1. 28 Oct, 2017 10 commits
  2. 27 Oct, 2017 2 commits
  3. 26 Oct, 2017 11 commits
  4. 25 Oct, 2017 10 commits
    • Michael J. Ruhl's avatar
      RDMA/netlink: OOPs in rdma_nl_rcv_msg() from misinterpreted flag · b4d91aeb
      Michael J. Ruhl authored
      rdma_nl_rcv_msg() checks to see if it should use the .dump() callback
      or the .doit() callback.  The check is done with this check:
      
      if (flags & NLM_F_DUMP) ...
      
      The NLM_F_DUMP flag is two bits (NLM_F_ROOT | NLM_F_MATCH).
      
      When an RDMA_NL_LS message (response) is received, the bit used for
      indicating an error is the same bit as NLM_F_ROOT.
      
      NLM_F_ROOT == (0x100) == RDMA_NL_LS_F_ERR.
      
      ibacm sends a response with the RDMA_NL_LS_F_ERR bit set if an error
      occurs in the service.  The current code then misinterprets the
      NLM_F_DUMP bit and trys to call the .dump() callback.
      
      If the .dump() callback for the specified request is not available
      (which is true for the RDMA_NL_LS messages) the following Oops occurs:
      
      [ 4555.960256] BUG: unable to handle kernel NULL pointer dereference at
         (null)
      [ 4555.969046] IP:           (null)
      [ 4555.972664] PGD 10543f1067 P4D 10543f1067 PUD 1033f93067 PMD 0
      [ 4555.979287] Oops: 0010 [#1] SMP
      [ 4555.982809] Modules linked in: rpcrdma ib_isert iscsi_target_mod
      target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_ucm ib_ucm
      ib_uverbs ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod
      dax sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass
      crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd
      glue_helper cryptd hfi1 rdmavt iTCO_wdt iTCO_vendor_support ib_core mei_me
      lpc_ich pcspkr mei ioatdma sg shpchp i2c_i801 mfd_core wmi ipmi_si ipmi_devintf
      ipmi_msghandler acpi_power_meter acpi_pad nfsd auth_rpcgss nfs_acl lockd grace
      sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea
      sysfillrect sysimgblt fb_sys_fops ttm igb ahci crc32c_intel ptp libahci
      pps_core drm dca libata i2c_algo_bit i2c_core
      [ 4556.061190] CPU: 54 PID: 9841 Comm: ibacm Tainted: G          I
      4.14.0-rc2+ #6
      [ 4556.069667] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS
      SE5C610.86B.01.01.0008.021120151325 02/11/2015
      [ 4556.081339] task: ffff880855f42d00 task.stack: ffffc900246b4000
      [ 4556.087967] RIP: 0010:          (null)
      [ 4556.092166] RSP: 0018:ffffc900246b7bc8 EFLAGS: 00010246
      [ 4556.098018] RAX: ffffffff81dbe9e0 RBX: ffff881058bb1000 RCX:
      0000000000000000
      [ 4556.105997] RDX: 0000000000001100 RSI: ffff881058bb1320 RDI:
      ffff881056362000
      [ 4556.113984] RBP: ffffc900246b7bf8 R08: 0000000000000ec0 R09:
      0000000000001100
      [ 4556.121971] R10: ffff8810573a5000 R11: 0000000000000000 R12:
      ffff881056362000
      [ 4556.129957] R13: 0000000000000ec0 R14: ffff881058bb1320 R15:
      0000000000000ec0
      [ 4556.137945] FS:  00007fe0ba5a38c0(0000) GS:ffff88105f080000(0000)
      knlGS:0000000000000000
      [ 4556.147000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 4556.153433] CR2: 0000000000000000 CR3: 0000001056f5d003 CR4:
      00000000001606e0
      [ 4556.161419] Call Trace:
      [ 4556.164167]  ? netlink_dump+0x12c/0x290
      [ 4556.168468]  __netlink_dump_start+0x186/0x1f0
      [ 4556.173357]  rdma_nl_rcv_msg+0x193/0x1b0 [ib_core]
      [ 4556.178724]  rdma_nl_rcv+0xdc/0x130 [ib_core]
      [ 4556.183604]  netlink_unicast+0x181/0x240
      [ 4556.187998]  netlink_sendmsg+0x2c2/0x3b0
      [ 4556.192392]  sock_sendmsg+0x38/0x50
      [ 4556.196299]  SYSC_sendto+0x102/0x190
      [ 4556.200308]  ? __audit_syscall_entry+0xaf/0x100
      [ 4556.205387]  ? syscall_trace_enter+0x1d0/0x2b0
      [ 4556.210366]  ? __audit_syscall_exit+0x209/0x290
      [ 4556.215442]  SyS_sendto+0xe/0x10
      [ 4556.219060]  do_syscall_64+0x67/0x1b0
      [ 4556.223165]  entry_SYSCALL64_slow_path+0x25/0x25
      [ 4556.228328] RIP: 0033:0x7fe0b9db2a63
      [ 4556.232333] RSP: 002b:00007ffc55edc260 EFLAGS: 00000293 ORIG_RAX:
      000000000000002c
      [ 4556.240808] RAX: ffffffffffffffda RBX: 0000000000000010 RCX:
      00007fe0b9db2a63
      [ 4556.248796] RDX: 0000000000000010 RSI: 00007ffc55edc280 RDI:
      000000000000000d
      [ 4556.256782] RBP: 00007ffc55edc670 R08: 00007ffc55edc270 R09:
      000000000000000c
      [ 4556.265321] R10: 0000000000000000 R11: 0000000000000293 R12:
      00007ffc55edc280
      [ 4556.273846] R13: 000000000260b400 R14: 000000000000000d R15:
      0000000000000001
      [ 4556.282368] Code:  Bad RIP value.
      [ 4556.286629] RIP:           (null) RSP: ffffc900246b7bc8
      [ 4556.293013] CR2: 0000000000000000
      [ 4556.297292] ---[ end trace 8d67abcfd10ec209 ]---
      [ 4556.305465] Kernel panic - not syncing: Fatal exception
      [ 4556.313786] Kernel Offset: disabled
      [ 4556.321563] ---[ end Kernel panic - not syncing: Fatal exception
      [ 4556.328960] ------------[ cut here ]------------
      
