linux-stable.git, branch v4.4.75

Linux 4.4.75

2017-06-29T10:49:08+00:00

nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too

2017-06-29T10:48:53+00:00

commit b5a10c5f7532b7473776da87e67f8301bbc32693 upstream.

Commit 54adc01055b7 ("nvme/quirk: Add a delay before checking for adapter
readiness") introduced a quirk to adapters that cannot read the bit
NVME_CSTS_RDY right after register NVME_REG_CC is set; these adapters
need a delay or else the action of reading the bit NVME_CSTS_RDY could
somehow corrupt adapter's registers state and it never recovers.

When this quirk was added, we checked ctrl->tagset in order to avoid
quirking in probe time, supposing we would never require such delay
during probe. Well, it was too optimistic; we in fact need this quirk
at probe time in some cases, like after a kexec.

In some experiments, after abnormal shutdown of machine (aka power cord
unplug), we booted into our bootloader in Power, which is a Linux kernel,
and kexec'ed into another distro. If this kexec is too quick, we end up
reaching the probe of NVMe adapter in that distro when adapter is in
bad state (not fully initialized on our bootloader). What happens next
is that nvme_wait_ready() is unable to complete, except if the quirk is
enabled.

So, this patch removes the original ctrl->tagset verification in order
to enable the quirk even on probe time.

Fixes: 54adc01055b7 ("nvme/quirk: Add a delay before checking for adapter readiness")
Reported-by: Andrew Byrne 
Reported-by: Jaime A. H. Gomez 
Reported-by: Zachary D. Myers 
Signed-off-by: Guilherme G. Piccoli 
Acked-by: Jeffrey Lien 
Signed-off-by: Christoph Hellwig 
[mauricfo: backport to v4.4.70 without nvme quirk handling & nvme_ctrl]
Signed-off-by: Mauricio Faria de Oliveira 
Tested-by: Narasimhan Vaidyanathan 
Signed-off-by: Greg Kroah-Hartman

nvme/quirk: Add a delay before checking for adapter readiness

2017-06-29T10:48:53+00:00

commit 54adc01055b75ec8769c5a36574c7a0895c0c0b2 upstream.

When disabling the controller, the specification says the register
NVME_REG_CC should be written and then driver needs to wait the
adapter to be ready, which is checked by reading another register
bit (NVME_CSTS_RDY). There's a timeout validation in this checking,
so in case this timeout is reached the driver gives up and removes
the adapter from the system.

After a firmware activation procedure, the PCI_DEVICE(0x1c58, 0x0003)
(HGST adapter) end up being removed if we issue a reset_controller,
because driver keeps verifying the NVME_REG_CSTS until the timeout is
reached. This patch adds a necessary quirk for this adapter, by
introducing a delay before nvme_wait_ready(), so the reset procedure
is able to be completed. This quirk is needed because just increasing
the timeout is not enough in case of this adapter - the driver must
wait before start reading NVME_REG_CSTS register on this specific
device.

Signed-off-by: Guilherme G. Piccoli 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Jens Axboe 
[mauricfo: backport to v4.4.70 without nvme quirk handling & nvme_ctrl]
Signed-off-by: Mauricio Faria de Oliveira 
Tested-by: Narasimhan Vaidyanathan 
Signed-off-by: Greg Kroah-Hartman

net: phy: fix marvell phy status reading

2017-06-29T10:48:53+00:00

commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream.

The Marvell driver incorrectly provides phydev->lp_advertising as the
logical and of the link partner's advert and our advert.  This is
incorrect - this field is supposed to store the link parter's unmodified
advertisment.

This allows ethtool to report the correct link partner auto-negotiation
status.

Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix")
Signed-off-by: Russell King 
Reviewed-by: Andrew Lunn 
Reviewed-by: Florian Fainelli 
Signed-off-by: David S. Miller 
Signed-off-by: Amit Pundir 
Signed-off-by: Greg Kroah-Hartman

net: phy: Initialize mdio clock at probe function

2017-06-29T10:48:53+00:00

commit bb1a619735b4660f21bce3e728b937640024b4ad upstream.

USB PHYs need the MDIO clock divisor enabled earlier to work.
Initialize mdio clock divisor in probe function. The ext bus
bit available in the same register will be used by mdio mux
to enable external mdio.

Signed-off-by: Yendapally Reddy Dhananjaya Reddy 
Fixes: ddc24ae1 ("net: phy: Broadcom iProc MDIO bus driver")
Reviewed-by: Florian Fainelli 
Signed-off-by: Jon Mason 
Signed-off-by: David S. Miller 
Signed-off-by: Amit Pundir 
Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_fs: avoid out of bounds access on comp_desc

2017-06-29T10:48:53+00:00

commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c upstream.

Companion descriptor is only used for SuperSpeed endpoints,
if the endpoints are HighSpeed or FullSpeed, the Companion
descriptor will not allocated, so we can only access it if
gadget is SuperSpeed.

I can reproduce this issue on Rockchip platform rk3368 SoC
which supports USB 2.0, and use functionfs for ADB. Kernel
build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
the following BUG:

==================================================================
BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
Read of size 1 by task swapper/0/0
============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
alloc_debug_processing+0x128/0x17c
___slab_alloc.constprop.58+0x50c/0x610
__slab_alloc.isra.55.constprop.57+0x24/0x34
__kmalloc+0xe0/0x250
ffs_func_bind+0x52c/0x99c
usb_add_function+0xd8/0x1d4
configfs_composite_bind+0x48c/0x570
udc_bind_to_driver+0x6c/0x170
usb_udc_attach_driver+0xa4/0xd0
gadget_dev_desc_UDC_store+0xcc/0x118
configfs_write_file+0x1a0/0x1f8
__vfs_write+0x64/0x174
vfs_write+0xe4/0x200
SyS_write+0x68/0xc8
el0_svc_naked+0x24/0x28
INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
...
Call trace:
[] dump_backtrace+0x0/0x230
[] show_stack+0x14/0x1c
[] dump_stack+0xa0/0xc8
[] print_trailer+0x188/0x198
[] object_err+0x3c/0x4c
[] kasan_report+0x324/0x4dc
[] __asan_load1+0x24/0x50
[] ffs_func_set_alt+0x224/0x3a0
[] composite_setup+0xdcc/0x1ac8
[] android_setup+0x124/0x1a0
[] _setup+0x54/0x74
[] handle_ep0+0x3288/0x4390
[] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
[] dwc_otg_pcd_handle_intr+0x1ec/0x298
[] dwc_otg_pcd_irq+0x10/0x20
[] handle_irq_event_percpu+0x124/0x3ac
[] handle_irq_event+0x60/0xa0
[] handle_fasteoi_irq+0x10c/0x1d4
[] generic_handle_irq+0x30/0x40
[] __handle_domain_irq+0xac/0xdc
[] gic_handle_irq+0x64/0xa4
...
Memory state around the buggy address:
  ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
 >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: William Wu 
Signed-off-by: Felipe Balbi 
Cc: Jerry Zhang 
Signed-off-by: Greg Kroah-Hartman

powerpc/slb: Force a full SLB flush when we insert for a bad EA

2017-06-29T10:48:52+00:00

[Note this patch is not upstream. The bug fix was fixed differently in
upstream prior to the bug being identified.]

The SLB miss handler calls slb_allocate_realmode() in order to create an
SLB entry for the faulting address. At the very start of that function
we check that the faulting Effective Address (EA) is less than
PGTABLE_RANGE (ignoring the region), ie. is it an address which could
possibly fit in the virtual address space.

For an EA which fails that test, we branch out of line (to label 8), but
we still go on to create an SLB entry for the address. The SLB entry we
create has a VSID of 0, which means it will never match anything in the
hash table and so can't actually translate to a physical address.

However that SLB entry will be inserted in the SLB, and so needs to be
managed properly like any other SLB entry. In particular we need to
insert the SLB entry in the SLB cache, so that it will be flushed when
the process is descheduled.

And that is where the bugs begin. The first bug is that slb_finish_load()
uses cr7 to decide if it should insert the SLB entry into the SLB cache.
When we come from the invalid EA case we don't set cr7, it just has some
junk value from userspace. So we may or may not insert the SLB entry in
the SLB cache. If we fail to insert it, we may then incorrectly leave it
in the SLB when the process is descheduled.

The second bug is that even if we do happen to add the entry to the SLB
cache, we do not have enough bits in the SLB cache to remember the full
ESID value for very large EAs.

For example if a process branches to 0x788c545a18000000, that results in
a 256MB SLB entry with an ESID of 0x788c545a1. But each entry in the SLB
cache is only 32-bits, meaning we truncate the ESID to 0x88c545a1. This
has the same effect as the first bug, we incorrectly leave the SLB entry
in the SLB when the process is descheduled.

When a process accesses an invalid EA it results in a SEGV signal being
sent to the process, which typically results in the process being
killed. Process death isn't instantaneous however, the process may catch
the SEGV signal and continue somehow, or the kernel may start writing a
core dump for the process, either of which means it's possible for the
process to be preempted while its processing the SEGV but before it's
been killed.

If that happens, when the process is scheduled back onto the CPU we will
allocate a new SLB entry for the NIP, which will insert a second entry
into the SLB for the bad EA. Because we never flushed the original
entry, due to either bug one or two, we now have two SLB entries that
match the same EA.

If another access is made to that EA, either by the process continuing
after catching the SEGV, or by a second process accessing the same bad
EA on the same CPU, we will trigger an SLB multi-hit machine check
exception. This has been observed happening in the wild.

The fix is when we hit the invalid EA case, we mark the SLB cache as
being full. This causes us to not insert the truncated ESID into the SLB
cache, and means when the process is switched out we will flush the
entire SLB. Note that this works both for the original fault and for a
subsequent call to slb_allocate_realmode() from switch_slb().

Because we mark the SLB cache as full, it doesn't really matter what
value is in cr7, but rather than leaving it as something random we set
it to indicate the address was a kernel address. That also skips the
attempt to insert it in the SLB cache which is a nice side effect.

Another way to fix the bug would be to make the entries in the SLB cache
wider, so that we don't truncate the ESID. However this would be a more
intrusive change as it alters the size and layout of the paca.

This bug was fixed in upstream by commit f0f558b131db ("powerpc/mm:
Preserve CFAR value on SLB miss caused by access to bogus address"),
which changed the way we handle a bad EA entirely removing this bug in
the process.

Signed-off-by: Michael Ellerman 
Reviewed-by: Paul Mackerras 
Signed-off-by: Greg Kroah-Hartman

mtd: spi-nor: fix spansion quad enable

2017-06-29T10:48:52+00:00

commit 807c16253319ee6ccf8873ae64f070f7eb532cd5 upstream.

With the S25FL127S nor flash part, each writing to the configuration
register takes hundreds of ms. During that  time, no more accesses to
the flash should be done (even reads).

This commit adds a wait loop after the register writing until the flash
finishes its work.

This issue could make rootfs mounting fail when the latter was done too
much closely to this quad enable bit setting step. And in this case, a
driver as UBIFS may try to recover the filesystem and may broke it
completely.

Signed-off-by: Joël Esponde 
Signed-off-by: Cyrille Pitchen 
Signed-off-by: Amit Pundir 
Signed-off-by: Greg Kroah-Hartman

of: Add check to of_scan_flat_dt() before accessing initial_boot_params

2017-06-29T10:48:52+00:00

commit 3ec754410cb3e931a6c4920b1a150f21a94a2bf4 upstream.

An empty __dtb_start to __dtb_end section might result in
initial_boot_params being null for arch/mips/ralink. This showed that the
boot process hangs indefinitely in of_scan_flat_dt().

Signed-off-by: Tobias Wolf 
Cc: Sergei Shtylyov 
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14605/
Signed-off-by: Ralf Baechle 
Signed-off-by: Amit Pundir 
Signed-off-by: Greg Kroah-Hartman

rxrpc: Fix several cases where a padded len isn't checked in ticket decode

2017-06-29T10:48:52+00:00

commit 5f2f97656ada8d811d3c1bef503ced266fcd53a0 upstream.

This fixes CVE-2017-7482.

When a kerberos 5 ticket is being decoded so that it can be loaded into an
rxrpc-type key, there are several places in which the length of a
variable-length field is checked to make sure that it's not going to
overrun the available data - but the data is padded to the nearest
four-byte boundary and the code doesn't check for this extra.  This could
lead to the size-remaining variable wrapping and the data pointer going
over the end of the buffer.

Fix this by making the various variable-length data checks use the padded
length.

Reported-by: 石磊 
Signed-off-by: David Howells 
Reviewed-by: Marc Dionne 
Reviewed-by: Dan Carpenter 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman