1. 27 Nov, 2014 40 commits
    • Pablo Neira's avatar
      netfilter: xt_bpf: add mising opaque struct sk_filter definition · aa9a588a
      Pablo Neira authored
      commit e10038a8 upstream.
      
      This structure is not exposed to userspace, so fix this by defining
      struct sk_filter; so we skip the casting in kernelspace. This is safe
      since userspace has no way to lurk with that internal pointer.
      
      Fixes: e6f30c73 ("netfilter: x_tables: add xt_bpf match")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      aa9a588a
    • Devesh Sharma's avatar
      IB/core: Clear AH attr variable to prevent garbage data · 3b832570
      Devesh Sharma authored
      commit 8b0f93d9 upstream.
      
      During create-ah from userspace, uverbs is sending garbage data in
      attr.dmac and attr.vlan_id.  This patch sets attr.dmac and
      attr.vlan_id to zero.
      
      Fixes: dd5f03be ("IB/core: Ethernet L2 attributes in verbs/cm structures")
      Signed-off-by: default avatarDevesh Sharma <devesh.sharma@emulex.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3b832570
    • Bjorn Helgaas's avatar
      clocksource: Remove "weak" from clocksource_default_clock() declaration · 183f35d7
      Bjorn Helgaas authored
      commit 96a2adbc upstream.
      
      kernel/time/jiffies.c provides a default clocksource_default_clock()
      definition explicitly marked "weak".  arch/s390 provides its own definition
      intended to override the default, but the "weak" attribute on the
      declaration applied to the s390 definition as well, so the linker chose one
      based on link order (see 10629d71 ("PCI: Remove __weak annotation from
      pcibios_get_phb_of_node decl")).
      
      Remove the "weak" attribute from the clocksource_default_clock()
      declaration so we always prefer a non-weak definition over the weak one,
      independent of link order.
      
      Fixes: f1b82746 ("clocksource: Cleanup clocksource selection")
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Acked-by: default avatarIngo Molnar <mingo@kernel.org>
      CC: Daniel Lezcano <daniel.lezcano@linaro.org>
      CC: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      183f35d7
    • Bjorn Helgaas's avatar
      kgdb: Remove "weak" from kgdb_arch_pc() declaration · 894c6763
      Bjorn Helgaas authored
      commit 107bcc6d upstream.
      
      kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
      explicitly marked "weak".  Several architectures provide their own
      definitions intended to override the default, but the "weak" attribute on
      the declaration applied to the arch definitions as well, so the linker
      chose one based on link order (see 10629d71 ("PCI: Remove __weak
      annotation from pcibios_get_phb_of_node decl")).
      
      Remove the "weak" attribute from the declaration so we always prefer a
      non-weak definition over the weak one, independent of link order.
      
      Fixes: 688b744d ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
      Tested-by: Vineet Gupta <vgupta@synopsys.com>	# for ARC build
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      894c6763
    • Bjorn Helgaas's avatar
      vmcore: Remove "weak" from function declarations · 15c089e6
      Bjorn Helgaas authored
      commit 5ab03ac5 upstream.
      
      For the following functions:
      
        elfcorehdr_alloc()
        elfcorehdr_free()
        elfcorehdr_read()
        elfcorehdr_read_notes()
        remap_oldmem_pfn_range()
      
      fs/proc/vmcore.c provides default definitions explicitly marked "weak".
      arch/s390 provides its own definitions intended to override the default
      ones, but the "weak" attribute on the declarations applied to the s390
      definitions as well, so the linker chose one based on link order (see
      10629d71 ("PCI: Remove __weak annotation from pcibios_get_phb_of_node
      decl")).
      
      Remove the "weak" attribute from the declarations so we always prefer a
      non-weak definition over the weak one, independent of link order.
      
      Fixes: be8a8d06 ("vmcore: introduce ELF header in new memory feature")
      Fixes: 9cb21813 ("vmcore: introduce remap_oldmem_pfn_range()")
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      CC: Michael Holzheu <holzheu@linux.vnet.ibm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      15c089e6
    • Bjorn Helgaas's avatar
      memory-hotplug: Remove "weak" from memory_block_size_bytes() declaration · 7552f82e
      Bjorn Helgaas authored
      commit e0a8400c upstream.
      
      drivers/base/memory.c provides a default memory_block_size_bytes()
      definition explicitly marked "weak".  Several architectures provide their
      own definitions intended to override the default, but the "weak" attribute
      on the declaration applied to the arch definitions as well, so the linker
      chose one based on link order (see 10629d71 ("PCI: Remove __weak
      annotation from pcibios_get_phb_of_node decl")).
      
      Remove the "weak" attribute from the declaration so we always prefer a
      non-weak definition over the weak one, independent of link order.
      
      Fixes: 41f10726 ("drivers: base: Add prototype declaration to the header file")
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      CC: Rashika Kheria <rashika.kheria@gmail.com>
      CC: Nathan Fontenot <nfont@austin.ibm.com>
      CC: Anton Blanchard <anton@au1.ibm.com>
      CC: Heiko Carstens <heiko.carstens@de.ibm.com>
      CC: Yinghai Lu <yinghai@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7552f82e
    • Roger Quadros's avatar
      pinctrl: dra: dt-bindings: Fix output pull up/down · 7b7d6748
      Roger Quadros authored
      commit 73b3a665 upstream.
      
      For PIN_OUTPUT_PULLUP and PIN_OUTPUT_PULLDOWN we must not set the
      PULL_DIS bit which disables the PULLs.
      
      PULL_ENA is a 0 and using it in an OR operation is a NOP, so don't
      use it in the PIN_OUTPUT_PULLUP/DOWN macros.
      
      Fixes: 23d9cec0 ("pinctrl: dra: dt-bindings: Fix pull enable/disable")
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Acked-by: default avatarNishanth Menon <nm@ti.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7b7d6748
    • Junjie Mao's avatar
      mac80211_hwsim: release driver when ieee80211_register_hw fails · 2f8d8b1e
      Junjie Mao authored
      commit 805dbe17 upstream.
      
