1. 07 Jun, 2017 40 commits
    • Johan Hovold's avatar
      Input: yealink - validate number of endpoints before using them · e121cd40
      Johan Hovold authored
      commit 5cc4a1a9 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: aca951a2 ("[PATCH] input-driver-yealink-P1K-usb-phone")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e121cd40
    • Johan Hovold's avatar
      Input: hanwang - validate number of endpoints before using them · ab84b30a
      Johan Hovold authored
      commit ba340d7b upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: bba5394a ("Input: add support for Hanwang tablets")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ab84b30a
    • Johan Hovold's avatar
      Input: ims-pcu - validate number of endpoints before using them · ec5cc03d
      Johan Hovold authored
      commit 1916d319 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack control-interface endpoints.
      
      Fixes: 628329d5 ("Input: add IMS Passenger Control Unit driver")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ec5cc03d
    • Andrey Ulanov's avatar
      net: unix: properly re-increment inflight counter of GC discarded candidates · e24a53af
      Andrey Ulanov authored
      commit 7df9c246 upstream.
      
      Dmitry has reported that a BUG_ON() condition in unix_notinflight()
      may be triggered by a simple code that forwards unix socket in an
      SCM_RIGHTS message.
      That is caused by incorrect unix socket GC implementation in unix_gc().
      
      The GC first collects list of candidates, then (a) decrements their
      "children's" inflight counter, (b) checks which inflight counters are
      now 0, and then (c) increments all inflight counters back.
      (a) and (c) are done by calling scan_children() with inc_inflight or
      dec_inflight as the second argument.
      
      Commit 6209344f ("net: unix: fix inflight counting bug in garbage
      collector") changed scan_children() such that it no longer considers
      sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
      of code that that unsets this flag _before_ invoking
      scan_children(, dec_iflight, ). This may lead to incorrect inflight
      counters for some sockets.
      
      This change fixes this bug by changing order of operations:
      UNIX_GC_CANDIDATE is now unset only after all inflight counters are
      restored to the original state.
      
        kernel BUG at net/unix/garbage.c:149!
        RIP: 0010:[<ffffffff8717ebf4>]  [<ffffffff8717ebf4>]
        unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
        Call Trace:
         [<ffffffff8716cfbf>] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
         [<ffffffff8716f6a9>] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
         [<ffffffff86a90a01>] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
         [<ffffffff86a9808a>] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
         [<ffffffff86a980ea>] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
         [<ffffffff86a98284>] kfree_skb+0x184/0x570 net/core/skbuff.c:705
         [<ffffffff871789d5>] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
         [<ffffffff87179039>] unix_release+0x49/0x90 net/unix/af_unix.c:836
         [<ffffffff86a694b2>] sock_release+0x92/0x1f0 net/socket.c:570
         [<ffffffff86a6962b>] sock_close+0x1b/0x20 net/socket.c:1017
         [<ffffffff81a76b8e>] __fput+0x34e/0x910 fs/file_table.c:208
         [<ffffffff81a771da>] ____fput+0x1a/0x20 fs/file_table.c:244
         [<ffffffff81483ab0>] task_work_run+0x1a0/0x280 kernel/task_work.c:116
         [<     inline     >] exit_task_work include/linux/task_work.h:21
         [<ffffffff8141287a>] do_exit+0x183a/0x2640 kernel/exit.c:828
         [<ffffffff8141383e>] do_group_exit+0x14e/0x420 kernel/exit.c:931
         [<ffffffff814429d3>] get_signal+0x663/0x1880 kernel/signal.c:2307
         [<ffffffff81239b45>] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
         [<ffffffff8100666a>] exit_to_usermode_loop+0x1ea/0x2d0
        arch/x86/entry/common.c:156
         [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
         [<ffffffff81009693>] syscall_return_slowpath+0x4d3/0x570
        arch/x86/entry/common.c:259
         [<ffffffff881478e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
      
      Link: https://lkml.org/lkml/2017/3/6/252Signed-off-by: default avatarAndrey Ulanov <andreyu@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: 6209344f ("net: unix: fix inflight counting bug in garbage collector")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e24a53af
    • Eric Dumazet's avatar
      net: properly release sk_frag.page · de9d09c3
      Eric Dumazet authored
      commit 22a0e18e upstream.
      
      I mistakenly added the code to release sk->sk_frag in
      sk_common_release() instead of sk_destruct()
      
      TCP sockets using sk->sk_allocation == GFP_ATOMIC do no call
      sk_common_release() at close time, thus leaking one (order-3) page.
      
      iSCSI is using such sockets.
      
