1. 02 Dec, 2016 37 commits
    • Suganath Prabu S's avatar
      scsi: mpt3sas: Unblock device after controller reset · f81c9001
      Suganath Prabu S authored
      commit 7ff723ad upstream.
      
      While issuing any ATA passthrough command to firmware the driver will
      block the device. But it will unblock the device only if the I/O
      completes through the ISR path. If a controller reset occurs before
      command completion the device will remain in blocked state.
      
      Make sure we unblock the device following a controller reset if an ATA
      passthrough command was queued.
      
      [mkp: clarified patch description]
      
      Fixes: ac6c2a93bd07 ("mpt3sas: Fix for SATA drive in blocked state, after diag reset")
      Signed-off-by: default avatarSuganath Prabu S <suganath-prabu.subramani@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f81c9001
    • Eric Dumazet's avatar
      flow_dissect: call init_default_flow_dissectors() earlier · 3de3eebb
      Eric Dumazet authored
      commit c9b8af13 upstream.
      
      Andre Noll reported panics after my recent fix (commit 34fad54c
      "net: __skb_flow_dissect() must cap its return value")
      
      After some more headaches, Alexander root caused the problem to
      init_default_flow_dissectors() being called too late, in case
      a network driver like IGB is not a module and receives DHCP message
      very early.
      
      Fix is to call init_default_flow_dissectors() much earlier,
      as it is a core infrastructure and does not depend on another
      kernel service.
      
      Fixes: 06635a35 ("flow_dissect: use programable dissector in skb_flow_dissect and friends")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndre Noll <maan@tuebingen.mpg.de>
      Diagnosed-by: default avatarAlexander Duyck <alexander.h.duyck@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3de3eebb
    • Michal Hocko's avatar
      mm, oom: stop pre-mature high-order OOM killer invocations · 7838fbe2
      Michal Hocko authored
      31e49bfd ("mm, oom: protect !costly allocations some more for
      !CONFIG_COMPACTION") was an attempt to reduce chances of pre-mature OOM
      killer invocation for high order requests. It seemed to work for most
      users just fine but it is far from bullet proof and obviously not
      sufficient for Marc who has reported pre-mature OOM killer invocations
      with 4.8 based kernels. 4.9 will all the compaction improvements seems
      to be behaving much better but that would be too intrusive to backport
      to 4.8 stable kernels. Instead this patch simply never declares OOM for
      !costly high order requests. We rely on order-0 requests to do that in
      case we are really out of memory. Order-0 requests are much more common
      and so a risk of a livelock without any way forward is highly unlikely.
      Reported-by: default avatarMarc MERLIN <marc@merlins.org>
      Tested-by: default avatarMarc MERLIN <marc@merlins.org>
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      7838fbe2
    • Oliver Hartkopp's avatar
      can: bcm: fix support for CAN FD frames · 374ff835
      Oliver Hartkopp authored
      commit 5499a6b2 upstream.
      
      Since commit 6f3b911d ("can: bcm: add support for CAN FD frames") the
      CAN broadcast manager supports CAN and CAN FD data frames.
      
      As these data frames are embedded in struct can[fd]_frames which have a
      different length the access to the provided array of CAN frames became
      dependend of op->cfsiz. By using a struct canfd_frame pointer for the array of
      CAN frames the new offset calculation based on op->cfsiz was accidently applied
      to CAN FD frame element lengths.
      
      This fix makes the pointer to the arrays of the different CAN frame types a
      void pointer so that the offset calculation in bytes accesses the correct CAN
      frame elements.
      
      Reference: http://marc.info/?l=linux-netdev&m=147980658909653Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      374ff835
    • Oliver O'Halloran's avatar
      powerpc/boot: Fix the early OPAL console wrappers · 7ed8d94b
      Oliver O'Halloran authored
      commit a1ff5741 upstream.
      
      When configured with CONFIG_PPC_EARLY_DEBUG_OPAL=y the kernel expects
      the OPAL entry and base addresses to be passed in r8 and r9
      respectively. Currently the wrapper does not attempt to restore these
      values before entering the decompressed kernel which causes the kernel
      to branch into whatever happens to be in r9 when doing a write to the
      OPAL console in early boot.
      
      This patch adds a platform_ops hook that can be used to branch into the
      new kernel. The OPAL console driver patches this at runtime so that if
      the console is used it will be restored just prior to entering the
      kernel.
      
      Fixes: 656ad58e ("powerpc/boot: Add OPAL console to epapr wrappers")
      Signed-off-by: default avatarOliver O'Halloran <oohall@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ed8d94b
    • Aneesh Kumar K.V's avatar
      powerpc/mm: Fixup kernel read only mapping · 7cbe9568
      Aneesh Kumar K.V authored
      commit 984d7a1e upstream.
      
      With commit e58e87ad ("powerpc/mm: Update _PAGE_KERNEL_RO") we
      started using the ppp value 0b110 to map kernel readonly. But that
      facility was only added as part of ISA 2.04. For earlier ISA version
      only supported ppp bit value for readonly mapping is 0b011. (This
      implies both user and kernel get mapped using the same ppp bit value for
      readonly mapping.).
      Update the code such that for earlier architecture version we use ppp
      value 0b011 for readonly mapping. We don't differentiate between power5+
      and power5 here and apply the new ppp bits only from power6 (ISA 2.05).
      This keep the changes minimal.
      
      This fixes issue with PS3 spu usage reported at
      https://lkml.kernel.org/r/rep.1421449714.geoff@infradead.org
      
      Fixes: e58e87ad ("powerpc/mm: Update _PAGE_KERNEL_RO")
      Tested-by: default avatarGeoff Levand <geoff@infradead.org>
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cbe9568
    • Benjamin Herrenschmidt's avatar
      powerpc: Set missing wakeup bit in LPCR on POWER9 · 30988ea3
      Benjamin Herrenschmidt authored
      commit 7a43906f upstream.
      
      There is a new bit, LPCR_PECE_HVEE (Hypervisor Virtualization Exit
      Enable), which controls wakeup from STOP states on Hypervisor
      Virtualization Interrupts (which happen to also be all external
      interrupts in host or bare metal mode).
      
      It needs to be set or we will miss wakeups.
      
