1. 29 Jan, 2016 40 commits
    • Sven Eckelmann's avatar
      batman-adv: Drop immediate batadv_neigh_node free function · 988d1d15
      Sven Eckelmann authored
      [ Upstream commit 2baa753c ]
      
      It is not allowed to free the memory of an object which is part of a list
      which is protected by rcu-read-side-critical sections without making sure
      that no other context is accessing the object anymore. This usually happens
      by removing the references to this object and then waiting until the rcu
      grace period is over and no one (allowedly) accesses it anymore.
      
      But the _now functions ignore this completely. They free the object
      directly even when a different context still tries to access it. This has
      to be avoided and thus these functions must be removed and all functions
      have to use batadv_neigh_node_free_ref.
      
      Fixes: 89652331 ("batman-adv: split tq information in neigh_node struct")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      988d1d15
    • Sven Eckelmann's avatar
      batman-adv: Drop immediate batadv_orig_ifinfo free function · 1a028ab3
      Sven Eckelmann authored
      [ Upstream commit deed9660 ]
      
      It is not allowed to free the memory of an object which is part of a list
      which is protected by rcu-read-side-critical sections without making sure
      that no other context is accessing the object anymore. This usually happens
      by removing the references to this object and then waiting until the rcu
      grace period is over and no one (allowedly) accesses it anymore.
      
      But the _now functions ignore this completely. They free the object
      directly even when a different context still tries to access it. This has
      to be avoided and thus these functions must be removed and all functions
      have to use batadv_orig_ifinfo_free_ref.
      
      Fixes: 7351a482 ("batman-adv: split out router from orig_node")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      1a028ab3
    • Sven Eckelmann's avatar
      batman-adv: Avoid recursive call_rcu for batadv_nc_node · 73234039
      Sven Eckelmann authored
      [ Upstream commit 44e8e7e9 ]
      
      The batadv_nc_node_free_ref function uses call_rcu to delay the free of the
      batadv_nc_node object until no (already started) rcu_read_lock is enabled
      anymore. This makes sure that no context is still trying to access the
      object which should be removed. But batadv_nc_node also contains a
      reference to orig_node which must be removed.
      
      The reference drop of orig_node was done in the call_rcu function
      batadv_nc_node_free_rcu but should actually be done in the
      batadv_nc_node_release function to avoid nested call_rcus. This is
      important because rcu_barrier (e.g. batadv_softif_free or batadv_exit) will
      not detect the inner call_rcu as relevant for its execution. Otherwise this
      barrier will most likely be inserted in the queue before the callback of
      the first call_rcu was executed. The caller of rcu_barrier will therefore
      continue to run before the inner call_rcu callback finished.
      
      Fixes: d56b1705 ("batman-adv: network coding - detect coding nodes and remove these after timeout")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      73234039
    • Sven Eckelmann's avatar
      batman-adv: Avoid recursive call_rcu for batadv_bla_claim · 96a84694
      Sven Eckelmann authored
      [ Upstream commit 63b39927 ]
      
      The batadv_claim_free_ref function uses call_rcu to delay the free of the
      batadv_bla_claim object until no (already started) rcu_read_lock is enabled
      anymore. This makes sure that no context is still trying to access the
      object which should be removed. But batadv_bla_claim also contains a
      reference to backbone_gw which must be removed.
      
      The reference drop of backbone_gw was done in the call_rcu function
      batadv_claim_free_rcu but should actually be done in the
      batadv_claim_release function to avoid nested call_rcus. This is important
      because rcu_barrier (e.g. batadv_softif_free or batadv_exit) will not
      detect the inner call_rcu as relevant for its execution. Otherwise this
      barrier will most likely be inserted in the queue before the callback of
      the first call_rcu was executed. The caller of rcu_barrier will therefore
      continue to run before the inner call_rcu callback finished.
      
      Fixes: 23721387 ("batman-adv: add basic bridge loop avoidance code")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      96a84694
    • Nikolay Aleksandrov's avatar
      bridge: fix lockdep addr_list_lock false positive splat · d2f1feae
      Nikolay Aleksandrov authored
      [ Upstream commit c6894dec ]
      
      After promisc mode management was introduced a bridge device could do
      dev_set_promiscuity from its ndo_change_rx_flags() callback which in
      turn can be called after the bridge's addr_list_lock has been taken
      (e.g. by dev_uc_add). This causes a false positive lockdep splat because
      the port interfaces' addr_list_lock is taken when br_manage_promisc()
      runs after the bridge's addr list lock was already taken.
      To remove the false positive introduce a custom bridge addr_list_lock
      class and set it on bridge init.
      A simple way to reproduce this is with the following:
      $ brctl addbr br0
      $ ip l add l br0 br0.100 type vlan id 100
      $ ip l set br0 up
      $ ip l set br0.100 up
      $ echo 1 > /sys/class/net/br0/bridge/vlan_filtering
      $ brctl addif br0 eth0
      Splat:
      [   43.684325] =============================================
      [   43.684485] [ INFO: possible recursive locking detected ]
      [   43.684636] 4.4.0-rc8+ #54 Not tainted
      [   43.684755] ---------------------------------------------
      [   43.684906] brctl/1187 is trying to acquire lock:
      [   43.685047]  (_xmit_ETHER){+.....}, at: [<ffffffff8150169e>] dev_set_rx_mode+0x1e/0x40
      [   43.685460]  but task is already holding lock:
      [   43.685618]  (_xmit_ETHER){+.....}, at: [<ffffffff815072a7>] dev_uc_add+0x27/0x80
      [   43.686015]  other info that might help us debug this:
      [   43.686316]  Possible unsafe locking scenario:
      
