1. 14 Apr, 2015 40 commits
    • Daniel Borkmann's avatar
      net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks · b0f741c5
      Daniel Borkmann authored
      commit 9de7922b upstream.
      
      Commit 6f4c618d ("SCTP : Add paramters validity check for
      ASCONF chunk") added basic verification of ASCONF chunks, however,
      it is still possible to remotely crash a server by sending a
      special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
      
      skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
       head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
       end:0x440 dev:<NULL>
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:129!
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff8144fb1c>] skb_put+0x5c/0x70
       [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
       [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
       [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
       [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
       [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
       [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
       [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
       [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
       [<ffffffff81496ac5>] ip_rcv+0x275/0x350
       [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
       [<ffffffff81460588>] netif_receive_skb+0x58/0x60
      
      This can be triggered e.g., through a simple scripted nmap
      connection scan injecting the chunk after the handshake, for
      example, ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ------------------ ASCONF; UNKNOWN ------------------>
      
      ... where ASCONF chunk of length 280 contains 2 parameters ...
      
        1) Add IP address parameter (param length: 16)
        2) Add/del IP address parameter (param length: 255)
      
      ... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
      Address Parameter in the ASCONF chunk is even missing, too.
      This is just an example and similarly-crafted ASCONF chunks
      could be used just as well.
      
      The ASCONF chunk passes through sctp_verify_asconf() as all
      parameters passed sanity checks, and after walking, we ended
      up successfully at the chunk end boundary, and thus may invoke
      sctp_process_asconf(). Parameter walking is done with
      WORD_ROUND() to take padding into account.
      
      In sctp_process_asconf()'s TLV processing, we may fail in
      sctp_process_asconf_param() e.g., due to removal of the IP
      address that is also the source address of the packet containing
      the ASCONF chunk, and thus we need to add all TLVs after the
      failure to our ASCONF response to remote via helper function
      sctp_add_asconf_response(), which basically invokes a
      sctp_addto_chunk() adding the error parameters to the given
      skb.
      
      When walking to the next parameter this time, we proceed
      with ...
      
        length = ntohs(asconf_param->param_hdr.length);
        asconf_param = (void *)asconf_param + length;
      
      ... instead of the WORD_ROUND()'ed length, thus resulting here
      in an off-by-one that leads to reading the follow-up garbage
      parameter length of 12336, and thus throwing an skb_over_panic
      for the reply when trying to sctp_addto_chunk() next time,
      which implicitly calls the skb_put() with that length.
      
      Fix it by using sctp_walk_params() [ which is also used in
      INIT parameter processing ] macro in the verification *and*
      in ASCONF processing: it will make sure we don't spill over,
      that we walk parameters WORD_ROUND()'ed. Moreover, we're being
      more defensive and guard against unknown parameter types and
      missized addresses.
      
      Joint work with Vlad Yasevich.
      
      Fixes: b896b82b ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      b0f741c5
    • Daniel Borkmann's avatar
      net: sctp: fix panic on duplicate ASCONF chunks · d3fdf674
      Daniel Borkmann authored
      commit b69040d8 upstream.
      
      When receiving a e.g. semi-good formed connection scan in the
      form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---------------- ASCONF_a; ASCONF_b ----------------->
      
      ... where ASCONF_a equals ASCONF_b chunk (at least both serials
      need to be equal), we panic an SCTP server!
      
      The problem is that good-formed ASCONF chunks that we reply with
      ASCONF_ACK chunks are cached per serial. Thus, when we receive a
      same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
      not need to process them again on the server side (that was the
      idea, also proposed in the RFC). Instead, we know it was cached
      and we just resend the cached chunk instead. So far, so good.
      
      Where things get nasty is in SCTP's side effect interpreter, that
      is, sctp_cmd_interpreter():
      
      While incoming ASCONF_a (chunk = event_arg) is being marked
      !end_of_packet and !singleton, and we have an association context,
      we do not flush the outqueue the first time after processing the
      ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
      queued up, although we set local_cork to 1. Commit 2e3216cd
      changed the precedence, so that as long as we get bundled, incoming
      chunks we try possible bundling on outgoing queue as well. Before
      this commit, we would just flush the output queue.
      
      Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
      continue to process the same ASCONF_b chunk from the packet. As
      we have cached the previous ASCONF_ACK, we find it, grab it and
      do another SCTP_CMD_REPLY command on it. So, effectively, we rip
      the chunk->list pointers and requeue the same ASCONF_ACK chunk
      another time. Since we process ASCONF_b, it's correctly marked
      with end_of_packet and we enforce an uncork, and thus flush, thus
      crashing the kernel.
      
      Fix it by testing if the ASCONF_ACK is currently pending and if
      that is the case, do not requeue it. When flushing the output
      queue we may relink the chunk for preparing an outgoing packet,
      but eventually unlink it when it's copied into the skb right
      before transmission.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      d3fdf674
    • Linus Torvalds's avatar
      vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS · 203ce0b2
      Linus Torvalds authored
      commit 9c145c56 upstream.
      
      The stack guard page error case has long incorrectly caused a SIGBUS
      rather than a SIGSEGV, but nobody actually noticed until commit
      fee7e49d ("mm: propagate error from stack expansion even for guard
      page") because that error case was never actually triggered in any
      normal situations.
      
