1. 10 Mar, 2016 1 commit
    • Christian Borntraeger's avatar
      KVM: async_pf: do not warn on page allocation failures · e0b898dc
      Christian Borntraeger authored
      [ Upstream commit d7444794 ]
      
      In async_pf we try to allocate with NOWAIT to get an element quickly
      or fail. This code also handle failures gracefully. Lets silence
      potential page allocation failures under load.
      
      qemu-system-s39: page allocation failure: order:0,mode:0x2200000
      [...]
      Call Trace:
      ([<00000000001146b8>] show_trace+0xf8/0x148)
      [<000000000011476a>] show_stack+0x62/0xe8
      [<00000000004a36b8>] dump_stack+0x70/0x98
      [<0000000000272c3a>] warn_alloc_failed+0xd2/0x148
      [<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38
      [<00000000002cd36a>] new_slab+0x382/0x400
      [<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378
      [<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0
      [<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198
      [<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
      [<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690
      [<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510
      [<00000000002f68ec>] SyS_ioctl+0xa4/0xb8
      [<0000000000781c5e>] system_call+0xd6/0x264
      [<000003ffa24fa06a>] 0x3ffa24fa06a
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarDominik Dingel <dingel@linux.vnet.ibm.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e0b898dc
  2. 08 Mar, 2016 24 commits
    • Mark Rutland's avatar
      KVM: arm/arm64: vgic: Ensure bitmaps are long enough · e720b3ba
      Mark Rutland authored
      [ Upstream commit 236cf17c ]
      
      When we allocate bitmaps in vgic_vcpu_init_maps, we divide the number of
      bits we need by 8 to figure out how many bytes to allocate. However,
      bitmap elements are always accessed as unsigned longs, and if we didn't
      happen to allocate a size such that size % sizeof(unsigned long) == 0,
      bitmap accesses may go past the end of the allocation.
      
      When using KASAN (which does byte-granular access checks), this results
      in a continuous stream of BUGs whenever these bitmaps are accessed:
      
      =============================================================================
      BUG kmalloc-128 (Tainted: G    B          ): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      INFO: Allocated in vgic_init.part.25+0x55c/0x990 age=7493 cpu=3 pid=1730
      INFO: Slab 0xffffffbde6d5da40 objects=16 used=15 fp=0xffffffc935769700 flags=0x4000000000000080
      INFO: Object 0xffffffc935769500 @offset=1280 fp=0x          (null)
      
      Bytes b4 ffffffc9357694f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffffffc935769570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Padding ffffffc9357695b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Padding ffffffc9357695c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Padding ffffffc9357695d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Padding ffffffc9357695e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Padding ffffffc9357695f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      CPU: 3 PID: 1740 Comm: kvm-vcpu-0 Tainted: G    B           4.4.0+ #17
      Hardware name: ARM Juno development board (r1) (DT)
      Call trace:
      [<ffffffc00008e770>] dump_backtrace+0x0/0x280
      [<ffffffc00008ea04>] show_stack+0x14/0x20
      [<ffffffc000726360>] dump_stack+0x100/0x188
      [<ffffffc00030d324>] print_trailer+0xfc/0x168
      [<ffffffc000312294>] object_err+0x3c/0x50
      [<ffffffc0003140fc>] kasan_report_error+0x244/0x558
      [<ffffffc000314548>] __asan_report_load8_noabort+0x48/0x50
      [<ffffffc000745688>] __bitmap_or+0xc0/0xc8
      [<ffffffc0000d9e44>] kvm_vgic_flush_hwstate+0x1bc/0x650
      [<ffffffc0000c514c>] kvm_arch_vcpu_ioctl_run+0x2ec/0xa60
      [<ffffffc0000b9a6c>] kvm_vcpu_ioctl+0x474/0xa68
      [<ffffffc00036b7b0>] do_vfs_ioctl+0x5b8/0xcb0
      [<ffffffc00036bf34>] SyS_ioctl+0x8c/0xa0
      [<ffffffc000086cb0>] el0_svc_naked+0x24/0x28
      Memory state around the buggy address:
       ffffffc935769400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffffffc935769480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffffffc935769500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
       ffffffc935769580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffffffc935769600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
      ==================================================================
      
      Fix the issue by always allocating a multiple of sizeof(unsigned long),
      as we do elsewhere in the vgic code.
      
