OSDN Git Service
Linux Build Service Account [Tue, 3 Sep 2019 21:02:23 +0000 (14:02 -0700)]
Merge "mmc: sdhci-msm: Ping with known good phase"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:22 +0000 (14:02 -0700)]
Merge "soc: qcom: Update ipc router sdio transport plugin"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:20 +0000 (14:02 -0700)]
Merge "msm: diag: Add SDIO transport in diag"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:19 +0000 (14:02 -0700)]
Merge "diag: Add diag over sdio support"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:18 +0000 (14:02 -0700)]
Merge "Revert "msm: camera_v2: CPP AXI reset at close""
Linux Build Service Account [Tue, 3 Sep 2019 21:02:17 +0000 (14:02 -0700)]
Merge "qseecom: check invalid handle for app loaded query request"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:15 +0000 (14:02 -0700)]
Merge "Asoc: apr: Fix sound card failure at stability runs"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:14 +0000 (14:02 -0700)]
Merge "asoc: codecs: Fix LPASS register access during bootup"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:13 +0000 (14:02 -0700)]
Merge "diag: dci: Prevent using uninitialized variables"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:12 +0000 (14:02 -0700)]
Merge "ks_bridge: Kill anchored urbs in release callback"
Linux Build Service Account [Tue, 3 Sep 2019 21:02:10 +0000 (14:02 -0700)]
Merge "msm: ipa3: Fix to memory allocation failure"
Amandeep Singh [Wed, 24 Jul 2019 06:16:12 +0000 (11:46 +0530)]
mmc: sdhci-msm: Ping with known good phase
Ping with known good phase if last phase of tuning fails.
Change-Id: I3d8d8ce3d8a4dc00146668b815b69619d3a4cea8
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Wed, 24 Jul 2019 06:06:25 +0000 (11:36 +0530)]
qti_sdio_client: Drop read write request during removal
Update read write API to drop further messages during transport or
interface removal.
Change-Id: Ied43de8aa7cef1c36c9c520976357ba1e63017db
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Wed, 24 Jul 2019 06:00:29 +0000 (11:30 +0530)]
msm: qcn: Add dynamic add and remove of SDIO card
Add API to dynamically add and remove the SDIO card on demand.
Change-Id: I946115880da75804a6636616d9cf7cfb4a682b92
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Fri, 7 Jun 2019 10:37:58 +0000 (16:07 +0530)]
msm: qcn: Enable QCN SDIO core driver for compilation
Add QCN SDIO core diver config into Makefile and
Kconfig to enable its compilation.
Change-Id: I19d184c628658175179d9b5c52a3a8bd07dd7999
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Fri, 7 Jun 2019 10:35:07 +0000 (16:05 +0530)]
msm: qcn: Enable QCN SDIO client driver for compilation
Add QCN SDIO client driver config into Makefile and
Kconfig to enable its compilation.
Change-Id: I40ffa1844b2030aca53d0e36f1bee2900a3ea8d4
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Wed, 3 Jul 2019 06:17:52 +0000 (11:47 +0530)]
soc: qcom: Update ipc router sdio transport plugin
Update ipc router sdio plugin initial snapshot to support peripheral
device over sdio transport.
Change-Id: I097ad755b3bd2270cda74738bed409e88dee343c
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Tue, 4 Jun 2019 06:05:03 +0000 (11:35 +0530)]
soc: qcom: Add ipc router plugin for sdio transport
This snapshot is taken as of msm-4.4 commit
dc86ce0faae2 ("soc: qcom:
ipc_rtr_xprt: Add support to set version in transport").
Change-Id: I729d3c910372d2c3c0bbaaae74a42150c9929732
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Mon, 6 May 2019 10:10:51 +0000 (15:40 +0530)]
msm: diag: Add SDIO transport in diag
Add support for SDIO transport in diag core framework.
Change-Id: Ic3ccfec3acd60b36a96aebb49a5681219a25e643
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Wed, 3 Jul 2019 07:17:41 +0000 (12:47 +0530)]
diag: Update diag over sdio snapshot
Update code to support diag for peripheral devices over sdio bus.
Change-Id: I14678f301f94b239b61c4c94d3c0ff65204e739e
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Fri, 31 May 2019 08:57:11 +0000 (14:27 +0530)]
diag: Add diag over sdio support
This commit is taken as of msm-4.4 commit
f185067e3685 ("diag: Fix
HSIC read complete work function").
Change-Id: I629fe0d9ed697fb20fd9263ecea6009157181e63
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Tue, 25 Jun 2019 06:34:34 +0000 (12:04 +0530)]
msm: qcn: Update completion sequence during tx
Update the completion variable sequence to avoid multiple complete
call on a stale staack completion variable.
Change-Id: I582777431918c359cd10e4e072f33589dc600e62
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Fri, 7 Jun 2019 06:35:28 +0000 (12:05 +0530)]
msm: qcn: Add QCN bridge client driver
Add QCN bridge client driver to provide interface to QCN SDIO
core function-1 driver. This driver currently provides interfacing
for diag, IPC router and sahara application.
Change-Id: Ie992aec91347bb68e46a01ee6f67a1d07ce40ecc
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Mon, 24 Jun 2019 09:21:08 +0000 (14:51 +0530)]
msm: qcn: Synchronize clients operating at different modes
Add synchronization support between clients that operate on different
modes, i.e. synchronous or asynchronous. The synchronous client will
momentarily switch to asynchronous if any asynchronous transmission is
scheduled.
Change-Id: I41aec9bff950d2816a9ce55017e118e8504be77a
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Mon, 24 Jun 2019 08:54:19 +0000 (14:24 +0530)]
msm: qcn: Reserve 8 bufferes in RW queue for RX
The current QCN core driver support four concurrent clients,
and there can be only two CRQ's that can be raised per client
from device.
Reserve 8 bufferes for data reception from device to host.
Change-Id: Iac72b5dd51988ffd1139bf55ecb9799bded77710
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Mon, 24 Jun 2019 08:44:07 +0000 (14:14 +0530)]
msm: qcn: Increase RW queue size
Increase RW queue size to compensate higer data transfer from host
to device, when device is operating at lower frequencies.
Change-Id: I443aead06c757cde40ee99ea2c29a5f323249b8b
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Mon, 24 Jun 2019 08:24:00 +0000 (13:54 +0530)]
msm: qcn: Update read/write APIs
Update read/write API in QCN sdio core driver to issue CMD53
instead of CMD52 for data equal or greater than 4 bytes.
Change-Id: I5641f32fa8896d3fafb087b440ff69ad936a83ee
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Amandeep Singh [Thu, 6 Jun 2019 05:53:42 +0000 (11:23 +0530)]
msm: Add QCN SDIO core driver
Add QCN SDIO core driver as function-1 driver to provide streamlined
communication for peripheral device connected over sdio.
Change-Id: Ia8aec77807b59d3e1476b0a12ee7016809335b39
Signed-off-by: Amandeep Singh <amansing@codeaurora.org>
Linux Build Service Account [Tue, 3 Sep 2019 04:56:44 +0000 (21:56 -0700)]
Merge "Merge android-4.4.189 (
74c8219) into msm-4.4"
Linux Build Service Account [Tue, 3 Sep 2019 04:56:43 +0000 (21:56 -0700)]
Merge "Merge android-4.4.188 (
886d085) into msm-4.4"
Zhen Kong [Tue, 27 Aug 2019 21:02:35 +0000 (14:02 -0700)]
qseecom: check invalid handle for app loaded query request
Check if the handle data type received from userspace is valid
for app loaded query request to avoid the offset boundary check
for qseecom_send_modfd_resp is bypassed.
Change-Id: I5f3611a8f830d6904213781c5ba70cfc0ba3e2e0
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Venu Raidu [Fri, 30 Aug 2019 05:31:21 +0000 (22:31 -0700)]
Revert "msm: camera_v2: CPP AXI reset at close"
This reverts commit
e4250ce4ec84a9d511f390a8dcdab9979378efb4.
AB/IB voting is not required to reset CPP AXI/HW during
camera close.
Change-Id: I230276b9d2c821dbc651fc5dd2a458e4e987baf9
Signed-off-by: Venu Raidu <vraidu@codeaurora.org>
Soumya Managoli [Fri, 2 Aug 2019 05:31:33 +0000 (11:01 +0530)]
Asoc: apr: Fix sound card failure at stability runs
In stability reboot tests, deferred audio drivers
are not invoked after lpass loading sometimes and
results in sound card failure. Change APR to platform
device and after APR status changes to loaded state,
add dummy module child device under APR which invokes
deferred audio drivers and sound card registers successfully.
In analog codec driver defers until Q6 core ready.
Change-Id: I1c82d9da55e771299df356a2771de2b2e62348cf
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
Vijayavardhan Vennapusa [Fri, 23 Aug 2019 06:02:22 +0000 (11:32 +0530)]
ks_bridge: Kill anchored urbs in release callback
Currently ks_bridge driver queues requests to USB hardware in
open callback, but killing those urbs in disconnect() callback.
Due to this, USB host controller tries to ping on these endpoints
of ks_bridge driver, even though release callback is called. This
results in not using bandwidth for usecase data transfers in highspeed
mode. Fix this by killing those anchored urbs in release callback.
Change-Id: Iebe60125bfa3311337b0c9e5aaca44197a67c2be
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Manoj Prabhu B [Tue, 20 Aug 2019 08:49:55 +0000 (14:19 +0530)]
diag: dci: Prevent using uninitialized variables
Presently chance of using uninitialized variables if a dci
command is not found is avoided by initializing command
structure variables.
Change-Id: I190299917ea6c7fadfc7686d43a7da098e0bc05e
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Soumya Managoli [Fri, 2 Aug 2019 05:26:44 +0000 (10:56 +0530)]
ARM: dts: msm: load audio-apr module
Entry for apr module and add audio apr dummy device
as child of apr device. This will invoke deferred probe
devices to address sound card failure issue.
Change-Id: I00aacb023f5a36b24da1f2b3d3c71646ffcfb47b
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
Soumya Managoli [Fri, 2 Aug 2019 05:29:47 +0000 (10:59 +0530)]
asoc: codecs: Fix LPASS register access during bootup
In analog codec and soundwire codec probe functions,
ADSP Audio PD up status is not checked which leads
to LPASS registers access during bootup
even before ADSP is ready.
Check for ADSP ready state in the respective
probe functions to fix this.
Change-Id: I7c97833898b6e75806c4567fcdf1618759acb238
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
Srinivasarao P [Mon, 12 Aug 2019 05:13:01 +0000 (10:43 +0530)]
Merge android-4.4.189 (
74c8219) into msm-4.4
* refs/heads/tmp-
74c8219
Linux 4.4.189
x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
x86/entry/64: Use JMP instead of JMPQ
x86/speculation: Enable Spectre v1 swapgs mitigations
x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
x86/entry/64: Fix context tracking state warning when load_gs_index fails
x86: cpufeatures: Sort feature word 7
spi: bcm2835: Fix 3-wire mode if DMA is enabled
block: blk_init_allocated_queue() set q->fq as NULL in the fail case
compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
bnx2x: Disable multi-cos feature.
net/mlx5: Use reversed order when unregister devices
net: sched: Fix a possible null-pointer dereference in dequeue_func()
tipc: compat: allow tipc commands without arguments
net: fix ifindex collision during namespace removal
net: bridge: delete local fdb on device init failure
atm: iphase: Fix Spectre v1 vulnerability
tcp: be more careful in tcp_fragment()
HID: Add quirk for HP X1200 PIXART OEM mouse
netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG}
arm64: cpufeature: Fix CTR_EL0 field definitions
UPSTREAM: net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier
Change-Id: I0bdf89783d0c83a3385d77f6b4c6f3d3b3fb0460
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Greg Kroah-Hartman [Sun, 11 Aug 2019 13:41:31 +0000 (15:41 +0200)]
Merge 4.4.189 into android-4.4
Changes in 4.4.189
arm64: cpufeature: Fix CTR_EL0 field definitions
arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG}
netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
HID: Add quirk for HP X1200 PIXART OEM mouse
tcp: be more careful in tcp_fragment()
atm: iphase: Fix Spectre v1 vulnerability
net: bridge: delete local fdb on device init failure
net: fix ifindex collision during namespace removal
tipc: compat: allow tipc commands without arguments
net: sched: Fix a possible null-pointer dereference in dequeue_func()
net/mlx5: Use reversed order when unregister devices
bnx2x: Disable multi-cos feature.
compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
block: blk_init_allocated_queue() set q->fq as NULL in the fail case
spi: bcm2835: Fix 3-wire mode if DMA is enabled
x86: cpufeatures: Sort feature word 7
x86/entry/64: Fix context tracking state warning when load_gs_index fails
x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
x86/speculation: Enable Spectre v1 swapgs mitigations
x86/entry/64: Use JMP instead of JMPQ
x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
Linux 4.4.189
Change-Id: I3d4e7965c8f5547ab025236686ea0d60e0b6e1f4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Sun, 11 Aug 2019 10:20:49 +0000 (12:20 +0200)]
Linux 4.4.189
Thomas Gleixner [Wed, 17 Jul 2019 19:18:59 +0000 (21:18 +0200)]
x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
commit
f36cf386e3fec258a341d446915862eded3e13d8 upstream.
Intel provided the following information:
On all current Atom processors, instructions that use a segment register
value (e.g. a load or store) will not speculatively execute before the
last writer of that segment retires. Thus they will not use a
speculatively written segment value.
That means on ATOMs there is no speculation through SWAPGS, so the SWAPGS
entry paths can be excluded from the extra LFENCE if PTI is disabled.
Create a separate bug flag for the through SWAPGS speculation and mark all
out-of-order ATOMs and AMD/HYGON CPUs as not affected. The in-order ATOMs
are excluded from the whole mitigation mess anyway.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
[bwh: Backported to 4.4:
- There's no whitelist entry (or any support) for Hygon CPUs
- Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josh Poimboeuf [Mon, 15 Jul 2019 16:51:39 +0000 (11:51 -0500)]
x86/entry/64: Use JMP instead of JMPQ
commit
64dbc122b20f75183d8822618c24f85144a5a94d upstream.
Somehow the swapgs mitigation entry code patch ended up with a JMPQ
instruction instead of JMP, where only the short jump is needed. Some
assembler versions apparently fail to optimize JMPQ into a two-byte JMP
when possible, instead always using a 7-byte JMP with relocation. For
some reason that makes the entry code explode with a #GP during boot.
Change it back to "JMP" as originally intended.
Fixes:
18ec54fdd6d1 ("x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations")
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josh Poimboeuf [Mon, 8 Jul 2019 16:52:26 +0000 (11:52 -0500)]
x86/speculation: Enable Spectre v1 swapgs mitigations
commit
a2059825986a1c8143fd6698774fa9d83733bb11 upstream.
The previous commit added macro calls in the entry code which mitigate the
Spectre v1 swapgs issue if the X86_FEATURE_FENCE_SWAPGS_* features are
enabled. Enable those features where applicable.
The mitigations may be disabled with "nospectre_v1" or "mitigations=off".
There are different features which can affect the risk of attack:
- When FSGSBASE is enabled, unprivileged users are able to place any
value in GS, using the wrgsbase instruction. This means they can
write a GS value which points to any value in kernel space, which can
be useful with the following gadget in an interrupt/exception/NMI
handler:
if (coming from user space)
swapgs
mov %gs:<percpu_offset>, %reg1
// dependent load or store based on the value of %reg
// for example: mov %(reg1), %reg2
If an interrupt is coming from user space, and the entry code
speculatively skips the swapgs (due to user branch mistraining), it
may speculatively execute the GS-based load and a subsequent dependent
load or store, exposing the kernel data to an L1 side channel leak.
Note that, on Intel, a similar attack exists in the above gadget when
coming from kernel space, if the swapgs gets speculatively executed to
switch back to the user GS. On AMD, this variant isn't possible
because swapgs is serializing with respect to future GS-based
accesses.
NOTE: The FSGSBASE patch set hasn't been merged yet, so the above case
doesn't exist quite yet.
- When FSGSBASE is disabled, the issue is mitigated somewhat because
unprivileged users must use prctl(ARCH_SET_GS) to set GS, which
restricts GS values to user space addresses only. That means the
gadget would need an additional step, since the target kernel address
needs to be read from user space first. Something like:
if (coming from user space)
swapgs
mov %gs:<percpu_offset>, %reg1
mov (%reg1), %reg2
// dependent load or store based on the value of %reg2
// for example: mov %(reg2), %reg3
It's difficult to audit for this gadget in all the handlers, so while
there are no known instances of it, it's entirely possible that it
exists somewhere (or could be introduced in the future). Without
tooling to analyze all such code paths, consider it vulnerable.
Effects of SMAP on the !FSGSBASE case:
- If SMAP is enabled, and the CPU reports RDCL_NO (i.e., not
susceptible to Meltdown), the kernel is prevented from speculatively
reading user space memory, even L1 cached values. This effectively
disables the !FSGSBASE attack vector.
- If SMAP is enabled, but the CPU *is* susceptible to Meltdown, SMAP
still prevents the kernel from speculatively reading user space
memory. But it does *not* prevent the kernel from reading the
user value from L1, if it has already been cached. This is probably
only a small hurdle for an attacker to overcome.
Thanks to Dave Hansen for contributing the speculative_smap() function.
Thanks to Andrew Cooper for providing the inside scoop on whether swapgs
is serializing on AMD.
[ tglx: Fixed the USER fence decision and polished the comment as suggested
by Dave Hansen ]
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Dave Hansen <dave.hansen@intel.com>
[bwh: Backported to 4.4:
- Check for X86_FEATURE_KAISER instead of X86_FEATURE_PTI
- mitigations= parameter is x86-only here
- Don't use __ro_after_init
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josh Poimboeuf [Mon, 8 Jul 2019 16:52:25 +0000 (11:52 -0500)]
x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
commit
18ec54fdd6d18d92025af097cd042a75cf0ea24c upstream.
Spectre v1 isn't only about array bounds checks. It can affect any
conditional checks. The kernel entry code interrupt, exception, and NMI
handlers all have conditional swapgs checks. Those may be problematic in
the context of Spectre v1, as kernel code can speculatively run with a user
GS.
For example:
if (coming from user space)
swapgs
mov %gs:<percpu_offset>, %reg
mov (%reg), %reg1
When coming from user space, the CPU can speculatively skip the swapgs, and
then do a speculative percpu load using the user GS value. So the user can
speculatively force a read of any kernel value. If a gadget exists which
uses the percpu value as an address in another load/store, then the
contents of the kernel value may become visible via an L1 side channel
attack.
A similar attack exists when coming from kernel space. The CPU can
speculatively do the swapgs, causing the user GS to get used for the rest
of the speculative window.
The mitigation is similar to a traditional Spectre v1 mitigation, except:
a) index masking isn't possible; because the index (percpu offset)
isn't user-controlled; and
b) an lfence is needed in both the "from user" swapgs path and the
"from kernel" non-swapgs path (because of the two attacks described
above).
The user entry swapgs paths already have SWITCH_TO_KERNEL_CR3, which has a
CR3 write when PTI is enabled. Since CR3 writes are serializing, the
lfences can be skipped in those cases.
On the other hand, the kernel entry swapgs paths don't depend on PTI.
To avoid unnecessary lfences for the user entry case, create two separate
features for alternative patching:
X86_FEATURE_FENCE_SWAPGS_USER
X86_FEATURE_FENCE_SWAPGS_KERNEL
Use these features in entry code to patch in lfences where needed.
