1. 29 Nov, 2013 31 commits
    • Mikulas Patocka's avatar
      block: fix a probe argument to blk_register_region · 82b80fae
      Mikulas Patocka authored
      commit a207f593 upstream.
      
      The probe function is supposed to return NULL on failure (as we can see in
      kobj_lookup: kobj = probe(dev, index, data); ... if (kobj) return kobj;
      
      However, in loop and brd, it returns negative error from ERR_PTR.
      
      This causes a crash if we simulate disk allocation failure and run
      less -f /dev/loop0 because the negative number is interpreted as a pointer:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000002b4
      IP: [<ffffffff8118b188>] __blkdev_get+0x28/0x450
      PGD 23c677067 PUD 23d6d1067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: loop hpfs nvidia(PO) ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_stats cpufreq_ondemand cpufreq_userspace cpufreq_powersave cpufreq_conservative hid_generic spadfs usbhid hid fuse raid0 snd_usb_audio snd_pcm_oss snd_mixer_oss md_mod snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib dmi_sysfs snd_rawmidi nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd soundcore lm85 hwmon_vid ohci_hcd ehci_pci ehci_hcd serverworks sata_svw libata acpi_cpufreq freq_table mperf ide_core usbcore kvm_amd kvm tg3 i2c_piix4 libphy microcode e100 usb_common ptp skge i2c_core pcspkr k10temp evdev floppy hwmon pps_core mii rtc_cmos button processor unix [last unloaded: nvidia]
      CPU: 1 PID: 6831 Comm: less Tainted: P        W  O 3.10.15-devel #18
      Hardware name: empty empty/S3992-E, BIOS 'V1.06   ' 06/09/2009
      task: ffff880203cc6bc0 ti: ffff88023e47c000 task.ti: ffff88023e47c000
      RIP: 0010:[<ffffffff8118b188>]  [<ffffffff8118b188>] __blkdev_get+0x28/0x450
      RSP: 0018:ffff88023e47dbd8  EFLAGS: 00010286
      RAX: ffffffffffffff74 RBX: ffffffffffffff74 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
      RBP: ffff88023e47dc18 R08: 0000000000000002 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88023f519658
      R13: ffffffff8118c300 R14: 0000000000000000 R15: ffff88023f519640
      FS:  00007f2070bf7700(0000) GS:ffff880247400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000000002b4 CR3: 000000023da1d000 CR4: 00000000000007e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Stack:
       0000000000000002 0000001d00000000 000000003e47dc50 ffff88023f519640
       ffff88043d5bb668 ffffffff8118c300 ffff88023d683550 ffff88023e47de60
       ffff88023e47dc98 ffffffff8118c10d 0000001d81605698 0000000000000292
      Call Trace:
       [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
       [<ffffffff8118c10d>] blkdev_get+0x1dd/0x370
       [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
       [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50
       [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
       [<ffffffff8118c365>] blkdev_open+0x65/0x80
       [<ffffffff8114d12e>] do_dentry_open.isra.18+0x23e/0x2f0
       [<ffffffff8114d214>] finish_open+0x34/0x50
       [<ffffffff8115e122>] do_last.isra.62+0x2d2/0xc50
       [<ffffffff8115eb58>] path_openat.isra.63+0xb8/0x4d0
       [<ffffffff81115a8e>] ? might_fault+0x4e/0xa0
       [<ffffffff8115f4f0>] do_filp_open+0x40/0x90
       [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50
       [<ffffffff8116db85>] ? __alloc_fd+0xa5/0x1f0
       [<ffffffff8114e45f>] do_sys_open+0xef/0x1d0
       [<ffffffff8114e559>] SyS_open+0x19/0x20
       [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
      Code: 44 00 00 55 48 89 e5 41 57 49 89 ff 41 56 41 89 d6 41 55 41 54 4c 8d 67 18 53 48 83 ec 18 89 75 cc e9 f2 00 00 00 0f 1f 44 00 00 <48> 8b 80 40 03 00 00 48 89 df 4c 8b 68 58 e8 d5
      a4 07 00 44 89
      RIP  [<ffffffff8118b188>] __blkdev_get+0x28/0x450
       RSP <ffff88023e47dbd8>
      CR2: 00000000000002b4
      ---[ end trace bb7f32dbf02398dc ]---
      
      The brd change should be backported to stable kernels starting with 2.6.25.
      The loop change should be backported to stable kernels starting with 2.6.22.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82b80fae
    • Jeff Moyer's avatar
      block: fix race between request completion and timeout handling · 5413d6c0
      Jeff Moyer authored
      commit 4912aa6c upstream.
      
      crocode i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma dca be2net sg ses enclosure ext4 mbcache jbd2 sd_mod crc_t10dif ahci megaraid_sas(U) dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]
      
      Pid: 491, comm: scsi_eh_0 Tainted: G        W  ----------------   2.6.32-220.13.1.el6.x86_64 #1 IBM  -[8722PAX]-/00D1461
      RIP: 0010:[<ffffffff8124e424>]  [<ffffffff8124e424>] blk_requeue_request+0x94/0xa0
      RSP: 0018:ffff881057eefd60  EFLAGS: 00010012
      RAX: ffff881d99e3e8a8 RBX: ffff881d99e3e780 RCX: ffff881d99e3e8a8
      RDX: ffff881d99e3e8a8 RSI: ffff881d99e3e780 RDI: ffff881d99e3e780
      RBP: ffff881057eefd80 R08: ffff881057eefe90 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff881057f92338
      R13: 0000000000000000 R14: ffff881057f92338 R15: ffff883058188000
      FS:  0000000000000000(0000) GS:ffff880040200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 00000000006d3ec0 CR3: 000000302cd7d000 CR4: 00000000000406b0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process scsi_eh_0 (pid: 491, threadinfo ffff881057eee000, task ffff881057e29540)
      Stack:
       0000000000001057 0000000000000286 ffff8810275efdc0 ffff881057f16000
      <0> ffff881057eefdd0 ffffffff81362323 ffff881057eefe20 ffffffff8135f393
      <0> ffff881057e29af8 ffff8810275efdc0 ffff881057eefe78 ffff881057eefe90
      Call Trace:
       [<ffffffff81362323>] __scsi_queue_insert+0xa3/0x150
       [<ffffffff8135f393>] ? scsi_eh_ready_devs+0x5e3/0x850
       [<ffffffff81362a23>] scsi_queue_insert+0x13/0x20
       [<ffffffff8135e4d4>] scsi_eh_flush_done_q+0x104/0x160
       [<ffffffff8135fb6b>] scsi_error_handler+0x35b/0x660
       [<ffffffff8135f810>] ? scsi_error_handler+0x0/0x660
       [<ffffffff810908c6>] kthread+0x96/0xa0
       [<ffffffff8100c14a>] child_rip+0xa/0x20
       [<ffffffff81090830>] ? kthread+0x0/0xa0
       [<ffffffff8100c140>] ? child_rip+0x0/0x20
      Code: 00 00 eb d1 4c 8b 2d 3c 8f 97 00 4d 85 ed 74 bf 49 8b 45 00 49 83 c5 08 48 89 de 4c 89 e7 ff d0 49 8b 45 00 48 85 c0 75 eb eb a4 <0f> 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00
      RIP  [<ffffffff8124e424>] blk_requeue_request+0x94/0xa0
       RSP <ffff881057eefd60>
      
      The RIP is this line:
              BUG_ON(blk_queued_rq(rq));
      
      After digging through the code, I think there may be a race between the
      request completion and the timer handler running.
      
