1. 27 Sep, 2017 1 commit
  2. 13 Sep, 2017 33 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.88 · b52c9082
      Greg Kroah-Hartman authored
      b52c9082
    • Richard Wareing's avatar
      xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present · ad390343
      Richard Wareing authored
      commit b31ff3cd upstream.
      
      If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
      a directory in a filesystem that does not have a realtime device and
      create a new file in that directory, it gets marked as a real time file.
      When data is written and a fsync is issued, the filesystem attempts to
      flush a non-existent rt device during the fsync process.
      
      This results in a crash dereferencing a null buftarg pointer in
      xfs_blkdev_issue_flush():
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        IP: xfs_blkdev_issue_flush+0xd/0x20
        .....
        Call Trace:
          xfs_file_fsync+0x188/0x1c0
          vfs_fsync_range+0x3b/0xa0
          do_fsync+0x3d/0x70
          SyS_fsync+0x10/0x20
          do_syscall_64+0x4d/0xb0
          entry_SYSCALL64_slow_path+0x25/0x25
      
      Setting RT inode flags does not require special privileges so any
      unprivileged user can cause this oops to occur.  To reproduce, confirm
      kernel is compiled with CONFIG_XFS_RT=y and run:
      
        # mkfs.xfs -f /dev/pmem0
        # mount /dev/pmem0 /mnt/test
        # mkdir /mnt/test/foo
        # xfs_io -c 'chattr +t' /mnt/test/foo
        # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
      
      Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
      
      Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
      
      Fixes: f538d4da ("[XFS] write barrier support")
      Signed-off-by: default avatarRichard Wareing <rwareing@fb.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad390343
    • Trond Myklebust's avatar
      NFS: Fix 2 use after free issues in the I/O code · 677a8036
      Trond Myklebust authored
      commit 196639eb upstream.
      
      The writeback code wants to send a commit after processing the pages,
      which is why we want to delay releasing the struct path until after
      that's done.
      
      Also, the layout code expects that we do not free the inode before
      we've put the layout segments in pnfs_writehdr_free() and
      pnfs_readhdr_free()
      
      Fixes: 919e3bd9 ("NFS: Ensure we commit after writeback is complete")
      Fixes: 4714fb51 ("nfs: remove pgio_header refcount, related cleanup")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      677a8036
    • Mark Rutland's avatar
      ARM: 8692/1: mm: abort uaccess retries upon fatal signal · 84478477
      Mark Rutland authored
      commit 746a272e upstream.
      
      When there's a fatal signal pending, arm's do_page_fault()
      implementation returns 0. The intent is that we'll return to the
      faulting userspace instruction, delivering the signal on the way.
      
      However, if we take a fatal signal during fixing up a uaccess, this
      results in a return to the faulting kernel instruction, which will be
      instantly retried, resulting in the same fault being taken forever. As
      the task never reaches userspace, the signal is not delivered, and the
      task is left unkillable. While the task is stuck in this state, it can
      inhibit the forward progress of the system.
      
      To avoid this, we must ensure that when a fatal signal is pending, we
      apply any necessary fixup for a faulting kernel instruction. Thus we
      will return to an error path, and it is up to that code to make forward
      progress towards delivering the fatal signal.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarSteve Capper <steve.capper@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84478477
    • Ben Seri's avatar
      Bluetooth: Properly check L2CAP config option output buffer length · f7ec367c
      Ben Seri authored
      commit e860d2c9 upstream.
      
      Validate the output buffer length for L2CAP config requests and responses
      to avoid overflowing the stack buffer used for building the option blocks.
      Signed-off-by: default avatarBen Seri <ben@armis.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7ec367c
    • Takashi Iwai's avatar
      ALSA: msnd: Optimize / harden DSP and MIDI loops · 55681470
      Takashi Iwai authored
      commit 20e2b791 upstream.
      
      The ISA msnd drivers have loops fetching the ring-buffer head, tail
      and size values inside the loops.  Such codes are inefficient and
      fragile.
      
      This patch optimizes it, and also adds the sanity check to avoid the
      endless loops.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196131
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196133Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatargrygorii tertychnyi <gtertych@cisco.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      55681470
    • Yang Shi's avatar
      locktorture: Fix potential memory leak with rw lock test · 10863607
      Yang Shi authored
      commit f4dbba59 upstream.
      
