */
 	while (bs->rx_len &&
 	       (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT) &
 		  BCM2835_AUX_SPI_STAT_RX_EMPTY))) {
 		bcm2835aux_rd_fifo(bs);
-		ret = IRQ_HANDLED;
 	}
 
 	/* check if we have data to write */
@@ -203,7 +193,6 @@ static irqreturn_t bcm2835aux_spi_interrupt(int irq, void *dev_id)
 	       (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT) &
 		  BCM2835_AUX_SPI_STAT_TX_FULL))) {
 		bcm2835aux_wr_fifo(bs);
-		ret = IRQ_HANDLED;
 	}
 
 	/* and check if we have reached "done" */
@@ -211,8 +200,21 @@ static irqreturn_t bcm2835aux_spi_interrupt(int irq, void *dev_id)
 	       (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT) &
 		  BCM2835_AUX_SPI_STAT_BUSY))) {
 		bcm2835aux_rd_fifo(bs);
-		ret = IRQ_HANDLED;
 	}
+}
+
+static irqreturn_t bcm2835aux_spi_interrupt(int irq, void *dev_id)
+{
+	struct spi_master *master = dev_id;
+	struct bcm2835aux_spi *bs = spi_master_get_devdata(master);
+
+	/* IRQ may be shared, so return if our interrupts are disabled */
+	if (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_CNTL1) &
+	      (BCM2835_AUX_SPI_CNTL1_TXEMPTY | BCM2835_AUX_SPI_CNTL1_IDLE)))
+		return IRQ_NONE;
+
+	/* do common fifo handling */
+	bcm2835aux_spi_transfer_helper(bs);
 
 	if (!bs->tx_len) {
 		/* disable tx fifo empty interrupt */
@@ -226,8 +228,7 @@ static irqreturn_t bcm2835aux_spi_interrupt(int irq, void *dev_id)
 		complete(&master->xfer_completion);
 	}
 
-	/* and return */
-	return ret;
+	return IRQ_HANDLED;
 }
 
 static int __bcm2835aux_spi_transfer_one_irq(struct spi_master *master,
@@ -273,7 +274,6 @@ static int bcm2835aux_spi_transfer_one_poll(struct spi_master *master,
 {
 	struct bcm2835aux_spi *bs = spi_master_get_devdata(master);
 	unsigned long timeout;
-	u32 stat;
 
 	/* configure spi */
 	bcm2835aux_wr(bs, BCM2835_AUX_SPI_CNTL1, bs->cntl[1]);
@@ -284,24 +284,9 @@ static int bcm2835aux_spi_transfer_one_poll(struct spi_master *master,
 
 	/* loop until finished the transfer */
 	while (bs->rx_len) {
-		/* read status */
-		stat = bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT);
-
-		/* fill in tx fifo with remaining data */
-		if ((bs->tx_len) && (!(stat & BCM2835_AUX_SPI_STAT_TX_FULL))) {
-			bcm2835aux_wr_fifo(bs);
-			continue;
-		}
 
-		/* read data from fifo for both cases */
-		if (!(stat & BCM2835_AUX_SPI_STAT_RX_EMPTY)) {
-			bcm2835aux_rd_fifo(bs);
-			continue;
-		}
-		if (!(stat & BCM2835_AUX_SPI_STAT_BUSY)) {
-			bcm2835aux_rd_fifo(bs);
-			continue;
-		}
+		/* do common fifo handling */
+		bcm2835aux_spi_transfer_helper(bs);
 
 		/* there is still data pending to read check the timeout */
 		if (bs->rx_len && time_after(jiffies, timeout)) {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 11/57] spi: bcm2835aux: remove dangerous uncontrolled read of fifo
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 10/57] spi: bcm2835aux: unifying code between polling and interrupt driven code Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 12/57] spi: bcm2835aux: fix corruptions for longer spi transfers Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hubert Denkmair, Martin Sperl,
	Stefan Wahren, Mark Brown, Sasha Levin

[ Upstream commit c7de8500fd8ecbb544846dd5f11dca578c3777e1 ]

This read of the fifo is a potential candidate for a race condition
as the spi transfer is not necessarily finished and so can lead to
an early read of the fifo that still misses data.

So it has been removed.

Fixes: 1ea29b39f4c812ec ("spi: bcm2835aux: add bcm2835 auxiliary spi device...")
Suggested-by: Hubert Denkmair <h.denkmair@intence.de>
Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-bcm2835aux.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/spi/spi-bcm2835aux.c b/drivers/spi/spi-bcm2835aux.c
index 79306e654f735..b4217f9480014 100644
--- a/drivers/spi/spi-bcm2835aux.c
+++ b/drivers/spi/spi-bcm2835aux.c
@@ -194,13 +194,6 @@ static void bcm2835aux_spi_transfer_helper(struct bcm2835aux_spi *bs)
 		  BCM2835_AUX_SPI_STAT_TX_FULL))) {
 		bcm2835aux_wr_fifo(bs);
 	}
-
-	/* and check if we have reached "done" */
-	while (bs->rx_len &&
-	       (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT) &
-		  BCM2835_AUX_SPI_STAT_BUSY))) {
-		bcm2835aux_rd_fifo(bs);
-	}
 }
 
 static irqreturn_t bcm2835aux_spi_interrupt(int irq, void *dev_id)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 12/57] spi: bcm2835aux: fix corruptions for longer spi transfers
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 11/57] spi: bcm2835aux: remove dangerous uncontrolled read of fifo Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 13/57] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hubert Denkmair, Martin Sperl,
	Stefan Wahren, Mark Brown, Sasha Levin

[ Upstream commit 73b114ee7db1750c0b535199fae383b109bd61d0 ]

On long running tests with a mcp2517fd can controller it showed that
on rare occations the data read shows corruptions for longer spi transfers.

Example of a 22 byte transfer:

expected (as captured on logic analyzer):
FF FF 78 00 00 00 08 06 00 00 91 20 77 56 84 85 86 87 88 89 8a 8b

read by the driver:
FF FF 78 00 00 00 08 06 00 00 91 20 77 56 84 88 89 8a 00 00 8b 9b

To fix this use BCM2835_AUX_SPI_STAT_RX_LVL to determine when we may
read data from the fifo reliably without any corruption.

Surprisingly the only values ever empirically read in
BCM2835_AUX_SPI_STAT_RX_LVL are 0x00, 0x10, 0x20 and 0x30.
So whenever the mask is not 0 we can read from the fifo in a safe manner.

The patch has now been tested intensively and we are no longer
able to reproduce the "RX" issue any longer.

Fixes: 1ea29b39f4c812ec ("spi: bcm2835aux: add bcm2835 auxiliary spi device...")
Reported-by: Hubert Denkmair <h.denkmair@intence.de>
Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-bcm2835aux.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-bcm2835aux.c b/drivers/spi/spi-bcm2835aux.c
index b4217f9480014..12c1fa5b06c5b 100644
--- a/drivers/spi/spi-bcm2835aux.c
+++ b/drivers/spi/spi-bcm2835aux.c
@@ -180,12 +180,12 @@ static void bcm2835aux_spi_reset_hw(struct bcm2835aux_spi *bs)
 
 static void bcm2835aux_spi_transfer_helper(struct bcm2835aux_spi *bs)
 {
+	u32 stat = bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT);
+
 	/* check if we have data to read */
-	while (bs->rx_len &&
-	       (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT) &
-		  BCM2835_AUX_SPI_STAT_RX_EMPTY))) {
+	for (; bs->rx_len && (stat & BCM2835_AUX_SPI_STAT_RX_LVL);
+	     stat = bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT))
 		bcm2835aux_rd_fifo(bs);
-	}
 
 	/* check if we have data to write */
 	while (bs->tx_len &&
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 13/57] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 12/57] spi: bcm2835aux: fix corruptions for longer spi transfers Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 14/57] netfilter: nf_tables: use-after-free in failing rule with bound set Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fuqian Huang, David S. Miller, Sasha Levin

[ Upstream commit 8c25d0887a8bd0e1ca2074ac0c6dff173787a83b ]

As spin_unlock_irq will enable interrupts.
Function tsi108_stat_carry is called from interrupt handler tsi108_irq.
Interrupts are enabled in interrupt handler.
Use spin_lock_irqsave/spin_unlock_irqrestore instead of spin_(un)lock_irq
in IRQ context to avoid this.

Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/tundra/tsi108_eth.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c
index edcd1e60b30d1..f076050c8ad37 100644
--- a/drivers/net/ethernet/tundra/tsi108_eth.c
+++ b/drivers/net/ethernet/tundra/tsi108_eth.c
@@ -383,9 +383,10 @@ tsi108_stat_carry_one(int carry, int carry_bit, int carry_shift,
 static void tsi108_stat_carry(struct net_device *dev)
 {
 	struct tsi108_prv_data *data = netdev_priv(dev);
+	unsigned long flags;
 	u32 carry1, carry2;
 
-	spin_lock_irq(&data->misclock);
+	spin_lock_irqsave(&data->misclock, flags);
 
 	carry1 = TSI_READ(TSI108_STAT_CARRY1);
 	carry2 = TSI_READ(TSI108_STAT_CARRY2);
@@ -453,7 +454,7 @@ static void tsi108_stat_carry(struct net_device *dev)
 			      TSI108_STAT_TXPAUSEDROP_CARRY,
 			      &data->tx_pause_drop);
 
-	spin_unlock_irq(&data->misclock);
+	spin_unlock_irqrestore(&data->misclock, flags);
 }
 
 /* Read a stat counter atomically with respect to carries.
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 14/57] netfilter: nf_tables: use-after-free in failing rule with bound set
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 13/57] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 15/57] tools: bpftool: fix error message (prog -> object) Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso, Sasha Levin

[ Upstream commit 6a0a8d10a3661a036b55af695542a714c429ab7c ]

If a rule that has already a bound anonymous set fails to be added, the
preparation phase releases the rule and the bound set. However, the
transaction object from the abort path still has a reference to the set
object that is stale, leading to a use-after-free when checking for the
set->bound field. Add a new field to the transaction that specifies if
the set is bound, so the abort path can skip releasing it since the rule
command owns it and it takes care of releasing it. After this update,
the set->bound field is removed.

[   24.649883] Unable to handle kernel paging request at virtual address 0000000000040434
[   24.657858] Mem abort info:
[   24.660686]   ESR = 0x96000004
[   24.663769]   Exception class = DABT (current EL), IL = 32 bits
[   24.669725]   SET = 0, FnV = 0
[   24.672804]   EA = 0, S1PTW = 0
[   24.675975] Data abort info:
[   24.678880]   ISV = 0, ISS = 0x00000004
[   24.682743]   CM = 0, WnR = 0
[   24.685723] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000428952000
[   24.692207] [0000000000040434] pgd=0000000000000000
[   24.697119] Internal error: Oops: 96000004 [#1] SMP
[...]
[   24.889414] Call trace:
[   24.891870]  __nf_tables_abort+0x3f0/0x7a0
[   24.895984]  nf_tables_abort+0x20/0x40
[   24.899750]  nfnetlink_rcv_batch+0x17c/0x588
[   24.904037]  nfnetlink_rcv+0x13c/0x190
[   24.907803]  netlink_unicast+0x18c/0x208
[   24.911742]  netlink_sendmsg+0x1b0/0x350
[   24.915682]  sock_sendmsg+0x4c/0x68
[   24.919185]  ___sys_sendmsg+0x288/0x2c8
[   24.923037]  __sys_sendmsg+0x7c/0xd0
[   24.926628]  __arm64_sys_sendmsg+0x2c/0x38
[   24.930744]  el0_svc_common.constprop.0+0x94/0x158
[   24.935556]  el0_svc_handler+0x34/0x90
[   24.939322]  el0_svc+0x8/0xc
[   24.942216] Code: 37280300 f9404023 91014262 aa1703e0 (f9401863)
[   24.948336] ---[ end trace cebbb9dcbed3b56f ]---

Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/netfilter/nf_tables.h |  9 +++++++--
 net/netfilter/nf_tables_api.c     | 15 ++++++++++-----
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index f2be5d041ba3a..7685cbda9f28b 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -418,8 +418,7 @@ struct nft_set {
 	unsigned char			*udata;
 	/* runtime data below here */
 	const struct nft_set_ops	*ops ____cacheline_aligned;
-	u16				flags:13,
-					bound:1,
+	u16				flags:14,
 					genmask:2;
 	u8				klen;
 	u8				dlen;
@@ -1337,12 +1336,15 @@ struct nft_trans_rule {
 struct nft_trans_set {
 	struct nft_set			*set;
 	u32				set_id;
+	bool				bound;
 };
 
 #define nft_trans_set(trans)	\
 	(((struct nft_trans_set *)trans->data)->set)
 #define nft_trans_set_id(trans)	\
 	(((struct nft_trans_set *)trans->data)->set_id)
+#define nft_trans_set_bound(trans)	\
+	(((struct nft_trans_set *)trans->data)->bound)
 
 struct nft_trans_chain {
 	bool				update;
@@ -1373,12 +1375,15 @@ struct nft_trans_table {
 struct nft_trans_elem {
 	struct nft_set			*set;
 	struct nft_set_elem		elem;
+	bool				bound;
 };
 
 #define nft_trans_elem_set(trans)	\
 	(((struct nft_trans_elem *)trans->data)->set)
 #define nft_trans_elem(trans)	\
 	(((struct nft_trans_elem *)trans->data)->elem)
+#define nft_trans_elem_set_bound(trans)	\
+	(((struct nft_trans_elem *)trans->data)->bound)
 
 struct nft_trans_obj {
 	struct nft_object		*obj;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 29ff59dd99ace..2145581d7b3dc 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -121,9 +121,14 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
 		return;
 
 	list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
-		if (trans->msg_type == NFT_MSG_NEWSET &&
-		    nft_trans_set(trans) == set) {
-			set->bound = true;
+		switch (trans->msg_type) {
+		case NFT_MSG_NEWSET:
+			if (nft_trans_set(trans) == set)
+				nft_trans_set_bound(trans) = true;
+			break;
+		case NFT_MSG_NEWSETELEM:
+			if (nft_trans_elem_set(trans) == set)
+				nft_trans_elem_set_bound(trans) = true;
 			break;
 		}
 	}
@@ -6656,7 +6661,7 @@ static int __nf_tables_abort(struct net *net)
 			break;
 		case NFT_MSG_NEWSET:
 			trans->ctx.table->use--;
-			if (nft_trans_set(trans)->bound) {
+			if (nft_trans_set_bound(trans)) {
 				nft_trans_destroy(trans);
 				break;
 			}
@@ -6668,7 +6673,7 @@ static int __nf_tables_abort(struct net *net)
 			nft_trans_destroy(trans);
 			break;
 		case NFT_MSG_NEWSETELEM:
-			if (nft_trans_elem_set(trans)->bound) {
+			if (nft_trans_elem_set_bound(trans)) {
 				nft_trans_destroy(trans);
 				break;
 			}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 15/57] tools: bpftool: fix error message (prog -> object)
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 14/57] netfilter: nf_tables: use-after-free in failing rule with bound set Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 16/57] hv_netvsc: Fix a warning of suspicious RCU usage Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Quentin Monnet,
	Daniel Borkmann, Sasha Levin

[ Upstream commit b3e78adcbf991a4e8b2ebb23c9889e968ec76c5f ]

Change an error message to work for any object being
pinned not just programs.

Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/bpf/bpftool/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
index fcaf00621102f..be7aebff0c1e5 100644
--- a/tools/bpf/bpftool/common.c
+++ b/tools/bpf/bpftool/common.c
@@ -238,7 +238,7 @@ int do_pin_any(int argc, char **argv, int (*get_fd_by_id)(__u32))
 
 	fd = get_fd_by_id(id);
 	if (fd < 0) {
-		p_err("can't get prog by id (%u): %s", id, strerror(errno));
+		p_err("can't open object by id (%u): %s", id, strerror(errno));
 		return -1;
 	}
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 16/57] hv_netvsc: Fix a warning of suspicious RCU usage
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 15/57] tools: bpftool: fix error message (prog -> object) Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 17/57] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dexuan Cui, David S. Miller, Sasha Levin

[ Upstream commit 6d0d779dca73cd5acb649c54f81401f93098b298 ]

This fixes a warning of "suspicious rcu_dereference_check() usage"
when nload runs.

Fixes: 776e726bfb34 ("netvsc: fix RCU warning in get_stats")
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/hyperv/netvsc_drv.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index cc60ef9634db2..6f6c0dbd91fc8 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -1248,12 +1248,15 @@ static void netvsc_get_stats64(struct net_device *net,
 			       struct rtnl_link_stats64 *t)
 {
 	struct net_device_context *ndev_ctx = netdev_priv(net);
-	struct netvsc_device *nvdev = rcu_dereference_rtnl(ndev_ctx->nvdev);
+	struct netvsc_device *nvdev;
 	struct netvsc_vf_pcpu_stats vf_tot;
 	int i;
 
+	rcu_read_lock();
+
+	nvdev = rcu_dereference(ndev_ctx->nvdev);
 	if (!nvdev)
-		return;
+		goto out;
 
 	netdev_stats_to_stats64(t, &net->stats);
 
@@ -1292,6 +1295,8 @@ static void netvsc_get_stats64(struct net_device *net,
 		t->rx_packets	+= packets;
 		t->multicast	+= multicast;
 	}
+out:
+	rcu_read_unlock();
 }
 
 static int netvsc_set_mac_addr(struct net_device *ndev, void *p)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 17/57] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 16/57] hv_netvsc: Fix a warning of suspicious RCU usage Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 18/57] Bluetooth: btqca: Add a short delay before downloading the NVM Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

[ Upstream commit 125b7e0949d4e72b15c2b1a1590f8cece985a918 ]

clang warns:

drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical
'&&' with constant operand [-Wconstant-logical-operand]
                        if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                  ^  ~~~~~~~~~~~~
drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a
bitwise operation
                        if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                  ^~
                                                  &
drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to
silence this warning
                        if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                 ~^~~~~~~~~~~~~~~
1 warning generated.

Explicitly check that NET_IP_ALIGN is not zero, which matches how this
is checked in other parts of the tree. Because NET_IP_ALIGN is a build
time constant, this check will be constant folded away during
optimization.

Fixes: 82a9928db560 ("tc35815: Enable StripCRC feature")
Link: https://github.com/ClangBuiltLinux/linux/issues/608
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/toshiba/tc35815.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/toshiba/tc35815.c b/drivers/net/ethernet/toshiba/tc35815.c
index cce9c9ed46aa9..9146068979d2c 100644
--- a/drivers/net/ethernet/toshiba/tc35815.c
+++ b/drivers/net/ethernet/toshiba/tc35815.c
@@ -1497,7 +1497,7 @@ tc35815_rx(struct net_device *dev, int limit)
 			pci_unmap_single(lp->pci_dev,
 					 lp->rx_skbs[cur_bd].skb_dma,
 					 RX_BUF_SIZE, PCI_DMA_FROMDEVICE);
-			if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
+			if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN != 0)
 				memmove(skb->data, skb->data - NET_IP_ALIGN,
 					pkt_len);
 			data = skb_put(skb, pkt_len);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 18/57] Bluetooth: btqca: Add a short delay before downloading the NVM
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 17/57] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Marcel Holtmann,
	Sasha Levin

[ Upstream commit 8059ba0bd0e4694e51c2ee6438a77b325f06c0d5 ]

On WCN3990 downloading the NVM sometimes fails with a "TLV response
size mismatch" error:

[  174.949955] Bluetooth: btqca.c:qca_download_firmware() hci0: QCA Downloading qca/crnv21.bin
[  174.958718] Bluetooth: btqca.c:qca_tlv_send_segment() hci0: QCA TLV response size mismatch

It seems the controller needs a short time after downloading the
firmware before it is ready for the NVM. A delay as short as 1 ms
seems sufficient, make it 10 ms just in case. No event is received
during the delay, hence we don't just silently drop an extra event.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/btqca.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index ec9e03a6b7786..9e70f7c7e5659 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -363,6 +363,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
 		return err;
 	}
 
+	/* Give the controller some time to get ready to receive the NVM */
+	msleep(10);
+
 	/* Download NVM configuration */
 	config.type = TLV_TYPE_NVM;
 	if (soc_type == QCA_WCN3990)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 18/57] Bluetooth: btqca: Add a short delay before downloading the NVM Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-09 12:15   ` Pavel Machek
  2019-09-08 12:41 ` [PATCH 4.19 20/57] ibmveth: Convert multicast list size for little-endian system Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  60 siblings, 1 reply; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabian Henneke, Marcel Holtmann, Sasha Levin

[ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ]

Let hidp_send_message return the number of successfully queued bytes
instead of an unconditional 0.

With the return value fixed to 0, other drivers relying on hidp, such as
hidraw, can not return meaningful values from their respective
implementations of write(). In particular, with the current behavior, a
hidraw device's write() will have different return values depending on
whether the device is connected via USB or Bluetooth, which makes it
harder to abstract away the transport layer.

Signed-off-by: Fabian Henneke <fabian.henneke@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hidp/core.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 253975cce943e..7a31aec0c4a36 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -101,6 +101,7 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock,
 {
 	struct sk_buff *skb;
 	struct sock *sk = sock->sk;
+	int ret;
 
 	BT_DBG("session %p data %p size %d", session, data, size);
 
@@ -114,13 +115,17 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock,
 	}
 
 	skb_put_u8(skb, hdr);
-	if (data && size > 0)
+	if (data && size > 0) {
 		skb_put_data(skb, data, size);
+		ret = size;
+	} else {
+		ret = 0;
+	}
 
 	skb_queue_tail(transmit, skb);
 	wake_up_interruptible(sk_sleep(sk));
 
-	return 0;
+	return ret;
 }
 
 static int hidp_send_ctrl_message(struct hidp_session *session,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 20/57] ibmveth: Convert multicast list size for little-endian system
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 21/57] gpio: Fix build error of function redefinition Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangbin Liu, Thomas Falcon,
	Jakub Kicinski, Sasha Levin

[ Upstream commit 66cf4710b23ab2adda11155684a2c8826f4fe732 ]

The ibm,mac-address-filters property defines the maximum number of
addresses the hypervisor's multicast filter list can support. It is
encoded as a big-endian integer in the OF device tree, but the virtual
ethernet driver does not convert it for use by little-endian systems.
As a result, the driver is not behaving as it should on affected systems
when a large number of multicast addresses are assigned to the device.

Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ibm/ibmveth.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
index f70cb4d3c6846..40ad1e5032553 100644
--- a/drivers/net/ethernet/ibm/ibmveth.c
+++ b/drivers/net/ethernet/ibm/ibmveth.c
@@ -1618,7 +1618,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
 	struct net_device *netdev;
 	struct ibmveth_adapter *adapter;
 	unsigned char *mac_addr_p;
-	unsigned int *mcastFilterSize_p;
+	__be32 *mcastFilterSize_p;
 	long ret;
 	unsigned long ret_attr;
 
@@ -1640,8 +1640,9 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
 		return -EINVAL;
 	}
 
-	mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev,
-						VETH_MCAST_FILTER_SIZE, NULL);
+	mcastFilterSize_p = (__be32 *)vio_get_attribute(dev,
+							VETH_MCAST_FILTER_SIZE,
+							NULL);
 	if (!mcastFilterSize_p) {
 		dev_err(&dev->dev, "Can't find VETH_MCAST_FILTER_SIZE "
 			"attribute\n");
@@ -1658,7 +1659,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
 
 	adapter->vdev = dev;
 	adapter->netdev = netdev;
-	adapter->mcastFilterSize = *mcastFilterSize_p;
+	adapter->mcastFilterSize = be32_to_cpu(*mcastFilterSize_p);
 	adapter->pool_config = 0;
 
 	netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 21/57] gpio: Fix build error of function redefinition
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 20/57] ibmveth: Convert multicast list size for little-endian system Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-09 12:23   ` Pavel Machek
  2019-09-08 12:41 ` [PATCH 4.19 22/57] netfilter: nft_flow_offload: skip tcp rst and fin packets Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  60 siblings, 1 reply; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing,
	Linus Walleij, Sasha Levin

[ Upstream commit 68e03b85474a51ec1921b4d13204782594ef7223 ]

when do randbuilding, I got this error:

In file included from drivers/hwmon/pmbus/ucd9000.c:19:0:
./include/linux/gpio/driver.h:576:1: error: redefinition of gpiochip_add_pin_range
 gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
 ^~~~~~~~~~~~~~~~~~~~~~
In file included from drivers/hwmon/pmbus/ucd9000.c:18:0:
./include/linux/gpio.h:245:1: note: previous definition of gpiochip_add_pin_range was here
 gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
 ^~~~~~~~~~~~~~~~~~~~~~

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 964cb341882f ("gpio: move pincontrol calls to <linux/gpio/driver.h>")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190731123814.46624-1-yuehaibing@huawei.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/gpio.h | 24 ------------------------
 1 file changed, 24 deletions(-)

diff --git a/include/linux/gpio.h b/include/linux/gpio.h
index 39745b8bdd65d..b3115d1a7d494 100644
--- a/include/linux/gpio.h
+++ b/include/linux/gpio.h
@@ -240,30 +240,6 @@ static inline int irq_to_gpio(unsigned irq)
 	return -EINVAL;
 }
 
-static inline int
-gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
-		       unsigned int gpio_offset, unsigned int pin_offset,
-		       unsigned int npins)
-{
-	WARN_ON(1);
-	return -EINVAL;
-}
-
-static inline int
-gpiochip_add_pingroup_range(struct gpio_chip *chip,
-			struct pinctrl_dev *pctldev,
-			unsigned int gpio_offset, const char *pin_group)
-{
-	WARN_ON(1);
-	return -EINVAL;
-}
-
-static inline void
-gpiochip_remove_pin_ranges(struct gpio_chip *chip)
-{
-	WARN_ON(1);
-}
-
 static inline int devm_gpio_request(struct device *dev, unsigned gpio,
 				    const char *label)
 {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 22/57] netfilter: nft_flow_offload: skip tcp rst and fin packets
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 21/57] gpio: Fix build error of function redefinition Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 23/57] drm/mediatek: use correct device to import PRIME buffers Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso, Sasha Levin

[ Upstream commit dfe42be15fde16232340b8b2a57c359f51cc10d9 ]

TCP rst and fin packets do not qualify to place a flow into the
flowtable. Most likely there will be no more packets after connection
closure. Without this patch, this flow entry expires and connection
tracking picks up the entry in ESTABLISHED state using the fixup
timeout, which makes this look inconsistent to the user for a connection
that is actually already closed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_flow_offload.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 6e0c26025ab13..69decbe2c9884 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -71,11 +71,11 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 {
 	struct nft_flow_offload *priv = nft_expr_priv(expr);
 	struct nf_flowtable *flowtable = &priv->flowtable->data;
+	struct tcphdr _tcph, *tcph = NULL;
 	enum ip_conntrack_info ctinfo;
 	struct nf_flow_route route;
 	struct flow_offload *flow;
 	enum ip_conntrack_dir dir;
-	bool is_tcp = false;
 	struct nf_conn *ct;
 	int ret;
 
@@ -88,7 +88,10 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 
 	switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
 	case IPPROTO_TCP:
-		is_tcp = true;
+		tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff,
+					  sizeof(_tcph), &_tcph);
+		if (unlikely(!tcph || tcph->fin || tcph->rst))
+			goto out;
 		break;
 	case IPPROTO_UDP:
 		break;
@@ -115,7 +118,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 	if (!flow)
 		goto err_flow_alloc;
 
-	if (is_tcp) {
+	if (tcph) {
 		ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 	}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 23/57] drm/mediatek: use correct device to import PRIME buffers
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 22/57] netfilter: nft_flow_offload: skip tcp rst and fin packets Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 24/57] drm/mediatek: set DMA max segment size Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Courbot, CK Hu, Sasha Levin

[ Upstream commit 4c6f3196e6ea111c456c6086dc3f57d4706b0b2d ]

PRIME buffers should be imported using the DMA device. To this end, use
a custom import function that mimics drm_gem_prime_import_dev(), but
passes the correct device.

Fixes: 119f5173628aa ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index fd83046d8376b..ffb997440851d 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -327,6 +327,18 @@ static const struct file_operations mtk_drm_fops = {
 	.compat_ioctl = drm_compat_ioctl,
 };
 
+/*
+ * We need to override this because the device used to import the memory is
+ * not dev->dev, as drm_gem_prime_import() expects.
+ */
+struct drm_gem_object *mtk_drm_gem_prime_import(struct drm_device *dev,
+						struct dma_buf *dma_buf)
+{
+	struct mtk_drm_private *private = dev->dev_private;
+
+	return drm_gem_prime_import_dev(dev, dma_buf, private->dma_dev);
+}
+
 static struct drm_driver mtk_drm_driver = {
 	.driver_features = DRIVER_MODESET | DRIVER_GEM | DRIVER_PRIME |
 			   DRIVER_ATOMIC,
@@ -338,7 +350,7 @@ static struct drm_driver mtk_drm_driver = {
 	.prime_handle_to_fd = drm_gem_prime_handle_to_fd,
 	.prime_fd_to_handle = drm_gem_prime_fd_to_handle,
 	.gem_prime_export = drm_gem_prime_export,
-	.gem_prime_import = drm_gem_prime_import,
+	.gem_prime_import = mtk_drm_gem_prime_import,
 	.gem_prime_get_sg_table = mtk_gem_prime_get_sg_table,
 	.gem_prime_import_sg_table = mtk_gem_prime_import_sg_table,
 	.gem_prime_mmap = mtk_drm_gem_mmap_buf,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 24/57] drm/mediatek: set DMA max segment size
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 23/57] drm/mediatek: use correct device to import PRIME buffers Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 25/57] scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Courbot, Tomasz Figa,
	CK Hu, Sasha Levin

[ Upstream commit 070955558e820b9a89c570b91b1f21762f62b288 ]

This driver requires imported PRIME buffers to appear contiguously in
its IO address space. Make sure this is the case by setting the maximum
DMA segment size to a more suitable value than the default 64KB.

Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 35 ++++++++++++++++++++++++--
 drivers/gpu/drm/mediatek/mtk_drm_drv.h |  2 ++
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index ffb997440851d..f6389479fccb5 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -220,6 +220,7 @@ static int mtk_drm_kms_init(struct drm_device *drm)
 	struct mtk_drm_private *private = drm->dev_private;
 	struct platform_device *pdev;
 	struct device_node *np;
+	struct device *dma_dev;
 	int ret;
 
 	if (!iommu_present(&platform_bus_type))
@@ -282,7 +283,29 @@ static int mtk_drm_kms_init(struct drm_device *drm)
 		goto err_component_unbind;
 	}
 
-	private->dma_dev = &pdev->dev;
+	dma_dev = &pdev->dev;
+	private->dma_dev = dma_dev;
+
+	/*
+	 * Configure the DMA segment size to make sure we get contiguous IOVA
+	 * when importing PRIME buffers.
+	 */
+	if (!dma_dev->dma_parms) {
+		private->dma_parms_allocated = true;
+		dma_dev->dma_parms =
+			devm_kzalloc(drm->dev, sizeof(*dma_dev->dma_parms),
+				     GFP_KERNEL);
+	}
+	if (!dma_dev->dma_parms) {
+		ret = -ENOMEM;
+		goto err_component_unbind;
+	}
+
+	ret = dma_set_max_seg_size(dma_dev, (unsigned int)DMA_BIT_MASK(32));
+	if (ret) {
+		dev_err(dma_dev, "Failed to set DMA segment size\n");
+		goto err_unset_dma_parms;
+	}
 
 	/*
 	 * We don't use the drm_irq_install() helpers provided by the DRM
@@ -292,13 +315,16 @@ static int mtk_drm_kms_init(struct drm_device *drm)
 	drm->irq_enabled = true;
 	ret = drm_vblank_init(drm, MAX_CRTC);
 	if (ret < 0)
-		goto err_component_unbind;
+		goto err_unset_dma_parms;
 
 	drm_kms_helper_poll_init(drm);
 	drm_mode_config_reset(drm);
 
 	return 0;
 
+err_unset_dma_parms:
+	if (private->dma_parms_allocated)
+		dma_dev->dma_parms = NULL;
 err_component_unbind:
 	component_unbind_all(drm->dev, drm);
 err_config_cleanup:
@@ -309,9 +335,14 @@ err_config_cleanup:
 
 static void mtk_drm_kms_deinit(struct drm_device *drm)
 {
+	struct mtk_drm_private *private = drm->dev_private;
+
 	drm_kms_helper_poll_fini(drm);
 	drm_atomic_helper_shutdown(drm);
 
+	if (private->dma_parms_allocated)
+		private->dma_dev->dma_parms = NULL;
+
 	component_unbind_all(drm->dev, drm);
 	drm_mode_config_cleanup(drm);
 }
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.h b/drivers/gpu/drm/mediatek/mtk_drm_drv.h
index ecc00ca3221da..8fa60d46f8605 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.h
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.h
@@ -59,6 +59,8 @@ struct mtk_drm_private {
 	} commit;
 
 	struct drm_atomic_state *suspend_state;
+
+	bool dma_parms_allocated;
 };
 
 extern struct platform_driver mtk_ddp_driver;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 25/57] scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 24/57] drm/mediatek: set DMA max segment size Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 26/57] scsi: target: tcmu: avoid use-after-free after command timeout Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bill Kuzeja, Himanshu Madhani,
	Martin K. Petersen, Sasha Levin

[ Upstream commit 26fa656e9a0cbccddf7db132ea020d2169dbe46e ]

If HBA initialization fails unexpectedly (exiting via probe_failed:), we
may fail to free vha->gnl.l. So that we don't attempt to double free, set
this pointer to NULL after a free and check for NULL at probe_failed: so we
know whether or not to call dma_free_coherent.

Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_attr.c |  2 ++
 drivers/scsi/qla2xxx/qla_os.c   | 11 ++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
index f8f4d3ea67f3f..15d493f30810f 100644
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -2191,6 +2191,8 @@ qla24xx_vport_delete(struct fc_vport *fc_vport)
 	dma_free_coherent(&ha->pdev->dev, vha->gnl.size, vha->gnl.l,
 	    vha->gnl.ldma);
 
+	vha->gnl.l = NULL;
+
 	vfree(vha->scan.l);
 
 	if (vha->qpair && vha->qpair->vp_idx == vha->vp_idx) {
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 42b8f0d3e580d..02fa81f122c22 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3395,6 +3395,12 @@ skip_dpc:
 	return 0;
 
 probe_failed:
+	if (base_vha->gnl.l) {
+		dma_free_coherent(&ha->pdev->dev, base_vha->gnl.size,
+				base_vha->gnl.l, base_vha->gnl.ldma);
+		base_vha->gnl.l = NULL;
+	}
+
 	if (base_vha->timer_active)
 		qla2x00_stop_timer(base_vha);
 	base_vha->flags.online = 0;
@@ -3624,7 +3630,7 @@ qla2x00_remove_one(struct pci_dev *pdev)
 	if (!atomic_read(&pdev->enable_cnt)) {
 		dma_free_coherent(&ha->pdev->dev, base_vha->gnl.size,
 		    base_vha->gnl.l, base_vha->gnl.ldma);
-
+		base_vha->gnl.l = NULL;
 		scsi_host_put(base_vha->host);
 		kfree(ha);
 		pci_set_drvdata(pdev, NULL);
@@ -3663,6 +3669,8 @@ qla2x00_remove_one(struct pci_dev *pdev)
 	dma_free_coherent(&ha->pdev->dev,
 		base_vha->gnl.size, base_vha->gnl.l, base_vha->gnl.ldma);
 
+	base_vha->gnl.l = NULL;
+
 	vfree(base_vha->scan.l);
 
 	if (IS_QLAFX00(ha))
@@ -4602,6 +4610,7 @@ struct scsi_qla_host *qla2x00_create_host(struct scsi_host_template *sht,
 		    "Alloc failed for scan database.\n");
 		dma_free_coherent(&ha->pdev->dev, vha->gnl.size,
 		    vha->gnl.l, vha->gnl.ldma);
+		vha->gnl.l = NULL;
 		scsi_remove_host(vha->host);
 		return NULL;
 	}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 26/57] scsi: target: tcmu: avoid use-after-free after command timeout
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 25/57] scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 27/57] cxgb4: fix a memory leak bug Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Fomichev, Mike Christie,
	Damien Le Moal, Martin K. Petersen, Sasha Levin

[ Upstream commit a86a75865ff4d8c05f355d1750a5250aec89ab15 ]

In tcmu_handle_completion() function, the variable called read_len is
always initialized with a value taken from se_cmd structure. If this
function is called to complete an expired (timed out) out command, the
session command pointed by se_cmd is likely to be already deallocated by
the target core at that moment. As the result, this access triggers a
use-after-free warning from KASAN.

This patch fixes the code not to touch se_cmd when completing timed out
TCMU commands. It also resets the pointer to se_cmd at the time when the
TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid
after calling target_complete_cmd() later in the same function,
tcmu_check_expired_cmd().

Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Acked-by: Mike Christie <mchristi@redhat.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/target/target_core_user.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index c46efa47d68a5..7159e8363b83b 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1143,14 +1143,16 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry *
 	struct se_cmd *se_cmd = cmd->se_cmd;
 	struct tcmu_dev *udev = cmd->tcmu_dev;
 	bool read_len_valid = false;
-	uint32_t read_len = se_cmd->data_length;
+	uint32_t read_len;
 
 	/*
 	 * cmd has been completed already from timeout, just reclaim
 	 * data area space and free cmd
 	 */
-	if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags))
+	if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) {
+		WARN_ON_ONCE(se_cmd);
 		goto out;
+	}
 
 	list_del_init(&cmd->queue_entry);
 
@@ -1163,6 +1165,7 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry *
 		goto done;
 	}
 
+	read_len = se_cmd->data_length;
 	if (se_cmd->data_direction == DMA_FROM_DEVICE &&
 	    (entry->hdr.uflags & TCMU_UFLAG_READ_LEN) && entry->rsp.read_len) {
 		read_len_valid = true;
@@ -1318,6 +1321,7 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
 		 */
 		scsi_status = SAM_STAT_CHECK_CONDITION;
 		list_del_init(&cmd->queue_entry);
+		cmd->se_cmd = NULL;
 	} else {
 		list_del_init(&cmd->queue_entry);
 		idr_remove(&udev->commands, id);
@@ -2036,6 +2040,7 @@ static void tcmu_reset_ring(struct tcmu_dev *udev, u8 err_level)
 
 		idr_remove(&udev->commands, i);
 		if (!test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) {
+			WARN_ON(!cmd->se_cmd);
 			list_del_init(&cmd->queue_entry);
 			if (err_level == 1) {
 				/*
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 27/57] cxgb4: fix a memory leak bug
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 26/57] scsi: target: tcmu: avoid use-after-free after command timeout Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-09 13:06   ` Pavel Machek
  2019-09-08 12:41 ` [PATCH 4.19 28/57] liquidio: add cleanup in octeon_setup_iq() Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  60 siblings, 1 reply; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

[ Upstream commit c554336efa9bbc28d6ec14efbee3c7d63c61a34f ]

In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
leading to a memory leak bug. To fix this issue, free t before returning
the error.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
index 0f72f9c4ec74c..b429b726b987b 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
@@ -3276,8 +3276,10 @@ static ssize_t blocked_fl_write(struct file *filp, const char __user *ubuf,
 		return -ENOMEM;
 
 	err = bitmap_parse_user(ubuf, count, t, adap->sge.egr_sz);
-	if (err)
+	if (err) {
+		kvfree(t);
 		return err;
+	}
 
 	bitmap_copy(adap->sge.blocked_fl, t, adap->sge.egr_sz);
 	kvfree(t);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 28/57] liquidio: add cleanup in octeon_setup_iq()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 27/57] cxgb4: fix a memory leak bug Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 29/57] net: myri10ge: fix memory leaks Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

[ Upstream commit 6f967f8b1be7001b31c46429f2ee7d275af2190f ]

If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
to memory/resource leaks. To fix this issue, invoke
octeon_delete_instr_queue() before returning from the function.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cavium/liquidio/request_manager.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c
index 8f746e1348d4c..3deb3c07681fd 100644
--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c
+++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c
@@ -238,8 +238,10 @@ int octeon_setup_iq(struct octeon_device *oct,
 	}
 
 	oct->num_iqs++;
-	if (oct->fn_list.enable_io_queues(oct))
+	if (oct->fn_list.enable_io_queues(oct)) {
+		octeon_delete_instr_queue(oct, iq_no);
 		return 1;
+	}
 
 	return 0;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 29/57] net: myri10ge: fix memory leaks
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 28/57] liquidio: add cleanup in octeon_setup_iq() Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 30/57] lan78xx: Fix " Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

[ Upstream commit 20fb7c7a39b5c719e2e619673b5f5729ee7d2306 ]

In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
related structures. Later on, myri10ge_request_irq() is used to get an irq.
However, if this process fails, the allocated slices related structures are
not deallocated, leading to memory leaks. To fix this issue, revise the
target label of the goto statement to 'abort_with_slices'.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
index b2d2ec8c11e2d..6789eed78ff70 100644
--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
@@ -3922,7 +3922,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 	 * setup (if available). */
 	status = myri10ge_request_irq(mgp);
 	if (status != 0)
-		goto abort_with_firmware;
+		goto abort_with_slices;
 	myri10ge_free_irq(mgp);
 
 	/* Save configuration space to be restored if the
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 30/57] lan78xx: Fix memory leaks
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 29/57] net: myri10ge: fix memory leaks Greg Kroah-Hartman
@ 2019-09-08 12:41 ` " Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 31/57] vfs: fix page locking deadlocks when deduping files Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

[ Upstream commit b9cbf8a64865b50fd0f4a3915fa00ac7365cdf8f ]

In lan78xx_probe(), a new urb is allocated through usb_alloc_urb() and
saved to 'dev->urb_intr'. However, in the following execution, if an error
occurs, 'dev->urb_intr' is not deallocated, leading to memory leaks. To fix
this issue, invoke usb_free_urb() to free the allocated urb before
returning from the function.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/lan78xx.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index 8d140495da79d..e20266bd209e2 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3799,7 +3799,7 @@ static int lan78xx_probe(struct usb_interface *intf,
 	ret = register_netdev(netdev);
 	if (ret != 0) {
 		netif_err(dev, probe, netdev, "couldn't register the device\n");
-		goto out3;
+		goto out4;
 	}
 
 	usb_set_intfdata(intf, dev);
@@ -3814,12 +3814,14 @@ static int lan78xx_probe(struct usb_interface *intf,
 
 	ret = lan78xx_phy_init(dev);
 	if (ret < 0)
-		goto out4;
+		goto out5;
 
 	return 0;
 
-out4:
+out5:
 	unregister_netdev(netdev);
+out4:
+	usb_free_urb(dev->urb_intr);
 out3:
 	lan78xx_unbind(dev, intf);
 out2:
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 31/57] vfs: fix page locking deadlocks when deduping files
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 30/57] lan78xx: Fix " Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 32/57] cx82310_eth: fix a memory leak bug Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Bill ODonnell,
	Matthew Wilcox (Oracle),
	Sasha Levin

[ Upstream commit edc58dd0123b552453a74369bd0c8d890b497b4b ]

When dedupe wants to use the page cache to compare parts of two files
for dedupe, we must be very careful to handle locking correctly.  The
current code doesn't do this.  It must lock and unlock the page only
once if the two pages are the same, since the overlapping range check
doesn't catch this when blocksize < pagesize.  If the pages are distinct
but from the same file, we must observe page locking order and lock them
in order of increasing offset to avoid clashing with writeback locking.

Fixes: 876bec6f9bbfcb3 ("vfs: refactor clone/dedupe_file_range common functions")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Bill O'Donnell <billodo@redhat.com>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/read_write.c | 49 +++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 41 insertions(+), 8 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c
index 85fd7a8ee29eb..5fb5ee5b8cd70 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1888,10 +1888,7 @@ int vfs_clone_file_range(struct file *file_in, loff_t pos_in,
 }
 EXPORT_SYMBOL(vfs_clone_file_range);
 
-/*
- * Read a page's worth of file data into the page cache.  Return the page
- * locked.
- */
+/* Read a page's worth of file data into the page cache. */
 static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset)
 {
 	struct address_space *mapping;
@@ -1907,10 +1904,32 @@ static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset)
 		put_page(page);
 		return ERR_PTR(-EIO);
 	}
-	lock_page(page);
 	return page;
 }
 
+/*
+ * Lock two pages, ensuring that we lock in offset order if the pages are from
+ * the same file.
+ */
+static void vfs_lock_two_pages(struct page *page1, struct page *page2)
+{
+	/* Always lock in order of increasing index. */
+	if (page1->index > page2->index)
+		swap(page1, page2);
+
+	lock_page(page1);
+	if (page1 != page2)
+		lock_page(page2);
+}
+
+/* Unlock two pages, being careful not to unlock the same page twice. */
+static void vfs_unlock_two_pages(struct page *page1, struct page *page2)
+{
+	unlock_page(page1);
+	if (page1 != page2)
+		unlock_page(page2);
+}
+
 /*
  * Compare extents of two files to see if they are the same.
  * Caller must have locked both inodes to prevent write races.
@@ -1948,10 +1967,24 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff,
 		dest_page = vfs_dedupe_get_page(dest, destoff);
 		if (IS_ERR(dest_page)) {
 			error = PTR_ERR(dest_page);
-			unlock_page(src_page);
 			put_page(src_page);
 			goto out_error;
 		}
+
+		vfs_lock_two_pages(src_page, dest_page);
+
+		/*
+		 * Now that we've locked both pages, make sure they're still
+		 * mapped to the file data we're interested in.  If not,
+		 * someone is invalidating pages on us and we lose.
+		 */
+		if (!PageUptodate(src_page) || !PageUptodate(dest_page) ||
+		    src_page->mapping != src->i_mapping ||
+		    dest_page->mapping != dest->i_mapping) {
+			same = false;
+			goto unlock;
+		}
+
 		src_addr = kmap_atomic(src_page);
 		dest_addr = kmap_atomic(dest_page);
 
@@ -1963,8 +1996,8 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff,
 
 		kunmap_atomic(dest_addr);
 		kunmap_atomic(src_addr);
-		unlock_page(dest_page);
-		unlock_page(src_page);
+unlock:
+		vfs_unlock_two_pages(src_page, dest_page);
 		put_page(dest_page);
 		put_page(src_page);
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 32/57] cx82310_eth: fix a memory leak bug
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 31/57] vfs: fix page locking deadlocks when deduping files Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 33/57] net: kalmia: fix memory leaks Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

