1. 13 1月, 2019 40 次提交
    • C
      lib: fix build failure in CONFIG_DEBUG_VIRTUAL test · 4f44e58a
      Christophe Leroy 提交于
      commit 10fdf838e5f540beca466e9d1325999c072e5d3f upstream.
      
      On several arches, virt_to_phys() is in io.h
      
      Build fails without it:
      
        CC      lib/test_debug_virtual.o
      lib/test_debug_virtual.c: In function 'test_debug_virtual_init':
      lib/test_debug_virtual.c:26:7: error: implicit declaration of function 'virt_to_phys' [-Werror=implicit-function-declaration]
        pa = virt_to_phys(va);
             ^
      
      Fixes: e4dace36 ("lib: add test module for CONFIG_DEBUG_VIRTUAL")
      CC: stable@vger.kernel.org
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Reviewed-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f44e58a
    • F
      of: __of_detach_node() - remove node from phandle cache · 8dbea644
      Frank Rowand 提交于
      commit 5801169a2ed20003f771acecf3ac00574cf10a38 upstream.
      
      Non-overlay dynamic devicetree node removal may leave the node in
      the phandle cache.  Subsequent calls to of_find_node_by_phandle()
      will incorrectly find the stale entry.  Remove the node from the
      cache.
      
      Add paranoia checks in of_find_node_by_phandle() as a second level
      of defense (do not return cached node if detached, do not add node
      to cache if detached).
      
      Fixes: 0b3ce78e ("of: cache phandle nodes to reduce cost of of_find_node_by_phandle()")
      Reported-by: NMichael Bringmann <mwb@linux.vnet.ibm.com>
      Cc: stable@vger.kernel.org # v4.17+
      Signed-off-by: NFrank Rowand <frank.rowand@sony.com>
      Signed-off-by: NRob Herring <robh@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8dbea644
    • F
      of: of_node_get()/of_node_put() nodes held in phandle cache · 1cb5a033
      Frank Rowand 提交于
      commit b8a9ac1a5b99a2fcbed19fd29d2d59270c281a31 upstream.
      
      The phandle cache contains struct device_node pointers.  The refcount
      of the pointers was not incremented while in the cache, allowing use
      after free error after kfree() of the node.  Add the proper increment
      and decrement of the use count.
      
      Fixes: 0b3ce78e ("of: cache phandle nodes to reduce cost of of_find_node_by_phandle()")
      Cc: stable@vger.kernel.org # v4.17+
      Signed-off-by: NFrank Rowand <frank.rowand@sony.com>
      Signed-off-by: NRob Herring <robh@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cb5a033
    • L
      power: supply: olpc_battery: correct the temperature units · daa67bd5
      Lubomir Rintel 提交于
      commit ed54ffbe554f0902689fd6d1712bbacbacd11376 upstream.
      
      According to [1] and [2], the temperature values are in tenths of degree
      Celsius. Exposing the Celsius value makes the battery appear on fire:
      
        $ upower -i /org/freedesktop/UPower/devices/battery_olpc_battery
        ...
            temperature:         236.9 degrees C
      
      Tested on OLPC XO-1 and OLPC XO-1.75 laptops.
      
      [1] include/linux/power_supply.h
      [2] Documentation/power/power_supply_class.txt
      
      Fixes: fb972873 ("[BATTERY] One Laptop Per Child power/battery driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: NLubomir Rintel <lkundrak@v3.sk>
      Acked-by: NPavel Machek <pavel@ucw.cz>
      Signed-off-by: NSebastian Reichel <sebastian.reichel@collabora.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      daa67bd5
    • A
      intel_th: msu: Fix an off-by-one in attribute store · f65b4d4f
      Alexander Shishkin 提交于
      commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream.
      
      The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
      list of window sizes, passed from userspace. However, there is a bug in
      the string parsing logic wherein it doesn't exclude the comma character
      from the range of characters as it consumes them. This leads to an
      out-of-bounds access given a sufficiently long list. For example:
      
      > # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
      > ==================================================================
      > BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
      > Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
      >
      > CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
      > Call Trace:
      >  dump_stack+0x7c/0xc0
      >  print_address_description+0x6c/0x23c
      >  ? memchr+0x1e/0x40
      >  kasan_report.cold.5+0x241/0x308
      >  memchr+0x1e/0x40
      >  nr_pages_store+0x203/0xd00 [intel_th_msu]
      
      Fix this by accounting for the comma character.
      Signed-off-by: NAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Fixes: ba82664c ("intel_th: Add Memory Storage Unit driver")
      Cc: stable@vger.kernel.org # v4.4+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f65b4d4f
    • C
      genwqe: Fix size check · 998c3537
      Christian Borntraeger 提交于
      commit fdd669684655c07dacbdb0d753fd13833de69a33 upstream.
      
      Calling the test program genwqe_cksum with the default buffer size of
      2MB triggers the following kernel warning on s390:
      
      WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0
      CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1
      task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000
      Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0)
                 R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
      Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009
                 0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0
                 0000000000000000 0000000000b70500 0000000000000001 0000000000000000
                 0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0
      Krnl Code: 000000000027809e: de7195001000	ed	1280(114,%r9),0(%r1)
      	   00000000002780a4: a774fead		brc	7,277dfe
      	  #00000000002780a8: a7f40001		brc	15,2780aa
      	  >00000000002780ac: 92011000		mvi	0(%r1),1
      	   00000000002780b0: a7f4fea7		brc	15,277dfe
      	   00000000002780b4: 9101c6b6		tm	1718(%r12),1
      	   00000000002780b8: a784ff3a		brc	8,277f2c
      	   00000000002780bc: a7f4fe2e		brc	15,277d18
      Call Trace:
      ([<0000000000277df2>] __alloc_pages_nodemask+0x1a2/0xbe0)
       [<000000000013afae>] s390_dma_alloc+0xfe/0x310
       [<000003ff8065f362>] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card]
       [<000003ff80658f7a>] genwqe_mmap+0xca/0x248 [genwqe_card]
       [<00000000002b2712>] mmap_region+0x4e2/0x778
       [<00000000002b2c54>] do_mmap+0x2ac/0x3e0
       [<0000000000292d7e>] vm_mmap_pgoff+0xd6/0x118
       [<00000000002b081c>] SyS_mmap_pgoff+0xdc/0x268
       [<00000000002b0a34>] SyS_old_mmap+0x8c/0xb0
       [<000000000074e518>] sysc_tracego+0x14/0x1e
       [<000003ffacf87dc6>] 0x3ffacf87dc6
      
