1. 20 Apr, 2016 40 commits
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer · 46e081b3
      Yoshihiro Shimoda authored
      commit 6490865c upstream.
      
      This patch adds a code to surely disable TX IRQ of the pipe before
      starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
      may happen in rare cases when DMAC is used.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46e081b3
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler() · f10d1592
      Yoshihiro Shimoda authored
      commit 894f2fc4 upstream.
      
      When unexpected situation happened (e.g. tx/rx irq happened while
      DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL
      pointer dereference like the followings:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = c0004000
      [00000000] *pgd=00000000
      Internal error: Oops: 80000007 [#1] SMP ARM
      Modules linked in: usb_f_acm u_serial g_serial libcomposite
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
      Hardware name: Generic R8A7790 (Flattened Device Tree)
      task: c0729c00 ti: c0724000 task.ti: c0724000
      PC is at 0x0
      LR is at usbhsf_pkt_handler+0xac/0x118
      pc : [<00000000>]    lr : [<c03257e0>]    psr: 60000193
      sp : c0725db8  ip : 00000000  fp : c0725df4
      r10: 00000001  r9 : 00000193  r8 : ef3ccab4
      r7 : ef3cca10  r6 : eea4586c  r5 : 00000000  r4 : ef19ceb4
      r3 : 00000000  r2 : 0000009c  r1 : c0725dc4  r0 : ef19ceb4
      
      This patch adds a condition to avoid the dereference.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f10d1592
    • Michal Kazior's avatar
      mac80211: fix txq queue related crashes · d70ab4ad
      Michal Kazior authored
      commit 2a58d42c upstream.
      
      The driver can access the queue simultanously
      while mac80211 tears down the interface. Without
      spinlock protection this could lead to corrupting
      sk_buff_head and subsequently to an invalid
      pointer dereference.
      
      Fixes: ba8c3d6f ("mac80211: add an intermediate software queue implementation")
      Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d70ab4ad
    • Michal Kazior's avatar
      mac80211: fix unnecessary frame drops in mesh fwding · 542afcb4
      Michal Kazior authored
      commit cf440128 upstream.
      
      The ieee80211_queue_stopped() expects hw queue
      number but it was given raw WMM AC number instead.
      
      This could cause frame drops and problems with
      traffic in some cases - most notably if driver
      doesn't map AC numbers to queue numbers 1:1 and
      uses ieee80211_stop_queues() and
      ieee80211_wake_queue() only without ever calling
      ieee80211_wake_queues().
      
      On ath10k it was possible to hit this problem in
      the following case:
      
        1. wlan0 uses queue 0
           (ath10k maps queues per vif)
        2. offchannel uses queue 15
        3. queues 1-14 are unused
        4. ieee80211_stop_queues()
        5. ieee80211_wake_queue(q=0)
        6. ieee80211_wake_queue(q=15)
           (other queues are not woken up because both
            driver and mac80211 know other queues are
            unused)
        7. ieee80211_rx_h_mesh_fwding()
        8. ieee80211_select_queue_80211() returns 2
        9. ieee80211_queue_stopped(q=2) returns true
       10. frame is dropped (oops!)
      
      Fixes: d3c1597b ("mac80211: fix forwarded mesh frame queue mapping")
      Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      542afcb4
    • Sara Sharon's avatar
      mac80211: fix ibss scan parameters · 2c0824ac
      Sara Sharon authored
      commit d321cd01 upstream.
      
      When joining IBSS a full scan should be initiated in order to search
      for existing cell, unless the fixed_channel parameter was set.
      A default channel to create the IBSS on if no cell was found is
      provided as well.
      However - a scan is initiated only on the default channel provided
      regardless of whether ifibss->fixed_channel is set or not, with the
      obvious result of the cell not joining existing IBSS cell that is
      on another channel.
      
      Fixes: 76bed0f4 ("mac80211: IBSS fix scan request")
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c0824ac
    • Arnd Bergmann's avatar
      mac80211: avoid excessive stack usage in sta_info · 9da98ac3
      Arnd Bergmann authored
      commit 0ef049dc upstream.
      
      When CONFIG_OPTIMIZE_INLINING is set, the sta_info_insert_finish
      function consumes more stack than normally, exceeding the
      1024 byte limit on ARM:
      
      net/mac80211/sta_info.c: In function 'sta_info_insert_finish':
      net/mac80211/sta_info.c:561:1: error: the frame size of 1080 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      
      It turns out that there are two functions that put a 'struct station_info'
      on the stack: __sta_info_destroy_part2 and sta_info_insert_finish, and
      this structure alone requires up to 792 bytes.
      
      Hoping that both are called rarely enough, this replaces the
      on-stack structure with a dynamic allocation, which unfortunately
      requires some suboptimal error handling for out-of-memory.
      