      Fixes: 5640f768 ("net: use a per task frag allocator")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      de9d09c3
    • Dan Streetman's avatar
      xen: do not re-use pirq number cached in pci device msi msg data · d7a68428
      Dan Streetman authored
      commit c74fd80f upstream.
      
      Revert the main part of commit:
      af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      
      That commit introduced reading the pci device's msi message data to see
      if a pirq was previously configured for the device's msi/msix, and re-use
      that pirq.  At the time, that was the correct behavior.  However, a
      later change to Qemu caused it to call into the Xen hypervisor to unmap
      all pirqs for a pci device, when the pci device disables its MSI/MSIX
      vectors; specifically the Qemu commit:
      c976437c7dba9c7444fb41df45468968aaa326ad
      ("qemu-xen: free all the pirqs for msi/msix when driver unload")
      
      Once Qemu added this pirq unmapping, it was no longer correct for the
      kernel to re-use the pirq number cached in the pci device msi message
      data.  All Qemu releases since 2.1.0 contain the patch that unmaps the
      pirqs when the pci device disables its MSI/MSIX vectors.
      
      This bug is causing failures to initialize multiple NVMe controllers
      under Xen, because the NVMe driver sets up a single MSIX vector for
      each controller (concurrently), and then after using that to talk to
      the controller for some configuration data, it disables the single MSIX
      vector and re-configures all the MSIX vectors it needs.  So the MSIX
      setup code tries to re-use the cached pirq from the first vector
      for each controller, but the hypervisor has already given away that
      pirq to another controller, and its initialization fails.
      
      This is discussed in more detail at:
      https://lists.xen.org/archives/html/xen-devel/2017-01/msg00447.html
      
      Fixes: af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      Signed-off-by: default avatarDan Streetman <dan.streetman@canonical.com>
      Reviewed-by: default avatarStefano Stabellini <sstabellini@kernel.org>
      Acked-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      d7a68428
    • Johan Hovold's avatar
      isdn/gigaset: fix NULL-deref at probe · 47bad919
      Johan Hovold authored
      commit 68c32f9c upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: cf7776dc ("[PATCH] isdn4linux: Siemens Gigaset drivers - direct USB connection")
      Cc: Hansjoerg Lipp <hjlipp@web.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      47bad919
    • Peter Zijlstra's avatar
      perf/core: Fix event inheritance on fork() · 1e0d06b2
      Peter Zijlstra authored
      commit e7cc4865 upstream.
      
      While hunting for clues to a use-after-free, Oleg spotted that
      perf_event_init_context() can loose an error value with the result
      that fork() can succeed even though we did not fully inherit the perf
      event context.
      Spotted-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: oleg@redhat.com
      Fixes: 889ff015 ("perf/core: Split context's event group list into pinned and non-pinned lists")
      Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      1e0d06b2
    • Roman Mashak's avatar
      net sched actions: decrement module reference count after table flush. · 20af6b40
      Roman Mashak authored
      commit edb9d1bf upstream.
      
      When tc actions are loaded as a module and no actions have been installed,
      flushing them would result in actions removed from the memory, but modules
      reference count not being decremented, so that the modules would not be
      unloaded.
      
      Following is example with GACT action:
      
      % sudo modprobe act_gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions ls action gact
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  1
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  2
      % sudo rmmod act_gact
      rmmod: ERROR: Module act_gact is in use
      ....
      
      After the fix:
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions add action pass index 1
      % sudo tc actions add action pass index 2
      % sudo tc actions add action pass index 3
      % lsmod
      Module                  Size  Used by
      act_gact               16384  3
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      % sudo rmmod act_gact
      % lsmod
      Module                  Size  Used by
      %
      
      Fixes: f97017cd ("net-sched: Fix actions flushing")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Signed-off-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      20af6b40
    • Jon Maxwell's avatar
      dccp/tcp: fix routing redirect race · 29c4bf40
      Jon Maxwell authored
      commit 45caeaa5 upstream.
      
      As Eric Dumazet pointed out this also needs to be fixed in IPv6.
      v2: Contains the IPv6 tcp/Ipv6 dccp patches as well.
      
