1. 21 Nov, 2017 15 commits
    • Douglas Fischer's avatar
      USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update · 1922d5a0
      Douglas Fischer authored
      commit 771394a5 upstream.
      
      Add USB PID/VID for Sierra Wireless EM7355 LTE modem QDL firmware update
      mode.
      Signed-off-by: default avatarDouglas Fischer <douglas.fischer@outlook.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1922d5a0
    • Lu Baolu's avatar
      USB: serial: Change DbC debug device binding ID · ff6b0502
      Lu Baolu authored
      commit 12f28144 upstream.
      
      The product ID for "Linux USB GDB Target device" has been
      changed. Change the driver binding table accordingly.
      
      This patch should be back-ported to kernels as old as v4.12,
      that contain the commit 57fb4727 ("usb/serial: Add DBC
      debug device support to usb_debug").
      
      Cc: Johan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff6b0502
    • Johan Hovold's avatar
      USB: serial: metro-usb: stop I/O after failed open · b55d4612
      Johan Hovold authored
      commit 2339536d upstream.
      
      Make sure to kill the interrupt-in URB after a failed open request.
      Apart from saving power (and avoiding stale input after a later
      successful open), this also prevents a NULL-deref in the completion
      handler if the port is manually unbound.
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Fixes: 70457786 ("USB: serial: metro-usb: get data from device in Uni-Directional mode.")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b55d4612
    • Andrew Gabbasov's avatar
      usb: gadget: f_fs: Fix use-after-free in ffs_free_inst · d74d5867
      Andrew Gabbasov authored
      commit cdafb6d8 upstream.
      
      KASAN enabled configuration reports an error
      
      BUG: KASAN: use-after-free in ffs_free_inst+... [usb_f_fs] at addr ...
      Write of size 8 by task ...
      
      This is observed after "ffs-test" is run and interrupted. If after that
      functionfs is unmounted and g_ffs module is unloaded, that use-after-free
      occurs during g_ffs module removal.
      
      Although the report indicates ffs_free_inst() function, the actual
      use-after-free condition occurs in _ffs_free_dev() function, which
      is probably inlined into ffs_free_inst().
      
      This happens due to keeping the ffs_data reference in device structure
      during functionfs unmounting, while ffs_data itself is freed as no longer
      needed. The fix is to clear that reference in ffs_closed() function,
      which is a counterpart of ffs_ready(), where the reference is stored.
      
      Fixes: 3262ad82 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference")
      Signed-off-by: default avatarAndrew Gabbasov <andrew_gabbasov@mentor.com>
      Acked-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d74d5867
    • Bernhard Rosenkraenzer's avatar
      USB: Add delay-init quirk for Corsair K70 LUX keyboards · 1e757758
      Bernhard Rosenkraenzer authored
      commit a0fea602 upstream.
      
      Without this patch, K70 LUX keyboards don't work, saying
      usb 3-3: unable to read config index 0 descriptor/all
      usb 3-3: can't read configurations, error -110
      usb usb3-port3: unable to enumerate USB device
      Signed-off-by: default avatarBernhard Rosenkraenzer <Bernhard.Rosenkranzer@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e757758
    • Alan Stern's avatar
      USB: usbfs: compute urb->actual_length for isochronous · 95b0ab9e
      Alan Stern authored
      commit 2ef47001 upstream.
      
      The USB kerneldoc says that the actual_length field "is read in
      non-iso completion functions", but the usbfs driver uses it for all
      URB types in processcompl().  Since not all of the host controller
      drivers set actual_length for isochronous URBs, programs using usbfs
      with some host controllers don't work properly.  For example, Minas
      reports that a USB camera controlled by libusb doesn't work properly
      with a dwc2 controller.
      