      The __sta_info_destroy_part2 function is actually affected by the
      stack usage twice because it calls cfg80211_del_sta_sinfo(), which
      has another instance of struct station_info on its stack.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 98b62183 ("mac80211/cfg80211: add station events")
      Fixes: 6f7a8d26 ("mac80211: send statistics with delete station event")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9da98ac3
    • Johannes Berg's avatar
      mac80211: properly deal with station hashtable insert errors · 7de4ebac
      Johannes Berg authored
      commit 62b14b24 upstream.
      
      The original hand-implemented hash-table in mac80211 couldn't result
      in insertion errors, and while converting to rhashtable I evidently
      forgot to check the errors.
      
      This surfaced now only because Ben is adding many identical keys and
      that resulted in hidden insertion errors.
      
      Fixes: 7bedd0cf ("mac80211: use rhashtable for station table")
      Reported-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7de4ebac
    • Michael S. Tsirkin's avatar
      virtio: virtio 1.0 cs04 spec compliance for reset · 5f6e35c2
      Michael S. Tsirkin authored
      commit 05dbcb43 upstream.
      
      The spec says: after writing 0 to device_status, the driver MUST wait
      for a read of device_status to return 0 before reinitializing the
      device.
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f6e35c2
    • David Disseldorp's avatar
      rbd: use GFP_NOIO consistently for request allocations · 06e2d7dd
      David Disseldorp authored
      commit 2224d879 upstream.
      
      As of 5a60e876, RBD object request
      allocations are made via rbd_obj_request_create() with GFP_NOIO.
      However, subsequent OSD request allocations in rbd_osd_req_create*()
      use GFP_ATOMIC.
      
      With heavy page cache usage (e.g. OSDs running on same host as krbd
      client), rbd_osd_req_create() order-1 GFP_ATOMIC allocations have been
      observed to fail, where direct reclaim would have allowed GFP_NOIO
      allocations to succeed.
      Suggested-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Suggested-by: default avatarNeil Brown <neilb@suse.com>
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      06e2d7dd
    • Manuel Lauss's avatar
      pcmcia: db1xxx_ss: fix last irq_to_gpio user · e4f2138e
      Manuel Lauss authored
      commit e34b6fcf upstream.
      
      remove the usage of removed irq_to_gpio() function.  On pre-DB1200
      boards, pass the actual carddetect GPIO number instead of the IRQ,
      because we need the gpio to actually test card status (inserted or
      not) and can get the irq number with gpio_to_irq() instead.
      
      Tested on DB1300 and DB1500, this patch fixes PCMCIA on the DB1500,
      which used irq_to_gpio().
      
      Fixes: 832f5dac ("MIPS: Remove all the uses of custom gpio.h")
      Signed-off-by: default avatarManuel Lauss <manuel.lauss@gmail.com>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Cc: linux-pcmcia@lists.infradead.org
      Cc: Linux-MIPS <linux-mips@linux-mips.org>
      Patchwork: https://patchwork.linux-mips.org/patch/12747/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e4f2138e
    • Laurent Pinchart's avatar
      v4l: vsp1: Set the SRU CTRL0 register when starting the stream · 5da980e3
      Laurent Pinchart authored
      commit f6acfcdc upstream.
      
      Commit 58f896d8 ("[media] v4l: vsp1: sru: Make the intensity
      controllable during streaming") refactored the stream start code and
      removed the SRU CTRL0 register write by mistake. Add it back.
      
      Fixes: 58f896d8 ("[media] v4l: vsp1: sru: Make the intensity controllable during streaming")
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5da980e3
    • Philipp Zabel's avatar
      coda: fix error path in case of missing pdata on non-DT platform · 4d4b032b
      Philipp Zabel authored
      commit bc717d5e upstream.
      
      If we bail out this early, v4l2_device_register() has not been called
      yet, so no need to call v4l2_device_unregister().
      
      Fixes: b7bd660a ("[media] coda: Call v4l2_device_unregister() from a single location")
      Reported-by: default avatarMichael Olbrich <m.olbrich@pengutronix.de>
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Reviewed-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d4b032b
    • Mauro Carvalho Chehab's avatar
      au0828: Fix dev_state handling · 797e2136
      Mauro Carvalho Chehab authored
      commit e8e3039f upstream.
      
      The au0828 dev_state is actually a bit mask. It should not be
      checking with "==" but, instead, with a logic and. There are some
      places where it was doing it wrong.
      
      Fix that by replacing the dev_state set/clear/test with the
      bitops.
      
      As reviewed by Shuah:
      	"Looks good. Tested running bind/unbind au0828 loop for 1000 times.
      	Didn't see any problems and the v4l2_querycap() problem has been
      	fixed with this patch.
      
