1. 10 Sep, 2017 40 commits
    • Paul Mackerras's avatar
      KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit · d121574a
      Paul Mackerras authored
      [ Upstream commit 4c3bb4cc ]
      
      This restores several special-purpose registers (SPRs) to sane values
      on guest exit that were missed before.
      
      TAR and VRSAVE are readable and writable by userspace, and we need to
      save and restore them to prevent the guest from potentially affecting
      userspace execution (not that TAR or VRSAVE are used by any known
      program that run uses the KVM_RUN ioctl).  We save/restore these
      in kvmppc_vcpu_run_hv() rather than on every guest entry/exit.
      
      FSCR affects userspace execution in that it can prohibit access to
      certain facilities by userspace.  We restore it to the normal value
      for the task on exit from the KVM_RUN ioctl.
      
      IAMR is normally 0, and is restored to 0 on guest exit.  However,
      with a radix host on POWER9, it is set to a value that prevents the
      kernel from executing user-accessible memory.  On POWER9, we save
      IAMR on guest entry and restore it on guest exit to the saved value
      rather than 0.  On POWER8 we continue to set it to 0 on guest exit.
      
      PSPB is normally 0.  We restore it to 0 on guest exit to prevent
      userspace taking advantage of the guest having set it non-zero
      (which would allow userspace to set its SMT priority to high).
      
      UAMOR is normally 0.  We restore it to 0 on guest exit to prevent
      the AMR from being used as a covert channel between userspace
      processes, since the AMR is not context-switched at present.
      
      Fixes: b005255e ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08)
      Cc: stable@vger.kernel.org # v3.14+
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d121574a
    • Paul Mackerras's avatar
      KVM: PPC: Book3S HV: Context-switch EBB registers properly · fef3180a
      Paul Mackerras authored
      [ Upstream commit ca8efa1d ]
      
      This adds code to save the values of three SPRs (special-purpose
      registers) used by userspace to control event-based branches (EBBs),
      which are essentially interrupts that get delivered directly to
      userspace.  These registers are loaded up with guest values when
      entering the guest, and their values are saved when exiting the
      guest, but we were not saving the host values and restoring them
      before going back to userspace.
      
      On POWER8 this would only affect userspace programs which explicitly
      request the use of EBBs and also use the KVM_RUN ioctl, since the
      only source of EBBs on POWER8 is the PMU, and there is an explicit
      enable bit in the PMU registers (and those PMU registers do get
      properly context-switched between host and guest).  On POWER9 there
      is provision for externally-generated EBBs, and these are not subject
      to the control in the PMU registers.
      
      Since these registers only affect userspace, we can save them when
      we first come in from userspace and restore them before returning to
      userspace, rather than saving/restoring the host values on every
      guest entry/exit.  Similarly, we don't need to worry about their
      values on offline secondary threads since they execute in the context
      of the idle task, which never executes in userspace.
      
      Fixes: b005255e ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08)
      Cc: stable@vger.kernel.org # v3.14+
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fef3180a
    • Sinclair Yeh's avatar
      drm/vmwgfx: Fix gcc-7.1.1 warning · ff7d22e2
      Sinclair Yeh authored
      [ Upstream commit fcfffdd8 ]
      
      The current code does not look correct, and the reason for it is
      probably lost.  Since this now generates a compiler warning,
      fix it to what makes sense.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSinclair Yeh <syeh@vmware.com>
      Reviewed-by: default avatarBrian Paul <brianp@vmware.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      ff7d22e2
    • Ofer Heifetz's avatar
      md/raid5: add thread_group worker async_tx_issue_pending_all · b89a99cf
      Ofer Heifetz authored
      [ Upstream commit 7e96d559 ]
      
      Since thread_group worker and raid5d kthread are not in sync, if
      worker writes stripe before raid5d then requests will be waiting
      for issue_pendig.
      
      Issue observed when building raid5 with ext4, in some build runs
      jbd2 would get hung and requests were waiting in the HW engine
      waiting to be issued.
      
      Fix this by adding a call to async_tx_issue_pending_all in the
      raid5_do_work.
      Signed-off-by: default avatarOfer Heifetz <oferh@marvell.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b89a99cf
    • Laurent Vivier's avatar
      powerpc/pseries: Fix of_node_put() underflow during reconfig remove · 333ff174
      Laurent Vivier authored
      [ Upstream commit 4fd1bd44 ]
      
      As for commit 68baf692 ("powerpc/pseries: Fix of_node_put()
      underflow during DLPAR remove"), the call to of_node_put() must be
      removed from pSeries_reconfig_remove_node().
      
      dlpar_detach_node() and pSeries_reconfig_remove_node() both call
      of_detach_node(), and thus the node should not be released in both
      cases.
      
      Fixes: 0829f6d1 ("of: device_node kobject lifecycle fixes")
      Cc: stable@vger.kernel.org # v3.15+
      Signed-off-by: default avatarLaurent Vivier <lvivier@redhat.com>
      Reviewed-by: default avatarDavid Gibson <david@gibson.dropbear.id.au>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      333ff174
    • Eric Dumazet's avatar
      net: reduce skb_warn_bad_offload() noise · d47e660f
      Eric Dumazet authored
      [ Upstream commit b2504a5d ]
      
      Dmitry reported warnings occurring in __skb_gso_segment() [1]
      
      All SKB_GSO_DODGY producers can allow user space to feed
      packets that trigger the current check.
      
      We could prevent them from doing so, rejecting packets, but
      this might add regressions to existing programs.
      
      It turns out our SKB_GSO_DODGY handlers properly set up checksum
      information that is needed anyway when packets needs to be segmented.
      
      By checking again skb_needs_check() after skb_mac_gso_segment(),
      we should remove these pesky warnings, at a very minor cost.
      
