1. 30 Jul, 2015 40 commits
    • Simon Wood's avatar
      HID: hid-lg4ff: Support new version of G27 · b38095f5
      Simon Wood authored
      commit 6b5625b2 upstream.
      
      It has been reported that there is a new hardware version of the G27
      in the 'wild'. This patch add's this new revision so that it can be
      sent the command to switch to native mode.
      Reported-by: default avatar"Ivan Baldo" <ibaldo@adinet.com.uy>
      Tested-by: default avatar"evilcow" <evilcow93@yahoo.com>
      Signed-off-by: default avatarSimon Wood <simon@mungewell.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Cc: Oliver Neukum <ONeukum@suse.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b38095f5
    • David Herrmann's avatar
      HID: hyperv: make sure input buffer is big enough · a64a8714
      David Herrmann authored
      commit 3ccfd0a8 upstream.
      
      We need at least HID_MAX_BUFFER_SIZE (4096) bytes as input buffer. HID
      core depends on this as it requires every input report to be at least as
      big as advertised.
      Signed-off-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Cc: Oliver Neukum <ONeukum@suse.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a64a8714
    • Guennadi Liakhovetski's avatar
      ARM: shmobile: wait for MSTP clock status to toggle, when enabling it · 7d07816b
      Guennadi Liakhovetski authored
      commit a028c6da upstream.
      
      On r-/sh-mobile SoCs MSTP clocks are used by the runtime PM to dynamically
      enable and disable peripheral clocks. To make sure the clock has really
      started we have to read back its status register until it confirms success.
      Signed-off-by: default avatarGuennadi Liakhovetski <g.liakhovetski+renesas@gmail.com>
      Signed-off-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      7d07816b
    • Yoshihiro Shimoda's avatar
      thermal: rcar: fix ENR register value · 0d77ef01
      Yoshihiro Shimoda authored
      commit 11313746 upstream.
      
      On R-Mobile APE6, since it has 3 thermal zones, ENR register
      has enable bits in bit 19-16, bit 11-8 and bit 3-0.
      
      However, on R-Car gen2, since it has 1 thermal zone, ENR register has
      enable bits in bit 3-0. (In other words, the write value should always
      be 0 for bit 31-4 of ENR register.)
      
      So, this patch fixes the ENR register value using I/O resource sets.
      Acked-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarEduardo Valentin <edubezval@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      0d77ef01
    • Lukasz Majewski's avatar
      thermal: step_wise: fix: Prevent from binary overflow when trend is dropping · ad3f45e4
      Lukasz Majewski authored
      commit 26bb0e9a upstream.
      
      It turns out that some boards can have instance->lower greater than 0 and
      when thermal trend is dropping it results with next_target equal to -1.
      
      Since the next_target is defined as unsigned long it is interpreted as
      0xFFFFFFFF and larger than instance->upper.
      As a result the next_target is set to instance->upper which ramps up to
      maximal cooling device target when the temperature is steadily decreasing.
      Signed-off-by: default avatarLukasz Majewski <l.majewski@samsung.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Cc: Mason <slash.tmp@free.fr>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ad3f45e4
    • Uwe Kleine-König's avatar
      mtd: dc21285: use raw spinlock functions for nw_gpio_lock · bd206d3d
      Uwe Kleine-König authored
      commit e5babdf9 upstream.
      
      Since commit bd31b859 (which is in 3.2-rc1) nw_gpio_lock is a raw spinlock
      that needs usage of the corresponding raw functions.
      
      This fixes:
      
        drivers/mtd/maps/dc21285.c: In function 'nw_en_write':
        drivers/mtd/maps/dc21285.c:41:340: warning: passing argument 1 of 'spinlock_check' from incompatible pointer type
          spin_lock_irqsave(&nw_gpio_lock, flags);
      
        In file included from include/linux/seqlock.h:35:0,
                         from include/linux/time.h:5,
                         from include/linux/stat.h:18,
                         from include/linux/module.h:10,
                         from drivers/mtd/maps/dc21285.c:8:
        include/linux/spinlock.h:299:102: note: expected 'struct spinlock_t *' but argument is of type 'struct raw_spinlock_t *'
         static inline raw_spinlock_t *spinlock_check(spinlock_t *lock)
                                                                                                              ^
        drivers/mtd/maps/dc21285.c:43:25: warning: passing argument 1 of 'spin_unlock_irqrestore' from incompatible pointer type
          spin_unlock_irqrestore(&nw_gpio_lock, flags);
                                 ^
        In file included from include/linux/seqlock.h:35:0,
                         from include/linux/time.h:5,
                         from include/linux/stat.h:18,
                         from include/linux/module.h:10,
                         from drivers/mtd/maps/dc21285.c:8:
        include/linux/spinlock.h:370:91: note: expected 'struct spinlock_t *' but argument is of type 'struct raw_spinlock_t *'
         static inline void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags)
      
      Fixes: bd31b859 ("locking, ARM: Annotate low level hw locks as raw")
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bd206d3d
    • Brian Norris's avatar
      mtd: fix: avoid race condition when accessing mtd->usecount · 6be3211b
      Brian Norris authored
      commit 073db4a5 upstream.
      