      When running locktorture module with the below commands with kmemleak enabled:
      
      $ modprobe locktorture torture_type=rw_lock_irq
      $ rmmod locktorture
      
      The below kmemleak got caught:
      
      root@10:~# echo scan > /sys/kernel/debug/kmemleak
      [  323.197029] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
      root@10:~# cat /sys/kernel/debug/kmemleak
      unreferenced object 0xffffffc07592d500 (size 128):
        comm "modprobe", pid 368, jiffies 4294924118 (age 205.824s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 c3 7b 02 00 00 00 00 00  .........{......
          00 00 00 00 00 00 00 00 d7 9b 02 00 00 00 00 00  ................
        backtrace:
          [<ffffff80081e5a88>] create_object+0x110/0x288
          [<ffffff80086c6078>] kmemleak_alloc+0x58/0xa0
          [<ffffff80081d5acc>] __kmalloc+0x234/0x318
          [<ffffff80006fa130>] 0xffffff80006fa130
          [<ffffff8008083ae4>] do_one_initcall+0x44/0x138
          [<ffffff800817e28c>] do_init_module+0x68/0x1cc
          [<ffffff800811c848>] load_module+0x1a68/0x22e0
          [<ffffff800811d340>] SyS_finit_module+0xe0/0xf0
          [<ffffff80080836f0>] el0_svc_naked+0x24/0x28
          [<ffffffffffffffff>] 0xffffffffffffffff
      unreferenced object 0xffffffc07592d480 (size 128):
        comm "modprobe", pid 368, jiffies 4294924118 (age 205.824s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 3b 6f 01 00 00 00 00 00  ........;o......
          00 00 00 00 00 00 00 00 23 6a 01 00 00 00 00 00  ........#j......
        backtrace:
          [<ffffff80081e5a88>] create_object+0x110/0x288
          [<ffffff80086c6078>] kmemleak_alloc+0x58/0xa0
          [<ffffff80081d5acc>] __kmalloc+0x234/0x318
          [<ffffff80006fa22c>] 0xffffff80006fa22c
          [<ffffff8008083ae4>] do_one_initcall+0x44/0x138
          [<ffffff800817e28c>] do_init_module+0x68/0x1cc
          [<ffffff800811c848>] load_module+0x1a68/0x22e0
          [<ffffff800811d340>] SyS_finit_module+0xe0/0xf0
          [<ffffff80080836f0>] el0_svc_naked+0x24/0x28
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      It is because cxt.lwsa and cxt.lrsa don't get freed in module_exit, so free
      them in lock_torture_cleanup() and free writer_tasks if reader_tasks is
      failed at memory allocation.
      Signed-off-by: default avatarYang Shi <yang.shi@linaro.org>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Cc: 石洋 <yang.s@alibaba-inc.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      10863607
    • Aleksa Sarai's avatar
      btrfs: resume qgroup rescan on rw remount · 693b7f62
      Aleksa Sarai authored
      commit 6c6b5a39 upstream.
      
      Several distributions mount the "proper root" as ro during initrd and
      then remount it as rw before pivot_root(2). Thus, if a rescan had been
      aborted by a previous shutdown, the rescan would never be resumed.
      
      This issue would manifest itself as several btrfs ioctl(2)s causing the
      entire machine to hang when btrfs_qgroup_wait_for_completion was hit
      (due to the fs_info->qgroup_rescan_running flag being set but the rescan
      itself not being resumed). Notably, Docker's btrfs storage driver makes
      regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT
      (causing this problem to be manifested on boot for some machines).
      
      Cc: Jeff Mahoney <jeffm@suse.com>
      Fixes: b382a324 ("Btrfs: fix qgroup rescan resume on mount")
      Signed-off-by: default avatarAleksa Sarai <asarai@suse.de>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Tested-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      693b7f62
    • John Stultz's avatar
      drm/bridge: adv7511: Re-write the i2c address before EDID probing · f4596ead
      John Stultz authored
      commit 3587c856 upstream.
      
      I've found that by just turning the chip on and off via the
      POWER_DOWN register, I end up getting i2c_transfer errors on
      HiKey.
      
      Investigating further, it turns out that some of the register
      state in hardware is getting lost, as the device registers are
      reset when the chip is powered down.
      
      Thus this patch simply re-writes the i2c address to the
      ADV7511_REG_EDID_I2C_ADDR register to ensure its properly set
      before we try to read the EDID data.
      
      Cc: David Airlie <airlied@linux.ie>
      Cc: Archit Taneja <architt@codeaurora.org>
      Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Cc: Lars-Peter Clausen <lars@metafoo.de>
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: dri-devel@lists.freedesktop.org
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Tested-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/1484614372-15342-7-git-send-email-john.stultz@linaro.orgSigned-off-by: default avatarThong Ho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4596ead
    • John Stultz's avatar
      drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event() · e22a4308
      John Stultz authored
      commit 6d5104c5 upstream.
      
      In chasing down a previous issue with EDID probing from calling
      drm_helper_hpd_irq_event() from irq context, Laurent noticed
      that the DRM documentation suggests that
      drm_kms_helper_hotplug_event() should be used instead.
      
      Thus this patch replaces drm_helper_hpd_irq_event() with
      drm_kms_helper_hotplug_event(), which requires we update the
      connector.status entry and only call _hotplug_event() when the
      status changes.
      
      Cc: David Airlie <airlied@linux.ie>
      Cc: Archit Taneja <architt@codeaurora.org>
      Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Cc: Lars-Peter Clausen <lars@metafoo.de>
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: dri-devel@lists.freedesktop.org
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Tested-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/1484614372-15342-3-git-send-email-john.stultz@linaro.orgSigned-off-by: default avatarThong Ho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e22a4308
    • John Stultz's avatar
      drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq context · 9183e45d
      John Stultz authored
      commit 518cb705 upstream.
      
