2016-04-27 00:40:53

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 000/115] 3.2.80-rc1 review

This is the start of the stable review cycle for the 3.2.80 release.
There are 115 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Apr 30 22:00:00 UTC 2016.
Anything received after that time might be too late.

A combined patch relative to 3.2.79 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Andy Lutomirski (2):
x86/iopl/64: Properly context-switch IOPL on Xen PV
[b7a584598aea7ca73140cb87b40319944dd3393f]
x86/iopl: Fix iopl capability check on Xen PV
[c29016cf41fe9fa994a5ecca607cf5f1cd98801e]

Arnaldo Carvalho de Melo (1):
net: Fix use after free in the recvmmsg exit path
[34b88a68f26a75e4fded796f1a49c40f82234b7d]

Arnd Bergmann (4):
ath9k: fix buffer overrun for ar9287
[83d6f1f15f8cce844b0a131cbc63e444620e48b5]
farsync: fix off-by-one bug in fst_add_one
[e725a66c0202b5f36c2f9d59d26a65c53bbf21f7]
lpfc: fix misleading indentation
[aeb6641f8ebdd61939f462a8255b316f9bfab707]
mac80211: avoid excessive stack usage in sta_info
[0ef049dc1167fe834d0ad5d63f89eddc5c70f6e4]

Aurelien Jacquiot (1):
rapidio/rionet: fix deadlock on SMP
[36915976eca58f2eefa040ba8f9939672564df61]

Benjamin Tissoires (1):
Input: synaptics - handle spurious release of trackstick buttons, again
[82be788c96ed5978d3cb4a00079e26b981a3df3f]

Bjorn Helgaas (2):
PCI: Disable IO/MEM decoding for devices with non-compliant BARs
[b84106b4e2290c081cdab521fa832596cdfea246]
x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs
[b894157145e4ac7598d7062bc93320898a5e059e]

Bjørn Mork (1):
cdc_ncm: toggle altsetting to force reset before setup
[48906f62c96cc2cd35753e59310cb70eb08cc6a5]

Boris Ostrovsky (1):
xen/events: Mask a moving irq
[ff1e22e7a638a0782f54f81a6c9cb139aca2da35]

Dan Carpenter (2):
EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
[6f3508f61c814ee852c199988a62bd954c50dfc1]
ethernet: micrel: fix some error codes
[3af0d554c1ce11e9d0953381ff566271f9ab81a9]

David S. Miller (1):
ipv4: Don't do expensive useless work during inetdev destroy.
[fbd40ea0180a2d328c5adc61414dc8bab9335ce2]

Diego Viola (1):
net: jme: fix suspend/resume on JMC260
[ee50c130c82175eaa0820c96b6d3763928af2241]

DingXiang (1):
dm snapshot: disallow the COW and origin devices from being identical
[4df2bf466a9c9c92f40d27c4aa9120f4e8227bfc]

Dmitry Tunin (4):
Bluetooth: Add new AR3012 ID 0489:e095
[28c971d82fb58ef7cba22e5308be6d2d2590473d]
Bluetooth: btusb: Add a new AR3012 ID 04ca:3014
[81d90442eac779938217c3444b240aa51fd3db47]
Bluetooth: btusb: Add a new AR3012 ID 13d3:3472
[75c6aca4765dbe3d0c1507ab5052f2e373dc2331]
Bluetooth: btusb: Add new AR3012 ID 13d3:3395
[609574eb46335cfac1421a07c0505627cbbab1f0]

Douglas Gilbert (1):
sg: fix dxferp in from_to case
[5ecee0a3ee8d74b6950cb41e8989b0c2174568d4]

Eric Dumazet (3):
ipv4: fix memory leaks in ip_cmsg_send() callers
[919483096bfe75dda338e98d56da91a263746a0a]
ipv6: update skb->csum when CE mark is propagated
[34ae6a1aa0540f0f781dd265366036355fdc8930]
phonet: properly unshare skbs in phonet_rcv()
[7aaed57c5c2890634cfadf725173c7c68ea4cb4f]

Eryu Guan (1):
ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()
[5e1021f2b6dff1a86a468a1424d59faae2bc63c1]

Florian Westphal (4):
connector: bump skb->users before callback invocation
[55285bf09427c5abf43ee1d54e892f352092b1f1]
netfilter: x_tables: fix unconditional helper
[54d83fc74aa9ec72794373cb47432c5f7fb1a309]
netfilter: x_tables: make sure e->next_offset covers remaining blob size
[6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91]
netfilter: x_tables: validate e->target_offset early
[bdf533de6968e9686df777dc178486f600c6e617]

Geert Uytterhoeven (2):
rtc: vr41xx: Wire up alarm_irq_enable
[a25f4a95ec3cded34c1250364eba704c5e4fdac4]
serial: sh-sci: Remove cpufreq notifier to fix crash/deadlock
[ff1cab374ad98f4b9f408525ca9c08992b4ed784]

Guenter Roeck (2):
MAINTAINERS: Update mailing list and web page for hwmon subsystem
[968ce1b1f45a7d76b5471b19bd035dbecc72f32d]
hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated
[3c2e2266a5bd2d1cef258e6e54dca1d99946379f]

Guillaume Nault (3):
ppp: ensure file->private_data can't be overridden
[e8e56ffd9d2973398b60ece1f1bebb8d67b4d032]
ppp: take reference on channels netns
[1f461dcdd296eecedaffffc6bae2bfa90bd7eb89]
pppoe: fix reference counting in PPPoE proxy
[29e73269aa4d36f92b35610c25f8b01c789b0dc8]

Guo-Fu Tseng (2):
jme: Do not enable NIC WoL functions on S0
[0772a99b818079e628a1da122ac7ee023faed83e]
jme: Fix device PM wakeup API usage
[81422e672f8181d7ad1ee6c60c723aac649f538f]

Haishuang Yan (1):
ipv4: l2tp: fix a potential issue in l2tp_ip_recv
[5745b8232e942abd5e16e85fa9b27cc21324acf0]

Hangbin Liu (1):
net/ipv6: add sysctl option accept_ra_min_hop_limit
[8013d1d7eafb0589ca766db6b74026f76b7f5cb4]

Hannes Frederic Sowa (1):
bridge: Only call /sbin/bridge-stp for the initial network namespace
[ff62198553e43cdffa9d539f6165d3e83f8a42bc]

Hannes Reinecke (1):
bio: return EINTR if copying to user space got interrupted
[2d99b55d378c996b9692a0c93dd25f4ed5d58934]

Hans de Goede (3):
[media] bttv: Width must be a multiple of 16 when capturing planar formats
[5c915c68763889f0183a1cc61c84bb228b60124a]
[media] pwc: Add USB id for Philips Spc880nc webcam
[7445e45d19a09e5269dc85f17f9635be29d2f76c]
[media] saa7134: Fix bytesperline not being set correctly for planar formats
[3e71da19f9dc22e39a755d6ae9678661abb66adc]

Hector Marco-Gisbert (1):
x86/mm/32: Enable full randomization on i386 and X86_32
[8b8addf891de8a00e4d39fc32f93f7c5eb8feceb]

Helge Deller (3):
parisc: Avoid function pointers for kernel exception routines
[e3893027a300927049efc1572f852201eb785142]
parisc: Fix kernel crash with reversed copy_from_user()
[ef72f3110d8b19f4c098a0bff7ed7d11945e70c6]
parisc: Unbreak handling exceptions from kernel modules
[2ef4dfd9d9f288943e249b78365a69e3ea3ec072]

Ignat Korchagin (1):
USB: usbip: fix potential out-of-bounds write
[b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb]

J. Bruce Fields (2):
nfsd4: fix bad bounds checking
[4aed9c46afb80164401143aa0fdcfe3798baa9d5]
nfsd: fix deadlock secinfo+readdir compound
[2f6fc056e899bd0144a08da5cacaecbe8997cd74]

Jakub Sitnicki (1):
ipv6: Count in extension headers in skb->network_header
[3ba3458fb9c050718b95275a3310b74415e767e2]

Jann Horn (1):
fs/coredump: prevent fsuid=0 dumps into user-controlled directories
[378c6520e7d29280f400ef2ceaf155c86f05a71a]

Joseph Qi (2):
ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
[be12b299a83fc807bbaccd2bcb8ec50cbb0cb55c]
ocfs2/dlm: fix race between convert and recovery
[ac7cf246dfdbec3d8fed296c7bf30e16f5099dac]

Josh Boyer (3):
Input: powermate - fix oops with malicious USB descriptors
[9c6ba456711687b794dcf285856fc14e2c76074f]
USB: iowarrior: fix oops with malicious USB descriptors
[4ec0ef3a82125efc36173062a50624550a900ae0]
USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
[ea6db90e750328068837bed34cb1302b7a177339]

Kees Cook (1):
x86: standardize mmap_rnd() usage
[82168140bc4cec7ec9bad39705518541149ff8b7]

Manfred Rudigier (1):
net: dp83640: Fix tx timestamp overflow handling.
[81e8f2e930fe76b9814c71b9d87c30760b5eb705]

Manish Chopra (1):
qlge: Fix receive packets drop.
[2c9a266afefe137bff06bbe0fc48b4d3b3cb348c]

Marco Angaroni (1):
ipvs: correct initial offset of Call-ID header search in SIP persistence engine
[7617a24f83b5d67f4dab1844956be1cebc44aec8]

Mario Kleiner (1):
drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.
[459ee1c3fd097ab56ababd8ff4bb7ef6a792de33]

Martin K. Petersen (1):
sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes
[f08bb1e0dbdd0297258d0b8cd4dbfcc057e57b2a]

Martyn Welch (1):
USB: serial: cp210x: Adding GE Healthcare Device ID
[cddc9434e3dcc37a85c4412fb8e277d3a582e456]

Mateusz Guzik (1):
xfs: fix two memory leaks in xfs_attr_list.c error paths
[2e83b79b2d6c78bf1b4aa227938a214dcbddc83f]

Maurizio Lombardi (1):
be2iscsi: set the boot_kset pointer to NULL in case of failure
[84bd64993f916bcf86270c67686ecf4cea7b8933]

Michael Hennerich (1):
drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
[f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577]

Michael S. Tsirkin (1):
watchdog: rc32434_wdt: fix ioctl error handling
[10e7ac22cdd4d211cef99afcb9371b70cb175be6]

Nate Dailey (1):
raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang
[ccfc7bf1f09d6190ef86693ddc761d5fe3fa47cb]

Neal Cardwell (1):
tcp_yeah: don't set ssthresh below 2
[83d15e70c4d8909d722c0d64747d8fb42e38a48f]

Neil Horman (1):
sctp: Fix port hash table size computation
[d9749fb5942f51555dc9ce1ac0dbb1806960a975]

OGAWA Hirofumi (1):
jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path
[c0a2ad9b50dd80eeccd73d9ff962234590d5ec93]

Oliver Neukum (8):
USB: cdc-acm: more sanity checking
[8835ba4a39cf53f705417b3b3a94eb067673f2c9]
USB: cypress_m8: add endpoint sanity check
[c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754]
USB: digi_acceleport: do sanity checking for the number of ports
[5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f]
USB: mct_u232: add sanity checking in probe
[4e9a0b05257f29cf4b75f3209243ed71614d062e]
USB: usb_driver_claim_interface: add sanity checking
[0b818e3956fc1ad976bee791eadcbb3b5fec5bfd]
usb: hub: fix a typo in hub_port_init() leading to wrong logic
[0d5ce778c43bf888328231bcdce05d5c860655aa]
usb: retry reset if a device times out
[264904ccc33c604d4b3141bbd33808152dfac45b]
usbnet: cleanup after bind() in probe()
[1666984c8625b3db19a9abc298931d35ab7bc64b]

Paolo Abeni (1):
ipv6/udp: use sticky pktinfo egress ifindex on connect()
[1cdda91871470f15e79375991bd2eddc6e86ddb1]

Peter Hurley (1):
net: irda: Fix use-after-free in irtty_open()
[401879c57f01cbf2da204ad2e8db910525c6dbea]

Rabin Vincent (1):
splice: handle zero nr_pages in splice_to_pipe()
[d6785d9152147596f60234157da2b02540c3e60f]

Radim Krčmář (1):
KVM: i8254: change PIT discard tick policy
[7dd0fdff145c5be7146d0ac06732ae3613412ac1]

Raghava Aditya Renukunta (1):
aacraid: Fix memory leak in aac_fib_map_free
[f88fa79a61726ce9434df9b4aede36961f709f17]

Sebastian Frias (1):
8250: use callbacks to access UART_DLL/UART_DLM
[0b41ce991052022c030fd868e03877700220b090]

Sergei Shtylyov (1):
sh_eth: fix NULL pointer dereference in sh_eth_ring_format()
[c1b7fca65070bfadca94dd53a4e6b71cd4f69715]

Shaohua Li (1):
raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang
[23ddba80ebe836476bb2fa1f5ef305dd1c63dc0b]

Steven Rostedt (2):
tracing: Fix crash from reading trace_pipe with sendfile
[a29054d9478d0435ab01b7544da4f674ab13f533]
tracing: Have preempt(irqs)off trace preempt disabled functions
[cb86e05390debcc084cfdb0a71ed4c5dbbec517d]

[email protected] (1):
xfrm: Fix crash observed during device unregistration and decryption
[071d36bf21bcc837be00cea55bcef8d129e7f609]

Sudip Mukherjee (1):
mac80211: fix memory leak
[ea32f065bd3e3e09f0bcb3042f1664caf6b3e233]

Takashi Iwai (4):
ALSA: timer: Use mod_timer() for rearming the system timer
[4a07083ed613644c96c34a7dd2853dc5d7c70902]
ALSA: usb-audio: Add sanity checks for endpoint accesses
[447d6275f0c21f6cc97a88b3a0c601436a4cdf2a]
ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
[0f886ca12765d20124bd06291c82951fd49a33be]
ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
[902eb7fd1e4af3ac69b9b30f8373f118c92b9729]

Thomas Gleixner (1):
sched/cputime: Fix steal time accounting vs. CPU hotplug
[e9532e69b8d1d1284e8ecf8d2586de34aec61244]

Ursula Braun (1):
af_iucv: Validate socket address length in iucv_sock_bind()
[52a82e23b9f2a9e1d429c5207f8575784290d008]

Vijay Pandurangan (1):
veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
[ce8c839b74e3017996fad4e1b7ba2e2625ede82f]

Vittorio Gambaletta (1):
ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.
[4061db03dd71d195b9973ee466f6ed32f6a3fc16]

Vladis Dronov (2):
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
[836b34a935abc91e13e63053d0a83b24dfb5ea78]
Input: ati_remote2 - fix crashes on detecting device with invalid descriptor
[950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d]

Willem de Bruijn (3):
ax25: add link layer header validation function
[ea47781c26510e5d97f80f9aceafe9065bd5e3aa]
macvtap: always pass ethernet header in linear
[8e2ad4113ce4671686740f808ff2795395c39eef]
net: validate variable length ll headers
[2793a23aacbd754dbbb5cb75093deb7e4103bace]

Xin Long (2):
sctp: lack the check for ports in sctp_v6_cmp_addr
[40b4f0fd74e46c017814618d67ec9127ff20f157]
sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close
[068d8bd338e855286aea54e70d1c101569284b21]

Yoshihiro Shimoda (3):
usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
[894f2fc44f2f3f48c36c973b1123f6ab298be160]
usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
[6490865c67825277b29638e839850882600b48ec]
usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done()
[4fccb0767fdbdb781a9c5b5c15ee7b219443c89d]

Yuki Shibuya (1):
KVM: x86: Inject pending interrupt even if pending nmi exist
[321c5658c5e9192dea0d58ab67cf1791e45b2b26]

Documentation/networking/ip-sysctl.txt | 8 +++
MAINTAINERS | 82 ++++++++++++++--------------
Makefile | 4 +-
arch/parisc/include/asm/uaccess.h | 1 +
arch/parisc/kernel/asm-offsets.c | 1 +
arch/parisc/kernel/parisc_ksyms.c | 10 ++--
arch/parisc/kernel/traps.c | 3 +
arch/parisc/lib/fixup.S | 6 ++
arch/parisc/mm/fault.c | 1 +
arch/um/drivers/mconsole_kern.c | 2 +-
arch/x86/include/asm/xen/hypervisor.h | 2 +
arch/x86/kernel/ioport.c | 7 ++-
arch/x86/kernel/process_64.c | 12 ++++
arch/x86/kvm/i8254.c | 12 ++--
arch/x86/kvm/x86.c | 12 ++--
arch/x86/mm/mmap.c | 44 ++++++---------
arch/x86/pci/fixup.c | 7 +++
arch/x86/xen/enlighten.c | 2 +-
drivers/bluetooth/ath3k.c | 8 +++
drivers/bluetooth/btusb.c | 4 ++
drivers/connector/connector.c | 11 +---
drivers/edac/amd64_edac.c | 2 +-
drivers/gpu/drm/radeon/atombios_encoders.c | 6 +-
drivers/hwmon/max1111.c | 6 ++
drivers/input/misc/ati_remote2.c | 36 ++++++++++--
drivers/input/misc/powermate.c | 3 +
drivers/input/mouse/synaptics.c | 5 +-
drivers/md/dm-snap.c | 9 +++
drivers/md/dm-table.c | 37 +++++++++----
drivers/md/raid1.c | 7 ++-
drivers/md/raid10.c | 7 ++-
drivers/media/video/bt8xx/bttv-driver.c | 26 +++++++--
drivers/media/video/pwc/pwc-if.c | 6 ++
drivers/media/video/saa7134/saa7134-video.c | 18 ++++--
drivers/misc/ad525x_dpot.c | 2 +-
drivers/net/ethernet/jme.c | 26 +++++----
drivers/net/ethernet/micrel/ks8842.c | 10 ++--
drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11 ++++
drivers/net/ethernet/renesas/sh_eth.c | 3 +-
drivers/net/irda/irtty-sir.c | 10 ----
drivers/net/macvtap.c | 9 ++-
drivers/net/phy/dp83640.c | 17 ++++++
drivers/net/ppp/ppp_generic.c | 35 +++++++-----
drivers/net/ppp/pppoe.c | 2 +
drivers/net/rionet.c | 4 +-
drivers/net/usb/cdc_ncm.c | 6 +-
drivers/net/usb/usbnet.c | 7 +++
drivers/net/veth.c | 5 --
drivers/net/wan/farsync.c | 2 +-
drivers/net/wireless/ath/ath9k/eeprom.c | 7 +--
drivers/pci/probe.c | 14 +++++
drivers/rtc/rtc-vr41xx.c | 13 +++--
drivers/scsi/aacraid/commsup.c | 9 ++-
drivers/scsi/be2iscsi/be_main.c | 1 +
drivers/scsi/lpfc/lpfc_init.c | 5 +-
drivers/scsi/sd.c | 23 +++-----
drivers/scsi/sd.h | 7 ++-
drivers/scsi/sg.c | 3 +-
drivers/staging/usbip/usbip_common.c | 11 ++++
drivers/tty/serial/8250.c | 18 ++----
drivers/tty/serial/sh-sci.c | 37 -------------
drivers/usb/class/cdc-acm.c | 3 +
drivers/usb/core/driver.c | 6 +-
drivers/usb/core/hub.c | 16 ++++--
drivers/usb/misc/iowarrior.c | 6 ++
drivers/usb/renesas_usbhs/fifo.c | 4 +-
drivers/usb/renesas_usbhs/mod_gadget.c | 6 +-
drivers/usb/serial/cp210x.c | 1 +
drivers/usb/serial/cypress_m8.c | 11 ++--
drivers/usb/serial/digi_acceleport.c | 18 ++++++
drivers/usb/serial/ftdi_sio.c | 4 ++
drivers/usb/serial/ftdi_sio_ids.h | 8 +++
drivers/usb/serial/mct_u232.c | 6 ++
drivers/watchdog/rc32434_wdt.c | 2 +-
drivers/xen/events.c | 34 ++++++++++--
fs/bio.c | 12 ++--
fs/exec.c | 30 ++++++++--
fs/ext4/inode.c | 6 +-
fs/fhandle.c | 2 +-
fs/jbd2/journal.c | 17 ++++--
fs/nfsd/nfs4proc.c | 1 +
fs/nfsd/nfs4xdr.c | 13 +++--
fs/ocfs2/dlm/dlmconvert.c | 24 +++++++-
fs/ocfs2/dlm/dlmrecovery.c | 1 -
fs/open.c | 6 +-
fs/splice.c | 3 +
fs/xfs/xfs_attr_leaf.c | 19 ++++---
include/linux/device-mapper.h | 2 +
include/linux/fs.h | 2 +-
include/linux/ipv6.h | 3 +
include/linux/netdevice.h | 21 ++++++-
include/linux/pci.h | 1 +
include/net/inet_ecn.h | 19 ++++++-
kernel/sched.c | 14 +++++
kernel/sysctl_binary.c | 2 +-
kernel/trace/trace.c | 5 +-
kernel/trace/trace_irqsoff.c | 8 ++-
net/ax25/ax25_ip.c | 15 +++++
net/bridge/br_stp_if.c | 5 +-
net/ipv4/devinet.c | 4 ++
net/ipv4/fib_frontend.c | 4 ++
net/ipv4/ip_gre.c | 2 +-
net/ipv4/ip_sockglue.c | 2 +
net/ipv4/netfilter/arp_tables.c | 41 +++++++-------
net/ipv4/netfilter/ip_tables.c | 46 ++++++++--------
net/ipv4/netfilter/ipt_MASQUERADE.c | 12 +++-
net/ipv4/ping.c | 4 +-
net/ipv4/raw.c | 4 +-
net/ipv4/tcp_yeah.c | 2 +-
net/ipv4/udp.c | 4 +-
net/ipv6/addrconf.c | 10 ++++
net/ipv6/datagram.c | 3 +
net/ipv6/ip6_output.c | 9 ++-
net/ipv6/ip6_tunnel.c | 2 +-
net/ipv6/ndisc.c | 16 +++---
net/ipv6/netfilter/ip6_tables.c | 46 ++++++++--------
net/ipv6/sit.c | 2 +-
net/ipv6/xfrm6_mode_tunnel.c | 2 +-
net/iucv/af_iucv.c | 3 +
net/l2tp/l2tp_ip.c | 8 ++-
net/mac80211/sta_info.c | 17 ++++--
net/netfilter/ipvs/ip_vs_pe_sip.c | 2 +-
net/phonet/af_phonet.c | 4 ++
net/sctp/ipv6.c | 2 +
net/sctp/protocol.c | 47 +++++++++++++---
net/sctp/sm_statefuns.c | 6 +-
net/sctp/socket.c | 3 +-
net/socket.c | 38 ++++++-------
net/xfrm/xfrm_input.c | 3 +
sound/core/timer.c | 4 +-
sound/pci/intel8x0.c | 1 +
sound/usb/clock.c | 2 +
sound/usb/pcm.c | 2 +
sound/usb/quirks.c | 26 ++++++---
sound/usb/stream.c | 6 +-
135 files changed, 970 insertions(+), 479 deletions(-)

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.


2016-04-26 23:13:38

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 016/115] nfsd4: fix bad bounds checking

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <[email protected]>

commit 4aed9c46afb80164401143aa0fdcfe3798baa9d5 upstream.

A number of spots in the xdr decoding follow a pattern like

n = be32_to_cpup(p++);
READ_BUF(n + 4);

where n is a u32. The only bounds checking is done in READ_BUF itself,
but since it's checking (n + 4), it won't catch cases where n is very
large, (u32)(-4) or higher. I'm not sure exactly what the consequences
are, but we've seen crashes soon after.

Instead, just break these up into two READ_BUF()s.

Signed-off-by: J. Bruce Fields <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfsd/nfs4xdr.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -931,8 +931,9 @@ nfsd4_decode_rename(struct nfsd4_compoun

READ_BUF(4);
READ32(rename->rn_snamelen);
- READ_BUF(rename->rn_snamelen + 4);
+ READ_BUF(rename->rn_snamelen);
SAVEMEM(rename->rn_sname, rename->rn_snamelen);
+ READ_BUF(4);
READ32(rename->rn_tnamelen);
READ_BUF(rename->rn_tnamelen);
SAVEMEM(rename->rn_tname, rename->rn_tnamelen);
@@ -1009,13 +1010,14 @@ nfsd4_decode_setclientid(struct nfsd4_co
READ_BUF(8);
READ32(setclientid->se_callback_prog);
READ32(setclientid->se_callback_netid_len);
-
- READ_BUF(setclientid->se_callback_netid_len + 4);
+ READ_BUF(setclientid->se_callback_netid_len);
SAVEMEM(setclientid->se_callback_netid_val, setclientid->se_callback_netid_len);
+ READ_BUF(4);
READ32(setclientid->se_callback_addr_len);

- READ_BUF(setclientid->se_callback_addr_len + 4);
+ READ_BUF(setclientid->se_callback_addr_len);
SAVEMEM(setclientid->se_callback_addr_val, setclientid->se_callback_addr_len);
+ READ_BUF(4);
READ32(setclientid->se_callback_ident);

DECODE_TAIL;
@@ -1584,8 +1586,9 @@ nfsd4_decode_compound(struct nfsd4_compo
*/
READ_BUF(4);
READ32(argp->taglen);
- READ_BUF(argp->taglen + 8);
+ READ_BUF(argp->taglen);
SAVEMEM(argp->tag, argp->taglen);
+ READ_BUF(8);
READ32(argp->minorversion);
READ32(argp->opcnt);


2016-04-26 23:15:46

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 103/115] cdc_ncm: toggle altsetting to force reset before setup

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <[email protected]>

[ Upstream commit 48906f62c96cc2cd35753e59310cb70eb08cc6a5 ]

Some devices will silently fail setup unless they are reset first.
This is necessary even if the data interface is already in
altsetting 0, which it will be when the device is probed for the
first time. Briefly toggling the altsetting forces a function
reset regardless of the initial state.

This fixes a setup problem observed on a number of Huawei devices,
appearing to operate in NTB-32 mode even if we explicitly set them
to NTB-16 mode.

Signed-off-by: Bjørn Mork <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: hard-code 1 for data_altsetting]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/usb/cdc_ncm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -550,7 +550,11 @@ advance:

iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber;

- /* reset data interface */
+ /* Reset data interface. Some devices will not reset properly
+ * unless they are configured first. Toggle the altsetting to
+ * force a reset
+ */
+ usb_set_interface(dev->udev, iface_no, 1);
temp = usb_set_interface(dev->udev, iface_no, 0);
if (temp)
goto error2;

2016-04-26 23:15:49

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 087/115] connector: bump skb->users before callback invocation

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal <[email protected]>

[ Upstream commit 55285bf09427c5abf43ee1d54e892f352092b1f1 ]

Dmitry reports memleak with syskaller program.
Problem is that connector bumps skb usecount but might not invoke callback.

So move skb_get to where we invoke the callback.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/connector/connector.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)

--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -154,26 +154,21 @@ static int cn_call_callback(struct sk_bu
*
* It checks skb, netlink header and msg sizes, and calls callback helper.
*/
-static void cn_rx_skb(struct sk_buff *__skb)
+static void cn_rx_skb(struct sk_buff *skb)
{
struct nlmsghdr *nlh;
- struct sk_buff *skb;
int len, err;

- skb = skb_get(__skb);
-
if (skb->len >= NLMSG_SPACE(0)) {
nlh = nlmsg_hdr(skb);
len = nlmsg_len(nlh);

if (len < (int)sizeof(struct cn_msg) ||
skb->len < nlh->nlmsg_len ||
- len > CONNECTOR_MAX_MSG_SIZE) {
- kfree_skb(skb);
+ len > CONNECTOR_MAX_MSG_SIZE)
return;
- }

- err = cn_call_callback(skb);
+ err = cn_call_callback(skb_get(skb));
if (err < 0)
kfree_skb(skb);
}

2016-04-26 23:16:19

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 110/115] xfrm: Fix crash observed during device unregistration and decryption

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "[email protected]" <[email protected]>

[ Upstream commit 071d36bf21bcc837be00cea55bcef8d129e7f609 ]

A crash is observed when a decrypted packet is processed in receive
path. get_rps_cpus() tries to dereference the skb->dev fields but it
appears that the device is freed from the poison pattern.

[<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
[<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
[<ffffffc000af6094>] netif_rx+0x74/0x94
[<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
[<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
[<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
[<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
[<ffffffc0000b7324>] worker_thread+0x2f8/0x418
[<ffffffc0000bb40c>] kthread+0xe0/0xec

-013|get_rps_cpu(
| dev = 0xFFFFFFC08B688000,
| skb = 0xFFFFFFC0C76AAC00 -> (
| dev = 0xFFFFFFC08B688000 -> (
| name =
"......................................................
| name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
0xAAAAAAAAAAA

Following are the sequence of events observed -

- Encrypted packet in receive path from netdevice is queued
- Encrypted packet queued for decryption (asynchronous)
- Netdevice brought down and freed
- Packet is decrypted and returned through callback in esp_input_done
- Packet is queued again for process in network stack using netif_rx

Since the device appears to have been freed, the dereference of
skb->dev in get_rps_cpus() leads to an unhandled page fault
exception.

Fix this by holding on to device reference when queueing packets
asynchronously and releasing the reference on call back return.

v2: Make the change generic to xfrm as mentioned by Steffen and
update the title to xfrm

Suggested-by: Herbert Xu <[email protected]>
Signed-off-by: Jerome Stanislaus <[email protected]>
Signed-off-by: Subash Abhinov Kasiviswanathan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/xfrm/xfrm_input.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -191,6 +191,7 @@ int xfrm_input(struct sk_buff *skb, int
XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;

skb_dst_force(skb);
+ dev_hold(skb->dev);

nexthdr = x->type->input(x, skb);

@@ -198,6 +199,8 @@ int xfrm_input(struct sk_buff *skb, int
return 0;

resume:
+ dev_put(skb->dev);
+
spin_lock(&x->lock);
if (nexthdr <= 0) {
if (nexthdr == -EBADMSG) {

2016-04-26 23:16:25

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 030/115] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Vittorio Gambaletta (VittGam)" <[email protected]>

commit 4061db03dd71d195b9973ee466f6ed32f6a3fc16 upstream.

The clock measurement on the AC'97 audio card found in the IBM ThinkPad X41
will often fail, so add a quirk entry to fix it.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=441087
Signed-off-by: Vittorio Gambaletta <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/pci/intel8x0.c | 1 +
1 file changed, 1 insertion(+)

--- a/sound/pci/intel8x0.c
+++ b/sound/pci/intel8x0.c
@@ -2858,6 +2858,7 @@ static void __devinit intel8x0_measure_a

static struct snd_pci_quirk intel8x0_clock_list[] __devinitdata = {
SND_PCI_QUIRK(0x0e11, 0x008a, "AD1885", 41000),
+ SND_PCI_QUIRK(0x1014, 0x0581, "AD1981B", 48000),
SND_PCI_QUIRK(0x1028, 0x00be, "AD1885", 44100),
SND_PCI_QUIRK(0x1028, 0x0177, "AD1980", 48000),
SND_PCI_QUIRK(0x1028, 0x01ad, "AD1981B", 48000),

2016-04-26 23:16:42

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 031/115] rtc: vr41xx: Wire up alarm_irq_enable

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <[email protected]>

commit a25f4a95ec3cded34c1250364eba704c5e4fdac4 upstream.

drivers/rtc/rtc-vr41xx.c:229: warning: ‘vr41xx_rtc_alarm_irq_enable’ defined but not used

Apparently the conversion to alarm_irq_enable forgot to wire up the
callback.

Fixes: 16380c153a69c378 ("RTC: Convert rtc drivers to use the alarm_irq_enable method")
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Alexandre Belloni <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/rtc/rtc-vr41xx.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/rtc/rtc-vr41xx.c
+++ b/drivers/rtc/rtc-vr41xx.c
@@ -272,12 +272,13 @@ static irqreturn_t rtclong1_interrupt(in
}

static const struct rtc_class_ops vr41xx_rtc_ops = {
- .release = vr41xx_rtc_release,
- .ioctl = vr41xx_rtc_ioctl,
- .read_time = vr41xx_rtc_read_time,
- .set_time = vr41xx_rtc_set_time,
- .read_alarm = vr41xx_rtc_read_alarm,
- .set_alarm = vr41xx_rtc_set_alarm,
+ .release = vr41xx_rtc_release,
+ .ioctl = vr41xx_rtc_ioctl,
+ .read_time = vr41xx_rtc_read_time,
+ .set_time = vr41xx_rtc_set_time,
+ .read_alarm = vr41xx_rtc_read_alarm,
+ .set_alarm = vr41xx_rtc_set_alarm,
+ .alarm_irq_enable = vr41xx_rtc_alarm_irq_enable,
};

static int __devinit rtc_probe(struct platform_device *pdev)

2016-04-26 23:16:51

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 041/115] raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nate Dailey <[email protected]>

commit ccfc7bf1f09d6190ef86693ddc761d5fe3fa47cb upstream.

If raid1d is handling a mix of read and write errors, handle_read_error's
call to freeze_array can get stuck.

This can happen because, though the bio_end_io_list is initially drained,
writes can be added to it via handle_write_finished as the retry_list
is processed. These writes contribute to nr_pending but are not included
in nr_queued.

If a later entry on the retry_list triggers a call to handle_read_error,
freeze array hangs waiting for nr_pending == nr_queued+extra. The writes
on the bio_end_io_list aren't included in nr_queued so the condition will
never be satisfied.

To prevent the hang, include bio_end_io_list writes in nr_queued.

There's probably a better way to handle decrementing nr_queued, but this
seemed like the safest way to avoid breaking surrounding code.

I'm happy to supply the script I used to repro this hang.

Fixes: 55ce74d4bfe1b(md/raid1: ensure device failure recorded before write request returns.)
Signed-off-by: Nate Dailey <[email protected]>
Signed-off-by: Shaohua Li <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/raid1.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1976,6 +1976,7 @@ static void handle_write_finished(struct
if (fail) {
spin_lock_irq(&conf->device_lock);
list_add(&r1_bio->retry_list, &conf->bio_end_io_list);
+ conf->nr_queued++;
spin_unlock_irq(&conf->device_lock);
md_wakeup_thread(conf->mddev->thread);
} else {
@@ -2090,8 +2091,10 @@ static void raid1d(struct mddev *mddev)
LIST_HEAD(tmp);
spin_lock_irqsave(&conf->device_lock, flags);
if (!test_bit(MD_CHANGE_PENDING, &mddev->flags)) {
- list_add(&tmp, &conf->bio_end_io_list);
- list_del_init(&conf->bio_end_io_list);
+ while (!list_empty(&conf->bio_end_io_list)) {
+ list_move(conf->bio_end_io_list.prev, &tmp);
+ conf->nr_queued--;
+ }
}
spin_unlock_irqrestore(&conf->device_lock, flags);
while (!list_empty(&tmp)) {

2016-04-26 23:17:06

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 046/115] USB: cdc-acm: more sanity checking

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream.

An attack has become available which pretends to be a quirky
device circumventing normal sanity checks and crashes the kernel
by an insufficient number of interfaces. This patch adds a check
to the code path for quirky devices.

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -926,6 +926,9 @@ static int acm_probe(struct usb_interfac
if (quirks == NO_UNION_NORMAL) {
data_interface = usb_ifnum_to_if(usb_dev, 1);
control_interface = usb_ifnum_to_if(usb_dev, 0);
+ /* we would crash */
+ if (!data_interface || !control_interface)
+ return -ENODEV;
goto skip_normal_probe;
}


2016-04-26 23:18:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 080/115] x86/mm/32: Enable full randomization on i386 and X86_32

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hector Marco-Gisbert <[email protected]>

commit 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb upstream.

Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
the stack and the executable are randomized but not other mmapped files
(libraries, vDSO, etc.). This patch enables randomization for the
libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.

By default on i386 there are 8 bits for the randomization of the libraries,
vDSO and mmaps which only uses 1MB of VA.

This patch preserves the original randomness, using 1MB of VA out of 3GB or
4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.

The first obvious security benefit is that all objects are randomized (not
only the stack and the executable) in legacy mode which highly increases
the ASLR effectiveness, otherwise the attackers may use these
non-randomized areas. But also sensitive setuid/setgid applications are
more secure because currently, attackers can disable the randomization of
these applications by setting the ulimit stack to "unlimited". This is a
very old and widely known trick to disable the ASLR in i386 which has been
allowed for too long.

Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
personality flag, but fortunately this doesn't work on setuid/setgid
applications because there is security checks which clear Security-relevant
flags.

This patch always randomizes the mmap_legacy_base address, removing the
possibility to disable the ASLR by setting the stack to "unlimited".

Signed-off-by: Hector Marco-Gisbert <[email protected]>
Acked-by: Ismael Ripoll Ripoll <[email protected]>
Acked-by: Kees Cook <[email protected]>
Acked-by: Arjan van de Ven <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Cc: kees Cook <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/mm/mmap.c | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)

--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned
}

/*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
- if (mmap_is_ia32())
- return TASK_UNMAPPED_BASE;
- else
- return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
* This function, called very early during the creation of a new
* process VM image, sets up which VM layout function to use:
*/
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_str
if (current->flags & PF_RANDOMIZE)
random_factor = mmap_rnd();

- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;

if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;

2016-04-26 23:18:42

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 061/115] usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <[email protected]>

commit 6490865c67825277b29638e839850882600b48ec upstream.