      It doesn't seem worthwhile to change the HCDs and the documentation,
      since the in-kernel USB class drivers evidently don't rely on
      actual_length for isochronous transfers.  The easiest solution is for
      usbfs to calculate the actual_length value for itself, by adding up
      the lengths of the individual packets in an isochronous transfer.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
      Reported-and-tested-by: default avatarwlf <wulf@rock-chips.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95b0ab9e
    • Lu Baolu's avatar
      USB: early: Use new USB product ID and strings for DbC device · 44efd1f1
      Lu Baolu authored
      commit c67678ec upstream.
      
      The DbC register set defines an interface for system software
      to specify the vendor id and product id for the debug device.
      These two values will be presented by the debug device in its
      device descriptor idVendor and idProduct fields.
      
      The current used product ID is a place holder. We now have a
      valid one. The description strings are changed accordingly.
      
      This patch should be back-ported to kernels as old as v4.12,
      that contain the commit aeb9dd1d ("usb/early: Add driver
      for xhci debug capability").
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44efd1f1
    • raveendra padasalagi's avatar
      crypto: brcm - Explicity ACK mailbox message · 7d53b8eb
      raveendra padasalagi authored
      commit f0e2ce58 upstream.
      
      Add support to explicity ACK mailbox message
      because after sending message we can know
      the send status via error attribute of brcm_message.
      
      This is needed to support "txdone_ack" supported in
      mailbox controller driver.
      
      Fixes: 9d12ba86 ("crypto: brcm - Add Broadcom SPU driver")
      Signed-off-by: default avatarRaveendra Padasalagi <raveendra.padasalagi@broadcom.com>
      Reviewed-by: default avatarAnup Patel <anup.patel@broadcom.com>
      Reviewed-by: default avatarScott Branden <scott.branden@broadcom.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d53b8eb
    • Eric Biggers's avatar
      crypto: dh - Don't permit 'key' or 'g' size longer than 'p' · 5e56be0e
      Eric Biggers authored
      commit ccd9888f upstream.
      
      The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied
      into a buffer with size 'p_size'.  However it was never checked that
      that was actually the case, which most likely allowed users to cause a
      buffer underflow via KEYCTL_DH_COMPUTE.
      
      Fix this by updating crypto_dh_decode_key() to verify this precondition
      for all DH implementations.
      
      Fixes: c9839143 ("crypto: qat - Add DH support")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e56be0e
    • Eric Biggers's avatar
      crypto: dh - Don't permit 'p' to be 0 · 716b9ea8
      Eric Biggers authored
      commit 199512b1 upstream.
      
      If 'p' is 0 for the software Diffie-Hellman implementation, then
      dh_max_size() returns 0.  In the case of KEYCTL_DH_COMPUTE, this causes
      ZERO_SIZE_PTR to be passed to sg_init_one(), which with
      CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in
      sg_set_buf().
      
      Fix this by making crypto_dh_decode_key() reject 0 for 'p'.  p=0 makes
      no sense for any DH implementation because 'p' is supposed to be a prime
      number.  Moreover, 'mod 0' is not mathematically defined.
      
      Bug report:
      
          kernel BUG at ./include/linux/scatterlist.h:140!
          invalid opcode: 0000 [#1] SMP KASAN
          CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
          task: ffff88006caac0c0 task.stack: ffff88006c7c8000
          RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline]
          RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156
          RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216
          RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee
          RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0
          RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30
          R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30
          R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50
          FS:  00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0
          Call Trace:
           __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360
           keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434
           SYSC_keyctl security/keys/keyctl.c:1745 [inline]
           SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
           entry_SYSCALL_64_fastpath+0x1f/0xbe
          RIP: 0033:0x4585c9
          RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa
          RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9
          RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017
          RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000
          R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde
          R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000
          Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20
          RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08
          RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08
      
      Fixes: 802c7f1c ("crypto: dh - Add DH software implementation")
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      716b9ea8
    • Eric Biggers's avatar
      crypto: dh - Fix double free of ctx->p · a37b2a1c
      Eric Biggers authored
      commit 12d41a02 upstream.
      
      When setting the secret with the software Diffie-Hellman implementation,
      if allocating 'g' failed (e.g. if it was longer than
      MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
      once later when the crypto_kpp tfm was destroyed.
      
      Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
      paths, as that correctly sets the pointers to NULL.
      
      KASAN report:
      
          MPI: mpi too large (32760 bits)
          ==================================================================
          BUG: KASAN: use-after-free in mpi_free+0x131/0x170
          Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
      
          CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
          Call Trace:
           dump_stack+0xb3/0x10b
           ? mpi_free+0x131/0x170
           print_address_description+0x79/0x2a0
           ? mpi_free+0x131/0x170
           kasan_report+0x236/0x340
           ? akcipher_register_instance+0x90/0x90
           __asan_report_load4_noabort+0x14/0x20
           mpi_free+0x131/0x170
           ? akcipher_register_instance+0x90/0x90
           dh_exit_tfm+0x3d/0x140
           crypto_kpp_exit_tfm+0x52/0x70
           crypto_destroy_tfm+0xb3/0x250
           __keyctl_dh_compute+0x640/0xe90
           ? kasan_slab_free+0x12f/0x180
           ? dh_data_from_key+0x240/0x240
           ? key_create_or_update+0x1ee/0xb20
           ? key_instantiate_and_link+0x440/0x440
           ? lock_contended+0xee0/0xee0
           ? kfree+0xcf/0x210
           ? SyS_add_key+0x268/0x340
           keyctl_dh_compute+0xb3/0xf1
           ? __keyctl_dh_compute+0xe90/0xe90
           ? SyS_add_key+0x26d/0x340
           ? entry_SYSCALL_64_fastpath+0x5/0xbe
           ? trace_hardirqs_on_caller+0x3f4/0x560
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
          RIP: 0033:0x43ccf9
          RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
          RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
          RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
          RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
          R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
          R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
      
          Allocated by task 367:
           save_stack_trace+0x16/0x20
           kasan_kmalloc+0xeb/0x180
           kmem_cache_alloc_trace+0x114/0x300
           mpi_alloc+0x4b/0x230
           mpi_read_raw_data+0xbe/0x360
           dh_set_secret+0x1dc/0x460
           __keyctl_dh_compute+0x623/0xe90
           keyctl_dh_compute+0xb3/0xf1
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
      
          Freed by task 367:
           save_stack_trace+0x16/0x20
           kasan_slab_free+0xab/0x180
           kfree+0xb5/0x210
           mpi_free+0xcb/0x170
           dh_set_secret+0x2d7/0x460
           __keyctl_dh_compute+0x623/0xe90
           keyctl_dh_compute+0xb3/0xf1
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
      
      Fixes: 802c7f1c ("crypto: dh - Add DH software implementation")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a37b2a1c
    • Andrey Konovalov's avatar
      media: dib0700: fix invalid dvb_detach argument · 75d9dd29
      Andrey Konovalov authored
      commit eb0c1994 upstream.
      
      dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer
      to a function. Right now a pointer to state->dib7000p_ops is passed to
      dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by
      syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead.
      
      ------------[ cut here ]------------
      kernel BUG at kernel/module.c:1081!
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN
      Modules linked in:
      CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G        W
      4.14.0-rc1-42251-gebb2c243 #224
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Workqueue: usb_hub_wq hub_event
      task: ffff88006a336300 task.stack: ffff88006a7c8000
      RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083
      RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000
      RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190
      RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4
      R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180
      R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000
      FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0
      Call Trace:
       stk7070p_frontend_attach+0x515/0x610
      drivers/media/usb/dvb-usb/dib0700_devices.c:1013
       dvb_usb_adapter_frontend_init+0x32b/0x660
      drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
       dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
       dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
       dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
       dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886
       usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
       really_probe drivers/base/dd.c:413
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
       device_add+0xd0b/0x1660 drivers/base/core.c:1835
       usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
       generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
       usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
       really_probe drivers/base/dd.c:413
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
       device_add+0xd0b/0x1660 drivers/base/core.c:1835
       usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
       hub_port_connect drivers/usb/core/hub.c:4903
       hub_port_connect_change drivers/usb/core/hub.c:5009
       port_event drivers/usb/core/hub.c:5115
       hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
       process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
       worker_thread+0x221/0x1850 kernel/workqueue.c:2253
       kthread+0x3a1/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8
      de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f>
      0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
      RIP: symbol_put_addr+0x54/0x60 RSP: ffff88006a7ce210
      ---[ end trace b75b357739e7e116 ]---
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      75d9dd29
    • Arvind Yadav's avatar
      media: imon: Fix null-ptr-deref in imon_probe · 16edf1a6
      Arvind Yadav authored
      commit 58fd55e8 upstream.
      
