1. 19 May, 2016 40 commits
    • Mauro Carvalho Chehab's avatar
      Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing" · 9df2dc6c
      Mauro Carvalho Chehab authored
      commit 93f0750d upstream.
      
      This patch causes a Kernel panic when called on a DVB driver.
      
      This was also reported by David R <david@unsolicited.net>:
      
      May  7 14:47:35 server kernel: [  501.247123] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
      May  7 14:47:35 server kernel: [  501.247239] IP: [<ffffffffa0222c71>] __verify_planes_array.isra.3+0x1/0x80 [videobuf2_v4l2]
      May  7 14:47:35 server kernel: [  501.247354] PGD cae6f067 PUD ca99c067 PMD 0
      May  7 14:47:35 server kernel: [  501.247426] Oops: 0000 [#1] SMP
      May  7 14:47:35 server kernel: [  501.247482] Modules linked in: xfs tun xt_connmark xt_TCPMSS xt_tcpmss xt_owner xt_REDIRECT nf_nat_redirect xt_nat ipt_MASQUERADE nf_nat_masquerade_ipv4 ts_kmp ts_bm xt_string ipt_REJECT nf_reject_ipv4 xt_recent xt_conntrack xt_multiport xt_pkttype xt_tcpudp xt_mark nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables ip6table_filter ip6_tables x_tables pppoe pppox dm_crypt ts2020 regmap_i2c ds3000 cx88_dvb dvb_pll cx88_vp3054_i2c mt352 videobuf2_dvb cx8800 cx8802 cx88xx pl2303 tveeprom videobuf2_dma_sg ppdev videobuf2_memops videobuf2_v4l2 videobuf2_core dvb_usb_digitv snd_hda_codec_via snd_hda_codec_hdmi snd_hda_codec_generic radeon dvb_usb snd_hda_intel amd64_edac_mod serio_raw snd_hda_codec edac_core fbcon k10temp bitblit softcursor snd_hda_core font snd_pcm_oss i2c_piix4 snd_mixer_oss tileblit drm_kms_helper syscopyarea snd_pcm snd_seq_dummy sysfillrect snd_seq_oss sysimgblt fb_sys_fops ttm snd_seq_midi r8169 snd_rawmidi drm snd_seq_midi_event e1000e snd_seq snd_seq_device snd_timer snd ptp pps_core i2c_algo_bit soundcore parport_pc ohci_pci shpchp tpm_tis tpm nfsd auth_rpcgss oid_registry hwmon_vid exportfs nfs_acl mii nfs bonding lockd grace lp sunrpc parport
      May  7 14:47:35 server kernel: [  501.249564] CPU: 1 PID: 6889 Comm: vb2-cx88[0] Not tainted 4.5.3 #3
      May  7 14:47:35 server kernel: [  501.249644] Hardware name: System manufacturer System Product Name/M4A785TD-V EVO, BIOS 0211    07/08/2009
      May  7 14:47:35 server kernel: [  501.249767] task: ffff8800aebf3600 ti: ffff8801e07a0000 task.ti: ffff8801e07a0000
      May  7 14:47:35 server kernel: [  501.249861] RIP: 0010:[<ffffffffa0222c71>]  [<ffffffffa0222c71>] __verify_planes_array.isra.3+0x1/0x80 [videobuf2_v4l2]
      May  7 14:47:35 server kernel: [  501.250002] RSP: 0018:ffff8801e07a3de8  EFLAGS: 00010086
      May  7 14:47:35 server kernel: [  501.250071] RAX: 0000000000000283 RBX: ffff880210dc5000 RCX: 0000000000000283
      May  7 14:47:35 server kernel: [  501.250161] RDX: ffffffffa0222cf0 RSI: 0000000000000000 RDI: ffff880210dc5014
      May  7 14:47:35 server kernel: [  501.250251] RBP: ffff8801e07a3df8 R08: ffff8801e07a0000 R09: 0000000000000000
      May  7 14:47:35 server kernel: [  501.250348] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800cda2a9d8
      May  7 14:47:35 server kernel: [  501.250438] R13: ffff880210dc51b8 R14: 0000000000000000 R15: ffff8800cda2a828
      May  7 14:47:35 server kernel: [  501.250528] FS:  00007f5b77fff700(0000) GS:ffff88021fc40000(0000) knlGS:00000000adaffb40
      May  7 14:47:35 server kernel: [  501.250631] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      May  7 14:47:35 server kernel: [  501.250704] CR2: 0000000000000004 CR3: 00000000ca19d000 CR4: 00000000000006e0
      May  7 14:47:35 server kernel: [  501.250794] Stack:
      May  7 14:47:35 server kernel: [  501.250822]  ffff8801e07a3df8 ffffffffa0222cfd ffff8801e07a3e70 ffffffffa0236beb
      May  7 14:47:35 server kernel: [  501.250937]  0000000000000283 ffff8801e07a3e94 0000000000000000 0000000000000000
      May  7 14:47:35 server kernel: [  501.251051]  ffff8800aebf3600 ffffffff8108d8e0 ffff8801e07a3e38 ffff8801e07a3e38
      May  7 14:47:35 server kernel: [  501.251165] Call Trace:
      May  7 14:47:35 server kernel: [  501.251200]  [<ffffffffa0222cfd>] ? __verify_planes_array_core+0xd/0x10 [videobuf2_v4l2]
      May  7 14:47:35 server kernel: [  501.251306]  [<ffffffffa0236beb>] vb2_core_dqbuf+0x2eb/0x4c0 [videobuf2_core]
      May  7 14:47:35 server kernel: [  501.251398]  [<ffffffff8108d8e0>] ? prepare_to_wait_event+0x100/0x100
      May  7 14:47:35 server kernel: [  501.251482]  [<ffffffffa023855b>] vb2_thread+0x1cb/0x220 [videobuf2_core]
      May  7 14:47:35 server kernel: [  501.251569]  [<ffffffffa0238390>] ? vb2_core_qbuf+0x230/0x230 [videobuf2_core]
      May  7 14:47:35 server kernel: [  501.251662]  [<ffffffffa0238390>] ? vb2_core_qbuf+0x230/0x230 [videobuf2_core]
      May  7 14:47:35 server kernel: [  501.255982]  [<ffffffff8106f984>] kthread+0xc4/0xe0
      May  7 14:47:35 server kernel: [  501.260292]  [<ffffffff8106f8c0>] ? kthread_park+0x50/0x50
      May  7 14:47:35 server kernel: [  501.264615]  [<ffffffff81697a5f>] ret_from_fork+0x3f/0x70
      May  7 14:47:35 server kernel: [  501.268962]  [<ffffffff8106f8c0>] ? kthread_park+0x50/0x50
      May  7 14:47:35 server kernel: [  501.273216] Code: 0d 01 74 16 48 8b 46 28 48 8b 56 30 48 89 87 d0 01 00 00 48 89 97 d8 01 00 00 5d c3 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 <8b> 46 04 48 89 e5 8d 50 f7 31 c0 83 fa 01 76 02 5d c3 48 83 7e
      May  7 14:47:35 server kernel: [  501.282146] RIP  [<ffffffffa0222c71>] __verify_planes_array.isra.3+0x1/0x80 [videobuf2_v4l2]
      May  7 14:47:35 server kernel: [  501.286391]  RSP <ffff8801e07a3de8>
      May  7 14:47:35 server kernel: [  501.290619] CR2: 0000000000000004
      May  7 14:47:35 server kernel: [  501.294786] ---[ end trace b2b354153ccad110 ]---
      