      [   43.686743]        CPU0
      [   43.686967]        ----
      [   43.687197]   lock(_xmit_ETHER);
      [   43.687544]   lock(_xmit_ETHER);
      [   43.687886] *** DEADLOCK ***
      
      [   43.688438]  May be due to missing lock nesting notation
      
      [   43.688882] 2 locks held by brctl/1187:
      [   43.689134]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81510317>] rtnl_lock+0x17/0x20
      [   43.689852]  #1:  (_xmit_ETHER){+.....}, at: [<ffffffff815072a7>] dev_uc_add+0x27/0x80
      [   43.690575] stack backtrace:
      [   43.690970] CPU: 0 PID: 1187 Comm: brctl Not tainted 4.4.0-rc8+ #54
      [   43.691270] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
      [   43.691770]  ffffffff826a25c0 ffff8800369fb8e0 ffffffff81360ceb ffffffff826a25c0
      [   43.692425]  ffff8800369fb9b8 ffffffff810d0466 ffff8800369fb968 ffffffff81537139
      [   43.693071]  ffff88003a08c880 0000000000000000 00000000ffffffff 0000000002080020
      [   43.693709] Call Trace:
      [   43.693931]  [<ffffffff81360ceb>] dump_stack+0x4b/0x70
      [   43.694199]  [<ffffffff810d0466>] __lock_acquire+0x1e46/0x1e90
      [   43.694483]  [<ffffffff81537139>] ? netlink_broadcast_filtered+0x139/0x3e0
      [   43.694789]  [<ffffffff8153b5da>] ? nlmsg_notify+0x5a/0xc0
      [   43.695064]  [<ffffffff810d10f5>] lock_acquire+0xe5/0x1f0
      [   43.695340]  [<ffffffff8150169e>] ? dev_set_rx_mode+0x1e/0x40
      [   43.695623]  [<ffffffff815edea5>] _raw_spin_lock_bh+0x45/0x80
      [   43.695901]  [<ffffffff8150169e>] ? dev_set_rx_mode+0x1e/0x40
      [   43.696180]  [<ffffffff8150169e>] dev_set_rx_mode+0x1e/0x40
      [   43.696460]  [<ffffffff8150189c>] dev_set_promiscuity+0x3c/0x50
      [   43.696750]  [<ffffffffa0586845>] br_port_set_promisc+0x25/0x50 [bridge]
      [   43.697052]  [<ffffffffa05869aa>] br_manage_promisc+0x8a/0xe0 [bridge]
      [   43.697348]  [<ffffffffa05826ee>] br_dev_change_rx_flags+0x1e/0x20 [bridge]
      [   43.697655]  [<ffffffff81501532>] __dev_set_promiscuity+0x132/0x1f0
      [   43.697943]  [<ffffffff81501672>] __dev_set_rx_mode+0x82/0x90
      [   43.698223]  [<ffffffff815072de>] dev_uc_add+0x5e/0x80
      [   43.698498]  [<ffffffffa05b3c62>] vlan_device_event+0x542/0x650 [8021q]
      [   43.698798]  [<ffffffff8109886d>] notifier_call_chain+0x5d/0x80
      [   43.699083]  [<ffffffff810988b6>] raw_notifier_call_chain+0x16/0x20
      [   43.699374]  [<ffffffff814f456e>] call_netdevice_notifiers_info+0x6e/0x80
      [   43.699678]  [<ffffffff814f4596>] call_netdevice_notifiers+0x16/0x20
      [   43.699973]  [<ffffffffa05872be>] br_add_if+0x47e/0x4c0 [bridge]
      [   43.700259]  [<ffffffffa058801e>] add_del_if+0x6e/0x80 [bridge]
      [   43.700548]  [<ffffffffa0588b5f>] br_dev_ioctl+0xaf/0xc0 [bridge]
      [   43.700836]  [<ffffffff8151a7ac>] dev_ifsioc+0x30c/0x3c0
      [   43.701106]  [<ffffffff8151aac9>] dev_ioctl+0xf9/0x6f0
      [   43.701379]  [<ffffffff81254345>] ? mntput_no_expire+0x5/0x450
      [   43.701665]  [<ffffffff812543ee>] ? mntput_no_expire+0xae/0x450
      [   43.701947]  [<ffffffff814d7b02>] sock_do_ioctl+0x42/0x50
      [   43.702219]  [<ffffffff814d8175>] sock_ioctl+0x1e5/0x290
      [   43.702500]  [<ffffffff81242d0b>] do_vfs_ioctl+0x2cb/0x5c0
      [   43.702771]  [<ffffffff81243079>] SyS_ioctl+0x79/0x90
      [   43.703033]  [<ffffffff815eebb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
      
      CC: Vlad Yasevich <vyasevic@redhat.com>
      CC: Stephen Hemminger <stephen@networkplumber.org>
      CC: Bridge list <bridge@lists.linux-foundation.org>
      CC: Andy Gospodarek <gospo@cumulusnetworks.com>
      CC: Roopa Prabhu <roopa@cumulusnetworks.com>
      Fixes: 2796d0c6 ("bridge: Automatically manage port promiscuous mode.")
      Reported-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      d2f1feae
    • Eric Dumazet's avatar
      ipv6: update skb->csum when CE mark is propagated · ca7f40ec
      Eric Dumazet authored
      [ Upstream commit 34ae6a1a ]
      
      When a tunnel decapsulates the outer header, it has to comply
      with RFC 6080 and eventually propagate CE mark into inner header.
      