      Now that we actually report the error, people noticed the wrong signal
      that resulted.  So far, only the test suite of libsigsegv seems to have
      actually cared, but there are real applications that use libsigsegv, so
      let's not wait for any of those to break.
      Reported-and-tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: default avatarJan Engelhardt <jengelh@inai.de>
      Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> # "s390 still compiles and boots"
      Cc: linux-arch@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      203ce0b2
    • Linus Torvalds's avatar
      vm: add VM_FAULT_SIGSEGV handling support · a10ca0db
      Linus Torvalds authored
      commit 33692f27 upstream.
      
      The core VM already knows about VM_FAULT_SIGBUS, but cannot return a
      "you should SIGSEGV" error, because the SIGSEGV case was generally
      handled by the caller - usually the architecture fault handler.
      
      That results in lots of duplication - all the architecture fault
      handlers end up doing very similar "look up vma, check permissions, do
      retries etc" - but it generally works.  However, there are cases where
      the VM actually wants to SIGSEGV, and applications _expect_ SIGSEGV.
      
      In particular, when accessing the stack guard page, libsigsegv expects a
      SIGSEGV.  And it usually got one, because the stack growth is handled by
      that duplicated architecture fault handler.
      
      However, when the generic VM layer started propagating the error return
      from the stack expansion in commit fee7e49d ("mm: propagate error
      from stack expansion even for guard page"), that now exposed the
      existing VM_FAULT_SIGBUS result to user space.  And user space really
      expected SIGSEGV, not SIGBUS.
      
      To fix that case, we need to add a VM_FAULT_SIGSEGV, and teach all those
      duplicate architecture fault handlers about it.  They all already have
      the code to handle SIGSEGV, so it's about just tying that new return
      value to the existing code, but it's all a bit annoying.
      
      This is the mindless minimal patch to do this.  A more extensive patch
      would be to try to gather up the mostly shared fault handling logic into
      one generic helper routine, and long-term we really should do that
      cleanup.
      
      Just from this patch, you can generally see that most architectures just
      copied (directly or indirectly) the old x86 way of doing things, but in
      the meantime that original x86 model has been improved to hold the VM
      semaphore for shorter times etc and to handle VM_FAULT_RETRY and other
      "newer" things, so it would be a good idea to bring all those
      improvements to the generic case and teach other architectures about
      them too.
      Reported-and-tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: default avatarJan Engelhardt <jengelh@inai.de>
      Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> # "s390 still compiles and boots"
      Cc: linux-arch@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2:
       - Adjust filenames, context
       - Drop arc, metag, nios2 and lustre changes
       - For sh, patch both 32-bit and 64-bit implementations to use goto bad_area
       - For s390, pass int_code and trans_exc_code as arguments to do_no_context()
         and do_sigsegv()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      [lizf: Backported to 3.4:
       - adjust context in arch/power/mm/fault.c
       - apply the original change in upstream commit for s390]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      a10ca0db
    • Hannes Frederic Sowa's avatar
      ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too · 6c7738f3
      Hannes Frederic Sowa authored
      commit 6e9e16e6 upstream.
      
      Lubomir Rintel reported that during replacing a route the interface
      reference counter isn't correctly decremented.
      
      To quote bug <https://bugzilla.kernel.org/show_bug.cgi?id=91941>:
      | [root@rhel7-5 lkundrak]# sh -x lal
      | + ip link add dev0 type dummy
      | + ip link set dev0 up
      | + ip link add dev1 type dummy
      | + ip link set dev1 up
      | + ip addr add 2001:db8:8086::2/64 dev dev0
      | + ip route add 2001:db8:8086::/48 dev dev0 proto static metric 20
      | + ip route add 2001:db8:8088::/48 dev dev1 proto static metric 10
      | + ip route replace 2001:db8:8086::/48 dev dev1 proto static metric 20
      | + ip link del dev0 type dummy
      | Message from syslogd@rhel7-5 at Jan 23 10:54:41 ...
      |  kernel:unregister_netdevice: waiting for dev0 to become free. Usage count = 2
      |
      | Message from syslogd@rhel7-5 at Jan 23 10:54:51 ...
      |  kernel:unregister_netdevice: waiting for dev0 to become free. Usage count = 2
      
      During replacement of a rt6_info we must walk all parent nodes and check
      if the to be replaced rt6_info got propagated. If so, replace it with
      an alive one.
      
      Fixes: 4a287eba ("IPv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support, warn about missing CREATE flag")
      Reported-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Tested-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      6c7738f3
    • Daniel Borkmann's avatar
      net: sctp: fix slab corruption from use after free on INIT collisions · 0565f436
      Daniel Borkmann authored
      commit 600ddd68 upstream.
      
      When hitting an INIT collision case during the 4WHS with AUTH enabled, as
      already described in detail in commit 1be9a950 ("net: sctp: inherit
      auth_capable on INIT collisions"), it can happen that we occasionally
      still remotely trigger the following panic on server side which seems to
      have been uncovered after the fix from commit 1be9a950 ...
      
