1. 11 Mar, 2018 25 commits
    • Guillaume Nault's avatar
      ppp: prevent unregistered channels from connecting to PPP units · eae0a9ae
      Guillaume Nault authored
      
      [ Upstream commit 77f840e3 ]
      
      PPP units don't hold any reference on the channels connected to it.
      It is the channel's responsibility to ensure that it disconnects from
      its unit before being destroyed.
      In practice, this is ensured by ppp_unregister_channel() disconnecting
      the channel from the unit before dropping a reference on the channel.
      
      However, it is possible for an unregistered channel to connect to a PPP
      unit: register a channel with ppp_register_net_channel(), attach a
      /dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel
      with ppp_unregister_channel() and finally connect the /dev/ppp file to
      a PPP unit with ioctl(PPPIOCCONNECT).
      
      Once in this situation, the channel is only held by the /dev/ppp file,
      which can be released at anytime and free the channel without letting
      the parent PPP unit know. Then the ppp structure ends up with dangling
      pointers in its ->channels list.
      
      Prevent this scenario by forbidding unregistered channels from
      connecting to PPP units. This maintains the code logic by keeping
      ppp_unregister_channel() responsible from disconnecting the channel if
      necessary and avoids modification on the reference counting mechanism.
      
      This issue seems to predate git history (successfully reproduced on
      Linux 2.6.26 and earlier PPP commits are unrelated).
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eae0a9ae
    • Nicolas Dichtel's avatar
      netlink: ensure to loop over all netns in genlmsg_multicast_allns() · 1b919f5a
      Nicolas Dichtel authored
      
      [ Upstream commit cb9f7a9a ]
      
      Nowadays, nlmsg_multicast() returns only 0 or -ESRCH but this was not the
      case when commit 134e6375 was pushed.
      However, there was no reason to stop the loop if a netns does not have
      listeners.
      Returns -ESRCH only if there was no listeners in all netns.
      
      To avoid having the same problem in the future, I didn't take the
      assumption that nlmsg_multicast() returns only 0 or -ESRCH.
      
      Fixes: 134e6375 ("genetlink: make netns aware")
      CC: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b919f5a
    • Sabrina Dubroca's avatar
      net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 · 94522bee
      Sabrina Dubroca authored
      
      [ Upstream commit c7272c2f ]
      
      According to RFC 1191 sections 3 and 4, ICMP frag-needed messages
      indicating an MTU below 68 should be rejected:
      
          A host MUST never reduce its estimate of the Path MTU below 68
          octets.
      
      and (talking about ICMP frag-needed's Next-Hop MTU field):
      
          This field will never contain a value less than 68, since every
          router "must be able to forward a datagram of 68 octets without
          fragmentation".
      
      Furthermore, by letting net.ipv4.route.min_pmtu be set to negative
      values, we can end up with a very large PMTU when (-1) is cast into u32.
      
      Let's also make ip_rt_min_pmtu a u32, since it's only ever compared to
      unsigned ints.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      94522bee
    • Jakub Kicinski's avatar
      net: fix race on decreasing number of TX queues · 65fe24fd
      Jakub Kicinski authored
      
      [ Upstream commit ac5b7019 ]
      
      netif_set_real_num_tx_queues() can be called when netdev is up.
      That usually happens when user requests change of number of
      channels/rings with ethtool -L.  The procedure for changing
      the number of queues involves resetting the qdiscs and setting
      dev->num_tx_queues to the new value.  When the new value is
      lower than the old one, extra care has to be taken to ensure
      ordering of accesses to the number of queues vs qdisc reset.
      
      Currently the queues are reset before new dev->num_tx_queues
      is assigned, leaving a window of time where packets can be
      enqueued onto the queues going down, leading to a likely
      crash in the drivers, since most drivers don't check if TX
      skbs are assigned to an active queue.
      
