1. 17 Apr, 2019 24 commits
    • Bjørn Mork's avatar
      qmi_wwan: add Olicard 600 · be7e16e5
      Bjørn Mork authored
      [ Upstream commit 6289d0fa ]
      
      This is a Qualcomm based device with a QMI function on interface 4.
      It is mode switched from 2020:2030 using a standard eject message.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  6 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2020 ProdID=2031 Rev= 2.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
      E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be7e16e5
    • Andrea Righi's avatar
      openvswitch: fix flow actions reallocation · 94ef6b98
      Andrea Righi authored
      [ Upstream commit f28cd2af ]
      
      The flow action buffer can be resized if it's not big enough to contain
      all the requested flow actions. However, this resize doesn't take into
      account the new requested size, the buffer is only increased by a factor
      of 2x. This might be not enough to contain the new data, causing a
      buffer overflow, for example:
      
      [   42.044472] =============================================================================
      [   42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
      [   42.046415] -----------------------------------------------------------------------------
      
      [   42.047715] Disabling lock debugging due to kernel taint
      [   42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
      [   42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
      [   42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
      
      [   42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc                          ........
      [   42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00  kkkkkkkk....l...
      [   42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6  l...........x...
      [   42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00   ...............
      [   42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.059061] Redzone 8bf2c4a5: 00 00 00 00                                      ....
      [   42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
      
      Fix by making sure the new buffer is properly resized to contain all the
      requested data.
      
      BugLink: https://bugs.launchpad.net/bugs/1813244Signed-off-by: default avatarAndrea Righi <andrea.righi@canonical.com>
      Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      94ef6b98
    • Nicolas Dichtel's avatar
      net/sched: fix ->get helper of the matchall cls · a54dc7b6
      Nicolas Dichtel authored
      [ Upstream commit 0db6f8be ]
      
      It returned always NULL, thus it was never possible to get the filter.
      
      Example:
      $ ip link add foo type dummy
      $ ip link add bar type dummy
      $ tc qdisc add dev foo clsact
      $ tc filter add dev foo protocol all pref 1 ingress handle 1234 \
      	matchall action mirred ingress mirror dev bar
      
      Before the patch:
      $ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
      Error: Specified filter handle not found.
      We have an error talking to the kernel
      
      After:
      $ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
      filter ingress protocol all pref 1 matchall chain 0 handle 0x4d2
        not_in_hw
              action order 1: mirred (Ingress Mirror to device bar) pipe
              index 1 ref 1 bind 1
      
      CC: Yotam Gigi <yotamg@mellanox.com>
      CC: Jiri Pirko <jiri@mellanox.com>
      Fixes: fd62d9f5 ("net/sched: matchall: Fix configuration race")
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a54dc7b6
    • Mao Wenan's avatar
      net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock(). · c8a88799
      Mao Wenan authored
      [ Upstream commit cb66ddd1 ]
      
      When it is to cleanup net namespace, rds_tcp_exit_net() will call
      rds_tcp_kill_sock(), if t_sock is NULL, it will not call
      rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
      connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
      net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
      and reference 'net' which has already been freed.
      
      In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
      sock->ops->connect, but if connect() is failed, it will call
      rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
      failed, rds_connect_worker() will try to reconnect all the time, so
      rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
      connections.
      
      Therefore, the condition !tc->t_sock is not needed if it is going to do
      cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
      NULL, and there is on other path to cancel cp_conn_w and free
      connection. So this patch is to fix this.
      
      rds_tcp_kill_sock():
      ...
      if (net != c_net || !tc->t_sock)
      ...
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      
      ==================================================================
      BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
      net/ipv4/af_inet.c:340
      Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
      
      CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
      Hardware name: linux,dummy-virt (DT)
      Workqueue: krdsd rds_connect_worker
      Call trace:
       dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
       show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x120/0x188 lib/dump_stack.c:113
       print_address_description+0x68/0x278 mm/kasan/report.c:253
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x21c/0x348 mm/kasan/report.c:409
       __asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
       inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
       __sock_create+0x4f8/0x770 net/socket.c:1276
       sock_create_kern+0x50/0x68 net/socket.c:1322
       rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
       rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
       process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
       worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
       kthread+0x2f0/0x378 kernel/kthread.c:255
       ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
      
      Allocated by task 687:
       save_stack mm/kasan/kasan.c:448 [inline]
       set_track mm/kasan/kasan.c:460 [inline]
       kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
       kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
       slab_post_alloc_hook mm/slab.h:444 [inline]
       slab_alloc_node mm/slub.c:2705 [inline]
       slab_alloc mm/slub.c:2713 [inline]
       kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
       kmem_cache_zalloc include/linux/slab.h:697 [inline]
       net_alloc net/core/net_namespace.c:384 [inline]
       copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
       create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
       ksys_unshare+0x340/0x628 kernel/fork.c:2577
       __do_sys_unshare kernel/fork.c:2645 [inline]
       __se_sys_unshare kernel/fork.c:2643 [inline]
       __arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
       __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
       invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
       el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
       el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
       el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
      
      Freed by task 264:
       save_stack mm/kasan/kasan.c:448 [inline]
       set_track mm/kasan/kasan.c:460 [inline]
       __kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
       kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
       slab_free_hook mm/slub.c:1370 [inline]
       slab_free_freelist_hook mm/slub.c:1397 [inline]
       slab_free mm/slub.c:2952 [inline]
       kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
       net_free net/core/net_namespace.c:400 [inline]
       net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
       net_drop_ns net/core/net_namespace.c:406 [inline]
       cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
       process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
       worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
       kthread+0x2f0/0x378 kernel/kthread.c:255
       ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
      
      The buggy address belongs to the object at ffff8003496a3f80
       which belongs to the cache net_namespace of size 7872
      The buggy address is located 1796 bytes inside of
       7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
      The buggy address belongs to the page:
      page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
      index:0x0 compound_mapcount: 0
      flags: 0xffffe0000008100(slab|head)
      raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
      raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
       ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 467fa153("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8a88799
    • Artemy Kovalyov's avatar
      net/mlx5: Decrease default mr cache size · 96d8f624
      Artemy Kovalyov authored
      [ Upstream commit e8b26b21 ]
      
      Delete initialization of high order entries in mr cache to decrease initial
      memory footprint. When required, the administrator can populate the
      entries with memory keys via the /sys interface.
      
      This approach is very helpful to significantly reduce the per HW function
      memory footprint in virtualization environments such as SRIOV.
      