      	After the above test, ran bind/unbind snd_usb_audio 1000 times.
      	Didn't see any problems. Generated media graph and the graph
      	looks good."
      Reviewed-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Tested-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      797e2136
    • Shuah Khan's avatar
      au0828: fix au0828_v4l2_close() dev_state race condition · 5046b85e
      Shuah Khan authored
      commit ed940cd2 upstream.
      
      au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to
      detect the device disconnected state correctly, if au0828_v4l2_open() runs
      to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug
      by increasing the likelihood of au0828_v4l2_open() occurring while unbind
      is in progress. When au0828_v4l2_close() fails to detect that the device
      is in disconnect state, it attempts to power down the device and fails with
      the following general protection fault:
      
      [  260.992962] Call Trace:
      [  260.993008]  [<ffffffffa0f80f0f>] ? xc5000_sleep+0x8f/0xd0 [xc5000]
      [  260.993095]  [<ffffffffa0f6803c>] ? fe_standby+0x3c/0x50 [tuner]
      [  260.993186]  [<ffffffffa0ef541c>] au0828_v4l2_close+0x53c/0x620 [au0828]
      [  260.993298]  [<ffffffffa0d08ec0>] v4l2_release+0xf0/0x210 [videodev]
      [  260.993382]  [<ffffffff81570f9c>] __fput+0x1fc/0x6c0
      [  260.993449]  [<ffffffff815714ce>] ____fput+0xe/0x10
      [  260.993519]  [<ffffffff8116eb83>] task_work_run+0x133/0x1f0
      [  260.993602]  [<ffffffff810035d0>] exit_to_usermode_loop+0x140/0x170
      [  260.993681]  [<ffffffff810061ca>] syscall_return_slowpath+0x16a/0x1a0
      [  260.993754]  [<ffffffff82835fb3>] entry_SYSCALL_64_fastpath+0xa6/0xa8
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5046b85e
    • Vladimir Zapolskiy's avatar
      pinctrl: freescale: imx: fix bogus check of of_iomap() return value · 2e638de5
      Vladimir Zapolskiy authored
      commit 9a4f4245 upstream.
      
      On error path of_iomap() returns NULL, hence IS_ERR() check is invalid
      and may cause a NULL pointer dereference, the change fixes this
      problem.
      
      While we are here invert a device node check to simplify the code.
      
      Fixes: 26d8cde5 ("pinctrl: freescale: imx: add shared input select reg support")
      Signed-off-by: default avatarVladimir Zapolskiy <vz@mleia.com>
      Acked-by: default avatarShawn Guo <shawnguo@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2e638de5
    • Linus Walleij's avatar
      pinctrl: nomadik: fix pull debug print inversion · e7c6abc4
      Linus Walleij authored
      commit 6ee33455 upstream.
      
      Pull up was reported as pull down and vice versa. Fix this.
      
      Fixes: 8f1774a2 "pinctrl: nomadik: improve GPIO debug prints"
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7c6abc4
    • Hans de Goede's avatar
      pinctrl: sunxi: Fix A33 external interrupts not working · 6bf00fff
      Hans de Goede authored
      commit 5e7515ba upstream.
      
      pinctrl-sun8i-a33.c (and the dts) declare only 2 interrupt banks,
      where as the closely related a23 has 3 banks. This matches with the
      datasheet for the A33 where only interrupt banks B and G are specified
      where as the A23 has banks A, B and G.
      
      However the A33 being the A23 derative it is means that the interrupt
      configure/status io-addresses for the 2 banks it has are not changed
      from the A23, iow they have the same address as if bank A was still
      present. Where as the sunxi pinctrl currently tries to use the A23 bank
      A addresses for bank B, since the pinctrl code does not know about the
      removed bank A.
      
      Add a irq_bank_base parameter and use this where appropriate to take
      the missing bank A into account.
      
      This fixes external interrupts not working on the A33 (tested with
      an i2c touchscreen controller which uses an external interrupt).
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bf00fff
    • Wolfram Sang's avatar
      pinctrl: sh-pfc: only use dummy states for non-DT platforms · 8536e378
      Wolfram Sang authored
      commit 0129801b upstream.
      
      If pinctrl_provide_dummies() is used unconditionally, then the dummy
      state will be used even on DT platforms when the "init" state was
      intentionally left out. Instead of "default", the dummy "init" state
      will then be used during probe. Thus, when probing an I2C controller on
      cold boot, communication triggered by bus notifiers broke because the
      pins were not initialized.
      
      Do it like OMAP2: use the dummy state only for non-DT platforms.
      
      Fixes: ef0eebc0 ("drivers/pinctrl: Add the concept of an "init" state")
      Reported-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Acked-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Tested-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8536e378
    • Govindraj Raja's avatar
      pinctrl: pistachio: fix mfio84-89 function description and pinmux. · 01f083c7
      Govindraj Raja authored
      commit e9adb336 upstream.
      
      mfio 84 to 89 are described wrongly, fix it to describe
      the right pin and add them to right pin-mux group.
      
      The correct order is:
      	pll1_lock => mips_pll	-- MFIO_83
      	pll2_lock => audio_pll	-- MFIO_84
      	pll3_lock => rpu_v_pll	-- MFIO_85
      	pll4_lock => rpu_l_pll	-- MFIO_86
      	pll5_lock => sys_pll	-- MFIO_87
      	pll6_lock => wifi_pll	-- MFIO_88
      	pll7_lock => bt_pll	-- MFIO_89
      
      Cc: linux-gpio@vger.kernel.org
      Cc: devicetree@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: James Hartley <James.Hartley@imgtec.com>
      Fixes: cefc03e5("pinctrl: Add Pistachio SoC pin control driver")
      Signed-off-by: default avatarGovindraj Raja <Govindraj.Raja@imgtec.com>
      Acked-by: default avatarAndrew Bresticker <abrestic@chromium.org>
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01f083c7
    • Paul Burton's avatar
      MIPS: Fix MSA ld unaligned failure cases · af22bb95
      Paul Burton authored
      commit fa8ff601 upstream.
      
      Copying the content of an MSA vector from user memory may involve TLB
      faults & mapping in pages. This will fail when preemption is disabled
      due to an inability to acquire mmap_sem from do_page_fault, which meant
      such vector loads to unmapped pages would always fail to be emulated.
      Fix this by disabling preemption later only around the updating of
      vector register state.
      
      This change does however introduce a race between performing the load
      into thread context & the thread being preempted, saving its current
      live context & clobbering the loaded value. This should be a rare
      occureence, so optimise for the fast path by simply repeating the load if
      we are preempted.
      
      Additionally if the copy failed then the failure path was taken with
      preemption left disabled, leading to the kernel typically encountering
      further issues around sleeping whilst atomic. The change to where
      preemption is disabled avoids this issue.
      
      Fixes: e4aa1f15 "MIPS: MSA unaligned memory access support"
      Reported-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Reviewed-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
      Cc: Maciej W. Rozycki <macro@linux-mips.org>
      Cc: James Cowgill <James.Cowgill@imgtec.com>
      Cc: Markos Chandras <markos.chandras@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/12345/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af22bb95
    • Paolo Bonzini's avatar
      KVM: x86: reduce default value of halt_poll_ns parameter · 84f2443e
      Paolo Bonzini authored
      commit 14ebda33 upstream.
      
      Windows lets applications choose the frequency of the timer tick,
      and in Windows 10 the maximum rate was changed from 1024 Hz to
      2048 Hz.  Unfortunately, because of the way the Windows API
      works, most applications who need a higher rate than the default
      64 Hz will just do
      
         timeGetDevCaps(&tc, sizeof(tc));
         timeBeginPeriod(tc.wPeriodMin);
      
      and pick the maximum rate.  This causes very high CPU usage when
      playing media or games on Windows 10, even if the guest does not
      actually use the CPU very much, because the frequent timer tick
      causes halt_poll_ns to kick in.
      
      There is no really good solution, especially because Microsoft
      could sooner or later bump the limit to 4096 Hz, but for now
      the best we can do is lower a bit the upper limit for
      halt_poll_ns. :-(
      Reported-by: default avatarJon Panozzo <jonp@lime-technology.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84f2443e
    • Yuki Shibuya's avatar
      KVM: x86: Inject pending interrupt even if pending nmi exist · 30d6a9fd
      Yuki Shibuya authored
      commit 321c5658 upstream.
      
      Non maskable interrupts (NMI) are preferred to interrupts in current
      implementation. If a NMI is pending and NMI is blocked by the result
      of nmi_allowed(), pending interrupt is not injected and
      enable_irq_window() is not executed, even if interrupts injection is
      allowed.
      
      In old kernel (e.g. 2.6.32), schedule() is often called in NMI context.
      In this case, interrupts are needed to execute iret that intends end
      of NMI. The flag of blocking new NMI is not cleared until the guest
      execute the iret, and interrupts are blocked by pending NMI. Due to
      this, iret can't be invoked in the guest, and the guest is starved
      until block is cleared by some events (e.g. canceling injection).
      
      This patch injects pending interrupts, when it's allowed, even if NMI
      is blocked. And, If an interrupts is pending after executing
      inject_pending_event(), enable_irq_window() is executed regardless of
      NMI pending counter.
      Signed-off-by: default avatarYuki Shibuya <shibuya.yk@ncos.nec.co.jp>
      Suggested-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30d6a9fd
    • Oliver Neukum's avatar
      cdc-acm: fix NULL pointer reference · ac1373d6
      Oliver Neukum authored
      commit 29c6dd59 upstream.
      
      The union descriptor must be checked. Its usage was conditional
      before the parser was introduced. This is important, because
      many RNDIS device, which also use the common parser, have
      bogus extra descriptors.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Tested-by: default avatarVasily Galkin <galkin-vv@yandex.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac1373d6
    • Hans de Goede's avatar
      USB: uas: Add a new NO_REPORT_LUNS quirk · f9a6b3ca
      Hans de Goede authored
      commit 13630746 upstream.
      
      Add a new NO_REPORT_LUNS quirk and set it for Seagate drives with
      an usb-id of: 0bc2:331a, as these will fail to respond to a
      REPORT_LUNS command.
      Reported-and-tested-by: default avatarDavid Webb <djw@noc.ac.uk>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9a6b3ca
    • Hans de Goede's avatar
      USB: uas: Limit qdepth at the scsi-host level · 4337f6e5
      Hans de Goede authored
      commit 198de51d upstream.
      