      This reverts commit 2c1f6951.
      
      Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
      Cc: Hans Verkuil <hans.verkuil@cisco.com>
      Fixes: 2c1f6951 ("[media] videobuf2-v4l2: Verify planes array in buffer dequeueing")
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9df2dc6c
    • Marek Szyprowski's avatar
      Input: max8997-haptic - fix NULL pointer dereference · 1abbf804
      Marek Szyprowski authored
      commit 6ae645d5 upstream.
      
      NULL pointer derefence happens when booting with DTB because the
      platform data for haptic device is not set in supplied data from parent
      MFD device.
      
      The MFD device creates only platform data (from Device Tree) for itself,
      not for haptic child.
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000009c
      pgd = c0004000
      	[0000009c] *pgd=00000000
      	Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      	(max8997_haptic_probe) from [<c03f9cec>] (platform_drv_probe+0x4c/0xb0)
      	(platform_drv_probe) from [<c03f8440>] (driver_probe_device+0x214/0x2c0)
      	(driver_probe_device) from [<c03f8598>] (__driver_attach+0xac/0xb0)
      	(__driver_attach) from [<c03f67ac>] (bus_for_each_dev+0x68/0x9c)
      	(bus_for_each_dev) from [<c03f7a38>] (bus_add_driver+0x1a0/0x218)
      	(bus_add_driver) from [<c03f8db0>] (driver_register+0x78/0xf8)
      	(driver_register) from [<c0101774>] (do_one_initcall+0x90/0x1d8)
      	(do_one_initcall) from [<c0a00dbc>] (kernel_init_freeable+0x15c/0x1fc)
      	(kernel_init_freeable) from [<c06bb5b4>] (kernel_init+0x8/0x114)
      	(kernel_init) from [<c0107938>] (ret_from_fork+0x14/0x3c)
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Fixes: 104594b0 ("Input: add driver support for MAX8997-haptic")
      [k.kozlowski: Write commit message, add CC-stable]
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1abbf804
    • Al Viro's avatar
      get_rock_ridge_filename(): handle malformed NM entries · 007796c0
      Al Viro authored
      commit 99d82582 upstream.
      
      Payloads of NM entries are not supposed to contain NUL.  When we run
      into such, only the part prior to the first NUL goes into the
      concatenation (i.e. the directory entry name being encoded by a bunch
      of NM entries).  We do stop when the amount collected so far + the
      claimed amount in the current NM entry exceed 254.  So far, so good,
      but what we return as the total length is the sum of *claimed*
      sizes, not the actual amount collected.  And that can grow pretty
      large - not unlimited, since you'd need to put CE entries in
      between to be able to get more than the maximum that could be
      contained in one isofs directory entry / continuation chunk and
      we are stop once we'd encountered 32 CEs, but you can get about 8Kb
      easily.  And that's what will be passed to readdir callback as the
      name length.  8Kb __copy_to_user() from a buffer allocated by
      __get_free_page()
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      007796c0
    • Steven Rostedt's avatar
      tools lib traceevent: Do not reassign parg after collapse_tree() · 35eb30c2
      Steven Rostedt authored
      commit 106b816c upstream.
      
      At the end of process_filter(), collapse_tree() was changed to update
      the parg parameter, but the reassignment after the call wasn't removed.
      
      What happens is that the "current_op" gets modified and freed and parg
      is assigned to the new allocated argument. But after the call to
      collapse_tree(), parg is assigned again to the just freed "current_op",
      and this causes the tool to crash.
      
      The current_op variable must also be assigned to NULL in case of error,
      otherwise it will cause it to be free()ed twice.
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Acked-by: default avatarNamhyung Kim <namhyung@kernel.org>
      Fixes: 42d6194d ("tools lib traceevent: Refactor process_filter()")
      Link: http://lkml.kernel.org/r/20160511150936.678c18a1@gandalf.local.homeSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      35eb30c2
    • Johannes Thumshirn's avatar
      qla1280: Don't allocate 512kb of host tags · 4c127a3e
      Johannes Thumshirn authored
      commit 2bcbc814 upstream.
      
      The qla1280 driver sets the scsi_host_template's can_queue field to 0xfffff
      which results in an allocation failure when allocating the block layer tags
      for the driver's queues. This was introduced with the change for host wide
      tags in commit 64d513ac - "scsi: use host wide tags by default".
      