      Fixes: 9603b61d ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
      Signed-off-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reported-by: default avatarShalom Toledo <shalomt@mellanox.com>
      Acked-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96d8f624
    • Steffen Klassert's avatar
      net-gro: Fix GRO flush when receiving a GSO packet. · 23bfd229
      Steffen Klassert authored
      [ Upstream commit 0ab03f35 ]
      
      Currently we may merge incorrectly a received GSO packet
      or a packet with frag_list into a packet sitting in the
      gro_hash list. skb_segment() may crash case because
      the assumptions on the skb layout are not met.
      The correct behaviour would be to flush the packet in the
      gro_hash list and send the received GSO packet directly
      afterwards. Commit d61d072e ("net-gro: avoid reorders")
      sets NAPI_GRO_CB(skb)->flush in this case, but this is not
      checked before merging. This patch makes sure to check this
      flag and to not merge in that case.
      
      Fixes: d61d072e ("net-gro: avoid reorders")
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      23bfd229
    • Jiri Slaby's avatar
      kcm: switch order of device registration to fix a crash · 393c8b4c
      Jiri Slaby authored
      [ Upstream commit 3c446e6f ]
      
      When kcm is loaded while many processes try to create a KCM socket, a
      crash occurs:
       BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
       IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
       PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
       Oops: 0002 [#1] SMP KASAN PTI
       CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
       RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
       RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
       ...
       CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
       Call Trace:
        kcm_create+0x600/0xbf0 [kcm]
        __sock_create+0x324/0x750 net/socket.c:1272
       ...
      
      This is due to race between sock_create and unfinished
      register_pernet_device. kcm_create tries to do "net_generic(net,
      kcm_net_id)". but kcm_net_id is not initialized yet.
      
      So switch the order of the two to close the race.
      
      This can be reproduced with mutiple processes doing socket(PF_KCM, ...)
      and one process doing module removal.
      
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
      Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      393c8b4c
    • Lorenzo Bianconi's avatar
      ipv6: sit: reset ip header pointer in ipip6_rcv · b74c2990
      Lorenzo Bianconi authored
      [ Upstream commit bb9bd814 ]
      
      ipip6 tunnels run iptunnel_pull_header on received skbs. This can
      determine the following use-after-free accessing iph pointer since
      the packet will be 'uncloned' running pskb_expand_head if it is a
      cloned gso skb (e.g if the packet has been sent though a veth device)
      
      [  706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit]
      [  706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/=
      [  706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016
      [  706.771839] Call trace:
      [  706.801159]  dump_backtrace+0x0/0x2f8
      [  706.845079]  show_stack+0x24/0x30
      [  706.884833]  dump_stack+0xe0/0x11c
      [  706.925629]  print_address_description+0x68/0x260
      [  706.982070]  kasan_report+0x178/0x340
      [  707.025995]  __asan_report_load1_noabort+0x30/0x40
      [  707.083481]  ipip6_rcv+0x1678/0x16e0 [sit]
      [  707.132623]  tunnel64_rcv+0xd4/0x200 [tunnel4]
      [  707.185940]  ip_local_deliver_finish+0x3b8/0x988
      [  707.241338]  ip_local_deliver+0x144/0x470
      [  707.289436]  ip_rcv_finish+0x43c/0x14b0
      [  707.335447]  ip_rcv+0x628/0x1138
      [  707.374151]  __netif_receive_skb_core+0x1670/0x2600
      [  707.432680]  __netif_receive_skb+0x28/0x190
      [  707.482859]  process_backlog+0x1d0/0x610
      [  707.529913]  net_rx_action+0x37c/0xf68
      [  707.574882]  __do_softirq+0x288/0x1018
      [  707.619852]  run_ksoftirqd+0x70/0xa8
      [  707.662734]  smpboot_thread_fn+0x3a4/0x9e8
      [  707.711875]  kthread+0x2c8/0x350
      [  707.750583]  ret_from_fork+0x10/0x18
      
      [  707.811302] Allocated by task 16982:
      [  707.854182]  kasan_kmalloc.part.1+0x40/0x108
      [  707.905405]  kasan_kmalloc+0xb4/0xc8
      [  707.948291]  kasan_slab_alloc+0x14/0x20
      [  707.994309]  __kmalloc_node_track_caller+0x158/0x5e0
      [  708.053902]  __kmalloc_reserve.isra.8+0x54/0xe0
      [  708.108280]  __alloc_skb+0xd8/0x400
      [  708.150139]  sk_stream_alloc_skb+0xa4/0x638
      [  708.200346]  tcp_sendmsg_locked+0x818/0x2b90
      [  708.251581]  tcp_sendmsg+0x40/0x60
      [  708.292376]  inet_sendmsg+0xf0/0x520
      [  708.335259]  sock_sendmsg+0xac/0xf8
      [  708.377096]  sock_write_iter+0x1c0/0x2c0
      [  708.424154]  new_sync_write+0x358/0x4a8
      [  708.470162]  __vfs_write+0xc4/0xf8
      [  708.510950]  vfs_write+0x12c/0x3d0
      [  708.551739]  ksys_write+0xcc/0x178
      [  708.592533]  __arm64_sys_write+0x70/0xa0
      [  708.639593]  el0_svc_handler+0x13c/0x298
      [  708.686646]  el0_svc+0x8/0xc
      
      [  708.739019] Freed by task 17:
      [  708.774597]  __kasan_slab_free+0x114/0x228
      [  708.823736]  kasan_slab_free+0x10/0x18
      [  708.868703]  kfree+0x100/0x3d8
      [  708.905320]  skb_free_head+0x7c/0x98
      [  708.948204]  skb_release_data+0x320/0x490
      [  708.996301]  pskb_expand_head+0x60c/0x970
      [  709.044399]  __iptunnel_pull_header+0x3b8/0x5d0
      [  709.098770]  ipip6_rcv+0x41c/0x16e0 [sit]
      [  709.146873]  tunnel64_rcv+0xd4/0x200 [tunnel4]
      [  709.200195]  ip_local_deliver_finish+0x3b8/0x988
      [  709.255596]  ip_local_deliver+0x144/0x470
      [  709.303692]  ip_rcv_finish+0x43c/0x14b0
      [  709.349705]  ip_rcv+0x628/0x1138
      [  709.388413]  __netif_receive_skb_core+0x1670/0x2600
      [  709.446943]  __netif_receive_skb+0x28/0x190
      [  709.497120]  process_backlog+0x1d0/0x610
      [  709.544169]  net_rx_action+0x37c/0xf68
      [  709.589131]  __do_softirq+0x288/0x1018
      
