1. 30 Mar, 2017 40 commits
    • Marek Szyprowski's avatar
      iommu/exynos: Block SYSMMU while invalidating FLPD cache · 03d92bd5
      Marek Szyprowski authored
      commit 7d2aa6b8 upstream.
      
      Documentation specifies that SYSMMU should be in blocked state while
      performing TLB/FLPD cache invalidation, so add needed calls to
      sysmmu_block/unblock.
      
      Fixes: 66a7ed84 ("iommu/exynos: Apply workaround of caching fault page table entries")
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03d92bd5
    • Koos Vriezen's avatar
      iommu/vt-d: Fix NULL pointer dereference in device_to_iommu · b7d02d90
      Koos Vriezen authored
      commit 5003ae1e upstream.
      
      The function device_to_iommu() in the Intel VT-d driver
      lacks a NULL-ptr check, resulting in this oops at boot on
      some platforms:
      
       BUG: unable to handle kernel NULL pointer dereference at 00000000000007ab
       IP: [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
       PGD 0
      
       [...]
      
       Call Trace:
         ? find_or_alloc_domain.constprop.29+0x1a/0x300
         ? dw_dma_probe+0x561/0x580 [dw_dmac_core]
         ? __get_valid_domain_for_dev+0x39/0x120
         ? __intel_map_single+0x138/0x180
         ? intel_alloc_coherent+0xb6/0x120
         ? sst_hsw_dsp_init+0x173/0x420 [snd_soc_sst_haswell_pcm]
         ? mutex_lock+0x9/0x30
         ? kernfs_add_one+0xdb/0x130
         ? devres_add+0x19/0x60
         ? hsw_pcm_dev_probe+0x46/0xd0 [snd_soc_sst_haswell_pcm]
         ? platform_drv_probe+0x30/0x90
         ? driver_probe_device+0x1ed/0x2b0
         ? __driver_attach+0x8f/0xa0
         ? driver_probe_device+0x2b0/0x2b0
         ? bus_for_each_dev+0x55/0x90
         ? bus_add_driver+0x110/0x210
         ? 0xffffffffa11ea000
         ? driver_register+0x52/0xc0
         ? 0xffffffffa11ea000
         ? do_one_initcall+0x32/0x130
         ? free_vmap_area_noflush+0x37/0x70
         ? kmem_cache_alloc+0x88/0xd0
         ? do_init_module+0x51/0x1c4
         ? load_module+0x1ee9/0x2430
         ? show_taint+0x20/0x20
         ? kernel_read_file+0xfd/0x190
         ? SyS_finit_module+0xa3/0xb0
         ? do_syscall_64+0x4a/0xb0
         ? entry_SYSCALL64_slow_path+0x25/0x25
       Code: 78 ff ff ff 4d 85 c0 74 ee 49 8b 5a 10 0f b6 9b e0 00 00 00 41 38 98 e0 00 00 00 77 da 0f b6 eb 49 39 a8 88 00 00 00 72 ce eb 8f <41> f6 82 ab 07 00 00 04 0f 85 76 ff ff ff 0f b6 4d 08 88 0e 49
       RIP  [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
        RSP <ffffc90001457a78>
       CR2: 00000000000007ab
       ---[ end trace 16f974b6d58d0aad ]---
      
      Add the missing pointer check.
      
      Fixes: 1c387188 ("iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions")
      Signed-off-by: default avatarKoos Vriezen <koos.vriezen@gmail.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7d02d90
    • Ankur Arora's avatar
      xen/acpi: upload PM state from init-domain to Xen · fa477d80
      Ankur Arora authored
      commit 1914f0cd upstream.
      
      This was broken in commit cd979883 ("xen/acpi-processor:
      fix enabling interrupts on syscore_resume"). do_suspend (from
      xen/manage.c) and thus xen_resume_notifier never get called on
      the initial-domain at resume (it is if running as guest.)
      
      The rationale for the breaking change was that upload_pm_data()
      potentially does blocking work in syscore_resume(). This patch
      addresses the original issue by scheduling upload_pm_data() to
      execute in workqueue context.
      
      Cc: Stanislaw Gruszka <sgruszka@redhat.com>
      Based-on-patch-by: default avatarKonrad Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarAnkur Arora <ankur.a.arora@oracle.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa477d80
    • Alex Williamson's avatar
      vfio: Rework group release notifier warning · 8b0219e3
      Alex Williamson authored
      commit 65b1adeb upstream.
      
