Commit Graph

902105 Commits

Author SHA1 Message Date
Linus Torvalds 9d588f6360 s390 updates for 5.6-rc5
- Fix panic in gup_fast on large pud by providing an implementation of
   pud_write. This has been overlooked during migration to common gup code.
 
 - Fix unexpected write combining on PCI stores.

Merge tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fixes from Vasily Gorbik:

 - Fix panic in gup_fast on large pud by providing an implementation of
   pud_write. This has been overlooked during migration to common gup
   code.

 - Fix unexpected write combining on PCI stores.

* tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/pci: Fix unexpected write combine on resource
  s390/mm: fix panic in gup_fast on large pud
2020-03-07 08:12:47 -06:00
Linus Torvalds 5236647adb powerpc fixes for 5.6 #4
One fix for a recent regression to our breakpoint/watchpoint code.
 
 Another fix for our KUAP support, this time a missing annotation in a rarely
 used path in signal handling.
 
 A fix for our handling of a CPU feature that affects the PMU, when booting
 guests in some configurations.
 
 A minor fix to our linker script to explicitly include the .BTF section.
 
 Thanks to:
   Christophe Leroy, Desnes A. Nunes do Rosario, Leonardo Bras, Naveen N. Rao,
   Ravi Bangoria, Stefan Berger.

Merge tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:
 "Some more powerpc fixes for 5.6:

   - One fix for a recent regression to our breakpoint/watchpoint code.

   - Another fix for our KUAP support, this time a missing annotation in
     a rarely used path in signal handling.

   - A fix for our handling of a CPU feature that affects the PMU, when
     booting guests in some configurations.

   - A minor fix to our linker script to explicitly include the .BTF
     section.

  Thanks to: Christophe Leroy, Desnes A. Nunes do Rosario, Leonardo
  Bras, Naveen N. Rao, Ravi Bangoria, Stefan Berger"

* tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
  powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
  powerpc: Include .BTF section
  powerpc/watchpoint: Don't call dar_within_range() for Book3S
2020-03-07 08:10:34 -06:00
Linus Torvalds cbee7c8b44 xen: branch for v5.6-rc5

Merge tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
 "Four fixes and a small cleanup patch:

   - two fixes by Dongli Zhang fixing races in the xenbus driver

   - two fixes by me fixing issues introduced in 5.6

   - a small cleanup by Gustavo Silva replacing a zero-length array with
     a flexible-array"

* tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/blkfront: fix ring info addressing
  xen/xenbus: fix locking
  xenbus: req->err should be updated before req->state
  xenbus: req->body should be updated before req->state
  xen: Replace zero-length array with flexible-array member
2020-03-07 08:04:54 -06:00
Linus Torvalds fa883d6afb for-linus-2020-03-07

Merge tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux

Pull thread fixes from Christian Brauner:
 "Here are a few hopefully uncontroversial fixes:

   - Use RCU_INIT_POINTER() when initializing rcu protected members in
     task_struct to fix sparse warnings.

   - Add pidfd_fdinfo_test binary to .gitignore file"

* tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux:
  selftests: pidfd: Add pidfd_fdinfo_test in .gitignore
  exit: Fix Sparse errors and warnings
  fork: Use RCU_INIT_POINTER() instead of rcu_access_pointer()
2020-03-07 08:01:43 -06:00
Linus Torvalds 676fc8de31 sound fixes for 5.6-rc5
The regular "bump-in-the-middle" updates, containing mostly ASoC-
 related fixes at this time.  All changes are reasonably small.
 A few entries are for ASoC and ALSA core parts (DAPM, PCM, topology)
 for followups of the recent changes and potential buffer overflow by
 snprintf(), while the rest are (both new and old) device-specific
 fixes for Intel, meson, tas2562, rt1015, as well as the usual
 HD-audio quirks.

Merge tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "The regular "bump-in-the-middle" updates, containing mostly ASoC-
  related fixes at this time. All changes are reasonably small.

  A few entries are for ASoC and ALSA core parts (DAPM, PCM, topology)
  for followups of the recent changes and potential buffer overflow by
  snprintf(), while the rest are (both new and old) device-specific
  fixes for Intel, meson, tas2562, rt1015, as well as the usual HD-audio
  quirks"

* tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (25 commits)
  ALSA: sgio2audio: Remove usage of dropped hw_params/hw_free functions
  ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
  ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
  ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
  ALSA: hda/realtek - Add Headset Mic supported
  ASoC: wm8741: Fix typo in Kconfig prompt
  ASoC: stm32: sai: manage rebind issue
  ASoC: SOF: Fix snd_sof_ipc_stream_posn()
  ASoC: rt1015: modify pre-divider for sysclk
  ASoC: rt1015: add operation callback function for rt1015_dai[]
  ASoC: soc-component: tidyup snd_soc_pcm_component_sync_stop()
  ASoC: dapm: Correct DAPM handling of active widgets during shutdown
  ASoC: tas2562: Fix sample rate error message
  ASoC: Intel: Skylake: Fix available clock counter incrementation
  ASoC: soc-pcm/soc-compress: don't use snd_soc_dapm_stream_stop()
  ASoC: meson: g12a: add tohdmitx reset
  ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
  ASoC: soc-core: fix for_rtd_codec_dai_rollback() macro
  ASoC: topology: Fix memleak in soc_tplg_manifest_load()
  ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
  ...
2020-03-07 07:59:30 -06:00
H. Nikolaus Schaller 130ab8819d MIPS: DTS: CI20: fix interrupt for pcf8563 RTC
Interrupts should not be specified by interrupt line but by
gpio parent and reference.

Fixes: 73f2b94047 ("MIPS: CI20: DTS: Add I2C nodes")
Cc: stable@vger.kernel.org
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
2020-03-07 09:54:24 +01:00
H. Nikolaus Schaller e8d87a0b82 MIPS: DTS: CI20: fix PMU definitions for ACT8600
There is an ACT8600 on the CI20 board and the bindings of the
ACT8865 driver have changed without updating the CI20 device
tree. Therefore the PMU can not be probed successfully and
is running in power-on reset state.

Fix DT to match the latest act8865-regulator bindings.