      A timer is started for each request put on the device's queue (see
      blk_start_request->blk_add_timer).  If the request does not complete
      before the timer expires, the timer handler (blk_rq_timed_out_timer)
      will mark the request complete atomically:
      
      static inline int blk_mark_rq_complete(struct request *rq)
      {
              return test_and_set_bit(REQ_ATOM_COMPLETE, &rq->atomic_flags);
      }
      
      and then call blk_rq_timed_out.  The latter function will call
      scsi_times_out, which will return one of BLK_EH_HANDLED,
      BLK_EH_RESET_TIMER or BLK_EH_NOT_HANDLED.  If BLK_EH_RESET_TIMER is
      returned, blk_clear_rq_complete is called, and blk_add_timer is again
      called to simply wait longer for the request to complete.
      
      Now, if the request happens to complete while this is going on, what
      happens?  Given that we know the completion handler will bail if it
      finds the REQ_ATOM_COMPLETE bit set, we need to focus on the completion
      handler running after that bit is cleared.  So, from the above
      paragraph, after the call to blk_clear_rq_complete.  If the completion
      sets REQ_ATOM_COMPLETE before the BUG_ON in blk_add_timer, we go boom
      there (I haven't seen this in the cores).  Next, if we get the
      completion before the call to list_add_tail, then the timer will
      eventually fire for an old req, which may either be freed or reallocated
      (there is evidence that this might be the case).  Finally, if the
      completion comes in *after* the addition to the timeout list, I think
      it's harmless.  The request will be removed from the timeout list,
      req_atom_complete will be set, and all will be well.
      
      This will only actually explain the coredumps *IF* the request
      structure was freed, reallocated *and* queued before the error handler
      thread had a chance to process it.  That is possible, but it may make
      sense to keep digging for another race.  I think that if this is what
      was happening, we would see other instances of this problem showing up
      as null pointer or garbage pointer dereferences, for example when the
      request structure was not re-used.  It looks like we actually do run
      into that situation in other reports.
      
      This patch moves the BUG_ON(test_bit(REQ_ATOM_COMPLETE,
      &req->atomic_flags)); from blk_add_timer to the only caller that could
      trip over it (blk_start_request).  It then inverts the calls to
      blk_clear_rq_complete and blk_add_timer in blk_rq_timed_out to address
      the race.  I've boot tested this patch, but nothing more.
      Signed-off-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Acked-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5413d6c0
    • Guenter Roeck's avatar
      hwmon: (lm90) Fix max6696 alarm handling · cf359232
      Guenter Roeck authored
      commit e41fae2b upstream.
      
      Bit 2 of status register 2 on MAX6696 (external diode 2 open)
      sets ALERT; the bit thus has to be listed in alert_alarms.
      Also display a message in the alert handler if the condition
      is encountered.
      
      Even though not all overtemperature conditions cause ALERT
      to be set, we should not ignore them in the alert handler.
      Display messages for all out-of-range conditions.
      Reported-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf359232
    • Thomas Renninger's avatar
      x86/microcode/amd: Tone down printk(), don't treat a missing firmware file as an error · b227aa81
      Thomas Renninger authored
      commit 11f918d3 upstream.
      
      Do it the same way as done in microcode_intel.c: use pr_debug()
      for missing firmware files.
      
      There seem to be CPUs out there for which no microcode update
      has been submitted to kernel-firmware repo yet resulting in
      scary sounding error messages in dmesg:
      
        microcode: failed to load file amd-ucode/microcode_amd_fam16h.bin
      Signed-off-by: default avatarThomas Renninger <trenn@suse.de>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/1384274383-43510-1-git-send-email-trenn@suse.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b227aa81
    • Christoph Hellwig's avatar
      nfsd: make sure to balance get/put_write_access · 107bb3cc
      Christoph Hellwig authored
      commit 987da479 upstream.
      
      Use a straight goto error label style in nfsd_setattr to make sure
      we always do the put_write_access call after we got it earlier.
      
      Note that the we have been failing to do that in the case
      nfsd_break_lease() returns an error, a bug introduced into 2.6.38 with
      6a76bebe "nfsd4: break lease on nfsd
      setattr".
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      107bb3cc
    • Christoph Hellwig's avatar
      nfsd: split up nfsd_setattr · 6ee4fd26
      Christoph Hellwig authored
      commit 818e5a22 upstream.
      
      Split out two helpers to make the code more readable and easier to verify
      for correctness.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ee4fd26
    • Trond Myklebust's avatar
      NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk() · 1ac50b94
      Trond Myklebust authored
      commit a6f951dd upstream.
      
      In nfs4_proc_getlk(), when some error causes a retry of the call to
      _nfs4_proc_getlk(), we can end up with Oopses of the form
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
       IP: [<ffffffff8165270e>] _raw_spin_lock+0xe/0x30
      <snip>
       Call Trace:
        [<ffffffff812f287d>] _atomic_dec_and_lock+0x4d/0x70
        [<ffffffffa053c4f2>] nfs4_put_lock_state+0x32/0xb0 [nfsv4]
        [<ffffffffa053c585>] nfs4_fl_release_lock+0x15/0x20 [nfsv4]
        [<ffffffffa0522c06>] _nfs4_proc_getlk.isra.40+0x146/0x170 [nfsv4]
        [<ffffffffa052ad99>] nfs4_proc_lock+0x399/0x5a0 [nfsv4]
      
      The problem is that we don't clear the request->fl_ops after the first
      try and so when we retry, nfs4_set_lock_state() exits early without
      setting the lock stateid.
      Regression introduced by commit 70cc6487
      (locks: make ->lock release private data before returning in GETLK case)
      Reported-by: default avatarWeston Andros Adamson <dros@netapp.com>
      Reported-by: default avatarJorge Mora <mora@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1ac50b94
    • Takashi Iwai's avatar
      ALSA: msnd: Avoid duplicated driver name · eaea722e
      Takashi Iwai authored
      commit 092f9cd1 upstream.
      
      msnd_pinnacle.c is used for both snd-msnd-pinnacle and
      snd-msnd-classic drivers, and both should have different driver
      names.  Using the same driver name results in the sysfs warning for
      duplicated entries like
       kobject: 'msnd-pinnacle.7' (cec33408): kobject_release, parent   (null) (delayed)
       kobject: 'msnd-pinnacle' (cecd4980): kobject_release, parent cf3ad9b0 (delayed)
       ------------[ cut here ]------------
       WARNING: CPU: 0 PID: 1 at fs/sysfs/dir.c:486 sysfs_warn_dup+0x7d/0xa0()
       sysfs: cannot create duplicate filename '/bus/isa/drivers/msnd-pinnacle'
       ......
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eaea722e
    • Takashi Iwai's avatar
      ALSA: 6fire: Fix probe of multiple cards · 1b443352
      Takashi Iwai authored
      commit 9b389a8a upstream.
      
      The probe code of snd-usb-6fire driver overrides the devices[] pointer
      wrongly without checking whether it's already occupied or not.  This
      would screw up the device disconnection later.
      
      Spotted by coverity CID 141423.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b443352
    • Kees Cook's avatar
      exec/ptrace: fix get_dumpable() incorrect tests · c0d30628
      Kees Cook authored
      commit d049f74f upstream.
      
      The get_dumpable() return value is not boolean.  Most users of the
      function actually want to be testing for non-SUID_DUMP_USER(1) rather than
      SUID_DUMP_DISABLE(0).  The SUID_DUMP_ROOT(2) is also considered a
      protected state.  Almost all places did this correctly, excepting the two
      places fixed in this patch.
      
      Wrong logic:
          if (dumpable == SUID_DUMP_DISABLE) { /* be protective */ }
              or
          if (dumpable == 0) { /* be protective */ }
              or
          if (!dumpable) { /* be protective */ }
      
      Correct logic:
          if (dumpable != SUID_DUMP_USER) { /* be protective */ }
              or
          if (dumpable != 1) { /* be protective */ }
      
      Without this patch, if the system had set the sysctl fs/suid_dumpable=2, a
      user was able to ptrace attach to processes that had dropped privileges to
      that user.  (This may have been partially mitigated if Yama was enabled.)
      
      The macros have been moved into the file that declares get/set_dumpable(),
      which means things like the ia64 code can see them too.
      
      CVE-2013-2929
      Reported-by: default avatarVasily Kulikov <segoon@openwall.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: "Luck, Tony" <tony.luck@intel.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0d30628
    • Mimi Zohar's avatar
      Revert "ima: policy for RAMFS" · 7288f91d
      Mimi Zohar authored
      commit 08de59eb upstream.
      
      This reverts commit 4c2c3927.
      
      Everything in the initramfs should be measured and appraised,
      but until the initramfs has extended attribute support, at
      least measured.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7288f91d
    • Stanislaw Gruszka's avatar
      rt2x00: check if device is still available on rt2x00mac_flush() · 7eebf56b
      Stanislaw Gruszka authored
      commit 5671ab05 upstream.
      
      Fix random kernel panic with below messages when remove dongle.
      
