  1. Jun 30, 2020
    • cifs/smb3: Fix data inconsistent when punch hole · fca24eff
      Zhang Xiaoxu authored
      
      [ Upstream commit acc91c2d ]
      
      When punch hole succeeds, we can still read old data from the file:
        # strace -e trace=pread64,fallocate xfs_io -f -c "pread 20 40" \
                 -c "fpunch 20 40" -c"pread 20 40" file
        pread64(3, " version 5.8.0-rc1+"..., 40, 20) = 40
        fallocate(3, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 20, 40) = 0
        pread64(3, " version 5.8.0-rc1+"..., 40, 20) = 40
      
      CIFS implements fallocate(FALLOCATE_FL_PUNCH_HOLE) by sending the SMB
      ioctl(FSCTL_SET_ZERO_DATA) to the server. It just sets the range of the
      remote file to zero, but the local page caches are not updated, so the
      local page caches are inconsistent with the server.
      
      This can also be found by xfstests generic/316.
      
      So, we need to remove the page caches before sending the SMB
      ioctl(FSCTL_SET_ZERO_DATA) to the server.
      
      Fixes: 31742c5a ("enable fallocate punch hole ("fallocate -p") for SMB3")
      Suggested-by: Pavel Shilovsky <pshilov@microsoft.com>
      Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
      Cc: stable@vger.kernel.org # v3.17
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      fca24eff
    • xhci: Poll for U0 after disabling USB2 LPM · 09ec0436
      Kai-Heng Feng authored
      
      [ Upstream commit b3d71abd ]
      
      USB2 devices with LPM enabled may interrupt the system suspend:
      [  932.510475] usb 1-7: usb suspend, wakeup 0
      [  932.510549] hub 1-0:1.0: hub_suspend
      [  932.510581] usb usb1: bus suspend, wakeup 0
      [  932.510590] xhci_hcd 0000:00:14.0: port 9 not suspended
      [  932.510593] xhci_hcd 0000:00:14.0: port 8 not suspended
      ..
      [  932.520323] xhci_hcd 0000:00:14.0: Port change event, 1-7, id 7, portsc: 0x400e03
      ..
      [  932.591405] PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -16
      [  932.591414] PM: dpm_run_callback(): pci_pm_suspend+0x0/0x160 returns -16
      [  932.591418] PM: Device 0000:00:14.0 failed to suspend async: error -16
      
      During system suspend, USB core will let the HC suspend the device if it
      doesn't have remote wakeup enabled and doesn't have any children.
      However, from the log above we can see that the usb 1-7 doesn't get bus
      suspended due to not being in U0. After a while the port finishes the
      U2 -> U0 transition and interrupts the suspend process.
      
      The observation is that after disabling LPM, the port doesn't transition to U0
      immediately and can linger in U2. xHCI spec 4.23.5.2 states that the
      maximum exit latency for USB2 LPM should be BESL + 10us. The BESL for
      the affected device is advertised as 400us, which is still not enough
      based on my testing result.
      
      So let's use the maximum permitted latency, 10000, to poll for U0
      status to solve the issue.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20200624135949.22611-6-mathias.nyman@linux.intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      09ec0436
    • ALSA: usb-audio: Fix OOB access of mixer element list · 137236fc
      Takashi Iwai authored
      
      [ Upstream commit 220345e9 ]
      
      The USB-audio mixer code holds a linked list of usb_mixer_elem_list,
      and several operations are performed for each mixer element.  A few of
      them (snd_usb_mixer_notify_id() and snd_usb_mixer_interrupt_v2())
      assume each mixer element being a usb_mixer_elem_info object that is a
      subclass of usb_mixer_elem_list, cast via container_of() and access its
      members.  This may result in an out-of-bound access when a
      non-standard list element has been added, as spotted by syzkaller
      recently.
      
      This patch adds a new field, is_std_info, in usb_mixer_elem_list to
      indicate that the element is the usb_mixer_elem_info type or not, and
      skip the access to such an element if needed.
      
      Reported-by: <syzbot+fb14314433463ad51625@syzkaller.appspotmail.com>
      Reported-by: <syzbot+2405ca3401e943c538b5@syzkaller.appspotmail.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200624122340.9615-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      137236fc
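
Added example (not part of the commit or of the kernel source): a simplified userspace model of the type confusion described in the commit above, and of the is_std_info guard that prevents it. Only the struct names and is_std_info come from the commit message; the remaining fields, quirk_elem, alloc_size and all helper names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model. Field layout is assumed, not copied from the kernel. */
struct usb_mixer_elem_list {
    struct usb_mixer_elem_list *next_id_elem; /* next element with the same ID */
    unsigned int id;
    bool is_std_info;   /* true only when embedded in usb_mixer_elem_info */
    size_t alloc_size;  /* model-only: size of the enclosing allocation */
};

/* The "standard" element: list head followed by cached control state. */
struct usb_mixer_elem_info {
    struct usb_mixer_elem_list head;
    int cached;
    int cache_val[16];
};

/* Hypothetical non-standard element: same list head, much smaller object. */
struct quirk_elem {
    struct usb_mixer_elem_list head;
    unsigned char state;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_to_info(l) container_of(l, struct usb_mixer_elem_info, head)

static struct usb_mixer_elem_list *new_elem(size_t size, bool std, unsigned int id)
{
    struct usb_mixer_elem_list *l = calloc(1, size); /* head is the first member */
    if (!l)
        abort();
    l->id = id;
    l->is_std_info = std;
    l->alloc_size = size;
    return l;
}

/* Constructed sample: info -> quirk -> info, all registered under ID 5. */
struct usb_mixer_elem_list *build_demo_chain(void)
{
    struct usb_mixer_elem_list *a = new_elem(sizeof(struct usb_mixer_elem_info), true, 5);
    struct usb_mixer_elem_list *q = new_elem(sizeof(struct quirk_elem), false, 5);
    struct usb_mixer_elem_list *b = new_elem(sizeof(struct usb_mixer_elem_info), true, 5);

    list_to_info(a)->cached = 1;
    list_to_info(b)->cached = 1;
    a->next_id_elem = q;
    q->next_id_elem = b;
    return a;
}

/* How many elements an unguarded cast would view as an object larger than
 * what was actually allocated. Computed from sizes only; nothing is read. */
int count_unchecked_overruns(const struct usb_mixer_elem_list *chain)
{
    int n = 0;
    for (; chain; chain = chain->next_id_elem)
        if (sizeof(struct usb_mixer_elem_info) > chain->alloc_size)
            n++;
    return n;
}

/* Guarded traversal: invalidate the cache only on elements that really are
 * usb_mixer_elem_info, skip everything else. Returns elements touched. */
int notify_id_guarded(struct usb_mixer_elem_list *chain)
{
    int invalidated = 0;
    for (struct usb_mixer_elem_list *l = chain; l; l = l->next_id_elem) {
        if (!l->is_std_info)
            continue;
        list_to_info(l)->cached = 0;
        invalidated++;
    }
    return invalidated;
}

void free_chain(struct usb_mixer_elem_list *chain)
{
    while (chain) {
        struct usb_mixer_elem_list *next = chain->next_id_elem;
        free(chain);
        chain = next;
    }
}

int main(void)
{
    struct usb_mixer_elem_list *chain = build_demo_chain();
    printf("casts that would overrun their allocation: %d\n",
           count_unchecked_overruns(chain));
    printf("elements invalidated with the guard: %d\n",
           notify_id_guarded(chain));
    free_chain(chain);
    return 0;
}
```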
    • ALSA: usb-audio: Clean up mixer element list traverse · 17553ecd
      Takashi Iwai authored
      
      [ Upstream commit 8c558076 ]
      
      Introduce a new macro for iterating over mixer element list for
      avoiding the open codes in many places.  Also the open-coded
      container_of() and the forced cast to struct usb_mixer_elem_info are
      replaced with another simple macro, too.
      
      No functional changes but just readability improvement.
      
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      17553ecd
    • ALSA: usb-audio: allow clock source validity interrupts · 98f9e54a
      Daniel Mack authored
      
      [ Upstream commit 191227d9 ]
      
      miniDSP USBStreamer UAC2 devices send clock validity changes with the
      control field set to zero. The current interrupt handler ignores all
      packets if the control field does not match the mixer element's, but
      it really should only do that in case that field is needed to
      distinguish multiple elements with the same ID.
      
      This patch implements a logic that lets notifications packets pass
      if the element ID is unique for a given device.
      
      Signed-off-by: Daniel Mack <daniel@zonque.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      98f9e54a
    • ALSA: usb-audio: uac1: Invalidate ctl on interrupt · 5ac359df
      Julian Scheel authored
      
      [ Upstream commit b2500b58 ]
      
      When an interrupt occurs, the value of at least one of the belonging
      controls should have changed. To make sure they get re-read from device
      on the next read, invalidate the cache. This was correctly implemented
      for uac2 already, but missing for uac1.
      
      Signed-off-by: Julian Scheel <julian@jusst.de>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      5ac359df
    • cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip · f5c6ecaa
      Joakim Tjernlund authored
      
      commit 03894573 upstream.
      
      USB_DEVICE(0x0424, 0x274e) can send data before cdc_acm is ready,
      causing garbage chars on the TTY causing stray input to the shell
      and/or login prompt.
      
      Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
      Cc: stable@vger.kernel.org
      Acked-by: Oliver Neukum <oneukum@suse.com>
      Link: https://lore.kernel.org/r/20200605105418.22263-1-joakim.tjernlund@infinera.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5c6ecaa
    • xhci: Fix enumeration issue when setting max packet size for FS devices. · 08950ca6
      Al Cooper authored
      
      commit a73d9d9c upstream.
      
      Unable to complete the enumeration of a USB TV Tuner device.
      
      Per XHCI spec (4.6.5), the EP state field of the input context shall
      be cleared for a set address command. In the special case of an FS
      device that has "MaxPacketSize0 = 8", the Linux XHCI driver does
      not do this before evaluating the context. With an XHCI controller
      that checks the EP state field for parameter context error this
      causes a problem in cases such as the device getting reset again
      after enumeration.
      
      When that field is cleared, the problem does not occur.
      
      This was found and fixed by Sasi Kumar.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Cooper <alcooperx@gmail.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20200624135949.22611-3-mathias.nyman@linux.intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      08950ca6
    • xhci: Fix incorrect EP_STATE_MASK · 56ee5f30
      Mathias Nyman authored
      
      commit dceea670 upstream.
      
      EP_STATE_MASK should be 0x7 instead of 0xf
      
      xhci spec 6.2.3 shows that the EP state field in the endpoint context data
      structure consists of bits [2:0].
      The old value included a bit from the next field which fortunately is a
      RsvdZ region. So hopefully this hasn't caused too much harm.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20200624135949.22611-2-mathias.nyman@linux.intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      56ee5f30
    • ALSA: usb-audio: add quirk for Denon DCD-1500RE · 571b0abe
      Yick W. Tse authored
      
      commit c9808bbf upstream.
      
      fix error "clock source 41 is not valid, cannot use"
      
      [] New USB device found, idVendor=154e, idProduct=1002, bcdDevice= 1.00
      [] New USB device strings: Mfr=1, Product=2, SerialNumber=0
      [] Product: DCD-1500RE
      [] Manufacturer: D & M Holdings Inc.
      []
      [] clock source 41 is not valid, cannot use
      [] usbcore: registered new interface driver snd-usb-audio
      
      Signed-off-by: Yick W. Tse <y_w_tse@yahoo.com.hk>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/1373857985.210365.1592048406997@mail.yahoo.com
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      571b0abe
    • usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() · e79d2f7c
      Tang Bin authored
      
      commit 44ed240d upstream.
      
      If the function platform_get_irq() fails, the negative value
      returned will not be detected here. So fix error handling in
      exynos_ehci_probe(). And when getting the irq fails, the function
      platform_get_irq() logs an error message, so remove the redundant
      message here.
      
      Fixes: 1bcc5aa8 ("USB: Add initial S5P EHCI driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
      Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
      Link: https://lore.kernel.org/r/20200602114708.28620-1-tangbin@cmss.chinamobile.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e79d2f7c
    • USB: ehci: reopen solution for Synopsys HC bug · 1805eda1
      Longfang Liu authored
      
      commit 1ddcb71a upstream.
      
      A Synopsys USB2.0 core used in Huawei Kunpeng920 SoC has a bug which
      might cause the host controller to not issue ping.
      
      Bug description:
      After indicating an Interrupt on Async Advance, the software uses the
      doorbell mechanism to delete the Next Link queue head of the last
      executed queue head. At this time, the host controller still references
      the removed queue head (the queue head is NULL). The NULL reference causes
      the host controller to lose the USB device.
      
      Solution:
      After deleting the Next Link queue head, when has_synopsys_hc_bug is set
      to 1, the software can write one of the valid queue head addresses to
      the ASYNCLISTADDR register to allow the host controller to get
      the valid queue head. In order to solve that problem, this patch sets
      the flag for Huawei Kunpeng920.
      
      There are detailed instructions and solutions in this patch:
      commit 2f7ac6c1 ("USB: ehci: add workaround for Synopsys HC bug")
      
      Signed-off-by: Longfang Liu <liulongfang@huawei.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      Link: https://lore.kernel.org/r/1591588019-44284-1-git-send-email-liulongfang@huawei.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      1805eda1
    • PCI: Disable MSI for HiSilicon Hip06/Hip07 Root Ports · 5e3d9f68
      Dongdong Liu authored
      
      commit 72f2ff0d upstream.
      
      The PCIe Root Port in Hip06/Hip07 SoCs advertises an MSI capability, but it
      cannot generate MSIs.  It can transfer MSI/MSI-X from downstream devices,
      but does not support MSI/MSI-X itself.
      
      Add a quirk to prevent use of MSI/MSI-X by the Root Port.
      
      [bhelgaas: changelog, sort vendor ID #define, drop device ID #define]
      Signed-off-by: Dongdong Liu <liudongdong3@huawei.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: Gabriele Paoloni <gabriele.paoloni@huawei.com>
      Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e3d9f68
    • usb: add USB_QUIRK_DELAY_INIT for Logitech C922 · e04cbde4
      Tomasz Meresiński authored
      
      commit 5d802192 upstream.
      
      The Logitech C922, just like other Logitech webcams,
      needs the USB_QUIRK_DELAY_INIT or it will randomly
      not respond after device connection
      
      Signed-off-by: Tomasz Meresiński <tomasz@meresinski.eu>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200603203347.7792-1-tomasz@meresinski.eu
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e04cbde4
    • usb: dwc2: Postponed gadget registration to the udc class driver · 736fa346
      Minas Harutyunyan authored
      
      commit 207324a3 upstream.
      
      During dwc2 driver probe, after gadget registration to the udc class
      driver, if any builtin function driver exists it is immediately bound to
      dwc2, and after the host side init (dwc2_hcd_init()) it gets stuck in host mode.
      This patch postpones gadget registration until after host side initialization is done.
      
      Fixes: 117777b2 ("usb: dwc2: Move gadget probe function into platform code")
      Reported-by: kbuild test robot <lkp@intel.com>
      Tested-by: Marek Vasut <marex@denx.de>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
      Link: https://lore.kernel.org/r/f21cb38fecc72a230b86155d94c7e60c9cb66f58.1591690938.git.hminas@synopsys.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      736fa346
    • USB: ohci-sm501: Add missed iounmap() in remove · 2aefbfc6
      Chuhong Yuan authored
      
      commit 07c112fb upstream.
      
      This driver misses calling iounmap() in remove to undo the ioremap()
      called in probe.
      Add the missed call to fix it.
      
      Fixes: f54aab6e ("usb: ohci-sm501 driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      Link: https://lore.kernel.org/r/20200610024844.3628408-1-hslester96@gmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      2aefbfc6
    • mld: fix memory leak in ipv6_mc_destroy_dev() · 7f8a6bbe
      Wang Hai authored
      
      [ Upstream commit ea2fce88 ]
      
      Commit a84d0164 ("mld: fix memory leak in mld_del_delrec()") fixed
      the memory leak of MLD, but missed the ipv6_mc_destroy_dev() path, in
      which mca_sources are leaked after ma_put().
      
      Use ip6_mc_clear_src() to take care of the missing free.
      
      BUG: memory leak
      unreferenced object 0xffff8881113d3180 (size 64):
        comm "syz-executor071", pid 389, jiffies 4294887985 (age 17.943s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 ff 02 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<000000002cbc483c>] kmalloc include/linux/slab.h:555 [inline]
          [<000000002cbc483c>] kzalloc include/linux/slab.h:669 [inline]
          [<000000002cbc483c>] ip6_mc_add1_src net/ipv6/mcast.c:2237 [inline]
          [<000000002cbc483c>] ip6_mc_add_src+0x7f5/0xbb0 net/ipv6/mcast.c:2357
          [<0000000058b8b1ff>] ip6_mc_source+0xe0c/0x1530 net/ipv6/mcast.c:449
          [<000000000bfc4fb5>] do_ipv6_setsockopt.isra.12+0x1b2c/0x3b30 net/ipv6/ipv6_sockglue.c:754
          [<00000000e4e7a722>] ipv6_setsockopt+0xda/0x150 net/ipv6/ipv6_sockglue.c:950
          [<0000000029260d9a>] rawv6_setsockopt+0x45/0x100 net/ipv6/raw.c:1081
          [<000000005c1b46f9>] __sys_setsockopt+0x131/0x210 net/socket.c:2132
          [<000000008491f7db>] __do_sys_setsockopt net/socket.c:2148 [inline]
          [<000000008491f7db>] __se_sys_setsockopt net/socket.c:2145 [inline]
          [<000000008491f7db>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2145
          [<00000000c7bc11c5>] do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295
          [<000000005fb7a3f3>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Fixes: 1666d49e ("mld: do not remove mld souce list info when set link down")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Wang Hai <wanghai38@huawei.com>
      Acked-by: Hangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f8a6bbe
    • net: core: reduce recursion limit value · e1f795de
      Taehee Yoo authored
      
      [ Upstream commit fb7861d1 ]
      
      In the current code, ->ndo_start_xmit() can be executed recursively only
      10 times because of stack memory.
      But, in the case of vxlan, a recursion limit value of 10 results in
      a stack overflow.
      In the current code, nested interfaces are limited to a depth of 8.
      There is no critical reason that the recursion limit value should
      be 10.
      So, it would be good for it to be the same value as the limit on
      nesting interface depth.
      
      Test commands:
          ip link add vxlan10 type vxlan vni 10 dstport 4789 srcport 4789 4789
          ip link set vxlan10 up
          ip a a 192.168.10.1/24 dev vxlan10
          ip n a 192.168.10.2 dev vxlan10 lladdr fc:22:33:44:55:66 nud permanent
      
          for i in {9..0}
          do
              let A=$i+1
              ip link add vxlan$i type vxlan vni $i dstport 4789 srcport 4789 4789
              ip link set vxlan$i up
              ip a a 192.168.$i.1/24 dev vxlan$i
              ip n a 192.168.$i.2 dev vxlan$i lladdr fc:22:33:44:55:66 nud permanent
              bridge fdb add fc:22:33:44:55:66 dev vxlan$A dst 192.168.$i.2 self
          done
          hping3 192.168.10.2 -2 -d 60000
      
      Splat looks like:
      [  103.814237][ T1127] =============================================================================
      [  103.871955][ T1127] BUG kmalloc-2k (Tainted: G    B            ): Padding overwritten. 0x00000000897a2e4f-0x000
      [  103.873187][ T1127] -----------------------------------------------------------------------------
      [  103.873187][ T1127]
      [  103.874252][ T1127] INFO: Slab 0x000000005cccc724 objects=5 used=5 fp=0x0000000000000000 flags=0x10000000001020
      [  103.881323][ T1127] CPU: 3 PID: 1127 Comm: hping3 Tainted: G    B             5.7.0+ #575
      [  103.882131][ T1127] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [  103.883006][ T1127] Call Trace:
      [  103.883324][ T1127]  dump_stack+0x96/0xdb
      [  103.883716][ T1127]  slab_err+0xad/0xd0
      [  103.884106][ T1127]  ? _raw_spin_unlock+0x1f/0x30
      [  103.884620][ T1127]  ? get_partial_node.isra.78+0x140/0x360
      [  103.885214][ T1127]  slab_pad_check.part.53+0xf7/0x160
      [  103.885769][ T1127]  ? pskb_expand_head+0x110/0xe10
      [  103.886316][ T1127]  check_slab+0x97/0xb0
      [  103.886763][ T1127]  alloc_debug_processing+0x84/0x1a0
      [  103.887308][ T1127]  ___slab_alloc+0x5a5/0x630
      [  103.887765][ T1127]  ? pskb_expand_head+0x110/0xe10
      [  103.888265][ T1127]  ? lock_downgrade+0x730/0x730
      [  103.888762][ T1127]  ? pskb_expand_head+0x110/0xe10
      [  103.889244][ T1127]  ? __slab_alloc+0x3e/0x80
      [  103.889675][ T1127]  __slab_alloc+0x3e/0x80
      [  103.890108][ T1127]  __kmalloc_node_track_caller+0xc7/0x420
      [ ... ]
      
      Fixes: 11a766ce ("net: Increase xmit RECURSION_LIMIT to 10.")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1f795de
    • net: Do not clear the sock TX queue in sk_set_socket() · 31394a19
      Tariq Toukan authored
      
      [ Upstream commit 41b14fb8 ]
      
      Clearing the sock TX queue in sk_set_socket() might cause unexpected
      out-of-order transmit when called from sock_orphan(), as outstanding
      packets can pick a different TX queue and bypass the ones already queued.
      
      This is undesired in general. More specifically, it breaks the in-order
      scheduling property guarantee for device-offloaded TLS sockets.
      
      Remove the call to sk_tx_queue_clear() in sk_set_socket(), and add it
      explicitly only where needed.
      
      Fixes: e022f0b4 ("net: Introduce sk_tx_queue_mapping")
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Reviewed-by: Boris Pismenny <borisp@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      31394a19
    • net: Fix the arp error in some cases · c91b5162
      guodeqing authored
      
      [ Upstream commit 5eea3a63 ]
      
      i.e.,
      $ ifconfig eth0 6.6.6.6 netmask 255.255.255.0
      
      $ ip rule add from 6.6.6.6 table 6666
      
      $ ip route add 9.9.9.9 via 6.6.6.6
      
      $ ping -I 6.6.6.6 9.9.9.9
      PING 9.9.9.9 (9.9.9.9) from 6.6.6.6 : 56(84) bytes of data.
      
      3 packets transmitted, 0 received, 100% packet loss, time 2079ms
      
      $ arp
      Address     HWtype  HWaddress           Flags Mask            Iface
      6.6.6.6             (incomplete)                              eth0
      
      The arp request address is wrong. This is because fib_table_lookup in
      fib_check_nh looks up the destination 9.9.9.9 nexthop, and the scope of
      the fib result is RT_SCOPE_LINK; the correct scope is RT_SCOPE_HOST.
      Here I add a check of whether this is RT_TABLE_MAIN to solve this problem.
      
      Fixes: 3bfd8472 ("net: Use passed in table for nexthop lookups")
      Signed-off-by: guodeqing <geffrey.guo@huawei.com>
      Reviewed-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c91b5162
    • sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket · 73ec90cc
      Marcelo Ricardo Leitner authored
      
      [ Upstream commit 471e39df ]
      
      If a socket is set ipv6only, it will still send IPv4 addresses in the
      INIT and INIT_ACK packets. This potentially misleads the peer into using
      them, which then would cause association termination.
      
      The fix is to not add IPv4 addresses to ipv6only sockets.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: Corey Minyard <cminyard@mvista.com>
      Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Tested-by: Corey Minyard <cminyard@mvista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      73ec90cc
    • tcp: grow window for OOO packets only for SACK flows · 363031b3
      Eric Dumazet authored
      
      [ Upstream commit 66205121 ]
      
      Back in 2013, we made a change that broke fast retransmit
      for non SACK flows.
      
      Indeed, for these flows, a sender needs to receive three duplicate
      ACKs before starting fast retransmit. Sending ACKs with a different
      receive window does not count.
      
      Even if enabling SACK is strongly recommended these days,
      there still are some cases where it has to be disabled.
      
      Not increasing the window seems better than having to
      rely on RTO.
      
      After the fix, following packetdrill test gives :
      
      // Initialize connection
          0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
         +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
         +0 bind(3, ..., ...) = 0
         +0 listen(3, 1) = 0
      
         +0 < S 0:0(0) win 32792 <mss 1000,nop,wscale 7>
         +0 > S. 0:0(0) ack 1 <mss 1460,nop,wscale 8>
         +0 < . 1:1(0) ack 1 win 514
      
         +0 accept(3, ..., ...) = 4
      
         +0 < . 1:1001(1000) ack 1 win 514
      // Quick ack
         +0 > . 1:1(0) ack 1001 win 264
      
         +0 < . 2001:3001(1000) ack 1 win 514
      // DUPACK : Normally we should not change the window
         +0 > . 1:1(0) ack 1001 win 264
      
         +0 < . 3001:4001(1000) ack 1 win 514
      // DUPACK : Normally we should not change the window
         +0 > . 1:1(0) ack 1001 win 264
      
         +0 < . 4001:5001(1000) ack 1 win 514
      // DUPACK : Normally we should not change the window
         +0 > . 1:1(0) ack 1001 win 264
      
         +0 < . 1001:2001(1000) ack 1 win 514
      // Hole is repaired.
         +0 > . 1:1(0) ack 5001 win 272
      
      Fixes: 4e4f1fc2 ("tcp: properly increase rcv_ssthresh for ofo packets")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      363031b3
    • ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() · b4a09240
      Taehee Yoo authored
      
      [ Upstream commit dafabb65 ]
      
      In the datapath, the ip6gre_tunnel_lookup() is used and it internally uses
      fallback tunnel device pointer, which is fb_tunnel_dev.
      This pointer variable should be set to NULL when a fb interface is deleted.
      But there is no routine to set fb_tunnel_dev pointer to NULL.
      So, this pointer will still be used after the interface is deleted and
      it eventually results in the use-after-free problem.
      
      Test commands:
          ip netns add A
          ip netns add B
          ip link add eth0 type veth peer name eth1
          ip link set eth0 netns A
          ip link set eth1 netns B
      
          ip netns exec A ip link set lo up
          ip netns exec A ip link set eth0 up
          ip netns exec A ip link add ip6gre1 type ip6gre local fc:0::1 \
      	    remote fc:0::2
          ip netns exec A ip -6 a a fc:100::1/64 dev ip6gre1
          ip netns exec A ip link set ip6gre1 up
          ip netns exec A ip -6 a a fc:0::1/64 dev eth0
          ip netns exec A ip link set ip6gre0 up
      
          ip netns exec B ip link set lo up
          ip netns exec B ip link set eth1 up
          ip netns exec B ip link add ip6gre1 type ip6gre local fc:0::2 \
      	    remote fc:0::1
          ip netns exec B ip -6 a a fc:100::2/64 dev ip6gre1
          ip netns exec B ip link set ip6gre1 up
          ip netns exec B ip -6 a a fc:0::2/64 dev eth1
          ip netns exec B ip link set ip6gre0 up
          ip netns exec A ping fc:100::2 -s 60000 &
          ip netns del B
      
      Splat looks like:
      [   73.087285][    C1] BUG: KASAN: use-after-free in ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
      [   73.088361][    C1] Read of size 4 at addr ffff888040559218 by task ping/1429
      [   73.089317][    C1]
      [   73.089638][    C1] CPU: 1 PID: 1429 Comm: ping Not tainted 5.7.0+ #602
      [   73.090531][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   73.091725][    C1] Call Trace:
      [   73.092160][    C1]  <IRQ>
      [   73.092556][    C1]  dump_stack+0x96/0xdb
      [   73.093122][    C1]  print_address_description.constprop.6+0x2cc/0x450
      [   73.094016][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
      [   73.094894][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
      [   73.095767][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
      [   73.096619][    C1]  kasan_report+0x154/0x190
      [   73.097209][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
      [   73.097989][    C1]  ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
      [   73.098750][    C1]  ? gre_del_protocol+0x60/0x60 [gre]
      [   73.099500][    C1]  gre_rcv+0x1c5/0x1450 [ip6_gre]
      [   73.100199][    C1]  ? ip6gre_header+0xf00/0xf00 [ip6_gre]
      [   73.100985][    C1]  ? rcu_read_lock_sched_held+0xc0/0xc0
      [   73.101830][    C1]  ? ip6_input_finish+0x5/0xf0
      [   73.102483][    C1]  ip6_protocol_deliver_rcu+0xcbb/0x1510
      [   73.103296][    C1]  ip6_input_finish+0x5b/0xf0
      [   73.103920][    C1]  ip6_input+0xcd/0x2c0
      [   73.104473][    C1]  ? ip6_input_finish+0xf0/0xf0
      [   73.105115][    C1]  ? rcu_read_lock_held+0x90/0xa0
      [   73.105783][    C1]  ? rcu_read_lock_sched_held+0xc0/0xc0
      [   73.106548][    C1]  ipv6_rcv+0x1f1/0x300
      [ ... ]
      
      Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      b4a09240
    • tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT · e7589b2b
      Neal Cardwell authored
      
      [ Upstream commit b344579c ]
      
      Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
      Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
      ACK when the minimum rtt of a connection goes down. From inspection it
      is clear from the existing code that this could happen in an example
      like the following:
      
      o The first 8 RTT samples in a round trip are 150ms, resulting in a
        curr_rtt of 150ms and a delay_min of 150ms.
      
      o The 9th RTT sample is 100ms. The curr_rtt does not change after the
        first 8 samples, so curr_rtt remains 150ms. But delay_min can be
        lowered at any time, so delay_min falls to 100ms. The code executes
        the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
        of 100ms, and the curr_rtt is declared far enough above delay_min to
        force a (spurious) exit of Slow start.
      
      The fix here is simple: allow every RTT sample in a round trip to
      lower the curr_rtt.
      
      Fixes: ae27e98a ("[TCP] CUBIC v2.3")
      Reported-by: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
      Signed-off-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7589b2b
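The 150 ms / 100 ms scenario from the commit message above, as an added C model that is not the kernel's code: it runs the same RTT samples through the pre-fix and post-fix ordering of the HYSTART_DELAY check. The struct, the function names and the threshold (delay_min / 8 clamped to 4..16 ms, modelled on the kernel's HYSTART_DELAY_THRESH) are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HYSTART_MIN_SAMPLES 8
/* Assumed threshold bounds, in milliseconds (see lead-in). */
#define DELAY_THRESH_MIN_MS 4u
#define DELAY_THRESH_MAX_MS 16u

struct hystart_state {
    uint32_t delay_min;  /* lowest RTT seen on the connection, ms (0 = unset) */
    uint32_t curr_rtt;   /* lowest RTT recorded for this round, ms (0 = unset) */
    uint32_t sample_cnt; /* samples counted in this round */
    int found;           /* set once the delay check ends slow start */
};

static uint32_t delay_thresh(uint32_t delay_min)
{
    uint32_t t = delay_min >> 3;
    if (t < DELAY_THRESH_MIN_MS) t = DELAY_THRESH_MIN_MS;
    if (t > DELAY_THRESH_MAX_MS) t = DELAY_THRESH_MAX_MS;
    return t;
}

/* delay_min may be lowered by any sample, in both variants. */
static void track_delay_min(struct hystart_state *s, uint32_t rtt)
{
    if (s->delay_min == 0 || rtt < s->delay_min)
        s->delay_min = rtt;
}

/* Pre-fix ordering: curr_rtt is frozen after the first 8 samples. */
static void hystart_update_old(struct hystart_state *s, uint32_t rtt)
{
    track_delay_min(s, rtt);
    if (s->sample_cnt < HYSTART_MIN_SAMPLES) {
        if (s->curr_rtt == 0 || rtt < s->curr_rtt)
            s->curr_rtt = rtt;
        s->sample_cnt++;
    } else if (s->curr_rtt > s->delay_min + delay_thresh(s->delay_min)) {
        s->found = 1;
    }
}

/* Post-fix ordering: every sample in the round may lower curr_rtt. */
static void hystart_update_fixed(struct hystart_state *s, uint32_t rtt)
{
    track_delay_min(s, rtt);
    if (s->curr_rtt == 0 || rtt < s->curr_rtt)
        s->curr_rtt = rtt;
    if (s->sample_cnt < HYSTART_MIN_SAMPLES)
        s->sample_cnt++;
    else if (s->curr_rtt > s->delay_min + delay_thresh(s->delay_min))
        s->found = 1;
}

typedef void (*update_fn)(struct hystart_state *, uint32_t);

/* Feed one round of RTT samples; return the 1-based index of the sample
 * that triggered the slow-start exit, or 0 if none did. */
static size_t run_round(update_fn update, uint32_t initial_delay_min,
                        const uint32_t *rtts, size_t n)
{
    struct hystart_state s = { initial_delay_min, 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        update(&s, rtts[i]);
        if (s.found)
            return i + 1;
    }
    return 0;
}

/* Constructed samples: eight at 150 ms, then a ninth at 100 ms. */
static const uint32_t rtt_drop[9] = { 150, 150, 150, 150, 150, 150, 150, 150, 100 };
/* Constructed samples: a real delay increase over a 100 ms baseline. */
static const uint32_t rtt_queue[9] = { 150, 150, 150, 150, 150, 150, 150, 150, 150 };

int main(void)
{
    printf("min RTT drop, old:   exit at sample %zu\n",
           run_round(hystart_update_old, 0, rtt_drop, 9));
    printf("min RTT drop, fixed: exit at sample %zu\n",
           run_round(hystart_update_fixed, 0, rtt_drop, 9));
    printf("real queueing, fixed: exit at sample %zu\n",
           run_round(hystart_update_fixed, 100, rtt_queue, 9));
    return 0;
}
```

The third run shows that the reordered check still fires when the round's RTT really is above the connection's minimum.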
    • ip_tunnel: fix use-after-free in ip_tunnel_lookup() · aa0405f4
      Taehee Yoo authored
      
      [ Upstream commit ba61539c ]
      
      In the datapath, the ip_tunnel_lookup() is used and it internally uses
      fallback tunnel device pointer, which is fb_tunnel_dev.
      This pointer variable should be set to NULL when a fb interface is deleted.
      But there is no routine to set fb_tunnel_dev pointer to NULL.
      So, this pointer will be still used after interface is deleted and
      it eventually results in the use-after-free problem.
      
      Test commands:
          ip netns add A
          ip netns add B
          ip link add eth0 type veth peer name eth1
          ip link set eth0 netns A
          ip link set eth1 netns B
      
          ip netns exec A ip link set lo up
          ip netns exec A ip link set eth0 up
          ip netns exec A ip link add gre1 type gre local 10.0.0.1 \
      	    remote 10.0.0.2
          ip netns exec A ip link set gre1 up
          ip netns exec A ip a a 10.0.100.1/24 dev gre1
          ip netns exec A ip a a 10.0.0.1/24 dev eth0
      
          ip netns exec B ip link set lo up
          ip netns exec B ip link set eth1 up
          ip netns exec B ip link add gre1 type gre local 10.0.0.2 \
      	    remote 10.0.0.1
          ip netns exec B ip link set gre1 up
          ip netns exec B ip a a 10.0.100.2/24 dev gre1
          ip netns exec B ip a a 10.0.0.2/24 dev eth1
          ip netns exec A hping3 10.0.100.2 -2 --flood -d 60000 &
          ip netns del B
      
      Splat looks like:
      [   77.793450][    C3] ==================================================================
      [   77.794702][    C3] BUG: KASAN: use-after-free in ip_tunnel_lookup+0xcc4/0xf30
      [   77.795573][    C3] Read of size 4 at addr ffff888060bd9c84 by task hping3/2905
      [   77.796398][    C3]
      [   77.796664][    C3] CPU: 3 PID: 2905 Comm: hping3 Not tainted 5.8.0-rc1+ #616
      [   77.797474][    C3] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   77.798453][    C3] Call Trace:
      [   77.798815][    C3]  <IRQ>
      [   77.799142][    C3]  dump_stack+0x9d/0xdb
      [   77.799605][    C3]  print_address_description.constprop.7+0x2cc/0x450
      [   77.800365][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
      [   77.800908][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
      [   77.801517][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
      [   77.802145][    C3]  kasan_report+0x154/0x190
      [   77.802821][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
      [   77.803503][    C3]  ip_tunnel_lookup+0xcc4/0xf30
      [   77.804165][    C3]  __ipgre_rcv+0x1ab/0xaa0 [ip_gre]
      [   77.804862][    C3]  ? rcu_read_lock_sched_held+0xc0/0xc0
      [   77.805621][    C3]  gre_rcv+0x304/0x1910 [ip_gre]
      [   77.806293][    C3]  ? lock_acquire+0x1a9/0x870
      [   77.806925][    C3]  ? gre_rcv+0xfe/0x354 [gre]
      [   77.807559][    C3]  ? erspan_xmit+0x2e60/0x2e60 [ip_gre]
      [   77.808305][    C3]  ? rcu_read_lock_sched_held+0xc0/0xc0
      [   77.809032][    C3]  ? rcu_read_lock_held+0x90/0xa0
      [   77.809713][    C3]  gre_rcv+0x1b8/0x354 [gre]
      [ ... ]
      
      Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
      Fixes: c5441932 ("GRE: Refactor GRE tunneling code.")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa0405f4
    • tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes · c55e6da8
      David Christensen authored
      
      [ Upstream commit 3a2656a2 ]
      
      The driver function tg3_io_error_detected() calls napi_disable twice,
      without an intervening napi_enable, when the number of EEH errors exceeds
      eeh_max_freezes, resulting in an indefinite sleep while holding rtnl_lock.
      
      Add check for pcierr_recovery which skips code already executed for the
      "Frozen" state.
      
      Signed-off-by: David Christensen <drc@linux.vnet.ibm.com>
      Reviewed-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c55e6da8
    • net: usb: ax88179_178a: fix packet alignment padding · 585fe306
      Jeremy Kerr authored
      
      [ Upstream commit e869e7a1 ]
      
      Using an AX88179 device (0b95:1790), I see two bytes of appended data on
      every RX packet. For example, this 48-byte ping, using 0xff as a
      payload byte:
      
        04:20:22.528472 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 2447, seq 1, length 64
      	0x0000:  000a cd35 ea50 000a cd35 ea4f 0800 4500
      	0x0010:  0054 c116 4000 4001 f63e c0a8 0101 c0a8
      	0x0020:  0102 0800 b633 098f 0001 87ea cd5e 0000
      	0x0030:  0000 dcf2 0600 0000 0000 ffff ffff ffff
      	0x0040:  ffff ffff ffff ffff ffff ffff ffff ffff
      	0x0050:  ffff ffff ffff ffff ffff ffff ffff ffff
      	0x0060:  ffff 961f
      
      Those last two bytes - 96 1f - aren't part of the original packet.
      
      In the ax88179 RX path, the usbnet rx_fixup function trims a 2-byte
      'alignment pseudo header' from the start of the packet, and sets the
      length from a per-packet field populated by hardware. It looks like that
      length field *includes* the 2-byte header; the current driver assumes
      that it's excluded.
      
      This change trims the 2-byte alignment header after we've set the packet
      length, so the resulting packet length is correct. While we're moving
      the comment around, this also fixes the spelling of 'pseudo'.
      
      Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      585fe306
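The ordering problem described in the commit message above, as an added C model that is not the driver's code: a length field that already counts the 2-byte alignment header is applied after the header is pulled (pre-fix) and before it (post-fix). `struct pkt_view`, the function names and the receive buffer are constructed for this sketch; only the two stray bytes 96 1f are taken from the capture above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALIGN_HDR_LEN 2

/* Minimal stand-in for an skb: a window onto a receive buffer. */
struct pkt_view {
    const uint8_t *data;
    size_t len;
};

static const struct pkt_view EMPTY_VIEW = { NULL, 0 };

static void view_pull(struct pkt_view *v, size_t n)
{
    v->data += n;
    v->len -= n;
}

/* Pre-fix order: pull the header, then apply the hardware length.
 * hw_len still counts the header, so the view ends 2 bytes too late.
 * The bounds check only keeps this model inside its own buffer. */
static struct pkt_view rx_fixup_old(const uint8_t *buf, size_t buf_len,
                                    size_t hw_len)
{
    struct pkt_view v = { buf, buf_len };
    if (buf_len < ALIGN_HDR_LEN || hw_len > buf_len - ALIGN_HDR_LEN)
        return EMPTY_VIEW;
    view_pull(&v, ALIGN_HDR_LEN);
    v.len = hw_len;
    return v;
}

/* Post-fix order: apply the hardware length, then pull the header,
 * so the header's 2 bytes are subtracted from the length as well. */
static struct pkt_view rx_fixup_fixed(const uint8_t *buf, size_t buf_len,
                                      size_t hw_len)
{
    struct pkt_view v = { buf, buf_len };
    if (hw_len < ALIGN_HDR_LEN || hw_len > buf_len)
        return EMPTY_VIEW; /* a length shorter than the header is rejected */
    v.len = hw_len;
    view_pull(&v, ALIGN_HDR_LEN);
    return v;
}

/* Constructed frame and receive buffer: header, frame, then two bytes
 * that belong to whatever follows the frame in the buffer. */
#define FRAME_LEN 6
static const uint8_t frame[FRAME_LEN] = { 0xde, 0xad, 0xbe, 0xef, 0xff, 0xff };
static const uint8_t rx_buf[] = {
    0x00, 0x00,                         /* alignment pseudo header */
    0xde, 0xad, 0xbe, 0xef, 0xff, 0xff, /* the frame itself */
    0x96, 0x1f                          /* not part of the frame */
};
/* Length as the commit message describes it: header included. */
#define HW_LEN (ALIGN_HDR_LEN + FRAME_LEN)

int main(void)
{
    struct pkt_view o = rx_fixup_old(rx_buf, sizeof rx_buf, HW_LEN);
    struct pkt_view f = rx_fixup_fixed(rx_buf, sizeof rx_buf, HW_LEN);

    printf("old:   %zu bytes, last two %02x %02x\n",
           o.len, o.data[o.len - 2], o.data[o.len - 1]);
    printf("fixed: %zu bytes, matches frame: %s\n",
           f.len, memcmp(f.data, frame, FRAME_LEN) == 0 ? "yes" : "no");
    return 0;
}
```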
    • net: fix memleak in register_netdevice() · 81f8ebaa
      Yang Yingliang authored
      
      [ Upstream commit 814152a8 ]
      
      I got a memleak report when doing some fuzz test:
      
      unreferenced object 0xffff888112584000 (size 13599):
        comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
        hex dump (first 32 bytes):
          74 61 70 30 00 00 00 00 00 00 00 00 00 00 00 00  tap0............
          00 ee d9 19 81 88 ff ff 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<000000002f60ba65>] __kmalloc_node+0x309/0x3a0
          [<0000000075b211ec>] kvmalloc_node+0x7f/0xc0
          [<00000000d3a97396>] alloc_netdev_mqs+0x76/0xfc0
          [<00000000609c3655>] __tun_chr_ioctl+0x1456/0x3d70
          [<000000001127ca24>] ksys_ioctl+0xe5/0x130
          [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
          [<00000000e1023498>] do_syscall_64+0x56/0xa0
          [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      unreferenced object 0xffff888111845cc0 (size 8):
        comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
        hex dump (first 8 bytes):
          74 61 70 30 00 88 ff ff                          tap0....
        backtrace:
          [<000000004c159777>] kstrdup+0x35/0x70
          [<00000000d8b496ad>] kstrdup_const+0x3d/0x50
          [<00000000494e884a>] kvasprintf_const+0xf1/0x180
          [<0000000097880a2b>] kobject_set_name_vargs+0x56/0x140
          [<000000008fbdfc7b>] dev_set_name+0xab/0xe0
          [<000000005b99e3b4>] netdev_register_kobject+0xc0/0x390
          [<00000000602704fe>] register_netdevice+0xb61/0x1250
          [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
          [<000000001127ca24>] ksys_ioctl+0xe5/0x130
          [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
          [<00000000e1023498>] do_syscall_64+0x56/0xa0
          [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      unreferenced object 0xffff88811886d800 (size 512):
        comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
        hex dump (first 32 bytes):
          00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
          ff ff ff ff ff ff ff ff c0 66 3d a3 ff ff ff ff  .........f=.....
        backtrace:
          [<0000000050315800>] device_add+0x61e/0x1950
          [<0000000021008dfb>] netdev_register_kobject+0x17e/0x390
          [<00000000602704fe>] register_netdevice+0xb61/0x1250
          [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
          [<000000001127ca24>] ksys_ioctl+0xe5/0x130
          [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
          [<00000000e1023498>] do_syscall_64+0x56/0xa0
          [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      If call_netdevice_notifiers() failed, then rollback_registered()
      calls netdev_unregister_kobject() which holds the kobject. The
      reference cannot be put because the netdev won't be added to the todo
      list, so it will lead to a memleak; we need to put the reference to
      avoid the memleak.
      
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      81f8ebaa
    • fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()" · 1a78856e
      Al Viro authored
      
      [ Upstream commit 9d964e1b ]
      
      lost npc in PTRACE_SETREGSET, breaking PTRACE_SETREGS as well
      
      Fixes: cf51e129 "sparc32: fix register window handling in genregs32_[gs]et()"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      1a78856e
    • net: sched: export __netdev_watchdog_up() · ab1276b9
      Valentin Longchamp authored
      
      [ Upstream commit 1a3db27a ]
      
      Since the quiesce/activate rework, __netdev_watchdog_up() is directly
      called in the ucc_geth driver.
      
      Unfortunately, this function is not available for modules and thus
      ucc_geth cannot be built as a module anymore. Fix it by exporting
      __netdev_watchdog_up().
      
      Since the commit introducing the regression was backported to stable
      branches, this one should ideally be as well.
      
      Fixes: 79dde73c ("net/ethernet/freescale: rework quiesce/activate for ucc_geth")
      Signed-off-by: Valentin Longchamp <valentin@longchamp.me>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      ab1276b9
    • l2tp: Allow duplicate session creation with UDP · 387654fc
      Ridge Kennedy authored
      
      commit 0d0d9a38 upstream.
      
      In the past it was possible to create multiple L2TPv3 sessions with the
      same session id as long as the sessions belonged to different tunnels.
      The resulting sessions had issues when used with IP encapsulated tunnels,
      but worked fine with UDP encapsulated ones. Some applications began to
      rely on this behaviour to avoid having to negotiate unique session ids.
      
      Some time ago a change was made to require session ids to be unique across
      all tunnels, breaking the applications making use of this "feature".
      
      This change relaxes the duplicate session id check to allow duplicates
      if both of the colliding sessions belong to UDP encapsulated tunnels.
      
      Fixes: dbdbc73b ("l2tp: fix duplicate session creation")
      Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
      Acked-by: James Chapman <jchapman@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      387654fc
    • scsi: scsi_devinfo: handle non-terminated strings · de4700c2
      Martin Wilck authored
      
      commit ba69ead9 upstream.
      
      devinfo->vendor and devinfo->model aren't necessarily
      zero-terminated.
      
      Fixes: b8018b97 "scsi_devinfo: fixup string compare"
      Signed-off-by: Martin Wilck <mwilck@suse.com>
      Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      de4700c2
    • net: Revert "pkt_sched: fq: use proper locking in fq_dump_stats()" · 1ab4cc9c
      Toke Høiland-Jørgensen authored
      
      This reverts commit 191cf872 which is
      commit 695b4ec0 upstream.
      
      That commit should never have been backported since it relies on a change in
      locking semantics that was introduced in v4.8 and not backported. Because of
      this, the backported commit to sch_fq leads to lockups because of the double
      locking.
      
      Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      1ab4cc9c
    • net: core: device_rename: Use rwsem instead of a seqcount · 602c47fb
      Ahmed S. Darwish authored
      
      [ Upstream commit 11d6011c ]
      
      Sequence counters write paths are critical sections that must never be
      preempted, and blocking, even for CONFIG_PREEMPTION=n, is not allowed.
      
      Commit 5dbe7c17 ("net: fix kernel deadlock with interface rename and
      netdev name retrieval.") handled a deadlock, observed with
      CONFIG_PREEMPTION=n, where the devnet_rename seqcount read side was
      infinitely spinning: it got scheduled after the seqcount write side
      blocked inside its own critical section.
      
      To fix that deadlock, among other issues, the commit added a
      cond_resched() inside the read side section. While this will get the
      non-preemptible kernel eventually unstuck, the seqcount reader is fully
      exhausting its slice just spinning -- until TIF_NEED_RESCHED is set.
      
      The fix is also still broken: if the seqcount reader belongs to a
      real-time scheduling policy, it can spin forever and the kernel will
      livelock.
      
      Disabling preemption over the seqcount write side critical section will
      not work: inside it are a number of GFP_KERNEL allocations and mutex
      locking through the drivers/base/ :: device_rename() call chain.
      
      From all the above, replace the seqcount with a rwsem.
      
      Fixes: 5dbe7c17 (net: fix kernel deadlock with interface rename and netdev name retrieval.)
      Fixes: 30e6c9fa (net: devnet_rename_seq should be a seqcount)
      Fixes: c91f6df2 (sockopt: Change getsockopt() of SO_BINDTODEVICE to return an interface name)
      Cc: <stable@vger.kernel.org>
      Reported-by: kbuild test robot <lkp@intel.com> [ v1 missing up_read() on error exit ]
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com> [ v1 missing up_read() on error exit ]
      Signed-off-by: Ahmed S. Darwish <a.darwish@linutronix.de>
      Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      602c47fb
    • sched/rt, net: Use CONFIG_PREEMPTION.patch · 20f05ba1
      Thomas Gleixner authored
      
      [ Upstream commit 2da2b32f ]
      
      CONFIG_PREEMPTION is selected by CONFIG_PREEMPT and by CONFIG_PREEMPT_RT.
      Both PREEMPT and PREEMPT_RT require the same functionality which today
      depends on CONFIG_PREEMPT.
      
      Update the comment to use CONFIG_PREEMPTION.
      
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: David S. Miller <davem@davemloft.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: netdev@vger.kernel.org
      Link: https://lore.kernel.org/r/20191015191821.11479-22-bigeasy@linutronix.de

      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      20f05ba1
    • e1000e: Do not wake up the system via WOL if device wakeup is disabled · 496fed53
      Chen Yu authored
      
      [ Upstream commit 6bf6be11 ]
      
      Currently the system will be woken up via WOL(Wake On LAN) even if the
      device wakeup ability has been disabled via sysfs:
       cat /sys/devices/pci0000:00/0000:00:1f.6/power/wakeup
       disabled
      
      The system should not be woken up if the user has explicitly
      disabled the wake up ability for this device.
      
      This patch clears the WOL ability of this network device if the
      user has disabled the wake up ability in sysfs.
      
      Fixes: bc7f75fa ("[E1000E]: New pci-express e1000 driver")
      Reported-by: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
      Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: Chen Yu <yu.c.chen@intel.com>
      Tested-by: Aaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      496fed53
    • kretprobe: Prevent triggering kretprobe from within kprobe_flush_task · 7b692b96
      Jiri Olsa authored
      [ Upstream commit 9b38cc70 ]
      
      Ziqian reported lockup when adding retprobe on _raw_spin_lock_irqsave.
      My test was also able to trigger lockdep output:
      
       ============================================
       WARNING: possible recursive locking detected
       5.6.0-rc6+ #6 Not tainted
       --------------------------------------------
       sched-messaging/2767 is trying to acquire lock:
       ffffffff9a492798 (&(kretprobe_table_locks[i].lock)){-.-.}, at: kretprobe_hash_lock+0x52/0xa0
      
       but task is already holding lock:
       ffffffff9a491a18 (&(kretprobe_table_locks[i].lock)){-.-.}, at: kretprobe_trampoline+0x0/0x50
      
       other info that might help us debug this:
        Possible unsafe locking scenario:
      
              CPU0
              ----
         lock(&(kretprobe_table_locks[i].lock));
         lock(&(kretprobe_table_locks[i].lock));
      
        *** DEADLOCK ***
      
        May be due to missing lock nesting notation
      
       1 lock held by sched-messaging/2767:
        #0: ffffffff9a491a18 (&(kretprobe_table_locks[i].lock)){-.-.}, at: kretprobe_trampoline+0x0/0x50
      
       stack backtrace:
       CPU: 3 PID: 2767 Comm: sched-messaging Not tainted 5.6.0-rc6+ #6
       Call Trace:
        dump_stack+0x96/0xe0
        __lock_acquire.cold.57+0x173/0x2b7
        ? native_queued_spin_lock_slowpath+0x42b/0x9e0
        ? lockdep_hardirqs_on+0x590/0x590
        ? __lock_acquire+0xf63/0x4030
        lock_acquire+0x15a/0x3d0
        ? kretprobe_hash_lock+0x52/0xa0
        _raw_spin_lock_irqsave+0x36/0x70
        ? kretprobe_hash_lock+0x52/0xa0
        kretprobe_hash_lock+0x52/0xa0
        trampoline_handler+0xf8/0x940
        ? kprobe_fault_handler+0x380/0x380
        ? find_held_lock+0x3a/0x1c0
        kretprobe_trampoline+0x25/0x50
        ? lock_acquired+0x392/0xbc0
        ? _raw_spin_lock_irqsave+0x50/0x70
        ? __get_valid_kprobe+0x1f0/0x1f0
        ? _raw_spin_unlock_irqrestore+0x3b/0x40
        ? finish_task_switch+0x4b9/0x6d0
        ? __switch_to_asm+0x34/0x70
        ? __switch_to_asm+0x40/0x70
      
      The code within the kretprobe handler checks for probe reentrancy,
      so we won't trigger any _raw_spin_lock_irqsave probe in there.
      
      The problem is in outside kprobe_flush_task, where we call:
      
        kprobe_flush_task
          kretprobe_table_lock
            raw_spin_lock_irqsave
              _raw_spin_lock_irqsave
      
      where _raw_spin_lock_irqsave triggers the kretprobe and installs
      kretprobe_trampoline handler on _raw_spin_lock_irqsave return.
      
      The kretprobe_trampoline handler is then executed with already
      locked kretprobe_table_locks, and first thing it does is to
      lock kretprobe_table_locks ;-) the whole lockup path like:
      
        kprobe_flush_task
          kretprobe_table_lock
            raw_spin_lock_irqsave
              _raw_spin_lock_irqsave ---> probe triggered, kretprobe_trampoline installed
      
              ---> kretprobe_table_locks locked
      
              kretprobe_trampoline
                trampoline_handler
                  kretprobe_hash_lock(current, &head, &flags);  <--- deadlock
      
      Adding kprobe_busy_begin/end helpers that mark code with fake
      probe installed to prevent triggering of another kprobe within
      this code.
      
      Using these helpers in kprobe_flush_task, so the probe recursion
      protection check is hit and the probe is never set to prevent
      above lockup.
      
      Link: http://lkml.kernel.org/r/158927059835.27680.7011202830041561604.stgit@devnote2

      Fixes: ef53d9c5 ("kprobes: improve kretprobe scalability with hashed locking")
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: "Gustavo A . R . Silva" <gustavoars@kernel.org>
      Cc: Anders Roxell <anders.roxell@linaro.org>
      Cc: "Naveen N . Rao" <naveen.n.rao@linux.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Reported-by: "Ziqian SUN (Zamir)" <zsun@redhat.com>
      Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: Jiri Olsa <jolsa@kernel.org>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      7b692b96
    • x86/kprobes: Avoid kretprobe recursion bug · 7f0e8bc7
      Masami Hiramatsu authored
      
      [ Upstream commit b191fa96 ]
      
      Avoid kretprobe recursion loop bug by setting a dummy
      kprobes to current_kprobe per-CPU variable.
      
      This bug has been introduced with the asm-coded trampoline
      code, since previously it used another kprobe for hooking
      the function return placeholder (which only has a nop) and
      trampoline handler was called from that kprobe.
      
      This revives the old lost kprobe again.
      
      With this fix, we don't see deadlock anymore.
      
      And you can see that all inner-called kretprobe are skipped.
      
        event_1                                  235               0
        event_2                                19375           19612
      
      The 1st column is recorded count and the 2nd is missed count.
      Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed)
      (some differences are here because the counter is racy)
      
      Reported-by: Andrea Righi <righi.andrea@gmail.com>
      Tested-by: Andrea Righi <righi.andrea@gmail.com>
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Acked-by: Steven Rostedt <rostedt@goodmis.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Fixes: c9becf58 ("[PATCH] kretprobe: kretprobe-booster")
      Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox

      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      7f0e8bc7
    • powerpc/kprobes: Fixes for kprobe_lookup_name() on BE · 190d2217
      Naveen N. Rao authored
      
      [ Upstream commit 30176466 ]
      
      Fix two issues with kprobes.h on BE which were exposed with the
      optprobes work:
        - one, having to do with a missing include for linux/module.h for
          MODULE_NAME_LEN -- this didn't show up previously since the only
          users of kprobe_lookup_name were in kprobes.c, which included
          linux/module.h through other headers, and
        - two, with a missing const qualifier for a local variable which ends
          up referring a string literal. Again, this is unique to how
          kprobe_lookup_name is being invoked in optprobes.c
      
      Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      190d2217
    • kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex · f637e2c7
      Masami Hiramatsu authored
      [ Upstream commit 1a0aa991 ]
      
      In kprobe_optimizer() kick_kprobe_optimizer() is called
      without kprobe_mutex, but this can race with other caller
      which is protected by kprobe_mutex.
      
      To fix that, expand kprobe_mutex protected area to protect
      kick_kprobe_optimizer() call.
      
      Link: http://lkml.kernel.org/r/158927057586.27680.5036330063955940456.stgit@devnote2

      Fixes: cd7ebe22 ("kprobes: Use text_poke_smp_batch for optimizing")
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: "Gustavo A . R . Silva" <gustavoars@kernel.org>
      Cc: Anders Roxell <anders.roxell@linaro.org>
      Cc: "Naveen N . Rao" <naveen.n.rao@linux.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ziqian SUN <zsun@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      f637e2c7