[ Upstream commit 1eca92eef18719027d394bf1a2d276f43e7cf886 ]

In cx82310_bind(), 'dev->partial_data' is allocated through kmalloc().
Then, the execution waits for the firmware to become ready. If the firmware
is not ready in time, the execution is terminated. However, the allocated
'dev->partial_data' is not deallocated on this path, leading to a memory
leak bug. To fix this issue, free 'dev->partial_data' before returning the
error.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/cx82310_eth.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
index 947bea81d9241..dfbdea22fbad9 100644
--- a/drivers/net/usb/cx82310_eth.c
+++ b/drivers/net/usb/cx82310_eth.c
@@ -175,7 +175,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
 	}
 	if (!timeout) {
 		dev_err(&udev->dev, "firmware not ready in time\n");
-		return -ETIMEDOUT;
+		ret = -ETIMEDOUT;
+		goto err;
 	}
 
 	/* enable ethernet mode (?) */
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 33/57] net: kalmia: fix memory leaks
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 32/57] cx82310_eth: fix a memory leak bug Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 34/57] ibmvnic: Unmap DMA address of TX descriptor buffers after use Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

[ Upstream commit f1472cb09f11ddb41d4be84f0650835cb65a9073 ]

In kalmia_init_and_get_ethernet_addr(), 'usb_buf' is allocated through
kmalloc(). In the following execution, if the 'status' returned by
kalmia_send_init_packet() is not 0, 'usb_buf' is not deallocated, leading
to memory leaks. To fix this issue, add the 'out' label to free 'usb_buf'.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/kalmia.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c
index bd2ba36590288..0cc6993c279a2 100644
--- a/drivers/net/usb/kalmia.c
+++ b/drivers/net/usb/kalmia.c
@@ -117,16 +117,16 @@ kalmia_init_and_get_ethernet_addr(struct usbnet *dev, u8 *ethernet_addr)
 	status = kalmia_send_init_packet(dev, usb_buf, ARRAY_SIZE(init_msg_1),
 					 usb_buf, 24);
 	if (status != 0)
-		return status;
+		goto out;
 
 	memcpy(usb_buf, init_msg_2, 12);
 	status = kalmia_send_init_packet(dev, usb_buf, ARRAY_SIZE(init_msg_2),
 					 usb_buf, 28);
 	if (status != 0)
-		return status;
+		goto out;
 
 	memcpy(ethernet_addr, usb_buf + 10, ETH_ALEN);
-
+out:
 	kfree(usb_buf);
 	return status;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 34/57] ibmvnic: Unmap DMA address of TX descriptor buffers after use
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 33/57] net: kalmia: fix memory leaks Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:41 ` [PATCH 4.19 35/57] net: cavium: fix driver name Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abdul Haleem, Devesh K. Singh,
	Thomas Falcon, David S. Miller, Sasha Levin

[ Upstream commit 80f0fe0934cd3daa13a5e4d48a103f469115b160 ]

There's no need to wait until a completion is received to unmap
TX descriptor buffers that have been passed to the hypervisor.
Instead unmap it when the hypervisor call has completed. This patch
avoids the possibility that a buffer will not be unmapped because
a TX completion is lost or mishandled.

Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Tested-by: Devesh K. Singh <devesh_singh@in.ibm.com>
Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ibm/ibmvnic.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
index 0ae43d27cdcff..255de7d68cd33 100644
--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -1586,6 +1586,8 @@ static int ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
 		lpar_rc = send_subcrq_indirect(adapter, handle_array[queue_num],
 					       (u64)tx_buff->indir_dma,
 					       (u64)num_entries);
+		dma_unmap_single(dev, tx_buff->indir_dma,
+				 sizeof(tx_buff->indir_arr), DMA_TO_DEVICE);
 	} else {
 		tx_buff->num_entries = num_entries;
 		lpar_rc = send_subcrq(adapter, handle_array[queue_num],
@@ -2747,7 +2749,6 @@ static int ibmvnic_complete_tx(struct ibmvnic_adapter *adapter,
 	union sub_crq *next;
 	int index;
 	int i, j;
-	u8 *first;
 
 restart_loop:
 	while (pending_scrq(adapter, scrq)) {
@@ -2777,14 +2778,6 @@ restart_loop:
 
 				txbuff->data_dma[j] = 0;
 			}
-			/* if sub_crq was sent indirectly */
-			first = &txbuff->indir_arr[0].generic.first;
-			if (*first == IBMVNIC_CRQ_CMD) {
-				dma_unmap_single(dev, txbuff->indir_dma,
-						 sizeof(txbuff->indir_arr),
-						 DMA_TO_DEVICE);
-				*first = 0;
-			}
 
 			if (txbuff->last_frag) {
 				dev_kfree_skb_any(txbuff->skb);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 35/57] net: cavium: fix driver name
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 34/57] ibmvnic: Unmap DMA address of TX descriptor buffers after use Greg Kroah-Hartman
@ 2019-09-08 12:41 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 36/57] wimax/i2400m: fix a memory leak bug Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Hemminger, David S. Miller,
	Sasha Levin

[ Upstream commit 3434341004a380f4e47c3a03d4320d43982162a0 ]

The driver name gets exposed in sysfs under /sys/bus/pci/drivers
so it should look like other devices. Change it to be common
format (instead of "Cavium PTP").

This is a trivial fix that was observed by accident because
Debian kernels were building this driver into kernel (bug).

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cavium/common/cavium_ptp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/cavium/common/cavium_ptp.c b/drivers/net/ethernet/cavium/common/cavium_ptp.c
index 6aeb1045c302a..1ab40c97403ba 100644
--- a/drivers/net/ethernet/cavium/common/cavium_ptp.c
+++ b/drivers/net/ethernet/cavium/common/cavium_ptp.c
@@ -10,7 +10,7 @@
 
 #include "cavium_ptp.h"
 
-#define DRV_NAME	"Cavium PTP Driver"
+#define DRV_NAME "cavium_ptp"
 
 #define PCI_DEVICE_ID_CAVIUM_PTP	0xA00C
 #define PCI_DEVICE_ID_CAVIUM_RST	0xA00E
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 36/57] wimax/i2400m: fix a memory leak bug
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-09-08 12:41 ` [PATCH 4.19 35/57] net: cavium: fix driver name Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 37/57] ravb: Fix use-after-free ravb_tstamp_skb Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

[ Upstream commit 44ef3a03252844a8753479b0cea7f29e4a804bdc ]

In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup()
to hold the original command line options. Then, the options are parsed.
However, if an error occurs during the parsing process, 'options_orig' is
not deallocated, leading to a memory leak bug. To fix this issue, free
'options_orig' before returning the error.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wimax/i2400m/fw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c
index e9fc168bb7345..489cba9b284d1 100644
--- a/drivers/net/wimax/i2400m/fw.c
+++ b/drivers/net/wimax/i2400m/fw.c
@@ -351,13 +351,15 @@ int i2400m_barker_db_init(const char *_options)
 			}
 			result = i2400m_barker_db_add(barker);
 			if (result < 0)
-				goto error_add;
+				goto error_parse_add;
 		}
 		kfree(options_orig);
 	}
 	return 0;
 
+error_parse_add:
 error_parse:
+	kfree(options_orig);
 error_add:
 	kfree(i2400m_barker_db);
 	return result;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 37/57] ravb: Fix use-after-free ravb_tstamp_skb
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 36/57] wimax/i2400m: fix a memory leak bug Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 38/57] kprobes: Fix potential deadlock in kprobe_optimizer() Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tho Vu, Kazuya Mizuguchi,
	Simon Horman, David S. Miller, Sasha Levin

[ Upstream commit cfef46d692efd852a0da6803f920cc756eea2855 ]

When a Tx timestamp is requested, a pointer to the skb is stored in the
ravb_tstamp_skb struct. This was done without an skb_get. There exists
the possibility that the skb could be freed by ravb_tx_free (when
ravb_tx_free is called from ravb_start_xmit) before the timestamp was
processed, leading to a use-after-free bug.

Use skb_get when filling a ravb_tstamp_skb struct, and add appropriate
frees/consumes when a ravb_tstamp_skb struct is freed.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Tho Vu <tho.vu.wh@rvc.renesas.com>
Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 5f092bbd05148..5462d2e8a1b71 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 /* Renesas Ethernet AVB device driver
  *
- * Copyright (C) 2014-2015 Renesas Electronics Corporation
+ * Copyright (C) 2014-2019 Renesas Electronics Corporation
  * Copyright (C) 2015 Renesas Solutions Corp.
  * Copyright (C) 2015-2016 Cogent Embedded, Inc. <source@cogentembedded.com>
  *
@@ -514,7 +514,10 @@ static void ravb_get_tx_tstamp(struct net_device *ndev)
 			kfree(ts_skb);
 			if (tag == tfa_tag) {
 				skb_tstamp_tx(skb, &shhwtstamps);
+				dev_consume_skb_any(skb);
 				break;
+			} else {
+				dev_kfree_skb_any(skb);
 			}
 		}
 		ravb_modify(ndev, TCCR, TCCR_TFR, TCCR_TFR);
@@ -1556,7 +1559,7 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev)
 					 DMA_TO_DEVICE);
 			goto unmap;
 		}
-		ts_skb->skb = skb;
+		ts_skb->skb = skb_get(skb);
 		ts_skb->tag = priv->ts_skb_tag++;
 		priv->ts_skb_tag &= 0x3ff;
 		list_add_tail(&ts_skb->list, &priv->ts_skb_list);
@@ -1685,6 +1688,7 @@ static int ravb_close(struct net_device *ndev)
 	/* Clear the timestamp list */
 	list_for_each_entry_safe(ts_skb, ts_skb2, &priv->ts_skb_list, list) {
 		list_del(&ts_skb->list);
+		kfree_skb(ts_skb->skb);
 		kfree(ts_skb);
 	}
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 38/57] kprobes: Fix potential deadlock in kprobe_optimizer()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 37/57] ravb: Fix use-after-free ravb_tstamp_skb Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 39/57] HID: cp2112: prevent sleeping function called from invalid context Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrea Righi, Masami Hiramatsu,
	Anil S Keshavamurthy, David S. Miller, Linus Torvalds,
	Naveen N. Rao, Peter Zijlstra, Thomas Gleixner, Ingo Molnar,
	Sasha Levin

[ Upstream commit f1c6ece23729257fb46562ff9224cf5f61b818da ]

lockdep reports the following deadlock scenario:

 WARNING: possible circular locking dependency detected

 kworker/1:1/48 is trying to acquire lock:
 000000008d7a62b2 (text_mutex){+.+.}, at: kprobe_optimizer+0x163/0x290

 but task is already holding lock:
 00000000850b5e2d (module_mutex){+.+.}, at: kprobe_optimizer+0x31/0x290

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #1 (module_mutex){+.+.}:
        __mutex_lock+0xac/0x9f0
        mutex_lock_nested+0x1b/0x20
        set_all_modules_text_rw+0x22/0x90
        ftrace_arch_code_modify_prepare+0x1c/0x20
        ftrace_run_update_code+0xe/0x30
        ftrace_startup_enable+0x2e/0x50
        ftrace_startup+0xa7/0x100
        register_ftrace_function+0x27/0x70
        arm_kprobe+0xb3/0x130
        enable_kprobe+0x83/0xa0
        enable_trace_kprobe.part.0+0x2e/0x80
        kprobe_register+0x6f/0xc0
        perf_trace_event_init+0x16b/0x270
        perf_kprobe_init+0xa7/0xe0
        perf_kprobe_event_init+0x3e/0x70
        perf_try_init_event+0x4a/0x140
        perf_event_alloc+0x93a/0xde0
        __do_sys_perf_event_open+0x19f/0xf30
        __x64_sys_perf_event_open+0x20/0x30
        do_syscall_64+0x65/0x1d0
        entry_SYSCALL_64_after_hwframe+0x49/0xbe

 -> #0 (text_mutex){+.+.}:
        __lock_acquire+0xfcb/0x1b60
        lock_acquire+0xca/0x1d0
        __mutex_lock+0xac/0x9f0
        mutex_lock_nested+0x1b/0x20
        kprobe_optimizer+0x163/0x290
        process_one_work+0x22b/0x560
        worker_thread+0x50/0x3c0
        kthread+0x112/0x150
        ret_from_fork+0x3a/0x50

 other info that might help us debug this:

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(module_mutex);
                                lock(text_mutex);
                                lock(module_mutex);
   lock(text_mutex);

  *** DEADLOCK ***

As a reproducer I've been using bcc's funccount.py
(https://github.com/iovisor/bcc/blob/master/tools/funccount.py),
for example:

 # ./funccount.py '*interrupt*'

That immediately triggers the lockdep splat.

Fix by acquiring text_mutex before module_mutex in kprobe_optimizer().

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: d5b844a2cf50 ("ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()")
Link: http://lkml.kernel.org/r/20190812184302.GA7010@xps-13
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/kprobes.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 29ff6635d2597..714d63f60460b 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -483,6 +483,7 @@ static DECLARE_DELAYED_WORK(optimizing_work, kprobe_optimizer);
  */
 static void do_optimize_kprobes(void)
 {
+	lockdep_assert_held(&text_mutex);
 	/*
 	 * The optimization/unoptimization refers online_cpus via
 	 * stop_machine() and cpu-hotplug modifies online_cpus.
@@ -500,9 +501,7 @@ static void do_optimize_kprobes(void)
 	    list_empty(&optimizing_list))
 		return;
 
-	mutex_lock(&text_mutex);
 	arch_optimize_kprobes(&optimizing_list);
-	mutex_unlock(&text_mutex);
 }
 
 /*
@@ -513,6 +512,7 @@ static void do_unoptimize_kprobes(void)
 {
 	struct optimized_kprobe *op, *tmp;
 
+	lockdep_assert_held(&text_mutex);
 	/* See comment in do_optimize_kprobes() */
 	lockdep_assert_cpus_held();
 
@@ -520,7 +520,6 @@ static void do_unoptimize_kprobes(void)
 	if (list_empty(&unoptimizing_list))
 		return;
 
-	mutex_lock(&text_mutex);
 	arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list);
 	/* Loop free_list for disarming */
 	list_for_each_entry_safe(op, tmp, &freeing_list, list) {
@@ -537,7 +536,6 @@ static void do_unoptimize_kprobes(void)
 		} else
 			list_del_init(&op->list);
 	}
-	mutex_unlock(&text_mutex);
 }
 
 /* Reclaim all kprobes on the free_list */
@@ -563,6 +561,7 @@ static void kprobe_optimizer(struct work_struct *work)
 {
 	mutex_lock(&kprobe_mutex);
 	cpus_read_lock();
+	mutex_lock(&text_mutex);
 	/* Lock modules while optimizing kprobes */
 	mutex_lock(&module_mutex);
 
@@ -590,6 +589,7 @@ static void kprobe_optimizer(struct work_struct *work)
 	do_free_cleaned_kprobes();
 
 	mutex_unlock(&module_mutex);
+	mutex_unlock(&text_mutex);
 	cpus_read_unlock();
 	mutex_unlock(&kprobe_mutex);
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 39/57] HID: cp2112: prevent sleeping function called from invalid context
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 38/57] kprobes: Fix potential deadlock in kprobe_optimizer() Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 40/57] x86/boot/compressed/64: Fix boot on machines with broken E820 table Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Tissoires, Jiri Kosina, Sasha Levin

[ Upstream commit 2d05dba2b25ecb0f8fc3a0b4eb2232da6454a47b ]

When calling request_threaded_irq() with a CP2112, the function
cp2112_gpio_irq_startup() is called in a IRQ context.

