Just one important fix for amdgpu to avoid possible memory corruption.
* 'drm-fixes-4.4' of git://people.freedesktop.org/~agd5f/linux:
drm/amdgpu: fix user fence handling
This fixes CVE-2015-7550.
There's a race between keyctl_read() and keyctl_revoke(). If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.
This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.
Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.
I think the bug was introduced with the original keyrings code.
This was discovered by a multithreaded test program generated by syzkaller
(http://github.com/google/syzkaller). Here's a cleaned up version:
#include <sys/types.h>
#include <keyutils.h>
#include <pthread.h>
void *thr0(void *arg)
{
key_serial_t key = (unsigned long)arg;
keyctl_revoke(key);
return 0;
}
void *thr1(void *arg)
{
key_serial_t key = (unsigned long)arg;
char buffer[16];
keyctl_read(key, buffer, 16);
return 0;
}
int main()
{
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
pthread_t th[5];
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
pthread_join(th[2], 0);
pthread_join(th[3], 0);
return 0;
}
Build as:
cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
Run as:
while keyctl-race; do :; done
as it may need several iterations to crash the kernel. The crash can be
summarised as:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
...
Call Trace:
[<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
[<ffffffff81277815>] SyS_keyctl+0x83/0xe0
[<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Looks like we're missing the wakeirq for the console uart for
duovero parlor. Let's add that as without it console acess just
hangs with PM enabled.
Cc: Arun Bharadwaj <arun@gumstix.com>
Cc: Ash Charles <ash@gumstix.com>
Cc: Florian Vaussard <florian.vaussard@epfl.ch>
Signed-off-by: Tony Lindgren <tony@atomide.com>
When sending "SLEEP" command to the controller it ceases scanning
completely and is unable to wake the system up from sleep, so if it is
configured as a wakeup source we should simply configure interrupt for
wakeup and rely on idle logic within the controller to reduce power
consumption while it is not used.
Signed-off-by: James Chen <james.chen@emc.com.tw>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Pull btrfs fixes from Chris Mason:
"A couple of small fixes"
* 'for-linus-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
Btrfs: check prepare_uptodate_page() error code earlier
Btrfs: check for empty bitmap list in setup_cluster_bitmaps
btrfs: fix misleading warning when space cache failed to load
Btrfs: fix transaction handle leak in balance
Btrfs: fix unprotected list move from unused_bgs to deleted_bgs list
Merge misc fixes from Andrew Morton:
"Three patches"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
include/linux/mmdebug.h: should include linux/bug.h
mm/zswap: change incorrect strncmp use to strcmp
proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter
mmdebug.h uses BUILD_BUG_ON_INVALID(), assuming someone else included
linux/bug.h. Include it ourselves.
This saves build-failures such as:
arch/arm64/include/asm/pgtable.h: In function 'set_pte_at':
arch/arm64/include/asm/pgtable.h:281:3: error: implicit declaration of function 'BUILD_BUG_ON_INVALID' [-Werror=implicit-function-declaration]
VM_WARN_ONCE(!pte_young(pte),
Fixes: 02602a18c3 ("bug: completely remove code generated by disabled VM_BUG_ON()")
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change the use of strncmp in zswap_pool_find_get() to strcmp.
The use of strncmp is no longer correct, now that zswap_zpool_type is
not an array; sizeof() will return the size of a pointer, which isn't
the right length to compare. We don't need to use strncmp anyway,
because the existing params and the passed in params are all guaranteed
to be null terminated, so strcmp should be used.
Signed-off-by: Dan Streetman <ddstreet@ieee.org>
Reported-by: Weijie Yang <weijie.yang@samsung.com>
Cc: Seth Jennings <sjennings@variantweb.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Writing to /proc/$pid/coredump_filter always returns -ESRCH because commit
774636e19e ("proc: convert to kstrto*()/kstrto*_from_user()") removed
the setting of ret after the get_proc_task call and incorrectly left it as
-ESRCH. Instead, return 0 when successful.