      On A MIPS 32-cores machine a BUG_ON was triggered because some acesses to
      mtd->usecount were done without taking mtd_table_mutex.
      kernel: Call Trace:
      kernel: [<ffffffff80401818>] __put_mtd_device+0x20/0x50
      kernel: [<ffffffff804086f4>] blktrans_release+0x8c/0xd8
      kernel: [<ffffffff802577e0>] __blkdev_put+0x1a8/0x200
      kernel: [<ffffffff802579a4>] blkdev_close+0x1c/0x30
      kernel: [<ffffffff8022006c>] __fput+0xac/0x250
      kernel: [<ffffffff80171208>] task_work_run+0xd8/0x120
      kernel: [<ffffffff8012c23c>] work_notifysig+0x10/0x18
      kernel:
      kernel:
              Code: 2442ffff  ac8202d8  000217fe <00020336> dc820128  10400003
                     00000000  0040f809  00000000
      kernel: ---[ end trace 080fbb4579b47a73 ]---
      
      Fixed by taking the mutex in blktrans_open and blktrans_release.
      
      Note that this locking is already suggested in
      include/linux/mtd/blktrans.h:
      
      struct mtd_blktrans_ops {
      ...
      	/* Called with mtd_table_mutex held; no race with add/remove */
      	int (*open)(struct mtd_blktrans_dev *dev);
      	void (*release)(struct mtd_blktrans_dev *dev);
      ...
      };
      
      But we weren't following it.
      
      Originally reported by (and patched by) Zhang and Giuseppe,
      independently. Improved and rewritten.
      Reported-by: default avatarZhang Xingcai <zhangxingcai@huawei.com>
      Reported-by: default avatarGiuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>
      Tested-by: default avatarGiuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>
      Acked-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6be3211b
    • Grygorii Strashko's avatar
      leds / PM: fix hibernation on arm when gpio-led used with CPU led trigger · 1e0dfcd5
      Grygorii Strashko authored
      commit 084609bf upstream.
      
      Setting a dev_pm_ops suspend/resume pair of callbacks but not a set of
      hibernation callbacks means those pm functions will not be
      called upon hibernation - that leads to system crash on ARM during
      freezing if gpio-led is used in combination with CPU led trigger.
      It may happen after freeze_noirq stage (GPIO is suspended)
      and before syscore_suspend stage (CPU led trigger is suspended)
      - usually when disable_nonboot_cpus() is called.
      
      Log:
        PM: noirq freeze of devices complete after 1.425 msecs
        Disabling non-boot CPUs ...
          ^ system may crash or stuck here with message (TI AM572x)
      
        WARNING: CPU: 0 PID: 3100 at drivers/bus/omap_l3_noc.c:148 l3_interrupt_handler+0x22c/0x370()
        44000000.ocp:L3 Custom Error: MASTER MPU TARGET L4_PER1_P3 (Idle): Data Access in Supervisor mode during Functional access
      
        CPU1: shutdown
          ^ or here
      
      Fix this by using SIMPLE_DEV_PM_OPS, which appropriately
      assigns the suspend and hibernation callbacks and move
      led_suspend/led_resume under CONFIG_PM_SLEEP to avoid
      build warnings.
      
      Fixes: 73e1ab41 (leds: Convert led class driver from legacy pm ops to dev_pm_ops)
      Signed-off-by: default avatarGrygorii Strashko <Grygorii.Strashko@linaro.org>
      Acked-by: default avatarJacek Anaszewski <j.anaszewski@samsung.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1e0dfcd5
    • Ezequiel Garcia's avatar
      spi: pl022: Specify 'num-cs' property as required in devicetree binding · 4e7f1779
      Ezequiel Garcia authored
      commit ea6055c4 upstream.
      
      Since commit 39a6ac11 ("spi/pl022: Devicetree support w/o platform data")
      the 'num-cs' parameter cannot be passed through platform data when probing
      with devicetree. Instead, it's a required devicetree property.
      
      Fix the binding documentation so the property is properly specified.
      
      Fixes: 39a6ac11 ("spi/pl022: Devicetree support w/o platform data")
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@vanguardiasur.com.ar>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4e7f1779
    • Stefan Wahren's avatar
      regulator: core: fix constraints output buffer · 1ffe4b45
      Stefan Wahren authored
      commit a7068e39 upstream.
      
      The buffer for condtraints debug isn't big enough to hold the output
      in all cases. So fix this issue by increasing the buffer.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1ffe4b45
    • Maxime Coquelin's avatar
      regmap: Fix possible shift overflow in regmap_field_init() · 190747f7
      Maxime Coquelin authored
      commit 921cc294 upstream.
      
      The way the mask is generated in regmap_field_init() is wrong.
      Indeed, a field initialized with msb = 31 and lsb = 0 provokes a shift
      overflow while calculating the mask field.
      
      On some 32 bits architectures, such as x86, the generated mask is 0,
      instead of the expected 0xffffffff.
      
      This patch uses GENMASK() to fix the problem, as this macro is already safe
      regarding shift overflow.
      
      [-js: in 3.12, we do not have GENMASK for general access. Define
      locally as RM_GENMASK.]
      Signed-off-by: default avatarMaxime Coquelin <maxime.coquelin@st.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      190747f7
    • Arun Chandran's avatar
      regmap: Fix regmap_bulk_read in BE mode · c28cdee6
      Arun Chandran authored
      commit 15b8d2c4 upstream.
      
      In big endian mode regmap_bulk_read gives incorrect data
      for byte reads.
      