      [  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
      [  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
      [  533.940559] PGD 5030f2067 PUD 0
      [  533.957104] Oops: 0000 [#1] SMP
      [  533.974283] Modules linked in: sctp mlx4_en [...]
      [  534.939704] Call Trace:
      [  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
      [  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
      [  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
      [  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
      [  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
      [  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
      [  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
      [  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
      
      ... or depending on the the application, for example this one:
      
      [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
      [ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
      [ 1370.054568] PGD 633c94067 PUD 0
      [ 1370.070446] Oops: 0000 [#1] SMP
      [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
      [ 1370.963431] Call Trace:
      [ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
      [ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
      [ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
      [ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
      [ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
      
      With slab debugging enabled, we can see that the poison has been overwritten:
      
      [  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
      [  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
      [  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
      [  669.826424]  __slab_alloc+0x4bf/0x566
      [  669.826433]  __kmalloc+0x280/0x310
      [  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
      [  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
      [  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
      [  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
      [  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
      [  669.826635]  __slab_free+0x39/0x2a8
      [  669.826643]  kfree+0x1d6/0x230
      [  669.826650]  kzfree+0x31/0x40
      [  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
      [  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
      [  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]
      
      Since this only triggers in some collision-cases with AUTH, the problem at
      heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
      when having refcnt 1, once directly in sctp_assoc_update() and yet again
      from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
      the already kzfree'd memory, which is also consistent with the observation
      of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
      at a later point in time when poison is checked on new allocation).
      
      Reference counting of auth keys revisited:
      
      Shared keys for AUTH chunks are being stored in endpoints and associations
      in endpoint_shared_keys list. On endpoint creation, a null key is being
      added; on association creation, all endpoint shared keys are being cached
      and thus cloned over to the association. struct sctp_shared_key only holds
      a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
      keeps track of users internally through refcounting. Naturally, on assoc
      or enpoint destruction, sctp_shared_key are being destroyed directly and
      the reference on sctp_auth_bytes dropped.
      
      User space can add keys to either list via setsockopt(2) through struct
      sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
      adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
      with refcount 1 and in case of replacement drops the reference on the old
      sctp_auth_bytes. A key can be set active from user space through setsockopt()
      on the id via sctp_auth_set_active_key(), which iterates through either
      endpoint_shared_keys and in case of an assoc, invokes (one of various places)
      sctp_auth_asoc_init_active_key().
      
      sctp_auth_asoc_init_active_key() computes the actual secret from local's
      and peer's random, hmac and shared key parameters and returns a new key
      directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
      the reference if there was a previous one. The secret, which where we
      eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
      intitial refcount of 1, which also stays unchanged eventually in
      sctp_assoc_update(). This key is later being used for crypto layer to
      set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
      
      To close the loop: asoc->asoc_shared_key is freshly allocated secret
      material and independant of the sctp_shared_key management keeping track
      of only shared keys in endpoints and assocs. Hence, also commit 4184b2a7
      ("net: sctp: fix memory leak in auth key management") is independant of
      this bug here since it concerns a different layer (though same structures
      being used eventually). asoc->asoc_shared_key is reference dropped correctly
      on assoc destruction in sctp_association_free() and when active keys are
      being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
      of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
      to remove that sctp_auth_key_put() from there which fixes these panics.
      
      Fixes: 730fc3d0 ("[SCTP]: Implete SCTP-AUTH parameter processing")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      0565f436
    • Clemens Ladisch's avatar
      ALSA: seq-dummy: remove deadlock-causing events on close · 612dcf53
      Clemens Ladisch authored
      commit 0767e95b upstream.
      
      When the last subscriber to a "Through" port has been removed, the
      subscribed destination ports might still be active, so it would be
      wrong to send "all sounds off" and "reset controller" events to them.
      The proper place for such a shutdown would be the closing of the actual
      MIDI port (and close_substream() in rawmidi.c already can do this).
      
      This also fixes a deadlock when dummy_unuse() tries to send events to
      its own port that is already locked because it is being freed.
      Reported-by: default avatarPeter Billam <peter@www.pjb.com.au>
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      612dcf53
    • Bob Paauwe's avatar
      drm/i915: Only fence tiled region of object. · 0f1de5af
      Bob Paauwe authored
      commit af1a7301 upstream.
      
      When creating a fence for a tiled object, only fence the area that
      makes up the actual tiles.  The object may be larger than the tiled
      area and if we allow those extra addresses to be fenced, they'll
      get converted to addresses beyond where the object is mapped. This
      opens up the possiblity of writes beyond the end of object.
      
      To prevent this, we adjust the size of the fence to only encompass
      the area that makes up the actual tiles.  The extra space is considered
      un-tiled and now behaves as if it was a linear object.
      
      Testcase: igt/gem_tiled_fence_overflow
      Reported-by: default avatarDan Hettena <danh@ghs.com>
      Signed-off-by: default avatarBob Paauwe <bob.j.paauwe@intel.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      [lizf: Backported to 3.4:
       - adjust context
       - adjust indentation
       - make the same change to both sandybridge_write_fence_reg()
         and i965_write_fence_reg()]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      0f1de5af
    • Macpaul Lin's avatar
      USB: Add OTG PET device to TPL · 97fa724b
      Macpaul Lin authored
      commit e5dff0e8 upstream.
      
      OTG device shall support this device for allowing compliance automated testing.
      The modification is derived from Pavankumar and Vijayavardhans' previous work.
      Signed-off-by: default avatarMacpaul Lin <macpaul@gmail.com>
      Cc: Pavankumar Kondeti <pkondeti@codeaurora.org>
      Cc: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      97fa724b
    • James P Michels III's avatar
      usb-core bInterval quirk · 7583c9fa
      James P Michels III authored
      commit cd83ce9e upstream.
      
      This patch adds a usb quirk to support devices with interupt endpoints
      and bInterval values expressed as microframes. The quirk causes the
      parse endpoint function to modify the reported bInterval to a standards
      conforming value.
      