      The driver is not released when ieee80211_register_hw fails in
      mac80211_hwsim_create_radio, leading to the access to the unregistered (and
      possibly freed) device in platform_driver_unregister:
      
      [    0.447547] mac80211_hwsim: ieee80211_register_hw failed (-2)
      [    0.448292] ------------[ cut here ]------------
      [    0.448854] WARNING: CPU: 0 PID: 1 at ../include/linux/kref.h:47 kobject_get+0x33/0x50()
      [    0.449839] CPU: 0 PID: 1 Comm: swapper Not tainted 3.17.0-00001-gdd46990-dirty #2
      [    0.450813] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.451512]  00000000 00000000 78025e38 7967c6c6 78025e68 7905e09b 7988b480 00000000
      [    0.452579]  00000001 79887d62 0000002f 79170bb3 79170bb3 78397008 79ac9d74 00000001
      [    0.453614]  78025e78 7905e15d 00000009 00000000 78025e84 79170bb3 78397000 78025e8c
      [    0.454632] Call Trace:
      [    0.454921]  [<7967c6c6>] dump_stack+0x16/0x18
      [    0.455453]  [<7905e09b>] warn_slowpath_common+0x6b/0x90
      [    0.456067]  [<79170bb3>] ? kobject_get+0x33/0x50
      [    0.456612]  [<79170bb3>] ? kobject_get+0x33/0x50
      [    0.457155]  [<7905e15d>] warn_slowpath_null+0x1d/0x20
      [    0.457748]  [<79170bb3>] kobject_get+0x33/0x50
      [    0.458274]  [<7925824f>] get_device+0xf/0x20
      [    0.458779]  [<7925b5cd>] driver_detach+0x3d/0xa0
      [    0.459331]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.459927]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.460660]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.461248]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.461824]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.462507]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.463161]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.463758]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.464393]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.465001]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.465569]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.466345]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.466972]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.467546]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.468072]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.468658]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.469303]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.469829] ---[ end trace ad8ac403ff8aef5c ]---
      [    0.470509] ------------[ cut here ]------------
      [    0.471047] WARNING: CPU: 0 PID: 1 at ../kernel/locking/lockdep.c:3161 __lock_acquire.isra.22+0x7aa/0xb00()
      [    0.472163] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
      [    0.472774] CPU: 0 PID: 1 Comm: swapper Tainted: G        W      3.17.0-00001-gdd46990-dirty #2
      [    0.473815] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.474492]  78025de0 78025de0 78025da0 7967c6c6 78025dd0 7905e09b 79888931 78025dfc
      [    0.475515]  00000001 79888a93 00000c59 7907f33a 7907f33a 78028000 fffe9d09 00000000
      [    0.476519]  78025de8 7905e10e 00000009 78025de0 79888931 78025dfc 78025e24 7907f33a
      [    0.477523] Call Trace:
      [    0.477821]  [<7967c6c6>] dump_stack+0x16/0x18
      [    0.478352]  [<7905e09b>] warn_slowpath_common+0x6b/0x90
      [    0.478976]  [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
      [    0.479658]  [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
      [    0.480417]  [<7905e10e>] warn_slowpath_fmt+0x2e/0x30
      [    0.480479]  [<7907f33a>] __lock_acquire.isra.22+0x7aa/0xb00
      [    0.480479]  [<79078aa5>] ? sched_clock_cpu+0xb5/0xf0
      [    0.480479]  [<7907fd06>] lock_acquire+0x56/0x70
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<79682d11>] mutex_lock_nested+0x61/0x2a0
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<7925b5e8>] driver_detach+0x58/0xa0
      [    0.480479]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.480479]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.480479]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.480479]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.480479]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.480479]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.480479]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.480479]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.480479]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.480479]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.480479]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.480479]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.480479]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.480479]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.480479]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.480479]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.480479]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.480479] ---[ end trace ad8ac403ff8aef5d ]---
      [    0.495478] BUG: unable to handle kernel paging request at 00200200
      [    0.496257] IP: [<79682de5>] mutex_lock_nested+0x135/0x2a0
      [    0.496923] *pde = 00000000
      [    0.497290] Oops: 0002 [#1]
      [    0.497653] CPU: 0 PID: 1 Comm: swapper Tainted: G        W      3.17.0-00001-gdd46990-dirty #2
      [    0.498659] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.499321] task: 78028000 ti: 78024000 task.ti: 78024000
      [    0.499955] EIP: 0060:[<79682de5>] EFLAGS: 00010097 CPU: 0
      [    0.500620] EIP is at mutex_lock_nested+0x135/0x2a0
      [    0.501145] EAX: 00200200 EBX: 78397434 ECX: 78397460 EDX: 78025e70
      [    0.501816] ESI: 00000246 EDI: 78028000 EBP: 78025e8c ESP: 78025e54
      [    0.502497]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
      [    0.503076] CR0: 8005003b CR2: 00200200 CR3: 01b9d000 CR4: 00000690
      [    0.503773] Stack:
      [    0.503998]  00000000 00000001 00000000 7925b5e8 78397460 7925b5e8 78397474 78397460
      [    0.504944]  00200200 11111111 78025e70 78397000 79ac9d74 00000001 78025ea0 7925b5e8
      [    0.505451]  79ac9d74 fffffffe 00000001 78025ebc 7925a3ff 7a251398 78025ec8 7925bf80
      [    0.505451] Call Trace:
      [    0.505451]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.505451]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.505451]  [<7925b5e8>] driver_detach+0x58/0xa0
      [    0.505451]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.505451]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.505451]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.505451]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.505451]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.505451]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.505451]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.505451]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.505451]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.505451]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.505451]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.505451]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.505451]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.505451]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.505451]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.505451]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.505451]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.505451] Code: 89 d8 e8 cf 9b 9f ff 8b 4f 04 8d 55 e4 89 d8 e8 72 9d 9f ff 8d 43 2c 89 c1 89 45 d8 8b 43 30 8d 55 e4 89 53 30 89 4d e4 89 45 e8 <89> 10 8b 55 dc 8b 45 e0 89 7d ec e8 db af 9f ff eb 11 90 31 c0
      [    0.505451] EIP: [<79682de5>] mutex_lock_nested+0x135/0x2a0 SS:ESP 0068:78025e54
      [    0.505451] CR2: 0000000000200200
      [    0.505451] ---[ end trace ad8ac403ff8aef5e ]---
      [    0.505451] Kernel panic - not syncing: Fatal exception
      
