+++ /dev/null
-From 7b3eef0f60b36cee8ff2b751044a142c7b27af14 Mon Sep 17 00:00:00 2001
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Thu, 21 Feb 2019 22:42:01 +0800
-Subject: mdio_bus: Fix use-after-free on device_register fails
-
-[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ]
-
-KASAN has found use-after-free in fixed_mdio_bus_init,
-commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
-put_device on device_register() failure") call put_device()
-while device_register() fails,give up the last reference
-to the device and allow mdiobus_release to be executed
-,kfreeing the bus. However in most drives, mdiobus_free
-be called to free the bus while mdiobus_register fails.
-use-after-free occurs when access bus again, this patch
-revert it to let mdiobus_free free the bus.
-
-KASAN report details as below:
-
-BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
-Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524
-
-CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
-Call Trace:
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0xfa/0x1ce lib/dump_stack.c:113
- print_address_description+0x65/0x270 mm/kasan/report.c:187
- kasan_report+0x149/0x18d mm/kasan/report.c:317
- mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
- fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
- ? 0xffffffffc0e40000
- ? 0xffffffffc0e40000
- ? 0xffffffffc0e40000
- do_one_initcall+0xfa/0x5ca init/main.c:887
- do_init_module+0x204/0x5f6 kernel/module.c:3460
- load_module+0x66b2/0x8570 kernel/module.c:3808
- __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
- do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-RIP: 0033:0x462e99
-Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
-RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
-RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
-RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
-RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
-R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
-
-Allocated by task 3524:
- set_track mm/kasan/common.c:85 [inline]
- __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
- kmalloc include/linux/slab.h:545 [inline]
- kzalloc include/linux/slab.h:740 [inline]
- mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
- fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
- do_one_initcall+0xfa/0x5ca init/main.c:887
- do_init_module+0x204/0x5f6 kernel/module.c:3460
- load_module+0x66b2/0x8570 kernel/module.c:3808
- __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
- do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-Freed by task 3524:
- set_track mm/kasan/common.c:85 [inline]
- __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
- slab_free_hook mm/slub.c:1409 [inline]
- slab_free_freelist_hook mm/slub.c:1436 [inline]
- slab_free mm/slub.c:2986 [inline]
- kfree+0xe1/0x270 mm/slub.c:3938
- device_release+0x78/0x200 drivers/base/core.c:919
- kobject_cleanup lib/kobject.c:662 [inline]
- kobject_release lib/kobject.c:691 [inline]
- kref_put include/linux/kref.h:67 [inline]
- kobject_put+0x146/0x240 lib/kobject.c:708
- put_device+0x1c/0x30 drivers/base/core.c:2060
- __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
- fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
- do_one_initcall+0xfa/0x5ca init/main.c:887
- do_init_module+0x204/0x5f6 kernel/module.c:3460
- load_module+0x66b2/0x8570 kernel/module.c:3808
- __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
- do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-The buggy address belongs to the object at ffff8881dc824c80
- which belongs to the cache kmalloc-2k of size 2048
-The buggy address is located 248 bytes inside of
- 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
-The buggy address belongs to the page:
-page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
-flags: 0x2fffc0000010200(slab|head)
-raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
-raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
-page dumped because: kasan: bad access detected
-
-Memory state around the buggy address:
- ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
->ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ^
- ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-
-Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/phy/mdio_bus.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
-index 50051f271b10..8dfd1aeb8fab 100644
---- a/drivers/net/phy/mdio_bus.c
-+++ b/drivers/net/phy/mdio_bus.c
-@@ -261,7 +261,6 @@ int mdiobus_register(struct mii_bus *bus)
- err = device_register(&bus->dev);
- if (err) {
- pr_err("mii_bus %s failed to register\n", bus->id);
-- put_device(&bus->dev);
- return -EINVAL;
- }
-
---
-2.19.1
-
+++ /dev/null
-From 28fce9c67b5f32cd28e88d55a3c78bc02688cf00 Mon Sep 17 00:00:00 2001
-From: John Garry <john.garry@huawei.com>
-Date: Fri, 15 Feb 2019 00:37:57 +0800
-Subject: scsi: libsas: Fix rphy phy_identifier for PHYs with end devices
- attached
-
-[ Upstream commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f ]
-
-The sysfs phy_identifier attribute for a sas_end_device comes from the rphy
-phy_identifier value.