      There is currently code in the endpoint parser that checks for
      bIntervals that are outside of the valid range (1-16 for USB 2+ high
      speed and super speed interupt endpoints). In this case, the code assumes
      the bInterval is being reported in 1ms frames. As well, the correction
      is only applied if the original bInterval value is out of the 1-16 range.
      
      With this quirk applied to the device, the bInterval will be
      accurately adjusted from microframes to an exponent.
      Signed-off-by: default avatarJames P Michels III <james.p.michels@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      7583c9fa
    • Dmitry Nezhevenko's avatar
      usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller · d6d1536d
      Dmitry Nezhevenko authored
      commit bf5c4136 upstream.
      
      It looks like FUA support is broken on JMicron 152d:2566 bridge:
      
      [223159.885704] sd 7:0:0:0: [sdc] Write Protect is off
      [223159.885706] sd 7:0:0:0: [sdc] Mode Sense: 47 00 10 08
      [223159.885942] sd 7:0:0:0: [sdc] Write cache: enabled, read cache: enabled, supports DPO and FUA
      
      [223283.691677] sd 7:0:0:0: [sdc]
      [223283.691680] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [223283.691681] sd 7:0:0:0: [sdc]
      [223283.691682] Sense Key : Illegal Request [current]
      [223283.691684] sd 7:0:0:0: [sdc]
      [223283.691685] Add. Sense: Invalid field in cdb
      [223283.691686] sd 7:0:0:0: [sdc] CDB:
      [223283.691687] Write(10): 2a 08 15 d0 83 0d 00 00 01 00
      [223283.691690] blk_update_request: critical target error, dev sdc, sector 2927892584
      
      This patch adds blacklist flag so that sd will not use FUA
      Signed-off-by: default avatarDmitry Nezhevenko <dion@dion.org.ua>
      Cc: Phil Dibowitz <phil@ipom.com>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      d6d1536d
    • Alan Stern's avatar
      usb-storage/SCSI: Add broken_fua blacklist flag · ef978a9d
      Alan Stern authored
      commit b14bf2d0 upstream.
      
      Some buggy JMicron USB-ATA bridges don't know how to translate the FUA
      bit in READs or WRITEs.  This patch adds an entry in unusual_devs.h
      and a blacklist flag to tell the sd driver not to use FUA.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarMichael Büsch <m@bues.ch>
      Tested-by: default avatarMichael Büsch <m@bues.ch>
      Acked-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
      CC: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      ef978a9d
    • Johannes Berg's avatar
      nl80211: fix per-station group key get/del and memory leak · 89f1d011
      Johannes Berg authored
      commit 0fa7b391 upstream.
      
      In case userspace attempts to obtain key information for or delete a
      unicast key, this is currently erroneously rejected unless the driver
      sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
      was never noticed.
      
      Fix that, and while at it fix a potential memory leak: the error path
      in the get_key() function was placed after allocating a message but
      didn't free it - move it to a better place. Luckily admin permissions
      are needed to call this operation.
      
      Fixes: e31b8213 ("cfg80211/mac80211: allow per-station GTKs")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      89f1d011
    • Laurent Dufour's avatar
      powerpc/xmon: Fix another endiannes issue in RTAS call from xmon · f720cca4
      Laurent Dufour authored
      commit e6eb2eba upstream.
      
      The commit 3b8a3c01 ("powerpc/pseries: Fix endiannes issue in RTAS
      call from xmon") was fixing an endianness issue in the call made from
      xmon to RTAS.
      
      However, as Michael Ellerman noticed, this fix was not complete, the
      token value was not byte swapped. This lead to call an unexpected and
      most of the time unexisting RTAS function, which is silently ignored by
      RTAS.
      
      This fix addresses this hole.
      Reported-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarLaurent Dufour <ldufour@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      f720cca4
    • Ashay Jaiswal's avatar
      regulator: core: fix race condition in regulator_put() · 8f108b36
      Ashay Jaiswal authored
      commit 83b0302d upstream.
      
      The regulator framework maintains a list of consumer regulators
      for a regulator device and protects it from concurrent access using
      the regulator device's mutex lock.
      
      In the case of regulator_put() the consumer is removed and regulator
      device's parameters are updated without holding the regulator device's
      mutex. This would lead to a race condition between the regulator_put()
      and any function which traverses the consumer list or modifies regulator
      device's parameters.
      Fix this race condition by holding the regulator device's mutex in case
      of regulator_put.
      Signed-off-by: default avatarAshay Jaiswal <ashayj@codeaurora.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      [lizf: Backported to 3.4:
       - adjust context
       - no need to change the comment]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      8f108b36
    • Zidan Wang's avatar
      ASoC: wm8960: Fix capture sample rate from 11250 to 11025 · 7845365e
      Zidan Wang authored
      commit 22ee76da upstream.
      
      wm8960 codec can't support sample rate 11250, it must be 11025.
      Signed-off-by: default avatarZidan Wang <b50113@freescale.com>
      Acked-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      7845365e
    • Andy Shevchenko's avatar
      spi: dw-mid: fix FIFO size · f137e937
      Andy Shevchenko authored
      commit 67bf9cda upstream.
      
      The FIFO size is 40 accordingly to the specifications, but this means 0x40,
      i.e. 64 bytes. This patch fixes the typo and enables FIFO size autodetection
      for Intel MID devices.
      
