1. 16 Jan, 2019 31 commits
  2. 13 Jan, 2019 9 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.170 · b83b3fa7
      Greg Kroah-Hartman authored
      b83b3fa7
    • Lubomir Rintel's avatar
      power: supply: olpc_battery: correct the temperature units · 1bd63edb
      Lubomir Rintel authored
      commit ed54ffbe upstream.
      
      According to [1] and [2], the temperature values are in tenths of degree
      Celsius. Exposing the Celsius value makes the battery appear on fire:
      
        $ upower -i /org/freedesktop/UPower/devices/battery_olpc_battery
        ...
            temperature:         236.9 degrees C
      
      Tested on OLPC XO-1 and OLPC XO-1.75 laptops.
      
      [1] include/linux/power_supply.h
      [2] Documentation/power/power_supply_class.txt
      
      Fixes: fb972873 ("[BATTERY] One Laptop Per Child power/battery driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1bd63edb
    • Alexander Shishkin's avatar
      intel_th: msu: Fix an off-by-one in attribute store · b1892669
      Alexander Shishkin authored
      commit ec5b5ad6 upstream.
      
      The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
      list of window sizes, passed from userspace. However, there is a bug in
      the string parsing logic wherein it doesn't exclude the comma character
      from the range of characters as it consumes them. This leads to an
      out-of-bounds access given a sufficiently long list. For example:
      
      > # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
      > ==================================================================
      > BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
      > Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
      >
      > CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
      > Call Trace:
      >  dump_stack+0x7c/0xc0
      >  print_address_description+0x6c/0x23c
      >  ? memchr+0x1e/0x40
      >  kasan_report.cold.5+0x241/0x308
      >  memchr+0x1e/0x40
      >  nr_pages_store+0x203/0xd00 [intel_th_msu]
      
      Fix this by accounting for the comma character.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Fixes: ba82664c ("intel_th: Add Memory Storage Unit driver")
      Cc: stable@vger.kernel.org # v4.4+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1892669
    • Christian Borntraeger's avatar
      genwqe: Fix size check · 21c7b137
      Christian Borntraeger authored
      commit fdd66968 upstream.
      
      Calling the test program genwqe_cksum with the default buffer size of
      2MB triggers the following kernel warning on s390:
      
      WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0
      CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1
      task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000
      Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0)
                 R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
      Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009
                 0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0
                 0000000000000000 0000000000b70500 0000000000000001 0000000000000000
                 0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0
      Krnl Code: 000000000027809e: de7195001000	ed	1280(114,%r9),0(%r1)
      	   00000000002780a4: a774fead		brc	7,277dfe
      	  #00000000002780a8: a7f40001		brc	15,2780aa
      	  >00000000002780ac: 92011000		mvi	0(%r1),1
      	   00000000002780b0: a7f4fea7		brc	15,277dfe
      	   00000000002780b4: 9101c6b6		tm	1718(%r12),1
      	   00000000002780b8: a784ff3a		brc	8,277f2c
      	   00000000002780bc: a7f4fe2e		brc	15,277d18
      Call Trace:
      ([<0000000000277df2>] __alloc_pages_nodemask+0x1a2/0xbe0)
       [<000000000013afae>] s390_dma_alloc+0xfe/0x310
       [<000003ff8065f362>] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card]
       [<000003ff80658f7a>] genwqe_mmap+0xca/0x248 [genwqe_card]
       [<00000000002b2712>] mmap_region+0x4e2/0x778
       [<00000000002b2c54>] do_mmap+0x2ac/0x3e0
       [<0000000000292d7e>] vm_mmap_pgoff+0xd6/0x118
       [<00000000002b081c>] SyS_mmap_pgoff+0xdc/0x268
       [<00000000002b0a34>] SyS_old_mmap+0x8c/0xb0
       [<000000000074e518>] sysc_tracego+0x14/0x1e
       [<000003ffacf87dc6>] 0x3ffacf87dc6
      
      turns out the check in __genwqe_alloc_consistent uses "> MAX_ORDER"
      while the mm code uses ">= MAX_ORDER". Fix genwqe.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarFrank Haverkamp <haver@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21c7b137
    • Yan, Zheng's avatar
      ceph: don't update importing cap's mseq when handing cap export · 5f6ce5ea
      Yan, Zheng authored
      commit 3c1392d4 upstream.
      
      Updating mseq makes client think importer mds has accepted all prior
      cap messages and importer mds knows what caps client wants. Actually
      some cap messages may have been dropped because of mseq mismatch.
      
      If mseq is left untouched, importing cap's mds_wanted later will get
      reset by cap import message.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatar"Yan, Zheng" <zyan@redhat.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f6ce5ea
    • Sohil Mehta's avatar
      iommu/vt-d: Handle domain agaw being less than iommu agaw · 0216bf65
      Sohil Mehta authored
      commit 3569dd07 upstream.
      
      The Intel IOMMU driver opportunistically skips a few top level page
      tables from the domain paging directory while programming the IOMMU
      context entry. However there is an implicit assumption in the code that
      domain's adjusted guest address width (agaw) would always be greater
      than IOMMU's agaw.
      
      The IOMMU capabilities in an upcoming platform cause the domain's agaw
      to be lower than IOMMU's agaw. The issue is seen when the IOMMU supports
      both 4-level and 5-level paging. The domain builds a 4-level page table
      based on agaw of 2. However the IOMMU's agaw is set as 3 (5-level). In
      this case the code incorrectly tries to skip page page table levels.
      This causes the IOMMU driver to avoid programming the context entry. The
      fix handles this case and programs the context entry accordingly.
      
      Fixes: de24e553 ("iommu/vt-d: Simplify domain_context_mapping_one")
      Cc: <stable@vger.kernel.org>
      Cc: Ashok Raj <ashok.raj@intel.com>
      Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: Lu Baolu <baolu.lu@linux.intel.com>
      Reviewed-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Reported-by: default avatarRamos Falcon, Ernesto R <ernesto.r.ramos.falcon@intel.com>
      Tested-by: default avatarRicardo Neri <ricardo.neri-calderon@linux.intel.com>
      Signed-off-by: default avatarSohil Mehta <sohil.mehta@intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0216bf65
    • Dominique Martinet's avatar
      9p/net: put a lower bound on msize · 2d750144
      Dominique Martinet authored
      commit 574d356b upstream.
      
      If the requested msize is too small (either from command line argument
      or from the server version reply), we won't get any work done.
      If it's *really* too small, nothing will work, and this got caught by
      syzbot recently (on a new kmem_cache_create_usercopy() call)
      
      Just set a minimum msize to 4k in both code paths, until someone
      complains they have a use-case for a smaller msize.
      
      We need to check in both mount option and server reply individually
      because the msize for the first version request would be unchecked
      with just a global check on clnt->msize.
      
      Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org
      Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com
      Signed-off-by: default avatarDominique Martinet <dominique.martinet@cea.fr>
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d750144
    • Larry Finger's avatar
      b43: Fix error in cordic routine · c820ac33
      Larry Finger authored
      commit 8ea3819c upstream.
      
      The cordic routine for calculating sines and cosines that was added in
      commit 6f98e62a ("b43: update cordic code to match current specs")
      contains an error whereby a quantity declared u32 can in fact go negative.
      
      This problem was detected by Priit Laes who is switching b43 to use the
      routine in the library functions of the kernel.
      
      Fixes: 98650454 ("b43: make cordic common (LP-PHY and N-PHY need it)")
      Reported-by: default avatarPriit Laes <plaes@plaes.org>
      Cc: Rafał Miłecki <zajec5@gmail.com>
      Cc: Stable <stable@vger.kernel.org> # 2.6.34
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarPriit Laes <plaes@plaes.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c820ac33
    • Andreas Gruenbacher's avatar
      gfs2: Fix loop in gfs2_rbm_find · 18451898
      Andreas Gruenbacher authored
      commit 2d29f6b9 upstream.
      
      Fix the resource group wrap-around logic in gfs2_rbm_find that commit
      e579ed4f broke.  The bug can lead to unnecessary repeated scanning of the
      same bitmaps; there is a risk that future changes will turn this into an
      endless loop.
      
      Fixes: e579ed4f ("GFS2: Introduce rbm field bii")
      Cc: stable@vger.kernel.org # v3.13+
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18451898