1. 24 3月, 2019 40 次提交
    • T
      NFS: Don't recoalesce on error in nfs_pageio_complete_mirror() · 2c648caf
      Trond Myklebust 提交于
      commit 8127d82705998568b52ac724e28e00941538083d upstream.
      
      If the I/O completion failed with a fatal error, then we should just
      exit nfs_pageio_complete_mirror() rather than try to recoalesce.
      
      Fixes: a7d42ddb ("nfs: add mirroring support to pgio layer")
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c648caf
    • T
      NFS: Fix an I/O request leakage in nfs_do_recoalesce · 63b0ee12
      Trond Myklebust 提交于
      commit 4d91969ed4dbcefd0e78f77494f0cb8fada9048a upstream.
      
      Whether we need to exit early, or just reprocess the list, we
      must not lost track of the request which failed to get recoalesced.
      
      Fixes: 03d5eb65 ("NFS: Fix a memory leak in nfs_do_recoalesce")
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      63b0ee12
    • T
      NFS: Fix I/O request leakages · be74fddc
      Trond Myklebust 提交于
      commit f57dcf4c72113c745d83f1c65f7291299f65c14f upstream.
      
      When we fail to add the request to the I/O queue, we currently leave it
      to the caller to free the failed request. However since some of the
      requests that fail are actually created by nfs_pageio_add_request()
      itself, and are not passed back the caller, this leads to a leakage
      issue, which can again cause page locks to leak.
      
      This commit addresses the leakage by freeing the created requests on
      error, using desc->pg_completion_ops->error_cleanup()
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Fixes: a7d42ddb ("nfs: add mirroring support to pgio layer")
      Cc: stable@vger.kernel.org # v4.0: c18b96a1: nfs: clean up rest of reqs
      Cc: stable@vger.kernel.org # v4.0: d600ad1f: NFS41: pop some layoutget
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be74fddc
    • P
      cpcap-charger: generate events for userspace · 4ea4f347
      Pavel Machek 提交于
      commit fd10606f93a149a9f3d37574e5385b083b4a7b32 upstream.
      
      The driver doesn't generate uevents on charger connect/disconnect.
      This leads to UPower not detecting when AC is on or off... and that is
      bad.
      
      Reported by Arthur D. on github (
      https://github.com/maemo-leste/bugtracker/issues/206 ), thanks to
      Merlijn Wajer for suggesting a fix.
      
      Cc: stable@kernel.org
      Signed-off-by: NPavel Machek <pavel@ucw.cz>
      Acked-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSebastian Reichel <sebastian.reichel@collabora.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ea4f347
    • G
      mfd: sm501: Fix potential NULL pointer dereference · ce02d82c
      Gustavo A. R. Silva 提交于
      commit ae7b8eda27b33b1f688dfdebe4d46f690a8f9162 upstream.
      
      There is a potential NULL pointer dereference in case devm_kzalloc()
      fails and returns NULL.
      
      Fix this by adding a NULL check on *lookup*
      
      This bug was detected with the help of Coccinelle.
      
      Fixes: b2e63555 ("i2c: gpio: Convert to use descriptors")
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NLee Jones <lee.jones@linaro.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce02d82c
    • M
      dm integrity: limit the rate of error messages · 5579d97e
      Mikulas Patocka 提交于
      commit 225557446856448039a9e495da37b72c20071ef2 upstream.
      
      When using dm-integrity underneath md-raid, some tests with raid
      auto-correction trigger large amounts of integrity failures - and all
      these failures print an error message. These messages can bring the
      system to a halt if the system is using serial console.
      
      Fix this by limiting the rate of error messages - it improves the speed
      of raid recovery and avoids the hang.
      
      Fixes: 7eada909 ("dm: add integrity target")
      Cc: stable@vger.kernel.org # v4.12+
      Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5579d97e
    • N
      dm: fix to_sector() for 32bit · 7668d6e4
      NeilBrown 提交于
      commit 0bdb50c531f7377a9da80d3ce2d61f389c84cb30 upstream.
      
      A dm-raid array with devices larger than 4GB won't assemble on
      a 32 bit host since _check_data_dev_sectors() was added in 4.16.
      This is because to_sector() treats its argument as an "unsigned long"
      which is 32bits (4GB) on a 32bit host.  Using "unsigned long long"
      is more correct.
      
      Kernels as early as 4.2 can have other problems due to to_sector()
      being used on the size of a device.
      
      Fixes: 0cf45031 ("dm raid: add support for the MD RAID0 personality")
      cc: stable@vger.kernel.org (v4.2+)
      Reported-and-tested-by: NGuillaume Perréal <gperreal@free.fr>
      Signed-off-by: NNeilBrown <neil@brown.name>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7668d6e4
    • Y
      ipmi_si: fix use-after-free of resource->name · a441fdaf
      Yang Yingliang 提交于
      commit 401e7e88d4ef80188ffa07095ac00456f901b8c4 upstream.
      