      Commit 64d513ac ("scsi: use host wide tags by default") causes
      the SCSI core to queue more commands then we can handle on devices with
      multiple LUNs, limit the queue depth at the scsi-host level instead of
      per slave to fix this.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4337f6e5
    • Roopa Prabhu's avatar
      mpls: find_outdev: check for err ptr in addition to NULL check · c1ea2d02
      Roopa Prabhu authored
      [ Upstream commit 94a57f1f ]
      
      find_outdev calls inet{,6}_fib_lookup_dev() or dev_get_by_index() to
      find the output device. In case of an error, inet{,6}_fib_lookup_dev()
      returns error pointer and dev_get_by_index() returns NULL. But the function
      only checks for NULL and thus can end up calling dev_put on an ERR_PTR.
      This patch adds an additional check for err ptr after the NULL check.
      
      Before: Trying to add an mpls route with no oif from user, no available
      path to 10.1.1.8 and no default route:
      $ip -f mpls route add 100 as 200 via inet 10.1.1.8
      [  822.337195] BUG: unable to handle kernel NULL pointer dereference at
      00000000000003a3
      [  822.340033] IP: [<ffffffff8148781e>] mpls_nh_assign_dev+0x10b/0x182
      [  822.340033] PGD 1db38067 PUD 1de9e067 PMD 0
      [  822.340033] Oops: 0000 [#1] SMP
      [  822.340033] Modules linked in:
      [  822.340033] CPU: 0 PID: 11148 Comm: ip Not tainted 4.5.0-rc7+ #54
      [  822.340033] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org
      04/01/2014
      [  822.340033] task: ffff88001db82580 ti: ffff88001dad4000 task.ti:
      ffff88001dad4000
      [  822.340033] RIP: 0010:[<ffffffff8148781e>]  [<ffffffff8148781e>]
      mpls_nh_assign_dev+0x10b/0x182
      [  822.340033] RSP: 0018:ffff88001dad7a88  EFLAGS: 00010282
      [  822.340033] RAX: ffffffffffffff9b RBX: ffffffffffffff9b RCX:
      0000000000000002
      [  822.340033] RDX: 00000000ffffff9b RSI: 0000000000000008 RDI:
      0000000000000000
      [  822.340033] RBP: ffff88001ddc9ea0 R08: ffff88001e9f1768 R09:
      0000000000000000
      [  822.340033] R10: ffff88001d9c1100 R11: ffff88001e3c89f0 R12:
      ffffffff8187e0c0
      [  822.340033] R13: ffffffff8187e0c0 R14: ffff88001ddc9e80 R15:
      0000000000000004
      [  822.340033] FS:  00007ff9ed798700(0000) GS:ffff88001fc00000(0000)
      knlGS:0000000000000000
      [  822.340033] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  822.340033] CR2: 00000000000003a3 CR3: 000000001de89000 CR4:
      00000000000006f0
      [  822.340033] Stack:
      [  822.340033]  0000000000000000 0000000100000000 0000000000000000
      0000000000000000
      [  822.340033]  0000000000000000 0801010a00000000 0000000000000000
      0000000000000000
      [  822.340033]  0000000000000004 ffffffff8148749b ffffffff8187e0c0
      000000000000001c
      [  822.340033] Call Trace:
      [  822.340033]  [<ffffffff8148749b>] ? mpls_rt_alloc+0x2b/0x3e
      [  822.340033]  [<ffffffff81488e66>] ? mpls_rtm_newroute+0x358/0x3e2
      [  822.340033]  [<ffffffff810e7bbc>] ? get_page+0x5/0xa
      [  822.340033]  [<ffffffff813b7d94>] ? rtnetlink_rcv_msg+0x17e/0x191
      [  822.340033]  [<ffffffff8111794e>] ? __kmalloc_track_caller+0x8c/0x9e
      [  822.340033]  [<ffffffff813c9393>] ?
      rht_key_hashfn.isra.20.constprop.57+0x14/0x1f
      [  822.340033]  [<ffffffff813b7c16>] ? __rtnl_unlock+0xc/0xc
      [  822.340033]  [<ffffffff813cb794>] ? netlink_rcv_skb+0x36/0x82
      [  822.340033]  [<ffffffff813b4507>] ? rtnetlink_rcv+0x1f/0x28
      [  822.340033]  [<ffffffff813cb2b1>] ? netlink_unicast+0x106/0x189
      [  822.340033]  [<ffffffff813cb5b3>] ? netlink_sendmsg+0x27f/0x2c8
      [  822.340033]  [<ffffffff81392ede>] ? sock_sendmsg_nosec+0x10/0x1b
      [  822.340033]  [<ffffffff81393df1>] ? ___sys_sendmsg+0x182/0x1e3
      [  822.340033]  [<ffffffff810e4f35>] ?
      __alloc_pages_nodemask+0x11c/0x1e4
      [  822.340033]  [<ffffffff8110619c>] ? PageAnon+0x5/0xd
      [  822.340033]  [<ffffffff811062fe>] ? __page_set_anon_rmap+0x45/0x52
      [  822.340033]  [<ffffffff810e7bbc>] ? get_page+0x5/0xa
      [  822.340033]  [<ffffffff810e85ab>] ? __lru_cache_add+0x1a/0x3a
      [  822.340033]  [<ffffffff81087ea9>] ? current_kernel_time64+0x9/0x30
      [  822.340033]  [<ffffffff813940c4>] ? __sys_sendmsg+0x3c/0x5a
      [  822.340033]  [<ffffffff8148f597>] ?
      entry_SYSCALL_64_fastpath+0x12/0x6a
      [  822.340033] Code: 83 08 04 00 00 65 ff 00 48 8b 3c 24 e8 40 7c f2 ff
      eb 13 48 c7 c3 9f ff ff ff eb 0f 89 ce e8 f1 ae f1 ff 48 89 c3 48 85 db
      74 15 <48> 8b 83 08 04 00 00 65 ff 08 48 81 fb 00 f0 ff ff 76 0d eb 07
      [  822.340033] RIP  [<ffffffff8148781e>] mpls_nh_assign_dev+0x10b/0x182
      [  822.340033]  RSP <ffff88001dad7a88>
      [  822.340033] CR2: 00000000000003a3
      [  822.435363] ---[ end trace 98cc65e6f6b8bf11 ]---
      
