1. 14 Dec, 2017 40 commits
    • Steffen Klassert's avatar
      vti6: Don't report path MTU below IPV6_MIN_MTU. · f14f6fab
      Steffen Klassert authored
      
      [ Upstream commit e3dc847a ]
      
      In vti6_xmit(), the check for IPV6_MIN_MTU before we
      send a ICMPV6_PKT_TOOBIG message is missing. So we might
      report a PMTU below 1280. Fix this by adding the required
      check.
      
      Fixes: ccd740cb ("vti6: Add pmtu handling to vti6_xmit.")
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f14f6fab
    • Kees Cook's avatar
      ARM: 8657/1: uaccess: consistently check object sizes · 5d4d0a95
      Kees Cook authored
      
      [ Upstream commit 32b14363 ]
      
      In commit 76624175 ("arm64: uaccess: consistently check object sizes"),
      the object size checks are moved outside the access_ok() so that bad
      destinations are detected before hitting the "memset(dest, 0, size)" in the
      copy_from_user() failure path.
      
      This makes the same change for arm, with attention given to possibly
      extracting the uaccess routines into a common header file for all
      architectures in the future.
      Suggested-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5d4d0a95
    • Sasha Levin's avatar
      Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA" · 7c4615c8
      Sasha Levin authored
      
      This reverts commit dadab2d4.
      
      Not required on < 4.10.
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c4615c8
    • Sasha Levin's avatar
      Revert "drm/armada: Fix compile fail" · b6c15a7c
      Sasha Levin authored
      
      This reverts commit 82f260d4.
      
      Not required on < 4.10.
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b6c15a7c
    • Kirill A. Shutemov's avatar
      mm: drop unused pmdp_huge_get_and_clear_notify() · 6a53078b
      Kirill A. Shutemov authored
      commit c0c379e2 upstream.
      
      Dave noticed that after fixing MADV_DONTNEED vs numa balancing race the
      last pmdp_huge_get_and_clear_notify() user is gone.
      
      Let's drop the helper.
      
      Link: http://lkml.kernel.org/r/20170306112047.24809-1-kirill.shutemov@linux.intel.comSigned-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [jwang: adjust context for 4.9]
      Signed-off-by: default avatarJack Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a53078b
    • Kirill A. Shutemov's avatar
      thp: fix MADV_DONTNEED vs. numa balancing race · c2edc33d
      Kirill A. Shutemov authored
      commit ced10803 upstream.
      
      In case prot_numa, we are under down_read(mmap_sem).  It's critical to
      not clear pmd intermittently to avoid race with MADV_DONTNEED which is
      also under down_read(mmap_sem):
      
      	CPU0:				CPU1:
      				change_huge_pmd(prot_numa=1)
      				 pmdp_huge_get_and_clear_notify()
      madvise_dontneed()
       zap_pmd_range()
        pmd_trans_huge(*pmd) == 0 (without ptl)
        // skip the pmd
      				 set_pmd_at();
      				 // pmd is re-established
      
      The race makes MADV_DONTNEED miss the huge pmd and don't clear it
      which may break userspace.
      
      Found by code analysis, never saw triggered.
      
      Link: http://lkml.kernel.org/r/20170302151034.27829-3-kirill.shutemov@linux.intel.comSigned-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [jwang: adjust context for 4.9 ]
      Signed-off-by: default avatarJack Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c2edc33d
    • Kirill A. Shutemov's avatar
      thp: reduce indentation level in change_huge_pmd() · 7bdd685c
      Kirill A. Shutemov authored
      commit 0a85e51d upstream.
      
      Patch series "thp: fix few MADV_DONTNEED races"
      
      For MADV_DONTNEED to work properly with huge pages, it's critical to not
      clear pmd intermittently unless you hold down_write(mmap_sem).
      
      Otherwise MADV_DONTNEED can miss the THP which can lead to userspace
      breakage.
      
      See example of such race in commit message of patch 2/4.
      
      All these races are found by code inspection.  I haven't seen them
      triggered.  I don't think it's worth to apply them to stable@.
      
      This patch (of 4):
      
      Restructure code in preparation for a fix.
      
      Link: http://lkml.kernel.org/r/20170302151034.27829-2-kirill.shutemov@linux.intel.comSigned-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [jwang: adjust context for 4.9]
      Signed-off-by: default avatarJack Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7bdd685c
    • Russell King's avatar
      ARM: avoid faulting on qemu · 5bcb9c84
      Russell King authored
      commit 3aaf33be upstream.
      
      When qemu starts a kernel in a bare environment, the default SCR has
      the AW and FW bits clear, which means that the kernel can't modify
      the PSR A or PSR F bits, and means that FIQs and imprecise aborts are
      always masked.
      
      When running uboot under qemu, the AW and FW SCR bits are set, and the
      kernel functions normally - and this is how real hardware behaves.
      
      Fix this for qemu by ignoring the FIQ bit.
      
      Fixes: 8bafae20 ("ARM: BUG if jumping to usermode address in kernel mode")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Cc: Alex Shi <alex.shi@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5bcb9c84
    • Russell King's avatar
      ARM: BUG if jumping to usermode address in kernel mode · 6192f870
      Russell King authored
      commit 8bafae20 upstream.
      
      Detect if we are returning to usermode via the normal kernel exit paths
      but the saved PSR value indicates that we are in kernel mode.  This
      could occur due to corrupted stack state, which has been observed with
      "ftracetest".
      
      This ensures that we catch the problem case before we get to user code.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Cc: Alex Shi <alex.shi@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6192f870
    • John Keeping's avatar
      usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT · 112b8a8f
      John Keeping authored
      commit a3acc696 upstream.
      
      The specification says that the Reserved1 field in OS_DESC_EXT_COMPAT
      must have the value "1", but when this feature was first implemented we
      rejected any non-zero values.
      
      This was adjusted to accept all non-zero values (while now rejecting
      zero) in commit 53642399 ("usb: gadget: f_fs: Fix wrong check on
      reserved1 of OS_DESC_EXT_COMPAT"), but that breaks any userspace
      programs that worked previously by returning EINVAL when Reserved1 == 0
      which was previously the only value that succeeded!
      
      If we just set the field to "1" ourselves, both old and new userspace
      programs continue to work correctly and, as a bonus, old programs are
      now compliant with the specification without having to fix anything
      themselves.
      
      Fixes: 53642399 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT")
      Signed-off-by: default avatarJohn Keeping <john@metanate.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      112b8a8f
    • LEROY Christophe's avatar
      crypto: talitos - fix ctr-aes-talitos · 47ab7203
      LEROY Christophe authored
      commit 70d355cc upstream.
      
      ctr-aes-talitos test fails as follows on SEC2
      
      [    0.837427] alg: skcipher: Test 1 failed (invalid result) on encryption for ctr-aes-talitos
      [    0.845763] 00000000: 16 36 d5 ee 34 f8 06 25 d7 7f 8e 56 ca 88 43 45
      [    0.852345] 00000010: f9 3f f7 17 2a b2 12 23 30 43 09 15 82 dd e1 97
      [    0.858940] 00000020: a7 f7 32 b5 eb 25 06 13 9a ec f5 29 25 f8 4d 66
      [    0.865366] 00000030: b0 03 5b 8e aa 9a 42 b6 19 33 8a e2 9d 65 96 95
      
      This patch fixes the descriptor type which is special for CTR AES
      
      Fixes: 5e75ae1b ("crypto: talitos - add new crypto modes")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47ab7203
    • LEROY Christophe's avatar
      crypto: talitos - fix use of sg_link_tbl_len · 24ab6e7f
      LEROY Christophe authored
      commit fbb22137 upstream.
      
      sg_link_tbl_len shall be used instead of cryptlen, otherwise
      SECs which perform HW CICV verification will fail.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24ab6e7f
    • LEROY Christophe's avatar
      crypto: talitos - fix AEAD for sha224 on non sha224 capable chips · 6bf30e66
      LEROY Christophe authored
      commit 6cda075a upstream.
      
      sha224 AEAD test fails with:
      
      [    2.803125] talitos ff020000.crypto: DEUISR 0x00000000_00000000
      [    2.808743] talitos ff020000.crypto: MDEUISR 0x80100000_00000000
      [    2.814678] talitos ff020000.crypto: DESCBUF 0x20731f21_00000018
      [    2.820616] talitos ff020000.crypto: DESCBUF 0x0628d64c_00000010
      [    2.826554] talitos ff020000.crypto: DESCBUF 0x0631005c_00000018
      [    2.832492] talitos ff020000.crypto: DESCBUF 0x0628d664_00000008
      [    2.838430] talitos ff020000.crypto: DESCBUF 0x061b13a0_00000080
      [    2.844369] talitos ff020000.crypto: DESCBUF 0x0631006c_00000080
      [    2.850307] talitos ff020000.crypto: DESCBUF 0x0631006c_00000018
      [    2.856245] talitos ff020000.crypto: DESCBUF 0x063100ec_00000000
      [    2.884972] talitos ff020000.crypto: failed to reset channel 0
      [    2.890503] talitos ff020000.crypto: done overflow, internal time out, or rngu error: ISR 0x20000000_00020000
      [    2.900652] alg: aead: encryption failed on test 1 for authenc-hmac-sha224-cbc-3des-talitos: ret=22
      
      This is due to SHA224 not being supported by the HW. Allthough for
      hash we are able to init the hash context by SW, it is not
      possible for AEAD. Therefore SHA224 AEAD has to be deactivated.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bf30e66
    • LEROY Christophe's avatar
      crypto: talitos - fix setkey to check key weakness · 552f74cb
      LEROY Christophe authored
      commit f384cdc4 upstream.
      
      Crypto manager test report the following failures:
      [    3.061081] alg: skcipher: setkey failed on test 5 for ecb-des-talitos: flags=100
      [    3.069342] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100
      [    3.077754] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100
      
      This is due to setkey being expected to detect weak keys.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      552f74cb
    • LEROY Christophe's avatar
      crypto: talitos - fix memory corruption on SEC2 · 5272b0e1
      LEROY Christophe authored
      commit e04a61be upstream.
      
      On SEC2, when using the old descriptors type (hmac snoop no afeu)
      for doing IPsec, the CICV out pointeur points out of the allocated
      memory.
      
