1. 19 Apr, 2018 33 commits
    • Szymon Janc's avatar
      Bluetooth: Fix connection if directed advertising and privacy is used · f58ef38e
      Szymon Janc authored
      commit 082f2300 upstream.
      
      Local random address needs to be updated before creating connection if
      RPA from LE Direct Advertising Report was resolved in host. Otherwise
      remote device might ignore connection request due to address mismatch.
      
      This was affecting following qualification test cases:
      GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C
      
      Before patch:
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6          #11350 [hci0] 84680.231216
              Address: 56:BC:E8:24:11:68 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                        #11351 [hci0] 84680.246022
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7         #11352 [hci0] 84680.246417
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                        #11353 [hci0] 84680.248854
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11354 [hci0] 84680.249466
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                        #11355 [hci0] 84680.253222
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                          #11356 [hci0] 84680.458387
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
              RSSI: -74 dBm (0xb6)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11357 [hci0] 84680.458737
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                        #11358 [hci0] 84680.469982
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25          #11359 [hci0] 84680.470444
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                          #11360 [hci0] 84680.474971
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0    #11361 [hci0] 84682.545385
      > HCI Event: Command Complete (0x0e) plen 4                        #11362 [hci0] 84682.551014
            LE Create Connection Cancel (0x08|0x000e) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                          #11363 [hci0] 84682.551074
            LE Connection Complete (0x01)
              Status: Unknown Connection Identifier (0x02)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Public (0x00)
              Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
              Connection interval: 0.00 msec (0x0000)
              Connection latency: 0 (0x0000)
              Supervision timeout: 0 msec (0x0000)
              Master clock accuracy: 0x00
      
      After patch:
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7    #210 [hci0] 667.152459
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                   #211 [hci0] 667.153613
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2        #212 [hci0] 667.153704
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                   #213 [hci0] 667.154584
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                     #214 [hci0] 667.182619
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
              RSSI: -70 dBm (0xba)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2       #215 [hci0] 667.182704
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                  #216 [hci0] 667.183599
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6    #217 [hci0] 667.183645
              Address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                  #218 [hci0] 667.184590
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25    #219 [hci0] 667.184613
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                    #220 [hci0] 667.186558
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                    #221 [hci0] 667.485824
            LE Connection Complete (0x01)
              Status: Success (0x00)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Master clock accuracy: 0x07
      @ MGMT Event: Device Connected (0x000b) plen 13          {0x0002} [hci0] 667.485996
              LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
              Flags: 0x00000000
              Data length: 0
      Signed-off-by: default avatarSzymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f58ef38e
    • Al Viro's avatar
      getname_kernel() needs to make sure that ->name != ->iname in long case · c3efeaa3
      Al Viro authored
      commit 30ce4d19 upstream.
      
      missed it in "kill struct filename.separate" several years ago.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3efeaa3
    • Michael S. Tsirkin's avatar
      get_user_pages_fast(): return -EFAULT on access_ok failure · adea72f0
      Michael S. Tsirkin authored
      commit c61611f7 upstream.
      
      get_user_pages_fast is supposed to be a faster drop-in equivalent of
      get_user_pages.  As such, callers expect it to return a negative return
      code when passed an invalid address, and never expect it to return 0
      when passed a positive number of pages, since its documentation says:
      
       * Returns number of pages pinned. This may be fewer than the number
       * requested. If nr_pages is 0 or negative, returns 0. If no pages
       * were pinned, returns -errno.
      
      When get_user_pages_fast fall back on get_user_pages this is exactly
      what happens.  Unfortunately the implementation is inconsistent: it
      returns 0 if passed a kernel address, confusing callers: for example,
      the following is pretty common but does not appear to do the right thing
      with a kernel address:
      
              ret = get_user_pages_fast(addr, 1, writeable, &page);
              if (ret < 0)
                      return ret;
      
      Change get_user_pages_fast to return -EFAULT when supplied a kernel
      address to make it match expectations.
      
      All callers have been audited for consistency with the documented
      semantics.
      
      Link: http://lkml.kernel.org/r/1522962072-182137-4-git-send-email-mst@redhat.com
      Fixes: 5b65c467 ("mm, x86/mm: Fix performance regression in get_user_pages_fast()")
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reported-by: syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Huang Ying <ying.huang@intel.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thorsten Leemhuis <regressions@leemhuis.info>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      adea72f0
    • Vasily Gorbik's avatar
      s390/ipl: ensure loadparm valid flag is set · 3da5723b
      Vasily Gorbik authored
      commit 15deb080 upstream.
      
      When loadparm is set in reipl parm block, the kernel should also set
      DIAG308_FLAGS_LP_VALID flag.
      
      This fixes loadparm ignoring during z/VM fcp -> ccw reipl and kvm direct
      boot -> ccw reipl.
      
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3da5723b
    • Julian Wiedmann's avatar
      s390/qdio: don't merge ERROR output buffers · c6c8e420
      Julian Wiedmann authored
      commit 0cf1e051 upstream.
      
      On an Output queue, both EMPTY and PENDING buffer states imply that the
      buffer is ready for completion-processing by the upper-layer drivers.
      
      So for a non-QEBSM Output queue, get_buf_states() merges mixed
      batches of PENDING and EMPTY buffers into one large batch of EMPTY
      buffers. The upper-layer driver (ie. qeth) later distuingishes PENDING
      from EMPTY by inspecting the slsb_state for
      QDIO_OUTBUF_STATE_FLAG_PENDING.
      
      But the merge logic in get_buf_states() contains a bug that causes us to
      erronously also merge ERROR buffers into such a batch of EMPTY buffers
      (ERROR is 0xaf, EMPTY is 0xa1; so ERROR & EMPTY == EMPTY).
      Effectively, most outbound ERROR buffers are currently discarded
      silently and processed as if they had succeeded.
      