      Fixes: 9baaef0a ("powerpc/irq: Add support for HV virtualization interrupts")
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [mpe: Rename it to HVEE to match the name in the ISA]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30988ea3
    • Dan Williams's avatar
      device-dax: fail all private mapping attempts · 8d248df4
      Dan Williams authored
      commit 4cb19355 upstream.
      
      The device-dax implementation originally tried to be tricky and allow
      private read-only mappings, but in the process allowed writable
      MAP_PRIVATE + MAP_NORESERVE mappings.  For simplicity and predictability
      just fail all private mapping attempts since device-dax memory is
      statically allocated and will never support overcommit.
      
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Fixes: dee41079 ("/dev/dax, core: file operations and dax-mmap")
      Reported-by: default avatarPawel Lebioda <pawel.lebioda@intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d248df4
    • Dan Williams's avatar
      device-dax: check devm_nsio_enable() return value · f87a4831
      Dan Williams authored
      commit 6a84fb4b upstream.
      
      If the dax_pmem driver is passed a resource that is already busy the
      driver probe attempt should fail with a message like the following:
      
        dax_pmem dax0.1: could not reserve region [mem 0x100000000-0x11fffffff]
      
      However, if we do not catch the error we crash for the obvious reason of
      accessing memory that is not mapped.
      
       BUG: unable to handle kernel paging request at ffffc90020001000
       IP: [<ffffffff81496712>] __memcpy+0x12/0x20
       [..]
       Call Trace:
        [<ffffffff815c4960>] ? nsio_rw_bytes+0x60/0x180
        [<ffffffff815c6045>] nd_pfn_validate+0x75/0x320
        [<ffffffff815c63a9>] nvdimm_setup_pfn+0xb9/0x5d0
        [<ffffffff815c48ef>] ? devm_nsio_enable+0xff/0x110
        [<ffffffff815cb699>] dax_pmem_probe+0x59/0x260
      
      Fixes: ab68f262 ("/dev/dax, pmem: direct access to persistent memory")
      Reported-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f87a4831
    • Takashi Iwai's avatar
      xc2028: Fix use-after-free bug properly · 5b08489e
      Takashi Iwai authored
      commit 22a1e778 upstream.
      
      The commit 8dfbcc43 ("[media] xc2028: avoid use after free") tried
      to address the reported use-after-free by clearing the reference.
      
      However, it's clearing the wrong pointer; it sets NULL to
      priv->ctrl.fname, but it's anyway overwritten by the next line
      memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
      
      OTOH, the actual code accessing the freed string is the strcmp() call
      with priv->fname:
      	if (!firmware_name[0] && p->fname &&
      	    priv->fname && strcmp(p->fname, priv->fname))
      		free_firmware(priv);
      
      where priv->fname points to the previous file name, and this was
      already freed by kfree().
      
      For fixing the bug properly, this patch does the following:
      
      - Keep the copy of firmware file name in only priv->fname,
        priv->ctrl.fname isn't changed;
      - The allocation is done only when the firmware gets loaded;
      - The kfree() is called in free_firmware() commonly
      
      Fixes: commit 8dfbcc43 ('[media] xc2028: avoid use after free')
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b08489e
    • Andrey Ryabinin's avatar
      X.509: Fix double free in x509_cert_parse() [ver #3] · 9030deb2
      Andrey Ryabinin authored
      commit 2b95fda2 upstream.
      
      We shouldn't free cert->pub->key in x509_cert_parse() because
      x509_free_certificate() also does this:
      	BUG: Double free or freeing an invalid pointer
      	...
      	Call Trace:
      	 [<ffffffff81896c20>] dump_stack+0x63/0x83
      	 [<ffffffff81356571>] kasan_object_err+0x21/0x70
      	 [<ffffffff81356ed9>] kasan_report_double_free+0x49/0x60
      	 [<ffffffff813561ad>] kasan_slab_free+0x9d/0xc0
      	 [<ffffffff81350b7a>] kfree+0x8a/0x1a0
      	 [<ffffffff81844fbf>] public_key_free+0x1f/0x30
      	 [<ffffffff818455d4>] x509_free_certificate+0x24/0x90
      	 [<ffffffff818460bc>] x509_cert_parse+0x2bc/0x300
      	 [<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
      	 [<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
      	 [<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
      	 [<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
      	 [<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad
      	Object at ffff880110bd1900, in cache kmalloc-512 size: 512
      	....
      	Freed:
      	PID = 2579
      	[<ffffffff8104283b>] save_stack_trace+0x1b/0x20
      	[<ffffffff813558f6>] save_stack+0x46/0xd0
      	[<ffffffff81356183>] kasan_slab_free+0x73/0xc0
      	[<ffffffff81350b7a>] kfree+0x8a/0x1a0
      	[<ffffffff818460a3>] x509_cert_parse+0x2a3/0x300
      	[<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
      	[<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
      	[<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
      	[<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
      	[<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad
      
      Fixes: db6c43bd ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9030deb2
    • Andrey Ryabinin's avatar
      mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] · 0257b7e2
      Andrey Ryabinin authored
      commit f5527fff upstream.
      
      This fixes CVE-2016-8650.
      
      If mpi_powm() is given a zero exponent, it wants to immediately return
      either 1 or 0, depending on the modulus.  However, if the result was
      initalised with zero limb space, no limbs space is allocated and a
      NULL-pointer exception ensues.
      
      Fix this by allocating a minimal amount of limb space for the result when
      the 0-exponent case when the result is 1 and not touching the limb space
      when the result is 0.
      
      This affects the use of RSA keys and X.509 certificates that carry them.
      
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
      PGD 0
      Oops: 0002 [#1] SMP
      Modules linked in:
      CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
      Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
      task: ffff8804011944c0 task.stack: ffff880401294000
      RIP: 0010:[<ffffffff8138ce5d>]  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
      RSP: 0018:ffff880401297ad8  EFLAGS: 00010212
      RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
      RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
      RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
      R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
      FS:  00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
      Stack:
       ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
       0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
       ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
      Call Trace:
       [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
       [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
       [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
       [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
       [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
       [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
       [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
       [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
       [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
       [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
       [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
       [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
       [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
       [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
       [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
       [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
      Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
      RIP  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
       RSP <ffff880401297ad8>
      CR2: 0000000000000000
      ---[ end trace d82015255d4a5d8d ]---
      
      Basically, this is a backport of a libgcrypt patch:
      
      	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
      
      Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)")
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
      cc: linux-ima-devel@lists.sourceforge.net
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0257b7e2
    • Michael Walle's avatar
      mmc: sdhci-of-esdhc: fixup PRESENT_STATE read · bdab996a
      Michael Walle authored
      commit b0921d5c upstream.
      