Fixes: 73f2b94047 ("MIPS: CI20: DTS: Add I2C nodes")
Cc: stable@vger.kernel.org
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
2020-03-07 09:53:21 +01:00
Ingo Molnar 798048f850 perf/urgent fixes:
perf top:
 
   Tommi Rantala:
 
   - Fix stdio interface input handling with glibc 2.28+.
 
 perf bench:
 
   Tommi Rantala:
 
   - Restore thread count default to online CPU count in futex-wake bench.
 
 perf jevents:
 
   John Garry:
 
   - Fix leak of mapfile memory.
 
 perf diff:
 
   Nick Desaulniers:
 
   - Fix undefined string comparison spotted by clang's -Wstring-compare.
 
 misc:
 
   Ian Rogers:
 
   - Fix off-by 1 relative directory includes.
 
 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Merge tag 'perf-urgent-for-mingo-5.6-20200306' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent

Pull perf/urgent fixes from Arnaldo Carvalho de Melo:

perf top:

  Tommi Rantala:

  - Fix stdio interface input handling with glibc 2.28+.

perf bench:

  Tommi Rantala:

  - Restore thread count default to online CPU count in futex-wake bench.

perf jevents:

  John Garry:

  - Fix leak of mapfile memory.

perf diff:

  Nick Desaulniers:

  - Fix undefined string comparison spotted by clang's -Wstring-compare.

misc:

  Ian Rogers:

  - Fix off-by 1 relative directory includes.

Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-03-07 08:29:55 +01:00
Jonathan Neuschäfer aeaa925bff rhashtable: Document the right function parameters
rhashtable_lookup_get_insert_key doesn't have a parameter `data`. It
does have a parameter `key`, however.

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 22:33:38 -08:00
Takashi Iwai 5a56996b0f ASoC: Fixes for v5.6
More fixes that have arrived since the merge window, spread out all
 over.  There's a few things like the operation callback addition for
 rt1015 and the meson reset addition which add small new bits of
 functionality to fix non-working systems, they're all very small and for
 parts of newly added functionality.

Merge tag 'asoc-fix-v5.6-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v5.6

More fixes that have arrived since the merge window, spread out all
over.  There's a few things like the operation callback addition for
rt1015 and the meson reset addition which add small new bits of
functionality to fix non-working systems, they're all very small and for
parts of newly added functionality.
2020-03-07 07:24:36 +01:00
Jakub Kicinski 03138e2bf7 MAINTAINERS: remove bouncing pkaustub@cisco.com from enic
pkaustub@cisco.com is bouncing, remove it.

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Christian Benvenuti <benve@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 22:05:32 -08:00
Shannon Nelson e396ce5f42 ionic: fix vf op lock usage
These are a couple of read locks that should be write locks.

Fixes: fbb39807e9 ("ionic: support sr-iov operations")
Signed-off-by: Shannon Nelson <snelson@pensando.io>
Reviewed-by: Parav Pandit <parav@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 22:02:29 -08:00
Eric Dumazet b7469e83d2 bonding/alb: make sure arp header is pulled before accessing it
Similar to commit 38f88c4540 ("bonding/alb: properly access headers
in bond_alb_xmit()"), we need to make sure arp header was pulled
in skb->head before blindly accessing it in rlb_arp_xmit().

Remove arp_pkt() private helper, since it is more readable/obvious
to have the following construct back to back :

	if (!pskb_network_may_pull(skb, sizeof(*arp)))
		return NULL;
	arp = (struct arp_pkt *)skb_network_header(skb);

syzbot reported :

BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
 rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
 bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
 __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
 bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
 __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
 netdev_start_xmit include/linux/netdevice.h:4538 [inline]
 xmit_one net/core/dev.c:3470 [inline]
 dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
 __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
 packet_snd net/packet/af_packet.c:2967 [inline]
 packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 __sys_sendto+0xc1b/0xc50 net/socket.c:1998
 __do_sys_sendto net/socket.c:2010 [inline]
 __se_sys_sendto+0x107/0x130 net/socket.c:2006
 __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479
RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
 slab_alloc_node mm/slub.c:2793 [inline]
 __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1051 [inline]
 alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
 sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
 packet_alloc_skb net/packet/af_packet.c:2815 [inline]
 packet_snd net/packet/af_packet.c:2910 [inline]
 packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 __sys_sendto+0xc1b/0xc50 net/socket.c:1998
 __do_sys_sendto net/socket.c:2010 [inline]
 __se_sys_sendto+0x107/0x130 net/socket.c:2006
 __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 22:00:10 -08:00
David S. Miller 172fd3eb38 Merge branch 'QorIQ-DPAA-FMan-erratum-A050385-workaround'
Madalin Bucur says:

====================
QorIQ DPAA FMan erratum A050385 workaround

Changes in v2:
 - added CONFIG_DPAA_ERRATUM_A050385
 - removed unnecessary parenthesis
 - changed alignment defines to use only decimal values

The patch set implements the workaround for FMan erratum A050385:

FMAN DMA read or writes under heavy traffic load may cause FMAN
internal resource leak; thus stopping further packet processing.
To reproduce this issue when the workaround is not applied, one
needs to ensure the FMan DMA transaction queue is already full
when a transaction split occurs so the system must be under high
traffic load (i.e. multiple ports at line rate). After the errata
occurs, the traffic stops. The only SoC impacted by this is the
LS1043A, the other ARM DPAA 1 SoC or the PPC DPAA 1 SoCs do not
have this erratum.

The FMAN internal queue can overflow when FMAN splits single
read or write transactions into multiple smaller transactions
such that more than 17 AXI transactions are in flight from FMAN
to interconnect. When the FMAN internal queue overflows, it can
stall further packet processing. The issue can occur with any one
of the following three conditions:

  1. FMAN AXI transaction crosses 4K address boundary (Errata
         A010022)
  2. FMAN DMA address for an AXI transaction is not 16 byte
         aligned, i.e. the last 4 bits of an address are non-zero
  3. Scatter Gather (SG) frames have more than one SG buffer in
         the SG list and any one of the buffers, except the last
         buffer in the SG list has data size that is not a multiple
         of 16 bytes, i.e., other than 16, 32, 48, 64, etc.

With any one of the above three conditions present, there is
likelihood of stalled FMAN packet processing, especially under
stress with multiple ports injecting line-rate traffic.