      Fixes: 9ea92774 ("mac80211_hwsim: Register and bind to driver")
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarJunjie Mao <eternal.n08@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2f8d8b1e
    • Richard Guy Briggs's avatar
      audit: correct AUDIT_GET_FEATURE return message type · 99ba91a3
      Richard Guy Briggs authored
      commit 9ef91514 upstream.
      
      When an AUDIT_GET_FEATURE message is sent from userspace to the kernel, it
      should reply with a message tagged as an AUDIT_GET_FEATURE type with a struct
      audit_feature.  The current reply is a message tagged as an AUDIT_GET
      type with a struct audit_feature.
      
      This appears to have been a cut-and-paste-eo in commit b0fed402.
      Reported-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      99ba91a3
    • Cristian Stoica's avatar
      crypto: caam - remove duplicated sg copy functions · 86f80b54
      Cristian Stoica authored
      commit 307fd543 upstream.
      
      Replace equivalent (and partially incorrect) scatter-gather functions
      with ones from crypto-API.
      
      The replacement is motivated by page-faults in sg_copy_part triggered
      by successive calls to crypto_hash_update. The following fault appears
      after calling crypto_ahash_update twice, first with 13 and then
      with 285 bytes:
      
      Unable to handle kernel paging request for data at address 0x00000008
      Faulting instruction address: 0xf9bf9a8c
      Oops: Kernel access of bad area, sig: 11 [#1]
      SMP NR_CPUS=8 CoreNet Generic
      Modules linked in: tcrypt(+) caamhash caam_jr caam tls
      CPU: 6 PID: 1497 Comm: cryptomgr_test Not tainted
      3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2 #75
      task: e9308530 ti: e700e000 task.ti: e700e000
      NIP: f9bf9a8c LR: f9bfcf28 CTR: c0019ea0
      REGS: e700fb80 TRAP: 0300   Not tainted
      (3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2)
      MSR: 00029002 <CE,EE,ME>  CR: 44f92024  XER: 20000000
      DEAR: 00000008, ESR: 00000000
      
      GPR00: f9bfcf28 e700fc30 e9308530 e70b1e55 00000000 ffffffdd e70b1e54 0bebf888
      GPR08: 902c7ef5 c0e771e2 00000002 00000888 c0019ea0 00000000 00000000 c07a4154
      GPR16: c08d0000 e91a8f9c 00000001 e98fb400 00000100 e9c83028 e70b1e08 e70b1d48
      GPR24: e992ce10 e70b1dc8 f9bfe4f4 e70b1e55 ffffffdd e70b1ce0 00000000 00000000
      NIP [f9bf9a8c] sg_copy+0x1c/0x100 [caamhash]
      LR [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash]
      Call Trace:
      [e700fc30] [f9bf9c50] sg_copy_part+0xe0/0x160 [caamhash] (unreliable)
      [e700fc50] [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash]
      [e700fcb0] [f954e19c] crypto_tls_genicv+0x13c/0x300 [tls]
      [e700fd10] [f954e65c] crypto_tls_encrypt+0x5c/0x260 [tls]
      [e700fd40] [c02250ec] __test_aead.constprop.9+0x2bc/0xb70
      [e700fe40] [c02259f0] alg_test_aead+0x50/0xc0
      [e700fe60] [c02241e4] alg_test+0x114/0x2e0
      [e700fee0] [c022276c] cryptomgr_test+0x4c/0x60
      [e700fef0] [c004f658] kthread+0x98/0xa0
      [e700ff40] [c000fd04] ret_from_kernel_thread+0x5c/0x64
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      86f80b54
    • Pawel Moll's avatar
      perf: Handle compat ioctl · df9e5a37
      Pawel Moll authored
      commit b3f20785 upstream.
      
      When running a 32-bit userspace on a 64-bit kernel (eg. i386
      application on x86_64 kernel or 32-bit arm userspace on arm64
      kernel) some of the perf ioctls must be treated with special
      care, as they have a pointer size encoded in the command.
      
      For example, PERF_EVENT_IOC_ID in 32-bit world will be encoded
      as 0x80042407, but 64-bit kernel will expect 0x80082407. In
      result the ioctl will fail returning -ENOTTY.
      
      This patch solves the problem by adding code fixing up the
      size as compat_ioctl file operation.
      Reported-by: default avatarDrew Richardson <drew.richardson@arm.com>
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Link: http://lkml.kernel.org/r/1402671812-9078-1-git-send-email-pawel.moll@arm.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      df9e5a37
    • Derek Browne's avatar
      mmc: sdhci-pci: SDIO host controller support for Intel Quark X1000 · 48151818
      Derek Browne authored
      commit 43e968ce upstream.
      
      This patch is to enable SDIO host controller for Intel Quark X1000.
      Signed-off-by: default avatarDerek Browne <Derek.Browne@intel.com>
      Signed-off-by: default avatarAlvin (Weike) Chen <alvin.chen@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      48151818
    • Frank Schaefer's avatar
      [media] em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop · cbabd79a
      Frank Schaefer authored
      commit 627530c3 upstream.
      
      When a new video frame is started, the driver takes the next video buffer from
      the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf
      for further processing.
      
      On streaming stop we currently only give back the pending buffers from the list
      but not the ones which are currently processed.
      