      [ 2212.355447] BUG: unable to handle kernel NULL pointer dereference at 0000000000000250
      [ 2212.355527] IP: [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb]
      [ 2212.355599] PGD 0
      [ 2212.355626] Oops: 0000 [#1] SMP
      [ 2212.355664] Modules linked in: rt2800usb rt2x00usb rt2800lib crc_ccitt rt2x00lib mac80211 cfg80211 tun arc4 fuse rfcomm bnep snd_hda_codec_realtek snd_hda_intel snd_hda_codec btusb uvcvideo bluetooth snd_hwdep x86_pkg_temp_thermal snd_seq coretemp aesni_intel aes_x86_64 snd_seq_device glue_helper snd_pcm ablk_helper videobuf2_vmalloc sdhci_pci videobuf2_memops videobuf2_core sdhci videodev mmc_core serio_raw snd_page_alloc microcode i2c_i801 snd_timer hid_multitouch thinkpad_acpi lpc_ich mfd_core snd tpm_tis wmi tpm tpm_bios soundcore acpi_cpufreq i915 i2c_algo_bit drm_kms_helper drm i2c_core video [last unloaded: cfg80211]
      [ 2212.356224] CPU: 0 PID: 34 Comm: khubd Not tainted 3.12.0-rc3-wl+ #3
      [ 2212.356268] Hardware name: LENOVO 3444CUU/3444CUU, BIOS G6ET93WW (2.53 ) 02/04/2013
      [ 2212.356319] task: ffff880212f687c0 ti: ffff880212f66000 task.ti: ffff880212f66000
      [ 2212.356392] RIP: 0010:[<ffffffffa02667f2>]  [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb]
      [ 2212.356481] RSP: 0018:ffff880212f67750  EFLAGS: 00010202
      [ 2212.356519] RAX: 000000000000000c RBX: 000000000000000c RCX: 0000000000000293
      [ 2212.356568] RDX: ffff8801f4dc219a RSI: 0000000000000000 RDI: 0000000000000240
      [ 2212.356617] RBP: ffff880212f67778 R08: ffffffffa02667e0 R09: 0000000000000002
      [ 2212.356665] R10: 0001f95254ab4b40 R11: ffff880212f675be R12: ffff8801f4dc2150
      [ 2212.356712] R13: 0000000000000000 R14: ffffffffa02667e0 R15: 000000000000000d
      [ 2212.356761] FS:  0000000000000000(0000) GS:ffff88021e200000(0000) knlGS:0000000000000000
      [ 2212.356813] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2212.356852] CR2: 0000000000000250 CR3: 0000000001a0c000 CR4: 00000000001407f0
      [ 2212.356899] Stack:
      [ 2212.356917]  000000000000000c ffff8801f4dc2150 0000000000000000 ffffffffa02667e0
      [ 2212.356980]  000000000000000d ffff880212f677b8 ffffffffa03a31ad ffff8801f4dc219a
      [ 2212.357038]  ffff8801f4dc2150 0000000000000000 ffff8800b93217a0 ffff8801f49bc800
      [ 2212.357099] Call Trace:
      [ 2212.357122]  [<ffffffffa02667e0>] ? rt2x00usb_interrupt_txdone+0x90/0x90 [rt2x00usb]
      [ 2212.357174]  [<ffffffffa03a31ad>] rt2x00queue_for_each_entry+0xed/0x170 [rt2x00lib]
      [ 2212.357244]  [<ffffffffa026701c>] rt2x00usb_kick_queue+0x5c/0x60 [rt2x00usb]
      [ 2212.357314]  [<ffffffffa03a3682>] rt2x00queue_flush_queue+0x62/0xa0 [rt2x00lib]
      [ 2212.357386]  [<ffffffffa03a2930>] rt2x00mac_flush+0x30/0x70 [rt2x00lib]
      [ 2212.357470]  [<ffffffffa04edded>] ieee80211_flush_queues+0xbd/0x140 [mac80211]
      [ 2212.357555]  [<ffffffffa0502e52>] ieee80211_set_disassoc+0x2d2/0x3d0 [mac80211]
      [ 2212.357645]  [<ffffffffa0506da3>] ieee80211_mgd_deauth+0x1d3/0x240 [mac80211]
      [ 2212.357718]  [<ffffffff8108b17c>] ? try_to_wake_up+0xec/0x290
      [ 2212.357788]  [<ffffffffa04dbd18>] ieee80211_deauth+0x18/0x20 [mac80211]
      [ 2212.357872]  [<ffffffffa0418ddc>] cfg80211_mlme_deauth+0x9c/0x140 [cfg80211]
      [ 2212.357913]  [<ffffffffa041907c>] cfg80211_mlme_down+0x5c/0x60 [cfg80211]
      [ 2212.357962]  [<ffffffffa041cd18>] cfg80211_disconnect+0x188/0x1a0 [cfg80211]
      [ 2212.358014]  [<ffffffffa04013bc>] ? __cfg80211_stop_sched_scan+0x1c/0x130 [cfg80211]
      [ 2212.358067]  [<ffffffffa03f8954>] cfg80211_leave+0xc4/0xe0 [cfg80211]
      [ 2212.358124]  [<ffffffffa03f8d1b>] cfg80211_netdev_notifier_call+0x3ab/0x5e0 [cfg80211]
      [ 2212.358177]  [<ffffffff815140f8>] ? inetdev_event+0x38/0x510
      [ 2212.358217]  [<ffffffff81085a94>] ? __wake_up+0x44/0x50
      [ 2212.358254]  [<ffffffff8155995c>] notifier_call_chain+0x4c/0x70
      [ 2212.358293]  [<ffffffff81081156>] raw_notifier_call_chain+0x16/0x20
      [ 2212.358361]  [<ffffffff814b6dd5>] call_netdevice_notifiers_info+0x35/0x60
      [ 2212.358429]  [<ffffffff814b6ec9>] __dev_close_many+0x49/0xd0
      [ 2212.358487]  [<ffffffff814b7028>] dev_close_many+0x88/0x100
      [ 2212.358546]  [<ffffffff814b8150>] rollback_registered_many+0xb0/0x220
      [ 2212.358612]  [<ffffffff814b8319>] unregister_netdevice_many+0x19/0x60
      [ 2212.358694]  [<ffffffffa04d8eb2>] ieee80211_remove_interfaces+0x112/0x190 [mac80211]
      [ 2212.358791]  [<ffffffffa04c585f>] ieee80211_unregister_hw+0x4f/0x100 [mac80211]
      [ 2212.361994]  [<ffffffffa03a1221>] rt2x00lib_remove_dev+0x161/0x1a0 [rt2x00lib]
      [ 2212.365240]  [<ffffffffa0266e2e>] rt2x00usb_disconnect+0x2e/0x70 [rt2x00usb]
      [ 2212.368470]  [<ffffffff81419ce4>] usb_unbind_interface+0x64/0x1c0
      [ 2212.371734]  [<ffffffff813b446f>] __device_release_driver+0x7f/0xf0
      [ 2212.374999]  [<ffffffff813b4503>] device_release_driver+0x23/0x30
      [ 2212.378131]  [<ffffffff813b3c98>] bus_remove_device+0x108/0x180
      [ 2212.381358]  [<ffffffff813b0565>] device_del+0x135/0x1d0
      [ 2212.384454]  [<ffffffff81417760>] usb_disable_device+0xb0/0x270
      [ 2212.387451]  [<ffffffff8140d9cd>] usb_disconnect+0xad/0x1d0
      [ 2212.390294]  [<ffffffff8140f6cd>] hub_thread+0x63d/0x1660
      [ 2212.393034]  [<ffffffff8107c860>] ? wake_up_atomic_t+0x30/0x30
      [ 2212.395728]  [<ffffffff8140f090>] ? hub_port_debounce+0x130/0x130
      [ 2212.398412]  [<ffffffff8107baa0>] kthread+0xc0/0xd0
      [ 2212.401058]  [<ffffffff8107b9e0>] ? insert_kthread_work+0x40/0x40
      [ 2212.403639]  [<ffffffff8155de3c>] ret_from_fork+0x7c/0xb0
      [ 2212.406193]  [<ffffffff8107b9e0>] ? insert_kthread_work+0x40/0x40
      [ 2212.408732] Code: 24 58 08 00 00 bf 80 00 00 00 e8 3a c3 e0 e0 5b 41 5c 5d c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 8b 47 10 48 89 fb 4c 8b 6f 28 4c 8b 20 49 8b 04 24 4c 8b 30
      [ 2212.414671] RIP  [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb]
      [ 2212.417646]  RSP <ffff880212f67750>
      [ 2212.420547] CR2: 0000000000000250
      [ 2212.441024] ---[ end trace 5442918f33832bce ]---
      Signed-off-by: default avatarStanislaw Gruszka <stf_xl@wp.pl>
      Acked-by: default avatarHelmut Schaa <helmut.schaa@googlemail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7eebf56b
    • Steven Rostedt's avatar
      perf/ftrace: Fix paranoid level for enabling function tracer · d134082b
      Steven Rostedt authored
      commit 12ae030d upstream.
      
      The current default perf paranoid level is "1" which has
      "perf_paranoid_kernel()" return false, and giving any operations that
      use it, access to normal users. Unfortunately, this includes function
      tracing and normal users should not be allowed to enable function
      tracing by default.
      
      The proper level is defined at "-1" (full perf access), which
      "perf_paranoid_tracepoint_raw()" will only give access to. Use that
      check instead for enabling function tracing.
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Reported-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Tested-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      CVE: CVE-2013-2930
      Fixes: ced39002 ("ftrace, perf: Add support to use function tracepoint in perf")
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d134082b
    • Fan Du's avatar
      include/linux/fs.h: disable preempt when acquire i_size_seqcount write lock · f22ff9d0
      Fan Du authored
      commit 74e3d1e1 upstream.
      
      Two rt tasks bind to one CPU core.
      
      The higher priority rt task A preempts a lower priority rt task B which
      has already taken the write seq lock, and then the higher priority rt
      task A try to acquire read seq lock, it's doomed to lockup.
      
      rt task A with lower priority: call write
      i_size_write                                        rt task B with higher priority: call sync, and preempt task A
        write_seqcount_begin(&inode->i_size_seqcount);    i_size_read
        inode->i_size = i_size;                             read_seqcount_begin <-- lockup here...
      
      So disable preempt when acquiring every i_size_seqcount *write* lock will
      cure the problem.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Zhao Hongjiang <zhaohongjiang@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f22ff9d0
    • Oleg Nesterov's avatar
      exec: do not abuse ->cred_guard_mutex in threadgroup_lock() · df4011e0
      Oleg Nesterov authored
      commit e56fb287 upstream.
      
      threadgroup_lock() takes signal->cred_guard_mutex to ensure that
      thread_group_leader() is stable.  This doesn't look nice, the scope of
      this lock in do_execve() is huge.
      
      And as Dave pointed out this can lead to deadlock, we have the
      following dependencies:
      
      	do_execve:		cred_guard_mutex -> i_mutex
      	cgroup_mount:		i_mutex -> cgroup_mutex
      	attach_task_by_pid:	cgroup_mutex -> cred_guard_mutex
      
      Change de_thread() to take threadgroup_change_begin() around the
      switch-the-leader code and change threadgroup_lock() to avoid
      ->cred_guard_mutex.
      