      Note that this affects _all_ non-QEBSM device types, not just IQD with CQ.
      
      Fix it by explicitly spelling out the exact conditions for merging.
      
      For extracting the "get initial state" part out of the loop, this relies
      on the fact that get_buf_states() is never called with a count of 0. The
      QEBSM path already strictly requires this, and the two callers with
      variable 'count' make sure of it.
      
      Fixes: 104ea556 ("qdio: support asynchronous delivery of storage blocks")
      Cc: <stable@vger.kernel.org> #v3.2+
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Reviewed-by: default avatarUrsula Braun <ubraun@linux.vnet.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6c8e420
    • Julian Wiedmann's avatar
      s390/qdio: don't retry EQBS after CCQ 96 · b6366b15
      Julian Wiedmann authored
      commit dae55b6f upstream.
      
      Immediate retry of EQBS after CCQ 96 means that we potentially misreport
      the state of buffers inspected during the first EQBS call.
      
      This occurs when
      1. the first EQBS finds all inspected buffers still in the initial state
         set by the driver (ie INPUT EMPTY or OUTPUT PRIMED),
      2. the EQBS terminates early with CCQ 96, and
      3. by the time that the second EQBS comes around, the state of those
         previously inspected buffers has changed.
      
      If the state reported by the second EQBS is 'driver-owned', all we know
      is that the previous buffers are driver-owned now as well. But we can't
      tell if they all have the same state. So for instance
      - the second EQBS reports OUTPUT EMPTY, but any number of the previous
        buffers could be OUTPUT ERROR by now,
      - the second EQBS reports OUTPUT ERROR, but any number of the previous
        buffers could be OUTPUT EMPTY by now.
      
      Effectively, this can result in both over- and underreporting of errors.
      
      If the state reported by the second EQBS is 'HW-owned', that doesn't
      guarantee that the previous buffers have not been switched to
      driver-owned in the mean time. So for instance
      - the second EQBS reports INPUT EMPTY, but any number of the previous
        buffers could be INPUT PRIMED (or INPUT ERROR) by now.
      
      This would result in failure to process pending work on the queue. If
      it's the final check before yielding initiative, this can cause
      a (temporary) queue stall due to IRQ avoidance.
      
      Fixes: 25f269f1 ("[S390] qdio: EQBS retry after CCQ 96")
      Cc: <stable@vger.kernel.org> #v3.2+
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b6366b15
    • Dan Williams's avatar
      nfit: fix region registration vs block-data-window ranges · 3a6771e2
      Dan Williams authored
      commit 8d0d8ed3 upstream.
      
      Commit 1cf03c00 "nfit: scrub and register regions in a workqueue"
      mistakenly attempts to register a region per BLK aperture. There is
      nothing to register for individual apertures as they belong as a set to
      a BLK aperture group that are registered with a corresponding
      DIMM-control-region. Filter them for registration to prevent some
      needless devm_kzalloc() allocations.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 1cf03c00 ("nfit: scrub and register regions in a workqueue")
      Reviewed-by: default avatarDave Jiang <dave.jiang@intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a6771e2
    • Tetsuo Handa's avatar
      block/loop: fix deadlock after loop_set_status · 51a9580d
      Tetsuo Handa authored
      commit 1e047eaa upstream.
      
      syzbot is reporting deadlocks at __blkdev_get() [1].
      
      ----------------------------------------
      [   92.493919] systemd-udevd   D12696   525      1 0x00000000
      [   92.495891] Call Trace:
      [   92.501560]  schedule+0x23/0x80
      [   92.502923]  schedule_preempt_disabled+0x5/0x10
      [   92.504645]  __mutex_lock+0x416/0x9e0
      [   92.510760]  __blkdev_get+0x73/0x4f0
      [   92.512220]  blkdev_get+0x12e/0x390
      [   92.518151]  do_dentry_open+0x1c3/0x2f0
      [   92.519815]  path_openat+0x5d9/0xdc0
      [   92.521437]  do_filp_open+0x7d/0xf0
      [   92.527365]  do_sys_open+0x1b8/0x250
      [   92.528831]  do_syscall_64+0x6e/0x270
      [   92.530341]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      [   92.931922] 1 lock held by systemd-udevd/525:
      [   92.933642]  #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x73/0x4f0
      ----------------------------------------
      
      The reason of deadlock turned out that wait_event_interruptible() in
      blk_queue_enter() got stuck with bdev->bd_mutex held at __blkdev_put()
      due to q->mq_freeze_depth == 1.
      
      ----------------------------------------
      [   92.787172] a.out           S12584   634    633 0x80000002
      [   92.789120] Call Trace:
      [   92.796693]  schedule+0x23/0x80
      [   92.797994]  blk_queue_enter+0x3cb/0x540
      [   92.803272]  generic_make_request+0xf0/0x3d0
      [   92.807970]  submit_bio+0x67/0x130
      [   92.810928]  submit_bh_wbc+0x15e/0x190
      [   92.812461]  __block_write_full_page+0x218/0x460
      [   92.815792]  __writepage+0x11/0x50
      [   92.817209]  write_cache_pages+0x1ae/0x3d0
      [   92.825585]  generic_writepages+0x5a/0x90
      [   92.831865]  do_writepages+0x43/0xd0
      [   92.836972]  __filemap_fdatawrite_range+0xc1/0x100
      [   92.838788]  filemap_write_and_wait+0x24/0x70
      [   92.840491]  __blkdev_put+0x69/0x1e0
      [   92.841949]  blkdev_close+0x16/0x20
      [   92.843418]  __fput+0xda/0x1f0
      [   92.844740]  task_work_run+0x87/0xb0
      [   92.846215]  do_exit+0x2f5/0xba0
      [   92.850528]  do_group_exit+0x34/0xb0
      [   92.852018]  SyS_exit_group+0xb/0x10
      [   92.853449]  do_syscall_64+0x6e/0x270
      [   92.854944]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      [   92.943530] 1 lock held by a.out/634:
      [   92.945105]  #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x3c/0x1e0
      ----------------------------------------
      
      The reason of q->mq_freeze_depth == 1 turned out that loop_set_status()
      forgot to call blk_mq_unfreeze_queue() at error paths for
      info->lo_encrypt_type != NULL case.
      
