1. 16 Feb, 2016 6 commits
    • Ursula Braun's avatar
      qeth: initialize net_device with carrier off · 9839fffc
      Ursula Braun authored
      commit e5ebe632 upstream.
      
      /sys/class/net/<interface>/operstate for an active qeth network
      interface offen shows "unknown", which translates to "state UNKNOWN
      in output of "ip link show". It is caused by a missing initialization
      of the __LINK_STATE_NOCARRIER bit in the net_device state field.
      This patch adds a netif_carrier_off() invocation when creating the
      net_device for a qeth device.
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.vnet.ibm.com>
      Acked-by: default avatarHendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Reference-ID: Bugzilla 133209
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9839fffc
    • David Howells's avatar
      ASN.1: Fix non-match detection failure on data overrun · 15430f77
      David Howells authored
      commit 0d62e9dd upstream.
      
      If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
      matches get skipped if there's no more data to be had rather than a
      data-overrun error being reported.
      
      This is due to the code segment that decides whether to skip optional
      matches (ie. matches that could get ignored because an element is marked
      OPTIONAL in the grammar) due to a lack of data also skips non-optional
      elements if the data pointer has reached the end of the buffer.
      
      This can be tested with the data decoder for the new RSA akcipher algorithm
      that takes three non-optional integers.  Currently, it skips the last
      integer if there is insufficient data.
      
      Without the fix, #defining DEBUG in asn1_decoder.c will show something
      like:
      
      	next_op: pc=0/13 dp=0/270 C=0 J=0
      	- match? 30 30 00
      	- TAG: 30 266 CONS
      	next_op: pc=2/13 dp=4/270 C=1 J=0
      	- match? 02 02 00
      	- TAG: 02 257
      	- LEAF: 257
      	next_op: pc=5/13 dp=265/270 C=1 J=0
      	- match? 02 02 00
      	- TAG: 02 3
      	- LEAF: 3
      	next_op: pc=8/13 dp=270/270 C=1 J=0
      	next_op: pc=11/13 dp=270/270 C=1 J=0
      	- end cons t=4 dp=270 l=270/270
      
      The next_op line for pc=8/13 should be followed by a match line.
      
      This is not exploitable for X.509 certificates by means of shortening the
      message and fixing up the ASN.1 CONS tags because:
      
       (1) The relevant records being built up are cleared before use.
      
       (2) If the message is shortened sufficiently to remove the public key, the
           ASN.1 parse of the RSA key will fail quickly due to a lack of data.
      
       (3) Extracted signature data is either turned into MPIs (which cope with a
           0 length) or is simpler integers specifying algoritms and suchlike
           (which can validly be 0); and
      
       (4) The AKID and SKID extensions are optional and their removal is handled
           without risking passing a NULL to asymmetric_key_generate_id().
      
       (5) If the certificate is truncated sufficiently to remove the subject,
           issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
           stack underflow' return.
      
      This is not exploitable for PKCS#7 messages by means of removal of elements
      from such a message from the tail end of a sequence:
      
       (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
           as detailed above.
      
       (2) The message digest content isn't used if it shows a NULL pointer,
           similarly, the authattrs aren't used if that shows a NULL pointer.
      
       (3) A missing signature results in a NULL MPI - which the MPI routines deal
           with.
      
       (4) If data is NULL, it is expected that the message has detached content and
           that is handled appropriately.
      
       (5) If the serialNumber is excised, the unconditional action associated
           with it will pick up the containing SEQUENCE instead, so no NULL
           pointer will be seen here.
      
           If both the issuer and the serialNumber are excised, the ASN.1 decode
           will fail with an 'Unexpected tag' return.
      
           In either case, there's no way to get to asymmetric_key_generate_id()
           with a NULL pointer.
      
       (6) Other fields are decoded to simple integers.  Shortening the message
           to omit an algorithm ID field will cause checks on this to fail early
           in the verification process.
      
