1. 19 Nov, 2014 40 commits
    • Helge Deller's avatar
      parisc: Use compat layer for msgctl, shmat, shmctl and semtimedop syscalls · e29a7bc4
      Helge Deller authored
      commit 2fe749f5 upstream.
      
      Switch over the msgctl, shmat, shmctl and semtimedop syscalls to use the compat
      layer. The problem was found with the debian procenv package, which called
      	shmctl(0, SHM_INFO, &info);
      in which the shmctl syscall then overwrote parts of the surrounding areas on
      the stack on which the info variable was stored and thus lead to a segfault
      later on.
      
      Additionally fix the definition of struct shminfo64 to use unsigned longs like
      the other architectures. This has no impact on userspace since we only have a
      32bit userspace up to now.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: John David Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e29a7bc4
    • Christoph Hellwig's avatar
      scsi: only re-lock door after EH on devices that were reset · 7a6e7a36
      Christoph Hellwig authored
      commit 48379270 upstream.
      
      Setups that use the blk-mq I/O path can lock up if a host with a single
      device that has its door locked enters EH.  Make sure to only send the
      command to re-lock the door to devices that actually were reset and thus
      might have lost their state.  Otherwise the EH code might be get blocked
      on blk_get_request as all requests for non-reset devices might be in use.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Tested-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7a6e7a36
    • Peng Tao's avatar
      nfs: fix pnfs direct write memory leak · d0c8187c
      Peng Tao authored
      commit 8c393f9a upstream.
      
      For pNFS direct writes, layout driver may dynamically allocate ds_cinfo.buckets.
      So we need to take care to free them when freeing dreq.
      
      Ideally this needs to be done inside layout driver where ds_cinfo.buckets
      are allocated. But buckets are attached to dreq and reused across LD IO iterations.
      So I feel it's OK to free them in the generic layer.
      Signed-off-by: default avatarPeng Tao <tao.peng@primarydata.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d0c8187c
    • Stefan Richter's avatar
      firewire: cdev: prevent kernel stack leaking into ioctl arguments · 9fb5f68e
      Stefan Richter authored
      commit eaca2d8e upstream.
      
      Found by the UC-KLEE tool:  A user could supply less input to
      firewire-cdev ioctls than write- or write/read-type ioctl handlers
      expect.  The handlers used data from uninitialized kernel stack then.
      
      This could partially leak back to the user if the kernel subsequently
      generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
      which notably would contain the _u64 closure field which many of the
      ioctl argument structures contain.
      
      The fact that the handlers would act on random garbage input is a
      lesser issue since all handlers must check their input anyway.
      
      The fix simply always null-initializes the entire ioctl argument buffer
      regardless of the actual length of expected user input.  That is, a
      runtime overhead of memset(..., 40) is added to each firewirew-cdev
      ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
      most likely to be already in the cache.]
      
      Remarks:
        - There was never any leak from kernel stack to the ioctl output
          buffer itself.  IOW, it was not possible to read kernel stack by a
          read-type or write/read-type ioctl alone; the leak could at most
          happen in combination with read()ing subsequent event data.
        - The actual expected minimum user input of each ioctl from
          include/uapi/linux/firewire-cdev.h is, in bytes:
          [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
          [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
          [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
          [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
          [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9fb5f68e
    • Kyle McMartin's avatar
      arm64: __clear_user: handle exceptions on strb · beb762ba
      Kyle McMartin authored
      commit 97fc1543 upstream.
      
      ARM64 currently doesn't fix up faults on the single-byte (strb) case of
      __clear_user... which means that we can cause a nasty kernel panic as an
      ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
      i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
      
      This is a pretty obscure bug in the general case since we'll only
      __do_kernel_fault (since there's no extable entry for pc) if the
      mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
      always fault.
      
      if (!down_read_trylock(&mm->mmap_sem)) {
      	if (!user_mode(regs) && !search_exception_tables(regs->pc))
      		goto no_context;
      retry:
      	down_read(&mm->mmap_sem);
      } else {
      	/*
      	 * The above down_read_trylock() might have succeeded in
      	 * which
      	 * case, we'll have missed the might_sleep() from
      	 * down_read().
      	 */
      	might_sleep();
      	if (!user_mode(regs) && !search_exception_tables(regs->pc))
      		goto no_context;
      }
      
      Fix that by adding an extable entry for the strb instruction, since it
      touches user memory, similar to the other stores in __clear_user.
      Signed-off-by: default avatarKyle McMartin <kyle@redhat.com>
      Reported-by: default avatarMiloš Prchlík <mprchlik@redhat.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      beb762ba
    • Joe Thornber's avatar
      dm thin: grab a virtual cell before looking up the mapping · 2c49ae54
      Joe Thornber authored
      commit c822ed96 upstream.
      
      Avoids normal IO racing with discard.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2c49ae54
    • Will Deacon's avatar
      ARM: 8191/1: decompressor: ensure I-side picks up relocated code · f0a72a0e
      Will Deacon authored
      commit 238962ac upstream.
      
      To speed up decompression, the decompressor sets up a flat, cacheable
      mapping of memory. However, when there is insufficient space to hold
      the page tables for this mapping, we don't bother to enable the caches
      and subsequently skip all the cache maintenance hooks.
      
      Skipping the cache maintenance before jumping to the relocated code
      allows the processor to predict the branch and populate the I-cache
      with stale data before the relocation loop has completed (since a
      bootloader may have SCTLR.I set, which permits normal, cacheable
      instruction fetches regardless of SCTLR.M).
      
