1. 25 May, 2019 1 commit
  2. 21 May, 2019 39 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.9.178 · a5f56b52
      Greg Kroah-Hartman authored
      a5f56b52
    • Sean Christopherson's avatar
      KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes · 0dd8bef5
      Sean Christopherson authored
      commit 11988499 upstream.
      
      KVM allows userspace to violate consistency checks related to the
      guest's CPUID model to some degree.  Generally speaking, userspace has
      carte blanche when it comes to guest state so long as jamming invalid
      state won't negatively affect the host.
      
      Currently this is seems to be a non-issue as most of the interesting
      EFER checks are missing, e.g. NX and LME, but those will be added
      shortly.  Proactively exempt userspace from the CPUID checks so as not
      to break userspace.
      
      Note, the efer_reserved_bits check still applies to userspace writes as
      that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
      guest to run with NX=1 if it has been disabled in the host.
      
      Fixes: d8017474 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dd8bef5
    • Michał Wadowski's avatar
      ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug · 51776204
      Michał Wadowski authored
      commit 56df90b6 upstream.
      
      Add patch for realtek codec in Lenovo B50-70 that fixes inverted
      internal microphone channel.
      Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
      but first one is about fix the noise and it didn't seem help in a
      later kernel version.
      So I replaced IdeaPad Y410P device description with B50-70 and apply
      inverted microphone fix.
      
      Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215Signed-off-by: default avatarMichał Wadowski <wadosm@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      51776204
    • Lukas Czerner's avatar
      ext4: fix data corruption caused by overlapping unaligned and aligned IO · fa089775
      Lukas Czerner authored
      commit 57a0da28 upstream.
      
      Unaligned AIO must be serialized because the zeroing of partial blocks
      of unaligned AIO can result in data corruption in case it's overlapping
      another in flight IO.
      
      Currently we wait for all unwritten extents before we submit unaligned
      AIO which protects data in case of unaligned AIO is following overlapping
      IO. However if a unaligned AIO is followed by overlapping aligned AIO we
      can still end up corrupting data.
      
      To fix this, we must make sure that the unaligned AIO is the only IO in
      flight by waiting for unwritten extents conversion not just before the
      IO submission, but right after it as well.
      
      This problem can be reproduced by xfstest generic/538
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa089775
    • Sriram Rajagopalan's avatar
      ext4: zero out the unused memory region in the extent tree block · ab6d14e8
      Sriram Rajagopalan authored
      commit 592acbf1 upstream.
      
      This commit zeroes out the unused memory region in the buffer_head
      corresponding to the extent metablock after writing the extent header
      and the corresponding extent node entries.
      
      This is done to prevent random uninitialized data from getting into
      the filesystem when the extent block is synced.
      
      This fixes CVE-2019-11833.
      Signed-off-by: default avatarSriram Rajagopalan <sriramr@arista.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ab6d14e8
    • Jiufei Xue's avatar
      fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount · 54e35658
      Jiufei Xue authored
      commit ec084de9 upstream.
      
      synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb
      switch may not go to the workqueue after synchronize_rcu().  Thus
      previous scheduled switches was not finished even flushing the
      workqueue, which will cause a NULL pointer dereferenced followed below.
      
        VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds.  Have a nice day...
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000278
          evict+0xb3/0x180
          iput+0x1b0/0x230
          inode_switch_wbs_work_fn+0x3c0/0x6a0
          worker_thread+0x4e/0x490
          ? process_one_work+0x410/0x410
          kthread+0xe6/0x100
          ret_from_fork+0x39/0x50
      
      Replace the synchronize_rcu() call with a rcu_barrier() to wait for all
      pending callbacks to finish.  And inc isw_nr_in_flight after call_rcu()
      in inode_switch_wbs() to make more sense.
      
      Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.comSigned-off-by: default avatarJiufei Xue <jiufei.xue@linux.alibaba.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Suggested-by: default avatarTejun Heo <tj@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54e35658
    • Tejun Heo's avatar
      writeback: synchronize sync(2) against cgroup writeback membership switches · 1cfaba5b
      Tejun Heo authored
      commit 7fc5854f upstream.
      
      sync_inodes_sb() can race against cgwb (cgroup writeback) membership
      switches and fail to writeback some inodes.  For example, if an inode
      switches to another wb while sync_inodes_sb() is in progress, the new
      wb might not be visible to bdi_split_work_to_wbs() at all or the inode
      might jump from a wb which hasn't issued writebacks yet to one which
      already has.
      
      This patch adds backing_dev_info->wb_switch_rwsem to synchronize cgwb
      switch path against sync_inodes_sb() so that sync_inodes_sb() is
      guaranteed to see all the target wbs and inodes can't jump wbs to
      escape syncing.
      
      v2: Fixed misplaced rwsem init.  Spotted by Jiufei.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJiufei Xue <xuejiufei@gmail.com>
      Link: http://lkml.kernel.org/r/dc694ae2-f07f-61e1-7097-7c8411cee12d@gmail.comAcked-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cfaba5b
    • Greg Kroah-Hartman's avatar
      fib_rules: fix error in backport of e9919a24 ("fib_rules: return 0...") · d5c71a7c
      Greg Kroah-Hartman authored
      When commit e9919a24 ("fib_rules: return 0 directly if an exactly
      same rule exists when NLM_F_EXCL not supplied") was backported to 4.9.y,
      it changed the logic a bit as err should have been reset before exiting
      the test, like it happens in the original logic.
      