      [    2.502554] =============================================================================
      [    2.510740] BUG dma-kmalloc-256 (Not tainted): Redzone overwritten
      [    2.516907] -----------------------------------------------------------------------------
      [    2.516907]
      [    2.526535] Disabling lock debugging due to kernel taint
      [    2.531845] INFO: 0xde858108-0xde85810b. First byte 0xf8 instead of 0xcc
      [    2.538549] INFO: Allocated in 0x806181a9 age=0 cpu=0 pid=58
      [    2.544229] 	__kmalloc+0x374/0x564
      [    2.547649] 	talitos_edesc_alloc+0x17c/0x48c
      [    2.551929] 	aead_edesc_alloc+0x80/0x154
      [    2.555863] 	aead_encrypt+0x30/0xe0
      [    2.559368] 	__test_aead+0x5a0/0x1f3c
      [    2.563042] 	test_aead+0x2c/0x110
      [    2.566371] 	alg_test_aead+0x5c/0xf4
      [    2.569958] 	alg_test+0x1dc/0x5a0
      [    2.573305] 	cryptomgr_test+0x50/0x70
      [    2.576984] 	kthread+0xd8/0x134
      [    2.580155] 	ret_from_kernel_thread+0x5c/0x64
      [    2.584534] INFO: Freed in ipsec_esp_encrypt_done+0x130/0x240 age=6 cpu=0 pid=0
      [    2.591839] 	ipsec_esp_encrypt_done+0x130/0x240
      [    2.596395] 	flush_channel+0x1dc/0x488
      [    2.600161] 	talitos2_done_4ch+0x30/0x200
      [    2.604185] 	tasklet_action+0xa0/0x13c
      [    2.607948] 	__do_softirq+0x148/0x6cc
      [    2.611623] 	irq_exit+0xc0/0x124
      [    2.614869] 	call_do_irq+0x24/0x3c
      [    2.618292] 	do_IRQ+0x78/0x108
      [    2.621369] 	ret_from_except+0x0/0x14
      [    2.625055] 	finish_task_switch+0x58/0x350
      [    2.629165] 	schedule+0x80/0x134
      [    2.632409] 	schedule_preempt_disabled+0x38/0xc8
      [    2.637042] 	cpu_startup_entry+0xe4/0x190
      [    2.641074] 	start_kernel+0x3f4/0x408
      [    2.644741] 	0x3438
      [    2.646857] INFO: Slab 0xdffbdb00 objects=9 used=1 fp=0xde8581c0 flags=0x0080
      [    2.653978] INFO: Object 0xde858008 @offset=8 fp=0xca4395df
      [    2.653978]
      [    2.661032] Redzone de858000: cc cc cc cc cc cc cc cc                          ........
      [    2.669029] Object de858008: 00 00 00 02 00 00 00 02 00 6b 6b 6b 1e 83 ea 28  .........kkk...(
      [    2.677628] Object de858018: 00 00 00 70 1e 85 80 64 ff 73 1d 21 6b 6b 6b 6b  ...p...d.s.!kkkk
      [    2.686228] Object de858028: 00 20 00 00 1e 84 17 24 00 10 00 00 1e 85 70 00  . .....$......p.
      [    2.694829] Object de858038: 00 18 00 00 1e 84 17 44 00 08 00 00 1e 83 ea 28  .......D.......(
      [    2.703430] Object de858048: 00 80 00 00 1e 84 f0 00 00 80 00 00 1e 85 70 10  ..............p.
      [    2.712030] Object de858058: 00 20 6b 00 1e 85 80 f4 6b 6b 6b 6b 00 80 02 00  . k.....kkkk....
      [    2.720629] Object de858068: 1e 84 f0 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  ....kkkkkkkkkkkk
      [    2.729230] Object de858078: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [    2.737830] Object de858088: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [    2.746429] Object de858098: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [    2.755029] Object de8580a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [    2.763628] Object de8580b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [    2.772229] Object de8580c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [    2.780829] Object de8580d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [    2.789430] Object de8580e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 73 b0 ea 9f  kkkkkkkkkkkks...
      [    2.798030] Object de8580f8: e8 18 80 d6 56 38 44 c0 db e3 4f 71 f7 ce d1 d3  ....V8D...Oq....
      [    2.806629] Redzone de858108: f8 bd 3e 4f                                      ..>O
      [    2.814279] Padding de8581b0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
      [    2.822283] CPU: 0 PID: 0 Comm: swapper Tainted: G    B           4.9.50-g995be12679 #179
      [    2.831819] Call Trace:
      [    2.834301] [dffefd20] [c01aa9a8] check_bytes_and_report+0x100/0x194 (unreliable)
      [    2.841801] [dffefd50] [c01aac3c] check_object+0x200/0x530
      [    2.847306] [dffefd80] [c01ae584] free_debug_processing+0x290/0x690
      [    2.853585] [dffefde0] [c01aec8c] __slab_free+0x308/0x628
      [    2.859000] [dffefe80] [c05057f4] ipsec_esp_encrypt_done+0x130/0x240
      [    2.865378] [dffefeb0] [c05002c4] flush_channel+0x1dc/0x488
      [    2.870968] [dffeff10] [c05007a8] talitos2_done_4ch+0x30/0x200
      [    2.876814] [dffeff30] [c002fe38] tasklet_action+0xa0/0x13c
      [    2.882399] [dffeff60] [c002f118] __do_softirq+0x148/0x6cc
      [    2.887896] [dffeffd0] [c002f954] irq_exit+0xc0/0x124
      [    2.892968] [dffefff0] [c0013adc] call_do_irq+0x24/0x3c
      [    2.898213] [c0d4be00] [c000757c] do_IRQ+0x78/0x108
      [    2.903113] [c0d4be30] [c0015c08] ret_from_except+0x0/0x14
      [    2.908634] --- interrupt: 501 at finish_task_switch+0x70/0x350
      [    2.908634]     LR = finish_task_switch+0x58/0x350
      [    2.919327] [c0d4bf20] [c085e1d4] schedule+0x80/0x134
      [    2.924398] [c0d4bf50] [c085e2c0] schedule_preempt_disabled+0x38/0xc8
      [    2.930853] [c0d4bf60] [c007f064] cpu_startup_entry+0xe4/0x190
      [    2.936707] [c0d4bfb0] [c096c434] start_kernel+0x3f4/0x408
      [    2.942198] [c0d4bff0] [00003438] 0x3438
      [    2.946137] FIX dma-kmalloc-256: Restoring 0xde858108-0xde85810b=0xcc
      [    2.946137]
      [    2.954158] FIX dma-kmalloc-256: Object at 0xde858008 not freed
      
      This patch reworks the handling of the CICV out in order
      to properly handle all cases.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5272b0e1
    • LEROY Christophe's avatar
      crypto: talitos - fix AEAD test failures · bde6667a
      LEROY Christophe authored
      commit ec8c7d14 upstream.
      