The features aren't enabled yet, so there's no functional change.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Dave Hansen <dave.hansen@intel.com>
[bwh: Backported to 4.4:
- Assign the CPU feature bits from word 7
- Add FENCE_SWAPGS_KERNEL_ENTRY to NMI entry, since it does not
use paranoid_entry
- Include <asm/cpufeatures.h> in calling.h
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wanpeng Li [Fri, 30 Sep 2016 01:01:06 +0000 (09:01 +0800)]
x86/entry/64: Fix context tracking state warning when load_gs_index fails
commit
2fa5f04f85730d0c4f49f984b7efeb4f8d5bd1fc upstream.
This warning:
WARNING: CPU: 0 PID: 3331 at arch/x86/entry/common.c:45 enter_from_user_mode+0x32/0x50
CPU: 0 PID: 3331 Comm: ldt_gdt_64 Not tainted 4.8.0-rc7+ #13
Call Trace:
dump_stack+0x99/0xd0
__warn+0xd1/0xf0
warn_slowpath_null+0x1d/0x20
enter_from_user_mode+0x32/0x50
error_entry+0x6d/0xc0
? general_protection+0x12/0x30
? native_load_gs_index+0xd/0x20
? do_set_thread_area+0x19c/0x1f0
SyS_set_thread_area+0x24/0x30
do_int80_syscall_32+0x7c/0x220
entry_INT80_compat+0x38/0x50
... can be reproduced by running the GS testcase of the ldt_gdt test unit in
the x86 selftests.
do_int80_syscall_32() will call enter_form_user_mode() to convert context
tracking state from user state to kernel state. The load_gs_index() call
can fail with user gsbase, gsbase will be fixed up and proceed if this
happen.
However, enter_from_user_mode() will be called again in the fixed up path
though it is context tracking kernel state currently.
This patch fixes it by just fixing up gsbase and telling lockdep that IRQs
are off once load_gs_index() failed with user gsbase.
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1475197266-3440-1-git-send-email-wanpeng.li@hotmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ben Hutchings [Thu, 8 Aug 2019 19:03:32 +0000 (20:03 +0100)]
x86: cpufeatures: Sort feature word 7
This will make it clearer which bits are allocated, in case we need to
assign more feature bits for later backports.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lukas Wunner [Wed, 3 Jul 2019 10:29:31 +0000 (12:29 +0200)]
spi: bcm2835: Fix 3-wire mode if DMA is enabled
commit
8d8bef50365847134b51c1ec46786bc2873e4e47 upstream.
Commit
6935224da248 ("spi: bcm2835: enable support of 3-wire mode")
added 3-wire support to the BCM2835 SPI driver by setting the REN bit
(Read Enable) in the CS register when receiving data. The REN bit puts
the transmitter in high-impedance state. The driver recognizes that
data is to be received by checking whether the rx_buf of a transfer is
non-NULL.
Commit
3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers
meeting certain conditions") subsequently broke 3-wire support because
it set the SPI_MASTER_MUST_RX flag which causes spi_map_msg() to replace
rx_buf with a dummy buffer if it is NULL. As a result, rx_buf is
*always* non-NULL if DMA is enabled.
Reinstate 3-wire support by not only checking whether rx_buf is non-NULL,
but also checking that it is not the dummy buffer.
Fixes:
3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions")
Reported-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v4.2+
Cc: Martin Sperl <kernel@martin.sperl.org>
Acked-by: Stefan Wahren <wahrenst@gmx.net>
Link: https://lore.kernel.org/r/328318841455e505370ef8ecad97b646c033dc8a.1562148527.git.lukas@wunner.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xiao jin [Mon, 30 Jul 2018 06:11:12 +0000 (14:11 +0800)]
block: blk_init_allocated_queue() set q->fq as NULL in the fail case
commit
54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream.
We find the memory use-after-free issue in __blk_drain_queue()
on the kernel 4.14. After read the latest kernel 4.18-rc6 we
think it has the same problem.
Memory is allocated for q->fq in the blk_init_allocated_queue().
If the elevator init function called with error return, it will
run into the fail case to free the q->fq.
Then the __blk_drain_queue() uses the same memory after the free
of the q->fq, it will lead to the unpredictable event.
The patch is to set q->fq as NULL in the fail case of
blk_init_allocated_queue().
Fixes: commit
7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery")
Cc: <stable@vger.kernel.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: xiao jin <jin.xiao@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[groeck: backport to v4.4.y/v4.9.y (context change)]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Alessio Balsini <balsini@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnd Bergmann [Tue, 30 Jul 2019 19:25:20 +0000 (21:25 +0200)]
compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
[ Upstream commit
055d88242a6046a1ceac3167290f054c72571cd9 ]
Support for handling the PPPOEIOCSFWD ioctl in compat mode was added in
linux-2.5.69 along with hundreds of other commands, but was always broken
sincen only the structure is compatible, but the command number is not,
due to the size being sizeof(size_t), or at first sizeof(sizeof((struct
sockaddr_pppox)), which is different on 64-bit architectures.
Guillaume Nault adds:
And the implementation was broken until 2016 (see
29e73269aa4d ("pppoe:
fix reference counting in PPPoE proxy")), and nobody ever noticed. I
should probably have removed this ioctl entirely instead of fixing it.
Clearly, it has never been used.
Fix it by adding a compat_ioctl handler for all pppoe variants that
translates the command number and then calls the regular ioctl function.
All other ioctl commands handled by pppoe are compatible between 32-bit
and 64-bit, and require compat_ptr() conversion.
This should apply to all stable kernels.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sudarsana Reddy Kalluru [Wed, 24 Jul 2019 02:32:41 +0000 (19:32 -0700)]
bnx2x: Disable multi-cos feature.
[ Upstream commit
d1f0b5dce8fda09a7f5f04c1878f181d548e42f5 ]
Commit
3968d38917eb ("bnx2x: Fix Multi-Cos.") which enabled multi-cos
feature after prolonged time in driver added some regression causing
numerous issues (sudden reboots, tx timeout etc.) reported by customers.
We plan to backout this commit and submit proper fix once we have root
cause of issues reported with this feature enabled.
Fixes:
3968d38917eb ("bnx2x: Fix Multi-Cos.")
Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mark Zhang [Tue, 9 Jul 2019 02:37:12 +0000 (05:37 +0300)]
net/mlx5: Use reversed order when unregister devices
[ Upstream commit
08aa5e7da6bce1a1963f63cf32c2e7ad434ad578 ]
When lag is active, which is controlled by the bonded mlx5e netdev, mlx5
interface unregestering must happen in the reverse order where rdma is
unregistered (unloaded) first, to guarantee all references to the lag
context in hardware is removed, then remove mlx5e netdev interface which
will cleanup the lag context from hardware.
Without this fix during destroy of LAG interface, we observed following
errors:
* mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed,
status bad parameter(0x3), syndrome (0xe4ac33)
* mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed,
status bad parameter(0x3), syndrome (0xa5aee8).
Fixes:
a31208b1e11d ("net/mlx5_core: New init and exit flow for mlx5_core")
Reviewed-by: Parav Pandit <parav@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Mark Zhang <markz@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jia-Ju Bai [Mon, 29 Jul 2019 08:24:33 +0000 (16:24 +0800)]
net: sched: Fix a possible null-pointer dereference in dequeue_func()
[ Upstream commit
051c7b39be4a91f6b7d8c4548444e4b850f1f56c ]
In dequeue_func(), there is an if statement on line 74 to check whether
skb is NULL:
if (skb)
When skb is NULL, it is used on line 77:
prefetch(&skb->end);
Thus, a possible null-pointer dereference may occur.
To fix this bug, skb->end is used when skb is not NULL.
This bug is found by a static analysis tool STCheck written by us.
Fixes:
76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Taras Kondratiuk [Mon, 29 Jul 2019 22:15:07 +0000 (22:15 +0000)]
tipc: compat: allow tipc commands without arguments
[ Upstream commit
4da5f0018eef4c0de31675b670c80e82e13e99d1 ]
Commit
2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
broke older tipc tools that use compat interface (e.g. tipc-config from
tipcutils package):
% tipc-config -p
operation not supported
The commit started to reject TIPC netlink compat messages that do not
have attributes. It is too restrictive because some of such messages are
valid (they don't need any arguments):
% grep 'tx none' include/uapi/linux/tipc_config.h
#define TIPC_CMD_NOOP 0x0000 /* tx none, rx none */
#define TIPC_CMD_GET_MEDIA_NAMES 0x0002 /* tx none, rx media_name(s) */
#define TIPC_CMD_GET_BEARER_NAMES 0x0003 /* tx none, rx bearer_name(s) */
#define TIPC_CMD_SHOW_PORTS 0x0006 /* tx none, rx ultra_string */
#define TIPC_CMD_GET_REMOTE_MNG 0x4003 /* tx none, rx unsigned */
#define TIPC_CMD_GET_MAX_PORTS 0x4004 /* tx none, rx unsigned */
#define TIPC_CMD_GET_NETID 0x400B /* tx none, rx unsigned */
#define TIPC_CMD_NOT_NET_ADMIN 0xC001 /* tx none, rx none */
This patch relaxes the original fix and rejects messages without
arguments only if such arguments are expected by a command (reg_type is
non zero).
Fixes:
2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
Cc: stable@vger.kernel.org
Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jiri Pirko [Sun, 28 Jul 2019 12:56:36 +0000 (14:56 +0200)]
net: fix ifindex collision during namespace removal
[ Upstream commit
55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ]
Commit
aca51397d014 ("netns: Fix arbitrary net_device-s corruptions
on net_ns stop.") introduced a possibility to hit a BUG in case device
is returning back to init_net and two following conditions are met:
1) dev->ifindex value is used in a name of another "dev%d"
device in init_net.
2) dev->name is used by another device in init_net.
Under real life circumstances this is hard to get. Therefore this has
been present happily for over 10 years. To reproduce:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip netns add ns1
$ ip -n ns1 link add dummy1ns1 type dummy
$ ip -n ns1 link add dummy2ns1 type dummy
$ ip link set enp0s2 netns ns1
$ ip -n ns1 link set enp0s2 name dummy0
[ 100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
$ ip link add dev4 type dummy
$ ip -n ns1 a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
$ ip netns del ns1
[ 158.717795] default_device_exit: failed to move dummy0 to init_net: -17
[ 158.719316] ------------[ cut here ]------------
[ 158.720591] kernel BUG at net/core/dev.c:9824!