      Fixes: c1bfb577 ("arm/arm64: KVM: vgic: switch to dynamic allocation")
      Cc: stable@vger.kernel.org
      Acked-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Acked-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e720b3ba
    • Stefan Hajnoczi's avatar
      sunrpc/cache: fix off-by-one in qword_get() · 7459f09b
      Stefan Hajnoczi authored
      [ Upstream commit b7052cd7 ]
      
      The qword_get() function NUL-terminates its output buffer.  If the input
      string is in hex format \xXXXX... and the same length as the output
      buffer, there is an off-by-one:
      
        int qword_get(char **bpp, char *dest, int bufsize)
        {
            ...
            while (len < bufsize) {
                ...
                *dest++ = (h << 4) | l;
                len++;
            }
            ...
            *dest = '\0';
            return len;
        }
      
      This patch ensures the NUL terminator doesn't fall outside the output
      buffer.
      Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7459f09b
    • Alex Deucher's avatar
      drm/radeon/pm: adjust display configuration after powerstate · ae5a9780
      Alex Deucher authored
      [ Upstream commit 39d42750 ]
      
      set_power_state defaults to no displays, so we need to update
      the display configuration after setting up the powerstate on the
      first call. In most cases this is not an issue since ends up
      getting called multiple times at any given modeset and the proper
      order is achieved in the display changed handling at the top of
      the function.
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Acked-by: default avatarJordan Lazare <Jordan.Lazare@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ae5a9780
    • Martin Schwidefsky's avatar
      s390/compat: correct restore of high gprs on signal return · f5054278
      Martin Schwidefsky authored
      [ Upstream commit 342300cc ]
      
      git commit 80703617
      "s390: add support for vector extension"
      broke 31-bit compat processes in regard to signal handling.
      
      The restore_sigregs_ext32() function is used to restore the additional
      elements from the user space signal frame. Among the additional elements
      are the upper registers halves for 64-bit register support for 31-bit
      processes. The copy_from_user that is used to retrieve the high-gprs
      array from the user stack uses an incorrect length, 8 bytes instead of
      64 bytes. This causes incorrect upper register halves to get loaded.
      
      Cc: stable@vger.kernel.org # 3.8+
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f5054278
    • Gerhard Uttenthaler's avatar
      can: ems_usb: Fix possible tx overflow · 2992a0a3
      Gerhard Uttenthaler authored
      [ Upstream commit 90cfde46 ]
      
      This patch fixes the problem that more CAN messages could be sent to the
      interface as could be send on the CAN bus. This was more likely for slow baud
      rates. The sleeping _start_xmit was woken up in the _write_bulk_callback. Under
      heavy TX load this produced another bulk transfer without checking the
      free_slots variable and hence caused the overflow in the interface.
      Signed-off-by: default avatarGerhard Uttenthaler <uttenthaler@ems-wuensche.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2992a0a3
    • Peter Rosin's avatar
      hwmon: (ads1015) Handle negative conversion values correctly · 9ebc9c53
      Peter Rosin authored
      [ Upstream commit acc14694 ]
      
      Make the divisor signed as DIV_ROUND_CLOSEST is undefined for negative
      dividends when the divisor is unsigned.
      Signed-off-by: default avatarPeter Rosin <peda@axentia.se>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9ebc9c53
    • Alexandra Yates's avatar
      Adding Intel Lewisburg device IDs for SATA · 0b17b1b0
      Alexandra Yates authored
      [ Upstream commit f5bdd66c ]
      
      This patch complements the list of device IDs previously
      added for lewisburg sata.
      Signed-off-by: default avatarAlexandra Yates <alexandra.yates@linux.intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0b17b1b0
    • Alexandra Yates's avatar
      ahci: Order SATA device IDs for codename Lewisburg · 1c522e28
      Alexandra Yates authored
      [ Upstream commit 4d92f009 ]
      
