1. 13 Sep, 2017 21 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.18.71 · 60a8261b
      Greg Kroah-Hartman authored
      60a8261b
    • Richard Wareing's avatar
      xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present · b766f084
      Richard Wareing authored
      commit b31ff3cd upstream.
      
      If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
      a directory in a filesystem that does not have a realtime device and
      create a new file in that directory, it gets marked as a real time file.
      When data is written and a fsync is issued, the filesystem attempts to
      flush a non-existent rt device during the fsync process.
      
      This results in a crash dereferencing a null buftarg pointer in
      xfs_blkdev_issue_flush():
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        IP: xfs_blkdev_issue_flush+0xd/0x20
        .....
        Call Trace:
          xfs_file_fsync+0x188/0x1c0
          vfs_fsync_range+0x3b/0xa0
          do_fsync+0x3d/0x70
          SyS_fsync+0x10/0x20
          do_syscall_64+0x4d/0xb0
          entry_SYSCALL64_slow_path+0x25/0x25
      
      Setting RT inode flags does not require special privileges so any
      unprivileged user can cause this oops to occur.  To reproduce, confirm
      kernel is compiled with CONFIG_XFS_RT=y and run:
      
        # mkfs.xfs -f /dev/pmem0
        # mount /dev/pmem0 /mnt/test
        # mkdir /mnt/test/foo
        # xfs_io -c 'chattr +t' /mnt/test/foo
        # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
      
      Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
      
      Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
      
      Fixes: f538d4da ("[XFS] write barrier support")
      Signed-off-by: default avatarRichard Wareing <rwareing@fb.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b766f084
    • Mark Rutland's avatar
      ARM: 8692/1: mm: abort uaccess retries upon fatal signal · 43d51814
      Mark Rutland authored
      commit 746a272e upstream.
      
      When there's a fatal signal pending, arm's do_page_fault()
      implementation returns 0. The intent is that we'll return to the
      faulting userspace instruction, delivering the signal on the way.
      
      However, if we take a fatal signal during fixing up a uaccess, this
      results in a return to the faulting kernel instruction, which will be
      instantly retried, resulting in the same fault being taken forever. As
      the task never reaches userspace, the signal is not delivered, and the
      task is left unkillable. While the task is stuck in this state, it can
      inhibit the forward progress of the system.
      
      To avoid this, we must ensure that when a fatal signal is pending, we
      apply any necessary fixup for a faulting kernel instruction. Thus we
      will return to an error path, and it is up to that code to make forward
      progress towards delivering the fatal signal.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarSteve Capper <steve.capper@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43d51814
    • Ben Seri's avatar
      Bluetooth: Properly check L2CAP config option output buffer length · 090aa465
      Ben Seri authored
      commit e860d2c9 upstream.
      
      Validate the output buffer length for L2CAP config requests and responses
      to avoid overflowing the stack buffer used for building the option blocks.
      Signed-off-by: default avatarBen Seri <ben@armis.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      090aa465
    • Takashi Iwai's avatar
      ALSA: msnd: Optimize / harden DSP and MIDI loops · bceac103
      Takashi Iwai authored
      commit 20e2b791 upstream.
      
      The ISA msnd drivers have loops fetching the ring-buffer head, tail
      and size values inside the loops.  Such codes are inefficient and
      fragile.
      
      This patch optimizes it, and also adds the sanity check to avoid the
      endless loops.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196131
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196133Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatargrygorii tertychnyi <gtertych@cisco.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bceac103
    • Yang Shi's avatar
      locktorture: Fix potential memory leak with rw lock test · 8e7e643a
      Yang Shi authored
      commit f4dbba59 upstream.
      