[ 158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
[ 158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[ 158.727508] Workqueue: netns cleanup_net
[ 158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[ 158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[ 158.736854] RSP: 0018:
ffff8880347e7b90 EFLAGS:
00010282
[ 158.738752] RAX:
000000000000003b RBX:
00000000ffffffef RCX:
0000000000000000
[ 158.741369] RDX:
0000000000000000 RSI:
ffffffff8128013d RDI:
ffffed10068fcf64
[ 158.743418] RBP:
ffff888033550170 R08:
000000000000003b R09:
fffffbfff0b94b9c
[ 158.745626] R10:
fffffbfff0b94b9b R11:
ffffffff85ca5cdf R12:
ffff888032f28000
[ 158.748405] R13:
dffffc0000000000 R14:
ffff8880335501b8 R15:
1ffff110068fcf72
[ 158.750638] FS:
0000000000000000(0000) GS:
ffff888036000000(0000) knlGS:
0000000000000000
[ 158.752944] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 158.755245] CR2:
00007fe8b45d21d0 CR3:
00000000340b4005 CR4:
0000000000360ef0
[ 158.757654] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 158.760012] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 158.762758] Call Trace:
[ 158.763882] ? dev_change_net_namespace+0xbb0/0xbb0
[ 158.766148] ? devlink_nl_cmd_set_doit+0x520/0x520
[ 158.768034] ? dev_change_net_namespace+0xbb0/0xbb0
[ 158.769870] ops_exit_list.isra.0+0xa8/0x150
[ 158.771544] cleanup_net+0x446/0x8f0
[ 158.772945] ? unregister_pernet_operations+0x4a0/0x4a0
[ 158.775294] process_one_work+0xa1a/0x1740
[ 158.776896] ? pwq_dec_nr_in_flight+0x310/0x310
[ 158.779143] ? do_raw_spin_lock+0x11b/0x280
[ 158.780848] worker_thread+0x9e/0x1060
[ 158.782500] ? process_one_work+0x1740/0x1740
[ 158.784454] kthread+0x31b/0x420
[ 158.786082] ? __kthread_create_on_node+0x3f0/0x3f0
[ 158.788286] ret_from_fork+0x3a/0x50
[ 158.789871] ---[ end trace
defd6c657c71f936 ]---
[ 158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[ 158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[ 158.804854] RSP: 0018:
ffff8880347e7b90 EFLAGS:
00010282
[ 158.807865] RAX:
000000000000003b RBX:
00000000ffffffef RCX:
0000000000000000
[ 158.811794] RDX:
0000000000000000 RSI:
ffffffff8128013d RDI:
ffffed10068fcf64
[ 158.816652] RBP:
ffff888033550170 R08:
000000000000003b R09:
fffffbfff0b94b9c
[ 158.820930] R10:
fffffbfff0b94b9b R11:
ffffffff85ca5cdf R12:
ffff888032f28000
[ 158.825113] R13:
dffffc0000000000 R14:
ffff8880335501b8 R15:
1ffff110068fcf72
[ 158.829899] FS:
0000000000000000(0000) GS:
ffff888036000000(0000) knlGS:
0000000000000000
[ 158.834923] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 158.838164] CR2:
00007fe8b45d21d0 CR3:
00000000340b4005 CR4:
0000000000360ef0
[ 158.841917] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 158.845149] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Fix this by checking if a device with the same name exists in init_net
and fallback to original code - dev%d to allocate name - in case it does.
This was found using syzkaller.
Fixes:
aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nikolay Aleksandrov [Mon, 29 Jul 2019 09:28:41 +0000 (12:28 +0300)]
net: bridge: delete local fdb on device init failure
[ Upstream commit
d7bae09fa008c6c9a489580db0a5a12063b97f97 ]
On initialization failure we have to delete the local fdb which was
inserted due to the default pvid creation. This problem has been present
since the inception of default_pvid. Note that currently there are 2 cases:
1) in br_dev_init() when br_multicast_init() fails
2) if register_netdevice() fails after calling ndo_init()
This patch takes care of both since br_vlan_flush() is called on both
occasions. Also the new fdb delete would be a no-op on normal bridge
device destruction since the local fdb would've been already flushed by
br_dev_delete(). This is not an issue for ports since nbp_vlan_init() is
called last when adding a port thus nothing can fail after it.
Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com
Fixes:
5be5a2df40f0 ("bridge: Add filtering support for default_pvid")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gustavo A. R. Silva [Wed, 31 Jul 2019 03:21:41 +0000 (22:21 -0500)]
atm: iphase: Fix Spectre v1 vulnerability
[ Upstream commit
ea443e5e98b5b74e317ef3d26bcaea54931ccdee ]
board is controlled by user-space, hence leading to a potential
exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/atm/iphase.c:2765 ia_ioctl() warn: potential spectre issue 'ia_dev' [r] (local cap)
drivers/atm/iphase.c:2774 ia_ioctl() warn: possible spectre second half. 'iadev'
drivers/atm/iphase.c:2782 ia_ioctl() warn: possible spectre second half. 'iadev'
drivers/atm/iphase.c:2816 ia_ioctl() warn: possible spectre second half. 'iadev'
drivers/atm/iphase.c:2823 ia_ioctl() warn: possible spectre second half. 'iadev'
drivers/atm/iphase.c:2830 ia_ioctl() warn: potential spectre issue '_ia_dev' [r] (local cap)
drivers/atm/iphase.c:2845 ia_ioctl() warn: possible spectre second half. 'iadev'
drivers/atm/iphase.c:2856 ia_ioctl() warn: possible spectre second half. 'iadev'
Fix this by sanitizing board before using it to index ia_dev and _ia_dev
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/
20180423164740.GY17484@dhcp22.suse.cz/
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Tue, 6 Aug 2019 15:09:14 +0000 (17:09 +0200)]
tcp: be more careful in tcp_fragment()
[ Upstream commit
b617158dc096709d8600c53b6052144d12b89fab ]
Some applications set tiny SO_SNDBUF values and expect
TCP to just work. Recent patches to address CVE-2019-11478
broke them in case of losses, since retransmits might
be prevented.
We should allow these flows to make progress.
This patch allows the first and last skb in retransmit queue
to be split even if memory limits are hit.
It also adds the some room due to the fact that tcp_sendmsg()
and tcp_sendpage() might overshoot sk_wmem_queued by about one full
TSO skb (64KB size). Note this allowance was already present
in stable backports for kernels < 4.15
Note for < 4.15 backports :
tcp_rtx_queue_tail() will probably look like :
static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
{
struct sk_buff *skb = tcp_send_head(sk);
return skb ? tcp_write_queue_prev(sk, skb) : tcp_write_queue_tail(sk);
}
Fixes:
f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrew Prout <aprout@ll.mit.edu>
Tested-by: Andrew Prout <aprout@ll.mit.edu>
Tested-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Tested-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Christoph Paasch <cpaasch@apple.com>
Cc: Jonathan Looney <jtl@netflix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sebastian Parschauer [Wed, 24 Jul 2019 18:40:03 +0000 (20:40 +0200)]
HID: Add quirk for HP X1200 PIXART OEM mouse
commit
49869d2ea9eecc105a10724c1abf035151a3c4e2 upstream.
The PixArt OEM mice are known for disconnecting every minute in
runlevel 1 or 3 if they are not always polled. So add quirk
ALWAYS_POLL for this one as well.
Jonathan Teh (@jonathan-teh) reported and tested the quirk.
Reference: https://github.com/sriemer/fix-linux-mouse/issues/15
Signed-off-by: Sebastian Parschauer <s.parschauer@gmx.de>
CC: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Phil Turnbull [Tue, 3 May 2016 20:39:19 +0000 (16:39 -0400)]
netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
[ Upstream commit
eda3fc50daa93b08774a18d51883c5a5d8d85e15 ]
If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is
missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is
required to trigger the bug.
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Will Deacon [Mon, 5 Aug 2019 17:13:08 +0000 (18:13 +0100)]
arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG}
commit
147b9635e6347104b91f48ca9dca61eb0fbf2a54 upstream.
If CTR_EL0.{CWG,ERG} are 0b0000 then they must be interpreted to have
their architecturally maximum values, which defeats the use of
FTR_HIGHER_SAFE when sanitising CPU ID registers on heterogeneous
machines.
Introduce FTR_HIGHER_OR_ZERO_SAFE so that these fields effectively
saturate at zero.
Fixes:
3c739b571084 ("arm64: Keep track of CPU feature registers")
Cc: <stable@vger.kernel.org> # 4.4.y only
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Will Deacon [Mon, 5 Aug 2019 17:13:07 +0000 (18:13 +0100)]
arm64: cpufeature: Fix CTR_EL0 field definitions
commit
be68a8aaf925aaf35574260bf820bb09d2f9e07f upstream.
Our field definitions for CTR_EL0 suffer from a number of problems:
- The IDC and DIC fields are missing, which causes us to enable CTR
trapping on CPUs with either of these returning non-zero values.
- The ERG is FTR_LOWER_SAFE, whereas it should be treated like CWG as
FTR_HIGHER_SAFE so that applications can use it to avoid false sharing.
- [nit] A RES1 field is described as "RAO"
This patch updates the CTR_EL0 field definitions to fix these issues.
Cc: <stable@vger.kernel.org> # 4.4.y only
Cc: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Pooja Kumari [Wed, 31 Jul 2019 09:50:19 +0000 (15:20 +0530)]
msm: ipa3: Fix to memory allocation failure
During device reboot when IPA is going for shutdown,
the allocation for memory request fails. Add change in
IPA to not sleep while memory allocation.