      turns out the check in __genwqe_alloc_consistent uses "> MAX_ORDER"
      while the mm code uses ">= MAX_ORDER". Fix genwqe.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: NFrank Haverkamp <haver@linux.vnet.ibm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      998c3537
    • S
      drivers/perf: hisi: Fixup one DDRC PMU register offset · 86dcb943
      Shaokun Zhang 提交于
      commit eb4f5213251833567570df1a09803f895653274d upstream.
      
      For DDRC PMU, each PMU counter is fixed-purpose. There is a mismatch
      between perf list and driver definition on rw_chg event.
      # perf list | grep chg
        hisi_sccl1_ddrc0/rnk_chg/                          [Kernel PMU event]
        hisi_sccl1_ddrc0/rw_chg/                           [Kernel PMU event]
      But the register offset of rw_chg event is not defined in the driver,
      meanwhile bnk_chg register offset is mis-defined, let's fixup it.
      
      Fixes: 904dcf03 ("perf: hisi: Add support for HiSilicon SoC DDRC PMU driver")
      Cc: stable@vger.kernel.org
      Cc: John Garry <john.garry@huawei.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Reported-by: NWeijian Huang <huangweijian4@hisilicon.com>
      Signed-off-by: NShaokun Zhang <zhangshaokun@hisilicon.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86dcb943
    • Y
      video: fbdev: pxafb: Fix "WARNING: invalid free of devm_ allocated data" · c1aa0c84
      YueHaibing 提交于
      commit 2607391882fca37463187e7f2a9c76dec286947e upstream.
      
      'info->modes' got allocated with devm_kcalloc in of_get_pxafb_display.
      
      This gives this error message:
        ./drivers/video/fbdev/pxafb.c:2238:2-7: WARNING: invalid free of devm_ allocated data
      
      Fixes: c8f96304 ("video: fbdev: pxafb: switch to devm_* API")
      Cc: stable@kernel.org [v4.19+]
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Reviewed-by: NDaniel Mack <daniel@zonque.org>
      Cc: Robert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: NBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1aa0c84
    • Y
      ceph: don't update importing cap's mseq when handing cap export · 9797226b
      Yan, Zheng 提交于
      commit 3c1392d4c49962a31874af14ae9ff289cb2b3851 upstream.
      
      Updating mseq makes client think importer mds has accepted all prior
      cap messages and importer mds knows what caps client wants. Actually
      some cap messages may have been dropped because of mseq mismatch.
      
      If mseq is left untouched, importing cap's mds_wanted later will get
      reset by cap import message.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: N"Yan, Zheng" <zyan@redhat.com>
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9797226b
    • L
      sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f654 · dc8408ea
      Linus Torvalds 提交于
      commit c40f7d74c741a907cfaeb73a7697081881c497d0 upstream.
      
      Zhipeng Xie, Xie XiuQi and Sargun Dhillon reported lockups in the
      scheduler under high loads, starting at around the v4.18 time frame,
      and Zhipeng Xie tracked it down to bugs in the rq->leaf_cfs_rq_list
      manipulation.
      
      Do a (manual) revert of:
      
        a9e7f654 ("sched/fair: Fix O(nr_cgroups) in load balance path")
      
      It turns out that the list_del_leaf_cfs_rq() introduced by this commit
      is a surprising property that was not considered in followup commits
      such as:
      
        9c2791f9 ("sched/fair: Fix hierarchical order in rq->leaf_cfs_rq_list")
      
      As Vincent Guittot explains:
      
       "I think that there is a bigger problem with commit a9e7f654 and
        cfs_rq throttling:
      
        Let take the example of the following topology TG2 --> TG1 --> root:
      
         1) The 1st time a task is enqueued, we will add TG2 cfs_rq then TG1
            cfs_rq to leaf_cfs_rq_list and we are sure to do the whole branch in
            one path because it has never been used and can't be throttled so
            tmp_alone_branch will point to leaf_cfs_rq_list at the end.
      
         2) Then TG1 is throttled
      
         3) and we add TG3 as a new child of TG1.
      
         4) The 1st enqueue of a task on TG3 will add TG3 cfs_rq just before TG1
            cfs_rq and tmp_alone_branch will stay  on rq->leaf_cfs_rq_list.
      
        With commit a9e7f654, we can del a cfs_rq from rq->leaf_cfs_rq_list.
        So if the load of TG1 cfs_rq becomes NULL before step 2) above, TG1
        cfs_rq is removed from the list.
        Then at step 4), TG3 cfs_rq is added at the beginning of rq->leaf_cfs_rq_list
        but tmp_alone_branch still points to TG3 cfs_rq because its throttled
        parent can't be enqueued when the lock is released.
        tmp_alone_branch doesn't point to rq->leaf_cfs_rq_list whereas it should.
      
        So if TG3 cfs_rq is removed or destroyed before tmp_alone_branch
        points on another TG cfs_rq, the next TG cfs_rq that will be added,
        will be linked outside rq->leaf_cfs_rq_list - which is bad.
      
        In addition, we can break the ordering of the cfs_rq in
        rq->leaf_cfs_rq_list but this ordering is used to update and
        propagate the update from leaf down to root."
      