      [  709.651938] The buggy address belongs to the object at ffffe01b6bd85580
                      which belongs to the cache kmalloc-1024 of size 1024
      [  709.804356] The buggy address is located 117 bytes inside of
                      1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980)
      [  709.946340] The buggy address belongs to the page:
      [  710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0
      [  710.099914] flags: 0xfffff8000000100(slab)
      [  710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600
      [  710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000
      [  710.334966] page dumped because: kasan: bad access detected
      
      Fix it resetting iph pointer after iptunnel_pull_header
      
      Fixes: a09a4c8d ("tunnels: Remove encapsulation offloads on decap")
      Tested-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b74c2990
    • Junwei Hu's avatar
      ipv6: Fix dangling pointer when ipv6 fragment · 58ffe3e3
      Junwei Hu authored
      [ Upstream commit ef0efcd3 ]
      
      At the beginning of ip6_fragment func, the prevhdr pointer is
      obtained in the ip6_find_1stfragopt func.
      However, all the pointers pointing into skb header may change
      when calling skb_checksum_help func with
      skb->ip_summed = CHECKSUM_PARTIAL condition.
      The prevhdr pointe will be dangling if it is not reloaded after
      calling __skb_linearize func in skb_checksum_help func.
      
      Here, I add a variable, nexthdr_offset, to evaluate the offset,
      which does not changes even after calling __skb_linearize func.
      
      Fixes: 405c92f7 ("ipv6: add defensive check for CHECKSUM_PARTIAL skbs in ip_fragment")
      Signed-off-by: default avatarJunwei Hu <hujunwei4@huawei.com>
      Reported-by: default avatarWenhao Zhang <zhangwenhao8@huawei.com>
      Reported-by: syzbot+e8ce541d095e486074fc@syzkaller.appspotmail.com
      Reviewed-by: default avatarZhiqiang Liu <liuzhiqiang26@huawei.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58ffe3e3
    • Greg Kroah-Hartman's avatar
      tty: ldisc: add sysctl to prevent autoloading of ldiscs · ad2548c9
      Greg Kroah-Hartman authored
      commit 7c0cca7c upstream.
      
      By default, the kernel will automatically load the module of any line
      dicipline that is asked for.  As this sometimes isn't the safest thing
      to do, provide a sysctl to disable this feature.
      
      By default, we set this to 'y' as that is the historical way that Linux
      has worked, and we do not want to break working systems.  But in the
      future, perhaps this can default to 'n' to prevent this functionality.
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad2548c9
    • Greg Kroah-Hartman's avatar
      tty: mark Siemens R3964 line discipline as BROKEN · 429977fd
      Greg Kroah-Hartman authored
      commit c7084edc upstream.
      
      The n_r3964 line discipline driver was written in a different time, when
      SMP machines were rare, and users were trusted to do the right thing.
      Since then, the world has moved on but not this code, it has stayed
      rooted in the past with its lovely hand-crafted list structures and
      loads of "interesting" race conditions all over the place.
      
      After attempting to clean up most of the issues, I just gave up and am
      now marking the driver as BROKEN so that hopefully someone who has this
      hardware will show up out of the woodwork (I know you are out there!)
      and will help with debugging a raft of changes that I had laying around
      for the code, but was too afraid to commit as odds are they would break
      things.
      
      Many thanks to Jann and Linus for pointing out the initial problems in
      this codebase, as well as many reviews of my attempts to fix the issues.
      It was a case of whack-a-mole, and as you can see, the mole won.
      Reported-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      429977fd
    • Yueyi Li's avatar
      arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region · 8add7054
      Yueyi Li authored
      [ Upstream commit c8a43c18 ]
      
      When KASLR is enabled (CONFIG_RANDOMIZE_BASE=y), the top 4K of kernel
      virtual address space may be mapped to physical addresses despite being
      reserved for ERR_PTR values.
      
      Fix the randomization of the linear region so that we avoid mapping the
      last page of the virtual address space.
      
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarliyueyi <liyueyi@live.com>
      [will: rewrote commit message; merged in suggestion from Ard]
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSasha Levin (Microsoft) <sashal@kernel.org>
      8add7054
    • Gilad Ben-Yossef's avatar
      stating: ccree: revert "staging: ccree: fix leak of import() after init()" · 83b4ccf2
      Gilad Ben-Yossef authored
      commit 293edc27 upstream
      
      This reverts commit c5f39d07 ("staging: ccree: fix leak of import()
      after init()") and commit aece0902 ("staging: ccree: Uninitialized
      return in ssi_ahash_import()").
      
      This is the wrong solution and ends up relying on uninitialized memory,
      although it was not obvious to me at the time.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      83b4ccf2
    • Nick Desaulniers's avatar
      lib/string.c: implement a basic bcmp · 56dbdae0
      Nick Desaulniers authored
      [ Upstream commit 5f074f3e ]
      
      A recent optimization in Clang (r355672) lowers comparisons of the
      return value of memcmp against zero to comparisons of the return value
      of bcmp against zero.  This helps some platforms that implement bcmp
      more efficiently than memcmp.  glibc simply aliases bcmp to memcmp, but
      an optimized implementation is in the works.
      
      This results in linkage failures for all targets with Clang due to the
      undefined symbol.  For now, just implement bcmp as a tailcail to memcmp
      to unbreak the build.  This routine can be further optimized in the
      future.
      
      Other ideas discussed:
      
       * A weak alias was discussed, but breaks for architectures that define
         their own implementations of memcmp since aliases to declarations are
         not permitted (only definitions). Arch-specific memcmp
         implementations typically declare memcmp in C headers, but implement
         them in assembly.
      
       * -ffreestanding also is used sporadically throughout the kernel.
      
       * -fno-builtin-bcmp doesn't work when doing LTO.
      
      Link: https://bugs.llvm.org/show_bug.cgi?id=41035
      Link: https://code.woboq.org/userspace/glibc/string/memcmp.c.html#bcmp
      Link: https://github.com/llvm/llvm-project/commit/8e16d73346f8091461319a7dfc4ddd18eedcff13
      Link: https://github.com/ClangBuiltLinux/linux/issues/416
      Link: http://lkml.kernel.org/r/20190313211335.165605-1-ndesaulniers@google.comSigned-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Reported-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Reported-by: default avatarAdhemerval Zanella <adhemerval.zanella@linaro.org>
      Suggested-by: default avatarArnd Bergmann <arnd@arndb.de>
      Suggested-by: default avatarJames Y Knight <jyknight@google.com>
      Suggested-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Suggested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Suggested-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Tested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      56dbdae0
    • Nick Desaulniers's avatar
      x86/vdso: Drop implicit common-page-size linker flag · 625c8206
      Nick Desaulniers authored
      commit ac3e233d upstream.
      
