1. 17 Jun, 2017 8 commits
    • Anssi Hannula's avatar
      net: xilinx_emaclite: fix receive buffer overflow · a2901d01
      Anssi Hannula authored
      
      [ Upstream commit cd224553 ]
      
      xilinx_emaclite looks at the received data to try to determine the
      Ethernet packet length but does not properly clamp it if
      proto_type == ETH_P_IP or 1500 < proto_type <= 1518, causing a buffer
      overflow and a panic via skb_panic() as the length exceeds the allocated
      skb size.
      
      Fix those cases.
      
      Also add an additional unconditional check with WARN_ON() at the end.
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Fixes: bb81b2dd ("net: add Xilinx emac lite device driver")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2901d01
    • Anssi Hannula's avatar
      net: xilinx_emaclite: fix freezes due to unordered I/O · bff3001a
      Anssi Hannula authored
      
      [ Upstream commit acf138f1 ]
      
      The xilinx_emaclite uses __raw_writel and __raw_readl for register
      accesses. Those functions do not imply any kind of memory barriers and
      they may be reordered.
      
      The driver does not seem to take that into account, though, and the
      driver does not satisfy the ordering requirements of the hardware.
      For clear examples, see xemaclite_mdio_write() and xemaclite_mdio_read()
      which try to set MDIO address before initiating the transaction.
      
      I'm seeing system freezes with the driver with GCC 5.4 and current
      Linux kernels on Zynq-7000 SoC immediately when trying to use the
      interface.
      
      In commit 123c1407 ("net: emaclite: Do not use microblaze and ppc
      IO functions") the driver was switched from non-generic
      in_be32/out_be32 (memory barriers, big endian) to
      __raw_readl/__raw_writel (no memory barriers, native endian), so
      apparently the device follows system endianness and the driver was
      originally written with the assumption of memory barriers.
      
      Rather than try to hunt for each case of missing barrier, just switch
      the driver to use iowrite32/ioread32/iowrite32be/ioread32be depending
      on endianness instead.
      
      Tested on little-endian Zynq-7000 ARM SoC FPGA.
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Fixes: 123c1407 ("net: emaclite: Do not use microblaze and ppc IO
      functions")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bff3001a
    • Thomas Falcon's avatar
      ibmvnic: Fix endian error when requesting device capabilities · 65e72723
      Thomas Falcon authored
      
      [ Upstream commit 28f4d165 ]
      
      When a vNIC client driver requests a faulty device setting, the
      server returns an acceptable value for the client to request.
      This 64 bit value was incorrectly being swapped as a 32 bit value,
      resulting in loss of data. This patch corrects that by using
      the 64 bit swap function.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65e72723
    • Thomas Falcon's avatar
      ibmvnic: Fix endian errors in error reporting output · b5a1aa81
      Thomas Falcon authored
      
      [ Upstream commit 75224c93 ]
      
      Error reports received from firmware were not being converted from
      big endian values, leading to bogus error codes reported on little
      endian systems.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b5a1aa81
    • Christophe Leroy's avatar
      netfilter: nf_conntrack_sip: fix wrong memory initialisation · d864e675
      Christophe Leroy authored
      commit da2f27e9 upstream.
      
      In commit 82de0be6 ("netfilter: Add helper array
      register/unregister functions"),
      struct nf_conntrack_helper sip[MAX_PORTS][4] was changed to
      sip[MAX_PORTS * 4], so the memory init should have been changed to
      memset(&sip[4 * i], 0, 4 * sizeof(sip[i]));
      
      But as the sip[] table is allocated in the BSS, it is already set to 0
      
      Fixes: 82de0be6 ("netfilter: Add helper array register/unregister functions")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d864e675
    • Richard's avatar
      partitions/msdos: FreeBSD UFS2 file systems are not recognized · 220b67a1
      Richard authored
      commit 22322035 upstream.
      
      The code in block/partitions/msdos.c recognizes FreeBSD, OpenBSD
      and NetBSD partitions and does a reasonable job picking out OpenBSD
      and NetBSD UFS subpartitions.
      
