1. 24 Nov, 2016 31 commits
    • Patrick Scheuring's avatar
      Input: i8042 - add XMG C504 to keyboard reset table · d95841d1
      Patrick Scheuring authored
      [ Upstream commit da25311c ]
      
      The Schenker XMG C504 is a rebranded Gigabyte P35 v2 laptop.
      Therefore it also needs a keyboard reset to detect the Elantech touchpad.
      Otherwise the touchpad appears to be dead.
      
      With this patch the touchpad is detected:
      
      $ dmesg | grep -E "(i8042|Elantech|elantech)"
      
      [    2.675399] i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
      [    2.680372] i8042: Attempting to reset device connected to KBD port
      [    2.789037] serio: i8042 KBD port at 0x60,0x64 irq 1
      [    2.791586] serio: i8042 AUX port at 0x60,0x64 irq 12
      [    2.813840] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
      [    3.811431] psmouse serio1: elantech: assuming hardware version 4 (with firmware version 0x361f0e)
      [    3.825424] psmouse serio1: elantech: Synaptics capabilities query result 0x00, 0x15, 0x0f.
      [    3.839424] psmouse serio1: elantech: Elan sample query result 03, 58, 74
      [    3.911349] input: ETPS/2 Elantech Touchpad as /devices/platform/i8042/serio1/input/input6
      Signed-off-by: default avatarPatrick Scheuring <patrick.scheuring.dev@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d95841d1
    • Johannes Berg's avatar
      mac80211: discard multicast and 4-addr A-MSDUs · fa3fcdd3
      Johannes Berg authored
      [ Upstream commit ea720935 ]
      
      In mac80211, multicast A-MSDUs are accepted in many cases that
      they shouldn't be accepted in:
       * drop A-MSDUs with a multicast A1 (RA), as required by the
         spec in 9.11 (802.11-2012 version)
       * drop A-MSDUs with a 4-addr header, since the fourth address
         can't actually be useful for them; unless 4-address frame
         format is actually requested, even though the fourth address
         is still not useful in this case, but ignored
      
      Accepting the first case, in particular, is very problematic
      since it allows anyone else with possession of a GTK to send
      unicast frames encapsulated in a multicast A-MSDU, even when
      the AP has client isolation enabled.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fa3fcdd3
    • Gerald Schaefer's avatar
      GenWQE: Fix bad page access during abort of resource allocation · 7d9ad295
      Gerald Schaefer authored
      [ Upstream commit a7a7aeef ]
      
      When interrupting an application which was allocating DMAable
      memory, it was possible, that the DMA memory was deallocated
      twice, leading to the error symptoms below.
      
      Thanks to Gerald, who analyzed the problem and provided this
      patch.
      
      I agree with his analysis of the problem: ddcb_cmd_fixups() ->
      genwqe_alloc_sync_sgl() (fails in f/lpage, but sgl->sgl != NULL
      and f/lpage maybe also != NULL) -> ddcb_cmd_cleanup() ->
      genwqe_free_sync_sgl() (double free, because sgl->sgl != NULL and
      f/lpage maybe also != NULL)
      
      In this scenario we would have exactly the kind of double free that
      would explain the WARNING / Bad page state, and as expected it is
      caused by broken error handling (cleanup).
      
      Using the Ubuntu git source, tag Ubuntu-4.4.0-33.52, he was able to reproduce
      the "Bad page state" issue, and with the patch on top he could not reproduce
      it any more.
      
