1. 08 Aug, 2016 15 commits
  2. 03 Aug, 2016 1 commit
    • Florian Westphal's avatar
      netfilter: x_tables: speed up jump target validation · f5bba514
      Florian Westphal authored
      [ Upstream commit f4dc7771 ]
      
      The dummy ruleset I used to test the original validation change was broken,
      most rules were unreachable and were not tested by mark_source_chains().
      
      In some cases rulesets that used to load in a few seconds now require
      several minutes.
      
      sample ruleset that shows the behaviour:
      
      echo "*filter"
      for i in $(seq 0 100000);do
              printf ":chain_%06x - [0:0]\n" $i
      done
      for i in $(seq 0 100000);do
         printf -- "-A INPUT -j chain_%06x\n" $i
         printf -- "-A INPUT -j chain_%06x\n" $i
         printf -- "-A INPUT -j chain_%06x\n" $i
      done
      echo COMMIT
      
      [ pipe result into iptables-restore ]
      
      This ruleset will be about 74mbyte in size, with ~500k searches
      though all 500k[1] rule entries. iptables-restore will take forever
      (gave up after 10 minutes)
      
      Instead of always searching the entire blob for a match, fill an
      array with the start offsets of every single ipt_entry struct,
      then do a binary search to check if the jump target is present or not.
      
      After this change ruleset restore times get again close to what one
      gets when reverting 36472341 (~3 seconds on my workstation).
      
      [1] every user-defined rule gets an implicit RETURN, so we get
      300k jumps + 100k userchains + 100k returns -> 500k rule entries
      
      Fixes: 36472341 ("netfilter: x_tables: validate targets of jumps")
      Reported-by: default avatarJeff Wu <wujiafu@gmail.com>
      Tested-by: default avatarJeff Wu <wujiafu@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      f5bba514
  3. 01 Aug, 2016 2 commits
  4. 30 Jul, 2016 1 commit
  5. 20 Jul, 2016 9 commits
  6. 19 Jul, 2016 7 commits
    • Ursula Braun's avatar
      qeth: delete napi struct when removing a qeth device · 8c2cb775
      Ursula Braun authored
      [ Upstream commit 7831b4ff ]
      
      A qeth_card contains a napi_struct linked to the net_device during
      device probing. This struct must be deleted when removing the qeth
      device, otherwise Panic on oops can occur when qeth devices are
      repeatedly removed and added.
      
      Fixes: a1c3ed4c ("qeth: NAPI support for l2 and l3 discipline")
      Cc: stable@vger.kernel.org # v2.6.37+
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.vnet.ibm.com>
      Tested-by: default avatarAlexander Klein <ALKL@de.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      8c2cb775
    • Takashi Iwai's avatar
      ALSA: timer: Fix negative queue usage by racy accesses · a851e568
      Takashi Iwai authored
      [ Upstream commit 3fa6993f ]
      
      The user timer tu->qused counter may go to a negative value when
      multiple concurrent reads are performed since both the check and the
      decrement of tu->qused are done in two individual locked contexts.
      This results in bogus read outs, and the endless loop in the
      user-space side.
      
      The fix is to move the decrement of the tu->qused counter into the
      same spinlock context as the zero-check of the counter.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a851e568
    • Omar Sandoval's avatar
      block: fix use-after-free in sys_ioprio_get() · b86ef7ef
      Omar Sandoval authored
      [ Upstream commit 8ba86821 ]
      
      get_task_ioprio() accesses the task->io_context without holding the task
      lock and thus can race with exit_io_context(), leading to a
      use-after-free. The reproducer below hits this within a few seconds on
      my 4-core QEMU VM:
      
      #define _GNU_SOURCE
      #include <assert.h>
      #include <unistd.h>
      #include <sys/syscall.h>
      #include <sys/wait.h>
      
      int main(int argc, char **argv)
      {
      	pid_t pid, child;
      	long nproc, i;
      
      	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
      	syscall(SYS_ioprio_set, 1, 0, 0x6000);
      
      	nproc = sysconf(_SC_NPROCESSORS_ONLN);
      
      	for (i = 0; i < nproc; i++) {
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				pid = fork();
      				assert(pid != -1);
      				if (pid == 0) {
      					_exit(0);
      				} else {
      					child = wait(NULL);
      					assert(child == pid);
      				}
      			}
      		}
      