      AEAD tests fail when destination SG list has more than 1 element.
      
      [    2.058752] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
      [    2.066965] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
      00000010: c0 43 ff 74 c0 43 ff e0 de 83 d1 20 de 84 8e 54
      00000020: de 83 d7 c4
      [    2.082138] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
      [    2.090435] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
      00000010: de 84 ea 58 c0 93 1a 24 de 84 e8 59 de 84 f1 20
      00000020: 00 00 00 00
      [    2.105721] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
      [    2.114259] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
      00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
      00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
      00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
      00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
      00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
      00000090: c0 99 74 3c
      [    2.166410] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
      [    2.174794] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
      00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
      00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
      00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
      00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
      00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
      00000090: c0 99 74 3c
      [    2.226486] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
      [    2.236459] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
      [    2.247196] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
      [    2.255555] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
      00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
      00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
      00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
      00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
      00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
      00000090: c0 99 74 3c c0 96 e5 b8
      [    2.309004] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
      [    2.317562] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
      00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
      00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
      00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
      00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
      00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
      00000090: c0 99 74 3c c0 96 e5 b8
      [    2.370710] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
      [    2.379177] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      [    2.397863] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
      [    2.406134] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      [    2.424789] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
      [    2.433491] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
      00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
      00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
      00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
      00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
      00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
      00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc
      [    2.488832] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
      [    2.497387] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
      00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
      00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
      00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
      00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
      00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
      00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
      00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
      00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
      00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc
      
      This patch fixes that.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bde6667a
    • Kim Phillips's avatar
      bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left. · 3f0597ae
      Kim Phillips authored
      commit b69f63eb upstream.
      
      Unregistering the driver before calling cpuhp_remove_multi_state() removes
      any remaining hotplug cpu instances so __cpuhp_remove_state_cpuslocked()
      doesn't emit this warning:
      
      [  268.748362] Error: Removing state 147 which has instances left.
      [  268.748373] ------------[ cut here ]------------
      [  268.748386] WARNING: CPU: 2 PID: 5476 at kernel/cpu.c:1734 __cpuhp_remove_state_cpuslocked+0x454/0x4f0
      [  268.748389] Modules linked in: arm_ccn(-) [last unloaded: arm_ccn]
      [  268.748403] CPU: 2 PID: 5476 Comm: rmmod Tainted: G        W       4.14.0-rc4+ #3
      [  268.748406] Hardware name: AMD Seattle/Seattle, BIOS 10:18:39 Dec  8 2016
      [  268.748410] task: ffff8001a18ca000 task.stack: ffff80019c120000
      [  268.748416] PC is at __cpuhp_remove_state_cpuslocked+0x454/0x4f0
      [  268.748421] LR is at __cpuhp_remove_state_cpuslocked+0x448/0x4f0
      [  268.748425] pc : [<ffff2000081729ec>] lr : [<ffff2000081729e0>] pstate: 60000145
      [  268.748427] sp : ffff80019c127d30
      [  268.748430] x29: ffff80019c127d30 x28: ffff8001a18ca000
      [  268.748437] x27: ffff20000c2cb000 x26: 1fffe4000042d490
      [  268.748443] x25: ffff20000216a480 x24: 0000000000000000
      [  268.748449] x23: ffff20000b08e000 x22: 0000000000000001
      [  268.748455] x21: 0000000000000093 x20: 00000000000016f8
      [  268.748460] x19: ffff20000c2cbb80 x18: 0000ffffb5fe7c58
      [  268.748466] x17: 00000000004402d0 x16: 1fffe40001864f01
      [  268.748472] x15: ffff20000c4bf8b0 x14: 0000000000000000
      [  268.748477] x13: 0000000000007032 x12: ffff20000829ae48
      [  268.748483] x11: ffff20000c4bf000 x10: 0000000000000004
      [  268.748488] x9 : 0000000000006fbc x8 : ffff20000c318a40
      [  268.748494] x7 : 0000000000000000 x6 : ffff040001864f02
      [  268.748500] x5 : 0000000000000000 x4 : 0000000000000000
      [  268.748505] x3 : 0000000000000007 x2 : dfff200000000000
      [  268.748510] x1 : 000000000000ad3d x0 : 00000000000001f0
      [  268.748516] Call trace:
      [  268.748521] Exception stack(0xffff80019c127bf0 to 0xffff80019c127d30)
      [  268.748526] 7be0:                                   00000000000001f0 000000000000ad3d
      [  268.748531] 7c00: dfff200000000000 0000000000000007 0000000000000000 0000000000000000
      [  268.748535] 7c20: ffff040001864f02 0000000000000000 ffff20000c318a40 0000000000006fbc
      [  268.748539] 7c40: 0000000000000004 ffff20000c4bf000 ffff20000829ae48 0000000000007032
      [  268.748544] 7c60: 0000000000000000 ffff20000c4bf8b0 1fffe40001864f01 00000000004402d0
      [  268.748548] 7c80: 0000ffffb5fe7c58 ffff20000c2cbb80 00000000000016f8 0000000000000093
      [  268.748553] 7ca0: 0000000000000001 ffff20000b08e000 0000000000000000 ffff20000216a480
      [  268.748557] 7cc0: 1fffe4000042d490 ffff20000c2cb000 ffff8001a18ca000 ffff80019c127d30
      [  268.748562] 7ce0: ffff2000081729e0 ffff80019c127d30 ffff2000081729ec 0000000060000145
      [  268.748566] 7d00: 00000000000001f0 0000000000000000 0001000000000000 0000000000000000
      [  268.748569] 7d20: ffff80019c127d30 ffff2000081729ec
      [  268.748575] [<ffff2000081729ec>] __cpuhp_remove_state_cpuslocked+0x454/0x4f0
      [  268.748580] [<ffff200008172adc>] __cpuhp_remove_state+0x54/0x80
      [  268.748597] [<ffff20000215dd84>] arm_ccn_exit+0x2c/0x70 [arm_ccn]
      [  268.748604] [<ffff20000834cfbc>] SyS_delete_module+0x5a4/0x708
      [  268.748607] Exception stack(0xffff80019c127ec0 to 0xffff80019c128000)
      [  268.748612] 7ec0: 0000000019bb7258 0000000000000800 ba64d0fb3d26a800 00000000000000da
      [  268.748616] 7ee0: 0000ffffb6144e28 0000ffffcd95b409 fefefefefefefeff 7f7f7f7f7f7f7f7f
      [  268.748621] 7f00: 000000000000006a 1999999999999999 0000ffffb6179000 0000000000bbcc6d
      [  268.748625] 7f20: 0000ffffb6176b98 0000ffffcd95c2d0 0000ffffb5fe7b58 0000ffffb6163000
      [  268.748630] 7f40: 0000ffffb60ad3e0 00000000004402d0 0000ffffb5fe7c58 0000000019bb71f0
      [  268.748634] 7f60: 0000ffffcd95c740 0000000000000000 0000000019bb71f0 0000000000416700
      [  268.748639] 7f80: 0000000000000000 00000000004402e8 0000000019bb6010 0000ffffcd95c748
      [  268.748643] 7fa0: 0000000000000000 0000ffffcd95c460 00000000004113a8 0000ffffcd95c460
      [  268.748648] 7fc0: 0000ffffb60ad3e8 0000000080000000 0000000019bb7258 000000000000006a
      [  268.748652] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      [  268.748657] [<ffff200008084f9c>] __sys_trace_return+0x0/0x4
      [  268.748661] ---[ end trace a996d358dcaa7f9c ]---
      
