1. 14 Jun, 2017 40 commits
    • Franziska Naepelt's avatar
      iio: light: ltr501 Fix interchanged als/ps register field · 8067c911
      Franziska Naepelt authored
      commit 7cc3bff4 upstream.
      
      The register mapping for the IIO driver for the Liteon Light and Proximity
      sensor LTR501 interrupt mode is interchanged (ALS/PS).
      There is a register called INTERRUPT register (address 0x8F)
      Bit 0 represents PS measurement trigger.
      Bit 1 represents ALS measurement trigger.
      This two bit fields are interchanged within the driver.
      see datasheet page 24:
      http://optoelectronics.liteon.com/upload/download/DS86-2012-0006/S_110_LTR-501ALS-01_PrelimDS_ver1%5B1%5D.pdfSigned-off-by: default avatarFranziska Naepelt <franziska.naepelt@idt.com>
      Fixes: 7ac702b3 ("iio: ltr501: Add interrupt support")
      Acked-by: default avatarPeter Meerwald-Stadler <pmeerw@pmeerw.net>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8067c911
    • Raveendra Padasalagi's avatar
      iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's · e33679f9
      Raveendra Padasalagi authored
      commit f7d86ecf upstream.
      
      The third argument of devm_request_threaded_irq() is the primary
      handler. It is called in hardirq context and checks whether the
      interrupt is relevant to the device. If the primary handler returns
      IRQ_WAKE_THREAD, the secondary handler (a.k.a. handler thread) is
      scheduled to run in process context.
      
      bcm_iproc_adc.c uses the secondary handler as the primary one
      and the other way around. So this patch fixes the same, along with
      re-naming the secondary handler and primary handler names properly.
      
      Tested on the BCM9583XX iProc SoC based boards.
      
      Fixes: 4324c97e ("iio: Add driver for Broadcom iproc-static-adc")
      Reported-by: default avatarPavel Roskin <plroskin@gmail.com>
      Signed-off-by: default avatarRaveendra Padasalagi <raveendra.padasalagi@broadcom.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e33679f9
    • Oleg Drokin's avatar
      staging/lustre/lov: remove set_fs() call from lov_getstripe() · c5a80044
      Oleg Drokin authored
      commit 0a33252e upstream.
      
      lov_getstripe() calls set_fs(KERNEL_DS) so that it can handle a struct
      lov_user_md pointer from user- or kernel-space.  This changes the
      behavior of copy_from_user() on SPARC and may result in a misaligned
      access exception which in turn oopses the kernel.  In fact the
      relevant argument to lov_getstripe() is never called with a
      kernel-space pointer and so changing the address limits is unnecessary
      and so we remove the calls to save, set, and restore the address
      limits.
      Signed-off-by: default avatarJohn L. Hammond <john.hammond@intel.com>
      Reviewed-on: http://review.whamcloud.com/6150
      Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3221Reviewed-by: default avatarAndreas Dilger <andreas.dilger@intel.com>
      Reviewed-by: default avatarLi Wei <wei.g.li@intel.com>
      Signed-off-by: default avatarOleg Drokin <green@linuxhacker.ru>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5a80044
    • Michael Thalmeier's avatar
      usb: chipidea: debug: check before accessing ci_role · 5404b0c0
      Michael Thalmeier authored
      commit 0340ff83 upstream.
      
      ci_role BUGs when the role is >= CI_ROLE_END.
      Signed-off-by: default avatarMichael Thalmeier <michael.thalmeier@hale.at>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5404b0c0
    • Jisheng Zhang's avatar
      usb: chipidea: udc: fix NULL pointer dereference if udc_start failed · 59db536f
      Jisheng Zhang authored
      commit aa1f058d upstream.
      
      Fix below NULL pointer dereference. we set ci->roles[CI_ROLE_GADGET]
      too early in ci_hdrc_gadget_init(), if udc_start() fails due to some
      reason, the ci->roles[CI_ROLE_GADGET] check in  ci_hdrc_gadget_destroy
      can't protect us.
      
      We fix this issue by only setting ci->roles[CI_ROLE_GADGET] if
      udc_start() succeed.
      
      [    1.398550] Unable to handle kernel NULL pointer dereference at
      virtual address 00000000
      ...
      [    1.448600] PC is at dma_pool_free+0xb8/0xf0
      [    1.453012] LR is at dma_pool_free+0x28/0xf0
      [    2.113369] [<ffffff80081817d8>] dma_pool_free+0xb8/0xf0
      [    2.118857] [<ffffff800841209c>] destroy_eps+0x4c/0x68
      [    2.124165] [<ffffff8008413770>] ci_hdrc_gadget_destroy+0x28/0x50
      [    2.130461] [<ffffff800840fa30>] ci_hdrc_probe+0x588/0x7e8
      [    2.136129] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
      [    2.142066] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
      [    2.148270] [<ffffff800837f68c>] __device_attach_driver+0x9c/0xf8
      [    2.154563] [<ffffff800837d570>] bus_for_each_drv+0x58/0x98
      [    2.160317] [<ffffff800837f174>] __device_attach+0xc4/0x138
      [    2.166072] [<ffffff800837f738>] device_initial_probe+0x10/0x18
      [    2.172185] [<ffffff800837e58c>] bus_probe_device+0x94/0xa0
      [    2.177940] [<ffffff800837c560>] device_add+0x3f0/0x560
      [    2.183337] [<ffffff8008380d20>] platform_device_add+0x180/0x240
      [    2.189541] [<ffffff800840f0e8>] ci_hdrc_add_device+0x440/0x4f8
      [    2.195654] [<ffffff8008414194>] ci_hdrc_usb2_probe+0x13c/0x2d8
      [    2.201769] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
      [    2.207705] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
      [    2.213910] [<ffffff800837f5ec>] __driver_attach+0xac/0xb0
      [    2.219575] [<ffffff800837d4b0>] bus_for_each_dev+0x60/0xa0
      [    2.225329] [<ffffff800837ec80>] driver_attach+0x20/0x28
      [    2.230816] [<ffffff800837e880>] bus_add_driver+0x1d0/0x238
      [    2.236571] [<ffffff800837fdb0>] driver_register+0x60/0xf8
      [    2.242237] [<ffffff8008380ef4>] __platform_driver_register+0x44/0x50
      [    2.248891] [<ffffff80086fd440>] ci_hdrc_usb2_driver_init+0x18/0x20
      [    2.255365] [<ffffff8008082950>] do_one_initcall+0x38/0x128
      [    2.261121] [<ffffff80086e0d00>] kernel_init_freeable+0x1ac/0x250
      [    2.267414] [<ffffff800852f0b8>] kernel_init+0x10/0x100
      [    2.272810] [<ffffff8008082680>] ret_from_fork+0x10/0x50
      
