1. 22 May, 2019 40 commits
    • ASoC: RT5677-SPI: Disable 16Bit SPI Transfers · df9f111d
      Curtis Malainey committed
      commit a46eb523220e242affb9a6bc9bb8efc05f4f7459 upstream.
      
      The current algorithm allows 3 types of transfers, 16bit, 32bit and
      burst. According to Realtek, 16bit transfers have a special restriction
      in that it is restricted to the memory region of
      0x18020000 ~ 0x18021000. This region is the memory location of the I2C
      registers. The current algorithm does not uphold this restriction and
      therefore fails to complete writes.
      
      Since this has been broken for some time it's likely no one is using it.
      Better to simply disable the 16 bit writes. This will allow users to
      properly load firmware over SPI without data corruption.
      
      Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
      Reviewed-by: Ben Zhang <benzh@chromium.org>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ASoC: max98090: Fix restore of DAPM Muxes · 7295359b
      Jon Hunter committed
      commit ecb2795c08bc825ebd604997e5be440b060c5b18 upstream.
      
      The max98090 driver defines 3 DAPM muxes; one for the right line output
      (LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux)
      and one for the right headphone mixer source (MIXHPRSEL Mux). The same
      bit is used for the mux as well as the DAPM enable, and although the mux
      can be correctly configured, after playback has completed, the mux will
      be reset during the disable phase. This is preventing the state of these
      muxes from being saved and restored correctly on system reboot. Fix this
      by marking these muxes as SND_SOC_NOPM.
      
      Note this has been verified on the Tegra124 Nyan Big which features
      the MAX98090 codec.
      
      Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14) · e13bac40
      Jeremy Soller committed
      commit 80a5052db75131423b67f38b21958555d7d970e4 upstream.
      
      On the System76 Gazelle (gaze14), there is a headset microphone input
      attached to 0x1a that does not have a jack detect. In order to get it
      working, the pin configuration needs to be set correctly, and the
      ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC fixup needs to be applied. This is
      identical to the patch already applied for the System76 Darter Pro
      (darp5).
      
      Signed-off-by: Jeremy Soller <jeremy@system76.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: hda/realtek - EAPD turn on later · d33f6063
      Kailang Yang committed
      commit 607ca3bd220f4022e6f5356026b19dafc363863a upstream.
      
      Let EAPD turn on after set pin output.
      
      [ NOTE: This change is supposed to reduce the possible click noises at
        (runtime) PM resume.  The functionality should be same (i.e. the
        verbs are executed correctly) no matter which order is, so this
        should be safe to apply for all codecs -- tiwai ]
      
      Signed-off-by: Kailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: hda/hdmi - Consider eld_valid when reporting jack event · 4ac6316a
      Hui Wang committed
      commit 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 upstream.
      
      On the machines with AMD GPU or Nvidia GPU, we often meet this issue:
      after s3, there are 4 HDMI/DP audio devices in the gnome-sound-setting
      even though there are no monitors plugged.
      
      When this problem happens, we check the /proc/asound/cardX/eld#N.M, we
      will find the monitor_present=1, eld_valid=0.
      
      The root cause is BIOS or GPU driver makes the PRESENCE valid even with
      no monitor plugged, and of course the driver will not get the valid
      eld_data subsequently.
      
      In this situation, we should not report the jack_plugged event, to do
      so, let us change the function hdmi_present_sense_via_verbs(). In this
      function, it reads the pin_sense via snd_hda_pin_sense(), after
      calling this function, the jack_dirty is 0, and before exiting
      via_verbs(), we change the shadow pin_sense according to both
      monitor_present and eld_valid, then in the snd_hda_jack_report_sync(),
      since the jack_dirty is still 0, it will report jack event according
      to this modified shadow pin_sense.
      
      After this change, the driver will not report Jack_is_plugged event
      through hdmi_present_sense_via_verbs() if monitor_present is 1 and
      eld_valid is 0.
      
      Signed-off-by: Hui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: hda/hdmi - Read the pin sense from register when repolling · 8c827cda
      Hui Wang committed
      commit 8c2e6728c2bf95765b724e07d0278ae97cd1ee0d upstream.
      
      The driver will check the monitor presence when resuming from suspend,
      starting poll or interrupt triggers. In these 3 situations, the
      jack_dirty will be set to 1 first, then the hda_jack.c reads the
      pin_sense from register, after reading the register, the jack_dirty
      will be set to 0. But hdmi_repoll_work() is enabled in these 3
      situations, it will read the pin_sense a couple of times subsequently,
      since the jack_dirty is 0 now, it does not read the register anymore,
      instead it uses the shadow pin_sense which is read at the first time.
      
      It is meaningless to check the shadow pin_sense a couple of times,
      we need to read the register to check the real plugging state, so
      we set the jack_dirty to 1 in the hdmi_repoll_work().
      
      Signed-off-by: Hui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Fix a memory leak bug · 30dda277
      Wenwen Wang committed
      commit cb5173594d50c72b7bfa14113dfc5084b4d2f726 upstream.
      
      In parse_audio_selector_unit(), the string array 'namelist' is allocated
      through kmalloc_array(), and each string pointer in this array, i.e.,
      'namelist[]', is allocated through kmalloc() in the following for loop.
      Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If
      an error occurs during the creation process, the string array 'namelist',
      including all string pointers in the array 'namelist[]', should be freed,
      before the error code ENOMEM is returned. However, the current code does
      not free 'namelist[]', resulting in memory leaks.
      
      To fix the above issue, free all string pointers 'namelist[]' in a loop.
      
      Signed-off-by: Wenwen Wang <wang6495@umn.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: line6: toneport: Fix broken usage of timer for delayed execution · 741e3efd
      Takashi Iwai committed
      commit 7f84ff68be05ec7a5d2acf8fdc734fe5897af48f upstream.
      
      The line6 toneport driver has code for some delayed initialization,
      and this hits the kernel Oops because mutex and other sleepable
      functions are used in the timer callback.  Fix the abuse by a delayed
      work instead so that everything works gracefully.
      
      Reported-by: syzbot+a07d0142e74fdd595cfb@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mmc: core: Fix tag set memory leak · 003cf675
      Raul E Rangel committed
      commit 43d8dabb4074cf7f3b1404bfbaeba5aa6f3e5cfc upstream.
      
      The tag set is allocated in mmc_init_queue but never freed. This results
      in a memory leak. This change makes sure we free the tag set when the
      queue is also freed.
      
      Signed-off-by: Raul E Rangel <rrangel@chromium.org>
      Reviewed-by: Jens Axboe <axboe@kernel.dk>
      Acked-by: Adrian Hunter <adrian.hunter@intel.com>
      Fixes: 81196976 ("mmc: block: Add blk-mq support")
      Cc: stable@vger.kernel.org
      Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: arm64/aes-neonbs - don't access already-freed walk.iv · d42d3420
      Eric Biggers committed
      commit 4a8108b70508df0b6c4ffa4a3974dab93dcbe851 upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected
      by this despite unconditionally accessing walk.iv.  However this is more
      subtle than desired, and unconditionally accessing walk.iv has caused a
      real problem in other algorithms.  Thus, update xts-aes-neonbs to start
      checking the return value of skcipher_walk_virt().
      
      Fixes: 1abee99e ("crypto: arm64/aes - reimplement bit-sliced ARM/NEON implementation for arm64")
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: arm/aes-neonbs - don't access already-freed walk.iv · 69b9d32d
      Eric Biggers committed
      commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't
      affected by this despite unconditionally accessing walk.iv.  However
      this is more subtle than desired, and it was actually broken prior to
      the alignmask being removed by commit cc477bf6 ("crypto: arm/aes -
      replace bit-sliced OpenSSL NEON code").  Thus, update xts-aes-neonbs to
      start checking the return value of skcipher_walk_virt().
      
      Fixes: e4e7f10b ("ARM: add support for bit sliced AES using NEON instructions")
      Cc: <stable@vger.kernel.org> # v3.13+
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: rockchip - update IV buffer to contain the next IV · b7d2adfd
      Zhang Zhijie committed
      commit f0cfd57b43fec65761ca61d3892b983a71515f23 upstream.
      
      The Kernel Crypto API requests that the next IV data be output to the
      IV buffer for the CBC implementation. So the last block of
      ciphertext should be copied into the assigned IV buffer.
      
      Reported-by: Eric Biggers <ebiggers@google.com>
      Fixes: 433cd2c6 ("crypto: rockchip - add crypto driver for rk3288")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: Zhang Zhijie <zhangzj@rock-chips.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: gcm - fix incompatibility between "gcm" and "gcm_base" · 9a61ab68
      Eric Biggers committed
      commit f699594d436960160f6d5ba84ed4a222f20d11cd upstream.
      
      GCM instances can be created by either the "gcm" template, which only
      allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base",
      which allows choosing the ctr and ghash implementations, e.g.
      "gcm_base(ctr(aes-generic),ghash-generic)".
      
      However, a "gcm_base" instance prevents a "gcm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "gcm".  This can be used as a denial of service.
      Moreover, "gcm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "gcm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "gcm_base" instances set the same cra_name as "gcm" instances, e.g.
      "gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)".
      
      This requires extracting the block cipher name from the name of the ctr
      algorithm.  It also requires starting to verify that the algorithms are
      really ctr and ghash, not something else entirely.  But it would be
      bizarre if anyone were actually using non-gcm-compatible algorithms with
      gcm_base, so this shouldn't break anyone in practice.
      
      Fixes: d00aa19b ("[CRYPTO] gcm: Allow block cipher parameter")
      Cc: stable@vger.kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: arm64/gcm-aes-ce - fix no-NEON fallback code · 63efe31c
      Eric Biggers committed
      commit 580e295178402d14bbf598a5702f8e01fc59dbaa upstream.
      
      The arm64 gcm-aes-ce algorithm is failing the extra crypto self-tests
      following my patches to test the !may_use_simd() code paths, which
      previously were untested.  The problem is that in the !may_use_simd()
      case, an odd number of AES blocks can be processed within each step of
      the skcipher_walk.  However, the skcipher_walk is being done with a
      "stride" of 2 blocks and is advanced by an even number of blocks after
      each step.  This causes the encryption to produce the wrong ciphertext
      and authentication tag, and causes the decryption to incorrectly fail.
      
      Fix it by only processing an even number of blocks per step.
      
      Fixes: c2b24c36 ("crypto: arm64/aes-gcm-ce - fix scatterwalk API violation")
      Fixes: 71e52c27 ("crypto: arm64/aes-ce-gcm - operate on two input blocks at a time")
      Cc: <stable@vger.kernel.org> # v4.19+
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest() · e7fd8a28
      Eric Biggers committed
      commit dec3d0b1071a0f3194e66a83d26ecf4aa8c5910e upstream.
      
      The ->digest() method of crct10dif-pclmul reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      Fixes: 0b95a7f8 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: crct10dif-generic - fix use via crypto_shash_digest() · 7a19a4be
      Eric Biggers committed
      commit 307508d1072979f4435416f87936f87eaeb82054 upstream.
      
      The ->digest() method of crct10dif-generic reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.
      
      Fixes: 2d31e518 ("crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: skcipher - don't WARN on unprocessed data after slow walk step · aabf86f2
      Eric Biggers committed
      commit dcaca01a42cc2c425154a13412b4124293a6e11e upstream.
      
      skcipher_walk_done() assumes it's a bug if, after the "slow" path is
      executed where the next chunk of data is processed via a bounce buffer,
      the algorithm says it didn't process all bytes.  Thus it WARNs on this.
      
      However, this can happen legitimately when the message needs to be
      evenly divisible into "blocks" but isn't, and the algorithm has a
      'walksize' greater than the block size.  For example, ecb-aes-neonbs
      sets 'walksize' to 128 bytes and only supports messages evenly divisible
      into 16-byte blocks.  If, say, 17 message bytes remain but they straddle
      scatterlist elements, the skcipher_walk code will take the "slow" path
      and pass the algorithm all 17 bytes in the bounce buffer.  But the
      algorithm will only be able to process 16 bytes, triggering the WARN.
      
      Fix this by just removing the WARN_ON().  Returning -EINVAL, as the code
      already does, is the right behavior.
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.
      
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: vmx - fix copy-paste error in CTR mode · 66f5de68
      Daniel Axtens committed
      commit dcf7b48212c0fab7df69e84fab22d6cb7c8c0fb9 upstream.
      
      The original assembly imported from OpenSSL has two copy-paste
      errors in handling CTR mode. When dealing with a 2 or 3 block tail,
      the code branches to the CBC decryption exit path, rather than to
      the CTR exit path.
      
      This leads to corruption of the IV, which leads to subsequent blocks
      being corrupted.
      
      This can be detected with libkcapi test suite, which is available at
      https://github.com/smuellerDD/libkcapi
      
      Reported-by: Ondrej Mosnáček <omosnacek@gmail.com>
      Fixes: 5c380d62 ("crypto: vmx - Add support for VMS instructions by ASM")
      Cc: stable@vger.kernel.org
      Signed-off-by: Daniel Axtens <dja@axtens.net>
      Tested-by: Michael Ellerman <mpe@ellerman.id.au>
      Tested-by: Ondrej Mosnacek <omosnacek@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: ccp - Do not free psp_master when PLATFORM_INIT fails · 07d677ae
      Singh, Brijesh committed
      commit f5a2aeb8b254c764772729a6e48d4e0c914bb56a upstream.
      
      Currently, we free the psp_master if the PLATFORM_INIT fails during the
      SEV FW probe. If psp_master is freed then driver does not invoke the PSP
      FW. As per SEV FW spec, there are several commands (PLATFORM_RESET,
      PLATFORM_STATUS, GET_ID etc) which can be executed in the UNINIT state.
      We should not free the psp_master when PLATFORM_INIT fails.
      
      Fixes: 200664d5 ("crypto: ccp: Add SEV support")
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Gary Hook <gary.hook@amd.com>
      Cc: stable@vger.kernel.org # 4.19.y
      Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: chacha20poly1305 - set cra_name correctly · fe632ee5
      Eric Biggers committed
      commit 5e27f38f1f3f45a0c938299c3a34a2d2db77165a upstream.
      
      If the rfc7539 template is instantiated with specific implementations,
      e.g. "rfc7539(chacha20-generic,poly1305-generic)" rather than
      "rfc7539(chacha20,poly1305)", then the implementation names end up
      included in the instance's cra_name.  This is incorrect because it then
      prevents all users from allocating "rfc7539(chacha20,poly1305)", if the
      highest priority implementations of chacha20 and poly1305 were selected.
      Also, the self-tests aren't run on an instance allocated in this way.
      
      Fix it by setting the instance's cra_name from the underlying
      algorithms' actual cra_names, rather than from the requested names.
      This matches what other templates do.
      
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Cc: Martin Willi <martin@strongswan.org>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Reviewed-by: Martin Willi <martin@strongswan.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: salsa20 - don't access already-freed walk.iv · 3b5ddd5e
      Eric Biggers committed
      commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      salsa20-generic doesn't set an alignmask, so currently it isn't affected
      by this despite unconditionally accessing walk.iv.  However this is more
      subtle than desired, and it was actually broken prior to the alignmask
      being removed by commit b62b3db7 ("crypto: salsa20-generic - cleanup
      and convert to skcipher API").
      
      Since salsa20-generic does not update the IV and does not need any IV
      alignment, update it to use req->iv instead of walk.iv.
      
      Fixes: 2407d608 ("[CRYPTO] salsa20: Salsa20 stream cipher")
      Cc: stable@vger.kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: crypto4xx - fix cfb and ofb "overran dst buffer" issues · 7a32ad34
      Christian Lamparter committed
      commit 7e92e1717e3eaf6b322c252947c696b3059f05be upstream.
      
      Currently, crypto4xx CFB and OFB AES ciphers are
      failing testmgr's test vectors.
      
      |cfb-aes-ppc4xx encryption overran dst buffer on test vector 3, cfg="in-place"
      |ofb-aes-ppc4xx encryption overran dst buffer on test vector 1, cfg="in-place"
      
      This is because of a very subtle "bug" in the hardware that
      gets indirectly mentioned in 18.1.3.5 Encryption/Decryption
      of the hardware spec:
      
      the OFB and CFB modes for AES are listed there as operation
      modes for >>> "Block ciphers" <<<. Which kind of makes sense,
      but we would like them to be considered as stream ciphers just
      like the CTR mode.
      
      To work around this issue and stop the hardware from causing
      "overran dst buffer" on crypttexts that are not a multiple
      of 16 (AES_BLOCK_SIZE), we force the driver to use the scatter
      buffers as the go-between.
      
      As a bonus this patch also kills redundant pd_uinfo->num_gd
      and pd_uinfo->num_sd setters since the value has already been
      set before.
      
      Cc: stable@vger.kernel.org
      Fixes: f2a13e7c ("crypto: crypto4xx - enable AES RFC3686, ECB, CFB and OFB offloads")
      Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • crypto: crypto4xx - fix ctr-aes missing output IV · c1ec6bea
      Christian Lamparter committed
      commit 25baaf8e2c93197d063b372ef7b62f2767c7ac0b upstream.
      
      Commit 8efd972ef96a ("crypto: testmgr - support checking skcipher output IV")
      caused the crypto4xx driver to produce the following error:
      
      | ctr-aes-ppc4xx encryption test failed (wrong output IV)
      | on test vector 0, cfg="in-place"
      
      This patch fixes this by reworking the crypto4xx_setkey_aes()
      function to:
      
       - not save the iv for ECB (as per 18.2.38 CRYP0_SA_CMD_0:
         "This bit must be cleared for DES ECB mode or AES ECB mode,
         when no IV is used.")
      
       - instruct the hardware to save the generated IV for all
         other modes of operations that have IV and then supply
         it back to the callee in pretty much the same way as we
         do it for cbc-aes already.
      
       - make it clear that the DIR_(IN|OUT)BOUND is the important
         bit that tells the hardware to encrypt or decrypt the data.
         (this is cosmetic - but it hopefully prevents me from
          getting confused again).
      
       - don't load any bogus hash when we don't use any hash
         operation to begin with.
      
      Cc: stable@vger.kernel.org
      Fixes: f2a13e7c ("crypto: crypto4xx - enable AES RFC3686, ECB, CFB and OFB offloads")
      Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sched/x86: Save [ER]FLAGS on context switch · 2ea1a37d
      Peter Zijlstra committed
      commit 6690e86be83ac75832e461c141055b5d601c0a6d upstream.
      
      Effectively reverts commit:
      
        2c7577a7 ("sched/x86_64: Don't save flags on context switch")
      
      Specifically because SMAP uses FLAGS.AC which invalidates the claim
      that the kernel has clean flags.
      
      In particular; while preemption from interrupt return is fine (the
      IRET frame on the exception stack contains FLAGS) it breaks any code
      that does synchronous scheduling, including preempt_enable().
      
      This has become a significant issue ever since commit:
      
        5b24a7a2 ("Add 'unsafe' user access functions for batched accesses")
      
      provided for means of having 'normal' C code between STAC / CLAC,
      exposing the FLAGS.AC state. So far this hasn't led to trouble,
      however fix it before it comes apart.
      
      Reported-by: Julien Thierry <julien.thierry@arm.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@kernel.org
      Fixes: 5b24a7a2 ("Add 'unsafe' user access functions for batched accesses")
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • arm64: Save and restore OSDLR_EL1 across suspend/resume · d8d751ef
      Jean-Philippe Brucker committed
      commit 827a108e354db633698f0b4a10c1ffd2b1f8d1d0 upstream.
      
      When the CPU comes out of suspend, the firmware may have modified the OS
      Double Lock Register. Save it in an unused slot of cpu_suspend_ctx, and
      restore it on resume.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • arm64: Clear OSDLR_EL1 on CPU boot · f273cd16
      Jean-Philippe Brucker committed
      commit 6fda41bf12615ee7c3ddac88155099b1a8cf8d00 upstream.
      
      Some firmwares may reboot CPUs with OS Double Lock set. Make sure that
      it is unlocked, in order to use debug exceptions.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • arm64: compat: Reduce address limit · 26e7d2ad
      Vincenzo Frascino committed
      commit d263119387de9975d2acba1dfd3392f7c5979c18 upstream.
      
      Currently, compat tasks running on arm64 can allocate memory up to
      TASK_SIZE_32 (UL(0x100000000)).
      
      This means that mmap() allocations, if we treat them as returning an
      array, are not compliant with section 6.5.8 of the C standard
      (C99) which states that: "If the expression P points to an element of
      an array object and the expression Q points to the last element of the
      same array object, the pointer expression Q+1 compares greater than P".
      
      Redefine TASK_SIZE_32 to address the issue.
      
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: <stable@vger.kernel.org>
      Reported-by: Jann Horn <jannh@google.com>
      Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
      [will: fixed typo in comment]
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • arm64: arch_timer: Ensure counter register reads occur with seqlock held · 6d696ceb
      Will Deacon committed
      commit 75a19a0202db21638a1c2b424afb867e1f9a2376 upstream.
      
      When executing clock_gettime(), either in the vDSO or via a system call,
      we need to ensure that the read of the counter register occurs within
      the seqlock reader critical section. This ensures that updates to the
      clocksource parameters (e.g. the multiplier) are consistent with the
      counter value and therefore avoids the situation where time appears to
      go backwards across multiple reads.
      
      Extend the vDSO logic so that the seqlock critical section covers the
      read of the counter register as well as accesses to the data page. Since
      reads of the counter system registers are not ordered by memory barrier
      instructions, introduce dependency ordering from the counter read to a
      subsequent memory access so that the seqlock memory barriers apply to
      the counter access in both the vDSO and the system call paths.
      
      Cc: <stable@vger.kernel.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Tested-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Link: https://lore.kernel.org/linux-arm-kernel/alpine.DEB.2.21.1902081950260.1662@nanos.tec.linutronix.de/
      Reported-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d696ceb
    • B
      arm64: mmap: Ensure file offset is treated as unsigned · 222abad9
      Boyang Zhou committed
      commit f08cae2f28db24d95be5204046b60618d8de4ddc upstream.
      
      The file offset argument to the arm64 sys_mmap() implementation is
      scaled from bytes to pages by shifting right by PAGE_SHIFT.
      Unfortunately, the offset is passed in as a signed 'off_t' type and
      therefore large offsets (i.e. with the top bit set) are incorrectly
      sign-extended by the shift. This has been observed to cause false mmap()
      failures when mapping GPU doorbells on an arm64 server part.
      
      Change the type of the file offset argument to sys_mmap() from 'off_t'
      to 'unsigned long' so that the shifting scales the value as expected.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Boyang Zhou <zhouby_cn@126.com>
      [will: rewrote commit message]
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      222abad9
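
      The sign extension described in the mmap commit above, as an added user-space model (not code from the commit or the kernel). PAGE_SHIFT = 12, the region table and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12   /* assumption: 4 KiB pages */

/* Hypothetical device regions keyed by page offset (constructed sample). */
struct region { uint64_t first_pgoff, npages; const char *name; };
static const struct region regions[] = {
    { 0x0000000000000010ULL, 4, "registers" },
    { 0x0008000000000000ULL, 2, "doorbell"  },  /* byte offset 1 << 63 */
};

/* Scaling with a signed byte offset, as before the fix. */
static uint64_t pgoff_signed(int64_t off)
{
    /* >> on a negative signed value is implementation-defined in C;
     * GCC and Clang shift arithmetically and replicate the sign bit. */
    return (uint64_t)(off >> PAGE_SHIFT);
}

/* Scaling with an unsigned byte offset, as after the fix: zeros shift in. */
static uint64_t pgoff_unsigned(uint64_t off)
{
    return off >> PAGE_SHIFT;
}

/* Name of the region containing pgoff, or NULL when nothing matches. */
static const char *lookup(uint64_t pgoff)
{
    for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++)
        if (pgoff - regions[i].first_pgoff < regions[i].npages)
            return regions[i].name;
    return NULL;
}

/* Model of the entry point: reject unaligned offsets, scale, look up. */
static const char *model_mmap(uint64_t off, int use_signed)
{
    if (off & ((1ULL << PAGE_SHIFT) - 1))
        return NULL;
    return lookup(use_signed ? pgoff_signed((int64_t)off)
                             : pgoff_unsigned(off));
}

int main(void)
{
    uint64_t off = 0x8000000000000000ULL;   /* top bit set */
    const char *before = model_mmap(off, 1), *after = model_mmap(off, 0);

    printf("signed:   pgoff=%#018llx -> %s\n",
           (unsigned long long)pgoff_signed((int64_t)off),
           before ? before : "(no region)");
    printf("unsigned: pgoff=%#018llx -> %s\n",
           (unsigned long long)pgoff_unsigned(off),
           after ? after : "(no region)");
    return 0;
}
```
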
    • H
      power: supply: axp288_fuel_gauge: Add ACEPC T8 and T11 mini PCs to the blacklist · 592127e9
      Hans de Goede committed
      commit 9274c78305e12c5f461bec15f49c38e0f32ca705 upstream.
      
      The ACEPC T8 and T11 Cherry Trail Z8350 mini PCs use an AXP288 and as PCs,
      rather than portables, they do not have a battery. Still for some
      reason the AXP288 not only thinks there is a battery, it actually
      thinks it is discharging while the PC is running, slowly going to
      0% full, causing userspace to shut down the system due to the battery
      being critically low after a while.
      
      This commit adds the ACEPC T8 and T11 to the axp288 fuel-gauge driver
      blacklist, so that we stop reporting bogus battery readings on this device.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1690852
      Cc: stable@vger.kernel.org
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      592127e9
    • G
      power: supply: axp288_charger: Fix unchecked return value · 26eb5e7f
      Gustavo A. R. Silva committed
      commit c3422ad5f84a66739ec6a37251ca27638c85b6be upstream.
      
      Currently there is no check on platform_get_irq() return value
      in case it fails, hence never actually reporting any errors and
      causing unexpected behavior when using such value as argument
      for function regmap_irq_get_virq().
      
      Fix this by adding a proper check, a message reporting any errors
      and returning *pirq*
      
      Addresses-Coverity-ID: 1443940 ("Improper use of negative value")
      Fixes: 843735b7 ("power: axp288_charger: axp288 charger driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      26eb5e7f
    • W
      ARM: exynos: Fix a leaked reference by adding missing of_node_put · 921bc154
      Wen Yang committed
      commit 629266bf7229cd6a550075f5961f95607b823b59 upstream.
      
      The call to of_get_next_child returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with warnings like:
          arch/arm/mach-exynos/firmware.c:201:2-8: ERROR: missing of_node_put;
              acquired a node pointer with refcount incremented on line 193,
              but without a corresponding object release within this function.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
      Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      921bc154
    • C
      mmc: sdhci-of-arasan: Add DTS property to disable DCMDs. · 6eaeee1e
      Christoph Muellner committed
      commit 7bda9482e7ed4d27d83c1f9cb5cbe3b34ddac3e8 upstream.
      
      Direct commands (DCMDs) are an optional feature of eMMC 5.1's command
      queue engine (CQE). The Arasan eMMC 5.1 controller uses the CQHCI,
      which exposes a control register bit to enable the feature.
      The current implementation sets this bit unconditionally.
      
      This patch allows the feature activation to be suppressed
      by specifying the property disable-cqe-dcmd.
      Signed-off-by: Christoph Muellner <christoph.muellner@theobroma-systems.com>
      Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
      Acked-by: Adrian Hunter <adrian.hunter@intel.com>
      Fixes: 84362d79 ("mmc: sdhci-of-arasan: Add CQHCI support for arasan,sdhci-5.1")
      Cc: stable@vger.kernel.org
      Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      6eaeee1e
    • S
      ARM: dts: exynos: Fix audio (microphone) routing on Odroid XU3 · e2c436d9
      Sylwester Nawrocki committed
      commit 9b23e1a3e8fde76e8cc0e366ab1ed4ffb4440feb upstream.
      
      The name of CODEC input widget to which microphone is connected through
      the "Headphone" jack is "IN12" not "IN1". This fixes microphone support
      on Odroid XU3.
      
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
      Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2c436d9
    • S
      ARM: dts: exynos: Fix interrupt for shared EINTs on Exynos5260 · abea1fb5
      Stuart Menefy committed
      commit b7ed69d67ff0788d8463e599dd5dd1b45c701a7e upstream.
      
      Fix the interrupt information for the GPIO lines with a shared EINT
      interrupt.
      
      Fixes: 16d7ff26 ("ARM: dts: add dts files for exynos5260 SoC")
      Cc: stable@vger.kernel.org
      Signed-off-by: Stuart Menefy <stuart.menefy@mathembedded.com>
      Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      abea1fb5
    • C
      arm64: dts: rockchip: Disable DCMDs on RK3399's eMMC controller. · 8cf1bbca
      Christoph Muellner committed
      commit a3eec13b8fd2b9791a21fa16e38dfea8111579bf upstream.
      
      When using direct commands (DCMDs) on an RK3399, we get spurious
      CQE completion interrupts for the DCMD transaction slot (#31):
      
      [  931.196520] ------------[ cut here ]------------
      [  931.201702] mmc1: cqhci: spurious TCN for tag 31
      [  931.206906] WARNING: CPU: 0 PID: 1433 at /usr/src/kernel/drivers/mmc/host/cqhci.c:725 cqhci_irq+0x2e4/0x490
      [  931.206909] Modules linked in:
      [  931.206918] CPU: 0 PID: 1433 Comm: irq/29-mmc1 Not tainted 4.19.8-rt6-funkadelic #1
      [  931.206920] Hardware name: Theobroma Systems RK3399-Q7 SoM (DT)
      [  931.206924] pstate: 40000005 (nZcv daif -PAN -UAO)
      [  931.206927] pc : cqhci_irq+0x2e4/0x490
      [  931.206931] lr : cqhci_irq+0x2e4/0x490
      [  931.206933] sp : ffff00000e54bc80
      [  931.206934] x29: ffff00000e54bc80 x28: 0000000000000000
      [  931.206939] x27: 0000000000000001 x26: ffff000008f217e8
      [  931.206944] x25: ffff8000f02ef030 x24: ffff0000091417b0
      [  931.206948] x23: ffff0000090aa000 x22: ffff8000f008b000
      [  931.206953] x21: 0000000000000002 x20: 000000000000001f
      [  931.206957] x19: ffff8000f02ef018 x18: ffffffffffffffff
      [  931.206961] x17: 0000000000000000 x16: 0000000000000000
      [  931.206966] x15: ffff0000090aa6c8 x14: 0720072007200720
      [  931.206970] x13: 0720072007200720 x12: 0720072007200720
      [  931.206975] x11: 0720072007200720 x10: 0720072007200720
      [  931.206980] x9 : 0720072007200720 x8 : 0720072007200720
      [  931.206984] x7 : 0720073107330720 x6 : 00000000000005a0
      [  931.206988] x5 : ffff00000860d4b0 x4 : 0000000000000000
      [  931.206993] x3 : 0000000000000001 x2 : 0000000000000001
      [  931.206997] x1 : 1bde3a91b0d4d900 x0 : 0000000000000000
      [  931.207001] Call trace:
      [  931.207005]  cqhci_irq+0x2e4/0x490
      [  931.207009]  sdhci_arasan_cqhci_irq+0x5c/0x90
      [  931.207013]  sdhci_irq+0x98/0x930
      [  931.207019]  irq_forced_thread_fn+0x2c/0xa0
      [  931.207023]  irq_thread+0x114/0x1c0
      [  931.207027]  kthread+0x128/0x130
      [  931.207032]  ret_from_fork+0x10/0x20
      [  931.207035] ---[ end trace 0000000000000002 ]---
      
      The driver shows this message only for the first spurious interrupt
      by using WARN_ONCE(). Changing this to WARN() shows that this is
      happening quite frequently (up to once a second).
      
      Since the eMMC 5.1 specification, where CQE and CQHCI are specified,
      does not mention that spurious TCN interrupts for DCMDs can be simply
      ignored, we must assume that using this feature is not working reliably.
      
      The current implementation uses DCMD for REQ_OP_FLUSH only, and
      I could not see any performance/power impact when disabling
      this optional feature for RK3399.
      
      Therefore this patch disables DCMDs for RK3399.
      Signed-off-by: Christoph Muellner <christoph.muellner@theobroma-systems.com>
      Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
      Fixes: 84362d79 ("mmc: sdhci-of-arasan: Add CQHCI support for arasan,sdhci-5.1")
      Cc: stable@vger.kernel.org
      [the corresponding code changes are queued for 5.2 so doing that as well]
      Signed-off-by: Heiko Stuebner <heiko@sntech.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      8cf1bbca
    • J
      objtool: Fix function fallthrough detection · 7b72ca63
      Josh Poimboeuf committed
      commit e6f393bc939d566ce3def71232d8013de9aaadde upstream.
      
      When a function falls through to the next function due to a compiler
      bug, objtool prints some obscure warnings.  For example:
      
        drivers/regulator/core.o: warning: objtool: regulator_count_voltages()+0x95: return with modified stack frame
        drivers/regulator/core.o: warning: objtool: regulator_count_voltages()+0x0: stack state mismatch: cfa1=7+32 cfa2=7+8
      
      Instead it should be printing:
      
        drivers/regulator/core.o: warning: objtool: regulator_supply_is_couple() falls through to next function regulator_count_voltages()
      
      This used to work, but was broken by the following commit:
      
        13810435 ("objtool: Support GCC 8's cold subfunctions")
      
      The padding nops at the end of a function aren't actually part of the
      function, as defined by the symbol table.  So the 'func' variable in
      validate_branch() is getting cleared to NULL when a padding nop is
      encountered, breaking the fallthrough detection.
      
      If the current instruction doesn't have a function associated with it,
      just consider it to be part of the previously detected function by not
      overwriting the previous value of 'func'.
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <stable@vger.kernel.org>
      Fixes: 13810435 ("objtool: Support GCC 8's cold subfunctions")
      Link: http://lkml.kernel.org/r/546d143820cd08a46624ae8440d093dd6c902cae.1557766718.git.jpoimboe@redhat.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      7b72ca63
    • A
      x86/speculation/mds: Improve CPU buffer clear documentation · b185029f
      Andy Lutomirski committed
      commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.
      
      On x86_64, all returns to usermode go through
      prepare_exit_to_usermode(), with the sole exception of do_nmi().
      This even includes machine checks -- this was added several years
      ago to support MCE recovery.  Update the documentation.
      Signed-off-by: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Frederic Weisbecker <frederic@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
      Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      b185029f
    • A
      x86/speculation/mds: Revert CPU buffer clear on double fault exit · 393ca9ea
      Andy Lutomirski committed
      commit 88640e1dcd089879530a49a8d212d1814678dfe7 upstream.
      
      The double fault ESPFIX path doesn't return to user mode at all --
      it returns back to the kernel by simulating a #GP fault.
      prepare_exit_to_usermode() will run on the way out of
      general_protection before running user code.
      Signed-off-by: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Frederic Weisbecker <frederic@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
      Link: http://lkml.kernel.org/r/ac97612445c0a44ee10374f6ea79c222fe22a5c4.1557865329.git.luto@kernel.org
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      393ca9ea
    • W
      locking/rwsem: Prevent decrement of reader count before increment · 7761dbf5
      Waiman Long committed
      [ Upstream commit a9e9bcb45b1525ba7aea26ed9441e8632aeeda58 ]
      
      During my rwsem testing, it was found that after a down_read(), the
      reader count may occasionally become 0 or even negative. Consequently,
      a writer may steal the lock at that time and execute with the reader
      in parallel thus breaking the mutual exclusion guarantee of the write
      lock. In other words, both readers and writer can become rwsem owners
      simultaneously.
      
      The current reader wakeup code does it in one pass to clear waiter->task
      and put them into wake_q before fully incrementing the reader count.
      Once waiter->task is cleared, the corresponding reader may see it,
      finish the critical section and do unlock to decrement the count before
      the count is incremented. This is not a problem if there is only one
      reader to wake up as the count has been pre-incremented by 1.  It is
      a problem if there is more than one reader to be woken up and a writer
      can steal the lock.
      
      The wakeup was actually done in 2 passes before the following v4.9 commit:
      
        70800c3c ("locking/rwsem: Scan the wait_list for readers only once")
      
      To fix this problem, the wakeup is now done in two passes
      again. In the first pass, we collect the readers and count them.
      The reader count is then fully incremented. In the second pass, the
      waiter->task is then cleared and they are put into wake_q to be woken
      up later.
      Signed-off-by: Waiman Long <longman@redhat.com>
      Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: huang ying <huang.ying.caritas@gmail.com>
      Fixes: 70800c3c ("locking/rwsem: Scan the wait_list for readers only once")
      Link: http://lkml.kernel.org/r/20190428212557.13482-2-longman@redhat.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      7761dbf5
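
      The one-pass versus two-pass reader wakeup from the rwsem commit above, as an added single-threaded model (not the kernel's rwsem code). The struct, the function names and the schedule in which every reader but the last unlocks at once are assumptions constructed for this example.

```c
#include <stdio.h>

#define NREADERS 3      /* constructed: three readers on the wait list */

struct model {
    long count;         /* reader count as a writer would observe it */
    long min_count;     /* lowest value count reached during the wakeup */
    int  running;       /* readers released and still holding the lock */
    int  stolen;        /* a writer could see count <= 0 while a reader ran */
};

/* Models clearing waiter->task: the reader owns the lock from here on.
 * In this schedule every reader except the last unlocks immediately. */
static void release_reader(struct model *m, int idx)
{
    m->running++;
    if (m->count <= 0)              /* writer sees a free lock: exclusion lost */
        m->stolen = 1;
    if (idx < NREADERS - 1) {       /* fast reader: unlock right away */
        m->count--;
        m->running--;
        if (m->count < m->min_count)
            m->min_count = m->count;
    }
}

/* One pass: release readers first, add the remaining count afterwards. */
static struct model wake_one_pass(void)
{
    struct model m = { .count = 1, .min_count = 1 };  /* pre-incremented by 1 */
    for (int i = 0; i < NREADERS; i++)
        release_reader(&m, i);
    m.count += NREADERS - 1;        /* adjustment arrives too late */
    return m;
}

/* Two passes: count the readers, fully increment, then release them. */
static struct model wake_two_pass(void)
{
    struct model m = { .count = 1, .min_count = 1 };  /* pre-incremented by 1 */
    int woken = 0;
    for (int i = 0; i < NREADERS; i++)  /* pass 1: collect and count */
        woken++;
    m.count += woken - 1;               /* count is complete before any wakeup */
    for (int i = 0; i < woken; i++)     /* pass 2: release */
        release_reader(&m, i);
    return m;
}

int main(void)
{
    struct model a = wake_one_pass(), b = wake_two_pass();
    printf("one pass: min count %ld, writer could steal: %d\n", a.min_count, a.stolen);
    printf("two pass: min count %ld, writer could steal: %d\n", b.min_count, b.stolen);
    return 0;
}
```
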