1. 11 Jul, 2016 40 commits
    • Eryu Guan's avatar
      ext4: fix NULL pointer dereference in ext4_mark_inode_dirty() · 7925f4fb
      Eryu Guan authored
      [ Upstream commit 5e1021f2 ]
      
      ext4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on
      error (e.g. EIO) and iloc.bh can be NULL in this case. But the error is
      ignored in the following "if" condition and ext4_expand_extra_isize()
      might be called with NULL iloc.bh set, which triggers NULL pointer
      dereference.
      
      This is uncovered by commit 8b4953e1 ("ext4: reserve code points for
      the project quota feature"), which enlarges the ext4_inode size, and
      run the following script on new kernel but with old mke2fs:
      
        #/bin/bash
        mnt=/mnt/ext4
        devname=ext4-error
        dev=/dev/mapper/$devname
        fsimg=/home/fs.img
      
        trap cleanup 0 1 2 3 9 15
      
        cleanup()
        {
                umount $mnt >/dev/null 2>&1
                dmsetup remove $devname
                losetup -d $backend_dev
                rm -f $fsimg
                exit 0
        }
      
        rm -f $fsimg
        fallocate -l 1g $fsimg
        backend_dev=`losetup -f --show $fsimg`
        devsize=`blockdev --getsz $backend_dev`
      
        good_tab="0 $devsize linear $backend_dev 0"
        error_tab="0 $devsize error $backend_dev 0"
      
        dmsetup create $devname --table "$good_tab"
      
        mkfs -t ext4 $dev
        mount -t ext4 -o errors=continue,strictatime $dev $mnt
      
        dmsetup load $devname --table "$error_tab" && dmsetup resume $devname
        echo 3 > /proc/sys/vm/drop_caches
        ls -l $mnt
        exit 0
      
      [ Patch changed to simplify the function a tiny bit. -- Ted ]
      Signed-off-by: default avatarEryu Guan <guaneryu@gmail.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7925f4fb
    • Karol Herbst's avatar
      x86/mm/kmmio: Fix mmiotrace for hugepages · 6e939f78
      Karol Herbst authored
      [ Upstream commit cfa52c0c ]
      
      Because Linux might use bigger pages than the 4K pages to handle those mmio
      ioremaps, the kmmio code shouldn't rely on the pade id as it currently does.
      
      Using the memory address instead of the page id lets us look up how big the
      page is and what its base address is, so that we won't get a page fault
      within the same page twice anymore.
      Tested-by: default avatarPierre Moreau <pierre.morrow@free.fr>
      Signed-off-by: default avatarKarol Herbst <nouveau@karolherbst.de>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Luis R. Rodriguez <mcgrof@suse.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Toshi Kani <toshi.kani@hp.com>
      Cc: linux-mm@kvack.org
      Cc: linux-x86_64@vger.kernel.org
      Cc: nouveau@lists.freedesktop.org
      Cc: pq@iki.fi
      Cc: rostedt@goodmis.org
      Link: http://lkml.kernel.org/r/1456966991-6861-1-git-send-email-nouveau@karolherbst.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6e939f78
    • Michael Hennerich's avatar
      drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors · 4385d1a4
      Michael Hennerich authored
      [ Upstream commit f3df53e4 ]
      
      Fix RDAC read back errors caused by a typo. Value must shift by 2.
      
      Fixes: a4bd3949 ("drivers/misc/ad525x_dpot.c: new features")
      Signed-off-by: default avatarMichael Hennerich <michael.hennerich@analog.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4385d1a4
    • Krzysztof Kozlowski's avatar
      rtc: max77686: Properly handle regmap_irq_get_virq() error code · d8b75590
      Krzysztof Kozlowski authored
      [ Upstream commit fb166ba1 ]
      
      The regmap_irq_get_virq() can return 0 or -EINVAL in error conditions
      but driver checked only for value of 0.
      
      This could lead to a cast of -EINVAL to an unsigned int used as a
      interrupt number for devm_request_threaded_irq(). Although this is not
      yet fatal (devm_request_threaded_irq() will just fail with -EINVAL) but
      might be a misleading when diagnosing errors.
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Fixes: 6f1c1e71 ("mfd: max77686: Convert to use regmap_irq")
      Reviewed-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d8b75590
    • Dan Carpenter's avatar
      rtc: ds1685: passing bogus values to irq_restore · 49d22c01
      Dan Carpenter authored
      [ Upstream commit 8c09b9fd ]
      
      We call spin_lock_irqrestore with "flags" set to zero instead of to the
      value from spin_lock_irqsave().
      
      Fixes: aaaf5fbf ('rtc: add driver for DS1685 family of real time clocks')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      49d22c01
    • Geert Uytterhoeven's avatar
      rtc: vr41xx: Wire up alarm_irq_enable · 1d22cdab
      Geert Uytterhoeven authored
      [ Upstream commit a25f4a95 ]
      
      drivers/rtc/rtc-vr41xx.c:229: warning: ‘vr41xx_rtc_alarm_irq_enable’ defined but not used
      
      Apparently the conversion to alarm_irq_enable forgot to wire up the
      callback.
      
      Fixes: 16380c15 ("RTC: Convert rtc drivers to use the alarm_irq_enable method")
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1d22cdab
    • Alexander Kochetkov's avatar
      rtc: hym8563: fix invalid year calculation · aa9d9e96
      Alexander Kochetkov authored
      [ Upstream commit d5861262 ]
      
      Year field must be in BCD format, according to
      hym8563 datasheet.
      
      Due to the bug year 2016 became 2010.
      
      Fixes: dcaf0384 ("rtc: add hym8563 rtc-driver")
      Signed-off-by: default avatarAlexander Kochetkov <al.kochet@gmail.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      aa9d9e96
    • Ben Hutchings's avatar
      misc/bmp085: Enable building as a module · 2de53375
      Ben Hutchings authored
      [ Upstream commit 50e6315d ]
      
      Commit 985087db 'misc: add support for bmp18x chips to the bmp085
      driver' changed the BMP085 config symbol to a boolean.  I see no
      reason why the shared code cannot be built as a module, so change it
      back to tristate.
      
      Fixes: 985087db ("misc: add support for bmp18x chips to the bmp085 driver")
      Cc: Eric Andersson <eric.andersson@unixphere.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2de53375
    • Sushaanth Srirangapathi's avatar
      fbdev: da8xx-fb: fix videomodes of lcd panels · a5e1649e
      Sushaanth Srirangapathi authored
      [ Upstream commit 713fced8 ]
      
      Commit 028cd86b ("video: da8xx-fb: fix the polarities of the
      hsync/vsync pulse") fixes polarities of HSYNC/VSYNC pulse but
      forgot to update known_lcd_panels[] which had sync values
      according to old logic. This breaks LCD at least on DA850 EVM.
      
      This patch fixes this issue and I have tested this for panel
      "Sharp_LK043T1DG01" using DA850 EVM board.
      
      Fixes: 028cd86b ("video: da8xx-fb: fix the polarities of the hsync/vsync pulse")
      Signed-off-by: default avatarSushaanth Srirangapathi <sushaanth.s@ti.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a5e1649e
    • Arnd Bergmann's avatar
      paride: make 'verbose' parameter an 'int' again · 2d7efc56
      Arnd Bergmann authored
      [ Upstream commit dec63a4d ]
      
      gcc-6.0 found an ancient bug in the paride driver, which had a
      "module_param(verbose, bool, 0);" since before 2.6.12, but actually uses
      it to accept '0', '1' or '2' as arguments:
      
        drivers/block/paride/pd.c: In function 'pd_init_dev_parms':
        drivers/block/paride/pd.c:298:29: warning: comparison of constant '1' with boolean expression is always false [-Wbool-compare]
         #define DBMSG(msg) ((verbose>1)?(msg):NULL)
      
      In 2012, Rusty did a cleanup patch that also changed the type of the
      variable to 'bool', which introduced what is now a gcc warning.
      
      This changes the type back to 'int' and adapts the module_param() line
      instead, so it should work as documented in case anyone ever cares about
      running the ancient driver with debugging.
      
      Fixes: 90ab5ee9 ("module_param: make bool parameters really bool (drivers & misc)")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Rusty Russell <rusty@rustcorp.com.au>
      Cc: Tim Waugh <tim@cyberelk.net>
      Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
      Cc: Jens Axboe <axboe@fb.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2d7efc56
    • Arnd Bergmann's avatar
      regulator: s5m8767: fix get_register() error handling · 1cc58547
      Arnd Bergmann authored
      [ Upstream commit e07ff943 ]
      
      The s5m8767_pmic_probe() function calls s5m8767_get_register() to
      read data without checking the return code, which produces a compile-time
      warning when that data is accessed:
      
      drivers/regulator/s5m8767.c: In function 's5m8767_pmic_probe':
      drivers/regulator/s5m8767.c:924:7: error: 'enable_reg' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      drivers/regulator/s5m8767.c:944:30: error: 'enable_val' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      This changes the s5m8767_get_register() function to return a -EINVAL
      not just for an invalid register number but also for an invalid
      regulator number, as both would result in returning uninitialized
      data. The s5m8767_pmic_probe() function is then changed accordingly
      to fail on a read error, as all the other callers of s5m8767_get_register()
      already do.
      
      In practice this probably cannot happen, as we don't call
      s5m8767_get_register() with invalid arguments, but the gcc
      warning seems valid in principle, in terms writing safe
      error checking.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 9c4c6055 ("regulator: s5m8767: Convert to use regulator_[enable|disable|is_enabled]_regmap")
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1cc58547
    • Huibin Hong's avatar
      spi/rockchip: Make sure spi clk is on in rockchip_spi_set_cs · 377e05c4
      Huibin Hong authored
      [ Upstream commit b920cc31 ]
      
      Rockchip_spi_set_cs could be called by spi_setup, but
      spi_setup may be called by device driver after runtime suspend.
      Then the spi clock is closed, rockchip_spi_set_cs may access the
      spi registers, which causes cpu block in some socs.
      
      Fixes: 64e36824 ("spi/rockchip: add driver for Rockchip RK3xxx")
      Signed-off-by: default avatarHuibin Hong <huibin.hong@rock-chips.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      377e05c4
    • Ignat Korchagin's avatar
      USB: usbip: fix potential out-of-bounds write · 25c871c0
      Ignat Korchagin authored
      [ Upstream commit b348d7dd ]
      
      Fix potential out-of-bounds write to urb->transfer_buffer
      usbip handles network communication directly in the kernel. When receiving a
      packet from its peer, usbip code parses headers according to protocol. As
      part of this parsing urb->actual_length is filled. Since the input for
      urb->actual_length comes from the network, it should be treated as untrusted.
      Any entity controlling the network may put any value in the input and the
      preallocated urb->transfer_buffer may not be large enough to hold the data.
      Thus, the malicious entity is able to write arbitrary data to kernel memory.
      Signed-off-by: default avatarIgnat Korchagin <ignat.korchagin@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      25c871c0
    • Tejun Heo's avatar
      cgroup: make sure a parent css isn't freed before its children · cef12dbf
      Tejun Heo authored
      [ Upstream commit 8bb5ef79 ]
      
      There are three subsystem callbacks in css shutdown path -
      css_offline(), css_released() and css_free().  Except for
      css_released(), cgroup core didn't guarantee the order of invocation.
      css_offline() or css_free() could be called on a parent css before its
      children.  This behavior is unexpected and led to bugs in cpu and
      memory controller.
      
      The previous patch updated ordering for css_offline() which fixes the
      cpu controller issue.  While there currently isn't a known bug caused
      by misordering of css_free() invocations, let's fix it too for
      consistency.
      
      css_free() ordering can be trivially fixed by moving putting of the
      parent css below css_free() invocation.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      cef12dbf
    • Ard Biesheuvel's avatar
      efi: Expose non-blocking set_variable() wrapper to efivars · 33986118
      Ard Biesheuvel authored
      [ Upstream commit 9c6672ac ]
      
      Commit 6d80dba1 ("efi: Provide a non-blocking SetVariable()
      operation") implemented a non-blocking alternative for the UEFI
      SetVariable() invocation performed by efivars, since it may
      occur in atomic context. However, this version of the function
      was never exposed via the efivars struct, so the non-blocking
      versions was not actually callable. Fix that.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarMatt Fleming <matt@codeblueprint.co.uk>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Fixes: 6d80dba1 ("efi: Provide a non-blocking SetVariable() operation")
      Link: http://lkml.kernel.org/r/1454364428-494-2-git-send-email-matt@codeblueprint.co.ukSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      33986118
    • Lars-Peter Clausen's avatar
      ASoC: ssm4567: Reset device before regcache_sync() · fad61c46
      Lars-Peter Clausen authored
      [ Upstream commit 712a8038 ]
      
      When the ssm4567 is powered up the driver calles regcache_sync() to restore
      the register map content. regcache_sync() assumes that the device is in its
      power-on reset state. Make sure that this is the case by explicitly
      resetting the ssm4567 register map before calling regcache_sync() otherwise
      we might end up with a incorrect register map which leads to undefined
      behaviour.
      
      One such undefined behaviour was observed when returning from system
      suspend while a playback stream is active, in that case the ssm4567 was
      kept muted after resume.
      