To avoid situations that stall FMAN packet processing, all of the
above three conditions must be avoided; therefore, configure the
system with the following rules:

  1. Frame buffers must not span a 4KB address boundary, unless
         the frame start address is 256 byte aligned
  2. All FMAN DMA start addresses (for example, BMAN buffer
         address, FD[address] + FD[offset]) are 16B aligned
  3. SG table and buffer addresses are 16B aligned and the size
         of SG buffers are multiple of 16 bytes, except for the last
         SG buffer that can be of any size.

Additional workaround notes:
- Address alignment of 64 bytes is recommended for maximally
efficient system bus transactions (although 16 byte alignment is
sufficient to avoid the stall condition)
- To support frame sizes that are larger than 4K bytes, there are
two options:
  1. Large single buffer frames that span a 4KB page boundary can
         be converted into SG frames to avoid transaction splits at
         the 4KB boundary,
  2. Align the large single buffer to 256B address boundaries,
         ensure that the frame address plus offset is 256B aligned.
- If software generated SG frames have buffers that are unaligned
and with random non-multiple of 16 byte lengths, before
transmitting such frames via FMAN, frames will need to be copied
into a new single buffer or multiple buffer SG frame that is
compliant with the three rules listed above.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 21:55:32 -08:00
Madalin Bucur 3c68b8fffb dpaa_eth: FMan erratum A050385 workaround
Align buffers, data start, SG fragment length to avoid DMA splits.
These changes prevent the A050385 erratum from manifesting itself:

FMAN DMA read or writes under heavy traffic load may cause FMAN
internal resource leak; thus stopping further packet processing.

The FMAN internal queue can overflow when FMAN splits single
read or write transactions into multiple smaller transactions
such that more than 17 AXI transactions are in flight from FMAN
to interconnect. When the FMAN internal queue overflows, it can
stall further packet processing. The issue can occur with any one
of the following three conditions:

  1. FMAN AXI transaction crosses 4K address boundary (Errata
	 A010022)
  2. FMAN DMA address for an AXI transaction is not 16 byte
	 aligned, i.e. the last 4 bits of an address are non-zero
  3. Scatter Gather (SG) frames have more than one SG buffer in
	 the SG list and any one of the buffers, except the last
	 buffer in the SG list has data size that is not a multiple
	 of 16 bytes, i.e., other than 16, 32, 48, 64, etc.

With any one of the above three conditions present, there is
likelihood of stalled FMAN packet processing, especially under
stress with multiple ports injecting line-rate traffic.

To avoid situations that stall FMAN packet processing, all of the
above three conditions must be avoided; therefore, configure the
system with the following rules:

  1. Frame buffers must not span a 4KB address boundary, unless
	 the frame start address is 256 byte aligned
  2. All FMAN DMA start addresses (for example, BMAN buffer
	 address, FD[address] + FD[offset]) are 16B aligned
  3. SG table and buffer addresses are 16B aligned and the size
	 of SG buffers are multiple of 16 bytes, except for the last
	 SG buffer that can be of any size.

Additional workaround notes:
- Address alignment of 64 bytes is recommended for maximally
efficient system bus transactions (although 16 byte alignment is
sufficient to avoid the stall condition)
- To support frame sizes that are larger than 4K bytes, there are
two options:
  1. Large single buffer frames that span a 4KB page boundary can
	 be converted into SG frames to avoid transaction splits at
	 the 4KB boundary,
  2. Align the large single buffer to 256B address boundaries,
	 ensure that the frame address plus offset is 256B aligned.
- If software generated SG frames have buffers that are unaligned
and with random non-multiple of 16 byte lengths, before
transmitting such frames via FMAN, frames will need to be copied
into a new single buffer or multiple buffer SG frame that is
compliant with the three rules listed above.

Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 21:55:32 -08:00
Madalin Bucur b281f7b93b fsl/fman: detect FMan erratum A050385
Detect the presence of the A050385 erratum.

Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 21:55:32 -08:00
Madalin Bucur b54d390086 arm64: dts: ls1043a: FMan erratum A050385
The LS1043A SoC is affected by the A050385 erratum stating that
FMAN DMA read or writes under heavy traffic load may cause FMAN
internal resource leak thus stopping further packet processing.

Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 21:55:32 -08:00
Madalin Bucur 26d5bb9e4c dt-bindings: net: FMan erratum A050385
FMAN DMA read or writes under heavy traffic load may cause FMAN
internal resource leak; thus stopping further packet processing.

The FMAN internal queue can overflow when FMAN splits single
read or write transactions into multiple smaller transactions
such that more than 17 AXI transactions are in flight from FMAN
to interconnect. When the FMAN internal queue overflows, it can
stall further packet processing. The issue can occur with any one
of the following three conditions:

  1. FMAN AXI transaction crosses 4K address boundary (Errata
     A010022)
  2. FMAN DMA address for an AXI transaction is not 16 byte
     aligned, i.e. the last 4 bits of an address are non-zero
  3. Scatter Gather (SG) frames have more than one SG buffer in
     the SG list and any one of the buffers, except the last
     buffer in the SG list has data size that is not a multiple
     of 16 bytes, i.e., other than 16, 32, 48, 64, etc.

With any one of the above three conditions present, there is
likelihood of stalled FMAN packet processing, especially under
stress with multiple ports injecting line-rate traffic.

To avoid situations that stall FMAN packet processing, all of the
above three conditions must be avoided; therefore, configure the
system with the following rules:

  1. Frame buffers must not span a 4KB address boundary, unless
     the frame start address is 256 byte aligned
  2. All FMAN DMA start addresses (for example, BMAN buffer
     address, FD[address] + FD[offset]) are 16B aligned
  3. SG table and buffer addresses are 16B aligned and the size
     of SG buffers are multiple of 16 bytes, except for the last
     SG buffer that can be of any size.

Additional workaround notes:
- Address alignment of 64 bytes is recommended for maximally
efficient system bus transactions (although 16 byte alignment is
sufficient to avoid the stall condition)
- To support frame sizes that are larger than 4K bytes, there are
two options:
  1. Large single buffer frames that span a 4KB page boundary can
     be converted into SG frames to avoid transaction splits at
     the 4KB boundary,
  2. Align the large single buffer to 256B address boundaries,
     ensure that the frame address plus offset is 256B aligned.
- If software generated SG frames have buffers that are unaligned
and with random non-multiple of 16 byte lengths, before
transmitting such frames via FMAN, frames will need to be copied
into a new single buffer or multiple buffer SG frame that is
compliant with the three rules listed above.

Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 21:55:32 -08:00
David S. Miller 357ddbb9bf Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Patches to bump position index from sysctl seq_next,
   from Vasilin Averin.

2) Release flowtable hook from error path, from Florian Westphal.

3) Patches to add missing netlink attribute validation,
   from Jakub Kicinski.

4) Missing NFTA_CHAIN_FLAGS in nf_tables_fill_chain_info().

5) Infinite loop in module autoload if extension is not available,
   from Florian Westphal.

6) Missing module ownership in inet/nat chain type definition.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2020-03-06 21:36:25 -08:00
Linus Torvalds 63849c8f41 linux-kselftest-5.6-rc5
This Kselftest update for Linux 5.6-rc5 consists of a cleanup patch
 to undo changes to global .gitignore that added selftests/lkdtm
 objects and add them to a local selftests/lkdtm/.gitignore.
 
 Summary of Linus's comments on local vs. global gitignore scope:
 
 - Keep local gitignore patterns in local files.
 - Put only global gitignore patterns in the top-level gitignore file.
 
 Local scope keeps things much better separated. It also incidentally
 means that if a directory gets renamed, the gitignore file continues
 to work unless in the case of renaming the actual files themselves that
 are named in the gitignore.

Merge tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull kselftest update from Shuah Khan:
 "This consists of a cleanup patch to undo changes to global .gitignore
  that added selftests/lkdtm objects and add them to a local
  selftests/lkdtm/.gitignore.

  Summary of Linus's comments on local vs. global gitignore scope:

   - Keep local gitignore patterns in local files.

   - Put only global gitignore patterns in the top-level gitignore file.

  Local scope keeps things much better separated. It also incidentally
  means that if a directory gets renamed, the gitignore file continues
  to work unless in the case of renaming the actual files themselves
  that are named in the gitignore"

* tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  selftest/lkdtm: Use local .gitignore
2020-03-06 17:03:37 -06:00
Linus Torvalds 7e6582ef32 RISC-V Fixes for 5.6-rc5
This tag contains a handful of fixes that I would like to target for 5.6:
 
 * A pair of fixes to module loading, which we hope solve the last of the issues
   with module text being loaded too sparsely for our call relocations.
 * A Kconfig fix that disallows selecting memory models not supported by NOMMU.
 * A series of Kconfig updates to ease selecting the drivers necessary to run on
   QEMU's virt platform.
 * DTS updates for SiFive's HiFive Unleashed.
 * A fix to our seccomp support that avoids mangling restartable syscalls.

Merge tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Palmer Dabbelt:
 "This contains a handful of fixes that I would like to target for 5.6:

   - A pair of fixes to module loading, which we hope solve the last of
     the issues with module text being loaded too sparsely for our call
     relocations.

   - A Kconfig fix that disallows selecting memory models not supported
     by NOMMU.

   - A series of Kconfig updates to ease selecting the drivers necessary
     to run on QEMU's virt platform.

   - DTS updates for SiFive's HiFive Unleashed.

   - A fix to our seccomp support that avoids mangling restartable
     syscalls"

* tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: fix seccomp reject syscall code path
  riscv: dts: Add GPIO reboot method to HiFive Unleashed DTS file
  RISC-V: Select Goldfish RTC driver for QEMU virt machine
  RISC-V: Select SYSCON Reboot and Poweroff for QEMU virt machine
  RISC-V: Enable QEMU virt machine support in defconfigs
  RISC-V: Add kconfig option for QEMU virt machine
  riscv: Fix range looking for kernel image memblock
  riscv: Force flat memory model with no-mmu
  riscv: Change code model of module to medany to improve data accessing
  riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
2020-03-06 16:38:33 -06:00
Jonathan Neuschäfer 611d61f9ac parse-maintainers: Mark as executable
This makes the script more convenient to run.

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-03-06 16:29:21 -06:00
Linus Torvalds bdf1ea7ca8 Devicetree fixes for v5.6, take 3:
- Fixes for warnings introduced by hierarchical PSCI binding changes
 
 - Fixes for broken doc references due to DT schema conversions
 
 - Several grammar and typo fixes
 
 - Fix a bunch of dtc warnings in examples

Merge tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull devicetree fixes from Rob Herring:
 "Another batch of DT fixes. I think this should be the last of it, but
  sending pull requests seems to cause people to send more fixes.

  Summary:

   - Fixes for warnings introduced by hierarchical PSCI binding changes

   - Fixes for broken doc references due to DT schema conversions

   - Several grammar and typo fixes

   - Fix a bunch of dtc warnings in examples"

* tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states
  dt-bindings: power: Extend nodename pattern for power-domain providers
  MAINTAINERS: update ALLWINNER CPUFREQ DRIVER entry
  dt-bindings: bus: Drop empty compatible string in example
  dt-bindings: power: Convert domain-idle-states bindings to json-schema
  dt-bindings: arm: Fix cpu compatibles in the hierarchical example for PSCI
  dt-bindings: arm: Correct links to idle states definitions
  dt-bindings: mfd: Fix typo in file name of twl-familly.txt
  dt-bindings: mfd: tps65910: Improve grammar
  dt-bindings: mfd: zii,rave-sp: Fix a typo ("onborad")
  dt-bindings: arm: fsl: fix APF6Dev compatible
  dt-bindings: Fix dtc warnings in examples
  docs: dt: fix several broken doc references
  docs: dt: fix several broken references due to renames
  MAINTAINERS: clean up PCIE DRIVER FOR CAVIUM THUNDERX
2020-03-06 16:11:34 -06:00
Linus Torvalds 2f501bb180 one vgacon input check for stable

Merge tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm

Pull vgacon fix from Daniel Vetter:
 "One vgacon input check for stable"

* tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm:
  vgacon: Fix a UAF in vgacon_invert_region
2020-03-06 16:08:48 -06:00
Gustavo A. R. Silva 2f920c0f0e auxdisplay: charlcd: replace zero-length array with flexible-array member
The current codebase makes use of the zero-length array language
extension to the C90 standard, but the preferred mechanism to declare
variable-length types such as these ones is a flexible array member[1][2],
introduced in C99:

struct foo {
        int stuff;
        struct boo array[];
};

By making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last in the structure, which
will help us prevent some kind of undefined behavior bugs from being
inadvertently introduced[3] to the codebase from now on.

