1. 21 Nov, 2018 40 commits
    • Amir Goldstein's avatar
      lockd: fix access beyond unterminated strings in prints · 63727655
      Amir Goldstein authored
      commit 93f38b6f upstream.
      
      printk format used %*s instead of %.*s, so hostname_len does not limit
      the number of bytes accessed from hostname.
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      63727655
    • Trond Myklebust's avatar
      nfsd: Fix an Oops in free_session() · e6914e1a
      Trond Myklebust authored
      commit bb6ad557 upstream.
      
      In call_xpt_users(), we delete the entry from the list, but we
      do not reinitialise it. This triggers the list poisoning when
      we later call unregister_xpt_user() in nfsd4_del_conns().
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e6914e1a
    • Trond Myklebust's avatar
      NFSv4.1: Fix the r/wsize checking · a88fd584
      Trond Myklebust authored
      commit 943cff67 upstream.
      
      The intention of nfs4_session_set_rwsize() was to cap the r/wsize to the
      buffer sizes negotiated by the CREATE_SESSION. The initial code had a
      bug whereby we would not check the values negotiated by nfs_probe_fsinfo()
      (the assumption being that CREATE_SESSION will always negotiate buffer values
      that are sane w.r.t. the server's preferred r/wsizes) but would only check
      values set by the user in the 'mount' command.
      
      The code was changed in 4.11 to _always_ set the r/wsize, meaning that we
      now never use the server preferred r/wsizes. This is the regression that
      this patch fixes.
      Also rename the function to nfs4_session_limit_rwsize() in order to avoid
      future confusion.
      
      Fixes: 03385332 (NFSv4.1 respect server's max size in CREATE_SESSION")
      Cc: stable@vger.kernel.org # v4.11+
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a88fd584
    • Lukas Wunner's avatar
      genirq: Fix race on spurious interrupt detection · 59ba1233
      Lukas Wunner authored
      commit 746a923b upstream.
      
      Commit 1e77d0a1 ("genirq: Sanitize spurious interrupt detection of
      threaded irqs") made detection of spurious interrupts work for threaded
      handlers by:
      
      a) incrementing a counter every time the thread returns IRQ_HANDLED, and
      b) checking whether that counter has increased every time the thread is
         woken.
      
      However for oneshot interrupts, the commit unmasks the interrupt before
      incrementing the counter.  If another interrupt occurs right after
      unmasking but before the counter is incremented, that interrupt is
      incorrectly considered spurious:
      
      time
       |  irq_thread()
       |    irq_thread_fn()
       |      action->thread_fn()
       |      irq_finalize_oneshot()
       |        unmask_threaded_irq()            /* interrupt is unmasked */
       |
       |                  /* interrupt fires, incorrectly deemed spurious */
       |
       |    atomic_inc(&desc->threads_handled); /* counter is incremented */
       v
      
      This is observed with a hi3110 CAN controller receiving data at high volume
      (from a separate machine sending with "cangen -g 0 -i -x"): The controller
      signals a huge number of interrupts (hundreds of millions per day) and
      every second there are about a dozen which are deemed spurious.
      
      In theory with high CPU load and the presence of higher priority tasks, the
      number of incorrectly detected spurious interrupts might increase beyond
      the 99,900 threshold and cause disablement of the interrupt.
      
      In practice it just increments the spurious interrupt count. But that can
      cause people to waste time investigating it over and over.
      
      Fix it by moving the accounting before the invocation of
      irq_finalize_oneshot().
      
      [ tglx: Folded change log update ]
      
      Fixes: 1e77d0a1 ("genirq: Sanitize spurious interrupt detection of threaded irqs")
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Mathias Duckeck <m.duckeck@kunbus.de>
      Cc: Akshay Bhat <akshay.bhat@timesys.com>
      Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com>
      Cc: stable@vger.kernel.org # v3.16+
      Link: https://lkml.kernel.org/r/1dfd8bbd16163940648045495e3e9698e63b50ad.1539867047.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      59ba1233
    • He Zhe's avatar
      printk: Fix panic caused by passing log_buf_len to command line · d24a12ef
      He Zhe authored
      commit 277fcdb2 upstream.
      
      log_buf_len_setup does not check input argument before passing it to
      simple_strtoull. The argument would be a NULL pointer if "log_buf_len",
      without its value, is set in command line and thus causes the following
      panic.
      
      PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0
      [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1
      [    0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70
      ...
      [    0.000000] Call Trace:
      [    0.000000]  simple_strtoull+0x29/0x70
      [    0.000000]  memparse+0x26/0x90
      [    0.000000]  log_buf_len_setup+0x17/0x22
      [    0.000000]  do_early_param+0x57/0x8e
      [    0.000000]  parse_args+0x208/0x320
      [    0.000000]  ? rdinit_setup+0x30/0x30
      [    0.000000]  parse_early_options+0x29/0x2d
      [    0.000000]  ? rdinit_setup+0x30/0x30
      [    0.000000]  parse_early_param+0x36/0x4d
      [    0.000000]  setup_arch+0x336/0x99e
      [    0.000000]  start_kernel+0x6f/0x4ee
      [    0.000000]  x86_64_start_reservations+0x24/0x26
      [    0.000000]  x86_64_start_kernel+0x6f/0x72
      [    0.000000]  secondary_startup_64+0xa4/0xb0
      
      This patch adds a check to prevent the panic.
      
      Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com
      Cc: stable@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarHe Zhe <zhe.he@windriver.com>
      Reviewed-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d24a12ef
    • Steve French's avatar
      smb3: on kerberos mount if server doesn't specify auth type use krb5 · aa21d67d
      Steve French authored
      commit 926674de upstream.
      
      Some servers (e.g. Azure) do not include a spnego blob in the SMB3
      negotiate protocol response, so on kerberos mounts ("sec=krb5")
      we can fail, as we expected the server to list its supported
      auth types (OIDs in the spnego blob in the negprot response).
      Change this so that on krb5 mounts we default to trying krb5 if the
      server doesn't list its supported protocol mechanisms.
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa21d67d
    • Steve French's avatar
      smb3: do not attempt cifs operation in smb3 query info error path · ae83508d
      Steve French authored
      commit 1e77a8c2 upstream.
      
      If backupuid mount option is sent, we can incorrectly retry
      (on access denied on query info) with a cifs (FindFirst) operation
      on an smb3 mount which causes the server to force the session close.
      
      We set backup intent on open so no need for this fallback.
      
      See kernel bugzilla 201435
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae83508d
    • Steve French's avatar
      smb3: allow stats which track session and share reconnects to be reset · 39d6c4cd
      Steve French authored
      commit 2c887635 upstream.
      
      Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats
      except the session and share reconnect counts.  Fix it to
      reset those as well.
      
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39d6c4cd
    • Andreas Kemnade's avatar
      w1: omap-hdq: fix missing bus unregister at removal · b0ef4712
      Andreas Kemnade authored
      commit a0077346 upstream.
      
      The bus master was not removed after unloading the module
      or unbinding the driver. That lead to oopses like this
      
      [  127.842987] Unable to handle kernel paging request at virtual address bf01d04c
      [  127.850646] pgd = 70e3cd9a
      [  127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000
      [  127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
      [  127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq]
      [  127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12
      [  127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree)
      [  127.890441] PC is at 0xbf01d04c
      [  127.893798] LR is at w1_search_process_cb+0x4c/0xfc
      [  127.898956] pc : [<bf01d04c>]    lr : [<c05f9580>]    psr: a0070013
      [  127.905609] sp : cf885f48  ip : bf01d04c  fp : ddf1e11c
      [  127.911132] r10: cf8fe040  r9 : c05f8d00  r8 : cf8fe040
      [  127.916656] r7 : 000000f0  r6 : cf8fe02c  r5 : cf8fe000  r4 : cf8fe01c
      [  127.923553] r3 : c05f8d00  r2 : 000000f0  r1 : cf8fe000  r0 : dde1ef10
      [  127.930450] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [  127.938018] Control: 10c5387d  Table: 8f8f0019  DAC: 00000051
      [  127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f)
      [  127.951171] Stack: (0xcf885f48 to 0xcf886000)
      [  127.955810] 5f40:                   cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00
      [  127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000
      [  127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000
      [  127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
      [  127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [  127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
      [  128.007781] [<c05f9580>] (w1_search_process_cb) from [<c05f9700>] (w1_process+0x6c/0x118)
      [  128.016479] [<c05f9700>] (w1_process) from [<c01499a4>] (kthread+0x130/0x148)
      [  128.024047] [<c01499a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
      [  128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8)
      [  128.037017] 5fa0:                                     00000000 00000000 00000000 00000000
      [  128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [  128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      [  128.061340] Code: bad PC value
      [  128.064697] ---[ end trace af066e33c0e14119 ]---
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndreas Kemnade <andreas@kemnade.info>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b0ef4712
    • Eugen Hristev's avatar
      iio: adc: at91: fix wrong channel number in triggered buffer mode · cc8e1ff7
      Eugen Hristev authored
      commit aea835f2 upstream.
      
      When channels are registered, the hardware channel number is not the
      actual iio channel number.
      This is because the driver is probed with a certain number of accessible
      channels. Some pins are routed and some not, depending on the description of
      the board in the DT.
      Because of that, channels 0,1,2,3 can correspond to hardware channels
      2,3,4,5 for example.
      In the buffered triggered case, we need to do the translation accordingly.
      Fixed the channel number to stop reading the wrong channel.
      
      Fixes: 0e589d5f ("ARM: AT91: IIO: Add AT91 ADC driver.")
      Cc: Maxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: default avatarEugen Hristev <eugen.hristev@microchip.com>
      Acked-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cc8e1ff7
    • Eugen Hristev's avatar
      iio: adc: at91: fix acking DRDY irq on simple conversions · 6b2aa089
      Eugen Hristev authored
      commit bc1b4532 upstream.
      