Therefore we can not sleep, and we can not call
cp2112_gpio_direction_input() there.

Move the call to cp2112_gpio_direction_input() earlier to have a working
driver.

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-cp2112.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 271f31461da42..6f65f52572368 100644
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -1160,8 +1160,6 @@ static unsigned int cp2112_gpio_irq_startup(struct irq_data *d)
 
 	INIT_DELAYED_WORK(&dev->gpio_poll_worker, cp2112_gpio_poll_callback);
 
-	cp2112_gpio_direction_input(gc, d->hwirq);
-
 	if (!dev->gpio_poll) {
 		dev->gpio_poll = true;
 		schedule_delayed_work(&dev->gpio_poll_worker, 0);
@@ -1209,6 +1207,12 @@ static int __maybe_unused cp2112_allocate_irq(struct cp2112_device *dev,
 		return PTR_ERR(dev->desc[pin]);
 	}
 
+	ret = cp2112_gpio_direction_input(&dev->gc, pin);
+	if (ret < 0) {
+		dev_err(dev->gc.parent, "Failed to set GPIO to input dir\n");
+		goto err_desc;
+	}
+
 	ret = gpiochip_lock_as_irq(&dev->gc, pin);
 	if (ret) {
 		dev_err(dev->gc.parent, "Failed to lock GPIO as interrupt\n");
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 40/57] x86/boot/compressed/64: Fix boot on machines with broken E820 table
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 39/57] HID: cp2112: prevent sleeping function called from invalid context Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 41/57] Input: hyperv-keyboard: Use in-place iterator API in the channel callback Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Borislav Petkov,
	H. Peter Anvin, Ingo Molnar, Thomas Gleixner, x86-ml,
	Sasha Levin

[ Upstream commit 0a46fff2f9108c2c44218380a43a736cf4612541 ]

BIOS on Samsung 500C Chromebook reports very rudimentary E820 table that
consists of 2 entries:

  BIOS-e820: [mem 0x0000000000000000-0x0000000000000fff] usable
  BIOS-e820: [mem 0x00000000fffff000-0x00000000ffffffff] reserved

It breaks logic in find_trampoline_placement(): bios_start lands on the
end of the first 4k page and trampoline start gets placed below 0.

Detect underflow and don't touch bios_start for such cases. It makes
kernel ignore E820 table on machines that doesn't have two usable pages
below BIOS_START_MAX.

Fixes: 1b3a62643660 ("x86/boot/compressed/64: Validate trampoline placement against E820")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=203463
Link: https://lkml.kernel.org/r/20190813131654.24378-1-kirill.shutemov@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/boot/compressed/pgtable_64.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c
index f8debf7aeb4c1..f0537a1f7fc25 100644
--- a/arch/x86/boot/compressed/pgtable_64.c
+++ b/arch/x86/boot/compressed/pgtable_64.c
@@ -73,6 +73,8 @@ static unsigned long find_trampoline_placement(void)
 
 	/* Find the first usable memory region under bios_start. */
 	for (i = boot_params->e820_entries - 1; i >= 0; i--) {
+		unsigned long new;
+
 		entry = &boot_params->e820_table[i];
 
 		/* Skip all entries above bios_start. */
@@ -85,15 +87,20 @@ static unsigned long find_trampoline_placement(void)
 
 		/* Adjust bios_start to the end of the entry if needed. */
 		if (bios_start > entry->addr + entry->size)
-			bios_start = entry->addr + entry->size;
+			new = entry->addr + entry->size;
 
 		/* Keep bios_start page-aligned. */
-		bios_start = round_down(bios_start, PAGE_SIZE);
+		new = round_down(new, PAGE_SIZE);
 
 		/* Skip the entry if it's too small. */
-		if (bios_start - TRAMPOLINE_32BIT_SIZE < entry->addr)
+		if (new - TRAMPOLINE_32BIT_SIZE < entry->addr)
 			continue;
 
+		/* Protect against underflow. */
+		if (new - TRAMPOLINE_32BIT_SIZE > bios_start)
+			break;
+
+		bios_start = new;
 		break;
 	}
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 41/57] Input: hyperv-keyboard: Use in-place iterator API in the channel callback
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 40/57] x86/boot/compressed/64: Fix boot on machines with broken E820 table Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 42/57] Tools: hv: kvp: eliminate may be used uninitialized warning Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dexuan Cui, Dmitry Torokhov, Sasha Levin

[ Upstream commit d09bc83640d524b8467a660db7b1d15e6562a1de ]

Simplify the ring buffer handling with the in-place API.

Also avoid the dynamic allocation and the memory leak in the channel
callback function.

Signed-off-by: Dexuan Cui <decui@microsoft.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/serio/hyperv-keyboard.c | 35 +++++----------------------
 1 file changed, 6 insertions(+), 29 deletions(-)

diff --git a/drivers/input/serio/hyperv-keyboard.c b/drivers/input/serio/hyperv-keyboard.c
index a8b9be3e28db7..7d0a5ccf57751 100644
--- a/drivers/input/serio/hyperv-keyboard.c
+++ b/drivers/input/serio/hyperv-keyboard.c
@@ -245,40 +245,17 @@ static void hv_kbd_handle_received_packet(struct hv_device *hv_dev,
 
 static void hv_kbd_on_channel_callback(void *context)
 {
+	struct vmpacket_descriptor *desc;
 	struct hv_device *hv_dev = context;
-	void *buffer;
-	int bufferlen = 0x100; /* Start with sensible size */
 	u32 bytes_recvd;
 	u64 req_id;
-	int error;
 
-	buffer = kmalloc(bufferlen, GFP_ATOMIC);
-	if (!buffer)
-		return;
-
-	while (1) {
-		error = vmbus_recvpacket_raw(hv_dev->channel, buffer, bufferlen,
-					     &bytes_recvd, &req_id);
-		switch (error) {
-		case 0:
-			if (bytes_recvd == 0) {
-				kfree(buffer);
-				return;
-			}
-
-			hv_kbd_handle_received_packet(hv_dev, buffer,
-						      bytes_recvd, req_id);
-			break;
+	foreach_vmbus_pkt(desc, hv_dev->channel) {
+		bytes_recvd = desc->len8 * 8;
+		req_id = desc->trans_id;
 
-		case -ENOBUFS:
-			kfree(buffer);
-			/* Handle large packet */
-			bufferlen = bytes_recvd;
-			buffer = kmalloc(bytes_recvd, GFP_ATOMIC);
-			if (!buffer)
-				return;
-			break;
-		}
+		hv_kbd_handle_received_packet(hv_dev, desc, bytes_recvd,
+					      req_id);
 	}
 }
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 42/57] Tools: hv: kvp: eliminate may be used uninitialized warning
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 41/57] Input: hyperv-keyboard: Use in-place iterator API in the channel callback Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 43/57] nvme-multipath: fix possible I/O hang when paths are updated Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vitaly Kuznetsov, Sasha Levin

[ Upstream commit 89eb4d8d25722a0a0194cf7fa47ba602e32a6da7 ]

When building hv_kvp_daemon GCC-8.3 complains:

hv_kvp_daemon.c: In function ‘kvp_get_ip_info.constprop’:
hv_kvp_daemon.c:812:30: warning: ‘ip_buffer’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  struct hv_kvp_ipaddr_value *ip_buffer;

this seems to be a false positive: we only use ip_buffer when
op == KVP_OP_GET_IP_INFO and it is only unset when op == KVP_OP_ENUMERATE.

Silence the warning by initializing ip_buffer to NULL.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/hv/hv_kvp_daemon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c
index 0ce50c319cfd6..ef8a82f29f024 100644
--- a/tools/hv/hv_kvp_daemon.c
+++ b/tools/hv/hv_kvp_daemon.c
@@ -809,7 +809,7 @@ kvp_get_ip_info(int family, char *if_name, int op,
 	int sn_offset = 0;
 	int error = 0;
 	char *buffer;
-	struct hv_kvp_ipaddr_value *ip_buffer;
+	struct hv_kvp_ipaddr_value *ip_buffer = NULL;
 	char cidr_mask[5]; /* /xyz */
 	int weight;
 	int i;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 43/57] nvme-multipath: fix possible I/O hang when paths are updated
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 42/57] Tools: hv: kvp: eliminate may be used uninitialized warning Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 44/57] IB/mlx4: Fix memory leaks Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Anton Eidelman,
	Sagi Grimberg, Jens Axboe, Sasha Levin

[ Upstream commit 504db087aaccdb32af61539916409f7dca31ceb5 ]

nvme_state_set_live() making a path available triggers requeue_work
in order to resubmit requests that ended up on requeue_list when no
paths were available.

This requeue_work may race with concurrent nvme_ns_head_make_request()
that do not observe the live path yet.
Such concurrent requests may by made by either:
- New IO submission.
- Requeue_work triggered by nvme_failover_req() or another ana_work.

A race may cause requeue_work capture the state of requeue_list before
more requests get onto the list. These requests will stay on the list
forever unless requeue_work is triggered again.

In order to prevent such race, nvme_state_set_live() should
synchronize_srcu(&head->srcu) before triggering the requeue_work and
prevent nvme_ns_head_make_request referencing an old snapshot of the
path list.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/multipath.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
index 05d6371c7f385..f57feb8fdea45 100644
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -323,6 +323,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns)
 				 "failed to create id group.\n");
 	}
 
+	synchronize_srcu(&ns->head->srcu);
 	kblockd_schedule_work(&ns->head->requeue_work);
 }
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 44/57] IB/mlx4: Fix memory leaks
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 43/57] nvme-multipath: fix possible I/O hang when paths are updated Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 45/57] infiniband: hfi1: fix a memory leak bug Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Leon Romanovsky,
	Doug Ledford, Sasha Levin

[ Upstream commit 5c1baaa82cea2c815a5180ded402a7cd455d1810 ]

In mlx4_ib_alloc_pv_bufs(), 'tun_qp->tx_ring' is allocated through
kcalloc(). However, it is not always deallocated in the following execution
if an error occurs, leading to memory leaks. To fix this issue, free
'tun_qp->tx_ring' whenever an error occurs.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Acked-by: Leon Romanovsky <leonro@mellanox.com>
Link: https://lore.kernel.org/r/1566159781-4642-1-git-send-email-wenwen@cs.uga.edu
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/mlx4/mad.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
index e5466d786bb1e..5aaa2a6c431b6 100644
--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1668,8 +1668,6 @@ tx_err:
 				    tx_buf_size, DMA_TO_DEVICE);
 		kfree(tun_qp->tx_ring[i].buf.addr);
 	}
-	kfree(tun_qp->tx_ring);
-	tun_qp->tx_ring = NULL;
 	i = MLX4_NUM_TUNNEL_BUFS;
 err:
 	while (i > 0) {
@@ -1678,6 +1676,8 @@ err:
 				    rx_buf_size, DMA_FROM_DEVICE);
 		kfree(tun_qp->ring[i].addr);
 	}
+	kfree(tun_qp->tx_ring);
+	tun_qp->tx_ring = NULL;
 	kfree(tun_qp->ring);
 	tun_qp->ring = NULL;
 	return -ENOMEM;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 45/57] infiniband: hfi1: fix a memory leak bug
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 44/57] IB/mlx4: Fix memory leaks Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 46/57] infiniband: hfi1: fix memory leaks Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Leon Romanovsky,
	Dennis Dalessandro, Doug Ledford, Sasha Levin

[ Upstream commit b08afa064c320e5d85cdc27228426b696c4c8dae ]

In fault_opcodes_read(), 'data' is not deallocated if debugfs_file_get()
fails, leading to a memory leak. To fix this bug, introduce the 'free_data'
label to free 'data' before returning the error.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Link: https://lore.kernel.org/r/1566156571-4335-1-git-send-email-wenwen@cs.uga.edu
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hfi1/fault.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c
index 7eaff4dcbfd77..72ca0dc5f3b59 100644
--- a/drivers/infiniband/hw/hfi1/fault.c
+++ b/drivers/infiniband/hw/hfi1/fault.c
@@ -214,7 +214,7 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf,
 		return -ENOMEM;
 	ret = debugfs_file_get(file->f_path.dentry);
 	if (unlikely(ret))
-		return ret;
+		goto free_data;
 	bit = find_first_bit(fault->opcodes, bitsize);
 	while (bit < bitsize) {
 		zero = find_next_zero_bit(fault->opcodes, bitsize, bit);
@@ -232,6 +232,7 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf,
 	data[size - 1] = '\n';
 	data[size] = '\0';
 	ret = simple_read_from_buffer(buf, len, pos, data, size);
+free_data:
 	kfree(data);
 	return ret;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 46/57] infiniband: hfi1: fix memory leaks
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 45/57] infiniband: hfi1: fix a memory leak bug Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 47/57] selftests: kvm: fix state save/load on processors without XSAVE Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Leon Romanovsky,
	Dennis Dalessandro, Doug Ledford, Sasha Levin

[ Upstream commit 2323d7baab2b18d87d9bc267452e387aa9f0060a ]

In fault_opcodes_write(), 'data' is allocated through kcalloc(). However,
it is not deallocated in the following execution if an error occurs,
leading to memory leaks. To fix this issue, introduce the 'free_data' label
to free 'data' before returning the error.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Link: https://lore.kernel.org/r/1566154486-3713-1-git-send-email-wenwen@cs.uga.edu
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hfi1/fault.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c
index 72ca0dc5f3b59..5bc811b7e6cf9 100644
--- a/drivers/infiniband/hw/hfi1/fault.c
+++ b/drivers/infiniband/hw/hfi1/fault.c
@@ -141,12 +141,14 @@ static ssize_t fault_opcodes_write(struct file *file, const char __user *buf,
 	if (!data)
 		return -ENOMEM;
 	copy = min(len, datalen - 1);
-	if (copy_from_user(data, buf, copy))
-		return -EFAULT;
+	if (copy_from_user(data, buf, copy)) {
+		ret = -EFAULT;
+		goto free_data;
+	}
 
 	ret = debugfs_file_get(file->f_path.dentry);
 	if (unlikely(ret))
-		return ret;
+		goto free_data;
 	ptr = data;
 	token = ptr;
 	for (ptr = data; *ptr; ptr = end + 1, token = ptr) {
@@ -195,6 +197,7 @@ static ssize_t fault_opcodes_write(struct file *file, const char __user *buf,
 	ret = len;
 
 	debugfs_file_put(file->f_path.dentry);
+free_data:
 	kfree(data);
 	return ret;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 47/57] selftests: kvm: fix state save/load on processors without XSAVE
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 46/57] infiniband: hfi1: fix memory leaks Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 48/57] selftests/kvm: make platform_info_test pass on AMD Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Bonzini, Sasha Levin

[ Upstream commit 54577e5018a8c0cb79c9a0fa118a55c68715d398 ]

state_test and smm_test are failing on older processors that do not
have xcr0.  This is because on those processor KVM does provide
support for KVM_GET/SET_XSAVE (to avoid having to rely on the older
KVM_GET/SET_FPU) but not for KVM_GET/SET_XCRS.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/kvm/lib/x86.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/tools/testing/selftests/kvm/lib/x86.c b/tools/testing/selftests/kvm/lib/x86.c
index a3122f1949a8e..4d35eba73dc97 100644
--- a/tools/testing/selftests/kvm/lib/x86.c
+++ b/tools/testing/selftests/kvm/lib/x86.c
@@ -809,9 +809,11 @@ struct kvm_x86_state *vcpu_save_state(struct kvm_vm *vm, uint32_t vcpuid)
         TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_XSAVE, r: %i",
                 r);
 
