1. 07 Apr, 2017 36 commits
    • Johan Hovold's avatar
      Input: hanwang - validate number of endpoints before using them · 006c0207
      Johan Hovold authored
      commit ba340d7b upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: bba5394a ("Input: add support for Hanwang tablets")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      006c0207
    • Johan Hovold's avatar
      Input: ims-pcu - validate number of endpoints before using them · e542630d
      Johan Hovold authored
      commit 1916d319 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack control-interface endpoints.
      
      Fixes: 628329d5 ("Input: add IMS Passenger Control Unit driver")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e542630d
    • Johan Hovold's avatar
      Input: iforce - validate number of endpoints before using them · cbd99aa6
      Johan Hovold authored
      commit 59cf8bed upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory that lie beyond the end of the endpoint
      array should a malicious device lack the expected endpoints.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cbd99aa6
    • Kai-Heng Feng's avatar
      Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 · ea433af2
      Kai-Heng Feng authored
      commit 45838660 upstream.
      
      The aux port does not get detected without noloop quirk, so external PS/2
      mouse cannot work as result.
      
      The PS/2 mouse can work with this quirk.
      
      BugLink: https://bugs.launchpad.net/bugs/1591053Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: default avatarMarcos Paulo de Souza <marcos.souza.org@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ea433af2
    • Bjørn Mork's avatar
      USB: qcserial: add Sierra Wireless EM74xx device ID · 471e11c1
      Bjørn Mork authored
      commit 04fdbc82 upstream.
      
      The MC74xx and EM74xx modules use different IDs by default, according
      to the Lenovo EM7455 driver for Windows.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      471e11c1
    • Patrik Halfar's avatar
      USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3) · 6c412c64
      Patrik Halfar authored
      commit 013dd239 upstream.
      
      New revision of Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card
      has new idProduct.
      
      Bus 002 Device 006: ID 413c:81b3 Dell Computer Corp.
      Device Descriptor:
        bLength                18
        bDescriptorType         1
        bcdUSB               2.00
        bDeviceClass            0
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        idVendor           0x413c Dell Computer Corp.
        idProduct          0x81b3
        bcdDevice            0.06
        iManufacturer           1 Sierra Wireless, Incorporated
        iProduct                2 Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card
        iSerial                 3
        bNumConfigurations      2
      Signed-off-by: default avatarPatrik Halfar <patrik_halfar@halfarit.cz>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6c412c64
    • Petr Štetiar's avatar
      USB: qcserial: Add support for Quectel EC20 Mini PCIe module · 41800825
      Petr Štetiar authored
      commit 9d5b5ed7 upstream.
      
      It seems like this device has same vendor and product IDs as G2K
      devices, but it has different number of interfaces(4 vs 5) and also
      different interface layout which makes it currently unusable:
      
      	usbcore: registered new interface driver qcserial
      	usbserial: USB Serial support registered for Qualcomm USB modem
      	usb 2-1.2: unknown number of interfaces: 5
      
      lsusb output:
      
      	Bus 002 Device 003: ID 05c6:9215 Qualcomm, Inc. Acer Gobi 2000 Wireless
      	Device Descriptor:
      	  bLength                18
      	  bDescriptorType         1
      	  bcdUSB               2.00
      	  bDeviceClass            0 (Defined at Interface level)
      	  bDeviceSubClass         0
      	  bDeviceProtocol         0
      	  bMaxPacketSize0        64
      	  idVendor           0x05c6 Qualcomm, Inc.
      	  idProduct          0x9215 Acer Gobi 2000 Wireless Modem
      	  bcdDevice            2.32
      	  iManufacturer           1 Quectel
      	  iProduct                2 Quectel LTE Module
      	  iSerial                 0
      	  bNumConfigurations      1
      	  Configuration Descriptor:
      	    bLength                 9
      	    bDescriptorType         2
      	    wTotalLength          209
      	    bNumInterfaces          5
      	    bConfigurationValue     1
      	    iConfiguration          0
      	    bmAttributes         0xa0
      	      (Bus Powered)
      	      Remote Wakeup
      	    MaxPower              500mA
      Signed-off-by: default avatarPetr Štetiar <ynezz@true.cz>
      [johan: rename define and add comment ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      41800825
    • Bjørn Mork's avatar
      USB: qcserial: add Sierra Wireless MC74xx/EM74xx · 1a517395
      Bjørn Mork authored
      commit f504ab18 upstream.
      