      This is because memcpy of a single byte from an address
      after full word read gives different results when
      endianness differs. ie. we get little-end in LE and big-end in BE.
      Signed-off-by: default avatarArun Chandran <achandran@mvista.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c28cdee6
    • Rafael J. Wysocki's avatar
      cpuidle / menu: Return (-1) if there are no suitable states · 4d8b8587
      Rafael J. Wysocki authored
      commit 3836785a upstream.
      
      If there is a PM QoS latency limit and all of the sufficiently shallow
      C-states are disabled, the cpuidle menu governor returns 0 which on
      some systems is CPUIDLE_DRIVER_STATE_START and shouldn't be returned
      if that C-state has been disabled.
      
      Fix the issue by modifying the menu governor to return (-1) in such
      situations.
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      [shilpab: Backport to 3.10.y
       - adjust context
       - add a check if 'next_state' is less than 0 in 'cpuidle_idle_call()',
         this ensures that we exit 'cpuidle_idle_call()' if governor->select()
         returns  negative value]
      Signed-off-by: default avatarShilpasri G Bhat <shilpa.bhat@linux.vnet.ibm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4d8b8587
    • Will Deacon's avatar
      arm64: vdso: work-around broken ELF toolchains in Makefile · e2046be9
      Will Deacon authored
      commit 6f1a6ae8 upstream.
      
      When building the kernel with a bare-metal (ELF) toolchain, the -shared
      option may not be passed down to collect2, resulting in silent corruption
      of the vDSO image (in particular, the DYNAMIC section is omitted).
      
      The effect of this corruption is that the dynamic linker fails to find
      the vDSO symbols and libc is instead used for the syscalls that we
      intended to optimise (e.g. gettimeofday). Functionally, there is no
      issue as the sigreturn trampoline is still intact and located by the
      kernel.
      
      This patch fixes the problem by explicitly passing -shared to the linker
      when building the vDSO.
      Reported-by: default avatarSzabolcs Nagy <Szabolcs.Nagy@arm.com>
      Reported-by: default avatarJames Greenlaigh <james.greenhalgh@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e2046be9
    • Dave P Martin's avatar
      arm64: mm: Fix freeing of the wrong memmap entries with !SPARSEMEM_VMEMMAP · 60b51980
      Dave P Martin authored
      commit b9bcc919 upstream.
      
      The memmap freeing code in free_unused_memmap() computes the end of
      each memblock by adding the memblock size onto the base.  However,
      if SPARSEMEM is enabled then the value (start) used for the base
      may already have been rounded downwards to work out which memmap
      entries to free after the previous memblock.
      
      This may cause memmap entries that are in use to get freed.
      
      In general, you're not likely to hit this problem unless there
      are at least 2 memblocks and one of them is not aligned to a
      sparsemem section boundary.  Note that carve-outs can increase
      the number of memblocks by splitting the regions listed in the
      device tree.
      
      This problem doesn't occur with SPARSEMEM_VMEMMAP, because the
      vmemmap code deals with freeing the unused regions of the memmap
      instead of requiring the arch code to do it.
      
      This patch gets the memblock base out of the memblock directly when
      computing the block end address to ensure the correct value is used.
      Signed-off-by: default avatarDave Martin <Dave.Martin@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      60b51980
    • Catalin Marinas's avatar
      arm64: Do not attempt to use init_mm in reset_context() · 4dd03eff
      Catalin Marinas authored
      commit 565630d5 upstream.
      
      After secondary CPU boot or hotplug, the active_mm of the idle thread is
      &init_mm. The init_mm.pgd (swapper_pg_dir) is only meant for TTBR1_EL1
      and must not be set in TTBR0_EL1. Since when active_mm == &init_mm the
      TTBR0_EL1 is already set to the reserved value, there is no need to
      perform any context reset.
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4dd03eff
    • Vineet Gupta's avatar
      ARC: add compiler barrier to LLSC based cmpxchg · d308de3b
      Vineet Gupta authored
      commit d57f7272 upstream.
      
      When auditing cmpxchg call sites, Chuck noted that gcc was optimizing
      away some of the desired LDs.
      
      |	do {
      |		new = old = *ipi_data_ptr;
      |		new |= 1U << msg;
      |	} while (cmpxchg(ipi_data_ptr, old, new) != old);
      
      was generating to below
      
      | 8015cef8:	ld         r2,[r4,0]  <-- First LD
      | 8015cefc:	bset       r1,r2,r1
      |
      | 8015cf00:	llock      r3,[r4]  <-- atomic op
      | 8015cf04:	brne       r3,r2,8015cf10
      | 8015cf08:	scond      r1,[r4]
      | 8015cf0c:	bnz        8015cf00
      |
      | 8015cf10:	brne       r3,r2,8015cf00  <-- Branch doesn't go to orig LD
      
      Although this was fixed by adding a ACCESS_ONCE in this call site, it
      seems safer (for now at least) to add compiler barrier to LLSC based
      cmpxchg
      Reported-by: default avatarChuck Jordan <cjordan@synopsys.com>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d308de3b
    • Takashi Iwai's avatar
      ALSA: hda - Fix the dock headphone output on Fujitsu Lifebook E780 · 2f14e9e8
      Takashi Iwai authored
      commit 4df3fd17 upstream.
      