Also, notice that dynamic memory allocations won't be affected by
this change:

"Flexible array members have incomplete type, and so the sizeof operator
may not be applied. As a quirk of the original implementation of
zero-length arrays, sizeof evaluates to zero."[1]

This issue was found with the help of Coccinelle.

[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
[2] https://github.com/KSPP/linux/issues/21
[3] commit 7649773293 ("cxgb3/l2t: Fix undefined behaviour")

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2020-03-06 22:18:07 +01:00
Yangtao Li e8897e4fe8 auxdisplay: img-ascii-lcd: convert to devm_platform_ioremap_resource
Use devm_platform_ioremap_resource() to simplify code.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2020-03-06 22:07:10 +01:00
Krzysztof Kozlowski d568bbd2f8 auxdisplay: Fix Kconfig indentation
Adjust indentation from spaces to tab (+optional two spaces) as in
coding style with command like:
	$ sed -e 's/^        /\t/' -i */Kconfig

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2020-03-06 22:01:54 +01:00
Linus Torvalds 30fe0d07fd for-5.6-rc4-tag

Merge tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fix from David Sterba:
 "One fixup for DIO when in use with the new checksums, a missed case
  where the checksum size was still assuming u32"

* tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: fix RAID direct I/O reads with alternate csums
2020-03-06 14:56:46 -06:00
Linus Torvalds 0b25d45803 File locking fixes for v5.6

Merge tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux

Pull file locking fixes from Jeff Layton:
 "Just a couple of late-breaking patches for the file locking code. The
  second patch (from yangerkun) fixes a rather nasty looking potential
  use-after-free that should go to stable.

  The other patch could technically wait for 5.7, but it's fairly
  innocuous so I figured we might as well take it"

* tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux:
  locks: fix a potential use-after-free problem when wakeup a waiter
  fcntl: Distribute switch variables for initialization
2020-03-06 14:55:27 -06:00
Linus Torvalds ae24a21bbd spi: Fixes for v5.6
A selection of small fixes, mostly for drivers, that have arrived since
 the merge window.  None of them are earth shattering in themselves but
 all useful for affected systems.

Merge tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A selection of small fixes, mostly for drivers, that have arrived
  since the merge window. None of them are earth shattering in
  themselves but all useful for affected systems"

* tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: spi_register_controller(): free bus id on error paths
  spi: bcm63xx-hsspi: Really keep pll clk enabled
  spi: atmel-quadspi: fix possible MMIO window size overrun
  spi/zynqmp: remove entry that causes a cs glitch
  spi: pxa2xx: Add CS control clock quirk
  spi: spidev: Fix CS polarity if GPIO descriptors are used
  spi: qup: call spi_qup_pm_resume_runtime before suspending
  spi: spi-omap2-mcspi: Support probe deferral for DMA channels
  spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x
2020-03-06 14:50:16 -06:00
Miguel Ojeda 11a4a8f73b clang-format: Update with the latest for_each macro list
Re-run the shell fragment that generated the original list.

Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2020-03-06 21:50:05 +01:00
Linus Torvalds 43c63729c9 regulator: Fixes for v5.6
A couple of small fixes, one for a minor issue in the stm32-vrefbuf
 driver and a documentation fix in the Qualcomm code.

Merge tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "A couple of small fixes, one for a minor issue in the stm32-vrefbuf
  driver and a documentation fix in the Qualcomm code"

* tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
  regulator: qcom_spmi: Fix docs for PM8004
2020-03-06 14:48:30 -06:00
Linus Torvalds 08e39fcb92 hwmon fixes for v5.6-rc5
Fix an error return in the adt7462 driver, bad voltage limits
 reported by the xdpe12284 driver, and a broken documentation
 reference in the adm1177 driver documentation.

Merge tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:
 "Fix an error return in the adt7462 driver, bad voltage limits reported
  by the xdpe12284 driver, and a broken documentation reference in the
  adm1177 driver documentation"

* tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
  hwmon: (pmbus/xdpe12284) Add callback for vout limits conversion
  docs: adm1177: fix a broken reference
2020-03-06 14:47:06 -06:00
Linus Torvalds c20c4a084a arm64 fixes for -rc5
- Fix misreporting of ASID limit when KPTI is enabled
 
 - Fix busted NULL pointer checks for GICC structure in ACPI PMU code
 
 - Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "Here are another three arm64 fixes for 5.6, all pretty minor. Main
  thing is fixing a silly bug in the fsl_imx8_ddr PMU driver where we
  would zero the counters when disabling them.

   - Fix misreporting of ASID limit when KPTI is enabled

   - Fix busted NULL pointer checks for GICC structure in ACPI PMU code

   - Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: context: Fix ASID limit in boot messages
  drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
  drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
2020-03-06 14:35:47 -06:00
Zhang Xiaoxu 513dc792d6 vgacon: Fix a UAF in vgacon_invert_region
When syzkaller tests, there is a UAF:
  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
    ffff880000100000
  Read of size 2 by task syz-executor.1/16489
  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
  index:0x0
  page flags: 0xfffff00000000()
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
  Call Trace:
    [<ffffffffb119f309>] dump_stack+0x1e/0x20
    [<ffffffffb04af957>] kasan_report+0x577/0x950
    [<ffffffffb04ae652>] __asan_load2+0x62/0x80
    [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
    [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
    [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
    [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
    [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
    [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
    [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
    [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
    [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
    Memory state around the buggy address:
     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00
     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00
    >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff

It can be reproduced in the Linux mainline by the program:
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/ioctl.h>
  #include <linux/vt.h>

  struct tiocl_selection {
    unsigned short xs;      /* X start */
    unsigned short ys;      /* Y start */
    unsigned short xe;      /* X end */
    unsigned short ye;      /* Y end */
    unsigned short sel_mode; /* selection mode */
  };

  #define TIOCL_SETSEL    2
  struct tiocl {
    unsigned char type;
    unsigned char pad;
    struct tiocl_selection sel;
  };

  int main()
  {
    int fd = 0;
    const char *dev = "/dev/char/4:1";

    struct vt_consize v = {0};
    struct tiocl tioc = {0};

    fd = open(dev, O_RDWR, 0);

    v.v_rows = 3346;
    ioctl(fd, VT_RESIZEX, &v);

    tioc.type = TIOCL_SETSEL;
    ioctl(fd, TIOCLINUX, &tioc);

    return 0;
  }

When resizing the screen, 'vc->vc_size_row' is updated to the new_row_size,
but on 'set_origin' in 'vgacon_set_origin', vgacon uses 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It may be
smaller than 'vc_screenbuf'. On TIOCLINUX, the new_row_size is used to
calculate the offset, which may be larger than the vga_vram_size in the
vgacon driver, resulting in a bad access.
Also, if a larger screenbuf is set first and then an even larger
screenbuf is set, a bad access may happen when copying old_origin to
new_origin.