      When doing simple conversions, the driver did not acknowledge the DRDY irq.
      If this irq status is not acked, it will be left pending, and as soon as a
      trigger is enabled, the irq handler will be called, it doesn't know why
      this status has occurred because no channel is pending, and then it will go
      int a irq loop and board will hang.
      To avoid this situation, read the LCDR after a raw conversion is done.
      
      Fixes: 0e589d5f ("ARM: AT91: IIO: Add AT91 ADC driver.")
      Cc: Maxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: default avatarEugen Hristev <eugen.hristev@microchip.com>
      Acked-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b2aa089
    • Arnd Bergmann's avatar
      kbuild: fix kernel/bounds.c 'W=1' warning · 52458d09
      Arnd Bergmann authored
      commit 6a32c246 upstream.
      
      Building any configuration with 'make W=1' produces a warning:
      
      kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes]
      
      When also passing -Werror, this prevents us from building any other files.
      Nobody ever calls the function, but we can't make it 'static' either
      since we want the compiler output.
      
      Calling it 'main' instead however avoids the warning, because gcc
      does not insist on having a declaration for main.
      
      Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.deSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reported-by: default avatarKieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Reviewed-by: default avatarKieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52458d09
    • Mike Kravetz's avatar
      hugetlbfs: dirty pages as they are added to pagecache · 4fdd46c9
      Mike Kravetz authored
      commit 22146c3c upstream.
      
      Some test systems were experiencing negative huge page reserve counts and
      incorrect file block counts.  This was traced to /proc/sys/vm/drop_caches
      removing clean pages from hugetlbfs file pagecaches.  When non-hugetlbfs
      explicit code removes the pages, the appropriate accounting is not
      performed.
      
      This can be recreated as follows:
       fallocate -l 2M /dev/hugepages/foo
       echo 1 > /proc/sys/vm/drop_caches
       fallocate -l 2M /dev/hugepages/foo
       grep -i huge /proc/meminfo
         AnonHugePages:         0 kB
         ShmemHugePages:        0 kB
         HugePages_Total:    2048
         HugePages_Free:     2047
         HugePages_Rsvd:    18446744073709551615
         HugePages_Surp:        0
         Hugepagesize:       2048 kB
         Hugetlb:         4194304 kB
       ls -lsh /dev/hugepages/foo
         4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo
      
      To address this issue, dirty pages as they are added to pagecache.  This
      can easily be reproduced with fallocate as shown above.  Read faulted
      pages will eventually end up being marked dirty.  But there is a window
      where they are clean and could be impacted by code such as drop_caches.
      So, just dirty them all as they are added to the pagecache.
      
      Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com
      Fixes: 6bda666a ("hugepages: fold find_or_alloc_pages into huge_no_page()")
      Signed-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Acked-by: default avatarMihcla Hocko <mhocko@suse.com>
      Reviewed-by: default avatarKhalid Aziz <khalid.aziz@oracle.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fdd46c9
    • Eric Biggers's avatar
      ima: fix showing large 'violations' or 'runtime_measurements_count' · 34aa9612
      Eric Biggers authored
      commit 1e4c8daf upstream.
      
      The 12 character temporary buffer is not necessarily long enough to hold
      a 'long' value.  Increase it.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34aa9612
    • Ondrej Mosnacek's avatar
      crypto: lrw - Fix out-of bounds access on counter overflow · 00d3634c
      Ondrej Mosnacek authored
      commit fbe1a850 upstream.
      
      When the LRW block counter overflows, the current implementation returns
      128 as the index to the precomputed multiplication table, which has 128
      entries. This patch fixes it to return the correct value (127).
      
      Fixes: 64470f1b ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
      Cc: <stable@vger.kernel.org> # 2.6.20+
      Reported-by: default avatarEric Biggers <ebiggers@kernel.org>
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      00d3634c
    • Eric W. Biederman's avatar
      signal/GenWQE: Fix sending of SIGKILL · 5f894b3e
      Eric W. Biederman authored
      commit 0ab93e9c upstream.
      
      The genweq_add_file and genwqe_del_file by caching current without
      using reference counting embed the assumption that a file descriptor
      will never be passed from one process to another.  It even embeds the
      assumption that the the thread that opened the file will be in
      existence when the process terminates.   Neither of which are
      guaranteed to be true.
      
      Therefore replace caching the task_struct of the opener with
      pid of the openers thread group id.  All the knowledge of the
      opener is used for is as the target of SIGKILL and a SIGKILL
      will kill the entire process group.
      
      Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
      signal argument, update it's ownly caller, and use kill_pid
      instead of force_sig.
      
      The work force_sig does in changing signal handling state is not
      relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processess
      will be killed just with less work, and less confusion.  The work done
      by force_sig is really only needed for handling syncrhonous
      exceptions.
      
      It will still be possible to cause genwqe_device_remove to wait
      8 seconds by passing a file descriptor to another process but
      the possible user after free is fixed.
      
      Fixes: eaf4722d ("GenWQE Character device and DDCB queue")
      Cc: stable@vger.kernel.org
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
      Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
      Cc: Michael Jung <mijung@gmx.net>
      Cc: Michael Ruettger <michael@ibmra.de>
      Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
      Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
      Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
      Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f894b3e
    • Bin Meng's avatar
      PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk · d681d83d
      Bin Meng authored
      commit d0c9606b upstream.
      