      But for FreeBSD the subpartitions are always "bad".
      
          Kernel: <bsd:bad subpartition - ignored
      
      Though all 3 of these BSD systems use UFS as a file system, only
      FreeBSD uses relative start addresses in the subpartition
      declarations.
      
      The following patch fixes this for FreeBSD partitions and leaves
      the code for OpenBSD and NetBSD intact:
      Signed-off-by: default avatarRichard Narron <comet.berkeley@gmail.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      220b67a1
    • Imre Deak's avatar
      drm/i915: Prevent the system suspend complete optimization · 7a7b2d5f
      Imre Deak authored
      commit 6ab92afc upstream.
      
      Since
      
      commit bac2a909
      Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Date:   Wed Jan 21 02:17:42 2015 +0100
      
          PCI / PM: Avoid resuming PCI devices during system suspend
      
      PCI devices will default to allowing the system suspend complete
      optimization where devices are not woken up during system suspend if
      they were already runtime suspended. This however breaks the i915/HDA
      drivers for two reasons:
      
      - The i915 driver has system suspend specific steps that it needs to
        run, that bring the device to a different state than its runtime
        suspended state.
      
      - The HDA driver's suspend handler requires power that it will request
        from the i915 driver's power domain handler. This in turn requires the
        i915 driver to runtime resume itself, but this won't be possible if the
        suspend complete optimization is in effect: in this case the i915
        runtime PM is disabled and trying to get an RPM reference returns
        -EACCESS.
      
      Solve this by requiring the PCI/PM core to resume the device during
      system suspend which in effect disables the suspend complete optimization.
      
      Regardless of the above commit the optimization stayed disabled for DRM
      devices until
      
      commit d14d2a84
      Author: Lukas Wunner <lukas@wunner.de>
      Date:   Wed Jun 8 12:49:29 2016 +0200
      
          drm: Remove dev_pm_ops from drm_class
      
      so this patch is in practice a fix for this commit. Another reason for
      the bug staying hidden for so long is that the optimization for a device
      is disabled if it's disabled for any of its children devices. i915 may
      have a backlight device as its child which doesn't support runtime PM
      and so doesn't allow the optimization either.  So if this backlight
      device got registered the bug stayed hidden.
      
      Credits to Marta, Tomi and David who enabled pstore logging,
      that caught one instance of this issue across a suspend/
      resume-to-ram and Ville who rememberd that the optimization was enabled
      for some devices at one point.
      
      The first WARN triggered by the problem:
      