      This patch moves the cache maintenance check into the maintenance
      routines themselves, allowing the v6/v7 versions to invalidate the
      I-cache regardless of the MMU state.
      Reported-by: default avatarMarc Carino <marc.ceeeee@gmail.com>
      Tested-by: default avatarJulien Grall <julien.grall@linaro.org>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f0a72a0e
    • Nathan Lynch's avatar
      ARM: 8198/1: make kuser helpers depend on MMU · d8149279
      Nathan Lynch authored
      commit 08b964ff upstream.
      
      The kuser helpers page is not set up on non-MMU systems, so it does
      not make sense to allow CONFIG_KUSER_HELPERS to be enabled when
      CONFIG_MMU=n.  Allowing it to be set on !MMU results in an oops in
      set_tls (used in execve and the arm_syscall trap handler):
      
      Unhandled exception: IPSR = 00000005 LR = fffffff1
      CPU: 0 PID: 1 Comm: swapper Not tainted 3.18.0-rc1-00041-ga30465a #216
      task: 8b838000 ti: 8b82a000 task.ti: 8b82a000
      PC is at flush_thread+0x32/0x40
      LR is at flush_thread+0x21/0x40
      pc : [<8f00157a>]    lr : [<8f001569>]    psr: 4100000b
      sp : 8b82be20  ip : 00000000  fp : 8b83c000
      r10: 00000001  r9 : 88018c84  r8 : 8bb85000
      r7 : 8b838000  r6 : 00000000  r5 : 8bb77400  r4 : 8b82a000
      r3 : ffff0ff0  r2 : 8b82a000  r1 : 00000000  r0 : 88020354
      xPSR: 4100000b
      CPU: 0 PID: 1 Comm: swapper Not tainted 3.18.0-rc1-00041-ga30465a #216
      [<8f002bc1>] (unwind_backtrace) from [<8f002033>] (show_stack+0xb/0xc)
      [<8f002033>] (show_stack) from [<8f00265b>] (__invalid_entry+0x4b/0x4c)
      
      As best I can tell this issue existed for the set_tls ARM syscall
      before commit fbfb872f "ARM: 8148/1: flush TLS and thumbee
      register state during exec" consolidated the TLS manipulation code
      into the set_tls helper function, but now that we're using it to flush
      register state during execve, !MMU users encounter the oops at the
      first exec.
      
      Prevent CONFIG_MMU=n configurations from enabling
      CONFIG_KUSER_HELPERS.
      
      Fixes: fbfb872f (ARM: 8148/1: flush TLS and thumbee register state during exec)
      Signed-off-by: default avatarNathan Lynch <nathan_lynch@mentor.com>
      Reported-by: default avatarStefan Agner <stefan@agner.ch>
      Acked-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d8149279
    • Alex Deucher's avatar
      drm/radeon: add missing crtc unlock when setting up the MC · 984e580d
      Alex Deucher authored
      commit f0d7bfb9 upstream.
      
      Need to unlock the crtc after updating the blanking state.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      984e580d
    • Alex Deucher's avatar
      drm/radeon: make sure mode init is complete in bandwidth_update · 30c45d8c
      Alex Deucher authored
      commit 8efe82ca upstream.
      
      The power management code calls into the display code for
      certain things.  If certain power management sysfs attributes
      are called before the driver has finished initializing all of
      the hardware we can run into problems with uninitialized
      modesetting state.  Add a check to make sure modesetting
      init has completed to the bandwidth update callbacks to
      fix this.  Can be triggered by the tlp and laptop start
      up scripts depending on the timing.
      
      bugs:
      https://bugzilla.kernel.org/show_bug.cgi?id=83611
      https://bugs.freedesktop.org/show_bug.cgi?id=85771Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      30c45d8c
    • Jammy Zhou's avatar
      drm/radeon: set correct CE ram size for CIK · 37dc0956
      Jammy Zhou authored
      commit dc4edad6 upstream.
      
      CE ram size is 32k/0k/0k for GFX/CS0/CS1 with CIK
      
      Ported from amdgpu driver.
      Signed-off-by: default avatarJammy Zhou <Jammy.Zhou@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      37dc0956
    • Johannes Berg's avatar
      mac80211: fix use-after-free in defragmentation · 8384cbaf
      Johannes Berg authored
      commit b8fff407 upstream.
      
      Upon receiving the last fragment, all but the first fragment
      are freed, but the multicast check for statistics at the end
      of the function refers to the current skb (the last fragment)
      causing a use-after-free bug.
      
      Since multicast frames cannot be fragmented and we check for
      this early in the function, just modify that check to also
      do the accounting to fix the issue.
      Reported-by: default avatarYosef Khyal <yosefx.khyal@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8384cbaf
    • Luciano Coelho's avatar
      mac80211: schedule the actual switch of the station before CSA count 0 · e7ba6308
      Luciano Coelho authored
      commit ff1e417c upstream.
      
      Due to the time it takes to process the beacon that started the CSA
      process, we may be late for the switch if we try to reach exactly
      beacon 0.  To avoid that, use count - 1 when calculating the switch time.
      Reported-by: default avatarJouni Malinen <j@w1.fi>
      Signed-off-by: default avatarLuciano Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e7ba6308
    • Johannes Berg's avatar
      mac80211: properly flush delayed scan work on interface removal · 3a5a7cd8
      Johannes Berg authored
      commit 46238845 upstream.
      
      When an interface is deleted, an ongoing hardware scan is canceled and
      the driver must abort the scan, at the very least reporting completion
      while the interface is removed.
      
      However, if it scheduled the work that might only run after everything
      is said and done, which leads to cfg80211 warning that the scan isn't
      reported as finished yet; this is no fault of the driver, it already
      did, but mac80211 hasn't processed it.
      