      New device IDs shamelessly lifted from the vendor driver.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Acked-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1a517395
    • David Ward's avatar
      USB: qcserial: add HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module · 4100a0ec
      David Ward authored
      commit 44840dec upstream.
      
      This is an HP-branded Sierra Wireless EM7355:
      https://bugzilla.redhat.com/show_bug.cgi?id=1223646#c2Signed-off-by: default avatarDavid Ward <david.ward@ll.mit.edu>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4100a0ec
    • Pieter Hollants's avatar
      USB: qcserial: Add support for Dell Wireless 5809e 4G Modem · 4ef0939b
      Pieter Hollants authored
      commit 6da3700c upstream.
      
      Added the USB IDs 0x413c:0x81b1 for the "Dell Wireless 5809e Gobi(TM) 4G
      LTE Mobile Broadband Card", a Dell-branded Sierra Wireless EM7305 LTE
      card in M.2 form factor, used eg. in Dell's Latitude E7540 Notebook
      series.
      
      "lsusb -v" output for this device:
      
      Bus 002 Device 003: ID 413c:81b1 Dell Computer Corp.
      Device Descriptor:
        bLength                18
        bDescriptorType         1
        bcdUSB               2.00
        bDeviceClass            0
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        idVendor           0x413c Dell Computer Corp.
        idProduct          0x81b1
        bcdDevice            0.06
        iManufacturer           1 Sierra Wireless, Incorporated
        iProduct                2 Dell Wireless 5809e Gobi 4G LTE Mobile Broadband Card
        iSerial                 3
        bNumConfigurations      2
        Configuration Descriptor:
          bLength                 9
          bDescriptorType         2
          wTotalLength          204
          bNumInterfaces          4
          bConfigurationValue     1
          iConfiguration          0
          bmAttributes         0xe0
            Self Powered
            Remote Wakeup
          MaxPower              500mA
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        0
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x81  EP 1 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x01  EP 1 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        2
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass      0
            bInterfaceProtocol      0
            iInterface              0
            ** UNRECOGNIZED:  05 24 00 10 01
            ** UNRECOGNIZED:  05 24 01 00 00
            ** UNRECOGNIZED:  04 24 02 02
            ** UNRECOGNIZED:  05 24 06 00 00
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x83  EP 3 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x000c  1x 12 bytes
              bInterval               9
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x82  EP 2 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x02  EP 2 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        3
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass      0
            bInterfaceProtocol      0
            iInterface              0
            ** UNRECOGNIZED:  05 24 00 10 01
            ** UNRECOGNIZED:  05 24 01 00 00
            ** UNRECOGNIZED:  04 24 02 02
            ** UNRECOGNIZED:  05 24 06 00 00
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x85  EP 5 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x000c  1x 12 bytes
              bInterval               9
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x84  EP 4 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x03  EP 3 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        8
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x87  EP 7 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x000a  1x 10 bytes
              bInterval               9
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x86  EP 6 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x04  EP 4 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
              ** UNRECOGNIZED:  2c ff 42 49 53 54 00 01 07 f5 40 f6 00 00 00 00 01 f7 c4 09 02 f8 c4 09 03 f9 88 13 04 fa 10 27 05 fb 10 27 06 fc c4 09 07 fd c4 09
        Configuration Descriptor:
          bLength                 9
          bDescriptorType         2
          wTotalLength           95
          bNumInterfaces          2
          bConfigurationValue     2
          iConfiguration          0
          bmAttributes         0xe0
            Self Powered
            Remote Wakeup
          MaxPower              500mA
          Interface Association:
            bLength                 8
            bDescriptorType        11
            bFirstInterface        12
            bInterfaceCount         2
            bFunctionClass          2 Communications
            bFunctionSubClass      14
            bFunctionProtocol       0
            iFunction               0
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber       12
            bAlternateSetting       0
            bNumEndpoints           1
            bInterfaceClass         2 Communications
            bInterfaceSubClass     14
            bInterfaceProtocol      0
            iInterface              0
            CDC Header:
              bcdCDC               1.10
            CDC Union:
              bMasterInterface        12
              bSlaveInterface         13
            CDC MBIM:
              bcdMBIMVersion       1.00
              wMaxControlMessage   4096
              bNumberFilters       32
              bMaxFilterSize       128
              wMaxSegmentSize      1500
              bmNetworkCapabilities 0x20
                8-byte ntb input size
            CDC MBIM Extended:
              bcdMBIMExtendedVersion           1.00
              bMaxOutstandingCommandMessages     64
              wMTU                             1500
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x82  EP 2 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               9
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber       13
            bAlternateSetting       0
            bNumEndpoints           0
            bInterfaceClass        10 CDC Data
            bInterfaceSubClass      0
            bInterfaceProtocol      2
            iInterface              0
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber       13
            bAlternateSetting       1
            bNumEndpoints           2
            bInterfaceClass        10 CDC Data
            bInterfaceSubClass      0
            bInterfaceProtocol      2
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x81  EP 1 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x01  EP 1 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval               0
      Device Qualifier (for other device speed):
        bLength                10
        bDescriptorType         6
        bcdUSB               2.00
        bDeviceClass            0
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        bNumConfigurations      2
      Device Status:     0x0000
        (Bus Powered)
      Signed-off-by: default avatarPieter Hollants <pieter@hollants.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4ef0939b
    • Ilya Dryomov's avatar
      libceph: don't set weight to IN when OSD is destroyed · 5db1728d
      Ilya Dryomov authored
      commit b581a585 upstream.
      
      Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
      osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
      This changes the result of applying an incremental for clients, not
      just OSDs.  Because CRUSH computations are obviously affected,
      pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
      object placement, resulting in misdirected requests.
      
      Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.
      
      Fixes: 930c5328 ("libceph: apply new_state before new_up_client on incrementals")
      Link: http://tracker.ceph.com/issues/19122Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5db1728d
    • Eric Dumazet's avatar
      tcp: initialize icsk_ack.lrcvtime at session start time · 111aa29e
      Eric Dumazet authored
      [ Upstream commit 15bb7745 ]
      
      icsk_ack.lrcvtime has a 0 value at socket creation time.
      
      tcpi_last_data_recv can have bogus value if no payload is ever received.
      
      This patch initializes icsk_ack.lrcvtime for active sessions
      in tcp_finish_connect(), and for passive sessions in
      tcp_create_openreq_child()
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      111aa29e
    • Eric Dumazet's avatar
      ipv4: provide stronger user input validation in nl_fib_input() · 083b7de7
      Eric Dumazet authored
      [ Upstream commit c64c0b3c ]
      
      Alexander reported a KMSAN splat caused by reads of uninitialized
      field (tb_id_in) from user provided struct fib_result_nl
      
      It turns out nl_fib_input() sanity tests on user input is a bit
      wrong :
      
      User can pretend nlh->nlmsg_len is big enough, but provide
      at sendmsg() time a too small buffer.
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      083b7de7
    • Maor Gottlieb's avatar
      net/mlx5: Increase number of max QPs in default profile · 7d409c04
      Maor Gottlieb authored
      [ Upstream commit 5f40b4ed ]
      
      With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
      limit preventing some applications to allocate needed QPs amount.
      Double the size to 256K.
      
      [js] this is in another file in 3.12
      
      Fixes: e126ba97 ('mlx5: Add driver for Mellanox Connect-IB adapters')
      Signed-off-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7d409c04
    • Bjørn Mork's avatar
      qmi_wwan: add Dell DW5811e · b46441c8
      Bjørn Mork authored
      [ Upstream commit 6bd845d1 ]
      
      This is a Dell branded Sierra Wireless EM7455. It is operating in
      MBIM mode by default, but can be configured to provide two QMI/RMNET
      functions.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b46441c8
    • Andrey Ulanov's avatar
      net: unix: properly re-increment inflight counter of GC discarded candidates · c2c0754b
      Andrey Ulanov authored
      [ Upstream commit 7df9c246 ]
      
      Dmitry has reported that a BUG_ON() condition in unix_notinflight()
      may be triggered by a simple code that forwards unix socket in an
      SCM_RIGHTS message.
      That is caused by incorrect unix socket GC implementation in unix_gc().
      
      The GC first collects list of candidates, then (a) decrements their
      "children's" inflight counter, (b) checks which inflight counters are
      now 0, and then (c) increments all inflight counters back.
      (a) and (c) are done by calling scan_children() with inc_inflight or
      dec_inflight as the second argument.
      
      Commit 6209344f ("net: unix: fix inflight counting bug in garbage
      collector") changed scan_children() such that it no longer considers
      sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
      of code that that unsets this flag _before_ invoking
      scan_children(, dec_iflight, ). This may lead to incorrect inflight
      counters for some sockets.
      
      This change fixes this bug by changing order of operations:
      UNIX_GC_CANDIDATE is now unset only after all inflight counters are
      restored to the original state.
      
        kernel BUG at net/unix/garbage.c:149!
        RIP: 0010:[<ffffffff8717ebf4>]  [<ffffffff8717ebf4>]
        unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
        Call Trace:
         [<ffffffff8716cfbf>] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
         [<ffffffff8716f6a9>] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
         [<ffffffff86a90a01>] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
         [<ffffffff86a9808a>] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
         [<ffffffff86a980ea>] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
         [<ffffffff86a98284>] kfree_skb+0x184/0x570 net/core/skbuff.c:705
         [<ffffffff871789d5>] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
         [<ffffffff87179039>] unix_release+0x49/0x90 net/unix/af_unix.c:836
         [<ffffffff86a694b2>] sock_release+0x92/0x1f0 net/socket.c:570
         [<ffffffff86a6962b>] sock_close+0x1b/0x20 net/socket.c:1017
         [<ffffffff81a76b8e>] __fput+0x34e/0x910 fs/file_table.c:208
         [<ffffffff81a771da>] ____fput+0x1a/0x20 fs/file_table.c:244
         [<ffffffff81483ab0>] task_work_run+0x1a0/0x280 kernel/task_work.c:116
         [<     inline     >] exit_task_work include/linux/task_work.h:21
         [<ffffffff8141287a>] do_exit+0x183a/0x2640 kernel/exit.c:828
         [<ffffffff8141383e>] do_group_exit+0x14e/0x420 kernel/exit.c:931
         [<ffffffff814429d3>] get_signal+0x663/0x1880 kernel/signal.c:2307
         [<ffffffff81239b45>] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
         [<ffffffff8100666a>] exit_to_usermode_loop+0x1ea/0x2d0
        arch/x86/entry/common.c:156
         [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
         [<ffffffff81009693>] syscall_return_slowpath+0x4d3/0x570
        arch/x86/entry/common.c:259
         [<ffffffff881478e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
      
      Link: https://lkml.org/lkml/2017/3/6/252Signed-off-by: default avatarAndrey Ulanov <andreyu@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: 6209344f ("net: unix: fix inflight counting bug in garbage collector")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2c0754b
    • Eric Dumazet's avatar
      net: properly release sk_frag.page · e2d987fe
      Eric Dumazet authored
      [ Upstream commit 22a0e18e ]
      
      I mistakenly added the code to release sk->sk_frag in
      sk_common_release() instead of sk_destruct()
      
      TCP sockets using sk->sk_allocation == GFP_ATOMIC do no call
      sk_common_release() at close time, thus leaking one (order-3) page.
      
      iSCSI is using such sockets.
      
      Fixes: 5640f768 ("net: use a per task frag allocator")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e2d987fe
    • Todd Fujinaka's avatar
      igb: add i211 to i210 PHY workaround · 92239ce8
      Todd Fujinaka authored
      [ Upstream commit 5bc8c230 ]
      
      i210 and i211 share the same PHY but have different PCI IDs. Don't
      forget i211 for any i210 workarounds.
      Signed-off-by: default avatarTodd Fujinaka <todd.fujinaka@intel.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      92239ce8
    • Chris J Arges's avatar
      igb: Workaround for igb i210 firmware issue · f3102ed1
      Chris J Arges authored
      [ Upstream commit 4e684f59 ]
      
      Sometimes firmware may not properly initialize I347AT4_PAGE_SELECT causing
      the probe of an igb i210 NIC to fail. This patch adds an addition zeroing
      of this register during igb_get_phy_id to workaround this issue.
      
      Thanks for Jochen Henneberg for the idea and original patch.
      Signed-off-by: default avatarChris J Arges <christopherarges@gmail.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f3102ed1
    • Dan Streetman's avatar
      xen: do not re-use pirq number cached in pci device msi msg data · 6cc44bf0
      Dan Streetman authored
      [ Upstream commit c74fd80f ]
      
      Revert the main part of commit:
      af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      
      That commit introduced reading the pci device's msi message data to see
      if a pirq was previously configured for the device's msi/msix, and re-use
      that pirq.  At the time, that was the correct behavior.  However, a
      later change to Qemu caused it to call into the Xen hypervisor to unmap
      all pirqs for a pci device, when the pci device disables its MSI/MSIX
      vectors; specifically the Qemu commit:
      c976437c7dba9c7444fb41df45468968aaa326ad
      ("qemu-xen: free all the pirqs for msi/msix when driver unload")
      
      Once Qemu added this pirq unmapping, it was no longer correct for the
      kernel to re-use the pirq number cached in the pci device msi message
      data.  All Qemu releases since 2.1.0 contain the patch that unmaps the
      pirqs when the pci device disables its MSI/MSIX vectors.
      
      This bug is causing failures to initialize multiple NVMe controllers
      under Xen, because the NVMe driver sets up a single MSIX vector for
      each controller (concurrently), and then after using that to talk to
      the controller for some configuration data, it disables the single MSIX
      vector and re-configures all the MSIX vectors it needs.  So the MSIX
      setup code tries to re-use the cached pirq from the first vector
      for each controller, but the hypervisor has already given away that
      pirq to another controller, and its initialization fails.
      
      This is discussed in more detail at:
      https://lists.xen.org/archives/html/xen-devel/2017-01/msg00447.html
      
      Fixes: af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      Signed-off-by: default avatarDan Streetman <dan.streetman@canonical.com>
      Reviewed-by: default avatarStefano Stabellini <sstabellini@kernel.org>
      Acked-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6cc44bf0
    • Johan Hovold's avatar
      isdn/gigaset: fix NULL-deref at probe · a787d281
      Johan Hovold authored
      commit 68c32f9c upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: cf7776dc ("[PATCH] isdn4linux: Siemens Gigaset drivers - direct USB connection")
      Cc: Hansjoerg Lipp <hjlipp@web.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a787d281
    • Anton Blanchard's avatar
      scsi: lpfc: Add shutdown method for kexec · 0f718126
      Anton Blanchard authored
      commit 85e8a239 upstream.
      
      We see lpfc devices regularly fail during kexec. Fix this by adding a
      shutdown method which mirrors the remove method.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Reviewed-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Tested-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0f718126
    • Nicholas Bellinger's avatar
      target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export · 181adb12
      Nicholas Bellinger authored
      commit a04e54f2 upstream.
      
      The following fixes a divide by zero OOPs with TYPE_TAPE
      due to pscsi_tape_read_blocksize() failing causing a zero
      sd->sector_size being propigated up via dev_attrib.hw_block_size.
      
      It also fixes another long-standing bug where TYPE_TAPE and
      TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(),
      which does not call scsi_device_get() to take the device
      reference.  Instead, rename pscsi_create_type_rom() to
      pscsi_create_type_nondisk() and use it for all cases.
      
      Finally, also drop a dump_stack() in pscsi_get_blocks() for
      non TYPE_DISK, which in modern target-core can get invoked
      via target_sense_desc_format() during CHECK_CONDITION.
      
      [js] cast max_sectors to unsigned to avoid warnings
      Reported-by: default avatarMalcolm Haak <insanemal@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      181adb12
    • Rafael J. Wysocki's avatar
      cpufreq: Fix and clean up show_cpuinfo_cur_freq() · b2dd4331
      Rafael J. Wysocki authored
      commit 9b4f603e upstream.
      
      There is a missing newline in show_cpuinfo_cur_freq(), so add it,
      but while at it clean that function up somewhat too.
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b2dd4331
    • Peter Zijlstra's avatar
      perf/core: Fix event inheritance on fork() · ba439eb5
      Peter Zijlstra authored
      commit e7cc4865 upstream.
      
      While hunting for clues to a use-after-free, Oleg spotted that
      perf_event_init_context() can loose an error value with the result
      that fork() can succeed even though we did not fully inherit the perf
      event context.
      Spotted-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: oleg@redhat.com
      Fixes: 889ff015 ("perf/core: Split context's event group list into pinned and non-pinned lists")
      Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ba439eb5
    • Andi Kleen's avatar
      kernek/fork.c: allocate idle task for a CPU always on its local node · 92ac2376
      Andi Kleen authored
      commit 725fc629 upstream.
      
      Linux preallocates the task structs of the idle tasks for all possible
      CPUs.  This currently means they all end up on node 0.  This also
      implies that the cache line of MWAIT, which is around the flags field in
      the task struct, are all located in node 0.
      
      We see a noticeable performance improvement on Knights Landing CPUs when
      the cache lines used for MWAIT are located in the local nodes of the
      CPUs using them.  I would expect this to give a (likely slight)
      improvement on other systems too.
      
      The patch implements placing the idle task in the node of its CPUs, by
      passing the right target node to copy_process()
      
      [js] to tls in copy_process in 3.12 yet
      
      [akpm@linux-foundation.org: use NUMA_NO_NODE, not a bare -1]
      Link: http://lkml.kernel.org/r/1463492694-15833-1-git-send-email-andi@firstfloor.orgSigned-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      92ac2376
    • Sebastian Ott's avatar
      s390/pci: fix use after free in dma_init · fe049608
      Sebastian Ott authored
      commit dba59909 upstream.
      
      After a failure during registration of the dma_table (because of the
      function being in error state) we free its memory but don't reset the
      associated pointer to zero.
      
      When we then receive a notification from firmware (about the function
      being in error state) we'll try to walk and free the dma_table again.
      
      Fix this by resetting the dma_table pointer. In addition to that make
      sure that we free the iommu_bitmap when appropriate.
      Signed-off-by: default avatarSebastian Ott <sebott@linux.vnet.ibm.com>
      Reviewed-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      fe049608
    • Thomas Huth's avatar
      KVM: PPC: Book3S PR: Fix illegal opcode emulation · c244d3d0
      Thomas Huth authored
      commit 708e75a3 upstream.
      
      If kvmppc_handle_exit_pr() calls kvmppc_emulate_instruction() to emulate
      one instruction (in the BOOK3S_INTERRUPT_H_EMUL_ASSIST case), it calls
      kvmppc_core_queue_program() afterwards if kvmppc_emulate_instruction()
      returned EMULATE_FAIL, so the guest gets an program interrupt for the
      illegal opcode.
      However, the kvmppc_emulate_instruction() also tried to inject a
      program exception for this already, so the program interrupt gets
      injected twice and the return address in srr0 gets destroyed.
      All other callers of kvmppc_emulate_instruction() are also injecting
      a program interrupt, and since the callers have the right knowledge
      about the srr1 flags that should be used, it is the function
      kvmppc_emulate_instruction() that should _not_ inject program
      interrupts, so remove the kvmppc_core_queue_program() here.
      
      This fixes the issue discovered by Laurent Vivier with kvm-unit-tests
      where the logs are filled with these messages when the test tries
      to execute an illegal instruction:
      
           Couldn't emulate instruction 0x00000000 (op 0 xop 0)
           kvmppc_handle_exit_pr: emulation at 700 failed (00000000)
      Signed-off-by: default avatarThomas Huth <thuth@redhat.com>
      Reviewed-by: default avatarAlexander Graf <agraf@suse.de>
      Tested-by: default avatarLaurent Vivier <lvivier@redhat.com>
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c244d3d0
    • Vitaly Kuznetsov's avatar
      Drivers: hv: avoid vfree() on crash · db536d37
      Vitaly Kuznetsov authored
      commit a9f61ca7 upstream.
      
      When we crash from NMI context (e.g. after NMI injection from host when
      'sysctl -w kernel.unknown_nmi_panic=1' is set) we hit
      
          kernel BUG at mm/vmalloc.c:1530!
      
      as vfree() is denied. While the issue could be solved with in_nmi() check
      instead I opted for skipping vfree on all sorts of crashes to reduce the
      amount of work which can cause consequent crashes. We don't really need to
      free anything on crash.
      
      [js] no tsc and kexec in 3.12 yet
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      db536d37
    • Vitaly Kuznetsov's avatar
      Drivers: hv: balloon: don't crash when memory is added in non-sorted order · 799207c7
      Vitaly Kuznetsov authored
      commit 77c0c973 upstream.
      
      When we iterate through all HA regions in handle_pg_range() we have an
      assumption that all these regions are sorted in the list and the
      'start_pfn >= has->end_pfn' check is enough to find the proper region.
      Unfortunately it's not the case with WS2016 where host can hot-add regions
      in a different order. We end up modifying the wrong HA region and crashing
      later on pages online. Modify the check to make sure we found the region
      we were searching for while iterating. Fix the same check in pfn_covered()
      as well.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      799207c7
    • Alex Hung's avatar
      ACPI / video: skip evaluating _DOD when it does not exist · 4bdc5ba8
      Alex Hung authored
      commit e34fbbac upstream.
      
      Some system supports hybrid graphics and its discrete VGA
      does not have any connectors and therefore has no _DOD method.
      Signed-off-by: default avatarAlex Hung <alex.hung@canonical.com>
      Reviewed-by: default avatarAaron Lu <aaron.lu@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4bdc5ba8
    • Wang, Rui Y's avatar
      crypto: cryptd - Assign statesize properly · f42108f6
      Wang, Rui Y authored
      commit 1a078340 upstream.
      
      cryptd_create_hash() fails by returning -EINVAL.  It is because after
      8996eafd ("crypto: ahash - ensure statesize is non-zero") all ahash
      drivers must have a non-zero statesize.
      
      This patch fixes the problem by properly assigning the statesize.
      Signed-off-by: default avatarRui Wang <rui.y.wang@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f42108f6
    • Wang, Rui Y's avatar
      crypto: ghash-clmulni - Fix load failure · 756233cc
      Wang, Rui Y authored
      commit 3a020a72 upstream.
      
      ghash_clmulni_intel fails to load on Linux 4.3+ with the following message:
      "modprobe: ERROR: could not insert 'ghash_clmulni_intel': Invalid argument"
      
      After 8996eafd ("crypto: ahash - ensure statesize is non-zero") all ahash
      drivers are required to implement import()/export(), and must have a non-
      zero statesize.
      
      This patch has been tested with the algif_hash interface. The calculated
      digest values, after several rounds of import()s and export()s, match those
      calculated by tcrypt.
      Signed-off-by: default avatarRui Wang <rui.y.wang@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      
      756233cc
    • Florian Westphal's avatar
      netlink: remove mmapped netlink support · 22aa4952
      Florian Westphal authored
      commit d1b4c689 upstream.
      
      mmapped netlink has a number of unresolved issues:
      
      - TX zerocopy support had to be disabled more than a year ago via
        commit 4682a035 ("netlink: Always copy on mmap TX.")
        because the content of the mmapped area can change after netlink
        attribute validation but before message processing.
      
      - RX support was implemented mainly to speed up nfqueue dumping packet
        payload to userspace.  However, since commit ae08ce00
        ("netfilter: nfnetlink_queue: zero copy support") we avoid one copy
        with the socket-based interface too (via the skb_zerocopy helper).
      
      The other problem is that skbs attached to mmaped netlink socket
      behave different from normal skbs:
      
      - they don't have a shinfo area, so all functions that use skb_shinfo()
      (e.g. skb_clone) cannot be used.
      
      - reserving headroom prevents userspace from seeing the content as
      it expects message to start at skb->head.
      See for instance
      commit aa3a0220 ("netlink: not trim skb for mmaped socket when dump").
      
      - skbs handed e.g. to netlink_ack must have non-NULL skb->sk, else we
      crash because it needs the sk to check if a tx ring is attached.
      
      Also not obvious, leads to non-intuitive bug fixes such as 7c7bdf35
      ("netfilter: nfnetlink: use original skbuff when acking batches").
      
      mmaped netlink also didn't play nicely with the skb_zerocopy helper
      used by nfqueue and openvswitch.  Daniel Borkmann fixed this via
      commit 6bb0fef4 ("netlink, mmap: fix edge-case leakages in nf queue
      zero-copy")' but at the cost of also needing to provide remaining
      length to the allocation function.
      
      nfqueue also has problems when used with mmaped rx netlink:
      - mmaped netlink doesn't allow use of nfqueue batch verdict messages.
        Problem is that in the mmap case, the allocation time also determines
        the ordering in which the frame will be seen by userspace (A
        allocating before B means that A is located in earlier ring slot,
        but this also means that B might get a lower sequence number then A
        since seqno is decided later.  To fix this we would need to extend the
        spinlocked region to also cover the allocation and message setup which
        isn't desirable.
      - nfqueue can now be configured to queue large (GSO) skbs to userspace.
        Queing GSO packets is faster than having to force a software segmentation
        in the kernel, so this is a desirable option.  However, with a mmap based
        ring one has to use 64kb per ring slot element, else mmap has to fall back
        to the socket path (NL_MMAP_STATUS_COPY) for all large packets.
      
      To use the mmap interface, userspace not only has to probe for mmap netlink
      support, it also has to implement a recv/socket receive path in order to
      handle messages that exceed the size of an rx ring element.
      
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
      Cc: Pablo Neira Ayuso <pablo@netfilter.org>
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      22aa4952
    • Darrick J. Wong's avatar
      xfs: don't allow di_size with high bit set · ffd0475d
      Darrick J. Wong authored
      Commit ef388e20 upstream.
      
      The on-disk field di_size is used to set i_size, which is a signed
      integer of loff_t.  If the high bit of di_size is set, we'll end up with
      a negative i_size, which will cause all sorts of problems.  Since the
      VFS won't let us create a file with such length, we should catch them
      here in the verifier too.
      
      [nborisov: Backported to 3.12]
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ffd0475d
    • Eric Sandeen's avatar
      xfs: fix up xfs_swap_extent_forks inline extent handling · 35c9f7f2
      Eric Sandeen authored
      commit 4dfce57d upstream.
      
      There have been several reports over the years of NULL pointer
      dereferences in xfs_trans_log_inode during xfs_fsr processes,
      when the process is doing an fput and tearing down extents
      on the temporary inode, something like:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
      PID: 29439  TASK: ffff880550584fa0  CPU: 6   COMMAND: "xfs_fsr"
          [exception RIP: xfs_trans_log_inode+0x10]
       #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs]
      
      As it turns out, this is because the i_itemp pointer, along
      with the d_ops pointer, has been overwritten with zeros
      when we tear down the extents during truncate.  When the in-core
      inode fork on the temporary inode used by xfs_fsr was originally
      set up during the extent swap, we mistakenly looked at di_nextents
      to determine whether all extents fit inline, but this misses extents
      generated by speculative preallocation; we should be using if_bytes
      instead.
      
      This mistake corrupts the in-memory inode, and code in
      xfs_iext_remove_inline eventually gets bad inputs, causing
      it to memmove and memset incorrect ranges; this became apparent
      because the two values in ifp->if_u2.if_inline_ext[1] contained
      what should have been in d_ops and i_itemp; they were memmoved due
      to incorrect array indexing and then the original locations
      were zeroed with memset, again due to an array overrun.
      
      Fix this by properly using i_df.if_bytes to determine the number
      of extents, not di_nextents.
      
      Thanks to dchinner for looking at this with me and spotting the
      root cause.
      
      [nborisov: Backported to 3.12]
      Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      35c9f7f2
  2. 28 Mar, 2017 4 commits