Commit Graph

1653 Commits

Author SHA1 Message Date
96838d7d99 Add shortcut-fe module 2022-12-02 08:20:41 +00:00
143eeb9a8f Merge 4.19.220 into android-4.19-stable
Changes in 4.19.220
	shm: extend forced shm destroy to support objects from several IPC nses
	NFSv42: Fix pagecache invalidation after COPY/CLONE
	of: clk: Make <linux/of_clk.h> self-contained
	gfs2: Fix length of holes reported at end-of-file
	atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
	net: return correct error code
	platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
	s390/setup: avoid using memblock_enforce_memory_limit
	btrfs: check-integrity: fix a warning on write caching disabled disk
	thermal: core: Reset previous low and high trip during thermal zone init
	scsi: iscsi: Unblock session then wake up error handler
	ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile
	ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
	net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound
	net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
	perf hist: Fix memory leak of a perf_hpp_fmt
	vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
	kprobes: Limit max data_size of the kretprobe instances
	ipmi: Move remove_work to dedicated workqueue
	sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
	sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
	fs: add fget_many() and fput_many()
	fget: check that the fd still exists after getting a ref to it
	i2c: stm32f7: recover the bus on access timeout
	i2c: stm32f7: stop dma transfer in case of NACK
	natsemi: xtensa: fix section mismatch warnings
	net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
	net: mpls: Fix notifications when deleting a device
	siphash: use _unaligned version by default
	net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
	rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
	net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available
	net: annotate data-races on txq->xmit_lock_owner
	net/rds: correct socket tunable error in rds_tcp_tune()
	net/smc: Keep smc_close_final rc during active close
	drm/msm: Do hw_init() before capturing GPU state
	parisc: Fix KBUILD_IMAGE for self-extracting kernel
	parisc: Fix "make install" on newer debian releases
	vgacon: Propagate console boot parameters before calling `vc_resize'
	xhci: Fix commad ring abort, write all 64 bits to CRCR register.
	USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub
	usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
	x86/64/mm: Map all kernel memory into trampoline_pgd
	tty: serial: msm_serial: Deactivate RX DMA for polling support
	serial: pl011: Add ACPI SBSA UART match id
	serial: core: fix transmit-buffer reset and memleak
	parisc: Mark cr16 CPU clocksource unstable on all SMP machines
	ipmi: msghandler: Make symbol 'remove_work_wq' static
	Linux 4.19.220

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie45b16f07f333542a48d2ebdf780ea4170f9741e
2021-12-08 09:06:55 +01:00
2fd949365f net: annotate data-races on txq->xmit_lock_owner
commit 7a10d8c810cfad3e79372d7d1c77899d86cd6662 upstream.

syzbot found that __dev_queue_xmit() is reading txq->xmit_lock_owner
without annotations.

No serious issue there, let's document what is happening there.

BUG: KCSAN: data-race in __dev_queue_xmit / __dev_queue_xmit

write to 0xffff888139d09484 of 4 bytes by interrupt on cpu 0:
 __netif_tx_unlock include/linux/netdevice.h:4437 [inline]
 __dev_queue_xmit+0x948/0xf70 net/core/dev.c:4229
 dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265
 macvlan_queue_xmit drivers/net/macvlan.c:543 [inline]
 macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567
 __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
 netdev_start_xmit include/linux/netdevice.h:5001 [inline]
 xmit_one+0x105/0x2f0 net/core/dev.c:3590
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606
 sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342
 __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817
 __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194
 dev_queue_xmit+0x13/0x20 net/core/dev.c:4259
 neigh_hh_output include/net/neighbour.h:511 [inline]
 neigh_output include/net/neighbour.h:525 [inline]
 ip6_finish_output2+0x995/0xbb0 net/ipv6/ip6_output.c:126
 __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
 ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702
 addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898
 call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421
 expire_timers+0x116/0x240 kernel/time/timer.c:1466
 __run_timers+0x368/0x410 kernel/time/timer.c:1734
 run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747
 __do_softirq+0x158/0x2de kernel/softirq.c:558
 __irq_exit_rcu kernel/softirq.c:636 [inline]
 irq_exit_rcu+0x37/0x70 kernel/softirq.c:648
 sysvec_apic_timer_interrupt+0x3e/0xb0 arch/x86/kernel/apic/apic.c:1097
 asm_sysvec_apic_timer_interrupt+0x12/0x20

read to 0xffff888139d09484 of 4 bytes by interrupt on cpu 1:
 __dev_queue_xmit+0x5e3/0xf70 net/core/dev.c:4213
 dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265
 macvlan_queue_xmit drivers/net/macvlan.c:543 [inline]
 macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567
 __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
 netdev_start_xmit include/linux/netdevice.h:5001 [inline]
 xmit_one+0x105/0x2f0 net/core/dev.c:3590
 dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606
 sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342
 __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817
 __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194
 dev_queue_xmit+0x13/0x20 net/core/dev.c:4259
 neigh_resolve_output+0x3db/0x410 net/core/neighbour.c:1523
 neigh_output include/net/neighbour.h:527 [inline]
 ip6_finish_output2+0x9be/0xbb0 net/ipv6/ip6_output.c:126
 __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
 ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702
 addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898
 call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421
 expire_timers+0x116/0x240 kernel/time/timer.c:1466
 __run_timers+0x368/0x410 kernel/time/timer.c:1734
 run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747
 __do_softirq+0x158/0x2de kernel/softirq.c:558
 __irq_exit_rcu kernel/softirq.c:636 [inline]
 irq_exit_rcu+0x37/0x70 kernel/softirq.c:648
 sysvec_apic_timer_interrupt+0x8d/0xb0 arch/x86/kernel/apic/apic.c:1097
 asm_sysvec_apic_timer_interrupt+0x12/0x20
 kcsan_setup_watchpoint+0x94/0x420 kernel/kcsan/core.c:443
 folio_test_anon include/linux/page-flags.h:581 [inline]
 PageAnon include/linux/page-flags.h:586 [inline]
 zap_pte_range+0x5ac/0x10e0 mm/memory.c:1347
 zap_pmd_range mm/memory.c:1467 [inline]
 zap_pud_range mm/memory.c:1496 [inline]
 zap_p4d_range mm/memory.c:1517 [inline]
 unmap_page_range+0x2dc/0x3d0 mm/memory.c:1538
 unmap_single_vma+0x157/0x210 mm/memory.c:1583
 unmap_vmas+0xd0/0x180 mm/memory.c:1615
 exit_mmap+0x23d/0x470 mm/mmap.c:3170
 __mmput+0x27/0x1b0 kernel/fork.c:1113
 mmput+0x3d/0x50 kernel/fork.c:1134
 exit_mm+0xdb/0x170 kernel/exit.c:507
 do_exit+0x608/0x17a0 kernel/exit.c:819
 do_group_exit+0xce/0x180 kernel/exit.c:929
 get_signal+0xfc3/0x1550 kernel/signal.c:2852
 arch_do_signal_or_restart+0x8c/0x2e0 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x113/0x190 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:300
 do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

value changed: 0x00000000 -> 0xffffffff

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 28712 Comm: syz-executor.0 Tainted: G        W         5.16.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20211130170155.2331929-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-08 08:50:14 +01:00
3bf28c82ae Revert "net: sched: update default qdisc visibility after Tx queue cnt changes"
This reverts commit aa90302e31 which is
commit 1e080f17750d1083e8a32f7b350584ae1cd7ff20 upstream.

It breaks the current kernel abi and is not necessary for Android
systems, so it can be safely reverted.

Bug: 161946584
Fixes: 31df731c8705 ("net: sched: update default qdisc visibility after Tx queue cnt changes")
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9844bcc7deae772026e0dc7b1265b39e392342ec
2021-11-30 13:21:10 +01:00
47e51a7a22 Merge 4.19.218 into android-4.19-stable
Changes in 4.19.218
	xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay
	binder: use euid from cred instead of using task
	binder: use cred instead of task for selinux checks
	Input: elantench - fix misreporting trackpoint coordinates
	Input: i8042 - Add quirk for Fujitsu Lifebook T725
	libata: fix read log timeout value
	ocfs2: fix data corruption on truncate
	mmc: dw_mmc: Dont wait for DRTO on Write RSP error
	parisc: Fix ptrace check on syscall return
	tpm: Check for integer overflow in tpm2_map_response_body()
	firmware/psci: fix application of sizeof to pointer
	crypto: s5p-sss - Add error handling in s5p_aes_probe()
	media: ite-cir: IR receiver stop working after receive overflow
	media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers
	ALSA: hda/realtek: Add quirk for Clevo PC70HS
	ALSA: ua101: fix division by zero at probe
	ALSA: 6fire: fix control and bulk message timeouts
	ALSA: line6: fix control and interrupt message timeouts
	ALSA: usb-audio: Add registration quirk for JBL Quantum 400
	ALSA: synth: missing check for possible NULL after the call to kstrdup
	ALSA: timer: Fix use-after-free problem
	ALSA: timer: Unconditionally unlink slave instances, too
	x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c
	x86/irq: Ensure PI wakeup handler is unregistered before module unload
	cavium: Return negative value when pci_alloc_irq_vectors() fails
	scsi: qla2xxx: Fix unmap of already freed sgl
	cavium: Fix return values of the probe function
	sfc: Don't use netif_info before net_device setup
	hyperv/vmbus: include linux/bitops.h
	mmc: winbond: don't build on M68K
	drm: panel-orientation-quirks: Add quirk for Aya Neo 2021
	bpf: Prevent increasing bpf_jit_limit above max
	xen/netfront: stop tx queues during live migration
	spi: spl022: fix Microwire full duplex mode
	watchdog: Fix OMAP watchdog early handling
	vmxnet3: do not stop tx queues after netif_device_detach()
	btrfs: clear MISSING device status bit in btrfs_close_one_device
	btrfs: fix lost error handling when replaying directory deletes
	btrfs: call btrfs_check_rw_degradable only if there is a missing device
	ia64: kprobes: Fix to pass correct trampoline address to the handler
	hwmon: (pmbus/lm25066) Add offset coefficients
	regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled
	regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property
	EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell
	mwifiex: fix division by zero in fw download path
	ath6kl: fix division by zero in send path
	ath6kl: fix control-message timeout
	ath10k: fix control-message timeout
	ath10k: fix division by zero in send path
	PCI: Mark Atheros QCA6174 to avoid bus reset
	rtl8187: fix control-message timeouts
	evm: mark evm_fixmode as __ro_after_init
	wcn36xx: Fix HT40 capability for 2Ghz band
	mwifiex: Read a PCI register after writing the TX ring write pointer
	libata: fix checking of DMA state
	wcn36xx: handle connection loss indication
	rsi: fix occasional initialisation failure with BT coex
	rsi: fix key enabled check causing unwanted encryption for vap_id > 0
	rsi: fix rate mask set leading to P2P failure
	rsi: Fix module dev_oper_mode parameter description
	RDMA/qedr: Fix NULL deref for query_qp on the GSI QP
	signal: Remove the bogus sigkill_pending in ptrace_stop
	signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT
	power: supply: max17042_battery: Prevent int underflow in set_soc_threshold
	power: supply: max17042_battery: use VFSOC for capacity when no rsns
	powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found
	serial: core: Fix initializing and restoring termios speed
	ALSA: mixer: oss: Fix racy access to slots
	ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
	xen/balloon: add late_initcall_sync() for initial ballooning done
	PCI: aardvark: Do not clear status bits of masked interrupts
	PCI: aardvark: Do not unmask unused interrupts
	PCI: aardvark: Fix return value of MSI domain .alloc() method
	PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
	quota: check block number when reading the block in quota file
	quota: correct error number in free_dqentry()
	pinctrl: core: fix possible memory leak in pinctrl_enable()
	iio: dac: ad5446: Fix ad5622_write() return value
	USB: serial: keyspan: fix memleak on probe errors
	USB: iowarrior: fix control-message timeouts
	drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1
	Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
	Bluetooth: fix use-after-free error in lock_sock_nested()
	platform/x86: wmi: do not fail if disabling fails
	MIPS: lantiq: dma: add small delay after reset
	MIPS: lantiq: dma: reset correct number of channel
	locking/lockdep: Avoid RCU-induced noinstr fail
	net: sched: update default qdisc visibility after Tx queue cnt changes
	smackfs: Fix use-after-free in netlbl_catmap_walk()
	x86: Increase exception stack sizes
	mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type
	mwifiex: Properly initialize private structure on interface type changes
	media: mt9p031: Fix corrupted frame after restarting stream
	media: netup_unidvb: handle interrupt properly according to the firmware
	media: uvcvideo: Set capability in s_param
	media: uvcvideo: Return -EIO for control errors
	media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe()
	media: s5p-mfc: Add checking to s5p_mfc_probe().
	media: mceusb: return without resubmitting URB in case of -EPROTO error.
	ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
	media: rcar-csi2: Add checking to rcsi2_start_receiver()
	ACPICA: Avoid evaluating methods too early during system resume
	media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte()
	tracefs: Have tracefs directories not set OTH permission bits by default
	ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create()
	ACPI: battery: Accept charges over the design capacity as full
	leaking_addresses: Always print a trailing newline
	memstick: r592: Fix a UAF bug when removing the driver
	lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression
	lib/xz: Validate the value before assigning it to an enum variable
	workqueue: make sysfs of unbound kworker cpumask more clever
	tracing/cfi: Fix cmp_entries_* functions signature mismatch
	mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
	PM: hibernate: Get block device exclusively in swsusp_check()
	iwlwifi: mvm: disable RX-diversity in powersave
	smackfs: use __GFP_NOFAIL for smk_cipso_doi()
	ARM: clang: Do not rely on lr register for stacktrace
	gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE
	ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
	spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe()
	x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted
	parisc: fix warning in flush_tlb_all
	task_stack: Fix end_of_stack() for architectures with upwards-growing stack
	parisc/unwind: fix unwinder when CONFIG_64BIT is enabled
	parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling
	Bluetooth: fix init and cleanup of sco_conn.timeout_work
	cgroup: Make rebind_subsystems() disable v2 controllers all at once
	net: dsa: rtl8366rb: Fix off-by-one bug
	drm/amdgpu: fix warning for overflow check
	media: em28xx: add missing em28xx_close_extension
	media: dvb-usb: fix ununit-value in az6027_rc_query
	media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()'
	media: si470x: Avoid card name truncation
	media: cx23885: Fix snd_card_free call on null card pointer
	cpuidle: Fix kobject memory leaks in error paths
	media: em28xx: Don't use ops->suspend if it is NULL
	ath9k: Fix potential interrupt storm on queue reset
	media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable()
	crypto: qat - detect PFVF collision after ACK
	crypto: qat - disregard spurious PFVF interrupts
	hwrng: mtk - Force runtime pm ops for sleep ops
	b43legacy: fix a lower bounds test
	b43: fix a lower bounds test
	mmc: sdhci-omap: Fix NULL pointer exception if regulator is not configured
	memstick: avoid out-of-range warning
	memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host()
	hwmon: Fix possible memleak in __hwmon_device_register()
	hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff
	ath10k: fix max antenna gain unit
	drm/msm: uninitialized variable in msm_gem_import()
	net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
	mmc: mxs-mmc: disable regulator on error and in the remove function
	platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
	rsi: stop thread firstly in rsi_91x_init() error handling
	mwifiex: Send DELBA requests according to spec
	phy: micrel: ksz8041nl: do not use power down mode
	nvme-rdma: fix error code in nvme_rdma_setup_ctrl
	PM: hibernate: fix sparse warnings
	clocksource/drivers/timer-ti-dm: Select TIMER_OF
	drm/msm: Fix potential NULL dereference in DPU SSPP
	smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
	s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()
	irq: mips: avoid nested irq_enter()
	tcp: don't free a FIN sk_buff in tcp_remove_empty_skb()
	samples/kretprobes: Fix return value if register_kretprobe() failed
	KVM: s390: Fix handle_sske page fault handling
	libertas_tf: Fix possible memory leak in probe and disconnect
	libertas: Fix possible memory leak in probe and disconnect
	wcn36xx: add proper DMA memory barriers in rx path
	net: amd-xgbe: Toggle PLL settings during rate change
	net: phylink: avoid mvneta warning when setting pause parameters
	crypto: pcrypt - Delay write to padata->info
	selftests/bpf: Fix fclose/pclose mismatch in test_progs
	ibmvnic: Process crqs after enabling interrupts
	RDMA/rxe: Fix wrong port_cap_flags
	ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
	arm64: dts: rockchip: Fix GPU register width for RK3328
	RDMA/bnxt_re: Fix query SRQ failure
	ARM: dts: at91: tse850: the emac<->phy interface is rmii
	scsi: dc395: Fix error case unwinding
	MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
	JFS: fix memleak in jfs_mount
	ALSA: hda: Reduce udelay() at SKL+ position reporting
	arm: dts: omap3-gta04a4: accelerometer irq fix
	soc/tegra: Fix an error handling path in tegra_powergate_power_up()
	memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
	video: fbdev: chipsfb: use memset_io() instead of memset()
	serial: 8250_dw: Drop wrong use of ACPI_PTR()
	usb: gadget: hid: fix error code in do_config()
	power: supply: rt5033_battery: Change voltage values to µV
	scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
	RDMA/mlx4: Return missed an error if device doesn't support steering
	ASoC: cs42l42: Correct some register default values
	ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER
	phy: qcom-qusb2: Fix a memory leak on probe
	serial: xilinx_uartps: Fix race condition causing stuck TX
	mips: cm: Convert to bitfield API to fix out-of-bounds access
	power: supply: bq27xxx: Fix kernel crash on IRQ handler register error
	apparmor: fix error check
	rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined
	pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
	drm/plane-helper: fix uninitialized variable reference
	PCI: aardvark: Don't spam about PIO Response Status
	NFS: Fix deadlocks in nfs_scan_commit_list()
	fs: orangefs: fix error return code of orangefs_revalidate_lookup()
	mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
	dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro
	auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
	auxdisplay: ht16k33: Connect backlight to fbdev
	auxdisplay: ht16k33: Fix frame buffer device blanking
	netfilter: nfnetlink_queue: fix OOB when mac header was cleared
	dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result`
	m68k: set a default value for MEMORY_RESERVE
	watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
	ar7: fix kernel builds for compiler test
	scsi: qla2xxx: Fix gnl list corruption
	scsi: qla2xxx: Turn off target reset during issue_lip
	i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()'
	xen-pciback: Fix return in pm_ctrl_init()
	net: davinci_emac: Fix interrupt pacing disable
	ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses
	bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
	mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration()
	zram: off by one in read_block_state()
	llc: fix out-of-bound array index in llc_sk_dev_hash()
	nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
	arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
	vsock: prevent unnecessary refcnt inc for nonblocking connect
	cxgb4: fix eeprom len when diagnostics not implemented
	USB: chipidea: fix interrupt deadlock
	ARM: 9155/1: fix early early_iounmap()
	ARM: 9156/1: drop cc-option fallbacks for architecture selection
	f2fs: should use GFP_NOFS for directory inodes
	9p/net: fix missing error check in p9_check_errors
	powerpc/lib: Add helper to check if offset is within conditional branch range
	powerpc/bpf: Validate branch ranges
	powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
	powerpc/security: Add a helper to query stf_barrier type
	powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
	mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks
	mm, oom: do not trigger out_of_memory from the #PF
	backlight: gpio-backlight: Correct initial power state handling
	video: backlight: Drop maximum brightness override for brightness zero
	s390/cio: check the subchannel validity for dev_busid
	s390/tape: fix timer initialization in tape_std_assign()
	PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros
	fuse: truncate pagecache on atomic_o_trunc
	x86/cpu: Fix migration safety with X86_BUG_NULL_SEL
	ext4: fix lazy initialization next schedule time computation in more granular unit
	fortify: Explicitly disable Clang support
	parisc/entry: fix trace test in syscall exit path
	PCI/MSI: Destroy sysfs before freeing entries
	PCI/MSI: Deal with devices lying about their MSI mask capability
	PCI: Add MSI masking quirk for Nvidia ION AHCI
	erofs: remove the occupied parameter from z_erofs_pagevec_enqueue()
	erofs: fix unsafe pagevec reuse of hooked pclusters
	arm64: zynqmp: Do not duplicate flash partition label property
	arm64: zynqmp: Fix serial compatible string
	scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
	arm64: dts: hisilicon: fix arm,sp805 compatible string
	usb: musb: tusb6010: check return value after calling platform_get_resource()
	usb: typec: tipd: Remove WARN_ON in tps6598x_block_read
	arm64: dts: freescale: fix arm,sp805 compatible string
	ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect
	scsi: advansys: Fix kernel pointer leak
	firmware_loader: fix pre-allocated buf built-in firmware use
	ARM: dts: omap: fix gpmc,mux-add-data type
	usb: host: ohci-tmio: check return value after calling platform_get_resource()
	ALSA: ISA: not for M68K
	tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
	MIPS: sni: Fix the build
	scsi: target: Fix ordered tag handling
	scsi: target: Fix alua_tg_pt_gps_count tracking
	powerpc/5200: dts: fix memory node unit name
	ALSA: gus: fix null pointer dereference on pointer block
	powerpc/dcr: Use cmplwi instead of 3-argument cmpli
	sh: check return code of request_irq
	maple: fix wrong return value of maple_bus_init().
	f2fs: fix up f2fs_lookup tracepoints
	sh: fix kconfig unmet dependency warning for FRAME_POINTER
	sh: define __BIG_ENDIAN for math-emu
	mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set
	sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain()
	drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame
	net: bnx2x: fix variable dereferenced before check
	iavf: check for null in iavf_fix_features
	iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset
	MIPS: generic/yamon-dt: fix uninitialized variable error
	mips: bcm63xx: add support for clk_get_parent()
	mips: lantiq: add support for clk_get_parent()
	platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'
	net: virtio_net_hdr_to_skb: count transport header in UFO
	i40e: Fix correct max_pkt_size on VF RX queue
	i40e: Fix NULL ptr dereference on VSI filter sync
	i40e: Fix changing previously set num_queue_pairs for PFs
	i40e: Fix display error code in dmesg
	NFC: reorganize the functions in nci_request
	NFC: reorder the logic in nfc_{un,}register_device
	perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server
	perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server
	tun: fix bonding active backup with arp monitoring
	hexagon: export raw I/O routines for modules
	ipc: WARN if trying to remove ipc object which is absent
	mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
	x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
	udf: Fix crash after seekdir
	btrfs: fix memory ordering between normal and ordered work functions
	parisc/sticon: fix reverse colors
	cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
	drm/udl: fix control-message timeout
	drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors
	perf/core: Avoid put_page() when GUP fails
	batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN
	batman-adv: Consider fragmentation for needed_headroom
	batman-adv: Reserve needed_*room for fragments
	batman-adv: Don't always reallocate the fragmentation skb head
	RDMA/netlink: Add __maybe_unused to static inline in C file
	ASoC: DAPM: Cover regression by kctl change notification fix
	usb: max-3421: Use driver data instead of maintaining a list of bound devices
	soc/tegra: pmc: Fix imbalanced clock disabling in error code path
	Linux 4.19.218

