1. 15 Sep, 2018 13 commits
    • Xin Long's avatar
      sctp: hold transport before accessing its asoc in sctp_transport_get_next · 3c035a48
      Xin Long authored
      [ Upstream commit bab1be79 ]
      
      As Marcelo noticed, in sctp_transport_get_next, it is iterating over
      transports but then also accessing the association directly, without
      checking any refcnts before that, which can cause an use-after-free
      Read.
      
      So fix it by holding transport before accessing the association. With
      that, sctp_transport_hold calls can be removed in the later places.
      
      Fixes: 626d16f5 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
      Reported-by: syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c035a48
    • Jakub Kicinski's avatar
      nfp: wait for posted reconfigs when disabling the device · 456e46f0
      Jakub Kicinski authored
      [ Upstream commit 9ad716b9 ]
      
      To avoid leaking a running timer we need to wait for the
      posted reconfigs after netdev is unregistered.  In common
      case the process of deinitializing the device will perform
      synchronous reconfigs which wait for posted requests, but
      especially with VXLAN ports being actively added and removed
      there can be a race condition leaving a timer running after
      adapter structure is freed leading to a crash.
      
      Add an explicit flush after deregistering and for a good
      measure a warning to check if timer is running just before
      structures are freed.
      
      Fixes: 3d780b92 ("nfp: add async reconfiguration mechanism")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      456e46f0
    • Cong Wang's avatar
      tipc: fix a missing rhashtable_walk_exit() · 8fed734d
      Cong Wang authored
      [ Upstream commit bd583fe3 ]
      
      rhashtable_walk_exit() must be paired with rhashtable_walk_enter().
      
      Fixes: 40f9f439 ("tipc: Fix tipc_sk_reinit race conditions")
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8fed734d
    • Davide Caratti's avatar
      net/sched: act_pedit: fix dump of extended layered op · 417b068a
      Davide Caratti authored
      [ Upstream commit 85eb9af1 ]
      
      in the (rare) case of failure in nla_nest_start(), missing NULL checks in
      tcf_pedit_key_ex_dump() can make the following command
      
       # tc action add action pedit ex munge ip ttl set 64
      
      dereference a NULL pointer:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
       PGD 800000007d1cd067 P4D 800000007d1cd067 PUD 7acd3067 PMD 0
       Oops: 0002 [#1] SMP PTI
       CPU: 0 PID: 3336 Comm: tc Tainted: G            E     4.18.0.pedit+ #425
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:tcf_pedit_dump+0x19d/0x358 [act_pedit]
       Code: be 02 00 00 00 48 89 df 66 89 44 24 20 e8 9b b1 fd e0 85 c0 75 46 8b 83 c8 00 00 00 49 83 c5 08 48 03 83 d0 00 00 00 4d 39 f5 <66> 89 04 25 00 00 00 00 0f 84 81 01 00 00 41 8b 45 00 48 8d 4c 24
       RSP: 0018:ffffb5d4004478a8 EFLAGS: 00010246
       RAX: ffff8880fcda2070 RBX: ffff8880fadd2900 RCX: 0000000000000000
       RDX: 0000000000000002 RSI: ffffb5d4004478ca RDI: ffff8880fcda206e
       RBP: ffff8880fb9cb900 R08: 0000000000000008 R09: ffff8880fcda206e
       R10: ffff8880fadd2900 R11: 0000000000000000 R12: ffff8880fd26cf40
       R13: ffff8880fc957430 R14: ffff8880fc957430 R15: ffff8880fb9cb988
       FS:  00007f75a537a740(0000) GS:ffff8880fda00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 000000007a2fa005 CR4: 00000000001606f0
       Call Trace:
        ? __nla_reserve+0x38/0x50
        tcf_action_dump_1+0xd2/0x130
        tcf_action_dump+0x6a/0xf0
        tca_get_fill.constprop.31+0xa3/0x120
        tcf_action_add+0xd1/0x170
        tc_ctl_action+0x137/0x150
        rtnetlink_rcv_msg+0x263/0x2d0
        ? _cond_resched+0x15/0x40
        ? rtnl_calcit.isra.30+0x110/0x110
        netlink_rcv_skb+0x4d/0x130
        netlink_unicast+0x1a3/0x250
        netlink_sendmsg+0x2ae/0x3a0
        sock_sendmsg+0x36/0x40
        ___sys_sendmsg+0x26f/0x2d0
        ? do_wp_page+0x8e/0x5f0
        ? handle_pte_fault+0x6c3/0xf50
        ? __handle_mm_fault+0x38e/0x520
        ? __sys_sendmsg+0x5e/0xa0
        __sys_sendmsg+0x5e/0xa0
        do_syscall_64+0x5b/0x180
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7f75a4583ba0
       Code: c3 48 8b 05 f2 62 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d fd c3 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae cc 00 00 48 89 04 24
       RSP: 002b:00007fff60ee7418 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007fff60ee7540 RCX: 00007f75a4583ba0
       RDX: 0000000000000000 RSI: 00007fff60ee7490 RDI: 0000000000000003
       RBP: 000000005b842d3e R08: 0000000000000002 R09: 0000000000000000
       R10: 00007fff60ee6ea0 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007fff60ee7554 R14: 0000000000000001 R15: 000000000066c100
       Modules linked in: act_pedit(E) ip6table_filter ip6_tables iptable_filter binfmt_misc crct10dif_pclmul ext4 crc32_pclmul mbcache ghash_clmulni_intel jbd2 pcbc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer cryptd glue_helper snd joydev pcspkr soundcore virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk virtio_console failover qxl crc32c_intel drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix virtio_pci libata virtio_ring i2c_core virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_pedit]
       CR2: 0000000000000000
      
      Like it's done for other TC actions, give up dumping pedit rules and return
      an error if nla_nest_start() returns NULL.
      