      Fixes: 8df03872 ("bus/arm-ccn: Use cpu-hp's multi instance support instead custom list")
      Signed-off-by: default avatarKim Phillips <kim.phillips@arm.com>
      Acked-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f0597ae
    • Marc Zyngier's avatar
      bus: arm-ccn: Fix use of smp_processor_id() in preemptible context · 793eed33
      Marc Zyngier authored
      commit b18c2b94 upstream.
      
      Booting a DEBUG_PREEMPT enabled kernel on a CCN-based system
      results in the following splat:
      
      [...]
      arm-ccn e8000000.ccn: No access to interrupts, using timer.
      BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
      caller is debug_smp_processor_id+0x1c/0x28
      CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.13.0 #6111
      Hardware name: AMD Seattle/Seattle, BIOS 17:08:23 Jun 26 2017
      Call trace:
      [<ffff000008089e78>] dump_backtrace+0x0/0x278
      [<ffff00000808a22c>] show_stack+0x24/0x30
      [<ffff000008bc3bc4>] dump_stack+0x8c/0xb0
      [<ffff00000852b534>] check_preemption_disabled+0xfc/0x100
      [<ffff00000852b554>] debug_smp_processor_id+0x1c/0x28
      [<ffff000008551bd8>] arm_ccn_probe+0x358/0x4f0
      [...]
      
      as we use smp_processor_id() in the wrong context.
      
      Turn this into a get_cpu()/put_cpu() that extends over the CPU hotplug
      registration, making sure that we don't race against a CPU down operation.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      793eed33
    • Christophe JAILLET's avatar
      bus: arm-ccn: Check memory allocation failure · 595aca74
      Christophe JAILLET authored
      commit 24771179 upstream.
      
      Check memory allocation failures and return -ENOMEM in such cases
      
      This avoids a potential NULL pointer dereference.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Acked-by: default avatarScott Branden <scott.branden@broadcom.com>
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      595aca74
    • Marc Zyngier's avatar
      bus: arm-cci: Fix use of smp_processor_id() in preemptible context · a0a2f97d
      Marc Zyngier authored
      commit 4608af8a upstream.
      
      The ARM CCI driver seem to be using smp_processor_id() in a
      preemptible context, which is likely to make a DEBUG_PREMPT
      kernel scream at boot time.
      
      Turn this into a get_cpu()/put_cpu() that extends over the CPU
      hotplug registration, making sure that we don't race against
      a CPU down operation.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0a2f97d
    • Dave Martin's avatar
      arm64: fpsimd: Prevent registers leaking from dead tasks · a3922419
      Dave Martin authored
      commit 071b6d4a upstream.
      
      Currently, loading of a task's fpsimd state into the CPU registers
      is skipped if that task's state is already present in the registers
      of that CPU.
      
      However, the code relies on the struct fpsimd_state * (and by
      extension struct task_struct *) to unambiguously identify a task.
      
      There is a particular case in which this doesn't work reliably:
      when a task exits, its task_struct may be recycled to describe a
      new task.
      
      Consider the following scenario:
      
       1) Task P loads its fpsimd state onto cpu C.
              per_cpu(fpsimd_last_state, C) := P;
              P->thread.fpsimd_state.cpu := C;
      
       2) Task X is scheduled onto C and loads its fpsimd state on C.
              per_cpu(fpsimd_last_state, C) := X;
              X->thread.fpsimd_state.cpu := C;
      
       3) X exits, causing X's task_struct to be freed.
      