      The intent of the original warning is make sure that the mdev vendor
      driver has removed any group notifiers at the point where the group
      is closed by the user.  Theoretically this would be through an
      orderly shutdown where any devices are release prior to the group
      release.  We can't always count on an orderly shutdown, the user can
      close the group before the notifier can be removed or the user task
      might be killed.  We'd like to add this sanity test when the group is
      idle and the only references are from the devices within the group
      themselves, but we don't have a good way to do that.  Instead check
      both when the group itself is removed and when the group is opened.
      A bit later than we'd prefer, but better than the current over
      aggressive approach.
      
      Fixes: ccd46dba ("vfio: support notifier chain in vfio_group")
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Cc: Jike Song <jike.song@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b0219e3
    • Eric Biggers's avatar
      fscrypt: remove broken support for detecting keyring key revocation · 0d05871e
      Eric Biggers authored
      commit 1b53cf98 upstream.
      
      Filesystem encryption ostensibly supported revoking a keyring key that
      had been used to "unlock" encrypted files, causing those files to become
      "locked" again.  This was, however, buggy for several reasons, the most
      severe of which was that when key revocation happened to be detected for
      an inode, its fscrypt_info was immediately freed, even while other
      threads could be using it for encryption or decryption concurrently.
      This could be exploited to crash the kernel or worse.
      
      This patch fixes the use-after-free by removing the code which detects
      the keyring key having been revoked, invalidated, or expired.  Instead,
      an encrypted inode that is "unlocked" now simply remains unlocked until
      it is evicted from memory.  Note that this is no worse than the case for
      block device-level encryption, e.g. dm-crypt, and it still remains
      possible for a privileged user to evict unused pages, inodes, and
      dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
      simply unmounting the filesystem.  In fact, one of those actions was
      already needed anyway for key revocation to work even somewhat sanely.
      This change is not expected to break any applications.
      
      In the future I'd like to implement a real API for fscrypt key
      revocation that interacts sanely with ongoing filesystem operations ---
      waiting for existing operations to complete and blocking new operations,
      and invalidating and sanitizing key material and plaintext from the VFS
      caches.  But this is a hard problem, and for now this bug must be fixed.
      
      This bug affected almost all versions of ext4, f2fs, and ubifs
      encryption, and it was potentially reachable in any kernel configured
      with encryption support (CONFIG_EXT4_ENCRYPTION=y,
      CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
      CONFIG_UBIFS_FS_ENCRYPTION=y).  Note that older kernels did not use the
      shared fs/crypto/ code, but due to the potential security implications
      of this bug, it may still be worthwhile to backport this fix to them.
      
      Fixes: b7236e21 ("ext4 crypto: reorganize how we store keys in the inode")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Acked-by: default avatarMichael Halcrow <mhalcrow@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d05871e
    • Gary R Hook's avatar
      crypto: ccp - Assign DMA commands to the channel's CCP · f115bf08
      Gary R Hook authored
      commit 7c468447 upstream.
      
      The CCP driver generally uses a round-robin approach when
      assigning operations to available CCPs. For the DMA engine,
      however, the DMA mappings of the SGs are associated with a
      specific CCP. When an IOMMU is enabled, the IOMMU is
      programmed based on this specific device.
      
      If the DMA operations are not performed by that specific
      CCP then addressing errors and I/O page faults will occur.
      
      Update the CCP driver to allow a specific CCP device to be
      requested for an operation and use this in the DMA engine
      support.
      Signed-off-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f115bf08
    • Ryan Hsu's avatar
      ath10k: fix incorrect wlan_mac_base in qca6174_regs · c62625b6
      Ryan Hsu authored
      commit 6be3b6cc upstream.
      
      In the 'commit ebee76f7 ("ath10k: allow setting coverage class")',
      it inherits the design and the address offset from ath9k, but the address
      is not applicable to QCA6174, which leads to a random crash while doing the
      resume() operation, since the set_coverage_class.ops will be called from
      ieee80211_reconfig() when resume() (if the wow is not configured).
      
      Fix the incorrect address offset here to avoid the random crash.
      
      Verified on QCA6174/hw3.0 with firmware WLAN.RM.4.4-00022-QCARMSWPZ-2.
      
      kvalo: this also seems to fix a regression with firmware restart.
      
      Fixes: ebee76f7 ("ath10k: allow setting coverage class")
      Signed-off-by: default avatarRyan Hsu <ryanhsu@qca.qualcomm.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c62625b6
    • Brian Norris's avatar
      mwifiex: pcie: don't leak DMA buffers when removing · 2f69745c
      Brian Norris authored
      commit 4e841d3e upstream.
      
      When PCIe FLR support was added, much of the remove/release code for
      PCIe was migrated to ->down_dev(), but ->down_dev() is never called for
      device removal. Let's refactor the cleanup to be done in both cases.
      