      ----------------------------------------
      [   37.509497] CPU: 2 PID: 634 Comm: a.out Tainted: G        W        4.16.0+ #457
      [   37.513608] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
      [   37.518832] RIP: 0010:blk_freeze_queue_start+0x17/0x40
      [   37.521778] RSP: 0018:ffffb0c2013e7c60 EFLAGS: 00010246
      [   37.524078] RAX: 0000000000000000 RBX: ffff8b07b1519798 RCX: 0000000000000000
      [   37.527015] RDX: 0000000000000002 RSI: ffffb0c2013e7cc0 RDI: ffff8b07b1519798
      [   37.529934] RBP: ffffb0c2013e7cc0 R08: 0000000000000008 R09: 47a189966239b898
      [   37.532684] R10: dad78b99b278552f R11: 9332dca72259d5ef R12: ffff8b07acd73678
      [   37.535452] R13: 0000000000004c04 R14: 0000000000000000 R15: ffff8b07b841e940
      [   37.538186] FS:  00007fede33b9740(0000) GS:ffff8b07b8e80000(0000) knlGS:0000000000000000
      [   37.541168] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   37.543590] CR2: 00000000206fdf18 CR3: 0000000130b30006 CR4: 00000000000606e0
      [   37.546410] Call Trace:
      [   37.547902]  blk_freeze_queue+0x9/0x30
      [   37.549968]  loop_set_status+0x67/0x3c0 [loop]
      [   37.549975]  loop_set_status64+0x3b/0x70 [loop]
      [   37.549986]  lo_ioctl+0x223/0x810 [loop]
      [   37.549995]  blkdev_ioctl+0x572/0x980
      [   37.550003]  block_ioctl+0x34/0x40
      [   37.550006]  do_vfs_ioctl+0xa7/0x6d0
      [   37.550017]  ksys_ioctl+0x6b/0x80
      [   37.573076]  SyS_ioctl+0x5/0x10
      [   37.574831]  do_syscall_64+0x6e/0x270
      [   37.576769]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
      ----------------------------------------
      
      [1] https://syzkaller.appspot.com/bug?id=cd662bc3f6022c0979d01a262c318fab2ee9b56fSigned-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <bot+48594378e9851eab70bcd6f99327c7db58c5a28a@syzkaller.appspotmail.com>
      Fixes: ecdd0959 ("block/loop: fix race between I/O and set_status")
      Cc: Ming Lei <tom.leiming@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: stable <stable@vger.kernel.org>
      Cc: Jens Axboe <axboe@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      51a9580d
    • John Johansen's avatar
      apparmor: fix resource audit messages when auditing peer · 54b990ed
      John Johansen authored
      commit b5beb07a upstream.
      
      Resource auditing is using the peer field which is not available
      when the rlim data struct is used, because it is a different element
      of the same union. Accessing peer during resource auditing could
      cause garbage log entries or even oops the kernel.
      
      Move the rlim data block into the same struct as the peer field
      so they can be used together.
      
      CC: <stable@vger.kernel.org>
      Fixes: 86b92cb7 ("apparmor: move resource checks to using labels")
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54b990ed
    • John Johansen's avatar
      apparmor: fix display of .ns_name for containers · a0358f60
      John Johansen authored
      commit 040d9e2b upstream.
      
      The .ns_name should not be virtualized by the current ns view. It
      needs to report the ns base name as that is being used during startup
      as part of determining apparmor policy namespace support.
      
      BugLink: http://bugs.launchpad.net/bugs/1746463
      Fixes: d9f02d9c ("apparmor: fix display of ns name")
      Cc: Stable <stable@vger.kernel.org>
      Reported-by: default avatarSerge Hallyn <serge@hallyn.com>
      Tested-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0358f60
    • John Johansen's avatar
      apparmor: fix logging of the existence test for signals · 1d0d8beb
      John Johansen authored
      commit 98cf5bbf upstream.
      
      The existence test is not being properly logged as the signal mapping
      maps it to the last entry in the named signal table. This is done
      to help catch bugs by making the 0 mapped signal value invalid so
      that we can catch the signal value not being filled in.
      
      When fixing the off-by-one comparision logic the reporting of the
      existence test was broken, because the logic behind the mapped named
      table was hidden. Fix this by adding a define for the name lookup
      and using it.
      
      Cc: Stable <stable@vger.kernel.org>
      Fixes: f7dc4c9a ("apparmor: fix off-by-one comparison on MAXMAPPED_SIG")
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d0d8beb
    • Bill Kuzeja's avatar
      scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure · b18daa09
      Bill Kuzeja authored
      commit 6d634067 upstream.
      
      The code that fixes the crashes in the following commit introduced a small
      memory leak:
      
      commit 6a2cf8d3 ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure")
      
      Fixing this requires a bit of reworking, which I've explained. Also provide
      some code cleanup.
      
      There is a small window in qla2x00_probe_one where if qla2x00_alloc_queues
      fails, we end up never freeing req and rsp and leak 0xc0 and 0xc8 bytes
      respectively (the sizes of req and rsp).
      
      I originally put in checks to test for this condition which were based on
      the incorrect assumption that if ha->rsp_q_map and ha->req_q_map were
      allocated, then rsp and req were allocated as well. This is incorrect.
      There is a window between these allocations:
      
             ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp);
                      goto probe_hw_failed;
      
      [if successful, both rsp and req allocated]
      
             base_vha = qla2x00_create_host(sht, ha);
                      goto probe_hw_failed;
      
             ret = qla2x00_request_irqs(ha, rsp);
                      goto probe_failed;
      
             if (qla2x00_alloc_queues(ha, req, rsp)) {
                      goto probe_failed;
      
      [if successful, now ha->rsp_q_map and ha->req_q_map allocated]
      
      To simplify this, we should just set req and rsp to NULL after we free
      them. Sounds simple enough? The problem is that req and rsp are pointers
      defined in the qla2x00_probe_one and they are not always passed by reference
      to the routines that free them.
      
      Here are paths which can free req and rsp:
      
      PATH 1:
      qla2x00_probe_one
         ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp);
         [req and rsp are passed by reference, but if this fails, we currently
          do not NULL out req and rsp. Easily fixed]
      
      PATH 2:
      qla2x00_probe_one
         failing in qla2x00_request_irqs or qla2x00_alloc_queues
            probe_failed:
               qla2x00_free_device(base_vha);
                  qla2x00_free_req_que(ha, req)
                  qla2x00_free_rsp_que(ha, rsp)
      
      PATH 3:
      qla2x00_probe_one:
         failing in qla2x00_mem_alloc or qla2x00_create_host
            probe_hw_failed:
               qla2x00_free_req_que(ha, req)
               qla2x00_free_rsp_que(ha, rsp)
      
      PATH 1: This should currently work, but it doesn't because rsp and rsp are
      not set to NULL in qla2x00_mem_alloc. Easily remedied.
      
      PATH 2: req and rsp aren't passed in at all to qla2x00_free_device but are
      derived from ha->req_q_map[0] and ha->rsp_q_map[0]. These are only set up if
      qla2x00_alloc_queues succeeds.
      
      In qla2x00_free_queues, we are protected from crashing if these don't exist
      because req_qid_map and rsp_qid_map are only set on their allocation. We are
      guarded in this way:
      
              for (cnt = 0; cnt < ha->max_req_queues; cnt++) {
                      if (!test_bit(cnt, ha->req_qid_map))
                              continue;
      
      PATH 3: This works. We haven't freed req or rsp yet (or they were never
      allocated if qla2x00_mem_alloc failed), so we'll attempt to free them here.
      
      To summarize, there are a few small changes to make this work correctly and
      (and for some cleanup):
      
      1) (For PATH 1) Set *rsp and *req to NULL in case of failure in
      qla2x00_mem_alloc so these are correctly set to NULL back in
      qla2x00_probe_one
      
      2) After jumping to probe_failed: and calling qla2x00_free_device,
      explicitly set rsp and req to NULL so further calls with these pointers do
      not crash, i.e. the free queue calls in the probe_hw_failed section we fall
      through to.
      
      3) Fix return code check in the call to qla2x00_alloc_queues. We currently
      drop the return code on the floor. The probe fails but the caller of the
      probe doesn't have an error code, so it attaches to pci. This can result in
      a crash on module shutdown.
      
      4) Remove unnecessary NULL checks in qla2x00_free_req_que,
      qla2x00_free_rsp_que, and the egregious NULL checks before kfrees and vfrees
      in qla2x00_mem_free.
      
      I tested this out running a scenario where the card breaks at various times
      during initialization. I made sure I forced every error exit path in
      qla2x00_probe_one.
      
      Cc: <stable@vger.kernel.org> # v4.16
      Fixes: 6a2cf8d3 ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure")
      Signed-off-by: default avatarBill Kuzeja <william.kuzeja@stratus.com>
      Acked-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b18daa09
    • Yazen Ghannam's avatar
      x86/MCE/AMD: Define a function to get SMCA bank type · 0ed20e4b
      Yazen Ghannam authored
      commit 11cf8877 upstream.
      
      Scalable MCA systems have various types of banks. The bank's type
      can determine how we handle errors from it. For example, if a bank
      represents a UMC (Unified Memory Controller) then we will need to
      convert its address from a normalized address to a system physical
      address before handling the error.
      
      [ bp: Verify m->bank is within range and use bank pointer. ]
      Signed-off-by: default avatarYazen Ghannam <yazen.ghannam@amd.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20171207203955.118171-1-Yazen.Ghannam@amd.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ed20e4b
    • Arnd Bergmann's avatar
      radeon: hide pointless #warning when compile testing · 8e52e2f4
      Arnd Bergmann authored
      commit c02216ac upstream.
      
      In randconfig testing, we sometimes get this warning:
      
      drivers/gpu/drm/radeon/radeon_object.c: In function 'radeon_bo_create':
      drivers/gpu/drm/radeon/radeon_object.c:242:2: error: #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance thanks to write-combining [-Werror=cpp]
       #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \
      
      This is rather annoying since almost all other code produces no build-time
      output unless we have found a real bug. We already fixed this in the
      amdgpu driver in commit 31bb90f1 ("drm/amdgpu: shut up #warning for
      compile testing") by adding a CONFIG_COMPILE_TEST check last year and
      agreed to do the same here, but both Michel and I then forgot about it
      until I came across the issue again now.
      
      For stable kernels, as this is one of very few remaining randconfig
      warnings in 4.14.
      
      Cc: stable@vger.kernel.org
      Link: https://patchwork.kernel.org/patch/9550009/Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e52e2f4
    • Prashant Bhole's avatar
      perf/core: Fix use-after-free in uprobe_perf_close() · 6f22be4b
      Prashant Bhole authored
      commit 621b6d2e upstream.
      
