commit 71a46f012ed49baca901ed8afb87238a4ad219fd
Author: Alexandre Frade
Date:   Sun Sep 22 12:16:56 2019 -0300

    5.3.1-xanmod1

    Signed-off-by: Alexandre Frade

commit 5ab14c757d7218172335754ed30dfdaa383d4fdf
Merge: 1a0a9be43145 c9a59a82366b
Author: Alexandre Frade
Date:   Sun Sep 22 11:36:43 2019 -0300

    Merge tag 'v5.3.1' into 5.3

    This is the 5.3.1 stable release

commit 1a0a9be43145228547b397cbb65b58c022d6a6c2
Author: graysky
Date:   Sun Sep 22 11:27:43 2019 -0300

    x86/Kconfig: Enable additional cpu optimizations for gcc v9.1+

    WARNING
    This patch works with gcc versions 9.1+ and with kernel version 4.13+
    and should NOT be applied when compiling on older versions of gcc due
    to key name changes of the march flags introduced with the version 4.9
    release of gcc.[1]

    Use the older version of this patch hosted on the same github for
    older versions of gcc.

    FEATURES
    This patch adds additional CPU options to the Linux kernel accessible
    under:
     Processor type and features --->
      Processor family --->

    The expanded microarchitectures include:
    * AMD Improved K8-family
    * AMD K10-family
    * AMD Family 10h (Barcelona)
    * AMD Family 14h (Bobcat)
    * AMD Family 16h (Jaguar)
    * AMD Family 15h (Bulldozer)
    * AMD Family 15h (Piledriver)
    * AMD Family 15h (Steamroller)
    * AMD Family 15h (Excavator)
    * AMD Family 17h (Zen)
    * AMD Family 17h (Zen 2)
    * Intel Silvermont low-power processors
    * Intel Goldmont low-power processors (Apollo Lake and Denverton)
    * Intel Goldmont Plus low-power processors (Gemini Lake)
    * Intel 1st Gen Core i3/i5/i7 (Nehalem)
    * Intel 1.5 Gen Core i3/i5/i7 (Westmere)
    * Intel 2nd Gen Core i3/i5/i7 (Sandybridge)
    * Intel 3rd Gen Core i3/i5/i7 (Ivybridge)
    * Intel 4th Gen Core i3/i5/i7 (Haswell)
    * Intel 5th Gen Core i3/i5/i7 (Broadwell)
    * Intel 6th Gen Core i3/i5/i7 (Skylake)
    * Intel 6th Gen Core i7/i9 (Skylake X)
    * Intel 8th Gen Core i3/i5/i7 (Cannon Lake)
    * Intel 10th Gen Core i7/i9 (Ice Lake)
    * Intel Xeon (Cascade Lake)

    It also offers to compile passing the 'native' option which, "selects
    the CPU to generate code for at compilation time by determining the
    processor type of the compiling machine. Using -march=native enables
    all instruction subsets supported by the local machine and will
    produce code optimized for the local machine under the constraints of
    the selected instruction set."[3]

    MINOR NOTES
    This patch also changes 'atom' to 'bonnell' in accordance with the gcc
    v4.9 changes. Note that upstream is using the deprecated 'march=atom'
    flags when I believe it should use the newer 'march=bonnell' flag for
    atom processors.[2]

    It is not recommended to compile on Atom-CPUs with the 'native'
    option.[4] The recommendation is to use the 'atom' option instead.

    BENEFITS
    Small but real speed increases are measurable using a make endpoint
    comparing a generic kernel to one built with one of the respective
    microarchs.

    See the following experimental evidence supporting this statement:
    https://github.com/graysky2/kernel_gcc_patch

    REQUIREMENTS
    linux version >=4.13
    gcc version >=9.1

    ACKNOWLEDGMENTS
    This patch builds on the seminal work by Jeroen.[5]

    REFERENCES
    1. https://gcc.gnu.org/gcc-4.9/changes.html
    2. https://bugzilla.kernel.org/show_bug.cgi?id=77461
    3. https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html
    4. https://github.com/graysky2/kernel_gcc_patch/issues/15
    5. http://www.linuxforge.net/docs/linux/linux-gcc.php

commit ea23416ada1700e3c0669cf7a12f0d5e467bd30b
Author: Alexandre Frade
Date:   Wed Oct 24 16:58:52 2018 -0300

    net/sched: allow configuring cake qdisc as default

    Signed-off-by: Alexandre Frade

commit dd58495ef086b8d140f2ecd5b97c493c2d381c76
Author: Alexandre Frade
Date:   Mon Jan 29 18:29:13 2018 +0000

    sched/core: nr_migrate = 128 increases number of tasks to iterate in a single balance run.

    Signed-off-by: Alexandre Frade

commit 10c115bc73b15cea5aa027e99867d8ed74d41566
Author: Alexandre Frade
Date:   Mon Jan 29 17:55:52 2018 +0000

    cpufreq: tunes ondemand governor for performance

    Signed-off-by: Alexandre Frade

commit 447a41bf23586b4eecb2745519e15235451c93a1
Author: Alexandre Frade
Date:   Mon Jan 29 17:41:29 2018 +0000

    disable the localversion "+" tag of a git repo

    Signed-off-by: Alexandre Frade

commit 3f3a5cd6c0ccc8bf4f0f829210a72cf8ffa1519a
Author: Alexandre Frade
Date:   Mon Jan 29 17:36:22 2018 +0000

    mm/zswap: set to use lz4 compressor

    Signed-off-by: Alexandre Frade

commit c52e564e12e292ad699097ffb9434140ae24e7d9
Author: Alexandre Frade
Date:   Mon Jan 29 17:31:25 2018 +0000

    mm/vmscan: vm_swappiness = 30 decreases the amount of swapping

    Signed-off-by: Alexandre Frade

commit 540ecc64bd249ede38c5e24d752089ad97913f8d
Author: Alexandre Frade
Date:   Mon Jan 29 17:26:15 2018 +0000

    kconfig: add 500Hz timer interrupt kernel config option

    Signed-off-by: Alexandre Frade

commit 4751495fe126b7bef3794d77b3ab839edff39582
Author: Alexandre Frade
Date:   Mon Jan 29 16:59:22 2018 +0000

    dcache: cache_pressure = 50 decreases the rate at which VFS caches are reclaimed

    Signed-off-by: Alexandre Frade

commit a44f4e43a72896a335a4ec3ce9be84eab123acbf
Author: Alexandre Frade
Date:   Thu Jul 6 03:03:36 2017 +0000

    add trace events for open(), exec() and uselib()

    Signed-off-by: Alexandre Frade

commit 7f012fbd02bb6d59733fb0d1147d70d53c9f3724
Author: Mark Weiman
Date:   Sun Aug 12 11:36:21 2018 -0400

    pci: Enable overrides for missing ACS capabilities

    This is an updated version of Alex Williamson's patch from:
    https://lkml.org/lkml/2013/5/30/513

    Original commit message follows:

    PCIe ACS (Access Control Services) is the PCIe 2.0+ feature that
    allows us to control whether transactions are allowed to be redirected
    in various subnodes of a PCIe topology.
    For instance, if two endpoints are below a root port or downstream
    switch port, the downstream port may optionally redirect transactions
    between the devices, bypassing upstream devices. The same can happen
    internally on multifunction devices. The transaction may never be
    visible to the upstream devices.

    One upstream device that we particularly care about is the IOMMU. If a
    redirection occurs in the topology below the IOMMU, then the IOMMU
    cannot provide isolation between devices. This is why the PCIe spec
    encourages topologies to include ACS support. Without it, we have to
    assume peer-to-peer DMA within a hierarchy can bypass IOMMU isolation.

    Unfortunately, far too many topologies do not support ACS to make this
    a steadfast requirement. Even the latest chipsets from Intel are only
    sporadically supporting ACS. We have trouble getting interconnect
    vendors to include the PCIe spec required PCIe capability, let alone
    suggested features.

    Therefore, we need to add some flexibility. The pcie_acs_override=
    boot option lets users opt-in specific devices or sets of devices to
    assume ACS support. The "downstream" option assumes full ACS support
    on root ports and downstream switch ports. The "multifunction" option
    assumes the subset of ACS features available on multifunction
    endpoints and upstream switch ports are supported. The "id:nnnn:nnnn"
    option enables ACS support on devices matching the provided vendor and
    device IDs, allowing more strategic ACS overrides. These options may
    be combined in any order. A maximum of 16 id specific overrides are
    available. It's suggested to use the most limited set of options
    necessary to avoid completely disabling ACS across the topology.

    Note to hardware vendors, we have facilities to permanently quirk
    specific devices which enforce isolation but not provide an ACS
    capability. Please contact me to have your devices added and save your
    customers the hassle of this boot option.

    Signed-off-by: Mark Weiman

commit 52868985a30e0ec43e777a6c7b7a3ec15a06e0b3
Author: Alexandre Frade
Date:   Fri May 10 14:32:50 2019 -0300

    mm: set 2 megabytes for address_space-level file read-ahead pages size

    Signed-off-by: Alexandre Frade

commit 2c5d6f1bee7c6164d6213c7fd742b16ac9fc1c49
Author: Alexandre Frade
Date:   Fri May 10 16:45:59 2019 -0300

    block: set rq_affinity = 2 for full multithreading I/O requests

    Signed-off-by: Alexandre Frade

commit c3de66a799478ccfe99c30072f57a47cdfc97270
Author: Alexandre Frade
Date:   Fri Dec 21 16:20:41 2018 -0200

    elevator: set default scheduler to bfq for blk-mq

    Signed-off-by: Alexandre Frade

commit 6658e6997345bf70294d557182e526f4b78de0c4
Author: Alexandre Frade
Date:   Sat Jul 20 21:01:57 2019 -0300

    bmq: export can_nice symbol needed by android drivers

    Signed-off-by: Alexandre Frade

commit 3bc1dbc05c0b297bd40d2debe25c30c7ec619ee9
Author: Ben Hutchings
Date:   Tue Jun 26 16:59:01 2018 +0100

    Export symbols needed by Android drivers

    We want to enable use of the Android ashmem and binder drivers to
    support Anbox, but they should not be built-in as that would waste
    resources and increase security attack surface on systems that don't
    need them.

