  28 Mar, 2015 (21 commits)
    • target/pscsi: Fix NULL pointer dereference in get_device_type · 4c23efb4
      Nicholas Bellinger authored
      [ Upstream commit 215a8fe4 ]
      
      This patch fixes a NULL pointer dereference OOPs with pSCSI backends
      within target_core_stat.c code.  The bug is caused by a configfs attr
      read if no pscsi_dev_virt->pdv_sd has been configured.
      Reported-by: Olaf Hering <olaf@aepfle.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • iscsi-target: Avoid early conn_logout_comp for iser connections · af8524b0
      Nicholas Bellinger authored
      [ Upstream commit f068fbc8 ]
      
      This patch fixes an iser specific logout bug where early complete()
      of conn->conn_logout_comp in iscsit_close_connection() was causing
      isert_wait4logout() to complete too soon, triggering a use after
      free NULL pointer dereference of iscsi_conn memory.
      
      The complete() was originally added for traditional iscsi-target
      when an ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given
      iser-target does not wait in logout failure, this special case needs
      to be avoided.
      Reported-by: Sagi Grimberg <sagig@mellanox.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Slava Shwartsman <valyushash@gmail.com>
      Cc: <stable@vger.kernel.org> # v3.10+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • target: Fix virtual LUN=0 target_configure_device failure OOPs · b54521a3
      Nicholas Bellinger authored
      [ Upstream commit 5f7da044 ]
      
      This patch fixes a NULL pointer dereference triggered by a late
      target_configure_device() -> alloc_workqueue() failure that results
      in target_free_device() being called with DF_CONFIGURED already set,
      which subsequently OOPses in destroy_workqueue() code.
      
      Currently this only happens at modprobe target_core_mod time when
      core_dev_setup_virtual_lun0() -> target_configure_device() fails,
      and the explicit target_free_device() gets called.
      
      To address this bug originally introduced by commit 0fd97ccf, go
      ahead and move DF_CONFIGURED to end of target_configure_device()
      code to handle this special failure case.
      Reported-by: Claudio Fleiner <cmf@daterainc.com>
      Cc: Claudio Fleiner <cmf@daterainc.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: <stable@vger.kernel.org> # v3.7+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • target: Fix reference leak in target_get_sess_cmd() error path · 6526d32f
      Bart Van Assche authored
      [ Upstream commit 7544e597 ]
      
      This patch fixes a se_cmd->cmd_kref leak bug when se_sess->sess_tearing_down
      is true within target_get_sess_cmd() submission path code.
      
      This se_cmd reference leak can occur during active session shutdown when
      ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers.
      Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
      Cc: <stable@vger.kernel.org> # 3.6+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • ARM: dts: am43xx-clocks: Fix ehrpwm tbclk data on am43xx · 5ef7008b
      Vignesh R authored
      [ Upstream commit 7d53d255 ]
      
      ehrpwm tbclk is wrongly modelled as deriving from dpll_per_m2_ck.
      The TRM says tbclk is derived from SYSCLKOUT. SYSCLKOUT is nothing but the
      functional clock of pwmss (l4ls_gclk).
      Fix this by changing source of ehrpwmx_tbclk to l4ls_gclk.
      
      Fixes: 4da1c677 ("add tbclk data for ehrpwm")
      Signed-off-by: Vignesh R <vigneshr@ti.com>
      Acked-by: Tero Kristo <t-kristo@ti.com>
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • ARM: dts: am33xx-clocks: Fix ehrpwm tbclk data on am33xx · 25d96d6b
      Vignesh R authored
      [ Upstream commit 6e22616e ]
      
      ehrpwm tbclk is wrongly modelled as deriving from dpll_per_m2_ck.
      The TRM says tbclk is derived from SYSCLKOUT. SYSCLKOUT is nothing but the
      functional clock of pwmss (l4ls_gclk).
      Fix this by changing source of ehrpwmx_tbclk to l4ls_gclk.
      
      Fixes: 9e100eba ("Fix ehrpwm tbclk data")
      Signed-off-by: Vignesh R <vigneshr@ti.com>
      Acked-by: Tero Kristo <t-kristo@ti.com>
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others · 07554817
      Ravikumar Kattekola authored
      [ Upstream commit d2192ea0 ]
      
      Fixes: ee6c7507 (ARM: dts: dra7 clock data)
      
      On DRA7x, for DPLL_IVA, the ref clock (CLKINP) is connected to sys_clk1 and
      the bypass input (CLKINPULOW) is connected to the iva_dpll_hs_clk_div clock.
      But the bypass input is not directly routed to bypass clkout instead
      both CLKINP and CLKINPULOW are connected to bypass clkout via a mux.
      
      This mux is controlled by the bit CM_CLKSEL_DPLL_IVA[23]:DPLL_BYP_CLKSEL,
      and its POR value is zero, which selects CLKINP as bypass clkout.
      This means iva_dpll_hs_clk_div is not the bypass clock for dpll_iva_ck.
      
      Fix this by adding another mux clock as parent in bypass mode.
      
      This design is common to most of the PLLs and the rest have only one bypass
      clock. Below is a list of the DPLLs that need this fix:
      
      DPLL_IVA, DPLL_DDR,
      DPLL_DSP, DPLL_EVE,
      DPLL_GMAC, DPLL_PER,
      DPLL_USB and DPLL_CORE
      Signed-off-by: Ravikumar Kattekola <rk@ti.com>
      Acked-by: Tero Kristo <t-kristo@ti.com>
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • ARM: at91: pm: fix at91rm9200 standby · d409e2e6
      Alexandre Belloni authored
      [ Upstream commit 84e87166 ]
      
      at91rm9200 standby and suspend to RAM have been broken since
      00482a40. It wrongly uses AT91_BASE_SYS, which is a physical address
      and actually doesn't correspond to any register on at91rm9200.
      
      Use the correct at91_ramc_base[0] instead.
      
      Fixes: 00482a40 (ARM: at91: implement the standby function for pm/cpuidle)
      Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • ARM: imx6qdl-sabresd: set swbst_reg as vbus's parent reg · 1e29f16a
      Peter Chen authored
      [ Upstream commit 40f73779 ]
      
      USB vbus 5V comes from the PMIC SWBST, so set swbst_reg as vbus's
      parent reg. This fixes a bug where the voltage of vbus is incorrect
      because swbst_reg is disabled after boot-up.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Peter Chen <peter.chen@freescale.com>
      Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • x86: numachip: Fix 16-bit APIC ID truncation · f8ac6343
      Daniel J Blueman authored
      [ Upstream commit 00e7977d ]
      
      Prevent 16-bit APIC IDs being truncated by using correct mask. This fixes
      booting large systems, where the wrong core would receive the startup and
      init IPIs, causing hanging.
      Signed-off-by: Daniel J Blueman <daniel@numascale.com>
      Cc: Steffen Persvold <sp@numascale.com>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Link: http://lkml.kernel.org/r/1415089784-28779-1-git-send-email-daniel@numascale.com
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • x86/vdso: Fix the build on GCC5 · ad927769
      Jiri Slaby authored
      [ Upstream commit e8932869 ]
      
      On gcc5 the kernel does not link:
      
        ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670.
      
      Because prior GCC versions always emitted NOPs on ALIGN directives, but
      gcc5 started omitting them.
      
      .LSTARTFDEDLSI1 says:
      
              /* HACK: The dwarf2 unwind routines will subtract 1 from the
                 return address to get an address in the middle of the
                 presumed call instruction.  Since we didn't get here via
                 a call, we need to include the nop before the real start
                 to make up for it.  */
              .long .LSTART_sigreturn-1-.     /* PC-relative start address */
      
      But commit 69d0627a ("x86 vDSO: reorder vdso32 code") from 2.6.25
      replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before
      __kernel_sigreturn.
      
      Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses
      vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN".
      
      So fix this by adding to that point at least a single NOP and make the
      function ALIGN possibly with more NOPs then.
      
      Kudos for reporting and diagnosing should go to Richard.
      Reported-by: Richard Biener <rguenther@suse.de>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Acked-by: Andy Lutomirski <luto@amacapital.net>
      Cc: <stable@vger.kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.cz
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • kvm: move advertising of KVM_CAP_IRQFD to common code · 9ab9ee7a
      Paolo Bonzini authored
      [ Upstream commit dc9be0fa ]
      
      POWER supports irqfds but forgot to advertise them.  Some userspace does
      not check for the capability, but others check it---thus they work on
      x86 and s390 but not POWER.
      
      To avoid that other architectures in the future make the same mistake, let
      common code handle KVM_CAP_IRQFD the same way as KVM_CAP_IRQFD_RESAMPLE.
      Reported-and-tested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
      Cc: stable@vger.kernel.org
      Fixes: 297e2105
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • x86/fpu: Drop_fpu() should not assume that tsk equals current · 1b6bd919
      Oleg Nesterov authored
      [ Upstream commit f4c36863 ]
      
      drop_fpu() does clear_used_math() and usually this is correct
      because tsk == current.
      
      However switch_fpu_finish()->restore_fpu_checking() is called before
      __switch_to() updates the "current_task" variable. If it fails,
      we will wrongly clear the PF_USED_MATH flag of the previous task.
      
      So use clear_stopped_child_used_math() instead.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Reviewed-by: Rik van Riel <riel@redhat.com>
      Cc: <stable@vger.kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pekka Riikonen <priikone@iki.fi>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Suresh Siddha <sbsiddha@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() · 1a29c27a
      Oleg Nesterov authored
      [ Upstream commit a7c80ebc ]
      
      math_state_restore() assumes it is called with irqs disabled,
      but this is not true if the caller is __restore_xstate_sig().
      
      This means that if ia32_fxstate == T and __copy_from_user()
      fails, __restore_xstate_sig() returns with irqs disabled too.
      
      This triggers:
      
        BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41
         dump_stack
         ___might_sleep
         ? _raw_spin_unlock_irqrestore
         __might_sleep
         down_read
         ? _raw_spin_unlock_irqrestore
         print_vma_addr
         signal_fault
         sys32_rt_sigreturn
      
      Change __restore_xstate_sig() to call set_used_math()
      unconditionally. This avoids enabling and disabling interrupts
      in math_state_restore(). If copy_from_user() fails, we can
      simply do fpu_finit() by hand.
      
      [ Note: this is only the first step. math_state_restore() should
              not check used_math(), it should set this flag. While
              init_fpu() should simply die. ]
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Cc: <stable@vger.kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pekka Riikonen <priikone@iki.fi>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Suresh Siddha <sbsiddha@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • crypto: aesni - fix memory usage in GCM decryption · 3b389956
      Stephan Mueller authored
      [ Upstream commit ccfe8c3f ]
      
      The kernel crypto API logic requires the caller to provide the
      length of (ciphertext || authentication tag) as cryptlen for the
      AEAD decryption operation. Thus, the cipher implementation must
      calculate the size of the plaintext output itself and cannot simply use
      cryptlen.
      
      The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
      in req->dst. As the destination buffer for decryption only needs to hold
      the plaintext memory but cryptlen references the input buffer holding
      (ciphertext || authentication tag), the assumption of the destination
      buffer length in RFC4106 GCM operation leads to a too large size. This
      patch simply uses the already calculated plaintext size.
      
      In addition, this patch fixes the offset calculation of the AAD buffer
      pointer: as mentioned before, cryptlen already includes the size of the
      tag. Thus, the tag does not need to be added. With the addition, the AAD
      will be written beyond the already allocated buffer.
      
      Note, this fixes a kernel crash that can be triggered from user space
      via AF_ALG(aead) -- simply use the libkcapi test application
      from [1] and update it to use rfc4106-gcm-aes.
      
      Using [1], the changes were tested using CAVS vectors to demonstrate
      that the crypto operation still delivers the right results.
      
      [1] http://www.chronox.de/libkcapi.html
      
      Cc: Tadeusz Struk <tadeusz.struk@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • crypto: arm/aes update NEON AES module to latest OpenSSL version · 73a115c5
      Ard Biesheuvel authored
      [ Upstream commit 001eabfd ]
      
      This updates the bit sliced AES module to the latest version in the
      upstream OpenSSL repository (e620e5ae37bc). This is needed to fix a
      bug in the XTS decryption path, where data chunked in a certain way
      could trigger the ciphertext stealing code, which is not supposed to
      be active in the kernel build (The kernel implementation of XTS only
      supports round multiples of the AES block size of 16 bytes, whereas
      the conformant OpenSSL implementation of XTS supports inputs of
      arbitrary size by applying ciphertext stealing). This is fixed in
      the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK
      around the offending instructions.
      
      The upstream code also contains the change applied by Russell to
      build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7,
      but implemented slightly differently.
      
      Cc: stable@vger.kernel.org
      Fixes: e4e7f10b ("ARM: add support for bit sliced AES using NEON instructions")
      Reported-by: Adrian Kotelba <adrian.kotelba@gmail.com>
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: Milan Broz <gmazyland@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • pagemap: do not leak physical addresses to non-privileged userspace · 1cd3d374
      Kirill A. Shutemov authored
      [ Upstream commit ab676b7d ]
      
      As pointed out by a recent post [1] on exploiting DRAM physical imperfections,
      /proc/PID/pagemap exposes sensitive information which can be used for
      attacks.
      
      This disallows anybody without CAP_SYS_ADMIN from reading the pagemap.
      
      [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
      
      [ Eventually we might want to do anything more finegrained, but for now
        this is the simple model.   - Linus ]
      Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
      Acked-by: Andy Lutomirski <luto@amacapital.net>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Mark Seaborn <mseaborn@chromium.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
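A defender's check for what the commit above enforces, written here as an added example (not code from the kernel or from this commit): it decodes /proc/self/pagemap entries using the documented bit layout and reports whether the running process can still see physical frame numbers. On kernels with this fix the open fails for unprivileged callers; from 4.2 onward the PFN field is instead zeroed, and both cases are treated as "not exposed". The names pagemap_decode and pagemap_audit_addr are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Entry layout per Documentation/vm/pagemap.txt: bits 0-54 PFN (if present),
 * bit 55 soft-dirty, bit 56 exclusively mapped, bit 61 file/shared-anon,
 * bit 62 swapped, bit 63 present. */
#define PAGEMAP_PFN_MASK   ((UINT64_C(1) << 55) - 1)
#define PAGEMAP_SWAPPED    (UINT64_C(1) << 62)
#define PAGEMAP_PRESENT    (UINT64_C(1) << 63)

/* Decoded view of one 64-bit pagemap entry. */
struct pagemap_entry {
    int present;
    int swapped;
    uint64_t pfn;   /* 0 when the page is not present or the kernel hides it */
};

struct pagemap_entry pagemap_decode(uint64_t raw)
{
    struct pagemap_entry e;
    e.present = (raw & PAGEMAP_PRESENT) != 0;
    e.swapped = (raw & PAGEMAP_SWAPPED) != 0;
    e.pfn = e.present ? (raw & PAGEMAP_PFN_MASK) : 0;
    return e;
}

/* Audit outcome for one virtual address. */
enum pagemap_audit {
    PAGEMAP_UNAVAILABLE = -1,  /* open/read refused, no procfs, or page not resident */
    PAGEMAP_PFN_HIDDEN  = 0,   /* page present but PFN reads as zero: nothing leaked */
    PAGEMAP_PFN_EXPOSED = 1    /* page present and a non-zero PFN came back */
};

/* Reads the pagemap entry for the page containing `addr` and classifies it.
 * Each virtual page has one 8-byte entry, indexed by virtual page number. */
enum pagemap_audit pagemap_audit_addr(const void *addr)
{
    long page_size = sysconf(_SC_PAGESIZE);
    if (page_size <= 0)
        return PAGEMAP_UNAVAILABLE;

    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return PAGEMAP_UNAVAILABLE;   /* e.g. -EPERM on kernels with this fix */

    off_t off = (off_t)((uintptr_t)addr / (uintptr_t)page_size) * (off_t)sizeof(uint64_t);
    uint64_t raw = 0;
    ssize_t n = pread(fd, &raw, sizeof raw, off);
    close(fd);
    if (n != (ssize_t)sizeof raw)
        return PAGEMAP_UNAVAILABLE;

    struct pagemap_entry e = pagemap_decode(raw);
    if (!e.present)
        return PAGEMAP_UNAVAILABLE;   /* not resident, so there is no PFN to judge */
    return e.pfn ? PAGEMAP_PFN_EXPOSED : PAGEMAP_PFN_HIDDEN;
}

int main(void)
{
    /* Touch a heap page so it is resident before looking it up. */
    char *buf = malloc(4096);
    if (!buf)
        return 1;
    memset(buf, 0xA5, 4096);

    switch (pagemap_audit_addr(buf)) {
    case PAGEMAP_PFN_EXPOSED:
        /* Root legitimately sees PFNs; for an unprivileged euid this is the leak. */
        printf("pagemap: PFNs readable (euid %u)%s\n", (unsigned)geteuid(),
               geteuid() == 0 ? ", expected for CAP_SYS_ADMIN" : ", kernel lacks the fix");
        break;
    case PAGEMAP_PFN_HIDDEN:
        puts("pagemap: page present, PFN zeroed for this process");
        break;
    default:
        puts("pagemap: not readable by this process (denied or unsupported)");
    }
    free(buf);
    return 0;
}
```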
    • irqchip: armada-370-xp: Fix chained per-cpu interrupts · 016958bf
      Maxime Ripard authored
      [ Upstream commit 5724be84 ]
      
      On the Cortex-A9-based Armada SoCs, the MPIC is not the primary interrupt
      controller. Yet, it still has to handle some per-cpu interrupt.
      
      To do so, it is chained with the GIC using a per-cpu interrupt. However, the
      current code only calls irq_set_chained_handler, which is called and enables that
      interrupt only on the boot CPU, which means that the parent per-CPU interrupt
      is never unmasked on the secondary CPUs, preventing the per-CPU interrupt from
      actually working as expected.
      
      This was not seen until now since the only MPIC PPI users were the Marvell
      timers, which were not working but not used either since the system uses the ARM
      TWD by default, and the ethernet controllers, which are faking their interrupts
      as SPI and don't really expect to have interrupts on the secondary cores
      anyway.
      
      Add a CPU notifier that will enable the PPI on the secondary cores when they
      are brought up.
      
      Cc: <stable@vger.kernel.org> # 3.15+
      Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
      Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
      Link: https://lkml.kernel.org/r/1425378443-28822-1-git-send-email-maxime.ripard@free-electrons.com
      Signed-off-by: Jason Cooper <jason@lakedaemon.net>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • PCI: Don't read past the end of sysfs "driver_override" buffer · a10f2890
      Sasha Levin authored
      [ Upstream commit 4efe874a ]
      
      When printing the driver_override parameter when it is 4095 or 4094 bytes
      long, the printing code would access invalid memory because we need count+1
      bytes for printing.
      
      Fixes: 782a985d ("PCI: Introduce new device binding path using pci_dev.driver_override")
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Acked-by: Alex Williamson <alex.williamson@redhat.com>
      Cc: stable@vger.kernel.org # v3.16+
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Alexander Graf <agraf@suse.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • libsas: Fix Kernel Crash in smp_execute_task · 89410138
      James Bottomley authored
      [ Upstream commit 6302ce4d ]
      
      This crash was reported:
      
      [  366.947370] sd 3:0:1:0: [sdb] Spinning up disk....
      [  368.804046] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  368.804072] IP: [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804098] PGD 0
      [  368.804114] Oops: 0002 [#1] SMP
      [  368.804143] CPU 1
      [  368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common
      [  368.804749]
      [  368.804764] Pid: 392, comm: kworker/u:3 Tainted: P        W  O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920
      [  368.804802] RIP: 0010:[<ffffffff81358457>]  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804827] RSP: 0018:ffff880117001cc0  EFLAGS: 00010246
      [  368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420
      [  368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4
      [  368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe
      [  368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4
      [  368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8
      [  368.804916] FS:  0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000
      [  368.804931] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0
      [  368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0)
      [  368.805009] Stack:
      [  368.805017]  ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c
      [  368.805062]  000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000
      [  368.805100]  ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac
      [  368.805135] Call Trace:
      [  368.805153]  [<ffffffff81056f7c>] ? up+0xb/0x33
      [  368.805168]  [<ffffffff813583ac>] ? mutex_lock+0x16/0x25
      [  368.805194]  [<ffffffffa018c414>] ? smp_execute_task+0x4e/0x222 [libsas]
      [  368.805217]  [<ffffffffa018ce1c>] ? sas_find_bcast_dev+0x3c/0x15d [libsas]
      [  368.805240]  [<ffffffffa018ce4f>] ? sas_find_bcast_dev+0x6f/0x15d [libsas]
      [  368.805264]  [<ffffffffa018e989>] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas]
      [  368.805280]  [<ffffffff81355a2a>] ? printk+0x43/0x48
      [  368.805296]  [<ffffffff81359a65>] ? _raw_spin_unlock_irqrestore+0xc/0xd
      [  368.805318]  [<ffffffffa018b767>] ? sas_revalidate_domain+0x85/0xb6 [libsas]
      [  368.805336]  [<ffffffff8104e5d9>] ? process_one_work+0x151/0x27c
      [  368.805351]  [<ffffffff8104f6cd>] ? worker_thread+0xbb/0x152
      [  368.805366]  [<ffffffff8104f612>] ? manage_workers.isra.29+0x163/0x163
      [  368.805382]  [<ffffffff81052c4e>] ? kthread+0x79/0x81
      [  368.805399]  [<ffffffff8135fea4>] ? kernel_thread_helper+0x4/0x10
      [  368.805416]  [<ffffffff81052bd5>] ? kthread_flush_work_fn+0x9/0x9
      [  368.805431]  [<ffffffff8135fea0>] ? gs_change+0x13/0x13
      [  368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41
      [  368.805851] RIP  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.805877]  RSP <ffff880117001cc0>
      [  368.805886] CR2: 0000000000000000
      [  368.805899] ---[ end trace b720682065d8f4cc ]---
      
      It's directly caused by 89d3cf6a [SCSI] libsas: add mutex for SMP task
      execution, but shows a deeper cause: expander functions expect to be able to
      cast to and treat domain devices as expanders.  The correct fix is to only do
      expander discover when we know we've got an expander device to avoid wrongly
      casting a non-expander device.
      Reported-by: Praveen Murali <pmurali@logicube.com>
      Tested-by: Praveen Murali <pmurali@logicube.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: James Bottomley <JBottomley@Parallels.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • gadgetfs: use-after-free in ->aio_read() · c81fc59b
      Al Viro authored
      [ Upstream commit f01d35a1 ]
      
      AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
      we are going to access it asynchronously, we'd better get ourselves
      a copy - the one on kernel stack of aio_run_iocb() won't be there
      anymore.  function/f_fs.c takes care of doing that, legacy/inode.c
      doesn't...
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>