      Fixes: 1ee44ce0 ("ASoC: ssm4567: Add driver for Analog Devices SSM4567 amplifier")
      Reported-by: default avatarHarsha Priya <harshapriya.n@intel.com>
      Tested-by: default avatarFang, Yang A <yang.a.fang@intel.com>
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fad61c46
    • Arnd Bergmann's avatar
      ASoC: s3c24xx: use const snd_soc_component_driver pointer · 0cbc7967
      Arnd Bergmann authored
      [ Upstream commit ba4bc32e ]
      
      An older patch to convert the API in the s3c i2s driver
      ended up passing a const pointer into a function that takes
      a non-const pointer, so we now get a warning:
      
      sound/soc/samsung/s3c2412-i2s.c: In function 's3c2412_iis_dev_probe':
      sound/soc/samsung/s3c2412-i2s.c:172:9: error: passing argument 3 of 's3c_i2sv2_register_component' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
      
      However, the s3c_i2sv2_register_component() function again
      passes the pointer into another function taking a const, so
      we just need to change its prototype.
      
      Fixes: eca3b01d ("ASoC: switch over to use snd_soc_register_component() on s3c i2s")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0cbc7967
    • Javier Martinez Canillas's avatar
      i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared · 44783088
      Javier Martinez Canillas authored
      [ Upstream commit 10ff4c52 ]
      
      The exynos5 I2C controller driver always prepares and enables a clock
      before using it and then disables unprepares it when the clock is not
      used anymore.
      
      But this can cause a possible ABBA deadlock in some scenarios since a
      driver that uses regmap to access its I2C registers, will first grab
      the regmap lock and then the I2C xfer function will grab the prepare
      lock when preparing the I2C clock. But since the clock driver also
      uses regmap for I2C accesses, preparing a clock will first grab the
      prepare lock and then the regmap lock when using the regmap API.
      
      An example of this happens on the Exynos5422 Odroid XU4 board where a
      s2mps11 PMIC is used and both the s2mps11 regulators and clk drivers
      share the same I2C regmap.
      
      The possible deadlock is reported by the kernel lockdep:
      
        Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(sec_core:428:(regmap)->lock);
                                      lock(prepare_lock);
                                      lock(sec_core:428:(regmap)->lock);
         lock(prepare_lock);
      
        *** DEADLOCK ***
      
      Fix it by leaving the code prepared on probe and use {en,dis}able in
      the I2C transfer function.
      
      This patch is similar to commit 34e81ad5 ("i2c: s3c2410: fix ABBA
      deadlock by keeping clock prepared") that fixes the same bug in other
      driver for an I2C controller found in Samsung SoCs.
      Reported-by: default avatarAnand Moon <linux.amoon@gmail.com>
      Signed-off-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Reviewed-by: default avatarAnand Moon <linux.amoon@gmail.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Cc: stable@kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      44783088
    • Ville Syrjälä's avatar
      drm/i915: Cleanup phys status page too · be109716
      Ville Syrjälä authored
      [ Upstream commit 7d3fdfff ]
      
      Restore the lost phys status page cleanup.
      
      Fixes the following splat with DMA_API_DEBUG=y:
      
