1. 03 Dec, 2014 3 commits
    • Qi Yong's avatar
      minix zmap block counts calculation fix · 692f067f
      Qi Yong authored
      commit 6d6747f8 upstream.
      
      The original minix zmap blocks calculation was correct, in the formula of:
      
      	sbi->s_nzones - sbi->s_firstdatazone + 1
      
      It is
      
      	sp->s_zones - (sp->s_firstdatazone - 1)
      
      in the minix3 source code.
      
      But a later commit 016e8d44 ("fs/minix: Verify bitmap block counts
      before mounting") has changed it unfortunately as:
      
        sbi->s_nzones - (sbi->s_firstdatazone + 1)
      
      This would show free blocks one block less than the real when the total
      data blocks are in "full zmap blocks plus one".
      
      This patch corrects that zmap blocks calculation and tidy a printk
      message while at it.
      Signed-off-by: default avatarQi Yong <qiyong@fc-cn.com>
      Cc: Josh Boyer <jwboyer@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      692f067f
    • Andreas Rohner's avatar
      nilfs2: add missing blkdev_issue_flush() to nilfs_sync_fs() · 0d68992f
      Andreas Rohner authored
      commit e2c7617a upstream.
      
      Under normal circumstances nilfs_sync_fs() writes out the super block,
      which causes a flush of the underlying block device.  But this depends
      on the THE_NILFS_SB_DIRTY flag, which is only set if the pointer to the
      last segment crosses a segment boundary.  So if only a small amount of
      data is written before the call to nilfs_sync_fs(), no flush of the
      block device occurs.
      
      In the above case an additional call to blkdev_issue_flush() is needed.
      To prevent unnecessary overhead, the new flag nilfs->ns_flushed_device
      is introduced, which is cleared whenever new logs are written and set
      whenever the block device is flushed.  For convenience the function
      nilfs_flush_device() is added, which contains the above logic.
      Signed-off-by: default avatarAndreas Rohner <andreas.rohner@gmx.net>
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0d68992f
    • Al Viro's avatar
      fix O_SYNC|O_APPEND syncing the wrong range on write() · 79a423ed
      Al Viro authored
      commit d311d79d upstream.
      
      It actually goes back to 2004 ([PATCH] Concurrent O_SYNC write support)
      when sync_page_range() had been introduced; generic_file_write{,v}() correctly
      synced
      	pos_after_write - written .. pos_after_write - 1
      but generic_file_aio_write() synced
      	pos_before_write .. pos_before_write + written - 1
      instead.  Which is not the same thing with O_APPEND, obviously.
      A couple of years later correct variant had been killed off when
      everything switched to use of generic_file_aio_write().
      
      All users of generic_file_aio_write() are affected, and the same bug
      has been copied into other instances of ->aio_write().
      
      The fix is trivial; the only subtle point is that generic_write_sync()
      ought to be inlined to avoid calculations useless for the majority of
      calls.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      79a423ed
  2. 27 Nov, 2014 7 commits
  3. 21 Nov, 2014 1 commit
    • Takashi Iwai's avatar
      pvpanic: Set high notifier priority · 037e6929
      Takashi Iwai authored
      commit 7939831e upstream.
      
      We've observed the missing pvpanic call at panic, and it turned out
      that this was blocked by the broken notifier of drm_fb_helper, where
      scheduling may be called during switching to the fb console.
      It's fairly difficult to fix the drm_fb problem and a quick fix isn't
      foreseen, a simpler solution for the missing pvpanic call would be
      just to call this earlier.
      
      In order to assure that, this patch sets a higher priority to pvpanic
      notifier_block.  Once when the issue of drm_fb is resolved, we can
      remove this priority again.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      037e6929
  4. 19 Nov, 2014 29 commits
    • Sergei Antonov's avatar
      hfsplus: emit proper file type from readdir · f96abf00
      Sergei Antonov authored
      commit 97a62eae upstream.
      
      hfsplus_readdir() incorrectly returned DT_REG for symbolic links and
      special files.  Return DT_REG, DT_LNK, DT_FIFO, DT_CHR, DT_BLK, DT_SOCK,
      or DT_UNKNOWN according to mode field in catalog record.  Programs
      relying on information from readdir will now work correctly with HFS+.
      Signed-off-by: default avatarSergei Antonov <saproj@gmail.com>
      Cc: Anton Altaparmakov <aia21@cam.ac.uk>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
      Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f96abf00
    • Sougata Santra's avatar
      fs/hfsplus/extents.c: fix concurrent acess of alloc_blocks · 7357404a
      Sougata Santra authored
      commit d7bdb996 upstream.
      