      Special case RDMA_NL_LS response messages to call the appropriate
      callback.
      
      Additionally, make sure that the .dump() callback is not NULL
      before calling it.
      
      Fixes: 647c75ac ("RDMA/netlink: Convert LS to doit callback")
      Reviewed-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: default avatarKaike Wan <kaike.wan@intel.com>
      Reviewed-by: default avatarAlex Estrin <alex.estrin@intel.com>
      Signed-off-by: default avatarMichael J. Ruhl <michael.j.ruhl@intel.com>
      Reviewed-by: default avatarShiraz Saleem <shiraz.saleem@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      b4d91aeb
    • Juergen Gross's avatar
      xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() · 298d275d
      Juergen Gross authored
      In case gntdev_mmap() succeeds only partially in mapping grant pages
      it will leave some vital information uninitialized needed later for
      cleanup. This will lead to an out of bounds array access when unmapping
      the already mapped pages.
      
      So just initialize the data needed for unmapping the pages a little bit
      earlier.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarArthur Borsboom <arthurborsboom@gmail.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      298d275d
    • Miklos Szeredi's avatar
      fuse: fix READDIRPLUS skipping an entry · c6cdd514
      Miklos Szeredi authored
      Marios Titas running a Haskell program noticed a problem with fuse's
      readdirplus: when it is interrupted by a signal, it skips one directory
      entry.
      
      The reason is that fuse erronously updates ctx->pos after a failed
      dir_emit().
      
      The issue originates from the patch adding readdirplus support.
      Reported-by: default avatarJakob Unterwurzacher <jakobunt@gmail.com>
      Tested-by: Marios Titas <redneb@gmx.com> 
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: 0b05b183 ("fuse: implement NFS-like readdirplus support")
      Cc: <stable@vger.kernel.org> # v3.9
      c6cdd514
    • Mark Brown's avatar
      Merge remote-tracking branches 'spi/fix/armada', 'spi/fix/idr',... · 7555aa76
      Mark Brown authored
      Merge remote-tracking branches 'spi/fix/armada', 'spi/fix/idr', 'spi/fix/qspi', 'spi/fix/stm32' and 'spi/fix/uapi' into spi-linus
      7555aa76
    • Ard Biesheuvel's avatar
      efi/libstub/arm: Don't randomize runtime regions when CONFIG_HIBERNATION=y · 38fb6652
      Ard Biesheuvel authored
      Commit:
      
        e69176d6 ("ef/libstub/arm/arm64: Randomize the base of the UEFI rt services region")
      
      implemented randomization of the virtual mapping that the OS chooses for
      the UEFI runtime services. This was motivated by the fact that UEFI usually
      does not bother to specify any permission restrictions for those regions,
      making them prime real estate for exploitation now that the OS is getting
      more and more careful not to leave any R+W+X mapped regions lying around.
      