      This change was to preserve the ascending order of device IDs.
      There was an exception with the first two Lewisburg device IDs to
      keep all device IDs of the same kind grouped by code name.
      Signed-off-by: default avatarAlexandra Yates <alexandra.yates@linux.intel.com>
      signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1c522e28
    • Bjørn Mork's avatar
      USB: option: add "4G LTE usb-modem U901" · a7da79b1
      Bjørn Mork authored
      [ Upstream commit d061c1ca ]
      
      Thomas reports:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=05c6 ProdID=6001 Rev=00.00
      S:  Manufacturer=USB Modem
      S:  Product=USB Modem
      S:  SerialNumber=1234567890ABCDEF
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a7da79b1
    • Barry Grussling's avatar
      usb: cp210x support SEL C662 Vendor/Device · b8f42d68
      Barry Grussling authored
      [ Upstream commit b579fa52 ]
      
      This patch adds support for the Schweitzer Engineering Laboratories
      C662 USB cable based off the CP210x driver.
      Signed-off-by: default avatarBarry Grussling <barry@grussling.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b8f42d68
    • Ken Lin's avatar
      USB: cp210x: add IDs for GE B650V3 and B850V3 boards · 12690f70
      Ken Lin authored
      [ Upstream commit 6627ae19 ]
      
      Add USB ID for cp2104/5 devices on GE B650v3 and B850v3 boards.
      Signed-off-by: default avatarKen Lin <ken.lin@advantech.com.tw>
      Signed-off-by: default avatarAkshay Bhat <akshay.bhat@timesys.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      12690f70
    • Oliver Freyermuth's avatar
      USB: cp210x: add ID for ELV Marble Sound Board 1 · 83598dff
      Oliver Freyermuth authored
      [ Upstream commit f7d7f59a ]
      
      Add the USB device ID for ELV Marble Sound Board 1.
      Signed-off-by: default avatarOliver Freyermuth <o.freyermuth@googlemail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      83598dff
    • Andrey Skvortsov's avatar
      USB: option: add support for SIM7100E · 6034ffbd
      Andrey Skvortsov authored
      [ Upstream commit 3158a8d4 ]
      
      $ lsusb:
      Bus 001 Device 101: ID 1e0e:9001 Qualcomm / Option
      
      $ usb-devices:
      T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=101 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  2
      P:  Vendor=1e0e ProdID=9001 Rev= 2.32
      S:  Manufacturer=SimTech, Incorporated
      S:  Product=SimTech, Incorporated
      S:  SerialNumber=0123456789ABCDEF
      C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
      
      The last interface (6) is used for Android Composite ADB interface.
      
      Serial port layout:
      0: QCDM/DIAG
      1: NMEA
      2: AT
      3: AT/PPP
      4: audio
      Signed-off-by: default avatarAndrey Skvortsov <andrej.skvortzov@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6034ffbd
    • Benjamin Coddington's avatar
      NFSv4: Fix a dentry leak on alias use · 655ea615
      Benjamin Coddington authored
      [ Upstream commit d9dfd8d7 ]
      
      In the case where d_add_unique() finds an appropriate alias to use it will
      have already incremented the reference count.  An additional dget() to swap
      the open context's dentry is unnecessary and will leak a reference.
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Fixes: 275bb307 ("NFSv4: Move dentry instantiation into the NFSv4-...")
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      655ea615
    • John Youn's avatar
      usb: dwc3: Fix assignment of EP transfer resources · 174bf25d
      John Youn authored
      [ Upstream commit c4509601 ]
      
      The assignement of EP transfer resources was not handled properly in the
      dwc3 driver. Commit aebda618 ("usb: dwc3: Reset the transfer
      resource index on SET_INTERFACE") previously fixed one aspect of this
      where resources may be exhausted with multiple calls to SET_INTERFACE.
      However, it introduced an issue where composite devices with multiple
      interfaces can be assigned the same transfer resources for different
      endpoints. This patch solves both issues.
      
      The assignment of transfer resources cannot perfectly follow the data
      book due to the fact that the controller driver does not have all
      knowledge of the configuration in advance. It is given this information
      piecemeal by the composite gadget framework after every
      SET_CONFIGURATION and SET_INTERFACE. Trying to follow the databook
      programming model in this scenario can cause errors. For two reasons:
      
      1) The databook says to do DEPSTARTCFG for every SET_CONFIGURATION and
      SET_INTERFACE (8.1.5). This is incorrect in the scenario of multiple
      interfaces.
      