      It turns out IP6_ECN_set_ce() does not correctly update skb->csum
      for CHECKSUM_COMPLETE packets, triggering infamous "hw csum failure"
      messages and stack traces.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ca7f40ec
    • Rabin Vincent's avatar
      net: bpf: reject invalid shifts · 4540f1c1
      Rabin Vincent authored
      [ Upstream commit 229394e8 ]
      
      On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
      constant shift that can't be encoded in the immediate field of the
      UBFM/SBFM instructions is passed to the JIT.  Since these shifts
      amounts, which are negative or >= regsize, are invalid, reject them in
      the eBPF verifier and the classic BPF filter checker, for all
      architectures.
      Signed-off-by: default avatarRabin Vincent <rabin@rab.in>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      4540f1c1
    • Eric Dumazet's avatar
      phonet: properly unshare skbs in phonet_rcv() · 2558ef49
      Eric Dumazet authored
      [ Upstream commit 7aaed57c ]
      
      Ivaylo Dimitrov reported a regression caused by commit 7866a621
      ("dev: add per net_device packet type chains").
      
      skb->dev becomes NULL and we crash in __netif_receive_skb_core().
      
      Before above commit, different kind of bugs or corruptions could happen
      without major crash.
      
      But the root cause is that phonet_rcv() can queue skb without checking
      if skb is shared or not.
      
      Many thanks to Ivaylo Dimitrov for his help, diagnosis and tests.
      Reported-by: default avatarIvaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
      Tested-by: default avatarIvaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Remi Denis-Courmont <courmisch@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      2558ef49
    • Karl Heiss's avatar
      bonding: Prevent IPv6 link local address on enslaved devices · 68ab182d
      Karl Heiss authored
      [ Upstream commit 03d84a5f ]
      
      Commit 1f718f0f ("bonding: populate neighbour's private on enslave")
      undoes the fix provided by commit c2edacf8 ("bonding / ipv6: no addrconf
      for slaves separately from master") by effectively setting the slave flag
      after the slave has been opened.  If the slave comes up quickly enough, it
      will go through the IPv6 addrconf before the slave flag has been set and
      will get a link local IPv6 address.
      
      In order to ensure that addrconf knows to ignore the slave devices on state
      change, set IFF_SLAVE before dev_open() during bonding enslavement.
      
      Fixes: 1f718f0f ("bonding: populate neighbour's private on enslave")
      Signed-off-by: default avatarKarl Heiss <kheiss@gmail.com>
      Signed-off-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Reviewed-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      68ab182d
    • Konstantin Khlebnikov's avatar
      net: preserve IP control block during GSO segmentation · b2803c41
      Konstantin Khlebnikov authored
      [ Upstream commit 9207f9d4 ]
      
      Skb_gso_segment() uses skb control block during segmentation.
      This patch adds 32-bytes room for previous control block which
      will be copied into all resulting segments.
      
      This patch fixes kernel crash during fragmenting forwarded packets.
      Fragmentation requires valid IP CB in skb for clearing ip options.
      Also patch removes custom save/restore in ovs code, now it's redundant.
      Signed-off-by: default avatarKonstantin Khlebnikov <koct9i@gmail.com>
      Link: http://lkml.kernel.org/r/CALYGNiP-0MZ-FExV2HutTvE9U-QQtkKSoE--KN=JQE5STYsjAA@mail.gmail.comSigned-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      b2803c41
    • Michal Kubeček's avatar
      udp: disallow UFO for sockets with SO_NO_CHECK option · 5d5076ec
      Michal Kubeček authored
      [ Upstream commit 40ba3302 ]
      
      Commit acf8dd0a ("udp: only allow UFO for packets from SOCK_DGRAM
      sockets") disallows UFO for packets sent from raw sockets. We need to do
      the same also for SOCK_DGRAM sockets with SO_NO_CHECK options, even if
      for a bit different reason: while such socket would override the
      CHECKSUM_PARTIAL set by ip_ufo_append_data(), gso_size is still set and
      bad offloading flags warning is triggered in __skb_gso_segment().
      
      In the IPv6 case, SO_NO_CHECK option is ignored but we need to disallow
      UFO for packets sent by sockets with UDP_NO_CHECK6_TX option.
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Tested-by: default avatarShannon Nelson <shannon.nelson@intel.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      5d5076ec
    • Neal Cardwell's avatar
      tcp_yeah: don't set ssthresh below 2 · 3ddce9ec
      Neal Cardwell authored
      [ Upstream commit 83d15e70 ]
      
      For tcp_yeah, use an ssthresh floor of 2, the same floor used by Reno
      and CUBIC, per RFC 5681 (equation 4).
      
      tcp_yeah_ssthresh() was sometimes returning a 0 or negative ssthresh
      value if the intended reduction is as big or bigger than the current
      cwnd. Congestion control modules should never return a zero or
      negative ssthresh. A zero ssthresh generally results in a zero cwnd,
      causing the connection to stall. A negative ssthresh value will be
      interpreted as a u32 and will set a target cwnd for PRR near 4
      billion.
      
      Oleksandr Natalenko reported that a system using tcp_yeah with ECN
      could see a warning about a prior_cwnd of 0 in
      tcp_cwnd_reduction(). Testing verified that this was due to
      tcp_yeah_ssthresh() misbehaving in this way.
      Reported-by: default avatarOleksandr Natalenko <oleksandr@natalenko.name>
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      3ddce9ec
    • Sasha Levin's avatar
      net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory · 105ae375
      Sasha Levin authored
      [ Upstream commit 320f1a4a ]
      
      proc_dostring() needs an initialized destination string, while the one
      provided in proc_sctp_do_hmac_alg() contains stack garbage.
      