Change-Id: I0bdbf0f622770566ad1135c76f6edc2790285420
Signed-off-by: Pooja Kumari <kumarip@codeaurora.org>
Maciej Żenczykowski [Fri, 19 Jul 2019 06:30:03 +0000 (23:30 -0700)]
UPSTREAM: net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier
This is trivial since we already have support for the entirely
identical (from the kernel's point of view) RDNSS and DNSSL that
also contain opaque data that needs to be passed down to userspace.
As specified in RFC7710, Captive Portal option contains a URL.
8-bit identifier of the option type as assigned by the IANA is 37.
This option should also be treated as userland.
Hence, treat ND option 37 as userland (Captive Portal support)
See:
https://tools.ietf.org/html/rfc7710
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
Fixes:
e35f30c131a56
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Remin Nguyen Van <reminv@google.com>
Cc: Alexey I. Froloff <raorn@raorn.name>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug:
137914568
Change-Id: I73c12c45660e6371c1e193f799c0da7d97bd5435
(cherry picked from commit
66b5f1c439843bcbab01cc7f3854ae2742f3d1e3)
Linux Build Service Account [Thu, 8 Aug 2019 16:34:53 +0000 (09:34 -0700)]
Merge "scsi: ufs: sysfs: health descriptor"
Linux Build Service Account [Thu, 8 Aug 2019 16:34:52 +0000 (09:34 -0700)]
Merge "msm: vidc: Ensure size of the data available before typecasting"
Linux Build Service Account [Thu, 8 Aug 2019 16:34:51 +0000 (09:34 -0700)]
Merge "diag: dci: Prevent using uninitialized variables"
Linux Build Service Account [Thu, 8 Aug 2019 16:34:50 +0000 (09:34 -0700)]
Merge "ASoC: msm: qdsp6v2: Remove param_size from pkt_size of apr header"
Linux Build Service Account [Thu, 8 Aug 2019 16:34:49 +0000 (09:34 -0700)]
Merge "msm: mdss: hdmi: adjust HDMI DDC speed configuration"
Linux Build Service Account [Thu, 8 Aug 2019 16:34:48 +0000 (09:34 -0700)]
Merge "drm/msm/dsi-staging: Add length check before copying to user space"
Linux Build Service Account [Thu, 8 Aug 2019 16:34:47 +0000 (09:34 -0700)]
Merge "msm: mdss: hdcp: handle hdcp off gracefully"
Linux Build Service Account [Thu, 8 Aug 2019 06:24:23 +0000 (23:24 -0700)]
Merge "icnss: Synchronize idle shutdown and restart"
Stanislav Nijnikov [Thu, 15 Feb 2018 12:14:05 +0000 (14:14 +0200)]
scsi: ufs: sysfs: health descriptor
This patch introduces a sysfs group entry for the UFS health descriptor
parameters. The group adds "health_descriptor" folder under the UFS driver
sysfs entry (/sys/bus/platform/drivers/ufshcd/*). The parameters are shown
as hexadecimal numbers. The full information about the parameters could be
found at UFS specifications 2.1.
Change-Id: I059d6be2914dbb58ac337ddf7509f36a534b531f
Signed-off-by: Stanislav Nijnikov <stanislav.nijnikov@wdc.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Git-commit:
c648c2d27f168ae4faeb43f8c3074226aae3862c
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Anjana <ahari@codeaurora.org>
Priyanka Gujjula [Thu, 9 May 2019 15:05:09 +0000 (20:35 +0530)]
msm: vidc: Ensure size of the data available before typecasting
Ensure the available data size with in the packet before type
casting from smaller data type to larger data type in order
to avoid information leak or packet out of boundary access.
Change-Id: I8614a8b3f930c87af8aa49f77ea9d768a73ea203
Signed-off-by: Priyanka Gujjula <pgujjula@codeaurora.org>
Srinivasarao P [Wed, 7 Aug 2019 05:39:26 +0000 (11:09 +0530)]
Merge android-4.4.188 (
886d085) into msm-4.4
* refs/heads/tmp-
886d085
Linux 4.4.188
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
s390/dasd: fix endless loop after read unit address configuration
selinux: fix memory leak in policydb_init()
x86/kvm: Don't call kvm_spurious_fault() from .fixup
ipc/mqueue.c: only perform resource calculation if user valid
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
coda: fix build using bare-metal toolchain
coda: add error handling for fget
mm/cma.c: fail if fixed declaration can't be honored
x86: math-emu: Hide clang warnings for 16-bit overflow
x86/apic: Silence -Wtype-limits compiler warnings
be2net: Signal that the device cannot transmit during reconfiguration
ACPI: fix false-positive -Wuninitialized warning
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
ceph: fix improper use of smp_mb__before_atomic()
btrfs: fix minimum number of chunk errors for DUP
fs/adfs: super: fix use-after-free bug
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
MIPS: lantiq: Fix bitfield masking
kernel/module.c: Only return -EEXIST for modules that have finished loading
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
ARM: riscpc: fix DMA
Change-Id: I5117beda77a1297c46e7b105bd70d1d726dd6d2b
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Srinivasarao P [Wed, 7 Aug 2019 05:19:25 +0000 (10:49 +0530)]
Merge android-4.4.187 (
8eb3d65) into msm-4.4
* refs/heads/tmp-
8eb3d65
Linux 4.4.187
ceph: hold i_ceph_lock when removing caps for freeing inode
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
sched/fair: Don't free p->numa_faults with concurrent readers
Bluetooth: hci_uart: check for missing tty operations
media: radio-raremono: change devm_k*alloc to k*alloc
media: cpia2_usb: first wake up, then free in disconnect
ISDN: hfcsusb: checking idx of ep configuration
tcp: reset sk_send_head in tcp_write_queue_purge
ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
mm, vmstat: make quiet_vmstat lighter
vmstat: Remove BUG_ON from vmstat_update
access: avoid the RCU grace period for the temporary subjective credentials
powerpc/tm: Fix oops on sigreturn on systems without TM
ALSA: hda - Add a conexant codec entry to let mute led work
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
hpet: Fix division by zero in hpet_time_div()
x86/speculation/mds: Apply more accurate check on hypervisor platform
x86/sysfb_efi: Add quirks for some devices with swapped width and height
usb: pci-quirks: Correct AMD PLL quirk detection
usb: wusbcore: fix unbalanced get/put cluster_id
locking/lockdep: Hide unused 'class' variable
locking/lockdep: Fix lock used or unused stats error
mm/mmu_notifier: use hlist_add_head_rcu()
9p: pass the correct prototype to read_cache_page
mm/kmemleak.c: fix check for softirq context
sh: prevent warnings when using iounmap
powerpc/eeh: Handle hugepages in ioremap space
mailbox: handle failed named mailbox channel request
f2fs: avoid out-of-range memory access
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
kallsyms: exclude kasan local symbols on s390
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
um: Silence lockdep complaint about mmap_sem
mfd: arizona: Fix undefined behavior
mfd: core: Set fwnode for created devices
recordmcount: Fix spurious mcount entries on powerpc
iio: iio-utils: Fix possible incorrect mask calculation
PCI: sysfs: Ignore lockdep for remove attribute
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
usb: gadget: Zero ffs_io_data
phy: renesas: rcar-gen2: Fix memory leak at error paths
drm/virtio: Add memory barriers for capset cache.
tty: serial: msm_serial: avoid system lockup condition
tty/serial: digicolor: Fix digicolor-usart already registered warning
memstick: Fix error cleanup path of memstick_init
tty: serial: cpm_uart - fix init when SMC is relocated
pinctrl: rockchip: fix leaked of_node references
tty: max310x: Fix invalid baudrate divisors calculator
usb: core: hub: Disable hub-initiated U1/U2
drm/panel: simple: Fix panel_simple_dsi_probe
nfsd: Fix overflow causing non-working mounts on 1 TB machines
nfsd: fix performance-limiting session calculation
nfsd: give out fewer session slots as limit approaches
nfsd: increase DRC cache limit
NFSv4: Fix open create exclusive when the server reboots
elevator: fix truncation of icq_cache_name
net: bridge: stp: don't cache eth dest pointer before skb pull
net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
bonding: validate ip header before check IPPROTO_IGMP
tcp: Reset bytes_acked and bytes_received when disconnecting
netrom: hold sock when setting skb->destructor
netrom: fix a memory leak in nr_rx_frame()
sky2: Disable MSI on ASUS P6T
nfc: fix potential illegal memory access
net: neigh: fix multiple neigh timer scheduling
net: bcmgenet: use promisc for unsupported filters
ipv4: don't set IPv6 only flags to IPv4 addresses
caif-hsi: fix possible deadlock in cfhsi_exit_module()
bnx2x: Prevent load reordering in tx completion processing
dm bufio: fix deadlock with loop device
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
intel_th: msu: Fix single mode with disabled IOMMU
eCryptfs: fix a couple type promotion bugs
powerpc/watchpoint: Restore NV GPRs while returning from exception
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
coda: pass the host file in vma->vm_file on mmap
floppy: fix out-of-bounds read in copy_buffer
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in next_valid_format
floppy: fix div-by-zero in setup_format_params
take floppy compat ioctls to sodding floppy.c
PCI: Do not poll for PME if the device is in D3cold
9p/virtio: Add cleanup path in p9_virtio_init
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
drm/nouveau/i2c: Enable i2c pads & busses during preinit
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
media: coda: Remove unbalanced and unneeded mutex unlock
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
ALSA: seq: Break too long mutex context in the write loop
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
NFSv4: Handle the special Linux file open access mode
tracing/snapshot: Resize spare buffer if size changed
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
Input: gtco - bounds check collection indent level
crypto: arm64/sha2-ce - correct digest for empty data in finup
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: ghash - fix unaligned memory access in ghash_setkey()
Bluetooth: validate BLE connection interval updates
Bluetooth: Check state in l2cap_disconnect_rsp
Bluetooth: 6lowpan: search for destination address in all peers
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
ixgbe: Check DDM existence in transceiver before access
rslib: Fix handling of of caller provided syndrome
rslib: Fix decoding of shortened codes
ath10k: fix PCIE device wake up failed
mt7601u: fix possible memory leak when the device is disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: do not schedule rx_tasklet when the device has been disconnected
media: coda: increment sequence offset for the last returned frame
media: coda: fix mpeg2 sequence number handling
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
timer_list: Guard procfs specific code
ntp: Limit TAI-UTC offset
media: i2c: fix warning same module names
EDAC/sysfs: Fix memory leak when creating a csrow object
vhost_net: disable zerocopy by default
perf evsel: Make perf_evsel__name() accept a NULL argument
xfrm: fix sa selector validation
rcu: Force inlining of rcu_read_lock()
bpf: silence warning messages in core
regmap: fix bulk writes on paged registers
gpio: omap: ensure irq is enabled before wakeup
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
perf test 6: Fix missing kvm module load for s390
s390/qdio: handle PENDING state for QEBSM devices
net: axienet: Fix race condition causing TX hang
net: fec: Do not use netdev messages too early
cpupower : frequency-set -r option misses the last cpu in related cpu list
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
locking/lockdep: Fix merging of hlocks with non-zero references
tua6100: Avoid build warnings.
net: phy: Check against net_device being NULL
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
xfrm: Fix xfrm sel prefix length validation
af_key: fix leaks in key_pol_get_resp and dump_sp.
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
net: stmmac: dwmac1000: Clear unused address entries
media: vpss: fix a potential NULL pointer dereference
media: marvell-ccic: fix DMA s/g desc number calculation
crypto: talitos - fix skcipher failure due to wrong output IV
media: dvb: usb: fix use after free in dvb_usb_device_exit
batman-adv: fix for leaked TVLV handler.
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
ath6kl: add some bounds checking
ath9k: Check for errors when reading SREV register
ath10k: Do not send probe response template for mesh
dmaengine: imx-sdma: fix use-after-free on probe error path
MIPS: fix build on non-linux hosts
MIPS: ath79: fix ar933x uart parity mode
f2fs: use EINVAL for superblock with invalid magic
f2fs: fix to read source block before invalidating it
f2fs: remove redundant check from f2fs_setflags_common()
f2fs: use generic checking and prep function for FS_IOC_SETFLAGS
ANDROID: overlayfs: Fix a regression in commit
b24be4acd
ANDROID: xfrm: remove in_compat_syscall() checks
ANDROID: enable CONFIG_RTC_DRV_TEST on cuttlefish
BACKPORT: binder: Set end of SG buffer area properly.
f2fs: improve print log in f2fs_sanity_check_ckpt()
f2fs: avoid out-of-range memory access
f2fs: fix to avoid long latency during umount
f2fs: allow all the users to pin a file
f2fs: support swap file w/ DIO
f2fs: allocate blocks for pinned file
f2fs: fix is_idle() check for discard type
f2fs: add a rw_sem to cover quota flag changes
f2fs: set SBI_NEED_FSCK for xattr corruption case
f2fs: use generic EFSBADCRC/EFSCORRUPTED
f2fs: Use DIV_ROUND_UP() instead of open-coding
f2fs: print kernel message if filesystem is inconsistent
f2fs: introduce f2fs_<level> macros to wrap f2fs_printk()
f2fs: avoid get_valid_blocks() for cleanup
f2fs: ioctl for removing a range from F2FS
f2fs: only set project inherit bit for directory
f2fs: separate f2fs i_flags from fs_flags and ext4 i_flags
f2fs: Add option to limit required GC for checkpoint=disable
f2fs: Fix accounting for unusable blocks
f2fs: Fix root reserved on remount
f2fs: Lower threshold for disable_cp_again
f2fs: fix sparse warning
f2fs: fix f2fs_show_options to show nodiscard mount option
f2fs: add error prints for debugging mount failure
f2fs: fix to do sanity check on segment bitmap of LFS curseg
f2fs: add missing sysfs entries in documentation
f2fs: fix to avoid deadloop if data_flush is on
f2fs: always assume that the device is idle under gc_urgent
f2fs: add bio cache for IPU
f2fs: allow ssr block allocation during checkpoint=disable period
f2fs: fix to check layout on last valid checkpoint park
Conflicts:
drivers/net/wireless/ath/ath10k/hw.c
fs/ecryptfs/crypto.c
mm/vmstat.c
Change-Id: Ic268e845f4992a9dbdf5c985cfe9359a56a5c72e
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Greg Kroah-Hartman [Tue, 6 Aug 2019 16:34:01 +0000 (18:34 +0200)]
Merge 4.4.188 into android-4.4
Changes in 4.4.188
ARM: riscpc: fix DMA
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
kernel/module.c: Only return -EEXIST for modules that have finished loading
MIPS: lantiq: Fix bitfield masking
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
fs/adfs: super: fix use-after-free bug
btrfs: fix minimum number of chunk errors for DUP
ceph: fix improper use of smp_mb__before_atomic()
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
ACPI: fix false-positive -Wuninitialized warning
be2net: Signal that the device cannot transmit during reconfiguration
x86/apic: Silence -Wtype-limits compiler warnings
x86: math-emu: Hide clang warnings for 16-bit overflow
mm/cma.c: fail if fixed declaration can't be honored
coda: add error handling for fget
coda: fix build using bare-metal toolchain
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
ipc/mqueue.c: only perform resource calculation if user valid
x86/kvm: Don't call kvm_spurious_fault() from .fixup
selinux: fix memory leak in policydb_init()
s390/dasd: fix endless loop after read unit address configuration
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
Linux 4.4.188
Change-Id: Id4d8157fe94d0c6be18731ff0612500394eafec2
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Tue, 6 Aug 2019 16:28:29 +0000 (18:28 +0200)]
Linux 4.4.188
Juergen Gross [Fri, 14 Jun 2019 05:46:02 +0000 (07:46 +0200)]
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
commit
50f6393f9654c561df4cdcf8e6cfba7260143601 upstream.
The condition in xen_swiotlb_free_coherent() for deciding whether to
call xen_destroy_contiguous_region() is wrong: in case the region to
be freed is not contiguous calling xen_destroy_contiguous_region() is
the wrong thing to do: it would result in inconsistent mappings of
multiple PFNs to the same MFN. This will lead to various strange
crashes or data corruption.
Instead of calling xen_destroy_contiguous_region() in that case a
warning should be issued as that situation should never occur.
Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stefan Haberland [Thu, 1 Aug 2019 11:06:30 +0000 (13:06 +0200)]
s390/dasd: fix endless loop after read unit address configuration
commit
41995342b40c418a47603e1321256d2c4a2ed0fb upstream.
After getting a storage server event that causes the DASD device driver
to update its unit address configuration during a device shutdown there is
the possibility of an endless loop in the device driver.
In the system log there will be ongoing DASD error messages with RC: -19.
The reason is that the loop starting the ruac request only terminates when
the retry counter is decreased to 0. But in the sleep_on function there are
early exit paths that do not decrease the retry counter.
Prevent an endless loop by handling those cases separately.
Remove the unnecessary do..while loop since the sleep_on function takes
care of retries by itself.
Fixes:
8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1")
Cc: stable@vger.kernel.org # 2.6.25+
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ondrej Mosnacek [Thu, 25 Jul 2019 10:52:43 +0000 (12:52 +0200)]
selinux: fix memory leak in policydb_init()
commit
45385237f65aeee73641f1ef737d7273905a233f upstream.
Since roles_init() adds some entries to the role hash table, we need to
destroy also its keys/values on error, otherwise we get a memory leak in
the error path.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+fee3a14d4cdf92646287@syzkaller.appspotmail.com
Fixes:
1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josh Poimboeuf [Thu, 18 Jul 2019 01:36:39 +0000 (20:36 -0500)]
x86/kvm: Don't call kvm_spurious_fault() from .fixup
[ Upstream commit
3901336ed9887b075531bffaeef7742ba614058b ]
After making a change to improve objtool's sibling call detection, it
started showing the following warning:
arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame
The problem is the ____kvm_handle_fault_on_reboot() macro. It does a
fake call by pushing a fake RIP and doing a jump. That tricks the
unwinder into printing the function which triggered the exception,
rather than the .fixup code.
Instead of the hack to make it look like the original function made the
call, just change the macro so that the original function actually does
make the call. This allows removal of the hack, and also makes objtool
happy.
I triggered a vmx instruction exception and verified that the stack
trace is still sane:
kernel BUG at arch/x86/kvm/x86.c:358!
invalid opcode: 0000 [#1] SMP PTI
CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16
Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017
RIP: 0010:kvm_spurious_fault+0x5/0x10
Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
RSP: 0018:
ffffbf91c683bd00 EFLAGS:
00010246
RAX:
000061f040000000 RBX:
ffff9e159c77bba0 RCX:
ffff9e15a5c87000
RDX:
0000000665c87000 RSI:
ffff9e15a5c87000 RDI:
ffff9e159c77bba0
RBP:
0000000000000000 R08:
0000000000000000 R09:
ffff9e15a5c87000
R10:
0000000000000000 R11:
fffff8f2d99721c0 R12:
ffff9e159c77bba0
R13:
ffffbf91c671d960 R14:
ffff9e159c778000 R15:
0000000000000000
FS:
00007fa341cbe700(0000) GS:
ffff9e15b7400000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
00007fdd38356804 CR3:
00000006759de003 CR4:
00000000007606e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
PKRU:
55555554
Call Trace:
loaded_vmcs_init+0x4f/0xe0
alloc_loaded_vmcs+0x38/0xd0
vmx_create_vcpu+0xf7/0x600
kvm_vm_ioctl+0x5e9/0x980
? __switch_to_asm+0x40/0x70
? __switch_to_asm+0x34/0x70
? __switch_to_asm+0x40/0x70
? __switch_to_asm+0x34/0x70
? free_one_page+0x13f/0x4e0
do_vfs_ioctl+0xa4/0x630
ksys_ioctl+0x60/0x90
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x55/0x1c0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fa349b1ee5b
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kees Cook [Tue, 16 Jul 2019 23:30:21 +0000 (16:30 -0700)]
ipc/mqueue.c: only perform resource calculation if user valid
[ Upstream commit
a318f12ed8843cfac53198390c74a565c632f417 ]
Andreas Christoforou reported:
UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow:
9 *
2305843009213693951 cannot be represented in type 'long int'
...
Call Trace:
mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
evict+0x472/0x8c0 fs/inode.c:558
iput_final fs/inode.c:1547 [inline]
iput+0x51d/0x8c0 fs/inode.c:1573
mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
vfs_mkobj+0x39e/0x580 fs/namei.c:2892
prepare_open ipc/mqueue.c:731 [inline]
do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771
Which could be triggered by:
struct mq_attr attr = {
.mq_flags = 0,
.mq_maxmsg = 9,
.mq_msgsize = 0x1fffffffffffffff,
.mq_curmsgs = 0,
};
if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
perror("mq_open");
mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
preparing to return -EINVAL. During the cleanup, it calls
mqueue_evict_inode() which performed resource usage tracking math for
updating "user", before checking if there was a valid "user" at all
(which would indicate that the calculations would be sane). Instead,
delay this check to after seeing a valid "user".
The overflow was real, but the results went unused, so while the flaw is
harmless, it's noisy for kernel fuzzers, so just fix it by moving the
calculation under the non-NULL "user" where it actually gets used.
Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Andreas Christoforou <andreaschristofo@gmail.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mikko Rapeli [Tue, 16 Jul 2019 23:28:10 +0000 (16:28 -0700)]
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
[ Upstream commit
f90fb3c7e2c13ae829db2274b88b845a75038b8a ]
Only users of upc_req in kernel side fs/coda/psdev.c and
fs/coda/upcall.c already include linux/coda_psdev.h.
Suggested by Jan Harkes <jaharkes@cs.cmu.edu> in
https://lore.kernel.org/lkml/
20150531111913.GA23377@cs.cmu.edu/
Fixes these include/uapi/linux/coda_psdev.h compilation errors in userspace:
linux/coda_psdev.h:12:19: error: field `uc_chain' has incomplete type
struct list_head uc_chain;
^
linux/coda_psdev.h:13:2: error: unknown type name `caddr_t'
caddr_t uc_data;
^
linux/coda_psdev.h:14:2: error: unknown type name `u_short'
u_short uc_flags;
^
linux/coda_psdev.h:15:2: error: unknown type name `u_short'
u_short uc_inSize; /* Size is at most 5000 bytes */
^
linux/coda_psdev.h:16:2: error: unknown type name `u_short'
u_short uc_outSize;
^
linux/coda_psdev.h:17:2: error: unknown type name `u_short'
u_short uc_opcode; /* copied from data to save lookup */
^
linux/coda_psdev.h:19:2: error: unknown type name `wait_queue_head_t'
wait_queue_head_t uc_sleep; /* process' wait queue */
^
Link: http://lkml.kernel.org/r/9f99f5ce6a0563d5266e6cf7aa9585aac2cae971.1558117389.git.jaharkes@cs.cmu.edu
Signed-off-by: Mikko Rapeli <mikko.rapeli@iki.fi>
Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Fabian Frederick <fabf@skynet.be>
Cc: Sam Protsenko <semen.protsenko@linaro.org>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Cc: Zhouyang Jia <jiazhouyang09@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sam Protsenko [Tue, 16 Jul 2019 23:28:20 +0000 (16:28 -0700)]
coda: fix build using bare-metal toolchain
[ Upstream commit
b2a57e334086602be56b74958d9f29b955cd157f ]
The kernel is self-contained project and can be built with bare-metal
toolchain. But bare-metal toolchain doesn't define __linux__. Because
of this u_quad_t type is not defined when using bare-metal toolchain and
codafs build fails. This patch fixes it by defining u_quad_t type
unconditionally.
Link: http://lkml.kernel.org/r/3cbb40b0a57b6f9923a9d67b53473c0b691a3eaa.1558117389.git.jaharkes@cs.cmu.edu
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Fabian Frederick <fabf@skynet.be>
Cc: Mikko Rapeli <mikko.rapeli@iki.fi>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Cc: Zhouyang Jia <jiazhouyang09@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zhouyang Jia [Tue, 16 Jul 2019 23:28:13 +0000 (16:28 -0700)]
coda: add error handling for fget
[ Upstream commit
02551c23bcd85f0c68a8259c7b953d49d44f86af ]
When fget fails, the lack of error-handling code may cause unexpected
results.
This patch adds error-handling code after calling fget.
Link: http://lkml.kernel.org/r/2514ec03df9c33b86e56748513267a80dd8004d9.1558117389.git.jaharkes@cs.cmu.edu
Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Fabian Frederick <fabf@skynet.be>
Cc: Mikko Rapeli <mikko.rapeli@iki.fi>
Cc: Sam Protsenko <semen.protsenko@linaro.org>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Doug Berger [Tue, 16 Jul 2019 23:26:24 +0000 (16:26 -0700)]
mm/cma.c: fail if fixed declaration can't be honored
[ Upstream commit
c633324e311243586675e732249339685e5d6faa ]
The description of cma_declare_contiguous() indicates that if the
'fixed' argument is true the reserved contiguous area must be exactly at
the address of the 'base' argument.
However, the function currently allows the 'base', 'size', and 'limit'
arguments to be silently adjusted to meet alignment constraints. This
commit enforces the documented behavior through explicit checks that
return an error if the region does not fit within a specified region.
Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com
Fixes:
5ea3b1b2f8ad ("cma: add placement specifier for "cma=" kernel parameter")
Signed-off-by: Doug Berger <opendmb@gmail.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Cc: Yue Hu <huyue2@yulong.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Arnd Bergmann [Fri, 12 Jul 2019 09:08:05 +0000 (11:08 +0200)]
x86: math-emu: Hide clang warnings for 16-bit overflow
[ Upstream commit
29e7e9664aec17b94a9c8c5a75f8d216a206aa3a ]
clang warns about a few parts of the math-emu implementation
where a 16-bit integer becomes negative during assignment:
arch/x86/math-emu/poly_tan.c:88:35: error: implicit conversion from 'int' to 'short' changes value from 49216 to -16320 [-Werror,-Wconstant-conversion]
(0x41 + EXTENDED_Ebias) | SIGN_Negative);
~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~
arch/x86/math-emu/fpu_emu.h:180:58: note: expanded from macro 'setexponent16'
#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
~ ^
arch/x86/math-emu/reg_constant.c:37:32: error: implicit conversion from 'int' to 'short' changes value from 49085 to -16451 [-Werror,-Wconstant-conversion]
FPU_REG const CONST_PI2extra = MAKE_REG(NEG, -66,
^~~~~~~~~~~~~~~~~~
arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
arch/x86/math-emu/reg_constant.c:48:28: error: implicit conversion from 'int' to 'short' changes value from 65535 to -1 [-Werror,-Wconstant-conversion]
FPU_REG const CONST_QNaN = MAKE_REG(NEG, EXP_OVER, 0x00000000, 0xC0000000);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
The code is correct as is, so add a typecast to shut up the warnings.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190712090816.350668-1-arnd@arndb.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
Qian Cai [Mon, 8 Jul 2019 21:36:45 +0000 (17:36 -0400)]
x86/apic: Silence -Wtype-limits compiler warnings
[ Upstream commit
ec6335586953b0df32f83ef696002063090c7aef ]
There are many compiler warnings like this,
In file included from ./arch/x86/include/asm/smp.h:13,
from ./arch/x86/include/asm/mmzone_64.h:11,
from ./arch/x86/include/asm/mmzone.h:5,
from ./include/linux/mmzone.h:969,
from ./include/linux/gfp.h:6,
from ./include/linux/mm.h:10,
from arch/x86/kernel/apic/io_apic.c:34:
arch/x86/kernel/apic/io_apic.c: In function 'check_timer':
./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
expression >= 0 is always true [-Wtype-limits]
if ((v) <= apic_verbosity) \
^~
arch/x86/kernel/apic/io_apic.c:2160:2: note: in expansion of macro
'apic_printk'
apic_printk(APIC_QUIET, KERN_INFO "..TIMER: vector=0x%02X "
^~~~~~~~~~~
./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
expression >= 0 is always true [-Wtype-limits]
if ((v) <= apic_verbosity) \
^~
arch/x86/kernel/apic/io_apic.c:2207:4: note: in expansion of macro
'apic_printk'
apic_printk(APIC_QUIET, KERN_ERR "..MP-BIOS bug: "
^~~~~~~~~~~
APIC_QUIET is 0, so silence them by making apic_verbosity type int.
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/1562621805-24789-1-git-send-email-cai@lca.pw
Signed-off-by: Sasha Levin <sashal@kernel.org>
Benjamin Poirier [Tue, 16 Jul 2019 08:16:55 +0000 (17:16 +0900)]
be2net: Signal that the device cannot transmit during reconfiguration
[ Upstream commit
7429c6c0d9cb086d8e79f0d2a48ae14851d2115e ]
While changing the number of interrupt channels, be2net stops adapter
operation (including netif_tx_disable()) but it doesn't signal that it
cannot transmit. This may lead dev_watchdog() to falsely trigger during
that time.
Add the missing call to netif_carrier_off(), following the pattern used in
many other drivers. netif_carrier_on() is already taken care of in
be_open().
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Arnd Bergmann [Fri, 12 Jul 2019 09:01:21 +0000 (11:01 +0200)]
ACPI: fix false-positive -Wuninitialized warning
[ Upstream commit
dfd6f9ad36368b8dbd5f5a2b2f0a4705ae69a323 ]
clang gets confused by an uninitialized variable in what looks
to it like a never executed code path:
arch/x86/kernel/acpi/boot.c:618:13: error: variable 'polarity' is uninitialized when used here [-Werror,-Wuninitialized]
polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
^~~~~~~~
arch/x86/kernel/acpi/boot.c:606:32: note: initialize the variable 'polarity' to silence this warning
int rc, irq, trigger, polarity;
^
= 0
arch/x86/kernel/acpi/boot.c:617:12: error: variable 'trigger' is uninitialized when used here [-Werror,-Wuninitialized]
trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
^~~~~~~
arch/x86/kernel/acpi/boot.c:606:22: note: initialize the variable 'trigger' to silence this warning
int rc, irq, trigger, polarity;
^
= 0
This is unfortunately a design decision in clang and won't be fixed.