-	r = ioctl(vcpu->fd, KVM_GET_XCRS, &state->xcrs);
-        TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_XCRS, r: %i",
-                r);
+	if (kvm_check_cap(KVM_CAP_XCRS)) {
+		r = ioctl(vcpu->fd, KVM_GET_XCRS, &state->xcrs);
+		TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_XCRS, r: %i",
+			    r);
+	}
 
 	r = ioctl(vcpu->fd, KVM_GET_SREGS, &state->sregs);
         TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_SREGS, r: %i",
@@ -858,9 +860,11 @@ void vcpu_load_state(struct kvm_vm *vm, uint32_t vcpuid, struct kvm_x86_state *s
         TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_XSAVE, r: %i",
                 r);
 
-	r = ioctl(vcpu->fd, KVM_SET_XCRS, &state->xcrs);
-        TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_XCRS, r: %i",
-                r);
+	if (kvm_check_cap(KVM_CAP_XCRS)) {
+		r = ioctl(vcpu->fd, KVM_SET_XCRS, &state->xcrs);
+		TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_XCRS, r: %i",
+			    r);
+	}
 
 	r = ioctl(vcpu->fd, KVM_SET_SREGS, &state->sregs);
         TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_SREGS, r: %i",
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 48/57] selftests/kvm: make platform_info_test pass on AMD
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 47/57] selftests: kvm: fix state save/load on processors without XSAVE Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 49/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Kuznetsov, Paolo Bonzini, Sasha Levin

[ Upstream commit e4427372398c31f57450565de277f861a4db5b3b ]

test_msr_platform_info_disabled() generates EXIT_SHUTDOWN but VMCB state
is undefined after that so an attempt to launch this guest again from
test_msr_platform_info_enabled() fails. Reorder the tests to make test
pass.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/kvm/platform_info_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/kvm/platform_info_test.c b/tools/testing/selftests/kvm/platform_info_test.c
index 3764e71212650..65db510dddc34 100644
--- a/tools/testing/selftests/kvm/platform_info_test.c
+++ b/tools/testing/selftests/kvm/platform_info_test.c
@@ -100,8 +100,8 @@ int main(int argc, char *argv[])
 	msr_platform_info = vcpu_get_msr(vm, VCPU_ID, MSR_PLATFORM_INFO);
 	vcpu_set_msr(vm, VCPU_ID, MSR_PLATFORM_INFO,
 		msr_platform_info | MSR_PLATFORM_INFO_MAX_TURBO_RATIO);
-	test_msr_platform_info_disabled(vm);
 	test_msr_platform_info_enabled(vm);
+	test_msr_platform_info_disabled(vm);
 	vcpu_set_msr(vm, VCPU_ID, MSR_PLATFORM_INFO, msr_platform_info);
 
 	kvm_vm_free(vm);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 49/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 48/57] selftests/kvm: make platform_info_test pass on AMD Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 50/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis Henriques, Jeff Layton,
	Ilya Dryomov, Sasha Levin

[ Upstream commit 86968ef21596515958d5f0a40233d02be78ecec0 ]

Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the
i_xattrs.prealloc_blob buffer while holding the i_ceph_lock.  This can be
fixed by postponing the call until later, when the lock is released.

The following backtrace was triggered by fstests generic/117.

  BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
  in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress
  3 locks held by fsstress/650:
   #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50
   #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0
   #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810
  CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
  Call Trace:
   dump_stack+0x67/0x90
   ___might_sleep.cold+0x9f/0xb1
   vfree+0x4b/0x60
   ceph_buffer_release+0x1b/0x60
   __ceph_setxattr+0x2b4/0x810
   __vfs_setxattr+0x66/0x80
   __vfs_setxattr_noperm+0x59/0xf0
   vfs_setxattr+0x81/0xa0
   setxattr+0x115/0x230
   ? filename_lookup+0xc9/0x140
   ? rcu_read_lock_sched_held+0x74/0x80
   ? rcu_sync_lockdep_assert+0x2e/0x60
   ? __sb_start_write+0x142/0x1a0
   ? mnt_want_write+0x20/0x50
   path_setxattr+0xba/0xd0
   __x64_sys_lsetxattr+0x24/0x30
   do_syscall_64+0x50/0x1c0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe
  RIP: 0033:0x7ff23514359a

Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/xattr.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 0a2d4898ee163..71ea45b0231f9 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1011,6 +1011,7 @@ int __ceph_setxattr(struct inode *inode, const char *name,
 	struct ceph_inode_info *ci = ceph_inode(inode);
 	struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
 	struct ceph_cap_flush *prealloc_cf = NULL;
+	struct ceph_buffer *old_blob = NULL;
 	int issued;
 	int err;
 	int dirty = 0;
@@ -1084,13 +1085,15 @@ retry:
 		struct ceph_buffer *blob;
 
 		spin_unlock(&ci->i_ceph_lock);
-		dout(" preaallocating new blob size=%d\n", required_blob_size);
+		ceph_buffer_put(old_blob); /* Shouldn't be required */
+		dout(" pre-allocating new blob size=%d\n", required_blob_size);
 		blob = ceph_buffer_new(required_blob_size, GFP_NOFS);
 		if (!blob)
 			goto do_sync_unlocked;
 		spin_lock(&ci->i_ceph_lock);
+		/* prealloc_blob can't be released while holding i_ceph_lock */
 		if (ci->i_xattrs.prealloc_blob)
-			ceph_buffer_put(ci->i_xattrs.prealloc_blob);
+			old_blob = ci->i_xattrs.prealloc_blob;
 		ci->i_xattrs.prealloc_blob = blob;
 		goto retry;
 	}
@@ -1106,6 +1109,7 @@ retry:
 	}
 
 	spin_unlock(&ci->i_ceph_lock);
+	ceph_buffer_put(old_blob);
 	if (lock_snap_rwsem)
 		up_read(&mdsc->snap_rwsem);
 	if (dirty)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 50/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 49/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 51/57] ceph: fix buffer free while holding i_ceph_lock in fill_inode() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis Henriques, Jeff Layton,
	Ilya Dryomov, Sasha Levin

[ Upstream commit 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8 ]

Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
freeing the i_xattrs.blob buffer while holding the i_ceph_lock.  This can
be fixed by having this function returning the old blob buffer and have
the callers of this function freeing it when the lock is released.

The following backtrace was triggered by fstests generic/117.

  BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
  in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
  4 locks held by fsstress/649:
   #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
   #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
   #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
   #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
  CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
  Call Trace:
   dump_stack+0x67/0x90
   ___might_sleep.cold+0x9f/0xb1
   vfree+0x4b/0x60
   ceph_buffer_release+0x1b/0x60
   __ceph_build_xattrs_blob+0x12b/0x170
   __send_cap+0x302/0x540
   ? __lock_acquire+0x23c/0x1e40
   ? __mark_caps_flushing+0x15c/0x280
   ? _raw_spin_unlock+0x24/0x30
   ceph_check_caps+0x5f0/0xc60
   ceph_flush_dirty_caps+0x7c/0x150
   ? __ia32_sys_fdatasync+0x20/0x20
   ceph_sync_fs+0x5a/0x130
   iterate_supers+0x8f/0xf0
   ksys_sync+0x4f/0xb0
   __ia32_sys_sync+0xa/0x10
   do_syscall_64+0x50/0x1c0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe
  RIP: 0033:0x7fc6409ab617

Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/caps.c  |  5 ++++-
 fs/ceph/snap.c  |  4 +++-
 fs/ceph/super.h |  2 +-
 fs/ceph/xattr.c | 11 ++++++++---
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index a11fa0b6b34d5..db547af01b593 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1280,6 +1280,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
 {
 	struct ceph_inode_info *ci = cap->ci;
 	struct inode *inode = &ci->vfs_inode;
+	struct ceph_buffer *old_blob = NULL;
 	struct cap_msg_args arg;
 	int held, revoking;
 	int wake = 0;
@@ -1344,7 +1345,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
 	ci->i_requested_max_size = arg.max_size;
 
 	if (flushing & CEPH_CAP_XATTR_EXCL) {
-		__ceph_build_xattrs_blob(ci);
+		old_blob = __ceph_build_xattrs_blob(ci);
 		arg.xattr_version = ci->i_xattrs.version;
 		arg.xattr_buf = ci->i_xattrs.blob;
 	} else {
@@ -1379,6 +1380,8 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
 
 	spin_unlock(&ci->i_ceph_lock);
 
+	ceph_buffer_put(old_blob);
+
 	ret = send_cap_msg(&arg);
 	if (ret < 0) {
 		dout("error sending cap msg, must requeue %p\n", inode);
diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
index 1f46b02f73149..5cf7b5f4db947 100644
--- a/fs/ceph/snap.c
+++ b/fs/ceph/snap.c
@@ -460,6 +460,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
 	struct inode *inode = &ci->vfs_inode;
 	struct ceph_cap_snap *capsnap;
 	struct ceph_snap_context *old_snapc, *new_snapc;
+	struct ceph_buffer *old_blob = NULL;
 	int used, dirty;
 
 	capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS);
@@ -536,7 +537,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
 	capsnap->gid = inode->i_gid;
 
 	if (dirty & CEPH_CAP_XATTR_EXCL) {
-		__ceph_build_xattrs_blob(ci);
+		old_blob = __ceph_build_xattrs_blob(ci);
 		capsnap->xattr_blob =
 			ceph_buffer_get(ci->i_xattrs.blob);
 		capsnap->xattr_version = ci->i_xattrs.version;
@@ -579,6 +580,7 @@ update_snapc:
 	}
 	spin_unlock(&ci->i_ceph_lock);
 
+	ceph_buffer_put(old_blob);
 	kfree(capsnap);
 	ceph_put_snap_context(old_snapc);
 }
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index d8579a56e5dc2..0180193097905 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -896,7 +896,7 @@ extern int ceph_getattr(const struct path *path, struct kstat *stat,
 int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int);
 ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
 extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci);
 extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
 extern void __init ceph_xattr_init(void);
 extern void ceph_xattr_exit(void);
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 71ea45b0231f9..5e4f3f833e85e 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -734,12 +734,15 @@ static int __get_required_blob_size(struct ceph_inode_info *ci, int name_size,
 
 /*
  * If there are dirty xattrs, reencode xattrs into the prealloc_blob
- * and swap into place.
+ * and swap into place.  It returns the old i_xattrs.blob (or NULL) so
+ * that it can be freed by the caller as the i_ceph_lock is likely to be
+ * held.
  */
-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci)
 {
 	struct rb_node *p;
 	struct ceph_inode_xattr *xattr = NULL;
+	struct ceph_buffer *old_blob = NULL;
 	void *dest;
 
 	dout("__build_xattrs_blob %p\n", &ci->vfs_inode);
@@ -770,12 +773,14 @@ void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
 			dest - ci->i_xattrs.prealloc_blob->vec.iov_base;
 
 		if (ci->i_xattrs.blob)
-			ceph_buffer_put(ci->i_xattrs.blob);
+			old_blob = ci->i_xattrs.blob;
 		ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob;
 		ci->i_xattrs.prealloc_blob = NULL;
 		ci->i_xattrs.dirty = false;
 		ci->i_xattrs.version++;
 	}
+
+	return old_blob;
 }
 
 static inline int __get_request_mask(struct inode *in) {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 51/57] ceph: fix buffer free while holding i_ceph_lock in fill_inode()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 50/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 52/57] KVM: arm/arm64: Only skip MMIO insn once Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis Henriques, Jeff Layton,
	Ilya Dryomov, Sasha Levin

[ Upstream commit af8a85a41734f37b67ba8ce69d56b685bee4ac48 ]

Calling ceph_buffer_put() in fill_inode() may result in freeing the
i_xattrs.blob buffer while holding the i_ceph_lock.  This can be fixed by
postponing the call until later, when the lock is released.

The following backtrace was triggered by fstests generic/070.

  BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
  in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4
  6 locks held by kworker/0:4/3852:
   #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0
   #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0
   #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476
   #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476
   #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476
   #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70
  CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
  Workqueue: ceph-msgr ceph_con_workfn
  Call Trace:
   dump_stack+0x67/0x90
   ___might_sleep.cold+0x9f/0xb1
   vfree+0x4b/0x60
   ceph_buffer_release+0x1b/0x60
   fill_inode.isra.0+0xa9b/0xf70
   ceph_fill_trace+0x13b/0xc70
   ? dispatch+0x2eb/0x1476
   dispatch+0x320/0x1476
   ? __mutex_unlock_slowpath+0x4d/0x2a0
   ceph_con_workfn+0xc97/0x2ec0
   ? process_one_work+0x1b8/0x5f0
   process_one_work+0x244/0x5f0
   worker_thread+0x4d/0x3e0
   kthread+0x105/0x140
   ? process_one_work+0x5f0/0x5f0
   ? kthread_park+0x90/0x90
   ret_from_fork+0x3a/0x50

Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/inode.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 3e518c2ae2bf9..11f19432a74c4 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -742,6 +742,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
 	int issued, new_issued, info_caps;
 	struct timespec64 mtime, atime, ctime;
 	struct ceph_buffer *xattr_blob = NULL;
+	struct ceph_buffer *old_blob = NULL;
 	struct ceph_string *pool_ns = NULL;
 	struct ceph_cap *new_cap = NULL;
 	int err = 0;
@@ -878,7 +879,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
 	if ((ci->i_xattrs.version == 0 || !(issued & CEPH_CAP_XATTR_EXCL))  &&
 	    le64_to_cpu(info->xattr_version) > ci->i_xattrs.version) {
 		if (ci->i_xattrs.blob)
-			ceph_buffer_put(ci->i_xattrs.blob);
+			old_blob = ci->i_xattrs.blob;
 		ci->i_xattrs.blob = xattr_blob;
 		if (xattr_blob)
 			memcpy(ci->i_xattrs.blob->vec.iov_base,
@@ -1017,8 +1018,8 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
 out:
 	if (new_cap)
 		ceph_put_cap(mdsc, new_cap);
-	if (xattr_blob)
-		ceph_buffer_put(xattr_blob);
+	ceph_buffer_put(old_blob);
+	ceph_buffer_put(xattr_blob);
 	ceph_put_string(pool_ns);
 	return err;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 52/57] KVM: arm/arm64: Only skip MMIO insn once
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 51/57] ceph: fix buffer free while holding i_ceph_lock in fill_inode() Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 53/57] afs: Fix leak in afs_lookup_cell_rcu() Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Andrew Jones,
	Marc Zyngier, Sasha Levin

[ Upstream commit 2113c5f62b7423e4a72b890bd479704aa85c81ba ]

If after an MMIO exit to userspace a VCPU is immediately run with an
immediate_exit request, such as when a signal is delivered or an MMIO
emulation completion is needed, then the VCPU completes the MMIO
emulation and immediately returns to userspace. As the exit_reason
does not get changed from KVM_EXIT_MMIO in these cases we have to
be careful not to complete the MMIO emulation again, when the VCPU is
eventually run again, because the emulation does an instruction skip
(and doing too many skips would be a waste of guest code :-) We need
to use additional VCPU state to track if the emulation is complete.
As luck would have it, we already have 'mmio_needed', which even
appears to be used in this way by other architectures already.

