1. 05 Nov, 2014 40 commits
    • Daniel Borkmann's avatar
      net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks · aa001b04
      Daniel Borkmann authored
      commit 9de7922b upstream.
      
      Commit 6f4c618d ("SCTP : Add paramters validity check for
      ASCONF chunk") added basic verification of ASCONF chunks, however,
      it is still possible to remotely crash a server by sending a
      special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
      
      skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
       head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
       end:0x440 dev:<NULL>
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:129!
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff8144fb1c>] skb_put+0x5c/0x70
       [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
       [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
       [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
       [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
       [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
       [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
       [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
       [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
       [<ffffffff81496ac5>] ip_rcv+0x275/0x350
       [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
       [<ffffffff81460588>] netif_receive_skb+0x58/0x60
      
      This can be triggered e.g., through a simple scripted nmap
      connection scan injecting the chunk after the handshake, for
      example, ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ------------------ ASCONF; UNKNOWN ------------------>
      
      ... where ASCONF chunk of length 280 contains 2 parameters ...
      
        1) Add IP address parameter (param length: 16)
        2) Add/del IP address parameter (param length: 255)
      
      ... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
      Address Parameter in the ASCONF chunk is even missing, too.
      This is just an example and similarly-crafted ASCONF chunks
      could be used just as well.
      
      The ASCONF chunk passes through sctp_verify_asconf() as all
      parameters passed sanity checks, and after walking, we ended
      up successfully at the chunk end boundary, and thus may invoke
      sctp_process_asconf(). Parameter walking is done with
      WORD_ROUND() to take padding into account.
      
      In sctp_process_asconf()'s TLV processing, we may fail in
      sctp_process_asconf_param() e.g., due to removal of the IP
      address that is also the source address of the packet containing
      the ASCONF chunk, and thus we need to add all TLVs after the
      failure to our ASCONF response to remote via helper function
      sctp_add_asconf_response(), which basically invokes a
      sctp_addto_chunk() adding the error parameters to the given
      skb.
      
      When walking to the next parameter this time, we proceed
      with ...
      
        length = ntohs(asconf_param->param_hdr.length);
        asconf_param = (void *)asconf_param + length;
      
      ... instead of the WORD_ROUND()'ed length, thus resulting here
      in an off-by-one that leads to reading the follow-up garbage
      parameter length of 12336, and thus throwing an skb_over_panic
      for the reply when trying to sctp_addto_chunk() next time,
      which implicitly calls the skb_put() with that length.
      
      Fix it by using sctp_walk_params() [ which is also used in
      INIT parameter processing ] macro in the verification *and*
      in ASCONF processing: it will make sure we don't spill over,
      that we walk parameters WORD_ROUND()'ed. Moreover, we're being
      more defensive and guard against unknown parameter types and
      missized addresses.
      
      Joint work with Vlad Yasevich.
      
      Fixes: b896b82b ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2:
       - Adjust context
       - sctp_sf_violation_paramlen() doesn't take a struct net * parameter]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      aa001b04
    • Nadav Amit's avatar
      KVM: x86: Handle errors when RIP is set during far jumps · f8a2b85d
      Nadav Amit authored
      commit d1442d85 upstream.
      
      Far jmp/call/ret may fault while loading a new RIP.  Currently KVM does not
      handle this case, and may result in failed vm-entry once the assignment is
      done.  The tricky part of doing so is that loading the new CS affects the
      VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
      unconsistent state.  Therefore, this patch saves on 64-bit the old CS
      descriptor and restores it if loading RIP failed.
      
      This fixes CVE-2014-3647.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - __load_segment_descriptor() does not take an in_task_switch parameter]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f8a2b85d
    • Paolo Bonzini's avatar
      KVM: x86: use new CS.RPL as CPL during task switch · 11c0bdb6
      Paolo Bonzini authored
      commit 2356aaeb upstream.
      
      During task switch, all of CS.DPL, CS.RPL, SS.DPL must match (in addition
      to all the other requirements) and will be the new CPL.  So far this
      worked by carefully setting the CS selector and flag before doing the
      task switch; setting CS.selector will already change the CPL.
      
      However, this will not work once we get the CPL from SS.DPL, because
      then you will have to set the full segment descriptor cache to change
      the CPL.  ctxt->ops->cpl(ctxt) will then return the old CPL during the
      task switch, and the check that SS.DPL == CPL will fail.
      
      Temporarily assume that the CPL comes from CS.RPL during task switch
      to a protected-mode task.  This is the same approach used in QEMU's
      emulation code, which (until version 2.0) manually tracks the CPL.
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - load_state_from_tss32() does not support VM86 mode]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      11c0bdb6
    • Nadav Amit's avatar
      KVM: x86: Emulator fixes for eip canonical checks on near branches · 71ca9dc3
      Nadav Amit authored
      commit 234f3ce4 upstream.
      
      Before changing rip (during jmp, call, ret, etc.) the target should be asserted
      to be canonical one, as real CPUs do.  During sysret, both target rsp and rip
      should be canonical. If any of these values is noncanonical, a #GP exception
      should occur.  The exception to this rule are syscall and sysenter instructions
      in which the assigned rip is checked during the assignment to the relevant
      MSRs.
      
      This patch fixes the emulator to behave as real CPUs do for near branches.
      Far branches are handled by the next patch.
      
      This fixes CVE-2014-3647.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - Use ctxt->regs[] instead of reg_read(), reg_write(), reg_rmw()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      71ca9dc3
    • Nadav Amit's avatar
      KVM: x86: Fix wrong masking on relative jump/call · ea8064a2
      Nadav Amit authored
      commit 05c83ec9 upstream.
      
      Relative jumps and calls do the masking according to the operand size, and not
      according to the address size as the KVM emulator does today.
      
      This patch fixes KVM behavior.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ea8064a2
    • Takuya Yoshikawa's avatar
      KVM: x86 emulator: Use opcode::execute for CALL · befadafe
      Takuya Yoshikawa authored
      commit d4ddafcd upstream.
      
      CALL: E8
      Signed-off-by: default avatarTakuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      befadafe
    • Petr Matousek's avatar
      kvm: vmx: handle invvpid vm exit gracefully · 3f09b1f1
      Petr Matousek authored
      commit a642fc30 upstream.
      
      On systems with invvpid instruction support (corresponding bit in
      IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
      causes vm exit, which is currently not handled and results in
      propagation of unknown exit to userspace.
      
      Fix this by installing an invvpid vm exit handler.
      
      This is CVE-2014-3646.
      Signed-off-by: default avatarPetr Matousek <pmatouse@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust filename
       - Drop inapplicable change to exit reason string array]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3f09b1f1
    • Nadav Har'El's avatar
      nEPT: Nested INVEPT · 02a988e6
      Nadav Har'El authored
      commit bfd0a56b upstream.
      
      If we let L1 use EPT, we should probably also support the INVEPT instruction.
      
      In our current nested EPT implementation, when L1 changes its EPT table
      for L2 (i.e., EPT12), L0 modifies the shadow EPT table (EPT02), and in
      the course of this modification already calls INVEPT. But if last level
      of shadow page is unsync not all L1's changes to EPT12 are intercepted,
      which means roots need to be synced when L1 calls INVEPT. Global INVEPT
      should not be different since roots are synced by kvm_mmu_load() each
      time EPTP02 changes.
      Reviewed-by: default avatarXiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
      Signed-off-by: default avatarNadav Har'El <nyh@il.ibm.com>
      Signed-off-by: default avatarJun Nakajima <jun.nakajima@intel.com>
      Signed-off-by: default avatarXinhao Xu <xinhao.xu@intel.com>
      Signed-off-by: default avatarYang Zhang <yang.z.zhang@Intel.com>
      Signed-off-by: default avatarGleb Natapov <gleb@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context, filename
       - Simplify handle_invept() as recommended by Paolo - nEPT is not
         supported so we always raise #UD]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      02a988e6
    • Andy Honig's avatar
      KVM: x86: Improve thread safety in pit · 30a340f5
      Andy Honig authored
      commit 2febc839 upstream.
      
      There's a race condition in the PIT emulation code in KVM.  In
      __kvm_migrate_pit_timer the pit_timer object is accessed without
      synchronization.  If the race condition occurs at the wrong time this
      can crash the host kernel.
      
      This fixes CVE-2014-3611.
      Signed-off-by: default avatarAndrew Honig <ahonig@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      30a340f5
    • Nadav Amit's avatar
      KVM: x86: Check non-canonical addresses upon WRMSR · 76715b56
      Nadav Amit authored
      commit 854e8bb1 upstream.
      
      Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
      written to certain MSRs. The behavior is "almost" identical for AMD and Intel
      (ignoring MSRs that are not implemented in either architecture since they would
      anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
      non-canonical address is written on Intel but not on AMD (which ignores the top
      32-bits).
      
      Accordingly, this patch injects a #GP on the MSRs which behave identically on
      Intel and AMD.  To eliminate the differences between the architecutres, the
      value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
      canonical value before writing instead of injecting a #GP.
      
      Some references from Intel and AMD manuals:
      
      According to Intel SDM description of WRMSR instruction #GP is expected on
      WRMSR "If the source register contains a non-canonical address and ECX
      specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
      IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
      
      According to AMD manual instruction manual:
      LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
      LSTAR and CSTAR registers.  If an RIP written by WRMSR is not in canonical
      form, a general-protection exception (#GP) occurs."
      IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
      base field must be in canonical form or a #GP fault will occur."
      IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
      be in canonical form."
      
      This patch fixes CVE-2014-3610.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2:
       - The various set_msr() functions all separate msr_index and data parameters]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      76715b56
    • Hannes Frederic Sowa's avatar
      ipv6: reuse ip6_frag_id from ip6_ufo_append_data · 8db33010
      Hannes Frederic Sowa authored
      commit 916e4cf4 upstream.
      
      Currently we generate a new fragmentation id on UFO segmentation. It
      is pretty hairy to identify the correct net namespace and dst there.
      Especially tunnels use IFF_XMIT_DST_RELEASE and thus have no skb_dst
      available at all.
      
      This causes unreliable or very predictable ipv6 fragmentation id
      generation while segmentation.
      
      Luckily we already have pregenerated the ip6_frag_id in
      ip6_ufo_append_data and can use it here.
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust filename, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8db33010
    • Theodore Ts'o's avatar
      ext4: fix BUG_ON in mb_free_blocks() · 4c844312
      Theodore Ts'o authored
      commit c99d1e6e upstream.
      
      If we suffer a block allocation failure (for example due to a memory
      allocation failure), it's possible that we will call
      ext4_discard_allocated_blocks() before we've actually allocated any
      blocks.  In that case, fe_len and fe_start in ac->ac_f_ex will still
      be zero, and this will result in mb_free_blocks(inode, e4b, 0, 0)
      triggering the BUG_ON on mb_free_blocks():
      
      	BUG_ON(last >= (sb->s_blocksize << 3));
      
      Fix this by bailing out of ext4_discard_allocated_blocks() if fs_len
      is zero.
      
      Also fix a missing ext4_mb_unload_buddy() call in
      ext4_discard_allocated_blocks().
      
      Google-Bug-Id: 16844242
      
      Fixes: 86f0afd4Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4c844312
    • chenweilong's avatar
      ipv6: reallocate addrconf router for ipv6 address when lo device up · a0a8667a
      chenweilong authored
      It fix the bug 67951 on bugzilla
      https://bugzilla.kernel.org/show_bug.cgi?id=67951
      
      The patch can't be applied directly, as it' used the function introduced
      by "commit 94e187c0" ip6_rt_put(), that patch can't be applied directly
      either.
      
      ====================
      
      From: Gao feng <gaofeng@cn.fujitsu.com>
      
      commit 33d99113 upstream.
      
      This commit don't have a stable tag, but it fix the bug
      no reply after loopback down-up.It's very worthy to be
      applied to stable 3.4 kernels.
      
      The bug is 67951 on bugzilla
      https://bugzilla.kernel.org/show_bug.cgi?id=67951
      
      
      CC: Sabrina Dubroca <sd@queasysnail.net>
      CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Reported-by: default avatarWeilong Chen <chenweilong@huawei.com>
      Signed-off-by: default avatarWeilong Chen <chenweilong@huawei.com>
      Signed-off-by: default avatarGao feng <gaofeng@cn.fujitsu.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [weilong: s/ip6_rt_put/dst_release]
      Signed-off-by: default avatarChen Weilong <chenweilong@huawei.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a0a8667a
    • Marcelo Ricardo Leitner's avatar
      ipv4: disable bh while doing route gc · 4715883b
      Marcelo Ricardo Leitner authored
      Further tests revealed that after moving the garbage collector to a work
      queue and protecting it with a spinlock may leave the system prone to
      soft lockups if bottom half gets very busy.
      
      It was reproced with a set of firewall rules that REJECTed packets. If
      the NIC bottom half handler ends up running on the same CPU that is
      running the garbage collector on a very large cache, the garbage
      collector will not be able to do its job due to the amount of work
      needed for handling the REJECTs and also won't reschedule.
      
      The fix is to disable bottom half during the garbage collecting, as it
      already was in the first place (most calls to it came from softirqs).
      Signed-off-by: default avatarMarcelo Ricardo Leitner <mleitner@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4715883b
    • Marcelo Ricardo Leitner's avatar
      ipv4: avoid parallel route cache gc executions · ad5ca98f
      Marcelo Ricardo Leitner authored
      When rt_intern_hash() has to deal with neighbour cache overflowing,
      it triggers the route cache garbage collector in an attempt to free
      some references on neighbour entries.
      
      Such call cannot be done async but should also not run in parallel with
      an already-running one, so that they don't collapse fighting over the
      hash lock entries.
      
      This patch thus blocks parallel executions with spinlocks:
      - A call from worker and from rt_intern_hash() are not the same, and
      cannot be merged, thus they will wait each other on rt_gc_lock.
      - Calls to gc from rt_intern_hash() may happen in parallel but we must
      wait for it to finish in order to try again. This dedup and
      synchrinozation is then performed by the locking just before calling
      __do_rt_garbage_collect().
      Signed-off-by: default avatarMarcelo Ricardo Leitner <mleitner@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ad5ca98f
    • Marcelo Ricardo Leitner's avatar
      ipv4: move route garbage collector to work queue · 6c383b3a
      Marcelo Ricardo Leitner authored
      Currently the route garbage collector gets called by dst_alloc() if it
      have more entries than the threshold. But it's an expensive call, that
      don't really need to be done by then.
      
      Another issue with current way is that it allows running the garbage
      collector with the same start parameters on multiple CPUs at once, which
      is not optimal. A system may even soft lockup if the cache is big enough
      as the garbage collectors will be fighting over the hash lock entries.
      
      This patch thus moves the garbage collector to run asynchronously on a
      work queue, much similar to how rt_expire_check runs.
      
      There is one condition left that allows multiple executions, which is
      handled by the next patch.
      Signed-off-by: default avatarMarcelo Ricardo Leitner <mleitner@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6c383b3a
    • Yoichi Yuasa's avatar
      MIPS: Fix forgotten preempt_enable() when CPU has inclusive pcaches · d521f4ba
      Yoichi Yuasa authored
      commit 5596b0b2 upstream.
      