      ------------[ cut here ]------------
      WARNING: at /build/linux-o03cxz/linux-4.4.0/arch/s390/include/asm/pci_dma.h:141
      Modules linked in: qeth_l2 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common genwqe_card qeth crc_itu_t qdio ccwgroup vmur dm_multipath dasd_eckd_mod dasd_mod
      CPU: 2 PID: 3293 Comm: genwqe_gunzip Not tainted 4.4.0-33-generic #52-Ubuntu
      task: 0000000032c7e270 ti: 00000000324e4000 task.ti: 00000000324e4000
      Krnl PSW : 0404c00180000000 0000000000156346 (dma_update_cpu_trans+0x9e/0xa8)
                 R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
      Krnl GPRS: 00000000324e7bcd 0000000000c3c34a 0000000027628298 000000003215b400
                 0000000000000400 0000000000001fff 0000000000000400 0000000116853000
                 07000000324e7b1e 0000000000000001 0000000000000001 0000000000000001
                 0000000000001000 0000000116854000 0000000000156402 00000000324e7a38
      Krnl Code: 000000000015633a: 95001000           cli     0(%r1),0
                 000000000015633e: a774ffc3           brc     7,1562c4
                #0000000000156342: a7f40001           brc     15,156344
                >0000000000156346: 92011000           mvi     0(%r1),1
                 000000000015634a: a7f4ffbd           brc     15,1562c4
                 000000000015634e: 0707               bcr     0,%r7
                 0000000000156350: c00400000000       brcl    0,156350
                 0000000000156356: eb7ff0500024       stmg    %r7,%r15,80(%r15)
      Call Trace:
      ([<00000000001563e0>] dma_update_trans+0x90/0x228)
       [<00000000001565dc>] s390_dma_unmap_pages+0x64/0x160
       [<00000000001567c2>] s390_dma_free+0x62/0x98
       [<000003ff801310ce>] __genwqe_free_consistent+0x56/0x70 [genwqe_card]
       [<000003ff801316d0>] genwqe_free_sync_sgl+0xf8/0x160 [genwqe_card]
       [<000003ff8012bd6e>] ddcb_cmd_cleanup+0x86/0xa8 [genwqe_card]
       [<000003ff8012c1c0>] do_execute_ddcb+0x110/0x348 [genwqe_card]
       [<000003ff8012c914>] genwqe_ioctl+0x51c/0xc20 [genwqe_card]
       [<000000000032513a>] do_vfs_ioctl+0x3b2/0x518
       [<0000000000325344>] SyS_ioctl+0xa4/0xb8
       [<00000000007b86c6>] system_call+0xd6/0x264
       [<000003ff9e8e520a>] 0x3ff9e8e520a
      Last Breaking-Event-Address:
       [<0000000000156342>] dma_update_cpu_trans+0x9a/0xa8
      ---[ end trace 35996336235145c8 ]---
      BUG: Bad page state in process jbd2/dasdb1-8  pfn:3215b
      page:000003d100c856c0 count:-1 mapcount:0 mapping:          (null) index:0x0
      flags: 0x3fffc0000000000()
      page dumped because: nonzero _count
      Signed-off-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: default avatarFrank Haverkamp <haver@linux.vnet.ibm.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      7d9ad295
    • Chris Mason's avatar
      btrfs: fix races on root_log_ctx lists · 00736653
      Chris Mason authored
      [ Upstream commit 570dd450 ]
      
      btrfs_remove_all_log_ctxs takes a shortcut where it avoids walking the
      list because it knows all of the waiters are patiently waiting for the
      commit to finish.
      
      But, there's a small race where btrfs_sync_log can remove itself from
      the list if it finds a log commit is already done.  Also, it uses
      list_del_init() to remove itself from the list, but there's no way to
      know if btrfs_remove_all_log_ctxs has already run, so we don't know for
      sure if it is safe to call list_del_init().
      
      This gets rid of all the shortcuts for btrfs_remove_all_log_ctxs(), and
      just calls it with the proper locking.
      
      This is part two of the corruption fixed by cbd60aa7.  I should have
      done this in the first place, but convinced myself the optimizations were
      safe.  A 12 hour run of dbench 2048 will eventually trigger a list debug
      WARN_ON for the list_del_init() in btrfs_sync_log().
      
      Fixes: d1433debReported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      cc: stable@vger.kernel.org # 3.15+
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      00736653
    • Scot Doyle's avatar
      vt: clear selection before resizing · 0b2a0a58
      Scot Doyle authored
      [ Upstream commit 009e39ae ]
      
      When resizing a vt its selection may exceed the new size, resulting in
      an invalid memory access [1]. Clear the selection before resizing.
      
      [1] http://lkml.kernel.org/r/CACT4Y+acDTwy4umEvf5ROBGiRJNrxHN4Cn5szCXE5Jw-d1B=Xw@mail.gmail.comReported-and-tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarScot Doyle <lkml14@scotdoyle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      0b2a0a58
    • Dmitry Vyukov's avatar
      tty: limit terminal size to 4M chars · 78ad6d4c
      Dmitry Vyukov authored
      [ Upstream commit 32b2921e ]
      
      Size of kmalloc() in vc_do_resize() is controlled by user.
      Too large kmalloc() size triggers WARNING message on console.
      Put a reasonable upper bound on terminal size to prevent WARNINGs.
      Signed-off-by: default avatarDmitry Vyukov <dvyukov@google.com>
      CC: David Rientjes <rientjes@google.com>
      Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jiri Slaby <jslaby@suse.com>
      Cc: Peter Hurley <peter@hurleysoftware.com>
      Cc: linux-kernel@vger.kernel.org
      Cc: syzkaller@googlegroups.com
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      78ad6d4c
    • Marcel Hasler's avatar
      ALSA: usb-audio: Add quirk for Syntek STK1160 · 5352af8b
      Marcel Hasler authored
      [ Upstream commit bdc3478f ]
      
      The stk1160 chip needs QUIRK_AUDIO_ALIGN_TRANSFER. This patch resolves
      the issue reported on the mailing list
      (http://marc.info/?l=linux-sound&m=139223599126215&w=2) and also fixes
      bug 180071 (https://bugzilla.kernel.org/show_bug.cgi?id=180071).
      Signed-off-by: default avatarMarcel Hasler <mahasler@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5352af8b
    • David Howells's avatar
      KEYS: Fix short sprintf buffer in /proc/keys show function · abe571f8
      David Howells authored
      [ Upstream commit 03dab869 ]
      
      This fixes CVE-2016-7042.
      
      Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
      is turned on, this can cause a panic due to stack corruption.
      
      The problem is that xbuf[] is not big enough to hold a 64-bit timeout
      rendered as weeks:
      
      	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
      	$2 = 30500568904943
      
      That's 14 chars plus NUL, not 11 chars plus NUL.
      
      Expand the buffer to 16 chars.
      
      I think the unpatched code apparently works if the stack-protector is not
      enabled because on a 32-bit machine the buffer won't be overflowed and on a
      64-bit machine there's a 64-bit aligned pointer at one side and an int that
      isn't checked again on the other side.
      
      The panic incurred looks something like:
      
      Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
      CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
      Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
       ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
       ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
      Call Trace:
       [<ffffffff813d941f>] dump_stack+0x63/0x84
       [<ffffffff811b2cb6>] panic+0xde/0x22a
       [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
       [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
       [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
       [<ffffffff81350410>] ? key_validate+0x50/0x50
       [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
       [<ffffffff8126b31c>] seq_read+0x2cc/0x390
       [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
       [<ffffffff81244fc7>] __vfs_read+0x37/0x150
       [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
       [<ffffffff81246156>] vfs_read+0x96/0x130
       [<ffffffff81247635>] SyS_read+0x55/0xc0
       [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
      Reported-by: default avatarOndrej Kozina <okozina@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarOndrej Kozina <okozina@redhat.com>
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      abe571f8
    • Long Li's avatar
      hv: do not lose pending heartbeat vmbus packets · a9dd8df7
      Long Li authored
      [ Upstream commit 407a3aee ]
      
      The host keeps sending heartbeat packets independent of the
      guest responding to them.  Even though we respond to the heartbeat messages at
      interrupt level, we can have situations where there maybe multiple heartbeat
      messages pending that have not been responded to. For instance this occurs when the
      VM is paused and the host continues to send the heartbeat messages.
      Address this issue by draining and responding to all
      the heartbeat messages that maybe pending.
      Signed-off-by: default avatarLong Li <longli@microsoft.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a9dd8df7
    • Alexander Usyskin's avatar
      mei: txe: don't clean an unprocessed interrupt cause. · d70f2ee4
      Alexander Usyskin authored
      [ Upstream commit 43605e29 ]
      
      SEC registers are not accessible when the TXE device is in low power
      state, hence the SEC interrupt cannot be processed if device is not
      awake.
      
      In some rare cases entrance to low power state (aliveness off) and input
      ready bits can be signaled at the same time, resulting in communication
      stall as input ready won't be signaled again after waking up. To resolve
      this IPC_HHIER_SEC bit in HHISR_REG should not be cleaned if the
      interrupt is not processed.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAlexander Usyskin <alexander.usyskin@intel.com>
      Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d70f2ee4
    • tang.junhui's avatar
      dm table: fix missing dm_put_target_type() in dm_table_add_target() · f596302c
      tang.junhui authored
      [ Upstream commit dafa724b ]
      
      dm_get_target_type() was previously called so any error returned from
      dm_table_add_target() must first call dm_put_target_type().  Otherwise
      the DM target module's reference count will leak and the associated
      kernel module will be unable to be removed.
      
      Also, leverage the fact that r is already -EINVAL and remove an extra
      newline.
      
      Fixes: 36a0456f ("dm table: add immutable feature")
      Fixes: cc6cbe14 ("dm table: add always writeable feature")
      Fixes: 3791e2fc ("dm table: add singleton feature")
      Cc: stable@vger.kernel.org # 3.2+
      Signed-off-by: default avatartang.junhui <tang.junhui@zte.com.cn>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      f596302c
    • Bryan Paluch's avatar
      usb: increase ohci watchdog delay to 275 msec · 6e64ac09
      Bryan Paluch authored
      [ Upstream commit ed6d6f8f ]
      
      Increase ohci watchout delay to 275 ms. Previous delay was 250 ms
      with 20 ms of slack, after removing slack time some ohci controllers don't
      respond in time. Logs from systems with controllers that have the
      issue would show "HcDoneHead not written back; disabled"
      Signed-off-by: default avatarBryan Paluch <bryanpaluch@gmail.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6e64ac09
    • Johan Hovold's avatar
      USB: serial: fix potential NULL-dereference at probe · b6304f09
      Johan Hovold authored
      [ Upstream commit 126d26f6 ]
      
      Make sure we have at least one port before attempting to register a
      console.
      