      We have seen a few incidents lately where a dst_enty has been freed
      with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that
      dst_entry. If the conditions/timings are right a crash then ensues when the
      freed dst_entry is referenced later on. A Common crashing back trace is:
      
       #8 [] page_fault at ffffffff8163e648
          [exception RIP: __tcp_ack_snd_check+74]
      .
      .
       #9 [] tcp_rcv_established at ffffffff81580b64
      #10 [] tcp_v4_do_rcv at ffffffff8158b54a
      #11 [] tcp_v4_rcv at ffffffff8158cd02
      #12 [] ip_local_deliver_finish at ffffffff815668f4
      #13 [] ip_local_deliver at ffffffff81566bd9
      #14 [] ip_rcv_finish at ffffffff8156656d
      #15 [] ip_rcv at ffffffff81566f06
      #16 [] __netif_receive_skb_core at ffffffff8152b3a2
      #17 [] __netif_receive_skb at ffffffff8152b608
      #18 [] netif_receive_skb at ffffffff8152b690
      #19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3]
      #20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3]
      #21 [] net_rx_action at ffffffff8152bac2
      #22 [] __do_softirq at ffffffff81084b4f
      #23 [] call_softirq at ffffffff8164845c
      #24 [] do_softirq at ffffffff81016fc5
      #25 [] irq_exit at ffffffff81084ee5
      #26 [] do_IRQ at ffffffff81648ff8
      
      Of course it may happen with other NIC drivers as well.
      
      It's found the freed dst_entry here:
      
       224 static bool tcp_in_quickack_mode(struct sock *sk)↩
       225 {↩
       226 ▹       const struct inet_connection_sock *icsk = inet_csk(sk);↩
       227 ▹       const struct dst_entry *dst = __sk_dst_get(sk);↩
       228 ↩
       229 ▹       return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩
       230 ▹       ▹       (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩
       231 }↩
      
      But there are other backtraces attributed to the same freed dst_entry in
      netfilter code as well.
      
      All the vmcores showed 2 significant clues:
      
      - Remote hosts behind the default gateway had always been redirected to a
      different gateway. A rtable/dst_entry will be added for that host. Making
      more dst_entrys with lower reference counts. Making this more probable.
      
      - All vmcores showed a postitive LockDroppedIcmps value, e.g:
      
      LockDroppedIcmps                  267
      
      A closer look at the tcp_v4_err() handler revealed that do_redirect() will run
      regardless of whether user space has the socket locked. This can result in a
      race condition where the same dst_entry cached in sk->sk_dst_entry can be
      decremented twice for the same socket via:
      
      do_redirect()->__sk_dst_check()-> dst_release().
      
      Which leads to the dst_entry being prematurely freed with another socket
      pointing to it via sk->sk_dst_cache and a subsequent crash.
      
      To fix this skip do_redirect() if usespace has the socket locked. Instead let
      the redirect take place later when user space does not have the socket
      locked.
      
      The dccp/IPv6 code is very similar in this respect, so fixing it there too.
      
      As Eric Garver pointed out the following commit now invalidates routes. Which
      can set the dst->obsolete flag so that ipv4_dst_check() returns null and
      triggers the dst_release().
      
      Fixes: ceb33206 ("ipv4: Kill routes during PMTU/redirect updates.")
      Cc: Eric Garver <egarver@redhat.com>
      Cc: Hannes Sowa <hsowa@redhat.com>
      Signed-off-by: default avatarJon Maxwell <jmaxwell37@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      29c4bf40
    • Eric Dumazet's avatar
      net: net_enable_timestamp() can be called from irq contexts · 9cfe9423
      Eric Dumazet authored
      commit 13baa00a upstream.
      
      It is now very clear that silly TCP listeners might play with
      enabling/disabling timestamping while new children are added
      to their accept queue.
      
      Meaning net_enable_timestamp() can be called from BH context
      while current state of the static key is not enabled.
      
      Lets play safe and allow all contexts.
      
      The work queue is scheduled only under the problematic cases,
      which are the static key enable/disable transition, to not slow down
      critical paths.
      
      This extends and improves what we did in commit 5fa8bbda ("net: use
      a work queue to defer net_disable_timestamp() work")
      
      Fixes: b90e5794 ("net: dont call jump_label_dec from irq context")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9cfe9423
    • Peter Zijlstra's avatar
      locking/static_keys: Add static_key_{en,dis}able() helpers · 12f1a0f9
      Peter Zijlstra authored
      commit e33886b3 upstream.
      
      Add two helpers to make it easier to treat the refcount as boolean.
      
      [js] do not involve WARN_ON_ONCE as it causes build failures
      Suggested-by: default avatarJason Baron <jasonbaron0@gmail.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      [wt: only backported for use in next fix ;
           s/static_key_count(key)/atomic_read(&key->enabled)/]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      12f1a0f9
    • Julian Anastasov's avatar
      ipv4: mask tos for input route · 7c72e851
      Julian Anastasov authored
      commit 6e28099d upstream.
      