      To fix this situation, flush the delayed work when the interface being
      removed is the one that was executing the scan.
      Reported-by: default avatarSujith Manoharan <sujith@msujith.org>
      Tested-by: default avatarSujith Manoharan <sujith@msujith.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3a5a7cd8
    • Junjie Mao's avatar
      mac80211_hwsim: release driver when ieee80211_register_hw fails · 4d2ff0c7
      Junjie Mao authored
      commit 805dbe17 upstream.
      
      The driver is not released when ieee80211_register_hw fails in
      mac80211_hwsim_create_radio, leading to the access to the unregistered (and
      possibly freed) device in platform_driver_unregister:
      
      [    0.447547] mac80211_hwsim: ieee80211_register_hw failed (-2)
      [    0.448292] ------------[ cut here ]------------
      [    0.448854] WARNING: CPU: 0 PID: 1 at ../include/linux/kref.h:47 kobject_get+0x33/0x50()
      [    0.449839] CPU: 0 PID: 1 Comm: swapper Not tainted 3.17.0-00001-gdd46990-dirty #2
      [    0.450813] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.451512]  00000000 00000000 78025e38 7967c6c6 78025e68 7905e09b 7988b480 00000000
      [    0.452579]  00000001 79887d62 0000002f 79170bb3 79170bb3 78397008 79ac9d74 00000001
      [    0.453614]  78025e78 7905e15d 00000009 00000000 78025e84 79170bb3 78397000 78025e8c
      [    0.454632] Call Trace:
      [    0.454921]  [<7967c6c6>] dump_stack+0x16/0x18
      [    0.455453]  [<7905e09b>] warn_slowpath_common+0x6b/0x90
      [    0.456067]  [<79170bb3>] ? kobject_get+0x33/0x50
      [    0.456612]  [<79170bb3>] ? kobject_get+0x33/0x50
      [    0.457155]  [<7905e15d>] warn_slowpath_null+0x1d/0x20
      [    0.457748]  [<79170bb3>] kobject_get+0x33/0x50
      [    0.458274]  [<7925824f>] get_device+0xf/0x20
      [    0.458779]  [<7925b5cd>] driver_detach+0x3d/0xa0
      [    0.459331]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.459927]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.460660]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.461248]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.461824]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.462507]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.463161]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.463758]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.464393]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.465001]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.465569]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.466345]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.466972]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.467546]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.468072]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.468658]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.469303]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.469829] ---[ end trace ad8ac403ff8aef5c ]---
      [    0.470509] ------------[ cut here ]------------
      [    0.471047] WARNING: CPU: 0 PID: 1 at ../kernel/locking/lockdep.c:3161 __lock_acquire.isra.22+0x7aa/0xb00()
      [    0.472163] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
      [    0.472774] CPU: 0 PID: 1 Comm: swapper Tainted: G        W      3.17.0-00001-gdd46990-dirty #2
      [    0.473815] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.474492]  78025de0 78025de0 78025da0 7967c6c6 78025dd0 7905e09b 79888931 78025dfc
      [    0.475515]  00000001 79888a93 00000c59 7907f33a 7907f33a 78028000 fffe9d09 00000000
      [    0.476519]  78025de8 7905e10e 00000009 78025de0 79888931 78025dfc 78025e24 7907f33a
      [    0.477523] Call Trace:
      [    0.477821]  [<7967c6c6>] dump_stack+0x16/0x18
      [    0.478352]  [<7905e09b>] warn_slowpath_common+0x6b/0x90
      [    0.478976]  [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
      [    0.479658]  [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
      [    0.480417]  [<7905e10e>] warn_slowpath_fmt+0x2e/0x30
      [    0.480479]  [<7907f33a>] __lock_acquire.isra.22+0x7aa/0xb00
      [    0.480479]  [<79078aa5>] ? sched_clock_cpu+0xb5/0xf0
      [    0.480479]  [<7907fd06>] lock_acquire+0x56/0x70
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<79682d11>] mutex_lock_nested+0x61/0x2a0
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<7925b5e8>] driver_detach+0x58/0xa0
      [    0.480479]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.480479]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.480479]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.480479]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.480479]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.480479]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.480479]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.480479]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.480479]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.480479]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.480479]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.480479]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.480479]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.480479]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.480479]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.480479]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.480479]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.480479] ---[ end trace ad8ac403ff8aef5d ]---
      [    0.495478] BUG: unable to handle kernel paging request at 00200200
      [    0.496257] IP: [<79682de5>] mutex_lock_nested+0x135/0x2a0
      [    0.496923] *pde = 00000000
      [    0.497290] Oops: 0002 [#1]
      [    0.497653] CPU: 0 PID: 1 Comm: swapper Tainted: G        W      3.17.0-00001-gdd46990-dirty #2
      [    0.498659] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.499321] task: 78028000 ti: 78024000 task.ti: 78024000
      [    0.499955] EIP: 0060:[<79682de5>] EFLAGS: 00010097 CPU: 0
      [    0.500620] EIP is at mutex_lock_nested+0x135/0x2a0
      [    0.501145] EAX: 00200200 EBX: 78397434 ECX: 78397460 EDX: 78025e70
      [    0.501816] ESI: 00000246 EDI: 78028000 EBP: 78025e8c ESP: 78025e54
      [    0.502497]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
      [    0.503076] CR0: 8005003b CR2: 00200200 CR3: 01b9d000 CR4: 00000690
      [    0.503773] Stack:
      [    0.503998]  00000000 00000001 00000000 7925b5e8 78397460 7925b5e8 78397474 78397460
      [    0.504944]  00200200 11111111 78025e70 78397000 79ac9d74 00000001 78025ea0 7925b5e8
      [    0.505451]  79ac9d74 fffffffe 00000001 78025ebc 7925a3ff 7a251398 78025ec8 7925bf80
      [    0.505451] Call Trace:
      [    0.505451]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.505451]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.505451]  [<7925b5e8>] driver_detach+0x58/0xa0
      [    0.505451]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.505451]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.505451]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.505451]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.505451]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.505451]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.505451]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.505451]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.505451]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.505451]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.505451]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.505451]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.505451]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.505451]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.505451]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.505451]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.505451]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.505451] Code: 89 d8 e8 cf 9b 9f ff 8b 4f 04 8d 55 e4 89 d8 e8 72 9d 9f ff 8d 43 2c 89 c1 89 45 d8 8b 43 30 8d 55 e4 89 53 30 89 4d e4 89 45 e8 <89> 10 8b 55 dc 8b 45 e0 89 7d ec e8 db af 9f ff eb 11 90 31 c0
      [    0.505451] EIP: [<79682de5>] mutex_lock_nested+0x135/0x2a0 SS:ESP 0068:78025e54
      [    0.505451] CR2: 0000000000200200
      [    0.505451] ---[ end trace ad8ac403ff8aef5e ]---
      [    0.505451] Kernel panic - not syncing: Fatal exception
      