So, if the screen size is larger than vga_vram, resizing the screen should
fail. This also fixes CVE-2020-8649 and CVE-2020-8647.

Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:

	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
		return -EINVAL;

Fixes: 0aec4867dc ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
2020-03-06 21:06:34 +01:00
Ulf Hansson d2334a91a3 dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states
The hierarchical topology with power-domain should be described through
child nodes, rather than as currently described in the PSCI root node. Fix
this by adding a patternProperties with a corresponding reference to the
power-domain DT binding.

Additionally, update the example to conform to the new pattern, but also to
the adjusted domain-idle-state DT binding.

Fixes: a3f048b542 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[robh: Add missing allOf, tweak power-domain node name]
Signed-off-by: Rob Herring <robh@kernel.org>
2020-03-06 12:12:21 -06:00
Ulf Hansson 14ee09a05e dt-bindings: power: Extend nodename pattern for power-domain providers
The existing binding requires the nodename to have a '@', which is a bit
limiting for the wider use case. Therefore, let's extend the pattern to
allow either '@' or '-'.

Fixes: a3f048b542 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[robh: drop example change]
Signed-off-by: Rob Herring <robh@kernel.org>
2020-03-06 12:12:20 -06:00
Jens Axboe c1e2148f8e io_uring: free fixed_file_data after RCU grace period
The percpu refcount protects this structure, and we can have an atomic
switch in progress when exiting. This makes it unsafe to just free the
struct normally, and can trigger the following KASAN warning:

BUG: KASAN: use-after-free in percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
Read of size 1 at addr ffff888181a19a30 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc4+ #5747
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack+0x76/0xa0
 print_address_description.constprop.0+0x3b/0x60
 ? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
 ? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
 __kasan_report.cold+0x1a/0x3d
 ? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
 percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
 rcu_core+0x370/0x830
 ? percpu_ref_exit+0x50/0x50
 ? rcu_note_context_switch+0x7b0/0x7b0
 ? run_rebalance_domains+0x11d/0x140
 __do_softirq+0x10a/0x3e9
 irq_exit+0xd5/0xe0
 smp_apic_timer_interrupt+0x86/0x200
 apic_timer_interrupt+0xf/0x20
 </IRQ>
RIP: 0010:default_idle+0x26/0x1f0

Fix this by punting the final exit and free of the struct to RCU, then
we know that it's safe to do so. Jann suggested the approach of using a
double rcu callback to achieve this. It's important that we do a nested
call_rcu() callback, as otherwise the free could be ordered before the
atomic switch, even if the latter was already queued.

Reported-by: syzbot+e017e49c39ab484ac87a@syzkaller.appspotmail.com
Suggested-by: Jann Horn <jannh@google.com>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-06 10:15:21 -07:00
Pablo Neira Ayuso 6a42cefb25 netfilter: nft_chain_nat: inet family is missing module ownership
Set owner to THIS_MODULE, otherwise the nft_chain_nat module might be
removed while there are still inet/nat chains in place.

[  117.942096] BUG: unable to handle page fault for address: ffffffffa0d5e040
[  117.942101] #PF: supervisor read access in kernel mode
[  117.942103] #PF: error_code(0x0000) - not-present page
[  117.942106] PGD 200c067 P4D 200c067 PUD 200d063 PMD 3dc909067 PTE 0
[  117.942113] Oops: 0000 [#1] PREEMPT SMP PTI
[  117.942118] CPU: 3 PID: 27 Comm: kworker/3:0 Not tainted 5.6.0-rc3+ #348
[  117.942133] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
[  117.942145] RIP: 0010:nf_tables_chain_destroy.isra.0+0x94/0x15a [nf_tables]
[  117.942149] Code: f6 45 54 01 0f 84 d1 00 00 00 80 3b 05 74 44 48 8b 75 e8 48 c7 c7 72 be de a0 e8 56 e6 2d e0 48 8b 45 e8 48 c7 c7 7f be de a0 <48> 8b 30 e8 43 e6 2d e0 48 8b 45 e8 48 8b 40 10 48 85 c0 74 5b 8b
[  117.942152] RSP: 0018:ffffc9000015be10 EFLAGS: 00010292
[  117.942155] RAX: ffffffffa0d5e040 RBX: ffff88840be87fc2 RCX: 0000000000000007
[  117.942158] RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffffffffa0debe7f
[  117.942160] RBP: ffff888403b54b50 R08: 0000000000001482 R09: 0000000000000004
[  117.942162] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8883eda7e540
[  117.942164] R13: dead000000000122 R14: dead000000000100 R15: ffff888403b3db80
[  117.942167] FS:  0000000000000000(0000) GS:ffff88840e4c0000(0000) knlGS:0000000000000000
[  117.942169] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  117.942172] CR2: ffffffffa0d5e040 CR3: 00000003e4c52002 CR4: 00000000001606e0
[  117.942174] Call Trace:
[  117.942188]  nf_tables_trans_destroy_work.cold+0xd/0x12 [nf_tables]
[  117.942196]  process_one_work+0x1d6/0x3b0
[  117.942200]  worker_thread+0x45/0x3c0
[  117.942203]  ? process_one_work+0x3b0/0x3b0
[  117.942210]  kthread+0x112/0x130
[  117.942214]  ? kthread_create_worker_on_cpu+0x40/0x40
[  117.942221]  ret_from_fork+0x35/0x40

nf_tables_chain_destroy() crashes on module_put() because the module is
gone.

Fixes: d164385ec5 ("netfilter: nat: add inet family nat support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-03-06 18:00:43 +01:00
yangerkun 6d390e4b5d locks: fix a potential use-after-free problem when wakeup a waiter
'16306a61d3b7 ("fs/locks: always delete_block after waiting.")' added the
logic to check waiter->fl_blocker without blocked_lock_lock. And it will
trigger a UAF when we try to wake up some waiter:

Thread 1 has created a write flock a on a file, and now thread 2 tries to
unlock and delete flock a, and thread 3 tries to add flock b on the same file.

Thread2                         Thread3
                                flock syscall(create flock b)
                                ...flock_lock_inode_wait
                                    flock_lock_inode(will insert
                                    our fl_blocked_member list
                                    to flock a's fl_blocked_requests)
                                   sleep
flock syscall(unlock)
...flock_lock_inode_wait
    locks_delete_lock_ctx
    ...__locks_wake_up_blocks
        __locks_delete_blocks(
        b->fl_blocker = NULL)
        ...
                                   break by a signal
                                   locks_delete_block
                                    b->fl_blocker == NULL &&
                                    list_empty(&b->fl_blocked_requests)
                                    success, return directly
                                 locks_free_lock b
        wake_up(&b->fl_waiter)
        trigger UAF

Fix it by removing this logic, and this patch may also fix CVE-2019-19769.

Cc: stable@vger.kernel.org
Fixes: 16306a61d3 ("fs/locks: always delete_block after waiting.")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
2020-03-06 11:54:13 -05:00
Carlo Nonato 14afc59361 block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
The bfq_find_set_group() function takes as input a blkcg (which represents
a cgroup) and retrieves the corresponding bfq_group, then it updates the
bfq internal group hierarchy (see comments inside the function for why
this is needed) and finally it returns the bfq_group.
In the hierarchy update cycle, the pointer holding the correct bfq_group
that has to be returned is mistakenly used to traverse the hierarchy
bottom to top, meaning that in each iteration it gets overwritten with the
parent of the current group. Since the update cycle stops at root's
children (depth = 2), the overwrite becomes a problem only if the blkcg
describes a cgroup at a hierarchy level deeper than that (depth > 2). In
this case the root's child that happens to be also an ancestor of the
correct bfq_group is returned. The main consequence is that processes
contained in a cgroup at depth greater than 2 are wrongly placed in the
group described above by BFQ.

This commit fixes this problem by using a different bfq_group pointer in
the update cycle in order to avoid the overwrite of the variable holding
the original group reference.

Reported-by: Kwon Je Oh <kwonje.oh2@gmail.com>
Signed-off-by: Carlo Nonato <carlo.nonato95@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-06 07:00:58 -07:00
Linus Torvalds aeb542a1b5 Merge branch 'akpm' (patches from Andrew)
Merge misc fixes from Andrew Morton:
 "7 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  arch/Kconfig: update HAVE_RELIABLE_STACKTRACE description
  mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
  mm/z3fold.c: do not include rwlock.h directly
  fat: fix uninit-memory access for partial initialized inode
  mm: avoid data corruption on CoW fault into PFN-mapped VMA
  mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
  mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
2020-03-06 07:18:36 -06:00
Michael Walle 2b2e71fe65 tty: serial: fsl_lpuart: free IDs allocated by IDA
Since commit 3bc3206e1c ("serial: fsl_lpuart: Remove the alias node
dependence") the port line number can also be allocated by IDA, but in
case of an error the ID will not be removed again. More importantly, any
ID will be freed in remove(), even if it wasn't allocated but instead
fetched by of_alias_get_id(). If it was not allocated by IDA there will
be a warning:
  WARN(1, "ida_free called for id=%d which is not allocated.\n", id);

Move the ID allocation more to the end of the probe() so that we still
can use plain return in the first error cases.

Fixes: 3bc3206e1c ("serial: fsl_lpuart: Remove the alias node dependence")
Signed-off-by: Michael Walle <michael@walle.cc>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200303174306.6015-3-michael@walle.cc
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-03-06 14:10:44 +01:00
Michael Walle 0e28ed6c9d Revert "tty: serial: fsl_lpuart: drop EARLYCON_DECLARE"
This reverts commit a659652f61.

This broke the earlycon on LS1021A processors because the order of the
earlycon_setup() functions was changed. Before the commit the normal
lpuart32_early_console_setup() was called. After the commit the
lpuart32_imx_early_console_setup() is called instead.

Fixes: a659652f61 ("tty: serial: fsl_lpuart: drop EARLYCON_DECLARE")
Signed-off-by: Michael Walle <michael@walle.cc>
Link: https://lore.kernel.org/r/20200303174306.6015-2-michael@walle.cc
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-03-06 14:10:44 +01:00
Ronald Tschalär 35d4670aae serdev: Fix detection of UART devices on Apple machines.
On Apple devices the _CRS method returns an empty resource template, and
the resource settings are instead provided by the _DSM method. But
commit 33364d63c7 (serdev: Add ACPI
devices by ResourceSource field) changed the search for serdev devices
to require a valid, non-empty resource template, thereby breaking Apple
devices and causing bluetooth devices to not be found.

This expands the check so that if we don't find a valid template, and
we're on an Apple machine, then just check for the device being an
immediate child of the controller and having a "baud" property.

Cc: <stable@vger.kernel.org> # 5.5
Fixes: 33364d63c7 ("serdev: Add ACPI devices by ResourceSource field")
Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
Link: https://lore.kernel.org/r/20200211194723.486217-1-ronald@innovation.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-03-06 14:10:44 +01:00
Miroslav Benes 140d7e88bb arch/Kconfig: update HAVE_RELIABLE_STACKTRACE description
save_stack_trace_tsk_reliable() is not the only function providing the
reliable stack traces anymore.  Architecture might define ARCH_STACKWALK
which provides a newer stack walking interface and has
arch_stack_walk_reliable() function.  Update the description accordingly.

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Link: http://lkml.kernel.org/r/20200120154042.9934-1-mbenes@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-03-06 07:06:09 -06:00
Vlastimil Babka c87cbc1f00 mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
Commit cd02cf1ace ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
fixed memory hotplug with debug_pagealloc enabled, where onlining a page
goes through page freeing, which removes the direct mapping.  Some arches
don't like when the page is not mapped in the first place, so
generic_online_page() maps it first.  This is somewhat wasteful, but
better than special casing page freeing fast paths.