      Restore the lost masking of TOS in input route code to
      allow ip rules to match it properly.
      
      Problem [1] noticed by Shmulik Ladkani <shmulik.ladkani@gmail.com>
      
      [1] http://marc.info/?t=137331755300040&r=1&w=2
      
      Fixes: 89aef892 ("ipv4: Delete routing cache.")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7c72e851
    • Matthias Schiffer's avatar
      vxlan: correctly validate VXLAN ID against VXLAN_N_VID · e5c6b9c5
      Matthias Schiffer authored
      commit 4e37d691 upstream.
      
      The incorrect check caused an off-by-one error: the maximum VID 0xffffff
      was unusable.
      
      Fixes: d342894c ("vxlan: virtual extensible lan")
      Signed-off-by: default avatarMatthias Schiffer <mschiffer@universe-factory.net>
      Acked-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e5c6b9c5
    • Johan Hovold's avatar
      USB: serial: io_ti: fix information leak in completion handler · cb32438b
      Johan Hovold authored
      commit 654b404f upstream.
      
      Add missing sanity check to the bulk-in completion handler to avoid an
      integer underflow that can be triggered by a malicious device.
      
      This avoids leaking 128 kB of memory content from after the URB transfer
      buffer to user space.
      
      Fixes: 8c209e67 ("USB: make actual_length in struct urb field u32")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      cb32438b
    • Johan Hovold's avatar
      USB: serial: io_ti: fix NULL-deref in interrupt callback · 58a600a7
      Johan Hovold authored
      commit 0b1d250a upstream.
      
      Fix a NULL-pointer dereference in the interrupt callback should a
      malicious device send data containing a bad port number by adding the
      missing sanity check.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      58a600a7
    • Johan Hovold's avatar
      USB: iowarrior: fix NULL-deref in write · 04992d78
      Johan Hovold authored
      commit de46e566 upstream.
      
      Make sure to verify that we have the required interrupt-out endpoint for
      IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
      should a malicious device lack such an endpoint.
      
      Fixes: 946b960d ("USB: add driver for iowarrior devices.")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      04992d78
    • Johan Hovold's avatar
      USB: iowarrior: fix NULL-deref at probe · 88ee6312
      Johan Hovold authored
      commit b7321e81 upstream.
      
      Make sure to check for the required interrupt-in endpoint to avoid
      dereferencing a NULL-pointer should a malicious device lack such an
      endpoint.
      
      Note that a fairly recent change purported to fix this issue, but added
      an insufficient test on the number of endpoints only, a test which can
      now be removed.
      
      Fixes: 4ec0ef3a ("USB: iowarrior: fix oops with malicious USB descriptors")
      Fixes: 946b960d ("USB: add driver for iowarrior devices.")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      88ee6312
    • Johan Hovold's avatar
      USB: serial: omninet: fix reference leaks at open · 50b60740
      Johan Hovold authored
      commit 30572418 upstream.
      
      This driver needlessly took another reference to the tty on open, a
      reference which was then never released on close. This lead to not just
      a leak of the tty, but also a driver reference leak that prevented the
      driver from being unloaded after a port had once been opened.
      
      Fixes: 4a90f09b ("tty: usb-serial krefs")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      50b60740
    • Johan Hovold's avatar
      USB: serial: safe_serial: fix information leak in completion handler · 61ab4e5c
      Johan Hovold authored
      commit 8c76d7cd upstream.
      
      Add missing sanity check to the bulk-in completion handler to avoid an
      integer underflow that could be triggered by a malicious device.
      
      This avoids leaking up to 56 bytes from after the URB transfer buffer to
      user space.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      61ab4e5c
    • Rik van Riel's avatar
      tracing: Add #undef to fix compile error · 2b6aa627
      Rik van Riel authored
      commit bf7165cf upstream.
      
      There are several trace include files that define TRACE_INCLUDE_FILE.
      
      Include several of them in the same .c file (as I currently have in
      some code I am working on), and the compile will blow up with a
      "warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
      
      Every other include file in include/trace/events/ avoids that issue
      by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
      should have one, too.
      
      Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
      
      Fixes: b8007ef7 ("tracing: Separate raw syscall from syscall tracer")
      Signed-off-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      2b6aa627
    • Arnd Bergmann's avatar
      MIPS: ip27: Disable qlge driver in defconfig · 06a5c0b6
      Arnd Bergmann authored
      commit b6176494 upstream.
      