      When we excute the following commands, we got oops
      rmmod ipmi_si
      cat /proc/ioports
      
      [ 1623.482380] Unable to handle kernel paging request at virtual address ffff00000901d478
      [ 1623.482382] Mem abort info:
      [ 1623.482383]   ESR = 0x96000007
      [ 1623.482385]   Exception class = DABT (current EL), IL = 32 bits
      [ 1623.482386]   SET = 0, FnV = 0
      [ 1623.482387]   EA = 0, S1PTW = 0
      [ 1623.482388] Data abort info:
      [ 1623.482389]   ISV = 0, ISS = 0x00000007
      [ 1623.482390]   CM = 0, WnR = 0
      [ 1623.482393] swapper pgtable: 4k pages, 48-bit VAs, pgdp = 00000000d7d94a66
      [ 1623.482395] [ffff00000901d478] pgd=000000dffbfff003, pud=000000dffbffe003, pmd=0000003f5d06e003, pte=0000000000000000
      [ 1623.482399] Internal error: Oops: 96000007 [#1] SMP
      [ 1623.487407] Modules linked in: ipmi_si(E) nls_utf8 isofs rpcrdma ib_iser ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_umad rdma_cm ib_cm dm_mirror dm_region_hash dm_log iw_cm dm_mod aes_ce_blk crypto_simd cryptd aes_ce_cipher ses ghash_ce sha2_ce enclosure sha256_arm64 sg sha1_ce hisi_sas_v2_hw hibmc_drm sbsa_gwdt hisi_sas_main ip_tables mlx5_ib ib_uverbs marvell ib_core mlx5_core ixgbe mdio hns_dsaf ipmi_devintf hns_enet_drv ipmi_msghandler hns_mdio [last unloaded: ipmi_si]
      [ 1623.532410] CPU: 30 PID: 11438 Comm: cat Kdump: loaded Tainted: G            E     5.0.0-rc3+ #168
      [ 1623.541498] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017
      [ 1623.548822] pstate: a0000005 (NzCv daif -PAN -UAO)
      [ 1623.553684] pc : string+0x28/0x98
      [ 1623.557040] lr : vsnprintf+0x368/0x5e8
      [ 1623.560837] sp : ffff000013213a80
      [ 1623.564191] x29: ffff000013213a80 x28: ffff00001138abb5
      [ 1623.569577] x27: ffff000013213c18 x26: ffff805f67d06049
      [ 1623.574963] x25: 0000000000000000 x24: ffff00001138abb5
      [ 1623.580349] x23: 0000000000000fb7 x22: ffff0000117ed000
      [ 1623.585734] x21: ffff000011188fd8 x20: ffff805f67d07000
      [ 1623.591119] x19: ffff805f67d06061 x18: ffffffffffffffff
      [ 1623.596505] x17: 0000000000000200 x16: 0000000000000000
      [ 1623.601890] x15: ffff0000117ed748 x14: ffff805f67d07000
      [ 1623.607276] x13: ffff805f67d0605e x12: 0000000000000000
      [ 1623.612661] x11: 0000000000000000 x10: 0000000000000000
      [ 1623.618046] x9 : 0000000000000000 x8 : 000000000000000f
      [ 1623.623432] x7 : ffff805f67d06061 x6 : fffffffffffffffe
      [ 1623.628817] x5 : 0000000000000012 x4 : ffff00000901d478
      [ 1623.634203] x3 : ffff0a00ffffff04 x2 : ffff805f67d07000
      [ 1623.639588] x1 : ffff805f67d07000 x0 : ffffffffffffffff
      [ 1623.644974] Process cat (pid: 11438, stack limit = 0x000000008d4cbc10)
      [ 1623.651592] Call trace:
      [ 1623.654068]  string+0x28/0x98
      [ 1623.657071]  vsnprintf+0x368/0x5e8
      [ 1623.660517]  seq_vprintf+0x70/0x98
      [ 1623.668009]  seq_printf+0x7c/0xa0
      [ 1623.675530]  r_show+0xc8/0xf8
      [ 1623.682558]  seq_read+0x330/0x440
      [ 1623.689877]  proc_reg_read+0x78/0xd0
      [ 1623.697346]  __vfs_read+0x60/0x1a0
      [ 1623.704564]  vfs_read+0x94/0x150
      [ 1623.711339]  ksys_read+0x6c/0xd8
      [ 1623.717939]  __arm64_sys_read+0x24/0x30
      [ 1623.725077]  el0_svc_common+0x120/0x148
      [ 1623.732035]  el0_svc_handler+0x30/0x40
      [ 1623.738757]  el0_svc+0x8/0xc
      [ 1623.744520] Code: d1000406 aa0103e2 54000149 b4000080 (39400085)
      [ 1623.753441] ---[ end trace f91b6a4937de9835 ]---
      [ 1623.760871] Kernel panic - not syncing: Fatal exception
      [ 1623.768935] SMP: stopping secondary CPUs
      [ 1623.775718] Kernel Offset: disabled
      [ 1623.781998] CPU features: 0x002,21006008
      [ 1623.788777] Memory Limit: none
      [ 1623.798329] Starting crashdump kernel...
      [ 1623.805202] Bye!
      
      If io_setup is called successful in try_smi_init() but try_smi_init()
      goes out_err before calling ipmi_register_smi(), so ipmi_unregister_smi()
      will not be called while removing module. It leads to the resource that
      allocated in io_setup() can not be freed, but the name(DEVICE_NAME) of
      resource is freed while removing the module. It causes use-after-free
      when cat /proc/ioports.
      
      Fix this by calling io_cleanup() while try_smi_init() goes to out_err.
      and don't call io_cleanup() until io_setup() returns successful to avoid
      warning prints.
      
      Fixes: 93c303d2 ("ipmi_si: Clean up shutdown a bit")
      Cc: stable@vger.kernel.org
      Reported-by: NNuoHan Qiao <qiaonuohan@huawei.com>
      Suggested-by: NCorey Minyard <cminyard@mvista.com>
      Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: NCorey Minyard <cminyard@mvista.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a441fdaf
    • D
      arm64: KVM: Fix architecturally invalid reset value for FPEXC32_EL2 · 3cbae9fa
      Dave Martin 提交于
      commit c88b093693ccbe41991ef2e9b1d251945e6e54ed upstream.
      
      Due to what looks like a typo dating back to the original addition
      of FPEXC32_EL2 handling, KVM currently initialises this register to
      an architecturally invalid value.
      
      As a result, the VECITR field (RES1) in bits [10:8] is initialised
      with 0, and the two reserved (RES0) bits [6:5] are initialised with
      1.  (In the Common VFP Subarchitecture as specified by ARMv7-A,
      these two bits were IMP DEF.  ARMv8-A removes them.)
      
      This patch changes the reset value from 0x70 to 0x700, which
      reflects the architectural constraints and is presumably what was
      originally intended.
      
      Cc: <stable@vger.kernel.org> # 4.12.x-
      Cc: Christoffer Dall <christoffer.dall@arm.com>
      Fixes: 62a89c44 ("arm64: KVM: 32bit handling of coprocessor traps")
      Signed-off-by: NDave Martin <Dave.Martin@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cbae9fa
    • W
      arm64: debug: Ensure debug handlers check triggering exception level · c113a7fb
      Will Deacon 提交于
      commit 6bd288569b50bc89fa5513031086746968f585cb upstream.
      
      Debug exception handlers may be called for exceptions generated both by
      user and kernel code. In many cases, this is checked explicitly, but
      in other cases things either happen to work by happy accident or they
      go slightly wrong. For example, executing 'brk #4' from userspace will
      enter the kprobes code and be ignored, but the instruction will be
      retried forever in userspace instead of delivering a SIGTRAP.
      
      Fix this issue in the most stable-friendly fashion by simply adding
      explicit checks of the triggering exception level to all of our debug
      exception handlers.
      
      Cc: <stable@vger.kernel.org>
      Reviewed-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c113a7fb
    • J
      arm64: Fix HCR.TGE status for NMI contexts · 85c8ea22
      Julien Thierry 提交于
      commit 5870970b9a828d8693aa6d15742573289d7dbcd0 upstream.
      
      When using VHE, the host needs to clear HCR_EL2.TGE bit in order
      to interact with guest TLBs, switching from EL2&0 translation regime
      to EL1&0.
      
      However, some non-maskable asynchronous event could happen while TGE is
      cleared like SDEI. Because of this address translation operations
      relying on EL2&0 translation regime could fail (tlb invalidation,
      userspace access, ...).
      
      Fix this by properly setting HCR_EL2.TGE when entering NMI context and
      clear it if necessary when returning to the interrupted context.
      Signed-off-by: NJulien Thierry <julien.thierry@arm.com>
      Suggested-by: NMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: NMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: NJames Morse <james.morse@arm.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Cc: linux-arch@vger.kernel.org
      Cc: stable@vger.kernel.org
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85c8ea22
    • G
      ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify · 58691e6a
      Gustavo A. R. Silva 提交于
      commit e2477233145f2156434afb799583bccd878f3e9f upstream.
      
      Fix boolean expressions by using logical AND operator '&&' instead of
      bitwise operator '&'.
      
      This issue was detected with the help of Coccinelle.
      
      Fixes: 4fa084af ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.")
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      [krzk: Fix -Wparentheses warning]
      Signed-off-by: NKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58691e6a
    • C
      powerpc/traps: Fix the message printed when stack overflows · d6d004b3
      Christophe Leroy 提交于
      commit 9bf3d3c4e4fd82c7174f4856df372ab2a71005b9 upstream.
      
      Today's message is useless:
      
        [   42.253267] Kernel stack overflow in process (ptrval), r1=c65500b0
      
      This patch fixes it:
      
        [   66.905235] Kernel stack overflow in process sh[356], r1=c65560b0
      
      Fixes: ad67b74d ("printk: hash addresses printed with %p")
      Cc: stable@vger.kernel.org # v4.15+
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      [mpe: Use task_pid_nr()]
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6d004b3
    • C
      powerpc/traps: fix recoverability of machine check handling on book3s/32 · 461a52a4
      Christophe Leroy 提交于
      commit 0bbea75c476b77fa7d7811d6be911cc7583e640f upstream.
      
      Looks like book3s/32 doesn't set RI on machine check, so
      checking RI before calling die() will always be fatal
      allthought this is not an issue in most cases.
      
      Fixes: b96672dd ("powerpc: Machine check interrupt is a non-maskable interrupt")
      Fixes: daf00ae71dad ("powerpc/traps: restore recoverability of machine_check interrupts")
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Cc: stable@vger.kernel.org
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      461a52a4
    • A
      powerpc/hugetlb: Don't do runtime allocation of 16G pages in LPAR configuration · baed68a9
      Aneesh Kumar K.V 提交于
      commit 35f2806b481f5b9207f25e1886cba5d1c4d12cc7 upstream.
      
      We added runtime allocation of 16G pages in commit 4ae279c2
      ("powerpc/mm/hugetlb: Allow runtime allocation of 16G.") That was done
      to enable 16G allocation on PowerNV and KVM config. In case of KVM
      config, we mostly would have the entire guest RAM backed by 16G
      hugetlb pages for this to work. PAPR do support partial backing of
      guest RAM with hugepages via ibm,expected#pages node of memory node in
      the device tree. This means rest of the guest RAM won't be backed by
      16G contiguous pages in the host and hence a hash page table insertion
      can fail in such case.
      
      An example error message will look like
      
        hash-mmu: mm: Hashing failure ! EA=0x7efc00000000 access=0x8000000000000006 current=readback
        hash-mmu:     trap=0x300 vsid=0x67af789 ssize=1 base psize=14 psize 14 pte=0xc000000400000386
        readback[12260]: unhandled signal 7 at 00007efc00000000 nip 00000000100012d0 lr 000000001000127c code 2
      
      This patch address that by preventing runtime allocation of 16G
      hugepages in LPAR config. To allocate 16G hugetlb one need to kernel
      command line hugepagesz=16G hugepages=<number of 16G pages>
      
      With radix translation mode we don't run into this issue.
      
      This change will prevent runtime allocation of 16G hugetlb pages on
      kvm with hash translation mode. However, with the current upstream it
      was observed that 16G hugetlbfs backed guest doesn't boot at all.
      
      We observe boot failure with the below message:
        [131354.647546] KVM: map_vrma at 0 failed, ret=-4
      
      That means this patch is not resulting in an observable regression.
      Once we fix the boot issue with 16G hugetlb backed memory, we need to
      use ibm,expected#pages memory node attribute to indicate 16G page
      reservation to the guest. This will also enable partial backing of
      guest RAM with 16G pages.
      
      Fixes: 4ae279c2 ("powerpc/mm/hugetlb: Allow runtime allocation of 16G.")
      Cc: stable@vger.kernel.org # v4.14+
      Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      baed68a9
    • M
      powerpc/ptrace: Simplify vr_get/set() to avoid GCC warning · 9d2e929c
      Michael Ellerman 提交于
      commit ca6d5149d2ad0a8d2f9c28cbe379802260a0a5e0 upstream.
      
      GCC 8 warns about the logic in vr_get/set(), which with -Werror breaks
      the build:
      
        In function ‘user_regset_copyin’,
            inlined from ‘vr_set’ at arch/powerpc/kernel/ptrace.c:628:9:
        include/linux/regset.h:295:4: error: ‘memcpy’ offset [-527, -529] is
        out of the bounds [0, 16] of object ‘vrsave’ with type ‘union
        <anonymous>’ [-Werror=array-bounds]
        arch/powerpc/kernel/ptrace.c: In function ‘vr_set’:
        arch/powerpc/kernel/ptrace.c:623:5: note: ‘vrsave’ declared here
           } vrsave;
      
      This has been identified as a regression in GCC, see GCC bug 88273.
      
      However we can avoid the warning and also simplify the logic and make
      it more robust.
      
      Currently we pass -1 as end_pos to user_regset_copyout(). This says
      "copy up to the end of the regset".
      
      The definition of the regset is:
      	[REGSET_VMX] = {
      		.core_note_type = NT_PPC_VMX, .n = 34,
      		.size = sizeof(vector128), .align = sizeof(vector128),
      		.active = vr_active, .get = vr_get, .set = vr_set
      	},
      
      The end is calculated as (n * size), ie. 34 * sizeof(vector128).
      
      In vr_get/set() we pass start_pos as 33 * sizeof(vector128), meaning
      we can copy up to sizeof(vector128) into/out-of vrsave.
      
      The on-stack vrsave is defined as:
        union {
      	  elf_vrreg_t reg;
      	  u32 word;
        } vrsave;
      
      And elf_vrreg_t is:
        typedef __vector128 elf_vrreg_t;
      
      So there is no bug, but we rely on all those sizes lining up,
      otherwise we would have a kernel stack exposure/overwrite on our
      hands.
      
      Rather than relying on that we can pass an explict end_pos based on
      the sizeof(vrsave). The result should be exactly the same but it's
      more obviously not over-reading/writing the stack and it avoids the
      compiler warning.
      Reported-by: NMeelis Roos <mroos@linux.ee>
      Reported-by: NMathieu Malaterre <malat@debian.org>
      Cc: stable@vger.kernel.org
      Tested-by: NMathieu Malaterre <malat@debian.org>
      Tested-by: NMeelis Roos <mroos@linux.ee>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d2e929c
    • M
      powerpc: Fix 32-bit KVM-PR lockup and host crash with MacOS guest · 344996a8
      Mark Cave-Ayland 提交于
      commit fe1ef6bcdb4fca33434256a802a3ed6aacf0bd2f upstream.
      
      Commit 8792468d "powerpc: Add the ability to save FPU without
      giving it up" unexpectedly removed the MSR_FE0 and MSR_FE1 bits from
      the bitmask used to update the MSR of the previous thread in
      __giveup_fpu() causing a KVM-PR MacOS guest to lockup and panic the
      host kernel.
      
      Leaving FE0/1 enabled means unrelated processes might receive FPEs
      when they're not expecting them and crash. In particular if this
      happens to init the host will then panic.
      
      eg (transcribed):
        qemu-system-ppc[837]: unhandled signal 8 at 12cc9ce4 nip 12cc9ce4 lr 12cc9ca4 code 0
        systemd[1]: unhandled signal 8 at 202f02e0 nip 202f02e0 lr 001003d4 code 0
        Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      Reinstate these bits to the MSR bitmask to enable MacOS guests to run
      under 32-bit KVM-PR once again without issue.
      
      Fixes: 8792468d ("powerpc: Add the ability to save FPU without giving it up")
      Cc: stable@vger.kernel.org # v4.6+
      Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      344996a8
    • P
      powerpc/powernv: Don't reprogram SLW image on every KVM guest entry/exit · 3bf8ff7b
      Paul Mackerras 提交于
      commit 19f8a5b5be2898573a5e1dc1db93e8d40117606a upstream.
      
      Commit 24be85a2 ("powerpc/powernv: Clear PECE1 in LPCR via stop-api
      only on Hotplug", 2017-07-21) added two calls to opal_slw_set_reg()
      inside pnv_cpu_offline(), with the aim of changing the LPCR value in
      the SLW image to disable wakeups from the decrementer while a CPU is
      offline.  However, pnv_cpu_offline() gets called each time a secondary
      CPU thread is woken up to participate in running a KVM guest, that is,
      not just when a CPU is offlined.
      
      Since opal_slw_set_reg() is a very slow operation (with observed
      execution times around 20 milliseconds), this means that an offline
      secondary CPU can often be busy doing the opal_slw_set_reg() call
      when the primary CPU wants to grab all the secondary threads so that
      it can run a KVM guest.  This leads to messages like "KVM: couldn't
      grab CPU n" being printed and guest execution failing.
      
      There is no need to reprogram the SLW image on every KVM guest entry
      and exit.  So that we do it only when a CPU is really transitioning
      between online and offline, this moves the calls to
      pnv_program_cpu_hotplug_lpcr() into pnv_smp_cpu_kill_self().
      
      Fixes: 24be85a2 ("powerpc/powernv: Clear PECE1 in LPCR via stop-api only on Hotplug")
      Cc: stable@vger.kernel.org # v4.14+
      Signed-off-by: NPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3bf8ff7b
    • C
      powerpc/83xx: Also save/restore SPRG4-7 during suspend · f6f03d60
      Christophe Leroy 提交于
      commit 36da5ff0bea2dc67298150ead8d8471575c54c7d upstream.
      
      The 83xx has 8 SPRG registers and uses at least SPRG4
      for DTLB handling LRU.
      
      Fixes: 2319f123 ("powerpc/mm: e300c2/c3/c4 TLB errata workaround")
      Cc: stable@vger.kernel.org
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6f03d60
    • J
      powerpc/powernv: Make opal log only readable by root · b0934990
      Jordan Niethe 提交于
      commit 7b62f9bd2246b7d3d086e571397c14ba52645ef1 upstream.
      
      Currently the opal log is globally readable. It is kernel policy to
      limit the visibility of physical addresses / kernel pointers to root.
      Given this and the fact the opal log may contain this information it
      would be better to limit the readability to root.
      
      Fixes: bfc36894 ("powerpc/powernv: Add OPAL message log interface")
      Cc: stable@vger.kernel.org # v3.15+
      Signed-off-by: NJordan Niethe <jniethe5@gmail.com>
      Reviewed-by: NStewart Smith <stewart@linux.ibm.com>
      Reviewed-by: NAndrew Donnellan <andrew.donnellan@au1.ibm.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b0934990
    • C
      powerpc/wii: properly disable use of BATs when requested. · 9b530550
      Christophe Leroy 提交于
      commit 6d183ca8baec983dc4208ca45ece3c36763df912 upstream.
      
      'nobats' kernel parameter or some options like CONFIG_DEBUG_PAGEALLOC
      deny the use of BATS for mapping memory.
      
      This patch makes sure that the specific wii RAM mapping function
      takes it into account as well.
      
      Fixes: de32400d ("wii: use both mem1 and mem2 as ram")
      Cc: stable@vger.kernel.org
      Reviewed-by: NJonathan Neuschafer <j.neuschaefer@gmx.net>
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b530550
    • C
      powerpc/32: Clear on-stack exception marker upon exception return · 40b97853
      Christophe Leroy 提交于
      commit 9580b71b5a7863c24a9bd18bcd2ad759b86b1eff upstream.
      
      Clear the on-stack STACK_FRAME_REGS_MARKER on exception exit in order
      to avoid confusing stacktrace like the one below.
      
        Call Trace:
        [c0e9dca0] [c01c42a0] print_address_description+0x64/0x2bc (unreliable)
        [c0e9dcd0] [c01c4684] kasan_report+0xfc/0x180
        [c0e9dd10] [c0895130] memchr+0x24/0x74
        [c0e9dd30] [c00a9e38] msg_print_text+0x124/0x574
        [c0e9dde0] [c00ab710] console_unlock+0x114/0x4f8
        [c0e9de40] [c00adc60] vprintk_emit+0x188/0x1c4
        --- interrupt: c0e9df00 at 0x400f330
            LR = init_stack+0x1f00/0x2000
        [c0e9de80] [c00ae3c4] printk+0xa8/0xcc (unreliable)
        [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108
        [c0e9df50] [c0c15434] start_kernel+0x310/0x488
        [c0e9dff0] [00003484] 0x3484
      
      With this patch the trace becomes:
      
        Call Trace:
        [c0e9dca0] [c01c42c0] print_address_description+0x64/0x2bc (unreliable)
        [c0e9dcd0] [c01c46a4] kasan_report+0xfc/0x180
        [c0e9dd10] [c0895150] memchr+0x24/0x74
        [c0e9dd30] [c00a9e58] msg_print_text+0x124/0x574
        [c0e9dde0] [c00ab730] console_unlock+0x114/0x4f8
        [c0e9de40] [c00adc80] vprintk_emit+0x188/0x1c4
        [c0e9de80] [c00ae3e4] printk+0xa8/0xcc
        [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108
        [c0e9df50] [c0c15434] start_kernel+0x310/0x488
        [c0e9dff0] [00003484] 0x3484
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      40b97853
    • J
      security/selinux: fix SECURITY_LSM_NATIVE_LABELS on reused superblock · c7dad095
      J. Bruce Fields 提交于
      commit 3815a245b50124f0865415dcb606a034e97494d4 upstream.
      
      In the case when we're reusing a superblock, selinux_sb_clone_mnt_opts()
      fails to set set_kern_flags, with the result that
      nfs_clone_sb_security() incorrectly clears NFS_CAP_SECURITY_LABEL.
      
      The result is that if you mount the same NFS filesystem twice, NFS
      security labels are turned off, even if they would work fine if you
      mounted the filesystem only once.
      
      ("fixes" may be not exactly the right tag, it may be more like
      "fixed-other-cases-but-missed-this-one".)
      
      Cc: Scott Mayhew <smayhew@redhat.com>
      Cc: stable@vger.kernel.org
      Fixes: 0b4d3452 "security/selinux: allow security_sb_clone_mnt_opts..."
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7dad095
    • X
      selinux: add the missing walk_size + len check in selinux_sctp_bind_connect · e4f6f82c
      Xin Long 提交于
      commit 292c997a1970f8d1e1dfa354ed770a22f7b5a434 upstream.
      
      As does in __sctp_connect(), when checking addrs in a while loop, after
      get the addr len according to sa_family, it's necessary to do the check
      walk_size + af->sockaddr_len > addrs_size to make sure it won't access
      an out-of-bounds addr.
      
      The same thing is needed in selinux_sctp_bind_connect(), otherwise an
      out-of-bounds issue can be triggered:
      
        [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0
        [14548.927083] Call Trace:
        [14548.938072]  dump_stack+0x9a/0xe9
        [14548.953015]  print_address_description+0x65/0x22e
        [14548.996524]  kasan_report.cold.6+0x92/0x1a6
        [14549.015335]  selinux_sctp_bind_connect+0x1aa/0x1f0
        [14549.036947]  security_sctp_bind_connect+0x58/0x90
        [14549.058142]  __sctp_setsockopt_connectx+0x5a/0x150 [sctp]
        [14549.081650]  sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp]
      
      Cc: stable@vger.kernel.org
      Fixes: d452930f ("selinux: Add SCTP support")
      Reported-by: NChunyu Hu <chuhu@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Reviewed-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e4f6f82c
    • Z
      jbd2: fix compile warning when using JBUFFER_TRACE · 584f390d
      zhangyi (F) 提交于
      commit 01215d3edb0f384ddeaa5e4a22c1ae5ff634149f upstream.
      
      The jh pointer may be used uninitialized in the two cases below and the
      compiler complain about it when enabling JBUFFER_TRACE macro, fix them.
      
      In file included from fs/jbd2/transaction.c:19:0:
      fs/jbd2/transaction.c: In function ‘jbd2_journal_get_undo_access’:
      ./include/linux/jbd2.h:1637:38: warning: ‘jh’ is used uninitialized in this function [-Wuninitialized]
       #define JBUFFER_TRACE(jh, info) do { printk("%s: %d\n", __func__, jh->b_jcount);} while (0)
                                            ^
      fs/jbd2/transaction.c:1219:23: note: ‘jh’ was declared here
        struct journal_head *jh;
                             ^
      In file included from fs/jbd2/transaction.c:19:0:
      fs/jbd2/transaction.c: In function ‘jbd2_journal_dirty_metadata’:
      ./include/linux/jbd2.h:1637:38: warning: ‘jh’ may be used uninitialized in this function [-Wmaybe-uninitialized]
       #define JBUFFER_TRACE(jh, info) do { printk("%s: %d\n", __func__, jh->b_jcount);} while (0)
                                            ^
      fs/jbd2/transaction.c:1332:23: note: ‘jh’ was declared here
        struct journal_head *jh;
                             ^
      Signed-off-by: Nzhangyi (F) <yi.zhang@huawei.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      584f390d
    • Z
      jbd2: clear dirty flag when revoking a buffer from an older transaction · dbe4bc99
      zhangyi (F) 提交于
      commit 904cdbd41d749a476863a0ca41f6f396774f26e4 upstream.
      
      Now, we capture a data corruption problem on ext4 while we're truncating
      an extent index block. Imaging that if we are revoking a buffer which
      has been journaled by the committing transaction, the buffer's jbddirty
      flag will not be cleared in jbd2_journal_forget(), so the commit code
      will set the buffer dirty flag again after refile the buffer.
      
      fsx                               kjournald2
                                        jbd2_journal_commit_transaction
      jbd2_journal_revoke                commit phase 1~5...
       jbd2_journal_forget
         belongs to older transaction    commit phase 6
         jbddirty not clear               __jbd2_journal_refile_buffer
                                           __jbd2_journal_unfile_buffer
                                            test_clear_buffer_jbddirty
                                             mark_buffer_dirty
      
      Finally, if the freed extent index block was allocated again as data
      block by some other files, it may corrupt the file data after writing
      cached pages later, such as during unmount time. (In general,
      clean_bdev_aliases() related helpers should be invoked after
      re-allocation to prevent the above corruption, but unfortunately we
      missed it when zeroout the head of extra extent blocks in
      ext4_ext_handle_unwritten_extents()).
      
      This patch mark buffer as freed and set j_next_transaction to the new
      transaction when it already belongs to the committing transaction in
      jbd2_journal_forget(), so that commit code knows it should clear dirty
      bits when it is done with the buffer.
      
      This problem can be reproduced by xfstests generic/455 easily with
      seeds (3246 3247 3248 3249).
      Signed-off-by: Nzhangyi (F) <yi.zhang@huawei.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dbe4bc99
    • J
      serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954... · 3545324f
      Jay Dolan 提交于
      serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
      
      commit 78d3820b9bd39028727c6aab7297b63c093db343 upstream.
      
      The four port Pericom chips have the fourth port at the wrong address.
      Make use of quirk to fix it.
      
      Fixes: c8d19242 ("serial: 8250: added acces i/o products quad and octal serial cards")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NJay Dolan <jay.dolan@accesio.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      3545324f
    • J
      serial: 8250_pci: Fix number of ports for ACCES serial cards · 8225bb96
      Jay Dolan 提交于
      commit b896b03bc7fce43a07012cc6bf5e2ab2fddf3364 upstream.
      
      Have the correct number of ports created for ACCES serial cards. Two port
      cards show up as four ports, and four port cards show up as eight.
      
      Fixes: c8d19242 ("serial: 8250: added acces i/o products quad and octal serial cards")
      Signed-off-by: NJay Dolan <jay.dolan@accesio.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8225bb96
    • L
      serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart · 9d0b55bb
      Lubomir Rintel 提交于
      commit f4817843e39ce78aace0195a57d4e8500a65a898 upstream.
      
      There are two other drivers that bind to mrvl,mmp-uart and both of them
      assume register shift of 2 bits. There are device trees that lack the
      property and rely on that assumption.
      
      If this driver wins the race to bind to those devices, it should behave
      the same as the older deprecated driver.
      Signed-off-by: NLubomir Rintel <lkundrak@v3.sk>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d0b55bb
    • A
      serial: uartps: Fix stuck ISR if RX disabled with non-empty FIFO · a4b021ec
      Anssi Hannula 提交于
      commit 7abab1605139bc41442864c18f9573440f7ca105 upstream.
      
      If RX is disabled while there are still unprocessed bytes in RX FIFO,
      cdns_uart_handle_rx() called from interrupt handler will get stuck in
      the receive loop as read bytes will not get removed from the RX FIFO
      and CDNS_UART_SR_RXEMPTY bit will never get set.
      
      Avoid the stuck handler by checking first if RX is disabled. port->lock
      protects against race with RX-disabling functions.
      
      This HW behavior was mentioned by Nathan Rossi in 43e98facc4a3 ("tty:
      xuartps: Fix RX hang, and TX corruption in termios call") which fixed a
      similar issue in cdns_uart_set_termios().
      The behavior can also be easily verified by e.g. setting
      CDNS_UART_CR_RX_DIS at the beginning of cdns_uart_handle_rx() - the
      following loop will then get stuck.
      
      Resetting the FIFO using RXRST would not set RXEMPTY either so simply
      issuing a reset after RX-disable would not work.
      
      I observe this frequently on a ZynqMP board during heavy RX load at 1M
      baudrate when the reader process exits and thus RX gets disabled.
      
      Fixes: 61ec9016 ("tty/serial: add support for Xilinx PS UART")
      Signed-off-by: NAnssi Hannula <anssi.hannula@bitwise.fi>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a4b021ec
    • W
      bpf: only test gso type on gso packets · 9920eb40
      Willem de Bruijn 提交于
      [ Upstream commit 4c3024debf62de4c6ac6d3cb4c0063be21d4f652 ]
      
      BPF can adjust gso only for tcp bytestreams. Fail on other gso types.
      
      But only on gso packets. It does not touch this field if !gso_size.
      
      Fixes: b90efd225874 ("bpf: only adjust gso_size on bytestream protocols")
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Acked-by: NYonghong Song <yhs@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9920eb40
    • T
      drm/i915: Relax mmap VMA check · 206fa92c
      Tvrtko Ursulin 提交于
      [ Upstream commit ca22f32a6296cbfa29de56328c8505560a18cfa8 ]
      
      Legacy behaviour was to allow non-page-aligned mmap requests, as does the
      linux mmap(2) implementation by virtue of automatically rounding up for
      the caller.
      
      To avoid breaking legacy userspace relax the newly introduced fix.
      Signed-off-by: NTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Fixes: 5c4604e757ba ("drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set")
      Reported-by: NGuenter Roeck <linux@roeck-us.net>
      Cc: Adam Zabrocki <adamza@microsoft.com>
      Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Cc: <stable@vger.kernel.org> # v4.0+
      Cc: Akash Goel <akash.goel@intel.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Cc: intel-gfx@lists.freedesktop.org
      Reviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190305110409.28633-1-tvrtko.ursulin@linux.intel.com
      (cherry picked from commit a90e1948efb648f567444f87f3c19b2a0787affd)
      Signed-off-by: NRodrigo Vivi <rodrigo.vivi@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      206fa92c
    • M
      can: flexcan: FLEXCAN_IFLAG_MB: add () around macro argument · 116a9e31
      Marc Kleine-Budde 提交于
      [ Upstream commit 22233f7bf2c99ef52ec19d30876a12d2f725972e ]
      
      This patch fixes the following checkpatch warning:
      
      | Macro argument 'x' may be better as '(x)' to avoid precedence issues
      
      Fixes: cbffaf7aa09e ("can: flexcan: Always use last mailbox for TX")
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      116a9e31
    • M
      gpio: pca953x: Fix dereference of irq data in shutdown · 6f29e4c2
      Mark Walton 提交于
      commit c378b3aa015931a46c91d6ccc2fe04d97801d060 upstream.
      