-
-Currently this is not being set for rphys with an end device attached, so
-we see incorrect symlinks from systemd disk/by-path:
-
-root@localhost:~# ls -l /dev/disk/by-path/
-total 0
-lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb
-lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1
-lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2
-lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3
-
-Indeed, each sas_end_device phy_identifier value is 0:
-
-root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier
-0
-root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier
-0
-
-This patch fixes the discovery code to set the phy_identifier. With this,
-we now get proper symlinks:
-
-root@localhost:~# ls -l /dev/disk/by-path/
-total 0
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3
-
-Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
-Reported-by: dann frazier <dann.frazier@canonical.com>
-Signed-off-by: John Garry <john.garry@huawei.com>
-Reviewed-by: Jason Yan <yanaijie@huawei.com>
-Tested-by: dann frazier <dann.frazier@canonical.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/libsas/sas_expander.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
-index e2630aea4e9f..22450abf0a03 100644
---- a/drivers/scsi/libsas/sas_expander.c
-+++ b/drivers/scsi/libsas/sas_expander.c
-@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev(
- rphy = sas_end_device_alloc(phy->port);
- if (!rphy)
- goto out_free;
-+ rphy->identify.phy_identifier = phy_id;
-
- child->rphy = rphy;
- get_device(&rphy->dev);
-@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev(
-
- child->rphy = rphy;
- get_device(&rphy->dev);
-+ rphy->identify.phy_identifier = phy_id;
- sas_fill_in_rphy(child, rphy);
-
- list_add_tail(&child->disco_list_node, &parent->port->disco_list);
---
-2.19.1
-
crypto-ahash-fix-another-early-termination-in-hash-walk.patch
s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
input-matrix_keypad-use-flush_delayed_work.patch
-team-avoid-complex-list-operations-in-team_nl_cmd_op.patch
mm-gup-fix-gup_pmd_range-for-dax.patch
i2c-cadence-fix-the-hold-bit-setting.patch
input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
assoc_array-fix-shortcut-creation.patch
scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
-scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch
net-systemport-fix-reception-of-bpdus.patch
net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
arm64-relax-gic-version-check-during-early-boot.patch
net-marvell-mvneta-fix-dma-debug-warning.patch
tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
-mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169
net-set-static-variable-an-initial-value-in-atl2_pro.patch
+++ /dev/null
-From c677ba18b2cc94ea2e13bf60709085582121d36c Mon Sep 17 00:00:00 2001
-From: Cong Wang <xiyou.wangcong@gmail.com>
-Date: Mon, 11 Feb 2019 21:59:51 -0800
-Subject: team: avoid complex list operations in team_nl_cmd_options_set()
-
-[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ]
-
-The current opt_inst_list operations inside team_nl_cmd_options_set()
-is too complex to track:
-
- LIST_HEAD(opt_inst_list);
- nla_for_each_nested(...) {
- list_for_each_entry(opt_inst, &team->option_inst_list, list) {
- if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst))
- continue;
- list_add(&opt_inst->tmp_list, &opt_inst_list);
- }
- }
- team_nl_send_event_options_get(team, &opt_inst_list);
-
-as while we retrieve 'opt_inst' from team->option_inst_list, it could
-be added to the local 'opt_inst_list' for multiple times. The
-__team_option_inst_tmp_find() doesn't work, as the setter
-team_mode_option_set() still calls team->ops.exit() which uses
-->tmp_list too in __team_options_change_check().
-
-Simplify the list operations by moving the 'opt_inst_list' and
-team_nl_send_event_options_get() into the nla_for_each_nested() loop so
-that it can be guranteed that we won't insert a same list entry for
-multiple times. Therefore, __team_option_inst_tmp_find() can be removed
-too.