      Fixes: 71d0ed70 ("net/act_pedit: Support using offset relative to the conventional network headers")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      417b068a
    • Alexey Kodanev's avatar
      vti6: remove !skb->ignore_df check from vti6_xmit() · 56af4184
      Alexey Kodanev authored
      [ Upstream commit 9f289546 ]
      
      Before the commit d6990976 ("vti6: fix PMTU caching and reporting
      on xmit") '!skb->ignore_df' check was always true because the function
      skb_scrub_packet() was called before it, resetting ignore_df to zero.
      
      In the commit, skb_scrub_packet() was moved below, and now this check
      can be false for the packet, e.g. when sending it in the two fragments,
      this prevents successful PMTU updates in such case. The next attempts
      to send the packet lead to the same tx error. Moreover, vti6 initial
      MTU value relies on PMTU adjustments.
      
      This issue can be reproduced with the following LTP test script:
          udp_ipsec_vti.sh -6 -p ah -m tunnel -s 2000
      
      Fixes: ccd740cb ("vti6: Add pmtu handling to vti6_xmit.")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Acked-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      56af4184
    • Florian Westphal's avatar
      tcp: do not restart timewait timer on rst reception · e4b6c5fd
      Florian Westphal authored
      [ Upstream commit 63cc357f ]
      
      RFC 1337 says:
       ''Ignore RST segments in TIME-WAIT state.
         If the 2 minute MSL is enforced, this fix avoids all three hazards.''
      
      So with net.ipv4.tcp_rfc1337=1, expected behaviour is to have TIME-WAIT sk
      expire rather than removing it instantly when a reset is received.
      
      However, Linux will also re-start the TIME-WAIT timer.
      
      This causes connect to fail when tying to re-use ports or very long
      delays (until syn retry interval exceeds MSL).
      
      packetdrill test case:
      // Demonstrate bogus rearming of TIME-WAIT timer in rfc1337 mode.
      `sysctl net.ipv4.tcp_rfc1337=1`
      
      0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
      0.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
      0.000 bind(3, ..., ...) = 0
      0.000 listen(3, 1) = 0
      
      0.100 < S 0:0(0) win 29200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
      0.100 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
      0.200 < . 1:1(0) ack 1 win 257
      0.200 accept(3, ..., ...) = 4
      
      // Receive first segment
      0.310 < P. 1:1001(1000) ack 1 win 46
      
      // Send one ACK
      0.310 > . 1:1(0) ack 1001
      
      // read 1000 byte
      0.310 read(4, ..., 1000) = 1000
      
      // Application writes 100 bytes
      0.350 write(4, ..., 100) = 100
      0.350 > P. 1:101(100) ack 1001
      
      // ACK
      0.500 < . 1001:1001(0) ack 101 win 257
      
      // close the connection
      0.600 close(4) = 0
      0.600 > F. 101:101(0) ack 1001 win 244
      
      // Our side is in FIN_WAIT_1 & waits for ack to fin
      0.7 < . 1001:1001(0) ack 102 win 244
      
      // Our side is in FIN_WAIT_2 with no outstanding data.
      0.8 < F. 1001:1001(0) ack 102 win 244
      0.8 > . 102:102(0) ack 1002 win 244
      
      // Our side is now in TIME_WAIT state, send ack for fin.
      0.9 < F. 1002:1002(0) ack 102 win 244
      0.9 > . 102:102(0) ack 1002 win 244
      
      // Peer reopens with in-window SYN:
      1.000 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
      
      // Therefore, reply with ACK.
      1.000 > . 102:102(0) ack 1002 win 244
      
      // Peer sends RST for this ACK.  Normally this RST results
      // in tw socket removal, but rfc1337=1 setting prevents this.
      1.100 < R 1002:1002(0) win 244
      
      // second syn. Due to rfc1337=1 expect another pure ACK.
      31.0 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
      31.0 > . 102:102(0) ack 1002 win 244
      
      // .. and another RST from peer.
      31.1 < R 1002:1002(0) win 244
      31.2 `echo no timer restart;ss -m -e -a -i -n -t -o state TIME-WAIT`
      
      // third syn after one minute.  Time-Wait socket should have expired by now.
      63.0 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
      
      // so we expect a syn-ack & 3whs to proceed from here on.
      63.0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
      
      Without this patch, 'ss' shows restarts of tw timer and last packet is
      thus just another pure ack, more than one minute later.
      
      This restores the original code from commit 283fd6cf0be690a83
      ("Merge in ANK networking jumbo patch") in netdev-vger-cvs.git .
      
