1. 27 Jul, 2017 40 commits
    • Jason A. Donenfeld's avatar
      sunrpc: use constant time memory comparison for mac · 4dd0aa9a
      Jason A. Donenfeld authored
      commit 15a8b93f upstream.
      
      Otherwise, we enable a MAC forgery via timing attack.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Cc: "J. Bruce Fields" <bfields@fieldses.org>
      Cc: Jeff Layton <jlayton@poochiereds.net>
      Cc: Trond Myklebust <trond.myklebust@primarydata.com>
      Cc: Anna Schumaker <anna.schumaker@netapp.com>
      Cc: linux-nfs@vger.kernel.org
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4dd0aa9a
    • Moni Shoua's avatar
      IB/core: Namespace is mandatory input for address resolution · dd0d6509
      Moni Shoua authored
      commit bebb2a47 upstream.
      
      In function addr_resolve() the namespace is a required input parameter
      and not an output. It is passed later for searching the routing table
      and device addresses. Also, it shouldn't be copied back to the caller.
      
      Fixes: 565edd1d ('IB/addr: Pass network namespace as a parameter')
      Signed-off-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd0d6509
    • Vladimir Neyelov's avatar
      IB/iser: Fix connection teardown race condition · 5c2717f4
      Vladimir Neyelov authored
      commit c8c16d3b upstream.
      
      Under heavy iser target(scst) start/stop stress during login/logout
      on iser intitiator side happened trace call provided below.
      
      The function iscsi_iser_slave_alloc iser_conn pointer could be NULL,
      due to the fact that function iscsi_iser_conn_stop can be called before
      and free iser connection. Let's protect that flow by introducing global mutex.
      
      BUG: unable to handle kernel paging request at 0000000000001018
      IP: [<ffffffffc0426f7e>] iscsi_iser_slave_alloc+0x1e/0x50 [ib_iser]
      Call Trace:
      ? scsi_alloc_sdev+0x242/0x300
      scsi_probe_and_add_lun+0x9e1/0xea0
      ? kfree_const+0x21/0x30
      ? kobject_set_name_vargs+0x76/0x90
      ? __pm_runtime_resume+0x5b/0x70
      __scsi_scan_target+0xf6/0x250
      scsi_scan_target+0xea/0x100
      iscsi_user_scan_session.part.13+0x101/0x130 [scsi_transport_iscsi]
      ? iscsi_user_scan_session.part.13+0x130/0x130 [scsi_transport_iscsi]
      iscsi_user_scan_session+0x1e/0x30 [scsi_transport_iscsi]
      device_for_each_child+0x50/0x90
      iscsi_user_scan+0x44/0x60 [scsi_transport_iscsi]
      store_scan+0xa8/0x100
      ? common_file_perm+0x5d/0x1c0
      dev_attr_store+0x18/0x30
      sysfs_kf_write+0x37/0x40
      kernfs_fop_write+0x12c/0x1c0
      __vfs_write+0x18/0x40
      vfs_write+0xb5/0x1a0
      SyS_write+0x55/0xc0
      
      Fixes: 318d311e ("iser: Accept arbitrary sg lists mapping if the device supports it")
      Signed-off-by: default avatarVladimir Neyelov <vladimirn@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimbeg.me>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c2717f4
    • Chen Hong's avatar
      Input: i8042 - fix crash at boot time · 5b50e0e7
      Chen Hong authored
      commit 340d394a upstream.
      
      The driver checks port->exists twice in i8042_interrupt(), first when
      trying to assign temporary "serio" variable, and second time when deciding
      whether it should call serio_interrupt(). The value of port->exists may
      change between the 2 checks, and we may end up calling serio_interrupt()
      with a NULL pointer:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
      IP: [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
      PGD 0
      Oops: 0002 [#1] SMP
      last sysfs file:
      CPU 0
      Modules linked in:
      
      Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996)
      RIP: 0010:[<ffffffff8150feaf>]  [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
      RSP: 0018:ffff880028203cc0  EFLAGS: 00010082
      RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050
      RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0
      R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098
      FS:  0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500)
      Stack:
      ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000
      <d> 0000000000000000 0000000000000000 0000000000000000 0000000000000098
      <d> ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac
      Call Trace:
      <IRQ>
       [<ffffffff813de186>] serio_interrupt+0x36/0xa0
      [<ffffffff813e0162>] i8042_interrupt+0x132/0x3a0
      [<ffffffff8103b8ac>] ? kvm_clock_read+0x1c/0x20
      [<ffffffff8103b8b9>] ? kvm_clock_get_cycles+0x9/0x10
      [<ffffffff810e1640>] handle_IRQ_event+0x60/0x170
      [<ffffffff8103b154>] ? kvm_guest_apic_eoi_write+0x44/0x50
      [<ffffffff810e3d8e>] handle_edge_irq+0xde/0x180
      [<ffffffff8100de89>] handle_irq+0x49/0xa0
      [<ffffffff81516c8c>] do_IRQ+0x6c/0xf0
      [<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
      [<ffffffff81076f63>] ? __do_softirq+0x73/0x1e0
      [<ffffffff8109b75b>] ? hrtimer_interrupt+0x14b/0x260
      [<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
      [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
      [<ffffffff81076d95>] ? irq_exit+0x85/0x90
      [<ffffffff81516d80>] ? smp_apic_timer_interrupt+0x70/0x9b
      [<ffffffff8100bb93>] ? apic_timer_interrupt+0x13/0x20
      
      To avoid the issue let's change the second check to test whether serio is
      NULL or not.
      
      Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of
      trying to be overly smart and using memory barriers.
      Signed-off-by: default avatarChen Hong <chenhong3@huawei.com>
      [dtor: take lock in i8042_start()/i8042_stop()]
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b50e0e7
    • Maciej W. Rozycki's avatar
      MIPS: Fix a typo: s/preset/present/ in r2-to-r6 emulation error message · 6d77ac4b
      Maciej W. Rozycki authored
      commit 27fe2200 upstream.
      
      This is a user-visible message, so we want it to be spelled correctly.
      
      Fixes: 5f9f41c4 ("MIPS: kernel: Prepare the JR instruction for emulation on MIPS R6")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16400/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d77ac4b
    • Maciej W. Rozycki's avatar
      MIPS: Send SIGILL for R6 branches in `__compute_return_epc_for_insn' · 3330a05c
      Maciej W. Rozycki authored
      commit a60b1a5b upstream.
      
      Fix:
      
      * commit 8467ca01 ("MIPS: Emulate the new MIPS R6 branch compact
      (BC) instruction"),
      
      * commit 84fef630 ("MIPS: Emulate the new MIPS R6 BALC
      instruction"),
      
      * commit 69b9a2fd ("MIPS: Emulate the new MIPS R6 BEQZC and JIC
      instructions"),
      
      * commit 28d6f93d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC
      instructions"),
      
      * commit c893ce38 ("MIPS: Emulate the new MIPS R6 BOVC, BEQC and
      BEQZALC instructions")
      
      and send SIGILL rather than returning -SIGILL for R6 branch and jump
      instructions.  Returning -SIGILL is never correct as the API defines
      this function's result upon error to be -EFAULT and a signal actually
      issued.
      
      Fixes: 8467ca01 ("MIPS: Emulate the new MIPS R6 branch compact (BC) instruction")
      Fixes: 84fef630 ("MIPS: Emulate the new MIPS R6 BALC instruction")
      Fixes: 69b9a2fd ("MIPS: Emulate the new MIPS R6 BEQZC and JIC instructions")
      Fixes: 28d6f93d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC instructions")
      Fixes: c893ce38 ("MIPS: Emulate the new MIPS R6 BOVC, BEQC and BEQZALC instructions")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16399/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3330a05c
    • Maciej W. Rozycki's avatar
      MIPS: Send SIGILL for linked branches in `__compute_return_epc_for_insn' · d4bd6a1d
      Maciej W. Rozycki authored
      commit fef40be6 upstream.
      
      Fix commit 319824ea ("MIPS: kernel: branch: Do not emulate the
      branch likelies on MIPS R6") and also send SIGILL rather than returning
      -SIGILL for BLTZAL, BLTZALL, BGEZAL and BGEZALL instruction encodings no
      longer supported in R6, except where emulated.  Returning -SIGILL is
      never correct as the API defines this function's result upon error to be
      -EFAULT and a signal actually issued.
      
      Fixes: 319824ea ("MIPS: kernel: branch: Do not emulate the branch likelies on MIPS R6")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16398/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4bd6a1d
    • Maciej W. Rozycki's avatar
      MIPS: Rename `sigill_r6' to `sigill_r2r6' in `__compute_return_epc_for_insn' · 99ce7614
      Maciej W. Rozycki authored
      commit 1f4edde4 upstream.
      
      Use the more accurate `sigill_r2r6' name for the label used in the case
      of sending SIGILL in the absence of the instruction emulator for an
      earlier ISA level instruction that has been removed as from the R6 ISA,
      so that the `sigill_r6' name is freed for the situation where an R6
      instruction is not supposed to be interpreted, because the executing
      processor does not support the R6 ISA.
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16397/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99ce7614
    • Maciej W. Rozycki's avatar
      MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn' · 86dd4aa3
      Maciej W. Rozycki authored
      commit 7b82c105 upstream.
      
      Fix commit e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.") and
      send SIGILL rather than SIGBUS whenever an unimplemented BPOSGE32 DSP
      ASE instruction has been encountered in `__compute_return_epc_for_insn'
      as our Reserved Instruction exception handler would in response to an
      attempt to actually execute the instruction.  Sending SIGBUS only makes
      sense for the unaligned PC case, since moved to `__compute_return_epc'.
      Adjust function documentation accordingly, correct formatting and use
      `pr_info' rather than `printk' as the other exit path already does.
      
      Fixes: e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16396/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86dd4aa3
    • Maciej W. Rozycki's avatar
      MIPS: math-emu: Prevent wrong ISA mode instruction emulation · d79354cc
      Maciej W. Rozycki authored
      commit 13769eba upstream.
      
      Terminate FPU emulation immediately whenever an ISA mode switch has been
      observed.  This is so that we do not interpret machine code in the wrong
      mode, for example when a regular MIPS FPU instruction has been placed in
      a delay slot of a jump that switches into the MIPS16 mode, as with the
      following code (taken from a GCC test suite case):
      
      00400650 <set_fast_math>:
        400650:	3c020100 	lui	v0,0x100
        400654:	03e00008 	jr	ra
        400658:	44c2f800 	ctc1	v0,c1_fcsr
        40065c:	00000000 	nop
      
      [...]
      