      Also, drop the comments above mwifiex_cleanup_pcie(), because they were
      clearly wrong, and it's better to have clear and obvious code than to
      detail the code steps in comments anyway.
      
      Fixes: 4c5dae59 ("mwifiex: add PCIe function level reset support")
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f69745c
    • Chen-Yu Tsai's avatar
      clk: sunxi-ng: mp: Adjust parent rate for pre-dividers · ad3b48d3
      Chen-Yu Tsai authored
      commit ac8616e4 upstream.
      
      The MP style clocks support an mux with pre-dividers. While the driver
      correctly accounted for them in the .determine_rate callback, it did
      not in the .recalc_rate and .set_rate callbacks.
      
      This means when calculating the factors in the .set_rate callback, they
      would be off by a factor of the active pre-divider. Same goes for
      reading back the clock rate after it is set.
      
      Fixes: 2ab836db ("clk: sunxi-ng: Add M-P factor clock support")
      Signed-off-by: default avatarChen-Yu Tsai <wens@csie.org>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad3b48d3
    • Chen-Yu Tsai's avatar
      clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module clock · 9300e322
      Chen-Yu Tsai authored
      commit 9ad0bb39 upstream.
      
      The enable bit offset for the hdmi-ddc module clock is wrong. It is
      pointing to the main hdmi module clock enable bit.
      Reported-by: default avatarBob Ham <rah@settrans.net>
      Fixes: c6e6c96d ("clk: sunxi-ng: Add A31/A31s clocks")
      Signed-off-by: default avatarChen-Yu Tsai <wens@csie.org>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9300e322
    • Prarit Bhargava's avatar
      hwrng: geode - Revert managed API changes · 76b5eb51
      Prarit Bhargava authored
      commit 8c75704e upstream.
      
      After commit e9afc746 ("hwrng: geode - Use linux/io.h instead of
      asm/io.h") the geode-rng driver uses devres with pci_dev->dev to keep
      track of resources, but does not actually register a PCI driver.  This
      results in the following issues:
      
      1.  The driver leaks memory because the driver does not attach to a
      device.  The driver only uses the PCI device as a reference.   devm_*()
      functions will release resources on driver detach, which the geode-rng
      driver will never do.  As a result,
      
      2.  The driver cannot be reloaded because there is always a use of the
      ioport and region after the first load of the driver.
      
      Revert the changes made by  e9afc746 ("hwrng: geode - Use linux/io.h
      instead of asm/io.h").
      Signed-off-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Fixes: 6e9b5e76 ("hwrng: geode - Migrate to managed API")
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: Corentin LABBE <clabbe.montjoie@gmail.com>
      Cc: PrasannaKumar Muralidharan <prasannatsmkumar@gmail.com>
      Cc: Wei Yongjun <weiyongjun1@huawei.com>
      Cc: linux-crypto@vger.kernel.org
      Cc: linux-geode@lists.infradead.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76b5eb51
    • Prarit Bhargava's avatar
      hwrng: amd - Revert managed API changes · 9b35f163
      Prarit Bhargava authored
      commit 69db7009 upstream.
      
      After commit 31b2a73c ("hwrng: amd - Migrate to managed API"), the
      amd-rng driver uses devres with pci_dev->dev to keep track of resources,
      but does not actually register a PCI driver.  This results in the
      following issues:
      
      1. The message
      
      WARNING: CPU: 2 PID: 621 at drivers/base/dd.c:349 driver_probe_device+0x38c
      
      is output when the i2c_amd756 driver loads and attempts to register a PCI
      driver.  The PCI & device subsystems assume that no resources have been
      registered for the device, and the WARN_ON() triggers since amd-rng has
      already do so.
      
      2.  The driver leaks memory because the driver does not attach to a
      device.  The driver only uses the PCI device as a reference.   devm_*()
      functions will release resources on driver detach, which the amd-rng
      driver will never do.  As a result,
      
      3.  The driver cannot be reloaded because there is always a use of the
      ioport and region after the first load of the driver.
      
      Revert the changes made by 31b2a73c ("hwrng: amd - Migrate to managed
      API").
      Signed-off-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Fixes: 31b2a73c ("hwrng: amd - Migrate to managed API").
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: Corentin LABBE <clabbe.montjoie@gmail.com>
      Cc: PrasannaKumar Muralidharan <prasannatsmkumar@gmail.com>
      Cc: Wei Yongjun <weiyongjun1@huawei.com>
      Cc: linux-crypto@vger.kernel.org
      Cc: linux-geode@lists.infradead.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b35f163
    • Adrian Hunter's avatar
      mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power · ce6c155a
      Adrian Hunter authored
      commit 027fb89e upstream.
      
      Disabling interrupts for even a millisecond can cause problems for some
      devices. That can happen when Intel host controllers wait for the present
      state to propagate.
      
      The spin lock is not necessary here. Anything that is racing with changes
      to the I/O state is already broken. The mmc core already provides
      synchronization via "claiming" the host.
      
      Although the spin lock probably should be removed from the code paths that
      lead to this point, such a patch would touch too much code to be suitable
      for stable trees. Consequently, for this patch, just drop the spin lock
      while waiting.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Tested-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce6c155a
    • Adrian Hunter's avatar
      mmc: sdhci: Do not disable interrupts while waiting for clock · f89c8a50
      Adrian Hunter authored
      commit e2ebfb21 upstream.
      
      Disabling interrupts for even a millisecond can cause problems for some
      devices. That can happen when sdhci changes clock frequency because it
      waits for the clock to become stable under a spin lock.
      
      The spin lock is not necessary here. Anything that is racing with changes
      to the I/O state is already broken. The mmc core already provides
      synchronization via "claiming" the host.
      
      Although the spin lock probably should be removed from the code paths that
      lead to this point, such a patch would touch too much code to be suitable
      for stable trees. Consequently, for this patch, just drop the spin lock
      while waiting.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Tested-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f89c8a50
    • Anssi Hannula's avatar
      mmc: sdhci-of-arasan: fix incorrect timeout clock · b821a0a5
      Anssi Hannula authored
      commit 16681037 upstream.
      
      sdhci_arasan_get_timeout_clock() divides the frequency it has with (1 <<
      (13 + divisor)).
      
      However, the divisor is not some Arasan-specific value, but instead is
      just the Data Timeout Counter Value from the SDHCI Timeout Control
      Register.
      
      Applying it here like this is wrong as the sdhci driver already takes
      that value into account when calculating timeouts, and in fact it *sets*
      that register value based on how long a timeout is wanted.
      
      Additionally, sdhci core interprets the .get_timeout_clock callback
      return value as if it were read from hardware registers, i.e. the unit
      should be kHz or MHz depending on SDHCI_TIMEOUT_CLK_UNIT capability bit.
      This bit is set at least on the tested Zynq-7000 SoC.
      
      With the tested hardware (SDHCI_TIMEOUT_CLK_UNIT set) this results in
      too high a timeout clock rate being reported, causing the core to use
      longer-than-needed timeouts. Additionally, on a partitioned MMC
      (therefore having erase_group_def bit set) mmc_calc_max_discard()
      disables discard support as it looks like controller does not support
      the long timeouts needed for that.
      
      Do not apply the extra divisor and return the timeout clock in the
      expected unit.
      
      Tested with a Zynq-7000 SoC and a partitioned Toshiba THGBMAG5A1JBAWR
      eMMC card.
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Fixes: e3ec3a3d ("mmc: arasan: Add driver for Arasan SDHCI")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b821a0a5
    • Romain Izard's avatar
      mmc: sdhci-of-at91: Support external regulators · 11641854
      Romain Izard authored
      commit 2ce0c7b6 upstream.
      
      The SDHCI controller in the SAMA5D2 chip requires a valid voltage set
      in the power control register, otherwise commands will fail with a
      timeout error.
      
      When using the regulator framework to specify the regulator used by the
      mmc device, the voltage is not configured, and it is not possible to use
      the connected device.
      
      Implement a custom 'set_power' function for this specific hardware, that
      configures the voltage in the register in all cases.
      Signed-off-by: default avatarRomain Izard <romain.izard.pro@gmail.com>
      Acked-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      11641854
    • Paul Moore's avatar
      audit: fix auditd/kernel connection state tracking · a0c48115
      Paul Moore authored
      commit 5b52330b upstream.
      
      What started as a rather straightforward race condition reported by
      Dmitry using the syzkaller fuzzer ended up revealing some major
      problems with how the audit subsystem managed its netlink sockets and
      its connection with the userspace audit daemon.  Fixing this properly
      had quite the cascading effect and what we are left with is this rather
      large and complicated patch.  My initial goal was to try and decompose
      this patch into multiple smaller patches, but the way these changes
      are intertwined makes it difficult to split these changes into
      meaningful pieces that don't break or somehow make things worse for
      the intermediate states.
      
      The patch makes a number of changes, but the most significant are
      highlighted below:
      
      * The auditd tracking variables, e.g. audit_sock, are now gone and
      replaced by a RCU/spin_lock protected variable auditd_conn which is
      a structure containing all of the auditd tracking information.
      