      For some reason the else branch was removed/lost in 1f28b683339f7
      ("Merge in TCP/UDP optimizations and [..]") and timer restart became
      unconditional.
      Reported-by: default avatarMichal Tesar <mtesar@redhat.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e4b6c5fd
    • Anthony Wong's avatar
      r8169: add support for NCube 8168 network card · 3eada53d
      Anthony Wong authored
      [ Upstream commit 9fd0e09a ]
      
      This card identifies itself as:
        Ethernet controller [0200]: NCube Device [10ff:8168] (rev 06)
        Subsystem: TP-LINK Technologies Co., Ltd. Device [7470:3468]
      
      Adding a new entry to rtl8169_pci_tbl makes the card work.
      
      Link: http://launchpad.net/bugs/1788730Signed-off-by: default avatarAnthony Wong <anthony.wong@ubuntu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3eada53d
    • Manish Chopra's avatar
      qlge: Fix netdev features configuration. · d19688e3
      Manish Chopra authored
      [ Upstream commit 6750c870 ]
      
      qlge_fix_features() is not supposed to modify hardware or
      driver state, rather it is supposed to only fix requested
      fetures bits. Currently qlge_fix_features() also goes for
      interface down and up unnecessarily if there is not even
      any change in features set.
      
      This patch changes/fixes following -
      
      1) Move reload of interface or device re-config from
         qlge_fix_features() to qlge_set_features().
      2) Reload of interface in qlge_set_features() only if
         relevant feature bit (NETIF_F_HW_VLAN_CTAG_RX) is changed.
      3) Get rid of qlge_fix_features() since driver is not really
         required to fix any features bit.
      Signed-off-by: default avatarManish <manish.chopra@cavium.com>
      Reviewed-by: default avatarBenjamin Poirier <bpoirier@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d19688e3
    • Kees Cook's avatar
      net: sched: Fix memory exposure from short TCA_U32_SEL · 7f1e6ec4
      Kees Cook authored
      [ Upstream commit 98c8f125 ]
      
      Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
      policy, so max length isn't enforced, only minimum. This means nkeys
      (from userspace) was being trusted without checking the actual size of
      nla_len(), which could lead to a memory over-read, and ultimately an
      exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
      a namespace.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f1e6ec4
    • Anssi Hannula's avatar
      net: macb: do not disable MDIO bus at open/close time · cb765f5c
      Anssi Hannula authored
      [ Upstream commit 0da70f80 ]
      
      macb_reset_hw() is called from macb_close() and indirectly from
      macb_open(). macb_reset_hw() zeroes the NCR register, including the MPE
      (Management Port Enable) bit.
      
      This will prevent accessing any other PHYs for other Ethernet MACs on
      the MDIO bus, which remains registered at macb_reset_hw() time, until
      macb_init_hw() is called from macb_open() which sets the MPE bit again.
      
      I.e. currently the MDIO bus has a short disruption at open time and is
      disabled at close time until the interface is opened again.
      
      Fix that by only touching the RE and TE bits when enabling and disabling
      RX/TX.
      
      v2: Make macb_init_hw() NCR write a single statement.
      
      Fixes: 6c36a707 ("macb: Use generic PHY layer")
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Reviewed-by: default avatarClaudiu Beznea <claudiu.beznea@microchip.com>
      Tested-by: default avatarClaudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb765f5c
    • Doug Berger's avatar
      net: bcmgenet: use MAC link status for fixed phy · 1ef819e4
      Doug Berger authored
      [ Upstream commit c3c397c1 ]
      
      When using the fixed PHY with GENET (e.g. MOCA) the PHY link
      status can be determined from the internal link status captured
      by the MAC. This allows the PHY state machine to use the correct
      link state with the fixed PHY even if MAC link event interrupts
      are missed when the net device is opened.
      
      Fixes: 8d88c6eb ("net: bcmgenet: enable MoCA link state change detection")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1ef819e4
    • Eric Dumazet's avatar
      ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state · a16405ad
      Eric Dumazet authored
      [ Upstream commit 431280ee ]
      
      tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
      to send some control packets.
      
      1) RST packets, through tcp_v4_send_reset()
      2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()
      
      These packets assert IP_DF, and also use the hashed IP ident generator
      to provide an IPv4 ID number.
      
      Geoff Alexander reported this could be used to build off-path attacks.
      
      These packets should not be fragmented, since their size is smaller than
      IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
      regardless of inner IPID.
      
      We really can use zero IPID, to address the flaw, and as a bonus,
      avoid a couple of atomic operations in ip_idents_reserve()
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarGeoff Alexander <alexandg@cs.unm.edu>
      Tested-by: default avatarGeoff Alexander <alexandg@cs.unm.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a16405ad
    • Cong Wang's avatar
      act_ife: fix a potential use-after-free · a08d7ea1
      Cong Wang authored
      [ Upstream commit 6d784f16 ]
      
      Immediately after module_put(), user could delete this
      module, so e->ops could be already freed before we call
      e->ops->release().
      
      Fix this by moving module_put() after ops->release().
      
      Fixes: ef6980b6 ("introduce IFE action")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a08d7ea1
  2. 09 Sep, 2018 27 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.14.69 · 7fe7a0f4
      Greg Kroah-Hartman authored
      7fe7a0f4
    • James Morse's avatar
      arm64: mm: always enable CONFIG_HOLES_IN_ZONE · 29245d36
      James Morse authored
      commit f52bb98f upstream.
      
      Commit 6d526ee2 ("arm64: mm: enable CONFIG_HOLES_IN_ZONE for NUMA")
      only enabled HOLES_IN_ZONE for NUMA systems because the NUMA code was
      choking on the missing zone for nomap pages. This problem doesn't just
      apply to NUMA systems.
      
