1. 09 Jun, 2014 26 commits
  2. 18 May, 2014 14 commits
    • Ben Hutchings's avatar
      Linux 3.2.59 · 382ae9d0
      Ben Hutchings authored
      382ae9d0
    • Matthew Daley's avatar
      floppy: don't write kernel-only members to FDRAWCMD ioctl output · 629cbea2
      Matthew Daley authored
      commit 2145e15e upstream.
      
      Do not leak kernel-only floppy_raw_cmd structure members to userspace.
      This includes the linked-list pointer and the pointer to the allocated
      DMA space.
      Signed-off-by: default avatarMatthew Daley <mattd@bugfuzz.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      629cbea2
    • Matthew Daley's avatar
      floppy: ignore kernel-only members in FDRAWCMD ioctl input · d79119d4
      Matthew Daley authored
      commit ef87dbe7 upstream.
      
      Always clear out these floppy_raw_cmd struct members after copying the
      entire structure from userspace so that the in-kernel version is always
      valid and never left in an interdeterminate state.
      Signed-off-by: default avatarMatthew Daley <mattd@bugfuzz.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d79119d4
    • Peter Hurley's avatar
      n_tty: Fix n_tty_write crash when echoing in raw mode · 1e509971
      Peter Hurley authored
      commit 4291086b upstream.
      
      The tty atomic_write_lock does not provide an exclusion guarantee for
      the tty driver if the termios settings are LECHO & !OPOST.  And since
      it is unexpected and not allowed to call TTY buffer helpers like
      tty_insert_flip_string concurrently, this may lead to crashes when
      concurrect writers call pty_write. In that case the following two
      writers:
      * the ECHOing from a workqueue and
      * pty_write from the process
      race and can overflow the corresponding TTY buffer like follows.
      
      If we look into tty_insert_flip_string_fixed_flag, there is:
        int space = __tty_buffer_request_room(port, goal, flags);
        struct tty_buffer *tb = port->buf.tail;
        ...
        memcpy(char_buf_ptr(tb, tb->used), chars, space);
        ...
        tb->used += space;
      
      so the race of the two can result in something like this:
                    A                                B
      __tty_buffer_request_room
                                        __tty_buffer_request_room
      memcpy(buf(tb->used), ...)
      tb->used += space;
                                        memcpy(buf(tb->used), ...) ->BOOM
      
      B's memcpy is past the tty_buffer due to the previous A's tb->used
      increment.
      
      Since the N_TTY line discipline input processing can output
      concurrently with a tty write, obtain the N_TTY ldisc output_lock to
      serialize echo output with normal tty writes.  This ensures the tty
      buffer helper tty_insert_flip_string is not called concurrently and
      everything is fine.
      
      Note that this is nicely reproducible by an ordinary user using
      forkpty and some setup around that (raw termios + ECHO). And it is
      present in kernels at least after commit
      d945cb9c (pty: Rework the pty layer to
      use the normal buffering logic) in 2.6.31-rc3.
      
      js: add more info to the commit log
      js: switch to bool
      js: lock unconditionally
      js: lock only the tty->ops->write call
      
      References: CVE-2014-0196
      Reported-and-tested-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: output_lock is a member of struct tty_struct]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1e509971
    • Ben Hutchings's avatar
      rtl8192ce: Fix null dereference in watchdog · 11e83519
      Ben Hutchings authored
      Dmitry Semyonov reported that after upgrading from 3.2.54 to
      3.2.57 the rtl8192ce driver will crash when its interface is brought
      up.  The oops message shows:
      
      [ 1833.611397] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
      [ 1833.611455] IP: [<ffffffffa0410c6a>] rtl92ce_update_hal_rate_tbl+0x29/0x4db [rtl8192ce]
      ...
      [ 1833.613326] Call Trace:
      [ 1833.613346]  [<ffffffffa02ad9c6>] ? rtl92c_dm_watchdog+0xd0b/0xec9 [rtl8192c_common]
      [ 1833.613391]  [<ffffffff8105b5cf>] ? process_one_work+0x161/0x269
      [ 1833.613425]  [<ffffffff8105c598>] ? worker_thread+0xc2/0x145
      [ 1833.613458]  [<ffffffff8105c4d6>] ? manage_workers.isra.25+0x15b/0x15b
      [ 1833.613496]  [<ffffffff8105f6d9>] ? kthread+0x76/0x7e
      [ 1833.613527]  [<ffffffff81356b74>] ? kernel_thread_helper+0x4/0x10
      [ 1833.613563]  [<ffffffff8105f663>] ? kthread_worker_fn+0x139/0x139
      [ 1833.613598]  [<ffffffff81356b70>] ? gs_change+0x13/0x13
      
      Disassembly of rtl92ce_update_hal_rate_tbl() shows that the 'sta'
      parameter was null.  None of the changes to the rtlwifi family between
      3.2.54 and 3.2.57 seem to directly cause this, and reverting commit 
      f78bccd7 ('rtlwifi: rtl8192ce: Fix too long disable of IRQs')
      doesn't fix it.
      
      rtl92c_dm_watchdog() calls rtl92ce_update_hal_rate_tbl() via
      rtl92c_dm_refresh_rate_adaptive_mask(), which does not appear in the
      call trace as it was inlined.  That function has been completely
      removed upstream which may explain why this crash wasn't seen there.
      
      I'm not sure that it is sensible to completely remove
      rtl92c_dm_refresh_rate_adaptive_mask() without making other
      compensating changes elsewhere, so try to work around this for 3.2 by
      checking for a null pointer in rtl92c_dm_refresh_rate_adaptive_mask()
      and then skipping the call to rtl92ce_update_hal_rate_tbl().
      
      References: https://bugs.debian.org/745137
      References: https://bugs.debian.org/745462Reported-by: default avatarDmitry Semyonov <linulin@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Larry Finger <Larry.Finger@lwfinger.net>
      Cc: Chaoming Li <chaoming_li@realsil.com.cn>
      11e83519
    • Bjørn Mork's avatar
      usb: option: add and update a number of CMOTech devices · 74627ab1
      Bjørn Mork authored
      commit 34f972d6 upstream.
      
      A number of older CMOTech modems are based on Qualcomm
      chips.  The blacklisted interfaces are QMI/wwan.
      Reported-by: default avatarLars Melin <larsm17@gmail.com>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      74627ab1
    • Bjørn Mork's avatar
      usb: option: add Alcatel L800MA · 809d8833
      Bjørn Mork authored
      commit dd6b48ec upstream.
      
      Device interface layout:
      0: ff/ff/ff - serial
      1: ff/00/00 - serial AT+PPP
      2: ff/ff/ff - QMI/wwan
      3: 08/06/50 - storage
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      809d8833
    • Bjørn Mork's avatar
      usb: option: add Olivetti Olicard 500 · c0d47d94
      Bjørn Mork authored
      commit 533b3994 upstream.
      
      Device interface layout:
      0: ff/ff/ff - serial
      1: ff/ff/ff - serial AT+PPP
      2: 08/06/50 - storage
      3: ff/ff/ff - serial
      4: ff/ff/ff - QMI/wwan
      Reported-by: default avatarJulio Araujo <julio.araujo@wllctel.com.br>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c0d47d94
    • Johan Hovold's avatar
      USB: io_ti: fix firmware download on big-endian machines · 83ad4b78
      Johan Hovold authored
      commit 5509076d upstream.
      
      During firmware download the device expects memory addresses in
      big-endian byte order. As the wIndex parameter which hold the address is
      sent in little-endian byte order regardless of host byte order, we need
      to use swab16 rather than cpu_to_be16.
      
      Also make sure to handle the struct ti_i2c_desc size parameter which is
      returned in little-endian byte order.
      Reported-by: default avatarLudovic Drolez <ldrolez@debian.org>
      Tested-by: default avatarLudovic Drolez <ldrolez@debian.org>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      83ad4b78
    • David Cohen's avatar
      usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM · 42eb6ec9
      David Cohen authored
      commit 01bb59eb upstream.
      
      When CONFIG_PCI and CONFIG_PM are not selected, xhci.c gets this
      warning:
      drivers/usb/host/xhci.c:409:13: warning: ‘xhci_msix_sync_irqs’ defined
      but not used [-Wunused-function]
      
      Instead of creating nested #ifdefs, this patch fixes it by defining the
      xHCI PCI stubs as inline.
      
      This warning has been in since 3.2 kernel and was
      caused by commit 421aa841
      "usb/xhci: hide MSI code behind PCI bars", but wasn't noticed
      until 3.13 when a configuration with these options was tried
      Signed-off-by: default avatarDavid Cohen <david.a.cohen@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      42eb6ec9
    • Julius Werner's avatar
      usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb · b9c6d6da
      Julius Werner authored
      commit 1f81b6d2 upstream.
      
      We have observed a rare cycle state desync bug after Set TR Dequeue
      Pointer commands on Intel LynxPoint xHCs (resulting in an endpoint that
      doesn't fetch new TRBs and thus an unresponsive USB device). It always
      triggers when a previous Set TR Dequeue Pointer command has set the
      pointer to the final Link TRB of a segment, and then another URB gets
      enqueued and cancelled again before it can be completed. Further
      investigation showed that the xHC had returned the Link TRB in the TRB
      Pointer field of the Transfer Event (CC == Stopped -- Length Invalid),
      but when xhci_find_new_dequeue_state() later accesses the Endpoint
      Context's TR Dequeue Pointer field it is set to the first TRB of the
      next segment.
      
      The driver expects those two values to be the same in this situation,
      and uses the cycle state of the latter together with the address of the
      former. This should be fine according to the XHCI specification, since
      the endpoint ring should be stopped when returning the Transfer Event
      and thus should not advance over the Link TRB before it gets restarted.
      However, real-world XHCI implementations apparently don't really care
      that much about these details, so the driver should follow a more
      defensive approach to try to work around HC spec violations.
      
      This patch removes the stopped_trb variable that had been used to store
      the TRB Pointer from the last Transfer Event of a stopped TRB. Instead,
      xhci_find_new_dequeue_state() now relies only on the Endpoint Context,
      requiring a small amount of additional processing to find the virtual
      address corresponding to the TR Dequeue Pointer. Some other parts of the
      function were slightly rearranged to better fit into this model.
      
      This patch should be backported to kernels as old as 2.6.31 that contain
      the commit ae636747 "USB: xhci: URB
      cancellation support."
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b9c6d6da
    • Hans de Goede's avatar
      xhci: For streams the css flag most be read from the stream-ctx on ep stop · 8723390b
      Hans de Goede authored
      commit c4bedb77 upstream.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8723390b
    • Miao Xie's avatar
      Btrfs: fix inode caching vs tree log · d6db8ad7
      Miao Xie authored
      commit 1c70d8fb upstream.
      
      Currently, with inode cache enabled, we will reuse its inode id immediately
      after unlinking file, we may hit something like following:
      
      |->iput inode
      |->return inode id into inode cache
      |->create dir,fsync
      |->power off
      
      An easy way to reproduce this problem is:
      
      mkfs.btrfs -f /dev/sdb
      mount /dev/sdb /mnt -o inode_cache,commit=100
      dd if=/dev/zero of=/mnt/data bs=1M count=10 oflag=sync
      inode_id=`ls -i /mnt/data | awk '{print $1}'`
      rm -f /mnt/data
      
      i=1
      while [ 1 ]
      do
              mkdir /mnt/dir_$i
              test1=`stat /mnt/dir_$i | grep Inode: | awk '{print $4}'`
              if [ $test1 -eq $inode_id ]
              then
      		dd if=/dev/zero of=/mnt/dir_$i/data bs=1M count=1 oflag=sync
      		echo b > /proc/sysrq-trigger
      	fi
      	sleep 1
              i=$(($i+1))
      done
      
      mount /dev/sdb /mnt
      umount /dev/sdb
      btrfs check /dev/sdb
      
      We fix this problem by adding unlinked inode's id into pinned tree,
      and we can not reuse them until committing transaction.
      Signed-off-by: default avatarMiao Xie <miaox@cn.fujitsu.com>
      Signed-off-by: default avatarWang Shilong <wangsl.fnst@cn.fujitsu.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d6db8ad7
    • Stefan Behrens's avatar
      Btrfs: Don't allocate inode that is already in use · 8bbfb31d
      Stefan Behrens authored
      commit ff76b056 upstream.
      
      Due to an off-by-one error, it is possible to reproduce a bug
      when the inode cache is used.
      
      The same inode number is assigned twice, the second time this
      leads to an EEXIST in btrfs_insert_empty_items().
      
      The issue can happen when a file is removed right after a subvolume
      is created and then a new inode number is created before the
      inodes in free_inode_pinned are processed.
      unlink() calls btrfs_return_ino() which calls start_caching() in this
      case which adds [highest_ino + 1, BTRFS_LAST_FREE_OBJECTID] by
      searching for the highest inode (which already cannot find the
      unlinked one anymore in btrfs_find_free_objectid()). So if this
      unlinked inode's number is equal to the highest_ino + 1 (or >= this value
      instead of > this value which was the off-by-one error), we mustn't add
      the inode number to free_ino_pinned (caching_thread() does it right).
      In this case we need to try directly to add the number to the inode_cache
      which will fail in this case.
      
      When this inode number is allocated while it is still in free_ino_pinned,
      it is allocated and still added to the free inode cache when the
      pinned inodes are processed, thus one of the following inode number
      allocations will get an inode that is already in use and fail with EEXIST
      in btrfs_insert_empty_items().
      
      One example which was created with the reproducer below:
      Create a snapshot, work in the newly created snapshot for the rest.
      In unlink(inode 34284) call btrfs_return_ino() which calls start_caching().
      start_caching() calls add_free_space [34284, 18446744073709517077].
      In btrfs_return_ino(), call start_caching pinned [34284, 1] which is wrong.
      mkdir() call btrfs_find_ino_for_alloc() which returns the number 34284.
      btrfs_unpin_free_ino calls add_free_space [34284, 1].
      mkdir() call btrfs_find_ino_for_alloc() which returns the number 34284.
      EEXIST when the new inode is inserted.
      
      One possible reproducer is this one:
       #!/bin/sh
       # preparation
      TEST_DEV=/dev/sdc1
      TEST_MNT=/mnt
      umount ${TEST_MNT} 2>/dev/null || true
      mkfs.btrfs -f ${TEST_DEV}
      mount ${TEST_DEV} ${TEST_MNT} -o \
       rw,relatime,compress=lzo,space_cache,inode_cache
      btrfs subv create ${TEST_MNT}/s1
      for i in `seq 34027`; do touch ${TEST_MNT}/s1/${i}; done
      btrfs subv snap ${TEST_MNT}/s1 ${TEST_MNT}/s2
      FILENAME=`find ${TEST_MNT}/s1/ -inum 4085 | sed 's|^.*/\([^/]*\)$|\1|'`
      rm ${TEST_MNT}/s2/$FILENAME
      touch ${TEST_MNT}/s2/$FILENAME
       # the following steps can be repeated to reproduce the issue again and again
      [ -e ${TEST_MNT}/s3 ] && btrfs subv del ${TEST_MNT}/s3
      btrfs subv snap ${TEST_MNT}/s2 ${TEST_MNT}/s3
      rm ${TEST_MNT}/s3/$FILENAME
      touch ${TEST_MNT}/s3/$FILENAME
      ls -alFi ${TEST_MNT}/s?/$FILENAME
      touch ${TEST_MNT}/s3/_1 || logger FAILED
      ls -alFi ${TEST_MNT}/s?/_1
      touch ${TEST_MNT}/s3/_2 || logger FAILED
      ls -alFi ${TEST_MNT}/s?/_2
      touch ${TEST_MNT}/s3/__1 || logger FAILED
      ls -alFi ${TEST_MNT}/s?/__1
      touch ${TEST_MNT}/s3/__2 || logger FAILED
      ls -alFi ${TEST_MNT}/s?/__2
       # if the above is not enough, add the following loop:
      for i in `seq 3 9`; do touch ${TEST_MNT}/s3/__${i} || logger FAILED; done
       #for i in `seq 3 34027`; do touch ${TEST_MNT}/s3/__${i} || logger FAILED; done
       # one of the touch(1) calls in s3 fail due to EEXIST because the inode is
       # already in use that btrfs_find_ino_for_alloc() returns.
      Signed-off-by: default avatarStefan Behrens <sbehrens@giantdisaster.de>
      Reviewed-by: default avatarJan Schmidt <list.btrfs@jan-o-sch.net>
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarChris Mason <chris.mason@fusionio.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8bbfb31d