      Thus, writing to cookie_hmac_alg would strlen() that garbage and end up
      accessing invalid memory.
      
      Fixes: 3c68198e ("sctp: Make hmac algorithm selection for cookie generation dynamic")
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      105ae375
    • Nicolas Dichtel's avatar
      vxlan: fix test which detect duplicate vxlan iface · 780a5b75
      Nicolas Dichtel authored
      [ Upstream commit 07b9b37c ]
      
      When a vxlan interface is created, the driver checks that there is not
      another vxlan interface with the same properties. To do this, it checks
      the existing vxlan udp socket. Since commit 1c51a915, the creation of
      the vxlan socket is done only when the interface is set up, thus it breaks
      that test.
      
      Example:
      $ ip l a vxlan10 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
      $ ip l a vxlan11 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
      $ ip -br l | grep vxlan
      vxlan10          DOWN           f2:55:1c:6a:fb:00 <BROADCAST,MULTICAST>
      vxlan11          DOWN           7a:cb:b9:38:59:0d <BROADCAST,MULTICAST>
      
      Instead of checking sockets, let's loop over the vxlan iface list.
      
      Fixes: 1c51a915 ("vxlan: fix race caused by dropping rtnl_unlock")
      Reported-by: default avatarThomas Faivre <thomas.faivre@6wind.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      780a5b75
    • Hannes Frederic Sowa's avatar
      bridge: Only call /sbin/bridge-stp for the initial network namespace · 40db2513
      Hannes Frederic Sowa authored
      [ Upstream commit ff621985 ]
      
      [I stole this patch from Eric Biederman. He wrote:]
      
      > There is no defined mechanism to pass network namespace information
      > into /sbin/bridge-stp therefore don't even try to invoke it except
      > for bridge devices in the initial network namespace.
      >
      > It is possible for unprivileged users to cause /sbin/bridge-stp to be
      > invoked for any network device name which if /sbin/bridge-stp does not
      > guard against unreasonable arguments or being invoked twice on the
      > same network device could cause problems.
      
      [Hannes: changed patch using netns_eq]
      
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      40db2513
    • willy tarreau's avatar
      unix: properly account for FDs passed over unix sockets · 75bf68f2
      willy tarreau authored
      [ Upstream commit 712f4aad ]
      
      It is possible for a process to allocate and accumulate far more FDs than
      the process' limit by sending them over a unix socket then closing them
      to keep the process' fd count low.
      
      This change addresses this problem by keeping track of the number of FDs
      in flight per user and preventing non-privileged processes from having
      more FDs in flight than their configured FD limit.
      
      Reported-by: socketpair@gmail.com
      Reported-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Mitigates: CVE-2013-4312 (Linux 2.0+)
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      75bf68f2
    • Florian Westphal's avatar
      connector: bump skb->users before callback invocation · f8beafa5
      Florian Westphal authored
      [ Upstream commit 55285bf0 ]
      
      Dmitry reports memleak with syskaller program.
      Problem is that connector bumps skb usecount but might not invoke callback.
      
      So move skb_get to where we invoke the callback.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      f8beafa5
    • Xin Long's avatar
      sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close · 7b42666b
      Xin Long authored
      [ Upstream commit 068d8bd3 ]
      
      In sctp_close, sctp_make_abort_user may return NULL because of memory
      allocation failure. If this happens, it will bypass any state change
      and never free the assoc. The assoc has no chance to be freed and it
      will be kept in memory with the state it had even after the socket is
      closed by sctp_close().
      
      So if sctp_make_abort_user fails to allocate memory, we should abort
      the asoc via sctp_primitive_ABORT as well. Just like the annotation in
      sctp_sf_cookie_wait_prm_abort and sctp_sf_do_9_1_prm_abort said,
      "Even if we can't send the ABORT due to low memory delete the TCB.
      This is a departure from our typical NOMEM handling".
      
      But then the chunk is NULL (low memory) and the SCTP_CMD_REPLY cmd would
      dereference the chunk pointer, and system crash. So we should add
      SCTP_CMD_REPLY cmd only when the chunk is not NULL, just like other
      places where it adds SCTP_CMD_REPLY cmd.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      7b42666b
    • Bjørn Mork's avatar
      net: cdc_ncm: avoid changing RX/TX buffers on MTU changes · b0b03129
      Bjørn Mork authored
      [ Upstream commit 1dfddff5 ]
      
      NCM buffer sizes are negotiated with the device independently of
      the network device MTU.  The RX buffers are allocated by the
      usbnet framework based on the rx_urb_size value set by cdc_ncm. A
      single RX buffer can hold a number of MTU sized packets.
      
      The default usbnet change_mtu ndo only modifies rx_urb_size if it
      is equal to hard_mtu.  And the cdc_ncm driver will set rx_urb_size
      and hard_mtu independently of each other, based on dwNtbInMaxSize
      and dwNtbOutMaxSize respectively. It was therefore assumed that
      usbnet_change_mtu() would never touch rx_urb_size.  This failed to
      consider the case where dwNtbInMaxSize and dwNtbOutMaxSize happens
      to be equal.
      
      Fix by implementing an NCM specific change_mtu ndo, modifying the
      netdev MTU without touching the buffer size settings.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      b0b03129
    • Vijay Pandurangan's avatar
      veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. · f3afc7d3
      Vijay Pandurangan authored
      [ Upstream commit ce8c839b ]
      
      Packets that arrive from real hardware devices have ip_summed ==
      CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
      CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
      current version of veth will replace CHECKSUM_NONE with
      CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
      a veth device to be delivered to the application. This caused applications
      at Twitter to receive corrupt data when network hardware was corrupting
      packets.
      