      A use-after-free bug was caught by KASAN while running usdt related
      code (BCC project. bcc/tests/python/test_usdt2.py):
      
      	==================================================================
      	BUG: KASAN: use-after-free in uprobe_perf_close+0x222/0x3b0
      	Read of size 4 at addr ffff880384f9b4a4 by task test_usdt2.py/870
      
      	CPU: 4 PID: 870 Comm: test_usdt2.py Tainted: G        W         4.16.0-next-20180409 #215
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      	Call Trace:
      	 dump_stack+0xc7/0x15b
      	 ? show_regs_print_info+0x5/0x5
      	 ? printk+0x9c/0xc3
      	 ? kmsg_dump_rewind_nolock+0x6e/0x6e
      	 ? uprobe_perf_close+0x222/0x3b0
      	 print_address_description+0x83/0x3a0
      	 ? uprobe_perf_close+0x222/0x3b0
      	 kasan_report+0x1dd/0x460
      	 ? uprobe_perf_close+0x222/0x3b0
      	 uprobe_perf_close+0x222/0x3b0
      	 ? probes_open+0x180/0x180
      	 ? free_filters_list+0x290/0x290
      	 trace_uprobe_register+0x1bb/0x500
      	 ? perf_event_attach_bpf_prog+0x310/0x310
      	 ? probe_event_disable+0x4e0/0x4e0
      	 perf_uprobe_destroy+0x63/0xd0
      	 _free_event+0x2bc/0xbd0
      	 ? lockdep_rcu_suspicious+0x100/0x100
      	 ? ring_buffer_attach+0x550/0x550
      	 ? kvm_sched_clock_read+0x1a/0x30
      	 ? perf_event_release_kernel+0x3e4/0xc00
      	 ? __mutex_unlock_slowpath+0x12e/0x540
      	 ? wait_for_completion+0x430/0x430
      	 ? lock_downgrade+0x3c0/0x3c0
      	 ? lock_release+0x980/0x980
      	 ? do_raw_spin_trylock+0x118/0x150
      	 ? do_raw_spin_unlock+0x121/0x210
      	 ? do_raw_spin_trylock+0x150/0x150
      	 perf_event_release_kernel+0x5d4/0xc00
      	 ? put_event+0x30/0x30
      	 ? fsnotify+0xd2d/0xea0
      	 ? sched_clock_cpu+0x18/0x1a0
      	 ? __fsnotify_update_child_dentry_flags.part.0+0x1b0/0x1b0
      	 ? pvclock_clocksource_read+0x152/0x2b0
      	 ? pvclock_read_flags+0x80/0x80
      	 ? kvm_sched_clock_read+0x1a/0x30
      	 ? sched_clock_cpu+0x18/0x1a0
      	 ? pvclock_clocksource_read+0x152/0x2b0
      	 ? locks_remove_file+0xec/0x470
      	 ? pvclock_read_flags+0x80/0x80
      	 ? fcntl_setlk+0x880/0x880
      	 ? ima_file_free+0x8d/0x390
      	 ? lockdep_rcu_suspicious+0x100/0x100
      	 ? ima_file_check+0x110/0x110
      	 ? fsnotify+0xea0/0xea0
      	 ? kvm_sched_clock_read+0x1a/0x30
      	 ? rcu_note_context_switch+0x600/0x600
      	 perf_release+0x21/0x40
      	 __fput+0x264/0x620
      	 ? fput+0xf0/0xf0
      	 ? do_raw_spin_unlock+0x121/0x210
      	 ? do_raw_spin_trylock+0x150/0x150
      	 ? SyS_fchdir+0x100/0x100
      	 ? fsnotify+0xea0/0xea0
      	 task_work_run+0x14b/0x1e0
      	 ? task_work_cancel+0x1c0/0x1c0
      	 ? copy_fd_bitmaps+0x150/0x150
      	 ? vfs_read+0xe5/0x260
      	 exit_to_usermode_loop+0x17b/0x1b0
      	 ? trace_event_raw_event_sys_exit+0x1a0/0x1a0
      	 do_syscall_64+0x3f6/0x490
      	 ? syscall_return_slowpath+0x2c0/0x2c0
      	 ? lockdep_sys_exit+0x1f/0xaa
      	 ? syscall_return_slowpath+0x1a3/0x2c0
      	 ? lockdep_sys_exit+0x1f/0xaa
      	 ? prepare_exit_to_usermode+0x11c/0x1e0
      	 ? enter_from_user_mode+0x30/0x30
      	random: crng init done
      	 ? __put_user_4+0x1c/0x30
      	 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      	RIP: 0033:0x7f41d95f9340
      	RSP: 002b:00007fffe71e4268 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
      	RAX: 0000000000000000 RBX: 000000000000000d RCX: 00007f41d95f9340
      	RDX: 0000000000000000 RSI: 0000000000002401 RDI: 000000000000000d
      	RBP: 0000000000000000 R08: 00007f41ca8ff700 R09: 00007f41d996dd1f
      	R10: 00007fffe71e41e0 R11: 0000000000000246 R12: 00007fffe71e4330
      	R13: 0000000000000000 R14: fffffffffffffffc R15: 00007fffe71e4290
      
      	Allocated by task 870:
      	 kasan_kmalloc+0xa0/0xd0
      	 kmem_cache_alloc_node+0x11a/0x430
      	 copy_process.part.19+0x11a0/0x41c0
      	 _do_fork+0x1be/0xa20
      	 do_syscall_64+0x198/0x490
      	 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      	Freed by task 0:
      	 __kasan_slab_free+0x12e/0x180
      	 kmem_cache_free+0x102/0x4d0
      	 free_task+0xfe/0x160
      	 __put_task_struct+0x189/0x290
      	 delayed_put_task_struct+0x119/0x250
      	 rcu_process_callbacks+0xa6c/0x1b60
      	 __do_softirq+0x238/0x7ae
      
      	The buggy address belongs to the object at ffff880384f9b480
      	 which belongs to the cache task_struct of size 12928
      
      It occurs because task_struct is freed before perf_event which refers
      to the task and task flags are checked while teardown of the event.
      perf_event_alloc() assigns task_struct to hw.target of perf_event,
      but there is no reference counting for it.
      