      Fixes: 3f124d23 ("usb: chipidea: add role init and destroy APIs")
      Signed-off-by: default avatarJisheng Zhang <jszhang@marvell.com>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      59db536f
    • Thinh Nguyen's avatar
      usb: gadget: f_mass_storage: Serialize wake and sleep execution · 405ac24a
      Thinh Nguyen authored
      commit dc9217b6 upstream.
      
      f_mass_storage has a memorry barrier issue with the sleep and wake
      functions that can cause a deadlock. This results in intermittent hangs
      during MSC file transfer. The host will reset the device after receiving
      no response to resume the transfer. This issue is seen when dwc3 is
      processing 2 transfer-in-progress events at the same time, invoking
      completion handlers for CSW and CBW. Also this issue occurs depending on
      the system timing and latency.
      
      To increase the chance to hit this issue, you can force dwc3 driver to
      wait and process those 2 events at once by adding a small delay (~100us)
      in dwc3_check_event_buf() whenever the request is for CSW and read the
      event count again. Avoid debugging with printk and ftrace as extra
      delays and memory barrier will mask this issue.
      
      Scenario which can lead to failure:
      -----------------------------------
      1) The main thread sleeps and waits for the next command in
         get_next_command().
      2) bulk_in_complete() wakes up main thread for CSW.
      3) bulk_out_complete() tries to wake up the running main thread for CBW.
      4) thread_wakeup_needed is not loaded with correct value in
         sleep_thread().
      5) Main thread goes to sleep again.
      
      The pattern is shown below. Note the 2 critical variables.
       * common->thread_wakeup_needed
       * bh->state
      
      	CPU 0 (sleep_thread)		CPU 1 (wakeup_thread)
      	==============================  ===============================
      
      					bh->state = BH_STATE_FULL;
      					smp_wmb();
      	thread_wakeup_needed = 0;	thread_wakeup_needed = 1;
      	smp_rmb();
      	if (bh->state != BH_STATE_FULL)
      		sleep again ...
      
      As pointed out by Alan Stern, this is an R-pattern issue. The issue can
      be seen when there are two wakeups in quick succession. The
      thread_wakeup_needed can be overwritten in sleep_thread, and the read of
      the bh->state maybe reordered before the write to thread_wakeup_needed.
      
      This patch applies full memory barrier smp_mb() in both sleep_thread()
      and wakeup_thread() to ensure the order which the thread_wakeup_needed
      and bh->state are written and loaded.
      
      However, a better solution in the future would be to use wait_queue
      method that takes care of managing memory barrier between waker and
      waiter.
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarThinh Nguyen <thinhn@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      405ac24a
    • Hans de Goede's avatar
      drm: Fix oops + Xserver hang when unplugging USB drm devices · 1308eeec
      Hans de Goede authored
      commit 75fb6363 upstream.
      
      commit a39be606 ("drm: Do a full device unregister when unplugging")
      causes backtraces like this one when unplugging an usb drm device while
      it is in use:
      
      usb 2-3: USB disconnect, device number 25
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 242 at drivers/gpu/drm/drm_mode_config.c:424
         drm_mode_config_cleanup+0x220/0x280 [drm]
      ...
      RIP: 0010:drm_mode_config_cleanup+0x220/0x280 [drm]
      ...
      Call Trace:
       gm12u320_modeset_cleanup+0xe/0x10 [gm12u320]
       gm12u320_driver_unload+0x35/0x70 [gm12u320]
       drm_dev_unregister+0x3c/0xe0 [drm]
       drm_unplug_dev+0x12/0x60 [drm]
       gm12u320_usb_disconnect+0x36/0x40 [gm12u320]
       usb_unbind_interface+0x72/0x280
       device_release_driver_internal+0x158/0x210
       device_release_driver+0x12/0x20
       bus_remove_device+0x104/0x180
       device_del+0x1d2/0x350
       usb_disable_device+0x9f/0x270
       usb_disconnect+0xc6/0x260
      ...
      [drm:drm_mode_config_cleanup [drm]] *ERROR* connector Unknown-1 leaked!
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 242 at drivers/gpu/drm/drm_mode_config.c:458
         drm_mode_config_cleanup+0x268/0x280 [drm]
      ...
      <same Call Trace>
      ---[ end trace 80df975dae439ed6 ]---
      general protection fault: 0000 [#1] SMP
      ...
      Call Trace:
       ? __switch_to+0x225/0x450
       drm_mode_rmfb_work_fn+0x55/0x70 [drm]
       process_one_work+0x193/0x3c0
       worker_thread+0x4a/0x3a0
      ...
      RIP: drm_framebuffer_remove+0x62/0x3f0 [drm] RSP: ffffb776c39dfd98
      ---[ end trace 80df975dae439ed7 ]---
      
      After which the system is unusable this is caused by drm_dev_unregister
      getting called immediately on unplug, which calls the drivers unload
      function which calls drm_mode_config_cleanup which removes the framebuffer
      object while userspace is still holding a reference to it.
      
