1. 16 Feb, 2018 32 commits
    • Jason Wang's avatar
      vhost_net: stop device during reset owner · 711df717
      Jason Wang authored
      
      [ Upstream commit 4cd87951 ]
      
      We don't stop device before reset owner, this means we could try to
      serve any virtqueue kick before reset dev->worker. This will result a
      warn since the work was pending at llist during owner resetting. Fix
      this by stopping device during owner reset.
      
      Reported-by: syzbot+eb17c6162478cc50632c@syzkaller.appspotmail.com
      Fixes: 3a4d5c94 ("vhost_net: a kernel-level virtio server")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      711df717
    • Li RongQing's avatar
      tcp: release sk_frag.page in tcp_disconnect · 117991ed
      Li RongQing authored
      
      [ Upstream commit 9b42d55a ]
      
      socket can be disconnected and gets transformed back to a listening
      socket, if sk_frag.page is not released, which will be cloned into
      a new socket by sk_clone_lock, but the reference count of this page
      is increased, lead to a use after free or double free issue
      Signed-off-by: default avatarLi RongQing <lirongqing@baidu.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      117991ed
    • Chunhao Lin's avatar
      r8169: fix RTL8168EP take too long to complete driver initialization. · 9a0ef3cc
      Chunhao Lin authored
      
      [ Upstream commit 086ca23d ]
      
      Driver check the wrong register bit in rtl_ocp_tx_cond() that keep driver
      waiting until timeout.
      
      Fix this by waiting for the right register bit.
      Signed-off-by: default avatarChunhao Lin <hau@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a0ef3cc
    • Junxiao Bi's avatar
      qlcnic: fix deadlock bug · 3cdf2975
      Junxiao Bi authored
      
      [ Upstream commit 233ac389 ]
      
      The following soft lockup was caught. This is a deadlock caused by
      recusive locking.
      
      Process kworker/u40:1:28016 was holding spin lock "mbx->queue_lock" in
      qlcnic_83xx_mailbox_worker(), while a softirq came in and ask the same spin
      lock in qlcnic_83xx_enqueue_mbx_cmd(). This lock should be hold by disable
      bh..
      