      Currently, at least one driver binds to a "dummy" interface and requests
      zero ports for it. Should such an interface also lack endpoints, we get
      a NULL-deref during probe.
      
      Fixes: e5b1e206 ("USB: serial: make minor allocation dynamic")
      Cc: stable <stable@vger.kernel.org>	# 3.11
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b6304f09
    • Mathias Nyman's avatar
      xhci: add restart quirk for Intel Wildcatpoint PCH · e42afd00
      Mathias Nyman authored
      [ Upstream commit 4c39135a ]
      
      xHC in Wildcatpoint-LP PCH is similar to LynxPoint-LP and need the
      same quirks to prevent machines from spurious restart while
      shutting them down.
      Reported-by: default avatarHasan Mahmood <hasan.mahm@gmail.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      e42afd00
    • Darrick J. Wong's avatar
      libxfs: clean up _calc_dquots_per_chunk · da512d38
      Darrick J. Wong authored
      [ Upstream commit 58d78967 ]
      
      The function xfs_calc_dquots_per_chunk takes a parameter in units
      of basic blocks.  The kernel seems to get the units wrong, but
      userspace got 'fixed' by commenting out the unnecessary conversion.
      Fix both.
      
      cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      da512d38
    • Dinesh Israni's avatar
      target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code · 6848fad2
      Dinesh Israni authored
      [ Upstream commit 926317de ]
      
      This patch addresses a bug where a local EXTENDED_COPY WRITE or READ
      backend I/O request would always return SAM_STAT_CHECK_CONDITION,
      even if underlying xcopy_pt_cmd->se_cmd generated a different
      SCSI status code.
      
      ESX host environments expect to hit SAM_STAT_RESERVATION_CONFLICT
      for certain scenarios, and SAM_STAT_CHECK_CONDITION results in
      non-retriable status for these cases.
      
      Tested on v4.1.y with ESX v5.5u2+ with local IBLOCK backend copy.
      Reported-by: default avatarNixon Vincent <nixon.vincent@calsoftinc.com>
      Tested-by: default avatarNixon Vincent <nixon.vincent@calsoftinc.com>
      Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
      Tested-by: default avatarDinesh Israni <ddi@datera.io>
      Signed-off-by: default avatarDinesh Israni <ddi@datera.io>
      Cc: Dinesh Israni <ddi@datera.io>
      Cc: stable@vger.kernel.org # 3.14+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6848fad2
    • Richard Weinberger's avatar
      ubifs: Fix xattr_names length in exit paths · c30d39a0
      Richard Weinberger authored
      [ Upstream commit 843741c5 ]
      
      When the operation fails we also have to undo the changes
      we made to ->xattr_names. Otherwise listxattr() will report
      wrong lengths.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      c30d39a0
    • Frederic Barrat's avatar
      powerpc/mm: Prevent unlikely crash in copro_calculate_slb() · 1ef14328
      Frederic Barrat authored
      [ Upstream commit d2cf909c ]
      
      If a cxl adapter faults on an invalid address for a kernel context, we
      may enter copro_calculate_slb() with a NULL mm pointer (kernel
      context) and an effective address which looks like a user
      address. Which will cause a crash when dereferencing mm. It is clearly
      an AFU bug, but there's no reason to crash either. So return an error,
      so that cxl can ack the interrupt with an address error.
      
      Fixes: 73d16a6e ("powerpc/cell: Move data segment faulting code out of cell platform")
      Cc: stable@vger.kernel.org # v3.18+
      Signed-off-by: default avatarFrederic Barrat <fbarrat@linux.vnet.ibm.com>
      Acked-by: default avatarIan Munsie <imunsie@au1.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      1ef14328
    • Jan Kara's avatar
      isofs: Do not return EACCES for unknown filesystems · 249ed62d
      Jan Kara authored
      [ Upstream commit a2ed0b39 ]
      
      When isofs_mount() is called to mount a device read-write, it returns
      EACCES even before it checks that the device actually contains an isofs
      filesystem. This may confuse mount(8) which then tries to mount all
      subsequent filesystem types in read-only mode.
      
      Fix the problem by returning EACCES only once we verify that the device
      indeed contains an iso9660 filesystem.
      
      CC: stable@vger.kernel.org
      Fixes: 17b7f7cfReported-by: default avatarKent Overstreet <kent.overstreet@gmail.com>
      Reported-by: default avatarKarel Zak <kzak@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      249ed62d
    • Stefan Tauner's avatar
      USB: serial: ftdi_sio: add support for Infineon TriBoard TC2X7 · 836308dc
      Stefan Tauner authored
      [ Upstream commit ca006f78 ]
      
      This adds support to ftdi_sio for the Infineon TriBoard TC2X7
      engineering board for first-generation Aurix SoCs with Tricore CPUs.
      Mere addition of the device IDs does the job.
      Signed-off-by: default avatarStefan Tauner <stefan.tauner@technikum-wien.at>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      836308dc
    • Ulf Hansson's avatar
      memstick: rtsx_usb_ms: Manage runtime PM when accessing the device · 85f89aaf
      Ulf Hansson authored
      [ Upstream commit 9158cb29 ]
      
      Accesses to the rtsx usb device, which is the parent of the rtsx memstick
      device, must not be done unless it's runtime resumed. This is currently not
      the case and it could trigger various errors.
      