      Fixes: 7063c0d9 (spi/dw_spi: add DMA support)
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      f137e937
    • Axel Lin's avatar
      spi: dw: Fix detecting FIFO depth · 322c22aa
      Axel Lin authored
      commit d297933c upstream.
      
      Current code tries to find the highest valid fifo depth by checking the value
      it wrote to DW_SPI_TXFLTR. There are a few problems in current code:
      1) There is an off-by-one in dws->fifo_len setting because it assumes the latest
         register write fails so the latest valid value should be fifo - 1.
      2) We know the depth could be from 2 to 256 from HW spec, so it is not necessary
         to test fifo == 257. In the case fifo is 257, it means the latest valid
         setting is fifo = 256. So after the for loop iteration, we should check
         fifo == 2 case instead of fifo == 257 if detecting the FIFO depth fails.
      This patch fixes above issues.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Reviewed-and-tested-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      322c22aa
    • K. Y. Srinivasan's avatar
      x86, hyperv: Mark the Hyper-V clocksource as being continuous · b447eaa7
      K. Y. Srinivasan authored
      commit 32c6590d upstream.
      
      The Hyper-V clocksource is continuous; mark it accordingly.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Acked-by: jasowang@redhat.com
      Cc: gregkh@linuxfoundation.org
      Cc: devel@linuxdriverproject.org
      Cc: olaf@aepfle.de
      Cc: apw@canonical.com
      Link: http://lkml.kernel.org/r/1421108762-3331-1-git-send-email-kys@microsoft.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      b447eaa7
    • David Jeffery's avatar
      libata: prevent HSM state change race between ISR and PIO · dc3aaeef
      David Jeffery authored
      commit ce751452 upstream.
      
      It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to
      HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE
      and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
      
      This problem is hard to reproduce making this patch hard to verify, but this
      fix will prevent the race.
      
      I have not been able to reproduce the problem, but here is a crash dump from
      a 2.6.32 kernel.
      
      On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE:
      
      crash> struct ata_port.hsm_task_state ffff881c1121c000
        hsm_task_state = 0
      
      Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(),
      which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value.
      
      PID: 11053  TASK: ffff8816e846cae0  CPU: 0   COMMAND: "sshd"
       #0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b
       #1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92
       #2 [ffff88008ba03a90] oops_end at ffffffff8152b510
       #3 [ffff88008ba03ac0] die at ffffffff81010e0b
       #4 [ffff88008ba03af0] do_trap at ffffffff8152ad74
       #5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95
       #6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b
          [exception RIP: ata_sff_hsm_move+317]
          RIP: ffffffff813a77ad  RSP: ffff88008ba03ca0  RFLAGS: 00010097
          RAX: 0000000000000000  RBX: ffff881c1121dc60  RCX: 0000000000000000
          RDX: ffff881c1121dd10  RSI: ffff881c1121dc60  RDI: ffff881c1121c000
          RBP: ffff88008ba03d00   R8: 0000000000000000   R9: 000000000000002e
          R10: 000000000001003f  R11: 000000000000009b  R12: ffff881c1121c000
          R13: 0000000000000000  R14: 0000000000000050  R15: ffff881c1121dd78
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd
       #8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e
       #9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0
      dc3aaeef
    • Michael Karcher's avatar
      scripts/recordmcount.pl: There is no -m32 gcc option on Super-H anymore · 81bd39b0
      Michael Karcher authored
      commit 1caf6aaa upstream.
      
      Compiling SH with gcc-4.8 fails due to the -m32 option not being
      supported.
      
      From http://buildd.debian-ports.org/status/fetch.php?pkg=linux&arch=sh4&ver=3.16.7-ckt4-1&stamp=1421425783
      
            CC      init/main.o
          gcc-4.8: error: unrecognized command line option '-m32'
          ld: cannot find init/.tmp_mc_main.o: No such file or directory
          objcopy: 'init/.tmp_mx_main.o': No such file
          rm: cannot remove 'init/.tmp_mx_main.o': No such file or directory
          rm: cannot remove 'init/.tmp_mc_main.o': No such file or directory
      
      Link: http://lkml.kernel.org/r/1421537778-29001-1-git-send-email-kernel@mkarcher.dialup.fu-berlin.de
      Link: http://lkml.kernel.org/r/54BCBDD4.10102@physik.fu-berlin.de
      
      Cc: Matt Fleming <matt@console-pimps.org>
      Reported-by: default avatarJohn Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
      Signed-off-by: default avatarMichael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      81bd39b0
    • Dan Williams's avatar
      libata: allow sata_sil24 to opt-out of tag ordered submission · 1e9ecb92
      Dan Williams authored
      commit 72dd299d upstream.
      
      Ronny reports: https://bugzilla.kernel.org/show_bug.cgi?id=87101
          "Since commit 8a4aeec8 "libata/ahci: accommodate tag ordered
          controllers" the access to the harddisk on the first SATA-port is
          failing on its first access. The access to the harddisk on the
          second port is working normal.
      
          When reverting the above commit, access to both harddisks is working
          fine again."
      
      Maintain tag ordered submission as the default, but allow sata_sil24 to
      continue with the old behavior.
      