      Fixes: e6484930 ("net: allocate tx queues in register_netdevice")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65fe24fd
    • Arnd Bergmann's avatar
      ipv6 sit: work around bogus gcc-8 -Wrestrict warning · 2f9e04ca
      Arnd Bergmann authored
      
      [ Upstream commit ca79bec2 ]
      
      gcc-8 has a new warning that detects overlapping input and output arguments
      in memcpy(). It triggers for sit_init_net() calling ipip6_tunnel_clone_6rd(),
      which is actually correct:
      
      net/ipv6/sit.c: In function 'sit_init_net':
      net/ipv6/sit.c:192:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
      
      The problem here is that the logic detecting the memcpy() arguments finds them
      to be the same, but the conditional that tests for the input and output of
      ipip6_tunnel_clone_6rd() to be identical is not a compile-time constant.
      
      We know that netdev_priv(t->dev) is the same as t for a tunnel device,
      and comparing "dev" directly here lets the compiler figure out as well
      that 'dev == sitn->fb_tunnel_dev' when called from sit_init_net(), so
      it no longer warns.
      
      This code is old, so Cc stable to make sure that we don't get the warning
      for older kernels built with new gcc.
      
      Cc: Martin Sebor <msebor@gmail.com>
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83456Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f9e04ca
    • Denis Du's avatar
      hdlc_ppp: carrier detect ok, don't turn off negotiation · 830dd26a
      Denis Du authored
      
      [ Upstream commit b6c3bad1 ]
      
      Sometimes when physical lines have a just good noise to make the protocol
      handshaking fail, but the carrier detect still good. Then after remove of
      the noise, nobody will trigger this protocol to be start again to cause
      the link to never come back. The fix is when the carrier is still on, not
      terminate the protocol handshaking.
      Signed-off-by: default avatarDenis Du <dudenis2000@yahoo.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      830dd26a
    • Stefano Brivio's avatar
      fib_semantics: Don't match route with mismatching tclassid · 7e70022d
      Stefano Brivio authored
      
      [ Upstream commit a8c6db1d ]
      
      In fib_nh_match(), if output interface or gateway are passed in
      the FIB configuration, we don't have to check next hops of
      multipath routes to conclude whether we have a match or not.
      
      However, we might still have routes with different realms
      matching the same output interface and gateway configuration,
      and this needs to cause the match to fail. Otherwise the first
      route inserted in the FIB will match, regardless of the realms:
      
       # ip route add 1.1.1.1 dev eth0 table 1234 realms 1/2
       # ip route append 1.1.1.1 dev eth0 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev eth0 scope link realms 1/2
       1.1.1.1 dev eth0 scope link realms 3/4
       # ip route del 1.1.1.1 dev ens3 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev ens3 scope link realms 3/4
      
      whereas route with realms 3/4 should have been deleted instead.
      
      Explicitly check for fc_flow passed in the FIB configuration
      (this comes from RTA_FLOW extracted by rtm_to_fib_config()) and
      fail matching if it differs from nh_tclassid.
      
      The handling of RTA_FLOW for multipath routes later in
      fib_nh_match() is still needed, as we can have multiple RTA_FLOW
      attributes that need to be matched against the tclassid of each
      next hop.
      
      v2: Check that fc_flow is set before discarding the match, so
          that the user can still select the first matching rule by
          not specifying any realm, as suggested by David Ahern.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e70022d
    • Xin Long's avatar
      bridge: check brport attr show in brport_show · 5a12bc77
      Xin Long authored
      
      [ Upstream commit 1b12580a ]
      
      Now br_sysfs_if file flush doesn't have attr show. To read it will
      cause kernel panic after users chmod u+r this file.
      
      Xiong found this issue when running the commands:
      
        ip link add br0 type bridge
        ip link add type veth
        ip link set veth0 master br0
        chmod u+r /sys/devices/virtual/net/veth0/brport/flush
        timeout 3 cat /sys/devices/virtual/net/veth0/brport/flush
      
      kernel crashed with NULL a pointer dereference call trace.
      
      This patch is to fix it by return -EINVAL when brport_attr->show
      is null, just the same as the check for brport_attr->store in
      brport_store().
      
