1. 30 Sep, 2016 40 commits
    • Brian Foster's avatar
      xfs: prevent dropping ioend completions during buftarg wait · fc4edddc
      Brian Foster authored
      commit 800b2694 upstream.
      
      xfs_wait_buftarg() waits for all pending I/O, drains the ioend
      completion workqueue and walks the LRU until all buffers in the cache
      have been released. This is traditionally an unmount operation` but the
      mechanism is also reused during filesystem freeze.
      
      xfs_wait_buftarg() invokes drain_workqueue() as part of the quiesce,
      which is intended more for a shutdown sequence in that it indicates to
      the queue that new operations are not expected once the drain has begun.
      New work jobs after this point result in a WARN_ON_ONCE() and are
      otherwise dropped.
      
      With filesystem freeze, however, read operations are allowed and can
      proceed during or after the workqueue drain. If such a read occurs
      during the drain sequence, the workqueue infrastructure complains about
      the queued ioend completion work item and drops it on the floor. As a
      result, the buffer remains on the LRU and the freeze never completes.
      
      Despite the fact that the overall buffer cache cleanup is not necessary
      during freeze, fix up this operation such that it is safe to invoke
      during non-unmount quiesce operations. Replace the drain_workqueue()
      call with flush_workqueue(), which runs a similar serialization on
      pending workqueue jobs without causing new jobs to be dropped. This is
      safe for unmount as unmount independently locks out new operations by
      the time xfs_wait_buftarg() is invoked.
      
      cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBrian Foster <bfoster@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc4edddc
    • Ian Kent's avatar
      autofs: use dentry flags to block walks during expire · 2ccb99b2
      Ian Kent authored
      commit 7cbdb4a2 upstream.
      
      Somewhere along the way the autofs expire operation has changed to hold
      a spin lock over expired dentry selection.  The autofs indirect mount
      expired dentry selection is complicated and quite lengthy so it isn't
      appropriate to hold a spin lock over the operation.
      
      Commit 47be6184 ("fs/dcache.c: avoid soft-lockup in dput()") added a
      might_sleep() to dput() causing a WARN_ONCE() about this usage to be
      issued.
      
      But the spin lock doesn't need to be held over this check, the autofs
      dentry info.  flags are enough to block walks into dentrys during the
      expire.
      
      I've left the direct mount expire as it is (for now) because it is much
      simpler and quicker than the indirect mount expire and adding spin lock
      release and re-aquires would do nothing more than add overhead.
      
      Fixes: 47be6184 ("fs/dcache.c: avoid soft-lockup in dput()")
      Link: http://lkml.kernel.org/r/20160912014017.1773.73060.stgit@pluto.themaw.netSigned-off-by: default avatarIan Kent <raven@themaw.net>
      Reported-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: NeilBrown <neilb@suse.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ccb99b2
    • Al Viro's avatar
      autofs races · 30b54a26
      Al Viro authored
      commit ea01a184 upstream.
      
      * make autofs4_expire_indirect() skip the dentries being in process of
      expiry
      * do *not* mess with list_move(); making sure that dentry with
      AUTOFS_INF_EXPIRING are not picked for expiry is enough.
      * do not remove NO_RCU when we set EXPIRING, don't bother with smp_mb()
      there.  Clear it at the same time we clear EXPIRING.  Makes a bunch of
      tests simpler.
      * rename NO_RCU to WANT_EXPIRE, which is what it really is.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Ian Kent <raven@themaw.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      30b54a26
    • Thierry Reding's avatar
      pwm: Mark all devices as "might sleep" · 9aea5e0d
      Thierry Reding authored
      commit ff01c944 upstream.
      
      Commit d1cd2142 ("pwm: Set enable state properly on failed call to
      enable") introduced a mutex that is needed to protect internal state of
      PWM devices. Since that mutex is acquired in pwm_set_polarity() and in
      pwm_enable() and might potentially block, all PWM devices effectively
      become "might sleep".
      
      It's rather pointless to keep the .can_sleep field around, but given
      that there are external users let's postpone the removal for the next
      release cycle.
      Signed-off-by: default avatarThierry Reding <thierry.reding@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Fixes: d1cd2142 ("pwm: Set enable state properly on failed call to enable")
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      
      9aea5e0d
    • Davide Caratti's avatar
      bridge: re-introduce 'fix parsing of MLDv2 reports' · fd2e3102
      Davide Caratti authored
      [ Upstream commit 9264251e ]
      
      commit bc8c20ac ("bridge: multicast: treat igmpv3 report with
      INCLUDE and no sources as a leave") seems to have accidentally reverted
      commit 47cc84ce ("bridge: fix parsing of MLDv2 reports"). This
      commit brings back a change to br_ip6_multicast_mld2_report() where
      parsing of MLDv2 reports stops when the first group is successfully
      added to the MDB cache.
      
      Fixes: bc8c20ac ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Acked-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd2e3102
    • Russell King's avatar
      net: smc91x: fix SMC accesses · 8c945f5a
      Russell King authored
      [ Upstream commit 2fb04fdf ]
      
      Commit b70661c7 ("net: smc91x: use run-time configuration on all ARM
      machines") broke some ARM platforms through several mistakes.  Firstly,
      the access size must correspond to the following rule:
      
      (a) at least one of 16-bit or 8-bit access size must be supported
      (b) 32-bit accesses are optional, and may be enabled in addition to
          the above.
      
      Secondly, it provides no emulation of 16-bit accesses, instead blindly
      making 16-bit accesses even when the platform specifies that only 8-bit
      is supported.
      
      Reorganise smc91x.h so we can make use of the existing 16-bit access
      emulation already provided - if 16-bit accesses are supported, use
      16-bit accesses directly, otherwise if 8-bit accesses are supported,
      use the provided 16-bit access emulation.  If neither, BUG().  This
      exactly reflects the driver behaviour prior to the commit being fixed.
      
      Since the conversion incorrectly cut down the available access sizes on
      several platforms, we also need to go through every platform and fix up
      the overly-restrictive access size: Arnd assumed that if a platform can
      perform 32-bit, 16-bit and 8-bit accesses, then only a 32-bit access
      size needed to be specified - not so, all available access sizes must
      be specified.
      
      This likely fixes some performance regressions in doing this: if a
      platform does not support 8-bit accesses, 8-bit accesses have been
      emulated by performing a 16-bit read-modify-write access.
      
      Tested on the Intel Assabet/Neponset platform, which supports only 8-bit
      accesses, which was broken by the original commit.
      
      Fixes: b70661c7 ("net: smc91x: use run-time configuration on all ARM machines")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Tested-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c945f5a
    • Xander Huff's avatar
      Revert "phy: IRQ cannot be shared" · 339d61ab
      Xander Huff authored
      [ Upstream commit c3e70edd ]
      
      This reverts:
        commit 33c133cc ("phy: IRQ cannot be shared")
      
      On hardware with multiple PHY devices hooked up to the same IRQ line, allow
      them to share it.
      
      Sergei Shtylyov says:
        "I'm not sure now what was the reason I concluded that the IRQ sharing
        was impossible... most probably I thought that the kernel IRQ handling
        code exited the loop over the IRQ actions once IRQ_HANDLED was returned
        -- which is obviously not so in reality..."
      Signed-off-by: default avatarXander Huff <xander.huff@ni.com>
      Signed-off-by: default avatarNathan Sullivan <nathan.sullivan@ni.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      339d61ab
    • Florian Fainelli's avatar
      net: dsa: bcm_sf2: Fix race condition while unmasking interrupts · a3fb2b3b
      Florian Fainelli authored
      [ Upstream commit 4f101c47 ]
      
      We kept shadow copies of which interrupt sources we have enabled and
      disabled, but due to an order bug in how intrl2_mask_clear was defined,
      we could run into the following scenario:
      
      CPU0					CPU1
      intrl2_1_mask_clear(..)
      sets INTRL2_CPU_MASK_CLEAR
      					bcm_sf2_switch_1_isr
      					read INTRL2_CPU_STATUS and masks with stale
      					irq1_mask value
      updates irq1_mask value
      
      Which would make us loop again and again trying to process and interrupt
      we are not clearing since our copy of whether it was enabled before
      still indicates it was not. Fix this by updating the shadow copy first,
      and then unasking at the HW level.
      
      Fixes: 246d7f77 ("net: dsa: add Broadcom SF2 switch driver")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3fb2b3b
    • Paul Blakey's avatar
      net/mlx5: Added missing check of msg length in verifying its signature · c03c024f
      Paul Blakey authored
      [ Upstream commit 2c0f8ce1 ]
      
      Set and verify signature calculates the signature for each of the
      mailbox nodes, even for those that are unused (from cache). Added
      a missing length check to set and verify only those which are used.
      
      While here, also moved the setting of msg's nodes token to where we
      already go over them. This saves a pass because checksum is disabled,
      and the only useful thing remaining that set signature does is setting
      the token.
      
      Fixes: e126ba97 ('mlx5: Add driver for Mellanox Connect-IB
      adapters')
      Signed-off-by: default avatarPaul Blakey <paulb@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c03c024f
    • Vegard Nossum's avatar
      tipc: fix NULL pointer dereference in shutdown() · 4be4511a
      Vegard Nossum authored
      [ Upstream commit d2fbdf76 ]
      
      tipc_msg_create() can return a NULL skb and if so, we shouldn't try to
      call tipc_node_xmit_skb() on it.
      
          general protection fault: 0000 [#1] PREEMPT SMP KASAN
          CPU: 3 PID: 30298 Comm: trinity-c0 Not tainted 4.7.0-rc7+ #19
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
          task: ffff8800baf09980 ti: ffff8800595b8000 task.ti: ffff8800595b8000
          RIP: 0010:[<ffffffff830bb46b>]  [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
          RSP: 0018:ffff8800595bfce8  EFLAGS: 00010246
          RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003023b0e0
          RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff83d12580
          RBP: ffff8800595bfd78 R08: ffffed000b2b7f32 R09: 0000000000000000
          R10: fffffbfff0759725 R11: 0000000000000000 R12: 1ffff1000b2b7f9f
          R13: ffff8800595bfd58 R14: ffffffff83d12580 R15: dffffc0000000000
          FS:  00007fcdde242700(0000) GS:ffff88011af80000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 00007fcddde1db10 CR3: 000000006874b000 CR4: 00000000000006e0
          DR0: 00007fcdde248000 DR1: 00007fcddd73d000 DR2: 00007fcdde248000
          DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
          Stack:
           0000000000000018 0000000000000018 0000000041b58ab3 ffffffff83954208
           ffffffff830bb400 ffff8800595bfd30 ffffffff8309d767 0000000000000018
           0000000000000018 ffff8800595bfd78 ffffffff8309da1a 00000000810ee611
          Call Trace:
           [<ffffffff830c84a3>] tipc_shutdown+0x553/0x880
           [<ffffffff825b4a3b>] SyS_shutdown+0x14b/0x170
           [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
           [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
          Code: 90 00 b4 0b 83 c7 00 f1 f1 f1 f1 4c 8d 6d e0 c7 40 04 00 00 00 f4 c7 40 08 f3 f3 f3 f3 48 89 d8 48 c1 e8 03 c7 45 b4 00 00 00 00 <80> 3c 30 00 75 78 48 8d 7b 08 49 8d 75 c0 48 b8 00 00 00 00 00
          RIP  [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
           RSP <ffff8800595bfce8>
          ---[ end trace 57b0484e351e71f1 ]---
      
      I feel like we should maybe return -ENOMEM or -ENOBUFS, but I'm not sure
      userspace is equipped to handle that. Anyway, this is better than a GPF
      and looks somewhat consistent with other tipc_msg_create() callers.
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4be4511a
    • Vegard Nossum's avatar
      net/irda: handle iriap_register_lsap() allocation failure · 8d0d2ce6
      Vegard Nossum authored
      [ Upstream commit 5ba092ef ]
      
      If iriap_register_lsap() fails to allocate memory, self->lsap is
      set to NULL. However, none of the callers handle the failure and
      irlmp_connect_request() will happily dereference it:
      
          iriap_register_lsap: Unable to allocated LSAP!
          ================================================================================
          UBSAN: Undefined behaviour in net/irda/irlmp.c:378:2
          member access within null pointer of type 'struct lsap_cb'
          CPU: 1 PID: 15403 Comm: trinity-c0 Not tainted 4.8.0-rc1+ #81
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org
          04/01/2014
           0000000000000000 ffff88010c7e78a8 ffffffff82344f40 0000000041b58ab3
           ffffffff84f98000 ffffffff82344e94 ffff88010c7e78d0 ffff88010c7e7880
           ffff88010630ad00 ffffffff84a5fae0 ffffffff84d3f5c0 000000000000017a
          Call Trace:
           [<ffffffff82344f40>] dump_stack+0xac/0xfc
           [<ffffffff8242f5a8>] ubsan_epilogue+0xd/0x8a
           [<ffffffff824302bf>] __ubsan_handle_type_mismatch+0x157/0x411
           [<ffffffff83b7bdbc>] irlmp_connect_request+0x7ac/0x970
           [<ffffffff83b77cc0>] iriap_connect_request+0xa0/0x160
           [<ffffffff83b77f48>] state_s_disconnect+0x88/0xd0
           [<ffffffff83b78904>] iriap_do_client_event+0x94/0x120
           [<ffffffff83b77710>] iriap_getvaluebyclass_request+0x3e0/0x6d0
           [<ffffffff83ba6ebb>] irda_find_lsap_sel+0x1eb/0x630
           [<ffffffff83ba90c8>] irda_connect+0x828/0x12d0
           [<ffffffff833c0dfb>] SYSC_connect+0x22b/0x340
           [<ffffffff833c7e09>] SyS_connect+0x9/0x10
           [<ffffffff81007bd3>] do_syscall_64+0x1b3/0x4b0
           [<ffffffff845f946a>] entry_SYSCALL64_slow_path+0x25/0x25
          ================================================================================
      
      The bug seems to have been around since forever.
      
      There's more problems with missing error checks in iriap_init() (and
      indeed all of irda_init()), but that's a bigger problem that needs
      very careful review and testing. This patch will fix the most serious
      bug (as it's easily reached from unprivileged userspace).
      
      I have tested my patch with a reproducer.
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d0d2ce6
    • Lance Richardson's avatar
      vti: flush x-netns xfrm cache when vti interface is removed · 0bb225a0
      Lance Richardson authored
      [ Upstream commit a5d0dc81 ]
      
      When executing the script included below, the netns delete operation
      hangs with the following message (repeated at 10 second intervals):
      
        kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1
      
      This occurs because a reference to the lo interface in the "secure" netns
      is still held by a dst entry in the xfrm bundle cache in the init netns.
      
      Address this problem by garbage collecting the tunnel netns flow cache
      when a cross-namespace vti interface receives a NETDEV_DOWN notification.
      
      A more detailed description of the problem scenario (referencing commands
      in the script below):
      
      (1) ip link add vti_test type vti local 1.1.1.1 remote 1.1.1.2 key 1
      
        The vti_test interface is created in the init namespace. vti_tunnel_init()
        attaches a struct ip_tunnel to the vti interface's netdev_priv(dev),
        setting the tunnel net to &init_net.
      
      (2) ip link set vti_test netns secure
      
        The vti_test interface is moved to the "secure" netns. Note that
        the associated struct ip_tunnel still has tunnel->net set to &init_net.
      
      (3) ip netns exec secure ping -c 4 -i 0.02 -I 192.168.100.1 192.168.200.1
      
        The first packet sent using the vti device causes xfrm_lookup() to be
        called as follows:
      
            dst = xfrm_lookup(tunnel->net, skb_dst(skb), fl, NULL, 0);
      
        Note that tunnel->net is the init namespace, while skb_dst(skb) references
        the vti_test interface in the "secure" namespace. The returned dst
        references an interface in the init namespace.
      
        Also note that the first parameter to xfrm_lookup() determines which flow
        cache is used to store the computed xfrm bundle, so after xfrm_lookup()
        returns there will be a cached bundle in the init namespace flow cache
        with a dst referencing a device in the "secure" namespace.
      
      (4) ip netns del secure
      
        Kernel begins to delete the "secure" namespace.  At some point the
        vti_test interface is deleted, at which point dst_ifdown() changes
        the dst->dev in the cached xfrm bundle flow from vti_test to lo (still
        in the "secure" namespace however).
        Since nothing has happened to cause the init namespace's flow cache
        to be garbage collected, this dst remains attached to the flow cache,
        so the kernel loops waiting for the last reference to lo to go away.
      
      <Begin script>
      ip link add br1 type bridge
      ip link set dev br1 up
      ip addr add dev br1 1.1.1.1/8
      
      ip netns add secure
      ip link add vti_test type vti local 1.1.1.1 remote 1.1.1.2 key 1
      ip link set vti_test netns secure
      ip netns exec secure ip link set vti_test up
      ip netns exec secure ip link s lo up
      ip netns exec secure ip addr add dev lo 192.168.100.1/24
      ip netns exec secure ip route add 192.168.200.0/24 dev vti_test
      ip xfrm policy flush
      ip xfrm state flush
      ip xfrm policy add dir out tmpl src 1.1.1.1 dst 1.1.1.2 \
         proto esp mode tunnel mark 1
      ip xfrm policy add dir in tmpl src 1.1.1.2 dst 1.1.1.1 \
         proto esp mode tunnel mark 1
      ip xfrm state add src 1.1.1.1 dst 1.1.1.2 proto esp spi 1 \
         mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788
      ip xfrm state add src 1.1.1.2 dst 1.1.1.1 proto esp spi 1 \
         mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788
      
      ip netns exec secure ping -c 4 -i 0.02 -I 192.168.100.1 192.168.200.1
      
      ip netns del secure
      <End script>
      Reported-by: default avatarHangbin Liu <haliu@redhat.com>
      Reported-by: default avatarJan Tluka <jtluka@redhat.com>
      Signed-off-by: default avatarLance Richardson <lrichard@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0bb225a0
    • Linus Torvalds's avatar
      af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock' · 9b5390d7
      Linus Torvalds authored
      commit 6e1ce3c3 upstream.
      
      Right now we use the 'readlock' both for protecting some of the af_unix
      IO path and for making the bind be single-threaded.
      
      The two are independent, but using the same lock makes for a nasty
      deadlock due to ordering with regards to filesystem locking.  The bind
      locking would want to nest outside the VSF pathname locking, but the IO
      locking wants to nest inside some of those same locks.
      
      We tried to fix this earlier with commit c845acb3 ("af_unix: Fix
      splice-bind deadlock") which moved the readlock inside the vfs locks,
      but that caused problems with overlayfs that will then call back into
      filesystem routines that take the lock in the wrong order anyway.
      
      Splitting the locks means that we can go back to having the bind lock be
      the outermost lock, and we don't have any deadlocks with lock ordering.
      Acked-by: default avatarRainer Weikusat <rweikusat@cyberadapt.com>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b5390d7
    • Linus Torvalds's avatar
      Revert "af_unix: Fix splice-bind deadlock" · 941f6995
      Linus Torvalds authored
      commit 38f7bd94 upstream.
      
      This reverts commit c845acb3.
      
      It turns out that it just replaces one deadlock with another one: we can
      still get the wrong lock ordering with the readlock due to overlayfs
      calling back into the filesystem layer and still taking the vfs locks
      after the readlock.
      
      The proper solution ends up being to just split the readlock into two
      pieces: the bind lock (taken *outside* the vfs locks) and the IO lock
      (taken *inside* the filesystem locks).  The two locks are independent
      anyway.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reviewed-by: default avatarShmulik Ladkani <shmulik.ladkani@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      941f6995
    • Mahesh Bandewar's avatar
      bonding: Fix bonding crash · f357a798
      Mahesh Bandewar authored
      [ Upstream commit 24b27fc4 ]
      
      Following few steps will crash kernel -
      
        (a) Create bonding master
            > modprobe bonding miimon=50
        (b) Create macvlan bridge on eth2
            > ip link add link eth2 dev mvl0 address aa:0:0:0:0:01 \
      	   type macvlan
        (c) Now try adding eth2 into the bond
            > echo +eth2 > /sys/class/net/bond0/bonding/slaves
            <crash>
      
      Bonding does lots of things before checking if the device enslaved is
      busy or not.
      
      In this case when the notifier call-chain sends notifications, the
      bond_netdev_event() assumes that the rx_handler /rx_handler_data is
      registered while the bond_enslave() hasn't progressed far enough to
      register rx_handler for the new slave.
      
      This patch adds a rx_handler check that can be performed right at the
      beginning of the enslave code to avoid getting into this situation.
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f357a798
    • Maurizio Lombardi's avatar
      megaraid: fix null pointer check in megasas_detach_one(). · 56e5ad1e
      Maurizio Lombardi authored
      commit 546e559c upstream.
      
      The pd_seq_sync pointer can't be NULL, we have to check its entries
      instead.
      Signed-off-by: default avatarMaurizio Lombardi <mlombard@redhat.com>
      Acked-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      56e5ad1e
    • Arnd Bergmann's avatar
      nouveau: fix nv40_perfctr_next() cleanup regression · e3718ed1
      Arnd Bergmann authored
      commit 86d65b7e upstream.
      
      gcc-6 warns about code in the nouveau driver that is obviously silly:
      
      drivers/gpu/drm/nouveau/nvkm/engine/pm/nv40.c: In function 'nv40_perfctr_next':
      drivers/gpu/drm/nouveau/nvkm/engine/pm/nv40.c:62:19: warning: self-comparison always evaluats to false [-Wtautological-compare]
        if (pm->sequence != pm->sequence) {
      
      The behavior was accidentally introduced in a patch described as "This is
      purely preparation for upcoming commits, there should be no code changes here.".
      As far as I can tell, that was true for the rest of that patch except for
      this one function, which has been changed to a NOP.
      
      This patch restores the original behavior.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 8c1aeaa1 ("drm/nouveau/pm: cosmetic changes")
      Reviewed-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3718ed1
    • Colin Ian King's avatar
      Staging: iio: adc: fix indent on break statement · 2c4e9913
      Colin Ian King authored
      commit b6acb0cf upstream.
      
      Fix indent warning when building with gcc 6:
      drivers/staging/iio/adc/ad7192.c:239:4: warning: statement is indented
        as if it were guarded by... [-Wmisleading-indentation]
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c4e9913
    • Arnd Bergmann's avatar
      iwlegacy: avoid warning about missing braces · 682c360e
      Arnd Bergmann authored
      commit 2cce76c3 upstream.
      
      gcc-6 warns about code in il3945_hw_txq_ctx_free() being
      somewhat ambiguous:
      
      drivers/net/wireless/intel/iwlegacy/3945.c:1022:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses]
      
      This adds a set of curly braces to avoid the warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      682c360e
    • Arnd Bergmann's avatar
      ath9k: fix misleading indentation · 1fff631e
      Arnd Bergmann authored
      commit 362210e0 upstream.
      
      A cleanup patch in linux-3.18 moved around some code in the ath9k
      driver and left some code to be indented in a misleading way,
      made worse by the addition of some new code for p2p mode, as
      discovered by a new gcc-6 warning:
      
      drivers/net/wireless/ath/ath9k/init.c: In function 'ath9k_set_hw_capab':
      drivers/net/wireless/ath/ath9k/init.c:851:4: warning: statement is indented as if it were guarded by... [-Wmisleading-indentation]
          hw->wiphy->iface_combinations = if_comb;
          ^~
      drivers/net/wireless/ath/ath9k/init.c:847:3: note: ...this 'if' clause, but it is not
         if (ath9k_is_chanctx_enabled())
         ^~
      
      The code is in fact correct, but the indentation is not, so I'm
      reformatting it as it should have been after the original cleanup.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 499afacc ("ath9k: Isolate ath9k_use_chanctx module parameter")
      Fixes: eb61f9f6 ("ath9k: advertise p2p dev support when chanctx")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fff631e
    • Arnd Bergmann's avatar
      am437x-vfpe: fix typo in vpfe_get_app_input_index · 7fb33fb7
      Arnd Bergmann authored
      commit 0fb50400 upstream.
      
      gcc-6 points out an obviously silly comparison in vpfe_get_app_input_index():
      
      drivers/media/platform/am437x/am437x-vpfe.c: In function 'vpfe_get_app_input_index':
      drivers/media/platform/am437x/am437x-vpfe.c:1709:27: warning: self-comparison always evaluats to true [-Wtautological-compare]
             client->adapter->nr == client->adapter->nr) {
                                 ^~
      
      This was introduced in a slighly incorrect conversion, and it's
      clear that the comparison was meant to compare the iterator
      to the current subdev instead, as we do in the line above.
      
      Fixes: d3723239 ("[media] media: am437x-vpfe: match the OF node/i2c addr instead of name")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarLad, Prabhakar <prabhakar.csengg@gmail.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7fb33fb7
    • Linus Torvalds's avatar
      Add braces to avoid "ambiguous ‘else’" compiler warnings · c48692f5
      Linus Torvalds authored
      commit 194dc870 upstream.
      
      Some of our "for_each_xyz()" macro constructs make gcc unhappy about
      lack of braces around if-statements inside or outside the loop, because
      the loop construct itself has a "if-then-else" statement inside of it.
      
      The resulting warnings look something like this:
      
        drivers/gpu/drm/i915/i915_debugfs.c: In function ‘i915_dump_lrc’:
        drivers/gpu/drm/i915/i915_debugfs.c:2103:6: warning: suggest explicit braces to avoid ambiguous ‘else’ [-Wparentheses]
           if (ctx != dev_priv->kernel_context)
              ^
      
      even if the code itself is fine.
      
      Since the warning is fairly easy to avoid by adding a braces around the
      if-statement near the for_each_xyz() construct, do so, rather than
      disabling the otherwise potentially useful warning.
      
      (The if-then-else statements used in the "for_each_xyz()" constructs are
      designed to be inherently safe even with no braces, but in this case
      it's quite understandable that gcc isn't really able to tell that).
      
      This finally leaves the standard "allmodconfig" build with just a
      handful of remaining warnings, so new and valid warnings hopefully will
      stand out.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c48692f5
    • Arnd Bergmann's avatar
      net: caif: fix misleading indentation · bc43ac8b
      Arnd Bergmann authored
      commit 8e0cc8c3 upstream.
      
      gcc points out code that is not indented the way it is
      interpreted:
      
      net/caif/cfpkt_skbuff.c: In function 'cfpkt_setlen':
      net/caif/cfpkt_skbuff.c:289:4: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
          return cfpkt_getlen(pkt);
          ^~~~~~
      net/caif/cfpkt_skbuff.c:286:3: note: ...this 'else' clause, but it is not
         else
         ^~~~
      
      It is clear from the context that not returning here would be
      a bug, as we'd end up passing a negative length into a function
      that takes a u16 length, so it is not missing curly braces
      here, and I'm assuming that the indentation is the only part
      that's wrong about it.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc43ac8b
    • Steven Rostedt's avatar
      Makefile: Mute warning for __builtin_return_address(>0) for tracing only · a52031be
      Steven Rostedt authored
      commit 377ccbb4 upstream.
      
      With the latest gcc compilers, they give a warning if
      __builtin_return_address() parameter is greater than 0. That is because if
      it is used by a function called by a top level function (or in the case of
      the kernel, by assembly), it can try to access stack frames outside the
      stack and crash the system.
      
      The tracing system uses __builtin_return_address() of up to 2! But it is
      well aware of the dangers that it may have, and has even added precautions
      to protect against it (see the thunk code in arch/x86/entry/thunk*.S)
      
      Linus originally added KBUILD_CFLAGS that would suppress the warning for the
      entire kernel, as simply adding KBUILD_CFLAGS to the tracing directory
      wouldn't work. The tracing directory plays a bit with the CFLAGS and
      requires a little more logic.
      
      This adds that special logic to only suppress the warning for the tracing
      directory. If it is used anywhere else outside of tracing, the warning will
      still be triggered.
      
      Link: http://lkml.kernel.org/r/20160728223043.51996267@grimm.local.homeTested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a52031be
    • Linus Torvalds's avatar
      Disable "frame-address" warning · a521e942
      Linus Torvalds authored
      commit 124a3d88 upstream.
      
      Newer versions of gcc warn about the use of __builtin_return_address()
      with a non-zero argument when "-Wall" is specified:
      
        kernel/trace/trace_irqsoff.c: In function ‘stop_critical_timings’:
        kernel/trace/trace_irqsoff.c:433:86: warning: calling ‘__builtin_return_address’ with a nonzero argument is unsafe [-Wframe-address]
           stop_critical_timing(CALLER_ADDR0, CALLER_ADDR1);
        [ .. repeats a few times for other similar cases .. ]
      
      It is true that a non-zero argument is somewhat dangerous, and we do not
      actually have very many uses of that in the kernel - but the ftrace code
      does use it, and as Stephen Rostedt says:
      
       "We are well aware of the danger of using __builtin_return_address() of
        > 0.  In fact that's part of the reason for having the "thunk" code in
        x86 (See arch/x86/entry/thunk_{64,32}.S).  [..] it adds extra frames
        when tracking irqs off sections, to prevent __builtin_return_address()
        from accessing bad areas.  In fact the thunk_32.S states: 'Trampoline to
        trace irqs off.  (otherwise CALLER_ADDR1 might crash)'."
      
      For now, __builtin_return_address() with a non-zero argument is the best
      we can do, and the warning is not helpful and can end up making people
      miss other warnings for real problems.
      
      So disable the frame-address warning on compilers that need it.
      Acked-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a521e942
    • Linus Torvalds's avatar
      Disable "maybe-uninitialized" warning globally · 3da2a4cb
      Linus Torvalds authored
      commit 6e8d666e upstream.
      
      Several build configurations had already disabled this warning because
      it generates a lot of false positives.  But some had not, and it was
      still enabled for "allmodconfig" builds, for example.
      
      Looking at the warnings produced, every single one I looked at was a
      false positive, and the warnings are frequent enough (and big enough)
      that they can easily hide real problems that you don't notice in the
      noise generated by -Wmaybe-uninitialized.
      
      The warning is good in theory, but this is a classic case of a warning
      that causes more problems than the warning can solve.
      
      If gcc gets better at avoiding false positives, we may be able to
      re-enable this warning.  But as is, we're better off without it, and I
      want to be able to see the *real* warnings.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3da2a4cb
    • Arnd Bergmann's avatar
      gcov: disable -Wmaybe-uninitialized warning · 7cd4d223
      Arnd Bergmann authored
      commit e72e2dfe upstream.
      
      When gcov profiling is enabled, we see a lot of spurious warnings about
      possibly uninitialized variables being used:
      
      arch/arm/mm/dma-mapping.c: In function 'arm_coherent_iommu_map_page':
      arch/arm/mm/dma-mapping.c:1085:16: warning: 'start' may be used uninitialized in this function [-Wmaybe-uninitialized]
      drivers/clk/st/clk-flexgen.c: In function 'st_of_flexgen_setup':
      drivers/clk/st/clk-flexgen.c:323:9: warning: 'num_parents' may be used uninitialized in this function [-Wmaybe-uninitialized]
      kernel/cgroup.c: In function 'cgroup_mount':
      kernel/cgroup.c:2119:11: warning: 'root' may be used uninitialized in this function [-Wmaybe-uninitialized]
      
      All of these are false positives, so it seems better to just disable
      the warnings whenever GCOV is enabled. Most users don't enable GCOV,
      and based on a prior patch, it is now also disabled for 'allmodconfig'
      builds, so there should be no downsides of doing this.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarPeter Oberparleiter <oberpar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cd4d223
    • Arnd Bergmann's avatar
      Kbuild: disable 'maybe-uninitialized' warning for CONFIG_PROFILE_ALL_BRANCHES · 60562377
      Arnd Bergmann authored
      commit 815eb71e upstream.
      
      CONFIG_PROFILE_ALL_BRANCHES confuses gcc-5.x to the degree that it prints
      incorrect warnings about a lot of variables that it thinks can be used
      uninitialized, e.g.:
      
      i2c/busses/i2c-diolan-u2c.c: In function 'diolan_usb_xfer':
      i2c/busses/i2c-diolan-u2c.c:391:16: warning: 'byte' may be used uninitialized in this function
      iio/gyro/itg3200_core.c: In function 'itg3200_probe':
      iio/gyro/itg3200_core.c:213:6: warning: 'val' may be used uninitialized in this function
      leds/leds-lp55xx-common.c: In function 'lp55xx_update_bits':
      leds/leds-lp55xx-common.c:350:6: warning: 'tmp' may be used uninitialized in this function
      misc/bmp085.c: In function 'show_pressure':
      misc/bmp085.c:363:10: warning: 'pressure' may be used uninitialized in this function
      power/ds2782_battery.c: In function 'ds2786_get_capacity':
      power/ds2782_battery.c:214:17: warning: 'raw' may be used uninitialized in this function
      
      These are all false positives that either rob someone's time when trying
      to figure out whether they are real, or they get people to send wrong
      patches to shut up the warnings.
      
      Nobody normally wants to run a CONFIG_PROFILE_ALL_BRANCHES kernel in
      production, so disabling the whole class of warnings for this configuration
      has no serious downsides either.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: Steven Rostedt <rostedtgoodmis.org>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      60562377
    • Robert Jarzmik's avatar
      kbuild: forbid kernel directory to contain spaces and colons · d772ec13
      Robert Jarzmik authored
      commit 51193b76 upstream.
      
      When the kernel path contains a space or a colon somewhere in the path
      name, the modules_install target doesn't work anymore, as the path names
      are not enclosed in double quotes. It is also supposed that and O= build
      will suffer from the same weakness as modules_install.
      
      Instead of checking and improving kbuild to resist to directories
      including these characters, error out early to prevent any build if the
      kernel's main directory contains a space.
      Signed-off-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d772ec13
    • Josh Poimboeuf's avatar
      tools: Support relative directory path for 'O=' · 9b6bbc3d
      Josh Poimboeuf authored
      commit e17cf3a8 upstream.
      
      Running "make O=foo" (with a relative directory path) fails with:
      
        scripts/Makefile.include:3: *** O=foo does not exist.  Stop.
        /home/jpoimboe/git/linux/Makefile:1547: recipe for target 'tools/objtool' failed
      
      The tools Makefile gets confused by the relative path and tries to build
      objtool in tools/foo.  Convert the output directory to an absolute path
      before passing it to the tools Makefile.
      Reported-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-next@vger.kernel.org
      Cc: linux@roeck-us.net
      Cc: live-patching@vger.kernel.org
      Link: http://lkml.kernel.org/r/94a078c6c998fac9f01a14f574008bf7dff40191.1457016803.git.jpoimboe@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b6bbc3d
    • Wang YanQing's avatar
      Makefile: revert "Makefile: Document ability to make file.lst and file.S" partially · 97283248
      Wang YanQing authored
      commit 40ab87a4 upstream.
      
      Commit 62718979 ("Makefile: Document ability to make file.lst
      and file.S") document ability to make file.S, but there isn't such
      ability in kbuild, so revert it.
      Signed-off-by: default avatarWang YanQing <udknight@gmail.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97283248
    • Michal Marek's avatar
      kbuild: Do not run modules_install and install in paralel · 252644d8
      Michal Marek authored
      commit a85a41ed upstream.
      
      Based on a x86-only patch by Andy Lutomirski <luto@amacapital.net>
      
      With modular kernels, 'make install' is going to need the installed
      modules at some point to generate the initramfs.
      Signed-off-by: default avatarMichal Marek <mmarek@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      252644d8
    • Ashish Samant's avatar
      ocfs2: fix start offset to ocfs2_zero_range_for_truncate() · cf5fa7b8
      Ashish Samant authored
      commit d21c353d upstream.
      
      If we punch a hole on a reflink such that following conditions are met:
      
      1. start offset is on a cluster boundary
      2. end offset is not on a cluster boundary
      3. (end offset is somewhere in another extent) or
         (hole range > MAX_CONTIG_BYTES(1MB)),
      
      we dont COW the first cluster starting at the start offset.  But in this
      case, we were wrongly passing this cluster to
      ocfs2_zero_range_for_truncate() to zero out.  This will modify the
      cluster in place and zero it in the source too.
      
      Fix this by skipping this cluster in such a scenario.
      
      To reproduce:
      
      1. Create a random file of say 10 MB
           xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile
      2. Reflink  it
           reflink -f 10MBfile reflnktest
      3. Punch a hole at starting at cluster boundary  with range greater that
      1MB. You can also use a range that will put the end offset in another
      extent.
           fallocate -p -o 0 -l 1048615 reflnktest
      4. sync
      5. Check the  first cluster in the source file. (It will be zeroed out).
          dd if=10MBfile iflag=direct bs=<cluster size> count=1 | hexdump -C
      
      Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.comSigned-off-by: default avatarAshish Samant <ashish.samant@oracle.com>
      Reported-by: default avatarSaar Maoz <saar.maoz@oracle.com>
      Reviewed-by: default avatarSrinivas Eeda <srinivas.eeda@oracle.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Cc: Eric Ren <zren@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf5fa7b8
    • Joseph Qi's avatar
      ocfs2/dlm: fix race between convert and migration · f1ce664e
      Joseph Qi authored
      commit e6f0c6e6 upstream.
      
      Commit ac7cf246 ("ocfs2/dlm: fix race between convert and recovery")
      checks if lockres master has changed to identify whether new master has
      finished recovery or not.  This will introduce a race that right after
      old master does umount ( means master will change), a new convert
      request comes.
      
      In this case, it will reset lockres state to DLM_RECOVERING and then
      retry convert, and then fail with lockres->l_action being set to
      OCFS2_AST_INVALID, which will cause inconsistent lock level between
      ocfs2 and dlm, and then finally BUG.
      
      Since dlm recovery will clear lock->convert_pending in
      dlm_move_lockres_to_recovery_list, we can use it to correctly identify
      the race case between convert and recovery.  So fix it.
      
      Fixes: ac7cf246 ("ocfs2/dlm: fix race between convert and recovery")
      Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.comSigned-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Signed-off-by: default avatarJun Piao <piaojun@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1ce664e
    • Herbert Xu's avatar
      crypto: echainiv - Replace chaining with multiplication · 2426cdb3
      Herbert Xu authored
      commit 53a5d5dd upstream.
      
      The current implementation uses a global per-cpu array to store
      data which are used to derive the next IV.  This is insecure as
      the attacker may change the stored data.
      
      This patch removes all traces of chaining and replaces it with
      multiplication of the salt and the sequence number.
      
      Fixes: a10f554f ("crypto: echainiv - Add encrypted chain IV...")
      Reported-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2426cdb3
    • Herbert Xu's avatar
      crypto: skcipher - Fix blkcipher walk OOM crash · 1c95a8a4
      Herbert Xu authored
      commit acdb04d0 upstream.
      
      When we need to allocate a temporary blkcipher_walk_next and it
      fails, the code is supposed to take the slow path of processing
      the data block by block.  However, due to an unrelated change
      we instead end up dereferencing the NULL pointer.
      
      This patch fixes it by moving the unrelated bsize setting out
      of the way so that we enter the slow path as inteded.
      
      Fixes: 7607bd8f ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
      Reported-by: default avatarxiakaixu <xiakaixu@huawei.com>
      Reported-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Tested-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c95a8a4
    • Ard Biesheuvel's avatar
      crypto: arm/aes-ctr - fix NULL dereference in tail processing · 9246fd26
      Ard Biesheuvel authored
      commit f82e90b2 upstream.
      
      The AES-CTR glue code avoids calling into the blkcipher API for the
      tail portion of the walk, by comparing the remainder of walk.nbytes
      modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight
      into the tail processing block if they are equal. This tail processing
      block checks whether nbytes != 0, and does nothing otherwise.
      
      However, in case of an allocation failure in the blkcipher layer, we
      may enter this code with walk.nbytes == 0, while nbytes > 0. In this
      case, we should not dereference the source and destination pointers,
      since they may be NULL. So instead of checking for nbytes != 0, check
      for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in
      non-error conditions.
      
      Fixes: 86464859 ("crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions")
      Reported-by: default avatarxiakaixu <xiakaixu@huawei.com>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9246fd26
    • Ard Biesheuvel's avatar
      crypto: arm64/aes-ctr - fix NULL dereference in tail processing · 3e2d986d
      Ard Biesheuvel authored
      commit 2db34e78 upstream.
      
      The AES-CTR glue code avoids calling into the blkcipher API for the
      tail portion of the walk, by comparing the remainder of walk.nbytes
      modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight
      into the tail processing block if they are equal. This tail processing
      block checks whether nbytes != 0, and does nothing otherwise.
      
      However, in case of an allocation failure in the blkcipher layer, we
      may enter this code with walk.nbytes == 0, while nbytes > 0. In this
      case, we should not dereference the source and destination pointers,
      since they may be NULL. So instead of checking for nbytes != 0, check
      for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in
      non-error conditions.
      
      Fixes: 49788fe2 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
      Reported-by: default avatarxiakaixu <xiakaixu@huawei.com>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e2d986d
    • Eric Dumazet's avatar
      tcp: properly scale window in tcp_v[46]_reqsk_send_ack() · c867a112
      Eric Dumazet authored
      [ Upstream commit 20a2b49f ]
      
      When sending an ack in SYN_RECV state, we must scale the offered
      window if wscale option was negotiated and accepted.
      
      Tested:
       Following packetdrill test demonstrates the issue :
      
      0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
      +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
      
      +0 bind(3, ..., ...) = 0
      +0 listen(3, 1) = 0
      
      // Establish a connection.
      +0 < S 0:0(0) win 20000 <mss 1000,sackOK,wscale 7, nop, TS val 100 ecr 0>
      +0 > S. 0:0(0) ack 1 win 28960 <mss 1460,sackOK, TS val 100 ecr 100, nop, wscale 7>
      
      +0 < . 1:11(10) ack 1 win 156 <nop,nop,TS val 99 ecr 100>
      // check that window is properly scaled !
      +0 > . 1:1(0) ack 1 win 226 <nop,nop,TS val 200 ecr 100>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Tested-by: default avatarHolger Hoffstätte <holger@applied-asynchrony.com>
      c867a112
    • Eric Dumazet's avatar
      tcp: fix use after free in tcp_xmit_retransmit_queue() · 0f55fa75
      Eric Dumazet authored
      [ Upstream commit bb1fceca ]
      
      When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
      tail of the write queue using tcp_add_write_queue_tail()
      
      Then it attempts to copy user data into this fresh skb.
      
      If the copy fails, we undo the work and remove the fresh skb.
      
      Unfortunately, this undo lacks the change done to tp->highest_sack and
      we can leave a dangling pointer (to a freed skb)
      
      Later, tcp_xmit_retransmit_queue() can dereference this pointer and
      access freed memory. For regular kernels where memory is not unmapped,
      this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
      returning garbage instead of tp->snd_nxt, but with various debug
      features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
      
      This bug was found by Marco Grassi thanks to syzkaller.
      
      Fixes: 6859d494 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
      Reported-by: default avatarMarco Grassi <marco.gra@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Reviewed-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Tested-by: default avatarHolger Hoffstätte <holger@applied-asynchrony.com>
      0f55fa75