Fixes: 0d640732dbeb ("arm64: KVM: Skip MMIO insn after emulation")
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 virt/kvm/arm/mmio.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
index 08443a15e6be8..3caee91bca089 100644
--- a/virt/kvm/arm/mmio.c
+++ b/virt/kvm/arm/mmio.c
@@ -98,6 +98,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
 	unsigned int len;
 	int mask;
 
+	/* Detect an already handled MMIO return */
+	if (unlikely(!vcpu->mmio_needed))
+		return 0;
+
+	vcpu->mmio_needed = 0;
+
 	if (!run->mmio.is_write) {
 		len = run->mmio.len;
 		if (len > sizeof(unsigned long))
@@ -200,6 +206,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
 	run->mmio.is_write	= is_write;
 	run->mmio.phys_addr	= fault_ipa;
 	run->mmio.len		= len;
+	vcpu->mmio_needed	= 1;
 
 	if (!ret) {
 		/* We handled the access successfully in the kernel. */
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 53/57] afs: Fix leak in afs_lookup_cell_rcu()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 52/57] KVM: arm/arm64: Only skip MMIO insn once Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 54/57] KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

[ Upstream commit a5fb8e6c02d6a518fb2b1a2b8c2471fa77b69436 ]

Fix a leak on the cell refcount in afs_lookup_cell_rcu() due to
non-clearance of the default error in the case a NULL cell name is passed
and the workstation default cell is used.

Also put a bit at the end to make sure we don't leak a cell ref if we're
going to be returning an error.

This leak results in an assertion like the following when the kafs module is
unloaded:

	AFS: Assertion failed
	2 == 1 is false
	0x2 == 0x1 is false
	------------[ cut here ]------------
	kernel BUG at fs/afs/cell.c:770!
	...
	RIP: 0010:afs_manage_cells+0x220/0x42f [kafs]
	...
	 process_one_work+0x4c2/0x82c
	 ? pool_mayday_timeout+0x1e1/0x1e1
	 ? do_raw_spin_lock+0x134/0x175
	 worker_thread+0x336/0x4a6
	 ? rescuer_thread+0x4af/0x4af
	 kthread+0x1de/0x1ee
	 ? kthread_park+0xd4/0xd4
	 ret_from_fork+0x24/0x30

Fixes: 989782dcdc91 ("afs: Overhaul cell database management")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/afs/cell.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index 6127f0fcd62c4..ee07162d35c7a 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -76,6 +76,7 @@ struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net,
 			cell = rcu_dereference_raw(net->ws_cell);
 			if (cell) {
 				afs_get_cell(cell);
+				ret = 0;
 				break;
 			}
 			ret = -EDESTADDRREQ;
@@ -110,6 +111,9 @@ struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net,
 
 	done_seqretry(&net->cells_lock, seq);
 
+	if (ret != 0 && cell)
+		afs_put_cell(net, cell);
+
 	return ret == 0 ? cell : ERR_PTR(ret);
 }
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 54/57] KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 53/57] afs: Fix leak in afs_lookup_cell_rcu() Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 55/57] x86/boot/compressed/64: Fix missing initialization in find_trampoline_placement() Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andre Przywara, Dave Martin,
	Julien Grall, Marc Zyngier, Sasha Levin

[ Upstream commit 2e16f3e926ed48373c98edea85c6ad0ef69425d1 ]

At the moment we initialise the target *mask* of a virtual IRQ to the
VCPU it belongs to, even though this mask is only defined for GICv2 and
quickly runs out of bits for many GICv3 guests.
This behaviour triggers an UBSAN complaint for more than 32 VCPUs:
------
[ 5659.462377] UBSAN: Undefined behaviour in virt/kvm/arm/vgic/vgic-init.c:223:21
[ 5659.471689] shift exponent 32 is too large for 32-bit type 'unsigned int'
------
Also for GICv3 guests the reporting of TARGET in the "vgic-state" debugfs
dump is wrong, due to this very same problem.

Because there is no requirement to create the VGIC device before the
VCPUs (and QEMU actually does it the other way round), we can't safely
initialise mpidr or targets in kvm_vgic_vcpu_init(). But since we touch
every private IRQ for each VCPU anyway later (in vgic_init()), we can
just move the initialisation of those fields into there, where we
definitely know the VGIC type.

On the way make sure we really have either a VGICv2 or a VGICv3 device,
since the existing code is just checking for "VGICv3 or not", silently
ignoring the uninitialised case.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reported-by: Dave Martin <dave.martin@arm.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 virt/kvm/arm/vgic/vgic-init.c | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c
index 8196e4f8731fb..cd75df25fe140 100644
--- a/virt/kvm/arm/vgic/vgic-init.c
+++ b/virt/kvm/arm/vgic/vgic-init.c
@@ -19,6 +19,7 @@
 #include <linux/cpu.h>
 #include <linux/kvm_host.h>
 #include <kvm/arm_vgic.h>
+#include <asm/kvm_emulate.h>
 #include <asm/kvm_mmu.h>
 #include "vgic.h"
 
@@ -175,12 +176,18 @@ static int kvm_vgic_dist_init(struct kvm *kvm, unsigned int nr_spis)
 		irq->vcpu = NULL;
 		irq->target_vcpu = vcpu0;
 		kref_init(&irq->refcount);
-		if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V2) {
+		switch (dist->vgic_model) {
+		case KVM_DEV_TYPE_ARM_VGIC_V2:
 			irq->targets = 0;
 			irq->group = 0;
-		} else {
+			break;
+		case KVM_DEV_TYPE_ARM_VGIC_V3:
 			irq->mpidr = 0;
 			irq->group = 1;
+			break;
+		default:
+			kfree(dist->spis);
+			return -EINVAL;
 		}
 	}
 	return 0;
@@ -220,7 +227,6 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu)
 		irq->intid = i;
 		irq->vcpu = NULL;
 		irq->target_vcpu = vcpu;
-		irq->targets = 1U << vcpu->vcpu_id;
 		kref_init(&irq->refcount);
 		if (vgic_irq_is_sgi(i)) {
 			/* SGIs */
@@ -230,11 +236,6 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu)
 			/* PPIs */
 			irq->config = VGIC_CONFIG_LEVEL;
 		}
-
-		if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3)
-			irq->group = 1;
-		else
-			irq->group = 0;
 	}
 
 	if (!irqchip_in_kernel(vcpu->kvm))
@@ -297,10 +298,19 @@ int vgic_init(struct kvm *kvm)
 
 		for (i = 0; i < VGIC_NR_PRIVATE_IRQS; i++) {
 			struct vgic_irq *irq = &vgic_cpu->private_irqs[i];
-			if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3)
+			switch (dist->vgic_model) {
+			case KVM_DEV_TYPE_ARM_VGIC_V3:
 				irq->group = 1;
-			else
+				irq->mpidr = kvm_vcpu_get_mpidr_aff(vcpu);
+				break;
+			case KVM_DEV_TYPE_ARM_VGIC_V2:
 				irq->group = 0;
+				irq->targets = 1U << idx;
+				break;
+			default:
+				ret = -EINVAL;
+				goto out;
+			}
 		}
 	}
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 55/57] x86/boot/compressed/64: Fix missing initialization in find_trampoline_placement()
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 54/57] KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 56/57] libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva,
	Kirill A. Shutemov, Thomas Gleixner, Sasha Levin

[ Upstream commit c96e8483cb2da6695c8b8d0896fe7ae272a07b54 ]

Gustavo noticed that 'new' can be left uninitialized if 'bios_start'
happens to be less or equal to 'entry->addr + entry->size'.

Initialize the variable at the begin of the iteration to the current value
of 'bios_start'.

Fixes: 0a46fff2f910 ("x86/boot/compressed/64: Fix boot on machines with broken E820 table")
Reported-by: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190826133326.7cxb4vbmiawffv2r@box
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/boot/compressed/pgtable_64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c
index f0537a1f7fc25..76e1edf5bf12a 100644
--- a/arch/x86/boot/compressed/pgtable_64.c
+++ b/arch/x86/boot/compressed/pgtable_64.c
@@ -73,7 +73,7 @@ static unsigned long find_trampoline_placement(void)
 
 	/* Find the first usable memory region under bios_start. */
 	for (i = boot_params->e820_entries - 1; i >= 0; i--) {
-		unsigned long new;
+		unsigned long new = bios_start;
 
 		entry = &boot_params->e820_table[i];
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 56/57] libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 55/57] x86/boot/compressed/64: Fix missing initialization in find_trampoline_placement() Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-08 12:42 ` [PATCH 4.19 57/57] Revert "x86/apic: Include the LDR when clearing out APIC registers" Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis Henriques, Jeff Layton,
	Ilya Dryomov, Sasha Levin

[ Upstream commit 5c498950f730aa17c5f8a2cdcb903524e4002ed2 ]

Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/ceph/buffer.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/linux/ceph/buffer.h b/include/linux/ceph/buffer.h
index 5e58bb29b1a36..11cdc7c60480f 100644
--- a/include/linux/ceph/buffer.h
+++ b/include/linux/ceph/buffer.h
@@ -30,7 +30,8 @@ static inline struct ceph_buffer *ceph_buffer_get(struct ceph_buffer *b)
 
 static inline void ceph_buffer_put(struct ceph_buffer *b)
 {
-	kref_put(&b->kref, ceph_buffer_release);
+	if (b)
+		kref_put(&b->kref, ceph_buffer_release);
 }
 
 extern int ceph_decode_buffer(struct ceph_buffer **b, void **p, void *end);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH 4.19 57/57] Revert "x86/apic: Include the LDR when clearing out APIC registers"
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 56/57] libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer Greg Kroah-Hartman
@ 2019-09-08 12:42 ` Greg Kroah-Hartman
  2019-09-09  3:12 ` [PATCH 4.19 00/57] 4.19.72-stable review Naresh Kamboju
                   ` (3 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-08 12:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Wilson, Thomas Gleixner,
	Bandan Das, Linus Torvalds, Sasha Levin

[ Upstream commit 950b07c14e8c59444e2359f15fd70ed5112e11a0 ]

This reverts commit 558682b5291937a70748d36fd9ba757fb25b99ae.

Chris Wilson reports that it breaks his CPU hotplug test scripts.  In
particular, it breaks offlining and then re-onlining the boot CPU, which
we treat specially (and the BIOS does too).

The symptoms are that we can offline the CPU, but it then does not come
back online again:

    smpboot: CPU 0 is now offline
    smpboot: Booting Node 0 Processor 0 APIC 0x0
    smpboot: do_boot_cpu failed(-1) to wakeup CPU#0

Thomas says he knows why it's broken (my personal suspicion: our magic
handling of the "cpu0_logical_apicid" thing), but for 5.3 the right fix
is to just revert it, since we've never touched the LDR bits before, and
it's not worth the risk to do anything else at this stage.

[ Hotpluging of the boot CPU is special anyway, and should be off by
  default. See the "BOOTPARAM_HOTPLUG_CPU0" config option and the
  cpu0_hotplug kernel parameter.

  In general you should not do it, and it has various known limitations
  (hibernate and suspend require the boot CPU, for example).

  But it should work, even if the boot CPU is special and needs careful
  treatment       - Linus ]

Link: https://lore.kernel.org/lkml/156785100521.13300.14461504732265570003@skylake-alporthouse-com/
Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bandan Das <bsd@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/apic/apic.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
index 90be3a1506d3f..b316bd61a6ace 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1140,10 +1140,6 @@ void clear_local_APIC(void)
 	apic_write(APIC_LVT0, v | APIC_LVT_MASKED);
 	v = apic_read(APIC_LVT1);
 	apic_write(APIC_LVT1, v | APIC_LVT_MASKED);
-	if (!x2apic_enabled()) {
-		v = apic_read(APIC_LDR) & ~APIC_LDR_MASK;
-		apic_write(APIC_LDR, v);
-	}
 	if (maxlvt >= 4) {
 		v = apic_read(APIC_LVTPC);
 		apic_write(APIC_LVTPC, v | APIC_LVT_MASKED);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 00/57] 4.19.72-stable review
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-09-08 12:42 ` [PATCH 4.19 57/57] Revert "x86/apic: Include the LDR when clearing out APIC registers" Greg Kroah-Hartman
@ 2019-09-09  3:12 ` Naresh Kamboju
  2019-09-09 19:39 ` Guenter Roeck
                   ` (2 subsequent siblings)
  60 siblings, 0 replies; 69+ messages in thread
From: Naresh Kamboju @ 2019-09-09  3:12 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, patches, lkft-triage, Ben Hutchings,
	linux- stable, Andrew Morton, Linus Torvalds, Guenter Roeck

On Sun, 8 Sep 2019 at 18:20, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.19.72 release.
> There are 57 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue 10 Sep 2019 12:09:36 PM UTC.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.72-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.19.72-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.19.y
git commit: 20f1e9f544166cca04c111f8719286155a5b9b09
git describe: v4.19.70-60-g20f1e9f54416
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.70-60-g20f1e9f54416


No regressions (compared to build v4.19.70)


No fixes (compared to build v4.19.70)

Ran 22190 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libgpiod
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-open-posix-tests
* kvm-unit-tests
* ssuite
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes
  2019-09-08 12:41 ` [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Greg Kroah-Hartman
@ 2019-09-09 12:15   ` Pavel Machek
  2019-09-09 13:00     ` Fabian Henneke
  0 siblings, 1 reply; 69+ messages in thread
From: Pavel Machek @ 2019-09-09 12:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Fabian Henneke, Marcel Holtmann, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 906 bytes --]

Hi!

> [ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ]
> 
> Let hidp_send_message return the number of successfully queued bytes
> instead of an unconditional 0.
> 
> With the return value fixed to 0, other drivers relying on hidp, such as
> hidraw, can not return meaningful values from their respective
> implementations of write(). In particular, with the current behavior, a
> hidraw device's write() will have different return values depending on
> whether the device is connected via USB or Bluetooth, which makes it
> harder to abstract away the transport layer.

So, does this change any actual behaviour?

Is it fixing a bug, or is it just preparation for a patch that is not
going to make it to stable?
							Pavel
							
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 21/57] gpio: Fix build error of function redefinition
  2019-09-08 12:41 ` [PATCH 4.19 21/57] gpio: Fix build error of function redefinition Greg Kroah-Hartman
@ 2019-09-09 12:23   ` Pavel Machek
  0 siblings, 0 replies; 69+ messages in thread
From: Pavel Machek @ 2019-09-09 12:23 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Hulk Robot, YueHaibing, Linus Walleij, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1138 bytes --]

On Sun 2019-09-08 13:41:45, Greg Kroah-Hartman wrote:
> [ Upstream commit 68e03b85474a51ec1921b4d13204782594ef7223 ]
> 
> when do randbuilding, I got this error:
> 
> In file included from drivers/hwmon/pmbus/ucd9000.c:19:0:
> ./include/linux/gpio/driver.h:576:1: error: redefinition of gpiochip_add_pin_range
>  gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
>  ^~~~~~~~~~~~~~~~~~~~~~
> In file included from drivers/hwmon/pmbus/ucd9000.c:18:0:
> ./include/linux/gpio.h:245:1: note: previous definition of gpiochip_add_pin_range was here
>  gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
>  ^~~~~~~~~~~~~~~~~~~~~~
>

I'm pretty sure this will cause problems.

driver.h versions return zero and are conditional on !CONFIG_PINCTRL.

gpio.h versions did return error and did warn... and are conditional
on !CONFIG_GPIOLIB.

So this introduces error in !CONFIG_PINCTRL && !CONFIG_GPIOLIB case.

