1. 20 Sep, 2017 8 commits
    • Arnd Bergmann's avatar
      qlge: avoid memcpy buffer overflow · 64dfc675
      Arnd Bergmann authored
      
      [ Upstream commit e58f9583 ]
      
      gcc-8.0.0 (snapshot) points out that we copy a variable-length string
      into a fixed length field using memcpy() with the destination length,
      and that ends up copying whatever follows the string:
      
          inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
      drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
        memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
      
      Changing it to use strncpy() will instead zero-pad the destination,
      which seems to be the right thing to do here.
      
      The bug is probably harmless, but it seems like a good idea to address
      it in stable kernels as well, if only for the purpose of building with
      gcc-8 without warnings.
      
      Fixes: a61f8026 ("qlge: Add ethtool register dump function.")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64dfc675
    • Stefano Brivio's avatar
      sctp: Avoid out-of-bounds reads from address storage · 08d56d8a
      Stefano Brivio authored
      
      [ Upstream commit ee6c88bb ]
      
      inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
      sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
      to export diagnostic information to userspace.
      
      However, the memory allocated to store sockaddr information is
      smaller than that and depends on the address family, so we leak
      up to 100 uninitialized bytes to userspace. Just use the size of
      the source structs instead, in all the three cases this is what
      userspace expects. Zero out the remaining memory.
      
      Unused bytes (i.e. when IPv4 addresses are used) in source
      structs sctp_sockaddr_entry and sctp_transport are already
      cleared by sctp_add_bind_addr() and sctp_transport_new(),
      respectively.
      
      Noticed while testing KASAN-enabled kernel with 'ss':
      