      GNU linker's -z common-page-size's default value is based on the target
      architecture. arch/x86/entry/vdso/Makefile sets it to the architecture
      default, which is implicit and redundant. Drop it.
      
      Fixes: 2aae950b ("x86_64: Add vDSO for x86-64 with gettimeofday/clock_gettime/getcpu")
      Reported-by: default avatarDmitry Golovin <dima@golovin.in>
      Reported-by: default avatarBill Wendling <morbo@google.com>
      Suggested-by: default avatarDmitry Golovin <dima@golovin.in>
      Suggested-by: default avatarRui Ueyama <ruiu@google.com>
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Fangrui Song <maskray@google.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20181206191231.192355-1-ndesaulniers@google.com
      Link: https://bugs.llvm.org/show_bug.cgi?id=38774
      Link: https://github.com/ClangBuiltLinux/linux/issues/31Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      625c8206
    • Alistair Strachan's avatar
      x86: vdso: Use $LD instead of $CC to link · 3d4b1ffc
      Alistair Strachan authored
      commit 379d98dd upstream.
      
      The vdso{32,64}.so can fail to link with CC=clang when clang tries to find
      a suitable GCC toolchain to link these libraries with.
      
      /usr/bin/ld: arch/x86/entry/vdso/vclock_gettime.o:
        access beyond end of merged section (782)
      
      This happens because the host environment leaked into the cross compiler
      environment due to the way clang searches for suitable GCC toolchains.
      
      Clang is a retargetable compiler, and each invocation of it must provide
      --target=<something> --gcc-toolchain=<something> to allow it to find the
      correct binutils for cross compilation. These flags had been added to
      KBUILD_CFLAGS, but the vdso code uses CC and not KBUILD_CFLAGS (for various
      reasons) which breaks clang's ability to find the correct linker when cross
      compiling.
      
      Most of the time this goes unnoticed because the host linker is new enough
      to work anyway, or is incompatible and skipped, but this cannot be reliably
      assumed.
      
      This change alters the vdso makefile to just use LD directly, which
      bypasses clang and thus the searching problem. The makefile will just use
      ${CROSS_COMPILE}ld instead, which is always what we want. This matches the
      method used to link vmlinux.
      
      This drops references to DISABLE_LTO; this option doesn't seem to be set
      anywhere, and not knowing what its possible values are, it's not clear how
      to convert it from CC to LD flag.
      Signed-off-by: default avatarAlistair Strachan <astrachan@google.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: kernel-team@android.com
      Cc: joel@joelfernandes.org
      Cc: Andi Kleen <andi.kleen@intel.com>
      Link: https://lkml.kernel.org/r/20180803173931.117515-1-astrachan@google.comSigned-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3d4b1ffc
    • Nick Desaulniers's avatar
      kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD · 1efb2cae
      Nick Desaulniers authored
      commit ad15006c upstream.
      
      This causes an issue when trying to build with `make LD=ld.lld` if
      ld.lld and the rest of your cross tools aren't in the same directory
      (ex. /usr/local/bin) (as is the case for Android's build system), as the
      GCC_TOOLCHAIN_DIR then gets set based on `which $(LD)` which will point
      where LLVM tools are, not GCC/binutils tools are located.
      
      Instead, select the GCC_TOOLCHAIN_DIR based on another tool provided by
      binutils for which LLVM does not provide a substitute for, such as
      elfedit.
      
      Fixes: 785f11aa ("kbuild: Add better clang cross build support")
      Link: https://github.com/ClangBuiltLinux/linux/issues/341Suggested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Tested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1efb2cae
    • Breno Leitao's avatar
      powerpc/tm: Limit TM code inside PPC_TRANSACTIONAL_MEM · 7f8e322e
      Breno Leitao authored
      [ Upstream commit 897bc3df ]
      
      Commit e1c3743e ("powerpc/tm: Set MSR[TS] just prior to recheckpoint")
      moved a code block around and this block uses a 'msr' variable outside of
      the CONFIG_PPC_TRANSACTIONAL_MEM, however the 'msr' variable is declared
      inside a CONFIG_PPC_TRANSACTIONAL_MEM block, causing a possible error when
      CONFIG_PPC_TRANSACTION_MEM is not defined.
      
      	error: 'msr' undeclared (first use in this function)
      
      This is not causing a compilation error in the mainline kernel, because
      'msr' is being used as an argument of MSR_TM_ACTIVE(), which is defined as
      the following when CONFIG_PPC_TRANSACTIONAL_MEM is *not* set:
      
      	#define MSR_TM_ACTIVE(x) 0
      
      This patch just fixes this issue avoiding the 'msr' variable usage outside
      the CONFIG_PPC_TRANSACTIONAL_MEM block, avoiding trusting in the
      MSR_TM_ACTIVE() definition.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
      Fixes: e1c3743e ("powerpc/tm: Set MSR[TS] just prior to recheckpoint")
      Signed-off-by: default avatarBreno Leitao <leitao@debian.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7f8e322e
    • Yan Zhao's avatar
      drm/i915/gvt: do not let pin count of shadow mm go negative · 3cb115e6
      Yan Zhao authored
      [ Upstream commit 663a50ce ]
      
      shadow mm's pin count got increased in workload preparation phase, which
      is after workload scanning.
      it will get decreased in complete_current_workload() anyway after
      workload completion.
      Sometimes, if a workload meets a scanning error, its shadow mm pin count
      will not get increased but will get decreased in the end.
      This patch lets shadow mm's pin count not go below 0.
      
      Fixes: 2707e444 ("drm/i915/gvt: vGPU graphics memory virtualization")
      Cc: zhenyuw@linux.intel.com
      Cc: stable@vger.kernel.org #4.14+
      Signed-off-by: default avatarYan Zhao <yan.y.zhao@intel.com>
      Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3cb115e6
    • Andy Lutomirski's avatar
      x86/power: Make restore_processor_context() sane · 9b0cc293
      Andy Lutomirski authored
      [ Upstream commit 7ee18d67 ]
      
      My previous attempt to fix a couple of bugs in __restore_processor_context():
      
        5b06bbcf ("x86/power: Fix some ordering bugs in __restore_processor_context()")
      
      ... introduced yet another bug, breaking suspend-resume.
      
