1. 18 Mar, 2018 15 commits
    • Colin Ian King's avatar
      MIPS: OCTEON: irq: Check for null return on kzalloc allocation · 175b57ba
      Colin Ian King authored
      commit 902f4d06 upstream.
      
      The allocation of host_data is not null checked, leading to a null
      pointer dereference if the allocation fails. Fix this by adding a null
      check and return with -ENOMEM.
      
      Fixes: 64b139f9 ("MIPS: OCTEON: irq: add CIB and other fixes")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarDavid Daney <david.daney@cavium.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: "Steven J. Hill" <Steven.Hill@cavium.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 4.0+
      Patchwork: https://patchwork.linux-mips.org/patch/18658/Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      175b57ba
    • Colin Ian King's avatar
      MIPS: ath25: Check for kzalloc allocation failure · 6e127d70
      Colin Ian King authored
      commit 1b22b4b2 upstream.
      
      Currently there is no null check on a failed allocation of board_data,
      and hence a null pointer dereference will occurr. Fix this by checking
      for the out of memory null pointer.
      
      Fixes: a7473717 ("MIPS: ath25: add board configuration detection")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.19+
      Patchwork: https://patchwork.linux-mips.org/patch/18657/Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e127d70
    • Justin Chen's avatar
      MIPS: BMIPS: Do not mask IPIs during suspend · 8cbec159
      Justin Chen authored
      commit 06a3f0c9 upstream.
      
      Commit a3e6c1ef ("MIPS: IRQ: Fix disable_irq on CPU IRQs") fixes an
      issue where disable_irq did not actually disable the irq. The bug caused
      our IPIs to not be disabled, which actually is the correct behavior.
      
      With the addition of commit a3e6c1ef ("MIPS: IRQ: Fix disable_irq on
      CPU IRQs"), the IPIs were getting disabled going into suspend, thus
      schedule_ipi() was not being called. This caused deadlocks where
      schedulable task were not being scheduled and other cpus were waiting
      for them to do something.
      
      Add the IRQF_NO_SUSPEND flag so an irq_disable will not be called on the
      IPIs during suspend.
      Signed-off-by: default avatarJustin Chen <justinpopo6@gmail.com>
      Fixes: a3e6c1ef ("MIPS: IRQ: Fix disabled_irq on CPU IRQs")
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/17385/
      [jhogan@kernel.org: checkpatch: wrap long lines and fix commit refs]
      Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8cbec159
    • Alex Deucher's avatar
      drm/amdgpu: fix KV harvesting · 212dcfed
      Alex Deucher authored
      commit 545b0bcd upstream.
      
      Always set the graphics values to the max for the
      asic type.  E.g., some 1 RB chips are actually 1 RB chips,
      others are actually harvested 2 RB chips.
      
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      212dcfed
    • Alex Deucher's avatar
      drm/radeon: fix KV harvesting · be1c6fff
      Alex Deucher authored
      commit 0b58d90f upstream.
      
      Always set the graphics values to the max for the
      asic type.  E.g., some 1 RB chips are actually 1 RB chips,
      others are actually harvested 2 RB chips.
      
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be1c6fff
    • Rex Zhu's avatar
      drm/amdgpu: Notify sbios device ready before send request · 58f85220
      Rex Zhu authored
      commit 1bced75f upstream.
      
      it is required if a platform supports PCIe root complex
      core voltage reduction. After receiving this notification,
      SBIOS can apply default PCIe root complex power policy.
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarRex Zhu <Rex.Zhu@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58f85220
    • Lukas Wunner's avatar
      drm/amdgpu: Fix deadlock on runtime suspend · 690a151a
      Lukas Wunner authored
      commit aa0aad57 upstream.
      
      amdgpu's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
      which waits for the output poll worker to finish if it's running.
      
      The output poll worker meanwhile calls pm_runtime_get_sync() in
      amdgpu's ->detect hooks, which waits for the ongoing suspend to finish,
      causing a deadlock.
      
      Fix by not acquiring a runtime PM ref if the ->detect hooks are called
      in the output poll worker's context.  This is safe because the poll
      worker is only enabled while runtime active and we know that
      ->runtime_suspend waits for it to finish.
      