      [ 2326.885243] BUG: KASAN: slab-out-of-bounds in inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag] at addr ffff881be8779800
      [ 2326.896800] Read of size 128 by task ss/9527
      [ 2326.901564] CPU: 0 PID: 9527 Comm: ss Not tainted 4.11.0-22.el7a.x86_64 #1
      [ 2326.909236] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
      [ 2326.917585] Call Trace:
      [ 2326.920312]  dump_stack+0x63/0x8d
      [ 2326.924014]  kasan_object_err+0x21/0x70
      [ 2326.928295]  kasan_report+0x288/0x540
      [ 2326.932380]  ? inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
      [ 2326.938500]  ? skb_put+0x8b/0xd0
      [ 2326.942098]  ? memset+0x31/0x40
      [ 2326.945599]  check_memory_region+0x13c/0x1a0
      [ 2326.950362]  memcpy+0x23/0x50
      [ 2326.953669]  inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
      [ 2326.959596]  ? inet_diag_msg_sctpasoc_fill+0x460/0x460 [sctp_diag]
      [ 2326.966495]  ? __lock_sock+0x102/0x150
      [ 2326.970671]  ? sock_def_wakeup+0x60/0x60
      [ 2326.975048]  ? remove_wait_queue+0xc0/0xc0
      [ 2326.979619]  sctp_diag_dump+0x44a/0x760 [sctp_diag]
      [ 2326.985063]  ? sctp_ep_dump+0x280/0x280 [sctp_diag]
      [ 2326.990504]  ? memset+0x31/0x40
      [ 2326.994007]  ? mutex_lock+0x12/0x40
      [ 2326.997900]  __inet_diag_dump+0x57/0xb0 [inet_diag]
      [ 2327.003340]  ? __sys_sendmsg+0x150/0x150
      [ 2327.007715]  inet_diag_dump+0x4d/0x80 [inet_diag]
      [ 2327.012979]  netlink_dump+0x1e6/0x490
      [ 2327.017064]  __netlink_dump_start+0x28e/0x2c0
      [ 2327.021924]  inet_diag_handler_cmd+0x189/0x1a0 [inet_diag]
      [ 2327.028045]  ? inet_diag_rcv_msg_compat+0x1b0/0x1b0 [inet_diag]
      [ 2327.034651]  ? inet_diag_dump_compat+0x190/0x190 [inet_diag]
      [ 2327.040965]  ? __netlink_lookup+0x1b9/0x260
      [ 2327.045631]  sock_diag_rcv_msg+0x18b/0x1e0
      [ 2327.050199]  netlink_rcv_skb+0x14b/0x180
      [ 2327.054574]  ? sock_diag_bind+0x60/0x60
      [ 2327.058850]  sock_diag_rcv+0x28/0x40
      [ 2327.062837]  netlink_unicast+0x2e7/0x3b0
      [ 2327.067212]  ? netlink_attachskb+0x330/0x330
      [ 2327.071975]  ? kasan_check_write+0x14/0x20
      [ 2327.076544]  netlink_sendmsg+0x5be/0x730
      [ 2327.080918]  ? netlink_unicast+0x3b0/0x3b0
      [ 2327.085486]  ? kasan_check_write+0x14/0x20
      [ 2327.090057]  ? selinux_socket_sendmsg+0x24/0x30
      [ 2327.095109]  ? netlink_unicast+0x3b0/0x3b0
      [ 2327.099678]  sock_sendmsg+0x74/0x80
      [ 2327.103567]  ___sys_sendmsg+0x520/0x530
      [ 2327.107844]  ? __get_locked_pte+0x178/0x200
      [ 2327.112510]  ? copy_msghdr_from_user+0x270/0x270
      [ 2327.117660]  ? vm_insert_page+0x360/0x360
      [ 2327.122133]  ? vm_insert_pfn_prot+0xb4/0x150
      [ 2327.126895]  ? vm_insert_pfn+0x32/0x40
      [ 2327.131077]  ? vvar_fault+0x71/0xd0
      [ 2327.134968]  ? special_mapping_fault+0x69/0x110
      [ 2327.140022]  ? __do_fault+0x42/0x120
      [ 2327.144008]  ? __handle_mm_fault+0x1062/0x17a0
      [ 2327.148965]  ? __fget_light+0xa7/0xc0
      [ 2327.153049]  __sys_sendmsg+0xcb/0x150
      [ 2327.157133]  ? __sys_sendmsg+0xcb/0x150
      [ 2327.161409]  ? SyS_shutdown+0x140/0x140
      [ 2327.165688]  ? exit_to_usermode_loop+0xd0/0xd0
      [ 2327.170646]  ? __do_page_fault+0x55d/0x620
      [ 2327.175216]  ? __sys_sendmsg+0x150/0x150
      [ 2327.179591]  SyS_sendmsg+0x12/0x20
      [ 2327.183384]  do_syscall_64+0xe3/0x230
      [ 2327.187471]  entry_SYSCALL64_slow_path+0x25/0x25
      [ 2327.192622] RIP: 0033:0x7f41d18fa3b0
      [ 2327.196608] RSP: 002b:00007ffc3b731218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [ 2327.205055] RAX: ffffffffffffffda RBX: 00007ffc3b731380 RCX: 00007f41d18fa3b0
      [ 2327.213017] RDX: 0000000000000000 RSI: 00007ffc3b731340 RDI: 0000000000000003
      [ 2327.220978] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000040
      [ 2327.228939] R10: 00007ffc3b730f30 R11: 0000000000000246 R12: 0000000000000003
      [ 2327.236901] R13: 00007ffc3b731340 R14: 00007ffc3b7313d0 R15: 0000000000000084
      [ 2327.244865] Object at ffff881be87797e0, in cache kmalloc-64 size: 64
      [ 2327.251953] Allocated:
      [ 2327.254581] PID = 9484
      [ 2327.257215]  save_stack_trace+0x1b/0x20
      [ 2327.261485]  save_stack+0x46/0xd0
      [ 2327.265179]  kasan_kmalloc+0xad/0xe0
      [ 2327.269165]  kmem_cache_alloc_trace+0xe6/0x1d0
      [ 2327.274138]  sctp_add_bind_addr+0x58/0x180 [sctp]
      [ 2327.279400]  sctp_do_bind+0x208/0x310 [sctp]
      [ 2327.284176]  sctp_bind+0x61/0xa0 [sctp]
      [ 2327.288455]  inet_bind+0x5f/0x3a0
      [ 2327.292151]  SYSC_bind+0x1a4/0x1e0
      [ 2327.295944]  SyS_bind+0xe/0x10
      [ 2327.299349]  do_syscall_64+0xe3/0x230
      [ 2327.303433]  return_from_SYSCALL_64+0x0/0x6a
      [ 2327.308194] Freed:
      [ 2327.310434] PID = 4131
      [ 2327.313065]  save_stack_trace+0x1b/0x20
      [ 2327.317344]  save_stack+0x46/0xd0
      [ 2327.321040]  kasan_slab_free+0x73/0xc0
      [ 2327.325220]  kfree+0x96/0x1a0
      [ 2327.328530]  dynamic_kobj_release+0x15/0x40
      [ 2327.333195]  kobject_release+0x99/0x1e0
      [ 2327.337472]  kobject_put+0x38/0x70
      [ 2327.341266]  free_notes_attrs+0x66/0x80
      [ 2327.345545]  mod_sysfs_teardown+0x1a5/0x270
      [ 2327.350211]  free_module+0x20/0x2a0
      [ 2327.354099]  SyS_delete_module+0x2cb/0x2f0
      [ 2327.358667]  do_syscall_64+0xe3/0x230
      [ 2327.362750]  return_from_SYSCALL_64+0x0/0x6a
      [ 2327.367510] Memory state around the buggy address:
      [ 2327.372855]  ffff881be8779700: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
      [ 2327.380914]  ffff881be8779780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
      [ 2327.388972] >ffff881be8779800: 00 00 00 00 fc fc fc fc fb fb fb fb fb fb fb fb
      [ 2327.397031]                                ^
      [ 2327.401792]  ffff881be8779880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
      [ 2327.409850]  ffff881be8779900: 00 00 00 00 00 04 fc fc fc fc fc fc 00 00 00 00
      [ 2327.417907] ==================================================================
      