      I was recently seeing issues with EDID probing, where
      the logic to wait for the EDID read bit to be set by the
      IRQ wasn't happening and the code would time out and fail.
      
      Digging deeper, I found this was due to the fact that
      IRQs were disabled as we were running in IRQ context from
      the HPD signal.
      
      Thus this patch changes the logic to handle the HPD signal
      via a work_struct so we can be out of irq context.
      
      With this patch, the EDID probing on hotplug does not time
      out.
      
      Cc: David Airlie <airlied@linux.ie>
      Cc: Archit Taneja <architt@codeaurora.org>
      Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Cc: Lars-Peter Clausen <lars@metafoo.de>
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: dri-devel@lists.freedesktop.org
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Tested-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/1484614372-15342-2-git-send-email-john.stultz@linaro.orgSigned-off-by: default avatarThong Ho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9183e45d
    • Archit Taneja's avatar
      drm/bridge: adv7511: Fix mutex deadlock when interrupts are disabled · c634ceca
      Archit Taneja authored
      commit f0bfcc22 upstream.
      
      When the adv7511 i2c client doesn't have an interrupt line, we observe a
      deadlock on caused by trying to lock drm device's mode_config.mutex twice
      in the same context.
      
      Here is the sequence that causes it:
      
      ioctl DRM_IOCTL_MODE_GETCONNECTOR from userspace
        drm_mode_getconnector (acquires mode_config mutex)
          connector->fill_modes()
          drm_helper_probe_single_connector_modes
            connector_funcs->get_modes
      	adv7511_encoder_get_modes
      	  adv7511_get_edid_block
      	    adv7511_irq_process
      	      drm_helper_hpd_irq_event (acquires mode_config mutex again)
      
      In adv7511_irq_process, don't call drm_helper_hpd_irq_event when not
      called from the interrupt handler. It doesn't serve any purpose there
      anyway.
      Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
      Signed-off-by: default avatarThong Ho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c634ceca
    • Wolfram Sang's avatar
      drm: adv7511: really enable interrupts for EDID detection · aea7e5ce
      Wolfram Sang authored
      commit d0be8584 upstream.
      
      The interrupts for EDID_READY or DDC_ERROR were never enabled in this
      driver, so reading EDID always timed out when chip was powered down and
      interrupts were used. Fix this and also remove clearing the interrupt
      flags, they are cleared in POWER_DOWN mode anyhow (unlike the interrupt
      enable flags) according to docs and my tests.
      Signed-off-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Tested-by: default avatarArchit Taneja <architt@codeaurora.org>
      Signed-off-by: default avatarThong Ho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aea7e5ce
    • Todd Poynor's avatar
      scsi: sg: recheck MMAP_IO request length with lock held · a2e71dcf
      Todd Poynor authored
      commit 8d26f491 upstream.
      
      Commit 1bc0eb04 ("scsi: sg: protect accesses to 'reserved' page
      array") adds needed concurrency protection for the "reserve" buffer.
      Some checks that are initially made outside the lock are replicated once
      the lock is taken to ensure the checks and resulting decisions are made
      using consistent state.
      
      The check that a request with flag SG_FLAG_MMAP_IO set fits in the
      reserve buffer also needs to be performed again under the lock to ensure
      the reserve buffer length compared against matches the value in effect
      when the request is linked to the reserve buffer.  An -ENOMEM should be
      returned in this case, instead of switching over to an indirect buffer
      as for non-MMAP_IO requests.
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2e71dcf
    • Todd Poynor's avatar
      scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE · 0d7592a0
      Todd Poynor authored
      commit 6a8dadcc upstream.
      
      Take f_mutex around mmap() processing to protect against races with the
      SG_SET_RESERVED_SIZE ioctl.  Ensure the reserve buffer length remains
      consistent during the mapping operation, and set the "mmap called" flag
      to prevent further changes to the reserved buffer size as an atomic
      operation with the mapping.
      
      [mkp: fixed whitespace]
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d7592a0
    • Andrey Korolyov's avatar
      cs5536: add support for IDE controller variant · 9a4cabf3
      Andrey Korolyov authored
      commit 591b6bb6 upstream.
      
      Several legacy devices such as Geode-based Cisco ASA appliances
      and DB800 development board do possess CS5536 IDE controller
      with different PCI id than existing one. Using pata_generic is
      not always feasible as at least DB800 requires MSR quirk from
      pata_cs5536 to be used with vendor firmware.
      Signed-off-by: default avatarAndrey Korolyov <andrey@xdel.ru>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a4cabf3
    • Ben Hutchings's avatar
      workqueue: Fix flag collision · 30236499
      Ben Hutchings authored
      commit fbf1c41f upstream.
      
      Commit 0a94efb5 ("workqueue: implicit ordered attribute should be
      overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the
      same value as __WQ_LEGACY.  I don't believe these were intended to
      mean the same thing, so renumber __WQ_ORDERED_EXPLICIT.
      