      Instead of trying to work through all these cases and trying to reproduce
      the very high loads that produced the lockup to begin with, simplify
      the code temporarily by reverting a9e7f654 - which change was clearly
      not thought through completely.
      
      This (hopefully) gives us a kernel that doesn't lock up so people
      can continue to enjoy their holidays without worrying about regressions. ;-)
      
      [ mingo: Wrote changelog, fixed weird spelling in code comment while at it. ]
      Analyzed-by: NXie XiuQi <xiexiuqi@huawei.com>
      Analyzed-by: NVincent Guittot <vincent.guittot@linaro.org>
      Reported-by: NZhipeng Xie <xiezhipeng1@huawei.com>
      Reported-by: NSargun Dhillon <sargun@sargun.me>
      Reported-by: NXie XiuQi <xiexiuqi@huawei.com>
      Tested-by: NZhipeng Xie <xiezhipeng1@huawei.com>
      Tested-by: NSargun Dhillon <sargun@sargun.me>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Acked-by: NVincent Guittot <vincent.guittot@linaro.org>
      Cc: <stable@vger.kernel.org> # v4.13+
      Cc: Bin Li <huawei.libin@huawei.com>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: a9e7f654 ("sched/fair: Fix O(nr_cgroups) in load balance path")
      Link: http://lkml.kernel.org/r/1545879866-27809-1-git-send-email-xiexiuqi@huawei.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dc8408ea
    • S
      iommu/vt-d: Handle domain agaw being less than iommu agaw · 87b86807
      Sohil Mehta 提交于
      commit 3569dd07aaad71920c5ea4da2d5cc9a167c1ffd4 upstream.
      
      The Intel IOMMU driver opportunistically skips a few top level page
      tables from the domain paging directory while programming the IOMMU
      context entry. However there is an implicit assumption in the code that
      domain's adjusted guest address width (agaw) would always be greater
      than IOMMU's agaw.
      
      The IOMMU capabilities in an upcoming platform cause the domain's agaw
      to be lower than IOMMU's agaw. The issue is seen when the IOMMU supports
      both 4-level and 5-level paging. The domain builds a 4-level page table
      based on agaw of 2. However the IOMMU's agaw is set as 3 (5-level). In
      this case the code incorrectly tries to skip page page table levels.
      This causes the IOMMU driver to avoid programming the context entry. The
      fix handles this case and programs the context entry accordingly.
      
      Fixes: de24e553 ("iommu/vt-d: Simplify domain_context_mapping_one")
      Cc: <stable@vger.kernel.org>
      Cc: Ashok Raj <ashok.raj@intel.com>
      Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: Lu Baolu <baolu.lu@linux.intel.com>
      Reviewed-by: NLu Baolu <baolu.lu@linux.intel.com>
      Reported-by: NRamos Falcon, Ernesto R <ernesto.r.ramos.falcon@intel.com>
      Tested-by: NRicardo Neri <ricardo.neri-calderon@linux.intel.com>
      Signed-off-by: NSohil Mehta <sohil.mehta@intel.com>
      Signed-off-by: NJoerg Roedel <jroedel@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87b86807
    • B
      RDMA/srpt: Fix a use-after-free in the channel release code · f408aac3
      Bart Van Assche 提交于
      commit ed041919f0d23c109d52cde8da6ddc211c52d67e upstream.
      
      This patch avoids that KASAN sporadically reports the following:
      
      BUG: KASAN: use-after-free in rxe_run_task+0x1e/0x60 [rdma_rxe]
      Read of size 1 at addr ffff88801c50d8f4 by task check/24830
      
      CPU: 4 PID: 24830 Comm: check Not tainted 4.20.0-rc6-dbg+ #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      Call Trace:
       dump_stack+0x86/0xca
       print_address_description+0x71/0x239
       kasan_report.cold.5+0x242/0x301
       __asan_load1+0x47/0x50
       rxe_run_task+0x1e/0x60 [rdma_rxe]
       rxe_post_send+0x4bd/0x8d0 [rdma_rxe]
       srpt_zerolength_write+0xe1/0x160 [ib_srpt]
       srpt_close_ch+0x8b/0xe0 [ib_srpt]
       srpt_set_enabled+0xe7/0x150 [ib_srpt]
       srpt_tpg_enable_store+0xc0/0x100 [ib_srpt]
       configfs_write_file+0x157/0x1d0
       __vfs_write+0xd7/0x3d0
       vfs_write+0x102/0x290
       ksys_write+0xab/0x130
       __x64_sys_write+0x43/0x50
       do_syscall_64+0x71/0x210
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Allocated by task 13856:
       save_stack+0x43/0xd0
       kasan_kmalloc+0xc7/0xe0
       kasan_slab_alloc+0x11/0x20
       kmem_cache_alloc+0x105/0x320
       rxe_alloc+0xff/0x1f0 [rdma_rxe]
       rxe_create_qp+0x9f/0x160 [rdma_rxe]
       ib_create_qp+0xf5/0x690 [ib_core]
       rdma_create_qp+0x6a/0x140 [rdma_cm]
       srpt_cm_req_recv.cold.59+0x1588/0x237b [ib_srpt]
       srpt_rdma_cm_req_recv.isra.35+0x1d5/0x220 [ib_srpt]
       srpt_rdma_cm_handler+0x6f/0x100 [ib_srpt]
       cma_listen_handler+0x59/0x60 [rdma_cm]
       cma_ib_req_handler+0xd5b/0x2570 [rdma_cm]
       cm_process_work+0x2e/0x110 [ib_cm]
       cm_work_handler+0x2aae/0x502b [ib_cm]
       process_one_work+0x481/0x9e0
       worker_thread+0x67/0x5b0
       kthread+0x1cf/0x1f0
       ret_from_fork+0x24/0x30
      