-
-Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list")
-Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
-Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
-Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com
-Cc: Jiri Pirko <jiri@resnulli.us>
-Cc: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Acked-by: Jiri Pirko <jiri@mellanox.com>
-Reviewed-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/team/team.c | 27 +++++----------------------
- 1 file changed, 5 insertions(+), 22 deletions(-)
-
-diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index 3e0f7116380d..eb04b348edf3 100644
---- a/drivers/net/team/team.c
-+++ b/drivers/net/team/team.c
-@@ -253,17 +253,6 @@ static void __team_option_inst_mark_removed_port(struct team *team,
- }
- }
-
--static bool __team_option_inst_tmp_find(const struct list_head *opts,
-- const struct team_option_inst *needle)
--{
-- struct team_option_inst *opt_inst;
--
-- list_for_each_entry(opt_inst, opts, tmp_list)
-- if (opt_inst == needle)
-- return true;
-- return false;
--}
--
- static int __team_options_register(struct team *team,
- const struct team_option *option,
- size_t option_count)
-@@ -2435,7 +2424,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
- int err = 0;
- int i;
- struct nlattr *nl_option;
-- LIST_HEAD(opt_inst_list);
-
- team = team_nl_team_get(info);
- if (!team)
-@@ -2451,6 +2439,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
- struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1];
- struct nlattr *attr;
- struct nlattr *attr_data;
-+ LIST_HEAD(opt_inst_list);
- enum team_option_type opt_type;
- int opt_port_ifindex = 0; /* != 0 for per-port options */
- u32 opt_array_index = 0;
-@@ -2554,23 +2543,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
- if (err)
- goto team_put;
- opt_inst->changed = true;
--
-- /* dumb/evil user-space can send us duplicate opt,
-- * keep only the last one
-- */
-- if (__team_option_inst_tmp_find(&opt_inst_list,
-- opt_inst))
-- continue;
--
- list_add(&opt_inst->tmp_list, &opt_inst_list);
- }
- if (!opt_found) {
- err = -ENOENT;
- goto team_put;
- }
-- }
-
-- err = team_nl_send_event_options_get(team, &opt_inst_list);
-+ err = team_nl_send_event_options_get(team, &opt_inst_list);
-+ if (err)
-+ break;
-+ }
-
- team_put:
- team_nl_team_put(team);
---
-2.19.1
-
Cc: Matthias Maennich <maennich@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
-index f02d452ceeb9..1244c246d0c4 100644
---- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
-+++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
-@@ -158,7 +158,6 @@ static void vb2_warn_zero_bytesused(struct vb2_buffer *vb)
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -145,7 +145,6 @@ static void vb2_warn_zero_bytesused(stru
return;
check_once = true;
crypto-ahash-fix-another-early-termination-in-hash-walk.patch
crypto-rockchip-fix-scatterlist-nents-error.patch
crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch
-media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
drm-imx-ignore-plane-updates-on-disabled-crtcs.patch
gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch
drm-imx-imx-ldb-add-missing-of_node_puts.patch
nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
net-set-static-variable-an-initial-value-in-atl2_pro.patch
tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
+media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
+++ /dev/null
-From 511c96a278c67054621e55aa6ca74fbb701cf41f Mon Sep 17 00:00:00 2001
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Thu, 21 Feb 2019 22:42:01 +0800
-Subject: mdio_bus: Fix use-after-free on device_register fails
-
-[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ]
-
-KASAN has found use-after-free in fixed_mdio_bus_init,
-commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
-put_device on device_register() failure") call put_device()
-while device_register() fails,give up the last reference
-to the device and allow mdiobus_release to be executed
-,kfreeing the bus. However in most drives, mdiobus_free
-be called to free the bus while mdiobus_register fails.
-use-after-free occurs when access bus again, this patch
-revert it to let mdiobus_free free the bus.