      Concurrent access to alloc_blocks in hfsplus_inode_info() is protected
      by extents_lock mutex.  This patch fixes two instances where
      alloc_blocks modification was not protected with this lock.
      
      This fixes possible allocation bitmap corruption in race conditions
      while extending and truncating files.
      
      [akpm@linux-foundation.org: take extents_lock before taking a copy of ->alloc_blocks]
      [akpm@linux-foundation.org: remove now-unused label `out']
      Signed-off-by: default avatarSougata Santra <sougata@tuxera.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
      Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7357404a
    • Vyacheslav Dubeyko's avatar
      hfsplus: fix remount issue · 291e7f11
      Vyacheslav Dubeyko authored
      commit bd2c0035 upstream.
      
      Current implementation of HFS+ driver has small issue with remount
      option.  Namely, for example, you are unable to remount from RO mode
      into RW mode by means of command "mount -o remount,rw /dev/loop0
      /mnt/hfsplus".  Trying to execute sequence of commands results in an
      error message:
      
        mount /dev/loop0 /mnt/hfsplus
        mount -o remount,ro /dev/loop0 /mnt/hfsplus
        mount -o remount,rw /dev/loop0 /mnt/hfsplus
      
        mount: you must specify the filesystem type
      
        mount -t hfsplus -o remount,rw /dev/loop0 /mnt/hfsplus
      
        mount: /mnt/hfsplus not mounted or bad option
      
      The reason of such issue is failure of mount syscall:
      
        mount("/dev/loop0", "/mnt/hfsplus", 0x2282a60, MS_MGC_VAL|MS_REMOUNT, NULL) = -1 EINVAL (Invalid argument)
      
      Namely, hfsplus_parse_options_remount() method receives empty "input"
      argument and return false in such case.  As a result, hfsplus_remount()
      returns -EINVAL error code.
      
      This patch fixes the issue by means of return true for the case of empty
      "input" argument in hfsplus_parse_options_remount() method.
      Signed-off-by: default avatarVyacheslav Dubeyko <slava@dubeyko.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      291e7f11
    • Dan Carpenter's avatar
      drivers/vlynq/vlynq.c: fix another resource size off by 1 error · c5988e0e
      Dan Carpenter authored
      commit 59d42cd4 upstream.
      
      We fixed the call to request_mem_region() in commit 3354f73b
      ("drivers/vlynq/vlynq.c: fix resource size off by 1 error").  But we
      need to fix the call the release_mem_region() as well.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Florian Fainelli <florian@openwrt.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c5988e0e
    • Martyn Welch's avatar
      VME: Stop using memcpy_[to|from]io() due to unwanted behaviour · 181bbf73
      Martyn Welch authored
      commit a2a720e1 upstream.
      
      The ca91cx42 and tsi148 VME bridges use the width of reads and writes on the
      PCI bus in part to control the width of the cycles on the VME bus. It is
      important that we can control the width of cycles on the VME bus as some VME
      hardware requires cycles of a specific width. The memcpy_toio() and
      memcpy_fromio() functions do not provide sufficient control, so instead loop
      using ioread functions.
      Reported-by: default avatarMichael Kenney <mfkenney@gmail.com>
      Signed-off-by: default avatarMartyn Welch <martyn.welch@ge.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      181bbf73
    • Joe Schultz's avatar
      vme_tsi148: Fix typo in tsi148_slave_get() · ff286b46
      Joe Schultz authored
      commit 098ced8f upstream.
      
      This patch corrects a typo where "vme_base" was used instead of
      "*vme_base". The typo resulted in an incorrect value being returned
      to userspace (via vme_user).
      
      It also removes the following compile warning on some platforms:
      
      warning: cast from pointer to integer of different size
      
      [asierra: commit title/log rewording]
      Signed-off-by: default avatarJoe Schultz <jschultz@xes-inc.com>
      Signed-off-by: default avatarAaron Sierra <asierra@xes-inc.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ff286b46
    • Joe Schultz's avatar
      vme_tsi148: Fix PCI address mapping assumption · 8a8f33b2
      Joe Schultz authored
      commit 226572b1 upstream.
      
