2020-05-13 10:08:56

by Greg KH

Subject: [PATCH 4.19 00/48] 4.19.123-rc1 review

This is the start of the stable review cycle for the 4.19.123 release.
There are 48 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri, 15 May 2020 09:41:20 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.123-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 4.19.123-rc1

Oleg Nesterov <[email protected]>
ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()

Ivan Delalande <[email protected]>
scripts/decodecode: fix trapping instruction formatting

Josh Poimboeuf <[email protected]>
objtool: Fix stack offset tracking for indirect CFAs

Arnd Bergmann <[email protected]>
netfilter: nf_osf: avoid passing pointer to local var

Guillaume Nault <[email protected]>
netfilter: nat: never update the UDP checksum when it's 0

Josh Poimboeuf <[email protected]>
x86/unwind/orc: Fix premature unwind stoppage due to IRET frames

Josh Poimboeuf <[email protected]>
x86/unwind/orc: Fix error path for bad ORC entry type

Josh Poimboeuf <[email protected]>
x86/unwind/orc: Prevent unwinding before ORC initialization

Miroslav Benes <[email protected]>
x86/unwind/orc: Don't skip the first frame for inactive tasks

Jann Horn <[email protected]>
x86/entry/64: Fix unwind hints in rewind_stack_do_exit()

Josh Poimboeuf <[email protected]>
x86/entry/64: Fix unwind hints in kernel exit path

Josh Poimboeuf <[email protected]>
x86/entry/64: Fix unwind hints in register clearing code

Xiyu Yang <[email protected]>
batman-adv: Fix refcnt leak in batadv_v_ogm_process

Xiyu Yang <[email protected]>
batman-adv: Fix refcnt leak in batadv_store_throughput_override

Xiyu Yang <[email protected]>
batman-adv: Fix refcnt leak in batadv_show_throughput_override

George Spelvin <[email protected]>
batman-adv: fix batadv_nc_random_weight_tq

Sean Christopherson <[email protected]>
KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()'s asm blob

Sean Christopherson <[email protected]>
KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs

Luis Chamberlain <[email protected]>
coredump: fix crash when umh is disabled

Oscar Carter <[email protected]>
staging: gasket: Check the return value of gasket_get_bar_index()

David Hildenbrand <[email protected]>
mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous()

Mark Rutland <[email protected]>
arm64: hugetlb: avoid potential NULL dereference

Marc Zyngier <[email protected]>
KVM: arm64: Fix 32bit PC wrap-around

Marc Zyngier <[email protected]>
KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER

Steven Rostedt (VMware) <[email protected]>
tracing: Add a vmalloc_sync_mappings() for safe measure

Oliver Neukum <[email protected]>
USB: serial: garmin_gps: add sanity checking for data length

Oliver Neukum <[email protected]>
USB: uas: add quirk for LaCie 2Big Quadra

Alan Stern <[email protected]>
HID: usbhid: Fix race between usbhid_close() and usbhid_stop()

Jere Leppänen <[email protected]>
sctp: Fix bundling of SHUTDOWN with COOKIE-ACK

Jason Gerecke <[email protected]>
HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices

Willem de Bruijn <[email protected]>
net: stricter validation of untrusted gso packets

Michael Chan <[email protected]>
bnxt_en: Fix VF anti-spoof filter setup.

Michael Chan <[email protected]>
bnxt_en: Improve AER slot reset.

Moshe Shemesh <[email protected]>
net/mlx5: Fix command entry leak in Internal Error State

Moshe Shemesh <[email protected]>
net/mlx5: Fix forced completion access non initialized command entry

Michael Chan <[email protected]>
bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features().

Tuong Lien <[email protected]>
tipc: fix partial topology connection closure

Eric Dumazet <[email protected]>
sch_sfq: validate silly quantum values

Eric Dumazet <[email protected]>
sch_choke: avoid potential panic in choke_reset()

Matt Jolly <[email protected]>
net: usb: qmi_wwan: add support for DW5816e

Eric Dumazet <[email protected]>
net_sched: sch_skbprio: add message validation to skbprio_change()

Tariq Toukan <[email protected]>
net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()

Scott Dial <[email protected]>
net: macsec: preserve ingress frame ordering

Eric Dumazet <[email protected]>
fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks

Julia Lawall <[email protected]>
dp83640: reverse arguments to list_add_tail

Nicolas Pitre <[email protected]>
vt: fix unicode console freeing with a common interface

Masami Hiramatsu <[email protected]>
tracing/kprobes: Fix a double initialization typo

Matt Jolly <[email protected]>
USB: serial: qcserial: Add DW5816e support


-------------

Diffstat:

Makefile | 4 +-
arch/arm64/kvm/guest.c | 7 ++
arch/arm64/mm/hugetlbpage.c | 2 +
arch/x86/entry/calling.h | 40 +++++------
arch/x86/entry/entry_64.S | 9 +--
arch/x86/include/asm/unwind.h | 2 +-
arch/x86/kernel/unwind_orc.c | 61 ++++++++++++-----
arch/x86/kvm/vmx.c | 91 ++++++++++++++-----------
drivers/hid/usbhid/hid-core.c | 37 +++++++---
drivers/hid/usbhid/usbhid.h | 1 +
drivers/hid/wacom_sys.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 18 +++--
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 -
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 9 +--
drivers/net/ethernet/mellanox/mlx4/main.c | 4 +-
drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 +-
drivers/net/macsec.c | 3 +-
drivers/net/phy/dp83640.c | 2 +-
drivers/net/usb/qmi_wwan.c | 1 +
drivers/staging/gasket/gasket_core.c | 4 ++
drivers/tty/vt/vt.c | 9 ++-
drivers/usb/serial/garmin_gps.c | 4 +-
drivers/usb/serial/qcserial.c | 1 +
drivers/usb/storage/unusual_uas.h | 7 ++
fs/coredump.c | 8 +++
include/linux/virtio_net.h | 26 ++++++-
ipc/mqueue.c | 34 ++++++---
kernel/trace/trace.c | 13 ++++
kernel/trace/trace_kprobe.c | 2 +-
kernel/umh.c | 5 ++
mm/page_alloc.c | 1 +
net/batman-adv/bat_v_ogm.c | 2 +-
net/batman-adv/network-coding.c | 9 +--
net/batman-adv/sysfs.c | 3 +-
net/netfilter/nf_nat_proto_udp.c | 5 +-
net/netfilter/nfnetlink_osf.c | 12 ++--
net/sched/sch_choke.c | 3 +-
net/sched/sch_fq_codel.c | 2 +-
net/sched/sch_sfq.c | 9 +++
net/sched/sch_skbprio.c | 3 +
net/sctp/sm_statefuns.c | 6 +-
net/tipc/topsrv.c | 5 +-
scripts/decodecode | 2 +-
tools/objtool/check.c | 2 +-
virt/kvm/arm/hyp/aarch32.c | 8 ++-
virt/kvm/arm/vgic/vgic-mmio.c | 4 +-
46 files changed, 335 insertions(+), 156 deletions(-)



2020-05-13 10:09:54

by Greg KH

Subject: [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization

From: Josh Poimboeuf <[email protected]>

commit 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e upstream.

If the unwinder is called before the ORC data has been initialized,
orc_find() returns NULL, and it tries to fall back to using frame
pointers. This can cause some unexpected warnings during boot.

Move the 'orc_init' check from orc_find() to __unwind_init(), so that it
doesn't even try to unwind from an uninitialized state.

Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
Reviewed-by: Miroslav Benes <[email protected]>
Signed-off-by: Josh Poimboeuf <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Dave Jones <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Vince Weaver <[email protected]>
Link: https://lore.kernel.org/r/069d1499ad606d85532eb32ce39b2441679667d5.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/unwind_orc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -131,9 +131,6 @@ static struct orc_entry *orc_find(unsign
{
static struct orc_entry *orc;

- if (!orc_init)
- return NULL;
-
if (ip == 0)
return &null_orc_entry;

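Review bot: with the `orc_init` guard gone from orc_find(), the function now assumes every caller reached it through __unwind_start(); unwind_next_frame() calls orc_find() directly, so the only thing keeping it off the not-yet-initialized ORC tables is that __unwind_start() bails out first and unwind_done() then reports the walk as finished. That holds for the start/next pairing, but any future direct caller of orc_find() loses the protection; a one-line comment above the function stating that it must not be called before ORC initialization would make the new invariant explicit.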
@@ -563,6 +560,9 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
void __unwind_start(struct unwind_state *state, struct task_struct *task,
struct pt_regs *regs, unsigned long *first_frame)
{
+ if (!orc_init)
+ goto done;
+
memset(state, 0, sizeof(*state));
state->task = task;

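Review bot: `goto done` jumps over the memset(), so `state` is left uninitialized when ORC data is not ready; this is only safe if the `done:` label (outside the hunk) sets the stack type to unknown itself rather than relying on zeroed fields, and if nothing at `done:` reads state->task or state->regs. Either confirm that against the label, or move the memset() above the `if (!orc_init)` check so the early-exit path can never hand back an uninitialized state.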


2020-05-13 10:10:26

by Greg KH

Subject: [PATCH 4.19 08/48] net_sched: sch_skbprio: add message validation to skbprio_change()

From: Eric Dumazet <[email protected]>

[ Upstream commit 2761121af87de45951989a0adada917837d8fa82 ]

Do not assume the attribute has the right size.

Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler")
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: syzbot <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sched/sch_skbprio.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/sched/sch_skbprio.c
+++ b/net/sched/sch_skbprio.c
@@ -173,6 +173,9 @@ static int skbprio_change(struct Qdisc *
{
struct tc_skbprio_qopt *ctl = nla_data(opt);

+ if (opt->nla_len != nla_attr_size(sizeof(*ctl)))
+ return -EINVAL;
+
sch->limit = ctl->limit;
return 0;
}
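Review bot: the length check runs before any dereference of `ctl`, which is what matters, but it reads `opt->nla_len` after `ctl = nla_data(opt)` has been computed, so the function still relies on the caller never passing a NULL `opt`; if skbprio_init() can be reached with opt == NULL, the NULL test must stay in the caller rather than here. Also note the test is exact equality, stricter than a `nla_len < nla_attr_size(...)` lower bound: an attribute padded out by newer userspace is rejected with -EINVAL instead of being accepted on its known prefix. Intentional or not, it is worth a sentence in the commit message.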


2020-05-13 10:10:38

by Greg KH

Subject: [PATCH 4.19 04/48] dp83640: reverse arguments to list_add_tail

From: Julia Lawall <[email protected]>

[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ]

In this code, it appears that phyter_clocks is a list head, based on
the previous list_for_each, and that clock->list is intended to be a
list element, given that it has just been initialized in
dp83640_clock_init. Accordingly, switch the arguments to
list_add_tail, which takes the list head as the second argument.

Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
Signed-off-by: Julia Lawall <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/phy/dp83640.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -1114,7 +1114,7 @@ static struct dp83640_clock *dp83640_clo
goto out;
}
dp83640_clock_init(clock, bus);
- list_add_tail(&phyter_clocks, &clock->list);
+ list_add_tail(&clock->list, &phyter_clocks);
out:
mutex_unlock(&phyter_clocks_lock);
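Review bot: correct fix, and the consequence of the old order is worse than "the clock is not added": list_add_tail(new, head) was being called with the global head as `new`, so it overwrote phyter_clocks' own prev/next links to point into the freshly initialised clock->list, orphaning every entry already on the global list, while the new clock never became reachable from the list_for_each above. Since phyter_clocks_lock is held across the add (the unlock is visible just below), no further locking is needed.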



2020-05-13 11:13:34

by Greg KH

Subject: [PATCH 4.19 12/48] tipc: fix partial topology connection closure

From: Tuong Lien <[email protected]>

[ Upstream commit 980d69276f3048af43a045be2925dacfb898a7be ]

When an application connects to the TIPC topology server and subscribes
to some services, a new connection is created along with some objects -
'tipc_subscription' to store related data correspondingly...
However, there is one omission in the connection handling that when the
connection or application is orderly shutdown (e.g. via SIGQUIT, etc.),
the connection is not closed in kernel, the 'tipc_subscription' objects
are not freed too.
This results in:
- The maximum number of subscriptions (65535) will be reached soon, new
subscriptions will be rejected;
- TIPC module cannot be removed (unless the objects are somehow forced
to release first);

The commit fixes the issue by closing the connection if the 'recvmsg()'
returns '0' i.e. when the peer is shutdown gracefully. It also includes
the other unexpected cases.

Acked-by: Jon Maloy <[email protected]>
Acked-by: Ying Xue <[email protected]>
Signed-off-by: Tuong Lien <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/tipc/topsrv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -409,10 +409,11 @@ static int tipc_conn_rcv_from_sock(struc
read_lock_bh(&sk->sk_callback_lock);
ret = tipc_conn_rcv_sub(srv, con, &s);
read_unlock_bh(&sk->sk_callback_lock);
+ if (!ret)
+ return 0;
}
- if (ret < 0)
- tipc_conn_close(con);

+ tipc_conn_close(con);
return ret;
}
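Review bot: the early `return 0` only covers the branch that parsed a subscription; everything else, including a positive `ret` from a path that did not enter that block, now falls through to the unconditional tipc_conn_close(). From the visible lines the intended fall-through cases are ret == 0 (peer shutdown) and ret < 0, so confirm in the full function that no ret > 0 path can reach the tail without going through `if (!ret) return 0;`, otherwise a healthy connection gets closed after a successful receive.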



2020-05-13 11:21:18

by Greg KH

Subject: [PATCH 4.19 23/48] USB: serial: garmin_gps: add sanity checking for data length

From: Oliver Neukum <[email protected]>

commit e9b3c610a05c1cdf8e959a6d89c38807ff758ee6 upstream.

We must not process packets shorter than a packet ID.

Signed-off-by: Oliver Neukum <[email protected]>
Reported-and-tested-by: [email protected]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/serial/garmin_gps.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1138,8 +1138,8 @@ static void garmin_read_process(struct g
send it directly to the tty port */
if (garmin_data_p->flags & FLAGS_QUEUING) {
pkt_add(garmin_data_p, data, data_length);
- } else if (bulk_data ||
- getLayerId(data) == GARMIN_LAYERID_APPL) {
+ } else if (bulk_data || (data_length >= sizeof(u32) &&
+ getLayerId(data) == GARMIN_LAYERID_APPL)) {

spin_lock_irqsave(&garmin_data_p->lock, flags);
garmin_data_p->flags |= APP_RESP_SEEN;
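Review bot: the new `data_length >= sizeof(u32)` guard protects getLayerId(data) on the else-if path only; the FLAGS_QUEUING branch just above still hands `data`/`data_length` to pkt_add() unchanged, so a short packet is queued and whatever dequeues it must repeat the length check before reading the layer id. If pkt_add() or its consumer also calls getLayerId(), the same check belongs there, and a single check at the top of garmin_read_process() would cover both paths without later call sites having to remember it.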


2020-05-13 13:49:15

by Jon Hunter

Subject: Re: [PATCH 4.19 00/48] 4.19.123-rc1 review


On 13/05/2020 10:44, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.123 release.
> There are 48 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 15 May 2020 09:41:20 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.123-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


All tests are passing for Tegra ...

Test results for stable-v4.19:
11 builds: 11 pass, 0 fail
22 boots: 22 pass, 0 fail
32 tests: 32 pass, 0 fail

Linux version: 4.19.123-rc1-g6d5c161fb73d
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra20-ventana,
tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

--
nvpublic

2020-05-13 17:07:48

by Guenter Roeck

Subject: Re: [PATCH 4.19 00/48] 4.19.123-rc1 review

On Wed, May 13, 2020 at 11:44:26AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.123 release.
> There are 48 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>

Build results:
total: 155 pass: 155 fail: 0
Qemu test results:
total: 421 pass: 421 fail: 0

Guenter

2020-05-13 18:19:48

by Naresh Kamboju

Subject: Re: [PATCH 4.19 00/48] 4.19.123-rc1 review

On Wed, 13 May 2020 at 15:17, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.19.123 release.
> There are 48 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 15 May 2020 09:41:20 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.123-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

NOTE:
While running LTP sched on stable-rc 4.19 branch kernel on arm64 hikey device.
Thermal alarm triggered and followed by kernel warnings and Internal error:
https://lore.kernel.org/stable/CA+G9fYvo2yUVicoZ7fOYf8=QxTtS8nW-Z2JGD4iLtU61E6xNdw@mail.gmail.com/T/#u

Summary
------------------------------------------------------------------------

kernel: 4.19.123-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.19.y
git commit: 6d5c161fb73d8e3d1a5a0efcf2d089b939a1e165
git describe: v4.19.122-49-g6d5c161fb73d
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.122-49-g6d5c161fb73d

No regressions (compared to build v4.19.122)

No fixes (compared to build v4.19.122)

Ran 32876 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- nxp-ls2088
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
- x86-kasan

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* install-android-platform-tools-r2800
* kselftest
* kselftest/drivers
* kselftest/filesystems
* kselftest/net
* kselftest/networking
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-hugetlb-tests
* ltp-ipc-tests
* ltp-mm-tests
* ltp-sched-tests
* perf
* v4l2-compliance
* kvm-unit-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-io-tests
* ltp-math-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-native/drivers
* kselftest-vsyscall-mode-native/filesystems
* kselftest-vsyscall-mode-native/net
* kselftest-vsyscall-mode-native/networking
* kselftest-vsyscall-mode-none
* kselftest-vsyscall-mode-none/drivers
* kselftest-vsyscall-mode-none/filesystems
* kselftest-vsyscall-mode-none/net
* kselftest-vsyscall-mode-none/networking

--
Linaro LKFT
https://lkft.linaro.org

2020-05-13 19:31:44

by Chris Paterson

Subject: RE: [PATCH 4.19 00/48] 4.19.123-rc1 review

Hello Greg,

> From: [email protected] <[email protected]> On
> Behalf Of Greg Kroah-Hartman
> Sent: 13 May 2020 10:44
>
> This is the start of the stable review cycle for the 4.19.123 release.
> There are 48 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>

No build/boot issues seen for CIP configs for Linux 4.19.123-rc1 (6d5c161fb73d).

Build/test pipeline/logs: https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/pipelines/145658864
GitLab CI pipeline: https://gitlab.com/cip-project/cip-testing/linux-cip-pipelines/-/blob/master/trees/linux-4.19.y.yml
Relevant LAVA jobs: https://lava.ciplatform.org/scheduler/alljobs?length=25&search=6d5c16#table

Kind regards, Chris


2020-05-13 20:28:20

by Greg KH

Subject: [PATCH 4.19 14/48] net/mlx5: Fix forced completion access non initialized command entry

From: Moshe Shemesh <[email protected]>

[ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ]

mlx5_cmd_flush() will trigger forced completions to all valid command
entries. Triggered by an asynch event such as fast teardown it can
happen at any stage of the command, including command initialization.
It will trigger forced completion and that can lead to completion on an
uninitialized command entry.

Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is
initialized will ensure force completion is treated only if command
entry is initialized.

Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
Signed-off-by: Moshe Shemesh <[email protected]>
Signed-off-by: Eran Ben Elisha <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -862,7 +862,6 @@ static void cmd_work_handler(struct work
}

cmd->ent_arr[ent->idx] = ent;
- set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
lay = get_inst(cmd, ent->idx);
ent->lay = lay;
memset(lay, 0, sizeof(*lay));
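Review bot: dropping the set_bit here opens a window from `cmd->ent_arr[ent->idx] = ent` until the bit is set later in the function, during which the entry is visible in ent_arr but not marked pending, so mlx5_cmd_flush() will skip it; that is the intended behaviour, but it means a forced completion issued in that window has to be picked up by something else (the timeout path) or the command waits out its full timeout after a teardown. A short comment at the ent_arr assignment saying the entry is published before it is completable would save the next reader the same analysis.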
@@ -884,6 +883,7 @@ static void cmd_work_handler(struct work

if (ent->callback)
schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
+ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);

/* Skip sending command to fw if internal error */
if (pci_channel_offline(dev->pdev) ||
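Review bot: the bit is now set after `schedule_delayed_work(&ent->cb_timeout_work, cb_timeout)` and before the `pci_channel_offline()` / internal-error check; if that branch completes the entry through the forced-completion handler, it depends on PENDING_COMP already being set, so the placement is right, but if it returns without completing the entry the bit is left stale. Worth confirming which it is, and consider moving the set_bit to just before the command is actually posted so the bit keeps a single meaning: "initialized and about to be posted".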


2020-05-13 20:28:38

by Greg KH

Subject: [PATCH 4.19 05/48] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks

From: Eric Dumazet <[email protected]>

[ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ]

My intent was to not let users set a zero drop_batch_size,
it seems I once again messed with min()/max().

Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()")
Signed-off-by: Eric Dumazet <[email protected]>
Acked-by: Toke Høiland-Jørgensen <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sched/sch_fq_codel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -429,7 +429,7 @@ static int fq_codel_change(struct Qdisc
q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM]));

if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])
- q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
+ q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));

if (tb[TCA_FQ_CODEL_MEMORY_LIMIT])
q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT]));
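Review bot: the min()/max() swap is right, but max(1U, ...) leaves drop_batch_size with no upper bound while the neighbouring memory_limit line clamps with min(1U << 31, ...); a very large value from userspace makes the batch-drop loop walk that many packets per drop under the qdisc lock. If that was judged harmless when the attribute was added, a comment saying so would stop the next reader from asking the same question; otherwise clamp it with `clamp(nla_get_u32(...), 1U, <sane maximum>)`.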


2020-05-13 20:28:44

by Greg KH

Subject: [PATCH 4.19 42/48] x86/unwind/orc: Fix error path for bad ORC entry type

From: Josh Poimboeuf <[email protected]>

commit a0f81bf26888048100bf017fadf438a5bdffa8d8 upstream.

If the ORC entry type is unknown, nothing else can be done other than
reporting an error. Exit the function instead of breaking out of the
switch statement.

Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
Reviewed-by: Miroslav Benes <[email protected]>
Signed-off-by: Josh Poimboeuf <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Dave Jones <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Vince Weaver <[email protected]>
Link: https://lore.kernel.org/r/a7fa668ca6eabbe81ab18b2424f15adbbfdc810a.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/unwind_orc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -509,7 +509,7 @@ bool unwind_next_frame(struct unwind_sta
default:
orc_warn("unknown .orc_unwind entry type %d for ip %pB\n",
orc->type, (void *)orig_ip);
- break;
+ goto err;
}

/* Find BP: */
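Review bot: `goto err` replaces a `break` that fell through to the `/* Find BP: */` logic with the frame only half updated; make sure the `err:` label (outside the hunk) flags the error, marks the stack type unknown and returns false, matching the other error exits in unwind_next_frame(), so that callers see the same terminal state as any other failed step.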


2020-05-13 20:29:36

by Greg KH

Subject: [PATCH 4.19 13/48] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features().

From: Michael Chan <[email protected]>

[ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ]

The current logic in bnxt_fix_features() will inadvertently turn on both
CTAG and STAG VLAN offload if the user tries to disable both. Fix it
by checking that the user is trying to enable CTAG or STAG before
enabling both. The logic is supposed to enable or disable both CTAG and
STAG together.

Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.")
Signed-off-by: Michael Chan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -7562,6 +7562,7 @@ static netdev_features_t bnxt_fix_featur
netdev_features_t features)
{
struct bnxt *bp = netdev_priv(dev);
+ netdev_features_t vlan_features;

if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp))
features &= ~NETIF_F_NTUPLE;
@@ -7578,12 +7579,14 @@ static netdev_features_t bnxt_fix_featur
/* Both CTAG and STAG VLAN accelaration on the RX side have to be
* turned on or off together.
*/
- if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) !=
- (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) {
+ vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX);
+ if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX)) {
if (dev->features & NETIF_F_HW_VLAN_CTAG_RX)
features &= ~(NETIF_F_HW_VLAN_CTAG_RX |
NETIF_F_HW_VLAN_STAG_RX);
- else
+ else if (vlan_features)
features |= NETIF_F_HW_VLAN_CTAG_RX |
NETIF_F_HW_VLAN_STAG_RX;
}
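
Review bot: the `else if (vlan_features)` guard is what closes the bug: when the caller clears both RX VLAN bits, `vlan_features` is 0, and the old bare `else` re-enabled both whenever CTAG was not already on in `dev->features`. Since the first branch keys off `NETIF_F_HW_VLAN_CTAG_RX` alone, the comment above could say that CTAG stands in for both because the driver keeps them in lock-step; that same comment also misspells "accelaration".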
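
Modelling the feature-fixup logic above in plain C, as an added example that is not the driver's code: the two functions reproduce the pre-fix and post-fix bit logic with constructed feature-bit values (not the kernel's), and `main` shows the case from the commit message, a device with RX VLAN offload already off whose caller clears both bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the netdev feature bits (not the kernel's values). */
typedef uint64_t netdev_features_t;
#define NETIF_F_HW_VLAN_CTAG_RX (1ULL << 0)
#define NETIF_F_HW_VLAN_STAG_RX (1ULL << 1)
#define VLAN_RX_BOTH (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)

/* Pre-fix logic: any state other than "both set" is normalized by looking
 * only at the device's current CTAG setting, so "both cleared" on a device
 * that already has them off is turned back into "both set". */
netdev_features_t fix_features_before(netdev_features_t dev_features,
                                      netdev_features_t features)
{
    if ((features & VLAN_RX_BOTH) != VLAN_RX_BOTH) {
        if (dev_features & NETIF_F_HW_VLAN_CTAG_RX)
            features &= ~VLAN_RX_BOTH;
        else
            features |= VLAN_RX_BOTH;
    }
    return features;
}

/* Fixed logic: only enable both when the caller asked for at least one of
 * them; a request with neither bit set is left alone. */
netdev_features_t fix_features_after(netdev_features_t dev_features,
                                     netdev_features_t features)
{
    netdev_features_t vlan_features = features & VLAN_RX_BOTH;

    if (vlan_features != VLAN_RX_BOTH) {
        if (dev_features & NETIF_F_HW_VLAN_CTAG_RX)
            features &= ~VLAN_RX_BOTH;
        else if (vlan_features)
            features |= VLAN_RX_BOTH;
    }
    return features;
}

int main(void)
{
    /* Device has VLAN RX offload off; the caller requests both bits cleared. */
    netdev_features_t before = fix_features_before(0, 0);
    netdev_features_t after = fix_features_after(0, 0);

    printf("before fix: 0x%llx (both re-enabled)\n", (unsigned long long)before);
    printf("after fix:  0x%llx\n", (unsigned long long)after);
    return 0;
}
```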


2020-05-13 20:29:48

by Greg KH

Subject: [PATCH 4.19 38/48] x86/entry/64: Fix unwind hints in kernel exit path

From: Josh Poimboeuf <[email protected]>

commit 1fb143634a38095b641a3a21220774799772dc4c upstream.

In swapgs_restore_regs_and_return_to_usermode, after the stack is
switched to the trampoline stack, the existing UNWIND_HINT_REGS hint is
no longer valid, which can result in the following ORC unwinder warning:

WARNING: can't dereference registers at 000000003aeb0cdd for ip swapgs_restore_regs_and_return_to_usermode+0x93/0xa0

For full correctness, we could try to add complicated unwind hints so
the unwinder could continue to find the registers, but when it's
this close to kernel exit, unwind hints aren't really needed anymore and
it's fine to just use an empty hint which tells the unwinder to stop.

For consistency, also move the UNWIND_HINT_EMPTY in
entry_SYSCALL_64_after_hwframe to a similar location.

Fixes: 3e3b9293d392 ("x86/entry/64: Return to userspace from the trampoline stack")
Reported-by: Vince Weaver <[email protected]>
Reported-by: Dave Jones <[email protected]>
Reported-by: Dr. David Alan Gilbert <[email protected]>
Reported-by: Joe Mario <[email protected]>
Reported-by: Jann Horn <[email protected]>
Reported-by: Linus Torvalds <[email protected]>
Reviewed-by: Miroslav Benes <[email protected]>
Signed-off-by: Josh Poimboeuf <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: https://lore.kernel.org/r/60ea8f562987ed2d9ace2977502fe481c0d7c9a0.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/entry/entry_64.S | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -312,7 +312,6 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
*/
syscall_return_via_sysret:
/* rcx and r11 are already restored (see code above) */
- UNWIND_HINT_EMPTY
POP_REGS pop_rdi=0 skip_r11rcx=1

/*
@@ -321,6 +320,7 @@ syscall_return_via_sysret:
*/
movq %rsp, %rdi
movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
+ UNWIND_HINT_EMPTY

pushq RSP-RDI(%rdi) /* RSP */
pushq (%rdi) /* RDI */
@@ -700,6 +700,7 @@ GLOBAL(swapgs_restore_regs_and_return_to
*/
movq %rsp, %rdi
movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
+ UNWIND_HINT_EMPTY

/* Copy the IRET frame to the trampoline stack. */
pushq 6*8(%rdi) /* SS */
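
Review bot: the `UNWIND_HINT_EMPTY` lands directly after `movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp`, i.e. at the first instruction where the earlier `UNWIND_HINT_REGS` no longer describes what `%rsp` points at, and that matches the placement chosen in `syscall_return_via_sysret` above. A one-line comment at each site saying the hint is deliberately empty because the task is about to exit to user space would save the next reader from trying to add full register hints for the trampoline stack.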


2020-05-13 20:29:57

by Greg KH

Subject: [PATCH 4.19 18/48] net: stricter validation of untrusted gso packets

From: Willem de Bruijn <[email protected]>

[ Upstream commit 9274124f023b5c56dc4326637d4f787968b03607 ]

Syzkaller again found a path to a kernel crash through bad gso input:
a packet with transport header extending beyond skb_headlen(skb).

Tighten validation at kernel entry:

- Verify that the transport header lies within the linear section.

To avoid pulling linux/tcp.h, verify just sizeof tcphdr.
tcp_gso_segment will call pskb_may_pull (th->doff * 4) before use.

- Match the gso_type against the ip_proto found by the flow dissector.

Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
Reported-by: syzbot <[email protected]>
Signed-off-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/virtio_net.h | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)

--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -3,6 +3,8 @@
#define _LINUX_VIRTIO_NET_H

#include <linux/if_vlan.h>
+#include <uapi/linux/tcp.h>
+#include <uapi/linux/udp.h>
#include <uapi/linux/virtio_net.h>

static inline int virtio_net_hdr_set_proto(struct sk_buff *skb,
@@ -28,17 +30,25 @@ static inline int virtio_net_hdr_to_skb(
bool little_endian)
{
unsigned int gso_type = 0;
+ unsigned int thlen = 0;
+ unsigned int ip_proto;

if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
case VIRTIO_NET_HDR_GSO_TCPV4:
gso_type = SKB_GSO_TCPV4;
+ ip_proto = IPPROTO_TCP;
+ thlen = sizeof(struct tcphdr);
break;
case VIRTIO_NET_HDR_GSO_TCPV6:
gso_type = SKB_GSO_TCPV6;
+ ip_proto = IPPROTO_TCP;
+ thlen = sizeof(struct tcphdr);
break;
case VIRTIO_NET_HDR_GSO_UDP:
gso_type = SKB_GSO_UDP;
+ ip_proto = IPPROTO_UDP;
+ thlen = sizeof(struct udphdr);
break;
default:
return -EINVAL;
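
Review bot: `ip_proto` is declared without an initializer while `thlen` gets `= 0`, and it is only assigned in the three accepted `case`s. Its later uses are reachable only when `gso_type` is non-zero, so this is correct, but initializing it alongside `thlen` keeps that invariant local to the declaration and avoids a maybe-uninitialized warning from compilers that cannot see through the `gso_type` guard.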
@@ -57,16 +67,22 @@ static inline int virtio_net_hdr_to_skb(

if (!skb_partial_csum_set(skb, start, off))
return -EINVAL;
+
+ if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
+ return -EINVAL;
} else {
/* gso packets without NEEDS_CSUM do not set transport_offset.
* probe and drop if does not match one of the above types.
*/
if (gso_type && skb->network_header) {
+ struct flow_keys_basic keys;
+
if (!skb->protocol)
virtio_net_hdr_set_proto(skb, hdr);
retry:
- skb_probe_transport_header(skb, -1);
- if (!skb_transport_header_was_set(skb)) {
+ if (!skb_flow_dissect_flow_keys_basic(skb, &keys,
+ NULL, 0, 0, 0,
+ 0)) {
/* UFO does not specify ipv4 or 6: try both */
if (gso_type & SKB_GSO_UDP &&
skb->protocol == htons(ETH_P_IP)) {
@@ -75,6 +91,12 @@ retry:
}
return -EINVAL;
}
+
+ if (keys.control.thoff + thlen > skb_headlen(skb) ||
+ keys.basic.ip_proto != ip_proto)
+ return -EINVAL;
+
+ skb_set_transport_header(skb, keys.control.thoff);
}
}
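
Review bot: the new `keys.control.thoff + thlen > skb_headlen(skb)` and `keys.basic.ip_proto != ip_proto` checks are right for the probed path, but they sit inside `if (gso_type && skb->network_header)`, so a gso packet without NEEDS_CSUM that arrives with no network header set still skips both; if that combination is reachable from untrusted input it deserves the same bound or an explicit rejection. Also worth a word in the comment: the dissector now runs again on the `retry:` path with the updated `skb->protocol`, and its failure branch only retries for UDP/IPv4, so any other dissection failure is rejected on the first attempt.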
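
An added user-space model of the two new checks, not the kernel's code: `validate_gso_ipv4()` and `build_ipv4()` are hypothetical helpers that treat a constructed IPv4 packet as the linear area, derive `thoff` and `ip_proto` the way a minimal flow dissector would, and apply the transport-header-fits and gso_type-matches-protocol rules from the patch; the gso-type and protocol constants are placeholders chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the virtio gso types and IP protocol numbers
 * used in the checks (values chosen for this example, not the kernel's). */
enum { GSO_NONE = 0, GSO_TCPV4 = 1, GSO_UDP = 3 };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
enum { TCPHDR_LEN = 20, UDPHDR_LEN = 8 };

/* Validate an untrusted (gso_type, linear IPv4 packet) pair the way the
 * patch does: the transport header must fit inside the linear data, and the
 * protocol the headers actually carry must match what gso_type claims.
 * Returns 0 on success, -1 (standing in for -EINVAL) on rejection. */
int validate_gso_ipv4(unsigned int gso_type, const uint8_t *pkt, size_t headlen)
{
    unsigned int ip_proto, thlen;
    size_t thoff;

    switch (gso_type) {
    case GSO_TCPV4: ip_proto = PROTO_TCP; thlen = TCPHDR_LEN; break;
    case GSO_UDP:   ip_proto = PROTO_UDP; thlen = UDPHDR_LEN; break;
    case GSO_NONE:  return 0;            /* nothing claimed, nothing to check */
    default:        return -1;           /* unknown gso type */
    }

    /* Minimal "flow dissector": need the fixed IPv4 header to read IHL/proto. */
    if (headlen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    thoff = (size_t)(pkt[0] & 0x0f) * 4;       /* keys.control.thoff */
    if (thoff < 20 || thoff > headlen)
        return -1;

    /* The two checks added by the patch. */
    if (thoff + thlen > headlen)               /* transport header truncated */
        return -1;
    if (pkt[9] != ip_proto)                    /* keys.basic.ip_proto mismatch */
        return -1;
    return 0;
}

/* Build a constructed IPv4 header with the given IHL (in 32-bit words) and
 * protocol, followed by `payload` zero bytes; returns the total length. */
size_t build_ipv4(uint8_t *buf, unsigned int ihl_words, uint8_t proto, size_t payload)
{
    size_t total = ihl_words * 4 + payload;

    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);      /* version 4, IHL */
    buf[9] = proto;                            /* protocol field */
    return total;
}

int main(void)
{
    uint8_t pkt[128]; size_t len;

    len = build_ipv4(pkt, 5, PROTO_TCP, TCPHDR_LEN);   /* well-formed TCP */
    printf("tcp, full header: %d\n", validate_gso_ipv4(GSO_TCPV4, pkt, len));
    len = build_ipv4(pkt, 5, PROTO_TCP, 4);            /* TCP header cut off */
    printf("tcp, truncated:   %d\n", validate_gso_ipv4(GSO_TCPV4, pkt, len));
    len = build_ipv4(pkt, 5, PROTO_UDP, TCPHDR_LEN);   /* UDP but claims TCP */
    printf("udp as tcp:       %d\n", validate_gso_ipv4(GSO_TCPV4, pkt, len));
    return 0;
}
```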



2020-05-13 20:30:02

by Greg KH

Subject: [PATCH 4.19 46/48] objtool: Fix stack offset tracking for indirect CFAs

From: Josh Poimboeuf <[email protected]>

commit d8dd25a461e4eec7190cb9d66616aceacc5110ad upstream.

When the current frame address (CFA) is stored on the stack (i.e.,
cfa->base == CFI_SP_INDIRECT), objtool neglects to adjust the stack
offset when there are subsequent pushes or pops. This results in bad
ORC data at the end of the ENTER_IRQ_STACK macro, when it puts the
previous stack pointer on the stack and does a subsequent push.

This fixes the following unwinder warning:

WARNING: can't dereference registers at 00000000f0a6bdba for ip interrupt_entry+0x9f/0xa0

Fixes: 627fce14809b ("objtool: Add ORC unwind table generation")
Reported-by: Vince Weaver <[email protected]>
Reported-by: Dave Jones <[email protected]>
Reported-by: Steven Rostedt <[email protected]>
Reported-by: Vegard Nossum <[email protected]>
Reported-by: Joe Mario <[email protected]>
Reviewed-by: Miroslav Benes <[email protected]>
Signed-off-by: Josh Poimboeuf <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: https://lore.kernel.org/r/853d5d691b29e250333332f09b8e27410b2d9924.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
tools/objtool/check.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -1315,7 +1315,7 @@ static int update_insn_state_regs(struct
struct cfi_reg *cfa = &state->cfa;
struct stack_op *op = &insn->stack_op;

- if (cfa->base != CFI_SP)
+ if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT)
return 0;

/* push */
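
Review bot: widening the early return to `cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT` means the push/pop offset adjustments that follow now also run while the CFA is spilled to the stack. The hunk does not show whether any of that code assumes `cfa->base == CFI_SP` (for instance where a pop restores the CFA base), so that path should be checked, and a short comment at the guard explaining why an indirect CFA still needs its stack offset tracked would document the ENTER_IRQ_STACK case from the commit message.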


2020-05-13 20:33:53

by Greg KH

Subject: [PATCH 4.19 20/48] sctp: Fix bundling of SHUTDOWN with COOKIE-ACK

From: Jere Leppänen <[email protected]>

commit 145cb2f7177d94bc54563ed26027e952ee0ae03c upstream.

When we start shutdown in sctp_sf_do_dupcook_a(), we want to bundle
the SHUTDOWN with the COOKIE-ACK to ensure that the peer receives them
at the same time and in the correct order. This bundling was broken by
commit 4ff40b86262b ("sctp: set chunk transport correctly when it's a
new asoc"), which assigns a transport for the COOKIE-ACK, but not for
the SHUTDOWN.

Fix this by passing a reference to the COOKIE-ACK chunk as an argument
to sctp_sf_do_9_2_start_shutdown() and onward to
sctp_make_shutdown(). This way the SHUTDOWN chunk is assigned the same
transport as the COOKIE-ACK chunk, which allows them to be bundled.

In sctp_sf_do_9_2_start_shutdown(), the void *arg parameter was
previously unused. Now that we're taking it into use, it must be a
valid pointer to a chunk, or NULL. There is only one call site where
it's not, in sctp_sf_autoclose_timer_expire(). Fix that too.

Fixes: 4ff40b86262b ("sctp: set chunk transport correctly when it's a new asoc")
Signed-off-by: Jere Leppänen <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/sctp/sm_statefuns.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1880,7 +1880,7 @@ static enum sctp_disposition sctp_sf_do_
*/
sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
- SCTP_ST_CHUNK(0), NULL,
+ SCTP_ST_CHUNK(0), repl,
commands);
} else {
sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
@@ -5483,7 +5483,7 @@ enum sctp_disposition sctp_sf_do_9_2_sta
* in the Cumulative TSN Ack field the last sequential TSN it
* has received from the peer.
*/
- reply = sctp_make_shutdown(asoc, NULL);
+ reply = sctp_make_shutdown(asoc, arg);
if (!reply)
goto nomem;
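
Review bot: `sctp_make_shutdown(asoc, arg)` now depends on `arg` being either a chunk pointer or NULL, which the commit message states but the `void *arg` parameter does not; a comment on `sctp_sf_do_9_2_start_shutdown()` spelling out that contract (or a typed local assigned from `arg` at the top of the function) would keep a future caller from passing a non-chunk, which is exactly the mistake corrected at the autoclose-timer call site in this same patch.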

@@ -6081,7 +6081,7 @@ enum sctp_disposition sctp_sf_autoclose_
disposition = SCTP_DISPOSITION_CONSUME;
if (sctp_outq_is_empty(&asoc->outqueue)) {
disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
- arg, commands);
+ NULL, commands);
}

return disposition;


2020-05-13 21:54:14

by Pavel Machek

Subject: Re: [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization

Hi!

> From: Josh Poimboeuf <[email protected]>
>
> commit 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e upstream.
>
> If the unwinder is called before the ORC data has been initialized,
> orc_find() returns NULL, and it tries to fall back to using frame
> pointers. This can cause some unexpected warnings during boot.
>
> Move the 'orc_init' check from orc_find() to __unwind_init(), so that it
> doesn't even try to unwind from an uninitialized state.

> @@ -563,6 +560,9 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
> void __unwind_start(struct unwind_state *state, struct task_struct *task,
> struct pt_regs *regs, unsigned long *first_frame)
> {
> + if (!orc_init)
> + goto done;
> +
> memset(state, 0, sizeof(*state));
> state->task = task;
>

As this returns the *state to the caller, should the "goto done" move
below the memset? Otherwise we are returning partially-initialized
struct, which is ... weird.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html



2020-05-13 23:04:36

by Shuah Khan

Subject: Re: [PATCH 4.19 00/48] 4.19.123-rc1 review

On 5/13/20 3:44 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.123 release.
> There are 48 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 15 May 2020 09:41:20 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.123-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

2020-05-14 20:09:53

by Josh Poimboeuf

Subject: Re: [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization

On Wed, May 13, 2020 at 11:52:10PM +0200, Pavel Machek wrote:
> Hi!
>
> > From: Josh Poimboeuf <[email protected]>
> >
> > commit 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e upstream.
> >
> > If the unwinder is called before the ORC data has been initialized,
> > orc_find() returns NULL, and it tries to fall back to using frame
> > pointers. This can cause some unexpected warnings during boot.
> >
> > Move the 'orc_init' check from orc_find() to __unwind_init(), so that it
> > doesn't even try to unwind from an uninitialized state.
>
> > @@ -563,6 +560,9 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
> > void __unwind_start(struct unwind_state *state, struct task_struct *task,
> > struct pt_regs *regs, unsigned long *first_frame)
> > {
> > + if (!orc_init)
> > + goto done;
> > +
> > memset(state, 0, sizeof(*state));
> > state->task = task;
> >
>
> As this returns the *state to the caller, should the "goto done" move
> below the memset? Otherwise we are returning partially-initialized
> struct, which is ... weird.

Yeah, it is a little weird. In most cases it should be fine, but there
is an edge case where if there's a corrupt ORC table and this returns
early, 'arch_stack_walk_reliable() -> unwind_error()' could check an
uninitialized value.

Also the __unwind_start() error handling needs to set that error bit
anyway, in its error cases. I'll fix it up.

--
Josh

2020-05-14 20:15:47

by Pavel Machek

Subject: Re: [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization

Hi!

> > > From: Josh Poimboeuf <[email protected]>
> > >
> > > commit 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e upstream.
> > >
> > > If the unwinder is called before the ORC data has been initialized,
> > > orc_find() returns NULL, and it tries to fall back to using frame
> > > pointers. This can cause some unexpected warnings during boot.
> > >
> > > Move the 'orc_init' check from orc_find() to __unwind_init(), so that it
> > > doesn't even try to unwind from an uninitialized state.
> >
> > > @@ -563,6 +560,9 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
> > > void __unwind_start(struct unwind_state *state, struct task_struct *task,
> > > struct pt_regs *regs, unsigned long *first_frame)
> > > {
> > > + if (!orc_init)
> > > + goto done;
> > > +
> > > memset(state, 0, sizeof(*state));
> > > state->task = task;
> > >
> >
> > As this returns the *state to the caller, should the "goto done" move
> > below the memset? Otherwise we are returning partially-initialized
> > struct, which is ... weird.
>
> Yeah, it is a little weird. In most cases it should be fine, but there
> is an edge case where if there's a corrupt ORC table and this returns
> early, 'arch_stack_walk_reliable() -> unwind_error()' could check an
> uninitialized value.
>
> Also the __unwind_start() error handling needs to set that error bit
> anyway, in its error cases. I'll fix it up.

I did this in the meantime. It moves goto around memset, and I
believe that 8 in get_reg should have been sizeof(long) [not that it
matters, x86-32 is protected by build bug on.]

Signed-off-by: Pavel Machek <[email protected]>

Best regards,
Pavel

diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
index 169b96492b7c..90cb3cb2b4f1 100644
--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -375,7 +375,7 @@ static bool deref_stack_iret_regs(struct unwind_state *state, unsigned long addr
static bool get_reg(struct unwind_state *state, unsigned int reg_off,
unsigned long *val)
{
- unsigned int reg = reg_off/8;
+ unsigned int reg = reg_off/sizeof(long);

if (!state->regs)
return false;
@@ -589,12 +589,12 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
void __unwind_start(struct unwind_state *state, struct task_struct *task,
struct pt_regs *regs, unsigned long *first_frame)
{
- if (!orc_init)
- goto done;
-
memset(state, 0, sizeof(*state));
state->task = task;

+ if (!orc_init)
+ goto done;
+
/*
* Refuse to unwind the stack of a task while it's executing on another
* CPU. This check is racy, but that's ok: the unwinder has other
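
Review bot: moving the `memset` above the `if (!orc_init)` early-out means `done:` now returns a fully zeroed `state`, which addresses the partially-initialized return raised earlier in the thread. As the reply above points out, though, the error cases should also set the error bit, and this hunk leaves it at its zeroed value on the uninitialized-ORC path, so a caller going through `unwind_error()` still cannot tell this early exit from a clean end of stack.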


--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



2020-05-14 20:31:15

by Josh Poimboeuf

Subject: Re: [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization

On Thu, May 14, 2020 at 10:13:40PM +0200, Pavel Machek wrote:
> > > > @@ -563,6 +560,9 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
> > > > void __unwind_start(struct unwind_state *state, struct task_struct *task,
> > > > struct pt_regs *regs, unsigned long *first_frame)
> > > > {
> > > > + if (!orc_init)
> > > > + goto done;
> > > > +
> > > > memset(state, 0, sizeof(*state));
> > > > state->task = task;
> > > >
> > >
> > > As this returns the *state to the caller, should the "goto done" move
> > > below the memset? Otherwise we are returning partially-initialized
> > > struct, which is ... weird.
> >
> > Yeah, it is a little weird. In most cases it should be fine, but there
> > is an edge case where if there's a corrupt ORC table and this returns
> > early, 'arch_stack_walk_reliable() -> unwind_error()' could check an
> > uninitialized value.
> >
> > Also the __unwind_start() error handling needs to set that error bit
> > anyway, in its error cases. I'll fix it up.
>
> I did this in the meantime. It moves goto around memset, and I
> believe that 8 in get_reg should have been sizeof(long) [not that it
> matters, x86-32 is protected by build bug on.]
>
> Signed-off-by: Pavel Machek <[email protected]>

I already have the same memset patch (along with other error-handling
fixes) which I'll be posting shortly once it runs through my testing.

Since the sizeof(long) thing isn't really a bug, I'll make that change
later, along with some other pending improvements I have.

--
Josh