      Fixes: 9cf63747 ("bridge: add sysfs hook to flush forwarding table")
      Reported-by: default avatarXiong Zhou <xzhou@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a12bc77
    • Ben Hutchings's avatar
      Revert "led: core: Fix brightness setting when setting delay_off=0" · 3f3437fb
      Ben Hutchings authored
      This reverts commit 20ac8f72, which
      was commit 2b83ff96 upstream.
      The bug that it should fix was only introduced in Linux 4.7, and
      in 4.4 it causes a regression.
      Reported-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      Cc: Matthieu CASTET <matthieu.castet@parrot.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f3437fb
    • Dan Carpenter's avatar
      x86/spectre: Fix an error message · c2da3bb9
      Dan Carpenter authored
      commit 9de29eac upstream.
      
      If i == ARRAY_SIZE(mitigation_options) then we accidentally print
      garbage from one space beyond the end of the mitigation_options[] array.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: KarimAllah Ahmed <karahmed@amazon.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: kernel-janitors@vger.kernel.org
      Fixes: 9005c683 ("x86/spectre: Simplify spectre_v2 command line parsing")
      Link: http://lkml.kernel.org/r/20180214071416.GA26677@mwandaSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c2da3bb9
    • Nathan Sullivan's avatar
      leds: do not overflow sysfs buffer in led_trigger_show · dff485e3
      Nathan Sullivan authored
      commit 3b9b9536 upstream.
      
      Per the documentation, use scnprintf instead of sprintf to ensure there
      is never more than PAGE_SIZE bytes of trigger names put into the
      buffer.
      Signed-off-by: default avatarNathan Sullivan <nathan.sullivan@ni.com>
      Signed-off-by: default avatarZach Brown <zach.brown@ni.com>
      Signed-off-by: default avatarJacek Anaszewski <j.anaszewski@samsung.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dff485e3
    • Thomas Gleixner's avatar
      x86/apic/vector: Handle legacy irq data correctly · 6bde0940
      Thomas Gleixner authored
      The backport of upstream commit 45d55e7b ("x86/apic/vector: Fix off by
      one in error path") missed to fixup the legacy interrupt data which is not
      longer available upstream.
      
      Handle legacy irq data correctly by clearing the legacy storage to prevent
      use after free.
      
      Fixes: 7fd13353 ("x86/apic/vector: Fix off by one in error path") - 4.4.y
      Fixes: c557481a ("x86/apic/vector: Fix off by one in error path") - 4.9.y
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bde0940
    • Adam Ford's avatar
      ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux · c86bfc7b
      Adam Ford authored
      commit 74402055 upstream.
      
      The pinmuxing was missing for I2C1 which was causing intermittent issues
      with the PMIC which is connected to I2C1.  The bootloader did not quite
      configure the I2C1 either, so when running at 2.6MHz, it was generating
      errors at time.
      
      This correctly sets the I2C1 pinmuxing so it can operate at 2.6MHz
      
      Fixes: 687c2767 ("ARM: dts: Add minimal support for LogicPD Torpedo
      DM3730 devkit")
      Signed-off-by: default avatarAdam Ford <aford173@gmail.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c86bfc7b
    • Jan Kara's avatar
      btrfs: Don't clear SGID when inheriting ACLs · aa75b56e
      Jan Kara authored
      commit b7f8a09f upstream.
      
      When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
      set, DIR1 is expected to have SGID bit set (and owning group equal to
      the owning group of 'DIR0'). However when 'DIR0' also has some default
      ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
      'DIR1' to get cleared if user is not member of the owning group.
      
      Fix the problem by moving posix_acl_update_mode() out of
      __btrfs_set_acl() into btrfs_set_acl(). That way the function will not be
      called when inheriting ACLs which is what we want as it prevents SGID
      bit clearing and the mode has been properly set by posix_acl_create()
      anyway.
      