      If the architecture doesn't set HAVE_ARCH_PFN_VALID, pfn_valid() will
      return true if the pfn is part of a valid sparsemem section.
      
      When working with multiple pages, the mm code uses pfn_valid_within()
      to test each page it uses within the sparsemem section is valid. On
      most systems memory comes in MAX_ORDER_NR_PAGES chunks which all
      have valid/initialised struct pages. In this case pfn_valid_within()
      is optimised out.
      
      Systems where this isn't true (e.g. due to nomap) should set
      HOLES_IN_ZONE and provide HAVE_ARCH_PFN_VALID so that mm tests each
      page as it works with it.
      
      Currently non-NUMA arm64 systems can't enable HOLES_IN_ZONE, leading to
      a VM_BUG_ON():
      
      | page:fffffdff802e1780 is uninitialized and poisoned
      | raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
      | raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
      | page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
      | ------------[ cut here ]------------
      | kernel BUG at include/linux/mm.h:978!
      | Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      [...]
      | CPU: 1 PID: 25236 Comm: dd Not tainted 4.18.0 #7
      | Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
      | pstate: 40000085 (nZcv daIf -PAN -UAO)
      | pc : move_freepages_block+0x144/0x248
      | lr : move_freepages_block+0x144/0x248
      | sp : fffffe0071177680
      [...]
      | Process dd (pid: 25236, stack limit = 0x0000000094cc07fb)
      | Call trace:
      |  move_freepages_block+0x144/0x248
      |  steal_suitable_fallback+0x100/0x16c
      |  get_page_from_freelist+0x440/0xb20
      |  __alloc_pages_nodemask+0xe8/0x838
      |  new_slab+0xd4/0x418
      |  ___slab_alloc.constprop.27+0x380/0x4a8
      |  __slab_alloc.isra.21.constprop.26+0x24/0x34
      |  kmem_cache_alloc+0xa8/0x180
      |  alloc_buffer_head+0x1c/0x90
      |  alloc_page_buffers+0x68/0xb0
      |  create_empty_buffers+0x20/0x1ec
      |  create_page_buffers+0xb0/0xf0
      |  __block_write_begin_int+0xc4/0x564
      |  __block_write_begin+0x10/0x18
      |  block_write_begin+0x48/0xd0
      |  blkdev_write_begin+0x28/0x30
      |  generic_perform_write+0x98/0x16c
      |  __generic_file_write_iter+0x138/0x168
      |  blkdev_write_iter+0x80/0xf0
      |  __vfs_write+0xe4/0x10c
      |  vfs_write+0xb4/0x168
      |  ksys_write+0x44/0x88
      |  sys_write+0xc/0x14
      |  el0_svc_naked+0x30/0x34
      | Code: aa1303e0 90001a01 91296421 94008902 (d4210000)
      | ---[ end trace 1601ba47f6e883fe ]---
      
      Remove the NUMA dependency.
      
      Link: https://www.spinics.net/lists/arm-kernel/msg671851.html
      Cc: <stable@vger.kernel.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Reported-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Reviewed-by: default avatarPavel Tatashin <pavel.tatashin@microsoft.com>
      Tested-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29245d36
    • Jeremy Cline's avatar
      fs/quota: Fix spectre gadget in do_quotactl · 3098933c
      Jeremy Cline authored
      commit 7b6924d9 upstream.
      
      'type' is user-controlled, so sanitize it after the bounds check to
      avoid using it in speculative execution. This covers the following
      potential gadgets detected with the help of smatch:
      
      * fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
        'sb_dqopt(sb)->files' [r]
      * fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
        'sb_dqopt(sb)->files' [r]
      * fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
        'sb_dqopt(sb)->files' [r]
      * fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
        'sb_dqopt(sb)->files' [r]
      * fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
        'sb_dqopt(sb)->info' [w]
      * fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
        'dquots' [r]
      * fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
        issue 'dqopt->ops' [r]
      * fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
        issue 'dqopt->files' [w] (local cap)
      * fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
        issue 'dqopt->ops' [w] (local cap)
      * fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
        issue 'dqopt->info' [w] (local cap)
      * fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
        'sb_dqopt(sb)->info' [r]
      * fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
        issue 'quota_magics' [w]
      * fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
        issue 'quota_versions' [w]
      * fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
        issue 'dqopt->info' [r]
      * fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
        issue 'dqopt->info' [r]
      
      Additionally, a quick inspection indicates there are array accesses with
      'type' in quota_on() and quota_off() functions which are also addressed
      by this.
      
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJeremy Cline <jcline@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3098933c
    • Horia Geantă's avatar
      crypto: caam/qi - fix error path in xts setkey · 0682e027
      Horia Geantă authored
      commit ad876a18 upstream.
      
      xts setkey callback returns 0 on some error paths.
      Fix this by returning -EINVAL.
      
      Cc: <stable@vger.kernel.org> # 4.12+
      Fixes: b189817c ("crypto: caam/qi - add ablkcipher and authenc algorithms")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0682e027
    • Horia Geantă's avatar
      crypto: caam/jr - fix descriptor DMA unmapping · ccb38942
      Horia Geantă authored
      commit cc98963d upstream.
      