       4) P forks a new child T, which obtains X's recycled task_struct.
      	T == X.
      	T->thread.fpsimd_state.cpu == C (inherited from P).
      
       5) T is scheduled on C.
      	T's fpsimd state is not loaded, because
      	per_cpu(fpsimd_last_state, C) == T (== X) &&
      	T->thread.fpsimd_state.cpu == C.
      
              (This is the check performed by fpsimd_thread_switch().)
      
      So, T gets X's registers because the last registers loaded onto C
      were those of X, in (2).
      
      This patch fixes the problem by ensuring that the sched-in check
      fails in (5): fpsimd_flush_task_state(T) is called when T is
      forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
      This relies on the fact that T is not schedulable until after
      copy_thread() completes.
      
      Once T's fpsimd state has been loaded on some CPU C there may still
      be other cpus D for which per_cpu(fpsimd_last_state, D) ==
      &X->thread.fpsimd_state.  But D is necessarily != C in this case,
      and the check in (5) must fail.
      
      An alternative fix would be to do refcounting on task_struct.  This
      would result in each CPU holding a reference to the last task whose
      fpsimd state was loaded there.  It's not clear whether this is
      preferable, and it involves higher overhead than the fix proposed
      in this patch.  It would also move all the task_struct freeing
      work into the context switch critical section, or otherwise some
      deferred cleanup mechanism would need to be introduced, neither of
      which seems obviously justified.
      
      Fixes: 005f78cd ("arm64: defer reloading a task's FPSIMD state to userland resume")
      Signed-off-by: default avatarDave Martin <Dave.Martin@arm.com>
      Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      [will: word-smithed the comment so it makes more sense]
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3922419
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-its: Check result of allocation before use · 7df3dbef
      Marc Zyngier authored
      commit 686f294f upstream.
      
      We miss a test against NULL after allocation.
      
      Fixes: 6d03a68f ("KVM: arm64: vgic-its: Turn device_id validation into generic ID validation")
      Reported-by: default avatarAKASHI Takahiro <takahiro.akashi@linaro.org>
      Acked-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7df3dbef
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation · 42c3f4c5
      Marc Zyngier authored
      commit 150009e2 upstream.
      
      Using the size of the structure we're allocating is a good idea
      and avoids any surprise... In this case, we're happilly confusing
      kvm_kernel_irq_routing_entry and kvm_irq_routing_entry...
      
      Fixes: 95b110ab ("KVM: arm/arm64: Enable irqchip routing")
      Reported-by: default avatarAKASHI Takahiro <takahiro.akashi@linaro.org>
      Reviewed-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42c3f4c5
    • Christoffer Dall's avatar
      KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion · cf6668d5
      Christoffer Dall authored
      commit fc396e06 upstream.
      
      We are incorrectly rearranging 32-bit words inside a 64-bit typed value
      for big endian systems, which would result in never marking a virtual
      interrupt as inactive on big endian systems (assuming 32 or fewer LRs on
      the hardware).  Fix this by not doing any word order manipulation for
      the typed values.
      Acked-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf6668d5
    • Andrew Honig's avatar
      KVM: VMX: remove I/O port 0x80 bypass on Intel hosts · 6ead44d4
      Andrew Honig authored
      commit d59d51f0 upstream.
      
      This fixes CVE-2017-1000407.
      
      KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
      the guest floods this port with writes it generates exceptions and
      instability in the host kernel, leading to a crash.  With this change
      guest writes to port 0x80 on Intel will behave the same as they
      currently behave on AMD systems.
      
      Prevent the flooding by removing the code that sets port 0x80 as a
      passthrough port.  This is essentially the same as upstream patch
      99f85a28, except that patch was
      for AMD chipsets and this patch is for Intel.
      Signed-off-by: default avatarAndrew Honig <ahonig@google.com>
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Fixes: fdef3ad1 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ead44d4
    • Marc Zyngier's avatar
      arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one · 6ed45971
      Marc Zyngier authored
      commit 5553b142 upstream.
      
      VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
      VTTBR address. It seems to currently be off by one, thereby only
      allowing up to 39-bit addresses (instead of 40-bit) and also
      insufficiently checking the alignment. This patch fixes it.
      
      This patch is the 32bit pendent of Kristina's arm64 fix, and
      she deserves the actual kudos for pinpointing that one.
      
      Fixes: f7ed45be ("KVM: ARM: World-switch implementation")
      Reported-by: default avatarKristina Martsenko <kristina.martsenko@arm.com>
      Reviewed-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ed45971
    • Kristina Martsenko's avatar
      arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one · 63fba9ff
      Kristina Martsenko authored
      commit 26aa7b3b upstream.
      
      VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
      VTTBR address. It seems to currently be off by one, thereby only
      allowing up to 47-bit addresses (instead of 48-bit) and also
      insufficiently checking the alignment. This patch fixes it.
      
      As an example, with 4k pages, before this patch we have:
      
        PHYS_MASK_SHIFT = 48
        VTTBR_X = 37 - 24 = 13
        VTTBR_BADDR_SHIFT = 13 - 1 = 12
        VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000
      
      Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
      address to be set, and only requires the address to be 12-bit (4k)
      aligned, while it actually needs to be 13-bit (8k) aligned because we
      concatenate two 4k tables.
      
      With this patch, the mask becomes 0x0000ffffffffe000, which is what we
      want.
      