      Fixes: 07393101
      CC: stable@vger.kernel.org
      CC: linux-btrfs@vger.kernel.org
      CC: David Sterba <dsterba@suse.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa75b56e
    • Jiri Slaby's avatar
      x86/syscall: Sanitize syscall table de-references under speculation fix · 5fed0b35
      Jiri Slaby authored
      In 4.4.118, we have commit c8961332 (x86/syscall: Sanitize syscall
      table de-references under speculation), which is a backport of upstream
      commit 2fbd7af5. But it fixed only the C part of the upstream patch
      -- the IA32 sysentry. So it ommitted completely the assembly part -- the
      64bit sysentry.
      
      Fix that in this patch by explicit array_index_mask_nospec written in
      assembly. The same was used in lib/getuser.S.
      
      However, to have "sbb" working properly, we have to switch from "cmp"
      against (NR_syscalls-1) to (NR_syscalls), otherwise the last syscall
      number would be "and"ed by 0. It is because the original "ja" relies on
      "CF" or "ZF", but we rely only on "CF" in "sbb". That means: switch to
      "jae" conditional jump too.
      
      Final note: use rcx for mask as this is exactly what is overwritten by
      the 4th syscall argument (r10) right after.
      Reported-by: default avatarJan Beulich <JBeulich@suse.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-arch@vger.kernel.org
      Cc: kernel-hardening@lists.openwall.com
      Cc: gregkh@linuxfoundation.org
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: alan@linux.intel.com
      Cc: Jinpu Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5fed0b35
    • Wanpeng Li's avatar
      KVM: mmu: Fix overlap between public and private memslots · 42f587fa
      Wanpeng Li authored
      commit b28676bb upstream.
      
      Reported by syzkaller:
      
          pte_list_remove: ffff9714eb1f8078 0->BUG
          ------------[ cut here ]------------
          kernel BUG at arch/x86/kvm/mmu.c:1157!
          invalid opcode: 0000 [#1] SMP
          RIP: 0010:pte_list_remove+0x11b/0x120 [kvm]
          Call Trace:
           drop_spte+0x83/0xb0 [kvm]
           mmu_page_zap_pte+0xcc/0xe0 [kvm]
           kvm_mmu_prepare_zap_page+0x81/0x4a0 [kvm]
           kvm_mmu_invalidate_zap_all_pages+0x159/0x220 [kvm]
           kvm_arch_flush_shadow_all+0xe/0x10 [kvm]
           kvm_mmu_notifier_release+0x6c/0xa0 [kvm]
           ? kvm_mmu_notifier_release+0x5/0xa0 [kvm]
           __mmu_notifier_release+0x79/0x110
           ? __mmu_notifier_release+0x5/0x110
           exit_mmap+0x15a/0x170
           ? do_exit+0x281/0xcb0
           mmput+0x66/0x160
           do_exit+0x2c9/0xcb0
           ? __context_tracking_exit.part.5+0x4a/0x150
           do_group_exit+0x50/0xd0
           SyS_exit_group+0x14/0x20
           do_syscall_64+0x73/0x1f0
           entry_SYSCALL64_slow_path+0x25/0x25
      
      The reason is that when creates new memslot, there is no guarantee for new
      memslot not overlap with private memslots. This can be triggered by the
      following program:
      
         #include <fcntl.h>
         #include <pthread.h>
         #include <setjmp.h>
         #include <signal.h>
         #include <stddef.h>
         #include <stdint.h>
         #include <stdio.h>
         #include <stdlib.h>
         #include <string.h>
         #include <sys/ioctl.h>
         #include <sys/stat.h>
         #include <sys/syscall.h>
         #include <sys/types.h>
         #include <unistd.h>
         #include <linux/kvm.h>
      
         long r[16];
      
         int main()
         {
      	void *p = valloc(0x4000);
      
      	r[2] = open("/dev/kvm", 0);
      	r[3] = ioctl(r[2], KVM_CREATE_VM, 0x0ul);
      