      004012d0 <__libc_csu_init>:
        4012d0:	f000 6a02 	li	v0,2
        4012d4:	f150 0b1c 	la	v1,3f9430 <_DYNAMIC-0x6df0>
        4012d8:	f400 3240 	sll	v0,16
        4012dc:	e269      	addu	v0,v1
        4012de:	659a      	move	gp,v0
        4012e0:	f00c 64f6 	save	a0-a2,48,ra,s0-s1
        4012e4:	673c      	move	s1,gp
        4012e6:	f010 9978 	lw	v1,-32744(s1)
        4012ea:	d204      	sw	v0,16(sp)
        4012ec:	eb40      	jalr	v1
        4012ee:	653b      	move	t9,v1
        4012f0:	f010 997c 	lw	v1,-32740(s1)
        4012f4:	f030 9920 	lw	s1,-32736(s1)
        4012f8:	e32f      	subu	v1,s1
        4012fa:	326b      	sra	v0,v1,2
        4012fc:	d206      	sw	v0,24(sp)
        4012fe:	220c      	beqz	v0,401318 <__libc_csu_init+0x48>
        401300:	6800      	li	s0,0
        401302:	99e0      	lw	a3,0(s1)
        401304:	4801      	addiu	s0,1
        401306:	960e      	lw	a2,56(sp)
        401308:	4904      	addiu	s1,4
        40130a:	950d      	lw	a1,52(sp)
        40130c:	940c      	lw	a0,48(sp)
        40130e:	ef40      	jalr	a3
        401310:	653f      	move	t9,a3
        401312:	9206      	lw	v0,24(sp)
        401314:	ea0a      	cmp	v0,s0
        401316:	61f5      	btnez	401302 <__libc_csu_init+0x32>
        401318:	6476      	restore	48,ra,s0-s1
        40131a:	e8a0      	jrc	ra
      
      Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit)
      and emulation triggers for the CTC1 instruction.  As it is in a jump
      delay slot emulation continues from `401312' (`401313' with the ISA
      bit).  However we have no path to handle MIPS16 FPU code emulation,
      because there are no MIPS16 FPU instructions.  So the default emulation
      path is taken, interpreting a 32-bit word fetched by `get_user' from
      `401313' as a regular MIPS instruction, which is:
      
        401313:	f5ea0a92	sdc1	$f10,2706(t7)
      
      This makes the FPU emulator proceed with the supposed SDC1 instruction
      and consequently makes the program considered here terminate with
      SIGSEGV.
      
      A similar although less severe issue exists with pure-microMIPS
      processors in the case where similarly an FPU instruction is emulated in
      a delay slot of a register jump that (incorrectly) switches into the
      regular MIPS mode.  A subsequent instruction fetch from the jump's
      target is supposed to cause an Address Error exception, however instead
      we proceed with regular MIPS FPU emulation.
      
      For simplicity then, always terminate the emulation loop whenever a mode
      change is detected, denoted by an ISA mode bit flip.  As from commit
      377cb1b6 ("MIPS: Disable MIPS16/microMIPS crap for platforms not
      supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded
      to 0, so we need to examine the ISA mode bit by hand.
      
      This complements commit 102cedc3 ("MIPS: microMIPS: Floating point
      support.") which added JALX decoding to FPU emulation.
      
      Fixes: 102cedc3 ("MIPS: microMIPS: Floating point support.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16393/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d79354cc
    • Maciej W. Rozycki's avatar
      MIPS: Fix unaligned PC interpretation in `compute_return_epc' · 040078ad
      Maciej W. Rozycki authored
      commit 11a3799d upstream.
      
      Fix a regression introduced with commit fb6883e5 ("MIPS: microMIPS:
      Support handling of delay slots.") and defer to `__compute_return_epc'
      if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware,
      which will then arrange for a SIGBUS due to an unaligned instruction
      reference.  Returning EPC here is never correct as the API defines this
      function's result to be either a negative error code on failure or one
      of 0 and BRANCH_LIKELY_TAKEN on success.
      
      Fixes: fb6883e5 ("MIPS: microMIPS: Support handling of delay slots.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16395/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      040078ad
    • Maciej W. Rozycki's avatar
      MIPS: Actually decode JALX in `__compute_return_epc_for_insn' · 434c9f2e
      Maciej W. Rozycki authored
      commit a9db101b upstream.
      
      Complement commit fb6883e5 ("MIPS: microMIPS: Support handling of
      delay slots.") and actually decode the regular MIPS JALX major
      instruction opcode, the handling of which has been added with the said
      commit for EPC calculation in `__compute_return_epc_for_insn'.
      
      Fixes: fb6883e5 ("MIPS: microMIPS: Support handling of delay slots.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16394/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      434c9f2e
    • James Hogan's avatar
      MIPS: Save static registers before sysmips · f8c331cb
      James Hogan authored
      commit 49955d84 upstream.
      
      The MIPS sysmips system call handler may return directly from the
      MIPS_ATOMIC_SET case (mips_atomic_set()) to syscall_exit. This path
      restores the static (callee saved) registers, however they won't have
      been saved on entry to the system call.
      
      Use the save_static_function() macro to create a __sys_sysmips wrapper
      function which saves the static registers before calling sys_sysmips, so
      that the correct static register state is restored by syscall_exit.
      
      Fixes: f1e39a4a ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16149/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8c331cb
    • Maciej W. Rozycki's avatar
      MIPS: Fix MIPS I ISA /proc/cpuinfo reporting · a9db2f4f
      Maciej W. Rozycki authored
      commit e5f5a5b0 upstream.
      
      Correct a commit 515a6393 ("MIPS: kernel: proc: Add MIPS R6 support
      to /proc/cpuinfo") regression that caused MIPS I systems to show no ISA
      levels supported in /proc/cpuinfo, e.g.:
      
      system type		: Digital DECstation 2100/3100
      machine			: Unknown
      processor		: 0
      cpu model		: R3000 V2.0  FPU V2.0
      BogoMIPS		: 10.69
      wait instruction	: no
      microsecond timers	: no
      tlb_entries		: 64
      extra interrupt vector	: no
      hardware watchpoint	: no
      isa			:
      ASEs implemented	:
      shadow register sets	: 1
      kscratch registers	: 0
      package			: 0
      core			: 0
      VCED exceptions		: not available
      VCEI exceptions		: not available
      
      and similarly exclude `mips1' from the ISA list for any processors below
      MIPSr1.  This is because the condition to show `mips1' on has been made
      `cpu_has_mips_r1' rather than newly-introduced `cpu_has_mips_1'.  Use
      the correct condition then.
      
      Fixes: 515a6393 ("MIPS: kernel: proc: Add MIPS R6 support to /proc/cpuinfo")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@linux-mips.org>
      Reviewed-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16758/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9db2f4f
    • Seunghun Han's avatar
      x86/ioapic: Pass the correct data to unmask_ioapic_irq() · c69280e9
      Seunghun Han authored
      commit e708e35b upstream.
      
      One of the rarely executed code pathes in check_timer() calls
      unmask_ioapic_irq() passing irq_get_chip_data(0) as argument.
      
      That's wrong as unmask_ioapic_irq() expects a pointer to the irq data of
      interrupt 0. irq_get_chip_data(0) returns NULL, so the following
      dereference in unmask_ioapic_irq() causes a kernel panic.
      
      The issue went unnoticed in the first place because irq_get_chip_data()
      returns a void pointer so the compiler cannot do a type check on the
      argument. The code path was added for machines with broken configuration,
      but it seems that those machines are either not running current kernels or
      simply do not longer exist.
      
      Hand in irq_get_irq_data(0) as argument which provides the correct data.
      
      [ tglx: Rewrote changelog ]
      
      Fixes: 4467715a ("x86/irq: Move irq_cfg.irq_2_pin into io_apic.c")
      Signed-off-by: default avatarSeunghun Han <kkamagui@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1500369644-45767-1-git-send-email-kkamagui@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c69280e9
    • Seunghun Han's avatar
      x86/acpi: Prevent out of bound access caused by broken ACPI tables · 036d59f4
      Seunghun Han authored
      commit dad5ab0d upstream.
      
      The bus_irq argument of mp_override_legacy_irq() is used as the index into
      the isa_irq_to_gsi[] array. The bus_irq argument originates from
      ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
      tables, but is nowhere sanity checked.
      
      That allows broken or malicious ACPI tables to overwrite memory, which
      might cause malfunction, panic or arbitrary code execution.
      
      Add a sanity check and emit a warning when that triggers.
      
      [ tglx: Added warning and rewrote changelog ]
      Signed-off-by: default avatarSeunghun Han <kkamagui@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: security@kernel.org
      Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      036d59f4
    • Lv Zheng's avatar
      Revert "ACPI / EC: Enable event freeze mode..." to fix a regression · 456a9974
      Lv Zheng authored
      commit 9c40f956 upstream.
      
      On Lenovo ThinkPad X1 Carbon - the 5th Generation, enabling an earlier
      EC event freezing timing causes acpitz-virtual-0 to report a stuck
      48C temparature.  And with EC firmware revisioned as 1.14, without
      reverting back to old EC event freezing timing, the fan still blows
      up after a system resume.
      
      This reverts the culprit change so that the regression can be fixed
      without upgrading the EC firmware.
      
      Fixes: d3028305 (ACPI / EC: Enable event freeze mode to improve event handling)
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=191181#c168Tested-by: default avatarDamjan Georgievski <gdamjan@gmail.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      456a9974
    • Lv Zheng's avatar
      ACPI / EC: Drop EC noirq hooks to fix a regression · b2966b10
      Lv Zheng authored
      commit 66259146 upstream.
      
      According to bug reports, although the busy polling mode can make
      noirq stages execute faster, it causes abnormal fan blowing up after
      system resume (see the first link below for a video demonstration)
      on Lenovo ThinkPad X1 Carbon - the 5th Generation.  The problem can
      be fixed by upgrading the EC firmware on that machine.
      
      However, many reporters confirm that the problem can be fixed by
      stopping busy polling during suspend/resume and for some of them
      upgrading the EC firmware is not an option.
      
      For this reason, drop the noirq stage hooks from the EC driver
      to fix the regression.
      
      Fixes: c3a696b6 (ACPI / EC: Use busy polling mode when GPE is not enabled)
      Link: https://youtu.be/9NQ9x-Jm99Q
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=196129Reported-by: default avatarAndreas Lindhe <andreas@lindhe.io>
      Tested-by: default avatarGjorgji Jankovski <j.gjorgji@gmail.com>
      Tested-by: default avatarDamjan Georgievski <gdamjan@gmail.com>
      Tested-by: default avatarFernando Chaves <nanochaves@gmail.com>
      Tested-by: default avatarTomislav Ivek <tomislav.ivek@gmail.com>
      Tested-by: default avatarDenis P. <theoriginal.skullburner@gmail.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2966b10
    • Richard Weinberger's avatar
      ubifs: Don't leak kernel memory to the MTD · ec469b5e
      Richard Weinberger authored
      commit 4acadda7 upstream.
      
      When UBIFS prepares data structures which will be written to the MTD it
      ensues that their lengths are multiple of 8. Since it uses kmalloc() the
      padded bytes are left uninitialized and we leak a few bytes of kernel
      memory to the MTD.
      To make sure that all bytes are initialized, let's switch to kzalloc().
      Kzalloc() is fine in this case because the buffers are not huge and in
      the IO path the performance bottleneck is anyway the MTD.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec469b5e
    • James Hogan's avatar
      MIPS: Negate error syscall return in trace · 02131aea
      James Hogan authored
      commit 4f32a39d upstream.
      
      The sys_exit trace event takes a single return value for the system
      call, which MIPS passes the value of the $v0 (result) register, however
      MIPS returns positive error codes in $v0 with $a3 specifying that $v0
      contains an error code. As a result erroring system calls are traced
      returning positive error numbers that can't always be distinguished from
      success.
      
      Use regs_return_value() to negate the error code if $a3 is set.
      
      Fixes: 1d7bf993 ("MIPS: ftrace: Add support for syscall tracepoints.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16651/Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      02131aea
    • James Hogan's avatar
      MIPS: Fix mips_atomic_set() with EVA · f39f3b5d
      James Hogan authored
      commit 4915e1b0 upstream.
      
      EVA linked loads (LLE) and conditional stores (SCE) should be used on
      EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system
      call, or else the atomic set will apply to the kernel view of the
      virtual address space (potentially unmapped on EVA kernels) rather than
      the user view (TLB mapped).
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16151/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f39f3b5d
    • James Hogan's avatar
      MIPS: Fix mips_atomic_set() retry condition · dd2f8326
      James Hogan authored
      commit 2ec420b2 upstream.
      
      The inline asm retry check in the MIPS_ATOMIC_SET operation of the
      sysmips system call has been backwards since commit f1e39a4a ("MIPS:
      Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying
      until the operation was inatomic, before returning the new value that
      was probably just written multiple times instead of the old value.
      
      Invert the branch condition to fix that particular issue.
      
      Fixes: f1e39a4a ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16148/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd2f8326
    • Dan Carpenter's avatar
      ftrace: Fix uninitialized variable in match_records() · 198bd494
      Dan Carpenter authored
      commit 2e028c4f upstream.
      
      My static checker complains that if "func" is NULL then "clear_filter"
      is uninitialized.  This seems like it could be true, although it's
      possible something subtle is happening that I haven't seen.
      
          kernel/trace/ftrace.c:3844 match_records()
          error: uninitialized symbol 'clear_filter'.
      
      Link: http://lkml.kernel.org/r/20170712073556.h6tkpjcdzjaozozs@mwanda
      
      Fixes: f0a3b154 ("ftrace: Clarify code for mod command")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      198bd494
    • Marta Rybczynska's avatar
      nvme-rdma: remove race conditions from IB signalling · d17cc7b7
      Marta Rybczynska authored
      commit 5e599d73 upstream.
      
      This patch improves the way the RDMA IB signalling is done by using atomic
      operations for the signalling variable. This avoids race conditions on
      sig_count.
      
      The signalling interval changes slightly and is now the largest power of
      two not larger than queue depth / 2.
      
      ilog() usage idea by Bart Van Assche.
      Signed-off-by: default avatarMarta Rybczynska <marta.rybczynska@kalray.eu>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d17cc7b7
    • Alex Williamson's avatar
      vfio: New external user group/file match · 8f9dec0c
      Alex Williamson authored
      commit 5d6dee80 upstream.
      
      At the point where the kvm-vfio pseudo device wants to release its
      vfio group reference, we can't always acquire a new reference to make
      that happen.  The group can be in a state where we wouldn't allow a
      new reference to be added.  This new helper function allows a caller
      to match a file to a group to facilitate this.  Given a file and
      group, report if they match.  Thus the caller needs to already have a
      group reference to match to the file.  This allows the deletion of a
      group without acquiring a new reference.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Tested-by: default avatarEric Auger <eric.auger@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f9dec0c
    • Alex Williamson's avatar
      vfio: Fix group release deadlock · e91a5579
      Alex Williamson authored
      commit 811642d8 upstream.
      
      If vfio_iommu_group_notifier() acquires a group reference and that
      reference becomes the last reference to the group, then vfio_group_put
      introduces a deadlock code path where we're trying to unregister from
      the iommu notifier chain from within a callout of that chain.  Use a
      work_struct to release this reference asynchronously.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      Tested-by: default avatarEric Auger <eric.auger@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e91a5579
    • Konstantin Khlebnikov's avatar
      ovl: drop CAP_SYS_RESOURCE from saved mounter's credentials · fee760fc
      Konstantin Khlebnikov authored
      commit 51f8f3c4 upstream.
      
      If overlay was mounted by root then quota set for upper layer does not work
      because overlay now always use mounter's credentials for operations.
      Also overlay might deplete reserved space and inodes in ext4.
      
      This patch drops capability SYS_RESOURCE from saved credentials.
      This affects creation new files, whiteouts, and copy-up operations.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Fixes: 1175b6b8 ("ovl: do operations on underlying file system in mounter's context")
      Cc: Vivek Goyal <vgoyal@redhat.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Cc: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fee760fc
    • John Brooks's avatar
      drm/ttm: Fix use-after-free in ttm_bo_clean_mm · 0fb615f9
      John Brooks authored
      commit 8046e195 upstream.
      
      We unref the man->move fence in ttm_bo_clean_mm() and then call
      ttm_bo_force_list_clean() which waits on it, except the refcount is now
      zero so a warning is generated (or worse):
      
      [149492.279301] refcount_t: increment on 0; use-after-free.
      [149492.279309] ------------[ cut here ]------------
      [149492.279315] WARNING: CPU: 3 PID: 18726 at lib/refcount.c:150 refcount_inc+0x2b/0x30
      [149492.279315] Modules linked in: vhost_net vhost tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(
      -) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
      [149492.279326] CPU: 3 PID: 18726 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
      [149492.279326] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
      [149492.279327] task: ffff8804ddfedcc0 task.stack: ffffc90008d20000
      [149492.279329] RIP: 0010:refcount_inc+0x2b/0x30
      [149492.279330] RSP: 0018:ffffc90008d23c30 EFLAGS: 00010286
      [149492.279331] RAX: 000000000000002b RBX: 0000000000000170 RCX: 0000000000000000
      [149492.279331] RDX: 0000000000000000 RSI: ffff88051ecccbe8 RDI: ffff88051ecccbe8
      [149492.279332] RBP: ffffc90008d23c30 R08: 0000000000000001 R09: 00000000000003ee
      [149492.279333] R10: ffffc90008d23bb0 R11: 00000000000003ee R12: ffff88043aaac960
      [149492.279333] R13: ffff8805005e28a8 R14: 0000000000000002 R15: ffff88050115e178
      [149492.279334] FS:  00007fc540168700(0000) GS:ffff88051ecc0000(0000) knlGS:0000000000000000
      [149492.279335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [149492.279336] CR2: 00007fc3e8654140 CR3: 000000027ba77000 CR4: 00000000001426e0
      [149492.279337] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [149492.279337] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [149492.279338] Call Trace:
      [149492.279345]  ttm_bo_force_list_clean+0xb9/0x110 [ttm]
      [149492.279348]  ttm_bo_clean_mm+0x7a/0xe0 [ttm]
      [149492.279375]  amdgpu_ttm_fini+0xc9/0x1f0 [amdgpu]
      [149492.279392]  amdgpu_bo_fini+0x12/0x40 [amdgpu]
      [149492.279415]  gmc_v7_0_sw_fini+0x32/0x40 [amdgpu]
      [149492.279430]  amdgpu_fini+0x2c9/0x490 [amdgpu]
      [149492.279445]  amdgpu_device_fini+0x58/0x1b0 [amdgpu]
      [149492.279461]  amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
      [149492.279470]  drm_dev_unregister+0x3c/0xe0 [drm]
      [149492.279485]  amdgpu_pci_remove+0x19/0x30 [amdgpu]
      [149492.279487]  pci_device_remove+0x39/0xc0
      [149492.279490]  device_release_driver_internal+0x155/0x210
      [149492.279491]  driver_detach+0x38/0x70
      [149492.279493]  bus_remove_driver+0x4c/0xa0
      [149492.279494]  driver_unregister+0x2c/0x40
      [149492.279496]  pci_unregister_driver+0x21/0x90
      [149492.279520]  amdgpu_exit+0x15/0x406 [amdgpu]
      [149492.279523]  SyS_delete_module+0x1a8/0x270
      [149492.279525]  ? exit_to_usermode_loop+0x92/0xa0
      [149492.279528]  entry_SYSCALL_64_fastpath+0x13/0x94
      [149492.279529] RIP: 0033:0x7fc53fcb68e7
      [149492.279529] RSP: 002b:00007ffcfbfaabb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [149492.279531] RAX: ffffffffffffffda RBX: 0000563117adb200 RCX: 00007fc53fcb68e7
      [149492.279531] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000563117adb268
      [149492.279532] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [149492.279533] R10: 0000000000000883 R11: 0000000000000206 R12: 00007ffcfbfa9ba0
      [149492.279533] R13: 0000000000000000 R14: 0000000000000000 R15: 0000563117adb200
      [149492.279534] Code: 55 48 89 e5 e8 77 fe ff ff 84 c0 74 02 5d c3 80 3d 40 f2 a4 00 00 75 f5 48 c7 c7 20 3c ca 81 c6 05 30 f2 a4 00 01 e8 91 f0 d7 ff <0f> ff 5d c3 90 55 48 89 fe bf 01 00 00 00 48 89 e5 e8 9f fe ff
      [149492.279557] ---[ end trace 2d4e0ffcb66a1016 ]---
      
      Unref the fence *after* waiting for it.
      
      v2: Set man->move to NULL after dropping the last ref (Christian König)
      
      Fixes: aff98ba1 (drm/ttm: wait for eviction in ttm_bo_force_list_clean)
      Signed-off-by: default avatarJohn Brooks <john@fastquake.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      0fb615f9
    • Jaegeuk Kim's avatar
      f2fs: Don't clear SGID when inheriting ACLs · f97f9e94
      Jaegeuk Kim authored
      commit c925dc16 upstream.
      
      This patch copies commit b7f8a09f:
      "btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
      
      Fixes: 07393101Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f97f9e94
    • Jin Qian's avatar
      f2fs: sanity check size of nat and sit cache · 19e117a5
      Jin Qian authored
      commit 21d3f8e1 upstream.
      
      Make sure number of entires doesn't exceed max journal size.
      Signed-off-by: default avatarJin Qian <jinqian@android.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19e117a5
    • Jan Kara's avatar
      xfs: Don't clear SGID when inheriting ACLs · 58d2eacd
      Jan Kara authored
      commit 8ba35875 upstream.
      
      When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
      set, DIR1 is expected to have SGID bit set (and owning group equal to
      the owning group of 'DIR0'). However when 'DIR0' also has some default
      ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
      'DIR1' to get cleared if user is not member of the owning group.
      
      Fix the problem by calling __xfs_set_acl() instead of xfs_set_acl() when
      setting up inode in xfs_generic_create(). That prevents SGID bit
      clearing and mode is properly set by posix_acl_create() anyway. We also
      reorder arguments of __xfs_set_acl() to match the ordering of
      xfs_set_acl() to make things consistent.
      
      Fixes: 07393101
      CC: Darrick J. Wong <darrick.wong@oracle.com>
      CC: linux-xfs@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58d2eacd
    • Corey Minyard's avatar
      ipmi:ssif: Add missing unlock in error branch · 1b9008cd
      Corey Minyard authored
      commit 4495ec6d upstream.
      
      When getting flags, a response to a different message would
      result in a deadlock because of a missing unlock.  Add that
      unlock and a comment.  Found by static analysis.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b9008cd
    • Tony Camuso's avatar
      ipmi: use rcu lock around call to intf->handlers->sender() · 685e124e
      Tony Camuso authored
      commit cdea4656 upstream.
      
      A vendor with a system having more than 128 CPUs occasionally encounters
      the following crash during shutdown. This is not an easily reproduceable
      event, but the vendor was able to provide the following analysis of the
      crash, which exhibits the same footprint each time.
      
      crash> bt
      PID: 0      TASK: ffff88017c70ce70  CPU: 5   COMMAND: "swapper/5"
       #0 [ffff88085c143ac8] machine_kexec at ffffffff81059c8b
       #1 [ffff88085c143b28] __crash_kexec at ffffffff811052e2
       #2 [ffff88085c143bf8] crash_kexec at ffffffff811053d0
       #3 [ffff88085c143c10] oops_end at ffffffff8168ef88
       #4 [ffff88085c143c38] no_context at ffffffff8167ebb3
       #5 [ffff88085c143c88] __bad_area_nosemaphore at ffffffff8167ec49
       #6 [ffff88085c143cd0] bad_area_nosemaphore at ffffffff8167edb3
       #7 [ffff88085c143ce0] __do_page_fault at ffffffff81691d1e
       #8 [ffff88085c143d40] do_page_fault at ffffffff81691ec5
       #9 [ffff88085c143d70] page_fault at ffffffff8168e188
          [exception RIP: unknown or invalid address]
          RIP: ffffffffa053c800  RSP: ffff88085c143e28  RFLAGS: 00010206
          RAX: ffff88017c72bfd8  RBX: ffff88017a8dc000  RCX: ffff8810588b5ac8
          RDX: ffff8810588b5a00  RSI: ffffffffa053c800  RDI: ffff8810588b5a00
          RBP: ffff88085c143e58   R8: ffff88017c70d408   R9: ffff88017a8dc000
          R10: 0000000000000002  R11: ffff88085c143da0  R12: ffff8810588b5ac8
          R13: 0000000000000100  R14: ffffffffa053c800  R15: ffff8810588b5a00
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
          <IRQ stack>
          [exception RIP: cpuidle_enter_state+82]
          RIP: ffffffff81514192  RSP: ffff88017c72be50  RFLAGS: 00000202
          RAX: 0000001e4c3c6f16  RBX: 000000000000f8a0  RCX: 0000000000000018
          RDX: 0000000225c17d03  RSI: ffff88017c72bfd8  RDI: 0000001e4c3c6f16
          RBP: ffff88017c72be78   R8: 000000000000237e   R9: 0000000000000018
          R10: 0000000000002494  R11: 0000000000000001  R12: ffff88017c72be20
          R13: ffff88085c14f8e0  R14: 0000000000000082  R15: 0000001e4c3bb400
          ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
      
      This is the corresponding stack trace
      
      It has crashed because the area pointed with RIP extracted from timer
      element is already removed during a shutdown process.
      
      The function is smi_timeout().
      
      And we think ffff8810588b5a00 in RDX is a parameter struct smi_info
      
      crash> rd ffff8810588b5a00 20
      ffff8810588b5a00:  ffff8810588b6000 0000000000000000   .`.X............
      ffff8810588b5a10:  ffff880853264400 ffffffffa05417e0   .D&S......T.....
      ffff8810588b5a20:  24a024a000000000 0000000000000000   .....$.$........
      ffff8810588b5a30:  0000000000000000 0000000000000000   ................
      ffff8810588b5a30:  0000000000000000 0000000000000000   ................
      ffff8810588b5a40:  ffffffffa053a040 ffffffffa053a060   @.S.....`.S.....
      ffff8810588b5a50:  0000000000000000 0000000100000001   ................
      ffff8810588b5a60:  0000000000000000 0000000000000e00   ................
      ffff8810588b5a70:  ffffffffa053a580 ffffffffa053a6e0   ..S.......S.....
      ffff8810588b5a80:  ffffffffa053a4a0 ffffffffa053a250   ..S.....P.S.....
      ffff8810588b5a90:  0000000500000002 0000000000000000   ................
      
      Unfortunately the top of this area is already detroyed by someone.
      But because of two reasonns we think this is struct smi_info
       1) The address included in between  ffff8810588b5a70 and ffff8810588b5a80:
        are inside of ipmi_si_intf.c  see crash> module ffff88085779d2c0
      
       2) We've found the area which point this.
        It is offset 0x68 of  ffff880859df4000
      
      crash> rd  ffff880859df4000 100
      ffff880859df4000:  0000000000000000 0000000000000001   ................
      ffff880859df4010:  ffffffffa0535290 dead000000000200   .RS.............
      ffff880859df4020:  ffff880859df4020 ffff880859df4020    @.Y.... @.Y....
      ffff880859df4030:  0000000000000002 0000000000100010   ................
      ffff880859df4040:  ffff880859df4040 ffff880859df4040   @@.Y....@@.Y....
      ffff880859df4050:  0000000000000000 0000000000000000   ................
      ffff880859df4060:  0000000000000000 ffff8810588b5a00   .........Z.X....
      ffff880859df4070:  0000000000000001 ffff880859df4078   ........x@.Y....
      
       If we regards it as struct ipmi_smi in shutdown process
       it looks consistent.
      
      The remedy for this apparent race is affixed below.
      Signed-off-by: default avatarTony Camuso <tcamuso@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      This was first introduced in 7ea0ed2b ipmi: Make the
      message handler easier to use for SMI interfaces
      where some code was moved outside of the rcu_read_lock()
      and the lock was not added.
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      685e124e
    • Mario Kleiner's avatar
      drm/radeon: Fix eDP for single-display iMac10,1 (v2) · 6e7b1eff
      Mario Kleiner authored
      commit 564d8a2c upstream.
      
      The late 2009, 27 inch Apple iMac10,1 has an
      internal eDP display and an external Mini-
      Displayport output, driven by a DCE-3.2, RV730
      Radeon Mobility HD-4670.
      
      The machine worked fine in a dual-display setup
      with eDP panel + externally connected HDMI
      or DVI-D digital display sink, connected via
      MiniDP to DVI or HDMI adapter.
      
      However, booting the machine single-display with
      only eDP panel results in a completely black
      display - even backlight powering off, as soon as
      the radeon modesetting driver loads.
      
      This patch fixes the single dispay eDP case by
      assigning encoders based on dig->linkb, similar
      to DCE-4+. While this should not be generally
      necessary (Alex: "...atom on normal boards
      should be able to handle any mapping."), Apple
      seems to use some special routing here.
      
      One remaining problem not solved by this patch
      is that an external Minidisplayport->DP sink
      does still not work on iMac10,1, whereas external
      DVI and HDMI sinks continue to work.
      
      The problem affects at least all tested kernels
      since Linux 3.13 - didn't test earlier kernels, so
      backporting to stable probably makes sense.
      
      v2: With the original patch from 2016, Alex was worried it
          will break other DCE3.2 systems. Use dmi_match() to
          apply this special encoder assignment only for the
          Apple iMac 10,1 from late 2009.
      Signed-off-by: default avatarMario Kleiner <mario.kleiner.de@gmail.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Cc: Michel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e7b1eff
    • Alex Deucher's avatar
      drm/radeon/ci: disable mclk switching for high refresh rates (v2) · a844f8d2
      Alex Deucher authored
      commit ab03d9fe upstream.
      
      Even if the vblank period would allow it, it still seems to
      be problematic on some cards.
      
      v2: fix logic inversion (Nils)
      
      bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a844f8d2
    • Tom St Denis's avatar
      drm/amd/amdgpu: Return error if initiating read out of range on vram · b85007c9
      Tom St Denis authored
      commit 9156e723 upstream.
      
      If you initiate a read that is out of the VRAM address space return
      ENXIO instead of 0.
      
      Reads that begin below that point will read upto the VRAM limit as
      before.
      Signed-off-by: default avatarTom St Denis <tom.stdenis@amd.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b85007c9
    • Jiri Olsa's avatar
      s390/syscalls: Fix out of bounds arguments access · 8302e9d2
      Jiri Olsa authored
      commit c46fc042 upstream.
      
      Zorro reported following crash while having enabled
      syscall tracing (CONFIG_FTRACE_SYSCALLS):
      
        Unable to handle kernel pointer dereference at virtual ...
        Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
      
        SNIP
      
        Call Trace:
        ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
         [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
         [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
         [<000003fffcf946a2>] 0x3fffcf946a2
        INFO: lockdep is turned off.
        Last Breaking-Event-Address:
         [<000000000022dd44>] rb_event_data+0x34/0x40
        ---[ end trace 8c795f86b1b3f7b9 ]---
      
      The crash happens in syscall_get_arguments function for
      syscalls with zero arguments, that will try to access
      first argument (args[0]) in event entry, but it's not
      allocated.
      
      Bail out of there are no arguments.
      Reported-by: default avatarZorro Lang <zlang@redhat.com>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8302e9d2
    • Xiao Ni's avatar
      Raid5 should update rdev->sectors after reshape · 1e951485
      Xiao Ni authored
      commit b5d27718 upstream.
      
      The raid5 md device is created by the disks which we don't use the total size. For example,
      the size of the device is 5G and it just uses 3G of the devices to create one raid5 device.
      Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid
      and assemble it again. It fails.
      mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean
      mdadm /dev/md0 --grow --chunk=64
      wait reshape to finish
      mdadm -S /dev/md0
      mdadm -As
      The error messages:
      [197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing!
      [197519.821686] md: md_import_device returned -22
      
      After reshape the data offset is changed. It selects backwards direction in this condition.
      In function super_1_load it compares the available space of the underlying device with
      sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL.
      rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based
      on rdev->sectors. So add md_finish_reshape in end_reshape.
      Signed-off-by: default avatarXiao Ni <xni@redhat.com>
      Acked-by: default avatarGuoqing Jiang <gqjiang@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e951485
    • Jan Kara's avatar
      ext2: Don't clear SGID when inheriting ACLs · 4d1f97eb
      Jan Kara authored
      commit a992f2d3 upstream.
      
      When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
      set, DIR1 is expected to have SGID bit set (and owning group equal to
      the owning group of 'DIR0'). However when 'DIR0' also has some default
      ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
      'DIR1' to get cleared if user is not member of the owning group.
      
      Fix the problem by creating __ext2_set_acl() function that does not call
      posix_acl_update_mode() and use it when inheriting ACLs. That prevents
      SGID bit clearing and the mode has been properly set by
      posix_acl_create() anyway.
      
      Fixes: 07393101
      CC: linux-ext4@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d1f97eb
    • Toshi Kani's avatar
      libnvdimm: fix badblock range handling of ARS range · 0fa705dc
      Toshi Kani authored
      commit 4e3f0701 upstream.
      
      __add_badblock_range() does not account sector alignment when
      it sets 'num_sectors'.  Therefore, an ARS error record range
      spanning across two sectors is set to a single sector length,
      which leaves the 2nd sector unprotected.
      
      Change __add_badblock_range() to set 'num_sectors' properly.
      
      Fixes: 0caeef63 ("libnvdimm: Add a poison list and export badblocks")
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Reviewed-by: default avatarVishal Verma <vishal.l.verma@intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0fa705dc