1. 25 May, 2017 40 commits
    • Linus Torvalds's avatar
      x86: fix 32-bit case of __get_user_asm_u64() · efb209c8
      Linus Torvalds authored
      commit 33c9e972 upstream.
      
      The code to fetch a 64-bit value from user space was entirely buggered,
      and has been since the code was merged in early 2016 in commit
      b2f68038 ("x86/mm/32: Add support for 64-bit __get_user() on 32-bit
      kernels").
      
      Happily the buggered routine is almost certainly entirely unused, since
      the normal way to access user space memory is just with the non-inlined
      "get_user()", and the inlined version didn't even historically exist.
      
      The normal "get_user()" case is handled by external hand-written asm in
      arch/x86/lib/getuser.S that doesn't have either of these issues.
      
      There were two independent bugs in __get_user_asm_u64():
      
       - it still did the STAC/CLAC user space access marking, even though
         that is now done by the wrapper macros, see commit 11f1a4b9
         ("x86: reorganize SMAP handling in user space accesses").
      
         This didn't result in a semantic error, it just means that the
         inlined optimized version was hugely less efficient than the
         allegedly slower standard version, since the CLAC/STAC overhead is
         quite high on modern Intel CPU's.
      
       - the double register %eax/%edx was marked as an output, but the %eax
         part of it was touched early in the asm, and could thus clobber other
         inputs to the asm that gcc didn't expect it to touch.
      
         In particular, that meant that the generated code could look like
         this:
      
              mov    (%eax),%eax
              mov    0x4(%eax),%edx
      
         where the load of %edx obviously was _supposed_ to be from the 32-bit
         word that followed the source of %eax, but because %eax was
         overwritten by the first instruction, the source of %edx was
         basically random garbage.
      
      The fixes are trivial: remove the extraneous STAC/CLAC entries, and mark
      the 64-bit output as early-clobber to let gcc know that no inputs should
      alias with the output register.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      efb209c8
    • Wanpeng Li's avatar
      KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation · 5bbaf88d
      Wanpeng Li authored
      commit cbfc6c91 upstream.
      
      Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation.
      
      - "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only,
        a read should be ignored) in guest can get a random number.
      - "rep insb" instruction to access PIT register port 0x43 can control memcpy()
        in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes,
        which will disclose the unimportant kernel memory in host but no crash.
      
      The similar test program below can reproduce the read out-of-bounds vulnerability:
      
      void hexdump(void *mem, unsigned int len)
      {
              unsigned int i, j;
      
              for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
              {
                      /* print offset */
                      if(i % HEXDUMP_COLS == 0)
                      {
                              printf("0x%06x: ", i);
                      }
      
                      /* print hex data */
                      if(i < len)
                      {
                              printf("%02x ", 0xFF & ((char*)mem)[i]);
                      }
                      else /* end of block, just aligning for ASCII dump */
                      {
                              printf("   ");
                      }
      
                      /* print ASCII dump */
                      if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1))
                      {
                              for(j = i - (HEXDUMP_COLS - 1); j <= i; j++)
                              {
                                      if(j >= len) /* end of block, not really printing */
                                      {
                                              putchar(' ');
                                      }
                                      else if(isprint(((char*)mem)[j])) /* printable char */
                                      {
                                              putchar(0xFF & ((char*)mem)[j]);
                                      }
                                      else /* other char */
                                      {
                                              putchar('.');
                                      }
                              }
                              putchar('\n');
                      }
              }
      }
      
      int main(void)
      {
      	int i;
      	if (iopl(3))
      	{
      		err(1, "set iopl unsuccessfully\n");
      		return -1;
      	}
      	static char buf[0x40];
      
      	/* test ioport 0x40,0x41,0x42,0x43,0x44,0x45 */
      
      	memset(buf, 0xab, sizeof(buf));
      
      	asm volatile("push %rdi;");
      	asm volatile("mov %0, %%rdi;"::"q"(buf));
      
      	asm volatile ("mov $0x40, %rdx;");
      	asm volatile ("in %dx,%al;");
      	asm volatile ("stosb;");
      
      	asm volatile ("mov $0x41, %rdx;");
      	asm volatile ("in %dx,%al;");
      	asm volatile ("stosb;");
      
      	asm volatile ("mov $0x42, %rdx;");
      	asm volatile ("in %dx,%al;");
      	asm volatile ("stosb;");
      
      	asm volatile ("mov $0x43, %rdx;");
      	asm volatile ("in %dx,%al;");
      	asm volatile ("stosb;");
      
      	asm volatile ("mov $0x44, %rdx;");
      	asm volatile ("in %dx,%al;");
      	asm volatile ("stosb;");
      
      	asm volatile ("mov $0x45, %rdx;");
      	asm volatile ("in %dx,%al;");
      	asm volatile ("stosb;");
      
      	asm volatile ("pop %rdi;");
      	hexdump(buf, 0x40);
      
      	printf("\n");
      
      	/* ins port 0x40 */
      
      	memset(buf, 0xab, sizeof(buf));
      
      	asm volatile("push %rdi;");
      	asm volatile("mov %0, %%rdi;"::"q"(buf));
      
      	asm volatile ("mov $0x20, %rcx;");
      	asm volatile ("mov $0x40, %rdx;");
      	asm volatile ("rep insb;");
      
      	asm volatile ("pop %rdi;");
      	hexdump(buf, 0x40);
      
      	printf("\n");
      
      	/* ins port 0x43 */
      
      	memset(buf, 0xab, sizeof(buf));
      
      	asm volatile("push %rdi;");
      	asm volatile("mov %0, %%rdi;"::"q"(buf));
      
      	asm volatile ("mov $0x20, %rcx;");
      	asm volatile ("mov $0x43, %rdx;");
      	asm volatile ("rep insb;");
      
      	asm volatile ("pop %rdi;");
      	hexdump(buf, 0x40);
      
      	printf("\n");
      	return 0;
      }
      
      The vcpu->arch.pio_data buffer is used by both in/out instrutions emulation
      w/o clear after using which results in some random datas are left over in
      the buffer. Guest reads port 0x43 will be ignored since it is write only,
      however, the function kernel_pio() can't distigush this ignore from successfully
      reads data from device's ioport. There is no new data fill the buffer from
      port 0x43, however, emulator_pio_in_emulated() will copy the stale data in
      the buffer to the guest unconditionally. This patch fixes it by clearing the
      buffer before in instruction emulation to avoid to grant guest the stale data
      in the buffer.
      
      In addition, string I/O is not supported for in kernel device. So there is no
      iteration to read ioport %RCX times for string I/O. The function kernel_pio()
      just reads one round, and then copy the io size * %RCX to the guest unconditionally,
      actually it copies the one round ioport data w/ other random datas which are left
      over in the vcpu->arch.pio_data buffer to the guest. This patch fixes it by
      introducing the string I/O support for in kernel device in order to grant the right
      ioport datas to the guest.
      
      Before the patch:
      
      0x000000: fe 38 93 93 ff ff ab ab .8......
      0x000008: ab ab ab ab ab ab ab ab ........
      0x000010: ab ab ab ab ab ab ab ab ........
      0x000018: ab ab ab ab ab ab ab ab ........
      0x000020: ab ab ab ab ab ab ab ab ........
      0x000028: ab ab ab ab ab ab ab ab ........
      0x000030: ab ab ab ab ab ab ab ab ........
      0x000038: ab ab ab ab ab ab ab ab ........
      
      0x000000: f6 00 00 00 00 00 00 00 ........
      0x000008: 00 00 00 00 00 00 00 00 ........
      0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
      0x000018: 30 30 20 33 20 20 20 20 00 3
      0x000020: ab ab ab ab ab ab ab ab ........
      0x000028: ab ab ab ab ab ab ab ab ........
      0x000030: ab ab ab ab ab ab ab ab ........
      0x000038: ab ab ab ab ab ab ab ab ........
      
      0x000000: f6 00 00 00 00 00 00 00 ........
      0x000008: 00 00 00 00 00 00 00 00 ........
      0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
      0x000018: 30 30 20 33 20 20 20 20 00 3
      0x000020: ab ab ab ab ab ab ab ab ........
      0x000028: ab ab ab ab ab ab ab ab ........
      0x000030: ab ab ab ab ab ab ab ab ........
      0x000038: ab ab ab ab ab ab ab ab ........
      
      After the patch:
      
      0x000000: 1e 02 f8 00 ff ff ab ab ........
      0x000008: ab ab ab ab ab ab ab ab ........
      0x000010: ab ab ab ab ab ab ab ab ........
      0x000018: ab ab ab ab ab ab ab ab ........
      0x000020: ab ab ab ab ab ab ab ab ........
      0x000028: ab ab ab ab ab ab ab ab ........
      0x000030: ab ab ab ab ab ab ab ab ........
      0x000038: ab ab ab ab ab ab ab ab ........
      
      0x000000: d2 e2 d2 df d2 db d2 d7 ........
      0x000008: d2 d3 d2 cf d2 cb d2 c7 ........
      0x000010: d2 c4 d2 c0 d2 bc d2 b8 ........
      0x000018: d2 b4 d2 b0 d2 ac d2 a8 ........
      0x000020: ab ab ab ab ab ab ab ab ........
      0x000028: ab ab ab ab ab ab ab ab ........
      0x000030: ab ab ab ab ab ab ab ab ........
      0x000038: ab ab ab ab ab ab ab ab ........
      
      0x000000: 00 00 00 00 00 00 00 00 ........
      0x000008: 00 00 00 00 00 00 00 00 ........
      0x000010: 00 00 00 00 00 00 00 00 ........
      0x000018: 00 00 00 00 00 00 00 00 ........
      0x000020: ab ab ab ab ab ab ab ab ........
      0x000028: ab ab ab ab ab ab ab ab ........
      0x000030: ab ab ab ab ab ab ab ab ........
      0x000038: ab ab ab ab ab ab ab ab ........
      Reported-by: default avatarMoguofang <moguofang@huawei.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Moguofang <moguofang@huawei.com>
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5bbaf88d
    • Wanpeng Li's avatar
      KVM: x86: Fix potential preemption when get the current kvmclock timestamp · b67dcf8c
      Wanpeng Li authored
      commit e2c2206a upstream.
      
       BUG: using __this_cpu_read() in preemptible [00000000] code: qemu-system-x86/2809
       caller is __this_cpu_preempt_check+0x13/0x20
       CPU: 2 PID: 2809 Comm: qemu-system-x86 Not tainted 4.11.0+ #13
       Call Trace:
        dump_stack+0x99/0xce
        check_preemption_disabled+0xf5/0x100
        __this_cpu_preempt_check+0x13/0x20
        get_kvmclock_ns+0x6f/0x110 [kvm]
        get_time_ref_counter+0x5d/0x80 [kvm]
        kvm_hv_process_stimers+0x2a1/0x8a0 [kvm]
        ? kvm_hv_process_stimers+0x2a1/0x8a0 [kvm]
        ? kvm_arch_vcpu_ioctl_run+0xac9/0x1ce0 [kvm]
        kvm_arch_vcpu_ioctl_run+0x5bf/0x1ce0 [kvm]
        kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
        ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
        ? __fget+0xf3/0x210
        do_vfs_ioctl+0xa4/0x700
        ? __fget+0x114/0x210
        SyS_ioctl+0x79/0x90
        entry_SYSCALL_64_fastpath+0x23/0xc2
       RIP: 0033:0x7f9d164ed357
        ? __this_cpu_preempt_check+0x13/0x20
      
      This can be reproduced by run kvm-unit-tests/hyperv_stimer.flat w/
      CONFIG_PREEMPT and CONFIG_DEBUG_PREEMPT enabled.
      
      Safe access to per-CPU data requires a couple of constraints, though: the
      thread working with the data cannot be preempted and it cannot be migrated
      while it manipulates per-CPU variables. If the thread is preempted, the
      thread that replaces it could try to work with the same variables; migration
      to another CPU could also cause confusion. However there is no preemption
      disable when reads host per-CPU tsc rate to calculate the current kvmclock
      timestamp.
      
      This patch fixes it by utilizing get_cpu/put_cpu pair to guarantee both
      __this_cpu_read() and rdtsc() are not preempted.
      
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b67dcf8c
    • Wanpeng Li's avatar
      KVM: x86: Fix load damaged SSEx MXCSR register · 8223e8f9
      Wanpeng Li authored
      commit a575813b upstream.
      
      Reported by syzkaller:
      
         BUG: unable to handle kernel paging request at ffffffffc07f6a2e
         IP: report_bug+0x94/0x120
         PGD 348e12067
         P4D 348e12067
         PUD 348e14067
         PMD 3cbd84067
         PTE 80000003f7e87161
      
         Oops: 0003 [#1] SMP
         CPU: 2 PID: 7091 Comm: kvm_load_guest_ Tainted: G           OE   4.11.0+ #8
         task: ffff92fdfb525400 task.stack: ffffbda6c3d04000
         RIP: 0010:report_bug+0x94/0x120
         RSP: 0018:ffffbda6c3d07b20 EFLAGS: 00010202
          do_trap+0x156/0x170
          do_error_trap+0xa3/0x170
          ? kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
          ? mark_held_locks+0x79/0xa0
          ? retint_kernel+0x10/0x10
          ? trace_hardirqs_off_thunk+0x1a/0x1c
          do_invalid_op+0x20/0x30
          invalid_op+0x1e/0x30
         RIP: 0010:kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
          ? kvm_load_guest_fpu.part.175+0x1c/0x170 [kvm]
          kvm_arch_vcpu_ioctl_run+0xed6/0x1b70 [kvm]
          kvm_vcpu_ioctl+0x384/0x780 [kvm]
          ? kvm_vcpu_ioctl+0x384/0x780 [kvm]
          ? sched_clock+0x13/0x20
          ? __do_page_fault+0x2a0/0x550
          do_vfs_ioctl+0xa4/0x700
          ? up_read+0x1f/0x40
          ? __do_page_fault+0x2a0/0x550
          SyS_ioctl+0x79/0x90
          entry_SYSCALL_64_fastpath+0x23/0xc2
      
      SDM mentioned that "The MXCSR has several reserved bits, and attempting to write
      a 1 to any of these bits will cause a general-protection exception(#GP) to be
      generated". The syzkaller forks' testcase overrides xsave area w/ random values
      and steps on the reserved bits of MXCSR register. The damaged MXCSR register
      values of guest will be restored to SSEx MXCSR register before vmentry. This
      patch fixes it by catching userspace override MXCSR register reserved bits w/
      random values and bails out immediately.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8223e8f9
    • Daniel Glöckner's avatar
      ima: accept previously set IMA_NEW_FILE · efa8cd1e
      Daniel Glöckner authored
      commit 1ac202e9 upstream.
      
      Modifying the attributes of a file makes ima_inode_post_setattr reset
      the IMA cache flags. So if the file, which has just been created,
      is opened a second time before the first file descriptor is closed,
      verification fails since the security.ima xattr has not been written
      yet. We therefore have to look at the IMA_NEW_FILE even if the file
      already existed.
      
      With this patch there should no longer be an error when cat tries to
      open testfile:
      
      $ rm -f testfile
      $ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile
      
      A file being new is no reason to accept that it is missing a digital
      signature demanded by the policy.
      Signed-off-by: default avatarDaniel Glöckner <dg@emlix.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      efa8cd1e
    • Brian Norris's avatar
      mwifiex: pcie: fix cmd_buf use-after-free in remove/reset · d5811285
      Brian Norris authored
      commit 3c8cb9ad upstream.
      
      Command buffers (skb's) are allocated by the main driver, and freed upon
      the last use. That last use is often in mwifiex_free_cmd_buffer(). In
      the meantime, if the command buffer gets used by the PCI driver, we map
      it as DMA-able, and store the mapping information in the 'cb' memory.
      
      However, if a command was in-flight when resetting the device (and
      therefore was still mapped), we don't get a chance to unmap this memory
      until after the core has cleaned up its command handling.
      
      Let's keep a refcount within the PCI driver, so we ensure the memory
      only gets freed after we've finished unmapping it.
      
      Noticed by KASAN when forcing a reset via:
      
        echo 1 > /sys/bus/pci/.../reset
      
      The same code path can presumably be exercised in remove() and
      shutdown().
      
      [  205.390377] mwifiex_pcie 0000:01:00.0: info: shutdown mwifiex...
      [  205.400393] ==================================================================
      [  205.407719] BUG: KASAN: use-after-free in mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] at addr ffffffc0ad471b28
      [  205.419040] Read of size 16 by task bash/1913
      [  205.423421] =============================================================================
      [  205.431625] BUG skbuff_head_cache (Tainted: G    B          ): kasan: bad access detected
      [  205.439815] -----------------------------------------------------------------------------
      [  205.439815]
      [  205.449534] INFO: Allocated in __build_skb+0x48/0x114 age=1311 cpu=4 pid=1913
      [  205.456709] 	alloc_debug_processing+0x124/0x178
      [  205.461282] 	___slab_alloc.constprop.58+0x528/0x608
      [  205.466196] 	__slab_alloc.isra.54.constprop.57+0x44/0x54
      [  205.471542] 	kmem_cache_alloc+0xcc/0x278
      [  205.475497] 	__build_skb+0x48/0x114
      [  205.479019] 	__netdev_alloc_skb+0xe0/0x170
      [  205.483244] 	mwifiex_alloc_cmd_buffer+0x68/0xdc [mwifiex]
      [  205.488759] 	mwifiex_init_fw+0x40/0x6cc [mwifiex]
      [  205.493584] 	_mwifiex_fw_dpc+0x158/0x520 [mwifiex]
      [  205.498491] 	mwifiex_reinit_sw+0x2c4/0x398 [mwifiex]
      [  205.503510] 	mwifiex_pcie_reset_notify+0x114/0x15c [mwifiex_pcie]
      [  205.509643] 	pci_reset_notify+0x5c/0x6c
      [  205.513519] 	pci_reset_function+0x6c/0x7c
      [  205.517567] 	reset_store+0x68/0x98
      [  205.521003] 	dev_attr_store+0x54/0x60
      [  205.524705] 	sysfs_kf_write+0x9c/0xb0
      [  205.528413] INFO: Freed in __kfree_skb+0xb0/0xbc age=131 cpu=4 pid=1913
      [  205.535064] 	free_debug_processing+0x264/0x370
      [  205.539550] 	__slab_free+0x84/0x40c
      [  205.543075] 	kmem_cache_free+0x1c8/0x2a0
      [  205.547030] 	__kfree_skb+0xb0/0xbc
      [  205.550465] 	consume_skb+0x164/0x178
      [  205.554079] 	__dev_kfree_skb_any+0x58/0x64
      [  205.558304] 	mwifiex_free_cmd_buffer+0xa0/0x158 [mwifiex]
      [  205.563817] 	mwifiex_shutdown_drv+0x578/0x5c4 [mwifiex]
      [  205.569164] 	mwifiex_shutdown_sw+0x178/0x310 [mwifiex]
      [  205.574353] 	mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie]
      [  205.580398] 	pci_reset_notify+0x5c/0x6c
      [  205.584274] 	pci_dev_save_and_disable+0x24/0x6c
      [  205.588837] 	pci_reset_function+0x30/0x7c
      [  205.592885] 	reset_store+0x68/0x98
      [  205.596324] 	dev_attr_store+0x54/0x60
      [  205.600017] 	sysfs_kf_write+0x9c/0xb0
      ...
      [  205.800488] Call trace:
      [  205.802980] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190
      [  205.808415] [<ffffffc00020a96c>] show_stack+0x20/0x28
      [  205.813506] [<ffffffc0005d020c>] dump_stack+0xa4/0xcc
      [  205.818598] [<ffffffc0003be44c>] print_trailer+0x158/0x168
      [  205.824120] [<ffffffc0003be5f0>] object_err+0x4c/0x5c
      [  205.829210] [<ffffffc0003c45bc>] kasan_report+0x334/0x500
      [  205.834641] [<ffffffc0003c3994>] check_memory_region+0x20/0x14c
      [  205.840593] [<ffffffc0003c3b14>] __asan_loadN+0x14/0x1c
      [  205.845879] [<ffffffbffc46171c>] mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie]
      [  205.854282] [<ffffffbffc461864>] mwifiex_pcie_delete_cmdrsp_buf+0x94/0xa8 [mwifiex_pcie]
      [  205.862421] [<ffffffbffc462028>] mwifiex_pcie_free_buffers+0x11c/0x158 [mwifiex_pcie]
      [  205.870302] [<ffffffbffc4620d4>] mwifiex_pcie_down_dev+0x70/0x80 [mwifiex_pcie]
      [  205.877736] [<ffffffbffc1397a8>] mwifiex_shutdown_sw+0x190/0x310 [mwifiex]
      [  205.884658] [<ffffffbffc4606b4>] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie]
      [  205.892446] [<ffffffc000635f54>] pci_reset_notify+0x5c/0x6c
      [  205.898048] [<ffffffc00063a044>] pci_dev_save_and_disable+0x24/0x6c
      [  205.904350] [<ffffffc00063cf0c>] pci_reset_function+0x30/0x7c
      [  205.910134] [<ffffffc000641118>] reset_store+0x68/0x98
      [  205.915312] [<ffffffc000771588>] dev_attr_store+0x54/0x60
      [  205.920750] [<ffffffc00046f53c>] sysfs_kf_write+0x9c/0xb0
      [  205.926182] [<ffffffc00046dfb0>] kernfs_fop_write+0x184/0x1f8
      [  205.931963] [<ffffffc0003d64f4>] __vfs_write+0x6c/0x17c
      [  205.937221] [<ffffffc0003d7164>] vfs_write+0xf0/0x1c4
      [  205.942310] [<ffffffc0003d7da0>] SyS_write+0x78/0xd8
      [  205.947312] [<ffffffc000204634>] el0_svc_naked+0x24/0x28
      ...
      [  205.998268] ==================================================================
      
      This bug has been around in different forms for a while. It was sort of
      noticed in commit 955ab095 ("mwifiex: Do not kfree cmd buf while
      unregistering PCIe"), but it just fixed the double-free, without
      acknowledging the potential for use-after-free.
      
      Fixes: fc331460 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5811285
    • Brian Norris's avatar
      mwifiex: MAC randomization should not be persistent · a32a0c82
      Brian Norris authored
      commit 7e2f18f0 upstream.
      
      nl80211 provides the NL80211_SCAN_FLAG_RANDOM_ADDR for every scan
      request that should be randomized; the absence of such a flag means we
      should not randomize. However, mwifiex was stashing the latest
      randomization request and *always* using it for future scans, even those
      that didn't set the flag.
      
      Let's zero out the randomization info whenever we get a scan request
      without NL80211_SCAN_FLAG_RANDOM_ADDR. I'd prefer to remove
      priv->random_mac entirely (and plumb the randomization MAC properly
      through the call sequence), but the spaghetti is a little difficult to
      unravel here for me.
      
      Fixes: c2a8f0ff ("mwifiex: support random MAC address for scanning")
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a32a0c82
    • Larry Finger's avatar
      rtlwifi: rtl8821ae: setup 8812ae RFE according to device type · cf6df2bc
      Larry Finger authored
      commit 46cfa214 upstream.
      
      Current channel switch implementation sets 8812ae RFE reg value assuming
      that device always has type 2.
      
      Extend possible RFE types set and write corresponding reg values.
      
      Source for new code is
      http://dlcdnet.asus.com/pub/ASUS/wireless/PCE-AC51/DR_PCE_AC51_20232801152016.zipSigned-off-by: default avatarMaxim Samoylov <max7255@gmail.com>
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Yan-Hsuan Chuang <yhchuang@realtek.com>
      Cc: Pkshih <pkshih@realtek.com>
      Cc: Birming Chiu <birming@realtek.com>
      Cc: Shaofu <shaofu@realtek.com>
      Cc: Steven Ting <steventing@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf6df2bc
    • NeilBrown's avatar
      md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop · 699ae096
      NeilBrown authored
      commit 065e519e upstream.
      
      if called md_set_readonly and set MD_CLOSING bit, the mddev cannot
      be opened any more due to the MD_CLOING bit wasn't cleared. Thus it
      needs to be cleared in md_ioctl after any call to md_set_readonly()
      or do_md_stop().
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Fixes: af8d8e6f ("md: changes for MD_STILL_CLOSED flag")
      Signed-off-by: default avatarZhilong Liu <zlliu@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      699ae096
    • Dennis Yang's avatar
      md: update slab_cache before releasing new stripes when stripes resizing · 1800fde3
      Dennis Yang authored
      commit 583da48e upstream.
      
      When growing raid5 device on machine with small memory, there is chance that
      mdadm will be killed and the following bug report can be observed. The same
      bug could also be reproduced in linux-4.10.6.
      
      [57600.075774] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [57600.083796] IP: [<ffffffff81a6aa87>] _raw_spin_lock+0x7/0x20
      [57600.110378] PGD 421cf067 PUD 4442d067 PMD 0
      [57600.114678] Oops: 0002 [#1] SMP
      [57600.180799] CPU: 1 PID: 25990 Comm: mdadm Tainted: P           O    4.2.8 #1
      [57600.187849] Hardware name: To be filled by O.E.M. To be filled by O.E.M./MAHOBAY, BIOS QV05AR66 03/06/2013
      [57600.197490] task: ffff880044e47240 ti: ffff880043070000 task.ti: ffff880043070000
      [57600.204963] RIP: 0010:[<ffffffff81a6aa87>]  [<ffffffff81a6aa87>] _raw_spin_lock+0x7/0x20
      [57600.213057] RSP: 0018:ffff880043073810  EFLAGS: 00010046
      [57600.218359] RAX: 0000000000000000 RBX: 000000000000000c RCX: ffff88011e296dd0
      [57600.225486] RDX: 0000000000000001 RSI: ffffe8ffffcb46c0 RDI: 0000000000000000
      [57600.232613] RBP: ffff880043073878 R08: ffff88011e5f8170 R09: 0000000000000282
      [57600.239739] R10: 0000000000000005 R11: 28f5c28f5c28f5c3 R12: ffff880043073838
      [57600.246872] R13: ffffe8ffffcb46c0 R14: 0000000000000000 R15: ffff8800b9706a00
      [57600.253999] FS:  00007f576106c700(0000) GS:ffff88011e280000(0000) knlGS:0000000000000000
      [57600.262078] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [57600.267817] CR2: 0000000000000000 CR3: 00000000428fe000 CR4: 00000000001406e0
      [57600.274942] Stack:
      [57600.276949]  ffffffff8114ee35 ffff880043073868 0000000000000282 000000000000eb3f
      [57600.284383]  ffffffff81119043 ffff880043073838 ffff880043073838 ffff88003e197b98
      [57600.291820]  ffffe8ffffcb46c0 ffff88003e197360 0000000000000286 ffff880043073968
      [57600.299254] Call Trace:
      [57600.301698]  [<ffffffff8114ee35>] ? cache_flusharray+0x35/0xe0
      [57600.307523]  [<ffffffff81119043>] ? __page_cache_release+0x23/0x110
      [57600.313779]  [<ffffffff8114eb53>] kmem_cache_free+0x63/0xc0
      [57600.319344]  [<ffffffff81579942>] drop_one_stripe+0x62/0x90
      [57600.324915]  [<ffffffff81579b5b>] raid5_cache_scan+0x8b/0xb0
      [57600.330563]  [<ffffffff8111b98a>] shrink_slab.part.36+0x19a/0x250
      [57600.336650]  [<ffffffff8111e38c>] shrink_zone+0x23c/0x250
      [57600.342039]  [<ffffffff8111e4f3>] do_try_to_free_pages+0x153/0x420
      [57600.348210]  [<ffffffff8111e851>] try_to_free_pages+0x91/0xa0
      [57600.353959]  [<ffffffff811145b1>] __alloc_pages_nodemask+0x4d1/0x8b0
      [57600.360303]  [<ffffffff8157a30b>] check_reshape+0x62b/0x770
      [57600.365866]  [<ffffffff8157a4a5>] raid5_check_reshape+0x55/0xa0
      [57600.371778]  [<ffffffff81583df7>] update_raid_disks+0xc7/0x110
      [57600.377604]  [<ffffffff81592b73>] md_ioctl+0xd83/0x1b10
      [57600.382827]  [<ffffffff81385380>] blkdev_ioctl+0x170/0x690
      [57600.388307]  [<ffffffff81195238>] block_ioctl+0x38/0x40
      [57600.393525]  [<ffffffff811731c5>] do_vfs_ioctl+0x2b5/0x480
      [57600.399010]  [<ffffffff8115e07b>] ? vfs_write+0x14b/0x1f0
      [57600.404400]  [<ffffffff811733cc>] SyS_ioctl+0x3c/0x70
      [57600.409447]  [<ffffffff81a6ad97>] entry_SYSCALL_64_fastpath+0x12/0x6a
      [57600.415875] Code: 00 00 00 00 55 48 89 e5 8b 07 85 c0 74 04 31 c0 5d c3 ba 01 00 00 00 f0 0f b1 17 85 c0 75 ef b0 01 5d c3 90 31 c0 ba 01 00 00 00 <f0> 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 85 d1 63 ff 5d
      [57600.435460] RIP  [<ffffffff81a6aa87>] _raw_spin_lock+0x7/0x20
      [57600.441208]  RSP <ffff880043073810>
      [57600.444690] CR2: 0000000000000000
      [57600.448000] ---[ end trace cbc6b5cc4bf9831d ]---
      
      The problem is that resize_stripes() releases new stripe_heads before assigning new
      slab cache to conf->slab_cache. If the shrinker function raid5_cache_scan() gets called
      after resize_stripes() starting releasing new stripes but right before new slab cache
      being assigned, it is possible that these new stripe_heads will be freed with the old
      slab_cache which was already been destoryed and that triggers this bug.
      Signed-off-by: default avatarDennis Yang <dennisyang@qnap.com>
      Fixes: edbe83ab ("md/raid5: allow the stripe_cache to grow and shrink.")
      Reviewed-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1800fde3
    • Joe Thornber's avatar
      dm space map disk: fix some book keeping in the disk space map · d7252903
      Joe Thornber authored
      commit 0377a07c upstream.
      
      When decrementing the reference count for a block, the free count wasn't
      being updated if the reference count went to zero.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7252903
    • Joe Thornber's avatar
      dm thin metadata: call precommit before saving the roots · f568a102
      Joe Thornber authored
      commit 91bcdb92 upstream.
      
      These calls were the wrong way round in __write_initial_superblock.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f568a102
    • Mikulas Patocka's avatar
      dm bufio: make the parameter "retain_bytes" unsigned long · 17cedf3b
      Mikulas Patocka authored
      commit 13840d38 upstream.
      
      Change the type of the parameter "retain_bytes" from unsigned to
      unsigned long, so that on 64-bit machines the user can set more than
      4GiB of data to be retained.
      
      Also, change the type of the variable "count" in the function
      "__evict_old_buffers" to unsigned long.  The assignment
      "count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY];"
      could result in unsigned long to unsigned overflow and that could result
      in buffers not being freed when they should.
      
      While at it, avoid division in get_retain_buffers().  Division is slow,
      we can change it to shift because we have precalculated the log2 of
      block size.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17cedf3b
    • Mike Snitzer's avatar
      dm cache metadata: fail operations if fail_io mode has been established · 2e80638c
      Mike Snitzer authored
      commit 10add84e upstream.
      
      Otherwise it is possible to trigger crashes due to the metadata being
      inaccessible yet these methods don't safely account for that possibility
      without these checks.
      Reported-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2e80638c
    • Bart Van Assche's avatar
      dm mpath: delay requeuing while path initialization is in progress · a5b9afd6
      Bart Van Assche authored
      commit c1d7ecf7 upstream.
      
      Requeuing a request immediately while path initialization is ongoing
      causes high CPU usage, something that is undesired.  Hence delay
      requeuing while path initialization is in progress.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a5b9afd6
    • Bart Van Assche's avatar
      dm mpath: avoid that path removal can trigger an infinite loop · 5087ded2
      Bart Van Assche authored
      commit 7083abbb upstream.
      
      If blk_get_request() fails, check whether the failure is due to a path
      being removed.  If that is the case, fail the path by triggering a call
      to fail_path().  This avoids that the following scenario can be
      encountered while removing paths:
      * CPU usage of a kworker thread jumps to 100%.
      * Removing the DM device becomes impossible.
      
      Delay requeueing if blk_get_request() returns -EBUSY or -EWOULDBLOCK,
      and the queue is not dying, because in these cases immediate requeuing
      is inappropriate.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5087ded2
    • Bart Van Assche's avatar
      dm mpath: split and rename activate_path() to prepare for its expanded use · 5a094143
      Bart Van Assche authored
      commit 89bfce76 upstream.
      
      activate_path() is renamed to activate_path_work() which now calls
      activate_or_offline_path().  activate_or_offline_path() will be used
      by the next commit.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a094143
    • Bart Van Assche's avatar
      dm mpath: requeue after a small delay if blk_get_request() fails · 4ff00db7
      Bart Van Assche authored
      commit 06eb061f upstream.
      
      If blk_get_request() returns ENODEV then multipath_clone_and_map()
      causes a request to be requeued immediately. This can cause a kworker
      thread to spend 100% of the CPU time of a single core in
      __blk_mq_run_hw_queue() and also can cause device removal to never
      finish.
      
      Avoid this by only requeuing after a delay if blk_get_request() fails.
      Additionally, reduce the requeue delay.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ff00db7
    • Mikulas Patocka's avatar
      dm bufio: check new buffer allocation watermark every 30 seconds · 7d67cd02
      Mikulas Patocka authored
      commit 390020ad upstream.
      
      dm-bufio checks a watermark when it allocates a new buffer in
      __bufio_new().  However, it doesn't check the watermark when the user
      changes /sys/module/dm_bufio/parameters/max_cache_size_bytes.
      
      This may result in a problem - if the watermark is high enough so that
      all possible buffers are allocated and if the user lowers the value of
      "max_cache_size_bytes", the watermark will never be checked against the
      new value because no new buffer would be allocated.
      
      To fix this, change __evict_old_buffers() so that it checks the
      watermark.  __evict_old_buffers() is called every 30 seconds, so if the
      user reduces "max_cache_size_bytes", dm-bufio will react to this change
      within 30 seconds and decrease memory consumption.
      
      Depends-on: 1b0fb5a5 ("dm bufio: avoid a possible ABBA deadlock")
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d67cd02
    • Mikulas Patocka's avatar
      dm bufio: avoid a possible ABBA deadlock · 2aac21e0
      Mikulas Patocka authored
      commit 1b0fb5a5 upstream.
      
      __get_memory_limit() tests if dm_bufio_cache_size changed and calls
      __cache_size_refresh() if it did.  It takes dm_bufio_clients_lock while
      it already holds the client lock.  However, lock ordering is violated
      because in cleanup_old_buffers() dm_bufio_clients_lock is taken before
      the client lock.
      
      This results in a possible deadlock and lockdep engine warning.
      
      Fix this deadlock by changing mutex_lock() to mutex_trylock().  If the
      lock can't be taken, it will be re-checked next time when a new buffer
      is allocated.
      
      Also add "unlikely" to the if condition, so that the optimizer assumes
      that the condition is false.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2aac21e0
    • Mikulas Patocka's avatar
      dm raid: select the Kconfig option CONFIG_MD_RAID0 · 539ee786
      Mikulas Patocka authored
      commit 7b81ef8b upstream.
      
      Since the commit 0cf45031 ("dm raid: add support for the MD RAID0
      personality"), the dm-raid subsystem can activate a RAID-0 array.
      Therefore, add MD_RAID0 to the dependencies of DM_RAID, so that MD_RAID0
      will be selected when DM_RAID is selected.
      
      Fixes: 0cf45031 ("dm raid: add support for the MD RAID0 personality")
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      539ee786
    • Vinothkumar Raja's avatar
      dm btree: fix for dm_btree_find_lowest_key() · 11dfdb1a
      Vinothkumar Raja authored
      commit 7d1fedb6 upstream.
      
      dm_btree_find_lowest_key() is giving incorrect results.  find_key()
      traverses the btree correctly for finding the highest key, but there is
      an error in the way it traverses the btree for retrieving the lowest
      key.  dm_btree_find_lowest_key() fetches the first key of the rightmost
      block of the btree instead of fetching the first key from the leftmost
      block.
      
      Fix this by conditionally passing the correct parameter to value64()
      based on the @find_highest flag.
      Signed-off-by: default avatarErez Zadok <ezk@fsl.cs.sunysb.edu>
      Signed-off-by: default avatarVinothkumar Raja <vinraja@cs.stonybrook.edu>
      Signed-off-by: default avatarNidhi Panpalia <npanpalia@cs.stonybrook.edu>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      11dfdb1a
    • Paolo Abeni's avatar
      infiniband: call ipv6 route lookup via the stub interface · cd21f4af
      Paolo Abeni authored
      commit eea40b8f upstream.
      
      The infiniband address handle can be triggered to resolve an ipv6
      address in response to MAD packets, regardless of the ipv6
      module being disabled via the kernel command line argument.
      
      That will cause a call into the ipv6 routing code, which is not
      initialized, and a conseguent oops.
      
      This commit addresses the above issue replacing the direct lookup
      call with an indirect one via the ipv6 stub, which is properly
      initialized according to the ipv6 status (e.g. if ipv6 is
      disabled, the routing lookup fails gracefully)
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd21f4af
    • Sagi Grimberg's avatar
      mlx5: Fix mlx5_ib_map_mr_sg mr length · 3992c93b
      Sagi Grimberg authored
      commit 0a49f2c3 upstream.
      
      In case we got an initial sg_offset, we need to
      account for it in the mr length.
      
      Fixes: ff2ba993 ("IB/core: Add passing an offset into the SG to ib_map_mr_sg")
      Signed-off-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Tested-by: default avatarIsrael Rukshin <israelr@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3992c93b
    • Alexander Sverdlin's avatar
      ASoC: cs4271: configure reset GPIO as output · cca9c04a
      Alexander Sverdlin authored
      commit 49b2e27a upstream.
      
      During reset "refactoring" the output configuration was lost.
      This commit repairs sound on EDB93XX boards.
      
      Fixes: 9a397f47 ("ASoC: cs4271: add regulator consumer support")
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@gmail.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cca9c04a
    • Petr Vandrovec's avatar
      tpm: fix handling of the TPM 2.0 event logs · a7caccf8
      Petr Vandrovec authored
      commit fd5c7869 upstream.
      
      When TPM2 log has entries with more than 3 digests, or with digests
      not listed in the log header, log gets misparsed, eventually
      leading to kernel complaint that code tried to vmalloc 512MB of
      memory (I have no idea what would happen on bigger system).
      
      So code should not parse only first 3 digests: both event header
      and event itself are already in memory, so we can parse any number
      of digests, as long as we do not try to parse whole memory when
      given count of 0xFFFFFFFF.
      
      So this change:
      
      * Rejects event entry with more digests than log header describes.
        Digest types should be unique, and all should be described in
        log header, so there cannot be more digests in the event than in
        the header.
      
      * Reject event entry with digest that is not described in the
        log header.  In theory code could hardcode information about
        digest IDs already assigned by TCG, but if firmware authors
        cannot get event log format right, why should anyone believe
        that they got event log content right.
      
      Fixes: 4d23cc32 ("tpm: add securityfs support for TPM 2.0 firmware event log")
      Signed-off-by: default avatarPetr Vandrovec <petr@vmware.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7caccf8
    • Hon Ching \(Vicky) Lo's avatar
      vTPM: Fix missing NULL check · 455edd3c
      Hon Ching \(Vicky) Lo authored
      commit 31574d32 upstream.
      
      The current code passes the address of tpm_chip as the argument to
      dev_get_drvdata() without prior NULL check in
      tpm_ibmvtpm_get_desired_dma.  This resulted an oops during kernel
      boot when vTPM is enabled in Power partition configured in active
      memory sharing mode.
      
      The vio_driver's get_desired_dma() is called before the probe(), which
      for vtpm is tpm_ibmvtpm_probe, and it's this latter function that
      initializes the driver and set data.  Attempting to get data before
      the probe() caused the problem.
      
      This patch adds a NULL check to the tpm_ibmvtpm_get_desired_dma.
      
      fixes: 9e0d39d8 ("tpm: Remove useless priv field in struct tpm_vendor_specific")
      Signed-off-by: default avatarHon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
      Reviewed-by: default avatarJarkko Sakkine <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      455edd3c
    • Jerry Snitselaar's avatar
      tpm_crb: check for bad response size · b06ad9f0
      Jerry Snitselaar authored
      commit 8569defd upstream.
      
      Make sure size of response buffer is at least 6 bytes, or
      we will underflow and pass large size_t to memcpy_fromio().
      This was encountered while testing earlier version of
      locality patchset.
      
      Fixes: 30fc8d13 ("tpm: TPM 2.0 CRB Interface")
      Signed-off-by: default avatarJerry Snitselaar <jsnitsel@redhat.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b06ad9f0
    • Nayna Jain's avatar
      tpm: add sleep only for retry in i2c_nuvoton_write_status() · 7cb54bfb
      Nayna Jain authored
      commit 0afb7118 upstream.
      
      Currently, there is an unnecessary 1 msec delay added in
      i2c_nuvoton_write_status() for the successful case. This
      function is called multiple times during send() and recv(),
      which implies adding multiple extra delays for every TPM
      operation.
      
      This patch calls usleep_range() only if retry is to be done.
      Signed-off-by: default avatarNayna Jain <nayna@linux.vnet.ibm.com>
      Reviewed-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cb54bfb
    • Nayna Jain's avatar
      tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver · 6705f253
      Nayna Jain authored
      commit a233a028 upstream.
      
      Commit 500462a9 "timers: Switch to a non-cascading wheel" replaced
      the 'classic' timer wheel, which aimed for near 'exact' expiry of the
      timers.  Their analysis was that the vast majority of timeout timers
      are used as safeguards, not as real timers, and are cancelled or
      rearmed before expiration.  The only exception noted to this were
      networking timers with a small expiry time.
      
      Not included in the analysis was the TPM polling timer, which resulted
      in a longer normal delay and, every so often, a very long delay.  The
      non-cascading wheel delay is based on CONFIG_HZ.  For a description of
      the different rings and their delays, refer to the comments in
      kernel/time/timer.c.
      
      Below are the delays given for rings 0 - 2, which explains the longer
      "normal" delays and the very, long delays as seen on systems with
      CONFIG_HZ 250.
      
      * HZ 1000 steps
       * Level Offset  Granularity            Range
       *  0      0         1 ms                0 ms - 63 ms
       *  1     64         8 ms               64 ms - 511 ms
       *  2    128        64 ms              512 ms - 4095 ms (512ms - ~4s)
      
      * HZ  250
       * Level Offset  Granularity            Range
       *  0      0         4 ms                0 ms - 255 ms
       *  1     64        32 ms              256 ms - 2047 ms (256ms - ~2s)
       *  2    128       256 ms             2048 ms - 16383 ms (~2s - ~16s)
      
      Below is a comparison of extending the TPM with 1000 measurements,
      using msleep() vs. usleep_delay() when configured for 1000 hz vs. 250
      hz, before and after commit 500462a9.
      
      linux-4.7 | msleep() usleep_range()
      1000 hz: 0m44.628s | 1m34.497s 29.243s
      250 hz: 1m28.510s | 4m49.269s 32.386s
      
      linux-4.7  | min-max (msleep)  min-max (usleep_range)
      1000 hz: 0:017 - 2:760s | 0:015 - 3:967s    0:014 - 0:418s
      250 hz: 0:028 - 1:954s | 0:040 - 4:096s    0:016 - 0:816s
      
      This patch replaces the msleep() with usleep_range() calls in the
      i2c nuvoton driver with a consistent max range value.
      Signed-of-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarNayna Jain <nayna@linux.vnet.ibm.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6705f253
    • Peter Huewe's avatar
      tpm_tis_spi: Add small delay after last transfer · 84eef50e
      Peter Huewe authored
      commit 5cc0101d upstream.
      
      Testing the implementation with a Raspberry Pi 2 showed that under some
      circumstances its SPI master erroneously releases the CS line before the
      transfer is complete, i.e. before the end of the last clock. In this case
      the TPM ignores the transfer and misses for example the GO command. The
      driver is unable to detect this communication problem and will wait for a
      command response that is never going to arrive, timing out eventually.
      
      As a workaround, the small delay ensures that the CS line is held long
      enough, even with a faulty SPI master. Other SPI masters are not affected,
      except for a negligible performance penalty.
      
      Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy")
      Signed-off-by: default avatarAlexander Steffen <Alexander.Steffen@infineon.com>
      Signed-off-by: default avatarPeter Huewe <peter.huewe@infineon.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: default avatarBenoit Houyere <benoit.houyere@st.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84eef50e
    • Peter Huewe's avatar
      tpm_tis_spi: Remove limitation of transfers to MAX_SPI_FRAMESIZE bytes · 32a6b619
      Peter Huewe authored
      commit 591e48c2 upstream.
      
      Limiting transfers to MAX_SPI_FRAMESIZE was not expected by the upper
      layers, as tpm_tis has no such limitation. Add a loop to hide that
      limitation.
      
      v2: Moved scope of spi_message to the top as requested by Jarkko
      Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy")
      Signed-off-by: default avatarAlexander Steffen <Alexander.Steffen@infineon.com>
      Signed-off-by: default avatarPeter Huewe <peter.huewe@infineon.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: default avatarBenoit Houyere <benoit.houyere@st.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32a6b619
    • Peter Huewe's avatar
      tpm_tis_spi: Check correct byte for wait state indicator · e2fbfd47
      Peter Huewe authored
      commit e110cc69 upstream.
      
      Wait states are signaled in the last byte received from the TPM in
      response to the header, not the first byte. Check rx_buf[3] instead of
      rx_buf[0].
      
      Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy")
      Signed-off-by: default avatarAlexander Steffen <Alexander.Steffen@infineon.com>
      Signed-off-by: default avatarPeter Huewe <peter.huewe@infineon.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: default avatarBenoit Houyere <benoit.houyere@st.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2fbfd47
    • Peter Huewe's avatar
      tpm_tis_spi: Abort transfer when too many wait states are signaled · 6b2a246a
      Peter Huewe authored
      commit 975094dd upstream.
      
      Abort the transfer with ETIMEDOUT when the TPM signals more than
      TPM_RETRY wait states. Continuing with the transfer in this state
      will only lead to arbitrary failures in other parts of the code.
      
      Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy")
      Signed-off-by: default avatarAlexander Steffen <Alexander.Steffen@infineon.com>
      Signed-off-by: default avatarPeter Huewe <peter.huewe@infineon.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: default avatarBenoit Houyere <benoit.houyere@st.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b2a246a
    • Peter Huewe's avatar
      tpm_tis_spi: Use single function to transfer data · b0e2a93c
      Peter Huewe authored
      commit f848f214 upstream.
      
      The algorithm for sending data to the TPM is mostly identical to the
      algorithm for receiving data from the TPM, so a single function is
      sufficient to handle both cases.
      
      This is a prequisite for all the other fixes, so we don't have to fix
      everything twice (send/receive)
      
      v2: u16 instead of u8 for the length.
      Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy")
      Signed-off-by: default avatarAlexander Steffen <Alexander.Steffen@infineon.com>
      Signed-off-by: default avatarPeter Huewe <peter.huewe@infineon.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: default avatarBenoit Houyere <benoit.houyere@st.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b0e2a93c
    • Amir Goldstein's avatar
      fanotify: don't expose EOPENSTALE to userspace · 580c656a
      Amir Goldstein authored
      commit 4ff33aaf upstream.
      
      When delivering an event to userspace for a file on an NFS share,
      if the file is deleted on server side before user reads the event,
      user will not get the event.
      
      If the event queue contained several events, the stale event is
      quietly dropped and read() returns to user with events read so far
      in the buffer.
      
      If the event queue contains a single stale event or if the stale
      event is a permission event, read() returns to user with the kernel
      internal error code 518 (EOPENSTALE), which is not a POSIX error code.
      
      Check the internal return value -EOPENSTALE in fanotify_read(), just
      the same as it is checked in path_openat() and drop the event in the
      cases that it is not already dropped.
      
      This is a reproducer from Marko Rauhamaa:
      
      Just take the example program listed under "man fanotify" ("fantest")
      and follow these steps:
      
          ==============================================================
          NFS Server    NFS Client(1)     NFS Client(2)
          ==============================================================
          # echo foo >/nfsshare/bar.txt
                        # cat /nfsshare/bar.txt
                        foo
                                          # ./fantest /nfsshare
                                          Press enter key to terminate.
                                          Listening for events.
          # rm -f /nfsshare/bar.txt
                        # cat /nfsshare/bar.txt
                                          read: Unknown error 518
                        cat: /nfsshare/bar.txt: Operation not permitted
          ==============================================================
      
      where NFS Client (1) and (2) are two terminal sessions on a single NFS
      Client machine.
      Reported-by: default avatarMarko Rauhamaa <marko.rauhamaa@f-secure.com>
      Tested-by: default avatarMarko Rauhamaa <marko.rauhamaa@f-secure.com>
      Cc: <linux-api@vger.kernel.org>
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      580c656a
    • Jeeja KP's avatar
      ALSA: hda: Fix cpu lockup when stopping the cmd dmas · 826ca313
      Jeeja KP authored
      commit 96001376 upstream.
      
      Using jiffies in hdac_wait_for_cmd_dmas() to determine when to time out
      when interrupts are off (snd_hdac_bus_stop_cmd_io()/spin_lock_irq())
      causes hard lockup so unlock while waiting using jiffies.
      
      ---<-snip->---
      <0>[ 1211.603046] NMI watchdog: Watchdog detected hard LOCKUP on cpu 3
      <4>[ 1211.603047] Modules linked in: snd_hda_intel i915 vgem
      <4>[ 1211.603053] irq event stamp: 13366
      <4>[ 1211.603053] hardirqs last  enabled at (13365):
      ...
      <4>[ 1211.603059] Call Trace:
      <4>[ 1211.603059]  ? delay_tsc+0x3d/0xc0
      <4>[ 1211.603059]  __delay+0xa/0x10
      <4>[ 1211.603060]  __const_udelay+0x31/0x40
      <4>[ 1211.603060]  snd_hdac_bus_stop_cmd_io+0x96/0xe0 [snd_hda_core]
      <4>[ 1211.603060]  ? azx_dev_disconnect+0x20/0x20 [snd_hda_intel]
      <4>[ 1211.603061]  snd_hdac_bus_stop_chip+0xb1/0x100 [snd_hda_core]
      <4>[ 1211.603061]  azx_stop_chip+0x9/0x10 [snd_hda_codec]
      <4>[ 1211.603061]  azx_suspend+0x72/0x220 [snd_hda_intel]
      <4>[ 1211.603061]  pci_pm_suspend+0x71/0x140
      <4>[ 1211.603062]  dpm_run_callback+0x6f/0x330
      <4>[ 1211.603062]  ? pci_pm_freeze+0xe0/0xe0
      <4>[ 1211.603062]  __device_suspend+0xf9/0x370
      <4>[ 1211.603062]  ? dpm_watchdog_set+0x60/0x60
      <4>[ 1211.603063]  async_suspend+0x1a/0x90
      <4>[ 1211.603063]  async_run_entry_fn+0x34/0x160
      <4>[ 1211.603063]  process_one_work+0x1f4/0x6d0
      <4>[ 1211.603063]  ? process_one_work+0x16e/0x6d0
      <4>[ 1211.603064]  worker_thread+0x49/0x4a0
      <4>[ 1211.603064]  kthread+0x107/0x140
      <4>[ 1211.603064]  ? process_one_work+0x6d0/0x6d0
      <4>[ 1211.603065]  ? kthread_create_on_node+0x40/0x40
      <4>[ 1211.603065]  ret_from_fork+0x2e/0x40
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100419
      Fixes: 38b19ed7 ("ALSA: hda: fix to wait for RIRB & CORB DMA to set")
      Reported-by: default avatarMarta Lofstedt <marta.lofstedt@intel.com>
      Suggested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJeeja KP <jeeja.kp@intel.com>
      Acked-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      826ca313
    • Alexander Steffen's avatar
      tpm_tis_core: Choose appropriate timeout for reading burstcount · d2b8a861
      Alexander Steffen authored
      commit 302a6ad7 upstream.
      
      TIS v1.3 for TPM 1.2 and PTP for TPM 2.0 disagree about which timeout
      value applies to reading a valid burstcount. It is TIMEOUT_D according to
      TIS, but TIMEOUT_A according to PTP, so choose the appropriate value
      depending on whether we deal with a TPM 1.2 or a TPM 2.0.
      
      This is important since according to the PTP TIMEOUT_D is much smaller
      than TIMEOUT_A. So the previous implementation could run into timeouts
      with a TPM 2.0, even though the TPM was behaving perfectly fine.
      
      During tpm2_probe TIMEOUT_D will be used even with a TPM 2.0, because
      TPM_CHIP_FLAG_TPM2 is not yet set. This is fine, since the timeout values
      will only be changed afterwards by tpm_get_timeouts. Until then
      TIS_TIMEOUT_D_MAX applies, which is large enough.
      
      Fixes: aec04cbd ("tpm: TPM 2.0 FIFO Interface")
      Signed-off-by: default avatarAlexander Steffen <Alexander.Steffen@infineon.com>
      Signed-off-by: default avatarPeter Huewe <peter.huewe@infineon.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d2b8a861
    • Vamsi Krishna Samavedam's avatar
      USB: core: replace %p with %pK · b3bf0bbc
      Vamsi Krishna Samavedam authored
      commit 2f964780 upstream.
      
      Format specifier %p can leak kernel addresses while not valuing the
      kptr_restrict system settings. When kptr_restrict is set to (1), kernel
      pointers printed using the %pK format specifier will be replaced with
      Zeros. Debugging Note : &pK prints only Zeros as address. If you need
      actual address information, write 0 to kptr_restrict.
      
      echo 0 > /proc/sys/kernel/kptr_restrict
      
      [Found by poking around in a random vendor kernel tree, it would be nice
      if someone would actually send these types of patches upstream - gkh]
      Signed-off-by: default avatarVamsi Krishna Samavedam <vskrishn@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b3bf0bbc
    • Willy Tarreau's avatar
      char: lp: fix possible integer overflow in lp_setup() · 28c7411c
      Willy Tarreau authored
      commit 3e21f4af upstream.
      
      The lp_setup() code doesn't apply any bounds checking when passing
      "lp=none", and only in this case, resulting in an overflow of the
      parport_nr[] array. All versions in Git history are affected.
      Reported-By: default avatarRoee Hay <roee.hay@hcl.com>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28c7411c