    Export the currently un-exported symbols they depend on.

commit 81cb7a5ff22129523c52bdc9a591197d09acfebe
Author: Ben Hutchings
Date:   Fri Jun 22 17:27:00 2018 +0100

    android: Enable building ashmem and binder as modules

    We want to enable use of the Android ashmem and binder drivers to
    support Anbox, but they should not be built-in as that would waste
    resources and increase security attack surface on systems that don't
    need them.

    - Add a MODULE_LICENSE declaration to ashmem
    - Change the Makefiles to build each driver as an object with the
      "_linux" suffix (which is what Anbox expects)
    - Change config symbol types to tristate

commit 30952795f6ab26b3062bbd9c69edcf1a0d8db32d
Author: Alfred Chen
Date:   Sun Sep 22 11:25:52 2019 -0300

    sched/bmq: Introduce the BitMap Queue CPU scheduler v1.00

commit 367566b55d24738efe110f464af2db196b032d1a
Author: J. R. Okajima
Date:   Sun Sep 22 11:23:35 2019 -0300

    fs/aufs: Advanced Multi Layered Unification Filesystem version aufs5.x-rcN 20190909

commit f7c0f5dd3df32f25b9a03d6fae309103c304ab8d
Author: William Douglas
Date:   Wed Jun 20 17:23:21 2018 +0000

    Enable stateless firmware loading

    Prefer the order of specific version before generic and /etc before
    /lib to enable the user to give specific overrides for generic
    firmware and distribution firmware.

commit ebd1d1f722e4a9b09687247ae9cac5961efc6c28
Author: Brett T. Warden
Date:   Mon Aug 13 04:01:21 2018 -0500

    Add boot option to allow unsigned modules

    Add module.sig_unenforce boot parameter to allow loading unsigned
    kernel modules. Parameter is only effective if CONFIG_MODULE_SIG_FORCE
    is enabled and system is *not* SecureBooted.

    Signed-off-by: Brett T. Warden
    Signed-off-by: Miguel Bernal Marin

commit 2421114fe38691f182e6f30bdfa1023941f5a244
Author: Arjan van de Ven
Date:   Thu Jun 2 23:36:32 2016 -0500

    Initialize ata before graphics

    ATA init is the long pole in the boot process, and it's asynchronous.
    move the graphics init after it so that ata and graphics initialize
    in parallel

commit 194627f1267385203aa7661e56d41644264d035f
Author: Jim Kukunas
Date:   Fri May 27 09:26:51 2016 -0400

    raid6: add Kconfig option to skip raid6 benchmarking

    Adds CONFIG_RAID6_FORCE_ALGO, which causes the kernel to not benchmark
    each raid recovery and syndrome generation algorithm, and instead use
    the version selected via Kconfig
    (CONFIG_RAID6_FORCE_{INT,SSSE3,AVX2}).
    In the case, the selected algorithm is not supported by the processor
    at runtime, a fallback is used.

    Signed-off-by: Jim Kukunas

commit 6773e6567a9353c3a9c758f6785ac49f8f1a3d37
Author: Arjan van de Ven
Date:   Sun Sep 22 11:12:35 2019 -0300

    silence rapl

commit c9a59a82366b700666ddda9e344c73198391b192
Author: Greg Kroah-Hartman
Date:   Sat Sep 21 07:19:47 2019 +0200

    Linux 5.3.1

commit 4cb2667a5f331f83e1734a4bf5307f355bd0437a
Author: Sean Young
Date:   Wed Jul 3 10:52:39 2019 -0400

    media: technisat-usb2: break out of loop at end of buffer

    commit 0c4df39e504bf925ab666132ac3c98d6cbbe380b upstream.

    Ensure we do not access the buffer beyond the end if no 0xff byte is
    encountered.

    Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
    Signed-off-by: Sean Young
    Reviewed-by: Kees Cook
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit b0f0ddf732704035344ca2aff5f70a9745754cb8
Author: Jann Horn
Date:   Tue Mar 26 23:03:48 2019 +0100

    floppy: fix usercopy direction

    commit 52f6f9d74f31078964ca1574f7bb612da7877ac8 upstream.

    As sparse points out, these two copy_from_user() should actually be
    copy_to_user().

    Fixes: 229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c")
    Cc: stable@vger.kernel.org
    Acked-by: Alexander Popov
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Jann Horn
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 0522179927debcb66cdece34ad1c63018ee058ec
Author: Bjorn Andersson
Date:   Mon Aug 5 17:42:56 2019 -0700

    phy: qcom-qmp: Correct ready status, again

    commit 14ced7e3a1ae9bed7051df3718c8c7b583854a5c upstream.