      Cc: Tejun Heo <tj@kernel.org>
      Reported-by: default avatarRonny Hegewald <Ronny.Hegewald@online.de>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      1e9ecb92
    • Jason Lee Cragg's avatar
      a6887b40
    • Johan Hovold's avatar
      gpio: sysfs: fix gpio attribute-creation race · d77c3bbf
      Johan Hovold authored
      commit ebbeba12 upstream.
      
      Fix attribute-creation race with userspace by using the default group
      to create also the contingent gpio device attributes.
      
      Fixes: d8f388d8 ("gpio: sysfs interface")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [lizf:
       - adjust filename
       - call gpio_to_irq() instead of gpiod_to_irq]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      d77c3bbf
    • Johan Hovold's avatar
      gpio: sysfs: fix gpio device-attribute leak · d08ee685
      Johan Hovold authored
      commit 0915e6fe upstream.
      
      The gpio device attributes were never destroyed when the gpio was
      unexported (or on export failures).
      
      Use device_create_with_groups() to create the default device attributes
      of the gpio class device. Note that this also fixes the
      attribute-creation race with userspace for these attributes.
      
      Remove contingent attributes in export error path and on unexport.
      
      Fixes: d8f388d8 ("gpio: sysfs interface")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [lizf: Backported to 3.4:
       - adjust filename
       - adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      d08ee685
    • Ryan Mallon's avatar
      gpiolib: Refactor gpio_export · 5e4c2b6b
      Ryan Mallon authored
      commit fc4e2514 upstream.
      
      The gpio_export function uses nested if statements and the status
      variable to handle the failure cases. This makes the function logic
      difficult to follow. Refactor the code to abort immediately on failure
      using goto. This makes the code slightly longer, but significantly
      reduces the nesting and number of split lines and makes the code easier
      to read.
      Signed-off-by: default avatarRyan Mallon <rmallon@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      5e4c2b6b
    • Johan Hovold's avatar
      gpio: sysfs: fix gpio-chip device-attribute leak · 9ce63940
      Johan Hovold authored
      commit 121b6a79 upstream.
      
      The gpio-chip device attributes were never destroyed when the device was
      removed.
      
      Fix by using device_create_with_groups() to create the device attributes
      of the chip class device.
      
      Note that this also fixes the attribute-creation race with userspace.
      
      Fixes: d8f388d8 ("gpio: sysfs interface")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [lizf: Backported to 3.4: adjust filename]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      9ce63940
    • Guenter Roeck's avatar
      driver core: Introduce device_create_groups · 4ef74f7a
      Guenter Roeck authored
      commit 39ef3112 upstream.
      
      device_create_groups lets callers create devices as well as associated
      sysfs attributes with a single call. This avoids race conditions seen
      if sysfs attributes on new devices are created later.
      
      [fixed up comment block placement and add checks for printk buffer
      formats - gregkh]
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Cc: Jean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      4ef74f7a
    • Greg Kroah-Hartman's avatar
      sysfs.h: add ATTRIBUTE_GROUPS() macro · aa12b754
      Greg Kroah-Hartman authored
      commit f2f37f58 upstream.
      
      To make it easier for driver subsystems to work with attribute groups,
      create the ATTRIBUTE_GROUPS macro to remove some of the repetitive
      typing for the most common use for attribute groups.
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      aa12b754
    • Oliver Hartkopp's avatar
      can: dev: fix crtlmode_supported check · 5b724689
      Oliver Hartkopp authored
      commit 9b1087aa upstream.
      
      When changing flags in the CAN drivers ctrlmode the provided new content has to
      be checked whether the bits are allowed to be changed. The bits that are to be
      changed are given as a bitfield in cm->mask. Therefore checking against
      cm->flags is wrong as the content can hold any kind of values.
      
      The iproute2 tool sets the bits in cm->mask and cm->flags depending on the
      detected command line options. To be robust against bogus user space
      applications additionally sanitize the provided flags with the provided mask.
      
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      5b724689
    • Steven Rostedt (Red Hat)'s avatar
      ftrace/jprobes/x86: Fix conflict between jprobes and function graph tracing · 76b6793a
      Steven Rostedt (Red Hat) authored
      commit 237d28db upstream.
      
      If the function graph tracer traces a jprobe callback, the system will
      crash. This can easily be demonstrated by compiling the jprobe
      sample module that is in the kernel tree, loading it and running the
      function graph tracer.
      
       # modprobe jprobe_example.ko
       # echo function_graph > /sys/kernel/debug/tracing/current_tracer
       # ls
      
      The first two commands end up in a nice crash after the first fork.
      (do_fork has a jprobe attached to it, so "ls" just triggers that fork)
      
      The problem is caused by the jprobe_return() that all jprobe callbacks
      must end with. The way jprobes works is that the function a jprobe
      is attached to has a breakpoint placed at the start of it (or it uses
      ftrace if fentry is supported). The breakpoint handler (or ftrace callback)
      will copy the stack frame and change the ip address to return to the
      jprobe handler instead of the function. The jprobe handler must end
      with jprobe_return() which swaps the stack and does an int3 (breakpoint).
      This breakpoint handler will then put back the saved stack frame,
      simulate the instruction at the beginning of the function it added
      a breakpoint to, and then continue on.
      
      For function tracing to work, it hijakes the return address from the
      stack frame, and replaces it with a hook function that will trace
      the end of the call. This hook function will restore the return
      address of the function call.
      
      If the function tracer traces the jprobe handler, the hook function
      for that handler will not be called, and its saved return address
      will be used for the next function. This will result in a kernel crash.
      