      Reduce can_queue to MAX_OUTSTANDING_COMMANDS (512) to solve the allocation
      error.
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Fixes: 64d513ac - "scsi: use host wide tags by default"
      Cc: Laura Abbott <labbott@redhat.com>
      Cc: Michael Reed <mdr@sgi.com>
      Reviewed-by: default avatarLaurence Oberman <loberman@redhat.com>
      Reviewed-by: default avatarLee Duncan <lduncan@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJames Bottomley <jejb@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c127a3e
    • Al Viro's avatar
      atomic_open(): fix the handling of create_error · 4549fc71
      Al Viro authored
      commit 10c64cea upstream.
      
      * if we have a hashed negative dentry and either CREAT|EXCL on
      r/o filesystem, or CREAT|TRUNC on r/o filesystem, or CREAT|EXCL
      with failing may_o_create(), we should fail with EROFS or the
      error may_o_create() has returned, but not ENOENT.  Which is what
      the current code ends up returning.
      
      * if we have CREAT|TRUNC hitting a regular file on a read-only
      filesystem, we can't fail with EROFS here.  At the very least,
      not until we'd done follow_managed() - we might have a writable
      file (or a device, for that matter) bound on top of that one.
      Moreover, the code downstream will see that O_TRUNC and attempt
      to grab the write access (*after* following possible mount), so
      if we really should fail with EROFS, it will happen.  No need
      to do that inside atomic_open().
      
      The real logics is much simpler than what the current code is
      trying to do - if we decided to go for simple lookup, ended
      up with a negative dentry *and* had create_error set, fail with
      create_error.  No matter whether we'd got that negative dentry
      from lookup_real() or had found it in dcache.
      Acked-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4549fc71
    • Hans de Goede's avatar
      regulator: axp20x: Fix axp22x ldo_io voltage ranges · b6570278
      Hans de Goede authored
      commit a2262e5a upstream.
      
      The minium voltage of 1800mV is a copy and paste error from the axp20x
      regulator info. The correct minimum voltage for the ldo_io regulators
      on the axp22x is 700mV.
      
      Fixes: 1b82b4e4 ("regulator: axp20x: Add support for AXP22X regulators")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarChen-Yu Tsai <wens@csie.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b6570278
    • Krzysztof Kozlowski's avatar
      regulator: s2mps11: Fix invalid selector mask and voltages for buck9 · fc2d8c98
      Krzysztof Kozlowski authored
      commit 3b672623 upstream.
      
      The buck9 regulator of S2MPS11 PMIC had incorrect vsel_mask (0xff
      instead of 0x1f) thus reading entire register as buck9's voltage. This
      effectively caused regulator core to interpret values as higher voltages
      than they were and then to set real voltage much lower than intended.
      
      The buck9 provides power to other regulators, including LDO13
      and LDO19 which supply the MMC2 (SD card). On Odroid XU3/XU4 the lower
      voltage caused SD card detection errors on Odroid XU3/XU4:
      	mmc1: card never left busy state
      	mmc1: error -110 whilst initialising SD card
      
      During driver probe the regulator core was checking whether initial
      voltage matches the constraints. With incorrect vsel_mask of 0xff and
      default value of 0x50, the core interpreted this as 5 V which is outside
      of constraints (3-3.775 V). Then the regulator core was adjusting the
      voltage to match the constraints. With incorrect vsel_mask this new
      voltage mapped to a vere low voltage in the driver.
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Reviewed-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Tested-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc2d8c98
    • Wanpeng Li's avatar
      workqueue: fix rebind bound workers warning · cf73d8ad
      Wanpeng Li authored
      commit f7c17d26 upstream.
      
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 16 at kernel/workqueue.c:4559 rebind_workers+0x1c0/0x1d0
      Modules linked in:
      CPU: 0 PID: 16 Comm: cpuhp/0 Not tainted 4.6.0-rc4+ #31
      Hardware name: IBM IBM System x3550 M4 Server -[7914IUW]-/00Y8603, BIOS -[D7E128FUS-1.40]- 07/23/2013
       0000000000000000 ffff881037babb58 ffffffff8139d885 0000000000000010
       0000000000000000 0000000000000000 0000000000000000 ffff881037babba8
       ffffffff8108505d ffff881037ba0000 000011cf3e7d6e60 0000000000000046
      Call Trace:
       dump_stack+0x89/0xd4
       __warn+0xfd/0x120
       warn_slowpath_null+0x1d/0x20
       rebind_workers+0x1c0/0x1d0
       workqueue_cpu_up_callback+0xf5/0x1d0
       notifier_call_chain+0x64/0x90
       ? trace_hardirqs_on_caller+0xf2/0x220
       ? notify_prepare+0x80/0x80
       __raw_notifier_call_chain+0xe/0x10
       __cpu_notify+0x35/0x50
       notify_down_prepare+0x5e/0x80
       ? notify_prepare+0x80/0x80
       cpuhp_invoke_callback+0x73/0x330
       ? __schedule+0x33e/0x8a0
       cpuhp_down_callbacks+0x51/0xc0
       cpuhp_thread_fun+0xc1/0xf0
       smpboot_thread_fn+0x159/0x2a0
       ? smpboot_create_threads+0x80/0x80
       kthread+0xef/0x110
       ? wait_for_completion+0xf0/0x120
       ? schedule_tail+0x35/0xf0
       ret_from_fork+0x22/0x50
       ? __init_kthread_worker+0x70/0x70
      ---[ end trace eb12ae47d2382d8f ]---
      notify_down_prepare: attempt to take down CPU 0 failed
      
      This bug can be reproduced by below config w/ nohz_full= all cpus:
      
      CONFIG_BOOTPARAM_HOTPLUG_CPU0=y
      CONFIG_DEBUG_HOTPLUG_CPU0=y
      CONFIG_NO_HZ_FULL=y
      
      As Thomas pointed out:
      
      | If a down prepare callback fails, then DOWN_FAILED is invoked for all
      | callbacks which have successfully executed DOWN_PREPARE.
      |
      | But, workqueue has actually two notifiers. One which handles
      | UP/DOWN_FAILED/ONLINE and one which handles DOWN_PREPARE.
      |
      | Now look at the priorities of those callbacks:
      |
      | CPU_PRI_WORKQUEUE_UP        = 5
      | CPU_PRI_WORKQUEUE_DOWN      = -5
      |
      | So the call order on DOWN_PREPARE is:
      |
      | CB 1
      | CB ...
      | CB workqueue_up() -> Ignores DOWN_PREPARE
      | CB ...
      | CB X ---> Fails
      |
      | So we call up to CB X with DOWN_FAILED
      |
      | CB 1
      | CB ...
      | CB workqueue_up() -> Handles DOWN_FAILED
      | CB ...
      | CB X-1
      |
      | So the problem is that the workqueue stuff handles DOWN_FAILED in the up
      | callback, while it should do it in the down callback. Which is not a good idea
      | either because it wants to be called early on rollback...
      |
      | Brilliant stuff, isn't it? The hotplug rework will solve this problem because
      | the callbacks become symetric, but for the existing mess, we need some
      | workaround in the workqueue code.
      