      Note that de_thread() can't sleep with ->group_rwsem held, this can
      obviously deadlock with the exiting leader if the writer is active, so it
      does threadgroup_change_end() before schedule().
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarLi Zefan <lizefan@huawei.com>
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [ zhj: adjust context ]
      Signed-off-by: default avatarZhao Hongjiang <zhaohongjiang@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df4011e0
    • Al Viro's avatar
      Nest rename_lock inside vfsmount_lock · 1a9a8c2c
      Al Viro authored
      commit 7ea600b5 upstream.
      
      ... lest we get livelocks between path_is_under() and d_path() and friends.
      
      The thing is, wrt fairness lglocks are more similar to rwsems than to rwlocks;
      it is possible to have thread B spin on attempt to take lock shared while thread
      A is already holding it shared, if B is on lower-numbered CPU than A and there's
      a thread C spinning on attempt to take the same lock exclusive.
      
      As the result, we need consistent ordering between vfsmount_lock (lglock) and
      rename_lock (seq_lock), even though everything that takes both is going to take
      vfsmount_lock only shared.
      Spotted-by: default avatarBrad Spengler <spender@grsecurity.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [ zhj: backport to 3.4:
        - Adjust context
        - s/&vfsmount_lock/vfsmount_lock/]
      Signed-off-by: default avatarZhao Hongjiang <zhaohongjiang@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a9a8c2c
    • Andy Adamson's avatar
      SUNRPC: don't map EKEYEXPIRED to EACCES in call_refreshresult · acf9ebde
      Andy Adamson authored
      commit f1ff0c27 upstream.
      
      The NFS layer needs to know when a key has expired.
      This change also returns -EKEYEXPIRED to the application, and the informative
      "Key has expired" error message is displayed. The user then knows that
      credential renewal is required.
      Signed-off-by: default avatarAndy Adamson <andros@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      acf9ebde
    • Andy Adamson's avatar
      SUNRPC handle EKEYEXPIRED in call_refreshresult · 14384c73
      Andy Adamson authored
      commit eb96d5c9 upstream.
      
      Currently, when an RPCSEC_GSS context has expired or is non-existent
      and the users (Kerberos) credentials have also expired or are non-existent,
      the client receives the -EKEYEXPIRED error and tries to refresh the context
      forever.  If an application is performing I/O, or other work against the share,
      the application hangs, and the user is not prompted to refresh/establish their
      credentials. This can result in a denial of service for other users.
      
      Users are expected to manage their Kerberos credential lifetimes to mitigate
      this issue.
      
      Move the -EKEYEXPIRED handling into the RPC layer. Try tk_cred_retry number
      of times to refresh the gss_context, and then return -EACCES to the application.
      Signed-off-by: default avatarAndy Adamson <andros@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - Drop change to nfs4_handle_reclaim_lease_error()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14384c73
    • Linus Torvalds's avatar
      Fix a few incorrectly checked [io_]remap_pfn_range() calls · fa7b5d69
      Linus Torvalds authored
      commit 7314e613 upstream.
      
      Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
      really should use the vm_iomap_memory() helper.  This trivially converts
      two of them to the helper, and comments about why the third one really
      needs to continue to use remap_pfn_range(), and adds the missing size
      check.
      Reported-by: default avatarNico Golde <nico@ngolde.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
      [lizf: backported to 3.4:
       - adjust context
       - no uio_physical_vm_ops]
      Signed-off-by: default avatarLi Zefan <lizefan@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa7b5d69
    • David Woodhouse's avatar
      8139cp: re-enable interrupts after tx timeout · d05ee9e1
      David Woodhouse authored
      commit 01ffc0a7 upstream.
      
      Recovery doesn't work too well if we leave interrupts disabled...
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Acked-by: default avatarFrancois Romieu <romieu@fr.zoreil.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Luis Henriques <luis.henriques@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d05ee9e1
    • Markus Pargmann's avatar
      can: c_can: Fix RX message handling, handle lost message before EOB · 06d5a745
      Markus Pargmann authored
      commit 5d0f801a upstream.
      
      If we handle end of block messages with higher priority than a lost message,
      we can run into an endless interrupt loop.
      
      This is reproducable with a am335x processor and "cansequence -r" at 1Mbit.
      As soon as we loose a packet we can't escape from an interrupt loop.
      
      This patch fixes the problem by handling lost packets before EOB packets.
      Signed-off-by: default avatarMarkus Pargmann <mpa@pengutronix.de>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      06d5a745
    • Neil Horman's avatar
      crypto: ansi_cprng - Fix off by one error in non-block size request · 4a4c6cd2
      Neil Horman authored
      commit 714b33d1 upstream.
      
      Stephan Mueller reported to me recently a error in random number generation in
      the ansi cprng. If several small requests are made that are less than the
      instances block size, the remainder for loop code doesn't increment
      rand_data_valid in the last iteration, meaning that the last bytes in the
      rand_data buffer gets reused on the subsequent smaller-than-a-block request for
      random data.
      
      The fix is pretty easy, just re-code the for loop to make sure that
      rand_data_valid gets incremented appropriately
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Reported-by: default avatarStephan Mueller <stephan.mueller@atsec.com>
      CC: Stephan Mueller <stephan.mueller@atsec.com>
      CC: Petr Matousek <pmatouse@redhat.com>
      CC: Herbert Xu <herbert@gondor.apana.org.au>
      CC: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Cc: Luis Henriques <luis.henriques@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a4c6cd2
    • Johan Hovold's avatar
      USB: mos7840: fix tiocmget error handling · a4f4086a
      Johan Hovold authored
      commit a91ccd26 upstream.
      
      Make sure to return errors from tiocmget rather than rely on
      uninitialised stack data.
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a4f4086a
    • Bob Moore's avatar
      ACPICA: Fix for a Store->ArgX when ArgX contains a reference to a field. · 8e5931c3
      Bob Moore authored
      commit 4be4be8f upstream.
      
      This change fixes a problem where a Store operation to an ArgX object
      that contained a reference to a field object did not complete the
      automatic dereference and then write to the actual field object.
      Instead, the object type of the field object was inadvertently changed
      to match the type of the source operand. The new behavior will actually
      write to the field object (buffer field or field unit), thus matching
      the correct ACPI-defined behavior.
      Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e5931c3
    • Bob Moore's avatar
      ACPICA: Return error if DerefOf resolves to a null package element. · f9a3a293
      Bob Moore authored
      commit a50abf48 upstream.
      
      Disallow the dereference of a reference (via index) to an uninitialized
      package element. Provides compatibility with other ACPI
      implementations. ACPICA BZ 1003.
      
      References: https://bugs.acpica.org/show_bug.cgi?id=431Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9a3a293
    • Bob Moore's avatar
      ACPICA: DeRefOf operator: Update to fully resolve FieldUnit and BufferField refs. · 71a28e49
      Bob Moore authored
      commit 63660e05 upstream.
      
      Previously, references to these objects were resolved only to the actual
      FieldUnit or BufferField object. The correct behavior is to resolve these
      references to an actual value.
      The problem is that DerefOf did not resolve these objects to actual
      values.  An "Integer" object is simple, return the value.  But a field in
      an operation region will require a read operation.  For a BufferField, the
      appropriate data must be extracted from the parent buffer.
      
      NOTE: It appears that this issues is present in Windows7 but not
      Windows8.
      Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71a28e49
    • Bob Moore's avatar
      ACPICA: Interpreter: Fix Store() when implicit conversion is not possible. · b6af75b2
      Bob Moore authored
      commit 3f654bad upstream.
      
      For the cases such as a store of a string to an existing package
      object, implement the store as a CopyObject().
      This is a small departure from the ACPI specification which states
      that the control method should be aborted in this case. However,
      ASLTS suite depends on this behavior.
      Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b6af75b2
    • Mahesh Rajashekhara's avatar
      aacraid: prevent invalid pointer dereference · 3a7ed06c
      Mahesh Rajashekhara authored
      commit b4789b8e upstream.
      
      It appears that driver runs into a problem here if fibsize is too small
      because we allocate user_srbcmd with fibsize size only but later we
      access it until user_srbcmd->sg.count to copy it over to srbcmd.
      
      It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
      structure already includes one sg element and this is not needed for
      commands without data.  So, we would recommend to add the following
      (instead of test for fibsize == 0).
      Signed-off-by: default avatarMahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
      Reported-by: default avatarNico Golde <nico@ngolde.de>
      Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a7ed06c
    • Dan Carpenter's avatar
      libertas: potential oops in debugfs · e181e375
      Dan Carpenter authored
      commit a497e47d upstream.
      
      If we do a zero size allocation then it will oops.  Also we can't be
      sure the user passes us a NUL terminated string so I've added a
      terminator.
      
      This code can only be triggered by root.
      Reported-by: default avatarNico Golde <nico@ngolde.de>
      Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarDan Williams <dcbw@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e181e375
    • Jeff Layton's avatar
      nfs: don't allow nfs_find_actor to match inodes of the wrong type · d92fa5be
      Jeff Layton authored
      commit f6488c9b upstream.
      
      Benny Halevy reported the following oops when testing RHEL6:
      
      <7>nfs_update_inode: inode 892950 mode changed, 0040755 to 0100644
      <1>BUG: unable to handle kernel NULL pointer dereference at (null)
      <1>IP: [<ffffffffa02a52c5>] nfs_closedir+0x15/0x30 [nfs]
      <4>PGD 81448a067 PUD 831632067 PMD 0
      <4>Oops: 0000 [#1] SMP
      <4>last sysfs file: /sys/kernel/mm/redhat_transparent_hugepage/enabled
      <4>CPU 6
      <4>Modules linked in: fuse bonding 8021q garp ebtable_nat ebtables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi softdog bridge stp llc xt_physdev ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 xt_multiport iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 dm_round_robin dm_multipath objlayoutdriver2(U) nfs(U) lockd fscache auth_rpcgss nfs_acl sunrpc vhost_net macvtap macvlan tun kvm_intel kvm be2net igb dca ptp pps_core microcode serio_raw sg iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 mbcache jbd2 sd_mod crc_t10dif ahci dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]
      <4>
      <4>Pid: 6332, comm: dd Not tainted 2.6.32-358.el6.x86_64 #1 HP ProLiant DL170e G6  /ProLiant DL170e G6
      <4>RIP: 0010:[<ffffffffa02a52c5>]  [<ffffffffa02a52c5>] nfs_closedir+0x15/0x30 [nfs]
      <4>RSP: 0018:ffff88081458bb98  EFLAGS: 00010292
      <4>RAX: ffffffffa02a52b0 RBX: 0000000000000000 RCX: 0000000000000003
      <4>RDX: ffffffffa02e45a0 RSI: ffff88081440b300 RDI: ffff88082d5f5760
      <4>RBP: ffff88081458bba8 R08: 0000000000000000 R09: 0000000000000000
      <4>R10: 0000000000000772 R11: 0000000000400004 R12: 0000000040000008
      <4>R13: ffff88082d5f5760 R14: ffff88082d6e8800 R15: ffff88082f12d780
      <4>FS:  00007f728f37e700(0000) GS:ffff8800456c0000(0000) knlGS:0000000000000000
      <4>CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      <4>CR2: 0000000000000000 CR3: 0000000831279000 CR4: 00000000000007e0
      <4>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      <4>DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      <4>Process dd (pid: 6332, threadinfo ffff88081458a000, task ffff88082fa0e040)
      <4>Stack:
      <4> 0000000040000008 ffff88081440b300 ffff88081458bbf8 ffffffff81182745
      <4><d> ffff88082d5f5760 ffff88082d6e8800 ffff88081458bbf8 ffffffffffffffea
      <4><d> ffff88082f12d780 ffff88082d6e8800 ffffffffa02a50a0 ffff88082d5f5760
      <4>Call Trace:
      <4> [<ffffffff81182745>] __fput+0xf5/0x210
      <4> [<ffffffffa02a50a0>] ? do_open+0x0/0x20 [nfs]
      <4> [<ffffffff81182885>] fput+0x25/0x30
      <4> [<ffffffff8117e23e>] __dentry_open+0x27e/0x360
      <4> [<ffffffff811c397a>] ? inotify_d_instantiate+0x2a/0x60
      <4> [<ffffffff8117e4b9>] lookup_instantiate_filp+0x69/0x90
      <4> [<ffffffffa02a6679>] nfs_intent_set_file+0x59/0x90 [nfs]
      <4> [<ffffffffa02a686b>] nfs_atomic_lookup+0x1bb/0x310 [nfs]
      <4> [<ffffffff8118e0c2>] __lookup_hash+0x102/0x160
      <4> [<ffffffff81225052>] ? selinux_inode_permission+0x72/0xb0
      <4> [<ffffffff8118e76a>] lookup_hash+0x3a/0x50
      <4> [<ffffffff81192a4b>] do_filp_open+0x2eb/0xdd0
      <4> [<ffffffff8104757c>] ? __do_page_fault+0x1ec/0x480
      <4> [<ffffffff8119f562>] ? alloc_fd+0x92/0x160
      <4> [<ffffffff8117de79>] do_sys_open+0x69/0x140
      <4> [<ffffffff811811f6>] ? sys_lseek+0x66/0x80
      <4> [<ffffffff8117df90>] sys_open+0x20/0x30
      <4> [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
      <4>Code: 65 48 8b 04 25 c8 cb 00 00 83 a8 44 e0 ff ff 01 5b 41 5c c9 c3 90 55 48 89 e5 53 48 83 ec 08 0f 1f 44 00 00 48 8b 9e a0 00 00 00 <48> 8b 3b e8 13 0c f7 ff 48 89 df e8 ab 3d ec e0 48 83 c4 08 31
      <1>RIP  [<ffffffffa02a52c5>] nfs_closedir+0x15/0x30 [nfs]
      <4> RSP <ffff88081458bb98>
      <4>CR2: 0000000000000000
      
      I think this is ultimately due to a bug on the server. The client had
      previously found a directory dentry. It then later tried to do an atomic
      open on a new (regular file) dentry. The attributes it got back had the
      same filehandle as the previously found directory inode. It then tried
      to put the filp because it failed the aops tests for O_DIRECT opens, and
      oopsed here because the ctx was still NULL.
      