      [161846.962125] NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [kworker/u40:1:28016]
      [161846.962367] Modules linked in: tun ocfs2 xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn xenfs xen_privcmd autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc fcoe libfcoe libfc sunrpc 8021q mrp garp bridge stp llc bonding dm_round_robin dm_multipath iTCO_wdt iTCO_vendor_support pcspkr sb_edac edac_core i2c_i801 shpchp lpc_ich mfd_core ioatdma ipmi_devintf ipmi_si ipmi_msghandler sg ext4 jbd2 mbcache2 sr_mod cdrom sd_mod igb i2c_algo_bit i2c_core ahci libahci megaraid_sas ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel qla2xxx scsi_transport_fc qlcnic crc32c_intel be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi dm_mirror dm_region_hash dm_log dm_mod
      [161846.962454]
      [161846.962460] CPU: 1 PID: 28016 Comm: kworker/u40:1 Not tainted 4.1.12-94.5.9.el6uek.x86_64 #2
      [161846.962463] Hardware name: Oracle Corporation SUN SERVER X4-2L      /ASSY,MB,X4-2L         , BIOS 26050100 09/19/2017
      [161846.962489] Workqueue: qlcnic_mailbox qlcnic_83xx_mailbox_worker [qlcnic]
      [161846.962493] task: ffff8801f2e34600 ti: ffff88004ca5c000 task.ti: ffff88004ca5c000
      [161846.962496] RIP: e030:[<ffffffff810013aa>]  [<ffffffff810013aa>] xen_hypercall_sched_op+0xa/0x20
      [161846.962506] RSP: e02b:ffff880202e43388  EFLAGS: 00000206
      [161846.962509] RAX: 0000000000000000 RBX: ffff8801f6996b70 RCX: ffffffff810013aa
      [161846.962511] RDX: ffff880202e433cc RSI: ffff880202e433b0 RDI: 0000000000000003
      [161846.962513] RBP: ffff880202e433d0 R08: 0000000000000000 R09: ffff8801fe893200
      [161846.962516] R10: ffff8801fe400538 R11: 0000000000000206 R12: ffff880202e4b000
      [161846.962518] R13: 0000000000000050 R14: 0000000000000001 R15: 000000000000020d
      [161846.962528] FS:  0000000000000000(0000) GS:ffff880202e40000(0000) knlGS:ffff880202e40000
      [161846.962531] CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
      [161846.962533] CR2: 0000000002612640 CR3: 00000001bb796000 CR4: 0000000000042660
      [161846.962536] Stack:
      [161846.962538]  ffff880202e43608 0000000000000000 ffffffff813f0442 ffff880202e433b0
      [161846.962543]  0000000000000000 ffff880202e433cc ffffffff00000001 0000000000000000
      [161846.962547]  00000009813f03d6 ffff880202e433e0 ffffffff813f0460 ffff880202e43440
      [161846.962552] Call Trace:
      [161846.962555]  <IRQ>
      [161846.962565]  [<ffffffff813f0442>] ? xen_poll_irq_timeout+0x42/0x50
      [161846.962570]  [<ffffffff813f0460>] xen_poll_irq+0x10/0x20
      [161846.962578]  [<ffffffff81014222>] xen_lock_spinning+0xe2/0x110
      [161846.962583]  [<ffffffff81013f01>] __raw_callee_save_xen_lock_spinning+0x11/0x20
      [161846.962592]  [<ffffffff816e5c57>] ? _raw_spin_lock+0x57/0x80
      [161846.962609]  [<ffffffffa028acfc>] qlcnic_83xx_enqueue_mbx_cmd+0x7c/0xe0 [qlcnic]
      [161846.962623]  [<ffffffffa028e008>] qlcnic_83xx_issue_cmd+0x58/0x210 [qlcnic]
      [161846.962636]  [<ffffffffa028caf2>] qlcnic_83xx_sre_macaddr_change+0x162/0x1d0 [qlcnic]
      [161846.962649]  [<ffffffffa028cb8b>] qlcnic_83xx_change_l2_filter+0x2b/0x30 [qlcnic]
      [161846.962657]  [<ffffffff8160248b>] ? __skb_flow_dissect+0x18b/0x650
      [161846.962670]  [<ffffffffa02856e5>] qlcnic_send_filter+0x205/0x250 [qlcnic]
      [161846.962682]  [<ffffffffa0285c77>] qlcnic_xmit_frame+0x547/0x7b0 [qlcnic]
      [161846.962691]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
      [161846.962696]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
      [161846.962701]  [<ffffffff81630112>] sch_direct_xmit+0x112/0x220
      [161846.962706]  [<ffffffff8160b80f>] __dev_queue_xmit+0x1df/0x5e0
      [161846.962710]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
      [161846.962721]  [<ffffffffa0575bd5>] bond_dev_queue_xmit+0x35/0x80 [bonding]
      [161846.962729]  [<ffffffffa05769fb>] __bond_start_xmit+0x1cb/0x210 [bonding]
      [161846.962736]  [<ffffffffa0576a71>] bond_start_xmit+0x31/0x60 [bonding]
      [161846.962740]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
      [161846.962745]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
      [161846.962749]  [<ffffffff8160bb1e>] __dev_queue_xmit+0x4ee/0x5e0
      [161846.962754]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
      [161846.962760]  [<ffffffffa05cfa72>] vlan_dev_hard_start_xmit+0xb2/0x150 [8021q]
      [161846.962764]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
      [161846.962769]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
      [161846.962773]  [<ffffffff8160bb1e>] __dev_queue_xmit+0x4ee/0x5e0
      [161846.962777]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
      [161846.962789]  [<ffffffffa05adf74>] br_dev_queue_push_xmit+0x54/0xa0 [bridge]
      [161846.962797]  [<ffffffffa05ae4ff>] br_forward_finish+0x2f/0x90 [bridge]
      [161846.962807]  [<ffffffff810b0dad>] ? ttwu_do_wakeup+0x1d/0x100
      [161846.962811]  [<ffffffff815f929b>] ? __alloc_skb+0x8b/0x1f0
      [161846.962818]  [<ffffffffa05ae04d>] __br_forward+0x8d/0x120 [bridge]
      [161846.962822]  [<ffffffff815f613b>] ? __kmalloc_reserve+0x3b/0xa0
      [161846.962829]  [<ffffffff810be55e>] ? update_rq_runnable_avg+0xee/0x230
      [161846.962836]  [<ffffffffa05ae176>] br_forward+0x96/0xb0 [bridge]
      [161846.962845]  [<ffffffffa05af85e>] br_handle_frame_finish+0x1ae/0x420 [bridge]
      [161846.962853]  [<ffffffffa05afc4f>] br_handle_frame+0x17f/0x260 [bridge]
      [161846.962862]  [<ffffffffa05afad0>] ? br_handle_frame_finish+0x420/0x420 [bridge]
      [161846.962867]  [<ffffffff8160d057>] __netif_receive_skb_core+0x1f7/0x870
      [161846.962872]  [<ffffffff8160d6f2>] __netif_receive_skb+0x22/0x70
      [161846.962877]  [<ffffffff8160d913>] netif_receive_skb_internal+0x23/0x90
      [161846.962884]  [<ffffffffa07512ea>] ? xenvif_idx_release+0xea/0x100 [xen_netback]
      [161846.962889]  [<ffffffff816e5a10>] ? _raw_spin_unlock_irqrestore+0x20/0x50
      [161846.962893]  [<ffffffff8160e624>] netif_receive_skb_sk+0x24/0x90
      [161846.962899]  [<ffffffffa075269a>] xenvif_tx_submit+0x2ca/0x3f0 [xen_netback]
      [161846.962906]  [<ffffffffa0753f0c>] xenvif_tx_action+0x9c/0xd0 [xen_netback]
      [161846.962915]  [<ffffffffa07567f5>] xenvif_poll+0x35/0x70 [xen_netback]
      [161846.962920]  [<ffffffff8160e01b>] napi_poll+0xcb/0x1e0
      [161846.962925]  [<ffffffff8160e1c0>] net_rx_action+0x90/0x1c0
      [161846.962931]  [<ffffffff8108aaba>] __do_softirq+0x10a/0x350
      [161846.962938]  [<ffffffff8108ae75>] irq_exit+0x125/0x130
      [161846.962943]  [<ffffffff813f03a9>] xen_evtchn_do_upcall+0x39/0x50
      [161846.962950]  [<ffffffff816e7ffe>] xen_do_hypervisor_callback+0x1e/0x40
      [161846.962952]  <EOI>
      [161846.962959]  [<ffffffff816e5c4a>] ? _raw_spin_lock+0x4a/0x80
      [161846.962964]  [<ffffffff816e5b1e>] ? _raw_spin_lock_irqsave+0x1e/0xa0
      [161846.962978]  [<ffffffffa028e279>] ? qlcnic_83xx_mailbox_worker+0xb9/0x2a0 [qlcnic]
      [161846.962991]  [<ffffffff810a14e1>] ? process_one_work+0x151/0x4b0
      [161846.962995]  [<ffffffff8100c3f2>] ? check_events+0x12/0x20
      [161846.963001]  [<ffffffff810a1960>] ? worker_thread+0x120/0x480
      [161846.963005]  [<ffffffff816e187b>] ? __schedule+0x30b/0x890
      [161846.963010]  [<ffffffff810a1840>] ? process_one_work+0x4b0/0x4b0
      [161846.963015]  [<ffffffff810a1840>] ? process_one_work+0x4b0/0x4b0
      [161846.963021]  [<ffffffff810a6b3e>] ? kthread+0xce/0xf0
      [161846.963025]  [<ffffffff810a6a70>] ? kthread_freezable_should_stop+0x70/0x70
      [161846.963031]  [<ffffffff816e6522>] ? ret_from_fork+0x42/0x70
      [161846.963035]  [<ffffffff810a6a70>] ? kthread_freezable_should_stop+0x70/0x70
      [161846.963037] Code: cc 51 41 53 b8 1c 00 00 00 0f 05 41 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 51 41 53 b8 1d 00 00 00 0f 05 <41> 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cdf2975
    • Eric Dumazet's avatar
      net: igmp: add a missing rcu locking section · 47b32f06
      Eric Dumazet authored
      