      We believe this was added as an optimization to skip computing and
      verifying checksums for communication between containers. However, locally
      generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as
      written does nothing for them. As far as we can tell, after removing this
      code, these packets are transmitted from one stack to another unmodified
      (tcpdump shows invalid checksums on both sides, as expected), and they are
      delivered correctly to applications. We didn’t test every possible network
      configuration, but we tried a few common ones such as bridging containers,
      using NAT between the host and a container, and routing from hardware
      devices to containers. We have effectively deployed this in production at
      Twitter (by disabling RX checksum offloading on veth devices).
      
      This code dates back to the first version of the driver, commit
      <e314dbdc> ("[NET]: Virtual ethernet device driver"), so I
      suspect this bug occurred mostly because the driver API has evolved
      significantly since then. Commit <0b796750> ("net/veth: Fix
      packet checksumming") (in December 2010) fixed this for packets that get
      created locally and sent to hardware devices, by not changing
      CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming
      in from hardware devices.
      Co-authored-by: default avatarEvan Jones <ej@evanjones.ca>
      Signed-off-by: default avatarEvan Jones <ej@evanjones.ca>
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Cc: Phil Sutter <phil@nwl.cc>
      Cc: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarVijay Pandurangan <vijayp@vijayp.ca>
      Acked-by: default avatarCong Wang <cwang@twopensource.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      f3afc7d3
    • Moni Shoua's avatar
      net/mlx4: Remove unused macro · 03131280
      Moni Shoua authored
      commit f25bf197 upstream.
      
      The macro mlx4_foreach_non_ib_transport_port() is not used anywhere. Remove it.
      
      Fixes: aa9a2d51 ("mlx4: Activate RoCE/SRIOV")
      Signed-off-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      03131280
    • Matan Barak's avatar
      IB/mlx4: Initialize hop_limit when creating address handle · bcffa6fa
      Matan Barak authored
      commit 4e408167 upstream.
      
      Hop limit value wasn't copied from attributes  when ah was created.
      This may influence packets for unconnected services to get dropped in
      routers when endpoints are not in the same subnet.
      
      Fixes: fa417f7b ("IB/mlx4: Add support for IBoE")
      Signed-off-by: default avatarMatan Barak <matanb@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      bcffa6fa
    • Chuanxiao Dong's avatar
      mmc: debugfs: correct wrong voltage value · ef270e45
      Chuanxiao Dong authored
      commit 0036e746 upstream.
      
      Correct the wrong voltage value shown in debugfs for mmc/sd/sdio.
      Signed-off-by: default avatarChuanxiao Dong <chuanxiao.dong@intel.com>
      Signed-off-by: default avatarPawel Wodkowski <pawelx.wodkowski@intel.com>
      Fixes: 42cd95a0 ("mmc: core: debugfs: Add signal_voltage to ios dump")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ef270e45
    • Geert Uytterhoeven's avatar
      ARM: dts: armadillo800eva Correct extal1 frequency to 24 MHz · 752d78d7
      Geert Uytterhoeven authored
      commit c61f30a2 upstream.
      
      On r8a7740/armadillo, actual clock rates are ca. 4% lower than reported
      by /sys/kernel/debug/clk/clk_summary. Correct the extal1 frequency from
      25 MHz to 24 MHz to fix this.
      
      This matches the Armadillo-800 EVA Product Manual, which claims the main
      crystal runs at 24 MHz, and the old legacy/reference board code.
      
      Fixes: 25aa7ba3 ("ARM: shmobile: armadillo800eva: Sync DTS")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      752d78d7
    • Aaron Conole's avatar
      printk: help pr_debug and pr_devel to optimize out arguments · e5193590
      Aaron Conole authored
      commit fe22cd9b upstream.
      
      Currently, pr_debug and pr_devel will not elide function call arguments
      appearing in calls to the no_printk for these macros.  This is because
      all side effects must be honored before proceeding to the 0-value
      assignment in no_printk.
      
      The behavior is contrary to documentation found in the CodingStyle and
      the header file where these functions are declared.
      
      This patch corrects that behavior by shunting out the call to no_printk
      completely.  The format string is still checked by gcc for correctness,
      but no code seems to be emitted in common cases.
      
      [akpm@linux-foundation.org: remove braces, per Joe]
      Fixes: 5264f2f7 ("include/linux/printk.h: use and neaten no_printk")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Joe Perches <joe@perches.com>
      Cc: Jason Baron <jbaron@akamai.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e5193590
    • Sebastian Andrzej Siewior's avatar
      btrfs: initialize the seq counter in struct btrfs_device · d37eba3d
      Sebastian Andrzej Siewior authored
      commit 546bed63 upstream.
      
      I managed to trigger this:
      | INFO: trying to register non-static key.
      | the code is fine but needs lockdep annotation.
      | turning off the locking correctness validator.
      | CPU: 1 PID: 781 Comm: systemd-gpt-aut Not tainted 4.4.0-rt2+ #14
      | Hardware name: ARM-Versatile Express
      | [<80307cec>] (dump_stack)
      | [<80070e98>] (__lock_acquire)
      | [<8007184c>] (lock_acquire)
      | [<80287800>] (btrfs_ioctl)
      | [<8012a8d4>] (do_vfs_ioctl)
      | [<8012ac14>] (SyS_ioctl)
      
      so I think that btrfs_device_data_ordered_init() is not invoked behind
      a macro somewhere.
      