      One of the last remaining failures in kernelci.org is for a gcc bug:
      
      drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints:
      drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190
      
      This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot
      reproduce the problem here. However, it is clear that ip27_defconfig
      does not actually need this driver as the platform has only PCI-X but
      not PCIe, and the qlge adapter in turn is PCIe-only.
      
      The driver was originally enabled in 2010 along with lots of other
      drivers.
      
      Fixes: 59d302b3 ("MIPS: IP27: Make defconfig useful again.")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/15197/Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      06a5c0b6
    • Johan Hovold's avatar
      USB: serial: digi_acceleport: fix OOB-event processing · 5e44fdd1
      Johan Hovold authored
      commit 2e46565c upstream.
      
      A recent change claimed to fix an off-by-one error in the OOB-port
      completion handler, but instead introduced such an error. This could
      specifically led to modem-status changes going unnoticed, effectively
      breaking TIOCMGET.
      
      Note that the offending commit fixes a loop-condition underflow and is
      marked for stable, but should not be backported without this fix.
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Fixes: 2d380889 ("USB: serial: digi_acceleport: fix OOB data sanity
      check")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5e44fdd1
    • Johan Hovold's avatar
      USB: serial: digi_acceleport: fix OOB data sanity check · 7c759899
      Johan Hovold authored
      commit 2d380889 upstream.
      
      Make sure to check for short transfers to avoid underflow in a loop
      condition when parsing the receive buffer.
      
      Also fix an off-by-one error in the incomplete sanity check which could
      lead to invalid data being parsed.
      
      Fixes: 8c209e67 ("USB: make actual_length in struct urb field u32")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7c759899
    • Mikulas Patocka's avatar
      dm: flush queued bios when process blocks to avoid deadlock · cc3d0c26
      Mikulas Patocka authored
      commit d67a5f4b upstream.
      
      Commit df2cb6da ("block: Avoid deadlocks with bio allocation by
      stacking drivers") created a workqueue for every bio set and code
      in bio_alloc_bioset() that tries to resolve some low-memory deadlocks
      by redirecting bios queued on current->bio_list to the workqueue if the
      system is low on memory.  However other deadlocks (see below **) may
      happen, without any low memory condition, because generic_make_request
      is queuing bios to current->bio_list (rather than submitting them).
      
      ** the related dm-snapshot deadlock is detailed here:
      https://www.redhat.com/archives/dm-devel/2016-July/msg00065.html
      
      Fix this deadlock by redirecting any bios on current->bio_list to the
      bio_set's rescue workqueue on every schedule() call.  Consequently,
      when the process blocks on a mutex, the bios queued on
      current->bio_list are dispatched to independent workqueus and they can
      complete without waiting for the mutex to be available.
      
      The structure blk_plug contains an entry cb_list and this list can contain
      arbitrary callback functions that are called when the process blocks.
      To implement this fix DM (ab)uses the onstack plug's cb_list interface
      to get its flush_current_bio_list() called at schedule() time.
      
      This fixes the snapshot deadlock - if the map method blocks,
      flush_current_bio_list() will be called and it redirects bios waiting
      on current->bio_list to appropriate workqueues.
      
      Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1267650
      Depends-on: df2cb6da ("block: Avoid deadlocks with bio allocation by stacking drivers")
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      cc3d0c26
    • Trond Myklebust's avatar
      nlm: Ensure callback code also checks that the files match · ebd9572e
      Trond Myklebust authored
      commit 251af29c upstream.
      
      It is not sufficient to just check that the lock pids match when
      granting a callback, we also need to ensure that we're granting
      the callback on the right file.
      Reported-by: default avatarPankaj Singh <psingh.ait@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ebd9572e
    • Steven Rostedt (VMware)'s avatar
      ktest: Fix child exit code processing · 5bb7a6c4
      Steven Rostedt (VMware) authored
      commit 32677207 upstream.
      
      The child_exit errno needs to be shifted by 8 bits to compare against the
      return values for the bisect variables.
      
      Fixes: c5dacb88 ("ktest: Allow overriding bisect test results")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5bb7a6c4
    • Feras Daoud's avatar
      IB/ipoib: Fix deadlock between rmmod and set_mode · 2c318737
      Feras Daoud authored
      commit 0a0007f2 upstream.
      
