1. 18 Jul, 2017 40 commits
    • Dmitry Torokhov's avatar
      Input: i8042 - add Clevo P650RS to the i8042 reset list · 883aafc5
      Dmitry Torokhov authored
      commit 7c5bb4ac upstream.
      
      Clevo P650RS and other similar devices require i8042 to be reset in order
      to detect Synaptics touchpad.
      Reported-by: default avatarPaweł Bylica <chfast@gmail.com>
      Tested-by: default avatarEd Bordin <edbordin@gmail.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      883aafc5
    • Dan Carpenter's avatar
      net: tc35815: move free after the dereference · 4717cd19
      Dan Carpenter authored
      commit 11faa7b0 upstream.
      
      We dereference "skb" to get "skb->len" so we should probably do that
      step before freeing the skb.
      
      Fixes: eea221ce ("tc35815 driver update (take 2)")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4717cd19
    • Eric Dumazet's avatar
      cx82310_eth: use skb_cow_head() to deal with cloned skbs · 8d291d37
      Eric Dumazet authored
      commit a9e840a2 upstream.
      
      We need to ensure there is enough headroom to push extra header,
      but we also need to check if we are allowed to change headers.
      
      skb_cow_head() is the proper helper to deal with this.
      
      Fixes: cc28a20e ("introduce cx82310_eth: Conexant CX82310-based ADSL router USB ethernet driver")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: James Hughes <james.hughes@raspberrypi.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8d291d37
    • Eric Dumazet's avatar
      smsc75xx: use skb_cow_head() to deal with cloned skbs · 44c4e721
      Eric Dumazet authored
      commit b7c6d267 upstream.
      
      We need to ensure there is enough headroom to push extra header,
      but we also need to check if we are allowed to change headers.
      
      skb_cow_head() is the proper helper to deal with this.
      
      Fixes: d0cad871 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: James Hughes <james.hughes@raspberrypi.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      44c4e721
    • Johannes Berg's avatar
      mac80211: reject ToDS broadcast data frames · a6dc29a3
      Johannes Berg authored
      commit 3018e947 upstream.
      
      AP/AP_VLAN modes don't accept any real 802.11 multicast data
      frames, but since they do need to accept broadcast management
      frames the same is currently permitted for data frames. This
      opens a security problem because such frames would be decrypted
      with the GTK, and could even contain unicast L3 frames.
      
      Since the spec says that ToDS frames must always have the BSSID
      as the RA (addr1), reject any other data frames.
      
      The problem was originally reported in "Predicting, Decrypting,
      and Abusing WPA2/802.11 Group Keys" at usenix
      https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/vanhoef
      and brought to my attention by Jouni.
      Reported-by: default avatarJouni Malinen <j@w1.fi>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      --
      Dave, I didn't want to send you a new pull request for a single
      commit yet again - can you apply this one patch as is?
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: Put the new code in an else-block since the
       previous if-blocks may or may not return]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a6dc29a3
    • Steven Rostedt (VMware)'s avatar
      ring-buffer: Have ring_buffer_iter_empty() return true when empty · 1dc90d7f
      Steven Rostedt (VMware) authored
      commit 78f7a45d upstream.
      
      I noticed that reading the snapshot file when it is empty no longer gives a
      status. It suppose to show the status of the snapshot buffer as well as how
      to allocate and use it. For example:
      
       ># cat snapshot
       # tracer: nop
       #
       #
       # * Snapshot is allocated *
       #
       # Snapshot commands:
       # echo 0 > snapshot : Clears and frees snapshot buffer
       # echo 1 > snapshot : Allocates snapshot buffer, if not already allocated.
       #                      Takes a snapshot of the main buffer.
       # echo 2 > snapshot : Clears snapshot buffer (but does not allocate or free)
       #                      (Doesn't have to be '2' works with any number that
       #                       is not a '0' or '1')
      
      But instead it just showed an empty buffer:
      
       ># cat snapshot
       # tracer: nop
       #
       # entries-in-buffer/entries-written: 0/0   #P:4
       #
       #                              _-----=> irqs-off
       #                             / _----=> need-resched
       #                            | / _---=> hardirq/softirq
       #                            || / _--=> preempt-depth
       #                            ||| /     delay
       #           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION
       #              | |       |   ||||       |         |
      
      What happened was that it was using the ring_buffer_iter_empty() function to
      see if it was empty, and if it was, it showed the status. But that function
      was returning false when it was empty. The reason was that the iter header
      page was on the reader page, and the reader page was empty, but so was the
      buffer itself. The check only tested to see if the iter was on the commit
      page, but the commit page was no longer pointing to the reader page, but as
      all pages were empty, the buffer is also.
      