      Add Device IDs to the Intel GPU "spurious interrupt" quirk table.
      
      For these devices, unplugging the VGA cable and plugging it in again causes
      spurious interrupts from the IGD.  Linux eventually disables the interrupt,
      but of course that disables any other devices sharing the interrupt.
      
      The theory is that this is a VGA BIOS defect: it should have disabled the
      IGD interrupt but failed to do so.
      
      See f67fd55f ("PCI: Add quirk for still enabled interrupts on Intel
      Sandy Bridge GPUs") and 7c82126a ("PCI: Add new ID for Intel GPU
      "spurious interrupt" quirk") for some history.
      
      [bhelgaas: See link below for discussion about how to fix this more
      generically instead of adding device IDs for every new Intel GPU.  I hope
      this is the last patch to add device IDs.]
      
      Link: https://lore.kernel.org/linux-pci/1537974841-29928-1-git-send-email-bmeng.cn@gmail.comSigned-off-by: default avatarBin Meng <bmeng.cn@gmail.com>
      [bhelgaas: changelog]
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org	# v3.4+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d681d83d
    • Breno Leitao's avatar
      HID: hiddev: fix potential Spectre v1 · 66f3e856
      Breno Leitao authored
      commit f1127439 upstream.
      
      uref->usage_index can be indirectly controlled by userspace, hence leading
      to a potential exploitation of the Spectre variant 1 vulnerability.
      
      This field is used as an array index by the hiddev_ioctl_usage() function,
      when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
      HIDIOCSUSAGES.
      
      For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
      field->maxusage and then used as an index to dereference field->usage
      array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
      uref->usage_index is checked against an array maximum value and then it is
      used as an index in an array.
      
      This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
      traditional Spectre V1 first load:
      
      	copy_from_user(uref, user_arg, sizeof(*uref))
      	if (uref->usage_index >= field->maxusage)
      		goto inval;
      	i = field->usage[uref->usage_index].collection_index;
      	return i;
      
      This patch fixes this by sanitizing field uref->usage_index before using it
      to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
      HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBreno Leitao <leitao@debian.org>
      v2: Contemplate cmd == HIDIOC{G,S}USAGES case
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66f3e856
    • Lukas Czerner's avatar
      ext4: initialize retries variable in ext4_da_write_inline_data_begin() · d396e539
      Lukas Czerner authored
      commit 625ef8a3 upstream.
      
      Variable retries is not initialized in ext4_da_write_inline_data_begin()
      which can lead to nondeterministic number of retries in case we hit
      ENOSPC. Initialize retries to zero as we do everywhere else.
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Fixes: bc0ca9df ("ext4: retry allocation when inline->extent conversion failed")
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d396e539
    • Al Viro's avatar
      gfs2_meta: ->mount() can get NULL dev_name · 82a76725
      Al Viro authored
      commit 3df629d8 upstream.
      
      get in sync with mount_bdev() handling of the same
      
      Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82a76725
    • Jan Kara's avatar
      jbd2: fix use after free in jbd2_log_do_checkpoint() · f4af4c73
      Jan Kara authored
      commit ccd3c437 upstream.
      
      The code cleaning transaction's lists of checkpoint buffers has a bug
      where it increases bh refcount only after releasing
      journal->j_list_lock. Thus the following race is possible:
      
      CPU0					CPU1
      jbd2_log_do_checkpoint()
      					jbd2_journal_try_to_free_buffers()
      					  __journal_try_to_free_buffer(bh)
        ...
        while (transaction->t_checkpoint_io_list)
        ...
          if (buffer_locked(bh)) {
      
      <-- IO completes now, buffer gets unlocked -->
      
            spin_unlock(&journal->j_list_lock);
      					    spin_lock(&journal->j_list_lock);
      					    __jbd2_journal_remove_checkpoint(jh);
      					    spin_unlock(&journal->j_list_lock);
      					  try_to_free_buffers(page);
            get_bh(bh) <-- accesses freed bh
      
      Fix the problem by grabbing bh reference before unlocking
      journal->j_list_lock.
      
      Fixes: dc6e8d66 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()")
      Fixes: be1158cc ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()")
      Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com
      CC: stable@vger.kernel.org
      Reviewed-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4af4c73
    • Alexander Duyck's avatar
      libnvdimm: Hold reference on parent while scheduling async init · 8954771a
      Alexander Duyck authored
      commit b6eae0f6 upstream.
      
      Unlike asynchronous initialization in the core we have not yet associated
      the device with the parent, and as such the device doesn't hold a reference
      to the parent.
      
      In order to resolve that we should be holding a reference on the parent
      until the asynchronous initialization has completed.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 4d88a97a ("libnvdimm: ...base ... infrastructure")
      Signed-off-by: default avatarAlexander Duyck <alexander.h.duyck@linux.intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8954771a
    • Stefan Nuernberger's avatar
      net/ipv4: defensive cipso option parsing · 7546540b
      Stefan Nuernberger authored
      commit 076ed3da upstream.
      
      commit 40413955 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
      a possible infinite loop in the IP option parsing of CIPSO. The fix
      assumes that ip_options_compile filtered out all zero length options and
      that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
      While this assumption currently holds true, add explicit checks for zero
      length and invalid length options to be safe for the future. Even though
      ip_options_compile should have validated the options, the introduction of
      new one-byte options can still confuse this code without the additional
      checks.
      Signed-off-by: default avatarStefan Nuernberger <snu@amazon.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Simon Veith <sveith@amazon.de>
      Cc: stable@vger.kernel.org
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7546540b
    • Juergen Gross's avatar
      xen: make xen_qlock_wait() nestable · 4f2f01aa
      Juergen Gross authored
      commit a8565319 upstream.
      
      xen_qlock_wait() isn't safe for nested calls due to interrupts. A call
      of xen_qlock_kick() might be ignored in case a deeper nesting level
      was active right before the call of xen_poll_irq():
      
      CPU 1:                                   CPU 2:
      spin_lock(lock1)
                                               spin_lock(lock1)
                                               -> xen_qlock_wait()
                                                  -> xen_clear_irq_pending()
                                                  Interrupt happens
      spin_unlock(lock1)
      -> xen_qlock_kick(CPU 2)
      spin_lock_irqsave(lock2)
                                               spin_lock_irqsave(lock2)
                                               -> xen_qlock_wait()
                                                  -> xen_clear_irq_pending()
                                                     clears kick for lock1
                                                  -> xen_poll_irq()
      spin_unlock_irq_restore(lock2)
      -> xen_qlock_kick(CPU 2)
                                                  wakes up
                                               spin_unlock_irq_restore(lock2)
                                               IRET
                                                 resumes in xen_qlock_wait()
                                                 -> xen_poll_irq()
                                                 never wakes up
      
      The solution is to disable interrupts in xen_qlock_wait() and not to
      poll for the irq in case xen_qlock_wait() is called in nmi context.
      
      Cc: stable@vger.kernel.org
      Cc: Waiman.Long@hp.com
      Cc: peterz@infradead.org
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f2f01aa
    • Juergen Gross's avatar
      xen: fix race in xen_qlock_wait() · a1a52e42
      Juergen Gross authored
      commit 2ac2a7d4 upstream.
      
      In the following situation a vcpu waiting for a lock might not be
      woken up from xen_poll_irq():
      
      CPU 1:                CPU 2:                      CPU 3:
      takes a spinlock
                            tries to get lock
                            -> xen_qlock_wait()
      frees the lock
      -> xen_qlock_kick(cpu2)
                              -> xen_clear_irq_pending()
      
      takes lock again
                                                        tries to get lock
                                                        -> *lock = _Q_SLOW_VAL
                              -> *lock == _Q_SLOW_VAL ?
                              -> xen_poll_irq()
      frees the lock
      -> xen_qlock_kick(cpu3)
      
      And cpu 2 will sleep forever.
      
      This can be avoided easily by modifying xen_qlock_wait() to call
      xen_poll_irq() only if the related irq was not pending and to call
      xen_clear_irq_pending() only if it was pending.
      
      Cc: stable@vger.kernel.org
      Cc: Waiman.Long@hp.com
      Cc: peterz@infradead.org
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1a52e42
    • Dr. Greg Wettstein's avatar
      tpm: Restore functionality to xen vtpm driver. · 8cacd37f
      Dr. Greg Wettstein authored
      commit e487a0f5 upstream.
      
      Functionality of the xen-tpmfront driver was lost secondary to
      the introduction of xenbus multi-page support in commit ccc9d90a
      ("xenbus_client: Extend interface to support multi-page ring").
      
      In this commit pointer to location of where the shared page address
      is stored was being passed to the xenbus_grant_ring() function rather
      then the address of the shared page itself. This resulted in a situation
      where the driver would attach to the vtpm-stubdom but any attempt
      to send a command to the stub domain would timeout.
      
      A diagnostic finding for this regression is the following error
      message being generated when the xen-tpmfront driver probes for a
      device:
      
      <3>vtpm vtpm-0: tpm_transmit: tpm_send: error -62
      
      <3>vtpm vtpm-0: A TPM error (-62) occurred attempting to determine
      the timeouts
      
      This fix is relevant to all kernels from 4.1 forward which is the
      release in which multi-page xenbus support was introduced.
      
      Daniel De Graaf formulated the fix by code inspection after the
      regression point was located.
      
      Fixes: ccc9d90a ("xenbus_client: Extend interface to support multi-page ring")
      Signed-off-by: default avatarDr. Greg Wettstein <greg@enjellic.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      [boris: Updated commit message, added Fixes tag]
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org # v4.1+
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      8cacd37f
    • Joe Jin's avatar
      xen-swiotlb: use actually allocated size on check physical continuous · cf9e0f77
      Joe Jin authored
      commit 7250f422 upstream.
      
      xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the
      order of the pages and not size argument (bytes). This is inconsistent with
      range_straddles_page_boundary and memset which use the 'size' value,
      which may lead to not exchanging memory with Xen (range_straddles_page_boundary()
      returned true). And then the call to xen_swiotlb_free_coherent() would
      actually try to exchange the memory with Xen, leading to the kernel
      hitting an BUG (as the hypercall returned an error).
      