      If this is not set, errors happen :(
      Reported-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Reported-by: default avatarDavid Ahern <dsahern@gmail.com>
      Reported-by: default avatarFlorian Westphal <fw@strlen.de>
      Cc: Hangbin Liu <liuhangbin@gmail.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5c71a7c
    • Eric Biggers's avatar
      crypto: arm/aes-neonbs - don't access already-freed walk.iv · 7f9290f7
      Eric Biggers authored
      commit 767f015e upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't
      affected by this despite unconditionally accessing walk.iv.  However
      this is more subtle than desired, and it was actually broken prior to
      the alignmask being removed by commit cc477bf6 ("crypto: arm/aes -
      replace bit-sliced OpenSSL NEON code").  Thus, update xts-aes-neonbs to
      start checking the return value of skcipher_walk_virt().
      
      Fixes: e4e7f10b ("ARM: add support for bit sliced AES using NEON instructions")
      Cc: <stable@vger.kernel.org> # v3.13+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      7f9290f7
    • Eric Biggers's avatar
      crypto: salsa20 - don't access already-freed walk.iv · 91078439
      Eric Biggers authored
      commit edaf28e9 upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      salsa20-generic doesn't set an alignmask, so currently it isn't affected
      by this despite unconditionally accessing walk.iv.  However this is more
      subtle than desired, and it was actually broken prior to the alignmask
      being removed by commit b62b3db7 ("crypto: salsa20-generic - cleanup
      and convert to skcipher API").
      
      Since salsa20-generic does not update the IV and does not need any IV
      alignment, update it to use req->iv instead of walk.iv.
      
      Fixes: 2407d608 ("[CRYPTO] salsa20: Salsa20 stream cipher")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      91078439
    • Eric Biggers's avatar
      crypto: gcm - fix incompatibility between "gcm" and "gcm_base" · 62d629a5
      Eric Biggers authored
      commit f699594d upstream.
      
      GCM instances can be created by either the "gcm" template, which only
      allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base",
      which allows choosing the ctr and ghash implementations, e.g.
      "gcm_base(ctr(aes-generic),ghash-generic)".
      
      However, a "gcm_base" instance prevents a "gcm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "gcm".  This can be used as a denial of service.
      Moreover, "gcm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "gcm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "gcm_base" instances set the same cra_name as "gcm" instances, e.g.
      "gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)".
      
      This requires extracting the block cipher name from the name of the ctr
      algorithm.  It also requires starting to verify that the algorithms are
      really ctr and ghash, not something else entirely.  But it would be
      bizarre if anyone were actually using non-gcm-compatible algorithms with
      gcm_base, so this shouldn't break anyone in practice.
      
      Fixes: d00aa19b ("[CRYPTO] gcm: Allow block cipher parameter")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      62d629a5
    • Wei Yongjun's avatar
      crypto: gcm - Fix error return code in crypto_gcm_create_common() · 2f95ee0b
      Wei Yongjun authored
      commit 9b40f79c upstream.
      
      Fix to return error code -EINVAL from the invalid alg ivsize error
      handling case instead of 0, as done elsewhere in this function.
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f95ee0b
    • Kamlakant Patel's avatar
      ipmi:ssif: compare block number correctly for multi-part return messages · a2a2a146
      Kamlakant Patel authored
      commit 55be8658 upstream.
      
      According to ipmi spec, block number is a number that is incremented,
      starting with 0, for each new block of message data returned using the
      middle transaction.
      
      Here, the 'blocknum' is data[0] which always starts from zero(0) and
      'ssif_info->multi_pos' starts from 1.
      So, we need to add +1 to blocknum while comparing with multi_pos.
      
      Fixes: 7d6380cd ("ipmi:ssif: Fix handling of multi-part return messages").
      Reported-by: default avatarKiran Kolukuluru <kirank@ami.com>
      Signed-off-by: default avatarKamlakant Patel <kamlakantp@marvell.com>
      Message-Id: <1556106615-18722-1-git-send-email-kamlakantp@marvell.com>
      [Also added a debug log if the block numbers don't match.]
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 4.4
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2a2a146
    • Coly Li's avatar
      bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() · 7366d0cd
      Coly Li authored
      commit 1bee2add upstream.
      
      In journal_reclaim() ja->cur_idx of each cache will be update to
      reclaim available journal buckets. Variable 'int n' is used to count how
      many cache is successfully reclaimed, then n is set to c->journal.key
      by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache()
      loop will write the jset data onto each cache.
      
      The problem is, if all jouranl buckets on each cache is full, the
      following code in journal_reclaim(),
      
      529 for_each_cache(ca, c, iter) {
      530       struct journal_device *ja = &ca->journal;
      531       unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets;
      532
      533       /* No space available on this device */
      534       if (next == ja->discard_idx)
      535               continue;
      536
      537       ja->cur_idx = next;
      538       k->ptr[n++] = MAKE_PTR(0,
      539                         bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
      540                         ca->sb.nr_this_dev);
      541 }
      542
      543 bkey_init(k);
      544 SET_KEY_PTRS(k, n);
      
      If there is no available bucket to reclaim, the if() condition at line
      534 will always true, and n remains 0. Then at line 544, SET_KEY_PTRS()
      will set KEY_PTRS field of c->journal.key to 0.
      
      Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in
      journal_write_unlocked() the journal data is written in following loop,
      
      649	for (i = 0; i < KEY_PTRS(k); i++) {
      650-671		submit journal data to cache device
      672	}
      
      If KEY_PTRS field is set to 0 in jouranl_reclaim(), the journal data
      won't be written to cache device here. If system crahed or rebooted
      before bkeys of the lost journal entries written into btree nodes, data
      corruption will be reported during bcache reload after rebooting the
      system.
      
      Indeed there is only one cache in a cache set, there is no need to set
      KEY_PTRS field in journal_reclaim() at all. But in order to keep the
      for_each_cache() logic consistent for now, this patch fixes the above
      problem by not setting 0 KEY_PTRS of journal key, if there is no bucket
      available to reclaim.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7366d0cd
    • Liang Chen's avatar
      bcache: fix a race between cache register and cacheset unregister · 3946cbbe
      Liang Chen authored
      commit a4b732a2 upstream.
      
      There is a race between cache device register and cache set unregister.
      For an already registered cache device, register_bcache will call
      bch_is_open to iterate through all cachesets and check every cache
      there. The race occurs if cache_set_free executes at the same time and
      clears the caches right before ca is dereferenced in bch_is_open_cache.
      To close the race, let's make sure the clean up work is protected by
      the bch_register_lock as well.
      
      This issue can be reproduced as follows,
      while true; do echo /dev/XXX> /sys/fs/bcache/register ; done&
      while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done &
      
      and results in the following oops,
      
      [  +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998
      [  +0.000457] #PF error: [normal kernel read fault]
      [  +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0
      [  +0.000388] Oops: 0000 [#1] SMP PTI
      [  +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6
      [  +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014
      [  +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache]
      [  +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d
      [  +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202
      [  +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000
      [  +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001
      [  +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a
      [  +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0
      [  +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620
      [  +0.000384] FS:  00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000
      [  +0.000420] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0
      [  +0.000837] Call Trace:
      [  +0.000682]  ? _cond_resched+0x10/0x20
      [  +0.000691]  ? __kmalloc+0x131/0x1b0
      [  +0.000710]  kernfs_fop_write+0xfa/0x170
      [  +0.000733]  __vfs_write+0x2e/0x190
      [  +0.000688]  ? inode_security+0x10/0x30
      [  +0.000698]  ? selinux_file_permission+0xd2/0x120
      [  +0.000752]  ? security_file_permission+0x2b/0x100
      [  +0.000753]  vfs_write+0xa8/0x1a0
      [  +0.000676]  ksys_write+0x4d/0xb0
      [  +0.000699]  do_syscall_64+0x3a/0xf0
      [  +0.000692]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: default avatarLiang Chen <liangchen.linux@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3946cbbe
    • Filipe Manana's avatar
      Btrfs: do not start a transaction at iterate_extent_inodes() · c44e237e
      Filipe Manana authored
      commit bfc61c36 upstream.
      
      When finding out which inodes have references on a particular extent, done
      by backref.c:iterate_extent_inodes(), from the BTRFS_IOC_LOGICAL_INO (both
      v1 and v2) ioctl and from scrub we use the transaction join API to grab a
      reference on the currently running transaction, since in order to give
      accurate results we need to inspect the delayed references of the currently
      running transaction.
      
      However, if there is currently no running transaction, the join operation
      will create a new transaction. This is inefficient as the transaction will
      eventually be committed, doing unnecessary IO and introducing a potential
      point of failure that will lead to a transaction abort due to -ENOSPC, as
      recently reported [1].
      
      That's because the join, creates the transaction but does not reserve any
      space, so when attempting to update the root item of the root passed to
      btrfs_join_transaction(), during the transaction commit, we can end up
      failling with -ENOSPC. Users of a join operation are supposed to actually
      do some filesystem changes and reserve space by some means, which is not
      the case of iterate_extent_inodes(), it is a read-only operation for all
      contextes from which it is called.
      
      The reported [1] -ENOSPC failure stack trace is the following:
      
       heisenberg kernel: ------------[ cut here ]------------
       heisenberg kernel: BTRFS: Transaction aborted (error -28)
       heisenberg kernel: WARNING: CPU: 0 PID: 7137 at fs/btrfs/root-tree.c:136 btrfs_update_root+0x22b/0x320 [btrfs]
      (...)
       heisenberg kernel: CPU: 0 PID: 7137 Comm: btrfs-transacti Not tainted 4.19.0-4-amd64 #1 Debian 4.19.28-2
       heisenberg kernel: Hardware name: FUJITSU LIFEBOOK U757/FJNB2A5, BIOS Version 1.21 03/19/2018
       heisenberg kernel: RIP: 0010:btrfs_update_root+0x22b/0x320 [btrfs]
      (...)
       heisenberg kernel: RSP: 0018:ffffb5448828bd40 EFLAGS: 00010286
       heisenberg kernel: RAX: 0000000000000000 RBX: ffff8ed56bccef50 RCX: 0000000000000006
       heisenberg kernel: RDX: 0000000000000007 RSI: 0000000000000092 RDI: ffff8ed6bda166a0
       heisenberg kernel: RBP: 00000000ffffffe4 R08: 00000000000003df R09: 0000000000000007
       heisenberg kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff8ed63396a078
       heisenberg kernel: R13: ffff8ed092d7c800 R14: ffff8ed64f5db028 R15: ffff8ed6bd03d068
       heisenberg kernel: FS:  0000000000000000(0000) GS:ffff8ed6bda00000(0000) knlGS:0000000000000000
       heisenberg kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       heisenberg kernel: CR2: 00007f46f75f8000 CR3: 0000000310a0a002 CR4: 00000000003606f0
       heisenberg kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       heisenberg kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       heisenberg kernel: Call Trace:
       heisenberg kernel:  commit_fs_roots+0x166/0x1d0 [btrfs]
       heisenberg kernel:  ? _cond_resched+0x15/0x30
       heisenberg kernel:  ? btrfs_run_delayed_refs+0xac/0x180 [btrfs]
       heisenberg kernel:  btrfs_commit_transaction+0x2bd/0x870 [btrfs]
       heisenberg kernel:  ? start_transaction+0x9d/0x3f0 [btrfs]
       heisenberg kernel:  transaction_kthread+0x147/0x180 [btrfs]
       heisenberg kernel:  ? btrfs_cleanup_transaction+0x530/0x530 [btrfs]
       heisenberg kernel:  kthread+0x112/0x130
       heisenberg kernel:  ? kthread_bind+0x30/0x30
       heisenberg kernel:  ret_from_fork+0x35/0x40
       heisenberg kernel: ---[ end trace 05de912e30e012d9 ]---
      
      So fix that by using the attach API, which does not create a transaction
      when there is currently no running transaction.
      
      [1] https://lore.kernel.org/linux-btrfs/b2a668d7124f1d3e410367f587926f622b3f03a4.camel@scientia.net/Reported-by: default avatarZygo Blaxell <ce3g8jdj@umail.furryterror.org>
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c44e237e
    • Debabrata Banerjee's avatar
      ext4: fix ext4_show_options for file systems w/o journal · d5258b8a
      Debabrata Banerjee authored
      commit 50b29d8f upstream.
      
      Instead of removing EXT4_MOUNT_JOURNAL_CHECKSUM from s_def_mount_opt as
      I assume was intended, all other options were blown away leading to
      _ext4_show_options() output being incorrect.
      
      Fixes: 1e381f60 ("ext4: do not allow journal_opts for fs w/o journal")
      Signed-off-by: default avatarDebabrata Banerjee <dbanerje@akamai.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5258b8a
    • Kirill Tkhai's avatar
      ext4: actually request zeroing of inode table after grow · 083b19c7
      Kirill Tkhai authored
      commit 310a997f upstream.
      
      It is never possible, that number of block groups decreases,
      since only online grow is supported.
      
      But after a growing occured, we have to zero inode tables
      for just created new block groups.
      
      Fixes: 19c5246d ("ext4: add new online resize interface")
      Signed-off-by: default avatarKirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      083b19c7
    • Jiufei Xue's avatar
      jbd2: check superblock mapped prior to committing · bd8f3bc2
      Jiufei Xue authored
      commit 742b06b5 upstream.
      
      We hit a BUG at fs/buffer.c:3057 if we detached the nbd device
      before unmounting ext4 filesystem.
      
      The typical chain of events leading to the BUG:
      jbd2_write_superblock
        submit_bh
          submit_bh_wbc
            BUG_ON(!buffer_mapped(bh));
      
      The block device is removed and all the pages are invalidated. JBD2
      was trying to write journal superblock to the block device which is
      no longer present.
      
      Fix this by checking the journal superblock's buffer head prior to
      submitting.
      Reported-by: default avatarEric Ren <renzhen@linux.alibaba.com>
      Signed-off-by: default avatarJiufei Xue <jiufei.xue@linux.alibaba.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd8f3bc2
    • Sergei Trofimovich's avatar
      tty/vt: fix write/write race in ioctl(KDSKBSENT) handler · 948c9cec
      Sergei Trofimovich authored
      commit 46ca3f73 upstream.
      
      The bug manifests as an attempt to access deallocated memory:
      
          BUG: unable to handle kernel paging request at ffff9c8735448000
          #PF error: [PROT] [WRITE]
          PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
          Oops: 0003 [#1] PREEMPT SMP
          CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871 #91
          Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
          RIP: 0010:__memmove+0x81/0x1a0
          Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
          RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
          RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
          RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
          RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
          R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
          R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
          FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
          Call Trace:
           vt_do_kdgkb_ioctl+0x34d/0x440
           vt_ioctl+0xba3/0x1190
           ? __bpf_prog_run32+0x39/0x60
           ? mem_cgroup_commit_charge+0x7b/0x4e0
           tty_ioctl+0x23f/0x920
           ? preempt_count_sub+0x98/0xe0
           ? __seccomp_filter+0x67/0x600
           do_vfs_ioctl+0xa2/0x6a0
           ? syscall_trace_enter+0x192/0x2d0
           ksys_ioctl+0x3a/0x70
           __x64_sys_ioctl+0x16/0x20
           do_syscall_64+0x54/0xe0
           entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The bug manifests on systemd systems with multiple vtcon devices:
        # cat /sys/devices/virtual/vtconsole/vtcon0/name
        (S) dummy device
        # cat /sys/devices/virtual/vtconsole/vtcon1/name
        (M) frame buffer device
      
      There systemd runs 'loadkeys' tool in tapallel for each vtcon
      instance. This causes two parallel ioctl(KDSKBSENT) calls to
      race into adding the same entry into 'func_table' array at:
      
          drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()
      
      The function has no locking around writes to 'func_table'.
      
      The simplest reproducer is to have initrams with the following
      init on a 8-CPU machine x86_64:
      
          #!/bin/sh
      
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
      
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          wait
      
      The change adds lock on write path only. Reads are still racy.
      
      CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      CC: Jiri Slaby <jslaby@suse.com>
      Link: https://lkml.org/lkml/2019/2/17/256Signed-off-by: default avatarSergei Trofimovich <slyfox@gentoo.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      948c9cec
    • Dmitry Osipenko's avatar
      mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values · db4a55c0
      Dmitry Osipenko authored
      commit ea611d1c upstream.
      
      The FPS_PERIOD_MAX_US definitions are swapped for MAX20024 and MAX77620,
      fix it.
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db4a55c0
    • Steve Twiss's avatar
      mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L · 56c8a5d5
      Steve Twiss authored
      commit 6b4814a9 upstream.
      
      Mismatch between what is found in the Datasheets for DA9063 and DA9063L
      provided by Dialog Semiconductor, and the register names provided in the
      MFD registers file. The changes are for the OTP (one-time-programming)
      control registers. The two naming errors are OPT instead of OTP, and
      COUNT instead of CONT (i.e. control).
      
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve Twiss <stwiss.opensource@diasemi.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      56c8a5d5
    • Shuning Zhang's avatar
      ocfs2: fix ocfs2 read inode data panic in ocfs2_iget · a11b4df7
      Shuning Zhang authored
      commit e091eab0 upstream.
      
      In some cases, ocfs2_iget() reads the data of inode, which has been
      deleted for some reason.  That will make the system panic.  So We should
      judge whether this inode has been deleted, and tell the caller that the
      inode is a bad inode.
      
      For example, the ocfs2 is used as the backed of nfs, and the client is
      nfsv3.  This issue can be reproduced by the following steps.
      
      on the nfs server side,
      ..../patha/pathb
      
      Step 1: The process A was scheduled before calling the function fh_verify.
      
      Step 2: The process B is removing the 'pathb', and just completed the call
      to function dput.  Then the dentry of 'pathb' has been deleted from the
      dcache, and all ancestors have been deleted also.  The relationship of
      dentry and inode was deleted through the function hlist_del_init.  The
      following is the call stack.
      dentry_iput->hlist_del_init(&dentry->d_u.d_alias)
      
      At this time, the inode is still in the dcache.
      
      Step 3: The process A call the function ocfs2_get_dentry, which get the
      inode from dcache.  Then the refcount of inode is 1.  The following is the
      call stack.
      nfsd3_proc_getacl->fh_verify->exportfs_decode_fh->fh_to_dentry(ocfs2_get_dentry)
      
      Step 4: Dirty pages are flushed by bdi threads.  So the inode of 'patha'
      is evicted, and this directory was deleted.  But the inode of 'pathb'
      can't be evicted, because the refcount of the inode was 1.
      
      Step 5: The process A keep running, and call the function
      reconnect_path(in exportfs_decode_fh), which call function
      ocfs2_get_parent of ocfs2.  Get the block number of parent
      directory(patha) by the name of ...  Then read the data from disk by the
      block number.  But this inode has been deleted, so the system panic.
      
      Process A                                             Process B
      1. in nfsd3_proc_getacl                   |
      2.                                        |        dput
      3. fh_to_dentry(ocfs2_get_dentry)         |
      4. bdi flush dirty cache                  |
      5. ocfs2_iget                             |
      
      [283465.542049] OCFS2: ERROR (device sdp): ocfs2_validate_inode_block:
      Invalid dinode #580640: OCFS2_VALID_FL not set
      
      [283465.545490] Kernel panic - not syncing: OCFS2: (device sdp): panic forced
      after error
      