      Descriptor address needs to be swapped to CPU endianness before being
      DMA unmapped.
      
      Cc: <stable@vger.kernel.org> # 4.8+
      Fixes: 261ea058 ("crypto: caam - handle core endianness != caam endianness")
      Reported-by: default avatarLaurentiu Tudor <laurentiu.tudor@nxp.com>
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ccb38942
    • Horia Geantă's avatar
      crypto: caam - fix DMA mapping direction for RSA forms 2 & 3 · be6f98b2
      Horia Geantă authored
      commit f1bf9e60 upstream.
      
      Crypto engine needs some temporary locations in external memory for
      running RSA decrypt forms 2 and 3 (CRT).
      These are named "tmp1" and "tmp2" in the PDB.
      
      Update DMA mapping direction of tmp1 and tmp2 from TO_DEVICE to
      BIDIRECTIONAL, since engine needs r/w access.
      
      Cc: <stable@vger.kernel.org> # 4.13+
      Fixes: 52e26d77 ("crypto: caam - add support for RSA key form 2")
      Fixes: 4a651b12 ("crypto: caam - add support for RSA key form 3")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be6f98b2
    • Ondrej Mosnacek's avatar
      crypto: vmx - Fix sleep-in-atomic bugs · 9f830cf2
      Ondrej Mosnacek authored
      commit 0522236d upstream.
      
      This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX
      implementations. The problem is that the blkcipher_* functions should
      not be called in atomic context.
      
      The bugs can be reproduced via the AF_ALG interface by trying to
      encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the
      VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then
      trigger BUG in crypto_yield():
      
      [  891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424
      [  891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc
      [  891.864739] 1 lock held by kcapi-enc/12347:
      [  891.864811]  #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530
      [  891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1
      [  891.865251] Call Trace:
      [  891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable)
      [  891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310
      [  891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0
      [  891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto]
      [  891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80
      [  891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530
      [  891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0
      [  891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0
      [  891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0
      [  891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70
      
      Fixes: 8c755ace ("crypto: vmx - Adding CBC routines for VMX module")
      Fixes: c07f5d3d ("crypto: vmx - Adding support for XTS")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f830cf2
    • Adrian Hunter's avatar
      perf auxtrace: Fix queue resize · 300ec47a
      Adrian Hunter authored
      commit 99cbbe56 upstream.
      
      When the number of queues grows beyond 32, the array of queues is
      resized but not all members were being copied. Fix by also copying
      'tid', 'cpu' and 'set'.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: stable@vger.kernel.org
      Fixes: e5027893 ("perf auxtrace: Add helpers for queuing AUX area tracing data")
      Link: http://lkml.kernel.org/r/20180814084608.6563-1-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      300ec47a
    • Eddie.Horng's avatar
      cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias() · 5a842ecc
      Eddie.Horng authored
      commit 355139a8 upstream.
      
      The code in cap_inode_getsecurity(), introduced by commit 8db6c34f
      ("Introduce v3 namespaced file capabilities"), should use
      d_find_any_alias() instead of d_find_alias() do handle unhashed dentry
      correctly. This is needed, for example, if execveat() is called with an
      open but unlinked overlayfs file, because overlayfs unhashes dentry on
      unlink.
      This is a regression of real life application, first reported at
      https://www.spinics.net/lists/linux-unionfs/msg05363.html
      
      Below reproducer and setup can reproduce the case.
        const char* exec="echo";
        const char *newargv[] = { "echo", "hello", NULL};
        const char *newenviron[] = { NULL };
        int fd, err;
      
        fd = open(exec, O_PATH);
        unlink(exec);
        err = syscall(322/*SYS_execveat*/, fd, "", newargv, newenviron,
      AT_EMPTY_PATH);
        if(err<0)
          fprintf(stderr, "execveat: %s\n", strerror(errno));
      
      gcc compile into ~/test/a.out
      mount -t overlay -orw,lowerdir=/mnt/l,upperdir=/mnt/u,workdir=/mnt/w
      none /mnt/m
      cd /mnt/m
      cp /bin/echo .
      ~/test/a.out
      
      Expected result:
      hello
      Actually result:
      execveat: Invalid argument
      dmesg:
      Invalid argument reading file caps for /dev/fd/3
      
      The 2nd reproducer and setup emulates similar case but for
      regular filesystem:
        const char* exec="echo";
        int fd, err;
        char buf[256];
      
        fd = open(exec, O_RDONLY);
        unlink(exec);
        err = fgetxattr(fd, "security.capability", buf, 256);
        if(err<0)
          fprintf(stderr, "fgetxattr: %s\n", strerror(errno));
      
      gcc compile into ~/test_fgetxattr
      
      cd /tmp
      cp /bin/echo .
      ~/test_fgetxattr
      
      Result:
      fgetxattr: Invalid argument
      
      On regular filesystem, for example, ext4 read xattr from
      disk and return to execveat(), will not trigger this issue, however,
      the overlay attr handler pass real dentry to vfs_getxattr() will.
      This reproducer calls fgetxattr() with an unlinked fd, involkes
      vfs_getxattr() then reproduced the case that d_find_alias() in
      cap_inode_getsecurity() can't find the unlinked dentry.
      Suggested-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Acked-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Acked-by: default avatarSerge E. Hallyn <serge@hallyn.com>
      Fixes: 8db6c34f ("Introduce v3 namespaced file capabilities")
      Cc: <stable@vger.kernel.org> # v4.14
      Signed-off-by: default avatarEddie Horng <eddie.horng@mediatek.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a842ecc
    • Shan Hai's avatar
      bcache: release dc->writeback_lock properly in bch_writeback_thread() · d1a265da
      Shan Hai authored
      commit 3943b040 upstream.
      