      Fixes: 9ea92774 ("mac80211_hwsim: Register and bind to driver")
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarJunjie Mao <eternal.n08@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4d2ff0c7
    • Herbert Xu's avatar
      macvtap: Fix csum_start when VLAN tags are present · 6e2b9478
      Herbert Xu authored
      commit 3ce9b20f upstream.
      
      When VLAN is in use in macvtap_put_user, we end up setting
      csum_start to the wrong place.  The result is that the whoever
      ends up doing the checksum setting will corrupt the packet instead
      of writing the checksum to the expected location, usually this
      means writing the checksum with an offset of -4.
      
      This patch fixes this by adjusting csum_start when VLAN tags are
      detected.
      
      Fixes: f09e2249 ("macvtap: restore vlan header on user read")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e2b9478
    • Ilya Dryomov's avatar
      libceph: do not crash on large auth tickets · 8ad76662
      Ilya Dryomov authored
      commit aaef3170 upstream.
      
      Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
      tickets will have their buffers vmalloc'ed, which leads to the
      following crash in crypto:
      
      [   28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
      [   28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.686032] PGD 0
      [   28.688088] Oops: 0000 [#1] PREEMPT SMP
      [   28.688088] Modules linked in:
      [   28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
      [   28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
      [   28.688088] Workqueue: ceph-msgr con_work
      [   28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
      [   28.688088] RIP: 0010:[<ffffffff81392b42>]  [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.688088] RSP: 0018:ffff8800d903f688  EFLAGS: 00010286
      [   28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
      [   28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
      [   28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
      [   28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
      [   28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
      [   28.688088] FS:  00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
      [   28.688088] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
      [   28.688088] Stack:
      [   28.688088]  ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
      [   28.688088]  ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
      [   28.688088]  ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
      [   28.688088] Call Trace:
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
      [   28.688088]  [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
      [   28.688088]  [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
      [   28.688088]  [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
      [   28.688088]  [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
      [   28.688088]  [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
      [   28.688088]  [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
      [   28.688088]  [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
      [   28.688088]  [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
      [   28.688088]  [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
      [   28.688088]  [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
      [   28.688088]  [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
      [   28.688088]  [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
      [   28.688088]  [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
      [   28.688088]  [<ffffffff81559289>] try_read+0x1e59/0x1f10
      
      This is because we set up crypto scatterlists as if all buffers were
      kmalloc'ed.  Fix it.
      Signed-off-by: default avatarIlya Dryomov <idryomov@redhat.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8ad76662
    • Max Filippov's avatar
      xtensa: re-wire umount syscall to sys_oldumount · 89e4b776
      Max Filippov authored
      commit 2651cc69 upstream.
      
      Userspace actually passes single parameter (path name) to the umount
      syscall, so new umount just fails. Fix it by requesting old umount
      syscall implementation and re-wiring umount to it.
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      89e4b776
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix memory leak in FTU quirk · 9e7e0e10
      Takashi Iwai authored
      commit 1a290581 upstream.
      
      M-audio FastTrack Ultra quirk doesn't release the kzalloc'ed memory.
      This patch adds the private_free callback to release it properly.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9e7e0e10
    • Tejun Heo's avatar
      ahci: disable MSI instead of NCQ on Samsung pci-e SSDs on macbooks · 9c599f2b
      Tejun Heo authored
      commit 66a7cbc3 upstream.
      
      Samsung pci-e SSDs on macbooks failed miserably on NCQ commands, so
      67809f85 ("ahci: disable NCQ on Samsung pci-e SSDs on macbooks")
      disabled NCQ on them.  It turns out that NCQ is fine as long as MSI is
      not used, so let's turn off MSI and leave NCQ on.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=60731
      Tested-by: <dorin@i51.org>
      Tested-by: default avatarImre Kaloz <kaloz@openwrt.org>
      Fixes: 67809f85 ("ahci: disable NCQ on Samsung pci-e SSDs on macbooks")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9c599f2b
    • James Ralston's avatar
      ahci: Add Device IDs for Intel Sunrise Point PCH · 8a489593
      James Ralston authored
      commit 690000b9 upstream.
      
      This patch adds the AHCI-mode SATA Device IDs for the Intel Sunrise Point PCH.
      Signed-off-by: default avatarJames Ralston <james.d.ralston@intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8a489593
    • Miklos Szeredi's avatar
      audit: keep inode pinned · 24c0902a
      Miklos Szeredi authored
      commit 799b6014 upstream.
      
      Audit rules disappear when an inode they watch is evicted from the cache.
      This is likely not what we want.
      