      	uint64_t addr = 0xf000;
      	ioctl(r[3], KVM_SET_IDENTITY_MAP_ADDR, &addr);
      	r[6] = ioctl(r[3], KVM_CREATE_VCPU, 0x0ul);
      	ioctl(r[3], KVM_SET_TSS_ADDR, 0x0ul);
      	ioctl(r[6], KVM_RUN, 0);
      	ioctl(r[6], KVM_RUN, 0);
      
      	struct kvm_userspace_memory_region mr = {
      		.slot = 0,
      		.flags = KVM_MEM_LOG_DIRTY_PAGES,
      		.guest_phys_addr = 0xf000,
      		.memory_size = 0x4000,
      		.userspace_addr = (uintptr_t) p
      	};
      	ioctl(r[3], KVM_SET_USER_MEMORY_REGION, &mr);
      	return 0;
         }
      
      This patch fixes the bug by not adding a new memslot even if it
      overlaps with private memslots.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Eric Biggers <ebiggers3@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      42f587fa
    • Ulf Magnusson's avatar
      ARM: mvebu: Fix broken PL310_ERRATA_753970 selects · d95280bd
      Ulf Magnusson authored
      commit 8aa36a8d upstream.
      
      The MACH_ARMADA_375 and MACH_ARMADA_38X boards select ARM_ERRATA_753970,
      but it was renamed to PL310_ERRATA_753970 by commit fa0ce403 ("ARM:
      7162/1: errata: tidy up Kconfig options for PL310 errata workarounds").
      
      Fix the selects to use the new name.
      
      Discovered with the
      https://github.com/ulfalizer/Kconfiglib/blob/master/examples/list_undefined.py
      script.
      Fixes: fa0ce403 ("ARM: 7162/1: errata: tidy up Kconfig options for
      PL310 errata workarounds"
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarUlf Magnusson <ulfalizer@gmail.com>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d95280bd
    • Rasmus Villemoes's avatar
      nospec: Allow index argument to have const-qualified type · f78124cc
      Rasmus Villemoes authored
      commit b98c6a16 upstream.
      
      The last expression in a statement expression need not be a bare
      variable, quoting gcc docs
      
        The last thing in the compound statement should be an expression
        followed by a semicolon; the value of this subexpression serves as the
        value of the entire construct.
      
      and we already use that in e.g. the min/max macros which end with a
      ternary expression.
      
      This way, we can allow index to have const-qualified type, which will in
      some cases avoid the need for introducing a local copy of index of
      non-const qualified type. That, in turn, can prevent readers not
      familiar with the internals of array_index_nospec from wondering about
      the seemingly redundant extra variable, and I think that's worthwhile
      considering how confusing the whole _nospec business is.
      
      The expression _i&_mask has type unsigned long (since that is the type
      of _mask, and the BUILD_BUG_ONs guarantee that _i will get promoted to
      that), so in order not to change the type of the whole expression, add
      a cast back to typeof(_i).
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: linux-arch@vger.kernel.org
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/151881604837.17395.10812767547837568328.stgit@dwillia2-desk3.amr.corp.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f78124cc
    • Mauro Carvalho Chehab's avatar
      media: m88ds3103: don't call a non-initalized function · 0dfc2fb6
      Mauro Carvalho Chehab authored
      commit b9c97c67 upstream.
      
      If m88d3103 chip ID is not recognized, the device is not initialized.
      
      However, it returns from probe without any error, causing this OOPS:
      
