--- /dev/null
+From 889b331724c82c11e15ba0a60979cf7bded0a26c Mon Sep 17 00:00:00 2001
+From: Lu Shuaibing <shuaibinglu@126.com>
+Date: Mon, 3 Feb 2020 17:34:46 -0800
+Subject: ipc/msg.c: consolidate all xxxctl_down() functions
+
+From: Lu Shuaibing <shuaibinglu@126.com>
+
+commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
+
+A use of uninitialized memory in msgctl_down() because msqid64 in
+ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
+ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
+is never initialized before msgctl_down() checks msqid64->msg_qbytes.
+
+KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
+reports:
+
+==================================================================
+BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
+Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
+
+CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack+0x75/0xae
+ __kumsan_report+0x17c/0x3e6
+ kumsan_report+0xe/0x20
+ msgctl_down+0x94/0x300
+ ksys_msgctl.constprop.14+0xef/0x260
+ do_syscall_64+0x7e/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x4400e9
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
+R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
+R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x100000000000000()
+raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kumsan: bad access detected
+==================================================================
+
+Syzkaller reproducer:
+msgctl$IPC_RMID(0x0, 0x0)
+
+C reproducer:
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+int main(void)
+{
+ syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+ syscall(__NR_msgctl, 0, 0, 0);
+ return 0;
+}
+
+[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
+ Link: https://github.com/ClangBuiltLinux/linux/issues/829
+ Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
+Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
+Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: NeilBrown <neilb@suse.com>
+From: Andrew Morton <akpm@linux-foundation.org>
+Subject: ipc/msg.c: consolidate all xxxctl_down() functions
+
+Each line here overflows 80 cols by exactly one character. Delete one tab
+per line to fix.
+
+Cc: Shaohua Li <shli@fb.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/msg.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -377,7 +377,7 @@ copy_msqid_from_user(struct msqid64_ds *
+ * NOTE: no locks must be held, the rwsem is taken inside this function.
+ */
+ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+- struct msqid64_ds *msqid64)
++ struct ipc64_perm *perm, int msg_qbytes)
+ {
+ struct kern_ipc_perm *ipcp;
+ struct msg_queue *msq;
+@@ -387,7 +387,7 @@ static int msgctl_down(struct ipc_namesp
+ rcu_read_lock();
+
+ ipcp = ipcctl_obtain_check(ns, &msg_ids(ns), msqid, cmd,
+- &msqid64->msg_perm, msqid64->msg_qbytes);
++ perm, msg_qbytes);
+ if (IS_ERR(ipcp)) {
+ err = PTR_ERR(ipcp);
+ goto out_unlock1;
+@@ -409,18 +409,18 @@ static int msgctl_down(struct ipc_namesp
+ {
+ DEFINE_WAKE_Q(wake_q);
+
+- if (msqid64->msg_qbytes > ns->msg_ctlmnb &&
++ if (msg_qbytes > ns->msg_ctlmnb &&
+ !capable(CAP_SYS_RESOURCE)) {
+ err = -EPERM;
+ goto out_unlock1;
+ }
+
+ ipc_lock_object(&msq->q_perm);
+- err = ipc_update_perm(&msqid64->msg_perm, ipcp);
++ err = ipc_update_perm(perm, ipcp);
+ if (err)
+ goto out_unlock0;
+
+- msq->q_qbytes = msqid64->msg_qbytes;
++ msq->q_qbytes = msg_qbytes;
+
+ msq->q_ctime = ktime_get_real_seconds();
+ /*
+@@ -601,9 +601,10 @@ static long ksys_msgctl(int msqid, int c
+ case IPC_SET:
+ if (copy_msqid_from_user(&msqid64, buf, version))
+ return -EFAULT;
+- /* fallthru */
++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm,
++ msqid64.msg_qbytes);
+ case IPC_RMID:
+- return msgctl_down(ns, msqid, cmd, &msqid64);
++ return msgctl_down(ns, msqid, cmd, NULL, 0);
+ default:
+ return -EINVAL;
+ }
+@@ -735,9 +736,9 @@ static long compat_ksys_msgctl(int msqid
+ case IPC_SET:
+ if (copy_compat_msqid_from_user(&msqid64, uptr, version))
+ return -EFAULT;
+- /* fallthru */
++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, msqid64.msg_qbytes);
+ case IPC_RMID:
+- return msgctl_down(ns, msqid, cmd, &msqid64);
++ return msgctl_down(ns, msqid, cmd, NULL, 0);
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 68035c80e129c4cfec659aac4180354530b26527 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 8 Nov 2019 16:48:38 +0100
+Subject: media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
+
+From: Will Deacon <will@kernel.org>
+
+commit 68035c80e129c4cfec659aac4180354530b26527 upstream.