-
-KASAN report details as below:
-
-BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
-Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524
-
-CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
-Call Trace:
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0xfa/0x1ce lib/dump_stack.c:113
- print_address_description+0x65/0x270 mm/kasan/report.c:187
- kasan_report+0x149/0x18d mm/kasan/report.c:317
- mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
- fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
- ? 0xffffffffc0e40000
- ? 0xffffffffc0e40000
- ? 0xffffffffc0e40000
- do_one_initcall+0xfa/0x5ca init/main.c:887
- do_init_module+0x204/0x5f6 kernel/module.c:3460
- load_module+0x66b2/0x8570 kernel/module.c:3808
- __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
- do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-RIP: 0033:0x462e99
-Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
-RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
-RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
-RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
-RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
-R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
-
-Allocated by task 3524:
- set_track mm/kasan/common.c:85 [inline]
- __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
- kmalloc include/linux/slab.h:545 [inline]
- kzalloc include/linux/slab.h:740 [inline]
- mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
- fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
- do_one_initcall+0xfa/0x5ca init/main.c:887
- do_init_module+0x204/0x5f6 kernel/module.c:3460
- load_module+0x66b2/0x8570 kernel/module.c:3808
- __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
- do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-Freed by task 3524:
- set_track mm/kasan/common.c:85 [inline]
- __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
- slab_free_hook mm/slub.c:1409 [inline]
- slab_free_freelist_hook mm/slub.c:1436 [inline]
- slab_free mm/slub.c:2986 [inline]
- kfree+0xe1/0x270 mm/slub.c:3938
- device_release+0x78/0x200 drivers/base/core.c:919
- kobject_cleanup lib/kobject.c:662 [inline]
- kobject_release lib/kobject.c:691 [inline]
- kref_put include/linux/kref.h:67 [inline]
- kobject_put+0x146/0x240 lib/kobject.c:708
- put_device+0x1c/0x30 drivers/base/core.c:2060
- __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
- fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
- do_one_initcall+0xfa/0x5ca init/main.c:887
- do_init_module+0x204/0x5f6 kernel/module.c:3460
- load_module+0x66b2/0x8570 kernel/module.c:3808
- __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
- do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-The buggy address belongs to the object at ffff8881dc824c80
- which belongs to the cache kmalloc-2k of size 2048
-The buggy address is located 248 bytes inside of
- 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
-The buggy address belongs to the page:
-page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
-flags: 0x2fffc0000010200(slab|head)
-raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
-raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
-page dumped because: kasan: bad access detected
-
-Memory state around the buggy address:
- ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
->ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ^
- ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-
-Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/phy/mdio_bus.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
-index 88cb4592b6fb..ccefba7af960 100644
---- a/drivers/net/phy/mdio_bus.c
-+++ b/drivers/net/phy/mdio_bus.c
-@@ -267,7 +267,6 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
- err = device_register(&bus->dev);
- if (err) {
- pr_err("mii_bus %s failed to register\n", bus->id);
-- put_device(&bus->dev);
- return -EINVAL;
- }
-
---
-2.19.1
-
+++ /dev/null
-From 5ee06cd33773481fbce4c8db4c553aacc9d2894e Mon Sep 17 00:00:00 2001
-From: John Garry <john.garry@huawei.com>
-Date: Fri, 15 Feb 2019 00:37:57 +0800
-Subject: scsi: libsas: Fix rphy phy_identifier for PHYs with end devices
- attached
-
-[ Upstream commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f ]
-
-The sysfs phy_identifier attribute for a sas_end_device comes from the rphy
-phy_identifier value.
-
-Currently this is not being set for rphys with an end device attached, so
-we see incorrect symlinks from systemd disk/by-path:
-
-root@localhost:~# ls -l /dev/disk/by-path/
-total 0
-lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb
-lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1
-lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2
-lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3
-
-Indeed, each sas_end_device phy_identifier value is 0:
-
-root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier
-0
-root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier
-0
-
-This patch fixes the discovery code to set the phy_identifier. With this,
-we now get proper symlinks:
-
-root@localhost:~# ls -l /dev/disk/by-path/
-total 0
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3
-lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2
-lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3
-
-Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
-Reported-by: dann frazier <dann.frazier@canonical.com>