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      				syscall(SYS_ioprio_get, 2, 0);
      			}
      		}
      	}
      
      	for (;;) {
      		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      		syscall(SYS_ioprio_get, 2, 0);
      	}
      
      	return 0;
      }
      
      This gets us KASAN dumps like this:
      
      [   35.526914] ==================================================================
      [   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
      [   35.530009] Read of size 2 by task ioprio-gpf/363
      [   35.530009] =============================================================================
      [   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
      [   35.530009] -----------------------------------------------------------------------------
      
      [   35.530009] Disabling lock debugging due to kernel taint
      [   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
      [   35.530009] 	___slab_alloc+0x55d/0x5a0
      [   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
      [   35.530009] 	kmem_cache_alloc_node+0x84/0x200
      [   35.530009] 	create_task_io_context+0x2b/0x370
      [   35.530009] 	get_task_io_context+0x92/0xb0
      [   35.530009] 	copy_process.part.8+0x5029/0x5660
      [   35.530009] 	_do_fork+0x155/0x7e0
      [   35.530009] 	SyS_clone+0x19/0x20
      [   35.530009] 	do_syscall_64+0x195/0x3a0
      [   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
      [   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
      [   35.530009] 	__slab_free+0x27b/0x3d0
      [   35.530009] 	kmem_cache_free+0x1fb/0x220
      [   35.530009] 	put_io_context+0xe7/0x120
      [   35.530009] 	put_io_context_active+0x238/0x380
      [   35.530009] 	exit_io_context+0x66/0x80
      [   35.530009] 	do_exit+0x158e/0x2b90
      [   35.530009] 	do_group_exit+0xe5/0x2b0
      [   35.530009] 	SyS_exit_group+0x1d/0x20
      [   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
      [   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
      [   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
      [   35.530009] ==================================================================
      
      Fix it by grabbing the task lock while we poke at the io_context.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b86ef7ef
    • Borislav Petkov's avatar
      x86/amd_nb: Fix boot crash on non-AMD systems · 82736d51
      Borislav Petkov authored
      [ Upstream commit 1ead852d ]
      
      Fix boot crash that triggers if this driver is built into a kernel and
      run on non-AMD systems.
      
      AMD northbridges users call amd_cache_northbridges() and it returns
      a negative value to signal that we weren't able to cache/detect any
      northbridges on the system.
      
      At least, it should do so as all its callers expect it to do so. But it
      does return a negative value only when kmalloc() fails.
      
      Fix it to return -ENODEV if there are no NBs cached as otherwise, amd_nb
      users like amd64_edac, for example, which relies on it to know whether
      it should load or not, gets loaded on systems like Intel Xeons where it
      shouldn't.
      Reported-and-tested-by: default avatarTony Battersby <tonyb@cybernetics.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: <stable@vger.kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1466097230-5333-2-git-send-email-bp@alien8.de
      Link: https://lkml.kernel.org/r/5761BEB0.9000807@cybernetics.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      82736d51
    • Takashi Iwai's avatar
      ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() · fa48403a
      Takashi Iwai authored
      [ Upstream commit 62db7152 ]
      
      vortex_wtdma_bufshift() function does calculate the page index
      wrongly, first masking then shift, which always results in zero.
      The proper computation is to first shift, then mask.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fa48403a
    • Brian King's avatar
      ipr: Clear interrupt on croc/crocodile when running with LSI · 9f0a4f41
      Brian King authored
      [ Upstream commit 54e430bb ]
      
      If we fall back to using LSI on the Croc or Crocodile chip we need to
      clear the interrupt so we don't hang the system.
      
      Cc: <stable@vger.kernel.org>
      Tested-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      9f0a4f41
    • Christophe JAILLET's avatar
      ALSA: echoaudio: Fix memory allocation · 9d171576
      Christophe JAILLET authored
      [ Upstream commit 9c6795a9 ]
      
      'commpage_bak' is allocated with 'sizeof(struct echoaudio)' bytes.
      We then copy 'sizeof(struct comm_page)' bytes in it.
      On my system, smatch complains because one is 2960 and the other is 3072.
      