      Fix this by properly deal with runtime PM in this regards. This means
      making sure the device is runtime resumed, when serving requests via the
      ->request() callback or changing settings via the ->set_param() callbacks.
      
      Cc: <stable@vger.kernel.org>
      Cc: Ritesh Raj Sarraf <rrs@researchut.com>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      85f89aaf
    • Alan Stern's avatar
      memstick: rtsx_usb_ms: Runtime resume the device when polling for cards · a5eade90
      Alan Stern authored
      [ Upstream commit 796aa46a ]
      
      Accesses to the rtsx usb device, which is the parent of the rtsx memstick
      device, must not be done unless it's runtime resumed.
      
      Therefore when the rtsx_usb_ms driver polls for inserted memstick cards,
      let's add pm_runtime_get|put*() to make sure accesses is done when the
      rtsx usb device is runtime resumed.
      Reported-by: default avatarRitesh Raj Sarraf <rrs@researchut.com>
      Tested-by: default avatarRitesh Raj Sarraf <rrs@researchut.com>
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a5eade90
    • Ulf Hansson's avatar
      mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led · b2580c4b
      Ulf Hansson authored
      [ Upstream commit 4f48aa7a ]
      
      Accesses of the rtsx sdmmc's parent device, which is the rtsx usb device,
      must be done when it's runtime resumed. Currently this isn't case when
      changing the led, so let's fix this by adding a pm_runtime_get_sync() and
      a pm_runtime_put() around those operations.
      Reported-by: default avatarRitesh Raj Sarraf <rrs@researchut.com>
      Tested-by: default avatarRitesh Raj Sarraf <rrs@researchut.com>
      Cc: <stable@vger.kernel.org>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b2580c4b
    • Ulf Hansson's avatar
      mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused · 29cce652
      Ulf Hansson authored
      [ Upstream commit 31cf742f ]
      
      The rtsx_usb_sdmmc driver may bail out in its ->set_ios() callback when no
      SD card is inserted. This is wrong, as it could cause the device to remain
      runtime resumed when it's unused. Fix this behaviour.
      Tested-by: default avatarRitesh Raj Sarraf <rrs@researchut.com>
      Cc: <stable@vger.kernel.org>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      29cce652
    • Haibo Chen's avatar
      mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpeted error · 3ee23181
      Haibo Chen authored
      [ Upstream commit 02265cd6 ]
      
      Potentially overflowing expression 1000000 * data->timeout_clks with
      type unsigned int is evaluated using 32-bit arithmetic, and then used
      in a context that expects an expression of type unsigned long long.
      
      To avoid overflow, cast 1000000U to type unsigned long long.
      Special thanks to Coverity.
      
      Fixes: 7f05538a ("mmc: sdhci: fix data timeout (part 2)")
      Signed-off-by: default avatarHaibo Chen <haibo.chen@nxp.com>
      Cc: stable@vger.kernel.org # v3.15+
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      3ee23181
    • Felipe Balbi's avatar
      usb: gadget: function: u_ether: don't starve tx request queue · 27c87285
      Felipe Balbi authored
      [ Upstream commit 6c83f772 ]
      
      If we don't guarantee that we will always get an
      interrupt at least when we're queueing our very last
      request, we could fall into situation where we queue
      every request with 'no_interrupt' set. This will
      cause the link to get stuck.
      
      The behavior above has been triggered with g_ether
      and dwc3.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      27c87285
    • Dan Carpenter's avatar
      irqchip/gicv3: Handle loop timeout proper · 60299e35
      Dan Carpenter authored
      [ Upstream commit d102eb5c ]
      
      The timeout loop terminates when the loop count is zero, but the decrement
      of the count variable is post check. So count is -1 when we check for the
      timeout and therefor the error message is supressed.
      
      Change it to predecrement, so the error message is emitted.
      
      [ tglx: Massaged changelog ]
      
      Fixes: a2c22510 ("irqchip: gic-v3: Refactor gic_enable_redist to support both enabling and disabling")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: kernel-janitors@vger.kernel.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/20161014072534.GA15168@mwandaSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      60299e35
    • Alex Deucher's avatar
      drm/radeon: change vblank_time's calculation method to reduce computational error. · 5617a135
      Alex Deucher authored
      [ Upstream commit 02cfb5fc ]
      
      Ported from Rex's amdgpu change.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5617a135
    • Taesoo Kim's avatar
      jbd2: fix incorrect unlock on j_list_lock · 74407793
      Taesoo Kim authored
      [ Upstream commit 559cce69 ]
      
      When 'jh->b_transaction == transaction' (asserted by below)
      
        J_ASSERT_JH(jh, (jh->b_transaction == transaction || ...
      