This patch adds a code to surely disable TX IRQ of the pipe before
starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
may happen in rare cases when DMAC is used.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/renesas_usbhs/fifo.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -932,6 +932,7 @@ static int usbhsf_dma_try_pop(struct usb

pkt->trans = len;

+ usbhsf_tx_irq_ctrl(pipe, 0);
tasklet_init(&fifo->tasklet,
usbhsf_dma_prepare_tasklet,
(unsigned long)pkt);

2016-04-26 23:18:51

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 056/115] MAINTAINERS: Update mailing list and web page for hwmon subsystem

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <[email protected]>

commit 968ce1b1f45a7d76b5471b19bd035dbecc72f32d upstream.

The old web page for the hwmon subsystem is no longer operational,
and the mailing list has become unreliable. Move both to kernel.org.

Reviewed-by: Jean Delvare <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
[bwh: Backported to 3.2: the set of hwmon drivers is different, so do a
search-and-replace for the same addresses]
Signed-off-by: Ben Hutchings <[email protected]>
---
MAINTAINERS | 96 ++++++++++++++++++++++++++++++-------------------------------
1 file changed, 48 insertions(+), 48 deletions(-)

--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -199,13 +199,13 @@ F: drivers/scsi/aacraid/

ABIT UGURU 1,2 HARDWARE MONITOR DRIVER
M: Hans de Goede <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/abituguru.c

ABIT UGURU 3 HARDWARE MONITOR DRIVER
M: Alistair John Strachan <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/abituguru3.c

@@ -322,14 +322,14 @@ S: Maintained

ADM1025 HARDWARE MONITOR DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/adm1025
F: drivers/hwmon/adm1025.c

ADM1029 HARDWARE MONITOR DRIVER
M: Corentin Labbe <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/adm1029.c

@@ -367,7 +367,7 @@ F: drivers/video/backlight/adp8860_bl.c

ADS1015 HARDWARE MONITOR DRIVER
M: Dirk Eibach <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/ads1015
F: drivers/hwmon/ads1015.c
@@ -380,7 +380,7 @@ F: drivers/macintosh/therm_adt746x.c

ADT7475 HARDWARE MONITOR DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/adt7475
F: drivers/hwmon/adt7475.c
@@ -485,7 +485,7 @@ F: include/linux/altera_jtaguart.h

AMD FAM15H PROCESSOR POWER MONITORING DRIVER
M: Andreas Herrmann <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/fam15h_power
F: drivers/hwmon/fam15h_power.c
@@ -572,7 +572,7 @@ F: drivers/input/mouse/bcm5974.c

APPLE SMC DRIVER
M: Henrik Rydberg <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/applesmc.c

@@ -1214,7 +1214,7 @@ F: arch/arm/mach-pxa/include/mach/z2.h

ASC7621 HARDWARE MONITOR DRIVER
M: George Joseph <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/asc7621
F: drivers/hwmon/asc7621.c
@@ -1230,7 +1230,7 @@ F: drivers/platform/x86/eeepc*.c

ASUS ASB100 HARDWARE MONITOR DRIVER
M: "Mark M. Hoffman" <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/asb100.c

@@ -1303,7 +1303,7 @@ F: drivers/net/wireless/ath/carl9170/

ATK0110 HWMON DRIVER
M: Luca Tettamanti <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/asus_atk0110.c

@@ -1937,7 +1937,7 @@ F: mm/*cgroup*

CORETEMP HARDWARE MONITORING DRIVER
M: Fenghua Yu <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/coretemp
F: drivers/hwmon/coretemp.c
@@ -2263,7 +2263,7 @@ T: git git://git.infradead.org/users/vko

DME1737 HARDWARE MONITOR DRIVER
M: Juerg Haefliger <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/dme1737
F: drivers/hwmon/dme1737.c
@@ -2632,7 +2632,7 @@ F: security/integrity/evm/

F71805F HARDWARE MONITORING DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/f71805f
F: drivers/hwmon/f71805f.c
@@ -2683,7 +2683,7 @@ F: fs/*

FINTEK F75375S HARDWARE MONITOR AND FAN CONTROLLER DRIVER
M: Riku Voipio <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/f75375s.c
F: include/linux/f75375s.h
@@ -3011,8 +3011,8 @@ F: drivers/tty/hvc/
HARDWARE MONITORING
M: Jean Delvare <[email protected]>
M: Guenter Roeck <[email protected]>
-L: [email protected]
-W: http://www.lm-sensors.org/
+L: [email protected]
+W: http://hwmon.wiki.kernel.org/
T: quilt kernel.org/pub/linux/kernel/people/jdelvare/linux-2.6/jdelvare-hwmon/
T: git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
S: Maintained
@@ -3656,7 +3656,7 @@ F: drivers/isdn/hardware/eicon/

IT87 HARDWARE MONITORING DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/it87
F: drivers/hwmon/it87.c
@@ -3674,7 +3674,7 @@ F: include/linux/ivtv*

JC42.4 TEMPERATURE SENSOR DRIVER
M: Guenter Roeck <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/jc42.c
F: Documentation/hwmon/jc42
@@ -3726,14 +3726,14 @@ F: drivers/tty/serial/jsm/

K10TEMP HARDWARE MONITORING DRIVER
M: Clemens Ladisch <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/k10temp
F: drivers/hwmon/k10temp.c

K8TEMP HARDWARE MONITORING DRIVER
M: Rudolf Marek <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/k8temp
F: drivers/hwmon/k8temp.c
@@ -4070,27 +4070,27 @@ F: net/llc/

LM73 HARDWARE MONITOR DRIVER
M: Guillaume Ligneul <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/lm73.c

LM78 HARDWARE MONITOR DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/lm78
F: drivers/hwmon/lm78.c

LM83 HARDWARE MONITOR DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/lm83
F: drivers/hwmon/lm83.c

LM90 HARDWARE MONITOR DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/lm90
F: drivers/hwmon/lm90.c
@@ -4137,7 +4137,7 @@ F: drivers/scsi/sym53c8xx_2/

LTC4261 HARDWARE MONITOR DRIVER
M: Guenter Roeck <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/ltc4261
F: drivers/hwmon/ltc4261.c
@@ -4258,14 +4258,14 @@ F: include/linux/matroxfb.h

MAX1668 TEMPERATURE SENSOR DRIVER
M: "David George" <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/max1668
F: drivers/hwmon/max1668.c

MAX6650 HARDWARE MONITOR AND FAN CONTROLLER DRIVER
M: "Hans J. Koch" <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/max6650
F: drivers/hwmon/max6650.c
@@ -4984,7 +4984,7 @@ F: drivers/parisc/

PC87360 HARDWARE MONITORING DRIVER
M: Jim Cromie <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/pc87360
F: drivers/hwmon/pc87360.c
@@ -4996,7 +4996,7 @@ F: drivers/char/pc8736x_gpio.c

PC87427 HARDWARE MONITORING DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/pc87427
F: drivers/hwmon/pc87427.c
@@ -5143,8 +5143,8 @@ F: drivers/rtc/rtc-puv3.c

PMBUS HARDWARE MONITORING DRIVERS
M: Guenter Roeck <[email protected]>
-L: [email protected]
-W: http://www.lm-sensors.org/
+L: [email protected]
+W: http://hwmon.wiki.kernel.org/
W: http://www.roeck-us.net/linux/drivers/
T: git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
S: Maintained
@@ -6014,28 +6014,28 @@ F: drivers/net/ethernet/smsc/smc91x.*

SMM665 HARDWARE MONITOR DRIVER
M: Guenter Roeck <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/smm665
F: drivers/hwmon/smm665.c

SMSC EMC2103 HARDWARE MONITOR DRIVER
M: Steve Glendinning <[email protected]>
-L: [email protected]
+L: [email protected]
S: Supported
F: Documentation/hwmon/emc2103
F: drivers/hwmon/emc2103.c

SMSC SCH5627 HARDWARE MONITOR DRIVER
M: Hans de Goede <[email protected]>
-L: [email protected]
+L: [email protected]
S: Supported
F: Documentation/hwmon/sch5627
F: drivers/hwmon/sch5627.c

SMSC47B397 HARDWARE MONITOR DRIVER
M: "Mark M. Hoffman" <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/smsc47b397
F: drivers/hwmon/smsc47b397.c
@@ -7212,14 +7212,14 @@ F: include/linux/regulator/

VT1211 HARDWARE MONITOR DRIVER
M: Juerg Haefliger <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/vt1211
F: drivers/hwmon/vt1211.c

VT8231 HARDWARE MONITOR DRIVER
M: Roger Lucas <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/vt8231.c

@@ -7238,21 +7238,21 @@ F: drivers/w1/

W83791D HARDWARE MONITORING DRIVER
M: Marc Hulsman <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/w83791d
F: drivers/hwmon/w83791d.c

W83793 HARDWARE MONITORING DRIVER
M: Rudolf Marek <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: Documentation/hwmon/w83793
F: drivers/hwmon/w83793.c

W83795 HARDWARE MONITORING DRIVER
M: Jean Delvare <[email protected]>
-L: [email protected]
+L: [email protected]
S: Maintained
F: drivers/hwmon/w83795.c


2016-04-26 23:19:34

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 044/115] USB: iowarrior: fix oops with malicious USB descriptors

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Josh Boyer <[email protected]>

commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.

The iowarrior driver expects at least one valid endpoint. If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function. Ensure there is at least
one endpoint on the interface before using it.

The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87

Reported-by: Ralf Spenneberg <[email protected]>
Signed-off-by: Josh Boyer <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/misc/iowarrior.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -792,6 +792,12 @@ static int iowarrior_probe(struct usb_in
iface_desc = interface->cur_altsetting;
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);

+ if (iface_desc->desc.bNumEndpoints < 1) {
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
+ retval = -EINVAL;
+ goto error;
+ }
+
/* set up the endpoint information */
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;

2016-04-26 23:19:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 068/115] KVM: x86: Inject pending interrupt even if pending nmi exist

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yuki Shibuya <[email protected]>

commit 321c5658c5e9192dea0d58ab67cf1791e45b2b26 upstream.

Non maskable interrupts (NMI) are preferred to interrupts in current
implementation. If a NMI is pending and NMI is blocked by the result
of nmi_allowed(), pending interrupt is not injected and
enable_irq_window() is not executed, even if interrupts injection is
allowed.

In old kernel (e.g. 2.6.32), schedule() is often called in NMI context.
In this case, interrupts are needed to execute iret that intends end
of NMI. The flag of blocking new NMI is not cleared until the guest
execute the iret, and interrupts are blocked by pending NMI. Due to
this, iret can't be invoked in the guest, and the guest is starved
until block is cleared by some events (e.g. canceling injection).

This patch injects pending interrupts, when it's allowed, even if NMI
is blocked. And, If an interrupts is pending after executing
inject_pending_event(), enable_irq_window() is executed regardless of
NMI pending counter.

Signed-off-by: Yuki Shibuya <[email protected]>
Suggested-by: Paolo Bonzini <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
[bwh: Backported to 3.2:
- vcpu_enter_guest() is simpler because inject_pending_event() can't fail
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5634,12 +5634,10 @@ static void inject_pending_event(struct
}

/* try to inject new event if pending */
- if (vcpu->arch.nmi_pending) {
- if (kvm_x86_ops->nmi_allowed(vcpu)) {
- --vcpu->arch.nmi_pending;
- vcpu->arch.nmi_injected = true;
- kvm_x86_ops->set_nmi(vcpu);
- }
+ if (vcpu->arch.nmi_pending && kvm_x86_ops->nmi_allowed(vcpu)) {
+ --vcpu->arch.nmi_pending;
+ vcpu->arch.nmi_injected = true;
+ kvm_x86_ops->set_nmi(vcpu);
} else if (kvm_cpu_has_interrupt(vcpu)) {
if (kvm_x86_ops->interrupt_allowed(vcpu)) {
kvm_queue_interrupt(vcpu, kvm_cpu_get_interrupt(vcpu),
@@ -5742,7 +5740,7 @@ static int vcpu_enter_guest(struct kvm_v
/* enable NMI/IRQ window open exits if needed */
if (vcpu->arch.nmi_pending)
kvm_x86_ops->enable_nmi_window(vcpu);
- else if (kvm_cpu_has_interrupt(vcpu) || req_int_win)
+ if (kvm_cpu_has_interrupt(vcpu) || req_int_win)
kvm_x86_ops->enable_irq_window(vcpu);

if (kvm_lapic_enabled(vcpu)) {

2016-04-26 23:19:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 024/115] be2iscsi: set the boot_kset pointer to NULL in case of failure

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Maurizio Lombardi <[email protected]>

commit 84bd64993f916bcf86270c67686ecf4cea7b8933 upstream.

In beiscsi_setup_boot_info(), the boot_kset pointer should be set to
NULL in case of failure otherwise an invalid pointer dereference may
occur later.

Signed-off-by: Maurizio Lombardi <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Reviewed-by: Jitendra Bhivare <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/be2iscsi/be_main.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -3607,6 +3607,7 @@ put_shost:
scsi_host_put(phba->shost);
free_kset:
iscsi_boot_destroy_kset(phba->boot_kset);
+ phba->boot_kset = NULL;
return -ENOMEM;
}


2016-04-26 23:20:00

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 108/115] farsync: fix off-by-one bug in fst_add_one

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

[ Upstream commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 ]

gcc-6 finds an out of bounds access in the fst_add_one function
when calculating the end of the mmio area:

drivers/net/wan/farsync.c: In function 'fst_add_one':
drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
#define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
^
include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
__builtin_offsetof(a, b)
^
drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
#define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
^~~~~~~~
drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
+ BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
^~~~~~~~~~

The warning is correct, but not critical because this appears
to be a write-only variable that is set by each WAN driver but
never accessed afterwards.

I'm taking the minimal fix here, using the correct pointer by
pointing 'mem_end' to the last byte inside of the register area
as all other WAN drivers do, rather than the first byte outside of
it. An alternative would be to just remove the mem_end member
entirely.

Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wan/farsync.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -2546,7 +2546,7 @@ fst_add_one(struct pci_dev *pdev, const
dev->mem_start = card->phys_mem
+ BUF_OFFSET ( txBuffer[i][0][0]);
dev->mem_end = card->phys_mem
- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
+ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]);
dev->base_addr = card->pci_conf;
dev->irq = card->irq;


2016-04-26 23:20:06

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 042/115] raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Shaohua Li <[email protected]>

commit 23ddba80ebe836476bb2fa1f5ef305dd1c63dc0b upstream.

This is the raid10 counterpart of the bug fixed by Nate
(raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang)

Fixes: 95af587e95(md/raid10: ensure device failure recorded before write request returns)
Cc: Nate Dailey <[email protected]>
Signed-off-by: Shaohua Li <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/raid10.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2241,6 +2241,7 @@ static void handle_write_completed(struc
if (fail) {
spin_lock_irq(&conf->device_lock);
list_add(&r10_bio->retry_list, &conf->bio_end_io_list);
+ conf->nr_queued++;
spin_unlock_irq(&conf->device_lock);
md_wakeup_thread(conf->mddev->thread);
} else {
@@ -2267,8 +2268,10 @@ static void raid10d(struct mddev *mddev)
LIST_HEAD(tmp);
spin_lock_irqsave(&conf->device_lock, flags);
if (!test_bit(MD_CHANGE_PENDING, &mddev->flags)) {
- list_add(&tmp, &conf->bio_end_io_list);
- list_del_init(&conf->bio_end_io_list);
+ while (!list_empty(&conf->bio_end_io_list)) {
+ list_move(conf->bio_end_io_list.prev, &tmp);
+ conf->nr_queued--;
+ }
}
spin_unlock_irqrestore(&conf->device_lock, flags);
while (!list_empty(&tmp)) {

2016-04-26 23:20:11

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 037/115] nfsd: fix deadlock secinfo+readdir compound

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <[email protected]>

commit 2f6fc056e899bd0144a08da5cacaecbe8997cd74 upstream.

nfsd_lookup_dentry exits with the parent filehandle locked. fh_put also
unlocks if necessary (nfsd filehandle locking is probably too lenient),
so it gets unlocked eventually, but if the following op in the compound
needs to lock it again, we can deadlock.

A fuzzer ran into this; normal clients don't send a secinfo followed by
a readdir in the same compound.

Signed-off-by: J. Bruce Fields <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfsd/nfs4proc.c | 1 +
1 file changed, 1 insertion(+)

--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -791,6 +791,7 @@ nfsd4_secinfo(struct svc_rqst *rqstp, st
&exp, &dentry);
if (err)
return err;
+ fh_unlock(&cstate->current_fh);
if (dentry->d_inode == NULL) {
exp_put(exp);
err = nfserr_noent;

2016-04-26 23:20:16

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 021/115] sched/cputime: Fix steal time accounting vs. CPU hotplug

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <[email protected]>

commit e9532e69b8d1d1284e8ecf8d2586de34aec61244 upstream.

On CPU hotplug the steal time accounting can keep a stale rq->prev_steal_time
value over CPU down and up. So after the CPU comes up again the delta
calculation in steal_account_process_tick() wreckages itself due to the
unsigned math:

u64 steal = paravirt_steal_clock(smp_processor_id());

steal -= this_rq()->prev_steal_time;

So if steal is smaller than rq->prev_steal_time we end up with an insane large
value which then gets added to rq->prev_steal_time, resulting in a permanent
wreckage of the accounting. As a consequence the per CPU stats in /proc/stat
become stale.

Nice trick to tell the world how idle the system is (100%) while the CPU is
100% busy running tasks. Though we prefer realistic numbers.

None of the accounting values which use a previous value to account for
fractions is reset at CPU hotplug time. update_rq_clock_task() has a sanity
check for prev_irq_time and prev_steal_time_rq, but that sanity check solely
deals with clock warps and limits the /proc/stat visible wreckage. The
prev_time values are still wrong.

Solution is simple: Reset rq->prev_*_time when the CPU is plugged in again.

Signed-off-by: Thomas Gleixner <[email protected]>
Acked-by: Rik van Riel <[email protected]>
Cc: Frederic Weisbecker <[email protected]>
Cc: Glauber Costa <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Fixes: commit 095c0aa83e52 "sched: adjust scheduler cpu power for stolen time"
Fixes: commit aa483808516c "sched: Remove irq time from available CPU power"
Fixes: commit e6e6685accfa "KVM guest: Steal time accounting"
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1603041539490.3686@nanos
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.2: adjust filenames]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -2084,6 +2084,19 @@ EXPORT_SYMBOL_GPL(account_system_vtime);

#endif /* CONFIG_IRQ_TIME_ACCOUNTING */

+static inline void account_reset_rq(struct rq *rq)
+{
+#ifdef CONFIG_IRQ_TIME_ACCOUNTING
+ rq->prev_irq_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT
+ rq->prev_steal_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
+ rq->prev_steal_time_rq = 0;
+#endif
+}
+
#ifdef CONFIG_PARAVIRT
static inline u64 steal_ticks(u64 steal)
{
@@ -6851,6 +6864,7 @@ migration_call(struct notifier_block *nf

case CPU_UP_PREPARE:
rq->calc_load_update = calc_load_update;
+ account_reset_rq(rq);
break;

case CPU_ONLINE:

2016-04-26 23:20:38

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 029/115] dm snapshot: disallow the COW and origin devices from being identical

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: DingXiang <[email protected]>

commit 4df2bf466a9c9c92f40d27c4aa9120f4e8227bfc upstream.

Otherwise loading a "snapshot" table using the same device for the
origin and COW devices, e.g.:

echo "0 20971520 snapshot 253:3 253:3 P 8" | dmsetup create snap

will trigger:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[ 1958.979934] IP: [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1958.989655] PGD 0
[ 1958.991903] Oops: 0000 [#1] SMP
...
[ 1959.059647] CPU: 9 PID: 3556 Comm: dmsetup Tainted: G IO 4.5.0-rc5.snitm+ #150
...
[ 1959.083517] task: ffff8800b9660c80 ti: ffff88032a954000 task.ti: ffff88032a954000
[ 1959.091865] RIP: 0010:[<ffffffffa040efba>] [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1959.104295] RSP: 0018:ffff88032a957b30 EFLAGS: 00010246
[ 1959.110219] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
[ 1959.118180] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff880329334a00
[ 1959.126141] RBP: ffff88032a957b50 R08: 0000000000000000 R09: 0000000000000001
[ 1959.134102] R10: 000000000000000a R11: f000000000000000 R12: ffff880330884d80
[ 1959.142061] R13: 0000000000000008 R14: ffffc90001c13088 R15: ffff880330884d80
[ 1959.150021] FS: 00007f8926ba3840(0000) GS:ffff880333440000(0000) knlGS:0000000000000000
[ 1959.159047] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1959.165456] CR2: 0000000000000098 CR3: 000000032f48b000 CR4: 00000000000006e0
[ 1959.173415] Stack:
[ 1959.175656] ffffc90001c13040 ffff880329334a00 ffff880330884ed0 ffff88032a957bdc
[ 1959.183946] ffff88032a957bb8 ffffffffa040f225 ffff880329334a30 ffff880300000000
[ 1959.192233] ffffffffa04133e0 ffff880329334b30 0000000830884d58 00000000569c58cf
[ 1959.200521] Call Trace:
[ 1959.203248] [<ffffffffa040f225>] dm_exception_store_create+0x1d5/0x240 [dm_snapshot]
[ 1959.211986] [<ffffffffa040d310>] snapshot_ctr+0x140/0x630 [dm_snapshot]
[ 1959.219469] [<ffffffffa0005c44>] ? dm_split_args+0x64/0x150 [dm_mod]
[ 1959.226656] [<ffffffffa0005ea7>] dm_table_add_target+0x177/0x440 [dm_mod]
[ 1959.234328] [<ffffffffa0009203>] table_load+0x143/0x370 [dm_mod]
[ 1959.241129] [<ffffffffa00090c0>] ? retrieve_status+0x1b0/0x1b0 [dm_mod]
[ 1959.248607] [<ffffffffa0009e35>] ctl_ioctl+0x255/0x4d0 [dm_mod]
[ 1959.255307] [<ffffffff813304e2>] ? memzero_explicit+0x12/0x20
[ 1959.261816] [<ffffffffa000a0c3>] dm_ctl_ioctl+0x13/0x20 [dm_mod]
[ 1959.268615] [<ffffffff81215eb6>] do_vfs_ioctl+0xa6/0x5c0
[ 1959.274637] [<ffffffff81120d2f>] ? __audit_syscall_entry+0xaf/0x100
[ 1959.281726] [<ffffffff81003176>] ? do_audit_syscall_entry+0x66/0x70
[ 1959.288814] [<ffffffff81216449>] SyS_ioctl+0x79/0x90
[ 1959.294450] [<ffffffff8167e4ae>] entry_SYSCALL_64_fastpath+0x12/0x71
...
[ 1959.323277] RIP [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1959.333090] RSP <ffff88032a957b30>
[ 1959.336978] CR2: 0000000000000098
[ 1959.344121] ---[ end trace b049991ccad1169e ]---

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1195899
Signed-off-by: Ding Xiang <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
[bwh: Backported to 3.2: the device path parsing code is rather different,
but move it into dm_get_dev_t() anyway]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -1055,6 +1055,7 @@ static int snapshot_ctr(struct dm_target
int i;
int r = -EINVAL;
char *origin_path, *cow_path;
+ dev_t origin_dev, cow_dev;
unsigned args_used, num_flush_requests = 1;
fmode_t origin_mode = FMODE_READ;

@@ -1085,11 +1086,19 @@ static int snapshot_ctr(struct dm_target
ti->error = "Cannot get origin device";
goto bad_origin;
}
+ origin_dev = s->origin->bdev->bd_dev;

cow_path = argv[0];
argv++;
argc--;

+ cow_dev = dm_get_dev_t(cow_path);
+ if (cow_dev && cow_dev == origin_dev) {
+ ti->error = "COW device cannot be the same as origin device";
+ r = -EINVAL;
+ goto bad_cow;
+ }
+
r = dm_get_device(ti, cow_path, dm_table_get_mode(ti->table), &s->cow);
if (r) {
ti->error = "Cannot get COW device";
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -458,35 +458,50 @@ static int upgrade_mode(struct dm_dev_in
}

/*
- * Add a device to the list, or just increment the usage count if
- * it's already present.
+ * Convert the path to a device
*/
-int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode,
- struct dm_dev **result)
+dev_t dm_get_dev_t(const char *path)
{
- int r;
dev_t uninitialized_var(dev);
- struct dm_dev_internal *dd;
unsigned int major, minor;
- struct dm_table *t = ti->table;
-
- BUG_ON(!t);

if (sscanf(path, "%u:%u", &major, &minor) == 2) {
/* Extract the major/minor numbers */
dev = MKDEV(major, minor);
if (MAJOR(dev) != major || MINOR(dev) != minor)
- return -EOVERFLOW;
+ return 0;
} else {
/* convert the path to a device */
struct block_device *bdev = lookup_bdev(path);

if (IS_ERR(bdev))
- return PTR_ERR(bdev);
+ return 0;
dev = bdev->bd_dev;
bdput(bdev);
}

+ return dev;
+}
+EXPORT_SYMBOL_GPL(dm_get_dev_t);
+
+/*
+ * Add a device to the list, or just increment the usage count if
+ * it's already present.
+ */
+int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode,
+ struct dm_dev **result)
+{
+ int r;
+ dev_t dev;
+ struct dm_dev_internal *dd;
+ struct dm_table *t = ti->table;
+
+ BUG_ON(!t);
+
+ dev = dm_get_dev_t(path);
+ if (!dev)
+ return -ENODEV;
+
dd = find_device(&t->devices, dev);
if (!dd) {
dd = kmalloc(sizeof(*dd), GFP_KERNEL);
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -116,6 +116,8 @@ struct dm_dev {
char name[16];
};

+dev_t dm_get_dev_t(const char *path);
+
/*
* Constructors should call these functions to ensure destination devices
* are opened/closed correctly.

2016-04-26 23:20:49

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 083/115] ipv4: Don't do expensive useless work during inetdev destroy.

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <[email protected]>

commit fbd40ea0180a2d328c5adc61414dc8bab9335ce2 upstream.

When an inetdev is destroyed, every address assigned to the interface
is removed. And in this scenerio we do two pointless things which can
be very expensive if the number of assigned interfaces is large:

1) Address promotion. We are deleting all addresses, so there is no
point in doing this.

2) A full nf conntrack table purge for every address. We only need to
do this once, as is already caught by the existing
masq_dev_notifier so masq_inet_event() can skip this.

Reported-by: Solar Designer <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Tested-by: Cyrill Gorcunov <[email protected]>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/devinet.c | 4 ++++
net/ipv4/fib_frontend.c | 4 ++++
net/ipv4/netfilter/ipt_MASQUERADE.c | 12 ++++++++++--
3 files changed, 18 insertions(+), 2 deletions(-)

--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -326,6 +326,9 @@ static void __inet_del_ifa(struct in_dev

ASSERT_RTNL();

+ if (in_dev->dead)
+ goto no_promotions;
+
/* 1. Deleting primary ifaddr forces deletion all secondaries
* unless alias promotion is set
**/
@@ -372,6 +375,7 @@ static void __inet_del_ifa(struct in_dev
fib_del_ifaddr(ifa, ifa1);
}

+no_promotions:
/* 2. Unlink it */

*ifap = ifa1->ifa_next;
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -764,6 +764,9 @@ void fib_del_ifaddr(struct in_ifaddr *if
subnet = 1;
}

+ if (in_dev->dead)
+ goto no_promotions;
+
/* Deletion is more complicated than add.
* We should take care of not to delete too much :-)
*
@@ -839,6 +842,7 @@ void fib_del_ifaddr(struct in_ifaddr *if
}
}

+no_promotions:
if (!(ok & BRD_OK))
fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
if (subnet && ifa->ifa_prefixlen < 31) {
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -123,8 +123,16 @@ static int masq_inet_event(struct notifi
unsigned long event,
void *ptr)
{
- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
- return masq_device_event(this, event, dev);
+ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
+ /* The masq_dev_notifier will catch the case of the device going
+ * down. So if the inetdev is dead and being destroyed we have
+ * no work to do. Otherwise this is an individual address removal
+ * and we have to perform the flush.
+ */
+ if (idev->dead)
+ return NOTIFY_DONE;
+
+ return masq_device_event(this, event, idev->dev);
}

static struct notifier_block masq_dev_notifier = {

2016-04-26 23:21:05

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 035/115] ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 0f886ca12765d20124bd06291c82951fd49a33be upstream.

create_fixed_stream_quirk() may cause a NULL-pointer dereference by
accessing the non-existing endpoint when a USB device with a malformed
USB descriptor is used.

This patch avoids it simply by adding a sanity check of bNumEndpoints
before the accesses.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.2:
- There's no altsd variable
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/usb/quirks.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -165,6 +165,12 @@ static int create_fixed_stream_quirk(str
return -EINVAL;
}
alts = &iface->altsetting[fp->altset_idx];
+ if (get_iface_desc(alts)->bNumEndpoints < 1) {
+ kfree(fp);
+ kfree(rate_table);
+ return -EINVAL;
+ }
+
fp->datainterval = snd_usb_parse_datainterval(chip, alts);
fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
usb_set_interface(chip->dev, fp->iface, 0);

2016-04-26 23:21:13

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 072/115] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Josh Boyer <[email protected]>

commit ea6db90e750328068837bed34cb1302b7a177339 upstream.

A Fedora user reports that the ftdi_sio driver works properly for the
ICP DAS I-7561U device. Further, the user manual for these devices
instructs users to load the driver and add the ids using the sysfs
interface.

Add support for these in the driver directly so that the devices work
out of the box instead of needing manual configuration.

Reported-by: <[email protected]>
Signed-off-by: Josh Boyer <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 4 ++++
drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
2 files changed, 12 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1026,6 +1026,10 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
+ /* ICP DAS I-756xU devices */
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
{ }, /* Optional parameter entry */
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -866,6 +866,14 @@
#define NOVITUS_BONO_E_PID 0x6010

/*
+ * ICPDAS I-756*U devices
+ */
+#define ICPDAS_VID 0x1b5c
+#define ICPDAS_I7560U_PID 0x0103
+#define ICPDAS_I7561U_PID 0x0104
+#define ICPDAS_I7563U_PID 0x0105
+
+/*
* RT Systems programming cables for various ham radios
*/
#define RTSYSTEMS_VID 0x2100 /* Vendor ID */

2016-04-26 23:21:19

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 075/115] parisc: Fix kernel crash with reversed copy_from_user()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <[email protected]>

commit ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 upstream.

The kernel module testcase (lib/test_user_copy.c) exhibited a kernel
crash on parisc if the parameters for copy_from_user were reversed
("illegal reversed copy_to_user" testcase).

Fix this potential crash by checking the fault handler if the faulting
address is in the exception table.

Signed-off-by: Helge Deller <[email protected]>
Cc: Kees Cook <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/parisc/kernel/traps.c | 3 +++
1 file changed, 3 insertions(+)

--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -817,6 +817,9 @@ void notrace handle_interruption(int cod

if (fault_space == 0 && !in_atomic())
{
+ /* Clean up and return if in exception table. */
+ if (fixup_exception(regs))
+ return;
pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC);
parisc_terminate("Kernel Fault", regs, code, fault_address);
}

2016-04-26 23:21:30

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 098/115] sctp: Fix port hash table size computation

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Neil Horman <[email protected]>

[ Upstream commit d9749fb5942f51555dc9ce1ac0dbb1806960a975 ]

Dmitry Vyukov noted recently that the sctp_port_hashtable had an error in
its size computation, observing that the current method never guaranteed
that the hashsize (measured in number of entries) would be a power of two,
which the input hash function for that table requires. The root cause of
the problem is that two values need to be computed (one, the allocation
order of the storage requries, as passed to __get_free_pages, and two the
number of entries for the hash table). Both need to be ^2, but for
different reasons, and the existing code is simply computing one order
value, and using it as the basis for both, which is wrong (i.e. it assumes
that ((1<<order)*PAGE_SIZE)/sizeof(bucket) is still ^2 when its not).

To fix this, we change the logic slightly. We start by computing a goal
allocation order (which is limited by the maximum size hash table we want
to support. Then we attempt to allocate that size table, decreasing the
order until a successful allocation is made. Then, with the resultant
successful order we compute the number of buckets that hash table supports,
which we then round down to the nearest power of two, giving us the number
of entries the table actually supports.

I've tested this locally here, using non-debug and spinlock-debug kernels,
and the number of entries in the hashtable consistently work out to be
powers of two in all cases.

Signed-off-by: Neil Horman <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
CC: Dmitry Vyukov <[email protected]>
CC: Vladislav Yasevich <[email protected]>
CC: "David S. Miller" <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/sctp/protocol.c | 47 ++++++++++++++++++++++++++++++++++++++---------
1 file changed, 38 insertions(+), 9 deletions(-)

--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -67,6 +67,8 @@
#include <net/inet_common.h>
#include <net/inet_ecn.h>

+#define MAX_SCTP_PORT_HASH_ENTRIES (64 * 1024)
+
/* Global data structures. */
struct sctp_globals sctp_globals __read_mostly;
DEFINE_SNMP_STAT(struct sctp_mib, sctp_statistics) __read_mostly;
@@ -1206,6 +1208,8 @@ SCTP_STATIC __init int sctp_init(void)
unsigned long limit;
int max_share;
int order;
+ int num_entries;
+ int max_entry_order;

/* SCTP_DEBUG sanity check. */
if (!sctp_sanity_check())
@@ -1316,14 +1320,24 @@ SCTP_STATIC __init int sctp_init(void)

/* Size and allocate the association hash table.
* The methodology is similar to that of the tcp hash tables.
+ * Though not identical. Start by getting a goal size
*/
if (totalram_pages >= (128 * 1024))
goal = totalram_pages >> (22 - PAGE_SHIFT);
else
goal = totalram_pages >> (24 - PAGE_SHIFT);

- for (order = 0; (1UL << order) < goal; order++)
- ;
+ /* Then compute the page order for said goal */
+ order = get_order(goal);
+
+ /* Now compute the required page order for the maximum sized table we
+ * want to create
+ */
+ max_entry_order = get_order(MAX_SCTP_PORT_HASH_ENTRIES *
+ sizeof(struct sctp_bind_hashbucket));
+
+ /* Limit the page order by that maximum hash table size */
+ order = min(order, max_entry_order);

do {
sctp_assoc_hashsize = (1UL << order) * PAGE_SIZE /
@@ -1357,27 +1371,42 @@ SCTP_STATIC __init int sctp_init(void)
INIT_HLIST_HEAD(&sctp_ep_hashtable[i].chain);
}

- /* Allocate and initialize the SCTP port hash table. */
+ /* Allocate and initialize the SCTP port hash table.
+ * Note that order is initalized to start at the max sized
+ * table we want to support. If we can't get that many pages
+ * reduce the order and try again
+ */
do {
- sctp_port_hashsize = (1UL << order) * PAGE_SIZE /
- sizeof(struct sctp_bind_hashbucket);
- if ((sctp_port_hashsize > (64 * 1024)) && order > 0)
- continue;
sctp_port_hashtable = (struct sctp_bind_hashbucket *)
__get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order);
} while (!sctp_port_hashtable && --order > 0);
+
if (!sctp_port_hashtable) {
pr_err("Failed bind hash alloc\n");
status = -ENOMEM;
goto err_bhash_alloc;
}
+
+ /* Now compute the number of entries that will fit in the
+ * port hash space we allocated
+ */
+ num_entries = (1UL << order) * PAGE_SIZE /
+ sizeof(struct sctp_bind_hashbucket);
+
+ /* And finish by rounding it down to the nearest power of two
+ * this wastes some memory of course, but its needed because
+ * the hash function operates based on the assumption that
+ * that the number of entries is a power of two
+ */
+ sctp_port_hashsize = rounddown_pow_of_two(num_entries);
+
for (i = 0; i < sctp_port_hashsize; i++) {
spin_lock_init(&sctp_port_hashtable[i].lock);
INIT_HLIST_HEAD(&sctp_port_hashtable[i].chain);
}

- pr_info("Hash tables configured (established %d bind %d)\n",
- sctp_assoc_hashsize, sctp_port_hashsize);
+ pr_info("Hash tables configured (established %d bind %d/%d)\n",
+ sctp_assoc_hashsize, sctp_port_hashsize, num_entries);

/* Disable ADDIP by default. */
sctp_addip_enable = 0;

2016-04-26 23:21:36

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 038/115] ppp: ensure file->private_data can't be overridden

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <[email protected]>

commit e8e56ffd9d2973398b60ece1f1bebb8d67b4d032 upstream.

Locking ppp_mutex must be done before dereferencing file->private_data,
otherwise it could be modified before ppp_unattached_ioctl() takes the
lock. This could lead ppp_unattached_ioctl() to override ->private_data,
thus leaking reference to the ppp_file previously pointed to.

v2: lock all ppp_ioctl() instead of just checking private_data in
ppp_unattached_ioctl(), to avoid ambiguous behaviour.