      Obviously the root cause here is a server issue, but we can take steps
      to mitigate this on the client. When nfs_fhget is called, we always know
      what type of inode it is. In the event that there's a broken or
      malicious server on the other end of the wire, the client can end up
      crashing because the wrong ops are set on it.
      
      Have nfs_find_actor check that the inode type is correct after checking
      the fileid. The fileid check should rarely ever match, so it should only
      rarely ever get to this check. In the case where we have a broken
      server, we may see two different inodes with the same i_ino, but the
      client should be able to cope with them without crashing.
      
      This should fix the oops reported here:
      
          https://bugzilla.redhat.com/show_bug.cgi?id=913660Reported-by: default avatarBenny Halevy <bhalevy@tonian.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: Rui Xiang <rui.xiang@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d92fa5be
    • Linus Torvalds's avatar
      vfs,proc: guarantee unique inodes in /proc · a3b4c0ba
      Linus Torvalds authored
      commit 51f0885e upstream.
      
      Dave Jones found another /proc issue with his Trinity tool: thanks to
      the namespace model, we can have multiple /proc dentries that point to
      the same inode, aliasing directories in /proc/<pid>/net/ for example.
      
      This ends up being a total disaster, because it acts like hardlinked
      directories, and causes locking problems.  We rely on the topological
      sort of the inodes pointed to by dentries, and if we have aliased
      directories, that odering becomes unreliable.
      
      In short: don't do this.  Multiple dentries with the same (directory)
      inode is just a bad idea, and the namespace code should never have
      exposed things this way.  But we're kind of stuck with it.
      
      This solves things by just always allocating a new inode during /proc
      dentry lookup, instead of using "iget_locked()" to look up existing
      inodes by superblock and number.  That actually simplies the code a bit,
      at the cost of potentially doing more inode [de]allocations.
      
      That said, the inode lookup wasn't free either (and did a lot of locking
      of inodes), so it is probably not that noticeable.  We could easily keep
      the old lookup model for non-directory entries, but rather than try to
      be excessively clever this just implements the minimal and simplest
      workaround for the problem.
      Reported-and-tested-by: default avatarDave Jones <davej@redhat.com>
      Analyzed-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Never drop the pde reference in proc_get_inode(), as callers only
         expect this when we return an existing inode, and we never do that now]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Rui Xiang <rui.xiang@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3b4c0ba
  2. 20 Nov, 2013 9 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.4.70 · 234d96ee
      Greg Kroah-Hartman authored
      234d96ee
    • Krzysztof Mazur's avatar
      usb: fix cleanup after failure in hub_configure() · a73ff614
      Krzysztof Mazur authored
      commit d0308d4b upstream.
      
      If the hub_configure() fails after setting the hdev->maxchild
      the hub->ports might be NULL or point to uninitialized kzallocated
      memory causing NULL pointer dereference in hub_quiesce() during cleanup.
      
      Now after such error the hdev->maxchild is set to 0 to avoid cleanup
      of uninitialized ports.
      Signed-off-by: default avatarKrzysztof Mazur <krzysiek@podlesie.net>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a73ff614
    • Rafael J. Wysocki's avatar
      PCI/PM: Clear state_saved during suspend · 17447567
      Rafael J. Wysocki authored
      commit 82fee4d6 upstream.
      
      This patch clears pci_dev->state_saved at the beginning of suspending.
      PCI config state may be saved long before that.  Some drivers call
      pci_save_state() from the ->probe() callback to get snapshot of sane
      configuration space to use in the ->slot_reset() callback.
      
      [wangyj: adjust context]
      Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org> # add comment
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarYijing Wang <wangyijing@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17447567
    • Nicolas Pitre's avatar
      ARM: 7670/1: fix the memset fix · d1814ea1
      Nicolas Pitre authored
      commit 418df63a upstream.
      
      Commit 455bd4c4 ("ARM: 7668/1: fix memset-related crashes caused by
      recent GCC (4.7.2) optimizations") attempted to fix a compliance issue
      with the memset return value.  However the memset itself became broken
      by that patch for misaligned pointers.
      
      This fixes the above by branching over the entry code from the
      misaligned fixup code to avoid reloading the original pointer.
      
      Also, because the function entry alignment is wrong in the Thumb mode
      compilation, that fixup code is moved to the end.
      
      While at it, the entry instructions are slightly reworked to help dual
      issue pipelines.
      Signed-off-by: default avatarNicolas Pitre <nico@linaro.org>
      Tested-by: default avatarAlexander Holler <holler@ahsoftware.de>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Cc: Eric Bénard <eric@eukrea.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d1814ea1
    • Ivan Djelic's avatar
      ARM: 7668/1: fix memset-related crashes caused by recent GCC (4.7.2) optimizations · e6fffec6
      Ivan Djelic authored
      commit 455bd4c4 upstream.
      
      Recent GCC versions (e.g. GCC-4.7.2) perform optimizations based on
      assumptions about the implementation of memset and similar functions.
      The current ARM optimized memset code does not return the value of
      its first argument, as is usually expected from standard implementations.
      
      For instance in the following function:
      
      void debug_mutex_lock_common(struct mutex *lock, struct mutex_waiter *waiter)
      {
      	memset(waiter, MUTEX_DEBUG_INIT, sizeof(*waiter));
      	waiter->magic = waiter;
      	INIT_LIST_HEAD(&waiter->list);
      }
      
      compiled as:
      
      800554d0 <debug_mutex_lock_common>:
      800554d0:       e92d4008        push    {r3, lr}
      800554d4:       e1a00001        mov     r0, r1
      800554d8:       e3a02010        mov     r2, #16 ; 0x10
      800554dc:       e3a01011        mov     r1, #17 ; 0x11
      800554e0:       eb04426e        bl      80165ea0 <memset>
      800554e4:       e1a03000        mov     r3, r0
      800554e8:       e583000c        str     r0, [r3, #12]
      800554ec:       e5830000        str     r0, [r3]
      800554f0:       e5830004        str     r0, [r3, #4]
      800554f4:       e8bd8008        pop     {r3, pc}
      
      GCC assumes memset returns the value of pointer 'waiter' in register r0; causing
      register/memory corruptions.
      
      This patch fixes the return value of the assembly version of memset.
      It adds a 'mov' instruction and merges an additional load+store into
      existing load/store instructions.
      For ease of review, here is a breakdown of the patch into 4 simple steps:
      
      Step 1
      ======
      Perform the following substitutions:
      ip -> r8, then
      r0 -> ip,
      and insert 'mov ip, r0' as the first statement of the function.
      At this point, we have a memset() implementation returning the proper result,
      but corrupting r8 on some paths (the ones that were using ip).
      