      After patch:
      $ip -f mpls route add 100 as 200 via inet 10.1.1.8
      RTNETLINK answers: Network is unreachable
      Signed-off-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Reported-by: default avatarDavid Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1ea2d02
    • Jakub Sitnicki's avatar
      ipv6: Count in extension headers in skb->network_header · 5598928f
      Jakub Sitnicki authored
      [ Upstream commit 3ba3458f ]
      
      When sending a UDPv6 message longer than MTU, account for the length
      of fragmentable IPv6 extension headers in skb->network_header offset.
      Same as we do in alloc_new_skb path in __ip6_append_data().
      
      This ensures that later on __ip6_make_skb() will make space in
      headroom for fragmentable extension headers:
      
      	/* move skb->data to ip header from ext header */
      	if (skb->data < skb_network_header(skb))
      		__skb_pull(skb, skb_network_offset(skb));
      
      Prevents a splat due to skb_under_panic:
      
      skbuff: skb_under_panic: text:ffffffff8143397b len:2126 put:14 \
      head:ffff880005bacf50 data:ffff880005bacf4a tail:0x48 end:0xc0 dev:lo
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:104!
      invalid opcode: 0000 [#1] KASAN
      CPU: 0 PID: 160 Comm: reproducer Not tainted 4.6.0-rc2 #65
      [...]
      Call Trace:
       [<ffffffff813eb7b9>] skb_push+0x79/0x80
       [<ffffffff8143397b>] eth_header+0x2b/0x100
       [<ffffffff8141e0d0>] neigh_resolve_output+0x210/0x310
       [<ffffffff814eab77>] ip6_finish_output2+0x4a7/0x7c0
       [<ffffffff814efe3a>] ip6_output+0x16a/0x280
       [<ffffffff815440c1>] ip6_local_out+0xb1/0xf0
       [<ffffffff814f1115>] ip6_send_skb+0x45/0xd0
       [<ffffffff81518836>] udp_v6_send_skb+0x246/0x5d0
       [<ffffffff8151985e>] udpv6_sendmsg+0xa6e/0x1090
      [...]
      Reported-by: default avatarJi Jianwen <jiji@redhat.com>
      Signed-off-by: default avatarJakub Sitnicki <jkbs@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5598928f
    • Thadeu Lima de Souza Cascardo's avatar
      ip6_tunnel: set rtnl_link_ops before calling register_netdevice · 4f4de9ab
      Thadeu Lima de Souza Cascardo authored
      [ Upstream commit b6ee376c ]
      
      When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
      before ip6_tnl_create2 is called. When register_netdevice is called, there
      is no linkinfo attribute in the NEWLINK message because of that.
      
      Setting rtnl_link_ops before calling register_netdevice fixes that.
      
      Fixes: 0b112457 ("ip6tnl: add support of link creation via rtnl")
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f4de9ab
    • Haishuang Yan's avatar
      ipv6: l2tp: fix a potential issue in l2tp_ip6_recv · 9bd8af99
      Haishuang Yan authored
      [ Upstream commit be447f30 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9bd8af99
    • Haishuang Yan's avatar
      ipv4: l2tp: fix a potential issue in l2tp_ip_recv · ad730152
      Haishuang Yan authored
      [ Upstream commit 5745b823 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad730152
    • Jason Wang's avatar
      tuntap: restore default qdisc · 9daaadbe
      Jason Wang authored
      [ Upstream commit 016adb72 ]
      
      After commit f84bb1ea ("net: fix IFF_NO_QUEUE for drivers using
      alloc_netdev"), default qdisc was changed to noqueue because
      tuntap does not set tx_queue_len during .setup(). This patch restores
      default qdisc by setting tx_queue_len in tun_setup().
      