      Rather than trying to come up with a minimal fix, let's try to clean it up
      for real.  This patch fixes quite a few things:
      
       - The old code saved a nonsensical subset of segment registers.
         The only registers that need to be saved are those that contain
         userspace state or those that can't be trivially restored without
         percpu access working.  (On x86_32, we can restore percpu access
         by writing __KERNEL_PERCPU to %fs.  On x86_64, it's easier to
         save and restore the kernel's GSBASE.)  With this patch, we
         restore hardcoded values to the kernel state where applicable and
         explicitly restore the user state after fixing all the descriptor
         tables.
      
       - We used to use an unholy mix of inline asm and C helpers for
         segment register access.  Let's get rid of the inline asm.
      
      This fixes the reported s2ram hangs and make the code all around
      more logical.
      Analyzed-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reported-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Reported-by: default avatarPavel Machek <pavel@ucw.cz>
      Tested-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Tested-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Acked-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Borislav Petkov <bpetkov@suse.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
      Cc: Zhang Rui <rui.zhang@intel.com>
      Fixes: 5b06bbcf ("x86/power: Fix some ordering bugs in __restore_processor_context()")
      Link: http://lkml.kernel.org/r/398ee68e5c0f766425a7b746becfc810840770ff.1513286253.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9b0cc293
    • Andy Lutomirski's avatar
      x86/power/32: Move SYSENTER MSR restoration to fix_processor_context() · 28c25a93
      Andy Lutomirski authored
      [ Upstream commit 896c80be ]
      
      x86_64 restores system call MSRs in fix_processor_context(), and
      x86_32 restored them along with segment registers.  The 64-bit
      variant makes more sense, so move the 32-bit code to match the
      64-bit code.
      
      No side effects are expected to runtime behavior.
      Tested-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Acked-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Borislav Petkov <bpetkov@suse.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
      Cc: Zhang Rui <rui.zhang@intel.com>
      Link: http://lkml.kernel.org/r/65158f8d7ee64dd6bbc6c1c83b3b34aaa854e3ae.1513286253.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      28c25a93
    • Andy Lutomirski's avatar
      x86/power/64: Use struct desc_ptr for the IDT in struct saved_context · c4cafb8a
      Andy Lutomirski authored
      [ Upstream commit 090edbe2 ]
      
      x86_64's saved_context nonsensically used separate idt_limit and
      idt_base fields and then cast &idt_limit to struct desc_ptr *.
      
      This was correct (with -fno-strict-aliasing), but it's confusing,
      served no purpose, and required #ifdeffery. Simplify this by
      using struct desc_ptr directly.
      
      No change in functionality.
      Tested-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Acked-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Borislav Petkov <bpetkov@suse.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
      Cc: Zhang Rui <rui.zhang@intel.com>
      Link: http://lkml.kernel.org/r/967909ce38d341b01d45eff53e278e2728a3a93a.1513286253.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c4cafb8a
    • Andy Lutomirski's avatar
      x86/power: Fix some ordering bugs in __restore_processor_context() · 3363914c
      Andy Lutomirski authored
      [ Upstream commit 5b06bbcf ]
      
      __restore_processor_context() had a couple of ordering bugs.  It
      restored GSBASE after calling load_gs_index(), and the latter can
      call into tracing code.  It also tried to restore segment registers
      before restoring the LDT, which is straight-up wrong.
      
      Reorder the code so that we restore GSBASE, then the descriptor
      tables, then the segments.
      
      This fixes two bugs.  First, it fixes a regression that broke resume
      under certain configurations due to irqflag tracing in
      native_load_gs_index().  Second, it fixes resume when the userspace
      process that initiated suspect had funny segments.  The latter can be
      reproduced by compiling this:
      
      // SPDX-License-Identifier: GPL-2.0
      /*
       * ldt_echo.c - Echo argv[1] while using an LDT segment
       */
      
      int main(int argc, char **argv)
      {
      	int ret;
      	size_t len;
      	char *buf;
      
      	const struct user_desc desc = {
                      .entry_number    = 0,
                      .base_addr       = 0,
                      .limit           = 0xfffff,
                      .seg_32bit       = 1,
                      .contents        = 0, /* Data, grow-up */
                      .read_exec_only  = 0,
                      .limit_in_pages  = 1,
                      .seg_not_present = 0,
                      .useable         = 0
              };
      
      	if (argc != 2)
      		errx(1, "Usage: %s STRING", argv[0]);
      
      	len = asprintf(&buf, "%s\n", argv[1]);
      	if (len < 0)
      		errx(1, "Out of memory");
      
      	ret = syscall(SYS_modify_ldt, 1, &desc, sizeof(desc));
      	if (ret < -1)
      		errno = -ret;
      	if (ret)
      		err(1, "modify_ldt");
      
      	asm volatile ("movw %0, %%es" :: "rm" ((unsigned short)7));
      	write(1, buf, len);
      	return 0;
      }
      
      and running ldt_echo >/sys/power/mem
      
      Without the fix, the latter causes a triple fault on resume.
      
      Fixes: ca37e57b ("x86/entry/64: Add missing irqflags tracing to native_load_gs_index()")
      Reported-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Link: https://lkml.kernel.org/r/6b31721ea92f51ea839e79bd97ade4a75b1eeea2.1512057304.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3363914c
    • Marek Behún's avatar
      net: sfp: move sfp_register_socket call from sfp_remove to sfp_probe · f5393c36
      Marek Behún authored
      Commit c4ba68b8 backported from upstream to 4.14 stable was
      probably applied wrongly, and instead of calling sfp_register_socket in
      sfp_probe, the socket registering code was put into sfp_remove. This is
      obviously wrong.
      
      The commit first appeared in 4.14.104. Fix it for the next 4.14 release.
      
      Fixes: c4ba68b8 ("net: sfp: do not probe SFP module before we're attached")
      Cc: stable <stable@vger.kernel.org>
      Cc: Russell King <rmk+kernel@armlinux.org.uk>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Sasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarMarek Behún <marek.behun@nic.cz>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f5393c36
  2. 05 Apr, 2019 16 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.14.111 · 1ec8f1f0
      Greg Kroah-Hartman authored
      1ec8f1f0
    • Hans de Goede's avatar
      ACPI / video: Extend chassis-type detection with a "Lunch Box" check · 30d7823d
      Hans de Goede authored
      [ Upstream commit d693c008 ]
      
      Commit 53fa1f6e ("ACPI / video: Only default only_lcd to true on
      Win8-ready _desktops_") introduced chassis type detection, limiting the
      lcd_only check for the backlight to devices where the chassis-type
      indicates their is no builtin LCD panel.
      