      The boot CPU handles housekeeping duty(unbound timers, workqueues,
      timekeeping, ...) on behalf of full dynticks CPUs. It must remain
      online when nohz full is enabled. There is a priority set to every
      notifier_blocks:
      
      workqueue_cpu_up > tick_nohz_cpu_down > workqueue_cpu_down
      
      So tick_nohz_cpu_down callback failed when down prepare cpu 0, and
      notifier_blocks behind tick_nohz_cpu_down will not be called any
      more, which leads to workers are actually not unbound. Then hotplug
      state machine will fallback to undo and online cpu 0 again. Workers
      will be rebound unconditionally even if they are not unbound and
      trigger the warning in this progress.
      
      This patch fix it by catching !DISASSOCIATED to avoid rebind bound
      workers.
      
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Lai Jiangshan <jiangshanlai@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Frédéric Weisbecker <fweisbec@gmail.com>
      Suggested-by: default avatarLai Jiangshan <jiangshanlai@gmail.com>
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf73d8ad
    • Boris Brezillon's avatar
      ARM: dts: at91: sam9x5: Fix the memory range assigned to the PMC · b66cb8c5
      Boris Brezillon authored
      commit aab0a4c8 upstream.
      
      The memory range assigned to the PMC (Power Management Controller) was
      not including the PMC_PCR register which are used to control peripheral
      clocks.
      
      This was working fine thanks to the page granularity of ioremap(), but
      started to fail when we switched to syscon/regmap, because regmap is
      making sure that all accesses are falling into the reserved range.
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Reported-by: default avatarRichard Genoud <richard.genoud@gmail.com>
      Tested-by: default avatarRichard Genoud <richard.genoud@gmail.com>
      Fixes: 863a81c3 ("clk: at91: make use of syscon to share PMC registers in several drivers")
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b66cb8c5
    • Miklos Szeredi's avatar
      vfs: rename: check backing inode being equal · 8e5bb3c5
      Miklos Szeredi authored
      commit 9409e22a upstream.
      
      If a file is renamed to a hardlink of itself POSIX specifies that rename(2)
      should do nothing and return success.
      
      This condition is checked in vfs_rename().  However it won't detect hard
      links on overlayfs where these are given separate inodes on the overlayfs
      layer.
      
      Overlayfs itself detects this condition and returns success without doing
      anything, but then vfs_rename() will proceed as if this was a successful
      rename (detach_mounts(), d_move()).
      
      The correct thing to do is to detect this condition before even calling
      into overlayfs.  This patch does this by calling vfs_select_inode() to get
      the underlying inodes.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e5bb3c5
    • Miklos Szeredi's avatar
      vfs: add vfs_select_inode() helper · b0dac61d
      Miklos Szeredi authored
      commit 54d5ca87 upstream.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b0dac61d
    • Alexander Shishkin's avatar
      perf/core: Disable the event on a truncated AUX record · e54c41be
      Alexander Shishkin authored
      commit 9f448cd3 upstream.
      
      When the PMU driver reports a truncated AUX record, it effectively means
      that there is no more usable room in the event's AUX buffer (even though
      there may still be some room, so that perf_aux_output_begin() doesn't take
      action). At this point the consumer still has to be woken up and the event
      has to be disabled, otherwise the event will just keep spinning between
      perf_aux_output_begin() and perf_aux_output_end() until its context gets
      unscheduled.
      
      Again, for cpu-wide events this means never, so once in this condition,
      they will be forever losing data.
      
      Fix this by disabling the event and waking up the consumer in case of a
      truncated AUX record.
      Reported-by: default avatarMarkus Metzger <markus.t.metzger@intel.com>
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: vince@deater.net
      Link: http://lkml.kernel.org/r/1462886313-13660-3-git-send-email-alexander.shishkin@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e54c41be
    • Jack Pham's avatar
      regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case · 4e7e3f54
      Jack Pham authored
      commit dec8e8f6 upstream.
      
      Specifically for the case of reads that use the Extended Register
      Read Long command, a multi-byte read operation is broken up into
      8-byte chunks.  However the call to spmi_ext_register_readl() is
      incorrectly passing 'val_size', which if greater than 8 will
      always fail.  The argument should instead be 'len'.
      
      Fixes: c9afbb05 ("regmap: spmi: support base and extended register spaces")
      Signed-off-by: default avatarJack Pham <jackp@codeaurora.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4e7e3f54
    • Ludovic Desroches's avatar
      pinctrl: at91-pio4: fix pull-up/down logic · 1fba064f
      Ludovic Desroches authored
      commit 5305a7b7 upstream.
      
      The default configuration of a pin is often with a value in the
      pull-up/down field at chip reset. So, even if the internal logic of the
      controller prevents writing a configuration with pull-up and pull-down at
      the same time, we must ensure explicitly this condition before writing the
      register.
      
      This was leading to a pull-down condition not taken into account for
      instance.
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@atmel.com>
      Fixes: 77618084 ("pinctrl: introduce driver for Atmel PIO4 controller")
      Acked-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fba064f
    • Ben Hutchings's avatar
      spi: spi-ti-qspi: Handle truncated frames properly · 1441dcbd
      Ben Hutchings authored
      commit 1ff7760f upstream.
      
      We clamp frame_len_words to a maximum of 4096, but do not actually
      limit the number of words written or read through the DATA registers
      or the length added to spi_message::actual_length.  This results in
      silent data corruption for commands longer than this maximum.
      
      Recalculate the length of each transfer, taking frame_len_words into
      account.  Use this length in qspi_{read,write}_msg(), and to increment
      spi_message::actual_length.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1441dcbd
    • Ben Hutchings's avatar
      spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is overridden · 44418927
      Ben Hutchings authored
      commit ea1b60fb upstream.
      
      Each transfer can specify 8, 16 or 32 bits per word independently of
      the default for the device being addressed.  However, currently we
      calculate the number of words in the frame assuming that the word size
      is the device default.
      
      If multiple transfers in the same message have differing
      bits_per_word, we bitwise-or the different values in the WLEN register
      field.
      
      Fix both of these.  Also rename 'frame_length' to 'frame_len_words' to
      make clear that it's not a byte count like spi_message::frame_length.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44418927
    • Jarkko Nikula's avatar
      spi: pxa2xx: Do not detect number of enabled chip selects on Intel SPT · ca100af9
      Jarkko Nikula authored
      commit 66ec246e upstream.
      
      Certain Intel Sunrisepoint PCH variants report zero chip selects in SPI
      capabilities register even they have one per port. Detection in
      pxa2xx_spi_probe() sets master->num_chipselect to 0 leading to -EINVAL
      from spi_register_master() where chip select count is validated.
      
      Fix this by not using SPI capabilities register on Sunrisepoint. They don't
      have more than one chip select so use the default value 1 instead of
      detection.
      
      Fixes: 8b136baa ("spi: pxa2xx: Detect number of enabled Intel LPSS SPI chip select signals")
      Signed-off-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca100af9
    • Takashi Iwai's avatar
      ALSA: hda - Fix broken reconfig · 90204cbb
      Takashi Iwai authored
      commit addacd80 upstream.
      
      The HD-audio reconfig function got broken in the recent kernels,
      typically resulting in a failure like:
        snd_hda_intel 0000:00:1b.0: control 3:0:0:Playback Channel Map:0 is already present
      
      This is because of the code restructuring to move the PCM and control
      instantiation into the codec drive probe, by the commit [bcd96557:
      ALSA: hda - Build PCMs and controls at codec driver probe].  Although
      the commit above removed the calls of snd_hda_codec_build_pcms() and
      *_build_controls() at the controller driver probe, the similar calls
      in the reconfig were still left forgotten.  This caused the
      conflicting and duplicated PCMs and controls.
      
      The fix is trivial: just remove these superfluous calls from
      reconfig_codec().
      
      Fixes: bcd96557 ('ALSA: hda - Build PCMs and controls at codec driver probe')
      Reported-by: default avatarJochen Henneberg <jh@henneberg-systemdesign.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90204cbb
    • Kaho Ng's avatar
      ALSA: hda - Fix white noise on Asus UX501VW headset · 28ff35e4
      Kaho Ng authored
      commit 2da2dc9e upstream.
      
      For reducing the noise from the headset output on ASUS UX501VW,
      call the existing fixup, alc_fixup_headset_mode_alc668(), additionally.
      
      Thread: https://bbs.archlinux.org/viewtopic.php?id=209554Signed-off-by: default avatarKaho Ng <ngkaho1234@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28ff35e4
    • Yura Pakhuchiy's avatar
      ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 · 28c56446
      Yura Pakhuchiy authored
      commit 3231e205 upstream.
      
      Subwoofer does not work out of the box on ASUS N751/N551 laptops. This
      patch fixes it. Patch tested on N751 laptop. N551 part is not tested,
      but according to [1] and [2] this laptop requires similar changes, so I
      included them in the patch.
      
      1. https://github.com/honsiorovskyi/asus-n551-hda-fix
      2. https://bugs.launchpad.net/ubuntu/+source/alsa-tools/+bug/1405691
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117781Signed-off-by: default avatarYura Pakhuchiy <pakhuchiy@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28c56446
    • Takashi Iwai's avatar
      ALSA: usb-audio: Yet another Phoneix Audio device quirk · 7e8b58b0
      Takashi Iwai authored
      commit 84add303 upstream.
      
      Phoenix Audio has yet another device with another id (even a different
      vendor id, 0556:0014) that requires the same quirk for the sample
      rate.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110221Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e8b58b0
    • Takashi Iwai's avatar
      ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2) · 2a5db188
      Takashi Iwai authored
      commit 2d2c038a upstream.
      
      Phoenix Audio MT202pcs (1de7:0114) and MT202exe (1de7:0013) need the
      same workaround as TMX320 for avoiding the firmware bug.  It fixes the
      frequent error about the sample rate inquiries and the slow device
      probe as consequence.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117321Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a5db188
    • Herbert Xu's avatar
      crypto: testmgr - Use kmalloc memory for RSA input · 7c712000
      Herbert Xu authored
      commit df27b26f upstream.
      
      As akcipher uses an SG interface, you must not use vmalloc memory
      as input for it.  This patch fixes testmgr to copy the vmalloc
      test vectors to kmalloc memory before running the test.
      
      This patch also removes a superfluous sg_virt call in do_test_rsa.
      Reported-by: default avatarAnatoly Pugachev <matorola@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c712000
    • Herbert Xu's avatar
      crypto: hash - Fix page length clamping in hash walk · 3cbc5f6e
      Herbert Xu authored
      commit 13f4bb78 upstream.
      
      The crypto hash walk code is broken when supplied with an offset
      greater than or equal to PAGE_SIZE.  This patch fixes it by adjusting
      walk->pg and walk->offset when this happens.
      Reported-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cbc5f6e
    • Tadeusz Struk's avatar
      crypto: qat - fix invalid pf2vf_resp_wq logic · 6f151942
      Tadeusz Struk authored
      commit 9e209fcf upstream.
      