      To solve this, pause function tracing before the jprobe handler is called
      and unpause it before it returns back to the function it probed.
      
      Some other updates:
      
      Used a variable "saved_sp" to hold kcb->jprobe_saved_sp. This makes the
      code look a bit cleaner and easier to understand (various tries to fix
      this bug required this change).
      
      Note, if fentry is being used, jprobes will change the ip address before
      the function graph tracer runs and it will not be able to trace the
      function that the jprobe is probing.
      
      Link: http://lkml.kernel.org/r/20150114154329.552437962@goodmis.orgAcked-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      [lizf: Backported to 3.4:
       - adjust filename
       - adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      76b6793a
    • Amit Virdi's avatar
      usb: dwc3: gadget: Stop TRB preparation after limit is reached · e82160b7
      Amit Virdi authored
      commit 39e60635 upstream.
      
      DWC3 gadget sets up a pool of 32 TRBs for each EP during initialization. This
      means, the max TRBs that can be submitted for an EP is fixed to 32. Since the
      request queue for an EP is a linked list, any number of requests can be queued
      to it by the gadget layer.  However, the dwc3 driver must not submit TRBs more
      than the pool it has created for. This limit wasn't respected when SG was used
      resulting in submitting more than the max TRBs, eventually leading to
      non-transfer of the TRBs submitted over the max limit.
      
      Root cause:
      When SG is used, there are two loops iterating to prepare TRBs:
       - Outer loop over the request_list
       - Inner loop over the SG list
      The code was missing break to get out of the outer loop.
      
      Fixes: eeb720fb (usb: dwc3: gadget: add support for SG lists)
      Signed-off-by: default avatarAmit Virdi <amit.virdi@st.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      e82160b7
    • Johan Hovold's avatar
      gpio: fix memory and reference leaks in gpiochip_add error path · a610d5d4
      Johan Hovold authored
      commit 5539b3c9 upstream.
      
      Memory allocated and references taken by of_gpiochip_add and
      acpi_gpiochip_add were never released on errors in gpiochip_add (e.g.
      failure to find free gpio range).
      
      Fixes: 391c970c ("of/gpio: add default of_xlate function if device
      has a node pointer")
      Fixes: 664e3e5a ("gpio / ACPI: register to ACPI events
      automatically")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [lizf: Backported to 3.4:
       - move the call to of_gpiochip_add() into the above if condition.
       - remove the call to acpi_gpiochip_remove()]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      a610d5d4
    • Konstantin Khlebnikov's avatar
      mm: fix corner case in anon_vma endless growing prevention · 8463d312
      Konstantin Khlebnikov authored
      commit b800c91a upstream.
      
      Fix for BUG_ON(anon_vma->degree) splashes in unlink_anon_vmas() ("kernel
      BUG at mm/rmap.c:399!") caused by commit 7a3ef208 ("mm: prevent
      endless growth of anon_vma hierarchy")
      
      Anon_vma_clone() is usually called for a copy of source vma in
      destination argument.  If source vma has anon_vma it should be already
      in dst->anon_vma.  NULL in dst->anon_vma is used as a sign that it's
      called from anon_vma_fork().  In this case anon_vma_clone() finds
      anon_vma for reusing.
      
      Vma_adjust() calls it differently and this breaks anon_vma reusing
      logic: anon_vma_clone() links vma to old anon_vma and updates degree
      counters but vma_adjust() overrides vma->anon_vma right after that.  As
      a result final unlink_anon_vmas() decrements degree for wrong anon_vma.
      
      This patch assigns ->anon_vma before calling anon_vma_clone().
      Signed-off-by: default avatarKonstantin Khlebnikov <koct9i@gmail.com>
      Reported-and-tested-by: default avatarChris Clayton <chris2553@googlemail.com>
      Reported-and-tested-by: default avatarOded Gabbay <oded.gabbay@amd.com>
      Reported-and-tested-by: default avatarChih-Wei Huang <cwhuang@android-x86.org>
      Acked-by: default avatarRik van Riel <riel@redhat.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Cc: Daniel Forrest <dan.forrest@ssec.wisc.edu>
      Cc: Michal Hocko <mhocko@suse.cz>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [lizf: Backported to 3.4: define variable @error and return this instead
       of returning -ENOMEM]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      8463d312
    • Linus Torvalds's avatar
      mm: Don't count the stack guard page towards RLIMIT_STACK · df5f1b2e
      Linus Torvalds authored
      commit 690eac53 upstream.
      
      Commit fee7e49d ("mm: propagate error from stack expansion even for
      guard page") made sure that we return the error properly for stack
      growth conditions.  It also theorized that counting the guard page
      towards the stack limit might break something, but also said "Let's see
      if anybody notices".
      
      Somebody did notice.  Apparently android-x86 sets the stack limit very
      close to the limit indeed, and including the guard page in the rlimit
      check causes the android 'zygote' process problems.
      
      So this adds the (fairly trivial) code to make the stack rlimit check be
      against the actual real stack size, rather than the size of the vma that
      includes the guard page.
      Reported-and-tested-by: default avatarChih-Wei Huang <cwhuang@android-x86.org>
      Cc: Jay Foad <jay.foad@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      df5f1b2e
    • Johan Hovold's avatar
      USB: console: fix potential use after free · 08424459
      Johan Hovold authored
      commit 32a4bf2e upstream.
      