      'journal->j_list_lock' will be incorrectly unlocked, since
      the the lock is aquired only at the end of if / else-if
      statements (missing the else case).
      Signed-off-by: default avatarTaesoo Kim <tsgatesv@gmail.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
      Fixes: 6e4862a5
      Cc: stable@vger.kernel.org # 3.14+
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      74407793
    • Ming Lei's avatar
      scsi: Fix use-after-free · 37f487e0
      Ming Lei authored
      [ Upstream commit bcd8f2e9 ]
      
      This patch fixes one use-after-free report[1] by KASAN.
      
      In __scsi_scan_target(), when a type 31 device is probed,
      SCSI_SCAN_TARGET_PRESENT is returned and the target will be scanned
      again.
      
      Inside the following scsi_report_lun_scan(), one new scsi_device
      instance is allocated, and scsi_probe_and_add_lun() is called again to
      probe the target and still see type 31 device, finally
      __scsi_remove_device() is called to remove & free the device at the end
      of scsi_probe_and_add_lun(), so cause use-after-free in
      scsi_report_lun_scan().
      
      And the following SCSI log can be observed:
      
      	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
      	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
      	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
      	scsi 0:0:2:0: scsi scan: Sending REPORT LUNS to (try 0)
      	scsi 0:0:2:0: scsi scan: REPORT LUNS successful (try 0) result 0x0
      	scsi 0:0:2:0: scsi scan: REPORT LUN scan
      	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
      	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
      	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
      	BUG: KASAN: use-after-free in __scsi_scan_target+0xbf8/0xe40 at addr ffff88007b44a104
      
      This patch fixes the issue by moving the putting reference at
      the end of scsi_report_lun_scan().
      
      [1] KASAN report
      ==================================================================
      [    3.274597] PM: Adding info for serio:serio1
      [    3.275127] BUG: KASAN: use-after-free in __scsi_scan_target+0xd87/0xdf0 at addr ffff880254d8c304
      [    3.275653] Read of size 4 by task kworker/u10:0/27
      [    3.275903] CPU: 3 PID: 27 Comm: kworker/u10:0 Not tainted 4.8.0 #2121
      [    3.276258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [    3.276797] Workqueue: events_unbound async_run_entry_fn
      [    3.277083]  ffff880254d8c380 ffff880259a37870 ffffffff94bbc6c1 ffff880078402d80
      [    3.277532]  ffff880254d8bb80 ffff880259a37898 ffffffff9459fec1 ffff880259a37930
      [    3.277989]  ffff880254d8bb80 ffff880078402d80 ffff880259a37920 ffffffff945a0165
      [    3.278436] Call Trace:
      [    3.278528]  [<ffffffff94bbc6c1>] dump_stack+0x65/0x84
      [    3.278797]  [<ffffffff9459fec1>] kasan_object_err+0x21/0x70
      [    3.279063] device: 'psaux': device_add
      [    3.279616]  [<ffffffff945a0165>] kasan_report_error+0x205/0x500
      [    3.279651] PM: Adding info for No Bus:psaux
      [    3.280202]  [<ffffffff944ecd22>] ? kfree_const+0x22/0x30
      [    3.280486]  [<ffffffff94bc2dc9>] ? kobject_release+0x119/0x370
      [    3.280805]  [<ffffffff945a0543>] __asan_report_load4_noabort+0x43/0x50
      [    3.281170]  [<ffffffff9507e1f7>] ? __scsi_scan_target+0xd87/0xdf0
      [    3.281506]  [<ffffffff9507e1f7>] __scsi_scan_target+0xd87/0xdf0
      [    3.281848]  [<ffffffff9507d470>] ? scsi_add_device+0x30/0x30
      [    3.282156]  [<ffffffff94f7f660>] ? pm_runtime_autosuspend_expiration+0x60/0x60
      [    3.282570]  [<ffffffff956ddb07>] ? _raw_spin_lock+0x17/0x40
      [    3.282880]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.283200]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.283563]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.283882]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.284173]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.284492]  [<ffffffff941a8954>] ? pwq_dec_nr_in_flight+0x124/0x2a0
      [    3.284876]  [<ffffffff941d1770>] ? preempt_count_add+0x130/0x160
      [    3.285207]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.285526]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.285844]  [<ffffffff941aa810>] ? process_one_work+0x12d0/0x12d0
      [    3.286182]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.286443]  [<ffffffff940855cd>] ? __switch_to+0x88d/0x1430
      [    3.286745]  [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0
      [    3.287085]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.287368]  [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0
      [    3.287697] Object at ffff880254d8bb80, in cache kmalloc-2048 size: 2048
      [    3.288064] Allocated:
      [    3.288147] PID = 27
      [    3.288218]  [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50
      [    3.288531]  [<ffffffff9459f246>] save_stack+0x46/0xd0
      [    3.288806]  [<ffffffff9459f4bd>] kasan_kmalloc+0xad/0xe0
      [    3.289098]  [<ffffffff9459c07e>] __kmalloc+0x13e/0x250
      [    3.289378]  [<ffffffff95078e5a>] scsi_alloc_sdev+0xea/0xcf0
      [    3.289701]  [<ffffffff9507de76>] __scsi_scan_target+0xa06/0xdf0
      [    3.290034]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.290362]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.290724]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.291055]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.291354]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.291695]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.292022]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.292325]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.292594]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.292886] Freed:
      [    3.292945] PID = 27
      [    3.293016]  [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50
      [    3.293327]  [<ffffffff9459f246>] save_stack+0x46/0xd0
      [    3.293600]  [<ffffffff9459fa61>] kasan_slab_free+0x71/0xb0
      [    3.293916]  [<ffffffff9459bac2>] kfree+0xa2/0x1f0
      [    3.294168]  [<ffffffff9508158a>] scsi_device_dev_release_usercontext+0x50a/0x730
      [    3.294598]  [<ffffffff941ace9a>] execute_in_process_context+0xda/0x130
      [    3.294974]  [<ffffffff9508107c>] scsi_device_dev_release+0x1c/0x20
      [    3.295322]  [<ffffffff94f566f6>] device_release+0x76/0x1e0
      [    3.295626]  [<ffffffff94bc2db7>] kobject_release+0x107/0x370
      [    3.295942]  [<ffffffff94bc29ce>] kobject_put+0x4e/0xa0
      [    3.296222]  [<ffffffff94f56e17>] put_device+0x17/0x20
      [    3.296497]  [<ffffffff9505201c>] scsi_device_put+0x7c/0xa0
      [    3.296801]  [<ffffffff9507e1bc>] __scsi_scan_target+0xd4c/0xdf0
      [    3.297132]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.297458]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.297829]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.298156]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.298453]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.298777]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.299105]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.299408]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.299676]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.299967] Memory state around the buggy address:
      [    3.300209]  ffff880254d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.300608]  ffff880254d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.300986] >ffff880254d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.301408]                    ^
      [    3.301550]  ffff880254d8c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    3.301987]  ffff880254d8c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    3.302396]
      ==================================================================
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMing Lei <tom.leiming@gmail.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      37f487e0
    • Jiri Slaby's avatar
      mmc: core: Annotate cmd_hdr as __le32 · 4a2ede59
      Jiri Slaby authored
      [ Upstream commit 3f2d2664 ]
      
