1. 13 Mar, 2017 10 commits
    • MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps · 4463676f
      Paul Burton authored
      commit 096a0de4 upstream.
      
      is_jump_ins() checks for plain jump ("j") instructions since commit
      e7438c4b ("MIPS: Fix sibling call handling in get_frame_info") but
      that commit didn't make the same change to the microMIPS code, leaving
      it inconsistent with the MIPS32/MIPS64 code. Handle the microMIPS
      encoding of the jump instruction too such that it behaves consistently.
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Fixes: e7438c4b ("MIPS: Fix sibling call handling in get_frame_info")
      Cc: Tony Wu <tung7970@gmail.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14533/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • MIPS: Calculate microMIPS ra properly when unwinding the stack · f335c12d
      Paul Burton authored
      commit bb9bc468 upstream.
      
      get_frame_info() calculates the offset of the return address within a
      stack frame simply by dividing the bottom 16 bits of the instruction,
      treated as a signed integer, by the size of a long. Whilst this works
      for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's
      incorrect for microMIPS where encodings differ. The result is that we
      typically completely fail to unwind the stack on microMIPS.
      
      Fix this by adjusting is_ra_save_ins() to calculate the return address
      offset, and take into account the various different encodings there in
      the same place as we consider whether an instruction is storing the
      ra/$31 register.
      
      With this we are now able to unwind the stack for kernels targeting the
      microMIPS ISA, for example we can produce:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          [<8011ea17>] __warn+0x9b/0xac
          [<8011ea45>] warn_slowpath_fmt+0x1d/0x20
          [<8013fe53>] register_console+0x43/0x314
          [<8067c58d>] of_setup_earlycon+0x1dd/0x1ec
          [<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8
          [<8066c115>] do_early_param+0x75/0xac
          [<801302f9>] parse_args+0x1dd/0x308
          [<8066c459>] parse_early_options+0x25/0x28
          [<8066c48b>] parse_early_param+0x2f/0x38
          [<8066e8cf>] setup_arch+0x113/0x488
          [<8066c4f3>] start_kernel+0x57/0x328
          ---[ end trace 0000000000000000 ]---
      
      Whereas previously we only produced:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          ---[ end trace 0000000000000000 ]---
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14532/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions · 553b06b1
      Paul Burton authored
      commit 67c75057 upstream.
      
      is_jump_ins() checks 16b instruction fields without verifying that the
      instruction is indeed 16b, as is done by is_ra_save_ins() &
      is_sp_move_ins(). Add the appropriate check.
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14531/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • MIPS: Fix get_frame_info() handling of microMIPS function size · aae839a7
      Paul Burton authored
      commit b6c7a324 upstream.
      
      get_frame_info() is meant to iterate over up to the first 128
      instructions within a function, but for microMIPS kernels it will not
      reach that many instructions unless the function is 512 bytes long since
      we calculate the maximum number of instructions to check by dividing the
      function length by the 4 byte size of a union mips_instruction. In
      microMIPS kernels this won't do since instructions are variable length.
      
      Fix this by instead checking whether the pointer to the current
      instruction has reached the end of the function, and use max_insns as a
      simple constant to check the number of iterations against.
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14530/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • MIPS: Prevent unaligned accesses during stack unwinding · 50ef9df8
      Paul Burton authored
      commit a3552dac upstream.
      
      During stack unwinding we call a number of functions to determine what
      type of instruction we're looking at. The union mips_instruction pointer
      provided to them may be pointing at a 2 byte, but not 4 byte, aligned
      address & we thus cannot directly access the 4 byte wide members of the
      union mips_instruction. To avoid this is_ra_save_ins() copies the
      required half-words of the microMIPS instruction to a correctly aligned
      union mips_instruction on the stack, which it can then access safely.
      The is_jump_ins() & is_sp_move_ins() functions do not correctly perform
      this temporary copy, and instead attempt to directly dereference 4 byte
      fields which may be misaligned and lead to an address exception.
      
      Fix this by copying the instruction halfwords to a temporary union
      mips_instruction in get_frame_info() such that we can provide a 4 byte
      aligned union mips_instruction to the is_*_ins() functions and they do
      not need to deal with misalignment themselves.
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14529/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • MIPS: Clear ISA bit correctly in get_frame_info() · 839f0816
      Paul Burton authored
      commit ccaf7caf upstream.
      
      get_frame_info() can be called in microMIPS kernels with the ISA bit
      already clear. For example this happens when unwind_stack_by_address()
      is called because we begin with a PC that has the ISA bit set & subtract
      the (odd) offset from the preceding symbol (which does not have the ISA
      bit set). Since get_frame_info() unconditionally subtracts 1 from the PC
      in microMIPS kernels it incorrectly misaligns the address it then
      attempts to access code at, leading to an address error exception.
      
      Fix this by using msk_isa16_mode() to clear the ISA bit, which allows
      get_frame_info() to function regardless of whether it is provided with a
      PC that has the ISA bit set or not.
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14528/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • MIPS: OCTEON: Fix copy_from_user fault handling for large buffers · 6f25f217
      James Cowgill authored
      commit 884b4269 upstream.
      
      If copy_from_user is called with a large buffer (>= 128 bytes) and the
      userspace buffer refers partially to unreadable memory, then it is
      possible for Octeon's copy_from_user to report the wrong number of bytes
      have been copied. In the case where the buffer size is an exact multiple
      of 128 and the fault occurs in the last 64 bytes, copy_from_user will
      report that all the bytes were copied successfully but leave some
      garbage in the destination buffer.
      
      The bug is in the main __copy_user_common loop in octeon-memcpy.S where
      in the middle of the loop, src and dst are incremented by 128 bytes. The
      l_exc_copy fault handler is used after this but that assumes that
      "src < THREAD_BUADDR($28)". This is not the case if src has already been
      incremented.
      
      Fix by adding an extra fault handler which rewinds the src and dst
      pointers 128 bytes before falling through to l_exc_copy.
      
      Thanks to the pwritev test from the strace test suite for originally
      highlighting this bug!
      
      Fixes: 5b3b1688 ("MIPS: Add Cavium OCTEON processor support ...")
      Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
      Acked-by: David Daney <david.daney@cavium.com>
      Reviewed-by: James Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14978/
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • MIPS: Fix special case in 64 bit IP checksumming. · 9245eb2f
      Ralf Baechle authored
      commit 66fd848c upstream.
      
      For certain arguments such as saddr = 0xc0a8fd60, daddr = 0xc0a8fda1,
      len = 80, proto = 17, sum = 0x7eae049d there will be a carry when
      folding the intermediate 64 bit checksum to 32 bit but the code doesn't
      add the carry back to the one's complement sum, thus an incorrect result
      will be generated.
      Reported-by: Mark Zhang <bomb.zhang@gmail.com>
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Reviewed-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
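      A C model of the 64-to-32 bit fold the commit above describes, added here as an example and not the kernel's csum_tcpudp_nofold assembly. It assumes big-endian operand order (len + proto added directly) and feeds in the commit's reported arguments to show the carry that the unfixed fold drops:

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit accumulation of the pseudo-header, as a 64-bit kernel does with
 * daddu. Four 32-bit terms cannot overflow 64 bits, so nothing is lost here.
 * Big-endian operand order is assumed: len + proto is added directly. */
static uint64_t pseudo_header_sum64(uint32_t saddr, uint32_t daddr,
                                    uint16_t len, uint8_t proto, uint32_t sum)
{
    return (uint64_t)sum + saddr + daddr + (uint64_t)len + proto;
}

/* Fold 64 -> 32 the way the commit describes the broken code: the high half
 * of (sum + (sum << 32)) is low32 + high32, but a carry out of bit 63 is
 * silently dropped instead of being added back. */
static uint32_t fold64_buggy(uint64_t sum)
{
    uint64_t t = sum + (sum << 32);
    return (uint32_t)(t >> 32);
}

/* Fixed fold: detect the carry out of bit 63 and add it back (end-around
 * carry), which is what one's-complement addition requires. */
static uint32_t fold64_fixed(uint64_t sum)
{
    uint64_t shifted = sum << 32;
    uint64_t t = sum + shifted;
    uint32_t carry = (t < shifted) ? 1u : 0u;   /* add wrapped past 2^64 */
    /* When carry is 1 the folded value is at most 0xfffffffe, so no wrap. */
    return (uint32_t)(t >> 32) + carry;
}

/* Standard 32 -> 16 fold and complement, to show the bug reaches the wire. */
static uint16_t csum_fold16(uint32_t sum)
{
    sum = (sum & 0xffffu) + (sum >> 16);
    sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Final 16-bit checksum, using either the buggy or the fixed fold. */
static uint16_t tcpudp_csum(uint32_t saddr, uint32_t daddr, uint16_t len,
                            uint8_t proto, uint32_t sum, int fixed)
{
    uint64_t s = pseudo_header_sum64(saddr, daddr, len, proto, sum);
    return csum_fold16(fixed ? fold64_fixed(s) : fold64_buggy(s));
}

int main(void)
{
    /* Arguments reported in the commit message: the 64-bit sum is
     * 0x1ffffffff, whose fold carries out of the top bit. */
    uint64_t s = pseudo_header_sum64(0xc0a8fd60, 0xc0a8fda1, 80, 17, 0x7eae049d);
    printf("64-bit sum: 0x%llx\n", (unsigned long long)s);
    printf("buggy fold: 0x%08x  fixed fold: 0x%08x\n",
           fold64_buggy(s), fold64_fixed(s));
    printf("buggy csum: 0x%04x  fixed csum: 0x%04x\n",
           tcpudp_csum(0xc0a8fd60, 0xc0a8fda1, 80, 17, 0x7eae049d, 0),
           tcpudp_csum(0xc0a8fd60, 0xc0a8fda1, 80, 17, 0x7eae049d, 1));
    return 0;
}
```

      The buggy fold yields 0 where the correct one's-complement result is 1, so the transmitted checksum is off by one and the peer rejects the datagram.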
    • perf trace: Use the syscall raw_syscalls:sys_enter timestamp · 26b65f1b
      Arnaldo Carvalho de Melo authored
      commit ecf1e225 upstream.
      
      Instead of the one when another syscall takes place while another is being
      processed (in another CPU, but we show it serialized, so need to "interrupt"
      the other), and also when finally showing the sys_enter + sys_exit + duration,
      where we were showing the sample->time for the sys_exit, duh.
      
      Before:
      
        # perf trace sleep 1
        <SNIP>
           0.373 (   0.001 ms): close(fd: 3                   ) = 0
        1000.626 (1000.211 ms): nanosleep(rqtp: 0x7ffd6ddddfb0) = 0
        1000.653 (   0.003 ms): close(fd: 1                   ) = 0
        1000.657 (   0.002 ms): close(fd: 2                   ) = 0
        1000.667 (   0.000 ms): exit_group(                   )
        #
      
      After:
      
        # perf trace sleep 1
        <SNIP>
           0.336 (   0.001 ms): close(fd: 3                   ) = 0
           0.373 (1000.086 ms): nanosleep(rqtp: 0x7ffe303e9550) = 0
        1000.481 (   0.002 ms): close(fd: 1                   ) = 0
        1000.485 (   0.001 ms): close(fd: 2                   ) = 0
        1000.494 (   0.000 ms): exit_group(                   )
      [root@jouet linux]#
      
      [js] no trace__printf_interrupted_entry in 3.12 yet
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Wang Nan <wangnan0@huawei.com>
      Link: http://lkml.kernel.org/n/tip-ecbzgmu2ni6glc6zkw8p1zmx@git.kernel.org
      Fixes: 752fde44 ("perf trace: Support interrupted syscalls")
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames · 5cbbb3f0
      Shmulik Ladkani authored
      commit d65f2fa6 upstream.
      
      META_COLLECTOR int_vlan_tag() assumes that if the accel tag (vlan_tci)
      is zero, then no vlan accel tag is present.
      
      This is incorrect for zero VID vlan accel packets, making the following
      match fail:
        tc filter add ... basic match 'meta(vlan mask 0xfff eq 0)' ...
      
      Apparently 'int_vlan_tag' was implemented before VLAN_TAG_PRESENT was
      introduced in 05423b24 "vlan: allow null VLAN ID to be used"
      (and at the time it was introduced, the 'vlan_tx_tag_get' call in em_meta
       was not adapted).
      
      Fix, testing skb_vlan_tag_present instead of testing skb_vlan_tag_get's
      value.
      
      Fixes: 05423b24 ("vlan: allow null VLAN ID to be used")
      Fixes: 1a31f204 ("netsched: Allow meta match on vlan tag on receive")
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
  2. 11 Mar, 2017 2 commits
    • sctp: deny peeloff operation on asocs with threads sleeping on it · 8aee8e6c
      Marcelo Ricardo Leitner authored
      commit dfcb9f4f upstream.
      
      commit 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
      attempted to avoid a BUG_ON call when the association being used for a
      sendmsg() is blocked waiting for more sndbuf and another thread did a
      peeloff operation on such asoc, moving it to another socket.
      
      As Ben Hutchings noticed, then in such case it would return without
      locking back the socket and would cause two unlocks in a row.
      
      Further analysis also revealed that it could allow a double free if the
      application managed to peeloff the asoc that is created during the
      sendmsg call, because then sctp_sendmsg() would try to free the asoc
      that was created only for that call.
      
      This patch takes another approach. It will deny the peeloff operation
      if there is a thread sleeping on the asoc, so this situation doesn't
      exist anymore. This avoids the issues described above and also honors
      the syscalls that are already being handled (it can be multiple sendmsg
      calls).
      
      Joint work with Xin Long.
      
      Fixes: 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
      Cc: Alexander Popov <alex.popov@linux.com>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • md linear: fix a race between linear_add() and linear_congested() · d93cf670
      colyli@suse.de authored
      commit 03a9e24e upstream.
      
      Recently I received a bug report that on a Linux v3.0 based kernel, hot adding a
      disk to a md linear device causes a kernel crash at linear_congested(). From
      the crash image analysis, I find in linear_congested(), mddev->raid_disks
      contains value N, but conf->disks[] only has N-1 pointers available. Then
      a NULL pointer dereference crashes the kernel.
      
      There is a race between linear_add() and linear_congested(); the RCU stuff
      used in these two functions cannot avoid the race. Since Linux v4.0 the
      RCU code is replaced by introducing mddev_suspend().  After checking the
      upstream code, it seems linear_congested() is not called in the
      generic_make_request() code path, so mddev_suspend() cannot prevent it
      from being called. The possible race still exists.
      
      Here I explain how the race still exists in current code.  For a machine
      that has many CPUs, on one CPU, linear_add() is called to add a hard disk to a
      md linear device; at the same time on another CPU, linear_congested() is
      called to detect whether this md linear device is congested before issuing
      an I/O request onto it.
      
      Now I use a possible code execution time sequence to demo how the possible
      race happens,
      
      seq    linear_add()                linear_congested()
       0                                 conf=mddev->private
       1   oldconf=mddev->private
       2   mddev->raid_disks++
       3                              for (i=0; i<mddev->raid_disks;i++)
       4                                bdev_get_queue(conf->disks[i].rdev->bdev)
       5   mddev->private=newconf
      
      In linear_add() mddev->raid_disks is increased in time seq 2, and on
      another CPU in linear_congested() the for-loop iterates conf->disks[i] by
      the increased mddev->raid_disks in time seq 3,4. But conf with one more
      element (which is a pointer to struct dev_info type) to conf->disks[] is
      not updated yet, accessing its structure member in time seq 4 will cause a
      NULL pointer dereference fault.
      
      To fix this race, there are 2 parts of modification in the patch,
       1) Add 'int raid_disks' in struct linear_conf, as a copy of
          mddev->raid_disks. It is initialized in linear_conf(), always being
          consistent with pointers number of 'struct dev_info disks[]'. When
          iterating conf->disks[] in linear_congested(), use conf->raid_disks to
          replace mddev->raid_disks in the for-loop, then NULL pointer dereference
          will not happen again.
       2) RCU stuffs are back again, and use kfree_rcu() in linear_add() to
          free oldconf memory. Because oldconf may be referenced as mddev->private
          in linear_congested(), kfree_rcu() makes sure that its memory will not
          be released until no one uses it any more.
      Also some code comments are added in this patch, to make this modification
      easier to understand.
      
      This patch can be applied for kernels since v4.0 after commit:
      3be260cc ("md/linear: remove rcu protections in favour of
      suspend/resume"). But this bug is reported on a Linux v3.0 based kernel, so
      people who maintain kernels before Linux v4.0 need to do some back
      port of this patch.
      
      Changelog:
       - V3: add 'int raid_disks' in struct linear_conf, and use kfree_rcu() to
             replace rcu_call() in linear_add().
       - v2: add RCU stuffs by suggestion from Shaohua and Neil.
       - v1: initial effort.
      Signed-off-by: Coly Li <colyli@suse.de>
      Cc: Shaohua Li <shli@fb.com>
      Cc: Neil Brown <neilb@suse.com>
      Signed-off-by: Shaohua Li <shli@fb.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
  3. 06 Mar, 2017 1 commit
  4. 03 Mar, 2017 24 commits
    • USB: cdc-acm: fix failed open not being detected · e6b7fdc0
      Johan Hovold authored
      commit 8727bf68 upstream.
      
      Fix errors during open not being returned to userspace. Specifically,
      failed control-line manipulations or control or read urb submissions
      would not be detected.
      
      Fixes: 7fb57a01 ("USB: cdc-acm: Fix potential deadlock (lockdep
      warning)")
      Signed-off-by: Johan Hovold <jhovold@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • USB: cdc-acm: fix open and suspend race · 0bb6506d
      Johan Hovold authored
      commit 703df329 upstream.
      
      We must not do the usb_autopm_put_interface() before submitting the read
      urbs or we might end up doing I/O to a suspended device.
      
      Fixes: 088c64f8 ("USB: cdc-acm: re-write read processing")
      Signed-off-by: Johan Hovold <jhovold@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • USB: cdc-acm: fix double usb_autopm_put_interface() in acm_port_activate() · bdd76f45
      Alexey Khoroshilov authored
      commit 070c0b17 upstream.
      
      If acm_submit_read_urbs() fails in acm_port_activate(), error handling
      code calls usb_autopm_put_interface() while it is already called
      before acm_submit_read_urbs(). The patch reorganizes error handling code
      to avoid double decrement of USB interface's PM-usage counter.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Acked-by: Oliver Neukum <oliver@neukum.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • net: filter: s390: fix JIT address randomization · 5cb402ee
      Heiko Carstens authored
      commit e84d2f8d upstream.
      
      This is the s390 variant of Alexei's JIT bug fix.
      (patch description below stolen from Alexei's patch)
      
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page.
      
      Fixes: aa2d2c73 ("s390/bpf,jit: address randomize and write protect jit code")
      Reported-by: Alexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • net: filter: x86: fix JIT address randomization · ba6f34fe
      Alexei Starovoitov authored
      commit 773cd38f upstream.
      
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page
      
      Fixes: 314beb9b ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
      Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
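      A C model of the hole arithmetic shared by this x86 commit and the s390 variant above, added as an example rather than code from either patch. The page size (4096), a 4-byte header and the 128 bytes of extra room are taken from the commit text; the cap in the fixed version is the same-page condition the commit states, and the header address is a constructed page-aligned value:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define JIT_PAGE_SIZE 4096u
#define JIT_PAGE_MASK (~(uintptr_t)(JIT_PAGE_SIZE - 1))
#define HEADER_SIZE   4u    /* sizeof(*header) in the commit's arithmetic */
#define JIT_ROOM      128u  /* extra bytes bpf_alloc_binary() adds */

static unsigned round_up_page(unsigned n)
{
    return (unsigned)(((uintptr_t)n + JIT_PAGE_SIZE - 1) & JIT_PAGE_MASK);
}

/* Hole before the fix: all slack between the end of the image and the end
 * of the page-rounded allocation. For proglen 4000 this is the 4188 the
 * commit quotes, which is larger than a page minus the header. */
static unsigned jit_hole_buggy(unsigned proglen)
{
    unsigned size = round_up_page(proglen + HEADER_SIZE + JIT_ROOM);
    return size - (proglen + HEADER_SIZE);
}

/* Hole after the fix: capped at PAGE_SIZE - sizeof(*header), so every
 * reachable image start &header->image[off] lies in the header's page. */
static unsigned jit_hole_fixed(unsigned proglen)
{
    unsigned hole = jit_hole_buggy(proglen);
    unsigned cap = JIT_PAGE_SIZE - HEADER_SIZE;
    return hole < cap ? hole : cap;
}

/* bpf_jit_free() recovers the header from bpf_func with "& PAGE_MASK".
 * That only yields the real header when both lie in the same page. */
static bool header_recoverable(uintptr_t header, unsigned image_off)
{
    uintptr_t bpf_func = header + HEADER_SIZE + image_off;
    return (bpf_func & JIT_PAGE_MASK) == header;
}

/* Check the largest offset prandom_u32() % hole can produce, hole - 1. */
static bool worst_case_recoverable(unsigned proglen,
                                   unsigned (*hole_fn)(unsigned))
{
    uintptr_t header = 0x10000000u;   /* constructed page-aligned allocation */
    unsigned hole = hole_fn(proglen);
    return hole == 0 || header_recoverable(header, hole - 1);
}

int main(void)
{
    unsigned proglen = 4000;   /* the near-page-size image from the commit */
    printf("proglen %u: buggy hole %u (worst case %s), fixed hole %u (worst case %s)\n",
           proglen,
           jit_hole_buggy(proglen),
           worst_case_recoverable(proglen, jit_hole_buggy) ? "ok" : "BAD",
           jit_hole_fixed(proglen),
           worst_case_recoverable(proglen, jit_hole_fixed) ? "ok" : "BAD");
    return 0;
}
```

      With the unfixed hole, an offset of 4187 puts the image start on the second page, so the PAGE_MASK lookup in bpf_jit_free() reads a bogus header; the capped hole keeps every offset below 4092.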
    • gianfar: Check if phydev present on ethtool -A · b24cd48c
      Claudiu Manoil authored
      commit 98a46d46 upstream.
      
      This fixes a seg fault on 'ethtool -A' entry if the
      interface is down.  Obviously we need to have the
      phy device initialized / "connected" (see of_phy_connect())
      to be able to advertise pause frame capabilities.
      
      Fixes: 23402bdd
      Signed-off-by: Claudiu Manoil <claudiu.manoil@freescale.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • PCI: mvebu: split PCIe BARs into multiple MBus windows when needed · 42e99f1c
      Thomas Petazzoni authored
      commit 398f5d5e upstream.
      
      MBus windows are used on Marvell platforms to map certain peripherals
      in the physical address space. In the PCIe context, MBus windows are
      needed to map PCIe I/O and memory regions in the physical address.
      
      However, those MBus windows can only have power of two sizes, while
      PCIe BAR do not necessarily guarantee this. For this reason, the
      current pci-mvebu breaks on platforms where PCIe devices have BARs
      that don't sum up to a power of two size at the emulated bridge level.
      
      This commit fixes this by allowing the pci-mvebu driver to create
      multiple contiguous MBus windows (each having a power of two size) to
      cover a given PCIe BAR.
      
      To achieve this, two functions are added: mvebu_pcie_add_windows() and
      mvebu_pcie_del_windows() to respectively add and remove all the MBus
      windows that are needed to map the provided PCIe region base and
      size. The emulated PCI bridge code now calls those functions, instead
      of directly calling the mvebu-mbus driver functions.
      
      Fixes: 45361a4f ('pci: PCIe driver for Marvell Armada 370/XP systems')
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Link: https://lkml.kernel.org/r/1397823593-1932-8-git-send-email-thomas.petazzoni@free-electrons.com
      Tested-by: Neil Greatorex <neil@fatboyfat.co.uk>
      Acked-by: Bjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: Jason Cooper <jason@lakedaemon.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • PCI: mvebu: Use max_t() instead of max(resource_size_t,) · 9921463b
      Jingoo Han authored
      commit 06489002 upstream.
      
      Use max_t() instead of max(resource_size_t,) in order to fix
      the following checkpatch warning.
      
        WARNING: max() should probably be max_t(resource_size_t, SZ_64K, size)
        WARNING: max() should probably be max_t(resource_size_t, SZ_1M, size)
      Signed-off-by: Jingoo Han <jg1.han@samsung.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Acked-by: Jason Cooper <jason@lakedaemon.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • vti4: Don't count header length twice. · ca5fbde4
      Steffen Klassert authored
      commit a3245236 upstream.
      
      We currently count the size of LL_MAX_HEADER and struct iphdr
      twice for vti4 devices, this leads to a wrong device mtu.
      The size of LL_MAX_HEADER and struct iphdr is already counted in
      ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().
      
      Fixes: b9959fd3 ("vti: switch to new ip tunnel code")
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • net: sctp: rework multihoming retransmission path selection to rfc4960 · d2c2bdcd
      Daniel Borkmann authored
      commit 4c47af4d upstream.
      
      Problem statement: 1) both paths (primary path1 and alternate
      path2) are up after the association has been established i.e.,
      HB packets are normally exchanged, 2) path2 gets inactive after
      path_max_retrans * max_rto timed out (i.e. path2 is down completely),
      3) now, if a transmission times out on the only surviving/active
      path1 (any ~1sec network service impact could cause this like
      a channel bonding failover), then the retransmitted packets are
      sent over the inactive path2; this happens with partial failover
      and without it.
      
      Besides not being optimal in the above scenario, a small failure
      or timeout in the only existing path has the potential to cause
      long delays in the retransmission (depending on RTO_MAX) until
      the still active path is reselected. Further, when the T3-timeout
      occurs, we have active_patch == retrans_path, and even though the
      timeout occurred on the initial transmission of data, not a
      retransmit, we end up updating retransmit path.
      
      RFC4960, section 6.4. "Multi-Homed SCTP Endpoints" states under
      6.4.1. "Failover from an Inactive Destination Address" the
      following:
      
        Some of the transport addresses of a multi-homed SCTP endpoint
        may become inactive due to either the occurrence of certain
        error conditions (see Section 8.2) or adjustments from the
        SCTP user.
      
        When there is outbound data to send and the primary path
        becomes inactive (e.g., due to failures), or where the SCTP
        user explicitly requests to send data to an inactive
        destination transport address, before reporting an error to
        its ULP, the SCTP endpoint should try to send the data to an
        alternate __active__ destination transport address if one
        exists.
      
        When retransmitting data that timed out, if the endpoint is
        multihomed, it should consider each source-destination address
        pair in its retransmission selection policy. When retransmitting
        timed-out data, the endpoint should attempt to pick the most
        divergent source-destination pair from the original
        source-destination pair to which the packet was transmitted.
      
        Note: Rules for picking the most divergent source-destination
        pair are an implementation decision and are not specified
        within this document.
      
      So, we should first reconsider to take the current active
      retransmission transport if we cannot find an alternative
      active one. If all of that fails, we can still round robin
      through unknown, partial failover, and inactive ones in the
      hope to find something still suitable.
      
      Commit 4141ddc0 ("sctp: retran_path update bug fix") broke
      that behaviour by selecting the next inactive transport when
      no other active transport was found besides the current assoc's
      peer.retran_path. Before commit 4141ddc0, we would have
      traversed through the list until we reach our peer.retran_path
      again, and in case that is still in state SCTP_ACTIVE, we would
      take it and return. Only if that is not the case either, we
      take the next inactive transport.
      
      Besides all that, another issue is that transports in state
      SCTP_UNKNOWN could be preferred over transports in state
      SCTP_ACTIVE in case a SCTP_ACTIVE transport appears after
      SCTP_UNKNOWN in the transport list yielding a weaker transport
      state to be used in retransmission.
      
      This patch mostly reverts 4141ddc0, but also rewrites
      this function to introduce more clarity and strictness into
      the code. A strict priority of transport states is enforced
      in this patch, hence selection is active > unknown > partial
      failover > inactive.
      
      Fixes: 4141ddc0 ("sctp: retran_path update bug fix")
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Cc: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
      Acked-by: Vlad Yasevich <yasevich@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d2c2bdcd
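The strict priority the commit message describes (active > unknown > partial failover > inactive, walked round-robin from the current retransmission path, with the current path itself still eligible) can be shown as a small stand-alone policy. The following is an added example written for this page; it is not the kernel's code and does not reproduce the kernel's data structures. The state names, the `select_retrans_path` and `pick_from_string` helpers, the one-letter state strings and the eight-transport limit are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Transport states in strict selection priority: a lower value is a better
 * retransmission candidate. The names echo the kernel's SCTP_ACTIVE,
 * SCTP_UNKNOWN, SCTP_PF (partial failover) and SCTP_INACTIVE, but the
 * numeric values and everything else here are illustrative, not kernel code. */
enum tstate { T_ACTIVE = 0, T_UNKNOWN = 1, T_PF = 2, T_INACTIVE = 3, T_NSTATES = 4 };

struct transport {
    char name;            /* one-letter label, only for readability */
    enum tstate state;
};

struct assoc {
    struct transport list[8];
    size_t n;
    size_t retran_path;   /* index of the current retransmission transport */
};

/* Walk the peer transport list round-robin starting just after the current
 * retran_path and pick the best candidate by state. The current retran_path
 * is visited last, so it still wins over any weaker transport: an association
 * whose only remaining ACTIVE path is already the retran_path keeps using it
 * instead of moving retransmissions onto an INACTIVE path (the failure the
 * commit describes). The first ACTIVE transport found ends the search;
 * otherwise the first UNKNOWN, then PF, then INACTIVE transport is chosen. */
size_t select_retrans_path(const struct assoc *a)
{
    size_t best[T_NSTATES] = { 0, 0, 0, 0 };
    int have[T_NSTATES] = { 0, 0, 0, 0 };
    size_t i;

    if (a->n == 0)
        return 0;

    for (i = 1; i <= a->n; i++) {
        size_t idx = (a->retran_path + i) % a->n;
        unsigned s = (unsigned)a->list[idx].state;

        if (s >= T_NSTATES)
            continue;               /* unexpected state value: never select it */
        if (!have[s]) {
            have[s] = 1;
            best[s] = idx;
        }
        if (s == T_ACTIVE)
            break;                  /* nothing beats ACTIVE; stop at the first one */
    }

    for (i = 0; i < T_NSTATES; i++)
        if (have[i])
            return best[i];
    return a->retran_path;          /* not reached when n > 0 and states are valid */
}

/* Build an association from a compact state string ("AI" = transport 0
 * ACTIVE, transport 1 INACTIVE; U = UNKNOWN, P = partial failover, anything
 * else = INACTIVE) and return the index the policy selects. The string form
 * is constructed input for this example only. */
size_t pick_from_string(const char *states, size_t retran_path)
{
    struct assoc a;
    size_t i;

    memset(&a, 0, sizeof(a));
    for (i = 0; states[i] != '\0' && i < 8; i++) {
        a.list[i].name = states[i];
        switch (states[i]) {
        case 'A': a.list[i].state = T_ACTIVE;  break;
        case 'U': a.list[i].state = T_UNKNOWN; break;
        case 'P': a.list[i].state = T_PF;      break;
        default:  a.list[i].state = T_INACTIVE; break;
        }
    }
    a.n = i;
    a.retran_path = retran_path % (i ? i : 1);
    return select_retrans_path(&a);
}
```

`pick_from_string("AI", 0)` is the scenario from the problem statement: the primary path is both the active path and the retransmission path, and the only other path is inactive. The policy returns 0, keeping retransmissions on the surviving active path; `pick_from_string("UA", 1)` returns 1, so an ACTIVE transport listed after an UNKNOWN one is still preferred.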
    • ipv6: simplify detection of first operational link-local address on interface · 6a484057
      Hannes Frederic Sowa authored
      commit 11ffff75 upstream.
      
      In commit 1ec047eb ("ipv6: introduce per-interface counter for
      dad-completed ipv6 addresses") I made the detection of the first
      operational link-local address much too complex. Additionally this code
      now has a race condition.
      
      Replace it with a much simpler variant, which just scans the address
      list when duplicate address detection completes, to check if this is
      the first valid link local address and send RS and MLD reports then.
      
      Fixes: 1ec047eb ("ipv6: introduce per-interface counter for dad-completed ipv6 addresses")
      Reported-by: Jiri Pirko <jiri@resnulli.us>
      Cc: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Flavio Leitner <fbl@redhat.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      6a484057
    • net: 6lowpan: fix lowpan_header_create non-compression memcpy call · d6ec2447
      Daniel Borkmann authored
      commit 965801e1 upstream.
      
      In function lowpan_header_create(), we invoke the following code
      construct:
      
        struct ipv6hdr *hdr;
        ...
        hdr = ipv6_hdr(skb);
        ...
        if (...)
          memcpy(hc06_ptr + 1, &hdr->flow_lbl[1], 2);
        else
          memcpy(hc06_ptr, &hdr, 4);
      
      Where the else path of the condition, that is, non-compression
      path, calls memcpy() with a pointer to struct ipv6hdr *hdr as
      source, thus two levels of indirection. This cannot be correct,
      and likely only one level of pointer was intended as source
      buffer for memcpy() here.
      
      Fixes: 44331fe2 ("IEEE802.15.4: 6LoWPAN basic support")
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Cc: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
      Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Cc: Werner Almesberger <werner@almesberger.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d6ec2447
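The bug class here is `memcpy(dst, &ptr, n)` where `ptr` is already a pointer: the bytes copied are the low bytes of the pointer value, not the object it points to. On the page's code that means the first four bytes of a kernel pointer went into the outgoing 6LoWPAN header instead of the IPv6 version/traffic-class/flow-label word (the commit message does not spell that out; it follows directly from what `&hdr` denotes). The added example below is written for this page, not taken from the kernel: it shows the buggy and the fixed copy side by side and a `_Generic`-based wrapper that turns the mistake into a compile error. The `ipv6hdr_lite` layout, the sample header bytes, the `COPY_HDR_PREFIX` macro and the function names are assumptions made for the illustration; C11 is required for `_Generic` and `_Static_assert`.

```c
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for the start of struct ipv6hdr: the first four bytes hold
 * version (4 bits), traffic class (8 bits) and flow label (20 bits), which is
 * exactly the word the non-compression path must copy out verbatim. The
 * layout is constructed for this example; only the first word matters. */
struct ipv6hdr_lite {
    uint8_t vtf[4];          /* version | traffic class | flow label */
    uint8_t payload_len[2];
    uint8_t nexthdr;
    uint8_t hop_limit;
};

/* The pattern the commit fixes: hdr is already a pointer, so &hdr is the
 * address of the pointer variable and the four bytes copied are the low
 * bytes of the pointer value itself, not of the packet header. */
static void copy_first_word_buggy(uint8_t *dst, const struct ipv6hdr_lite *hdr)
{
    memcpy(dst, &hdr, 4);
}

/* Fixed form: one level of indirection, copying the header's first word. */
static void copy_first_word_fixed(uint8_t *dst, const struct ipv6hdr_lite *hdr)
{
    memcpy(dst, hdr, 4);
}

/* A type-checked wrapper that would have rejected the buggy call at build
 * time: _Generic only accepts a pointer to the header type, so passing a
 * pointer-to-pointer (as &hdr is inside the buggy function) does not compile. */
#define COPY_HDR_PREFIX(dst, src, n)                                          \
    do {                                                                      \
        _Static_assert(_Generic((src), struct ipv6hdr_lite *: 1,              \
                                       const struct ipv6hdr_lite *: 1,        \
                                       default: 0),                           \
                       "source must point to the header, not to a pointer");  \
        memcpy((dst), (src), (n));                                            \
    } while (0)

/* Returns 1 when the bytes emitted equal the header's real first word.
 * mode 0 uses the pre-fix copy (result is practically always 0, because the
 * emitted bytes are part of a pointer value), mode 1 the fixed function,
 * mode 2 the type-checked macro. */
int first_word_matches(int mode)
{
    struct ipv6hdr_lite hdr;
    uint8_t out[4];

    memset(&hdr, 0, sizeof(hdr));
    hdr.vtf[0] = 0x60;       /* version 6; constructed sample values */
    hdr.vtf[1] = 0x12;
    hdr.vtf[2] = 0x34;
    hdr.vtf[3] = 0x56;

    if (mode == 0)
        copy_first_word_buggy(out, &hdr);
    else if (mode == 1)
        copy_first_word_fixed(out, &hdr);
    else
        COPY_HDR_PREFIX(out, &hdr, 4);

    return memcmp(out, hdr.vtf, 4) == 0;
}
```

Compilers do not warn about `memcpy(dst, &hdr, 4)` because the source really is an object of at least four bytes; only a size or type check at the call site catches it, which is what the macro adds.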
    • ipv6: fix the use of pcpu_tstats in ip6_tunnel · 6da68047
      Li RongQing authored
      commit abb6013c upstream.
      
      When reading/writing the 64-bit data, the correct lock should be held.
      
      Fixes: 87b6d218 ("tunnel: implement 64 bits statistics")
      
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      6da68047
    • cpufreq: preserve user_policy across suspend/resume · d66961bf
      Viresh Kumar authored
      commit 08fd8c1c upstream.
      
      Prevent __cpufreq_add_dev() from overwriting the existing values of
      user_policy.{min|max|policy|governor} with defaults during resume
      from system suspend.
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Reported-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
      [rjw: Changelog]
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d66961bf
    • cpufreq: Clean up after a failing light-weight initialization · d00f85b2
      Rafael J. Wysocki authored
      commit 72368d12 upstream.
      
      If cpufreq_policy_restore() returns NULL during system resume,
      __cpufreq_add_dev() should just fall back to the full initialization
      instead of returning an error, because that may actually make things
      work.  Moreover, it should not leave stale fallback data behind after
      it has failed to restore a previously existing policy.
      
      This change is based on Viresh Kumar's work.
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Reported-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d00f85b2
    • cpufreq: remove sysfs files for CPUs which failed to come back after resume · 83b8aa4c
      Viresh Kumar authored
      commit 42f921a6 upstream.
      
      There are cases where cpufreq_add_dev() may fail for some CPUs
      during system resume. With the current code we will still have
      sysfs cpufreq files for those CPUs and struct cpufreq_policy
      would be already freed for them. Hence any operation on those
      sysfs files would result in kernel warnings.
      
      Example of problems resulting from resume errors (from Bjørn Mork):
      
      WARNING: CPU: 0 PID: 6055 at fs/sysfs/file.c:343 sysfs_open_file+0x77/0x212()
      missing sysfs attribute operations for kobject: (null)
      Modules linked in: [stripped as irrelevant]
      CPU: 0 PID: 6055 Comm: grep Tainted: G      D      3.13.0-rc2 #153
      Hardware name: LENOVO 2776LEG/2776LEG, BIOS 6EET55WW (3.15 ) 12/19/2011
       0000000000000009 ffff8802327ebb78 ffffffff81380b0e 0000000000000006
       ffff8802327ebbc8 ffff8802327ebbb8 ffffffff81038635 0000000000000000
       ffffffff811823c7 ffff88021a19e688 ffff88021a19e688 ffff8802302f9310
      Call Trace:
       [<ffffffff81380b0e>] dump_stack+0x55/0x76
       [<ffffffff81038635>] warn_slowpath_common+0x7c/0x96
       [<ffffffff811823c7>] ? sysfs_open_file+0x77/0x212
       [<ffffffff810386e3>] warn_slowpath_fmt+0x41/0x43
       [<ffffffff81182dec>] ? sysfs_get_active+0x6b/0x82
       [<ffffffff81182382>] ? sysfs_open_file+0x32/0x212
       [<ffffffff811823c7>] sysfs_open_file+0x77/0x212
       [<ffffffff81182350>] ? sysfs_schedule_callback+0x1ac/0x1ac
       [<ffffffff81122562>] do_dentry_open+0x17c/0x257
       [<ffffffff8112267e>] finish_open+0x41/0x4f
       [<ffffffff81130225>] do_last+0x80c/0x9ba
       [<ffffffff8112dbbd>] ? inode_permission+0x40/0x42
       [<ffffffff81130606>] path_openat+0x233/0x4a1
       [<ffffffff81130b7e>] do_filp_open+0x35/0x85
       [<ffffffff8113b787>] ? __alloc_fd+0x172/0x184
       [<ffffffff811232ea>] do_sys_open+0x6b/0xfa
       [<ffffffff811233a7>] SyS_openat+0xf/0x11
       [<ffffffff8138c812>] system_call_fastpath+0x16/0x1b
      
      To fix this, remove those sysfs files or put the associated kobject
      in case of such errors. Also, to make it simple, remove the cpufreq
      sysfs links from all the CPUs (except for the policy->cpu) during
      suspend, as that operation won't result in a loss of sysfs file
      permissions and we can create those links during resume just fine.
      
      [js] no rwsem in 3.12 yet
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Reported-and-tested-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
      [rjw: Changelog]
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      83b8aa4c
    • cpufreq: fix garbage kobjects on errors during suspend/resume · 85acaced
      Bjørn Mork authored
      commit 2167e239 upstream.
      
      This is effectively a revert of commit 5302c3fb ("cpufreq: Perform
      light-weight init/teardown during suspend/resume"), which enabled
      suspend/resume optimizations leaving the sysfs files in place.
      
      Errors during suspend/resume are not handled properly, leaving
      dead sysfs attributes in case of failures.  There are a number of
      functions with special code for the "frozen" case, and all these
      need to also have special error handling.
      
      The problem is easy to demonstrate by making cpufreq_driver->init()
      or cpufreq_driver->get() fail during resume.
      
      The code is too complex for a simple fix, with split code paths
      in multiple blocks within a number of functions.  It is therefore
      best to revert the patch enabling this code until the error handling
      is in place.
      
      Examples of problems resulting from resume errors:
      
      WARNING: CPU: 0 PID: 6055 at fs/sysfs/file.c:343 sysfs_open_file+0x77/0x212()
      missing sysfs attribute operations for kobject: (null)
      Modules linked in: [stripped as irrelevant]
      CPU: 0 PID: 6055 Comm: grep Tainted: G      D      3.13.0-rc2 #153
      Hardware name: LENOVO 2776LEG/2776LEG, BIOS 6EET55WW (3.15 ) 12/19/2011
       0000000000000009 ffff8802327ebb78 ffffffff81380b0e 0000000000000006
       ffff8802327ebbc8 ffff8802327ebbb8 ffffffff81038635 0000000000000000
       ffffffff811823c7 ffff88021a19e688 ffff88021a19e688 ffff8802302f9310
      Call Trace:
       [<ffffffff81380b0e>] dump_stack+0x55/0x76
       [<ffffffff81038635>] warn_slowpath_common+0x7c/0x96
       [<ffffffff811823c7>] ? sysfs_open_file+0x77/0x212
       [<ffffffff810386e3>] warn_slowpath_fmt+0x41/0x43
       [<ffffffff81182dec>] ? sysfs_get_active+0x6b/0x82
       [<ffffffff81182382>] ? sysfs_open_file+0x32/0x212
       [<ffffffff811823c7>] sysfs_open_file+0x77/0x212
       [<ffffffff81182350>] ? sysfs_schedule_callback+0x1ac/0x1ac
       [<ffffffff81122562>] do_dentry_open+0x17c/0x257
       [<ffffffff8112267e>] finish_open+0x41/0x4f
       [<ffffffff81130225>] do_last+0x80c/0x9ba
       [<ffffffff8112dbbd>] ? inode_permission+0x40/0x42
       [<ffffffff81130606>] path_openat+0x233/0x4a1
       [<ffffffff81130b7e>] do_filp_open+0x35/0x85
       [<ffffffff8113b787>] ? __alloc_fd+0x172/0x184
       [<ffffffff811232ea>] do_sys_open+0x6b/0xfa
       [<ffffffff811233a7>] SyS_openat+0xf/0x11
       [<ffffffff8138c812>] system_call_fastpath+0x16/0x1b
      
      The failure to restore cpufreq devices on cancelled hibernation is
      not a new bug. It is caused by the ACPI _PPC call failing unless the
      hibernate is completed. This makes the acpi_cpufreq driver fail its
      init.
      
      Previously, the cpufreq device could be restored by offlining the
      cpu temporarily.  And as a complete hibernation cycle would do this,
      it would be automatically restored most of the time.  But after
      commit 5302c3fb the leftover sysfs attributes will block any
      device add action.  Therefore offlining and onlining CPU 1 will no
      longer restore the cpufreq object, and a complete suspend/resume
      cycle will replace it with garbage.
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      85acaced
    • drm/nv50/disp: min/max are reversed in nv50_crtc_gamma_set() · 4b1774f7
      Dan Carpenter authored
      commit bdefc8cb upstream.
      
      We should be taking the minimum here instead of the max.  It could lead
      to a buffer overflow.
      
      Fixes: 438d99e3 ('drm/nvd0/disp: initial crtc object implementation')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      
      a/drm/nv50_display.c b/drm/nv50_display.c
      index f8e66c08b11a..4e384a2f99c3 100644
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      4b1774f7
    • Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd() · c8a1464f
      Dan Carpenter authored
      commit cb4855b4 upstream.
      
      We fixed this to use free_netdev() instead of kfree() but unfortunately
      free_netdev() doesn't accept NULL pointers.  Smatch complains about
      this, it's not something I discovered through testing.
      
      Fixes: 3030d40b ('staging: vt6655: use free_netdev instead of kfree')
      Fixes: 0a438d5b ('staging: vt6656: use free_netdev instead of kfree')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      c8a1464f
    • mfd: pm8921: Potential NULL dereference in pm8921_remove() · 87822b39
      Dan Carpenter authored
      commit d6daef95 upstream.
      
      We assume that "pmic" could be NULL and then dereference it two lines
      later.  I fix this by moving the dereference inside the NULL check.
      
      Fixes: c013f0a5 ('mfd: Add pm8xxx irq support')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      87822b39
    • 6lowpan: release device on error path · 83037689
      Dan Carpenter authored
      commit 78032f9b upstream.
      
      We recently added a new error path and it needs a dev_put().
      
      Fixes: 7adac1ec ('6lowpan: Only make 6lowpan links to IEEE802154 devices')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      83037689
    • ocfs2: do not write error flag to user structure we cannot copy from/to · 9095638d
      Ben Hutchings authored
      commit 2b462638 upstream.
      
      If we failed to copy from the structure, writing back the flags leaks 31
      bits of kernel memory (the rest of the ir_flags field).
      
      In any case, if we cannot copy from/to the structure, why should we
      expect putting just the flags to work?
      
      Also make sure ocfs2_info_handle_freeinode() returns the right error
      code if the copy_to_user() fails.
      
      Fixes: ddee5cdb ('Ocfs2: Add new OCFS2_IOC_INFO ioctl for ocfs2 v8.')
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Cc: Joel Becker <jlbec@evilplan.org>
      Acked-by: Mark Fasheh <mfasheh@suse.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      9095638d
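The leak described above is a general ioctl pattern: a handler copies a request from user space into an uninitialised kernel stack structure, the copy fails, and the error path still ORs an error bit into the never-filled flags word and writes it back, so every bit other than the error flag is leftover kernel stack. The following is an added example for this page, not ocfs2 code: it models that shape in user space with a simulated `copy_from_user`/`put_user`, with the "before" and "after" handler side by side. The `info_request` field names, the `INFO_FL_ERROR` bit value, the partially readable user buffer and the `stale_stack` value standing in for uninitialised memory are all constructed for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative request header in the shape of an ocfs2 info request (magic,
 * code, size, flags). The field names and the error-flag bit value are
 * constructed for this example, not the real on-disk/ABI values. */
#define INFO_FL_ERROR 0x40000000u

struct info_request {
    uint32_t ir_magic;
    uint32_t ir_code;
    uint32_t ir_size;
    uint32_t ir_flags;
};

/* Simulated user memory: the request the caller handed in, how many bytes of
 * it are actually readable (short => copy_from_user fails), and a record of
 * whatever the handler wrote back to the user's flags field. */
struct user_mem {
    struct info_request req;
    size_t readable;
    int flags_written;
    uint32_t flags_seen;
};

static int sim_copy_from_user(struct info_request *dst, const struct user_mem *u)
{
    if (u->readable < sizeof(*dst))
        return -1;               /* like copy_from_user() reporting bytes not copied */
    memcpy(dst, &u->req, sizeof(*dst));
    return 0;
}

static int sim_put_user_flags(struct user_mem *u, uint32_t v)
{
    u->flags_written = 1;
    u->flags_seen = v;
    return 0;
}

/* Pre-fix shape: on a failed copy the handler still sets the error flag in
 * the local copy and writes that word back. The local was never filled, so
 * the other 31 bits are whatever the stack held. stale_stack stands in for
 * that leftover kernel data (constructed input; in the kernel it is simply
 * uninitialised memory). */
int info_handle_before(struct user_mem *u, uint32_t stale_stack)
{
    struct info_request oir;

    oir.ir_flags = stale_stack;
    if (sim_copy_from_user(&oir, u)) {
        oir.ir_flags |= INFO_FL_ERROR;
        sim_put_user_flags(u, oir.ir_flags);   /* leaks 31 bits of stale_stack */
        return -EFAULT;
    }
    return 0;
}

/* Post-fix shape: if the structure could not be copied, report -EFAULT and
 * write nothing back; the error flag is only ever set on data we did read. */
int info_handle_after(struct user_mem *u, uint32_t stale_stack)
{
    struct info_request oir;

    oir.ir_flags = stale_stack;
    if (sim_copy_from_user(&oir, u))
        return -EFAULT;
    return 0;
}

/* Run one handler against a request of which only the first four bytes are
 * readable and return the flags word the user ended up seeing, or 0 if the
 * handler wrote nothing back. */
uint32_t leaked_flags(int use_fixed, uint32_t stale_stack)
{
    struct user_mem u;

    memset(&u, 0, sizeof(u));
    u.readable = 4;              /* only ir_magic is mapped; the rest faults */
    if (use_fixed)
        info_handle_after(&u, stale_stack);
    else
        info_handle_before(&u, stale_stack);
    return u.flags_written ? u.flags_seen : 0;
}
```

With the pre-fix handler, `leaked_flags(0, 0x12345678u)` returns the stale word with the error bit ORed in, i.e. 31 bits of simulated kernel stack reach user space; with the fixed handler the user's flags field is never written and the caller only sees `-EFAULT`.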
    • ext4: fix fencepost in s_first_meta_bg validation · 7ae31f6a
      Theodore Ts'o authored
      commit 2ba3e6e8 upstream.
      
      It is OK for s_first_meta_bg to be equal to the number of block group
      descriptor blocks.  (It rarely happens, but it shouldn't cause any
      problems.)
      
      https://bugzilla.kernel.org/show_bug.cgi?id=194567
      
      Fixes: 3a4b77cd
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      7ae31f6a
    • ext4: validate s_first_meta_bg at mount time · bb878bde
      Eryu Guan authored
      commit 3a4b77cd upstream.
      
      Ralf Spenneberg reported that he hit a kernel crash when mounting a
      modified ext4 image. And it turns out that kernel crashed when
      calculating fs overhead (ext4_calculate_overhead()), this is because
      the image has very large s_first_meta_bg (debug code shows it's
      842150400), and ext4 overruns the memory in count_overhead() when
      setting bitmap buffer, which is PAGE_SIZE.
      
      ext4_calculate_overhead():
        buf = get_zeroed_page(GFP_NOFS);  <=== PAGE_SIZE buffer
        blks = count_overhead(sb, i, buf);
      
      count_overhead():
        for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
                ext4_set_bit(EXT4_B2C(sbi, s++), buf);   <=== buffer overrun
                count++;
        }
      
      This can be reproduced easily for me by this script:
      
        #!/bin/bash
        rm -f fs.img
        mkdir -p /mnt/ext4
        fallocate -l 16M fs.img
        mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
        debugfs -w -R "ssv first_meta_bg 842150400" fs.img
        mount -o loop fs.img /mnt/ext4
      
      Fix it by validating s_first_meta_bg first at mount time, and
      refusing to mount if its value exceeds the largest possible meta_bg
      number.
      
      [js] use EXT4_HAS_INCOMPAT_FEATURE instead of new
           ext4_has_feature_meta_bg
      Reported-by: Ralf Spenneberg <ralf@os-t.de>
      Signed-off-by: Eryu Guan <guaneryu@gmail.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Andreas Dilger <adilger@dilger.ca>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      bb878bde
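The two ext4 commits above (validate s_first_meta_bg at mount time, then fix the fencepost so that a value equal to the descriptor block count is accepted) amount to one bound: with meta_bg enabled, `s_first_meta_bg` may be at most the number of group descriptor blocks, which is the group count divided by the descriptors that fit in one block, rounded up. The following is an added example written for this page, not the kernel's ext4 code: it derives that bound from the superblock geometry, applies the corrected comparison, and shows why the unchecked value is a memory-safety problem by computing how far the `count_overhead()` loop for group 0 would write past a page-sized bitmap. The geometry values, the 32-byte descriptor size (a non-64bit layout), the 4096-byte bitmap, the `start_bit` argument and all function names are assumptions made for the illustration.

```c
#include <stdint.h>

/* Each group descriptor is 32 bytes on a non-64bit ext4 layout, so a block of
 * block_size bytes holds block_size / 32 descriptors. BITMAP_BYTES is the
 * size of the zeroed page count_overhead() marks clusters in. Both values
 * are assumptions for this example. */
#define DESC_SIZE    32u
#define BITMAP_BYTES 4096u

static uint32_t div_round_up64(uint64_t a, uint32_t b)
{
    return (uint32_t)((a + b - 1) / b);
}

/* Number of block groups for a filesystem of blocks_count blocks. */
uint32_t ext4_group_count(uint64_t blocks_count, uint32_t blocks_per_group)
{
    return div_round_up64(blocks_count, blocks_per_group);
}

/* Number of group descriptor blocks (the kernel's db_count / s_gdb_count). */
uint32_t ext4_gdb_count(uint64_t blocks_count, uint32_t blocks_per_group, uint32_t block_size)
{
    uint32_t desc_per_block = block_size / DESC_SIZE;
    return div_round_up64(ext4_group_count(blocks_count, blocks_per_group), desc_per_block);
}

/* The mount-time check: with meta_bg enabled, s_first_meta_bg must not exceed
 * the descriptor block count. The first version rejected equality (>=); the
 * fencepost fix allows it (>), since first_meta_bg == db_count just means no
 * meta block group has started yet. Returns 1 if mounting may proceed. */
int ext4_first_meta_bg_valid(uint64_t blocks_count, uint32_t blocks_per_group,
                             uint32_t block_size, int has_meta_bg, uint32_t first_meta_bg)
{
    if (!has_meta_bg)
        return 1;                   /* the field is not consulted without meta_bg */
    return first_meta_bg <= ext4_gdb_count(blocks_count, blocks_per_group, block_size);
}

/* Why the check matters: for group 0 on a meta_bg filesystem the number of
 * descriptor blocks reported for the group is s_first_meta_bg itself, and
 * count_overhead() sets one bit per descriptor block starting at start_bit in
 * a BITMAP_BYTES-byte buffer. Returns 1 if the loop would write past the end
 * of that buffer. */
int count_overhead_would_overrun(uint32_t first_meta_bg, uint32_t start_bit)
{
    uint64_t end_bit = (uint64_t)start_bit + first_meta_bg;   /* one past the last bit set */
    return end_bit > (uint64_t)BITMAP_BYTES * 8;
}
```

For a 16 MiB image with 4096-byte blocks and 32768 blocks per group (a constructed geometry close to the reproducer's) there is a single group and a single descriptor block, so only 0 and 1 are acceptable values of `s_first_meta_bg`; the reproducer's 842150400 is refused at mount time, and the overrun helper shows it would otherwise set bits far beyond the 32768 available in the page.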
  5. 01 Mar, 2017 3 commits