      2) The databook does not mention doing more DEPXFERCFG for new endpoint
      on alt setting (8.1.6).
      
      The following simplified method is used instead:
      
      All hardware endpoints can be assigned a transfer resource and this
      setting will stay persistent until either a core reset or hibernation.
      So whenever we do a DEPSTARTCFG(0) we can go ahead and do DEPXFERCFG for
      every hardware endpoint as well. We are guaranteed that there are as
      many transfer resources as endpoints.
      
      This patch triggers off of the calling dwc3_gadget_start_config() for
      EP0-out, which always happens first, and which should only happen in one
      of the above conditions.
      
      Fixes: aebda618 ("usb: dwc3: Reset the transfer resource index on SET_INTERFACE")
      Cc: <stable@vger.kernel.org> # v3.2+
      Reported-by: default avatarRavi Babu <ravibabu@ti.com>
      Signed-off-by: default avatarJohn Youn <johnyoun@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      174bf25d
    • Hans Verkuil's avatar
      [media] adv7604: fix tx 5v detect regression · 39870068
      Hans Verkuil authored
      [ Upstream commit 0ba4581c ]
      
      The 5 volt detect functionality broke in 3.14: the code reads IO register 0x70
      again after it has already been cleared. Instead it should use the cached
      irq_reg_0x70 value and the io_write to 0x71 to clear 0x70 can be dropped since
      this has already been done.
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Cc: <stable@vger.kernel.org>      # for v3.14 and up
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      39870068
    • Konrad Rzeszutek Wilk's avatar
      xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted. · 39d8d5a0
      Konrad Rzeszutek Wilk authored
      [ Upstream commit 4d8c8bd6 ]
      
      Occasionaly PV guests would crash with:
      
      pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
      BUG: unable to handle kernel paging request at 0000000d1a8c0be0
      .. snip..
        <ffffffff8139ce1b>] find_next_bit+0xb/0x10
        [<ffffffff81387f22>] cpumask_next_and+0x22/0x40
        [<ffffffff813c1ef8>] pci_device_probe+0xb8/0x120
        [<ffffffff81529097>] ? driver_sysfs_add+0x77/0xa0
        [<ffffffff815293e4>] driver_probe_device+0x1a4/0x2d0
        [<ffffffff813c1ddd>] ? pci_match_device+0xdd/0x110
        [<ffffffff81529657>] __device_attach_driver+0xa7/0xb0
        [<ffffffff815295b0>] ? __driver_attach+0xa0/0xa0
        [<ffffffff81527622>] bus_for_each_drv+0x62/0x90
        [<ffffffff8152978d>] __device_attach+0xbd/0x110
        [<ffffffff815297fb>] device_attach+0xb/0x10
        [<ffffffff813b75ac>] pci_bus_add_device+0x3c/0x70
        [<ffffffff813b7618>] pci_bus_add_devices+0x38/0x80
        [<ffffffff813dc34e>] pcifront_scan_root+0x13e/0x1a0
        [<ffffffff817a0692>] pcifront_backend_changed+0x262/0x60b
        [<ffffffff814644c6>] ? xenbus_gather+0xd6/0x160
        [<ffffffff8120900f>] ? put_object+0x2f/0x50
        [<ffffffff81465c1d>] xenbus_otherend_changed+0x9d/0xa0
        [<ffffffff814678ee>] backend_changed+0xe/0x10
        [<ffffffff81463a28>] xenwatch_thread+0xc8/0x190
        [<ffffffff810f22f0>] ? woken_wake_function+0x10/0x10
      
      which was the result of two things:
      
      When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
      pointer which was an 'pcifront_sd' structure. However in the
      pci_device_add it expects that the 'sd' is 'struct sysdata' and
      sets the dev->node to what is in sd->node (offset 4):
      
      set_dev_node(&dev->dev, pcibus_to_node(bus));
      
       __pcibus_to_node(const struct pci_bus *bus)
      {
              const struct pci_sysdata *sd = bus->sysdata;
      
              return sd->node;
      }
      
      However our structure was pcifront_sd which had nothing at that
      offset:
      
      struct pcifront_sd {
              int                        domain;    /*     0     4 */
              /* XXX 4 bytes hole, try to pack */
              struct pcifront_device *   pdev;      /*     8     8 */
      }
      
      That is an hole - filled with garbage as we used kmalloc instead of
      kzalloc (the second problem).
      