      This causes the following warning from the vb2 core since kernel 3.15:
      
      ...
       ------------[ cut here ]------------
       WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]()
       [...]
       Call Trace:
        [<c0769c46>] dump_stack+0x48/0x69
        [<c0245b69>] warn_slowpath_common+0x79/0x90
        [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
        [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
        [<c0245bfd>] warn_slowpath_null+0x1d/0x20
        [<f925e4ad>] __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
        [<f925fa35>] vb2_internal_streamoff+0x35/0x90 [videobuf2_core]
        [<f925fac5>] vb2_streamoff+0x35/0x60 [videobuf2_core]
        [<f925fb27>] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core]
        [<f8e45895>] v4l_streamoff+0x15/0x20 [videodev]
        [<f8e4925d>] __video_do_ioctl+0x23d/0x2d0 [videodev]
        [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
        [<f8e48c63>] video_usercopy+0x203/0x5a0 [videodev]
        [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
        [<c039d0e7>] ? fsnotify+0x1e7/0x2b0
        [<f8e49012>] video_ioctl2+0x12/0x20 [videodev]
        [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
        [<f8e4461e>] v4l2_ioctl+0xee/0x130 [videodev]
        [<f8e44530>] ? v4l2_open+0xf0/0xf0 [videodev]
        [<c0378de2>] do_vfs_ioctl+0x2e2/0x4d0
        [<c0368eec>] ? vfs_write+0x13c/0x1c0
        [<c0369a8f>] ? vfs_writev+0x2f/0x50
        [<c0379028>] SyS_ioctl+0x58/0x80
        [<c076fff3>] sysenter_do_call+0x12/0x12
       ---[ end trace 5545f934409f13f4 ]---
      ...
      
      Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled
      this long standing issue and who has investigated it further.
      Signed-off-by: default avatarFrank Schäfer <fschaefer.oss@googlemail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cbabd79a
    • Stephan Mueller's avatar
      quirk for Lenovo Yoga 3: no rfkill switch · 87cca01a
      Stephan Mueller authored
      commit 725c7f61 upstream.
      
      The Yoga 3 does not contain any physical rfkill switch. Therefore
      disable the rfkill switch identically to the Yoga 2 approach.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarDarren Hart <dvhart@linux.intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      87cca01a
    • Nadav Amit's avatar
      KVM: x86: Don't report guest userspace emulation error to userspace · 7dd767ff
      Nadav Amit authored
      commit a2b9e6c1 upstream.
      
      Commit fc3a9157 ("KVM: X86: Don't report L2 emulation failures to
      user-space") disabled the reporting of L2 (nested guest) emulation failures to
      userspace due to race-condition between a vmexit and the instruction emulator.
      The same rational applies also to userspace applications that are permitted by
      the guest OS to access MMIO area or perform PIO.
      
      This patch extends the current behavior - of injecting a #UD instead of
      reporting it to userspace - also for guest userspace code.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7dd767ff
    • Alex Deucher's avatar
      drm/radeon: initialize sadb to NULL in the audio code · 2b73646c
      Alex Deucher authored
      commit 83d04c39 upstream.
      
      Fixes kfree of the sadb buffer when it's NULL.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2b73646c
    • Andreas Larsson's avatar
      sparc32: Implement xchg and atomic_xchg using ATOMIC_HASH locks · 4f7e7dca
      Andreas Larsson authored
      commit 1a17fdc4 upstream.
      
      Atomicity between xchg and cmpxchg cannot be guaranteed when xchg is
      implemented with a swap and cmpxchg is implemented with locks.
      Without this, e.g. mcs_spin_lock and mcs_spin_unlock are broken.
      Signed-off-by: default avatarAndreas Larsson <andreas@gaisler.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4f7e7dca
    • David S. Miller's avatar
      sparc64: Do irq_{enter,exit}() around generic_smp_call_function*(). · 816dcf66
      David S. Miller authored
      commit ab5c7809 upstream.
      
      Otherwise rcu_irq_{enter,exit}() do not happen and we get dumps like:
      
      ====================
      [  188.275021] ===============================
      [  188.309351] [ INFO: suspicious RCU usage. ]
      [  188.343737] 3.18.0-rc3-00068-g20f3963d-dirty #54 Not tainted
      [  188.394786] -------------------------------
      [  188.429170] include/linux/rcupdate.h:883 rcu_read_lock() used
      illegally while idle!
      [  188.505235]
      other info that might help us debug this:
      
      [  188.554230]
      RCU used illegally from idle CPU!
      rcu_scheduler_active = 1, debug_locks = 0
      [  188.637587] RCU used illegally from extended quiescent state!
      [  188.690684] 3 locks held by swapper/7/0:
      [  188.721932]  #0:  (&x->wait#11){......}, at: [<0000000000495de8>] complete+0x8/0x60
      [  188.797994]  #1:  (&p->pi_lock){-.-.-.}, at: [<000000000048510c>] try_to_wake_up+0xc/0x400
      [  188.881343]  #2:  (rcu_read_lock){......}, at: [<000000000048a910>] select_task_rq_fair+0x90/0xb40
      [  188.973043]stack backtrace:
      [  188.993879] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 3.18.0-rc3-00068-g20f3963d-dirty #54
      [  189.076187] Call Trace:
      [  189.089719]  [0000000000499360] lockdep_rcu_suspicious+0xe0/0x100
      [  189.147035]  [000000000048a99c] select_task_rq_fair+0x11c/0xb40
      [  189.202253]  [00000000004852d8] try_to_wake_up+0x1d8/0x400
      [  189.252258]  [000000000048554c] default_wake_function+0xc/0x20
      [  189.306435]  [0000000000495554] __wake_up_common+0x34/0x80
      [  189.356448]  [00000000004955b4] __wake_up_locked+0x14/0x40
      [  189.406456]  [0000000000495e08] complete+0x28/0x60
      [  189.448142]  [0000000000636e28] blk_end_sync_rq+0x8/0x20
      [  189.496057]  [0000000000639898] __blk_mq_end_request+0x18/0x60
      [  189.550249]  [00000000006ee014] scsi_end_request+0x94/0x180
      [  189.601286]  [00000000006ee334] scsi_io_completion+0x1d4/0x600
      [  189.655463]  [00000000006e51c4] scsi_finish_command+0xc4/0xe0
      [  189.708598]  [00000000006ed958] scsi_softirq_done+0x118/0x140
      [  189.761735]  [00000000006398ec] __blk_mq_complete_request_remote+0xc/0x20
      [  189.827383]  [00000000004c75d0] generic_smp_call_function_single_interrupt+0x150/0x1c0
      [  189.906581]  [000000000043e514] smp_call_function_single_client+0x14/0x40
      ====================
      