      This fixes CVE-2017-7558.
      
      References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
      Fixes: 8f840e47 ("sctp: add the sctp_diag.c file")
      Cc: Xin Long <lucien.xin@gmail.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08d56d8a
    • Florian Fainelli's avatar
      fsl/man: Inherit parent device and of_node · 4d8ee193
      Florian Fainelli authored
      
      [ Upstream commit a1a50c8e ]
      
      Junote Cai reported that he was not able to get a DSA setup involving the
      Freescale DPAA/FMAN driver to work and narrowed it down to
      of_find_net_device_by_node(). This function requires the network device's
      device reference to be correctly set which is the case here, though we have
      lost any device_node association there.
      
      The problem is that dpaa_eth_add_device() allocates a "dpaa-ethernet" platform
      device, and later on dpaa_eth_probe() is called but SET_NETDEV_DEV() won't be
      propagating &pdev->dev.of_node properly. Fix this by inherenting both the parent
      device and the of_node when dpaa_eth_add_device() creates the platform device.
      
      Fixes: 39339616 ("fsl/fman: Add FMan MAC driver")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d8ee193
    • Eric Dumazet's avatar
      udp: on peeking bad csum, drop packets even if not at head · 1e39e5c6
      Eric Dumazet authored
      
      [ Upstream commit fd6055a8 ]
      
      When peeking, if a bad csum is discovered, the skb is unlinked from
      the queue with __sk_queue_drop_skb and the peek operation restarted.
      
      __sk_queue_drop_skb only drops packets that match the queue head.
      
      This fails if the skb was found after the head, using SO_PEEK_OFF
      socket option. This causes an infinite loop.
      
      We MUST drop this problematic skb, and we can simply check if skb was
      already removed by another thread, by looking at skb->next :
      
      This pointer is set to NULL by the  __skb_unlink() operation, that might
      have happened only under the spinlock protection.
      
      Many thanks to syzkaller team (and particularly Dmitry Vyukov who
      provided us nice C reproducers exhibiting the lockup) and Willem de
      Bruijn who provided first version for this patch and a test program.
      