      [    1.904000] BUG: scheduling while atomic: swapper/1/0x00000002
      [    1.908000] Modules linked in:
      [    1.916000] CPU: 0 PID: 1 Comm: swapper Not tainted 3.12.0-rc2-lemote-los.git-5318619-dirty #1
      [    1.920000] Stack : 0000000031aac000 ffffffff810d0000 0000000000000052 ffffffff802730a4
                0000000000000000 0000000000000001 ffffffff810cdf90 ffffffff810d0000
                ffffffff8068b968 ffffffff806f5537 ffffffff810cdf90 980000009f0782e8
                0000000000000001 ffffffff80720000 ffffffff806b0000 980000009f078000
                980000009f290000 ffffffff805f312c 980000009f05b5d8 ffffffff80233518
                980000009f05b5e8 ffffffff80274b7c 980000009f078000 ffffffff8068b968
                0000000000000000 0000000000000000 0000000000000000 0000000000000000
                0000000000000000 980000009f05b520 0000000000000000 ffffffff805f2f6c
                0000000000000000 ffffffff80700000 ffffffff80700000 ffffffff806fc758
                ffffffff80700000 ffffffff8020be98 ffffffff806fceb0 ffffffff805f2f6c
                ...
      [    2.028000] Call Trace:
      [    2.032000] [<ffffffff8020be98>] show_stack+0x80/0x98
      [    2.036000] [<ffffffff805f2f6c>] __schedule_bug+0x44/0x6c
      [    2.040000] [<ffffffff805fac58>] __schedule+0x518/0x5b0
      [    2.044000] [<ffffffff805f8a58>] schedule_timeout+0x128/0x1f0
      [    2.048000] [<ffffffff80240314>] msleep+0x3c/0x60
      [    2.052000] [<ffffffff80495400>] do_probe+0x238/0x3a8
      [    2.056000] [<ffffffff804958b0>] ide_probe_port+0x340/0x7e8
      [    2.060000] [<ffffffff80496028>] ide_host_register+0x2d0/0x7a8
      [    2.064000] [<ffffffff8049c65c>] ide_pci_init_two+0x4e4/0x790
      [    2.068000] [<ffffffff8049f9b8>] amd74xx_probe+0x148/0x2c8
      [    2.072000] [<ffffffff803f571c>] pci_device_probe+0xc4/0x130
      [    2.076000] [<ffffffff80478f60>] driver_probe_device+0x98/0x270
      [    2.080000] [<ffffffff80479298>] __driver_attach+0xe0/0xe8
      [    2.084000] [<ffffffff80476ab0>] bus_for_each_dev+0x78/0xe0
      [    2.088000] [<ffffffff80478468>] bus_add_driver+0x230/0x310
      [    2.092000] [<ffffffff80479b44>] driver_register+0x84/0x158
      [    2.096000] [<ffffffff80200504>] do_one_initcall+0x104/0x160
      Signed-off-by: default avatarYoichi Yuasa <yuasa@linux-mips.org>
      Reported-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Tested-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Cc: linux-mips@linux-mips.org
      Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
      Patchwork: https://patchwork.linux-mips.org/patch/5941/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d521f4ba
    • Josh Triplett's avatar
      init/Kconfig: Hide printk log config if CONFIG_PRINTK=n · ff872daa
      Josh Triplett authored
      commit 361e9dfb upstream.
      
      The buffers sized by CONFIG_LOG_BUF_SHIFT and
      CONFIG_LOG_CPU_MAX_BUF_SHIFT do not exist if CONFIG_PRINTK=n, so don't
      ask about their size at all.
      Signed-off-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Acked-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      [bwh: Backported to 3.2: drop change to CONFIG_LOG_CPU_MAX_BUF_SHIFT]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ff872daa
    • Peter Zijlstra's avatar
      perf: fix perf bug in fork() · 96cb09b8
      Peter Zijlstra authored
      commit 6c72e350 upstream.
      
      Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by
      calling perf_event_free_task() when failing sched_fork() we will not yet
      have done the memset() on ->perf_event_ctxp[] and will therefore try and
      'free' the inherited contexts, which are still in use by the parent
      process.  This is bad..
      Suggested-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reported-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reported-by: default avatarSylvain 'ythier' Hitier <sylvain.hitier@gmail.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      96cb09b8
    • Mel Gorman's avatar
      mm: migrate: Close race between migration completion and mprotect · b47191f7
      Mel Gorman authored
      commit d3cb8bf6 upstream.
      
      A migration entry is marked as write if pte_write was true at the time the
      entry was created. The VMA protections are not double checked when migration
      entries are being removed as mprotect marks write-migration-entries as
      read. It means that potentially we take a spurious fault to mark PTEs write
      again but it's straight-forward. However, there is a race between write
      migrations being marked read and migrations finishing. This potentially
      allows a PTE to be write that should have been read. Close this race by
      double checking the VMA permissions using maybe_mkwrite when migration
      completes.
      
      [torvalds@linux-foundation.org: use maybe_mkwrite]
      Signed-off-by: default avatarMel Gorman <mgorman@suse.de>
      Acked-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b47191f7
    • Miklos Szeredi's avatar
      shmem: fix nlink for rename overwrite directory · 6bf3b2e3
      Miklos Szeredi authored
      commit b928095b upstream.
      
      If overwriting an empty directory with rename, then need to drop the extra
      nlink.
      
      Test prog:
      
      #include <stdio.h>
      #include <fcntl.h>
      #include <err.h>
      #include <sys/stat.h>
      
      int main(void)
      {
      	const char *test_dir1 = "test-dir1";
      	const char *test_dir2 = "test-dir2";
      	int res;
      	int fd;
      	struct stat statbuf;
      
      	res = mkdir(test_dir1, 0777);
      	if (res == -1)
      		err(1, "mkdir(\"%s\")", test_dir1);
      
      	res = mkdir(test_dir2, 0777);
      	if (res == -1)
      		err(1, "mkdir(\"%s\")", test_dir2);
      
      	fd = open(test_dir2, O_RDONLY);
      	if (fd == -1)
      		err(1, "open(\"%s\")", test_dir2);
      
      	res = rename(test_dir1, test_dir2);
      	if (res == -1)
      		err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2);
      
      	res = fstat(fd, &statbuf);
      	if (res == -1)
      		err(1, "fstat(%i)", fd);
      
      	if (statbuf.st_nlink != 0) {
      		fprintf(stderr, "nlink is %lu, should be 0\n", statbuf.st_nlink);
      		return 1;
      	}
      
      	return 0;
      }
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6bf3b2e3
    • Joseph Qi's avatar
      ocfs2/dlm: do not get resource spinlock if lockres is new · 40d31c49
      Joseph Qi authored
      commit 5760a97c upstream.
      
      There is a deadlock case which reported by Guozhonghua:
        https://oss.oracle.com/pipermail/ocfs2-devel/2014-September/010079.html
      
      This case is caused by &res->spinlock and &dlm->master_lock
      misordering in different threads.
      
      It was introduced by commit 8d400b81 ("ocfs2/dlm: Clean up refmap
      helpers").  Since lockres is new, it doesn't not require the
      &res->spinlock.  So remove it.
      
      Fixes: 8d400b81 ("ocfs2/dlm: Clean up refmap helpers")
      Signed-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Reviewed-by: default avatarjoyce.xue <xuejiufei@huawei.com>
      Reported-by: default avatarGuozhonghua <guozhonghua@h3c.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      40d31c49
    • Andreas Rohner's avatar
      nilfs2: fix data loss with mmap() · a428c0e1
      Andreas Rohner authored
      commit 56d7acc7 upstream.
      
      This bug leads to reproducible silent data loss, despite the use of
      msync(), sync() and a clean unmount of the file system.  It is easily
      reproducible with the following script:
      
        ----------------[BEGIN SCRIPT]--------------------
        mkfs.nilfs2 -f /dev/sdb
        mount /dev/sdb /mnt
      
        dd if=/dev/zero bs=1M count=30 of=/mnt/testfile
      
        umount /mnt
        mount /dev/sdb /mnt
        CHECKSUM_BEFORE="$(md5sum /mnt/testfile)"
      
        /root/mmaptest/mmaptest /mnt/testfile 30 10 5
      
        sync
        CHECKSUM_AFTER="$(md5sum /mnt/testfile)"
        umount /mnt
        mount /dev/sdb /mnt
        CHECKSUM_AFTER_REMOUNT="$(md5sum /mnt/testfile)"
        umount /mnt
      
        echo "BEFORE MMAP:\t$CHECKSUM_BEFORE"
        echo "AFTER MMAP:\t$CHECKSUM_AFTER"
        echo "AFTER REMOUNT:\t$CHECKSUM_AFTER_REMOUNT"
        ----------------[END SCRIPT]--------------------
      
      The mmaptest tool looks something like this (very simplified, with
      error checking removed):
      
        ----------------[BEGIN mmaptest]--------------------
        data = mmap(NULL, file_size - file_offset, PROT_READ | PROT_WRITE,
                    MAP_SHARED, fd, file_offset);
      
        for (i = 0; i < write_count; ++i) {
              memcpy(data + i * 4096, buf, sizeof(buf));
              msync(data, file_size - file_offset, MS_SYNC))
        }
        ----------------[END mmaptest]--------------------
      
      The output of the script looks something like this:
      
        BEFORE MMAP:    281ed1d5ae50e8419f9b978aab16de83  /mnt/testfile
        AFTER MMAP:     6604a1c31f10780331a6850371b3a313  /mnt/testfile
        AFTER REMOUNT:  281ed1d5ae50e8419f9b978aab16de83  /mnt/testfile
      
      So it is clear, that the changes done using mmap() do not survive a
      remount.  This can be reproduced a 100% of the time.  The problem was
      introduced in commit 136e8770 ("nilfs2: fix issue of
      nilfs_set_page_dirty() for page at EOF boundary").
      
      If the page was read with mpage_readpage() or mpage_readpages() for
      example, then it has no buffers attached to it.  In that case
      page_has_buffers(page) in nilfs_set_page_dirty() will be false.
      Therefore nilfs_set_file_dirty() is never called and the pages are never
      collected and never written to disk.
      
      This patch fixes the problem by also calling nilfs_set_file_dirty() if the
      page has no buffers attached to it.
      
      [akpm@linux-foundation.org: s/PAGE_SHIFT/PAGE_CACHE_SHIFT/]
      Signed-off-by: default avatarAndreas Rohner <andreas.rohner@gmx.net>
      Tested-by: default avatarAndreas Rohner <andreas.rohner@gmx.net>
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a428c0e1
    • Markos Chandras's avatar
      MIPS: mcount: Adjust stack pointer for static trace in MIPS32 · bbc3708a
      Markos Chandras authored
      commit 8a574cfa upstream.
      
      Every mcount() call in the MIPS 32-bit kernel is done as follows:
      
      [...]
      move at, ra
      jal _mcount
      addiu sp, sp, -8
      [...]
      
      but upon returning from the mcount() function, the stack pointer
      is not adjusted properly. This is explained in details in 58b69401
      (MIPS: Function tracer: Fix broken function tracing).
      
      Commit ad8c3969 ("MIPS: Unbreak function tracer for 64-bit kernel.)
      fixed the stack manipulation for 64-bit but it didn't fix it completely
      for MIPS32.
      Signed-off-by: default avatarMarkos Chandras <markos.chandras@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/7792/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bbc3708a
    • Robin Murphy's avatar
      ARM: 8165/1: alignment: don't break misaligned NEON load/store · edeb8f82
      Robin Murphy authored
      commit 5ca918e5 upstream.
      
      The alignment fixup incorrectly decodes faulting ARM VLDn/VSTn
      instructions (where the optional alignment hint is given but incorrect)
      as LDR/STR, leading to register corruption. Detect these and correctly
      treat them as unhandled, so that userspace gets the fault it expects.
      Reported-by: default avatarSimon Hosie <simon.hosie@arm.com>
      Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      edeb8f82
    • Wanpeng Li's avatar
      sched: Fix unreleased llc_shared_mask bit during CPU hotplug · fdb7a047
      Wanpeng Li authored
      commit 03bd4e1f upstream.
      
      The following bug can be triggered by hot adding and removing a large number of
      xen domain0's vcpus repeatedly:
      
      	BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: [..] find_busiest_group
      	PGD 5a9d5067 PUD 13067 PMD 0
      	Oops: 0000 [#3] SMP
      	[...]
      	Call Trace:
      	load_balance
      	? _raw_spin_unlock_irqrestore
      	idle_balance
      	__schedule
      	schedule
      	schedule_timeout
      	? lock_timer_base
      	schedule_timeout_uninterruptible
      	msleep
      	lock_device_hotplug_sysfs
      	online_store
      	dev_attr_store
      	sysfs_write_file
      	vfs_write
      	SyS_write
      	system_call_fastpath
      
      Last level cache shared mask is built during CPU up and the
      build_sched_domain() routine takes advantage of it to setup
      the sched domain CPU topology.
      
      However, llc_shared_mask is not released during CPU disable,
      which leads to an invalid sched domainCPU topology.
      
      This patch fix it by releasing the llc_shared_mask correctly
      during CPU disable.
      
      Yasuaki also reported that this can happen on real hardware:
      
        https://lkml.org/lkml/2014/7/22/1018
      
      His case is here:
      
      	==
      	Here is an example on my system.
      	My system has 4 sockets and each socket has 15 cores and HT is
      	enabled. In this case, each core of sockes is numbered as
      	follows:
      
      		 | CPU#
      	Socket#0 | 0-14 , 60-74
      	Socket#1 | 15-29, 75-89
      	Socket#2 | 30-44, 90-104
      	Socket#3 | 45-59, 105-119
      
      	Then llc_shared_mask of CPU#30 has 0x3fff80000001fffc0000000.
      
      	It means that last level cache of Socket#2 is shared with
      	CPU#30-44 and 90-104.
      
      	When hot-removing socket#2 and #3, each core of sockets is
      	numbered as follows:
      
      		 | CPU#
      	Socket#0 | 0-14 , 60-74
      	Socket#1 | 15-29, 75-89
      
      	But llc_shared_mask is not cleared. So llc_shared_mask of CPU#30
      	remains having 0x3fff80000001fffc0000000.
      
      	After that, when hot-adding socket#2 and #3, each core of
      	sockets is numbered as follows:
      
      		 | CPU#
      	Socket#0 | 0-14 , 60-74
      	Socket#1 | 15-29, 75-89
      	Socket#2 | 30-59
      	Socket#3 | 90-119
      
      	Then llc_shared_mask of CPU#30 becomes
      	0x3fff8000fffffffc0000000. It means that last level cache of
      	Socket#2 is shared with CPU#30-59 and 90-104. So the mask has
      	the wrong value.
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@linux.intel.com>
      Tested-by: default avatarLinn Crosetto <linn@hp.com>
      Reviewed-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarToshi Kani <toshi.kani@hp.com>
      Reviewed-by: default avatarYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Steven Rostedt <srostedt@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/1411547885-48165-1-git-send-email-wanpeng.li@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fdb7a047
    • John David Anglin's avatar
      parisc: Only use -mfast-indirect-calls option for 32-bit kernel builds · cfda9893
      John David Anglin authored
      commit d26a7730 upstream.
      
      In spite of what the GCC manual says, the -mfast-indirect-calls has
      never been supported in the 64-bit parisc compiler. Indirect calls have
      always been done using function descriptors irrespective of the
      -mfast-indirect-calls option.
      
      Recently, it was noticed that a function descriptor was always requested
      when the -mfast-indirect-calls option was specified. This caused
      problems when the option was used in  application code and doesn't make
      any sense because the whole point of the option is to avoid using a
      function descriptor for indirect calls.
      
      Fixing this broke 64-bit kernel builds.
      
      I will fix GCC but for now we need the attached change. This results in
      the same kernel code as before.
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cfda9893
    • Anton Altaparmakov's avatar
      Fix nasty 32-bit overflow bug in buffer i/o code. · 918b2160
      Anton Altaparmakov authored
      commit f2d5a944 upstream.
      
      On 32-bit architectures, the legacy buffer_head functions are not always
      handling the sector number with the proper 64-bit types, and will thus
      fail on 4TB+ disks.
      
      Any code that uses __getblk() (and thus bread(), breadahead(),
      sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit
      block on a 32-bit arch (where "long" is 32-bit) causes an inifinite loop
      in __getblk_slow() with an infinite stream of errors logged to dmesg
      like this:
      
        __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
        b_state=0x00000020, b_size=512
        device sda1 blocksize: 512
      
      Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the
      top 32-bits are missing (in this case the 0x1 at the top).
      
      This is because grow_dev_page() is broken and has a 32-bit overflow due
      to shifting the page index value (a pgoff_t - which is just 32 bits on
      32-bit architectures) left-shifted as the block number.  But the top
      bits to get lost as the pgoff_t is not type cast to sector_t / 64-bit
      before the shift.
      
      This patch fixes this issue by type casting "index" to sector_t before
      doing the left shift.
      
      Note this is not a theoretical bug but has been seen in the field on a
      4TiB hard drive with logical sector size 512 bytes.
      
      This patch has been verified to fix the infinite loop problem on 3.17-rc5
      kernel using a 4TB disk image mounted using "-o loop".  Without this patch
      doing a "find /nt" where /nt is an NTFS volume causes the inifinite loop
      100% reproducibly whilst with the patch it works fine as expected.
      Signed-off-by: default avatarAnton Altaparmakov <aia21@cantab.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      918b2160
    • Clemens Ladisch's avatar
      ALSA: pcm: fix fifo_size frame calculation · 53412c3f
      Clemens Ladisch authored
      commit a9960e6a upstream.
      
      The calculated frame size was wrong because snd_pcm_format_physical_width()
      actually returns the number of bits, not bytes.
      
      Use snd_pcm_format_size() instead, which not only returns bytes, but also
      simplifies the calculation.
      
      Fixes: 8bea869c ("ALSA: PCM midlevel: improve fifo_size handling")
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      53412c3f
    • David Dueck's avatar
      can: at91_can: add missing prepare and unprepare of the clock · 51562cd4
      David Dueck authored
      commit e77980e5 upstream.
      
      In order to make the driver work with the common clock framework, this patch
      converts the clk_enable()/clk_disable() to
      clk_prepare_enable()/clk_disable_unprepare(). While there, add the missing
      error handling.
      Signed-off-by: default avatarDavid Dueck <davidcdueck@googlemail.com>
      Signed-off-by: default avatarAnthony Harivel <anthony.harivel@emtrion.de>
      Acked-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51562cd4
    • Marc Kleine-Budde's avatar
      can: flexcan: put TX mailbox into TX_INACTIVE mode after tx-complete · 3158bdb2
      Marc Kleine-Budde authored
      commit de594488 upstream.
      
      After sending a RTR frame the TX mailbox becomes a RX_EMPTY mailbox. To avoid
      side effects when the RX-FIFO is full, this patch puts the TX mailbox into
      TX_INACTIVE mode in the transmission complete interrupt handler. This, of
      course, leaves a race window between the actual completion of the transmission
      and the handling of tx-complete interrupt. However this is the best we can do
      without busy polling the tx complete interrupt.
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3158bdb2
    • David Jander's avatar
      can: flexcan: implement workaround for errata ERR005829 · 7056cbe8
      David Jander authored
      commit 25e92445 upstream.
      
      This patch implements the workaround mentioned in ERR005829:
      
          ERR005829: FlexCAN: FlexCAN does not transmit a message that is enabled to
          be transmitted in a specific moment during the arbitration process.
      
      Workaround: The workaround consists of two extra steps after setting up a
      message for transmission:
      
      Step 8: Reserve the first valid mailbox as an inactive mailbox (CODE=0b1000).
      If RX FIFO is disabled, this mailbox must be message buffer 0. Otherwise, the
      first valid mailbox can be found using the "RX FIFO filters" table in the
      FlexCAN chapter of the chip reference manual.
      
      Step 9: Write twice INACTIVE code (0b1000) into the first valid mailbox.
      Signed-off-by: default avatarDavid Jander <david@protonic.nl>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7056cbe8
    • David Jander's avatar
      can: flexcan: correctly initialize mailboxes · d306d951
      David Jander authored
      commit fc05b884 upstream.
      
      Apparently mailboxes may contain random data at startup, causing some of them
      being prepared for message reception. This causes overruns being missed or even
      confusing the IRQ check for trasmitted messages, increasing the transmit
      counter instead of the error counter.
      
      This patch initializes all mailboxes after the FIFO as RX_INACTIVE.
      Signed-off-by: default avatarDavid Jander <david@protonic.nl>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d306d951
    • Marc Kleine-Budde's avatar
      can: flexcan: mark TX mailbox as TX_INACTIVE · 1b184fd1
      Marc Kleine-Budde authored
      commit c32fe4ad upstream.
      
      This patch fixes the initialization of the TX mailbox. It is now correctly
      initialized as TX_INACTIVE not RX_EMPTY.
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1b184fd1
    • Johannes Berg's avatar
      nl80211: clear skb cb before passing to netlink · a93db944
      Johannes Berg authored
      commit bd8c78e7 upstream.
      
      In testmode and vendor command reply/event SKBs we use the
      skb cb data to store nl80211 parameters between allocation
      and sending. This causes the code for CONFIG_NETLINK_MMAP
      to get confused, because it takes ownership of the skb cb
      data when the SKB is handed off to netlink, and it doesn't
      explicitly clear it.
      
      Clear the skb cb explicitly when we're done and before it
      gets passed to netlink to avoid this issue.
      Reported-by: default avatarAssaf Azulay <assaf.azulay@intel.com>
      Reported-by: default avatarDavid Spinadel <david.spinadel@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a93db944
    • Mark's avatar
      USB: storage: Add quirks for Entrega/Xircom USB to SCSI converters · b2d0a271
      Mark authored
      commit c80b4495 upstream.
      
      This patch adds quirks for Entrega Technologies (later Xircom PortGear) USB-
      SCSI converters. They use Shuttle Technology EUSB-01/EUSB-S1 chips. The
      US_FL_SCM_MULT_TARG quirk is needed to allow multiple devices on the SCSI
      chain to be accessed. Without it only the (single) device with SCSI ID 0
      can be used.
      
      The standalone converter sold by Entrega had model number U1-SC25. Xircom
      acquired Entrega and re-branded the product line PortGear. The PortGear USB
      to SCSI Converter (model PGSCSI) is internally identical to the Entrega
      product, but later models may use a different USB ID. The Entrega-branded
      units have USB ID 1645:0007, as does my Xircom PGSCSI, but the Windows and
      Macintosh drivers also support 085A:0028.
      
      Entrega also sold the "Mac USB Dock", which provides two USB ports, a Mac
      (8-pin mini-DIN) serial port and a SCSI port. It appears to the computer as
      a four-port hub, USB-serial, and USB-SCSI converters. The USB-SCSI part may
      have initially used the same ID as the standalone U1-SC25 (1645:0007), but
      later production used 085A:0026.
      
      My Xircom PortGear PGSCSI has bcdDevice=0x0100. Units with bcdDevice=0x0133
      probably also exist.
      
      This patch adds quirks for 1645:0007, 085A:0026 and 085A:0028. The Windows
      driver INF file also mentions 085A:0032 "PortStation SCSI Module", but I
      couldn't find any mention of that actually existing in the wild; perhaps it
      was cancelled before release?
      Signed-off-by: default avatarMark Knibbs <markk@clara.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b2d0a271
    • Mark's avatar
      USB: storage: Add quirk for Ariston Technologies iConnect USB to SCSI adapter · eeaff23a
      Mark authored
      commit b6a3ed67 upstream.
      
      Hi,
      
      The Ariston Technologies iConnect 025 and iConnect 050 (also known as e.g.
      iSCSI-50) are SCSI-USB converters which use Shuttle Technology/SCM
      Microsystems chips. Only the connectors differ; both have the same USB ID.
      The US_FL_SCM_MULT_TARG quirk is required to use SCSI devices with ID other
      than 0.
      
      I don't have one of these, but based on the other entries for Shuttle/
      SCM-based converters this patch is very likely correct. I used 0x0000 and
      0x9999 for bcdDeviceMin and bcdDeviceMax because I'm not sure which
      bcdDevice value the products use.
      Signed-off-by: default avatarMark Knibbs <markk@clara.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eeaff23a
    • Mark's avatar
      USB: storage: Add quirk for Adaptec USBConnect 2000 USB-to-SCSI Adapter · 7d81e603
      Mark authored
      commit 67d365a5 upstream.
      
      The Adaptec USBConnect 2000 is another SCSI-USB converter which uses
      Shuttle Technology/SCM Microsystems chips. The US_FL_SCM_MULT_TARG quirk is
      required to use SCSI devices with ID other than 0.
      
      I don't have a USBConnect 2000, but based on the other entries for Shuttle/
      SCM-based converters this patch is very likely correct. I used 0x0000 and
      0x9999 for bcdDeviceMin and bcdDeviceMax because I'm not sure which
      bcdDevice value the product uses.
      Signed-off-by: default avatarMark Knibbs <markk@clara.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7d81e603
    • Mike Christie's avatar
      libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu · 74cb1722
      Mike Christie authored
      commit db9bfd64 upstream.
      
      This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu.
      This function is used by iscsi drivers and userspace to send iscsi PDUs/
      commands. For login commands, we have a set buffer size. For all other
      commands we do not support data buffers.
      
      This was reported by Dan Carpenter here:
      http://www.spinics.net/lists/linux-scsi/msg66838.htmlReported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Reviewed-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      74cb1722
    • Trond Myklebust's avatar
      NFSv4: Fix another bug in the close/open_downgrade code · 5bd3c047
      Trond Myklebust authored
      commit cd9288ff upstream.
      
      James Drew reports another bug whereby the NFS client is now sending
      an OPEN_DOWNGRADE in a situation where it should really have sent a
      CLOSE: the client is opening the file for O_RDWR, but then trying to
      do a downgrade to O_RDONLY, which is not allowed by the NFSv4 spec.
      Reported-by: default avatarJames Drews <drews@engr.wisc.edu>
      Link: http://lkml.kernel.org/r/541AD7E5.8020409@engr.wisc.edu
      Fixes: aee7af35 (NFSv4: Fix problems with close in the presence...)
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5bd3c047