      Previously, tsi148_master_set() assumed the address contained in its
      PCI bus resource represented the actual PCI bus address. This is a fine
      assumption on some platforms. However, on platforms that don't use a
      1:1 (CPU:PCI) mapping this results in the tsi148 driver configuring an
      invalid master window translation.
      
      This patch updates the vme_tsi148 driver to first convert the address
      contained in the PCI bus resource into a PCI bus address before using
      it.
      
      [asierra: account for pcibios_resource_to_bus() prototype change]
      Signed-off-by: default avatarJoe Schultz <jschultz@xes-inc.com>
      Signed-off-by: default avatarAaron Sierra <asierra@xes-inc.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8a8f33b2
    • Ezequiel Garcia's avatar
      parport: Add support for the WCH353 1S/1P multi-IO card · 8d6960fa
      Ezequiel Garcia authored
      commit feb58142 upstream.
      
      This Multi-IO card has one serial 16550-like and one parallel port connector.
      Here's the lspci output, after this commit is applied:
      
      03:07.0 Serial controller: Device 4348:5053 (rev 10) (prog-if 02 [16550])
      	Subsystem: Device 4348:5053
      	Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
      	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
      	Interrupt: pin A routed to IRQ 21
      	Region 0: I/O ports at cf00 [size=8]
      	Region 1: I/O ports at ce00 [size=8]
      	Kernel driver in use: parport_serial
      	Kernel modules: 8250_pci, parport_serial
      
      This commit adds an entry with the device ID to the blacklist declared in
      8250_pci to prevent the driver from taking ownership. Also, and as was done
      for the 2S/1P variant, add a quirk to skip autodetection and set the correct
      type to 16550A clone.
      
      Proper entries are added to parport_serial, to support the device parallel
      and serial ports.
      
      Cc: Gianluca Anzolin <gianluca@sottospazio.it>
      Cc: Alan Cox <alan@linux.intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarEzequiel Garcia <ezequiel.garcia@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8d6960fa
    • Arnd Bergmann's avatar
      pcmcia: journada720: use sa1100 pin interfaces correctly · bd66de1b
      Arnd Bergmann authored
      commit 58409f9d upstream.
      
      commit dabd1468 "PCMCIA: sa1111: remove duplicated initializers"
      incorrectly moved some code into the pcmcia_jornada720_init, causing
      a few build errors, and for unknown reasons, the driver lacks
      an inclusion of <linux/io.h>, so we get the build errors, and more:
      
      sa1111_jornada720.c: In function 'pcmcia_jornada720_init':
      sa1111_jornada720.c:101:3: error: implicit declaration of function 'IOMEM' [-Werror=implicit-function-declaration]
         GRER |= 0x00000002;
         ^
      sa1111_jornada720.c:104:3: warning: passing argument 1 of 'sa1111_set_io_dir' from incompatible pointer type [enabled by default]
         sa1111_set_io_dir(dev, pin, 0, 0);
         ^
      
      This patch uses the SA1111_DEV() to convert the dev pointer to the
      correct type before passing it and adds the missing include.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Russell King <rmk+kernel@arm.linux.org.uk>
      Cc: Kristoffer Ericson <kristoffer.ericson@gmail.com>
      Cc: linux-pcmcia@lists.infradead.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bd66de1b
    • Arnd Bergmann's avatar
      pcmcia: pxa2xx: fix logic for lubbock · 2948ce57
      Arnd Bergmann authored
      commit f1674f21 upstream.
      
      The lubbock platform uses the sa1111 companion chip with a pxa250
      CPU, which means it requires both the PCMCIA_SA1111 and the
      PCMCIA_PXA2XX code to be built into the kernel. Unfortunately,
      the Makefile and Kconfig don't agree on how this is accomplished,
      leading to a situation where you get this link error when building
      a lubbock kernel with PCMCIA_SA1111 enabled but PCMCIA_PXA2XX
      disabled:
      
      ERROR: "pxa2xx_configure_sockets" [drivers/pcmcia/sa1111_cs.ko] undefined!
      ERROR: "pxa2xx_drv_pcmcia_ops" [drivers/pcmcia/sa1111_cs.ko] undefined!
      ERROR: "pxa2xx_drv_pcmcia_add_one" [drivers/pcmcia/sa1111_cs.ko] undefined!
      