      Based almost entirely upon a patch by Paul E. McKenney.
      Reported-by: default avatarMeelis Roos <mroos@linux.ee>
      Tested-by: default avatarMeelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      816dcf66
    • David S. Miller's avatar
      sparc64: Fix crashes in schizo_pcierr_intr_other(). · c0dabb8f
      David S. Miller authored
      commit 7da89a2a upstream.
      
      Meelis Roos reports crashes during bootup on a V480 that look like
      this:
      
      ====================
      [   61.300577] PCI: Scanning PBM /pci@9,600000
      [   61.304867] schizo f009b070: PCI host bridge to bus 0003:00
      [   61.310385] pci_bus 0003:00: root bus resource [io  0x7ffe9000000-0x7ffe9ffffff] (bus address [0x0000-0xffffff])
      [   61.320515] pci_bus 0003:00: root bus resource [mem 0x7fb00000000-0x7fbffffffff] (bus address [0x00000000-0xffffffff])
      [   61.331173] pci_bus 0003:00: root bus resource [bus 00]
      [   61.385344] Unable to handle kernel NULL pointer dereference
      [   61.390970] tsk->{mm,active_mm}->context = 0000000000000000
      [   61.396515] tsk->{mm,active_mm}->pgd = fff000b000002000
      [   61.401716]               \|/ ____ \|/
      [   61.401716]               "@'/ .. \`@"
      [   61.401716]               /_| \__/ |_\
      [   61.401716]                  \__U_/
      [   61.416362] swapper/0(0): Oops [#1]
      [   61.419837] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.18.0-rc1-00422-g2cc91884-dirty #24
      [   61.427975] task: fff000b0fd8e9c40 ti: fff000b0fd928000 task.ti: fff000b0fd928000
      [   61.435426] TSTATE: 0000004480e01602 TPC: 00000000004455e4 TNPC: 00000000004455e8 Y: 00000000    Not tainted
      [   61.445230] TPC: <schizo_pcierr_intr+0x104/0x560>
      [   61.449897] g0: 0000000000000000 g1: 0000000000000000 g2: 0000000000a10f78 g3: 000000000000000a
      [   61.458563] g4: fff000b0fd8e9c40 g5: fff000b0fdd82000 g6: fff000b0fd928000 g7: 000000000000000a
      [   61.467229] o0: 000000000000003d o1: 0000000000000000 o2: 0000000000000006 o3: fff000b0ffa5fc7e
      [   61.475894] o4: 0000000000060000 o5: c000000000000000 sp: fff000b0ffa5f3c1 ret_pc: 00000000004455cc
      [   61.484909] RPC: <schizo_pcierr_intr+0xec/0x560>
      [   61.489500] l0: fff000b0fd8e9c40 l1: 0000000000a20800 l2: 0000000000000000 l3: 000000000119a430
      [   61.498164] l4: 0000000001742400 l5: 00000000011cfbe0 l6: 00000000011319c0 l7: fff000b0fd8ea348
      [   61.506830] i0: 0000000000000000 i1: fff000b0fdb34000 i2: 0000000320000000 i3: 0000000000000000
      [   61.515497] i4: 00060002010b003f i5: 0000040004e02000 i6: fff000b0ffa5f481 i7: 00000000004a9920
      [   61.524175] I7: <handle_irq_event_percpu+0x40/0x140>
      [   61.529099] Call Trace:
      [   61.531531]  [00000000004a9920] handle_irq_event_percpu+0x40/0x140
      [   61.537681]  [00000000004a9a58] handle_irq_event+0x38/0x80
      [   61.543145]  [00000000004ac77c] handle_fasteoi_irq+0xbc/0x200
      [   61.548860]  [00000000004a9084] generic_handle_irq+0x24/0x40
      [   61.554500]  [000000000042be0c] handler_irq+0xac/0x100
      ====================
      
      The problem is that pbm->pci_bus->self is NULL.
      
      This code is trying to go through the standard PCI config space
      interfaces to read the PCI controller's PCI_STATUS register.
      
      This doesn't work, because we more often than not do not enumerate
      the PCI controller as a bonafide PCI device during the OF device
      node scan.  Therefore bus->self remains NULL.
      
      Existing common code for PSYCHO and PSYCHO-like PCI controllers
      handles this properly, by doing the config space access directly.
      
      Do the same here, pbm->pci_ops->{read,write}().
      Reported-by: default avatarMeelis Roos <mroos@linux.ee>
      Tested-by: default avatarMeelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c0dabb8f
    • Dwight Engen's avatar
      sunvdc: don't call VD_OP_GET_VTOC · a4f4bd0c
      Dwight Engen authored
      commit 85b0c6e6 upstream.
      