      It seems that the return value of usb_ifnum_to_if() can be NULL and
      needs to be checked.
      Signed-off-by: default avatarArvind Yadav <arvind.yadav.cs@gmail.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16edf1a6
    • Adam Wallis's avatar
      dmaengine: dmatest: warn user when dma test times out · 34c45c1e
      Adam Wallis authored
      commit a9df21e3 upstream.
      
      Commit adfa543e ("dmatest: don't use set_freezable_with_signal()")
      introduced a bug (that is in fact documented by the patch commit text)
      that leaves behind a dangling pointer. Since the done_wait structure is
      allocated on the stack, future invocations to the DMATEST can produce
      undesirable results (e.g., corrupted spinlocks). Ideally, this would be
      cleaned up in the thread handler, but at the very least, the kernel
      is left in a very precarious scenario that can lead to some long debug
      sessions when the crash comes later.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197605Signed-off-by: default avatarAdam Wallis <awallis@codeaurora.org>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34c45c1e
    • Qiuxu Zhuo's avatar
      EDAC, sb_edac: Don't create a second memory controller if HA1 is not present · 5806ddd7
      Qiuxu Zhuo authored
      commit 15cc3ae0 upstream.
      
      Yi Zhang reported the following failure on a 2-socket Haswell (E5-2603v3)
      server (DELL PowerEdge 730xd):
      
        EDAC sbridge: Some needed devices are missing
        EDAC MC: Removed device 0 for sb_edac.c Haswell SrcID#0_Ha#0: DEV 0000:7f:12.0
        EDAC MC: Removed device 1 for sb_edac.c Haswell SrcID#1_Ha#0: DEV 0000:ff:12.0
        EDAC sbridge: Couldn't find mci handler
        EDAC sbridge: Couldn't find mci handler
        EDAC sbridge: Failed to register device with error -19.
      
      The refactored sb_edac driver creates the IMC1 (the 2nd memory
      controller) if any IMC1 device is present. In this case only
      HA1_TA of IMC1 was present, but the driver expected to find
      HA1/HA1_TM/HA1_TAD[0-3] devices too, leading to the above failure.
      
      The document [1] says the 'E5-2603 v3' CPU has 4 memory channels max. Yi
      Zhang inserted one DIMM per channel for each CPU, and did random error
      address injection test with this patch:
      
            4024  addresses fell in TOLM hole area
           12715  addresses fell in CPU_SrcID#0_Ha#0_Chan#0_DIMM#0
           12774  addresses fell in CPU_SrcID#0_Ha#0_Chan#1_DIMM#0
           12798  addresses fell in CPU_SrcID#0_Ha#0_Chan#2_DIMM#0
           12913  addresses fell in CPU_SrcID#0_Ha#0_Chan#3_DIMM#0
           12674  addresses fell in CPU_SrcID#1_Ha#0_Chan#0_DIMM#0
           12686  addresses fell in CPU_SrcID#1_Ha#0_Chan#1_DIMM#0
           12882  addresses fell in CPU_SrcID#1_Ha#0_Chan#2_DIMM#0
           12934  addresses fell in CPU_SrcID#1_Ha#0_Chan#3_DIMM#0
          106400  addresses were injected totally.
      
      The test result shows that all the 4 channels belong to IMC0 per CPU, so
      the server really only has one IMC per CPU.
      