      Fixes: 651e22f2 ("ring-buffer: Always reset iterator to reader page")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1dc90d7f
    • Arnd Bergmann's avatar
      ACPI / power: Avoid maybe-uninitialized warning · ec042914
      Arnd Bergmann authored
      commit fe8c470a upstream.
      
      gcc -O2 cannot always prove that the loop in acpi_power_get_inferred_state()
      is enterered at least once, so it assumes that cur_state might not get
      initialized:
      
      drivers/acpi/power.c: In function 'acpi_power_get_inferred_state':
      drivers/acpi/power.c:222:9: error: 'cur_state' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      This sets the variable to zero at the start of the loop, to ensure that
      there is well-defined behavior even for an empty list. This gets rid of
      the warning.
      
      The warning first showed up when the -Os flag got removed in a bug fix
      patch in linux-4.11-rc5.
      
      I would suggest merging this addon patch on top of that bug fix to avoid
      introducing a new warning in the stable kernels.
      
      Fixes: 61b79e16 (ACPI: Fix incompatibility with mcount-based function graph tracing)
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ec042914
    • David Howells's avatar
      KEYS: Change the name of the dead type to ".dead" to prevent user access · 206659fc
      David Howells authored
      commit c1644fe0 upstream.
      
      This fixes CVE-2017-6951.
      
      Userspace should not be able to do things with the "dead" key type as it
      doesn't have some of the helper functions set upon it that the kernel
      needs.  Attempting to use it may cause the kernel to crash.
      
      Fix this by changing the name of the type to ".dead" so that it's rejected
      up front on userspace syscalls by key_get_type_from_user().
      
      Though this doesn't seem to affect recent kernels, it does affect older
      ones, certainly those prior to:
      
      	commit c06cfb08
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Tue Sep 16 17:36:06 2014 +0100
      	KEYS: Remove key_type::match in favour of overriding default by match_preparse
      
      which went in before 3.18-rc1.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      206659fc
    • Al Viro's avatar
      p9_client_readdir() fix · 50282fcb
      Al Viro authored
      commit 71d6ad08 upstream.
      
      Don't assume that server is sane and won't return more data than
      asked for.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      50282fcb
    • Josh Poimboeuf's avatar
      ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram · 1883b91b
      Josh Poimboeuf authored
      commit 34a477e5 upstream.
      
      On x86-32, with CONFIG_FIRMWARE and multiple CPUs, if you enable function
      graph tracing and then suspend to RAM, it will triple fault and reboot when
      it resumes.
      
      The first fault happens when booting a secondary CPU:
      
      startup_32_smp()
        load_ucode_ap()
          prepare_ftrace_return()
            ftrace_graph_is_dead()
              (accesses 'kill_ftrace_graph')
      
      The early head_32.S code calls into load_ucode_ap(), which has an an
      ftrace hook, so it calls prepare_ftrace_return(), which calls
      ftrace_graph_is_dead(), which tries to access the global
      'kill_ftrace_graph' variable with a virtual address, causing a fault
      because the CPU is still in real mode.
      
      The fix is to add a check in prepare_ftrace_return() to make sure it's
      running in protected mode before continuing.  The check makes sure the
      stack pointer is a virtual kernel address.  It's a bit of a hack, but
      it's not very intrusive and it works well enough.
      
      For reference, here are a few other (more difficult) ways this could
      have potentially been fixed:
      
      - Move startup_32_smp()'s call to load_ucode_ap() down to *after* paging
        is enabled.  (No idea what that would break.)
      
      - Track down load_ucode_ap()'s entire callee tree and mark all the
        functions 'notrace'.  (Probably not realistic.)
      
      - Pause graph tracing in ftrace_suspend_notifier_call() or bringup_cpu()
        or __cpu_up(), and ensure that the pause facility can be queried from
        real mode.
      Reported-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Tested-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Reviewed-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: "Rafael J . Wysocki" <rjw@rjwysocki.net>
      Cc: linux-acpi@vger.kernel.org
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Len Brown <lenb@kernel.org>
      Link: http://lkml.kernel.org/r/5c1272269a580660703ed2eccf44308e790c7a98.1492123841.git.jpoimboe@redhat.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1883b91b
    • Ben Hutchings's avatar
      cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores · aa780043
      Ben Hutchings authored
      commit 4cca0457 upstream.
      