      Since commit 87a18a6a ("mmc: mmc: Use ->card_busy() to detect busy
      cards in __mmc_switch()") the ESDHC driver is broken:
        mmc0: Card stuck in programming state! __mmc_switch
        mmc0: error -110 whilst initialising MMC card
      
      Since this commit __mmc_switch() uses ->card_busy(), which is
      sdhci_card_busy() for the esdhc driver. sdhci_card_busy() uses the
      PRESENT_STATE register, specifically the DAT0 signal level bit. But the
      ESDHC uses a non-conformant PRESENT_STATE register, thus a read fixup is
      required to make the driver work again.
      Signed-off-by: default avatarMichael Walle <michael@walle.cc>
      Fixes: 87a18a6a ("mmc: mmc: Use ->card_busy() to detect busy cards in __mmc_switch()")
      Acked-by: default avatarYangbo Lu <yangbo.lu@nxp.com>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bdab996a
    • John David Anglin's avatar
      parisc: Also flush data TLB in flush_icache_page_asm · 0a80bef1
      John David Anglin authored
      commit 5035b230 upstream.
      
      This is the second issue I noticed in reviewing the parisc TLB code.
      
      The fic instruction may use either the instruction or data TLB in
      flushing the instruction cache.  Thus, on machines with a split TLB, we
      should also flush the data TLB after setting up the temporary alias
      registers.
      
      Although this has no functional impact, I changed the pdtlb and pitlb
      instructions to consistently use the index register %r0.  These
      instructions do not support integer displacements.
      
      Tested on rp3440 and c8000.
      Signed-off-by: default avatarJohn David Anglin  <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a80bef1
    • John David Anglin's avatar
      parisc: Fix race in pci-dma.c · 09e35a83
      John David Anglin authored
      commit c0452fb9 upstream.
      
      We are still troubled by occasional random segmentation faults and
      memory memory corruption on SMP machines.  The causes quite a few
      package builds to fail on the Debian buildd machines for parisc.  When
      gcc-6 failed to build three times in a row, I looked again at the TLB
      related code.  I found a couple of issues.  This is the first.
      
      In general, we need to ensure page table updates and corresponding TLB
      purges are atomic.  The attached patch fixes an instance in pci-dma.c
      where the page table update was not guarded by the TLB lock.
      
      Tested on rp3440 and c8000.  So far, no further random segmentation
      faults have been observed.
      Signed-off-by: default avatarJohn David Anglin  <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09e35a83
    • Helge Deller's avatar
      parisc: Switch to generic sched_clock implementation · 3cb2bc6f
      Helge Deller authored
      commit 43b1f6ab upstream.
      
      Drop the open-coded sched_clock() function and replace it by the provided
      GENERIC_SCHED_CLOCK implementation.  We have seen quite some hung tasks in the
      past, which seem to be fixed by this patch.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cb2bc6f
    • John David Anglin's avatar
      parisc: Fix races in parisc_setup_cache_timing() · 113b60ef
      John David Anglin authored
      commit 741dc7bf upstream.
      
      Helge reported to me the following startup crash:
      
      [    0.000000] Linux version 4.8.0-1-parisc64-smp (debian-kernel@lists.debian.org) (gcc version 5.4.1 20161019 (GCC) ) #1 SMP Debian 4.8.7-1 (2016-11-13)
      [    0.000000] The 64-bit Kernel has started...
      [    0.000000] Kernel default page size is 4 KB. Huge pages enabled with 1 MB physical and 2 MB virtual size.
      [    0.000000] Determining PDC firmware type: System Map.
      [    0.000000] model 9000/785/J5000
      [    0.000000] Total Memory: 2048 MB
      [    0.000000] Memory: 2018528K/2097152K available (9272K kernel code, 3053K rwdata, 1319K rodata, 1024K init, 840K bss, 78624K reserved, 0K cma-reserved)
      [    0.000000] virtual kernel memory layout:
      [    0.000000]     vmalloc : 0x0000000000008000 - 0x000000003f000000   (1007 MB)
      [    0.000000]     memory  : 0x0000000040000000 - 0x00000000c0000000   (2048 MB)
      [    0.000000]       .init : 0x0000000040100000 - 0x0000000040200000   (1024 kB)
      [    0.000000]       .data : 0x0000000040b0e000 - 0x0000000040f533e0   (4372 kB)
      [    0.000000]       .text : 0x0000000040200000 - 0x0000000040b0e000   (9272 kB)
      [    0.768910] Brought up 1 CPUs
      [    0.992465] NET: Registered protocol family 16
      [    2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000
      [    2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online
      [    2.726692] Setting cache flush threshold to 1024 kB
      [    2.729932] Not-handled unaligned insn 0x43ffff80
      [    2.798114] Setting TLB flush threshold to 140 kB
      [    2.928039] Unaligned handler failed, ret = -1
      [    3.000419]       _______________________________
      [    3.000419]      < Your System ate a SPARC! Gah! >
      [    3.000419]       -------------------------------
      [    3.000419]              \   ^__^
      [    3.000419]                  (__)\       )\/\
      [    3.000419]                   U  ||----w |
      [    3.000419]                      ||     ||
      [    9.340055] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1
      [    9.448082] task: 00000000bfd48060 task.stack: 00000000bfd50000
      [    9.528040]
      [   10.760029] IASQ: 0000000000000000 0000000000000000 IAOQ: 000000004025d154 000000004025d158
      [   10.868052]  IIR: 43ffff80    ISR: 0000000000340000  IOR: 000001ff54150960
      [   10.960029]  CPU:        1   CR30: 00000000bfd50000 CR31: 0000000011111111
      [   11.052057]  ORIG_R28: 000000004021e3b4
      [   11.100045]  IAOQ[0]: irq_exit+0x94/0x120
      [   11.152062]  IAOQ[1]: irq_exit+0x98/0x120
      [   11.208031]  RP(r2): irq_exit+0xb8/0x120
      [   11.256074] Backtrace:
      [   11.288067]  [<00000000402cd944>] cpu_startup_entry+0x1e4/0x598
      [   11.368058]  [<0000000040109528>] smp_callin+0x2c0/0x2f0
      [   11.436308]  [<00000000402b53fc>] update_curr+0x18c/0x2d0
      [   11.508055]  [<00000000402b73b8>] dequeue_entity+0x2c0/0x1030
      [   11.584040]  [<00000000402b3cc0>] set_next_entity+0x80/0xd30
      [   11.660069]  [<00000000402c1594>] pick_next_task_fair+0x614/0x720
      [   11.740085]  [<000000004020dd34>] __schedule+0x394/0xa60
      [   11.808054]  [<000000004020e488>] schedule+0x88/0x118
      [   11.876039]  [<0000000040283d3c>] rescuer_thread+0x4d4/0x5b0
      [   11.948090]  [<000000004028fc4c>] kthread+0x1ec/0x248
      [   12.016053]  [<0000000040205020>] end_fault_vector+0x20/0xc0
      [   12.092239]  [<00000000402050c0>] _switch_to_ret+0x0/0xf40
      [   12.164044]
      [   12.184036] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1
      [   12.244040] Backtrace:
      [   12.244040]  [<000000004021c480>] show_stack+0x68/0x80
      [   12.244040]  [<00000000406f332c>] dump_stack+0xec/0x168
      [   12.244040]  [<000000004021c74c>] die_if_kernel+0x25c/0x430
      [   12.244040]  [<000000004022d320>] handle_unaligned+0xb48/0xb50
      [   12.244040]
      [   12.632066] ---[ end trace 9ca05a7215c7bbb2 ]---
      [   12.692036] Kernel panic - not syncing: Attempted to kill the idle task!
      