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3f87fc92fe2a7a19ddddb522916f74dba7929583
2021-11-26 15:19:33 +01:00
aa90302e31 net: sched: update default qdisc visibility after Tx queue cnt changes
[ Upstream commit 1e080f17750d1083e8a32f7b350584ae1cd7ff20 ]

mq / mqprio make the default child qdiscs visible. They only do
so for the qdiscs which are within real_num_tx_queues when the
device is registered. Depending on order of calls in the driver,
or if user space changes config via ethtool -L the number of
qdiscs visible under tc qdisc show will differ from the number
of queues. This is confusing to users and potentially to system
configuration scripts which try to make sure qdiscs have the
right parameters.

Add a new Qdisc_ops callback and make relevant qdiscs TTRT.

Note that this uncovers the "shortcut" created by
commit 1f27cde313 ("net: sched: use pfifo_fast for non real queues")
The default child qdiscs beyond initial real_num_tx are always
pfifo_fast, no matter what the sysfs setting is. Fixing this
gets a little tricky because we'd need to keep a reference
on whatever the default qdisc was at the time of creation.
In practice this is likely an non-issue the qdiscs likely have
to be configured to non-default settings, so whatever user space
is doing such configuration can replace the pfifos... now that
it will see them.

Reported-by: Matthew Massey <matthewmassey@fb.com>
Reviewed-by: Dave Taht <dave.taht@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-26 11:36:04 +01:00
0afef62d52 Merge 4.19.215 into android-4.19-stable
Changes in 4.19.215
	ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
	ARM: 9134/1: remove duplicate memcpy() definition
	ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
	ARM: 9141/1: only warn about XIP address when not compile testing
	powerpc/bpf: Fix BPF_MOD when imm == 1
	arm64: Avoid premature usercopy failure
	ARM: 8819/1: Remove '-p' from LDFLAGS
	usbnet: sanity check for maxpacket
	usbnet: fix error return code in usbnet_probe()
	ata: sata_mv: Fix the error handling of mv_chip_id()
	nfc: port100: fix using -ERRNO as command type mask
	Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
	ipv4: use siphash instead of Jenkins in fnhe_hashfun()
	ipv6: use siphash in rt6_exception_hash()
	ipv6: make exception cache less predictible
	mmc: vub300: fix control-message timeouts
	mmc: cqhci: clear HALT state after CQE enable
	mmc: dw_mmc: exynos: fix the finding clock sample value
	mmc: sdhci: Map more voltage level to SDHCI_POWER_330
	mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit
	net: lan78xx: fix division by zero in send path
	RDMA/mlx5: Set user priority for DCT
	arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
	regmap: Fix possible double-free in regcache_rbtree_exit()
	net: batman-adv: fix error handling
	net: Prevent infinite while loop in skb_tx_hash()
	nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
	net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails
	net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent
	net: nxp: lpc_eth.c: avoid hang when bringing interface down
	sctp: use init_tag from inithdr for ABORT chunk
	sctp: fix the processing for COOKIE_ECHO chunk
	sctp: add vtag check in sctp_sf_violation
	sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
	sctp: add vtag check in sctp_sf_ootb
	Linux 4.19.215

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I31d72c412edc330fea8f80def686cb20f3af5731
2021-11-03 09:46:48 +01:00
02302cbd52 net: Prevent infinite while loop in skb_tx_hash()
commit 0c57eeecc559ca6bc18b8c4e2808bc78dbe769b0 upstream.

Drivers call netdev_set_num_tc() and then netdev_set_tc_queue()
to set the queue count and offset for each TC.  So the queue count
and offset for the TCs may be zero for a short period after dev->num_tc
has been set.  If a TX packet is being transmitted at this time in the
code path netdev_pick_tx() -> skb_tx_hash(), skb_tx_hash() may see
nonzero dev->num_tc but zero qcount for the TC.  The while loop that
keeps looping while hash >= qcount will not end.

Fix it by checking the TC's qcount to be nonzero before using it.

Fixes: eadec877ce ("net: Add support for subordinate traffic classes to netdev_pick_tx")
Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-02 18:26:45 +01:00
f758dd08c6 Merge 4.19.201 into android-4.19-stable
Changes in 4.19.201
	virtio_net: Do not pull payload in skb->head
	gro: ensure frag0 meets IP header alignment
	x86/asm: Ensure asm/proto.h can be included stand-alone
	btrfs: fix rw device counting in __btrfs_free_extra_devids
	x86/kvm: fix vcpu-id indexed array sizes
	ocfs2: fix zero out valid data
	ocfs2: issue zeroout to EOF blocks
	can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
	can: mcba_usb_start(): add missing urb->transfer_dma initialization
	can: usb_8dev: fix memory leak
	can: ems_usb: fix memory leak
	can: esd_usb2: fix memory leak
	NIU: fix incorrect error return, missed in previous revert
	nfc: nfcsim: fix use after free during module unload
	cfg80211: Fix possible memory leak in function cfg80211_bss_update
	netfilter: conntrack: adjust stop timestamp to real expiry value
	netfilter: nft_nat: allow to specify layer 4 protocol NAT only
	i40e: Fix logic of disabling queues
	i40e: Fix log TC creation failure when max num of queues is exceeded
	tipc: fix sleeping in tipc accept routine
	mlx4: Fix missing error code in mlx4_load_one()
	net: llc: fix skb_over_panic
	net/mlx5: Fix flow table chaining
	sctp: fix return value check in __sctp_rcv_asconf_lookup
	tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
	sis900: Fix missing pci_disable_device() in probe and remove
	can: hi311x: fix a signedness bug in hi3110_cmd()
	powerpc/pseries: Fix regression while building external modules
	Revert "perf map: Fix dso->nsinfo refcounting"
	i40e: Add additional info to PHY type error
	Linux 4.19.201

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I89f69eba9523274f96ea396a562f340b578d968c
2021-08-04 14:58:28 +02:00
d94d95ae0d gro: ensure frag0 meets IP header alignment
commit 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 upstream.

After commit 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
Guenter Roeck reported one failure in his tests using sh architecture.

After much debugging, we have been able to spot silent unaligned accesses
in inet_gro_receive()

The issue at hand is that upper networking stacks assume their header
is word-aligned. Low level drivers are supposed to reserve NET_IP_ALIGN
bytes before the Ethernet header to make that happen.

This patch hardens skb_gro_reset_offset() to not allow frag0 fast-path
if the fragment is not properly aligned.

Some arches like x86, arm64 and powerpc do not care and define NET_IP_ALIGN
as 0, this extra check will be a NOP for them.

Note that if frag0 is not used, GRO will call pskb_may_pull()
as many times as needed to pull network and transport headers.