      Fixes: f84bb1ea ("net: fix IFF_NO_QUEUE for drivers using alloc_netdev")
      Cc: Phil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9daaadbe
    • Daniel Borkmann's avatar
      tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter · e137eeb3
      Daniel Borkmann authored
      [ Upstream commit 5a5abb1f ]
      
      Sasha Levin reported a suspicious rcu_dereference_protected() warning
      found while fuzzing with trinity that is similar to this one:
      
        [   52.765684] net/core/filter.c:2262 suspicious rcu_dereference_protected() usage!
        [   52.765688] other info that might help us debug this:
        [   52.765695] rcu_scheduler_active = 1, debug_locks = 1
        [   52.765701] 1 lock held by a.out/1525:
        [   52.765704]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff816a64b7>] rtnl_lock+0x17/0x20
        [   52.765721] stack backtrace:
        [   52.765728] CPU: 1 PID: 1525 Comm: a.out Not tainted 4.5.0+ #264
        [...]
        [   52.765768] Call Trace:
        [   52.765775]  [<ffffffff813e488d>] dump_stack+0x85/0xc8
        [   52.765784]  [<ffffffff810f2fa5>] lockdep_rcu_suspicious+0xd5/0x110
        [   52.765792]  [<ffffffff816afdc2>] sk_detach_filter+0x82/0x90
        [   52.765801]  [<ffffffffa0883425>] tun_detach_filter+0x35/0x90 [tun]
        [   52.765810]  [<ffffffffa0884ed4>] __tun_chr_ioctl+0x354/0x1130 [tun]
        [   52.765818]  [<ffffffff8136fed0>] ? selinux_file_ioctl+0x130/0x210
        [   52.765827]  [<ffffffffa0885ce3>] tun_chr_ioctl+0x13/0x20 [tun]
        [   52.765834]  [<ffffffff81260ea6>] do_vfs_ioctl+0x96/0x690
        [   52.765843]  [<ffffffff81364af3>] ? security_file_ioctl+0x43/0x60
        [   52.765850]  [<ffffffff81261519>] SyS_ioctl+0x79/0x90
        [   52.765858]  [<ffffffff81003ba2>] do_syscall_64+0x62/0x140
        [   52.765866]  [<ffffffff817d563f>] entry_SYSCALL64_slow_path+0x25/0x25
      
      Same can be triggered with PROVE_RCU (+ PROVE_RCU_REPEATEDLY) enabled
      from tun_attach_filter() when user space calls ioctl(tun_fd, TUN{ATTACH,
      DETACH}FILTER, ...) for adding/removing a BPF filter on tap devices.
      
      Since the fix in f91ff5b9 ("net: sk_{detach|attach}_filter() rcu
      fixes") sk_attach_filter()/sk_detach_filter() now dereferences the
      filter with rcu_dereference_protected(), checking whether socket lock
      is held in control path.
      
      Since its introduction in 99405162 ("tun: socket filter support"),
      tap filters are managed under RTNL lock from __tun_chr_ioctl(). Thus the
      sock_owned_by_user(sk) doesn't apply in this specific case and therefore
      triggers the false positive.
      
      Extend the BPF API with __sk_attach_filter()/__sk_detach_filter() pair
      that is used by tap filters and pass in lockdep_rtnl_is_held() for the
      rcu_dereference_protected() checks instead.
      Reported-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e137eeb3
    • Nicolas Dichtel's avatar
      rtnl: fix msg size calculation in if_nlmsg_size() · 18baf0e0
      Nicolas Dichtel authored
      [ Upstream commit c57c7a95 ]
      
      Size of the attribute IFLA_PHYS_PORT_NAME was missing.
      
      Fixes: db24a904 ("net: add support for phys_port_name")
      CC: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18baf0e0
    • Haishuang Yan's avatar
      bridge: Allow set bridge ageing time when switchdev disabled · df371b19
      Haishuang Yan authored
      [ Upstream commit 5e263f71 ]
      
      When NET_SWITCHDEV=n, switchdev_port_attr_set will return -EOPNOTSUPP,
      we should ignore this error code and continue to set the ageing time.
      
      Fixes: c62987bb ("bridge: push bridge setting ageing_time down to switchdev")
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Acked-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df371b19
    • Eric Dumazet's avatar
      ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates · 26dd42eb
      Eric Dumazet authored
      [ Upstream commit 2d421226 ]
      
      IPv6 counters updates use a different macro than IPv4.
      