      The pf2vf_resp_wq is a global so it has to be created at init
      and destroyed at exit, instead of per device.
      Tested-by: default avatarSuresh Marikkannu <sureshx.marikkannu@intel.com>
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f151942
    • Gerald Schaefer's avatar
      s390/mm: fix asce_bits handling with dynamic pagetable levels · ce1bc448
      Gerald Schaefer authored
      commit 723cacbd upstream.
      
      There is a race with multi-threaded applications between context switch and
      pagetable upgrade. In switch_mm() a new user_asce is built from mm->pgd and
      mm->context.asce_bits, w/o holding any locks. A concurrent mmap with a
      pagetable upgrade on another thread in crst_table_upgrade() could already
      have set new asce_bits, but not yet the new mm->pgd. This would result in a
      corrupt user_asce in switch_mm(), and eventually in a kernel panic from a
      translation exception.
      
      Fix this by storing the complete asce instead of just the asce_bits, which
      can then be read atomically from switch_mm(), so that it either sees the
      old value or the new value, but no mixture. Both cases are OK. Having the
      old value would result in a page fault on access to the higher level memory,
      but the fault handler would see the new mm->pgd, if it was a valid access
      after the mmap on the other thread has completed. So as worst-case scenario
      we would have a page fault loop for the racing thread until the next time
      slice.
      
      Also remove dead code and simplify the upgrade/downgrade path, there are no
      upgrades from 2 levels, and only downgrades from 3 levels for compat tasks.
      There are also no concurrent upgrades, because the mmap_sem is held with
      down_write() in do_mmap, so the flush and table checks during upgrade can
      be removed.
      Reported-by: default avatarMichael Munday <munday@ca.ibm.com>
      Reviewed-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce1bc448
    • Sergey Senozhatsky's avatar
      zsmalloc: fix zs_can_compact() integer overflow · 1d77f0a5
      Sergey Senozhatsky authored
      commit 44f43e99 upstream.
      
      zs_can_compact() has two race conditions in its core calculation:
      
      unsigned long obj_wasted = zs_stat_get(class, OBJ_ALLOCATED) -
      				zs_stat_get(class, OBJ_USED);
      
      1) classes are not locked, so the numbers of allocated and used
         objects can change by the concurrent ops happening on other CPUs
      2) shrinker invokes it from preemptible context
      
      Depending on the circumstances, thus, OBJ_ALLOCATED can become
      less than OBJ_USED, which can result in either very high or
      negative `total_scan' value calculated later in do_shrink_slab().
      
      do_shrink_slab() has some logic to prevent those cases:
      
       vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
       vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
       vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-64
       vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
       vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
       vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
      
      However, due to the way `total_scan' is calculated, not every
      shrinker->count_objects() overflow can be spotted and handled.
      To demonstrate the latter, I added some debugging code to do_shrink_slab()
      (x86_64) and the results were:
      
       vmscan: OVERFLOW: shrinker->count_objects() == -1 [18446744073709551615]
       vmscan: but total_scan > 0: 92679974445502
       vmscan: resulting total_scan: 92679974445502
      [..]
       vmscan: OVERFLOW: shrinker->count_objects() == -1 [18446744073709551615]
       vmscan: but total_scan > 0: 22634041808232578
       vmscan: resulting total_scan: 22634041808232578
      
      Even though shrinker->count_objects() has returned an overflowed value,
      the resulting `total_scan' is positive, and, what is more worrisome, it
      is insanely huge. This value is getting used later on in
      shrinker->scan_objects() loop:
      
              while (total_scan >= batch_size ||
                     total_scan >= freeable) {
                      unsigned long ret;
                      unsigned long nr_to_scan = min(batch_size, total_scan);
      
                      shrinkctl->nr_to_scan = nr_to_scan;
                      ret = shrinker->scan_objects(shrinker, shrinkctl);
                      if (ret == SHRINK_STOP)
                              break;
                      freed += ret;
      
                      count_vm_events(SLABS_SCANNED, nr_to_scan);
                      total_scan -= nr_to_scan;
      
                      cond_resched();
              }
      
      `total_scan >= batch_size' is true for a very-very long time and
      'total_scan >= freeable' is also true for quite some time, because
      `freeable < 0' and `total_scan' is large enough, for example,
      22634041808232578. The only break condition, in the given scheme of
      things, is shrinker->scan_objects() == SHRINK_STOP test, which is a
      bit too weak to rely on, especially in heavy zsmalloc-usage scenarios.
      
      To fix the issue, take a pool stat snapshot and use it instead of
      racy zs_stat_get() calls.
      
      Link: http://lkml.kernel.org/r/20160509140052.3389-1-sergey.senozhatsky@gmail.comSigned-off-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Cc: Minchan Kim <minchan@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d77f0a5
    • Junxiao Bi's avatar
      ocfs2: fix posix_acl_create deadlock · dc3e6de0
      Junxiao Bi authored
      commit c25a1e06 upstream.
      
      Commit 702e5bc6 ("ocfs2: use generic posix ACL infrastructure")
      refactored code to use posix_acl_create.  The problem with this function
      is that it is not mindful of the cluster wide inode lock making it
      unsuitable for use with ocfs2 inode creation with ACLs.  For example,
      when used in ocfs2_mknod, this function can cause deadlock as follows.
      The parent dir inode lock is taken when calling posix_acl_create ->
      get_acl -> ocfs2_iop_get_acl which takes the inode lock again.  This can
      cause deadlock if there is a blocked remote lock request waiting for the
      lock to be downconverted.  And same deadlock happened in ocfs2_reflink.
      This fix is to revert back using ocfs2_init_acl.
      
      Fixes: 702e5bc6 ("ocfs2: use generic posix ACL infrastructure")
      Signed-off-by: default avatarTariq Saeed <tariq.x.saeed@oracle.com>
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dc3e6de0
    • Junxiao Bi's avatar
      ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang · 3cbabd4e
      Junxiao Bi authored
      commit 5ee0fbd5 upstream.
      