      With help from Willem de Bruijn
      
      [1]
      WARNING: CPU: 1 PID: 6768 at net/core/dev.c:2439 skb_warn_bad_offload+0x2af/0x390 net/core/dev.c:2434
      lo: caps=(0x000000a2803b7c69, 0x0000000000000000) len=138 data_len=0 gso_size=15883 gso_type=4 ip_summed=0
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 1 PID: 6768 Comm: syz-executor1 Not tainted 4.9.0 #5
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
       ffff8801c063ecd8 ffffffff82346bdf ffffffff00000001 1ffff100380c7d2e
       ffffed00380c7d26 0000000041b58ab3 ffffffff84b37e38 ffffffff823468f1
       ffffffff84820740 ffffffff84f289c0 dffffc0000000000 ffff8801c063ee20
      Call Trace:
       [<ffffffff82346bdf>] __dump_stack lib/dump_stack.c:15 [inline]
       [<ffffffff82346bdf>] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
       [<ffffffff81827e34>] panic+0x1fb/0x412 kernel/panic.c:179
       [<ffffffff8141f704>] __warn+0x1c4/0x1e0 kernel/panic.c:542
       [<ffffffff8141f7e5>] warn_slowpath_fmt+0xc5/0x100 kernel/panic.c:565
       [<ffffffff8356cbaf>] skb_warn_bad_offload+0x2af/0x390 net/core/dev.c:2434
       [<ffffffff83585cd2>] __skb_gso_segment+0x482/0x780 net/core/dev.c:2706
       [<ffffffff83586f19>] skb_gso_segment include/linux/netdevice.h:3985 [inline]
       [<ffffffff83586f19>] validate_xmit_skb+0x5c9/0xc20 net/core/dev.c:2969
       [<ffffffff835892bb>] __dev_queue_xmit+0xe6b/0x1e70 net/core/dev.c:3383
       [<ffffffff8358a2d7>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3424
       [<ffffffff83ad161d>] packet_snd net/packet/af_packet.c:2930 [inline]
       [<ffffffff83ad161d>] packet_sendmsg+0x32ed/0x4d30 net/packet/af_packet.c:2955
       [<ffffffff834f0aaa>] sock_sendmsg_nosec net/socket.c:621 [inline]
       [<ffffffff834f0aaa>] sock_sendmsg+0xca/0x110 net/socket.c:631
       [<ffffffff834f329a>] ___sys_sendmsg+0x8fa/0x9f0 net/socket.c:1954
       [<ffffffff834f5e58>] __sys_sendmsg+0x138/0x300 net/socket.c:1988
       [<ffffffff834f604d>] SYSC_sendmsg net/socket.c:1999 [inline]
       [<ffffffff834f604d>] SyS_sendmsg+0x2d/0x50 net/socket.c:1995
       [<ffffffff84371941>] entry_SYSCALL_64_fastpath+0x1f/0xc2
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov  <dvyukov@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d47e660f
    • Yuejie Shi's avatar
      af_key: Add lock to key dump · cf655d39
      Yuejie Shi authored
      [ Upstream commit 89e357d8 ]
      
      A dump may come in the middle of another dump, modifying its dump
      structure members. This race condition will result in NULL pointer
      dereference in kernel. So add a lock to prevent that race.
      
      Fixes: 83321d6b ("[AF_KEY]: Dump SA/SP entries non-atomically")
      Signed-off-by: default avatarYuejie Shi <syjcnss@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      cf655d39
    • Bjorn Andersson's avatar
      spmi: Include OF based modalias in device uevent · ca38136b
      Bjorn Andersson authored
      [ Upstream commit d50daa2a ]
      
      Include the OF-based modalias in the uevent sent when registering SPMI
      devices, so that user space has a chance to autoload the kernel module
      for the device.
      Tested-by: default avatarRob Clark <robdclark@gmail.com>
      Reported-by: default avatarRob Clark <robdclark@gmail.com>
      Reviewed-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      ca38136b
    • Stephen Boyd's avatar
      of: device: Export of_device_{get_modalias, uvent_modalias} to modules · 70a07ab0
      Stephen Boyd authored
      [ Upstream commit 7a3b7cd3 ]
      
      The ULPI bus can be built as a module, and it will soon be
      calling these functions when it supports probing devices from DT.
      Export them so they can be used by the ULPI module.
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Cc: <devicetree@vger.kernel.org>
      Signed-off-by: default avatarStephen Boyd <stephen.boyd@linaro.org>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      70a07ab0
    • Imre Deak's avatar
      drm/mst: Avoid processing partially received up/down message transactions · 7c3aed90
      Imre Deak authored
      [ Upstream commit 636c4c3e ]
      
      Currently we may process up/down message transactions containing
      uninitialized data. This can happen if there was an error during the
      reception of any message in the transaction, but we happened to receive
      the last message correctly with the end-of-message flag set.
      
      To avoid this abort the reception of the transaction when the first
      error is detected, rejecting any messages until a message with the
      start-of-message flag is received (which will start a new transaction).
      This is also what the DP 1.4 spec 2.11.8.2 calls for in this case.
      
      In addtion this also prevents receiving bogus transactions without the
      first message with the the start-of-message flag set.
      
      v2:
      - unchanged
      v3:
      - git add the part that actually skips messages after an error in
        drm_dp_sideband_msg_build()
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Lyude <lyude@redhat.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Reviewed-by: default avatarLyude <lyude@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20170719134632.13366-1-imre.deak@intel.comSigned-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      7c3aed90
    • Imre Deak's avatar
      drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req() · ef30f719
      Imre Deak authored
      [ Upstream commit 7f8b3987 ]
      
      In case of an unknown broadcast message is sent mstb will remain unset,
      so check for this.
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Lyude <lyude@redhat.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Reviewed-by: default avatarLyude <lyude@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-3-imre.deak@intel.comSigned-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      ef30f719
    • Imre Deak's avatar
      drm/mst: Fix error handling during MST sideband message reception · 471ae589
      Imre Deak authored
      [ Upstream commit 448421b5 ]
      
      Handle any error due to partial reads, timeouts etc. to avoid parsing
      uninitialized data subsequently. Also bail out if the parsing itself
      fails.
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Lyude <lyude@redhat.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Reviewed-by: default avatarLyude <lyude@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-2-imre.deak@intel.comSigned-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      471ae589
    • Michael Gugino's avatar
      staging: rtl8188eu: add TL-WN722N v2 support · adefa5fe
      Michael Gugino authored
      [ Upstream commit 5a1d4c5d ]
      
      Add support for USB Device TP-Link TL-WN722N v2.
      VendorID: 0x2357, ProductID: 0x010c
      Signed-off-by: default avatarMichael Gugino <michael.gugino.2@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      adefa5fe
    • Ingo Molnar's avatar
      Revert "perf/core: Drop kernel samples even though :u is specified" · 5789f1b8
      Ingo Molnar authored
      [ Upstream commit 6a8a75f3 ]
      
      This reverts commit cc1582c2.
      
      This commit introduced a regression that broke rr-project, which uses sampling
      events to receive a signal on overflow (but does not care about the contents
      of the sample). These signals are critical to the correct operation of rr.
      
      There's been some back and forth about how to fix it - but to not keep
      applications in limbo queue up a revert.
      Reported-by: default avatarKyle Huey <me@kylehuey.com>
      Acked-by: default avatarKyle Huey <me@kylehuey.com>
      Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Jin Yao <yao.jin@linux.intel.com>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20170628105600.GC5981@leverpostejSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5789f1b8
    • Jin Yao's avatar
      perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target · a17ff9db
      Jin Yao authored
      [ Upstream commit 80f62589 ]
      
      When the jump instruction is displayed at the row 0 in annotate view,
      the arrow is broken. An example:
      
       16.86 │   ┌──je     82
        0.01 │      movsd  (%rsp),%xmm0
             │      movsd  0x8(%rsp),%xmm4
             │      movsd  0x8(%rsp),%xmm1
             │      movsd  (%rsp),%xmm3
             │      divsd  %xmm4,%xmm0
             │      divsd  %xmm3,%xmm1
             │      movsd  (%rsp),%xmm2
             │      addsd  %xmm1,%xmm0
             │      addsd  %xmm2,%xmm0
             │      movsd  %xmm0,(%rsp)
             │82:   sub    $0x1,%ebx
       83.03 │    ↑ jne    38
             │      add    $0x10,%rsp
             │      xor    %eax,%eax
             │      pop    %rbx
             │    ← retq
      
      The patch increments the row number before checking with 0.
      Signed-off-by: default avatarYao Jin <yao.jin@linux.intel.com>
      Tested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Fixes: 944e1abe ("perf ui browser: Add method to draw up/down arrow line")
      Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a17ff9db
    • Jiang Yi's avatar
      target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce · baab4ab4
      Jiang Yi authored
      [ Upstream commit 1d6ef276 ]
      
      This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak,
      that would be triggered during normal se_cmd shutdown or abort
      via __transport_wait_for_tasks().
      
      This would occur because target_complete_cmd() would catch this
      early and do complete_all(&cmd->t_transport_stop_comp), but since
      target_complete_ok_work() or target_complete_failure_work() are
      never called to invoke se_cmd->transport_complete_callback(),
      the COMPARE_AND_WRITE specific callbacks never release caw_sem.
      
      To address this special case, go ahead and release caw_sem
      directly from target_complete_cmd().
      
      (Remove '&& success' from check, to release caw_sem regardless
       of scsi_status - nab)
      Signed-off-by: default avatarJiang Yi <jiangyilism@gmail.com>
      Cc: <stable@vger.kernel.org> # 3.14+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      baab4ab4
    • Jan Kara's avatar
      udf: Fix deadlock between writeback and udf_setsize() · deec8c69
      Jan Kara authored
      [ Upstream commit f2e95355 ]
      
      udf_setsize() called truncate_setsize() with i_data_sem held. Thus
      truncate_pagecache() called from truncate_setsize() could lock a page
      under i_data_sem which can deadlock as page lock ranks below
      i_data_sem - e. g. writeback can hold page lock and try to acquire
      i_data_sem to map a block.
      
      Fix the problem by moving truncate_setsize() calls from under
      i_data_sem. It is safe for us to change i_size without holding
      i_data_sem as all the places that depend on i_size being stable already
      hold inode_lock.
      
      CC: stable@vger.kernel.org
      Fixes: 7e49b6f2Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      deec8c69
    • NeilBrown's avatar
      NFS: only invalidate dentrys that are clearly invalid. · 4b2c60a3
      NeilBrown authored
      [ Upstream commit cc89684c ]
      
      Since commit bafc9b75 ("vfs: More precise tests in d_invalidate")
      in v3.18, a return of '0' from ->d_revalidate() will cause the dentry
      to be invalidated even if it has filesystems mounted on or it or on a
      descendant.  The mounted filesystem is unmounted.
      
      This means we need to be careful not to return 0 unless the directory
      referred to truly is invalid.  So -ESTALE or -ENOENT should invalidate
      the directory.  Other errors such a -EPERM or -ERESTARTSYS should be
      returned from ->d_revalidate() so they are propagated to the caller.
      