      This patch fixes the issue by:
       1) Use kzalloc to initialize to a well known state.
       2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
          way access to the 'node' will access the right offset.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      39d8d5a0
    • Konrad Rzeszutek Wilk's avatar
      xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set. · 3d0ec7c0
      Konrad Rzeszutek Wilk authored
      [ Upstream commit 408fb0e5 ]
      
      commit f598282f ("PCI: Fix the NIU MSI-X problem in a better way")
      teaches us that dealing with MSI-X can be troublesome.
      
      Further checks in the MSI-X architecture shows that if the
      PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we
      may not be able to access the BAR (since they are memory regions).
      
      Since the MSI-X tables are located in there.. that can lead
      to us causing PCIe errors. Inhibit us performing any
      operation on the MSI-X unless the MEMORY bit is set.
      
      Note that Xen hypervisor with:
      "x86/MSI-X: access MSI-X table only after having enabled MSI-X"
      will return:
      xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3!
      
      When the generic MSI code tries to setup the PIRQ without
      MEMORY bit set. Which means with later versions of Xen
      (4.6) this patch is not neccessary.
      
      This is part of XSA-157
      
      CC: stable@vger.kernel.org
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      3d0ec7c0
    • Konrad Rzeszutek Wilk's avatar
      xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled · f4993f38
      Konrad Rzeszutek Wilk authored
      [ Upstream commit 5e0ce145 ]
      
      The guest sequence of:
      
        a) XEN_PCI_OP_enable_msix
        b) XEN_PCI_OP_enable_msix
      
      results in hitting an NULL pointer due to using freed pointers.
      
      The device passed in the guest MUST have MSI-X capability.
      
      The a) constructs and SysFS representation of MSI and MSI groups.
      The b) adds a second set of them but adding in to SysFS fails (duplicate entry).
      'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that
      in a) pdev->msi_irq_groups is still set) and also free's ALL of the
      MSI-X entries of the device (the ones allocated in step a) and b)).
      
      The unwind code: 'free_msi_irqs' deletes all the entries and tries to
      delete the pdev->msi_irq_groups (which hasn't been set to NULL).
      However the pointers in the SysFS are already freed and we hit an
      NULL pointer further on when 'strlen' is attempted on a freed pointer.
      
      The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard
      against that. The check for msi_enabled is not stricly neccessary.
      
      This is part of XSA-157
      
      CC: stable@vger.kernel.org
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f4993f38
    • Konrad Rzeszutek Wilk's avatar
      xen/pciback: Save xen_pci_op commands before processing it · c801e64a
      Konrad Rzeszutek Wilk authored
      [ Upstream commit 8135cf8b ]
      
      Double fetch vulnerabilities that happen when a variable is
      fetched twice from shared memory but a security check is only
      performed the first time.
      
      The xen_pcibk_do_op function performs a switch statements on the op->cmd
      value which is stored in shared memory. Interestingly this can result
      in a double fetch vulnerability depending on the performed compiler
      optimization.
      
      This patch fixes it by saving the xen_pci_op command before
      processing it. We also use 'barrier' to make sure that the
      compiler does not perform any optimization.
      
      This is part of XSA155.
      
      CC: stable@vger.kernel.org
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarJan Beulich <JBeulich@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c801e64a
    • Sasha Levin's avatar
      iwlwifi: mvm: don't allow sched scans without matches to be started · c1efb92f
      Sasha Levin authored
      [ Upstream commit 5e56276e ]
      
      The firmware can perform a scheduled scan with not matchsets passed,
      but it can't send notification that results were found.  Since the
      userspace then cannot know when we got new results and the firmware
      wouldn't trigger a wake in case we are sleeping, it's better not to
      allow scans without matchsets.
      