      Fujitsu Lifebook E780 sets the sequence number 0x0f to only only of
      the two headphones, thus the driver tries to assign another as the
      line-out, and this results in the inconsistent mapping between the
      created jack ctl and the actual I/O.  Due to this, PulseAudio doesn't
      handle it properly and gets the silent output.
      
      The fix is to ignore the non-HP sequencer checks.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=99681Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2f14e9e8
    • Takashi Iwai's avatar
      ALSA: hda - Add headset support to Acer Aspire V5 · 318344bc
      Takashi Iwai authored
      commit 7819717b upstream.
      
      Acer Aspire V5 with ALC282 codec needs the similar quirk like Dell
      laptops to support the headset mic.  The headset mic pin is 0x19 and
      it's not exposed by BIOS, thus we need to fix the pincfg as well.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=96201Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      318344bc
    • Ryan Underwood's avatar
      Disable write buffering on Toshiba ToPIC95 · 9b534159
      Ryan Underwood authored
      commit 2fb22a80 upstream.
      
      Disable write buffering on the Toshiba ToPIC95 if it is enabled by
      somebody (it is not supposed to be a power-on default according to
      the datasheet). On the ToPIC95, practically no 32-bit Cardbus card
      will work under heavy load without locking up the whole system if
      this is left enabled. I tried about a dozen. It does not affect
      16-bit cards. This is similar to the O2 bugs in early controller
      revisions it seems.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=55961Signed-off-by: default avatarRyan C. Underwood <nemesis@icequake.net>
      Signed-off-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9b534159
    • Brian King's avatar
      ipr: Increase default adapter init stage change timeout · 9acf0767
      Brian King authored
      commit 45c44b5f upstream.
      
      Increase the default init stage change timeout from 15 seconds to 30 seconds.
      This resolves issues we have seen with some adapters not transitioning
      to the first init stage within 15 seconds, which results in adapter
      initialization failures.
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9acf0767
    • Paul E. McKenney's avatar
      rcu: Correctly handle non-empty Tiny RCU callback list with none ready · 8e1aa21d
      Paul E. McKenney authored
      commit 6e91f8cb upstream.
      
      If, at the time __rcu_process_callbacks() is invoked,  there are callbacks
      in Tiny RCU's callback list, but none of them are ready to be invoked,
      the current list-management code will knit the non-ready callbacks out
      of the list.  This can result in hangs and possibly worse.  This commit
      therefore inserts a check for there being no callbacks that can be
      invoked immediately.
      
      This bug is unlikely to occur -- you have to get a new callback between
      the time rcu_sched_qs() or rcu_bh_qs() was called, but before we get to
      __rcu_process_callbacks().  It was detected by the addition of RCU-bh
      testing to rcutorture, which in turn was instigated by Iftekhar Ahmed's
      mutation testing.  Although this bug was made much more likely by
      915e8a4f (rcu: Remove fastpath from __rcu_process_callbacks()), this
      did not cause the bug, but rather made it much more probable.   That
      said, it takes more than 40 hours of rcutorture testing, on average,
      for this bug to appear, so this fix cannot be considered an emergency.
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8e1aa21d
    • Bjorn Helgaas's avatar
      x86/PCI: Use host bridge _CRS info on systems with >32 bit addressing · 601291ed
      Bjorn Helgaas authored
      commit 3d9fecf6 upstream.
      
      We enable _CRS on all systems from 2008 and later.  On older systems, we
      ignore _CRS and assume the whole physical address space (excluding RAM and
      other devices) is available for PCI devices, but on systems that support
      physical address spaces larger than 4GB, it's doubtful that the area above
      4GB is really available for PCI.
      
      After d56dbf5b ("PCI: Allocate 64-bit BARs above 4G when possible"), we
      try to use that space above 4GB *first*, so we're more likely to put a
      device there.
      
      On Juan's Toshiba Satellite Pro U200, BIOS left the graphics, sound, 1394,
      and card reader devices unassigned (but only after Windows had been
      booted).  Only the sound device had a 64-bit BAR, so it was the only device
      placed above 4GB, and hence the only device that didn't work.
      
      Keep _CRS enabled even on pre-2008 systems if they support physical address
      space larger than 4GB.
      
      Fixes: d56dbf5b ("PCI: Allocate 64-bit BARs above 4G when possible")
      Reported-and-tested-by: default avatarJuan Dayer <jdayer@outlook.com>
      Reported-and-tested-by: default avatarAlan Horsfield <alan@hazelgarth.co.uk>
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=99221
      Link: https://bugzilla.opensuse.org/show_bug.cgi?id=907092Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      601291ed
    • Eric W. Biederman's avatar
      vfs: Ignore unlocked mounts in fs_fully_visible · 5029d7e0
      Eric W. Biederman authored
      commit ceeb0e5d upstream.
      
      Limit the mounts fs_fully_visible considers to locked mounts.
      Unlocked can always be unmounted so considering them adds hassle
      but no security benefit.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5029d7e0
    • Eric W. Biederman's avatar
      vfs: Remove incorrect debugging WARN in prepend_path · 4ac11cad
      Eric W. Biederman authored
      commit 93e3bce6 upstream.
      
      The warning message in prepend_path is unclear and outdated.  It was
      added as a warning that the mechanism for generating names of pseudo
      files had been removed from prepend_path and d_dname should be used
      instead.  Unfortunately the warning reads like a general warning,
      making it unclear what to do with it.
      