      The purpose of the lcd_only check is to avoid advertising a backlight
      interface on desktops, since skylake and newer machines seem to always
      have a backlight interface even if there is no LCD panel. The limiting
      of this check to desktops only was done to avoid breaking backlight
      support on some laptops which do not have the lcd flag set.
      
      The Fujitsu ESPRIMO Q910 which is a compact (NUC like) desktop machine
      has a chassis type of 0x10 aka "Lunch Box". Without the lcd_only check
      we end up falsely advertising backlight/brightness control on this
      device. This commit extend the dmi_is_desktop check to return true
      for type 0x10 to fix this.
      
      Fixes: 53fa1f6e ("ACPI / video: Only default only_lcd to true ...")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      30d7823d
    • Ville Syrjälä's avatar
      drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers · 5cf6953f
      Ville Syrjälä authored
      [ Upstream commit c978ae9b ]
      
      We aren't supposed to force a stop+start between every i2c msg
      when performing multi message transfers. This should eg. cause
      the DDC segment address to be reset back to 0 between writing
      the segment address and reading the actual EDID extension block.
      
      To quote the E-DDC spec:
      "... this standard requires that the segment pointer be
       reset to 00h when a NO ACK or a STOP condition is received."
      
      Since we're going to touch this might as well consult the
      I2C_M_STOP flag to determine whether we want to force the stop
      or not.
      
      Cc: Brian Vincent <brainn@gmail.com>
      References: https://bugs.freedesktop.org/show_bug.cgi?id=108081Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180928180403.22499-1-ville.syrjala@linux.intel.comReviewed-by: default avatarDhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5cf6953f
    • Ben Dooks's avatar
      dmaengine: tegra: avoid overflow of byte tracking · cf44af74
      Ben Dooks authored
      [ Upstream commit e486df39 ]
      
      The dma_desc->bytes_transferred counter tracks the number of bytes
      moved by the DMA channel. This is then used to calculate the information
      passed back in the in the tegra_dma_tx_status callback, which is usually
      fine.
      
      When the DMA channel is configured as continous, then the bytes_transferred
      counter will increase over time and eventually overflow to become negative
      so the residue count will become invalid and the ALSA sound-dma code will
      report invalid hardware pointer values to the application. This results in
      some users becoming confused about the playout position and putting audio
      data in the wrong place.
      
      To fix this issue, always ensure the bytes_transferred field is modulo the
      size of the request. We only do this for the case of the cyclic transfer
      done ISR as anyone attempting to move 2GiB of DMA data in one transfer
      is unlikely.
      
      Note, we don't fix the issue that we should /never/ transfer a negative
      number of bytes so we could make those fields unsigned.
      Reviewed-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Signed-off-by: default avatarBen Dooks <ben.dooks@codethink.co.uk>
      Acked-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cf44af74
    • Katsuhiro Suzuki's avatar
      clk: rockchip: fix frac settings of GPLL clock for rk3328 · 80433260
      Katsuhiro Suzuki authored
      [ Upstream commit a0e447b0 ]
      
      This patch fixes settings of GPLL frequency in fractional mode for
      rk3328. In this mode, FOUTVCO is calcurated by following formula:
        FOUTVCO = FREF * FBDIV / REFDIV + ((FREF * FRAC / REFDIV) >> 24)
      
      The problem is in FREF * FRAC >> 24 term. This result always lacks
      one from target value is specified by rate member. For example first
      itme of rk3328_pll_frac_rate originally has
        - rate  : 1016064000
        - refdiv: 3
        - fbdiv : 127
        - frac  : 134217
        - FREF * FBDIV / REFDIV        = 1016000000
        - (FREF * FRAC / REFDIV) >> 24 = 63999
      Thus calculated rate is 1016063999. It seems wrong.
      
      If frac has 134218 (it is increased 1 from original value), second
      term is 64000. All other items have same situation. So this patch
      adds 1 to frac member in all items of rk3328_pll_frac_rate.
      Signed-off-by: default avatarKatsuhiro Suzuki <katsuhiro@katsuster.net>
      Acked-by: default avatarElaine Zhang <zhangqing@rock-chips.com>
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      80433260
    • Rafael Ávila de Espíndola's avatar
      x86/build: Mark per-CPU symbols as absolute explicitly for LLD · 1d0961c1
      Rafael Ávila de Espíndola authored
      [ Upstream commit d071ae09 ]
      
      Accessing per-CPU variables is done by finding the offset of the
      variable in the per-CPU block and adding it to the address of the
      respective CPU's block.
      
      Section 3.10.8 of ld.bfd's documentation states:
      
        For expressions involving numbers, relative addresses and absolute
        addresses, ld follows these rules to evaluate terms:
      
        Other binary operations, that is, between two relative addresses
        not in the same section, or between a relative address and an
        absolute address, first convert any non-absolute term to an
        absolute address before applying the operator."
      
      Note that LLVM's linker does not adhere to the GNU ld's implementation
      and as such requires implicitly-absolute terms to be explicitly marked
      as absolute in the linker script. If not, it fails currently with:
      
        ld.lld: error: ./arch/x86/kernel/vmlinux.lds:153: at least one side of the expression must be absolute
        ld.lld: error: ./arch/x86/kernel/vmlinux.lds:154: at least one side of the expression must be absolute
        Makefile:1040: recipe for target 'vmlinux' failed
      
      This is not a functional change for ld.bfd which converts the term to an
      absolute symbol anyways as specified above.
      
      Based on a previous submission by Tri Vo <trong@android.com>.
      Reported-by: default avatarDmitry Golovin <dima@golovin.in>
      Signed-off-by: default avatarRafael Ávila de Espíndola <rafael@espindo.la>
      [ Update commit message per Boris' and Michael's suggestions. ]
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      [ Massage commit message more, fix typos. ]
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Tested-by: default avatarDmitry Golovin <dima@golovin.in>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Brijesh Singh <brijesh.singh@amd.com>
      Cc: Cao Jin <caoj.fnst@cn.fujitsu.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Joerg Roedel <jroedel@suse.de>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tri Vo <trong@android.com>
      Cc: dima@golovin.in
      Cc: morbo@google.com
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20181219190145.252035-1-ndesaulniers@google.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      1d0961c1
    • Zumeng Chen's avatar
      wlcore: Fix memory leak in case wl12xx_fetch_firmware failure · d2a1b60a
      Zumeng Chen authored
      [ Upstream commit ba2ffc96 ]
      