Best regards,
									Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes
  2019-09-09 12:15   ` Pavel Machek
@ 2019-09-09 13:00     ` Fabian Henneke
  2019-09-09 22:59       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 69+ messages in thread
From: Fabian Henneke @ 2019-09-09 13:00 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Marcel Holtmann, Sasha Levin

Hi,

On Mon, Sep 9, 2019 at 2:15 PM Pavel Machek <pavel@denx.de> wrote:

> Hi!
>
> > [ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ]
> >
> > Let hidp_send_message return the number of successfully queued bytes
> > instead of an unconditional 0.
> >
> > With the return value fixed to 0, other drivers relying on hidp, such as
> > hidraw, can not return meaningful values from their respective
> > implementations of write(). In particular, with the current behavior, a
> > hidraw device's write() will have different return values depending on
> > whether the device is connected via USB or Bluetooth, which makes it
> > harder to abstract away the transport layer.
>
> So, does this change any actual behaviour?
>
> Is it fixing a bug, or is it just preparation for a patch that is not
> going to make it to stable?
>

I created this patch specifically in order to ensure that user space
applications can use HID devices with hidraw without needing to care about
whether the transport is USB or Bluetooth. Without the patch, every
hidraw-backed Bluetooth device needs to be treated specially as its write()
violates the usual return value contract, which could be viewed as a bug.

Please note that a later patch (
https://www.spinics.net/lists/linux-input/msg63291.html) fixes some
important error checks that were relying on the old behavior (and were
unfortunately missed by me).

Best regards,
Fabian

>                                                         Pavel
>
> --
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures)
> http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
>


^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 27/57] cxgb4: fix a memory leak bug
  2019-09-08 12:41 ` [PATCH 4.19 27/57] cxgb4: fix a memory leak bug Greg Kroah-Hartman
@ 2019-09-09 13:06   ` Pavel Machek
  0 siblings, 0 replies; 69+ messages in thread
From: Pavel Machek @ 2019-09-09 13:06 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Wenwen Wang, David S. Miller, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1536 bytes --]

On Sun 2019-09-08 13:41:51, Greg Kroah-Hartman wrote:
> [ Upstream commit c554336efa9bbc28d6ec14efbee3c7d63c61a34f ]
> 
> In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
> leading to a memory leak bug. To fix this issue, free t before returning
> the error.

The code is quite strange ... it seems to use kvfree when free would
be enough. Is that worth fixing? blocked_fl_read() seems to have same
problem.

Best regards,

								Pavel

> Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> index 0f72f9c4ec74c..b429b726b987b 100644
> --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> @@ -3276,8 +3276,10 @@ static ssize_t blocked_fl_write(struct file *filp, const char __user *ubuf,
>  		return -ENOMEM;
>  
>  	err = bitmap_parse_user(ubuf, count, t, adap->sge.egr_sz);
> -	if (err)
> +	if (err) {
> +		kvfree(t);
>  		return err;
> +	}
>  
>  	bitmap_copy(adap->sge.blocked_fl, t, adap->sge.egr_sz);
>  	kvfree(t);

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 00/57] 4.19.72-stable review
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-09-09  3:12 ` [PATCH 4.19 00/57] 4.19.72-stable review Naresh Kamboju
@ 2019-09-09 19:39 ` Guenter Roeck
  2019-09-10  9:20 ` Jon Hunter
  2019-09-10  9:27 ` Jack Wang
  60 siblings, 0 replies; 69+ messages in thread
From: Guenter Roeck @ 2019-09-09 19:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Sun, Sep 08, 2019 at 01:41:24PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.72 release.
> There are 57 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue 10 Sep 2019 12:09:36 PM UTC.
> Anything received after that time might be too late.
> 

Build results:
	total: 156 pass: 156 fail: 0
Qemu test results:
	total: 390 pass: 390 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes
  2019-09-09 13:00     ` Fabian Henneke
@ 2019-09-09 22:59       ` Greg Kroah-Hartman
  2019-09-10  6:27         ` Fabian Henneke
  0 siblings, 1 reply; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-09 22:59 UTC (permalink / raw)
  To: Fabian Henneke
  Cc: Pavel Machek, linux-kernel, stable, Marcel Holtmann, Sasha Levin

On Mon, Sep 09, 2019 at 03:00:46PM +0200, Fabian Henneke wrote:
> Hi,
> 
> On Mon, Sep 9, 2019 at 2:15 PM Pavel Machek <pavel@denx.de> wrote:
> 
> > Hi!
> >
> > > [ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ]
> > >
> > > Let hidp_send_message return the number of successfully queued bytes
> > > instead of an unconditional 0.
> > >
> > > With the return value fixed to 0, other drivers relying on hidp, such as
> > > hidraw, can not return meaningful values from their respective
> > > implementations of write(). In particular, with the current behavior, a
> > > hidraw device's write() will have different return values depending on
> > > whether the device is connected via USB or Bluetooth, which makes it
> > > harder to abstract away the transport layer.
> >
> > So, does this change any actual behaviour?
> >
> > Is it fixing a bug, or is it just preparation for a patch that is not
> > going to make it to stable?
> >
> 
> I created this patch specifically in order to ensure that user space
> applications can use HID devices with hidraw without needing to care about
> whether the transport is USB or Bluetooth. Without the patch, every
> hidraw-backed Bluetooth device needs to be treated specially as its write()
> violates the usual return value contract, which could be viewed as a bug.
> 
> Please note that a later patch (
> https://www.spinics.net/lists/linux-input/msg63291.html) fixes some
> important error checks that were relying on the old behavior (and were
> unfortunately missed by me).

As that patch doesn't seem to be in Linus's tree yet, we should postpone
taking this one in the stable tree right now, correct?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes
  2019-09-09 22:59       ` Greg Kroah-Hartman
@ 2019-09-10  6:27         ` Fabian Henneke
  2019-09-10  9:29           ` Greg Kroah-Hartman
  0 siblings, 1 reply; 69+ messages in thread
From: Fabian Henneke @ 2019-09-10  6:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Pavel Machek, linux-kernel, stable, Marcel Holtmann, Sasha Levin



On 10.09.19 00:59, Greg Kroah-Hartman wrote:
> On Mon, Sep 09, 2019 at 03:00:46PM +0200, Fabian Henneke wrote:
>> Hi,
>>
>> On Mon, Sep 9, 2019 at 2:15 PM Pavel Machek <pavel@denx.de> wrote:
>>
>>> Hi!
>>>
>>>> [ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ]
>>>>
>>>> Let hidp_send_message return the number of successfully queued bytes
>>>> instead of an unconditional 0.
>>>>
>>>> With the return value fixed to 0, other drivers relying on hidp, such as
>>>> hidraw, can not return meaningful values from their respective
>>>> implementations of write(). In particular, with the current behavior, a
>>>> hidraw device's write() will have different return values depending on
>>>> whether the device is connected via USB or Bluetooth, which makes it
>>>> harder to abstract away the transport layer.
>>>
>>> So, does this change any actual behaviour?
>>>
>>> Is it fixing a bug, or is it just preparation for a patch that is not
>>> going to make it to stable?
>>>
>>
>> I created this patch specifically in order to ensure that user space
>> applications can use HID devices with hidraw without needing to care about
>> whether the transport is USB or Bluetooth. Without the patch, every
>> hidraw-backed Bluetooth device needs to be treated specially as its write()
>> violates the usual return value contract, which could be viewed as a bug.
>>
>> Please note that a later patch (
>> https://www.spinics.net/lists/linux-input/msg63291.html) fixes some
>> important error checks that were relying on the old behavior (and were
>> unfortunately missed by me).
> 
> As that patch doesn't seem to be in Linus's tree yet, we should postpone
> taking this one in the stable tree right now, correct?
> 
> thanks,
> 
> greg k-h
> 

Yes, please wait for the other patch if it's not in his tree yet and apply the two together.

Thank you,
Fabian

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 00/57] 4.19.72-stable review
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-09-09 19:39 ` Guenter Roeck
@ 2019-09-10  9:20 ` Jon Hunter
  2019-09-10  9:27 ` Jack Wang
  60 siblings, 0 replies; 69+ messages in thread
From: Jon Hunter @ 2019-09-10  9:20 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 08/09/2019 13:41, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.72 release.
> There are 57 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue 10 Sep 2019 12:09:36 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.72-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v4.19:
    12 builds:	12 pass, 0 fail
    22 boots:	22 pass, 0 fail
    32 tests:	32 pass, 0 fail

Linux version:	4.19.72-rc1-g20f1e9f54416
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 00/57] 4.19.72-stable review
  2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-09-10  9:20 ` Jon Hunter
@ 2019-09-10  9:27 ` Jack Wang
  60 siblings, 0 replies; 69+ messages in thread
From: Jack Wang @ 2019-09-10  9:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, Linus Torvalds, akpm, Guenter Roeck, shuah,
	patches, Ben Hutchings, lkft-triage, stable

Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年9月9日周一 下午12:19写道:
>
> This is the start of the stable review cycle for the 4.19.72 release.
> There are 57 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue 10 Sep 2019 12:09:36 PM UTC.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.72-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Merged, boot and tested on my testing machine, no regression found.

Thanks,
Jack Wang

^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes
  2019-09-10  6:27         ` Fabian Henneke
@ 2019-09-10  9:29           ` Greg Kroah-Hartman
  0 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-10  9:29 UTC (permalink / raw)
  To: Fabian Henneke
  Cc: Pavel Machek, linux-kernel, stable, Marcel Holtmann, Sasha Levin

On Tue, Sep 10, 2019 at 08:27:10AM +0200, Fabian Henneke wrote:
> 
> 
> On 10.09.19 00:59, Greg Kroah-Hartman wrote:
> > On Mon, Sep 09, 2019 at 03:00:46PM +0200, Fabian Henneke wrote:
> >> Hi,
> >>
> >> On Mon, Sep 9, 2019 at 2:15 PM Pavel Machek <pavel@denx.de> wrote:
> >>
> >>> Hi!
> >>>
> >>>> [ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ]
> >>>>
> >>>> Let hidp_send_message return the number of successfully queued bytes
> >>>> instead of an unconditional 0.
> >>>>
> >>>> With the return value fixed to 0, other drivers relying on hidp, such as
> >>>> hidraw, can not return meaningful values from their respective
> >>>> implementations of write(). In particular, with the current behavior, a
> >>>> hidraw device's write() will have different return values depending on
> >>>> whether the device is connected via USB or Bluetooth, which makes it
> >>>> harder to abstract away the transport layer.
> >>>
> >>> So, does this change any actual behaviour?
> >>>
> >>> Is it fixing a bug, or is it just preparation for a patch that is not
> >>> going to make it to stable?
> >>>
> >>
> >> I created this patch specifically in order to ensure that user space
> >> applications can use HID devices with hidraw without needing to care about
> >> whether the transport is USB or Bluetooth. Without the patch, every
> >> hidraw-backed Bluetooth device needs to be treated specially as its write()
> >> violates the usual return value contract, which could be viewed as a bug.
> >>
> >> Please note that a later patch (
> >> https://www.spinics.net/lists/linux-input/msg63291.html) fixes some
> >> important error checks that were relying on the old behavior (and were
> >> unfortunately missed by me).
> > 
> > As that patch doesn't seem to be in Linus's tree yet, we should postpone
> > taking this one in the stable tree right now, correct?
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Yes, please wait for the other patch if it's not in his tree yet and apply the two together.

Ok, will move it out and wait for the fixup patch to hit Linus's tree,
thanks!

greg k-h

^ permalink raw reply	[flat|nested] 69+ messages in thread

end of thread, back to index

Thread overview: 69+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-08 12:41 [PATCH 4.19 00/57] 4.19.72-stable review Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 01/57] mld: fix memory leak in mld_del_delrec() Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 02/57] net: fix skb use after free in netpoll Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 03/57] net: sched: act_sample: fix psample group handling on overwrite Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 04/57] net_sched: fix a NULL pointer deref in ipt action Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 05/57] net: stmmac: dwmac-rk: Dont fail if phy regulator is absent Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 06/57] tcp: inherit timestamp on mtu probe Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 07/57] tcp: remove empty skb from write queue in error cases Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 08/57] net/rds: Fix info leak in rds6_inc_info_copy() Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 09/57] x86/boot: Preserve boot_params.secure_boot from sanitizing Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 10/57] spi: bcm2835aux: unifying code between polling and interrupt driven code Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 11/57] spi: bcm2835aux: remove dangerous uncontrolled read of fifo Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 12/57] spi: bcm2835aux: fix corruptions for longer spi transfers Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 13/57] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 14/57] netfilter: nf_tables: use-after-free in failing rule with bound set Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 15/57] tools: bpftool: fix error message (prog -> object) Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 16/57] hv_netvsc: Fix a warning of suspicious RCU usage Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 17/57] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 18/57] Bluetooth: btqca: Add a short delay before downloading the NVM Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 19/57] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Greg Kroah-Hartman
2019-09-09 12:15   ` Pavel Machek
2019-09-09 13:00     ` Fabian Henneke
2019-09-09 22:59       ` Greg Kroah-Hartman
2019-09-10  6:27         ` Fabian Henneke
2019-09-10  9:29           ` Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 20/57] ibmveth: Convert multicast list size for little-endian system Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 21/57] gpio: Fix build error of function redefinition Greg Kroah-Hartman
2019-09-09 12:23   ` Pavel Machek
2019-09-08 12:41 ` [PATCH 4.19 22/57] netfilter: nft_flow_offload: skip tcp rst and fin packets Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 23/57] drm/mediatek: use correct device to import PRIME buffers Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 24/57] drm/mediatek: set DMA max segment size Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 25/57] scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 26/57] scsi: target: tcmu: avoid use-after-free after command timeout Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 27/57] cxgb4: fix a memory leak bug Greg Kroah-Hartman
2019-09-09 13:06   ` Pavel Machek
2019-09-08 12:41 ` [PATCH 4.19 28/57] liquidio: add cleanup in octeon_setup_iq() Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 29/57] net: myri10ge: fix memory leaks Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 30/57] lan78xx: Fix " Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 31/57] vfs: fix page locking deadlocks when deduping files Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 32/57] cx82310_eth: fix a memory leak bug Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 33/57] net: kalmia: fix memory leaks Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 34/57] ibmvnic: Unmap DMA address of TX descriptor buffers after use Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.19 35/57] net: cavium: fix driver name Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 36/57] wimax/i2400m: fix a memory leak bug Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 37/57] ravb: Fix use-after-free ravb_tstamp_skb Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 38/57] kprobes: Fix potential deadlock in kprobe_optimizer() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 39/57] HID: cp2112: prevent sleeping function called from invalid context Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 40/57] x86/boot/compressed/64: Fix boot on machines with broken E820 table Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 41/57] Input: hyperv-keyboard: Use in-place iterator API in the channel callback Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 42/57] Tools: hv: kvp: eliminate may be used uninitialized warning Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 43/57] nvme-multipath: fix possible I/O hang when paths are updated Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 44/57] IB/mlx4: Fix memory leaks Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 45/57] infiniband: hfi1: fix a memory leak bug Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 46/57] infiniband: hfi1: fix memory leaks Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 47/57] selftests: kvm: fix state save/load on processors without XSAVE Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 48/57] selftests/kvm: make platform_info_test pass on AMD Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 49/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 50/57] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 51/57] ceph: fix buffer free while holding i_ceph_lock in fill_inode() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 52/57] KVM: arm/arm64: Only skip MMIO insn once Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 53/57] afs: Fix leak in afs_lookup_cell_rcu() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 54/57] KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 55/57] x86/boot/compressed/64: Fix missing initialization in find_trampoline_placement() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 56/57] libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.19 57/57] Revert "x86/apic: Include the LDR when clearing out APIC registers" Greg Kroah-Hartman
2019-09-09  3:12 ` [PATCH 4.19 00/57] 4.19.72-stable review Naresh Kamboju
2019-09-09 19:39 ` Guenter Roeck
2019-09-10  9:20 ` Jon Hunter
2019-09-10  9:27 ` Jack Wang

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org stable@archiver.kernel.org
	public-inbox-index stable

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox