1. 04 Apr, 2017 27 commits
    • Ben Hutchings's avatar
      Linux 3.16.43 · 760b5f93
      Ben Hutchings authored
      760b5f93
    • Ben Hutchings's avatar
      keys: Guard against null match function in keyring_search_aux() · c53ee259
      Ben Hutchings authored
      The "dead" key type has no match operation, and a search for keys of
      this type can cause a null dereference in keyring_search_iterator().
      keyring_search() has a check for this, but request_keyring_and_link()
      does not.  Move the check into keyring_search_aux(), covering both of
      them.
      
      This was fixed upstream by commit c06cfb08 ("KEYS: Remove
      key_type::match in favour of overriding default by match_preparse"),
      part of a series of large changes that are not suitable for
      backporting.
      
      CVE-2017-2647 / CVE-2017-6951
      Reported-by: default avatarIgor Redko <redkoi@virtuozzo.com>
      Reported-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647Reported-by: default avataridl3r <idler1984@gmail.com>
      References: https://www.spinics.net/lists/keyrings/msg01845.htmlSigned-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: David Howells <dhowells@redhat.com>
      c53ee259
    • Jann Horn's avatar
      aio: mark AIO pseudo-fs noexec · 880366a6
      Jann Horn authored
      commit 22f6b4d3 upstream.
      
      This ensures that do_mmap() won't implicitly make AIO memory mappings
      executable if the READ_IMPLIES_EXEC personality flag is set.  Such
      behavior is problematic because the security_mmap_file LSM hook doesn't
      catch this case, potentially permitting an attacker to bypass a W^X
      policy enforced by SELinux.
      
      I have tested the patch on my machine.
      
      To test the behavior, compile and run this:
      
          #define _GNU_SOURCE
          #include <unistd.h>
          #include <sys/personality.h>
          #include <linux/aio_abi.h>
          #include <err.h>
          #include <stdlib.h>
          #include <stdio.h>
          #include <sys/syscall.h>
      
          int main(void) {
              personality(READ_IMPLIES_EXEC);
              aio_context_t ctx = 0;
              if (syscall(__NR_io_setup, 1, &ctx))
                  err(1, "io_setup");
      
              char cmd[1000];
              sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
                  (int)getpid());
              system(cmd);
              return 0;
          }
      
      In the output, "rw-s" is good, "rwxs" is bad.
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.16: we don't have super_block::s_iflags; use
       file_system_type::fs_flags instead]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      880366a6
    • Eric W. Biederman's avatar
      vfs: Commit to never having exectuables on proc and sysfs. · 495d1af4
      Eric W. Biederman authored
      commit 22f6b4d3 upstream.
      
      Today proc and sysfs do not contain any executable files.  Several
      applications today mount proc or sysfs without noexec and nosuid and
      then depend on there being no exectuables files on proc or sysfs.
      Having any executable files show on proc or sysfs would cause
      a user space visible regression, and most likely security problems.
      
      Therefore commit to never allowing executables on proc and sysfs by
      adding a new flag to mark them as filesystems without executables and
      enforce that flag.
      
      Test the flag where MNT_NOEXEC is tested today, so that the only user
      visible effect will be that exectuables will be treated as if the
      execute bit is cleared.
      
      The filesystems proc and sysfs do not currently incoporate any
      executable files so this does not result in any user visible effects.
      
      This makes it unnecessary to vet changes to proc and sysfs tightly for
      adding exectuable files or changes to chattr that would modify
      existing files, as no matter what the individual file say they will
      not be treated as exectuable files by the vfs.
      
      Not having to vet changes to closely is important as without this we
      are only one proc_create call (or another goof up in the
      implementation of notify_change) from having problematic executables
      on proc.  Those mistakes are all too easy to make and would create
      a situation where there are security issues or the assumptions of
      some program having to be broken (and cause userspace regressions).
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      [bwh: Backported to 3.16: we don't have super_block::s_iflags; use
       file_system_type::fs_flags instead]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      495d1af4
    • Florian Westphal's avatar
      netlink: remove mmapped netlink support · 07a365dd
      Florian Westphal authored
      commit d1b4c689 upstream.
      
      mmapped netlink has a number of unresolved issues:
      
      - TX zerocopy support had to be disabled more than a year ago via
        commit 4682a035 ("netlink: Always copy on mmap TX.")
        because the content of the mmapped area can change after netlink
        attribute validation but before message processing.
      
      - RX support was implemented mainly to speed up nfqueue dumping packet
        payload to userspace.  However, since commit ae08ce00
        ("netfilter: nfnetlink_queue: zero copy support") we avoid one copy
        with the socket-based interface too (via the skb_zerocopy helper).
      
      The other problem is that skbs attached to mmaped netlink socket
      behave different from normal skbs:
      
      - they don't have a shinfo area, so all functions that use skb_shinfo()
      (e.g. skb_clone) cannot be used.
      
      - reserving headroom prevents userspace from seeing the content as
      it expects message to start at skb->head.
      See for instance
      commit aa3a0220 ("netlink: not trim skb for mmaped socket when dump").
      
      - skbs handed e.g. to netlink_ack must have non-NULL skb->sk, else we
      crash because it needs the sk to check if a tx ring is attached.
      
      Also not obvious, leads to non-intuitive bug fixes such as 7c7bdf35
      ("netfilter: nfnetlink: use original skbuff when acking batches").
      
      mmaped netlink also didn't play nicely with the skb_zerocopy helper
      used by nfqueue and openvswitch.  Daniel Borkmann fixed this via
      commit 6bb0fef4 ("netlink, mmap: fix edge-case leakages in nf queue
      zero-copy")' but at the cost of also needing to provide remaining
      length to the allocation function.
      
      nfqueue also has problems when used with mmaped rx netlink:
      - mmaped netlink doesn't allow use of nfqueue batch verdict messages.
        Problem is that in the mmap case, the allocation time also determines
        the ordering in which the frame will be seen by userspace (A
        allocating before B means that A is located in earlier ring slot,
        but this also means that B might get a lower sequence number then A
        since seqno is decided later.  To fix this we would need to extend the
        spinlocked region to also cover the allocation and message setup which
        isn't desirable.
      - nfqueue can now be configured to queue large (GSO) skbs to userspace.
        Queing GSO packets is faster than having to force a software segmentation
        in the kernel, so this is a desirable option.  However, with a mmap based
        ring one has to use 64kb per ring slot element, else mmap has to fall back
        to the socket path (NL_MMAP_STATUS_COPY) for all large packets.
      
      To use the mmap interface, userspace not only has to probe for mmap netlink
      support, it also has to implement a recv/socket receive path in order to
      handle messages that exceed the size of an rx ring element.
      
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
      Cc: Pablo Neira Ayuso <pablo@netfilter.org>
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: deleted code and documentation is different in places]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Shi Yuejie <shiyuejie@outlook.com>
      07a365dd
    • James C Boyd's avatar
      HID: hid-input: Add parentheses to quell gcc warning · 4e54d5d9
      James C Boyd authored
      commit 09a5c34e upstream.
      
      GCC reports a -Wlogical-not-parentheses warning here; therefore
      add parentheses to shut it up and to express our intent more.
      Signed-off-by: default avatarJames C Boyd <jcboyd.dev@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      4e54d5d9
    • Ralf Baechle's avatar
      MIPS: Zero variable read by get_user / __get_user in case of an error. · 4c125b48
      Ralf Baechle authored
      commit 640465bd upstream.
      
      This wasn't happening in all cases.
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      4c125b48
    • John Crispin's avatar
      MIPS: ralink: Cosmetic change to prom_init(). · cfe5ef40
      John Crispin authored
      commit 9c48568b upstream.
      
      Over the years the code has been changed various times leading to
      argc/argv being defined in a different function to where we actually
      use the variables. Clean this up by moving them to prom_init_cmdline().
      Signed-off-by: default avatarJohn Crispin <john@phrozen.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14902/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      cfe5ef40
    • Fabio Estevam's avatar
      serial: samsung: Use %pa to print 'resource_size_t' type · e5de6418
      Fabio Estevam authored
      commit 1ff5b64d upstream.
      
      When building multi_v7_defconfig with CONFIG_ARM_LPAE=y the following warning
      is seen:
      
      drivers/tty/serial/samsung.c: In function 's3c24xx_serial_init_port':
      drivers/tty/serial/samsung.c:1229:2: warning: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'resource_size_t' [-Wformat]
      
      Use %pa to print 'resource_size_t' type to fix the warning.
      Reported-by: default avatarOlof's autobuilder <build@lixom.net>
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Reviewed-by: default avatarJingoo Han <jg1.han@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      e5de6418
    • Arnd Bergmann's avatar
      mmc: sunxi: avoid invalid pointer calculation · 24c2431e
      Arnd Bergmann authored
      commit d34712d2 upstream.
      
      The sunxi mmc driver tries to calculate a dma address by using pointer
      arithmetic, which causes a warning when dma_addr_t is wider than a pointer:
      
      drivers/mmc/host/sunxi-mmc.c: In function 'sunxi_mmc_init_idma_des':
      drivers/mmc/host/sunxi-mmc.c:296:35: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
        struct sunxi_idma_des *pdes_pa = (struct sunxi_idma_des *)host->sg_dma;
                                         ^
      
      To avoid this warning and to simplify the logic, this changes
      the code to avoid the cast and calculate the correct address
      manually. The behavior should be unchanged.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarDavid Lanzendörfer <david.lanzendoerfer@o2s.ch>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      24c2431e
    • Andre Przywara's avatar
      fs/nfs: fix new compiler warning about boolean in switch · 1fcb247a
      Andre Przywara authored
      commit c7757074 upstream.
      
      The brand new GCC 5.1.0 warns by default on using a boolean in the
      switch condition. This results in the following warning:
      
      fs/nfs/nfs4proc.c: In function 'nfs4_proc_get_rootfh':
      fs/nfs/nfs4proc.c:3100:10: warning: switch condition has boolean value [-Wswitch-bool]
        switch (auth_probe) {
                ^
      
      This code was obviously using switch to make use of the fall-through
      semantics (without the usual comment, though).
      Rewrite that code using if statements to avoid the warning and make
      the code a bit more readable on the way.
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      1fcb247a
    • Arnd Bergmann's avatar
      crypto: improve gcc optimization flags for serpent and wp512 · fa5c761a
      Arnd Bergmann authored
      commit 7d6e9105 upstream.
      
      An ancient gcc bug (first reported in 2003) has apparently resurfaced
      on MIPS, where kernelci.org reports an overly large stack frame in the
      whirlpool hash algorithm:
      
      crypto/wp512.c:987:1: warning: the frame size of 1112 bytes is larger than 1024 bytes [-Wframe-larger-than=]
      
      With some testing in different configurations, I'm seeing large
      variations in stack frames size up to 1500 bytes for what should have
      around 300 bytes at most. I also checked the reference implementation,
      which is essentially the same code but also comes with some test and
      benchmarking infrastructure.
      
      It seems that recent compiler versions on at least arm, arm64 and powerpc
      have a partial fix for this problem, but enabling "-fsched-pressure", but
      even with that fix they suffer from the issue to a certain degree. Some
      testing on arm64 shows that the time needed to hash a given amount of
      data is roughly proportional to the stack frame size here, which makes
      sense given that the wp512 implementation is doing lots of loads for
      table lookups, and the problem with the overly large stack is a result
      of doing a lot more loads and stores for spilled registers (as seen from
      inspecting the object code).
      
      Disabling -fschedule-insns consistently fixes the problem for wp512,
      in my collection of cross-compilers, the results are consistently better
      or identical when comparing the stack sizes in this function, though
      some architectures (notable x86) have schedule-insns disabled by
      default.
      
      The four columns are:
      default: -O2
      press:	 -O2 -fsched-pressure
      nopress: -O2 -fschedule-insns -fno-sched-pressure
      nosched: -O2 -no-schedule-insns (disables sched-pressure)
      
      				default	press	nopress	nosched
      alpha-linux-gcc-4.9.3		1136	848	1136	176
      am33_2.0-linux-gcc-4.9.3	2100	2076	2100	2104
      arm-linux-gnueabi-gcc-4.9.3	848	848	1048	352
      cris-linux-gcc-4.9.3		272	272	272	272
      frv-linux-gcc-4.9.3		1128	1000	1128	280
      hppa64-linux-gcc-4.9.3		1128	336	1128	184
      hppa-linux-gcc-4.9.3		644	308	644	276
      i386-linux-gcc-4.9.3		352	352	352	352
      m32r-linux-gcc-4.9.3		720	656	720	268
      microblaze-linux-gcc-4.9.3	1108	604	1108	256
      mips64-linux-gcc-4.9.3		1328	592	1328	208
      mips-linux-gcc-4.9.3		1096	624	1096	240
      powerpc64-linux-gcc-4.9.3	1088	432	1088	160
      powerpc-linux-gcc-4.9.3		1080	584	1080	224
      s390-linux-gcc-4.9.3		456	456	624	360
      sh3-linux-gcc-4.9.3		292	292	292	292
      sparc64-linux-gcc-4.9.3		992	240	992	208
      sparc-linux-gcc-4.9.3		680	592	680	312
      x86_64-linux-gcc-4.9.3		224	240	272	224
      xtensa-linux-gcc-4.9.3		1152	704	1152	304
      
      aarch64-linux-gcc-7.0.0		224	224	1104	208
      arm-linux-gnueabi-gcc-7.0.1	824	824	1048	352
      mips-linux-gcc-7.0.0		1120	648	1120	272
      x86_64-linux-gcc-7.0.1		240	240	304	240
      
      arm-linux-gnueabi-gcc-4.4.7	840			392
      arm-linux-gnueabi-gcc-4.5.4	784	728	784	320
      arm-linux-gnueabi-gcc-4.6.4	736	728	736	304
      arm-linux-gnueabi-gcc-4.7.4	944	784	944	352
      arm-linux-gnueabi-gcc-4.8.5	464	464	760	352
      arm-linux-gnueabi-gcc-4.9.3	848	848	1048	352
      arm-linux-gnueabi-gcc-5.3.1	824	824	1064	336
      arm-linux-gnueabi-gcc-6.1.1	808	808	1056	344
      arm-linux-gnueabi-gcc-7.0.1	824	824	1048	352
      
      Trying the same test for serpent-generic, the picture is a bit different,
      and while -fno-schedule-insns is generally better here than the default,
      -fsched-pressure wins overall, so I picked that instead.
      
      				default	press	nopress	nosched
      alpha-linux-gcc-4.9.3		1392	864	1392	960
      am33_2.0-linux-gcc-4.9.3	536	524	536	528
      arm-linux-gnueabi-gcc-4.9.3	552	552	776	536
      cris-linux-gcc-4.9.3		528	528	528	528
      frv-linux-gcc-4.9.3		536	400	536	504
      hppa64-linux-gcc-4.9.3		524	208	524	480
      hppa-linux-gcc-4.9.3		768	472	768	508
      i386-linux-gcc-4.9.3		564	564	564	564
      m32r-linux-gcc-4.9.3		712	576	712	532
      microblaze-linux-gcc-4.9.3	724	392	724	512
      mips64-linux-gcc-4.9.3		720	384	720	496
      mips-linux-gcc-4.9.3		728	384	728	496
      powerpc64-linux-gcc-4.9.3	704	304	704	480
      powerpc-linux-gcc-4.9.3		704	296	704	480
      s390-linux-gcc-4.9.3		560	560	592	536
      sh3-linux-gcc-4.9.3		540	540	540	540
      sparc64-linux-gcc-4.9.3		544	352	544	496
      sparc-linux-gcc-4.9.3		544	344	544	496
      x86_64-linux-gcc-4.9.3		528	536	576	528
      xtensa-linux-gcc-4.9.3		752	544	752	544
      
      aarch64-linux-gcc-7.0.0		432	432	656	480
      arm-linux-gnueabi-gcc-7.0.1	616	616	808	536
      mips-linux-gcc-7.0.0		720	464	720	488
      x86_64-linux-gcc-7.0.1		536	528	600	536
      
      arm-linux-gnueabi-gcc-4.4.7	592			440
      arm-linux-gnueabi-gcc-4.5.4	776	448	776	544
      arm-linux-gnueabi-gcc-4.6.4	776	448	776	544
      arm-linux-gnueabi-gcc-4.7.4	768	448	768	544
      arm-linux-gnueabi-gcc-4.8.5	488	488	776	544
      arm-linux-gnueabi-gcc-4.9.3	552	552	776	536
      arm-linux-gnueabi-gcc-5.3.1	552	552	776	536
      arm-linux-gnueabi-gcc-6.1.1	560	560	776	536
      arm-linux-gnueabi-gcc-7.0.1	616	616	808	536
      
      I did not do any runtime tests with serpent, so it is possible that stack
      frame size does not directly correlate with runtime performance here and
      it actually makes things worse, but it's more likely to help here, and
      the reduced stack frame size is probably enough reason to apply the patch,
      especially given that the crypto code is often used in deep call chains.
      
      Link: https://kernelci.org/build/id/58797d7559b5149efdf6c3a9/logs/
      Link: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11488
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fa5c761a
    • Tillmann Heidsieck's avatar
      atm: iphase: fix misleading indention · 1964b12e
      Tillmann Heidsieck authored
      commit cbb41b91 upstream.
      
      Fix a smatch warning:
      drivers/atm/iphase.c:1178 rx_pkt() warn: curly braces intended?
      
      The code is correct, the indention is misleading. In case the allocation
      of skb fails, we want to skip to the end.
      Signed-off-by: default avatarTillmann Heidsieck <theidsieck@leenox.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      1964b12e
    • Paul Burton's avatar
      MIPS: wrap cfcmsa & ctcmsa accesses for toolchains with MSA support · 3831477b
      Paul Burton authored
      commit e1bebbab upstream.
      
      Uses of the cfcmsa & ctcmsa instructions were not being wrapped by a
      macro in the case where the toolchain supports MSA, since the arguments
      exactly match a typical use of the instructions. However using current
      toolchains this leads to errors such as:
      
        arch/mips/kernel/genex.S:437: Error: opcode not supported on this processor: mips32r2 (mips32r2) `cfcmsa $5,1'
      
      Thus uses of the instructions must be in the context of a ".set msa"
      directive, however doing that from the users of the instructions would
      be messy due to the possibility that the toolchain does not support
      MSA. Fix this by renaming the macros (prepending an underscore) in order
      to avoid recursion when attempting to emit the instructions, and provide
      implementations for the TOOLCHAIN_SUPPORTS_MSA case which ".set msa" as
      appropriate.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/9163/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3831477b
    • Paul Burton's avatar
      MIPS: remove MSA macro recursion · 5c57237e
      Paul Burton authored
      commit a3a49810 upstream.
      
      Recursive macros made the code more concise & worked great for the
      case where the toolchain doesn't support MSA. However, with toolchains
      which do support MSA they lead to build failures such as:
      
        arch/mips/kernel/r4k_switch.S: Assembler messages:
        arch/mips/kernel/r4k_switch.S:148: Error: invalid operands `insert.w $w(0+1)[2],$1'
        arch/mips/kernel/r4k_switch.S:148: Error: invalid operands `insert.w $w(0+1)[3],$1'
        arch/mips/kernel/r4k_switch.S:148: Error: invalid operands `insert.w $w((0+1)+1)[2],$1'
        arch/mips/kernel/r4k_switch.S:148: Error: invalid operands `insert.w $w((0+1)+1)[3],$1'
        ...
      
      Drop the recursion from msa_init_all_upper invoking the msa_init_upper
      macro explicitly for each vector register.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/9162/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5c57237e
    • Paul Burton's avatar
      MIPS: assume at as source/dest of MSA copy/insert instructions · 7478d342
      Paul Burton authored
      commit f23ce388 upstream.
      
      Assuming at ($1) as the source or destination register of copy or
      insert instructions:
      
        - Simplifies the macros providing those instructions for toolchains
          without MSA support.
      
        - Avoids an unnecessary move instruction when at is used as the source
          or destination register anyway.
      
        - Is sufficient for the uses to be introduced in the kernel by a
          subsequent patch.
      
      Note that due to a patch ordering snafu on my part this also fixes the
      currently broken build with MSA support enabled. The build has been
      broken since commit c9017757 "MIPS: init upper 64b of vector
      registers when MSA is first used", which this patch should have
      preceeded.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/9161/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7478d342
    • Paul Burton's avatar
      MIPS: Push .set mips64r* into the functions needing it · 1a68ee72
      Paul Burton authored
      commit 631afc65 upstream.
      
      The {save,restore}_fp_context{,32} functions require that the assembler
      allows the use of sdc instructions on any FP register, and this is
      acomplished by setting the arch to mips64r2 or mips64r6
      (using MIPS_ISA_ARCH_LEVEL_RAW).
      
      However this has the effect of enabling the assembler to use mips64
      instructions in the expansion of pseudo-instructions. This was done in
      the (now-reverted) commit eec43a22 "MIPS: Save/restore MSA context
      around signals" which led to my mistakenly believing that there was an
      assembler bug, when in reality the assembler was just emitting mips64
      instructions. Avoid the issue for future commits which will add code to
      r4k_fpu.S by pushing the .set MIPS_ISA_ARCH_LEVEL_RAW directives into
      the functions that require it, and remove the spurious assertion
      declaring the assembler bug.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      [james.hogan@imgtec.com: Rebase on v4.0-rc1 and reword commit message to
       reflect use of MIPS_ISA_ARCH_LEVEL_RAW]
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/9612/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      [bwh: Backported to 3.16: in r4k_fpu.S, keep using arch=r4000]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1a68ee72
    • James Hogan's avatar
      MIPS: traps: Fix inline asm ctc1 missing .set hardfloat · 8deb4d7c
      James Hogan authored
      commit d76e9b9f upstream.
      
      Commit 842dfc11 ("MIPS: Fix build with binutils 2.24.51+") in v3.18
      enabled -msoft-float and sprinkled ".set hardfloat" where necessary to
      use FP instructions. However it missed enable_restore_fp_context() which
      since v3.17 does a ctc1 with inline assembly, causing the following
      assembler errors on Mentor's 2014.05 toolchain:
      
      {standard input}: Assembler messages:
      {standard input}:2913: Error: opcode not supported on this processor: mips32r2 (mips32r2) `ctc1 $2,$31'
      scripts/Makefile.build:257: recipe for target 'arch/mips/kernel/traps.o' failed
      
      Fix that to use the new write_32bit_cp1_register() macro so that ".set
      hardfloat" is automatically added when -msoft-float is in use.
      
      Fixes 842dfc11 ("MIPS: Fix build with binutils 2.24.51+")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/9173/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8deb4d7c
    • James Hogan's avatar
      MIPS: mipsregs.h: Add write_32bit_cp1_register() · 35dd58f3
      James Hogan authored
      commit 5e32033e upstream.
      
      Add a write_32bit_cp1_register() macro to compliment the
      read_32bit_cp1_register() macro. This is to abstract whether .set
      hardfloat needs to be used based on GAS_HAS_SET_HARDFLOAT.
      
      The implementation of _read_32bit_cp1_register() .sets mips1 due to
      failure of gas v2.19 to assemble cfc1 for Octeon (see commit
      25c30003 ("MIPS: Override assembler target architecture for
      octeon.")). I haven't copied this over to _write_32bit_cp1_register() as
      I'm uncertain whether it applies to ctc1 too, or whether anybody cares
      about that version of binutils any longer.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: David Daney <david.daney@cavium.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/9172/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      35dd58f3
    • Manuel Lauss's avatar
      MIPS: Fix build with binutils 2.24.51+ · 1e7276ac
      Manuel Lauss authored
      commit 842dfc11 upstream.
      
      Starting with version 2.24.51.20140728 MIPS binutils complain loudly
      about mixing soft-float and hard-float object files, leading to this
      build failure since GCC is invoked with "-msoft-float" on MIPS:
      
      {standard input}: Warning: .gnu_attribute 4,3 requires `softfloat'
        LD      arch/mips/alchemy/common/built-in.o
      mipsel-softfloat-linux-gnu-ld: Warning: arch/mips/alchemy/common/built-in.o
       uses -msoft-float (set by arch/mips/alchemy/common/prom.o),
       arch/mips/alchemy/common/sleeper.o uses -mhard-float
      
      To fix this, we detect if GAS is new enough to support "-msoft-float" command
      option, and if it does, we can let GCC pass it to GAS;  but then we also need
      to sprinkle the files which make use of floating point registers with the
      necessary ".set hardfloat" directives.
      Signed-off-by: default avatarManuel Lauss <manuel.lauss@gmail.com>
      Cc: Linux-MIPS <linux-mips@linux-mips.org>
      Cc: Matthew Fortune <Matthew.Fortune@imgtec.com>
      Cc: Markos Chandras <Markos.Chandras@imgtec.com>
      Cc: Maciej W. Rozycki <macro@linux-mips.org>
      Patchwork: https://patchwork.linux-mips.org/patch/8355/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      1e7276ac
    • Paul Burton's avatar
      MIPS: init upper 64b of vector registers when MSA is first used · 2c627f99
      Paul Burton authored
      commit c9017757 upstream.
      
      When a task first makes use of MSA we need to ensure that the upper
      64b of the vector registers are set to some value such that no
      information can be leaked to it from the previous task to use MSA
      context on the CPU. The architecture formerly specified that these
      bits would be cleared to 0 when a scalar FP instructions wrote to the
      aliased FP registers, which would have implicitly handled this as the
      kernel restored scalar FP context. However more recent versions of the
      specification now state that the value of the bits in such cases is
      unpredictable. Initialise them explictly to be sure, and set all the
      bits to 1 rather than 0 for consistency with the least significant
      64b.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/7497/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      2c627f99
    • Paul Burton's avatar
      MIPS: save/disable MSA in lose_fpu · 13acbb17
      Paul Burton authored
      commit 33c771ba upstream.
      
      The kernel depends upon MSA never being enabled when the FPU is not, a
      condition which is currently violated in a few places (whilst saving
      sigcontext, following mips_cpu_save). Catch all the problem cases by
      disabling MSA in lose_fpu, after saving context if necessary.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/7302/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      13acbb17
    • Paul Burton's avatar
      MIPS: preserve scalar FP CSR when switching vector context · 5ff2ed33
      Paul Burton authored
      commit b8340673 upstream.
      
      Switching the vector context implicitly saves & restores the state of
      the aliased scalar FP data registers, however the scalar FP control
      & status register is distinct from the MSA control & status register.
      In order to allow scalar FP to function correctly in programs using
      MSA, the scalar CSR needs to be saved & restored along with the MSA
      vector context.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/7301/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      5ff2ed33
    • Paul Burton's avatar
      MIPS: save/restore MSACSR register on context switch · 249dbf6c
      Paul Burton authored
      commit f7a46fa7 upstream.
      
      I added a field for the MSACSR register in struct mips_fpu_struct, but
      never actually made use of it... This is a clear bug. Save and restore
      the MSACSR register along with the vector registers.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/7300/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      249dbf6c
    • Paul Burton's avatar
      MIPS: allow msa.h to be included in assembly files · f251957b
      Paul Burton authored
      commit 558155a0 upstream.
      
      Just #ifdef away the C functions when included from an assembly file,
      as will be done in a following commit.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/7299/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f251957b
    • Linus Torvalds's avatar
      blk: rq_data_dir() should not return a boolean · 5b9e0325
      Linus Torvalds authored
      commit 10fbd36e upstream.
      
      rq_data_dir() returns either READ or WRITE (0 == READ, 1 == WRITE), not
      a boolean value.
      
      Now, admittedly the "!= 0" doesn't really change the value (0 stays as
      zero, 1 stays as one), but it's not only redundant, it confuses gcc, and
      causes gcc to warn about the construct
      
          switch (rq_data_dir(req)) {
              case READ:
                  ...
              case WRITE:
                  ...
      
      that we have in a few drivers.
      
      Now, the gcc warning is silly and stupid (it seems to warn not about the
      switch value having a different type from the case statements, but about
      _any_ boolean switch value), but in this case the code itself is silly
      and stupid too, so let's just change it, and get rid of warnings like
      this:
      
        drivers/block/hd.c: In function ‘hd_request’:
        drivers/block/hd.c:630:11: warning: switch condition has boolean value [-Wswitch-bool]
           switch (rq_data_dir(req)) {
      
      The odd '!= 0' came in when "cmd_flags" got turned into a "u64" in
      commit 5953316d ("block: make rq->cmd_flags be 64-bit") and is
      presumably because the old code (that just did a logical 'and' with 1)
      would then end up making the type of rq_data_dir() be u64 too.
      
      But if we want to retain the old regular integer type, let's just cast
      the result to 'int' rather than use that rather odd '!= 0'.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      5b9e0325
    • Tim Gardner's avatar
      fs: namespace: suppress 'may be used uninitialized' warnings · 0ffcf69c
      Tim Gardner authored
      commit b8850d1f upstream.
      
      The gcc version 4.9.1 compiler complains Even though it isn't possible for
      these variables to not get initialized before they are used.
      
      fs/namespace.c: In function ‘SyS_mount’:
      fs/namespace.c:2720:8: warning: ‘kernel_dev’ may be used uninitialized in this function [-Wmaybe-uninitialized]
        ret = do_mount(kernel_dev, kernel_dir->name, kernel_type, flags,
              ^
      fs/namespace.c:2699:8: note: ‘kernel_dev’ was declared here
        char *kernel_dev;
              ^
      fs/namespace.c:2720:8: warning: ‘kernel_type’ may be used uninitialized in this function [-Wmaybe-uninitialized]
        ret = do_mount(kernel_dev, kernel_dir->name, kernel_type, flags,
              ^
      fs/namespace.c:2697:8: note: ‘kernel_type’ was declared here
        char *kernel_type;
              ^
      
      Fix the warnings by simplifying copy_mount_string() as suggested by Al Viro.
      
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      0ffcf69c
  2. 16 Mar, 2017 13 commits
    • Ben Hutchings's avatar
      Linux 3.16.42 · 65be6fa1
      Ben Hutchings authored
      65be6fa1
    • Alexander Popov's avatar
      tty: n_hdlc: get rid of racy n_hdlc.tbuf · 2e523bd9
      Alexander Popov authored
      commit 82f2341c upstream.
      
      Currently N_HDLC line discipline uses a self-made singly linked list for
      data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
      an error.
      
      The commit be10eb75
      ("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
      After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
      one data buffer to tx_free_buf_list twice. That causes double free in
      n_hdlc_release().
      
      Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
      in case of tx error put current data buffer after the head of tx_buf_list.
      Signed-off-by: default avatarAlexander Popov <alex.popov@linux.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2e523bd9
    • Jiri Slaby's avatar
      TTY: n_hdlc, fix lockdep false positive · 3931fb83
      Jiri Slaby authored
      commit e9b736d8 upstream.
      
      The class of 4 n_hdls buf locks is the same because a single function
      n_hdlc_buf_list_init is used to init all the locks. But since
      flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
      n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
      emits a warning:
      =============================================
      [ INFO: possible recursive locking detected ]
      4.3.0-25.g91e30a7-default #1 Not tainted
      ---------------------------------------------
      a.out/1248 is trying to acquire lock:
       (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
      
      but task is already holding lock:
       (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&list->spinlock)->rlock);
        lock(&(&list->spinlock)->rlock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      2 locks held by a.out/1248:
       #0:  (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
       #1:  (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
      ...
      Call Trace:
      ...
       [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
       [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
       [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
       [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
      ...
      
      Fix it by initializing the spin_locks separately. This removes also
      reduntand memset of a freshly kzallocated space.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3931fb83
    • Marcelo Ricardo Leitner's avatar
      sctp: deny peeloff operation on asocs with threads sleeping on it · ae722d6d
      Marcelo Ricardo Leitner authored
      commit dfcb9f4f upstream.
      
      commit 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
      attempted to avoid a BUG_ON call when the association being used for a
      sendmsg() is blocked waiting for more sndbuf and another thread did a
      peeloff operation on such asoc, moving it to another socket.
      
      As Ben Hutchings noticed, then in such case it would return without
      locking back the socket and would cause two unlocks in a row.
      
      Further analysis also revealed that it could allow a double free if the
      application managed to peeloff the asoc that is created during the
      sendmsg call, because then sctp_sendmsg() would try to free the asoc
      that was created only for that call.
      
      This patch takes another approach. It will deny the peeloff operation
      if there is a thread sleeping on the asoc, so this situation doesn't
      exist anymore. This avoids the issues described above and also honors
      the syscalls that are already being handled (it can be multiple sendmsg
      calls).
      
      Joint work with Xin Long.
      
      Fixes: 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
      Cc: Alexander Popov <alex.popov@linux.com>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ae722d6d
    • Marcelo Ricardo Leitner's avatar
      sctp: avoid BUG_ON on sctp_wait_for_sndbuf · 2ad78d37
      Marcelo Ricardo Leitner authored
      commit 2dcab598 upstream.
      
      Alexander Popov reported that an application may trigger a BUG_ON in
      sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
      waiting on it to queue more data and meanwhile another thread peels off
      the association being used by the first thread.
      
      This patch replaces the BUG_ON call with a proper error handling. It
      will return -EPIPE to the original sendmsg call, similarly to what would
      have been done if the association wasn't found in the first place.
      Acked-by: default avatarAlexander Popov <alex.popov@linux.com>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2ad78d37
    • Davidlohr Bueso's avatar
      ipc/shm: Fix shmat mmap nil-page protection · 13508cb3
      Davidlohr Bueso authored
      commit 95e91b83 upstream.
      
      The issue is described here, with a nice testcase:
      
          https://bugzilla.kernel.org/show_bug.cgi?id=192931
      
      The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
      the address rounded down to 0.  For the regular mmap case, the
      protection mentioned above is that the kernel gets to generate the
      address -- arch_get_unmapped_area() will always check for MAP_FIXED and
      return that address.  So by the time we do security_mmap_addr(0) things
      get funky for shmat().
      
      The testcase itself shows that while a regular user crashes, root will
      not have a problem attaching a nil-page.  There are two possible fixes
      to this.  The first, and which this patch does, is to simply allow root
      to crash as well -- this is also regular mmap behavior, ie when hacking
      up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
      is the safer option, the second alternative is to ignore SHM_RND if the
      rounded address is 0, thus only having MAP_SHARED flags.  This makes the
      behavior of shmat() identical to the mmap() case.  The downside of this
      is obviously user visible, but does make sense in that it maintains
      semantics after the round-down wrt 0 address and mmap.
      
      Passes shm related ltp tests.
      
      Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.netSigned-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Reported-by: default avatarGareth Evans <gareth.evans@contextis.co.uk>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      13508cb3
    • Paolo Bonzini's avatar
      kvm: fix page struct leak in handle_vmon · 591fc80b
      Paolo Bonzini authored
      commit 06ce521a upstream.
      
      handle_vmon gets a reference on VMXON region page,
      but does not release it. Release the reference.
      
      Found by syzkaller; based on a patch by Dmitry.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.16: use skip_emulated_instruction()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      591fc80b
    • Ben Hutchings's avatar
      Revert "KVM: x86: expose MSR_TSC_AUX to userspace" · 58b44358
      Ben Hutchings authored
      This reverts commit a79ed0ed, which was
      commit 9dbe6cf9 upstream.  It depends on
      several other large commits to work, and without them causes a regression.
      
      References: https://bugzilla.redhat.com/show_bug.cgi?id=1408333Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Eric Wheeler <kvm@lists.ewheeler.net>
      58b44358
    • Hangbin Liu's avatar
      igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() · 5bae9a41
      Hangbin Liu authored
      commit 9c8bb163 upstream.
      
      In function igmpv3/mld_add_delrec() we allocate pmc and put it in
      idev->mc_tomb, so we should free it when we don't need it in del_delrec().
      But I removed kfree(pmc) incorrectly in latest two patches. Now fix it.
      
      Fixes: 24803f38 ("igmp: do not remove igmp souce list info when ...")
      Fixes: 1666d49e ("mld: do not remove mld souce list info when ...")
      Reported-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5bae9a41
    • Hangbin Liu's avatar
      mld: do not remove mld souce list info when set link down · 8752be62
      Hangbin Liu authored
      commit 1666d49e upstream.
      
      This is an IPv6 version of commit 24803f38 ("igmp: do not remove igmp
      souce list..."). In mld_del_delrec(), we will restore back all source filter
      info instead of flush them.
      
      Move mld_clear_delrec() from ipv6_mc_down() to ipv6_mc_destroy_dev() since
      we should not remove source list info when set link down. Remove
      igmp6_group_dropped() in ipv6_mc_destroy_dev() since we have called it in
      ipv6_mc_down().
      
      Also clear all source info after igmp6_group_dropped() instead of in it
      because ipv6_mc_down() will call igmp6_group_dropped().
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8752be62
    • Hangbin Liu's avatar
      igmp: do not remove igmp souce list info when set link down · b38c6e0b
      Hangbin Liu authored
      commit 24803f38 upstream.
      
      In commit 24cf3af3 ("igmp: call ip_mc_clear_src..."), we forgot to remove
      igmpv3_clear_delrec() in ip_mc_down(), which also called ip_mc_clear_src().
      This make us clear all IGMPv3 source filter info after NETDEV_DOWN.
      Move igmpv3_clear_delrec() to ip_mc_destroy_dev() and then no need
      ip_mc_clear_src() in ip_mc_destroy_dev().
      
      On the other hand, we should restore back instead of free all source filter
      info in igmpv3_del_delrec(). Or we will not able to restore IGMPv3 source
      filter info after NETDEV_UP and NETDEV_POST_TYPE_CHANGE.
      
      Fixes: 24cf3af3 ("igmp: call ip_mc_clear_src() only when ...")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: use IGMP_Unsolicited_Report_Count instead of
       sysctl_igmp_qrv]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b38c6e0b
    • Darrick J. Wong's avatar
      xfs: update MAINTAINERS · 3dbe499e
      Darrick J. Wong authored
      commit 721a0edf upstream.
      
      I am taking over as XFS maintainer from Dave Chinner[1], so update
      contact information and git tree pointers.
      
      [1] http://lkml.iu.edu/hypermail/linux/kernel/1612.1/04390.htmlSigned-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Dave Chinner <david@fromorbit.com>
      3dbe499e
    • WANG Cong's avatar
      sit: fix a double free on error path · c683ac5e
      WANG Cong authored
      [ Upstream commit d7426c69 ]
      
      Dmitry reported a double free in sit_init_net():
      
        kernel BUG at mm/percpu.c:689!
        invalid opcode: 0000 [#1] SMP KASAN
        Dumping ftrace buffer:
           (ftrace buffer empty)
        Modules linked in:
        CPU: 0 PID: 15692 Comm: syz-executor1 Not tainted 4.10.0-rc6-next-20170206 #1
        Hardware name: Google Google Compute Engine/Google Compute Engine,
        BIOS Google 01/01/2011
        task: ffff8801c9cc27c0 task.stack: ffff88017d1d8000
        RIP: 0010:pcpu_free_area+0x68b/0x810 mm/percpu.c:689
        RSP: 0018:ffff88017d1df488 EFLAGS: 00010046
        RAX: 0000000000010000 RBX: 00000000000007c0 RCX: ffffc90002829000
        RDX: 0000000000010000 RSI: ffffffff81940efb RDI: ffff8801db841d94
        RBP: ffff88017d1df590 R08: dffffc0000000000 R09: 1ffffffff0bb3bdd
        R10: dffffc0000000000 R11: 00000000000135dd R12: ffff8801db841d80
        R13: 0000000000038e40 R14: 00000000000007c0 R15: 00000000000007c0
        FS:  00007f6ea608f700(0000) GS:ffff8801dbe00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 000000002000aff8 CR3: 00000001c8d44000 CR4: 00000000001426f0
        DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
        Call Trace:
         free_percpu+0x212/0x520 mm/percpu.c:1264
         ipip6_dev_free+0x43/0x60 net/ipv6/sit.c:1335
         sit_init_net+0x3cb/0xa10 net/ipv6/sit.c:1831
         ops_init+0x10a/0x530 net/core/net_namespace.c:115
         setup_net+0x2ed/0x690 net/core/net_namespace.c:291
         copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
         create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
         unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
         SYSC_unshare kernel/fork.c:2281 [inline]
         SyS_unshare+0x64e/0xfc0 kernel/fork.c:2231
         entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      This is because when tunnel->dst_cache init fails, we free dev->tstats
      once in ipip6_tunnel_init() and twice in sit_init_net(). This looks
      redundant but its ndo_uinit() does not seem enough to clean up everything
      here. So avoid this by setting dev->tstats to NULL after the first free,
      at least for -net.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c683ac5e