      Fixes: 36cbb245 ("udp: Increment UDP_MIB_IGNOREDMULTI for arriving unmatched multicasts")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Rick Jones <rick.jones2@hp.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      26dd42eb
    • Bjørn Mork's avatar
      qmi_wwan: add "D-Link DWM-221 B1" device id · 9603d0a5
      Bjørn Mork authored
      [ Upstream commit e84810c7 ]
      
      Thomas reports:
      "Windows:
      
      00 diagnostics
      01 modem
      02 at-port
      03 nmea
      04 nic
      
      Linux:
      
      T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7e19 Rev=02.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9603d0a5
    • subashab@codeaurora.org's avatar
      xfrm: Fix crash observed during device unregistration and decryption · 759e8f38
      subashab@codeaurora.org authored
      [ Upstream commit 071d36bf ]
      
      A crash is observed when a decrypted packet is processed in receive
      path. get_rps_cpus() tries to dereference the skb->dev fields but it
      appears that the device is freed from the poison pattern.
      
      [<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
      [<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
      [<ffffffc000af6094>] netif_rx+0x74/0x94
      [<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
      [<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
      [<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
      [<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
      [<ffffffc0000b7324>] worker_thread+0x2f8/0x418
      [<ffffffc0000bb40c>] kthread+0xe0/0xec
      
      -013|get_rps_cpu(
           |    dev = 0xFFFFFFC08B688000,
           |    skb = 0xFFFFFFC0C76AAC00 -> (
           |      dev = 0xFFFFFFC08B688000 -> (
           |        name =
      "......................................................
           |        name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
      0xAAAAAAAAAAA
      
      Following are the sequence of events observed -
      
      - Encrypted packet in receive path from netdevice is queued
      - Encrypted packet queued for decryption (asynchronous)
      - Netdevice brought down and freed
      - Packet is decrypted and returned through callback in esp_input_done
      - Packet is queued again for process in network stack using netif_rx
      
      Since the device appears to have been freed, the dereference of
      skb->dev in get_rps_cpus() leads to an unhandled page fault
      exception.
      
      Fix this by holding on to device reference when queueing packets
      asynchronously and releasing the reference on call back return.
      
      v2: Make the change generic to xfrm as mentioned by Steffen and
      update the title to xfrm
      Suggested-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJerome Stanislaus <jeromes@codeaurora.org>
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      759e8f38
    • Guillaume Nault's avatar
      ppp: take reference on channels netns · 046ea818
      Guillaume Nault authored
      [ Upstream commit 1f461dcd ]
      
      Let channels hold a reference on their network namespace.
      Some channel types, like ppp_async and ppp_synctty, can have their
      userspace controller running in a different namespace. Therefore they
      can't rely on them to preclude their netns from being removed from
      under them.
      
      ==================================================================
      BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
      addr ffff880064e217e0
      Read of size 8 by task syz-executor/11581
      =============================================================================
      BUG net_namespace (Not tainted): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      Disabling lock debugging due to kernel taint
      INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
      [<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
      [<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
      [<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
      [<     inline     >] slab_alloc kernel/mm/slub.c:2574
      [<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
      [<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
      [<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
      [<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
      [<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
      [<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
      [<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
      [<     inline     >] copy_process kernel/kernel/fork.c:1274
      [<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
      [<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
      [<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
      [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
      
      INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
      [<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
      [<     inline     >] slab_free kernel/mm/slub.c:2805
      [<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
      [<     inline     >] net_free kernel/net/core/net_namespace.c:341
      [<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
      [<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
      [<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
      [<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
      [<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
      [<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
      INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
      flags=0x5fffc0000004080
      INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
      
      CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
       00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
       ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
       ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
      Call Trace:
       [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
       [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
       [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
       [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
       [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
       [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
       [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
       [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
       [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
       [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
       [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
       [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
       [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
       [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
       [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
       [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
       [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
       [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
       [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
       [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
       [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
       [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
       [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
       [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
       [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
       [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
       [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
       [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
       [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
       [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
       [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
       [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
       [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
       [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
       [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
       [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
       [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
       [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
       [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
       [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
       [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
      Memory state around the buggy address:
       ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
       ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 273ec51d ("net: ppp_generic - introduce net-namespace functionality v2")
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      046ea818
    • Lance Richardson's avatar
      ipv4: initialize flowi4_flags before calling fib_lookup() · 80de2e41
      Lance Richardson authored
      [ Upstream commit 4cfc86f3 ]
      
      Field fl4.flowi4_flags is not initialized in fib_compute_spec_dst()
      before calling fib_lookup(), which means fib_table_lookup() is
      using non-deterministic data at this line:
      
      	if (!(flp->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF)) {
      
      Fix by initializing the entire fl4 structure, which will prevent
      similar issues as fields are added in the future by ensuring that
      all fields are initialized to zero unless explicitly initialized
      to another value.
      
      Fixes: 58189ca7 ("net: Fix vti use case with oif in dst lookups")
      Suggested-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarLance Richardson <lrichard@redhat.com>
      Acked-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80de2e41
    • Paolo Abeni's avatar
      ipv4: fix broadcast packets reception · 2ddb1813
      Paolo Abeni authored
      [ Upstream commit ad0ea198 ]
      
      Currently, ingress ipv4 broadcast datagrams are dropped since,
      in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
      bcast packets.
      
      This patch addresses the issue, invoking ip_check_mc_rcu()
      only for mcast packets.
      
      Fixes: 6e540309 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ddb1813