The commit however missed that DEBUG_PAGEALLOC configured doesn't mean
it's actually enabled.  One has to test debug_pagealloc_enabled() since
031bc5743f ("mm/debug-pagealloc: make debug-pagealloc boottime
configurable"), or alternatively debug_pagealloc_enabled_static() since
8e57f8acbb ("mm, debug_pagealloc: don't rely on static keys too early"),
but this is not done.

As a result, a s390 kernel with DEBUG_PAGEALLOC configured but not enabled
will crash:

Unable to handle kernel pointer dereference in virtual kernel address space
Failing address: 0000000000000000 TEID: 0000000000000483
Fault in home space mode while using kernel ASCE.
AS:0000001ece13400b R2:000003fff7fd000b R3:000003fff7fcc007 S:000003fff7fd7000 P:000000000000013d
Oops: 0004 ilc:2 [#1] SMP
CPU: 1 PID: 26015 Comm: chmem Kdump: loaded Tainted: GX 5.3.18-5-default #1 SLE15-SP2 (unreleased)
Krnl PSW : 0704e00180000000 0000001ecd281b9e (__kernel_map_pages+0x166/0x188)
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 0000000000000800 0000400b00000000 0000000000000100
0000000000000001 0000000000000000 0000000000000002 0000000000000100
0000001ece139230 0000001ecdd98d40 0000400b00000100 0000000000000000
000003ffa17e4000 001fffe0114f7d08 0000001ecd4d93ea 001fffe0114f7b20
Krnl Code: 0000001ecd281b8e: ec17ffff00d8 ahik %r1,%r7,-1
0000001ecd281b94: ec111dbc0355 risbg %r1,%r1,29,188,3
>0000001ecd281b9e: 94fb5006 ni 6(%r5),251
0000001ecd281ba2: 41505008 la %r5,8(%r5)
0000001ecd281ba6: ec51fffc6064 cgrj %r5,%r1,6,1ecd281b9e
0000001ecd281bac: 1a07 ar %r0,%r7
0000001ecd281bae: ec03ff584076 crj %r0,%r3,4,1ecd281a5e
Call Trace:
[<0000001ecd281b9e>] __kernel_map_pages+0x166/0x188
[<0000001ecd4d9516>] online_pages_range+0xf6/0x128
[<0000001ecd2a8186>] walk_system_ram_range+0x7e/0xd8
[<0000001ecda28aae>] online_pages+0x2fe/0x3f0
[<0000001ecd7d02a6>] memory_subsys_online+0x8e/0xc0
[<0000001ecd7add42>] device_online+0x5a/0xc8
[<0000001ecd7d0430>] state_store+0x88/0x118
[<0000001ecd5b9f62>] kernfs_fop_write+0xc2/0x200
[<0000001ecd5064b6>] vfs_write+0x176/0x1e0
[<0000001ecd50676a>] ksys_write+0xa2/0x100
[<0000001ecda315d4>] system_call+0xd8/0x2c8

Fix this by checking debug_pagealloc_enabled_static() before calling
kernel_map_pages(). Backports for kernel before 5.5 should use
debug_pagealloc_enabled() instead. Also add comments.

Fixes: cd02cf1ace ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
Reported-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: <stable@vger.kernel.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Qian Cai <cai@lca.pw>
Link: http://lkml.kernel.org/r/20200224094651.18257-1-vbabka@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-03-06 07:06:09 -06:00
Sebastian Andrzej Siewior a8198fedd9 mm/z3fold.c: do not include rwlock.h directly
rwlock.h should not be included directly. Instead linux/spinlock.h
should be included. One thing it does is to break the RT build.

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Vitaly Wool <vitaly.wool@konsulko.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20200224133631.1510569-1-bigeasy@linutronix.de
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-03-06 07:06:09 -06:00
OGAWA Hirofumi bc87302a09 fat: fix uninit-memory access for partial initialized inode
When we get an error in the middle of reading an inode, some fields in the
inode might still not be initialized.  And then the evict_inode path may
access those fields via iput().

To fix, this makes sure that inode fields are initialized.

Reported-by: syzbot+9d82b8de2992579da5d0@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/871rqnreqx.fsf@mail.parknet.co.jp
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-03-06 07:06:09 -06:00
Kirill A. Shutemov c3e5ea6ee5 mm: avoid data corruption on CoW fault into PFN-mapped VMA
Jeff Moyer has reported that one of xfstests triggers a warning when run
on DAX-enabled filesystem:

	WARNING: CPU: 76 PID: 51024 at mm/memory.c:2317 wp_page_copy+0xc40/0xd50
	...
	wp_page_copy+0x98c/0xd50 (unreliable)
	do_wp_page+0xd8/0xad0
	__handle_mm_fault+0x748/0x1b90
	handle_mm_fault+0x120/0x1f0
	__do_page_fault+0x240/0xd70
	do_page_fault+0x38/0xd0
	handle_page_fault+0x10/0x30

The warning happens on failed __copy_from_user_inatomic() which tries to
copy data into a CoW page.

This happens because of race between MADV_DONTNEED and CoW page fault:

	CPU0					CPU1
 handle_mm_fault()
   do_wp_page()
     wp_page_copy()
       do_wp_page()
					madvise(MADV_DONTNEED)
					  zap_page_range()
					    zap_pte_range()
					      ptep_get_and_clear_full()
					      <TLB flush>
	 __copy_from_user_inatomic()
	 sees empty PTE and fails
	 WARN_ON_ONCE(1)
	 clear_page()

The solution is to re-try __copy_from_user_inatomic() under PTL after
checking that PTE matches the orig_pte.

The second copy attempt can still fail, like due to non-readable PTE, but
there's nothing reasonable we can do about it, except clearing the CoW page.

Reported-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Tested-by: Jeff Moyer <jmoyer@redhat.com>
Cc: <stable@vger.kernel.org>
Cc: Justin He <Justin.He@arm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Link: http://lkml.kernel.org/r/20200218154151.13349-1-kirill.shutemov@linux.intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-03-06 07:06:09 -06:00