      This fixes https://bugzilla.kernel.org/show_bug.cgi?id=110831
      
      Cc: <stable@vger.kernel.org> [3.17+]
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      [SL: Backport to 4.1]
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c1efb92f
    • Arnd Bergmann's avatar
      libata: fix HDIO_GET_32BIT ioctl · 6e9c571a
      Arnd Bergmann authored
      [ Upstream commit 287e6611 ]
      
      As reported by Soohoon Lee, the HDIO_GET_32BIT ioctl does not
      work correctly in compat mode with libata.
      
      I have investigated the issue further and found multiple problems
      that all appeared with the same commit that originally introduced
      HDIO_GET_32BIT handling in libata back in linux-2.6.8 and presumably
      also linux-2.4, as the code uses "copy_to_user(arg, &val, 1)" to copy
      a 'long' variable containing either 0 or 1 to user space.
      
      The problems with this are:
      
      * On big-endian machines, this will always write a zero because it
        stores the wrong byte into user space.
      
      * In compat mode, the upper three bytes of the variable are updated
        by the compat_hdio_ioctl() function, but they now contain
        uninitialized stack data.
      
      * The hdparm tool calling this ioctl uses a 'static long' variable
        to store the result. This means at least the upper bytes are
        initialized to zero, but calling another ioctl like HDIO_GET_MULTCOUNT
        would fill them with data that remains stale when the low byte
        is overwritten. Fortunately libata doesn't implement any of the
        affected ioctl commands, so this would only happen when we query
        both an IDE and an ATA device in the same command such as
        "hdparm -N -c /dev/hda /dev/sda"
      
      * The libata code for unknown reasons started using ATA_IOC_GET_IO32
        and ATA_IOC_SET_IO32 as aliases for HDIO_GET_32BIT and HDIO_SET_32BIT,
        while the ioctl commands that were added later use the normal
        HDIO_* names. This is harmless but rather confusing.
      
      This addresses all four issues by changing the code to use put_user()
      on an 'unsigned long' variable in HDIO_GET_32BIT, like the IDE subsystem
      does, and by clarifying the names of the ioctl commands.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reported-by: default avatarSoohoon Lee <Soohoon.Lee@f5.com>
      Tested-by: default avatarSoohoon Lee <Soohoon.Lee@f5.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6e9c571a
    • Christoph Hellwig's avatar
      nfs: fix nfs_size_to_loff_t · 57c104f1
      Christoph Hellwig authored
      [ Upstream commit 50ab8ec7 ]
      
      See http: //www.infradead.org/rpr.html
      X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
      Content-Transfer-Encoding: 8bit
      Mime-Version: 1.0
      
      We support OFFSET_MAX just fine, so don't round down below it.  Also
      switch to using min_t to make the helper more readable.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Fixes: 433c9237 ("NFS: Clean up nfs_size_to_loff_t()")
      Cc: stable@vger.kernel.org # 2.6.23+
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      57c104f1
    • Juergen Gross's avatar
      xen/scsiback: correct frontend counting · e95f1916
      Juergen Gross authored
      [ Upstream commit f285aa8d ]
      
      When adding a new frontend to xen-scsiback don't decrement the number
      of active frontends in case of no error. Doing so results in a failure
      when trying to remove the xen-pvscsi nexus even if no domain is using
      it.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e95f1916
  3. 07 Mar, 2016 1 commit
  4. 06 Mar, 2016 7 commits
    • Nicholas Bellinger's avatar
      target: Fix race with SCF_SEND_DELAYED_TAS handling · 857b2493
      Nicholas Bellinger authored
      commit 310d3d31 upstream.
      
      This patch fixes a race between setting of SCF_SEND_DELAYED_TAS
      in transport_send_task_abort(), and check of the same bit in
      transport_check_aborted_status().
      
      It adds a __transport_check_aborted_status() version that is
      used by target_execute_cmd() when se_cmd->t_state_lock is
      held, and a transport_check_aborted_status() wrapper for
      all other existing callers.
      
      Also, it handles the case where the check happens before
      transport_send_task_abort() gets called.  For this, go
      ahead and set SCF_SEND_DELAYED_TAS early when necessary,
      and have transport_send_task_abort() send the abort.
      
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      857b2493
    • Nicholas Bellinger's avatar
      target: Fix remote-port TMR ABORT + se_cmd fabric stop · 2c1ae9df
      Nicholas Bellinger authored
      commit 0f4a9431 upstream.
      
      To address the bug where fabric driver level shutdown
      of se_cmd occurs at the same time when TMR CMD_T_ABORTED
      is happening resulting in a -1 ->cmd_kref, this patch
      adds a CMD_T_FABRIC_STOP bit that is used to determine
      when TMR + driver I_T nexus shutdown is happening
      concurrently.
      
      It changes target_sess_cmd_list_set_waiting() to obtain
      se_cmd->cmd_kref + set CMD_T_FABRIC_STOP, and drop local
      reference in target_wait_for_sess_cmds() and invoke extra
      target_put_sess_cmd() during Task Aborted Status (TAS)
      when necessary.
      
      Also, it adds a new target_wait_free_cmd() wrapper around
      transport_wait_for_tasks() for the special case within
      transport_generic_free_cmd() to set CMD_T_FABRIC_STOP,
      and is now aware of CMD_T_ABORTED + CMD_T_TAS status
      bits to know when an extra transport_put_cmd() during
      TAS is required.
      
      Note transport_generic_free_cmd() is expected to block on
      cmd->cmd_wait_comp in order to follow what iscsi-target
      expects during iscsi_conn context se_cmd shutdown.
      
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@daterainc.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2c1ae9df
    • Nicholas Bellinger's avatar
      target: Fix TAS handling for multi-session se_node_acls · 84f48a25
      Nicholas Bellinger authored
      commit ebde1ca5 upstream.
      
      This patch fixes a bug in TMR task aborted status (TAS)
      handling when multiple sessions are connected to the
      same target WWPN endpoint and se_node_acl descriptor,
      resulting in TASK_ABORTED status to not be generated
      for aborted se_cmds on the remote port.
      
      This is due to core_tmr_handle_tas_abort() incorrectly
      comparing se_node_acl instead of se_session, for which
      the multi-session case is expected to be sharing the
      same se_node_acl.
      
      Instead, go ahead and update core_tmr_handle_tas_abort()
      to compare tmr_sess + cmd->se_sess in order to determine
      if the LUN_RESET was received on a different I_T nexus,
      and TASK_ABORTED status response needs to be generated.
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      84f48a25
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active I/O handling for ACK_KREF · 61c88d64
      Nicholas Bellinger authored
      commit febe562c upstream.
      
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active se_cmd
      I/O, that can be triggered during se_cmd descriptor
      shutdown + release via core_tmr_drain_state_list() code.
      
      To address this bug, add common __target_check_io_state()
      helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
      checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
      both cases ahead of last target_put_sess_cmd() after
      TFO->aborted_task() -> transport_cmd_finish_abort()
      callback has completed.
      
      It also introduces SCF_ACK_KREF to determine when
      transport_cmd_finish_abort() needs to drop the second
      extra reference, ahead of calling target_put_sess_cmd()
      for the final kref_put(&se_cmd->cmd_kref).
      
      It also updates transport_cmd_check_stop() to avoid
      holding se_cmd->t_state_lock while dropping se_cmd
      device state via target_remove_from_state_list(), now
      that core_tmr_drain_state_list() is holding the
      se_device lock while checking se_cmd state from
      within TMR logic.
      
      Finally, move transport_put_cmd() release of SGL +
      TMR + extended CDB memory into target_free_cmd_mem()
      in order to avoid potential resource leaks in TMR
      ABORT_TASK + LUN_RESET code-paths.  Also update
      target_release_cmd_kref() accordingly.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      61c88d64
    • Jan Engelhardt's avatar
      target: fix COMPARE_AND_WRITE non zero SGL offset data corruption · f66800d3
      Jan Engelhardt authored
      [ Upstream commit d94e5a61 ]
      
      target_core_sbc's compare_and_write functionality suffers from taking
      data at the wrong memory location when writing a CAW request to disk
      when a SGL offset is non-zero.
      