      This patch changes the Kconfig code to disallow that particular
      configuration.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2948ce57
    • Arnd Bergmann's avatar
      pcmcia: sa1100: H3100 and H3600 share a driver · 77cf7a12
      Arnd Bergmann authored
      commit d8477126 upstream.
      
      When building a iPAQ H3100-only kernel with PCMCIA enabled,
      we get this build error:
      
      ERROR: "pcmcia_h3600_init" [drivers/pcmcia/sa1100_cs.ko] undefined!
      
      The defconfig normally works fine because it enables both H3100
      and H3600 support. This patch fixes the Makefile to build the
      driver if at least one of the two machines are selected.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      77cf7a12
    • Johan Hovold's avatar
      pcmcia: at91_cf: fix deferred probe from __init · ae04c825
      Johan Hovold authored
      commit 16a7c7cf upstream.
      
      Move probe out of __init section and don't use platform_driver_probe
      which cannot be used with deferred probing.
      
      Since commit e9354576 ("gpiolib: Defer failed gpio requests by default")
      this driver might return -EPROBE_DEFER if a gpio_request fails.
      
      Cc: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ae04c825
    • Dmitry Eremin-Solenikov's avatar
      Input: wm97xx - adapt parameters to tosa touchscreen. · 05b598ab
      Dmitry Eremin-Solenikov authored
      commit 859abd1d upstream.
      
      Sharp SL-6000 (tosa) touchscreen needs wider limits to properly map all
      points on the screen. Expand ranges in abs_x and abs_y arrays according
      to the touchscreen area.
      Signed-off-by: default avatarDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      05b598ab
    • Tobias Klauser's avatar
      Input: altera_ps2 - write to correct register when disabling interrupts · 937d4c93
      Tobias Klauser authored
      commit d0269b84 upstream.
      
      In altera_ps2_close, the data register (offset 0) is written instead of
      the control register (offset 4), leading to the RX interrupt not being
      disabled. Fix this by calling writel() with the offset for the proper
      register.
      Signed-off-by: default avatarTobias Klauser <tklauser@distanz.ch>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      937d4c93
    • Dan Carpenter's avatar
      [media] usbvision-video: two use after frees · 214c97a1
      Dan Carpenter authored
      commit 470a9147 upstream.
      
      The lock has been freed in usbvision_release() so there is no need to
      call mutex_unlock() here.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      214c97a1
    • Micky Ching's avatar
      drivers/memstick/host/rtsx_pci_ms.c: add cancel_work when remove driver · fed533bb
      Micky Ching authored
      commit b6226b45 upstream.
      
      Add cancel_work_sync() in rtsx_pci_ms_drv_remove() to cancel pending
      request work when removing the driver.
      Signed-off-by: default avatarMicky Ching <micky_ching@realsil.com.cn>
      Cc: Samuel Ortiz <sameo@linux.intel.com> says:
      Cc: Maxim Levitsky <maximlevitsky@gmail.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Alex Dubov <oakad@yahoo.com>
      Cc: Roger Tseng <rogerable@realtek.com>
      Cc: Wei WANG <wei_wang@realsil.com.cn>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      fed533bb
    • Daniel Borkmann's avatar
      net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks · bbd951a2
      Daniel Borkmann authored
      commit 9de7922b upstream.
      
      Commit 6f4c618d ("SCTP : Add paramters validity check for
      ASCONF chunk") added basic verification of ASCONF chunks, however,
      it is still possible to remotely crash a server by sending a
      special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
      
      skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
       head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
       end:0x440 dev:<NULL>
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:129!
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff8144fb1c>] skb_put+0x5c/0x70
       [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
       [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
       [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
       [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
       [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
       [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
       [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
       [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
       [<ffffffff81496ac5>] ip_rcv+0x275/0x350
       [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
       [<ffffffff81460588>] netif_receive_skb+0x58/0x60
      
      This can be triggered e.g., through a simple scripted nmap
      connection scan injecting the chunk after the handshake, for
      example, ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ------------------ ASCONF; UNKNOWN ------------------>
      
      ... where ASCONF chunk of length 280 contains 2 parameters ...
      
        1) Add IP address parameter (param length: 16)
        2) Add/del IP address parameter (param length: 255)
      
      ... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
      Address Parameter in the ASCONF chunk is even missing, too.
      This is just an example and similarly-crafted ASCONF chunks
      could be used just as well.
      