      We have the insn 0x43ffff80 in IIR but from IAOQ we should have:
         4025d150:   0f f3 20 df     ldd,s r19(r31),r31
         4025d154:   0f 9f 00 9c     ldw r31(ret0),ret0
         4025d158:   bf 80 20 58     cmpb,*<> r0,ret0,4025d18c <irq_exit+0xcc>
      
      Cpu0 has just completed running parisc_setup_cache_timing:
      
      [    2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000
      [    2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online
      [    2.726692] Setting cache flush threshold to 1024 kB
      [    2.729932] Not-handled unaligned insn 0x43ffff80
      [    2.798114] Setting TLB flush threshold to 140 kB
      [    2.928039] Unaligned handler failed, ret = -1
      
      From the backtrace, cpu1 is in smp_callin:
      
      void __init smp_callin(void)
      {
             int slave_id = cpu_now_booting;
      
             smp_cpu_init(slave_id);
             preempt_disable();
      
             flush_cache_all_local(); /* start with known state */
             flush_tlb_all_local(NULL);
      
             local_irq_enable();  /* Interrupts have been off until now */
      
             cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
      
      So, it has just flushed its caches and the TLB. It would seem either the
      flushes in parisc_setup_cache_timing or smp_callin have corrupted kernel
      memory.
      
      The attached patch reworks parisc_setup_cache_timing to remove the races
      in setting the cache and TLB flush thresholds. It also corrects the
      number of bytes flushed in the TLB calculation.
      
      The patch flushes the cache and TLB on cpu0 before starting the
      secondary processors so that they are started from a known state.
      
      Tested with a few reboots on c8000.
      Signed-off-by: default avatarJohn David Anglin  <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      113b60ef
    • Jacob Pan's avatar
      thermal/powerclamp: add back module device table · b2f64572
      Jacob Pan authored
      commit ec638db8 upstream.
      
      Commit 3105f234 replaced module
      cpu id table with a cpu feature check, which is logically correct.
      But we need the module device table to allow module auto loading.
      
      Fixes:3105f234 thermal/powerclamp: correct cpu support check
      Signed-off-by: default avatarJacob Pan <jacob.jun.pan@linux.intel.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2f64572
    • Peter Zijlstra's avatar
      perf/x86/intel: Cure bogus unwind from PEBS entries · 6dfe1643
      Peter Zijlstra authored
      commit b8000586 upstream.
      
      Vince Weaver reported that perf_fuzzer + KASAN detects that PEBS event
      unwinds sometimes do 'weird' things. In particular, we seemed to be
      ending up unwinding from random places on the NMI stack.
      
      While it was somewhat expected that the event record BP,SP would not
      match the interrupt BP,SP in that the interrupt is strictly later than
      the record event, it was overlooked that it could be on an already
      overwritten stack.
      
      Therefore, don't copy the recorded BP,SP over the interrupted BP,SP
      when we need stack unwinds.
      
      Note that its still possible the unwind doesn't full match the actual
      event, as its entirely possible to have done an (I)RET between record
      and interrupt, but on average it should still point in the general
      direction of where the event came from. Also, it's the best we can do,
      considering.
      
      The particular scenario that triggered the bogus NMI stack unwind was
      a PEBS event with very short period, upon enabling the event at the
      tail of the PMI handler (FREEZE_ON_PMI is not used), it instantly
      triggers a record (while still on the NMI stack) which in turn
      triggers the next PMI. This then causes back-to-back NMIs and we'll
      try and unwind the stack-frame from the last NMI, which obviously is
      now overwritten by our own.
      Analyzed-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Reported-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@gmail.com>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: davej@codemonkey.org.uk <davej@codemonkey.org.uk>
      Cc: dvyukov@google.com <dvyukov@google.com>
      Fixes: ca037701 ("perf, x86: Add PEBS infrastructure")
      Link: http://lkml.kernel.org/r/20161117171731.GV3157@twins.programming.kicks-ass.netSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6dfe1643
    • Alexander Shishkin's avatar
      perf/core: Fix address filter parser · 403f47dd
      Alexander Shishkin authored
      commit e96271f3 upstream.
      
      The token table passed into match_token() must be null-terminated, which
      it currently is not in the perf's address filter string parser, as caught
      by Vince's perf_fuzzer and KASAN.
      