      This would result in memory corruption or a oops.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      9d171576
  7. 13 Jul, 2016 1 commit
  8. 12 Jul, 2016 4 commits
    • Hugh Dickins's avatar
      tmpfs: fix regression hang in fallocate undo · 52a8202d
      Hugh Dickins authored
      [ Upstream commit 7f556567 ]
      
      The well-spotted fallocate undo fix is good in most cases, but not when
      fallocate failed on the very first page.  index 0 then passes lend -1
      to shmem_undo_range(), and that has two bad effects: (a) that it will
      undo every fallocation throughout the file, unrestricted by the current
      range; but more importantly (b) it can cause the undo to hang, because
      lend -1 is treated as truncation, which makes it keep on retrying until
      every page has gone, but those already fully instantiated will never go
      away.  Big thank you to xfstests generic/269 which demonstrates this.
      
      Fixes: b9b4bb26 ("tmpfs: don't undo fallocate past its last page")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      52a8202d
    • Florian Westphal's avatar
      netfilter: x_tables: introduce and use xt_copy_counters_from_user · 6a9f9d4e
      Florian Westphal authored
      [ Upstream commit d7591f0c ]
      
      The three variants use same copy&pasted code, condense this into a
      helper and use that.
      
      Make sure info.name is 0-terminated.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6a9f9d4e
    • Florian Westphal's avatar
      netfilter: x_tables: do compat validation via translate_table · aaa155f8
      Florian Westphal authored
      [ Upstream commit 09d96860 ]
      
      This looks like refactoring, but its also a bug fix.
      
      Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
      sanity tests that are done in the normal path.
      
      For example, we do not check for underflows and the base chain policies.
      
      While its possible to also add such checks to the compat path, its more
      copy&pastry, for instance we cannot reuse check_underflow() helper as
      e->target_offset differs in the compat case.
      
      Other problem is that it makes auditing for validation errors harder; two
      places need to be checked and kept in sync.
      
      At a high level 32 bit compat works like this:
      1- initial pass over blob:
         validate match/entry offsets, bounds checking
         lookup all matches and targets
         do bookkeeping wrt. size delta of 32/64bit structures
         assign match/target.u.kernel pointer (points at kernel
         implementation, needed to access ->compatsize etc.)
      
      2- allocate memory according to the total bookkeeping size to
         contain the translated ruleset
      
      3- second pass over original blob:
         for each entry, copy the 32bit representation to the newly allocated
         memory.  This also does any special match translations (e.g.
         adjust 32bit to 64bit longs, etc).
      
      4- check if ruleset is free of loops (chase all jumps)
      
      5-first pass over translated blob:
         call the checkentry function of all matches and targets.
      
      The alternative implemented by this patch is to drop steps 3&4 from the
      compat process, the translation is changed into an intermediate step
      rather than a full 1:1 translate_table replacement.
      
      In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
      representation, i.e. put() the kernel pointer and restore ->u.user.name .
      
      This gets us a 64bit ruleset that is in the format generated by a 64bit
      iptables userspace -- we can then use translate_table() to get the
      'native' sanity checks.
      
      This has two drawbacks:
      
      1. we re-validate all the match and target entry structure sizes even
      though compat translation is supposed to never generate bogus offsets.
      2. we put and then re-lookup each match and target.
      
      THe upside is that we get all sanity tests and ruleset validations
      provided by the normal path and can remove some duplicated compat code.
      
      iptables-restore time of autogenerated ruleset with 300k chains of form
      -A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
      -A CHAIN0002 -m limit --limit 1/s -j CHAIN0003
      
      shows no noticeable differences in restore times:
      old:   0m30.796s
      new:   0m31.521s
      64bit: 0m25.674s
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      aaa155f8
    • Florian Westphal's avatar
      netfilter: x_tables: xt_compat_match_from_user doesn't need a retval · edd8ae36
      Florian Westphal authored
      [ Upstream commit 0188346f ]
      
      Always returned 0.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      edd8ae36