      Fixes: 7cc8e58d ("Btrfs: fix unprotected device's variants on 32bits machine")
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      d37eba3d
    • Dan Carpenter's avatar
      Btrfs: clean up an error code in btrfs_init_space_info() · d317fa1b
      Dan Carpenter authored
      commit 0dc924c5 upstream.
      
      If we return 1 here, then the caller treats it as an error and returns
      -EINVAL.  It causes a static checker warning to treat positive returns
      as an error.
      
      Fixes: 1aba86d6 ('Btrfs: fix easily get into ENOSPC in mixed case')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      d317fa1b
    • Christoph Lameter's avatar
      vmstat: make vmstat_updater deferrable again and shut down on idle · c401d879
      Christoph Lameter authored
      commit 0eb77e98 upstream.
      
      Currently the vmstat updater is not deferrable as a result of commit
      ba4877b9 ("vmstat: do not use deferrable delayed work for
      vmstat_update").  This in turn can cause multiple interruptions of the
      applications because the vmstat updater may run at
      
      Make vmstate_update deferrable again and provide a function that folds
      the differentials when the processor is going to idle mode thus
      addressing the issue of the above commit in a clean way.
      
      Note that the shepherd thread will continue scanning the differentials
      from another processor and will reenable the vmstat workers if it
      detects any changes.
      
      Fixes: ba4877b9 ("vmstat: do not use deferrable delayed work for vmstat_update")
      Signed-off-by: default avatarChristoph Lameter <cl@linux.com>
      Cc: Michal Hocko <mhocko@suse.cz>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [ kamal: backport to 4.2-stable: context ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      c401d879
    • Johannes Weiner's avatar
      net: tcp_memcontrol: properly detect ancestor socket pressure · 9c5b1997
      Johannes Weiner authored
      commit 8c2c2358 upstream.
      
      When charging socket memory, the code currently checks only the local
      page counter for excess to determine whether the memcg is under socket
      pressure.  But even if the local counter is fine, one of the ancestors
      could have breached its limit, which should also force this child to
      enter socket pressure.  This currently doesn't happen.
      
      Fix this by using page_counter_try_charge() first.  If that fails, it
      means that either the local counter or one of the ancestors are in
      excess of their limit, and the child should enter socket pressure.
      
      Fixes: 3e32cb2e ("mm: memcontrol: lockless page counters")
      Signed-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Reviewed-by: default avatarVladimir Davydov <vdavydov@virtuozzo.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9c5b1997
    • Russell King's avatar
      mmc: sd: limit SD card power limit according to cards capabilities · 500bcf7a
      Russell King authored
      commit d9812780 upstream.
      
      The SD card specification allows cards to error out a SWITCH command
      where the requested function in a group is not supported.  The spec
      provides for a set of capabilities which indicate which functions are
      supported.
      
      In the case of the power limit, requesting an unsupported power level
      via the SWITCH command fails, resulting in the power level remaining at
      the power-on default of 0.72W, even though the host and card may support
      higher powers levels.
      
      This has been seen with SanDisk 8GB cards, which support the default
      0.72W and 1.44W (200mA and 400mA) in combination with an iMX6 host,
      supporting up to 2.88W (800mA).  This currently causes us to try to set
      a power limit function value of '3' (2.88W) which the card errors out
      on, and thereby causes the power level to remain at 0.72W rather than
      the desired 1.44W.
      
      Arrange to limit the selected current limit by the capabilities reported
      by the card to avoid the SWITCH command failing.  Select the highest
      current limit that the host and card combination support.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Fixes: a39ca6ae ("mmc: core: Simplify and fix for SD switch processing")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      500bcf7a
    • Lee Jones's avatar
      kbuild: Demote 'sign-compare' warning to W=2 · 86d38ef7
      Lee Jones authored
      commit 7599ea8b upstream.
      
      Ideally, a kernel compile with W=1 enabled should complete cleanly;
      however, when we run one currently we are presented with ~25k warnings.
      'sign-compare' accounts for ~22k of those ~25k.
      
      In this patch we're demoting 'sign-compare' warnings to W=2, with a view
      to fixing the remaining 3k W=1 warnings required for a clean build.
      
      Arnd adds:
        "As per our discussion, I'd add that this was inadvertedly introduced
         by Behan when he moved the clang specific warnings into an ifdef block
         and did not notice that -Wsign-compare was interpreted by both gcc
         and clang.
      
         Earlier, it was introduced in just the same way by Jan-Simon as part
         of 3d3d6b84 ("kbuild: LLVMLinux: Adapt warnings for compilation
         with clang")."
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 26ea6bb1 ("kbuild, LLVMLinux: Supress warnings unless W=1-3")
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      86d38ef7
    • Mickaël Salaün's avatar
      um: Fix build error and kconfig for i386 · a3b9e74b
      Mickaël Salaün authored
      commit 42d91f61 upstream.
      
      Fix build error by generating elfcore.o only when ELF_CORE (depending on
      COREDUMP) is selected:
      
      arch/x86/um/built-in.o: In function `elf_core_write_extra_phdrs':
      (.text+0x3e62): undefined reference to `dump_emit'
      arch/x86/um/built-in.o: In function `elf_core_write_extra_data':
      (.text+0x3eef): undefined reference to `dump_emit'
      
      Fixes: 5d2acfc7 ("kconfig: make allnoconfig disable options behind EMBEDDED and EXPERT")
      Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Josh Triplett <josh@joshtriplett.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a3b9e74b
    • Finn Thain's avatar
      m68k/atari, m68k/sun3: Fix SCSI platform device registration when driver is modular · d1b4d185
      Finn Thain authored
      commit 2d522618 upstream.
      