      If a PCA953x gpio was used as an interrupt and then released,
      the shutdown function was trying to extract the pca953x_chip
      pointer directly from the irq_data, but in reality was getting
      the gpio_chip structure.
      
      The net effect was that the subsequent writes to the data
      structure corrupted data in the gpio_chip structure, which wasn't
      immediately obvious until attempting to use the GPIO again in the
      future, at which point the kernel panics.
      
      This fix correctly extracts the pca953x_chip structure via the
      gpio_chip structure, as is correctly done in the other irq
      functions.
      
      Fixes: 0a70fe00 ("gpio: pca953x: Clear irq trigger type on irq shutdown")
      Cc: stable@vger.kernel.org
      Signed-off-by: NMark Walton <mark.walton@serialtek.com>
      Reviewed-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f29e4c2
    • L
      media: i2c: ov5640: Fix post-reset delay · e86a57ec
      Loic Poulain 提交于
      commit 1d4c41f3d887bcd66e82cb2fda124533dad8808a upstream.
      
      According to the ov5640 specification (2.7 power up sequence), host can
      access the sensor's registers 20ms after reset. Trying to access them
      before leads to undefined behavior and result in sporadic initialization
      errors.
      Signed-off-by: NLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: NSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Cc: Adam Ford <aford173@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e86a57ec
    • S
      i2c: tegra: fix maximum transfer size · 5f9614d0
      Sowjanya Komatineni 提交于
      commit f4e3f4ae1d9c9330de355f432b69952e8cef650c upstream.
      
      Tegra186 and prior supports maximum 4K bytes per packet transfer
      including 12 bytes of packet header.
      
      This patch fixes max write length limit to account packet header
      size for transfers.
      
      Cc: stable@vger.kernel.org # 4.4+
      Reviewed-by: NDmitry Osipenko <digetx@gmail.com>
      Signed-off-by: NSowjanya Komatineni <skomatineni@nvidia.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f9614d0
    • Q
      parport_pc: fix find_superio io compare code, should use equal test. · 25970b51
      QiaoChong 提交于
      commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream.
      
      In the original code before 181bf1e8 the loop was continuing until
      it finds the first matching superios[i].io and p->base.
      But after 181bf1e8 the logic changed and the loop now returns the
      pointer to the first mismatched array element which is then used in
      get_superio_dma() and get_superio_irq() and thus returning the wrong
      value.
      Fix the condition so that it now returns the correct pointer.
      
      Fixes: 181bf1e8 ("parport_pc: clean up the modified while loops using for")
      Cc: Alan Cox <alan@linux.intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NQiaoChong <qiaochong@loongson.cn>
      [rewrite the commit message]
      Signed-off-by: NSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25970b51
    • A
      intel_th: Don't reference unassigned outputs · 57c29a08
      Alexander Shishkin 提交于
      commit 9ed3f22223c33347ed963e7c7019cf2956dd4e37 upstream.
      
      When an output port driver is removed, also remove references to it from
      any masters. Failing to do this causes a NULL ptr dereference when
      configuring another output port:
      
      > BUG: unable to handle kernel NULL pointer dereference at 000000000000000d
      > RIP: 0010:master_attr_store+0x9d/0x160 [intel_th_gth]
      > Call Trace:
      > dev_attr_store+0x1b/0x30
      > sysfs_kf_write+0x3c/0x50
      > kernfs_fop_write+0x125/0x1a0
      > __vfs_write+0x3a/0x190
      > ? __vfs_write+0x5/0x190
      > ? _cond_resched+0x1a/0x50
      > ? rcu_all_qs+0x5/0xb0
      > ? __vfs_write+0x5/0x190
      > vfs_write+0xb8/0x1b0
      > ksys_write+0x55/0xc0
      > __x64_sys_write+0x1a/0x20
      > do_syscall_64+0x5a/0x140
      > entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: NAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Fixes: b27a6a3f ("intel_th: Add Global Trace Hub driver")
      CC: stable@vger.kernel.org # v4.4+
      Reported-by: NAmmy Yi <ammy.yi@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57c29a08
    • H
      device property: Fix the length used in PROPERTY_ENTRY_STRING() · c835b441
      Heikki Krogerus 提交于
      commit 2b6e492467c78183bb629bb0a100ea3509b615a5 upstream.
      
      With string type property entries we need to use
      sizeof(const char *) instead of the number of characters as
      the length of the entry.
      
      If the string was shorter then sizeof(const char *),
      attempts to read it would have failed with -EOVERFLOW. The
      problem has been hidden because all build-in string
      properties have had a string longer then 8 characters until
      now.
      
      Fixes: a85f4204 ("device property: helper macros for property entry creation")
      Cc: 4.5+ <stable@vger.kernel.org> # 4.5+
      Signed-off-by: NHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Reviewed-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c835b441
    • Z
      kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv · 93c8a44a
      Zev Weiss 提交于
      commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream.
      
      This bug has apparently existed since the introduction of this function
      in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git,
      "[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of
      neighbour sysctls.").
      
      As a minimal fix we can simply duplicate the corresponding check in
      do_proc_dointvec_conv().
      
      Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.netSigned-off-by: NZev Weiss <zev@bewilderbeest.net>
      Cc: Brendan Higgins <brendanhiggins@google.com>
      Cc: Iurii Zaikin <yzaikin@google.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Luis Chamberlain <mcgrof@kernel.org>
      Cc: <stable@vger.kernel.org>	[2.6.2+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      93c8a44a