      This patch fixes it by making the 'size' variable be of the same size
      as the amount of memory allocated.
      
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJoe Jin <joe.jin@oracle.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Christoph Helwig <hch@lst.de>
      Cc: Dongli Zhang <dongli.zhang@oracle.com>
      Cc: John Sobecki <john.sobecki@oracle.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf9e0f77
    • Takashi Iwai's avatar
      ALSA: hda: Check the non-cached stream buffers more explicitly · a9d21a73
      Takashi Iwai authored
      [ Upstream commit 78c9be61 ]
      
      Introduce a new flag, uc_buffer, to indicate that the controller
      requires the non-cached pages for stream buffers, either as a
      chip-specific requirement or specified via snoop=0 option.
      This improves the code-readability.
      
      Also, this patch fixes the incorrect behavior for C-Media chip where
      the stream buffers were never handled as non-cached due to the check
      of driver_type even if you pass snoop=0 option.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9d21a73
    • Paul Cercueil's avatar
      dmaengine: dma-jz4780: Return error if not probed from DT · 7e41dd0f
      Paul Cercueil authored
      [ Upstream commit 54f919a0 ]
      
      The driver calls clk_get() with the clock name set to NULL, which means
      that the driver could only work when probed from devicetree. From now
      on, we explicitly require the driver to be probed from devicetree.
      Signed-off-by: default avatarPaul Cercueil <paul@crapouillou.net>
      Tested-by: default avatarMathieu Malaterre <malat@debian.org>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e41dd0f
    • Eric W. Biederman's avatar
      signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init · 9ab9fc44
      Eric W. Biederman authored
      [ Upstream commit 3597dfe0 ]
      
      Instead of playing whack-a-mole and changing SEND_SIG_PRIV to
      SEND_SIG_FORCED throughout the kernel to ensure a pid namespace init
      gets signals sent by the kernel, stop allowing a pid namespace init to
      ignore SIGKILL or SIGSTOP sent by the kernel.  A pid namespace init is
      only supposed to be able to ignore signals sent from itself and
      children with SIG_DFL.
      
      Fixes: 921cf9f6 ("signals: protect cinit from unblocked SIG_DFL signals")
      Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ab9fc44
    • James Smart's avatar
      scsi: lpfc: Correct soft lockup when running mds diagnostics · c9debbd2
      James Smart authored
      [ Upstream commit 0ef01a2d ]
      
      When running an mds diagnostic that passes frames with the switch, soft
      lockups are detected. The driver is in a CQE processing loop and has
      sufficient amount of traffic that it never exits the ring processing routine,
      thus the "lockup".
      
      Cap the number of elements in the work processing routine to 64 elements. This
      ensures that the cpu will be given up and the handler reschedule to process
      additional items.
      Signed-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: default avatarJames Smart <james.smart@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c9debbd2
    • Alexandre Belloni's avatar
      uio: ensure class is registered before devices · 2d62826e
      Alexandre Belloni authored
      [ Upstream commit ae61cf5b ]
      
      When both uio and the uio drivers are built in the kernel, it is possible
      for a driver to register devices before the uio class is registered.
      
      This may result in a NULL pointer dereference later on in
      get_device_parent() when accessing the class glue_dirs spinlock.
      
      The trace looks like that:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000140
      [...]
      [<ffff0000089cc234>] _raw_spin_lock+0x14/0x48
      [<ffff0000084f56bc>] device_add+0x154/0x6a0
      [<ffff0000084f5e48>] device_create_groups_vargs+0x120/0x128
      [<ffff0000084f5edc>] device_create+0x54/0x60
      [<ffff0000086e72c0>] __uio_register_device+0x120/0x4a8
      [<ffff000008528b7c>] jaguar2_pci_probe+0x2d4/0x558
      [<ffff0000083fc18c>] local_pci_probe+0x3c/0xb8
      [<ffff0000083fd81c>] pci_device_probe+0x11c/0x180
      [<ffff0000084f88bc>] driver_probe_device+0x22c/0x2d8
      [<ffff0000084f8a24>] __driver_attach+0xbc/0xc0
      [<ffff0000084f69fc>] bus_for_each_dev+0x4c/0x98
      [<ffff0000084f81b8>] driver_attach+0x20/0x28
      [<ffff0000084f7d08>] bus_add_driver+0x1b8/0x228
      [<ffff0000084f93c0>] driver_register+0x60/0xf8
      [<ffff0000083fb918>] __pci_register_driver+0x40/0x48
      
      Return EPROBE_DEFER in that case so the driver can register the device
      later.
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d62826e
    • Waiman Long's avatar
      driver/dma/ioat: Call del_timer_sync() without holding prep_lock · d7a7df4c
      Waiman Long authored
      [ Upstream commit cfb03be6 ]
      
      The following lockdep splat was observed:
      
      [ 1222.241750] ======================================================
      [ 1222.271301] WARNING: possible circular locking dependency detected
      [ 1222.301060] 4.16.0-10.el8+5.x86_64+debug #1 Not tainted
      [ 1222.326659] ------------------------------------------------------
      [ 1222.356565] systemd-shutdow/1 is trying to acquire lock:
      [ 1222.382660]  ((&ioat_chan->timer)){+.-.}, at: [<00000000f71e1a28>] del_timer_sync+0x5/0xf0
      [ 1222.422928]
      [ 1222.422928] but task is already holding lock:
      [ 1222.451743]  (&(&ioat_chan->prep_lock)->rlock){+.-.}, at: [<000000008ea98b12>] ioat_shutdown+0x86/0x100 [ioatdma]
         :
      [ 1223.524987] Chain exists of:
      [ 1223.524987]   (&ioat_chan->timer) --> &(&ioat_chan->cleanup_lock)->rlock --> &(&ioat_chan->prep_lock)->rlock
      [ 1223.524987]
      [ 1223.594082]  Possible unsafe locking scenario:
      [ 1223.594082]
      [ 1223.622630]        CPU0                    CPU1
      [ 1223.645080]        ----                    ----
      [ 1223.667404]   lock(&(&ioat_chan->prep_lock)->rlock);
      [ 1223.691535]                                lock(&(&ioat_chan->cleanup_lock)->rlock);
      [ 1223.728657]                                lock(&(&ioat_chan->prep_lock)->rlock);
      [ 1223.765122]   lock((&ioat_chan->timer));
      [ 1223.784095]
      [ 1223.784095]  *** DEADLOCK ***
      [ 1223.784095]
      [ 1223.813492] 4 locks held by systemd-shutdow/1:
      [ 1223.834677]  #0:  (reboot_mutex){+.+.}, at: [<0000000056d33456>] SYSC_reboot+0x10f/0x300
      [ 1223.873310]  #1:  (&dev->mutex){....}, at: [<00000000258dfdd7>] device_shutdown+0x1c8/0x660
      [ 1223.913604]  #2:  (&dev->mutex){....}, at: [<0000000068331147>] device_shutdown+0x1d6/0x660
      [ 1223.954000]  #3:  (&(&ioat_chan->prep_lock)->rlock){+.-.}, at: [<000000008ea98b12>] ioat_shutdown+0x86/0x100 [ioatdma]
      
      In the ioat_shutdown() function:
      
      	spin_lock_bh(&ioat_chan->prep_lock);
      	set_bit(IOAT_CHAN_DOWN, &ioat_chan->state);
      	del_timer_sync(&ioat_chan->timer);
      	spin_unlock_bh(&ioat_chan->prep_lock);
      
      According to the synchronization rule for the del_timer_sync() function,
      the caller must not hold locks which would prevent completion of the
      timer's handler.
      
      The timer structure has its own lock that manages its synchronization.
      Setting the IOAT_CHAN_DOWN bit should prevent other CPUs from
      trying to use that device anyway, there is probably no need to call
      del_timer_sync() while holding the prep_lock. So the del_timer_sync()
      call is now moved outside of the prep_lock critical section to prevent
      the circular lock dependency.
      Signed-off-by: default avatarWaiman Long <longman@redhat.com>
      Reviewed-by: default avatarDave Jiang <dave.jiang@intel.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7a7df4c
    • Loic Poulain's avatar
      usb: chipidea: Prevent unbalanced IRQ disable · d986aedc
      Loic Poulain authored
      [ Upstream commit 8b97d73c ]
      
      The ChipIdea IRQ is disabled before scheduling the otg work and
      re-enabled on otg work completion. However if the job is already
      scheduled we have to undo the effect of disable_irq int order to
      balance the IRQ disable-depth value.
      
      Fixes: be6b0c1b ("usb: chipidea: using one inline function to cover queue work operations")
      Signed-off-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d986aedc
    • Shaohua Li's avatar
      MD: fix invalid stored role for a disk · 8f177fb6
      Shaohua Li authored
      [ Upstream commit d595567d ]
      
      If we change the number of array's device after device is removed from array,
      then add the device back to array, we can see that device is added as active
      role instead of spare which we expected.
      
      Please see the below link for details:
      https://marc.info/?l=linux-raid&m=153736982015076&w=2
      
      This is caused by that we prefer to use device's previous role which is
      recorded by saved_raid_disk, but we should respect the new number of
      conf->raid_disks since it could be changed after device is removed.
      Reported-by: default avatarGioh Kim <gi-oh.kim@profitbricks.com>
      Tested-by: default avatarGioh Kim <gi-oh.kim@profitbricks.com>
      Acked-by: default avatarGuoqing Jiang <gqjiang@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f177fb6
    • Theodore Ts'o's avatar
      ext4: fix argument checking in EXT4_IOC_MOVE_EXT · c87fb36e
      Theodore Ts'o authored
      [ Upstream commit f18b2b83 ]
      
      If the starting block number of either the source or destination file
      exceeds the EOF, EXT4_IOC_MOVE_EXT should return EINVAL.
      