      [ 6250.746445] WARNING: CPU: 2 PID: 17384 at drivers/gpu/drm/i915/intel_runtime_pm.c:2846 intel_runtime_pm_get+0x6b/0xd0 [i915]
      [ 6250.746448] pm_runtime_get_sync() failed: -13
      [ 6250.746451] Modules linked in: snd_hda_intel i915 vgem snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul
      snd_hda_codec_realtek snd_hda_codec_generic ghash_clmulni_intel e1000e snd_hda_codec snd_hwdep snd_hda_core ptp mei_me pps_core snd_pcm lpc_ich mei prime_
      numbers i2c_hid i2c_designware_platform i2c_designware_core [last unloaded: i915]
      [ 6250.746512] CPU: 2 PID: 17384 Comm: kworker/u8:0 Tainted: G     U  W       4.11.0-rc5-CI-CI_DRM_334+ #1
      [ 6250.746515] Hardware name:                  /NUC5i5RYB, BIOS RYBDWi35.86A.0362.2017.0118.0940 01/18/2017
      [ 6250.746521] Workqueue: events_unbound async_run_entry_fn
      [ 6250.746525] Call Trace:
      [ 6250.746530]  dump_stack+0x67/0x92
      [ 6250.746536]  __warn+0xc6/0xe0
      [ 6250.746542]  ? pci_restore_standard_config+0x40/0x40
      [ 6250.746546]  warn_slowpath_fmt+0x46/0x50
      [ 6250.746553]  ? __pm_runtime_resume+0x56/0x80
      [ 6250.746584]  intel_runtime_pm_get+0x6b/0xd0 [i915]
      [ 6250.746610]  intel_display_power_get+0x1b/0x40 [i915]
      [ 6250.746646]  i915_audio_component_get_power+0x15/0x20 [i915]
      [ 6250.746654]  snd_hdac_display_power+0xc8/0x110 [snd_hda_core]
      [ 6250.746661]  azx_runtime_resume+0x218/0x280 [snd_hda_intel]
      [ 6250.746667]  pci_pm_runtime_resume+0x76/0xa0
      [ 6250.746672]  __rpm_callback+0xb4/0x1f0
      [ 6250.746677]  ? pci_restore_standard_config+0x40/0x40
      [ 6250.746682]  rpm_callback+0x1f/0x80
      [ 6250.746686]  ? pci_restore_standard_config+0x40/0x40
      [ 6250.746690]  rpm_resume+0x4ba/0x740
      [ 6250.746698]  __pm_runtime_resume+0x49/0x80
      [ 6250.746703]  pci_pm_suspend+0x57/0x140
      [ 6250.746709]  dpm_run_callback+0x6f/0x330
      [ 6250.746713]  ? pci_pm_freeze+0xe0/0xe0
      [ 6250.746718]  __device_suspend+0xf9/0x370
      [ 6250.746724]  ? dpm_watchdog_set+0x60/0x60
      [ 6250.746730]  async_suspend+0x1a/0x90
      [ 6250.746735]  async_run_entry_fn+0x34/0x160
      [ 6250.746741]  process_one_work+0x1f2/0x6d0
      [ 6250.746749]  worker_thread+0x49/0x4a0
      [ 6250.746755]  kthread+0x107/0x140
      [ 6250.746759]  ? process_one_work+0x6d0/0x6d0
      [ 6250.746763]  ? kthread_create_on_node+0x40/0x40
      [ 6250.746768]  ret_from_fork+0x2e/0x40
      [ 6250.746778] ---[ end trace 102a62fd2160f5e6 ]---
      
      v2:
      - Use the new pci_dev->needs_resume flag, to avoid any overhead during
        the ->pm_prepare hook. (Rafael)
      
      v3:
      - Update commit message to reference the actual regressing commit.
        (Lukas)
      
      v4:
      - Rebase on v4 of patch 1/2.
      
      Fixes: d14d2a84 ("drm: Remove dev_pm_ops from drm_class")
      References: https://bugs.freedesktop.org/show_bug.cgi?id=100378
      References: https://bugs.freedesktop.org/show_bug.cgi?id=100770
      Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Marta Lofstedt <marta.lofstedt@intel.com>
      Cc: David Weinehall <david.weinehall@linux.intel.com>
      Cc: Tomi Sarvela <tomi.p.sarvela@intel.com>
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Cc: Mika Kuoppala <mika.kuoppala@intel.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Lukas Wunner <lukas@wunner.de>
      Cc: linux-pci@vger.kernel.org
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Reported-and-tested-by: default avatarMarta Lofstedt <marta.lofstedt@intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/1493726649-32094-2-git-send-email-imre.deak@intel.com
      (cherry picked from commit adfdf85d)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7a7b2d5f
    • Imre Deak's avatar
      PCI/PM: Add needs_resume flag to avoid suspend complete optimization · b372d35a
      Imre Deak authored
      commit 4d071c32 upstream.
      
      Some drivers - like i915 - may not support the system suspend direct
      complete optimization due to differences in their runtime and system
      suspend sequence.  Add a flag that when set resumes the device before
      calling the driver's system suspend handlers which effectively disables
      the optimization.
      
      Needed by a future patch fixing suspend/resume on i915.
      
      Suggested by Rafael.
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: stable@vger.kernel.org
      (rebased on v4.8, added kernel version to commit message stable tag)
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b372d35a
  2. 14 Jun, 2017 32 commits