      The writeback thread would exit with a lock held when the cache device
      is detached via sysfs interface, fix it by releasing the held lock
      before exiting the while-loop.
      
      Fixes: fadd94e0 (bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set)
      Signed-off-by: default avatarShan Hai <shan.hai@oracle.com>
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Tested-by: default avatarShenghui Wang <shhuiw@foxmail.com>
      Cc: stable@vger.kernel.org #4.17+
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d1a265da
    • Vishal Verma's avatar
      libnvdimm: fix ars_status output length calculation · c8d875b4
      Vishal Verma authored
      commit 286e8771 upstream.
      
      Commit efda1b5d ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling")
      Introduced additional hardening for ambiguity in the ACPI spec for
      ars_status output sizing. However, it had a couple of cases mixed up.
      Where it should have been checking for (and returning) "out_field[1] -
      4" it was using "out_field[1] - 8" and vice versa.
      
      This caused a four byte discrepancy in the buffer size passed on to
      the command handler, and in some cases, this caused memory corruption
      like:
      
        ./daxdev-errors.sh: line 76: 24104 Aborted   (core dumped) ./daxdev-errors $busdev $region
        malloc(): memory corruption
        Program received signal SIGABRT, Aborted.
        [...]
        #5  0x00007ffff7865a2e in calloc () from /lib64/libc.so.6
        #6  0x00007ffff7bc2970 in ndctl_bus_cmd_new_ars_status (ars_cap=ars_cap@entry=0x6153b0) at ars.c:136
        #7  0x0000000000401644 in check_ars_status (check=0x7fffffffdeb0, bus=0x604c20) at daxdev-errors.c:144
        #8  test_daxdev_clear_error (region_name=<optimized out>, bus_name=<optimized out>)
            at daxdev-errors.c:332
      
      Cc: <stable@vger.kernel.org>
      Cc: Dave Jiang <dave.jiang@intel.com>
      Cc: Keith Busch <keith.busch@intel.com>
      Cc: Lukasz Dorau <lukasz.dorau@intel.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Fixes: efda1b5d ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling")
      Signed-off-by: default avatarVishal Verma <vishal.l.verma@intel.com>
      Reviewed-by: default avatarKeith Busch <keith.busch@intel.com>
      Signed-of-by: default avatarDave Jiang <dave.jiang@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8d875b4
    • Christian Brauner's avatar
      getxattr: use correct xattr length · ff0791f4
      Christian Brauner authored
      commit 82c9a927 upstream.
      
      When running in a container with a user namespace, if you call getxattr
      with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
      silently skips the user namespace fixup that it normally does resulting in
      un-fixed-up data being returned.
      This is caused by posix_acl_fix_xattr_to_user() being passed the total
      buffer size and not the actual size of the xattr as returned by
      vfs_getxattr().
      This commit passes the actual length of the xattr as returned by
      vfs_getxattr() down.
      
      A reproducer for the issue is:
      
        touch acl_posix
      
        setfacl -m user:0:rwx acl_posix
      
      and the compile:
      
        #define _GNU_SOURCE
        #include <errno.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include <sys/types.h>
        #include <unistd.h>
        #include <attr/xattr.h>
      
        /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
        int main(int argc, void **argv)
        {
                ssize_t ret1, ret2;
                char buf1[128], buf2[132];
                int fret = EXIT_SUCCESS;
                char *file;
      
                if (argc < 2) {
                        fprintf(stderr,
                                "Please specify a file with "
                                "\"system.posix_acl_access\" permissions set\n");
                        _exit(EXIT_FAILURE);
                }
                file = argv[1];
      
                ret1 = getxattr(file, "system.posix_acl_access",
                                buf1, sizeof(buf1));
                if (ret1 < 0) {
                        fprintf(stderr, "%s - Failed to retrieve "
                                        "\"system.posix_acl_access\" "
                                        "from \"%s\"\n", strerror(errno), file);
                        _exit(EXIT_FAILURE);
                }
      
                ret2 = getxattr(file, "system.posix_acl_access",
                                buf2, sizeof(buf2));
                if (ret2 < 0) {
                        fprintf(stderr, "%s - Failed to retrieve "
                                        "\"system.posix_acl_access\" "
                                        "from \"%s\"\n", strerror(errno), file);
                        _exit(EXIT_FAILURE);
                }
      
                if (ret1 != ret2) {
                        fprintf(stderr, "The value of \"system.posix_acl_"
                                        "access\" for file \"%s\" changed "
                                        "between two successive calls\n", file);
                        _exit(EXIT_FAILURE);
                }
      
                for (ssize_t i = 0; i < ret2; i++) {
                        if (buf1[i] == buf2[i])
                                continue;
      
                        fprintf(stderr,
                                "Unexpected different in byte %zd: "
                                "%02x != %02x\n", i, buf1[i], buf2[i]);
                        fret = EXIT_FAILURE;
                }
      
                if (fret == EXIT_SUCCESS)
                        fprintf(stderr, "Test passed\n");
                else
                        fprintf(stderr, "Test failed\n");
      
