1. 26 Feb, 2017 11 commits
    • Javier Martinez Canillas's avatar
      tty: serial: msm: Fix module autoload · 04fae8ab
      Javier Martinez Canillas authored
      commit abe81f3b upstream.
      
      If the driver is built as a module, autoload won't work because the module
      alias information is not filled. So user-space can't match the registered
      device with the corresponding module.
      
      Export the module alias information using the MODULE_DEVICE_TABLE() macro.
      
      Before this patch:
      
      $ modinfo drivers/tty/serial/msm_serial.ko | grep alias
      $
      
      After this patch:
      
      $ modinfo drivers/tty/serial/msm_serial.ko | grep alias
      alias:          of:N*T*Cqcom,msm-uartdmC*
      alias:          of:N*T*Cqcom,msm-uartdm
      alias:          of:N*T*Cqcom,msm-uartC*
      alias:          of:N*T*Cqcom,msm-uart
      Signed-off-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Acked-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04fae8ab
    • Maxime Jayat's avatar
      net: socket: fix recvmmsg not returning error from sock_error · 49ed6307
      Maxime Jayat authored
      [ Upstream commit e623a9e9 ]
      
      Commit 34b88a68 ("net: Fix use after free in the recvmmsg exit path"),
      changed the exit path of recvmmsg to always return the datagrams
      variable and modified the error paths to set the variable to the error
      code returned by recvmsg if necessary.
      
      However in the case sock_error returned an error, the error code was
      then ignored, and recvmmsg returned 0.
      
      Change the error path of recvmmsg to correctly return the error code
      of sock_error.
      
      The bug was triggered by using recvmmsg on a CAN interface which was
      not up. Linux 4.6 and later return 0 in this case while earlier
      releases returned -ENETDOWN.
      
      Fixes: 34b88a68 ("net: Fix use after free in the recvmmsg exit path")
      Signed-off-by: default avatarMaxime Jayat <maxime.jayat@mobile-devices.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      49ed6307
    • Paolo Abeni's avatar
      ip: fix IP_CHECKSUM handling · ce9ecb8d
      Paolo Abeni authored
      [ Upstream commit ca4ef457 ]
      
      The skbs processed by ip_cmsg_recv() are not guaranteed to
      be linear e.g. when sending UDP packets over loopback with
      MSGMORE.
      Using csum_partial() on [potentially] the whole skb len
      is dangerous; instead be on the safe side and use skb_checksum().
      
      Thanks to syzkaller team to detect the issue and provide the
      reproducer.
      
      v1 -> v2:
       - move the variable declaration in a tighter scope
      
      Fixes: ad6f939a ("ip: Add offset parameter to ip_cmsg_recv")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce9ecb8d
    • David S. Miller's avatar
      irda: Fix lockdep annotations in hashbin_delete(). · 353dd729
      David S. Miller authored
      [ Upstream commit 4c03b862 ]
      
      A nested lock depth was added to the hasbin_delete() code but it
      doesn't actually work some well and results in tons of lockdep splats.
      
      Fix the code instead to properly drop the lock around the operation
      and just keep peeking the head of the hashbin queue.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      353dd729
    • Andrey Konovalov's avatar
      dccp: fix freeing skb too early for IPV6_RECVPKTINFO · a95df078
      Andrey Konovalov authored
      [ Upstream commit 5edabca9 ]
      
      In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
      is forcibly freed via __kfree_skb in dccp_rcv_state_process if
      dccp_v6_conn_request successfully returns.
      
      However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
      is saved to ireq->pktopts and the ref count for skb is incremented in
      dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
      in dccp_rcv_state_process.
      
      Fix by calling consume_skb instead of doing goto discard and therefore
      calling __kfree_skb.
      
      Similar fixes for TCP:
      
      fb7e2399 [TCP]: skb is unexpectedly freed.
      0aea76d3 tcp: SYN packets are now
      simply consumed
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a95df078
    • Anoob Soman's avatar
      packet: Do not call fanout_release from atomic contexts · fe41cfb4
      Anoob Soman authored
      [ Upstream commit 2bd624b4 ]
      
      Commit 66644982 ("packet: call fanout_release, while UNREGISTERING a
      netdev"), unfortunately, introduced the following issues.
      
      1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
      rcu_read-side critical section. rcu_read_lock disables preemption, most often,
      which prohibits calling sleeping functions.
      