Fixes: 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
Fixes: 78a478d0ef ("gro: Inline skb_gro_header and cache frag0 virtual address")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-08-04 12:23:44 +02:00
97fd50773c Merge 4.19.198 into android-4.19-stable
Changes in 4.19.198
	scsi: core: Retry I/O for Notify (Enable Spinup) Required error
	ALSA: usb-audio: fix rate on Ozone Z90 USB headset
	ALSA: usb-audio: Fix OOB access at proc output
	media: dvb-usb: fix wrong definition
	Input: usbtouchscreen - fix control-request directions
	net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
	usb: gadget: eem: fix echo command packet response issue
	USB: cdc-acm: blacklist Heimann USB Appset device
	usb: dwc3: Fix debugfs creation flow
	usb: typec: Add the missed altmode_id_remove() in typec_register_altmode()
	xhci: solve a double free problem while doing s4
	ntfs: fix validity check for file name attribute
	iov_iter_fault_in_readable() should do nothing in xarray case
	Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
	arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode
	ARM: dts: at91: sama5d4: fix pinctrl muxing
	btrfs: send: fix invalid path for unlink operations after parent orphanization
	btrfs: clear defrag status of a root if starting transaction fails
	ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle
	ext4: fix kernel infoleak via ext4_extent_header
	ext4: return error code when ext4_fill_flex_info() fails
	ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
	ext4: remove check for zero nr_to_scan in ext4_es_scan()
	ext4: fix avefreec in find_group_orlov
	ext4: use ext4_grp_locked_error in mb_find_extent
	can: bcm: delay release of struct bcm_op after synchronize_rcu()
	can: gw: synchronize rcu operations before removing gw job entry
	can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path
	SUNRPC: Fix the batch tasks count wraparound.
	SUNRPC: Should wake up the privileged task firstly.
	s390/cio: dont call css_wait_for_slow_path() inside a lock
	rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
	iio: light: tcs3472: do not free unallocated IRQ
	iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too
	iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
	iio: ltr501: ltr501_read_ps(): add missing endianness conversion
	serial: sh-sci: Stop dmaengine transfer in sci_stop_tx()
	serial_cs: Add Option International GSM-Ready 56K/ISDN modem
	serial_cs: remove wrong GLOBETROTTER.cis entry
	ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
	ssb: sdio: Don't overwrite const buffer if block_write fails
	rsi: Assign beacon rate settings to the correct rate_info descriptor field
	rsi: fix AP mode with WPA failure due to encrypted EAPOL
	tracing/histograms: Fix parsing of "sym-offset" modifier
	tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing
	seq_buf: Make trace_seq_putmem_hex() support data longer than 8
	powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()
	evm: Execute evm_inode_init_security() only when an HMAC key is loaded
	evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
	fuse: check connected before queueing on fpq->io
	spi: Make of_register_spi_device also set the fwnode
	spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'
	spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()
	spi: omap-100k: Fix the length judgment problem
	regulator: uniphier: Add missing MODULE_DEVICE_TABLE
	crypto: nx - add missing MODULE_DEVICE_TABLE
	media: cpia2: fix memory leak in cpia2_usb_probe
	media: cobalt: fix race condition in setting HPD
	media: pvrusb2: fix warning in pvr2_i2c_core_done
	crypto: qat - check return code of qat_hal_rd_rel_reg()
	crypto: qat - remove unused macro in FW loader
	sched/fair: Fix ascii art by relpacing tabs
	media: em28xx: Fix possible memory leak of em28xx struct
	media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
	media: bt8xx: Fix a missing check bug in bt878_probe
	media: st-hva: Fix potential NULL pointer dereferences
	media: dvd_usb: memory leak in cinergyt2_fe_attach
	mmc: via-sdmmc: add a check against NULL pointer dereference
	crypto: shash - avoid comparing pointers to exported functions under CFI
	media: dvb_net: avoid speculation from net slot
	media: siano: fix device register error path
	media: imx-csi: Skip first few frames from a BT.656 source
	btrfs: fix error handling in __btrfs_update_delayed_inode
	btrfs: abort transaction if we fail to update the delayed inode
	btrfs: disable build on platforms having page size 256K
	regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
	HID: do not use down_interruptible() when unbinding devices
	EDAC/ti: Add missing MODULE_DEVICE_TABLE
	ACPI: processor idle: Fix up C-state latency if not ordered
	hv_utils: Fix passing zero to 'PTR_ERR' warning
	lib: vsprintf: Fix handling of number field widths in vsscanf
	ACPI: EC: Make more Asus laptops use ECDT _GPE
	block_dump: remove block_dump feature in mark_inode_dirty()
	fs: dlm: cancel work sync othercon
	random32: Fix implicit truncation warning in prandom_seed_state()
	fs: dlm: fix memory leak when fenced
	ACPICA: Fix memory leak caused by _CID repair function
	ACPI: bus: Call kobject_put() in acpi_init() error path
	platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard()
	clocksource: Retry clock read if long delays detected
	ACPI: tables: Add custom DSDT file as makefile prerequisite
	HID: wacom: Correct base usage for capacitive ExpressKey status bits
	ia64: mca_drv: fix incorrect array size calculation
	media: s5p_cec: decrement usage count if disabled
	crypto: ixp4xx - dma_unmap the correct address
	crypto: ux500 - Fix error return code in hash_hw_final()
	sata_highbank: fix deferred probing
	pata_rb532_cf: fix deferred probing
	media: I2C: change 'RST' to "RSET" to fix multiple build errors
	pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
	evm: fix writing <securityfs>/evm overflow
	crypto: ccp - Fix a resource leak in an error handling path
	media: rc: i2c: Fix an error message
	pata_ep93xx: fix deferred probing
	media: exynos4-is: Fix a use after free in isp_video_release
	media: tc358743: Fix error return code in tc358743_probe_of()
	media: gspca/gl860: fix zero-length control requests
	media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()
	mmc: usdhi6rol0: fix error return code in usdhi6_probe()
	media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
	hwmon: (max31722) Remove non-standard ACPI device IDs
	hwmon: (max31790) Fix fan speed reporting for fan7..12
	btrfs: clear log tree recovering status if starting transaction fails
	spi: spi-sun6i: Fix chipselect/clock bug
	crypto: nx - Fix RCU warning in nx842_OF_upd_status
	ACPI: sysfs: Fix a buffer overrun problem with description_show()
	blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled()
	blk-wbt: make sure throttle is enabled properly
	ocfs2: fix snprintf() checking
	net: mvpp2: Put fwnode in error case during ->probe()
	net: pch_gbe: Propagate error from devm_gpio_request_one()
	drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in cdn_dp_grf_write()
	ehea: fix error return code in ehea_restart_qps()
	RDMA/rxe: Fix failure during driver load
	drm: qxl: ensure surf.data is ininitialized
	tools/bpftool: Fix error return code in do_batch()
	wireless: carl9170: fix LEDS build errors & warnings
	ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others
	wcn36xx: Move hal_buf allocation to devm_kmalloc in probe
	ssb: Fix error return code in ssb_bus_scan()
	brcmfmac: fix setting of station info chains bitmask
	brcmfmac: correctly report average RSSI in station info
	brcmsmac: mac80211_if: Fix a resource leak in an error handling path
	ath10k: Fix an error code in ath10k_add_interface()
	netlabel: Fix memory leak in netlbl_mgmt_add_common
	RDMA/mlx5: Don't add slave port to unaffiliated list
	netfilter: nft_exthdr: check for IPv6 packet before further processing
	netfilter: nft_osf: check for TCP packet before further processing
	netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
	RDMA/rxe: Fix qp reference counting for atomic ops
	samples/bpf: Fix the error return code of xdp_redirect's main()
	net: ethernet: aeroflex: fix UAF in greth_of_remove
	net: ethernet: ezchip: fix UAF in nps_enet_remove
	net: ethernet: ezchip: fix error handling
	pkt_sched: sch_qfq: fix qfq_change_class() error path
	vxlan: add missing rcu_read_lock() in neigh_reduce()
	net/ipv4: swap flow ports when validating source
	ieee802154: hwsim: Fix memory leak in hwsim_add_one
	ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl()
	mac80211: remove iwlwifi specific workaround NDPs of null_response
	net: bcmgenet: Fix attaching to PYH failed on RPi 4B
	ipv6: exthdrs: do not blindly use init_net
	bpf: Do not change gso_size during bpf_skb_change_proto()
	i40e: Fix error handling in i40e_vsi_open
	i40e: Fix autoneg disabling for non-10GBaseT links
	Revert "ibmvnic: remove duplicate napi_schedule call in open function"
	ibmvnic: free tx_pool if tso_pool alloc fails
	ipv6: fix out-of-bound access in ip6_parse_tlv()
	Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid
	Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event
	writeback: fix obtain a reference to a freeing memcg css
	net: lwtunnel: handle MTU calculation in forwading
	net: sched: fix warning in tcindex_alloc_perfect_hash
	RDMA/mlx5: Don't access NULL-cleared mpi pointer
	tty: nozomi: Fix a resource leak in an error handling function
	mwifiex: re-fix for unaligned accesses
	iio: adis_buffer: do not return ints in irq handlers
	iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: accel: bma220: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: accel: hid: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: accel: kxcjk-1013: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: adc: ti-ads1015: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: adc: vf610: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: gyro: bmg160: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: humidity: am2315: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: prox: srf08: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: prox: pulsed-light: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: prox: as3935: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: light: isl29125: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: light: tcs3414: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: light: tcs3472: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: potentiostat: lmp91000: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()
	ASoC: hisilicon: fix missing clk_disable_unprepare() on error in hi6210_i2s_startup()
	ASoC: rsnd: tidyup loop on rsnd_adg_clk_query()
	Input: hil_kbd - fix error return code in hil_dev_connect()
	char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol()
	tty: nozomi: Fix the error handling path of 'nozomi_card_init()'
	scsi: FlashPoint: Rename si_flags field
	fsi: core: Fix return of error values on failures
	fsi: scom: Reset the FSI2PIB engine for any error
	fsi/sbefifo: Clean up correct FIFO when receiving reset request from SBE
	fsi/sbefifo: Fix reset timeout
	visorbus: fix error return code in visorchipset_init()
	s390: appldata depends on PROC_SYSCTL
	eeprom: idt_89hpesx: Put fwnode in matching case during ->probe()
	eeprom: idt_89hpesx: Restore printing the unsupported fwnode name
	iio: adc: hx711: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: adc: mxs-lradc: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()
	staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()
	staging: gdm724x: check for overflow in gdm_lte_netif_rx()
	staging: mt7621-dts: fix pci address for PCI memory range
	serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates
	iio: prox: isl29501: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
	ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK
	of: Fix truncation of memory sizes on 32-bit platforms
	mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume()
	scsi: mpt3sas: Fix error return value in _scsih_expander_add()
	phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe()
	extcon: sm5502: Drop invalid register write in sm5502_reg_data
	extcon: max8997: Add missing modalias string
	ASoC: atmel-i2s: Fix usage of capture and playback at the same time
	configfs: fix memleak in configfs_release_bin_file
	leds: as3645a: Fix error return code in as3645a_parse_node()
	leds: ktd2692: Fix an error handling path
	powerpc: Offline CPU in stop_this_cpu()
	serial: mvebu-uart: correctly calculate minimal possible baudrate
	arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART
	vfio/pci: Handle concurrent vma faults
	mm/huge_memory.c: don't discard hugepage if other processes are mapping it
	selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random
	perf llvm: Return -ENOMEM when asprintf() fails
	mmc: block: Disable CMDQ on the ioctl path
	mmc: vub3000: fix control-request direction
	drm/mxsfb: Don't select DRM_KMS_FB_HELPER
	drm/zte: Don't select DRM_KMS_FB_HELPER
	drm/amd/amdgpu/sriov disable all ip hw status by default
	net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
	drm/amd/display: fix use_max_lb flag for 420 pixel formats
	hugetlb: clear huge pte during flush function on mips platform
	atm: iphase: fix possible use-after-free in ia_module_exit()
	mISDN: fix possible use-after-free in HFC_cleanup()
	atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
	net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
	reiserfs: add check for invalid 1st journal block
	drm/virtio: Fix double free on probe failure
	udf: Fix NULL pointer dereference in udf_symlink function
	e100: handle eeprom as little endian
	clk: renesas: r8a77995: Add ZA2 clock
	clk: tegra: Ensure that PLLU configuration is applied properly
	ipv6: use prandom_u32() for ID generation
	RDMA/cxgb4: Fix missing error code in create_qp()
	dm space maps: don't reset space map allocation cursor when committing
	pinctrl: mcp23s08: fix race condition in irq handler
	ice: set the value of global config lock timeout longer
	virtio_net: Remove BUG() to avoid machine dead
	net: bcmgenet: check return value after calling platform_get_resource()
	net: mvpp2: check return value after calling platform_get_resource()
	net: micrel: check return value after calling platform_get_resource()
	fjes: check return value after calling platform_get_resource()
	selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
	xfrm: Fix error reporting in xfrm_state_construct.
	wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
	wl1251: Fix possible buffer overflow in wl1251_cmd_scan
	cw1200: add missing MODULE_DEVICE_TABLE
	net: fix mistake path for netdev_features_strings
	rtl8xxxu: Fix device info for RTL8192EU devices
	MIPS: add PMD table accounting into MIPS'pmd_alloc_one
	atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
	atm: nicstar: register the interrupt handler in the right place
	vsock: notify server to shutdown when client has pending signal
	RDMA/rxe: Don't overwrite errno from ib_umem_get()
	iwlwifi: mvm: don't change band on bound PHY contexts
	iwlwifi: pcie: free IML DMA memory allocation
	sfc: avoid double pci_remove of VFs
	sfc: error code if SRIOV cannot be disabled
	wireless: wext-spy: Fix out-of-bounds warning
	media, bpf: Do not copy more entries than user space requested
	net: ip: avoid OOM kills with large UDP sends over loopback
	RDMA/cma: Fix rdma_resolve_route() memory leak
	Bluetooth: Fix the HCI to MGMT status conversion table
	Bluetooth: Shutdown controller after workqueues are flushed or cancelled
	Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc.
	sctp: validate from_addr_param return
	sctp: add size validation when walking chunks
	MIPS: set mips32r5 for virt extensions
	fscrypt: don't ignore minor_hash when hash is 0
	bdi: Do not use freezable workqueue
	serial: mvebu-uart: clarify the baud rate derivation
	serial: mvebu-uart: fix calculation of clock divisor
	fuse: reject internal errno
	powerpc/barrier: Avoid collision with clang's __lwsync macro
	usb: gadget: f_fs: Fix setting of device and driver data cross-references
	drm/radeon: Add the missed drm_gem_object_put() in radeon_user_framebuffer_create()
	drm/amd/display: fix incorrrect valid irq check
	pinctrl/amd: Add device HID for new AMD GPIO controller
	drm/msm/mdp4: Fix modifier support enabling
	mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode
	mmc: core: clear flags before allowing to retune
	mmc: core: Allow UHS-I voltage switch for SDSC cards if supported
	ata: ahci_sunxi: Disable DIPM
	cpu/hotplug: Cure the cpusets trainwreck
	clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround
	ASoC: tegra: Set driver_name=tegra for all machine drivers
	qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
	ipmi/watchdog: Stop watchdog timer when the current action is 'none'
	power: supply: ab8500: Fix an old bug
	seq_buf: Fix overflow in seq_buf_putmem_hex()
	tracing: Simplify & fix saved_tgids logic
	tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT
	ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
	coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
	dm btree remove: assign new_root only when removal succeeds
	PCI: Leave Apple Thunderbolt controllers on for s2idle or standby
	PCI: aardvark: Fix checking for PIO Non-posted Request
	media: subdev: disallow ioctl for saa6588/davinci
	media: dtv5100: fix control-request directions
	media: zr364xx: fix memory leak in zr364xx_start_readpipe
	media: gspca/sq905: fix control-request direction
	media: gspca/sunplus: fix zero-length control requests
	media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
	pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq()
	jfs: fix GPF in diFree
	smackfs: restrict bytes count in smk_set_cipso()
	KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled
	KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run()
	scsi: core: Fix bad pointer dereference when ehandler kthread is invalid
	tracing: Do not reference char * as a string in histograms
	PCI: aardvark: Don't rely on jiffies while holding spinlock
	PCI: aardvark: Fix kernel panic during PIO transfer
	tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero
	misc/libmasm/module: Fix two use after free in ibmasm_init_one
	Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro"
	w1: ds2438: fixing bug that would always get page0
	scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology
	scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs
	scsi: core: Cap scsi_host cmd_per_lun at can_queue
	ALSA: ac97: fix PM reference leak in ac97_bus_remove()
	tty: serial: 8250: serial_cs: Fix a memory leak in error handling path
	scsi: scsi_dh_alua: Check for negative result value
	fs/jfs: Fix missing error code in lmLogInit()
	scsi: iscsi: Add iscsi_cls_conn refcount helpers
	scsi: iscsi: Fix conn use after free during resets
	scsi: iscsi: Fix shost->max_id use
	scsi: qedi: Fix null ref during abort handling
	mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE
	s390/sclp_vt220: fix console name to match device
	selftests: timers: rtcpie: skip test if default RTC device does not exist
	ALSA: sb: Fix potential double-free of CSP mixer elements
	powerpc/ps3: Add dma_mask to ps3_dma_region
	gpio: zynq: Check return value of pm_runtime_get_sync
	ALSA: ppc: fix error return code in snd_pmac_probe()
	selftests/powerpc: Fix "no_handler" EBB selftest
	gpio: pca953x: Add support for the On Semi pca9655
	ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing()
	Input: hideep - fix the uninitialized use in hideep_nvm_unlock()
	ALSA: bebob: add support for ToneWeal FW66
	usb: gadget: f_hid: fix endianness issue with descriptors
	usb: gadget: hid: fix error return code in hid_bind()
	powerpc/boot: Fixup device-tree on little endian
	backlight: lm3630a: Fix return code of .update_status() callback
	ALSA: hda: Add IRQ check for platform_get_irq()
	staging: rtl8723bs: fix macro value for 2.4Ghz only device
	intel_th: Wait until port is in reset before programming it
	i2c: core: Disable client irq on reboot/shutdown
	lib/decompress_unlz4.c: correctly handle zero-padding around initrds.
	pwm: spear: Don't modify HW state in .remove callback
	power: supply: ab8500: Avoid NULL pointers
	power: supply: max17042: Do not enforce (incorrect) interrupt trigger type
	power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE
	ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1
	watchdog: Fix possible use-after-free in wdt_startup()
	watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
	watchdog: Fix possible use-after-free by calling del_timer_sync()
	watchdog: iTCO_wdt: Account for rebooting on second timeout
	x86/fpu: Return proper error codes from user access functions
	PCI: tegra: Add missing MODULE_DEVICE_TABLE
	orangefs: fix orangefs df output.
	ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty
	NFS: nfs_find_open_context() may only select open files
	power: supply: charger-manager: add missing MODULE_DEVICE_TABLE
	power: supply: ab8500: add missing MODULE_DEVICE_TABLE
	pwm: tegra: Don't modify HW state in .remove callback
	ACPI: AMBA: Fix resource name in /proc/iomem
	ACPI: video: Add quirk for the Dell Vostro 3350
	virtio-blk: Fix memory leak among suspend/resume procedure
	virtio_net: Fix error handling in virtnet_restore()
	virtio_console: Assure used length from device is limited
	f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs
	PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun
	power: supply: rt5033_battery: Fix device tree enumeration
	NFSv4: Initialise connection to the server in nfs4_alloc_client()
	um: fix error return code in slip_open()
	um: fix error return code in winch_tramp()
	watchdog: aspeed: fix hardware timeout calculation
	nfs: fix acl memory leak of posix_acl_create()
	ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode
	PCI: iproc: Fix multi-MSI base vector number allocation
	PCI: iproc: Support multi-MSI only on uniprocessor kernel
	x86/fpu: Limit xstate copy size in xstateregs_set()
	virtio_net: move tx vq operation under tx queue lock
	ALSA: isa: Fix error return code in snd_cmi8330_probe()
	NFSv4/pNFS: Don't call _nfs4_pnfs_v3_ds_connect multiple times
	hexagon: use common DISCARDS macro
	reset: a10sr: add missing of_match_table reference
	ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3
	ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1
	ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4
	memory: atmel-ebi: add missing of_node_put for loop iteration
	rtc: fix snprintf() checking in is_rtc_hctosys()
	arm64: dts: renesas: v3msk: Fix memory size
	ARM: dts: r8a7779, marzen: Fix DU clock names
	ARM: dts: BCM5301X: Fixup SPI binding
	reset: bail if try_module_get() fails
	memory: fsl_ifc: fix leak of IO mapping on probe failure
	memory: fsl_ifc: fix leak of private memory on probe failure
	ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema
	ARM: dts: am437x: align ti,pindir-d0-out-d1-in property with dt-shema
	ARM: dts: imx6q-dhcom: Fix ethernet reset time properties
	ARM: dts: imx6q-dhcom: Fix ethernet plugin detection problems
	ARM: dts: imx6q-dhcom: Add gpios pinctrl for i2c bus recovery
	scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()
	mips: always link byteswap helpers into decompressor
	mips: disable branch profiling in boot/decompress.o
	MIPS: vdso: Invalid GIC access through VDSO
	net: bridge: multicast: fix PIM hello router port marking race
	scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg()
	seq_file: disallow extremely large seq buffer allocations
	Linux 4.19.198

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iaa8a95c4d30ca85021bae6c60b4818038797e04e
2021-07-20 16:38:59 +02:00
e626b6f873 net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
[ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ]

__napi_schedule_irqoff() is an optimized version of __napi_schedule()
which can be used where it is known that interrupts are disabled,
e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer
callbacks.