+
+Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
+up the following WARNING from the UVC chain scanning code:
+
+ | list_add double add: new=ffff880069084010, prev=ffff880069084010,
+ | next=ffff880067d22298.
+ | ------------[ cut here ]------------
+ | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
+ | Modules linked in:
+ | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
+ | 4.14.0-rc2-42613-g1488251d1a98 #238
+ | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ | Workqueue: usb_hub_wq hub_event
+ | task: ffff88006b01ca40 task.stack: ffff880064358000
+ | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
+ | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
+ | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
+ | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
+ | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
+ | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
+ | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
+ | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
+ | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
+ | Call Trace:
+ | __list_add ./include/linux/list.h:59
+ | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
+ | uvc_scan_chain_forward.isra.8+0x373/0x416
+ | drivers/media/usb/uvc/uvc_driver.c:1471
+ | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
+ | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
+ | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
+
+Looking into the output from usbmon, the interesting part is the
+following data packet:
+
+ ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
+ 00090403 00000e01 00000924 03000103 7c003328 010204db
+
+If we drop the lead configuration and interface descriptors, we're left
+with an output terminal descriptor describing a generic display:
+
+ /* Output terminal descriptor */
+ buf[0] 09
+ buf[1] 24
+ buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */
+ buf[3] 00 /* ID */
+ buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */
+ buf[5] 03
+ buf[6] 7c
+ buf[7] 00 /* source ID refers to self! */
+ buf[8] 33
+
+The problem with this descriptor is that it is self-referential: the
+source ID of 0 matches itself! This causes the 'struct uvc_entity'
+representing the display to be added to its chain list twice during
+'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
+processed directly from the 'dev->entities' list and then again
+immediately afterwards when trying to follow the source ID in
+'uvc_scan_chain_forward()'
+
+Add a check before adding an entity to a chain list to ensure that the
+entity is not already part of a chain.
+
+Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/
+
+Cc: <stable@vger.kernel.org>
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1493,6 +1493,11 @@ static int uvc_scan_chain_forward(struct
+ break;
+ if (forward == prev)
+ continue;
++ if (forward->chain.next || forward->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n", forward->id);
++ return -EINVAL;
++ }
+
+ switch (UVC_ENTITY_TYPE(forward)) {
+ case UVC_VC_EXTENSION_UNIT:
+@@ -1574,6 +1579,13 @@ static int uvc_scan_chain_backward(struc
+ return -1;
+ }
+
++ if (term->chain.next || term->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n",
++ term->id);
++ return -EINVAL;
++ }
++
+ if (uvc_trace_param & UVC_TRACE_PROBE)
+ printk(KERN_CONT " %d", term->id);
+
--- /dev/null
+From 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 21 Nov 2019 11:28:10 +0100
+Subject: mfd: dln2: More sanity checking for endpoints
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca upstream.
+
+It is not enough to check for the number of endpoints.
+The types must also be correct.