      Use tty kref to release the fake tty in usb_console_setup to avoid use
      after free if the underlying serial driver has acquired a reference.
      
      Note that using the tty destructor release_one_tty requires some more
      state to be initialised.
      
      Fixes: 4a90f09b ("tty: usb-serial krefs")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      08424459
    • Arseny Solokha's avatar
      OHCI: add a quirk for ULi M5237 blocking on reset · 5281ada3
      Arseny Solokha authored
      commit 56abcab8 upstream.
      
      Commit 8dccddbc ("OHCI: final fix for NVIDIA problems (I hope)")
      introduced into 3.1.9 broke boot on e.g. Freescale P2020DS development
      board. The code path that was previously specific to NVIDIA controllers
      had then become taken for all chips.
      
      However, the M5237 installed on the board wedges solid when accessing
      its base+OHCI_FMINTERVAL register, making it impossible to boot any
      kernel newer than 3.1.8 on this particular and apparently other similar
      machines.
      
      Don't readl() and writel() base+OHCI_FMINTERVAL on PCI ID 10b9:5237.
      
      The patch is suitable for the -next tree as well as all maintained
      kernels up to 3.2 inclusive.
      Signed-off-by: default avatarArseny Solokha <asolokha@kb.kras.ru>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      5281ada3
    • Dan Carpenter's avatar
      HID: roccat: potential out of bounds in pyra_sysfs_write_settings() · 12594362
      Dan Carpenter authored
      commit 606185b2 upstream.
      
      This is a static checker fix.  We write some binary settings to the
      sysfs file.  One of the settings is the "->startup_profile".  There
      isn't any checking to make sure it fits into the
      pyra->profile_settings[] array in the profile_activated() function.
      
      I added a check to pyra_sysfs_write_settings() in both places because
      I wasn't positive that the other callers were correct.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      [lizf: Backported to 3.4: define the variable @settings]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      12594362
    • Johannes Weiner's avatar
      mm: protect set_page_dirty() from ongoing truncation · 7f1be7c6
      Johannes Weiner authored
      commit 2d6d7f98 upstream.
      
      Tejun, while reviewing the code, spotted the following race condition
      between the dirtying and truncation of a page:
      
      __set_page_dirty_nobuffers()       __delete_from_page_cache()
        if (TestSetPageDirty(page))
                                           page->mapping = NULL
      				     if (PageDirty())
      				       dec_zone_page_state(page, NR_FILE_DIRTY);
      				       dec_bdi_stat(mapping->backing_dev_info, BDI_RECLAIMABLE);
          if (page->mapping)
            account_page_dirtied(page)
              __inc_zone_page_state(page, NR_FILE_DIRTY);
      	__inc_bdi_stat(mapping->backing_dev_info, BDI_RECLAIMABLE);
      
      which results in an imbalance of NR_FILE_DIRTY and BDI_RECLAIMABLE.
      
      Dirtiers usually lock out truncation, either by holding the page lock
      directly, or in case of zap_pte_range(), by pinning the mapcount with
      the page table lock held.  The notable exception to this rule, though,
      is do_wp_page(), for which this race exists.  However, do_wp_page()
      already waits for a locked page to unlock before setting the dirty bit,
      in order to prevent a race where clear_page_dirty() misses the page bit
      in the presence of dirty ptes.  Upgrade that wait to a fully locked
      set_page_dirty() to also cover the situation explained above.
      
      Afterwards, the code in set_page_dirty() dealing with a truncation race
      is no longer needed.  Remove it.
      Reported-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [lizf: Backported to 3.4:
       - adjust context
       - use VM_BUG_ON() instead of VM_BUG_ON_PAGE()]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      7f1be7c6
    • Konstantin Khlebnikov's avatar
      mm: prevent endless growth of anon_vma hierarchy · 0b4f2ae7
      Konstantin Khlebnikov authored
      commit 7a3ef208 upstream.
      
      Constantly forking task causes unlimited grow of anon_vma chain.  Each
      next child allocates new level of anon_vmas and links vma to all
      previous levels because pages might be inherited from any level.
      
      This patch adds heuristic which decides to reuse existing anon_vma
      instead of forking new one.  It adds counter anon_vma->degree which
      counts linked vmas and directly descending anon_vmas and reuses anon_vma
      if counter is lower than two.  As a result each anon_vma has either vma
      or at least two descending anon_vmas.  In such trees half of nodes are
      leafs with alive vmas, thus count of anon_vmas is no more than two times
      bigger than count of vmas.
      
      This heuristic reuses anon_vmas as few as possible because each reuse
      adds false aliasing among vmas and rmap walker ought to scan more ptes
      when it searches where page is might be mapped.
      
      Link: http://lkml.kernel.org/r/20120816024610.GA5350@evergreen.ssec.wisc.edu
      Fixes: 5beb4930 ("mm: change anon_vma linking to fix multi-process server scalability issue")
      [akpm@linux-foundation.org: fix typo, per Rik]
      Signed-off-by: default avatarKonstantin Khlebnikov <koct9i@gmail.com>
      Reported-by: default avatarDaniel Forrest <dan.forrest@ssec.wisc.edu>
      Tested-by: default avatarMichal Hocko <mhocko@suse.cz>
      Tested-by: default avatarJerome Marchand <jmarchan@redhat.com>
      Reviewed-by: default avatarMichal Hocko <mhocko@suse.cz>
      Reviewed-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      0b4f2ae7