On PREEMPT_RT enabled kernels this assumptions is not true. Force-
threaded interrupt handlers and spinlocks are not disabling interrupts
and the NAPI hrtimer callback is forced into softirq context which runs
with interrupts enabled as well.

Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole
game so make __napi_schedule_irqoff() invoke __napi_schedule() for
PREEMPT_RT kernels.

The callers of ____napi_schedule() in the networking core have been
audited and are correct on PREEMPT_RT kernels as well.

Reported-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-07-20 16:15:59 +02:00
4a20e9c32b Revert "can: dev: Move device back to init netns on owning netns delete"
This reverts commit 00e17e57a3 which is
commit 3a5ca857079ea022e0b1b17fc154f7ad7dbc150f upstream.

It breaks the networking api and we do not care about CAN devices in
Android systems at this point in time.

Bug: 161946584
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I5d5de8fccb077249478b7d1e136f91d6be0b20cd
2021-04-07 11:44:51 +02:00
f411297402 Merge 4.19.184 into android-4.19-stable
Changes in 4.19.184
	net: fec: ptp: avoid register access when ipg clock is disabled
	powerpc/4xx: Fix build errors from mfdcr()
	atm: eni: dont release is never initialized
	atm: lanai: dont run lanai_dev_close if not open
	Revert "r8152: adjust the settings about MAC clock speed down for RTL8153"
	ixgbe: Fix memleak in ixgbe_configure_clsu32
	net: tehuti: fix error return code in bdx_probe()
	sun/niu: fix wrong RXMAC_BC_FRM_CNT_COUNT count
	gianfar: fix jumbo packets+napi+rx overrun crash
	gpiolib: acpi: Add missing IRQF_ONESHOT
	nfs: fix PNFS_FLEXFILE_LAYOUT Kconfig default
	NFS: Correct size calculation for create reply length
	net: hisilicon: hns: fix error return code of hns_nic_clear_all_rx_fetch()
	net: wan: fix error return code of uhdlc_init()
	atm: uPD98402: fix incorrect allocation
	atm: idt77252: fix null-ptr-dereference
	sparc64: Fix opcode filtering in handling of no fault loads
	u64_stats,lockdep: Fix u64_stats_init() vs lockdep
	drm/radeon: fix AGP dependency
	nfs: we don't support removing system.nfs4_acl
	block: Suppress uevent for hidden device when removed
	ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls
	ia64: fix ptrace(PTRACE_SYSCALL_INFO_EXIT) sign
	netsec: restore phy power state after controller reset
	platform/x86: intel-vbtn: Stop reporting SW_DOCK events
	squashfs: fix inode lookup sanity checks
	squashfs: fix xattr id and id lookup sanity checks
	arm64: dts: ls1046a: mark crypto engine dma coherent
	arm64: dts: ls1012a: mark crypto engine dma coherent
	arm64: dts: ls1043a: mark crypto engine dma coherent
	ARM: dts: at91-sama5d27_som1: fix phy address to 7
	dm ioctl: fix out of bounds array access when no devices
	bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD
	veth: Store queue_mapping independently of XDP prog presence
	libbpf: Fix INSTALL flag order
	macvlan: macvlan_count_rx() needs to be aware of preemption
	net: dsa: bcm_sf2: Qualify phydev->dev_flags based on port
	e1000e: add rtnl_lock() to e1000_reset_task
	e1000e: Fix error handling in e1000_set_d0_lplu_state_82571
	net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template
	ftgmac100: Restart MAC HW once
	netfilter: ctnetlink: fix dump of the expect mask attribute
	can: peak_usb: add forgotten supported devices
	can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate
	can: c_can_pci: c_can_pci_remove(): fix use-after-free
	can: c_can: move runtime PM enable/disable to c_can_platform
	can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning
	mac80211: fix rate mask reset
	net: cdc-phonet: fix data-interface release on probe failure
	net: stmmac: dwmac-sun8i: Provide TX and RX fifo sizes
	drm/msm: fix shutdown hook in case GPU components failed to bind
	arm64: kdump: update ppos when reading elfcorehdr
	net/mlx5e: Fix error path for ethtool set-priv-flag
	RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server
	bpf: Don't do bpf_cgroup_storage_set() for kuprobe/tp programs
	Revert "netfilter: x_tables: Switch synchronization to RCU"
	netfilter: x_tables: Use correct memory barriers.
	Revert "netfilter: x_tables: Update remaining dereference to RCU"
	ACPI: scan: Rearrange memory allocation in acpi_device_add()
	ACPI: scan: Use unique number for instance_no
	dm verity: add root hash pkcs#7 signature verification
	perf auxtrace: Fix auxtrace queue conflict
	scsi: qedi: Fix error return code of qedi_alloc_global_queues()
	scsi: mpt3sas: Fix error return code of mpt3sas_base_attach()
	locking/mutex: Fix non debug version of mutex_lock_io_nested()
	x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc()
	can: dev: Move device back to init netns on owning netns delete
	net: sched: validate stab values
	net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
	mac80211: fix double free in ibss_leave
	ext4: add reclaim checks to xattr code
	can: peak_usb: Revert "can: peak_usb: add forgotten supported devices"
	xen-blkback: don't leak persistent grants from xen_blkbk_map()
	Linux 4.19.184

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6126263d1365fef1ba4112b47b6c3013334f390a
2021-04-07 11:44:22 +02:00
00e17e57a3 can: dev: Move device back to init netns on owning netns delete
commit 3a5ca857079ea022e0b1b17fc154f7ad7dbc150f upstream.

When a non-initial netns is destroyed, the usual policy is to delete
all virtual network interfaces contained, but move physical interfaces
back to the initial netns. This keeps the physical interface visible
on the system.

CAN devices are somewhat special, as they define rtnl_link_ops even
if they are physical devices. If a CAN interface is moved into a
non-initial netns, destroying that netns lets the interface vanish
instead of moving it back to the initial netns. default_device_exit()
skips CAN interfaces due to having rtnl_link_ops set. Reproducer:

  ip netns add foo
  ip link set can0 netns foo
  ip netns delete foo

WARNING: CPU: 1 PID: 84 at net/core/dev.c:11030 ops_exit_list+0x38/0x60
CPU: 1 PID: 84 Comm: kworker/u4:2 Not tainted 5.10.19 #1
Workqueue: netns cleanup_net
[<c010e700>] (unwind_backtrace) from [<c010a1d8>] (show_stack+0x10/0x14)
[<c010a1d8>] (show_stack) from [<c086dc10>] (dump_stack+0x94/0xa8)
[<c086dc10>] (dump_stack) from [<c086b938>] (__warn+0xb8/0x114)
[<c086b938>] (__warn) from [<c086ba10>] (warn_slowpath_fmt+0x7c/0xac)
[<c086ba10>] (warn_slowpath_fmt) from [<c0629f20>] (ops_exit_list+0x38/0x60)
[<c0629f20>] (ops_exit_list) from [<c062a5c4>] (cleanup_net+0x230/0x380)
[<c062a5c4>] (cleanup_net) from [<c0142c20>] (process_one_work+0x1d8/0x438)
[<c0142c20>] (process_one_work) from [<c0142ee4>] (worker_thread+0x64/0x5a8)
[<c0142ee4>] (worker_thread) from [<c0148a98>] (kthread+0x148/0x14c)
[<c0148a98>] (kthread) from [<c0100148>] (ret_from_fork+0x14/0x2c)

To properly restore physical CAN devices to the initial netns on owning
netns exit, introduce a flag on rtnl_link_ops that can be set by drivers.
For CAN devices setting this flag, default_device_exit() considers them
non-virtual, applying the usual namespace move.

The issue was introduced in the commit mentioned below, as at that time
CAN devices did not have a dellink() operation.

Fixes: e008b5fc8d ("net: Simplfy default_device_exit and improve batching.")
Link: https://lore.kernel.org/r/20210302122423.872326-1-martin@strongswan.org
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-03-30 14:37:03 +02:00
709f9b702e Merge 4.19.171 into android-4.19-stable
Changes in 4.19.171
	i2c: bpmp-tegra: Ignore unknown I2C_M flags
	ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info()
	ALSA: hda/via: Add minimum mute flag
	ACPI: scan: Make acpi_bus_get_device() clear return pointer on error
	btrfs: fix lockdep splat in btrfs_recover_relocation
	mmc: core: don't initialize block size from ext_csd if not present
	mmc: sdhci-xenon: fix 1.8v regulator stabilization
	dm: avoid filesystem lookup in dm_get_dev_t()
	dm integrity: fix a crash if "recalculate" used without "internal_hash"
	drm/atomic: put state on error path
	ASoC: Intel: haswell: Add missing pm_ops
	scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback
	scsi: qedi: Correct max length of CHAP secret
	riscv: Fix kernel time_init()
	HID: Ignore battery for Elan touchscreen on ASUS UX550
	clk: tegra30: Add hda clock default rates to clock driver
	xen: Fix event channel callback via INTX/GSI
	drm/nouveau/bios: fix issue shadowing expansion ROMs
	drm/nouveau/privring: ack interrupts the same way as RM
	drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields
	drm/nouveau/mmu: fix vram heap sizing
	drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0
	scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression
	i2c: octeon: check correct size of maximum RECV_LEN packet
	platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list
	selftests: net: fib_tests: remove duplicate log test
	can: dev: can_restart: fix use after free bug
	can: vxcan: vxcan_xmit: fix use after free bug
	can: peak_usb: fix use after free bugs
	iio: ad5504: Fix setting power-down state
	irqchip/mips-cpu: Set IPI domain parent chip
	intel_th: pci: Add Alder Lake-P support
	stm class: Fix module init return on allocation failure
	serial: mvebu-uart: fix tx lost characters at power off
	ehci: fix EHCI host controller initialization sequence
	USB: ehci: fix an interrupt calltrace error
	usb: gadget: aspeed: fix stop dma register setting.
	usb: udc: core: Use lock when write to soft_connect
	usb: bdc: Make bdc pci driver depend on BROKEN
	xhci: make sure TRB is fully written before giving it to the controller
	xhci: tegra: Delay for disabling LFPS detector
	driver core: Extend device_is_dependent()
	netfilter: rpfilter: mask ecn bits before fib lookup
	sh: dma: fix kconfig dependency for G2_DMA
	sh_eth: Fix power down vs. is_opened flag ordering
	skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
	kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow
	kasan: fix incorrect arguments passing in kasan_add_zero_shadow
	udp: mask TOS bits in udp_v4_early_demux()
	ipv6: create multicast route with RTPROT_KERNEL
	net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
	net_sched: reject silly cell_log in qdisc_get_rtab()
	ipv6: set multicast flag on the multicast route
	net: mscc: ocelot: allow offloading of bridge on top of LAG
	net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
	net: dsa: b53: fix an off by one in checking "vlan->vid"
	Linux 4.19.171

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2be7d084a443bfc87e6a3d5753d9c233f54788ac
2021-01-27 11:45:59 +01:00
fffe7ab69d net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
commit a3eb4e9d4c9218476d05c52dfd2be3d6fdce6b91 upstream.

With NETIF_F_HW_TLS_RX packets are decrypted in HW. This cannot be
logically done when RXCSUM offload is off.

Fixes: 14136564c8 ("net: Add TLS RX offload feature")
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Boris Pismenny <borisp@nvidia.com>
Link: https://lore.kernel.org/r/20210117151538.9411-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-27 11:05:44 +01:00
af4136af6b Merge 4.19.145 into android-4.19-stable
Changes in 4.19.145
	ALSA; firewire-tascam: exclude Tascam FE-8 from detection
	block: ensure bdi->io_pages is always initialized
	netlabel: fix problems with mapping removal
	net: usb: dm9601: Add USB ID of Keenetic Plus DSL
	sctp: not disable bh in the whole sctp_get_port_local()
	tipc: fix shutdown() of connectionless socket
	net: disable netpoll on fresh napis
	net/mlx5e: Don't support phys switch id if not in switchdev mode
	Linux 4.19.145

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I84b193f4c87a87efbba84219856368d3cfba907b
2020-09-12 14:23:25 +02:00
9f313bcb3b net: disable netpoll on fresh napis
[ Upstream commit 96e97bc07e90f175a8980a22827faf702ca4cb30 ]

napi_disable() makes sure to set the NAPI_STATE_NPSVC bit to prevent
netpoll from accessing rings before init is complete. However, the
same is not done for fresh napi instances in netif_napi_add(),
even though we expect NAPI instances to be added as disabled.

This causes crashes during driver reconfiguration (enabling XDP,
changing the channel count) - if there is any printk() after
netif_napi_add() but before napi_enable().

To ensure memory ordering is correct we need to use RCU accessors.

Reported-by: Rob Sherwood <rsher@fb.com>
Fixes: 2d8bff1269 ("netpoll: Close race condition between poll_one_napi and napi_disable")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-09-12 13:40:23 +02:00
204dd19a9b Merge 4.19.136 into android-4.19-stable
Changes in 4.19.136
	AX.25: Fix out-of-bounds read in ax25_connect()
	AX.25: Prevent out-of-bounds read in ax25_sendmsg()
	dev: Defer free of skbs in flush_backlog
	drivers/net/wan/x25_asy: Fix to make it work
	ip6_gre: fix null-ptr-deref in ip6gre_init_net()
	net-sysfs: add a newline when printing 'tx_timeout' by sysfs
	net: udp: Fix wrong clean up for IS_UDPLITE macro
	qrtr: orphan socket in qrtr_release()
	rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
	tcp: allow at most one TLP probe per flight
	AX.25: Prevent integer overflows in connect and sendmsg
	sctp: shrink stream outq only when new outcnt < old outcnt
	sctp: shrink stream outq when fails to do addstream reconf
	udp: Copy has_conns in reuseport_grow().
	udp: Improve load balancing for SO_REUSEPORT.
	rtnetlink: Fix memory(net_device) leak when ->newlink fails
	regmap: debugfs: check count when read regmap file
	Linux 4.19.136

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I642a68276dffc3521d8809024f457c1049012348
2020-07-31 19:06:47 +02:00
68c46a0adc dev: Defer free of skbs in flush_backlog
[ Upstream commit 7df5cb75cfb8acf96c7f2342530eb41e0c11f4c3 ]

IRQs are disabled when freeing skbs in input queue.
Use the IRQ safe variant to free skbs here.