      Fixes: 627d2d6b ("udp: enable MSG_PEEK at non-zero offset")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e39e5c6
    • Sabrina Dubroca's avatar
      macsec: add genl family module alias · 4b4a194a
      Sabrina Dubroca authored
      
      [ Upstream commit 78362998 ]
      
      This helps tools such as wpa_supplicant can start even if the macsec
      module isn't loaded yet.
      
      Fixes: c09440f7 ("macsec: introduce IEEE 802.1AE driver")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b4a194a
    • Wei Wang's avatar
      ipv6: fix sparse warning on rt6i_node · 43c792a8
      Wei Wang authored
      
      [ Upstream commit 4e587ea7 ]
      
      Commit c5cff856 adds rcu grace period before freeing fib6_node. This
      generates a new sparse warning on rt->rt6i_node related code:
        net/ipv6/route.c:1394:30: error: incompatible types in comparison
        expression (different address spaces)
        ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
        expression (different address spaces)
      
      This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
      rcu API is used for it.
      After this fix, sparse no longer generates the above warning.
      
      Fixes: c5cff856 ("ipv6: add rcu grace period before freeing fib6_node")
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43c792a8
    • Wei Wang's avatar
      ipv6: add rcu grace period before freeing fib6_node · 7f8f23fc
      Wei Wang authored
      
      [ Upstream commit c5cff856 ]
      
      We currently keep rt->rt6i_node pointing to the fib6_node for the route.
      And some functions make use of this pointer to dereference the fib6_node
      from rt structure, e.g. rt6_check(). However, as there is neither
      refcount nor rcu taken when dereferencing rt->rt6i_node, it could
      potentially cause crashes as rt->rt6i_node could be set to NULL by other
      CPUs when doing a route deletion.
      This patch introduces an rcu grace period before freeing fib6_node and
      makes sure the functions that dereference it takes rcu_read_lock().
      
      Note: there is no "Fixes" tag because this bug was there in a very
      early stage.
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f8f23fc
    • Stefano Brivio's avatar
      ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() · dccb31be
      Stefano Brivio authored
      
      [ Upstream commit 3de33e1b ]
      
      A packet length of exactly IPV6_MAXPLEN is allowed, we should
      refuse parsing options only if the size is 64KiB or more.
      
      While at it, remove one extra variable and one assignment which
      were also introduced by the commit that introduced the size
      check. Checking the sum 'offset + len' and only later adding
      'len' to 'offset' doesn't provide any advantage over directly
      summing to 'offset' and checking it.
      
      Fixes: 6399f1fa ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dccb31be
  2. 13 Sep, 2017 16 commits
  3. 10 Sep, 2017 1 commit
  4. 09 Sep, 2017 15 commits
    • John Stultz's avatar
      drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event() · 8bc67f67
      John Stultz authored
      commit 6d5104c5 upstream.
      
      In chasing down a previous issue with EDID probing from calling
      drm_helper_hpd_irq_event() from irq context, Laurent noticed
      that the DRM documentation suggests that
      drm_kms_helper_hotplug_event() should be used instead.
      
      Thus this patch replaces drm_helper_hpd_irq_event() with
      drm_kms_helper_hotplug_event(), which requires we update the
      connector.status entry and only call _hotplug_event() when the
      status changes.
      
      Cc: David Airlie <airlied@linux.ie>
      Cc: Archit Taneja <architt@codeaurora.org>
      Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Cc: Lars-Peter Clausen <lars@metafoo.de>
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: dri-devel@lists.freedesktop.org
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Tested-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/1484614372-15342-3-git-send-email-john.stultz@linaro.orgSigned-off-by: default avatarThong Ho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bc67f67
    • John Stultz's avatar
      drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq context · 8b5a7e44
      John Stultz authored
      commit 518cb705 upstream.
      
      I was recently seeing issues with EDID probing, where
      the logic to wait for the EDID read bit to be set by the
      IRQ wasn't happening and the code would time out and fail.
      
      Digging deeper, I found this was due to the fact that
      IRQs were disabled as we were running in IRQ context from
      the HPD signal.
      
      Thus this patch changes the logic to handle the HPD signal
      via a work_struct so we can be out of irq context.
      
      With this patch, the EDID probing on hotplug does not time
      out.
      