      However, this randomization breaks assumptions in the resume from
      hibernation code, which expects all memory regions populated by UEFI to
      remain in the same place, including their virtual mapping into the OS
      memory space. While this assumption may not be entirely reasonable in the
      first place, breaking it deliberately does not make a lot of sense either.
      So let's refrain from this randomization pass if CONFIG_HIBERNATION=y.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: James Morse <james.morse@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Link: http://lkml.kernel.org/r/20171025100448.26056-3-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      38fb6652
    • Dan Carpenter's avatar
      efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps() · 092e72c9
      Dan Carpenter authored
      If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1"
      will overflow to zero and kcalloc() will return the ZERO_SIZE_PTR.  We
      try to dereference it inside the loop and crash.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMatt Fleming <matt@codeblueprint.co.uk>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: default avatarIvan Hu <ivan.hu@canonical.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Fixes: ff6301da ("efi: Add efi_test driver for exporting UEFI runtime service interfaces")
      Link: http://lkml.kernel.org/r/20171025100448.26056-2-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      092e72c9
    • Jeff Layton's avatar
      ceph: unlock dangling spinlock in try_flush_caps() · 6c2838fb
      Jeff Layton authored
      sparse warns:
      
        fs/ceph/caps.c:2042:9: warning: context imbalance in 'try_flush_caps' - wrong count at exit
      
      We need to exit this function with the lock unlocked, but a couple of
      cases leave it locked.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Reviewed-by: default avatar"Yan, Zheng" <zyan@redhat.com>
      Reviewed-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      6c2838fb
    • Martin Schwidefsky's avatar
      s390/kvm: fix detection of guest machine checks · 0a5e2ec2
      Martin Schwidefsky authored
      The new detection code for guest machine checks added a check based
      on %r11 to .Lcleanup_sie to distinguish between normal asynchronous
      interrupts and machine checks. But the funtion is called from the
      program check handler as well with an undefined value in %r11.
      
      The effect is that all program exceptions pointing to the SIE instruction
      will set the CIF_MCCK_GUEST bit. The bit stays set for the CPU until the
       next machine check comes in which will incorrectly be interpreted as a
      guest machine check.
      
      The simplest fix is to stop using .Lcleanup_sie in the program check
      handler and duplicate a few instructions.
      
      Fixes: c929500d ("s390/nmi: s390: New low level handling for machine check happening in guest")
      Cc: <stable@vger.kernel.org> # v4.13+
      Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      0a5e2ec2
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.14-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · f3415787
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
      
       - Fix a list corruption in xprt_release()
      
       - Fix a workqueue lockdep warning due to unsafe use of
         cancel_work_sync()
      
      * tag 'nfs-for-4.14-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        SUNRPC: Destroy transport from the system workqueue
        SUNRPC: fix a list corruption issue in xprt_release()
      f3415787
    • Josef Bacik's avatar
      nbd: handle interrupted sendmsg with a sndtimeo set · 32e67a3a
      Josef Bacik authored
      If you do not set sk_sndtimeo you will get -ERESTARTSYS if there is a
      pending signal when you enter sendmsg, which we handle properly.
      However if you set a timeout for your commands we'll set sk_sndtimeo to
      that timeout, which means that sendmsg will start returning -EINTR
      instead of -ERESTARTSYS.  Fix this by checking either cases and doing
      the correct thing.
      
      Cc: stable@vger.kernel.org
      Fixes: dc88e34d ("nbd: set sk->sk_sndtimeo for our sockets")
      Reported-and-tested-by: default avatarDaniel Xu <dlxu@fb.com>
      Signed-off-by: default avatarJosef Bacik <jbacik@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      32e67a3a
  5. 24 Oct, 2017 7 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · ae59df03
      Linus Torvalds authored
      Pull KVM fixes from Radim Krčmář:
       "PPC fixes for potential host oops and hangs"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: PPC: Book3S HV: Add more barriers in XIVE load/unload code
        KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU
        KVM: PPC: Book3S HV: POWER9 more doorbell fixes
        KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM
      ae59df03
    • Amir Goldstein's avatar
      ovl: do not cleanup unsupported index entries · fa0096e3
      Amir Goldstein authored
      With index=on, ovl_indexdir_cleanup() tries to cleanup invalid index
      entries (e.g. bad index name). This behavior could result in cleaning of
      entries created by newer kernels and is therefore undesirable.
      Instead, abort mount if such entries are encountered. We still cleanup
      'stale' entries and 'orphan' entries, both those cases can be a result
      of offline changes to lower and upper dirs.
      
      When encoutering an index entry of type directory or whiteout, kernel
      was supposed to fallback to read-only mount, but the fill_super()
      operation returns EROFS in this case instead of returning success with
      read-only mount flag, so mount fails when encoutering directory or
      whiteout index entries. Bless this behavior by returning -EINVAL on
      directory and whiteout index entries as we do for all unsupported index
      entries.
      