                _exit(fret);
        }
      and run:
      
        ./tester acl_posix
      
      On a non-fixed up kernel this should return something like:
      
        root@c1:/# ./t
        Unexpected different in byte 16: ffffffa0 != 00
        Unexpected different in byte 17: ffffff86 != 00
        Unexpected different in byte 18: 01 != 00
      
      and on a fixed kernel:
      
        root@c1:~# ./t
        Test passed
      
      Cc: stable@vger.kernel.org
      Fixes: 2f6f0654 ("userns: Convert vfs posix_acl support to use kuids and kgids")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945Reported-by: default avatarColin Watson <cjwatson@ubuntu.com>
      Signed-off-by: default avatarChristian Brauner <christian@brauner.io>
      Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff0791f4
    • Mikulas Patocka's avatar
      udlfb: set optimal write delay · 19b99719
      Mikulas Patocka authored
      commit bb24153a upstream.
      
      The default delay 5 jiffies is too much when the kernel is compiled with
      HZ=100 - it results in jumpy cursor in Xwindow.
      
      In order to find out the optimal delay, I benchmarked the driver on
      1280x720x30fps video. I found out that with HZ=1000, 10ms is acceptable,
      but with HZ=250 or HZ=300, we need 4ms, so that the video is played
      without any frame skips.
      
      This patch changes the delay to this value.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19b99719
    • Mikulas Patocka's avatar
      fb: fix lost console when the user unplugs a USB adapter · d0f2eb3a
      Mikulas Patocka authored
      commit 8c5b0442 upstream.
      
      I have a USB display adapter using the udlfb driver and I use it on an ARM
      board that doesn't have any graphics card. When I plug the adapter in, the
      console is properly displayed, however when I unplug and re-plug the
      adapter, the console is not displayed and I can't access it until I reboot
      the board.
      
      The reason is this:
      When the adapter is unplugged, dlfb_usb_disconnect calls
      unlink_framebuffer, then it waits until the reference count drops to zero
      and then it deallocates the framebuffer. However, the console that is
      attached to the framebuffer device keeps the reference count non-zero, so
      the framebuffer device is never destroyed. When the USB adapter is plugged
      again, it creates a new device /dev/fb1 and the console is not attached to
      it.
      
      This patch fixes the bug by unbinding the console from unlink_framebuffer.
      The code to unbind the console is moved from do_unregister_framebuffer to
      a function unbind_console. When the console is unbound, the reference
      count drops to zero and the udlfb driver frees the framebuffer. When the
      adapter is plugged back, a new framebuffer is created and the console is
      attached to it.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Bernie Thompson <bernie@plugable.com>
      Cc: Ladislav Michl <ladis@linux-mips.org>
      Cc: stable@vger.kernel.org
      [b.zolnierkie: preserve old behavior for do_unregister_framebuffer()]
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0f2eb3a
    • Vignesh R's avatar
      pwm: tiehrpwm: Fix disabling of output of PWMs · 9b0dd656
      Vignesh R authored
      commit 38dabd91 upstream.
      
      pwm-tiehrpwm driver disables PWM output by putting it in low output
      state via active AQCSFRC register in ehrpwm_pwm_disable(). But, the
      AQCSFRC shadow register is not updated. Therefore, when shadow AQCSFRC
      register is re-enabled in ehrpwm_pwm_enable() (say to enable second PWM
      output), previous settings are lost as shadow register value is loaded
      into active register. This results in things like PWMA getting enabled
      automatically, when PWMB is enabled and vice versa. Fix this by
      updating AQCSFRC shadow register as well during ehrpwm_pwm_disable().
      
      Fixes: 19891b20 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVignesh R <vigneshr@ti.com>
      Signed-off-by: default avatarThierry Reding <thierry.reding@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b0dd656
    • Vignesh R's avatar
      pwm: tiehrpwm: Don't use emulation mode bits to control PWM output · 0ef9c771
      Vignesh R authored
      commit aa49d628 upstream.
      
      As per AM335x TRM SPRUH73P "15.2.2.11 ePWM Behavior During Emulation",
      TBCTL[15:14] only have effect during emulation suspend events (IOW,
      to stop PWM when debugging using a debugger). These bits have no effect
      on PWM output during normal running of system. Hence, remove code
      accessing these bits as they have no role in enabling/disabling PWMs.
      
      Fixes: 19891b20 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVignesh R <vigneshr@ti.com>
      Signed-off-by: default avatarThierry Reding <thierry.reding@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ef9c771
    • Richard Weinberger's avatar
      ubifs: Fix synced_i_size calculation for xattr inodes · 63bbaa14
      Richard Weinberger authored
      commit 59965593 upstream.
      
      In ubifs_jnl_update() we sync parent and child inodes to the flash,
      in case of xattrs, the parent inode (AKA host inode) has a non-zero
      data_len. Therefore we need to adjust synced_i_size too.
      