      Commit 743b5f14 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
      introduced this issue.  ocfs2_setattr called by chmod command holds
      cluster wide inode lock when calling posix_acl_chmod.  This latter
      function in turn calls ocfs2_iop_get_acl and ocfs2_iop_set_acl.  These
      two are also called directly from vfs layer for getfacl/setfacl commands
      and therefore acquire the cluster wide inode lock.  If a remote
      conversion request comes after the first inode lock in ocfs2_setattr,
      OCFS2_LOCK_BLOCKED will be set.  And this will cause the second call to
      inode lock from the ocfs2_iop_get_acl() to block indefinetly.
      
      The deleted version of ocfs2_acl_chmod() calls __posix_acl_chmod() which
      does not call back into the filesystem.  Therefore, we restore
      ocfs2_acl_chmod(), modify it slightly for locking as needed, and use that
      instead.
      
      Fixes: 743b5f14 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
      Signed-off-by: default avatarTariq Saeed <tariq.x.saeed@oracle.com>
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cbabd4e
    • Paolo Abeni's avatar
      net/route: enforce hoplimit max value · 1c76c5d5
      Paolo Abeni authored
      [ Upstream commit 626abd59 ]
      
      Currently, when creating or updating a route, no check is performed
      in both ipv4 and ipv6 code to the hoplimit value.
      
      The caller can i.e. set hoplimit to 256, and when such route will
       be used, packets will be sent with hoplimit/ttl equal to 0.
      
      This commit adds checks for the RTAX_HOPLIMIT value, in both ipv4
      ipv6 route code, substituting any value greater than 255 with 255.
      
      This is consistent with what is currently done for ADVMSS and MTU
      in the ipv4 code.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c76c5d5
    • Eric Dumazet's avatar
      tcp: refresh skb timestamp at retransmit time · 2cddc95a
      Eric Dumazet authored
      [ Upstream commit 10a81980 ]
      
      In the very unlikely case __tcp_retransmit_skb() can not use the cloning
      done in tcp_transmit_skb(), we need to refresh skb_mstamp before doing
      the copy and transmit, otherwise TCP TS val will be an exact copy of
      original transmit.
      
      Fixes: 7faee5c0 ("tcp: remove TCP_SKB_CB(skb)->when")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2cddc95a
    • xypron.glpk@gmx.de's avatar
      net: thunderx: avoid exposing kernel stack · a7ddb047
      xypron.glpk@gmx.de authored
      [ Upstream commit 161de2ca ]
      
      Reserved fields should be set to zero to avoid exposing
      bits from the kernel stack.
      Signed-off-by: default avatarHeinrich Schuchardt <xypron.glpk@gmx.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7ddb047
    • Kangjie Lu's avatar
      net: fix a kernel infoleak in x25 module · 83857201
      Kangjie Lu authored
      [ Upstream commit 79e48650 ]
      
      Stack object "dte_facilities" is allocated in x25_rx_call_request(),
      which is supposed to be initialized in x25_negotiate_facilities.
      However, 5 fields (8 bytes in total) are not initialized. This
      object is then copied to userland via copy_to_user, thus infoleak
      occurs.
      Signed-off-by: default avatarKangjie Lu <kjlu@gatech.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      83857201
    • Mikko Rapeli's avatar
      uapi glibc compat: fix compile errors when glibc net/if.h included before... · 1575c095
      Mikko Rapeli authored
      uapi glibc compat: fix compile errors when glibc net/if.h included before linux/if.h MIME-Version: 1.0
      
      [ Upstream commit 4a91cb61 ]
      
      glibc's net/if.h contains copies of definitions from linux/if.h and these
      conflict and cause build failures if both files are included by application
      source code. Changes in uapi headers, which fixed header file dependencies to
      include linux/if.h when it was needed, e.g. commit 1ffad83d, made the
      net/if.h and linux/if.h incompatibilities visible as build failures for
      userspace applications like iproute2 and xtables-addons.
      
      This patch fixes compile errors when glibc net/if.h is included before
      linux/if.h:
      
      ./linux/if.h:99:21: error: redeclaration of enumerator ‘IFF_NOARP’
      ./linux/if.h:98:23: error: redeclaration of enumerator ‘IFF_RUNNING’
      ./linux/if.h:97:26: error: redeclaration of enumerator ‘IFF_NOTRAILERS’
      ./linux/if.h:96:27: error: redeclaration of enumerator ‘IFF_POINTOPOINT’
      ./linux/if.h:95:24: error: redeclaration of enumerator ‘IFF_LOOPBACK’
      ./linux/if.h:94:21: error: redeclaration of enumerator ‘IFF_DEBUG’
      ./linux/if.h:93:25: error: redeclaration of enumerator ‘IFF_BROADCAST’
      ./linux/if.h:92:19: error: redeclaration of enumerator ‘IFF_UP’
      ./linux/if.h:252:8: error: redefinition of ‘struct ifconf’
      ./linux/if.h:203:8: error: redefinition of ‘struct ifreq’
      ./linux/if.h:169:8: error: redefinition of ‘struct ifmap’
      ./linux/if.h:107:23: error: redeclaration of enumerator ‘IFF_DYNAMIC’
      ./linux/if.h:106:25: error: redeclaration of enumerator ‘IFF_AUTOMEDIA’
      ./linux/if.h:105:23: error: redeclaration of enumerator ‘IFF_PORTSEL’
      ./linux/if.h:104:25: error: redeclaration of enumerator ‘IFF_MULTICAST’
      ./linux/if.h:103:21: error: redeclaration of enumerator ‘IFF_SLAVE’
      ./linux/if.h:102:22: error: redeclaration of enumerator ‘IFF_MASTER’
      ./linux/if.h:101:24: error: redeclaration of enumerator ‘IFF_ALLMULTI’
      ./linux/if.h:100:23: error: redeclaration of enumerator ‘IFF_PROMISC’
      
      The cases where linux/if.h is included before net/if.h need a similar fix in
      the glibc side, or the order of include files can be changed userspace
      code as a workaround.
      