      Also fixed the helper function mext_check_coverage() so that if the
      logical block is beyond EOF, make it return immediately, instead of
      looping until the block number wraps all the away around.  This takes
      long enough that if there are multiple threads trying to do pound on
      an the same inode doing non-sensical things, it can end up triggering
      the kernel's soft lockup detector.
      
      Reported-by: syzbot+c61979f6f2cba5cb3c06@syzkaller.appspotmail.com
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c87fb36e
    • Javier Martinez Canillas's avatar
      tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated · 3cf68396
      Javier Martinez Canillas authored
      [ Upstream commit 0d6d0d62 ]
      
      For TPM 1.2 chips the system setup utility allows to set the TPM device in
      one of the following states:
      
        * Active: Security chip is functional
        * Inactive: Security chip is visible, but is not functional
        * Disabled: Security chip is hidden and is not functional
      
      When choosing the "Inactive" state, the TPM 1.2 device is enumerated and
      registered, but sending TPM commands fail with either TPM_DEACTIVATED or
      TPM_DISABLED depending if the firmware deactivated or disabled the TPM.
      
      Since these TPM 1.2 error codes don't have special treatment, inactivating
      the TPM leads to a very noisy kernel log buffer that shows messages like
      the following:
      
        tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
        tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
        tpm tpm0: TPM is disabled/deactivated (0x6)
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
        ima: No TPM chip found, activating TPM-bypass! (rc=6)
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
      
      Let's just suppress error log messages for the TPM_{DEACTIVATED,DISABLED}
      return codes, since this is expected when the TPM 1.2 is set to Inactive.
      
      In that case the kernel log is cleaner and less confusing for users, i.e:
      
        tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
        tpm tpm0: TPM is disabled/deactivated (0x6)
        ima: No TPM chip found, activating TPM-bypass! (rc=6)
      Reported-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarJavier Martinez Canillas <javierm@redhat.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cf68396
    • Wenwen Wang's avatar
      scsi: megaraid_sas: fix a missing-check bug · be1851b9
      Wenwen Wang authored
      [ Upstream commit 47db7873 ]
      
      In megasas_mgmt_compat_ioctl_fw(), to handle the structure
      compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
      'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle
      the packet. Since the two data structures have different fields, the data
      is copied from 'cioc' to 'ioc' field by field. In the copy process,
      'sense_ptr' is prepared if the field 'sense_len' is not null, because it
      will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
      user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and
      saved to kernel-space variables 'local_sense_off' and 'user_sense_off'
      respectively. Given that 'ioc->sense_off' is also copied from
      'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
      same value. However, 'cioc' is in the user space and a malicious user can
      race to change the value of 'cioc->sense_off' after it is copied to
      'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing
      so, the attacker can inject different values into 'local_sense_off' and
      'user_sense_off'. This can cause undefined behavior in the following
      execution, because the two variables are supposed to be same.
      
      This patch enforces a check on the two kernel variables 'local_sense_off'
      and 'user_sense_off' to make sure they are the same after the copy. In
      case they are not, an error code EINVAL will be returned.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Acked-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be1851b9
    • Finn Thain's avatar
      scsi: esp_scsi: Track residual for PIO transfers · 8c00d5d7
      Finn Thain authored
      [ Upstream commit fd47d919 ]
      
      If a target disconnects during a PIO data transfer the command may fail
      when the target reconnects:
      
      scsi host1: DMA length is zero!
      scsi host1: cur adr[04380000] len[00000000]
      
      The scsi bus is then reset. This happens because the residual reached
      zero before the transfer was completed.
      
      The usual residual calculation relies on the Transfer Count registers.
      That works for DMA transfers but not for PIO transfers. Fix the problem
      by storing the PIO transfer residual and using that to correctly
      calculate bytes_sent.
      
      Fixes: 6fe07aaf ("[SCSI] m68k: new mac_esp scsi driver")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Tested-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c00d5d7
    • Martin Willi's avatar
      ath10k: schedule hardware restart if WMI command times out · 93ceb8dc
      Martin Willi authored
      [ Upstream commit a9911937 ]
      
      When running in AP mode, ath10k sometimes suffers from TX credit
      starvation. The issue is hard to reproduce and shows up once in a
      few days, but has been repeatedly seen with QCA9882 and a large
      range of firmwares, including 10.2.4.70.67.
      
      Once the module is in this state, TX credits are never replenished,
      which results in "SWBA overrun" errors, as no beacons can be sent.
      Even worse, WMI commands run in a timeout while holding the conf
      mutex for three seconds each, making any further operations slow
      and the whole system unresponsive.
      
      The firmware/driver never recovers from that state automatically,
      and triggering TX flush or warm restarts won't work over WMI. So
      issue a hardware restart if a WMI command times out due to missing
      TX credits. This implies a connectivity outage of about 1.4s in AP
      mode, but brings back the interface and the whole system to a usable
      state. WMI command timeouts have not been seen in absent of this
      specific issue, so taking such drastic actions seems legitimate.
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      93ceb8dc