      When running locktorture module with the below commands with kmemleak enabled:
      
      $ modprobe locktorture torture_type=rw_lock_irq
      $ rmmod locktorture
      
      The below kmemleak got caught:
      
      root@10:~# echo scan > /sys/kernel/debug/kmemleak
      [  323.197029] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
      root@10:~# cat /sys/kernel/debug/kmemleak
      unreferenced object 0xffffffc07592d500 (size 128):
        comm "modprobe", pid 368, jiffies 4294924118 (age 205.824s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 c3 7b 02 00 00 00 00 00  .........{......
          00 00 00 00 00 00 00 00 d7 9b 02 00 00 00 00 00  ................
        backtrace:
          [<ffffff80081e5a88>] create_object+0x110/0x288
          [<ffffff80086c6078>] kmemleak_alloc+0x58/0xa0
          [<ffffff80081d5acc>] __kmalloc+0x234/0x318
          [<ffffff80006fa130>] 0xffffff80006fa130
          [<ffffff8008083ae4>] do_one_initcall+0x44/0x138
          [<ffffff800817e28c>] do_init_module+0x68/0x1cc
          [<ffffff800811c848>] load_module+0x1a68/0x22e0
          [<ffffff800811d340>] SyS_finit_module+0xe0/0xf0
          [<ffffff80080836f0>] el0_svc_naked+0x24/0x28
          [<ffffffffffffffff>] 0xffffffffffffffff
      unreferenced object 0xffffffc07592d480 (size 128):
        comm "modprobe", pid 368, jiffies 4294924118 (age 205.824s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 3b 6f 01 00 00 00 00 00  ........;o......
          00 00 00 00 00 00 00 00 23 6a 01 00 00 00 00 00  ........#j......
        backtrace:
          [<ffffff80081e5a88>] create_object+0x110/0x288
          [<ffffff80086c6078>] kmemleak_alloc+0x58/0xa0
          [<ffffff80081d5acc>] __kmalloc+0x234/0x318
          [<ffffff80006fa22c>] 0xffffff80006fa22c
          [<ffffff8008083ae4>] do_one_initcall+0x44/0x138
          [<ffffff800817e28c>] do_init_module+0x68/0x1cc
          [<ffffff800811c848>] load_module+0x1a68/0x22e0
          [<ffffff800811d340>] SyS_finit_module+0xe0/0xf0
          [<ffffff80080836f0>] el0_svc_naked+0x24/0x28
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      It is because cxt.lwsa and cxt.lrsa don't get freed in module_exit, so free
      them in lock_torture_cleanup() and free writer_tasks if reader_tasks is
      failed at memory allocation.
      Signed-off-by: default avatarYang Shi <yang.shi@linaro.org>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Cc: 石洋 <yang.s@alibaba-inc.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e7e643a
    • Aleksa Sarai's avatar
      btrfs: resume qgroup rescan on rw remount · b66950d5
      Aleksa Sarai authored
      commit 6c6b5a39 upstream.
      
      Several distributions mount the "proper root" as ro during initrd and
      then remount it as rw before pivot_root(2). Thus, if a rescan had been
      aborted by a previous shutdown, the rescan would never be resumed.
      
      This issue would manifest itself as several btrfs ioctl(2)s causing the
      entire machine to hang when btrfs_qgroup_wait_for_completion was hit
      (due to the fs_info->qgroup_rescan_running flag being set but the rescan
      itself not being resumed). Notably, Docker's btrfs storage driver makes
      regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT
      (causing this problem to be manifested on boot for some machines).
      
      Cc: Jeff Mahoney <jeffm@suse.com>
      Fixes: b382a324 ("Btrfs: fix qgroup rescan resume on mount")
      Signed-off-by: default avatarAleksa Sarai <asarai@suse.de>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Tested-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b66950d5
    • Todd Poynor's avatar
      scsi: sg: recheck MMAP_IO request length with lock held · 19011e6a
      Todd Poynor authored
      commit 8d26f491 upstream.
      
      Commit 1bc0eb04 ("scsi: sg: protect accesses to 'reserved' page
      array") adds needed concurrency protection for the "reserve" buffer.
      Some checks that are initially made outside the lock are replicated once
      the lock is taken to ensure the checks and resulting decisions are made
      using consistent state.
      
      The check that a request with flag SG_FLAG_MMAP_IO set fits in the
      reserve buffer also needs to be performed again under the lock to ensure
      the reserve buffer length compared against matches the value in effect
      when the request is linked to the reserve buffer.  An -ENOMEM should be
      returned in this case, instead of switching over to an indirect buffer
      as for non-MMAP_IO requests.
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19011e6a
    • Todd Poynor's avatar
      scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE · 57923c95
      Todd Poynor authored
      commit 6a8dadcc upstream.
      
      Take f_mutex around mmap() processing to protect against races with the
      SG_SET_RESERVED_SIZE ioctl.  Ensure the reserve buffer length remains
      consistent during the mapping operation, and set the "mmap called" flag
      to prevent further changes to the reserved buffer size as an atomic
      operation with the mapping.
      
      [mkp: fixed whitespace]
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57923c95
    • Andrey Korolyov's avatar
      cs5536: add support for IDE controller variant · 61b491f5
      Andrey Korolyov authored
      commit 591b6bb6 upstream.
      
      Several legacy devices such as Geode-based Cisco ASA appliances
      and DB800 development board do possess CS5536 IDE controller
      with different PCI id than existing one. Using pata_generic is
      not always feasible as at least DB800 requires MSR quirk from
      pata_cs5536 to be used with vendor firmware.
      Signed-off-by: default avatarAndrey Korolyov <andrey@xdel.ru>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      61b491f5
    • Ben Hutchings's avatar
      workqueue: Fix flag collision · 18f9ff5c
      Ben Hutchings authored
      commit fbf1c41f upstream.
      
      Commit 0a94efb5 ("workqueue: implicit ordered attribute should be
      overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the
      same value as __WQ_LEGACY.  I don't believe these were intended to
      mean the same thing, so renumber __WQ_ORDERED_EXPLICIT.
      
      Fixes: 0a94efb5 ("workqueue: implicit ordered attribute should be ...")
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18f9ff5c
    • Doug Berger's avatar
      cma: fix calculation of aligned offset · e7023d13
      Doug Berger authored
      commit e048cb32 upstream.
      
      The align_offset parameter is used by bitmap_find_next_zero_area_off()
      to represent the offset of map's base from the previous alignment
      boundary; the function ensures that the returned index, plus the
      align_offset, honors the specified align_mask.
      
      The logic introduced by commit b5be83e3 ("mm: cma: align to physical
      address, not CMA region position") has the cma driver calculate the
      offset to the *next* alignment boundary.  In most cases, the base
      alignment is greater than that specified when making allocations,
      resulting in a zero offset whether we align up or down.  In the example
      given with the commit, the base alignment (8MB) was half the requested
      alignment (16MB) so the math also happened to work since the offset is
      8MB in both directions.  However, when requesting allocations with an
      alignment greater than twice that of the base, the returned index would
      not be correctly aligned.
      
      Also, the align_order arguments of cma_bitmap_aligned_mask() and
      cma_bitmap_aligned_offset() should not be negative so the argument type
      was made unsigned.
      
      Fixes: b5be83e3 ("mm: cma: align to physical address, not CMA region position")
      Link: http://lkml.kernel.org/r/20170628170742.2895-1-opendmb@gmail.comSigned-off-by: default avatarAngus Clark <angus@angusclark.org>
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Acked-by: default avatarGregory Fong <gregory.0xf0@gmail.com>
      Cc: Doug Berger <opendmb@gmail.com>
      Cc: Angus Clark <angus@angusclark.org>
      Cc: Laura Abbott <labbott@redhat.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Lucas Stach <l.stach@pengutronix.de>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Shiraz Hashim <shashim@codeaurora.org>
      Cc: Jaewon Kim <jaewon31.kim@samsung.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7023d13
    • Edwin Török's avatar
      dlm: avoid double-free on error path in dlm_device_{register,unregister} · fcd5675c
      Edwin Török authored
      commit 55acdd92 upstream.
      
      Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4):
       # seq 1 100 | xargs -P0 -n1 dlm_tool join
       # seq 1 100 | xargs -P0 -n1 dlm_tool leave
      
      misc_register fails due to duplicate sysfs entry, which causes
      dlm_device_register to free ls->ls_device.name.
      In dlm_device_deregister the name was freed again, causing memory
      corruption.
      
      According to the comment in dlm_device_deregister the name should've been
      set to NULL when registration fails,
      so this patch does that.
      
      sysfs: cannot create duplicate filename '/dev/char/10:1'
      ------------[ cut here ]------------
      warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70
      modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo
      videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev
      btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl
      x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
      snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi
      snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic
      snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec
      cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep
      iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw
      cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore
      sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse
       e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci
      pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video
      cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic
      hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012
      task: ffff96b0cbabe140 task.stack: ffffb199027d0000
      rip: 0010:sysfs_warn_dup+0x56/0x70
      rsp: 0018:ffffb199027d3c58 eflags: 00010282
      rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006
      rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0
      rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721
      r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1
      r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef
      fs:  00007f78069c0700(0000) gs:ffff96b15e240000(0000)
      knlgs:0000000000000000
      cs:  0010 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0
      call trace:
       sysfs_do_create_link_sd.isra.2+0x9e/0xb0
       sysfs_create_link+0x25/0x40
       device_add+0x5a9/0x640
       device_create_groups_vargs+0xe0/0xf0
       device_create_with_groups+0x3f/0x60
       ? snprintf+0x45/0x70
       misc_register+0x140/0x180
       device_write+0x6a8/0x790 [dlm]
       __vfs_write+0x37/0x160
       ? apparmor_file_permission+0x1a/0x20
       ? security_file_permission+0x3b/0xc0
       vfs_write+0xb5/0x1a0
       sys_write+0x55/0xc0
       ? sys_fcntl+0x5d/0xb0
       entry_syscall_64_fastpath+0x1e/0xa9
      rip: 0033:0x7f78083454bd
      rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001
      rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd
      rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005
      rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032
      r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00
      r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70
      code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8
      ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89
      df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
      ---[ end trace 40412246357cc9e0 ]---
      
      dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group...
      bug: unable to handle kernel null pointer dereference at 0000000000000001
      ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      pgd 0
      oops: 0000 [#1] smp
      modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6
      nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod
      aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul
      glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss
      oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4
      hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too
      serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata
      scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6
      cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1
      hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017
      task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000
      rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>]
      kmem_cache_alloc+0x7a/0x140
      rsp: e02b:ffff88000243fd90 eflags: 00010202
      rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c
      rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00
      rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054
      r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0
      r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2
      fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000
      cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660
      stack:
      ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0
      ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2
      ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90
      call trace:
      [<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140
      [<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140
      [<ffffffff8107033e>] copy_process+0xcae/0x1a80
      [<ffffffff8107128b>] _do_fork+0x8b/0x2d0
      [<ffffffff81071579>] sys_clone+0x19/0x20
      [<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71
      ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80
      00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c
      06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63
      rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      rsp <ffff88000243fd90>
      cr2: 0000000000000001
      --[ end trace 70cb9fd1b164a0e8 ]--
      Signed-off-by: default avatarEdwin Török <edvin.torok@citrix.com>
      Signed-off-by: default avatarDavid Teigland <teigland@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fcd5675c
    • Oscar Campos's avatar
      Input: trackpoint - assume 3 buttons when buttons detection fails · 524386e8
      Oscar Campos authored
      commit 293b915f upstream.
      
      Trackpoint buttons detection fails on ThinkPad 570 and 470 series,
      this makes the middle button of the trackpoint to not being recogized.
      As I don't believe there is any trackpoint with less than 3 buttons this
      patch just assumes three buttons when the extended button information
      read fails.
      Signed-off-by: default avatarOscar Campos <oscar.campos@member.fsf.org>
      Acked-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      524386e8
    • Christophe JAILLET's avatar
      driver core: bus: Fix a potential double free · 2c97bb69
      Christophe JAILLET authored
      commit 0f9b011d upstream.
      
      The .release function of driver_ktype is 'driver_release()'.
      This function frees the container_of this kobject.
      
      So, this memory must not be freed explicitly in the error handling path of
      'bus_add_driver()'. Otherwise a double free will occur.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c97bb69
    • Colin Ian King's avatar
      staging/rts5208: fix incorrect shift to extract upper nybble · 158333ad
      Colin Ian King authored
      commit 34ff1bf4 upstream.
      
      The mask of sns_key_info1 suggests the upper nybble is being extracted
      however the following shift of 8 bits is too large and always results in
      0.  Fix this by shifting only by 4 bits to correctly get the upper nybble.
      
      Detected by CoverityScan, CID#142891 ("Operands don't affect result")
      
      Fixes: fa590c22 ("staging: rts5208: add support for rts5208 and rts5288")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      158333ad
    • Douglas Anderson's avatar
      USB: core: Avoid race of async_completed() w/ usbdev_release() · d512a576
      Douglas Anderson authored
      commit ed62ca2f upstream.
      
      While running reboot tests w/ a specific set of USB devices (and
      slub_debug enabled), I found that once every few hours my device would
      be crashed with a stack that looked like this:
      
      [   14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091
      [   14.012460]  lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu
      [   14.012460] /1025536097, .owner_cpu: 0
      [   14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352
      [   14.012468] Hardware name: Google Kevin (DT)
      [   14.012471] Call trace:
      [   14.012483] [<....>] dump_backtrace+0x0/0x160
      [   14.012487] [<....>] show_stack+0x20/0x28
      [   14.012494] [<....>] dump_stack+0xb4/0xf0
      [   14.012500] [<....>] spin_dump+0x8c/0x98
      [   14.012504] [<....>] spin_bug+0x30/0x3c
      [   14.012508] [<....>] do_raw_spin_lock+0x40/0x164
      [   14.012515] [<....>] _raw_spin_lock_irqsave+0x64/0x74
      [   14.012521] [<....>] __wake_up+0x2c/0x60
      [   14.012528] [<....>] async_completed+0x2d0/0x300
      [   14.012534] [<....>] __usb_hcd_giveback_urb+0xc4/0x138
      [   14.012538] [<....>] usb_hcd_giveback_urb+0x54/0xf0
      [   14.012544] [<....>] xhci_irq+0x1314/0x1348
      [   14.012548] [<....>] usb_hcd_irq+0x40/0x50
      [   14.012553] [<....>] handle_irq_event_percpu+0x1b4/0x3f0
      [   14.012556] [<....>] handle_irq_event+0x4c/0x7c
      [   14.012561] [<....>] handle_fasteoi_irq+0x158/0x1c8
      [   14.012564] [<....>] generic_handle_irq+0x30/0x44
      [   14.012568] [<....>] __handle_domain_irq+0x90/0xbc
      [   14.012572] [<....>] gic_handle_irq+0xcc/0x18c
      
      Investigation using kgdb() found that the wait queue that was passed
      into wake_up() had been freed (it was filled with slub_debug poison).
      
      I analyzed and instrumented the code and reproduced.  My current
      belief is that this is happening:
      
      1. async_completed() is called (from IRQ).  Moves "as" onto the
         completed list.
      2. On another CPU, proc_reapurbnonblock_compat() calls
         async_getcompleted().  Blocks on spinlock.
      3. async_completed() releases the lock; keeps running; gets blocked
         midway through wake_up().
      4. proc_reapurbnonblock_compat() => async_getcompleted() gets the
         lock; removes "as" from completed list and frees it.
      5. usbdev_release() is called.  Frees "ps".
      6. async_completed() finally continues running wake_up().  ...but
         wake_up() has a pointer to the freed "ps".
      
      The instrumentation that led me to believe this was based on adding
      some trace_printk() calls in a select few functions and then using
      kdb's "ftdump" at crash time.  The trace follows (NOTE: in the trace
      below I cheated a little bit and added a udelay(1000) in
      async_completed() after releasing the spinlock because I wanted it to
      trigger quicker):
      
      <...>-2104   0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200
      mtpd-2055    3.... 13759356us : async_getcompleted before spin_lock_irqsave
      mtpd-2055    3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200
      mtpd-2055    3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200)
      mtpd-2055    3.... 13759422us+: async_getcompleted before spin_lock_irqsave
      mtpd-2055    3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080
      mtpd-2055    3.... 13759487us : async_getcompleted before spin_lock_irqsave
      mtpd-2055    3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080
      <...>-2104   0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200
      
      To fix this problem we can just move the wake_up() under the ps->lock.
      There should be no issues there that I'm aware of.
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d512a576
    • Sandeep Singh's avatar
      usb:xhci:Fix regression when ATI chipsets detected · 7d687695
      Sandeep Singh authored
      commit e6b422b8 upstream.
      
      The following commit cause a regression on ATI chipsets.
      'commit e788787e ("usb:xhci:Add quirk for Certain
      failing HP keyboard on reset after resume")'
      
      This causes pinfo->smbus_dev to be wrongly set to NULL on
      systems with the ATI chipset that this function checks for first.
      
      Added conditional check for AMD chipsets to avoid the overwriting
      pinfo->smbus_dev.
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Fixes: e788787e ("usb:xhci:Add quirk for Certain
      failing HP keyboard on reset after resume")
      cc: Nehal Shah <Nehal-bakulchandra.Shah@amd.com>
      Signed-off-by: default avatarSandeep Singh <Sandeep.Singh@amd.com>
      Signed-off-by: default avatarShyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d687695
    • Dmitry Fleytman's avatar
      usb: Add device quirk for Logitech HD Pro Webcam C920-C · f638d313
      Dmitry Fleytman authored
      commit a1279ef7 upstream.
      
      Commit e0429362
      ("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
      introduced quirk to workaround an issue with some Logitech webcams.
      
      Apparently model C920-C has the same issue so applying
      the same quirk as well.
      
      See aforementioned commit message for detailed explanation of the problem.
      Signed-off-by: default avatarDmitry Fleytman <dmitry@daynix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f638d313
    • Maciej S. Szmigiero's avatar
      USB: serial: option: add support for D-Link DWM-157 C1 · f396fe57
      Maciej S. Szmigiero authored
      commit 169e8654 upstream.
      
      This commit adds support (an ID, really) for D-Link DWM-157 hardware
      version C1 USB modem to option driver.
      
      According to manufacturer-provided Windows INF file the device has four
      serial ports:
      "D-Link HSPA+DataCard Diagnostics Interface" (interface 2; modem port),
      "D-Link HSPA+DataCard NMEA Device" (interface 3),
      "D-Link HSPA+DataCard Speech Port" (interface 4),
      "D-Link HSPA+DataCard Debug Port" (interface 5).
      
      usb-devices output:
      T:  Bus=05 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7d0e Rev=03.00
      S:  Manufacturer=D-Link,Inc
      S:  Product=D-Link DWM-157
      C:  #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=01 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      Signed-off-by: default avatarMaciej S. Szmigiero <mail@maciej.szmigiero.name>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f396fe57
    • Kai-Heng Feng's avatar
      usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard · d70662e5
      Kai-Heng Feng authored
      commit de3af5bf upstream.
      
      Corsair Strafe RGB keyboard has trouble to initialize:
      
      [ 1.679455] usb 3-6: new full-speed USB device number 4 using xhci_hcd
      [ 6.871136] usb 3-6: unable to read config index 0 descriptor/all
      [ 6.871138] usb 3-6: can't read configurations, error -110
      [ 6.991019] usb 3-6: new full-speed USB device number 5 using xhci_hcd
      [ 12.246642] usb 3-6: unable to read config index 0 descriptor/all
      [ 12.246644] usb 3-6: can't read configurations, error -110
      [ 12.366555] usb 3-6: new full-speed USB device number 6 using xhci_hcd
      [ 17.622145] usb 3-6: unable to read config index 0 descriptor/all
      [ 17.622147] usb 3-6: can't read configurations, error -110
      [ 17.742093] usb 3-6: new full-speed USB device number 7 using xhci_hcd
      [ 22.997715] usb 3-6: unable to read config index 0 descriptor/all
      [ 22.997716] usb 3-6: can't read configurations, error -110
      
      Although it may work after several times unpluging/pluging:
      
      [ 68.195240] usb 3-6: new full-speed USB device number 11 using xhci_hcd
      [ 68.337459] usb 3-6: New USB device found, idVendor=1b1c, idProduct=1b20
      [ 68.337463] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [ 68.337466] usb 3-6: Product: Corsair STRAFE RGB Gaming Keyboard
      [ 68.337468] usb 3-6: Manufacturer: Corsair
      [ 68.337470] usb 3-6: SerialNumber: 0F013021AEB8046755A93ED3F5001941
      
      Tried three quirks: USB_QUIRK_DELAY_INIT, USB_QUIRK_NO_LPM and
      USB_QUIRK_DEVICE_QUALIFIER, user confirmed that USB_QUIRK_DELAY_INIT alone
      can workaround this issue. Hence add the quirk for Corsair Strafe RGB.
      
      BugLink: https://bugs.launchpad.net/bugs/1678477Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d70662e5
  2. 07 Sep, 2017 10 commits
  3. 02 Sep, 2017 9 commits