      Fixes: d38ceaf9 ("drm/amdgpu: add core driver (v4)")
      Cc: stable@vger.kernel.org # v4.2+: 27d4ee03: workqueue: Allow retrieval of current task's work struct
      Cc: stable@vger.kernel.org # v4.2+: 25c058cc: drm: Allow determining if current task is output poll worker
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Tested-by: default avatarMike Lothian <mike@fireburn.co.uk>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/4c9bf72aacae1eef062bd134cd112e0770a7f121.1518338789.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      690a151a
    • Lukas Wunner's avatar
      drm/radeon: Fix deadlock on runtime suspend · 40539a86
      Lukas Wunner authored
      commit 15734fef upstream.
      
      radeon's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
      which waits for the output poll worker to finish if it's running.
      
      The output poll worker meanwhile calls pm_runtime_get_sync() in
      radeon's ->detect hooks, which waits for the ongoing suspend to finish,
      causing a deadlock.
      
      Fix by not acquiring a runtime PM ref if the ->detect hooks are called
      in the output poll worker's context.  This is safe because the poll
      worker is only enabled while runtime active and we know that
      ->runtime_suspend waits for it to finish.
      
      Stack trace for posterity:
      
        INFO: task kworker/0:3:31847 blocked for more than 120 seconds
        Workqueue: events output_poll_execute [drm_kms_helper]
        Call Trace:
         schedule+0x3c/0x90
         rpm_resume+0x1e2/0x690
         __pm_runtime_resume+0x3f/0x60
         radeon_lvds_detect+0x39/0xf0 [radeon]
         output_poll_execute+0xda/0x1e0 [drm_kms_helper]
         process_one_work+0x14b/0x440
         worker_thread+0x48/0x4a0
      
        INFO: task kworker/2:0:10493 blocked for more than 120 seconds.
        Workqueue: pm pm_runtime_work
        Call Trace:
         schedule+0x3c/0x90
         schedule_timeout+0x1b3/0x240
         wait_for_common+0xc2/0x180
         wait_for_completion+0x1d/0x20
         flush_work+0xfc/0x1a0
         __cancel_work_timer+0xa5/0x1d0
         cancel_delayed_work_sync+0x13/0x20
         drm_kms_helper_poll_disable+0x1f/0x30 [drm_kms_helper]
         radeon_pmops_runtime_suspend+0x3d/0xa0 [radeon]
         pci_pm_runtime_suspend+0x61/0x1a0
         vga_switcheroo_runtime_suspend+0x21/0x70
         __rpm_callback+0x32/0x70
         rpm_callback+0x24/0x80
         rpm_suspend+0x12b/0x640
         pm_runtime_work+0x6f/0xb0
         process_one_work+0x14b/0x440
         worker_thread+0x48/0x4a0
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94147
      Fixes: 10ebc0bc ("drm/radeon: add runtime PM support (v2)")
      Cc: stable@vger.kernel.org # v3.13+: 27d4ee03: workqueue: Allow retrieval of current task's work struct
      Cc: stable@vger.kernel.org # v3.13+: 25c058cc: drm: Allow determining if current task is output poll worker
      Cc: Ismo Toijala <ismo.toijala@gmail.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/64ea02c44f91dda19bc563902b97bbc699040392.1518338789.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      40539a86
    • Lukas Wunner's avatar
      drm/nouveau: Fix deadlock on runtime suspend · cff2a8c5
      Lukas Wunner authored
      commit d61a5c10 upstream.
      
      nouveau's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
      which waits for the output poll worker to finish if it's running.
      
      The output poll worker meanwhile calls pm_runtime_get_sync() in
      nouveau_connector_detect() which waits for the ongoing suspend to finish,
      causing a deadlock.
      
      Fix by not acquiring a runtime PM ref if nouveau_connector_detect() is
      called in the output poll worker's context.  This is safe because
      the poll worker is only enabled while runtime active and we know that
      ->runtime_suspend waits for it to finish.
      