      The VD_OP_GET_VTOC operation will succeed only if the vdisk backend has a
      VTOC label, otherwise it will fail. In particular, it will return error
      48 (ENOTSUP) if the disk has an EFI label. VTOC disk labels are already
      handled by directly reading the disk in block/partitions/sun.c (enabled by
      CONFIG_SUN_PARTITION which defaults to y on SPARC). Since port->label is
      unused in the driver, remove the call and the field.
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a4f4bd0c
    • Dwight Engen's avatar
      vio: fix reuse of vio_dring slot · 03f0d176
      Dwight Engen authored
      commit d0aedcd4 upstream.
      
      vio_dring_avail() will allow use of every dring entry, but when the last
      entry is allocated then dr->prod == dr->cons which is indistinguishable from
      the ring empty condition. This causes the next allocation to reuse an entry.
      When this happens in sunvdc, the server side vds driver begins nack'ing the
      messages and ends up resetting the ldc channel. This problem does not effect
      sunvnet since it checks for < 2.
      
      The fix here is to just never allocate the very last dring slot so that full
      and empty are not the same condition. The request start path was changed to
      check for the ring being full a bit earlier, and to stop the blk_queue if
      there is no space left. The blk_queue will be restarted once the ring is
      only half full again. The number of ring entries was increased to 512 which
      matches the sunvnet and Solaris vdc drivers, and greatly reduces the
      frequency of hitting the ring full condition and the associated blk_queue
      stop/starting. The checks in sunvent were adjusted to account for
      vio_dring_avail() returning 1 less.
      
      Orabug: 19441666
      OraBZ: 14983
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      03f0d176
    • Dwight Engen's avatar
      sunvdc: limit each sg segment to a page · 486db7c9
      Dwight Engen authored
      commit 5eed69ff upstream.
      
      ldc_map_sg() could fail its check that the number of pages referred to
      by the sg scatterlist was <= the number of cookies.
      
      This fixes the issue by doing a similar thing to the xen-blkfront driver,
      ensuring that the scatterlist will only ever contain a segment count <=
      port->ring_cookies, and each segment will be page aligned, and <= page
      size. This ensures that the scatterlist is always mappable.
      
      Orabug: 19347817
      OraBZ: 15945
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      486db7c9
    • Allen Pais's avatar
      sunvdc: compute vdisk geometry from capacity · b2210eb6
      Allen Pais authored
      commit de5b73f0 upstream.
      
      The LDom diskserver doesn't return reliable geometry data. In addition,
      the types for all fields in the vio_disk_geom are u16, which were being
      truncated in the cast into the u8's of the Linux struct hd_geometry.
      
      Modify vdc_getgeo() to compute the geometry from the disk's capacity in a
      manner consistent with xen-blkfront::blkif_getgeo().
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b2210eb6
    • Allen Pais's avatar
      sunvdc: add cdrom and v1.1 protocol support · 39a83081
      Allen Pais authored
      commit 9bce2182 upstream.
      
      Interpret the media type from v1.1 protocol to support CDROM/DVD.
      
      For v1.0 protocol, a disk's size continues to be calculated from the
      geometry returned by the vdisk server. The geometry returned by the server
      can be less than the actual number of sectors available in the backing
      image/device due to the rounding in the division used to compute the
      geometry in the vdisk server.
      
      In v1.1 protocol a disk's actual size in sectors is returned during the
      handshake. Use this size when v1.1 protocol is negotiated. Since this size
      will always be larger than the former geometry computed size, disks created
      under v1.0 will be forwards compatible to v1.1, but not vice versa.
      Signed-off-by: default avatarDwight Engen <dwight.engen@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      39a83081
    • Enric Balletbo i Serra's avatar
      smsc911x: power-up phydev before doing a software reset. · 9bc045c6
      Enric Balletbo i Serra authored
      commit ccf899a2 upstream.
      
      With commit be9dad1f ("net: phy: suspend phydev when going
      to HALTED"), the PHY device will be put in a low-power mode using
      BMCR_PDOWN if the the interface is set down. The smsc911x driver does
      a software_reset opening the device driver (ndo_open). In such case,
      the PHY must be powered-up before access to any register and before
      calling the software_reset function. Otherwise, as the PHY is powered
      down the software reset fails and the interface can not be enabled
      again.
      
      This patch fixes this scenario that is easy to reproduce setting down
      the network interface and setting up again.
      
          $ ifconfig eth0 down
          $ ifconfig eth0 up
          ifconfig: SIOCSIFFLAGS: Input/output error
      Signed-off-by: default avatarEnric Balletbo i Serra <eballetbo@iseebcn.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9bc045c6
    • Hiroaki SHIMODA's avatar
      netlink: Properly unbind in error conditions. · 1b1a5bb6
      Hiroaki SHIMODA authored
      commit 6251edd9 upstream.
      
      Even if netlink_kernel_cfg::unbind is implemented the unbind() method is
      not called, because cfg->unbind is omitted in __netlink_kernel_create().
      And fix wrong argument of test_bit() and off by one problem.
      
      At this point, no unbind() method is implemented, so there is no real
      issue.
      
      Fixes: 4f520900 ("netlink: have netlink per-protocol bind function return an error code.")
      Signed-off-by: default avatarHiroaki SHIMODA <shimoda.hiroaki@gmail.com>
      Cc: Richard Guy Briggs <rgb@redhat.com>
      Acked-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1b1a5bb6
    • Eric Dumazet's avatar
      ipv6: fix IPV6_PKTINFO with v4 mapped · b828096e
      Eric Dumazet authored
      commit 5337b5b7 upstream.
      
      Use IS_ENABLED(CONFIG_IPV6), to enable this code if IPv6 is
      a module.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Fixes: c8e6ad08 ("ipv6: honor IPV6_PKTINFO with v4 mapped addresses on sendmsg")
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b828096e
    • Daniel Borkmann's avatar
      net: sctp: fix memory leak in auth key management · 6bd693b5
      Daniel Borkmann authored
      commit 4184b2a7 upstream.
      