      The ASCONF chunk passes through sctp_verify_asconf() as all
      parameters passed sanity checks, and after walking, we ended
      up successfully at the chunk end boundary, and thus may invoke
      sctp_process_asconf(). Parameter walking is done with
      WORD_ROUND() to take padding into account.
      
      In sctp_process_asconf()'s TLV processing, we may fail in
      sctp_process_asconf_param() e.g., due to removal of the IP
      address that is also the source address of the packet containing
      the ASCONF chunk, and thus we need to add all TLVs after the
      failure to our ASCONF response to remote via helper function
      sctp_add_asconf_response(), which basically invokes a
      sctp_addto_chunk() adding the error parameters to the given
      skb.
      
      When walking to the next parameter this time, we proceed
      with ...
      
        length = ntohs(asconf_param->param_hdr.length);
        asconf_param = (void *)asconf_param + length;
      
      ... instead of the WORD_ROUND()'ed length, thus resulting here
      in an off-by-one that leads to reading the follow-up garbage
      parameter length of 12336, and thus throwing an skb_over_panic
      for the reply when trying to sctp_addto_chunk() next time,
      which implicitly calls the skb_put() with that length.
      
      Fix it by using sctp_walk_params() [ which is also used in
      INIT parameter processing ] macro in the verification *and*
      in ASCONF processing: it will make sure we don't spill over,
      that we walk parameters WORD_ROUND()'ed. Moreover, we're being
      more defensive and guard against unknown parameter types and
      missized addresses.
      
      Joint work with Vlad Yasevich.
      
      Fixes: b896b82b ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Josh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bbd951a2
    • Daniel Borkmann's avatar
      net: sctp: fix panic on duplicate ASCONF chunks · a723db0b
      Daniel Borkmann authored
      commit b69040d8 upstream.
      
      When receiving a e.g. semi-good formed connection scan in the
      form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---------------- ASCONF_a; ASCONF_b ----------------->
      
      ... where ASCONF_a equals ASCONF_b chunk (at least both serials
      need to be equal), we panic an SCTP server!
      
      The problem is that good-formed ASCONF chunks that we reply with
      ASCONF_ACK chunks are cached per serial. Thus, when we receive a
      same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
      not need to process them again on the server side (that was the
      idea, also proposed in the RFC). Instead, we know it was cached
      and we just resend the cached chunk instead. So far, so good.
      
      Where things get nasty is in SCTP's side effect interpreter, that
      is, sctp_cmd_interpreter():
      
      While incoming ASCONF_a (chunk = event_arg) is being marked
      !end_of_packet and !singleton, and we have an association context,
      we do not flush the outqueue the first time after processing the
      ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
      queued up, although we set local_cork to 1. Commit 2e3216cd
      changed the precedence, so that as long as we get bundled, incoming
      chunks we try possible bundling on outgoing queue as well. Before
      this commit, we would just flush the output queue.
      
      Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
      continue to process the same ASCONF_b chunk from the packet. As
      we have cached the previous ASCONF_ACK, we find it, grab it and
      do another SCTP_CMD_REPLY command on it. So, effectively, we rip
      the chunk->list pointers and requeue the same ASCONF_ACK chunk
      another time. Since we process ASCONF_b, it's correctly marked
      with end_of_packet and we enforce an uncork, and thus flush, thus
      crashing the kernel.
      
      Fix it by testing if the ASCONF_ACK is currently pending and if
      that is the case, do not requeue it. When flushing the output
      queue we may relink the chunk for preparing an outgoing packet,
      but eventually unlink it when it's copied into the skb right
      before transmission.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Josh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a723db0b
    • Daniel Borkmann's avatar
      net: sctp: fix remote memory pressure from excessive queueing · e4768414
      Daniel Borkmann authored
      commit 26b87c78 upstream.
      
      This scenario is not limited to ASCONF, just taken as one
      example triggering the issue. When receiving ASCONF probes
      in the form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
        [...]
        ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
      
      ... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
      ASCONFs and have increasing serial numbers, we process such
      ASCONF chunk(s) marked with !end_of_packet and !singleton,
      since we have not yet reached the SCTP packet end. SCTP does
      only do verification on a chunk by chunk basis, as an SCTP
      packet is nothing more than just a container of a stream of
      chunks which it eats up one by one.
      
      We could run into the case that we receive a packet with a
      malformed tail, above marked as trailing JUNK. All previous
      chunks are here goodformed, so the stack will eat up all
      previous chunks up to this point. In case JUNK does not fit
      into a chunk header and there are no more other chunks in
      the input queue, or in case JUNK contains a garbage chunk
      header, but the encoded chunk length would exceed the skb
      tail, or we came here from an entirely different scenario
      and the chunk has pdiscard=1 mark (without having had a flush
      point), it will happen, that we will excessively queue up
      the association's output queue (a correct final chunk may
      then turn it into a response flood when flushing the
      queue ;)): I ran a simple script with incremental ASCONF
      serial numbers and could see the server side consuming
      excessive amount of RAM [before/after: up to 2GB and more].
      
      The issue at heart is that the chunk train basically ends
      with !end_of_packet and !singleton markers and since commit
      2e3216cd ("sctp: Follow security requirement of responding
      with 1 packet") therefore preventing an output queue flush
      point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
      chunk (chunk = event_arg) even though local_cork is set,
      but its precedence has changed since then. In the normal
      case, the last chunk with end_of_packet=1 would trigger the
      queue flush to accommodate possible outgoing bundling.
      
      In the input queue, sctp_inq_pop() seems to do the right thing
      in terms of discarding invalid chunks. So, above JUNK will
      not enter the state machine and instead be released and exit
      the sctp_assoc_bh_rcv() chunk processing loop. It's simply
      the flush point being missing at loop exit. Adding a try-flush
      approach on the output queue might not work as the underlying
      infrastructure might be long gone at this point due to the
      side-effect interpreter run.
      
      One possibility, albeit a bit of a kludge, would be to defer
      invalid chunk freeing into the state machine in order to
      possibly trigger packet discards and thus indirectly a queue
      flush on error. It would surely be better to discard chunks
      as in the current, perhaps better controlled environment, but
      going back and forth, it's simply architecturally not possible.
      I tried various trailing JUNK attack cases and it seems to
      look good now.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Josh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e4768414
    • Nadav Amit's avatar
      KVM: x86: Don't report guest userspace emulation error to userspace · 7e1ebf02
      Nadav Amit authored
      commit a2b9e6c1 upstream.
      
      Commit fc3a9157 ("KVM: X86: Don't report L2 emulation failures to
      user-space") disabled the reporting of L2 (nested guest) emulation failures to
      userspace due to race-condition between a vmexit and the instruction emulator.
      The same rational applies also to userspace applications that are permitted by
      the guest OS to access MMIO area or perform PIO.
      
      This patch extends the current behavior - of injecting a #UD instead of
      reporting it to userspace - also for guest userspace code.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7e1ebf02
    • Pranith Kumar's avatar
      rcu: Use rcu_gp_kthread_wake() to wake up grace period kthreads · 4ffc1f8b
      Pranith Kumar authored
      commit 2aa792e6 upstream.
      
      The rcu_gp_kthread_wake() function checks for three conditions before
      waking up grace period kthreads:
      
      *  Is the thread we are trying to wake up the current thread?
      *  Are the gp_flags zero? (all threads wait on non-zero gp_flags condition)
      *  Is there no thread created for this flavour, hence nothing to wake up?
      
      If any one of these condition is true, we do not call wake_up().
      It was found that there are quite a few avoidable wake ups both during
      idle time and under stress induced by rcutorture.
      
      Idle:
      
      Total:66000, unnecessary:66000, case1:61827, case2:66000, case3:0
      Total:68000, unnecessary:68000, case1:63696, case2:68000, case3:0
      
      rcutorture:
      
      Total:254000, unnecessary:254000, case1:199913, case2:254000, case3:0
      Total:256000, unnecessary:256000, case1:201784, case2:256000, case3:0
      
      Here case{1-3} are the cases listed above. We can avoid these wake
      ups by using rcu_gp_kthread_wake() to conditionally wake up the grace
      period kthreads.
      
      There is a comment about an implied barrier supplied by the wake_up()
      logic.  This barrier is necessary for the awakened thread to see the
      updated ->gp_flags.  This flag is always being updated with the root node
      lock held. Also, the awakened thread tries to acquire the root node lock
      before reading ->gp_flags because of which there is proper ordering.
      
      Hence this commit tries to avoid calling wake_up() whenever we can by
      using rcu_gp_kthread_wake() function.
      Signed-off-by: default avatarPranith Kumar <bobby.prani@gmail.com>
      CC: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Kamal Mostafa <kamal@canonical.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4ffc1f8b
    • Paul E. McKenney's avatar
      rcu: Make callers awaken grace-period kthread · 9b3128c4
      Paul E. McKenney authored
      commit 48a7639c upstream.
      
      The rcu_start_gp_advanced() function currently uses irq_work_queue()
      to defer wakeups of the RCU grace-period kthread.  This deferring
      is necessary to avoid RCU-scheduler deadlocks involving the rcu_node
      structure's lock, meaning that RCU cannot call any of the scheduler's
      wake-up functions while holding one of these locks.
      
      Unfortunately, the second and subsequent calls to irq_work_queue() are
      ignored, and the first call will be ignored (aside from queuing the work
      item) if the scheduler-clock tick is turned off.  This is OK for many
      uses, especially those where irq_work_queue() is called from an interrupt
      or softirq handler, because in those cases the scheduler-clock-tick state
      will be re-evaluated, which will turn the scheduler-clock tick back on.
      On the next tick, any deferred work will then be processed.
      
      However, this strategy does not always work for RCU, which can be invoked
      at process level from idle CPUs.  In this case, the tick might never
      be turned back on, indefinitely defering a grace-period start request.
      Note that the RCU CPU stall detector cannot see this condition, because
      there is no RCU grace period in progress.  Therefore, we can (and do!)
      see long tens-of-seconds stalls in grace-period handling.  In theory,
      we could see a full grace-period hang, but rcutorture testing to date
      has seen only the tens-of-seconds stalls.  Event tracing demonstrates
      that irq_work_queue() is being called repeatedly to no effect during
      these stalls: The "newreq" event appears repeatedly from a task that is
      not one of the grace-period kthreads.
      
      In theory, irq_work_queue() might be fixed to avoid this sort of issue,
      but RCU's requirements are unusual and it is quite straightforward to pass
      wake-up responsibility up through RCU's call chain, so that the wakeup
      happens when the offending locks are released.
      
      This commit therefore makes this change.  The rcu_start_gp_advanced(),
      rcu_start_future_gp(), rcu_accelerate_cbs(), rcu_advance_cbs(),
      __note_gp_changes(), and rcu_start_gp() functions now return a boolean
      which indicates when a wake-up is needed.  A new rcu_gp_kthread_wake()
      does the wakeup when it is necessary and safe to do so: No self-wakes,
      no wake-ups if the ->gp_flags field indicates there is no need (as in
      someone else did the wake-up before we got around to it), and no wake-ups
      before the grace-period kthread has been created.
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      [ Pranith: backport to 3.13-stable: just rcu_gp_kthread_wake(),
        prereq for 2aa792e6 "rcu: Use rcu_gp_kthread_wake() to wake up grace
        period kthreads" ]
      Signed-off-by: default avatarPranith Kumar <bobby.prani@gmail.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9b3128c4
    • Ben Dooks's avatar
      ARM: probes: fix instruction fetch order with <asm/opcodes.h> · 612d0786
      Ben Dooks authored
      commit 888be254 upstream.
      
      If we are running BE8, the data and instruction endianness do not
      match, so use <asm/opcodes.h> to correctly translate memory accesses
      into ARM instructions.
      Acked-by: default avatarJon Medhurst <tixy@linaro.org>
      Signed-off-by: default avatarBen Dooks <ben.dooks@codethink.co.uk>
      [taras.kondratiuk@linaro.org: fixed Thumb instruction fetch order]
      Signed-off-by: default avatarTaras Kondratiuk <taras.kondratiuk@linaro.org>
      [wangnan: backport to 3.10 and 3.14:
       - adjust context
       - backport all changes on arch/arm/kernel/probes.c to
         arch/arm/kernel/kprobes-common.c since we don't have
         commit c18377c3.
       - After the above adjustments, becomes same to Taras Kondratiuk's
         original patch:
           http://lists.linaro.org/pipermail/linaro-kernel/2014-January/010346.html
      ]
      Signed-off-by: default avatarWang Nan <wangnan0@huawei.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      612d0786
    • Pablo Neira's avatar
      netfilter: xt_bpf: add mising opaque struct sk_filter definition · afdb2106
      Pablo Neira authored
      commit e10038a8 upstream.
      
      This structure is not exposed to userspace, so fix this by defining
      struct sk_filter; so we skip the casting in kernelspace. This is safe
      since userspace has no way to lurk with that internal pointer.
      
      Fixes: e6f30c73 ("netfilter: x_tables: add xt_bpf match")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      afdb2106
    • Houcheng Lin's avatar
      netfilter: nf_log: release skbuff on nlmsg put failure · 37bdac28
      Houcheng Lin authored
      commit b51d3fa3 upstream.
      
      The kernel should reserve enough room in the skb so that the DONE
      message can always be appended.  However, in case of e.g. new attribute
      erronously not being size-accounted for, __nfulnl_send() will still
      try to put next nlmsg into this full skbuf, causing the skb to be stuck
      forever and blocking delivery of further messages.
      
      Fix issue by releasing skb immediately after nlmsg_put error and
      WARN() so we can track down the cause of such size mismatch.
      
      [ fw@strlen.de: add tailroom/len info to WARN ]
      Signed-off-by: default avatarHoucheng Lin <houcheng@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      37bdac28
    • Florian Westphal's avatar
      netfilter: nfnetlink_log: fix maximum packet length logged to userspace · 45ebf364
      Florian Westphal authored
      commit c1e7dc91 upstream.
      
      don't try to queue payloads > 0xffff - NLA_HDRLEN, it does not work.
      The nla length includes the size of the nla struct, so anything larger
      results in u16 integer overflow.
      
      This patch is similar to
      9cefbbc9 (netfilter: nfnetlink_queue: cleanup copy_range usage).
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      45ebf364
    • Florian Westphal's avatar
      netfilter: nf_log: account for size of NLMSG_DONE attribute · 13117284
      Florian Westphal authored
      commit 9dfa1dfe upstream.
      
      We currently neither account for the nlattr size, nor do we consider
      the size of the trailing NLMSG_DONE when allocating nlmsg skb.
      
      This can result in nflog to stop working, as __nfulnl_send() re-tries
      sending forever if it failed to append NLMSG_DONE (which will never
      work if buffer is not large enough).
      Reported-by: default avatarHoucheng Lin <houcheng@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      13117284
    • Andrey Vagin's avatar
      ipc: always handle a new value of auto_msgmni · 04e7556e
      Andrey Vagin authored
      commit 1195d94e upstream.
      
      proc_dointvec_minmax() returns zero if a new value has been set.  So we
      don't need to check all charecters have been handled.
      
      Below you can find two examples.  In the new value has not been handled
      properly.
      
      $ strace ./a.out
      open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3
      write(3, "0\n\0", 3)                    = 2
      close(3)                                = 0
      exit_group(0)
      $ cat /sys/kernel/debug/tracing/trace
      
      $strace ./a.out
      open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3
      write(3, "0\n", 2)                      = 2
      close(3)                                = 0
      
      $ cat /sys/kernel/debug/tracing/trace
      a.out-697   [000] ....  3280.998235: unregister_ipcns_notifier <-proc_ipcauto_dointvec_minmax
      
      Fixes: 9eefe520 ("ipc: do not use a negative value to re-enable msgmni automatic recomputin")
      Signed-off-by: default avatarAndrey Vagin <avagin@openvz.org>
      Cc: Mathias Krause <minipli@googlemail.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: Joe Perches <joe@perches.com>
      Cc: Davidlohr Bueso <davidlohr@hp.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      04e7556e
    • Bjorn Helgaas's avatar
      clocksource: Remove "weak" from clocksource_default_clock() declaration · 0f207b54
      Bjorn Helgaas authored
      commit 96a2adbc upstream.
      
      kernel/time/jiffies.c provides a default clocksource_default_clock()
      definition explicitly marked "weak".  arch/s390 provides its own definition
      intended to override the default, but the "weak" attribute on the
      declaration applied to the s390 definition as well, so the linker chose one
      based on link order (see 10629d71 ("PCI: Remove __weak annotation from
      pcibios_get_phb_of_node decl")).
      
      Remove the "weak" attribute from the clocksource_default_clock()
      declaration so we always prefer a non-weak definition over the weak one,
      independent of link order.
      
      Fixes: f1b82746 ("clocksource: Cleanup clocksource selection")
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Acked-by: default avatarIngo Molnar <mingo@kernel.org>
      CC: Daniel Lezcano <daniel.lezcano@linaro.org>
      CC: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0f207b54