      Other contexts calling nouveau_connector_detect() do require a runtime
      PM ref, these comprise:
      
        status_store() drm sysfs interface
        ->fill_modes drm callback
        drm_fb_helper_probe_connector_modes()
        drm_mode_getconnector()
        nouveau_connector_hotplug()
        nouveau_display_hpd_work()
        nv17_tv_set_property()
      
      Stack trace for posterity:
      
        INFO: task kworker/0:1:58 blocked for more than 120 seconds.
        Workqueue: events output_poll_execute [drm_kms_helper]
        Call Trace:
         schedule+0x28/0x80
         rpm_resume+0x107/0x6e0
         __pm_runtime_resume+0x47/0x70
         nouveau_connector_detect+0x7e/0x4a0 [nouveau]
         nouveau_connector_detect_lvds+0x132/0x180 [nouveau]
         drm_helper_probe_detect_ctx+0x85/0xd0 [drm_kms_helper]
         output_poll_execute+0x11e/0x1c0 [drm_kms_helper]
         process_one_work+0x184/0x380
         worker_thread+0x2e/0x390
      
        INFO: task kworker/0:2:252 blocked for more than 120 seconds.
        Workqueue: pm pm_runtime_work
        Call Trace:
         schedule+0x28/0x80
         schedule_timeout+0x1e3/0x370
         wait_for_completion+0x123/0x190
         flush_work+0x142/0x1c0
         nouveau_pmops_runtime_suspend+0x7e/0xd0 [nouveau]
         pci_pm_runtime_suspend+0x5c/0x180
         vga_switcheroo_runtime_suspend+0x1e/0xa0
         __rpm_callback+0xc1/0x200
         rpm_callback+0x1f/0x70
         rpm_suspend+0x13c/0x640
         pm_runtime_work+0x6e/0x90
         process_one_work+0x184/0x380
         worker_thread+0x2e/0x390
      
      Bugzilla: https://bugs.archlinux.org/task/53497
      Bugzilla: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870523
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70388#c33
      Fixes: 5addcf0a ("nouveau: add runtime PM support (v0.9)")
      Cc: stable@vger.kernel.org # v3.12+: 27d4ee03: workqueue: Allow retrieval of current task's work struct
      Cc: stable@vger.kernel.org # v3.12+: 25c058cc: drm: Allow determining if current task is output poll worker
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/b7d2cbb609a80f59ccabfdf479b9d5907c603ea1.1518338789.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cff2a8c5
    • Lukas Wunner's avatar
      drm: Allow determining if current task is output poll worker · 1112c0a3
      Lukas Wunner authored
      commit 25c058cc upstream.
      
      Introduce a helper to determine if the current task is an output poll
      worker.
      
      This allows us to fix a long-standing deadlock in several DRM drivers
      wherein the ->runtime_suspend callback waits for the output poll worker
      to finish and the worker in turn calls a ->detect callback which waits
      for runtime suspend to finish.  The ->detect callback is invoked from
      multiple call sites and waiting for runtime suspend to finish is the
      correct thing to do except if it's executing in the context of the
      worker.
      
      v2: Expand kerneldoc to specifically mention deadlock between
          output poll worker and autosuspend worker as use case. (Lyude)
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/3549ce32e7f1467102e70d3e9cbf70c46bfe108e.1518593424.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1112c0a3
    • Lukas Wunner's avatar
      workqueue: Allow retrieval of current task's work struct · e235f151
      Lukas Wunner authored
      commit 27d4ee03 upstream.
      
      Introduce a helper to retrieve the current task's work struct if it is
      a workqueue worker.
      
      This allows us to fix a long-standing deadlock in several DRM drivers
      wherein the ->runtime_suspend callback waits for a specific worker to
      finish and that worker in turn calls a function which waits for runtime
      suspend to finish.  That function is invoked from multiple call sites
      and waiting for runtime suspend to finish is the correct thing to do
      except if it's executing in the context of the worker.
      
      Cc: Lai Jiangshan <jiangshanlai@gmail.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/2d8f603074131eb87e588d2b803a71765bd3a2fd.1518338788.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e235f151
    • himanshu.madhani@cavium.com's avatar
      scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS · 8bf4bc93
      himanshu.madhani@cavium.com authored
      commit 1514839b upstream.
      
      This patch fixes NULL pointer crash due to active timer running for abort
      IOCB.
      
