1. 11 Jul, 2018 1 commit
    • usb: cdc_acm: Add quirk for Uniden UBC125 scanner · 6f8b3fd2
      Houston Yaroschoff authored
      commit 4a762569 upstream.
      
      The Uniden UBC125 radio scanner has a USB interface which fails to work
      with the cdc_acm driver:
        usb 1-1.5: new full-speed USB device number 4 using xhci_hcd
        cdc_acm 1-1.5:1.0: Zero length descriptor references
        cdc_acm: probe of 1-1.5:1.0 failed with error -22
      
      Adding the NO_UNION_NORMAL quirk for the device fixes the issue:
        usb 1-4: new full-speed USB device number 15 using xhci_hcd
        usb 1-4: New USB device found, idVendor=1965, idProduct=0018
        usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
        usb 1-4: Product: UBC125XLT
        usb 1-4: Manufacturer: Uniden Corp.
        usb 1-4: SerialNumber: 0001
        cdc_acm 1-4:1.0: ttyACM0: USB ACM device
      
      `lsusb -v` of the device:
      
        Bus 001 Device 015: ID 1965:0018 Uniden Corporation
        Device Descriptor:
          bLength                18
          bDescriptorType         1
          bcdUSB               2.00
          bDeviceClass            2 Communications
          bDeviceSubClass         0
          bDeviceProtocol         0
          bMaxPacketSize0        64
          idVendor           0x1965 Uniden Corporation
          idProduct          0x0018
          bcdDevice            0.01
          iManufacturer           1 Uniden Corp.
          iProduct                2 UBC125XLT
          iSerial                 3 0001
          bNumConfigurations      1
          Configuration Descriptor:
            bLength                 9
            bDescriptorType         2
            wTotalLength           48
            bNumInterfaces          2
            bConfigurationValue     1
            iConfiguration          0
            bmAttributes         0x80
              (Bus Powered)
            MaxPower              500mA
            Interface Descriptor:
              bLength                 9
              bDescriptorType         4
              bInterfaceNumber        0
              bAlternateSetting       0
              bNumEndpoints           1
              bInterfaceClass         2 Communications
              bInterfaceSubClass      2 Abstract (modem)
              bInterfaceProtocol      0 None
              iInterface              0
              Endpoint Descriptor:
                bLength                 7
                bDescriptorType         5
                bEndpointAddress     0x87  EP 7 IN
                bmAttributes            3
                  Transfer Type            Interrupt
                  Synch Type               None
                  Usage Type               Data
                wMaxPacketSize     0x0008  1x 8 bytes
                bInterval              10
            Interface Descriptor:
              bLength                 9
              bDescriptorType         4
              bInterfaceNumber        1
              bAlternateSetting       0
              bNumEndpoints           2
              bInterfaceClass        10 CDC Data
              bInterfaceSubClass      0 Unused
              bInterfaceProtocol      0
              iInterface              0
              Endpoint Descriptor:
                bLength                 7
                bDescriptorType         5
                bEndpointAddress     0x81  EP 1 IN
                bmAttributes            2
                  Transfer Type            Bulk
                  Synch Type               None
                  Usage Type               Data
                wMaxPacketSize     0x0040  1x 64 bytes
                bInterval               0
              Endpoint Descriptor:
                bLength                 7
                bDescriptorType         5
                bEndpointAddress     0x02  EP 2 OUT
                bmAttributes            2
                  Transfer Type            Bulk
                  Synch Type               None
                  Usage Type               Data
                wMaxPacketSize     0x0040  1x 64 bytes
                bInterval               0
        Device Status:     0x0000
          (Bus Powered)
      Signed-off-by: Houston Yaroschoff <hstn@4ever3.net>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: Oliver Neukum <oneukum@suse.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 03 Jul, 2018 39 commits
    • Linux 4.4.139 · 16af0986
      Greg Kroah-Hartman authored
    • Bluetooth: Fix connection if directed advertising and privacy is used · 679bd362
      Szymon Janc authored
      commit 082f2300 upstream.
      
      The local random address needs to be updated before creating a connection if
      the RPA from the LE Direct Advertising Report was resolved in the host. Otherwise
      the remote device might ignore the connection request due to an address mismatch.
      
      This was affecting the following qualification test cases:
      GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C
      
      Before patch:
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6          #11350 [hci0] 84680.231216
              Address: 56:BC:E8:24:11:68 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                        #11351 [hci0] 84680.246022
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7         #11352 [hci0] 84680.246417
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                        #11353 [hci0] 84680.248854
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11354 [hci0] 84680.249466
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                        #11355 [hci0] 84680.253222
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                          #11356 [hci0] 84680.458387
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
              RSSI: -74 dBm (0xb6)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11357 [hci0] 84680.458737
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                        #11358 [hci0] 84680.469982
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25          #11359 [hci0] 84680.470444
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                          #11360 [hci0] 84680.474971
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0    #11361 [hci0] 84682.545385
      > HCI Event: Command Complete (0x0e) plen 4                        #11362 [hci0] 84682.551014
            LE Create Connection Cancel (0x08|0x000e) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                          #11363 [hci0] 84682.551074
            LE Connection Complete (0x01)
              Status: Unknown Connection Identifier (0x02)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Public (0x00)
              Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
              Connection interval: 0.00 msec (0x0000)
              Connection latency: 0 (0x0000)
              Supervision timeout: 0 msec (0x0000)
              Master clock accuracy: 0x00
      
      After patch:
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7    #210 [hci0] 667.152459
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                   #211 [hci0] 667.153613
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2        #212 [hci0] 667.153704
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                   #213 [hci0] 667.154584
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                     #214 [hci0] 667.182619
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
              RSSI: -70 dBm (0xba)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2       #215 [hci0] 667.182704
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                  #216 [hci0] 667.183599
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6    #217 [hci0] 667.183645
              Address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                  #218 [hci0] 667.184590
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25    #219 [hci0] 667.184613
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                    #220 [hci0] 667.186558
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                    #221 [hci0] 667.485824
            LE Connection Complete (0x01)
              Status: Success (0x00)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Master clock accuracy: 0x07
      @ MGMT Event: Device Connected (0x000b) plen 13          {0x0002} [hci0] 667.485996
              LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
              Flags: 0x00000000
              Data length: 0
      Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cdc_ncm: avoid padding beyond end of skb · 9d4c1d93
      Bjørn Mork authored
      commit 49c2c3f2 upstream.
      
      Commit 4a0e3e98 ("cdc_ncm: Add support for moving NDP to end
      of NCM frame") added logic to reserve space for the NDP at the
      end of the NTB/skb.  This reservation did not take the final
      alignment of the NDP into account, causing us to reserve too
      little space. Additionally the padding prior to NDP addition did
      not ensure there was enough space for the NDP.
      
      The NTB/skb with the NDP appended would then exceed the configured
      max size. This caused the final padding of the NTB to use a
      negative count, padding to almost INT_MAX, and resulting in:
      
      [60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
      [60103.825998] IP: __memset+0x24/0x30
      [60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
      [60103.826013] Oops: 0002 [#1] SMP NOPTI
      [60103.826018] Modules linked in: (removed(
      [60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
      [60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
      [60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
      [60103.826171] RIP: 0010:__memset+0x24/0x30
      [60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
      [60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
      [60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
      [60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
      [60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
      [60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
      [60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
      [60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
      [60103.826204] Call Trace:
      [60103.826212]  <IRQ>
      [60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
      [60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
      [60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
      [60103.826254]  ? netif_skb_features+0x119/0x250
      [60103.826259]  dev_hard_start_xmit+0xa1/0x200
      [60103.826267]  sch_direct_xmit+0xf2/0x1b0
      [60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
      [60103.826280]  ? ip_finish_output2+0x263/0x3c0
      [60103.826284]  ip_finish_output2+0x263/0x3c0
      [60103.826289]  ? ip_output+0x6c/0xe0
      [60103.826293]  ip_output+0x6c/0xe0
      [60103.826298]  ? ip_forward_options+0x1a0/0x1a0
      [60103.826303]  tcp_transmit_skb+0x516/0x9b0
      [60103.826309]  tcp_write_xmit+0x1aa/0xee0
      [60103.826313]  ? sch_direct_xmit+0x71/0x1b0
      [60103.826318]  tcp_tasklet_func+0x177/0x180
      [60103.826325]  tasklet_action+0x5f/0x110
      [60103.826332]  __do_softirq+0xde/0x2b3
      [60103.826337]  irq_exit+0xae/0xb0
      [60103.826342]  do_IRQ+0x81/0xd0
      [60103.826347]  common_interrupt+0x98/0x98
      [60103.826351]  </IRQ>
      [60103.826355] RIP: 0033:0x7f397bdf2282
      [60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
      [60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
      [60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
      [60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
      [60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
      [60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
      [60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
      e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
      ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
      [60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
      [60103.826444] CR2: ffff9641f2004000
      
      Commit e1069bbf ("net: cdc_ncm: Reduce memory use when kernel
      memory low") made this bug much more likely to trigger by reducing
      the NTB size under memory pressure.
      
      Link: https://bugs.debian.org/893393
      Reported-by: Горбешко Богдан <bodqhrohro@gmail.com>
      Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: Enrico Mioso <mrkiko.rs@gmail.com>
      Fixes: 4a0e3e98 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
      [ bmork:  tx_curr_size => tx_max and context fixup for v4.12 and older ]
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
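The two defects the message describes, a reservation that ignores the NDP's final alignment and a padding count that goes negative once the frame overshoots its limit, in miniature. This is an added example and not the commit's or the cdc_ncm driver's code: the `struct ntb`, its field names, the buffer size and the sizes used in `main()` are constructed stand-ins for the skb and `ctx->tx_max`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a transmit NTB; a stand-in for the kernel skb and
 * for ctx->tx_max, not the driver's own structures. */
#define NTB_BUF_SIZE 256
struct ntb {
    unsigned char data[NTB_BUF_SIZE];
    size_t len;   /* bytes filled so far */
    size_t max;   /* configured maximum NTB size */
};

/* Round n up to the next multiple of modulus (the NDP alignment). */
static size_t align_up(size_t n, size_t modulus)
{
    return (n + modulus - 1) / modulus * modulus;
}

/* Defective reservation: keeps room for the raw NDP only, ignoring that
 * the NDP is placed at an aligned offset. */
static size_t reserve_unaligned(size_t ndp_size)
{
    return ndp_size;
}

/* Correct reservation: the aligned placement can cost up to modulus - 1
 * bytes of slack in front of the NDP, so reserve that as well. */
static size_t reserve_aligned(size_t ndp_size, size_t modulus)
{
    return ndp_size + modulus - 1;
}

/* Where the frame ends once the NDP is appended after 'payload' bytes. */
static size_t frame_end(size_t payload, size_t ndp_size, size_t modulus)
{
    return align_up(payload, modulus) + ndp_size;
}

/* The count the defective padding computes: a signed difference that is
 * negative once len > max and, converted to size_t for memset(), becomes
 * a count of almost the whole address space. Returned, never used. */
static size_t buggy_pad_count(size_t len, size_t max)
{
    int pad = (int)max - (int)len;
    return (size_t)pad;
}

/* Hardened padding: a frame that already exceeds its limit is rejected
 * instead of being "padded" with a negative count. 0 on success, -1 if
 * the frame is too large and must be dropped. */
static int safe_pad(struct ntb *n)
{
    if (n->max > sizeof(n->data) || n->len > n->max)
        return -1;
    memset(n->data + n->len, 0, n->max - n->len);
    n->len = n->max;
    return 0;
}

/* Pad a frame of 'len' bytes against limit 'max'; returns the padded
 * length, or 0 if safe_pad() rejected it. */
static size_t pad_frame(size_t len, size_t max)
{
    struct ntb n = { .len = len, .max = max };
    return safe_pad(&n) == 0 ? n.len : 0;
}

int main(void)
{
    const size_t max = 48, ndp = 12, modulus = 8;

    /* Fill the payload up to the reserved boundary under each policy. */
    size_t end_bad  = frame_end(max - reserve_unaligned(ndp), ndp, modulus);
    size_t end_good = frame_end(max - reserve_aligned(ndp, modulus), ndp, modulus);
    printf("frame end, unaligned reservation: %zu (limit %zu)\n", end_bad, max);
    printf("frame end, aligned reservation:   %zu (limit %zu)\n", end_good, max);

    /* The oversized frame turns the padding count into a huge value ... */
    printf("defective pad count for %zu > %zu: %zu\n", end_bad, max,
           buggy_pad_count(end_bad, max));
    /* ... while the hardened path refuses to pad it at all. */
    printf("safe_pad on oversized frame: %s\n",
           pad_frame(end_bad, max) == 0 ? "rejected" : "padded");
    printf("safe_pad on in-limit frame: padded to %zu\n", pad_frame(end_good, max));
    return 0;
}
```

With a 12-byte NDP aligned to 8 and a 48-byte limit, the unaligned reservation lets the frame grow to 52 bytes, and `(int)48 - (int)52` becomes a memset count of `SIZE_MAX - 3`; the aligned reservation keeps the frame at 44 bytes, and the length check in `safe_pad()` is the guard that catches any case the reservation still misses.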
    • dm thin: handle running out of data space vs concurrent discard · 052ef26b
      Mike Snitzer authored
      commit a685557f upstream.
      
      Discards issued to a DM thin device can complete to userspace (via
      fstrim) _before_ the metadata changes associated with the discards are
      reflected in the thinp superblock (e.g. free blocks).  As such, if a
      user constructs a test that loops repeatedly over these steps, block
      allocation can fail due to discards not having completed yet:
      1) fill thin device via filesystem file
      2) remove file
      3) fstrim
      
      From initial report, here:
      https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html
      
      "The root cause of this issue is that dm-thin will first remove
      mapping and increase corresponding blocks' reference count to prevent
      them from being reused before DISCARD bios get processed by the
      underlying layers. However, increasing blocks' reference count could
      also increase the nr_allocated_this_transaction in struct sm_disk
      which makes smd->old_ll.nr_allocated +
      smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
      In this case, alloc_data_block() will never commit metadata to reset
      the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
      always returns an underflow value."
      
      While there is room for improvement to the space-map accounting that
      thinp is making use of: the reality is that this test is inherently racy and
      will result in the previous iteration's fstrim's discard(s) completing
      vs concurrent block allocation, via dd, in the next iteration of the
      loop.
      
      No amount of space map accounting improvements will be able to allow
      users to use a block before a discard of that block has completed.
      
      So the best we can really do is allow DM thinp to gracefully handle such
      aggressive use of all the pool's data by degrading the pool into
      out-of-data-space (OODS) mode.  We _should_ get that behaviour already
      (if space map accounting didn't falsely cause alloc_data_block() to
      believe free space was available), but short of that we handle the
      current reality that dm_pool_alloc_data_block() can return -ENOSPC.
      Reported-by: Dennis Yang <dennisyang@qnap.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • block: Fix transfer when chunk sectors exceeds max · a740830e
      Keith Busch authored
      commit 15bfd21f upstream.
      
      A device may have boundary restrictions where the number of sectors
      between boundaries exceeds its max transfer size. In this case, we need
      to cap the max size to the smaller of the two limits.
      Reported-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
      Tested-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Keith Busch <keith.busch@intel.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • spi: Fix scatterlist elements size in spi_map_buf · 9b46e5e9
      Maxime Chevallier authored
      commit ce99319a upstream.
      
      When SPI transfers can be offloaded using DMA, the SPI core needs to
      build a scatterlist to make sure that the buffer to be transferred is
      DMA-able.
      
      This patch fixes the scatterlist entry size computation in the case
      where the maximum acceptable scatterlist entry supported by the DMA
      controller is less than PAGE_SIZE, when the buffer is vmalloced.
      
      For each entry, the actual size is given by the minimum between the
      desc_len (which is the max buffer size supported by the DMA controller)
      and the remaining buffer length until we cross a page boundary.
      
      Fixes: 65598c13 ("spi: Fix per-page mapping of unaligned vmalloc-ed buffer")
      Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Btrfs: fix unexpected cow in run_delalloc_nocow · 0e1bd020
      Liu Bo authored
      commit 58113753 upstream.
      
      Fstests generic/475 provides a way to fail metadata reads while
      checking if a checksum exists for the inode inside run_delalloc_nocow(),
      and csum_exist_in_range() interprets an error (-EIO) as the inode having a
      checksum and makes its caller enter the cow path.
      
      In case of free space inode, this ends up with a warning in
      cow_file_range().
      
      The same problem applies to btrfs_cross_ref_exist() since it may also
      read metadata in between.
      
      With this, run_delalloc_nocow() bails out when errors occur at the two
      places.
      
      cc: <stable@vger.kernel.org> v2.6.28+
      Fixes: 17d217fe ("Btrfs: fix nodatasum handling in balancing code")
      Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 · b69733c8
      Takashi Iwai authored
      commit 275ec0cb upstream.
      
      Fujitsu Siemens ESPRIMO Mobile U9210 requires the same fixup as H270
      for the correct pin configs.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: elantech - fix V4 report decoding for module with middle key · a3fe277e
      ??? authored
      commit e0ae2519 upstream.
      
      Some touchpads have a middle key, and it is indicated in bit 2 of packet[0].
      We need to fix the V4 format's byte mask to prevent decoding errors.
      Signed-off-by: KT Liao <kt.liao@emc.com.tw>
      Cc: stable@vger.kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: elantech - enable middle button of touchpads on ThinkPad P52 · cbbc4566
      Aaron Ma authored
      commit 24bb555e upstream.
      
      The PNPID is a better way to identify the type of touchpad.
      Enable middle button support on 2 types of touchpads on the Lenovo P52.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
      Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: elan_i2c_smbus - fix more potential stack buffer overflows · defacc88
      Ben Hutchings authored
      commit 50fc7b61 upstream.
      
      Commit 40f7090b ("Input: elan_i2c_smbus - fix corrupted stack")
      fixed most of the functions using i2c_smbus_read_block_data() to
      allocate a buffer with the maximum block size.  However three
      functions were left unchanged:
      
      * In elan_smbus_initialize(), increase the buffer size in the same
        way.
      * In elan_smbus_calibrate_result(), the buffer is provided by the
        caller (calibrate_store()), so introduce a bounce buffer.  Also
        name the result buffer size.
      * In elan_smbus_get_report(), the buffer is provided by the caller
        but happens to be the right length.  Add a compile-time assertion
        to ensure this remains the case.
      
      Cc: <stable@vger.kernel.org> # 3.19+
      Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
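The three situations the message lists (a caller-sized buffer handed to a block read, a bounce buffer in front of a small caller buffer, and a compile-time assertion where the buffer happens to be a full block already) as a self-contained userspace model. This is an added example, not code from the commit or from the elan_i2c_smbus driver: `mock_read_block_data()` stands in for `i2c_smbus_read_block_data()`, the 32-byte block limit is the assumed value of `I2C_SMBUS_BLOCK_MAX`, and `REPORT_LEN`, `CALIBRATE_RESULT_LEN` and `struct report` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: I2C_SMBUS_BLOCK_MAX is 32 in linux/i2c.h. */
#define SMBUS_BLOCK_MAX 32

/* Constructed stand-in for i2c_smbus_read_block_data(). The device, not the
 * caller, decides how many bytes come back (anything up to the block
 * maximum), which is why the destination must always be SMBUS_BLOCK_MAX
 * bytes. Returns the byte count written. */
static int mock_read_block_data(uint8_t dev_count, uint8_t *buf)
{
    uint8_t n = dev_count > SMBUS_BLOCK_MAX ? SMBUS_BLOCK_MAX : dev_count;
    for (uint8_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(0xA0 + i);   /* recognisable pattern */
    return n;
}

/* The defect's footprint: bytes an unchecked block read would write past
 * the end of a caller buffer of 'caller_len' bytes. Computed rather than
 * performed; in the driver those bytes land on the kernel stack. */
static size_t overrun_bytes(uint8_t dev_count, size_t caller_len)
{
    size_t n = dev_count > SMBUS_BLOCK_MAX ? SMBUS_BLOCK_MAX : dev_count;
    return n > caller_len ? n - caller_len : 0;
}

/* Fix 1, the bounce buffer: read into full-size scratch space, then hand
 * the caller exactly what it asked for. -1 if the device returned a
 * different length (nothing is copied), 0 otherwise. */
static int read_block_bounced(uint8_t dev_count, uint8_t *dst, size_t want)
{
    uint8_t bounce[SMBUS_BLOCK_MAX];
    int n = mock_read_block_data(dev_count, bounce);
    if (n < 0 || (size_t)n != want)
        return -1;
    memcpy(dst, bounce, want);
    return 0;
}

/* Fix 2, the compile-time assertion: where the caller's buffer happens to
 * be a full block already, pin that fact so a later edit cannot shrink it
 * silently (the kernel uses BUILD_BUG_ON for this; C11 _Static_assert here). */
#define REPORT_LEN 32   /* hypothetical report size; assumed equal to a block */
struct report { uint8_t data[REPORT_LEN]; };
_Static_assert(sizeof(struct report) == SMBUS_BLOCK_MAX,
               "report buffer must hold a full SMBus block");

static int read_report(uint8_t dev_count, struct report *r)
{
    return mock_read_block_data(dev_count, r->data);
}

/* Hypothetical calibrate-result path: the caller owns a small buffer, so
 * it goes through the bounce read. Returns the first result byte, or -1. */
#define CALIBRATE_RESULT_LEN 4
static int calibrate_result_first_byte(uint8_t dev_count)
{
    uint8_t result[CALIBRATE_RESULT_LEN];
    if (read_block_bounced(dev_count, result, sizeof(result)) != 0)
        return -1;
    return result[0];
}

int main(void)
{
    printf("unchecked read of 32 bytes into a %d-byte buffer overruns by %zu bytes\n",
           CALIBRATE_RESULT_LEN, overrun_bytes(32, CALIBRATE_RESULT_LEN));
    printf("bounced read, device answers 4 bytes:  first byte 0x%02X\n",
           calibrate_result_first_byte(4));
    printf("bounced read, device answers 32 bytes: %s\n",
           calibrate_result_first_byte(32) < 0 ? "rejected" : "accepted");
    struct report r;
    printf("full-block report read returned %d bytes\n", read_report(32, &r));
    return 0;
}
```

The bounce read also rejects a device answer whose length differs from what the caller expects, which the original small-buffer call could not do; a firmware glitch or a misbehaving device then produces an error return instead of a partially filled or overrun buffer.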
    • udf: Detect incorrect directory size · fc98ab45
      Jan Kara authored
      commit fa65653e upstream.
      
      Detect when a directory entry is (possibly partially) beyond directory
      size and return EIO in that case since it means the filesystem is
      corrupted. Otherwise directory operations can further corrupt the
      directory and possibly also oops the kernel.
      
      CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      CC: stable@vger.kernel.org
      Reported-and-tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xen: Remove unnecessary BUG_ON from __unbind_from_irq() · 009aa1cd
      Boris Ostrovsky authored
      commit eef04c7b upstream.
      
      Commit 910f8bef ("xen/pirq: fix error path cleanup when binding
      MSIs") fixed a couple of errors in error cleanup path of
      xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
      __unbind_from_irq() with an unbound irq, which would result in
      triggering the BUG_ON there.
      
      Since there is really no reason for the BUG_ON (xen_free_irq() can
      operate on unbound irqs) we can remove it.
      Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: Juergen Gross <jgross@suse.com>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID · 53e877f2
      Alexandr Savca authored
      commit 8938fc7b upstream.
      
      Add ELAN0618 to the list of supported touchpads; this ID is used in
      Lenovo v330 15IKB devices.
      Signed-off-by: Alexandr Savca <alexandr.savca@saltedge.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • video: uvesafb: Fix integer overflow in allocation · 842803e4
      Kees Cook authored
      commit 9f645bcc upstream.
      
      cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
      allocation. This uses kmalloc_array() instead to catch the condition.
      Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
      Fixes: 8bdb3a2d ("uvesafb: the driver core")
      Cc: stable@vger.kernel.org
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
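The allocation-size overflow the message fixes, and the check `kmalloc_array()` performs to catch it, shown in userspace. This is an added example and not the commit's or the uvesafb driver's code: `alloc_array()` is a `malloc()`-based stand-in for `kmalloc_array()`, and the element size and lengths in `main()` are constructed so the wrap shows on any word size (the driver's case is a 32-bit `size_t` and a `cmap->len` near INT_MAX/2).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked byte count: n * size wraps silently past SIZE_MAX, so the
 * allocation is far smaller than the n elements the caller will write. */
static size_t unchecked_array_bytes(size_t n, size_t size)
{
    return n * size;
}

/* The check kmalloc_array() performs before multiplying: refuse when
 * n * size cannot be represented. Returns 0 and stores the product, or
 * -1 on overflow (nothing stored). */
static int checked_array_bytes(size_t n, size_t size, size_t *out)
{
    if (size != 0 && n > SIZE_MAX / size)
        return -1;
    *out = n * size;
    return 0;
}

/* Same, for callers that only need the product: 0 signals overflow
 * (a zero-length array needs no allocation anyway). */
static size_t checked_array_bytes_or_zero(size_t n, size_t size)
{
    size_t bytes;
    return checked_array_bytes(n, size, &bytes) == 0 ? bytes : 0;
}

/* Userspace stand-in for kmalloc_array(): NULL on overflow as well as on
 * allocation failure, so the caller cannot proceed with a short buffer. */
static void *alloc_array(size_t n, size_t size)
{
    size_t bytes;
    if (checked_array_bytes(n, size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

/* 1 if the product for (n, size) wraps, 0 otherwise. */
static int product_wraps(size_t n, size_t size)
{
    size_t bytes;
    return checked_array_bytes(n, size, &bytes) != 0;
}

int main(void)
{
    /* A length near the top of the range times a 4-byte element: on a
     * 32-bit kernel this is what a cmap->len around INT_MAX/2 does to a
     * 32-bit size_t; SIZE_MAX/2 + 2 reproduces the wrap on any word size. */
    size_t n = SIZE_MAX / 2 + 2, elem = 4;

    printf("unchecked: %zu elements * %zu bytes = %zu bytes (wrapped)\n",
           n, elem, unchecked_array_bytes(n, elem));
    printf("checked:   %s\n", product_wraps(n, elem) ? "overflow refused" : "ok");

    unsigned char *p = alloc_array(1000, elem);
    printf("alloc_array(1000, %zu): %s\n", elem, p ? "allocated" : "failed");
    free(p);
    printf("alloc_array(%zu, %zu): %s\n", n, elem,
           alloc_array(n, elem) ? "allocated" : "NULL");
    return 0;
}
```

The wrapped product here is 4 bytes for an array the caller believes holds billions of elements; every write past the fourth byte is a heap overflow, which is why the fix makes the allocator refuse the request rather than trusting the caller to bound `cmap->len`.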
    • NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message · ba195a93
      Dave Wysochanski authored
      commit d6889480 upstream.
      
      In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
      that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
      is a stack char array variable of length NFS_UINT_MAXLEN == 11.
      If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
      overflows into a negative value, for example:
      crash> p (unsigned) (0x80000000)
      $1 = 2147483648
      crash> p (signed) (0x80000000)
      $2 = -2147483648
      The '-' sign is written to the buffer and this causes a 1 byte overflow
      when the NULL byte is written, which corrupts kernel stack memory.  If
      CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:
      
      [11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
      [11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G        W      ------------ T 3.10.0-514.el7.x86_64 #1
      [11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
      [11558053.644462]  ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
      [11558053.646430]  ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
      [11558053.648313]  ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
      [11558053.650107] Call Trace:
      [11558053.651347]  [<ffffffff81685eac>] dump_stack+0x19/0x1b
      [11558053.653013]  [<ffffffff8167f2b3>] panic+0xe3/0x1f2
      [11558053.666240]  [<ffffffff811dcb03>] ? kfree+0x103/0x140
      [11558053.682589]  [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
      [11558053.689710]  [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
      [11558053.691619]  [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
      [11558053.693867]  [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
      [11558053.695763]  [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
      [11558053.702236]  [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
      [11558053.704215]  [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
      [11558053.709674]  [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b
      
      Fix this by calling the internally defined nfs_map_numeric_to_string()
      function which properly uses '%u' to convert this __u32.  For consistency,
      also replace the one other place where snprintf is called.
      Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
      Reported-by: Stephen Johnston <sjohnsto@redhat.com>
      Fixes: cf4ab538 ("NFSv4: Fix the string length returned by the idmapper")
      Cc: stable@vger.kernel.org # v3.4+
      Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba195a93
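The arithmetic behind the commit above, as an added user-space example that is not the kernel's code: an 11-byte buffer holds any __u32 printed with "%u" (ten digits plus NUL), but the same value printed with "%d" gains a '-' sign once bit 31 is set and needs twelve bytes. The sizing helper uses snprintf with a NULL buffer so nothing is ever written out of bounds; the converter is a stand-in for the '%u' path the fix switches to and reports failure instead of truncating. It assumes a two's-complement int, as on every Linux target.

```c
/* Added example, not kernel code. NFS_UINT_MAXLEN is taken from the
 * commit message; the function names are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFS_UINT_MAXLEN 11   /* "4294967295" + NUL */

/* Bytes (NUL included) the id occupies when formatted with "%d" (the bug)
 * or "%u" (the fix). snprintf(NULL, 0, ...) only measures, it writes nothing.
 * The cast to int is implementation-defined in C; it wraps on gcc/clang. */
size_t idmap_fmt_bytes(uint32_t id, int use_signed)
{
    int n = use_signed ? snprintf(NULL, 0, "%d", (int)id)
                       : snprintf(NULL, 0, "%u", id);
    return (size_t)n + 1;
}

/* Bounded conversion in the shape of the fixed path: always "%u", and a
 * -1 return when the buffer cannot hold the result, never a silent
 * overflow. Returns the number of characters written (without NUL). */
int idmap_numeric_to_string(uint32_t id, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%u", id);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Walk through the value from the commit message. */
int main(void)
{
    char id_str[NFS_UINT_MAXLEN];
    uint32_t id = 0x80000000u;

    printf("%%d needs %zu bytes, %%u needs %zu, buffer holds %d\n",
           idmap_fmt_bytes(id, 1), idmap_fmt_bytes(id, 0), NFS_UINT_MAXLEN);
    if (idmap_numeric_to_string(id, id_str, sizeof id_str) < 0)
        puts("conversion rejected: buffer too small");
    else
        printf("id_str = \"%s\"\n", id_str);
    return 0;
}
```

With CONFIG_CC_STACKPROTECTOR_STRONG the extra byte lands on the canary and produces the panic shown above; without it the corruption is silent, which is why the length check belongs in the converter rather than in the caller.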
    • nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir · 2a3af73c
      Scott Mayhew authored
      commit 9c2ece6e upstream.
      
      nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
      estimating the size of the readdir reply, but nfsd_encode_readdir
      restricts it to INT_MAX when encoding the reply.  This can result in log
      messages like "kernel: RPC request reserved 32896 but used 1049444".
      
      Restrict rd_dircount similarly (no reason it should be larger than
      svc_max_payload).
      Signed-off-by: Scott Mayhew <smayhew@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a3af73c
    • media: dvb_frontend: fix locking issues at dvb_frontend_get_event() · c5808ebb
      Mauro Carvalho Chehab authored
      commit 76d81243 upstream.
      
      As warned by smatch:
      	drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'.
      	  Locked on:   line 288
      	               line 295
      	               line 306
      	               line 314
      	  Unlocked on: line 303
      
      The lock implementation for get event is wrong, as, if an
      interrupt occurs, down_interruptible() will fail, and the
      routine will call up() twice when userspace calls the ioctl
      again.
      
      The bad code is there since when Linux migrated to git, in
      2005.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5808ebb
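A user-space model of the imbalance described above, added here as an example and not the driver's code. The ioctl-style caller takes a binary semaphore, calls the event routine and releases it. If the routine dropped the semaphore to sleep and then returns early because re-taking it was interrupted, the caller's release is the second up(): the count climbs above one and the next entrant gets in without the lock. The "fixed" variant shows one way to keep the invariant (the routine hands the lock back in the state it received it); the real patch may restructure the wait differently. All names here are the model's own.

```c
/* Added example, not kernel code: a counting semaphore where 1 means
 * free and 0 means held, and a fake down_interruptible() whose failure
 * is driven by a 'signal' flag instead of a real pending signal. */
#include <stdbool.h>

struct sem { int count; };

static void down(struct sem *s) { s->count--; }
static void up(struct sem *s)   { s->count++; }

/* Returns -1 without taking the lock when a signal is pending. */
static int down_interruptible(struct sem *s, bool signal)
{
    if (signal)
        return -1;
    s->count--;
    return 0;
}

/* Buggy shape: drop the lock to wait, give up if re-taking it is
 * interrupted, and return with the lock no longer held. */
int get_event_buggy(struct sem *s, bool must_wait, bool signal)
{
    if (must_wait) {
        up(s);                              /* sleep without the lock */
        if (down_interruptible(s, signal))
            return -1;                      /* lock released: count == 1 */
    }
    return 0;                               /* lock held: count == 0 */
}

/* Fixed shape: every return path leaves the lock held, because the
 * caller will release it. Here an interrupted re-acquire falls back to
 * an uninterruptible one and still reports the interruption. */
int get_event_fixed(struct sem *s, bool must_wait, bool signal)
{
    if (must_wait) {
        up(s);
        if (down_interruptible(s, signal)) {
            down(s);                        /* restore the invariant */
            return -1;
        }
    }
    return 0;
}

/* ioctl-style caller: lock around the call, then report the final
 * count. A correct routine always leaves it at 1; 2 means a double up(). */
int ioctl_call(int (*fn)(struct sem *, bool, bool), bool must_wait, bool signal)
{
    struct sem s = { 1 };

    down(&s);
    (void)fn(&s, must_wait, signal);
    up(&s);
    return s.count;
}
```

The smatch warning quoted in the commit ("inconsistent returns 'sem:&fepriv->sem'") is exactly this property: the lock state at each return must be the same, and a static checker can prove it per function without knowing which path a signal takes at run time.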
    • media: cx231xx: Add support for AverMedia DVD EZMaker 7 · dd40abfa
      Kai-Heng Feng authored
      commit 29e61d6e upstream.
      
      User reports AverMedia DVD EZMaker 7 can be driven by VIDEO_GRABBER.
      Add the device to the id_table to make it work.
      
      BugLink: https://bugs.launchpad.net/bugs/1620762
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: Hans Verkuil <hansverk@cisco.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd40abfa
    • media: v4l2-compat-ioctl32: prevent go past max size · ce7d1aac
      Mauro Carvalho Chehab authored
      commit ea72fbf5 upstream.
      
      As warned by smatch:
      	drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'
      
      The access_ok() logic should check for too big arrays too.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce7d1aac
    • perf intel-pt: Fix packet decoding of CYC packets · 5f21ae5a
      Adrian Hunter authored
      commit 621a5a32 upstream.
      
      Use a 64-bit type so that the cycle count is not limited to 32-bits.
      Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1528371002-8862-1-git-send-email-adrian.hunter@intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f21ae5a
    • perf intel-pt: Fix "Unexpected indirect branch" error · 727998de
      Adrian Hunter authored
      commit 9fb52336 upstream.
      
      Some Atom CPUs can produce FUP packets that contain NLIP (next linear
      instruction pointer) instead of CLIP (current linear instruction
      pointer).  That will result in "Unexpected indirect branch" errors. Fix
      by comparing IP to NLIP in that case.
      Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1527762225-26024-5-git-send-email-adrian.hunter@intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      727998de
    • perf intel-pt: Fix MTC timing after overflow · eadc0ef1
      Adrian Hunter authored
      commit dd27b87a upstream.
      
      On some platforms, overflows will clear before MTC wraparound, and there
      is no following TSC/TMA packet. In that case the previous TMA is valid.
      Since there will be a valid TMA either way, stop setting 'have_tma' to
      false upon overflow.
      Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1527762225-26024-4-git-send-email-adrian.hunter@intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      eadc0ef1
    • perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP · a6338a81
      Adrian Hunter authored
      commit bd2e49ec upstream.
      
      It is possible to have a CBR packet between a FUP packet and
      corresponding TIP packet. Stop treating it as an error.
      Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1527762225-26024-3-git-send-email-adrian.hunter@intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6338a81
    • perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING · 4a618451
      Adrian Hunter authored
      commit dbcb82b9 upstream.
      
      sync_switch is a facility to synchronize decoding more closely with the
      point in the kernel when the context actually switched.
      
      In one case, INTEL_PT_SS_NOT_TRACING state was not correctly
      transitioning to INTEL_PT_SS_TRACING state due to a missing case clause.
      Add it.
      Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1527762225-26024-2-git-send-email-adrian.hunter@intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a618451
    • perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 · d21abf46
      Adrian Hunter authored
      commit aef4feac upstream.
      
      Fix __kmod_path__parse() so that perf tools does not treat vdso32 and
      vdsox32 as kernel modules and fail to find the object.
      Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Wang Nan <wangnan0@huawei.com>
      Cc: stable@vger.kernel.org
      Fixes: 1f121b03 ("perf tools: Deal with kernel module names in '[]' correctly")
      Link: http://lkml.kernel.org/r/1528117014-30032-3-git-send-email-adrian.hunter@intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d21abf46
    • mfd: intel-lpss: Program REMAP register in PIO mode · 473e9c0b
      Andy Shevchenko authored
      commit d28b6252 upstream.
      
      According to documentation REMAP register has to be programmed in
      either DMA or PIO mode of the slice.
      
      Move the DMA capability check below to let REMAP register be programmed
      in PIO mode.
      
      Cc: stable@vger.kernel.org # 4.3+
      Fixes: 4b45efe8 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
      Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      473e9c0b
    • backlight: tps65217_bl: Fix Device Tree node lookup · 4544b184
      Johan Hovold authored
      commit 2b12dfa1 upstream.
      
      Fix child-node lookup during probe, which ended up searching the whole
      device tree depth-first starting at the parent rather than just matching
      on its children.
      
      This would only cause trouble if the child node is missing while there
      is an unrelated node named "backlight" elsewhere in the tree.
      
      Cc: stable <stable@vger.kernel.org>     # 3.7
      Fixes: eebfdc17 ("backlight: Add TPS65217 WLED driver")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4544b184
    • backlight: max8925_bl: Fix Device Tree node lookup · 1b9ecd3d
      Johan Hovold authored
      commit d1cc0ec3 upstream.
      
      Fix child-node lookup during probe, which ended up searching the whole
      device tree depth-first starting at the parent rather than just matching
      on its children.
      
      To make things worse, the parent mfd node was also prematurely freed,
      while the child backlight node was leaked.
      
      Cc: stable <stable@vger.kernel.org>     # 3.9
      Fixes: 47ec340c ("mfd: max8925: Support dt for backlight")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b9ecd3d
    • backlight: as3711_bl: Fix Device Tree node lookup · 91a9aaeb
      Johan Hovold authored
      commit 4a9c8bb2 upstream.
      
      Fix child-node lookup during probe, which ended up searching the whole
      device tree depth-first starting at the parent rather than just matching
      on its children.
      
      To make things worse, the parent mfd node was also prematurely freed.
      
      Cc: stable <stable@vger.kernel.org>     # 3.10
      Fixes: 59eb2b5e ("drivers/video/backlight/as3711_bl.c: add OF support")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      91a9aaeb
    • xfrm: skip policies marked as dead while rehashing · 10f64c9d
      Florian Westphal authored
      commit 862591bf upstream.
      
      syzkaller triggered following KASAN splat:
      
      BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
      read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23 [..]
      Workqueue: events xfrm_hash_rebuild [..]
       __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
       xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
       process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
       worker_thread+0x223/0x1990 kernel/workqueue.c:2246 [..]
      
      The reproducer triggers:
      1016                 if (error) {
      1017                         list_move_tail(&walk->walk.all, &x->all);
      1018                         goto out;
      1019                 }
      
      in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
      callback returns -ENOBUFS).
      
      In this case, *walk is located in the pfkey socket struct, so this socket
      becomes visible in the global policy list.
      
      It looks like this is intentional -- phony walker has walk.dead set to 1
      and all other places skip such "policies".
      
      Ccing original authors of the two commits that seem to expose this
      issue (first patch missed ->dead check, second patch adds pfkey
      sockets to policies dumper list).
      
      Fixes: 880a6fab ("xfrm: configure policy hash table thresholds by netlink")
      Fixes: 12a169e7 ("ipsec: Put dumpers on the dump list")
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Timo Teras <timo.teras@iki.fi>
      Cc: Christophe Gouault <christophe.gouault@6wind.com>
      Reported-by: syzbot <bot+c028095236fcb6f4348811565b75084c754dc729@syzkaller.appspotmail.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      10f64c9d
    • xfrm: Ignore socket policies when rebuilding hash tables · 3a727fca
      Tobias Brunner authored
      commit 6916fb3b upstream.
      
      Whenever thresholds are changed the hash tables are rebuilt.  This is
      done by enumerating all policies and hashing and inserting them into
      the right table according to the thresholds and direction.
      
      Because socket policies are also contained in net->xfrm.policy_all but
      no hash tables are defined for their direction (dir + XFRM_POLICY_MAX)
      this causes a NULL or invalid pointer dereference after returning from
      policy_hash_bysel() if the rebuild is done while any socket policies
      are installed.
      
      Since the rebuild after changing thresholds is scheduled this crash
      could even occur if the userland sets thresholds seemingly before
      installing any socket policies.
      
      Fixes: 53c2e285 ("xfrm: Do not hash socket policies")
      Signed-off-by: Tobias Brunner <tobias@strongswan.org>
      Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a727fca
    • UBIFS: Fix potential integer overflow in allocation · 9c3a27c0
      Silvio Cesare authored
      commit 353748a3 upstream.
      
      There is potential for the size and len fields in ubifs_data_node to be
      too large causing either a negative value for the length fields or an
      integer overflow leading to an incorrect memory allocation. Likewise,
      when the len field is small, an integer underflow may occur.
      Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Cc: stable@vger.kernel.org
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      9c3a27c0
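Three of the commits on this page (uvesafb's cmap->len allocation, the v4l2-compat-ioctl32 access_ok() 'count' check, and the UBIFS data-node length above) are the same two arithmetic traps: a count multiplied by an element size that wraps, and an untrusted total length that wraps when the header size is subtracted. The following is an added user-space example, not code from any of those drivers: mul_overflows() is the test kmalloc_array() applies before allocating, and the node helper works on a constructed header whose layout is only the shape of the UBIFS problem, not the real ubifs_data_node.

```c
/* Added example, not kernel code. The node header and NODE_HDR_SZ are
 * made up for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* True when n * size would wrap a size_t: the condition kmalloc_array()
 * rejects, and the one a bare kmalloc(n * size) silently gets wrong. */
int mul_overflows(size_t n, size_t size)
{
    return size != 0 && n > SIZE_MAX / size;
}

/* kmalloc_array-style allocator: NULL instead of an undersized buffer
 * that a later loop over n elements would then write past. */
void *alloc_array(size_t n, size_t size)
{
    if (mul_overflows(n, size))
        return NULL;
    return malloc(n * size);
}

/* Constructed on-flash header: 'len' is the total node length including
 * this header, as read from untrusted media. */
#define NODE_HDR_SZ 24
struct node_hdr {
    uint32_t len;
    uint32_t size;
};

/* Payload length derived from the header. The naive
 * 'dlen = len - NODE_HDR_SZ' underflows to about 4 GiB when len is
 * smaller than the header, and a huge len over-allocates; both are
 * rejected here with -1. max_len is the caller's sanity bound (for a
 * flash node, the largest node the medium can hold). */
long node_payload_len(const struct node_hdr *h, uint32_t max_len)
{
    if (h->len < NODE_HDR_SZ)   /* subtraction would wrap */
        return -1;
    if (h->len > max_len)       /* allocation would be oversized */
        return -1;
    return (long)(h->len - NODE_HDR_SZ);
}
```

The guard order matters: the lower bound comes first, so the subtraction is only performed on a value already known not to wrap, and the upper bound is checked on the raw field rather than on a derived value that an earlier wrap could have made look small.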
    • ubi: fastmap: Cancel work upon detach · 7cff3147
      Richard Weinberger authored
      commit 6e7d8016 upstream.
      
      Ben Hutchings pointed out that 29b7a6fa ("ubi: fastmap: Don't flush
      fastmap work on detach") does not really fix the problem, it just
      reduces the risk to hit the race window where fastmap work races against
      free()'ing ubi->volumes[].
      
      The correct approach is making sure that no more fastmap work is in
      progress before we free ubi data structures.
      So we cancel fastmap work right after the ubi background thread is
      stopped.
      By setting ubi->thread_enabled to zero we make sure that no further work
      tries to wake the thread.
      
      Fixes: 29b7a6fa ("ubi: fastmap: Don't flush fastmap work on detach")
      Fixes: 74cdaf24 ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
      Cc: stable@vger.kernel.org
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Cc: Martin Townsend <mtownsend1973@gmail.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cff3147
    • md: fix two problems with setting the "re-add" device state. · 4028e395
      NeilBrown authored
      commit 011abdc9 upstream.
      
      If "re-add" is written to the "state" file for a device
      which is faulty, this has an effect similar to removing
      and re-adding the device.  It should take up the
      same slot in the array that it previously had, and
      an accelerated (e.g. bitmap-based) rebuild should happen.
      
      The slot that "it previously had" is determined by
      rdev->saved_raid_disk.
      However this is not set when a device fails (only when a device
      is added), and it is cleared when resync completes.
      This means that "re-add" will normally work once, but may not work a
      second time.
      
      This patch includes two fixes.
      1/ when a device fails, record the ->raid_disk value in
          ->saved_raid_disk before clearing ->raid_disk
      2/ when "re-add" is written to a device for which
          ->saved_raid_disk is not set, fail.
      
      I think this is suitable for stable as it can
      cause re-adding a device to be forced to do a full
      resync which takes a lot longer and so puts data at
      more risk.
      
      Cc: <stable@vger.kernel.org> (v4.1)
      Fixes: 97f6cd39 ("md-cluster: re-add capabilities")
      Signed-off-by: NeilBrown <neilb@suse.com>
      Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
      Signed-off-by: Shaohua Li <shli@fb.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4028e395
    • linvdimm, pmem: Preserve read-only setting for pmem devices · 37e87504
      Robert Elliott authored
      commit 254a4cd5 upstream.
      
      The pmem driver does not honor a forced read-only setting for very long:
      	$ blockdev --setro /dev/pmem0
      	$ blockdev --getro /dev/pmem0
      	1
      
      followed by various commands like these:
      	$ blockdev --rereadpt /dev/pmem0
      	or
      	$ mkfs.ext4 /dev/pmem0
      
      results in this in the kernel serial log:
      	 nd_pmem namespace0.0: region0 read-write, marking pmem0 read-write
      
      with the read-only setting lost:
      	$ blockdev --getro /dev/pmem0
      	0
      
      That's from bus.c nvdimm_revalidate_disk(), which always applies the
      setting from nd_region (which is initially based on the ACPI NFIT
      NVDIMM state flags not_armed bit).
      
      In contrast, commit 20bd1d02 ("scsi: sd: Keep disk read-only when
      re-reading partition") fixed this issue for SCSI devices to preserve
      the previous setting if it was set to read-only.
      
      This patch modifies bus.c to preserve any previous read-only setting.
      It also eliminates the kernel serial log print except for cases where
      read-write is changed to read-only, so it doesn't print read-only to
      read-only non-changes.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 58138820 ("libnvdimm, nfit: handle unarmed dimms, mark namespaces read-only")
      Signed-off-by: Robert Elliott <elliott@hpe.com>
      Signed-off-by: Dan Williams <dan.j.williams@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      37e87504
    • scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread · f723101e
      Steffen Maier authored
      commit 6a765508 upstream.
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : REC
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1                      ZFCP_DBF_REC_TRIG
      Tag            : .......
      LUN            : 0x...
      WWPN           : 0x...
      D_ID           : 0x...
      Adapter status : 0x...
      Port status    : 0x...
      LUN status     : 0x...
      Ready count    : 0x...
      Running count  : 0x...
      ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
      ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE
      Signed-off-by: Steffen Maier <maier@linux.ibm.com>
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      f723101e
    • scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED · 1d7e2354
      Steffen Maier authored
      commit 8c3d20aa upstream.
      
      That other commit introduced an inconsistency because it would trace on
      ERP_FAILED for all callers of port forced reopen triggers (not just
      terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
      other ERP triggers such as adapter, port regular, LUN.
      
      Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
      had two early outs which re-used the one zfcp_dbf_rec_trig() call.  All ERP
      trigger functions finally run through zfcp_erp_action_enqueue().  So move
      the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
      zfcp_erp_action_enqueue() and add another early out with new trace marker
      for pseudo ERP need in this case. This removes all early returns from all
      ERP trigger functions so we always end up at zfcp_dbf_rec_trig().
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : REC
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1                      ZFCP_DBF_REC_TRIG
      Tag            : .......
      LUN            : 0x...
      WWPN           : 0x...
      D_ID           : 0x...
      Adapter status : 0x...
      Port status    : 0x...
      LUN status     : 0x...
      Ready count    : 0x...
      Running count  : 0x...
      ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
      ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED
      Signed-off-by: Steffen Maier <maier@linux.ibm.com>
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d7e2354
    • scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED · 24f2f5d7
      Steffen Maier authored
      commit d70aab55 upstream.
      
      For problem determination we always want to see when we were invoked on the
      terminate_rport_io callback whether we perform something or not.
      
      Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:
      
      lose remote port
      
      t   workqueue
      [s] zfcp_q_<dev>       IRQ                 zfcperp<dev>
      
      === ================== =================== ============================
      
        0                    recv RSCN
                             q p.test_link_work
          block rport
           start fast_io_fail_tmo
          send ADISC ELS
        4                    recv ADISC fail
                             block zfcp_port
                                                 port forced reopen
                                                 send open port
       12                    recv open port fail
                                                 q p.gid_pn_work
                                                 zfcp_erp_wakeup
                                                 (zfcp_erp_wait would return)
          GID_PN fail
      
      Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
      e.g. with the typical 5 sec setting.
      
          port.status |= ERP_FAILED
      
      If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.
      
          workqueue
          fc_dl_<host>
          ==================
       27 fc_timeout_fail_rport_io
          fc_terminate_rport_io
          zfcp_scsi_terminate_rport_io
          zfcp_erp_port_forced_reopen
          _zfcp_erp_port_forced_reopen
           if (port.status & ERP_FAILED)
            return;
      
      Therefore, write a trace before above early return.
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : REC
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1                      ZFCP_DBF_REC_TRIG
      Tag            : sctrpi1                SCSI terminate rport I/O
      LUN            : 0xffffffffffffffff                     none (invalid)
      WWPN           : 0x<wwpn>
      D_ID           : 0x<n_port_id>
      Adapter status : 0x...
      Port status    : 0x...
      LUN status     : 0x00000000                             none (invalid)
      Ready count    : 0x...
      Running count  : 0x...
      ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
      ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED
      Signed-off-by: Steffen Maier <maier@linux.ibm.com>
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      24f2f5d7