      Release fw_status, raw_fw_status, and tx_res_if when wl12xx_fetch_firmware
      failed instead of meaningless goto out to avoid the following memory leak
      reports(Only the last one listed):
      
      unreferenced object 0xc28a9a00 (size 512):
        comm "kworker/0:4", pid 31298, jiffies 2783204 (age 203.290s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
        backtrace:
          [<6624adab>] kmemleak_alloc+0x40/0x74
          [<500ddb31>] kmem_cache_alloc_trace+0x1ac/0x270
          [<db4d731d>] wl12xx_chip_wakeup+0xc4/0x1fc [wlcore]
          [<76c5db53>] wl1271_op_add_interface+0x4a4/0x8f4 [wlcore]
          [<cbf30777>] drv_add_interface+0xa4/0x1a0 [mac80211]
          [<65bac325>] ieee80211_reconfig+0x9c0/0x1644 [mac80211]
          [<2817c80e>] ieee80211_restart_work+0x90/0xc8 [mac80211]
          [<7e1d425a>] process_one_work+0x284/0x42c
          [<55f9432e>] worker_thread+0x2fc/0x48c
          [<abb582c6>] kthread+0x148/0x160
          [<63144b13>] ret_from_fork+0x14/0x2c
          [< (null)>] (null)
          [<1f6e7715>] 0xffffffff
      Signed-off-by: default avatarZumeng Chen <zumeng.chen@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d2a1b60a
    • Ondrej Mosnacek's avatar
      selinux: do not override context on context mounts · 0ce68e86
      Ondrej Mosnacek authored
      [ Upstream commit 53e0c2aa ]
      
      Ignore all selinux_inode_notifysecctx() calls on mounts with SBLABEL_MNT
      flag unset. This is achived by returning -EOPNOTSUPP for this case in
      selinux_inode_setsecurtity() (because that function should not be called
      in such case anyway) and translating this error to 0 in
      selinux_inode_notifysecctx().
      
      This fixes behavior of kernfs-based filesystems when mounted with the
      'context=' option. Before this patch, if a node's context had been
      explicitly set to a non-default value and later the filesystem has been
      remounted with the 'context=' option, then this node would show up as
      having the manually-set context and not the mount-specified one.
      
      Steps to reproduce:
          # mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified
          # chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat
          # ls -lZ /sys/fs/cgroup/unified
          total 0
          -r--r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.controllers
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.max.depth
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.max.descendants
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.procs
          -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.subtree_control
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.threads
          # umount /sys/fs/cgroup/unified
          # mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
      
      Result before:
          # ls -lZ /sys/fs/cgroup/unified
          total 0
          -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.controllers
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.max.depth
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.max.descendants
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.procs
          -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.subtree_control
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.threads
      
      Result after:
          # ls -lZ /sys/fs/cgroup/unified
          total 0
          -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
          -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Reviewed-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0ce68e86
    • George Rimar's avatar
      x86/build: Specify elf_i386 linker emulation explicitly for i386 objects · 621f35e5
      George Rimar authored
      [ Upstream commit 927185c1 ]
      
      The kernel uses the OUTPUT_FORMAT linker script command in it's linker
      scripts. Most of the time, the -m option is passed to the linker with
      correct architecture, but sometimes (at least for x86_64) the -m option
      contradicts the OUTPUT_FORMAT directive.
      
      Specifically, arch/x86/boot and arch/x86/realmode/rm produce i386 object
      files, but are linked with the -m elf_x86_64 linker flag when building
      for x86_64.
      
      The GNU linker manpage doesn't explicitly state any tie-breakers between
      -m and OUTPUT_FORMAT. But with BFD and Gold linkers, OUTPUT_FORMAT
      overrides the emulation value specified with the -m option.
      
      LLVM lld has a different behavior, however. When supplied with
      contradicting -m and OUTPUT_FORMAT values it fails with the following
      error message:
      
        ld.lld: error: arch/x86/realmode/rm/header.o is incompatible with elf_x86_64
      
      Therefore, just add the correct -m after the incorrect one (it overrides
      it), so the linker invocation looks like this:
      
        ld -m elf_x86_64 -z max-page-size=0x200000 -m elf_i386 --emit-relocs -T \
          realmode.lds header.o trampoline_64.o stack.o reboot.o -o realmode.elf
      
      This is not a functional change for GNU ld, because (although not
      explicitly documented) OUTPUT_FORMAT overrides -m EMULATION.
      
      Tested by building x86_64 kernel with GNU gcc/ld toolchain and booting
      it in QEMU.
      
       [ bp: massage and clarify text. ]
      Suggested-by: default avatarDmitry Golovin <dima@golovin.in>
      Signed-off-by: default avatarGeorge Rimar <grimar@accesssoftek.com>
      Signed-off-by: default avatarTri Vo <trong@android.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Tested-by: default avatarTri Vo <trong@android.com>
      Tested-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Michael Matz <matz@suse.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: morbo@google.com
      Cc: ndesaulniers@google.com
      Cc: ruiu@google.com
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190111201012.71210-1-trong@android.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      621f35e5
    • Daniel Vetter's avatar
      drm/nouveau: Stop using drm_crtc_force_disable · 3025691e
      Daniel Vetter authored
      [ Upstream commit 934c5b32 ]
      
      The correct way for legacy drivers to update properties that need to
      do a full modeset, is to do a full modeset.
      
      Note that we don't need to call the drm_mode_config_internal helper
      because we're not changing any of the refcounted paramters.
      
      v2: Fixup error handling (Ville). Since the old code didn't bother
      I decided to just delete it instead of adding even more code for just
      error handling.
      
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: Alex Deucher <alexander.deucher@amd.com> (v1)
      Cc: Sean Paul <seanpaul@chromium.org>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20181217194303.14397-2-daniel.vetter@ffwll.chSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      3025691e
    • Paul Kocialkowski's avatar
      drm: Auto-set allow_fb_modifiers when given modifiers at plane init · 0cab1159
      Paul Kocialkowski authored
      [ Upstream commit 890880dd ]
      
      When drivers pass non-empty lists of modifiers for initializing their
      planes, we can infer that they allow framebuffer modifiers and set the
      driver's allow_fb_modifiers mode config element.
      
      In case the allow_fb_modifiers element was not set (some drivers tend
      to set them after registering planes), the modifiers will still be
      registered but won't be available to userspace unless the flag is set
      later. However in that case, the IN_FORMATS blob won't be created.
      
      In order to avoid this case and generally reduce the trouble associated
      with the flag, always set allow_fb_modifiers when a non-empty list of
      format modifiers is passed at plane init.
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@bootlin.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190104085610.5829-1-paul.kocialkowski@bootlin.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      0cab1159
    • Axel Lin's avatar
      regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting · 8fbaad2c
      Axel Lin authored
      [ Upstream commit f01a7beb ]
      
      The act8600_sudcdc_voltage_ranges setting does not match the datasheet.
      
