05 Sep, 2018: 20 commits
  24 Aug, 2018: 20 commits
    • Linux 4.9.124 · e8d49e42
      Greg Kroah-Hartman authored
    • reiserfs: fix broken xattr handling (heap corruption, bad retval) · 696d906b
      Jann Horn authored
      commit a13f085d upstream.
      
      This fixes the following issues:
      
      - When a buffer size is supplied to reiserfs_listxattr() such that each
        individual name fits, but the concatenation of all names doesn't fit,
        reiserfs_listxattr() overflows the supplied buffer.  This leads to a
        kernel heap overflow (verified using KASAN) followed by an out-of-bounds
        usercopy and is therefore a security bug.
      
      - When a buffer size is supplied to reiserfs_listxattr() such that a
        name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
        truncates the list of names; I have verified that if the only xattr on a
        file has a longer name than the supplied buffer length, listxattr()
        incorrectly returns zero.
      
      With my patch applied, -ERANGE is returned in both cases and the memory
      corruption doesn't happen anymore.
      
      Credit for making me clean this code up a bit goes to Al Viro, who pointed
      out that the ->actor calling convention is suboptimal and should be
      changed.
      
      Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
      Fixes: 48b32a35 ("reiserfs: use generic xattr handlers")
      Signed-off-by: Jann Horn <jannh@google.com>
      Acked-by: Jeff Mahoney <jeffm@suse.com>
      Cc: Eric Biggers <ebiggers@google.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
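Added example (not code from the commit or from reiserfs): the buffer-accounting contract the commit message describes for a listxattr() implementation. The name table, the struct and every function name below are constructed for illustration. `each_name_fits()` is the per-name predicate that accepts a buffer too small for the concatenation; `list_xattr_names()` checks each name against the space still remaining, returns -ERANGE the moment one does not fit, and reports the total length in query mode instead of a silent 0.

```c
/* Added example, not kernel code: the accounting a listxattr() must do.
 * Names, struct and function names are constructed for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct xattr_name {
    const char *name;
};

/* Constructed sample names. Each is NUL-terminated in the output list,
 * so they occupy 7, 11 and 11 bytes: 29 bytes in total. */
static const struct xattr_name sample_names[] = {
    { "user.a" },
    { "user.hello" },
    { "security.x" },
};
#define SAMPLE_COUNT (sizeof sample_names / sizeof sample_names[0])

/* The broken predicate from the commit message: it asks whether every name
 * fits the buffer on its own, which says nothing about the concatenation.
 * Returns 1 if each name individually fits in `size` bytes. */
int each_name_fits(const struct xattr_name *names, size_t count, size_t size)
{
    for (size_t i = 0; i < count; i++)
        if (strlen(names[i].name) + 1 > size)
            return 0;
    return 1;
}

/* Correct accounting. With buf == NULL or size == 0 it only reports the
 * total length needed (the query mode of listxattr(2)). Otherwise every
 * name is checked against the space still remaining and -ERANGE is
 * returned as soon as one does not fit, so nothing is written past
 * buf + size and a too-small buffer never yields 0. */
long list_xattr_names(const struct xattr_name *names, size_t count,
                      char *buf, size_t size)
{
    size_t used = 0;

    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(names[i].name) + 1;   /* include the NUL */

        if (buf && size) {
            if (len > size - used)
                return -ERANGE;
            memcpy(buf + used, names[i].name, len);
        }
        used += len;
    }
    return (long)used;
}

/* Test wrapper: list into a 64-byte scratch area while claiming it is only
 * `size` bytes large, then verify that the bytes beyond `size` still hold
 * their canary. Returns the listxattr result, or -EFAULT on canary damage. */
long demo_list_into(size_t size)
{
    static char scratch[64];

    if (size > sizeof scratch)
        return -EINVAL;
    memset(scratch, 0xAA, sizeof scratch);
    long rc = list_xattr_names(sample_names, SAMPLE_COUNT, scratch, size);
    for (size_t i = size; i < sizeof scratch; i++)
        if ((unsigned char)scratch[i] != 0xAA)
            return -EFAULT;
    return rc;
}

int main(void)
{
    printf("needed: %ld\n",
           list_xattr_names(sample_names, SAMPLE_COUNT, NULL, 0));
    printf("size 64: %ld\n", demo_list_into(64));
    printf("size 11: %ld (each name fits alone: %d)\n", demo_list_into(11),
           each_name_fits(sample_names, SAMPLE_COUNT, 11));
    printf("size 5: %ld\n", demo_list_into(5));
    return 0;
}
```

With a declared size of 11 every sample name fits on its own, so the per-name predicate says yes while the correct routine returns -ERANGE; with a size of 5 the first name already does not fit and the result is again -ERANGE rather than 0, which is the second defect the commit describes.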
    • i2c: imx: Fix race condition in dma read · 44745bd1
      Esben Haabendal authored
      commit bed4ff1e upstream.
      
      This fixes a race condition, where the DMAEN bit ends up being set after
      the I2C slave has transmitted a byte following the dummy read.  When that
      happens, an interrupt is generated instead, no DMA request is generated
      to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).
      
      Fixed by setting the DMAEN bit before the dummy read.

      Signed-off-by: Esben Haabendal <eha@deif.com>
      Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
      Cc: stable@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: pciehp: Fix unprotected list iteration in IRQ handler · 86a3d597
      Lukas Wunner authored
      commit 1204e35b upstream.
      
      Commit b440bde7 ("PCI: Add pci_ignore_hotplug() to ignore hotplug
      events for a device") iterates over the devices on a hotplug port's
      subordinate bus in pciehp's IRQ handler without acquiring pci_bus_sem.
      It is thus possible for a user to cause a crash by concurrently
      manipulating the device list, e.g. by disabling slot power via sysfs
      on a different CPU or by initiating a remove/rescan via sysfs.
      
      This can't be fixed by acquiring pci_bus_sem because it may sleep.
      The simplest fix is to avoid the list iteration altogether and just
      check the ignore_hotplug flag on the port itself.  This works because
      pci_ignore_hotplug() sets the flag both on the device as well as on its
      parent bridge.
      
      We do lose the ability to print the name of the device blocking hotplug
      in the debug message, but that's probably bearable.
      
      Fixes: b440bde7 ("PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device")
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: pciehp: Fix use-after-free on unplug · 3fcdcdd5
      Lukas Wunner authored
      commit 281e878e upstream.
      
      When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
      hotplug_slot struct is deregistered and thus freed before freeing the
      IRQ.  The IRQ handler and the work items it schedules print the slot
      name referenced from the freed structure in various informational and
      debug log messages, each time resulting in a quadruple dereference of
      freed pointers (hotplug_slot -> pci_slot -> kobject -> name).
      
      At best the slot name is logged as "(null)", at worst kernel memory is
      exposed in logs or the driver crashes:
      
        pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present
      
      An attacker may provoke the bug by unplugging multiple devices on a
      Thunderbolt daisy chain at once.  Unplugging can also be simulated by
      powering down slots via sysfs.  The bug is particularly easy to trigger
      in poll mode.
      
      It has been present since the driver's introduction in 2004:
      https://git.kernel.org/tglx/history/c/c16b4b14d980
      
      Fix by rearranging teardown such that the IRQ is freed first.  Run the
      work items queued by the IRQ handler to completion before freeing the
      hotplug_slot struct by draining the work queue from the ->release_slot
      callback which is invoked by pci_hp_deregister().

      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org # v2.6.4
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: Skip MPS logic for Virtual Functions (VFs) · 73aae596
      Myron Stowe authored
      commit 3dbe97ef upstream.
      
      PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
      Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
      VFs.  Just prior to the table it states:
      
        "PF and VF functionality is defined in Section 7.5.3.4 except where
         noted in Table 9-16.  For VF fields marked 'RsvdP', the PF setting
         applies to the VF."
      
      All of which implies that with respect to Max_Payload_Size Supported
      (MPSS), MPS, and MRRS values, we should not be paying any attention to the
      VF's fields, but rather only to the PF's.  Only looking at the PF's fields
      also logically makes sense as it's the sole physical interface to the PCIe
      bus.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
      Fixes: 27d868b5 ("PCI: Set MPS to match upstream bridge")
      Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org # 4.3+
      Cc: Keith Busch <keith.busch@intel.com>
      Cc: Sinan Kaya <okaya@kernel.org>
      Cc: Dongdong Liu <liudongdong3@huawei.com>
      Cc: Jon Mason <jdmason@kudzu.us>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: hotplug: Don't leak pci_slot on registration failure · f2842452
      Lukas Wunner authored
      commit 4ce64358 upstream.
      
      If addition of sysfs files fails on registration of a hotplug slot, the
      struct pci_slot as well as the entry in the slot_list is leaked.  The
      issue has been present since the hotplug core was introduced in 2002:
      https://git.kernel.org/tglx/history/c/a8a2069f432c
      
      Perhaps the idea was that even though sysfs addition fails, the slot
      should still be usable.  But that's not how drivers use the interface,
      they abort probe if a non-zero value is returned.

      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org # v2.4.15+
      Cc: Greg Kroah-Hartman <greg@kroah.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • parisc: Remove unnecessary barriers from spinlock.h · eba0611e
      John David Anglin authored
      commit 3b885ac1 upstream.
      
      Now that mb() is an instruction barrier, it will slow performance if we issue
      unnecessary barriers.
      
      The spinlock defines have a number of unnecessary barriers.  The __ldcw()
      define is both a hardware and compiler barrier.  The mb() barriers in the
      routines using __ldcw() serve no purpose.
      
      The only barrier needed is the one in arch_spin_unlock().  We need to ensure
      all accesses are complete prior to releasing the lock.

      Signed-off-by: John David Anglin <dave.anglin@bell.net>
      Cc: stable@vger.kernel.org # 4.0+
      Signed-off-by: Helge Deller <deller@gmx.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • packet: refine ring v3 block size test to hold one frame · 59629848
      Willem de Bruijn authored
      commit 4576cd46 upstream.
      
      TPACKET_V3 stores variable length frames in fixed length blocks.
      Blocks must be able to store a block header, optional private space
      and at least one minimum sized frame.
      
      Frames, even for a zero snaplen packet, store metadata headers and
      optional reserved space.
      
      In the block size bounds check, ensure that the frame of the
      chosen configuration fits. This includes sockaddr_ll and optional
      tp_reserve.
      
      Syzbot was able to construct a ring with insufficient room for the
      sockaddr_ll in the header of a zero-length frame, triggering an
      out-of-bounds write in dev_parse_header.
      
      Convert the comparison to less than, as zero is a valid snap len.
      This matches the test for minimum tp_frame_size immediately below.
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Fixes: eb73190f ("net/packet: refine check for priv area size")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state · f29eb8ee
      Florian Westphal authored
      commit 6613b617 upstream.
      
      When the first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
      that has an uninitialized timeout value, i.e. such an entry could be
      reaped at any time.
      
      Mark them as INVALID and only ignore SYNC/SYNCACK when the connection had
      an old state.
      
      Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xfrm_user: prevent leaking 2 bytes of kernel memory · 2038a9e1
      Eric Dumazet authored
      commit 45c180bc upstream.
      
      struct xfrm_userpolicy_type has two holes, so we should not
      use a C99-style initializer.
      
      KMSAN report:
      
      BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
      CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
       kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
       kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
       copyout lib/iov_iter.c:140 [inline]
       _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
       copy_to_iter include/linux/uio.h:106 [inline]
       skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
       skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
       netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
       sock_recvmsg_nosec net/socket.c:802 [inline]
       sock_recvmsg+0x1d6/0x230 net/socket.c:809
       ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
       __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
       do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
       __do_sys_recvmmsg net/socket.c:2485 [inline]
       __se_sys_recvmmsg net/socket.c:2481 [inline]
       __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
       do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x446ce9
      RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
      RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
      RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
      RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
      R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
      R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
       kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
       __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
       __nla_put lib/nlattr.c:569 [inline]
       nla_put+0x276/0x340 lib/nlattr.c:627
       copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
       dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
       xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
       xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
       netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
       __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
       netlink_dump_start include/linux/netlink.h:214 [inline]
       xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
       netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
       xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Local variable description: ----upt.i@dump_one_policy
      Variable was created at:
       dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
       xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
      
      Byte 130 of 137 is uninitialized
      Memory access starts at ffff88019550407f
      
      Fixes: c0144bea ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
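Added example (not code from the commit or from net/xfrm): why the two holes matter. The struct below is assumed to mirror the uapi layout of struct xfrm_userpolicy_type (a u8, a u16 and a u8), which on the usual ABIs is 6 bytes long with one padding byte after `type` and one after `reserved2`; everything else here (the function names, the poisoning) is constructed. A designated initializer sets the named members but leaves padding unspecified, so a whole-object copy such as nla_put() performs can carry stale stack bytes to userspace; clearing the object with memset first makes the copy deterministic.

```c
/* Added example, not kernel code. policy_type_msg is assumed to mirror the
 * uapi struct xfrm_userpolicy_type; all function names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct policy_type_msg {
    uint8_t  type;
    uint16_t reserved1;
    uint8_t  reserved2;
};

/* Bytes of the object that belong to no member: these are exactly what a
 * whole-struct copy carries out unchanged. Expected on x86-64/arm64: 2. */
size_t padding_bytes(void)
{
    return sizeof(struct policy_type_msg)
           - sizeof(uint8_t) - sizeof(uint16_t) - sizeof(uint8_t);
}

static int in_member(size_t off, size_t start, size_t len)
{
    return off >= start && off < start + len;
}

/* 1 if byte offset `off` lies inside a named member, 0 if it is padding. */
static int is_member_byte(size_t off)
{
    return in_member(off, offsetof(struct policy_type_msg, type), sizeof(uint8_t))
        || in_member(off, offsetof(struct policy_type_msg, reserved1), sizeof(uint16_t))
        || in_member(off, offsetof(struct policy_type_msg, reserved2), sizeof(uint8_t));
}

/* Count non-zero padding bytes in an object about to be copied out. */
size_t dirty_padding_bytes(const struct policy_type_msg *m)
{
    const unsigned char *p = (const unsigned char *)m;
    size_t dirty = 0;
    for (size_t off = 0; off < sizeof *m; off++)
        if (!is_member_byte(off) && p[off] != 0)
            dirty++;
    return dirty;
}

/* The pattern the commit removes: the named members are set, but the C
 * standard leaves padding unspecified, so whatever the compiler left in the
 * stack slot may survive into the copy. (Many compilers happen to zero it,
 * which is why this kind of leak is only caught by tools such as KMSAN.) */
void fill_with_initializer(struct policy_type_msg *out, uint8_t type)
{
    struct policy_type_msg upt = { .type = type, .reserved1 = 0, .reserved2 = 0 };
    memcpy(out, &upt, sizeof upt);
}

/* The fix pattern: clear the whole object first, then assign members. */
void fill_with_memset(struct policy_type_msg *out, uint8_t type)
{
    struct policy_type_msg upt;
    memset(&upt, 0, sizeof upt);
    upt.type = type;
    memcpy(out, &upt, sizeof upt);
}

/* Poison a destination, fill it the safe way and report how many padding
 * bytes are still non-zero. Expected: 0, regardless of compiler. */
size_t safe_fill_leaves_dirty(void)
{
    struct policy_type_msg m;
    memset(&m, 0xAA, sizeof m);
    fill_with_memset(&m, 1);
    return dirty_padding_bytes(&m);
}

/* Same check for the initializer version; the result is compiler-dependent. */
size_t initializer_fill_leaves_dirty(void)
{
    struct policy_type_msg m;
    memset(&m, 0xAA, sizeof m);
    fill_with_initializer(&m, 1);
    return dirty_padding_bytes(&m);
}

int main(void)
{
    printf("sizeof: %zu, padding bytes: %zu\n",
           sizeof(struct policy_type_msg), padding_bytes());
    printf("dirty after memset fill: %zu\n", safe_fill_leaves_dirty());
    printf("dirty after initializer fill: %zu\n", initializer_fill_leaves_dirty());
    return 0;
}
```

`padding_bytes()` is the "2 bytes" in the commit title. Only the memset variant has a guaranteed result; the initializer variant is left to run but not asserted on, because whether its padding is clean depends on the compiler and optimisation level, which is precisely what makes it unsafe as a uapi copy source.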
    • parisc: Remove ordered stores from syscall.S · 8725807e
      John David Anglin authored
      commit 7797167f upstream.
      
      Now that we use a sync prior to releasing the locks in syscall.S, we don't need
      the PA 2.0 ordered stores used to release some locks.  Using an ordered store
      potentially slows the release and subsequent code.
      
      There are a number of other ordered stores and loads that serve no purpose.  I
      have converted these to normal stores.

      Signed-off-by: John David Anglin <dave.anglin@bell.net>
      Cc: stable@vger.kernel.org # 4.0+
      Signed-off-by: Helge Deller <deller@gmx.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ext4: fix spectre gadget in ext4_mb_regular_allocator() · 51ada110
      Jeremy Cline authored
      commit 1a5d5e5d upstream.
      
      'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
      derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
      index arrays which makes it a potential spectre gadget. Fix this by
      sanitizing the value assigned to 'ac->ac_2order'.  This covers the
      following accesses found with the help of smatch:
      
      * fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
        spectre issue 'grp->bb_counters' [w] (local cap)
      
      * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
        'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)
      
      * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
        'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

      Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: Jeremy Cline <jcline@redhat.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
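Added example (not code from the commit or from fs/ext4): what "sanitizing the value" means for a Spectre v1 gadget. The mask arithmetic follows the kernel's generic array_index_mask_nospec() from include/linux/nospec.h; the per-order table, the `order_from_len()` derivation and the two lookup functions are constructed to model the shape described above (a caller-supplied length turned into an order that indexes per-order arrays) and are not ext4's code. Both lookups return the same values architecturally; the sanitized one additionally guarantees that a mispredicted bounds check can only load an in-bounds element.

```c
/* Added example, not ext4 code. The mask follows the kernel's generic
 * array_index_mask_nospec(); the table and lookups are constructed. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Returns ~0UL when index < size and 0 otherwise, using only arithmetic so
 * that no branch is involved. Like the kernel version it relies on an
 * arithmetic right shift of a negative long and on size <= LONG_MAX. */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

/* Clamp index to [0, size) without a data-dependent branch: an out-of-range
 * index becomes 0 instead of being used as-is. */
unsigned long array_index_nospec_u(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

#define MAX_ORDER 8
/* Constructed per-order table standing in for the ext4 arrays. */
static const unsigned long per_order_counters[MAX_ORDER] = {
    10, 20, 30, 40, 50, 60, 70, 80
};

/* Constructed stand-in for the ac_2order derivation: log2 of a power-of-two
 * length supplied by the caller, or 0 when len is not a power of two. */
unsigned long order_from_len(unsigned long len)
{
    unsigned long order = 0;

    if (len == 0 || (len & (len - 1)))
        return 0;
    while ((1UL << order) < len)
        order++;
    return order;
}

/* The gadget shape: a bounds check followed by an array access. The branch
 * protects architectural execution only; the CPU may speculate past it with
 * an out-of-range order and issue the load anyway. */
unsigned long lookup_unsanitized(unsigned long len)
{
    unsigned long order = order_from_len(len);

    if (order >= MAX_ORDER)
        return 0;
    return per_order_counters[order];
}

/* Hardened: after the bounds check, clamp the index with the mask so that
 * even a mispredicted branch yields an in-bounds access. */
unsigned long lookup_sanitized(unsigned long len)
{
    unsigned long order = order_from_len(len);

    if (order >= MAX_ORDER)
        return 0;
    order = array_index_nospec_u(order, MAX_ORDER);
    return per_order_counters[order];
}

int main(void)
{
    printf("mask(3, 8)  = %#lx\n", index_mask_nospec(3, 8));
    printf("mask(8, 8)  = %#lx\n", index_mask_nospec(8, 8));
    printf("lookup(16)  = %lu / %lu\n", lookup_unsanitized(16), lookup_sanitized(16));
    printf("lookup(512) = %lu / %lu\n", lookup_unsanitized(512), lookup_sanitized(512));
    return 0;
}
```

The mask is all ones for any in-range index (so `index & mask` is unchanged) and zero for any out-of-range one, including values that wrapped around; that is what lets the clamp sit after the existing `if` without changing results while removing the speculative out-of-bounds read.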
    • KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer · 1cd0c7d7
      Paolo Bonzini authored
      commit 9432a317 upstream.
      
      A comment warning against this bug is there, but the code is not doing what
      the comment says.  Therefore it is possible that an EPOLLHUP races against
      irq_bypass_register_consumer.  The EPOLLHUP handler schedules irqfd_shutdown,
      and if that runs soon enough, you get a use-after-free.

      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: David Hildenbrand <david@redhat.com>
      Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tcp: identify cryptic messages as TCP seq # bugs · e63303e6
      Randy Dunlap authored
      [ Upstream commit e56b8ce3 ]
      
      Attempt to make cryptic TCP seq number error messages clearer by
      (1) identifying the source of the message as "TCP", (2) identifying the
      errors as "seq # bug", and (3) grouping the field identifiers and values
      by separating them with commas.
      
      E.g., the following message is changed from:
      
      recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0
      WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90
      
      to:
      
      TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0
      WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0

      Suggested-by: 積丹尼 Dan Jacobson <jidanni@jidanni.org>
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: qca_spi: Fix log level if probe fails · 1e155425
      Stefan Wahren authored
      [ Upstream commit 50973993 ]
      
      In case probing fails, the log level of the messages should
      be an error.

      Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: qca_spi: Make sure the QCA7000 reset is triggered · c8697ad8
      Stefan Wahren authored
      [ Upstream commit 711c62df ]
      
      In case the SPI thread is not running, a simple reset of sync
      state won't fix the transmit timeout. We also need to wake up the kernel
      thread.

      Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
      Fixes: ed7d42e2 ("net: qca_spi: fix transmit queue timeout handling")
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: qca_spi: Avoid packet drop during initial sync · 167e93c3
      Stefan Wahren authored
      [ Upstream commit b2bab426 ]
      
      As long as the synchronization with the QCA7000 isn't finished, we
      cannot accept packets from the upper layers. So let the SPI thread
      enable the TX queue after sync and avoid unwanted packet drop.

      Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
      Fixes: 291ab06e ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: versatile: Fix I/O space page leak · 90788ea4
      Sergei Shtylyov authored
      [ Upstream commit 0018b265 ]
      
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The Versatile PCI controller driver has the same issue.
      Replace pci_remap_iospace() with the devm_ managed version to fix the bug.
      
      Fixes: b7e78170 ("PCI: versatile: Add DT-based ARM Versatile PB PCIe host driver")
      Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: OF: Fix I/O space page leak · 3934e010
      Sergei Shtylyov authored
      commit a5fb9fb0 upstream.
      
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      Introduce the devm_pci_remap_iospace() managed API and replace the
      pci_remap_iospace() call with it to fix the bug.
      
      Fixes: dbf9826d ("PCI: generic: Convert to DT resource parsing API")
      Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: split commit/updated the commit log]
      Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>