Example breakage:
echo 0 > /proc/self/coredump_filter
bash: echo: write error: No such process
Fixes: 774636e19e ("proc: convert to kstrto*()/kstrto*_from_user()")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org> [4.3+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
In a set action tunnel attributes should be encoded in a
nested action.
I noticed this because ovs-dpctl was reporting an error
when dumping flows due to the incorrect encoding of tunnel attributes
in a set action.
Fixes: fc4099f172 ("openvswitch: Fix egress tunnel info.")
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
FW has a rare corner case in which a fragmented packet using lots
of frags would not be linearized, causing the FW to assert while trying
to transmit the packet.
To prevent this, we need to make sure the window of fragements containing
MSS worth of data contains 1 BD less than for regular packets due to
the additional parsing BD.
Signed-off-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: Ariel Elior <Ariel.Elior@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
IP-TTL case is already handled in ip_tunnel_ioctl() API.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Need to do the unregister_device() after all references to the driver
private have been done.
Also we need to use del_timer_sync() for the timers so that we don't
have any asynchronous references after the unregister.
Signed-off-by: David S. Miller <davem@davemloft.net>
- Select CONFIG_BITREVERSE for sht15 driver to avoid build failure
if it is not configured.
- Force wait for conversion time for the first valid data in tmp102
driver to avoid reporting erroneous data to the thermal subsystem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWdGPZAAoJEMsfJm/On5mB8cMP/3G7+GElyMhUtNfXszliz66n
1pVi+Y/+YumGzLxzi1QMyw+4edQGGDLUZarciuQ4ADtpJ0FCFPwLrv3SyVMW4Cxf
/4OpKQo/2677xfh8Y2ZrTbVBgN3y5/6LNCdy4qNKOw4GVYjF7+7oL4owgSzyUmG/
vHZs9u0TQo78opTfdC1lUr+DjzkfFNvaEtRHywSQjdzylMjpgeTSU/Cr5pzcWeoh
wL8/mpS8KmIwiCYz12dohlqF8i7a7TV5HE5QKbDQqFXEoWSt5lUiaSkUrqVZUXlW
heXxM9CG01bicHkZJ4AOjMoqtEcZyfiU1MlumvTUAtVtzWkyHOWHQgGjIJFE6o6f
caXYjGUpTEhe5TSmMQW3Wlp6AEKegse5VLTR2Y4UzHkR28GoyR543MGtkR6w1Ux8
sea9JWwyYdvIcwmol9ivdG7V/ymCpJhT3yZxBIJSCrKbCfQuBszfnSmAUqMbFRBj
YD2FBVMAyt2rVjzPwUA9CKK/ERmgUZXftdiPCbcnHHPeT4tzx+KKzTE2cOpHYl3t
IeID+95pXoAukPF6F1kq6y2zR2Uzdqn5f5VeekGn9Bo+aZmL3zwAZFUgF4u9Tqzy
cO7Cn1b5fb6W5pdFEImK57irZSSSb6GZLlZXsHq9RRezdFQvJdyX0bPsX1Z7Fn+b
zuz5e1GhF+l5LpUUIKz8
=h83R
-----END PGP SIGNATURE-----
Merge tag 'hwmon-for-linus-v4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
- Select CONFIG_BITREVERSE for sht15 driver to avoid build failure if
it is not configured.
- Force wait for conversion time for the first valid data in tmp102
driver to avoid reporting erroneous data to the thermal subsystem.
* tag 'hwmon-for-linus-v4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (sht15) Select CONFIG_BITREVERSE
hwmon: (tmp102) Force wait for conversion time for the first valid data
When the first request_irq fails in be_msix_register, i value
would be zero. The current code decrements the i value and
accesses the eq object without validating the decremented
"i" value. This can cause an "invalid memory address access"
violation.
This patch fixes the problem by accessing the eq object after
validating the "i" value.
Signed-off-by: Venkat Duvvuru <venkatkumar.duvvuru@avagotech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
* Two similar fixes for the Intel and AMD IOMMU drivers to add
proper access checks before calling handle_mm_fault.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJWdCp7AAoJECvwRC2XARrjjAIP/0ihW2zF4R622RgY1C1Cm62j
0eb/R4UqjI3PG0KsURgDHcIm9JP5Z//dgKTOtNX9KOkHlXLcO9MMSD5chVBd4HKG
+Mgx7RM+Mr7f6ElRUa6s1GY1tcJlGf43fW5cMQ44BJIqVXlE47go4U09D86DVgXy
KgyBxQldeOrkXZvAG82WLjGgkdGALQjbDlI8ktmfYWXAvIRWNGJqWY16BwAYOWfb
9d3+1JPekSSBWHC6H+qbkDb8ueO69/Ux0HL5z2Q0zchqGjBb1gnfwLcz865KZpOB
qUwsKFSXTl+jPCrAaLYJnVqAnH4qqKaF6WKAJSIHObTSVqXKHpFHrQrlGVzOvYNn
s3216KIMsxG2nnvSgXCOFGqM/810MH2MSo8YcF5A3celrka3j2Gj08mxInrZXN7D
3p51HSwq8ePo4i5jppT5ldOBSjNV9N3wKWcjDb4OL+OfkJc/u2VbSHNQtpvTclsV
V6VSfWLDC8BCmUveMH2TrawQWkKOz0LqgqfQPX+VvSCIM7tgkrgVsTJrijPtGOs1
zid/A/cfqMdBezSVALrZfB4OVBaM2UL2LJmmLJgApYV+N55Oxmx+nxnMr0aT5KlY
crjcnVaypkq3rG1Wjpt+nTTwtllB0yXNEywQcu2edeswmaQCqsEgQRsDqi6S2/+S
c8l9JKoTrB4+vToYjXyW
=qrAB
-----END PGP SIGNATURE-----
Merge tag 'iommu-fixes-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
Pull IOMMU fixes from Joerg Roedel:
"Two similar fixes for the Intel and AMD IOMMU drivers to add proper
access checks before calling handle_mm_fault"
* tag 'iommu-fixes-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
iommu/vt-d: Do access checks before calling handle_mm_fault()
iommu/amd: Do proper access checking before calling handle_mm_fault()
- XSA-155 security fixes to backend drivers.
- XSA-157 security fixes to pciback.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJWdDrXAAoJEFxbo/MsZsTR3N0H/0Lvz6MWBARCje7livbz7nqE
PS0Bea+2yAfNhCDDiDlpV0lor8qlyfWDF6lGhLjItldAzahag3ZDKDf1Z/lcQvhf
3MwFOcOVZE8lLtvLT6LGnPuehi1Mfdi1Qk1/zQhPhsq6+FLPLT2y+whmBihp8mMh
C12f7KRg5r3U7eZXNB6MEtGA0RFrOp0lBdvsiZx3qyVLpezj9mIe0NueQqwY3QCS
xQ0fILp/x2EnZNZuzgghFTPRxMAx5ReOezgn9Rzvq4aThD+irz1y6ghkYN4rG2s2
tyYOTqBnjJEJEQ+wmYMhnfCwVvDffztG+uI9hqN31QFJiNB0xsjSWFCkDAWchiU=
=Argz
-----END PGP SIGNATURE-----
Merge tag 'for-linus-4.4-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
Pull xen bug fixes from David Vrabel:
- XSA-155 security fixes to backend drivers.
- XSA-157 security fixes to pciback.
* tag 'for-linus-4.4-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen-pciback: fix up cleanup path when alloc fails
xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set.
xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled.
xen/pciback: Do not install an IRQ handler for MSI interrupts.
xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled
xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled
xen/pciback: Save xen_pci_op commands before processing it
xen-scsiback: safely copy requests
xen-blkback: read from indirect descriptors only once
xen-blkback: only read request operation from shared ring once
xen-netback: use RING_COPY_REQUEST() throughout
xen-netback: don't use last request to determine minimum Tx credit
xen: Add RING_COPY_REQUEST()
xen/x86/pvh: Use HVM's flush_tlb_others op
xen: Resume PMU from non-atomic context
xen/events/fifo: Consume unprocessed events when a CPU dies
Or Gerlitz says:
====================
Mellanox mlx4 driver fixes
Two small fixes from Jenny for code flows that deal with time-stamping.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
mlx4_en_init_timestamp was called before creation of netdev and port
init, thus used uninitialized values. Specifically - NIC frequency was
incorrect causing wrong calculations and later wrong HW timestamps.
Fixes: 1ec4864b10 ('net/mlx4_en: Fixed crash when port type is changed')
Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
Signed-off-by: Marina Varshaver <marinav@mellanox.com>
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Service task is responsible for other tasks in addition to timestamping
overflow check. Launch it even if timestamping is not supported by device.
Fixes: 07841f9d94 ('net/mlx4_en: Schedule napi when RX buffers allocation fails')
Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
As usual in rc6, this update contains only a few HD-audio and
USB-audio device-specific quirks: yet another Thinkpad noise fixes,
Dell headphone mic fixes, and AudioQuest DragonFly fixes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWc8fIAAoJEGwxgFQ9KSmkxtMP/0k05GN1EBQyKVhAFgO24N0g
zNoLAEzNylXfFD3p8Dq0YVrnebQ8AuA5SaCZmREjikG/r02JozniDhTFKk2igb0d
RSo+aRC6TnsIfKw7wNIlNUFM3c7ysuHecMtP7RKux6GSNM4lyfKmUWcUXKZkxq97
CXFEyZ82vX3Y7vc5vrXblx5pr0c61Urzel/b8li+noBec8G91FMgAbAIddjZBFhU
J14qSWlWnY92aiclYNeH9CHTk8j5gVkS4Vg2XsDrl1iOSHrKrAc40Tm1+sIjT7RA
2OoAjGyrSdW6v3rxakbqT/Wmz6lZOhfeoRwNCphLbhN5UalNj8QryvoF5ypU/ypr
oPDKTmy4AJ1XU9kGmr5OfTIOl4XVMTK4QpcTqkDJQW3sBDCk0vunZdk84YDx/rNf
26GjpeDfqzEGW9CQdPbpKgeaMMIPSdBD62IIuTD0lRQuelz2KH35PYsj6u+kYqJD
vgPUeETN5TCaqyafIWaYmUIcXWEfYRLQMUXJK0G+317bKFcBeQQAU9UnHennwmGl
AGLggl2zfAafspl/wImbKtvhHWmGAKPBCS2R0YNuO83Wvl5RJG/Jt7hyyUxi7n8h
bD5ao9BCpTnIqCqZskuJYGbNV4fVHTthjcqhak0+vAf0ymYBF4VlSAOySE3BrO/m
qkkEH2zJ2/IAOjJlvZfg
=bf1H
-----END PGP SIGNATURE-----
Merge tag 'sound-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"As usual in rc6, this update contains only a few HD-audio and
USB-audio device-specific quirks: yet another Thinkpad noise fixes,
Dell headphone mic fixes, and AudioQuest DragonFly fixes"
* tag 'sound-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads
ALSA: hda - Apply click noise workaround for Thinkpads generically
ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly
ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
David Rivshin says:
====================
drivers: net: cpsw: Fix bugs in fixed-link PHY DT parsing
Commit 1f71e8c96f ("drivers: net: cpsw:
Add support for fixed-link PHY") added initial fixed-link PHY support
for CPSW, but missed a few considerations.
This series is based on the tip of the net tree. The first two patches
fix user-visible errors in different hardware configurations. The third
patch is for an internal reference counting issue. They are logically
independent changes, but in the same function, so must be applied in
order to apply cleanly.
The first patch was originally submitted by Pascal Speck on December 4,
but was not picked up by patchwork. I suspect that is because the patch
was mangled by the mailer. I fixed the mangling and am including it in
this series, as I believe it is the correct change.
I have tested on the following hardware configurations:
- (EVMSK) dual emac with two real MDIO-connected phys using RGMII-TXID
- single emac with fixed-link using RGMII
Testing of other CPSW emac configurations that folks may have would
be appreciated.
Changes from v1 [1]:
- Split into 3 smaller patches.
- Maintain 1f71e8c96fc6's preference for fixed-link over phy_id if
they are both (incorrectly) specified in the slave node.
- Update binding documentation to no longer say that phy_mode is also
mutually exclusive with fixed-link.
- Dropped unnecessary include of phy_fixed.h.
[1] https://patchwork.ozlabs.org/patch/554989/
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
When a fixed-link sub-node exists in a slave node, the slave node
is also the PHY node. Since this is a separate use of the slave node,
of_node_get() should be used to increment the reference count.
Fixes: 1f71e8c96f ("drivers: net: cpsw: Add support for fixed-link PHY")
Signed-off-by: David Rivshin <drivshin@allworx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 1f71e8c96f ("drivers: net: cpsw: Add
support for fixed-link PHY") did not parse the "phy-mode" property in
the case of a fixed-link PHY, leaving slave_data->phy_if with its default
of PHY_INTERFACE_MODE_NA(0). This later gets passed to phy_connect() in
cpsw_slave_open(), and eventually to cpsw_phy_sel() where it hits a default
case that configures the MAC for MII mode.
The user visible symptom is that while kernel log messages seem to indicate
that the interface is set up, there is no network communication. Eventually
a watchdog error occurs:
NETDEV WATCHDOG: eth0 (cpsw): transmit queue 0 timed out
Fixes: 1f71e8c96f ("drivers: net: cpsw: Add support for fixed-link PHY")
Signed-off-by: David Rivshin <drivshin@allworx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When using more than one slave with ti cpsw and fixed phy the pd->phy_id
will be always zero, but slave_data->phy_id must be unique. pd->phy_id
means a "phy hardware id" whereas slave_data->phy_id means an "unique id",
so we should use pd->addr which has the same unique meaning.
Fixes: 1f71e8c96f ("drivers: net: cpsw: Add support for fixed-link PHY")
Signed-off-by: Pascal Speck <kernel@iktek.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
A little bit of a last-minute change for the device tree "fixed partition"
binding. This is needed because we might want to reuse the 'partitions' subnode
for other sorts of partitioning descriptions -- e.g., for describing which
on-flash partition format(s) might be used on the system.
Also tone down a warning message, since it is probably going to show up on a
lot of systems where it should just be ignored.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWc3C5AAoJEFySrpd9RFgtFlIP/jXyyH0ZmfRopa4idhF7bit1
aVZO3YuVw0UG8iXhHp4tpIIHt68P4VdozMV9iehy8dm31Jx/l71rMfTh6TQDmb9Q
mhzY5Oz5lu7zQvoj0pzIeQOAdg83r+eVCjpSfA8yHiVyoHz5CNHJHGiUyerJ/NLG
KCLWZEz9/VEEcuiOHs27dnvSgxQygqAf2gCGJQlvXSZJV6mv50l5KPxkt/vMe3Fz
3i1hjcOvKW5Md1DZHMBg06Mma04pDDE55whZConrGzIMd1jPQ/IbIveud2SmmuU8
+JzRKv//DIqxdJdbp3ybSh2eOPaRx63fAUOUtUdfxQkwz25avs11YWr8daQ4PFsy
wiDR/wTaP9kZyXwupFYqDhsvj7NXHVp/i00Q0FMq7ryrXYMbrOWMwAZgeTRZ3unr
Bq5Js+lbl9H/NVG/GPIKLrDj5n8eNh7DnU5x1ZpSu5wVNxXoSMNuU8piv2nb81RT
Cj4r6eARg5g0+SCz9h57BCIeVwGRtJT9T/PLga6osL/DN3DhMxBf2nSokA53lyXu
1dJh0m+LzgULKJV0s/0/GZ2E8TbZFqgzqq74YCMywciDa9qwvO3qgZdzM55102yx
QNzC5yQrVBraeDQ0dJ8VSOm6cB7sg7O66QhYAu6d/YdqB3CTuto2ehK2ffKLkpkg
5C6hpaIHCchBcFpqeHsT
=UcSG
-----END PGP SIGNATURE-----
Merge tag 'for-linus-20151217' of git://git.infradead.org/linux-mtd
Pull MTD fixes from Brian Norris:
"I was holding out on this pull request for a bit, since there are a
few other small issues being discussed that look like 4.4-rc
regressions. Hopefully I can get those stabilized soon, but these are
ready at any rate:
- A little bit of a last-minute change for the device tree "fixed
partition" binding. This is needed because we might want to reuse
the 'partitions' subnode for other sorts of partitioning
descriptions -- e.g., for describing which on-flash partition
format(s) might be used on the system.
- Also tone down a warning message, since it is probably going to
show up on a lot of systems where it should just be ignored"
* tag 'for-linus-20151217' of git://git.infradead.org/linux-mtd:
doc: dt: mtd: partitions: add compatible property to "partitions" node
mtd: ofpart: don't complain about missing 'partitions' node too loudly
- Fix for the active interrupt detection code, affecting
the timer interrupt injection.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWc/90AAoJECPQ0LrRPXpDTLgP/1UlFghuA/bi4H+VQh+LXGdG
r3R8LfeDlj6nkj8cFUL4Dcr/ft/oraqKiWDmsc7oOlcIT1X9cVD3SX7kxr69vRLN
va9M72Ui+yc2/d6Ko5QZlI+0fVPJLTyuBhjlf9VuO9lODN0xI3iYpghU3uiHfw37
ohcUNB+Twt1/ZZkyZ05Akr8ASiOgDRCgstwE1em3EGsE61jZyRhYeTI1q7n9yfjV
6Xt1xDakwpJYr80uCpJiwctik2CWCJ+CwfaArSdxpsK/NZk11PigW/YfJhfXkJUd
OrEAjBedhlGHyY7VsElR+wOga6tmby0BWIEs0GKp3cMMo9aO4sH+iQ/p7a5oV7d4
MxlvxjFk/ijsPN7NtHPvmc2dz3rKO1C/KxAbT0uZrDaQP90/GmJRlaIw3JBkvPa0
rpfT9O5y/Bcylb/5NIyIxW/Ninnu2TP47bitYUmYa6wp1rBXVTGSiK/YnXxXyS9w
jkyXmiaf1Etzt0oCuC4YLyJBNjz+WEND3ygfx8BDjZey9boNjNw9q8YaP1dIo4HB
I4SKBSmaz9REU6KJkl5gp+KKv/5LoG7j/t3pIgj4B2aTSFZRp0nM8x7dLIUybEvi
GQWm653cBdhQ+ZsFpULGc9x41WhFME1lCoUBY+2fVW1QyPxpcMyTRQkoMOGevZgX
DJE2birTdNx/fOxJ+1XL
=I1JK
-----END PGP SIGNATURE-----
Merge tag 'kvm-arm-for-v4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD
KVM/ARM fixes for v4.4-rc6
- Fix for the active interrupt detection code, affecting
the timer interrupt injection.
Commit 8520f38099 ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue. However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so. As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated. Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.
This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running. It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which nothing should be
done.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f38099 ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The code expects the loop to end with "retries" set to zero but, because
it is a post-op, it will end set to -1. I have fixed this by moving the
decrement inside the loop.
Fixes: 014aa2a3c3 ('USB: ipaq: minor ipaq_open() cleanup.')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Driver requested device firmware version string during probe using
only 24 byte long buffer. That buffer is too small for newer firmware
versions, which causes device firmware hang - device stops responding
to any commands after that. Increase buffer size to 128 which should
be enough for any current and future version strings.
Link: https://github.com/airspy/host/issues/27
Cc: <stable@vger.kernel.org> # 3.17+
Reported-by: Benjamin Vernoux <bvernoux@gmail.com>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Used Avago MGA-81563 RF amplifier could be destroyed pretty easily
with too strong signal or transmitting to bad antenna.
Add module parameter 'enable_rf_gain_ctrl' which allows enabling
RF gain control - otherwise, default without the module parameter,
RF gain control is set to 'grabbed' state which prevents setting
value to the control.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
drivers/media/usb/hackrf/hackrf.c:1533 hackrf_probe()
error: we previously assumed 'dev' could be null (see line 1366)
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
When allocating a pciback device fails, clear the private
field. This could lead to an use-after free, however
the 'really_probe' takes care of setting
dev_set_drvdata(dev, NULL) in its failure path (which we would
exercise if the ->probe function failed), so we we
are OK. However lets be defensive as the code can change.
Going forward we should clean up the pci_set_drvdata(dev, NULL)
in the various code-base. That will be for another day.
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
If CONFIG_BITREVERSE is not built-in, the sht15 driver fails to link:
drivers/built-in.o: In function `sht15_crc8':
drivers/hwmon/sht15.c:195: undefined reference to `byte_rev_table'
This adds a Kconfig 'select' statement, like all other users of
bitrev.h have it.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 33836ee985 ("hwmon:change sht15_reverse()")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
After several open/close sai test with ctrl+c, there will be
I/O error. The SAI can't work anymore, can't recover. There
will be no frame clock. With adding the software reset in
trigger stop, the issue can be fixed.
This is a hardware bug/errata and reset is the only option.
According to the reference manual, the software reset doesn't
reset any control register but only internal hardware logics
such as bit clock generator, status flags, and FIFO pointers.
(Our purpose is just to reset the clock generator while the
software reset is the only way to do that.)
Since slave mode doesn't use the clock generator, only apply
the reset procedure to the master mode.
For asynchronous mode, TX will not be reset when RX is still
running. In this case, i can't reproduce this issue.
Signed-off-by: Zidan Wang <zidan.wang@freescale.com>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
commit f598282f51 ("PCI: Fix the NIU MSI-X problem in a better way")
teaches us that dealing with MSI-X can be troublesome.
Further checks in the MSI-X architecture shows that if the
PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we
may not be able to access the BAR (since they are memory regions).
Since the MSI-X tables are located in there.. that can lead
to us causing PCIe errors. Inhibit us performing any
operation on the MSI-X unless the MEMORY bit is set.
Note that Xen hypervisor with:
"x86/MSI-X: access MSI-X table only after having enabled MSI-X"
will return:
xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3!
When the generic MSI code tries to setup the PIRQ without
MEMORY bit set. Which means with later versions of Xen
(4.6) this patch is not neccessary.
This is part of XSA-157
CC: stable@vger.kernel.org
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Otherwise just continue on, returning the same values as
previously (return of 0, and op->result has the PIRQ value).
This does not change the behavior of XEN_PCI_OP_disable_msi[|x].
The pci_disable_msi or pci_disable_msix have the checks for
msi_enabled or msix_enabled so they will error out immediately.
However the guest can still call these operations and cause
us to disable the 'ack_intr'. That means the backend IRQ handler
for the legacy interrupt will not respond to interrupts anymore.
This will lead to (if the device is causing an interrupt storm)
for the Linux generic code to disable the interrupt line.
Naturally this will only happen if the device in question
is plugged in on the motherboard on shared level interrupt GSI.
This is part of XSA-157
CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Otherwise an guest can subvert the generic MSI code to trigger
an BUG_ON condition during MSI interrupt freeing:
for (i = 0; i < entry->nvec_used; i++)
BUG_ON(irq_has_action(entry->irq + i));
Xen PCI backed installs an IRQ handler (request_irq) for
the dev->irq whenever the guest writes PCI_COMMAND_MEMORY
(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is
done in case the device has legacy interrupts the GSI line
is shared by the backend devices.
To subvert the backend the guest needs to make the backend
to change the dev->irq from the GSI to the MSI interrupt line,
make the backend allocate an interrupt handler, and then command
the backend to free the MSI interrupt and hit the BUG_ON.
Since the backend only calls 'request_irq' when the guest
writes to the PCI_COMMAND register the guest needs to call
XEN_PCI_OP_enable_msi before any other operation. This will
cause the generic MSI code to setup an MSI entry and
populate dev->irq with the new PIRQ value.
Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY
and cause the backend to setup an IRQ handler for dev->irq
(which instead of the GSI value has the MSI pirq). See
'xen_pcibk_control_isr'.
Then the guest disables the MSI: XEN_PCI_OP_disable_msi
which ends up triggering the BUG_ON condition in 'free_msi_irqs'
as there is an IRQ handler for the entry->irq (dev->irq).
Note that this cannot be done using MSI-X as the generic
code does not over-write dev->irq with the MSI-X PIRQ values.
The patch inhibits setting up the IRQ handler if MSI or
MSI-X (for symmetry reasons) code had been called successfully.
P.S.
Xen PCIBack when it sets up the device for the guest consumption
ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device).
XSA-120 addendum patch removed that - however when upstreaming said
addendum we found that it caused issues with qemu upstream. That
has now been fixed in qemu upstream.
This is part of XSA-157
CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
The guest sequence of:
a) XEN_PCI_OP_enable_msix
b) XEN_PCI_OP_enable_msix
results in hitting an NULL pointer due to using freed pointers.
The device passed in the guest MUST have MSI-X capability.
The a) constructs and SysFS representation of MSI and MSI groups.
The b) adds a second set of them but adding in to SysFS fails (duplicate entry).
'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that
in a) pdev->msi_irq_groups is still set) and also free's ALL of the
MSI-X entries of the device (the ones allocated in step a) and b)).
The unwind code: 'free_msi_irqs' deletes all the entries and tries to
delete the pdev->msi_irq_groups (which hasn't been set to NULL).
However the pointers in the SysFS are already freed and we hit an
NULL pointer further on when 'strlen' is attempted on a freed pointer.
The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard
against that. The check for msi_enabled is not stricly neccessary.
This is part of XSA-157
CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
The guest sequence of:
a) XEN_PCI_OP_enable_msi
b) XEN_PCI_OP_enable_msi
c) XEN_PCI_OP_disable_msi
results in hitting an BUG_ON condition in the msi.c code.
The MSI code uses an dev->msi_list to which it adds MSI entries.
Under the above conditions an BUG_ON() can be hit. The device
passed in the guest MUST have MSI capability.
The a) adds the entry to the dev->msi_list and sets msi_enabled.
The b) adds a second entry but adding in to SysFS fails (duplicate entry)
and deletes all of the entries from msi_list and returns (with msi_enabled
is still set). c) pci_disable_msi passes the msi_enabled checks and hits:
BUG_ON(list_empty(dev_to_msi_list(&dev->dev)));
and blows up.
The patch adds a simple check in the XEN_PCI_OP_enable_msi to guard
against that. The check for msix_enabled is not stricly neccessary.
This is part of XSA-157.
CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Double fetch vulnerabilities that happen when a variable is
fetched twice from shared memory but a security check is only
performed the first time.
The xen_pcibk_do_op function performs a switch statements on the op->cmd
value which is stored in shared memory. Interestingly this can result
in a double fetch vulnerability depending on the performed compiler
optimization.
This patch fixes it by saving the xen_pci_op command before
processing it. We also use 'barrier' to make sure that the
compiler does not perform any optimization.
This is part of XSA155.
CC: stable@vger.kernel.org
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
The copy of the ring request was lacking a following barrier(),
potentially allowing the compiler to optimize the copy away.
Use RING_COPY_REQUEST() to ensure the request is copied to local
memory.
This is part of XSA155.
CC: stable@vger.kernel.org
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Since indirect descriptors are in memory shared with the frontend, the
frontend could alter the first_sect and last_sect values after they have
been validated but before they are recorded in the request. This may
result in I/O requests that overflow the foreign page, possibly
overwriting local pages when the I/O request is executed.
When parsing indirect descriptors, only read first_sect and last_sect
once.
This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
A compiler may load a switch statement value multiple times, which could
be bad when the value is in memory shared with the frontend.
When converting a non-native request to a native one, ensure that
src->operation is only loaded once by using READ_ONCE().
This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>