      From crash dump analysis it was discoverd that get_next_timer_interrupt()
      encountered a corrupted entry on the timer list.
      
       #9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8
          [exception RIP: get_next_timer_interrupt+440]
          RIP: ffffffff90ea3088  RSP: ffff95e1f6f0fdf0  RFLAGS: 00010013
          RAX: ffff95e1f6451028  RBX: 000218e2389e5f40  RCX: 00000001232ad600
          RDX: 0000000000000001  RSI: ffff95e1f6f0fdf0  RDI: 0000000001232ad6
          RBP: ffff95e1f6f0fe40   R8: ffff95e1f6451188   R9: 0000000000000001
          R10: 0000000000000016  R11: 0000000000000016  R12: 00000001232ad5f6
          R13: ffff95e1f6450000  R14: ffff95e1f6f0fdf8  R15: ffff95e1f6f0fe10
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
      
      Looking at the assembly of get_next_timer_interrupt(), address came
      from %r8 (ffff95e1f6451188) which is pointing to list_head with single
      entry at ffff95e5ff621178.
      
       0xffffffff90ea307a <get_next_timer_interrupt+426>:      mov    (%r8),%rdx
       0xffffffff90ea307d <get_next_timer_interrupt+429>:      cmp    %r8,%rdx
       0xffffffff90ea3080 <get_next_timer_interrupt+432>:      je     0xffffffff90ea30a7 <get_next_timer_interrupt+471>
       0xffffffff90ea3082 <get_next_timer_interrupt+434>:      nopw   0x0(%rax,%rax,1)
       0xffffffff90ea3088 <get_next_timer_interrupt+440>:      testb  $0x1,0x18(%rdx)
      
       crash> rd ffff95e1f6451188 10
       ffff95e1f6451188:  ffff95e5ff621178 ffff95e5ff621178   x.b.....x.b.....
       ffff95e1f6451198:  ffff95e1f6451198 ffff95e1f6451198   ..E.......E.....
       ffff95e1f64511a8:  ffff95e1f64511a8 ffff95e1f64511a8   ..E.......E.....
       ffff95e1f64511b8:  ffff95e77cf509a0 ffff95e77cf509a0   ...|.......|....
       ffff95e1f64511c8:  ffff95e1f64511c8 ffff95e1f64511c8   ..E.......E.....
      
       crash> rd ffff95e5ff621178 10
       ffff95e5ff621178:  0000000000000001 ffff95e15936aa00   ..........6Y....
       ffff95e5ff621188:  0000000000000000 00000000ffffffff   ................
       ffff95e5ff621198:  00000000000000a0 0000000000000010   ................
       ffff95e5ff6211a8:  ffff95e5ff621198 000000000000000c   ..b.............
       ffff95e5ff6211b8:  00000f5800000000 ffff95e751f8d720   ....X... ..Q....
      
       ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080.
      
       CACHE            NAME                 OBJSIZE  ALLOCATED     TOTAL  SLABS  SSIZE
       ffff95dc7fd74d00 mnt_cache                384      19785     24948    594    16k
         SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
         ffffdc5dabfd8800  ffff95e5ff620000     1     42         29    13
         FREE / [ALLOCATED]
          ffff95e5ff621080  (cpu 6 cache)
      
      Examining the contents of that memory reveals a pointer to a constant string
      in the driver, "abort\0", which is set by qla24xx_async_abort_cmd().
      
       crash> rd ffffffffc059277c 20
       ffffffffc059277c:  6e490074726f6261 0074707572726574   abort.Interrupt.
       ffffffffc059278c:  00676e696c6c6f50 6920726576697244   Polling.Driver i
       ffffffffc059279c:  646f6d207325206e 6974736554000a65   n %s mode..Testi
       ffffffffc05927ac:  636976656420676e 786c252074612065   ng device at %lx
       ffffffffc05927bc:  6b63656843000a2e 646f727020676e69   ...Checking prod
       ffffffffc05927cc:  6f20444920746375 0a2e706968632066   uct ID of chip..
       ffffffffc05927dc:  5120646e756f4600 204130303232414c   .Found QLA2200A
       ffffffffc05927ec:  43000a2e70696843 20676e696b636568   Chip...Checking
       ffffffffc05927fc:  65786f626c69616d 6c636e69000a2e73   mailboxes...incl
       ffffffffc059280c:  756e696c2f656475 616d2d616d642f78   ude/linux/dma-ma
      