      Fixes: 0a94efb5 ("workqueue: implicit ordered attribute should be ...")
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30236499
    • Ilia Mirkin's avatar
      drm/nouveau/pci/msi: disable MSI on big-endian platforms by default · 966e3a2d
      Ilia Mirkin authored
      commit bc60c90f upstream.
      
      It appears that MSI does not work on either G5 PPC nor on a E5500-based
      platform, where other hardware is reported to work fine with MSI.
      
      Both tests were conducted with NV4x hardware, so perhaps other (or even
      this) hardware can be made to work. It's still possible to force-enable
      with config=NvMSI=1 on load.
      Signed-off-by: default avatarIlia Mirkin <imirkin@alum.mit.edu>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      966e3a2d
    • Brian Norris's avatar
      mwifiex: correct channel stat buffer overflows · 4a9c294d
      Brian Norris authored
      commit 4b5dde2d upstream.
      
      mwifiex records information about various channels as it receives scan
      information. It does this by appending to a buffer that was sized
      to the max number of supported channels on any band, but there are
      numerous problems:
      
      (a) scans can return info from more than one band (e.g., both 2.4 and 5
          GHz), so the determined "max" is not large enough
      (b) some firmware appears to return multiple results for a given
          channel, so the max *really* isn't large enough
      (c) there is no bounds checking when stashing these stats, so problems
          (a) and (b) can easily lead to buffer overflows
      
      Let's patch this by setting a slightly-more-correct max (that accounts
      for a combination of both 2.4G and 5G bands) and adding a bounds check
      when writing to our statistics buffer.
      
      Due to problem (b), we still might not properly report all known survey
      information (e.g., with "iw <dev> survey dump"), since duplicate results
      (or otherwise "larger than expected" results) will cause some
      truncation. But that's a problem for a future bugfix.
      
      (And because of this known deficiency, only log the excess at the WARN
      level, since that isn't visible by default in this driver and would
      otherwise be a bit too noisy.)
      
      Fixes: bf354433 ("mwifiex: channel statistics support for mwifiex")
      Cc: Avinash Patil <patila@marvell.com>
      Cc: Xinming Hu <huxm@marvell.com>
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Reviewed-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Reviewed-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a9c294d
    • Edwin Török's avatar
      dlm: avoid double-free on error path in dlm_device_{register,unregister} · 926374f5
      Edwin Török authored
      commit 55acdd92 upstream.
      
      Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4):
       # seq 1 100 | xargs -P0 -n1 dlm_tool join
       # seq 1 100 | xargs -P0 -n1 dlm_tool leave
      
      misc_register fails due to duplicate sysfs entry, which causes
      dlm_device_register to free ls->ls_device.name.
      In dlm_device_deregister the name was freed again, causing memory
      corruption.
      
      According to the comment in dlm_device_deregister the name should've been
      set to NULL when registration fails,
      so this patch does that.
      
      sysfs: cannot create duplicate filename '/dev/char/10:1'
      ------------[ cut here ]------------
      warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70
      modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo
      videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev
      btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl
      x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
      snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi
      snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic
      snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec
      cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep
      iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw
      cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore
      sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse
       e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci
      pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video
      cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic
      hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012
      task: ffff96b0cbabe140 task.stack: ffffb199027d0000
      rip: 0010:sysfs_warn_dup+0x56/0x70
      rsp: 0018:ffffb199027d3c58 eflags: 00010282
      rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006
      rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0
      rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721
      r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1
      r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef
      fs:  00007f78069c0700(0000) gs:ffff96b15e240000(0000)
      knlgs:0000000000000000
      cs:  0010 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0
      call trace:
       sysfs_do_create_link_sd.isra.2+0x9e/0xb0
       sysfs_create_link+0x25/0x40
       device_add+0x5a9/0x640
       device_create_groups_vargs+0xe0/0xf0
       device_create_with_groups+0x3f/0x60
       ? snprintf+0x45/0x70
       misc_register+0x140/0x180
       device_write+0x6a8/0x790 [dlm]
       __vfs_write+0x37/0x160
       ? apparmor_file_permission+0x1a/0x20
       ? security_file_permission+0x3b/0xc0
       vfs_write+0xb5/0x1a0
       sys_write+0x55/0xc0
       ? sys_fcntl+0x5d/0xb0
       entry_syscall_64_fastpath+0x1e/0xa9
      rip: 0033:0x7f78083454bd
      rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001
      rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd
      rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005
      rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032
      r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00
      r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70
      code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8
      ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89
      df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
      ---[ end trace 40412246357cc9e0 ]---
      
      dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group...
      bug: unable to handle kernel null pointer dereference at 0000000000000001
      ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      pgd 0
      oops: 0000 [#1] smp
      modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6
      nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod
      aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul
      glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss
      oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4
      hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too
      serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata
      scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6
      cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1
      hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017
      task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000
      rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>]
      kmem_cache_alloc+0x7a/0x140
      rsp: e02b:ffff88000243fd90 eflags: 00010202
      rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c
      rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00
      rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054
      r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0
      r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2
      fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000
      cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660
      stack:
      ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0
      ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2
      ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90
      call trace:
      [<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140
      [<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140
      [<ffffffff8107033e>] copy_process+0xcae/0x1a80
      [<ffffffff8107128b>] _do_fork+0x8b/0x2d0
      [<ffffffff81071579>] sys_clone+0x19/0x20
      [<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71
      ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80
      00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c
      06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63
      rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      rsp <ffff88000243fd90>
      cr2: 0000000000000001
      --[ end trace 70cb9fd1b164a0e8 ]--
      Signed-off-by: default avatarEdwin Török <edvin.torok@citrix.com>
      Signed-off-by: default avatarDavid Teigland <teigland@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      926374f5
    • Dmitry Tunin's avatar
      Bluetooth: Add support of 13d3:3494 RTL8723BE device · bf3a0acc
      Dmitry Tunin authored
      commit a81d72d2 upstream.
      
      T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
      D: Ver= 2.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=13d3 ProdID=3494 Rev= 2.00
      S: Manufacturer=Realtek
      S: Product=Bluetooth Radio
      S: SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
      E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bf3a0acc
    • Malcolm Priestley's avatar
      rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter · ca245a64
      Malcolm Priestley authored
      commit fc81bab5 upstream.
      
      _rtl_pci_find_adapter fail path will jump to label fail3 for
      unsupported adapter types.
      
      However, on course for fail3 there will be call rtl_deinit_core
      before rtl_init_core.
      
      For the inclusion of checking pci_iounmap this fail can be moved to
      fail2.
      
      Fixes
      [    4.492963] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [    4.493067] IP: rtl_deinit_core+0x31/0x90 [rtlwifi]
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca245a64
    • Oscar Campos's avatar
      Input: trackpoint - assume 3 buttons when buttons detection fails · c5b8e1dd
      Oscar Campos authored
      commit 293b915f upstream.
      
      Trackpoint buttons detection fails on ThinkPad 570 and 470 series,
      this makes the middle button of the trackpoint to not being recogized.
      As I don't believe there is any trackpoint with less than 3 buttons this
      patch just assumes three buttons when the extended button information
      read fails.
      Signed-off-by: default avatarOscar Campos <oscar.campos@member.fsf.org>
      Acked-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5b8e1dd
    • Rakesh Pillai's avatar
      ath10k: fix memory leak in rx ring buffer allocation · 2c654940
      Rakesh Pillai authored
      commit f35a7f91 upstream.
      
      The rx ring buffers are added to a hash table if
      firmware support full rx reorder. If the full rx
      reorder support flag is not set before allocating
      the rx ring buffers, none of the buffers are added
      to the hash table.
      
      There is a race condition between rx ring refill and
      rx buffer replenish from napi poll. The interrupts are
      enabled in hif start, before the rx ring is refilled during init.
      We replenish buffers from napi poll due to the interrupts which
      get enabled after hif start. Hence before the entire rx ring is
      refilled during the init, the napi poll replenishes a few buffers
      in steps of 100 buffers per attempt. During this rx ring replenish
      from napi poll, the rx reorder flag has not been set due to which
      the replenished buffers are not added to the hash table
      
      Set the rx full reorder support flag before we allocate
      the rx ring buffer to avoid the memory leak.
      Signed-off-by: default avatarRakesh Pillai <pillair@qti.qualcomm.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Cc: Christian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c654940
    • Alexander Shishkin's avatar
      intel_th: pci: Add Cannon Lake PCH-LP support · 69eeacb5
      Alexander Shishkin authored
      commit efb3669e upstream.
      
      This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-LP.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69eeacb5
    • Alexander Shishkin's avatar
      intel_th: pci: Add Cannon Lake PCH-H support · eb98d15d
      Alexander Shishkin authored
      commit 84331e13 upstream.
      
      This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-H.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb98d15d
    • Christophe JAILLET's avatar
      driver core: bus: Fix a potential double free · 1875ed81
      Christophe JAILLET authored
      commit 0f9b011d upstream.
      
      The .release function of driver_ktype is 'driver_release()'.
      This function frees the container_of this kobject.
      
      So, this memory must not be freed explicitly in the error handling path of
      'bus_add_driver()'. Otherwise a double free will occur.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1875ed81
    • Colin Ian King's avatar
      staging/rts5208: fix incorrect shift to extract upper nybble · f3584d55
      Colin Ian King authored
      commit 34ff1bf4 upstream.
      
      The mask of sns_key_info1 suggests the upper nybble is being extracted
      however the following shift of 8 bits is too large and always results in
      0.  Fix this by shifting only by 4 bits to correctly get the upper nybble.
      
      Detected by CoverityScan, CID#142891 ("Operands don't affect result")
      
      Fixes: fa590c22 ("staging: rts5208: add support for rts5208 and rts5288")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3584d55
    • Douglas Anderson's avatar
      USB: core: Avoid race of async_completed() w/ usbdev_release() · 812e4841
      Douglas Anderson authored
      commit ed62ca2f upstream.
      