      [ Upstream commit e7aadb27 ]
      
      Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
      
      Timer callbacks do not ensure this locking.
      
      =============================
      WARNING: suspicious RCU usage
      4.15.0+ #200 Not tainted
      -----------------------------
      ./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      3 locks held by syzkaller616973/4074:
       #0:  (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
       #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
       #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
       #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
       #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600
      
      stack backtrace:
      CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
       __in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
       igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
       igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
       add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
       add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
       igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
       igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
       igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
       call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
       expire_timers kernel/time/timer.c:1363 [inline]
       __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
       run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
       __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
       invoke_softirq kernel/softirq.c:365 [inline]
       irq_exit+0x1cc/0x200 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:541 [inline]
       smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
       apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
      
      Fixes: a46182b0 ("net: igmp: Use correct source address on IGMPv3 reports")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47b32f06
    • Nikolay Aleksandrov's avatar
      ip6mr: fix stale iterator · fff4f776
      Nikolay Aleksandrov authored
      
      [ Upstream commit 4adfa79f ]
      
      When we dump the ip6mr mfc entries via proc, we initialize an iterator
      with the table to dump but we don't clear the cache pointer which might
      be initialized from a prior read on the same descriptor that ended. This
      can result in lock imbalance (an unnecessary unlock) leading to other
      crashes and hangs. Clear the cache pointer like ipmr does to fix the issue.
      Thanks for the reliable reproducer.
      
      Here's syzbot's trace:
       WARNING: bad unlock balance detected!
       4.15.0-rc3+ #128 Not tainted
       syzkaller971460/3195 is trying to release lock (mrt_lock) at:
       [<000000006898068d>] ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
       but there are no more locks to release!
      
       other info that might help us debug this:
       1 lock held by syzkaller971460/3195:
        #0:  (&p->lock){+.+.}, at: [<00000000744a6565>] seq_read+0xd5/0x13d0
       fs/seq_file.c:165
      
       stack backtrace:
       CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
       Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
       Google 01/01/2011
       Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x194/0x257 lib/dump_stack.c:53
        print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3561
        __lock_release kernel/locking/lockdep.c:3775 [inline]
        lock_release+0x5f9/0xda0 kernel/locking/lockdep.c:4023
        __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
        _raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255
        ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
        traverse+0x3bc/0xa00 fs/seq_file.c:135
        seq_read+0x96a/0x13d0 fs/seq_file.c:189
        proc_reg_read+0xef/0x170 fs/proc/inode.c:217
        do_loop_readv_writev fs/read_write.c:673 [inline]
        do_iter_read+0x3db/0x5b0 fs/read_write.c:897
        compat_readv+0x1bf/0x270 fs/read_write.c:1140
        do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
        C_SYSC_preadv fs/read_write.c:1209 [inline]
        compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
        do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
        do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
        entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
       RIP: 0023:0xf7f73c79
       RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
       RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
       RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
       RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
       R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       BUG: sleeping function called from invalid context at lib/usercopy.c:25
       in_atomic(): 1, irqs_disabled(): 0, pid: 3195, name: syzkaller971460
       INFO: lockdep is turned off.
       CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
       Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
       Google 01/01/2011
       Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x194/0x257 lib/dump_stack.c:53
        ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060
        __might_sleep+0x95/0x190 kernel/sched/core.c:6013
        __might_fault+0xab/0x1d0 mm/memory.c:4525
        _copy_to_user+0x2c/0xc0 lib/usercopy.c:25
        copy_to_user include/linux/uaccess.h:155 [inline]
        seq_read+0xcb4/0x13d0 fs/seq_file.c:279
        proc_reg_read+0xef/0x170 fs/proc/inode.c:217
        do_loop_readv_writev fs/read_write.c:673 [inline]
        do_iter_read+0x3db/0x5b0 fs/read_write.c:897
        compat_readv+0x1bf/0x270 fs/read_write.c:1140
        do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
        C_SYSC_preadv fs/read_write.c:1209 [inline]
        compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
        do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
        do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
        entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
       RIP: 0023:0xf7f73c79
       RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
       RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
       RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
       RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
       R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       WARNING: CPU: 1 PID: 3195 at lib/usercopy.c:26 _copy_to_user+0xb5/0xc0
       lib/usercopy.c:26
      Reported-by: default avatarsyzbot <bot+eceb3204562c41a438fa1f2335e0fe4f6886d669@syzkaller.appspotmail.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fff4f776
    • Josh Poimboeuf's avatar
      x86/asm: Fix inline asm call constraints for GCC 4.4 · 69f9dc4b
      Josh Poimboeuf authored
      commit 520a13c5 upstream.
      