      [    7.689289] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      [    7.689297] pgd = 7b0bd7a7
      [    7.689302] [00000000] *pgd=00000000
      [    7.689318] Internal error: Oops: 80000005 [#1] SMP ARM
      [    7.689322] Modules linked in: dvb_usb_dvbsky(+) m88ds3103 dvb_usb_v2 dvb_core videobuf2_vmalloc videobuf2_memops videobuf2_core crc32_arm_ce videodev media
      [    7.689358] CPU: 3 PID: 197 Comm: systemd-udevd Not tainted 4.15.0-mcc+ #23
      [    7.689361] Hardware name: BCM2835
      [    7.689367] PC is at 0x0
      [    7.689382] LR is at m88ds3103_attach+0x194/0x1d0 [m88ds3103]
      [    7.689386] pc : [<00000000>]    lr : [<bf0ae1ec>]    psr: 60000013
      [    7.689391] sp : ed8e5c20  ip : ed8c1e00  fp : ed8945c0
      [    7.689395] r10: ed894000  r9 : ed894378  r8 : eda736c0
      [    7.689400] r7 : ed894070  r6 : ed8e5c44  r5 : bf0bb040  r4 : eda77600
      [    7.689405] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : eda77600
      [    7.689412] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [    7.689417] Control: 10c5383d  Table: 2d8e806a  DAC: 00000051
      [    7.689423] Process systemd-udevd (pid: 197, stack limit = 0xe9dbfb63)
      [    7.689428] Stack: (0xed8e5c20 to 0xed8e6000)
      [    7.689439] 5c20: ed853a80 eda73640 ed894000 ed8942c0 ed853a80 bf0b9e98 ed894070 bf0b9f10
      [    7.689449] 5c40: 00000000 00000000 bf08c17c c08dfc50 00000000 00000000 00000000 00000000
      [    7.689459] 5c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    7.689468] 5c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    7.689479] 5ca0: 00000000 00000000 ed8945c0 ed8942c0 ed894000 ed894830 bf0b9e98 00000000
      [    7.689490] 5cc0: ed894378 bf0a3cb4 bf0bc3b0 0000533b ed920540 00000000 00000034 bf0a6434
      [    7.689500] 5ce0: ee952070 ed826600 bf0a7038 bf0a2dd8 00000001 bf0a6768 bf0a2f90 ed8943c0
      [    7.689511] 5d00: 00000000 c08eca68 ed826620 ed826620 00000000 ee952070 bf0bc034 ee952000
      [    7.689521] 5d20: ed826600 bf0bb080 ffffffed c0aa9e9c c0aa9dac ed826620 c16edf6c c168c2c8
      [    7.689531] 5d40: c16edf70 00000000 bf0bc034 0000000d 00000000 c08e268c bf0bb080 ed826600
      [    7.689541] 5d60: bf0bc034 ed826654 ed826620 bf0bc034 c164c8bc 00000000 00000001 00000000
      [    7.689553] 5d80: 00000028 c08e2948 00000000 bf0bc034 c08e2848 c08e0778 ee9f0a58 ed88bab4
      [    7.689563] 5da0: bf0bc034 ed90ba80 c168c1f0 c08e1934 bf0bb3bc c17045ac bf0bc034 c164c8bc
      [    7.689574] 5dc0: bf0bc034 bf0bb3bc ed91f564 c08e34ec bf0bc000 c164c8bc bf0bc034 c0aa8dc4
      [    7.689584] 5de0: ffffe000 00000000 bf0bf000 ed91f600 ed91f564 c03021e4 00000001 00000000
      [    7.689595] 5e00: c166e040 8040003f ed853a80 bf0bc448 00000000 c1678174 ed853a80 f0f22000
      [    7.689605] 5e20: f0f21fff 8040003f 014000c0 ed91e700 ed91e700 c16d8e68 00000001 ed91e6c0