Fixes: 145dd5f9c8 ("net: flush the softnet backlog in process context")
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-31 18:37:47 +02:00
b3293788b9 Merge 4.19.131 into android-4.19-stable
Changes in 4.19.131
	net: be more gentle about silly gso requests coming from user
	block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed
	fanotify: fix ignore mask logic for events on child and on dir
	mtd: rawnand: marvell: Fix the condition on a return code
	net: bcmgenet: remove HFB_CTRL access
	net: sched: export __netdev_watchdog_up()
	EDAC/amd64: Add Family 17h Model 30h PCI IDs
	i2c: tegra: Cleanup kerneldoc comments
	i2c: tegra: Add missing kerneldoc for some fields
	i2c: tegra: Fix Maximum transfer size
	fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()"
	ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
	ALSA: hda/realtek: Enable mute LED on an HP system
	ALSA: hda/realtek - Enable micmute LED on and HP system
	apparmor: don't try to replace stale label in ptraceme check
	ibmveth: Fix max MTU limit
	mld: fix memory leak in ipv6_mc_destroy_dev()
	net: bridge: enfore alignment for ethernet address
	net: fix memleak in register_netdevice()
	net: place xmit recursion in softnet data
	net: use correct this_cpu primitive in dev_recursion_level
	net: increment xmit_recursion level in dev_direct_xmit()
	net: usb: ax88179_178a: fix packet alignment padding
	rocker: fix incorrect error handling in dma_rings_init
	rxrpc: Fix notification call on completion of discarded calls
	sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
	tcp: don't ignore ECN CWR on pure ACK
	tcp: grow window for OOO packets only for SACK flows
	tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
	ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
	net: phy: Check harder for errors in get_phy_id()
	ip_tunnel: fix use-after-free in ip_tunnel_lookup()
	sch_cake: don't try to reallocate or unshare skb unconditionally
	sch_cake: fix a few style nits
	tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
	sch_cake: don't call diffserv parsing code when it is not needed
	net: Fix the arp error in some cases
	net: Do not clear the sock TX queue in sk_set_socket()
	net: core: reduce recursion limit value
	USB: ohci-sm501: Add missed iounmap() in remove
	usb: dwc2: Postponed gadget registration to the udc class driver
	usb: add USB_QUIRK_DELAY_INIT for Logitech C922
	USB: ehci: reopen solution for Synopsys HC bug
	usb: host: xhci-mtk: avoid runtime suspend when removing hcd
	xhci: Poll for U0 after disabling USB2 LPM
	usb: host: ehci-exynos: Fix error check in exynos_ehci_probe()
	usb: typec: tcpci_rt1711h: avoid screaming irq causing boot hangs
	ALSA: usb-audio: add quirk for Denon DCD-1500RE
	ALSA: usb-audio: add quirk for Samsung USBC Headset (AKG)
	ALSA: usb-audio: Fix OOB access of mixer element list
	scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action
	xhci: Fix incorrect EP_STATE_MASK
	xhci: Fix enumeration issue when setting max packet size for FS devices.
	xhci: Return if xHCI doesn't support LPM
	cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip
	loop: replace kill_bdev with invalidate_bdev
	IB/mad: Fix use after free when destroying MAD agent
	cifs/smb3: Fix data inconsistent when punch hole
	cifs/smb3: Fix data inconsistent when zero file range
	xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
	ASoC: q6asm: handle EOS correctly
	efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
	regualtor: pfuze100: correct sw1a/sw2 on pfuze3000
	ASoC: fsl_ssi: Fix bclk calculation for mono channel
	ARM: dts: Fix duovero smsc interrupt for suspend
	x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in rdt_cdp_peer_get()
	regmap: Fix memory leak from regmap_register_patch
	ARM: dts: NSP: Correct FA2 mailbox node
	rxrpc: Fix handling of rwind from an ACK packet
	RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
	RDMA/cma: Protect bind_list and listen_list while finding matching cm id
	ASoC: rockchip: Fix a reference count leak.
	RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads()
	net: qed: fix left elements count calculation
	net: qed: fix NVMe login fails over VFs
	net: qed: fix excessive QM ILT lines consumption
	cxgb4: move handling L2T ARP failures to caller
	ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
	usb: gadget: udc: Potential Oops in error handling code
	netfilter: ipset: fix unaligned atomic access
	net: bcmgenet: use hardware padding of runt frames
	i2c: fsi: Fix the port number field in status register
	i2c: core: check returned size of emulated smbus block read
	sched/deadline: Initialize ->dl_boosted
	sched/core: Fix PI boosting between RT and DEADLINE tasks
	sata_rcar: handle pm_runtime_get_sync failure cases
	ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function
	drm/amd/display: Use kfree() to free rgb_user in calculate_user_regamma_ramp()
	riscv/atomic: Fix sign extension for RV64I
	hwrng: ks-sa - Fix runtime PM imbalance on error
	ibmvnic: Harden device login requests
	net: alx: fix race condition in alx_remove
	s390/ptrace: fix setting syscall number
	s390/vdso: fix vDSO clock_getres()
	arm64: sve: Fix build failure when ARM64_SVE=y and SYSCTL=n
	kbuild: improve cc-option to clean up all temporary files
	blktrace: break out of blktrace setup on concurrent calls
	RISC-V: Don't allow write+exec only page mapping request in mmap
	ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table
	ALSA: hda/realtek - Add quirk for MSI GE63 laptop
	ACPI: sysfs: Fix pm_profile_attr type
	erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup
	KVM: X86: Fix MSR range of APIC registers in X2APIC mode
	KVM: nVMX: Plumb L2 GPA through to PML emulation
	x86/asm/64: Align start of __clear_user() loop to 16-bytes
	btrfs: fix data block group relocation failure due to concurrent scrub
	btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof
	mm/slab: use memzero_explicit() in kzfree()
	ocfs2: avoid inode removal while nfsd is accessing it
	ocfs2: load global_inode_alloc
	ocfs2: fix value of OCFS2_INVALID_SLOT
	ocfs2: fix panic on nfs server over ocfs2
	arm64: perf: Report the PC value in REGS_ABI_32 mode
	tracing: Fix event trigger to accept redundant spaces
	ring-buffer: Zero out time extend if it is nested and not absolute
	drm: rcar-du: Fix build error
	drm/radeon: fix fb_div check in ni_init_smc_spll_table()
	Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()
	sunrpc: fixed rollback in rpc_gssd_dummy_populate()
	SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
	pNFS/flexfiles: Fix list corruption if the mirror count changes
	NFSv4 fix CLOSE not waiting for direct IO compeletion
	dm writecache: correct uncommitted_block when discarding uncommitted entry
	dm writecache: add cond_resched to loop in persistent_memory_claim()
	xfs: add agf freeblocks verify in xfs_agf_verify
	Revert "tty: hvc: Fix data abort due to race in hvc_open"
	Linux 4.19.131

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2c5abdfc2979e50d441bb0e0bcd499e03c61cefd
2020-07-01 13:11:06 +02:00
220e80d937 net: increment xmit_recursion level in dev_direct_xmit()
[ Upstream commit 0ad6f6e767ec2f613418cbc7ebe5ec4c35af540c ]

Back in commit f60e5990d9 ("ipv6: protect skb->sk accesses
from recursive dereference inside the stack") Hannes added code
so that IPv6 stack would not trust skb->sk for typical cases
where packet goes through 'standard' xmit path (__dev_queue_xmit())

Alas af_packet had a dev_direct_xmit() path that was not
dealing yet with xmit_recursion level.

Also change sk_mc_loop() to dump a stack once only.

Without this patch, syzbot was able to trigger :

[1]
[  153.567378] WARNING: CPU: 7 PID: 11273 at net/core/sock.c:721 sk_mc_loop+0x51/0x70
[  153.567378] Modules linked in: nfnetlink ip6table_raw ip6table_filter iptable_raw iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 nf_defrag_ipv6 iptable_filter macsec macvtap tap macvlan 8021q hsr wireguard libblake2s blake2s_x86_64 libblake2s_generic udp_tunnel ip6_udp_tunnel libchacha20poly1305 poly1305_x86_64 chacha_x86_64 libchacha curve25519_x86_64 libcurve25519_generic netdevsim batman_adv dummy team bridge stp llc w1_therm wire i2c_mux_pca954x i2c_mux cdc_acm ehci_pci ehci_hcd mlx4_en mlx4_ib ib_uverbs ib_core mlx4_core
[  153.567386] CPU: 7 PID: 11273 Comm: b159172088 Not tainted 5.8.0-smp-DEV #273
[  153.567387] RIP: 0010:sk_mc_loop+0x51/0x70
[  153.567388] Code: 66 83 f8 0a 75 24 0f b6 4f 12 b8 01 00 00 00 31 d2 d3 e0 a9 bf ef ff ff 74 07 48 8b 97 f0 02 00 00 0f b6 42 3a 83 e0 01 5d c3 <0f> 0b b8 01 00 00 00 5d c3 0f b6 87 18 03 00 00 5d c0 e8 04 83 e0
[  153.567388] RSP: 0018:ffff95c69bb93990 EFLAGS: 00010212
[  153.567388] RAX: 0000000000000011 RBX: ffff95c6e0ee3e00 RCX: 0000000000000007
[  153.567389] RDX: ffff95c69ae50000 RSI: ffff95c6c30c3000 RDI: ffff95c6c30c3000
[  153.567389] RBP: ffff95c69bb93990 R08: ffff95c69a77f000 R09: 0000000000000008
[  153.567389] R10: 0000000000000040 R11: 00003e0e00026128 R12: ffff95c6c30c3000
[  153.567390] R13: ffff95c6cc4fd500 R14: ffff95c6f84500c0 R15: ffff95c69aa13c00
[  153.567390] FS:  00007fdc3a283700(0000) GS:ffff95c6ff9c0000(0000) knlGS:0000000000000000
[  153.567390] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  153.567391] CR2: 00007ffee758e890 CR3: 0000001f9ba20003 CR4: 00000000001606e0
[  153.567391] Call Trace:
[  153.567391]  ip6_finish_output2+0x34e/0x550
[  153.567391]  __ip6_finish_output+0xe7/0x110
[  153.567391]  ip6_finish_output+0x2d/0xb0
[  153.567392]  ip6_output+0x77/0x120
[  153.567392]  ? __ip6_finish_output+0x110/0x110
[  153.567392]  ip6_local_out+0x3d/0x50
[  153.567392]  ipvlan_queue_xmit+0x56c/0x5e0
[  153.567393]  ? ksize+0x19/0x30
[  153.567393]  ipvlan_start_xmit+0x18/0x50
[  153.567393]  dev_direct_xmit+0xf3/0x1c0
[  153.567393]  packet_direct_xmit+0x69/0xa0
[  153.567394]  packet_sendmsg+0xbf0/0x19b0
[  153.567394]  ? plist_del+0x62/0xb0
[  153.567394]  sock_sendmsg+0x65/0x70
[  153.567394]  sock_write_iter+0x93/0xf0
[  153.567394]  new_sync_write+0x18e/0x1a0
[  153.567395]  __vfs_write+0x29/0x40
[  153.567395]  vfs_write+0xb9/0x1b0
[  153.567395]  ksys_write+0xb1/0xe0
[  153.567395]  __x64_sys_write+0x1a/0x20
[  153.567395]  do_syscall_64+0x43/0x70
[  153.567396]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  153.567396] RIP: 0033:0x453549
[  153.567396] Code: Bad RIP value.
[  153.567396] RSP: 002b:00007fdc3a282cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  153.567397] RAX: ffffffffffffffda RBX: 00000000004d32d0 RCX: 0000000000453549
[  153.567397] RDX: 0000000000000020 RSI: 0000000020000300 RDI: 0000000000000003
[  153.567398] RBP: 00000000004d32d8 R08: 0000000000000000 R09: 0000000000000000
[  153.567398] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d32dc
[  153.567398] R13: 00007ffee742260f R14: 00007fdc3a282dc0 R15: 00007fdc3a283700
[  153.567399] ---[ end trace c1d5ae2b1059ec62 ]---

f60e5990d9 ("ipv6: protect skb->sk accesses from recursive dereference inside the stack")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-30 23:17:04 -04:00
edbe653223 net: place xmit recursion in softnet data
commit 97cdcf37b57e3f204be3000b9eab9686f38b4356 upstream.

This fills a hole in softnet data, so no change in structure size.

Also prepares for xmit_more placement in the same spot;
skb->xmit_more will be removed in followup patch.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-30 23:17:04 -04:00
061abde395 net: fix memleak in register_netdevice()
[ Upstream commit 814152a89ed52c722ab92e9fbabcac3cb8a39245 ]

I got a memleak report when doing some fuzz test:

unreferenced object 0xffff888112584000 (size 13599):
  comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
  hex dump (first 32 bytes):
    74 61 70 30 00 00 00 00 00 00 00 00 00 00 00 00  tap0............
    00 ee d9 19 81 88 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000002f60ba65>] __kmalloc_node+0x309/0x3a0
    [<0000000075b211ec>] kvmalloc_node+0x7f/0xc0
    [<00000000d3a97396>] alloc_netdev_mqs+0x76/0xfc0
    [<00000000609c3655>] __tun_chr_ioctl+0x1456/0x3d70
    [<000000001127ca24>] ksys_ioctl+0xe5/0x130
    [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
    [<00000000e1023498>] do_syscall_64+0x56/0xa0
    [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
unreferenced object 0xffff888111845cc0 (size 8):
  comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
  hex dump (first 8 bytes):
    74 61 70 30 00 88 ff ff                          tap0....
  backtrace:
    [<000000004c159777>] kstrdup+0x35/0x70
    [<00000000d8b496ad>] kstrdup_const+0x3d/0x50
    [<00000000494e884a>] kvasprintf_const+0xf1/0x180
    [<0000000097880a2b>] kobject_set_name_vargs+0x56/0x140
    [<000000008fbdfc7b>] dev_set_name+0xab/0xe0
    [<000000005b99e3b4>] netdev_register_kobject+0xc0/0x390
    [<00000000602704fe>] register_netdevice+0xb61/0x1250
    [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
    [<000000001127ca24>] ksys_ioctl+0xe5/0x130
    [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
    [<00000000e1023498>] do_syscall_64+0x56/0xa0
    [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
unreferenced object 0xffff88811886d800 (size 512):
  comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
  hex dump (first 32 bytes):
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
    ff ff ff ff ff ff ff ff c0 66 3d a3 ff ff ff ff  .........f=.....
  backtrace:
    [<0000000050315800>] device_add+0x61e/0x1950
    [<0000000021008dfb>] netdev_register_kobject+0x17e/0x390
    [<00000000602704fe>] register_netdevice+0xb61/0x1250
    [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
    [<000000001127ca24>] ksys_ioctl+0xe5/0x130
    [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
    [<00000000e1023498>] do_syscall_64+0x56/0xa0
    [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