      The kernel test bot (run by Xiaolong Ye) reported that the following commit:
      
        f5caf621 ("x86/asm: Fix inline asm call constraints for Clang")
      
      is causing double faults in a kernel compiled with GCC 4.4.
      
      Linus subsequently diagnosed the crash pattern and the buggy commit and found that
      the issue is with this code:
      
        register unsigned int __asm_call_sp asm("esp");
        #define ASM_CALL_CONSTRAINT "+r" (__asm_call_sp)
      
      Even on a 64-bit kernel, it's using ESP instead of RSP.  That causes GCC
      to produce the following bogus code:
      
        ffffffff8147461d:       89 e0                   mov    %esp,%eax
        ffffffff8147461f:       4c 89 f7                mov    %r14,%rdi
        ffffffff81474622:       4c 89 fe                mov    %r15,%rsi
        ffffffff81474625:       ba 20 00 00 00          mov    $0x20,%edx
        ffffffff8147462a:       89 c4                   mov    %eax,%esp
        ffffffff8147462c:       e8 bf 52 05 00          callq  ffffffff814c98f0 <copy_user_generic_unrolled>
      
      Despite the absurdity of it backing up and restoring the stack pointer
      for no reason, the bug is actually the fact that it's only backing up
      and restoring the lower 32 bits of the stack pointer.  The upper 32 bits
      are getting cleared out, corrupting the stack pointer.
      
      So change the '__asm_call_sp' register variable to be associated with
      the actual full-size stack pointer.
      
      This also requires changing the __ASM_SEL() macro to be based on the
      actual compiled arch size, rather than the CONFIG value, because
      CONFIG_X86_64 compiles some files with '-m32' (e.g., realmode and vdso).
      Otherwise Clang fails to build the kernel because it complains about the
      use of a 64-bit register (RSP) in a 32-bit file.
      Reported-and-Bisected-and-Tested-by: default avatarkernel test robot <xiaolong.ye@intel.com>
      Diagnosed-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Dmitriy Vyukov <dvyukov@google.com>
      Cc: LKP <lkp@01.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matthias Kaehlcke <mka@chromium.org>
      Cc: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: f5caf621 ("x86/asm: Fix inline asm call constraints for Clang")
      Link: http://lkml.kernel.org/r/20170928215826.6sdpmwtkiydiytim@trebleSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Matthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69f9dc4b
    • Laurent Pinchart's avatar
      drm: rcar-du: Fix race condition when disabling planes at CRTC stop · eb0a0e27
      Laurent Pinchart authored
      commit 641307df upstream.
      
      When stopping the CRTC the driver must disable all planes and wait for
      the change to take effect at the next vblank. Merely calling
      drm_crtc_wait_one_vblank() is not enough, as the function doesn't
      include any mechanism to handle the race with vblank interrupts.
      
      Replace the drm_crtc_wait_one_vblank() call with a manual mechanism that
      handles the vblank interrupt race.
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Reviewed-by: default avatarKieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Signed-off-by: default avatarthongsyho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb0a0e27
    • Laurent Pinchart's avatar
      drm: rcar-du: Use the VBK interrupt for vblank events · a2f17cb2
      Laurent Pinchart authored
      commit cbbb90b0 upstream.
      
      When implementing support for interlaced modes, the driver switched from
      reporting vblank events on the vertical blanking (VBK) interrupt to the
      frame end interrupt (FRM). This incorrectly divided the reported refresh
      rate by two. Fix it by moving back to the VBK interrupt.
      
      Fixes: 906eff7f ("drm: rcar-du: Implement support for interlaced modes")
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Reviewed-by: default avatarKieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Signed-off-by: default avatarthongsyho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2f17cb2
    • Kuninori Morimoto's avatar
      ASoC: rsnd: avoid duplicate free_irq() · 1e5ed917
      Kuninori Morimoto authored
      commit e0936c34 upstream.
      
      commit 1f8754d4 ("ASoC: rsnd: don't call free_irq() on
      Parent SSI") fixed Parent SSI duplicate free_irq().
      But on Renesas Sound, not only Parent SSI but also Multi SSI
      have same issue.
      This patch avoid duplicate free_irq() if it was not pure SSI.
      
      Fixes: 1f8754d4 ("ASoC: rsnd: don't call free_irq() on Parent SSI")
      Signed-off-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarthongsyho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e5ed917
    • Kuninori Morimoto's avatar
      ASoC: rsnd: don't call free_irq() on Parent SSI · e09eea94
      Kuninori Morimoto authored
      commit 1f8754d4 upstream.
      
      If SSI uses shared pin, some SSI will be used as parent SSI.
      Then, normal SSI's remove and Parent SSI's remove
      (these are same SSI) will be called when unbind or remove timing.
      In this case, free_irq() will be called twice.
      This patch solve this issue.
      Signed-off-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Tested-by: default avatarHiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
      Reported-by: default avatarHiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarthongsyho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e09eea94
    • Julian Scheel's avatar
      ASoC: simple-card: Fix misleading error message · 69fcbf02
      Julian Scheel authored
      commit 7ac45d16 upstream.
      
      In case cpu could not be found the error message would always refer to
      /codec/ not being found in DT. Fix this by catching the cpu node not found
      case explicitly.
      Signed-off-by: default avatarJulian Scheel <julian@jusst.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarthongsyho <thong.ho.px@rvc.renesas.com>
      Signed-off-by: default avatarNhan Nguyen <nhan.nguyen.yb@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69fcbf02
    • Matthias Hintzmann's avatar
      net: cdc_ncm: initialize drvflags before usage · 197ceb5f
      Matthias Hintzmann authored
      ctx->drvflags is checked in the if clause before beeing initialized.
      Move initialization before first usage.
      