      [    7.689615] 5e40: bf0bc400 00000001 bf0bc400 ed91f564 00000001 00000000 00000028 c03c9a24
      [    7.689625] 5e60: 00000001 c03c8c94 ed8e5f50 ed8e5f50 00000001 bf0bc400 ed91f540 c03c8cb0
      [    7.689637] 5e80: bf0bc40c 00007fff bf0bc400 c03c60b0 00000000 bf0bc448 00000028 c0e09684
      [    7.689647] 5ea0: 00000002 bf0bc530 c1234bf8 bf0bc5dc bf0bc514 c10ebbe8 ffffe000 bf000000
      [    7.689657] 5ec0: 00011538 00000000 ed8e5f48 00000000 00000000 00000000 00000000 00000000
      [    7.689666] 5ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    7.689676] 5f00: 00000000 00000000 7fffffff 00000000 00000013 b6e55a18 0000017b c0309104
      [    7.689686] 5f20: ed8e4000 00000000 00510af0 c03c9430 7fffffff 00000000 00000003 00000000
      [    7.689697] 5f40: 00000000 f0f0f000 00011538 00000000 f0f107b0 f0f0f000 00011538 f0f1fdb8
      [    7.689707] 5f60: f0f1fbe8 f0f1b974 00004000 000041e0 bf0bc3d0 00000001 00000000 000024c4
      [    7.689717] 5f80: 0000002d 0000002e 00000019 00000000 00000010 00000000 16894000 00000000
      [    7.689727] 5fa0: 00000000 c0308f20 16894000 00000000 00000013 b6e55a18 00000000 b6e5652c
      [    7.689737] 5fc0: 16894000 00000000 00000000 0000017b 00020000 00508110 00000000 00510af0
      [    7.689748] 5fe0: bef68948 bef68938 b6e4d3d0 b6d32590 60000010 00000013 00000000 00000000
      [    7.689790] [<bf0ae1ec>] (m88ds3103_attach [m88ds3103]) from [<bf0b9f10>] (dvbsky_s960c_attach+0x78/0x280 [dvb_usb_dvbsky])
      [    7.689821] [<bf0b9f10>] (dvbsky_s960c_attach [dvb_usb_dvbsky]) from [<bf0a3cb4>] (dvb_usbv2_probe+0xa3c/0x1024 [dvb_usb_v2])
      [    7.689849] [<bf0a3cb4>] (dvb_usbv2_probe [dvb_usb_v2]) from [<c0aa9e9c>] (usb_probe_interface+0xf0/0x2a8)
      [    7.689869] [<c0aa9e9c>] (usb_probe_interface) from [<c08e268c>] (driver_probe_device+0x2f8/0x4b4)
      [    7.689881] [<c08e268c>] (driver_probe_device) from [<c08e2948>] (__driver_attach+0x100/0x11c)
      [    7.689895] [<c08e2948>] (__driver_attach) from [<c08e0778>] (bus_for_each_dev+0x4c/0x9c)
      [    7.689909] [<c08e0778>] (bus_for_each_dev) from [<c08e1934>] (bus_add_driver+0x1c0/0x264)
      [    7.689919] [<c08e1934>] (bus_add_driver) from [<c08e34ec>] (driver_register+0x78/0xf4)
      [    7.689931] [<c08e34ec>] (driver_register) from [<c0aa8dc4>] (usb_register_driver+0x70/0x134)
      [    7.689946] [<c0aa8dc4>] (usb_register_driver) from [<c03021e4>] (do_one_initcall+0x44/0x168)
      [    7.689963] [<c03021e4>] (do_one_initcall) from [<c03c9a24>] (do_init_module+0x64/0x1f4)
      [    7.689979] [<c03c9a24>] (do_init_module) from [<c03c8cb0>] (load_module+0x20a0/0x25c8)
      [    7.689993] [<c03c8cb0>] (load_module) from [<c03c9430>] (SyS_finit_module+0xb4/0xec)
      [    7.690007] [<c03c9430>] (SyS_finit_module) from [<c0308f20>] (ret_fast_syscall+0x0/0x54)
      [    7.690018] Code: bad PC value
      