Fixes: f3ff8a4d80e8 ("ppp: push BKL down into the driver")
Signed-off-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ppp/ppp_generic.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)

--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -555,7 +555,7 @@ static int get_filter(void __user *arg,

static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
- struct ppp_file *pf = file->private_data;
+ struct ppp_file *pf;
struct ppp *ppp;
int err = -EFAULT, val, val2, i;
struct ppp_idle idle;
@@ -565,9 +565,14 @@ static long ppp_ioctl(struct file *file,
void __user *argp = (void __user *)arg;
int __user *p = argp;

- if (!pf)
- return ppp_unattached_ioctl(current->nsproxy->net_ns,
- pf, file, cmd, arg);
+ mutex_lock(&ppp_mutex);
+
+ pf = file->private_data;
+ if (!pf) {
+ err = ppp_unattached_ioctl(current->nsproxy->net_ns,
+ pf, file, cmd, arg);
+ goto out;
+ }

if (cmd == PPPIOCDETACH) {
/*
@@ -582,7 +587,6 @@ static long ppp_ioctl(struct file *file,
* this fd and reopening /dev/ppp.
*/
err = -EINVAL;
- mutex_lock(&ppp_mutex);
if (pf->kind == INTERFACE) {
ppp = PF_TO_PPP(pf);
if (file == ppp->owner)
@@ -594,15 +598,13 @@ static long ppp_ioctl(struct file *file,
} else
pr_warn("PPPIOCDETACH file->f_count=%ld\n",
atomic_long_read(&file->f_count));
- mutex_unlock(&ppp_mutex);
- return err;
+ goto out;
}

if (pf->kind == CHANNEL) {
struct channel *pch;
struct ppp_channel *chan;

- mutex_lock(&ppp_mutex);
pch = PF_TO_CHANNEL(pf);

switch (cmd) {
@@ -624,17 +626,16 @@ static long ppp_ioctl(struct file *file,
err = chan->ops->ioctl(chan, cmd, arg);
up_read(&pch->chan_sem);
}
- mutex_unlock(&ppp_mutex);
- return err;
+ goto out;
}

if (pf->kind != INTERFACE) {
/* can't happen */
pr_err("PPP: not interface or channel??\n");
- return -EINVAL;
+ err = -EINVAL;
+ goto out;
}

- mutex_lock(&ppp_mutex);
ppp = PF_TO_PPP(pf);
switch (cmd) {
case PPPIOCSMRU:
@@ -781,7 +782,10 @@ static long ppp_ioctl(struct file *file,
default:
err = -ENOTTY;
}
+
+out:
mutex_unlock(&ppp_mutex);
+
return err;
}

@@ -794,7 +798,6 @@ static int ppp_unattached_ioctl(struct n
struct ppp_net *pn;
int __user *p = (int __user *)arg;

- mutex_lock(&ppp_mutex);
switch (cmd) {
case PPPIOCNEWUNIT:
/* Create a new ppp unit */
@@ -845,7 +848,7 @@ static int ppp_unattached_ioctl(struct n
default:
err = -ENOTTY;
}
- mutex_unlock(&ppp_mutex);
+
return err;
}


2016-04-26 23:21:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 079/115] x86: standardize mmap_rnd() usage

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <[email protected]>

commit 82168140bc4cec7ec9bad39705518541149ff8b7 upstream.

In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm, and extracts the checking of
PF_RANDOMIZE.

Signed-off-by: Kees Cook <[email protected]>
Reviewed-by: Ingo Molnar <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/mm/mmap.c | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)

--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -67,22 +67,21 @@ static int mmap_is_legacy(void)

static unsigned long mmap_rnd(void)
{
- unsigned long rnd = 0;
+ unsigned long rnd;

/*
- * 8 bits of randomness in 32bit mmaps, 20 address space bits
- * 28 bits of randomness in 64bit mmaps, 40 address space bits
- */
- if (current->flags & PF_RANDOMIZE) {
- if (mmap_is_ia32())
- rnd = get_random_int() % (1<<8);
- else
- rnd = get_random_int() % (1<<28);
- }
+ * 8 bits of randomness in 32bit mmaps, 20 address space bits
+ * 28 bits of randomness in 64bit mmaps, 40 address space bits
+ */
+ if (mmap_is_ia32())
+ rnd = (unsigned long)get_random_int() % (1<<8);
+ else
+ rnd = (unsigned long)get_random_int() % (1<<28);
+
return rnd << PAGE_SHIFT;
}

-static unsigned long mmap_base(void)
+static unsigned long mmap_base(unsigned long rnd)
{
unsigned long gap = rlimit(RLIMIT_STACK);

@@ -91,19 +90,19 @@ static unsigned long mmap_base(void)
else if (gap > MAX_GAP)
gap = MAX_GAP;

- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
+ return PAGE_ALIGN(TASK_SIZE - gap - rnd);
}

/*
* Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
* does, but not when emulating X86_32
*/
-static unsigned long mmap_legacy_base(void)
+static unsigned long mmap_legacy_base(unsigned long rnd)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
else
- return TASK_UNMAPPED_BASE + mmap_rnd();
+ return TASK_UNMAPPED_BASE + rnd;
}

/*
@@ -112,14 +111,19 @@ static unsigned long mmap_legacy_base(vo
*/
void arch_pick_mmap_layout(struct mm_struct *mm)
{
- mm->mmap_legacy_base = mmap_legacy_base();
- mm->mmap_base = mmap_base();
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+ random_factor = mmap_rnd();
+
+ mm->mmap_legacy_base = mmap_legacy_base(random_factor);

if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;
mm->get_unmapped_area = arch_get_unmapped_area;
mm->unmap_area = arch_unmap_area;
} else {
+ mm->mmap_base = mmap_base(random_factor);
mm->get_unmapped_area = arch_get_unmapped_area_topdown;
mm->unmap_area = arch_unmap_area_topdown;
}

2016-04-26 23:22:13

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 082/115] USB: usbip: fix potential out-of-bounds write

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ignat Korchagin <[email protected]>

commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.

Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.

Signed-off-by: Ignat Korchagin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/usbip/usbip_common.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/drivers/staging/usbip/usbip_common.c
+++ b/drivers/staging/usbip/usbip_common.c
@@ -820,6 +820,17 @@ int usbip_recv_xbuff(struct usbip_device
if (!(size > 0))
return 0;

+ if (size > urb->transfer_buffer_length) {
+ /* should not happen, probably malicious packet */
+ if (ud->side == USBIP_STUB) {
+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
+ return 0;
+ } else {
+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
+ return -EPIPE;
+ }
+ }
+
ret = usbip_xmit(0, ud->tcp_socket, (char *)urb->transfer_buffer,
size, 0);
if (ret != size) {

2016-04-26 23:22:28

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 077/115] netfilter: x_tables: validate e->target_offset early

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal <[email protected]>

commit bdf533de6968e9686df777dc178486f600c6e617 upstream.

We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.

Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/netfilter/arp_tables.c | 17 ++++++++---------
net/ipv4/netfilter/ip_tables.c | 17 ++++++++---------
net/ipv6/netfilter/ip6_tables.c | 17 ++++++++---------
3 files changed, 24 insertions(+), 27 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -465,14 +465,12 @@ static int mark_source_chains(const stru
return 1;
}

-static inline int check_entry(const struct arpt_entry *e, const char *name)
+static inline int check_entry(const struct arpt_entry *e)
{
const struct xt_entry_target *t;

- if (!arp_checkentry(&e->arp)) {
- duprintf("arp_tables: arp check failed %p %s.\n", e, name);
+ if (!arp_checkentry(&e->arp))
return -EINVAL;
- }

if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
return -EINVAL;
@@ -513,10 +511,6 @@ find_check_entry(struct arpt_entry *e, c
struct xt_target *target;
int ret;

- ret = check_entry(e, name);
- if (ret)
- return ret;
-
t = arpt_get_target(e);
target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
t->u.user.revision);
@@ -561,6 +555,7 @@ static inline int check_entry_size_and_h
unsigned int valid_hooks)
{
unsigned int h;
+ int err;

if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
(unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
@@ -575,6 +570,10 @@ static inline int check_entry_size_and_h
return -EINVAL;
}

+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1232,7 +1231,7 @@ check_compat_entry_size_and_hooks(struct
}

/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct arpt_entry *)e, name);
+ ret = check_entry((struct arpt_entry *)e);
if (ret)
return ret;

--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -561,14 +561,12 @@ static void cleanup_match(struct xt_entr
}

static int
-check_entry(const struct ipt_entry *e, const char *name)
+check_entry(const struct ipt_entry *e)
{
const struct xt_entry_target *t;

- if (!ip_checkentry(&e->ip)) {
- duprintf("ip check failed %p %s.\n", e, name);
+ if (!ip_checkentry(&e->ip))
return -EINVAL;
- }

if (e->target_offset + sizeof(struct xt_entry_target) >
e->next_offset)
@@ -658,10 +656,6 @@ find_check_entry(struct ipt_entry *e, st
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;

- ret = check_entry(e, name);
- if (ret)
- return ret;
-
j = 0;
mtpar.net = net;
mtpar.table = name;
@@ -725,6 +719,7 @@ check_entry_size_and_hooks(struct ipt_en
unsigned int valid_hooks)
{
unsigned int h;
+ int err;

if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
(unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
@@ -739,6 +734,10 @@ check_entry_size_and_hooks(struct ipt_en
return -EINVAL;
}

+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1499,7 +1498,7 @@ check_compat_entry_size_and_hooks(struct
}

/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ipt_entry *)e, name);
+ ret = check_entry((struct ipt_entry *)e);
if (ret)
return ret;

--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -583,14 +583,12 @@ static void cleanup_match(struct xt_entr
}

static int
-check_entry(const struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e)
{
const struct xt_entry_target *t;

- if (!ip6_checkentry(&e->ipv6)) {
- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+ if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
- }

if (e->target_offset + sizeof(struct xt_entry_target) >
e->next_offset)
@@ -681,10 +679,6 @@ find_check_entry(struct ip6t_entry *e, s
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;

- ret = check_entry(e, name);
- if (ret)
- return ret;
-
j = 0;
mtpar.net = net;
mtpar.table = name;
@@ -748,6 +742,7 @@ check_entry_size_and_hooks(struct ip6t_e
unsigned int valid_hooks)
{
unsigned int h;
+ int err;

if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
(unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
@@ -762,6 +757,10 @@ check_entry_size_and_hooks(struct ip6t_e
return -EINVAL;
}

+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1523,7 +1522,7 @@ check_compat_entry_size_and_hooks(struct
}

/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ip6t_entry *)e, name);
+ ret = check_entry((struct ip6t_entry *)e);
if (ret)
return ret;


2016-04-26 23:22:37

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 066/115] USB: digi_acceleport: do sanity checking for the number of ports

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.

The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.

See: http://seclists.org/bugtraq/2016/Mar/61

Signed-off-by: Oliver Neukum <[email protected]>
[johan: fix OOB endpoint check and add error messages ]
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1489,12 +1489,30 @@ static int digi_startup_device(struct us
static int digi_startup(struct usb_serial *serial)
{

+ struct device *dev = &serial->interface->dev;
int i;
struct digi_port *priv;
struct digi_serial *serial_priv;

dbg("digi_startup: TOP");

+ /* check whether the device has the expected number of endpoints */
+ if (serial->num_port_pointers < serial->type->num_ports + 1) {
+ dev_err(dev, "OOB endpoints missing\n");
+ return -ENODEV;
+ }
+
+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
+ if (!serial->port[i]->read_urb) {
+ dev_err(dev, "bulk-in endpoint missing\n");
+ return -ENODEV;
+ }
+ if (!serial->port[i]->write_urb) {
+ dev_err(dev, "bulk-out endpoint missing\n");
+ return -ENODEV;
+ }
+ }
+
/* allocate the private data structures for all ports */
/* number of regular ports + 1 for the out-of-band port */
for (i = 0; i < serial->type->num_ports + 1; i++) {

2016-04-26 23:22:59

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 101/115] net: jme: fix suspend/resume on JMC260

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Diego Viola <[email protected]>

[ Upstream commit ee50c130c82175eaa0820c96b6d3763928af2241 ]

The JMC260 network card fails to suspend/resume because the call to
jme_start_irq() was too early, moving the call to jme_start_irq() after
the call to jme_reset_link() makes it work.

Prior this change suspend/resume would fail unless /sys/power/pm_async=0
was explicitly specified.

Relevant bug report: https://bugzilla.kernel.org/show_bug.cgi?id=112351

Signed-off-by: Diego Viola <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/jme.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/jme.c
+++ b/drivers/net/ethernet/jme.c
@@ -3285,13 +3285,14 @@ jme_resume(struct device *dev)
jme_reset_phy_processor(jme);
jme_phy_calibration(jme);
jme_phy_setEA(jme);
- jme_start_irq(jme);
netif_device_attach(netdev);

atomic_inc(&jme->link_changing);

jme_reset_link(jme);

+ jme_start_irq(jme);
+
return 0;
}


2016-04-26 23:23:30

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 047/115] tracing: Have preempt(irqs)off trace preempt disabled functions

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <[email protected]>

commit cb86e05390debcc084cfdb0a71ed4c5dbbec517d upstream.

Joel Fernandes reported that the function tracing of preempt disabled
sections was not being reported when running either the preemptirqsoff or
preemptoff tracers. This was due to the fact that the function tracer
callback for those tracers checked if irqs were disabled before tracing. But
this fails when we want to trace preempt off locations as well.

Joel explained that he wanted to see funcitons where interrupts are enabled
but preemption was disabled. The expected output he wanted:

<...>-2265 1d.h1 3419us : preempt_count_sub <-irq_exit
<...>-2265 1d..1 3419us : __do_softirq <-irq_exit
<...>-2265 1d..1 3419us : msecs_to_jiffies <-__do_softirq
<...>-2265 1d..1 3420us : irqtime_account_irq <-__do_softirq
<...>-2265 1d..1 3420us : __local_bh_disable_ip <-__do_softirq
<...>-2265 1..s1 3421us : run_timer_softirq <-__do_softirq
<...>-2265 1..s1 3421us : hrtimer_run_pending <-run_timer_softirq
<...>-2265 1..s1 3421us : _raw_spin_lock_irq <-run_timer_softirq
<...>-2265 1d.s1 3422us : preempt_count_add <-_raw_spin_lock_irq
<...>-2265 1d.s2 3422us : _raw_spin_unlock_irq <-run_timer_softirq
<...>-2265 1..s2 3422us : preempt_count_sub <-_raw_spin_unlock_irq
<...>-2265 1..s1 3423us : rcu_bh_qs <-__do_softirq
<...>-2265 1d.s1 3423us : irqtime_account_irq <-__do_softirq
<...>-2265 1d.s1 3423us : __local_bh_enable <-__do_softirq

There's a comment saying that the irq disabled check is because there's a
possible race that tracing_cpu may be set when the function is executed. But
I don't remember that race. For now, I added a check for preemption being
enabled too to not record the function, as there would be no race if that
was the case. I need to re-investigate this, as I'm now thinking that the
tracing_cpu will always be correct. But no harm in keeping the check for
now, except for the slight performance hit.

Link: http://lkml.kernel.org/r/[email protected]

Fixes: 5e6d2b9cfa3a "tracing: Use one prologue for the preempt irqs off tracer function tracers"
Cc: [email protected] # 2.6.37+
Reported-by: Joel Fernandes <[email protected]>
Signed-off-by: Steven Rostedt <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
kernel/trace/trace_irqsoff.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace_irqsoff.c
+++ b/kernel/trace/trace_irqsoff.c
@@ -117,8 +117,12 @@ static int func_prolog_dec(struct trace_
return 0;

local_save_flags(*flags);
- /* slight chance to get a false positive on tracing_cpu */
- if (!irqs_disabled_flags(*flags))
+ /*
+ * Slight chance to get a false positive on tracing_cpu,
+ * although I'm starting to think there isn't a chance.
+ * Leave this for now just to be paranoid.
+ */
+ if (!irqs_disabled_flags(*flags) && !preempt_count())
return 0;

*data = tr->data[cpu];

2016-04-26 23:23:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 074/115] parisc: Avoid function pointers for kernel exception routines

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <[email protected]>

commit e3893027a300927049efc1572f852201eb785142 upstream.

We want to avoid the kernel module loader to create function pointers
for the kernel fixup routines of get_user() and put_user(). Changing
the external reference from function type to int type fixes this.

This unbreaks exception handling for get_user() and put_user() when
called from a kernel module.

Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/parisc/kernel/parisc_ksyms.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

--- a/arch/parisc/kernel/parisc_ksyms.c
+++ b/arch/parisc/kernel/parisc_ksyms.c
@@ -48,11 +48,11 @@ EXPORT_SYMBOL(lstrncpy_from_user);
EXPORT_SYMBOL(lclear_user);
EXPORT_SYMBOL(lstrnlen_user);

-/* Global fixups */
-extern void fixup_get_user_skip_1(void);
-extern void fixup_get_user_skip_2(void);
-extern void fixup_put_user_skip_1(void);
-extern void fixup_put_user_skip_2(void);
+/* Global fixups - defined as int to avoid creation of function pointers */
+extern int fixup_get_user_skip_1;
+extern int fixup_get_user_skip_2;
+extern int fixup_put_user_skip_1;
+extern int fixup_put_user_skip_2;
EXPORT_SYMBOL(fixup_get_user_skip_1);
EXPORT_SYMBOL(fixup_get_user_skip_2);
EXPORT_SYMBOL(fixup_put_user_skip_1);

2016-04-26 23:23:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 052/115] fs/coredump: prevent fsuid=0 dumps into user-controlled directories

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jann Horn <[email protected]>

commit 378c6520e7d29280f400ef2ceaf155c86f05a71a upstream.

This commit fixes the following security hole affecting systems where
all of the following conditions are fulfilled:

- The fs.suid_dumpable sysctl is set to 2.
- The kernel.core_pattern sysctl's value starts with "/". (Systems
where kernel.core_pattern starts with "|/" are not affected.)
- Unprivileged user namespace creation is permitted. (This is
true on Linux >=3.8, but some distributions disallow it by
default using a distro patch.)

Under these conditions, if a program executes under secure exec rules,
causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
namespace, changes its root directory and crashes, the coredump will be
written using fsuid=0 and a path derived from kernel.core_pattern - but
this path is interpreted relative to the root directory of the process,
allowing the attacker to control where a coredump will be written with
root privileges.

To fix the security issue, always interpret core_pattern for dumps that
are written under SUID_DUMP_ROOT relative to the root directory of init.

Signed-off-by: Jann Horn <[email protected]>
Acked-by: Kees Cook <[email protected]>
Cc: Al Viro <[email protected]>
Cc: "Eric W. Biederman" <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/um/drivers/mconsole_kern.c | 2 +-
fs/exec.c | 30 ++++++++++++++++++++++++++----
fs/fhandle.c | 2 +-
fs/open.c | 6 ++----
include/linux/fs.h | 2 +-
kernel/sysctl_binary.c | 2 +-
6 files changed, 32 insertions(+), 12 deletions(-)

--- a/arch/um/drivers/mconsole_kern.c
+++ b/arch/um/drivers/mconsole_kern.c
@@ -133,7 +133,7 @@ void mconsole_proc(struct mc_request *re
ptr += strlen("proc");
ptr = skip_spaces(ptr);

- file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY);
+ file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY, 0);
if (IS_ERR(file)) {
mconsole_reply(req, "Failed to open file", 1, 0);
goto out;
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,9 @@
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
#include <linux/compat.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/path.h>

#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -2246,6 +2249,8 @@ void do_coredump(long signr, int exit_co
}
} else {
struct inode *inode;
+ int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW |
+ O_LARGEFILE | O_EXCL;

if (cprm.limit < binfmt->min_coredump)
goto fail_unlock;
@@ -2284,10 +2289,27 @@ void do_coredump(long signr, int exit_co
* what matters is that at least one of the two processes
* writes its coredump successfully, not which one.
*/
- cprm.file = filp_open(cn.corename,
- O_CREAT | 2 | O_NOFOLLOW |
- O_LARGEFILE | O_EXCL,
- 0600);
+ if (need_suid_safe) {
+ /*
+ * Using user namespaces, normal user tasks can change
+ * their current->fs->root to point to arbitrary
+ * directories. Since the intention of the "only dump
+ * with a fully qualified path" rule is to control where
+ * coredumps may be placed using root privileges,
+ * current->fs->root must not be used. Instead, use the
+ * root directory of init_task.
+ */
+ struct path root;
+
+ task_lock(&init_task);
+ get_fs_root(init_task.fs, &root);
+ task_unlock(&init_task);
+ cprm.file = file_open_root(root.dentry, root.mnt,
+ cn.corename, open_flags, 0600);
+ path_put(&root);
+ } else {
+ cprm.file = filp_open(cn.corename, open_flags, 0600);
+ }
if (IS_ERR(cprm.file))
goto fail_unlock;

--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -229,7 +229,7 @@ long do_handle_open(int mountdirfd,
path_put(&path);
return fd;
}
- file = file_open_root(path.dentry, path.mnt, "", open_flag);
+ file = file_open_root(path.dentry, path.mnt, "", open_flag, 0);
if (IS_ERR(file)) {
put_unused_fd(fd);
retval = PTR_ERR(file);
--- a/fs/open.c
+++ b/fs/open.c
@@ -958,12 +958,10 @@ struct file *filp_open(const char *filen
EXPORT_SYMBOL(filp_open);

struct file *file_open_root(struct dentry *dentry, struct vfsmount *mnt,
- const char *filename, int flags)
+ const char *filename, int flags, umode_t mode)
{
struct open_flags op;
- int lookup = build_open_flags(flags, 0, &op);
- if (flags & O_CREAT)
- return ERR_PTR(-EINVAL);
+ int lookup = build_open_flags(flags, mode, &op);
if (!filename && (flags & O_DIRECTORY))
if (!dentry->d_inode->i_op->lookup)
return ERR_PTR(-ENOTDIR);
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2073,7 +2073,7 @@ extern long do_sys_open(int dfd, const c
int mode);
extern struct file *filp_open(const char *, int, int);
extern struct file *file_open_root(struct dentry *, struct vfsmount *,
- const char *, int);
+ const char *, int, umode_t);
extern struct file * dentry_open(struct dentry *, struct vfsmount *, int,
const struct cred *);
extern int filp_close(struct file *, fl_owner_t id);
--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -1346,7 +1346,7 @@ static ssize_t binary_sysctl(const int *
}

mnt = current->nsproxy->pid_ns->proc_mnt;
- file = file_open_root(mnt->mnt_root, mnt, pathname, flags);
+ file = file_open_root(mnt->mnt_root, mnt, pathname, flags, 0);
result = PTR_ERR(file);
if (IS_ERR(file))
goto out_putname;

2016-04-26 23:25:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 064/115] USB: mct_u232: add sanity checking in probe

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.

An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.

CVE-2016-3136

Signed-off-by: Oliver Neukum <[email protected]>
[johan: add error message ]
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: put the check in mct_u232_startup(), which already
has a 'serial' variable]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -443,6 +443,12 @@ static int mct_u232_startup(struct usb_s
struct mct_u232_private *priv;
struct usb_serial_port *port, *rport;

+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+ dev_err(&port->dev, "expected endpoint missing\n");
+ return -ENODEV;
+ }
+
priv = kzalloc(sizeof(struct mct_u232_private), GFP_KERNEL);
if (!priv)
return -ENOMEM;

2016-04-26 23:24:18

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 096/115] ipv4: fix memory leaks in ip_cmsg_send() callers

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit 919483096bfe75dda338e98d56da91a263746a0a ]

Dmitry reported memory leaks of IP options allocated in
ip_cmsg_send() when/if this function returns an error.

Callers are responsible for the freeing.

Many thanks to Dmitry for the report and diagnostic.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/ip_sockglue.c | 2 ++
net/ipv4/ping.c | 4 +++-
net/ipv4/raw.c | 4 +++-
net/ipv4/udp.c | 4 +++-
4 files changed, 11 insertions(+), 3 deletions(-)

--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -206,6 +206,8 @@ int ip_cmsg_send(struct net *net, struct
switch (cmsg->cmsg_type) {
case IP_RETOPTS:
err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr));
+
+ /* Our caller is responsible for freeing ipc->opt */
err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg),
err < 40 ? err : 40);
if (err)
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -530,8 +530,10 @@ static int ping_sendmsg(struct kiocb *io

if (msg->msg_controllen) {
err = ip_cmsg_send(sock_net(sk), msg, &ipc);
- if (err)
+ if (unlikely(err)) {
+ kfree(ipc.opt);
return err;
+ }
if (ipc.opt)
free = 1;
}
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -520,8 +520,10 @@ static int raw_sendmsg(struct kiocb *ioc

if (msg->msg_controllen) {
err = ip_cmsg_send(sock_net(sk), msg, &ipc);
- if (err)
+ if (unlikely(err)) {
+ kfree(ipc.opt);
goto out;
+ }
if (ipc.opt)
free = 1;
}
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -875,8 +875,10 @@ int udp_sendmsg(struct kiocb *iocb, stru
return err;
if (msg->msg_controllen) {
err = ip_cmsg_send(sock_net(sk), msg, &ipc);
- if (err)
+ if (unlikely(err)) {
+ kfree(ipc.opt);
return err;
+ }
if (ipc.opt)
free = 1;
connected = 0;

2016-04-26 23:26:03

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 109/115] qlge: Fix receive packets drop.

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Manish Chopra <[email protected]>

[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]

When running small packets [length < 256 bytes] traffic, packets were
being dropped due to invalid data in those packets which were
delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
ensures copying latest and updated data into skb from the receive buffer.

Signed-off-by: Sony Chacko <[email protected]>
Signed-off-by: Manish Chopra <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c
+++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c
@@ -1622,7 +1622,18 @@ static void ql_process_mac_rx_skb(struct
return;
}
skb_reserve(new_skb, NET_IP_ALIGN);
+
+ pci_dma_sync_single_for_cpu(qdev->pdev,
+ dma_unmap_addr(sbq_desc, mapaddr),
+ dma_unmap_len(sbq_desc, maplen),
+ PCI_DMA_FROMDEVICE);
+
memcpy(skb_put(new_skb, length), skb->data, length);
+
+ pci_dma_sync_single_for_device(qdev->pdev,
+ dma_unmap_addr(sbq_desc, mapaddr),
+ dma_unmap_len(sbq_desc, maplen),
+ PCI_DMA_FROMDEVICE);
skb = new_skb;

/* Frame error, so drop the packet. */

2016-04-26 23:26:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 062/115] ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 upstream.

Just a minor code cleanup: unify the error paths.

Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/usb/quirks.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -153,22 +153,17 @@ static int create_fixed_stream_quirk(str
stream = (fp->endpoint & USB_DIR_IN)
? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
err = snd_usb_add_audio_stream(chip, stream, fp);
- if (err < 0) {
- kfree(fp);
- kfree(rate_table);
- return err;
- }
+ if (err < 0)
+ goto error;
if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
fp->altset_idx >= iface->num_altsetting) {
- kfree(fp);
- kfree(rate_table);
- return -EINVAL;
+ err = -EINVAL;
+ goto error;
}
alts = &iface->altsetting[fp->altset_idx];
if (get_iface_desc(alts)->bNumEndpoints < 1) {
- kfree(fp);
- kfree(rate_table);
- return -EINVAL;
+ err = -EINVAL;
+ goto error;
}

fp->datainterval = snd_usb_parse_datainterval(chip, alts);
@@ -177,6 +172,11 @@ static int create_fixed_stream_quirk(str
snd_usb_init_pitch(chip, fp->iface, alts, fp);
snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max);
return 0;
+
+ error:
+ kfree(fp);
+ kfree(rate_table);
+ return err;
}

/*

2016-04-26 23:26:15

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 023/115] x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <[email protected]>

commit b894157145e4ac7598d7062bc93320898a5e059e upstream.

The Home Agent and PCU PCI devices in Broadwell-EP have a non-BAR register
where a BAR should be. We don't know what the side effects of sizing the
"BAR" would be, and we don't know what address space the "BAR" might appear
to describe.

Mark these devices as having non-compliant BARs so the PCI core doesn't
touch them.

Signed-off-by: Bjorn Helgaas <[email protected]>
Tested-by: Andi Kleen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/pci/fixup.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -538,3 +538,10 @@ static void __devinit twinhead_reserve_k
}
}
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
+
+static void pci_bdwep_bar(struct pci_dev *dev)
+{
+ dev->non_compliant_bars = 1;
+}
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar);

2016-04-26 23:26:25

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 033/115] net: Fix use after free in the recvmmsg exit path

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <[email protected]>

commit 34b88a68f26a75e4fded796f1a49c40f82234b7d upstream.

The syzkaller fuzzer hit the following use-after-free:

Call Trace:
[<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
[<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
[< inline >] SYSC_recvmmsg net/socket.c:2281
[<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
[<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg to set
sock->sk->sk_err, oops, fix it.

Reported-and-Tested-by: Dmitry Vyukov <[email protected]>
Cc: Alexander Potapenko <[email protected]>
Cc: Eric Dumazet <[email protected]>
Cc: Kostya Serebryany <[email protected]>
Cc: Sasha Levin <[email protected]>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/socket.c | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)

--- a/net/socket.c
+++ b/net/socket.c
@@ -2317,31 +2317,31 @@ int __sys_recvmmsg(int fd, struct mmsghd
break;
}

-out_put:
- fput_light(sock->file, fput_needed);
-
if (err == 0)
- return datagrams;
+ goto out_put;
+
+ if (datagrams == 0) {
+ datagrams = err;
+ goto out_put;
+ }

- if (datagrams != 0) {
+ /*
+ * We may return less entries than requested (vlen) if the
+ * sock is non block and there aren't enough datagrams...
+ */
+ if (err != -EAGAIN) {
/*
- * We may return less entries than requested (vlen) if the
- * sock is non block and there aren't enough datagrams...
+ * ... or if recvmsg returns an error after we
+ * received some datagrams, where we record the
+ * error to return on the next call or if the
+ * app asks about it using getsockopt(SO_ERROR).
*/
- if (err != -EAGAIN) {
- /*
- * ... or if recvmsg returns an error after we
- * received some datagrams, where we record the
- * error to return on the next call or if the
- * app asks about it using getsockopt(SO_ERROR).
- */
- sock->sk->sk_err = -err;
- }
-
- return datagrams;
+ sock->sk->sk_err = -err;
}
+out_put:
+ fput_light(sock->file, fput_needed);

- return err;
+ return datagrams;
}

SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,

2016-04-26 23:26:31

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 078/115] netfilter: x_tables: make sure e->next_offset covers remaining blob size

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal <[email protected]>

commit 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 upstream.

Otherwise this function may read data beyond the ruleset blob.

Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/netfilter/arp_tables.c | 6 ++++--
net/ipv4/netfilter/ip_tables.c | 6 ++++--
net/ipv6/netfilter/ip6_tables.c | 6 ++++--
3 files changed, 12 insertions(+), 6 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -558,7 +558,8 @@ static inline int check_entry_size_and_h
int err;

if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct arpt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p\n", e);
return -EINVAL;
}
@@ -1218,7 +1219,8 @@ check_compat_entry_size_and_hooks(struct

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL;
}
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -722,7 +722,8 @@ check_entry_size_and_hooks(struct ipt_en
int err;

if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct ipt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p\n", e);
return -EINVAL;
}
@@ -1485,7 +1486,8 @@ check_compat_entry_size_and_hooks(struct

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL;
}
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -745,7 +745,8 @@ check_entry_size_and_hooks(struct ip6t_e
int err;

if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p\n", e);
return -EINVAL;
}
@@ -1509,7 +1510,8 @@ check_compat_entry_size_and_hooks(struct

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL;
}

2016-04-26 23:26:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 045/115] USB: usb_driver_claim_interface: add sanity checking

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd upstream.

Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/driver.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -428,9 +428,13 @@ static int usb_unbind_interface(struct d
int usb_driver_claim_interface(struct usb_driver *driver,
struct usb_interface *iface, void *priv)
{
- struct device *dev = &iface->dev;
+ struct device *dev;
int retval = 0;

+ if (!iface)
+ return -ENODEV;
+
+ dev = &iface->dev;
if (dev->driver)
return -EBUSY;


2016-04-26 23:26:57

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 025/115] drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mario Kleiner <[email protected]>

commit 459ee1c3fd097ab56ababd8ff4bb7ef6a792de33 upstream.

As observed on Apple iMac10,1, DCE-3.2, RV-730,
link rate of 2.7 Ghz is not selected, because
the args.v1.ucConfig flag setting for 2.7 Ghz
gets overwritten by a following assignment of
the transmitter to use.

Move link rate setup a few lines down to fix this.
In practice this didn't have any positive or
negative effect on display setup on the tested
iMac10,1 so i don't know if backporting to stable
makes sense or not.

Signed-off-by: Mario Kleiner <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/radeon/atombios_encoders.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -607,8 +607,6 @@ atombios_dig_encoder_setup(struct drm_en
else
args.v1.ucLaneNum = 4;

- if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000))
- args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ;
switch (radeon_encoder->encoder_id) {
case ENCODER_OBJECT_ID_INTERNAL_UNIPHY:
args.v1.ucConfig = ATOM_ENCODER_CONFIG_V2_TRANSMITTER1;
@@ -625,6 +623,10 @@ atombios_dig_encoder_setup(struct drm_en
args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKB;
else
args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKA;
+
+ if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000))
+ args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ;
+
break;
case 2:
case 3:

2016-04-26 23:27:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 112/115] ipv6: Count in extension headers in skb->network_header

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jakub Sitnicki <[email protected]>

[ Upstream commit 3ba3458fb9c050718b95275a3310b74415e767e2 ]

When sending a UDPv6 message longer than MTU, account for the length
of fragmentable IPv6 extension headers in skb->network_header offset.
Same as we do in alloc_new_skb path in __ip6_append_data().

This ensures that later on __ip6_make_skb() will make space in
headroom for fragmentable extension headers:

/* move skb->data to ip header from ext header */
if (skb->data < skb_network_header(skb))
__skb_pull(skb, skb_network_offset(skb));

Prevents a splat due to skb_under_panic:

skbuff: skb_under_panic: text:ffffffff8143397b len:2126 put:14 \
head:ffff880005bacf50 data:ffff880005bacf4a tail:0x48 end:0xc0 dev:lo
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:104!
invalid opcode: 0000 [#1] KASAN
CPU: 0 PID: 160 Comm: reproducer Not tainted 4.6.0-rc2 #65
[...]
Call Trace:
[<ffffffff813eb7b9>] skb_push+0x79/0x80
[<ffffffff8143397b>] eth_header+0x2b/0x100
[<ffffffff8141e0d0>] neigh_resolve_output+0x210/0x310
[<ffffffff814eab77>] ip6_finish_output2+0x4a7/0x7c0
[<ffffffff814efe3a>] ip6_output+0x16a/0x280
[<ffffffff815440c1>] ip6_local_out+0xb1/0xf0
[<ffffffff814f1115>] ip6_send_skb+0x45/0xd0
[<ffffffff81518836>] udp_v6_send_skb+0x246/0x5d0
[<ffffffff8151985e>] udpv6_sendmsg+0xa6e/0x1090
[...]

Reported-by: Ji Jianwen <[email protected]>
Signed-off-by: Jakub Sitnicki <[email protected]>
Acked-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ip6_output.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1109,9 +1109,8 @@ static inline int ip6_ufo_append_data(st
int getfrag(void *from, char *to, int offset, int len,
int odd, struct sk_buff *skb),
void *from, int length, int hh_len, int fragheaderlen,
- int transhdrlen, int mtu,unsigned int flags,
- struct rt6_info *rt)
-
+ int exthdrlen, int transhdrlen, int mtu,
+ unsigned int flags, struct rt6_info *rt)
{
struct sk_buff *skb;
int err;
@@ -1136,7 +1135,7 @@ static inline int ip6_ufo_append_data(st
skb_put(skb,fragheaderlen + transhdrlen);

/* initialize network header pointer */
- skb_reset_network_header(skb);
+ skb_set_network_header(skb, exthdrlen);

/* initialize protocol header pointer */
skb->transport_header = skb->network_header + fragheaderlen;
@@ -1342,7 +1341,7 @@ int ip6_append_data(struct sock *sk, int
(rt->dst.dev->features & NETIF_F_UFO) &&
(sk->sk_type == SOCK_DGRAM)) {
err = ip6_ufo_append_data(sk, getfrag, from, length,
- hh_len, fragheaderlen,
+ hh_len, fragheaderlen, exthdrlen,
transhdrlen, mtu, flags, rt);
if (err)
goto error;

2016-04-26 23:27:09

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 102/115] sctp: lack the check for ports in sctp_v6_cmp_addr

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long <[email protected]>

[ Upstream commit 40b4f0fd74e46c017814618d67ec9127ff20f157 ]

As the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check
the port of addresses, just like sctp_v4_cmp_addr, cause it's invoked by
sctp_cmp_addr_exact().

Now sctp_v6_cmp_addr just check the port when two addresses have different
family, and lack the port check for two ipv6 addresses. that will make
sctp_hash_cmp() cannot work well.

so fix it by adding ports comparison in sctp_v6_cmp_addr().

Signed-off-by: Xin Long <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/sctp/ipv6.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -515,6 +515,8 @@ static int sctp_v6_cmp_addr(const union
}
return 0;
}
+ if (addr1->v6.sin6_port != addr2->v6.sin6_port)
+ return 0;
if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
return 0;
/* If this is a linklocal address, compare the scope_id. */

2016-04-26 23:27:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 105/115] ax25: add link layer header validation function

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <[email protected]>

[ Upstream commit ea47781c26510e5d97f80f9aceafe9065bd5e3aa ]

As variable length protocol, AX25 fails link layer header validation
tests based on a minimum length. header_ops.validate allows protocols
to validate headers that are shorter than hard_header_len. Implement
this callback for AX25.

See also http://comments.gmane.org/gmane.linux.network/401064

Signed-off-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ax25/ax25_ip.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

--- a/net/ax25/ax25_ip.c
+++ b/net/ax25/ax25_ip.c
@@ -232,9 +232,24 @@ int ax25_rebuild_header(struct sk_buff *

#endif

+static bool ax25_validate_header(const char *header, unsigned int len)
+{
+ ax25_digi digi;
+
+ if (!len)
+ return false;
+
+ if (header[0])
+ return true;
+
+ return ax25_addr_parse(header + 1, len - 1, NULL, NULL, &digi, NULL,
+ NULL);
+}
+
const struct header_ops ax25_header_ops = {
.create = ax25_hard_header,
.rebuild = ax25_rebuild_header,
+ .validate = ax25_validate_header,
};

EXPORT_SYMBOL(ax25_hard_header);

2016-04-26 23:27:29

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 051/115] ethernet: micrel: fix some error codes

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 3af0d554c1ce11e9d0953381ff566271f9ab81a9 upstream.

There were two issues here:
1) dma_mapping_error() return true/false but we want to return -ENOMEM
2) If dmaengine_prep_slave_sg() failed then "err" wasn't set but
presumably that should be -ENOMEM as well.

I changed the success path to "return 0;" instead of "return ret;" for
clarity.

Fixes: 94fe8c683cea ('ks8842: Support DMA when accessed via timberdale')
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/micrel/ks8842.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/micrel/ks8842.c
+++ b/drivers/net/ethernet/micrel/ks8842.c
@@ -562,8 +562,8 @@ static int __ks8842_start_new_rx_dma(str
sg_init_table(sg, 1);
sg_dma_address(sg) = dma_map_single(adapter->dev,
ctl->skb->data, DMA_BUFFER_SIZE, DMA_FROM_DEVICE);
- err = dma_mapping_error(adapter->dev, sg_dma_address(sg));
- if (unlikely(err)) {
+ if (dma_mapping_error(adapter->dev, sg_dma_address(sg))) {
+ err = -ENOMEM;
sg_dma_address(sg) = 0;
goto out;
}
@@ -574,8 +574,10 @@ static int __ks8842_start_new_rx_dma(str
sg, 1, DMA_FROM_DEVICE,
DMA_PREP_INTERRUPT | DMA_COMPL_SKIP_SRC_UNMAP);

- if (!ctl->adesc)
+ if (!ctl->adesc) {
+ err = -ENOMEM;
goto out;
+ }

ctl->adesc->callback_param = netdev;
ctl->adesc->callback = ks8842_dma_rx_cb;
@@ -586,7 +588,7 @@ static int __ks8842_start_new_rx_dma(str
goto out;
}

- return err;
+ return 0;
out:
if (sg_dma_address(sg))
dma_unmap_single(adapter->dev, sg_dma_address(sg),

2016-04-26 23:27:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 104/115] net: validate variable length ll headers

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <[email protected]>

[ Upstream commit 2793a23aacbd754dbbb5cb75093deb7e4103bace ]

Netdevice parameter hard_header_len is variously interpreted both as
an upper and lower bound on link layer header length. The field is
used as upper bound when reserving room at allocation, as lower bound
when validating user input in PF_PACKET.

Clarify the definition to be maximum header length. For validation
of untrusted headers, add an optional validate member to header_ops.

Allow bypassing of validation by passing CAP_SYS_RAWIO, for instance
for deliberate testing of corrupt input. In this case, pad trailing
bytes, as some device drivers expect completely initialized headers.

See also http://comments.gmane.org/gmane.linux.network/401064

Signed-off-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: net_device has inline comments instead of kernel-doc]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -293,6 +293,7 @@ struct header_ops {
void (*cache_update)(struct hh_cache *hh,
const struct net_device *dev,
const unsigned char *haddr);
+ bool (*validate)(const char *ll_header, unsigned int len);
};

/* These flag bits are private to the generic network queueing
@@ -1119,7 +1120,7 @@ struct net_device {

unsigned int mtu; /* interface MTU value */
unsigned short type; /* interface hardware type */
- unsigned short hard_header_len; /* hardware hdr length */
+ unsigned short hard_header_len; /* maximum hardware hdr length */

/* extra head- and tailroom the hardware may need, but not in all cases
* can this be guaranteed, especially tailroom. Some cases also use
@@ -1728,6 +1729,24 @@ static inline int dev_rebuild_header(str
return dev->header_ops->rebuild(skb);
}

+/* ll_header must have at least hard_header_len allocated */
+static inline bool dev_validate_header(const struct net_device *dev,
+ char *ll_header, int len)
+{
+ if (likely(len >= dev->hard_header_len))
+ return true;
+
+ if (capable(CAP_SYS_RAWIO)) {
+ memset(ll_header + len, 0, dev->hard_header_len - len);
+ return true;
+ }
+
+ if (dev->header_ops && dev->header_ops->validate)
+ return dev->header_ops->validate(ll_header, len);
+
+ return false;
+}
+
typedef int gifconf_func_t(struct net_device * dev, char __user * bufptr, int len);
extern int register_gifconf(unsigned int family, gifconf_func_t * gifconf);
static inline int unregister_gifconf(unsigned int family)

2016-04-26 23:27:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 081/115] usbnet: cleanup after bind() in probe()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 1666984c8625b3db19a9abc298931d35ab7bc64b upstream.

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/usb/usbnet.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1486,6 +1486,13 @@ out3:
if (info->unbind)
info->unbind (dev, udev);
out1:
+ /* subdrivers must undo all they did in bind() if they
+ * fail it, but we may fail later and a deferred kevent
+ * may trigger an error resubmitting itself and, worse,
+ * schedule a timer. So we kill it all just in case.
+ */
+ cancel_work_sync(&dev->kevent);
+ del_timer_sync(&dev->delay);
free_netdev(net);
out:
usb_put_dev(xdev);

2016-04-26 23:28:06

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 106/115] sh_eth: fix NULL pointer dereference in sh_eth_ring_format()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <[email protected]>

[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]

In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
loop iteration in sh_eth_ring_format(), 'rxdesc' is still NULL. Avoid
kernel oops by adding the 'rxdesc' check after the loop.

Reported-by: Wolfram Sang <[email protected]>
Signed-off-by: Sergei Shtylyov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/renesas/sh_eth.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -681,7 +681,8 @@ static void sh_eth_ring_format(struct ne
mdp->dirty_rx = (u32) (i - RX_RING_SIZE);

/* Mark the last entry as wrapping the ring. */
- rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);
+ if (rxdesc)
+ rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);

memset(mdp->tx_ring, 0, tx_ringsize);


2016-04-26 23:28:13

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 039/115] x86/iopl/64: Properly context-switch IOPL on Xen PV

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <[email protected]>

commit b7a584598aea7ca73140cb87b40319944dd3393f upstream.

On Xen PV, regs->flags doesn't reliably reflect IOPL and the
exit-to-userspace code doesn't change IOPL. We need to context
switch it manually.

I'm doing this without going through paravirt because this is
specific to Xen PV. After the dust settles, we can merge this with
the 32-bit code, tidy up the iopl syscall implementation, and remove
the set_iopl pvop entirely.

Fixes XSA-171.

Reviewewd-by: Jan Beulich <[email protected]>
Signed-off-by: Andy Lutomirski <[email protected]>
Cc: Andrew Cooper <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Boris Ostrovsky <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: David Vrabel <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Jan Beulich <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.2:
- Use xen_pv_domain() directly as X86_FEATURE_XENPV is not defined
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/include/asm/xen/hypervisor.h | 2 ++
arch/x86/kernel/process_64.c | 12 ++++++++++++
arch/x86/xen/enlighten.c | 2 +-
3 files changed, 15 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/xen/hypervisor.h
+++ b/arch/x86/include/asm/xen/hypervisor.h
@@ -72,4 +72,6 @@ static inline bool xen_x2apic_para_avail
}
#endif

+extern void xen_set_iopl_mask(unsigned mask);
+
#endif /* _ASM_X86_XEN_HYPERVISOR_H */
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -38,6 +38,7 @@
#include <linux/io.h>
#include <linux/ftrace.h>
#include <linux/cpuidle.h>
+#include <xen/xen.h>

#include <asm/pgtable.h>
#include <asm/system.h>
@@ -52,6 +53,7 @@
#include <asm/syscalls.h>
#include <asm/debugreg.h>
#include <asm/nmi.h>
+#include <asm/xen/hypervisor.h>

asmlinkage extern void ret_from_fork(void);

@@ -518,6 +520,16 @@ __switch_to(struct task_struct *prev_p,
task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
__switch_to_xtra(prev_p, next_p, tss);

+#ifdef CONFIG_XEN
+ /*
+ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
+ * current_pt_regs()->flags may not match the current task's
+ * intended IOPL. We need to switch it manually.
+ */
+ if (unlikely(xen_pv_domain() && prev->iopl != next->iopl))
+ xen_set_iopl_mask(next->iopl);
+#endif
+
return prev_p;
}

--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -768,7 +768,7 @@ static void xen_load_sp0(struct tss_stru
xen_mc_issue(PARAVIRT_LAZY_CPU);
}

-static void xen_set_iopl_mask(unsigned mask)
+void xen_set_iopl_mask(unsigned mask)
{
struct physdev_set_iopl set_iopl;


2016-04-26 23:28:11

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 043/115] Input: synaptics - handle spurious release of trackstick buttons, again

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <[email protected]>

commit 82be788c96ed5978d3cb4a00079e26b981a3df3f upstream.

Looks like the fimware 8.2 still has the extra buttons spurious release
bug.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=114321
Signed-off-by: Benjamin Tissoires <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/input/mouse/synaptics.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -674,8 +674,9 @@ static void synaptics_report_ext_buttons
if (!SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap))
return;

- /* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */
- if (SYN_ID_FULL(priv->identity) == 0x801 &&
+ /* Bug in FW 8.1 & 8.2, buttons are reported only when ExtBit is 1 */
+ if ((SYN_ID_FULL(priv->identity) == 0x801 ||
+ SYN_ID_FULL(priv->identity) == 0x802) &&
!((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02))
return;


2016-04-26 23:29:28

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 094/115] ipv6/udp: use sticky pktinfo egress ifindex on connect()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <[email protected]>

[ Upstream commit 1cdda91871470f15e79375991bd2eddc6e86ddb1 ]

Currently, the egress interface index specified via IPV6_PKTINFO
is ignored by __ip6_datagram_connect(), so that RFC 3542 section 6.7
can be subverted when the user space application calls connect()
before sendmsg().
Fix it by initializing properly flowi6_oif in connect() before
performing the route lookup.

Signed-off-by: Paolo Abeni <[email protected]>
Acked-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/datagram.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -161,6 +161,9 @@ ipv4_connected:
fl6.fl6_dport = inet->inet_dport;
fl6.fl6_sport = inet->inet_sport;

+ if (!fl6.flowi6_oif)
+ fl6.flowi6_oif = np->sticky_pktinfo.ipi6_ifindex;
+
if (!fl6.flowi6_oif && (addr_type&IPV6_ADDR_MULTICAST))
fl6.flowi6_oif = np->mcast_oif;


2016-04-26 23:29:32

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 067/115] sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Martin K. Petersen" <[email protected]>

commit f08bb1e0dbdd0297258d0b8cd4dbfcc057e57b2a upstream.

During revalidate we check whether device capacity has changed before we
decide whether to output disk information or not.

The check for old capacity failed to take into account that we scaled
sdkp->capacity based on the reported logical block size. And therefore
the capacity test would always fail for devices with sectors bigger than
512 bytes and we would print several copies of the same discovery
information.

Avoid scaling sdkp->capacity and instead adjust the value on the fly
when setting the block device capacity and generating fake C/H/S
geometry.

Signed-off-by: Martin K. Petersen <[email protected]>
Reported-by: Hannes Reinecke <[email protected]>
Reviewed-by: Hannes Reinicke <[email protected]>
Reviewed-by: Ewan Milne <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
[bwh: Backported to 3.2:
- logical_to_sectors() is a new function
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1051,18 +1051,19 @@ static int sd_getgeo(struct block_device
struct scsi_disk *sdkp = scsi_disk(bdev->bd_disk);
struct scsi_device *sdp = sdkp->device;
struct Scsi_Host *host = sdp->host;
+ sector_t capacity = logical_to_sectors(sdp, sdkp->capacity);
int diskinfo[4];

/* default to most commonly used values */
- diskinfo[0] = 0x40; /* 1 << 6 */
- diskinfo[1] = 0x20; /* 1 << 5 */
- diskinfo[2] = sdkp->capacity >> 11;
-
+ diskinfo[0] = 0x40; /* 1 << 6 */
+ diskinfo[1] = 0x20; /* 1 << 5 */
+ diskinfo[2] = capacity >> 11;
+
/* override with calculated, extended default, or driver values */
if (host->hostt->bios_param)
- host->hostt->bios_param(sdp, bdev, sdkp->capacity, diskinfo);
+ host->hostt->bios_param(sdp, bdev, capacity, diskinfo);
else
- scsicam_bios_param(bdev, sdkp->capacity, diskinfo);
+ scsicam_bios_param(bdev, capacity, diskinfo);

geo->heads = diskinfo[0];
geo->sectors = diskinfo[1];
@@ -1931,14 +1932,6 @@ got_data:
}
}

- /* Rescale capacity to 512-byte units */
- if (sector_size == 4096)
- sdkp->capacity <<= 3;
- else if (sector_size == 2048)
- sdkp->capacity <<= 2;
- else if (sector_size == 1024)
- sdkp->capacity <<= 1;
-
blk_queue_physical_block_size(sdp->request_queue,
sdkp->physical_block_size);
sdkp->device->sector_size = sector_size;
@@ -2416,7 +2409,7 @@ static int sd_revalidate_disk(struct gen

blk_queue_flush(sdkp->disk->queue, flush);

- set_capacity(disk, sdkp->capacity);
+ set_capacity(disk, logical_to_sectors(sdp, sdkp->capacity));
kfree(buffer);

out:
--- a/drivers/scsi/sd.h
+++ b/drivers/scsi/sd.h
@@ -52,7 +52,7 @@ struct scsi_disk {
struct device dev;
struct gendisk *disk;
atomic_t openers;
- sector_t capacity; /* size in 512-byte sectors */
+ sector_t capacity; /* size in logical blocks */
u32 max_ws_blocks;
u32 max_unmap_blocks;
u32 unmap_granularity;
@@ -89,6 +89,11 @@ static inline struct scsi_disk *scsi_dis
(sdsk)->disk->disk_name, ##a) : \
sdev_printk(prefix, (sdsk)->device, fmt, ##a)

+static inline sector_t logical_to_sectors(struct scsi_device *sdev, sector_t blocks)
+{
+ return blocks << (ilog2(sdev->sector_size) - 9);
+}
+
/*
* A DIF-capable target device can be formatted with different
* protection schemes. Currently 0 through 3 are defined:

2016-04-26 23:29:37

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 065/115] USB: cypress_m8: add endpoint sanity check

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.

An attack using missing endpoints exists.

CVE-2016-3137

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/cypress_m8.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -489,6 +489,11 @@ static int generic_startup(struct usb_se

dbg("%s - port %d", __func__, port->number);

+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
+ dev_err(&port->dev, "required endpoint is missing\n");
+ return -ENODEV;
+ }
+
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
if (!priv)
return -ENOMEM;
@@ -658,12 +663,6 @@ static int cypress_open(struct tty_struc
cypress_set_termios(tty, port, &priv->tmp_termios);

/* setup the port and start reading from the device */
- if (!port->interrupt_in_urb) {
- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
- __func__);
- return -1;
- }
-
usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
port->interrupt_in_urb->transfer_buffer,

2016-04-26 23:29:44

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 053/115] rapidio/rionet: fix deadlock on SMP

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Aurelien Jacquiot <[email protected]>

commit 36915976eca58f2eefa040ba8f9939672564df61 upstream.

Fix deadlocking during concurrent receive and transmit operations on SMP
platforms caused by the use of incorrect lock: on transmit 'tx_lock'
spinlock should be used instead of 'lock' which is used for receive
operation.

This fix is applicable to kernel versions starting from v2.15.

Signed-off-by: Aurelien Jacquiot <[email protected]>
Signed-off-by: Alexandre Bounine <[email protected]>
Cc: Matt Porter <[email protected]>
Cc: Andre van Herk <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/rionet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/rionet.c
+++ b/drivers/net/rionet.c
@@ -269,7 +269,7 @@ static void rionet_outb_msg_event(struct
struct net_device *ndev = dev_id;
struct rionet_private *rnet = netdev_priv(ndev);

- spin_lock(&rnet->lock);
+ spin_lock(&rnet->tx_lock);

if (netif_msg_intr(rnet))
printk(KERN_INFO
@@ -288,7 +288,7 @@ static void rionet_outb_msg_event(struct
if (rnet->tx_cnt < RIONET_TX_RING_SIZE)
netif_wake_queue(ndev);

- spin_unlock(&rnet->lock);
+ spin_unlock(&rnet->tx_lock);
}

static int rionet_open(struct net_device *ndev)

2016-04-26 23:29:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 090/115] phonet: properly unshare skbs in phonet_rcv()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit 7aaed57c5c2890634cfadf725173c7c68ea4cb4f ]

Ivaylo Dimitrov reported a regression caused by commit 7866a621043f
("dev: add per net_device packet type chains").

skb->dev becomes NULL and we crash in __netif_receive_skb_core().

Before above commit, different kind of bugs or corruptions could happen
without major crash.

But the root cause is that phonet_rcv() can queue skb without checking
if skb is shared or not.

Many thanks to Ivaylo Dimitrov for his help, diagnosis and tests.

Reported-by: Ivaylo Dimitrov <[email protected]>
Tested-by: Ivaylo Dimitrov <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Remi Denis-Courmont <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/phonet/af_phonet.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/net/phonet/af_phonet.c
+++ b/net/phonet/af_phonet.c
@@ -377,6 +377,10 @@ static int phonet_rcv(struct sk_buff *sk
struct sockaddr_pn sa;
u16 len;

+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (!skb)
+ return NET_RX_DROP;
+
/* check we have at least a full Phonet header */
if (!pskb_pull(skb, sizeof(struct phonethdr)))
goto out;

2016-04-26 23:30:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 089/115] tcp_yeah: don't set ssthresh below 2

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Neal Cardwell <[email protected]>

[ Upstream commit 83d15e70c4d8909d722c0d64747d8fb42e38a48f ]

For tcp_yeah, use an ssthresh floor of 2, the same floor used by Reno
and CUBIC, per RFC 5681 (equation 4).

tcp_yeah_ssthresh() was sometimes returning a 0 or negative ssthresh
value if the intended reduction is as big or bigger than the current
cwnd. Congestion control modules should never return a zero or
negative ssthresh. A zero ssthresh generally results in a zero cwnd,
causing the connection to stall. A negative ssthresh value will be
interpreted as a u32 and will set a target cwnd for PRR near 4
billion.

Oleksandr Natalenko reported that a system using tcp_yeah with ECN
could see a warning about a prior_cwnd of 0 in
tcp_cwnd_reduction(). Testing verified that this was due to
tcp_yeah_ssthresh() misbehaving in this way.

Reported-by: Oleksandr Natalenko <[email protected]>
Signed-off-by: Neal Cardwell <[email protected]>
Signed-off-by: Yuchung Cheng <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/tcp_yeah.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_yeah.c
+++ b/net/ipv4/tcp_yeah.c
@@ -222,7 +222,7 @@ static u32 tcp_yeah_ssthresh(struct sock
yeah->fast_count = 0;
yeah->reno_count = max(yeah->reno_count>>1, 2U);

- return tp->snd_cwnd - reduction;
+ return max_t(int, tp->snd_cwnd - reduction, 2);
}

static struct tcp_congestion_ops tcp_yeah __read_mostly = {

2016-04-26 23:30:46

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 088/115] bridge: Only call /sbin/bridge-stp for the initial network namespace

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <[email protected]>

[ Upstream commit ff62198553e43cdffa9d539f6165d3e83f8a42bc ]

[I stole this patch from Eric Biederman. He wrote:]

> There is no defined mechanism to pass network namespace information
> into /sbin/bridge-stp therefore don't even try to invoke it except
> for bridge devices in the initial network namespace.
>
> It is possible for unprivileged users to cause /sbin/bridge-stp to be
> invoked for any network device name which if /sbin/bridge-stp does not
> guard against unreasonable arguments or being invoked twice on the
> same network device could cause problems.

[Hannes: changed patch using netns_eq]

Cc: Eric W. Biederman <[email protected]>
Signed-off-by: Eric W. Biederman <[email protected]>
Signed-off-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/bridge/br_stp_if.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -129,7 +129,10 @@ static void br_stp_start(struct net_brid
char *argv[] = { BR_STP_PROG, br->dev->name, "start", NULL };
char *envp[] = { NULL };

- r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
+ if (net_eq(dev_net(br->dev), &init_net))
+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
+ else
+ r = -ENOENT;
if (r == 0) {
br->stp_enabled = BR_USER_STP;
br_debug(br, "userspace STP started\n");

2016-04-26 23:31:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 040/115] x86/iopl: Fix iopl capability check on Xen PV

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <[email protected]>

commit c29016cf41fe9fa994a5ecca607cf5f1cd98801e upstream.

iopl(3) is supposed to work if iopl is already 3, even if
unprivileged. This didn't work right on Xen PV. Fix it.

Reviewewd-by: Jan Beulich <[email protected]>
Signed-off-by: Andy Lutomirski <[email protected]>
Cc: Andrew Cooper <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Boris Ostrovsky <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: David Vrabel <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Jan Beulich <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/8ce12013e6e4c0a44a97e316be4a6faff31bd5ea.1458162709.git.luto@kernel.org
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/ioport.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -95,9 +95,14 @@ asmlinkage long sys_ioperm(unsigned long
*/
long sys_iopl(unsigned int level, struct pt_regs *regs)
{
- unsigned int old = (regs->flags >> 12) & 3;
struct thread_struct *t = &current->thread;

+ /*
+ * Careful: the IOPL bits in regs->flags are undefined under Xen PV
+ * and changing them has no effect.
+ */
+ unsigned int old = t->iopl >> 12;
+
if (level > 3)
return -EINVAL;
/* Trying to gain more privileges? */

2016-04-26 23:32:27

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 084/115] ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eryu Guan <[email protected]>

commit 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 upstream.

ext4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on
error (e.g. EIO) and iloc.bh can be NULL in this case. But the error is
ignored in the following "if" condition and ext4_expand_extra_isize()
might be called with NULL iloc.bh set, which triggers NULL pointer
dereference.

This is uncovered by commit 8b4953e13f4c ("ext4: reserve code points for
the project quota feature"), which enlarges the ext4_inode size, and
run the following script on new kernel but with old mke2fs:

#/bin/bash
mnt=/mnt/ext4
devname=ext4-error
dev=/dev/mapper/$devname
fsimg=/home/fs.img

trap cleanup 0 1 2 3 9 15

cleanup()
{
umount $mnt >/dev/null 2>&1
dmsetup remove $devname
losetup -d $backend_dev
rm -f $fsimg
exit 0
}

rm -f $fsimg
fallocate -l 1g $fsimg
backend_dev=`losetup -f --show $fsimg`
devsize=`blockdev --getsz $backend_dev`

good_tab="0 $devsize linear $backend_dev 0"
error_tab="0 $devsize error $backend_dev 0"

dmsetup create $devname --table "$good_tab"

mkfs -t ext4 $dev
mount -t ext4 -o errors=continue,strictatime $dev $mnt

dmsetup load $devname --table "$error_tab" && dmsetup resume $devname
echo 3 > /proc/sys/vm/drop_caches
ls -l $mnt
exit 0

[ Patch changed to simplify the function a tiny bit. -- Ted ]

Signed-off-by: Eryu Guan <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4636,6 +4636,8 @@ int ext4_mark_inode_dirty(handle_t *hand
might_sleep();
trace_ext4_mark_inode_dirty(inode, _RET_IP_);
err = ext4_reserve_inode_write(handle, inode, &iloc);
+ if (err)
+ return err;
if (ext4_handle_valid(handle) &&
EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize &&
!ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) {
@@ -4666,9 +4668,7 @@ int ext4_mark_inode_dirty(handle_t *hand
}
}
}
- if (!err)
- err = ext4_mark_iloc_dirty(handle, inode, &iloc);
- return err;
+ return ext4_mark_iloc_dirty(handle, inode, &iloc);
}

/*

2016-04-26 23:32:31

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 049/115] tracing: Fix crash from reading trace_pipe with sendfile

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <[email protected]>

commit a29054d9478d0435ab01b7544da4f674ab13f533 upstream.

If tracing contains data and the trace_pipe file is read with sendfile(),
then it can trigger a NULL pointer dereference and various BUG_ON within the
VM code.

There's a patch to fix this in the splice_to_pipe() code, but it's also a
good idea to not let that happen from trace_pipe either.

Link: http://lkml.kernel.org/r/[email protected]

Reported-by: Rabin Vincent <[email protected]>
Signed-off-by: Steven Rostedt <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
kernel/trace/trace.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3565,7 +3565,10 @@ static ssize_t tracing_splice_read_pipe(

spd.nr_pages = i;

- ret = splice_to_pipe(pipe, &spd);
+ if (i)
+ ret = splice_to_pipe(pipe, &spd);
+ else
+ ret = 0;
out:
splice_shrink_spd(&spd);
return ret;

2016-04-26 23:32:34

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 022/115] ipvs: correct initial offset of Call-ID header search in SIP persistence engine

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marco Angaroni <[email protected]>

commit 7617a24f83b5d67f4dab1844956be1cebc44aec8 upstream.

The IPVS SIP persistence engine is not able to parse the SIP header
"Call-ID" when such header is inserted in the first positions of
the SIP message.

When IPVS is configured with "--pe sip" option, like for example:
ipvsadm -A -u 1.2.3.4:5060 -s rr --pe sip -p 120 -o
some particular messages (see below for details) do not create entries
in the connection template table, which can be listed with:
ipvsadm -Lcn --persistent-conn

Problematic SIP messages are SIP responses having "Call-ID" header
positioned just after message first line:
SIP/2.0 200 OK
[Call-ID header here]
[rest of the headers]

When "Call-ID" header is positioned down (after a few other headers)
it is correctly recognized.

This is due to the data offset used in get_callid function call inside
ip_vs_pe_sip.c file: since dptr already points to the start of the
SIP message, the value of dataoff should be initially 0.
Otherwise the header is searched starting from some bytes after the
first character of the SIP message.

Fixes: 758ff0338722 ("IPVS: sip persistence engine")
Signed-off-by: Marco Angaroni <[email protected]>
Acked-by: Julian Anastasov <[email protected]>
Signed-off-by: Simon Horman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/netfilter/ipvs/ip_vs_pe_sip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
@@ -85,7 +85,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_p
dptr = skb->data + dataoff;
datalen = skb->len - dataoff;

- if (get_callid(dptr, dataoff, datalen, &matchoff, &matchlen))
+ if (get_callid(dptr, 0, datalen, &matchoff, &matchlen))
return -EINVAL;

/* N.B: pe_data is only set on success,

2016-04-26 23:32:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 058/115] ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Joseph Qi <[email protected]>

commit be12b299a83fc807bbaccd2bcb8ec50cbb0cb55c upstream.

When master handles convert request, it queues ast first and then
returns status. This may happen that the ast is sent before the request
status because the above two messages are sent by two threads. And
right after the ast is sent, if master down, it may trigger BUG in
dlm_move_lockres_to_recovery_list in the requested node because ast
handler moves it to grant list without clear lock->convert_pending. So
remove BUG_ON statement and check if the ast is processed in
dlmconvert_remote.

Signed-off-by: Joseph Qi <[email protected]>
Reported-by: Yiwen Jiang <[email protected]>
Cc: Junxiao Bi <[email protected]>
Cc: Mark Fasheh <[email protected]>
Cc: Joel Becker <[email protected]>
Cc: Tariq Saeed <[email protected]>
Cc: Junxiao Bi <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ocfs2/dlm/dlmconvert.c | 13 +++++++++++++
fs/ocfs2/dlm/dlmrecovery.c | 1 -
2 files changed, 13 insertions(+), 1 deletion(-)

--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -291,6 +291,19 @@ enum dlm_status dlmconvert_remote(struct
status = DLM_DENIED;
goto bail;
}
+
+ if (lock->ml.type == type && lock->ml.convert_type == LKM_IVMODE) {
+ mlog(0, "last convert request returned DLM_RECOVERING, but "
+ "owner has already queued and sent ast to me. res %.*s, "
+ "(cookie=%u:%llu, type=%d, conv=%d)\n",
+ res->lockname.len, res->lockname.name,
+ dlm_get_lock_cookie_node(be64_to_cpu(lock->ml.cookie)),
+ dlm_get_lock_cookie_seq(be64_to_cpu(lock->ml.cookie)),
+ lock->ml.type, lock->ml.convert_type);
+ status = DLM_NORMAL;
+ goto bail;
+ }
+
res->state |= DLM_LOCK_RES_IN_PROGRESS;
/* move lock to local convert queue */
/* do not alter lock refcount. switching lists. */
--- a/fs/ocfs2/dlm/dlmrecovery.c
+++ b/fs/ocfs2/dlm/dlmrecovery.c
@@ -2039,7 +2039,6 @@ void dlm_move_lockres_to_recovery_list(s
dlm_lock_get(lock);
if (lock->convert_pending) {
/* move converting lock back to granted */
- BUG_ON(i != DLM_CONVERTING_LIST);
mlog(0, "node died with convert pending "
"on %.*s. move back to granted list.\n",
res->lockname.len, res->lockname.name);

2016-04-26 23:33:08

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 028/115] Bluetooth: btusb: Add a new AR3012 ID 13d3:3472

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <[email protected]>

commit 75c6aca4765dbe3d0c1507ab5052f2e373dc2331 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3472 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1552925

Signed-off-by: Dmitry Tunin <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -116,6 +116,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x13d3, 0x3408) },
{ USB_DEVICE(0x13d3, 0x3423) },
{ USB_DEVICE(0x13d3, 0x3432) },
+ { USB_DEVICE(0x13d3, 0x3472) },
{ USB_DEVICE(0x13d3, 0x3474) },

/* Atheros AR5BBU12 with sflash firmware */
@@ -179,6 +180,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU22 with sflash firmware */
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -201,6 +201,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU12 with sflash firmware */

2016-04-26 23:33:13

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 093/115] net: dp83640: Fix tx timestamp overflow handling.

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Manfred Rudigier <[email protected]>

[ Upstream commit 81e8f2e930fe76b9814c71b9d87c30760b5eb705 ]

PHY status frames are not reliable, the PHY may not be able to send them
during heavy receive traffic. This overflow condition is signaled by the
PHY in the next status frame, but the driver did not make use of it.
Instead it always reported wrong tx timestamps to user space after an
overflow happened because it assigned newly received tx timestamps to old
packets in the queue.

This commit fixes this issue by clearing the tx timestamp queue every time
an overflow happens, so that no timestamps are delivered for overflow
packets. This way time stamping will continue correctly after an overflow.

Signed-off-by: Manfred Rudigier <[email protected]>
Acked-by: Richard Cochran <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/phy/dp83640.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -680,6 +680,11 @@ static void decode_rxts(struct dp83640_p
{
struct rxts *rxts;
unsigned long flags;
+ u8 overflow;
+
+ overflow = (phy_rxts->ns_hi >> 14) & 0x3;
+ if (overflow)
+ pr_debug("rx timestamp queue overflow, count %d\n", overflow);

spin_lock_irqsave(&dp83640->rx_lock, flags);

@@ -703,6 +708,7 @@ static void decode_txts(struct dp83640_p
struct skb_shared_hwtstamps shhwtstamps;
struct sk_buff *skb;
u64 ns;
+ u8 overflow;

/* We must already have the skb that triggered this. */

@@ -712,6 +718,17 @@ static void decode_txts(struct dp83640_p
pr_debug("dp83640: have timestamp but tx_queue empty\n");
return;
}
+
+ overflow = (phy_txts->ns_hi >> 14) & 0x3;
+ if (overflow) {
+ pr_debug("tx timestamp queue overflow, count %d\n", overflow);
+ while (skb) {
+ skb_complete_tx_timestamp(skb, NULL);
+ skb = skb_dequeue(&dp83640->tx_queue);
+ }
+ return;
+ }
+
ns = phy2txts(phy_txts);
memset(&shhwtstamps, 0, sizeof(shhwtstamps));
shhwtstamps.hwtstamp = ns_to_ktime(ns);

2016-04-26 23:33:27

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 085/115] veth: don’t modify ip_sum med; doing so treats packets with bad checksums as good.

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vijay Pandurangan <[email protected]>

[ Upstream commit ce8c839b74e3017996fad4e1b7ba2e2625ede82f ]

Packets that arrive from real hardware devices have ip_summed ==
CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
current version of veth will replace CHECKSUM_NONE with
CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
a veth device to be delivered to the application. This caused applications
at Twitter to receive corrupt data when network hardware was corrupting
packets.

We believe this was added as an optimization to skip computing and
verifying checksums for communication between containers. However, locally
generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as
written does nothing for them. As far as we can tell, after removing this
code, these packets are transmitted from one stack to another unmodified
(tcpdump shows invalid checksums on both sides, as expected), and they are
delivered correctly to applications. We didn’t test every possible network
configuration, but we tried a few common ones such as bridging containers,
using NAT between the host and a container, and routing from hardware
devices to containers. We have effectively deployed this in production at
Twitter (by disabling RX checksum offloading on veth devices).

This code dates back to the first version of the driver, commit
<e314dbdc1c0dc6a548ecf> ("[NET]: Virtual ethernet device driver"), so I
suspect this bug occurred mostly because the driver API has evolved
significantly since then. Commit <0b7967503dc97864f283a> ("net/veth: Fix
packet checksumming") (in December 2010) fixed this for packets that get
created locally and sent to hardware devices, by not changing
CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming
in from hardware devices.

Co-authored-by: Evan Jones <[email protected]>
Signed-off-by: Evan Jones <[email protected]>
Cc: Nicolas Dichtel <[email protected]>
Cc: Phil Sutter <[email protected]>
Cc: Toshiaki Makita <[email protected]>
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Vijay Pandurangan <[email protected]>
Acked-by: Cong Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/veth.c | 6 ------
1 file changed, 6 deletions(-)

--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -126,11 +126,6 @@ static netdev_tx_t veth_xmit(struct sk_b
stats = this_cpu_ptr(priv->stats);
rcv_stats = this_cpu_ptr(rcv_priv->stats);

- /* don't change ip_summed == CHECKSUM_PARTIAL, as that
- will cause bad checksum on forwarded packets */
- if (skb->ip_summed == CHECKSUM_NONE &&
- rcv->features & NETIF_F_RXCSUM)
- skb->ip_summed = CHECKSUM_UNNECESSARY;

length = skb->len;
if (dev_forward_skb(rcv, skb) != NET_RX_SUCCESS)

2016-04-26 23:33:59

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 086/115] sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long <[email protected]>

[ Upstream commit 068d8bd338e855286aea54e70d1c101569284b21 ]

In sctp_close, sctp_make_abort_user may return NULL because of memory
allocation failure. If this happens, it will bypass any state change
and never free the assoc. The assoc has no chance to be freed and it
will be kept in memory with the state it had even after the socket is
closed by sctp_close().

So if sctp_make_abort_user fails to allocate memory, we should abort
the asoc via sctp_primitive_ABORT as well. Just like the annotation in
sctp_sf_cookie_wait_prm_abort and sctp_sf_do_9_1_prm_abort said,
"Even if we can't send the ABORT due to low memory delete the TCB.
This is a departure from our typical NOMEM handling".

But then the chunk is NULL (low memory) and the SCTP_CMD_REPLY cmd would
dereference the chunk pointer, and system crash. So we should add
SCTP_CMD_REPLY cmd only when the chunk is not NULL, just like other
places where it adds SCTP_CMD_REPLY cmd.

Signed-off-by: Xin Long <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/sctp/sm_statefuns.c | 6 ++++--
net/sctp/socket.c | 3 +--
2 files changed, 5 insertions(+), 4 deletions(-)

--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4740,7 +4740,8 @@ sctp_disposition_t sctp_sf_do_9_1_prm_ab

retval = SCTP_DISPOSITION_CONSUME;

- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ if (abort)
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));

/* Even if we can't send the ABORT due to low memory delete the
* TCB. This is a departure from our typical NOMEM handling.
@@ -4872,7 +4873,8 @@ sctp_disposition_t sctp_sf_cookie_wait_p
SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
retval = SCTP_DISPOSITION_CONSUME;

- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ if (abort)
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));

sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
SCTP_STATE(SCTP_STATE_CLOSED));
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1524,8 +1524,7 @@ SCTP_STATIC void sctp_close(struct sock
struct sctp_chunk *chunk;

chunk = sctp_make_abort_user(asoc, NULL, 0);
- if (chunk)
- sctp_primitive_ABORT(asoc, chunk);
+ sctp_primitive_ABORT(asoc, chunk);
} else
sctp_primitive_SHUTDOWN(asoc, NULL);
}

2016-04-26 23:34:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 054/115] ppp: take reference on channels netns

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <[email protected]>

commit 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 upstream.

Let channels hold a reference on their network namespace.
Some channel types, like ppp_async and ppp_synctty, can have their
userspace controller running in a different namespace. Therefore they
can't rely on them to preclude their netns from being removed from
under them.

==================================================================
BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
addr ffff880064e217e0
Read of size 8 by task syz-executor/11581
=============================================================================
BUG net_namespace (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
[< none >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
[< none >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
[< inline >] slab_alloc_node kernel/mm/slub.c:2532
[< inline >] slab_alloc kernel/mm/slub.c:2574
[< none >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
[< inline >] kmem_cache_zalloc kernel/include/linux/slab.h:597
[< inline >] net_alloc kernel/net/core/net_namespace.c:325
[< none >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
[< none >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
[< none >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
[< none >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
[< inline >] copy_process kernel/kernel/fork.c:1274
[< none >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
[< inline >] SYSC_clone kernel/kernel/fork.c:1832
[< none >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185

INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
[< none >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
[< inline >] slab_free kernel/mm/slub.c:2805
[< none >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
[< inline >] net_free kernel/net/core/net_namespace.c:341
[< none >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
[< none >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
[< none >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
[< none >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
[< none >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
[< none >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
flags=0x5fffc0000004080
INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200

CPU: 1 PID: 11581 Comm: syz-executor Tainted: G B 4.4.0+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
Call Trace:
[< inline >] __dump_stack kernel/lib/dump_stack.c:15
[<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
[<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
[<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
[< inline >] print_address_description kernel/mm/kasan/report.c:138
[<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
[< inline >] kasan_report kernel/mm/kasan/report.c:259
[<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
[< inline >] ? ppp_pernet kernel/include/linux/compiler.h:218
[<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
[< inline >] ppp_pernet kernel/include/linux/compiler.h:218
[<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
[< inline >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
[<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
[<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
[<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
[<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
[<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
[<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
[<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
[<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
[<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
[<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
[<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
[< inline >] exit_task_work kernel/include/linux/task_work.h:21
[<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
[<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
[<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
[<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
[<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
[<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
[<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
[< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
[<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
[<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
[<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
[<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
[<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
[< inline >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
[<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
[< inline >] ? context_switch kernel/kernel/sched/core.c:2807
[<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
[<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
[< inline >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
[<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
[<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Reported-by: Baozeng Ding <[email protected]>
Signed-off-by: Guillaume Nault <[email protected]>
Reviewed-by: Cyrill Gorcunov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ppp/ppp_generic.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2178,7 +2178,7 @@ int ppp_register_net_channel(struct net

pch->ppp = NULL;
pch->chan = chan;
- pch->chan_net = net;
+ pch->chan_net = get_net(net);
chan->ppp = pch;
init_ppp_file(&pch->file, CHANNEL);
pch->file.hdrlen = chan->hdrlen;
@@ -2275,6 +2275,8 @@ ppp_unregister_channel(struct ppp_channe
spin_lock_bh(&pn->all_channels_lock);
list_del(&pch->list);
spin_unlock_bh(&pn->all_channels_lock);
+ put_net(pch->chan_net);
+ pch->chan_net = NULL;

pch->file.dead = 1;
wake_up_interruptible(&pch->file.rwait);

2016-04-26 23:34:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 071/115] usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <[email protected]>

commit 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d upstream.

This patch fixes an issue that usbhsg_queue_done() may cause kernel
panic when dma callback is running and usb_ep_disable() is called
by interrupt handler. (Especially, we can reproduce this issue using
g_audio with usb-dmac driver.)

For example of a flow:
usbhsf_dma_complete (on tasklet)
--> usbhsf_pkt_handler (on tasklet)
--> usbhsg_queue_done (on tasklet)
*** interrupt happened and usb_ep_disable() is called ***
--> usbhsg_queue_pop (on tasklet)
Then, oops happened.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/renesas_usbhs/mod_gadget.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -146,10 +146,14 @@ static void usbhsg_queue_done(struct usb
struct usbhs_pipe *pipe = pkt->pipe;
struct usbhsg_uep *uep = usbhsg_pipe_to_uep(pipe);
struct usbhsg_request *ureq = usbhsg_pkt_to_ureq(pkt);
+ unsigned long flags;

ureq->req.actual = pkt->actual;

- usbhsg_queue_pop(uep, ureq, 0);
+ usbhs_lock(priv, flags);
+ if (uep)
+ __usbhsg_queue_pop(uep, ureq, 0);
+ usbhs_unlock(priv, flags);
}

static void usbhsg_queue_push(struct usbhsg_uep *uep,

2016-04-26 23:34:38

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 027/115] jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: OGAWA Hirofumi <[email protected]>

commit c0a2ad9b50dd80eeccd73d9ff962234590d5ec93 upstream.

On umount path, jbd2_journal_destroy() writes latest transaction ID
(->j_tail_sequence) to be used at next mount.

The bug is that ->j_tail_sequence is not holding latest transaction ID
in some cases. So, at next mount, there is chance to conflict with
remaining (not overwritten yet) transactions.

mount (id=10)
write transaction (id=11)
write transaction (id=12)
umount (id=10) <= the bug doesn't write latest ID

mount (id=10)
write transaction (id=11)
crash

mount
[recovery process]
transaction (id=11)
transaction (id=12) <= valid transaction ID, but old commit
must not replay

Like above, this bug become the cause of recovery failure, or FS
corruption.

So why ->j_tail_sequence doesn't point latest ID?

Because if checkpoint transactions was reclaimed by memory pressure
(i.e. bdev_try_to_free_page()), then ->j_tail_sequence is not updated.
(And another case is, __jbd2_journal_clean_checkpoint_list() is called
with empty transaction.)

So in above cases, ->j_tail_sequence is not pointing latest
transaction ID at umount path. Plus, REQ_FLUSH for checkpoint is not
done too.

So, to fix this problem with minimum changes, this patch updates
->j_tail_sequence, and issue REQ_FLUSH. (With more complex changes,
some optimizations would be possible to avoid unnecessary REQ_FLUSH
for example though.)

BTW,

journal->j_tail_sequence =
++journal->j_transaction_sequence;

Increment of ->j_transaction_sequence seems to be unnecessary, but
ext3 does this.

Signed-off-by: OGAWA Hirofumi <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/jbd2/journal.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)

--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1340,11 +1340,12 @@ out:
/**
* jbd2_mark_journal_empty() - Mark on disk journal as empty.
* @journal: The journal to update.
+ * @write_op: With which operation should we write the journal sb
*
* Update a journal's dynamic superblock fields to show that journal is empty.
* Write updated superblock to disk waiting for IO to complete.
*/
-static void jbd2_mark_journal_empty(journal_t *journal)
+static void jbd2_mark_journal_empty(journal_t *journal, int write_op)
{
journal_superblock_t *sb = journal->j_superblock;

@@ -1357,7 +1358,7 @@ static void jbd2_mark_journal_empty(jour
sb->s_start = cpu_to_be32(0);
read_unlock(&journal->j_state_lock);

- jbd2_write_superblock(journal, WRITE_FUA);
+ jbd2_write_superblock(journal, write_op);

/* Log is no longer empty */
write_lock(&journal->j_state_lock);
@@ -1593,7 +1594,13 @@ int jbd2_journal_destroy(journal_t *jour
if (journal->j_sb_buffer) {
if (!is_journal_aborted(journal)) {
mutex_lock(&journal->j_checkpoint_mutex);
- jbd2_mark_journal_empty(journal);
+
+ write_lock(&journal->j_state_lock);
+ journal->j_tail_sequence =
+ ++journal->j_transaction_sequence;
+ write_unlock(&journal->j_state_lock);
+
+ jbd2_mark_journal_empty(journal, WRITE_FLUSH_FUA);
mutex_unlock(&journal->j_checkpoint_mutex);
} else
err = -EIO;
@@ -1859,7 +1866,7 @@ int jbd2_journal_flush(journal_t *journa
* the magic code for a fully-recovered superblock. Any future
* commits of data to the journal will restore the current
* s_start value. */
- jbd2_mark_journal_empty(journal);
+ jbd2_mark_journal_empty(journal, WRITE_FUA);
mutex_unlock(&journal->j_checkpoint_mutex);
write_lock(&journal->j_state_lock);
J_ASSERT(!journal->j_running_transaction);
@@ -1905,7 +1912,7 @@ int jbd2_journal_wipe(journal_t *journal
if (write) {
/* Lock to make assertions happy... */
mutex_lock(&journal->j_checkpoint_mutex);
- jbd2_mark_journal_empty(journal);
+ jbd2_mark_journal_empty(journal, WRITE_FUA);
mutex_unlock(&journal->j_checkpoint_mutex);
}


2016-04-26 23:35:07

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 107/115] macvtap: always pass ethernet header in linear

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <[email protected]>

[ Upstream commit 8e2ad4113ce4671686740f808ff2795395c39eef ]

The stack expects link layer headers in the skb linear section.
Macvtap can create skbs with llheader in frags in edge cases:
when (IFF_VNET_HDR is off or vnet_hdr.hdr_len < ETH_HLEN) and
prepad + len > PAGE_SIZE and vnet_hdr.flags has no or bad csum.

Add checks to ensure linear is always at least ETH_HLEN.
At this point, len is already ensured to be >= ETH_HLEN.

For backwards compatiblity, rounds up short vnet_hdr.hdr_len.
This differs from tap and packet, which return an error.

Fixes b9fb9ee07e67 ("macvtap: add GSO/csum offload support")
Signed-off-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: don't use macvtap16_to_cpu()]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/macvtap.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -720,6 +720,8 @@ static ssize_t macvtap_get_user(struct m
copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN;
if (copylen > good_linear)
copylen = good_linear;
+ else if (copylen < ETH_HLEN)
+ copylen = ETH_HLEN;
linear = copylen;
if (iov_pages(iv, vnet_hdr_len + copylen, count)
<= MAX_SKB_FRAGS)
@@ -728,10 +730,11 @@ static ssize_t macvtap_get_user(struct m

if (!zerocopy) {
copylen = len;
- if (vnet_hdr.hdr_len > good_linear)
+ linear = vnet_hdr.hdr_len;
+ if (linear > good_linear)
linear = good_linear;
- else
- linear = vnet_hdr.hdr_len;
+ else if (linear < ETH_HLEN)
+ linear = ETH_HLEN;
}

skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen,

2016-04-26 23:35:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 055/115] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <[email protected]>

commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream.

The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.

The full disclosure: http://seclists.org/bugtraq/2016/Mar/90

Reported-by: Ralf Spenneberg <[email protected]>
Signed-off-by: Vladis Dronov <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
1 file changed, 30 insertions(+), 6 deletions(-)

--- a/drivers/input/misc/ati_remote2.c
+++ b/drivers/input/misc/ati_remote2.c
@@ -814,26 +814,49 @@ static int ati_remote2_probe(struct usb_

ar2->udev = udev;

+ /* Sanity check, first interface must have an endpoint */
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 0 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail1;
+ }
ar2->intf[0] = interface;
ar2->ep[0] = &alt->endpoint[0].desc;

+ /* Sanity check, the device must have two interfaces */
ar2->intf[1] = usb_ifnum_to_if(udev, 1);
+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
+ __func__, udev->actconfig->desc.bNumInterfaces);
+ r = -ENODEV;
+ goto fail1;
+ }
+
r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
if (r)
goto fail1;
+
+ /* Sanity check, second interface must have an endpoint */
alt = ar2->intf[1]->cur_altsetting;
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 1 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail2;
+ }
ar2->ep[1] = &alt->endpoint[0].desc;

r = ati_remote2_urb_init(ar2);
if (r)
- goto fail2;
+ goto fail3;

ar2->channel_mask = channel_mask;
ar2->mode_mask = mode_mask;

r = ati_remote2_setup(ar2, ar2->channel_mask);
if (r)
- goto fail2;
+ goto fail3;

usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
@@ -842,11 +865,11 @@ static int ati_remote2_probe(struct usb_

r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
if (r)
- goto fail2;
+ goto fail3;

r = ati_remote2_input_init(ar2);
if (r)
- goto fail3;
+ goto fail4;

usb_set_intfdata(interface, ar2);

@@ -854,10 +877,11 @@ static int ati_remote2_probe(struct usb_

return 0;

- fail3:
+ fail4:
sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
- fail2:
+ fail3:
ati_remote2_urb_cleanup(ar2);
+ fail2:
usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
fail1:
kfree(ar2);

2016-04-26 23:35:49

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 050/115] splice: handle zero nr_pages in splice_to_pipe()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rabin Vincent <[email protected]>

commit d6785d9152147596f60234157da2b02540c3e60f upstream.

Running the following command:

busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null

with any tracing enabled pretty very quickly leads to various NULL
pointer dereferences and VM BUG_ON()s, such as these:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [<ffffffff8119df6c>] generic_pipe_buf_release+0xc/0x40
Call Trace:
[<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<ffffffff81196869>] do_sendfile+0x199/0x380
[<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<ffffffff8192cbee>] entry_SYSCALL_64_fastpath+0x12/0x6d

page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
kernel BUG at include/linux/mm.h:367!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
RIP: [<ffffffff8119df9c>] generic_pipe_buf_release+0x3c/0x40
Call Trace:
[<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<ffffffff81196869>] do_sendfile+0x199/0x380
[<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<ffffffff8192cd1e>] tracesys_phase2+0x84/0x89

(busybox's cat uses sendfile(2), unlike the coreutils version)

This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers with
garbage.

All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_page() handle this condition
gracefully.

Signed-off-by: Rabin Vincent <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/splice.c | 3 +++
1 file changed, 3 insertions(+)

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -188,6 +188,9 @@ ssize_t splice_to_pipe(struct pipe_inode
unsigned int spd_pages = spd->nr_pages;
int ret, do_wakeup, page_nr;

+ if (!spd_pages)
+ return 0;
+
ret = 0;
do_wakeup = 0;
page_nr = 0;

2016-04-26 23:35:05

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 092/115] af_iucv: Validate socket address length in iucv_sock_bind()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ursula Braun <[email protected]>

[ Upstream commit 52a82e23b9f2a9e1d429c5207f8575784290d008 ]

Signed-off-by: Ursula Braun <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
Reviewed-by: Evgeny Cherkashin <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/iucv/af_iucv.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -708,6 +708,9 @@ static int iucv_sock_bind(struct socket
if (!addr || addr->sa_family != AF_IUCV)
return -EINVAL;

+ if (addr_len < sizeof(struct sockaddr_iucv))
+ return -EINVAL;
+
lock_sock(sk);
if (sk->sk_state != IUCV_OPEN) {
err = -EBADFD;

2016-04-26 23:36:31

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 020/115] KVM: i8254: change PIT discard tick policy

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Radim Krčmář <[email protected]>

commit 7dd0fdff145c5be7146d0ac06732ae3613412ac1 upstream.

Discard policy uses ack_notifiers to prevent injection of PIT interrupts
before EOI from the last one.

This patch changes the policy to always try to deliver the interrupt,
which makes a difference when its vector is in ISR.
Old implementation would drop the interrupt, but proposed one injects to
IRR, like real hardware would.

The old policy breaks legacy NMI watchdogs, where PIT is used through
virtual wire (LVT0): PIT never sends an interrupt before receiving EOI,
thus a guest deadlock with disabled interrupts will stop NMIs.

Note that NMI doesn't do EOI, so PIT also had to send a normal interrupt
through IOAPIC. (KVM's PIT is deeply rotten and luckily not used much
in modern systems.)

Even though there is a chance of regressions, I think we can fix the
LVT0 NMI bug without introducing a new tick policy.

Reported-by: Yuki Shibuya <[email protected]>
Reviewed-by: Paolo Bonzini <[email protected]>
Signed-off-by: Radim Krčmář <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
[bwh: Backported to 3.2:
- s/ps->reinject/ps->pit_timer.reinject/
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kvm/i8254.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -246,7 +246,7 @@ static void kvm_pit_ack_irq(struct kvm_i
* PIC is being reset. Handle it gracefully here
*/
atomic_inc(&ps->pit_timer.pending);
- else if (value > 0)
+ else if (value > 0 && ps->pit_timer.reinject)
/* in this case, we had multiple outstanding pit interrupts
* that we needed to inject. Reinject
*/
@@ -300,7 +300,9 @@ static void pit_do_work(struct work_stru
* last one has been acked.
*/
spin_lock(&ps->inject_lock);
- if (ps->irq_ack) {
+ if (!ps->pit_timer.reinject)
+ inject = 1;
+ else if (ps->irq_ack) {
ps->irq_ack = 0;
inject = 1;
}
@@ -329,10 +331,10 @@ static enum hrtimer_restart pit_timer_fn
struct kvm_timer *ktimer = container_of(data, struct kvm_timer, timer);
struct kvm_pit *pt = ktimer->kvm->arch.vpit;

- if (ktimer->reinject || !atomic_read(&ktimer->pending)) {
+ if (ktimer->reinject)
atomic_inc(&ktimer->pending);
- queue_work(pt->wq, &pt->expired);
- }
+
+ queue_work(pt->wq, &pt->expired);

if (ktimer->t_ops->is_periodic(ktimer)) {
hrtimer_add_expires_ns(&ktimer->timer, ktimer->period);

2016-04-26 23:36:37

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 032/115] Input: powermate - fix oops with malicious USB descriptors

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Josh Boyer <[email protected]>

commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream.

The powermate driver expects at least one valid USB endpoint in its
probe function. If given malicious descriptors that specify 0 for
the number of endpoints, it will crash. Validate the number of
endpoints on the interface before using them.

The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85

Reported-by: Ralf Spenneberg <[email protected]>
Signed-off-by: Josh Boyer <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/input/misc/powermate.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -304,6 +304,9 @@ static int powermate_probe(struct usb_in
int error = -ENOMEM;

interface = intf->cur_altsetting;
+ if (interface->desc.bNumEndpoints < 1)
+ return -EINVAL;
+
endpoint = &interface->endpoint[0].desc;
if (!usb_endpoint_is_int_in(endpoint))
return -EIO;

2016-04-26 23:36:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 059/115] hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <[email protected]>

commit 3c2e2266a5bd2d1cef258e6e54dca1d99946379f upstream.

arm:pxa_defconfig can result in the following crash if the max1111 driver
is not instantiated.

Unhandled fault: page domain fault (0x01b) at 0x00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: : 1b [#1] PREEMPT ARM
Modules linked in:
CPU: 0 PID: 300 Comm: kworker/0:1 Not tainted 4.5.0-01301-g1701f680407c #10
Hardware name: SHARP Akita
Workqueue: events sharpsl_charge_toggle
task: c390a000 ti: c391e000 task.ti: c391e000
PC is at max1111_read_channel+0x20/0x30
LR is at sharpsl_pm_pxa_read_max1111+0x2c/0x3c
pc : [<c03aaab0>] lr : [<c0024b50>] psr: 20000013
...
[<c03aaab0>] (max1111_read_channel) from [<c0024b50>]
(sharpsl_pm_pxa_read_max1111+0x2c/0x3c)
[<c0024b50>] (sharpsl_pm_pxa_read_max1111) from [<c00262e0>]
(spitzpm_read_devdata+0x5c/0xc4)
[<c00262e0>] (spitzpm_read_devdata) from [<c0024094>]
(sharpsl_check_battery_temp+0x78/0x110)
[<c0024094>] (sharpsl_check_battery_temp) from [<c0024f9c>]
(sharpsl_charge_toggle+0x48/0x110)
[<c0024f9c>] (sharpsl_charge_toggle) from [<c004429c>]
(process_one_work+0x14c/0x48c)
[<c004429c>] (process_one_work) from [<c0044618>] (worker_thread+0x3c/0x5d4)
[<c0044618>] (worker_thread) from [<c004a238>] (kthread+0xd0/0xec)
[<c004a238>] (kthread) from [<c000a670>] (ret_from_fork+0x14/0x24)

This can occur because the SPI controller driver (SPI_PXA2XX) is built as
module and thus not necessarily loaded. While building SPI_PXA2XX into the
kernel would make the problem disappear, it appears prudent to ensure that
the driver is instantiated before accessing its data structures.

Cc: Arnd Bergmann <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hwmon/max1111.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/hwmon/max1111.c
+++ b/drivers/hwmon/max1111.c
@@ -80,6 +80,9 @@ static struct max1111_data *the_max1111;

int max1111_read_channel(int channel)
{
+ if (!the_max1111 || !the_max1111->spi)
+ return -ENODEV;
+
return max1111_read(&the_max1111->spi->dev, channel);
}
EXPORT_SYMBOL(max1111_read_channel);
@@ -208,6 +211,9 @@ static int __devexit max1111_remove(stru
{
struct max1111_data *data = spi_get_drvdata(spi);

+#ifdef CONFIG_SHARPSL_PM
+ the_max1111 = NULL;
+#endif
hwmon_device_unregister(data->hwmon_dev);
sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group);
mutex_destroy(&data->drvdata_lock);

2016-04-26 23:37:22

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 095/115] net/ipv6: add sysctl option accept_ra_min_hop_limit

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <[email protected]>

[ Upstream commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 ]

Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
disabled accept hop limit from RA if it is smaller than the current hop
limit for security stuff. But this behavior kind of break the RFC definition.

RFC 4861, 6.3.4. Processing Received Router Advertisements
A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time,
and Retrans Timer) may contain a value denoting that it is
unspecified. In such cases, the parameter should be ignored and the
host should continue using whatever value it is already using.

If the received Cur Hop Limit value is non-zero, the host SHOULD set
its CurHopLimit variable to the received value.

So add sysctl option accept_ra_min_hop_limit to let user choose the minimum
hop limit value they can accept from RA. And set default to 1 to meet RFC
standards.

Signed-off-by: Hangbin Liu <[email protected]>
Acked-by: YOSHIFUJI Hideaki <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2:
- Adjust filename, context
- Number DEVCONF enumerators explicitly to match upstream]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1070,6 +1070,14 @@ accept_ra_defrtr - BOOLEAN
Functional default: enabled if accept_ra is enabled.
disabled if accept_ra is disabled.

+accept_ra_min_hop_limit - INTEGER
+ Minimum hop limit Information in Router Advertisement.
+
+ Hop limit Information in Router Advertisement less than this
+ variable shall be ignored.
+
+ Default: 1
+
accept_ra_pinfo - BOOLEAN
Learn Prefix Information in Router Advertisement.

--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -153,6 +153,7 @@ struct ipv6_devconf {
#endif
__s32 max_addresses;
__s32 accept_ra_defrtr;
+ __s32 accept_ra_min_hop_limit;
__s32 accept_ra_pinfo;
#ifdef CONFIG_IPV6_ROUTER_PREF
__s32 accept_ra_rtr_pref;
@@ -213,6 +214,8 @@ enum {
DEVCONF_DISABLE_IPV6,
DEVCONF_ACCEPT_DAD,
DEVCONF_FORCE_TLLAO,
+ DEVCONF_USE_OIF_ADDRS_ONLY = 37,
+ DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
DEVCONF_MAX
};

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -185,6 +185,7 @@ static struct ipv6_devconf ipv6_devconf
#endif
.max_addresses = IPV6_MAX_ADDRESSES,
.accept_ra_defrtr = 1,
+ .accept_ra_min_hop_limit= 1,
.accept_ra_pinfo = 1,
#ifdef CONFIG_IPV6_ROUTER_PREF
.accept_ra_rtr_pref = 1,
@@ -219,6 +220,7 @@ static struct ipv6_devconf ipv6_devconf_
#endif
.max_addresses = IPV6_MAX_ADDRESSES,
.accept_ra_defrtr = 1,
+ .accept_ra_min_hop_limit= 1,
.accept_ra_pinfo = 1,
#ifdef CONFIG_IPV6_ROUTER_PREF
.accept_ra_rtr_pref = 1,
@@ -3943,6 +3945,7 @@ static inline void ipv6_store_devconf(st
#endif
array[DEVCONF_MAX_ADDRESSES] = cnf->max_addresses;
array[DEVCONF_ACCEPT_RA_DEFRTR] = cnf->accept_ra_defrtr;
+ array[DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT] = cnf->accept_ra_min_hop_limit;
array[DEVCONF_ACCEPT_RA_PINFO] = cnf->accept_ra_pinfo;
#ifdef CONFIG_IPV6_ROUTER_PREF
array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref;
@@ -4544,6 +4547,13 @@ static struct addrconf_sysctl_table
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec,
+ },
+ {
+ .procname = "accept_ra_min_hop_limit",
+ .data = &ipv6_devconf.accept_ra_min_hop_limit,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
},
{
.procname = "accept_ra_pinfo",
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1276,18 +1276,16 @@ static void ndisc_router_discovery(struc
if (rt)
rt->rt6i_expires = jiffies + (HZ * lifetime);

- if (ra_msg->icmph.icmp6_hop_limit) {
- /* Only set hop_limit on the interface if it is higher than
- * the current hop_limit.
- */
- if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
+ if (in6_dev->cnf.accept_ra_min_hop_limit < 256 &&
+ ra_msg->icmph.icmp6_hop_limit) {
+ if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) {
in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
} else {
- ND_PRINTK2(KERN_WARNING "RA: Got route advertisement with lower hop_limit than current\n");
+ ND_PRINTK2(KERN_WARNING "RA: Got route advertisement with lower hop_limit than minimum\n");
}
- if (rt)
- dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
- ra_msg->icmph.icmp6_hop_limit);
}

skip_defrtr:

2016-04-26 23:37:31

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 057/115] ocfs2/dlm: fix race between convert and recovery

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Joseph Qi <[email protected]>

commit ac7cf246dfdbec3d8fed296c7bf30e16f5099dac upstream.

There is a race window between dlmconvert_remote and
dlm_move_lockres_to_recovery_list, which will cause a lock with
OCFS2_LOCK_BUSY in grant list, thus system hangs.

dlmconvert_remote
{
spin_lock(&res->spinlock);
list_move_tail(&lock->list, &res->converting);
lock->convert_pending = 1;
spin_unlock(&res->spinlock);

status = dlm_send_remote_convert_request();
>>>>>> race window, master has queued ast and return DLM_NORMAL,
and then down before sending ast.
this node detects master down and calls
dlm_move_lockres_to_recovery_list, which will revert the
lock to grant list.
Then OCFS2_LOCK_BUSY won't be cleared as new master won't
send ast any more because it thinks already be authorized.

spin_lock(&res->spinlock);
lock->convert_pending = 0;
if (status != DLM_NORMAL)
dlm_revert_pending_convert(res, lock);
spin_unlock(&res->spinlock);
}

In this case, check if res->state has DLM_LOCK_RES_RECOVERING bit set
(res is still in recovering) or res master changed (new master has
finished recovery), reset the status to DLM_RECOVERING, then it will
retry convert.

Signed-off-by: Joseph Qi <[email protected]>
Reported-by: Yiwen Jiang <[email protected]>
Reviewed-by: Junxiao Bi <[email protected]>
Cc: Mark Fasheh <[email protected]>
Cc: Joel Becker <[email protected]>
Cc: Tariq Saeed <[email protected]>
Cc: Junxiao Bi <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ocfs2/dlm/dlmconvert.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -265,6 +265,7 @@ enum dlm_status dlmconvert_remote(struct
struct dlm_lock *lock, int flags, int type)
{
enum dlm_status status;
+ u8 old_owner = res->owner;

mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
@@ -319,11 +320,19 @@ enum dlm_status dlmconvert_remote(struct
spin_lock(&res->spinlock);
res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
lock->convert_pending = 0;
- /* if it failed, move it back to granted queue */
+ /* if it failed, move it back to granted queue.
+ * if master returns DLM_NORMAL and then down before sending ast,
+ * it may have already been moved to granted queue, reset to
+ * DLM_RECOVERING and retry convert */
if (status != DLM_NORMAL) {
if (status != DLM_NOTQUEUED)
dlm_error(status);
dlm_revert_pending_convert(res, lock);
+ } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
+ (old_owner != res->owner)) {
+ mlog(0, "res %.*s is in recovering or has been recovered.\n",
+ res->lockname.len, res->lockname.name);
+ status = DLM_RECOVERING;
}
bail:
spin_unlock(&res->spinlock);

2016-04-26 23:41:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 048/115] lpfc: fix misleading indentation

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit aeb6641f8ebdd61939f462a8255b316f9bfab707 upstream.

gcc-6 complains about the indentation of the lpfc_destroy_vport_work_array()
call in lpfc_online(), which clearly doesn't look right:

drivers/scsi/lpfc/lpfc_init.c: In function 'lpfc_online':
drivers/scsi/lpfc/lpfc_init.c:2880:3: warning: statement is indented as if it were guarded by... [-Wmisleading-indentation]
lpfc_destroy_vport_work_array(phba, vports);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/lpfc/lpfc_init.c:2863:2: note: ...this 'if' clause, but it is not
if (vports != NULL)
^~

Looking at the patch that introduced this code, it's clear that the
behavior is correct and the indentation is wrong.

This fixes the indentation and adds curly braces around the previous
if() block for clarity, as that is most likely what caused the code
to be misindented in the first place.

Signed-off-by: Arnd Bergmann <[email protected]>
Fixes: 549e55cd2a1b ("[SCSI] lpfc 8.2.2 : Fix locking around HBA's port_list")
Reviewed-by: Sebastian Herbszt <[email protected]>
Reviewed-by: Hannes Reinecke <[email protected]>
Reviewed-by: Ewan D. Milne <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/lpfc/lpfc_init.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -2526,7 +2526,7 @@ lpfc_online(struct lpfc_hba *phba)
}

vports = lpfc_create_vport_work_array(phba);
- if (vports != NULL)
+ if (vports != NULL) {
for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) {
struct Scsi_Host *shost;
shost = lpfc_shost_from_vport(vports[i]);
@@ -2538,7 +2538,8 @@ lpfc_online(struct lpfc_hba *phba)
vports[i]->fc_flag |= FC_VPORT_NEEDS_INIT_VPI;
spin_unlock_irq(shost->host_lock);
}
- lpfc_destroy_vport_work_array(phba, vports);
+ }
+ lpfc_destroy_vport_work_array(phba, vports);

lpfc_unblock_mgmt_io(phba);
return 0;

2016-04-26 23:27:15

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 069/115] ALSA: timer: Use mod_timer() for rearming the system timer

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 4a07083ed613644c96c34a7dd2853dc5d7c70902 upstream.

ALSA system timer backend stops the timer via del_timer() without sync
and leaves del_timer_sync() at the close instead. This is because of
the restriction by the design of ALSA timer: namely, the stop callback
may be called from the timer handler, and calling the sync shall lead
to a hangup. However, this also triggers a kernel BUG() when the
timer is rearmed immediately after stopping without sync:
kernel BUG at kernel/time/timer.c:966!
Call Trace:
<IRQ>
[<ffffffff8239c94e>] snd_timer_s_start+0x13e/0x1a0
[<ffffffff8239e1f4>] snd_timer_interrupt+0x504/0xec0
[<ffffffff8122fca0>] ? debug_check_no_locks_freed+0x290/0x290
[<ffffffff8239ec64>] snd_timer_s_function+0xb4/0x120
[<ffffffff81296b72>] call_timer_fn+0x162/0x520
[<ffffffff81296add>] ? call_timer_fn+0xcd/0x520
[<ffffffff8239ebb0>] ? snd_timer_interrupt+0xec0/0xec0
....

It's the place where add_timer() checks the pending timer. It's clear
that this may happen after the immediate restart without sync in our
cases.

So, the workaround here is just to use mod_timer() instead of
add_timer(). This looks like a band-aid fix, but it's a right move,
as snd_timer_interrupt() takes care of the continuous rearm of timer.

Reported-by: Jiri Slaby <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/timer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1017,8 +1017,8 @@ static int snd_timer_s_start(struct snd_
njiff += timer->sticks - priv->correction;
priv->correction = 0;
}
- priv->last_expires = priv->tlist.expires = njiff;
- add_timer(&priv->tlist);
+ priv->last_expires = njiff;
+ mod_timer(&priv->tlist, njiff);
return 0;
}


2016-04-26 23:41:54

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 091/115] ipv6: update skb->csum when CE mark is propagated

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit 34ae6a1aa0540f0f781dd265366036355fdc8930 ]

When a tunnel decapsulates the outer header, it has to comply
with RFC 6080 and eventually propagate CE mark into inner header.

It turns out IP6_ECN_set_ce() does not correctly update skb->csum
for CHECKSUM_COMPLETE packets, triggering infamous "hw csum failure"
messages and stack traces.

Signed-off-by: Eric Dumazet <[email protected]>
Acked-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2:
- Adjust context
- Add skb argument to other callers of IP6_ECN_set_ce()]
Signed-off-by: Ben Hutchings <[email protected]>
---
include/net/inet_ecn.h | 19 ++++++++++++++++---
net/ipv6/xfrm6_mode_tunnel.c | 2 +-
2 files changed, 17 insertions(+), 4 deletions(-)

--- a/include/net/inet_ecn.h
+++ b/include/net/inet_ecn.h
@@ -109,11 +109,24 @@ static inline void ipv4_copy_dscp(unsign

struct ipv6hdr;

-static inline int IP6_ECN_set_ce(struct ipv6hdr *iph)
+/* Note:
+ * IP_ECN_set_ce() has to tweak IPV4 checksum when setting CE,
+ * meaning both changes have no effect on skb->csum if/when CHECKSUM_COMPLETE
+ * In IPv6 case, no checksum compensates the change in IPv6 header,
+ * so we have to update skb->csum.
+ */
+static inline int IP6_ECN_set_ce(struct sk_buff *skb, struct ipv6hdr *iph)
{
+ __be32 from, to;
+
if (INET_ECN_is_not_ect(ipv6_get_dsfield(iph)))
return 0;
- *(__be32*)iph |= htonl(INET_ECN_CE << 20);
+
+ from = *(__be32 *)iph;
+ to = from | htonl(INET_ECN_CE << 20);
+ *(__be32 *)iph = to;
+ if (skb->ip_summed == CHECKSUM_COMPLETE)
+ skb->csum = csum_add(csum_sub(skb->csum, from), to);
return 1;
}

@@ -138,7 +151,7 @@ static inline int INET_ECN_set_ce(struct

case cpu_to_be16(ETH_P_IPV6):
if (skb->network_header + sizeof(struct ipv6hdr) <= skb->tail)
- return IP6_ECN_set_ce(ipv6_hdr(skb));
+ return IP6_ECN_set_ce(skb, ipv6_hdr(skb));
break;
}

--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -24,7 +24,7 @@ static inline void ipip6_ecn_decapsulate
struct ipv6hdr *inner_iph = ipipv6_hdr(skb);

if (INET_ECN_is_ce(ipv6_get_dsfield(outer_iph)))
- IP6_ECN_set_ce(inner_iph);
+ IP6_ECN_set_ce(skb, inner_iph);
}

/* Add encapsulation header.
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -535,7 +535,7 @@ static inline void ipgre_ecn_decapsulate
if (skb->protocol == htons(ETH_P_IP)) {
IP_ECN_set_ce(ip_hdr(skb));
} else if (skb->protocol == htons(ETH_P_IPV6)) {
- IP6_ECN_set_ce(ipv6_hdr(skb));
+ IP6_ECN_set_ce(skb, ipv6_hdr(skb));
}
}
}
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -689,7 +689,7 @@ static void ip6ip6_dscp_ecn_decapsulate(
ipv6_copy_dscp(ipv6_get_dsfield(ipv6h), ipv6_hdr(skb));

if (INET_ECN_is_ce(ipv6_get_dsfield(ipv6h)))
- IP6_ECN_set_ce(ipv6_hdr(skb));
+ IP6_ECN_set_ce(skb, ipv6_hdr(skb));
}

/* called with rcu_read_lock() */
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -553,7 +553,7 @@ out:
static inline void ipip6_ecn_decapsulate(const struct iphdr *iph, struct sk_buff *skb)
{
if (INET_ECN_is_ce(iph->tos))
- IP6_ECN_set_ce(ipv6_hdr(skb));
+ IP6_ECN_set_ce(skb, ipv6_hdr(skb));
}

static int ipip6_rcv(struct sk_buff *skb)

2016-04-26 23:43:14

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 099/115] bio: return EINTR if copying to user space got interrupted

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hannes Reinecke <[email protected]>

commit 2d99b55d378c996b9692a0c93dd25f4ed5d58934 upstream.

Commit 35dc248383bbab0a7203fca4d722875bc81ef091 introduced a check for
current->mm to see if we have a user space context and only copies data
if we do. Now if an IO gets interrupted by a signal data isn't copied
into user space any more (as we don't have a user space context) but
user space isn't notified about it.

This patch modifies the behaviour to return -EINTR from bio_uncopy_user()
to notify userland that a signal has interrupted the syscall, otherwise
it could lead to a situation where the caller may get a buffer with
no data returned.

This can be reproduced by issuing SG_IO ioctl()s in one thread while
constantly sending signals to it.

Fixes: 35dc248 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
Signed-off-by: Johannes Thumshirn <[email protected]>
Signed-off-by: Hannes Reinecke <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
[bwh: Backported to 3.2:
- Adjust filename
- Put the assignment in the existing 'else' block]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -793,15 +793,19 @@ int bio_uncopy_user(struct bio *bio)
if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
/*
* if we're in a workqueue, the request is orphaned, so
- * don't copy into a random user address space, just free.
+ * don't copy into a random user address space, just free
+ * and return -EINTR so user space doesn't expect any data.
*/
if (current->mm)
ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
bmd->nr_sgvecs, bio_data_dir(bio) == READ,
0, bmd->is_our_pages);
- else if (bmd->is_our_pages)
- bio_for_each_segment_all(bvec, bio, i)
- __free_page(bvec->bv_page);
+ else {
+ ret = -EINTR;
+ if (bmd->is_our_pages)
+ bio_for_each_segment_all(bvec, bio, i)
+ __free_page(bvec->bv_page);
+ }
}
bio_free_map_data(bmd);
bio_put(bio);

2016-04-26 23:44:18

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 097/115] pppoe: fix reference counting in PPPoE proxy

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <[email protected]>

[ Upstream commit 29e73269aa4d36f92b35610c25f8b01c789b0dc8 ]

Drop reference on the relay_po socket when __pppoe_xmit() succeeds.
This is already handled correctly in the error path.

Signed-off-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ppp/pppoe.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -398,6 +398,8 @@ static int pppoe_rcv_core(struct sock *s

if (!__pppoe_xmit(sk_pppox(relay_po), skb))
goto abort_put;
+
+ sock_put(sk_pppox(relay_po));
} else {
if (sock_queue_rcv_skb(sk, skb))
goto abort_kfree;

2016-04-26 23:44:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 034/115] ath9k: fix buffer overrun for ar9287

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 upstream.

Code that was added back in 2.6.38 has an obvious overflow
when accessing a static array, and at the time it was added
only a code comment was put in front of it as a reminder
to have it reviewed properly.

This has not happened, but gcc-6 now points to the specific
overflow:

drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
~~~~~~~~~~~~~~~~~~~~~~~~~^~~

It turns out that the correct array length exists in the local
'intercepts' variable of this function, so we can just use that
instead of hardcoding '4', so this patch changes all three
instances to use that variable. The other two instances were
already correct, but it's more consistent this way.

Signed-off-by: Arnd Bergmann <[email protected]>
Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/eeprom.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
@@ -364,10 +364,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs

if (match) {
if (AR_SREV_9287(ah)) {
- /* FIXME: array overrun? */
for (i = 0; i < numXpdGains; i++) {
minPwrT4[i] = data_9287[idxL].pwrPdg[i][0];
- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
+ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1];
ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
data_9287[idxL].pwrPdg[i],
data_9287[idxL].vpdPdg[i],
@@ -377,7 +376,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
} else if (eeprom_4k) {
for (i = 0; i < numXpdGains; i++) {
minPwrT4[i] = data_4k[idxL].pwrPdg[i][0];
- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4];
+ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1];
ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
data_4k[idxL].pwrPdg[i],
data_4k[idxL].vpdPdg[i],
@@ -387,7 +386,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
} else {
for (i = 0; i < numXpdGains; i++) {
minPwrT4[i] = data_def[idxL].pwrPdg[i][0];
- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4];
+ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1];
ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
data_def[idxL].pwrPdg[i],
data_def[idxL].vpdPdg[i],

2016-04-26 23:22:09

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 073/115] USB: serial: cp210x: Adding GE Healthcare Device ID

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Martyn Welch <[email protected]>

commit cddc9434e3dcc37a85c4412fb8e277d3a582e456 upstream.

The CP2105 is used in the GE Healthcare Remote Alarm Box, with the
Manufacturer ID of 0x1901 and Product ID of 0x0194.

Signed-off-by: Martyn Welch <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -170,6 +170,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
{ USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
{ USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */

2016-04-26 23:45:49

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 070/115] xen/events: Mask a moving irq

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <[email protected]>

commit ff1e22e7a638a0782f54f81a6c9cb139aca2da35 upstream.

Moving an unmasked irq may result in irq handler being invoked on both
source and target CPUs.

With 2-level this can happen as follows:

On source CPU:
evtchn_2l_handle_events() ->
generic_handle_irq() ->
handle_edge_irq() ->
eoi_pirq():
irq_move_irq(data);

/***** WE ARE HERE *****/

if (VALID_EVTCHN(evtchn))
clear_evtchn(evtchn);

If at this moment target processor is handling an unrelated event in
evtchn_2l_handle_events()'s loop it may pick up our event since target's
cpu_evtchn_mask claims that this event belongs to it *and* the event is
unmasked and still pending. At the same time, source CPU will continue
executing its own handle_edge_irq().

With FIFO interrupt the scenario is similar: irq_move_irq() may result
in a EVTCHNOP_unmask hypercall which, in turn, may make the event
pending on the target CPU.

We can avoid this situation by moving and clearing the event while
keeping event masked.

Signed-off-by: Boris Ostrovsky <[email protected]>
Signed-off-by: David Vrabel <[email protected]>
[bwh: Backported to 3.2:
- Adjust filename
- Add a suitable definition of test_and_set_mask()]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/xen/events.c
+++ b/drivers/xen/events.c
@@ -337,6 +337,12 @@ static inline int test_evtchn(int port)
return sync_test_bit(port, &s->evtchn_pending[0]);
}

+static inline int test_and_set_mask(int port)
+{
+ struct shared_info *s = HYPERVISOR_shared_info;
+ return sync_test_and_set_bit(port, &s->evtchn_mask[0]);
+}
+

/**
* notify_remote_via_irq - send event to remote end of event channel via irq
@@ -507,9 +513,19 @@ static void eoi_pirq(struct irq_data *da
struct physdev_eoi eoi = { .irq = pirq_from_irq(data->irq) };
int rc = 0;

- irq_move_irq(data);
+ if (!VALID_EVTCHN(evtchn))
+ return;

- if (VALID_EVTCHN(evtchn))
+ if (unlikely(irqd_is_setaffinity_pending(data))) {
+ int masked = test_and_set_mask(evtchn);
+
+ clear_evtchn(evtchn);
+
+ irq_move_masked_irq(data);
+
+ if (!masked)
+ unmask_evtchn(evtchn);
+ } else
clear_evtchn(evtchn);

if (pirq_needs_eoi(data->irq)) {
@@ -1427,9 +1443,19 @@ static void ack_dynirq(struct irq_data *
{
int evtchn = evtchn_from_irq(data->irq);

- irq_move_irq(data);
+ if (!VALID_EVTCHN(evtchn))
+ return;

- if (VALID_EVTCHN(evtchn))
+ if (unlikely(irqd_is_setaffinity_pending(data))) {
+ int masked = test_and_set_mask(evtchn);
+
+ clear_evtchn(evtchn);
+
+ irq_move_masked_irq(data);
+
+ if (!masked)
+ unmask_evtchn(evtchn);
+ } else
clear_evtchn(evtchn);
}


2016-04-26 23:46:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 036/115] ALSA: usb-audio: Add sanity checks for endpoint accesses

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a upstream.

Add some sanity check codes before actually accessing the endpoint via
get_endpoint() in order to avoid the invalid access through a
malformed USB descriptor. Mostly just checking bNumEndpoints, but in
one place (snd_microii_spdif_default_get()), the validity of iface and
altsetting index is checked as well.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.2: drop changes to code we don't have]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -211,6 +211,8 @@ static int set_sample_rate_v1(struct snd
unsigned char data[3];
int err, crate;

+ if (get_iface_desc(alts)->bNumEndpoints < 1)
+ return -EINVAL;
ep = get_endpoint(alts, 0)->bEndpointAddress;

/* if endpoint doesn't have sampling rate control, bail out */
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -148,6 +148,8 @@ static int init_pitch_v1(struct snd_usb_
unsigned char data[1];
int err;

+ if (get_iface_desc(alts)->bNumEndpoints < 1)
+ return -EINVAL;
ep = get_endpoint(alts, 0)->bEndpointAddress;

data[0] = 1;

2016-04-26 23:47:26

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 026/115] sg: fix dxferp in from_to case

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Douglas Gilbert <[email protected]>

commit 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 upstream.

One of the strange things that the original sg driver did was let the
user provide both a data-out buffer (it followed the sg_header+cdb)
_and_ specify a reply length greater than zero. What happened was that
the user data-out buffer was copied into some kernel buffers and then
the mid level was told a read type operation would take place with the
data from the device overwriting the same kernel buffers. The user would
then read those kernel buffers back into the user space.

=46romwhat I can tell, the above action was broken by commit fad7f01e61bf
("sg: set dxferp to NULL for READ with the older SG interface") in 2008
and syzkaller found that out recently.

Make sure that a user space pointer is passed through when data follows
the sg_header structure and command. Fix the abnormal case when a
non-zero reply_len is also given.

Fixes: fad7f01e61bf737fe8a3740d803f000db57ecac6
Signed-off-by: Douglas Gilbert <[email protected]>
Reviewed-by: Ewan Milne <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/sg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -609,7 +609,8 @@ sg_write(struct file *filp, const char _
else
hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE;
hp->dxfer_len = mxsize;
- if (hp->dxfer_direction == SG_DXFER_TO_DEV)
+ if ((hp->dxfer_direction == SG_DXFER_TO_DEV) ||
+ (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV))
hp->dxferp = (char __user *)buf + cmd_size;
else
hp->dxferp = NULL;

2016-04-26 23:49:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 063/115] ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <[email protected]>

commit 836b34a935abc91e13e63053d0a83b24dfb5ea78 upstream.

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <[email protected]>

[Note for stable backports:
this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
code cleanup in create_fixed_stream_quirk()')]

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <[email protected]>
Signed-off-by: Vladis Dronov <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/usb/quirks.c | 4 ++++
sound/usb/stream.c | 6 +++++-
2 files changed, 9 insertions(+), 1 deletion(-)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -136,6 +136,7 @@ static int create_fixed_stream_quirk(str
snd_printk(KERN_ERR "cannot memdup\n");
return -ENOMEM;
}
+ INIT_LIST_HEAD(&fp->list);
if (fp->nr_rates > MAX_NR_RATES) {
kfree(fp);
return -EINVAL;
@@ -174,6 +175,7 @@ static int create_fixed_stream_quirk(str
return 0;

error:
+ list_del(&fp->list); /* unlink for avoiding double-free */
kfree(fp);
kfree(rate_table);
return err;
@@ -243,6 +245,7 @@ static int create_uaxx_quirk(struct snd_
fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
fp->datainterval = 0;
fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
+ INIT_LIST_HEAD(&fp->list);

switch (fp->maxpacksize) {
case 0x120:
@@ -266,6 +269,7 @@ static int create_uaxx_quirk(struct snd_
? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
err = snd_usb_add_audio_stream(chip, stream, fp);
if (err < 0) {
+ list_del(&fp->list); /* unlink for avoiding double-free */
kfree(fp);
return err;
}
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -77,7 +77,9 @@ static void snd_usb_audio_pcm_free(struc
/*
* add this endpoint to the chip instance.
* if a stream with the same endpoint already exists, append to it.
- * if not, create a new pcm stream.
+ * if not, create a new pcm stream. note, fp is added to the substream
+ * fmt_list and will be freed on the chip instance release. do not free
+ * fp or do remove it from the substream fmt_list to avoid double-free.
*/
int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
int stream,
@@ -403,6 +405,7 @@ int snd_usb_parse_audio_interface(struct
* (fp->maxpacksize & 0x7ff);
fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
fp->clock = clock;
+ INIT_LIST_HEAD(&fp->list);

/* some quirks for attributes here */

@@ -446,6 +449,7 @@ int snd_usb_parse_audio_interface(struct
snd_printdd(KERN_INFO "%d:%u:%d: add audio endpoint %#x\n", dev->devnum, iface_no, altno, fp->endpoint);
err = snd_usb_add_audio_stream(chip, stream, fp);
if (err < 0) {
+ list_del(&fp->list); /* unlink for avoiding double-free */
kfree(fp->rate_table);
kfree(fp);
return err;

2016-04-26 23:50:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 076/115] parisc: Unbreak handling exceptions from kernel modules

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <[email protected]>

commit 2ef4dfd9d9f288943e249b78365a69e3ea3ec072 upstream.

Handling exceptions from modules never worked on parisc.
It was just masked by the fact that exceptions from modules
don't happen during normal use.

When a module triggers an exception in get_user() we need to load the
main kernel dp value before accessing the exception_data structure, and
afterwards restore the original dp value of the module on exit.

Noticed-by: Mikulas Patocka <[email protected]>
Signed-off-by: Helge Deller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/parisc/include/asm/uaccess.h | 1 +
arch/parisc/kernel/asm-offsets.c | 1 +
arch/parisc/lib/fixup.S | 6 ++++++
arch/parisc/mm/fault.c | 1 +
4 files changed, 9 insertions(+)

--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -79,6 +79,7 @@ struct exception_table_entry {
*/
struct exception_data {
unsigned long fault_ip;
+ unsigned long fault_gp;
unsigned long fault_space;
unsigned long fault_addr;
};
--- a/arch/parisc/kernel/asm-offsets.c
+++ b/arch/parisc/kernel/asm-offsets.c
@@ -292,6 +292,7 @@ int main(void)
DEFINE(ASM_PT_INITIAL, PT_INITIAL);
BLANK();
DEFINE(EXCDATA_IP, offsetof(struct exception_data, fault_ip));
+ DEFINE(EXCDATA_GP, offsetof(struct exception_data, fault_gp));
DEFINE(EXCDATA_SPACE, offsetof(struct exception_data, fault_space));
DEFINE(EXCDATA_ADDR, offsetof(struct exception_data, fault_addr));
BLANK();
--- a/arch/parisc/lib/fixup.S
+++ b/arch/parisc/lib/fixup.S
@@ -26,6 +26,7 @@

#ifdef CONFIG_SMP
.macro get_fault_ip t1 t2
+ loadgp
addil LT%__per_cpu_offset,%r27
LDREG RT%__per_cpu_offset(%r1),\t1
/* t2 = smp_processor_id() */
@@ -40,14 +41,19 @@
LDREG RT%exception_data(%r1),\t1
/* t1 = &__get_cpu_var(exception_data) */
add,l \t1,\t2,\t1
+ /* %r27 = t1->fault_gp - restore gp */
+ LDREG EXCDATA_GP(\t1), %r27
/* t1 = t1->fault_ip */
LDREG EXCDATA_IP(\t1), \t1
.endm
#else
.macro get_fault_ip t1 t2
+ loadgp
/* t1 = &__get_cpu_var(exception_data) */
addil LT%exception_data,%r27
LDREG RT%exception_data(%r1),\t2
+ /* %r27 = t2->fault_gp - restore gp */
+ LDREG EXCDATA_GP(\t2), %r27
/* t1 = t2->fault_ip */
LDREG EXCDATA_IP(\t2), \t1
.endm
--- a/arch/parisc/mm/fault.c
+++ b/arch/parisc/mm/fault.c
@@ -147,6 +147,7 @@ int fixup_exception(struct pt_regs *regs
struct exception_data *d;
d = &__get_cpu_var(exception_data);
d->fault_ip = regs->iaoq[0];
+ d->fault_gp = regs->gr[27];
d->fault_space = regs->isr;
d->fault_addr = regs->ior;


2016-04-26 23:52:13

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 111/115] ipv4: l2tp: fix a potential issue in l2tp_ip_recv

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Haishuang Yan <[email protected]>

[ Upstream commit 5745b8232e942abd5e16e85fa9b27cc21324acf0 ]

pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
right place.

Signed-off-by: Haishuang Yan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/l2tp/l2tp_ip.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -129,12 +129,11 @@ static int l2tp_ip_recv(struct sk_buff *
int length;
int offset;

- /* Point to L2TP header */
- optr = ptr = skb->data;
-
if (!pskb_may_pull(skb, 4))
goto discard;

+ /* Point to L2TP header */
+ optr = ptr = skb->data;
session_id = ntohl(*((__be32 *) ptr));
ptr += 4;

@@ -162,6 +161,9 @@ static int l2tp_ip_recv(struct sk_buff *
if (!pskb_may_pull(skb, length))
goto discard;

+ /* Point to L2TP header */
+ optr = ptr = skb->data;
+ ptr += 4;
printk(KERN_DEBUG "%s: ip recv: ", tunnel->name);

offset = 0;

2016-04-26 23:52:46

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 100/115] serial: sh-sci: Remove cpufreq notifier to fix crash/deadlock

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <[email protected]>

commit ff1cab374ad98f4b9f408525ca9c08992b4ed784 upstream.

The BSP team noticed that there is spin/mutex lock issue on sh-sci when
CPUFREQ is used. The issue is that the notifier function may call
mutex_lock() while the spinlock is held, which can lead to a BUG().
This may happen if CPUFREQ is changed while another CPU calls
clk_get_rate().

Taking the spinlock was added to the notifier function in commit
e552de2413edad1a ("sh-sci: add platform device private data"), to
protect the list of serial ports against modification during traversal.
At that time the Common Clock Framework didn't exist yet, and
clk_get_rate() just returned clk->rate without taking a mutex.
Note that since commit d535a2305facf9b4 ("serial: sh-sci: Require a
device per port mapping."), there's no longer a list of serial ports to
traverse, and taking the spinlock became superfluous.

To fix the issue, just remove the cpufreq notifier:
1. The notifier doesn't work correctly: all it does is update the
stored clock rate; it does not update the divider in the hardware.
The divider will only be updated when calling sci_set_termios().
I believe this was broken back in 2004, when the old
drivers/char/sh-sci.c driver (where the notifier did update the
divider) was replaced by drivers/serial/sh-sci.c (where the
notifier just updated port->uartclk).
Cfr. full-history-linux commits 6f8deaef2e9675d9 ("[PATCH] sh: port
sh-sci driver to the new API") and 3f73fe878dc9210a ("[PATCH]
Remove old sh-sci driver").
2. On modern SoCs, the sh-sci parent clock rate is no longer related
to the CPU clock rate anyway, so using a cpufreq notifier is
futile.

Signed-off-by: Geert Uytterhoeven <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -40,7 +40,6 @@
#include <linux/console.h>
#include <linux/platform_device.h>
#include <linux/serial_sci.h>
-#include <linux/notifier.h>
#include <linux/pm_runtime.h>
#include <linux/cpufreq.h>
#include <linux/clk.h>
@@ -95,8 +94,6 @@ struct sci_port {
unsigned int rx_timeout;
#endif

- struct notifier_block freq_transition;
-
#ifdef CONFIG_SERIAL_SH_SCI_CONSOLE
unsigned short saved_smr;
unsigned short saved_fcr;
@@ -958,30 +955,6 @@ static irqreturn_t sci_mpxed_interrupt(i
return ret;
}

-/*
- * Here we define a transition notifier so that we can update all of our
- * ports' baud rate when the peripheral clock changes.
- */
-static int sci_notifier(struct notifier_block *self,
- unsigned long phase, void *p)
-{
- struct sci_port *sci_port;
- unsigned long flags;
-
- sci_port = container_of(self, struct sci_port, freq_transition);
-
- if ((phase == CPUFREQ_POSTCHANGE) ||
- (phase == CPUFREQ_RESUMECHANGE)) {
- struct uart_port *port = &sci_port->port;
-
- spin_lock_irqsave(&port->lock, flags);
- port->uartclk = clk_get_rate(sci_port->iclk);
- spin_unlock_irqrestore(&port->lock, flags);
- }
-
- return NOTIFY_OK;
-}
-
static struct sci_irq_desc {
const char *desc;
irq_handler_t handler;
@@ -2171,9 +2144,6 @@ static int sci_remove(struct platform_de
{
struct sci_port *port = platform_get_drvdata(dev);

- cpufreq_unregister_notifier(&port->freq_transition,
- CPUFREQ_TRANSITION_NOTIFIER);
-
uart_remove_one_port(&sci_uart_driver, &port->port);

clk_put(port->iclk);
@@ -2227,13 +2197,6 @@ static int __devinit sci_probe(struct pl
if (ret)
goto err_unreg;

- sp->freq_transition.notifier_call = sci_notifier;
-
- ret = cpufreq_register_notifier(&sp->freq_transition,
- CPUFREQ_TRANSITION_NOTIFIER);
- if (unlikely(ret < 0))
- goto err_unreg;
-
#ifdef CONFIG_SH_STANDARD_BIOS
sh_bios_gdb_detach();
#endif

2016-04-26 23:16:12

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 060/115] usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <[email protected]>

commit 894f2fc44f2f3f48c36c973b1123f6ab298be160 upstream.

When unexpected situation happened (e.g. tx/rx irq happened while
DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL
pointer dereference like the followings:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: Oops: 80000007 [#1] SMP ARM
Modules linked in: usb_f_acm u_serial g_serial libcomposite
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
Hardware name: Generic R8A7790 (Flattened Device Tree)
task: c0729c00 ti: c0724000 task.ti: c0724000
PC is at 0x0
LR is at usbhsf_pkt_handler+0xac/0x118
pc : [<00000000>] lr : [<c03257e0>] psr: 60000193
sp : c0725db8 ip : 00000000 fp : c0725df4
r10: 00000001 r9 : 00000193 r8 : ef3ccab4
r7 : ef3cca10 r6 : eea4586c r5 : 00000000 r4 : ef19ceb4
r3 : 00000000 r2 : 0000009c r1 : c0725dc4 r0 : ef19ceb4

This patch adds a condition to avoid the dereference.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/renesas_usbhs/fifo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -166,7 +166,8 @@ static int usbhsf_pkt_handler(struct usb
goto __usbhs_pkt_handler_end;
}

- ret = func(pkt, &is_done);
+ if (likely(func))
+ ret = func(pkt, &is_done);

if (is_done)
__usbhsf_pkt_del(pkt);

2016-04-26 23:13:36

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 004/115] net: irda: Fix use-after-free in irtty_open()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Hurley <[email protected]>

commit 401879c57f01cbf2da204ad2e8db910525c6dbea upstream.

The N_IRDA line discipline may access the previous line discipline's closed
and already-fre private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).

[1]
==================================================================
BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr ffff8800331dd068
Read of size 4 by task a.out/13960
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
...
Call Trace:
[<ffffffff815fa2ae>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:279
[<ffffffff836938a2>] irtty_open+0x422/0x550 drivers/net/irda/irtty-sir.c:436
[<ffffffff829f1b80>] tty_ldisc_open.isra.2+0x60/0xa0 drivers/tty/tty_ldisc.c:447
[<ffffffff829f21c0>] tty_set_ldisc+0x1a0/0x940 drivers/tty/tty_ldisc.c:567
[< inline >] tiocsetd drivers/tty/tty_io.c:2650
[<ffffffff829da49e>] tty_ioctl+0xace/0x1fd0 drivers/tty/tty_io.c:2883
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816708ac>] do_vfs_ioctl+0x57c/0xe60 fs/ioctl.c:607
[< inline >] SYSC_ioctl fs/ioctl.c:622
[<ffffffff81671204>] SyS_ioctl+0x74/0x80 fs/ioctl.c:613
[<ffffffff852a7876>] entry_SYSCALL_64_fastpath+0x16/0x7a

Reported-and-tested-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Peter Hurley <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/irda/irtty-sir.c | 10 ----------
1 file changed, 10 deletions(-)

--- a/drivers/net/irda/irtty-sir.c
+++ b/drivers/net/irda/irtty-sir.c
@@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct

/* Module stuff handled via irda_ldisc.owner - Jean II */

- /* First make sure we're not already connected. */
- if (tty->disc_data != NULL) {
- priv = tty->disc_data;
- if (priv && priv->magic == IRTTY_MAGIC) {
- ret = -EEXIST;
- goto out;
- }
- tty->disc_data = NULL; /* ### */
- }
-
/* stop the underlying driver */
irtty_stop_receiver(tty, TRUE);
if (tty->ops->stop)

2016-04-26 23:13:33

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 007/115] Bluetooth: btusb: Add new AR3012 ID 13d3:3395

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <[email protected]>

commit 609574eb46335cfac1421a07c0505627cbbab1f0 upstream.

T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3395 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1542564

Reported-and-tested-by: Christopher Simerly <[email protected]>
Signed-off-by: Dmitry Tunin <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -109,6 +109,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x13d3, 0x3362) },
{ USB_DEVICE(0x13d3, 0x3375) },
{ USB_DEVICE(0x13d3, 0x3393) },
+ { USB_DEVICE(0x13d3, 0x3395) },
{ USB_DEVICE(0x13d3, 0x3402) },
{ USB_DEVICE(0x13d3, 0x3408) },
{ USB_DEVICE(0x13d3, 0x3423) },
@@ -169,6 +170,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -194,6 +194,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },

2016-04-27 00:40:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 113/115] jme: Do not enable NIC WoL functions on S0

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guo-Fu Tseng <[email protected]>

commit 0772a99b818079e628a1da122ac7ee023faed83e upstream.

Otherwise it might be back on resume right after going to suspend in
some hardware.

Reported-by: Diego Viola <[email protected]>
Signed-off-by: Guo-Fu Tseng <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/jme.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/jme.c
+++ b/drivers/net/ethernet/jme.c
@@ -269,11 +269,17 @@ jme_reset_mac_processor(struct jme_adapt
}

static inline void
-jme_clear_pm(struct jme_adapter *jme)
+jme_clear_pm_enable_wol(struct jme_adapter *jme)
{
jwrite32(jme, JME_PMCS, PMCS_STMASK | jme->reg_pmcs);
}

+static inline void
+jme_clear_pm_disable_wol(struct jme_adapter *jme)
+{
+ jwrite32(jme, JME_PMCS, PMCS_STMASK);
+}
+
static int
jme_reload_eeprom(struct jme_adapter *jme)
{
@@ -1856,7 +1862,7 @@ jme_open(struct net_device *netdev)
struct jme_adapter *jme = netdev_priv(netdev);
int rc;

- jme_clear_pm(jme);
+ jme_clear_pm_disable_wol(jme);
JME_NAPI_ENABLE(jme);

tasklet_enable(&jme->linkch_task);
@@ -1928,7 +1934,7 @@ jme_powersave_phy(struct jme_adapter *jm
jme_set_100m_half(jme);
if (jme->reg_pmcs & (PMCS_LFEN | PMCS_LREN))
jme_wait_link(jme);
- jme_clear_pm(jme);
+ jme_clear_pm_enable_wol(jme);
} else {
jme_phy_off(jme);
}
@@ -2616,7 +2622,6 @@ jme_set_wol(struct net_device *netdev,
if (wol->wolopts & WAKE_MAGIC)
jme->reg_pmcs |= PMCS_MFEN;

- jwrite32(jme, JME_PMCS, jme->reg_pmcs);
device_set_wakeup_enable(&jme->pdev->dev, !!(jme->reg_pmcs));

return 0;
@@ -3142,7 +3147,7 @@ jme_init_one(struct pci_dev *pdev,
jme->mii_if.mdio_read = jme_mdio_read;
jme->mii_if.mdio_write = jme_mdio_write;

- jme_clear_pm(jme);
+ jme_clear_pm_disable_wol(jme);
pci_set_power_state(jme->pdev, PCI_D0);
device_set_wakeup_enable(&pdev->dev, true);

@@ -3277,7 +3282,7 @@ jme_resume(struct device *dev)
if (!netif_running(netdev))
return 0;

- jme_clear_pm(jme);
+ jme_clear_pm_disable_wol(jme);
jme_phy_on(jme);
if (test_bit(JME_FLAG_SSET, &jme->flags))
jme_set_settings(netdev, &jme->old_ecmd);

2016-04-27 00:40:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 017/115] xfs: fix two memory leaks in xfs_attr_list.c error paths

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mateusz Guzik <[email protected]>

commit 2e83b79b2d6c78bf1b4aa227938a214dcbddc83f upstream.

This plugs 2 trivial leaks in xfs_attr_shortform_list and
xfs_attr3_leaf_list_int.

Signed-off-by: Mateusz Guzik <[email protected]>
Reviewed-by: Eric Sandeen <[email protected]>
Signed-off-by: Dave Chinner <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/xfs/xfs_attr_leaf.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)

--- a/fs/xfs/xfs_attr_leaf.c
+++ b/fs/xfs/xfs_attr_leaf.c
@@ -721,8 +721,10 @@ xfs_attr_shortform_list(xfs_attr_list_co
sbp->namelen,
sbp->valuelen,
&sbp->name[sbp->namelen]);
- if (error)
+ if (error) {
+ kmem_free(sbuf);
return error;
+ }
if (context->seen_enough)
break;
cursor->offset++;
@@ -2404,14 +2406,13 @@ xfs_attr_leaf_list_int(xfs_dabuf_t *bp,
args.rmtblkno = be32_to_cpu(name_rmt->valueblk);
args.rmtblkcnt = XFS_B_TO_FSB(args.dp->i_mount, valuelen);
retval = xfs_attr_rmtval_get(&args);
- if (retval)
- return retval;
- retval = context->put_listent(context,
- entry->flags,
- name_rmt->name,
- (int)name_rmt->namelen,
- valuelen,
- args.value);
+ if (!retval)
+ retval = context->put_listent(context,
+ entry->flags,
+ name_rmt->name,
+ (int)name_rmt->namelen,
+ valuelen,
+ args.value);
kmem_free(args.value);
} else {
retval = context->put_listent(context,

2016-04-26 23:13:30

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 008/115] Bluetooth: Add new AR3012 ID 0489:e095

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <[email protected]>

commit 28c971d82fb58ef7cba22e5308be6d2d2590473d upstream.

T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e095 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

This device requires ar3k/AthrBT_0x31010100.dfu and
ar3k/ramps_0x31010100_40.dfu firmware files that are not in
linux-firmware yet.

BugLink: https://bugs.launchpad.net/bugs/1542944

Signed-off-by: Dmitry Tunin <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -80,6 +80,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x0489, 0xe05f) },
{ USB_DEVICE(0x0489, 0xe076) },
{ USB_DEVICE(0x0489, 0xe078) },
+ { USB_DEVICE(0x0489, 0xe095) },
{ USB_DEVICE(0x04c5, 0x1330) },
{ USB_DEVICE(0x04CA, 0x3004) },
{ USB_DEVICE(0x04CA, 0x3005) },
@@ -141,6 +142,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -165,6 +165,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },

2016-04-27 00:42:08

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 003/115] 8250: use callbacks to access UART_DLL/UART_DLM

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sebastian Frias <[email protected]>

commit 0b41ce991052022c030fd868e03877700220b090 upstream.

Some UART HW has a single register combining UART_DLL/UART_DLM
(this was probably forgotten in the change that introduced the
callbacks, commit b32b19b8ffc05cbd3bf91c65e205f6a912ca15d9)

Fixes: b32b19b8ffc0 ("[SERIAL] 8250: set divisor register correctly ...")

Signed-off-by: Sebastian Frias <[email protected]>
Reviewed-by: Peter Hurley <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2:
- Adjust filename
- We're using serial_{in,out}p for 8-bit I/O]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/serial/8250.c | 18 ++++++------------
1 file changed, 6 insertions(+), 12 deletions(-)

--- a/drivers/tty/serial/8250.c
+++ b/drivers/tty/serial/8250.c
@@ -777,22 +777,16 @@ static int size_fifo(struct uart_8250_po
*/
static unsigned int autoconfig_read_divisor_id(struct uart_8250_port *p)
{
- unsigned char old_dll, old_dlm, old_lcr;
- unsigned int id;
+ unsigned char old_lcr;
+ unsigned int id, old_dl;

old_lcr = serial_inp(p, UART_LCR);
serial_outp(p, UART_LCR, UART_LCR_CONF_MODE_A);
+ old_dl = serial_dl_read(p);
+ serial_dl_write(p, 0);
+ id = serial_dl_read(p);
+ serial_dl_write(p, old_dl);

- old_dll = serial_inp(p, UART_DLL);
- old_dlm = serial_inp(p, UART_DLM);
-
- serial_outp(p, UART_DLL, 0);
- serial_outp(p, UART_DLM, 0);
-
- id = serial_inp(p, UART_DLL) | serial_inp(p, UART_DLM) << 8;
-
- serial_outp(p, UART_DLL, old_dll);
- serial_outp(p, UART_DLM, old_dlm);
serial_outp(p, UART_LCR, old_lcr);

return id;

2016-04-27 00:41:56

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 001/115] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 6f3508f61c814ee852c199988a62bd954c50dfc1 upstream.

dct_sel_base_off is declared as a u64 but we're only using the lower 32
bits because of a shift wrapping bug. This can possibly truncate the
upper 16 bits of DctSelBaseOffset[47:26], causing us to misdecode the CS
row.

Fixes: c8e518d5673d ('amd64_edac: Sanitize f10_get_base_addr_offset')
Signed-off-by: Dan Carpenter <[email protected]>
Cc: Aravind Gopalakrishnan <[email protected]>
Cc: linux-edac <[email protected]>
Link: http://lkml.kernel.org/r/20160120095451.GB19898@mwanda
Signed-off-by: Borislav Petkov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/edac/amd64_edac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/edac/amd64_edac.c
+++ b/drivers/edac/amd64_edac.c
@@ -1318,7 +1318,7 @@ static u64 f1x_get_norm_dct_addr(struct
u64 chan_off;
u64 dram_base = get_dram_base(pvt, range);
u64 hole_off = f10_dhar_offset(pvt);
- u64 dct_sel_base_off = (pvt->dct_sel_hi & 0xFFFFFC00) << 16;
+ u64 dct_sel_base_off = (u64)(pvt->dct_sel_hi & 0xFFFFFC00) << 16;

if (hi_rng) {
/*

2016-04-27 00:44:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 114/115] jme: Fix device PM wakeup API usage

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guo-Fu Tseng <[email protected]>

commit 81422e672f8181d7ad1ee6c60c723aac649f538f upstream.

According to Documentation/power/devices.txt

The driver should not use device_set_wakeup_enable() which is the policy
for user to decide.

Using device_init_wakeup() to initialize dev->power.should_wakeup and
dev->power.can_wakeup on driver initialization.

And use device_may_wakeup() on suspend to decide if WoL function should
be enabled on NIC.

Reported-by: Diego Viola <[email protected]>
Signed-off-by: Guo-Fu Tseng <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/jme.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/jme.c
+++ b/drivers/net/ethernet/jme.c
@@ -1930,7 +1930,7 @@ jme_wait_link(struct jme_adapter *jme)
static void
jme_powersave_phy(struct jme_adapter *jme)
{
- if (jme->reg_pmcs) {
+ if (jme->reg_pmcs && device_may_wakeup(&jme->pdev->dev)) {
jme_set_100m_half(jme);
if (jme->reg_pmcs & (PMCS_LFEN | PMCS_LREN))
jme_wait_link(jme);
@@ -2622,8 +2622,6 @@ jme_set_wol(struct net_device *netdev,
if (wol->wolopts & WAKE_MAGIC)
jme->reg_pmcs |= PMCS_MFEN;

- device_set_wakeup_enable(&jme->pdev->dev, !!(jme->reg_pmcs));
-
return 0;
}

@@ -3149,7 +3147,7 @@ jme_init_one(struct pci_dev *pdev,

jme_clear_pm_disable_wol(jme);
pci_set_power_state(jme->pdev, PCI_D0);
- device_set_wakeup_enable(&pdev->dev, true);
+ device_init_wakeup(&pdev->dev, true);

jme_set_phyfifo_5level(jme);
jme->pcirev = pdev->revision;

2016-04-27 00:44:44

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 009/115] aacraid: Fix memory leak in aac_fib_map_free

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <[email protected]>

commit f88fa79a61726ce9434df9b4aede36961f709f17 upstream.

aac_fib_map_free() calls pci_free_consistent() without checking that
dev->hw_fib_va is not NULL and dev->max_fib_size is not zero.If they are
indeed NULL/0, this will result in a hang as pci_free_consistent() will
attempt to invalidate cache for the entire 64-bit address space
(which would take a very long time).

Fixed by adding a check to make sure that dev->hw_fib_va and
dev->max_fib_size are not NULL and 0 respectively.

Fixes: 9ad5204d6 - "[SCSI]aacraid: incorrect dma mapping mask during blinked recover or user initiated reset"

Signed-off-by: Raghava Aditya Renukunta <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Reviewed-by: Tomas Henzl <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/aacraid/commsup.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -83,9 +83,12 @@ static int fib_map_alloc(struct aac_dev

void aac_fib_map_free(struct aac_dev *dev)
{
- pci_free_consistent(dev->pdev,
- dev->max_fib_size * (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB),
- dev->hw_fib_va, dev->hw_fib_pa);
+ if (dev->hw_fib_va && dev->max_fib_size) {
+ pci_free_consistent(dev->pdev,
+ (dev->max_fib_size *
+ (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)),
+ dev->hw_fib_va, dev->hw_fib_pa);
+ }
dev->hw_fib_va = NULL;
dev->hw_fib_pa = 0;
}

2016-04-27 00:44:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 115/115] netfilter: x_tables: fix unconditional helper

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal <[email protected]>

commit 54d83fc74aa9ec72794373cb47432c5f7fb1a309 upstream.

Ben Hawkes says:

In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.

Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so its supposed to return
an absolute verdict of either ACCEPT or DROP.

However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.

However, an unconditional rule must also not be using any matches
(no -m args).

The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeeded to the next (not-existent) rule.

Unify this so that all the callers have same idea of 'unconditional rule'.

Reported-by: Ben Hawkes <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/netfilter/arp_tables.c | 18 +++++++++---------
net/ipv4/netfilter/ip_tables.c | 23 +++++++++++------------
net/ipv6/netfilter/ip6_tables.c | 23 +++++++++++------------
3 files changed, 31 insertions(+), 33 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -350,11 +350,12 @@ unsigned int arpt_do_table(struct sk_buf
}

/* All zeroes == unconditional rule. */
-static inline bool unconditional(const struct arpt_arp *arp)
+static inline bool unconditional(const struct arpt_entry *e)
{
static const struct arpt_arp uncond;

- return memcmp(arp, &uncond, sizeof(uncond)) == 0;
+ return e->target_offset == sizeof(struct arpt_entry) &&
+ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
}

/* Figures out from what hook each rule can be called: returns 0 if
@@ -393,11 +394,10 @@ static int mark_source_chains(const stru
|= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));

/* Unconditional return/END. */
- if ((e->target_offset == sizeof(struct arpt_entry) &&
+ if ((unconditional(e) &&
(strcmp(t->target.u.user.name,
XT_STANDARD_TARGET) == 0) &&
- t->verdict < 0 && unconditional(&e->arp)) ||
- visited) {
+ t->verdict < 0) || visited) {
unsigned int oldpos, size;

if ((strcmp(t->target.u.user.name,
@@ -536,7 +536,7 @@ static bool check_underflow(const struct
const struct xt_entry_target *t;
unsigned int verdict;

- if (!unconditional(&e->arp))
+ if (!unconditional(e))
return false;
t = arpt_get_target_c(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
@@ -583,9 +583,9 @@ static inline int check_entry_size_and_h
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
if (!check_underflow(e)) {
- pr_err("Underflows must be unconditional and "
- "use the STANDARD target with "
- "ACCEPT/DROP\n");
+ pr_debug("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int

/* All zeroes == unconditional rule. */
/* Mildly perf critical (only if packet tracing is on) */
-static inline bool unconditional(const struct ipt_ip *ip)
+static inline bool unconditional(const struct ipt_entry *e)
{
static const struct ipt_ip uncond;

- return memcmp(ip, &uncond, sizeof(uncond)) == 0;
+ return e->target_offset == sizeof(struct ipt_entry) &&
+ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
#undef FWINV
}

@@ -230,11 +231,10 @@ get_chainname_rulenum(const struct ipt_e
} else if (s == e) {
(*rulenum)++;

- if (s->target_offset == sizeof(struct ipt_entry) &&
+ if (unconditional(s) &&
strcmp(t->target.u.kernel.target->name,
XT_STANDARD_TARGET) == 0 &&
- t->verdict < 0 &&
- unconditional(&s->ip)) {
+ t->verdict < 0) {
/* Tail of chains: STANDARD target (return/policy) */
*comment = *chainname == hookname
? comments[NF_IP_TRACE_COMMENT_POLICY]
@@ -468,11 +468,10 @@ mark_source_chains(const struct xt_table
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));

/* Unconditional return/END. */
- if ((e->target_offset == sizeof(struct ipt_entry) &&
+ if ((unconditional(e) &&
(strcmp(t->target.u.user.name,
XT_STANDARD_TARGET) == 0) &&
- t->verdict < 0 && unconditional(&e->ip)) ||
- visited) {
+ t->verdict < 0) || visited) {
unsigned int oldpos, size;

if ((strcmp(t->target.u.user.name,
@@ -699,7 +698,7 @@ static bool check_underflow(const struct
const struct xt_entry_target *t;
unsigned int verdict;

- if (!unconditional(&e->ip))
+ if (!unconditional(e))
return false;
t = ipt_get_target_c(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
@@ -747,9 +746,9 @@ check_entry_size_and_hooks(struct ipt_en
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
if (!check_underflow(e)) {
- pr_err("Underflows must be unconditional and "
- "use the STANDARD target with "
- "ACCEPT/DROP\n");
+ pr_debug("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -208,11 +208,12 @@ get_entry(const void *base, unsigned int

/* All zeroes == unconditional rule. */
/* Mildly perf critical (only if packet tracing is on) */
-static inline bool unconditional(const struct ip6t_ip6 *ipv6)
+static inline bool unconditional(const struct ip6t_entry *e)
{
static const struct ip6t_ip6 uncond;

- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
+ return e->target_offset == sizeof(struct ip6t_entry) &&
+ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0;
}

static inline const struct xt_entry_target *
@@ -269,11 +270,10 @@ get_chainname_rulenum(const struct ip6t_
} else if (s == e) {
(*rulenum)++;

- if (s->target_offset == sizeof(struct ip6t_entry) &&
+ if (unconditional(s) &&
strcmp(t->target.u.kernel.target->name,
XT_STANDARD_TARGET) == 0 &&
- t->verdict < 0 &&
- unconditional(&s->ipv6)) {
+ t->verdict < 0) {
/* Tail of chains: STANDARD target (return/policy) */
*comment = *chainname == hookname
? comments[NF_IP6_TRACE_COMMENT_POLICY]
@@ -490,11 +490,10 @@ mark_source_chains(const struct xt_table
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));

/* Unconditional return/END. */
- if ((e->target_offset == sizeof(struct ip6t_entry) &&
+ if ((unconditional(e) &&
(strcmp(t->target.u.user.name,
XT_STANDARD_TARGET) == 0) &&
- t->verdict < 0 &&
- unconditional(&e->ipv6)) || visited) {
+ t->verdict < 0) || visited) {
unsigned int oldpos, size;

if ((strcmp(t->target.u.user.name,
@@ -722,7 +721,7 @@ static bool check_underflow(const struct
const struct xt_entry_target *t;
unsigned int verdict;

- if (!unconditional(&e->ipv6))
+ if (!unconditional(e))
return false;
t = ip6t_get_target_c(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
@@ -770,9 +769,9 @@ check_entry_size_and_hooks(struct ip6t_e
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
if (!check_underflow(e)) {
- pr_err("Underflows must be unconditional and "
- "use the STANDARD target with "
- "ACCEPT/DROP\n");
+ pr_debug("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];

2016-04-27 00:45:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 011/115] mac80211: fix memory leak

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sudip Mukherjee <[email protected]>

commit ea32f065bd3e3e09f0bcb3042f1664caf6b3e233 upstream.

On error we jumped to the error label and returned the error code but we
missed releasing sinfo.

Fixes: 5fe74014172d ("mac80211: avoid excessive stack usage in sta_info")
Reviewed-by: Julian Calaby <[email protected]>
Signed-off-by: Sudip Mukherjee <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
[bwh: Backported to 3.2: there's no out_err label but there is another
error case that would leak sinfo]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/mac80211/sta_info.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -362,8 +362,10 @@ static int sta_info_finish_insert(struct
u.ap);
err = drv_sta_add(local, sdata, &sta->sta);
if (err) {
- if (!async)
+ if (!async) {
+ kfree(sinfo);
return err;
+ }
printk(KERN_DEBUG "%s: failed to add IBSS STA %pM to "
"driver (%d) - keeping it anyway.\n",
sdata->name, sta->sta.addr, err);

2016-04-27 00:46:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 018/115] drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Hennerich <[email protected]>

commit f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577 upstream.

Fix RDAC read back errors caused by a typo. Value must shift by 2.

Fixes: a4bd394956f2 ("drivers/misc/ad525x_dpot.c: new features")
Signed-off-by: Michael Hennerich <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/misc/ad525x_dpot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/ad525x_dpot.c
+++ b/drivers/misc/ad525x_dpot.c
@@ -218,7 +218,7 @@ static s32 dpot_read_i2c(struct dpot_dat
*/
value = swab16(value);

- if (dpot->uid == DPOT_UID(AD5271_ID))
+ if (dpot->uid == DPOT_UID(AD5274_ID))
value = value >> 2;
return value;
default:

2016-04-27 00:46:44

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 010/115] mac80211: avoid excessive stack usage in sta_info

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit 0ef049dc1167fe834d0ad5d63f89eddc5c70f6e4 upstream.

When CONFIG_OPTIMIZE_INLINING is set, the sta_info_insert_finish
function consumes more stack than normally, exceeding the
1024 byte limit on ARM:

net/mac80211/sta_info.c: In function 'sta_info_insert_finish':
net/mac80211/sta_info.c:561:1: error: the frame size of 1080 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

It turns out that there are two functions that put a 'struct station_info'
on the stack: __sta_info_destroy_part2 and sta_info_insert_finish, and
this structure alone requires up to 792 bytes.

Hoping that both are called rarely enough, this replaces the
on-stack structure with a dynamic allocation, which unfortunately
requires some suboptimal error handling for out-of-memory.

The __sta_info_destroy_part2 function is actually affected by the
stack usage twice because it calls cfg80211_del_sta_sinfo(), which
has another instance of struct station_info on its stack.

Signed-off-by: Arnd Bergmann <[email protected]>
Fixes: 98b6218388e3 ("mac80211/cfg80211: add station events")
Fixes: 6f7a8d26e266 ("mac80211: send statistics with delete station event")
Signed-off-by: Johannes Berg <[email protected]>
[bwh: Backported to 3.2:
- There's only one instance to fix
- Adjust context,indentation
- Use 'return' instead of 'goto out_err']
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -344,12 +344,16 @@ static int sta_info_finish_insert(struct
{
struct ieee80211_local *local = sta->local;
struct ieee80211_sub_if_data *sdata = sta->sdata;
- struct station_info sinfo;
+ struct station_info *sinfo;
unsigned long flags;
int err = 0;

lockdep_assert_held(&local->sta_mtx);

+ sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL);
+ if (!sinfo)
+ return -ENOMEM;
+
if (!sta->dummy || dummy_reinsert) {
/* notify driver */
if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
@@ -397,12 +401,11 @@ static int sta_info_finish_insert(struct
ieee80211_sta_debugfs_add(sta);
rate_control_add_sta_debugfs(sta);

- memset(&sinfo, 0, sizeof(sinfo));
- sinfo.filled = 0;
- sinfo.generation = local->sta_generation;
- cfg80211_new_sta(sdata->dev, sta->sta.addr, &sinfo, GFP_KERNEL);
+ sinfo->generation = local->sta_generation;
+ cfg80211_new_sta(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL);
}

+ kfree(sinfo);
return 0;
}


2016-04-27 00:46:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 005/115] usb: retry reset if a device times out

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 264904ccc33c604d4b3141bbd33808152dfac45b upstream.

Some devices I got show an inability to operate right after
power on if they are already connected. They are beyond recovery
if the descriptors are requested multiple times. So in case of
a timeout we rather bail early and reset again. But it must be
done only on the first loop lest we get into a reset/time out
spiral that can be overcome with a retry.

This patch is a rework of a patch that fell through the cracks.
http://www.spinics.net/lists/linux-usb/msg103263.html

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/hub.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -3171,7 +3171,13 @@ hub_port_init (struct usb_hub *hub, stru
r = -EPROTO;
break;
}
- if (r == 0)
+ /*
+ * Some devices time out if they are powered on
+ * when already connected. They need a second
+ * reset. But only on the first attempt,
+ * lest we get into a time out/reset loop
+ */
+ if (r == 0 || (r == -ETIMEDOUT && j == 0))
break;
}
udev->descriptor.bMaxPacketSize0 =

2016-04-27 00:46:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 006/115] [media] saa7134: Fix bytesperline not being set correctly for planar formats

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hans de Goede <[email protected]>

commit 3e71da19f9dc22e39a755d6ae9678661abb66adc upstream.

bytesperline should be the bytesperline for the first plane for planar
formats, not that of all planes combined.

This fixes a crash in xawtv caused by the wrong bpl.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1305389
Reported-and-tested-by: Stas Sergeev <[email protected]>

Signed-off-by: Hans de Goede <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/video/saa7134/saa7134-video.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/media/video/saa7134/saa7134-video.c
+++ b/drivers/media/video/saa7134/saa7134-video.c
@@ -1577,10 +1577,13 @@ static int saa7134_g_fmt_vid_cap(struct
f->fmt.pix.height = fh->height;
f->fmt.pix.field = fh->cap.field;
f->fmt.pix.pixelformat = fh->fmt->fourcc;
- f->fmt.pix.bytesperline =
- (f->fmt.pix.width * fh->fmt->depth) >> 3;
+ if (fh->fmt->planar)
+ f->fmt.pix.bytesperline = f->fmt.pix.width;
+ else
+ f->fmt.pix.bytesperline =
+ (f->fmt.pix.width * fh->fmt->depth) / 8;
f->fmt.pix.sizeimage =
- f->fmt.pix.height * f->fmt.pix.bytesperline;
+ (f->fmt.pix.height * f->fmt.pix.width * fh->fmt->depth) / 8;
return 0;
}

@@ -1641,10 +1644,13 @@ static int saa7134_try_fmt_vid_cap(struc
if (f->fmt.pix.height > maxh)
f->fmt.pix.height = maxh;
f->fmt.pix.width &= ~0x03;
- f->fmt.pix.bytesperline =
- (f->fmt.pix.width * fmt->depth) >> 3;
+ if (fmt->planar)
+ f->fmt.pix.bytesperline = f->fmt.pix.width;
+ else
+ f->fmt.pix.bytesperline =
+ (f->fmt.pix.width * fmt->depth) / 8;
f->fmt.pix.sizeimage =
- f->fmt.pix.height * f->fmt.pix.bytesperline;
+ (f->fmt.pix.height * f->fmt.pix.width * fmt->depth) / 8;

return 0;
}

2016-04-27 00:47:46

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 019/115] usb: hub: fix a typo in hub_port_init() leading to wrong logic

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 0d5ce778c43bf888328231bcdce05d5c860655aa upstream.

A typo of j for i led to a logic bug. To rule out future
confusion, the variable names are made meaningful.

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/hub.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -3033,7 +3033,7 @@ hub_port_init (struct usb_hub *hub, stru

struct usb_device *hdev = hub->hdev;
struct usb_hcd *hcd = bus_to_hcd(hdev->bus);
- int i, j, retval;
+ int retries, operations, retval, i;
unsigned delay = HUB_SHORT_RESET_TIME;
enum usb_device_speed oldspeed = udev->speed;
const char *speed;
@@ -3135,7 +3135,7 @@ hub_port_init (struct usb_hub *hub, stru
* first 8 bytes of the device descriptor to get the ep0 maxpacket
* value.
*/
- for (i = 0; i < GET_DESCRIPTOR_TRIES; (++i, msleep(100))) {
+ for (retries = 0; retries < GET_DESCRIPTOR_TRIES; (++retries, msleep(100))) {
if (USE_NEW_SCHEME(retry_counter) && !(hcd->driver->flags & HCD_USB3)) {
struct usb_device_descriptor *buf;
int r = 0;
@@ -3151,7 +3151,7 @@ hub_port_init (struct usb_hub *hub, stru
* 255 is for WUSB devices, we actually need to use
* 512 (WUSB1.0[4.8.1]).
*/
- for (j = 0; j < 3; ++j) {
+ for (operations = 0; operations < 3; ++operations) {
buf->bMaxPacketSize0 = 0;
r = usb_control_msg(udev, usb_rcvaddr0pipe(),
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN,
@@ -3177,7 +3177,7 @@ hub_port_init (struct usb_hub *hub, stru
* reset. But only on the first attempt,
* lest we get into a time out/reset loop
*/
- if (r == 0 || (r == -ETIMEDOUT && j == 0))
+ if (r == 0 || (r == -ETIMEDOUT && retries == 0))
break;
}
udev->descriptor.bMaxPacketSize0 =
@@ -3209,7 +3209,7 @@ hub_port_init (struct usb_hub *hub, stru
* authorization will assign the final address.
*/
if (udev->wusb == 0) {
- for (j = 0; j < SET_ADDRESS_TRIES; ++j) {
+ for (operations = 0; operations < SET_ADDRESS_TRIES; ++operations) {
retval = hub_set_address(udev, devnum);
if (retval >= 0)
break;

2016-04-27 00:47:50

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 013/115] Bluetooth: btusb: Add a new AR3012 ID 04ca:3014

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <[email protected]>

commit 81d90442eac779938217c3444b240aa51fd3db47 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=03 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04ca ProdID=3014 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1546694

Signed-off-by: Dmitry Tunin <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -90,6 +90,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x04CA, 0x300b) },
{ USB_DEVICE(0x04CA, 0x300f) },
{ USB_DEVICE(0x04CA, 0x3010) },
+ { USB_DEVICE(0x04CA, 0x3014) },
{ USB_DEVICE(0x0930, 0x0219) },
{ USB_DEVICE(0x0930, 0x021c) },
{ USB_DEVICE(0x0930, 0x0220) },
@@ -152,6 +153,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -175,6 +175,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },

2016-04-27 00:47:49

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 002/115] [media] pwc: Add USB id for Philips Spc880nc webcam

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hans de Goede <[email protected]>

commit 7445e45d19a09e5269dc85f17f9635be29d2f76c upstream.

SPC 880NC PC camera discussions:
http://www.pclinuxos.com/forum/index.php/topic,135688.0.html

Reported-by: Kikim <[email protected]>
Signed-off-by: Hans de Goede <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/video/pwc/pwc-if.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/media/video/pwc/pwc-if.c
+++ b/drivers/media/video/pwc/pwc-if.c
@@ -91,6 +91,7 @@ static const struct usb_device_id pwc_de
{ USB_DEVICE(0x0471, 0x0312) },
{ USB_DEVICE(0x0471, 0x0313) }, /* the 'new' 720K */
{ USB_DEVICE(0x0471, 0x0329) }, /* Philips SPC 900NC PC Camera */
+ { USB_DEVICE(0x0471, 0x032C) }, /* Philips SPC 880NC PC Camera */
{ USB_DEVICE(0x069A, 0x0001) }, /* Askey */
{ USB_DEVICE(0x046D, 0x08B0) }, /* Logitech QuickCam Pro 3000 */
{ USB_DEVICE(0x046D, 0x08B1) }, /* Logitech QuickCam Notebook Pro */
@@ -965,6 +966,11 @@ static int usb_pwc_probe(struct usb_inte
name = "Philips SPC 900NC webcam";
type_id = 740;
break;
+ case 0x032C:
+ PWC_INFO("Philips SPC 880NC USB webcam detected.\n");
+ name = "Philips SPC 880NC webcam";
+ type_id = 740;
+ break;
default:
return -ENODEV;
break;

2016-04-27 00:47:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 015/115] watchdog: rc32434_wdt: fix ioctl error handling

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Michael S. Tsirkin" <[email protected]>

commit 10e7ac22cdd4d211cef99afcb9371b70cb175be6 upstream.

Calling return copy_to_user(...) in an ioctl will not do the right thing
if there's a pagefault: copy_to_user returns the number of bytes not
copied in this case.

Fix up watchdog/rc32434_wdt to do
return copy_to_user(...)) ? -EFAULT : 0;

instead.

Signed-off-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Wim Van Sebroeck <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/watchdog/rc32434_wdt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/watchdog/rc32434_wdt.c
+++ b/drivers/watchdog/rc32434_wdt.c
@@ -239,7 +239,7 @@ static long rc32434_wdt_ioctl(struct fil
return -EINVAL;
/* Fall through */
case WDIOC_GETTIMEOUT:
- return copy_to_user(argp, &timeout, sizeof(int));
+ return copy_to_user(argp, &timeout, sizeof(int)) ? -EFAULT : 0;
default:
return -ENOTTY;
}

2016-04-27 00:47:44

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 012/115] PCI: Disable IO/MEM decoding for devices with non-compliant BARs

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <[email protected]>

commit b84106b4e2290c081cdab521fa832596cdfea246 upstream.

The PCI config header (first 64 bytes of each device's config space) is
defined by the PCI spec so generic software can identify the device and
manage its usage of I/O, memory, and IRQ resources.

Some non-spec-compliant devices put registers other than BARs where the
BARs should be. When the PCI core sizes these "BARs", the reads and writes
it does may have unwanted side effects, and the "BAR" may appear to
describe non-sensical address space.

Add a flag bit to mark non-compliant devices so we don't touch their BARs.
Turn off IO/MEM decoding to prevent the devices from consuming address
space, since we can't read the BARs to find out what that address space
would be.

Signed-off-by: Bjorn Helgaas <[email protected]>
Tested-by: Andi Kleen <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/probe.c | 14 ++++++++++++++
include/linux/pci.h | 1 +
2 files changed, 15 insertions(+)

--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -136,6 +136,9 @@ int __pci_read_base(struct pci_dev *dev,
u32 l, sz, mask;
u16 orig_cmd;

+ if (dev->non_compliant_bars)
+ return 0;
+
mask = type ? PCI_ROM_ADDRESS_MASK : ~0;

if (!dev->mmio_always_on) {
@@ -902,6 +905,7 @@ void set_pcie_hotplug_bridge(struct pci_
int pci_setup_device(struct pci_dev *dev)
{
u32 class;
+ u16 cmd;
u8 hdr_type;
struct pci_slot *slot;
int pos = 0;
@@ -949,6 +953,16 @@ int pci_setup_device(struct pci_dev *dev
/* device class may be changed after fixup */
class = dev->class >> 8;

+ if (dev->non_compliant_bars) {
+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
+ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
+ dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n");
+ cmd &= ~PCI_COMMAND_IO;
+ cmd &= ~PCI_COMMAND_MEMORY;
+ pci_write_config_word(dev, PCI_COMMAND, cmd);
+ }
+ }
+
switch (dev->hdr_type) { /* header type */
case PCI_HEADER_TYPE_NORMAL: /* standard header */
if (class == PCI_CLASS_BRIDGE_PCI)
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -327,6 +327,7 @@ struct pci_dev {
unsigned int is_hotplug_bridge:1;
unsigned int __aer_firmware_first_valid:1;
unsigned int __aer_firmware_first:1;
+ unsigned int non_compliant_bars:1; /* broken BARs; ignore them */
pci_dev_flags_t dev_flags;
atomic_t enable_cnt; /* pci_enable_device has been called */


2016-04-27 00:47:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.2 014/115] [media] bttv: Width must be a multiple of 16 when capturing planar formats

3.2.80-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hans de Goede <[email protected]>

commit 5c915c68763889f0183a1cc61c84bb228b60124a upstream.

On my bttv card "Hauppauge WinTV [card=10]" capturing in YV12 fmt at max
size results in a solid green rectangle being captured (all colors 0 in
YUV).

This turns out to be caused by max-width (924) not being a multiple of 16.

We've likely never hit this problem before since normally xawtv / tvtime,
etc. will prefer packed pixel formats. But when using a video card which
is using xf86-video-modesetting + glamor, only planar XVideo fmts are
available, and xawtv will chose a matching capture format to avoid needing
to do conversion, triggering the solid green window problem.

Signed-off-by: Hans de Goede <[email protected]>
Acked-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/video/bt8xx/bttv-driver.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)

--- a/drivers/media/video/bt8xx/bttv-driver.c
+++ b/drivers/media/video/bt8xx/bttv-driver.c
@@ -2480,6 +2480,19 @@ static int bttv_g_fmt_vid_overlay(struct
return 0;
}

+static void bttv_get_width_mask_vid_cap(const struct bttv_format *fmt,
+ unsigned int *width_mask,
+ unsigned int *width_bias)
+{
+ if (fmt->flags & FORMAT_FLAGS_PLANAR) {
+ *width_mask = ~15; /* width must be a multiple of 16 pixels */
+ *width_bias = 8; /* nearest */
+ } else {
+ *width_mask = ~3; /* width must be a multiple of 4 pixels */
+ *width_bias = 2; /* nearest */
+ }
+}
+
static int bttv_try_fmt_vid_cap(struct file *file, void *priv,
struct v4l2_format *f)
{
@@ -2488,6 +2501,7 @@ static int bttv_try_fmt_vid_cap(struct f
struct bttv *btv = fh->btv;
enum v4l2_field field;
__s32 width, height;
+ unsigned int width_mask, width_bias;
int rc;

fmt = format_by_fourcc(f->fmt.pix.pixelformat);
@@ -2525,9 +2539,9 @@ static int bttv_try_fmt_vid_cap(struct f
width = f->fmt.pix.width;
height = f->fmt.pix.height;

+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
rc = limit_scaled_size_lock(fh, &width, &height, field,
- /* width_mask: 4 pixels */ ~3,
- /* width_bias: nearest */ 2,
+ width_mask, width_bias,
/* adjust_size */ 1,
/* adjust_crop */ 0);
if (0 != rc)
@@ -2558,6 +2572,7 @@ static int bttv_s_fmt_vid_cap(struct fil
struct bttv_fh *fh = priv;
struct bttv *btv = fh->btv;
__s32 width, height;
+ unsigned int width_mask, width_bias;
enum v4l2_field field;

retval = bttv_switch_type(fh, f->type);
@@ -2572,9 +2587,10 @@ static int bttv_s_fmt_vid_cap(struct fil
height = f->fmt.pix.height;
field = f->fmt.pix.field;

+ fmt = format_by_fourcc(f->fmt.pix.pixelformat);
+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
retval = limit_scaled_size_lock(fh, &width, &height, f->fmt.pix.field,
- /* width_mask: 4 pixels */ ~3,
- /* width_bias: nearest */ 2,
+ width_mask, width_bias,
/* adjust_size */ 1,
/* adjust_crop */ 1);
if (0 != retval)
@@ -2582,8 +2598,6 @@ static int bttv_s_fmt_vid_cap(struct fil

f->fmt.pix.field = field;

- fmt = format_by_fourcc(f->fmt.pix.pixelformat);
-
/* update our state informations */
fh->fmt = fmt;
fh->cap.field = f->fmt.pix.field;

2016-04-27 03:38:41

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 3.2 000/115] 3.2.80-rc1 review

On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.2.80 release.
> There are 115 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Apr 30 22:00:00 UTC 2016.
> Anything received after that time might be too late.
>

Build results:
total: 94 pass: 94 fail: 0
Qemu test results:
total: 61 pass: 61 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

2016-04-27 15:59:48

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_s ummed; doing so treats packets with bad checksums as good.

On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> 3.2.80-rc1 review patch. If anyone has any objections, please let me know.

I would be careful about this. It causes regressions when sending
PACKET_SOCKET buffers from user-space to veth devices.

There was a proposed upstream fix for the regression, but it has not gone
into the tree as far as I know.

http://www.spinics.net/lists/netdev/msg370436.html

Thanks,
Ben

>
> ------------------
>
> From: Vijay Pandurangan <[email protected]>
>
> [ Upstream commit ce8c839b74e3017996fad4e1b7ba2e2625ede82f ]
>
> Packets that arrive from real hardware devices have ip_summed ==
> CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
> CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
> current version of veth will replace CHECKSUM_NONE with
> CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
> a veth device to be delivered to the application. This caused applications
> at Twitter to receive corrupt data when network hardware was corrupting
> packets.
>
> We believe this was added as an optimization to skip computing and
> verifying checksums for communication between containers. However, locally
> generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as
> written does nothing for them. As far as we can tell, after removing this
> code, these packets are transmitted from one stack to another unmodified
> (tcpdump shows invalid checksums on both sides, as expected), and they are
> delivered correctly to applications. We didn’t test every possible network
> configuration, but we tried a few common ones such as bridging containers,
> using NAT between the host and a container, and routing from hardware
> devices to containers. We have effectively deployed this in production at
> Twitter (by disabling RX checksum offloading on veth devices).
>
> This code dates back to the first version of the driver, commit
> <e314dbdc1c0dc6a548ecf> ("[NET]: Virtual ethernet device driver"), so I
> suspect this bug occurred mostly because the driver API has evolved
> significantly since then. Commit <0b7967503dc97864f283a> ("net/veth: Fix
> packet checksumming") (in December 2010) fixed this for packets that get
> created locally and sent to hardware devices, by not changing
> CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming
> in from hardware devices.
>
> Co-authored-by: Evan Jones <[email protected]>
> Signed-off-by: Evan Jones <[email protected]>
> Cc: Nicolas Dichtel <[email protected]>
> Cc: Phil Sutter <[email protected]>
> Cc: Toshiaki Makita <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Signed-off-by: Vijay Pandurangan <[email protected]>
> Acked-by: Cong Wang <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
> [bwh: Backported to 3.2: adjust context]
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> drivers/net/veth.c | 6 ------
> 1 file changed, 6 deletions(-)
>
> --- a/drivers/net/veth.c
> +++ b/drivers/net/veth.c
> @@ -126,11 +126,6 @@ static netdev_tx_t veth_xmit(struct sk_b
> stats = this_cpu_ptr(priv->stats);
> rcv_stats = this_cpu_ptr(rcv_priv->stats);
>
> - /* don't change ip_summed == CHECKSUM_PARTIAL, as that
> - will cause bad checksum on forwarded packets */
> - if (skb->ip_summed == CHECKSUM_NONE &&
> - rcv->features & NETIF_F_RXCSUM)
> - skb->ip_summed = CHECKSUM_UNNECESSARY;
>
> length = skb->len;
> if (dev_forward_skb(rcv, skb) != NET_RX_SUCCESS)
>


--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com

2016-04-27 18:08:15

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.

On Wed, 2016-04-27 at 08:59 -0700, Ben Greear wrote:
> On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> >
> > 3.2.80-rc1 review patch.  If anyone has any objections, please let me know.
> I would be careful about this.  It causes regressions when sending
> PACKET_SOCKET buffers from user-space to veth devices.
>
> There was a proposed upstream fix for the regression, but it has not gone
> into the tree as far as I know.
>
> http://www.spinics.net/lists/netdev/msg370436.html
[...]

OK, I'll drop this for now.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.


Attachments:
signature.asc (819.00 B)
This is a digitally signed message part

2016-04-27 21:20:22

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.2 000/115] 3.2.80-rc1 review

This is the combined diff for 3.2.80-rc1 relative to 3.2.79.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.


Attachments:
linux-3.2.80-rc1.patch (142.89 kB)
signature.asc (819.00 B)
This is a digitally signed message part
Download all attachments

2016-04-28 00:00:08

by Hannes Frederic Sowa

[permalink] [raw]
Subject: Re: [PATCH 3.2 085 /115] veth: don’t modify ip_summed; doing so treats pa ckets with bad che cksums as good.

Hi Ben,

On Wed, Apr 27, 2016, at 20:07, Ben Hutchings wrote:
> On Wed, 2016-04-27 at 08:59 -0700, Ben Greear wrote:
> > On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> > >
> > > 3.2.80-rc1 review patch.  If anyone has any objections, please let me know.
> > I would be careful about this.  It causes regressions when sending
> > PACKET_SOCKET buffers from user-space to veth devices.
> >
> > There was a proposed upstream fix for the regression, but it has not gone
> > into the tree as far as I know.
> >
> > http://www.spinics.net/lists/netdev/msg370436.html
> [...]
>
> OK, I'll drop this for now.

The fall out from not having this patch is in my opinion a bigger
fallout than not having this patch. This patch fixes silent data
corruption vs. the problem Ben Greear is talking about, which might not
be that a common usage.

What do others think?

Bye,
Hannes

2016-04-28 00:14:51

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_s ummed; doing so treats packets with bad checksums as good.

On 04/27/2016 05:00 PM, Hannes Frederic Sowa wrote:
> Hi Ben,
>
> On Wed, Apr 27, 2016, at 20:07, Ben Hutchings wrote:
>> On Wed, 2016-04-27 at 08:59 -0700, Ben Greear wrote:
>>> On 04/26/2016 04:02 PM, Ben Hutchings wrote:
>>>>
>>>> 3.2.80-rc1 review patch. If anyone has any objections, please let me know.
>>> I would be careful about this. It causes regressions when sending
>>> PACKET_SOCKET buffers from user-space to veth devices.
>>>
>>> There was a proposed upstream fix for the regression, but it has not gone
>>> into the tree as far as I know.
>>>
>>> http://www.spinics.net/lists/netdev/msg370436.html
>> [...]
>>
>> OK, I'll drop this for now.
>
> The fall out from not having this patch is in my opinion a bigger
> fallout than not having this patch. This patch fixes silent data
> corruption vs. the problem Ben Greear is talking about, which might not
> be that a common usage.
>
> What do others think?
>
> Bye,
> Hannes
>

This patch from Cong Wang seems to fix the regression for me, I think it should be added and
tested in the main tree, and then apply them to stable as a pair.

http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a



diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index da1ae0e..f8cc758 100644 (file)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1926,6 +1926,7 @@ retry:
goto out_unlock;
}

+ skb->ip_summed = CHECKSUM_UNNECESSARY;
skb->protocol = proto;
skb->dev = dev;
skb->priority = sk->sk_priority;
@@ -2352,6 +2353,7 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,

ph.raw = frame;

+ skb->ip_summed = CHECKSUM_UNNECESSARY;
skb->protocol = proto;
skb->dev = dev;
skb->priority = po->sk.sk_priority;
@@ -2776,6 +2778,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
goto out_free;
}

+ skb->ip_summed = CHECKSUM_UNNECESSARY;
skb->protocol = proto;
skb->dev = dev;
skb->priority = sk->sk_priority;

Thanks,
Ben

--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com

2016-04-28 10:30:05

by Sabrina Dubroca

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: do n’t modify ip_summed ; doing so treats packets with bad checksums as good.

Hello,

2016-04-27, 17:14:44 -0700, Ben Greear wrote:
> On 04/27/2016 05:00 PM, Hannes Frederic Sowa wrote:
> > Hi Ben,
> >
> > On Wed, Apr 27, 2016, at 20:07, Ben Hutchings wrote:
> > > On Wed, 2016-04-27 at 08:59 -0700, Ben Greear wrote:
> > > > On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> > > > >
> > > > > 3.2.80-rc1 review patch. If anyone has any objections, please let me know.
> > > > I would be careful about this. It causes regressions when sending
> > > > PACKET_SOCKET buffers from user-space to veth devices.
> > > >
> > > > There was a proposed upstream fix for the regression, but it has not gone
> > > > into the tree as far as I know.
> > > >
> > > > http://www.spinics.net/lists/netdev/msg370436.html
> > > [...]
> > >
> > > OK, I'll drop this for now.
> >
> > The fall out from not having this patch is in my opinion a bigger
> > fallout than not having this patch. This patch fixes silent data
> > corruption vs. the problem Ben Greear is talking about, which might not
> > be that a common usage.
> >
> > What do others think?
> >
> > Bye,
> > Hannes
> >
>
> This patch from Cong Wang seems to fix the regression for me, I think it should be added and
> tested in the main tree, and then apply them to stable as a pair.
>
> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a

Actually, no, this is not really a regression.

If you capture packets on a device with checksum offloading enabled,
the TCP/UDP checksum isn't filled. veth also behaves that way. What
the "veth: don't modify ip_summed" patch does is enable proper
checksum validation on veth. This really was a bug in veth.

Cong's patch would also break cases where we choose to inject packets
with invalid checksums, and they would now be accepted as correct.

Your use case is invalid, it just happened to work because of a
bug. If you want the stack to fill checksums so that you want capture
and reinject packets, you have to disable checksum offloading (or
compute the checksum yourself in userspace).

Thanks.

--
Sabrina

2016-04-28 13:45:55

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_ summed; doing so treats packets with bad checks ums as good.



On 04/28/2016 03:29 AM, Sabrina Dubroca wrote:
> Hello,
>
> 2016-04-27, 17:14:44 -0700, Ben Greear wrote:
>> On 04/27/2016 05:00 PM, Hannes Frederic Sowa wrote:
>>> Hi Ben,
>>>
>>> On Wed, Apr 27, 2016, at 20:07, Ben Hutchings wrote:
>>>> On Wed, 2016-04-27 at 08:59 -0700, Ben Greear wrote:
>>>>> On 04/26/2016 04:02 PM, Ben Hutchings wrote:
>>>>>>
>>>>>> 3.2.80-rc1 review patch. If anyone has any objections, please let me know.
>>>>> I would be careful about this. It causes regressions when sending
>>>>> PACKET_SOCKET buffers from user-space to veth devices.
>>>>>
>>>>> There was a proposed upstream fix for the regression, but it has not gone
>>>>> into the tree as far as I know.
>>>>>
>>>>> http://www.spinics.net/lists/netdev/msg370436.html
>>>> [...]
>>>>
>>>> OK, I'll drop this for now.
>>>
>>> The fall out from not having this patch is in my opinion a bigger
>>> fallout than not having this patch. This patch fixes silent data
>>> corruption vs. the problem Ben Greear is talking about, which might not
>>> be that a common usage.
>>>
>>> What do others think?
>>>
>>> Bye,
>>> Hannes
>>>
>>
>> This patch from Cong Wang seems to fix the regression for me, I think it should be added and
>> tested in the main tree, and then apply them to stable as a pair.
>>
>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
>
> Actually, no, this is not really a regression.
>
> If you capture packets on a device with checksum offloading enabled,
> the TCP/UDP checksum isn't filled. veth also behaves that way. What
> the "veth: don't modify ip_summed" patch does is enable proper
> checksum validation on veth. This really was a bug in veth.
>
> Cong's patch would also break cases where we choose to inject packets
> with invalid checksums, and they would now be accepted as correct.
>
> Your use case is invalid, it just happened to work because of a
> bug. If you want the stack to fill checksums so that you want capture
> and reinject packets, you have to disable checksum offloading (or
> compute the checksum yourself in userspace).

Disabling checksum offloading or computing in user-space (and then
recomputing in veth to verify the checksum?) is a huge performance loss.

Maybe we could add a socket option to enable Cong's patch on a per-socket
basis? That way my use-case can still work and you can have this new
behaviour by default?

Thanks,
Ben


--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com

2016-04-28 15:46:05

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.2 071/115] usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done()

On Wed, 2016-04-27 at 01:02 +0200, Ben Hutchings wrote:
> 3.2.80-rc1 review patch.  If anyone has any objections, please let me know.

I'm dropping this as it depends on other changes to renesas_usbhs.

Ben.

> ------------------
>
> From: Yoshihiro Shimoda <[email protected]>
>
> commit 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d upstream.
>
> This patch fixes an issue that usbhsg_queue_done() may cause kernel
> panic when dma callback is running and usb_ep_disable() is called
> by interrupt handler. (Especially, we can reproduce this issue using
> g_audio with usb-dmac driver.)
>
> For example of a flow:
>  usbhsf_dma_complete (on tasklet)
>   --> usbhsf_pkt_handler (on tasklet)
>    --> usbhsg_queue_done (on tasklet)
>     *** interrupt happened and usb_ep_disable() is called ***
>     --> usbhsg_queue_pop (on tasklet)
>      Then, oops happened.
>
> Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
> Signed-off-by: Yoshihiro Shimoda <[email protected]>
> Signed-off-by: Felipe Balbi <[email protected]>
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
>  drivers/usb/renesas_usbhs/mod_gadget.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> --- a/drivers/usb/renesas_usbhs/mod_gadget.c
> +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
> @@ -146,10 +146,14 @@ static void usbhsg_queue_done(struct usb
>   struct usbhs_pipe *pipe = pkt->pipe;
>   struct usbhsg_uep *uep = usbhsg_pipe_to_uep(pipe);
>   struct usbhsg_request *ureq = usbhsg_pkt_to_ureq(pkt);
> + unsigned long flags;
>  
>   ureq->req.actual = pkt->actual;
>  
> - usbhsg_queue_pop(uep, ureq, 0);
> + usbhs_lock(priv, flags);
> + if (uep)
> + __usbhsg_queue_pop(uep, ureq, 0);
> + usbhs_unlock(priv, flags);
>  }
>  
>  static void usbhsg_queue_push(struct usbhsg_uep *uep,
>
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to [email protected]
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
Ben Hutchings
All extremists should be taken out and shot.


Attachments:
signature.asc (819.00 B)
This is a digitally signed message part

2016-04-28 16:05:21

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.2 000/115] 3.2.80-rc1 review

On Tue, 2016-04-26 at 20:38 -0700, Guenter Roeck wrote:
> On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> >
> > This is the start of the stable review cycle for the 3.2.80
> > release.
> > There are 115 patches in this series, which will be posted as
> > responses
> > to this one.  If anyone has any issues with these being applied,
> > please
> > let me know.
> >
> > Responses should be made by Sat Apr 30 22:00:00 UTC 2016.
> > Anything received after that time might be too late.
> >
> Build results:
> total: 94 pass: 94 fail: 0
> Qemu test results:
> total: 61 pass: 61 fail: 0
>
> Details are available at http://kerneltests.org/builders.

Thanks for checking.

Ben.

-- 
Ben Hutchings
All extremists should be taken out and shot.


Attachments:
signature.asc (819.00 B)
This is a digitally signed message part

2016-04-30 19:27:01

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.

On Thu, 2016-04-28 at 12:29 +0200, Sabrina Dubroca wrote:
> Hello,
>
> 2016-04-27, 17:14:44 -0700, Ben Greear wrote:
> >
> > On 04/27/2016 05:00 PM, Hannes Frederic Sowa wrote:
> > >
> > > Hi Ben,
> > >
> > > On Wed, Apr 27, 2016, at 20:07, Ben Hutchings wrote:
> > > >
> > > > On Wed, 2016-04-27 at 08:59 -0700, Ben Greear wrote:
> > > > >
> > > > > On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> > > > > >
> > > > > >
> > > > > > 3.2.80-rc1 review patch.  If anyone has any objections, please let me know.
> > > > > I would be careful about this.  It causes regressions when sending
> > > > > PACKET_SOCKET buffers from user-space to veth devices.
> > > > >
> > > > > There was a proposed upstream fix for the regression, but it has not gone
> > > > > into the tree as far as I know.
> > > > >
> > > > > http://www.spinics.net/lists/netdev/msg370436.html
> > > > [...]
> > > >
> > > > OK, I'll drop this for now.
> > > The fall out from not having this patch is in my opinion a bigger
> > > fallout than not having this patch. This patch fixes silent data
> > > corruption vs. the problem Ben Greear is talking about, which might not
> > > be that a common usage.
> > >
> > > What do others think?
> > >
> > > Bye,
> > > Hannes
> > >
> > This patch from Cong Wang seems to fix the regression for me, I think it should be added and
> > tested in the main tree, and then apply them to stable as a pair.
> >
> > http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
> Actually, no, this is not really a regression.
[...]

It really is.  Even though the old behaviour was a bug (raw packets
should not be changed), if there are real applications that depend on
that then we have to keep those applications working somehow.

Ben.

--
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.


Attachments:
signature.asc (819.00 B)
This is a digitally signed message part

2016-04-30 19:26:59

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.

On Thu, 2016-04-28 at 06:45 -0700, Ben Greear wrote:
>
> On 04/28/2016 03:29 AM, Sabrina Dubroca wrote:
[...]
> > Your use case is invalid, it just happened to work because of a
> > bug.  If you want the stack to fill checksums so that you want capture
> > and reinject packets, you have to disable checksum offloading (or
> > compute the checksum yourself in userspace).
> Disabling checksum offloading or computing in user-space (and then
> recomputing in veth to verify the checksum?) is a huge performance loss.
>
> Maybe we could add a socket option to enable Cong's patch on a per-socket
> basis?  That way my use-case can still work and you can have this new
> behaviour by default?

It does sound like a useful option to have.  If there are other
applications that depend on veth's checksum-fixing behaviour and are
being distributed in binary form, then a per-device option might be
necessary so users can keep those applications working before they're
updated.

Ben.

--
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.


Attachments:
signature.asc (819.00 B)
This is a digitally signed message part

2016-04-30 19:40:13

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_ summed; doing so treats packets with bad checks ums as good.



On 04/30/2016 11:33 AM, Ben Hutchings wrote:
> On Thu, 2016-04-28 at 12:29 +0200, Sabrina Dubroca wrote:
>> Hello,

>>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
>> Actually, no, this is not really a regression.
> [...]
>
> It really is. Even though the old behaviour was a bug (raw packets
> should not be changed), if there are real applications that depend on
> that then we have to keep those applications working somehow.

To be honest, I fail to see why the old behaviour is a bug when sending
raw packets from user-space. If raw packets should not be changed, then
we need some way to specify what the checksum setting is to begin with,
otherwise, user-space has not enough control.

A socket option for new programs, and sysctl configurable defaults for raw sockets
for old binary programs would be sufficient I think.

Thanks,
Ben

--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com

2016-04-30 19:54:40

by Tom Herbert

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summ ed; doing so treats packets with bad checksums as good.

We've put considerable effort into cleaning up the checksum interface
to make it as unambiguous as possible, please be very careful to
follow it. Broken checksum processing is really hard to detect and
debug.

CHECKSUM_UNNECESSARY means that some number of _specific_ checksums
(indicated by csum_level) have been verified to be correct in a
packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is
never right. If CHECKSUM_UNNECESSARY is set in such a manner but the
checksum it would refer to has not been verified and is incorrect this
is a major bug.

Tom

On Sat, Apr 30, 2016 at 12:40 PM, Ben Greear <[email protected]> wrote:
>
>
> On 04/30/2016 11:33 AM, Ben Hutchings wrote:
>>
>> On Thu, 2016-04-28 at 12:29 +0200, Sabrina Dubroca wrote:
>>>
>>> Hello,
>
>
>>>>
>>>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
>>>
>>> Actually, no, this is not really a regression.
>>
>> [...]
>>
>> It really is. Even though the old behaviour was a bug (raw packets
>> should not be changed), if there are real applications that depend on
>> that then we have to keep those applications working somehow.
>
>
> To be honest, I fail to see why the old behaviour is a bug when sending
> raw packets from user-space. If raw packets should not be changed, then
> we need some way to specify what the checksum setting is to begin with,
> otherwise, user-space has not enough control.
>
> A socket option for new programs, and sysctl configurable defaults for raw
> sockets
> for old binary programs would be sufficient I think.
>
>
> Thanks,
> Ben
>
> --
> Ben Greear <[email protected]>
> Candela Technologies Inc http://www.candelatech.com

2016-04-30 20:15:59

by Vijay Pandurangan

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summ ed; doing so treats packets with bad checksums as good.

[oops – resending this because I was using gmail in HTML mode before
by accident]

There was a discussion on a separate thread about this. I agree with
Sabrina fully. I believe veth should provide an abstraction layer that
correctly emulates a physical network in all ways.

Consider an environment where we have multiple physical computers.
Each computer runs one or more containers, each of which has a
publicly routable ip address. When adding a new app to the cluster, a
scheduler might decide to run this container on any physical machine
of its choice, assuming that apps have a way of routing traffic to
their backends (we did something similar Google >10 years ago). This
is something we might imagine happening with docker and ipv6 for
instance.

If you have an app, A, which sends raw ethernet frames (the simplest
case I could imagine) with TCP data that has invalid checksums to app
B, which is receiving it, the behaviour of the system _will be
different_ depending upon whether app B is scheduled to run on the
same machine as app A or not. This seems like a clear bug and a broken
abstraction (especially as the default case), and something we should
endeavour to avoid.

I do see Ben's point about enabling sw checksum verification as
potentially incurring a huge performance penalty (I haven't had a
chance to measure it) that is completely wasteful in the vast majority
of cases.

Unfortunately I just don't see how we can solve this problem in a way
that preserves a correct abstraction layer while also avoiding excess
work. I guess the first piece of data that would be helpful is to
determine just how big of a performance penalty this is. If it's
small, then maybe it doesn't matter.




On Thu, Apr 28, 2016 at 6:29 AM, Sabrina Dubroca <[email protected]> wrote:
> Hello,
>
> 2016-04-27, 17:14:44 -0700, Ben Greear wrote:
>> On 04/27/2016 05:00 PM, Hannes Frederic Sowa wrote:
>> > Hi Ben,
>> >
>> > On Wed, Apr 27, 2016, at 20:07, Ben Hutchings wrote:
>> > > On Wed, 2016-04-27 at 08:59 -0700, Ben Greear wrote:
>> > > > On 04/26/2016 04:02 PM, Ben Hutchings wrote:
>> > > > >
>> > > > > 3.2.80-rc1 review patch. If anyone has any objections, please let me know.
>> > > > I would be careful about this. It causes regressions when sending
>> > > > PACKET_SOCKET buffers from user-space to veth devices.
>> > > >
>> > > > There was a proposed upstream fix for the regression, but it has not gone
>> > > > into the tree as far as I know.
>> > > >
>> > > > http://www.spinics.net/lists/netdev/msg370436.html
>> > > [...]
>> > >
>> > > OK, I'll drop this for now.
>> >
>> > The fall out from not having this patch is in my opinion a bigger
>> > fallout than not having this patch. This patch fixes silent data
>> > corruption vs. the problem Ben Greear is talking about, which might not
>> > be that a common usage.
>> >
>> > What do others think?
>> >
>> > Bye,
>> > Hannes
>> >
>>
>> This patch from Cong Wang seems to fix the regression for me, I think it should be added and
>> tested in the main tree, and then apply them to stable as a pair.
>>
>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
>
> Actually, no, this is not really a regression.
>
> If you capture packets on a device with checksum offloading enabled,
> the TCP/UDP checksum isn't filled. veth also behaves that way. What
> the "veth: don't modify ip_summed" patch does is enable proper
> checksum validation on veth. This really was a bug in veth.
>
> Cong's patch would also break cases where we choose to inject packets
> with invalid checksums, and they would now be accepted as correct.
>
> Your use case is invalid, it just happened to work because of a
> bug. If you want the stack to fill checksums so that you want capture
> and reinject packets, you have to disable checksum offloading (or
> compute the checksum yourself in userspace).
>
> Thanks.
>
> --
> Sabrina

2016-04-30 20:59:37

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_ summed; doing so treats packets with bad checks ums as good.


On 04/30/2016 12:54 PM, Tom Herbert wrote:
> We've put considerable effort into cleaning up the checksum interface
> to make it as unambiguous as possible, please be very careful to
> follow it. Broken checksum processing is really hard to detect and
> debug.
>
> CHECKSUM_UNNECESSARY means that some number of _specific_ checksums
> (indicated by csum_level) have been verified to be correct in a
> packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is
> never right. If CHECKSUM_UNNECESSARY is set in such a manner but the
> checksum it would refer to has not been verified and is incorrect this
> is a major bug.

Suppose I know that the packet received on a packet-socket has
already been verified by a NIC that supports hardware checksumming.

Then, I want to transmit it on a veth interface using a second
packet socket. I do not want veth to recalculate the checksum on
transmit, nor to validate it on the peer veth on receive, because I do
not want to waste the CPU cycles. I am assuming that my app is not
accidentally corrupting frames, so the checksum can never be bad.

How should the checksumming be configured for the packets going into
the packet-socket from user-space?

Also, I might want to send raw frames that do have
broken checksums (lets assume a real NIC, not veth), and I want them
to hit the wire with those bad checksums.

How do I configure the checksumming in this case?


Thanks,
Ben


>
> Tom
>
> On Sat, Apr 30, 2016 at 12:40 PM, Ben Greear <[email protected]> wrote:
>>
>>
>> On 04/30/2016 11:33 AM, Ben Hutchings wrote:
>>>
>>> On Thu, 2016-04-28 at 12:29 +0200, Sabrina Dubroca wrote:
>>>>
>>>> Hello,
>>
>>
>>>>>
>>>>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
>>>>
>>>> Actually, no, this is not really a regression.
>>>
>>> [...]
>>>
>>> It really is. Even though the old behaviour was a bug (raw packets
>>> should not be changed), if there are real applications that depend on
>>> that then we have to keep those applications working somehow.
>>
>>
>> To be honest, I fail to see why the old behaviour is a bug when sending
>> raw packets from user-space. If raw packets should not be changed, then
>> we need some way to specify what the checksum setting is to begin with,
>> otherwise, user-space has not enough control.
>>
>> A socket option for new programs, and sysctl configurable defaults for raw
>> sockets
>> for old binary programs would be sufficient I think.
>>
>>
>> Thanks,
>> Ben
>>
>> --
>> Ben Greear <[email protected]>
>> Candela Technologies Inc http://www.candelatech.com
>

--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com

2016-04-30 21:14:15

by Vijay Pandurangan

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summ ed; doing so treats packets with bad checksums as good.

On Sat, Apr 30, 2016 at 4:59 PM, Ben Greear <[email protected]> wrote:
>
>
> On 04/30/2016 12:54 PM, Tom Herbert wrote:
>>
>> We've put considerable effort into cleaning up the checksum interface
>> to make it as unambiguous as possible, please be very careful to
>> follow it. Broken checksum processing is really hard to detect and
>> debug.
>>
>> CHECKSUM_UNNECESSARY means that some number of _specific_ checksums
>> (indicated by csum_level) have been verified to be correct in a
>> packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is
>> never right. If CHECKSUM_UNNECESSARY is set in such a manner but the
>> checksum it would refer to has not been verified and is incorrect this
>> is a major bug.
>
>
> Suppose I know that the packet received on a packet-socket has
> already been verified by a NIC that supports hardware checksumming.
>
> Then, I want to transmit it on a veth interface using a second
> packet socket. I do not want veth to recalculate the checksum on
> transmit, nor to validate it on the peer veth on receive, because I do
> not want to waste the CPU cycles. I am assuming that my app is not
> accidentally corrupting frames, so the checksum can never be bad.
>
> How should the checksumming be configured for the packets going into
> the packet-socket from user-space?


It seems like that only the receiver should decide whether or not to
checksum packets on the veth, not the sender.

How about:

We could add a receiving socket option for "don't checksum packets
received from a veth when the other side has marked them as
elide-checksum-suggested" (similar to UDP_NOCHECKSUM), and a sending
socket option for "mark all data sent via this socket to a veth as
elide-checksum-suggested".

So the process would be:

Writer:
1. open read socket
2. open write socket, with option elide-checksum-for-veth-suggested
3. write data

Reader:
1. open read socket with "follow-elide-checksum-suggestions-on-veth"
2. read data

The kernel / module would then need to persist the flag on all packets
that traverse a veth, and drop these data when they leave the veth
module.


>
>
> Also, I might want to send raw frames that do have
> broken checksums (lets assume a real NIC, not veth), and I want them
> to hit the wire with those bad checksums.
>
>
> How do I configure the checksumming in this case?


Correct me if I'm wrong but I think this is already possible now. You
can have packets with incorrect checksum hitting the wire as is. What
you cannot do is instruct the receiving end to ignore the checksum
from the sending end when using a physical device (and something I
think we should mimic on the sending device).


>
>
>
> Thanks,
> Ben
>
>
>
>>
>> Tom
>>
>> On Sat, Apr 30, 2016 at 12:40 PM, Ben Greear <[email protected]> wrote:
>>>
>>>
>>>
>>> On 04/30/2016 11:33 AM, Ben Hutchings wrote:
>>>>
>>>>
>>>> On Thu, 2016-04-28 at 12:29 +0200, Sabrina Dubroca wrote:
>>>>>
>>>>>
>>>>> Hello,
>>>
>>>
>>>
>>>>>>
>>>>>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
>>>>>
>>>>>
>>>>> Actually, no, this is not really a regression.
>>>>
>>>>
>>>> [...]
>>>>
>>>> It really is. Even though the old behaviour was a bug (raw packets
>>>> should not be changed), if there are real applications that depend on
>>>> that then we have to keep those applications working somehow.
>>>
>>>
>>>
>>> To be honest, I fail to see why the old behaviour is a bug when sending
>>> raw packets from user-space. If raw packets should not be changed, then
>>> we need some way to specify what the checksum setting is to begin with,
>>> otherwise, user-space has not enough control.
>>>
>>> A socket option for new programs, and sysctl configurable defaults for raw
>>> sockets
>>> for old binary programs would be sufficient I think.
>>>
>>>
>>> Thanks,
>>> Ben
>>>
>>> --
>>> Ben Greear <[email protected]>
>>> Candela Technologies Inc http://www.candelatech.com
>>
>>
>
> --
> Ben Greear <[email protected]>
> Candela Technologies Inc http://www.candelatech.com

2016-04-30 21:29:46

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_ summed; doing so treats packets with bad checks ums as good.



On 04/30/2016 02:13 PM, Vijay Pandurangan wrote:
> On Sat, Apr 30, 2016 at 4:59 PM, Ben Greear <[email protected]> wrote:
>>
>>
>> On 04/30/2016 12:54 PM, Tom Herbert wrote:
>>>
>>> We've put considerable effort into cleaning up the checksum interface
>>> to make it as unambiguous as possible, please be very careful to
>>> follow it. Broken checksum processing is really hard to detect and
>>> debug.
>>>
>>> CHECKSUM_UNNECESSARY means that some number of _specific_ checksums
>>> (indicated by csum_level) have been verified to be correct in a
>>> packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is
>>> never right. If CHECKSUM_UNNECESSARY is set in such a manner but the
>>> checksum it would refer to has not been verified and is incorrect this
>>> is a major bug.
>>
>>
>> Suppose I know that the packet received on a packet-socket has
>> already been verified by a NIC that supports hardware checksumming.
>>
>> Then, I want to transmit it on a veth interface using a second
>> packet socket. I do not want veth to recalculate the checksum on
>> transmit, nor to validate it on the peer veth on receive, because I do
>> not want to waste the CPU cycles. I am assuming that my app is not
>> accidentally corrupting frames, so the checksum can never be bad.
>>
>> How should the checksumming be configured for the packets going into
>> the packet-socket from user-space?
>
>
> It seems like that only the receiver should decide whether or not to
> checksum packets on the veth, not the sender.
>
> How about:
>
> We could add a receiving socket option for "don't checksum packets
> received from a veth when the other side has marked them as
> elide-checksum-suggested" (similar to UDP_NOCHECKSUM), and a sending
> socket option for "mark all data sent via this socket to a veth as
> elide-checksum-suggested".
>
> So the process would be:
>
> Writer:
> 1. open read socket
> 2. open write socket, with option elide-checksum-for-veth-suggested
> 3. write data
>
> Reader:
> 1. open read socket with "follow-elide-checksum-suggestions-on-veth"
> 2. read data
>
> The kernel / module would then need to persist the flag on all packets
> that traverse a veth, and drop these data when they leave the veth
> module.

I'm not sure this works completely. In my app, the packet flow might be:

eth0 <-> raw-socket <-> user-space-bridge <-> raw-socket <-> vethA <-> vethB <-> [kernel router/bridge logic ...] <-> eth1

There may be no sockets on the vethB port. And reader/writer is not
a good way to look at it since I am implementing a bi-directional bridge in
user-space and each packet-socket is for both rx and tx.

>> Also, I might want to send raw frames that do have
>> broken checksums (lets assume a real NIC, not veth), and I want them
>> to hit the wire with those bad checksums.
>>
>>
>> How do I configure the checksumming in this case?
>
>
> Correct me if I'm wrong but I think this is already possible now. You
> can have packets with incorrect checksum hitting the wire as is. What
> you cannot do is instruct the receiving end to ignore the checksum
> from the sending end when using a physical device (and something I
> think we should mimic on the sending device).

Yes, it does work currently (or, last I checked)...I just want to make sure it keeps working.

Thanks,
Ben

--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com

2016-04-30 21:37:01

by Vijay Pandurangan

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summ ed; doing so treats packets with bad checksums as good.

On Sat, Apr 30, 2016 at 5:29 PM, Ben Greear <[email protected]> wrote:
>
>
> On 04/30/2016 02:13 PM, Vijay Pandurangan wrote:
>>
>> On Sat, Apr 30, 2016 at 4:59 PM, Ben Greear <[email protected]>
>> wrote:
>>>
>>>
>>>
>>> On 04/30/2016 12:54 PM, Tom Herbert wrote:
>>>>
>>>>
>>>> We've put considerable effort into cleaning up the checksum interface
>>>> to make it as unambiguous as possible, please be very careful to
>>>> follow it. Broken checksum processing is really hard to detect and
>>>> debug.
>>>>
>>>> CHECKSUM_UNNECESSARY means that some number of _specific_ checksums
>>>> (indicated by csum_level) have been verified to be correct in a
>>>> packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is
>>>> never right. If CHECKSUM_UNNECESSARY is set in such a manner but the
>>>> checksum it would refer to has not been verified and is incorrect this
>>>> is a major bug.
>>>
>>>
>>>
>>> Suppose I know that the packet received on a packet-socket has
>>> already been verified by a NIC that supports hardware checksumming.
>>>
>>> Then, I want to transmit it on a veth interface using a second
>>> packet socket. I do not want veth to recalculate the checksum on
>>> transmit, nor to validate it on the peer veth on receive, because I do
>>> not want to waste the CPU cycles. I am assuming that my app is not
>>> accidentally corrupting frames, so the checksum can never be bad.
>>>
>>> How should the checksumming be configured for the packets going into
>>> the packet-socket from user-space?
>>
>>
>>
>> It seems like that only the receiver should decide whether or not to
>> checksum packets on the veth, not the sender.
>>
>> How about:
>>
>> We could add a receiving socket option for "don't checksum packets
>> received from a veth when the other side has marked them as
>> elide-checksum-suggested" (similar to UDP_NOCHECKSUM), and a sending
>> socket option for "mark all data sent via this socket to a veth as
>> elide-checksum-suggested".
>>
>> So the process would be:
>>
>> Writer:
>> 1. open read socket
>> 2. open write socket, with option elide-checksum-for-veth-suggested
>> 3. write data
>>
>> Reader:
>> 1. open read socket with "follow-elide-checksum-suggestions-on-veth"
>> 2. read data
>>
>> The kernel / module would then need to persist the flag on all packets
>> that traverse a veth, and drop these data when they leave the veth
>> module.
>
>
> I'm not sure this works completely. In my app, the packet flow might be:
>
> eth0 <-> raw-socket <-> user-space-bridge <-> raw-socket <-> vethA <-> vethB
> <-> [kernel router/bridge logic ...] <-> eth1

Good point, so if you had:

eth0 <-> raw <-> user space-bridge <-> raw <-> vethA <-> veth B <->
userspace-stub <->eth1

and user-space hub enabled this elide flag, things would work, right?
Then, it seems like what we need is a way to tell the kernel
router/bridge logic to follow elide signals in packets coming from
veth. I'm not sure what the best way to do this is because I'm less
familiar with conventions in that part of the kernel, but assuming
there's a way to do this, would it be acceptable?



>
> There may be no sockets on the vethB port. And reader/writer is not
> a good way to look at it since I am implementing a bi-directional bridge in
> user-space and each packet-socket is for both rx and tx.

Sure, but we could model a bidrectional connection as two
unidirectional sockets for our discussions here, right?



>
>>> Also, I might want to send raw frames that do have
>>> broken checksums (lets assume a real NIC, not veth), and I want them
>>> to hit the wire with those bad checksums.
>>>
>>>
>>> How do I configure the checksumming in this case?
>>
>>
>>
>> Correct me if I'm wrong but I think this is already possible now. You
>> can have packets with incorrect checksum hitting the wire as is. What
>> you cannot do is instruct the receiving end to ignore the checksum
>> from the sending end when using a physical device (and something I
>> think we should mimic on the sending device).
>
>
> Yes, it does work currently (or, last I checked)...I just want to make sure
> it keeps working.

Yeah, good point. It would be great if we could write a test, or at
the very least, a list of invariants about what kinds of things should
work somewhere.

>
>
> Thanks,
> Ben
>
> --
> Ben Greear <[email protected]>
> Candela Technologies Inc http://www.candelatech.com

2016-04-30 21:52:33

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_ summed; doing so treats packets with bad checks ums as good.



On 04/30/2016 02:36 PM, Vijay Pandurangan wrote:
> On Sat, Apr 30, 2016 at 5:29 PM, Ben Greear <[email protected]> wrote:
>>
>>
>> On 04/30/2016 02:13 PM, Vijay Pandurangan wrote:
>>>
>>> On Sat, Apr 30, 2016 at 4:59 PM, Ben Greear <[email protected]>
>>> wrote:
>>>>
>>>>
>>>>
>>>> On 04/30/2016 12:54 PM, Tom Herbert wrote:
>>>>>
>>>>>
>>>>> We've put considerable effort into cleaning up the checksum interface
>>>>> to make it as unambiguous as possible, please be very careful to
>>>>> follow it. Broken checksum processing is really hard to detect and
>>>>> debug.
>>>>>
>>>>> CHECKSUM_UNNECESSARY means that some number of _specific_ checksums
>>>>> (indicated by csum_level) have been verified to be correct in a
>>>>> packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is
>>>>> never right. If CHECKSUM_UNNECESSARY is set in such a manner but the
>>>>> checksum it would refer to has not been verified and is incorrect this
>>>>> is a major bug.
>>>>
>>>>
>>>>
>>>> Suppose I know that the packet received on a packet-socket has
>>>> already been verified by a NIC that supports hardware checksumming.
>>>>
>>>> Then, I want to transmit it on a veth interface using a second
>>>> packet socket. I do not want veth to recalculate the checksum on
>>>> transmit, nor to validate it on the peer veth on receive, because I do
>>>> not want to waste the CPU cycles. I am assuming that my app is not
>>>> accidentally corrupting frames, so the checksum can never be bad.
>>>>
>>>> How should the checksumming be configured for the packets going into
>>>> the packet-socket from user-space?
>>>
>>>
>>>
>>> It seems like that only the receiver should decide whether or not to
>>> checksum packets on the veth, not the sender.
>>>
>>> How about:
>>>
>>> We could add a receiving socket option for "don't checksum packets
>>> received from a veth when the other side has marked them as
>>> elide-checksum-suggested" (similar to UDP_NOCHECKSUM), and a sending
>>> socket option for "mark all data sent via this socket to a veth as
>>> elide-checksum-suggested".
>>>
>>> So the process would be:
>>>
>>> Writer:
>>> 1. open read socket
>>> 2. open write socket, with option elide-checksum-for-veth-suggested
>>> 3. write data
>>>
>>> Reader:
>>> 1. open read socket with "follow-elide-checksum-suggestions-on-veth"
>>> 2. read data
>>>
>>> The kernel / module would then need to persist the flag on all packets
>>> that traverse a veth, and drop these data when they leave the veth
>>> module.
>>
>>
>> I'm not sure this works completely. In my app, the packet flow might be:
>>
>> eth0 <-> raw-socket <-> user-space-bridge <-> raw-socket <-> vethA <-> vethB
>> <-> [kernel router/bridge logic ...] <-> eth1
>
> Good point, so if you had:
>
> eth0 <-> raw <-> user space-bridge <-> raw <-> vethA <-> veth B <->
> userspace-stub <->eth1
>
> and user-space hub enabled this elide flag, things would work, right?
> Then, it seems like what we need is a way to tell the kernel
> router/bridge logic to follow elide signals in packets coming from
> veth. I'm not sure what the best way to do this is because I'm less
> familiar with conventions in that part of the kernel, but assuming
> there's a way to do this, would it be acceptable?

You cannot receive on one veth without transmitting on the other, so
I think the elide csum logic can go on the raw-socket, and apply to packets
in the transmit-from-user-space direction. Just allowing the socket to make
the veth behave like it used to before this patch in question should be good
enough, since that worked for us for years. So, just an option to modify the
ip_summed for pkts sent on a socket is probably sufficient.

>> There may be no sockets on the vethB port. And reader/writer is not
>> a good way to look at it since I am implementing a bi-directional bridge in
>> user-space and each packet-socket is for both rx and tx.
>
> Sure, but we could model a bidrectional connection as two
> unidirectional sockets for our discussions here, right?

Best not to I think, you want to make sure that one socket can
correctly handle tx and rx. As long as that works, then using
uni-directional sockets should work too.

Thanks,
Ben

--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com

2016-04-30 22:01:53

by Vijay Pandurangan

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summ ed; doing so treats packets with bad checksums as good.

On Sat, Apr 30, 2016 at 5:52 PM, Ben Greear <[email protected]> wrote:
>>
>> Good point, so if you had:
>>
>> eth0 <-> raw <-> user space-bridge <-> raw <-> vethA <-> veth B <->
>> userspace-stub <->eth1
>>
>> and user-space hub enabled this elide flag, things would work, right?
>> Then, it seems like what we need is a way to tell the kernel
>> router/bridge logic to follow elide signals in packets coming from
>> veth. I'm not sure what the best way to do this is because I'm less
>> familiar with conventions in that part of the kernel, but assuming
>> there's a way to do this, would it be acceptable?
>
>
> You cannot receive on one veth without transmitting on the other, so
> I think the elide csum logic can go on the raw-socket, and apply to packets
> in the transmit-from-user-space direction. Just allowing the socket to make
> the veth behave like it used to before this patch in question should be good
> enough, since that worked for us for years. So, just an option to modify
> the
> ip_summed for pkts sent on a socket is probably sufficient.

I don't think this is right. Consider:

- App A sends out corrupt packets 50% of the time and discards inbound data.
- App B doesn't care about corrupt packets and is happy to receive
them and has some way of dealing with them (special case)
- App C is a regular app, say nc or something.

In your world, where A decides what happens to data it transmits,
then
A<--veth-->B and A<---wire-->B will have the same behaviour

but

A<-- veth --> C and A<-- wire --> C will have _different_ behaviour: C
will behave incorrectly if it's connected over veth but correctly if
connected with a wire. That is a bug.

Since A cannot know what the app it's talking to will desire, I argue
that both sides of a message must be opted in to this optimization.






>
>>> There may be no sockets on the vethB port. And reader/writer is not
>>> a good way to look at it since I am implementing a bi-directional bridge
>>> in
>>> user-space and each packet-socket is for both rx and tx.
>>
>>
>> Sure, but we could model a bidrectional connection as two
>> unidirectional sockets for our discussions here, right?
>
>
> Best not to I think, you want to make sure that one socket can
> correctly handle tx and rx. As long as that works, then using
> uni-directional sockets should work too.
>
>
> Thanks,
> Ben
>
> --
> Ben Greear <[email protected]>
> Candela Technologies Inc http://www.candelatech.com

2016-04-30 22:42:30

by Tom Herbert

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_summ ed; doing so treats packets with bad checksums as good.

On Sat, Apr 30, 2016 at 1:59 PM, Ben Greear <[email protected]> wrote:
>
> On 04/30/2016 12:54 PM, Tom Herbert wrote:
>>
>> We've put considerable effort into cleaning up the checksum interface
>> to make it as unambiguous as possible, please be very careful to
>> follow it. Broken checksum processing is really hard to detect and
>> debug.
>>
>> CHECKSUM_UNNECESSARY means that some number of _specific_ checksums
>> (indicated by csum_level) have been verified to be correct in a
>> packet. Blindly promoting CHECKSUM_NONE to CHECKSUM_UNNECESSARY is
>> never right. If CHECKSUM_UNNECESSARY is set in such a manner but the
>> checksum it would refer to has not been verified and is incorrect this
>> is a major bug.
>
>
> Suppose I know that the packet received on a packet-socket has
> already been verified by a NIC that supports hardware checksumming.
>
> Then, I want to transmit it on a veth interface using a second
> packet socket. I do not want veth to recalculate the checksum on
> transmit, nor to validate it on the peer veth on receive, because I do
> not want to waste the CPU cycles. I am assuming that my app is not
> accidentally corrupting frames, so the checksum can never be bad.
>
> How should the checksumming be configured for the packets going into
> the packet-socket from user-space?
>
Checksum unnecessary conversion to checksum complete should be done
and then the computed value can be sent to user space. If you want to
take advantage of the value on transmit then we would to change the
interface. But I'm not sure why recalculating the the checksum in the
host is even a problem. With all the advances in checksum offload,
LCO, RCO it seems like that shouldn't be a common case anyway.

> Also, I might want to send raw frames that do have
> broken checksums (lets assume a real NIC, not veth), and I want them
> to hit the wire with those bad checksums.
>
> How do I configure the checksumming in this case?

Just send raw packets with bad checksums (no checksum offload).

Tom

>
>
> Thanks,
> Ben
>
>
>
>>
>> Tom
>>
>> On Sat, Apr 30, 2016 at 12:40 PM, Ben Greear <[email protected]>
>> wrote:
>>>
>>>
>>>
>>> On 04/30/2016 11:33 AM, Ben Hutchings wrote:
>>>>
>>>>
>>>> On Thu, 2016-04-28 at 12:29 +0200, Sabrina Dubroca wrote:
>>>>>
>>>>>
>>>>> Hello,
>>>
>>>
>>>
>>>>>>
>>>>>>
>>>>>> http://dmz2.candelatech.com/?p=linux-4.4.dev.y/.git;a=commitdiff;h=8153e983c0e5eba1aafe1fc296248ed2a553f1ac;hp=454b07405d694dad52e7f41af5816eed0190da8a
>>>>>
>>>>>
>>>>> Actually, no, this is not really a regression.
>>>>
>>>>
>>>> [...]
>>>>
>>>> It really is. Even though the old behaviour was a bug (raw packets
>>>> should not be changed), if there are real applications that depend on
>>>> that then we have to keep those applications working somehow.
>>>
>>>
>>>
>>> To be honest, I fail to see why the old behaviour is a bug when sending
>>> raw packets from user-space. If raw packets should not be changed, then
>>> we need some way to specify what the checksum setting is to begin with,
>>> otherwise, user-space has not enough control.
>>>
>>> A socket option for new programs, and sysctl configurable defaults for
>>> raw
>>> sockets
>>> for old binary programs would be sufficient I think.
>>>
>>>
>>> Thanks,
>>> Ben
>>>
>>> --
>>> Ben Greear <[email protected]>
>>> Candela Technologies Inc http://www.candelatech.com
>>
>>
>
> --
> Ben Greear <[email protected]>
> Candela Technologies Inc http://www.candelatech.com

2016-04-30 22:43:57

by Ben Greear

[permalink] [raw]
Subject: Re: [PATCH 3.2 085/115] veth: don’t modify ip_ summed; doing so treats packets with bad checks ums as good.



On 04/30/2016 03:01 PM, Vijay Pandurangan wrote:
> On Sat, Apr 30, 2016 at 5:52 PM, Ben Greear <[email protected]> wrote:
>>>
>>> Good point, so if you had:
>>>
>>> eth0 <-> raw <-> user space-bridge <-> raw <-> vethA <-> veth B <->
>>> userspace-stub <->eth1
>>>
>>> and user-space hub enabled this elide flag, things would work, right?
>>> Then, it seems like what we need is a way to tell the kernel
>>> router/bridge logic to follow elide signals in packets coming from
>>> veth. I'm not sure what the best way to do this is because I'm less
>>> familiar with conventions in that part of the kernel, but assuming
>>> there's a way to do this, would it be acceptable?
>>
>>
>> You cannot receive on one veth without transmitting on the other, so
>> I think the elide csum logic can go on the raw-socket, and apply to packets
>> in the transmit-from-user-space direction. Just allowing the socket to make
>> the veth behave like it used to before this patch in question should be good
>> enough, since that worked for us for years. So, just an option to modify
>> the
>> ip_summed for pkts sent on a socket is probably sufficient.
>
> I don't think this is right. Consider:
>
> - App A sends out corrupt packets 50% of the time and discards inbound data.
> - App B doesn't care about corrupt packets and is happy to receive
> them and has some way of dealing with them (special case)
> - App C is a regular app, say nc or something.
>
> In your world, where A decides what happens to data it transmits,
> then
> A<--veth-->B and A<---wire-->B will have the same behaviour
>
> but
>
> A<-- veth --> C and A<-- wire --> C will have _different_ behaviour: C
> will behave incorrectly if it's connected over veth but correctly if
> connected with a wire. That is a bug.
>
> Since A cannot know what the app it's talking to will desire, I argue
> that both sides of a message must be opted in to this optimization.

How can you make a generic app C know how to do this? The path could be,
for instance:

eth0 <-> user-space-A <-> vethA <-> vethB <-> { kernel routing logic } <-> vethC <-> vethD <-> appC

There are no sockets on vethB, but it does need to have special behaviour to elide
csums. Even if appC is hacked to know how to twiddle some thing on it's veth port,
mucking with vethD will have no effect on vethB.

With regard to your example above, why would A corrupt packets? My guess:

1) It has bugs (so, fix the bugs, it could equally create incorrect data with proper checksums,
so just enabling checksumming adds no useful protection.)

2) It means to corrupt frames. In that case, someone must expect that C should receive incorrect
frames, otherwise why bother making App-A corrupt them in the first place?

3) You are explicitly trying to test the kernel checksum logic, so you want the kernel to
detect the bad checksum and throw away the packet. In this case, just don't set the socket
option in appA to elide checksums and the packet will be thrown away.

Any other cases you can think of?

Thanks,
Ben

--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com