      Step 2
      ======
      Make sure r8 is saved and restored when (! CALGN(1)+0) == 1:
      
      save r8:
      -       str     lr, [sp, #-4]!
      +       stmfd   sp!, {r8, lr}
      
      and restore r8 on both exit paths:
      -       ldmeqfd sp!, {pc}               @ Now <64 bytes to go.
      +       ldmeqfd sp!, {r8, pc}           @ Now <64 bytes to go.
      (...)
              tst     r2, #16
              stmneia ip!, {r1, r3, r8, lr}
      -       ldr     lr, [sp], #4
      +       ldmfd   sp!, {r8, lr}
      
      Step 3
      ======
      Make sure r8 is saved and restored when (! CALGN(1)+0) == 0:
      
      save r8:
      -       stmfd   sp!, {r4-r7, lr}
      +       stmfd   sp!, {r4-r8, lr}
      
      and restore r8 on both exit paths:
              bgt     3b
      -       ldmeqfd sp!, {r4-r7, pc}
      +       ldmeqfd sp!, {r4-r8, pc}
      (...)
              tst     r2, #16
              stmneia ip!, {r4-r7}
      -       ldmfd   sp!, {r4-r7, lr}
      +       ldmfd   sp!, {r4-r8, lr}
      
      Step 4
      ======
      Rewrite register list "r4-r7, r8" as "r4-r8".
      Signed-off-by: default avatarIvan Djelic <ivan.djelic@parrot.com>
      Reviewed-by: default avatarNicolas Pitre <nico@linaro.org>
      Signed-off-by: default avatarDirk Behme <dirk.behme@gmail.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Cc: Eric Bénard <eric@eukrea.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e6fffec6
    • Steven Rostedt's avatar
      tracing: Fix potential out-of-bounds in trace_get_user() · af15b769
      Steven Rostedt authored
      commit 057db848 upstream.
      
      Andrey reported the following report:
      
      ERROR: AddressSanitizer: heap-buffer-overflow on address ffff8800359c99f3
      ffff8800359c99f3 is located 0 bytes to the right of 243-byte region [ffff8800359c9900, ffff8800359c99f3)
      Accessed by thread T13003:
        #0 ffffffff810dd2da (asan_report_error+0x32a/0x440)
        #1 ffffffff810dc6b0 (asan_check_region+0x30/0x40)
        #2 ffffffff810dd4d3 (__tsan_write1+0x13/0x20)
        #3 ffffffff811cd19e (ftrace_regex_release+0x1be/0x260)
        #4 ffffffff812a1065 (__fput+0x155/0x360)
        #5 ffffffff812a12de (____fput+0x1e/0x30)
        #6 ffffffff8111708d (task_work_run+0x10d/0x140)
        #7 ffffffff810ea043 (do_exit+0x433/0x11f0)
        #8 ffffffff810eaee4 (do_group_exit+0x84/0x130)
        #9 ffffffff810eafb1 (SyS_exit_group+0x21/0x30)
        #10 ffffffff81928782 (system_call_fastpath+0x16/0x1b)
      
      Allocated by thread T5167:
        #0 ffffffff810dc778 (asan_slab_alloc+0x48/0xc0)
        #1 ffffffff8128337c (__kmalloc+0xbc/0x500)
        #2 ffffffff811d9d54 (trace_parser_get_init+0x34/0x90)
        #3 ffffffff811cd7b3 (ftrace_regex_open+0x83/0x2e0)
        #4 ffffffff811cda7d (ftrace_filter_open+0x2d/0x40)
        #5 ffffffff8129b4ff (do_dentry_open+0x32f/0x430)
        #6 ffffffff8129b668 (finish_open+0x68/0xa0)
        #7 ffffffff812b66ac (do_last+0xb8c/0x1710)
        #8 ffffffff812b7350 (path_openat+0x120/0xb50)
        #9 ffffffff812b8884 (do_filp_open+0x54/0xb0)
        #10 ffffffff8129d36c (do_sys_open+0x1ac/0x2c0)
        #11 ffffffff8129d4b7 (SyS_open+0x37/0x50)
        #12 ffffffff81928782 (system_call_fastpath+0x16/0x1b)
      
      Shadow bytes around the buggy address:
        ffff8800359c9700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        ffff8800359c9780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        ffff8800359c9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        ffff8800359c9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        ffff8800359c9900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>ffff8800359c9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fb
        ffff8800359c9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        ffff8800359c9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        ffff8800359c9b00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        ffff8800359c9b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        ffff8800359c9c00: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap redzone:          fa
        Heap kmalloc redzone:  fb
        Freed heap region:     fd
        Shadow gap:            fe
      
      The out-of-bounds access happens on 'parser->buffer[parser->idx] = 0;'
      
      Although the crash happened in ftrace_regex_open() the real bug
      occurred in trace_get_user() where there's an incrementation to
      parser->idx without a check against the size. The way it is triggered
      is if userspace sends in 128 characters (EVENT_BUF_SIZE + 1), the loop
      that reads the last character stores it and then breaks out because
      there is no more characters. Then the last character is read to determine
      what to do next, and the index is incremented without checking size.
      
      Then the caller of trace_get_user() usually nulls out the last character
      with a zero, but since the index is equal to the size, it writes a nul
      character after the allocated space, which can corrupt memory.
      
      Luckily, only root user has write access to this file.
      
      Link: http://lkml.kernel.org/r/20131009222323.04fd1a0d@gandalf.local.homeReported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af15b769
    • Patrick McHardy's avatar
      netfilter: nf_ct_sip: don't drop packets with offsets pointing outside the packet · 9736cb3f
      Patrick McHardy authored
      commit 3a7b21ea upstream.
      
      Some Cisco phones create huge messages that are spread over multiple packets.
      After calculating the offset of the SIP body, it is validated to be within
      the packet and the packet is dropped otherwise. This breaks operation of
      these phones. Since connection tracking is supposed to be passive, just let
      those packets pass unmodified and untracked.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Cc: William Roberts <bill.c.roberts@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9736cb3f
    • Takashi Iwai's avatar
      ALSA: hda - Move one-time init codes from generic_hdmi_init() · 1ddb811a
      Takashi Iwai authored
      commit 8b8d654b upstream.
      
      The codes to initialize work struct or create a proc interface should
      be called only once and never although it's called many times through
      the init callback.  Move that stuff into patch_generic_hdmi() so that
      it's called only once.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      BugLink: https://bugs.launchpad.net/bugs/1212160Signed-off-by: default avatarDavid Henningsson <david.henningsson@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1ddb811a
    • Rui li's avatar
      USB: add new zte 3g-dongle's pid to option.c · a2757768
      Rui li authored
      commit 0636fc50 upstream.
      Signed-off-by: default avatarRui li <li.rui27@zte.com.cn>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2757768