      When calling set_mode from sys/fs, the call flow locks the sys/fs lock
      first and then tries to lock rtnl_lock (when calling ipoib_set_mod).
      On the other hand, the rmmod call flow takes the rtnl_lock first
      (when calling unregister_netdev) and then tries to take the sys/fs
      lock. Deadlock a->b, b->a.
      
      The problem starts when ipoib_set_mod frees it's rtnl_lck and tries
      to get it after that.
      
          set_mod:
          [<ffffffff8104f2bd>] ? check_preempt_curr+0x6d/0x90
          [<ffffffff814fee8e>] __mutex_lock_slowpath+0x13e/0x180
          [<ffffffff81448655>] ? __rtnl_unlock+0x15/0x20
          [<ffffffff814fed2b>] mutex_lock+0x2b/0x50
          [<ffffffff81448675>] rtnl_lock+0x15/0x20
          [<ffffffffa02ad807>] ipoib_set_mode+0x97/0x160 [ib_ipoib]
          [<ffffffffa02b5f5b>] set_mode+0x3b/0x80 [ib_ipoib]
          [<ffffffff8134b840>] dev_attr_store+0x20/0x30
          [<ffffffff811f0fe5>] sysfs_write_file+0xe5/0x170
          [<ffffffff8117b068>] vfs_write+0xb8/0x1a0
          [<ffffffff8117ba81>] sys_write+0x51/0x90
          [<ffffffff8100b0f2>] system_call_fastpath+0x16/0x1b
      
          rmmod:
          [<ffffffff81279ffc>] ? put_dec+0x10c/0x110
          [<ffffffff8127a2ee>] ? number+0x2ee/0x320
          [<ffffffff814fe6a5>] schedule_timeout+0x215/0x2e0
          [<ffffffff8127cc04>] ? vsnprintf+0x484/0x5f0
          [<ffffffff8127b550>] ? string+0x40/0x100
          [<ffffffff814fe323>] wait_for_common+0x123/0x180
          [<ffffffff81060250>] ? default_wake_function+0x0/0x20
          [<ffffffff8119661e>] ? ifind_fast+0x5e/0xb0
          [<ffffffff814fe43d>] wait_for_completion+0x1d/0x20
          [<ffffffff811f2e68>] sysfs_addrm_finish+0x228/0x270
          [<ffffffff811f2fb3>] sysfs_remove_dir+0xa3/0xf0
          [<ffffffff81273f66>] kobject_del+0x16/0x40
          [<ffffffff8134cd14>] device_del+0x184/0x1e0
          [<ffffffff8144e59b>] netdev_unregister_kobject+0xab/0xc0
          [<ffffffff8143c05e>] rollback_registered+0xae/0x130
          [<ffffffff8143c102>] unregister_netdevice+0x22/0x70
          [<ffffffff8143c16e>] unregister_netdev+0x1e/0x30
          [<ffffffffa02a91b0>] ipoib_remove_one+0xe0/0x120 [ib_ipoib]
          [<ffffffffa01ed95f>] ib_unregister_device+0x4f/0x100 [ib_core]
          [<ffffffffa021f5e1>] mlx4_ib_remove+0x41/0x180 [mlx4_ib]
          [<ffffffffa01ab771>] mlx4_remove_device+0x71/0x90 [mlx4_core]
      
      Fixes: 862096a8 ("IB/ipoib: Add more rtnl_link_ops callbacks")
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarFeras Daoud <ferasda@mellanox.com>
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      2c318737
    • Julian Wiedmann's avatar
      s390/qdio: clear DSCI prior to scanning multiple input queues · 8e68a4d1
      Julian Wiedmann authored
      commit 1e4a382f upstream.
      
      For devices with multiple input queues, tiqdio_call_inq_handlers()
      iterates over all input queues and clears the device's DSCI
      during each iteration. If the DSCI is re-armed during one
      of the later iterations, we therefore do not scan the previous
      queues again.
      The re-arming also raises a new adapter interrupt. But its
      handler does not trigger a rescan for the device, as the DSCI
      has already been erroneously cleared.
      This can result in queue stalls on devices with multiple
      input queues.
      
      Fix it by clearing the DSCI just once, prior to scanning the queues.
      
      As the code is moved in front of the loop, we also need to access
      the DSCI directly (ie irq->dsci) instead of going via each queue's
      parent pointer to the same irq. This is not a functional change,
      and a follow-up patch will clean up the other users.
      
      In practice, this bug only affects CQ-enabled HiperSockets devices,
      ie. devices with sysfs-attribute "hsuid" set. Setting a hsuid is
      needed for AF_IUCV socket applications that use HiperSockets
      communication.
      