      [283465.546889] CPU: 5 PID: 12416 Comm: nfsd Tainted: G        W
      4.1.12-124.18.6.el6uek.bug28762940v3.x86_64 #2
      [283465.548382] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
      Desktop Reference Platform, BIOS 6.00 09/21/2015
      [283465.549657]  0000000000000000 ffff8800a56fb7b8 ffffffff816e839c
      ffffffffa0514758
      [283465.550392]  000000000008dc20 ffff8800a56fb838 ffffffff816e62d3
      0000000000000008
      [283465.551056]  ffff880000000010 ffff8800a56fb848 ffff8800a56fb7e8
      ffff88005df9f000
      [283465.551710] Call Trace:
      [283465.552516]  [<ffffffff816e839c>] dump_stack+0x63/0x81
      [283465.553291]  [<ffffffff816e62d3>] panic+0xcb/0x21b
      [283465.554037]  [<ffffffffa04e66b0>] ocfs2_handle_error+0xf0/0xf0 [ocfs2]
      [283465.554882]  [<ffffffffa04e7737>] __ocfs2_error+0x67/0x70 [ocfs2]
      [283465.555768]  [<ffffffffa049c0f9>] ocfs2_validate_inode_block+0x229/0x230
      [ocfs2]
      [283465.556683]  [<ffffffffa047bcbc>] ocfs2_read_blocks+0x46c/0x7b0 [ocfs2]
      [283465.557408]  [<ffffffffa049bed0>] ? ocfs2_inode_cache_io_unlock+0x20/0x20
      [ocfs2]
      [283465.557973]  [<ffffffffa049f0eb>] ocfs2_read_inode_block_full+0x3b/0x60
      [ocfs2]
      [283465.558525]  [<ffffffffa049f5ba>] ocfs2_iget+0x4aa/0x880 [ocfs2]
      [283465.559082]  [<ffffffffa049146e>] ocfs2_get_parent+0x9e/0x220 [ocfs2]
      [283465.559622]  [<ffffffff81297c05>] reconnect_path+0xb5/0x300
      [283465.560156]  [<ffffffff81297f46>] exportfs_decode_fh+0xf6/0x2b0
      [283465.560708]  [<ffffffffa062faf0>] ? nfsd_proc_getattr+0xa0/0xa0 [nfsd]
      [283465.561262]  [<ffffffff810a8196>] ? prepare_creds+0x26/0x110
      [283465.561932]  [<ffffffffa0630860>] fh_verify+0x350/0x660 [nfsd]
      [283465.562862]  [<ffffffffa0637804>] ? nfsd_cache_lookup+0x44/0x630 [nfsd]
      [283465.563697]  [<ffffffffa063a8b9>] nfsd3_proc_getattr+0x69/0xf0 [nfsd]
      [283465.564510]  [<ffffffffa062cf60>] nfsd_dispatch+0xe0/0x290 [nfsd]
      [283465.565358]  [<ffffffffa05eb892>] ? svc_tcp_adjust_wspace+0x12/0x30
      [sunrpc]
      [283465.566272]  [<ffffffffa05ea652>] svc_process_common+0x412/0x6a0 [sunrpc]
      [283465.567155]  [<ffffffffa05eaa03>] svc_process+0x123/0x210 [sunrpc]
      [283465.568020]  [<ffffffffa062c90f>] nfsd+0xff/0x170 [nfsd]
      [283465.568962]  [<ffffffffa062c810>] ? nfsd_destroy+0x80/0x80 [nfsd]
      [283465.570112]  [<ffffffff810a622b>] kthread+0xcb/0xf0
      [283465.571099]  [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180
      [283465.572114]  [<ffffffff816f11b8>] ret_from_fork+0x58/0x90
      [283465.573156]  [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180
      
      Link: http://lkml.kernel.org/r/1554185919-3010-1-git-send-email-sunny.s.zhang@oracle.comSigned-off-by: default avatarShuning Zhang <sunny.s.zhang@oracle.com>
      Reviewed-by: default avatarJoseph Qi <jiangqi903@gmail.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: piaojun <piaojun@huawei.com>
      Cc: "Gang He" <ghe@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a11b4df7
    • Jiri Kosina's avatar
      mm/mincore.c: make mincore() more conservative · fef85fb0
      Jiri Kosina authored
      commit 134fca90 upstream.
      
      The semantics of what mincore() considers to be resident is not
      completely clear, but Linux has always (since 2.3.52, which is when
      mincore() was initially done) treated it as "page is available in page
      cache".
      
      That's potentially a problem, as that [in]directly exposes
      meta-information about pagecache / memory mapping state even about
      memory not strictly belonging to the process executing the syscall,
      opening possibilities for sidechannel attacks.
      
      Change the semantics of mincore() so that it only reveals pagecache
      information for non-anonymous mappings that belog to files that the
      calling process could (if it tried to) successfully open for writing;
      otherwise we'd be including shared non-exclusive mappings, which
      
       - is the sidechannel
      
       - is not the usecase for mincore(), as that's primarily used for data,
         not (shared) text
      
      [jkosina@suse.cz: v2]
        Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
      [mhocko@suse.com: restructure can_do_mincore() conditions]
      Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pmSigned-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarJosh Snyder <joshs@netflix.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Originally-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Originally-by: default avatarDominique Martinet <asmadeus@codewreck.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Kevin Easton <kevin@guarana.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Cyril Hrubis <chrubis@suse.cz>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Cc: Daniel Gruss <daniel@gruss.cc>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fef85fb0
    • Curtis Malainey's avatar
      ASoC: RT5677-SPI: Disable 16Bit SPI Transfers · 63a3811e
      Curtis Malainey authored
      commit a46eb523 upstream.
      