      * We no longer track the auditd sock directly, instead we track it
      via the network namespace in which it resides and we use the audit
      socket associated with that namespace.  In spirit, this is what the
      code was trying to do prior to this patch (at least I think that is
      what the original authors intended), but it was done rather poorly
      and added a layer of obfuscation that only masked the underlying
      problems.
      
      * Big backlog queue cleanup, again.  In v4.10 we made some pretty big
      changes to how the audit backlog queues work, here we haven't changed
      the queue design so much as cleaned up the implementation.  Brought
      about by the locking changes, we've simplified kauditd_thread() quite
      a bit by consolidating the queue handling into a new helper function,
      kauditd_send_queue(), which allows us to eliminate a lot of very
      similar code and makes the looping logic in kauditd_thread() clearer.
      
      * All netlink messages sent to auditd are now sent via
      auditd_send_unicast_skb().  Other than just making sense, this makes
      the lock handling easier.
      
      * Change the audit_log_start() sleep behavior so that we never sleep
      on auditd events (unchanged) or if the caller is holding the
      audit_cmd_mutex (changed).  Previously we didn't sleep if the caller
      was auditd or if the message type fell between a certain range; the
      type check was a poor effort of doing what the cmd_mutex check now
      does.  Richard Guy Briggs originally proposed not sleeping the
      cmd_mutex owner several years ago but his patch wasn't acceptable
      at the time.  At least the idea lives on here.
      
      * A problem with the lost record counter has been resolved.  Steve
      Grubb and I both happened to notice this problem and according to
      some quick testing by Steve, this problem goes back quite some time.
      It's largely a harmless problem, although it may have left some
      careful sysadmins quite puzzled.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0c48115
    • Nicholas Piggin's avatar
      powerpc/64s: Fix idle wakeup potential to clobber registers · 72c89fa6
      Nicholas Piggin authored
      commit 6d98ce0b upstream.
      
      We concluded there may be a window where the idle wakeup code could get
      to pnv_wakeup_tb_loss() (which clobbers non-volatile GPRs), but the
      hardware may set SRR1[46:47] to 01b (no state loss) which would result
      in the wakeup code failing to restore non-volatile GPRs.
      
      I was not able to trigger this condition with trivial tests on real
      hardware or simulator, but the ISA (at least 2.07) seems to allow for
      it, and Gautham says that it can happen if there is an exception pending
      when the sleep/winkle instruction is executed.
      
      Fixes: 17065671 ("powerpc/kvm: make hypervisor state restore a function")
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Acked-by: default avatarGautham R. Shenoy <ego@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72c89fa6
    • Theodore Ts'o's avatar
      ext4: lock the xattr block before checksuming it · 35637b59
      Theodore Ts'o authored
      commit dac7a4b4 upstream.
      
      We must lock the xattr block before calculating or verifying the
      checksum in order to avoid spurious checksum failures.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=193661Reported-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      35637b59
    • Eric Biggers's avatar
      ext4: mark inode dirty after converting inline directory · 26512e52
      Eric Biggers authored
      commit b9cf625d upstream.
      
      If ext4_convert_inline_data() was called on a directory with inline
      data, the filesystem was left in an inconsistent state (as considered by
      e2fsck) because the file size was not increased to cover the new block.
      This happened because the inode was not marked dirty after i_disksize
      was updated.  Fix this by marking the inode dirty at the end of
      ext4_finish_convert_inline_dir().
      
      This bug was probably not noticed before because most users mark the
      inode dirty afterwards for other reasons.  But if userspace executed
      FS_IOC_SET_ENCRYPTION_POLICY with invalid parameters, as exercised by
      'kvm-xfstests -c adv generic/396', then the inode was never marked dirty
      after updating i_disksize.
      
      Fixes: 3c47d541Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      26512e52
    • Sudip Mukherjee's avatar
      ppdev: fix registering same device name · 76260279
      Sudip Mukherjee authored
      commit 9a69645d upstream.
      
      Usually every parallel port will have a single pardev registered with
      it. But ppdev driver is an exception. This userspace parallel port
      driver allows to create multiple parrallel port devices for a single
      parallel port. And as a result we were having a big warning like:
      "sysfs: cannot create duplicate filename '/devices/parport0/ppdev0.0'".
      And with that many parallel port printers stopped working.
      
      We have been using the minor number as the id field while registering
      a parralel port device with a parralel port. But when there are
      multiple parrallel port device for one single parallel port, they all
      tried to register with the same name like 'pardev0.0' and everything
      started failing.
      Use an incremented index as the id instead of the minor number.
      