      As a fix we get_task_struct() in perf_event_alloc() at above mentioned
      assignment and put_task_struct() in _free_event().
      Signed-off-by: default avatarPrashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
      Reviewed-by: default avatarOleg Nesterov <oleg@redhat.com>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <stable@kernel.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 63b6da39 ("perf: Fix perf_event_exit_task() race")
      Link: http://lkml.kernel.org/r/20180409100346.6416-1-bhole_prashant_q7@lab.ntt.co.jpSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f22be4b
    • Adrian Hunter's avatar
      perf intel-pt: Fix timestamp following overflow · 674e18de
      Adrian Hunter authored
      commit 91d29b28 upstream.
      
      timestamp_insn_cnt is used to estimate the timestamp based on the number of
      instructions since the last known timestamp.
      
      If the estimate is not accurate enough decoding might not be correctly
      synchronized with side-band events causing more trace errors.
      
      However there are always timestamps following an overflow, so the
      estimate is not needed and can indeed result in more errors.
      
      Suppress the estimate by setting timestamp_insn_cnt to zero.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1520431349-30689-5-git-send-email-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      674e18de
    • Adrian Hunter's avatar
      perf intel-pt: Fix error recovery from missing TIP packet · 4039579f
      Adrian Hunter authored
      commit 1c196a6c upstream.
      
      When a TIP packet is expected but there is a different packet, it is an
      error. However the unexpected packet might be something important like a
      TSC packet, so after the error, it is necessary to continue from there,
      rather than the next packet. That is achieved by setting pkt_step to
      zero.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1520431349-30689-4-git-send-email-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4039579f
    • Adrian Hunter's avatar
      perf intel-pt: Fix sync_switch · 0733facf
      Adrian Hunter authored
      commit 63d8e38f upstream.
      
      sync_switch is a facility to synchronize decoding more closely with the
      point in the kernel when the context actually switched.
      
      The flag when sync_switch is enabled was global to the decoding, whereas
      it is really specific to the CPU.
      
      The trace data for different CPUs is put on different queues, so add
      sync_switch to the intel_pt_queue structure and use that in preference
      to the global setting in the intel_pt structure.
      
      That fixes problems decoding one CPU's trace because sync_switch was
      disabled on a different CPU's queue.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1520431349-30689-3-git-send-email-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0733facf
    • Adrian Hunter's avatar
      perf intel-pt: Fix overlap detection to identify consecutive buffers correctly · ff295906
      Adrian Hunter authored
      commit 117db4b2 upstream.
      
      Overlap detection was not not updating the buffer's 'consecutive' flag.
      Marking buffers consecutive has the advantage that decoding begins from
      the start of the buffer instead of the first PSB. Fix overlap detection
      to identify consecutive buffers correctly.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1520431349-30689-2-git-send-email-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff295906
    • Nicholas Piggin's avatar
      KVM: PPC: Book3S HV: trace_tlbie must not be called in realmode · 42b53a13
      Nicholas Piggin authored
      commit 19ce7909 upstream.
      
      This crashes with a "Bad real address for load" attempting to load
      from the vmalloc region in realmode (faulting address is in DAR).
      
        Oops: Bad interrupt in KVM entry/exit code, sig: 6 [#1]
        LE SMP NR_CPUS=2048 NUMA PowerNV
        CPU: 53 PID: 6582 Comm: qemu-system-ppc Not tainted 4.16.0-01530-g43d1859f0994
        NIP:  c0000000000155ac LR: c0000000000c2430 CTR: c000000000015580
        REGS: c000000fff76dd80 TRAP: 0200   Not tainted  (4.16.0-01530-g43d1859f0994)
        MSR:  9000000000201003 <SF,HV,ME,RI,LE>  CR: 48082222  XER: 00000000
        CFAR: 0000000102900ef0 DAR: d00017fffd941a28 DSISR: 00000040 SOFTE: 3
        NIP [c0000000000155ac] perf_trace_tlbie+0x2c/0x1a0
        LR [c0000000000c2430] do_tlbies+0x230/0x2f0
      
      I suspect the reason is the per-cpu data is not in the linear chunk.
      This could be restored if that was able to be fixed, but for now,
      just remove the tracepoints.
      
      Fixes: 0428491c ("powerpc/mm: Trace tlbie(l) instructions")
      Cc: stable@vger.kernel.org # v4.13+
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42b53a13
    • Dexuan Cui's avatar
      PCI: hv: Serialize the present and eject work items · 5661d43b
      Dexuan Cui authored
      commit 021ad274 upstream.
      
      When we hot-remove the device, we first receive a PCI_EJECT message and
      then receive a PCI_BUS_RELATIONS message with bus_rel->device_count == 0.
      
      The first message is offloaded to hv_eject_device_work(), and the second
      is offloaded to pci_devices_present_work(). Both the paths can be running
      list_del(&hpdev->list_entry), causing general protection fault, because
      system_wq can run them concurrently.
      
      The patch eliminates the race condition.
      
      Since access to present/eject work items is serialized, we do not need the
      hbus->enum_sem anymore, so remove it.
      
      Fixes: 4daace0d ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
      Link: https://lkml.kernel.org/r/KL1P15301MB00064DA6B4D221123B5241CFBFD70@KL1P15301MB0006.APCP153.PROD.OUTLOOK.COMTested-by: default avatarAdrian Suhov <v-adsuho@microsoft.com>
      Tested-by: default avatarChris Valean <v-chvale@microsoft.com>
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      [lorenzo.pieralisi@arm.com: squashed semaphore removal patch]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Reviewed-by: default avatarMichael Kelley <mikelley@microsoft.com>
      Acked-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Cc: <stable@vger.kernel.org> # v4.6+
      Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
      Cc: Jack Morgenstein <jackm@mellanox.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: K. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5661d43b
    • Dexuan Cui's avatar
      Drivers: hv: vmbus: do not mark HV_PCIE as perf_device · a160105b
      Dexuan Cui authored
      commit 238064f1 upstream.
      