+
+Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/dln2.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/dln2.c
++++ b/drivers/mfd/dln2.c
+@@ -722,6 +722,8 @@ static int dln2_probe(struct usb_interfa
+ const struct usb_device_id *usb_id)
+ {
+ struct usb_host_interface *hostif = interface->cur_altsetting;
++ struct usb_endpoint_descriptor *epin;
++ struct usb_endpoint_descriptor *epout;
+ struct device *dev = &interface->dev;
+ struct dln2_dev *dln2;
+ int ret;
+@@ -731,12 +733,19 @@ static int dln2_probe(struct usb_interfa
+ hostif->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
++ epin = &hostif->endpoint[0].desc;
++ epout = &hostif->endpoint[1].desc;
++ if (!usb_endpoint_is_bulk_out(epout))
++ return -ENODEV;
++ if (!usb_endpoint_is_bulk_in(epin))
++ return -ENODEV;
++
+ dln2 = kzalloc(sizeof(*dln2), GFP_KERNEL);
+ if (!dln2)
+ return -ENOMEM;
+
+- dln2->ep_out = hostif->endpoint[0].desc.bEndpointAddress;
+- dln2->ep_in = hostif->endpoint[1].desc.bEndpointAddress;
++ dln2->ep_out = epout->bEndpointAddress;
++ dln2->ep_in = epin->bEndpointAddress;
+ dln2->usb_dev = usb_get_dev(interface_to_usbdev(interface));
+ dln2->interface = interface;
+ usb_set_intfdata(interface, dln2);
--- /dev/null
+From 5038517119d50ed0240059b1d7fc2faa92371c08 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kadlecsik=20J=C3=B3zsef?= <kadlec@blackhole.kfki.hu>
+Date: Sat, 25 Jan 2020 20:39:25 +0100
+Subject: netfilter: ipset: fix suspicious RCU usage in find_set_and_id
+
+From: Kadlecsik József <kadlec@blackhole.kfki.hu>
+
+commit 5038517119d50ed0240059b1d7fc2faa92371c08 upstream.
+
+find_set_and_id() is called when the NFNL_SUBSYS_IPSET mutex is held.
+However, in the error path there can be a follow-up recvmsg() without
+the mutex held. Use the start() function of struct netlink_dump_control
+instead of dump() to verify and report if the specified set does not
+exist.
+
+Thanks to Pablo Neira Ayuso for helping me to understand the subleties
+of the netlink protocol.
+
+Reported-by: syzbot+fc69d7cb21258ab4ae4d@syzkaller.appspotmail.com
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_core.c | 41 +++++++++++++++++++-------------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1293,31 +1293,34 @@ ip_set_dump_policy[IPSET_ATTR_CMD_MAX +
+ };
+
+ static int
+-dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
++ip_set_dump_start(struct netlink_callback *cb)
+ {
+ struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
+ int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
+ struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
+ struct nlattr *attr = (void *)nlh + min_len;
++ struct sk_buff *skb = cb->skb;
++ struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk));
+ u32 dump_type;
+- ip_set_id_t index;
+ int ret;
+
+ ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, attr,
+ nlh->nlmsg_len - min_len,
+ ip_set_dump_policy, NULL);
+ if (ret)
+- return ret;
++ goto error;
+
+ cb->args[IPSET_CB_PROTO] = nla_get_u8(cda[IPSET_ATTR_PROTOCOL]);
+ if (cda[IPSET_ATTR_SETNAME]) {
++ ip_set_id_t index;
+ struct ip_set *set;
+
+ set = find_set_and_id(inst, nla_data(cda[IPSET_ATTR_SETNAME]),
+ &index);
+- if (!set)
+- return -ENOENT;
+-
++ if (!set) {
++ ret = -ENOENT;
++ goto error;
++ }
+ dump_type = DUMP_ONE;
+ cb->args[IPSET_CB_INDEX] = index;
+ } else {
+@@ -1333,10 +1336,17 @@ dump_init(struct netlink_callback *cb, s
+ cb->args[IPSET_CB_DUMP] = dump_type;
+
+ return 0;
++
++error:
++ /* We have to create and send the error message manually :-( */
++ if (nlh->nlmsg_flags & NLM_F_ACK) {
++ netlink_ack(cb->skb, nlh, ret, NULL);
++ }
++ return ret;
+ }
+
+ static int
+-ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
++ip_set_dump_do(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ ip_set_id_t index = IPSET_INVALID_ID, max;
+ struct ip_set *set = NULL;
+@@ -1347,18 +1357,8 @@ ip_set_dump_start(struct sk_buff *skb, s
+ bool is_destroyed;
+ int ret = 0;
+
+- if (!cb->args[IPSET_CB_DUMP]) {
+- ret = dump_init(cb, inst);
+- if (ret < 0) {
+- nlh = nlmsg_hdr(cb->skb);
+- /* We have to create and send the error message
+- * manually :-(
+- */
+- if (nlh->nlmsg_flags & NLM_F_ACK)
+- netlink_ack(cb->skb, nlh, ret, NULL);
+- return ret;
+- }
+- }
++ if (!cb->args[IPSET_CB_DUMP])
++ return -EINVAL;
+
+ if (cb->args[IPSET_CB_INDEX] >= inst->ip_set_max)
+ goto out;
+@@ -1494,7 +1494,8 @@ static int ip_set_dump(struct net *net,
+
+ {
+ struct netlink_dump_control c = {
+- .dump = ip_set_dump_start,
++ .start = ip_set_dump_start,
++ .dump = ip_set_dump_do,
+ .done = ip_set_dump_done,
+ };
+ return netlink_dump_start(ctnl, skb, nlh, &c);
--- /dev/null
+From 6935c3983b246d5fbfebd3b891c825e65c118f2d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Oct 2019 14:21:54 -0700
+Subject: rcu: Avoid data-race in rcu_gp_fqs_check_wake()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6935c3983b246d5fbfebd3b891c825e65c118f2d upstream.