      Freed by task 3440:
       save_stack+0x43/0xd0
       __kasan_slab_free+0x139/0x190
       kasan_slab_free+0xe/0x10
       kmem_cache_free+0xbc/0x330
       rxe_elem_release+0x66/0xe0 [rdma_rxe]
       rxe_destroy_qp+0x3f/0x50 [rdma_rxe]
       ib_destroy_qp+0x140/0x360 [ib_core]
       srpt_release_channel_work+0xdc/0x310 [ib_srpt]
       process_one_work+0x481/0x9e0
       worker_thread+0x67/0x5b0
       kthread+0x1cf/0x1f0
       ret_from_fork+0x24/0x30
      
      Cc: Sergey Gorenko <sergeygo@mellanox.com>
      Cc: Max Gurtovoy <maxg@mellanox.com>
      Cc: Laurence Oberman <loberman@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f408aac3
    • S
      rxe: fix error completion wr_id and qp_num · c03d6b0f
      Sagi Grimberg 提交于
      commit e48d8ed9c6193502d849b35767fd18e20bbd7ba2 upstream.
      
      Error completions must still contain a valid wr_id and
      qp_num such that the consumer can rely on. Correctly
      fill these fields in receive error completions.
      Reported-by: NWalker Benjamin <benjamin.walker@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NSagi Grimberg <sagi@grimberg.me>
      Reviewed-by: NZhu Yanjun <yanjun.zhu@oracle.com>
      Tested-by: NZhu Yanjun <yanjun.zhu@oracle.com>
      Signed-off-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c03d6b0f
    • D
      9p/net: put a lower bound on msize · 6bf97c01
      Dominique Martinet 提交于
      commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream.
      
      If the requested msize is too small (either from command line argument
      or from the server version reply), we won't get any work done.
      If it's *really* too small, nothing will work, and this got caught by
      syzbot recently (on a new kmem_cache_create_usercopy() call)
      
      Just set a minimum msize to 4k in both code paths, until someone
      complains they have a use-case for a smaller msize.
      
      We need to check in both mount option and server reply individually
      because the msize for the first version request would be unchecked
      with just a global check on clnt->msize.
      
      Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org
      Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com
      Signed-off-by: NDominique Martinet <dominique.martinet@cea.fr>
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bf97c01
    • M
      iio: dac: ad5686: fix bit shift read register · af7cc8eb
      Mircea Caprioru 提交于
      commit 0e76df5c978338f3051e5126fc0c4245c57a307a upstream.
      
      This patch solves the register readback issue with the bit shift. When the
      dac resolution was lower than the register size (ex. 12 bits out of 16
      bits) the readback value was not shifted with the difference in bits and
      the value was higher. Also a mask is applied on the read value in order to
      get the value relative to the actual bit size.
      
      Fixes: 0357e488 ("iio:dac:ad5686: Refactor the driver")
      Signed-off-by: NMircea Caprioru <mircea.caprioru@analog.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: NJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af7cc8eb
    • B
      powerpc/tm: Set MSR[TS] just prior to recheckpoint · a854ab8f
      Breno Leitao 提交于
      commit e1c3743e1a20647c53b719dbf28b48f45d23f2cd upstream.
      
      On a signal handler return, the user could set a context with MSR[TS] bits
      set, and these bits would be copied to task regs->msr.
      
      At restore_tm_sigcontexts(), after current task regs->msr[TS] bits are set,
      several __get_user() are called and then a recheckpoint is executed.
      
      This is a problem since a page fault (in kernel space) could happen when
      calling __get_user(). If it happens, the process MSR[TS] bits were
      already set, but recheckpoint was not executed, and SPRs are still invalid.
      
      The page fault can cause the current process to be de-scheduled, with
      MSR[TS] active and without tm_recheckpoint() being called.  More
      importantly, without TEXASR[FS] bit set also.
      
      Since TEXASR might not have the FS bit set, and when the process is
      scheduled back, it will try to reclaim, which will be aborted because of
      the CPU is not in the suspended state, and, then, recheckpoint. This
      recheckpoint will restore thread->texasr into TEXASR SPR, which might be
      zero, hitting a BUG_ON().
      
      	kernel BUG at /build/linux-sf3Co9/linux-4.9.30/arch/powerpc/kernel/tm.S:434!
      	cpu 0xb: Vector: 700 (Program Check) at [c00000041f1576d0]
      	    pc: c000000000054550: restore_gprs+0xb0/0x180
      	    lr: 0000000000000000
      	    sp: c00000041f157950
      	   msr: 8000000100021033
      	  current = 0xc00000041f143000
      	  paca    = 0xc00000000fb86300	 softe: 0	 irq_happened: 0x01
      	    pid   = 1021, comm = kworker/11:1
      	kernel BUG at /build/linux-sf3Co9/linux-4.9.30/arch/powerpc/kernel/tm.S:434!
      	Linux version 4.9.0-3-powerpc64le (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)
      	enter ? for help
      	[c00000041f157b30] c00000000001bc3c tm_recheckpoint.part.11+0x6c/0xa0
      	[c00000041f157b70] c00000000001d184 __switch_to+0x1e4/0x4c0
      	[c00000041f157bd0] c00000000082eeb8 __schedule+0x2f8/0x990
      	[c00000041f157cb0] c00000000082f598 schedule+0x48/0xc0
      	[c00000041f157ce0] c0000000000f0d28 worker_thread+0x148/0x610
      	[c00000041f157d80] c0000000000f96b0 kthread+0x120/0x140
      	[c00000041f157e30] c00000000000c0e0 ret_from_kernel_thread+0x5c/0x7c
      
      This patch simply delays the MSR[TS] set, so, if there is any page fault in
      the __get_user() section, it does not have regs->msr[TS] set, since the TM
      structures are still invalid, thus avoiding doing TM operations for
      in-kernel exceptions and possible process reschedule.
      