      In the 1st page of chapter 2 in datasheet [2], it also says 'E5-2600 v3'
      implements either one or two IMCs. For CPUs with one IMC, IMC1 is not
      used and should be ignored.
      
      Thus, do not create a second memory controller if the key HA1 is absent.
      
      [1] http://ark.intel.com/products/83349/Intel-Xeon-Processor-E5-2603-v3-15M-Cache-1_60-GHz
      [2] https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/xeon-e5-v3-datasheet-vol-2.pdfReported-and-tested-by: default avatarYi Zhang <yizhan@redhat.com>
      Signed-off-by: default avatarQiuxu Zhuo <qiuxu.zhuo@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20170913104214.7325-1-qiuxu.zhuo@intel.com
      [ Massage commit message. ]
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5806ddd7
  2. 12 Nov, 2017 3 commits
    • Linus Torvalds's avatar
      Linux 4.14 · bebc6082
      Linus Torvalds authored
      bebc6082
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 152bbb43
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of small fixes:
      
         - make KGDB work again which got broken by the conversion of WARN()
           to #UD. The WARN fixup needs to run before the notifier callchain,
           otherwise KGDB tries to handle it and crashes.
      
         - disable KASAN in the ORC unwinder to prevent false positive KASAN
           warnings
      
         - prevent default mapping above 47bit when 5 level page tables are
           enabled
      
         - make the delay calibration optimization work correctly, which had
           the conditionals the wrong way around and was operating on data
           which was not yet updated.
      
         - remove the bogus X86_TRAP_BP trap init from the default IDT init
           table, which broke 32bit int3 handling by overwriting the correct
           int3 setup.
      
         - replace this_cpu* with boot_cpu_data access in the preemptible
           oprofile init code"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/debug: Handle warnings before the notifier chain, to fix KGDB crash
        x86/mm: Fix ELF_ET_DYN_BASE for 5-level paging
        x86/idt: Remove X86_TRAP_BP initialization in idt_setup_traps()
        x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
        x86/unwind: Disable KASAN checking in the ORC unwinder
        x86/smpboot: Make optimization of delay calibration work correctly
      152bbb43
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 69581c74
      Linus Torvalds authored
      Pull perf tool fixes from Thomas Gleixner:
       "A small set of fixes for perf tool:
      
         - synchronize the i915 drm header to avoid the 'out of date' warning
      
         - make sure that perf trace cleans up its temporary files on exit
      
         - unbreak the build with newer flex versions
      
         - add missing braces in the eBPF parsing rules"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tooling/headers: Sync the tools/include/uapi/drm/i915_drm.h UAPI header
        perf trace: Call machine__exit() at exit
        perf tools: Fix eBPF event specification parsing
        perf tools: Add "reject" option for parse-events.l
      69581c74
  3. 11 Nov, 2017 8 commits
  4. 10 Nov, 2017 14 commits
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.14-rc9' of git://github.com/ceph/ceph-client · ca916599
      Linus Torvalds authored
      Pull ceph gix from Ilya Dryomov:
       "Memory allocation flags fix, marked for stable"
      
      * tag 'ceph-for-4.14-rc9' of git://github.com/ceph/ceph-client:
        rbd: use GFP_NOIO for parent stat and data requests
      ca916599
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 60cfc98b
      Linus Torvalds authored
      Pull input layer updates from Dmitry Torokhov:
      
       - a new ACPI ID for Elan touchpad found in yet another Ideapad model
      
       - Synaptics RMI4 will allow binding to controllers reporting SMB
         version 3 (note that we are not adding any new ACPI IDs to the
         Synaptics PS/2 drover so unless user explicitly enables intertouch
         support there is no user-visible change)
      