      Fixes: 104ea556 ("qdio: support asynchronous delivery of storage blocks")
      Reviewed-by: default avatarUrsula Braun <ubraun@linux.vnet.ibm.com>
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      8e68a4d1
    • J. Bruce Fields's avatar
      NFSv4: fix getacl head length estimation · 58ccba85
      J. Bruce Fields authored
      commit 6682c14b upstream.
      
      Bitmap and attrlen follow immediately after the op reply header.  This
      was an oversight from commit bf118a34.
      
      Consequences of this are just minor efficiency (extra calls to
      xdr_shrink_bufhead).
      
      Fixes: bf118a34 "NFSv4: include bitmap in nfsv4 get acl data"
      Reviewed-by: default avatarKinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      58ccba85
    • Jason Gunthorpe's avatar
      RDMA/core: Fix incorrect structure packing for booleans · e9a1e1cc
      Jason Gunthorpe authored
      commit 55efcfcd upstream.
      
      The RDMA core uses ib_pack() to convert from unpacked CPU structs
      to on-the-wire bitpacked structs.
      
      This process requires that 1 bit fields are declared as u8 in the
      unpacked struct, otherwise the packing process does not read the
      value properly and the packed result is wired to 0. Several
      places wrongly used int.
      
      Crucially this means the kernel has never, set reversible
      correctly in the path record request. It has always asked for
      irreversible paths even if the ULP requests otherwise.
      
      When the kernel is used with a SM that supports this feature, it
      completely breaks communication management if reversible paths are
      not properly requested.
      
      The only reason this ever worked is because opensm ignores the
      reversible bit.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e9a1e1cc
    • Miklos Szeredi's avatar
      fuse: add missing FR_FORCE · 5beea857
      Miklos Szeredi authored
      commit 2e38bea9 upstream.
      
      fuse_file_put() was missing the "force" flag for the RELEASE request when
      sending synchronously (fuseblk).
      
      If this flag is not set, then a sync request may be interrupted before it
      is dequeued by the userspace filesystem.  In this case the OPEN won't be
      balanced with a RELEASE.
      
      [js] force is a variable, not a bit
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: 5a18ec17 ("fuse: fix hang of single threaded fuseblk filesystem")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5beea857
    • Christian Lamparter's avatar
      ath9k: use correct OTP register offsets for the AR9340 and AR9550 · f90660e1
      Christian Lamparter authored
      commit c9f1e326 upstream.
      
      This patch fixes the OTP register definitions for the AR934x and AR9550
      WMAC SoC.
      
      Previously, the ath9k driver was unable to initialize the integrated
      WMAC on an Aerohive AP121:
      
      | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
      | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
      | ath: phy0: Unable to initialize hardware; initialization status: -5
      | ath9k ar934x_wmac: failed to initialize device
      | ath9k: probe of ar934x_wmac failed with error -5
      
      It turns out that the AR9300_OTP_STATUS and AR9300_OTP_DATA
      definitions contain a typo.
      
      Cc: Gabor Juhos <juhosg@openwrt.org>
      Fixes: add295a4 "ath9k: use correct OTP register offsets for AR9550"
      Signed-off-by: default avatarChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarChris Blake <chrisrblake93@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      f90660e1
    • Raghava Aditya Renukunta's avatar
      scsi: aacraid: Reorder Adapter status check · 63901140
      Raghava Aditya Renukunta authored
      commit c421530b upstream.
      
      The driver currently checks the SELF_TEST_FAILED first and then
      KERNEL_PANIC next. Under error conditions(boot code failure) both
      SELF_TEST_FAILED and KERNEL_PANIC can be set at the same time.
      
      The driver has the capability to reset the controller on an KERNEL_PANIC,
      but not on SELF_TEST_FAILED.
      
      Fixed by first checking KERNEL_PANIC and then the others.
      
      Fixes: e8b12f0f ([SCSI] aacraid: Add new code for PMC-Sierra's SRC base controller family)
      Signed-off-by: default avatarRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: default avatarDavid Carroll <David.Carroll@microsemi.com>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      63901140
    • Guennadi Liakhovetski's avatar
      uvcvideo: Fix a wrong macro · 0259f8b8
      Guennadi Liakhovetski authored
      commit 17c341ec upstream.
      
      Don't mix up UVC_BUF_STATE_* and VB2_BUF_STATE_* codes.
      