      The current algorithm allows 3 types of transfers, 16bit, 32bit and
      burst. According to Realtek, 16bit transfers have a special restriction
      in that it is restricted to the memory region of
      0x18020000 ~ 0x18021000. This region is the memory location of the I2C
      registers. The current algorithm does not uphold this restriction and
      therefore fails to complete writes.
      
      Since this has been broken for some time it likely no one is using it.
      Better to simply disable the 16 bit writes. This will allow users to
      properly load firmware over SPI without data corruption.
      Signed-off-by: default avatarCurtis Malainey <cujomalainey@chromium.org>
      Reviewed-by: default avatarBen Zhang <benzh@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      63a3811e
    • Jon Hunter's avatar
      ASoC: max98090: Fix restore of DAPM Muxes · cfdfd0e9
      Jon Hunter authored
      commit ecb2795c upstream.
      
      The max98090 driver defines 3 DAPM muxes; one for the right line output
      (LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux)
      and one for the right headphone mixer source (MIXHPRSEL Mux). The same
      bit is used for the mux as well as the DAPM enable, and although the mux
      can be correctly configured, after playback has completed, the mux will
      be reset during the disable phase. This is preventing the state of these
      muxes from being saved and restored correctly on system reboot. Fix this
      by marking these muxes as SND_SOC_NOPM.
      
      Note this has been verified this on the Tegra124 Nyan Big which features
      the MAX98090 codec.
      Signed-off-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cfdfd0e9
    • Kailang Yang's avatar
      ALSA: hda/realtek - EAPD turn on later · 595a6a53
      Kailang Yang authored
      commit 607ca3bd upstream.
      
      Let EAPD turn on after set pin output.
      
      [ NOTE: This change is supposed to reduce the possible click noises at
        (runtime) PM resume.  The functionality should be same (i.e. the
        verbs are executed correctly) no matter which order is, so this
        should be safe to apply for all codecs -- tiwai ]
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      595a6a53
    • Hui Wang's avatar
      ALSA: hda/hdmi - Consider eld_valid when reporting jack event · 72cd3810
      Hui Wang authored
      commit 7f641e26 upstream.
      
      On the machines with AMD GPU or Nvidia GPU, we often meet this issue:
      after s3, there are 4 HDMI/DP audio devices in the gnome-sound-setting
      even there is no any monitors plugged.
      
      When this problem happens, we check the /proc/asound/cardX/eld#N.M, we
      will find the monitor_present=1, eld_valid=0.
      
      The root cause is BIOS or GPU driver makes the PRESENCE valid even no
      monitor plugged, and of course the driver will not get the valid
      eld_data subsequently.
      
      In this situation, we should not report the jack_plugged event, to do
      so, let us change the function hdmi_present_sense_via_verbs(). In this
      function, it reads the pin_sense via snd_hda_pin_sense(), after
      calling this function, the jack_dirty is 0, and before exiting
      via_verbs(), we change the shadow pin_sense according to both
      monitor_present and eld_valid, then in the snd_hda_jack_report_sync(),
      since the jack_dirty is still 0, it will report jack event according
      to this modified shadow pin_sense.
      
      After this change, the driver will not report Jack_is_plugged event
      through hdmi_present_sense_via_verbs() if monitor_present is 1 and
      eld_valid is 0.
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72cd3810
    • Hui Wang's avatar
      ALSA: hda/hdmi - Read the pin sense from register when repolling · 5c767fc6
      Hui Wang authored
      commit 8c2e6728 upstream.
      
      The driver will check the monitor presence when resuming from suspend,
      starting poll or interrupt triggers. In these 3 situations, the
      jack_dirty will be set to 1 first, then the hda_jack.c reads the
      pin_sense from register, after reading the register, the jack_dirty
      will be set to 0. But hdmi_repoll_work() is enabled in these 3
      situations, It will read the pin_sense a couple of times subsequently,
      since the jack_dirty is 0 now, It does not read the register anymore,
      instead it uses the shadow pin_sense which is read at the first time.
      
      It is meaningless to check the shadow pin_sense a couple of times,
      we need to read the register to check the real plugging state, so
      we set the jack_dirty to 1 in the hdmi_repoll_work().
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c767fc6
    • Wenwen Wang's avatar
      ALSA: usb-audio: Fix a memory leak bug · f934bf3f
      Wenwen Wang authored
      commit cb517359 upstream.
      
      In parse_audio_selector_unit(), the string array 'namelist' is allocated
      through kmalloc_array(), and each string pointer in this array, i.e.,
      'namelist[]', is allocated through kmalloc() in the following for loop.
      Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If
      an error occurs during the creation process, the string array 'namelist',
      including all string pointers in the array 'namelist[]', should be freed,
      before the error code ENOMEM is returned. However, the current code does
      not free 'namelist[]', resulting in memory leaks.
      
      To fix the above issue, free all string pointers 'namelist[]' in a loop.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f934bf3f
    • Eric Biggers's avatar
      crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest() · ec51ec92
      Eric Biggers authored
      commit dec3d0b1 upstream.
      
      The ->digest() method of crct10dif-pclmul reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      Fixes: 0b95a7f8 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec51ec92
    • Eric Biggers's avatar
      crypto: crct10dif-generic - fix use via crypto_shash_digest() · ccb5b8fe
      Eric Biggers authored
      commit 307508d1 upstream.
      