       - a fixup to TSC 2004/5 touchscreen driver to mark input devices as
         "direct" to help userspace identify the type of device they are
         dealing with
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics-rmi4 - RMI4 can also use SMBUS version 3
        Input: tsc200x-core - set INPUT_PROP_DIRECT
        Input: elan_i2c - add ELAN060C to the ACPI table
      60cfc98b
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 5cf2360b
      Linus Torvalds authored
      Pull KVM fix from Radim Krčmář:
       "Fix PPC HV host crash that can occur as a result of resizing the guest
        hashed page table"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: PPC: Book3S HV: Fix exclusion between HPT resizing and other HPT updates
      5cf2360b
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.14_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · a579e949
      Linus Torvalds authored
      Pull MIPS fixes from James Hogan:
       "A final few MIPS fixes for 4.14:
      
         - fix BMIPS NULL pointer dereference (4.7)
      
         - fix AR7 early GPIO init allocation failure (3.19)
      
         - fix dead serial output on certain AR7 platforms (2.6.35)"
      
      * tag 'mips_fixes_4.14_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MIPS: AR7: Ensure that serial ports are properly set up
        MIPS: AR7: Defer registration of GPIO
        MIPS: BMIPS: Fix missing cbr address
      a579e949
    • Maciej W. Rozycki's avatar
      .mailmap: Add Maciej W. Rozycki's Imagination e-mail address · 085c17ff
      Maciej W. Rozycki authored
      Following my recent transition from Imagination Technologies to the=20
      reincarnated MIPS company add a .mailmap mapping for my work address,
      so that `scripts/get_maintainer.pl' gets it right for past commits.
      Signed-off-by: default avatarMaciej W. Rozycki <macro@mips.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      085c17ff
    • Linus Torvalds's avatar
      Revert "x86: CPU: Fix up "cpu MHz" in /proc/cpuinfo" · ea0ee339
      Linus Torvalds authored
      This reverts commit 941f5f0f.
      
      Sadly, it turns out that we really can't just do the cross-CPU IPI to
      all CPU's to get their proper frequencies, because it's much too
      expensive on systems with lots of cores.
      
      So we'll have to revert this for now, and revisit it using a smarter
      model (probably doing one system-wide IPI at open time, and doing all
      the frequency calculations in parallel).
      Reported-by: default avatarWANG Chao <chao.wang@ucloud.cn>
      Reported-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Rafael J Wysocki <rafael.j.wysocki@intel.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ea0ee339
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.14-rc9' of git://people.freedesktop.org/~airlied/linux · 3e81277a
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Last few patches to wrap up.
      
        Two i915 fixes that are on their way to stable, one vmware black
        screen bug, and one const patch that I was going to drop, but it was
        clearly a pretty safe one liner"
      
      * tag 'drm-fixes-for-v4.14-rc9' of git://people.freedesktop.org/~airlied/linux:
        drm/i915: Deconstruct struct sgt_dma initialiser
        drm/i915: Reject unknown syncobj flags
        drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
        drm/vmwgfx: constify vmw_fence_ops
      3e81277a
    • Marek Vasut's avatar
      can: ifi: Fix transmitter delay calculation · 4f711675
      Marek Vasut authored
      The CANFD transmitter delay calculation formula was updated in the
      latest software drop from IFI and improves the behavior of the IFI
      CANFD core during bitrate switching. Use the new formula to improve
      stability of the CANFD operation.
      Signed-off-by: default avatarMarek Vasut <marex@denx.de>
      Cc: Markus Marb <markus@marb.org>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      4f711675
    • Yuchung Cheng's avatar
      tcp: fix tcp_fastretrans_alert warning · 0eb96bf7
      Yuchung Cheng authored
      This patch fixes the cause of an WARNING indicatng TCP has pending
      retransmission in Open state in tcp_fastretrans_alert().
      
      The root cause is a bad interaction between path mtu probing,
      if enabled, and the RACK loss detection. Upong receiving a SACK
      above the sequence of the MTU probing packet, RACK could mark the
      probe packet lost in tcp_fastretrans_alert(), prior to calling
      tcp_simple_retransmit().
      
      tcp_simple_retransmit() only enters Loss state if it newly marks
      the probe packet lost. If the probe packet is already identified as
      lost by RACK, the sender remains in Open state with some packets
      marked lost and retransmitted. Then the next SACK would trigger
      the warning. The likely scenario is that the probe packet was
      lost due to its size or network congestion. The actual impact of
      this warning is small by potentially entering fast recovery an
      ACK later.
      