      The switch that conditionally sets CPUPOWER_CAP_HAS_TURBO_RATIO and
      CPUPOWER_CAP_IS_SNB flags is missing a break, so all cores get both
      flags set and an assumed base clock of 100 MHz for turbo values.
      Reported-by: default avatarGSR <gsr.bugs@infernal-iceberg.com>
      Tested-by: default avatarGSR <gsr.bugs@infernal-iceberg.com>
      References: https://bugs.debian.org/859978
      Fixes: 8fb2e440 (cpupower: Show Intel turbo ratio support via ...)
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      aa780043
    • Takashi Iwai's avatar
      ALSA: seq: Don't break snd_use_lock_sync() loop by timeout · 6f19a876
      Takashi Iwai authored
      commit 4e7655fd upstream.
      
      The snd_use_lock_sync() (thus its implementation
      snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of
      the sync loop.  It was introduced from the beginning, just to be
      "safer", in terms of avoiding the stupid bugs.
      
      However, as Ben Hutchings suggested, this timeout rather introduces a
      potential leak or use-after-free that was apparently fixed by the
      commit 2d7d5400 ("ALSA: seq: Fix race during FIFO resize"):
      for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() ->
      copy_from_user() could block for a long time, and snd_use_lock_sync()
      goes timeout and still leaves the cell at releasing the pool.
      
      For fixing such a problem, we remove the break by the timeout while
      still keeping the warning.
      Suggested-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6f19a876
    • James Hogan's avatar
      MIPS: KGDB: Use kernel context for sleeping threads · c38cb25b
      James Hogan authored
      commit 162b270c upstream.
      
      KGDB is a kernel debug stub and it can't be used to debug userland as it
      can only safely access kernel memory.
      
      On MIPS however KGDB has always got the register state of sleeping
      processes from the userland register context at the beginning of the
      kernel stack. This is meaningless for kernel threads (which never enter
      userland), and for user threads it prevents the user seeing what it is
      doing while in the kernel:
      
      (gdb) info threads
        Id   Target Id         Frame
        ...
        3    Thread 2 (kthreadd) 0x0000000000000000 in ?? ()
        2    Thread 1 (init)   0x000000007705c4b4 in ?? ()
        1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201
      
      Get the register state instead from the (partial) kernel register
      context stored in the task's thread_struct for resume() to restore. All
      threads now correctly appear to be in context_switch():
      
      (gdb) info threads
        Id   Target Id         Frame
        ...
        3    Thread 2 (kthreadd) context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
        2    Thread 1 (init)   context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
        1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201
      
      Call clobbered registers which aren't saved and exception registers
      (BadVAddr & Cause) which can't be easily determined without stack
      unwinding are reported as 0. The PC is taken from the return address,
      such that the state presented matches that found immediately after
      returning from resume().
      
      Fixes: 88547001 ("[MIPS] kgdb: add arch support for the kernel's kgdb core")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Jason Wessel <jason.wessel@windriver.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/15829/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c38cb25b
    • Thomas Gleixner's avatar
      x86/vdso: Plug race between mapping and ELF header setup · df1c5dfd
      Thomas Gleixner authored
      commit 6fdc6dd9 upstream.
      
      The vsyscall32 sysctl can racy against a concurrent fork when it switches
      from disabled to enabled:
      
          arch_setup_additional_pages()
      	if (vdso32_enabled)
                 --> No mapping
                                              sysctl.vsysscall32()
                                                --> vdso32_enabled = true
          create_elf_tables()
            ARCH_DLINFO_IA32
              if (vdso32_enabled) {
                 --> Add VDSO entry with NULL pointer
      
      Make ARCH_DLINFO_IA32 check whether the VDSO mapping has been set up for
      the newly forked process or not.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Mathias Krause <minipli@googlemail.com>
      Link: http://lkml.kernel.org/r/20170410151723.602367196@linutronix.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.2: change the flag passed to ARCH_DLINFO_IA32()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      df1c5dfd
    • Guillaume Nault's avatar
      l2tp: don't mask errors in pppol2tp_getsockopt() · 34b5dcc5
      Guillaume Nault authored
      commit 321a52a3 upstream.
      
      pppol2tp_getsockopt() doesn't take into account the error code returned
      by pppol2tp_tunnel_getsockopt() or pppol2tp_session_getsockopt(). If
      error occurs there, pppol2tp_getsockopt() continues unconditionally and
      reports erroneous values.
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      34b5dcc5
    • Guillaume Nault's avatar
      l2tp: don't mask errors in pppol2tp_setsockopt() · 7fa07017
      Guillaume Nault authored
      commit 364700cf upstream.
      
      pppol2tp_setsockopt() unconditionally overwrites the error value
      returned by pppol2tp_tunnel_setsockopt() or
      pppol2tp_session_setsockopt(), thus hiding errors from userspace.
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7fa07017
    • bsegall@google.com's avatar
      ptrace: fix PTRACE_LISTEN race corrupting task->state · 3e8dbd06
      bsegall@google.com authored
      commit 5402e97a upstream.
      