      While running reboot tests w/ a specific set of USB devices (and
      slub_debug enabled), I found that once every few hours my device would
      be crashed with a stack that looked like this:
      
      [   14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091
      [   14.012460]  lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu
      [   14.012460] /1025536097, .owner_cpu: 0
      [   14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352
      [   14.012468] Hardware name: Google Kevin (DT)
      [   14.012471] Call trace:
      [   14.012483] [<....>] dump_backtrace+0x0/0x160
      [   14.012487] [<....>] show_stack+0x20/0x28
      [   14.012494] [<....>] dump_stack+0xb4/0xf0
      [   14.012500] [<....>] spin_dump+0x8c/0x98
      [   14.012504] [<....>] spin_bug+0x30/0x3c
      [   14.012508] [<....>] do_raw_spin_lock+0x40/0x164
      [   14.012515] [<....>] _raw_spin_lock_irqsave+0x64/0x74
      [   14.012521] [<....>] __wake_up+0x2c/0x60
      [   14.012528] [<....>] async_completed+0x2d0/0x300
      [   14.012534] [<....>] __usb_hcd_giveback_urb+0xc4/0x138
      [   14.012538] [<....>] usb_hcd_giveback_urb+0x54/0xf0
      [   14.012544] [<....>] xhci_irq+0x1314/0x1348
      [   14.012548] [<....>] usb_hcd_irq+0x40/0x50
      [   14.012553] [<....>] handle_irq_event_percpu+0x1b4/0x3f0
      [   14.012556] [<....>] handle_irq_event+0x4c/0x7c
      [   14.012561] [<....>] handle_fasteoi_irq+0x158/0x1c8
      [   14.012564] [<....>] generic_handle_irq+0x30/0x44
      [   14.012568] [<....>] __handle_domain_irq+0x90/0xbc
      [   14.012572] [<....>] gic_handle_irq+0xcc/0x18c
      
      Investigation using kgdb() found that the wait queue that was passed
      into wake_up() had been freed (it was filled with slub_debug poison).
      
      I analyzed and instrumented the code and reproduced.  My current
      belief is that this is happening:
      
      1. async_completed() is called (from IRQ).  Moves "as" onto the
         completed list.
      2. On another CPU, proc_reapurbnonblock_compat() calls
         async_getcompleted().  Blocks on spinlock.
      3. async_completed() releases the lock; keeps running; gets blocked
         midway through wake_up().
      4. proc_reapurbnonblock_compat() => async_getcompleted() gets the
         lock; removes "as" from completed list and frees it.
      5. usbdev_release() is called.  Frees "ps".
      6. async_completed() finally continues running wake_up().  ...but
         wake_up() has a pointer to the freed "ps".
      
      The instrumentation that led me to believe this was based on adding
      some trace_printk() calls in a select few functions and then using
      kdb's "ftdump" at crash time.  The trace follows (NOTE: in the trace
      below I cheated a little bit and added a udelay(1000) in
      async_completed() after releasing the spinlock because I wanted it to
      trigger quicker):
      
      <...>-2104   0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200
      mtpd-2055    3.... 13759356us : async_getcompleted before spin_lock_irqsave
      mtpd-2055    3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200
      mtpd-2055    3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200)
      mtpd-2055    3.... 13759422us+: async_getcompleted before spin_lock_irqsave
      mtpd-2055    3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080
      mtpd-2055    3.... 13759487us : async_getcompleted before spin_lock_irqsave
      mtpd-2055    3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080
      <...>-2104   0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200
      
      To fix this problem we can just move the wake_up() under the ps->lock.
      There should be no issues there that I'm aware of.
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      812e4841
    • Sandeep Singh's avatar
      usb:xhci:Fix regression when ATI chipsets detected · 9f1d78c6
      Sandeep Singh authored
      commit e6b422b8 upstream.
      
      The following commit cause a regression on ATI chipsets.
      'commit e788787e ("usb:xhci:Add quirk for Certain
      failing HP keyboard on reset after resume")'
      
      This causes pinfo->smbus_dev to be wrongly set to NULL on
      systems with the ATI chipset that this function checks for first.
      
      Added conditional check for AMD chipsets to avoid the overwriting
      pinfo->smbus_dev.
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Fixes: e788787e ("usb:xhci:Add quirk for Certain
      failing HP keyboard on reset after resume")
      cc: Nehal Shah <Nehal-bakulchandra.Shah@amd.com>
      Signed-off-by: default avatarSandeep Singh <Sandeep.Singh@amd.com>
      Signed-off-by: default avatarShyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f1d78c6
    • Dmitry Fleytman's avatar
      usb: Add device quirk for Logitech HD Pro Webcam C920-C · b3e92cd7
      Dmitry Fleytman authored
      commit a1279ef7 upstream.
      
      Commit e0429362
      ("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
      introduced quirk to workaround an issue with some Logitech webcams.
      
      Apparently model C920-C has the same issue so applying
      the same quirk as well.
      