      Cc: David Airlie <airlied@linux.ie>
      Cc: Archit Taneja <architt@codeaurora.org>
      Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Cc: Lars-Peter Clausen <lars@metafoo.de>
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: dri-devel@lists.freedesktop.org
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Tested-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/1484614372-15342-2-git-send-email-john.stultz@linaro.orgSigned-off-by: default avatarThong Ho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b5a7e44
    • Todd Poynor's avatar
      scsi: sg: recheck MMAP_IO request length with lock held · 7791b591
      Todd Poynor authored
      commit 8d26f491 upstream.
      
      Commit 1bc0eb04 ("scsi: sg: protect accesses to 'reserved' page
      array") adds needed concurrency protection for the "reserve" buffer.
      Some checks that are initially made outside the lock are replicated once
      the lock is taken to ensure the checks and resulting decisions are made
      using consistent state.
      
      The check that a request with flag SG_FLAG_MMAP_IO set fits in the
      reserve buffer also needs to be performed again under the lock to ensure
      the reserve buffer length compared against matches the value in effect
      when the request is linked to the reserve buffer.  An -ENOMEM should be
      returned in this case, instead of switching over to an indirect buffer
      as for non-MMAP_IO requests.
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7791b591
    • Todd Poynor's avatar
      scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE · b06e1abf
      Todd Poynor authored
      commit 6a8dadcc upstream.
      
      Take f_mutex around mmap() processing to protect against races with the
      SG_SET_RESERVED_SIZE ioctl.  Ensure the reserve buffer length remains
      consistent during the mapping operation, and set the "mmap called" flag
      to prevent further changes to the reserved buffer size as an atomic
      operation with the mapping.
      
      [mkp: fixed whitespace]
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b06e1abf
    • Andrey Korolyov's avatar
      cs5536: add support for IDE controller variant · 5b9c6a54
      Andrey Korolyov authored
      commit 591b6bb6 upstream.
      
      Several legacy devices such as Geode-based Cisco ASA appliances
      and DB800 development board do possess CS5536 IDE controller
      with different PCI id than existing one. Using pata_generic is
      not always feasible as at least DB800 requires MSR quirk from
      pata_cs5536 to be used with vendor firmware.
      Signed-off-by: default avatarAndrey Korolyov <andrey@xdel.ru>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b9c6a54
    • Ben Hutchings's avatar
      workqueue: Fix flag collision · ec552ece
      Ben Hutchings authored
      commit fbf1c41f upstream.
      
      Commit 0a94efb5 ("workqueue: implicit ordered attribute should be
      overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the
      same value as __WQ_LEGACY.  I don't believe these were intended to
      mean the same thing, so renumber __WQ_ORDERED_EXPLICIT.
      
      Fixes: 0a94efb5 ("workqueue: implicit ordered attribute should be ...")
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec552ece
    • Ilia Mirkin's avatar
      drm/nouveau/pci/msi: disable MSI on big-endian platforms by default · 25bdc516
      Ilia Mirkin authored
      commit bc60c90f upstream.
      
      It appears that MSI does not work on either G5 PPC nor on a E5500-based
      platform, where other hardware is reported to work fine with MSI.
      
      Both tests were conducted with NV4x hardware, so perhaps other (or even
      this) hardware can be made to work. It's still possible to force-enable
      with config=NvMSI=1 on load.
      Signed-off-by: default avatarIlia Mirkin <imirkin@alum.mit.edu>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25bdc516
    • Christian Borntraeger's avatar
      s390/mm: avoid empty zero pages for KVM guests to avoid postcopy hangs · 07886674
      Christian Borntraeger authored
      commit fa41ba0d upstream.
      
      Right now there is a potential hang situation for postcopy migrations,
      if the guest is enabling storage keys on the target system during the
      postcopy process.
      
      For storage key virtualization, we have to forbid the empty zero page as
      the storage key is a property of the physical page frame.  As we enable
      storage key handling lazily we then drop all mappings for empty zero
      pages for lazy refaulting later on.
      