Changing the acpi_get_override_irq() macro to an inline function
reliably avoids the issue.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Benjamin Block [Tue, 2 Jul 2019 21:02:02 +0000 (23:02 +0200)]
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
[ Upstream commit
484647088826f2f651acbda6bcf9536b8a466703 ]
GCC v9 emits this warning:
CC drivers/s390/scsi/zfcp_erp.o
drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_action_enqueue':
drivers/s390/scsi/zfcp_erp.c:217:26: warning: 'erp_action' may be used uninitialized in this function [-Wmaybe-uninitialized]
217 | struct zfcp_erp_action *erp_action;
| ^~~~~~~~~~
This is a possible false positive case, as also documented in the GCC
documentations:
https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized
The actual code-sequence is like this:
Various callers can invoke the function below with the argument "want"
being one of:
ZFCP_ERP_ACTION_REOPEN_ADAPTER,
ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
ZFCP_ERP_ACTION_REOPEN_PORT, or
ZFCP_ERP_ACTION_REOPEN_LUN.
zfcp_erp_action_enqueue(want, ...)
...
need = zfcp_erp_required_act(want, ...)
need = want
...
maybe: need = ZFCP_ERP_ACTION_REOPEN_PORT
maybe: need = ZFCP_ERP_ACTION_REOPEN_ADAPTER
...
return need
...
zfcp_erp_setup_act(need, ...)
struct zfcp_erp_action *erp_action; // <== line 217
...
switch(need) {
case ZFCP_ERP_ACTION_REOPEN_LUN:
...
erp_action = &zfcp_sdev->erp_action;
WARN_ON_ONCE(erp_action->port != port); // <== access
...
break;
case ZFCP_ERP_ACTION_REOPEN_PORT:
case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
...
erp_action = &port->erp_action;
WARN_ON_ONCE(erp_action->port != port); // <== access
...
break;
case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
...
erp_action = &adapter->erp_action;
WARN_ON_ONCE(erp_action->port != NULL); // <== access
...
break;
}
...
WARN_ON_ONCE(erp_action->adapter != adapter); // <== access
When zfcp_erp_setup_act() is called, 'need' will never be anything else
than one of the 4 possible enumeration-names that are used in the
switch-case, and 'erp_action' is initialized for every one of them, before
it is used. Thus the warning is a false positive, as documented.
We introduce the extra if{} in the beginning to create an extra code-flow,
so the compiler can be convinced that the switch-case will never see any
other value.
BUG_ON()/BUG() is intentionally not used to not crash anything, should
this ever happen anyway - right now it's impossible, as argued above; and
it doesn't introduce a 'default:' switch-case to retain warnings should
'enum zfcp_erp_act_type' ever be extended and no explicit case be
introduced. See also v5.0 commit
399b6c8bc9f7 ("scsi: zfcp: drop old
default switch case which might paper over missing case").
Signed-off-by: Benjamin Block <bblock@linux.ibm.com>
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Steffen Maier <maier@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Andrea Parri [Mon, 20 May 2019 17:23:58 +0000 (19:23 +0200)]
ceph: fix improper use of smp_mb__before_atomic()
[ Upstream commit
749607731e26dfb2558118038c40e9c0c80d23b5 ]
This barrier only applies to the read-modify-write operations; in
particular, it does not apply to the atomic64_set() primitive.
Replace the barrier with an smp_mb().
Fixes:
fdd4e15838e59 ("ceph: rework dcache readdir")
Reported-by: "Paul E. McKenney" <paulmck@linux.ibm.com>
Reported-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
David Sterba [Fri, 17 May 2019 09:43:13 +0000 (11:43 +0200)]
btrfs: fix minimum number of chunk errors for DUP
[ Upstream commit
0ee5f8ae082e1f675a2fb6db601c31ac9958a134 ]
The list of profiles in btrfs_chunk_max_errors lists DUP as a profile
DUP able to tolerate 1 device missing. Though this profile is special
with 2 copies, it still needs the device, unlike the others.
Looking at the history of changes, thre's no clear reason why DUP is
there, functions were refactored and blocks of code merged to one
helper.
d20983b40e828 Btrfs: fix writing data into the seed filesystem
- factor code to a helper
de11cc12df173 Btrfs: don't pre-allocate btrfs bio
- unrelated change, DUP still in the list with max errors 1
a236aed14ccb0 Btrfs: Deal with failed writes in mirrored configurations
- introduced the max errors, leaves DUP and RAID1 in the same group
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Russell King [Tue, 4 Jun 2019 13:50:14 +0000 (14:50 +0100)]
fs/adfs: super: fix use-after-free bug
[ Upstream commit
5808b14a1f52554de612fee85ef517199855e310 ]
Fix a use-after-free bug during filesystem initialisation, where we
access the disc record (which is stored in a buffer) after we have
released the buffer.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Geert Uytterhoeven [Mon, 24 Jun 2019 12:38:18 +0000 (14:38 +0200)]
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
[ Upstream commit
78efb76ab4dfb8f74f290ae743f34162cd627f19 ]
While the .device_prep_slave_sg() callback rejects empty scatterlists,
it still accepts single-entry scatterlists with a zero-length segment.
These may happen if a driver calls dmaengine_prep_slave_single() with a
zero len parameter. The corresponding DMA request will never complete,
leading to messages like:
rcar-dmac
e7300000.dma-controller: Channel Address Error happen
and DMA timeouts.
Although requesting a zero-length DMA request is a driver bug, rejecting
it early eases debugging. Note that the .device_prep_dma_memcpy()
callback already rejects requests to copy zero bytes.
Reported-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Analyzed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Petr Cvek [Thu, 20 Jun 2019 21:39:37 +0000 (23:39 +0200)]
MIPS: lantiq: Fix bitfield masking
[ Upstream commit
ba1bc0fcdeaf3bf583c1517bd2e3e29cf223c969 ]
The modification of EXIN register doesn't clean the bitfield before
the writing of a new value. After a few modifications the bitfield would
accumulate only '1's.
Signed-off-by: Petr Cvek <petrcvekcz@gmail.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: hauke@hauke-m.de
Cc: john@phrozen.org
Cc: linux-mips@vger.kernel.org
Cc: openwrt-devel@lists.openwrt.org
Cc: pakahmar@hotmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Prarit Bhargava [Wed, 29 May 2019 11:26:25 +0000 (07:26 -0400)]
kernel/module.c: Only return -EEXIST for modules that have finished loading
[ Upstream commit
6e6de3dee51a439f76eb73c22ae2ffd2c9384712 ]
Microsoft HyperV disables the X86_FEATURE_SMCA bit on AMD systems, and
linux guests boot with repeated errors:
amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
The warnings occur because the module code erroneously returns -EEXIST
for modules that have failed to load and are in the process of being
removed from the module list.
module amd64_edac_mod has a dependency on module edac_mce_amd. Using
modules.dep, systemd will load edac_mce_amd for every request of
amd64_edac_mod. When the edac_mce_amd module loads, the module has
state MODULE_STATE_UNFORMED and once the module load fails and the state
becomes MODULE_STATE_GOING. Another request for edac_mce_amd module
executes and add_unformed_module() will erroneously return -EEXIST even
though the previous instance of edac_mce_amd has MODULE_STATE_GOING.
Upon receiving -EEXIST, systemd attempts to load amd64_edac_mod, which
fails because of unknown symbols from edac_mce_amd.
add_unformed_module() must wait to return for any case other than
MODULE_STATE_LIVE to prevent a race between multiple loads of
dependent modules.
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Barret Rhoden <brho@google.com>
Cc: David Arcari <darcari@redhat.com>
Cc: Jessica Yu <jeyu@kernel.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Douglas Anderson [Tue, 21 May 2019 23:49:33 +0000 (16:49 -0700)]
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
[ Upstream commit
8ef1ba39a9fa53d2205e633bc9b21840a275908e ]
This is similar to commit
e6186820a745 ("arm64: dts: rockchip: Arch
counter doesn't tick in system suspend"). Specifically on the rk3288
it can be seen that the timer stops ticking in suspend if we end up
running through the "osc_disable" path in rk3288_slp_mode_set(). In
that path the 24 MHz clock will turn off and the timer stops.
To test this, I ran this on a Chrome OS filesystem:
before=$(date); \
suspend_stress_test -c1 --suspend_min=30 --suspend_max=31; \
echo ${before}; date
...and I found that unless I plug in a device that requests USB wakeup
to be active that the two calls to "date" would show that fewer than
30 seconds passed.
NOTE: deep suspend (where the 24 MHz clock gets disabled) isn't
supported yet on upstream Linux so this was tested on a downstream
kernel.
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Russell King [Thu, 2 May 2019 16:19:18 +0000 (17:19 +0100)]
ARM: riscpc: fix DMA
[ Upstream commit
ffd9a1ba9fdb7f2bd1d1ad9b9243d34e96756ba2 ]
DMA got broken a while back in two different ways:
1) a change in the behaviour of disable_irq() to wait for the interrupt
to finish executing causes us to deadlock at the end of DMA.
2) a change to avoid modifying the scatterlist left the first transfer
uninitialised.
DMA is only used with expansion cards, so has gone unnoticed.
Fixes:
fa4e99899932 ("[ARM] dma: RiscPC: don't modify DMA SG entries")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Manoj Prabhu B [Mon, 5 Aug 2019 08:44:18 +0000 (14:14 +0530)]
diag: dci: Prevent using uninitialized variables
Avoid using uninitialized variables by initializing to prevent
invalid behavior.
Change-Id: I5c04874d63f0250b84f4967d48f79e6b4b733bc1
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>