      In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against
      __TASK_TRACED.  If this races with the ptrace_unfreeze_traced at the end
      of a PTRACE_LISTEN, this can wake the task /after/ the check against
      __TASK_TRACED, but before the reset of state to TASK_TRACED.  This
      causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup
      against TRACED while the task is still on the rq wake_list, corrupting
      it.
      
      Oleg said:
       "The kernel can crash or this can lead to other hard-to-debug problems.
        In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced()
        assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the
        contract. Obviusly it is very wrong to manipulate task->state if this
        task is already running, or WAKING, or it sleeps again"
      
      [akpm@linux-foundation.org: coding-style fixes]
      Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL")
      Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.comSigned-off-by: default avatarBen Segall <bsegall@google.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3e8dbd06
    • Martin K. Petersen's avatar
      scsi: sd: Fix capacity calculation with 32-bit sector_t · 57ea1d3d
      Martin K. Petersen authored
      commit 7c856152 upstream.
      
      We previously made sure that the reported disk capacity was less than
      0xffffffff blocks when the kernel was not compiled with large sector_t
      support (CONFIG_LBDAF). However, this check assumed that the capacity
      was reported in units of 512 bytes.
      
      Add a sanity check function to ensure that we only enable disks if the
      entire reported capacity can be expressed in terms of sector_t.
      Reported-by: default avatarSteve Magnani <steve.magnani@digidescorp.com>
      Cc: Bart Van Assche <Bart.VanAssche@sandisk.com>
      Reviewed-by: default avatarBart Van Assche <Bart.VanAssche@sandisk.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      [bwh: Backported to 3.2: use integer literal instead of U32_MAX]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      57ea1d3d
    • Martin K. Petersen's avatar
      scsi: sr: Sanity check returned mode data · 584063be
      Martin K. Petersen authored
      commit a00a7862 upstream.
      
      Kefeng Wang discovered that old versions of the QEMU CD driver would
      return mangled mode data causing us to walk off the end of the buffer in
      an attempt to parse it. Sanity check the returned mode sense data.
      Reported-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Tested-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      584063be
    • Juergen Gross's avatar
      xen, fbfront: fix connecting to backend · 581ebc29
      Juergen Gross authored
      commit 9121b15b upstream.
      
      Connecting to the backend isn't working reliably in xen-fbfront: in
      case XenbusStateInitWait of the backend has been missed the backend
      transition to XenbusStateConnected will trigger the connected state
      only without doing the actions required when the backend has
      connected.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      581ebc29
    • Guillaume Nault's avatar
      l2tp: take reference on sessions being dumped · 2b846c84
      Guillaume Nault authored
      commit e08293a4 upstream.
      
      Take a reference on the sessions returned by l2tp_session_find_nth()
      (and rename it l2tp_session_get_nth() to reflect this change), so that
      caller is assured that the session isn't going to disappear while
      processing it.
      
      For procfs and debugfs handlers, the session is held in the .start()
      callback and dropped in .show(). Given that pppol2tp_seq_session_show()
      dereferences the associated PPPoL2TP socket and that
      l2tp_dfs_seq_session_show() might call pppol2tp_show(), we also need to
      call the session's .ref() callback to prevent the socket from going
      away from under us.
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Fixes: 0ad66140 ("l2tp: Add debugfs files for dumping l2tp debug info")
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2b846c84
    • Paul Mackerras's avatar
      powerpc: Don't try to fix up misaligned load-with-reservation instructions · dda727ef
      Paul Mackerras authored
      commit 48fe9e94 upstream.
      
      In the past, there was only one load-with-reservation instruction,
      lwarx, and if a program attempted a lwarx on a misaligned address, it
      would take an alignment interrupt and the kernel handler would emulate
      it as though it was lwzx, which was not really correct, but benign since
      it is loading the right amount of data, and the lwarx should be paired
      with a stwcx. to the same address, which would also cause an alignment
      interrupt which would result in a SIGBUS being delivered to the process.
      
      We now have 5 different sizes of load-with-reservation instruction. Of
      those, lharx and ldarx cause an immediate SIGBUS by luck since their
      entries in aligninfo[] overlap instructions which were not fixed up, but
      lqarx overlaps with lhz and will be emulated as such. lbarx can never
      generate an alignment interrupt since it only operates on 1 byte.
      
      To straighten this out and fix the lqarx case, this adds code to detect
      the l[hwdq]arx instructions and return without fixing them up, resulting
      in a SIGBUS being delivered to the process.
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      [bwh: Backported to 3.2: open-code get_xop()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dda727ef
    • Yuejie Shi's avatar
      af_key: Add lock to key dump · 02085b17
      Yuejie Shi authored
      commit 89e357d8 upstream.
      
      A dump may come in the middle of another dump, modifying its dump
      structure members. This race condition will result in NULL pointer
      dereference in kernel. So add a lock to prevent that race.
      
      Fixes: 83321d6b ("[AF_KEY]: Dump SA/SP entries non-atomically")
      Signed-off-by: default avatarYuejie Shi <syjcnss@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      [bwh: Backported to 3.2:
       - pfkey_dump() doesn't support filters
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      02085b17
    • Nicholas Bellinger's avatar
      iscsi-target: Drop work-around for legacy GlobalSAN initiator · 4c68c4f7
      Nicholas Bellinger authored
      commit 1c99de98 upstream.
      
      Once upon a time back in 2009, a work-around was added to support
      the GlobalSAN iSCSI initiator v3.3 for MacOSX, which during login
      did not propose nor respond to MaxBurstLength, FirstBurstLength,
      DefaultTime2Wait and DefaultTime2Retain keys.
      
      The work-around in iscsi_check_proposer_for_optional_reply()
      allowed the missing keys to be proposed, but did not require
      waiting for a response before moving to full feature phase
      operation.  This allowed GlobalSAN v3.3 to work out-of-the
      box, and for many years we didn't run into login interopt
      issues with any other initiators..
      
      Until recently, when Martin tried a QLogic 57840S iSCSI Offload
      HBA on Windows 2016 which completed login, but subsequently
      failed with:
      
          Got unknown iSCSI OpCode: 0x43
      
      The issue was QLogic MSFT side did not propose DefaultTime2Wait +
      DefaultTime2Retain, so LIO proposes them itself, and immediately
      transitions to full feature phase because of the GlobalSAN hack.
      However, the QLogic MSFT side still attempts to respond to
      DefaultTime2Retain + DefaultTime2Wait, even though LIO has set
      ISCSI_FLAG_LOGIN_NEXT_STAGE3 + ISCSI_FLAG_LOGIN_TRANSIT
      in last login response.
      
      So while the QLogic MSFT side should have been proposing these
      two keys to start, it was doing the correct thing per RFC-3720
      attempting to respond to proposed keys before transitioning to
      full feature phase.
      
      All that said, recent versions of GlobalSAN iSCSI (v5.3.0.541)
      does correctly propose the four keys during login, making the
      original work-around moot.
      
      So in order to allow QLogic MSFT to run unmodified as-is, go
      ahead and drop this long standing work-around.
      Reported-by: default avatarMartin Svec <martin.svec@zoner.cz>
      Cc: Martin Svec <martin.svec@zoner.cz>
      Cc: Himanshu Madhani <Himanshu.Madhani@cavium.com>
      Cc: Arun Easi <arun.easi@cavium.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4c68c4f7
    • Guillaume Nault's avatar
      l2tp: take a reference on sessions used in genetlink handlers · 0d3ab011
      Guillaume Nault authored
      commit 2777e2ab upstream.
      
      Callers of l2tp_nl_session_find() need to hold a reference on the
      returned session since there's no guarantee that it isn't going to
      disappear from under them.
      
      Relying on the fact that no l2tp netlink message may be processed
      concurrently isn't enough: sessions can be deleted by other means
      (e.g. by closing the PPPOL2TP socket of a ppp pseudowire).
      
      l2tp_nl_cmd_session_delete() is a bit special: it runs a callback
      function that may require a previous call to session->ref(). In
      particular, for ppp pseudowires, the callback is l2tp_session_delete(),
      which then calls pppol2tp_session_close() and dereferences the PPPOL2TP
      socket. The socket might already be gone at the moment
      l2tp_session_delete() calls session->ref(), so we need to take a
      reference during the session lookup. So we need to pass the do_ref
      variable down to l2tp_session_get() and l2tp_session_get_by_ifname().
      