      The ->digest() method of crct10dif-generic reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.
      
      Fixes: 2d31e518 ("crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ccb5b8fe
    • Daniel Axtens's avatar
      crypto: vmx - fix copy-paste error in CTR mode · e8de7b8e
      Daniel Axtens authored
      commit dcf7b482 upstream.
      
      The original assembly imported from OpenSSL has two copy-paste
      errors in handling CTR mode. When dealing with a 2 or 3 block tail,
      the code branches to the CBC decryption exit path, rather than to
      the CTR exit path.
      
      This leads to corruption of the IV, which leads to subsequent blocks
      being corrupted.
      
      This can be detected with libkcapi test suite, which is available at
      https://github.com/smuellerDD/libkcapiReported-by: default avatarOndrej Mosnáček <omosnacek@gmail.com>
      Fixes: 5c380d62 ("crypto: vmx - Add support for VMS instructions by ASM")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Tested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Tested-by: default avatarOndrej Mosnacek <omosnacek@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8de7b8e
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - set cra_name correctly · fa2876c4
      Eric Biggers authored
      commit 5e27f38f upstream.
      
      If the rfc7539 template is instantiated with specific implementations,
      e.g. "rfc7539(chacha20-generic,poly1305-generic)" rather than
      "rfc7539(chacha20,poly1305)", then the implementation names end up
      included in the instance's cra_name.  This is incorrect because it then
      prevents all users from allocating "rfc7539(chacha20,poly1305)", if the
      highest priority implementations of chacha20 and poly1305 were selected.
      Also, the self-tests aren't run on an instance allocated in this way.
      
      Fix it by setting the instance's cra_name from the underlying
      algorithms' actual cra_names, rather than from the requested names.
      This matches what other templates do.
      
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Cc: Martin Willi <martin@strongswan.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa2876c4
    • Peter Zijlstra's avatar
      sched/x86: Save [ER]FLAGS on context switch · 45fe6dee
      Peter Zijlstra authored
      commit 6690e86b upstream.
      
      Effectively reverts commit:
      
        2c7577a7 ("sched/x86_64: Don't save flags on context switch")
      
      Specifically because SMAP uses FLAGS.AC which invalidates the claim
      that the kernel has clean flags.
      
      In particular; while preemption from interrupt return is fine (the
      IRET frame on the exception stack contains FLAGS) it breaks any code
      that does synchonous scheduling, including preempt_enable().
      
      This has become a significant issue ever since commit:
      
        5b24a7a2 ("Add 'unsafe' user access functions for batched accesses")
      
      provided for means of having 'normal' C code between STAC / CLAC,
      exposing the FLAGS.AC state. So far this hasn't led to trouble,
      however fix it before it comes apart.
      Reported-by: default avatarJulien Thierry <julien.thierry@arm.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@kernel.org
      Fixes: 5b24a7a2 ("Add 'unsafe' user access functions for batched accesses")
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      45fe6dee
    • Jean-Philippe Brucker's avatar
      arm64: Clear OSDLR_EL1 on CPU boot · 621881df
      Jean-Philippe Brucker authored
      commit 6fda41bf upstream.
      
      Some firmwares may reboot CPUs with OS Double Lock set. Make sure that
      it is unlocked, in order to use debug exceptions.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJean-Philippe Brucker <jean-philippe.brucker@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      621881df
    • Vincenzo Frascino's avatar
      arm64: compat: Reduce address limit · 20230611
      Vincenzo Frascino authored
      commit d2631193 upstream.
      
      Currently, compat tasks running on arm64 can allocate memory up to
      TASK_SIZE_32 (UL(0x100000000)).
      
      This means that mmap() allocations, if we treat them as returning an
      array, are not compliant with the sections 6.5.8 of the C standard
      (C99) which states that: "If the expression P points to an element of
      an array object and the expression Q points to the last element of the
      same array object, the pointer expression Q+1 compares greater than P".
      
      Redefine TASK_SIZE_32 to address the issue.
      
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarVincenzo Frascino <vincenzo.frascino@arm.com>
      [will: fixed typo in comment]
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20230611
    • Gustavo A. R. Silva's avatar
      power: supply: axp288_charger: Fix unchecked return value · 4bae1935
      Gustavo A. R. Silva authored
      commit c3422ad5 upstream.
      
      Currently there is no check on platform_get_irq() return value
      in case it fails, hence never actually reporting any errors and
      causing unexpected behavior when using such value as argument
      for function regmap_irq_get_virq().
      
      Fix this by adding a proper check, a message reporting any errors
      and returning *pirq*
      
      Addresses-Coverity-ID: 1443940 ("Improper use of negative value")
      Fixes: 843735b7 ("power: axp288_charger: axp288 charger driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4bae1935
    • Wen Yang's avatar
      ARM: exynos: Fix a leaked reference by adding missing of_node_put · f8646ad1
      Wen Yang authored
      commit 629266bf upstream.
      
      The call to of_get_next_child returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with warnings like:
          arch/arm/mach-exynos/firmware.c:201:2-8: ERROR: missing of_node_put;
              acquired a node pointer with refcount incremented on line 193,
              but without a corresponding object release within this function.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8646ad1