      Fixes: 6998b6fb ("[media] uvcvideo: Use videobuf2-vmalloc")
      Signed-off-by: default avatarGuennadi Liakhovetski <guennadi.liakhovetski@intel.com>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      0259f8b8
    • Paul Burton's avatar
      MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps · 9dc2420f
      Paul Burton authored
      commit 096a0de4 upstream.
      
      is_jump_ins() checks for plain jump ("j") instructions since commit
      e7438c4b ("MIPS: Fix sibling call handling in get_frame_info") but
      that commit didn't make the same change to the microMIPS code, leaving
      it inconsistent with the MIPS32/MIPS64 code. Handle the microMIPS
      encoding of the jump instruction too such that it behaves consistently.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: e7438c4b ("MIPS: Fix sibling call handling in get_frame_info")
      Cc: Tony Wu <tung7970@gmail.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14533/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9dc2420f
    • Paul Burton's avatar
      MIPS: Calculate microMIPS ra properly when unwinding the stack · 8577fb6b
      Paul Burton authored
      commit bb9bc468 upstream.
      
      get_frame_info() calculates the offset of the return address within a
      stack frame simply by dividing a the bottom 16 bits of the instruction,
      treated as a signed integer, by the size of a long. Whilst this works
      for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's
      incorrect for microMIPS where encodings differ. The result is that we
      typically completely fail to unwind the stack on microMIPS.
      
      Fix this by adjusting is_ra_save_ins() to calculate the return address
      offset, and take into account the various different encodings there in
      the same place as we consider whether an instruction is storing the
      ra/$31 register.
      
      With this we are now able to unwind the stack for kernels targetting the
      microMIPS ISA, for example we can produce:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          [<8011ea17>] __warn+0x9b/0xac
          [<8011ea45>] warn_slowpath_fmt+0x1d/0x20
          [<8013fe53>] register_console+0x43/0x314
          [<8067c58d>] of_setup_earlycon+0x1dd/0x1ec
          [<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8
          [<8066c115>] do_early_param+0x75/0xac
          [<801302f9>] parse_args+0x1dd/0x308
          [<8066c459>] parse_early_options+0x25/0x28
          [<8066c48b>] parse_early_param+0x2f/0x38
          [<8066e8cf>] setup_arch+0x113/0x488
          [<8066c4f3>] start_kernel+0x57/0x328
          ---[ end trace 0000000000000000 ]---
      
      Whereas previously we only produced:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          ---[ end trace 0000000000000000 ]---
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14532/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      8577fb6b
    • Paul Burton's avatar
      MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions · a3e70c33
      Paul Burton authored
      commit 67c75057 upstream.
      
      is_jump_ins() checks 16b instruction fields without verifying that the
      instruction is indeed 16b, as is done by is_ra_save_ins() &
      is_sp_move_ins(). Add the appropriate check.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14531/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a3e70c33
    • Paul Burton's avatar
      MIPS: Fix get_frame_info() handling of microMIPS function size · 9c01ee59
      Paul Burton authored
      commit b6c7a324 upstream.
      
      get_frame_info() is meant to iterate over up to the first 128
      instructions within a function, but for microMIPS kernels it will not
      reach that many instructions unless the function is 512 bytes long since
      we calculate the maximum number of instructions to check by dividing the
      function length by the 4 byte size of a union mips_instruction. In
      microMIPS kernels this won't do since instructions are variable length.
      
      Fix this by instead checking whether the pointer to the current
      instruction has reached the end of the function, and use max_insns as a
      simple constant to check the number of iterations against.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14530/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9c01ee59
    • Paul Burton's avatar
      MIPS: Prevent unaligned accesses during stack unwinding · 15d2aa74
      Paul Burton authored
      commit a3552dac upstream.
      
      During stack unwinding we call a number of functions to determine what
      type of instruction we're looking at. The union mips_instruction pointer
      provided to them may be pointing at a 2 byte, but not 4 byte, aligned
      address & we thus cannot directly access the 4 byte wide members of the
      union mips_instruction. To avoid this is_ra_save_ins() copies the
      required half-words of the microMIPS instruction to a correctly aligned
      union mips_instruction on the stack, which it can then access safely.
      The is_jump_ins() & is_sp_move_ins() functions do not correctly perform
      this temporary copy, and instead attempt to directly dereference 4 byte
      fields which may be misaligned and lead to an address exception.
      
      Fix this by copying the instruction halfwords to a temporary union
      mips_instruction in get_frame_info() such that we can provide a 4 byte
      aligned union mips_instruction to the is_*_ins() functions and they do
      not need to deal with misalignment themselves.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14529/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      15d2aa74