      Fixes: 0369f6a3 ("arm64: KVM: EL2 register definitions")
      Reviewed-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Reviewed-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarKristina Martsenko <kristina.martsenko@arm.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      63fba9ff
    • Laurent Caumont's avatar
    • Marek Szyprowski's avatar
      drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU · 4f128c8a
      Marek Szyprowski authored
      commit 120a264f upstream.
      
      When no IOMMU is available, all GEM buffers allocated by Exynos DRM driver
      are contiguous, because of the underlying dma_alloc_attrs() function
      provides only such buffers. In such case it makes no sense to keep
      BO_NONCONTIG flag for the allocated GEM buffers. This allows to avoid
      failures for buffer contiguity checks in the subsequent operations on GEM
      objects.
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarInki Dae <inki.dae@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f128c8a
    • Daniel Thompson's avatar
      kdb: Fix handling of kallsyms_symbol_next() return value · 30b18ee2
      Daniel Thompson authored
      commit c07d3533 upstream.
      
      kallsyms_symbol_next() returns a boolean (true on success). Currently
      kdb_read() tests the return value with an inequality that
      unconditionally evaluates to true.
      
      This is fixed in the obvious way and, since the conditional branch is
      supposed to be unreachable, we also add a WARN_ON().
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarJason Wessel <jason.wessel@windriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30b18ee2
    • Arend Van Spriel's avatar
      brcmfmac: change driver unbind order of the sdio function devices · 4a70f07d
      Arend Van Spriel authored
      commit 5c3de777 upstream.
      
      In the function brcmf_sdio_firmware_callback() the driver is
      unbound from the sdio function devices in the error path.
      However, the order in which it is done resulted in a use-after-free
      issue (see brcmf_ops_sdio_remove() in bcmsdh.c). Hence change
      the order and first unbind sdio function #2 device and then
      unbind sdio function #1 device.
      
      Fixes: 7a51461f ("brcmfmac: unbind all devices upon failure in firmware callback")
      Reported-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Reviewed-by: default avatarHante Meuleman <hante.meuleman@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
      Reviewed-by: default avatarFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a70f07d
    • Nicholas Piggin's avatar
      powerpc/64s: Initialize ISAv3 MMU registers before setting partition table · 8950c982
      Nicholas Piggin authored
      commit 371b8044 upstream.
      
      kexec can leave MMU registers set when booting into a new kernel,
      the PIDR (Process Identification Register) in particular. The boot
      sequence does not zero PIDR, so it only gets set when CPUs first
      switch to a userspace processes (until then it's running a kernel
      thread with effective PID = 0).
      
      This leaves a window where a process table entry and page tables are
      set up due to user processes running on other CPUs, that happen to
      match with a stale PID. The CPU with that PID may cause speculative
      accesses that address quadrant 0 (aka userspace addresses), which will
      result in cached translations and PWC (Page Walk Cache) for that
      process, on a CPU which is not in the mm_cpumask and so they will not
      be invalidated properly.
      
      The most common result is the kernel hanging in infinite page fault
      loops soon after kexec (usually in schedule_tail, which is usually the
      first non-speculative quadrant 0 access to a new PID) due to a stale
      PWC. However being a stale translation error, it could result in
      anything up to security and data corruption problems.
      
      Fix this by zeroing out PIDR at boot and kexec.
      
      Fixes: 7e381c0f ("powerpc/mm/radix: Add mmu context handling callback for radix")
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8950c982
    • Janosch Frank's avatar
      KVM: s390: Fix skey emulation permission check · ffb17c0c
      Janosch Frank authored
      commit ca76ec9c upstream.
      
      All skey functions call skey_check_enable at their start, which checks
      if we are in the PSTATE and injects a privileged operation exception
      if we are.
      
      Unfortunately they continue processing afterwards and perform the
      operation anyhow as skey_check_enable does not deliver an error if the
      exception injection was successful.
      
      Let's move the PSTATE check into the skey functions and exit them on
      such an occasion, also we now do not enable skey handling anymore in
      such a case.
      Signed-off-by: default avatarJanosch Frank <frankja@linux.vnet.ibm.com>
      Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Fixes: a7e19ab5 ("KVM: s390: handle missing storage-key facility")
      Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
      Reviewed-by: default avatarThomas Huth <thuth@redhat.com>
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ffb17c0c
    • Heiko Carstens's avatar
      s390: fix compat system call table · bd6a7055
      Heiko Carstens authored
      commit e779498d upstream.
      
      When wiring up the socket system calls the compat entries were
      incorrectly set. Not all of them point to the corresponding compat
      wrapper functions, which clear the upper 33 bits of user space
      pointers, like it is required.
      
      Fixes: 977108f8 ("s390: wire up separate socketcalls system calls")
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd6a7055
    • Lai Jiangshan's avatar
      smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place · ff3d4fd5
      Lai Jiangshan authored
      commit 46febd37 upstream.
      
      Commit 31487f83 ("smp/cfd: Convert core to hotplug state machine")
      accidently put this step on the wrong place. The step should be at the
      cpuhp_ap_states[] rather than the cpuhp_bp_states[].
      
      grep smpcfd /sys/devices/system/cpu/hotplug/states
       40: smpcfd:prepare
      129: smpcfd:dying
      
      "smpcfd:dying" was missing before.
      So was the invocation of the function smpcfd_dying_cpu().
      
      Fixes: 31487f83 ("smp/cfd: Convert core to hotplug state machine")
      Signed-off-by: default avatarLai Jiangshan <jiangshanlai@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Link: https://lkml.kernel.org/r/20171128131954.81229-1-jiangshanlai@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff3d4fd5
    • Robin Murphy's avatar
      iommu/vt-d: Fix scatterlist offset handling · e17f2b51
      Robin Murphy authored
      commit 29a90b70 upstream.
      