      The pci-hyperv driver's channel callback hv_pci_onchannelcallback() is not
      really a hot path, so we don't need to mark it as a perf_device, meaning
      with this patch all HV_PCIE channels' target_cpu will be CPU0.
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Cc: stable@vger.kernel.org
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a160105b
    • Helge Deller's avatar
      parisc: Fix HPMC handler by increasing size to multiple of 16 bytes · abd9fd4a
      Helge Deller authored
      commit d5654e15 upstream.
      
      Make sure that the HPMC (High Priority Machine Check) handler is 16-byte
      aligned and that it's length in the IVT is a multiple of 16 bytes.
      Otherwise PDC may decide not to call the HPMC crash handler.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      abd9fd4a
    • Helge Deller's avatar
      parisc: Fix out of array access in match_pci_device() · 08be2c1b
      Helge Deller authored
      commit 615b2665 upstream.
      
      As found by the ubsan checker, the value of the 'index' variable can be
      out of range for the bc[] array:
      
      UBSAN: Undefined behaviour in arch/parisc/kernel/drivers.c:655:21
      index 6 is out of range for type 'char [6]'
      Backtrace:
       [<104fa850>] __ubsan_handle_out_of_bounds+0x68/0x80
       [<1019d83c>] check_parent+0xc0/0x170
       [<1019d91c>] descend_children+0x30/0x6c
       [<1059e164>] device_for_each_child+0x60/0x98
       [<1019cd54>] parse_tree_node+0x40/0x54
       [<1019d86c>] check_parent+0xf0/0x170
       [<1019d91c>] descend_children+0x30/0x6c
       [<1059e164>] device_for_each_child+0x60/0x98
       [<1019d938>] descend_children+0x4c/0x6c
       [<1059e164>] device_for_each_child+0x60/0x98
       [<1019cd54>] parse_tree_node+0x40/0x54
       [<1019cffc>] hwpath_to_device+0xa4/0xc4
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08be2c1b
    • Kieran Bingham's avatar
      media: v4l: vsp1: Fix header display list status check in continuous mode · 4d167edf
      Kieran Bingham authored
      commit 613928e8 upstream.
      
      To allow dual pipelines utilising two WPF entities when available, the
      VSP was updated to support header-mode display list in continuous
      pipelines.
      
      A small bug in the status check of the command register causes the
      second pipeline to be directly afflicted by the running of the first;
      appearing as a perceived performance issue with stuttering display.
      
      Fix the vsp1_dl_list_hw_update_pending() call to ensure that the read
      comparison corresponds to the correct pipeline.
      
      Fixes: eaf4bfad ("v4l: vsp1: Add support for header display lists in continuous mode")
      
      Cc: "Stable v4.14+" <stable@vger.kernel.org>
      Signed-off-by: default avatarKieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d167edf
    • Mauro Carvalho Chehab's avatar
      media: v4l2-compat-ioctl32: don't oops on overlay · e7a4d7c2
      Mauro Carvalho Chehab authored
      commit 85ea29f1 upstream.
      
      At put_v4l2_window32(), it tries to access kp->clips. However,
      kp points to an userspace pointer. So, it should be obtained
      via get_user(), otherwise it can OOPS:
      
       vivid-000: ==================  END STATUS  ==================
       BUG: unable to handle kernel paging request at 00000000fffb18e0
       IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
       PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
       Oops: 0001 [#1] SMP
       Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
       CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107
       Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
       task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
       RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
       RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
       RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
       RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
       R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
       R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
       FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
       CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
       CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
       Stack:
        00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
        ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
        ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
       Call Trace:
        [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
        [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
        [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
        [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
       Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
       RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
       RSP <ffff8803f5643e28>
       CR2: 00000000fffb18e0
      
      Tested with vivid driver on Kernel v3.18.102.
      
      Same bug happens upstream too:
      
       BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
       Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713
      
       CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108
       Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
       Call Trace:
        dump_stack+0x5c/0x7c
        kasan_report+0x164/0x380
        ? __put_v4l2_format32+0x98/0x4d0 [videodev]
        __put_v4l2_format32+0x98/0x4d0 [videodev]
        v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
        ? __fsnotify_inode_delete+0x20/0x20
        ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
        compat_SyS_ioctl+0x646/0x14d0
        ? do_ioctl+0x30/0x30
        do_fast_syscall_32+0x191/0x3f4
        entry_SYSENTER_compat+0x6b/0x7a
       ==================================================================
       Disabling lock debugging due to kernel taint
       BUG: unable to handle kernel paging request at 00000000ffe48400
       IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
       PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
       Oops: 0001 [#1] SMP KASAN
       Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
        drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
       CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ #108
       Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
       RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
       RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
       RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
       RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
       RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
       R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
       R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
       FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
       CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
       CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
       Call Trace:
        v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
        ? __fsnotify_inode_delete+0x20/0x20
        ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
        compat_SyS_ioctl+0x646/0x14d0
        ? do_ioctl+0x30/0x30
        do_fast_syscall_32+0x191/0x3f4
        entry_SYSENTER_compat+0x6b/0x7a
       Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
       RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
       CR2: 00000000ffe48400
      
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Reviewed-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Reviewed-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7a4d7c2
    • Phil Elwell's avatar
      lan78xx: Correctly indicate invalid OTP · c0e0cd65
      Phil Elwell authored
      
      [ Upstream commit 4bfc3380 ]
      
      lan78xx_read_otp tries to return -EINVAL in the event of invalid OTP
      content, but the value gets overwritten before it is returned and the
      read goes ahead anyway. Make the read conditional as it should be
      and preserve the error code.
      