-Signed-off-by: John Garry <john.garry@huawei.com>
-Reviewed-by: Jason Yan <yanaijie@huawei.com>
-Tested-by: dann frazier <dann.frazier@canonical.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/libsas/sas_expander.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
-index 12886f96b286..7be581f7c35d 100644
---- a/drivers/scsi/libsas/sas_expander.c
-+++ b/drivers/scsi/libsas/sas_expander.c
-@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev(
- rphy = sas_end_device_alloc(phy->port);
- if (!rphy)
- goto out_free;
-+ rphy->identify.phy_identifier = phy_id;
-
- child->rphy = rphy;
- get_device(&rphy->dev);
-@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev(
-
- child->rphy = rphy;
- get_device(&rphy->dev);
-+ rphy->identify.phy_identifier = phy_id;
- sas_fill_in_rphy(child, rphy);
-
- list_add_tail(&child->disco_list_node, &parent->port->disco_list);
---
-2.19.1
-
s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch
input-matrix_keypad-use-flush_delayed_work.patch
-team-avoid-complex-list-operations-in-team_nl_cmd_op.patch
i2c-cadence-fix-the-hold-bit-setting.patch
input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
assoc_array-fix-shortcut-creation.patch
scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
-scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch
net-systemport-fix-reception-of-bpdus.patch
pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
phonet-fix-building-with-clang.patch
mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
-mdio_bus-fix-use-after-free-on-device_register-fails.patch-26729
net-set-static-variable-an-initial-value-in-atl2_pro.patch
tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
+++ /dev/null
-From 42133293dc97f30e37d814582583b780662cfca3 Mon Sep 17 00:00:00 2001
-From: Cong Wang <xiyou.wangcong@gmail.com>
-Date: Mon, 11 Feb 2019 21:59:51 -0800
-Subject: team: avoid complex list operations in team_nl_cmd_options_set()
-
-[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ]
-
-The current opt_inst_list operations inside team_nl_cmd_options_set()
-is too complex to track:
-
- LIST_HEAD(opt_inst_list);
- nla_for_each_nested(...) {
- list_for_each_entry(opt_inst, &team->option_inst_list, list) {
- if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst))
- continue;
- list_add(&opt_inst->tmp_list, &opt_inst_list);
- }
- }
- team_nl_send_event_options_get(team, &opt_inst_list);
-
-as while we retrieve 'opt_inst' from team->option_inst_list, it could
-be added to the local 'opt_inst_list' for multiple times. The
-__team_option_inst_tmp_find() doesn't work, as the setter
-team_mode_option_set() still calls team->ops.exit() which uses
-->tmp_list too in __team_options_change_check().
-
-Simplify the list operations by moving the 'opt_inst_list' and
-team_nl_send_event_options_get() into the nla_for_each_nested() loop so
-that it can be guranteed that we won't insert a same list entry for
-multiple times. Therefore, __team_option_inst_tmp_find() can be removed
-too.
-
-Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list")
-Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
-Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
-Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com
-Cc: Jiri Pirko <jiri@resnulli.us>
-Cc: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Acked-by: Jiri Pirko <jiri@mellanox.com>
-Reviewed-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/team/team.c | 27 +++++----------------------
- 1 file changed, 5 insertions(+), 22 deletions(-)
-
-diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index 33ffb573fd67..267a90423154 100644
---- a/drivers/net/team/team.c
-+++ b/drivers/net/team/team.c
-@@ -247,17 +247,6 @@ static void __team_option_inst_mark_removed_port(struct team *team,
- }
- }
-
--static bool __team_option_inst_tmp_find(const struct list_head *opts,
-- const struct team_option_inst *needle)
--{
-- struct team_option_inst *opt_inst;
--
-- list_for_each_entry(opt_inst, opts, tmp_list)
-- if (opt_inst == needle)
-- return true;
-- return false;
--}
--
- static int __team_options_register(struct team *team,
- const struct team_option *option,
- size_t option_count)
-@@ -2447,7 +2436,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
- int err = 0;
- int i;
- struct nlattr *nl_option;
-- LIST_HEAD(opt_inst_list);
-
- team = team_nl_team_get(info);
- if (!team)
-@@ -2463,6 +2451,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
- struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1];
- struct nlattr *attr;
- struct nlattr *attr_data;
-+ LIST_HEAD(opt_inst_list);
- enum team_option_type opt_type;
- int opt_port_ifindex = 0; /* != 0 for per-port options */
- u32 opt_array_index = 0;
-@@ -2566,23 +2555,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
- if (err)
- goto team_put;
- opt_inst->changed = true;
--
-- /* dumb/evil user-space can send us duplicate opt,
-- * keep only the last one
-- */
-- if (__team_option_inst_tmp_find(&opt_inst_list,
-- opt_inst))
-- continue;
--
- list_add(&opt_inst->tmp_list, &opt_inst_list);
- }
- if (!opt_found) {
- err = -ENOENT;
- goto team_put;
- }
-- }
-
-- err = team_nl_send_event_options_get(team, &opt_inst_list);
-+ err = team_nl_send_event_options_get(team, &opt_inst_list);
-+ if (err)
-+ break;
-+ }
-
- team_put:
- team_nl_team_put(team);
---
-2.19.1
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