      It doesn't blow up otherwise because of the alignment padding of the table
      to the next element in the .rodata, which is luck.
      
      Fixing by adding a null-terminator to the token table.
      Reported-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Tested-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: dvyukov@google.com
      Fixes: 375637bc ("perf/core: Introduce address range filtering")
      Link: http://lkml.kernel.org/r/877f81f264.fsf@ashishki-desk.ger.corp.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      403f47dd
    • Andy Lutomirski's avatar
      x86/traps: Ignore high word of regs->cs in early_fixup_exception() · c5795c5f
      Andy Lutomirski authored
      commit fc0e81b2 upstream.
      
      On the 80486 DX, it seems that some exceptions may leave garbage in
      the high bits of CS.  This causes sporadic failures in which
      early_fixup_exception() refuses to fix up an exception.
      
      As far as I can tell, this has been buggy for a long time, but the
      problem seems to have been exacerbated by commits:
      
        1e02ce4c ("x86: Store a per-cpu shadow copy of CR4")
        e1bfc11c ("x86/init: Fix cr4_init_shadow() on CR4-less machines")
      
      This appears to have broken for as long as we've had early
      exception handling.
      
      [ Note to stable maintainers: This patch is needed all the way back to 3.4,
        but it will only apply to 4.6 and up, as it depends on commit:
      
          0e861fbb ("x86/head: Move early exception panic code into early_fixup_exception()")
      
        If you want to backport to kernels before 4.6, please don't backport the
        prerequisites (there was a big chain of them that rewrote a lot of the
        early exception machinery); instead, ask me and I can send you a one-liner
        that will apply. ]
      Reported-by: default avatarMatthew Whitehead <tedheadster@gmail.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 4c5023a3 ("x86-32: Handle exception table entries during early boot")
      Link: http://lkml.kernel.org/r/cb32c69920e58a1a58e7b5cad975038a69c0ce7d.1479609510.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5795c5f
    • Yu-cheng Yu's avatar
      x86/fpu: Fix invalid FPU ptrace state after execve() · 885bad1e
      Yu-cheng Yu authored
      commit b22cbe40 upstream.
      
      Robert O'Callahan reported that after an execve PTRACE_GETREGSET
      NT_X86_XSTATE continues to return the pre-exec register values
      until the exec'ed task modifies FPU state.
      
      The test code is at:
      
        https://bugzilla.redhat.com/attachment.cgi?id=1164286.
      
      What is happening is fpu__clear() does not properly clear fpstate.
      Fix it by doing just that.
      Reported-by: default avatarRobert O'Callahan <robert@ocallahan.org>
      Signed-off-by: default avatarYu-cheng Yu <yu-cheng.yu@intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: David Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ravi V. Shankar <ravi.v.shankar@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1479402695-6553-1-git-send-email-yu-cheng.yu@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      885bad1e
    • Arnd Bergmann's avatar
      NFSv4.x: hide array-bounds warning · 1a42cd56
      Arnd Bergmann authored
      commit d55b352b upstream.
      
      A correct bugfix introduced a harmless warning that shows up with gcc-7:
      
      fs/nfs/callback.c: In function 'nfs_callback_up':
      fs/nfs/callback.c:214:14: error: array subscript is outside array bounds [-Werror=array-bounds]
      
      What happens here is that the 'minorversion == 0' check tells the
      compiler that we assume minorversion can be something other than 0,
      but when CONFIG_NFS_V4_1 is disabled that would be invalid and
      result in an out-of-bounds access.
      
      The added check for IS_ENABLED(CONFIG_NFS_V4_1) tells gcc that this
      really can't happen, which makes the code slightly smaller and also
      avoids the warning.
      
      The bugfix that introduced the warning is marked for stable backports,
      we want this one backported to the same releases.
      
      Fixes: 98b0f80c ("NFSv4.x: Fix a refcount leak in nfs_callback_up_net")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a42cd56
    • John Johansen's avatar
      apparmor: fix change_hat not finding hat after policy replacement · 154c665b
      John Johansen authored
      commit 3d40658c upstream.
      
      After a policy replacement, the task cred may be out of date and need
      to be updated. However change_hat is using the stale profiles from
      the out of date cred resulting in either: a stale profile being applied
      or, incorrect failure when searching for a hat profile as it has been
      migrated to the new parent profile.
      
      Fixes: 01e2b670 (failure to find hat)
      Fixes: 898127c3 (stale policy being applied)
      Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      154c665b
    • Johannes Berg's avatar
      cfg80211: limit scan results cache size · 9c15a985
      Johannes Berg authored
      commit 9853a55e upstream.
      
      It's possible to make scanning consume almost arbitrary amounts
      of memory, e.g. by sending beacon frames with random BSSIDs at
      high rates while somebody is scanning.
      
      Limit the number of BSS table entries we're willing to cache to
      1000, limiting maximum memory usage to maybe 4-5MB, but lower
      in practice - that would be the case for having both full-sized
      beacon and probe response frames for each entry; this seems not
      possible in practice, so a limit of 1000 entries will likely be
      closer to 0.5 MB.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9c15a985
    • Chris Metcalf's avatar
      tile: avoid using clocksource_cyc2ns with absolute cycle count · f204d21e
      Chris Metcalf authored
      commit e658a6f1 upstream.
      
      For large values of "mult" and long uptimes, the intermediate
      result of "cycles * mult" can overflow 64 bits.  For example,
      the tile platform calls clocksource_cyc2ns with a 1.2 GHz clock;
      we have mult = 853, and after 208.5 days, we overflow 64 bits.
      
      Since clocksource_cyc2ns() is intended to be used for relative
      cycle counts, not absolute cycle counts, performance is more
      importance than accepting a wider range of cycle values.  So,
      just use mult_frac() directly in tile's sched_clock().
      
      Commit 4cecf6d4 ("sched, x86: Avoid unnecessary overflow
      in sched_clock") by Salman Qazi results in essentially the same
      generated code for x86 as this change does for tile.  In fact,
      a follow-on change by Salman introduced mult_frac() and switched
      to using it, so the C code was largely identical at that point too.
      