      This may happen on normal circumstances, if, for some reason, the demod
      hangs and start returning an invalid chip ID:
      
      [   10.394395] m88ds3103 3-0068: Unknown device. Chip_id=00
      
      So, change the logic to cause probe to fail with -ENODEV, preventing
      the OOPS.
      
      Detected while testing DVB MMAP patches on Raspberry Pi 3 with
      DVBSky S960CI.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dfc2fb6
    • Viresh Kumar's avatar
      cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() · baf311ed
      Viresh Kumar authored
      commit 0373ca74 upstream.
      
      commit a307a1e6 "cpufreq: s3c: use cpufreq_generic_init()"
      accidentally broke cpufreq on s3c2410 and s3c2412.
      
      These two platforms don't have a CPU frequency table and used to skip
      calling cpufreq_table_validate_and_show() for them.  But with the
      above commit, we started calling it unconditionally and that will
      eventually fail as the frequency table pointer is NULL.
      
      Fix this by calling cpufreq_table_validate_and_show() conditionally
      again.
      
      Fixes: a307a1e6 "cpufreq: s3c: use cpufreq_generic_init()"
      Cc: 3.13+ <stable@vger.kernel.org> # v3.13+
      Signed-off-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      baf311ed
    • Hans de Goede's avatar
      ALSA: hda: Add a power_save blacklist · 4fdc12f6
      Hans de Goede authored
      commit 1ba8f9d3 upstream.
      
      On some boards setting power_save to a non 0 value leads to clicking /
      popping sounds when ever we enter/leave powersaving mode. Ideally we would
      figure out how to avoid these sounds, but that is not always feasible.
      
      This commit adds a blacklist for devices where powersaving is known to
      cause problems and disables it on these devices.
      
      Note I tried to put this blacklist in userspace first:
      https://github.com/systemd/systemd/pull/8128
      
      But the systemd maintainers rightfully pointed out that it would be
      impossible to then later remove entries once we actually find a way to
      make power-saving work on listed boards without issues. Having this list
      in the kernel will allow removal of the blacklist entry in the same commit
      which fixes the clicks / plops.
      
      The blacklist only applies to the default power_save module-option value,
      if a user explicitly sets the module-option then the blacklist is not
      used.
      
      [ added an ifdef CONFIG_PM for the build error -- tiwai]
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198611
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fdc12f6
    • Erik Veijola's avatar
      ALSA: usb-audio: Add a quirck for B&W PX headphones · b43e8110
      Erik Veijola authored
      commit 240a8af9 upstream.
      
      The capture interface doesn't work and the playback interface only
      supports 48 kHz sampling rate even though it advertises more rates.
      Signed-off-by: default avatarErik Veijola <erik.veijola@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b43e8110
    • Jeremy Boone's avatar
      tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus · 9cc4d1f5
      Jeremy Boone authored
      commit f9d4d9b5 upstream.
      
      Discrete TPMs are often connected over slow serial buses which, on
      some platforms, can have glitches causing bit flips.  In all the
      driver _recv() functions, we need to use a u32 to unmarshal the
      response size, otherwise a bit flip of the 31st bit would cause the
      expected variable to go negative, which would then try to read a huge
      amount of data.  Also sanity check that the expected amount of data is
      large enough for the TPM header.
      Signed-off-by: default avatarJeremy Boone <jeremy.boone@nccgroup.trust>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9cc4d1f5
    • Jeremy Boone's avatar
      tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus · 309de32e
      Jeremy Boone authored
      commit 9b8cb28d upstream.
      
      Discrete TPMs are often connected over slow serial buses which, on
      some platforms, can have glitches causing bit flips.  In all the
      driver _recv() functions, we need to use a u32 to unmarshal the
      response size, otherwise a bit flip of the 31st bit would cause the
      expected variable to go negative, which would then try to read a huge
      amount of data.  Also sanity check that the expected amount of data is
      large enough for the TPM header.
      Signed-off-by: default avatarJeremy Boone <jeremy.boone@nccgroup.trust>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      309de32e
    • Jeremy Boone's avatar
      tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus · f9accc38
      Jeremy Boone authored
      commit 6d24cd18 upstream.
      
      Discrete TPMs are often connected over slow serial buses which, on
      some platforms, can have glitches causing bit flips.  In all the
      driver _recv() functions, we need to use a u32 to unmarshal the
      response size, otherwise a bit flip of the 31st bit would cause the
      expected variable to go negative, which would then try to read a huge
      amount of data.  Also sanity check that the expected amount of data is
      large enough for the TPM header.
      Signed-off-by: default avatarJeremy Boone <jeremy.boone@nccgroup.trust>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9accc38
  2. 03 Mar, 2018 15 commits