      Fixes: 3ff228af ("atari_scsi: Convert to platform device")
      Fixes: 0d31f875 ("sun3_scsi: Convert to platform device")
      Reported-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      d1b4d185
    • Bart Van Assche's avatar
      target: Fix a memory leak in target_dev_lba_map_store() · ac7e1d6b
      Bart Van Assche authored
      commit f0a8afec upstream.
      
      strsep() modifies its first argument. Make the pointer passed to kfree()
      match the return value of kmalloc().
      
      Fixes: 229d4f11 (commit "target_core_alua: Referrals configfs integration")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ac7e1d6b
    • Brian Norris's avatar
      firmware: actually return NULL on failed request_firmware_nowait() · 468cf983
      Brian Norris authored
      commit 715780ae upstream.
      
      The kerneldoc for request_firmware_nowait() says that it may call the
      provided cont() callback with @fw == NULL, if the firmware request
      fails. However, this is not the case when called with an empty string
      (""). This case is short-circuited by the 'name[0] == '\0'' check
      introduced in commit 471b095d ("firmware_class: make sure fw requests
      contain a name"), so _request_firmware() never gets to set the fw to
      NULL.
      
      Noticed while using the new 'trigger_async_request' testing hook:
      
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [10553.726178] test_firmware: loading ''
          [10553.729859] test_firmware: loaded: 995209091
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [10733.676184] test_firmware: loading ''
          [10733.679855] Unable to handle kernel NULL pointer dereference at virtual address 00000004
          [10733.687951] pgd = ec188000
          [10733.690655] [00000004] *pgd=00000000
          [10733.694240] Internal error: Oops: 5 [#1] SMP ARM
          [10733.698847] Modules linked in: btmrvl_sdio btmrvl bluetooth sbs_battery nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables asix usbnet mwifiex_sdio mwifiex cfg80211 jitterentropy_rng drbg joydev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun
          [10733.725670] CPU: 0 PID: 6600 Comm: bash Not tainted 4.4.0-rc4-00351-g63d0877 #178
          [10733.733137] Hardware name: Rockchip (Device Tree)
          [10733.737831] task: ed24f6c0 ti: ee322000 task.ti: ee322000
          [10733.743222] PC is at do_raw_spin_lock+0x18/0x1a0
          [10733.747831] LR is at _raw_spin_lock+0x18/0x1c
          [10733.752180] pc : [<c00653a0>]    lr : [<c054c204>]    psr: a00d0013
          [10733.752180] sp : ee323df8  ip : ee323e20  fp : ee323e1c
          [10733.763634] r10: 00000051  r9 : b6f18000  r8 : ee323f80
          [10733.768847] r7 : c089cebc  r6 : 00000001  r5 : 00000000  r4 : ec0e6000
          [10733.775360] r3 : dead4ead  r2 : c06bd140  r1 : eef913b4  r0 : 00000000
          [10733.781874] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
          [10733.788995] Control: 10c5387d  Table: 2c18806a  DAC: 00000051
          [10733.794728] Process bash (pid: 6600, stack limit = 0xee322218)
          [10733.800549] Stack: (0xee323df8 to 0xee324000)
          [10733.804896] 3de0:                                                       ec0e6000 00000000
          [10733.813059] 3e00: 00000001 c089cebc ee323f80 b6f18000 ee323e2c ee323e20 c054c204 c0065394
          [10733.821221] 3e20: ee323e44 ee323e30 c02fec60 c054c1f8 ec0e7ec0 ec3fcfc0 ee323e5c ee323e48
          [10733.829384] 3e40: c02fed08 c02fec48 c07dbf74 eeb05a00 ee323e8c ee323e60 c0253828 c02fecac
          [10733.837547] 3e60: 00000001 c0116950 ee323eac ee323e78 00000001 ec3fce00 ed2d9700 ed2d970c
          [10733.845710] 3e80: ee323e9c ee323e90 c02e873c c02537d4 ee323eac ee323ea0 c017bd40 c02e8720
          [10733.853873] 3ea0: ee323ee4 ee323eb0 c017b250 c017bd00 00000000 00000000 f3e47a54 ec128b00
          [10733.862035] 3ec0: c017b10c ee323f80 00000001 c000f504 ee322000 00000000 ee323f4c ee323ee8
          [10733.870197] 3ee0: c011b71c c017b118 ee323fb0 c011bc90 becfa8d9 00000001 ec128b00 00000001
          [10733.878359] 3f00: b6f18000 ee323f80 ee323f4c ee323f18 c011bc90 c0063950 ee323f3c ee323f28
          [10733.886522] 3f20: c0063950 c0549138 00000001 ec128b00 00000001 ec128b00 b6f18000 ee323f80
          [10733.894684] 3f40: ee323f7c ee323f50 c011bed8 c011b6ec c0135fb8 c0135f24 ec128b00 ec128b00
          [10733.902847] 3f60: 00000001 b6f18000 c000f504 ee322000 ee323fa4 ee323f80 c011c664 c011be24
          [10733.911009] 3f80: 00000000 00000000 00000001 b6f18000 b6e79be0 00000004 00000000 ee323fa8
          [10733.919172] 3fa0: c000f340 c011c618 00000001 b6f18000 00000001 b6f18000 00000001 00000000
          [10733.927334] 3fc0: 00000001 b6f18000 b6e79be0 00000004 00000001 00000001 8068a3f1 b6e79c84
          [10733.935496] 3fe0: 00000000 becfa7dc b6de194d b6e20246 400d0030 00000001 7a4536e8 49bda390
          [10733.943664] [<c00653a0>] (do_raw_spin_lock) from [<c054c204>] (_raw_spin_lock+0x18/0x1c)
          [10733.951743] [<c054c204>] (_raw_spin_lock) from [<c02fec60>] (fw_free_buf+0x24/0x64)
          [10733.959388] [<c02fec60>] (fw_free_buf) from [<c02fed08>] (release_firmware+0x68/0x74)
          [10733.967207] [<c02fed08>] (release_firmware) from [<c0253828>] (trigger_async_request_store+0x60/0x124)
          [10733.976501] [<c0253828>] (trigger_async_request_store) from [<c02e873c>] (dev_attr_store+0x28/0x34)
          [10733.985533] [<c02e873c>] (dev_attr_store) from [<c017bd40>] (sysfs_kf_write+0x4c/0x58)
          [10733.993437] [<c017bd40>] (sysfs_kf_write) from [<c017b250>] (kernfs_fop_write+0x144/0x1a8)
          [10734.001689] [<c017b250>] (kernfs_fop_write) from [<c011b71c>] (__vfs_write+0x3c/0xe4)
      