      This change was tested in x86 userspace on Debian unstable with
      scripts/headers_compile_test.sh:
      
      $ make headers_install && \
        cd usr/include && ../../scripts/headers_compile_test.sh -l -k
      ...
      cc -Wall -c -nostdinc -I /usr/lib/gcc/i586-linux-gnu/5/include -I /usr/lib/gcc/i586-linux-gnu/5/include-fixed -I . -I /home/mcfrisk/src/linux-2.6/usr/headers_compile_test_include.2uX2zH -I /home/mcfrisk/src/linux-2.6/usr/headers_compile_test_include.2uX2zH/i586-linux-gnu -o /dev/null ./linux/if.h_libc_before_kernel.h
      PASSED libc before kernel test: ./linux/if.h
      Reported-by: default avatarJan Engelhardt <jengelh@inai.de>
      Reported-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Reported-by: default avatarStephen Hemminger <shemming@brocade.com>
      Reported-by: default avatarWaldemar Brodkorb <mail@waldemar-brodkorb.de>
      Cc: Gabriel Laskar <gabriel@lse.epita.fr>
      Signed-off-by: default avatarMikko Rapeli <mikko.rapeli@iki.fi>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1575c095
    • Linus Lüssing's avatar
      bridge: fix igmp / mld query parsing · 58957012
      Linus Lüssing authored
      [ Upstream commit 856ce5d0 ]
      
      With the newly introduced helper functions the skb pulling is hidden
      in the checksumming function - and undone before returning to the
      caller.
      
      The IGMP and MLD query parsing functions in the bridge still
      assumed that the skb is pointing to the beginning of the IGMP/MLD
      message while it is now kept at the beginning of the IPv4/6 header.
      
      If there is a querier somewhere else, then this either causes
      the multicast snooping to stay disabled even though it could be
      enabled. Or, if we have the querier enabled too, then this can
      create unnecessary IGMP / MLD query messages on the link.
      
      Fixing this by taking the offset between IP and IGMP/MLD header into
      account, too.
      
      Fixes: 9afd85c9 ("net: Export IGMP/MLD message validation code")
      Reported-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58957012
    • Nikolay Aleksandrov's avatar
      net: bridge: fix old ioctl unlocked net device walk · 97c2160d
      Nikolay Aleksandrov authored
      [ Upstream commit 31ca0458 ]
      
      get_bridge_ifindices() is used from the old "deviceless" bridge ioctl
      calls which aren't called with rtnl held. The comment above says that it is
      called with rtnl but that is not really the case.
      Here's a sample output from a test ASSERT_RTNL() which I put in
      get_bridge_ifindices and executed "brctl show":
      [  957.422726] RTNL: assertion failed at net/bridge//br_ioctl.c (30)
      [  957.422925] CPU: 0 PID: 1862 Comm: brctl Tainted: G        W  O
      4.6.0-rc4+ #157
      [  957.423009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS 1.8.1-20150318_183358- 04/01/2014
      [  957.423009]  0000000000000000 ffff880058adfdf0 ffffffff8138dec5
      0000000000000400
      [  957.423009]  ffffffff81ce8380 ffff880058adfe58 ffffffffa05ead32
      0000000000000001
      [  957.423009]  00007ffec1a444b0 0000000000000400 ffff880053c19130
      0000000000008940
      [  957.423009] Call Trace:
      [  957.423009]  [<ffffffff8138dec5>] dump_stack+0x85/0xc0
      [  957.423009]  [<ffffffffa05ead32>]
      br_ioctl_deviceless_stub+0x212/0x2e0 [bridge]
      [  957.423009]  [<ffffffff81515beb>] sock_ioctl+0x22b/0x290
      [  957.423009]  [<ffffffff8126ba75>] do_vfs_ioctl+0x95/0x700
      [  957.423009]  [<ffffffff8126c159>] SyS_ioctl+0x79/0x90
      [  957.423009]  [<ffffffff8163a4c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
      
      Since it only reads bridge ifindices, we can use rcu to safely walk the net
      device list. Also remove the wrong rtnl comment above.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97c2160d
    • Ian Campbell's avatar
      VSOCK: do not disconnect socket when peer has shutdown SEND only · 67779d20
      Ian Campbell authored
      [ Upstream commit dedc58e0 ]
      
      The peer may be expecting a reply having sent a request and then done a
      shutdown(SHUT_WR), so tearing down the whole socket at this point seems
      wrong and breaks for me with a client which does a SHUT_WR.
      
      Looking at other socket family's stream_recvmsg callbacks doing a shutdown
      here does not seem to be the norm and removing it does not seem to have
      had any adverse effects that I can see.
      
      I'm using Stefan's RFC virtio transport patches, I'm unsure of the impact
      on the vmci transport.
      Signed-off-by: default avatarIan Campbell <ian.campbell@docker.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Stefan Hajnoczi <stefanha@redhat.com>
      Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
      Cc: Andy King <acking@vmware.com>
      Cc: Dmitry Torokhov <dtor@vmware.com>
      Cc: Jorgen Hansen <jhansen@vmware.com>
      Cc: Adit Ranadive <aditr@vmware.com>
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      67779d20
    • Daniel Jurgens's avatar
      net/mlx4_en: Fix endianness bug in IPV6 csum calculation · bcf3e33e
      Daniel Jurgens authored
      [ Upstream commit 82d69203 ]
      
      Use htons instead of unconditionally byte swapping nexthdr.  On a little
      endian systems shifting the byte is correct behavior, but it results in
      incorrect csums on big endian architectures.
      
      Fixes: f8c6455b ('net/mlx4_en: Extend checksum offloading by CHECKSUM COMPLETE')
      Signed-off-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Reviewed-by: default avatarCarol Soto <clsoto@us.ibm.com>
      Tested-by: default avatarCarol Soto <clsoto@us.ibm.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcf3e33e
    • Kangjie Lu's avatar
      net: fix infoleak in rtnetlink · e0c03136
      Kangjie Lu authored
      [ Upstream commit 5f8e4474 ]
      
      The stack object “map” has a total size of 32 bytes. Its last 4
      bytes are padding generated by compiler. These padding bytes are
      not initialized and sent out via “nla_put”.
      Signed-off-by: default avatarKangjie Lu <kjlu@gatech.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0c03136