    Despite extensive testing of commit 885bd765963b ("phy: qcom-qmp:
    Correct READY_STATUS poll break condition") I failed to conclude that
    the PHYSTATUS bit of the PCS_STATUS register used in PCIe and USB3
    falls as the PHY gets ready. Similar to the prior bug with UFS the
    code will generally get past the check before the transition and
    thereby "succeed".
    Correct the name of the register used PCIe and USB3 PHYs, replace
    mask_pcs_ready with a constant expression depending on the type of the
    PHY and check for the appropriate ready state.

    Cc: stable@vger.kernel.org
    Cc: Vivek Gautam
    Cc: Evan Green
    Cc: Niklas Cassel
    Reported-by: Marc Gonzalez
    Fixes: 885bd765963b ("phy: qcom-qmp: Correct READY_STATUS poll break condition")
    Signed-off-by: Bjorn Andersson
    Tested-by: Marc Gonzalez
    Signed-off-by: Kishon Vijay Abraham I
    Signed-off-by: Greg Kroah-Hartman

commit b66df96b7863a240a2247f920d103eac93f9c7c5
Author: Amir Goldstein
Date:   Fri Jul 12 15:24:34 2019 +0300

    ovl: fix regression caused by overlapping layers detection

    commit 0be0bfd2de9dfdd2098a9c5b14bdd8f739c9165d upstream.

    Once upon a time, commit 2cac0c00a6cd ("ovl: get exclusive ownership
    on upper/work dirs") in v4.13 added some sanity checks on overlayfs
    layers. This change caused a docker regression. The root cause was
    mount leaks by docker, which as far as I know, still exist.

    To mitigate the regression, commit 85fdee1eef1a ("ovl: fix regression
    caused by exclusive upper/work dir protection") in v4.14 turned the
    mount errors into warnings for the default index=off configuration.

    Recently, commit 146d62e5a586 ("ovl: detect overlapping layers") in
    v5.2, re-introduced exclusive upper/work dir checks regardless of
    index=off configuration.

    This changes the status quo and mount leak related bug reports have
    started to re-surface. Restore the status quo to fix the regressions.
    To clarify, index=off does NOT relax overlapping layers check for this
    overlayfs mount. index=off only relaxes exclusive upper/work dir
    checks with another overlayfs mount.

    To cover the part of overlapping layers detection that used the
    exclusive upper/work dir checks to detect overlap with self upper/work
    dir, add a trap also on the work base dir.

    Link: https://github.com/moby/moby/issues/34672
    Link: https://lore.kernel.org/linux-fsdevel/20171006121405.GA32700@veci.piliscsaba.szeredi.hu/
    Link: https://github.com/containers/libpod/issues/3540
    Fixes: 146d62e5a586 ("ovl: detect overlapping layers")
    Cc: # v4.19+
    Signed-off-by: Amir Goldstein
    Tested-by: Colin Walters
    Signed-off-by: Miklos Szeredi
    Signed-off-by: Greg Kroah-Hartman

commit bcf36285df497b68c0c43e82bd32ba9e255ccc2e
Author: Will Deacon
Date:   Thu Aug 22 14:58:37 2019 +0100

    Revert "arm64: Remove unnecessary ISBs from set_{pte,pmd,pud}"

    commit d0b7a302d58abe24ed0f32a0672dd4c356bb73db upstream.

    This reverts commit 24fe1b0efad4fcdd32ce46cffeab297f22581707.

    Commit 24fe1b0efad4fcdd ("arm64: Remove unnecessary ISBs from
    set_{pte,pmd,pud}") removed ISB instructions immediately following
    updates to the page table, on the grounds that they are not required
    by the architecture and a DSB alone is sufficient to ensure that
    subsequent data accesses use the new translation:

      DDI0487E_a, B2-128:

      | ... no instruction that appears in program order after the DSB
      | instruction can alter any state of the system or perform any part of
      | its functionality until the DSB completes other than:
      |
      | * Being fetched from memory and decoded
      | * Reading the general-purpose, SIMD and floating-point,
      | Special-purpose, or System registers that are directly or indirectly
      | read without causing side-effects.

    However, the same document also states the following:

      DDI0487E_a, B2-125:

      | DMB and DSB instructions affect reads and writes to the memory system
      | generated by Load/Store instructions and data or unified cache
      | maintenance instructions being executed by the PE. Instruction fetches
      | or accesses caused by a hardware translation table access are not
      | explicit accesses.

    which appears to claim that the DSB alone is insufficient.
    Unfortunately, some CPU designers have followed the second clause
    above, whereas in Linux we've been relying on the first.
    This means that our mapping sequence:

        MOV     X0,
        STR     X0, [Xptep]     // Store new PTE to page table
        DSB     ISHST
        LDR     X1, [X2]        // Translates using the new PTE

    can actually raise a translation fault on the load instruction because
    the translation can be performed speculatively before the page table
    update and then marked as "faulting" by the CPU. For user PTEs, this
    is ok because we can handle the spurious fault, but for kernel PTEs
    and intermediate table entries this results in a panic().

    Revert the offending commit to reintroduce the missing barriers.