      Peter Zijlstra then added mul_u64_u32_shr() and switched x86
      to use it.  This is, in principle, better; by optimizing the
      64x64->64 multiplies to be 32x32->64 multiplies we can potentially
      save some time.  However, the compiler piplines the 64x64->64
      multiplies pretty well, and the conditional branch in the generic
      mul_u64_u32_shr() causes some bubbles in execution, with the
      result that it's pretty much a wash.  If tilegx provided its own
      implementation of mul_u64_u32_shr() without the conditional branch,
      we could potentially save 3 cycles, but that seems like small gain
      for a fair amount of additional build scaffolding; no other platform
      currently provides a mul_u64_u32_shr() override, and tile doesn't
      currently have an <asm/div64.h> header to put the override in.
      
      Additionally, gcc currently has an optimization bug that prevents
      it from recognizing the opportunity to use a 32x32->64 multiply,
      and so the result would be no better than the existing mult_frac()
      until such time as the compiler is fixed.
      
      For now, just using mult_frac() seems like the right answer.
      Signed-off-by: default avatarChris Metcalf <cmetcalf@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f204d21e
    • Andrey Grodzovsky's avatar
      scsi: mpt3sas: Fix secure erase premature termination · c707019b
      Andrey Grodzovsky authored
      commit 18f6084a upstream.
      
      This is a work around for a bug with LSI Fusion MPT SAS2 when perfoming
      secure erase. Due to the very long time the operation takes, commands
      issued during the erase will time out and will trigger execution of the
      abort hook. Even though the abort hook is called for the specific
      command which timed out, this leads to entire device halt
      (scsi_state terminated) and premature termination of the secure erase.
      
      Set device state to busy while ATA passthrough commands are in progress.
      
      [mkp: hand applied to 4.9/scsi-fixes, tweaked patch description]
      Signed-off-by: default avatarAndrey Grodzovsky <andrey2805@gmail.com>
      Acked-by: default avatarSreekanth Reddy <Sreekanth.Reddy@broadcom.com>
      Cc: <linux-scsi@vger.kernel.org>
      Cc: Sathya Prakash <sathya.prakash@broadcom.com>
      Cc: Chaitra P B <chaitra.basappa@broadcom.com>
      Cc: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
      Cc: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c707019b
    • Petr Vandrovec's avatar
      Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y · b33387f6
      Petr Vandrovec authored
      commit 2ce9d227 upstream.
      
      Some code (all error handling) submits CDBs that are allocated
      on the stack.  This breaks with CB/CBI code that tries to create
      URB directly from SCSI command buffer - which happens to be in
      vmalloced memory with vmalloced kernel stacks.
      
      Let's make copy of the command in usb_stor_CB_transport.
      Signed-off-by: default avatarPetr Vandrovec <petr@vandrovec.name>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b33387f6
    • Doug Brown's avatar
      USB: serial: ftdi_sio: add support for TI CC3200 LaunchPad · 89a28f3a
      Doug Brown authored
      commit 9bfef729 upstream.
      
      This patch adds support for the TI CC3200 LaunchPad board, which uses a
      custom USB vendor ID and product ID. Channel A is used for JTAG, and
      channel B is used for a UART.
      Signed-off-by: default avatarDoug Brown <doug@schmorgal.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      89a28f3a
    • Paul Jakma's avatar
      USB: serial: cp210x: add ID for the Zone DPMX · 6476f653
      Paul Jakma authored
      commit 2ab13292 upstream.
      
      The BRIM Brothers Zone DPMX is a bicycle powermeter. This ID is for the USB
      serial interface in its charging dock for the control pods, via which some
      settings for the pods can be modified.
      Signed-off-by: default avatarPaul Jakma <paul@jakma.org>
      Cc: Barry Redmond <barry@brimbrothers.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6476f653
    • Peter Chen's avatar
      usb: chipidea: move the lock initialization to core file · 7445ffb7
      Peter Chen authored
      commit a5d906bb upstream.
      
      This can fix below dump when the lock is accessed at host
      mode due to it is not initialized.
      
      [   46.119638] INFO: trying to register non-static key.
      [   46.124643] the code is fine but needs lockdep annotation.
      [   46.130144] turning off the locking correctness validator.
      [   46.135659] CPU: 0 PID: 690 Comm: cat Not tainted 4.9.0-rc3-00079-g4b75f1d #1210
      [   46.143075] Hardware name: Freescale i.MX6 SoloX (Device Tree)
      [   46.148923] Backtrace:
      [   46.151448] [<c010c460>] (dump_backtrace) from [<c010c658>] (show_stack+0x18/0x1c)
      [   46.159038]  r7:edf52000
      [   46.161412]  r6:60000193
      [   46.163967]  r5:00000000
      [   46.165035]  r4:c0e25c2c
      
      [   46.169109] [<c010c640>] (show_stack) from [<c03f58a4>] (dump_stack+0xb4/0xe8)
      [   46.176362] [<c03f57f0>] (dump_stack) from [<c016d690>] (register_lock_class+0x4fc/0x56c)
      [   46.184554]  r10:c0e25d24
      [   46.187014]  r9:edf53e70
      [   46.189569]  r8:c1642444
      [   46.190637]  r7:ee9da024
      [   46.193191]  r6:00000000
      [   46.194258]  r5:00000000
      [   46.196812]  r4:00000000
      [   46.199185]  r3:00000001
      
      [   46.203259] [<c016d194>] (register_lock_class) from [<c0171294>] (__lock_acquire+0x80/0x10f0)
      [   46.211797]  r10:c0e25d24
      [   46.214257]  r9:edf53e70
      [   46.216813]  r8:ee9da024
      [   46.217880]  r7:c1642444
      [   46.220435]  r6:edcd1800
      [   46.221502]  r5:60000193
      [   46.224057]  r4:00000000
      
      [   46.227953] [<c0171214>] (__lock_acquire) from [<c01726c0>] (lock_acquire+0x74/0x94)
      [   46.235710]  r10:00000001
      [   46.238169]  r9:edf53e70
      [   46.240723]  r8:edf53f80
      [   46.241790]  r7:00000001
      [   46.244344]  r6:00000001
      [   46.245412]  r5:60000193
      [   46.247966]  r4:00000000
      