      Note, that the if clause was backported with commit 75f82a70
      ("cdc_ncm: Set NTB format again after altsetting switch for Huawei
      devices") from mainline (upstream commit 2b02c20c ("cdc_ncm: Set NTB
      format again after altsetting switch for Huawei devices").  In mainline,
      the initialization is at the right place before the if clause.
      
      [mrkiko.rs@gmail.com: commit message tweaks]
      
      Fixes: 75f82a70 ("cdc_ncm: Set NTB format again after altsetting switch for Huawei devices")
      Signed-off-by: default avatarMatthias Hintzmann <matthias.dev@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      197ceb5f
    • Shuah Khan's avatar
      usbip: fix 3eee23c3ec14 tcp_socket address still in the status file · 1a2018a7
      Shuah Khan authored
      Commit 3eee23c3ec14 ("usbip: prevent vhci_hcd driver from leaking a
      socket pointer address") backported the following commit from mailine.
      However, backport error caused the tcp_socket address to still leak.
      
      commit 2f2d0088 ("usbip: prevent vhci_hcd driver from leaking a
      socket pointer address")
      
      When a client has a USB device attached over IP, the vhci_hcd driver is
      locally leaking a socket pointer address via the
      
      /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
      output when "usbip --debug port" is run.
      
      Fix it to not leak. The socket pointer address is not used at the moment
      and it was made visible as a convenient way to find IP address from
      socket pointer address by looking up /proc/net/{tcp,tcp6}.
      
      As this opens a security hole, the fix replaces socket pointer address
      with sockfd.
      Reported-by: default avatarEric Biggers <ebiggers3@gmail.com>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a2018a7
    • Shuah Khan's avatar
      usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit · c8e40901
      Shuah Khan authored
      Upstream commit 1c9de5bf ("usbip: vhci-hcd: Add USB3 SuperSpeed
      support")
      
      vhci_hcd clears all the bits port_status bits instead of clearing
      just the USB_PORT_STAT_POWER bit when it handles ClearPortFeature:
      USB_PORT_FEAT_POWER. This causes vhci_hcd attach to fail in a bad
      state, leaving device unusable by the client. The device is still
      attached and however client can't use it.
      
      The problem was fixed as part of larger change to add USB3 Super Speed
      support.
      
      This patch isolates the one line fix to clear the USB_PORT_STAT_POWER
      from the original patch.
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8e40901
    • Jesse Chan's avatar
      ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE · f056ba2f
      Jesse Chan authored
      commit 0cab20ce upstream.
      
      This change resolves a new compile-time warning
      when built as a loadable module:
      
      WARNING: modpost: missing MODULE_LICENSE() in sound/soc/codecs/snd-soc-pcm512x-spi.o
      see include/linux/module.h for more information
      
      This adds the license as "GPL v2", which matches the header of the file.
      
      MODULE_DESCRIPTION and MODULE_AUTHOR are also added.
      Signed-off-by: default avatarJesse Chan <jc@linux.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f056ba2f
    • Michael Ellerman's avatar
      powerpc/64s: Allow control of RFI flush via debugfs · b074e0bd
      Michael Ellerman authored
      commit 236003e6 upstream.
      
      Expose the state of the RFI flush (enabled/disabled) via debugfs, and
      allow it to be enabled/disabled at runtime.
      
      eg: $ cat /sys/kernel/debug/powerpc/rfi_flush
          1
          $ echo 0 > /sys/kernel/debug/powerpc/rfi_flush
          $ cat /sys/kernel/debug/powerpc/rfi_flush
          0
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b074e0bd
    • Michael Ellerman's avatar
      powerpc/64s: Wire up cpu_show_meltdown() · 1e8014e7
      Michael Ellerman authored
      commit fd6e440f upstream.
      
      The recent commit 87590ce6 ("sysfs/cpu: Add vulnerability folder")
      added a generic folder and set of files for reporting information on
      CPU vulnerabilities. One of those was for meltdown:
      
        /sys/devices/system/cpu/vulnerabilities/meltdown
      
      This commit wires up that file for 64-bit Book3S powerpc.
      
      For now we default to "Vulnerable" unless the RFI flush is enabled.
      That may not actually be true on all hardware, further patches will
      refine the reporting based on the CPU/platform etc. But for now we
      default to being pessimists.
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e8014e7
    • Oliver O'Halloran's avatar
      powerpc/powernv: Check device-tree for RFI flush settings · 95e4f102
      Oliver O'Halloran authored
      commit 6e032b35 upstream.
      
      New device-tree properties are available which tell the hypervisor
      settings related to the RFI flush. Use them to determine the
      appropriate flush instruction to use, and whether the flush is
      required.
      Signed-off-by: default avatarOliver O'Halloran <oohall@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95e4f102
    • Michael Neuling's avatar
      powerpc/pseries: Query hypervisor for RFI flush settings · a46ca307
      Michael Neuling authored
      commit 8989d568 upstream.
      
      A new hypervisor call is available which tells the guest settings
      related to the RFI flush. Use it to query the appropriate flush
      instruction(s), and whether the flush is required.
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      a46ca307
    • Michael Ellerman's avatar
      powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti · 11c76e64
      Michael Ellerman authored
      commit bc9c9304 upstream.
      
      Because there may be some performance overhead of the RFI flush, add
      kernel command line options to disable it.
      