      See aforementioned commit message for detailed explanation of the problem.
      Signed-off-by: default avatarDmitry Fleytman <dmitry@daynix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b3e92cd7
    • Maciej S. Szmigiero's avatar
      USB: serial: option: add support for D-Link DWM-157 C1 · 6e957a81
      Maciej S. Szmigiero authored
      commit 169e8654 upstream.
      
      This commit adds support (an ID, really) for D-Link DWM-157 hardware
      version C1 USB modem to option driver.
      
      According to manufacturer-provided Windows INF file the device has four
      serial ports:
      "D-Link HSPA+DataCard Diagnostics Interface" (interface 2; modem port),
      "D-Link HSPA+DataCard NMEA Device" (interface 3),
      "D-Link HSPA+DataCard Speech Port" (interface 4),
      "D-Link HSPA+DataCard Debug Port" (interface 5).
      
      usb-devices output:
      T:  Bus=05 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7d0e Rev=03.00
      S:  Manufacturer=D-Link,Inc
      S:  Product=D-Link DWM-157
      C:  #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=01 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      Signed-off-by: default avatarMaciej S. Szmigiero <mail@maciej.szmigiero.name>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e957a81
    • Kai-Heng Feng's avatar
      usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard · f7a0f731
      Kai-Heng Feng authored
      commit de3af5bf upstream.
      
      Corsair Strafe RGB keyboard has trouble to initialize:
      
      [ 1.679455] usb 3-6: new full-speed USB device number 4 using xhci_hcd
      [ 6.871136] usb 3-6: unable to read config index 0 descriptor/all
      [ 6.871138] usb 3-6: can't read configurations, error -110
      [ 6.991019] usb 3-6: new full-speed USB device number 5 using xhci_hcd
      [ 12.246642] usb 3-6: unable to read config index 0 descriptor/all
      [ 12.246644] usb 3-6: can't read configurations, error -110
      [ 12.366555] usb 3-6: new full-speed USB device number 6 using xhci_hcd
      [ 17.622145] usb 3-6: unable to read config index 0 descriptor/all
      [ 17.622147] usb 3-6: can't read configurations, error -110
      [ 17.742093] usb 3-6: new full-speed USB device number 7 using xhci_hcd
      [ 22.997715] usb 3-6: unable to read config index 0 descriptor/all
      [ 22.997716] usb 3-6: can't read configurations, error -110
      
      Although it may work after several times unpluging/pluging:
      
      [ 68.195240] usb 3-6: new full-speed USB device number 11 using xhci_hcd
      [ 68.337459] usb 3-6: New USB device found, idVendor=1b1c, idProduct=1b20
      [ 68.337463] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [ 68.337466] usb 3-6: Product: Corsair STRAFE RGB Gaming Keyboard
      [ 68.337468] usb 3-6: Manufacturer: Corsair
      [ 68.337470] usb 3-6: SerialNumber: 0F013021AEB8046755A93ED3F5001941
      
      Tried three quirks: USB_QUIRK_DELAY_INIT, USB_QUIRK_NO_LPM and
      USB_QUIRK_DEVICE_QUALIFIER, user confirmed that USB_QUIRK_DELAY_INIT alone
      can workaround this issue. Hence add the quirk for Corsair Strafe RGB.
      
      BugLink: https://bugs.launchpad.net/bugs/1678477Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7a0f731
  3. 07 Sep, 2017 6 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.87 · 573b59e1
      Greg Kroah-Hartman authored
      573b59e1
    • Stephan Mueller's avatar
      crypto: algif_skcipher - only call put_page on referenced and used pages · d9582749
      Stephan Mueller authored
      commit 445a5827 upstream.
      
      For asynchronous operation, SGs are allocated without a page mapped to
      them or with a page that is not used (ref-counted). If the SGL is freed,
      the code must only call put_page for an SG if there was a page assigned
      and ref-counted in the first place.
      
      This fixes a kernel crash when using io_submit with more than one iocb
      using the sendmsg and sendpage (vmsplice/splice) interface.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      d9582749
    • Oleg Nesterov's avatar
      epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() · ab3ee6b5
      Oleg Nesterov authored
      commit 138e4ad6 upstream.
      
      The race was introduced by me in commit 971316f0 ("epoll:
      ep_unregister_pollwait() can use the freed pwq->whead").  I did not
      realize that nothing can protect eventpoll after ep_poll_callback() sets
      ->whead = NULL, only whead->lock can save us from the race with
      ep_free() or ep_remove().
      
      Move ->whead = NULL to the end of ep_poll_callback() and add the
      necessary barriers.
      
      TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
      before this patch.
      
      Hopefully this explains use-after-free reported by syzcaller:
      
      	BUG: KASAN: use-after-free in debug_spin_lock_before
      	...
      	 _raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
      	 ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148
      
      this is spin_lock(eventpoll->lock),
      
      	...
      	Freed by task 17774:
      	...
      	 kfree+0xe8/0x2c0 mm/slub.c:3883
      	 ep_free+0x22c/0x2a0 fs/eventpoll.c:865
      
      Fixes: 971316f0 ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
      Reported-by: default avatar范龙飞 <long7573@126.com>
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      ab3ee6b5
    • Suzuki K Poulose's avatar
      kvm: arm/arm64: Force reading uncached stage2 PGD · 628212c8
      Suzuki K Poulose authored
      commit 2952a607 upstream.
      