      The simple fix is always entering recovery (Loss) state if some
      packet is marked lost during path MTU probing.
      
      Fixes: a0370b3f ("tcp: enable RACK loss detection to trigger recovery")
      Reported-by: default avatarOleksandr Natalenko <oleksandr@natalenko.name>
      Reported-by: default avatarAlexei Starovoitov <alexei.starovoitov@gmail.com>
      Reported-by: default avatarRoman Gushchin <guro@fb.com>
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0eb96bf7
    • Eric Dumazet's avatar
      tcp: gso: avoid refcount_t warning from tcp_gso_segment() · 7ec318fe
      Eric Dumazet authored
      When a GSO skb of truesize O is segmented into 2 new skbs of truesize N1
      and N2, we want to transfer socket ownership to the new fresh skbs.
      
      In order to avoid expensive atomic operations on a cache line subject to
      cache bouncing, we replace the sequence :
      
      refcount_add(N1, &sk->sk_wmem_alloc);
      refcount_add(N2, &sk->sk_wmem_alloc); // repeated by number of segments
      
      refcount_sub(O, &sk->sk_wmem_alloc);
      
      by a single
      
      refcount_add(sum_of(N) - O, &sk->sk_wmem_alloc);
      
      Problem is :
      
      In some pathological cases, sum(N) - O might be a negative number, and
      syzkaller bot was apparently able to trigger this trace [1]
      
      atomic_t was ok with this construct, but we need to take care of the
      negative delta with refcount_t
      
      [1]
      refcount_t: saturated; leaking memory.
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 8404 at lib/refcount.c:77 refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 8404 Comm: syz-executor2 Not tainted 4.14.0-rc5-mm1+ #20
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:52
       panic+0x1e4/0x41c kernel/panic.c:183
       __warn+0x1c4/0x1e0 kernel/panic.c:546
       report_bug+0x211/0x2d0 lib/bug.c:183
       fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177
       do_trap_no_signal arch/x86/kernel/traps.c:211 [inline]
       do_trap+0x260/0x390 arch/x86/kernel/traps.c:260
       do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310
       invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
      RIP: 0010:refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
      RSP: 0018:ffff8801c606e3a0 EFLAGS: 00010282
      RAX: 0000000000000026 RBX: 0000000000001401 RCX: 0000000000000000
      RDX: 0000000000000026 RSI: ffffc900036fc000 RDI: ffffed0038c0dc68
      RBP: ffff8801c606e430 R08: 0000000000000001 R09: 0000000000000000
      R10: ffff8801d97f5eba R11: 0000000000000000 R12: ffff8801d5acf73c
      R13: 1ffff10038c0dc75 R14: 00000000ffffffff R15: 00000000fffff72f
       refcount_add+0x1b/0x60 lib/refcount.c:101
       tcp_gso_segment+0x10d0/0x16b0 net/ipv4/tcp_offload.c:155
       tcp4_gso_segment+0xd4/0x310 net/ipv4/tcp_offload.c:51
       inet_gso_segment+0x60c/0x11c0 net/ipv4/af_inet.c:1271
       skb_mac_gso_segment+0x33f/0x660 net/core/dev.c:2749
       __skb_gso_segment+0x35f/0x7f0 net/core/dev.c:2821
       skb_gso_segment include/linux/netdevice.h:3971 [inline]
       validate_xmit_skb+0x4ba/0xb20 net/core/dev.c:3074
       __dev_queue_xmit+0xe49/0x2070 net/core/dev.c:3497
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3538
       neigh_hh_output include/net/neighbour.h:471 [inline]
       neigh_output include/net/neighbour.h:479 [inline]
       ip_finish_output2+0xece/0x1460 net/ipv4/ip_output.c:229
       ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
       NF_HOOK_COND include/linux/netfilter.h:238 [inline]
       ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
       dst_output include/net/dst.h:459 [inline]
       ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
       ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
       tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1137
       tcp_write_xmit+0x663/0x4de0 net/ipv4/tcp_output.c:2341
       __tcp_push_pending_frames+0xa0/0x250 net/ipv4/tcp_output.c:2513
       tcp_push_pending_frames include/net/tcp.h:1722 [inline]
       tcp_data_snd_check net/ipv4/tcp_input.c:5050 [inline]
       tcp_rcv_established+0x8c7/0x18a0 net/ipv4/tcp_input.c:5497
       tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1460
       sk_backlog_rcv include/net/sock.h:909 [inline]
       __release_sock+0x124/0x360 net/core/sock.c:2264
       release_sock+0xa4/0x2a0 net/core/sock.c:2776
       tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462
       inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
       sock_sendmsg_nosec net/socket.c:632 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:642
       ___sys_sendmsg+0x31c/0x890 net/socket.c:2048
       __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138
      