      [  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
      [  ]
      [  ] rcu_scheduler_active = 1, debug_locks = 0
      [  ] 4 locks held by ovs-vswitchd/1969:
      [  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
      [  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
      [  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
      [  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
      [  ]
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
      [  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
      [  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
      "sleeping function called from invalid context"
      
      [  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
      [  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      3. calling dev_remove_pack(&fanout->prot_hook), from inside
      spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
      -> synchronize_net(), which might sleep.
      
      [  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
      [  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
      [  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
      [  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
      [  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
      [  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
      [  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
      [  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
      [  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      4. fanout_release() races with calls from different CPU.
      
      To fix the above problems, remove the call to fanout_release() under
      rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
      netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
      to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
      __fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
      fanout->prot_hook is removed as well.
      
      Fixes: 66644982 ("packet: call fanout_release, while UNREGISTERING a netdev")
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarAnoob Soman <anoob.soman@citrix.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe41cfb4
    • Eric Dumazet's avatar
      packet: fix races in fanout_add() · abd672de
      Eric Dumazet authored
      [ Upstream commit d199fab6 ]
      
      Multiple threads can call fanout_add() at the same time.
      
      We need to grab fanout_mutex earlier to avoid races that could
      lead to one thread freeing po->rollover that was set by another thread.
      
      Do the same in fanout_release(), for peace of mind, and to help us
      finding lockdep issues earlier.
      
      Fixes: dc99f600 ("packet: Add fanout support.")
      Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      abd672de
    • Eric Dumazet's avatar
      net/llc: avoid BUG_ON() in skb_orphan() · 2b3eb433
      Eric Dumazet authored
      [ Upstream commit 8b74d439 ]
      
      It seems nobody used LLC since linux-3.12.
      
      Fortunately fuzzers like syzkaller still know how to run this code,
      otherwise it would be no fun.
      
      Setting skb->sk without skb->destructor leads to all kinds of
      bugs, we now prefer to be very strict about it.
      
      Ideally here we would use skb_set_owner() but this helper does not exist yet,
      only CAN seems to have a private helper for that.
      
      Fixes: 376c7311 ("net: add a temporary sanity check in skb_orphan()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b3eb433
    • Omar Sandoval's avatar
      blk-mq: really fix plug list flushing for nomerge queues · e8330cb5
      Omar Sandoval authored
      commit 87c279e6 upstream.
      
      Commit 0809e3ac ("block: fix plug list flushing for nomerge queues")
      updated blk_mq_make_request() to set request_count even when
      blk_queue_nomerges() returns true. However, blk_mq_make_request() only
      does limited plugging and doesn't use request_count;
      blk_sq_make_request() is the one that should have been fixed. Do that
      and get rid of the unnecessary work in the mq version.
      
      Fixes: 0809e3ac ("block: fix plug list flushing for nomerge queues")
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Reviewed-by: default avatarMing Lei <tom.leiming@gmail.com>
      Reviewed-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8330cb5
    • Colin Ian King's avatar
      rtc: interface: ignore expired timers when enqueuing new timers · f0414c1f
      Colin Ian King authored
      commit 2b2f5ff0 upstream.
      
      This patch fixes a RTC wakealarm issue, namely, the event fires during
      hibernate and is not cleared from the list, causing hwclock to block.
      
      The current enqueuing does not trigger an alarm if any expired timers
      already exist on the timerqueue. This can occur when a RTC wake alarm
      is used to wake a machine out of hibernate and the resumed state has
      old expired timers that have not been removed from the timer queue.
      This fix skips over any expired timers and triggers an alarm if there
      are no pending timers on the timerqueue. Note that the skipped expired
      timer will get reaped later on, so there is no need to clean it up
      immediately.
      
      The issue can be reproduced by putting a machine into hibernate and
      waking it with the RTC wakealarm.  Running the example RTC test program
      from tools/testing/selftests/timers/rtctest.c after the hibernate will
      block indefinitely.  With the fix, it no longer blocks after the
      hibernate resume.
      
      BugLink: http://bugs.launchpad.net/bugs/1333569Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0414c1f
    • Larry Finger's avatar
      rtlwifi: rtl_usb: Fix missing entry in USB driver's private data · a82ac399
      Larry Finger authored
      commit 60f59ce0 upstream.
      
      These drivers need to be able to reference "struct ieee80211_hw" from
      the driver's private data, and vice versa. The USB driver failed to
      store the address of ieee80211_hw in the private data. Although this
      bug has been present for a long time, it was not exposed until
      commit ba9f93f8 ("rtlwifi: Fix enter/exit power_save").
      
      Fixes: ba9f93f8 ("rtlwifi: Fix enter/exit power_save")
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Cc: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a82ac399
  2. 23 Feb, 2017 16 commits
  3. 18 Feb, 2017 13 commits