1. 01 May, 2018 28 commits
  2. 29 Apr, 2018 12 commits
    • Linux 4.9.97 · ba3cd579
      Greg Kroah-Hartman authored
    • ACPI / video: Only default only_lcd to true on Win8-ready _desktops_ · 4959a913
      Hans de Goede authored
      commit 53fa1f6e upstream.
      
      Commit 5928c281 (ACPI / video: Default lcd_only to true on Win8-ready
      and newer machines) made only_lcd default to true on all machines where
      acpi_osi_is_win8() returns true, including laptops.
      
      The purpose of this is to avoid the bogus / non-working acpi backlight
      interface which many newer BIOS-es define on desktop machines.
      
      But this is causing a regression on some laptops, specifically on the
      Dell XPS 13 2013 model, which does not have the LCD flag set for its
      fully functional ACPI backlight interface.
      
      Rather than DMI quirking our way out of this, this commit changes the
      logic for setting only_lcd to true, to only do this on machines with
      a desktop (or server) dmi chassis-type.
      
      Note that we cannot simply only check the chassis-type and not register
      the backlight interface based on that as there are some laptops and
      tablets which have their chassis-type set to "3" aka desktop. Hopefully
      the combination of checking the LCD flag, but only on devices with
      a desktop(ish) chassis-type will avoid the need for DMI quirks for this,
      or at least limit the amount of DMI quirks which we need to a minimum.
      
      Fixes: 5928c281 (ACPI / video: Default lcd_only to true on Win8-ready and newer machines)
      Reported-and-tested-by: James Hogan <jhogan@kernel.org>
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/uprobes: implement arch_uretprobe_is_alive() · bed2d762
      Heiko Carstens authored
      commit 783c3b53 upstream.
      
      Implement s390 specific arch_uretprobe_is_alive() to avoid SIGSEGVs
      observed with uretprobes in combination with setjmp/longjmp.
      
      See commit 2dea1d9c ("powerpc/uprobes: Implement
      arch_uretprobe_is_alive()") for more details.
      
      With this implemented all test cases referenced in the above commit
      pass.

      Reported-by: Ziqian SUN <zsun@redhat.com>
      Cc: <stable@vger.kernel.org> # v4.3+
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/dasd: fix IO error for newly defined devices · a714a5f3
      Stefan Haberland authored
      commit 5d27a2bf upstream.
      
      When a new CKD storage volume is defined at the storage server, Linux
      may be relying on outdated information about that volume, which leads to
      the following errors:
      
      1. Command Reject Errors for minidisk on z/VM:
      
      dasd-eckd.b3193d: 0.0.XXXX: An error occurred in the DASD device driver,
      		  reason=09
      dasd(eckd): I/O status report for device 0.0.XXXX:
      dasd(eckd): in req: 00000000XXXXXXXX CC:00 FC:04 AC:00 SC:17 DS:02 CS:00
      	    RC:0
      dasd(eckd): device 0.0.2046: Failing CCW: 00000000XXXXXXXX
      dasd(eckd): Sense(hex)  0- 7: 80 00 00 00 00 00 00 00
      dasd(eckd): Sense(hex)  8-15: 00 00 00 00 00 00 00 00
      dasd(eckd): Sense(hex) 16-23: 00 00 00 00 e1 00 0f 00
      dasd(eckd): Sense(hex) 24-31: 00 00 40 e2 00 00 00 00
      dasd(eckd): 24 Byte: 0 MSG 0, no MSGb to SYSOP
      
      2. Equipment Check errors on LPAR or for dedicated devices on z/VM:
      
      dasd(eckd): I/O status report for device 0.0.XXXX:
      dasd(eckd): in req: 00000000XXXXXXXX CC:00 FC:04 AC:00 SC:17 DS:0E CS:40
      	    fcxs:01 schxs:00 RC:0
      dasd(eckd): device 0.0.9713: Failing TCW: 00000000XXXXXXXX
      dasd(eckd): Sense(hex)  0- 7: 10 00 00 00 13 58 4d 0f
      dasd(eckd): Sense(hex)  8-15: 67 00 00 00 00 00 00 04
      dasd(eckd): Sense(hex) 16-23: e5 18 05 33 97 01 0f 0f
      dasd(eckd): Sense(hex) 24-31: 00 00 40 e2 00 04 58 0d
      dasd(eckd): 24 Byte: 0 MSG f, no MSGb to SYSOP
      
      Fix this problem by using the up-to-date information provided during
      online processing via the device specific SNEQ to detect the case of
      outdated LCU data. If there is a difference, perform a re-read of that
      data.
      
      Cc: stable@vger.kernel.org
      Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
      Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/cio: update chpid descriptor after resource accessibility event · 04f87299
      Sebastian Ott authored
      commit af2e460a upstream.
      
      Channel path descriptors have been seen as something stable (as
      long as the chpid is configured). Recent tests have shown that the
      descriptor can also be altered when the link state of a channel path
      changes. Thus it is necessary to update the descriptor during
      handling of resource accessibility events.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
      Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cdrom: information leak in cdrom_ioctl_media_changed() · 4bd744b8
      Dan Carpenter authored
      commit 9de4ee40 upstream.
      
      This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
      long.  The way the check is written now, if one of the high 32 bits is
      set then we could read outside the info->slots[] array.
      
      This bug is pretty old and it predates git.

      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
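
The class of bug the cdrom commit above describes, as an added example that is not the kernel's code: a bounds check that narrows a 64-bit argument to 32 bits accepts values the array index will not. The struct, the function names, the slot count and the exact form of the "before" check are assumptions made for illustration; `uint64_t` models a 64-bit `unsigned long`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 4 /* constructed value standing in for cdi->capacity */

/* Hypothetical model of the changer state; not the kernel's structures. */
struct slot_table {
    int capacity;       /* an int, as the commit message notes */
    int change[NSLOTS]; /* stands in for info->slots[] */
};

static const struct slot_table demo = { NSLOTS, { 0, 1, 0, 1 } };

/* "Before" shape (assumed): arg is narrowed to 32 bits for the check only,
 * so the high 32 bits are never examined. */
static int check_truncating(const struct slot_table *t, uint64_t arg)
{
    return ((unsigned int)arg >= (unsigned int)t->capacity) ? -EINVAL : 0;
}

/* "After" shape: compare at the full width of arg. */
static int check_full_width(const struct slot_table *t, uint64_t arg)
{
    return (arg >= (uint64_t)t->capacity) ? -EINVAL : 0;
}

/* Index the table only after the full-width check has passed. */
static int media_changed(const struct slot_table *t, uint64_t arg)
{
    int rc = check_full_width(t, arg);
    return rc ? rc : t->change[arg];
}

int main(void)
{
    const uint64_t args[] = { 1, 4, 0x100000001ULL }; /* constructed inputs */
    for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++)
        printf("arg=%#llx truncating=%d full=%d result=%d\n",
               (unsigned long long)args[i],
               check_truncating(&demo, args[i]),
               check_full_width(&demo, args[i]),
               media_changed(&demo, args[i]));
    return 0;
}
```

The third input has a high bit set and low 32 bits of 1: the narrowed check accepts it, the full-width check rejects it before any indexing happens.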
    • scsi: mptsas: Disable WRITE SAME · 70f2351e
      Martin K. Petersen authored
      commit 94e5395d upstream.
      
      First generation MPT Fusion controllers can not translate WRITE SAME
      when the attached device is a SATA drive. Disable WRITE SAME support.

      Reported-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • strparser: Fix incorrect strp->need_bytes value. · 2f7be126
      Doron Roberts-Kedes authored
      
      [ Upstream commit 9d0c75bf ]
      
      strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates
      that the remainder of the message has been received. However,
      do_strp_work does not reset strp->need_bytes to 0. If do_strp_work
      completes a partial message, the value of strp->need_bytes will continue
      to reflect the needed bytes of the previous message, causing
      future invocations of strp_data_ready to return early if
      strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes
      to 0 in __strp_recv on handing a full message to the upper layer solves
      this problem.
      
      __strp_recv also calculates strp->need_bytes using stm->accum_len before
      stm->accum_len has been incremented by cand_len. This can cause
      strp->need_bytes to be equal to the full length of the message instead
      of the full length minus the accumulated length. This, in turn, causes
      strp_data_ready to return early, even when there is sufficient data to
      complete the partial message. Incrementing stm->accum_len before using
      it to calculate strp->need_bytes solves this problem.
      
      Found while testing net/tls_sw recv path.
      
      Fixes: 43a0c675 ("strparser: Stream parser for messages")
      Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy · e2956fc8
      Eric Dumazet authored
      
      [ Upstream commit aa8f8778 ]
      
      KMSAN reported use of uninit-value that I tracked to lack
      of proper size check on RTA_TABLE attribute.
      
      I also believe RTA_PREFSRC lacks a similar check.
      
      Fixes: 86872cb5 ("[IPv6] route: FIB6 configuration using struct fib6_config")
      Fixes: c3968a85 ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: af_packet: fix race in PACKET_{R|T}X_RING · 55ca7b1d
      Eric Dumazet authored
      
      [ Upstream commit 5171b37d ]
      
      In order to remove the race caught by syzbot [1], we need
      to lock the socket before using po->tp_version as this could
      change under us otherwise.
      
      This means lock_sock() and release_sock() must be done by
      packet_set_ring() callers.
      
      [1] :
      BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
      CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
       packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
       SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
       SyS_setsockopt+0x76/0xa0 net/socket.c:1828
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Local variable description: ----req_u@packet_setsockopt
      Variable was created at:
       packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
       SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets · 228ce13c
      Eric Dumazet authored
      
      [ Upstream commit 72123032 ]
      
      syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1]
      
      I believe this was caused by a TCP_MD5SIG being set on live
      flow.
      
      This is highly unexpected, since TCP option space is limited.
      
      For instance, presence of TCP MD5 option automatically disables
      TCP TimeStamp option at SYN/SYNACK time, which we can not do
      once flow has been established.
      
      Really, adding/deleting an MD5 key only makes sense on sockets
      in CLOSE or LISTEN state.
      
      [1]
      BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
      CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
       tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline]
       tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184
       tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453
       tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
       inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
       SyS_sendto+0x8a/0xb0 net/socket.c:1715
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
       slab_post_alloc_hook mm/slab.h:445 [inline]
       slab_alloc_node mm/slub.c:2737 [inline]
       __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:984 [inline]
       tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624
       __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline]
       tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline]
       tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469
       tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
       inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
       SyS_sendto+0x8a/0xb0 net/socket.c:1715
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: cfb6eeb4 ("[TCP]: MD5 Signature Option (RFC2385) support.")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Acked-by: Yuchung Cheng <ycheng@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: fix deadlock while clearing neighbor proxy table · 581cb195
      Wolfgang Bumiller authored
      
      [ Upstream commit 53b76cdf ]
      
      When coming from ndisc_netdev_event() in net/ipv6/ndisc.c,
      neigh_ifdown() is called with &nd_tbl, locking this while
      clearing the proxy neighbor entries when e.g. deleting an
      interface. Calling the table's pndisc_destructor() with the
      lock still held, however, can cause a deadlock: When a
      multicast listener is available an IGMP packet of type
      ICMPV6_MGM_REDUCTION may be sent out. When reaching
      ip6_finish_output2(), if no neighbor entry for the target
      address is found, __neigh_create() is called with &nd_tbl,
      which it'll want to lock.
      
      Move the elements into their own list, then unlock the table
      and perform the destruction.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289
      Fixes: 6fd6ce20 ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
      Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>