      We add a sensibly named 'no_rfi_flush' option, but we also hijack the
      x86 option 'nopti'. The RFI flush is not the same as KPTI, but if we
      see 'nopti' we can guess that the user is trying to avoid any overhead
      of Meltdown mitigations, and it means we don't have to educate every
      one about a different command line option.
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      11c76e64
    • Michael Ellerman's avatar
      powerpc/64s: Add support for RFI flush of L1-D cache · c3892946
      Michael Ellerman authored
      commit aa8a5e00 upstream.
      
      On some CPUs we can prevent the Meltdown vulnerability by flushing the
      L1-D cache on exit from kernel to user mode, and from hypervisor to
      guest.
      
      This is known to be the case on at least Power7, Power8 and Power9. At
      this time we do not know the status of the vulnerability on other CPUs
      such as the 970 (Apple G5), pasemi CPUs (AmigaOne X1000) or Freescale
      CPUs. As more information comes to light we can enable this, or other
      mechanisms on those CPUs.
      
      The vulnerability occurs when the load of an architecturally
      inaccessible memory region (eg. userspace load of kernel memory) is
      speculatively executed to the point where its result can influence the
      address of a subsequent speculatively executed load.
      
      In order for that to happen, the first load must hit in the L1,
      because before the load is sent to the L2 the permission check is
      performed. Therefore if no kernel addresses hit in the L1 the
      vulnerability can not occur. We can ensure that is the case by
      flushing the L1 whenever we return to userspace. Similarly for
      hypervisor vs guest.
      
      In order to flush the L1-D cache on exit, we add a section of nops at
      each (h)rfi location that returns to a lower privileged context, and
      patch that with some sequence. Newer firmwares are able to advertise
      to us that there is a special nop instruction that flushes the L1-D.
      If we do not see that advertised, we fall back to doing a displacement
      flush in software.
      
      For guest kernels we support migration between some CPU versions, and
      different CPUs may use different flush instructions. So that we are
      prepared to migrate to a machine with a different flush instruction
      activated, we may have to patch more than one flush instruction at
      boot if the hypervisor tells us to.
      
      In the end this patch is mostly the work of Nicholas Piggin and
      Michael Ellerman. However a cast of thousands contributed to analysis
      of the issue, earlier versions of the patch, back ports testing etc.
      Many thanks to all of them.
      Tested-by: default avatarJon Masters <jcm@redhat.com>
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      [Balbir - back ported to stable with changes]
      Signed-off-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3892946
    • Nicholas Piggin's avatar
      powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL · 973439da
      Nicholas Piggin authored
      commit c7305645 upstream.
      
      In the SLB miss handler we may be returning to user or kernel. We need
      to add a check early on and save the result in the cr4 register, and
      then we bifurcate the return path based on that.
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      [mpe: Backport to 4.4 based on patch from Balbir]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      973439da
    • Nicholas Piggin's avatar
      powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL · 8dd311f1
      Nicholas Piggin authored
      commit b8e90cb7 upstream.
      
      In the syscall exit path we may be returning to user or kernel
      context. We already have a test for that, because we conditionally
      restore r13. So use that existing test and branch, and bifurcate the
      return based on that.
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8dd311f1
    • Nicholas Piggin's avatar
      powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL · 9bfecafe
      Nicholas Piggin authored
      commit a08f828c upstream.
      
      Similar to the syscall return path, in fast_exception_return we may be
      returning to user or kernel context. We already have a test for that,
      because we conditionally restore r13. So use that existing test and
      branch, and bifurcate the return based on that.
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9bfecafe
    • Nicholas Piggin's avatar
      powerpc/64s: Simple RFI macro conversions · 7ca8316c
      Nicholas Piggin authored
      commit 222f20f1 upstream.
      
      This commit does simple conversions of rfi/rfid to the new macros that
      include the expected destination context. By simple we mean cases
      where there is a single well known destination context, and it's
      simply a matter of substituting the instruction for the appropriate
      macro.
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      [Balbir fixed issues with backporting to stable]
      Signed-off-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ca8316c
    • Nicholas Piggin's avatar
      powerpc/64: Add macros for annotating the destination of rfid/hrfid · a8a9925f
      Nicholas Piggin authored
      commit 50e51c13 upstream.
      
      The rfid/hrfid ((Hypervisor) Return From Interrupt) instruction is
      used for switching from the kernel to userspace, and from the
      hypervisor to the guest kernel. However it can and is also used for
      other transitions, eg. from real mode kernel code to virtual mode
      kernel code, and it's not always clear from the code what the
      destination context is.
      
      To make it clearer when reading the code, add macros which encode the
      expected destination context.
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8a9925f
    • Michael Neuling's avatar
      powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper · e1c11440
      Michael Neuling authored
      commit 191eccb1 upstream.
      
      A new hypervisor call has been defined to communicate various
      characteristics of the CPU to guests. Add definitions for the hcall
      number, flags and a wrapper function.
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      [Balbir fixed conflicts in backport]
      Signed-off-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1c11440
    • Alan Modra's avatar
      powerpc: Simplify module TOC handling · fa343035
      Alan Modra authored
      commit c153693d upstream.
      
      PowerPC64 uses the symbol .TOC. much as other targets use
      _GLOBAL_OFFSET_TABLE_. It identifies the value of the GOT pointer (or in
      powerpc parlance, the TOC pointer). Global offset tables are generally
      local to an executable or shared library, or in the kernel, module. Thus
      it does not make sense for a module to resolve a relocation against
      .TOC. to the kernel's .TOC. value. A module has its own .TOC., and
      indeed the powerpc64 module relocation processing ignores the kernel
      value of .TOC. and instead calculates a module-local value.
      