    Cc:
    Fixes: 24fe1b0efad4fcdd ("arm64: Remove unnecessary ISBs from set_{pte,pmd,pud}")
    Reviewed-by: Mark Rutland
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit 27c4c40c8f6178ae172299be4ff835bcf5b33eb8
Author: Masashi Honma
Date:   Sun Sep 8 09:56:53 2019 +0900

    nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds

    commit 4b2c5a14cd8005a900075f7dfec87473c6ee66fb upstream.

    commit 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI
    thresholds") was incomplete and requires one more fix to prevent
    accessing to rssi_thresholds[n] because user can control
    rssi_thresholds[i] values to make i reach to n. For example,
    rssi_thresholds = {-400, -300, -200, -100} when last is -34.

    Cc: stable@vger.kernel.org
    Fixes: 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds")
    Reported-by: Dan Carpenter
    Signed-off-by: Masashi Honma
    Link: https://lore.kernel.org/r/20190908005653.17433-1-masashi.honma@gmail.com
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit e5581ce3a688f8780a846f89a8543dea98faf3db
Author: Razvan Stefanescu
Date:   Tue Aug 13 10:40:25 2019 +0300

    tty/serial: atmel: reschedule TX after RX was started

    commit d2ace81bf902a9f11d52e59e5d232d2255a0e353 upstream.

    When half-duplex RS485 communication is used, after RX is started, TX
    tasklet still needs to be scheduled tasklet.
    This avoids console freezing when more data is to be transmitted, if
    the serial communication is not closed.

    Fixes: 69646d7a3689 ("tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped")
    Signed-off-by: Razvan Stefanescu
    Cc: stable
    Link: https://lore.kernel.org/r/20190813074025.16218-1-razvan.stefanescu@microchip.com
    Signed-off-by: Greg Kroah-Hartman

commit 2177f6383e59b9846a1b8cfb55881b9d9d102d23
Author: Chunyan Zhang
Date:   Thu Sep 5 15:41:51 2019 +0800

    serial: sprd: correct the wrong sequence of arguments

    commit 9c801e313195addaf11c16e155f50789d6ebfd19 upstream.

    The sequence of arguments which was passed to handle_lsr_errors()
    didn't match the parameters defined in that function, &lsr was passed
    to flag and &flag was passed to lsr, this patch fixed that.

    Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support")
    Signed-off-by: Chunyan Zhang
    Signed-off-by: Chunyan Zhang
    Cc: stable
    Link: https://lore.kernel.org/r/20190905074151.5268-1-zhang.lyra@gmail.com
    Signed-off-by: Greg Kroah-Hartman

commit 357e8b344c4e0a51b9bee7715d07b8c7f64a9045
Author: Hung-Te Lin
Date:   Fri Aug 30 10:23:58 2019 +0800

    firmware: google: check if size is valid when decoding VPD data

    commit 4b708b7b1a2c09fbdfff6b942ebe3a160213aacd upstream.

    The VPD implementation from Chromium Vital Product Data project used
    to parse data from untrusted input without checking if the meta data
    is invalid or corrupted. For example, the size from decoded content
    may be negative value, or larger than whole input buffer. Such invalid
    data may cause buffer overflow.

    To fix that, the size parameters passed to vpd_decode functions should
    be changed to unsigned integer (u32) type, and the parsing of entry
    header should be refactored so every size field is correctly verified
    before starting to decode.

    Fixes: ad2ac9d5c5e0 ("firmware: Google VPD: import lib_vpd source files")
    Signed-off-by: Hung-Te Lin
    Cc: stable
    Reviewed-by: Guenter Roeck
    Reviewed-by: Stephen Boyd
    Link: https://lore.kernel.org/r/20190830022402.214442-1-hungte@chromium.org
    Signed-off-by: Greg Kroah-Hartman

commit 9695dcbc8868d6a0695e232bfb7d9365ee5ad740
Author: Jonathan Neuschäfer
Date:   Mon Aug 12 18:07:04 2019 +0200

    Documentation: sphinx: Add missing comma to list of strings

    commit 11fec009d97e5bd2329ef7d52d71e9f6763f1048 upstream.

    In Python, like in C, when a comma is omitted in a list of strings,
    the two strings around the missing comma are concatenated.

    Cc: stable@vger.kernel.org # v5.2 only
    Signed-off-by: Jonathan Neuschäfer
    Reviewed-by: Mauro Carvalho Chehab
    Signed-off-by: Jonathan Corbet
    Signed-off-by: Greg Kroah-Hartman

commit 6a2503b7ae2d58f52c3d1f47978abc4d2fd1b049
Author: Matt Delco
Date:   Mon Sep 16 14:16:54 2019 -0700

    KVM: coalesced_mmio: add bounds checking

    commit b60fe990c6b07ef6d4df67bc0530c7c90a62623a upstream.

    The first/last indexes are typically shared with a user app. The app
    can change the 'last' index that the kernel uses to store the next
    result. This change sanity checks the index before using it for
    writing to a potentially arbitrary address.

    This fixes CVE-2019-14821.

