2016-11-14 03:07:05

by Ben Hutchings

Subject: [PATCH 3.2 000/152] 3.2.84-rc1 review

This is the start of the stable review cycle for the 3.2.84 release.
There are 152 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Nov 19 00:00:00 UTC 2016.
Anything received after that time might be too late.

A combined patch relative to 3.2.83 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Al Viro (23):
alpha: fix copy_from_user()
[2561d309dfd1555e781484af757ed0115035ddb3]
asm-generic: make copy_from_user() zero the destination properly
[2545e5da080b4839dd859e3b09343a884f6ab0e3]
asm-generic: make get_user() clear the destination on errors
[9ad18b75c2f6e4a78ce204e79f37781f8815c0fa]
avr32: fix copy_from_user()
[8630c32275bac2de6ffb8aea9d9b11663e7ad28e]
blackfin: fix copy_from_user()
[8f035983dd826d7e04f67b28acf8e2f08c347e41]
cris: buggered copy_from_user/copy_to_user/clear_user
[eb47e0293baaa3044022059f1fa9ff474bfe35cb]
frv: fix clear_user()
[3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90]
hexagon: fix strncpy_from_user() error return
[f35c1e0671728d1c9abc405d05ef548b5fcb2fc4]
ia64: copy_from_user() should zero the destination on access_ok() failure
[a5e541f796f17228793694d64b507f5f57db4cd7]
m32r: fix __get_user()
[c90a3bc5061d57e7931a9b7ad14784e1a0ed497d]
microblaze: fix __get_user()
[e98b9e37ae04562d52c96f46b3cf4c2e80222dc1]
microblaze: fix copy_from_user()
[d0cf385160c12abd109746cad1f13e3b3e8b50b8]
mn10300: copy_from_user() should zero on access_ok() failure...
[ae7cc577ec2a4a6151c9e928fd1f595d953ecef1]
mn10300: failing __get_user() and get_user() should zero
[43403eabf558d2800b429cd886e996fd555aa542]
openrisc: fix copy_from_user()
[acb2505d0119033a80c85ac8d02dccae41271667]
parisc: fix copy_from_user()
[aace880feea38875fbc919761b77e5732a3659ef]
ppc32: fix copy_from_user()
[224264657b8b228f949b42346e09ed8c90136a8e]
s390: get_user() should zero on failure
[fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7]
score: fix __get_user/get_user
[c2f18fa4cbb3ad92e033a24efa27583978ce9600]
score: fix copy_from_user() and friends
[b615e3c74621e06cd97f86373ca90d43d6d998aa]
sh64: failing __get_user() should zero
[c6852389228df9fb3067f94f3b651de2a7921b36]
sh: fix copy_from_user()
[6e050503a150b2126620c1a1e9b3a368fcd51eac]
sparc32: fix copy_from_user()
[917400cecb4b52b5cde5417348322bb9c8272fa6]

Alan Stern (4):
USB: avoid left shift by -1
[53e5f36fbd2453ad69a3369a1db62dc06c30a4aa]
USB: change bInterval default to 10 ms
[08c5cd37480f59ea39682f4585d92269be6b1424]
USB: fix typo in wMaxPacketSize validation
[6c73358c83ce870c0cf32413e5cadb3b9a39c606]
USB: validate wMaxPacketValue entries in endpoint descriptors
[aed9d65ac3278d4febd8665bd7db59ef53e825fe]

Aleksandr Makarov (2):
USB: serial: option: add WeTelecom 0x6802 and 0x6803 products
[40d9c32525cba79130612650b1abc47c0c0f19a8]
USB: serial: option: add WeTelecom WM-D200
[6695593e4a7659db49ac6eca98c164f7b5589f72]

Alex Deucher (1):
drm/radeon: fix firmware info version checks
[3edc38a0facef45ee22af8afdce3737f421f36ab]

Alex Vesker (1):
IB/ipoib: Don't allow MC joins during light MC flush
[344bacca8cd811809fc33a249f2738ab757d327f]

Alexey Khoroshilov (2):
USB: serial: mos7720: fix non-atomic allocation in write path
[5a5a1d614287a647b36dff3f40c2b0ceabbc83ec]
USB: serial: mos7840: fix non-atomic allocation in write path
[3b7c7e52efda0d4640060de747768360ba70a7c0]

Amadeusz Sławiński (1):
Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
[23bc6ab0a0912146fd674a0becc758c3162baabc]

Andrey Pronin (1):
tpm: read burstcount from TPM_STS in one 32-bit transaction
[9754d45e997000ad4021bc4606cc266bb38d876f]

Ard Biesheuvel (1):
crypto: cryptd - initialize child shash_desc on import
[0bd2223594a4dcddc1e34b15774a3a4776f7749e]

Ashish Samant (1):
ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
[d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960]

Balbir Singh (1):
sched/core: Fix a race between try_to_wake_up() and a woken up task
[135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf]

Benjamin Coddington (1):
nfs: don't create zero-length requests
[149a4fddd0a72d526abbeac0c8deaab03559836a]

Bharata B Rao (1):
powerpc/numa: Fix multiple bugs in memory_hotplug_max()
[45b64ee64970dee9392229302efe1d1567e8d304]

Cameron Gutman (1):
Input: xpad - validate USB endpoint count during probe
[caca925fca4fb30c67be88cacbe908eec6721e43]

Christian König (1):
drm/radeon: fix radeon_move_blit on 32bit systems
[13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455]

Chuck Lever (2):
NFS: Don't drop CB requests with invalid principals
[a4e187d83d88eeaba6252aac0a2ffe5eaa73a818]
svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
[0533b13072f4bf35738290d2cf9e299c7bc6c42a]

Dan Carpenter (7):
MIPS: RM7000: Double locking bug in rm7k_tc_disable()
[58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225]
avr32: off by one in at32_init_pio()
[55f1cf83d5cf885c75267269729805852039c834]
ext3: NULL dereference in ext3_evict_inode()
[bcdd0c1600903e9222abfcde28947406020ccb5d]
hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
[8a545f185145e3c09348cd74326268ecfc6715a3]
mtd: pmcmsp-flash: Allocating too much in init_msp_flash()
[79ad07d45743721010e766e65dc004ad249bd429]
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
[7bc2b55a5c030685b399bb65b6baa9ccc3d1f167]
usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
[f4693b08cc901912a87369c46537b94ed4084ea0]

Daniel Vetter (1):
drm: Reject page_flip for !DRIVER_MODESET
[6f00975c619064a18c23fd3aced325ae165a73b9]

Daniele Palmas (1):
USB: serial: option: add support for Telit LE910 PID 0x1206
[3c0415fa08548e3bc63ef741762664497ab187ed]

Dave Carroll (1):
aacraid: Check size values after double-fetch from user
[fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3]

Dave Weinstein (1):
arm: oabi compat: add missing access checks
[7de249964f5578e67b99699c5f0b405738d820a2]

David Howells (3):
KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
[20f06ed9f61a185c6dabd662c310bed6189470df]
KEYS: Fix short sprintf buffer in /proc/keys show function
[03dab869b7b239c4e013ec82aea22e181e441cfc]
x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace
[f7d665627e103e82d34306c7d3f6f46f387c0d8b]

Dmitry Torokhov (3):
Input: i8042 - break load dependency between atkbd/psmouse and i8042
[4097461897df91041382ff6fcd2bfa7ee6b2448c]
Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
[47af45d684b5f3ae000ad448db02ce4f13f73273]
tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
[510cccb5b0c8868a2b302a0ab524da7912da648b]

Dmitry Tunin (1):
Bluetooth: Add support of 13d3:3490 AR3012 device
[12d868964f7352e8b18e755488f7265a93431de1]

Erez Shitrit (2):
IB/core: Fix use after free in send_leave function
[68c6bcdd8bd00394c234b915ab9b97c74104130c]
IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
[546481c2816ea3c061ee9d5658eb48070f69212e]

Eric Dumazet (1):
tcp: fix use after free in tcp_xmit_retransmit_queue()
[bb1fceca22492109be12640d49f5ea5a544c6bb4]

Florian Fainelli (2):
brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
[f823a2aa8f4674c095a5413b9e3ba12d82df06f2]
net: ethoc: Fix early error paths
[386512d18b268c6182903239f9f3390f03ce4c7b]

Gavin Li (1):
cdc-acm: fix wrong pipe type on rx interrupt xfers
[add125054b8727103631dce116361668436ef6a7]

Guenter Roeck (2):
avr32: fix 'undefined reference to `___copy_from_user'
[65c0044ca8d7c7bbccae37f0ff2972f0210e9f41]
openrisc: fix the fix of copy_from_user()
[8e4b72054f554967827e18be1de0e8122e6efc04]

Hector Palacios (1):
mtd: nand: fix bug writing 1 byte less than page size
[144f4c98399e2c0ca60eb414c15a2c68125c18b8]

Helge Deller (1):
parisc: Fix order of EREFUSED define in errno.h
[3eb53b20d7bd1374598cfb1feaa081fcac0e76cd]

Herbert Xu (3):
crypto: gcm - Filter out async ghash if necessary
[b30bdfa86431afbafe15284a3ad5ac19b49b88e3]
crypto: scatterwalk - Fix test in scatterwalk_done
[5f070e81bee35f1b7bd1477bb223a873ff657803]
crypto: skcipher - Fix blkcipher walk OOM crash
[acdb04d0b36769b3e05990c488dc74d8b7ac8060]

Ilan Tayari (1):
xfrm: Fix memory leak of aead algorithm name
[b588479358ce26f32138e0f0a7ab0678f8e3e601]

Iosif Harutyunov (1):
ubi: Fix race condition between ubi device creation and udev
[714fb87e8bc05ff78255afc0dca981e8c5242785]

Jaganath Kanakkassery (1):
Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
[951b6a0717db97ce420547222647bcc40bf1eacd]

James Hogan (1):
s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
[68c5cf5a6091c2c3fabccfd42ca844d730ec24c6]

Jan Beulich (2):
xenbus: don't BUG() on user mode induced condition
[0beef634b86a1350c31da5fcc2992f0d7c8a622b]
xenbus: don't look up transaction IDs for ordinary writes
[9a035a40f7f3f6708b79224b86c5777a3334f7ea]

Jan Kara (3):
fs: Avoid premature clearing of capabilities
[030b533c4fd4d2ec3402363323de4bb2983c9cee]
fs: Give dentry to inode_change_ok() instead of inode
[31051c85b5e2aaaf6315f74c72a732673632a905]
posix_acl: Clear SGID bit when setting file permissions
[073931017b49d9458aa351605b43a7e34598caef]

Jeff Mahoney (1):
btrfs: ensure that file descriptor used with subvol ioctls is a dir
[325c50e3cebb9208009083e841550f98a863bfa0]

Jia He (1):
mm/hugetlb: avoid soft lockup in set_max_huge_pages()
[649920c6ab93429b94bc7c1aa7c0e8395351be32]

Jim Lin (1):
usb: xhci: Fix panic if disconnect
[88716a93766b8f095cdef37a8e8f2c93aa233b21]

Jim Mattson (1):
KVM: nVMX: Fix memory corruption when using VMCS shadowing
[2f1fe81123f59271bddda673b60116bde9660385]

Jiri Slaby (1):
pps: do not crash when failed to register
[368301f2fe4b07e5fb71dba3cc566bc59eb6705f]

Joseph Qi (1):
ocfs2/dlm: fix race between convert and migration
[e6f0c6e6170fec175fe676495f29029aecdf486c]

Karl Beldan (1):
mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
[f6d7c1b5598b6407c3f1da795dd54acf99c1990c]

Konstantin Neumoin (1):
balloon: check the number of available pages in leak balloon
[37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711]

Krzysztof Kozlowski (1):
serial: samsung: Fix possible out of bounds access on non-DT platform
[926b7b5122c96e1f18cd20e85a286c7ec8d18c97]

Lauro Costa (1):
Bluetooth: Add USB ID 13D3:3487 to ath3k
[72f9f8b58bc743e6b6abdc68f60db98486c3ffcf]

Linus Walleij (2):
iio: accel: kxsd9: Fix raw read return
[7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8]
iio: accel: kxsd9: Fix scaling bug
[307fe9dd11ae44d4f8881ee449a7cbac36e1f5de]

Liping Zhang (1):
netfilter: nfnetlink_queue: reject verdict request from different portid
[00a3101f561816e58de054a470484996f78eb5eb]

Liu Bo (1):
Btrfs: skip adding an acl attribute if we don't have to
[755ac67f83e515af55adbfe55134eb7d90839cdb]

Lubomir Rintel (1):
USB: serial: option: add D-Link DWM-156/A3
[cf1b18030de29e4e5b0a57695ae5db4a89da0ff7]

Lukas Wunner (3):
x86/quirks: Add early quirk to reset Apple AirPort card
[abb2bafd295fe962bbadc329dbfb2146457283ac]
x86/quirks: Apply nvidia_bugs quirk only on root bus
[447d29d1d3aed839e74c2401ef63387780ac51ed]
x86/quirks: Reintroduce scanning of secondary buses
[850c321027c2e31d0afc71588974719a4b565550]

Lyude (1):
drm/radeon: Poll for both connect/disconnect on analog connectors
[14ff8d48f2235295dfb3117693008e367b49cdb5]

Mario Kleiner (1):
drm/edid: Add 6 bpc quirk for display AEO model 0.
[e10aec652f31ec61d6a0b4d00d8ef8d2b66fa0fd]

Mathias Krause (1):
xfrm_user: propagate sec ctx allocation errors
[2f30ea5090cbc57ea573cdc66421264b3de3fb0a]

Mathias Nyman (1):
xhci: don't dereference a xhci member after removing xhci
[f1f6d9a8b540df22b87a5bf6bc104edaade81f47]

Michael Walle (1):
hwmon: (adt7411) set bit 3 in CFG1 register
[b53893aae441a034bf4dbbad42fe218561d7d81f]

Mike Snitzer (1):
dm flakey: error READ bios during the down_interval
[99f3c90d0d85708e7401a81ce3314e50bf7f2819]

Nikolay Aleksandrov (1):
ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
[2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8]

Paolo Bonzini (1):
KVM: nVMX: fix lifetime issues for vmcs02
[4fa7734c62cdd8c07edd54fa5a5e91482273071a]

Paul Moore (1):
netlabel: add address family checks to netlbl_{sock,req}_delattr()
[0e0e36774081534783aa8eeb9f6fbddf98d3c061]

Phil Turnbull (1):
ceph: Correctly return NXIO errors from ceph_llseek
[955818cd5b6c4b58ea574ace4573e7afa4c19c1e]

[email protected] (2):
irda: Free skb on irda_accept error path.
[8ab86c00e349cef9fb14719093a7f198bcc72629]
l2tp: Correctly return -EBADF from pppol2tp_getname.
[4ac36a4adaf80013a60013d6f829f5863d5d0e05]

Robert Deliën (1):
USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices
[6977495c06f7f47636a076ee5a0ca571279d9697]

Russell King (1):
ARM: sa1111: fix pcmcia suspend/resume
[06dfe5cc0cc684e735cb0232fdb756d30780b05d]

Sebastian Andrzej Siewior (1):
x86/mm: Disable preemption during CR3 read+write
[5cf0791da5c162ebc14b01eb01631cfa7ed4fa6e]

Sebastian Reichel (1):
ARM: OMAP3: hwmod data: Add sysc information for DSI
[b46211d6dcfb81a8af66b8684a42d629183670d4]

Sergei Miroshnichenko (1):
can: dev: fix deadlock reported after bus-off
[9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8]

Sheng-Hui J. Chu (1):
USB: serial: ftdi_sio: add device ID for WICED USB UART dev board
[ae34d12cc1e212ffcd92e069030e54dae69c832f]

Soheil Hassas Yeganeh (1):
tcp: consider recv buf for the initial window scale
[f626300a3e776ccc9671b0dd94698fb3aa315966]

Stefan Haberland (1):
s390/dasd: fix hanging device after clear subchannel
[9ba333dc55cbb9523553df973adb3024d223e905]

Stefan Richter (1):
firewire: net: guard against rx buffer overflows
[667121ace9dbafb368618dbabcf07901c962ddac]

Steven Rostedt (2):
tracing: Move mutex to protect against resetting of seq data
[1245800c0f96eb6ebb368593e251d66c01e61022]
x86/paravirt: Do not trace _paravirt_ident_*() functions
[15301a570754c7af60335d094dd2d1808b0641a5]

Takashi Iwai (4):
ALSA: ctl: Stop notification after disconnection
[f388cdcdd160687c6650833f286b9c89c50960ff]
ALSA: rawmidi: Fix possible deadlock with virmidi registration
[816f318b2364262a51024096da7ca3b84e78e3b5]
ALSA: timer: Code cleanup
[c3b1681375dc6e71d89a3ae00cc3ce9e775a8917]
ALSA: timer: Fix zero-division by continue of uninitialized instance
[9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b]

Theodore Ts'o (2):
ext4: validate s_reserved_gdt_blocks on mount
[5b9554dc5bf008ae7f68a52e3d7e76c0920938a2]
ext4: validate that metadata blocks do not overlap superblock
[829fa70dddadf9dd041d62b82cd7cea63943899d]

Trond Myklebust (1):
NFSv4.1: Fix the CREATE_SESSION slot number accounting
[b519d408ea32040b1c7e10b155a3ee9a36660947]

Vegard Nossum (10):
ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
[11749e086b2766cccf6217a527ef5c5604ba069c]
ALSA: timer: fix NULL pointer dereference on memory allocation failure
[8ddc05638ee42b18ba4fe99b5fb647fa3ad20456]
ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
[6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33]
block: fix use-after-free in seq file
[77da160530dd1dc94f6ae15a981f24e5f0021e84]
ext4: check for extents that wrap around
[f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6]
ext4: don't call ext4_should_journal_data() on the journal inode
[6a7fd522a7c94cdef0a3b08acf8e6702056e635c]
ext4: fix reference counting bug on block allocation error
[554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e]
ext4: short-cut orphan cleanup on error
[c65d5c6c81a1f27dec5f627f67840726fcd146de]
fs/seq_file: fix out-of-bounds read
[088bf2ff5d12e2e32ee52a4024fec26e582f44d3]
net/irda: fix NULL pointer dereference on memory allocation failure
[d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d]

Vincent Stehlé (1):
ubifs: Fix assertion in layout_in_gaps()
[c0082e985fdf77b02fc9e0dac3b58504dcf11b7a]

Vladis Dronov (1):
[media] usbvision: revert commit 588afcc1
[d5468d7afaa9c9e961e150f0455a14a9f4872a98]

WANG Cong (1):
ppp: defer netns reference release for ppp channel
[205e1e255c479f3fd77446415706463b282f94e4]

Wanpeng Li (2):
sched/cputime: Fix prev steal time accouting during CPU hotplug
[3d89e5478bf550a50c99e93adf659369798263b0]
x86/apic: Do not init irq remapping if ioapic is disabled
[2e63ad4bd5dd583871e6602f9d398b9322d358d9]

Yadi.hu (1):
i2c-eg20t: fix race between i2c init and interrupt enable
[371a015344b6e270e7e3632107d9554ec6d27a6b]

Yinghai Lu (1):
megaraid_sas: Fix probing cards without io port
[e7f851684efb3377e9c93aca7fae6e76212e5680]

Yoshihiro Shimoda (2):
usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()
[4fdef698383db07d829da567e0e405fc41ff3a89]
usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()
[15e4292a2d21e9997fdb2b8c014cc461b3f268f0]

Zhong Jiang (1):
mm,ksm: fix endless looping in allocating memory when ksm enable
[5b398e416e880159fe55eefd93c6588fa072cd66]

Documentation/filesystems/porting | 4 +-
Makefile | 4 +-
arch/alpha/include/asm/uaccess.h | 19 ++---
arch/arm/common/sa1111.c | 22 +++--
arch/arm/kernel/sys_oabi-compat.c | 8 +-
arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 +++
arch/avr32/include/asm/uaccess.h | 11 ++-
arch/avr32/kernel/avr32_ksyms.c | 2 +-
arch/avr32/lib/copy_user.S | 8 +-
arch/avr32/mach-at32ap/pio.c | 2 +-
arch/blackfin/include/asm/uaccess.h | 9 +-
arch/cris/include/asm/uaccess.h | 71 +++++++---------
arch/frv/include/asm/uaccess.h | 12 ++-
arch/hexagon/include/asm/uaccess.h | 3 +-
arch/ia64/include/asm/uaccess.h | 20 ++---
arch/m32r/include/asm/uaccess.h | 2 +-
arch/microblaze/include/asm/uaccess.h | 11 ++-
arch/mips/kernel/scall64-n32.S | 2 +-
arch/mips/kernel/scall64-o32.S | 2 +-
arch/mips/mm/sc-rm7k.c | 2 +-
arch/mn10300/include/asm/uaccess.h | 1 +
arch/mn10300/lib/usercopy.c | 5 +-
arch/openrisc/include/asm/uaccess.h | 35 +++-----
arch/parisc/include/asm/errno.h | 4 +-
arch/parisc/include/asm/uaccess.h | 7 +-
arch/powerpc/include/asm/uaccess.h | 21 +----
arch/powerpc/mm/numa.c | 18 +++-
arch/s390/include/asm/auxvec.h | 2 +
arch/s390/include/asm/elf.h | 1 +
arch/s390/include/asm/uaccess.h | 8 +-
arch/score/include/asm/uaccess.h | 46 +++++-----
arch/sh/include/asm/uaccess.h | 5 +-
arch/sh/include/asm/uaccess_64.h | 1 +
arch/sparc/include/asm/uaccess_32.h | 4 +-
arch/x86/ia32/ia32entry.S | 2 +-
arch/x86/include/asm/tlbflush.h | 7 ++
arch/x86/kernel/apic/apic.c | 3 +
arch/x86/kernel/early-quirks.c | 106 +++++++++++++++++++++---
arch/x86/kernel/paravirt.c | 4 +-
arch/x86/kvm/vmx.c | 62 ++++++++++----
block/genhd.c | 1 +
crypto/blkcipher.c | 3 +-
crypto/cryptd.c | 9 +-
crypto/gcm.c | 4 +-
crypto/scatterwalk.c | 3 +-
drivers/bcma/bcma_private.h | 2 -
drivers/bluetooth/ath3k.c | 4 +
drivers/bluetooth/btusb.c | 2 +
drivers/char/tpm/tpm_tis.c | 9 +-
drivers/firewire/net.c | 46 +++++++---
drivers/gpu/drm/drm_crtc.c | 3 +
drivers/gpu/drm/drm_edid.c | 8 ++
drivers/gpu/drm/radeon/radeon_atombios.c | 4 +-
drivers/gpu/drm/radeon/radeon_connectors.c | 15 ++--
drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
drivers/hwmon/adt7411.c | 5 +-
drivers/i2c/busses/i2c-eg20t.c | 18 ++--
drivers/infiniband/core/multicast.c | 13 +--
drivers/infiniband/ulp/ipoib/ipoib.h | 1 +
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 16 ++++
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 ++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +-
drivers/input/joystick/xpad.c | 3 +
drivers/input/serio/i8042.c | 17 +---
drivers/input/serio/libps2.c | 10 +--
drivers/md/dm-flakey.c | 23 +++--
drivers/media/video/usbvision/usbvision-video.c | 7 --
drivers/mtd/maps/pmcmsp-flash.c | 6 +-
drivers/mtd/nand/davinci_nand.c | 3 +
drivers/mtd/nand/nand_base.c | 2 +-
drivers/mtd/ubi/build.c | 5 +-
drivers/net/can/dev.c | 27 +++---
drivers/net/ethernet/ethoc.c | 10 +--
drivers/net/ppp/ppp_generic.c | 5 +-
drivers/net/wireless/brcm80211/brcmsmac/stf.c | 2 +-
drivers/pps/clients/pps_parport.c | 2 +-
drivers/s390/block/dasd.c | 10 ++-
drivers/scsi/aacraid/commctrl.c | 13 ++-
drivers/scsi/arcmsr/arcmsr_hba.c | 8 +-
drivers/scsi/megaraid/megaraid_sas_base.c | 6 +-
drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
drivers/staging/iio/accel/kxsd9.c | 2 +
drivers/staging/pohmelfs/Kconfig | 1 +
drivers/tty/serial/samsung.c | 4 +-
drivers/tty/vt/keyboard.c | 30 ++-----
drivers/usb/class/cdc-acm.c | 5 +-
drivers/usb/class/cdc-acm.h | 1 -
drivers/usb/core/config.c | 93 +++++++++++++++++----
drivers/usb/core/devio.c | 16 ++--
drivers/usb/gadget/fsl_qe_udc.c | 7 +-
drivers/usb/host/xhci-hub.c | 3 +
drivers/usb/host/xhci-pci.c | 3 +-
drivers/usb/renesas_usbhs/fifo.c | 18 +++-
drivers/usb/renesas_usbhs/mod_gadget.c | 9 +-
drivers/usb/serial/ftdi_sio.c | 3 +
drivers/usb/serial/ftdi_sio_ids.h | 12 +++
drivers/usb/serial/mos7720.c | 2 +-
drivers/usb/serial/mos7840.c | 4 +-
drivers/usb/serial/option.c | 13 +++
drivers/virtio/virtio_balloon.c | 2 +
drivers/xen/xenfs/xenbus.c | 14 ++--
fs/9p/acl.c | 40 ++++-----
fs/9p/vfs_inode.c | 2 +-
fs/9p/vfs_inode_dotl.c | 2 +-
fs/adfs/inode.c | 2 +-
fs/affs/inode.c | 2 +-
fs/attr.c | 35 +++++---
fs/btrfs/acl.c | 4 +-
fs/btrfs/inode.c | 2 +-
fs/btrfs/ioctl.c | 12 +++
fs/ceph/file.c | 13 ++-
fs/ceph/inode.c | 2 +-
fs/cifs/inode.c | 4 +-
fs/ecryptfs/inode.c | 2 +-
fs/exofs/inode.c | 2 +-
fs/ext2/acl.c | 12 +--
fs/ext2/inode.c | 2 +-
fs/ext3/acl.c | 12 +--
fs/ext3/inode.c | 6 +-
fs/ext4/acl.c | 12 +--
fs/ext4/extents.c | 8 +-
fs/ext4/inode.c | 8 +-
fs/ext4/mballoc.c | 17 +---
fs/ext4/super.c | 35 +++++++-
fs/fat/file.c | 2 +-
fs/fuse/dir.c | 2 +-
fs/generic_acl.c | 15 ++--
fs/gfs2/acl.c | 16 ++--
fs/gfs2/inode.c | 2 +-
fs/hfs/inode.c | 2 +-
fs/hfsplus/inode.c | 2 +-
fs/hostfs/hostfs_kern.c | 9 +-
fs/hpfs/inode.c | 2 +-
fs/hugetlbfs/inode.c | 2 +-
fs/jffs2/acl.c | 9 +-
fs/jffs2/fs.c | 2 +-
fs/jfs/file.c | 2 +-
fs/jfs/xattr.c | 6 +-
fs/libfs.c | 2 +-
fs/logfs/file.c | 2 +-
fs/minix/file.c | 2 +-
fs/ncpfs/inode.c | 2 +-
fs/nfs/callback_xdr.c | 6 +-
fs/nfs/nfs4proc.c | 15 +++-
fs/nfs/write.c | 5 +-
fs/nfsd/vfs.c | 12 +--
fs/nilfs2/inode.c | 2 +-
fs/ntfs/inode.c | 2 +-
fs/ocfs2/acl.c | 9 +-
fs/ocfs2/dlm/dlmconvert.c | 12 +--
fs/ocfs2/dlmfs/dlmfs.c | 2 +-
fs/ocfs2/file.c | 36 +++++---
fs/omfs/file.c | 2 +-
fs/posix_acl.c | 30 +++++++
fs/proc/base.c | 2 +-
fs/proc/generic.c | 2 +-
fs/proc/proc_sysctl.c | 2 +-
fs/ramfs/file-nommu.c | 2 +-
fs/reiserfs/inode.c | 2 +-
fs/reiserfs/xattr_acl.c | 8 +-
fs/seq_file.c | 4 +-
fs/sysfs/inode.c | 2 +-
fs/sysv/file.c | 2 +-
fs/ubifs/file.c | 2 +-
fs/ubifs/tnc_commit.c | 2 +-
fs/udf/file.c | 2 +-
fs/ufs/truncate.c | 2 +-
fs/utimes.c | 4 +-
fs/xfs/xfs_acl.c | 26 +++---
fs/xfs/xfs_file.c | 6 +-
fs/xfs/xfs_ioctl.c | 3 +-
fs/xfs/xfs_iops.c | 26 ++++--
fs/xfs/xfs_vnodeops.c | 5 +-
fs/xfs/xfs_vnodeops.h | 7 +-
include/asm-generic/uaccess.h | 20 +++--
include/linux/bcma/bcma.h | 1 +
include/linux/bcma/bcma_regs.h | 1 +
include/linux/can/dev.h | 3 +-
include/linux/fs.h | 2 +-
include/linux/i8042.h | 6 --
include/linux/mroute.h | 2 +-
include/linux/mroute6.h | 2 +-
include/linux/posix_acl.h | 1 +
include/linux/serio.h | 24 ++++--
include/net/tcp.h | 2 +
kernel/sched.c | 36 ++++----
kernel/trace/trace.c | 15 ++--
mm/hugetlb.c | 4 +
mm/ksm.c | 3 +-
mm/shmem.c | 2 +-
net/bluetooth/l2cap_sock.c | 2 +-
net/bluetooth/rfcomm/sock.c | 19 +++--
net/ipv4/ipmr.c | 3 +-
net/ipv4/route.c | 3 +-
net/ipv4/tcp_output.c | 3 +-
net/ipv6/ip6mr.c | 5 +-
net/ipv6/route.c | 4 +-
net/irda/af_irda.c | 12 +--
net/l2tp/l2tp_ppp.c | 7 +-
net/netfilter/nfnetlink_queue.c | 3 -
net/netlabel/netlabel_kapi.c | 12 ++-
net/sunrpc/svc.c | 7 +-
net/xfrm/xfrm_state.c | 1 +
net/xfrm/xfrm_user.c | 9 +-
security/keys/proc.c | 2 +-
sound/core/control.c | 2 +
sound/core/rawmidi.c | 4 +-
sound/core/timer.c | 72 ++++++++++------
virt/kvm/kvm_main.c | 2 +
209 files changed, 1278 insertions(+), 731 deletions(-)

--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.


2016-11-14 02:06:54

by Ben Hutchings

Subject: [PATCH 3.2 111/152] mn10300: failing __get_user() and get_user() should zero

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mn10300/include/asm/uaccess.h | 1 +
1 file changed, 1 insertion(+)

--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -181,6 +181,7 @@ struct __large_struct { unsigned long bu
"2:\n" \
" .section .fixup,\"ax\"\n" \
"3:\n\t" \
+ " mov 0,%1\n" \
" mov %3,%0\n" \
" jmp 2b\n" \
" .previous\n" \
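Review bot: the commit message body is empty; it should state that the fixup path now zeroes the output value operand (`mov 0,%1`) before storing the error code (`mov %3,%0`), so a faulting __get_user() no longer leaves the destination holding stale register contents. Since this hunk touches only the one asm block at line 181, also confirm that every other __get_user_asm variant in this header that has a fixup section receives the same zeroing.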

2016-11-14 02:06:56

by Ben Hutchings

Subject: [PATCH 3.2 033/152] mtd: nand: fix bug writing 1 byte less than page size

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hector Palacios <[email protected]>

commit 144f4c98399e2c0ca60eb414c15a2c68125c18b8 upstream.

nand_do_write_ops() determines if it is writing a partial page with the
formula:
part_pagewr = (column || writelen < (mtd->writesize - 1))

When 'writelen' is exactly 1 byte less than the NAND page size the formula
equates to zero, so the code doesn't process it as a partial write,
although it should.
As a consequence the function remains in the while(1) loop with 'writelen'
becoming 0xffffffff and iterating endlessly.

The bug may not be easy to reproduce in Linux since user space tools
usually force the padding or round-up the write size to a page-size
multiple.
This was discovered in U-Boot where the issue can be reproduced by
writing any size that is 1 byte less than a page-size multiple.
For example, on a NAND with 2K page (0x800):
=> nand erase.part <partition>
=> nand write $loadaddr <partition> 7ff

[Editor's note: the bug was added in commit 29072b96078f, but moved
around in commit 66507c7bc8895 ("mtd: nand: Add support to use nand_base
poi databuf as bounce buffer")]

Fixes: 29072b96078f ("[MTD] NAND: add subpage write support")
Signed-off-by: Hector Palacios <[email protected]>
Acked-by: Boris Brezillon <[email protected]>
Signed-off-by: Brian Norris <[email protected]>
[bwh: Backported to 3.2: adjusted context as noted above]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/mtd/nand/nand_base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -2229,7 +2229,7 @@ static int nand_do_write_ops(struct mtd_
uint8_t *wbuf = buf;

/* Partial page write? */
- if (unlikely(column || writelen < (mtd->writesize - 1))) {
+ if (unlikely(column || writelen < mtd->writesize)) {
cached = 0;
bytes = min_t(int, bytes - column, (int) writelen);
chip->pagebuf = -1;
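Review bot: the corrected condition `writelen < mtd->writesize` is right, but the context line `bytes = min_t(int, bytes - column, (int) writelen);` still casts the unsigned length to int, so a writelen of 2^31 or more would go negative in the partial-page branch; consider `min_t(size_t, ...)` or an upper-bound check on writelen before the loop so that branch can never yield a negative byte count.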

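To make the off-by-one described in the commit message concrete, here is a small model of the page loop in nand_do_write_ops(), added for this review and not part of the kernel patch or the original mail; it assumes the simplified loop shown below and a 2 KiB page, and compares the old predicate with the fixed one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the page loop in nand_do_write_ops(), constructed for this
 * note; it is not the kernel code. Only the partial-page decision, the
 * per-page byte count and the unsigned remaining-length bookkeeping are
 * reproduced. */

/* Predicate as it was before the fix (the "- 1" is the off-by-one). */
static bool is_partial_old(uint32_t column, uint32_t writelen, uint32_t writesize)
{
    return column || writelen < (writesize - 1);
}

/* Predicate after the fix: anything shorter than a full page is partial. */
static bool is_partial_new(uint32_t column, uint32_t writelen, uint32_t writesize)
{
    return column || writelen < writesize;
}

/*
 * Walk the write one page at a time. Returns the number of page writes
 * needed, or -1 when the loop exceeds max_iter (the endless-loop case).
 * 'column' is the byte offset inside the first page, as in the kernel.
 */
static int simulate_write(uint32_t writesize, uint32_t column, uint32_t writelen,
                          bool use_fix, int max_iter)
{
    int iters = 0;

    while (1) {
        uint32_t bytes = writesize;
        bool partial = use_fix ? is_partial_new(column, writelen, writesize)
                               : is_partial_old(column, writelen, writesize);

        if (partial) {
            /* Partial page: write only what is left in this page. */
            uint32_t avail = writesize - column;
            bytes = writelen < avail ? writelen : avail;
        }

        /* Unsigned subtraction: wraps to 0xffffffff when bytes > writelen,
         * which is exactly what the old predicate allows to happen. */
        writelen -= bytes;
        column = 0;
        iters++;

        if (writelen == 0)
            return iters;
        if (iters >= max_iter)
            return -1;
    }
}

/* Convenience wrapper: page writes needed for 'writelen' bytes on a
 * 'writesize' page, starting at page offset 0; -1 means it never ends. */
int page_writes(uint32_t writesize, uint32_t writelen, bool use_fix)
{
    return simulate_write(writesize, 0, writelen, use_fix, 10000);
}

int main(void)
{
    const uint32_t page = 0x800; /* 2 KiB page, as in the U-Boot example */

    printf("0x7ff bytes, old check: %d\n", page_writes(page, 0x7ff, false));
    printf("0x7ff bytes, new check: %d\n", page_writes(page, 0x7ff, true));
    printf("0xfff bytes, old check: %d\n", page_writes(page, 0xfff, false));
    printf("0xfff bytes, new check: %d\n", page_writes(page, 0xfff, true));
    return 0;
}
```

Any length that is one byte short of a page multiple trips the old predicate on its last page, while lengths that land on a page boundary or fall short by two or more bytes behave the same under both versions.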
2016-11-14 02:06:50

by Ben Hutchings

Subject: [PATCH 3.2 146/152] fs: Avoid premature clearing of capabilities

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit 030b533c4fd4d2ec3402363323de4bb2983c9cee upstream.

Currently, notify_change() clears capabilities or IMA attributes by
calling security_inode_killpriv() before calling into ->setattr. Thus it
happens before any other permission checks in inode_change_ok() and the user
is thus allowed to trigger clearing of capabilities or IMA attributes
for any file he can look up, e.g. by calling chown for that file. This is
unexpected and can lead to a user DoSing a system.

Fix the problem by calling security_inode_killpriv() at the end of
inode_change_ok() instead of from notify_change(). At that moment we are
sure the user has permission to do the requested change.

References: CVE-2015-1350
Reviewed-by: Christoph Hellwig <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/attr.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)

--- a/fs/attr.c
+++ b/fs/attr.c
@@ -46,7 +46,7 @@ int setattr_prepare(struct dentry *dentr

/* If force is set do it anyway. */
if (ia_valid & ATTR_FORCE)
- return 0;
+ goto kill_priv;

/* Make sure a caller can chown. */
if ((ia_valid & ATTR_UID) &&
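Review bot: replacing `return 0;` with `goto kill_priv;` means the ATTR_FORCE path now also runs the ATTR_KILL_PRIV handling instead of skipping the rest of the function; that is needed once the call moves out of notify_change() (otherwise forced changes would never drop privileges), but it deserves a sentence in the commit message, and the comment "If force is set do it anyway." should say that privilege clearing still happens.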
@@ -77,6 +77,16 @@ int setattr_prepare(struct dentry *dentr
return -EPERM;
}

+kill_priv:
+ /* User has permission for the change */
+ if (ia_valid & ATTR_KILL_PRIV) {
+ int error;
+
+ error = security_inode_killpriv(dentry);
+ if (error)
+ return error;
+ }
+
return 0;
}
EXPORT_SYMBOL(setattr_prepare);
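Review bot: setattr_prepare() (the 3.2 name of inode_change_ok() in this backport) now has a side effect, calling security_inode_killpriv(), rather than being a pure permission check; state this in the function's header comment so callers that invoke it speculatively do not strip capabilities unexpectedly. The `int error;` declared inside the `if` block could also be hoisted to the function's top-level declarations to match the surrounding style.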
@@ -199,13 +209,11 @@ int notify_change(struct dentry * dentry
if (!(ia_valid & ATTR_MTIME_SET))
attr->ia_mtime = now;
if (ia_valid & ATTR_KILL_PRIV) {
- attr->ia_valid &= ~ATTR_KILL_PRIV;
- ia_valid &= ~ATTR_KILL_PRIV;
error = security_inode_need_killpriv(dentry);
- if (error > 0)
- error = security_inode_killpriv(dentry);
- if (error)
+ if (error < 0)
return error;
+ if (error == 0)
+ ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
}

/*
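Review bot: the chained assignment `ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;` is hard to read and is the kind of multiple assignment checkpatch flags; keep the two statements the hunk removes, `attr->ia_valid &= ~ATTR_KILL_PRIV;` and `ia_valid &= ~ATTR_KILL_PRIV;`, inside the `error == 0` branch instead. The logic itself is right: a negative result from security_inode_need_killpriv() is propagated, zero means there is nothing to kill so the flag is cleared, and a positive result leaves ATTR_KILL_PRIV set for setattr_prepare() to act on.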

2016-11-14 02:07:28

by Ben Hutchings

Subject: [PATCH 3.2 017/152] x86/quirks: Add early quirk to reset Apple AirPort card

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <[email protected]>

commit abb2bafd295fe962bbadc329dbfb2146457283ac upstream.

The EFI firmware on Macs contains a full-fledged network stack for
downloading OS X images from osrecovery.apple.com. Unfortunately
on Macs introduced 2011 and 2012, EFI brings up the Broadcom 4331
wireless card on every boot and leaves it enabled even after
ExitBootServices has been called. The card continues to assert its IRQ
line, causing spurious interrupts if the IRQ is shared. It also corrupts
memory by DMAing received packets, allowing for remote code execution
over the air. This only stops when a driver is loaded for the wireless
card, which may be never if the driver is not installed or blacklisted.

The issue seems to be constrained to the Broadcom 4331. Chris Milsted
has verified that the newer Broadcom 4360 built into the MacBookPro11,3
(2013/2014) does not exhibit this behaviour. The chances that Apple will
ever supply a firmware fix for the older machines appear to be zero.

The solution is to reset the card on boot by writing to a reset bit in
its mmio space. This must be done as an early quirk and not as a plain
vanilla PCI quirk to successfully combat memory corruption by DMAed
packets: Matthew Garrett found out in 2012 that the packets are written
to EfiBootServicesData memory (http://mjg59.dreamwidth.org/11235.html).
This type of memory is made available to the page allocator by
efi_free_boot_services(). Plain vanilla PCI quirks run much later, in
subsys initcall level. In-between a time window would be open for memory
corruption. Random crashes occurring in this time window and attributed
to DMAed packets have indeed been observed in the wild by Chris
Bainbridge.

When Matthew Garrett analyzed the memory corruption issue in 2012, he
sought to fix it with a grub quirk which transitions the card to D3hot:
http://git.savannah.gnu.org/cgit/grub.git/commit/?id=9d34bb85da56

This approach does not help users with other bootloaders and while it
may prevent DMAed packets, it does not cure the spurious interrupts
emanating from the card. Unfortunately the card's mmio space is
inaccessible in D3hot, so to reset it, we have to undo the effect of
Matthew's grub patch and transition the card back to D0.

Note that the quirk takes a few shortcuts to reduce the amount of code:
The size of BAR 0 and the location of the PM capability is identical
on all affected machines and therefore hardcoded. Only the address of
BAR 0 differs between models. Also, it is assumed that the BCMA core
currently mapped is the 802.11 core. The EFI driver seems to always take
care of this.

Michael Büsch, Bjorn Helgaas and Matt Fleming contributed feedback
towards finding the best solution to this problem.

The following should be a comprehensive list of affected models:
iMac13,1 2012 21.5" [Root Port 00:1c.3 = 8086:1e16]
iMac13,2 2012 27" [Root Port 00:1c.3 = 8086:1e16]
Macmini5,1 2011 i5 2.3 GHz [Root Port 00:1c.1 = 8086:1c12]
Macmini5,2 2011 i5 2.5 GHz [Root Port 00:1c.1 = 8086:1c12]
Macmini5,3 2011 i7 2.0 GHz [Root Port 00:1c.1 = 8086:1c12]
Macmini6,1 2012 i5 2.5 GHz [Root Port 00:1c.1 = 8086:1e12]
Macmini6,2 2012 i7 2.3 GHz [Root Port 00:1c.1 = 8086:1e12]
MacBookPro8,1 2011 13" [Root Port 00:1c.1 = 8086:1c12]
MacBookPro8,2 2011 15" [Root Port 00:1c.1 = 8086:1c12]
MacBookPro8,3 2011 17" [Root Port 00:1c.1 = 8086:1c12]
MacBookPro9,1 2012 15" [Root Port 00:1c.1 = 8086:1e12]
MacBookPro9,2 2012 13" [Root Port 00:1c.1 = 8086:1e12]
MacBookPro10,1 2012 15" [Root Port 00:1c.1 = 8086:1e12]
MacBookPro10,2 2012 13" [Root Port 00:1c.1 = 8086:1e12]

For posterity, spurious interrupts caused by the Broadcom 4331 wireless
card resulted in splats like this (stacktrace omitted):

irq 17: nobody cared (try booting with the "irqpoll" option)
handlers:
[<ffffffff81374370>] pcie_isr
[<ffffffffc0704550>] sdhci_irq [sdhci] threaded [<ffffffffc07013c0>] sdhci_thread_irq [sdhci]
[<ffffffffc0a0b960>] azx_interrupt [snd_hda_codec]
Disabling IRQ #17

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=79301
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111781
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=728916
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=895951#c16
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1009819
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1098621
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1149632#c5
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1279130
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1332732
Tested-by: Konstantin Simanov <[email protected]> # [MacBookPro8,1]
Tested-by: Lukas Wunner <[email protected]> # [MacBookPro9,1]
Tested-by: Bryan Paradis <[email protected]> # [MacBookPro9,2]
Tested-by: Andrew Worsley <[email protected]> # [MacBookPro10,1]
Tested-by: Chris Bainbridge <[email protected]> # [MacBookPro10,2]
Signed-off-by: Lukas Wunner <[email protected]>
Acked-by: Rafał Miłecki <[email protected]>
Acked-by: Matt Fleming <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Bjorn Helgaas <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Chris Milsted <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Matthew Garrett <[email protected]>
Cc: Michael Buesch <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Yinghai Lu <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Link: http://lkml.kernel.org/r/48d0972ac82a53d460e5fce77a07b2560db95203.1465690253.git.lukas@wunner.de
[ Did minor readability edits. ]
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.2:
- early_ioremap() is declared in <asm/io.h> not <asm/early_ioremap.h>
- Add definition of BCMA_RESET_ST
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/early-quirks.c | 64 ++++++++++++++++++++++++++++++++++++++++++
drivers/bcma/bcma_private.h | 2 --
include/linux/bcma/bcma.h | 1 +
3 files changed, 65 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -11,13 +11,20 @@

#include <linux/pci.h>
#include <linux/acpi.h>
+#include <linux/delay.h>
+#include <linux/dmi.h>
#include <linux/pci_ids.h>
+#include <linux/bcma/bcma.h>
+#include <linux/bcma/bcma_regs.h>
#include <asm/pci-direct.h>
#include <asm/dma.h>
#include <asm/io_apic.h>
#include <asm/apic.h>
#include <asm/iommu.h>
#include <asm/gart.h>
+#include <asm/io.h>
+
+#define dev_err(msg) pr_err("pci 0000:%02x:%02x.%d: %s", bus, slot, func, msg)

static void __init fix_hypertransport_config(int num, int slot, int func)
{
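Review bot: the `#define dev_err(msg) pr_err("pci 0000:%02x:%02x.%d: %s", bus, slot, func, msg)` added here reuses the name of the kernel-wide `dev_err()` helper with a different arity and silently captures the local variables `bus`, `slot` and `func` of whichever function expands it. A distinct name with explicit parameters, e.g. `early_pci_err(bus, slot, func, msg)`, would avoid shadowing and make the dependency visible; and since its only users are in `apple_airport_reset()` further down in this patch, it belongs next to that function (or should be `#undef`'d after it) rather than at the top of the file among the includes.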
@@ -199,6 +206,62 @@ static void __init ati_bugs_contd(int nu
}
#endif

+#define BCM4331_MMIO_SIZE 16384
+#define BCM4331_PM_CAP 0x40
+#define bcma_aread32(reg) ioread32(mmio + 1 * BCMA_CORE_SIZE + reg)
+#define bcma_awrite32(reg, val) iowrite32(val, mmio + 1 * BCMA_CORE_SIZE + reg)
+
+static void __init apple_airport_reset(int bus, int slot, int func)
+{
+ void __iomem *mmio;
+ u16 pmcsr;
+ u64 addr;
+ int i;
+
+ if (!dmi_match(DMI_SYS_VENDOR, "Apple Inc."))
+ return;
+
+ /* Card may have been put into PCI_D3hot by grub quirk */
+ pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+
+ if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+ pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+ write_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL, pmcsr);
+ mdelay(10);
+
+ pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+ if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+ dev_err("Cannot power up Apple AirPort card\n");
+ return;
+ }
+ }
+
+ addr = read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_0);
+ addr |= (u64)read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_1) << 32;
+ addr &= PCI_BASE_ADDRESS_MEM_MASK;
+
+ mmio = early_ioremap(addr, BCM4331_MMIO_SIZE);
+ if (!mmio) {
+ dev_err("Cannot iomap Apple AirPort card\n");
+ return;
+ }
+
+ pr_info("Resetting Apple AirPort card (left enabled by EFI)\n");
+
+ for (i = 0; bcma_aread32(BCMA_RESET_ST) && i < 30; i++)
+ udelay(10);
+
+ bcma_awrite32(BCMA_RESET_CTL, BCMA_RESET_CTL_RESET);
+ bcma_aread32(BCMA_RESET_CTL);
+ udelay(1);
+
+ bcma_awrite32(BCMA_RESET_CTL, 0);
+ bcma_aread32(BCMA_RESET_CTL);
+ udelay(10);
+
+ early_iounmap(mmio, BCM4331_MMIO_SIZE);
+}
+
#define QFLAG_APPLY_ONCE 0x1
#define QFLAG_APPLIED 0x2
#define QFLAG_DONE (QFLAG_APPLY_ONCE|QFLAG_APPLIED)
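Review bot: the wait loop `for (i = 0; bcma_aread32(BCMA_RESET_ST) && i < 30; i++) udelay(10);` gives up silently after 30 iterations and proceeds to assert reset regardless; logging when the timeout is hit would make a core that never leaves reset diagnosable instead of showing up as the same random crash the commit message describes. Two smaller points: `addr |= (u64)read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_1) << 32` assumes BAR 0 is a 64-bit BAR without testing `PCI_BASE_ADDRESS_MEM_TYPE_64` (acceptable given the hardcoding the message admits to, but worth a one-line comment), and the `mdelay(10)` after clearing the power-state bits deserves a comment saying it is the recovery time after the D3hot to D0 transition, so it is not later "optimised" away.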
@@ -222,6 +285,8 @@ static struct chipset early_qrk[] __init
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs },
{ PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_SBX00_SMBUS,
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs_contd },
+ { PCI_VENDOR_ID_BROADCOM, 0x4331,
+ PCI_CLASS_NETWORK_OTHER, PCI_ANY_ID, 0, apple_airport_reset},
{}
};

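Review bot: the new table entry uses the bare device id `0x4331` next to the symbolic `PCI_VENDOR_ID_BROADCOM`; a named constant or a short comment naming the BCM4331 would make the match self-documenting. Because the flags field is 0 rather than `QFLAG_APPLY_ONCE`, the quirk runs for every matching function the early scan finds, and the only thing restricting it to the affected Macs is the `dmi_match(DMI_SYS_VENDOR, "Apple Inc.")` test inside `apple_airport_reset()`; a comment at the entry would save the next reader from tracing that.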
--- a/drivers/bcma/bcma_private.h
+++ b/drivers/bcma/bcma_private.h
@@ -8,8 +8,6 @@
#include <linux/bcma/bcma.h>
#include <linux/delay.h>

-#define BCMA_CORE_SIZE 0x1000
-
struct bcma_bus;

/* main.c */
--- a/include/linux/bcma/bcma.h
+++ b/include/linux/bcma/bcma.h
@@ -124,6 +124,7 @@ struct bcma_host_ops {
#define BCMA_CORE_DEFAULT 0xFFF

#define BCMA_MAX_NR_CORES 16
+#define BCMA_CORE_SIZE 0x1000

struct bcma_device {
struct bcma_bus *bus;
--- a/include/linux/bcma/bcma_regs.h
+++ b/include/linux/bcma/bcma_regs.h
@@ -35,6 +35,7 @@
#define BCMA_IOST_BIST_DONE 0x8000
#define BCMA_RESET_CTL 0x0800
#define BCMA_RESET_CTL_RESET 0x0001
+#define BCMA_RESET_ST 0x0804

/* BCMA PCI config space registers. */
#define BCMA_PCI_PMCSR 0x44
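Review bot: the diffstat at the top of this patch lists three files (early-quirks.c, bcma_private.h, bcma.h) with "65 insertions(+), 2 deletions(-)", but this fourth hunk also modifies include/linux/bcma/bcma_regs.h to add `#define BCMA_RESET_ST 0x0804`, which is the "Add definition of BCMA_RESET_ST" item in the backport note. Please regenerate the diffstat so it matches the hunks actually posted.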

2016-11-14 02:08:01

by Ben Hutchings

Subject: [PATCH 3.2 102/152] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Karl Beldan <[email protected]>

commit f6d7c1b5598b6407c3f1da795dd54acf99c1990c upstream.

This fixes subpage writes when using 4-bit HW ECC.

There have been numerous reports about ECC errors with devices using this
driver for a while. Also the 4-bit ECC has been reported as broken with
subpages in [1] and with 16-bit NANDs in the driver and in mach* board
files both in mainline and in the vendor BSPs.

What I saw with 4-bit ECC on a 16-bit NAND (on an LCDK) which got me to
try reinitializing the ECC engine:
- R/W on whole pages properly generates/checks RS code
- try writing the 1st subpage only of a blank page, the subpage is well
written and the RS code properly generated, re-reading the same page
the HW detects some ECC error, reading the same page again no ECC
error is detected

Note that the ECC engine is already reinitialized in the 1-bit case.

Tested on my LCDK with UBI+UBIFS using subpages.
This could potentially get rid of the issue worked around in [1].

[1] 28c015a9daab ("mtd: davinci-nand: disable subpage write for keystone-nand")

Fixes: 6a4123e581b3 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage")
Signed-off-by: Karl Beldan <[email protected]>
Acked-by: Boris Brezillon <[email protected]>
Signed-off-by: Brian Norris <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/mtd/nand/davinci_nand.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/mtd/nand/davinci_nand.c
+++ b/drivers/mtd/nand/davinci_nand.c
@@ -239,6 +239,9 @@ static void nand_davinci_hwctl_4bit(stru
unsigned long flags;
u32 val;

+ /* Reset ECC hardware */
+ davinci_nand_readl(info, NAND_4BIT_ECC1_OFFSET);
+
spin_lock_irqsave(&davinci_nand_lock, flags);

/* Start 4-bit ECC calculation for read/write */
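Review bot: `davinci_nand_readl(info, NAND_4BIT_ECC1_OFFSET);` discards its return value, and the one-line comment `/* Reset ECC hardware */` is the only hint that the read itself has a side effect; spell out that reading the ECC1 register reinitializes the 4-bit ECC engine (as the commit message explains) so a later cleanup does not remove an apparently unused read. The read is also issued before `spin_lock_irqsave(&davinci_nand_lock, flags)`; the message says the 1-bit path already does the same reinitialization, so check whether that path does it under the lock and keep the two consistent.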

2016-11-14 02:08:00

by Ben Hutchings

Subject: [PATCH 3.2 142/152] KEYS: Fix short sprintf buffer in /proc/keys show function

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Howells <[email protected]>

commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
[<ffffffff813d941f>] dump_stack+0x63/0x84
[<ffffffff811b2cb6>] panic+0xde/0x22a
[<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
[<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
[<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
[<ffffffff81350410>] ? key_validate+0x50/0x50
[<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
[<ffffffff8126b31c>] seq_read+0x2cc/0x390
[<ffffffff812b6b12>] proc_reg_read+0x42/0x70
[<ffffffff81244fc7>] __vfs_read+0x37/0x150
[<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
[<ffffffff81246156>] vfs_read+0x96/0x130
[<ffffffff81247635>] SyS_read+0x55/0xc0
[<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

Reported-by: Ondrej Kozina <[email protected]>
Signed-off-by: David Howells <[email protected]>
Tested-by: Ondrej Kozina <[email protected]>
Signed-off-by: James Morris <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
security/keys/proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -188,7 +188,7 @@ static int proc_keys_show(struct seq_fil
struct timespec now;
unsigned long timo;
key_ref_t key_ref, skey_ref;
- char xbuf[12];
+ char xbuf[16];
int rc;

key_ref = make_key_ref(key, 0);
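Review bot: widening `char xbuf[12];` to `char xbuf[16];` fixes this instance, but the `sprintf()` that fills it is unbounded and is not in this hunk; converting it to `snprintf(xbuf, sizeof(xbuf), ...)` would turn any future width miscalculation into truncated output instead of stack corruption, which is what the stack protector is currently catching for you. A comment next to the declaration recording the derivation (the message's `30500568904943` is 14 digits plus NUL, rounded up to 16) would stop the size from looking arbitrary.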

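The commit message above works out why a 12-byte buffer is too small once a 64-bit timeout is rendered in weeks. The following C, added here as an illustration and not code from the patch or from the kernel's keys code, reproduces that arithmetic and contrasts a bounded `snprintf()` with the unbounded `sprintf()` the message describes. The `"<weeks>w"` output format and the helper names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Seconds per week, the same 60*60*24*7 the message evaluates in gdb. */
#define SECS_PER_WEEK (60ULL * 60 * 24 * 7)

/* Number of decimal digits needed to print v (at least 1). */
static int decimal_width(uint64_t v)
{
	int n = 1;

	while (v >= 10) {
		v /= 10;
		n++;
	}
	return n;
}

/* Widest "weeks" figure a 64-bit timeout can produce: the digit count of
 * UINT64_MAX / SECS_PER_WEEK, i.e. of 30500568904943. */
int max_weeks_digits(void)
{
	return decimal_width(UINT64_MAX / SECS_PER_WEEK);
}

/* Bytes a formatted "<weeks>w" string occupies, including the NUL.
 * The 'w' unit suffix is an assumption of this example. */
size_t weeks_buf_needed(uint64_t timeout_secs)
{
	return (size_t)decimal_width(timeout_secs / SECS_PER_WEEK)
	       + 1 /* 'w' */ + 1 /* NUL */;
}

/* Bounded rendering: writes at most buflen bytes and reports whether the
 * whole string fit. An unbounded sprintf() into a 12-byte stack buffer
 * would instead overrun the stack for large timeouts (the bug fixed above). */
int render_weeks(char *buf, size_t buflen, uint64_t timeout_secs)
{
	int n = snprintf(buf, buflen, "%lluw",
			 (unsigned long long)(timeout_secs / SECS_PER_WEEK));

	return n >= 0 && (size_t)n < buflen;
}

/* Would a buffer of buflen bytes (at most 32 here) hold the rendering? */
int weeks_fits(size_t buflen, uint64_t timeout_secs)
{
	char scratch[32];

	if (buflen > sizeof(scratch))
		buflen = sizeof(scratch);
	return render_weeks(scratch, buflen, timeout_secs);
}

int main(void)
{
	char xbuf[16];	/* the size the patch settles on */

	printf("max weeks digits: %d\n", max_weeks_digits());
	printf("UINT64_MAX fits in 12: %d, in 16: %d\n",
	       weeks_fits(12, UINT64_MAX), weeks_fits(16, UINT64_MAX));
	if (render_weeks(xbuf, sizeof(xbuf), UINT64_MAX))
		printf("rendered: %s\n", xbuf);
	return 0;
}
```

The `weeks_fits()` helper is what a regression test for this class of bug looks like: feed the extreme value the type allows, not a typical one, and assert that the rendering fits the declared buffer.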
2016-11-14 02:08:36

by Ben Hutchings

Subject: [PATCH 3.2 147/152] Btrfs: skip adding an acl attribute if we don't have to

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liu Bo <[email protected]>

commit 755ac67f83e515af55adbfe55134eb7d90839cdb upstream.

If the acl can be exactly represented in the traditional file
mode permission bits, we don't set another acl attribute.

Signed-off-by: Liu Bo <[email protected]>
Signed-off-by: Chris Mason <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/btrfs/acl.c | 2 ++
1 file changed, 2 insertions(+)

--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -121,6 +121,8 @@ static int btrfs_set_acl(struct btrfs_tr
ret = posix_acl_equiv_mode(acl, &inode->i_mode);
if (ret < 0)
return ret;
+ if (ret == 0)
+ acl = NULL;
}
ret = 0;
break;
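Review bot: setting `acl = NULL` when `posix_acl_equiv_mode()` returns 0 changes what the rest of the function does with `acl`, but nothing in the hunk says so; a comment such as `/* ACL fully representable in i_mode: don't store an xattr */` would keep the unconditional `ret = 0;` that follows from being read as discarding the equiv_mode result. Please also confirm that the code after the `switch` treats a NULL `acl` as "remove the attribute" rather than as an error, since that is what this hunk now relies on.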

2016-11-14 02:09:02

by Ben Hutchings

Subject: [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Stefan Richter <[email protected]>

commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.

The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams. A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
- GASP header, unfragmented encapsulation header, or fragment
encapsulation header actually exists before we access it,
- the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin <[email protected]>
Reviewed-by: Eyal Itkin <[email protected]>
Fixes: CVE 2016-8633
Signed-off-by: Stefan Richter <[email protected]>
[bwh: Backported to 3.2: fwnet_receive_broadcast() never matches IPv6 packets]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -677,6 +677,9 @@ static int fwnet_incoming_packet(struct
int retval;
u16 ether_type;

+ if (len <= RFC2374_UNFRAG_HDR_SIZE)
+ return 0;
+
hdr.w0 = be32_to_cpu(buf[0]);
lf = fwnet_get_hdr_lf(&hdr);
if (lf == RFC2374_HDR_UNFRAG) {
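Review bot: `if (len <= RFC2374_UNFRAG_HDR_SIZE) return 0;` drops a malformed packet but reports success and leaves no trace, so a stream of such packets is invisible to the operator; incrementing a drop counter on the net_device (rx_errors or rx_length_errors) or a ratelimited debug message would make the malformed input observable. The `<=` is correct: it rejects both a truncated header and a header followed by zero payload bytes, which is the second bullet of the commit message.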
@@ -702,7 +705,12 @@ static int fwnet_incoming_packet(struct
return fwnet_finish_incoming_packet(net, skb, source_node_id,
is_broadcast, ether_type);
}
+
/* A datagram fragment has been received, now the fun begins. */
+
+ if (len <= RFC2374_FRAG_HDR_SIZE)
+ return 0;
+
hdr.w1 = ntohl(buf[1]);
buf += 2;
len -= RFC2374_FRAG_HDR_SIZE;
@@ -716,6 +724,9 @@ static int fwnet_incoming_packet(struct
datagram_label = fwnet_get_hdr_dgl(&hdr);
dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */

+ if (fg_off + len > dg_size)
+ return 0;
+
spin_lock_irqsave(&dev->lock, flags);

peer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);
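Review bot: the new `if (fg_off + len > dg_size) return 0;` is the core of the fix, yet it sits directly under `dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */`, an unresolved question about whether the header field encodes the size minus one. If it does, a fragment that ends exactly at the true end of the datagram is now wrongly dropped; if it does not, the check is exact. Resolve the `???` against RFC 2734 before relying on the field for bounds, and note in a comment that `len` is already the payload length here because the previous hunk subtracts `RFC2374_FRAG_HDR_SIZE`.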
@@ -822,6 +833,22 @@ static void fwnet_receive_packet(struct
fw_send_response(card, r, rcode);
}

+static int gasp_source_id(__be32 *p)
+{
+ return be32_to_cpu(p[0]) >> 16;
+}
+
+static u32 gasp_specifier_id(__be32 *p)
+{
+ return (be32_to_cpu(p[0]) & 0xffff) << 8 |
+ (be32_to_cpu(p[1]) & 0xff000000) >> 24;
+}
+
+static u32 gasp_version(__be32 *p)
+{
+ return be32_to_cpu(p[1]) & 0xffffff;
+}
+
static void fwnet_receive_broadcast(struct fw_iso_context *context,
u32 cycle, size_t header_length, void *header, void *data)
{
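Review bot: `gasp_source_id()` returns `int` while the variable it replaces was `u16 source_node_id` and its two siblings return `u32`; returning `u16` keeps the 16-bit truncation explicit and the three helpers consistent. Each helper reads `p[0]` and `p[1]`, so their contract is that at least two words are valid at `p`; say so in a comment, because the caller's `length > IEEE1394_GASP_HDR_SIZE` test is the only thing that guarantees it.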
@@ -832,9 +859,6 @@ static void fwnet_receive_broadcast(stru
__be32 *buf_ptr;
int retval;
u32 length;
- u16 source_node_id;
- u32 specifier_id;
- u32 ver;
unsigned long offset;
unsigned long flags;

@@ -852,17 +876,13 @@ static void fwnet_receive_broadcast(stru

spin_unlock_irqrestore(&dev->lock, flags);

- specifier_id = (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8
- | (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;
- ver = be32_to_cpu(buf_ptr[1]) & 0xffffff;
- source_node_id = be32_to_cpu(buf_ptr[0]) >> 16;
-
- if (specifier_id == IANA_SPECIFIER_ID && ver == RFC2734_SW_VERSION) {
- buf_ptr += 2;
- length -= IEEE1394_GASP_HDR_SIZE;
- fwnet_incoming_packet(dev, buf_ptr, length, source_node_id,
+ if (length > IEEE1394_GASP_HDR_SIZE &&
+ gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&
+ gasp_version(buf_ptr) == RFC2734_SW_VERSION)
+ fwnet_incoming_packet(dev, buf_ptr + 2,
+ length - IEEE1394_GASP_HDR_SIZE,
+ gasp_source_id(buf_ptr),
context->card->generation, true);
- }

packet.payload_length = dev->rcv_buffer_size;
packet.interrupt = 1;
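Review bot: the condition depends on `&&` short-circuiting so that `gasp_specifier_id(buf_ptr)` and `gasp_version(buf_ptr)` are evaluated only after `length > IEEE1394_GASP_HDR_SIZE` holds; a comment noting that the operand order is load-bearing would stop a later tidy-up from reordering them. The braces around the multi-line `fwnet_incoming_packet(...)` call were removed as well; kernel style allows that, but keeping them would make the four-line statement safer to edit.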

2016-11-14 02:08:57

by Ben Hutchings

Subject: [PATCH 3.2 141/152] Bluetooth: Fix potential NULL dereference in RFCOMM bind callback

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jaganath Kanakkassery <[email protected]>

commit 951b6a0717db97ce420547222647bcc40bf1eacd upstream.

addr can be NULL and it should not be dereferenced before NULL checking.

Signed-off-by: Jaganath Kanakkassery <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
[bwh: Backported to 3.2:
- There's no 'chan' variable
- Keep using batostr() to log addresses
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/bluetooth/rfcomm/sock.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)

--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -349,15 +349,19 @@ static int rfcomm_sock_create(struct net

static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
{
- struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
+ struct sockaddr_rc sa;
struct sock *sk = sock->sk;
- int err = 0;
-
- BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
+ int len, err = 0;

if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;

+ memset(&sa, 0, sizeof(sa));
+ len = min_t(unsigned int, sizeof(sa), addr_len);
+ memcpy(&sa, addr, len);
+
+ BT_DBG("sk %p %s", sk, batostr(&sa.rc_bdaddr));
+
lock_sock(sk);

if (sk->sk_state != BT_OPEN) {
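Review bot: `len = min_t(unsigned int, sizeof(sa), addr_len); memcpy(&sa, addr, len);` stops the over-read, but a caller that passes an `addr_len` smaller than `sizeof(sa)` now binds with whatever the `memset()` left behind (a zero `rc_channel` and an all-zero `rc_bdaddr`) instead of being rejected; returning `-EINVAL` when `addr_len < sizeof(sa)` would be stricter and is the usual `bind()` behaviour. The cast is worth a comment too: a negative `addr_len` becomes a large unsigned value and `min_t` then selects `sizeof(sa)`, so the copy stays bounded either way.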
@@ -372,12 +376,13 @@ static int rfcomm_sock_bind(struct socke

write_lock_bh(&rfcomm_sk_list.lock);

- if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
+ if (sa.rc_channel &&
+ __rfcomm_get_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
err = -EADDRINUSE;
} else {
/* Save source address */
- bacpy(&bt_sk(sk)->src, &sa->rc_bdaddr);
- rfcomm_pi(sk)->channel = sa->rc_channel;
+ bacpy(&bt_sk(sk)->src, &sa.rc_bdaddr);
+ rfcomm_pi(sk)->channel = sa.rc_channel;
sk->sk_state = BT_BOUND;
}


2016-11-14 02:09:43

by Ben Hutchings

Subject: [PATCH 3.2 139/152] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <[email protected]>

commit 2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8 upstream.

Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid
instead of the previous dst_pid which was copied from in_skb's portid.
Since the skb is new the portid is 0 at that point so the packets are sent
to the kernel and we get scheduling while atomic or a deadlock (depending
on where it happens) by trying to acquire rtnl two times.
Also since this is RTM_GETROUTE, it can be triggered by a normal user.

Here's the sleeping while atomic trace:
[ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
[ 7858.212881] 2 locks held by swapper/0/0:
[ 7858.213013] #0: (((&mrt->ipmr_expire_timer))){+.-...}, at: [<ffffffff810fbbf5>] call_timer_fn+0x5/0x350
[ 7858.213422] #1: (mfc_unres_lock){+.....}, at: [<ffffffff8161e005>] ipmr_expire_process+0x25/0x130
[ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179
[ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 7858.214108] 0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000
[ 7858.214412] ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e
[ 7858.214716] 000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f
[ 7858.215251] Call Trace:
[ 7858.215412] <IRQ> [<ffffffff813a7804>] dump_stack+0x85/0xc1
[ 7858.215662] [<ffffffff810a4a72>] ___might_sleep+0x192/0x250
[ 7858.215868] [<ffffffff810a4b9f>] __might_sleep+0x6f/0x100
[ 7858.216072] [<ffffffff8165bea3>] mutex_lock_nested+0x33/0x4d0
[ 7858.216279] [<ffffffff815a7a5f>] ? netlink_lookup+0x25f/0x460
[ 7858.216487] [<ffffffff8157474b>] rtnetlink_rcv+0x1b/0x40
[ 7858.216687] [<ffffffff815a9a0c>] netlink_unicast+0x19c/0x260
[ 7858.216900] [<ffffffff81573c70>] rtnl_unicast+0x20/0x30
[ 7858.217128] [<ffffffff8161cd39>] ipmr_destroy_unres+0xa9/0xf0
[ 7858.217351] [<ffffffff8161e06f>] ipmr_expire_process+0x8f/0x130
[ 7858.217581] [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.217785] [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.217990] [<ffffffff810fbc95>] call_timer_fn+0xa5/0x350
[ 7858.218192] [<ffffffff810fbbf5>] ? call_timer_fn+0x5/0x350
[ 7858.218415] [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.218656] [<ffffffff810fde10>] run_timer_softirq+0x260/0x640
[ 7858.218865] [<ffffffff8166379b>] ? __do_softirq+0xbb/0x54f
[ 7858.219068] [<ffffffff816637c8>] __do_softirq+0xe8/0x54f
[ 7858.219269] [<ffffffff8107a948>] irq_exit+0xb8/0xc0
[ 7858.219463] [<ffffffff81663452>] smp_apic_timer_interrupt+0x42/0x50
[ 7858.219678] [<ffffffff816625bc>] apic_timer_interrupt+0x8c/0xa0
[ 7858.219897] <EOI> [<ffffffff81055f16>] ? native_safe_halt+0x6/0x10
[ 7858.220165] [<ffffffff810d64dd>] ? trace_hardirqs_on+0xd/0x10
[ 7858.220373] [<ffffffff810298e3>] default_idle+0x23/0x190
[ 7858.220574] [<ffffffff8102a20f>] arch_cpu_idle+0xf/0x20
[ 7858.220790] [<ffffffff810c9f8c>] default_idle_call+0x4c/0x60
[ 7858.221016] [<ffffffff810ca33b>] cpu_startup_entry+0x39b/0x4d0
[ 7858.221257] [<ffffffff8164f995>] rest_init+0x135/0x140
[ 7858.221469] [<ffffffff81f83014>] start_kernel+0x50e/0x51b
[ 7858.221670] [<ffffffff81f82120>] ? early_idt_handler_array+0x120/0x120
[ 7858.221894] [<ffffffff81f8243f>] x86_64_start_reservations+0x2a/0x2c
[ 7858.222113] [<ffffffff81f8257c>] x86_64_start_kernel+0x13b/0x14a

Fixes: 2942e9005056 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts")
Signed-off-by: Nikolay Aleksandrov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2:
- Use 'pid' instead of 'portid' where necessary
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/mroute.h | 2 +-
include/linux/mroute6.h | 2 +-
net/ipv4/ipmr.c | 3 ++-
net/ipv4/route.c | 3 ++-
net/ipv6/ip6mr.c | 5 +++--
net/ipv6/route.c | 4 +++-
6 files changed, 12 insertions(+), 7 deletions(-)

--- a/include/linux/mroute.h
+++ b/include/linux/mroute.h
@@ -245,7 +245,7 @@ struct mfc_cache {
struct rtmsg;
extern int ipmr_get_route(struct net *net, struct sk_buff *skb,
__be32 saddr, __be32 daddr,
- struct rtmsg *rtm, int nowait);
+ struct rtmsg *rtm, int nowait, u32 portid);
#endif

#endif
--- a/include/linux/mroute6.h
+++ b/include/linux/mroute6.h
@@ -228,7 +228,7 @@ struct mfc6_cache {
#ifdef __KERNEL__
struct rtmsg;
extern int ip6mr_get_route(struct net *net, struct sk_buff *skb,
- struct rtmsg *rtm, int nowait);
+ struct rtmsg *rtm, int nowait, u32 portid);

#ifdef CONFIG_IPV6_MROUTE
extern struct sock *mroute6_socket(struct net *net, struct sk_buff *skb);
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -2058,7 +2058,7 @@ rtattr_failure:

int ipmr_get_route(struct net *net, struct sk_buff *skb,
__be32 saddr, __be32 daddr,
- struct rtmsg *rtm, int nowait)
+ struct rtmsg *rtm, int nowait, u32 portid)
{
struct mfc_cache *cache;
struct mr_table *mrt;
@@ -2098,6 +2098,7 @@ int ipmr_get_route(struct net *net, stru
return -ENOMEM;
}

+ NETLINK_CB(skb2).pid = portid;
skb_push(skb2, sizeof(struct iphdr));
skb_reset_network_header(skb2);
iph = ip_hdr(skb2);
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3077,7 +3077,8 @@ static int rt_fill_info(struct net *net,
IPV4_DEVCONF_ALL(net, MC_FORWARDING)) {
int err = ipmr_get_route(net, skb,
rt->rt_src, rt->rt_dst,
- r, nowait);
+ r, nowait, pid);
+
if (err <= 0) {
if (!nowait) {
if (err == 0)
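Review bot: the `pid` now passed to `ipmr_get_route()` is not declared within this hunk; please confirm it is the netlink port id of the requesting socket that `rt_fill_info()` receives (the value the commit message says must replace the zero portid of the freshly allocated skb), not a process id, since in 3.2 the field is still spelled `NETLINK_CB(skb2).pid`. The same question applies to the `ip6mr_get_route(net, skb, rtm, nowait, pid)` call in the net/ipv6/route.c hunk below.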
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -2137,8 +2137,8 @@ rtattr_failure:
return -EMSGSIZE;
}

-int ip6mr_get_route(struct net *net,
- struct sk_buff *skb, struct rtmsg *rtm, int nowait)
+int ip6mr_get_route(struct net *net, struct sk_buff *skb, struct rtmsg *rtm,
+ int nowait, u32 portid)
{
int err;
struct mr6_table *mrt;
@@ -2176,6 +2176,7 @@ int ip6mr_get_route(struct net *net,
return -ENOMEM;
}

+ NETLINK_CB(skb2).pid = portid;
skb_reset_transport_header(skb2);

skb_put(skb2, sizeof(struct ipv6hdr));
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2416,7 +2416,9 @@ static int rt6_fill_node(struct net *net
if (iif) {
#ifdef CONFIG_IPV6_MROUTE
if (ipv6_addr_is_multicast(&rt->rt6i_dst.addr)) {
- int err = ip6mr_get_route(net, skb, rtm, nowait);
+ int err = ip6mr_get_route(net, skb, rtm, nowait,
+ pid);
+
if (err <= 0) {
if (!nowait) {
if (err == 0)

2016-11-14 02:09:40

by Ben Hutchings

Subject: [PATCH 3.2 149/152] [media] usbvision: revert commit 588afcc1

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <[email protected]>

commit d5468d7afaa9c9e961e150f0455a14a9f4872a98 upstream.

Commit 588afcc1c0e4 ("[media] usbvision fix overflow of interfaces
array") should be reverted, because:

* "!dev->actconfig->interface[ifnum]" won't catch a case where the value
is not NULL but some garbage. This way the system may crash later with
GPF.

* "(ifnum >= USB_MAXINTERFACES)" does not cover all the error
conditions. "ifnum" should be compared to
"dev->actconfig->desc.bNumInterfaces", i.e. compared to the number of
"struct usb_interface" kzalloc()-ed, not to USB_MAXINTERFACES.

* There is a "struct usb_device" leak in this error path, as there is
usb_get_dev(), but no usb_put_dev() on this path.

* There is a bug of the same type several lines below with number of
endpoints. The code is accessing hard-coded second endpoint
("interface->endpoint[1].desc") which may not exist. It would be great
to handle this in the same patch too.

* All the concerns above are resolved by already-accepted commit fa52bd50
("[media] usbvision: fix crash on detecting device with invalid
configuration")

* Mailing list message:
http://www.spinics.net/lists/linux-media/msg94832.html

Signed-off-by: Vladis Dronov <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Cc: Luis Henriques <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/video/usbvision/usbvision-video.c | 7 -------
1 file changed, 7 deletions(-)

--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
@@ -1502,13 +1502,6 @@ static int __devinit usbvision_probe(str
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);

- /*
- * this is a security check.
- * an exploit using an incorrect bInterfaceNumber is known
- */
- if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
- return -ENODEV;
-
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
else if (ifnum < dev->actconfig->desc.bNumInterfaces)
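Review bot: the removed block was the only guard before `dev->actconfig->interface[...]` is dereferenced in the `usbvision_device_data[model].interface >= 0` branch, and the message justifies the revert solely by "All the concerns above are resolved by already-accepted commit fa52bd50". The backport note says only "adjust filename", so this note or the cover letter should state that fa52bd50 is already in 3.2 (or is part of this series); otherwise the revert reopens the crash that the deleted comment calls "a security check".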

2016-11-14 02:09:39

by Ben Hutchings

Subject: [PATCH 3.2 132/152] xfrm: Fix memory leak of aead algorithm name

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ilan Tayari <[email protected]>

commit b588479358ce26f32138e0f0a7ab0678f8e3e601 upstream.

commit 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
introduced aead. The function attach_aead kmemdup()s the algorithm
name during xfrm_state_construct().
However this memory is never freed.
Implementation has since been slightly modified in
commit ee5c23176fcc ("xfrm: Clone states properly on migration")
without resolving this leak.
This patch adds a kfree() call for the aead algorithm name.

Fixes: 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
Signed-off-by: Ilan Tayari <[email protected]>
Acked-by: Rami Rosen <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -351,6 +351,7 @@ static void xfrm_state_gc_destroy(struct
{
tasklet_hrtimer_cancel(&x->mtimer);
del_timer_sync(&x->rtimer);
+ kfree(x->aead);
kfree(x->aalg);
kfree(x->ealg);
kfree(x->calg);

2016-11-14 02:10:23

by Ben Hutchings

Subject: [PATCH 3.2 145/152] fs: Give dentry to inode_change_ok() instead of inode

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
[bwh: Backported to 3.2:
- Drop changes to f2fs, lustre, orangefs, overlayfs
- Adjust filenames, context
- In nfsd, pass dentry to nfsd_sanitize_attrs()
- In xfs, pass dentry to xfs_change_file_space(), xfs_set_mode(),
xfs_setattr_nonsize(), and xfs_setattr_size()
- Update ext3 as well
- Mark pohmelfs as BROKEN; it's long dead upstream]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/Documentation/filesystems/porting
+++ b/Documentation/filesystems/porting
@@ -288,8 +288,8 @@ implementing on-disk size changes. Star
and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
be in order of zeroing blocks using block_truncate_page or similar helpers,
size update and on finally on-disk truncation which should not fail.
-inode_change_ok now includes the size checks for ATTR_SIZE and must be called
-in the beginning of ->setattr unconditionally.
+setattr_prepare (which used to be inode_change_ok) now includes the size checks
+for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.

[mandatory]

--- a/drivers/staging/pohmelfs/Kconfig
+++ b/drivers/staging/pohmelfs/Kconfig
@@ -1,5 +1,6 @@
config POHMELFS
tristate "POHMELFS filesystem support"
+ depends on BROKEN
depends on NET
select CONNECTOR
select CRYPTO
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -1068,7 +1068,7 @@ static int v9fs_vfs_setattr(struct dentr
struct p9_wstat wstat;

P9_DPRINTK(P9_DEBUG_VFS, "\n");
- retval = inode_change_ok(dentry->d_inode, iattr);
+ retval = setattr_prepare(dentry, iattr);
if (retval)
return retval;

--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -538,7 +538,7 @@ int v9fs_vfs_setattr_dotl(struct dentry

P9_DPRINTK(P9_DEBUG_VFS, "\n");

- retval = inode_change_ok(dentry->d_inode, iattr);
+ retval = setattr_prepare(dentry, iattr);
if (retval)
return retval;

--- a/fs/adfs/inode.c
+++ b/fs/adfs/inode.c
@@ -298,7 +298,7 @@ adfs_notify_change(struct dentry *dentry
unsigned int ia_valid = attr->ia_valid;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);

/*
* we can't change the UID or GID of any file -
--- a/fs/affs/inode.c
+++ b/fs/affs/inode.c
@@ -222,7 +222,7 @@ affs_notify_change(struct dentry *dentry

pr_debug("AFFS: notify_change(%lu,0x%x)\n",inode->i_ino,attr->ia_valid);

- error = inode_change_ok(inode,attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out;

--- a/fs/attr.c
+++ b/fs/attr.c
@@ -16,19 +16,22 @@
#include <linux/evm.h>

/**
- * inode_change_ok - check if attribute changes to an inode are allowed
- * @inode: inode to check
+ * setattr_prepare - check if attribute changes to a dentry are allowed
+ * @dentry: dentry to check
* @attr: attributes to change
*
* Check if we are allowed to change the attributes contained in @attr
- * in the given inode. This includes the normal unix access permission
- * checks, as well as checks for rlimits and others.
+ * in the given dentry. This includes the normal unix access permission
+ * checks, as well as checks for rlimits and others. The function also clears
+ * SGID bit from mode if user is not allowed to set it. Also file capabilities
+ * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
*
* Should be called as the first thing in ->setattr implementations,
* possibly after taking additional locks.
*/
-int inode_change_ok(const struct inode *inode, struct iattr *attr)
+int setattr_prepare(struct dentry *dentry, struct iattr *attr)
{
+ struct inode *inode = dentry->d_inode;
unsigned int ia_valid = attr->ia_valid;

/*
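Review bot: the rewritten kerneldoc promises behaviour this hunk does not add. The new comment says setattr_prepare() "also clears SGID bit from mode if user is not allowed to set it" and clears file capabilities and IMA xattrs when ATTR_KILL_PRIV is set, yet the only body change visible here is `struct inode *inode = dentry->d_inode;`; the rest of the function is untouched. If this 3.2 backport does not also carry the follow-up that implements that clearing, trim the comment to what this version really does, otherwise filesystem authors reading the doc will assume privilege stripping they are not getting.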
@@ -76,7 +79,7 @@ int inode_change_ok(const struct inode *

return 0;
}
-EXPORT_SYMBOL(inode_change_ok);
+EXPORT_SYMBOL(setattr_prepare);

/**
* inode_newsize_ok - may this inode be truncated to a given size
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -3533,7 +3533,7 @@ static int btrfs_setattr(struct dentry *
if (btrfs_root_readonly(root))
return -EROFS;

- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;

--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1541,7 +1541,7 @@ int ceph_setattr(struct dentry *dentry,

__ceph_do_pending_vmtruncate(inode);

- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err != 0)
return err;

--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -1948,7 +1948,7 @@ cifs_setattr_unix(struct dentry *direntr
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
attrs->ia_valid |= ATTR_FORCE;

- rc = inode_change_ok(inode, attrs);
+ rc = setattr_prepare(direntry, attrs);
if (rc < 0)
goto out;

@@ -2089,7 +2089,7 @@ cifs_setattr_nounix(struct dentry *diren
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
attrs->ia_valid |= ATTR_FORCE;

- rc = inode_change_ok(inode, attrs);
+ rc = setattr_prepare(direntry, attrs);
if (rc < 0) {
FreeXid(xid);
return rc;
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -1026,7 +1026,7 @@ static int ecryptfs_setattr(struct dentr
}
mutex_unlock(&crypt_stat->cs_mutex);

- rc = inode_change_ok(inode, ia);
+ rc = setattr_prepare(dentry, ia);
if (rc)
goto out;
if (ia->ia_valid & ATTR_SIZE) {
--- a/fs/exofs/inode.c
+++ b/fs/exofs/inode.c
@@ -1018,7 +1018,7 @@ int exofs_setattr(struct dentry *dentry,
if (unlikely(error))
return error;

- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (unlikely(error))
return error;

--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1530,7 +1530,7 @@ int ext2_setattr(struct dentry *dentry,
struct inode *inode = dentry->d_inode;
int error;

- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;

--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -3271,7 +3271,7 @@ int ext3_setattr(struct dentry *dentry,
int error, rc = 0;
const unsigned int ia_valid = attr->ia_valid;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4291,7 +4291,7 @@ int ext4_setattr(struct dentry *dentry,
int orphan = 0;
const unsigned int ia_valid = attr->ia_valid;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -382,7 +382,7 @@ int fat_setattr(struct dentry *dentry, s
attr->ia_valid &= ~TIMES_SET_FLAGS;
}

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
attr->ia_valid = ia_valid;
if (error) {
if (sbi->options.quiet)
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1298,7 +1298,7 @@ static int fuse_do_setattr(struct dentry
if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
attr->ia_valid |= ATTR_FORCE;

- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(entry, attr);
if (err)
return err;

--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -1646,7 +1646,7 @@ static int gfs2_setattr(struct dentry *d
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
goto out;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out;

--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -588,7 +588,7 @@ int hfs_inode_setattr(struct dentry *den
struct hfs_sb_info *hsb = HFS_SB(inode->i_sb);
int error;

- error = inode_change_ok(inode, attr); /* basic permission checks */
+ error = setattr_prepare(dentry, attr); /* basic permission checks */
if (error)
return error;

--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -292,7 +292,7 @@ static int hfsplus_setattr(struct dentry
struct inode *inode = dentry->d_inode;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -792,7 +792,7 @@ int hostfs_setattr(struct dentry *dentry

int fd = HOSTFS_I(inode)->fd;

- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;

--- a/fs/hpfs/inode.c
+++ b/fs/hpfs/inode.c
@@ -268,7 +268,7 @@ int hpfs_setattr(struct dentry *dentry,
if ((attr->ia_valid & ATTR_SIZE) && attr->ia_size > inode->i_size)
goto out_unlock;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out_unlock;

--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -422,7 +422,7 @@ static int hugetlbfs_setattr(struct dent

BUG_ON(!inode);

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -186,7 +186,7 @@ int jffs2_setattr(struct dentry *dentry,
{
int rc;

- rc = inode_change_ok(dentry->d_inode, iattr);
+ rc = setattr_prepare(dentry, iattr);
if (rc)
return rc;

--- a/fs/jfs/file.c
+++ b/fs/jfs/file.c
@@ -102,7 +102,7 @@ int jfs_setattr(struct dentry *dentry, s
struct inode *inode = dentry->d_inode;
int rc;

- rc = inode_change_ok(inode, iattr);
+ rc = setattr_prepare(dentry, iattr);
if (rc)
return rc;

--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -364,7 +364,7 @@ int simple_setattr(struct dentry *dentry

WARN_ON_ONCE(inode->i_op->truncate);

- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;

--- a/fs/logfs/file.c
+++ b/fs/logfs/file.c
@@ -241,7 +241,7 @@ static int logfs_setattr(struct dentry *
struct inode *inode = dentry->d_inode;
int err = 0;

- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;

--- a/fs/minix/file.c
+++ b/fs/minix/file.c
@@ -28,7 +28,7 @@ static int minix_setattr(struct dentry *
struct inode *inode = dentry->d_inode;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/ncpfs/inode.c
+++ b/fs/ncpfs/inode.c
@@ -880,7 +880,7 @@ int ncp_notify_change(struct dentry *den
/* ageing the dentry to force validation */
ncp_age_dentry(server, dentry);

- result = inode_change_ok(inode, attr);
+ result = setattr_prepare(dentry, attr);
if (result < 0)
goto out;

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -301,17 +301,19 @@ commit_metadata(struct svc_fh *fhp)
* NFS semantics and what Linux expects.
*/
static void
-nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
+nfsd_sanitize_attrs(struct dentry *dentry, struct iattr *iap)
{
+ struct inode *inode = dentry->d_inode;
+
/*
* NFSv2 does not differentiate between "set-[ac]time-to-now"
* which only requires access, and "set-[ac]time-to-X" which
* requires ownership.
* So if it looks like it might be "set both to the same time which
- * is close to now", and if inode_change_ok fails, then we
+ * is close to now", and if setattr_prepare fails, then we
* convert to "set to now" instead of "set to explicit time"
*
- * We only call inode_change_ok as the last test as technically
+ * We only call setattr_prepare as the last test as technically
* it is not an interface that we should be using.
*/
#define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
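Review bot: the comment still says setattr_prepare() is called "as the last test" because "it is not an interface that we should be using", and the rename makes that caveat sharper: the kerneldoc for setattr_prepare() in fs/attr.c in this same patch describes it as also clearing SGID and, under ATTR_KILL_PRIV, file capabilities, i.e. a prepare step with side effects rather than a pure check. If those side effects are present in this tree, the speculative call in nfsd_sanitize_attrs() could alter the inode before nfsd has decided what to set; a sentence here confirming that in 3.2 the function is still side-effect free would settle it.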
@@ -329,7 +331,7 @@ nfsd_sanitize_attrs(struct inode *inode,
if (delta < 0)
delta = -delta;
if (delta < MAX_TOUCH_TIME_ERROR &&
- inode_change_ok(inode, iap) != 0) {
+ setattr_prepare(dentry, iap) != 0) {
/*
* Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
* This will cause notify_change to set these times
@@ -437,7 +439,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
if (!iap->ia_valid)
goto out;

- nfsd_sanitize_attrs(inode, iap);
+ nfsd_sanitize_attrs(dentry, iap);

/*
* The size case is special, it changes the file in addition to the
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -792,7 +792,7 @@ int nilfs_setattr(struct dentry *dentry,
struct super_block *sb = inode->i_sb;
int err;

- err = inode_change_ok(inode, iattr);
+ err = setattr_prepare(dentry, iattr);
if (err)
return err;

--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -2890,7 +2890,7 @@ int ntfs_setattr(struct dentry *dentry,
int err;
unsigned int ia_valid = attr->ia_valid;

- err = inode_change_ok(vi, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
goto out;
/* We do not support NTFS ACLs yet. */
--- a/fs/ocfs2/dlmfs/dlmfs.c
+++ b/fs/ocfs2/dlmfs/dlmfs.c
@@ -212,7 +212,7 @@ static int dlmfs_file_setattr(struct den
struct inode *inode = dentry->d_inode;

attr->ia_valid &= ~ATTR_SIZE;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1127,7 +1127,7 @@ int ocfs2_setattr(struct dentry *dentry,
if (!(attr->ia_valid & OCFS2_VALID_ATTRS))
return 0;

- status = inode_change_ok(inode, attr);
+ status = setattr_prepare(dentry, attr);
if (status)
return status;

--- a/fs/omfs/file.c
+++ b/fs/omfs/file.c
@@ -345,7 +345,7 @@ static int omfs_setattr(struct dentry *d
struct inode *inode = dentry->d_inode;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -558,7 +558,7 @@ int proc_setattr(struct dentry *dentry,
if (attr->ia_valid & ATTR_MODE)
return -EPERM;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -257,7 +257,7 @@ static int proc_notify_change(struct den
struct proc_dir_entry *de = PDE(inode);
int error;

- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;

--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -387,7 +387,7 @@ static int proc_sys_setattr(struct dentr
if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
return -EPERM;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/ramfs/file-nommu.c
+++ b/fs/ramfs/file-nommu.c
@@ -164,7 +164,7 @@ static int ramfs_nommu_setattr(struct de
int ret = 0;

/* POSIX UID/GID verification for setting inode attributes */
- ret = inode_change_ok(inode, ia);
+ ret = setattr_prepare(dentry, ia);
if (ret)
return ret;

--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -3107,7 +3107,7 @@ int reiserfs_setattr(struct dentry *dent
int depth;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/sysfs/inode.c
+++ b/fs/sysfs/inode.c
@@ -114,7 +114,7 @@ int sysfs_setattr(struct dentry *dentry,
return -EINVAL;

mutex_lock(&sysfs_mutex);
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
goto out;

--- a/fs/sysv/file.c
+++ b/fs/sysv/file.c
@@ -35,7 +35,7 @@ static int sysv_setattr(struct dentry *d
struct inode *inode = dentry->d_inode;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -1260,7 +1260,7 @@ int ubifs_setattr(struct dentry *dentry,

dbg_gen("ino %lu, mode %#x, ia_valid %#x",
inode->i_ino, inode->i_mode, attr->ia_valid);
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;

--- a/fs/udf/file.c
+++ b/fs/udf/file.c
@@ -251,7 +251,7 @@ static int udf_setattr(struct dentry *de
struct inode *inode = dentry->d_inode;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/ufs/truncate.c
+++ b/fs/ufs/truncate.c
@@ -496,7 +496,7 @@ int ufs_setattr(struct dentry *dentry, s
unsigned int ia_valid = attr->ia_valid;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;

--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -80,7 +80,7 @@ static int utimes_common(struct path *pa
newattrs.ia_valid |= ATTR_MTIME_SET;
}
/*
- * Tell inode_change_ok(), that this is an explicit time
+ * Tell setattr_prepare(), that this is an explicit time
* update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET
* were used.
*/
@@ -89,7 +89,7 @@ static int utimes_common(struct path *pa
/*
* If times is NULL (or both times are UTIME_NOW),
* then we need to check permissions, because
- * inode_change_ok() won't do it.
+ * setattr_prepare() won't do it.
*/
error = -EACCES;
if (IS_IMMUTABLE(inode))
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -223,7 +223,7 @@ xfs_set_acl(struct inode *inode, int typ
}

static int
-xfs_set_mode(struct inode *inode, umode_t mode)
+xfs_set_mode(struct dentry *dentry, struct inode *inode, umode_t mode)
{
int error = 0;

@@ -234,7 +234,8 @@ xfs_set_mode(struct inode *inode, umode_
iattr.ia_mode = mode;
iattr.ia_ctime = current_fs_time(inode->i_sb);

- error = -xfs_setattr_nonsize(XFS_I(inode), &iattr, XFS_ATTR_NOACL);
+ error = -xfs_setattr_nonsize(dentry, XFS_I(inode), &iattr,
+ XFS_ATTR_NOACL);
}

return error;
@@ -290,7 +291,7 @@ xfs_inherit_acl(struct inode *inode, str
if (error > 0)
inherit = 1;

- error = xfs_set_mode(inode, mode);
+ error = xfs_set_mode(NULL, inode, mode);
if (error)
goto out;

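Review bot: the NULL dentry in `xfs_set_mode(NULL, inode, mode)` silently skips the setattr_prepare() permission check, and nothing at this call site says so. The justification lives in xfs_setattr_nonsize() in fs/xfs/xfs_iops.c ("dentry can be NULL only when we're called from xfs_inherit_acl()"); add a one-line comment here as well, e.g. `/* NULL dentry: no permission check, inheriting ACL on a new inode */`, so a future caller copying this pattern does not bypass the check by accident.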
@@ -394,7 +395,7 @@ xfs_xattr_acl_set(struct dentry *dentry,
return error;
}

- error = xfs_set_mode(inode, mode);
+ error = xfs_set_mode(dentry, inode, mode);
if (error)
goto out_release;
}
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -1026,7 +1026,8 @@ xfs_file_fallocate(
if (file->f_flags & O_DSYNC)
attr_flags |= XFS_ATTR_SYNC;

- error = -xfs_change_file_space(ip, cmd, &bf, 0, attr_flags);
+ error = -xfs_change_file_space(file->f_dentry, cmd, &bf, 0,
+ attr_flags);
if (error)
goto out_unlock;

@@ -1036,7 +1037,8 @@ xfs_file_fallocate(

iattr.ia_valid = ATTR_SIZE;
iattr.ia_size = new_size;
- error = -xfs_setattr_size(ip, &iattr, XFS_ATTR_NOLOCK);
+ error = -xfs_setattr_size(file->f_dentry, &iattr,
+ XFS_ATTR_NOLOCK);
}

out_unlock:
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -632,7 +632,8 @@ xfs_ioc_space(
if (ioflags & IO_INVIS)
attr_flags |= XFS_ATTR_DMI;

- error = xfs_change_file_space(ip, cmd, bf, filp->f_pos, attr_flags);
+ error = xfs_change_file_space(filp->f_dentry, cmd, bf, filp->f_pos,
+ attr_flags);
return -error;
}

--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -531,6 +531,7 @@ xfs_setattr_mode(

int
xfs_setattr_nonsize(
+ struct dentry *dentry,
struct xfs_inode *ip,
struct iattr *iattr,
int flags)
@@ -553,9 +554,15 @@ xfs_setattr_nonsize(
if (XFS_FORCED_SHUTDOWN(mp))
return XFS_ERROR(EIO);

- error = -inode_change_ok(inode, iattr);
- if (error)
- return XFS_ERROR(error);
+ /*
+ * dentry can be NULL only when we're called from xfs_inherit_acl(),
+ * in which case no permission checks are needed
+ */
+ if (dentry) {
+ error = -setattr_prepare(dentry, iattr);
+ if (error)
+ return XFS_ERROR(error);
+ }

ASSERT((mask & ATTR_SIZE) == 0);

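Review bot: the `if (dentry)` guard turns a missing dentry into a silent skip of the permission check, with only the comment to say that xfs_inherit_acl() is the sole permitted caller; a caller that passes NULL by mistake gets neither the check nor a diagnostic. Make the invariant checkable rather than documented: either a dedicated XFS_ATTR_* flag (the flag list is in fs/xfs/xfs_vnodeops.h in this patch) set only on the inherit path, with an `ASSERT` that a NULL dentry is accompanied by it, or at least an ASSERT that the NULL case never carries ATTR_UID/ATTR_GID, which are exactly the attributes the skipped check guards.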
@@ -755,12 +762,13 @@ out_dqrele:
*/
int
xfs_setattr_size(
- struct xfs_inode *ip,
+ struct dentry *dentry,
struct iattr *iattr,
int flags)
{
+ struct inode *inode = dentry->d_inode;
+ struct xfs_inode *ip = XFS_I(inode);
struct xfs_mount *mp = ip->i_mount;
- struct inode *inode = VFS_I(ip);
int mask = iattr->ia_valid;
struct xfs_trans *tp;
int error;
@@ -776,7 +784,7 @@ xfs_setattr_size(
if (XFS_FORCED_SHUTDOWN(mp))
return XFS_ERROR(EIO);

- error = -inode_change_ok(inode, iattr);
+ error = -setattr_prepare(dentry, iattr);
if (error)
return XFS_ERROR(error);

@@ -802,7 +810,7 @@ xfs_setattr_size(
*/
xfs_iunlock(ip, lock_flags);
iattr->ia_valid &= ~ATTR_SIZE;
- return xfs_setattr_nonsize(ip, iattr, 0);
+ return xfs_setattr_nonsize(dentry, ip, iattr, 0);
}

/*
@@ -950,8 +958,8 @@ xfs_vn_setattr(
struct iattr *iattr)
{
if (iattr->ia_valid & ATTR_SIZE)
- return -xfs_setattr_size(XFS_I(dentry->d_inode), iattr, 0);
- return -xfs_setattr_nonsize(XFS_I(dentry->d_inode), iattr, 0);
+ return -xfs_setattr_size(dentry, iattr, 0);
+ return -xfs_setattr_nonsize(dentry, XFS_I(dentry->d_inode), iattr, 0);
}

#define XFS_FIEMAP_FLAGS (FIEMAP_FLAG_SYNC|FIEMAP_FLAG_XATTR)
--- a/fs/xfs/xfs_vnodeops.c
+++ b/fs/xfs/xfs_vnodeops.c
@@ -2234,12 +2234,13 @@ xfs_free_file_space(
*/
int
xfs_change_file_space(
- xfs_inode_t *ip,
+ struct dentry *dentry,
int cmd,
xfs_flock64_t *bf,
xfs_off_t offset,
int attr_flags)
{
+ xfs_inode_t *ip = XFS_I(dentry->d_inode);
xfs_mount_t *mp = ip->i_mount;
int clrprealloc;
int error;
@@ -2329,7 +2330,7 @@ xfs_change_file_space(
iattr.ia_valid = ATTR_SIZE;
iattr.ia_size = startoffset;

- error = xfs_setattr_size(ip, &iattr, attr_flags);
+ error = xfs_setattr_size(dentry, &iattr, attr_flags);

if (error)
return error;
--- a/fs/xfs/xfs_vnodeops.h
+++ b/fs/xfs/xfs_vnodeops.h
@@ -13,8 +13,9 @@ struct xfs_inode;
struct xfs_iomap;


-int xfs_setattr_nonsize(struct xfs_inode *ip, struct iattr *vap, int flags);
-int xfs_setattr_size(struct xfs_inode *ip, struct iattr *vap, int flags);
+int xfs_setattr_nonsize(struct dentry *dentry, struct xfs_inode *ip,
+ struct iattr *vap, int flags);
+int xfs_setattr_size(struct dentry *dentry, struct iattr *vap, int flags);
#define XFS_ATTR_DMI 0x01 /* invocation from a DMI function */
#define XFS_ATTR_NONBLOCK 0x02 /* return EAGAIN if operation would block */
#define XFS_ATTR_NOLOCK 0x04 /* Don't grab any conflicting locks */
@@ -37,7 +38,7 @@ int xfs_readdir(struct xfs_inode *dp, vo
int xfs_symlink(struct xfs_inode *dp, struct xfs_name *link_name,
const char *target_path, mode_t mode, struct xfs_inode **ipp);
int xfs_set_dmattrs(struct xfs_inode *ip, u_int evmask, u_int16_t state);
-int xfs_change_file_space(struct xfs_inode *ip, int cmd,
+int xfs_change_file_space(struct dentry *dentry, int cmd,
xfs_flock64_t *bf, xfs_off_t offset, int attr_flags);
int xfs_rename(struct xfs_inode *src_dp, struct xfs_name *src_name,
struct xfs_inode *src_ip, struct xfs_inode *target_dp,
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2615,7 +2615,7 @@ extern int buffer_migrate_page(struct ad
#define buffer_migrate_page NULL
#endif

-extern int inode_change_ok(const struct inode *, struct iattr *);
+extern int setattr_prepare(struct dentry *, struct iattr *);
extern int inode_newsize_ok(const struct inode *, loff_t offset);
extern void setattr_copy(struct inode *inode, const struct iattr *attr);

--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -562,7 +562,7 @@ static int shmem_setattr(struct dentry *
struct inode *inode = dentry->d_inode;
int error;

- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;


2016-11-14 02:10:29

by Ben Hutchings

Subject: [PATCH 3.2 137/152] can: dev: fix deadlock reported after bus-off

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Miroshnichenko <[email protected]>

commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 upstream.

A timer was used to restart after the bus-off state, leading to a
relatively large can_restart() executed in an interrupt context,
which in turn sets up pinctrl. When this happens during system boot,
there is a high probability of grabbing the pinctrl_list_mutex,
which is locked already by the probe() of another device, making the
kernel suspect a deadlock condition [1].

To resolve this issue, the restart_timer is replaced by a delayed
work.

[1] https://github.com/victronenergy/venus/issues/24

Signed-off-by: Sergei Miroshnichenko <[email protected]>
Signed-off-by: Marc Kleine-Budde <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/can/dev.c | 27 +++++++++++++++++----------
include/linux/can/dev.h | 3 ++-
2 files changed, 19 insertions(+), 11 deletions(-)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <linux/netdevice.h>
#include <linux/if_arp.h>
+#include <linux/workqueue.h>
#include <linux/can.h>
#include <linux/can/dev.h>
#include <linux/can/netlink.h>
@@ -361,9 +362,8 @@ EXPORT_SYMBOL_GPL(can_free_echo_skb);
/*
* CAN device restart for bus-off recovery
*/
-void can_restart(unsigned long data)
+void can_restart(struct net_device *dev)
{
- struct net_device *dev = (struct net_device *)data;
struct can_priv *priv = netdev_priv(dev);
struct net_device_stats *stats = &dev->stats;
struct sk_buff *skb;
@@ -403,6 +403,14 @@ restart:
dev_err(dev->dev.parent, "Error %d during restart", err);
}

+static void can_restart_work(struct work_struct *work)
+{
+ struct delayed_work *dwork = to_delayed_work(work);
+ struct can_priv *priv = container_of(dwork, struct can_priv, restart_work);
+
+ can_restart(priv->dev);
+}
+
int can_restart_now(struct net_device *dev)
{
struct can_priv *priv = netdev_priv(dev);
@@ -416,8 +424,8 @@ int can_restart_now(struct net_device *d
if (priv->state != CAN_STATE_BUS_OFF)
return -EBUSY;

- /* Runs as soon as possible in the timer context */
- mod_timer(&priv->restart_timer, jiffies);
+ cancel_delayed_work_sync(&priv->restart_work);
+ can_restart(dev);

return 0;
}
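Review bot: the removed comment ("Runs as soon as possible in the timer context") is not replaced, and the new code changes the execution model: `cancel_delayed_work_sync()` may sleep, and `can_restart(dev)` now runs synchronously in the caller's context instead of being deferred. Add a comment stating that can_restart_now() must be called from process context and is now a sleeping call, so nobody reintroduces a call from an atomic path later.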
@@ -439,8 +447,8 @@ void can_bus_off(struct net_device *dev)
priv->can_stats.bus_off++;

if (priv->restart_ms)
- mod_timer(&priv->restart_timer,
- jiffies + (priv->restart_ms * HZ) / 1000);
+ schedule_delayed_work(&priv->restart_work,
+ msecs_to_jiffies(priv->restart_ms));
}
EXPORT_SYMBOL_GPL(can_bus_off);

@@ -515,6 +523,7 @@ struct net_device *alloc_candev(int size
return NULL;

priv = netdev_priv(dev);
+ priv->dev = dev;

if (echo_skb_max) {
priv->echo_skb_max = echo_skb_max;
@@ -524,7 +533,7 @@ struct net_device *alloc_candev(int size

priv->state = CAN_STATE_STOPPED;

- init_timer(&priv->restart_timer);
+ INIT_DELAYED_WORK(&priv->restart_work, can_restart_work);

return dev;
}
@@ -558,8 +567,6 @@ int open_candev(struct net_device *dev)
if (!netif_carrier_ok(dev))
netif_carrier_on(dev);

- setup_timer(&priv->restart_timer, can_restart, (unsigned long)dev);
-
return 0;
}
EXPORT_SYMBOL_GPL(open_candev);
@@ -574,7 +581,7 @@ void close_candev(struct net_device *dev
{
struct can_priv *priv = netdev_priv(dev);

- del_timer_sync(&priv->restart_timer);
+ cancel_delayed_work_sync(&priv->restart_work);
can_flush_echo_skb(dev);
}
EXPORT_SYMBOL_GPL(close_candev);
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -30,6 +30,7 @@ enum can_mode {
* CAN common private data
*/
struct can_priv {
+ struct net_device *dev;
struct can_device_stats can_stats;

struct can_bittiming bittiming;
@@ -41,7 +42,7 @@ struct can_priv {
u32 ctrlmode_supported;

int restart_ms;
- struct timer_list restart_timer;
+ struct delayed_work restart_work;

int (*do_set_bittiming)(struct net_device *dev);
int (*do_set_mode)(struct net_device *dev, enum can_mode mode);

2016-11-14 02:10:53

by Ben Hutchings

Subject: [PATCH 3.2 136/152] btrfs: ensure that file descriptor used with subvol ioctls is a dir

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <[email protected]>

commit 325c50e3cebb9208009083e841550f98a863bfa0 upstream.

If the subvol/snapshot create/destroy ioctls are passed a regular file
with execute permissions set, we'll eventually Oops while trying to do
inode->i_op->lookup via lookup_one_len.

This patch ensures that the file descriptor refers to a directory.

Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules)
Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl)
Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Chris Mason <[email protected]>
[bwh: Backported to 3.2:
- Open-code file_inode()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/btrfs/ioctl.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1302,6 +1302,9 @@ static noinline int btrfs_ioctl_snap_cre
int namelen;
int ret = 0;

+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
if (root->fs_info->sb->s_flags & MS_RDONLY)
return -EROFS;

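Review bot: the `S_ISDIR(file->f_dentry->d_inode->i_mode)` test is open-coded identically in three ioctl handlers in this patch; a small static helper would keep the three sites in sync (upstream uses file_inode(), which the backport note says is open-coded here). The placement is right: the check precedes the MS_RDONLY test and every memdup_user(), so a non-directory descriptor is rejected before any allocation or user copy.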
@@ -1350,6 +1353,9 @@ static noinline int btrfs_ioctl_snap_cre
struct btrfs_ioctl_vol_args *vol_args;
int ret;

+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
@@ -1372,6 +1378,9 @@ static noinline int btrfs_ioctl_snap_cre
u64 *ptr = NULL;
bool readonly = false;

+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
@@ -1848,6 +1857,9 @@ static noinline int btrfs_ioctl_snap_des
int ret;
int err = 0;

+ if (!S_ISDIR(dir->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);

2016-11-14 02:10:58

by Ben Hutchings

Subject: [PATCH 3.2 135/152] i2c-eg20t: fix race between i2c init and interrupt enable

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Yadi.hu" <[email protected]>

commit 371a015344b6e270e7e3632107d9554ec6d27a6b upstream.

The eg20t driver calls request_irq() before pch_base_address, the
base address of the i2c controller's registers, is assigned an effective value.

There is one possible scenario in which an interrupt that isn't from the eg20t
arrives immediately after request_irq() is executed, when the i2c controller
shares an interrupt number with others. Since the interrupt handler
pch_i2c_handler() is already active as a shared action, it will be called
and will read its own register to determine whether this interrupt is from itself.

At that moment, since the base address of the i2c registers is not remapped
into kernel space yet, the INT handler will access an illegal address
and an error occurs.

Signed-off-by: Yadi.hu <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/i2c/busses/i2c-eg20t.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/i2c/busses/i2c-eg20t.c
+++ b/drivers/i2c/busses/i2c-eg20t.c
@@ -893,13 +893,6 @@ static int __devinit pch_i2c_probe(struc
/* Set the number of I2C channel instance */
adap_info->ch_num = id->driver_data;

- ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
- KBUILD_MODNAME, adap_info);
- if (ret) {
- pch_pci_err(pdev, "request_irq FAILED\n");
- goto err_request_irq;
- }
-
for (i = 0; i < adap_info->ch_num; i++) {
pch_adap = &adap_info->pch_data[i].pch_adapter;
adap_info->pch_i2c_suspended = false;
@@ -916,6 +909,17 @@ static int __devinit pch_i2c_probe(struc
adap_info->pch_data[i].pch_base_address = base_addr + 0x100 * i;

pch_adap->dev.parent = &pdev->dev;
+ }
+
+ ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
+ KBUILD_MODNAME, adap_info);
+ if (ret) {
+ pch_pci_err(pdev, "request_irq FAILED\n");
+ goto err_request_irq;
+ }
+
+ for (i = 0; i < adap_info->ch_num; i++) {
+ pch_adap = &adap_info->pch_data[i].pch_adapter;

pch_i2c_init(&adap_info->pch_data[i]);
ret = i2c_add_adapter(pch_adap);
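Review bot: moving request_irq() after the loop that fills `pch_base_address` is the right fix for the race, but it changes what `goto err_request_irq` must unwind: the label used to be reached before any per-channel setup, and is now reached after the base addresses and `dev.parent` have been assigned. Confirm that the err_request_irq path (outside this hunk) still matches the new ordering, and add a comment above the request_irq() call saying it must stay after the base-address setup because pch_i2c_handler() is shared and may fire immediately.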

2016-11-14 02:11:01

by Ben Hutchings

Subject: [PATCH 3.2 014/152] ppp: defer netns reference release for ppp channel

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: WANG Cong <[email protected]>

commit 205e1e255c479f3fd77446415706463b282f94e4 upstream.

Matt reported that we have a NULL pointer dereference
in ppp_pernet() from ppp_connect_channel(),
i.e. pch->chan_net is NULL.

This is because a parallel ppp_unregister_channel()
could happen while we are in ppp_connect_channel(), during
which pch->chan_net is set to NULL. Since we need a reference
to net per channel, it makes sense to sync the refcnt
with the lifetime of the channel; therefore we should
release this reference when we destroy it.

Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
Reported-by: Matt Bennett <[email protected]>
Cc: Paul Mackerras <[email protected]>
Cc: [email protected]
Cc: Guillaume Nault <[email protected]>
Cc: Cyrill Gorcunov <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Reviewed-by: Cyrill Gorcunov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ppp/ppp_generic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2275,8 +2275,6 @@ ppp_unregister_channel(struct ppp_channe
spin_lock_bh(&pn->all_channels_lock);
list_del(&pch->list);
spin_unlock_bh(&pn->all_channels_lock);
- put_net(pch->chan_net);
- pch->chan_net = NULL;

pch->file.dead = 1;
wake_up_interruptible(&pch->file.rwait);
@@ -2883,6 +2881,9 @@ ppp_disconnect_channel(struct channel *p
*/
static void ppp_destroy_channel(struct channel *pch)
{
+ put_net(pch->chan_net);
+ pch->chan_net = NULL;
+
atomic_dec(&channel_count);

if (!pch->file.dead) {
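Review bot: with put_net() moved out of ppp_unregister_channel() into ppp_destroy_channel(), the netns reference now lives as long as the channel object, so every path that frees a `struct channel` must go through ppp_destroy_channel(); any other free path would now leak the reference and keep the netns alive forever. Please state in the commit message that this is the only free path in the 3.2 tree, since the hunk itself cannot show it.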

2016-11-14 02:11:38

by Ben Hutchings

Subject: [PATCH 3.2 105/152] crypto: skcipher - Fix blkcipher walk OOM crash

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <[email protected]>

commit acdb04d0b36769b3e05990c488dc74d8b7ac8060 upstream.

When we need to allocate a temporary blkcipher_walk_next and it
fails, the code is supposed to take the slow path of processing
the data block by block. However, due to an unrelated change
we instead end up dereferencing the NULL pointer.

This patch fixes it by moving the unrelated bsize setting out
of the way so that we enter the slow path as intended.

Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
Reported-by: xiakaixu <[email protected]>
Reported-by: Ard Biesheuvel <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Tested-by: Ard Biesheuvel <[email protected]>
[bwh: Backported to 3.2: s/walk_blocksize/blocksize/]
Signed-off-by: Ben Hutchings <[email protected]>
---
crypto/blkcipher.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -238,6 +238,8 @@ static int blkcipher_walk_next(struct bl
return blkcipher_walk_done(desc, walk, -EINVAL);
}

+ bsize = min(walk->blocksize, n);
+
walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
BLKCIPHER_WALK_DIFF);
if (!scatterwalk_aligned(&walk->in, alignmask) ||
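Review bot: `bsize = min(walk->blocksize, n);` now runs before the alignment check that can fall back to the slow path, which is what the fix needs, but nothing in the code says why it must stay there. Add a short comment that the slow path below depends on bsize already being set, so the line is not moved back after the alignment block in a later cleanup; the commit message says that exact reordering produced the NULL dereference.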
@@ -250,7 +252,6 @@ static int blkcipher_walk_next(struct bl
}
}

- bsize = min(walk->blocksize, n);
n = scatterwalk_clamp(&walk->in, n);
n = scatterwalk_clamp(&walk->out, n);


2016-11-14 02:11:46

by Ben Hutchings

Subject: [PATCH 3.2 127/152] USB: change bInterval default to 10 ms

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.

Some full-speed mceusb infrared transceivers contain invalid endpoint
descriptors for their interrupt endpoints, with bInterval set to 0.
In the past they have worked out okay with the mceusb driver, because
the driver sets the bInterval field in the descriptor to 1,
overwriting whatever value may have been there before. However, this
approach was never sanctioned by the USB core, and in fact it does not
work with xHCI controllers, because they use the bInterval value that
was present when the configuration was installed.

Currently usbcore uses 32 ms as the default interval if the value in
the endpoint descriptor is invalid. It turns out that these IR
transceivers don't work properly unless the interval is set to 10 ms
or below. To work around this mceusb problem, this patch changes the
endpoint-descriptor parsing routine, making the default interval value
be 10 ms rather than 32 ms.

Signed-off-by: Alan Stern <[email protected]>
Tested-by: Wade Berrier <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/config.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -213,8 +213,10 @@ static int usb_parse_endpoint(struct dev
memcpy(&endpoint->desc, d, n);
INIT_LIST_HEAD(&endpoint->urb_list);

- /* Fix up bInterval values outside the legal range. Use 32 ms if no
- * proper value can be guessed. */
+ /*
+ * Fix up bInterval values outside the legal range.
+ * Use 10 or 8 ms if no proper value can be guessed.
+ */
i = 0; /* i = min, j = max, n = default */
j = 255;
if (usb_endpoint_xfer_int(d)) {
@@ -222,13 +224,15 @@ static int usb_parse_endpoint(struct dev
switch (to_usb_device(ddev)->speed) {
case USB_SPEED_SUPER:
case USB_SPEED_HIGH:
- /* Many device manufacturers are using full-speed
+ /*
+ * Many device manufacturers are using full-speed
* bInterval values in high-speed interrupt endpoint
- * descriptors. Try to fix those and fall back to a
- * 32 ms default value otherwise. */
+ * descriptors. Try to fix those and fall back to an
+ * 8-ms default value otherwise.
+ */
n = fls(d->bInterval*8);
if (n == 0)
- n = 9; /* 32 ms = 2^(9-1) uframes */
+ n = 7; /* 8 ms = 2^(7-1) uframes */
j = 16;

/*
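Review bot: the new comment should say why the high-speed fallback is 8 ms when the commit message talks about 10 ms: high-speed interrupt intervals are powers of two in 125 us microframes, so `n = 7` (2^(7-1) = 64 uframes = 8 ms) is the closest representable value at or below 10 ms. The fallback is reached only when `fls(d->bInterval*8)` returns 0, i.e. when the descriptor carries bInterval == 0, which is exactly the mceusb case described.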
@@ -243,10 +247,12 @@ static int usb_parse_endpoint(struct dev
}
break;
default: /* USB_SPEED_FULL or _LOW */
- /* For low-speed, 10 ms is the official minimum.
+ /*
+ * For low-speed, 10 ms is the official minimum.
* But some "overclocked" devices might want faster
- * polling so we'll allow it. */
- n = 32;
+ * polling so we'll allow it.
+ */
+ n = 10;
break;
}
} else if (usb_endpoint_xfer_isoc(d)) {
@@ -254,10 +260,10 @@ static int usb_parse_endpoint(struct dev
j = 16;
switch (to_usb_device(ddev)->speed) {
case USB_SPEED_HIGH:
- n = 9; /* 32 ms = 2^(9-1) uframes */
+ n = 7; /* 8 ms = 2^(7-1) uframes */
break;
default: /* USB_SPEED_FULL */
- n = 6; /* 32 ms = 2^(6-1) frames */
+ n = 4; /* 8 ms = 2^(4-1) frames */
break;
}
}

2016-11-14 02:11:43

by Ben Hutchings

Subject: [PATCH 3.2 128/152] IB/ipoib: Don't allow MC joins during light MC flush

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Vesker <[email protected]>

commit 344bacca8cd811809fc33a249f2738ab757d327f upstream.

This fix solves a race between light flush and on-the-fly joins.
Light flush doesn't set the device to down and unset the IPOIB_OPER_UP
flag; this means that if, while flushing, we have a MC join in progress
and the QP was attached to the BC MGID, we can have mismatches when
re-attaching a QP to the BC MGID.

The light flush would set the broadcast group to NULL, causing an
on-the-fly join to rejoin and reattach to the BC MCG as well as adding
the BC MGID to the multicast list. The flush process would later on
remove the BC MGID and detach it from the QP. On the next flush
the BC MGID is present in the multicast list but not found when trying
to detach it because of the previous double attach and single detach.

[18332.714265] ------------[ cut here ]------------
[18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core]
...
[18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
[18332.779411] 0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000
[18332.784960] 0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300
[18332.790547] ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280
[18332.796199] Call Trace:
[18332.798015] [<ffffffff813fed47>] dump_stack+0x63/0x8c
[18332.801831] [<ffffffff8109add1>] __warn+0xd1/0xf0
[18332.805403] [<ffffffff8109aebd>] warn_slowpath_null+0x1d/0x20
[18332.809706] [<ffffffffa025d90f>] ib_dealloc_pd+0xff/0x120 [ib_core]
[18332.814384] [<ffffffffa04f3d7c>] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib]
[18332.820031] [<ffffffffa04ed648>] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib]
[18332.825220] [<ffffffffa04e62c8>] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib]
[18332.830290] [<ffffffffa04e656f>] ipoib_uninit+0x2f/0x40 [ib_ipoib]
[18332.834911] [<ffffffff81772a8a>] rollback_registered_many+0x1aa/0x2c0
[18332.839741] [<ffffffff81772bd1>] rollback_registered+0x31/0x40
[18332.844091] [<ffffffff81773b18>] unregister_netdevice_queue+0x48/0x80
[18332.848880] [<ffffffffa04f489b>] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib]
[18332.853848] [<ffffffffa04df1cd>] delete_child+0x7d/0xf0 [ib_ipoib]
[18332.858474] [<ffffffff81520c08>] dev_attr_store+0x18/0x30
[18332.862510] [<ffffffff8127fe4a>] sysfs_kf_write+0x3a/0x50
[18332.866349] [<ffffffff8127f4e0>] kernfs_fop_write+0x120/0x170
[18332.870471] [<ffffffff81207198>] __vfs_write+0x28/0xe0
[18332.874152] [<ffffffff810e09bf>] ? percpu_down_read+0x1f/0x50
[18332.878274] [<ffffffff81208062>] vfs_write+0xa2/0x1a0
[18332.881896] [<ffffffff812093a6>] SyS_write+0x46/0xa0
[18332.885632] [<ffffffff810039b7>] do_syscall_64+0x57/0xb0
[18332.889709] [<ffffffff81883321>] entry_SYSCALL64_slow_path+0x25/0x25
[18332.894727] ---[ end trace 09ebbe31f831ef17 ]---

Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events")
Signed-off-by: Alex Vesker <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -973,8 +973,17 @@ static void __ipoib_ib_dev_flush(struct
}

if (level == IPOIB_FLUSH_LIGHT) {
+ int oper_up;
ipoib_mark_paths_invalid(dev);
+ /* Set IPoIB operation as down to prevent races between:
+ * the flush flow which leaves MCG and on the fly joins
+ * which can happen during that time. mcast restart task
+ * should deal with join requests we missed.
+ */
+ oper_up = test_and_clear_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
ipoib_mcast_dev_flush(dev);
+ if (oper_up)
+ set_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
}

if (level >= IPOIB_FLUSH_NORMAL)
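Review bot: kernel coding style wants a blank line between the `int oper_up;` declaration and the `ipoib_mark_paths_invalid(dev);` call that follows it. The `test_and_clear_bit()` / `set_bit()` pair restores IPOIB_FLAG_OPER_UP only if it was set on entry, so a device that was already down stays down; the comment could also spell out that the flag is cleared before `ipoib_mcast_dev_flush()` precisely so that joins arriving mid-flush are refused and left to the mcast restart task.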

2016-11-14 02:12:35

by Ben Hutchings

Subject: [PATCH 3.2 117/152] score: fix __get_user/get_user

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream.

* should zero on any failure
* __get_user() should use __copy_from_user(), not copy_from_user()

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/score/include/asm/uaccess.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -158,7 +158,7 @@ do { \
__get_user_asm(val, "lw", ptr); \
break; \
case 8: \
- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \
+ if (__copy_from_user((void *)&val, ptr, 8) == 0) \
__gu_err = 0; \
else \
__gu_err = -EFAULT; \
@@ -183,6 +183,8 @@ do { \
\
if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \
__get_user_common((x), size, __gu_ptr); \
+ else \
+ (x) = 0; \
\
__gu_err; \
})
@@ -196,6 +198,7 @@ do { \
"2:\n" \
".section .fixup,\"ax\"\n" \
"3:li %0, %4\n" \
+ "li %1, 0\n" \
"j 2b\n" \
".previous\n" \
".section __ex_table,\"a\"\n" \

2016-11-14 02:12:46

by Ben Hutchings

Subject: [PATCH 3.2 121/152] sparc32: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream.

Acked-by: David S. Miller <[email protected]>
Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/sparc/include/asm/uaccess_32.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -264,8 +264,10 @@ static inline unsigned long copy_from_us
{
if (n && __access_ok((unsigned long) from, n))
return __copy_user((__force void __user *) to, from, n);
- else
+ else {
+ memset(to, 0, n);
return n;
+ }
}

static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
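Review bot: the `else {` branch now has braces while the `if` branch does not; kernel coding style asks for braces on both branches in that case (`if (...) {` / `} else {`). Behaviourally the `memset(to, 0, n)` also runs when `n == 0`, where it is a no-op, so the zero-length case is unaffected and the access_ok failure is the only one that changes.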

2016-11-14 02:12:39

by Ben Hutchings

Subject: [PATCH 3.2 002/152] powerpc/numa: Fix multiple bugs in memory_hotplug_max()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bharata B Rao <[email protected]>

commit 45b64ee64970dee9392229302efe1d1567e8d304 upstream.

memory_hotplug_max() uses hot_add_drconf_memory_max() to get the maximum
addressable memory by referring to the ibm,dynamic-memory property. There
are three problems with the current approach:

1 hot_add_drconf_memory_max() assumes that ibm,dynamic-memory includes
all the LMBs of the guest, but that is not true for PowerKVM which
populates only DR LMBs (LMBs that can be hotplugged/removed) in that
property.
2 hot_add_drconf_memory_max() multiplies lmb-size with lmb-count to arrive
at the max possible address. Since ibm,dynamic-memory doesn't include
RMA LMBs, the address thus obtained will be less than the actual max
address. For example, if max possible memory size is 32G, with lmb-size
of 256MB there can be 127 LMBs in ibm,dynamic-memory (1 LMB for RMA
which won't be present here). hot_add_drconf_memory_max() would then
return the max addressable memory as 127 * 256MB = 31.75GB, the max
address should have been 32G which is what ibm,lrdr-capacity shows.
3 In PowerKVM, there can be a gap between the end of boot time RAM and
beginning of hotplug RAM area. So just multiplying lmb-count with
lmb-size will not provide the correct max possible address for PowerKVM.

This patch fixes 1 by using the ibm,lrdr-capacity property to return the max
addressable memory whenever the property is present. Then it fixes 2 & 3
by fetching the address of the last LMB in the ibm,dynamic-memory property.

Fixes: cd34206e949b ("powerpc: Add memory_hotplug_max()")
Signed-off-by: Bharata B Rao <[email protected]>
Reviewed-by: David Gibson <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/powerpc/mm/numa.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)

--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -1275,17 +1275,33 @@ int hot_add_scn_to_nid(unsigned long scn
static u64 hot_add_drconf_memory_max(void)
{
struct device_node *memory = NULL;
+ struct device_node *dn = NULL;
unsigned int drconf_cell_cnt = 0;
u64 lmb_size = 0;
const u32 *dm = 0;
+ const __be64 *lrdr = NULL;
+ struct of_drconf_cell drmem;
+
+ dn = of_find_node_by_path("/rtas");
+ if (dn) {
+ lrdr = of_get_property(dn, "ibm,lrdr-capacity", NULL);
+ of_node_put(dn);
+ if (lrdr)
+ return be64_to_cpup(lrdr);
+ }

memory = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory");
if (memory) {
drconf_cell_cnt = of_get_drconf_memory(memory, &dm);
lmb_size = of_get_lmb_size(memory);
+
+ /* Advance to the last cell, each cell has 6 32 bit integers */
+ dm += (drconf_cell_cnt - 1) * 6;
+ read_drconf_cell(&drmem, &dm);
of_node_put(memory);
+ return drmem.base_addr + lmb_size;
}
- return lmb_size * drconf_cell_cnt;
+ return 0;
}

/*
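Review bot: `dm += (drconf_cell_cnt - 1) * 6;` has no guard for `drconf_cell_cnt == 0`; if `of_get_drconf_memory()` reports no cells, the pointer is moved backwards by six words and `read_drconf_cell()` reads outside the property, where the old code would simply have returned 0. Suggest wrapping the advance and the read in `if (drconf_cell_cnt) { ... }` so the function falls through to `return 0`, and replacing the literal 6 with a constant derived from `struct of_drconf_cell` so the stride and the cell layout cannot drift apart.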

2016-11-14 02:12:51

by Ben Hutchings

Subject: [PATCH 3.2 068/152] USB: serial: mos7720: fix non-atomic allocation in write path

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <[email protected]>

commit 5a5a1d614287a647b36dff3f40c2b0ceabbc83ec upstream.

There is an allocation with GFP_KERNEL flag in mos7720_write(),
while it may be called from interrupt context.

Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
allocation in write path")

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/mos7720.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1320,7 +1320,7 @@ static int mos7720_write(struct tty_stru

if (urb->transfer_buffer == NULL) {
urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
- GFP_KERNEL);
+ GFP_ATOMIC);
if (urb->transfer_buffer == NULL) {
dev_err(&port->dev, "%s no more kernel memory...\n",
__func__);
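Review bot: switching to GFP_ATOMIC removes the sleeping allocation from a path that can run in interrupt context, as the message says, but it also makes the `transfer_buffer == NULL` failure branch below more likely under memory pressure, since atomic allocations cannot reclaim. A follow-up could allocate `transfer_buffer` once when the port is opened so `mos7720_write()` does not allocate at all.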

2016-11-14 02:12:58

by Ben Hutchings

Subject: [PATCH 3.2 104/152] ARM: sa1111: fix pcmcia suspend/resume

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Russell King <[email protected]>

commit 06dfe5cc0cc684e735cb0232fdb756d30780b05d upstream.

SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for
the PCMCIA socket class. PCMCIA used to handle suspend/resume via the
socket hosting device, which happened at normal device suspend/resume
time.

However, the referenced commit changed this: much of the resume now
happens much earlier, in the noirq resume handler of dev_pm_ops.

However, on SA1111, the PCMCIA device is not accessible as the SA1111
has not been resumed at _noirq time. It's slightly worse than that,
because the SA1111 has already been put to sleep at _noirq time, so
suspend doesn't work properly.

Fix this by converting the core SA1111 code to use dev_pm_ops as well,
and performing its own suspend/resume at noirq time.

This fixes these errors in the kernel log:

pcmcia_socket pcmcia_socket0: time out after reset
pcmcia_socket pcmcia_socket1: time out after reset

and the resulting lack of PCMCIA cards after a S2RAM cycle.

Fixes: d7646f7632549 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class")
Signed-off-by: Russell King <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/common/sa1111.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)

--- a/arch/arm/common/sa1111.c
+++ b/arch/arm/common/sa1111.c
@@ -878,9 +878,9 @@ struct sa1111_save_data {

#ifdef CONFIG_PM

-static int sa1111_suspend(struct platform_device *dev, pm_message_t state)
+static int sa1111_suspend_noirq(struct device *dev)
{
- struct sa1111 *sachip = platform_get_drvdata(dev);
+ struct sa1111 *sachip = dev_get_drvdata(dev);
struct sa1111_save_data *save;
unsigned long flags;
unsigned int val;
@@ -938,9 +938,9 @@ static int sa1111_suspend(struct platfor
* restored by their respective drivers, and must be called
* via LDM after this function.
*/
-static int sa1111_resume(struct platform_device *dev)
+static int sa1111_resume_noirq(struct device *dev)
{
- struct sa1111 *sachip = platform_get_drvdata(dev);
+ struct sa1111 *sachip = dev_get_drvdata(dev);
struct sa1111_save_data *save;
unsigned long flags, id;
void __iomem *base;
@@ -956,7 +956,7 @@ static int sa1111_resume(struct platform
id = sa1111_readl(sachip->base + SA1111_SKID);
if ((id & SKID_ID_MASK) != SKID_SA1111_ID) {
__sa1111_remove(sachip);
- platform_set_drvdata(dev, NULL);
+ dev_set_drvdata(dev, NULL);
kfree(save);
return 0;
}
@@ -1002,8 +1002,8 @@ static int sa1111_resume(struct platform
}

#else
-#define sa1111_suspend NULL
-#define sa1111_resume NULL
+#define sa1111_suspend_noirq NULL
+#define sa1111_resume_noirq NULL
#endif

static int __devinit sa1111_probe(struct platform_device *pdev)
@@ -1037,6 +1037,11 @@ static int sa1111_remove(struct platform
return 0;
}

+static struct dev_pm_ops sa1111_pm_ops = {
+ .suspend_noirq = sa1111_suspend_noirq,
+ .resume_noirq = sa1111_resume_noirq,
+};
+
/*
* Not sure if this should be on the system bus or not yet.
* We really want some way to register a system device at
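Review bot: `sa1111_pm_ops` is never written after initialisation, so it should be `static const struct dev_pm_ops sa1111_pm_ops`, which also keeps the callback pointers out of writable data. When CONFIG_PM is off, the `#define ... NULL` lines in the previous hunk leave both members NULL, so the structure remains well-formed in that configuration.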
@@ -1049,10 +1054,9 @@ static int sa1111_remove(struct platform
static struct platform_driver sa1111_device_driver = {
.probe = sa1111_probe,
.remove = sa1111_remove,
- .suspend = sa1111_suspend,
- .resume = sa1111_resume,
.driver = {
.name = "sa1111",
+ .pm = &sa1111_pm_ops,
},
};


2016-11-14 02:12:55

by Ben Hutchings

Subject: [PATCH 3.2 073/152] tcp: fix use after free in tcp_xmit_retransmit_queue()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit bb1fceca22492109be12640d49f5ea5a544c6bb4 upstream.

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail().

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb).

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Ilpo Järvinen <[email protected]>
Cc: Yuchung Cheng <[email protected]>
Cc: Neal Cardwell <[email protected]>
Acked-by: Neal Cardwell <[email protected]>
Reviewed-by: Cong Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/net/tcp.h | 2 ++
1 file changed, 2 insertions(+)

--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1293,6 +1293,8 @@ static inline void tcp_check_send_head(s
{
if (sk->sk_send_head == skb_unlinked)
sk->sk_send_head = NULL;
+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
+ tcp_sk(sk)->highest_sack = NULL;
}

static inline void tcp_init_send_head(struct sock *sk)
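Review bot: clearing `highest_sack` to NULL rather than walking back to the previous skb is right for the case in the commit message: the unlinked skb was freshly allocated and never sent, so nothing beyond it could have been SACKed, and a NULL `highest_sack` makes `tcp_highest_sack_seq()` fall back to `tp->snd_nxt`, the value the message says the dangling pointer prevented. Because the check lives in `tcp_check_send_head()`, every caller that unlinks an skb picks it up without further changes.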

2016-11-14 02:12:43

by Ben Hutchings

Subject: [PATCH 3.2 148/152] posix_acl: Clear SGID bit when setting file permissions

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows bypassing the check in chmod(2). Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <[email protected]>
Reviewed-by: Jeff Layton <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Andreas Gruenbacher <[email protected]>
[bwh: Backported to 3.2:
- Drop changes to ceph, f2fs, hfsplus, orangefs
- Use capable() instead of capable_wrt_inode_uidgid()
- Update ext3 and generic_acl.c as well
- In gfs2, jfs, and xfs, take care to avoid leaking the allocated ACL if
posix_acl_update_mode() determines it's not needed
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -319,32 +319,26 @@ static int v9fs_xattr_set_acl(struct den
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- retval = posix_acl_equiv_mode(acl, &mode);
- if (retval < 0)
+ struct iattr iattr;
+
+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+ if (retval)
goto err_out;
- else {
- struct iattr iattr;
- if (retval == 0) {
- /*
- * ACL can be represented
- * by the mode bits. So don't
- * update ACL.
- */
- acl = NULL;
- value = NULL;
- size = 0;
- }
- /* Updte the mode bits */
- iattr.ia_mode = ((mode & S_IALLUGO) |
- (inode->i_mode & ~S_IALLUGO));
- iattr.ia_valid = ATTR_MODE;
- /* FIXME should we update ctime ?
- * What is the following setxattr update the
- * mode ?
+ if (!acl) {
+ /*
+ * ACL can be represented
+ * by the mode bits. So don't
+ * update ACL.
*/
- v9fs_vfs_setattr_dotl(dentry, &iattr);
+ value = NULL;
+ size = 0;
}
+ iattr.ia_valid = ATTR_MODE;
+ /* FIXME should we update ctime ?
+ * What is the following setxattr update the
+ * mode ?
+ */
+ v9fs_vfs_setattr_dotl(dentry, &iattr);
}
break;
case ACL_TYPE_DEFAULT:
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -118,11 +118,9 @@ static int btrfs_set_acl(struct btrfs_tr
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- ret = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (ret < 0)
+ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (ret)
return ret;
- if (ret == 0)
- acl = NULL;
}
ret = 0;
break;
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -194,15 +194,11 @@ ext2_set_acl(struct inode *inode, int ty
case ACL_TYPE_ACCESS:
name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = CURRENT_TIME_SEC;
- mark_inode_dirty(inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = CURRENT_TIME_SEC;
+ mark_inode_dirty(inode);
}
break;

--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -199,15 +199,11 @@ ext3_set_acl(handle_t *handle, struct in
case ACL_TYPE_ACCESS:
name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = CURRENT_TIME_SEC;
- ext3_mark_inode_dirty(handle, inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = CURRENT_TIME_SEC;
+ ext3_mark_inode_dirty(handle, inode);
}
break;

--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -198,15 +198,11 @@ ext4_set_acl(handle_t *handle, struct in
case ACL_TYPE_ACCESS:
name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = ext4_current_time(inode);
- ext4_mark_inode_dirty(handle, inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = ext4_current_time(inode);
+ ext4_mark_inode_dirty(handle, inode);
}
break;

--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
@@ -86,16 +86,17 @@ generic_acl_set(struct dentry *dentry, c
if (error)
goto failed;
switch (type) {
- case ACL_TYPE_ACCESS:
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ case ACL_TYPE_ACCESS: {
+ struct posix_acl *saved_acl = acl;
+
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
goto failed;
inode->i_ctime = CURRENT_TIME;
- if (error == 0) {
- posix_acl_release(acl);
- acl = NULL;
- }
break;
+ }
case ACL_TYPE_DEFAULT:
if (!S_ISDIR(inode->i_mode)) {
error = -EINVAL;
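Review bot: on the error path `saved_acl` is deliberately not released here, unlike the gfs2 and xfs hunks which use `if (error || acl == NULL)`, because `acl` is still non-NULL and the `failed` label (outside the hunk) is expected to release it; a one-line comment saying so would stop a later reader from "fixing" the asymmetry and introducing a double release. The `acl == NULL` release is safe because `posix_acl_update_mode()` clears `*acl` only after `posix_acl_equiv_mode()` returned 0.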
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -277,16 +277,14 @@ static int gfs2_xattr_system_set(struct
goto out_release;

if (type == ACL_TYPE_ACCESS) {
- umode_t mode = inode->i_mode;
- error = posix_acl_equiv_mode(acl, &mode);
+ struct posix_acl *saved_acl = acl;
+ umode_t mode;

- if (error <= 0) {
- posix_acl_release(acl);
- acl = NULL;
-
- if (error < 0)
- return error;
- }
+ error = posix_acl_update_mode(inode, &mode, &acl);
+ if (error || acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
+ return error;

error = gfs2_set_mode(inode, mode);
if (error)
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -227,9 +227,10 @@ static int jffs2_set_acl(struct inode *i
case ACL_TYPE_ACCESS:
xprefix = JFFS2_XPREFIX_ACL_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- rc = posix_acl_equiv_mode(acl, &mode);
- if (rc < 0)
+ umode_t mode;
+
+ rc = posix_acl_update_mode(inode, &mode, &acl);
+ if (rc)
return rc;
if (inode->i_mode != mode) {
struct iattr attr;
@@ -241,8 +242,6 @@ static int jffs2_set_acl(struct inode *i
if (rc < 0)
return rc;
}
- if (rc == 0)
- acl = NULL;
}
break;
case ACL_TYPE_DEFAULT:
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -693,9 +693,11 @@ static int can_set_system_xattr(struct i
return rc;
}
if (acl) {
- rc = posix_acl_equiv_mode(acl, &inode->i_mode);
+ struct posix_acl *dummy = acl;
+
+ rc = posix_acl_update_mode(inode, &inode->i_mode, &dummy);
posix_acl_release(acl);
- if (rc < 0) {
+ if (rc) {
printk(KERN_ERR
"posix_acl_equiv_mode returned %d\n",
rc);
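Review bot: the `printk(KERN_ERR "posix_acl_equiv_mode returned %d\n", rc)` message is now stale, since `rc` comes from `posix_acl_update_mode()`; update the string so log readers are not pointed at the wrong function. Passing `&dummy` rather than `&acl` keeps the unconditional `posix_acl_release(acl)` below valid even when the helper clears its argument, which is the leak the backport note mentions for jfs.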
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -247,14 +247,11 @@ static int ocfs2_set_acl(handle_t *handl
case ACL_TYPE_ACCESS:
name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- ret = posix_acl_equiv_mode(acl, &mode);
- if (ret < 0)
+ umode_t mode;
+ ret = posix_acl_update_mode(inode, &mode, &acl);
+ if (ret)
return ret;
else {
- if (ret == 0)
- acl = NULL;
-
ret = ocfs2_acl_set_mode(inode, di_bh,
handle, mode);
if (ret)
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -341,6 +341,36 @@ static int posix_acl_create_masq(struct
return not_equiv;
}

+/**
+ * posix_acl_update_mode - update mode in set_acl
+ *
+ * Update the file mode when setting an ACL: compute the new file permission
+ * bits based on the ACL. In addition, if the ACL is equivalent to the new
+ * file mode, set *acl to NULL to indicate that no ACL should be set.
+ *
+ * As with chmod, clear the setgit bit if the caller is not in the owning group
+ * or capable of CAP_FSETID (see inode_change_ok).
+ *
+ * Called from set_acl inode operations.
+ */
+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
+ struct posix_acl **acl)
+{
+ umode_t mode = inode->i_mode;
+ int error;
+
+ error = posix_acl_equiv_mode(*acl, &mode);
+ if (error < 0)
+ return error;
+ if (error == 0)
+ *acl = NULL;
+ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
+ mode &= ~S_ISGID;
+ *mode_p = mode;
+ return 0;
+}
+EXPORT_SYMBOL(posix_acl_update_mode);
+
/*
* Modify the ACL for the chmod syscall.
*/
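Review bot: typo in the new kerneldoc, `setgit` should be `setgid`. The backport substitutes `capable(CAP_FSETID)` for `capable_wrt_inode_uidgid()` as the bwh note says, matching the check the commit message attributes to `inode_change_ok()` in this tree, which keeps the chmod(2) and setxattr(2) paths consistent, the whole point of the fix. The doc block should also state the `*acl = NULL` convention callers must honour, since a caller that does not notice the cleared pointer leaks the ACL (the reason for the extra release calls in the gfs2, jfs and xfs hunks).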
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -272,13 +272,9 @@ reiserfs_set_acl(struct reiserfs_transac
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- if (error == 0)
- acl = NULL;
- }
}
break;
case ACL_TYPE_DEFAULT:
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -384,17 +384,14 @@ xfs_xattr_acl_set(struct dentry *dentry,
goto out_release;

if (type == ACL_TYPE_ACCESS) {
- umode_t mode = inode->i_mode;
- error = posix_acl_equiv_mode(acl, &mode);
-
- if (error <= 0) {
- posix_acl_release(acl);
- acl = NULL;
-
- if (error < 0)
- return error;
- }
+ struct posix_acl *saved_acl = acl;
+ umode_t mode;

+ error = posix_acl_update_mode(inode, &mode, &acl);
+ if (error || acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
+ return error;
error = xfs_set_mode(dentry, inode, mode);
if (error)
goto out_release;
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -83,6 +83,7 @@ extern struct posix_acl *posix_acl_from_
extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *);
extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t);
+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);

extern struct posix_acl *get_posix_acl(struct inode *, int);
extern int set_posix_acl(struct inode *, int, struct posix_acl *);

2016-11-14 02:14:23

by Ben Hutchings

Subject: [PATCH 3.2 022/152] net: ethoc: Fix early error paths

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <[email protected]>

commit 386512d18b268c6182903239f9f3390f03ce4c7b upstream.

In case any operation fails before we can successfully get to the point
where we would register an MDIO bus, we would be going to an error label
which involves unregistering then freeing this yet-to-be-created MDIO
bus. Update all error paths to go to label free, which is the only one
valid until either the clock is enabled, or the MDIO bus is allocated
and registered. This fixes a kernel oops observed while trying to
dereference the MDIO bus structure which is not yet allocated.

Fixes: a1702857724f ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
Signed-off-by: Florian Fainelli <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/ethoc.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/ethoc.c
+++ b/drivers/net/ethernet/ethoc.c
@@ -976,7 +976,7 @@ static int __devinit ethoc_probe(struct
if (!priv->iobase) {
dev_err(&pdev->dev, "cannot remap I/O memory space\n");
ret = -ENXIO;
- goto error;
+ goto free;
}

if (netdev->mem_end) {
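Review bot: the body of the `free` label is not in the hunk; since the commit message says it is the only valid target before the clock is enabled or the MDIO bus is registered, confirm it releases only what these early points have acquired (the netdev and any mapped regions) and never touches the not-yet-allocated MDIO bus. The same `goto error` to `goto free` change is repeated in the four following hunks, so one check of that label covers all five sites.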
@@ -985,7 +985,7 @@ static int __devinit ethoc_probe(struct
if (!priv->membase) {
dev_err(&pdev->dev, "cannot remap memory space\n");
ret = -ENXIO;
- goto error;
+ goto free;
}
} else {
/* Allocate buffer memory */
@@ -996,7 +996,7 @@ static int __devinit ethoc_probe(struct
dev_err(&pdev->dev, "cannot allocate %dB buffer\n",
buffer_size);
ret = -ENOMEM;
- goto error;
+ goto free;
}
netdev->mem_end = netdev->mem_start + buffer_size;
priv->dma_alloc = buffer_size;
@@ -1007,7 +1007,7 @@ static int __devinit ethoc_probe(struct
128, (netdev->mem_end - netdev->mem_start + 1) / ETHOC_BUFSIZ);
if (num_bd < 4) {
ret = -ENODEV;
- goto error;
+ goto free;
}
/* num_tx must be a power of two */
priv->num_tx = rounddown_pow_of_two(num_bd >> 1);
@@ -1019,7 +1019,7 @@ static int __devinit ethoc_probe(struct
priv->vma = devm_kzalloc(&pdev->dev, num_bd*sizeof(void*), GFP_KERNEL);
if (!priv->vma) {
ret = -ENOMEM;
- goto error;
+ goto free;
}

/* Allow the platform setup code to pass in a MAC address. */

2016-11-14 02:14:29

by Ben Hutchings

Subject: [PATCH 3.2 026/152] ext4: short-cut orphan cleanup on error

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit c65d5c6c81a1f27dec5f627f67840726fcd146de upstream.

If we encounter a filesystem error during orphan cleanup, we should stop.
Otherwise, we may end up in an infinite loop where the same inode is
processed again and again.

EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters
Aborting journal on device loop0-8.
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure
EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted
EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed!
[...]
EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed!
[...]
EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed!
[...]

See-also: c9eb13a9105 ("ext4: fix hang when processing corrupted orphaned inode list")
Cc: Jan Kara <[email protected]>
Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/super.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2246,6 +2246,16 @@ static void ext4_orphan_cleanup(struct s
while (es->s_last_orphan) {
struct inode *inode;

+ /*
+ * We may have encountered an error during cleanup; if
+ * so, skip the rest.
+ */
+ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
+ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n");
+ es->s_last_orphan = 0;
+ break;
+ }
+
inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
if (IS_ERR(inode)) {
es->s_last_orphan = 0;
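Review bot: the early exit logs only through `jbd_debug(1, ...)`, which is compiled out or silent on most production kernels, so an operator who hits this path sees the orphan list silently abandoned right after the error spew quoted in the changelog; consider `ext4_msg(sb, KERN_WARNING, ...)` for the skip message so the abandoned orphans are visible. Clearing `es->s_last_orphan` before `break` mirrors the `IS_ERR(inode)` path directly below, so the on-disk orphan pointer is dropped consistently in both cases.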

2016-11-14 02:14:27

by Ben Hutchings

Subject: [PATCH 3.2 028/152] USB: serial: option: add support for Telit LE910 PID 0x1206

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniele Palmas <[email protected]>

commit 3c0415fa08548e3bc63ef741762664497ab187ed upstream.

This patch adds support for 0x1206 PID of Telit LE910.

Since the interface positions are the same as the ones for
0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.

Signed-off-by: Daniele Palmas <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/option.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -273,6 +273,7 @@ static void option_instat_callback(struc
#define TELIT_PRODUCT_LE922_USBCFG3 0x1043
#define TELIT_PRODUCT_LE920 0x1200
#define TELIT_PRODUCT_LE910 0x1201
+#define TELIT_PRODUCT_LE910_USBCFG4 0x1206

/* ZTE PRODUCTS */
#define ZTE_VENDOR_ID 0x19d2
@@ -1193,6 +1194,8 @@ static const struct usb_device_id option
.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
.driver_info = (kernel_ulong_t)&telit_le920_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
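Review bot: the new LE910 entry reuses `telit_le922_blacklist_usbcfg3`, a blacklist named for a different product, and the define is called `TELIT_PRODUCT_LE910_USBCFG4` while the changelog only says "0x1206 PID of Telit LE910"; a trailing comment on the table line (same interface layout as LE922 USBCFG3) would keep that justification next to the code instead of only in the commit message.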

2016-11-14 02:14:26

by Ben Hutchings

Subject: [PATCH 3.2 106/152] asm-generic: make get_user() clear the destination on errors

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.

both for access_ok() failures and for faults halfway through

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
include/asm-generic/uaccess.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -221,13 +221,17 @@ extern int __put_user_bad(void) __attrib
might_sleep(); \
access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
__get_user(x, ptr) : \
- -EFAULT; \
+ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
})

static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
{
- size = __copy_from_user(x, ptr, size);
- return size ? -EFAULT : size;
+ size_t n = __copy_from_user(x, ptr, size);
+ if (unlikely(n)) {
+ memset(x + (size - n), 0, n);
+ return -EFAULT;
+ }
+ return 0;
}

extern int __get_user_bad(void) __attribute__((noreturn));
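Review bot: in `__get_user_fn`, `x + (size - n)` does pointer arithmetic on a `void *`, a GCC extension the kernel relies on elsewhere but worth a `(char *)` cast in a header that many architectures include; the same line also needs `memset()`, so `<linux/string.h>` has to be reachable from this header and the hunk adds no include. The arithmetic itself is right: `__copy_from_user()` returns the bytes not copied, so the first `size - n` bytes are valid and the remaining `n` are zeroed. In the `get_user` macro, the comma expression `((x) = (__typeof__(*(ptr)))0, -EFAULT)` keeps the macro's value as the error code while forcing `x` to a defined value, which is the access_ok() half of the contract the subject line describes.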

2016-11-14 02:14:22

by Ben Hutchings

Subject: [PATCH 3.2 049/152] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: James Hogan <[email protected]>

commit 68c5cf5a6091c2c3fabccfd42ca844d730ec24c6 upstream.

AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
for s390 at all even though ARCH_DLINFO can contain one NEW_AUX_ENT when
VDSO is enabled.

This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
AT_BASE_PLATFORM which s390 doesn't use, but lets define it now and add
the comment above ARCH_DLINFO as found in several other architectures to
remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
date.

Fixes: b020632e40c3 ("[S390] introduce vdso on s390")
Signed-off-by: James Hogan <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
Cc: Heiko Carstens <[email protected]>
Cc: [email protected]
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/s390/include/asm/elf.h | 1 +
arch/s390/include/asm/auxvec.h | 2 ++
2 files changed, 3 insertions(+)

--- a/arch/s390/include/asm/elf.h
+++ b/arch/s390/include/asm/elf.h
@@ -199,6 +199,7 @@ do { \

#define STACK_RND_MASK 0x7ffUL

+/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
#define ARCH_DLINFO \
do { \
if (vdso_enabled) \
--- a/arch/s390/include/asm/auxvec.h
+++ b/arch/s390/include/asm/auxvec.h
@@ -3,4 +3,6 @@

#define AT_SYSINFO_EHDR 33

+#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
+
#endif

2016-11-14 02:14:16

by Ben Hutchings

Subject: [PATCH 3.2 113/152] openrisc: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit acb2505d0119033a80c85ac8d02dccae41271667 upstream.

... that should zero on faults. Also remove the <censored> helpful
logics wrt range truncation copied from ppc32. Where it had ever
been needed only in case of copy_from_user() *and* had not been merged
into the mainline until a month after the need had disappeared.
A decade before openrisc went into mainline, I might add...

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/openrisc/include/asm/uaccess.h | 35 +++++++++++------------------------
1 file changed, 11 insertions(+), 24 deletions(-)

--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -274,28 +274,20 @@ __copy_tofrom_user(void *to, const void
static inline unsigned long
copy_from_user(void *to, const void *from, unsigned long n)
{
- unsigned long over;
+ unsigned long res = n;

- if (access_ok(VERIFY_READ, from, n))
- return __copy_tofrom_user(to, from, n);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + n - TASK_SIZE;
- return __copy_tofrom_user(to, from, n - over) + over;
- }
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ n = __copy_tofrom_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}

static inline unsigned long
copy_to_user(void *to, const void *from, unsigned long n)
{
- unsigned long over;
-
- if (access_ok(VERIFY_WRITE, to, n))
- return __copy_tofrom_user(to, from, n);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + n - TASK_SIZE;
- return __copy_tofrom_user(to, from, n - over) + over;
- }
+ if (likely(access_ok(VERIFY_WRITE, to, n)))
+ n = __copy_tofrom_user(to, from, n);
return n;
}

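Review bot: `copy_from_user` in this hunk is wrong as backported: `res` is initialised to `n` and then never updated, because the result of `__copy_tofrom_user()` is stored back into `n` instead. Every call therefore returns `res == n` (total failure) even when the copy succeeded, and because `res` is always non-zero the `memset(to + (n - res), 0, res)` runs with `n` now holding the bytes-not-copied count (0 on success), so it writes `n` bytes starting at `to - n`, before the destination buffer. The assignment should read `res = __copy_tofrom_user(to, from, n);` so that `res` holds the uncopied tail and `n - res` the number of bytes actually landed. `copy_to_user` in the same hunk is fine: it has no tail to zero and returns `n` untouched when `access_ok()` fails.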
@@ -304,13 +296,8 @@ extern unsigned long __clear_user(void *
static inline __must_check unsigned long
clear_user(void *addr, unsigned long size)
{
-
- if (access_ok(VERIFY_WRITE, addr, size))
- return __clear_user(addr, size);
- if ((unsigned long)addr < TASK_SIZE) {
- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
- return __clear_user(addr, size - over) + over;
- }
+ if (likely(access_ok(VERIFY_WRITE, addr, size)))
+ size = __clear_user(addr, size);
return size;
}


2016-11-14 02:14:12

by Ben Hutchings

Subject: [PATCH 3.2 122/152] blackfin: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/blackfin/include/asm/uaccess.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -194,11 +194,12 @@ static inline int bad_user_access_length
static inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long n)
{
- if (access_ok(VERIFY_READ, from, n))
+ if (likely(access_ok(VERIFY_READ, from, n))) {
memcpy(to, (const void __force *)from, n);
- else
- return n;
- return 0;
+ return 0;
+ }
+ memset(to, 0, n);
+ return n;
}

static inline unsigned long __must_check
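Review bot: zeroing the whole destination with `memset(to, 0, n)` is only correct because the copy here is a plain `memcpy()` that cannot fail part-way, so a failed `access_ok()` is the sole error case and no tail-only zeroing is needed; a one-line comment saying so would stop a future reader from "fixing" it to the partial-tail form used by the asm-generic and openrisc variants elsewhere in this series.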

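The three uaccess patches in this series (asm-generic `__get_user_fn`, openrisc `copy_from_user` and the blackfin `copy_from_user` just above) all enforce the same contract: on failure, the part of the kernel buffer that was not filled from user space is zeroed rather than left holding stale memory. The user-space C model below is an added example, not code from any of these patches or from the kernel; `sim_raw_copy`, `sim_fault_after` and `sim_access_ok` are constructed stand-ins for the arch copy primitive and `access_ok()`, and the 0xAA fill stands in for leftover kernel stack. It shows why the fix matters for information disclosure: a caller that ignores the return value, or copies the struct back out later, would otherwise hand stale kernel bytes to user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed test hooks: how many bytes the simulated user copy manages
 * before "faulting" (SIZE_MAX = no fault), and whether access_ok() passes. */
static size_t sim_fault_after = SIZE_MAX;
static int    sim_access_ok   = 1;

/* Stand-in for the arch primitive (__copy_from_user / __copy_tofrom_user):
 * copies what it can and returns the number of bytes NOT copied. */
static size_t sim_raw_copy(void *to, const void *from, size_t n)
{
    size_t copied = n < sim_fault_after ? n : sim_fault_after;
    memcpy(to, from, copied);
    return n - copied;
}

/* Pre-fix shape: the uncopied tail of 'to' keeps whatever was there. */
size_t copy_from_user_unfixed(void *to, const void *from, size_t n)
{
    if (!sim_access_ok)
        return n;
    return sim_raw_copy(to, from, n);
}

/* Fixed shape (the logic of the asm-generic and openrisc hunks): whatever
 * was not copied is zeroed, so 'to' never exposes stale kernel memory. */
size_t copy_from_user_fixed(void *to, const void *from, size_t n)
{
    size_t res = n;
    if (sim_access_ok)
        res = sim_raw_copy(to, from, n);
    if (res)
        memset((char *)to + (n - res), 0, res);
    return res;
}

#define KBUF_LEN 8

/* Run one copy into a kernel buffer pre-filled with 0xAA (stale data) and
 * report the bytes left uncopied and how many stale bytes survived. */
static size_t run_copy(int use_fixed, int access_ok, size_t fault_after,
                       int *stale_out)
{
    const unsigned char user_src[KBUF_LEN] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    unsigned char kbuf[KBUF_LEN];
    size_t left;
    int stale = 0;

    memset(kbuf, 0xAA, sizeof kbuf);
    sim_access_ok   = access_ok;
    sim_fault_after = fault_after;
    left = use_fixed ? copy_from_user_fixed(kbuf, user_src, sizeof kbuf)
                     : copy_from_user_unfixed(kbuf, user_src, sizeof kbuf);
    sim_access_ok   = 1;
    sim_fault_after = SIZE_MAX;

    for (size_t i = 0; i < sizeof kbuf; i++)
        if (kbuf[i] == 0xAA)
            stale++;
    *stale_out = stale;
    return left;
}

/* Bytes not copied for the given scenario. */
size_t leftover_after(int use_fixed, int access_ok, size_t fault_after)
{
    int stale;
    return run_copy(use_fixed, access_ok, fault_after, &stale);
}

/* Stale 0xAA bytes still visible in the kernel buffer afterwards. */
int stale_after(int use_fixed, int access_ok, size_t fault_after)
{
    int stale;
    run_copy(use_fixed, access_ok, fault_after, &stale);
    return stale;
}

int main(void)
{
    printf("fault after 3 of 8: unfixed leaves %d stale bytes, fixed leaves %d\n",
           stale_after(0, 1, 3), stale_after(1, 1, 3));
    printf("access_ok failure:  unfixed leaves %d stale bytes, fixed leaves %d\n",
           stale_after(0, 0, SIZE_MAX), stale_after(1, 0, SIZE_MAX));
    return 0;
}
```

Both variants report the same number of uncopied bytes; the difference is only in what the caller finds in the buffer afterwards, which is exactly what a `-EFAULT`-ignoring caller would leak.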
2016-11-14 02:15:57

by Ben Hutchings

Subject: [PATCH 3.2 143/152] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 upstream.

We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.

Reported-by: Marco Grassi <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Tomas Henzl <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
[bwh: Backported to 3.2:
- Adjust context
- Use literal 1032 instead of ARCMSR_API_DATA_BUFLEN]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -1803,7 +1803,8 @@ static int arcmsr_iop_message_xfer(struc

case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
unsigned char *ver_addr;
- int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
+ uint32_t user_len;
+ int32_t my_empty_len, wqbuf_firstindex, wqbuf_lastindex;
uint8_t *pQbuffer, *ptmpuserbuffer;

ver_addr = kmalloc(1032, GFP_ATOMIC);
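Review bot: splitting `user_len` out as `uint32_t` is what makes the bound added in the next hunk sound: with the old `int32_t`, a `Length` of 0xFFFFFFFF would be -1, pass a `> 1032` test, and then be converted to a huge `size_t` at the `memcpy()`; keeping the other three counters as `int32_t` is fine since they are not compared against the user-supplied length. A comment on the declaration noting that `user_len` comes from the ioctl caller would make the type choice self-explanatory.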
@@ -1820,6 +1821,11 @@ static int arcmsr_iop_message_xfer(struc
}
ptmpuserbuffer = ver_addr;
user_len = pcmdmessagefld->cmdmessage.Length;
+ if (user_len > 1032) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+ kfree(ver_addr);
+ goto message_out;
+ }
memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);
wqbuf_lastindex = acb->wqbuf_lastindex;
wqbuf_firstindex = acb->wqbuf_firstindex;
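Review bot: the bound `1032` now appears twice as a bare literal, in `kmalloc(1032, GFP_ATOMIC)` and in `if (user_len > 1032)`; since the backport note says `ARCMSR_API_DATA_BUFLEN` is not available in 3.2, a local `#define` in this file would keep the allocation size and the check from drifting apart. The failure path frees `ver_addr` before `goto message_out`, so the early exit does not leak the buffer.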

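Why the arcmsr hunk changes `user_len` to `uint32_t` as well as adding the bound is easiest to see with the comparison written out. The block below is an added example in user-space C, not code from the driver or the patch; `struct cmd_message`, `MSG_BUFLEN` and the helper names are constructed stand-ins for `pcmdmessagefld->cmdmessage.Length` and the 1032-byte `ver_addr` buffer. `check_signed` is a hypothetical half-fix (the bound without the type change), included only to show that a negative `int32_t` slips past it and becomes a huge `size_t` at the `memcpy()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUFLEN 1032   /* size of the kmalloc'd ver_addr buffer in the hunk */

/* Constructed model of the user-supplied message: the raw 32-bit Length
 * field as it arrives from the ioctl, followed by the payload area. */
struct cmd_message {
    uint32_t length_raw;
    uint8_t  data[MSG_BUFLEN];
};

/* The size memcpy() would receive when a signed int32_t length is passed
 * as its size_t argument: negative values become enormous. */
size_t memcpy_size_from_signed(uint32_t length_raw)
{
    int32_t user_len = (int32_t)length_raw;
    return (size_t)user_len;
}

/* Hypothetical half-fix: the bound check kept on the old int32_t type.
 * Returns 1 if the copy would proceed. */
int check_signed(uint32_t length_raw)
{
    int32_t user_len = (int32_t)length_raw;
    if (user_len > MSG_BUFLEN)
        return 0;
    return 1;  /* any negative user_len is accepted here */
}

/* The hunk's shape: unsigned length plus an upper bound. */
int check_unsigned(uint32_t length_raw)
{
    uint32_t user_len = length_raw;
    if (user_len > MSG_BUFLEN)
        return 0;
    return 1;
}

/* Full copy of a message into a fixed kernel-side buffer with the hunk's
 * check in front of the memcpy(). Returns bytes copied, or -1 if rejected. */
int copy_message(uint8_t dst[MSG_BUFLEN], const struct cmd_message *msg)
{
    uint32_t user_len = msg->length_raw;
    if (user_len > MSG_BUFLEN)
        return -1;
    memcpy(dst, msg->data, user_len);
    return (int)user_len;
}

/* Build a message claiming 'len' bytes and run it through copy_message(). */
int copy_message_of_length(uint32_t len)
{
    struct cmd_message msg;
    uint8_t kernel_buf[MSG_BUFLEN];
    memset(&msg, 0x41, sizeof msg);   /* constructed payload */
    msg.length_raw = len;
    return copy_message(kernel_buf, &msg);
}

int main(void)
{
    uint32_t huge = 0xFFFFFFFFu;
    printf("int32 check accepts 0x%08x: %d (memcpy size would be %zu)\n",
           huge, check_signed(huge), memcpy_size_from_signed(huge));
    printf("uint32 check accepts 0x%08x: %d\n", huge, check_unsigned(huge));
    printf("copy of 1032 bytes -> %d, of 1033 bytes -> %d\n",
           copy_message_of_length(1032), copy_message_of_length(1033));
    return 0;
}
```

The unsigned form rejects every value above 1032 in a single comparison; the signed form needs a second `< 0` test to be equivalent, which is the kind of check that gets forgotten.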
2016-11-14 02:15:55

by Ben Hutchings

Subject: [PATCH 3.2 024/152] KVM: nVMX: Fix memory corruption when using VMCS shadowing

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jim Mattson <[email protected]>

commit 2f1fe81123f59271bddda673b60116bde9660385 upstream.

When freeing the nested resources of a vcpu, there is an assumption that
the vcpu's vmcs01 is the current VMCS on the CPU that executes
nested_release_vmcs12(). If this assumption is violated, the vcpu's
vmcs01 may be made active on multiple CPUs at the same time, in
violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
not VMCLEARed on every CPU on which it is active, it can linger in a
CPU's VMCS cache after it has been freed and potentially
repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
miss can result in memory corruption.

It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
the vcpu in question was last loaded on a different CPU, it must be
migrated to the current CPU before calling vmx_load_vmcs01().

Signed-off-by: Jim Mattson <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
[bwh: Backported to 3.2: vcpu_load() returns void]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6328,14 +6328,27 @@ static void vmx_load_vmcs01(struct kvm_v
put_cpu();
}

+/*
+ * Ensure that the current vmcs of the logical processor is the
+ * vmcs01 of the vcpu before calling free_nested().
+ */
+static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ vcpu_load(vcpu);
+ vmx_load_vmcs01(vcpu);
+ free_nested(vmx);
+ vcpu_put(vcpu);
+}
+
static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);

free_vpid(vmx);
leave_guest_mode(vcpu);
- vmx_load_vmcs01(vcpu);
- free_nested(vmx);
+ vmx_free_vcpu_nested(vcpu);
free_loaded_vmcs(vmx->loaded_vmcs);
kfree(vmx->guest_msrs);
kvm_vcpu_uninit(vcpu);
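Review bot: `vmx_free_vcpu_nested()` takes the vcpu mutex through `vcpu_load()` (see the `mutex_unlock(&vcpu->mutex)` in the `vcpu_put()` hunk below), so `vmx_free_vcpu()` must never be reached with that mutex already held; a one-line note above the helper would record that requirement. The absence of a return-value check on `vcpu_load()` is intentional for this tree, as the backport note says it returns void in 3.2.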
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -156,6 +156,7 @@ void vcpu_load(struct kvm_vcpu *vcpu)
kvm_arch_vcpu_load(vcpu, cpu);
put_cpu();
}
+EXPORT_SYMBOL_GPL(vcpu_load);

void vcpu_put(struct kvm_vcpu *vcpu)
{
@@ -165,6 +166,7 @@ void vcpu_put(struct kvm_vcpu *vcpu)
preempt_enable();
mutex_unlock(&vcpu->mutex);
}
+EXPORT_SYMBOL_GPL(vcpu_put);

static void ack_flush(void *_completed)
{

2016-11-14 02:15:53

by Ben Hutchings

Subject: [PATCH 3.2 067/152] megaraid_sas: Fix probing cards without io port

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yinghai Lu <[email protected]>

commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream.

Found that one megaraid_sas HBA probe fails,

[ 187.235190] scsi host2: Avago SAS based MegaRAID driver
[ 191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io 0x0000-0x00ff]
[ 191.120548] megaraid_sas 0000:89:00.0: IO memory region busy!

and the card has resource like,
[ 125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400
[ 125.104446] pci 0000:89:00.0: reg 0x10: [io 0x0000-0x00ff]
[ 125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit]
[ 125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit]
[ 125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref]

that does not have an io port resource allocated from the BIOS, and the kernel
cannot assign one because of io port shortage.

The driver is only looking for MEM, and should not fail.

It turns out megasas_init_fw() etc. are using the bar index as a mask: index 1
is used as mask 1, so that pci_request_selected_regions() is trying to
request BAR0 instead of BAR1.

Fix all related references.

Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support")
Signed-off-by: Yinghai Lu <[email protected]>
Acked-by: Kashyap Desai <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 6 +++---
drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3508,7 +3508,7 @@ static int megasas_init_fw(struct megasa
/* Find first memory bar */
bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
- if (pci_request_selected_regions(instance->pdev, instance->bar,
+ if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
"megasas: LSI")) {
printk(KERN_DEBUG "megasas: IO memory region busy!\n");
return -EBUSY;
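Review bot: `1<<instance->bar` is right given that `pci_select_bars()` returns a bit mask and `instance->bar` is the bit index extracted from it, but the unchanged line above, `find_first_bit(&bar_list, sizeof(unsigned long))`, passes a byte count (8 on 64-bit) where a bit count is expected, so only BARs 0..7 are searchable; that is not this patch's bug and happens to suffice for the six PCI BARs, but `BITS_PER_LONG` is the intended argument. The three release sites in the following hunks use the same `1<<instance->bar` mask, so request and release stay paired.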
@@ -3661,7 +3661,7 @@ fail_ready_state:
iounmap(instance->reg_set);

fail_ioremap:
- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);

return -EINVAL;
}
@@ -3682,7 +3682,7 @@ static void megasas_release_mfi(struct m

iounmap(instance->reg_set);

- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
}

/**
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2026,7 +2026,7 @@ megasas_release_fusion(struct megasas_in

iounmap(instance->reg_set);

- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
}

/**

2016-11-14 02:15:51

by Ben Hutchings

Subject: [PATCH 3.2 152/152] ext3: NULL dereference in ext3_evict_inode()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit bcdd0c1600903e9222abfcde28947406020ccb5d upstream.

This is an fsfuzzer bug. ->s_journal is set at the end of
ext3_load_journal() but we try to use it in the error handling from
ext3_get_journal() while it's still NULL.

[ 337.039041] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
[ 337.040380] IP: [<ffffffff816e6539>] _raw_spin_lock+0x9/0x30
[ 337.041687] PGD 0
[ 337.043118] Oops: 0002 [#1] SMP
[ 337.044483] CPU 3
[ 337.044495] Modules linked in: ecb md4 cifs fuse kvm_intel kvm brcmsmac brcmutil crc8 cordic r8169 [last unloaded: scsi_wait_scan]
[ 337.047633]
[ 337.049259] Pid: 8308, comm: mount Not tainted 3.2.0-rc2-next-20111121+ #24 SAMSUNG ELECTRONICS CO., LTD. RV411/RV511/E3511/S3511 /RV411/RV511/E3511/S3511
[ 337.051064] RIP: 0010:[<ffffffff816e6539>] [<ffffffff816e6539>] _raw_spin_lock+0x9/0x30
[ 337.052879] RSP: 0018:ffff8800b1d11ae8 EFLAGS: 00010282
[ 337.054668] RAX: 0000000000000100 RBX: 0000000000000000 RCX: ffff8800b77c2000
[ 337.056400] RDX: ffff8800a97b5c00 RSI: 0000000000000000 RDI: 0000000000000024
[ 337.058099] RBP: ffff8800b1d11ae8 R08: 6000000000000000 R09: e018000000000000
[ 337.059841] R10: ff67366cc2607c03 R11: 00000000110688e6 R12: 0000000000000000
[ 337.061607] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8800a78f06e8
[ 337.063385] FS: 00007f9d95652800(0000) GS:ffff8800b7180000(0000) knlGS:0000000000000000
[ 337.065110] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 337.066801] CR2: 0000000000000024 CR3: 00000000aef2c000 CR4: 00000000000006e0
[ 337.068581] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 337.070321] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 337.072105] Process mount (pid: 8308, threadinfo ffff8800b1d10000, task ffff8800b1d02be0)
[ 337.073800] Stack:
[ 337.075487] ffff8800b1d11b08 ffffffff811f48cf ffff88007ac9b158 0000000000000000
[ 337.077255] ffff8800b1d11b38 ffffffff8119405d ffff88007ac9b158 ffff88007ac9b250
[ 337.078851] ffffffff8181bda0 ffffffff8181bda0 ffff8800b1d11b68 ffffffff81131e31
[ 337.080284] Call Trace:
[ 337.081706] [<ffffffff811f48cf>] log_start_commit+0x1f/0x40
[ 337.083107] [<ffffffff8119405d>] ext3_evict_inode+0x1fd/0x2a0
[ 337.084490] [<ffffffff81131e31>] evict+0xa1/0x1a0
[ 337.085857] [<ffffffff81132031>] iput+0x101/0x210
[ 337.087220] [<ffffffff811339d1>] iget_failed+0x21/0x30
[ 337.088581] [<ffffffff811905fc>] ext3_iget+0x15c/0x450
[ 337.089936] [<ffffffff8118b0c1>] ? ext3_rsv_window_add+0x81/0x100
[ 337.091284] [<ffffffff816df9a4>] ext3_get_journal+0x15/0xde
[ 337.092641] [<ffffffff811a2e9b>] ext3_fill_super+0xf2b/0x1c30
[ 337.093991] [<ffffffff810ddf7d>] ? register_shrinker+0x4d/0x60
[ 337.095332] [<ffffffff8111c112>] mount_bdev+0x1a2/0x1e0
[ 337.096680] [<ffffffff811a1f70>] ? ext3_setup_super+0x210/0x210
[ 337.098026] [<ffffffff8119a770>] ext3_mount+0x10/0x20
[ 337.099362] [<ffffffff8111cbee>] mount_fs+0x3e/0x1b0
[ 337.100759] [<ffffffff810eda1b>] ? __alloc_percpu+0xb/0x10
[ 337.102330] [<ffffffff81135385>] vfs_kern_mount+0x65/0xc0
[ 337.103889] [<ffffffff8113611f>] do_kern_mount+0x4f/0x100
[ 337.105442] [<ffffffff811378fc>] do_mount+0x19c/0x890
[ 337.106989] [<ffffffff810e8456>] ? memdup_user+0x46/0x90
[ 337.108572] [<ffffffff810e84f3>] ? strndup_user+0x53/0x70
[ 337.110114] [<ffffffff811383fb>] sys_mount+0x8b/0xe0
[ 337.111617] [<ffffffff816ed93b>] system_call_fastpath+0x16/0x1b
[ 337.113133] Code: 38 c2 74 0f 66 0f 1f 44 00 00 f3 90 0f b6 03 38 c2 75 f7 48 83 c4 08 5b 5d c3 0f 1f 84 00 00 00 00 00 55 b8 00 01 00 00 48 89 e5 <f0> 66 0f c1 07 0f b6 d4 38 c2 74 0c 0f 1f 00 f3 90 0f b6 07 38
[ 337.116588] RIP [<ffffffff816e6539>] _raw_spin_lock+0x9/0x30
[ 337.118260] RSP <ffff8800b1d11ae8>
[ 337.119998] CR2: 0000000000000024
[ 337.188701] ---[ end trace c36d790becac1615 ]---

Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Cc: Amir Goldstein <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext3/inode.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -223,8 +223,12 @@ void ext3_evict_inode (struct inode *ino
*
* Note that directories do not have this problem because they don't
* use page cache.
+ *
+ * The s_journal check handles the case when ext3_get_journal() fails
+ * and puts the journal inode.
*/
if (inode->i_nlink && ext3_should_journal_data(inode) &&
+ EXT3_SB(inode->i_sb)->s_journal &&
(S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
tid_t commit_tid = atomic_read(&ei->i_datasync_tid);
journal_t *journal = EXT3_SB(inode->i_sb)->s_journal;

2016-11-14 02:16:48

by Ben Hutchings

Subject: [PATCH 3.2 087/152] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 upstream.

I got this:

divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
task: ffff8801120a9580 task.stack: ffff8801120b0000
RIP: 0010:[<ffffffff82c8bd9a>] [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
RSP: 0018:ffff88011aa87da8 EFLAGS: 00010006
RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
FS: 00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
Stack:
0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
Call Trace:
<IRQ>
[<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
[<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
[<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
[<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
[<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
[<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
[<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
[<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
[<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
<EOI>
[<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
[<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
[<ffffffff82c87015>] snd_timer_continue+0x45/0x80
[<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
[<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
[<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
[<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
[<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
[<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
[<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
[<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
[<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
[<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
[<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
[<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
RIP [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
RSP <ffff88011aa87da8>
---[ end trace 6aa380f756a21074 ]---

The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
completely new/unused timer -- it will have ->sticks == 0, which causes a
divide by 0 in snd_hrtimer_callback().

Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -822,6 +822,7 @@ int snd_timer_new(struct snd_card *card,
timer->tmr_subdevice = tid->subdevice;
if (id)
strlcpy(timer->id, id, sizeof(timer->id));
+ timer->sticks = 1;
INIT_LIST_HEAD(&timer->device_list);
INIT_LIST_HEAD(&timer->open_list_head);
INIT_LIST_HEAD(&timer->active_list_head);
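Review bot: `timer->sticks = 1` is an unexplained magic initialisation at this point in `snd_timer_new()`; a comment tying it to the division in `snd_hrtimer_callback()` quoted in the changelog (a timer continued without ever having been started keeps this default) would stop someone from removing it as dead code later. The fix also relies on every later start path overwriting `sticks`, which nothing in this hunk's context shows, so the comment should say that too.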

2016-11-14 02:16:52

by Ben Hutchings

Subject: [PATCH 3.2 031/152] tpm: read burstcount from TPM_STS in one 32-bit transaction

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Pronin <[email protected]>

commit 9754d45e997000ad4021bc4606cc266bb38d876f upstream.

Some chips incorrectly support partial reads from TPM_STS register
at non-zero offsets. Read the entire 32-bits register instead of
making two 8-bit reads to support such devices and reduce the number
of bus transactions when obtaining the burstcount from TPM_STS.

Fixes: 27084efee0c3 ("tpm: driver for next generation TPM chips")
Signed-off-by: Andrey Pronin <[email protected]>
Reviewed-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
[bwh: Backported to 3.2:
- Use raw ioread32() instead of tpm_tis_read32()
- Adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -176,16 +176,15 @@ static int get_burstcount(struct tpm_chi
{
unsigned long stop;
int burstcnt;
+ u32 value;

/* wait for burstcount */
/* which timeout value, spec has 2 answers (c & d) */
stop = jiffies + chip->vendor.timeout_d;
do {
- burstcnt = ioread8(chip->vendor.iobase +
- TPM_STS(chip->vendor.locality) + 1);
- burstcnt += ioread8(chip->vendor.iobase +
- TPM_STS(chip->vendor.locality) +
- 2) << 8;
+ value = ioread32(chip->vendor.iobase +
+ TPM_STS(chip->vendor.locality));
+ burstcnt = (value >> 8) & 0xFFFF;
if (burstcnt)
return burstcnt;
msleep(TPM_TIMEOUT);
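Review bot: `(value >> 8) & 0xFFFF` extracts the same two bytes that the old `+1` and `+2` byte reads composed, so the result is unchanged on devices where partial reads already worked; `ioread32()` is a little-endian access, which is what the old byte-offset arithmetic assumed. `burstcnt` stays `int` while the masked value is at most 0xFFFF, so it cannot go negative; the declaration of `value` could be narrowed to the loop body, but that is cosmetic.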

2016-11-14 02:17:28

by Ben Hutchings

Subject: [PATCH 3.2 094/152] sched/core: Fix a race between try_to_wake_up() and a woken up task

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Balbir Singh <[email protected]>

commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream.

The origin of the issue I've seen is related to
a missing memory barrier between check for task->state and
the check for task->on_rq.

The task being woken up is already awake from a schedule()
and is doing the following:

    do {
        schedule()
        set_current_state(TASK_(UN)INTERRUPTIBLE);
    } while (!cond);

The waker, actually gets stuck doing the following in
try_to_wake_up():

    while (p->on_cpu)
        cpu_relax();

Analysis:

The instance I've seen involves the following race:

 CPU1                                   CPU2

 while () {
   if (cond)
     break;
   do {
     schedule();
     set_current_state(TASK_UN..)
   } while (!cond);
                                        wakeup_routine()
                                          spin_lock_irqsave(wait_lock)
   raw_spin_lock_irqsave(wait_lock)        wake_up_process()
 }                                        try_to_wake_up()
 set_current_state(TASK_RUNNING);         ..
 list_del(&waiter.list);

CPU2 wakes up CPU1, but before it can get the wait_lock and set
current state to TASK_RUNNING the following occurs:

 CPU3
 wakeup_routine()
 raw_spin_lock_irqsave(wait_lock)
 if (!list_empty)
   wake_up_process()
   try_to_wake_up()
   raw_spin_lock_irqsave(p->pi_lock)
   ..
   if (p->on_rq && ttwu_wakeup())
   ..
   while (p->on_cpu)
     cpu_relax()
   ..

CPU3 tries to wake up the task on CPU1 again since it finds
it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
after CPU2, CPU3 got it.

CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
the task is spinning on the wait_lock. Interestingly since p->on_rq
is checked under pi_lock, I've noticed that try_to_wake_up() finds
p->on_rq to be 0. This was the most confusing bit of the analysis,
but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
check is not reliable without this fix IMHO. The race is visible
(based on the analysis) only when ttwu_queue() does a remote wakeup
via ttwu_queue_remote, in which case the p->on_rq change is not
done under the pi_lock.

The result is that after a while the entire system locks up on
the raw_spin_irqlock_save(wait_lock) and the holder spins infinitely.

Reproduction of the issue:

The issue can be reproduced after a long run on my system with 80
threads and having to tweak available memory to very low and running
memory stress-ng mmapfork test. It usually takes a long time to
reproduce. I am trying to work on a test case that can reproduce
the issue faster, but that's work in progress. I am still testing the
changes on my still in a loop and the tests seem OK thus far.

Big thanks to Benjamin and Nick for helping debug this as well.
Ben helped catch the missing barrier, Nick caught every missing
bit in my theory.

Signed-off-by: Balbir Singh <[email protected]>
[ Updated comment to clarify matching barriers. Many
architectures do not have a full barrier in switch_to()
so that cannot be relied upon. ]
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Acked-by: Benjamin Herrenschmidt <[email protected]>
Cc: Alexey Kardashevskiy <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Nicholas Piggin <[email protected]>
Cc: Nicholas Piggin <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
kernel/sched.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -2833,6 +2833,28 @@ try_to_wake_up(struct task_struct *p, un
success = 1; /* we're going to change ->state */
cpu = task_cpu(p);

+ /*
+ * Ensure we load p->on_rq _after_ p->state, otherwise it would
+ * be possible to, falsely, observe p->on_rq == 0 and get stuck
+ * in smp_cond_load_acquire() below.
+ *
+ * sched_ttwu_pending() try_to_wake_up()
+ * [S] p->on_rq = 1; [L] P->state
+ * UNLOCK rq->lock -----.
+ * \
+ * +--- RMB
+ * schedule() /
+ * LOCK rq->lock -----'
+ * UNLOCK rq->lock
+ *
+ * [task p]
+ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq
+ *
+ * Pairs with the UNLOCK+LOCK on rq->lock from the
+ * last wakeup of our task and the schedule that got our task
+ * current.
+ */
+ smp_rmb();
if (p->on_rq && ttwu_remote(p, wake_flags))
goto stat;

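Review bot: the new comment refers to `smp_cond_load_acquire()` below, but that helper does not exist in 3.2; the changelog shows the loop this kernel actually has, `while (p->on_cpu) cpu_relax();`, so the backport should reword that sentence to name the real spin loop rather than import the mainline one verbatim. The `smp_rmb()` placement itself matches the ordering the comment describes: `p->state` was loaded before `success = 1` above, and `p->on_rq` is loaded on the very next line.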

2016-11-14 02:17:31

by Ben Hutchings

Subject: [PATCH 3.2 098/152] ALSA: rawmidi: Fix possible deadlock with virmidi registration

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 816f318b2364262a51024096da7ca3b84e78e3b5 upstream.

When a seq-virmidi driver is initialized, it registers a rawmidi
instance with its callback to create an associated seq kernel client.
Currently it's done thoroughly in rawmidi's register_mutex context.
Recently it was found that this may lead to a deadlock when another
rawmidi device that is being attached with the sequencer is accessed,
as both open with the same register_mutex. This was actually triggered
by syzkaller, as Dmitry Vyukov reported:

======================================================
[ INFO: possible circular locking dependency detected ]
4.8.0-rc1+ #11 Not tainted
-------------------------------------------------------
syz-executor/7154 is trying to acquire lock:
(register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

but task is already holding lock:
(&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&grp->list_mutex){++++.+}:
[<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
[<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
[< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
[<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
[<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
[<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
[<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
[< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
[<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
[<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
[<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
[< inline >] __snd_device_register sound/core/device.c:162
[<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
[<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
[<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
[<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
......

-> #0 (register_mutex#5){+.+.+.}:
[< inline >] check_prev_add kernel/locking/lockdep.c:1829
[< inline >] check_prevs_add kernel/locking/lockdep.c:1939
[< inline >] validate_chain kernel/locking/lockdep.c:2266
[<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
[<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
[< inline >] __mutex_lock_common kernel/locking/mutex.c:521
[<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
[<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
[<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
[< inline >] subscribe_port sound/core/seq/seq_ports.c:427
[<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
[<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
[<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
[<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
[<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
[<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
[<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
[<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
[<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
[<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
......

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&grp->list_mutex);
                               lock(register_mutex#5);
                               lock(&grp->list_mutex);
  lock(register_mutex#5);

*** DEADLOCK ***
======================================================

The fix is to simply move the registration parts in
snd_rawmidi_dev_register() to the outside of the register_mutex lock.
The lock is needed only to manage the linked list, and it's not
necessary to cover the whole initialization process.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/rawmidi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1609,11 +1609,13 @@ static int snd_rawmidi_dev_register(stru
return -EBUSY;
}
list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+ mutex_unlock(&register_mutex);
sprintf(name, "midiC%iD%i", rmidi->card->number, rmidi->device);
if ((err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
rmidi->card, rmidi->device,
&snd_rawmidi_f_ops, rmidi, name)) < 0) {
snd_printk(KERN_ERR "unable to register rawmidi device %i:%i\n", rmidi->card->number, rmidi->device);
+ mutex_lock(&register_mutex);
list_del(&rmidi->list);
mutex_unlock(&register_mutex);
return err;
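Review bot: after the new `mutex_unlock(&register_mutex)` the rmidi is already on snd_rawmidi_devices while its character device is not yet registered, so a concurrent snd_rawmidi_kernel_open() (the lookup that takes register_mutex in the lockdep trace above) can now find a half-initialised instance; please confirm that lookup either tolerates that window or checks a "registered" state before using the device, and mention the window in the commit message. The failure paths here and in the next hunk also repeat the same `mutex_lock(); list_del(); mutex_unlock(); return err;` sequence; one error label would avoid the duplication.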
@@ -1621,6 +1623,7 @@ static int snd_rawmidi_dev_register(stru
if (rmidi->ops && rmidi->ops->dev_register &&
(err = rmidi->ops->dev_register(rmidi)) < 0) {
snd_unregister_device(SNDRV_DEVICE_TYPE_RAWMIDI, rmidi->card, rmidi->device);
+ mutex_lock(&register_mutex);
list_del(&rmidi->list);
mutex_unlock(&register_mutex);
return err;
@@ -1649,7 +1652,6 @@ static int snd_rawmidi_dev_register(stru
}
}
#endif /* CONFIG_SND_OSSEMUL */
- mutex_unlock(&register_mutex);
sprintf(name, "midi%d", rmidi->device);
entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
if (entry) {
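Review bot: with the unlock moved up to the first hunk, everything between list_add_tail() and this point, including the whole CONFIG_SND_OSSEMUL block whose body is not shown, now runs without register_mutex. That is the stated intent, but the message only says the lock guards the list; please confirm the OSS emulation registration does not itself walk snd_rawmidi_devices or otherwise expect register_mutex to be held.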

2016-11-14 02:17:24

by Ben Hutchings

Subject: [PATCH 3.2 099/152] xfrm_user: propagate sec ctx allocation errors

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Krause <[email protected]>

commit 2f30ea5090cbc57ea573cdc66421264b3de3fb0a upstream.

When we fail to attach the security context in xfrm_state_construct()
we'll return 0 as error value which, in turn, will wrongly claim success
to userland when, in fact, we won't be adding / updating the XFRM state.

This is a regression introduced by commit fd21150a0fe1 ("[XFRM] netlink:
Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()").

Fix it by propagating the error returned by security_xfrm_state_alloc()
in this case.

Fixes: fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl()...")
Signed-off-by: Mathias Krause <[email protected]>
Cc: Thomas Graf <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/xfrm/xfrm_user.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -558,9 +558,12 @@ static struct xfrm_state *xfrm_state_con
if (err)
goto error;

- if (attrs[XFRMA_SEC_CTX] &&
- security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
- goto error;
+ if (attrs[XFRMA_SEC_CTX]) {
+ err = security_xfrm_state_alloc(x,
+ nla_data(attrs[XFRMA_SEC_CTX]));
+ if (err)
+ goto error;
+ }

if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
attrs[XFRMA_REPLAY_ESN_VAL])))
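Review bot: the fix is correct; the old `goto error` was reached with `err` still holding the 0 from the preceding successful call (the `if (err) goto error;` context above), which is exactly how success was reported without a state being installed. Two small points: the new block breaks the parenthesised-assignment style of the xfrm_alloc_replay_state_esn() call just below, and the message could say that userland now receives the LSM's errno from security_xfrm_state_alloc() for a rejected security context, a visible behaviour change for tools that previously saw 0.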

2016-11-14 02:18:28

by Ben Hutchings

Subject: [PATCH 3.2 093/152] iio: accel: kxsd9: Fix scaling bug

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Linus Walleij <[email protected]>

commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.

All the scaling of the KXSD9 involves multiplication with a
fraction number < 1.

However the scaling value returned from IIO_INFO_SCALE was
unpredictable as only the micros of the value was assigned, and
not the integer part, resulting in scaling like this:

$cat in_accel_scale
-1057462640.011978

Fix this by assigning zero to the integer part.

Tested-by: Jonathan Cameron <[email protected]>
Signed-off-by: Linus Walleij <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/iio/accel/kxsd9.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/staging/iio/accel/kxsd9.c
+++ b/drivers/staging/iio/accel/kxsd9.c
@@ -169,6 +169,7 @@ static int kxsd9_read_raw(struct iio_dev
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
if (ret < 0)
goto error_ret;
+ *val = 0;
*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
ret = IIO_VAL_INT_PLUS_MICRO;
break;
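Review bot: worth stating in the commit message that the `-1057462640` shown above is whatever the caller's `*val` happened to contain, i.e. uninitialised memory reported through the IIO_INFO_SCALE sysfs read, so this is a small information leak as well as a scaling bug. The fix is the right one; the `ret & KXSD9_FS_MASK` index into kxsd9_micro_scales[] remains bounded by the mask.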

2016-11-14 02:18:39

by Ben Hutchings

Subject: [PATCH 3.2 091/152] IB/core: Fix use after free in send_leave function

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <[email protected]>

commit 68c6bcdd8bd00394c234b915ab9b97c74104130c upstream.

The function send_leave sets the member: group->query_id
(group->query_id = ret) after calling the sa_query, but leave_handler
can be executed before the setting and it might delete the group object,
which will cause memory corruption.

Additionally, this patch gets rid of group->query_id variable which is
not used.

Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
Signed-off-by: Erez Shitrit <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/core/multicast.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -106,7 +106,6 @@ struct mcast_group {
atomic_t refcount;
enum mcast_group_state state;
struct ib_sa_query *query;
- int query_id;
u16 pkey_index;
u8 leave_state;
int retries;
@@ -339,11 +338,7 @@ static int send_join(struct mcast_group
member->multicast.comp_mask,
3000, GFP_KERNEL, join_handler, group,
&group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}

static int send_leave(struct mcast_group *group, u8 leave_state)
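Review bot: the subject and message talk only about send_leave(), but this hunk applies the identical change to send_join(), where join_handler() can race the same way; please say so. `(ret > 0) ? 0 : ret` also maps ret == 0 to 0, which matches the old `ret >= 0` success test, but `return ret < 0 ? ret : 0;` reads closer to the intent.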
@@ -363,11 +358,7 @@ static int send_leave(struct mcast_group
IB_SA_MCMEMBER_REC_JOIN_STATE,
3000, GFP_KERNEL, leave_handler,
group, &group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}

static void join_group(struct mcast_group *group, struct mcast_member *member,
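Review bot: after this change nothing touches `group` once ib_sa_mcmember_rec_query() returns, which closes the window the message describes; but `&group->query` is still passed in and written by the query code, so the fix depends on that store completing before the request is sent (i.e. before leave_handler can run and free the group). One sentence in the commit message making that ordering assumption explicit would help the next reader.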

2016-11-14 02:18:47

by Ben Hutchings

Subject: [PATCH 3.2 082/152] USB: avoid left shift by -1

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa upstream.

UBSAN complains about a left shift by -1 in proc_do_submiturb(). This
can occur when an URB is submitted for a bulk or control endpoint on
a high-speed device, since the code doesn't bother to check the
endpoint type; normally only interrupt or isochronous endpoints have
a nonzero bInterval value.

Aside from the fact that the operation is illegal, it shouldn't matter
because the result isn't used. Still, in theory it could cause a
hardware exception or other problem, so we should work around it.
This patch avoids doing the left shift unless the shift amount is >= 0.

The same piece of code has another problem. When checking the device
speed (the exponential encoding for interrupt endpoints is used only
by high-speed or faster devices), we need to look for speed >=
USB_SPEED_SUPER as well as speed == USB_SPEED_HIGH. The patch adds
this check.

Signed-off-by: Alan Stern <[email protected]>
Reported-by: Vittorio Zecca <[email protected]>
Tested-by: Vittorio Zecca <[email protected]>
Suggested-by: Bjørn Mork <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/devio.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1281,11 +1281,17 @@ static int proc_do_submiturb(struct dev_
as->urb->setup_packet = (unsigned char *)dr;
as->urb->start_frame = uurb->start_frame;
as->urb->number_of_packets = uurb->number_of_packets;
- if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
- ps->dev->speed == USB_SPEED_HIGH)
- as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
- else
- as->urb->interval = ep->desc.bInterval;
+
+ if (ep->desc.bInterval) {
+ if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
+ ps->dev->speed == USB_SPEED_HIGH ||
+ ps->dev->speed >= USB_SPEED_SUPER)
+ as->urb->interval = 1 <<
+ min(15, ep->desc.bInterval - 1);
+ else
+ as->urb->interval = ep->desc.bInterval;
+ }
+
as->urb->context = as;
as->urb->complete = async_completed;
for (totlen = u = 0; u < uurb->number_of_packets; u++) {
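Review bot: when `ep->desc.bInterval` is 0 the new code leaves `as->urb->interval` untouched, so correctness now depends on the urb having been zero-allocated earlier in proc_do_submiturb(); please confirm that (usb_alloc_urb() does zero the struct) or add an `else as->urb->interval = 0;` so the intent is explicit. With bInterval >= 1 the shift amount `bInterval - 1` is 0..254 before the min(), so the UBSAN complaint is gone on all three branches of the condition.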

2016-11-14 02:18:45

by Ben Hutchings

Subject: [PATCH 3.2 076/152] parisc: Fix order of EREFUSED define in errno.h

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <[email protected]>

commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd upstream.

When building gccgo in userspace, errno.h gets parsed and the go include file
sysinfo.go is generated.

Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
is defined later on in errno.h, this leads to go complaining that EREFUSED
isn't defined yet.

Fix this trivial problem by moving the define of EREFUSED down after
ECONNREFUSED in errno.h (and clean up the indenting while touching this line).

Signed-off-by: Helge Deller <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/parisc/include/asm/errno.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/parisc/include/asm/errno.h
+++ b/arch/parisc/include/asm/errno.h
@@ -97,10 +97,10 @@
#define ENOTCONN 235 /* Transport endpoint is not connected */
#define ESHUTDOWN 236 /* Cannot send after transport endpoint shutdown */
#define ETOOMANYREFS 237 /* Too many references: cannot splice */
-#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
#define ETIMEDOUT 238 /* Connection timed out */
#define ECONNREFUSED 239 /* Connection refused */
-#define EREMOTERELEASE 240 /* Remote peer released connection */
+#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+#define EREMOTERELEASE 240 /* Remote peer released connection */
#define EHOSTDOWN 241 /* Host is down */
#define EHOSTUNREACH 242 /* No route to host */
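Review bot: the `-#define EREMOTERELEASE` / `+#define EREMOTERELEASE` pair differs only in whitespace (the "clean up the indenting" the message mentions); as rendered here the two lines are indistinguishable, and with `-w` the patch is a pure one-line move. Harmless, but whitespace-only churn is usually dropped from a stable backport.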


2016-11-14 02:18:35

by Ben Hutchings

Subject: [PATCH 3.2 095/152] crypto: cryptd - initialize child shash_desc on import

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <[email protected]>

commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.

When calling .import() on a cryptd ahash_request, the structure members
that describe the child transform in the shash_desc need to be initialized
like they are when calling .init().

Signed-off-by: Ard Biesheuvel <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
crypto/cryptd.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -565,9 +565,14 @@ static int cryptd_hash_export(struct aha

static int cryptd_hash_import(struct ahash_request *req, const void *in)
{
- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
+ struct shash_desc *desc = cryptd_shash_desc(req);

- return crypto_shash_import(&rctx->desc, in);
+ desc->tfm = ctx->child;
+ desc->flags = req->base.flags;
+
+ return crypto_shash_import(desc, in);
}

static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
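Review bot: the import path now duplicates the two assignments the init path makes (`desc->tfm = ctx->child; desc->flags = req->base.flags;`); a small helper shared by both would keep them from drifting apart again, which is how this bug arose. It would also help to say in the message what the symptom was: in this kernel crypto_shash_import() reaches the child algorithm through `desc->tfm`, so an unset pointer there is dereferenced on the first import after an export.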

2016-11-14 02:18:31

by Ben Hutchings

Subject: [PATCH 3.2 126/152] avr32: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.

Really ugly, but apparently avr32 compilers turn access_ok() into
something so bad that they want it in assembler. Left that way,
zeroing added in inline wrapper.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/avr32/include/asm/uaccess.h | 11 ++++++++++-
arch/avr32/kernel/avr32_ksyms.c | 2 +-
arch/avr32/lib/copy_user.S | 4 ++--
3 files changed, 13 insertions(+), 4 deletions(-)

--- a/arch/avr32/include/asm/uaccess.h
+++ b/arch/avr32/include/asm/uaccess.h
@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void

extern __kernel_size_t copy_to_user(void __user *to, const void *from,
__kernel_size_t n);
-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
+extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
__kernel_size_t n);

static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro
{
return __copy_user(to, (const void __force *)from, n);
}
+static inline __kernel_size_t copy_from_user(void *to,
+ const void __user *from,
+ __kernel_size_t n)
+{
+ size_t res = ___copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
+}

#define __copy_to_user_inatomic __copy_to_user
#define __copy_from_user_inatomic __copy_from_user
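Review bot: `memset(to + (n - res), 0, res)` does arithmetic on a `void *`, a GCC extension the kernel relies on elsewhere, so acceptable; but `res` is declared `size_t` while the function returns `__kernel_size_t`, so use one type. For the message it is worth noting that only the checked copy_from_user() gains the zeroing: `__copy_from_user()` (context above) and `__copy_from_user_inatomic` keep the raw __copy_user() behaviour, consistent with the asm-generic change in this series.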
--- a/arch/avr32/kernel/avr32_ksyms.c
+++ b/arch/avr32/kernel/avr32_ksyms.c
@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
/*
* Userspace access stuff.
*/
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(___copy_from_user);
EXPORT_SYMBOL(copy_to_user);
EXPORT_SYMBOL(__copy_user);
EXPORT_SYMBOL(strncpy_from_user);
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -25,11 +25,11 @@
.align 1
.global copy_from_user
.type copy_from_user, @function
-copy_from_user:
+___copy_from_user:
branch_if_kernel r8, __copy_user
ret_if_privileged r8, r11, r10, r10
rjmp __copy_user
- .size copy_from_user, . - copy_from_user
+ .size ___copy_from_user, . - ___copy_from_user

.global copy_to_user
.type copy_to_user, @function
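Review bot: the label and the `.size` directive are renamed to `___copy_from_user`, but the `.global copy_from_user` and `.type copy_from_user, @function` lines just above them are left as unchanged context, so the new symbol is never declared global and `.global`/`.type` now name a symbol this file no longer defines. The EXPORT_SYMBOL(___copy_from_user) in avr32_ksyms.c and the extern reference from the new inline wrapper both need the global; these two lines should read
	.global	___copy_from_user
	.type	___copy_from_user, @function
Please build and link-test the avr32 backport before release.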

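To make the contract the avr32 wrapper above enforces concrete, here is an added example in C; it is not kernel code and not from the patch or the avr32 tree. It is a userspace model in which the raw copy is a constructed stand-in for the assembly ___copy_from_user, with the page fault replaced by an explicit fault-offset argument so the behaviour is deterministic. The names model_raw_copy_from_user, model_copy_from_user, stale_bytes_after_copy and wrapper_result are hypothetical, and the 0xAA-filled destination and the 1, 2, 3, ... source are constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model (not kernel code) of the two layers in the avr32 patch:
 * a raw copy that may stop short, and the inline wrapper that zeroes the
 * tail. The page fault is simulated by "fault_off": bytes at or beyond that
 * offset are treated as unreadable.
 */

/* Raw copy: copies up to the simulated fault and returns the number of bytes
 * NOT copied, which is the kernel's copy_from_user() return-value contract. */
static size_t model_raw_copy_from_user(void *to, const void *from, size_t n,
                                       size_t fault_off)
{
    size_t copied = n < fault_off ? n : fault_off;

    memcpy(to, from, copied);
    return n - copied;
}

/* The wrapper the patch adds: on a short copy, zero the uncopied tail so a
 * caller that ignores the return value reads zeros rather than whatever the
 * destination held before (stale kernel data). */
static size_t model_copy_from_user(void *to, const void *from, size_t n,
                                   size_t fault_off)
{
    size_t res = model_raw_copy_from_user(to, from, n, fault_off);

    if (res)
        memset((char *)to + (n - res), 0, res);
    return res;
}

/*
 * Run one copy into a destination pre-filled with 0xAA (standing in for
 * stale kernel stack contents) and count how many of the n requested bytes
 * still hold 0xAA afterwards. With the raw copy that is the number of bytes
 * a careless caller would leak; with the wrapper it is always 0.
 */
static size_t stale_bytes_after_copy(int use_zeroing_wrapper, size_t n,
                                     size_t fault_off)
{
    unsigned char dst[64];   /* "kernel" destination */
    unsigned char src[64];   /* "user" source, constructed: 1, 2, 3, ... */
    size_t i, stale = 0;

    if (n > sizeof dst)
        n = sizeof dst;
    memset(dst, 0xAA, sizeof dst);
    for (i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)(i + 1);   /* never 0xAA within 64 bytes */

    if (use_zeroing_wrapper)
        model_copy_from_user(dst, src, n, fault_off);
    else
        model_raw_copy_from_user(dst, src, n, fault_off);

    for (i = 0; i < n; i++)
        if (dst[i] == 0xAA)
            stale++;
    return stale;
}

/* Return value of the wrapper for a given copy: bytes not copied. */
static size_t wrapper_result(size_t n, size_t fault_off)
{
    unsigned char dst[64], src[64];

    memset(src, 1, sizeof src);
    if (n > sizeof dst)
        n = sizeof dst;
    return model_copy_from_user(dst, src, n, fault_off);
}

int main(void)
{
    /* A 32-byte copy whose source faults after 8 bytes. */
    printf("raw copy, stale bytes left: %zu\n",
           stale_bytes_after_copy(0, 32, 8));
    printf("zeroing wrapper, stale bytes left: %zu\n",
           stale_bytes_after_copy(1, 32, 8));
    printf("wrapper returns bytes not copied: %zu\n", wrapper_result(32, 8));
    return 0;
}
```

For the 32-byte copy that faults after 8 bytes, the raw copy leaves 24 bytes of the destination's previous contents in place, which is what a caller that ignores the return value would hand on to userspace; the wrapper's tail memset brings that to zero while still returning the same 24 as the bytes-not-copied count, so callers that do check the result see no change.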
2016-11-14 02:18:24

by Ben Hutchings

Subject: [PATCH 3.2 047/152] ubi: Fix race condition between ubi device creation and udev

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Iosif Harutyunov <[email protected]>

commit 714fb87e8bc05ff78255afc0dca981e8c5242785 upstream.

Install the UBI device object before we arm sysfs.
Otherwise udev tries to read sysfs attributes before UBI is ready and
udev rules will not match.

Signed-off-by: Iosif Harutyunov <[email protected]>
[rw: massaged commit message]
Signed-off-by: Richard Weinberger <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/mtd/ubi/build.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -974,6 +974,9 @@ int ubi_attach_mtd_dev(struct mtd_info *
goto out_detach;
}

+ /* Make device "available" before it becomes accessible via sysfs */
+ ubi_devices[ubi_num] = ubi;
+
err = uif_init(ubi, &ref);
if (err)
goto out_detach;
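Review bot: storing `ubi_devices[ubi_num] = ubi` before uif_init() makes the device visible to ubi_get_device() and every other reader of ubi_devices[] before the background thread is started and before the UBI_VOLUME_ADDED notification in the next hunk; please confirm those readers cope with a device whose attach has not finished, since the original placement at the end of the function avoided the question entirely.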
@@ -1017,7 +1020,6 @@ int ubi_attach_mtd_dev(struct mtd_info *
wake_up_process(ubi->bgt_thread);
spin_unlock(&ubi->wl_lock);

- ubi_devices[ubi_num] = ubi;
ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL);
return ubi_num;

@@ -1028,6 +1030,7 @@ out_uif:
ubi_assert(ref);
uif_close(ubi);
out_detach:
+ ubi_devices[ubi_num] = NULL;
ubi_wl_close(ubi);
free_internal_volumes(ubi);
vfree(ubi->vtbl);
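Review bot: out_uif falls through into out_detach, so both of those failure paths clear the slot; but any error label between the new assignment and out_detach that does not pass through here (the code between the hunks is not shown) would leave `ubi_devices[ubi_num]` pointing at freed memory. Please verify there is none, or move the `= NULL` to the single common exit.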

2016-11-14 02:18:21

by Ben Hutchings

Subject: [PATCH 3.2 092/152] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <[email protected]>

commit 546481c2816ea3c061ee9d5658eb48070f69212e upstream.

When a new CM connection is being requested, the ipoib driver copies data
from the path pointer in the CM/tx object; the path object might be
invalid at that point, and memory corruption will happen later when
the CM driver tries to use that data.

The next scenario demonstrates it:
neigh_add_path --> ipoib_cm_create_tx -->
queue_work (pointer to path is in the cm/tx struct)
#while the work is still in the queue,
#the port goes down and causes the ipoib_flush_paths:
ipoib_flush_paths --> path_free --> kfree(path)
#at this point the work scheduled starts.
ipoib_cm_tx_start --> copy from the (invalid)path pointer:
(memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
-> memory corruption.

To fix that the driver now starts the CM/tx connection only if that
specific path exists in the general paths database.
This check is protected with the relevant locks, and uses the gid from
the neigh member in the CM/tx object which is valid according to the ref
count that was taken by the CM/tx.

Fixes: 839fcaba35 ('IPoIB: Connected mode experimental support')
Signed-off-by: Erez Shitrit <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
[bwh: Backported to 3.2: s/neigh->daddr/neigh->neighbour->ha/]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib.h | 1 +
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 16 ++++++++++++++++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +-
3 files changed, 18 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -434,6 +434,7 @@ void ipoib_send(struct net_device *dev,
struct ipoib_ah *address, u32 qpn);
void ipoib_reap_ah(struct work_struct *work);

+struct ipoib_path *__path_find(struct net_device *dev, void *gid);
void ipoib_mark_paths_invalid(struct net_device *dev);
void ipoib_flush_paths(struct net_device *dev);
struct ipoib_dev_priv *ipoib_intf_alloc(const char *format);
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1288,6 +1288,8 @@ void ipoib_cm_destroy_tx(struct ipoib_cm
}
}

+#define QPN_AND_OPTIONS_OFFSET 4
+
static void ipoib_cm_tx_start(struct work_struct *work)
{
struct ipoib_dev_priv *priv = container_of(work, struct ipoib_dev_priv,
@@ -1296,6 +1298,7 @@ static void ipoib_cm_tx_start(struct wor
struct ipoib_neigh *neigh;
struct ipoib_cm_tx *p;
unsigned long flags;
+ struct ipoib_path *path;
int ret;

struct ib_sa_path_rec pathrec;
@@ -1308,7 +1311,19 @@ static void ipoib_cm_tx_start(struct wor
p = list_entry(priv->cm.start_list.next, typeof(*p), list);
list_del_init(&p->list);
neigh = p->neigh;
+
qpn = IPOIB_QPN(neigh->neighbour->ha);
+ /*
+ * As long as the search is with these 2 locks,
+ * path existence indicates its validity.
+ */
+ path = __path_find(dev, neigh->neighbour->ha + QPN_AND_OPTIONS_OFFSET);
+ if (!path) {
+ pr_info("%s ignore not valid path %pI6\n",
+ __func__,
+ neigh->neighbour->ha + QPN_AND_OPTIONS_OFFSET);
+ goto free_neigh;
+ }
memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);

spin_unlock_irqrestore(&priv->lock, flags);
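Review bot: the lookup result `path` is only tested for NULL; the copy that follows still reads `p->path->pathrec` rather than `path->pathrec`, so the fix silently relies on `p->path` being the very object __path_find() returned for this gid. Either copy from `path`, or add `WARN_ON(path != p->path)` so a mismatch is visible. The `pr_info()` also fires once per queued tx on every port flap; `ipoib_dbg()` or a rate-limited print would be kinder to the logs.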
@@ -1320,6 +1335,7 @@ static void ipoib_cm_tx_start(struct wor
spin_lock_irqsave(&priv->lock, flags);

if (ret) {
+free_neigh:
neigh = p->neigh;
if (neigh) {
neigh->cm = NULL;
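Review bot: `free_neigh:` sits inside the `if (ret) {` body, which C allows, but on that path `ret` is never assigned (it is declared uninitialised as `int ret;` in the hunk above), so if anything after this block reads `ret`, set it before the goto (e.g. `ret = -ENOENT`) or move the cleanup into a labelled block after the if.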
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -208,7 +208,7 @@ static int ipoib_change_mtu(struct net_d
return 0;
}

-static struct ipoib_path *__path_find(struct net_device *dev, void *gid)
+struct ipoib_path *__path_find(struct net_device *dev, void *gid)
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
struct rb_node *n = priv->path_tree.rb_node;

2016-11-14 02:18:19

by Ben Hutchings

Subject: [PATCH 3.2 109/152] hexagon: fix strncpy_from_user() error return

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.

It's -EFAULT, not -1 (and contrary to the comment in there,
__strnlen_user() can return 0 - on faults).

Acked-by: Richard Kuo <[email protected]>
Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/hexagon/include/asm/uaccess.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_
{
long res = __strnlen_user(src, n);

- /* return from strnlen can't be zero -- that would be rubbish. */
+ if (unlikely(!res))
+ return -EFAULT;

if (res > n) {
copy_from_user(dst, src, n);
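Review bot: the added check is right, but the very next line still ignores the return value of copy_from_user() (`copy_from_user(dst, src, n);`), so a fault during the copy is not reported to the caller and the destination may be only partially filled while the function goes on to return n. Given this series is about getting exactly these return values right, that call should check for a short copy and return -EFAULT.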

2016-11-14 02:20:23

by Ben Hutchings

Subject: [PATCH 3.2 046/152] avr32: off by one in at32_init_pio()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 55f1cf83d5cf885c75267269729805852039c834 upstream.

The pio_dev[] array has MAX_NR_PIO_DEVICES elements so the > should be
>=.

Fixes: 5f97f7f9400d ('[PATCH] avr32 architecture')
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/avr32/mach-at32ap/pio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/avr32/mach-at32ap/pio.c
+++ b/arch/avr32/mach-at32ap/pio.c
@@ -435,7 +435,7 @@ void __init at32_init_pio(struct platfor
struct resource *regs;
struct pio_device *pio;

- if (pdev->id > MAX_NR_PIO_DEVICES) {
+ if (pdev->id >= MAX_NR_PIO_DEVICES) {
dev_err(&pdev->dev, "only %d PIO devices supported\n",
MAX_NR_PIO_DEVICES);
return;
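Review bot: `pdev->id` is an int and only the upper bound is checked; a negative id (the conventional "no id" value) still indexes pio_dev[] out of bounds, so make this `if (pdev->id < 0 || pdev->id >= MAX_NR_PIO_DEVICES)`.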

2016-11-14 02:20:28

by Ben Hutchings

Subject: [PATCH 3.2 039/152] ARM: OMAP3: hwmod data: Add sysc information for DSI

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sebastian Reichel <[email protected]>

commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.

Add missing sysconfig/sysstatus information
to OMAP3 hwmod. The information has been
checked against OMAP34xx and OMAP36xx TRM.

Without this change DSI block is not reset
during boot, which is required for working
Nokia N950 display.

Signed-off-by: Sebastian Reichel <[email protected]>
Signed-off-by: Tony Lindgren <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -1470,8 +1470,20 @@ static struct omap_hwmod omap3xxx_dss_di
* display serial interface controller
*/

+static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
+ .rev_offs = 0x0000,
+ .sysc_offs = 0x0010,
+ .syss_offs = 0x0014,
+ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
+ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
+ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
+ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+ .sysc_fields = &omap_hwmod_sysc_type1,
+};
+
static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
.name = "dsi",
+ .sysc = &omap3xxx_dsi_sysc,
};

static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {

2016-11-14 02:20:34

by Ben Hutchings

Subject: [PATCH 3.2 040/152] net/irda: fix NULL pointer dereference on memory allocation failure

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d upstream.

I ran into this:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
RIP: 0010:[<ffffffff82bbf066>] [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
RSP: 0018:ffff880111747bb8 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
FS: 00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
Stack:
0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
Call Trace:
[<ffffffff82bca542>] irda_connect+0x562/0x1190
[<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
[<ffffffff825b4489>] SyS_connect+0x9/0x10
[<ffffffff8100334c>] do_syscall_64+0x19c/0x410
[<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
RIP [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
RSP <ffff880111747bb8>
---[ end trace 4cda2588bc055b30 ]---

The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
and then irttp_connect_request() almost immediately dereferences it.

Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/irda/af_irda.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1040,8 +1040,11 @@ static int irda_connect(struct socket *s
}

/* Check if we have opened a local TSAP */
- if (!self->tsap)
- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (!self->tsap) {
+ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (err)
+ goto out;
+ }

/* Move to connecting socket, start sending Connect Requests */
sock->state = SS_CONNECTING;
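Review bot: `goto out` on irda_open_tsap() failure relies on the `out:` label (not shown) undoing whatever irda_connect() set up before this point, and on `err` being the variable the function returns; please double-check both, and consider saying in the message what irda_open_tsap() returns on failure so the errno userland now gets from connect() is documented.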

2016-11-14 02:20:43

by Ben Hutchings

Subject: [PATCH 3.2 038/152] pps: do not crash when failed to register

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <[email protected]>

commit 368301f2fe4b07e5fb71dba3cc566bc59eb6705f upstream.

With this command sequence:

modprobe plip
modprobe pps_parport
rmmod pps_parport

the pps_parport module causes this crash:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: parport_detach+0x1d/0x60 [pps_parport]
Oops: 0000 [#1] SMP
...
Call Trace:
parport_unregister_driver+0x65/0xc0 [parport]
SyS_delete_module+0x187/0x210

The sequence that builds up to this is:

1) plip is loaded and takes the parport device for exclusive use:

plip0: Parallel port at 0x378, using IRQ 7.

2) pps_parport then fails to grab the device:

pps_parport: parallel port PPS client
parport0: cannot grant exclusive access for device pps_parport
pps_parport: couldn't register with parport0

3) rmmod of pps_parport is then killed because it tries to access
pardev->name, but pardev (taken from port->cad) is NULL.

So add a check for NULL in the test there too.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Jiri Slaby <[email protected]>
Acked-by: Rodolfo Giometti <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pps/clients/pps_parport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pps/clients/pps_parport.c
+++ b/drivers/pps/clients/pps_parport.c
@@ -194,7 +194,7 @@ static void parport_detach(struct parpor
struct pps_client_pp *device;

/* FIXME: oooh, this is ugly! */
- if (strcmp(pardev->name, KBUILD_MODNAME))
+ if (!pardev || strcmp(pardev->name, KBUILD_MODNAME))
/* not our port */
return;

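Review bot: the `!pardev ||` short-circuit fixes the NULL dereference, but the surviving `/* not our port */` comment no longer describes the NULL case; a one-line comment stating that `pardev` (port->cad) is NULL when the exclusive claim failed at registration would make the early return self-explanatory. The FIXME above it is untouched and still applies to the strcmp()-based identification.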

2016-11-14 02:20:38

by Ben Hutchings

Subject: [PATCH 3.2 034/152] hwmon: (adt7411) set bit 3 in CFG1 register

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Walle <[email protected]>

commit b53893aae441a034bf4dbbad42fe218561d7d81f upstream.

According to the datasheet you should only write 1 to this bit. If it is
not set, at least AIN3 will return bad values on newer silicon revisions.

Fixes: d84ca5b345c2 ("hwmon: Add driver for ADT7411 voltage and temperature sensor")
Signed-off-by: Michael Walle <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hwmon/adt7411.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/hwmon/adt7411.c
+++ b/drivers/hwmon/adt7411.c
@@ -31,6 +31,7 @@

#define ADT7411_REG_CFG1 0x18
#define ADT7411_CFG1_START_MONITOR (1 << 0)
+#define ADT7411_CFG1_RESERVED_BIT3 (1 << 3)

#define ADT7411_REG_CFG2 0x19
#define ADT7411_CFG2_DISABLE_AVG (1 << 5)
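Review bot: the name ADT7411_CFG1_RESERVED_BIT3 is accurate but hides the rule the commit message gives (the datasheet requires bit 3 to be written as 1); a short comment on the define would stop a later cleanup from dropping what looks like an unused "reserved" bit.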
@@ -291,8 +292,10 @@ static int __devinit adt7411_probe(struc
mutex_init(&data->device_lock);
mutex_init(&data->update_lock);

+ /* According to the datasheet, we must only write 1 to bit 3 */
ret = adt7411_modify_bit(client, ADT7411_REG_CFG1,
- ADT7411_CFG1_START_MONITOR, 1);
+ ADT7411_CFG1_RESERVED_BIT3
+ | ADT7411_CFG1_START_MONITOR, 1);
if (ret < 0)
goto exit_free;

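Review bot: adt7411_modify_bit() was previously only called with a single-bit mask and is now passed a two-bit mask with value 1, so confirm it ORs the whole mask in rather than operating on one bit. Separately, if the chip reads bit 3 back as 0, any later read-modify-write of ADT7411_REG_CFG1 elsewhere in the driver would clear it again; every write path to CFG1, not only probe, should keep ADT7411_CFG1_RESERVED_BIT3 set.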

2016-11-14 02:20:25

by Ben Hutchings

Subject: [PATCH 3.2 032/152] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <[email protected]>

commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.

wlc_phy_txpower_get_current() does a logical OR of power->flags, which
presumes that power.flags was initialized earlier by the caller,
unfortunately, this is not the case, so make sure we zero out the struct
tx_power before calling into wlc_phy_txpower_get_current().

Reported-by: coverity (CID 146011)
Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
Signed-off-by: Florian Fainelli <[email protected]>
Acked-by: Arend van Spriel <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/brcm80211/brcmsmac/stf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmsmac/stf.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/stf.c
@@ -86,7 +86,7 @@ void
brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel,
u16 chanspec)
{
- struct tx_power power;
+ struct tx_power power = { };
u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id;

/* Clear previous settings */
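Review bot: `= { }` is the right fix given that wlc_phy_txpower_get_current() ORs into power->flags rather than assigning it; note the empty initializer is a GNU extension the kernel already relies on throughout, and zero-initialising the whole struct tx_power on every call costs a stack memset proportional to the struct's size, which is acceptable here since correctness of the flags is the point.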

2016-11-14 02:20:19

by Ben Hutchings

Subject: [PATCH 3.2 083/152] ubifs: Fix assertion in layout_in_gaps()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vincent Stehlé <[email protected]>

commit c0082e985fdf77b02fc9e0dac3b58504dcf11b7a upstream.

An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
below the maximum bound. When computing this maximum bound the idx_lebs
count is multiplied by sizeof(int), while C pointer arithmetic does take
into account the size of the pointed elements implicitly already. Remove
the multiplication to fix the assertion.

Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Signed-off-by: Vincent Stehlé <[email protected]>
Cc: Artem Bityutskiy <[email protected]>
Signed-off-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ubifs/tnc_commit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ubifs/tnc_commit.c
+++ b/fs/ubifs/tnc_commit.c
@@ -373,7 +373,7 @@ static int layout_in_gaps(struct ubifs_i

p = c->gap_lebs;
do {
- ubifs_assert(p < c->gap_lebs + sizeof(int) * c->lst.idx_lebs);
+ ubifs_assert(p < c->gap_lebs + c->lst.idx_lebs);
written = layout_leb_in_gaps(c, p);
if (written < 0) {
err = written;
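Review bot: the old bound `c->gap_lebs + sizeof(int) * c->lst.idx_lebs` was sizeof(int) times too large, so the assertion could never catch an overrun of gap_lebs; the corrected bound makes it effective. Since ubifs_assert() is only active when UBIFS debugging is enabled, this changes no behaviour on production builds.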

2016-11-14 02:22:12

by Ben Hutchings

Subject: [PATCH 3.2 011/152] ext4: validate s_reserved_gdt_blocks on mount

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit 5b9554dc5bf008ae7f68a52e3d7e76c0920938a2 upstream.

If s_reserved_gdt_blocks is extremely large, it's possible for
ext4_init_block_bitmap(), which is called when ext4 sets up an
uninitialized block bitmap, to corrupt random kernel memory. Add the
same checks which e2fsck has --- it must never be larger than
blocksize / sizeof(__u32) --- and then add a backup check in
ext4_init_block_bitmap() in case the superblock gets modified after
the file system is mounted.

Reported-by: Vegard Nossum <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
[bwh: Backported to 3.2:
- Drop the second check in ext4_init_block_bitmap() since it can't return
an error code
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3429,6 +3429,13 @@ static int ext4_fill_super(struct super_
goto failed_mount;
}

+ if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
+ ext4_msg(sb, KERN_ERR,
+ "Number of reserved GDT blocks insanely large: %d",
+ le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks));
+ goto failed_mount;
+ }
+
if (sb->s_blocksize != blocksize) {
/* Validate the filesystem blocksize */
if (!sb_set_blocksize(sb, blocksize)) {
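Review bot: the check uses a literal `4` where the commit message states the limit as blocksize / sizeof(__u32); writing `blocksize / sizeof(__u32)` keeps the code self-explanatory and matches the e2fsck check it copies. Per the backport note the second check in ext4_init_block_bitmap() was dropped, so on 3.2 a superblock modified after mount is not covered by this patch; that is worth recording in the changelog.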

2016-11-14 02:22:31

by Ben Hutchings

Subject: [PATCH 3.2 001/152] netlabel: add address family checks to netlbl_{sock,req}_delattr()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Moore <[email protected]>

commit 0e0e36774081534783aa8eeb9f6fbddf98d3c061 upstream.

It seems risky to always rely on the caller to ensure the socket's
address family is correct before passing it to the NetLabel kAPI,
especially since we see at least one LSM which didn't. Add address
family checks to the *_delattr() functions to help prevent future
problems.

Reported-by: Maninder Singh <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/netlabel/netlabel_kapi.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -710,7 +710,11 @@ socket_setattr_return:
*/
void netlbl_sock_delattr(struct sock *sk)
{
- cipso_v4_sock_delattr(sk);
+ switch (sk->sk_family) {
+ case AF_INET:
+ cipso_v4_sock_delattr(sk);
+ break;
+ }
}

/**
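Review bot: the switch has no `default:` case, so for any family other than AF_INET netlbl_sock_delattr() silently becomes a no-op; that is the intended behaviour per the commit message, but a `default:` with a short comment would document that non-IPv4 sockets are deliberately ignored rather than forgotten.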
@@ -889,7 +893,11 @@ req_setattr_return:
*/
void netlbl_req_delattr(struct request_sock *req)
{
- cipso_v4_req_delattr(req);
+ switch (req->rsk_ops->family) {
+ case AF_INET:
+ cipso_v4_req_delattr(req);
+ break;
+ }
}

/**
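Review bot: same pattern as netlbl_sock_delattr() above; this one dereferences `req->rsk_ops->family`, so it relies on rsk_ops always being set for a request_sock that reaches this path, which holds for request socks allocated through the usual inet path but is worth keeping in mind if the function is ever called from a new site.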

2016-11-14 02:22:34

by Ben Hutchings

Subject: [PATCH 3.2 096/152] ALSA: timer: Code cleanup

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 upstream.

This is a minor code cleanup without any functional changes:
- Kill keep_flag argument from _snd_timer_stop(), as all callers only
pass false for it.
- Remove redundant NULL check in _snd_timer_stop().

Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.2: adjust to apply after previously backported
"ALSA: timer: Fix race between stop and interrupt"]
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/timer.c | 28 +++++++++++-----------------
1 file changed, 11 insertions(+), 17 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -310,8 +310,7 @@ int snd_timer_open(struct snd_timer_inst
return 0;
}

-static int _snd_timer_stop(struct snd_timer_instance *timeri,
- int keep_flag, int event);
+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);

/*
* close a timer instance
@@ -353,7 +352,7 @@ int snd_timer_close(struct snd_timer_ins
spin_unlock_irq(&timer->lock);
mutex_lock(&register_mutex);
list_del(&timeri->open_list);
- if (timer && list_empty(&timer->open_list_head) &&
+ if (list_empty(&timer->open_list_head) &&
timer->hw.close)
timer->hw.close(timer);
/* remove slave links */
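Review bot: the removed `timer &&` test was indeed dead: the visible context shows `spin_unlock_irq(&timer->lock)` dereferencing `timer` three lines earlier, so a NULL timer would already have crashed there. Removing it is correct and also stops static checkers from flagging a dereference-before-check.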
@@ -505,8 +504,7 @@ int snd_timer_start(struct snd_timer_ins
return result;
}

-static int _snd_timer_stop(struct snd_timer_instance * timeri,
- int keep_flag, int event)
+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
{
struct snd_timer *timer;
unsigned long flags;
@@ -515,21 +513,19 @@ static int _snd_timer_stop(struct snd_ti
return -ENXIO;

if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
- if (!keep_flag) {
- spin_lock_irqsave(&slave_active_lock, flags);
- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
- spin_unlock_irqrestore(&slave_active_lock, flags);
- return -EBUSY;
- }
- if (timeri->timer)
- spin_lock(&timeri->timer->lock);
- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
- list_del_init(&timeri->ack_list);
- list_del_init(&timeri->active_list);
- if (timeri->timer)
- spin_unlock(&timeri->timer->lock);
+ spin_lock_irqsave(&slave_active_lock, flags);
+ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
spin_unlock_irqrestore(&slave_active_lock, flags);
+ return -EBUSY;
}
+ if (timeri->timer)
+ spin_lock(&timeri->timer->lock);
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
+ if (timeri->timer)
+ spin_unlock(&timeri->timer->lock);
+ spin_unlock_irqrestore(&slave_active_lock, flags);
goto __end;
}
timer = timeri->timer;
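Review bot: this is a pure re-indentation after dropping the always-true `!keep_flag` test; the lock order (slave_active_lock outer, timeri->timer->lock inner) and the early `return -EBUSY` with slave_active_lock released are unchanged, which is what matters for the stop-vs-interrupt race the previously backported fix addressed. Diffing with whitespace ignored would confirm no statement moved.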
@@ -555,9 +551,7 @@ static int _snd_timer_stop(struct snd_ti
}
}
}
- if (!keep_flag)
- timeri->flags &=
- ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+ timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
spin_unlock_irqrestore(&timer->lock, flags);
__end:
if (event != SNDRV_TIMER_EVENT_RESOLUTION)
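Review bot: clearing SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START is now unconditional, consistent with the slave path above, which already cleared RUNNING unconditionally; no functional change as long as no out-of-tree caller passed keep_flag as non-zero.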
@@ -576,7 +570,7 @@ int snd_timer_stop(struct snd_timer_inst
unsigned long flags;
int err;

- err = _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_STOP);
+ err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP);
if (err < 0)
return err;
timer = timeri->timer;
@@ -625,7 +619,7 @@ int snd_timer_continue(struct snd_timer_
*/
int snd_timer_pause(struct snd_timer_instance * timeri)
{
- return _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_PAUSE);
+ return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE);
}

/*

2016-11-14 02:22:38

by Ben Hutchings

Subject: [PATCH 3.2 115/152] ppc32: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 224264657b8b228f949b42346e09ed8c90136a8e upstream.

should clear on access_ok() failures. Also remove the useless
range truncation logics.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: no calls to check_object_size()]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -332,30 +332,17 @@ extern unsigned long __copy_tofrom_user(
static inline unsigned long copy_from_user(void *to,
const void __user *from, unsigned long n)
{
- unsigned long over;
-
- if (access_ok(VERIFY_READ, from, n))
+ if (likely(access_ok(VERIFY_READ, from, n)))
return __copy_tofrom_user((__force void __user *)to, from, n);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + n - TASK_SIZE;
- return __copy_tofrom_user((__force void __user *)to, from,
- n - over) + over;
- }
+ memset(to, 0, n);
return n;
}

static inline unsigned long copy_to_user(void __user *to,
const void *from, unsigned long n)
{
- unsigned long over;
-
if (access_ok(VERIFY_WRITE, to, n))
return __copy_tofrom_user(to, (__force void __user *)from, n);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + n - TASK_SIZE;
- return __copy_tofrom_user(to, (__force void __user *)from,
- n - over) + over;
- }
return n;
}

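Review bot: the removed `over` logic copied the in-bounds prefix of a range straddling TASK_SIZE and reported only the remainder as uncopied, leaving the tail of `to` uninitialised for copy_from_user(); rejecting the whole range and memset()ing `to` closes that uninitialised-kernel-memory path, which is the security point of this series. copy_to_user() correctly gets no memset, since its destination is user memory. Check that this header has the declaration of memset() available (linux/string.h is not visible in the hunk).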
@@ -446,10 +433,6 @@ static inline unsigned long clear_user(v
might_sleep();
if (likely(access_ok(VERIFY_WRITE, addr, size)))
return __clear_user(addr, size);
- if ((unsigned long)addr < TASK_SIZE) {
- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
- return __clear_user(addr, size - over) + over;
- }
return size;
}

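Review bot: clear_user() now returns `size` without clearing the in-bounds prefix when access_ok() fails; callers treat any non-zero return as -EFAULT, so the partial clear was never useful, and dropping it keeps clear_user() consistent with copy_to_user() above.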

2016-11-14 02:22:29

by Ben Hutchings

Subject: [PATCH 3.2 005/152] serial: samsung: Fix possible out of bounds access on non-DT platform

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <[email protected]>

commit 926b7b5122c96e1f18cd20e85a286c7ec8d18c97 upstream.

On non-DeviceTree platforms, the index of serial device is a static
variable incremented on each probe. It is incremented even if deferred
probe happens when getting the clock in s3c24xx_serial_init_port().

This index is used for referencing elements of statically allocated
s3c24xx_serial_ports array. In case of re-probe, the index will point
outside of this array leading to memory corruption.

Increment the index only on successful probe.

Reported-by: Bartlomiej Zolnierkiewicz <[email protected]>
Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/serial/samsung.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1237,8 +1237,6 @@ int s3c24xx_serial_probe(struct platform
dbg("s3c24xx_serial_probe(%p, %p) %d\n", dev, info, probe_index);

ourport = &s3c24xx_serial_ports[probe_index];
- probe_index++;
-
dbg("%s: initialising port %p...\n", __func__, ourport);

ret = s3c24xx_serial_init_port(ourport, info, dev);
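Review bot: removing the early `probe_index++` is right, but `ourport = &s3c24xx_serial_ports[probe_index]` still has no bounds check against the size of the array, so a platform that registers more ports than the array holds would still overrun it; an explicit check here would make the fix robust instead of relying on probe counts matching the array size.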
@@ -1275,6 +1273,8 @@ int __devexit s3c24xx_serial_remove(stru
uart_remove_one_port(&s3c24xx_uart_drv, port);
}

+ probe_index++;
+
return 0;
}

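Review bot: the hunk header names s3c24xx_serial_remove() and the context lines (`uart_remove_one_port(&s3c24xx_uart_drv, port); }` followed by `return 0;`) look like the body of the remove function rather than the end of s3c24xx_serial_probe(), where the upstream commit places the increment. If that is where this landed, probe_index is never advanced on a successful probe, so every port would be assigned s3c24xx_serial_ports[0], and it is advanced on each remove instead. Please confirm against the full 3.2 file before this goes out.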

2016-11-14 02:22:26

by Ben Hutchings

Subject: [PATCH 3.2 004/152] crypto: gcm - Filter out async ghash if necessary

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <[email protected]>

commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3 upstream.

As it is, if you ask for a sync gcm you may actually end up with
an async one because it does not filter out async implementations
of ghash.

This patch fixes this by adding the necessary filter when looking
for ghash.

Signed-off-by: Herbert Xu <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
crypto/gcm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -711,7 +711,9 @@ static struct crypto_instance *crypto_gc

ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
CRYPTO_ALG_TYPE_HASH,
- CRYPTO_ALG_TYPE_AHASH_MASK);
+ CRYPTO_ALG_TYPE_AHASH_MASK |
+ crypto_requires_sync(algt->type,
+ algt->mask));
err = PTR_ERR(ghash_alg);
if (IS_ERR(ghash_alg))
return ERR_PTR(err);
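Review bot: adding crypto_requires_sync(algt->type, algt->mask) to the mask makes the ghash lookup honour the caller's sync requirement; check that the CTR cipher spawn created by the same template already carries the same requirement (not visible in this hunk), otherwise a sync gcm request could still end up with an async skcipher underneath.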

2016-11-14 02:24:09

by Ben Hutchings

Subject: [PATCH 3.2 119/152] sh64: failing __get_user() should zero

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream.

It could be done in exception-handling bits in __get_user_b() et al.,
but the surgery involved would take more knowledge of sh64 details
than I have or _want_ to have.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/sh/include/asm/uaccess_64.h | 1 +
1 file changed, 1 insertion(+)

--- a/arch/sh/include/asm/uaccess_64.h
+++ b/arch/sh/include/asm/uaccess_64.h
@@ -24,6 +24,7 @@
#define __get_user_size(x,ptr,size,retval) \
do { \
retval = 0; \
+ x = 0; \
switch (size) { \
case 1: \
retval = __get_user_asm_b((void *)&x, \
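Review bot: placing `x = 0;` before the switch means a size that falls through to the default case (no matching __get_user_asm_*) also leaves `x` zeroed, not only the fault path, which is the behaviour the other get_user() fixes in this series establish. Because `x` is a macro argument used as an lvalue, it is now evaluated once more than before; get_user() callers pass plain variables, so this is harmless.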

2016-11-14 02:24:26

by Ben Hutchings

Subject: [PATCH 3.2 025/152] ext4: fix reference counting bug on block allocation error

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit 554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e upstream.

If we hit this error when mounted with errors=continue or
errors=remount-ro:

EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:2940: comm ext4.exe: Allocating blocks 5090-6081 which overlap fs metadata

then ext4_mb_new_blocks() will call ext4_mb_release_context() and try to
continue. However, ext4_mb_release_context() is the wrong thing to call
here since we are still actually using the allocation context.

Instead, just error out. We could retry the allocation, but there is a
possibility of getting stuck in an infinite loop instead, so this seems
safer.

[ Fixed up so we don't return EAGAIN to userspace. --tytso ]

Fixes: 8556e8f3b6 ("ext4: Don't allow new groups to be added during block allocation")
Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Cc: Aneesh Kumar K.V <[email protected]>
[bwh: Backported to 3.2:
- Use EIO instead of EFSCORRUPTED
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/mballoc.c | 17 +++--------------
1 file changed, 3 insertions(+), 14 deletions(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2824,7 +2824,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
"fs metadata\n", block, block+len);
/* File system mounted not to panic on error
- * Fix the bitmap and repeat the block allocation
+ * Fix the bitmap and return EIO
* We leak some of the blocks here.
*/
ext4_lock_group(sb, ac->ac_b_ex.fe_group);
@@ -2833,7 +2833,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
if (!err)
- err = -EAGAIN;
+ err = -EIO;
goto out_err;
}

@@ -4401,18 +4401,7 @@ repeat:
}
if (likely(ac->ac_status == AC_STATUS_FOUND)) {
*errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
- if (*errp == -EAGAIN) {
- /*
- * drop the reference that we took
- * in ext4_mb_use_best_found
- */
- ext4_mb_release_context(ac);
- ac->ac_b_ex.fe_group = 0;
- ac->ac_b_ex.fe_start = 0;
- ac->ac_b_ex.fe_len = 0;
- ac->ac_status = AC_STATUS_CONTINUE;
- goto repeat;
- } else if (*errp)
+ if (*errp)
errout:
ext4_discard_allocated_blocks(ac);
else {
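Review bot: the surviving `errout:` label sits between `if (*errp)` and its statement, so the `if` body is a labelled statement and the `else` still binds to it; it compiles, but now that the `-EAGAIN` branch is gone it reads badly. Restructuring as `if (*errp) { errout: ext4_discard_allocated_blocks(ac); } else { ... }` would make the control flow explicit for the `goto errout` users elsewhere in the function. Also confirm nothing else in ext4_mb_new_blocks() still tests for -EAGAIN from ext4_mb_mark_diskspace_used().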

2016-11-14 02:25:00

by Ben Hutchings

Subject: [PATCH 3.2 063/152] USB: validate wMaxPacketValue entries in endpoint descriptors

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit aed9d65ac3278d4febd8665bd7db59ef53e825fe upstream.

Erroneous or malicious endpoint descriptors may have non-zero bits in
reserved positions, or out-of-bounds values. This patch helps prevent
these from causing problems by bounds-checking the wMaxPacketValue
entries in endpoint descriptors and capping the values at the maximum
allowed.

This issue was first discovered and tests were conducted by Jake Lamberson
<[email protected]>, an intern working for Rosie Hall.

Signed-off-by: Alan Stern <[email protected]>
Reported-by: roswest <[email protected]>
Tested-by: roswest <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: drop the USB_SPEED_SUPER_PLUS case]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -144,6 +144,31 @@ static void usb_parse_ss_endpoint_compan
}
}

+static const unsigned short low_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 8,
+ [USB_ENDPOINT_XFER_ISOC] = 0,
+ [USB_ENDPOINT_XFER_BULK] = 0,
+ [USB_ENDPOINT_XFER_INT] = 8,
+};
+static const unsigned short full_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1023,
+ [USB_ENDPOINT_XFER_BULK] = 64,
+ [USB_ENDPOINT_XFER_INT] = 64,
+};
+static const unsigned short high_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 512,
+ [USB_ENDPOINT_XFER_INT] = 1023,
+};
+static const unsigned short super_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 512,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 1024,
+ [USB_ENDPOINT_XFER_INT] = 1024,
+};
+
static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
int asnum, struct usb_host_interface *ifp, int num_ep,
unsigned char *buffer, int size)
@@ -152,6 +177,8 @@ static int usb_parse_endpoint(struct dev
struct usb_endpoint_descriptor *d;
struct usb_host_endpoint *endpoint;
int n, i, j, retval;
+ unsigned int maxp;
+ const unsigned short *maxpacket_maxes;

d = (struct usb_endpoint_descriptor *) buffer;
buffer += d->bLength;
@@ -258,6 +285,41 @@ static int usb_parse_endpoint(struct dev
endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
}

+ /* Validate the wMaxPacketSize field */
+ maxp = usb_endpoint_maxp(&endpoint->desc);
+
+ /* Find the highest legal maxpacket size for this endpoint */
+ i = 0; /* additional transactions per microframe */
+ switch (to_usb_device(ddev)->speed) {
+ case USB_SPEED_LOW:
+ maxpacket_maxes = low_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_FULL:
+ maxpacket_maxes = full_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_HIGH:
+ /* Bits 12..11 are allowed only for HS periodic endpoints */
+ if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
+ i = maxp & (BIT(12) | BIT(11));
+ maxp &= ~i;
+ }
+ /* fallthrough */
+ default:
+ maxpacket_maxes = high_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_SUPER:
+ maxpacket_maxes = super_speed_maxpacket_maxes;
+ break;
+ }
+ j = maxpacket_maxes[usb_endpoint_type(&endpoint->desc)];
+
+ if (maxp > j) {
+ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid maxpacket %d, setting to %d\n",
+ cfgno, inum, asnum, d->bEndpointAddress, maxp, j);
+ maxp = j;
+ endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp);
+ }
+
/*
* Some buggy high speed devices have bulk endpoints using
* maxpacket sizes other than 512. High speed HCDs may not
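Review bot: the case ordering (USB_SPEED_HIGH falls through into `default:`, with USB_SPEED_SUPER placed after it) is deliberate and commented, but a `default:` in the middle of a switch is easy to misread; a comment saying that unknown and wireless speeds are treated as high speed would help. `j` is an int compared against the unsigned `maxp`; the table values are small positive constants, so the promotion is harmless. For low speed the isoc and bulk limits are 0, so such an endpoint is warned about and its maxpacket forced to 0, which is consistent with the spec not allowing isoc or bulk endpoints on low-speed devices.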
@@ -265,9 +327,6 @@ static int usb_parse_endpoint(struct dev
*/
if (to_usb_device(ddev)->speed == USB_SPEED_HIGH
&& usb_endpoint_xfer_bulk(d)) {
- unsigned maxp;
-
- maxp = usb_endpoint_maxp(&endpoint->desc) & 0x07ff;
if (maxp != 512)
dev_warn(ddev, "config %d interface %d altsetting %d "
"bulk endpoint 0x%X has invalid maxpacket %d\n",
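Review bot: dropping the local `maxp` and its `& 0x07ff` mask is safe because `maxp` is now computed above: for a high-speed bulk endpoint the bits 11..12 path is not taken, but any value above 512 (including one with those bits set) has already been clamped to 512 with a warning, so the `maxp != 512` test here sees the sanitised value and does not warn a second time for the same descriptor.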

2016-11-14 02:25:36

by Ben Hutchings

Subject: [PATCH 3.2 100/152] alpha: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.

it should clear the destination even when access_ok() fails.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/alpha/include/asm/uaccess.h | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)

--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con
return __cu_len;
}

-extern inline long
-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
-{
- if (__access_ok((unsigned long)validate, len, get_fs()))
- len = __copy_tofrom_user_nocheck(to, from, len);
- return len;
-}
-
#define __copy_to_user(to,from,n) \
({ \
__chk_user_ptr(to); \
@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void
#define __copy_to_user_inatomic __copy_to_user
#define __copy_from_user_inatomic __copy_from_user

-
extern inline long
copy_to_user(void __user *to, const void *from, long n)
{
- return __copy_tofrom_user((__force void *)to, from, n, to);
+ if (likely(__access_ok((unsigned long)to, n, get_fs())))
+ n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
+ return n;
}

extern inline long
copy_from_user(void *to, const void __user *from, long n)
{
- return __copy_tofrom_user(to, (__force void *)from, n, from);
+ if (likely(__access_ok((unsigned long)from, n, get_fs())))
+ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
+ else
+ memset(to, 0, n);
+ return n;
}

extern void __do_clear_user(void);
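Review bot: `n` is `long` in these prototypes; a negative length fails __access_ok() and then reaches memset(to, 0, n) as a huge size_t, whereas the old code just returned it unchanged. Callers passing negative sizes are already broken, but since this series exists to stop leaking uninitialised memory it is worth noting that copy_from_user() on alpha still trusts `n` completely. Also check that memset() is declared in this header (linux/string.h is not visible).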

2016-11-14 02:26:29

by Ben Hutchings

Subject: [PATCH 3.2 062/152] netfilter: nfnetlink_queue: reject verdict request from different portid

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liping Zhang <[email protected]>

commit 00a3101f561816e58de054a470484996f78eb5eb upstream.

Like NFQNL_MSG_VERDICT_BATCH does, we should also reject the verdict
request when the portid is not the same as the initial portid (maybe
from another process).

Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support")
Signed-off-by: Liping Zhang <[email protected]>
Reviewed-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/netfilter/nfnetlink_queue.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -716,9 +716,6 @@ nfqnl_recv_verdict(struct sock *ctnl, st
unsigned int verdict;
struct nf_queue_entry *entry;

- queue = instance_lookup(queue_num);
- if (!queue)
-
queue = verdict_instance_lookup(queue_num, NETLINK_CB(skb).pid);
if (IS_ERR(queue))
return PTR_ERR(queue);
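Review bot: the removed lines were an odd construct: `if (!queue)` followed by an empty line made the verdict_instance_lookup() call conditional on the plain instance_lookup() failing, so whenever the queue existed the portid was never compared; after the change verdict_instance_lookup() always runs and its portid check applies, matching NFQNL_MSG_VERDICT_BATCH. Check that `queue` is not read on any other path that previously depended on the unconditional instance_lookup() assignment.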

2016-11-14 02:27:11

by Ben Hutchings

Subject: [PATCH 3.2 071/152] usb: xhci: Fix panic if disconnect

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jim Lin <[email protected]>

commit 88716a93766b8f095cdef37a8e8f2c93aa233b21 upstream.

After a device is disconnected, xhci_stop_device() will be invoked
in xhci_bus_suspend().
Also the "disconnect" IRQ will have ISR to invoke
xhci_free_virt_device() in this sequence.
xhci_irq -> xhci_handle_event -> handle_cmd_completion ->
xhci_handle_cmd_disable_slot -> xhci_free_virt_device

If xhci->devs[slot_id] has been assigned to NULL in
xhci_free_virt_device(), then virt_dev->eps[i].ring in
xhci_stop_device() may point to an invalid address to cause kernel
panic.

virt_dev = xhci->devs[slot_id];
:
if (virt_dev->eps[i].ring && virt_dev->eps[i].ring->dequeue)

[] Unable to handle kernel paging request at virtual address 00001a68
[] pgd=ffffffc001430000
[] [00001a68] *pgd=000000013c807003, *pud=000000013c807003,
*pmd=000000013c808003, *pte=0000000000000000
[] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[] CPU: 0 PID: 39 Comm: kworker/0:1 Tainted: G U
[] Workqueue: pm pm_runtime_work
[] task: ffffffc0bc0e0bc0 ti: ffffffc0bc0ec000 task.ti:
ffffffc0bc0ec000
[] PC is at xhci_stop_device.constprop.11+0xb4/0x1a4

This issue is found when running with realtek ethernet device
(0bda:8153).

Signed-off-by: Jim Lin <[email protected]>
Signed-off-by: Mathias Nyman <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/host/xhci-hub.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -278,6 +278,9 @@ static int xhci_stop_device(struct xhci_

ret = 0;
virt_dev = xhci->devs[slot_id];
+ if (!virt_dev)
+ return -ENODEV;
+
cmd = xhci_alloc_command(xhci, false, true, GFP_NOIO);
if (!cmd) {
xhci_dbg(xhci, "Couldn't allocate command structure.\n");
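Review bot: the NULL test on `virt_dev` closes the crash from the description, but it is a plain check, not synchronised against xhci_free_virt_device() clearing xhci->devs[slot_id] from the interrupt path; unless xhci->lock is held across this function (not visible here), the window is narrowed rather than closed. Also confirm that the caller in xhci_bus_suspend() tolerates -ENODEV for a slot that is already gone instead of treating it as a suspend failure.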

2016-11-14 02:28:33

by Ben Hutchings

Subject: [PATCH 3.2 140/152] mm,ksm: fix endless looping in allocating memory when ksm enable

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: zhong jiang <[email protected]>

commit 5b398e416e880159fe55eefd93c6588fa072cd66 upstream.

I hit the following hung task when running an OOM LTP test case with 4.1
kernel.

Call trace:
[<ffffffc000086a88>] __switch_to+0x74/0x8c
[<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
[<ffffffc000a1c09c>] schedule+0x3c/0x94
[<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
[<ffffffc000a1e32c>] down_write+0x64/0x80
[<ffffffc00021f794>] __ksm_exit+0x90/0x19c
[<ffffffc0000be650>] mmput+0x118/0x11c
[<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
[<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
[<ffffffc0000d0f34>] get_signal+0x444/0x5e0
[<ffffffc000089fcc>] do_signal+0x1d8/0x450
[<ffffffc00008a35c>] do_notify_resume+0x70/0x78

The oom victim cannot terminate because it needs to take mmap_sem for
write while the lock is held by ksmd for read which loops in the page
allocator:

ksm_do_scan
scan_get_next_rmap_item
down_read
get_next_rmap_item
alloc_rmap_item #ksmd will loop permanently.

There is no way forward because the oom victim cannot release any memory
in 4.1 based kernel. Since 4.6 we have the oom reaper which would solve
this problem because it would release the memory asynchronously.
Nevertheless we can relax alloc_rmap_item requirements and use
__GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
would just retry later after the lock got dropped.

Such a patch would be also easy to backport to older stable kernels which
do not have oom_reaper.

While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
by the allocation failure.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: zhong jiang <[email protected]>
Suggested-by: Hugh Dickins <[email protected]>
Suggested-by: Michal Hocko <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Acked-by: Hugh Dickins <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
mm/ksm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -238,7 +238,8 @@ static inline struct rmap_item *alloc_rm
{
struct rmap_item *rmap_item;

- rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL);
+ rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL |
+ __GFP_NORETRY | __GFP_NOWARN);
if (rmap_item)
ksm_rmap_items++;
return rmap_item;
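Review bot: with __GFP_NORETRY the allocation can now return NULL under memory pressure, so the `if (rmap_item)` here and the callers of alloc_rmap_item() must treat NULL as "retry later" rather than as a hard error, which is what the commit message relies on ksm_do_scan doing after it drops mmap_sem; __GFP_NOWARN suppresses the allocation-failure splat that would otherwise fire on every such retry.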

2016-11-14 02:30:25

by Ben Hutchings

Subject: [PATCH 3.2 110/152] ia64: copy_from_user() should zero the destination on access_ok() failure

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: no calls to check_object_size()]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -262,17 +262,15 @@ __copy_from_user (void *to, const void _
__cu_len; \
})

-#define copy_from_user(to, from, n) \
-({ \
- void *__cu_to = (to); \
- const void __user *__cu_from = (from); \
- long __cu_len = (n); \
- \
- __chk_user_ptr(__cu_from); \
- if (__access_ok(__cu_from, __cu_len, get_fs())) \
- __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
- __cu_len; \
-})
+static inline unsigned long
+copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+ if (likely(__access_ok(from, n, get_fs())))
+ n = __copy_user((__force void __user *) to, from, n);
+ else
+ memset(to, 0, n);
+ return n;
+}

#define __copy_in_user(to, from, size) __copy_user((to), (from), (size))
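Review bot: the else branch zeroes the whole buffer only when __access_ok() fails; a fault part-way through __copy_user() is not handled in this hunk, unlike the sh and parisc patches in this series which memset the uncopied tail explicitly, so confirm ia64's __copy_user already zeroes the tail on fault, otherwise the destination can still hold uninitialised kernel memory. The hunk also introduces a memset() call without adding an include for it (the parisc patch adds <linux/string.h> for the same reason); check that asm/uaccess.h on ia64 already pulls it in.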


2016-11-14 02:30:59

by Ben Hutchings

Subject: [PATCH 3.2 085/152] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Aleksandr Makarov <[email protected]>

commit 40d9c32525cba79130612650b1abc47c0c0f19a8 upstream.

These product IDs are listed in the Windows driver.
0x6803 corresponds to the WeTelecom WM-D300.
The name of 0x6802 is unknown.

Signed-off-by: Aleksandr Makarov <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/option.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -515,6 +515,8 @@ static void option_instat_callback(struc
/* WeTelecom products */
#define WETELECOM_VENDOR_ID 0x22de
#define WETELECOM_PRODUCT_WMD200 0x6801
+#define WETELECOM_PRODUCT_6802 0x6802
+#define WETELECOM_PRODUCT_WMD300 0x6803

/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
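Review bot: WETELECOM_PRODUCT_6802 is named after its PID because, per the commit message, the model name is unknown; a short comment on that define (e.g. `/* model unknown */`) would tell the next person editing the table why it breaks the WMDxxx naming pattern.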
@@ -1953,6 +1955,8 @@ static const struct usb_device_id option
{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);

2016-11-14 02:32:05

by Ben Hutchings

Subject: [PATCH 3.2 055/152] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 8a545f185145e3c09348cd74326268ecfc6715a3 upstream.

We can't pass error pointers to kfree() or it causes an oops.

Fixes: 52b209f7b848 ('get rid of hostfs_read_inode()')
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/hostfs/hostfs_kern.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -955,10 +955,11 @@ static int hostfs_fill_sb_common(struct

if (S_ISLNK(root_inode->i_mode)) {
char *name = follow_link(host_root_path);
- if (IS_ERR(name))
+ if (IS_ERR(name)) {
err = PTR_ERR(name);
- else
- err = read_name(root_inode, name);
+ goto out_put;
+ }
+ err = read_name(root_inode, name);
kfree(name);
if (err)
goto out_put;
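Review bot: the early `goto out_put` on IS_ERR(name) correctly skips kfree(name), since an ERR_PTR must never be freed, and err already carries PTR_ERR(name); the `if (err) goto out_put` below already used the same label, so the cleanup performed there (releasing root_inode) is unchanged. One small point: with the braces now on the IS_ERR branch, the unconditional `err = read_name(root_inode, name);` reads more clearly than the old if/else, so the diffstat of +4/-3 is the whole change.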

2016-11-14 02:32:15

by Ben Hutchings

Subject: [PATCH 3.2 059/152] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Sheng-Hui J. Chu" <[email protected]>

commit ae34d12cc1e212ffcd92e069030e54dae69c832f upstream.

BCM20706V2_EVAL is a WICED dev board designed with the FT2232H USB 2.0
UART/FIFO IC.

To support the BCM920706V2_EVAL dev board for WICED development on Linux,
add the VID (0a5c) and PID (6422) to the ftdi_sio driver to allow loading
ftdi_sio for this board.

Signed-off-by: Sheng-Hui J. Chu <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 7 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1032,6 +1032,7 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
{ }, /* Optional parameter entry */
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -673,6 +673,12 @@
#define INTREPID_NEOVI_PID 0x0701

/*
+ * WICED USB UART
+ */
+#define WICED_VID 0x0A5C
+#define WICED_USB20706V2_PID 0x6422
+
+/*
* Definitions for ID TECH (http://www.idt-net.com) devices
*/
#define IDTECH_VID 0x0ACD /* ID TECH Vendor ID */
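Review bot: the commit message refers to the board as both BCM20706V2_EVAL and BCM920706V2_EVAL, and the macro is WICED_USB20706V2_PID; pick one spelling and use it in the message and in the header comment so the ID can be grepped for later. The values 0x0A5C/0x6422 do match the VID/PID quoted in the message.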

2016-11-14 02:33:34

by Ben Hutchings

Subject: [PATCH 3.2 075/152] Input: i8042 - set up shared ps2_cmd_mutex for AUX ports

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <[email protected]>

commit 47af45d684b5f3ae000ad448db02ce4f13f73273 upstream.

The commit 4097461897df ("Input: i8042 - break load dependency ...")
correctly set up the ps2_cmd_mutex pointer for the KBD port but forgot to
do the same for the AUX port(s), which results in communication on the
KBD and AUX ports clashing with each other.

Fixes: 4097461897df ("Input: i8042 - break load dependency ...")
Reported-by: Bruno Wolff III <[email protected]>
Tested-by: Bruno Wolff III <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/input/serio/i8042.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1249,6 +1249,7 @@ static int __init i8042_create_aux_port(
serio->write = i8042_aux_write;
serio->start = i8042_start;
serio->stop = i8042_stop;
+ serio->ps2_cmd_mutex = &i8042_mutex;
serio->port_data = port;
serio->dev.parent = &i8042_platform_device->dev;
if (idx < 0) {
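Review bot: this is the counterpart of the KBD-port assignment referenced by the Fixes: tag; since the surrounding `if (idx < 0)` shows this function also creates the multiplexed AUX ports (idx >= 0), all of them now share &i8042_mutex with the keyboard, which is what serialises the command traffic. A one-line comment that the mutex is deliberately shared across KBD and all AUX ports would document the intent.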

2016-11-14 02:33:38

by Ben Hutchings

Subject: [PATCH 3.2 120/152] sh: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/sh/include/asm/uaccess.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -175,7 +175,10 @@ copy_from_user(void *to, const void __us
__kernel_size_t __copy_size = (__kernel_size_t) n;

if (__copy_size && __access_ok(__copy_from, __copy_size))
- return __copy_user(to, from, __copy_size);
+ __copy_size = __copy_user(to, from, __copy_size);
+
+ if (unlikely(__copy_size))
+ memset(to + (n - __copy_size), 0, __copy_size);

return __copy_size;
}
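Review bot: the offset `to + (n - __copy_size)` relies on __copy_user() returning the number of bytes not copied, which is what makes the memset zero exactly the uncopied tail (and the whole buffer when __access_ok() fails, since __copy_size is still n then); a comment stating that return-value contract next to the memset would make the arithmetic self-explanatory. Arithmetic on a void pointer is a GCC extension the kernel already relies on, so no cast is needed.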

2016-11-14 02:34:40

by Ben Hutchings

Subject: [PATCH 3.2 061/152] aacraid: Check size values after double-fetch from user

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dave Carroll <[email protected]>

commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.

In aacraid's ioctl_send_fib() we do two fetches from userspace, one to
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fetch, we may encounter an out-of-bounds access in aac_fib_send(). We
also check the sender size to ensure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <[email protected]>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Signed-off-by: Dave Carroll <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev
struct fib *fibptr;
struct hw_fib * hw_fib = (struct hw_fib *)0;
dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
- unsigned size;
+ unsigned int size, osize;
int retval;

if (dev->in_reset) {
@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev
* will not overrun the buffer when we copy the memory. Return
* an error if we would.
*/
- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+ osize = size = le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr);
if (size < le16_to_cpu(kfib->header.SenderSize))
size = le16_to_cpu(kfib->header.SenderSize);
if (size > dev->max_fib_size) {
@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev
goto cleanup;
}

+ /* Sanity check the second copy */
+ if ((osize != le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr))
+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
+ retval = -EINVAL;
+ goto cleanup;
+ }
+
if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
aac_adapter_interrupt(dev);
/*
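Review bot: the second-copy check is deliberately asymmetric: header.Size must match the first fetch exactly (via osize), whereas header.SenderSize is only required to stay <= size, which is safe because the buffer was sized from the larger of Size + header and SenderSize in the previous hunk; add a comment saying the looser SenderSize check is intentional so nobody later "tightens" it into an equality or loosens the Size comparison.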

2016-11-14 02:35:05

by Ben Hutchings

Subject: [PATCH 3.2 116/152] s390: get_user() should zero on failure

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/s390/include/asm/uaccess.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -147,28 +147,28 @@ extern int __put_user_bad(void) __attrib
__chk_user_ptr(ptr); \
switch (sizeof(*(ptr))) { \
case 1: { \
- unsigned char __x; \
+ unsigned char __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 2: { \
- unsigned short __x; \
+ unsigned short __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 4: { \
- unsigned int __x; \
+ unsigned int __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 8: { \
- unsigned long long __x; \
+ unsigned long long __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
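Review bot: initialising __x in each of the four width cases means a failing __get_user_fn() now hands (x) a zero instead of whatever was on the stack, and since (x) is assigned unconditionally right after the call this is the only place the fix is needed; the default: case lies outside the hunk, so confirm it either assigns (x) or expands to a compile-time error (the __put_user_bad() context line suggests the header uses that pattern) so no width is left uninitialised.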

2016-11-14 02:35:22

by Ben Hutchings

Subject: [PATCH 3.2 056/152] block: fix use-after-free in seq file

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream.

I got a KASAN report of use-after-free:

==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a

CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Signed-off-by: Vegard Nossum <[email protected]>
Acked-by: Tejun Heo <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
block/genhd.c | 1 +
1 file changed, 1 insertion(+)

--- a/block/genhd.c
+++ b/block/genhd.c
@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_fi
if (iter) {
class_dev_iter_exit(iter);
kfree(iter);
+ seqf->private = NULL;
}
}
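Review bot: clearing seqf->private inside the `if (iter)` block is enough for the sequence in the commit message: the second .seq_stop() after the failed kmalloc() now sees NULL and skips class_dev_iter_exit(). It does leave the fix dependent on disk_seqf_start() never storing anything but a valid iter; the alternative the message mentions (also clearing private in disk_seqf_start() on kmalloc failure) would make the two functions independently safe and costs one line.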


2016-11-14 02:35:34

by Ben Hutchings

Subject: [PATCH 3.2 123/152] m32r: fix __get_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/m32r/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_reg
#define __get_user_nocheck(x,ptr,size) \
({ \
long __gu_err = 0; \
- unsigned long __gu_val; \
+ unsigned long __gu_val = 0; \
might_sleep(); \
__get_user_size(__gu_val,(ptr),(size),__gu_err); \
(x) = (__typeof__(*(ptr)))__gu_val; \
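Review bot: only __get_user_nocheck is touched here; if the same header has a checked counterpart (the usual __get_user_check / get_user pair), confirm its __gu_val is initialised the same way, since a checked variant would have the identical stack leak on fault.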

2016-11-14 02:35:38

by Ben Hutchings

Subject: [PATCH 3.2 074/152] drm/radeon: fix radeon_move_blit on 32bit systems

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christian König <[email protected]>

commit 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 upstream.

This bug seems to have been present for a very long time.

Signed-off-by: Christian König <[email protected]>
Reviewed-by: Alex Deucher <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/radeon/radeon_ttm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -248,8 +248,8 @@ static int radeon_move_blit(struct ttm_b
if (unlikely(r)) {
return r;
}
- old_start = old_mem->start << PAGE_SHIFT;
- new_start = new_mem->start << PAGE_SHIFT;
+ old_start = (u64)old_mem->start << PAGE_SHIFT;
+ new_start = (u64)new_mem->start << PAGE_SHIFT;

switch (old_mem->mem_type) {
case TTM_PL_VRAM:
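Review bot: the (u64) cast sits on the operand, not on the result, which is exactly what matters: on 32-bit `old_mem->start << PAGE_SHIFT` was evaluated in unsigned long and truncated before being widened into old_start; a brief comment such as `/* cast before shifting: start << PAGE_SHIFT overflows 32 bits */` would keep a later cleanup from moving the cast outside the shift.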

2016-11-14 02:35:59

by Ben Hutchings

Subject: [PATCH 3.2 060/152] drm/edid: Add 6 bpc quirk for display AEO model 0.

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mario Kleiner <[email protected]>

commit e10aec652f31ec61d6a0b4d00d8ef8d2b66fa0fd upstream.

Bugzilla https://bugzilla.kernel.org/show_bug.cgi?id=105331
reports that the "AEO model 0" display is driven with 8 bpc
without dithering by default, which looks bad because that
panel is apparently a 6 bpc DP panel with faulty EDID.

A fix for this was made by commit 013dd9e03872
("drm/i915/dp: fall back to 18 bpp when sink capability is unknown").

That commit triggers new regressions in precision for DP->DVI and
DP->VGA displays. A patch is out to revert that commit, but it will
revert video output for the AEO model 0 panel to 8 bpc without
dithering.

The EDID 1.3 of that panel, as decoded from the xrandr output
attached to that bugzilla bug report, is somewhat faulty, and beyond
other problems also sets the "DFP 1.x compliant TMDS" bit, which
according to DFP spec means to drive the panel with 8 bpc and
no dithering in absence of other colorimetry information.

Try to make the original bug reporter happy despite the
faulty EDID by adding a quirk to mark that panel as 6 bpc,
so 6 bpc output with dithering creates a nice picture.

Tested by injecting the edid from the fdo bug into a DP connector
via drm_kms_helper.edid_firmware and verifying the 6 bpc + dithering
is selected.

This patch should be backported to stable.

Signed-off-by: Mario Kleiner <[email protected]>
Cc: Jani Nikula <[email protected]>
Cc: Ville Syrjälä <[email protected]>
Cc: Daniel Vetter <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/drm_edid.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -68,6 +68,8 @@
#define EDID_QUIRK_DETAILED_SYNC_PP (1 << 6)
/* Force reduced-blanking timings for detailed modes */
#define EDID_QUIRK_FORCE_REDUCED_BLANKING (1 << 7)
+/* Force 6bpc */
+#define EDID_QUIRK_FORCE_6BPC (1 << 10)

struct detailed_mode_closure {
struct drm_connector *connector;
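Review bot: EDID_QUIRK_FORCE_6BPC is defined as (1 << 10) directly after (1 << 7), leaving bits 8 and 9 unaccounted for in this excerpt; if those bits are unused in 3.2 and the value was kept only to match upstream, say so in a comment, otherwise use the next free bit so the quirk mask stays dense.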
@@ -94,6 +96,9 @@ static struct edid_quirk {
/* Unknown Acer */
{ "ACR", 2423, EDID_QUIRK_FIRST_DETAILED_PREFERRED },

+ /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
+ { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+
/* Belinea 10 15 55 */
{ "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
{ "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
@@ -1752,6 +1757,9 @@ int drm_add_edid_modes(struct drm_connec

drm_add_display_info(edid, &connector->display_info);

+ if (quirks & EDID_QUIRK_FORCE_6BPC)
+ connector->display_info.bpc = 6;
+
return num_modes;
}
EXPORT_SYMBOL(drm_add_edid_modes);
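Review bot: the override runs after drm_add_display_info(), so it wins over whatever bpc the faulty EDID advertised, which is the intent; the `quirks` variable is not declared in the hunk, so confirm it is already in scope in the 3.2 version of drm_add_edid_modes() (the backport note says only context was adjusted).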

2016-11-14 02:36:23

by Ben Hutchings

Subject: [PATCH 3.2 023/152] KVM: nVMX: fix lifetime issues for vmcs02

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <[email protected]>

commit 4fa7734c62cdd8c07edd54fa5a5e91482273071a upstream.

free_nested needs the loaded_vmcs to be valid if it is a vmcs02, in
order to detach it from the shadow vmcs. However, this is not
available anymore after commit 26a865f4aa8e (KVM: VMX: fix use after
free of vmx->loaded_vmcs, 2014-01-03).

Revert that patch, and fix its problem by forcing a vmcs01 as the
active VMCS before freeing all the nested VMX state.

Reported-by: Wanpeng Li <[email protected]>
Tested-by: Wanpeng Li <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kvm/vmx.c | 49 +++++++++++++++++++++++++++++++++----------------
1 file changed, 33 insertions(+), 16 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4999,22 +4999,27 @@ static void nested_free_vmcs02(struct vc

/*
* Free all VMCSs saved for this vcpu, except the one pointed by
- * vmx->loaded_vmcs. These include the VMCSs in vmcs02_pool (except the one
- * currently used, if running L2), and vmcs01 when running L2.
+ * vmx->loaded_vmcs. We must be running L1, so vmx->loaded_vmcs
+ * must be &vmx->vmcs01.
*/
static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
{
struct vmcs02_list *item, *n;
+
+ WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01);
list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
- if (vmx->loaded_vmcs != &item->vmcs02)
- free_loaded_vmcs(&item->vmcs02);
+ /*
+ * Something will leak if the above WARN triggers. Better than
+ * a use-after-free.
+ */
+ if (vmx->loaded_vmcs == &item->vmcs02)
+ continue;
+
+ free_loaded_vmcs(&item->vmcs02);
list_del(&item->list);
kfree(item);
+ vmx->nested.vmcs02_num--;
}
- vmx->nested.vmcs02_num = 0;
-
- if (vmx->loaded_vmcs != &vmx->vmcs01)
- free_loaded_vmcs(&vmx->vmcs01);
}
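Review bot: after the WARN_ON the loop skips the currently loaded vmcs02 with `continue`, which, as the new comment says, trades a leak for avoiding a use-after-free; since vmx->nested.vmcs02_num is now decremented per freed item rather than reset to 0, the count stays accurate even in that case. The commit message should state that callers must now guarantee vmcs01 is loaded before calling this (the WARN_ON is the contract, not a fallback).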

/*
@@ -6307,13 +6312,31 @@ static void __noclone vmx_vcpu_run(struc
#undef R
#undef Q

+static void vmx_load_vmcs01(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ int cpu;
+
+ if (vmx->loaded_vmcs == &vmx->vmcs01)
+ return;
+
+ cpu = get_cpu();
+ vmx->loaded_vmcs = &vmx->vmcs01;
+ vmx_vcpu_put(vcpu);
+ vmx_vcpu_load(vcpu, cpu);
+ vcpu->cpu = cpu;
+ put_cpu();
+}
+
static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);

free_vpid(vmx);
- free_loaded_vmcs(vmx->loaded_vmcs);
+ leave_guest_mode(vcpu);
+ vmx_load_vmcs01(vcpu);
free_nested(vmx);
+ free_loaded_vmcs(vmx->loaded_vmcs);
kfree(vmx->guest_msrs);
kvm_vcpu_uninit(vcpu);
kmem_cache_free(kvm_vcpu_cache, vmx);
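Review bot: the ordering in vmx_free_vcpu() is now load-bearing: leave_guest_mode() and vmx_load_vmcs01() must precede free_nested() so that it runs with vmcs01 loaded, and free_loaded_vmcs(vmx->loaded_vmcs) must come after free_nested() so the pointer refers to vmcs01 rather than a vmcs02 that free_nested() has just released; a comment on these three lines would prevent a future reordering from reintroducing the use-after-free this patch fixes.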
@@ -7059,18 +7082,12 @@ void load_vmcs12_host_state(struct kvm_v
static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
- int cpu;
struct vmcs12 *vmcs12 = get_vmcs12(vcpu);

leave_guest_mode(vcpu);
prepare_vmcs12(vcpu, vmcs12);

- cpu = get_cpu();
- vmx->loaded_vmcs = &vmx->vmcs01;
- vmx_vcpu_put(vcpu);
- vmx_vcpu_load(vcpu, cpu);
- vcpu->cpu = cpu;
- put_cpu();
+ vmx_load_vmcs01(vcpu);

/* if no vmcs02 cache requested, remove the one we used */
if (VMCS02_POOL_SIZE == 0)

2016-11-14 02:35:31

by Ben Hutchings

Subject: [PATCH 3.2 114/152] parisc: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit aace880feea38875fbc919761b77e5732a3659ef upstream.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -10,6 +10,8 @@
#include <asm/errno.h>
#include <asm-generic/uaccess-unaligned.h>

+#include <linux/string.h>
+
#define VERIFY_READ 0
#define VERIFY_WRITE 1

@@ -255,13 +257,14 @@ static inline unsigned long __must_check
unsigned long n)
{
int sz = __compiletime_object_size(to);
- int ret = -EFAULT;
+ unsigned long ret = n;

if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
ret = __copy_from_user(to, from, n);
else
copy_from_user_overflow();
-
+ if (unlikely(ret))
+ memset(to + (n - ret), 0, ret);
return ret;
}
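Review bot: on the compile-time overflow path the function used to return -EFAULT from an int; it now returns n from an unsigned long, which is the documented copy_from_user() contract (bytes not copied) and additionally zeroes the whole destination. That is a visible behaviour change for any caller that compared against -EFAULT, and the commit message is empty apart from the sign-offs, so a sentence describing it would help anyone bisecting.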


2016-11-14 02:37:25

by Ben Hutchings

Subject: [PATCH 3.2 151/152] xenbus: don't look up transaction IDs for ordinary writes

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Beulich <[email protected]>

commit 9a035a40f7f3f6708b79224b86c5777a3334f7ea upstream.

This should really only be done for XS_TRANSACTION_END messages, or
else at least some of the xenstore-* tools don't work anymore.

Fixes: 0beef634b8 ("xenbus: don't BUG() on user mode induced condition")
Reported-by: Richard Schütz <[email protected]>
Signed-off-by: Jan Beulich <[email protected]>
Tested-by: Richard Schütz <[email protected]>
Signed-off-by: David Vrabel <[email protected]>
Cc: Ed Swierk <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/xen/xenfs/xenbus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/xen/xenfs/xenbus.c
+++ b/drivers/xen/xenfs/xenbus.c
@@ -310,7 +310,7 @@ static int xenbus_write_transaction(unsi
rc = -ENOMEM;
goto out;
}
- } else {
+ } else if (msg_type == XS_TRANSACTION_END) {
list_for_each_entry(trans, &u->transactions, list)
if (trans->handle.id == u->u.msg.tx_id)
break;
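Review bot: with the lookup limited to XS_TRANSACTION_END, `trans` is left unassigned for ordinary writes; that is fine as long as every later use of trans is still guarded by msg_type (the companion patch 150 guards the kfree with `msg_type == XS_TRANSACTION_START`), so confirm no unconditional use of trans remains after this block.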

2016-11-14 02:40:52

by Ben Hutchings

Subject: [PATCH 3.2 150/152] xenbus: don't BUG() on user mode induced condition

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Beulich <[email protected]>

commit 0beef634b86a1350c31da5fcc2992f0d7c8a622b upstream.

Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <[email protected]>
Signed-off-by: David Vrabel <[email protected]>
Cc: Ed Swierk <[email protected]>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/xen/xenfs/xenbus.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/xen/xenfs/xenbus.c
+++ b/drivers/xen/xenfs/xenbus.c
@@ -310,11 +310,18 @@ static int xenbus_write_transaction(unsi
rc = -ENOMEM;
goto out;
}
+ } else {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
+ if (&trans->list == &u->transactions)
+ return -ESRCH;
}

reply = xenbus_dev_request_and_reply(&u->u.msg);
if (IS_ERR(reply)) {
- kfree(trans);
+ if (msg_type == XS_TRANSACTION_START)
+ kfree(trans);
rc = PTR_ERR(reply);
goto out;
}
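Review bot: the new `return -ESRCH` bypasses the `out:` label that the -ENOMEM path just above reaches via `rc = -ENOMEM; goto out;`; unless out does nothing but return rc, this skips whatever cleanup out performs. Use `rc = -ESRCH; goto out;` for consistency with the surrounding error handling.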
@@ -324,12 +331,7 @@ static int xenbus_write_transaction(unsi

list_add(&trans->list, &u->transactions);
} else if (msg_type == XS_TRANSACTION_END) {
- list_for_each_entry(trans, &u->transactions, list)
- if (trans->handle.id == u->u.msg.tx_id)
- break;
- BUG_ON(&trans->list == &u->transactions);
list_del(&trans->list);
-
kfree(trans);
}


2016-11-14 02:41:09

by Ben Hutchings

Subject: [PATCH 3.2 133/152] ocfs2/dlm: fix race between convert and migration

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Joseph Qi <[email protected]>

commit e6f0c6e6170fec175fe676495f29029aecdf486c upstream.

Commit ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
checks whether the lockres master has changed to identify whether the new
master has finished recovery or not. This introduces a race: right after
the old master does umount (meaning the master will change), a new
convert request comes in.

In this case, it will reset lockres state to DLM_RECOVERING and then
retry convert, and then fail with lockres->l_action being set to
OCFS2_AST_INVALID, which will cause inconsistent lock level between
ocfs2 and dlm, and then finally BUG.

Since dlm recovery will clear lock->convert_pending in
dlm_move_lockres_to_recovery_list, we can use it to correctly identify
the race case between convert and recovery. So fix it.

Fixes: ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Joseph Qi <[email protected]>
Signed-off-by: Jun Piao <[email protected]>
Cc: Mark Fasheh <[email protected]>
Cc: Joel Becker <[email protected]>
Cc: Junxiao Bi <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ocfs2/dlm/dlmconvert.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -265,7 +265,6 @@ enum dlm_status dlmconvert_remote(struct
struct dlm_lock *lock, int flags, int type)
{
enum dlm_status status;
- u8 old_owner = res->owner;

mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
@@ -332,7 +331,6 @@ enum dlm_status dlmconvert_remote(struct

spin_lock(&res->spinlock);
res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
- lock->convert_pending = 0;
/* if it failed, move it back to granted queue.
* if master returns DLM_NORMAL and then down before sending ast,
* it may have already been moved to granted queue, reset to
@@ -341,12 +339,14 @@ enum dlm_status dlmconvert_remote(struct
if (status != DLM_NOTQUEUED)
dlm_error(status);
dlm_revert_pending_convert(res, lock);
- } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
- (old_owner != res->owner)) {
- mlog(0, "res %.*s is in recovering or has been recovered.\n",
- res->lockname.len, res->lockname.name);
+ } else if (!lock->convert_pending) {
+ mlog(0, "%s: res %.*s, owner died and lock has been moved back "
+ "to granted list, retry convert.\n",
+ dlm->name, res->lockname.len, res->lockname.name);
status = DLM_RECOVERING;
}
+
+ lock->convert_pending = 0;
bail:
spin_unlock(&res->spinlock);
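Review bot: lock->convert_pending is now cleared only on the fall-through just before bail:, whereas before it was cleared unconditionally right after DLM_LOCK_RES_IN_PROGRESS was dropped; any `goto bail` between the spin_lock() and this point would leave convert_pending set. None is visible in the hunk, but the elided middle of the if/else chain should be checked for one.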


2016-11-14 02:33:30

by Ben Hutchings

Subject: [PATCH 3.2 058/152] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Robert Deliën <[email protected]>

commit 6977495c06f7f47636a076ee5a0ca571279d9697 upstream.

Ivium Technologies uses the FTDI VID with custom PIDs for their line of
electrochemical interfaces and the PalmSens they developed for PalmSens
BV.

Signed-off-by: Robert Delien <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -672,6 +672,8 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(FTDI_VID, FTDI_ELV_TFD128_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_ELV_FM3RX_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_ELV_WS777_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_PALMSENS_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_IVIUM_XSTAT_PID) },
{ USB_DEVICE(FTDI_VID, LINX_SDMUSBQSS_PID) },
{ USB_DEVICE(FTDI_VID, LINX_MASTERDEVEL2_PID) },
{ USB_DEVICE(FTDI_VID, LINX_FUTURE_0_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -406,6 +406,12 @@
#define FTDI_4N_GALAXY_DE_3_PID 0xF3C2

/*
+ * Ivium Technologies product IDs
+ */
+#define FTDI_PALMSENS_PID 0xf440
+#define FTDI_IVIUM_XSTAT_PID 0xf441
+
+/*
* Linx Technologies product ids
*/
#define LINX_SDMUSBQSS_PID 0xF448 /* Linx SDM-USB-QS-S */
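Review bot: the new PIDs are written as 0xf440/0xf441 while the neighbouring definitions use upper-case hex (0xF3C2, 0xF448); match the existing style. A trailing comment naming the product model, as the LINX entry does (`/* Linx SDM-USB-QS-S */`), would also help future lookups.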

2016-11-14 02:33:26

by Ben Hutchings

Subject: [PATCH 3.2 079/152] drm: Reject page_flip for !DRIVER_MODESET

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Vetter <[email protected]>

commit 6f00975c619064a18c23fd3aced325ae165a73b9 upstream.

Somehow this one slipped through, which means drivers without modeset
support can be oopsed (since those also don't call
drm_mode_config_init, which means the crtc lookup will chase an
uninitialized idr).

Reported-by: Alexander Potapenko <[email protected]>
Cc: Alexander Potapenko <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Reviewed-by: Chris Wilson <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/drm_crtc.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -2675,6 +2675,9 @@ int drm_mode_page_flip_ioctl(struct drm_
unsigned long flags;
int ret = -EINVAL;

+ if (!drm_core_check_feature(dev, DRIVER_MODESET))
+ return -EINVAL;
+
if (page_flip->flags & ~DRM_MODE_PAGE_FLIP_FLAGS ||
page_flip->reserved != 0)
return -EINVAL;
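Review bot: the new DRIVER_MODESET test sits before the flags/reserved validation and before anything is locked or looked up, so the bare `return -EINVAL` needs no cleanup, but the reason for it is not visible from the ioctl itself; a one-line comment above the check (drivers without modeset never call drm_mode_config_init, so the crtc idr is unusable, as the changelog says) would save the next reader a trip to the git log. Minor: `ret` is already initialised to `-EINVAL` two lines up, so `return ret;` would avoid a second literal.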

2016-11-14 02:43:02

by Ben Hutchings

Subject: [PATCH 3.2 080/152] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit f4693b08cc901912a87369c46537b94ed4084ea0 upstream.

We can't assign -EINVAL to a u16.

Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver')
Acked-by: Peter Chen <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/gadget/fsl_qe_udc.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

--- a/drivers/usb/gadget/fsl_qe_udc.c
+++ b/drivers/usb/gadget/fsl_qe_udc.c
@@ -1883,11 +1883,8 @@ static int qe_get_frame(struct usb_gadge

tmp = in_be16(&udc_controller->usb_param->frame_n);
if (tmp & 0x8000)
- tmp = tmp & 0x07ff;
- else
- tmp = -EINVAL;
-
- return (int)tmp;
+ return tmp & 0x07ff;
+ return -EINVAL;
}

/* Tries to wake up the host connected to this gadget

2016-11-14 02:44:02

by Ben Hutchings

Subject: [PATCH 3.2 069/152] USB: serial: mos7840: fix non-atomic allocation in write path

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <[email protected]>

commit 3b7c7e52efda0d4640060de747768360ba70a7c0 upstream.

There is an allocation with GFP_KERNEL flag in mos7840_write(),
while it may be called from interrupt context.

Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
allocation in write path")

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/mos7840.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1524,8 +1524,8 @@ static int mos7840_write(struct tty_stru
}

if (urb->transfer_buffer == NULL) {
- urb->transfer_buffer =
- kmalloc(URB_TRANSFER_BUFFER_SIZE, GFP_KERNEL);
+ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+ GFP_ATOMIC);

if (urb->transfer_buffer == NULL) {
dev_err(&port->dev, "%s no more kernel memory...\n",
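Review bot: with GFP_ATOMIC the allocation can fail under memory pressure far more readily than with GFP_KERNEL, so the failure branch immediately below (`if (urb->transfer_buffer == NULL)`) becomes an expected runtime path rather than a corner case; make sure its return value lets the tty layer retry the write, and consider whether the `dev_err("... no more kernel memory...")` should be rate-limited so a burst of writes does not flood the log. Pre-allocating the URB_TRANSFER_BUFFER_SIZE buffer when the port is opened would avoid allocating in the write path altogether.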

2016-11-14 02:44:49

by Ben Hutchings

Subject: [PATCH 3.2 072/152] xhci: don't dereference a xhci member after removing xhci

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <[email protected]>

commit f1f6d9a8b540df22b87a5bf6bc104edaade81f47 upstream.

Remove the hcd after checking for the xhci last quirks, not before.

This caused a hang on an Alpine Ridge xhci based machine which removes
the whole xhci controller when unplugging the last usb device.

Signed-off-by: Mathias Nyman <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/host/xhci-pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -252,12 +252,13 @@ static void xhci_pci_remove(struct pci_d
usb_remove_hcd(xhci->shared_hcd);
usb_put_hcd(xhci->shared_hcd);
}
- usb_hcd_pci_remove(dev);

/* Workaround for spurious wakeups at shutdown with HSW */
if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
pci_set_power_state(dev, PCI_D3hot);

+ usb_hcd_pci_remove(dev);
+
kfree(xhci);
}
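Review bot: the reordering removes the use-after-free, but `pci_set_power_state(dev, PCI_D3hot)` now runs before `usb_hcd_pci_remove(dev)`, i.e. the device is put into D3hot while the primary HCD is still registered and is about to be stopped and unmapped by the removal; if the spurious-wakeup workaround is meant to apply to a quiesced controller, read `xhci->quirks & XHCI_SPURIOUS_WAKEUP` into a local `bool` before the removal and call `pci_set_power_state()` afterwards, which keeps the original order without touching `xhci` after it is gone.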


2016-11-14 02:31:26

by Ben Hutchings

Subject: [PATCH 3.2 052/152] balloon: check the number of available pages in leak balloon

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Konstantin Neumoin <[email protected]>

commit 37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711 upstream.

The balloon has a special mechanism that is subscribed to the oom
notification which leads to deflation for a fixed number of pages.
The number is always fixed even when the balloon is fully deflated.
But leak_balloon did not expect that the pages to deflate could be more
than those taken, and raised a "BUG" in balloon_page_dequeue when the page
list became empty.

So, the simplest solution would be to check that the number of released
pages is less than or equal to the number of taken pages.

Signed-off-by: Konstantin Neumoin <[email protected]>
Signed-off-by: Denis V. Lunev <[email protected]>
CC: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/virtio/virtio_balloon.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -142,6 +142,8 @@ static void leak_balloon(struct virtio_b
/* We can only do one array worth at a time. */
num = min(num, ARRAY_SIZE(vb->pfns));

+ /* We can't release more pages than taken */
+ num = min(num, (size_t)vb->num_pages);
for (vb->num_pfns = 0; vb->num_pfns < num; vb->num_pfns++) {
page = list_first_entry(&vb->pages, struct page, lru);
list_del(&page->lru);
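Review bot: after the new clamp a fully deflated balloon yields `num == 0`, so the `for` loop is skipped and nothing is dequeued; the rest of leak_balloon (outside this hunk) should then avoid telling the host about an empty pfn array. The `(size_t)` cast also hints that `num` and `vb->num_pages` have different types; a short comment on why the cast is safe would be clearer than leaving it implicit, and a blank line after the new `num = min(...)` would match the spacing of the clamp above it.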

2016-11-14 02:46:40

by Ben Hutchings

Subject: [PATCH 3.2 027/152] mtd: pmcmsp-flash: Allocating too much in init_msp_flash()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 79ad07d45743721010e766e65dc004ad249bd429 upstream.

There is a cut and paste issue here. The bug is that we are allocating
more memory than necessary for msp_maps. We should be allocating enough
space for a map_info struct (144 bytes) but we instead allocate enough
for an mtd_info struct (1840 bytes). It's a small waste.

The other part of this is not harmful but when we allocated msp_flash
then we allocated enough space for a map_info pointer instead of an
mtd_info pointer. But since pointers are the same size it works out
fine.

Anyway, I decided to clean up all three allocations a bit to make them
a bit more consistent and clear.

Fixes: 68aa0fa87f6d ('[MTD] PMC MSP71xx flash/rootfs mappings')
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Brian Norris <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/mtd/maps/pmcmsp-flash.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mtd/maps/pmcmsp-flash.c
+++ b/drivers/mtd/maps/pmcmsp-flash.c
@@ -75,15 +75,15 @@ static int __init init_msp_flash(void)

printk(KERN_NOTICE "Found %d PMC flash devices\n", fcnt);

- msp_flash = kmalloc(fcnt * sizeof(struct map_info *), GFP_KERNEL);
+ msp_flash = kcalloc(fcnt, sizeof(*msp_flash), GFP_KERNEL);
if (!msp_flash)
return -ENOMEM;

- msp_parts = kmalloc(fcnt * sizeof(struct mtd_partition *), GFP_KERNEL);
+ msp_parts = kcalloc(fcnt, sizeof(*msp_parts), GFP_KERNEL);
if (!msp_parts)
goto free_msp_flash;

- msp_maps = kcalloc(fcnt, sizeof(struct mtd_info), GFP_KERNEL);
+ msp_maps = kcalloc(fcnt, sizeof(*msp_maps), GFP_KERNEL);
if (!msp_maps)
goto free_msp_parts;


2016-11-14 02:25:26

by Ben Hutchings

Subject: [PATCH 3.2 134/152] ocfs2: fix start offset to ocfs2_zero_range_for_truncate()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ashish Samant <[email protected]>

commit d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960 upstream.

If we punch a hole on a reflink such that the following conditions are met:

1. start offset is on a cluster boundary
2. end offset is not on a cluster boundary
3. (end offset is somewhere in another extent) or
(hole range > MAX_CONTIG_BYTES(1MB)),

we don't COW the first cluster starting at the start offset. But in this
case, we were wrongly passing this cluster to
ocfs2_zero_range_for_truncate() to zero out. This will modify the
cluster in place and zero it in the source too.

Fix this by skipping this cluster in such a scenario.

To reproduce:

1. Create a random file of say 10 MB
xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile
2. Reflink it
reflink -f 10MBfile reflnktest
3. Punch a hole starting at a cluster boundary with a range greater than
1MB. You can also use a range that will put the end offset in another
extent.
fallocate -p -o 0 -l 1048615 reflnktest
4. sync
5. Check the first cluster in the source file. (It will be zeroed out).
dd if=10MBfile iflag=direct bs=<cluster size> count=1 | hexdump -C

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ashish Samant <[email protected]>
Reported-by: Saar Maoz <[email protected]>
Reviewed-by: Srinivas Eeda <[email protected]>
Cc: Mark Fasheh <[email protected]>
Cc: Joel Becker <[email protected]>
Cc: Junxiao Bi <[email protected]>
Cc: Joseph Qi <[email protected]>
Cc: Eric Ren <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ocfs2/file.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)

--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1518,7 +1518,8 @@ static int ocfs2_zero_partial_clusters(s
u64 start, u64 len)
{
int ret = 0;
- u64 tmpend, end = start + len;
+ u64 tmpend = 0;
+ u64 end = start + len;
struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
unsigned int csize = osb->s_clustersize;
handle_t *handle;
@@ -1550,18 +1551,31 @@ static int ocfs2_zero_partial_clusters(s
}

/*
- * We want to get the byte offset of the end of the 1st cluster.
+ * If start is on a cluster boundary and end is somewhere in another
+ * cluster, we have not COWed the cluster starting at start, unless
+ * end is also within the same cluster. So, in this case, we skip this
+ * first call to ocfs2_zero_range_for_truncate() truncate and move on
+ * to the next one.
*/
- tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
- if (tmpend > end)
- tmpend = end;
-
- trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
- (unsigned long long)tmpend);
-
- ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
- if (ret)
- mlog_errno(ret);
+ if ((start & (csize - 1)) != 0) {
+ /*
+ * We want to get the byte offset of the end of the 1st
+ * cluster.
+ */
+ tmpend = (u64)osb->s_clustersize +
+ (start & ~(osb->s_clustersize - 1));
+ if (tmpend > end)
+ tmpend = end;
+
+ trace_ocfs2_zero_partial_clusters_range1(
+ (unsigned long long)start,
+ (unsigned long long)tmpend);
+
+ ret = ocfs2_zero_range_for_truncate(inode, handle, start,
+ tmpend);
+ if (ret)
+ mlog_errno(ret);
+ }

if (tmpend < end) {
/*
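Review bot: the new comment reads "first call to ocfs2_zero_range_for_truncate() truncate and move on"; the second "truncate" is a leftover and should be dropped. Inside the new block the condition uses the local `csize` but the body two lines later still uses `osb->s_clustersize` for the same value; pick one (the local already exists for this purpose). Finally, the `if (tmpend < end)` that follows is now always taken when the first cluster is skipped only because `tmpend` is initialised to 0 in the previous hunk; a sentence saying so in the comment would make that reliance explicit.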

2016-11-14 02:49:37

by Ben Hutchings

Subject: [PATCH 3.2 129/152] irda: Free skb on irda_accept error path.

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "[email protected]" <[email protected]>

commit 8ab86c00e349cef9fb14719093a7f198bcc72629 upstream.

skb is not freed if newsk is NULL. Rework the error path so free_skb is
unconditionally called on function exit.

Fixes: c3ea9fa27413 ("[IrDA] af_irda: IRDA_ASSERT cleanups")
Signed-off-by: Phil Turnbull <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/irda/af_irda.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -846,7 +846,7 @@ static int irda_accept(struct socket *so
struct sock *sk = sock->sk;
struct irda_sock *new, *self = irda_sk(sk);
struct sock *newsk;
- struct sk_buff *skb;
+ struct sk_buff *skb = NULL;
int err;

IRDA_DEBUG(2, "%s()\n", __func__);
@@ -916,7 +916,6 @@ static int irda_accept(struct socket *so
err = -EPERM; /* value does not seem to make sense. -arnd */
if (!new->tsap) {
IRDA_DEBUG(0, "%s(), dup failed!\n", __func__);
- kfree_skb(skb);
goto out;
}

@@ -935,7 +934,6 @@ static int irda_accept(struct socket *so
/* Clean up the original one to keep it in listen state */
irttp_listen(self->tsap);

- kfree_skb(skb);
sk->sk_ack_backlog--;

newsock->state = SS_CONNECTED;
@@ -943,6 +941,7 @@ static int irda_accept(struct socket *so
irda_connect_response(new);
err = 0;
out:
+ kfree_skb(skb);
release_sock(sk);
return err;
}
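Review bot: the unconditional `kfree_skb(skb)` at `out:` is safe on the `newsk == NULL` path only because the first hunk initialises `skb = NULL` and kfree_skb() tolerates NULL, so the two removed frees are correctly folded into one. Worth checking that no `goto out` taken before the skb is dequeued leaves it both non-NULL and still on a queue, and that the success path (which previously freed the skb before `sk_ack_backlog--`) has no remaining use of `skb` between that point and the label.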

2016-11-14 02:50:16

by Ben Hutchings

Subject: [PATCH 3.2 130/152] avr32: fix 'undefined reference to `___copy_from_user'

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <[email protected]>

commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 upstream.

avr32 builds fail with:

arch/avr32/kernel/built-in.o: In function `arch_ptrace':
(.text+0x650): undefined reference to `___copy_from_user'
arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined
reference to `___copy_from_user'
kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax':
(.text+0x5dd8): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin':
sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `ptrace_has_cap':
ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user'
kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to
`___copy_from_user' follow

Fixes: 8630c32275ba ("avr32: fix copy_from_user()")
Cc: Al Viro <[email protected]>
Acked-by: Havard Skinnemoen <[email protected]>
Acked-by: Hans-Christian Noren Egtvedt <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/avr32/lib/copy_user.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -23,8 +23,8 @@
*/
.text
.align 1
- .global copy_from_user
- .type copy_from_user, @function
+ .global ___copy_from_user
+ .type ___copy_from_user, @function
___copy_from_user:
branch_if_kernel r8, __copy_user
ret_if_privileged r8, r11, r10, r10
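Review bot: the `.global` and `.type` directives now match the `___copy_from_user:` label, which is what resolves the link errors; please confirm that the matching `.size copy_from_user, . - copy_from_user` directive at the end of the routine (outside this hunk), if present, was renamed as well, otherwise the symbol's size is attached to the wrong name or the assembler reports an undefined symbol.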

2016-11-14 02:50:50

by Ben Hutchings

Subject: [PATCH 3.2 065/152] x86/mm: Disable preemption during CR3 read+write

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <[email protected]>

commit 5cf0791da5c162ebc14b01eb01631cfa7ed4fa6e upstream.

There's a subtle preemption race on UP kernels:

Usually current->mm (and therefore mm->pgd) stays the same during the
lifetime of a task so it does not matter if a task gets preempted during
the read and write of the CR3.

But then, there is this scenario on x86-UP:

TaskA is in do_exit() and exit_mm() sets current->mm = NULL followed by:

-> mmput()
-> exit_mmap()
-> tlb_finish_mmu()
-> tlb_flush_mmu()
-> tlb_flush_mmu_tlbonly()
-> tlb_flush()
-> flush_tlb_mm_range()
-> __flush_tlb_up()
-> __flush_tlb()
-> __native_flush_tlb()

At this point current->mm is NULL but current->active_mm still points to
the "old" mm.

Let's preempt taskA _after_ native_read_cr3() by taskB. TaskB has its
own mm so CR3 has changed.

Now preempt back to taskA. TaskA has no ->mm set so it borrows taskB's
mm and so CR3 remains unchanged. Once taskA gets active it continues
where it was interrupted and that means it writes its old CR3 value
back. Everything is fine because userland won't need its memory
anymore.

Now the fun part:

Let's preempt taskA one more time and get back to taskB. This
time switch_mm() won't do a thing because oldmm (->active_mm)
is the same as mm (as per context_switch()). So we remain
with a bad CR3 / PGD and return to userland.

The next thing that happens is handle_mm_fault() with an address for
the execution of its code in userland. handle_mm_fault() realizes that
it has a PTE with proper rights so it returns doing nothing. But the
CPU looks at the wrong PGD and insists that something is wrong and
faults again. And again. And one more time…

This pagefault circle continues until the scheduler gets tired of it and
puts another task on the CPU. It gets a little difficult if the task is an
RT task with a high priority. The system will either freeze or it gets
fixed by the software watchdog thread which usually runs at RT-max prio.
But waiting for the watchdog will increase the latency of the RT task
which is no good.

Fix this by disabling preemption across the critical code section.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
Acked-by: Peter Zijlstra (Intel) <[email protected]>
Acked-by: Rik van Riel <[email protected]>
Acked-by: Andy Lutomirski <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Mel Gorman <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Link: http://lkml.kernel.org/r/[email protected]
[ Prettified the changelog. ]
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/include/asm/tlbflush.h | 7 +++++++
1 file changed, 7 insertions(+)

--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -17,7 +17,14 @@

static inline void __native_flush_tlb(void)
{
+ /*
+ * If current->mm == NULL then we borrow a mm which may change during a
+ * task switch and therefore we must not be preempted while we write CR3
+ * back:
+ */
+ preempt_disable();
native_write_cr3(native_read_cr3());
+ preempt_enable();
}

static inline void __native_flush_tlb_global(void)

2016-11-14 02:51:08

by Ben Hutchings

Subject: [PATCH 3.2 081/152] USB: fix typo in wMaxPacketSize validation

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit 6c73358c83ce870c0cf32413e5cadb3b9a39c606 upstream.

The maximum value allowed for wMaxPacketSize of a high-speed interrupt
endpoint is 1024 bytes, not 1023.

Signed-off-by: Alan Stern <[email protected]>
Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors")
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -160,7 +160,7 @@ static const unsigned short high_speed_m
[USB_ENDPOINT_XFER_CONTROL] = 64,
[USB_ENDPOINT_XFER_ISOC] = 1024,
[USB_ENDPOINT_XFER_BULK] = 512,
- [USB_ENDPOINT_XFER_INT] = 1023,
+ [USB_ENDPOINT_XFER_INT] = 1024,
};
static const unsigned short super_speed_maxpacket_maxes[4] = {
[USB_ENDPOINT_XFER_CONTROL] = 512,

2016-11-14 02:24:56

by Ben Hutchings

Subject: [PATCH 3.2 086/152] fs/seq_file: fix out-of-bounds read

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream.

seq_read() is a nasty piece of work, not to mention buggy.

It has (I think) an old bug which allows unprivileged userspace to read
beyond the end of m->buf.

I was getting these:

BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
Read of size 2713 by task trinity-c2/1329
CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
kasan_object_err+0x1c/0x80
kasan_report_error+0x2cb/0x7e0
kasan_report+0x4e/0x80
check_memory_region+0x13e/0x1a0
kasan_check_read+0x11/0x20
seq_read+0xcd2/0x1480
proc_reg_read+0x10b/0x260
do_loop_readv_writev.part.5+0x140/0x2c0
do_readv_writev+0x589/0x860
vfs_readv+0x7b/0xd0
do_readv+0xd8/0x2c0
SyS_readv+0xb/0x10
do_syscall_64+0x1b3/0x4b0
entry_SYSCALL64_slow_path+0x25/0x25
Object at ffff880116889100, in cache kmalloc-4096 size: 4096
Allocated:
PID = 1329
save_stack_trace+0x26/0x80
save_stack+0x46/0xd0
kasan_kmalloc+0xad/0xe0
__kmalloc+0x1aa/0x4a0
seq_buf_alloc+0x35/0x40
seq_read+0x7d8/0x1480
proc_reg_read+0x10b/0x260
do_loop_readv_writev.part.5+0x140/0x2c0
do_readv_writev+0x589/0x860
vfs_readv+0x7b/0xd0
do_readv+0xd8/0x2c0
SyS_readv+0xb/0x10
do_syscall_64+0x1b3/0x4b0
return_from_SYSCALL_64+0x0/0x6a
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint

This seems to be the same thing that Dave Jones was seeing here:

https://lkml.org/lkml/2016/8/12/334

There are multiple issues here:

1) If we enter the function with a non-empty buffer, there is an attempt
to flush it. But it was not clearing m->from after doing so, which
means that if we try to do this flush twice in a row without any call
to traverse() in between, we are going to be reading from the wrong
place -- the splat above, fixed by this patch.

2) If there's a short write to userspace because of page faults, the
buffer may already contain multiple lines (i.e. pos has advanced by
more than 1), but we don't save the progress that was made so the
next call will output what we've already returned previously. Since
that is a much less serious issue (and I have a headache after
staring at seq_read() for the past 8 hours), I'll leave that for now.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Vegard Nossum <[email protected]>
Reported-by: Dave Jones <[email protected]>
Cc: Al Viro <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/seq_file.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -184,8 +184,10 @@ ssize_t seq_read(struct file *file, char
size -= n;
buf += n;
copied += n;
- if (!m->count)
+ if (!m->count) {
+ m->from = 0;
m->index++;
+ }
if (!size)
goto Done;
}
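Review bot: resetting `m->from` alongside `m->index++` is the right place, but the invariant it restores (`from` is only meaningful while the buffer holds data and must be cleared whenever the buffer has been fully flushed) lives only in the changelog; a one-line comment above `m->from = 0;` would capture it in the code. The partial-copy case the changelog defers as issue 2 (`n < m->count`, where this branch is not taken) is untouched here and could carry a TODO so it is not forgotten.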

2016-11-14 02:54:11

by Ben Hutchings

Subject: [PATCH 3.2 054/152] mm/hugetlb: avoid soft lockup in set_max_huge_pages()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jia He <[email protected]>

commit 649920c6ab93429b94bc7c1aa7c0e8395351be32 upstream.

In powerpc servers with large memory (32TB), we watched several soft
lockups for hugepage under stress tests.

The call traces are as follows:
1.
get_page_from_freelist+0x2d8/0xd50
__alloc_pages_nodemask+0x180/0xc20
alloc_fresh_huge_page+0xb0/0x190
set_max_huge_pages+0x164/0x3b0

2.
prep_new_huge_page+0x5c/0x100
alloc_fresh_huge_page+0xc8/0x190
set_max_huge_pages+0x164/0x3b0

This patch fixes such soft lockups. It is safe to call cond_resched()
there because it is out of spin_lock/unlock section.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Jia He <[email protected]>
Reviewed-by: Naoya Horiguchi <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Acked-by: Dave Hansen <[email protected]>
Cc: Mike Kravetz <[email protected]>
Cc: "Kirill A. Shutemov" <[email protected]>
Cc: Paul Gortmaker <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
mm/hugetlb.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1417,6 +1417,10 @@ static unsigned long set_max_huge_pages(
* and reducing the surplus.
*/
spin_unlock(&hugetlb_lock);
+
+ /* yield cpu to avoid soft lockup */
+ cond_resched();
+
ret = alloc_fresh_huge_page(h, nodes_allowed);
spin_lock(&hugetlb_lock);
if (!ret)

2016-11-14 02:55:21

by Ben Hutchings

Subject: [PATCH 3.2 064/152] s390/dasd: fix hanging device after clear subchannel

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Stefan Haberland <[email protected]>

commit 9ba333dc55cbb9523553df973adb3024d223e905 upstream.

When a device is in a status where CIO has killed all I/O by itself the
interrupt for a clear request may not contain an irb to determine the
clear function. Instead it contains an error pointer -EIO.
This was ignored by the DASD int_handler leading to a hanging device
waiting for a clear interrupt.

Handle -EIO error pointer correctly for requests that are clear pending and
treat the clear as successful.

Signed-off-by: Stefan Haberland <[email protected]>
Reviewed-by: Sebastian Ott <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/s390/block/dasd.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -1593,9 +1593,18 @@ void dasd_int_handler(struct ccw_device
unsigned long long now;
int expires;

+ cqr = (struct dasd_ccw_req *) intparm;
if (IS_ERR(irb)) {
switch (PTR_ERR(irb)) {
case -EIO:
+ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) {
+ device = (struct dasd_device *) cqr->startdev;
+ cqr->status = DASD_CQR_CLEARED;
+ dasd_device_clear_timer(device);
+ wake_up(&dasd_flush_wq);
+ dasd_schedule_device_bh(device);
+ return;
+ }
break;
case -ETIMEDOUT:
DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: "
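Review bot: `cqr` is now derived from `intparm` before the error-pointer switch, so the cast is applied for -EIO and -ETIMEDOUT interrupts too; the new block guards with `cqr &&`, but please confirm CIO guarantees `intparm` is either NULL or the request pointer for these error interrupts. On the clear-pending path the handler returns right after `dasd_schedule_device_bh()`, skipping the `now = get_clock()` and immediate-condition checks below; a short comment stating that the clear is being treated as successful (as the changelog says) would make that early return self-explanatory.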
@@ -1611,7 +1620,6 @@ void dasd_int_handler(struct ccw_device
}

now = get_clock();
- cqr = (struct dasd_ccw_req *) intparm;
/* check for conditions that should be handled immediately */
if (!cqr ||
!(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) &&

2016-11-14 02:56:13

by Ben Hutchings

Subject: [PATCH 3.2 103/152] NFSv4.1: Fix the CREATE_SESSION slot number accounting

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <[email protected]>

commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream.

Ensure that we conform to the algorithm described in RFC5661, section
18.36.4 for when to bump the sequence id. In essence we do it for all
cases except when the RPC call timed out, or in case of the server returning
NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID.

Signed-off-by: Trond Myklebust <[email protected]>
[bwh: Backported to 3.2:
- Add the 'out' label
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5360,14 +5360,21 @@ static int _nfs4_proc_create_session(str

status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);

+ switch (status) {
+ case -NFS4ERR_STALE_CLIENTID:
+ case -NFS4ERR_DELAY:
+ case -ETIMEDOUT:
+ case -EACCES:
+ case -EAGAIN:
+ goto out;
+ };
+
+ clp->cl_seqid++;
if (!status)
/* Verify the session's negotiated channel_attrs values */
status = nfs4_verify_channel_attrs(&args, session);
- if (!status) {
- /* Increment the clientid slot sequence id */
- clp->cl_seqid++;
- }

+out:
return status;
}
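Review bot: the switch lists -EACCES and -EAGAIN among the cases that skip the seqid bump, but the changelog only mentions timeouts, NFS4ERR_DELAY and NFS4ERR_STALE_CLIENTID; either mention the two extra cases in the changelog or add a comment above the switch citing RFC 5661 section 18.36.4 for the full list. Style: the `};` after the closing brace of the switch leaves a stray empty statement; drop the semicolon.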


2016-11-14 02:56:47

by Ben Hutchings

Subject: [PATCH 3.2 138/152] tracing: Move mutex to protect against resetting of seq data

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <[email protected]>

commit 1245800c0f96eb6ebb368593e251d66c01e61022 upstream.

The iter->seq can be reset outside the protection of the mutex. So can
reading of user data. Move the mutex up to the beginning of the function.

Fixes: d7350c3f45694 ("tracing/core: make the read callbacks reentrants")
Reported-by: Al Viro <[email protected]>
Signed-off-by: Steven Rostedt <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
kernel/trace/trace.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3331,13 +3331,6 @@ tracing_read_pipe(struct file *filp, cha
static struct tracer *old_tracer;
ssize_t sret;

- /* return any leftover data */
- sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
- if (sret != -EBUSY)
- return sret;
-
- trace_seq_init(&iter->seq);
-
/* copy the tracer to avoid using a global lock all around */
mutex_lock(&trace_types_lock);
if (unlikely(old_tracer != current_trace && current_trace)) {
@@ -3352,6 +3345,14 @@ tracing_read_pipe(struct file *filp, cha
* is protected.
*/
mutex_lock(&iter->mutex);
+
+ /* return any leftover data */
+ sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
+ if (sret != -EBUSY)
+ goto out;
+
+ trace_seq_init(&iter->seq);
+
if (iter->trace->read) {
sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
if (sret)
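Review bot: the leftover-data return now happens with `iter->mutex` held and jumps to `out:`; that label is outside this hunk, so confirm it releases `iter->mutex` (and that `trace_types_lock`, taken in the previous hunk, is already dropped by then), otherwise every read that returns buffered data would leave the mutex locked. The move also means the early return no longer precedes the tracer-pointer refresh, which is the ordering the changelog asks for.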

2016-11-14 02:24:06

by Ben Hutchings

Subject: [PATCH 3.2 050/152] ext4: validate that metadata blocks do not overlap superblock

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit 829fa70dddadf9dd041d62b82cd7cea63943899d upstream.

A number of fuzzing failures seem to be caused by allocation bitmaps
or other metadata blocks being pointed at the superblock.

This can cause kernel BUG or WARNings once the superblock is
overwritten, so validate the group descriptor blocks to make sure this
doesn't happen.

Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/super.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2097,6 +2097,7 @@ int ext4_group_desc_csum_verify(struct e

/* Called at mount-time, super-block is locked */
static int ext4_check_descriptors(struct super_block *sb,
+ ext4_fsblk_t sb_block,
ext4_group_t *first_not_zeroed)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
@@ -2127,6 +2128,11 @@ static int ext4_check_descriptors(struct
grp = i;

block_bitmap = ext4_block_bitmap(sb, gdp);
+ if (block_bitmap == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Block bitmap for group %u overlaps "
+ "superblock", i);
+ }
if (block_bitmap < first_block || block_bitmap > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
"Block bitmap for group %u not in group "
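Review bot: the new overlap check only logs; unlike the range check directly below it, it does not `return 0`, so a descriptor whose block bitmap equals `sb_block` still passes validation and the mount proceeds, leaving the superblock overwrite the changelog warns about possible on a read-write mount. Add `return 0;` after the `ext4_msg()` (at minimum when the filesystem is not being mounted read-only); the same applies to the inode bitmap and inode table checks in the two following hunks.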
@@ -2134,6 +2140,11 @@ static int ext4_check_descriptors(struct
return 0;
}
inode_bitmap = ext4_inode_bitmap(sb, gdp);
+ if (inode_bitmap == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode bitmap for group %u overlaps "
+ "superblock", i);
+ }
if (inode_bitmap < first_block || inode_bitmap > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
"Inode bitmap for group %u not in group "
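Review bot: same fall-through for the inode bitmap: the overlap branch logs and continues, whereas the out-of-group check directly beneath it returns 0. Either return 0 on overlap as well, or add a comment explaining why logging alone is sufficient here.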
@@ -2141,6 +2152,11 @@ static int ext4_check_descriptors(struct
return 0;
}
inode_table = ext4_inode_table(sb, gdp);
+ if (inode_table == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode table for group %u overlaps "
+ "superblock", i);
+ }
if (inode_table < first_block ||
inode_table + sbi->s_itb_per_group - 1 > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
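Review bot: the inode table check compares only its first block with `sb_block`, but the table spans `sbi->s_itb_per_group` blocks, as the range check right below shows with `inode_table + sbi->s_itb_per_group - 1`. A superblock that lands inside that range rather than on its first block goes undetected; suggest `sb_block >= inode_table && sb_block < inode_table + sbi->s_itb_per_group`. As with the two bitmap checks, this branch also logs without returning 0.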
@@ -3674,7 +3690,7 @@ static int ext4_fill_super(struct super_
goto failed_mount2;
}
}
- if (!ext4_check_descriptors(sb, &first_not_zeroed)) {
+ if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
goto failed_mount2;
}

2016-11-14 02:59:42

by Ben Hutchings

Subject: [PATCH 3.2 057/152] USB: serial: option: add D-Link DWM-156/A3

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lubomir Rintel <[email protected]>

commit cf1b18030de29e4e5b0a57695ae5db4a89da0ff7 upstream.

The device has four interfaces; the three serial ports ought to be
handled by this driver:

00 Diagnostic interface serial port
01 NMEA device serial port
02 Mass storage (sd card)
03 Modem serial port

The other product ids listed in the Windows driver are present already.

Signed-off-by: Lubomir Rintel <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/option.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1945,6 +1945,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
{ } /* Terminating entry */
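Review bot: the entry matches with class/subclass/protocol all 0xff, so only the vendor-specific interfaces bind to this driver and interface 02 (mass storage, the SD card per the commit message) is left to usb-storage; that is the right choice, and a short comment noting that the storage interface is intentionally excluded would spare the next reader from rechecking. The entry is also placed beside the other D-Link 0x07d1 IDs, which keeps the table readable.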

2016-11-14 02:23:41

by Ben Hutchings

Subject: [PATCH 3.2 125/152] microblaze: fix __get_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/microblaze/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -218,7 +218,7 @@ extern long __user_bad(void);

#define __get_user(x, ptr) \
({ \
- unsigned long __gu_val; \
+ unsigned long __gu_val = 0; \
/*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
long __gu_err; \
switch (sizeof(*(ptr))) { \
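Review bot: initialising `__gu_val` to 0 closes the uninitialised-stack leak only if every path that assigns `x` does so from `__gu_val`, including the `switch` default case that ends in `__user_bad()`; those cases are outside this hunk, so please confirm the assignment to `x` is unconditional. The commented-out `__gu_ptr` line on the context lines is dead code that could be dropped in a follow-up.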

2016-11-14 03:00:02

by Ben Hutchings

Subject: [PATCH 3.2 070/152] cdc-acm: fix wrong pipe type on rx interrupt xfers

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Gavin Li <[email protected]>

commit add125054b8727103631dce116361668436ef6a7 upstream.

This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb().

Signed-off-by: Gavin Li <[email protected]>
Acked-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/class/cdc-acm.c | 5 ++---
drivers/usb/class/cdc-acm.h | 1 -
2 files changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1156,7 +1156,6 @@ made_compressed_probe:
spin_lock_init(&acm->write_lock);
spin_lock_init(&acm->read_lock);
mutex_init(&acm->mutex);
- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress);
acm->is_int_ep = usb_endpoint_xfer_int(epread);
if (acm->is_int_ep)
acm->bInterval = epread->bInterval;
@@ -1205,14 +1204,14 @@ made_compressed_probe:
urb->transfer_dma = rb->dma;
if (acm->is_int_ep) {
usb_fill_int_urb(urb, acm->dev,
- acm->rx_endpoint,
+ usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
rb->base,
acm->readsize,
acm_read_bulk_callback, rb,
acm->bInterval);
} else {
usb_fill_bulk_urb(urb, acm->dev,
- acm->rx_endpoint,
+ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress),
rb->base,
acm->readsize,
acm_read_bulk_callback, rb);
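Review bot: the two new pipe expressions take `usb_dev`, while the same `usb_fill_*_urb()` calls pass `acm->dev` as the device; if they are the same pointer, use one name in both places so the pairing is obvious, and if they are not, the pipe is being built for the wrong device. Recomputing the pipe per URB is fine since `epread` is in scope, but note that the interrupt URB still completes through `acm_read_bulk_callback`; a rename is out of scope for a stable backport, just worth a comment.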
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -95,7 +95,6 @@ struct acm {
struct urb *read_urbs[ACM_NR];
struct acm_rb read_buffers[ACM_NR];
int rx_buflimit;
- int rx_endpoint;
spinlock_t read_lock;
int write_used; /* number of non-empty write buffers */
int transmitting;

2016-11-14 03:00:39

by Ben Hutchings

Subject: [PATCH 3.2 066/152] arm: oabi compat: add missing access checks

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dave Weinstein <[email protected]>

commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.

Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
This fixes CVE-2016-3857, a local privilege escalation under
CONFIG_OABI_COMPAT.

Reported-by: Chiachih Wu <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Reviewed-by: Nicolas Pitre <[email protected]>
Signed-off-by: Dave Weinstein <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int
mm_segment_t fs;
long ret, err, i;

- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
+ if (maxevents <= 0 ||
+ maxevents > (INT_MAX/sizeof(*kbuf)) ||
+ maxevents > (INT_MAX/sizeof(*events)))
return -EINVAL;
+ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+ return -EFAULT;
kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
if (!kbuf)
return -ENOMEM;
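Review bot: the new `access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents)` cannot overflow the multiplication only because the check just above now bounds `maxevents` by `INT_MAX/sizeof(*events)`; keep the two checks adjacent (or add a comment) so a later edit does not drop one without the other. `access_ok()` validates the address range only, so the later copy-out into `events` (not in this hunk) must still go through a fault-handling user-access routine.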
@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int

if (nsops < 1 || nsops > SEMOPM)
return -EINVAL;
+ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+ return -EFAULT;
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
if (!sops)
return -ENOMEM;
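Review bot: `sizeof(*tsops) * nsops` cannot overflow because `nsops` is bounded by SEMOPM on the line above; a brief comment saying so would help. As in the epoll path, `access_ok(VERIFY_READ, ...)` only checks the range, so the copy of the sops array from `tsops` that follows (not visible here) still has to tolerate faults.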

2016-11-14 03:01:12

by Ben Hutchings

Subject: [PATCH 3.2 084/152] x86/apic: Do not init irq remapping if ioapic is disabled

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <[email protected]>

commit 2e63ad4bd5dd583871e6602f9d398b9322d358d9 upstream.

native_smp_prepare_cpus
-> default_setup_apic_routing
-> enable_IR_x2apic
-> irq_remapping_prepare
-> intel_prepare_irq_remapping
-> intel_setup_irq_remapping

So the IR table is set up even if the "noapic" boot parameter is added. As a result we
crash later when the interrupt affinity is set, due to a half-initialized
remapping infrastructure.

Prevent remap initialization when IOAPIC is disabled.

Signed-off-by: Wanpeng Li <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Joerg Roedel <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Thomas Gleixner <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/apic/apic.c | 3 +++
1 file changed, 3 insertions(+)

--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1481,6 +1481,9 @@ void __init enable_IR_x2apic(void)
int ret, x2apic_enabled = 0;
int dmar_table_init_ret;

+ if (skip_ioapic_setup)
+ return;
+
dmar_table_init_ret = dmar_table_init();
if (dmar_table_init_ret && !x2apic_supported())
return;
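Review bot: returning before `dmar_table_init()` also skips the x2apic enabling that the rest of `enable_IR_x2apic()` performs, so with `noapic` the system stays in xAPIC mode even where x2apic is supported. If that is intended (the commit message only talks about the IR table), a comment above the `return` should say so; otherwise the check should guard just the remapping setup.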

2016-11-14 03:01:29

by Ben Hutchings

Subject: [PATCH 3.2 118/152] score: fix copy_from_user() and friends

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/score/include/asm/uaccess.h | 41 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 21 deletions(-)

--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -296,35 +296,34 @@ extern int __copy_tofrom_user(void *to,
static inline unsigned long
copy_from_user(void *to, const void *from, unsigned long len)
{
- unsigned long over;
+ unsigned long res = len;

- if (access_ok(VERIFY_READ, from, len))
- return __copy_tofrom_user(to, from, len);
+ if (likely(access_ok(VERIFY_READ, from, len)))
+ res = __copy_tofrom_user(to, from, len);

- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + len - TASK_SIZE;
- return __copy_tofrom_user(to, from, len - over) + over;
- }
- return len;
+ if (unlikely(res))
+ memset(to + (len - res), 0, res);
+
+ return res;
}

static inline unsigned long
copy_to_user(void *to, const void *from, unsigned long len)
{
- unsigned long over;
-
- if (access_ok(VERIFY_WRITE, to, len))
- return __copy_tofrom_user(to, from, len);
+ if (likely(access_ok(VERIFY_WRITE, to, len)))
+ len = __copy_tofrom_user(to, from, len);

- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + len - TASK_SIZE;
- return __copy_tofrom_user(to, from, len - over) + over;
- }
return len;
}

-#define __copy_from_user(to, from, len) \
- __copy_tofrom_user((to), (from), (len))
+static inline unsigned long
+__copy_from_user(void *to, const void *from, unsigned long len)
+{
+ unsigned long left = __copy_tofrom_user(to, from, len);
+ if (unlikely(left))
+ memset(to + (len - left), 0, left);
+ return left;
+}

#define __copy_to_user(to, from, len) \
__copy_tofrom_user((to), (from), (len))
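Review bot: `memset(to + (len - res), 0, res)` assumes `__copy_tofrom_user()` returns the number of bytes not copied and that the copied prefix is contiguous from `to`; the removed `over` arithmetic used to handle the partial-range case itself, so that return contract is now load-bearing and deserves a comment. `to + ...` on a `void *` relies on the GCC pointer-arithmetic extension (accepted in the kernel, but `(char *)to` would be explicit). `copy_to_user()` reuses `len` for its return value, which is correct but reads oddly next to the new `res` in `copy_from_user()`.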
@@ -338,17 +337,17 @@ __copy_to_user_inatomic(void *to, const
static inline unsigned long
__copy_from_user_inatomic(void *to, const void *from, unsigned long len)
{
- return __copy_from_user(to, from, len);
+ return __copy_tofrom_user(to, from, len);
}

-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
+#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)

static inline unsigned long
copy_in_user(void *to, const void *from, unsigned long len)
{
if (access_ok(VERIFY_READ, from, len) &&
access_ok(VERFITY_WRITE, to, len))
- return copy_from_user(to, from, len);
+ return __copy_tofrom_user(to, from, len);
}

/*
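Review bot: `copy_in_user()` on the context lines falls off the end without a `return` when either `access_ok()` fails, so callers get an undefined value instead of `len`, and `VERFITY_WRITE` looks like a misspelling of `VERIFY_WRITE`. Both are pre-existing rather than introduced by this hunk, but since the function is being touched anyway, a `return len;` after the `if` and the spelling fix would be a one-line follow-up.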

2016-11-14 02:23:30

by Ben Hutchings

Subject: [PATCH 3.2 124/152] microblaze: fix copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/microblaze/include/asm/uaccess.h | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -364,10 +364,13 @@ extern long __user_bad(void);
static inline long copy_from_user(void *to,
const void __user *from, unsigned long n)
{
+ unsigned long res = n;
might_sleep();
- if (access_ok(VERIFY_READ, from, n))
- return __copy_from_user(to, from, n);
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ res = __copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}

#define __copy_to_user(to, from, n) \
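Review bot: the zeroing is correct only if `__copy_from_user()` returns the bytes not copied and never more than `n`; otherwise `n - res` underflows and the memset runs past the buffer. A one-line comment stating that contract would help, since the same pattern is being applied across several architectures in this series. Declaring `res` before `might_sleep()` keeps the function C89-clean, good.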

2016-11-14 03:02:30

by Ben Hutchings

Subject: [PATCH 3.2 051/152] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Howells <[email protected]>

commit f7d665627e103e82d34306c7d3f6f46f387c0d8b upstream.

x86_64 needs to use compat_sys_keyctl for 32-bit userspace rather than
calling sys_keyctl(). The latter will work in a lot of cases, thereby
hiding the issue.

Reported-by: Stephan Mueller <[email protected]>
Tested-by: Stephan Mueller <[email protected]>
Signed-off-by: David Howells <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Cc: [email protected]
Link: http://lkml.kernel.org/r/146961615805.14395.5581949237156769439.stgit@warthog.procyon.org.uk
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.2: compat system call table is in ia32entry.S]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -791,7 +791,7 @@ ia32_sys_call_table:
.quad quiet_ni_syscall /* 285: sys_altroot */
.quad sys_add_key
.quad sys_request_key
- .quad sys_keyctl
+ .quad compat_sys_keyctl
.quad sys_ioprio_set
.quad sys_ioprio_get /* 290 */
.quad sys_inotify_init
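Review bot: the diffstat between the `---` separator and the first `--- a/` header is missing, unlike the other patches in this series; please regenerate with git format-patch so the file list appears. For the one-word table change, confirm that `compat_sys_keyctl` is defined and visible to the ia32 table in 3.2 (the backport note says the table lives in ia32entry.S here) and that the slot, after `sys_request_key` and before `sys_ioprio_set`, is the 32-bit keyctl syscall number.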

2016-11-14 02:22:22

by Ben Hutchings

Subject: [PATCH 3.2 010/152] ext4: don't call ext4_should_journal_data() on the journal inode

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit 6a7fd522a7c94cdef0a3b08acf8e6702056e635c upstream.

If ext4_fill_super() fails early, it's possible for ext4_evict_inode()
to call ext4_should_journal_data() before superblock options and flags
are fully set up. In that case, the iput() on the journal inode can
end up causing a BUG().

Work around this problem by reordering the tests so we only call
ext4_should_journal_data() after we know it's not the journal inode.

Fixes: 2d859db3e4 ("ext4: fix data corruption in inodes with journalled data")
Fixes: 2b405bfa84 ("ext4: fix data=journal fast mount/umount hang")
Cc: Jan Kara <[email protected]>
Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Reviewed-by: Jan Kara <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -142,9 +142,9 @@ void ext4_evict_inode(struct inode *inod
* Note that directories do not have this problem because they
* don't use page cache.
*/
- if (ext4_should_journal_data(inode) &&
- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
- inode->i_ino != EXT4_JOURNAL_INO) {
+ if (inode->i_ino != EXT4_JOURNAL_INO &&
+ ext4_should_journal_data(inode) &&
+ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;


2016-11-14 02:22:20

by Ben Hutchings

Subject: [PATCH 3.2 020/152] Bluetooth: Add USB ID 13D3:3487 to ath3k

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lauro Costa <[email protected]>

commit 72f9f8b58bc743e6b6abdc68f60db98486c3ffcf upstream.

Add hw id to ath3k usb device list and btusb blacklist

T: Bus=01 Lev=01 Prnt=01 Port=08 Cnt=02 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3487 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Requires these firmwares:
ar3k/AthrBT_0x11020100.dfu and ar3k/ramps_0x11020100_40.dfu
Firmwares are available in linux-firmware.

Device found in a laptop ASUS model N552VW. It's an Atheros AR9462 chip.

Signed-off-by: Lauro Costa <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -118,6 +118,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x13d3, 0x3432) },
{ USB_DEVICE(0x13d3, 0x3472) },
{ USB_DEVICE(0x13d3, 0x3474) },
+ { USB_DEVICE(0x13d3, 0x3487) },

/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE02C) },
@@ -182,6 +183,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU22 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -203,6 +203,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },

2016-11-14 02:22:17

by Ben Hutchings

Subject: [PATCH 3.2 009/152] ext4: check for extents that wrap around

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.

An extent with lblock = 4294967295 and len = 1 will pass the
ext4_valid_extent() test:

ext4_lblk_t last = lblock + len - 1;

if (len == 0 || lblock > last)
return 0;

since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().

We can simplify it by removing the - 1 altogether and changing the test
to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
lblock and it fails, and if len > 0 then lblock + len > lblock in order
to pass (i.e. it doesn't overflow).

Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
Cc: Eryu Guan <[email protected]>
Signed-off-by: Phil Turnbull <[email protected]>
Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/extents.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -319,9 +319,13 @@ static int ext4_valid_extent(struct inod
ext4_fsblk_t block = ext4_ext_pblock(ext);
int len = ext4_ext_get_actual_len(ext);
ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
- ext4_lblk_t last = lblock + len - 1;

- if (len == 0 || lblock > last)
+ /*
+ * We allow neither:
+ * - zero length
+ * - overflow/wrap-around
+ */
+ if (lblock + len <= lblock)
return 0;
return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
}
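Review bot: `lblock + len <= lblock` detects wrap-around because `lblock` is an unsigned 32-bit `ext4_lblk_t` and the `int len` is converted to unsigned for the addition; this holds only while `len` is non-negative, which `ext4_ext_get_actual_len()` on the context line guarantees. The new comment could state the 32-bit arithmetic explicitly, since the test would silently stop catching overflow if either operand ever became 64-bit.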

2016-11-14 03:03:59

by Ben Hutchings

Subject: [PATCH 3.2 131/152] openrisc: fix the fix of copy_from_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <[email protected]>

commit 8e4b72054f554967827e18be1de0e8122e6efc04 upstream.

Since commit acb2505d0119 ("openrisc: fix copy_from_user()"),
copy_from_user() returns the number of bytes requested, not the
number of bytes not copied.

Cc: Al Viro <[email protected]>
Fixes: acb2505d0119 ("openrisc: fix copy_from_user()")
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/openrisc/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -277,7 +277,7 @@ copy_from_user(void *to, const void *fro
unsigned long res = n;

if (likely(access_ok(VERIFY_READ, from, n)))
- n = __copy_tofrom_user(to, from, n);
+ res = __copy_tofrom_user(to, from, n);
if (unlikely(res))
memset(to + (n - res), 0, res);
return res;
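Review bot: with `n` no longer clobbered, `n - res` in the memset is the number of bytes actually copied and the function returns the bytes not copied, which is what callers expect; before this fix `res` kept its initial value `n`, so the memset wiped the whole destination and `n` bytes were reported as failed even after a complete copy. As this is the second attempt at the function, a short comment on the return contract (`res` = bytes not copied) would prevent a third.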

2016-11-14 03:04:10

by Ben Hutchings

Subject: [PATCH 3.2 101/152] asm-generic: make copy_from_user() zero the destination properly

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.

... in all cases, including the failing access_ok()

Note that some architectures using asm-generic/uaccess.h have
__copy_from_user() not zeroing the tail on failure halfway
through. This variant works either way.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
include/asm-generic/uaccess.h | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -243,11 +243,13 @@ extern int __get_user_bad(void) __attrib
static inline long copy_from_user(void *to,
const void __user * from, unsigned long n)
{
+ unsigned long res = n;
might_sleep();
- if (access_ok(VERIFY_READ, from, n))
- return __copy_from_user(to, from, n);
- else
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ res = __copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}

static inline long copy_to_user(void __user *to,
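Review bot: the memset offset `to + (n - res)` assumes `__copy_from_user()` never returns more than `n`; the commit message notes some architectures do not zero the tail on a partial copy, and this wrapper covers them, but an implementation returning more than `n` would underflow the offset. Worth stating that contract in a comment. The function returns `long` while `res` is `unsigned long`; the implicit conversion is harmless for any realistic `n`, but matching the types would silence sign-conversion warnings.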

2016-11-14 03:04:14

by Ben Hutchings

Subject: [PATCH 3.2 112/152] mn10300: copy_from_user() should zero on access_ok() failure...

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.

Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: include <linux/string.h> to get declaration of memset()]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mn10300/lib/usercopy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/mn10300/lib/usercopy.c
+++ b/arch/mn10300/lib/usercopy.c
@@ -9,7 +9,8 @@
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
-#include <asm/uaccess.h>
+#include <linux/string.h>
+#include <linux/uaccess.h>

unsigned long
__generic_copy_to_user(void *to, const void *from, unsigned long n)
@@ -24,6 +25,8 @@ __generic_copy_from_user(void *to, const
{
if (access_ok(VERIFY_READ, from, n))
__copy_user_zeroing(to, from, n);
+ else
+ memset(to, 0, n);
return n;
}
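Review bot: the `else` branch zeroes all `n` bytes and the function then returns `n` unconditionally; that is right for the access_ok() failure, but it means the success path also returns `n`, so the result only reports bytes not copied if `__copy_user_zeroing()` updates `n` in place (it is not visible in this hunk). Please confirm, or make the return value explicit on each branch.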


2016-11-14 03:04:28

by Ben Hutchings

Subject: [PATCH 3.2 097/152] ALSA: timer: Fix zero-division by continue of uninitialized instance

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b upstream.

When a user timer instance is continued without an explicit start
beforehand, the system eventually gets a zero-division error like:

divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003c9b2280 task.stack: ffff880027280000
RIP: 0010:[<ffffffff858e1a6c>] [< inline >] ktime_divns include/linux/ktime.h:195
RIP: 0010:[<ffffffff858e1a6c>] [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
Call Trace:
<IRQ>
[< inline >] __run_hrtimer kernel/time/hrtimer.c:1238
[<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
[<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
[<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
[<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
[<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
<EOI>
.....

Although a similar issue was spotted and a fix patch was merged in
commit [6b760bb2c63a: ALSA: timer: fix division by zero after
SNDRV_TIMER_IOCTL_CONTINUE], it seems to cover only a part of the
iceberg.

In this patch, we fix the issue a bit more drastically. Basically the
continue of an uninitialized timer is supposed to be a fresh start, so
we do it for user timers. For the direct snd_timer_continue() call,
there is no way to pass the initial tick value, so we kick out for the
uninitialized case.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.2:
- Adjust context
- In _snd_timer_stop(), check the value of 'event' instead of 'stop']
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/timer.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -34,6 +34,9 @@
#include <sound/initval.h>
#include <linux/kmod.h>

+/* internal flags */
+#define SNDRV_TIMER_IFLG_PAUSED 0x00010000
+
#if defined(CONFIG_SND_HRTIMER) || defined(CONFIG_SND_HRTIMER_MODULE)
#define DEFAULT_TIMER_LIMIT 4
#elif defined(CONFIG_SND_RTCTIMER) || defined(CONFIG_SND_RTCTIMER_MODULE)
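Review bot: `SNDRV_TIMER_IFLG_PAUSED` is defined privately in timer.c as 0x00010000 and must not collide with the `SNDRV_TIMER_IFLG_*` values in the public header; since the header is the authority on the low bits, a comment here stating that internal flags use the upper 16 bits would make the split explicit and keep future additions out of each other's way.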
@@ -552,6 +555,10 @@ static int _snd_timer_stop(struct snd_ti
}
}
timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+ if (event == SNDRV_TIMER_EVENT_STOP)
+ timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
+ else
+ timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
spin_unlock_irqrestore(&timer->lock, flags);
__end:
if (event != SNDRV_TIMER_EVENT_RESOLUTION)
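Review bot: the PAUSED flag is updated only on the path that reaches `spin_unlock_irqrestore()`; the `__end:` label shows there are earlier exits in this function that skip the update. If an instance that takes one of those exits (for example a slave) can be paused, it never gains `SNDRV_TIMER_IFLG_PAUSED`, and the new check in `snd_timer_continue()` will reject it with -EINVAL; please confirm those exits either set the flag too or are not reachable for a pause.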
@@ -594,6 +601,10 @@ int snd_timer_continue(struct snd_timer_

if (timeri == NULL)
return result;
+ /* timer can continue only after pause */
+ if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+ return -EINVAL;
+
if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
return snd_timer_start_slave(timeri);
timer = timeri->timer;
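Review bot: the `-EINVAL` check sits before the `SNDRV_TIMER_IFLG_SLAVE` test, so slave instances are now also required to carry PAUSED before `snd_timer_start_slave()` is reached; that is a behaviour change for slaves that were previously continuable from any state and should be called out in the commit message or in the comment above the check.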
@@ -1798,6 +1809,9 @@ static int snd_timer_user_continue(struc
tu = file->private_data;
if (!tu->timeri)
return -EBADFD;
+ /* start timer instead of continue if it's not used before */
+ if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+ return snd_timer_user_start(file);
tu->timeri->lost = 0;
return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
}
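Review bot: redirecting to `snd_timer_user_start(file)` means a SNDRV_TIMER_IOCTL_CONTINUE on a never-paused instance now succeeds, while the kernel-internal `snd_timer_continue()` path returns -EINVAL for the same state; the asymmetry is intentional per the commit message, but the comment "if it's not used before" should read "if it has not been paused before", since that is what the flag actually tracks.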

2016-11-14 03:04:25

by Ben Hutchings

Subject: [PATCH 3.2 088/152] ALSA: timer: fix NULL pointer dereference on memory allocation failure

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 upstream.

I hit this with syzkaller:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
task: ffff88011278d600 task.stack: ffff8801120c0000
RIP: 0010:[<ffffffff82c8ba07>] [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
RSP: 0018:ffff8801120c7a60 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
FS: 00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
Stack:
ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
Call Trace:
[<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
[<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
[<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
[<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
[<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
[<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
[<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
[<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
[<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
[<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
[<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
[<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
[<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
[<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
RIP [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
RSP <ffff8801120c7a60>
---[ end trace 5955b08db7f2b029 ]---

This can happen if snd_hrtimer_open() fails to allocate memory and
returns an error, which is currently not checked by snd_timer_open():

ioctl(SNDRV_TIMER_IOCTL_SELECT)
- snd_timer_user_tselect()
- snd_timer_close()
- snd_hrtimer_close()
- (struct snd_timer *) t->private_data = NULL
- snd_timer_open()
- snd_hrtimer_open()
- kzalloc() fails; t->private_data is still NULL

ioctl(SNDRV_TIMER_IOCTL_START)
- snd_timer_user_start()
- snd_timer_start()
- snd_timer_start1()
- snd_hrtimer_start()
- t->private_data == NULL // boom

Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.2: don't put_device() since snd_timer_instance_new()
doesn't take a device reference]
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/timer.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -290,8 +290,19 @@ int snd_timer_open(struct snd_timer_inst
}
timeri->slave_class = tid->dev_sclass;
timeri->slave_id = slave_id;
- if (list_empty(&timer->open_list_head) && timer->hw.open)
- timer->hw.open(timer);
+
+ if (list_empty(&timer->open_list_head) && timer->hw.open) {
+ int err = timer->hw.open(timer);
+ if (err) {
+ kfree(timeri->owner);
+ kfree(timeri);
+
+ module_put(timer->module);
+ mutex_unlock(&register_mutex);
+ return err;
+ }
+ }
+
list_add_tail(&timeri->open_list, &timer->open_list_head);
snd_timer_check_master(timeri);
mutex_unlock(&register_mutex);
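Review bot: the error path repeats cleanup inline (`kfree(timeri->owner)`, `kfree(timeri)`, `module_put()`, `mutex_unlock()`) instead of unwinding through a label, which is easy to get out of sync with the function's other exits. More importantly, please check that `module_put(timer->module)` balances a module reference taken earlier in this function (not visible in the hunk) and that nothing else has been attached to `timeri` by this point that would leak; the backport note covers the device reference, which 3.2 does not take.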

2016-11-14 03:04:21

by Ben Hutchings

Subject: [PATCH 3.2 037/152] nfs: don't create zero-length requests

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Benjamin Coddington <[email protected]>

commit 149a4fddd0a72d526abbeac0c8deaab03559836a upstream.

NFS doesn't expect requests with wb_bytes set to zero and may make
unexpected decisions about how to handle that request at the page IO layer.
Skip request creation if we won't have any wb_bytes in the request.

Signed-off-by: Benjamin Coddington <[email protected]>
Signed-off-by: Alexey Dobriyan <[email protected]>
Reviewed-by: Weston Andros Adamson <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfs/write.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -747,6 +747,9 @@ int nfs_updatepage(struct file *file, st
file->f_path.dentry->d_name.name, count,
(long long)(page_offset(page) + offset));

+ if (!count)
+ goto out;
+
/* If we're not using byte range locks, and we know the page
* is up to date, it may be more efficient to extend the write
* to cover the entire page in order to avoid fragmentation
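Review bot: the new `if (!count) goto out;` jumps to the `out:` label before `status` is assigned anywhere in the visible hunk, so the `dprintk("NFS: nfs_updatepage returns %d ...", status, ...)` and `return status;` depend on `status` being initialised (to 0) at its declaration; please confirm that in the 3.2 function body, otherwise the zero-length path returns an uninitialised value.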
@@ -764,7 +767,7 @@ int nfs_updatepage(struct file *file, st
nfs_set_pageerror(page);
else
__set_page_dirty_nobuffers(page);
-
+out:
dprintk("NFS: nfs_updatepage returns %d (isize %lld)\n",
status, (long long)i_size_read(inode));
return status;

2016-11-14 03:04:17

by Ben Hutchings

Subject: [PATCH 3.2 107/152] cris: buggered copy_from_user/copy_to_user/clear_user

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.

* copy_from_user() on access_ok() failure ought to zero the destination
* none of those primitives should skip the access_ok() check in case of
small constant size.

Acked-by: Jesper Nilsson <[email protected]>
Signed-off-by: Al Viro <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/cris/include/asm/uaccess.h | 71 +++++++++++++++++++----------------------
1 file changed, 32 insertions(+), 39 deletions(-)

--- a/arch/cris/include/asm/uaccess.h
+++ b/arch/cris/include/asm/uaccess.h
@@ -176,30 +176,6 @@ extern unsigned long __copy_user(void __
extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
extern unsigned long __do_clear_user(void __user *to, unsigned long n);

-static inline unsigned long
-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
-{
- if (access_ok(VERIFY_WRITE, to, n))
- return __copy_user(to,from,n);
- return n;
-}
-
-static inline unsigned long
-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
-{
- if (access_ok(VERIFY_READ, from, n))
- return __copy_user_zeroing(to,from,n);
- return n;
-}
-
-static inline unsigned long
-__generic_clear_user(void __user *to, unsigned long n)
-{
- if (access_ok(VERIFY_WRITE, to, n))
- return __do_clear_user(to,n);
- return n;
-}
-
static inline long
__strncpy_from_user(char *dst, const char __user *src, long count)
{
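Review bot: removing the three __generic_* helpers is fine for this header, but they are plain static inlines that other arch/cris code could have called directly; a grep for __generic_copy_to_user, __generic_copy_from_user and __generic_clear_user across arch/cris/ (both variants and their lib/ directories) would confirm the backport still builds.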
@@ -262,7 +238,7 @@ __constant_copy_from_user(void *to, cons
else if (n == 24)
__asm_copy_from_user_24(to, from, ret);
else
- ret = __generic_copy_from_user(to, from, n);
+ ret = __copy_user_zeroing(to, from, n);

return ret;
}
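Review bot: with `ret = __copy_user_zeroing(to, from, n);` replacing the __generic_ call, __constant_copy_from_user() no longer performs access_ok() on its fallback path; that is correct only because the new copy_from_user() wrapper does the check first, so any remaining direct caller of __constant_copy_from_user() (or of the matching __constant_copy_to_user()/__constant_clear_user() changed below) must be an underscore variant that already trusts its caller. A one-line comment above these functions saying they assume access_ok() has been done would stop a future caller from reintroducing the hole.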
@@ -312,7 +288,7 @@ __constant_copy_to_user(void __user *to,
else if (n == 24)
__asm_copy_to_user_24(to, from, ret);
else
- ret = __generic_copy_to_user(to, from, n);
+ ret = __copy_user(to, from, n);

return ret;
}
@@ -344,26 +320,43 @@ __constant_clear_user(void __user *to, u
else if (n == 24)
__asm_clear_24(to, ret);
else
- ret = __generic_clear_user(to, n);
+ ret = __do_clear_user(to, n);

return ret;
}


-#define clear_user(to, n) \
-(__builtin_constant_p(n) ? \
- __constant_clear_user(to, n) : \
- __generic_clear_user(to, n))
-
-#define copy_from_user(to, from, n) \
-(__builtin_constant_p(n) ? \
- __constant_copy_from_user(to, from, n) : \
- __generic_copy_from_user(to, from, n))
-
-#define copy_to_user(to, from, n) \
-(__builtin_constant_p(n) ? \
- __constant_copy_to_user(to, from, n) : \
- __generic_copy_to_user(to, from, n))
+static inline size_t clear_user(void __user *to, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+ return n;
+ if (__builtin_constant_p(n))
+ return __constant_clear_user(to, n);
+ else
+ return __do_clear_user(to, n);
+}
+
+static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_READ, from, n))) {
+ memset(to, 0, n);
+ return n;
+ }
+ if (__builtin_constant_p(n))
+ return __constant_copy_from_user(to, from, n);
+ else
+ return __copy_user_zeroing(to, from, n);
+}
+
+static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+ return n;
+ if (__builtin_constant_p(n))
+ return __constant_copy_to_user(to, from, n);
+ else
+ return __copy_user(to, from, n);
+}

/* We let the __ versions of copy_from/to_user inline, because they're often
* used in fast paths and have only a small space overhead.
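Review bot: the new wrappers return `size_t` and take `size_t n`, while `__copy_user`, `__copy_user_zeroing` and `__do_clear_user` (declared at the top of this file) return `unsigned long`, as does the generic kernel API; both are 32-bit on cris so nothing is truncated, but matching the `unsigned long` signature would avoid width warnings in callers that compare against `unsigned long`. The `memset(to, 0, n)` on access_ok() failure in copy_from_user() is the security-relevant part and matches the commit message. Note that `__builtin_constant_p(n)` only resolves inside these inlines if the compiler actually inlines them; when it does not, the generic path is still correct, just slower.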

2016-11-14 03:04:07

by Ben Hutchings

Subject: [PATCH 3.2 090/152] x86/paravirt: Do not trace _paravirt_ident_*() functions

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steven Rostedt <[email protected]>

commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream.

Łukasz Daniluk reported that on a RHEL kernel his machine would lock up
after enabling function tracer. I asked him to bisect the functions within
available_filter_functions, which he did and it came down to three:

_paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()

It was found that this is only an issue when noreplace-paravirt is added
to the kernel command line.

This means that those functions are most likely called within critical
sections of the function tracer, and must not be traced.

In newer kernels _paravirt_nop() is defined within gcc asm(), and is no
longer an issue. But both _paravirt_ident_{32,64}() cause the
following splat when they are traced:

mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
Modules linked in: e1000e
CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
RIP: 0010:[<ffffffff81134148>] [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
Call Trace:
_raw_spin_lock+0x27/0x30
handle_pte_fault+0x13db/0x16b0
handle_mm_fault+0x312/0x670
__do_page_fault+0x1b1/0x4e0
do_page_fault+0x22/0x30
page_fault+0x28/0x30
__vfs_read+0x28/0xe0
vfs_read+0x86/0x130
SyS_read+0x46/0xa0
entry_SYSCALL_64_fastpath+0x1e/0xa8
Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b

Reported-by: Łukasz Daniluk <[email protected]>
Signed-off-by: Steven Rostedt <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/paravirt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -52,12 +52,12 @@ asm (".pushsection .entry.text, \"ax\"\n
".popsection");

/* identity function, which can be inlined */
-u32 _paravirt_ident_32(u32 x)
+u32 notrace _paravirt_ident_32(u32 x)
{
return x;
}

-u64 _paravirt_ident_64(u64 x)
+u64 notrace _paravirt_ident_64(u64 x)
{
return x;
}
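Review bot: the comment "identity function, which can be inlined" above _paravirt_ident_32() now sits on a function whose only purpose is to be called indirectly through paravirt_ops (and hence never inlined there), and the hunk adds `notrace` without saying why; a short comment that these are invoked from inside the function tracer's own path (per the commit message) and therefore must not be traced would stop the next reader from removing the annotation. The asm(".pushsection .entry.text ...") context at the top of the hunk suggests the asm-defined nop is already present in this tree, so the commit message's remark about _paravirt_nop() likely holds for 3.2 as well; worth stating in the backport note.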

2016-11-14 03:04:04

by Ben Hutchings

Subject: [PATCH 3.2 108/152] frv: fix clear_user()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.

It should check access_ok(). Otherwise a bunch of places turn into
trivially exploitable rootholes.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/frv/include/asm/uaccess.h | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/frv/include/asm/uaccess.h
+++ b/arch/frv/include/asm/uaccess.h
@@ -263,19 +263,25 @@ do { \
extern long __memset_user(void *dst, unsigned long count);
extern long __memcpy_user(void *dst, const void *src, unsigned long count);

-#define clear_user(dst,count) __memset_user(____force(dst), (count))
+#define __clear_user(dst,count) __memset_user(____force(dst), (count))
#define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n))
#define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n))

#else

-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
+#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
#define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0)
#define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0)

#endif

-#define __clear_user clear_user
+static inline unsigned long __must_check
+clear_user(void __user *to, unsigned long n)
+{
+ if (likely(__access_ok(to, n)))
+ n = __clear_user(to, n);
+ return n;
+}

static inline unsigned long __must_check
__copy_to_user(void __user *to, const void *from, unsigned long n)
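Review bot: the new clear_user() uses `__access_ok(to, n)` rather than the `access_ok(VERIFY_WRITE, to, n)` form used elsewhere; since the hunk spans both the MMU branch and the `#else` branch (where __clear_user() is a memset that always yields 0), confirm __access_ok() is defined with that two-argument signature in both configurations, or use access_ok() so the header cannot fail to build for the other variant. The `__must_check` annotation is a good addition: the commit message's point is that without access_ok() a user-supplied pointer into kernel memory gets zeroed, and this will flag callers that discard the return value.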

2016-11-14 03:06:23

by Ben Hutchings

Subject: [PATCH 3.2 078/152] iio: accel: kxsd9: Fix raw read return

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Linus Walleij <[email protected]>

commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.

Any readings from the raw interface of the KXSD9 driver will
return an empty string, because it does not return
IIO_VAL_INT but rather some random value from the accelerometer
to the caller.

Signed-off-by: Linus Walleij <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/iio/accel/kxsd9.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/staging/iio/accel/kxsd9.c
+++ b/drivers/staging/iio/accel/kxsd9.c
@@ -163,6 +163,7 @@ static int kxsd9_read_raw(struct iio_dev
if (ret < 0)
goto error_ret;
*val = ret;
+ ret = IIO_VAL_INT;
break;
case (1 << IIO_CHAN_INFO_SCALE_SHARED):
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
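Review bot: `ret = IIO_VAL_INT;` fixes only the raw-value arm; the `case (1 << IIO_CHAN_INFO_SCALE_SHARED):` arm that follows also starts with an `spi_w8r8()` whose result lands in `ret`, so check that arm ends by setting `ret` to the appropriate IIO_VAL_* constant rather than leaking the SPI byte as the return code in the same way.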

2016-11-14 03:06:39

by Ben Hutchings

Subject: [PATCH 3.2 043/152] ceph: Correctly return NXIO errors from ceph_llseek

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Phil Turnbull <[email protected]>

commit 955818cd5b6c4b58ea574ace4573e7afa4c19c1e upstream.

ceph_llseek does not correctly return NXIO errors because the 'out' path
always returns 'offset'.

Fixes: 06222e491e66 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
Signed-off-by: Phil Turnbull <[email protected]>
Signed-off-by: Yan, Zheng <[email protected]>
[bwh: Backported to 3.2:
- We don't use vfs_setpos(); instead set ret = -EINVAL or ret = offset
directly
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ceph/file.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)

--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -793,17 +793,15 @@ out:
static loff_t ceph_llseek(struct file *file, loff_t offset, int origin)
{
struct inode *inode = file->f_mapping->host;
- int ret;
+ loff_t ret;

mutex_lock(&inode->i_mutex);
__ceph_do_pending_vmtruncate(inode);

if (origin == SEEK_END || origin == SEEK_DATA || origin == SEEK_HOLE) {
ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE);
- if (ret < 0) {
- offset = ret;
+ if (ret < 0)
goto out;
- }
}

switch (origin) {
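Review bot: changing `ret` to `loff_t` and dropping `offset = ret;` means every path that reaches `out:` must now assign `ret` itself, including the SEEK_DATA/SEEK_HOLE `-ENXIO` paths inside this switch that the fix is about but that are not in the diff; confirm those set `ret = -ENXIO` (not `offset`), otherwise `ret` is returned uninitialised and the compiler may warn. Assigning the `int` result of ceph_do_getattr() to a `loff_t` sign-extends, so the `ret < 0` test still works.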
@@ -818,7 +816,7 @@ static loff_t ceph_llseek(struct file *f
* write() or lseek() might have altered it
*/
if (offset == 0) {
- offset = file->f_pos;
+ ret = file->f_pos;
goto out;
}
offset += file->f_pos;
@@ -839,7 +837,7 @@ static loff_t ceph_llseek(struct file *f
}

if (offset < 0 || offset > inode->i_sb->s_maxbytes) {
- offset = -EINVAL;
+ ret = -EINVAL;
goto out;
}

@@ -848,10 +846,11 @@ static loff_t ceph_llseek(struct file *f
file->f_pos = offset;
file->f_version = 0;
}
+ ret = offset;

out:
mutex_unlock(&inode->i_mutex);
- return offset;
+ return ret;
}

const struct file_operations ceph_file_fops = {

2016-11-14 03:07:00

by Ben Hutchings

Subject: [PATCH 3.2 041/152] l2tp: Correctly return -EBADF from pppol2tp_getname.

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "[email protected]" <[email protected]>

commit 4ac36a4adaf80013a60013d6f829f5863d5d0e05 upstream.

If 'tunnel' is NULL we should return -EBADF but the 'end_put_sess' path
unconditionally sets 'error' back to zero. Rework the error path so it
more closely matches pppol2tp_sendmsg.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Phil Turnbull <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/l2tp/l2tp_ppp.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -914,10 +914,8 @@ static int pppol2tp_getname(struct socke

pls = l2tp_session_priv(session);
tunnel = l2tp_sock_to_tunnel(pls->tunnel_sock);
- if (tunnel == NULL) {
- error = -EBADF;
+ if (tunnel == NULL)
goto end_put_sess;
- }

inet = inet_sk(tunnel->sock);
if (tunnel->version == 2) {
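Review bot: dropping `error = -EBADF;` at the `tunnel == NULL` check makes this path's return value depend on `error` already holding -EBADF from the preceding session lookup (the pattern pppol2tp_sendmsg uses, per the commit message); that assignment is outside the hunk, so confirm it is present in the 3.2 function body, or keep the explicit assignment, since the whole point of the patch is that this path currently returns the wrong value.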
@@ -955,12 +953,11 @@ static int pppol2tp_getname(struct socke
}

*usockaddr_len = len;
+ error = 0;

sock_put(pls->tunnel_sock);
end_put_sess:
sock_put(sk);
- error = 0;
-
end:
return error;
}
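Review bot: moving `error = 0;` up to the success path and removing it from `end_put_sess:` changes the return value of every `goto end_put_sess` between the two hunks (the version 2/3 address-building code), not just the tunnel-NULL one; that is the intended fix, but verify none of those intermediate jumps is a success case that relied on the label zeroing `error`.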

2016-11-14 03:07:09

by Ben Hutchings

Subject: [PATCH 3.2 016/152] x86/quirks: Reintroduce scanning of secondary buses

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <[email protected]>

commit 850c321027c2e31d0afc71588974719a4b565550 upstream.

We used to scan secondary buses until the following commit that
was applied in 2009:

8659c406ade3 ("x86: only scan the root bus in early PCI quirks")

which commit constrained early quirks to the root bus only. Its
motivation was to prevent application of the nvidia_bugs quirk
on secondary buses.

We're about to add a quirk to reset the Broadcom 4331 wireless card on
2011/2012 Macs, which is located on a secondary bus behind a PCIe root
port. To facilitate that, reintroduce scanning of secondary buses.

The commit message of 8659c406ade3 notes that scanning only the root bus
"saves quite some unnecessary scanning work". The algorithm used prior
to 8659c406ade3 was particularly time consuming because it scanned
buses 0 to 31 brute force. To avoid lengthening boot time, employ a
recursive strategy which only scans buses that are actually reachable
from the root bus.

Yinghai Lu pointed out that the secondary bus number read from a
bridge's config space may be invalid, in particular a value of 0 would
cause an infinite loop. The PCI core goes beyond that and recurses to a
child bus only if its bus number is greater than the parent bus number
(see pci_scan_bridge()). Since the root bus is numbered 0, this implies
that secondary buses may not be 0. Do the same on early scanning.

If this algorithm is found to significantly impact boot time or cause
infinite loops on broken hardware, it would be possible to limit its
recursion depth: The Broadcom 4331 quirk applies at depth 1, all others
at depth 0, so the bus need not be scanned deeper than that for now. An
alternative approach would be to revert to scanning only the root bus,
and apply the Broadcom 4331 quirk to the root ports 8086:1c12, 8086:1e12
and 8086:1e16. Apple always positioned the card behind either of these
three ports. The quirk would then check presence of the card in slot 0
below the root port and do its deed.

Signed-off-by: Lukas Wunner <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Bjorn Helgaas <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Yinghai Lu <[email protected]>
Cc: [email protected]
Link: http://lkml.kernel.org/r/f0daa70dac1a9b2483abdb31887173eb6ab77bdf.1465690253.git.lukas@wunner.de
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/early-quirks.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)

--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -211,12 +211,6 @@ struct chipset {
void (*f)(int num, int slot, int func);
};

-/*
- * Only works for devices on the root bus. If you add any devices
- * not on bus 0 readd another loop level in early_quirks(). But
- * be careful because at least the Nvidia quirk here relies on
- * only matching on bus 0.
- */
static struct chipset early_qrk[] __initdata = {
{ PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID,
PCI_CLASS_BRIDGE_PCI, PCI_ANY_ID, QFLAG_APPLY_ONCE, nvidia_bugs },
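Review bot: the comment being removed here carried a real warning that `nvidia_bugs` relies on only being matched on bus 0, and the hunk replaces it with nothing; now that secondary buses are scanned (later in this patch), an NVIDIA PCI-to-PCI bridge behind a root port can match this entry, and QFLAG_APPLY_ONCE only limits how many times the quirk runs, not which bus it runs on. Either keep a comment stating that nvidia_bugs() must itself check for bus 0, or make sure the function does so in this backport.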
@@ -231,6 +225,8 @@ static struct chipset early_qrk[] __init
{}
};

+static void __init early_pci_scan_bus(int bus);
+
/**
* check_dev_quirk - apply early quirks to a given PCI device
* @num: bus number
@@ -239,7 +235,7 @@ static struct chipset early_qrk[] __init
*
* Check the vendor & device ID against the early quirks table.
*
- * If the device is single function, let early_quirks() know so we don't
+ * If the device is single function, let early_pci_scan_bus() know so we don't
* poke at this device again.
*/
static int __init check_dev_quirk(int num, int slot, int func)
@@ -248,6 +244,7 @@ static int __init check_dev_quirk(int nu
u16 vendor;
u16 device;
u8 type;
+ u8 sec;
int i;

class = read_pci_config_16(num, slot, func, PCI_CLASS_DEVICE);
@@ -275,25 +272,36 @@ static int __init check_dev_quirk(int nu

type = read_pci_config_byte(num, slot, func,
PCI_HEADER_TYPE);
+
+ if ((type & 0x7f) == PCI_HEADER_TYPE_BRIDGE) {
+ sec = read_pci_config_byte(num, slot, func, PCI_SECONDARY_BUS);
+ if (sec > num)
+ early_pci_scan_bus(sec);
+ }
+
if (!(type & 0x80))
return -1;

return 0;
}

-void __init early_quirks(void)
+static void __init early_pci_scan_bus(int bus)
{
int slot, func;

- if (!early_pci_allowed())
- return;
-
/* Poor man's PCI discovery */
- /* Only scan the root bus */
for (slot = 0; slot < 32; slot++)
for (func = 0; func < 8; func++) {
/* Only probe function 0 on single fn devices */
- if (check_dev_quirk(0, slot, func))
+ if (check_dev_quirk(bus, slot, func))
break;
}
}
+
+void __init early_quirks(void)
+{
+ if (!early_pci_allowed())
+ return;
+
+ early_pci_scan_bus(0);
+}
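Review bot: in the bridge-following block, `(type & 0x7f) == PCI_HEADER_TYPE_BRIDGE` descends only PCI-to-PCI bridges (CardBus bridges, header type 2, are not followed), and the only cycle guard is `sec > num`; that bounds the recursion depth to the 255 possible bus numbers and handles the `sec == 0` case from the commit message, but two bridges on one bus reporting the same secondary bus number will have that bus scanned twice, which matters for any entry without QFLAG_APPLY_ONCE. A comment stating both assumptions, or the depth argument the commit message describes as the escape hatch, would make the recursion check_dev_quirk() -> early_pci_scan_bus() -> check_dev_quirk() easier to trust. Note also that the recursion happens before the single-function `type & 0x80` test, so a bridge at function 0 of a single-function device is still followed, and that early_quirks() still seeds only bus 0, so additional root buses are not scanned, as before.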

2016-11-14 03:07:15

by Ben Hutchings

Subject: [PATCH 3.2 030/152] crypto: scatterwalk - Fix test in scatterwalk_done

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <[email protected]>

commit 5f070e81bee35f1b7bd1477bb223a873ff657803 upstream.

When there is more data to be processed, the current test in
scatterwalk_done may prevent us from calling pagedone even when
we should.

In particular, if we're on an SG entry spanning multiple pages
where the last page is not a full page, we will incorrectly skip
calling pagedone on the second last page.

This patch fixes this by adding a separate test for whether we've
reached the end of a page.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
crypto/scatterwalk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct

void scatterwalk_done(struct scatter_walk *walk, int out, int more)
{
- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
+ if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
+ !(walk->offset & (PAGE_SIZE - 1)))
scatterwalk_pagedone(walk, out, more);
}
EXPORT_SYMBOL_GPL(scatterwalk_done);
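Review bot: the new middle test `walk->offset >= walk->sg->offset + walk->sg->length` compares walk->offset against the SG entry's end, which is only right because walk->offset is an absolute offset into the entry's page array that already includes sg->offset (scatterwalk_start() seeds it from sg->offset); the old test used the derived scatterwalk_pagelen() and never exposed that detail, so a short comment here would stop a reader from "fixing" it as an off-by-sg->offset. Putting `!more` first also short-circuits the two new field reads, which is fine since pagedone is unconditional in that case.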

2016-11-14 03:06:50

by Ben Hutchings

Subject: [PATCH 3.2 053/152] dm flakey: error READ bios during the down_interval

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <[email protected]>

commit 99f3c90d0d85708e7401a81ce3314e50bf7f2819 upstream.

When the corrupt_bio_byte feature was introduced it caused READ bios to
no longer be errored with -EIO during the down_interval. This had to do
with the complexity of needing to submit READs if the corrupt_bio_byte
feature was used.

Fix it so READ bios are properly errored with -EIO; doing so early in
flakey_map() as long as there isn't a match for the corrupt_bio_byte
feature.

Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature")
Reported-by: Akira Hayakawa <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
[bwh: Backported to 3.2: in flakey_end_io(), keep using
bio_submitted_while_down instead of pb->bio_submitted]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/dm-flakey.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -279,10 +279,16 @@ static int flakey_map(struct dm_target *
map_context->ll = 1;

/*
- * Map reads as normal.
+ * Map reads as normal only if corrupt_bio_byte set.
*/
- if (bio_data_dir(bio) == READ)
- goto map_bio;
+ if (bio_data_dir(bio) == READ) {
+ /* If flags were specified, only corrupt those that match. */
+ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+ all_corrupt_bio_flags_match(bio, fc))
+ goto map_bio;
+ else
+ return -EIO;
+ }

/*
* Drop writes?
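Review bot: the updated comment "Map reads as normal only if corrupt_bio_byte set." understates the condition directly below it, which also requires `fc->corrupt_bio_rw == READ` and `all_corrupt_bio_flags_match(bio, fc)`; reads that fail any of the three now get `-EIO` straight from flakey_map(), and the comment should say so, since that is the behaviour change the patch is about.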
@@ -321,12 +327,13 @@ static int flakey_end_io(struct dm_targe

/*
* Corrupt successful READs while in down state.
- * If flags were specified, only corrupt those that match.
*/
- if (fc->corrupt_bio_byte && !error && bio_submitted_while_down &&
- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
- all_corrupt_bio_flags_match(bio, fc))
- corrupt_bio_data(bio, fc);
+ if (!error && bio_submitted_while_down && (bio_data_dir(bio) == READ)) {
+ if (fc->corrupt_bio_byte)
+ corrupt_bio_data(bio, fc);
+ else
+ return -EIO;
+ }

return error;
}
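Review bot: this hunk drops the `corrupt_bio_rw == READ` and `all_corrupt_bio_flags_match()` conditions from the corruption branch, so any READ that completes successfully while down is corrupted; that only stays correct because flakey_map() (previous hunk) now errors non-matching READs before they are submitted, so they never reach end_io with `!error`. The `else return -EIO;` branch is likewise only reachable if a READ was mapped while down without corrupt_bio_byte set, which flakey_map() no longer allows; a comment marking it as defensive, and moving the removed "If flags were specified..." comment to flakey_map(), would keep the two halves easier to reconcile.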

2016-11-14 03:06:48

by Ben Hutchings

Subject: [PATCH 3.2 048/152] tcp: consider recv buf for the initial window scale

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Soheil Hassas Yeganeh <[email protected]>

commit f626300a3e776ccc9671b0dd94698fb3aa315966 upstream.

tcp_select_initial_window() intends to advertise a window
scaling for the maximum possible window size. To do so,
it considers the maximum of net.ipv4.tcp_rmem[2] and
net.core.rmem_max as the only possible upper-bounds.
However, users with CAP_NET_ADMIN can use SO_RCVBUFFORCE
to set the socket's receive buffer size to values
larger than net.ipv4.tcp_rmem[2] and net.core.rmem_max.
Thus, SO_RCVBUFFORCE is effectively ignored by
tcp_select_initial_window().

To fix this, consider the maximum of net.ipv4.tcp_rmem[2],
net.core.rmem_max and socket's initial buffer space.

Fixes: b0573dea1fb3 ("[NET]: Introduce SO_{SND,RCV}BUFFORCE socket options")
Signed-off-by: Soheil Hassas Yeganeh <[email protected]>
Suggested-by: Neal Cardwell <[email protected]>
Acked-by: Neal Cardwell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/tcp_output.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -220,7 +220,8 @@ void tcp_select_initial_window(int __spa
/* Set window scaling on max possible window
* See RFC1323 for an explanation of the limit to 14
*/
- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+ space = max_t(u32, space, sysctl_tcp_rmem[2]);
+ space = max_t(u32, space, sysctl_rmem_max);
space = min_t(u32, space, *window_clamp);
while (space > 65535 && (*rcv_wscale) < 14) {
space >>= 1;
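Review bot: `space` here is the function's `int __space` parameter (the socket's initial buffer space the commit message wants honoured), and max_t(u32, ...) casts it; a negative value would dominate both max_t() calls and drive wscale to 14, so it is worth checking that every caller feeds a non-negative tcp_space()/tcp_full_space() result. Splitting the old single max into two sequential max_t() calls is fine and has no functional cost.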

2016-11-14 03:06:43

by Ben Hutchings

Subject: [PATCH 3.2 045/152] drm/radeon: fix firmware info version checks

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit 3edc38a0facef45ee22af8afdce3737f421f36ab upstream.

Some of the checks didn't handle frev 2 tables properly.

Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/radeon/radeon_atombios.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -1138,7 +1138,7 @@ bool radeon_atom_get_clock_info(struct d
le16_to_cpu(firmware_info->info.usReferenceClock);
p1pll->reference_div = 0;

- if (crev < 2)
+ if ((frev < 2) && (crev < 2))
p1pll->pll_out_min =
le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
else
@@ -1147,7 +1147,7 @@ bool radeon_atom_get_clock_info(struct d
p1pll->pll_out_max =
le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);

- if (crev >= 4) {
+ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
p1pll->lcd_pll_out_min =
le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
if (p1pll->lcd_pll_out_min == 0)
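Review bot: `if (((frev < 2) && (crev >= 4)) || (frev >= 2))` reads more easily as `if (frev >= 2 || crev >= 4)` (same truth table), and the first hunk's `(frev < 2) && (crev < 2)` is its intended complement for the frev 2 case. Both branches read the frev 2 table through `firmware_info->info_14`; a comment that the V2.x firmware-info layout shares the LCD PLL fields with V1.4 would justify that union access for readers without the AtomBIOS headers open.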

2016-11-14 03:06:37

by Ben Hutchings

Subject: [PATCH 3.2 077/152] USB: serial: option: add WeTelecom WM-D200

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Aleksandr Makarov <[email protected]>

commit 6695593e4a7659db49ac6eca98c164f7b5589f72 upstream.

Add support for WeTelecom WM-D200.

T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=22de ProdID=6801 Rev=00.00
S: Manufacturer=WeTelecom Incorporated
S: Product=WeTelecom Mobile Products
C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Signed-off-by: Aleksandr Makarov <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/option.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -512,6 +512,10 @@ static void option_instat_callback(struc
#define VIATELECOM_VENDOR_ID 0x15eb
#define VIATELECOM_PRODUCT_CDS7 0x0001

+/* WeTelecom products */
+#define WETELECOM_VENDOR_ID 0x22de
+#define WETELECOM_PRODUCT_WMD200 0x6801
+
/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
OPTION_BLACKLIST_NONE = 0,
@@ -1948,6 +1952,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
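Review bot: the neighbouring D-Link entry carries an inline `/* ... */` device comment and the new WeTelecom line does not; add `/* WeTelecom WM-D200 */` for consistency. Matching with USB_DEVICE_AND_INTERFACE_INFO(..., 0xff, 0xff, 0xff) rather than plain USB_DEVICE is what keeps interface 3 (Cls=08 storage, already bound to usb-storage in the descriptor dump above) out of this driver, so that choice is correct and should not be "simplified".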

2016-11-14 03:06:31

by Ben Hutchings

Subject: [PATCH 3.2 089/152] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <[email protected]>

commit 11749e086b2766cccf6217a527ef5c5604ba069c upstream.

I got this with syzkaller:

==================================================================
BUG: KASAN: null-ptr-deref on address 0000000000000020
Read of size 32 by task syz-executor/22519
CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
Call Trace:
[<ffffffff81f9f141>] dump_stack+0x83/0xb2
[<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
[<ffffffff8161ff74>] kasan_report+0x34/0x40
[<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
[<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
[<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
[<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
[<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
[<ffffffff8127c278>] ? do_group_exit+0x108/0x330
[<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
[<ffffffff81674dfe>] __vfs_read+0x10e/0x550
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
[<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
[<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
[<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
[<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
[<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
[<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
[<ffffffff81675355>] vfs_read+0x115/0x330
[<ffffffff81676371>] SyS_read+0xd1/0x1a0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
[<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
[<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
==================================================================

There are a couple of problems that I can see:

- ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
would get a NULL pointer dereference like the above splat

- the same ioctl() can free tu->queue/tu->tqueue which means read()
could potentially see (and dereference) the freed pointer

We can fix both by taking the ioctl_lock mutex when dereferencing
->queue/->tqueue, since that's always held over all the ioctl() code.

Just looking at the code I find it likely that there are more problems
here such as tu->qhead pointing outside the buffer if the size is
changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.

Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/timer.c | 2 ++
1 file changed, 2 insertions(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1941,6 +1941,7 @@ static ssize_t snd_timer_user_read(struc
tu->qused--;
spin_unlock_irq(&tu->qlock);

+ mutex_lock(&tu->ioctl_lock);
if (tu->tread) {
if (copy_to_user(buffer, &tu->tqueue[qhead],
sizeof(struct snd_timer_tread)))
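
Review bot: the mutex is taken only after spin_unlock_irq(&tu->qlock), which is required because mutex_lock() can sleep, but it also means qhead and the tu->qused-- bookkeeping were computed under qlock before ioctl_lock is held; an ioctl() that frees or resizes tqueue can still run in the window between the two locks, so the index used at `copy_to_user(buffer, &tu->tqueue[qhead], ...)` is not guaranteed to lie inside the queue the mutex now protects. This matches the caveat in the commit message about SNDRV_TIMER_IOCTL_PARAMS; it should be recorded in a comment above the mutex_lock() so a later reader does not assume the lock closes the race completely.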
@@ -1950,6 +1951,7 @@ static ssize_t snd_timer_user_read(struc
sizeof(struct snd_timer_read)))
err = -EFAULT;
}
+ mutex_unlock(&tu->ioctl_lock);

spin_lock_irq(&tu->qlock);
if (err < 0)
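
Review bot: mutex_unlock(&tu->ioctl_lock) is correctly placed before spin_lock_irq(&tu->qlock) is retaken, so the two locks are never nested in this function and no qlock -> ioctl_lock ordering is introduced. Worth a sentence in the commit message that ioctl_lock may now be held across a copy_to_user() page fault, which lengthens the time an ioctl() caller can block; acceptable for this slow path, but it is a new property of the lock.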

2016-11-14 03:06:28

by Ben Hutchings

Subject: [PATCH 3.2 042/152] Input: i8042 - break load dependency between atkbd/psmouse and i8042

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <[email protected]>

commit 4097461897df91041382ff6fcd2bfa7ee6b2448c upstream.

As explained in [email protected] we
have a hard load dependency between i8042 and atkbd which prevents
keyboard from working on Gen2 Hyper-V VMs.

> hyperv_keyboard invokes serio_interrupt(), which needs a valid serio
> driver like atkbd.c. atkbd.c depends on libps2.c because it invokes
> ps2_command(). libps2.c depends on i8042.c because it invokes
> i8042_check_port_owner(). As a result, hyperv_keyboard actually
> depends on i8042.c.
>
> For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a
> Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042=m
> rather than =y, atkbd.ko can't load because i8042.ko can't load(due to
> no i8042 device emulated) and finally hyperv_keyboard can't work and
> the user can't input: https://bugs.archlinux.org/task/39820
> (Ubuntu/RHEL/SUSE aren't affected since they use CONFIG_SERIO_I8042=y)

To break the dependency we move away from using i8042_check_port_owner()
and instead allow the serio port owner to specify a mutex that clients
should use to serialize the PS/2 command stream.

Reported-by: Mark Laws <[email protected]>
Tested-by: Mark Laws <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/input/serio/i8042.c | 16 +---------------
drivers/input/serio/libps2.c | 10 ++++------
include/linux/i8042.h | 6 ------
include/linux/serio.h | 24 +++++++++++++++++++-----
4 files changed, 24 insertions(+), 32 deletions(-)

--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1223,6 +1223,7 @@ static int __init i8042_create_kbd_port(
serio->start = i8042_start;
serio->stop = i8042_stop;
serio->close = i8042_port_close;
+ serio->ps2_cmd_mutex = &i8042_mutex;
serio->port_data = port;
serio->dev.parent = &i8042_platform_device->dev;
strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name));
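
Review bot: the diffstat shows a single insertion in i8042.c and it lands in i8042_create_kbd_port, so only the KBD port gets serio->ps2_cmd_mutex; the AUX (mouse) port set up elsewhere in this file is left with ps2_cmd_mutex NULL and, per the libps2.c hunk in this patch, will fall back to its private ps2dev->cmd_mutex. Before this patch both ports serialised through i8042_lock_chip(); after it, commands on the AUX port no longer exclude commands on the KBD port, which is exactly the shared-hardware case the new serio.h comment describes. The same `serio->ps2_cmd_mutex = &i8042_mutex;` assignment is needed in the AUX port setup.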
@@ -1310,21 +1311,6 @@ static void __devexit i8042_unregister_p
}
}

-/*
- * Checks whether port belongs to i8042 controller.
- */
-bool i8042_check_port_owner(const struct serio *port)
-{
- int i;
-
- for (i = 0; i < I8042_NUM_PORTS; i++)
- if (i8042_ports[i].serio == port)
- return true;
-
- return false;
-}
-EXPORT_SYMBOL(i8042_check_port_owner);
-
static void i8042_free_irqs(void)
{
if (i8042_aux_irq_registered)
--- a/drivers/input/serio/libps2.c
+++ b/drivers/input/serio/libps2.c
@@ -57,19 +57,17 @@ EXPORT_SYMBOL(ps2_sendbyte);

void ps2_begin_command(struct ps2dev *ps2dev)
{
- mutex_lock(&ps2dev->cmd_mutex);
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;

- if (i8042_check_port_owner(ps2dev->serio))
- i8042_lock_chip();
+ mutex_lock(m);
}
EXPORT_SYMBOL(ps2_begin_command);

void ps2_end_command(struct ps2dev *ps2dev)
{
- if (i8042_check_port_owner(ps2dev->serio))
- i8042_unlock_chip();
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;

- mutex_unlock(&ps2dev->cmd_mutex);
+ mutex_unlock(m);
}
EXPORT_SYMBOL(ps2_end_command);
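
Review bot: ps2_begin_command() and ps2_end_command() each re-evaluate `ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex`, so the unlock matches the lock only if the pointer never changes between the two calls; that holds as long as port drivers set ps2_cmd_mutex before registering the port, which the i8042.c hunk does, but a one-line comment stating that requirement would stop a future driver from setting it late. Note also that the per-device cmd_mutex is no longer taken at all when a shared mutex exists; that is fine because the shared mutex is strictly more exclusive, but any code that asserts cmd_mutex is held during a command (lockdep annotations, mutex_is_locked() checks) would need the same ?: selection.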

--- a/include/linux/i8042.h
+++ b/include/linux/i8042.h
@@ -38,7 +38,6 @@ struct serio;
void i8042_lock_chip(void);
void i8042_unlock_chip(void);
int i8042_command(unsigned char *param, int command);
-bool i8042_check_port_owner(const struct serio *);
int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
struct serio *serio));
int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str,
@@ -59,11 +58,6 @@ static inline int i8042_command(unsigned
return -ENODEV;
}

-static inline bool i8042_check_port_owner(const struct serio *serio)
-{
- return false;
-}
-
static inline int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
struct serio *serio))
{
--- a/include/linux/serio.h
+++ b/include/linux/serio.h
@@ -33,7 +33,8 @@ struct serio {

struct serio_device_id id;

- spinlock_t lock; /* protects critical sections from port's interrupt handler */
+ /* Protects critical sections from port's interrupt handler */
+ spinlock_t lock;

int (*write)(struct serio *, unsigned char);
int (*open)(struct serio *);
@@ -42,16 +43,29 @@ struct serio {
void (*stop)(struct serio *);

struct serio *parent;
- struct list_head child_node; /* Entry in parent->children list */
+ /* Entry in parent->children list */
+ struct list_head child_node;
struct list_head children;
- unsigned int depth; /* level of nesting in serio hierarchy */
+ /* Level of nesting in serio hierarchy */
+ unsigned int depth;

- struct serio_driver *drv; /* accessed from interrupt, must be protected by serio->lock and serio->sem */
- struct mutex drv_mutex; /* protects serio->drv so attributes can pin driver */
+ /*
+ * serio->drv is accessed from interrupt handlers; when modifying
+ * caller should acquire serio->drv_mutex and serio->lock.
+ */
+ struct serio_driver *drv;
+ /* Protects serio->drv so attributes can pin current driver */
+ struct mutex drv_mutex;

struct device dev;

struct list_head node;
+
+ /*
+ * For use by PS/2 layer when several ports share hardware and
+ * may get indigestion when exposed to concurrent access (i8042).
+ */
+ struct mutex *ps2_cmd_mutex;
};
#define to_serio_port(d) container_of(d, struct serio, dev)
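
Review bot: the libps2.c hunk treats ps2_cmd_mutex == NULL as "use the per-device mutex", so the new field must be zero-initialised for every port that does not opt in; that is true for ports allocated with kzalloc(), but the comment should say so explicitly and should also say that the pointer must be set before the port is registered. The comment reflows for lock, child_node, depth and drv in this hunk are cosmetic and would be easier to review as a separate patch.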


2016-11-14 03:06:20

by Ben Hutchings

Subject: [PATCH 3.2 044/152] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Howells <[email protected]>

commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.

MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
calling sys_keyctl. The latter will work in a lot of cases, thereby hiding
the issue.

Reported-by: Stephan Mueller <[email protected]>
Signed-off-by: David Howells <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/13832/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/kernel/scall64-n32.S | 2 +-
arch/mips/kernel/scall64-o32.S | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -366,7 +366,7 @@ EXPORT(sysn32_call_table)
PTR sys_ni_syscall /* available, was setaltroot */
PTR sys_add_key
PTR sys_request_key
- PTR sys_keyctl /* 6245 */
+ PTR compat_sys_keyctl /* 6245 */
PTR sys_set_thread_area
PTR sys_inotify_init
PTR sys_inotify_add_watch
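
Review bot: both tables touched here are 32-bit ABIs served by a 64-bit kernel, so routing keyctl through compat_sys_keyctl is right: keyctl(2) is a multiplexer whose later arguments are unsigned longs that several commands interpret as pointers to structures, which is why the non-compat entry "works in a lot of cases" but not all. The neighbouring sys_add_key and sys_request_key entries stay non-compat; that is consistent only because their arguments are plain pointers and sizes, and a reviewer should confirm that rather than treat it as another missed entry.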
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -486,7 +486,7 @@ sys_call_table:
PTR sys_ni_syscall /* available, was setaltroot */
PTR sys_add_key /* 4280 */
PTR sys_request_key
- PTR sys_keyctl
+ PTR compat_sys_keyctl
PTR sys_set_thread_area
PTR sys_inotify_init
PTR sys_inotify_add_watch /* 4285 */

2016-11-14 03:10:04

by Ben Hutchings

Subject: [PATCH 3.2 036/152] MIPS: RM7000: Double locking bug in rm7k_tc_disable()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225 upstream.

We obviously intended to enable IRQs again at the end.

Fixes: 745aef5df1e2 ('MIPS: RM7000: Add support for tertiary cache')
Signed-off-by: Dan Carpenter <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/13815/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/mm/sc-rm7k.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/mm/sc-rm7k.c
+++ b/arch/mips/mm/sc-rm7k.c
@@ -162,7 +162,7 @@ static void rm7k_tc_disable(void)
local_irq_save(flags);
blast_rm7k_tcache();
clear_c0_config(RM7K_CONF_TE);
- local_irq_save(flags);
+ local_irq_restore(flags);
}

static void rm7k_sc_disable(void)
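
Review bot: the second local_irq_save(flags) would both overwrite the saved flags and leave interrupts disabled on return, so replacing it with local_irq_restore(flags) is the only correct fix; the sibling rm7k_sc_disable() that begins in the trailing context follows the same save/blast/clear pattern and is worth checking for the identical copy-and-paste error.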

2016-11-14 03:10:12

by Ben Hutchings

Subject: [PATCH 3.2 029/152] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Amadeusz Sławiński <[email protected]>

commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.

When we retrieve imtu value from userspace we should use 16 bit pointer
cast instead of 32 as it's defined that way in headers. Fixes setsockopt
calls on big-endian platforms.

Signed-off-by: Amadeusz Sławiński <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/bluetooth/l2cap_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -630,7 +630,7 @@ static int l2cap_sock_setsockopt(struct
break;
}

- if (get_user(opt, (u32 __user *) optval)) {
+ if (get_user(opt, (u16 __user *) optval)) {
err = -EFAULT;
break;
}
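
Review bot: with get_user() now reading through a u16 pointer, the local `opt` gets its upper 16 bits zeroed by the assignment, so the result is correct on both endiannesses; the earlier `optlen` validation for BT_RCVMTU (not in this hunk) should be checked to accept sizeof(u16), since a caller passing a 2-byte optval is exactly what this fix is meant to support and a stale sizeof(u32) check would still reject it.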

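Why the pointer width matters on big-endian hosts, as an added illustration that is not part of the patch or the kernel: a small C program that lays out a 16-bit optval the way a little-endian and a big-endian host would, then reads it back through a 16-bit and through a 32-bit load, mirroring the fixed and the buggy get_user() casts above. The two bytes following the 2-byte optval are constructed filler standing in for whatever happens to follow the user buffer; the function and type names are the example's own.

```c
/* Added example (not part of the patch or the kernel): shows why reading a
 * 16-bit socket option through a 32-bit pointer breaks on big-endian hosts.
 * Userspace stores the BT_RCVMTU value as a u16 in a 2-byte optval buffer;
 * the two bytes that follow it in memory are whatever happens to be there
 * (here: constructed filler). A kernel-side get_user() through a u32
 * pointer reads all four bytes. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

enum host_endian { HOST_LE = 0, HOST_BE = 1 };

/* Lay out a u16 in memory the way a host of the given endianness would. */
static void store_u16(uint8_t *dst, uint16_t v, enum host_endian e)
{
    if (e == HOST_BE) {
        dst[0] = (uint8_t)(v >> 8);
        dst[1] = (uint8_t)(v & 0xff);
    } else {
        dst[0] = (uint8_t)(v & 0xff);
        dst[1] = (uint8_t)(v >> 8);
    }
}

/* What get_user(opt, (u16 __user *)optval) yields: the fixed version. */
static uint32_t load_as_u16(const uint8_t *src, enum host_endian e)
{
    if (e == HOST_BE)
        return ((uint32_t)src[0] << 8) | src[1];
    return ((uint32_t)src[1] << 8) | src[0];
}

/* What get_user(opt, (u32 __user *)optval) yields: the buggy version. */
static uint32_t load_as_u32(const uint8_t *src, enum host_endian e)
{
    if (e == HOST_BE)
        return ((uint32_t)src[0] << 24) | ((uint32_t)src[1] << 16) |
               ((uint32_t)src[2] << 8) | src[3];
    return ((uint32_t)src[3] << 24) | ((uint32_t)src[2] << 16) |
           ((uint32_t)src[1] << 8) | src[0];
}

/* Simulate setsockopt(BT_RCVMTU) with a 2-byte optval followed by two
 * unrelated bytes; return the imtu value the kernel would see. */
uint32_t kernel_reads_imtu(uint16_t user_imtu, uint8_t trailing0,
                           uint8_t trailing1, enum host_endian e, int use_u16)
{
    uint8_t mem[4];

    store_u16(mem, user_imtu, e);
    mem[2] = trailing0;   /* constructed bytes past the end of optval */
    mem[3] = trailing1;
    return use_u16 ? load_as_u16(mem, e) : load_as_u32(mem, e);
}

int main(void)
{
    uint16_t imtu = 672;  /* the default L2CAP MTU, as a sample value */

    printf("LE, u32 read, zero trailing bytes: %" PRIu32 "\n",
           kernel_reads_imtu(imtu, 0x00, 0x00, HOST_LE, 0));
    printf("LE, u32 read, filler trailing:     %" PRIu32 "\n",
           kernel_reads_imtu(imtu, 0x12, 0x34, HOST_LE, 0));
    printf("BE, u32 read, zero trailing bytes: %" PRIu32 "\n",
           kernel_reads_imtu(imtu, 0x00, 0x00, HOST_BE, 0));
    printf("BE, u16 read (fixed):              %" PRIu32 "\n",
           kernel_reads_imtu(imtu, 0x12, 0x34, HOST_BE, 1));
    return 0;
}
```

On the little-endian layout the 32-bit read yields the right MTU only when the trailing bytes happen to be zero, which is why the bug went unnoticed there; on the big-endian layout the user's value lands in the high half and the result is wrong every time, while the 16-bit read is correct on both.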
2016-11-14 03:10:22

by Ben Hutchings

Subject: [PATCH 3.2 018/152] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chuck Lever <[email protected]>

commit 0533b13072f4bf35738290d2cf9e299c7bc6c42a upstream.

If an RPC program does not set vs_dispatch and pc_func() returns
rpc_drop_reply, the server sends a reply anyway containing a single
word containing the value RPC_DROP_REPLY (in network byte-order, of
course). This is a nonsense RPC message.

Fixes: 9e701c610923 ("svcrpc: simpler request dropping")
Signed-off-by: Chuck Lever <[email protected]>
Tested-by: Steve Wise <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1167,7 +1167,7 @@ svc_process_common(struct svc_rqst *rqst
*statp = procp->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);

/* Encode reply */
- if (rqstp->rq_dropme) {
+ if (*statp == rpc_drop_reply || rqstp->rq_dropme) {
if (procp->pc_release)
procp->pc_release(rqstp, NULL, rqstp->rq_resp);
goto dropit;
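
Review bot: the new test depends on rpc_drop_reply being a sentinel that no procedure returns as a legitimate status, which the commit message corroborates (the raw RPC_DROP_REPLY word was previously encoded as the reply body); keeping the check ahead of "Encode reply" also guarantees pc_release runs exactly once on the drop path. A short comment that rpc_drop_reply is an in-kernel status, never a wire value, would make that invariant explicit at the point it is relied on.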

2016-11-14 03:10:09

by Ben Hutchings

Subject: [PATCH 3.2 035/152] tty/vt/keyboard: fix OOB access in do_compute_shiftstate()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <[email protected]>

commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream.

The size of an individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas the number of keys/buttons in an input device (and
therefore in key_down) is much larger - KEY_CNT - 768, and that can cause an
out-of-bounds access when we do

sym = U(key_maps[0][k]);

with large 'k'.

To fix it we should not attempt to iterate beyond the smaller of NR_KEYS and
KEY_CNT.

Also, while at it, let's switch to for_each_set_bit() instead of open-coding
it.

Reported-by: Sasha Levin <[email protected]>
Reviewed-by: Guenter Roeck <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/vt/keyboard.c | 30 +++++++++---------------------
1 file changed, 9 insertions(+), 21 deletions(-)

--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -386,34 +386,22 @@ static void to_utf8(struct vc_data *vc,
*/
void compute_shiftstate(void)
{
- unsigned int i, j, k, sym, val;
+ unsigned int k, sym, val;

shift_state = 0;
memset(shift_down, 0, sizeof(shift_down));

- for (i = 0; i < ARRAY_SIZE(key_down); i++) {
-
- if (!key_down[i])
+ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) {
+ sym = U(key_maps[0][k]);
+ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
continue;

- k = i * BITS_PER_LONG;
-
- for (j = 0; j < BITS_PER_LONG; j++, k++) {
-
- if (!test_bit(k, key_down))
- continue;
-
- sym = U(key_maps[0][k]);
- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
- continue;
-
- val = KVAL(sym);
- if (val == KVAL(K_CAPSSHIFT))
- val = KVAL(K_SHIFT);
+ val = KVAL(sym);
+ if (val == KVAL(K_CAPSSHIFT))
+ val = KVAL(K_SHIFT);

- shift_down[val]++;
- shift_state |= (1 << val);
- }
+ shift_down[val]++;
+ shift_state |= BIT(val);
}
}
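
Review bot: bounding the walk at min(NR_KEYS, KEY_CNT) means key codes from NR_KEYS (256) up to KEY_CNT are now ignored for shift-state purposes rather than read out of bounds, which is the correct direction but deserves a comment since key_down itself is still sized for KEY_CNT. Also, `BIT(val)` expands to an unsigned long where the replaced `(1 << val)` was an int, so check that shift_state's type matches and that the implicit narrowing is intended.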


2016-11-14 03:10:19

by Ben Hutchings

Subject: [PATCH 3.2 019/152] NFS: Don't drop CB requests with invalid principals

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chuck Lever <[email protected]>

commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream.

Before commit 778be232a207 ("NFS do not find client in NFSv4
pg_authenticate"), the Linux callback server replied with
RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB
request. Let's restore that behavior so the server has a chance to
do something useful about it, and provide a warning that helps
admins correct the problem.

Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...")
Signed-off-by: Chuck Lever <[email protected]>
Tested-by: Steve Wise <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfs/callback_xdr.c | 6 +++++-
net/sunrpc/svc.c | 5 +++++
2 files changed, 10 insertions(+), 1 deletion(-)

--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -878,7 +878,7 @@ static __be32 nfs4_callback_compound(str
if (hdr_arg.minorversion == 0) {
cps.clp = nfs4_find_client_ident(hdr_arg.cb_ident);
if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
- return rpc_drop_reply;
+ goto out_invalidcred;
}

hdr_res.taglen = hdr_arg.taglen;
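
Review bot: when nfs4_find_client_ident() succeeds but check_gss_callback_principal() fails, cps.clp holds a client reference that the normal path releases with nfs_put_client() (visible in the next hunk), yet both the old `return rpc_drop_reply` and the new `goto out_invalidcred` leave the function without dropping it. This is pre-existing, but since out_invalidcred is a new label it is the natural place to add a NULL-guarded nfs_put_client(cps.clp) instead of carrying the leak forward.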
@@ -905,6 +905,10 @@ static __be32 nfs4_callback_compound(str
nfs_put_client(cps.clp);
dprintk("%s: done, status = %u\n", __func__, ntohl(status));
return rpc_success;
+
+out_invalidcred:
+ pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n");
+ return rpc_autherr_badcred;
}

/*
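
Review bot: the pr_warn_ratelimited() message would be far more useful to the admins the commit message wants to help if it included the failing hdr_arg.cb_ident, which is in scope in this function; as written it only says that some callback carried a bad credential, not which client sent it.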
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1172,6 +1172,11 @@ svc_process_common(struct svc_rqst *rqst
procp->pc_release(rqstp, NULL, rqstp->rq_resp);
goto dropit;
}
+ if (*statp == rpc_autherr_badcred) {
+ if (procp->pc_release)
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto err_bad_auth;
+ }
if (*statp == rpc_success &&
(xdr = procp->pc_encode) &&
!xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) {
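
Review bot: this block duplicates the dropit block immediately above except for the target label; a small helper that calls pc_release and returns the target would keep the two paths from diverging. Also confirm that err_bad_auth resets the reply buffer (resv) before writing the auth error, because pc_func has already run by the time *statp is examined here and may have appended to the response.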

2016-11-14 03:10:15

by Ben Hutchings

Subject: [PATCH 3.2 015/152] x86/quirks: Apply nvidia_bugs quirk only on root bus

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <[email protected]>

commit 447d29d1d3aed839e74c2401ef63387780ac51ed upstream.

Since the following commit:

8659c406ade3 ("x86: only scan the root bus in early PCI quirks")

... early quirks are only applied to devices on the root bus.

The motivation was to prevent application of the nvidia_bugs quirk on
secondary buses.

We're about to reintroduce scanning of secondary buses for a quirk to
reset the Broadcom 4331 wireless card on 2011/2012 Macs. To prevent
regressions, open code the requirement to apply nvidia_bugs only on the
root bus.

Signed-off-by: Lukas Wunner <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Bjorn Helgaas <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Yinghai Lu <[email protected]>
Link: http://lkml.kernel.org/r/4d5477c1d76b2f0387a780f2142bbcdd9fee869b.1465690253.git.lukas@wunner.de
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/early-quirks.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -73,6 +73,13 @@ static void __init nvidia_bugs(int num,
#ifdef CONFIG_ACPI
#ifdef CONFIG_X86_IO_APIC
/*
+ * Only applies to Nvidia root ports (bus 0) and not to
+ * Nvidia graphics cards with PCI ports on secondary buses.
+ */
+ if (num)
+ return;
+
+ /*
* All timer overrides on Nvidia are
* wrong unless HPET is enabled.
* Unfortunately that's not true on many Asus boards.
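
Review bot: the `if (num) return;` sits inside the nested #ifdef CONFIG_ACPI / CONFIG_X86_IO_APIC block, so it only protects the timer-override code that follows within that block; any part of nvidia_bugs() outside those ifdefs will still run for secondary buses once they are scanned again. If that is the intent it deserves a sentence in the new comment; otherwise the check belongs at the top of the function, before the #ifdef.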

2016-11-14 03:11:56

by Ben Hutchings

Subject: [PATCH 3.2 007/152] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <[email protected]>

commit 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 upstream.

This patch fixes an issue where the CFIFOSEL register value can be
changed wrongly by usbhsg_ep_enable(). A data transfer using CFIFO
may then not work correctly.

For example:
# modprobe g_multi file=usb-storage.bin
# ifconfig usb0 192.168.1.1 up
(During the USB host is sending file to the mass storage)
# ifconfig usb0 down

In this case, since the u_ether.c may call usb_ep_enable() in
eth_stop(), if the renesas_usbhs driver is also using CFIFO for
mass storage, the mass storage may not work correctly.

So, this patch adds usbhs_lock() and usbhs_unlock() calls in
usbhsg_ep_enable() to protect the CFIFOSEL register. This is because:
- CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration
- The CFIFOSEL (fifo->sel) is already protected by usbhs_lock()

Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
Signed-off-by: Yoshihiro Shimoda <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/renesas_usbhs/mod_gadget.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -472,6 +472,9 @@ static int usbhsg_ep_enable(struct usb_e
struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
struct usbhs_pipe *pipe;
int ret = -EIO;
+ unsigned long flags;
+
+ usbhs_lock(priv, flags);

/*
* if it already have pipe,
@@ -480,7 +483,8 @@ static int usbhsg_ep_enable(struct usb_e
if (uep->pipe) {
usbhs_pipe_clear(uep->pipe);
usbhs_pipe_sequence_data0(uep->pipe);
- return 0;
+ ret = 0;
+ goto usbhsg_ep_enable_end;
}

pipe = usbhs_pipe_malloc(priv,
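
Review bot: usbhs_lock(priv, flags) is an IRQ-saving spinlock (given the flags variable), and it now covers the entire pipe setup including the usbhs_pipe_malloc() call in this hunk's trailing context; anything on that path that sleeps or allocates with GFP_KERNEL would now run in atomic context, so that call chain should be audited and, if needed, the allocation moved ahead of the lock. Converting the early `return 0` into `goto usbhsg_ep_enable_end` is necessary to avoid returning with the lock held, and the same must be true of every other return in the function, not only the ones shown.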
@@ -508,6 +512,9 @@ static int usbhsg_ep_enable(struct usb_e
ret = 0;
}

+usbhsg_ep_enable_end:
+ usbhs_unlock(priv, flags);
+
return ret;
}


2016-11-14 03:12:02

by Ben Hutchings

Subject: [PATCH 3.2 006/152] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <[email protected]>

commit 4fdef698383db07d829da567e0e405fc41ff3a89 upstream.

This patch fixes an issue where xfer_work() can cause a NULL pointer
dereference if the USB cable is disconnected while a data transfer
is running.

In such a case, a gadget driver may call usb_ep_disable() before
xfer_work() is actually called. In this case, usbhs_pkt_pop()
will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()
in xfer_work() will return NULL.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/renesas_usbhs/fifo.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)

--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -760,15 +760,22 @@ static void usbhsf_dma_prepare_tasklet(u
{
struct usbhs_pkt *pkt = (struct usbhs_pkt *)data;
struct usbhs_pipe *pipe = pkt->pipe;
- struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe);
+ struct usbhs_fifo *fifo;
struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
struct scatterlist sg;
struct dma_async_tx_descriptor *desc;
- struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt);
+ struct dma_chan *chan;
struct device *dev = usbhs_priv_to_dev(priv);
enum dma_data_direction dir;
dma_cookie_t cookie;
+ unsigned long flags;

+ usbhs_lock(priv, flags);
+ fifo = usbhs_pipe_to_fifo(pipe);
+ if (!fifo)
+ goto xfer_work_end;
+
+ chan = usbhsf_dma_chan_get(fifo, pkt);
dir = usbhs_pipe_is_dir_in(pipe) ? DMA_FROM_DEVICE : DMA_TO_DEVICE;

sg_init_table(&sg, 1);
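
Review bot: when usbhs_pipe_to_fifo() returns NULL the function now unlocks and returns silently, so the packet is neither started nor completed; if the gadget layer expects a completion (or an error callback) for a request whose endpoint was disabled mid-transfer, that should be handled here, or a comment should say that usb_ep_disable() has already flushed the queue. Moving `chan = usbhsf_dma_chan_get(fifo, pkt)` below the NULL check is what actually removes the NULL dereference, and deserves the first sentence of the commit message.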
@@ -781,7 +788,7 @@ static void usbhsf_dma_prepare_tasklet(u
DMA_PREP_INTERRUPT |
DMA_CTRL_ACK);
if (!desc)
- return;
+ goto xfer_work_end;

desc->callback = usbhsf_dma_complete;
desc->callback_param = pipe;
@@ -789,7 +796,7 @@ static void usbhsf_dma_prepare_tasklet(u
cookie = desc->tx_submit(desc);
if (cookie < 0) {
dev_err(dev, "Failed to submit dma descriptor\n");
- return;
+ goto xfer_work_end;
}

dev_dbg(dev, " %s %d (%d/ %d)\n",
@@ -797,6 +804,9 @@ static void usbhsf_dma_prepare_tasklet(u

usbhsf_dma_start(pipe, fifo);
dma_async_issue_pending(chan);
+
+xfer_work_end:
+ usbhs_unlock(priv, flags);
}

/*
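
Review bot: the whole DMA preparation path, from descriptor creation with DMA_PREP_INTERRUPT | DMA_CTRL_ACK in the second hunk through desc->tx_submit() and dma_async_issue_pending() here, now runs under usbhs_lock() with interrupts disabled. dmaengine prep and submit are expected to be atomic-safe, so that is normally fine, but since `desc->callback = usbhsf_dma_complete` is set in the second hunk, it must be confirmed that the DMA driver never invokes the completion callback synchronously from tx_submit(), otherwise a completion path that takes usbhs_lock() would deadlock against this tasklet.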

2016-11-14 03:11:59

by Ben Hutchings

Subject: [PATCH 3.2 008/152] Input: xpad - validate USB endpoint count during probe

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Cameron Gutman <[email protected]>

commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.

This prevents a malicious USB device from causing an oops.

Signed-off-by: Cameron Gutman <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/input/joystick/xpad.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -825,6 +825,9 @@ static int xpad_probe(struct usb_interfa
struct usb_endpoint_descriptor *ep_irq_in;
int i, error;

+ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
+ return -ENODEV;
+
for (i = 0; xpad_device[i].idVendor; i++) {
if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
(le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
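
Review bot: checking bNumEndpoints == 2 stops the oops from a device that exposes fewer endpoints, but it does not verify that the endpoint the driver then uses as ep_irq_in (declared in the leading context) is actually an interrupt-IN endpoint; a device with two endpoints of the wrong type or direction would pass this check. Validating each descriptor's type and direction with usb_endpoint_is_int_in() and its sibling helpers before use would close that gap.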

2016-11-14 03:11:53

by Ben Hutchings

Subject: [PATCH 3.2 013/152] ALSA: ctl: Stop notification after disconnection

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit f388cdcdd160687c6650833f286b9c89c50960ff upstream.

snd_ctl_remove() has a notification for the removal event. It's
superfluous when done while the device is being disconnected. Although
the notification itself is mostly harmless, it may potentially be
harmful, and should be suppressed. Actually some components such as PCM may
free ctl elements during the disconnect or free callbacks, thus it's
no theoretical issue.

This patch adds the check of card->shutdown flag for avoiding
unnecessary notifications after (or during) the disconnect.

Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/control.c | 2 ++
1 file changed, 2 insertions(+)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *car

if (snd_BUG_ON(!card || !id))
return;
+ if (card->shutdown)
+ return;
read_lock(&card->ctl_files_rwlock);
#if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE)
card->mixer_oss_change_count++;
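
Review bot: card->shutdown is read here without ctl_files_rwlock or any barrier, so a notification racing with the disconnect can still pass the check and proceed; given the commit message calls the notification "mostly harmless" that is acceptable as a best-effort suppression, but a comment should say so, otherwise a future reader may rely on this check to make the disconnect path safe.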

2016-11-14 03:11:50

by Ben Hutchings

Subject: [PATCH 3.2 012/152] drm/radeon: Poll for both connect/disconnect on analog connectors

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lyude <[email protected]>

commit 14ff8d48f2235295dfb3117693008e367b49cdb5 upstream.

DRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not
disconnections. Because of this, we end up losing hotplug polling for
analog connectors once they get connected.

Easy way to reproduce:
- Grab a machine with a radeon GPU and a VGA port
- Plug a monitor into the VGA port, wait for it to update the connector
from disconnected to connected
- Disconnect the monitor on VGA, a hotplug event is never sent for the
removal of the connector.

Originally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good
idea since doing VGA polling can sometimes result in having to mess with
the DAC voltages to figure out whether or not there's actually something
there since VGA doesn't have HPD. Doing this would have the potential of
showing visible artifacts on the screen every time we ran a poll while a
VGA display was connected. Luckily, radeon_vga_detect() only resorts to
this sort of polling if the poll is forced, and DRM's polling helper
doesn't force its polls.

Additionally, this removes some assignments to connector->polled that
weren't actually doing anything.

Signed-off-by: Lyude <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/radeon/radeon_connectors.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -1589,7 +1589,6 @@ radeon_add_atom_connector(struct drm_dev
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -1787,8 +1786,10 @@ radeon_add_atom_connector(struct drm_dev
}

if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
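
Review bot: the commit message says the removed `connector->polled = DRM_CONNECTOR_POLL_CONNECT` assignments were doing nothing, but that is only true when i2c_bus->valid; for an analog connector whose i2c bus is not valid, the previous code still left polled = DRM_CONNECTOR_POLL_CONNECT from the case branch, whereas after this patch polled is never set on that path. That may well be fine (without DDC there is nothing to poll), but it is a behaviour change and should be stated.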

@@ -1860,7 +1861,6 @@ radeon_add_legacy_connector(struct drm_d
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -1945,10 +1945,13 @@ radeon_add_legacy_connector(struct drm_d
}

if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
+
connector->display_info.subpixel_order = subpixel_order;
drm_sysfs_connector_add(connector);
if (connector_type == DRM_MODE_CONNECTOR_LVDS) {
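
Review bot: the same observation as for radeon_add_atom_connector applies to this legacy path, since the analog case branch no longer sets connector->polled and the `if (i2c_bus->valid)` guard leaves it untouched when the bus is invalid; the added blank line before display_info.subpixel_order is unrelated whitespace that would be cleaner in its own patch.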

2016-11-14 03:11:45

by Ben Hutchings

Subject: [PATCH 3.2 021/152] Bluetooth: Add support of 13d3:3490 AR3012 device

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <[email protected]>

commit 12d868964f7352e8b18e755488f7265a93431de1 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3490 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1600623

Signed-off-by: Dmitry Tunin <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -119,6 +119,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x13d3, 0x3472) },
{ USB_DEVICE(0x13d3, 0x3474) },
{ USB_DEVICE(0x13d3, 0x3487) },
+ { USB_DEVICE(0x13d3, 0x3490) },

/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE02C) },
@@ -184,6 +185,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU22 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -204,6 +204,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },

2016-11-14 03:13:19

by Ben Hutchings

Subject: [PATCH 3.2 003/152] sched/cputime: Fix prev steal time accounting during CPU hotplug

3.2.84-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <[email protected]>

commit 3d89e5478bf550a50c99e93adf659369798263b0 upstream.

Commit:

e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")

... set rq->prev_* to 0 after a CPU hotplug comes back, in order to
fix the case where (after CPU hotplug) steal time is smaller than
rq->prev_steal_time.

However, this should never happen. Steal time was only smaller because of the
KVM-specific bug fixed by the previous patch. Worse, the previous patch
triggers a bug on CPU hot-unplug/plug operation: because
rq->prev_steal_time is cleared, all of the CPU's past steal time will be
accounted again on hot-plug.

Since the root cause has been fixed, we can just revert commit e9532e69b8d1.

Signed-off-by: Wanpeng Li <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Acked-by: Paolo Bonzini <[email protected]>
Cc: Frederic Weisbecker <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Mike Galbraith <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Radim Krčmář <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Fixes: 'commit e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")'
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -2084,19 +2084,6 @@ EXPORT_SYMBOL_GPL(account_system_vtime);

#endif /* CONFIG_IRQ_TIME_ACCOUNTING */

-static inline void account_reset_rq(struct rq *rq)
-{
-#ifdef CONFIG_IRQ_TIME_ACCOUNTING
- rq->prev_irq_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT
- rq->prev_steal_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
- rq->prev_steal_time_rq = 0;
-#endif
-}
-
#ifdef CONFIG_PARAVIRT
static inline u64 steal_ticks(u64 steal)
{
@@ -6869,7 +6856,6 @@ migration_call(struct notifier_block *nf

case CPU_UP_PREPARE:
rq->calc_load_update = calc_load_update;
- account_reset_rq(rq);
break;

case CPU_ONLINE:
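
Review bot: with account_reset_rq() gone, rq->prev_steal_time (and prev_irq_time / prev_steal_time_rq) carry over across a CPU offline/online cycle, which is only safe if steal time can no longer go backwards; the commit message ties that to "the KVM-specific bug fixed by the previous patch", so this backport must only be applied together with that fix in the same 3.2 series, and the [bwh] note would usefully name it.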

2016-11-14 04:05:46

by Ben Hutchings

Subject: Re: [PATCH 3.2 000/152] 3.2.84-rc1 review

This is the combined diff for 3.2.84-rc1 relative to 3.2.83.

Ben.

--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.


Attachments:
linux-3.2.84-rc1.patch (184.08 kB)

2016-11-14 05:47:48

by Guenter Roeck

Subject: Re: [PATCH 3.2 000/152] 3.2.84-rc1 review

On 11/13/2016 04:14 PM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.2.84 release.
> There are 152 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Nov 19 00:00:00 UTC 2016.
> Anything received after that time might be too late.
>

Build results:
total: 89 pass: 89 fail: 0
Qemu test results:
total: 61 pass: 61 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

2016-11-14 15:30:18

by Vegard Nossum

Subject: Re: [PATCH 3.2 009/152] ext4: check for extents that wrap around

On 11/14/2016 01:14 AM, Ben Hutchings wrote:
> 3.2.84-rc1 review patch. If anyone has any objections, please let me know.

Just a general comment on stable review workflow, really:

It might be more useful to send the diff-of-diffs with the upstream
commit so I can easily see if you had any conflicts when cherry-picking
this and how they were resolved.

That's generally much more interesting than just the plain patch, where
I can't really tell if there were any changes at all (or conversely,
much more boring in case there were no changes, and thus easier to
review).

If you could push this commit to git before sending the review, you
could also include a command that I can use to quickly do the
diff-of-diffs myself without having to download and apply the patch (or
look for it), e.g. something like (using the 3.12 stable commit vs
upstream):

"""
diff -yw \
<(echo upstream; git log -p -W f70749c^..f70749c) \
<(echo 3.2; git log -p -W 33234c6^..33234c6)
"""

At least that would make it a lot easier for me (and I suspect other
casual stable contributors) to glance at a stable review email and tell
if the backport is correct or not. It should be pretty easy to script on
your end(s) for the benefit of everybody.

Just my 2 cents. Thanks,


Vegard

> ------------------
>
> From: Vegard Nossum <[email protected]>
>
> commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.
>
> An extent with lblock = 4294967295 and len = 1 will pass the
> ext4_valid_extent() test:
>
> ext4_lblk_t last = lblock + len - 1;
>
> if (len == 0 || lblock > last)
> return 0;
>
> since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
> the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
>
> We can simplify it by removing the - 1 altogether and changing the test
> to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
> lblock and it fails, and if len > 0 then lblock + len > lblock in order
> to pass (i.e. it doesn't overflow).
>
> Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
> Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
> Cc: Eryu Guan <[email protected]>
> Signed-off-by: Phil Turnbull <[email protected]>
> Signed-off-by: Vegard Nossum <[email protected]>
> Signed-off-by: Theodore Ts'o <[email protected]>
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> fs/ext4/extents.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -319,9 +319,13 @@ static int ext4_valid_extent(struct inod
> ext4_fsblk_t block = ext4_ext_pblock(ext);
> int len = ext4_ext_get_actual_len(ext);
> ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
> - ext4_lblk_t last = lblock + len - 1;
>
> - if (len == 0 || lblock > last)
> + /*
> + * We allow neither:
> + * - zero length
> + * - overflow/wrap-around
> + */
> + if (lblock + len <= lblock)
> return 0;
> return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
> }
>
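Review bot: the new test `if (lblock + len <= lblock)` relies on the sum being evaluated in the 32-bit unsigned width of ext4_lblk_t, with the `int len` promoted to unsigned by the usual arithmetic conversions; that is exactly what makes the 4294967295 + 1 case and len == 0 both fail the check, but it deserves a comment beside the existing "We allow neither" block, because widening ext4_lblk_t to 64 bits in a later tree would silently change the meaning of the comparison without any build warning.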

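As an added illustration (not part of the ext4 patch or of this thread), the following C models the range check before and after the quoted patch with a constructed 32-bit `ext4_lblk_t`, plus the `ext4_es_end()` wrap condition the commit message refers to, so the escaping extent can be reproduced in user space; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's ext4_lblk_t, which is a __u32. */
typedef uint32_t ext4_lblk_t;

/*
 * Range check as it was before the patch: last = lblock + len - 1 is
 * computed in 32-bit unsigned arithmetic (len is promoted to unsigned),
 * and only len == 0 or lblock > last is rejected.
 * Returns 1 if the range is accepted, 0 if rejected.
 */
int range_valid_old(ext4_lblk_t lblock, int len)
{
	ext4_lblk_t last = lblock + len - 1;

	if (len == 0 || lblock > last)
		return 0;
	return 1;
}

/* Range check as it is after the patch: neither zero length nor wrap-around. */
int range_valid_new(ext4_lblk_t lblock, int len)
{
	if (lblock + len <= lblock)
		return 0;
	return 1;
}

/* The condition ext4_es_end() BUG_ONs: the end block wraps past 2^32 - 1. */
int es_end_wraps(ext4_lblk_t es_lblk, ext4_lblk_t es_len)
{
	return es_lblk + es_len < es_lblk;
}

int main(void)
{
	ext4_lblk_t max = 4294967295u;	/* lblock from the commit message */

	/* len == 1 at the top of the address space: the only length the
	 * old check lets through, since lblock + 1 - 1 lands back on lblock. */
	printf("old check, lblock=%u len=1: %d\n", max, range_valid_old(max, 1));
	printf("new check, lblock=%u len=1: %d\n", max, range_valid_new(max, 1));
	/* Longer wrapping extents were already caught by the old check. */
	printf("old check, lblock=%u len=2: %d\n", max, range_valid_old(max, 2));
	/* The accepted extent later trips the BUG_ON in ext4_es_end(). */
	printf("es_end wraps for (lblock=%u, len=1): %d\n", max, es_end_wraps(max, 1));
	return 0;
}
```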
2016-11-14 16:15:30

by Ben Hutchings

Subject: Re: [PATCH 3.2 009/152] ext4: check for extents that wrap around

On Mon, 2016-11-14 at 16:29 +0100, Vegard Nossum wrote:
> On 11/14/2016 01:14 AM, Ben Hutchings wrote:
> > 3.2.84-rc1 review patch.  If anyone has any objections, please let me know.
>
> Just a general comment on stable review workflow, really:
>
> It might be more useful to send the diff-of-diffs with the upstream
> commit so I can easily see if you had any conflicts when cherry-picking
> this and how they were resolved.

When there are conflicts, I explain how they were resolved before my
Signed-off-by: line. In this case there were none.

I'm not going to change to diff-of-diffs unless there is consensus for
this among stable maintainers and reviewers.

[...]
> If you could push this commit to git before sending the review, you
> could also include a command that I can use to quickly do the
> diff-of-diffs myself without having to download and apply the patch (or
> look for it), e.g. something like (using the 3.12 stable commit vs
> upstream):
[...]

You can find all the patches in a 3.2-rc or 3.16-rc review at
<https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-stable-queue.git/>.

Ben.

--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.



2016-11-14 17:10:11

by Ben Hutchings

Subject: Re: [PATCH 3.2 000/152] 3.2.84-rc1 review

On Sun, 2016-11-13 at 21:47 -0800, Guenter Roeck wrote:
> On 11/13/2016 04:14 PM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.2.84 release.
> > There are 152 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat Nov 19 00:00:00 UTC 2016.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 89 pass: 89 fail: 0
> Qemu test results:
> total: 61 pass: 61 fail: 0
>
> Details are available at http://kerneltests.org/builders.

Thanks for checking.

Ben.

--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.



2016-11-14 21:09:22

by Stefan Richter

Subject: Re: [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows

On Nov 14 Ben Hutchings wrote:
> 3.2.84-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Stefan Richter <[email protected]>
>
> commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.
[...]
> [bwh: Backported to 3.2: fwnet_receive_broadcast() never matches IPv6 packets]
> Signed-off-by: Ben Hutchings <[email protected]>

Backport looks correct to me; thanks.
--
Stefan Richter
-======----- =-== -===-
http://arcgraph.de/sr/