If call_netdevice_notifiers() failed, then rollback_registered()
calls netdev_unregister_kobject() which holds the kobject. The
reference cannot be put because the netdev won't be add to todo
list, so it will leads a memleak, we need put the reference to
avoid memleak.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-30 23:17:03 -04:00
b96549a28b Merge 4.19.130 into android-4.19-stable
Changes in 4.19.130
	power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select
	clk: sunxi: Fix incorrect usage of round_down()
	ASoC: tegra: tegra_wm8903: Support nvidia, headset property
	i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets
	iio: pressure: bmp280: Tolerate IRQ before registering
	remoteproc: Fix IDR initialisation in rproc_alloc()
	clk: qcom: msm8916: Fix the address location of pll->config_reg
	backlight: lp855x: Ensure regulators are disabled on probe failure
	ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type
	ARM: integrator: Add some Kconfig selections
	scsi: qedi: Check for buffer overflow in qedi_set_path()
	ALSA: hda/realtek - Introduce polarity for micmute LED GPIO
	ALSA: isa/wavefront: prevent out of bounds write in ioctl
	PCI: Allow pci_resize_resource() for devices on root bus
	scsi: qla2xxx: Fix issue with adapter's stopping state
	iio: bmp280: fix compensation of humidity
	f2fs: report delalloc reserve as non-free in statfs for project quota
	i2c: pxa: clear all master action bits in i2c_pxa_stop_message()
	clk: samsung: Mark top ISP and CAM clocks on Exynos542x as critical
	usblp: poison URBs upon disconnect
	serial: 8250: Fix max baud limit in generic 8250 port
	dm mpath: switch paths in dm_blk_ioctl() code path
	PCI: aardvark: Don't blindly enable ASPM L0s and don't write to read-only register
	ps3disk: use the default segment boundary
	vfio/pci: fix memory leaks in alloc_perm_bits()
	RDMA/mlx5: Add init2init as a modify command
	m68k/PCI: Fix a memory leak in an error handling path
	gpio: dwapb: Call acpi_gpiochip_free_interrupts() on GPIO chip de-registration
	mfd: wm8994: Fix driver operation if loaded as modules
	scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event
	clk: clk-flexgen: fix clock-critical handling
	powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 events run
	nfsd: Fix svc_xprt refcnt leak when setup callback client failed
	PCI: vmd: Filter resource type bits from shadow register
	powerpc/crashkernel: Take "mem=" option into account
	pwm: img: Call pm_runtime_put() in pm_runtime_get_sync() failed case
	yam: fix possible memory leak in yam_init_driver
	NTB: ntb_pingpong: Choose doorbells based on port number
	NTB: Fix the default port and peer numbers for legacy drivers
	mksysmap: Fix the mismatch of '.L' symbols in System.map
	apparmor: fix introspection of of task mode for unconfined tasks
	apparmor: check/put label on apparmor_sk_clone_security()
	ASoC: meson: add missing free_irq() in error path
	scsi: sr: Fix sr_probe() missing deallocate of device minor
	scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM
	apparmor: fix nnp subset test for unconfined
	x86/purgatory: Disable various profiling and sanitizing options
	staging: greybus: fix a missing-check bug in gb_lights_light_config()
	arm64: dts: mt8173: fix unit name warnings
	scsi: qedi: Do not flush offload work if ARP not resolved
	ARM: dts: sun8i-h2-plus-bananapi-m2-zero: Fix led polarity
	gpio: dwapb: Append MODULE_ALIAS for platform driver
	scsi: qedf: Fix crash when MFW calls for protocol stats while function is still probing
	pinctrl: rza1: Fix wrong array assignment of rza1l_swio_entries
	firmware: qcom_scm: fix bogous abuse of dma-direct internals
	staging: gasket: Fix mapping refcnt leak when put attribute fails
	staging: gasket: Fix mapping refcnt leak when register/store fails
	ALSA: usb-audio: Improve frames size computation
	ALSA: usb-audio: Fix racy list management in output queue
	s390/qdio: put thinint indicator after early error
	tty: hvc: Fix data abort due to race in hvc_open
	slimbus: ngd: get drvdata from correct device
	thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR
	usb: dwc3: gadget: Properly handle failed kick_transfer
	staging: sm750fb: add missing case while setting FB_VISUAL
	PCI: v3-semi: Fix a memory leak in v3_pci_probe() error handling paths
	i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output
	serial: amba-pl011: Make sure we initialize the port.lock spinlock
	drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish
	PCI: rcar: Fix incorrect programming of OB windows
	PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges
	scsi: qla2xxx: Fix warning after FC target reset
	power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()'
	power: supply: smb347-charger: IRQSTAT_D is volatile
	scsi: mpt3sas: Fix double free warnings
	pinctrl: rockchip: fix memleak in rockchip_dt_node_to_map
	dlm: remove BUG() before panic()
	clk: ti: composite: fix memory leak
	PCI: Fix pci_register_host_bridge() device_register() error handling
	powerpc/64: Don't initialise init_task->thread.regs
	tty: n_gsm: Fix SOF skipping
	tty: n_gsm: Fix waking up upper tty layer when room available
	HID: Add quirks for Trust Panora Graphic Tablet
	ipmi: use vzalloc instead of kmalloc for user creation
	powerpc/pseries/ras: Fix FWNMI_VALID off by one
	powerpc/ps3: Fix kexec shutdown hang
	vfio-pci: Mask cap zero
	usb/ohci-platform: Fix a warning when hibernating
	drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation
	ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT8-A tablet
	USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe()
	tty: n_gsm: Fix bogus i++ in gsm_data_kick
	fpga: dfl: afu: Corrected error handling levels
	clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1
	scsi: target: tcmu: Userspace must not complete queued commands
	arm64: tegra: Fix ethernet phy-mode for Jetson Xavier
	powerpc/64s/pgtable: fix an undefined behaviour
	dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a zone
	PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port
	PCI: dwc: Fix inner MSI IRQ domain registration
	IB/cma: Fix ports memory leak in cma_configfs
	watchdog: da9062: No need to ping manually before setting timeout
	usb: dwc2: gadget: move gadget resume after the core is in L0 state
	USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke
	usb: gadget: lpc32xx_udc: don't dereference ep pointer before null check
	usb: gadget: fix potential double-free in m66592_probe.
	usb: gadget: Fix issue with config_ep_by_speed function
	RDMA/iw_cxgb4: cleanup device debugfs entries on ULD remove
	x86/apic: Make TSC deadline timer detection message visible
	ASoC: fix incomplete error-handling in img_i2s_in_probe.
	scsi: target: tcmu: Fix a use after free in tcmu_check_expired_queue_cmd()
	clk: bcm2835: Fix return type of bcm2835_register_gate
	scsi: ufs-qcom: Fix scheduling while atomic issue
	KVM: PPC: Book3S HV: Ignore kmemleak false positives
	clk: sprd: return correct type of value for _sprd_pll_recalc_rate
	net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'
	NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION
	of: Fix a refcounting bug in __of_attach_node_sysfs()
	powerpc/4xx: Don't unmap NULL mbase
	extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()'
	ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed
	vfio/mdev: Fix reference count leak in add_mdev_supported_type
	rxrpc: Adjust /proc/net/rxrpc/calls to display call->debug_id not user_ID
	openrisc: Fix issue with argument clobbering for clone/fork
	gfs2: Allow lock_nolock mount to specify jid=X
	scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj
	scsi: ufs: Don't update urgent bkops level when toggling auto bkops
	pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()'
	pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()'
	crypto: omap-sham - add proper load balancing support for multicore
	geneve: change from tx_error to tx_dropped on missing metadata
	lib/zlib: remove outdated and incorrect pre-increment optimization
	include/linux/bitops.h: avoid clang shift-count-overflow warnings
	elfnote: mark all .note sections SHF_ALLOC
	selftests/vm/pkeys: fix alloc_random_pkey() to make it really random
	blktrace: use errno instead of bi_status
	blktrace: fix endianness in get_pdu_int()
	blktrace: fix endianness for blk_log_remap()
	gfs2: fix use-after-free on transaction ail lists
	ntb_perf: pass correct struct device to dma_alloc_coherent
	ntb_tool: pass correct struct device to dma_alloc_coherent
	NTB: ntb_tool: reading the link file should not end in a NULL byte
	NTB: Revert the change to use the NTB device dev for DMA allocations
	NTB: perf: Don't require one more memory window than number of peers
	NTB: perf: Fix support for hardware that doesn't have port numbers
	NTB: perf: Fix race condition when run with ntb_test
	NTB: ntb_test: Fix bug when counting remote files
	drivers/perf: hisi: Fix wrong value for all counters enable
	selftests/net: in timestamping, strncpy needs to preserve null byte
	afs: Fix memory leak in afs_put_sysnames()
	ASoC: core: only convert non DPCM link to DPCM link
	ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT10-A tablet
	ASoC: rt5645: Add platform-data for Asus T101HA
	drm/sun4i: hdmi ddc clk: Fix size of m divider
	scsi: acornscsi: Fix an error handling path in acornscsi_probe()
	x86/idt: Keep spurious entries unset in system_vectors
	net/filter: Permit reading NET in load_bytes_relative when MAC not set
	xdp: Fix xsk_generic_xmit errno
	usb/xhci-plat: Set PM runtime as active on resume
	usb: host: ehci-platform: add a quirk to avoid stuck
	usb/ehci-platform: Set PM runtime as active on resume
	perf report: Fix NULL pointer dereference in hists__fprintf_nr_sample_events()
	ext4: stop overwrite the errcode in ext4_setup_super
	bcache: fix potential deadlock problem in btree_gc_coalesce
	afs: Fix non-setting of mtime when writing into mmap
	afs: afs_write_end() should change i_size under the right lock
	block: Fix use-after-free in blkdev_get()
	arm64: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints
	libata: Use per port sync for detach
	drm: encoder_slave: fix refcouting error for modules
	drm/dp_mst: Reformat drm_dp_check_act_status() a bit
	drm/qxl: Use correct notify port address when creating cursor ring
	drm/amdgpu: Replace invalid device ID with a valid device ID
	selinux: fix double free
	ext4: fix partial cluster initialization when splitting extent
	ext4: avoid race conditions when remounting with options that change dax
	drm/dp_mst: Increase ACT retry timeout to 3s
	x86/boot/compressed: Relax sed symbol type regex for LLVM ld.lld
	block: nr_sects_write(): Disable preemption on seqcount write
	mtd: rawnand: Pass a nand_chip object to nand_scan()
	mtd: rawnand: Pass a nand_chip object to nand_release()
	mtd: rawnand: diskonchip: Fix the probe error path
	mtd: rawnand: sharpsl: Fix the probe error path
	mtd: rawnand: xway: Fix the probe error path
	mtd: rawnand: orion: Fix the probe error path
	mtd: rawnand: oxnas: Add of_node_put()
	mtd: rawnand: oxnas: Fix the probe error path
	mtd: rawnand: socrates: Fix the probe error path
	mtd: rawnand: plat_nand: Fix the probe error path
	mtd: rawnand: mtk: Fix the probe error path
	mtd: rawnand: tmio: Fix the probe error path
	s390: fix syscall_get_error for compat processes
	drm/i915: Whitelist context-local timestamp in the gen9 cmdparser
	drm/i915/icl+: Fix hotplug interrupt disabling after storm detection
	crypto: algif_skcipher - Cap recv SG list at ctx->used
	crypto: algboss - don't wait during notifier callback
	kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex
	e1000e: Do not wake up the system via WOL if device wakeup is disabled
	net: octeon: mgmt: Repair filling of RX ring
	kretprobe: Prevent triggering kretprobe from within kprobe_flush_task
	sched/rt, net: Use CONFIG_PREEMPTION.patch
	net: core: device_rename: Use rwsem instead of a seqcount
	Revert "dpaa_eth: fix usage as DSA master, try 3"
	md: add feature flag MD_FEATURE_RAID0_LAYOUT
	kvm: x86: Move kvm_set_mmio_spte_mask() from x86.c to mmu.c
	kvm: x86: Fix reserved bits related calculation errors caused by MKTME
	KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated
	Linux 4.19.130

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8fff23470852b747c3d75461b45f9d77460062d3
2020-06-27 09:50:13 +02:00
29d1d0c724 net: core: device_rename: Use rwsem instead of a seqcount
[ Upstream commit 11d6011c2cf29f7c8181ebde6c8bc0c4d83adcd7 ]

Sequence counters write paths are critical sections that must never be
preempted, and blocking, even for CONFIG_PREEMPTION=n, is not allowed.

Commit 5dbe7c178d ("net: fix kernel deadlock with interface rename and
netdev name retrieval.") handled a deadlock, observed with
CONFIG_PREEMPTION=n, where the devnet_rename seqcount read side was
infinitely spinning: it got scheduled after the seqcount write side
blocked inside its own critical section.

To fix that deadlock, among other issues, the commit added a
cond_resched() inside the read side section. While this will get the
non-preemptible kernel eventually unstuck, the seqcount reader is fully
exhausting its slice just spinning -- until TIF_NEED_RESCHED is set.

The fix is also still broken: if the seqcount reader belongs to a
real-time scheduling policy, it can spin forever and the kernel will
livelock.

Disabling preemption over the seqcount write side critical section will
not work: inside it are a number of GFP_KERNEL allocations and mutex
locking through the drivers/base/ :: device_rename() call chain.

>From all the above, replace the seqcount with a rwsem.

Fixes: 5dbe7c178d (net: fix kernel deadlock with interface rename and netdev name retrieval.)
Fixes: 30e6c9fa93 (net: devnet_rename_seq should be a seqcount)
Fixes: c91f6df2db (sockopt: Change getsockopt() of SO_BINDTODEVICE to return an interface name)
Cc: <stable@vger.kernel.org>
Reported-by: kbuild test robot <lkp@intel.com> [ v1 missing up_read() on error exit ]
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> [ v1 missing up_read() on error exit ]
Signed-off-by: Ahmed S. Darwish <a.darwish@linutronix.de>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-06-25 15:33:10 +02:00
b855db2a12 sched/rt, net: Use CONFIG_PREEMPTION.patch
[ Upstream commit 2da2b32fd9346009e9acdb68c570ca8d3966aba7 ]

CONFIG_PREEMPTION is selected by CONFIG_PREEMPT and by CONFIG_PREEMPT_RT.
Both PREEMPT and PREEMPT_RT require the same functionality which today
depends on CONFIG_PREEMPT.

Update the comment to use CONFIG_PREEMPTION.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: David S. Miller <davem@davemloft.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: netdev@vger.kernel.org
Link: https://lore.kernel.org/r/20191015191821.11479-22-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-06-25 15:33:10 +02:00
beb44e8562 Merge 4.19.126 into android-4.19-stable
Changes in 4.19.126
	ax25: fix setsockopt(SO_BINDTODEVICE)
	dpaa_eth: fix usage as DSA master, try 3
	net: dsa: mt7530: fix roaming from DSA user ports
	__netif_receive_skb_core: pass skb by reference
	net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
	net: ipip: fix wrong address family in init error path
	net/mlx5: Add command entry handling completion
	net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
	net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
	net sched: fix reporting the first-time use timestamp
	r8152: support additional Microsoft Surface Ethernet Adapter variant
	sctp: Don't add the shutdown timer if its already been added
	sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
	net/mlx5e: Update netdev txq on completions during closure
	net/mlx5: Annotate mutex destroy for root ns
	net: sun: fix missing release regions in cas_init_one().
	net/mlx4_core: fix a memory leak bug.
	mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
	ARM: dts: rockchip: fix phy nodename for rk3228-evb
	arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
	arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
	ARM: dts: rockchip: swap clock-names of gpu nodes
	ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
	gpio: tegra: mask GPIO IRQs during IRQ shutdown
	ALSA: usb-audio: add mapping for ASRock TRX40 Creator
	net: microchip: encx24j600: add missed kthread_stop
	gfs2: move privileged user check to gfs2_quota_lock_check
	cachefiles: Fix race between read_waiter and read_copier involving op->to_do
	usb: dwc3: pci: Enable extcon driver for Intel Merrifield
	usb: gadget: legacy: fix redundant initialization warnings
	net: freescale: select CONFIG_FIXED_PHY where needed
	IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
	riscv: stacktrace: Fix undefined reference to `walk_stackframe'
	cifs: Fix null pointer check in cifs_read
	samples: bpf: Fix build error
	Input: usbtouchscreen - add support for BonXeon TP
	Input: evdev - call input_flush_device() on release(), not flush()
	Input: xpad - add custom init packet for Xbox One S controllers
	Input: dlink-dir685-touchkeys - fix a typo in driver name
	Input: i8042 - add ThinkPad S230u to i8042 reset list
	Input: synaptics-rmi4 - really fix attn_data use-after-free
	Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
	ARM: 8970/1: decompressor: increase tag size
	ARM: 8843/1: use unified assembler in headers
	ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
	ARM: uaccess: integrate uaccess_save and uaccess_restore
	ARM: uaccess: fix DACR mismatch with nested exceptions
	gpio: exar: Fix bad handling for ida_simple_get error path
	IB/qib: Call kobject_put() when kobject_init_and_add() fails
	ARM: dts/imx6q-bx50v3: Set display interface clock parents
	ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
	ARM: dts: bcm: HR2: Fix PPI interrupt types
	mmc: block: Fix use-after-free issue for rpmb
	RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
	ALSA: hwdep: fix a left shifting 1 by 31 UB bug
	ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround
	ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
	exec: Always set cap_ambient in cap_bprm_set_creds
	ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
	ALSA: hda/realtek - Add new codec supported for ALC287
	libceph: ignore pool overlay and cache logic on redirects
	IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
	mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
	fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
	include/asm-generic/topology.h: guard cpumask_of_node() macro argument
	iommu: Fix reference count leak in iommu_group_alloc.
	parisc: Fix kernel panic in mem_init()
	mmc: core: Fix recursive locking issue in CQE recovery path
	RDMA/core: Fix double destruction of uobject
	mac80211: mesh: fix discovery timer re-arming issue / crash
	x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
	copy_xstate_to_kernel(): don't leave parts of destination uninitialized
	xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
	xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
	xfrm interface: fix oops when deleting a x-netns interface
	xfrm: fix a warning in xfrm_policy_insert_list
	xfrm: fix a NULL-ptr deref in xfrm_local_error
	xfrm: fix error in comment
	vti4: eliminated some duplicate code.
	ip_vti: receive ipip packet by calling ip_tunnel_rcv
	netfilter: nft_reject_bridge: enable reject with bridge vlan
	netfilter: ipset: Fix subcounter update skip
	netfilter: nfnetlink_cthelper: unbreak userspace helper support
	netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
	esp6: get the right proto for transport mode in esp6_gso_encap
	bnxt_en: Fix accumulation of bp->net_stats_prev.
	xsk: Add overflow check for u64 division, stored into u32
	qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
	crypto: chelsio/chtls: properly set tp->lsndtime
	bonding: Fix reference count leak in bond_sysfs_slave_add.
	netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
	mm/vmalloc.c: don't dereference possible NULL pointer in __vunmap()
	Linux 4.19.126

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic7ffeb4cbc4d3f1b49c60d97a5d113fcad1d098a
2020-06-03 09:23:15 +02:00
96b2f1c0b0 __netif_receive_skb_core: pass skb by reference
[ Upstream commit c0bbbdc32febd4f034ecbf3ea17865785b2c0652 ]

__netif_receive_skb_core may change the skb pointer passed into it (e.g.
in rx_handler). The original skb may be freed as a result of this
operation.

The callers of __netif_receive_skb_core may further process original skb
by using pt_prev pointer returned by __netif_receive_skb_core thus
leading to unpleasant effects.

The solution is to pass skb by reference into __netif_receive_skb_core.

v2: Added Fixes tag and comment regarding ppt_prev and skb invariant.

Fixes: 88eb1944e1 ("net: core: propagate SKB lists through packet_type lookup")
Signed-off-by: Boris Sukholitko <boris.sukholitko@broadcom.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-03 08:19:05 +02:00
91d4544b24 Merge 4.19.124 into android-4.19-stable
Changes in 4.19.124
	net: dsa: Do not make user port errors fatal
	shmem: fix possible deadlocks on shmlock_user_lock
	net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()'
	net: moxa: Fix a potential double 'free_irq()'
	drop_monitor: work around gcc-10 stringop-overflow warning
	virtio-blk: handle block_device_operations callbacks after hot unplug
	scsi: sg: add sg_remove_request in sg_write
	mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040
	net: fix a potential recursive NETDEV_FEAT_CHANGE
	netlabel: cope with NULL catmap
	net: phy: fix aneg restart in phy_ethtool_set_eee
	pppoe: only process PADT targeted at local interfaces
	Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu"
	tcp: fix error recovery in tcp_zerocopy_receive()
	virtio_net: fix lockdep warning on 32 bit
	hinic: fix a bug of ndo_stop
	net: dsa: loop: Add module soft dependency
	net: ipv4: really enforce backoff for redirects
	netprio_cgroup: Fix unlimited memory leak of v2 cgroups
	net: tcp: fix rx timestamp behavior for tcp_recvmsg
	tcp: fix SO_RCVLOWAT hangs with fat skbs
	riscv: fix vdso build with lld
	dmaengine: pch_dma.c: Avoid data race between probe and irq handler
	dmaengine: mmp_tdma: Reset channel error on release
	cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once
	ALSA: hda/hdmi: fix race in monitor detection during probe
	drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper()
	ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
	ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse
	gfs2: Another gfs2_walk_metadata fix
	pinctrl: baytrail: Enable pin configuration setting for GPIO chip
	pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler
	i40iw: Fix error handling in i40iw_manage_arp_cache()
	mmc: core: Check request type before completing the request
	mmc: block: Fix request completion in the CQE timeout path
	NFS: Fix fscache super_cookie index_key from changing after umount
	nfs: fscache: use timespec64 in inode auxdata
	NFSv4: Fix fscache cookie aux_data to ensure change_attr is included
	netfilter: conntrack: avoid gcc-10 zero-length-bounds warning
	arm64: fix the flush_icache_range arguments in machine_kexec
	netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
	IB/mlx4: Test return value of calls to ib_get_cached_pkey
	hwmon: (da9052) Synchronize access with mfd
	pnp: Use list_for_each_entry() instead of open coding
	gcc-10 warnings: fix low-hanging fruit
	kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig
	Stop the ad-hoc games with -Wno-maybe-initialized
	gcc-10: disable 'zero-length-bounds' warning for now
	gcc-10: disable 'array-bounds' warning for now
	gcc-10: disable 'stringop-overflow' warning for now
	gcc-10: disable 'restrict' warning for now
	gcc-10: avoid shadowing standard library 'free()' in crypto
	ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
	ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
	ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset
	usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B
	usb: host: xhci-plat: keep runtime active when removing host
	USB: gadget: fix illegal array access in binding with UDC
	usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
	ARM: dts: dra7: Fix bus_dma_limit for PCIe
	ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
	cifs: fix leaked reference on requeued write
	x86: Fix early boot crash on gcc-10, third try
	x86/unwind/orc: Fix error handling in __unwind_start()
	exec: Move would_dump into flush_old_exec
	clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks
	dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg()
	usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()'
	usb: gadget: audio: Fix a missing error return value in audio_bind()
	usb: gadget: legacy: fix error return code in gncm_bind()
	usb: gadget: legacy: fix error return code in cdc_bind()
	Revert "ALSA: hda/realtek: Fix pop noise on ALC225"
	clk: Unlink clock if failed to prepare or enable
	arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328 boards
	arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy
	ARM: dts: r8a73a4: Add missing CMT1 interrupts
	arm64: dts: renesas: r8a77980: Fix IPMMU VIP[01] nodes
	ARM: dts: r8a7740: Add missing extal2 to CPG node
	KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce
	Makefile: disallow data races on gcc-10 as well
	Linux 4.19.124

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3d253f677cc08337e64d316005a0ec0c33717940
2020-05-20 11:37:46 +02:00
2ef834fec2 net: fix a potential recursive NETDEV_FEAT_CHANGE
[ Upstream commit dd912306ff008891c82cd9f63e8181e47a9cb2fb ]

syzbot managed to trigger a recursive NETDEV_FEAT_CHANGE event
between bonding master and slave. I managed to find a reproducer
for this:

  ip li set bond0 up
  ifenslave bond0 eth0
  brctl addbr br0
  ethtool -K eth0 lro off
  brctl addif br0 bond0
  ip li set br0 up

When a NETDEV_FEAT_CHANGE event is triggered on a bonding slave,
it captures this and calls bond_compute_features() to fixup its
master's and other slaves' features. However, when syncing with
its lower devices by netdev_sync_lower_features() this event is
triggered again on slaves when the LRO feature fails to change,
so it goes back and forth recursively until the kernel stack is
exhausted.