      Since all callers have to be updated, l2tp_session_find_by_ifname() and
      l2tp_nl_session_find() are renamed to reflect their new behaviour.
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0d3ab011
    • Guillaume Nault's avatar
      l2tp: fix duplicate session creation · 0463e1a5
      Guillaume Nault authored
      commit dbdbc73b upstream.
      
      l2tp_session_create() relies on its caller for checking for duplicate
      sessions. This is racy since a session can be concurrently inserted
      after the caller's verification.
      
      Fix this by letting l2tp_session_create() verify sessions uniqueness
      upon insertion. Callers need to be adapted to check for
      l2tp_session_create()'s return code instead of calling
      l2tp_session_find().
      
      pppol2tp_connect() is a bit special because it has to work on existing
      sessions (if they're not connected) or to create a new session if none
      is found. When acting on a preexisting session, a reference must be
      held or it could go away on us. So we have to use l2tp_session_get()
      instead of l2tp_session_find() and drop the reference before exiting.
      
      Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support")
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: add 'pos' parameter to
       hlist_for_each_entry{,_rcu}() calls]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0463e1a5
    • Guillaume Nault's avatar
      l2tp: ensure session can't get removed during pppol2tp_session_ioctl() · a1bf0abb
      Guillaume Nault authored
      commit 57377d63 upstream.
      
      Holding a reference on session is required before calling
      pppol2tp_session_ioctl(). The session could get freed while processing the
      ioctl otherwise. Since pppol2tp_session_ioctl() uses the session's socket,
      we also need to take a reference on it in l2tp_session_get().
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a1bf0abb
    • Guillaume Nault's avatar
      l2tp: fix race in l2tp_recv_common() · 63a763d0
      Guillaume Nault authored
      commit 61b9a047 upstream.
      
      Taking a reference on sessions in l2tp_recv_common() is racy; this
      has to be done by the callers.
      
      To this end, a new function is required (l2tp_session_get()) to
      atomically lookup a session and take a reference on it. Callers then
      have to manually drop this reference.
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2:
       - Drop changes to l2tp_ip6.c
       - Add 'pos' parameter to hlist_for_each_entry{,_rcu}() calls
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      63a763d0
    • Uwe Kleine-König's avatar
      serial: mxs-auart: Fix baudrate calculation · 2a14908e
      Uwe Kleine-König authored
      commit a6040bc6 upstream.
      
      The reference manual for the i.MX28 recommends to calculate the divisor
      as
      
      	divisor = (UARTCLK * 32) / baud rate, rounded to the nearest integer
      
      , so let's do this. For a typical setup of UARTCLK = 24 MHz and baud
      rate = 115200 this changes the divisor from 6666 to 6667 and so the
      actual baud rate improves from 115211.521 Bd (error ≅ 0.01 %) to
      115194.240 Bd (error ≅ 0.005 %).
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2a14908e
    • Stefan Wahren's avatar
      serial: mxs-auart: fix baud rate range · c1b36780
      Stefan Wahren authored
      commit df57cf6a upstream.
      
      Currently mxs-auart doesn't care correctly about the baud rate divisor.
      According to reference manual the baud rate divisor must be between
      0x000000EC and 0x003FFFC0. So calculate the possible baud rate range
      and use it for uart_get_baud_rate().
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Reviewed-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c1b36780
    • Hans de Goede's avatar
      mmc: sdhci: Disable runtime pm when the sdio_irq is enabled · 2b3dce5b
      Hans de Goede authored
      commit 923713b3 upstream.
      
      SDIO cards may need clock to send the card interrupt to the host.
      
      On a cherrytrail tablet with a RTL8723BS wifi chip, without this patch
      pinging the tablet results in:
      
      PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
      64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=78.6 ms
      64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1760 ms
      64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=753 ms
      64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=3.88 ms
      64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=795 ms
      64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1841 ms
      64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=810 ms
      64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1860 ms
      64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=812 ms
      64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=48.6 ms
      
      Where as with this patch I get:
      
      PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
      64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=3.96 ms
      64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1.97 ms
      64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=17.2 ms
      64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=2.46 ms
      64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=2.83 ms
      64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1.40 ms
      64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=2.10 ms
      64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1.40 ms
      64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=2.04 ms
      64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=1.40 ms
      
      Cc: Dong Aisheng <b29396@freescale.com>
      Cc: Ian W MORRISON <ianwmorrison@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Acked-by: default avatarDong Aisheng <aisheng.dong@nxp.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2b3dce5b
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Remove getparam error message · e584bdbb
      Thomas Hellstrom authored
      commit 53e16798 upstream.
      
      The mesa winsys sometimes uses unimplemented parameter requests to
      check for features. Remove the error message to avoid bloating the
      kernel log.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: default avatarBrian Paul <brianp@vmware.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e584bdbb
    • Murray McAllister's avatar
      drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl() · 4a98780b
      Murray McAllister authored
      commit 63774069 upstream.
      
      In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is
      used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()),
      which can leak useful addresses to dmesg.
      
      Add check to avoid a size of 0.
      Signed-off-by: default avatarMurray McAllister <murray.mcallister@insomniasec.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a98780b
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Type-check lookups of fence objects · 5b989fa8
      Thomas Hellstrom authored
      commit f7652afa upstream.
      
      A malicious caller could otherwise hand over handles to other objects
      causing all sorts of interesting problems.
      
      Testing done: Ran a Fedora 25 desktop using both Xorg and
      gnome-shell/Wayland.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5b989fa8
    • Sebastian Siewior's avatar
      ubi/upd: Always flush after prepared for an update · b6d24893
      Sebastian Siewior authored
      commit 9cd9a21c upstream.
      
      In commit 6afaf8a4 ("UBI: flush wl before clearing update marker") I
      managed to trigger and fix a similar bug. Now here is another version of
      which I assumed it wouldn't matter back then but it turns out UBI has a
      check for it and will error out like this:
      
      |ubi0 warning: validate_vid_hdr: inconsistent used_ebs
      |ubi0 error: validate_vid_hdr: inconsistent VID header at PEB 592
      
      All you need to trigger this is? "ubiupdatevol /dev/ubi0_0 file" + a
      powercut in the middle of the operation.
      ubi_start_update() sets the update-marker and puts all EBs on the erase
      list. After that userland can proceed to write new data while the old EB
      aren't erased completely. A powercut at this point is usually not that
      much of a tragedy. UBI won't give read access to the static volume
      because it has the update marker. It will most likely set the corrupted
      flag because it misses some EBs.
      So we are all good. Unless the size of the image that has been written
      differs from the old image in the magnitude of at least one EB. In that
      case UBI will find two different values for `used_ebs' and refuse to
      attach the image with the error message mentioned above.
      
      So in order not to get in the situation, the patch will ensure that we
      wait until everything is removed before it tries to write any data.
      The alternative would be to detect such a case and remove all EBs at the
      attached time after we processed the volume-table and see the
      update-marker set. The patch looks bigger and I doubt it is worth it
      since usually the write() will wait from time to time for a new EB since
      usually there not that many spare EB that can be used.
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      [bwh: Backported to 3.2: ubi_wl_flush() only takes 1 parameter]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b6d24893
    • Mathias Nyman's avatar
      xhci: Manually give back cancelled URB if we can't queue it for cancel · a61f12b5
      Mathias Nyman authored
      commit d3519b9d upstream.
      
      xhci needs to take care of four scenarios when asked to cancel a URB.
      
      1 URB is not queued or already given back.
        usb_hcd_check_unlink_urb() will return an error, we pass the error on
      
      2 We fail to find xhci internal structures from urb private data such as
        virtual device and endpoint ring.
        Give back URB immediately, can't do anything about internal structures.
      
      3 URB private data has valid pointers to xhci internal data, but host is
        not  responding.
        give back URB immedately and remove the URB from the endpoint lists.
      
      4 Everyting is working
        add URB to cancel list, queue a command to stop the endpoint, after
        which the URB can be turned to no-op or skipped, removed from lists,
        and given back.
      
      We failed to give back the urb in case 2 where the correct device and
      endpoint pointers could not be retrieved from URB private data.
      
      This caused a hang on Dell Inspiron 5558/0VNM2T at resume from suspend
      as urb was never returned.
      
      [  245.270505] INFO: task rtsx_usb_ms_1:254 blocked for more than 120 seconds.
      [  245.272244]       Tainted: G        W       4.11.0-rc3-ARCH #2
      [  245.273983] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [  245.275737] rtsx_usb_ms_1   D    0   254      2 0x00000000
      [  245.277524] Call Trace:
      [  245.279278]  __schedule+0x2d3/0x8a0
      [  245.281077]  schedule+0x3d/0x90
      [  245.281961]  usb_kill_urb.part.3+0x6c/0xa0 [usbcore]
      [  245.282861]  ? wake_atomic_t_function+0x60/0x60
      [  245.283760]  usb_kill_urb+0x21/0x30 [usbcore]
      [  245.284649]  usb_start_wait_urb+0xe5/0x170 [usbcore]
      [  245.285541]  ? try_to_del_timer_sync+0x53/0x80
      [  245.286434]  usb_bulk_msg+0xbd/0x160 [usbcore]
      [  245.287326]  rtsx_usb_send_cmd+0x63/0x90 [rtsx_usb]
      
      Reported-by: diego.viola@gmail.com
      Tested-by: diego.viola@gmail.com
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - Move debug logging along with endpoint lookup
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a61f12b5
    • Josh Poimboeuf's avatar
      ACPI: Fix incompatibility with mcount-based function graph tracing · 506c53a2
      Josh Poimboeuf authored
      commit 61b79e16 upstream.
      