+
+The rcu_gp_fqs_check_wake() function uses rcu_preempt_blocked_readers_cgp()
+to read ->gp_tasks while other cpus might overwrite this field.
+
+We need READ_ONCE()/WRITE_ONCE() pairs to avoid compiler
+tricks and KCSAN splats like the following :
+
+BUG: KCSAN: data-race in rcu_gp_fqs_check_wake / rcu_preempt_deferred_qs_irqrestore
+
+write to 0xffffffff85a7f190 of 8 bytes by task 7317 on cpu 0:
+ rcu_preempt_deferred_qs_irqrestore+0x43d/0x580 kernel/rcu/tree_plugin.h:507
+ rcu_read_unlock_special+0xec/0x370 kernel/rcu/tree_plugin.h:659
+ __rcu_read_unlock+0xcf/0xe0 kernel/rcu/tree_plugin.h:394
+ rcu_read_unlock include/linux/rcupdate.h:645 [inline]
+ __ip_queue_xmit+0x3b0/0xa40 net/ipv4/ip_output.c:533
+ ip_queue_xmit+0x45/0x60 include/net/ip.h:236
+ __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158
+ __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685
+ tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691
+ tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575
+ tcp_recvmsg+0x633/0x1a30 net/ipv4/tcp.c:2179
+ inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
+ sock_recvmsg_nosec net/socket.c:871 [inline]
+ sock_recvmsg net/socket.c:889 [inline]
+ sock_recvmsg+0x92/0xb0 net/socket.c:885
+ sock_read_iter+0x15f/0x1e0 net/socket.c:967
+ call_read_iter include/linux/fs.h:1864 [inline]
+ new_sync_read+0x389/0x4f0 fs/read_write.c:414
+
+read to 0xffffffff85a7f190 of 8 bytes by task 10 on cpu 1:
+ rcu_gp_fqs_check_wake kernel/rcu/tree.c:1556 [inline]
+ rcu_gp_fqs_check_wake+0x93/0xd0 kernel/rcu/tree.c:1546
+ rcu_gp_fqs_loop+0x36c/0x580 kernel/rcu/tree.c:1611
+ rcu_gp_kthread+0x143/0x220 kernel/rcu/tree.c:1768
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 10 Comm: rcu_preempt Not tainted 5.3.0+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+[ paulmck: Added another READ_ONCE() for RCU CPU stall warnings. ]
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/rcu/tree_plugin.h | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -220,7 +220,7 @@ static void rcu_preempt_ctxt_queue(struc
+ * blocked tasks.