      WARNING: CPU: 0 PID: 21615 at ../lib/dma-debug.c:974 dma_debug_device_change+0x190/0x1f0()
      pci 0000:00:02.0: DMA-API: device driver has pending DMA allocations while released from device [count=1]
                     One of leaked entries details: [device address=0x0000000023163000] [size=4096 bytes] [mapped with DMA_BIDIRECTIONAL] [mapped as coherent]
      Modules linked in: i915(-) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm sha256_generic hmac drbg ctr ccm sch_fq_codel binfmt_misc joydev mousedev arc4 ath5k iTCO_wdt mac80211 smsc_ircc2 ath snd_intel8x0m snd_intel8x0 snd_ac97_codec ac97_bus psmouse snd_pcm input_leds i2c_i801 pcspkr snd_timer cfg80211 snd soundcore i2c_core ehci_pci firewire_ohci ehci_hcd firewire_core lpc_ich 8139too rfkill crc_itu_t mfd_core mii usbcore rng_core intel_agp intel_gtt usb_common agpgart irda crc_ccitt fujitsu_laptop led_class parport_pc video parport evdev backlight
      CPU: 0 PID: 21615 Comm: rmmod Tainted: G     U          4.4.0-rc4-mgm-ovl+ #4
      Hardware name: FUJITSU SIEMENS LIFEBOOK S6120/FJNB16C, BIOS Version 1.26  05/10/2004
       e31a3de0 e31a3de0 e31a3d9c c128d4bd e31a3dd0 c1045a0c c15e00c4 e31a3dfc
       0000546f c15dfad2 000003ce c12b3740 000003ce c12b3740 00000000 00000001
       f61fb8a0 e31a3de8 c1045a83 00000009 e31a3de0 c15e00c4 e31a3dfc e31a3e4c
      Call Trace:
       [<c128d4bd>] dump_stack+0x16/0x19
       [<c1045a0c>] warn_slowpath_common+0x8c/0xd0
       [<c12b3740>] ? dma_debug_device_change+0x190/0x1f0
       [<c12b3740>] ? dma_debug_device_change+0x190/0x1f0
       [<c1045a83>] warn_slowpath_fmt+0x33/0x40
       [<c12b3740>] dma_debug_device_change+0x190/0x1f0
       [<c1065499>] notifier_call_chain+0x59/0x70
       [<c10655af>] __blocking_notifier_call_chain+0x3f/0x80
       [<c106560f>] blocking_notifier_call_chain+0x1f/0x30
       [<c134cfb3>] __device_release_driver+0xc3/0xf0
       [<c134d0d7>] driver_detach+0x97/0xa0
       [<c134c440>] bus_remove_driver+0x40/0x90
       [<c134db18>] driver_unregister+0x28/0x60
       [<c1079e8c>] ? trace_hardirqs_on_caller+0x12c/0x1d0
       [<c12c0618>] pci_unregister_driver+0x18/0x80
       [<f83e96e7>] drm_pci_exit+0x87/0xb0 [drm]
       [<f8b3be2d>] i915_exit+0x1b/0x1ee [i915]
       [<c10b999c>] SyS_delete_module+0x14c/0x210
       [<c1079e8c>] ? trace_hardirqs_on_caller+0x12c/0x1d0
       [<c115a9bd>] ? ____fput+0xd/0x10
       [<c1002014>] do_fast_syscall_32+0xa4/0x450
       [<c149f6fa>] sysenter_past_esp+0x3b/0x5d
      ---[ end trace c2ecbc77760f10a0 ]---
      Mapped at:
       [<c12b3183>] debug_dma_alloc_coherent+0x33/0x90
       [<f83e989c>] drm_pci_alloc+0x18c/0x1e0 [drm]
       [<f8acd59f>] intel_init_ring_buffer+0x2af/0x490 [i915]
       [<f8acd8b0>] intel_init_render_ring_buffer+0x130/0x750 [i915]
       [<f8aaea4e>] i915_gem_init_rings+0x1e/0x110 [i915]
      
      v2: s/BUG_ON/WARN_ON/ since dim doens't like the former anymore
      
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Fixes: 5c6c6003 ("drm/i915: Remove DRI1 ring accessors and API")
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> (v1)
      Link: http://patchwork.freedesktop.org/patch/msgid/1452538112-5331-1-git-send-email-ville.syrjala@linux.intel.comReviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      be109716
    • Keerthy's avatar
      pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs · 4e57736d
      Keerthy authored
      [ Upstream commit 56b367c0 ]
      
      pcs_parse_bits_in_pinctrl_entry uses ffs which gives bit indices
      ranging from 1 to MAX. This leads to a corner case where we try to request
      the pin number = MAX and fails.
      
      bit_pos value is being calculted using ffs. pin_num_from_lsb uses
      bit_pos value. pins array is populated with:
      
      pin + pin_num_from_lsb.
      
      The above is 1 more than usual bit indices as bit_pos uses ffs to compute
      first set bit. Hence the last of the pins array is populated with the MAX
      value and not MAX - 1 which causes error when we call pin_request.
      
      mask_pos is rightly calculated as ((pcs->fmask) << (bit_pos - 1))
      Consequently val_pos and submask are correct.
      
      Hence use __ffs which gives (ffs(x) - 1) as the first bit set.
      
      fixes: 4e7e8017 ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
      Signed-off-by: default avatarKeerthy <j-keerthy@ti.com>
      Acked-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4e57736d
    • Arnd Bergmann's avatar
      xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND" · 37257413
      Arnd Bergmann authored
      [ Upstream commit 13aa38e2 ]
      
      The Xen framebuffer driver selects the xen keyboard driver, so the latter
      will be built-in if XEN_FBDEV_FRONTEND=y. However, when CONFIG_INPUT
      is a loadable module, this configuration cannot work. On mainline kernels,
      the symbol will be enabled but not used, while in combination with
      a patch I have to detect such useless configurations, we get the
      expected link failure:
      
      drivers/input/built-in.o: In function `xenkbd_remove':
      xen-kbdfront.c:(.text+0x2f0): undefined reference to `input_unregister_device'
      xen-kbdfront.c:(.text+0x30e): undefined reference to `input_unregister_device'
      
      This removes the extra "select", as it just causes more trouble than
      it helps. In theory, some defconfig file might break if it has
      XEN_FBDEV_FRONTEND in it but not INPUT_XEN_KBDDEV_FRONTEND. The Kconfig
      fragment we ship in the kernel (kernel/configs/xen.config) however
      already enables both, and anyone using an old .config file would
      keep having both enabled.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Suggested-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Fixes: 36c1132e ("xen kconfig: fix select INPUT_XEN_KBDDEV_FRONTEND")
      Acked-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      37257413
    • Stephen Boyd's avatar
      Input: pmic8xxx-pwrkey - fix algorithm for converting trigger delay · e9f20ca8
      Stephen Boyd authored
      [ Upstream commit eda5ecc0 ]
      
      The trigger delay algorithm that converts from microseconds to
      the register value looks incorrect. According to most of the PMIC
      documentation, the equation is
      
      	delay (Seconds) = (1 / 1024) * 2 ^ (x + 4)
      
      except for one case where the documentation looks to have a
      formatting issue and the equation looks like
      
      	delay (Seconds) = (1 / 1024) * 2 x + 4
      
      Most likely this driver was written with the improper
      documentation to begin with. According to the downstream sources
      the valid delays are from 2 seconds to 1/64 second, and the
      latter equation just doesn't make sense for that. Let's fix the
      algorithm and the range check to match the documentation and the
      downstream sources.
      Reported-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Fixes: 92d57a73 ("input: Add support for Qualcomm PMIC8XXX power key")
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Tested-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Acked-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e9f20ca8
    • Anton Blanchard's avatar
      powerpc: Update TM user feature bits in scan_features() · f49eb503
      Anton Blanchard authored
      [ Upstream commit 4705e024 ]
      
      We need to update the user TM feature bits (PPC_FEATURE2_HTM and
      PPC_FEATURE2_HTM) to mirror what we do with the kernel TM feature
      bit.
      
      At the moment, if firmware reports TM is not available we turn off
      the kernel TM feature bit but leave the userspace ones on. Userspace
      thinks it can execute TM instructions and it dies trying.
      
      This (together with a QEMU patch) fixes PR KVM, which doesn't currently
      support TM.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f49eb503
    • Davidlohr Bueso's avatar
      futex: Acknowledge a new waiter in counter before plist · 0ee1b6db
      Davidlohr Bueso authored
      [ Upstream commit fe1bce9e ]
      
      Otherwise an incoming waker on the dest hash bucket can miss
      the waiter adding itself to the plist during the lockless
      check optimization (small window but still the correct way
      of doing this); similarly to the decrement counterpart.
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: bigeasy@linutronix.de
      Cc: dvhart@infradead.org
      Cc: stable@kernel.org
      Link: http://lkml.kernel.org/r/1461208164-29150-1-git-send-email-dave@stgolabs.netSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0ee1b6db
    • Michal Kazior's avatar
      mac80211: fix txq queue related crashes · 17e8cd1e
      Michal Kazior authored
      [ Upstream commit 2a58d42c ]
      
      The driver can access the queue simultanously
      while mac80211 tears down the interface. Without
      spinlock protection this could lead to corrupting
      sk_buff_head and subsequently to an invalid
      pointer dereference.
      
      Fixes: ba8c3d6f ("mac80211: add an intermediate software queue implementation")
      Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      17e8cd1e
    • Michal Kazior's avatar
      mac80211: fix unnecessary frame drops in mesh fwding · 193517ef
      Michal Kazior authored
      [ Upstream commit cf440128 ]
      
      The ieee80211_queue_stopped() expects hw queue
      number but it was given raw WMM AC number instead.
      
      This could cause frame drops and problems with
      traffic in some cases - most notably if driver
      doesn't map AC numbers to queue numbers 1:1 and
      uses ieee80211_stop_queues() and
      ieee80211_wake_queue() only without ever calling
      ieee80211_wake_queues().
      
      On ath10k it was possible to hit this problem in
      the following case:
      
        1. wlan0 uses queue 0
           (ath10k maps queues per vif)
        2. offchannel uses queue 15
        3. queues 1-14 are unused
        4. ieee80211_stop_queues()
        5. ieee80211_wake_queue(q=0)
        6. ieee80211_wake_queue(q=15)
           (other queues are not woken up because both
            driver and mac80211 know other queues are
            unused)
        7. ieee80211_rx_h_mesh_fwding()
        8. ieee80211_select_queue_80211() returns 2
        9. ieee80211_queue_stopped(q=2) returns true
       10. frame is dropped (oops!)
      
      Fixes: d3c1597b ("mac80211: fix forwarded mesh frame queue mapping")
      Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      193517ef
    • Sara Sharon's avatar
      mac80211: fix ibss scan parameters · bd6b2f89
      Sara Sharon authored
      [ Upstream commit d321cd01 ]
      
      When joining IBSS a full scan should be initiated in order to search
      for existing cell, unless the fixed_channel parameter was set.
      A default channel to create the IBSS on if no cell was found is
      provided as well.
      However - a scan is initiated only on the default channel provided
      regardless of whether ifibss->fixed_channel is set or not, with the
      obvious result of the cell not joining existing IBSS cell that is
      on another channel.
      