      [   46.251866] [<c017264c>] (lock_acquire) from [<c096c8fc>] (_raw_spin_lock_irqsave+0x40/0x54)
      [   46.260319]  r7:ee1c6a00
      [   46.262691]  r6:c062a570
      [   46.265247]  r5:20000113
      [   46.266314]  r4:ee9da014
      
      [   46.270393] [<c096c8bc>] (_raw_spin_lock_irqsave) from [<c062a570>] (ci_port_test_show+0x2c/0x70)
      [   46.279280]  r6:eebd2000
      [   46.281652]  r5:ee9da010
      [   46.284207]  r4:ee9da014
      
      [   46.286810] [<c062a544>] (ci_port_test_show) from [<c0248d04>] (seq_read+0x1ac/0x4f8)
      [   46.294655]  r9:edf53e70
      [   46.297028]  r8:edf53f80
      [   46.299583]  r7:ee1c6a00
      [   46.300650]  r6:00000001
      [   46.303205]  r5:00000000
      [   46.304273]  r4:eebd2000
      [   46.306850] [<c0248b58>] (seq_read) from [<c039e864>] (full_proxy_read+0x54/0x6c)
      [   46.314348]  r10:00000000
      [   46.316808]  r9:c0a6ad30
      [   46.319363]  r8:edf53f80
      [   46.320430]  r7:00020000
      [   46.322986]  r6:b6de3000
      [   46.324053]  r5:ee1c6a00
      [   46.326607]  r4:c0248b58
      
      [   46.330505] [<c039e810>] (full_proxy_read) from [<c021ec98>] (__vfs_read+0x34/0x118)
      [   46.338262]  r9:edf52000
      [   46.340635]  r8:c0107fc4
      [   46.343190]  r7:00020000
      [   46.344257]  r6:edf53f80
      [   46.346812]  r5:c039e810
      [   46.347879]  r4:ee1c6a00
      [   46.350447] [<c021ec64>] (__vfs_read) from [<c021fbd0>] (vfs_read+0x8c/0x11c)
      [   46.357597]  r9:edf52000
      [   46.359969]  r8:c0107fc4
      [   46.362524]  r7:edf53f80
      [   46.363592]  r6:b6de3000
      [   46.366147]  r5:ee1c6a00
      [   46.367214]  r4:00020000
      [   46.369782] [<c021fb44>] (vfs_read) from [<c0220a4c>] (SyS_read+0x4c/0xa8)
      [   46.376672]  r8:c0107fc4
      [   46.379045]  r7:00020000
      [   46.381600]  r6:b6de3000
      [   46.382667]  r5:ee1c6a00
      [   46.385222]  r4:ee1c6a00
      
      [   46.387817] [<c0220a00>] (SyS_read) from [<c0107e20>] (ret_fast_syscall+0x0/0x1c)
      [   46.395314]  r7:00000003
      [   46.397687]  r6:b6de3000
      [   46.400243]  r5:00020000
      [   46.401310]  r4:00020000
      
      Fixes: 26c696c6 ("USB: Chipidea: rename struct ci13xxx variables from udc to ci")
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7445ffb7
    • Radim Krčmář's avatar
      KVM: x86: check for pic and ioapic presence before use · 32fe669c
      Radim Krčmář authored
      commit df492896 upstream.
      
      Split irqchip allows pic and ioapic routes to be used without them being
      created, which results in NULL access.  Check for NULL and avoid it.
      (The setup is too racy for a nicer solutions.)
      
      Found by syzkaller:
      
        general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
        Dumping ftrace buffer:
           (ftrace buffer empty)
        Modules linked in:
        CPU: 3 PID: 11923 Comm: kworker/3:2 Not tainted 4.9.0-rc5+ #27
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: events irqfd_inject
        task: ffff88006a06c7c0 task.stack: ffff880068638000
        RIP: 0010:[...]  [...] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
        RSP: 0000:ffff88006863ea20  EFLAGS: 00010006
        RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
        RDX: 0000000000000039 RSI: 0000000000000000 RDI: 1ffff1000d0c7d9e
        RBP: ffff88006863ef58 R08: 0000000000000001 R09: 0000000000000000
        R10: 00000000000001c8 R11: 0000000000000000 R12: ffff88006a06c7c0
        R13: 0000000000000001 R14: ffffffff8baab1a0 R15: 0000000000000001
        FS:  0000000000000000(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000004abdd0 CR3: 000000003e2f2000 CR4: 00000000000026e0
        Stack:
         ffffffff894d0098 1ffff1000d0c7d56 ffff88006863ecd0 dffffc0000000000
         ffff88006a06c7c0 0000000000000000 ffff88006863ecf8 0000000000000082
         0000000000000000 ffffffff815dd7c1 ffffffff00000000 ffffffff00000000
        Call Trace:
         [...] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3746
         [...] __raw_spin_lock include/linux/spinlock_api_smp.h:144
         [...] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
         [...] spin_lock include/linux/spinlock.h:302
         [...] kvm_ioapic_set_irq+0x4c/0x100 arch/x86/kvm/ioapic.c:379
         [...] kvm_set_ioapic_irq+0x8f/0xc0 arch/x86/kvm/irq_comm.c:52
         [...] kvm_set_irq+0x239/0x640 arch/x86/kvm/../../../virt/kvm/irqchip.c:101
         [...] irqfd_inject+0xb4/0x150 arch/x86/kvm/../../../virt/kvm/eventfd.c:60
         [...] process_one_work+0xb40/0x1ba0 kernel/workqueue.c:2096
         [...] worker_thread+0x214/0x18a0 kernel/workqueue.c:2230
         [...] kthread+0x328/0x3e0 kernel/kthread.c:209
         [...] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: 49df6397 ("KVM: x86: Split the APIC from the rest of IRQCHIP.")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32fe669c
    • Radim Krčmář's avatar
      KVM: x86: fix out-of-bounds accesses of rtc_eoi map · c02d1380
      Radim Krčmář authored
      commit 81cdb259 upstream.
      
      KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
      bigger that the maximal number of VCPUs, resulting in out-of-bounds
      access.
      