      This patch removes code involved in exporting the kernel .TOC., tweaks
      modpost to ignore an undefined .TOC., and the module loader to twiddle
      the section symbol so that .TOC. isn't seen as undefined.
      
      Note that if the kernel was compiled with -msingle-pic-base then ELFv2
      would not have function global entry code setting up r2. In that case
      the module call stubs would need to be modified to set up r2 using the
      kernel .TOC. value, requiring some of this code to be reinstated.
      
      mpe: Furthermore a change in binutils master (not yet released) causes
      the current way we handle the TOC to no longer work when building with
      MODVERSIONS=y and RELOCATABLE=n. The symptom is that modules can not be
      loaded due to there being no version found for TOC.
      Signed-off-by: default avatarAlan Modra <amodra@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa343035
    • Benjamin Herrenschmidt's avatar
      powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC · e1397247
      Benjamin Herrenschmidt authored
      commit 5a69aec9 upstream.
      
      VSX uses a combination of the old vector registers, the old FP
      registers and new "second halves" of the FP registers.
      
      Thus when we need to see the VSX state in the thread struct
      (flush_vsx_to_thread()) or when we'll use the VSX in the kernel
      (enable_kernel_vsx()) we need to ensure they are all flushed into
      the thread struct if either of them is individually enabled.
      
      Unfortunately we only tested if the whole VSX was enabled, not if they
      were individually enabled.
      
      Fixes: 72cd7b44 ("powerpc: Uncomment and make enable_kernel_vsx() routine available")
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [mpe: Backported due to changed context]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1397247
    • Oliver O'Halloran's avatar
      powerpc/64: Fix flush_(d|i)cache_range() called from modules · 1f675813
      Oliver O'Halloran authored
      commit 8f5f525d upstream.
      
      When the kernel is compiled to use 64bit ABIv2 the _GLOBAL() macro does
      not include a global entry point. A function's global entry point is
      used when the function is called from a different TOC context and in the
      kernel this typically means a call from a module into the vmlinux (or
      vice-versa).
      
      There are a few exported asm functions declared with _GLOBAL() and
      calling them from a module will likely crash the kernel since any TOC
      relative load will yield garbage.
      
      flush_icache_range() and flush_dcache_range() are both exported to
      modules, and use the TOC, so must use _GLOBAL_TOC().
      
      Fixes: 721aeaa9 ("powerpc: Build little endian ppc64 kernel with ABIv2")
      Signed-off-by: default avatarOliver O'Halloran <oohall@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f675813
    • Naveen N. Rao's avatar
      powerpc/bpf/jit: Disable classic BPF JIT on ppc64le · 98c977e6
      Naveen N. Rao authored
      commit 844e3be4 upstream.
      
      Classic BPF JIT was never ported completely to work on little endian
      powerpc. However, it can be enabled and will crash the system when used.
      As such, disable use of BPF JIT on ppc64le.
      
      Fixes: 7c105b63 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.")
      Reported-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Signed-off-by: default avatarNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Acked-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98c977e6
  2. 03 Feb, 2018 8 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.115 · f0feeec9
      Greg Kroah-Hartman authored
      f0feeec9
    • Stefan Agner's avatar
      spi: imx: do not access registers while clocks disabled · f84a8d44
      Stefan Agner authored
      commit d593574a upstream.
      
      Since clocks are disabled except during message transfer clocks
      are also disabled when spi_imx_remove gets called. Accessing
      registers leads to a freeeze at least on a i.MX 6ULL. Enable
      clocks before disabling accessing the MXC_CSPICTRL register.
      
      Fixes: 9e556dcc ("spi: spi-imx: only enable the clocks when we start to transfer a message")
      Signed-off-by: default avatarStefan Agner <stefan@agner.ch>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f84a8d44
    • Fabio Estevam's avatar
      serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS · ec73ade6
      Fabio Estevam authored
      commit 38b1f0fb upstream.
      
      The wakeup mechanism via RTSDEN bit relies on the system using the RTS/CTS
      lines, so only allow such wakeup method when the system actually has
      RTS/CTS support.
      
      Fixes: bc85734b ("serial: imx: allow waking up on RTSD")
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Reviewed-by: default avatarMartin Kaiser <martin@kaiser.cx>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec73ade6
    • Mark Salyzyn's avatar
      selinux: general protection fault in sock_has_perm · d489d1e0
      Mark Salyzyn authored
      In the absence of commit a4298e45 ("net: add SOCK_RCU_FREE socket
      flag") and all the associated infrastructure changes to take advantage
      of a RCU grace period before freeing, there is a heightened
      possibility that a security check is performed while an ill-timed
      setsockopt call races in from user space.  It then is prudent to null
      check sk_security, and if the case, reject the permissions.
      
      Because of the nature of this problem, hard to duplicate, no clear
      path, this patch is a simplified band-aid for stable trees lacking the
      infrastructure for the series of commits leading up to providing a
      suitable RCU grace period.  This adjustment is orthogonal to
      infrastructure improvements that may nullify the needed check, but
      could be added as good code hygiene in all trees.
      
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 14233 Comm: syz-executor2 Not tainted 4.4.112-g5f6325b #28
      task: ffff8801d1095f00 task.stack: ffff8800b5950000
      RIP: 0010:[<ffffffff81b69b7e>]  [<ffffffff81b69b7e>] sock_has_perm+0x1fe/0x3e0 security/selinux/hooks.c:4069
      RSP: 0018:ffff8800b5957ce0  EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 1ffff10016b2af9f RCX: ffffffff81b69b51
      RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000010
      RBP: ffff8800b5957de0 R08: 0000000000000001 R09: 0000000000000001
      R10: 0000000000000000 R11: 1ffff10016b2af68 R12: ffff8800b5957db8
      R13: 0000000000000000 R14: ffff8800b7259f40 R15: 00000000000000d7
      FS:  00007f72f5ae2700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000a2fa38 CR3: 00000001d7980000 CR4: 0000000000160670
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Stack:
       ffffffff81b69a1f ffff8800b5957d58 00008000b5957d30 0000000041b58ab3
       ffffffff83fc82f2 ffffffff81b69980 0000000000000246 ffff8801d1096770
       ffff8801d3165668 ffffffff8157844b ffff8801d1095f00
       ffff880000000001
      Call Trace:
      [<ffffffff81b6a19d>] selinux_socket_setsockopt+0x4d/0x80 security/selinux/hooks.c:4338
      [<ffffffff81b4873d>] security_socket_setsockopt+0x7d/0xb0 security/security.c:1257
      [<ffffffff82df1ac8>] SYSC_setsockopt net/socket.c:1757 [inline]
      [<ffffffff82df1ac8>] SyS_setsockopt+0xe8/0x250 net/socket.c:1746
      [<ffffffff83776499>] entry_SYSCALL_64_fastpath+0x16/0x92
      Code: c2 42 9b b6 81 be 01 00 00 00 48 c7 c7 a0 cb 2b 84 e8
      f7 2f 6d ff 49 8d 7d 10 48 b8 00 00 00 00 00 fc ff df 48 89
      fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 83 01 00
      00 41 8b 75 10 31
      RIP  [<ffffffff81b69b7e>] sock_has_perm+0x1fe/0x3e0 security/selinux/hooks.c:4069
      RSP <ffff8800b5957ce0>
      ---[ end trace 7b5aaf788fef6174 ]---
      Signed-off-by: default avatarMark Salyzyn <salyzyn@android.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: selinux@tycho.nsa.gov
      Cc: linux-security-module@vger.kernel.org
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Serge E. Hallyn <serge@hallyn.com>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d489d1e0
    • Oliver Neukum's avatar
      usb: uas: unconditionally bring back host after reset · 1bbdf764
      Oliver Neukum authored
      commit cbeef22f upstream.
      
      Quoting Hans:
      
      If we return 1 from our post_reset handler, then our disconnect handler
      will be called immediately afterwards. Since pre_reset blocks all scsi
      requests our disconnect handler will then hang in the scsi_remove_host
      call.
      
      This is esp. bad because our disconnect handler hanging for ever also
      stops the USB subsys from enumerating any new USB devices, causes commands
      like lsusb to hang, etc.
      
      In practice this happens when unplugging some uas devices because the hub
      code may see the device as needing a warm-reset and calls usb_reset_device
      before seeing the disconnect. In this case uas_configure_endpoints fails
      with -ENODEV. We do not want to print an error for this, so this commit
      also silences the shost_printk for -ENODEV.
      
      ENDQUOTE
      
      However, if we do that we better drop any unconditional execution
      and report to the SCSI subsystem that we have undergone a reset
      but we are not operational now.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Reported-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1bbdf764
    • Hemant Kumar's avatar
      usb: f_fs: Prevent gadget unbind if it is already unbound · 68b43caf
      Hemant Kumar authored
      commit ce5bf9a5 upstream.
      
      Upon usb composition switch there is possibility of ep0 file
      release happening after gadget driver bind. In case of composition
      switch from adb to a non-adb composition gadget will never gets
      bound again resulting into failure of usb device enumeration. Fix
      this issue by checking FFS_FL_BOUND flag and avoid extra
      gadget driver unbind if it is already done as part of composition
      switch.
      
      This fixes adb reconnection error reported on Android running
      v4.4 and above kernel versions. Verified on Hikey running vanilla
      v4.15-rc7 + few out of tree Mali patches.
      
      Reviewed-at: https://android-review.googlesource.com/#/c/582632/
      
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: Greg KH <gregkh@linux-foundation.org>
      Cc: Michal Nazarewicz <mina86@mina86.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Dmitry Shmidt <dimitrysh@google.com>
      Cc: Badhri <badhri@google.com>
      Cc: Android Kernel Team <kernel-team@android.com>
      Signed-off-by: default avatarHemant Kumar <hemantk@codeaurora.org>
      [AmitP: Cherry-picked it from android-4.14 and updated the commit log]
      Signed-off-by: default avatarAmit Pundir <amit.pundir@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68b43caf
    • Johan Hovold's avatar
      USB: serial: simple: add Motorola Tetra driver · bab3a0da
      Johan Hovold authored
      commit 46fe895e upstream.
      
      Add new Motorola Tetra (simple) driver for Motorola Solutions TETRA PEI
      devices.
      
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=0cad ProdID=9011 Rev=24.16
      S:  Manufacturer=Motorola Solutions Inc.
      S:  Product=Motorola Solutions TETRA PEI interface
      C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      
      Note that these devices do not support the CDC SET_CONTROL_LINE_STATE
      request (for any interface).
      Reported-by: default avatarMax Schulze <max.schulze@posteo.de>
      Tested-by: default avatarMax Schulze <max.schulze@posteo.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bab3a0da
    • Shuah Khan's avatar
      usbip: list: don't list devices attached to vhci_hcd · 46c651ae
      Shuah Khan authored
      commit ef824501 upstream.
      
      usbip host lists devices attached to vhci_hcd on the same server
      when user does attach over localhost or specifies the server as the
      remote.
      
      usbip attach -r localhost -b busid
      or
      usbip attach -r servername (or server IP)
      
      Fix it to check and not list devices that are attached to vhci_hcd.
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46c651ae