      This can happen with loopback and vhost-scsi fabric drivers when
      SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC is used to map existing user-space
      SGL memory into COMPARE_AND_WRITE READ/WRITE payload buffers.
      
      Given the following sample LIO subtopology,
      
      % targetcli ls /loopback/
      o- loopback ................................. [1 Target]
        o- naa.6001405ebb8df14a ....... [naa.60014059143ed2b3]
          o- luns ................................... [2 LUNs]
            o- lun0 ................ [iblock/ram0 (/dev/ram0)]
            o- lun1 ................ [iblock/ram1 (/dev/ram1)]
      % lsscsi -g
      [3:0:1:0]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdc   /dev/sg3
      [3:0:1:1]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdd   /dev/sg4
      
      the following bug can be observed in Linux 4.3 and 4.4~rc1:
      
      % perl -e 'print chr$_ for 0..255,reverse 0..255' >rand
      % perl -e 'print "\0" x 512' >zero
      % cat rand >/dev/sdd
      % sg_compare_and_write -i rand -D zero --lba 0 /dev/sdd
      % sg_compare_and_write -i zero -D rand --lba 0 /dev/sdd
      Miscompare reported
      % hexdump -Cn 512 /dev/sdd
      00000000  0f 0e 0d 0c 0b 0a 09 08  07 06 05 04 03 02 01 00
      00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
      *
      00000200
      
      Rather than writing all-zeroes as instructed with the -D file, it
      corrupts the data in the sector by splicing some of the original
      bytes in. The page of the first entry of cmd->t_data_sg includes the
      CDB, and sg->offset is set to a position past the CDB. I presume that
      sg->offset is also the right choice to use for subsequent sglist
      members.
      Signed-off-by: default avatarJan Engelhardt <jengelh@netitwork.de>
      Tested-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f66800d3
    • Nicholas Bellinger's avatar
      target: Fix race for SCF_COMPARE_AND_WRITE_POST checking · 88343147
      Nicholas Bellinger authored
      [ Upstream commit 057085e5 ]
      
      This patch addresses a race + use after free where the first
      stage of COMPARE_AND_WRITE in compare_and_write_callback()
      is rescheduled after the backend sends the secondary WRITE,
      resulting in second stage compare_and_write_post() callback
      completing in target_complete_ok_work() before the first
      can return.
      
      Because current code depends on checking se_cmd->se_cmd_flags
      after return from se_cmd->transport_complete_callback(),
      this results in first stage having SCF_COMPARE_AND_WRITE_POST
      set, which incorrectly falls through into second stage CAW
      processing code, eventually triggering a NULL pointer
      dereference due to use after free.
      
      To address this bug, pass in a new *post_ret parameter into
      se_cmd->transport_complete_callback(), and depend upon this
      value instead of ->se_cmd_flags to determine when to return
      or fall through into ->queue_status() code for CAW.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      88343147
    • Nicholas Bellinger's avatar
      iscsi-target: Fix rx_login_comp hang after login failure · eebeb74b
      Nicholas Bellinger authored
      [ Upstream commit ca82c2bd ]
      
      This patch addresses a case where iscsi_target_do_tx_login_io()
      fails sending the last login response PDU, after the RX/TX
      threads have already been started.
      
      The case centers around iscsi_target_rx_thread() not invoking
      allow_signal(SIGINT) before the send_sig(SIGINT, ...) occurs
      from the failure path, resulting in RX thread hanging
      indefinately on iscsi_conn->rx_login_comp.
      
      Note this bug is a regression introduced by:
      
        commit e5419865
        Author: Nicholas Bellinger <nab@linux-iscsi.org>
        Date:   Wed Jul 22 23:14:19 2015 -0700
      
            iscsi-target: Fix iscsit_start_kthreads failure OOPs
      
      To address this bug, complete ->rx_login_complete for good
      measure in the failure path, and immediately return from
      RX thread context if connection state did not actually reach
      full feature phase (TARG_CONN_STATE_LOGGED_IN).
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: <stable@vger.kernel.org> # v3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      eebeb74b
  5. 04 Mar, 2016 7 commits