       crash> struct -ox srb_iocb
       struct srb_iocb {
                 union {
                     struct {...} logio;
                     struct {...} els_logo;
                     struct {...} tmf;
                     struct {...} fxiocb;
                     struct {...} abt;
                     struct ct_arg ctarg;
                     struct {...} mbx;
                     struct {...} nack;
          [0x0 ] } u;
          [0xb8] struct timer_list timer;
          [0x108] void (*timeout)(void *);
       }
       SIZE: 0x110
      
       crash> ! bc
       ibase=16
       obase=10
       B8+40
       F8
      
      The object is a srb_t, and at offset 0xf8 within that structure
      (i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list.
      
      Cc: <stable@vger.kernel.org> #4.4+
      Fixes: 4440e46d ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.")
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bf4bc93
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix integer overflow while resizing CQ · 6f8b6627
      Leon Romanovsky authored
      commit 28e9091e upstream.
      
      The user can provide very large cqe_size which will cause to integer
      overflow as it can be seen in the following UBSAN warning:
      
      =======================================================================
      UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53
      signed integer overflow:
      64870 * 65536 cannot be represented in type 'int'
      CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware
      name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0xde/0x164
       ? dma_virt_map_sg+0x22c/0x22c
       ubsan_epilogue+0xe/0x81
       handle_overflow+0x1f3/0x251
       ? __ubsan_handle_negate_overflow+0x19b/0x19b
       ? lock_acquire+0x440/0x440
       mlx5_ib_resize_cq+0x17e7/0x1e40
       ? cyc2ns_read_end+0x10/0x10
       ? native_read_msr_safe+0x6c/0x9b
       ? cyc2ns_read_end+0x10/0x10
       ? mlx5_ib_modify_cq+0x220/0x220
       ? sched_clock_cpu+0x18/0x200
       ? lookup_get_idr_uobject+0x200/0x200
       ? rdma_lookup_get_uobject+0x145/0x2f0
       ib_uverbs_resize_cq+0x207/0x3e0
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ib_uverbs_write+0x7f9/0xef0
       ? cyc2ns_read_end+0x10/0x10
       ? print_irqtrace_events+0x280/0x280
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ? uverbs_devnode+0x110/0x110
       ? sched_clock_cpu+0x18/0x200
       ? do_raw_spin_trylock+0x100/0x100
       ? __lru_cache_add+0x16e/0x290
       __vfs_write+0x10d/0x700
       ? uverbs_devnode+0x110/0x110
       ? kernel_read+0x170/0x170
       ? sched_clock_cpu+0x18/0x200
       ? security_file_permission+0x93/0x260
       vfs_write+0x1b0/0x550
       SyS_write+0xc7/0x1a0
       ? SyS_read+0x1a0/0x1a0
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       entry_SYSCALL_64_fastpath+0x1e/0x8b
      RIP: 0033:0x433549
      RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217
      =======================================================================
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # 3.13
      Fixes: bde51583 ("IB/mlx5: Add support for resize CQ")
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Reviewed-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f8b6627
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that user doesn't overflow QP state · 52179bea
      Leon Romanovsky authored
      commit a5880b84 upstream.
      
      The QP state is limited and declared in enum ib_qp_state,
      but ucma user was able to supply any possible (u32) value.
      
      Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52179bea
    • Leon Romanovsky's avatar
      RDMA/ucma: Limit possible option size · 42228fa0
      Leon Romanovsky authored
      commit 6a21dfc0 upstream.
      
      Users of ucma are supposed to provide size of option level,
      in most paths it is supposed to be equal to u8 or u16, but
      it is not the case for the IB path record, where it can be
      multiple of struct ib_path_rec_data.
      
      This patch takes simplest possible approach and prevents providing
      values more than possible to allocate.
      
      Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
      Fixes: 7ce86409 ("RDMA/ucma: Allow user space to set service type")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42228fa0
  2. 11 Mar, 2018 25 commits