      A very minimal and simple user space application allocating an SCTP
      socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
      the socket again will leak the memory containing the authentication
      key from user space:
      
      unreferenced object 0xffff8800837047c0 (size 16):
        comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
        hex dump (first 16 bytes):
          01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
          [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
          [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
          [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
          [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
          [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
          [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      This is bad because of two things, we can bring down a machine from
      user space when auth_enable=1, but also we would leave security sensitive
      keying material in memory without clearing it after use. The issue is
      that sctp_auth_create_key() already sets the refcount to 1, but after
      allocation sctp_auth_set_key() does an additional refcount on it, and
      thus leaving it around when we free the socket.
      
      Fixes: 65b07e5d ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6bd693b5
    • Daniel Borkmann's avatar
      net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet · 1cfecc6b
      Daniel Borkmann authored
      commit e40607cb upstream.
      
      An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
      in the form of:
      
        ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
      
      While the INIT chunk parameter verification dissects through many things
      in order to detect malformed input, it misses to actually check parameters
      inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
      IP address' parameter in ASCONF, which has as a subparameter an address
      parameter.
      
      So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
      or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
      and thus sctp_get_af_specific() returns NULL, too, which we then happily
      dereference unconditionally through af->from_addr_param().
      
      The trace for the log:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
      IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      PGD 0
      Oops: 0000 [#1] SMP
      [...]
      Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
      RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      [...]
      Call Trace:
       <IRQ>
       [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
       [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
       [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
      [...]
      
      A minimal way to address this is to check for NULL as we do on all
      other such occasions where we know sctp_get_af_specific() could
      possibly return with NULL.
      
      Fixes: d6de3097 ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1cfecc6b
    • Marcelo Leitner's avatar
      vxlan: Do not reuse sockets for a different address family · 6437cf7e
      Marcelo Leitner authored
      commit 19ca9fc1 upstream.
      
      Currently, we only match against local port number in order to reuse
      socket. But if this new vxlan wants an IPv6 socket and a IPv4 one bound
      to that port, vxlan will reuse an IPv4 socket as IPv6 and a panic will
      follow. The following steps reproduce it:
      
         # ip link add vxlan6 type vxlan id 42 group 229.10.10.10 \
             srcport 5000 6000 dev eth0
         # ip link add vxlan7 type vxlan id 43 group ff0e::110 \
             srcport 5000 6000 dev eth0
         # ip link set vxlan6 up
         # ip link set vxlan7 up
         <panic>
      
      [    4.187481] BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
      ...
      [    4.188076] Call Trace:
      [    4.188085]  [<ffffffff81667c4a>] ? ipv6_sock_mc_join+0x3a/0x630
      [    4.188098]  [<ffffffffa05a6ad6>] vxlan_igmp_join+0x66/0xd0 [vxlan]
      [    4.188113]  [<ffffffff810a3430>] process_one_work+0x220/0x710
      [    4.188125]  [<ffffffff810a33c4>] ? process_one_work+0x1b4/0x710
      [    4.188138]  [<ffffffff810a3a3b>] worker_thread+0x11b/0x3a0
      [    4.188149]  [<ffffffff810a3920>] ? process_one_work+0x710/0x710
      
      So address family must also match in order to reuse a socket.
      Reported-by: default avatarJean-Tsung Hsiao <jhsiao@redhat.com>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <mleitner@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6437cf7e
    • Karl Beldan's avatar
      net: mv643xx_eth: reclaim TX skbs only when released by the HW · 0d795012
      Karl Beldan authored
      commit 2c2a9cbd upstream.
      
      ATM, txq_reclaim will dequeue and free an skb for each tx desc released
      by the hw that has TX_LAST_DESC set. However, in case of TSO, each
      hw desc embedding the last part of a segment has TX_LAST_DESC set,
      losing the one-to-one 'last skb frag'/'TX_LAST_DESC set' correspondance,
      which causes data corruption.
      
      Fix this by checking TX_ENABLE_INTERRUPT instead of TX_LAST_DESC, and
      warn when trying to dequeue from an empty txq (which can be symptomatic
      of releasing skbs prematurely).
      
      Fixes: 3ae8f4e0 ('net: mv643xx_eth: Implement software TSO')
      Reported-by: default avatarSlawomir Gajzner <slawomir.gajzner@gmail.com>
      Reported-by: default avatarJulien D'Ascenzio <jdascenzio@yahoo.fr>
      Signed-off-by: default avatarKarl Beldan <karl.beldan@rivierawaves.com>
      Cc: Ian Campbell <ijc@hellion.org.uk>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
      Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0d795012
    • Steffen Klassert's avatar
      gre6: Move the setting of dev->iflink into the ndo_init functions. · 9c5425d7
      Steffen Klassert authored
      commit f03eb128 upstream.
      
      Otherwise it gets overwritten by register_netdev().
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9c5425d7
    • Steffen Klassert's avatar
      sit: Use ipip6_tunnel_init as the ndo_init function. · 5e146414
      Steffen Klassert authored
      commit ebe084aa upstream.
      
      ipip6_tunnel_init() sets the dev->iflink via a call to
      ipip6_tunnel_bind_dev(). After that, register_netdevice()
      sets dev->iflink = -1. So we loose the iflink configuration
      for ipv6 tunnels. Fix this by using ipip6_tunnel_init() as the
      ndo_init function. Then ipip6_tunnel_init() is called after
      dev->iflink is set to -1 from register_netdevice().
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5e146414
    • Steffen Klassert's avatar
      vti6: Use vti6_dev_init as the ndo_init function. · 3510081a
      Steffen Klassert authored
      commit 16a0231b upstream.
      
      vti6_dev_init() sets the dev->iflink via a call to
      vti6_link_config(). After that, register_netdevice()
      sets dev->iflink = -1. So we loose the iflink configuration
      for vti6 tunnels. Fix this by using vti6_dev_init() as the
      ndo_init function. Then vti6_dev_init() is called after
      dev->iflink is set to -1 from register_netdevice().
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3510081a
    • Steffen Klassert's avatar
      ip6_tunnel: Use ip6_tnl_dev_init as the ndo_init function. · 6ca9a33e
      Steffen Klassert authored
      commit 6c6151da upstream.
      
      ip6_tnl_dev_init() sets the dev->iflink via a call to
      ip6_tnl_link_config(). After that, register_netdevice()
      sets dev->iflink = -1. So we loose the iflink configuration
      for ipv6 tunnels. Fix this by using ip6_tnl_dev_init() as the
      ndo_init function. Then ip6_tnl_dev_init() is called after
      dev->iflink is set to -1 from register_netdevice().
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6ca9a33e
    • NeilBrown's avatar
      md: Always set RECOVERY_NEEDED when clearing RECOVERY_FROZEN · 9ac298cb
      NeilBrown authored
      commit 45eaf45d upstream.
      
      md_check_recovery will skip any recovery and also clear
      MD_RECOVERY_NEEDED if MD_RECOVERY_FROZEN is set.
      So when we clear _FROZEN, we must set _NEEDED and ensure that
      md_check_recovery gets run.
      Otherwise we could miss out on something that is needed.
      
      In particular, this can make it impossible to remove a
      failed device from an array is the  'recovery-needed' processing
      didn't happen.
      Suitable for stable kernels since 3.13.
      Reported-and-tested-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      Fixes: 30b8feb7Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9ac298cb
    • Stefan Richter's avatar
      firewire: cdev: prevent kernel stack leaking into ioctl arguments · cec4c7e4
      Stefan Richter authored
      commit eaca2d8e upstream.
      
      Found by the UC-KLEE tool:  A user could supply less input to
      firewire-cdev ioctls than write- or write/read-type ioctl handlers
      expect.  The handlers used data from uninitialized kernel stack then.
      
      This could partially leak back to the user if the kernel subsequently
      generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
      which notably would contain the _u64 closure field which many of the
      ioctl argument structures contain.
      
      The fact that the handlers would act on random garbage input is a
      lesser issue since all handlers must check their input anyway.
      
      The fix simply always null-initializes the entire ioctl argument buffer
      regardless of the actual length of expected user input.  That is, a
      runtime overhead of memset(..., 40) is added to each firewirew-cdev
      ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
      most likely to be already in the cache.]
      
      Remarks:
        - There was never any leak from kernel stack to the ioctl output
          buffer itself.  IOW, it was not possible to read kernel stack by a
          read-type or write/read-type ioctl alone; the leak could at most
          happen in combination with read()ing subsequent event data.
        - The actual expected minimum user input of each ioctl from
          include/uapi/linux/firewire-cdev.h is, in bytes:
          [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
          [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
          [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
          [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
          [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cec4c7e4
    • Pali Rohár's avatar
      Input: alps - ignore bad data on Dell Latitudes E6440 and E7440 · 6755d937
      Pali Rohár authored
      commit a7ef82ae upstream.
      
      Sometimes on Dell Latitude laptops psmouse/alps driver receive invalid ALPS
      protocol V3 packets with bit7 set in last byte. More often it can be
      reproduced on Dell Latitude E6440 or E7440 with closed lid and pushing
      cover above touchpad.
      
      If bit7 in last packet byte is set then it is not valid ALPS packet. I was
      told that ALPS devices never send these packets. It is not know yet who
      send those packets, it could be Dell EC, bug in BIOS and also bug in
      touchpad firmware...
      
      With this patch alps driver does not process those invalid packets, but
      instead of reporting PSMOUSE_BAD_DATA, getting into out of sync state,
      getting back in sync with the next byte and spam dmesg we return
      PSMOUSE_FULL_PACKET. If driver is truly out of sync we'll fail the checks
      on the next byte and report PSMOUSE_BAD_DATA then.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6755d937
    • Tang Chen's avatar
      mem-hotplug: reset node present pages when hot-adding a new pgdat · c8d462c8
      Tang Chen authored
      commit 0bd85420 upstream.
      
      When memory is hot-added, all the memory is in offline state.  So clear
      all zones' present_pages because they will be updated in online_pages()
      and offline_pages().  Otherwise, /proc/zoneinfo will corrupt:
      
      When the memory of node2 is offline:
      
        # cat /proc/zoneinfo
        ......
        Node 2, zone   Movable
        ......
              spanned  8388608
              present  8388608
              managed  0
      
      When we online memory on node2:
      
        # cat /proc/zoneinfo
        ......
        Node 2, zone   Movable
        ......
              spanned  8388608
              present  16777216
              managed  8388608
      Signed-off-by: default avatarTang Chen <tangchen@cn.fujitsu.com>
      Reviewed-by: default avatarYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c8d462c8
    • Tang Chen's avatar
      mem-hotplug: reset node managed pages when hot-adding a new pgdat · 0cc5277d
      Tang Chen authored
      commit f784a3f1 upstream.
      
      In free_area_init_core(), zone->managed_pages is set to an approximate
      value for lowmem, and will be adjusted when the bootmem allocator frees
      pages into the buddy system.
      
      But free_area_init_core() is also called by hotadd_new_pgdat() when
      hot-adding memory.  As a result, zone->managed_pages of the newly added
      node's pgdat is set to an approximate value in the very beginning.
      
      Even if the memory on that node has node been onlined,
      /sys/device/system/node/nodeXXX/meminfo has wrong value:
      
        hot-add node2 (memory not onlined)
        cat /sys/device/system/node/node2/meminfo
        Node 2 MemTotal:       33554432 kB
        Node 2 MemFree:               0 kB
        Node 2 MemUsed:        33554432 kB
        Node 2 Active:                0 kB
      
      This patch fixes this problem by reset node managed pages to 0 after
      hot-adding a new node.
      
      1. Move reset_managed_pages_done from reset_node_managed_pages() to
         reset_all_zones_managed_pages()
      2. Make reset_node_managed_pages() non-static
      3. Call reset_node_managed_pages() in hotadd_new_pgdat() after pgdat
         is initialized
      Signed-off-by: default avatarTang Chen <tangchen@cn.fujitsu.com>
      Signed-off-by: default avatarYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0cc5277d