    Cc: stable@vger.kernel.org
    Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
    Signed-off-by: Matt Delco
    Signed-off-by: Jim Mattson
    Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
    [Use READ_ONCE. - Paolo]
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

commit 951328b933c0082e47364fdf1874aaf735a5fd4c
Author: Jose Abreu
Date:   Fri Sep 13 11:50:32 2019 +0200

    net: stmmac: Hold rtnl lock in suspend/resume callbacks

    [ Upstream commit 19e13cb27b998ff49f07e399b5871bfe5ba7e3f0 ]

    We need to hold rtnl lock in suspend and resume callbacks because
    phylink requires it. Otherwise we will get a WARN() in suspend and
    resume.
    Also, move phylink start and stop callbacks to inside device's
    internal lock so that we prevent concurrent HW accesses.

    Fixes: 74371272f97f ("net: stmmac: Convert to phylink and remove phylib logic")
    Reported-by: Christophe ROULLIER
    Tested-by: Christophe ROULLIER
    Signed-off-by: Jose Abreu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a2c430eb2b670db010cd76cd38b1cae8c233206f
Author: Andrew Lunn
Date:   Thu Sep 12 15:16:45 2019 +0200

    net: dsa: Fix load order between DSA drivers and taggers

    [ Upstream commit 23426a25e55a417dc104df08781b6eff95e65f3f ]

    The DSA core, DSA taggers and DSA drivers all make use of
    module_init(). Hence they get initialised at device_initcall() time.
    The ordering is non-deterministic. It can be a DSA driver is bound to
    a device before the needed tag driver has been initialised, resulting
    in the message:

        No tagger for this switch

    Rather than have this be fatal, return -EPROBE_DEFER so that it is
    tried again later once all the needed drivers have been loaded.

    Fixes: d3b8c04988ca ("dsa: Add boilerplate helper to register DSA tag driver modules")
    Signed-off-by: Andrew Lunn
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0f584be1231f718467ba7976526926d5e274394c
Author: Dongli Zhang
Date:   Mon Sep 16 11:46:59 2019 +0800

    xen-netfront: do not assume sk_buff_head list is empty in error handling

    [ Upstream commit 00b368502d18f790ab715e055869fd4bb7484a9b ]

    When skb_shinfo(skb) is not able to cache extra fragment (that is,
    skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS), xennet_fill_frags()
    assumes the sk_buff_head list is already empty. As a result, cons is
    increased only by 1 and returns to error handling path in
    xennet_poll().

    However, if the sk_buff_head list is not empty, queue->rx.rsp_cons may
    be set incorrectly. That is, queue->rx.rsp_cons would point to the rx
    ring buffer entries whose queue->rx_skbs[i] and
    queue->grant_rx_ref[i] are already cleared to NULL.
    This leads to NULL pointer access in the next iteration to process rx
    ring buffer entries.

    Below is how xennet_poll() does error handling. All remaining entries
    in tmpq are accounted to queue->rx.rsp_cons without assuming how many
    outstanding skbs are remained in the list.

     985 static int xennet_poll(struct napi_struct *napi, int budget)
    ... ...
    1032           if (unlikely(xennet_set_skb_gso(skb, gso))) {
    1033                   __skb_queue_head(&tmpq, skb);
    1034                   queue->rx.rsp_cons += skb_queue_len(&tmpq);
    1035                   goto err;
    1036           }

    It is better to always have the error handling in the same way.

    Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags")
    Signed-off-by: Dongli Zhang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2053770ee6bbe237551df09fdec84282658083a2
Author: Willem de Bruijn
Date:   Thu Sep 12 21:16:39 2019 -0400

    udp: correct reuseport selection with connected sockets

    [ Upstream commit acdcecc61285faed359f1a3568c32089cc3a8329 ]

    UDP reuseport groups can hold a mix of unconnected and connected
    sockets. Ensure that connections only receive all traffic to their
    4-tuple.

    Fast reuseport returns on the first reuseport match on the assumption
    that all matches are equal. Only if connections are present, return to
    the previous behavior of scoring all sockets.

    Record if connections are present and if so (1) treat such connected
    sockets as an independent match from the group, (2) only return
    2-tuple matches from reuseport and (3) do not return on the first
    2-tuple reuseport match to allow for a higher scoring match later.

    New field has_conns is set without locks. No other fields in the
    bitmap are modified at runtime and the field is only ever set
    unconditionally, so an RMW cannot miss a change.

    Fixes: e32ea7e74727 ("soreuseport: fast reuseport UDP socket selection")
    Link: http://lkml.kernel.org/r/CA+FuTSfRP09aJNYRt04SS6qj22ViiOEWaWmLAwX0psk8-PGNxw@mail.gmail.com
    Signed-off-by: Willem de Bruijn
    Acked-by: Paolo Abeni
    Acked-by: Craig Gallek
    Signed-off-by: Willem de Bruijn
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8e18aa20f4f0e5eb8688f6ab9250dfa83517c474
Author: Cong Wang
Date:   Thu Sep 12 10:22:30 2019 -0700

    net_sched: let qdisc_put() accept NULL pointer

    [ Upstream commit 6efb971ba8edfbd80b666f29de12882852f095ae ]

    When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
    pointer which leads to a crash in sfb_destroy(). Similar for
    sch_dsmark.

    Instead of fixing each separately, Linus suggested to just accept NULL
    pointer in qdisc_put(), which would make callers easier.

    (For sch_dsmark, the bug probably exists long before commit
    6529eaba33f0.)

    Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
    Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
    Suggested-by: Linus Torvalds
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Acked-by: Jiri Pirko
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e0426ee9ad505871f8ed12bfd20d7d3ffbdbd241
Author: Paolo Abeni
Date:   Thu Sep 12 12:02:42 2019 +0200

    net/sched: fix race between deactivation and dequeue for NOLOCK qdisc

    [ Upstream commit d518d2ed8640c1cbbbb6f63939e3e65471817367 ]

    The test implemented by some_qdisc_is_busy() is somewhat loosy for
    NOLOCK qdisc, as we may hit the following scenario:

    CPU1                                    CPU2
    // in net_tx_action()
    clear_bit(__QDISC_STATE_SCHED...);
                                            // in some_qdisc_is_busy()
                                            val = (qdisc_is_running(q) ||
                                                   test_bit(__QDISC_STATE_SCHED,
                                                            &q->state));
                                            // here val is 0 but...
    qdisc_run(q)
    // ... CPU1 is going to run the qdisc next

    As a consequence qdisc_run() in net_tx_action() can race with
    qdisc_reset() in dev_qdisc_reset().
    Such race is not possible for !NOLOCK qdisc as both the above bit
    operations are under the root qdisc lock().

    After commit 021a17ed796b ("pfifo_fast: drop unneeded additional lock
    on dequeue") the race can cause use after free and/or null ptr
    dereference, but the root cause is likely older.

    This patch addresses the issue explicitly checking for deactivation
    under the seqlock for NOLOCK qdisc, so that the qdisc_run() in the
    critical scenario becomes a no-op.

    Note that the enqueue() op can still execute concurrently with
    dev_qdisc_reset(), but that is safe due to the skb_array() locking,
    and we can't avoid that for NOLOCK qdiscs.

    Fixes: 021a17ed796b ("pfifo_fast: drop unneeded additional lock on dequeue")
    Reported-by: Li Shuang
    Reported-and-tested-by: Davide Caratti
    Signed-off-by: Paolo Abeni
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a4ffb9801cc61441b85d1173d16dc703a00774fc
Author: Xin Long
Date:   Fri Sep 13 17:45:47 2019 +0800

    ip6_gre: fix a dst leak in ip6erspan_tunnel_xmit

    [ Upstream commit 28e486037747c2180470b77c290d4090ad42f259 ]

    In ip6erspan_tunnel_xmit(), if the skb will not be sent out, it has to
    be freed on the tx_err path. Otherwise when deleting a netns, it would
    cause dst/dev to leak, and dmesg shows:

      unregister_netdevice: waiting for lo to become free. Usage count = 1

    Fixes: ef7baf5e083c ("ip6_gre: add ip6 erspan collect_md mode")
    Signed-off-by: Xin Long
    Acked-by: William Tu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 80691afb66dcc5aca818977ae6fc5b63c4d0ec2b
Author: Yoshihiro Shimoda
Date:   Tue Aug 6 17:51:19 2019 +0900

    phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current

    commit e6839c31a608e79f2057fab987dd814f5d3477e6 upstream.

    The hardware manual should be revised, but the initial value of
    VBCTRL.OCCLREN is set to 1 actually.
    If the bit is set, the hardware clears VBCTRL.VBOUT and
    ADPCTRL.DRVVBUS registers automatically when the hardware detects
    over-current signal from a USB power switch. However, since the
    hardware doesn't have any registers which indicates over-current, the
    driver cannot handle it at all. So, if "is_otg_channel" hardware
    detects over-current, since ADPCTRL.DRVVBUS register is cleared
    automatically, the channel cannot be used after that.

    To resolve this behavior, this patch sets the VBCTRL.OCCLREN to 0 to
    keep ADPCTRL.DRVVBUS even if the "is_otg_channel" hardware detects
    over-current. (We assume a USB power switch itself protects
    over-current and turns the VBUS off.)

    This patch is inspired by a BSP patch from Kazuya Mizuguchi.

    Fixes: 1114e2d31731 ("phy: rcar-gen3-usb2: change the mode to OTG on the combined channel")
    Cc: # v4.5+
    Signed-off-by: Yoshihiro Shimoda
    Signed-off-by: Kishon Vijay Abraham I
    Signed-off-by: Greg Kroah-Hartman

commit b7f870510384cefdf5dfd5ed2da26e7780cd0901
Author: Sean Young
Date:   Tue Aug 13 13:45:09 2019 -0300

    media: tm6000: double free if usb disconnect while streaming

    commit 699bf94114151aae4dceb2d9dbf1a6312839dcae upstream.

    The usb_bulk_urb will be kfree'd on disconnect, so ensure the pointer
    is set to NULL after each free.

    stop stream
    urb killing
    urb buffer free
    tm6000: got start feed request tm6000_start_feed
    tm6000: got start stream request tm6000_start_stream
    tm6000: pipe reset
    tm6000: got start feed request tm6000_start_feed
    tm6000: got start feed request tm6000_start_feed
    tm6000: got start feed request tm6000_start_feed
    tm6000: got start feed request tm6000_start_feed
    tm6000: IR URB failure: status: -71, length 0
    xhci_hcd 0000:00:14.0: ERROR unknown event type 37
    xhci_hcd 0000:00:14.0: ERROR unknown event type 37
    tm6000: error tm6000_urb_received
    usb 1-2: USB disconnect, device number 5
    tm6000: disconnecting tm6000 #0
    ==================================================================
    BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
    Read of size 8 at addr ffff888241044060 by task kworker/2:0/22

    CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G W 5.3.0-rc4+ #1
    Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
    Workqueue: usb_hub_wq hub_event
    Call Trace:
     dump_stack+0x9a/0xf0
     print_address_description.cold+0xae/0x34f
     __kasan_report.cold+0x75/0x93
     ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
     ? dvb_fini+0x75/0x140 [tm6000_dvb]
     kasan_report+0xe/0x12
     dvb_fini+0x75/0x140 [tm6000_dvb]
     tm6000_close_extension+0x51/0x80 [tm6000]
     tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
     usb_unbind_interface+0xe4/0x390
     device_release_driver_internal+0x121/0x250
     bus_remove_device+0x197/0x260
     device_del+0x268/0x550
     ? __device_links_no_driver+0xd0/0xd0
     ? usb_remove_ep_devs+0x30/0x3b
     usb_disable_device+0x122/0x400
     usb_disconnect+0x153/0x430
     hub_event+0x800/0x1e40
     ? trace_hardirqs_on_thunk+0x1a/0x20
     ? hub_port_debounce+0x1f0/0x1f0
     ? retint_kernel+0x10/0x10
     ? lock_is_held_type+0xf1/0x130
     ? hub_port_debounce+0x1f0/0x1f0
     ? process_one_work+0x4ae/0xa00
     process_one_work+0x4ba/0xa00
     ? pwq_dec_nr_in_flight+0x160/0x160
     ? do_raw_spin_lock+0x10a/0x1d0
     worker_thread+0x7a/0x5c0
     ? process_one_work+0xa00/0xa00
     kthread+0x1d5/0x200
     ? kthread_create_worker_on_cpu+0xd0/0xd0
     ret_from_fork+0x3a/0x50

    Allocated by task 2682:
     save_stack+0x1b/0x80
     __kasan_kmalloc.constprop.0+0xc2/0xd0
     usb_alloc_urb+0x28/0x60
     tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
     dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
     dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
     dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
     dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
     dvb_usercopy+0x97/0x1f0 [dvb_core]
     dvb_demux_ioctl+0x11/0x20 [dvb_core]
     do_vfs_ioctl+0x5d8/0x9d0
     ksys_ioctl+0x5e/0x90
     __x64_sys_ioctl+0x3d/0x50
     do_syscall_64+0x74/0xe0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Freed by task 22:
     save_stack+0x1b/0x80
     __kasan_slab_free+0x12c/0x170
     kfree+0xfd/0x3a0
     xhci_giveback_urb_in_irq+0xfe/0x230
     xhci_td_cleanup+0x276/0x340
     xhci_irq+0x1129/0x3720
     __handle_irq_event_percpu+0x6e/0x420
     handle_irq_event_percpu+0x6f/0x100
     handle_irq_event+0x55/0x84
     handle_edge_irq+0x108/0x3b0
     handle_irq+0x2e/0x40
     do_IRQ+0x83/0x1a0

    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Young
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 9f8dd40c68c176f2c3f1fc8b87bc81756856938f
Author: Alan Stern
Date:   Wed Sep 4 11:56:27 2019 -0400

    USB: usbcore: Fix slab-out-of-bounds bug during device reset

    commit 3dd550a2d36596a1b0ee7955da3b611c031d3873 upstream.
The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:

BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746

CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
memcmp+0xa6/0xb0 lib/string.c:904
memcmp include/linux/string.h:400 [inline]
descriptors_changed drivers/usb/core/hub.c:5579 [inline]
usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
rt2x00usb_probe+0x53/0x7af drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806

The error occurs when the descriptors_changed() routine (called during a device reset) attempts to compare the old and new BOS and capability descriptors. The length it uses for the comparison is the wTotalLength value stored in BOS descriptor, but this value is not necessarily the same as the length actually allocated for the descriptors. If it is larger the routine will call memcmp() with a length that is too big, thus reading beyond the end of the allocated region and leading to this fault.

The kernel reads the BOS descriptor twice: first to get the total length of all the capability descriptors, and second to read it along with all those other descriptors. A malicious (or very faulty) device may send different values for the BOS descriptor fields each time. The memory area will be allocated using the wTotalLength value read the first time, but stored within it will be the value read the second time.

To prevent this possibility from causing any errors, this patch modifies the BOS descriptor after it has been read the second time: It sets the wTotalLength field to the actual length of the descriptors that were read in and validated. Then the memcpy() call, or any other code using these descriptors, will be able to rely on wTotalLength being valid.

Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com
Signed-off-by: Alan Stern
CC:
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman