19 Jun, 2015 (40 commits)
      xen-pciback: limit guest control of command register · 2f4e074b
      Jan Beulich authored
      commit af6fc858 upstream.
      
      Otherwise the guest can abuse that control to cause e.g. PCIe
      Unsupported Request responses by disabling memory and/or I/O decoding
      and subsequently causing (CPU side) accesses to the respective address
      ranges, which (depending on system configuration) may be fatal to the
      host.
      
      Note that to alter any of the bits collected together as
      PCI_COMMAND_GUEST permissive mode is now required to be enabled
      globally or on the specific device.
      
      This is CVE-2015-2150 / XSA-120.
      Signed-off-by: Jan Beulich <jbeulich@suse.com>
      Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: David Vrabel <david.vrabel@citrix.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled · cf46e6e7
      Steven Rostedt (Red Hat) authored
      commit 524a3868 upstream.
      
      Some archs (specifically PowerPC), are sensitive with the ordering of
      the enabling of the calls to function tracing and setting of the
      function to use to be traced.
      
      That is, update_ftrace_function() sets what function the ftrace_caller
      trampoline should call. Some archs require this to be set before
      calling ftrace_run_update_code().
      
      Another bug was discovered, that ftrace_startup_sysctl() called
      ftrace_run_update_code() directly. If the function the ftrace_caller
      trampoline changes, then it will not be updated. Instead a call
      to ftrace_startup_enable() should be called because it tests to see
      if the callback changed since the code was disabled, and will
      tell the arch to update appropriately. Most archs do not need this
      notification, but PowerPC does.
      
      The problem could be seen by the following commands:
      
       # echo 0 > /proc/sys/kernel/ftrace_enabled
       # echo function > /sys/kernel/debug/tracing/current_tracer
       # echo 1 > /proc/sys/kernel/ftrace_enabled
       # cat /sys/kernel/debug/tracing/trace
      
      The trace will show that function tracing was not active.
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ftrace: Fix en(dis)able graph caller when en(dis)abling record via sysctl · 2d4293a8
      Pratyush Anand authored
      commit 1619dc3f upstream.
      
      When ftrace is enabled globally through the proc interface, we must check if
      ftrace_graph_active is set. If it is set, then we should also pass the
      FTRACE_START_FUNC_RET command to ftrace_run_update_code(). Similarly, when
      ftrace is disabled globally through the proc interface, we must check if
      ftrace_graph_active is set. If it is set, then we should also pass the
      FTRACE_STOP_FUNC_RET command to ftrace_run_update_code().
      
      Consider the following situation.
      
       # echo 0 > /proc/sys/kernel/ftrace_enabled
      
      After this ftrace_enabled = 0.
      
       # echo function_graph > /sys/kernel/debug/tracing/current_tracer
      
      Since ftrace_enabled = 0, ftrace_enable_ftrace_graph_caller() is never
      called.
      
       # echo 1 > /proc/sys/kernel/ftrace_enabled
      
      Now ftrace_enabled will be set to true, but still
      ftrace_enable_ftrace_graph_caller() will not be called, which is not
      desired.
      
      Further if we execute the following after this:
        # echo nop > /sys/kernel/debug/tracing/current_tracer
      
      Now since ftrace_enabled is set it will call
      ftrace_disable_ftrace_graph_caller(), which causes a kernel warning on
      the ARM platform.
      
      On the ARM platform, when ftrace_enable_ftrace_graph_caller() is called,
      it checks whether the old instruction is a nop or not. If it's not a nop,
      then it returns an error. If it is a nop then it replaces instruction at
      that address with a branch to ftrace_graph_caller.
      ftrace_disable_ftrace_graph_caller() behaves just the opposite. Therefore,
      if generic ftrace code ever calls either ftrace_enable_ftrace_graph_caller()
      or ftrace_disable_ftrace_graph_caller() consecutively two times in a row,
      then it will return an error, which will cause the generic ftrace code to
      raise a warning.
      
      Note, x86 does not have an issue with this because the architecture
      specific code for ftrace_enable_ftrace_graph_caller() and
      ftrace_disable_ftrace_graph_caller() does not check the previous state,
      and calling either of these functions twice in a row has no ill effect.
      
      Link: http://lkml.kernel.org/r/e4fbe64cdac0dd0e86a3bf914b0f83c0b419f146.1425666454.git.panand@redhat.com
      Signed-off-by: Pratyush Anand <panand@redhat.com>
      [
        removed extra if (ftrace_start_up) and defined ftrace_graph_active as 0
        if CONFIG_FUNCTION_GRAPH_TRACER is not set.
      ]
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      can: add missing initialisations in CAN related skbuffs · 2932a0a1
      Oliver Hartkopp authored
      commit 96943901 upstream.
      
      When accessing CAN network interfaces with AF_PACKET sockets e.g. by dhclient
      this can lead to a skb_under_panic due to missing skb initialisations.
      
      Add the missing initialisations at the CAN skbuff creation times on driver
      level (rx path) and in the network layer (tx path).
      Reported-by: Austin Schuh <austin@peloton-tech.com>
      Reported-by: Daniel Steer <daniel.steer@mclaren.com>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      [lizf: Backported to 3.4:
       - adjust context
       - drop changes to alloc_canfd_skb(), as there's no such function]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      libsas: Fix Kernel Crash in smp_execute_task · 1c45b5d6
      James Bottomley authored
      commit 6302ce4d upstream.
      
      This crash was reported:
      
      [  366.947370] sd 3:0:1:0: [sdb] Spinning up disk....
      [  368.804046] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  368.804072] IP: [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804098] PGD 0
      [  368.804114] Oops: 0002 [#1] SMP
      [  368.804143] CPU 1
      [  368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common
      [  368.804749]
      [  368.804764] Pid: 392, comm: kworker/u:3 Tainted: P        W  O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920
      [  368.804802] RIP: 0010:[<ffffffff81358457>]  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804827] RSP: 0018:ffff880117001cc0  EFLAGS: 00010246
      [  368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420
      [  368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4
      [  368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe
      [  368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4
      [  368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8
      [  368.804916] FS:  0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000
      [  368.804931] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0
      [  368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0)
      [  368.805009] Stack:
      [  368.805017]  ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c
      [  368.805062]  000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000
      [  368.805100]  ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac
      [  368.805135] Call Trace:
      [  368.805153]  [<ffffffff81056f7c>] ? up+0xb/0x33
      [  368.805168]  [<ffffffff813583ac>] ? mutex_lock+0x16/0x25
      [  368.805194]  [<ffffffffa018c414>] ? smp_execute_task+0x4e/0x222 [libsas]
      [  368.805217]  [<ffffffffa018ce1c>] ? sas_find_bcast_dev+0x3c/0x15d [libsas]
      [  368.805240]  [<ffffffffa018ce4f>] ? sas_find_bcast_dev+0x6f/0x15d [libsas]
      [  368.805264]  [<ffffffffa018e989>] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas]
      [  368.805280]  [<ffffffff81355a2a>] ? printk+0x43/0x48
      [  368.805296]  [<ffffffff81359a65>] ? _raw_spin_unlock_irqrestore+0xc/0xd
      [  368.805318]  [<ffffffffa018b767>] ? sas_revalidate_domain+0x85/0xb6 [libsas]
      [  368.805336]  [<ffffffff8104e5d9>] ? process_one_work+0x151/0x27c
      [  368.805351]  [<ffffffff8104f6cd>] ? worker_thread+0xbb/0x152
      [  368.805366]  [<ffffffff8104f612>] ? manage_workers.isra.29+0x163/0x163
      [  368.805382]  [<ffffffff81052c4e>] ? kthread+0x79/0x81
      [  368.805399]  [<ffffffff8135fea4>] ? kernel_thread_helper+0x4/0x10
      [  368.805416]  [<ffffffff81052bd5>] ? kthread_flush_work_fn+0x9/0x9
      [  368.805431]  [<ffffffff8135fea0>] ? gs_change+0x13/0x13
      [  368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41
      [  368.805851] RIP  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.805877]  RSP <ffff880117001cc0>
      [  368.805886] CR2: 0000000000000000
      [  368.805899] ---[ end trace b720682065d8f4cc ]---
      
      It's directly caused by 89d3cf6a [SCSI] libsas: add mutex for SMP task
      execution, but shows a deeper cause: expander functions expect to be able to
      cast to and treat domain devices as expanders.  The correct fix is to only do
      expander discover when we know we've got an expander device to avoid wrongly
      casting a non-expander device.
      Reported-by: Praveen Murali <pmurali@logicube.com>
      Tested-by: Praveen Murali <pmurali@logicube.com>
      Signed-off-by: James Bottomley <JBottomley@Parallels.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      bnx2x: Force fundamental reset for EEH recovery · 89cd7665
      Brian King authored
      commit da293700 upstream.
      
      EEH recovery for bnx2x based adapters is not reliable on all Power
      systems using the default hot reset, which can result in an
      unrecoverable EEH error. Forcing the use of fundamental reset
      during EEH recovery fixes this.
      Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ARM: at91: pm: fix at91rm9200 standby · ec3be97f
      Alexandre Belloni authored
      commit 84e87166 upstream.
      
      at91rm9200 standby and suspend to ram has been broken since
      00482a40. It is wrongly using AT91_BASE_SYS which is a physical address
      and actually doesn't correspond to any register on at91rm9200.
      
      Use the correct at91_ramc_base[0] instead.
      
      Fixes: 00482a40 (ARM: at91: implement the standby function for pm/cpuidle)
      Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ipvs: add missing ip_vs_pe_put in sync code · bd637e58
      Julian Anastasov authored
      commit 528c943f upstream.
      
      ip_vs_conn_fill_param_sync() gets in param.pe a module
      reference for persistence engine from __ip_vs_pe_getbyname()
      but forgets to put it. Problem occurs in backup for
      sync protocol v1 (2.6.39).
      
      Also, pe_data usually comes in sync messages for
      connection templates and ip_vs_conn_new() copies
      the pointer only in this case. Make sure pe_data
      is not leaked if it comes unexpectedly for normal
      connections. Leak can happen only if bogus messages
      are sent to backup server.
      
      Fixes: fe5e7a1e ("IPVS: Backup, Adding Version 1 receive capability")
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      gadgetfs: use-after-free in ->aio_read() · 0b4b4c30
      Al Viro authored
      commit f01d35a1 upstream.
      
      AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
      we are going to access it asynchronously, we'd better get ourselves
      a copy - the one on kernel stack of aio_run_iocb() won't be there
      anymore.  function/f_fs.c take care of doing that, legacy/inode.c
      doesn't...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      [lizf: Backported to 3.4:
       - adjust context
       - need kfree() after calling get_ready_ep()]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      sunrpc: fix braino in ->poll() · 464e5035
      Al Viro authored
      commit 1711fd9a upstream.
      
      POLL_OUT isn't what callers of ->poll() are expecting to see; it's
      actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
      bit...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Bruce Fields <bfields@fieldses.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      TTY: fix tty_wait_until_sent on 64-bit machines · 9d3cfbba
      Johan Hovold authored
      commit 79fbf4a5 upstream.
      
      Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an
      infinite timeout (0) would be passed to the underlying tty-driver's
      wait_until_sent-operation as a negative timeout (-1), causing it to
      return immediately.
      
      This manifests itself for example as tcdrain() returning immediately,
      drivers not honouring the drain flags when setting terminal attributes,
      or even dropped data on close as a requested infinite closing-wait
      timeout would be ignored.
      
      The first symptom  was reported by Asier LLANO who noted that tcdrain()
      returned prematurely when using the ftdi_sio usb-serial driver.
      
      Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the
      underlying tty driver.
      
      Note that the serial-core wait_until_sent-implementation is not affected
      by this bug due to a lucky chance (comparison to an unsigned maximum
      timeout), and neither is the cyclades one that had an explicit check for
      negative timeouts, but all other tty drivers appear to be affected.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
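      The narrowing described in the commit above, as an added model (not the kernel's or the author's code): the tty core keeps its timeout in a `long`, the driver op takes an `int`, and the widened "infinite" value does not survive the conversion on LP64. The function names are hypothetical stand-ins.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the tty core / tty driver timeout hand-off. The tty
 * core works in `long` jiffies, while a driver's wait_until_sent() op takes
 * an `int`. The kernel's MAX_SCHEDULE_TIMEOUT is LONG_MAX. */
#define MAX_SCHEDULE_TIMEOUT LONG_MAX

/* Driver side: 0 means "no limit"; a negative value is treated as already
 * expired, so the driver returns without waiting for its FIFO to drain. */
static bool driver_returns_immediately(int timeout)
{
    return timeout < 0;
}

/* Buggy core path: the caller's infinite timeout (0) is widened to
 * MAX_SCHEDULE_TIMEOUT for the core's own wait, and the same `long` is then
 * handed to the driver's `int` parameter. On LP64 the low 32 bits of
 * LONG_MAX are all ones, so the driver receives -1. */
static int driver_timeout_buggy(long timeout)
{
    if (!timeout)
        timeout = MAX_SCHEDULE_TIMEOUT;
    /* ... core drains its own buffers using `timeout` here ... */
    return (int)timeout;   /* the implicit narrowing at the driver call */
}

/* Fixed core path: the widened value stays internal to the core; the driver
 * gets the caller's 0, which it already understands as "no limit". */
static int driver_timeout_fixed(long timeout)
{
    long core_timeout = timeout ? timeout : MAX_SCHEDULE_TIMEOUT;
    (void)core_timeout;    /* consumed only by the core's own wait loop */
    return (int)timeout;
}

int main(void)
{
    int buggy = driver_timeout_buggy(0), fixed = driver_timeout_fixed(0);

    printf("sizeof(long)=%zu: buggy passes %d to the driver (%s), "
           "fixed passes %d (%s)\n", sizeof(long),
           buggy, driver_returns_immediately(buggy) ? "returns at once" : "waits",
           fixed, driver_returns_immediately(fixed) ? "returns at once" : "waits");
    return 0;
}
```

      On a 32-bit build `long` and `int` have the same width, so the buggy path passes INT_MAX and still waits; only 64-bit machines show the premature return, matching the commit's description.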
      net: irda: fix wait_until_sent poll timeout · 974de0a7
      Johan Hovold authored
      commit 2c3fbe3c upstream.
      
      In case an infinite timeout (0) is requested, the irda wait_until_sent
      implementation would use a zero poll timeout rather than the default
      200ms.
      
      Note that wait_until_sent is currently never called with a 0-timeout
      argument due to a bug in tty_wait_until_sent.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      console: Fix console name size mismatch · 7ebae41b
      Peter Hurley authored
      commit 30a22c21 upstream.
      
      commit 6ae9200f ("enlarge console.name") increased the storage
      for the console name to 16 bytes, but not the corresponding
      struct console_cmdline::name storage. Console names longer than
      8 bytes cause read beyond end-of-string and failure to match
      console; I'm not sure if there are other unexpected consequences.
      Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [lizf: Backported to 3.4:
       - adjust filename
       - s/c->name/console_cmdline[i].name/]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      tty: fix up atime/mtime mess, take four · f835912a
      Jiri Slaby authored
      commit f0bf0bd0 upstream.
      
      This problem was taken care of three times already in
      * b0de59b5 (TTY: do not update
        atime/mtime on read/write),
      * 37b7f3c7 (TTY: fix atime/mtime
        regression), and
      * b0b88565 (tty: fix up atime/mtime
        mess, take three)
      
      But it still misses one point. As John Paul correctly points out, we
      do not care about setting date. If somebody ever changes wall
      time backwards (by mistake for example), tty timestamps are never
      updated until the original wall time passes.
      
      So check the absolute difference of times and if it is larger than "8
      seconds or so", always update the time. That means we will update
      immediately when changing time. Ergo, CAP_SYS_TIME can foul the
      check, but it was always that way.
      
      Thanks John for serving me this so nicely debugged.
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com>
      Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      Change email address for 8250_pci · 23e1d762
      Russell King authored
      commit f2e0ea86 upstream.
      
      I'm still receiving reports to my email address, so let's point this
      at the linux-serial mailing list instead.
      Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      xhci: Workaround for PME stuck issues in Intel xhci · 6f82bf68
      Mathias Nyman authored
      commit b8cb91e0 upstream.
      
      The xhci in Intel Sunrisepoint and Cherryview platforms need a driver
      workaround for a Stuck PME that might either block PME events in suspend,
      or create spurious PME events preventing runtime suspend.
      
      Workaround is to clear an internal PME flag, BIT(28) in a vendor specific
      PMCTRL register at offset 0x80a4, in both suspend and resume callbacks.
      
      Without this, xhci connected usb devices might never be able to wake up the
      system from suspend, or prevent the device from going to suspend (xhci d3).
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      xhci: fix reporting of 0-sized URBs in control endpoint · 1038be67
      Aleksander Morgado authored
      commit 45ba2154 upstream.
      
      When a control transfer has a short data stage, the xHCI controller generates
      two transfer events: a COMP_SHORT_TX event that specifies the untransferred
      amount, and a COMP_SUCCESS event. But when the data stage is not short, only the
      COMP_SUCCESS event occurs. Therefore, xhci-hcd must set urb->actual_length to
      urb->transfer_buffer_length while processing the COMP_SUCCESS event, unless
      urb->actual_length was set already by a previous COMP_SHORT_TX event.
      
      The driver checks this by seeing whether urb->actual_length == 0, but this alone
      is the wrong test, as it is entirely possible for a short transfer to have an
      urb->actual_length = 0.
      
      This patch changes the xhci driver to rely on a new td->urb_length_set flag,
      which is set to true when a COMP_SHORT_TX event is received and the URB length
      updated at that stage.
      
      This fixes a bug which affected the HSO plugin, which relies on URBs with
      urb->actual_length == 0 to halt re-submitting the RX URB in the control
      endpoint.
      Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
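      The completion logic described in the commit above, as an added model (not xhci-hcd code): the `actual_length == 0` test beside the `urb_length_set` flag, driven by the two event sequences a control data stage can produce. Struct and function names are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the per-TD completion handling for a control
 * transfer's data stage. A short stage produces COMP_SHORT_TX (carrying the
 * untransferred residual) followed by COMP_SUCCESS; a full-length stage
 * produces only COMP_SUCCESS. */
enum comp_code { COMP_SHORT_TX, COMP_SUCCESS };

struct urb {
    uint32_t transfer_buffer_length;  /* what the caller asked for */
    uint32_t actual_length;           /* what the device delivered */
};

struct td {
    struct urb *urb;
    bool urb_length_set;  /* true once COMP_SHORT_TX has fixed the length */
};

typedef void (*event_fn)(struct td *, enum comp_code, uint32_t);

/* Buggy rule: "actual_length == 0" is taken to mean no short event was seen,
 * which misclassifies a genuine 0-byte short transfer. */
static void process_event_buggy(struct td *td, enum comp_code code, uint32_t residual)
{
    struct urb *urb = td->urb;

    switch (code) {
    case COMP_SHORT_TX:
        urb->actual_length = urb->transfer_buffer_length - residual;
        break;
    case COMP_SUCCESS:
        if (urb->actual_length == 0)   /* wrong: 0 is a valid short length */
            urb->actual_length = urb->transfer_buffer_length;
        break;
    }
}

/* Fixed rule: an explicit per-TD flag records that the short event ran, so
 * COMP_SUCCESS only fills in the length when nothing set it before. */
static void process_event_fixed(struct td *td, enum comp_code code, uint32_t residual)
{
    struct urb *urb = td->urb;

    switch (code) {
    case COMP_SHORT_TX:
        urb->actual_length = urb->transfer_buffer_length - residual;
        td->urb_length_set = true;
        break;
    case COMP_SUCCESS:
        if (!td->urb_length_set)
            urb->actual_length = urb->transfer_buffer_length;
        break;
    }
}

/* Feeds one data stage to a handler and returns the resulting actual_length.
 * `delivered` is the byte count the constructed device actually sent. */
static uint32_t run_data_stage(event_fn handler, uint32_t requested, uint32_t delivered)
{
    struct urb urb = { .transfer_buffer_length = requested, .actual_length = 0 };
    struct td td = { .urb = &urb, .urb_length_set = false };

    if (delivered < requested)
        handler(&td, COMP_SHORT_TX, requested - delivered);
    handler(&td, COMP_SUCCESS, 0);
    return urb.actual_length;
}

int main(void)
{
    /* The case the HSO plugin relies on: a 0-byte short transfer. */
    printf("64-byte request, 0 bytes delivered: buggy reports %u, fixed reports %u\n",
           run_data_stage(process_event_buggy, 64, 0),
           run_data_stage(process_event_fixed, 64, 0));
    return 0;
}
```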
      x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization · 55864668
      Andy Lutomirski authored
      commit 956421fb upstream.
      
      'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
      the related state make sense for 'ret_from_sys_call'.  This is
      entirely the wrong check.  TS_COMPAT would make a little more
      sense, but there's really no point in keeping this optimization
      at all.
      
      This fixes a return to the wrong user CS if we came from int
      0x80 in a 64-bit task.
      Signed-off-by: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
      [ Backported from tip:x86/asm. ]
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ASoC: omap-pcm: Correct dma mask · 95f6ecf4
      Peter Ujfalusi authored
      commit d51199a8 upstream.
      
      DMA_BIT_MASK of 64 is not valid dma address mask for OMAPs, it should be
      set to 32.
      The 64 was introduced by commit (in 2009):
      a152ff24 ASoC: OMAP: Make DMA 64 aligned
      
      But the dma_mask and coherent_dma_mask can not be used to specify alignment.
      
      Fixes: a152ff24 (ASoC: OMAP: Make DMA 64 aligned)
      Reported-by: Grygorii Strashko <Grygorii.Strashko@linaro.org>
      Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      [lizf: Backported to 3.4: there's no dma_coerce_mask_and_coherent()]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ACPI / video: Load the module even if ACPI is disabled · 4863cbc4
      Chris Wilson authored
      commit 6e17cb12 upstream.
      
      i915.ko depends upon the acpi/video.ko module and so refuses to load if
      ACPI is disabled at runtime, for example if the BIOS is broken beyond
      repair. acpi/video provides an optional service for i915.ko and so we
      should just allow the modules to load, but do nothing in order to let
      the machines boot correctly.
      Reported-by: Bill Augur <bill-auger@programmer.net>
      Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Jani Nikula <jani.nikula@intel.com>
      Acked-by: Aaron Lu <aaron.lu@intel.com>
      [ rjw: Fixed up the new comment in acpi_video_init() ]
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      drm/radeon: fix DRM_IOCTL_RADEON_CS oops · 96aded16
      Tommi Rantala authored
      commit a28b2a47 upstream.
      
      Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
      following oops.
      
      Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
      
      ----------------------------------
      
       #include <stdint.h>
       #include <fcntl.h>
       #include <unistd.h>
       #include <sys/ioctl.h>
       #include <drm/radeon_drm.h>
      
       static const struct drm_radeon_cs cs;
      
       int main(int argc, char **argv)
       {
               return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
       }
      
      ----------------------------------
      
      [ttrantal@test2 ~]$ ./main /dev/dri/card0
      [   46.904650] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [   46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
      [   46.905022] PGD 68f29067 PUD 688b5067 PMD 0
      [   46.905022] Oops: 0002 [#1] SMP
      [   46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
      [   46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
      [   46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
      [   46.905022] RIP: 0010:[<ffffffff814d6df2>]  [<ffffffff814d6df2>] list_sort+0x42/0x240
      [   46.905022] RSP: 0018:ffff880058e67998  EFLAGS: 00010246
      [   46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      [   46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
      [   46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
      [   46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
      [   46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
      [   46.905022] FS:  00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
      [   46.905022] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
      [   46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
      [   46.905022] Stack:
      [   46.905022]  ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
      [   46.905022]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
      [   46.905022]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
      [   46.905022] Call Trace:
      [   46.905022]  [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
      [   46.905022]  [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
      [   46.905022]  [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
      [   46.905022]  [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
      [   46.905022]  [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
      [   46.905022]  [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
      [   46.905022]  [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
      [   46.905022]  [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
      [   46.905022]  [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
      [   46.905022]  [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
      [   46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff
      ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7
      00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
      [   46.905022] RIP  [<ffffffff814d6df2>] list_sort+0x42/0x240
      [   46.905022]  RSP <ffff880058e67998>
      [   46.905022] CR2: 0000000000000000
      [   47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
      Reviewed-by: Christian König <christian.koenig@amd.com>
      Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      drm/radeon: do a posting read in si_set_irq · 63a445d3
      Alex Deucher authored
      commit 0586915e upstream.
      
      To make sure the writes go through the pci bridge.
      
      bug:
      https://bugzilla.kernel.org/show_bug.cgi?id=90741
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      drm/radeon: do a posting read in evergreen_set_irq · 0c354d6a
      Alex Deucher authored
      commit c320bb5f upstream.
      
      To make sure the writes go through the pci bridge.
      
      bug:
      https://bugzilla.kernel.org/show_bug.cgi?id=90741
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      drm/radeon: do a posting read in r600_set_irq · 7758b16f
      Alex Deucher authored
      commit 9d1393f2 upstream.
      
      To make sure the writes go through the pci bridge.
      
      bug:
      https://bugzilla.kernel.org/show_bug.cgi?id=90741
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      drm/radeon: do a posting read in rs600_set_irq · 81b10081
      Alex Deucher authored
      commit 54acf107 upstream.
      
      To make sure the writes go through the pci bridge.
      
      bug:
      https://bugzilla.kernel.org/show_bug.cgi?id=90741
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      81b10081
    • drm/radeon: do a posting read in r100_set_irq · e653b3ed
      Alex Deucher authored
      commit f957063f upstream.
      
      To make sure the writes go through the pci bridge.
      
      bug:
      https://bugzilla.kernel.org/show_bug.cgi?id=90741
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      e653b3ed
    • eCryptfs: don't pass fs-specific ioctl commands through · ba4e25ac
      Tyler Hicks authored
      commit 6d65261a upstream.
      
      eCryptfs can't be aware of what to expect after passing an
      arbitrary ioctl command through to the lower filesystem. The ioctl
      command may trigger an action in the lower filesystem that is
      incompatible with eCryptfs.
      
      One specific example is when one attempts to use the Btrfs clone
      ioctl command when the source file is in the Btrfs filesystem that
      eCryptfs is mounted on top of and the destination fd is from a new file
      created in the eCryptfs mount. The ioctl syscall incorrectly returns
      success because the command is passed down to Btrfs which thinks that it
      was able to do the clone operation. However, the result is an empty
      eCryptfs file.
      
      This patch allows the trim, {g,s}etflags, and {g,s}etversion ioctl
      commands through and then copies up the inode metadata from the lower
      inode to the eCryptfs inode to catch any changes made to the lower
      inode's metadata. Those five ioctl commands are mostly common across all
      filesystems but the whitelist may need to be further pruned in the
      future.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=93691
      https://launchpad.net/bugs/1305335
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Cc: Rocko <rockorequin@hotmail.com>
      Cc: Colin Ian King <colin.king@canonical.com>
      [lizf: Backported to 3.4:
       - adjust context
       - there's no file_inode(), so open-code it]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ba4e25ac
    • usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards · eeaab591
      Max Mansfield authored
      commit c7d373c3 upstream.
      
      This patch integrates Cyber Cortex AV boards with the existing
      ftdi_jtag_quirk in order to use serial port 0 with JTAG which is
      required by the manufacturers' software.
      
      Steps: 2
      
      [ftdi_sio_ids.h]
      1. Defined the device PID
      
      [ftdi_sio.c]
      2. Added a macro declaration to the ids array, in order to enable the
      jtag quirk for the device.
      Signed-off-by: Max Mansfield <max.m.mansfield@gmail.com>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      eeaab591
    • NFSv4: Don't call put_rpccred() under the rcu_read_lock() · deee5f87
      Trond Myklebust authored
      commit 7c0af9ff upstream.
      
      put_rpccred() can sleep.
      
      Fixes: 8f649c37 ("NFSv4: Fix the locking in nfs_inode_reclaim_delegation()")
      Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      deee5f87
    • USB: serial: cp210x: Adding Seletek device id's · c7ef03cc
      Michiel vd Garde authored
      commit 675af708 upstream.
      
      These device ID's are not associated with the cp210x module currently,
      but should be. This patch allows the devices to operate upon connecting
      them to the usb bus as intended.
      Signed-off-by: Michiel van de Garde <mgparser@gmail.com>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      c7ef03cc
    • mac80211: Send EAPOL frames at lowest rate · 29bc7124
      Jouni Malinen authored
      commit 9c1c98a3 upstream.
      
      The current minstrel_ht rate control behavior is somewhat optimistic in
      trying to find optimum TX rate. While this is usually fine for normal
      Data frames, there are cases where a more conservative set of retry
      parameters would be beneficial to make the connection more robust.
      
      EAPOL frames are critical to the authentication and especially the
      EAPOL-Key message 4/4 (the last message in the 4-way handshake) is
      important to get through to the AP. If that message is lost, the only
      recovery mechanism in many cases is to reassociate with the AP and start
      from scratch. This can often be avoided by trying to send the frame with
      more conservative rate and/or with more link layer retries.
      
      In most cases, minstrel_ht is currently using the initial EAPOL-Key
      frames for probing higher rates and this results in only five link layer
      transmission attempts (one at high(ish) MCS and four at MCS0). While
      this works with most APs, it looks like there are some deployed APs that
      may have issues with the EAPOL frames using HT MCS immediately after
      association. Similarly, there may be issues in cases where the signal
      strength or radio environment is not good enough to be able to get
      frames through even at a couple of MCS 0 tries.
      
      The best approach for this would likely be to reduce the TX rate for
      the last rate (3rd rate parameter in the set) to a low basic rate (say,
      6 Mbps on 5 GHz and 2 or 5.5 Mbps on 2.4 GHz), but doing that cleanly
      requires some more effort. For now, we can start with a simple one-liner
      that forces the minimum rate to be used for EAPOL frames, similarly to how
      the TX rate is selected for the IEEE 802.11 Management frames. This does
      result in a small extra latency added to the cases where the AP would be
      able to receive the higher rate, but taking into account how small a number
      of EAPOL frames are used, this is likely to be insignificant. A future
      optimization in the minstrel_ht design can also allow this patch to be
      reverted to get back to the more optimized initial TX rate.
      
      It should also be noted that many drivers that do not use minstrel as
      the rate control algorithm are already doing similar workarounds by
      forcing the lowest TX rate to be used for EAPOL frames.
      Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
      Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      [lizf: Backported to 3.4: adjust the if statement]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      29bc7124
    • USB: serial: fix tty-device error handling at probe · ba5369ce
      Johan Hovold authored
      commit ca4383a3 upstream.
      
      Add missing error handling when registering the tty device at port
      probe. This avoids trying to remove an uninitialised character device
      when the port device is removed.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Greg Kroah-Hartman <greg@kroah.com>
      [lizf: Backported to 3.4:
       - adjust context
       - s/goto exit_with_autopm/goto exit]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ba5369ce
    • USB: serial: fix potential use-after-free after failed probe · 97d0aa6b
      Johan Hovold authored
      commit 07fdfc5e upstream.
      
      Fix return value in probe error path, which could end up returning
      success (0) on errors. This could in turn lead to use-after-free or
      double free (e.g. in port_remove) when the port device is removed.
      
      Fixes: c706ebdf ("USB: usb-serial: call port_probe and port_remove
      at the right times")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Greg Kroah-Hartman <greg@kroah.com>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      97d0aa6b
    • USB: ftdi_sio: add PIDs for Actisense USB devices · a10ca36c
      Mark Glover authored
      commit f6950344 upstream.
      
      These product identifiers (PID) all deal with marine NMEA format data
      used on motor boats and yachts. We supply the programmed devices to
      Chetco, for use inside their equipment. The PIDs are a direct copy of
      our Windows device drivers (FTDI drivers with altered PIDs).
      Signed-off-by: Mark Glover <mark@actisense.com>
      [johan: edit commit message slightly ]
      Signed-off-by: Johan Hovold <johan@kernel.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      a10ca36c
    • USB: usbfs: don't leak kernel data in siginfo · 43cc8e41
      Alan Stern authored
      commit f0c2b681 upstream.
      
      When a signal is delivered, the information in the siginfo structure
      is copied to userspace.  Good security practice dictates that the
      unused fields in this structure should be initialized to 0 so that
      random kernel stack data isn't exposed to the user.  This patch adds
      such an initialization to the two places where usbfs raises signals.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: Dave Mielke <dave@mielke.cc>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      43cc8e41
    • xhci: Allocate correct amount of scratchpad buffers · ab4676b6
      Mathias Nyman authored
      commit 6596a926 upstream.
      
      Include the high order bit fields for Max scratchpad buffers when
      calculating how many scratchpad buffers are needed.
      
      I'm surprised this hasn't caused more issues, we never allocated more than
      32 buffers even if xhci needed more. Either we got lucky and xhci never
      really used past that area, or then we got enough zeroed dma memory anyway.
      
      Should be backported as far back as possible
      Reported-by: Tim Chen <tim.c.chen@linux.intel.com>
      Tested-by: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      ab4676b6
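The scratchpad count the commit above fixes comes from two split bit fields of the xHCI HCSPARAMS2 register. The following is an added example, not the kernel's code: it assumes the xHCI layout (Max Scratchpad Bufs Lo in bits 31:27, Hi in bits 25:21) and contrasts a Lo-only computation with the combined one.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the kernel's own macros. Field positions follow the
 * xHCI HCSPARAMS2 register layout (assumption stated in the lead-in). */
#define HCS_MAX_SCRATCHPAD_LO(p)  (((p) >> 27) & 0x1f)   /* bits 31:27 */
#define HCS_MAX_SCRATCHPAD_HI(p)  (((p) >> 21) & 0x1f)   /* bits 25:21 */

/* Lo-only computation: ignores the high-order field, so any controller
 * that needs 32 or more buffers is under-allocated. */
unsigned int scratchpad_count_lo_only(uint32_t hcs_params2)
{
    return HCS_MAX_SCRATCHPAD_LO(hcs_params2);
}

/* Combined computation: Hi supplies bits 9:5 of the count, Lo bits 4:0,
 * giving the full 10-bit value the controller actually requires. */
unsigned int scratchpad_count_fixed(uint32_t hcs_params2)
{
    return (HCS_MAX_SCRATCHPAD_HI(hcs_params2) << 5)
         | HCS_MAX_SCRATCHPAD_LO(hcs_params2);
}

/* Constructed helper: builds an HCSPARAMS2 value for a wanted count
 * (other register fields left zero) so the two readers can be compared. */
uint32_t make_hcs_params2(unsigned int count)
{
    return ((uint32_t)(count & 0x1f) << 27)
         | ((uint32_t)((count >> 5) & 0x1f) << 21);
}

/* Returns how many buffers the lo-only reader would have missed. */
unsigned int scratchpad_shortfall(uint32_t hcs_params2)
{
    return scratchpad_count_fixed(hcs_params2)
         - scratchpad_count_lo_only(hcs_params2);
}

int main(void)
{
    unsigned int wanted[] = { 4, 31, 32, 37, 64, 1023 };
    for (unsigned int i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        uint32_t reg = make_hcs_params2(wanted[i]);
        printf("HCSPARAMS2=0x%08x needs %4u, lo-only reads %2u (short %u)\n",
               reg, scratchpad_count_fixed(reg),
               scratchpad_count_lo_only(reg), scratchpad_shortfall(reg));
    }
    return 0;
}
```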
    • KVM: emulate: fix CMPXCHG8B on 32-bit hosts · fac95017
      Paolo Bonzini authored
      commit 4ff6f8e6 upstream.
      
      This has been broken for a long time: it broke first in 2.6.35, then was
      almost fixed in 2.6.36 but this one-liner slipped through the cracks.
      The bug shows up as an infinite loop in Windows 7 (and newer) boot on
      32-bit hosts without EPT.
      
      Windows uses CMPXCHG8B to write to page tables, which causes a
      page fault if running without EPT; the emulator is then called from
      kvm_mmu_page_fault.  The loop then happens if the higher 4 bytes are
      not 0; the common case for this is that the NX bit (bit 63) is 1.
      
      Fixes: 6550e1f1
      Fixes: 16518d5a
      Reported-by: Erik Rull <erik.rull@rdsoftware.de>
      Tested-by: Erik Rull <erik.rull@rdsoftware.de>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      fac95017
    • team: fix possible null pointer dereference in team_handle_frame · c5f69b5a
      Jiri Pirko authored
      commit 57e59563 upstream.
      
      Currently following race is possible in team:
      
      CPU0                                        CPU1
                                                  team_port_del
                                                    team_upper_dev_unlink
                                                      priv_flags &= ~IFF_TEAM_PORT
      team_handle_frame
        team_port_get_rcu
          team_port_exists
            priv_flags & IFF_TEAM_PORT == 0
          return NULL (instead of port got
                       from rx_handler_data)
                                                    netdev_rx_handler_unregister
      
      The thing is that the flag is removed before rx_handler is unregistered.
      If team_handle_frame is called in between, team_port_exists returns 0
      and team_port_get_rcu will return NULL.
      So do not check the flag here. It is guaranteed by netdev_rx_handler_unregister
      that team_handle_frame will always see valid rx_handler_data pointer.
      Signed-off-by: Jiri Pirko <jiri@resnulli.us>
      Fixes: 3d249d4c ("net: introduce ethernet teaming device")
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      c5f69b5a
    • netfilter: xt_socket: fix a stack corruption bug · cea9eddd
      Eric Dumazet authored
      commit 78296c97 upstream.
      
      As soon as extract_icmp6_fields() returns, its local storage (automatic
      variables) is deallocated and can be overwritten.
      
      Let's add an additional parameter to make sure storage is valid long
      enough.
      
      While we are at it, add some const qualifiers.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Fixes: b64c9256 ("tproxy: added IPv6 support to the socket match")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      cea9eddd
    • nilfs2: fix potential memory overrun on inode · 3dc8cc46
      Ryusuke Konishi authored
      commit 957ed60b upstream.
      
      Each inode of nilfs2 stores a root node of a b-tree, and it turned out to
      have a memory overrun issue:
      
      Each b-tree node of nilfs2 stores a set of key-value pairs and the number
      of them (in "bn_nchildren" member of nilfs_btree_node struct), as well as
      a few other "bn_*" members.
      
      Since the value of "bn_nchildren" is used for operations on the key-values
      within the b-tree node, it can cause memory access overrun if a large
      number is incorrectly set to "bn_nchildren".
      
      For instance, nilfs_btree_node_lookup() function determines the range of
      binary search with it, and too large "bn_nchildren" leads
      nilfs_btree_node_get_key() in that function to overrun.
      
      As for intermediate b-tree nodes, this is prevented by a sanity check
      performed when each node is read from a drive, however, no sanity check
      has been done for root nodes stored in inodes.
      
      This patch fixes the issue by adding missing sanity check against b-tree
      root nodes so that it's called when on-memory inodes are read from ifile,
      inode metadata file.
      Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Zefan Li <lizefan@huawei.com>
      3dc8cc46