      The guilty commit is "fsnotify: allow marks to not pin inodes in core",
      which didn't take into account that audit_tree adds watches with a zero
      mask.
      
      Adding any mask should fix this.
      
      Fixes: 90b1e7a5 ("fsnotify: allow marks to not pin inodes in core")
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      24c0902a
    • Andy Lutomirski's avatar
      x86, x32, audit: Fix x32's AUDIT_ARCH wrt audit · d45d0a5e
      Andy Lutomirski authored
      commit 81f49a8f upstream.
      
      is_compat_task() is the wrong check for audit arch; the check should
      be is_ia32_task(): x32 syscalls should be AUDIT_ARCH_X86_64, not
      AUDIT_ARCH_I386.
      
      CONFIG_AUDITSYSCALL is currently incompatible with x32, so this has
      no visible effect.
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Link: http://lkml.kernel.org/r/a0138ed8c709882aec06e4acc30bfa9b623b8717.1409954077.git.luto@amacapital.netSigned-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d45d0a5e
    • Herbert Xu's avatar
      tun: Fix csum_start with VLAN acceleration · c1505848
      Herbert Xu authored
      commit a8f9bfdf upstream.
      
      When VLAN acceleration is in use on the xmit path, we end up
      setting csum_start to the wrong place.  The result is that the
      whoever ends up doing the checksum setting will corrupt the packet
      instead of writing the checksum to the expected location, usually
      this means writing the checksum with an offset of -4.
      
      This patch fixes this by adjusting csum_start when VLAN acceleration
      is detected.
      
      Fixes: 6680ec68 ("tuntap: hardware vlan tx support")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c1505848
    • Greg Kurz's avatar
      hwrng: pseries - port to new read API and fix stack corruption · 50e52368
      Greg Kurz authored
      commit 24c65bc7 upstream.
      
      The add_early_randomness() function in drivers/char/hw_random/core.c passes
      a 16-byte buffer to pseries_rng_data_read(). Unfortunately, plpar_hcall()
      returns four 64-bit values and trashes 16 bytes on the stack.
      
      This bug has been lying around for a long time. It got unveiled by:
      
      commit d3cc7996
      Author: Amit Shah <amit.shah@redhat.com>
      Date:   Thu Jul 10 15:42:34 2014 +0530
      
          hwrng: fetch randomness only after device init
      
      It may trig a oops while loading or unloading the pseries-rng module for both
      PowerVM and PowerKVM guests.
      
      This patch does two things:
      - pass an intermediate well sized buffer to plpar_hcall(). This is acceptalbe
        since we're not on a hot path.
      - move to the new read API so that we know the return buffer size for sure.
      Signed-off-by: default avatarGreg Kurz <gkurz@linux.vnet.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      50e52368
    • Cristian Stoica's avatar
      crypto: caam - remove duplicated sg copy functions · e5fbc698
      Cristian Stoica authored
      commit 307fd543 upstream.
      
      Replace equivalent (and partially incorrect) scatter-gather functions
      with ones from crypto-API.
      
      The replacement is motivated by page-faults in sg_copy_part triggered
      by successive calls to crypto_hash_update. The following fault appears
      after calling crypto_ahash_update twice, first with 13 and then
      with 285 bytes:
      
      Unable to handle kernel paging request for data at address 0x00000008
      Faulting instruction address: 0xf9bf9a8c
      Oops: Kernel access of bad area, sig: 11 [#1]
      SMP NR_CPUS=8 CoreNet Generic
      Modules linked in: tcrypt(+) caamhash caam_jr caam tls
      CPU: 6 PID: 1497 Comm: cryptomgr_test Not tainted
      3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2 #75
      task: e9308530 ti: e700e000 task.ti: e700e000
      NIP: f9bf9a8c LR: f9bfcf28 CTR: c0019ea0
      REGS: e700fb80 TRAP: 0300   Not tainted
      (3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2)
      MSR: 00029002 <CE,EE,ME>  CR: 44f92024  XER: 20000000
      DEAR: 00000008, ESR: 00000000
      
      GPR00: f9bfcf28 e700fc30 e9308530 e70b1e55 00000000 ffffffdd e70b1e54 0bebf888
      GPR08: 902c7ef5 c0e771e2 00000002 00000888 c0019ea0 00000000 00000000 c07a4154
      GPR16: c08d0000 e91a8f9c 00000001 e98fb400 00000100 e9c83028 e70b1e08 e70b1d48
      GPR24: e992ce10 e70b1dc8 f9bfe4f4 e70b1e55 ffffffdd e70b1ce0 00000000 00000000
      NIP [f9bf9a8c] sg_copy+0x1c/0x100 [caamhash]
      LR [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash]
      Call Trace:
      [e700fc30] [f9bf9c50] sg_copy_part+0xe0/0x160 [caamhash] (unreliable)
      [e700fc50] [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash]
      [e700fcb0] [f954e19c] crypto_tls_genicv+0x13c/0x300 [tls]
      [e700fd10] [f954e65c] crypto_tls_encrypt+0x5c/0x260 [tls]
      [e700fd40] [c02250ec] __test_aead.constprop.9+0x2bc/0xb70
      [e700fe40] [c02259f0] alg_test_aead+0x50/0xc0
      [e700fe60] [c02241e4] alg_test+0x114/0x2e0
      [e700fee0] [c022276c] cryptomgr_test+0x4c/0x60
      [e700fef0] [c004f658] kthread+0x98/0xa0
      [e700ff40] [c000fd04] ret_from_kernel_thread+0x5c/0x64
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Cc: Cristian Stoica <cristian.stoica@freescale.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e5fbc698
    • Weijie Yang's avatar
      zram: avoid kunmap_atomic() of a NULL pointer · 14ddbde7
      Weijie Yang authored
      commit c4065152 upstream.
      
      zram could kunmap_atomic() a NULL pointer in a rare situation: a zram
      page becomes a full-zeroed page after a partial write io.  The current
      code doesn't handle this case and performs kunmap_atomic() on a NULL
      pointer, which panics the kernel.
      
      This patch fixes this issue.
      Signed-off-by: default avatarWeijie Yang <weijie.yang@samsung.com>
      Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Cc: Dan Streetman <ddstreet@ieee.org>
      Cc: Nitin Gupta <ngupta@vflare.org>
      Cc: Weijie Yang <weijie.yang.kh@gmail.com>
      Acked-by: default avatarJerome Marchand <jmarchan@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      14ddbde7
    • Emmanuel Grumbach's avatar
      iwlwifi: configure the LTR · 9546673d
      Emmanuel Grumbach authored
      commit 9180ac50 upstream.
      
      The LTR is the handshake between the device and the root
      complex about the latency allowed when the bus exits power
      save. This configuration was missing and this led to high
      latency in the link power up. The end user could experience
      high latency in the network because of this.
      
      Cc: <stable@vger.kernel.org> [3.10+]
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9546673d
    • Michael Ellerman's avatar
      hwrng: pseries - Return errors to upper levels in pseries-rng.c · b4dc3a3a
      Michael Ellerman authored
      commit d319fe2a upstream.
      
      We don't expect to get errors from the hypervisor when reading the rng,
      but if we do we should pass the error up to the hwrng driver. Otherwise
      the hwrng driver will continue calling us forever.
      Signed-off-by: default avatarMichael Ellerman <michael@ellerman.id.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b4dc3a3a
    • Andreas Larsson's avatar
      sparc32: Implement xchg and atomic_xchg using ATOMIC_HASH locks · 1c854a6c
      Andreas Larsson authored
      [ Upstream commit 1a17fdc4 ]
      
      Atomicity between xchg and cmpxchg cannot be guaranteed when xchg is
      implemented with a swap and cmpxchg is implemented with locks.
      Without this, e.g. mcs_spin_lock and mcs_spin_unlock are broken.
      Signed-off-by: default avatarAndreas Larsson <andreas@gaisler.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1c854a6c
    • David S. Miller's avatar
      sparc64: Do irq_{enter,exit}() around generic_smp_call_function*(). · a80e35d9
      David S. Miller authored
      [ Upstream commit ab5c7809 ]
      
      Otherwise rcu_irq_{enter,exit}() do not happen and we get dumps like:
      
      ====================
      [  188.275021] ===============================
      [  188.309351] [ INFO: suspicious RCU usage. ]
      [  188.343737] 3.18.0-rc3-00068-g20f3963d-dirty #54 Not tainted
      [  188.394786] -------------------------------
      [  188.429170] include/linux/rcupdate.h:883 rcu_read_lock() used
      illegally while idle!
      [  188.505235]
      other info that might help us debug this:
      
      [  188.554230]
      RCU used illegally from idle CPU!
      rcu_scheduler_active = 1, debug_locks = 0
      [  188.637587] RCU used illegally from extended quiescent state!
      [  188.690684] 3 locks held by swapper/7/0:
      [  188.721932]  #0:  (&x->wait#11){......}, at: [<0000000000495de8>] complete+0x8/0x60
      [  188.797994]  #1:  (&p->pi_lock){-.-.-.}, at: [<000000000048510c>] try_to_wake_up+0xc/0x400
      [  188.881343]  #2:  (rcu_read_lock){......}, at: [<000000000048a910>] select_task_rq_fair+0x90/0xb40
      [  188.973043]stack backtrace:
      [  188.993879] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 3.18.0-rc3-00068-g20f3963d-dirty #54
      [  189.076187] Call Trace:
      [  189.089719]  [0000000000499360] lockdep_rcu_suspicious+0xe0/0x100
      [  189.147035]  [000000000048a99c] select_task_rq_fair+0x11c/0xb40
      [  189.202253]  [00000000004852d8] try_to_wake_up+0x1d8/0x400
      [  189.252258]  [000000000048554c] default_wake_function+0xc/0x20
      [  189.306435]  [0000000000495554] __wake_up_common+0x34/0x80
      [  189.356448]  [00000000004955b4] __wake_up_locked+0x14/0x40
      [  189.406456]  [0000000000495e08] complete+0x28/0x60
      [  189.448142]  [0000000000636e28] blk_end_sync_rq+0x8/0x20
      [  189.496057]  [0000000000639898] __blk_mq_end_request+0x18/0x60
      [  189.550249]  [00000000006ee014] scsi_end_request+0x94/0x180
      [  189.601286]  [00000000006ee334] scsi_io_completion+0x1d4/0x600
      [  189.655463]  [00000000006e51c4] scsi_finish_command+0xc4/0xe0
      [  189.708598]  [00000000006ed958] scsi_softirq_done+0x118/0x140
      [  189.761735]  [00000000006398ec] __blk_mq_complete_request_remote+0xc/0x20
      [  189.827383]  [00000000004c75d0] generic_smp_call_function_single_interrupt+0x150/0x1c0
      [  189.906581]  [000000000043e514] smp_call_function_single_client+0x14/0x40
      ====================
      
      Based almost entirely upon a patch by Paul E. McKenney.
      Reported-by: default avatarMeelis Roos <mroos@linux.ee>
      Tested-by: default avatarMeelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a80e35d9
    • David S. Miller's avatar
      sparc64: Fix crashes in schizo_pcierr_intr_other(). · 80059d68
      David S. Miller authored
      [ Upstream commit 7da89a2a ]
      
      Meelis Roos reports crashes during bootup on a V480 that look like
      this:
      
      ====================
      [   61.300577] PCI: Scanning PBM /pci@9,600000
      [   61.304867] schizo f009b070: PCI host bridge to bus 0003:00
      [   61.310385] pci_bus 0003:00: root bus resource [io  0x7ffe9000000-0x7ffe9ffffff] (bus address [0x0000-0xffffff])
      [   61.320515] pci_bus 0003:00: root bus resource [mem 0x7fb00000000-0x7fbffffffff] (bus address [0x00000000-0xffffffff])
      [   61.331173] pci_bus 0003:00: root bus resource [bus 00]
      [   61.385344] Unable to handle kernel NULL pointer dereference
      [   61.390970] tsk->{mm,active_mm}->context = 0000000000000000
      [   61.396515] tsk->{mm,active_mm}->pgd = fff000b000002000
      [   61.401716]               \|/ ____ \|/
      [   61.401716]               "@'/ .. \`@"
      [   61.401716]               /_| \__/ |_\
      [   61.401716]                  \__U_/
      [   61.416362] swapper/0(0): Oops [#1]
      [   61.419837] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.18.0-rc1-00422-g2cc91884-dirty #24
      [   61.427975] task: fff000b0fd8e9c40 ti: fff000b0fd928000 task.ti: fff000b0fd928000
      [   61.435426] TSTATE: 0000004480e01602 TPC: 00000000004455e4 TNPC: 00000000004455e8 Y: 00000000    Not tainted
      [   61.445230] TPC: <schizo_pcierr_intr+0x104/0x560>
      [   61.449897] g0: 0000000000000000 g1: 0000000000000000 g2: 0000000000a10f78 g3: 000000000000000a
      [   61.458563] g4: fff000b0fd8e9c40 g5: fff000b0fdd82000 g6: fff000b0fd928000 g7: 000000000000000a
      [   61.467229] o0: 000000000000003d o1: 0000000000000000 o2: 0000000000000006 o3: fff000b0ffa5fc7e
      [   61.475894] o4: 0000000000060000 o5: c000000000000000 sp: fff000b0ffa5f3c1 ret_pc: 00000000004455cc
      [   61.484909] RPC: <schizo_pcierr_intr+0xec/0x560>
      [   61.489500] l0: fff000b0fd8e9c40 l1: 0000000000a20800 l2: 0000000000000000 l3: 000000000119a430
      [   61.498164] l4: 0000000001742400 l5: 00000000011cfbe0 l6: 00000000011319c0 l7: fff000b0fd8ea348
      [   61.506830] i0: 0000000000000000 i1: fff000b0fdb34000 i2: 0000000320000000 i3: 0000000000000000
      [   61.515497] i4: 00060002010b003f i5: 0000040004e02000 i6: fff000b0ffa5f481 i7: 00000000004a9920
      [   61.524175] I7: <handle_irq_event_percpu+0x40/0x140>
      [   61.529099] Call Trace:
      [   61.531531]  [00000000004a9920] handle_irq_event_percpu+0x40/0x140
      [   61.537681]  [00000000004a9a58] handle_irq_event+0x38/0x80
      [   61.543145]  [00000000004ac77c] handle_fasteoi_irq+0xbc/0x200
      [   61.548860]  [00000000004a9084] generic_handle_irq+0x24/0x40
      [   61.554500]  [000000000042be0c] handler_irq+0xac/0x100
      ====================
      
      The problem is that pbm->pci_bus->self is NULL.
      
      This code is trying to go through the standard PCI config space
      interfaces to read the PCI controller's PCI_STATUS register.
      
      This doesn't work, because we more often than not do not enumerate
      the PCI controller as a bonafide PCI device during the OF device
      node scan.  Therefore bus->self remains NULL.
      
      Existing common code for PSYCHO and PSYCHO-like PCI controllers
      handles this properly, by doing the config space access directly.
      
      Do the same here, pbm->pci_ops->{read,write}().
      Reported-by: default avatarMeelis Roos <mroos@linux.ee>
      Tested-by: default avatarMeelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      80059d68
    • Dwight Engen's avatar
      sunvdc: don't call VD_OP_GET_VTOC · 6ec85a43
      Dwight Engen authored
      [ Upstream commit 85b0c6e6 ]
      
      The VD_OP_GET_VTOC operation will succeed only if the vdisk backend has a
      VTOC label, otherwise it will fail. In particular, it will return error
      48 (ENOTSUP) if the disk has an EFI label. VTOC disk labels are already
      handled by directly reading the disk in block/partitions/sun.c (enabled by
      CONFIG_SUN_PARTITION which defaults to y on SPARC). Since port->label is
      unused in the driver, remove the call and the field.
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6ec85a43
    • Dwight Engen's avatar
      vio: fix reuse of vio_dring slot · 4a08354c
      Dwight Engen authored
      [ Upstream commit d0aedcd4 ]
      
      vio_dring_avail() will allow use of every dring entry, but when the last
      entry is allocated then dr->prod == dr->cons which is indistinguishable from
      the ring empty condition. This causes the next allocation to reuse an entry.
      When this happens in sunvdc, the server side vds driver begins nack'ing the
      messages and ends up resetting the ldc channel. This problem does not effect
      sunvnet since it checks for < 2.
      
      The fix here is to just never allocate the very last dring slot so that full
      and empty are not the same condition. The request start path was changed to
      check for the ring being full a bit earlier, and to stop the blk_queue if
      there is no space left. The blk_queue will be restarted once the ring is
      only half full again. The number of ring entries was increased to 512 which
      matches the sunvnet and Solaris vdc drivers, and greatly reduces the
      frequency of hitting the ring full condition and the associated blk_queue
      stop/starting. The checks in sunvent were adjusted to account for
      vio_dring_avail() returning 1 less.
      
      Orabug: 19441666
      OraBZ: 14983
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4a08354c
    • Dwight Engen's avatar
      sunvdc: limit each sg segment to a page · d19343d6
      Dwight Engen authored
      [ Upstream commit 5eed69ff ]
      
      ldc_map_sg() could fail its check that the number of pages referred to
      by the sg scatterlist was <= the number of cookies.
      
      This fixes the issue by doing a similar thing to the xen-blkfront driver,
      ensuring that the scatterlist will only ever contain a segment count <=
      port->ring_cookies, and each segment will be page aligned, and <= page
      size. This ensures that the scatterlist is always mappable.
      
      Orabug: 19347817
      OraBZ: 15945
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d19343d6
    • Allen Pais's avatar
      sunvdc: compute vdisk geometry from capacity · 2c6b39c0
      Allen Pais authored
      [ Upstream commit de5b73f0 ]
      
      The LDom diskserver doesn't return reliable geometry data. In addition,
      the types for all fields in the vio_disk_geom are u16, which were being
      truncated in the cast into the u8's of the Linux struct hd_geometry.
      
      Modify vdc_getgeo() to compute the geometry from the disk's capacity in a
      manner consistent with xen-blkfront::blkif_getgeo().
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2c6b39c0
    • Allen Pais's avatar
      sunvdc: add cdrom and v1.1 protocol support · 81e8f416
      Allen Pais authored
      [ Upstream commit 9bce2182 ]
      
      Interpret the media type from v1.1 protocol to support CDROM/DVD.
      
      For v1.0 protocol, a disk's size continues to be calculated from the
      geometry returned by the vdisk server. The geometry returned by the server
      can be less than the actual number of sectors available in the backing
      image/device due to the rounding in the division used to compute the
      geometry in the vdisk server.
      
      In v1.1 protocol a disk's actual size in sectors is returned during the
      handshake. Use this size when v1.1 protocol is negotiated. Since this size
      will always be larger than the former geometry computed size, disks created
      under v1.0 will be forwards compatible to v1.1, but not vice versa.
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      81e8f416
    • Daniel Borkmann's avatar
      net: sctp: fix memory leak in auth key management · 7e9acaf5
      Daniel Borkmann authored
      [ Upstream commit 4184b2a7 ]
      
      A very minimal and simple user space application allocating an SCTP
      socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
      the socket again will leak the memory containing the authentication
      key from user space:
      
      unreferenced object 0xffff8800837047c0 (size 16):
        comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
        hex dump (first 16 bytes):
          01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
          [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
          [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
          [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
          [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
          [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
          [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      This is bad because of two things, we can bring down a machine from
      user space when auth_enable=1, but also we would leave security sensitive
      keying material in memory without clearing it after use. The issue is
      that sctp_auth_create_key() already sets the refcount to 1, but after
      allocation sctp_auth_set_key() does an additional refcount on it, and
      thus leaving it around when we free the socket.
      
      Fixes: 65b07e5d ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7e9acaf5
    • Daniel Borkmann's avatar
      net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet · 4008f1db
      Daniel Borkmann authored
      [ Upstream commit e40607cb ]
      
      An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
      in the form of:
      
        ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
      
      While the INIT chunk parameter verification dissects through many things
      in order to detect malformed input, it misses to actually check parameters
      inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
      IP address' parameter in ASCONF, which has as a subparameter an address
      parameter.
      
      So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
      or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
      and thus sctp_get_af_specific() returns NULL, too, which we then happily
      dereference unconditionally through af->from_addr_param().
      
      The trace for the log:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
      IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      PGD 0
      Oops: 0000 [#1] SMP
      [...]
      Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
      RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      [...]
      Call Trace:
       <IRQ>
       [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
       [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
       [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
      [...]
      
      A minimal way to address this is to check for NULL as we do on all
      other such occasions where we know sctp_get_af_specific() could
      possibly return with NULL.
      
      Fixes: d6de3097 ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4008f1db
    • Marcelo Leitner's avatar
      vxlan: Do not reuse sockets for a different address family · b27471ba
      Marcelo Leitner authored
      [ Upstream commit 19ca9fc1 ]
      
      Currently, we only match against local port number in order to reuse
      socket. But if this new vxlan wants an IPv6 socket and a IPv4 one bound
      to that port, vxlan will reuse an IPv4 socket as IPv6 and a panic will
      follow. The following steps reproduce it:
      
         # ip link add vxlan6 type vxlan id 42 group 229.10.10.10 \
             srcport 5000 6000 dev eth0
         # ip link add vxlan7 type vxlan id 43 group ff0e::110 \
             srcport 5000 6000 dev eth0
         # ip link set vxlan6 up
         # ip link set vxlan7 up
         <panic>
      
      [    4.187481] BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
      ...
      [    4.188076] Call Trace:
      [    4.188085]  [<ffffffff81667c4a>] ? ipv6_sock_mc_join+0x3a/0x630
      [    4.188098]  [<ffffffffa05a6ad6>] vxlan_igmp_join+0x66/0xd0 [vxlan]
      [    4.188113]  [<ffffffff810a3430>] process_one_work+0x220/0x710
      [    4.188125]  [<ffffffff810a33c4>] ? process_one_work+0x1b4/0x710
      [    4.188138]  [<ffffffff810a3a3b>] worker_thread+0x11b/0x3a0
      [    4.188149]  [<ffffffff810a3920>] ? process_one_work+0x710/0x710
      
      So address family must also match in order to reuse a socket.
      Reported-by: default avatarJean-Tsung Hsiao <jhsiao@redhat.com>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <mleitner@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b27471ba