      Fixes: 8b7d3a9d ("ppdev: use new parport device model")
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1414656
      Bugzilla: https://bugs.archlinux.org/task/52322Tested-by: default avatarJames Feeney <james@nurealm.net>
      Signed-off-by: default avatarSudip Mukherjee <sudip.mukherjee@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76260279
    • Sudip Mukherjee's avatar
      parport: fix attempt to write duplicate procfiles · f8155f4e
      Sudip Mukherjee authored
      commit 03270c6a upstream.
      
      Usually every parallel port will have a single pardev registered with
      it. But ppdev driver is an exception. This userspace parallel port
      driver allows to create multiple parrallel port devices for a single
      parallel port. And as a result we were having a nice warning like:
      "sysctl table check failed:
      /dev/parport/parport0/devices/ppdev0/timeslice Sysctl already exists"
      
      Use the same logic as used in parport_register_device() and register
      the proc files only once for each parallel port.
      
      Fixes: 6fa45a22 ("parport: add device-model to parport subsystem")
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1414656
      Bugzilla: https://bugs.archlinux.org/task/52322Tested-by: default avatarJames Feeney <james@nurealm.net>
      Signed-off-by: default avatarSudip Mukherjee <sudip.mukherjee@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8155f4e
    • Alexander Usyskin's avatar
      mei: don't wait for os version message reply · c3a22b5f
      Alexander Usyskin authored
      commit c6240cac upstream.
      
      The driver still struggles with firmwares that do not replay to the OS
      version request. It is safe not waiting for the replay. First, the driver
      doesn't do anything with the replay second the connection is closed
      immediately, hence the packet will be just safely discarded in case it
      is received and last the driver won't get stuck if the firmware won't
      reply.
      Signed-off-by: default avatarAlexander Usyskin <alexander.usyskin@intel.com>
      Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3a22b5f
    • Tomas Winkler's avatar
      mei: fix deadlock on mei reset · 0dc119af
      Tomas Winkler authored
      commit a733ded5 upstream.
      
      This patch fixes 'mei: synchronize irq before initiating a reset'
      The patch had introduced a deadlock between irq thread and mei_reset()
      as they are both holding the same device lock.
      
      ---> device_lock:
      	mei_reset()
                              <---- interrupt thread
      	                        device_lock
      ---> synchornize_irq()
             wait on interrupt thread == (dead lock)
      
      The fix is to call synchronize_irq
      prior to call locked mei_reset function.
      
      Fixes: f302bb0de6ac (mei: synchronize irq before initiating a reset)
      Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dc119af
    • Dmitry Torokhov's avatar
      iio: magnetometer: ak8974: remove incorrect __exit markups · bf1aedff
      Dmitry Torokhov authored
      commit 3ff861f5 upstream.
      
      Even if bus is not hot-pluggable, devices can be unbound from the
      driver via sysfs, so we should not be using __exit annotations on
      remove() methods. The only exception is drivers registered with
      platform_driver_probe() which specifically disables sysfs bind/unbind
      attributes.
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bf1aedff
    • Song Hongyan's avatar
      iio: hid-sensor-trigger: Change get poll value function order to avoid sensor... · 6c2aab07
      Song Hongyan authored
      iio: hid-sensor-trigger: Change get poll value function order to avoid sensor properties losing after resume from S3
      
      commit 3bec2474 upstream.
      
      In function _hid_sensor_power_state(), when hid_sensor_read_poll_value()
      is called, sensor's all properties will be updated by the value from
      sensor hardware/firmware.
      In some implementation, sensor hardware/firmware will do a power cycle
      during S3. In this case, after resume, once hid_sensor_read_poll_value()
      is called, sensor's all properties which are kept by driver during S3
      will be changed to default value.
      But instead, if a set feature function is called first, sensor
      hardware/firmware will be recovered to the last status. So change the
      sensor_hub_set_feature() calling order to behind of set feature function
      to avoid sensor properties lose.
      Signed-off-by: default avatarSong Hongyan <hongyan.song@intel.com>
      Acked-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      6c2aab07
    • Lars-Peter Clausen's avatar
      iio: sw-device: Fix config group initialization · 9323d92a
      Lars-Peter Clausen authored
      commit c42f8218 upstream.
      
      Use the IS_ENABLED() helper macro to ensure that the configfs group is
      initialized either when configfs is built-in or when configfs is built as a
      module. Otherwise software device creation will result in undefined
      behaviour when configfs is built as a module since the configfs group for
      the device not properly initialized.
      
      Similar to commit b2f0c096 ("iio: sw-trigger: Fix config group
      initialization").
      