      This does not work with the postcopy migration, which relies on the
      empty zero page never triggering a fault again in the future. The reason
      is that postcopy migration will simply read a page on the target system
      if that page is a known zero page to fault in an empty zero page.  At
      the same time postcopy remembers that this page was already transferred
      - so any future userfault on that page will NOT be retransmitted again
      to avoid races.
      
      If now the guest enters the storage key mode while in postcopy, we will
      break this assumption of postcopy.
      
      The solution is to disable the empty zero page for KVM guests early on
      and not during storage key enablement. With this change, the postcopy
      migration process is guaranteed to start after no zero pages are left.
      
      As guest pages are very likely not empty zero pages anyway the memory
      overhead is also pretty small.
      
      While at it this also adds proper page table locking to the zero page
      removal.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Acked-by: default avatarJanosch Frank <frankja@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      07886674
    • Michael Moese's avatar
      MCB: add support for SC31 to mcb-lpc · c193beca
      Michael Moese authored
      commit acf5e051 upstream.
      
      This patch adds the resources and DMI ID's for the MEN SC31,
      which uses a different address region to map the LPC bus than
      the one used for the existing SC24.
      Signed-off-by: default avatarMichael Moese <michael.moese@men.de>
      [jth add stable tag]
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c193beca
    • Brian Norris's avatar
      mwifiex: correct channel stat buffer overflows · 0e720cd7
      Brian Norris authored
      commit 4b5dde2d upstream.
      
      mwifiex records information about various channels as it receives scan
      information. It does this by appending to a buffer that was sized
      to the max number of supported channels on any band, but there are
      numerous problems:
      
      (a) scans can return info from more than one band (e.g., both 2.4 and 5
          GHz), so the determined "max" is not large enough
      (b) some firmware appears to return multiple results for a given
          channel, so the max *really* isn't large enough
      (c) there is no bounds checking when stashing these stats, so problems
          (a) and (b) can easily lead to buffer overflows
      
      Let's patch this by setting a slightly-more-correct max (that accounts
      for a combination of both 2.4G and 5G bands) and adding a bounds check
      when writing to our statistics buffer.
      
      Due to problem (b), we still might not properly report all known survey
      information (e.g., with "iw <dev> survey dump"), since duplicate results
      (or otherwise "larger than expected" results) will cause some
      truncation. But that's a problem for a future bugfix.
      
      (And because of this known deficiency, only log the excess at the WARN
      level, since that isn't visible by default in this driver and would
      otherwise be a bit too noisy.)
      
      Fixes: bf354433 ("mwifiex: channel statistics support for mwifiex")
      Cc: Avinash Patil <patila@marvell.com>
      Cc: Xinming Hu <huxm@marvell.com>
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Reviewed-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Reviewed-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0e720cd7
    • Edwin Török's avatar
      dlm: avoid double-free on error path in dlm_device_{register,unregister} · 5c23d3ed
      Edwin Török authored
      commit 55acdd92 upstream.
      
      Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4):
       # seq 1 100 | xargs -P0 -n1 dlm_tool join
       # seq 1 100 | xargs -P0 -n1 dlm_tool leave
      
      misc_register fails due to duplicate sysfs entry, which causes
      dlm_device_register to free ls->ls_device.name.
      In dlm_device_deregister the name was freed again, causing memory
      corruption.
      
      According to the comment in dlm_device_deregister the name should've been
      set to NULL when registration fails,
      so this patch does that.
      
      sysfs: cannot create duplicate filename '/dev/char/10:1'
      ------------[ cut here ]------------
      warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70
      modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo
      videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev
      btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl
      x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
      snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi
      snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic
      snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec
      cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep
      iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw
      cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore
      sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse
       e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci
      pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video
      cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic
      hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012
      task: ffff96b0cbabe140 task.stack: ffffb199027d0000
      rip: 0010:sysfs_warn_dup+0x56/0x70
      rsp: 0018:ffffb199027d3c58 eflags: 00010282
      rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006
      rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0
      rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721
      r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1
      r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef
      fs:  00007f78069c0700(0000) gs:ffff96b15e240000(0000)
      knlgs:0000000000000000
      cs:  0010 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0
      call trace:
       sysfs_do_create_link_sd.isra.2+0x9e/0xb0
       sysfs_create_link+0x25/0x40
       device_add+0x5a9/0x640
       device_create_groups_vargs+0xe0/0xf0
       device_create_with_groups+0x3f/0x60
       ? snprintf+0x45/0x70
       misc_register+0x140/0x180
       device_write+0x6a8/0x790 [dlm]
       __vfs_write+0x37/0x160
       ? apparmor_file_permission+0x1a/0x20
       ? security_file_permission+0x3b/0xc0
       vfs_write+0xb5/0x1a0
       sys_write+0x55/0xc0
       ? sys_fcntl+0x5d/0xb0
       entry_syscall_64_fastpath+0x1e/0xa9
      rip: 0033:0x7f78083454bd
      rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001
      rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd
      rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005
      rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032
      r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00
      r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70
      code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8
      ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89
      df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
      ---[ end trace 40412246357cc9e0 ]---
      
      dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group...
      bug: unable to handle kernel null pointer dereference at 0000000000000001
      ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      pgd 0
      oops: 0000 [#1] smp
      modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6
      nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod
      aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul
      glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss
      oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4
      hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too
      serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata
      scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6
      cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1
      hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017
      task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000
      rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>]
      kmem_cache_alloc+0x7a/0x140
      rsp: e02b:ffff88000243fd90 eflags: 00010202
      rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c
      rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00
      rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054
      r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0
      r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2
      fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000
      cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660
      stack:
      ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0
      ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2
      ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90
      call trace:
      [<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140
      [<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140
      [<ffffffff8107033e>] copy_process+0xcae/0x1a80
      [<ffffffff8107128b>] _do_fork+0x8b/0x2d0
      [<ffffffff81071579>] sys_clone+0x19/0x20
      [<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71
      ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80
      00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c
      06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63
      rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      rsp <ffff88000243fd90>
      cr2: 0000000000000001
      --[ end trace 70cb9fd1b164a0e8 ]--
      Signed-off-by: default avatarEdwin Török <edvin.torok@citrix.com>
      Signed-off-by: default avatarDavid Teigland <teigland@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c23d3ed
    • Luca Coelho's avatar
      iwlwifi: pci: add new PCI ID for 7265D · 23b7d4f5
      Luca Coelho authored
      commit 3f7a5e13 upstream.
      
      We have a new PCI subsystem ID for 7265D.  Add it to the list.
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      23b7d4f5
    • Dmitry Tunin's avatar
      Bluetooth: Add support of 13d3:3494 RTL8723BE device · 74756261
      Dmitry Tunin authored
      commit a81d72d2 upstream.
      
      T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
      D: Ver= 2.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=13d3 ProdID=3494 Rev= 2.00
      S: Manufacturer=Realtek
      S: Product=Bluetooth Radio
      S: SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
      E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      74756261
    • Malcolm Priestley's avatar
      rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter · b48f7183
      Malcolm Priestley authored
      commit fc81bab5 upstream.
      
      _rtl_pci_find_adapter fail path will jump to label fail3 for
      unsupported adapter types.
      
      However, on course for fail3 there will be call rtl_deinit_core
      before rtl_init_core.
      
      For the inclusion of checking pci_iounmap this fail can be moved to
      fail2.
      
      Fixes
      [    4.492963] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [    4.493067] IP: rtl_deinit_core+0x31/0x90 [rtlwifi]
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b48f7183
    • Oscar Campos's avatar
      Input: trackpoint - assume 3 buttons when buttons detection fails · ed7a384a
      Oscar Campos authored
      commit 293b915f upstream.
      
      Trackpoint buttons detection fails on ThinkPad 570 and 470 series,
      this makes the middle button of the trackpoint to not being recogized.
      As I don't believe there is any trackpoint with less than 3 buttons this
      patch just assumes three buttons when the extended button information
      read fails.
      Signed-off-by: default avatarOscar Campos <oscar.campos@member.fsf.org>
      Acked-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed7a384a