      This issue was reported by ubifs self tests unter a xattr related work
      load.
      UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean
      UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4
      
      Cc: <stable@vger.kernel.org>
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: Richard Weinberger's avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      63bbaa14
    • Richard Weinberger's avatar
      ubifs: xattr: Don't operate on deleted inodes · 8a23348d
      Richard Weinberger authored
      commit 11a6fc3d upstream.
      
      xattr operations can race with unlink and the following assert triggers:
      UBIFS assert failed in ubifs_jnl_change_xattr at 1606 (pid 6256)
      
      Fix this by checking i_nlink before working on the host inode.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: Richard Weinberger's avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a23348d
    • Richard Weinberger's avatar
      ubifs: Check data node size before truncate · f6d7acc1
      Richard Weinberger authored
      commit 95a22d20 upstream.
      
      Check whether the size is within bounds before using it.
      If the size is not correct, abort and dump the bad data node.
      
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Silvio Cesare <silvio.cesare@gmail.com>
      Cc: stable@vger.kernel.org
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Reported-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Signed-off-by: Richard Weinberger's avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: Richard Weinberger's avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6d7acc1
    • Richard Weinberger's avatar
      Revert "UBIFS: Fix potential integer overflow in allocation" · 3259dd71
      Richard Weinberger authored
      commit 08acbdd6 upstream.
      
      This reverts commit 353748a3.
      It bypassed the linux-mtd review process and fixes the issue not as it
      should.
      
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Silvio Cesare <silvio.cesare@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Richard Weinberger's avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3259dd71
    • Richard Weinberger's avatar
      ubifs: Fix memory leak in lprobs self-check · a230db38
      Richard Weinberger authored
      commit eef19816 upstream.
      
      Allocate the buffer after we return early.
      Otherwise memory is being leaked.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: Richard Weinberger's avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a230db38
    • Jann Horn's avatar
      userns: move user access out of the mutex · 656d6e6f
      Jann Horn authored
      commit 5820f140 upstream.
      
      The old code would hold the userns_state_mutex indefinitely if
      memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
      moving the memdup_user_nul in front of the mutex_lock().
      
      Note: This changes the error precedence of invalid buf/count/*ppos vs
      map already written / capabilities missing.
      
      Fixes: 22d917d8 ("userns: Rework the user_namespace adding uid/gid...")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarChristian Brauner <christian@brauner.io>
      Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      656d6e6f
    • Jann Horn's avatar
      sys: don't hold uts_sem while accessing userspace memory · b692c405
      Jann Horn authored
      commit 42a0cc34 upstream.
      
      Holding uts_sem as a writer while accessing userspace memory allows a
      namespace admin to stall all processes that attempt to take uts_sem.
      Instead, move data through stack buffers and don't access userspace memory
      while uts_sem is held.
      
      Cc: stable@vger.kernel.org
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b692c405
    • Jacob Pan's avatar
      iommu/vt-d: Fix dev iotlb pfsid use · c2ea292b
      Jacob Pan authored
      commit 1c48db44 upstream.
      
      PFSID should be used in the invalidation descriptor for flushing
      device IOTLBs on SRIOV VFs.
      Signed-off-by: default avatarJacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: stable@vger.kernel.org
      Cc: "Ashok Raj" <ashok.raj@intel.com>
      Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c2ea292b
    • Jacob Pan's avatar
      iommu/vt-d: Add definitions for PFSID · eb58c404
      Jacob Pan authored
      commit 0f725561 upstream.
      
      When SRIOV VF device IOTLB is invalidated, we need to provide
      the PF source ID such that IOMMU hardware can gauge the depth
      of invalidation queue which is shared among VFs. This is needed
      when device invalidation throttle (DIT) capability is supported.
      
      This patch adds bit definitions for checking and tracking PFSID.
      Signed-off-by: default avatarJacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: stable@vger.kernel.org
      Cc: "Ashok Raj" <ashok.raj@intel.com>
      Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb58c404
    • Peter Zijlstra's avatar
      mm/tlb: Remove tlb_remove_table() non-concurrent condition · 7cf82f3b
      Peter Zijlstra authored
      commit a6f57208 upstream.
      
      Will noted that only checking mm_users is incorrect; we should also
      check mm_count in order to cover CPUs that have a lazy reference to
      this mm (and could do speculative TLB operations).
      
      If removing this turns out to be a performance issue, we can
      re-instate a more complete check, but in tlb_table_flush() eliding the
      call_rcu_sched().
      
      Fixes: 26723911 ("mm, powerpc: move the RCU page-table freeing into generic code")
      Reported-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarRik van Riel <riel@surriel.com>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cf82f3b
    • Jon Hunter's avatar
      ARM: tegra: Fix Tegra30 Cardhu PCA954x reset · ddcb9270
      Jon Hunter authored
      commit 6e181190 upstream.
      
      On all versions of Tegra30 Cardhu, the reset signal to the NXP PCA9546
      I2C mux is connected to the Tegra GPIO BB0. Currently, this pin on the
      Tegra is not configured as a GPIO but as a special-function IO (SFIO)
      that is multiplexing the pin to an I2S controller. On exiting system
      suspend, I2C commands sent to the PCA9546 are failing because there is
      no ACK. Although it is not possible to see exactly what is happening
      to the reset during suspend, by ensuring it is configured as a GPIO
      and driven high, to de-assert the reset, the failures are no longer
      seen.
      
      Please note that this GPIO is also used to drive the reset signal
      going to the camera connector on the board. However, given that there
      is no camera support currently for Cardhu, this should not have any
      impact.
      
      Fixes: 40431d16 ("ARM: tegra: enable PCA9546 on Cardhu")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ddcb9270