      Fixes: 61b67471 ("ovl: do not cleanup directory and whiteout index..")
      Cc: <stable@vger.kernel.org> # v4.13
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      fa0096e3
    • Amir Goldstein's avatar
      ovl: handle ENOENT on index lookup · 7937a56f
      Amir Goldstein authored
      Treat ENOENT from index entry lookup the same way as treating a returned
      negative dentry. Apparently, either could be returned if file is not
      found, depending on the underlying file system.
      
      Fixes: 359f392c ("ovl: lookup index entry for copy up origin")
      Cc: <stable@vger.kernel.org> # v4.13
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      7937a56f
    • Amir Goldstein's avatar
      ovl: fix EIO from lookup of non-indexed upper · 6eaf0111
      Amir Goldstein authored
      Commit fbaf94ee ("ovl: don't set origin on broken lower hardlink")
      attempt to avoid the condition of non-indexed upper inode with lower
      hardlink as origin. If this condition is found, lookup returns EIO.
      
      The protection of commit mentioned above does not cover the case of lower
      that is not a hardlink when it is copied up (with either index=off/on)
      and then lower is hardlinked while overlay is offline.
      
      Changes to lower layer while overlayfs is offline should not result in
      unexpected behavior, so a permanent EIO error after creating a link in
      lower layer should not be considered as correct behavior.
      
      This fix replaces EIO error with success in cases where upper has origin
      but no index is found, or index is found that does not match upper
      inode. In those cases, lookup will not fail and the returned overlay inode
      will be hashed by upper inode instead of by lower origin inode.
      
      Fixes: 359f392c ("ovl: lookup index entry for copy up origin")
      Cc: <stable@vger.kernel.org> # v4.13
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      6eaf0111
    • Rafael J. Wysocki's avatar
      PM / QoS: Fix device resume latency PM QoS · 0cc2b4e5
      Rafael J. Wysocki authored
      The special value of 0 for device resume latency PM QoS means
      "no restriction", but there are two problems with that.
      
      First, device resume latency PM QoS requests with 0 as the
      value are always put in front of requests with positive
      values in the priority lists used internally by the PM QoS
      framework, causing 0 to be chosen as an effective constraint
      value.  However, that 0 is then interpreted as "no restriction"
      effectively overriding the other requests with specific
      restrictions which is incorrect.
      
      Second, the users of device resume latency PM QoS have no
      way to specify that *any* resume latency at all should be
      avoided, which is an artificial limitation in general.
      
      To address these issues, modify device resume latency PM QoS to
      use S32_MAX as the "no constraint" value and 0 as the "no
      latency at all" one and rework its users (the cpuidle menu
      governor, the genpd QoS governor and the runtime PM framework)
      to follow these changes.
      
      Also add a special "n/a" value to the corresponding user space I/F
      to allow user space to indicate that it cannot accept any resume
      latencies at all for the given device.
      
      Fixes: 85dc0b8a (PM / QoS: Make it possible to expose PM QoS latency constraints)
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=197323Reported-by: default avatarReinette Chatre <reinette.chatre@intel.com>
      Tested-by: default avatarReinette Chatre <reinette.chatre@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarAlex Shi <alex.shi@linaro.org>
      Cc: All applicable <stable@vger.kernel.org>
      0cc2b4e5
    • Guenter Roeck's avatar
      hwmon: (tmp102) Fix first temperature reading · d0725439
      Guenter Roeck authored
      Commit 3d8f7a89 ("hwmon: (tmp102) Improve handling of initial read
      delay") reduced the initial temperature read delay and made it dependent
      on the chip's shutdown mode. If the chip was not in shutdown mode at probe,
      the read delay no longer applies.
      
      This ignores the fact that the chip initialization changes the temperature
      sensor resolution, and that the temperature register values change when
      the resolution is changed. As a result, the reported temperature is twice
      as high as the real temperature until the first temperature conversion
      after the configuration change is complete. This can result in unexpected
      behavior and, worst case, in a system shutdown. To fix the problem,
      let's just always wait for a conversion to complete before reporting
      a temperature.
      
      Fixes: 3d8f7a89 ("hwmon: (tmp102) Improve handling of initial read delay")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=197167Reported-by: default avatarRalf Goebel <ralf.goebel@imago-technologies.com>
      Cc: Ralf Goebel <ralf.goebel@imago-technologies.com>
      Reviewed-by: default avatarJean Delvare <jdelvare@suse.de>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      d0725439
    • Hui Wang's avatar
      ALSA: hda - fix headset mic problem for Dell machines with alc236 · f265788c
      Hui Wang authored
      We have several Dell laptops which use the codec alc236, the headset
      mic can't work on these machines. Following the commit 736f20a7, we
      add the pin cfg table to make the headset mic work.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      f265788c