      Fixes: 76bed0f4 ("mac80211: IBSS fix scan request")
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      bd6b2f89
    • Arnd Bergmann's avatar
      mac80211: avoid excessive stack usage in sta_info · 6c59578f
      Arnd Bergmann authored
      [ Upstream commit 0ef049dc ]
      
      When CONFIG_OPTIMIZE_INLINING is set, the sta_info_insert_finish
      function consumes more stack than normally, exceeding the
      1024 byte limit on ARM:
      
      net/mac80211/sta_info.c: In function 'sta_info_insert_finish':
      net/mac80211/sta_info.c:561:1: error: the frame size of 1080 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      
      It turns out that there are two functions that put a 'struct station_info'
      on the stack: __sta_info_destroy_part2 and sta_info_insert_finish, and
      this structure alone requires up to 792 bytes.
      
      Hoping that both are called rarely enough, this replaces the
      on-stack structure with a dynamic allocation, which unfortunately
      requires some suboptimal error handling for out-of-memory.
      
      The __sta_info_destroy_part2 function is actually affected by the
      stack usage twice because it calls cfg80211_del_sta_sinfo(), which
      has another instance of struct station_info on its stack.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 98b62183 ("mac80211/cfg80211: add station events")
      Fixes: 6f7a8d26 ("mac80211: send statistics with delete station event")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6c59578f
    • Laurent Pinchart's avatar
      [media] v4l: vsp1: Set the SRU CTRL0 register when starting the stream · f46752f2
      Laurent Pinchart authored
      [ Upstream commit f6acfcdc ]
      
      Commit 58f896d8 ("[media] v4l: vsp1: sru: Make the intensity
      controllable during streaming") refactored the stream start code and
      removed the SRU CTRL0 register write by mistake. Add it back.
      
      Fixes: 58f896d8 ("[media] v4l: vsp1: sru: Make the intensity controllable during streaming")
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f46752f2
    • Philipp Zabel's avatar
      [media] coda: fix error path in case of missing pdata on non-DT platform · 80a3bf1c
      Philipp Zabel authored
      [ Upstream commit bc717d5e ]
      
      If we bail out this early, v4l2_device_register() has not been called
      yet, so no need to call v4l2_device_unregister().
      
      Fixes: b7bd660a ("[media] coda: Call v4l2_device_unregister() from a single location")
      Reported-by: default avatarMichael Olbrich <m.olbrich@pengutronix.de>
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Reviewed-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      80a3bf1c
    • Linus Walleij's avatar
      pinctrl: nomadik: fix pull debug print inversion · 921aa6dd
      Linus Walleij authored
      [ Upstream commit 6ee33455 ]
      
      Pull up was reported as pull down and vice versa. Fix this.
      
      Fixes: 8f1774a2 "pinctrl: nomadik: improve GPIO debug prints"
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      921aa6dd
    • Thadeu Lima de Souza Cascardo's avatar
      ip6_tunnel: set rtnl_link_ops before calling register_netdevice · 80618333
      Thadeu Lima de Souza Cascardo authored
      [ Upstream commit b6ee376c ]
      
      When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
      before ip6_tnl_create2 is called. When register_netdevice is called, there
      is no linkinfo attribute in the NEWLINK message because of that.
      
      Setting rtnl_link_ops before calling register_netdevice fixes that.
      
      Fixes: 0b112457 ("ip6tnl: add support of link creation via rtnl")
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      80618333
    • Haishuang Yan's avatar
      ipv6: l2tp: fix a potential issue in l2tp_ip6_recv · 1d8ad31a
      Haishuang Yan authored
      [ Upstream commit be447f30 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1d8ad31a
    • Haishuang Yan's avatar
      ipv4: l2tp: fix a potential issue in l2tp_ip_recv · a9c51077
      Haishuang Yan authored
      [ Upstream commit 5745b823 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a9c51077
    • Nicolas Dichtel's avatar
      rtnl: fix msg size calculation in if_nlmsg_size() · 5e6a091f
      Nicolas Dichtel authored
      [ Upstream commit c57c7a95 ]
      
      Size of the attribute IFLA_PHYS_PORT_NAME was missing.
      
      Fixes: db24a904 ("net: add support for phys_port_name")
      CC: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5e6a091f
    • Eric Dumazet's avatar
      ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates · b95228fd
      Eric Dumazet authored
      [ Upstream commit 2d421226 ]
      
      IPv6 counters updates use a different macro than IPv4.
      