      Paul Menzel reported a warning:
      
        WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0
        Bad frame pointer: expected f6919d98, received f6919db0
          from func acpi_pm_device_sleep_wake return to c43b6f9d
      
      The warning means that function graph tracing is broken for the
      acpi_pm_device_sleep_wake() function.  That's because the ACPI Makefile
      unconditionally sets the '-Os' gcc flag to optimize for size.  That's an
      issue because mcount-based function graph tracing is incompatible with
      '-Os' on x86, thanks to the following gcc bug:
      
        https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109
      
      I have another patch pending which will ensure that mcount-based
      function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on
      x86.
      
      But this patch is needed in addition to that one because the ACPI
      Makefile overrides that config option for no apparent reason.  It has
      had this flag since the beginning of git history, and there's no related
      comment, so I don't know why it's there.  As far as I can tell, there's
      no reason for it to be there.  The appropriate behavior is for it to
      honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the
      kernel.
      Reported-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      506c53a2
    • James Morse's avatar
      ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal · eaff01dc
      James Morse authored
      commit 7d64f82c upstream.
      
      When removing a GHES device notified by SCI, list_del_rcu() is used,
      ghes_remove() should call synchronize_rcu() before it goes on to call
      kfree(ghes), otherwise concurrent RCU readers may still hold this list
      entry after it has been freed.
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Reviewed-by: default avatar"Huang, Ying" <ying.huang@intel.com>
      Fixes: 81e88fdc (ACPI, APEI, Generic Hardware Error Source POLL/IRQ/NMI notification type support)
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eaff01dc
    • Arnd Bergmann's avatar
      virtio_balloon: prevent uninitialized variable use · b833c96e
      Arnd Bergmann authored
      commit f0bb2d50 upstream.
      
      The latest gcc-7.0.1 snapshot reports a new warning:
      
      virtio/virtio_balloon.c: In function 'update_balloon_stats':
      virtio/virtio_balloon.c:258:26: error: 'events[2]' is used uninitialized in this function [-Werror=uninitialized]
      virtio/virtio_balloon.c:260:26: error: 'events[3]' is used uninitialized in this function [-Werror=uninitialized]
      virtio/virtio_balloon.c:261:56: error: 'events[18]' is used uninitialized in this function [-Werror=uninitialized]
      virtio/virtio_balloon.c:262:56: error: 'events[17]' is used uninitialized in this function [-Werror=uninitialized]
      
      This seems absolutely right, so we should add an extra check to
      prevent copying uninitialized stack data into the statistics.
      >From all I can tell, this has been broken since the statistics code
      was originally added in 2.6.34.
      
      Fixes: 9564e138 ("virtio: Add memory statistics reporting to the balloon driver (V4)")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarLadi Prosek <lprosek@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b833c96e
    • Ladi Prosek's avatar
      virtio_balloon: init 1st buffer in stats vq · 6918f844
      Ladi Prosek authored
      commit fc865322 upstream.
      
      When init_vqs runs, virtio_balloon.stats is either uninitialized or
      contains stale values. The host updates its state with garbage data
      because it has no way of knowing that this is just a marker buffer
      used for signaling.
      
      This patch updates the stats before pushing the initial buffer.
      
      Alternative fixes:
      * Push an empty buffer in init_vqs. Not easily done with the current
        virtio implementation and violates the spec "Driver MUST supply the
        same subset of statistics in all buffers submitted to the statsq".
      * Push a buffer with invalid tags in init_vqs. Violates the same
        spec clause, plus "invalid tag" is not really defined.
      
      Note: the spec says:
      	When using the legacy interface, the device SHOULD ignore all values in
      	the first buffer in the statsq supplied by the driver after device
      	initialization. Note: Historically, drivers supplied an uninitialized
      	buffer in the first buffer.
      
      Unfortunately QEMU does not seem to implement the recommendation
      even for the legacy interface.
      Signed-off-by: default avatarLadi Prosek <lprosek@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6918f844