      Fixes: 0f3a8c3f ("iio: Add support for creating IIO devices via configfs")
      Reported-by: default avatarMiguel Robles <miguel.robles@farole.net>
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Acked-by: default avatarDaniel Baluta <daniel.baluta@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9323d92a
    • Michael Engl's avatar
      iio: adc: ti_am335x_adc: fix fifo overrun recovery · a12d1ead
      Michael Engl authored
      commit e83bb3e6 upstream.
      
      The tiadc_irq_h(int irq, void *private) function is handling FIFO
      overruns by clearing flags, disabling and enabling the ADC to
      recover.
      
      If the ADC is running in continuous mode a FIFO overrun happens
      regularly. If the disabling of the ADC happens concurrently with
      a new conversion. It might happen that the enabling of the ADC
      is ignored by the hardware. This stops the ADC permanently. No
      more interrupts are triggered.
      
      According to the AM335x Reference Manual (SPRUH73H October 2011 -
      Revised April 2013 - Chapter 12.4 and 12.5) it is necessary to
      check the ADC FSM bits in REG_ADCFSM before enabling the ADC
      again. Because the disabling of the ADC is done right after the
      current conversion has been finished.
      
      To trigger this bug it is necessary to run the ADC in continuous
      mode. The ADC values of all channels need to be read in an endless
      loop. The bug appears within the first 6 hours (~5.4 million
      handled FIFO overruns). The user space application will hang on
      reading new values from the character device.
      
      Fixes: ca9a5638 ("iio: ti_am335x_adc: Add continuous sampling support")
      Signed-off-by: default avatarMichael Engl <michael.engl@wjw-solutions.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a12d1ead
    • Guenter Roeck's avatar
      mmc: core: Fix access to HS400-ES devices · f4004c87
      Guenter Roeck authored
      commit 773dc118 upstream.
      
      HS400-ES devices fail to initialize with the following error messages.
      
      mmc1: power class selection to bus width 8 ddr 0 failed
      mmc1: error -110 whilst initialising MMC card
      
      This was seen on Samsung Chromebook Plus. Code analysis points to
      commit 3d4ef329 ("mmc: core: fix multi-bit bus width without
      high-speed mode"), which attempts to set the bus width for all but
      HS200 devices unconditionally. However, for HS400-ES, the bus width
      is already selected.
      
      Cc: Anssi Hannula <anssi.hannula@bitwise.fi>
      Cc: Douglas Anderson <dianders@chromium.org>
      Cc: Brian Norris <briannorris@chromium.org>
      Fixes: 3d4ef329 ("mmc: core: fix multi-bit bus width ...")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarShawn Lin <shawn.lin@rock-chip.com>
      Tested-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4004c87
    • Johannes Berg's avatar
      nl80211: fix dumpit error path RTNL deadlocks · a56eba20
      Johannes Berg authored
      commit ea90e0dc upstream.
      
      Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out
      to be perfectly accurate - there are various error paths that miss unlock
      of the RTNL.
      
      To fix those, change the locking a bit to not be conditional in all those
      nl80211_prepare_*_dump() functions, but make those require the RTNL to
      start with, and fix the buggy error paths. This also let me use sparse
      (by appropriately overriding the rtnl_lock/rtnl_unlock functions) to
      validate the changes.
      Reported-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a56eba20
    • Johan Hovold's avatar
      mmc: ushc: fix NULL-deref at probe · f876c103
      Johan Hovold authored
      commit 181302dc upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: 53f3a9e2 ("mmc: USB SD Host Controller (USHC) driver")
      Cc: David Vrabel <david.vrabel@csr.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f876c103
    • Johan Hovold's avatar
      uwb: hwa-rc: fix NULL-deref at probe · 90c2bb66
      Johan Hovold authored
      commit daf229b1 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Note that the dereference happens in the start callback which is called
      during probe.
      
      Fixes: de520b8b ("uwb: add HWA radio controller driver")
      Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
      Cc: David Vrabel <david.vrabel@csr.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90c2bb66
    • Johan Hovold's avatar
      uwb: i1480-dfu: fix NULL-deref at probe · 05393cce
      Johan Hovold authored
      commit 4ce36271 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Note that the dereference happens in the cmd and wait_init_done
      callbacks which are called during probe.
      
      Fixes: 1ba47da5 ("uwb: add the i1480 DFU driver")
      Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
      Cc: David Vrabel <david.vrabel@csr.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05393cce
    • Johan Hovold's avatar
      USB: usbtmc: fix probe error path · bb486e80
      Johan Hovold authored
      commit 2e47c535 upstream.
      