      The intel-iommu DMA ops fail to correctly handle scatterlists where
      sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
      appropriately based on the page-aligned portion of the offset, but the
      mapping is set up relative to sg->page, which means it fails to actually
      cover the whole buffer (and in the worst case doesn't cover it at all):
      
          (sg->dma_address + sg->dma_len) ----+
          sg->dma_address ---------+          |
          iov_pfn------+           |          |
                       |           |          |
                       v           v          v
      iova:   a        b        c        d        e        f
              |--------|--------|--------|--------|--------|
                                <...calculated....>
                       [_____mapped______]
      pfn:    0        1        2        3        4        5
              |--------|--------|--------|--------|--------|
                       ^           ^          ^
                       |           |          |
          sg->page ----+           |          |
          sg->offset --------------+          |
          (sg->offset + sg->length) ----------+
      
      As a result, the caller ends up overrunning the mapping into whatever
      lies beyond, which usually goes badly:
      
      [  429.645492] DMAR: DRHD: handling fault status reg 2
      [  429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...
      
      Whilst this is a fairly rare occurrence, it can happen from the result
      of intermediate scatterlist processing such as scatterwalk_ffwd() in the
      crypto layer. Whilst that particular site could be fixed up, it still
      seems worthwhile to bring intel-iommu in line with other DMA API
      implementations in handling this robustly.
      
      To that end, fix the intel_map_sg() path to line up the mapping
      correctly (in units of MM pages rather than VT-d pages to match the
      aligned_nrpages() calculation) regardless of the offset, and use
      sg_phys() consistently for clarity.
      Reported-by: default avatarHarsh Jain <Harsh@chelsio.com>
      Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Reviewed by: Ashok Raj <ashok.raj@intel.com>
      Tested by: Jacob Pan <jacob.jun.pan@intel.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e17f2b51
    • Jaejoong Kim's avatar
      ALSA: usb-audio: Add check return value for usb_string() · 173c8c34
      Jaejoong Kim authored
      commit 89b89d12 upstream.
      
      snd_usb_copy_string_desc() returns zero if usb_string() fails.
      In case of failure, we need to check the snd_usb_copy_string_desc()'s
      return value and add an exception case
      Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      173c8c34
    • Jaejoong Kim's avatar
      ALSA: usb-audio: Fix out-of-bound error · c40457c9
      Jaejoong Kim authored
      commit 251552a2 upstream.
      
      The snd_usb_copy_string_desc() retrieves the usb string corresponding to
      the index number through the usb_string(). The problem is that the
      usb_string() returns the length of the string (>= 0) when successful, but
      it can also return a negative value about the error case or status of
      usb_control_msg().
      
      If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
      This will result in '0' being inserted into buf[-22], and the following
      KASAN out-of-bound error message will be output.
      
      AudioControl Interface Descriptor:
        bLength                 8
        bDescriptorType        36
        bDescriptorSubtype     10 (CLOCK_SOURCE)
        bClockID                1
        bmAttributes         0x07 Internal programmable Clock (synced to SOF)
        bmControls           0x07
        Clock Frequency Control (read/write)
        Clock Validity Control (read-only)
        bAssocTerminal          0
        iClockSource            0
      
      To fix it, check usb_string()'return value and bail out.
      
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
      
      CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
      Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
      Call Trace:
      dump_stack+0x63/0x8d
      print_address_description+0x70/0x290
      ? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      kasan_report+0x265/0x350
      __asan_store1+0x4a/0x50
      parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      ? save_stack+0xb5/0xd0
      ? save_stack_trace+0x1b/0x20
      ? save_stack+0x46/0xd0
      ? kasan_kmalloc+0xad/0xe0
      ? kmem_cache_alloc_trace+0xff/0x230
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? usb_probe_interface+0x1f5/0x440
      ? driver_probe_device+0x3ed/0x660
      ? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
      ? save_stack_trace+0x1b/0x20
      ? init_object+0x69/0xa0
      ? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
      snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
      ? build_audio_procunit+0x890/0x890 [snd_usb_audio]
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? kmem_cache_alloc_trace+0xff/0x230
      ? usb_ifnum_to_if+0xbd/0xf0
      snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
      ? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
      usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
      ? __pm_runtime_idle+0x90/0x90
      ? kernfs_activate+0xa6/0xc0
      ? usb_match_one_id_intf+0xdc/0x130
      ? __pm_runtime_set_status+0x2d4/0x450
      usb_probe_interface+0x1f5/0x440
      Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c40457c9
    • Takashi Iwai's avatar
      ALSA: seq: Remove spurious WARN_ON() at timer check · 20ca63e0
      Takashi Iwai authored
      commit 43a35428 upstream.
      
      The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
      WARN_ON() when a slave timer is deployed as its backend and a
      corresponding master timer stops meanwhile.  The symptom was triggered
      by syzkaller spontaneously.
      
      Since the NULL timer is valid there, rip off snd_BUG_ON().
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20ca63e0
    • Robb Glasser's avatar
      ALSA: pcm: prevent UAF in snd_pcm_info · 45ddff3c
      Robb Glasser authored
      commit 362bca57 upstream.
      
      When the device descriptor is closed, the `substream->runtime` pointer
      is freed. But another thread may be in the ioctl handler, case
      SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
      calls snd_pcm_info() which accesses the now freed `substream->runtime`.
      
      Note: this fixes CVE-2017-0861
      Signed-off-by: default avatarRobb Glasser <rglasser@google.com>
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      45ddff3c