      Fixes: 14afee4b ("net: convert sock.sk_wmem_alloc from atomic_t to refcount_t")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7ec318fe
    • Stephane Grosjean's avatar
      can: peak: Add support for new PCIe/M2 CAN FD interfaces · 4cbdd0ee
      Stephane Grosjean authored
      This adds support for the following PEAK-System CAN FD interfaces:
      
      PCAN-cPCIe FD         CAN FD Interface for cPCI Serial (2 or 4 channels)
      PCAN-PCIe/104-Express CAN FD Interface for PCIe/104-Express (1, 2 or 4 ch.)
      PCAN-miniPCIe FD      CAN FD Interface for PCIe Mini (1, 2 or 4 channels)
      PCAN-PCIe FD OEM      CAN FD Interface for PCIe OEM version (1, 2 or 4 ch.)
      PCAN-M.2              CAN FD Interface for M.2 (1 or 2 channels)
      
      Like the PCAN-PCIe FD interface, all of these boards run the same IP Core
      that is able to handle CAN FD (see also http://www.peak-system.com).
      Signed-off-by: default avatarStephane Grosjean <s.grosjean@peak-system.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      4cbdd0ee
    • Gerhard Bertelsmann's avatar
      can: sun4i: handle overrun in RX FIFO · 4dcf924c
      Gerhard Bertelsmann authored
      SUN4Is CAN IP has a 64 byte deep FIFO buffer. If the buffer is not
      drained fast enough (overrun) it's getting mangled. Already received
      frames are dropped - the data can't be restored.
      Signed-off-by: default avatarGerhard Bertelsmann <info@gerhard-bertelsmann.de>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      4dcf924c
    • Richard Schütz's avatar
      can: c_can: don't indicate triple sampling support for D_CAN · fb5f0b3e
      Richard Schütz authored
      The D_CAN controller doesn't provide a triple sampling mode, so don't set
      the CAN_CTRLMODE_3_SAMPLES flag in ctrlmode_supported. Currently enabling
      triple sampling is a no-op.
      Signed-off-by: default avatarRichard Schütz <rschuetz@uni-koblenz.de>
      Cc: linux-stable <stable@vger.kernel.org> # >= v3.6
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      fb5f0b3e
    • Alexander Shishkin's avatar
      x86/debug: Handle warnings before the notifier chain, to fix KGDB crash · b8347c21
      Alexander Shishkin authored
      Commit:
      
        9a93848f ("x86/debug: Implement __WARN() using UD0")
      
      turned warnings into UD0, but the fixup code only runs after the
      notify_die() chain. This is a problem, in particular, with kgdb,
      which kicks in as if it was a BUG().
      
      Fix this by running the fixup code before the notifier chain in
      the invalid op handler path.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Tested-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Acked-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Jason Wessel <jason.wessel@windriver.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Richard Weinberger <richard.weinberger@gmail.com>
      Cc: <stable@vger.kernel.org> # v4.12+
      Link: http://lkml.kernel.org/r/20170724100428.19173-1-alexander.shishkin@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      b8347c21