      Fixes: 36cbb245 ("udp: Increment UDP_MIB_IGNOREDMULTI for arriving unmatched multicasts")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Rick Jones <rick.jones2@hp.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b95228fd
    • Bjørn Mork's avatar
      qmi_wwan: add "D-Link DWM-221 B1" device id · 95e4695b
      Bjørn Mork authored
      [ Upstream commit e84810c7 ]
      
      Thomas reports:
      "Windows:
      
      00 diagnostics
      01 modem
      02 at-port
      03 nmea
      04 nic
      
      Linux:
      
      T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7e19 Rev=02.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      95e4695b
    • subashab@codeaurora.org's avatar
      xfrm: Fix crash observed during device unregistration and decryption · a2359773
      subashab@codeaurora.org authored
      [ Upstream commit 071d36bf ]
      
      A crash is observed when a decrypted packet is processed in receive
      path. get_rps_cpus() tries to dereference the skb->dev fields but it
      appears that the device is freed from the poison pattern.
      
      [<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
      [<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
      [<ffffffc000af6094>] netif_rx+0x74/0x94
      [<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
      [<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
      [<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
      [<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
      [<ffffffc0000b7324>] worker_thread+0x2f8/0x418
      [<ffffffc0000bb40c>] kthread+0xe0/0xec
      
      -013|get_rps_cpu(
           |    dev = 0xFFFFFFC08B688000,
           |    skb = 0xFFFFFFC0C76AAC00 -> (
           |      dev = 0xFFFFFFC08B688000 -> (
           |        name =
      "......................................................
           |        name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
      0xAAAAAAAAAAA
      
      Following are the sequence of events observed -
      
      - Encrypted packet in receive path from netdevice is queued
      - Encrypted packet queued for decryption (asynchronous)
      - Netdevice brought down and freed
      - Packet is decrypted and returned through callback in esp_input_done
      - Packet is queued again for process in network stack using netif_rx
      
      Since the device appears to have been freed, the dereference of
      skb->dev in get_rps_cpus() leads to an unhandled page fault
      exception.
      
      Fix this by holding on to device reference when queueing packets
      asynchronously and releasing the reference on call back return.
      
      v2: Make the change generic to xfrm as mentioned by Steffen and
      update the title to xfrm
      Suggested-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJerome Stanislaus <jeromes@codeaurora.org>
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a2359773
    • Guillaume Nault's avatar
      ppp: take reference on channels netns · fc74ace8
      Guillaume Nault authored
      [ Upstream commit 1f461dcd ]
      
      Let channels hold a reference on their network namespace.
      Some channel types, like ppp_async and ppp_synctty, can have their
      userspace controller running in a different namespace. Therefore they
      can't rely on them to preclude their netns from being removed from
      under them.
      
      ==================================================================
      BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
      addr ffff880064e217e0
      Read of size 8 by task syz-executor/11581
      =============================================================================
      BUG net_namespace (Not tainted): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      Disabling lock debugging due to kernel taint
      INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
      [<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
      [<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
      [<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
      [<     inline     >] slab_alloc kernel/mm/slub.c:2574
      [<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
      [<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
      [<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
      [<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
      [<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
      [<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
      [<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
      [<     inline     >] copy_process kernel/kernel/fork.c:1274
      [<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
      [<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
      [<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
      [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
      
      INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
      [<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
      [<     inline     >] slab_free kernel/mm/slub.c:2805
      [<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
      [<     inline     >] net_free kernel/net/core/net_namespace.c:341
      [<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
      [<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
      [<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
      [<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
      [<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
      [<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
      INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
      flags=0x5fffc0000004080
      INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
      
      CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
       00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
       ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
       ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
      Call Trace:
       [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
       [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
       [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
       [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
       [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
       [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
       [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
       [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
       [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
       [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
       [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
       [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
       [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
       [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
       [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
       [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
       [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
       [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
       [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
       [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
       [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
       [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
       [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
       [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
       [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
       [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
       [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
       [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
       [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
       [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
       [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
       [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
       [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
       [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
       [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
       [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
       [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
       [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
       [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
       [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
       [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
      Memory state around the buggy address:
       ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
       ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 273ec51d ("net: ppp_generic - introduce net-namespace functionality v2")
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fc74ace8
    • Paolo Abeni's avatar
      ipv4: fix broadcast packets reception · 263a20bc
      Paolo Abeni authored
      [ Upstream commit ad0ea198 ]
      
      Currently, ingress ipv4 broadcast datagrams are dropped since,
      in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
      bcast packets.
      
      This patch addresses the issue, invoking ip_check_mc_rcu()
      only for mcast packets.
      
      Fixes: 6e540309 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      263a20bc