24 Apr, 2018 (40 commits)
      ALSA: pcm: Fix UAF at PCM release via PCM timer access · bb256eea
      Takashi Iwai authored
      commit a820ccbe upstream.
      
      The PCM runtime object is created and freed dynamically at PCM stream
      open / close time.  This is tracked via substream->runtime, and it's
      cleared at snd_pcm_detach_substream().
      
      The runtime object assignment is protected by PCM open_mutex, so for
      all PCM operations, it's safely handled.  However, each PCM substream
      also provides an ALSA timer interface, and user-space can access
      this while closing a PCM substream.  This may eventually lead to a
      UAF, as snd_pcm_timer_resolution() tries to access the runtime while
      the other side is clearing it.
      
      Fortunately, it's the only concurrent access from the PCM timer, and
      it merely reads runtime->timer_resolution field.  So, we can avoid the
      race by reordering kfree() and wrapping the substream->runtime
      clearance with the corresponding timer lock.
      
      Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device · fe8fd32f
      Roland Dreier authored
      commit 8435168d upstream.
      
      Check to make sure that ctx->cm_id->device is set before we use it.
      Otherwise userspace can trigger a NULL dereference by doing
      RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: <syzbot+a67bc93e14682d92fc2f@syzkaller.appspotmail.com>
      Signed-off-by: Roland Dreier <roland@purestorage.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ext4: fail ext4_iget for root directory if unallocated · 99025131
      Theodore Ts'o authored
      commit 8e4b5eae upstream.
      
      If the root directory has an i_links_count of zero, then when the file
      system is mounted and ext4_fill_super() notices the problem and
      tries to call iput() on the root directory in the error return path,
      ext4_evict_inode() will try to free the inode on disk, before all of
      the file system structures are set up, and this will result in an OOPS
      caused by a NULL pointer dereference.
      
      This issue has been assigned CVE-2018-1092.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=199179
      https://bugzilla.redhat.com/show_bug.cgi?id=1560777
      Reported-by: Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ext4: don't update checksum of new initialized bitmaps · 51e3b81b
      Theodore Ts'o authored
      commit 044e6e3d upstream.
      
      When reading the inode or block allocation bitmap, if the bitmap needs
      to be initialized, do not update the checksum in the block group
      descriptor.  That's because we're not set up to journal those changes.
      Instead, just set the verified bit on the bitmap block, so that it's
      not necessary to validate the checksum.
      
      When a block or inode allocation actually happens, at that point the
      checksum will be calculated, and update of the bg descriptor block
      will be properly journalled.

      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      jbd2: if the journal is aborted then don't allow update of the log tail · 10c62408
      Theodore Ts'o authored
      commit 85e0c4e8 upstream.
      
      This updates the jbd2 superblock unnecessarily, and on an abort we
      shouldn't truncate the log.

      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      random: use a tighter cap in credit_entropy_bits_safe() · 010f0fb4
      Theodore Ts'o authored
      commit 9f886f4d upstream.
      
      This fixes a harmless UBSAN where root could potentially end up
      causing an overflow while bumping the entropy_total field (which is
      ignored once the entropy pool has been initialized, and this generally
      is completed during the boot sequence).
      
      This is marginal for the stable kernel series, but it's a really
      trivial patch, and it fixes UBSAN warning that might cause security
      folks to get overly excited for no reason.

      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reported-by: Chen Feng <puck.chen@hisilicon.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      thunderbolt: Resume control channel after hibernation image is created · 00cf298f
      Mika Westerberg authored
      commit f2a659f7 upstream.
      
      The driver misses implementation of PM hook that undoes what
      ->freeze_noirq() does after the hibernation image is created. This means
      the control channel is not resumed properly and the Thunderbolt bus
      becomes useless in later stages of hibernation (when the image is stored
      or if the operation fails).
      
      Fix this by pointing ->thaw_noirq to driver nhi_resume_noirq(). This
      makes sure the control channel is resumed properly.
      
      Fixes: 23dd5bb4 ("thunderbolt: Add suspend/hibernate support")
      Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ASoC: ssm2602: Replace reg_default_raw with reg_default · 9a8b65d4
      James Kelly authored
      commit a01df75c upstream.
      
      SSM2602 driver is broken on recent kernels (at least
      since 4.9). User space applications such as amixer or
      alsamixer get EIO when attempting to access codec
      controls via the relevant IOCTLs.
      
      Root cause of these failures is the regcache_hw_init
      function in drivers/base/regmap/regcache.c, which
      prevents regmap cache initialization from the
      reg_defaults_raw element of the regmap_config structure
      when registers are write only. It also disables the
      regmap cache entirely when all registers are write only
      or volatile as is the case for the SSM2602 driver.

      Using the reg_defaults element of the regmap_config
      structure rather than the reg_defaults_raw element to
      initialize the regmap cache avoids the logic in the
      regcache_hw_init function entirely. It also makes this
      driver consistent with other ASoC codec drivers, as
      this driver was the ONLY codec driver that used the
      reg_defaults_raw element to initialize the cache.
      
      Tested on Digilent Zybo Z7 development board which has
      a SSM2603 codec chip connected to a Xilinx Zynq SoC.

      Signed-off-by: James Kelly <jamespeterkelly@gmail.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      HID: core: Fix size as type u32 · 60f6c860
      Aaron Ma authored
      commit 6de0b13c upstream.
      
      When size is negative, calling memset will cause a segmentation fault.
      Declare the size as type u32 to keep memset safe.
      
      size in struct hid_report is unsigned, fix return type of
      hid_report_len to u32.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      HID: Fix hid_report_len usage · 8d7610e1
      Aaron Ma authored
      commit 3064a03b upstream.
      
      Follow the change of return type u32 of hid_report_len,
      fix all the types of variables that get the return value of
      hid_report_len to u32, and all other code already uses u32.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops · dace93d0
      Nicholas Piggin authored
      commit 3b807033 upstream.
      
      The OPAL NVRAM driver does not sleep in case it gets OPAL_BUSY or
      OPAL_BUSY_EVENT from firmware, which causes large scheduling
      latencies, and various lockup errors to trigger (again, BMC reboot
      can cause it).
      
      Fix this by converting it to the standard form OPAL_BUSY loop that
      sleeps.
      
      Fixes: 628daa8d ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks")
      Depends-on: 34dd25de ("powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops")
      Cc: stable@vger.kernel.org # v3.2+
      Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops · 16d770bd
      Nicholas Piggin authored
      commit 34dd25de upstream.
      
      This is the start of an effort to tidy up and standardise all the
      delays. Existing loops have a range of delay/sleep periods from 1ms
      to 20ms, and some have no delay. They all loop forever except rtc,
      which times out after 10 retries, and that uses 10ms delays. So use
      10ms as our standard delay. The OPAL maintainer agrees 10ms is a
      reasonable starting point.
      
      The idea is to use the same recipe everywhere, once this is proven to
      work then it will be documented as an OPAL API standard. Then both
      firmware and OS can agree, and if a particular call needs something
      else, then that can be documented with reasoning.
      
      This is not the end-all of this effort, it's just a relatively easy
      change that fixes some existing high latency delays. There should be
      provision for standardising timeouts and/or interruptible loops where
      possible, so non-fatal firmware errors don't cause hangs.

      Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      powerpc/64: Fix smp_wmb barrier definition to use lwsync consistently · dcc29e3f
      Nicholas Piggin authored
      commit 0bfdf598 upstream.
      
      asm/barrier.h is not always included after asm/synch.h, which meant
      it was missing __SUBARCH_HAS_LWSYNC, so in some files smp_wmb() would
      be eieio when it should be lwsync. kernel/time/hrtimer.c is one case.
      
      __SUBARCH_HAS_LWSYNC is only used in one place, so just fold it in
      to where it's used. Previously with my small simulator config, 377
      instances of eieio in the tree. After this patch there are 55.
      
      Fixes: 46d075be ("powerpc: Optimise smp_wmb")
      Cc: stable@vger.kernel.org # v2.6.29+
      Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() · c8d4770e
      Nicholas Piggin authored
      commit 741de617 upstream.
      
      opal_nvram_write currently just assumes success if it encounters an
      error other than OPAL_BUSY or OPAL_BUSY_EVENT. Have it return -EIO
      on other errors instead.
      
      Fixes: 628daa8d ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks")
      Cc: stable@vger.kernel.org # v3.2+
      Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
      Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
      Acked-by: Stewart Smith <stewart@linux.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      HID: i2c-hid: fix size check and type usage · dbae9a8d
      Aaron Ma authored
      commit ac75a041 upstream.
      
      When converting a char array to signed int, if inbuf[x] is negative then the
      upper bits will be set to 1. Fix this by using u8 instead of char.

      ret_size has to be at least 3, as hid_input_report uses it after subtracting 2 bytes.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
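      The sign-extension problem in the i2c-hid commit above, as an added illustration (not the driver's code and not part of the commit): the same two header bytes read through a signed char buffer and through a u8 buffer, followed by the minimum-length check the message describes. The sample bytes and the function names are constructed for this demo.

```c
/* Added illustration (not the i2c-hid driver's code): the two-byte report
 * length header assembled from a signed char buffer versus a u8 buffer, plus
 * the minimum-length check the commit describes. Names and sample bytes are
 * constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint8_t u8;

/* Constructed header: the device reports a length of 0x01FF (511) bytes.
 * On x86 a plain `char` is signed, so the first byte reads as -1. */
static const u8 sample_hdr[2] = { 0xFF, 0x01 };

/* Before the fix: inbuf[0] is a signed char. Integer promotion sign-extends
 * 0xFF to -1 (0xFFFFFFFF), so the OR with the high byte yields -1, not 511. */
static int32_t report_len_signed(const signed char *inbuf)
{
    return inbuf[0] | (inbuf[1] << 8);
}

/* After the fix: u8 bytes promote to non-negative ints, so the result is the
 * length the device actually sent. */
static uint32_t report_len_u8(const u8 *inbuf)
{
    return (uint32_t)inbuf[0] | ((uint32_t)inbuf[1] << 8);
}

/* Validate the claimed length before the payload is parsed. The parser is
 * handed inbuf + 2 with ret_size - 2 bytes, so anything below 3 carries no
 * report data at all, and anything above the buffer would run past its end.
 * Returns 0 (and stores the length if out_len is non-NULL) on success,
 * -1 on rejection. This API is assumed for the demo. */
static int check_report_len(const u8 *inbuf, size_t bufsize, uint32_t *out_len)
{
    uint32_t ret_size = report_len_u8(inbuf);

    if (ret_size < 3 || ret_size > bufsize)
        return -1;
    if (out_len)
        *out_len = ret_size;
    return 0;
}

int main(void)
{
    uint32_t len = 0;
    const u8 good_hdr[] = { 0x05, 0x00, 'a', 'b', 'c' }; /* constructed 5-byte report */

    printf("signed char: %d\n", (int)report_len_signed((const signed char *)sample_hdr));
    printf("u8:          %u\n", (unsigned)report_len_u8(sample_hdr));
    printf("511 bytes claimed, 64-byte buffer: %s\n",
           check_report_len(sample_hdr, 64, &len) == 0 ? "accepted" : "rejected");
    printf("5-byte report: %s (len=%u)\n",
           check_report_len(good_hdr, sizeof good_hdr, &len) == 0 ? "accepted" : "rejected",
           (unsigned)len);
    return 0;
}
```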
      usb: dwc3: pci: Properly cleanup resource · 0ab6b8c9
      Thinh Nguyen authored
      commit cabdf83d upstream.
      
      Platform device is allocated before adding resources. Make sure to
      properly cleanup on error case.
      
      Cc: <stable@vger.kernel.org>
      Fixes: f1c7e710 ("usb: dwc3: convert to pcim_enable_device()")
      Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw · b286fd4a
      Zhengjun Xing authored
      commit 64627388 upstream.
      
      USB3 hubs don't support global suspend.
      
      USB3 specification 10.10, Enhanced SuperSpeed hubs only support selective
      suspend and resume, they do not support global suspend/resume where the
      hub downstream facing ports states are not affected.
      
      When system enters hibernation it first enters freeze process where only
      the root hub enters suspend, usb_port_suspend() is not called for other
      devices, and suspend status flags are not set for them. Other devices are
      expected to suspend globally. Some external USB3 hubs will suspend the
      downstream facing port at global suspend. These devices won't be resumed
      at thaw as the suspend status flag is not set.
      
      A USB3 removable hard disk connected through a USB3 hub that won't resume
      at thaw will fail to synchronize SCSI cache, return “cmd cmplt err -71”
      error, and needs a 60 seconds timeout which causes the system to hang for 60s
      before the USB host resets the port for the USB3 removable hard disk to
      recover.
      
      Fix this by always calling usb_port_suspend() during freeze for USB3
      devices.

      Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status() · 63aa8d89
      Mika Westerberg authored
      commit 13d3047c upstream.
      
      Mike Lothian reported that plugging in a USB-C device does not work
      properly in his Dell Alienware system.  This system has an Intel Alpine
      Ridge Thunderbolt controller providing USB-C functionality.  In these
      systems the USB controller (xHCI) is hotplugged whenever a device is
      connected to the port using ACPI-based hotplug.
      
      The ACPI description of the root port in question is as follows:
      
        Device (RP01)
        {
            Name (_ADR, 0x001C0000)
      
            Device (PXSX)
            {
                Name (_ADR, 0x02)
      
                Method (_RMV, 0, NotSerialized)
                {
                    // ...
                }
            }
      
      Here _ADR 0x02 means device 0, function 2 on the bus under root port (RP01)
      but that seems to be incorrect because device 0 is the upstream port of the
      Alpine Ridge PCIe switch and it has no functions other than 0 (the bridge
      itself).  When we get ACPI Notify() to the root port resulting from
      connecting a USB-C device, Linux tries to read PCI_VENDOR_ID from device 0,
      function 2 which of course always returns 0xffffffff because there is no
      such function and we never find the device.
      
      In Windows this works fine.
      
      Now, since we get ACPI Notify() to the root port and not to the PXSX device
      we should actually start our scan from there as well and not from the
      non-existent PXSX device.  Fix this by checking presence of the slot itself
      (function 0) if we fail to do that otherwise.
      
      While there use pci_bus_read_dev_vendor_id() in get_slot_status(), which is
      the recommended way to read Device and Vendor IDs of devices on PCI buses.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=198557
      Reported-by: Mike Lothian <mike@fireburn.co.uk>
      Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E · bd69c85f
      Hans de Goede authored
      commit bbf03861 upstream.
      
      Just like many other Samsung models, the 670Z5E needs to use the acpi-video
      backlight interface rather than the native one for backlight control to
      work, add a quirk for this.
      
      Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1557060
      Cc: All applicable <stable@vger.kernel.org>
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      regmap: Fix reversed bounds check in regmap_raw_write() · d8ad6cb0
      Dan Carpenter authored
      commit f00e7109 upstream.
      
      We're supposed to be checking that "val_len" is not too large but
      instead we check if it is smaller than the max.
      
      The only function affected would be regmap_i2c_smbus_i2c_write() in
      drivers/base/regmap/regmap-i2c.c.  Strangely that function has its own
      limit check which returns an error if (count >= I2C_SMBUS_BLOCK_MAX) so
      it doesn't look like it has ever been able to do anything except return
      an error.
      
      Fixes: c335931e ("regmap: Add raw_write/read checks for max_raw_write/read sizes")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      xen-netfront: Fix hang on device removal · 4c65e94e
      Jason Andryuk authored
      commit c2d2e673 upstream.
      
      A toolstack may delete the vif frontend and backend xenstore entries
      while xen-netfront is in the removal code path.  In that case, the
      checks for xenbus_read_driver_state would return XenbusStateUnknown, and
      xennet_remove would hang indefinitely.  This hang prevents system
      shutdown.
      
      xennet_remove must be able to handle XenbusStateUnknown, and
      netback_changed must also wake up the wake_queue for that state as well.
      
      Fixes: 5b5971df ("xen-netfront: remove warning when unloading module")
      Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
      Cc: Eduardo Otubo <otubo@redhat.com>
      Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ARM: dts: at91: sama5d4: fix pinctrl compatible string · 318a306c
      Santiago Esteban authored
      commit 9a06757d upstream.
      
      The compatible string is incorrect. Add atmel,sama5d3-pinctrl since
      it's the appropriate compatible string. Remove the
      atmel,at91rm9200-pinctrl compatible string, this fallback is
      useless, there are too many changes.

      Signed-off-by: Santiago Esteban <Santiago.Esteban@microchip.com>
      Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
      Cc: stable@vger.kernel.org #v3.18
      Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ARM: dts: at91: at91sam9g25: fix mux-mask pinctrl property · 31118e88
      Nicolas Ferre authored
      commit e8fd0adf upstream.
      
      There are only 19 PIOB pins having primary names PB0-PB18. Not all of them
      have a 'C' function. So the pinctrl property mask ends up being the same as the
      other SoC of the at91sam9x5 series.

      Reported-by: Marek Sieranski <marek.sieranski@microchip.com>
      Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
      Cc: <stable@vger.kernel.org> # v3.8+
      Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      usb: musb: gadget: misplaced out of bounds check · e2300789
      Heinrich Schuchardt authored
      commit af6f8529 upstream.
      
      musb->endpoints[] has array size MUSB_C_NUM_EPS.
      We must check array bounds before accessing the array and not afterwards.

      Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
      Signed-off-by: Bin Liu <b-liu@ti.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      mm, slab: reschedule cache_reap() on the same CPU · 5a310ab0
      Vlastimil Babka authored
      commit a9f2a846 upstream.
      
      cache_reap() is initially scheduled in start_cpu_timer() via
      schedule_delayed_work_on(). But then the next iterations are scheduled
      via schedule_delayed_work(), i.e. using WORK_CPU_UNBOUND.
      
      Thus since commit ef557180 ("workqueue: schedule WORK_CPU_UNBOUND
      work on wq_unbound_cpumask CPUs") there is no guarantee the future
      iterations will run on the originally intended cpu, although it's still
      preferred.  I was able to demonstrate this with
      /sys/module/workqueue/parameters/debug_force_rr_cpu.  IIUC, it may also
      happen due to migrating timers in nohz context.  As a result, some cpus
      would be calling cache_reap() more frequently and others never.
      
      This patch uses schedule_delayed_work_on() with the current cpu when
      scheduling the next iteration.
      
      Link: http://lkml.kernel.org/r/20180411070007.32225-1-vbabka@suse.cz
      Fixes: ef557180 ("workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs")
      Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
      Acked-by: Pekka Enberg <penberg@kernel.org>
      Acked-by: Christoph Lameter <cl@linux.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Lai Jiangshan <jiangshanlai@gmail.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Stephen Boyd <sboyd@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ipc/shm: fix use-after-free of shm file via remap_file_pages() · b7e06a79
      Eric Biggers authored
      commit 3f05317d upstream.
      
      syzbot reported a use-after-free of shm_file_data(file)->file->f_op in
      shm_get_unmapped_area(), called via sys_remap_file_pages().
      
      Unfortunately it couldn't generate a reproducer, but I found a bug which
      I think caused it.  When remap_file_pages() is passed a full System V
      shared memory segment, the memory is first unmapped, then a new map is
      created using the ->vm_file.  Between these steps, the shm ID can be
      removed and reused for a new shm segment.  But, shm_mmap() only checks
      whether the ID is currently valid before calling the underlying file's
      ->mmap(); it doesn't check whether it was reused.  Thus it can use the
      wrong underlying file, one that was already freed.
      
      Fix this by making the "outer" shm file (the one that gets put in
      ->vm_file) hold a reference to the real shm file, and by making
      __shm_open() require that the file associated with the shm ID matches
      the one associated with the "outer" file.
      
      Taking the reference to the real shm file is needed to fully solve the
      problem, since otherwise sfd->file could point to a freed file, which
      then could be reallocated for the reused shm ID, causing the wrong shm
      segment to be mapped (and without the required permission checks).
      
      Commit 1ac0b6de ("ipc/shm: handle removed segments gracefully in
      shm_mmap()") almost fixed this bug, but it didn't go far enough because
      it didn't consider the case where the shm ID is reused.
      
      The following program usually reproduces this bug:
      
      	#include <stdlib.h>
      	#include <sys/shm.h>
      	#include <sys/syscall.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		int is_parent = (fork() != 0);
      		srand(getpid());
      		for (;;) {
      			int id = shmget(0xF00F, 4096, IPC_CREAT|0700);
      			if (is_parent) {
      				void *addr = shmat(id, NULL, 0);
      				usleep(rand() % 50);
      				while (!syscall(__NR_remap_file_pages, addr, 4096, 0, 0, 0));
      			} else {
      				usleep(rand() % 50);
      				shmctl(id, IPC_RMID, NULL);
      			}
      		}
      	}
      
      It causes the following NULL pointer dereference due to a 'struct file'
      being used while it's being freed.  (I couldn't actually get a KASAN
      use-after-free splat like in the syzbot report.  But I think it's
      possible with this bug; it would just take a more extraordinary race...)
      
      	BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
      	PGD 0 P4D 0
      	Oops: 0000 [#1] SMP NOPTI
      	CPU: 9 PID: 258 Comm: syz_ipc Not tainted 4.16.0-05140-gf8cf2f16 #189
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
      	RIP: 0010:d_inode include/linux/dcache.h:519 [inline]
      	RIP: 0010:touch_atime+0x25/0xd0 fs/inode.c:1724
      	[...]
      	Call Trace:
      	 file_accessed include/linux/fs.h:2063 [inline]
      	 shmem_mmap+0x25/0x40 mm/shmem.c:2149
      	 call_mmap include/linux/fs.h:1789 [inline]
      	 shm_mmap+0x34/0x80 ipc/shm.c:465
      	 call_mmap include/linux/fs.h:1789 [inline]
      	 mmap_region+0x309/0x5b0 mm/mmap.c:1712
      	 do_mmap+0x294/0x4a0 mm/mmap.c:1483
      	 do_mmap_pgoff include/linux/mm.h:2235 [inline]
      	 SYSC_remap_file_pages mm/mmap.c:2853 [inline]
      	 SyS_remap_file_pages+0x232/0x310 mm/mmap.c:2769
      	 do_syscall_64+0x64/0x1a0 arch/x86/entry/common.c:287
      	 entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      [ebiggers@google.com: add comment]
        Link: http://lkml.kernel.org/r/20180410192850.235835-1-ebiggers3@gmail.com
      Link: http://lkml.kernel.org/r/20180409043039.28915-1-ebiggers3@gmail.com
      Reported-by: syzbot+d11f321e7f1923157eac80aa990b446596f46439@syzkaller.appspotmail.com
      Fixes: c8d78c18 ("mm: replace remap_file_pages() syscall with emulation")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: Davidlohr Bueso <dbueso@suse.de>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: "Eric W . Biederman" <ebiederm@xmission.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      resource: fix integer overflow at reallocation · 0a2f9fe1
      Takashi Iwai authored
      commit 60bb83b8 upstream.
      
      We've got a bug report indicating a kernel panic at booting on an x86-32
      system, and it turned out to be the invalid PCI resource assigned after
      reallocation.  __find_resource() first aligns the resource start address
      and resets the end address with start+size-1 accordingly, then checks
      whether it's contained.  Here the end address may overflow the integer,
      although resource_contains() still returns true because the function
      validates only start and end address.  So this ends up with returning an
      invalid resource (start > end).
      
      There was already an attempt to cover such a problem in the commit
      47ea91b4 ("Resource: fix wrong resource window calculation"), but
      this case is an overlooked one.
      
      This patch adds the validity check of the newly calculated resource for
      avoiding the integer overflow problem.
      
      Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739
      Link: http://lkml.kernel.org/r/s5hpo37d5l8.wl-tiwai@suse.de
      Fixes: 23c570a6 ("resource: ability to resize an allocated resource")
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Reported-by: Michael Henders <hendersm@shaw.ca>
      Tested-by: Michael Henders <hendersm@shaw.ca>
      Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
      Cc: Ram Pai <linuxram@us.ibm.com>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a2f9fe1
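      The overflow described in the commit above, as an added model (not the kernel's code): a window at the top of a 32-bit address space, a resource_contains()-style check that compares only the two endpoints, and a start/end validity check of the kind the commit adds. The 32-bit resource_size_t, the window and the sizes are assumptions chosen to reproduce the wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added model of the __find_resource() overflow; not the kernel's code.
 * resource_size_t is assumed to be 32 bits wide, as on the x86-32 machine
 * in the bug report.
 */
typedef uint32_t res_size_t;

struct res {
	res_size_t start;
	res_size_t end;		/* inclusive, kernel style */
};

/* Same semantics as the kernel's resource_contains(): endpoints only. */
static bool res_contains(const struct res *r1, const struct res *r2)
{
	return r1->start <= r2->start && r1->end >= r2->end;
}

/* Round start up to a power-of-two alignment. */
static res_size_t align_up(res_size_t x, res_size_t align)
{
	return (x + align - 1) & ~(align - 1);
}

/*
 * Pre-fix behaviour: align the start, derive end = start + size - 1 and
 * rely on res_contains() alone.  Returns 1 and fills *out on a "fit".
 */
static int find_fit_unchecked(const struct res *avail, res_size_t size,
			      res_size_t align, struct res *out)
{
	struct res alloc;

	alloc.start = align_up(avail->start, align);
	alloc.end = alloc.start + size - 1;	/* can wrap past 0xffffffff */
	if (res_contains(avail, &alloc)) {
		*out = alloc;
		return 1;
	}
	return 0;
}

/*
 * Post-fix behaviour: additionally reject a range whose end wrapped below
 * its start, which is the validity check the commit describes.
 */
static int find_fit_checked(const struct res *avail, res_size_t size,
			    res_size_t align, struct res *out)
{
	struct res alloc;

	alloc.start = align_up(avail->start, align);
	alloc.end = alloc.start + size - 1;
	if (alloc.start <= alloc.end && res_contains(avail, &alloc)) {
		*out = alloc;
		return 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed window: the last 4 KiB of a 32-bit address space. */
	struct res top = { 0xfffff000u, 0xffffffffu };
	struct res out = { 0, 0 };
	int ok;

	/* 8 KiB cannot fit, but the end wraps to 0xfff and containment passes. */
	ok = find_fit_unchecked(&top, 0x2000, 0x1000, &out);
	printf("unchecked: fit=%d start=%#x end=%#x\n", ok,
	       (unsigned)out.start, (unsigned)out.end);

	ok = find_fit_checked(&top, 0x2000, 0x1000, &out);
	printf("checked:   fit=%d\n", ok);
	return 0;
}
```

      The unchecked variant hands back start=0xfffff000, end=0xfff, which is exactly the "start > end" resource the commit describes; the checked variant refuses it and still accepts an ordinary fit lower in the address space.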
    • Andrew Morton's avatar
      fs/reiserfs/journal.c: add missing reiserfs_warning() arg · bc6305c0
      Andrew Morton authored
      commit 9ad553ab upstream.
      
      One use of the reiserfs_warning() macro in journal_init_dev() is missing
      a parameter, causing the following warning:
      
        REISERFS warning (device loop0): journal_init_dev: Cannot open '%s': %i journal_init_dev:
      
      This also causes a WARN_ONCE() warning in the vsprintf code, and then a
      panic if panic_on_warn is set.
      
        Please remove unsupported %/ in format string
        WARNING: CPU: 1 PID: 4480 at lib/vsprintf.c:2138 format_decode+0x77f/0x830 lib/vsprintf.c:2138
        Kernel panic - not syncing: panic_on_warn set ...
      
      Just add another string argument to the macro invocation.
      
      Addresses https://syzkaller.appspot.com/bug?id=0627d4551fdc39bf1ef5d82cd9eef587047f7718
      
      Link: http://lkml.kernel.org/r/d678ebe1-6f54-8090-df4c-b9affad62293@infradead.org
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Reported-by: <syzbot+6bd77b88c1977c03f584@syzkaller.appspotmail.com>
      Tested-by: Randy Dunlap <rdunlap@infradead.org>
      Acked-by: Jeff Mahoney <jeffm@suse.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jan Kara <jack@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc6305c0
    • Richard Weinberger's avatar
      ubi: Reject MLC NAND · 78cc9472
      Richard Weinberger authored
      commit b5094b7f upstream.
      
      While UBI and UBIFS seem to work at first sight with MLC NAND, you will
      most likely lose all your data upon a power-cut or due to read/write
      disturb.
      In order to protect users from bad surprises, refuse to attach to MLC
      NAND.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Acked-by: Boris Brezillon <boris.brezillon@bootlin.com>
      Acked-by: Artem Bityutskiy <dedekind1@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      78cc9472
    • Romain Izard's avatar
      ubi: Fix error for write access · 782635ba
      Romain Izard authored
      commit 78a8dfba upstream.
      
      When opening a device with write access, ubiblock_open returns an error
      code. Currently, this error code is -EPERM, but this is not the right
      value.
      
      The open function for other block devices returns -EROFS when opening
      read-only devices with FMODE_WRITE set. When used with dm-verity, the
      veritysetup userspace tool is expecting EROFS, and refuses to use the
      ubiblock device.
      
      Use -EROFS for ubiblock as well. As a result, veritysetup accepts the
      ubiblock device as valid.
      
      Cc: stable@vger.kernel.org
      Fixes: 9d54c8a3 (UBI: R/O block driver on top of UBI volumes)
      Signed-off-by: Romain Izard <romain.izard.pro@gmail.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      782635ba
    • Richard Weinberger's avatar
      ubi: fastmap: Don't flush fastmap work on detach · 75ee8566
      Richard Weinberger authored
      commit 29b7a6fa upstream.
      
      At this point UBI volumes have already been free()'ed and fastmap can no
      longer access these data structures.
      Reported-by: Martin Townsend <mtownsend1973@gmail.com>
      Fixes: 74cdaf24 ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
      Cc: stable@vger.kernel.org
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      75ee8566
    • Richard Weinberger's avatar
      ubifs: Check ubifs_wbuf_sync() return code · a4e98ec0
      Richard Weinberger authored
      commit aac17948 upstream.
      
      If ubifs_wbuf_sync() fails we must not write a master node with the
      dirty marker cleared.
      Otherwise it is possible that in case of an IO error while syncing we
      mark the filesystem as clean and UBIFS refuses to recover upon next
      mount.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      a4e98ec0
    • Tejun Heo's avatar
      tty: make n_tty_read() always abort if hangup is in progress · 12ed237c
      Tejun Heo authored
      commit 28b0f8a6 upstream.
      
      A tty is hung up by __tty_hangup() setting file->f_op to
      hung_up_tty_fops, which is skipped on ttys whose write operation isn't
      tty_write().  This means that, for example, /dev/console whose write
      op is redirected_tty_write() is never actually marked hung up.
      
      Because n_tty_read() uses the hung up status to decide whether to
      abort the waiting readers, the lack of hung-up marking can lead to the
      following scenario.
      
       1. A session contains two processes.  The leader and its child.  The
          child ignores SIGHUP.
      
       2. The leader exits and starts disassociating from the controlling
          terminal (/dev/console).
      
       3. __tty_hangup() skips setting f_op to hung_up_tty_fops.
      
       4. SIGHUP is delivered and ignored.
      
       5. tty_ldisc_hangup() is invoked.  It wakes up the waits which should
          clear the read lockers of tty->ldisc_sem.
      
       6. The reader wakes up but because tty_hung_up_p() is false, it
          doesn't abort and goes back to sleep while read-holding
          tty->ldisc_sem.
      
       7. The leader progresses to tty_ldisc_lock() in tty_ldisc_hangup()
          and is now stuck in D sleep indefinitely waiting for
          tty->ldisc_sem.
      
      The following is Alan's explanation on why some ttys aren't hung up.
      
       http://lkml.kernel.org/r/20171101170908.6ad08580@alans-desktop
      
       1. It broke the serial consoles because they would hang up and close
          down the hardware. With tty_port that *should* be fixable properly
          for any cases remaining.
      
       2. The console layer was (and still is) completely broken and doesn't
          refcount properly. So if you turn on console hangups it breaks (as
          indeed does freeing consoles and half a dozen other things).
      
      As neither can be fixed quickly, this patch works around the problem
      by introducing a new flag, TTY_HUPPING, which is used solely to tell
      n_tty_read() that hang-up is in progress for the console and the
      readers should be aborted regardless of the hung-up status of the
      device.
      
      The following is a sample hung task warning caused by this issue.
      
        INFO: task agetty:2662 blocked for more than 120 seconds.
              Not tainted 4.11.3-dbg-tty-lockup-02478-gfd6c7ee-dirty #28
        "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
            0  2662      1 0x00000086
        Call Trace:
         __schedule+0x267/0x890
         schedule+0x36/0x80
         schedule_timeout+0x23c/0x2e0
         ldsem_down_write+0xce/0x1f6
         tty_ldisc_lock+0x16/0x30
         tty_ldisc_hangup+0xb3/0x1b0
         __tty_hangup+0x300/0x410
         disassociate_ctty+0x6c/0x290
         do_exit+0x7ef/0xb00
         do_group_exit+0x3f/0xa0
         get_signal+0x1b3/0x5d0
         do_signal+0x28/0x660
         exit_to_usermode_loop+0x46/0x86
         do_syscall_64+0x9c/0xb0
         entry_SYSCALL64_slow_path+0x25/0x25
      
      The following is the repro.  Run "$PROG /dev/console".  The parent
      process hangs in D state.
      
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <sys/wait.h>
        #include <sys/ioctl.h>
        #include <fcntl.h>
        #include <unistd.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <errno.h>
        #include <signal.h>
        #include <time.h>
        #include <termios.h>
      
        int main(int argc, char **argv)
        {
      	  struct sigaction sact = { .sa_handler = SIG_IGN };
      	  struct timespec ts1s = { .tv_sec = 1 };
      	  pid_t pid;
      	  int fd;
      
      	  if (argc < 2) {
      		  fprintf(stderr, "test-hung-tty /dev/$TTY\n");
      		  return 1;
      	  }
      
      	  /* fork a child to ensure that it isn't already the session leader */
      	  pid = fork();
      	  if (pid < 0) {
      		  perror("fork");
      		  return 1;
      	  }
      
      	  if (pid > 0) {
      		  /* top parent, wait for everyone */
      		  while (waitpid(-1, NULL, 0) >= 0)
      			  ;
      		  if (errno != ECHILD)
      			  perror("waitpid");
      		  return 0;
      	  }
      
      	  /* new session, start a new session and set the controlling tty */
      	  if (setsid() < 0) {
      		  perror("setsid");
      		  return 1;
      	  }
      
      	  fd = open(argv[1], O_RDWR);
      	  if (fd < 0) {
      		  perror("open");
      		  return 1;
      	  }
      
      	  if (ioctl(fd, TIOCSCTTY, 1) < 0) {
      		  perror("ioctl");
      		  return 1;
      	  }
      
      	  /* fork a child, sleep a bit and exit */
      	  pid = fork();
      	  if (pid < 0) {
      		  perror("fork");
      		  return 1;
      	  }
      
      	  if (pid > 0) {
      		  nanosleep(&ts1s, NULL);
      		  printf("Session leader exiting\n");
      		  exit(0);
      	  }
      
      	  /*
      	   * The child ignores SIGHUP and keeps reading from the controlling
      	   * tty.  Because SIGHUP is ignored, the child doesn't get killed on
      	   * parent exit and the bug in n_tty makes the read(2) block the
      	   * parent's control terminal hangup attempt.  The parent ends up in
      	   * D sleep until the child is explicitly killed.
      	   */
      	  sigaction(SIGHUP, &sact, NULL);
      	  printf("Child reading tty\n");
      	  while (1) {
      		  char buf[1024];
      
      		  if (read(fd, buf, sizeof(buf)) < 0) {
      			  perror("read");
      			  return 1;
      		  }
      	  }
      
      	  return 0;
        }
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Cc: Alan Cox <alan@llwyncelyn.cymru>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      12ed237c
    • Ville Syrjälä's avatar
      x86/hweight: Don't clobber %rdi · 34a6851c
      Ville Syrjälä authored
      commit 65ea11ec upstream.
      
      The caller expects %rdi to remain intact; push+pop it to make that happen.
      
      Fixes the following kind of explosions on my core2duo machine when
      trying to reboot or shut down:
      
        general protection fault: 0000 [#1] PREEMPT SMP
        Modules linked in: i915 i2c_algo_bit drm_kms_helper cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea drm netconsole configfs binfmt_misc iTCO_wdt psmouse pcspkr snd_hda_codec_idt e100 coretemp hwmon snd_hda_codec_generic i2c_i801 mii i2c_smbus lpc_ich mfd_core snd_hda_intel uhci_hcd snd_hda_codec snd_hwdep snd_hda_core ehci_pci 8250 ehci_hcd snd_pcm 8250_base usbcore evdev serial_core usb_common parport_pc parport snd_timer snd soundcore
        CPU: 0 PID: 3070 Comm: reboot Not tainted 4.8.0-rc1-perf-dirty #69
        Hardware name:                  /D946GZIS, BIOS TS94610J.86A.0087.2007.1107.1049 11/07/2007
        task: ffff88012a0b4080 task.stack: ffff880123850000
        RIP: 0010:[<ffffffff81003c92>]  [<ffffffff81003c92>] x86_perf_event_update+0x52/0xc0
        RSP: 0018:ffff880123853b60  EFLAGS: 00010087
        RAX: 0000000000000001 RBX: ffff88012fc0a3c0 RCX: 000000000000001e
        RDX: 0000000000000000 RSI: 0000000040000000 RDI: ffff88012b014800
        RBP: ffff880123853b88 R08: ffffffffffffffff R09: 0000000000000000
        R10: ffffea0004a012c0 R11: ffffea0004acedc0 R12: ffffffff80000001
        R13: ffff88012b0149c0 R14: ffff88012b014800 R15: 0000000000000018
        FS:  00007f8b155cd700(0000) GS:ffff88012fc00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f8b155f5000 CR3: 000000012a2d7000 CR4: 00000000000006f0
        Stack:
         ffff88012fc0a3c0 ffff88012b014800 0000000000000004 0000000000000001
         ffff88012fc1b750 ffff880123853bb0 ffffffff81003d59 ffff88012b014800
         ffff88012fc0a3c0 ffff88012b014800 ffff880123853bd8 ffffffff81003e13
        Call Trace:
         [<ffffffff81003d59>] x86_pmu_stop+0x59/0xd0
         [<ffffffff81003e13>] x86_pmu_del+0x43/0x140
         [<ffffffff8111705d>] event_sched_out.isra.105+0xbd/0x260
         [<ffffffff8111738d>] __perf_remove_from_context+0x2d/0xb0
         [<ffffffff8111745d>] __perf_event_exit_context+0x4d/0x70
         [<ffffffff810c8826>] generic_exec_single+0xb6/0x140
         [<ffffffff81117410>] ? __perf_remove_from_context+0xb0/0xb0
         [<ffffffff81117410>] ? __perf_remove_from_context+0xb0/0xb0
         [<ffffffff810c898f>] smp_call_function_single+0xdf/0x140
         [<ffffffff81113d27>] perf_event_exit_cpu_context+0x87/0xc0
         [<ffffffff81113d73>] perf_reboot+0x13/0x40
         [<ffffffff8107578a>] notifier_call_chain+0x4a/0x70
         [<ffffffff81075ad7>] __blocking_notifier_call_chain+0x47/0x60
         [<ffffffff81075b06>] blocking_notifier_call_chain+0x16/0x20
         [<ffffffff81076a1d>] kernel_restart_prepare+0x1d/0x40
         [<ffffffff81076ae2>] kernel_restart+0x12/0x60
         [<ffffffff81076d56>] SYSC_reboot+0xf6/0x1b0
         [<ffffffff811a823c>] ? mntput_no_expire+0x2c/0x1b0
         [<ffffffff811a83e4>] ? mntput+0x24/0x40
         [<ffffffff811894fc>] ? __fput+0x16c/0x1e0
         [<ffffffff811895ae>] ? ____fput+0xe/0x10
         [<ffffffff81072fc3>] ? task_work_run+0x83/0xa0
         [<ffffffff81001623>] ? exit_to_usermode_loop+0x53/0xc0
         [<ffffffff8100105a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
         [<ffffffff81076e6e>] SyS_reboot+0xe/0x10
         [<ffffffff814c4ba5>] entry_SYSCALL_64_fastpath+0x18/0xa3
        Code: 7c 4c 8d af c0 01 00 00 49 89 fe eb 10 48 09 c2 4c 89 e0 49 0f b1 55 00 4c 39 e0 74 35 4d 8b a6 c0 01 00 00 41 8b 8e 60 01 00 00 <0f> 33 8b 35 6e 02 8c 00 48 c1 e2 20 85 f6 7e d2 48 89 d3 89 cf
        RIP  [<ffffffff81003c92>] x86_perf_event_update+0x52/0xc0
         RSP <ffff880123853b60>
        ---[ end trace 7ec95181faf211be ]---
        note: reboot[3070] exited with preempt_count 2
      
      Cc: Borislav Petkov <bp@suse.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@kernel.org>
      Fixes: f5967101 ("x86/hweight: Get rid of the special calling convention")
      Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matthias Kaehlcke <mka@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      34a6851c
    • Borislav Petkov's avatar
      x86/hweight: Get rid of the special calling convention · c597f987
      Borislav Petkov authored
      commit f5967101 upstream.
      
      People complained about ARCH_HWEIGHT_CFLAGS and how it throws a wrench
      into kcov, lto, etc. experiments.
      
      Add asm versions for __sw_hweight{32,64}() and do explicit saving and
      restoring of clobbered registers. This gets rid of the special calling
      convention. We get to call those functions on !X86_FEATURE_POPCNT CPUs.
      
      We still need to hardcode POPCNT and register operands as some old gas
      versions which we support do not know about POPCNT.
      
      Btw, remove redundant REX prefix from 32-bit POPCNT because alternatives
      can do padding now.
      Suggested-by: H. Peter Anvin <hpa@zytor.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1464605787-20603-1-git-send-email-bp@alien8.de
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c597f987
    • Phil Elwell's avatar
      lan78xx: Correctly indicate invalid OTP · 3d069960
      Phil Elwell authored
      
      [ Upstream commit 4bfc3380 ]
      
      lan78xx_read_otp tries to return -EINVAL in the event of invalid OTP
      content, but the value gets overwritten before it is returned and the
      read goes ahead anyway. Make the read conditional as it should be
      and preserve the error code.
      
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
      Signed-off-by: Phil Elwell <phil@raspberrypi.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d069960
    • Tejaswi Tanikella's avatar
      slip: Check if rstate is initialized before uncompressing · 46043941
      Tejaswi Tanikella authored
      
      [ Upstream commit 3f01ddb9 ]
      
      On receiving a packet the state index points to the rstate which must be
      used to fill up the IP and TCP headers. But if the state index points to an
      rstate which is uninitialized, i.e. filled with zeros, it gets stuck in an
      infinite loop inside ip_fast_csum trying to compute the IP checksum of a
      header with zero length.
      
      89.666953:   <2> [<ffffff9dd3e94d38>] slhc_uncompress+0x464/0x468
      89.666965:   <2> [<ffffff9dd3e87d88>] ppp_receive_nonmp_frame+0x3b4/0x65c
      89.666978:   <2> [<ffffff9dd3e89dd4>] ppp_receive_frame+0x64/0x7e0
      89.666991:   <2> [<ffffff9dd3e8a708>] ppp_input+0x104/0x198
      89.667005:   <2> [<ffffff9dd3e93868>] pppopns_recv_core+0x238/0x370
      89.667027:   <2> [<ffffff9dd4428fc8>] __sk_receive_skb+0xdc/0x250
      89.667040:   <2> [<ffffff9dd3e939e4>] pppopns_recv+0x44/0x60
      89.667053:   <2> [<ffffff9dd4426848>] __sock_queue_rcv_skb+0x16c/0x24c
      89.667065:   <2> [<ffffff9dd4426954>] sock_queue_rcv_skb+0x2c/0x38
      89.667085:   <2> [<ffffff9dd44f7358>] raw_rcv+0x124/0x154
      89.667098:   <2> [<ffffff9dd44f7568>] raw_local_deliver+0x1e0/0x22c
      89.667117:   <2> [<ffffff9dd44c8ba0>] ip_local_deliver_finish+0x70/0x24c
      89.667131:   <2> [<ffffff9dd44c92f4>] ip_local_deliver+0x100/0x10c
      
      ./scripts/faddr2line vmlinux slhc_uncompress+0x464/0x468 output:
       ip_fast_csum at arch/arm64/include/asm/checksum.h:40
       (inlined by) slhc_uncompress at drivers/net/slip/slhc.c:615
      
      Add a variable indicating whether the current rstate is initialized. If
      such a packet arrives, move to the toss state.
      Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      46043941
    • Bassem Boubaker's avatar
      cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN · 085c9c4b
      Bassem Boubaker authored
      
      [ Upstream commit 53765341 ]
      
      The Cinterion AHS8 is a 3G device with one embedded WWAN interface
      using cdc_ether as a driver.
      
      The modem is controlled via AT commands through the exposed TTYs.
      
      The AT+CGDCONT write command can be used to activate or deactivate a WWAN
      connection for a PDP context defined with the same command. The UE
      supports one WWAN adapter.
      Signed-off-by: Bassem Boubaker <bassem.boubaker@actia.fr>
      Acked-by: Oliver Neukum <oneukum@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      085c9c4b
    • Marek Szyprowski's avatar
      hwmon: (ina2xx) Fix access to uninitialized mutex · 09293a7b
      Marek Szyprowski authored
      commit 0c4c5860 upstream.
      
      Initialize data->config_lock mutex before it is used by the driver code.
      
      This fixes following warning on Odroid XU3 boards:
      
      INFO: trying to register non-static key.
      the code is fine but needs lockdep annotation.
      turning off the locking correctness validator.
      CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc7-next-20180115-00001-gb75575dee3f2 #107
      Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
      [<c0111504>] (unwind_backtrace) from [<c010dbec>] (show_stack+0x10/0x14)
      [<c010dbec>] (show_stack) from [<c09b3f74>] (dump_stack+0x90/0xc8)
      [<c09b3f74>] (dump_stack) from [<c0179528>] (register_lock_class+0x1c0/0x59c)
      [<c0179528>] (register_lock_class) from [<c017bd1c>] (__lock_acquire+0x78/0x1850)
      [<c017bd1c>] (__lock_acquire) from [<c017de30>] (lock_acquire+0xc8/0x2b8)
      [<c017de30>] (lock_acquire) from [<c09ca59c>] (__mutex_lock+0x60/0xa0c)
      [<c09ca59c>] (__mutex_lock) from [<c09cafd0>] (mutex_lock_nested+0x1c/0x24)
      [<c09cafd0>] (mutex_lock_nested) from [<c068b0d0>] (ina2xx_set_shunt+0x70/0xb0)
      [<c068b0d0>] (ina2xx_set_shunt) from [<c068b218>] (ina2xx_probe+0x88/0x1b0)
      [<c068b218>] (ina2xx_probe) from [<c0673d90>] (i2c_device_probe+0x1e0/0x2d0)
      [<c0673d90>] (i2c_device_probe) from [<c053a268>] (driver_probe_device+0x2b8/0x4a0)
      [<c053a268>] (driver_probe_device) from [<c053a54c>] (__driver_attach+0xfc/0x120)
      [<c053a54c>] (__driver_attach) from [<c05384cc>] (bus_for_each_dev+0x58/0x7c)
      [<c05384cc>] (bus_for_each_dev) from [<c0539590>] (bus_add_driver+0x174/0x250)
      [<c0539590>] (bus_add_driver) from [<c053b5e0>] (driver_register+0x78/0xf4)
      [<c053b5e0>] (driver_register) from [<c0675ef0>] (i2c_register_driver+0x38/0xa8)
      [<c0675ef0>] (i2c_register_driver) from [<c0102b40>] (do_one_initcall+0x48/0x18c)
      [<c0102b40>] (do_one_initcall) from [<c0e00df0>] (kernel_init_freeable+0x110/0x1d4)
      [<c0e00df0>] (kernel_init_freeable) from [<c09c8120>] (kernel_init+0x8/0x114)
      [<c09c8120>] (kernel_init) from [<c01010b4>] (ret_from_fork+0x14/0x20)
      
      Fixes: 5d389b12 ("hwmon: (ina2xx) Make calibration register value fixed")
      Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      [backport to v4.4.y/v4.9.y: context changes]
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      09293a7b
    • Sudhir Sreedharan's avatar
      rtl8187: Fix NULL pointer dereference in priv->conf_mutex · 2f2c030c
      Sudhir Sreedharan authored
      commit 7972326a upstream.
      
      This can be reproduced by binding/unbinding the driver multiple times
      on an AM3517 board.
      
      Analysis revealed that rtl8187_start() was invoked before probe
      finishes (i.e. before the mutex is initialized).
      
       INFO: trying to register non-static key.
       the code is fine but needs lockdep annotation.
       turning off the locking correctness validator.
       CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250
       Hardware name: Generic AM3517 (Flattened Device Tree)
       [<c010e0d8>] (unwind_backtrace) from [<c010beac>] (show_stack+0x10/0x14)
       [<c010beac>] (show_stack) from [<c017401c>] (register_lock_class+0x4f4/0x55c)
       [<c017401c>] (register_lock_class) from [<c0176fe0>] (__lock_acquire+0x74/0x1938)
       [<c0176fe0>] (__lock_acquire) from [<c0178cfc>] (lock_acquire+0xfc/0x23c)
       [<c0178cfc>] (lock_acquire) from [<c08aa2f8>] (mutex_lock_nested+0x50/0x3b0)
       [<c08aa2f8>] (mutex_lock_nested) from [<c05f5bf8>] (rtl8187_start+0x2c/0xd54)
       [<c05f5bf8>] (rtl8187_start) from [<c082dea0>] (drv_start+0xa8/0x320)
       [<c082dea0>] (drv_start) from [<c084d1d4>] (ieee80211_do_open+0x2bc/0x8e4)
       [<c084d1d4>] (ieee80211_do_open) from [<c069be94>] (__dev_open+0xb8/0x120)
       [<c069be94>] (__dev_open) from [<c069c11c>] (__dev_change_flags+0x88/0x14c)
       [<c069c11c>] (__dev_change_flags) from [<c069c1f8>] (dev_change_flags+0x18/0x48)
       [<c069c1f8>] (dev_change_flags) from [<c0710b08>] (devinet_ioctl+0x738/0x840)
       [<c0710b08>] (devinet_ioctl) from [<c067925c>] (sock_ioctl+0x164/0x2f4)
       [<c067925c>] (sock_ioctl) from [<c02883f8>] (do_vfs_ioctl+0x8c/0x9d0)
       [<c02883f8>] (do_vfs_ioctl) from [<c0288da8>] (SyS_ioctl+0x6c/0x7c)
       [<c0288da8>] (SyS_ioctl) from [<c0107760>] (ret_fast_syscall+0x0/0x1c)
       Unable to handle kernel NULL pointer dereference at virtual address 00000000
       pgd = cd1ec000
       [00000000] *pgd=8d1de831, *pte=00000000, *ppte=00000000
       Internal error: Oops: 817 [#1] PREEMPT ARM
       Modules linked in:
       CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250
       Hardware name: Generic AM3517 (Flattened Device Tree)
       task: ce73eec0 task.stack: cd1ea000
       PC is at mutex_lock_nested+0xe8/0x3b0
       LR is at mutex_lock_nested+0xd0/0x3b0
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Sudhir Sreedharan <ssreedharan@mvista.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f2c030c