Commit 17b85d29e8 intentionally lets __netdev_update_features()
return -1 for such a failure case, so we have to just rely on
the existing check inside netdev_sync_lower_features() and skip
NETDEV_FEAT_CHANGE event only for this specific failure case.

Fixes: fd867d51f8 ("net/core: generic support for disabling netdev features down stack")
Reported-by: syzbot+e73ceacfd8560cc8a3ca@syzkaller.appspotmail.com
Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com
Cc: Jarod Wilson <jarod@redhat.com>
Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Jann Horn <jannh@google.com>
Reviewed-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-20 08:18:35 +02:00
fd8a9d61cf Merge 4.19.117 into android-4.19
Changes in 4.19.117
	amd-xgbe: Use __napi_schedule() in BH context
	hsr: check protocol version in hsr_newlink()
	net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin
	net: ipv6: do not consider routes via gateways for anycast address check
	net: qrtr: send msgs from local of same id as broadcast
	net: revert default NAPI poll timeout to 2 jiffies
	net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes
	net: dsa: mt7530: fix tagged frames pass-through in VLAN-unaware mode
	ovl: fix value of i_ino for lower hardlink corner case
	scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic
	jbd2: improve comments about freeing data buffers whose page mapping is NULL
	pwm: pca9685: Fix PWM/GPIO inter-operation
	ext4: fix incorrect group count in ext4_fill_super error message
	ext4: fix incorrect inodes per group in error message
	ASoC: Intel: mrfld: fix incorrect check on p->sink
	ASoC: Intel: mrfld: return error codes when an error occurs
	ALSA: usb-audio: Filter error from connector kctl ops, too
	ALSA: usb-audio: Don't override ignore_ctl_error value from the map
	ALSA: usb-audio: Don't create jack controls for PCM terminals
	ALSA: usb-audio: Check mapping at creating connector controls, too
	keys: Fix proc_keys_next to increase position index
	tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation
	btrfs: check commit root generation in should_ignore_root
	mac80211_hwsim: Use kstrndup() in place of kasprintf()
	usb: dwc3: gadget: don't enable interrupt when disabling endpoint
	usb: dwc3: gadget: Don't clear flags before transfer ended
	drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is enabled
	ext4: do not zeroout extents beyond i_disksize
	kvm: x86: Host feature SSBD doesn't imply guest feature SPEC_CTRL_SSBD
	scsi: target: remove boilerplate code
	scsi: target: fix hang when multiple threads try to destroy the same iscsi session
	x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE
	x86/resctrl: Preserve CDP enable over CPU hotplug
	x86/resctrl: Fix invalid attempt at removing the default resource group
	wil6210: check rx_buff_mgmt before accessing it
	wil6210: ignore HALP ICR if already handled
	wil6210: add general initialization/size checks
	wil6210: make sure Rx ring sizes are correlated
	wil6210: remove reset file from debugfs
	mm/vmalloc.c: move 'area->pages' after if statement
	Linux 4.19.117

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib4ab9aa34c22c034887be15902a625ecc5622b35
2020-04-21 10:20:12 +02:00
f7379c0050 net: revert default NAPI poll timeout to 2 jiffies
[ Upstream commit a4837980fd9fa4c70a821d11831698901baef56b ]

For HZ < 1000 timeout 2000us rounds up to 1 jiffy but expires randomly
because next timer interrupt could come shortly after starting softirq.

For commonly used CONFIG_HZ=1000 nothing changes.

Fixes: 7acf8a1e8a ("Replace 2 jiffies with sysctl netdev_budget_usecs to enable softirq tuning")
Reported-by: Dmitry Yakunin <zeil@yandex-team.ru>
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-21 09:03:04 +02:00
2d2af525a7 Merge 4.19.115 into android-4.19
Changes in 4.19.115
	ipv4: fix a RCU-list lock in fib_triestat_seq_show
	net, ip_tunnel: fix interface lookup with no key
	sctp: fix refcount bug in sctp_wfree
	sctp: fix possibly using a bad saddr with a given dst
	nvme-rdma: Avoid double freeing of async event data
	drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017
	drm/bochs: downgrade pci_request_region failure from error to warning
	initramfs: restore default compression behavior
	drm/amdgpu: fix typo for vcn1 idle check
	tools/power turbostat: Fix gcc build warnings
	tools/power turbostat: Fix missing SYS_LPI counter on some Chromebooks
	drm/etnaviv: replace MMU flush marker with flush sequence
	media: rc: IR signal for Panasonic air conditioner too long
	misc: rtsx: set correct pcr_ops for rts522A
	misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices
	misc: pci_endpoint_test: Avoid using module parameter to determine irqtype
	coresight: do not use the BIT() macro in the UAPI header
	mei: me: add cedar fork device ids
	extcon: axp288: Add wakeup support
	power: supply: axp288_charger: Add special handling for HP Pavilion x2 10
	ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard
	rxrpc: Fix sendmsg(MSG_WAITALL) handling
	net: Fix Tx hash bound checking
	padata: always acquire cpu_hotplug_lock before pinst->lock
	bitops: protect variables in set_mask_bits() macro
	include/linux/notifier.h: SRCU: fix ctags
	mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
	ipv6: don't auto-add link-local address to lag ports
	net: dsa: bcm_sf2: Do not register slave MDIO bus with OF
	net: dsa: bcm_sf2: Ensure correct sub-node is parsed
	net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers
	net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting
	slcan: Don't transmit uninitialized stack data in padding
	mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE
	random: always use batched entropy for get_random_u{32,64}
	usb: dwc3: gadget: Wrap around when skip TRBs
	tools/accounting/getdelays.c: fix netlink attribute length
	hwrng: imx-rngc - fix an error path
	ASoC: jz4740-i2s: Fix divider written at incorrect offset in register
	IB/hfi1: Call kobject_put() when kobject_init_and_add() fails
	IB/hfi1: Fix memory leaks in sysfs registration and unregistration
	ceph: remove the extra slashes in the server path
	ceph: canonicalize server path in place
	RDMA/ucma: Put a lock around every call to the rdma_cm layer
	RDMA/cma: Teach lockdep about the order of rtnl and lock
	Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
	RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow
	fbcon: fix null-ptr-deref in fbcon_switch
	clk: qcom: rcg: Return failure for RCG update
	drm/msm: stop abusing dma_map/unmap for cache
	arm64: Fix size of __early_cpu_boot_status
	rpmsg: glink: Remove chunk size word align warning
	usb: dwc3: don't set gadget->is_otg flag
	drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read()
	drm/msm: Use the correct dma_sync calls in msm_gem
	Linux 4.19.115

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Idc17d8aa387491167efc60df0a9764b82e4344da
2020-04-13 13:09:17 +02:00
b1cb7f2bc9 net: Fix Tx hash bound checking
commit 6e11d1578fba8d09d03a286740ffcf336d53928c upstream.

Fixes the lower and upper bounds when there are multiple TCs and
traffic is on the the same TC on the same device.

The lower bound is represented by 'qoffset' and the upper limit for
hash value is 'qcount + qoffset'. This gives a clean Rx to Tx queue
mapping when there are multiple TCs, as the queue indices for upper TCs
will be offset by 'qoffset'.

v2: Fixed commit description based on comments.

Fixes: 1b837d489e ("net: Revoke export for __skb_tx_hash, update it to just be static skb_tx_hash")
Fixes: eadec877ce ("net: Add support for subordinate traffic classes to netdev_pick_tx")
Signed-off-by: Amritha Nambiar <amritha.nambiar@intel.com>
Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-13 10:45:05 +02:00
8ba14953de ANDROID: GKI: net: Add the get current NAPI context API
Commit 69235aa80090 ("net: Remove the get current NAPI context API")
removed the definition of get_current_napi_context() as rmnet_data
was no longer using it. However, the rmnet_data change to use its
NAPI in multiple contexts was prone to race in hotplug scenarios.

Add back get_current_napi_context() and current_napi to the
softnet_data struct.

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
(cherry picked from commit 05b3252cf566eb04c7c5484c912ae6f8f9fb1dd5)
[surenb cherry-picked from
05b3252cf566 net: Add the get current NAPI context API
to fix ABI diffs caused by get_current_napi_context function]

Bug: 151108843
Test: build
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I4d5b81c734e4a5daa2fae3cb7d6538821d46ff64
Merged-In: I4d5b81c734e4a5daa2fae3cb7d6538821d46ff64
2020-04-02 23:22:33 +00:00
ce754a3149 core: Don't skip generic XDP program execution for cloned SKBs
[ Upstream commit ad1e03b2b3d4430baaa109b77bc308dc73050de3 ]

The current generic XDP handler skips execution of XDP programs entirely if
an SKB is marked as cloned. This leads to some surprising behaviour, as
packets can end up being cloned in various ways, which will make an XDP
program not see all the traffic on an interface.

This was discovered by a simple test case where an XDP program that always
returns XDP_DROP is installed on a veth device. When combining this with
the Scapy packet sniffer (which uses an AF_PACKET) socket on the sending
side, SKBs reliably end up in the cloned state, causing them to be passed
through to the receiving interface instead of being dropped. A minimal
reproducer script for this is included below.

This patch fixed the issue by simply triggering the existing linearisation
code for cloned SKBs instead of skipping the XDP program execution. This
behaviour is in line with the behaviour of the native XDP implementation
for the veth driver, which will reallocate and copy the SKB data if the SKB
is marked as shared.

Reproducer Python script (requires BCC and Scapy):

from scapy.all import TCP, IP, Ether, sendp, sniff, AsyncSniffer, Raw, UDP
from bcc import BPF
import time, sys, subprocess, shlex

SKB_MODE = (1 << 1)
DRV_MODE = (1 << 2)
PYTHON=sys.executable

def client():
    time.sleep(2)
    # Sniffing on the sender causes skb_cloned() to be set
    s = AsyncSniffer()
    s.start()

    for p in range(10):
        sendp(Ether(dst="aa:aa:aa:aa:aa:aa", src="cc:cc:cc:cc:cc:cc")/IP()/UDP()/Raw("Test"),
              verbose=False)
        time.sleep(0.1)

    s.stop()
    return 0

def server(mode):
    prog = BPF(text="int dummy_drop(struct xdp_md *ctx) {return XDP_DROP;}")
    func = prog.load_func("dummy_drop", BPF.XDP)
    prog.attach_xdp("a_to_b", func, mode)

    time.sleep(1)

    s = sniff(iface="a_to_b", count=10, timeout=15)
    if len(s):
        print(f"Got {len(s)} packets - should have gotten 0")
        return 1
    else:
        print("Got no packets - as expected")
        return 0

if len(sys.argv) < 2:
    print(f"Usage: {sys.argv[0]} <skb|drv>")
    sys.exit(1)

if sys.argv[1] == "client":
    sys.exit(client())
elif sys.argv[1] == "server":
    mode = SKB_MODE if sys.argv[2] == 'skb' else DRV_MODE
    sys.exit(server(mode))
else:
    try:
        mode = sys.argv[1]
        if mode not in ('skb', 'drv'):
            print(f"Usage: {sys.argv[0]} <skb|drv>")
            sys.exit(1)
        print(f"Running in {mode} mode")

        for cmd in [
                'ip netns add netns_a',
                'ip netns add netns_b',
                'ip -n netns_a link add a_to_b type veth peer name b_to_a netns netns_b',
                # Disable ipv6 to make sure there's no address autoconf traffic
                'ip netns exec netns_a sysctl -qw net.ipv6.conf.a_to_b.disable_ipv6=1',
                'ip netns exec netns_b sysctl -qw net.ipv6.conf.b_to_a.disable_ipv6=1',
                'ip -n netns_a link set dev a_to_b address aa:aa:aa:aa:aa:aa',
                'ip -n netns_b link set dev b_to_a address cc:cc:cc:cc:cc:cc',
                'ip -n netns_a link set dev a_to_b up',
                'ip -n netns_b link set dev b_to_a up']:
            subprocess.check_call(shlex.split(cmd))

        server = subprocess.Popen(shlex.split(f"ip netns exec netns_a {PYTHON} {sys.argv[0]} server {mode}"))
        client = subprocess.Popen(shlex.split(f"ip netns exec netns_b {PYTHON} {sys.argv[0]} client"))

        client.wait()
        server.wait()
        sys.exit(server.returncode)

    finally:
        subprocess.run(shlex.split("ip netns delete netns_a"))
        subprocess.run(shlex.split("ip netns delete netns_b"))

Fixes: d445516966 ("net: xdp: support xdp generic on virtual devices")
Reported-by: Stepan Horacek <shoracek@redhat.com>
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-24 08:34:34 +01:00
b4b0f1fc19 net-sysfs: Fix reference count leak
[ Upstream commit cb626bf566eb4433318d35681286c494f04fedcc ]

Netdev_register_kobject is calling device_initialize. In case of error
reference taken by device_initialize is not given up.

Drivers are supposed to call free_netdev in case of error. In non-error
case the last reference is given up there and device release sequence
is triggered. In error case this reference is kept and the release
sequence is never started.

Fix this by setting reg_state as NETREG_UNREGISTERED if registering
fails.

This is the rootcause for couple of memory leaks reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
  comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
    [<000000002340019b>] device_add+0x882/0x1750
    [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
    [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
    [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
    [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
    [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
    [<00000000984cabb9>] do_syscall_64+0x16f/0x580
    [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000e6ca2d9f>] 0xffffffffffffffff

BUG: memory leak
unreferenced object 0xffff8880668ba588 (size 8):
  comm "kobject_set_nam", pid 286, jiffies 4294725297 (age 9.871s)
  hex dump (first 8 bytes):
    6e 72 30 00 cc be df 2b                          nr0....+
  backtrace:
    [<00000000a322332a>] __kmalloc_track_caller+0x16e/0x290
    [<00000000236fd26b>] kstrdup+0x3e/0x70
    [<00000000dd4a2815>] kstrdup_const+0x3e/0x50
    [<0000000049a377fc>] kvasprintf_const+0x10e/0x160
    [<00000000627fc711>] kobject_set_name_vargs+0x5b/0x140
    [<0000000019eeab06>] dev_set_name+0xc0/0xf0
    [<0000000069cb12bc>] netdev_register_kobject+0xc8/0x320
    [<00000000f2e83732>] register_netdevice+0xa1b/0xf00
    [<000000009e1f57cc>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000009c560784>] tun_chr_ioctl+0x2f/0x40
    [<000000000d759e02>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000351d7c31>] ksys_ioctl+0x99/0xb0
    [<000000008390040a>] __x64_sys_ioctl+0x78/0xb0
    [<0000000052d196b7>] do_syscall_64+0x16f/0x580
    [<0000000019af9236>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000bc384531>] 0xffffffffffffffff

v3 -> v4:
  Set reg_state to NETREG_UNREGISTERED if registering fails

v2 -> v3:
* Replaced BUG_ON with WARN_ON in free_netdev and netdev_release

v1 -> v2:
* Relying on driver calling free_netdev rather than calling
  put_device directly in error path

Reported-by: syzbot+ad8ca40ecd77896d51e2@syzkaller.appspotmail.com
Cc: David Miller <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-29 16:43:17 +01:00
be1a2be7a7 net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
[ Upstream commit d836f5c69d87473ff65c06a6123e5b2cf5e56f5b ]

rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
checks that we apply in do_setlink()

Otherwise malicious users can crash the kernel, for example after
an integer overflow :

BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memset+0x24/0x40 mm/kasan/common.c:108
 memset include/linux/string.h:365 [inline]
 __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
 alloc_skb include/linux/skbuff.h:1049 [inline]
 alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
 sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
 mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
 add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
 add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
 mld_send_cr net/ipv6/mcast.c:1970 [inline]
 mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
 call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 <c3> cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
 default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
 cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
 rest_init+0x23b/0x371 init/main.c:451
 arch_call_rest_init+0xe/0x1b
 start_kernel+0x904/0x943 init/main.c:784
 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
 x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242

The buggy address belongs to the page:
page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Fixes: 61e84623ac ("net: centralize net_device min/max MTU checking")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-29 16:43:16 +01:00
50176c0d22 net: fix bpf_xdp_adjust_head regression for generic-XDP
[ Upstream commit 065af355470519bd184019a93ac579f22b036045 ]

When generic-XDP was moved to a later processing step by commit
458bf2f224f0 ("net: core: support XDP generic on stacked devices.")
a regression was introduced when using bpf_xdp_adjust_head.