      Remove the warning.  The transition it was added to warn about is long
      over, and I added code several years ago which in rare cases causes
      the warning to fire on legitimate code, and the warning is now firing
      and scaring people for no good reason.
      Reported-by: default avatarIvan Delalande <colona@arista.com>
      Reported-by: default avatarOmar Sandoval <osandov@osandov.com>
      Fixes: f48cfddc ("vfs: In d_path don't call d_dname on a mount point")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4ac11cad
    • Jan Kara's avatar
      fs: Fix S_NOSEC handling · c37fe1ff
      Jan Kara authored
      commit 2426f391 upstream.
      
      file_remove_suid() could mistakenly set S_NOSEC inode bit when root was
      modifying the file. As a result following writes to the file by ordinary
      user would avoid clearing suid or sgid bits.
      
      Fix the bug by checking actual mode bits before setting S_NOSEC.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c37fe1ff
    • Radim Krčmář's avatar
      KVM: x86: make vapics_in_nmi_mode atomic · 67b3047b
      Radim Krčmář authored
      commit 42720138 upstream.
      
      Writes were a bit racy, but hard to turn into a bug at the same time.
      (Particularly because modern Linux doesn't use this feature anymore.)
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      [Actually the next patch makes it much, much easier to trigger the race
       so I'm including this one for stable@ as well. - Paolo]
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      67b3047b
    • James Hogan's avatar
      MIPS: Fix KVM guest fixmap address · 55d8b6ac
      James Hogan authored
      commit 8e748c8d upstream.
      
      KVM guest kernels for trap & emulate run in user mode, with a modified
      set of kernel memory segments. However the fixmap address is still in
      the normal KSeg3 region at 0xfffe0000 regardless, causing problems when
      cache alias handling makes use of them when handling copy on write.
      
      Therefore define FIXADDR_TOP as 0x7ffe0000 in the guest kernel mapped
      region when CONFIG_KVM_GUEST is defined.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/9887/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      55d8b6ac
    • Bjorn Helgaas's avatar
      x86/PCI: Use host bridge _CRS info on Foxconn K8M890-8237A · 0fc28ac7
      Bjorn Helgaas authored
      commit 1dace011 upstream.
      
      The Foxconn K8M890-8237A has two PCI host bridges, and we can't assign
      resources correctly without the information from _CRS that tells us which
      address ranges are claimed by which bridge.  In the bugs mentioned below,
      we incorrectly assign a sound card address (this example is from 1033299):
      
        bus: 00 index 2 [mem 0x80000000-0xfcffffffff]
        ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-7f])
        pci_root PNP0A08:00: host bridge window [mem 0x80000000-0xbfefffff] (ignored)
        pci_root PNP0A08:00: host bridge window [mem 0xc0000000-0xdfffffff] (ignored)
        pci_root PNP0A08:00: host bridge window [mem 0xf0000000-0xfebfffff] (ignored)
        ACPI: PCI Root Bridge [PCI1] (domain 0000 [bus 80-ff])
        pci_root PNP0A08:01: host bridge window [mem 0xbff00000-0xbfffffff] (ignored)
        pci 0000:80:01.0: [1106:3288] type 0 class 0x000403
        pci 0000:80:01.0: reg 10: [mem 0xbfffc000-0xbfffffff 64bit]
        pci 0000:80:01.0: address space collision: [mem 0xbfffc000-0xbfffffff 64bit] conflicts with PCI Bus #00 [mem 0x80000000-0xfcffffffff]
        pci 0000:80:01.0: BAR 0: assigned [mem 0xfd00000000-0xfd00003fff 64bit]
        BUG: unable to handle kernel paging request at ffffc90000378000
        IP: [<ffffffffa0345f63>] azx_create+0x37c/0x822 [snd_hda_intel]
      
      We assigned 0xfd_0000_0000, but that is not in any of the host bridge
      windows, and the sound card doesn't work.
      
      Turn on pci=use_crs automatically for this system.
      
      Link: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368
      Link: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0fc28ac7
    • Anton Blanchard's avatar
      powerpc/perf: Fix book3s kernel to userspace backtraces · d820ef12
      Anton Blanchard authored
      commit 72e349f1 upstream.
      
      When we take a PMU exception or a software event we call
      perf_read_regs(). This overloads regs->result with a boolean that
      describes if we should use the sampled instruction address register
      (SIAR) or the regs.
      
      If the exception is in kernel, we start with the kernel regs and
      backtrace through the kernel stack. At this point we switch to the
      userspace regs and backtrace the user stack with perf_callchain_user().
      
      Unfortunately these regs have not got the perf_read_regs() treatment,
      so regs->result could be anything. If it is non zero,
      perf_instruction_pointer() decides to use the SIAR, and we get issues
      like this:
      
      0.11%  qemu-system-ppc  [kernel.kallsyms]        [k] _raw_spin_lock_irqsave
             |
             ---_raw_spin_lock_irqsave
                |
                |--52.35%-- 0
                |          |
                |          |--46.39%-- __hrtimer_start_range_ns
                |          |          kvmppc_run_core
                |          |          kvmppc_vcpu_run_hv
                |          |          kvmppc_vcpu_run
                |          |          kvm_arch_vcpu_ioctl_run
                |          |          kvm_vcpu_ioctl
                |          |          do_vfs_ioctl
                |          |          sys_ioctl
                |          |          system_call
                |          |          |
                |          |          |--67.08%-- _raw_spin_lock_irqsave <--- hi mum
                |          |          |          |
                |          |          |           --100.00%-- 0x7e714
                |          |          |                     0x7e714
      
      Notice the bogus _raw_spin_irqsave when we transition from kernel
      (system_call) to userspace (0x7e714). We inserted what was in the SIAR.
      
      Add a check in regs_use_siar() to check that the regs in question
      are from a PMU exception. With this fix the backtrace makes sense:
      
           0.47%  qemu-system-ppc  [kernel.vmlinux]         [k] _raw_spin_lock_irqsave
                  |
                  ---_raw_spin_lock_irqsave
                     |
                     |--53.83%-- 0
                     |          |
                     |          |--44.73%-- hrtimer_try_to_cancel
                     |          |          kvmppc_start_thread
                     |          |          kvmppc_run_core
                     |          |          kvmppc_vcpu_run_hv
                     |          |          kvmppc_vcpu_run
                     |          |          kvm_arch_vcpu_ioctl_run
                     |          |          kvm_vcpu_ioctl
                     |          |          do_vfs_ioctl
                     |          |          sys_ioctl
                     |          |          system_call
                     |          |          __ioctl
                     |          |          0x7e714
                     |          |          0x7e714
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d820ef12
    • Marc Zyngier's avatar
      arm: KVM: force execution of HCPTR access on VM exit · 91f6ad7d
      Marc Zyngier authored
      commit 85e84ba3 upstream.
      
      On VM entry, we disable access to the VFP registers in order to
      perform a lazy save/restore of these registers.
      
      On VM exit, we restore access, test if we did enable them before,
      and save/restore the guest/host registers if necessary. In this
      sequence, the FPEXC register is always accessed, irrespective
      of the trapping configuration.
      
      If the guest didn't touch the VFP registers, then the HCPTR access
      has now enabled such access, but we're missing a barrier to ensure
      architectural execution of the new HCPTR configuration. If the HCPTR
      access has been delayed/reordered, the subsequent access to FPEXC
      will cause a trap, which we aren't prepared to handle at all.
      
      The same condition exists when trapping to enable VFP for the guest.
      
      The fix is to introduce a barrier after enabling VFP access. In the
      vmexit case, it can be relaxed to only takes place if the guest hasn't
      accessed its view of the VFP registers, making the access to FPEXC safe.
      
      The set_hcptr macro is modified to deal with both vmenter/vmexit and
      vmtrap operations, and now takes an optional label that is branched to
      when the guest hasn't touched the VFP registers.
      Reported-by: default avatarVikram Sethi <vikrams@codeaurora.org>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      91f6ad7d
    • Joerg Roedel's avatar
      iommu/amd: Handle large pages correctly in free_pagetable · 4075da9b
      Joerg Roedel authored
      commit 0b3fff54 upstream.
      
      Make sure that we are skipping over large PTEs while walking
      the page-table tree.
      
      Fixes: 5c34c403 ("iommu/amd: Fix memory leak in free_pagetable")
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4075da9b
    • Horia Geant?'s avatar
      Revert "crypto: talitos - convert to use be16_add_cpu()" · 7f9a9673
      Horia Geant? authored
      commit 69d9cd8c upstream.
      
      This reverts commit 7291a932.
      
      The conversion to be16_add_cpu() is incorrect in case cryptlen is
      negative due to premature (i.e. before addition / subtraction)
      implicit conversion of cryptlen (int -> u16) leading to sign loss.
      
      Cc: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarHoria Geanta <horia.geanta@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7f9a9673
    • Horia Geant?'s avatar
      crypto: talitos - avoid memleak in talitos_alg_alloc() · 284d4f3c
      Horia Geant? authored
      commit 5fa7dadc upstream.
      
      Fixes: 1d11911a ("crypto: talitos - fix warning: 'alg' may be used uninitialized in this function")
      Signed-off-by: default avatarHoria Geanta <horia.geanta@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      284d4f3c
    • Alexander Sverdlin's avatar
      sctp: Fix race between OOTB responce and route removal · a41f0610
      Alexander Sverdlin authored
      [ Upstream commit 29c4afc4 ]
      
      There is NULL pointer dereference possible during statistics update if the route
      used for OOTB responce is removed at unfortunate time. If the route exists when
      we receive OOTB packet and we finally jump into sctp_packet_transmit() to send
      ABORT, but in the meantime route is removed under our feet, we take "no_route"
      path and try to update stats with IP_INC_STATS(sock_net(asoc->base.sk), ...).
      
      But sctp_ootb_pkt_new() used to prepare responce packet doesn't call
      sctp_transport_set_owner() and therefore there is no asoc associated with this
      packet. Probably temporary asoc just for OOTB responces is overkill, so just
      introduce a check like in all other places in sctp_packet_transmit(), where
      "asoc" is dereferenced.
      
      To reproduce this, one needs to
      0. ensure that sctp module is loaded (otherwise ABORT is not generated)
      1. remove default route on the machine
      2. while true; do
           ip route del [interface-specific route]
           ip route add [interface-specific route]
         done
      3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
         responce
      
      On x86_64 the crash looks like this:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      IP: [<ffffffffa05ec9ac>] sctp_packet_transmit+0x63c/0x730 [sctp]
      PGD 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: ...
      CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.0.5-1-ARCH #1
      Hardware name: ...
      task: ffffffff818124c0 ti: ffffffff81800000 task.ti: ffffffff81800000
      RIP: 0010:[<ffffffffa05ec9ac>]  [<ffffffffa05ec9ac>] sctp_packet_transmit+0x63c/0x730 [sctp]
      RSP: 0018:ffff880127c037b8  EFLAGS: 00010296
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000015ff66b480
      RDX: 00000015ff66b400 RSI: ffff880127c17200 RDI: ffff880123403700
      RBP: ffff880127c03888 R08: 0000000000017200 R09: ffffffff814625af
      R10: ffffea00047e4680 R11: 00000000ffffff80 R12: ffff8800b0d38a28
      R13: ffff8800b0d38a28 R14: ffff8800b3e88000 R15: ffffffffa05f24e0
      FS:  0000000000000000(0000) GS:ffff880127c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000020 CR3: 00000000c855b000 CR4: 00000000000007f0
      Stack:
       ffff880127c03910 ffff8800b0d38a28 ffffffff8189d240 ffff88011f91b400
       ffff880127c03828 ffffffffa05c94c5 0000000000000000 ffff8800baa1c520
       0000000000000000 0000000000000001 0000000000000000 0000000000000000
      Call Trace:
       <IRQ>
       [<ffffffffa05c94c5>] ? sctp_sf_tabort_8_4_8.isra.20+0x85/0x140 [sctp]
       [<ffffffffa05d6b42>] ? sctp_transport_put+0x52/0x80 [sctp]
       [<ffffffffa05d0bfc>] sctp_do_sm+0xb8c/0x19a0 [sctp]
       [<ffffffff810b0e00>] ? trigger_load_balance+0x90/0x210
       [<ffffffff810e0329>] ? update_process_times+0x59/0x60
       [<ffffffff812c7a40>] ? timerqueue_add+0x60/0xb0
       [<ffffffff810e0549>] ? enqueue_hrtimer+0x29/0xa0
       [<ffffffff8101f599>] ? read_tsc+0x9/0x10
       [<ffffffff8116d4b5>] ? put_page+0x55/0x60
       [<ffffffff810ee1ad>] ? clockevents_program_event+0x6d/0x100
       [<ffffffff81462b68>] ? skb_free_head+0x58/0x80
       [<ffffffffa029a10b>] ? chksum_update+0x1b/0x27 [crc32c_generic]
       [<ffffffff81283f3e>] ? crypto_shash_update+0xce/0xf0
       [<ffffffffa05d3993>] sctp_endpoint_bh_rcv+0x113/0x280 [sctp]
       [<ffffffffa05dd4e6>] sctp_inq_push+0x46/0x60 [sctp]
       [<ffffffffa05ed7a0>] sctp_rcv+0x880/0x910 [sctp]
       [<ffffffffa05ecb50>] ? sctp_packet_transmit_chunk+0xb0/0xb0 [sctp]
       [<ffffffffa05ecb70>] ? sctp_csum_update+0x20/0x20 [sctp]
       [<ffffffff814b05a5>] ? ip_route_input_noref+0x235/0xd30
       [<ffffffff81051d6b>] ? ack_ioapic_level+0x7b/0x150
       [<ffffffff814b27be>] ip_local_deliver_finish+0xae/0x210
       [<ffffffff814b2e15>] ip_local_deliver+0x35/0x90
       [<ffffffff814b2a15>] ip_rcv_finish+0xf5/0x370
       [<ffffffff814b3128>] ip_rcv+0x2b8/0x3a0
       [<ffffffff81474193>] __netif_receive_skb_core+0x763/0xa50
       [<ffffffff81476c28>] __netif_receive_skb+0x18/0x60
       [<ffffffff81476cb0>] netif_receive_skb_internal+0x40/0xd0
       [<ffffffff814776c8>] napi_gro_receive+0xe8/0x120
       [<ffffffffa03946aa>] rtl8169_poll+0x2da/0x660 [r8169]
       [<ffffffff8147896a>] net_rx_action+0x21a/0x360
       [<ffffffff81078dc1>] __do_softirq+0xe1/0x2d0
       [<ffffffff8107912d>] irq_exit+0xad/0xb0
       [<ffffffff8157d158>] do_IRQ+0x58/0xf0
       [<ffffffff8157b06d>] common_interrupt+0x6d/0x6d
       <EOI>
       [<ffffffff810e1218>] ? hrtimer_start+0x18/0x20
       [<ffffffffa05d65f9>] ? sctp_transport_destroy_rcu+0x29/0x30 [sctp]
       [<ffffffff81020c50>] ? mwait_idle+0x60/0xa0
       [<ffffffff810216ef>] arch_cpu_idle+0xf/0x20
       [<ffffffff810b731c>] cpu_startup_entry+0x3ec/0x480
       [<ffffffff8156b365>] rest_init+0x85/0x90
       [<ffffffff818eb035>] start_kernel+0x48b/0x4ac
       [<ffffffff818ea120>] ? early_idt_handlers+0x120/0x120
       [<ffffffff818ea339>] x86_64_start_reservations+0x2a/0x2c
       [<ffffffff818ea49c>] x86_64_start_kernel+0x161/0x184
      Code: 90 48 8b 80 b8 00 00 00 48 89 85 70 ff ff ff 48 83 bd 70 ff ff ff 00 0f 85 cd fa ff ff 48 89 df 31 db e8 18 63 e7 e0 48 8b 45 80 <48> 8b 40 20 48 8b 40 30 48 8b 80 68 01 00 00 65 48 ff 40 78 e9
      RIP  [<ffffffffa05ec9ac>] sctp_packet_transmit+0x63c/0x730 [sctp]
       RSP <ffff880127c037b8>
      CR2: 0000000000000020
      ---[ end trace 5aec7fd2dc983574 ]---
      Kernel panic - not syncing: Fatal exception in interrupt
      Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
      drm_kms_helper: panic occurred, switching back to text console
      ---[ end Kernel panic - not syncing: Fatal exception in interrupt
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a41f0610
    • Julian Anastasov's avatar
      neigh: do not modify unlinked entries · 5cfc7581
      Julian Anastasov authored
      [ Upstream commit 2c51a97f ]
      
      The lockless lookups can return entry that is unlinked.
      Sometimes they get reference before last neigh_cleanup_and_release,
      sometimes they do not need reference. Later, any
      modification attempts may result in the following problems:
      
      1. entry is not destroyed immediately because neigh_update
      can start the timer for dead entry, eg. on change to NUD_REACHABLE
      state. As result, entry lives for some time but is invisible
      and out of control.
      
      2. __neigh_event_send can run in parallel with neigh_destroy
      while refcnt=0 but if timer is started and expired refcnt can
      reach 0 for second time leading to second neigh_destroy and
      possible crash.
      
      Thanks to Eric Dumazet and Ying Xue for their work and analyze
      on the __neigh_event_send change.
      
      Fixes: 767e97e1 ("neigh: RCU conversion of struct neighbour")
      Fixes: a263b309 ("ipv4: Make neigh lookups directly in output packet path.")
      Fixes: 6fd6ce20 ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5cfc7581
    • Willem de Bruijn's avatar
      packet: avoid out of bounds read in round robin fanout · 53cd9056
      Willem de Bruijn authored
      [ Upstream commit 468479e6 ]
      
      PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
      f->num_members. It returns the old value unconditionally, but
      f->num_members may have changed since the last store. Ensure
      that the return value is always < num.
      
      When modifying the logic, simplify it further by replacing the loop
      with an unconditional atomic increment.
      
      Fixes: dc99f600 ("packet: Add fanout support.")
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      53cd9056
    • Eric Dumazet's avatar
      packet: read num_members once in packet_rcv_fanout() · d8162e46
      Eric Dumazet authored
      [ Upstream commit f98f4514 ]
      
      We need to tell compiler it must not read f->num_members multiple
      times. Otherwise testing if num is not zero is flaky, and we could
      attempt an invalid divide by 0 in fanout_demux_cpu()
      
      Note bug was present in packet_rcv_fanout_hash() and
      packet_rcv_fanout_lb() but final 3.1 had a simple location
      after commit 95ec3eb4 ("packet: Add 'cpu' fanout policy.")
      
      Fixes: dc99f600 ("packet: Add fanout support.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d8162e46
    • Nikolay Aleksandrov's avatar
      bridge: fix br_stp_set_bridge_priority race conditions · f08abd15
      Nikolay Aleksandrov authored
      [ Upstream commit 2dab80a8 ]
      
      After the ->set() spinlocks were removed br_stp_set_bridge_priority
      was left running without any protection when used via sysfs. It can
      race with port add/del and could result in use-after-free cases and
      corrupted lists. Tested by running port add/del in a loop with stp
      enabled while setting priority in a loop, crashes are easily
      reproducible.
      The spinlocks around sysfs ->set() were removed in commit:
      14f98f25 ("bridge: range check STP parameters")
      There's also a race condition in the netlink priority support that is
      fixed by this change, but it was introduced recently and the fixes tag
      covers it, just in case it's needed the commit is:
      af615762 ("bridge: add ageing_time, stp_state, priority over netlink")
      Signed-off-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Fixes: 14f98f25 ("bridge: range check STP parameters")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f08abd15
    • Marcelo Ricardo Leitner's avatar
      sctp: fix ASCONF list handling · bee9ad8f
      Marcelo Ricardo Leitner authored
      [ Upstream commit 2d45a02d ]
      
      ->auto_asconf_splist is per namespace and mangled by functions like
      sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
      
      Also, the call to inet_sk_copy_descendant() was backuping
      ->auto_asconf_list through the copy but was not honoring
      ->do_auto_asconf, which could lead to list corruption if it was
      different between both sockets.
      
      This commit thus fixes the list handling by using ->addr_wq_lock
      spinlock to protect the list. A special handling is done upon socket
      creation and destruction for that. Error handlig on sctp_init_sock()
      will never return an error after having initialized asconf, so
      sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
      will be take on sctp_close_sock(), before locking the socket, so we
      don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
      
      Instead of taking the lock on sctp_sock_migrate() for copying and
      restoring the list values, it's preferred to avoid rewritting it by
      implementing sctp_copy_descendant().
      
      Issue was found with a test application that kept flipping sysctl
      default_auto_asconf on and off, but one could trigger it by issuing
      simultaneous setsockopt() calls on multiple sockets or by
      creating/destroying sockets fast enough. This is only triggerable
      locally.
      
      Fixes: 9f7d653b ("sctp: Add Auto-ASCONF support (core).")
      Reported-by: default avatarJi Jianwen <jiji@redhat.com>
      Suggested-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Suggested-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bee9ad8f