+ */
+ if (!rnp->gp_tasks && (blkd_state & RCU_GP_BLKD)) {
+- rnp->gp_tasks = &t->rcu_node_entry;
++ WRITE_ONCE(rnp->gp_tasks, &t->rcu_node_entry);
+ WARN_ON_ONCE(rnp->completedqs == rnp->gp_seq);
+ }
+ if (!rnp->exp_tasks && (blkd_state & RCU_EXP_BLKD))
+@@ -340,7 +340,7 @@ EXPORT_SYMBOL_GPL(rcu_note_context_switc
+ */
+ static int rcu_preempt_blocked_readers_cgp(struct rcu_node *rnp)
+ {
+- return rnp->gp_tasks != NULL;
++ return READ_ONCE(rnp->gp_tasks) != NULL;
+ }
+
+ /* Bias and limit values for ->rcu_read_lock_nesting. */
+@@ -493,7 +493,7 @@ rcu_preempt_deferred_qs_irqrestore(struc
+ trace_rcu_unlock_preempted_task(TPS("rcu_preempt"),
+ rnp->gp_seq, t->pid);
+ if (&t->rcu_node_entry == rnp->gp_tasks)
+- rnp->gp_tasks = np;
++ WRITE_ONCE(rnp->gp_tasks, np);
+ if (&t->rcu_node_entry == rnp->exp_tasks)
+ rnp->exp_tasks = np;
+ if (IS_ENABLED(CONFIG_RCU_BOOST)) {
+@@ -663,7 +663,7 @@ static void rcu_preempt_check_blocked_ta
+ dump_blkd_tasks(rnp, 10);
+ if (rcu_preempt_has_tasks(rnp) &&
+ (rnp->qsmaskinit || rnp->wait_blkd_tasks)) {
+- rnp->gp_tasks = rnp->blkd_tasks.next;
++ WRITE_ONCE(rnp->gp_tasks, rnp->blkd_tasks.next);
+ t = container_of(rnp->gp_tasks, struct task_struct,
+ rcu_node_entry);
+ trace_rcu_unlock_preempted_task(TPS("rcu_preempt-GPS"),
+@@ -757,7 +757,8 @@ dump_blkd_tasks(struct rcu_node *rnp, in
+ pr_info("%s: %d:%d ->qsmask %#lx ->qsmaskinit %#lx ->qsmaskinitnext %#lx\n",
+ __func__, rnp1->grplo, rnp1->grphi, rnp1->qsmask, rnp1->qsmaskinit, rnp1->qsmaskinitnext);
+ pr_info("%s: ->gp_tasks %p ->boost_tasks %p ->exp_tasks %p\n",
+- __func__, rnp->gp_tasks, rnp->boost_tasks, rnp->exp_tasks);
++ __func__, READ_ONCE(rnp->gp_tasks), rnp->boost_tasks,
++ rnp->exp_tasks);
+ pr_info("%s: ->blkd_tasks", __func__);
+ i = 0;
+ list_for_each(lhp, &rnp->blkd_tasks) {
--- /dev/null
+From 15c7c972cd26d89a26788e609c53b5a465324a6c Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@kernel.org>
+Date: Mon, 7 Oct 2019 18:53:18 -0700
+Subject: rcu: Use *_ONCE() to protect lockless ->expmask accesses
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+commit 15c7c972cd26d89a26788e609c53b5a465324a6c upstream.
+
+The rcu_node structure's ->expmask field is accessed locklessly when
+starting a new expedited grace period and when reporting an expedited
+RCU CPU stall warning. This commit therefore handles the former by
+taking a snapshot of ->expmask while the lock is held and the latter
+by applying READ_ONCE() to lockless reads and WRITE_ONCE() to the
+corresponding updates.
+
+Link: https://lore.kernel.org/lkml/CANpmjNNmSOagbTpffHr4=Yedckx9Rm2NuGqC9UqE+AOz5f1-ZQ@mail.gmail.com
+Reported-by: syzbot+134336b86f728d6e55a0@syzkaller.appspotmail.com
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/rcu/tree_exp.h | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/kernel/rcu/tree_exp.h
++++ b/kernel/rcu/tree_exp.h
+@@ -134,7 +134,7 @@ static void __maybe_unused sync_exp_rese
+ rcu_for_each_node_breadth_first(rnp) {
+ raw_spin_lock_irqsave_rcu_node(rnp, flags);
+ WARN_ON_ONCE(rnp->expmask);
+- rnp->expmask = rnp->expmaskinit;
++ WRITE_ONCE(rnp->expmask, rnp->expmaskinit);
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+ }
+ }
+@@ -211,7 +211,7 @@ static void __rcu_report_exp_rnp(struct
+ rnp = rnp->parent;
+ raw_spin_lock_rcu_node(rnp); /* irqs already disabled */
+ WARN_ON_ONCE(!(rnp->expmask & mask));
+- rnp->expmask &= ~mask;
++ WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask);
+ }
+ }
+
+@@ -241,7 +241,7 @@ static void rcu_report_exp_cpu_mult(stru
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+ return;
+ }
+- rnp->expmask &= ~mask;
++ WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask);
+ __rcu_report_exp_rnp(rnp, wake, flags); /* Releases rnp->lock. */
+ }
+
+@@ -372,12 +372,10 @@ static void sync_rcu_exp_select_node_cpu
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+
+ /* IPI the remaining CPUs for expedited quiescent state. */
+- for_each_leaf_node_cpu_mask(rnp, cpu, rnp->expmask) {
++ for_each_leaf_node_cpu_mask(rnp, cpu, mask_ofl_ipi) {
+ unsigned long mask = leaf_node_cpu_bit(rnp, cpu);
+ struct rcu_data *rdp = per_cpu_ptr(&rcu_data, cpu);
+
+- if (!(mask_ofl_ipi & mask))
+- continue;
+ retry_ipi:
+ if (rcu_dynticks_in_eqs_since(rdp, rdp->exp_dynticks_snap)) {
+ mask_ofl_test |= mask;
+@@ -491,7 +489,7 @@ static void synchronize_sched_expedited_
+ struct rcu_data *rdp;
+
+ mask = leaf_node_cpu_bit(rnp, cpu);
+- if (!(rnp->expmask & mask))
++ if (!(READ_ONCE(rnp->expmask) & mask))
+ continue;
+ ndetected++;
+ rdp = per_cpu_ptr(&rcu_data, cpu);
+@@ -503,7 +501,8 @@ static void synchronize_sched_expedited_
+ }
+ pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n",
+ jiffies - jiffies_start, rcu_state.expedited_sequence,
+- rnp_root->expmask, ".T"[!!rnp_root->exp_tasks]);
++ READ_ONCE(rnp_root->expmask),
++ ".T"[!!rnp_root->exp_tasks]);
+ if (ndetected) {
+ pr_err("blocking rcu_node structures:");
+ rcu_for_each_node_breadth_first(rnp) {
+@@ -513,7 +512,7 @@ static void synchronize_sched_expedited_
+ continue;
+ pr_cont(" l=%u:%d-%d:%#lx/%c",
+ rnp->level, rnp->grplo, rnp->grphi,
+- rnp->expmask,
++ READ_ONCE(rnp->expmask),
+ ".T"[!!rnp->exp_tasks]);
+ }
+ pr_cont("\n");
+@@ -521,7 +520,7 @@ static void synchronize_sched_expedited_
+ rcu_for_each_leaf_node(rnp) {
+ for_each_leaf_node_possible_cpu(rnp, cpu) {
+ mask = leaf_node_cpu_bit(rnp, cpu);
+- if (!(rnp->expmask & mask))
++ if (!(READ_ONCE(rnp->expmask) & mask))
+ continue;
+ dump_cpu_task(cpu);
+ }
--- /dev/null
+From c51f83c315c392d9776c33eb16a2fe1349d65c7f Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@kernel.org>
+Date: Mon, 4 Nov 2019 08:22:45 -0800
+Subject: rcu: Use READ_ONCE() for ->expmask in rcu_read_unlock_special()
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+commit c51f83c315c392d9776c33eb16a2fe1349d65c7f upstream.
+
+The rcu_node structure's ->expmask field is updated only when holding the
+->lock, but is also accessed locklessly. This means that all ->expmask
+updates must use WRITE_ONCE() and all reads carried out without holding
+->lock must use READ_ONCE(). This commit therefore changes the lockless
+->expmask read in rcu_read_unlock_special() to use READ_ONCE().
+
+Reported-by: syzbot+99f4ddade3c22ab0cf23@syzkaller.appspotmail.com
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/rcu/tree_plugin.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -612,7 +612,7 @@ static void rcu_read_unlock_special(stru
+
+ t->rcu_read_unlock_special.b.exp_hint = false;
+ exp = (t->rcu_blocked_node && t->rcu_blocked_node->exp_tasks) ||
+- (rdp->grpmask & rnp->expmask) ||
++ (rdp->grpmask & READ_ONCE(rnp->expmask)) ||
+ tick_nohz_full_cpu(rdp->cpu);
+ // Need to defer quiescent state until everything is enabled.