      With this patch, the MSR[TS] will only be set just before recheckpointing
      and setting TEXASR[FS] = 1, thus avoiding an interrupt with TM registers in
      invalid state.
      
      Other than that, if CONFIG_PREEMPT is set, there might be a preemption just
      after setting MSR[TS] and before tm_recheckpoint(), thus, this block must
      be atomic from a preemption perspective, thus, calling
      preempt_disable/enable() on this code.
      
      It is not possible to move tm_recheckpoint to happen earlier, because it is
      required to get the checkpointed registers from userspace, with
      __get_user(), thus, the only way to avoid this undesired behavior is
      delaying the MSR[TS] set.
      
      The 32-bits signal handler seems to be safe this current issue, but, it
      might be exposed to the preemption issue, thus, disabling preemption in
      this chunk of code.
      
      Changes from v2:
       * Run the critical section with preempt_disable.
      
      Fixes: 87b4e539 ("powerpc/tm: Fix return of active 64bit signals")
      Cc: stable@vger.kernel.org (v3.9+)
      Signed-off-by: NBreno Leitao <leitao@debian.org>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a854ab8f
    • G
      Revert "powerpc/tm: Unset MSR[TS] if not recheckpointing" · 6d9e96f3
      Greg Kroah-Hartman 提交于
      This reverts commit a9935a12 which is
      commit 6f5b9f018f4c7686fd944d920209d1382d320e4e upstream.
      
      It breaks the powerpc build, so drop it from the tree until a fix goes
      upstream.
      Reported-by: NGuenter Roeck <linux@roeck-us.net>
      Cc: Breno Leitao <leitao@debian.org>
      Cc: Michal Suchánek <msuchanek@suse.de>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d9e96f3
    • J
      leds: pwm: silently error out on EPROBE_DEFER · eb05c029
      Jerome Brunet 提交于
      commit 9aec30371fb095a0c9415f3f0146ae269c3713d8 upstream.
      
      When probing, if we fail to get the pwm due to probe deferal, we shouldn't
      print an error message. Just be silent in this case.
      Signed-off-by: NJerome Brunet <jbrunet@baylibre.com>
      Signed-off-by: NJacek Anaszewski <jacek.anaszewski@gmail.com>
      Cc: Benjamin Drung <bdrung@debian.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb05c029
    • A
      arm64: relocatable: fix inconsistencies in linker script and options · ae5c75e6
      Ard Biesheuvel 提交于
      commit 3bbd3db86470c701091fb1d67f1fab6621debf50 upstream.
      
      readelf complains about the section layout of vmlinux when building
      with CONFIG_RELOCATABLE=y (for KASLR):
      
        readelf: Warning: [21]: Link field (0) should index a symtab section.
        readelf: Warning: [21]: Info field (0) should index a relocatable section.
      
      Also, it seems that our use of '-pie -shared' is contradictory, and
      thus ambiguous. In general, the way KASLR is wired up at the moment
      is highly tailored to how ld.bfd happens to implement (and conflate)
      PIE executables and shared libraries, so given the current effort to
      support other toolchains, let's fix some of these issues as well.
      
      - Drop the -pie linker argument and just leave -shared. In ld.bfd,
        the differences between them are unclear (except for the ELF type
        of the produced image [0]) but lld chokes on seeing both at the
        same time.
      
      - Rename the .rela output section to .rela.dyn, as is customary for
        shared libraries and PIE executables, so that it is not misidentified
        by readelf as a static relocation section (producing the warnings
        above).
      
      - Pass the -z notext and -z norelro options to explicitly instruct the
        linker to permit text relocations, and to omit the RELRO program
        header (which requires a certain section layout that we don't adhere
        to in the kernel). These are the defaults for current versions of
        ld.bfd.
      
      - Discard .eh_frame and .gnu.hash sections to avoid them from being
        emitted between .head.text and .text, screwing up the section layout.
      
      These changes only affect the ELF image, and produce the same binary
      image.
      
      [0] b9dce7f1 ("arm64: kernel: force ET_DYN ELF type for ...")
      
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Peter Smith <peter.smith@linaro.org>
      Tested-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae5c75e6
    • A
      arm64: drop linker script hack to hide __efistub_ symbols · 9873efe7
      Ard Biesheuvel 提交于
      commit dd6846d774693bfa27d7db4dae5ea67dfe373fa1 upstream.
      
      Commit 1212f7a1 ("scripts/kallsyms: filter arm64's __efistub_
      symbols") updated the kallsyms code to filter out symbols with
      the __efistub_ prefix explicitly, so we no longer require the
      hack in our linker script to emit them as absolute symbols.
      
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9873efe7
    • J
      nfsd4: zero-length WRITE should succeed · 3f26e68a
      J. Bruce Fields 提交于
      commit fdec6114ee1f0f43b1ad081ad8d46b23ba126d70 upstream.
      
      Zero-length writes are legal; from 5661 section 18.32.3: "If the count
      is zero, the WRITE will succeed and return a count of zero subject to
      permissions checking".
      
      This check is unnecessary and is causing zero-length reads to return
      EINVAL.
      
      Cc: stable@vger.kernel.org
      Fixes: 3fd9557a "NFSD: Refactor the generic write vector fill helper"
      Cc: Chuck Lever <chuck.lever@oracle.com>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f26e68a
    • B
      lockd: Show pid of lockd for remote locks · 0b6001b9
      Benjamin Coddington 提交于
      commit b8eee0e90f9797b747113638bc75e739b192ad38 upstream.
      
      Commit 9d5b86ac ("fs/locks: Remove fl_nspid and use fs-specific l_pid
      for remote locks") specified that the l_pid returned for F_GETLK on a local
      file that has a remote lock should be the pid of the lock manager process.
      That commit, while updating other filesystems, failed to update lockd, such
      that locks created by lockd had their fl_pid set to that of the remote
      process holding the lock.  Fix that here to be the pid of lockd.
      
      Also, fix the client case so that the returned lock pid is negative, which
      indicates a remote lock on a remote file.
      
      Fixes: 9d5b86ac ("fs/locks: Remove fl_nspid and use fs-specific...")
      Cc: stable@vger.kernel.org
      Signed-off-by: NBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b6001b9
    • J
      PCI / PM: Allow runtime PM without callback functions · b541ebbe
      Jarkko Nikula 提交于
      commit c5eb1190074cfb14c5d9cac692f1912eecf1a5e4 upstream.
      
      a9c8088c ("i2c: i801: Don't restore config registers on runtime PM")
      nullified the runtime PM suspend/resume callback pointers while keeping the
      runtime PM enabled.
      
      This caused the SMBus PCI device to stay in D0 with
      /sys/devices/.../power/runtime_status showing "error" when the runtime PM
      framework attempted to autosuspend the device.  This is due to PCI bus
      runtime PM, which checks for driver runtime PM callbacks and returns
      -ENOSYS if they are not set.
      
      Since i2c-i801.c doesn't need to do anything device-specific for runtime
      PM, Jean Delvare proposed this be fixed in the PCI core rather than adding
      dummy runtime PM callback functions in the PCI drivers.
      
      Change pci_pm_runtime_suspend()/pci_pm_runtime_resume() so they allow
      changing the PCI device power state during runtime PM transitions even if
      the driver supplies no runtime PM callbacks.
      
      This fixes the runtime PM regression on i2c-i801.c.
      
      It is not obvious why the code previously required the runtime PM
      callbacks.  The test has been there since the code was introduced by
      6cbf8214 ("PCI PM: Run-time callbacks for PCI bus type").
      
      On the other hand, a similar change was done to generic runtime PM
      callbacks in 05aa55dd ("PM / Runtime: Lenient generic runtime pm
      callbacks").
      
      Fixes: a9c8088c ("i2c: i801: Don't restore config registers on runtime PM")
      Reported-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: NJean Delvare <jdelvare@suse.de>
      Reviewed-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: stable@vger.kernel.org	# v4.18+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b541ebbe
    • O
      selinux: policydb - fix byte order and alignment issues · b37fdd94
      Ondrej Mosnacek 提交于
      commit 5df275cd4cf51c86d49009f1397132f284ba515e upstream.
      
      Do the LE conversions before doing the Infiniband-related range checks.
      The incorrect checks are otherwise causing a failure to load any policy
      with an ibendportcon rule on BE systems. This can be reproduced by
      running (on e.g. ppc64):
      
      cat >my_module.cil <<EOF
      (type test_ibendport_t)
      (roletype object_r test_ibendport_t)
      (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
      EOF
      semodule -i my_module.cil
      
      Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
      use a correctly aligned buffer.
      
      Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
      should be used instead.
      
      Tested internally on a ppc64 machine with a RHEL 7 kernel with this
      patch applied.
      
      Cc: Daniel Jurgens <danielj@mellanox.com>
      Cc: Eli Cohen <eli@mellanox.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Doug Ledford <dledford@redhat.com>
      Cc: <stable@vger.kernel.org> # 4.13+
      Fixes: a806f7a1 ("selinux: Create policydb version for Infiniband support")
      Signed-off-by: NOndrej Mosnacek <omosnace@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b37fdd94
    • L
      b43: Fix error in cordic routine · c6c59adb
      Larry Finger 提交于
      commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream.
      
      The cordic routine for calculating sines and cosines that was added in
      commit 6f98e62a ("b43: update cordic code to match current specs")
      contains an error whereby a quantity declared u32 can in fact go negative.
      
      This problem was detected by Priit Laes who is switching b43 to use the
      routine in the library functions of the kernel.
      
      Fixes: 98650454 ("b43: make cordic common (LP-PHY and N-PHY need it)")
      Reported-by: NPriit Laes <plaes@plaes.org>
      Cc: Rafał Miłecki <zajec5@gmail.com>
      Cc: Stable <stable@vger.kernel.org> # 2.6.34
      Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: NPriit Laes <plaes@plaes.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6c59adb
    • A
      gfs2: Fix loop in gfs2_rbm_find · 6ef56c9a
      Andreas Gruenbacher 提交于
      commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream.
      
      Fix the resource group wrap-around logic in gfs2_rbm_find that commit
      e579ed4f broke.  The bug can lead to unnecessary repeated scanning of the
      same bitmaps; there is a risk that future changes will turn this into an
      endless loop.
      
      Fixes: e579ed4f ("GFS2: Introduce rbm field bii")
      Cc: stable@vger.kernel.org # v3.13+
      Signed-off-by: NAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: NBob Peterson <rpeterso@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ef56c9a
    • A
      gfs2: Get rid of potential double-freeing in gfs2_create_inode · 31048610
      Andreas Gruenbacher 提交于
      commit 6ff9b09e00a441599f3aacdf577254455a048bc9 upstream.
      
      In gfs2_create_inode, after setting and releasing the acl / default_acl, the
      acl / default_acl pointers are not set to NULL as they should be.  In that
      state, when the function reaches label fail_free_acls, gfs2_create_inode will
      try to release the same acls again.
      
      Fix that by setting the pointers to NULL after releasing the acls.  Slightly
      simplify the logic.  Also, posix_acl_release checks for NULL already, so
      there is no need to duplicate those checks here.
      
      Fixes: e01580bf ("gfs2: use generic posix ACL infrastructure")
      Reported-by: NPan Bian <bianpan2016@163.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org # v4.9+
      Signed-off-by: NAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: NBob Peterson <rpeterso@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31048610
    • V
      dlm: memory leaks on error path in dlm_user_request() · 30d3dfd4
      Vasily Averin 提交于
      commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream.
      
      According to comment in dlm_user_request() ua should be freed
      in dlm_free_lkb() after successful attach to lkb.
      
      However ua is attached to lkb not in set_lock_args() but later,
      inside request_lock().
      
      Fixes 597d0cae ("[DLM] dlm: user locks")
      Cc: stable@kernel.org # 2.6.19
      Signed-off-by: NVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: NDavid Teigland <teigland@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30d3dfd4
    • V
      dlm: lost put_lkb on error path in receive_convert() and receive_unlock() · c5fa01a0
      Vasily Averin 提交于
      commit c0174726c3976e67da8649ac62cae43220ae173a upstream.
      
      Fixes 6d40c4a7 ("dlm: improve error and debug messages")
      Cc: stable@kernel.org # 3.5
      Signed-off-by: NVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: NDavid Teigland <teigland@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5fa01a0
    • V
      dlm: possible memory leak on error path in create_lkb() · 29477656
      Vasily Averin 提交于
      commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream.
      
      Fixes 3d6aa675 ("dlm: keep lkbs in idr")
      Cc: stable@kernel.org # 3.1
      Signed-off-by: NVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: NDavid Teigland <teigland@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29477656
    • V
      dlm: fixed memory leaks after failed ls_remove_names allocation · 03acbec2
      Vasily Averin 提交于
      commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream.
      
      If allocation fails on last elements of array need to free already
      allocated elements.
      
      v2: just move existing out_rsbtbl label to right place
      
      Fixes 789924ba635f ("dlm: fix race between remove and lookup")
      Cc: stable@kernel.org # 3.6
      Signed-off-by: NVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: NDavid Teigland <teigland@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03acbec2
    • D
      block: mq-deadline: Fix write completion handling · 6353c0a0
      Damien Le Moal 提交于
      commit 7211aef86f79583e59b88a0aba0bc830566f7e8e upstream.
      
      For a zoned block device using mq-deadline, if a write request for a
      zone is received while another write was already dispatched for the same
      zone, dd_dispatch_request() will return NULL and the newly inserted
      write request is kept in the scheduler queue waiting for the ongoing
      zone write to complete. With this behavior, when no other request has
      been dispatched, rq_list in blk_mq_sched_dispatch_requests() is empty
      and blk_mq_sched_mark_restart_hctx() not called. This in turn leads to
      __blk_mq_free_request() call of blk_mq_sched_restart() to not run the
      queue when the already dispatched write request completes. The newly
      dispatched request stays stuck in the scheduler queue until eventually
      another request is submitted.
      
      This problem does not affect SCSI disk as the SCSI stack handles queue
      restart on request completion. However, this problem is can be triggered
      the nullblk driver with zoned mode enabled.
      
      Fix this by always requesting a queue restart in dd_dispatch_request()
      if no request was dispatched while WRITE requests are queued.
      
      Fixes: 5700f691 ("mq-deadline: Introduce zone locking support")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NDamien Le Moal <damien.lemoal@wdc.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      Add missing export of blk_mq_sched_restart()
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      6353c0a0
    • M
      block: deactivate blk_stat timer in wbt_disable_default() · 69e9b285
      Ming Lei 提交于
      commit 544fbd16a461a318cd80537d1331c0df5c6cf930 upstream.
      
      rwb_enabled() can't be changed when there is any inflight IO.
      
      wbt_disable_default() may set rwb->wb_normal as zero, however the
      blk_stat timer may still be pending, and the timer function will update
      wrb->wb_normal again.
      
      This patch introduces blk_stat_deactivate() and applies it in
      wbt_disable_default(), then the following IO hang triggered when running
      parted & switching io scheduler can be fixed:
      
      [  369.937806] INFO: task parted:3645 blocked for more than 120 seconds.
      [  369.938941]       Not tainted 4.20.0-rc6-00284-g906c801e5248 #498
      [  369.939797] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [  369.940768] parted          D    0  3645   3239 0x00000000
      [  369.941500] Call Trace:
      [  369.941874]  ? __schedule+0x6d9/0x74c
      [  369.942392]  ? wbt_done+0x5e/0x5e
      [  369.942864]  ? wbt_cleanup_cb+0x16/0x16
      [  369.943404]  ? wbt_done+0x5e/0x5e
      [  369.943874]  schedule+0x67/0x78
      [  369.944298]  io_schedule+0x12/0x33
      [  369.944771]  rq_qos_wait+0xb5/0x119
      [  369.945193]  ? karma_partition+0x1c2/0x1c2
      [  369.945691]  ? wbt_cleanup_cb+0x16/0x16
      [  369.946151]  wbt_wait+0x85/0xb6
      [  369.946540]  __rq_qos_throttle+0x23/0x2f
      [  369.947014]  blk_mq_make_request+0xe6/0x40a
      [  369.947518]  generic_make_request+0x192/0x2fe
      [  369.948042]  ? submit_bio+0x103/0x11f
      [  369.948486]  ? __radix_tree_lookup+0x35/0xb5
      [  369.949011]  submit_bio+0x103/0x11f
      [  369.949436]  ? blkg_lookup_slowpath+0x25/0x44
      [  369.949962]  submit_bio_wait+0x53/0x7f
      [  369.950469]  blkdev_issue_flush+0x8a/0xae
      [  369.951032]  blkdev_fsync+0x2f/0x3a
      [  369.951502]  do_fsync+0x2e/0x47
      [  369.951887]  __x64_sys_fsync+0x10/0x13
      [  369.952374]  do_syscall_64+0x89/0x149
      [  369.952819]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  369.953492] RIP: 0033:0x7f95a1e729d4
      [  369.953996] Code: Bad RIP value.
      [  369.954456] RSP: 002b:00007ffdb570dd48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
      [  369.955506] RAX: ffffffffffffffda RBX: 000055c2139c6be0 RCX: 00007f95a1e729d4
      [  369.956389] RDX: 0000000000000001 RSI: 0000000000001261 RDI: 0000000000000004
      [  369.957325] RBP: 0000000000000002 R08: 0000000000000000 R09: 000055c2139c6ce0
      [  369.958199] R10: 0000000000000000 R11: 0000000000000246 R12: 000055c2139c0380
      [  369.959143] R13: 0000000000000004 R14: 0000000000000100 R15: 0000000000000008
      
      Cc: stable@vger.kernel.org
      Cc: Paolo Valente <paolo.valente@linaro.org>
      Signed-off-by: NMing Lei <ming.lei@redhat.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69e9b285
    • M
      Fix failure path in alloc_pid() · a8544919
      Matthew Wilcox 提交于
      commit 1a80dade010c7a7f4885a4c4c2a7ac22cc7b34df upstream.
      
      The failure path removes the allocated PIDs from the wrong namespace.
      This could lead to us inadvertently reusing PIDs in the leaf namespace
      and leaking PIDs in parent namespaces.
      
      Fixes: 95846ecf ("pid: replace pid bitmap implementation with IDR API")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NMatthew Wilcox <willy@infradead.org>
      Acked-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Reviewed-by: NOleg Nesterov <oleg@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8544919
    • R
      driver core: Add missing dev->bus->need_parent_lock checks · 5781b53d
      Rafael J. Wysocki 提交于
      commit e121a833745b4708b660e3fe6776129c2956b041 upstream.
      
      __device_release_driver() has to check dev->bus->need_parent_lock
      before dropping the parent lock and acquiring it again as it may
      attempt to drop a lock that hasn't been acquired or lock a device
      that shouldn't be locked and create a lock imbalance.
      
      Fixes: 8c97a46a (driver core: hold dev's parent lock when needed)
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5781b53d
    • D
      srcu: Lock srcu_data structure in srcu_gp_start() · b57b3b00
      Dennis Krein 提交于
      commit eb4c2382272ae7ae5d81fdfa5b7a6c86146eaaa4 upstream.
      
      The srcu_gp_start() function is called with the srcu_struct structure's
      ->lock held, but not with the srcu_data structure's ->lock.  This is
      problematic because this function accesses and updates the srcu_data
      structure's ->srcu_cblist, which is protected by that lock.  Failing to
      hold this lock can result in corruption of the SRCU callback lists,
      which in turn can result in arbitrarily bad results.
      
      This commit therefore makes srcu_gp_start() acquire the srcu_data
      structure's ->lock across the calls to rcu_segcblist_advance() and
      rcu_segcblist_accelerate(), thus preventing this corruption.
      Reported-by: NBart Van Assche <bvanassche@acm.org>
      Reported-by: NChristoph Hellwig <hch@infradead.org>
      Reported-by: NSebastian Kuzminsky <seb.kuzminsky@gmail.com>
      Signed-off-by: NDennis Krein <Dennis.Krein@netapp.com>
      Signed-off-by: NPaul E. McKenney <paulmck@linux.ibm.com>
      Tested-by: NDennis Krein <Dennis.Krein@netapp.com>
      Cc: <stable@vger.kernel.org> # 4.16.x
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b57b3b00
    • T
      ALSA: usb-audio: Always check descriptor sizes in parser code · 378f9dfa
      Takashi Iwai 提交于
      commit 3e96d7280f16e2f787307f695a31296b9e4a1cd7 upstream.
      
      There are a few places where we access the data without checking the
      actual object size from the USB audio descriptor.  This may result in
      OOB access, as recently reported.
      
      This patch addresses these missing checks.  Most of added codes are
      simple bLength checks in the caller side.  For the input and output
      terminal parsers, we put the length check in the parser functions.
      For the input terminal, a new argument is added to distinguish between
      UAC1 and the rest, as they treat different objects.
      Reported-by: NMathias Payer <mathias.payer@nebelwelt.net>
      Reported-by: Benquike's avatarHui Peng <benquike@163.com>
      Tested-by: Benquike's avatarHui Peng <benquike@163.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      378f9dfa
    • Benquike's avatar
      ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks · 6c8c1647
      Benquike 提交于
      commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.
      
      In `create_composite_quirk`, the terminating condition of for loops is
      `quirk->ifnum < 0`. So any composite quirks should end with `struct
      snd_usb_audio_quirk` object with ifnum < 0.
      
          for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
      
          	.....
          }
      
      the data field of Bower's & Wilkins PX headphones usb device device quirks
      do not end with {.ifnum = -1}, wihch may result in out-of-bound read.
      
      This Patch fix the bug by adding an ending quirk object.
      
      Fixes: 240a8af9 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
      Signed-off-by: Benquike's avatarHui Peng <benquike@163.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c8c1647
    • T
      ALSA: usb-audio: Check mixer unit descriptors more strictly · b389f9c4
      Takashi Iwai 提交于
      commit 0bfe5e434e6665b3590575ec3c5e4f86a1ce51c9 upstream.
      
      We've had some sanity checks of the mixer unit descriptors but they
      are too loose and some corner cases are overlooked.  Add more strict
      checks in uac_mixer_unit_get_channels() for avoiding possible OOB
      accesses by malformed descriptors.
      
      This also changes the semantics of uac_mixer_unit_get_channels()
      slightly.  Now it returns zero for the cases where the descriptor
      lacks of bmControls instead of -EINVAL.  Then the caller side skips
      the mixer creation for such unit while it keeps parsing it.
      This corresponds to the case like Maya44.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b389f9c4
    • T
      ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() · 8ee6f180
      Takashi Iwai 提交于
      commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
      
      The parser for the processing unit reads bNrInPins field before the
      bLength sanity check, which may lead to an out-of-bound access when a
      malformed descriptor is given.  Fix it by assignment after the bLength
      check.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8ee6f180