The issue is that after this commit the skb->network_header is now
changed prior to calling generic XDP and not after. Thus, if the header
is changed by XDP (via bpf_xdp_adjust_head), then skb->network_header
also need to be updated again.  Fix by calling skb_reset_network_header().

Fixes: 458bf2f224f0 ("net: core: support XDP generic on stacked devices.")
Reported-by: Brandon Cazander <brandon.cazander@multapplied.net>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-27 14:51:03 +01:00
6c350e974c net: core: support XDP generic on stacked devices.
[ Upstream commit 458bf2f224f04a513b0be972f8708e78ee2c986e ]

When a device is stacked like (team, bonding, failsafe or netvsc) the
XDP generic program for the parent device was not called.

Move the call to XDP generic inside __netif_receive_skb_core where
it can be done multiple times for stacked case.

Fixes: d445516966 ("net: xdp: support xdp generic on virtual devices")
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-27 14:50:52 +01:00
a2e065542a net: core: limit nested device depth
[ Upstream commit 5343da4c17429efaa5fb1594ea96aee1a283e694 ]

Current code doesn't limit the number of nested devices.
Nested devices would be handled recursively and this needs huge stack
memory. So, unlimited nested devices could make stack overflow.

This patch adds upper_level and lower_level, they are common variables
and represent maximum lower/upper depth.
When upper/lower device is attached or dettached,
{lower/upper}_level are updated. and if maximum depth is bigger than 8,
attach routine fails and returns -EMLINK.

In addition, this patch converts recursive routine of
netdev_walk_all_{lower/upper} to iterator routine.

Test commands:
    ip link add dummy0 type dummy
    ip link add link dummy0 name vlan1 type vlan id 1
    ip link set vlan1 up

    for i in {2..55}
    do
	    let A=$i-1

	    ip link add vlan$i link vlan$A type vlan id $i
    done
    ip link del dummy0

Splat looks like:
[  155.513226][  T908] BUG: KASAN: use-after-free in __unwind_start+0x71/0x850
[  155.514162][  T908] Write of size 88 at addr ffff8880608a6cc0 by task ip/908
[  155.515048][  T908]
[  155.515333][  T908] CPU: 0 PID: 908 Comm: ip Not tainted 5.4.0-rc3+ #96
[  155.516147][  T908] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  155.517233][  T908] Call Trace:
[  155.517627][  T908]
[  155.517918][  T908] Allocated by task 0:
[  155.518412][  T908] (stack is not available)
[  155.518955][  T908]
[  155.519228][  T908] Freed by task 0:
[  155.519885][  T908] (stack is not available)
[  155.520452][  T908]
[  155.520729][  T908] The buggy address belongs to the object at ffff8880608a6ac0
[  155.520729][  T908]  which belongs to the cache names_cache of size 4096
[  155.522387][  T908] The buggy address is located 512 bytes inside of
[  155.522387][  T908]  4096-byte region [ffff8880608a6ac0, ffff8880608a7ac0)
[  155.523920][  T908] The buggy address belongs to the page:
[  155.524552][  T908] page:ffffea0001822800 refcount:1 mapcount:0 mapping:ffff88806c657cc0 index:0x0 compound_mapcount:0
[  155.525836][  T908] flags: 0x100000000010200(slab|head)
[  155.526445][  T908] raw: 0100000000010200 ffffea0001813808 ffffea0001a26c08 ffff88806c657cc0
[  155.527424][  T908] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[  155.528429][  T908] page dumped because: kasan: bad access detected
[  155.529158][  T908]
[  155.529410][  T908] Memory state around the buggy address:
[  155.530060][  T908]  ffff8880608a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  155.530971][  T908]  ffff8880608a6c00: fb fb fb fb fb f1 f1 f1 f1 00 f2 f2 f2 f3 f3 f3
[  155.531889][  T908] >ffff8880608a6c80: f3 fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  155.532806][  T908]                                            ^
[  155.533509][  T908]  ffff8880608a6d00: fb fb fb fb fb fb fb fb fb f1 f1 f1 f1 00 00 00
[  155.534436][  T908]  ffff8880608a6d80: f2 f3 f3 f3 f3 fb fb fb 00 00 00 00 00 00 00 00
[ ... ]

Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-09 10:19:09 +01:00
d80d67cdaf inet: protect against too small mtu values.
[ Upstream commit 501a90c945103e8627406763dac418f20f3837b2 ]

syzbot was once again able to crash a host by setting a very small mtu
on loopback device.

Let's make inetdev_valid_mtu() available in include/net/ip.h,
and use it in ip_setup_cork(), so that we protect both ip_append_page()
and __ip_append_data()

Also add a READ_ONCE() when the device mtu is read.

Pairs this lockless read with one WRITE_ONCE() in __dev_set_mtu(),
even if other code paths might write over this field.

Add a big comment in include/linux/netdevice.h about dev->mtu
needing READ_ONCE()/WRITE_ONCE() annotations.

Hopefully we will add the missing ones in followup patches.

[1]

refcount_t: saturated; leaking memory.
WARNING: CPU: 0 PID: 9464 at lib/refcount.c:22 refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9464 Comm: syz-executor850 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:221
 __warn.cold+0x2f/0x3e kernel/panic.c:582
 report_bug+0x289/0x300 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 fixup_bug arch/x86/kernel/traps.c:169 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
Code: 06 31 ff 89 de e8 c8 f5 e6 fd 84 db 0f 85 6f ff ff ff e8 7b f4 e6 fd 48 c7 c7 e0 71 4f 88 c6 05 56 a6 a4 06 01 e8 c7 a8 b7 fd <0f> 0b e9 50 ff ff ff e8 5c f4 e6 fd 0f b6 1d 3d a6 a4 06 31 ff 89
RSP: 0018:ffff88809689f550 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815e4336 RDI: ffffed1012d13e9c
RBP: ffff88809689f560 R08: ffff88809c50a3c0 R09: fffffbfff15d31b1
R10: fffffbfff15d31b0 R11: ffffffff8ae98d87 R12: 0000000000000001
R13: 0000000000040100 R14: ffff888099041104 R15: ffff888218d96e40
 refcount_add include/linux/refcount.h:193 [inline]
 skb_set_owner_w+0x2b6/0x410 net/core/sock.c:1999
 sock_wmalloc+0xf1/0x120 net/core/sock.c:2096
 ip_append_page+0x7ef/0x1190 net/ipv4/ip_output.c:1383
 udp_sendpage+0x1c7/0x480 net/ipv4/udp.c:1276
 inet_sendpage+0xdb/0x150 net/ipv4/af_inet.c:821
 kernel_sendpage+0x92/0xf0 net/socket.c:3794
 sock_sendpage+0x8b/0xc0 net/socket.c:936
 pipe_to_sendpage+0x2da/0x3c0 fs/splice.c:458
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636
 splice_from_pipe+0x108/0x170 fs/splice.c:671
 generic_splice_sendpage+0x3c/0x50 fs/splice.c:842
 do_splice_from fs/splice.c:861 [inline]
 direct_splice_actor+0x123/0x190 fs/splice.c:1035
 splice_direct_to_actor+0x3b4/0xa30 fs/splice.c:990
 do_splice_direct+0x1da/0x2a0 fs/splice.c:1078
 do_sendfile+0x597/0xd00 fs/read_write.c:1464
 __do_sys_sendfile64 fs/read_write.c:1525 [inline]
 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
 __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441409
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffb64c4f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441409
RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005
RBP: 0000000000073b8a R08: 0000000000000010 R09: 0000000000000010
R10: 0000000000010001 R11: 0000000000000246 R12: 0000000000402180
R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

Fixes: 1470ddf7f8 ("inet: Remove explicit write references to sk/inet in ip_append_data")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-21 10:57:08 +01:00
f9fca78e6c net: do not abort bulk send on BQL status
[ Upstream commit fe60faa5063822f2d555f4f326c7dd72a60929bf ]

Before calling dev_hard_start_xmit(), upper layers tried
to cook optimal skb list based on BQL budget.

Problem is that GSO packets can end up comsuming more than
the BQL budget.

Breaking the loop is not useful, since requeued packets
are ahead of any packets still in the qdisc.

It is also more expensive, since next TX completion will
push these packets later, while skbs are not in cpu caches.

It is also a behavior difference with TSO packets, that can
break the BQL limit by a large amount.

Note that drivers should use __netdev_tx_sent_queue()
in order to have optimal xmit_more support, and avoid
useless atomic operations as shown in the following patch.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-12-01 09:17:15 +01:00
312de5a09d net: fix generic XDP to handle if eth header was mangled
[ Upstream commit 2972495699320229b55b8e5065a310be5c81485b ]

XDP can modify (and resize) the Ethernet header in the packet.

There is a bug in generic-XDP, because skb->protocol and skb->pkt_type
are setup before reaching (netif_receive_)generic_xdp.

This bug was hit when XDP were popping VLAN headers (changing
eth->h_proto), as skb->protocol still contains VLAN-indication
(ETH_P_8021Q) causing invocation of skb_vlan_untag(skb), which corrupt
the packet (basically popping the VLAN again).

This patch catch if XDP changed eth header in such a way, that SKB
fields needs to be updated.

V2: on request from Song Liu, use ETH_HLEN instead of mac_len,
in __skb_push() as eth_type_trans() use ETH_HLEN in paired skb_pull_inline().

Fixes: d445516966 ("net: xdp: support xdp generic on virtual devices")
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-11-24 08:20:54 +01:00
40400fdd31 netns: fix GFP flags in rtnl_net_notifyid()
[ Upstream commit d4e4fdf9e4a27c87edb79b1478955075be141f67 ]

In rtnl_net_notifyid(), we certainly can't pass a null GFP flag to
rtnl_notify(). A GFP_KERNEL flag would be fine in most circumstances,
but there are a few paths calling rtnl_net_notifyid() from atomic
context or from RCU critical sections. The later also precludes the use
of gfp_any() as it wouldn't detect the RCU case. Also, the nlmsg_new()
call is wrong too, as it uses GFP_KERNEL unconditionally.

Therefore, we need to pass the GFP flags as parameter and propagate it
through function calls until the proper flags can be determined.

In most cases, GFP_KERNEL is fine. The exceptions are:
  * openvswitch: ovs_vport_cmd_get() and ovs_vport_cmd_dump()
    indirectly call rtnl_net_notifyid() from RCU critical section,

  * rtnetlink: rtmsg_ifinfo_build_skb() already receives GFP flags as
    parameter.

Also, in ovs_vport_cmd_build_info(), let's change the GFP flags used
by nlmsg_new(). The function is allowed to sleep, so better make the
flags consistent with the ones used in the following
ovs_vport_cmd_fill_info() call.

Found by code inspection.

Fixes: 9a9634545c ("netns: notify netns id events")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-10 11:27:42 +01:00
88a46756f0 net: Fix null de-reference of device refcount
[ Upstream commit 10cc514f451a0f239aa34f91bc9dc954a9397840 ]

In event of failure during register_netdevice, free_netdev is
invoked immediately. free_netdev assumes that all the netdevice
refcounts have been dropped prior to it being called and as a
result frees and clears out the refcount pointer.

However, this is not necessarily true as some of the operations
in the NETDEV_UNREGISTER notifier handlers queue RCU callbacks for
invocation after a grace period. The IPv4 callback in_dev_rcu_put
tries to access the refcount after free_netdev is called which
leads to a null de-reference-

44837.761523:   <6> Unable to handle kernel paging request at
                    virtual address 0000004a88287000
44837.761651:   <2> pc : in_dev_finish_destroy+0x4c/0xc8
44837.761654:   <2> lr : in_dev_finish_destroy+0x2c/0xc8
44837.762393:   <2> Call trace:
44837.762398:   <2>  in_dev_finish_destroy+0x4c/0xc8
44837.762404:   <2>  in_dev_rcu_put+0x24/0x30
44837.762412:   <2>  rcu_nocb_kthread+0x43c/0x468
44837.762418:   <2>  kthread+0x118/0x128
44837.762424:   <2>  ret_from_fork+0x10/0x1c

Fix this by waiting for the completion of the call_rcu() in
case of register_netdevice errors.

Fixes: 93ee31f14f ("[NET]: Fix free_netdev on register_netdev failure.")
Cc: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-19 09:09:29 +02:00
edb7ad69c4 net: fix ifindex collision during namespace removal
[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ]

Commit aca51397d0 ("netns: Fix arbitrary net_device-s corruptions
on net_ns stop.") introduced a possibility to hit a BUG in case device
is returning back to init_net and two following conditions are met:
1) dev->ifindex value is used in a name of another "dev%d"
   device in init_net.
2) dev->name is used by another device in init_net.

Under real life circumstances this is hard to get. Therefore this has
been present happily for over 10 years. To reproduce:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip netns add ns1
$ ip -n ns1 link add dummy1ns1 type dummy
$ ip -n ns1 link add dummy2ns1 type dummy
$ ip link set enp0s2 netns ns1
$ ip -n ns1 link set enp0s2 name dummy0
[  100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
$ ip link add dev4 type dummy
$ ip -n ns1 a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
$ ip netns del ns1
[  158.717795] default_device_exit: failed to move dummy0 to init_net: -17
[  158.719316] ------------[ cut here ]------------
[  158.720591] kernel BUG at net/core/dev.c:9824!
[  158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
[  158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
[  158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[  158.727508] Workqueue: netns cleanup_net
[  158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[  158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[  158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
[  158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
[  158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
[  158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
[  158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
[  158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
[  158.750638] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[  158.752944] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
[  158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  158.762758] Call Trace:
[  158.763882]  ? dev_change_net_namespace+0xbb0/0xbb0
[  158.766148]  ? devlink_nl_cmd_set_doit+0x520/0x520
[  158.768034]  ? dev_change_net_namespace+0xbb0/0xbb0
[  158.769870]  ops_exit_list.isra.0+0xa8/0x150
[  158.771544]  cleanup_net+0x446/0x8f0
[  158.772945]  ? unregister_pernet_operations+0x4a0/0x4a0
[  158.775294]  process_one_work+0xa1a/0x1740
[  158.776896]  ? pwq_dec_nr_in_flight+0x310/0x310
[  158.779143]  ? do_raw_spin_lock+0x11b/0x280
[  158.780848]  worker_thread+0x9e/0x1060
[  158.782500]  ? process_one_work+0x1740/0x1740
[  158.784454]  kthread+0x31b/0x420
[  158.786082]  ? __kthread_create_on_node+0x3f0/0x3f0
[  158.788286]  ret_from_fork+0x3a/0x50
[  158.789871] ---[ end trace defd6c657c71f936 ]---
[  158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[  158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[  158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
[  158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
[  158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
[  158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
[  158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
[  158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
[  158.829899] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[  158.834923] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
[  158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix this by checking if a device with the same name exists in init_net
and fallback to original code - dev%d to allocate name - in case it does.

This was found using syzkaller.

Fixes: aca51397d0 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-09 17:52:31 +02:00
0276ebf166 jump_label: move 'asm goto' support test to Kconfig
commit e9666d10a5677a494260d60d1fa0b73cc7646eb3 upstream.

Currently, CONFIG_JUMP_LABEL just means "I _want_ to use jump label".

The jump label is controlled by HAVE_JUMP_LABEL, which is defined
like this:

  #if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_JUMP_LABEL)
  # define HAVE_JUMP_LABEL
  #endif

We can improve this by testing 'asm goto' support in Kconfig, then
make JUMP_LABEL depend on CC_HAS_ASM_GOTO.

Ugly #ifdef HAVE_JUMP_LABEL will go away, and CONFIG_JUMP_LABEL will
match to the real kernel capability.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
[nc: Fix trivial conflicts in 4.19
     arch/xtensa/kernel/jump_label.c doesn't exist yet
     Ensured CC_HAVE_ASM_GOTO and HAVE_JUMP_LABEL were sufficiently
     eliminated]
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-04 08:02:34 +02:00