+ if (irqs_were_disabled && use_softirq &&
maintainers-correct-entries-for-isdn-misdn-section.patch
netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch
bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch
+media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch
+mfd-dln2-more-sanity-checking-for-endpoints.patch
+netfilter-ipset-fix-suspicious-rcu-usage-in-find_set_and_id.patch
+ipc-msg.c-consolidate-all-xxxctl_down-functions.patch
+tracing-kprobes-have-uname-use-__get_str-in-print_fmt.patch
+tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch
+rcu-use-_once-to-protect-lockless-expmask-accesses.patch
+rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch
+srcu-apply-_once-to-srcu_last_gp_end.patch
+rcu-use-read_once-for-expmask-in-rcu_read_unlock_special.patch
--- /dev/null
+From 844a378de3372c923909681706d62336d702531e Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@kernel.org>
+Date: Mon, 4 Nov 2019 08:08:30 -0800
+Subject: srcu: Apply *_ONCE() to ->srcu_last_gp_end
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+commit 844a378de3372c923909681706d62336d702531e upstream.
+
+The ->srcu_last_gp_end field is accessed from any CPU at any time
+by synchronize_srcu(), so non-initialization references need to use
+READ_ONCE() and WRITE_ONCE(). This commit therefore makes that change.
+
+Reported-by: syzbot+08f3e9d26e5541e1ecf2@syzkaller.appspotmail.com
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/rcu/srcutree.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/rcu/srcutree.c
++++ b/kernel/rcu/srcutree.c
+@@ -530,7 +530,7 @@ static void srcu_gp_end(struct srcu_stru
+ idx = rcu_seq_state(ssp->srcu_gp_seq);
+ WARN_ON_ONCE(idx != SRCU_STATE_SCAN2);
+ cbdelay = srcu_get_delay(ssp);
+- ssp->srcu_last_gp_end = ktime_get_mono_fast_ns();
++ WRITE_ONCE(ssp->srcu_last_gp_end, ktime_get_mono_fast_ns());
+ rcu_seq_end(&ssp->srcu_gp_seq);
+ gpseq = rcu_seq_current(&ssp->srcu_gp_seq);
+ if (ULONG_CMP_LT(ssp->srcu_gp_seq_needed_exp, gpseq))
+@@ -762,6 +762,7 @@ static bool srcu_might_be_idle(struct sr
+ unsigned long flags;
+ struct srcu_data *sdp;
+ unsigned long t;
++ unsigned long tlast;
+
+ /* If the local srcu_data structure has callbacks, not idle. */
+ local_irq_save(flags);
+@@ -780,9 +781,9 @@ static bool srcu_might_be_idle(struct sr
+
+ /* First, see if enough time has passed since the last GP. */
+ t = ktime_get_mono_fast_ns();
++ tlast = READ_ONCE(ssp->srcu_last_gp_end);
+ if (exp_holdoff == 0 ||
+- time_in_range_open(t, ssp->srcu_last_gp_end,
+- ssp->srcu_last_gp_end + exp_holdoff))
++ time_in_range_open(t, tlast, tlast + exp_holdoff))
+ return false; /* Too soon after last GP. */
+
+ /* Next, check for probable idleness. */
--- /dev/null
+From 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Sat, 17 Aug 2019 10:12:08 -0400
+Subject: tracing: Fix sched switch start/stop refcount racy updates
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 upstream.
+
+Reading the sched_cmdline_ref and sched_tgid_ref initial state within
+tracing_start_sched_switch without holding the sched_register_mutex is
+racy against concurrent updates, which can lead to tracepoint probes
+being registered more than once (and thus trigger warnings within
+tracepoint.c).