      Make sure to initialise the return value to avoid having allocation
      failures going unnoticed when allocating interrupt-endpoint resources.
      
      This prevents use-after-free or worse when the device is later unbound.
      
      Fixes: dbf3e7f6 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
      Cc: Dave Penkler <dpenkler@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb486e80
    • Johan Hovold's avatar
      USB: usbtmc: add missing endpoint sanity check · ad1bbccd
      Johan Hovold authored
      commit 687e0687 upstream.
      
      USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
      but the driver failed to verify this, something which could lead to the
      endpoint addresses being taken from uninitialised memory.
      
      Make sure to zero all private data as part of allocation, and add the
      missing endpoint sanity check.
      
      Note that this also addresses a more recently introduced issue, where
      the interrupt-in-presence flag would also be uninitialised whenever the
      optional interrupt-in endpoint is not present. This in turn could lead
      to an interrupt urb being allocated, initialised and submitted based on
      uninitialised values.
      
      Fixes: dbf3e7f6 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
      Fixes: 5b775f67 ("USB: add USB test and measurement class driver")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad1bbccd
    • Guenter Roeck's avatar
      usb: hub: Fix crash after failure to read BOS descriptor · 9ec00274
      Guenter Roeck authored
      commit 7b2db29f upstream.
      
      If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
      Nevertheless, it is dereferenced unconditionally in
      hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
      This results in a crash.
      
      usb 5-1: unable to get BOS descriptor
      ...
      Unable to handle kernel NULL pointer dereference at virtual address 00000008
      pgd = ffffffc00165f000
      [00000008] *pgd=000000000174f003, *pud=000000000174f003,
      		*pmd=0000000001750003, *pte=00e8000001751713
      Internal error: Oops: 96000005 [#1] PREEMPT SMP
      Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
      CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G    B 4.4.52 #480
      Hardware name: Google Kevin (DT)
      Workqueue: events driver_set_config_work
      task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
      PC is at hub_port_init+0xc3c/0xd10
      LR is at hub_port_init+0xc3c/0xd10
      ...
      Call trace:
      [<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
      [<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
      [<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
      [<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
      [<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
      [<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
      [<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
      [<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
      [<ffffffc0007747ec>] __device_attach+0xd0/0x158
      [<ffffffc000775080>] device_initial_probe+0x24/0x30
      [<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
      [<ffffffc000770bd0>] device_add+0x414/0x738
      [<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
      [<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
      [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
      [<ffffffc00024abcc>] worker_thread+0x480/0x610
      [<ffffffc000251a80>] kthread+0x164/0x178
      [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
      
      Since we don't know anything about LPM capabilities without BOS descriptor,
      don't attempt to enable LPM if it is not available.
      
      Fixes: 890dae88 ("xhci: Enable LPM support only for hardwired ...")
      Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Acked-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ec00274
    • Bin Liu's avatar
      usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer · 9eae384a
      Bin Liu authored
      commit 0090114d upstream.
      
      The CPPI 4.1 driver polls register to workaround the premature TX
      interrupt issue, but it causes audio playback underrun when triggered in
      Isoch transfers.
      
      Isoch doesn't do back-to-back transfers, the TX should be done by the
      time the next transfer is scheduled. So skip this polling workaround for
      Isoch transfer.
      
      Fixes: a655f481 ("usb: musb: musb_cppi41: handle pre-mature TX complete interrupt")
      Reported-by: default avatarAlexandre Bailon <abailon@baylibre.com>
      Acked-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: default avatarAlexandre Bailon <abailon@baylibre.com>
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9eae384a
    • Johan Hovold's avatar
      USB: wusbcore: fix NULL-deref at probe · a769fe27
      Johan Hovold authored
      commit 03ace948 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory beyond the endpoint array should a
      malicious device lack the expected endpoints.
      
      This specifically fixes the NULL-pointer dereference when probing HWA HC
      devices.
      
      Fixes: df365423 ("wusb: add the Wire Adapter (WA) core")
      Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
      Cc: David Vrabel <david.vrabel@csr.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a769fe27
    • Johan Hovold's avatar
      USB: idmouse: fix NULL-deref at probe · bcf394ac
      Johan Hovold authored
      commit b0addd3f upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcf394ac
    • Johan Hovold's avatar
      USB: lvtest: fix NULL-deref at probe · f615aa74
      Johan Hovold authored
      commit 1dc56c52 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should the probed device lack endpoints.
      
      Note that this driver does not bind to any devices by default.
      
      Fixes: ce21bfe6 ("USB: Add LVS Test device driver")
      Cc: Pratyush Anand <pratyush.anand@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f615aa74