      A particular problem can be demonstrated by:
      
      1/ mount an NFS filesystem using NFSv3 on /mnt
      2/ mount any other filesystem on /mnt/foo
      3/ ls /mnt/foo
      4/ turn off network, or otherwise make the server unable to respond
      5/ ls /mnt/foo &
      6/ cat /proc/$!/stack # note that nfs_lookup_revalidate is in the call stack
      7/ kill -9 $! # this results in -ERESTARTSYS being returned
      8/ observe that /mnt/foo has been unmounted.
      
      This patch changes nfs_lookup_revalidate() to only treat
        -ESTALE from nfs_lookup_verify_inode() and
        -ESTALE or -ENOENT from ->lookup()
      as indicating an invalid inode.  Other errors are returned.
      
      Also nfs_check_inode_attributes() is changed to return -ESTALE rather
      than -EIO.  This is consistent with the error returned in similar
      circumstances from nfs_update_inode().
      
      As this bug allows any user to unmount a filesystem mounted on an NFS
      filesystem, this fix is suitable for stable kernels.
      
      Fixes: bafc9b75 ("vfs: More precise tests in d_invalidate")
      Cc: stable@vger.kernel.org (v3.18+)
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      4b2c60a3
    • Chen Hong's avatar
      Input: i8042 - fix crash at boot time · 6b4a5a2e
      Chen Hong authored
      [ Upstream commit 340d394a ]
      
      The driver checks port->exists twice in i8042_interrupt(), first when
      trying to assign temporary "serio" variable, and second time when deciding
      whether it should call serio_interrupt(). The value of port->exists may
      change between the 2 checks, and we may end up calling serio_interrupt()
      with a NULL pointer:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
      IP: [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
      PGD 0
      Oops: 0002 [#1] SMP
      last sysfs file:
      CPU 0
      Modules linked in:
      
      Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996)
      RIP: 0010:[<ffffffff8150feaf>]  [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
      RSP: 0018:ffff880028203cc0  EFLAGS: 00010082
      RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050
      RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0
      R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098
      FS:  0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500)
      Stack:
      ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000
      <d> 0000000000000000 0000000000000000 0000000000000000 0000000000000098
      <d> ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac
      Call Trace:
      <IRQ>
       [<ffffffff813de186>] serio_interrupt+0x36/0xa0
      [<ffffffff813e0162>] i8042_interrupt+0x132/0x3a0
      [<ffffffff8103b8ac>] ? kvm_clock_read+0x1c/0x20
      [<ffffffff8103b8b9>] ? kvm_clock_get_cycles+0x9/0x10
      [<ffffffff810e1640>] handle_IRQ_event+0x60/0x170
      [<ffffffff8103b154>] ? kvm_guest_apic_eoi_write+0x44/0x50
      [<ffffffff810e3d8e>] handle_edge_irq+0xde/0x180
      [<ffffffff8100de89>] handle_irq+0x49/0xa0
      [<ffffffff81516c8c>] do_IRQ+0x6c/0xf0
      [<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
      [<ffffffff81076f63>] ? __do_softirq+0x73/0x1e0
      [<ffffffff8109b75b>] ? hrtimer_interrupt+0x14b/0x260
      [<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
      [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
      [<ffffffff81076d95>] ? irq_exit+0x85/0x90
      [<ffffffff81516d80>] ? smp_apic_timer_interrupt+0x70/0x9b
      [<ffffffff8100bb93>] ? apic_timer_interrupt+0x13/0x20
      
      To avoid the issue let's change the second check to test whether serio is
      NULL or not.
      
      Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of
      trying to be overly smart and using memory barriers.
      Signed-off-by: default avatarChen Hong <chenhong3@huawei.com>
      [dtor: take lock in i8042_start()/i8042_stop()]
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6b4a5a2e
    • Maciej W. Rozycki's avatar
      MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn' · cd37e7c7
      Maciej W. Rozycki authored
      [ Upstream commit 7b82c105 ]
      
      Fix commit e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.") and
      send SIGILL rather than SIGBUS whenever an unimplemented BPOSGE32 DSP
      ASE instruction has been encountered in `__compute_return_epc_for_insn'
      as our Reserved Instruction exception handler would in response to an
      attempt to actually execute the instruction.  Sending SIGBUS only makes
      sense for the unaligned PC case, since moved to `__compute_return_epc'.
      Adjust function documentation accordingly, correct formatting and use
      `pr_info' rather than `printk' as the other exit path already does.
      
      Fixes: e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 2.6.14+
      Patchwork: https://patchwork.linux-mips.org/patch/16396/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      cd37e7c7
    • Maciej W. Rozycki's avatar
      MIPS: math-emu: Prevent wrong ISA mode instruction emulation · 5bc1fd6c
      Maciej W. Rozycki authored
      [ Upstream commit 13769eba ]
      
      Terminate FPU emulation immediately whenever an ISA mode switch has been
      observed.  This is so that we do not interpret machine code in the wrong
      mode, for example when a regular MIPS FPU instruction has been placed in
      a delay slot of a jump that switches into the MIPS16 mode, as with the
      following code (taken from a GCC test suite case):
      
      00400650 <set_fast_math>:
        400650:	3c020100 	lui	v0,0x100
        400654:	03e00008 	jr	ra
        400658:	44c2f800 	ctc1	v0,c1_fcsr
        40065c:	00000000 	nop
      
      [...]
      
      004012d0 <__libc_csu_init>:
        4012d0:	f000 6a02 	li	v0,2
        4012d4:	f150 0b1c 	la	v1,3f9430 <_DYNAMIC-0x6df0>
        4012d8:	f400 3240 	sll	v0,16
        4012dc:	e269      	addu	v0,v1
        4012de:	659a      	move	gp,v0
        4012e0:	f00c 64f6 	save	a0-a2,48,ra,s0-s1
        4012e4:	673c      	move	s1,gp
        4012e6:	f010 9978 	lw	v1,-32744(s1)
        4012ea:	d204      	sw	v0,16(sp)
        4012ec:	eb40      	jalr	v1
        4012ee:	653b      	move	t9,v1
        4012f0:	f010 997c 	lw	v1,-32740(s1)
        4012f4:	f030 9920 	lw	s1,-32736(s1)
        4012f8:	e32f      	subu	v1,s1
        4012fa:	326b      	sra	v0,v1,2
        4012fc:	d206      	sw	v0,24(sp)
        4012fe:	220c      	beqz	v0,401318 <__libc_csu_init+0x48>
        401300:	6800      	li	s0,0
        401302:	99e0      	lw	a3,0(s1)
        401304:	4801      	addiu	s0,1
        401306:	960e      	lw	a2,56(sp)
        401308:	4904      	addiu	s1,4
        40130a:	950d      	lw	a1,52(sp)
        40130c:	940c      	lw	a0,48(sp)
        40130e:	ef40      	jalr	a3
        401310:	653f      	move	t9,a3
        401312:	9206      	lw	v0,24(sp)
        401314:	ea0a      	cmp	v0,s0
        401316:	61f5      	btnez	401302 <__libc_csu_init+0x32>
        401318:	6476      	restore	48,ra,s0-s1
        40131a:	e8a0      	jrc	ra
      
      Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit)
      and emulation triggers for the CTC1 instruction.  As it is in a jump
      delay slot emulation continues from `401312' (`401313' with the ISA
      bit).  However we have no path to handle MIPS16 FPU code emulation,
      because there are no MIPS16 FPU instructions.  So the default emulation
      path is taken, interpreting a 32-bit word fetched by `get_user' from
      `401313' as a regular MIPS instruction, which is:
      
        401313:	f5ea0a92	sdc1	$f10,2706(t7)
      
      This makes the FPU emulator proceed with the supposed SDC1 instruction
      and consequently makes the program considered here terminate with
      SIGSEGV.
      
      A similar although less severe issue exists with pure-microMIPS
      processors in the case where similarly an FPU instruction is emulated in
      a delay slot of a register jump that (incorrectly) switches into the
      regular MIPS mode.  A subsequent instruction fetch from the jump's
      target is supposed to cause an Address Error exception, however instead
      we proceed with regular MIPS FPU emulation.
      
      For simplicity then, always terminate the emulation loop whenever a mode
      change is detected, denoted by an ISA mode bit flip.  As from commit
      377cb1b6 ("MIPS: Disable MIPS16/microMIPS crap for platforms not
      supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded
      to 0, so we need to examine the ISA mode bit by hand.
      
      This complements commit 102cedc3 ("MIPS: microMIPS: Floating point
      support.") which added JALX decoding to FPU emulation.
      
      Fixes: 102cedc3 ("MIPS: microMIPS: Floating point support.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 3.9+
      Patchwork: https://patchwork.linux-mips.org/patch/16393/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5bc1fd6c
    • Maciej W. Rozycki's avatar
      MIPS: Fix unaligned PC interpretation in `compute_return_epc' · fb6c5037
      Maciej W. Rozycki authored
      [ Upstream commit 11a3799d ]
      
      Fix a regression introduced with commit fb6883e5 ("MIPS: microMIPS:
      Support handling of delay slots.") and defer to `__compute_return_epc'
      if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware,
      which will then arrange for a SIGBUS due to an unaligned instruction
      reference.  Returning EPC here is never correct as the API defines this
      function's result to be either a negative error code on failure or one
      of 0 and BRANCH_LIKELY_TAKEN on success.
      
      Fixes: fb6883e5 ("MIPS: microMIPS: Support handling of delay slots.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 3.9+
      Patchwork: https://patchwork.linux-mips.org/patch/16395/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fb6c5037
    • Maciej W. Rozycki's avatar
      MIPS: Actually decode JALX in `__compute_return_epc_for_insn' · 512a16d0
      Maciej W. Rozycki authored
      [ Upstream commit a9db101b ]
      
      Complement commit fb6883e5 ("MIPS: microMIPS: Support handling of
      delay slots.") and actually decode the regular MIPS JALX major
      instruction opcode, the handling of which has been added with the said
      commit for EPC calculation in `__compute_return_epc_for_insn'.
      
      Fixes: fb6883e5 ("MIPS: microMIPS: Support handling of delay slots.")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 3.9+
      Patchwork: https://patchwork.linux-mips.org/patch/16394/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      512a16d0
    • James Hogan's avatar
      MIPS: Save static registers before sysmips · a7fe9414
      James Hogan authored
      [ Upstream commit 49955d84 ]
      
      The MIPS sysmips system call handler may return directly from the
      MIPS_ATOMIC_SET case (mips_atomic_set()) to syscall_exit. This path
      restores the static (callee saved) registers, however they won't have
      been saved on entry to the system call.
      
      Use the save_static_function() macro to create a __sys_sysmips wrapper
      function which saves the static registers before calling sys_sysmips, so
      that the correct static register state is restored by syscall_exit.
      
      Fixes: f1e39a4a ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/16149/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a7fe9414
    • Maciej W. Rozycki's avatar
      MIPS: Fix MIPS I ISA /proc/cpuinfo reporting · 0c23a777
      Maciej W. Rozycki authored
      [ Upstream commit e5f5a5b0 ]
      
      Correct a commit 515a6393 ("MIPS: kernel: proc: Add MIPS R6 support
      to /proc/cpuinfo") regression that caused MIPS I systems to show no ISA
      levels supported in /proc/cpuinfo, e.g.:
      
      system type		: Digital DECstation 2100/3100
      machine			: Unknown
      processor		: 0
      cpu model		: R3000 V2.0  FPU V2.0
      BogoMIPS		: 10.69
      wait instruction	: no
      microsecond timers	: no
      tlb_entries		: 64
      extra interrupt vector	: no
      hardware watchpoint	: no
      isa			:
      ASEs implemented	:
      shadow register sets	: 1
      kscratch registers	: 0
      package			: 0
      core			: 0
      VCED exceptions		: not available
      VCEI exceptions		: not available
      
      and similarly exclude `mips1' from the ISA list for any processors below
      MIPSr1.  This is because the condition to show `mips1' on has been made
      `cpu_has_mips_r1' rather than newly-introduced `cpu_has_mips_1'.  Use
      the correct condition then.
      
      Fixes: 515a6393 ("MIPS: kernel: proc: Add MIPS R6 support to /proc/cpuinfo")
      Signed-off-by: default avatarMaciej W. Rozycki <macro@linux-mips.org>
      Reviewed-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 3.19+
      Patchwork: https://patchwork.linux-mips.org/patch/16758/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      0c23a777
    • Seunghun Han's avatar
      x86/acpi: Prevent out of bound access caused by broken ACPI tables · 424e53f1
      Seunghun Han authored
      [ Upstream commit dad5ab0d ]
      
      The bus_irq argument of mp_override_legacy_irq() is used as the index into
      the isa_irq_to_gsi[] array. The bus_irq argument originates from
      ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
      tables, but is nowhere sanity checked.
      
      That allows broken or malicious ACPI tables to overwrite memory, which
      might cause malfunction, panic or arbitrary code execution.
      
      Add a sanity check and emit a warning when that triggers.
      
      [ tglx: Added warning and rewrote changelog ]
      Signed-off-by: default avatarSeunghun Han <kkamagui@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: security@kernel.org
      Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      424e53f1
    • James Hogan's avatar
      MIPS: Negate error syscall return in trace · 187daab0
      James Hogan authored
      [ Upstream commit 4f32a39d ]
      
      The sys_exit trace event takes a single return value for the system
      call, which MIPS passes the value of the $v0 (result) register, however
      MIPS returns positive error codes in $v0 with $a3 specifying that $v0
      contains an error code. As a result erroring system calls are traced
      returning positive error numbers that can't always be distinguished from
      success.
      
      Use regs_return_value() to negate the error code if $a3 is set.
      
      Fixes: 1d7bf993 ("MIPS: ftrace: Add support for syscall tracepoints.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.13+
      Patchwork: https://patchwork.linux-mips.org/patch/16651/Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      187daab0
    • James Hogan's avatar
      MIPS: Fix mips_atomic_set() with EVA · a8bfdd6d
      James Hogan authored
      [ Upstream commit 4915e1b0 ]
      
      EVA linked loads (LLE) and conditional stores (SCE) should be used on
      EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system
      call, or else the atomic set will apply to the kernel view of the
      virtual address space (potentially unmapped on EVA kernels) rather than
      the user view (TLB mapped).
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.15.x-
      Patchwork: https://patchwork.linux-mips.org/patch/16151/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a8bfdd6d
    • James Hogan's avatar
      MIPS: Fix mips_atomic_set() retry condition · 85995071
      James Hogan authored
      [ Upstream commit 2ec420b2 ]
      
      The inline asm retry check in the MIPS_ATOMIC_SET operation of the
      sysmips system call has been backwards since commit f1e39a4a ("MIPS:
      Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying
      until the operation was inatomic, before returning the new value that
      was probably just written multiple times instead of the old value.
      
      Invert the branch condition to fix that particular issue.
      
      Fixes: f1e39a4a ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/16148/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      85995071
    • Alex Williamson's avatar
      vfio: New external user group/file match · 9a8b134e
      Alex Williamson authored
      [ Upstream commit 5d6dee80 ]
      
      At the point where the kvm-vfio pseudo device wants to release its
      vfio group reference, we can't always acquire a new reference to make
      that happen.  The group can be in a state where we wouldn't allow a
      new reference to be added.  This new helper function allows a caller
      to match a file to a group to facilitate this.  Given a file and
      group, report if they match.  Thus the caller needs to already have a
      group reference to match to the file.  This allows the deletion of a
      group without acquiring a new reference.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Tested-by: default avatarEric Auger <eric.auger@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      9a8b134e
    • Alex Williamson's avatar
      vfio: Fix group release deadlock · bfcfc16a
      Alex Williamson authored
      [ Upstream commit 811642d8 ]
      
      If vfio_iommu_group_notifier() acquires a group reference and that
      reference becomes the last reference to the group, then vfio_group_put
      introduces a deadlock code path where we're trying to unregister from
      the iommu notifier chain from within a callout of that chain.  Use a
      work_struct to release this reference asynchronously.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      Tested-by: default avatarEric Auger <eric.auger@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      bfcfc16a
    • Jaegeuk Kim's avatar
      f2fs: Don't clear SGID when inheriting ACLs · 6750822a
      Jaegeuk Kim authored
      [ Upstream commit c925dc16 ]
      
      This patch copies commit b7f8a09f:
      "btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
      
      Fixes: 07393101
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6750822a
    • Corey Minyard's avatar
      ipmi:ssif: Add missing unlock in error branch · 04e006a8
      Corey Minyard authored
      [ Upstream commit 4495ec6d ]
      
      When getting flags, a response to a different message would
      result in a deadlock because of a missing unlock.  Add that
      unlock and a comment.  Found by static analysis.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: stable@vger.kernel.org # 3.19
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      04e006a8
    • Tony Camuso's avatar
      ipmi: use rcu lock around call to intf->handlers->sender() · 25ff8cb0
      Tony Camuso authored
      [ Upstream commit cdea4656 ]
      
      A vendor with a system having more than 128 CPUs occasionally encounters
      the following crash during shutdown. This is not an easily reproduceable
      event, but the vendor was able to provide the following analysis of the
      crash, which exhibits the same footprint each time.
      
      crash> bt
      PID: 0      TASK: ffff88017c70ce70  CPU: 5   COMMAND: "swapper/5"
       #0 [ffff88085c143ac8] machine_kexec at ffffffff81059c8b
       #1 [ffff88085c143b28] __crash_kexec at ffffffff811052e2
       #2 [ffff88085c143bf8] crash_kexec at ffffffff811053d0
       #3 [ffff88085c143c10] oops_end at ffffffff8168ef88
       #4 [ffff88085c143c38] no_context at ffffffff8167ebb3
       #5 [ffff88085c143c88] __bad_area_nosemaphore at ffffffff8167ec49
       #6 [ffff88085c143cd0] bad_area_nosemaphore at ffffffff8167edb3
       #7 [ffff88085c143ce0] __do_page_fault at ffffffff81691d1e
       #8 [ffff88085c143d40] do_page_fault at ffffffff81691ec5
       #9 [ffff88085c143d70] page_fault at ffffffff8168e188
          [exception RIP: unknown or invalid address]
          RIP: ffffffffa053c800  RSP: ffff88085c143e28  RFLAGS: 00010206
          RAX: ffff88017c72bfd8  RBX: ffff88017a8dc000  RCX: ffff8810588b5ac8
          RDX: ffff8810588b5a00  RSI: ffffffffa053c800  RDI: ffff8810588b5a00
          RBP: ffff88085c143e58   R8: ffff88017c70d408   R9: ffff88017a8dc000
          R10: 0000000000000002  R11: ffff88085c143da0  R12: ffff8810588b5ac8
          R13: 0000000000000100  R14: ffffffffa053c800  R15: ffff8810588b5a00
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
          <IRQ stack>
          [exception RIP: cpuidle_enter_state+82]
          RIP: ffffffff81514192  RSP: ffff88017c72be50  RFLAGS: 00000202
          RAX: 0000001e4c3c6f16  RBX: 000000000000f8a0  RCX: 0000000000000018
          RDX: 0000000225c17d03  RSI: ffff88017c72bfd8  RDI: 0000001e4c3c6f16
          RBP: ffff88017c72be78   R8: 000000000000237e   R9: 0000000000000018
          R10: 0000000000002494  R11: 0000000000000001  R12: ffff88017c72be20
          R13: ffff88085c14f8e0  R14: 0000000000000082  R15: 0000001e4c3bb400
          ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
      
      This is the corresponding stack trace
      
      It has crashed because the area pointed with RIP extracted from timer
      element is already removed during a shutdown process.
      
      The function is smi_timeout().
      
      And we think ffff8810588b5a00 in RDX is a parameter struct smi_info
      
      crash> rd ffff8810588b5a00 20
      ffff8810588b5a00:  ffff8810588b6000 0000000000000000   .`.X............
      ffff8810588b5a10:  ffff880853264400 ffffffffa05417e0   .D&S......T.....
      ffff8810588b5a20:  24a024a000000000 0000000000000000   .....$.$........
      ffff8810588b5a30:  0000000000000000 0000000000000000   ................
      ffff8810588b5a30:  0000000000000000 0000000000000000   ................
      ffff8810588b5a40:  ffffffffa053a040 ffffffffa053a060   @.S.....`.S.....
      ffff8810588b5a50:  0000000000000000 0000000100000001   ................
      ffff8810588b5a60:  0000000000000000 0000000000000e00   ................
      ffff8810588b5a70:  ffffffffa053a580 ffffffffa053a6e0   ..S.......S.....
      ffff8810588b5a80:  ffffffffa053a4a0 ffffffffa053a250   ..S.....P.S.....
      ffff8810588b5a90:  0000000500000002 0000000000000000   ................
      
      Unfortunately the top of this area is already detroyed by someone.
      But because of two reasonns we think this is struct smi_info
       1) The address included in between  ffff8810588b5a70 and ffff8810588b5a80:
        are inside of ipmi_si_intf.c  see crash> module ffff88085779d2c0
      
       2) We've found the area which point this.
        It is offset 0x68 of  ffff880859df4000
      
      crash> rd  ffff880859df4000 100
      ffff880859df4000:  0000000000000000 0000000000000001   ................
      ffff880859df4010:  ffffffffa0535290 dead000000000200   .RS.............
      ffff880859df4020:  ffff880859df4020 ffff880859df4020    @.Y.... @.Y....
      ffff880859df4030:  0000000000000002 0000000000100010   ................
      ffff880859df4040:  ffff880859df4040 ffff880859df4040   @@.Y....@@.Y....
      ffff880859df4050:  0000000000000000 0000000000000000   ................
      ffff880859df4060:  0000000000000000 ffff8810588b5a00   .........Z.X....
      ffff880859df4070:  0000000000000001 ffff880859df4078   ........x@.Y....
      
       If we regards it as struct ipmi_smi in shutdown process
       it looks consistent.
      
      The remedy for this apparent race is affixed below.
      Signed-off-by: default avatarTony Camuso <tcamuso@redhat.com>
      Cc: stable@vger.kernel.org # 3.19
      
      This was first introduced in 7ea0ed2b ipmi: Make the
      message handler easier to use for SMI interfaces
      where some code was moved outside of the rcu_read_lock()
      and the lock was not added.
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      25ff8cb0
    • Mario Kleiner's avatar
      drm/radeon: Fix eDP for single-display iMac10,1 (v2) · 661a5bc3
      Mario Kleiner authored
      [ Upstream commit 564d8a2c ]
      
      The late 2009, 27 inch Apple iMac10,1 has an
      internal eDP display and an external Mini-
      Displayport output, driven by a DCE-3.2, RV730
      Radeon Mobility HD-4670.
      
      The machine worked fine in a dual-display setup
      with eDP panel + externally connected HDMI
      or DVI-D digital display sink, connected via
      MiniDP to DVI or HDMI adapter.
      
      However, booting the machine single-display with
      only eDP panel results in a completely black
      display - even backlight powering off, as soon as
      the radeon modesetting driver loads.
      
      This patch fixes the single dispay eDP case by
      assigning encoders based on dig->linkb, similar
      to DCE-4+. While this should not be generally
      necessary (Alex: "...atom on normal boards
      should be able to handle any mapping."), Apple
      seems to use some special routing here.
      
      One remaining problem not solved by this patch
      is that an external Minidisplayport->DP sink
      does still not work on iMac10,1, whereas external
      DVI and HDMI sinks continue to work.
      
      The problem affects at least all tested kernels
      since Linux 3.13 - didn't test earlier kernels, so
      backporting to stable probably makes sense.
      
      v2: With the original patch from 2016, Alex was worried it
          will break other DCE3.2 systems. Use dmi_match() to
          apply this special encoder assignment only for the
          Apple iMac 10,1 from late 2009.
      Signed-off-by: default avatarMario Kleiner <mario.kleiner.de@gmail.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Cc: Michel Dänzer <michel.daenzer@amd.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      661a5bc3
    • Jiri Olsa's avatar
      s390/syscalls: Fix out of bounds arguments access · 317518cd
      Jiri Olsa authored
      [ Upstream commit c46fc042 ]
      
      Zorro reported following crash while having enabled
      syscall tracing (CONFIG_FTRACE_SYSCALLS):
      
        Unable to handle kernel pointer dereference at virtual ...
        Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
      
        SNIP
      
        Call Trace:
        ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
         [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
         [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
         [<000003fffcf946a2>] 0x3fffcf946a2
        INFO: lockdep is turned off.
        Last Breaking-Event-Address:
         [<000000000022dd44>] rb_event_data+0x34/0x40
        ---[ end trace 8c795f86b1b3f7b9 ]---
      
      The crash happens in syscall_get_arguments function for
      syscalls with zero arguments, that will try to access
      first argument (args[0]) in event entry, but it's not
      allocated.
      
      Bail out of there are no arguments.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarZorro Lang <zlang@redhat.com>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      317518cd
    • Xiao Ni's avatar
      Raid5 should update rdev->sectors after reshape · e6d5242a
      Xiao Ni authored
      [ Upstream commit b5d27718 ]
      
      The raid5 md device is created by the disks which we don't use the total size. For example,
      the size of the device is 5G and it just uses 3G of the devices to create one raid5 device.
      Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid
      and assemble it again. It fails.
      mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean
      mdadm /dev/md0 --grow --chunk=64
      wait reshape to finish
      mdadm -S /dev/md0
      mdadm -As
      The error messages:
      [197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing!
      [197519.821686] md: md_import_device returned -22
      
      After reshape the data offset is changed. It selects backwards direction in this condition.
      In function super_1_load it compares the available space of the underlying device with
      sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL.
      rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based
      on rdev->sectors. So add md_finish_reshape in end_reshape.
      Signed-off-by: default avatarXiao Ni <xni@redhat.com>
      Acked-by: default avatarGuoqing Jiang <gqjiang@suse.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      e6d5242a
    • Devin Heitmueller's avatar
      [media] cx88: Fix regression in initial video standard setting · 56b204ee
      Devin Heitmueller authored
      [ Upstream commit 4e0973a9 ]
      
      Setting initial standard at the top of cx8800_initdev would cause the
      first call to cx88_set_tvnorm() to return without programming any
      registers (leaving the driver saying it's set to NTSC but the hardware
      isn't programmed).  Even worse, any subsequent attempt to explicitly
      set it to NTSC-M will return success but actually fail to program the
      underlying registers unless first changing the standard to something
      other than NTSC-M.
      
      Set the initial standard later in the process, and make sure the field
      is zero at the beginning to ensure that the call always goes through.
      
      This regression was introduced in the following commit:
      
      commit ccd6f1d4 ("[media] cx88: move width, height and field to core
      struct")
      
      Author: Hans Verkuil <hans.verkuil@cisco.com>
      
      [media] cx88: move width, height and field to core struct
      Signed-off-by: default avatarDevin Heitmueller <dheitmueller@kernellabs.com>
      Cc: <stable@vger.kernel.org>      # for v3.19 and up
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      56b204ee
    • Marek Marczykowski-Górecki's avatar
      x86/xen: allow userspace access during hypercalls · bf6f66de
      Marek Marczykowski-Górecki authored
      [ Upstream commit c54590ca ]
      
      Userspace application can do a hypercall through /dev/xen/privcmd, and
      some for some hypercalls argument is a pointers to user-provided
      structure. When SMAP is supported and enabled, hypervisor can't access.
      So, lets allow it.
      
      The same applies to HYPERVISOR_dm_op, where additionally privcmd driver
      carefully verify buffer addresses.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      bf6f66de
    • Mikulas Patocka's avatar
      md: don't use flush_signals in userspace processes · 1799763d
      Mikulas Patocka authored
      [ Upstream commit f9c79bc0 ]
      
      The function flush_signals clears all pending signals for the process. It
      may be used by kernel threads when we need to prepare a kernel thread for
      responding to signals. However using this function for an userspaces
      processes is incorrect - clearing signals without the program expecting it
      can cause misbehavior.
      
      The raid1 and raid5 code uses flush_signals in its request routine because
      it wants to prepare for an interruptible wait. This patch drops
      flush_signals and uses sigprocmask instead to block all signals (including
      SIGKILL) around the schedule() call. The signals are not lost, but the
      schedule() call won't respond to them.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Acked-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      1799763d