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
      Signed-off-by: default avatarPhil Elwell <phil@raspberrypi.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0e0cd65
    • Eric Auger's avatar
      vhost: Fix vhost_copy_to_user() · 2ea541eb
      Eric Auger authored
      
      [ Upstream commit 7ced6c98 ]
      
      vhost_copy_to_user is used to copy vring used elements to userspace.
      We should use VHOST_ADDR_USED instead of VHOST_ADDR_DESC.
      
      Fixes: f8894913 ("vhost: introduce O(1) vq metadata cache")
      Signed-off-by: default avatarEric Auger <eric.auger@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ea541eb
    • Stefan Hajnoczi's avatar
      vhost: fix vhost_vq_access_ok() log check · e240ffd5
      Stefan Hajnoczi authored
      
      [ Upstream commit d14d2b78 ]
      
      Commit d65026c6 ("vhost: validate log
      when IOTLB is enabled") introduced a regression.  The logic was
      originally:
      
        if (vq->iotlb)
            return 1;
        return A && B;
      
      After the patch the short-circuit logic for A was inverted:
      
        if (A || vq->iotlb)
            return A;
        return B;
      
      This patch fixes the regression by rewriting the checks in the obvious
      way, no longer returning A when vq->iotlb is non-NULL (which is hard to
      understand).
      
      Reported-by: syzbot+65a84dde0214b0387ccd@syzkaller.appspotmail.com
      Cc: Jason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e240ffd5
    • Tejaswi Tanikella's avatar
      slip: Check if rstate is initialized before uncompressing · 381ebff2
      Tejaswi Tanikella authored
      
      [ Upstream commit 3f01ddb9 ]
      
      On receiving a packet the state index points to the rstate which must be
      used to fill up IP and TCP headers. But if the state index points to a
      rstate which is unitialized, i.e. filled with zeros, it gets stuck in an
      infinite loop inside ip_fast_csum trying to compute the ip checsum of a
      header with zero length.
      
      89.666953:   <2> [<ffffff9dd3e94d38>] slhc_uncompress+0x464/0x468
      89.666965:   <2> [<ffffff9dd3e87d88>] ppp_receive_nonmp_frame+0x3b4/0x65c
      89.666978:   <2> [<ffffff9dd3e89dd4>] ppp_receive_frame+0x64/0x7e0
      89.666991:   <2> [<ffffff9dd3e8a708>] ppp_input+0x104/0x198
      89.667005:   <2> [<ffffff9dd3e93868>] pppopns_recv_core+0x238/0x370
      89.667027:   <2> [<ffffff9dd4428fc8>] __sk_receive_skb+0xdc/0x250
      89.667040:   <2> [<ffffff9dd3e939e4>] pppopns_recv+0x44/0x60
      89.667053:   <2> [<ffffff9dd4426848>] __sock_queue_rcv_skb+0x16c/0x24c
      89.667065:   <2> [<ffffff9dd4426954>] sock_queue_rcv_skb+0x2c/0x38
      89.667085:   <2> [<ffffff9dd44f7358>] raw_rcv+0x124/0x154
      89.667098:   <2> [<ffffff9dd44f7568>] raw_local_deliver+0x1e0/0x22c
      89.667117:   <2> [<ffffff9dd44c8ba0>] ip_local_deliver_finish+0x70/0x24c
      89.667131:   <2> [<ffffff9dd44c92f4>] ip_local_deliver+0x100/0x10c
      
      ./scripts/faddr2line vmlinux slhc_uncompress+0x464/0x468 output:
       ip_fast_csum at arch/arm64/include/asm/checksum.h:40
       (inlined by) slhc_uncompress at drivers/net/slip/slhc.c:615
      
      Adding a variable to indicate if the current rstate is initialized. If
      such a packet arrives, move to toss state.
      Signed-off-by: default avatarTejaswi Tanikella <tejaswit@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      381ebff2
    • Ka-Cheong Poon's avatar
      rds: MP-RDS may use an invalid c_path · 427b8a14
      Ka-Cheong Poon authored
      
      [ Upstream commit a43cced9 ]
      
      rds_sendmsg() calls rds_send_mprds_hash() to find a c_path to use to
      send a message.  Suppose the RDS connection is not yet up.  In
      rds_send_mprds_hash(), it does
      
      	if (conn->c_npaths == 0)
      		wait_event_interruptible(conn->c_hs_waitq,
      					 (conn->c_npaths != 0));
      
      If it is interrupted before the connection is set up,
      rds_send_mprds_hash() will return a non-zero hash value.  Hence
      rds_sendmsg() will use a non-zero c_path to send the message.  But if
      the RDS connection ends up to be non-MP capable, the message will be
      lost as only the zero c_path can be used.
      Signed-off-by: default avatarKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      427b8a14
    • Bassem Boubaker's avatar
      cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN · 856d5d07
      Bassem Boubaker authored
      
      [ Upstream commit 53765341 ]
      
      The Cinterion AHS8 is a 3G device with one embedded WWAN interface
      using cdc_ether as a driver.
      
      The modem is controlled via AT commands through the exposed TTYs.
      
      AT+CGDCONT write command can be used to activate or deactivate a WWAN
      connection for a PDP context defined with the same command. UE
      supports one WWAN adapter.
      Signed-off-by: default avatarBassem Boubaker <bassem.boubaker@actia.fr>
      Acked-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      856d5d07
    • Jozsef Kadlecsik's avatar
      netfilter: ipset: Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit() · 073e8270
      Jozsef Kadlecsik authored
      commit f998b6b1 upstream.
      
      Patch "netfilter: ipset: use nfnl_mutex_is_locked" is added the real
      mutex locking check, which revealed the missing locking in ip_set_net_exit().
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Reported-by: syzbot+36b06f219f2439fe62e1@syzkaller.appspotmail.com
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      073e8270
  2. 12 Apr, 2018 7 commits