      After this patch:
      
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [   32.126322] test_firmware: loading ''
          [   32.129995] test_firmware: failed to async load firmware
          -bash: printf: write error: No such device
      
      Fixes: 471b095d ("firmware_class: make sure fw requests contain a name")
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Acked-by: default avatarMing Lei <ming.lei@canonical.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      468cf983
    • Sasha Levin's avatar
      power: test_power: correctly handle empty writes · 288a15fc
      Sasha Levin authored
      commit 6b9140f3 upstream.
      
      Writing 0 length data into test_power makes it access an invalid array
      location and kill the system.
      
      Fixes: f17ef9b2 ("power: Make test_power driver more dynamic.")
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      288a15fc
    • Stephane Eranian's avatar
      perf/x86: Fix filter_events() bug with event mappings · 797bf315
      Stephane Eranian authored
      commit 61b87cae upstream.
      
      This patch fixes a bug in the filter_events() function.
      
      The patch fixes the bug whereby if some mappings did not
      exist, e.g., STALLED_CYCLES_FRONTEND, then any event after it
      in the attrs array would disappear from the published list of
      events in /sys/devices/cpu/events. This could be verified
      easily on any system post SNB (which do not publish
      STALLED_CYCLES_FRONTEND):
      
      	$ ./perf stat -e cycles,ref-cycles true
      	Performance counter stats for 'true':
                    1,217,348      cycles
      	<not supported>      ref-cycles
      
      The problem is that in filter_events() there is an assumption
      that the argument (attrs) is organized in increasing continuous
      event indexes related to the event_map(). But if we remove the
      non-supported events by shifing the position in the array, then
      the lookup x86_pmu.event_map() needs to compensate for it, otherwise
      we are looking up the wrong index. This patch corrects this problem
      by compensating for the deleted events and with that ref-cycles
      reappears (here shown on Haswell):
      
      	$ perf stat -e ref-cycles,cycles true
      	Performance counter stats for 'true':
               4,525,910      ref-cycles
               1,064,920      cycles
             0.002943888 seconds time elapsed
      Signed-off-by: default avatarStephane Eranian <eranian@google.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: jolsa@kernel.org
      Cc: kan.liang@intel.com
      Fixes: 8300daa2 ("perf/x86: Filter out undefined events from sysfs events attribute")
      Link: http://lkml.kernel.org/r/1449516805-6637-1-git-send-email-eranian@google.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      797bf315
    • Vegard Nossum's avatar
      kconfig: return 'false' instead of 'no' in bool function · daf3f63a
      Vegard Nossum authored
      commit aab24a89 upstream.
      
      menu_is_visible() is a bool function and should use boolean return
      values. "no" is a tristate value which happens to also have a value
      of 0, but we should nevertheless use the right symbol for it.
      
      This is a very minor cleanup with no semantic change.
      
      Fixes: 86e187ff ("kconfig: add an option to determine a menu's visibility")
      Cc: Arnaud Lacombe <lacombar@gmail.com>
      Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      daf3f63a
    • Ani Sinha's avatar
      sysrq: Fix warning in sysrq generated crash. · 25654207
      Ani Sinha authored
      commit 984cf355 upstream.
      
      Commit 984d74a7 ("sysrq: rcu-ify __handle_sysrq") replaced
      spin_lock_irqsave() calls with rcu_read_lock() calls in sysrq. Since
      rcu_read_lock() does not disable preemption, faulthandler_disabled() in
      __do_page_fault() in x86/fault.c returns false. When the code later calls
      might_sleep() in the pagefault handler, we get the following warning:
      
      BUG: sleeping function called from invalid context at ../arch/x86/mm/fault.c:1187
      in_atomic(): 0, irqs_disabled(): 0, pid: 4706, name: bash
      Preemption disabled at:[<ffffffff81484339>] printk+0x48/0x4a
      
      To fix this, we release the RCU read lock before we crash.
      
      Tested this patch on linux 3.18 by booting off one of our boards.
      
      Fixes: 984d74a7 ("sysrq: rcu-ify __handle_sysrq")
      Signed-off-by: default avatarAni Sinha <ani@arista.com>
      Reviewed-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      25654207
    • Jan Beulich's avatar
      x86/LDT: Print the real LDT base address · c2505e71
      Jan Beulich authored
      commit 0d430e3f upstream.
      
      This was meant to print base address and entry count; make it do so
      again.
      
      Fixes: 37868fe1 "x86/ldt: Make modify_ldt synchronous"
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
      Link: http://lkml.kernel.org/r/56797D8402000078000C24F0@prv-mh.provo.novell.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      c2505e71