+
+[ May be the fix for this bug ]
+Link: https://lore.kernel.org/r/000000000000ab6f84056c786b93@google.com
+
+Link: http://lkml.kernel.org/r/20190817141208.15226-1-mathieu.desnoyers@efficios.com
+
+Cc: stable@vger.kernel.org
+CC: Steven Rostedt (VMware) <rostedt@goodmis.org>
+CC: Joel Fernandes (Google) <joel@joelfernandes.org>
+CC: Peter Zijlstra <peterz@infradead.org>
+CC: Thomas Gleixner <tglx@linutronix.de>
+CC: Paul E. McKenney <paulmck@linux.ibm.com>
+Reported-by: syzbot+774fddf07b7ab29a1e55@syzkaller.appspotmail.com
+Fixes: d914ba37d7145 ("tracing: Add support for recording tgid of tasks")
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_sched_switch.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_sched_switch.c
++++ b/kernel/trace/trace_sched_switch.c
+@@ -89,8 +89,10 @@ static void tracing_sched_unregister(voi
+
+ static void tracing_start_sched_switch(int ops)
+ {
+- bool sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
++ bool sched_register;
++
+ mutex_lock(&sched_register_mutex);
++ sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
+
+ switch (ops) {
+ case RECORD_CMDLINE:
--- /dev/null
+From 20279420ae3a8ef4c5d9fedc360a2c37a1dbdf1b Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 24 Jan 2020 10:07:42 -0500
+Subject: tracing/kprobes: Have uname use __get_str() in print_fmt
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 20279420ae3a8ef4c5d9fedc360a2c37a1dbdf1b upstream.
+
+Thomas Richter reported:
+
+> Test case 66 'Use vfs_getname probe to get syscall args filenames'
+> is broken on s390, but works on x86. The test case fails with:
+>
+> [root@m35lp76 perf]# perf test -F 66
+> 66: Use vfs_getname probe to get syscall args filenames
+> :Recording open file:
+> [ perf record: Woken up 1 times to write data ]
+> [ perf record: Captured and wrote 0.004 MB /tmp/__perf_test.perf.data.TCdYj\
+> (20 samples) ]
+> Looking at perf.data file for vfs_getname records for the file we touched:
+> FAILED!
+> [root@m35lp76 perf]#
+
+The root cause was the print_fmt of the kprobe event that referenced the
+"ustring"
+
+> Setting up the kprobe event using perf command:
+>
+> # ./perf probe "vfs_getname=getname_flags:72 pathname=filename:ustring"
+>
+> generates this format file:
+> [root@m35lp76 perf]# cat /sys/kernel/debug/tracing/events/probe/\
+> vfs_getname/format
+> name: vfs_getname
+> ID: 1172
+> format:
+> field:unsigned short common_type; offset:0; size:2; signed:0;
+> field:unsigned char common_flags; offset:2; size:1; signed:0;
+> field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+> field:int common_pid; offset:4; size:4; signed:1;
+>
+> field:unsigned long __probe_ip; offset:8; size:8; signed:0;
+> field:__data_loc char[] pathname; offset:16; size:4; signed:1;
+>
+> print fmt: "(%lx) pathname=\"%s\"", REC->__probe_ip, REC->pathname
+
+Instead of using "__get_str(pathname)" it referenced it directly.
+
+Link: http://lkml.kernel.org/r/20200124100742.4050c15e@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Fixes: 88903c464321 ("tracing/probe: Add ustring type for user-space string")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reported-by: Thomas Richter <tmricht@linux.ibm.com>
+Tested-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_probe.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -876,7 +876,8 @@ static int __set_print_fmt(struct trace_
+ for (i = 0; i < tp->nr_args; i++) {
+ parg = tp->args + i;
+ if (parg->count) {
+- if (strcmp(parg->type->name, "string") == 0)
++ if ((strcmp(parg->type->name, "string") == 0) ||
++ (strcmp(parg->type->name, "ustring") == 0))
+ fmt = ", __get_str(%s[%d])";
+ else
+ fmt = ", REC->%s[%d]";
+@@ -884,7 +885,8 @@ static int __set_print_fmt(struct trace_
+ pos += snprintf(buf + pos, LEN_OR_ZERO,
+ fmt, parg->name, j);
+ } else {
+- if (strcmp(parg->type->name, "string") == 0)
++ if ((strcmp(parg->type->name, "string") == 0) ||
++ (strcmp(parg->type->name, "ustring") == 0))
+ fmt = ", __get_str(%s)";
+ else
+ fmt = ", REC->%s";
projects / thirdparty / kernel / stable-queue.git / commitdiff