      Commit f68381a7 (mmc: block: fix packed command header endianness)
      correctly fixed endianness handling of packed_cmd_hdr in
      mmc_blk_packed_hdr_wrq_prep.
      
      But now, sparse complains about incorrect types:
      drivers/mmc/card/block.c:1613:27: sparse: incorrect type in assignment (different base types)
      drivers/mmc/card/block.c:1613:27:    expected unsigned int [unsigned] [usertype] <noident>
      drivers/mmc/card/block.c:1613:27:    got restricted __le32 [usertype] <noident>
      ...
      
      So annotate cmd_hdr properly using __le32 to make everyone happy.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Fixes: f68381a7 (mmc: block: fix packed command header endianness)
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      4a2ede59
  2. 19 Nov, 2016 1 commit
    • Eric Dumazet's avatar
      udp: properly support MSG_PEEK with truncated buffers · 69335972
      Eric Dumazet authored
      [ Upstream commit 197c949e ]
      
      Backport of this upstream commit into stable kernels :
      89c22d8c ("net: Fix skb csum races when peeking")
      exposed a bug in udp stack vs MSG_PEEK support, when user provides
      a buffer smaller than skb payload.
      
      In this case,
      skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
                                       msg->msg_iov);
      returns -EFAULT.
      
      This bug does not happen in upstream kernels since Al Viro did a great
      job to replace this into :
      skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
      This variant is safe vs short buffers.
      
      For the time being, instead reverting Herbert Xu patch and add back
      skb->ip_summed invalid changes, simply store the result of
      udp_lib_checksum_complete() so that we avoid computing the checksum a
      second time, and avoid the problematic
      skb_copy_and_csum_datagram_iovec() call.
      