      The problems in below entry:
        REGULATOR_LINEAR_RANGE(19000000, 191, 255, 400000),
      
      1. The off-by-one min_sel causes wrong volatage calculation.
         The min_sel should be 192.
      2. According to the datasheet[1] Table 7. (on page 43):
         The selector 248 (0b11111000) ~ 255 (0b11111111) are 41.400V.
      
      Also fix off-by-one for ACT8600_SUDCDC_VOLTAGE_NUM.
      
      [1] https://active-semi.com/wp-content/uploads/ACT8600_Datasheet.pdf
      
      Fixes: df3a950e ("regulator: act8865: Add act8600 support")
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8fbaad2c
    • Pawe? Chmiel's avatar
      media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration · 644bdba7
      Pawe? Chmiel authored
      [ Upstream commit 49710c32 ]
      
      Previously when doing format enumeration, it was returning all
       formats supported by driver, even if they're not supported by hw.
      Add missing check for fmt_ver_flag, so it'll be fixed and only those
       supported by hw will be returned. Similar thing is already done
       in s5p_jpeg_find_format.
      
      It was found by using v4l2-compliance tool and checking result
       of VIDIOC_ENUM_FMT/FRAMESIZES/FRAMEINTERVALS test
      and using v4l2-ctl to get list of all supported formats.
      
      Tested on s5pv210-galaxys (Samsung i9000 phone).
      
      Fixes: bb677f3a ("[media] Exynos4 JPEG codec v4l2 driver")
      Signed-off-by: default avatarPawe? Chmiel <pawel.mikolaj.chmiel@gmail.com>
      Reviewed-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      [hverkuil-cisco@xs4all.nl: fix a few alignment issues]
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      644bdba7
    • Florian Westphal's avatar
      netfilter: physdev: relax br_netfilter dependency · 2230f5e2
      Florian Westphal authored
      [ Upstream commit 8e2f311a ]
      
      Following command:
        iptables -D FORWARD -m physdev ...
      causes connectivity loss in some setups.
      
      Reason is that iptables userspace will probe kernel for the module revision
      of the physdev patch, and physdev has an artificial dependency on
      br_netfilter (xt_physdev use makes no sense unless a br_netfilter module
      is loaded).
      
      This causes the "phydev" module to be loaded, which in turn enables the
      "call-iptables" infrastructure.
      
      bridged packets might then get dropped by the iptables ruleset.
      
      The better fix would be to change the "call-iptables" defaults to 0 and
      enforce explicit setting to 1, but that breaks backwards compatibility.
      
      This does the next best thing: add a request_module call to checkentry.
      This was a stray '-D ... -m physdev' won't activate br_netfilter
      anymore.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2230f5e2
    • Shunyong Yang's avatar
      dmaengine: qcom_hidma: initialize tx flags in hidma_prep_dma_* · 0999f638
      Shunyong Yang authored
      [ Upstream commit 875aac8a ]
      
      In async_tx_test_ack(), it uses flags in struct dma_async_tx_descriptor
      to check the ACK status. As hidma reuses the descriptor in a free list
      when hidma_prep_dma_*(memcpy/memset) is called, the flag will keep ACKed
      if the descriptor has been used before. This will cause a BUG_ON in
      async_tx_quiesce().
      
        kernel BUG at crypto/async_tx/async_tx.c:282!
        Internal error: Oops - BUG: 0 1 SMP
        ...
        task: ffff8017dd3ec000 task.stack: ffff8017dd3e8000
        PC is at async_tx_quiesce+0x54/0x78 [async_tx]
        LR is at async_trigger_callback+0x98/0x110 [async_tx]
      
      This patch initializes flags in dma_async_tx_descriptor by the flags
      passed from the caller when hidma_prep_dma_*(memcpy/memset) is called.
      
      Cc: Joey Zheng <yu.zheng@hxt-semitech.com>
      Reviewed-by: default avatarSinan Kaya <okaya@kernel.org>
      Signed-off-by: default avatarShunyong Yang <shunyong.yang@hxt-semitech.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0999f638
    • Shunyong Yang's avatar
      dmaengine: qcom_hidma: assign channel cookie correctly · c67ed493
      Shunyong Yang authored
      [ Upstream commit 546c0547 ]
      
      When dma_cookie_complete() is called in hidma_process_completed(),
      dma_cookie_status() will return DMA_COMPLETE in hidma_tx_status(). Then,
      hidma_txn_is_success() will be called to use channel cookie
      mchan->last_success to do additional DMA status check. Current code
      assigns mchan->last_success after dma_cookie_complete(). This causes
      a race condition of dma_cookie_status() returns DMA_COMPLETE before
      mchan->last_success is assigned correctly. The race will cause
      hidma_tx_status() return DMA_ERROR but the transaction is actually a
      success. Moreover, in async_tx case, it will cause a timeout panic
      in async_tx_quiesce().
      
       Kernel panic - not syncing: async_tx_quiesce: DMA error waiting for
       transaction
       ...
       Call trace:
       [<ffff000008089994>] dump_backtrace+0x0/0x1f4
       [<ffff000008089bac>] show_stack+0x24/0x2c
       [<ffff00000891e198>] dump_stack+0x84/0xa8
       [<ffff0000080da544>] panic+0x12c/0x29c
       [<ffff0000045d0334>] async_tx_quiesce+0xa4/0xc8 [async_tx]
       [<ffff0000045d03c8>] async_trigger_callback+0x70/0x1c0 [async_tx]
       [<ffff0000048b7d74>] raid_run_ops+0x86c/0x1540 [raid456]
       [<ffff0000048bd084>] handle_stripe+0x5e8/0x1c7c [raid456]
       [<ffff0000048be9ec>] handle_active_stripes.isra.45+0x2d4/0x550 [raid456]
       [<ffff0000048beff4>] raid5d+0x38c/0x5d0 [raid456]
       [<ffff000008736538>] md_thread+0x108/0x168
       [<ffff0000080fb1cc>] kthread+0x10c/0x138
       [<ffff000008084d34>] ret_from_fork+0x10/0x18
      
      Cc: Joey Zheng <yu.zheng@hxt-semitech.com>
      Reviewed-by: default avatarSinan Kaya <okaya@kernel.org>
      Signed-off-by: default avatarShunyong Yang <shunyong.yang@hxt-semitech.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c67ed493