      Make sure we don't use a cached value of the KVM stage2 PGD while
      resetting the PGD.
      
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      628212c8
    • Suzuki K Poulose's avatar
      kvm: arm/arm64: Fix race in resetting stage2 PGD · 57ff696f
      Suzuki K Poulose authored
      commit 6c0d706b upstream.
      
      In kvm_free_stage2_pgd() we check the stage2 PGD before holding
      the lock and proceed to take the lock if it is valid. And we unmap
      the page tables, followed by releasing the lock. We reset the PGD
      only after dropping this lock, which could cause a race condition
      where another thread waiting on or even holding the lock, could
      potentially see that the PGD is still valid and proceed to perform
      a stage2 operation and later encounter a NULL PGD.
      
      [223090.242280] Unable to handle kernel NULL pointer dereference at
      virtual address 00000040
      [223090.262330] PC is at unmap_stage2_range+0x8c/0x428
      [223090.262332] LR is at kvm_unmap_hva_handler+0x2c/0x3c
      [223090.262531] Call trace:
      [223090.262533] [<ffff0000080adb78>] unmap_stage2_range+0x8c/0x428
      [223090.262535] [<ffff0000080adf40>] kvm_unmap_hva_handler+0x2c/0x3c
      [223090.262537] [<ffff0000080ace2c>] handle_hva_to_gpa+0xb0/0x104
      [223090.262539] [<ffff0000080af988>] kvm_unmap_hva+0x5c/0xbc
      [223090.262543] [<ffff0000080a2478>]
      kvm_mmu_notifier_invalidate_page+0x50/0x8c
      [223090.262547] [<ffff0000082274f8>]
      __mmu_notifier_invalidate_page+0x5c/0x84
      [223090.262551] [<ffff00000820b700>] try_to_unmap_one+0x1d0/0x4a0
      [223090.262553] [<ffff00000820c5c8>] rmap_walk+0x1cc/0x2e0
      [223090.262555] [<ffff00000820c90c>] try_to_unmap+0x74/0xa4
      [223090.262557] [<ffff000008230ce4>] migrate_pages+0x31c/0x5ac
      [223090.262561] [<ffff0000081f869c>] compact_zone+0x3fc/0x7ac
      [223090.262563] [<ffff0000081f8ae0>] compact_zone_order+0x94/0xb0
      [223090.262564] [<ffff0000081f91c0>] try_to_compact_pages+0x108/0x290
      [223090.262569] [<ffff0000081d5108>] __alloc_pages_direct_compact+0x70/0x1ac
      [223090.262571] [<ffff0000081d64a0>] __alloc_pages_nodemask+0x434/0x9f4
      [223090.262572] [<ffff0000082256f0>] alloc_pages_vma+0x230/0x254
      [223090.262574] [<ffff000008235e5c>] do_huge_pmd_anonymous_page+0x114/0x538
      [223090.262576] [<ffff000008201bec>] handle_mm_fault+0xd40/0x17a4
      [223090.262577] [<ffff0000081fb324>] __get_user_pages+0x12c/0x36c
      [223090.262578] [<ffff0000081fb804>] get_user_pages_unlocked+0xa4/0x1b8
      [223090.262579] [<ffff0000080a3ce8>] __gfn_to_pfn_memslot+0x280/0x31c
      [223090.262580] [<ffff0000080a3dd0>] gfn_to_pfn_prot+0x4c/0x5c
      [223090.262582] [<ffff0000080af3f8>] kvm_handle_guest_abort+0x240/0x774
      [223090.262584] [<ffff0000080b2bac>] handle_exit+0x11c/0x1ac
      [223090.262586] [<ffff0000080ab99c>] kvm_arch_vcpu_ioctl_run+0x31c/0x648
      [223090.262587] [<ffff0000080a1d78>] kvm_vcpu_ioctl+0x378/0x768
      [223090.262590] [<ffff00000825df5c>] do_vfs_ioctl+0x324/0x5a4
      [223090.262591] [<ffff00000825e26c>] SyS_ioctl+0x90/0xa4
      [223090.262595] [<ffff000008085d84>] el0_svc_naked+0x38/0x3c
      
      This patch moves the stage2 PGD manipulation under the lock.
      Reported-by: default avatarAlexander Graf <agraf@suse.de>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Reviewed-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57ff696f
    • Xiangliang.Yu's avatar
      drm/ttm: Fix accounting error when fail to get pages for pool · 94183009
      Xiangliang.Yu authored
      commit 9afae271 upstream.
      
      When fail to get needed page for pool, need to put allocated pages
      into pool. But current code has a miscalculation of allocated pages,
      correct it.
      Signed-off-by: default avatarXiangliang.Yu <Xiangliang.Yu@amd.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarMonk Liu <monk.liu@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      94183009