      This patch can be applied on recent kernels as it avoids a double
      checksumming, then backported to stable kernels as a bug fix.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      69335972
  3. 22 Oct, 2016 4 commits
    • Sasha Levin's avatar
      Linux 3.18.44 · a6846cfd
      Sasha Levin authored
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a6846cfd
    • Mathias Nyman's avatar
      xhci: fix usb2 resume timing and races. · c003797a
      Mathias Nyman authored
      [ Upstream commit f69115fd ]
      
      According to USB 2 specs ports need to signal resume for at least 20ms,
      in practice even longer, before moving to U0 state.
      Both host and devices can initiate resume.
      
      On device initiated resume, a port status interrupt with the port in resume
      state in issued. The interrupt handler tags a resume_done[port]
      timestamp with current time + USB_RESUME_TIMEOUT, and kick roothub timer.
      Root hub timer requests for port status, finds the port in resume state,
      checks if resume_done[port] timestamp passed, and set port to U0 state.
      
      On host initiated resume, current code sets the port to resume state,
      sleep 20ms, and finally sets the port to U0 state. This should also
      be changed to work in a similar way as the device initiated resume, with
      timestamp tagging, but that is not yet tested and will be a separate
      fix later.
      
      There are a few issues with this approach
      
      1. A host initiated resume will also generate a resume event. The event
         handler will find the port in resume state, believe it's a device
         initiated resume, and act accordingly.
      
      2. A port status request might cut the resume signalling short if a
         get_port_status request is handled during the host resume signalling.
         The port will be found in resume state. The timestamp is not set leading
         to time_after_eq(jiffies, timestamp) returning true, as timestamp = 0.
         get_port_status will proceed with moving the port to U0.
      
      3. If an error, or anything else happens to the port during device
         initiated resume signalling it will leave all the device resume
         parameters hanging uncleared, preventing further suspend, returning
         -EBUSY, and cause the pm thread to busyloop trying to enter suspend.
      
      Fix this by using the existing resuming_ports bitfield to indicate that
      resume signalling timing is taken care of.
      Check if the resume_done[port] is set before using it for timestamp
      comparison, and also clear out any resume signalling related variables
      if port is not in U0 or Resume state
      
      This issue was discovered when a PM thread busylooped, trying to runtime
      suspend the xhci USB 2 roothub on a Dell XPS
      
      Cc: stable <stable@vger.kernel.org>
      Reported-by: default avatarDaniel J Blueman <daniel@quora.org>
      Tested-by: default avatarDaniel J Blueman <daniel@quora.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      c003797a
    • Andrew Cooper's avatar
      x86/cpu: Fix SMAP check in PVOPS environments · bb2f5ed8
      Andrew Cooper authored
      [ Upstream commit 581b7f15 ]
      
      There appears to be no formal statement of what pv_irq_ops.save_fl() is
      supposed to return precisely.  Native returns the full flags, while lguest and
      Xen only return the Interrupt Flag, and both have comments by the
      implementations stating that only the Interrupt Flag is looked at.  This may
      have been true when initially implemented, but no longer is.
      
      To make matters worse, the Xen PVOP leaves the upper bits undefined, making
      the BUG_ON() undefined behaviour.  Experimentally, this now trips for 32bit PV
      guests on Broadwell hardware.  The BUG_ON() is consistent for an individual
      build, but not consistent for all builds.  It has also been a sitting timebomb
      since SMAP support was introduced.
      
      Use native_save_fl() instead, which will obtain an accurate view of the AC
      flag.
      Signed-off-by: default avatarAndrew Cooper <andrew.cooper3@citrix.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Tested-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: <lguest@lists.ozlabs.org>
      Cc: Xen-devel <xen-devel@lists.xen.org>
      CC: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      bb2f5ed8
    • Linus Torvalds's avatar
      mm: remove gup_flags FOLL_WRITE games from __get_user_pages() · e45a502b
      Linus Torvalds authored
      [ Upstream commit 19be0eaf ]
      
      This is an ancient bug that was actually attempted to be fixed once
      (badly) by me eleven years ago in commit 4ceb5db9 ("Fix
      get_user_pages() race for write access") but that was then undone due to
      problems on s390 by commit f33ea7f4 ("fix get_user_pages bug").
      
      In the meantime, the s390 situation has long been fixed, and we can now
      fix it by checking the pte_dirty() bit properly (and do it better).  The
      s390 dirty bit was implemented in abf09bed ("s390/mm: implement
      software dirty bits") which made it into v3.9.  Earlier kernels will
      have to look at the page state itself.
      
      Also, the VM has become more scalable, and what used a purely
      theoretical race back then has become easier to trigger.
      
      To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
      we already did a COW" rather than play racy games with FOLL_WRITE that
      is very fundamental, and then use the pte dirty flag to validate that
      the FOLL_COW flag is still valid.
      Reported-and-tested-by: default avatarPhil "not Paul" Oester <kernel@linuxace.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Reviewed-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Nick Piggin <npiggin@gmail.com>
      Cc: Greg Thelen <gthelen@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      e45a502b
  4. 10 Oct, 2016 4 commits