      Reverting commit a39be606 ("drm: Do a full device unregister
      when unplugging") leads to the following oops on unplug instead,
      when userspace closes the last fd referencing the drm_dev:
      
      sysfs group 'power' not found for kobject 'card1-Unknown-1'
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 2459 at fs/sysfs/group.c:237
         sysfs_remove_group+0x80/0x90
      ...
      RIP: 0010:sysfs_remove_group+0x80/0x90
      ...
      Call Trace:
       dpm_sysfs_remove+0x57/0x60
       device_del+0xfd/0x350
       device_unregister+0x1a/0x60
       drm_sysfs_connector_remove+0x39/0x50 [drm]
       drm_connector_unregister+0x5a/0x70 [drm]
       drm_connector_unregister_all+0x45/0xa0 [drm]
       drm_modeset_unregister_all+0x12/0x30 [drm]
       drm_dev_unregister+0xca/0xe0 [drm]
       drm_put_dev+0x32/0x60 [drm]
       drm_release+0x2f3/0x380 [drm]
       __fput+0xdf/0x1e0
      ...
      ---[ end trace ecfb91ac85688bbe ]---
      BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
      IP: down_write+0x1f/0x40
      ...
      Call Trace:
       debugfs_remove_recursive+0x55/0x1b0
       drm_debugfs_connector_remove+0x21/0x40 [drm]
       drm_connector_unregister+0x62/0x70 [drm]
       drm_connector_unregister_all+0x45/0xa0 [drm]
       drm_modeset_unregister_all+0x12/0x30 [drm]
       drm_dev_unregister+0xca/0xe0 [drm]
       drm_put_dev+0x32/0x60 [drm]
       drm_release+0x2f3/0x380 [drm]
       __fput+0xdf/0x1e0
      ...
      ---[ end trace ecfb91ac85688bbf ]---
      
      This is caused by the revert moving back to drm_unplug_dev calling
      drm_minor_unregister which does:
      
              device_del(minor->kdev);
              dev_set_drvdata(minor->kdev, NULL); /* safety belt */
              drm_debugfs_cleanup(minor);
      
      Causing the sysfs entries to already be removed even though we still
      have references to them in e.g. drm_connector.
      
      Note we must call drm_minor_unregister to notify userspace of the unplug
      of the device, so calling drm_dev_unregister is not completely wrong the
      problem is that drm_dev_unregister does too much.
      
      This commit fixes drm_unplug_dev by not only reverting
      commit a39be606 ("drm: Do a full device unregister when unplugging")
      but by also adding a call to drm_modeset_unregister_all before the
      drm_minor_unregister calls to make sure all sysfs entries are removed
      before calling device_del(minor->kdev) thereby also fixing the second
      set of oopses caused by just reverting the commit.
      
      Fixes: a39be606 ("drm: Do a full device unregister when unplugging")
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Jeffy <jeffy.chen@rock-chips.com>
      Cc: Marco Diego Aurélio Mesquita <marcodiegomesquita@gmail.com>
      Reported-by: default avatarMarco Diego Aurélio Mesquita <marcodiegomesquita@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarSean Paul <seanpaul@chromium.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170601115430.4113-1-hdegoede@redhat.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1308eeec
    • Jan Kara's avatar
      ext4: fix fdatasync(2) after extent manipulation operations · c404f0de
      Jan Kara authored
      commit 67a7d5f5 upstream.
      
      Currently, extent manipulation operations such as hole punch, range
      zeroing, or extent shifting do not record the fact that file data has
      changed and thus fdatasync(2) has a work to do. As a result if we crash
      e.g. after a punch hole and fdatasync, user can still possibly see the
      punched out data after journal replay. Test generic/392 fails due to
      these problems.
      
      Fix the problem by properly marking that file data has changed in these
      operations.
      
      Fixes: a4bb6b64Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c404f0de
    • Jan Kara's avatar
      ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO · 2e16921d
      Jan Kara authored
      commit 4f8caa60 upstream.
      
      When ext4_map_blocks() is called with EXT4_GET_BLOCKS_ZERO to zero-out
      allocated blocks and these blocks are actually converted from unwritten
      extent the following race can happen:
      
      CPU0					CPU1
      
      page fault				page fault
      ...					...
      ext4_map_blocks()
        ext4_ext_map_blocks()
          ext4_ext_handle_unwritten_extents()
            ext4_ext_convert_to_initialized()
      	- zero out converted extent
      	ext4_zeroout_es()
      	  - inserts extent as initialized in status tree
      
      					ext4_map_blocks()
      					  ext4_es_lookup_extent()
      					    - finds initialized extent
      					write data
        ext4_issue_zeroout()
          - zeroes out new extent overwriting data
      
      This problem can be reproduced by generic/340 for the fallocated case
      for the last block in the file.
      
      Fix the problem by avoiding zeroing out the area we are mapping with
      ext4_map_blocks() in ext4_ext_convert_to_initialized(). It is pointless
      to zero out this area in the first place as the caller asked us to
      convert the area to initialized because he is just going to write data
      there before the transaction finishes. To achieve this we delete the
      special case of zeroing out full extent as that will be handled by the
      cases below zeroing only the part of the extent that needs it. We also
      instruct ext4_split_extent() that the middle of extent being split
      contains data so that ext4_split_extent_at() cannot zero out full extent
      in case of ENOSPC.
      
      Fixes: 12735f88Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2e16921d
    • Konstantin Khlebnikov's avatar
      ext4: keep existing extra fields when inode expands · 9890b9cb
      Konstantin Khlebnikov authored
      commit 887a9730 upstream.
      
      ext4_expand_extra_isize() should clear only space between old and new
      size.
      
      Fixes: 6dd4ee7c # v2.6.23
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9890b9cb
    • Jan Kara's avatar
      ext4: fix SEEK_HOLE · 9850844e
      Jan Kara authored
      commit 7d95eddf upstream.
      
      Currently, SEEK_HOLE implementation in ext4 may both return that there's
      a hole at some offset although that offset already has data and skip
      some holes during a search for the next hole. The first problem is
      demostrated by:
      
      xfs_io -c "falloc 0 256k" -c "pwrite 0 56k" -c "seek -h 0" file
      wrote 57344/57344 bytes at offset 0
      56 KiB, 14 ops; 0.0000 sec (2.054 GiB/sec and 538461.5385 ops/sec)
      Whence	Result
      HOLE	0
      
      Where we can see that SEEK_HOLE wrongly returned offset 0 as containing
      a hole although we have written data there. The second problem can be
      demonstrated by:
      
      xfs_io -c "falloc 0 256k" -c "pwrite 0 56k" -c "pwrite 128k 8k"
             -c "seek -h 0" file
      
      wrote 57344/57344 bytes at offset 0
      56 KiB, 14 ops; 0.0000 sec (1.978 GiB/sec and 518518.5185 ops/sec)
      wrote 8192/8192 bytes at offset 131072
      8 KiB, 2 ops; 0.0000 sec (2 GiB/sec and 500000.0000 ops/sec)
      Whence	Result
      HOLE	139264
      
      Where we can see that hole at offsets 56k..128k has been ignored by the
      SEEK_HOLE call.
      
      The underlying problem is in the ext4_find_unwritten_pgoff() which is
      just buggy. In some cases it fails to update returned offset when it
      finds a hole (when no pages are found or when the first found page has
      higher index than expected), in some cases conditions for detecting hole
      are just missing (we fail to detect a situation where indices of
      returned pages are not contiguous).
      
      Fix ext4_find_unwritten_pgoff() to properly detect non-contiguous page
      indices and also handle all cases where we got less pages then expected
      in one place and handle it properly there.
      
      Fixes: c8c0df24
      CC: Zheng Liu <wenqing.lz@taobao.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9850844e
    • Julien Grall's avatar
      xen/privcmd: Support correctly 64KB page granularity when mapping memory · 9636c086
      Julien Grall authored
      commit 753c09b5 upstream.
      
      Commit 5995a68a "xen/privcmd: Add support for Linux 64KB page granularity" did
      not go far enough to support 64KB in mmap_batch_fn.
      
      The variable 'nr' is the number of 4KB chunk to map. However, when Linux
      is using 64KB page granularity the array of pages (vma->vm_private_data)
      contain one page per 64KB. Fix it by incrementing st->index correctly.
      
      Furthermore, st->va is not correctly incremented as PAGE_SIZE !=
      XEN_PAGE_SIZE.
      
      Fixes: 5995a68a ("xen/privcmd: Add support for Linux 64KB page granularity")
      Reported-by: default avatarFeng Kan <fkan@apm.com>
      Signed-off-by: default avatarJulien Grall <julien.grall@arm.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9636c086
    • Hou Tao's avatar
      cfq-iosched: fix the delay of cfq_group's vdisktime under iops mode · 08229c11
      Hou Tao authored
      commit 5be6b756 upstream.
      
      When adding a cfq_group into the cfq service tree, we use CFQ_IDLE_DELAY
      as the delay of cfq_group's vdisktime if there have been other cfq_groups
      already.
      
      When cfq is under iops mode, commit 9a7f38c4 ("cfq-iosched: Convert
      from jiffies to nanoseconds") could result in a large iops delay and
      lead to an abnormal io schedule delay for the added cfq_group. To fix
      it, we just need to revert to the old CFQ_IDLE_DELAY value: HZ / 5
      when iops mode is enabled.
      
      Despite having the same value, the delay of a cfq_queue in idle class
      and the delay of cfq_group are different things, so I define two new
      macros for the delay of a cfq_group under time-slice mode and iops mode.
      
      Fixes: 9a7f38c4 ("cfq-iosched: Convert from jiffies to nanoseconds")
      Signed-off-by: default avatarHou Tao <houtao1@huawei.com>
      Acked-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08229c11
    • Thomas Petazzoni's avatar
      dmaengine: mv_xor_v2: set DMA mask to 40 bits · 1f67d28d
      Thomas Petazzoni authored
      commit b2d3c270 upstream.
      
      The XORv2 engine on Armada 7K/8K can only access the first 40 bits of
      the physical address space, so the DMA mask must be set accordingly.
      
      Fixes: 19a340b1 ("dmaengine: mv_xor_v2: new driver")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f67d28d
    • Thomas Petazzoni's avatar
      dmaengine: mv_xor_v2: remove interrupt coalescing · eb5afaba
      Thomas Petazzoni authored
      commit 9dd4f319 upstream.
      
      The current implementation of interrupt coalescing doesn't work, because
      it doesn't configure the coalescing timer, which is needed to make sure
      we get an interrupt at some point.
      
      As a fix for stable, we simply remove the interrupt coalescing
      functionality. It will be re-introduced properly in a future commit.
      
      Fixes: 19a340b1 ("dmaengine: mv_xor_v2: new driver")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb5afaba
    • Thomas Petazzoni's avatar
      dmaengine: mv_xor_v2: fix tx_submit() implementation · b2c8bb06
      Thomas Petazzoni authored
      commit 44d5887a upstream.
      
      The mv_xor_v2_tx_submit() gets the next available HW descriptor by
      calling mv_xor_v2_get_desq_write_ptr(), which reads a HW register
      telling the next available HW descriptor. This was working fine when HW
      descriptors were issued for processing directly in tx_submit().
      
      However, as part of the review process of the driver, a change was
      requested to move the actual kick-off of HW descriptors processing to
      ->issue_pending(). Due to this, reading the HW register to know the next
      available HW descriptor no longer works.
      
      So instead of using this HW register, we implemented a software index
      pointing to the next available HW descriptor.
      
      Fixes: 19a340b1 ("dmaengine: mv_xor_v2: new driver")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2c8bb06
    • Hanna Hawa's avatar
      dmaengine: mv_xor_v2: enable XOR engine after its configuration · 0d091850
      Hanna Hawa authored
      commit ab2c5f0a upstream.
      
      The engine was enabled prior to its configuration, which isn't
      correct. This patch relocates the activation of the XOR engine, to be
      after the configuration of the XOR engine.
      
      Fixes: 19a340b1 ("dmaengine: mv_xor_v2: new driver")
      Signed-off-by: default avatarHanna Hawa <hannah@marvell.com>
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d091850
    • Thomas Petazzoni's avatar
      dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx · e2a092ea
      Thomas Petazzoni authored
      commit bc473da1 upstream.
      
      Descriptors that have not been acknowledged by the async_tx layer
      should not be re-used, so this commit adjusts the implementation of
      mv_xor_v2_prep_sw_desc() to skip descriptors for which
      async_tx_test_ack() is false.
      
      Fixes: 19a340b1 ("dmaengine: mv_xor_v2: new driver")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2a092ea
    • Thomas Petazzoni's avatar
      dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors · 67b1684c
      Thomas Petazzoni authored
      commit 2aab4e18 upstream.
      
      mv_xor_v2_tasklet() is looping over completed HW descriptors. Before the
      loop, it initializes 'next_pending_hw_desc' to the first HW descriptor
      to handle, and then the loop simply increments this point, without
      taking care of wrapping when we reach the last HW descriptor. The
      'pending_ptr' index was being wrapped back to 0 at the end, but it
      wasn't used in each iteration of the loop to calculate
      next_pending_hw_desc.
      
      This commit fixes that, and makes next_pending_hw_desc a variable local
      to the loop itself.
      
      Fixes: 19a340b1 ("dmaengine: mv_xor_v2: new driver")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      67b1684c
    • Thomas Petazzoni's avatar
      dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly · f08c84d4
      Thomas Petazzoni authored
      commit eb8df543 upstream.
      
      The mv_xor_v2_prep_sw_desc() is called from a few different places in
      the driver, but we never take into account the fact that it might
      return NULL. This commit fixes that, ensuring that we don't panic if
      there are no more descriptors available.
      
      Fixes: 19a340b1 ("dmaengine: mv_xor_v2: new driver")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f08c84d4
    • Alexander Sverdlin's avatar
      dmaengine: ep93xx: Don't drain the transfers in terminate_all() · f2e9d10b
      Alexander Sverdlin authored
      commit 98f9de36 upstream.
      
      Draining the transfers in terminate_all callback happens with IRQs disabled,
      therefore induces huge latency:
      
       irqsoff latency trace v1.1.5 on 4.11.0
       --------------------------------------------------------------------
       latency: 39770 us, #57/57, CPU#0 | (M:preempt VP:0, KP:0, SP:0 HP:0)
          -----------------
          | task: process-129 (uid:0 nice:0 policy:2 rt_prio:50)
          -----------------
        => started at: _snd_pcm_stream_lock_irqsave
        => ended at:   snd_pcm_stream_unlock_irqrestore
      
                        _------=> CPU#
                       / _-----=> irqs-off
                      | / _----=> need-resched
                      || / _---=> hardirq/softirq
                      ||| / _--=> preempt-depth
                      |||| /     delay
        cmd     pid   ||||| time  |   caller
           \   /      |||||  \    |   /
      process-129     0d.s.    3us : _snd_pcm_stream_lock_irqsave
      process-129     0d.s1    9us : snd_pcm_stream_lock <-_snd_pcm_stream_lock_irqsave
      process-129     0d.s1   15us : preempt_count_add <-snd_pcm_stream_lock
      process-129     0d.s2   22us : preempt_count_add <-snd_pcm_stream_lock
      process-129     0d.s3   32us : snd_pcm_update_hw_ptr0 <-snd_pcm_period_elapsed
      process-129     0d.s3   41us : soc_pcm_pointer <-snd_pcm_update_hw_ptr0
      process-129     0d.s3   50us : dmaengine_pcm_pointer <-soc_pcm_pointer
      process-129     0d.s3   58us+: snd_dmaengine_pcm_pointer_no_residue <-dmaengine_pcm_pointer
      process-129     0d.s3   96us : update_audio_tstamp <-snd_pcm_update_hw_ptr0
      process-129     0d.s3  103us : snd_pcm_update_state <-snd_pcm_update_hw_ptr0
      process-129     0d.s3  112us : xrun <-snd_pcm_update_state
      process-129     0d.s3  119us : snd_pcm_stop <-xrun
      process-129     0d.s3  126us : snd_pcm_action <-snd_pcm_stop
      process-129     0d.s3  134us : snd_pcm_action_single <-snd_pcm_action
      process-129     0d.s3  141us : snd_pcm_pre_stop <-snd_pcm_action_single
      process-129     0d.s3  150us : snd_pcm_do_stop <-snd_pcm_action_single
      process-129     0d.s3  157us : soc_pcm_trigger <-snd_pcm_do_stop
      process-129     0d.s3  166us : snd_dmaengine_pcm_trigger <-soc_pcm_trigger
      process-129     0d.s3  175us : ep93xx_dma_terminate_all <-snd_dmaengine_pcm_trigger
      process-129     0d.s3  182us : preempt_count_add <-ep93xx_dma_terminate_all
      process-129     0d.s4  189us*: m2p_hw_shutdown <-ep93xx_dma_terminate_all
      process-129     0d.s4 39472us : m2p_hw_setup <-ep93xx_dma_terminate_all
      
       ... rest skipped...
      
      process-129     0d.s. 40080us : <stack trace>
       => ep93xx_dma_tasklet
       => tasklet_action
       => __do_softirq
       => irq_exit
       => __handle_domain_irq
       => vic_handle_irq
       => __irq_usr
       => 0xb66c6668
      
      Just abort the transfers and warn if the HW state is not what we expect.
      Move draining into device_synchronize callback.
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@gmail.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2e9d10b
    • Alexander Sverdlin's avatar
      dmaengine: ep93xx: Always start from BASE0 · b7e7a4d5
      Alexander Sverdlin authored
      commit 0037ae47 upstream.
      
      The current buffer is being reset to zero on device_free_chan_resources()
      but not on device_terminate_all(). It could happen that HW is restarted and
      expects BASE0 to be used, but the driver is not synchronized and will start
      from BASE1. One solution is to reset the buffer explicitly in
      m2p_hw_setup().
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@gmail.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7e7a4d5
    • Hiroyuki Yokoyama's avatar
      dmaengine: usb-dmac: Fix DMAOR AE bit definition · cd0ef520
      Hiroyuki Yokoyama authored
      commit 9a445bbb upstream.
      
      This patch fixes the register definition of AE (Address Error flag) bit.
      
      Fixes: 0c1c8ff3 ("dmaengine: usb-dmac: Add Renesas USB DMA Controller (USB-DMAC) driver")
      Signed-off-by: default avatarHiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
      [Shimoda: add Fixes and Cc tags in the commit log]
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd0ef520
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-v2: Do not use Active+Pending state for a HW interrupt · 3e7a76b2
      Marc Zyngier authored
      commit ddf42d06 upstream.
      
      When an interrupt is injected with the HW bit set (indicating that
      deactivation should be propagated to the physical distributor),
      special care must be taken so that we never mark the corresponding
      LR with the Active+Pending state (as the pending state is kept in
      the physycal distributor).
      
      Cc: stable@vger.kernel.org
      Fixes: 140b086d ("KVM: arm/arm64: vgic-new: Add GICv2 world switch backend")
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e7a76b2
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-v3: Do not use Active+Pending state for a HW interrupt · 2a5c08a4
      Marc Zyngier authored
      commit 3d6e77ad upstream.
      
      When an interrupt is injected with the HW bit set (indicating that
      deactivation should be propagated to the physical distributor),
      special care must be taken so that we never mark the corresponding
      LR with the Active+Pending state (as the pending state is kept in
      the physycal distributor).
      
      Fixes: 59529f69 ("KVM: arm/arm64: vgic-new: Add GICv3 world switch backend")
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      2a5c08a4
    • Wanpeng Li's avatar
      KVM: async_pf: avoid async pf injection when in guest mode · 81555e45
      Wanpeng Li authored
      commit 9bc1f09f upstream.
      
       INFO: task gnome-terminal-:1734 blocked for more than 120 seconds.
             Not tainted 4.12.0-rc4+ #8
       "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
       gnome-terminal- D    0  1734   1015 0x00000000
       Call Trace:
        __schedule+0x3cd/0xb30
        schedule+0x40/0x90
        kvm_async_pf_task_wait+0x1cc/0x270
        ? __vfs_read+0x37/0x150
        ? prepare_to_swait+0x22/0x70
        do_async_page_fault+0x77/0xb0
        ? do_async_page_fault+0x77/0xb0
        async_page_fault+0x28/0x30
      
      This is triggered by running both win7 and win2016 on L1 KVM simultaneously,
      and then gives stress to memory on L1, I can observed this hang on L1 when
      at least ~70% swap area is occupied on L0.
      
      This is due to async pf was injected to L2 which should be injected to L1,
      L2 guest starts receiving pagefault w/ bogus %cr2(apf token from the host
      actually), and L1 guest starts accumulating tasks stuck in D state in
      kvm_async_pf_task_wait() since missing PAGE_READY async_pfs.
      
      This patch fixes the hang by doing async pf when executing L1 guest.
      
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      81555e45
    • Marc Zyngier's avatar
      arm: KVM: Allow unaligned accesses at HYP · 85c19308
      Marc Zyngier authored
      commit 33b5c388 upstream.
      
      We currently have the HSCTLR.A bit set, trapping unaligned accesses
      at HYP, but we're not really prepared to deal with it.
      
      Since the rest of the kernel is pretty happy about that, let's follow
      its example and set HSCTLR.A to zero. Modern CPUs don't really care.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85c19308
    • Marc Zyngier's avatar
      arm64: KVM: Allow unaligned accesses at EL2 · 8abce1e4
      Marc Zyngier authored
      commit 78fd6dcf upstream.
      
      We currently have the SCTLR_EL2.A bit set, trapping unaligned accesses
      at EL2, but we're not really prepared to deal with it. So far, this
      has been unnoticed, until GCC 7 started emitting those (in particular
      64bit writes on a 32bit boundary).
      
      Since the rest of the kernel is pretty happy about that, let's follow
      its example and set SCTLR_EL2.A to zero. Modern CPUs don't really
      care.
      Reported-by: default avatarAlexander Graf <agraf@suse.de>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8abce1e4
    • Marc Zyngier's avatar
      arm64: KVM: Preserve RES1 bits in SCTLR_EL2 · b9824dd7
      Marc Zyngier authored
      commit d68c1f7f upstream.
      
      __do_hyp_init has the rather bad habit of ignoring RES1 bits and
      writing them back as zero. On a v8.0-8.2 CPU, this doesn't do anything
      bad, but may end-up being pretty nasty on future revisions of the
      architecture.
      
      Let's preserve those bits so that we don't have to fix this later on.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9824dd7
    • Wanpeng Li's avatar
      KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation · 19c9a115
      Wanpeng Li authored
      commit a3641631 upstream.
      
      If "i" is the last element in the vcpu->arch.cpuid_entries[] array, it
      potentially can be exploited the vulnerability. this will out-of-bounds
      read and write.  Luckily, the effect is small:
      
      	/* when no next entry is found, the current entry[i] is reselected */
      	for (j = i + 1; ; j = (j + 1) % nent) {
      		struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
      		if (ej->function == e->function) {
      
      It reads ej->maxphyaddr, which is user controlled.  However...
      
      			ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
      
      After cpuid_entries there is
      
      	int maxphyaddr;
      	struct x86_emulate_ctxt emulate_ctxt;  /* 16-byte aligned */
      
      So we have:
      
      - cpuid_entries at offset 1B50 (6992)
      - maxphyaddr at offset 27D0 (6992 + 3200 = 10192)
      - padding at 27D4...27DF
      - emulate_ctxt at 27E0
      
      And it writes in the padding.  Pfew, writing the ops field of emulate_ctxt
      would have been much worse.
      
      This patch fixes it by modding the index to avoid the out-of-bounds
      access. Worst case, i == j and ej->function == e->function,
      the loop can bail out.
      Reported-by: default avatarMoguofang <moguofang@huawei.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Guofang Mo <moguofang@huawei.com>
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19c9a115
    • Paolo Bonzini's avatar
      kvm: async_pf: fix rcu_irq_enter() with irqs enabled · 78f87ce2
      Paolo Bonzini authored
      commit bbaf0e2b upstream.
      
      native_safe_halt enables interrupts, and you just shouldn't
      call rcu_irq_enter() with interrupts enabled.  Reorder the
      call with the following local_irq_disable() to respect the
      invariant.
      Reported-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Acked-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Tested-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      78f87ce2
    • Juergen Gross's avatar
      efi: Don't issue error message when booted under Xen · 4809f0e5
      Juergen Gross authored
      commit 1ea34adb upstream.
      
      When booted as Xen dom0 there won't be an EFI memmap allocated. Avoid
      issuing an error message in this case:
      
        [    0.144079] efi: Failed to allocate new EFI memmap
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarMatt Fleming <matt@codeblueprint.co.uk>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Link: http://lkml.kernel.org/r/20170526113652.21339-2-matt@codeblueprint.co.ukSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4809f0e5
    • Trond Myklebust's avatar
      nfsd: Fix up the "supattr_exclcreat" attributes · e273ed24
      Trond Myklebust authored
      commit b26b78cb upstream.
      
      If an NFSv4 client asks us for the supattr_exclcreat, then we must
      not return attributes that are unsupported by this minor version.
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Fixes: 75976de6 ("NFSD: Return word2 bitmask if setting security..,")
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e273ed24
    • J. Bruce Fields's avatar
      nfsd4: fix null dereference on replay · bfeac838
      J. Bruce Fields authored
      commit 9a307403 upstream.
      
      if we receive a compound such that:
      
      	- the sessionid, slot, and sequence number in the SEQUENCE op
      	  match a cached succesful reply with N ops, and
      	- the Nth operation of the compound is a PUTFH, PUTPUBFH,
      	  PUTROOTFH, or RESTOREFH,
      
      then nfsd4_sequence will return 0 and set cstate->status to
      nfserr_replay_cache.  The current filehandle will not be set.  This will
      cause us to call check_nfsd_access with first argument NULL.
      
      To nfsd4_compound it looks like we just succesfully executed an
      operation that set a filehandle, but the current filehandle is not set.
      
      Fix this by moving the nfserr_replay_cache earlier.  There was never any
      reason to have it after the encode_op label, since the only case where
      he hit that is when opdesc->op_func sets it.
      
      Note that there are two ways we could hit this case:
      
      	- a client is resending a previously sent compound that ended
      	  with one of the four PUTFH-like operations, or
      	- a client is sending a *new* compound that (incorrectly) shares
      	  sessionid, slot, and sequence number with a previously sent
      	  compound, and the length of the previously sent compound
      	  happens to match the position of a PUTFH-like operation in the
      	  new compound.
      
      The second is obviously incorrect client behavior.  The first is also
      very strange--the only purpose of a PUTFH-like operation is to set the
      current filehandle to be used by the following operation, so there's no
      point in having it as the last in a compound.
      
      So it's likely this requires a buggy or malicious client to reproduce.
      Reported-by: default avatarScott Mayhew <smayhew@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bfeac838
    • Alex Deucher's avatar
      drm/amdgpu/ci: disable mclk switching for high refresh rates (v2) · 34bae9b3
      Alex Deucher authored
      commit 0a646f33 upstream.
      
      Even if the vblank period would allow it, it still seems to
      be problematic on some cards.
      
      v2: fix logic inversion (Nils)
      
      bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34bae9b3
    • Gilad Ben-Yossef's avatar
      crypto: gcm - wait for crypto op not signal safe · d4783eb9
      Gilad Ben-Yossef authored
      commit f3ad5870 upstream.
      
      crypto_gcm_setkey() was using wait_for_completion_interruptible() to
      wait for completion of async crypto op but if a signal occurs it
      may return before DMA ops of HW crypto provider finish, thus
      corrupting the data buffer that is kfree'ed in this case.
      
      Resolve this by using wait_for_completion() instead.
      Reported-by: default avatarEric Biggers <ebiggers3@gmail.com>
      Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4783eb9
    • Gilad Ben-Yossef's avatar
      crypto: drbg - wait for crypto op not signal safe · 2d028007
      Gilad Ben-Yossef authored
      commit a5dfefb1 upstream.
      
      drbg_kcapi_sym_ctr() was using wait_for_completion_interruptible() to
      wait for completion of async crypto op but if a signal occurs it
      may return before DMA ops of HW crypto provider finish, thus
      corrupting the output buffer.
      
      Resolve this by using wait_for_completion() instead.
      Reported-by: default avatarEric Biggers <ebiggers3@gmail.com>
      Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d028007
    • Eric Biggers's avatar
      KEYS: encrypted: avoid encrypting/decrypting stack buffers · d24c1c19
      Eric Biggers authored
      commit e9ff56ac upstream.
      
      Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
      stack buffers because the stack may be virtually mapped.  Fix this for
      the padding buffers in encrypted-keys by using ZERO_PAGE for the
      encryption padding and by allocating a temporary heap buffer for the
      decryption padding.
      
      Tested with CONFIG_DEBUG_SG=y:
      	keyctl new_session
      	keyctl add user master "abcdefghijklmnop" @s
      	keyid=$(keyctl add encrypted desc "new user:master 25" @s)
      	datablob="$(keyctl pipe $keyid)"
      	keyctl unlink $keyid
      	keyid=$(keyctl add encrypted desc "load $datablob" @s)
      	datablob2="$(keyctl pipe $keyid)"
      	[ "$datablob" = "$datablob2" ] && echo "Success!"
      
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d24c1c19
    • Eric Biggers's avatar
      KEYS: fix freeing uninitialized memory in key_update() · 24369761
      Eric Biggers authored
      commit 63a0b050 upstream.
      
      key_update() freed the key_preparsed_payload even if it was not
      initialized first.  This would cause a crash if userspace called
      keyctl_update() on a key with type like "asymmetric" that has a
      ->preparse() method but not an ->update() method.  Possibly it could
      even be triggered for other key types by racing with keyctl_setperm() to
      make the KEY_NEED_WRITE check fail (the permission was already checked,
      so normally it wouldn't fail there).
      
      Reproducer with key type "asymmetric", given a valid cert.der:
      
      keyctl new_session
      keyid=$(keyctl padd asymmetric desc @s < cert.der)
      keyctl setperm $keyid 0x3f000000
      keyctl update $keyid data
      
      [  150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
      [  150.687601] IP: asymmetric_key_free_kids+0x12/0x30
      [  150.688139] PGD 38a3d067
      [  150.688141] PUD 3b3de067
      [  150.688447] PMD 0
      [  150.688745]
      [  150.689160] Oops: 0000 [#1] SMP
      [  150.689455] Modules linked in:
      [  150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8 #742
      [  150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
      [  150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000
      [  150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30
      [  150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202
      [  150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004
      [  150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001
      [  150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000
      [  150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
      [  150.707393] R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f
      [  150.709720] FS:  00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
      [  150.711504] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0
      [  150.714487] Call Trace:
      [  150.714975]  asymmetric_key_free_preparse+0x2f/0x40
      [  150.715907]  key_update+0xf7/0x140
      [  150.716560]  ? key_default_cmp+0x20/0x20
      [  150.717319]  keyctl_update_key+0xb0/0xe0
      [  150.718066]  SyS_keyctl+0x109/0x130
      [  150.718663]  entry_SYSCALL_64_fastpath+0x1f/0xc2
      [  150.719440] RIP: 0033:0x7fcbce75ff19
      [  150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
      [  150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19
      [  150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002
      [  150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e
      [  150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80
      [  150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f
      [  150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8
      [  150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58
      [  150.728117] CR2: 0000000000000001
      [  150.728430] ---[ end trace f7f8fe1da2d5ae8d ]---
      
      Fixes: 4d8c0250 ("KEYS: Call ->free_preparse() even after ->preparse() returns an error")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24369761
    • Eric Biggers's avatar
      KEYS: fix dereferencing NULL payload with nonzero length · 1b253e02
      Eric Biggers authored
      commit 5649645d upstream.
      
      sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
      NULL payload with nonzero length to be passed to the key type's
      ->preparse(), ->instantiate(), and/or ->update() methods.  Various key
      types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
      not handle this case, allowing an unprivileged user to trivially cause a
      NULL pointer dereference (kernel oops) if one of these key types was
      present.  Fix it by doing the copy_from_user() when 'plen' is nonzero
      rather than when '_payload' is non-NULL, causing the syscall to fail
      with EFAULT as expected when an invalid buffer is specified.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b253e02