      Found by syzkaller:
      
        BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
        Write of size 1 by task a.out/27101
        CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         [...]
        Call Trace:
         [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
         [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
         [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
         [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
         [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
         [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
         [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
         [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
         [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
         [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: af1bae54 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c02d1380
    • Radim Krčmář's avatar
      KVM: x86: drop error recovery in em_jmp_far and em_ret_far · 39b65301
      Radim Krčmář authored
      commit 2117d539 upstream.
      
      em_jmp_far and em_ret_far assumed that setting IP can only fail in 64
      bit mode, but syzkaller proved otherwise (and SDM agrees).
      Code segment was restored upon failure, but it was left uninitialized
      outside of long mode, which could lead to a leak of host kernel stack.
      We could have fixed that by always saving and restoring the CS, but we
      take a simpler approach and just break any guest that manages to fail
      as the error recovery is error-prone and modern CPUs don't need emulator
      for this.
      
      Found by syzkaller:
      
        WARNING: CPU: 2 PID: 3668 at arch/x86/kvm/emulate.c:2217 em_ret_far+0x428/0x480
        Kernel panic - not syncing: panic_on_warn set ...
      
        CPU: 2 PID: 3668 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         [...]
        Call Trace:
         [...] __dump_stack lib/dump_stack.c:15
         [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
         [...] panic+0x1b7/0x3a3 kernel/panic.c:179
         [...] __warn+0x1c4/0x1e0 kernel/panic.c:542
         [...] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
         [...] em_ret_far+0x428/0x480 arch/x86/kvm/emulate.c:2217
         [...] em_ret_far_imm+0x17/0x70 arch/x86/kvm/emulate.c:2227
         [...] x86_emulate_insn+0x87a/0x3730 arch/x86/kvm/emulate.c:5294
         [...] x86_emulate_instruction+0x520/0x1ba0 arch/x86/kvm/x86.c:5545
         [...] emulate_instruction arch/x86/include/asm/kvm_host.h:1116
         [...] complete_emulated_io arch/x86/kvm/x86.c:6870
         [...] complete_emulated_mmio+0x4e9/0x710 arch/x86/kvm/x86.c:6934
         [...] kvm_arch_vcpu_ioctl_run+0x3b7a/0x5a90 arch/x86/kvm/x86.c:6978
         [...] kvm_vcpu_ioctl+0x61e/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557
         [...] vfs_ioctl fs/ioctl.c:43
         [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
         [...] SYSC_ioctl fs/ioctl.c:694
         [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
         [...] entry_SYSCALL_64_fastpath+0x1f/0xc2
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: d1442d85 ("KVM: x86: Handle errors when RIP is set during far jumps")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39b65301
    • Radim Krčmář's avatar
      KVM: x86: fix out-of-bounds access in lapic · 3c22c813
      Radim Krčmář authored
      commit 444fdad8 upstream.
      
      Cluster xAPIC delivery incorrectly assumed that dest_id <= 0xff.
      With enabled KVM_X2APIC_API_USE_32BIT_IDS in KVM_CAP_X2APIC_API, a
      userspace can send an interrupt with dest_id that results in
      out-of-bounds access.
      
      Found by syzkaller:
      
        BUG: KASAN: slab-out-of-bounds in kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003d9ca750
        Read of size 8 by task syz-executor/22923
        CPU: 0 PID: 22923 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         [...]
        Call Trace:
         [...] __dump_stack lib/dump_stack.c:15
         [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
         [...] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
         [...] print_address_description mm/kasan/report.c:194
         [...] kasan_report_error mm/kasan/report.c:283
         [...] kasan_report+0x231/0x500 mm/kasan/report.c:303
         [...] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:329
         [...] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 arch/x86/kvm/lapic.c:824
         [...] kvm_irq_delivery_to_apic+0x132/0x9a0 arch/x86/kvm/irq_comm.c:72
         [...] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
         [...] kvm_send_userspace_msi+0x201/0x280 arch/x86/kvm/../../../virt/kvm/irqchip.c:74
         [...] kvm_vm_ioctl+0xba5/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
         [...] vfs_ioctl fs/ioctl.c:43
         [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
         [...] SYSC_ioctl fs/ioctl.c:694
         [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
         [...] entry_SYSCALL_64_fastpath+0x1f/0xc2
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: e45115b6 ("KVM: x86: use physical LAPIC array for logical x2APIC")
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c22c813
    • Ashok Raj's avatar
      iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions · eb060c1a
      Ashok Raj authored
      commit 1c387188 upstream.
      
      The VT-d specification (§8.3.3) says:
          ‘Virtual Functions’ of a ‘Physical Function’ are under the scope
          of the same remapping unit as the ‘Physical Function’.
      
      The BIOS is not required to list all the possible VFs in the scope
      tables, and arguably *shouldn't* make any attempt to do so, since there
      could be a huge number of them.
      
      This has been broken basically for ever — the VF is never going to match
      against a specific unit's scope, so it ends up being assigned to the
      INCLUDE_ALL IOMMU. Which was always actually correct by coincidence, but
      now we're looking at Root-Complex integrated devices with SR-IOV support
      it's going to start being wrong.
      
      Fix it to simply use pci_physfn() before doing the lookup for PCI devices.
      Signed-off-by: default avatarSainath Grandhi <sainath.grandhi@intel.com>
      Signed-off-by: default avatarAshok Raj <ashok.raj@intel.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb060c1a
    • David Woodhouse's avatar
      iommu/vt-d: Fix PASID table allocation · 8b23f163
      David Woodhouse authored
      commit 91017044 upstream.
      
      Somehow I ended up with an off-by-three error in calculating the size of
      the PASID and PASID State tables, which triggers allocations failures as
      those tables unfortunately have to be physically contiguous.
      
      In fact, even the *correct* maximum size of 8MiB is problematic and is
      wont to lead to allocation failures. Since I have extracted a promise
      that this *will* be fixed in hardware, I'm happy to limit it on the
      current hardware to a maximum of 0x20000 PASIDs, which gives us 1MiB
      tables — still not ideal, but better than before.
      
      Reported by Mika Kuoppala <mika.kuoppala@linux.intel.com> and also by
      Xunlei Pang <xlpang@redhat.com> who submitted a simpler patch to fix
      only the allocation (and not the free) to the "correct" limit... which
      was still problematic.
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b23f163
  2. 26 Nov, 2016 3 commits