      This can also be tested by snipping objects off of the end of the ASN.1 stream
      such that mandatory tags are removed - or even from the end of internal
      SEQUENCEs.  If any mandatory tag is missing, the error EBADMSG *should* be
      produced.  Without this patch ERANGE or ENOPKG might be produced or the parse
      may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
      later, depending on what gets snipped.
      
      Just snipping off the final BIT_STRING or OCTET_STRING from either sample
      should be a start since both are mandatory and neither will cause an EBADMSG
      without the patches
      Reported-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Reviewed-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Cc: Moritz Muehlenhoff <jmm@inutil.org>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      15430f77
    • Vladis Dronov's avatar
      USB: serial: visor: fix crash on detecting device without write_urbs · d80e009b
      Vladis Dronov authored
      commit cb323213 upstream.
      
      The visor driver crashes in clie_5_attach() when a specially crafted USB
      device without bulk-out endpoint is detected. This fix adds a check that
      the device has proper configuration expected by the driver.
      Reported-by: default avatarRalf Spenneberg <ralf@spenneberg.net>
      Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
      Fixes: cfb8da8f ("USB: visor: fix initialisation of UX50/TH55 devices")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Cc: Moritz Muehlenhoff <jmm@inutil.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d80e009b
    • Peter Hurley's avatar
      tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) · 3991600f
      Peter Hurley authored
      commit 5c17c861 upstream.
      
      ioctl(TIOCGETD) retrieves the line discipline id directly from the
      ldisc because the line discipline id (c_line) in termios is untrustworthy;
      userspace may have set termios via ioctl(TCSETS*) without actually
      changing the line discipline via ioctl(TIOCSETD).
      
      However, directly accessing the current ldisc via tty->ldisc is
      unsafe; the ldisc ptr dereferenced may be stale if the line discipline
      is changing via ioctl(TIOCSETD) or hangup.
      
      Wait for the line discipline reference (just like read() or write())
      to retrieve the "current" line discipline id.
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Moritz Muehlenhoff <jmm@inutil.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3991600f
    • Vladis Dronov's avatar
      [media] usbvision: fix crash on detecting device with invalid configuration · 409d6ec0
      Vladis Dronov authored
      commit fa52bd50 upstream.
      
      The usbvision driver crashes when a specially crafted usb device with invalid
      number of interfaces or endpoints is detected. This fix adds checks that the
      device has proper configuration expected by the driver.
      Reported-by: default avatarRalf Spenneberg <ralf@spenneberg.net>
      Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Cc: Moritz Muehlenhoff <jmm@inutil.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      409d6ec0
    • Alexey Khoroshilov's avatar
      [media] usbvision: fix leak of usb_dev on failure paths in usbvision_probe() · cc9a3a2a
      Alexey Khoroshilov authored
      commit afd270d1 upstream.
      
      There is no usb_put_dev() on failure paths in usbvision_probe().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cc9a3a2a
  2. 09 Feb, 2016 1 commit
  3. 07 Feb, 2016 1 commit
  4. 03 Feb, 2016 11 commits
  5. 02 Feb, 2016 21 commits
    • Sven Eckelmann's avatar
      batman-adv: Drop immediate neigh_ifinfo free function · a03f20f4
      Sven Eckelmann authored
      commit ae3e1e36 upstream.
      
      It is not allowed to free the memory of an object which is part of a list
      which is protected by rcu-read-side-critical sections without making sure
      that no other context is accessing the object anymore. This usually happens
      by removing the references to this object and then waiting until the rcu
      grace period is over and no one (allowedly) accesses it anymore.
      
      But the _now functions ignore this completely. They free the object
      directly even when a different context still tries to access it. This has
      to be avoided and thus these functions must be removed and all functions
      have to use batadv_neigh_ifinfo_free_ref.
      
      Fixes: 89652331 ("batman-adv: split tq information in neigh_node struct")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a03f20f4
    • Sven Eckelmann's avatar
      batman-adv: Drop immediate batadv_neigh_node free function · dd876ecc
      Sven Eckelmann authored
      commit 2baa753c upstream.
      
      It is not allowed to free the memory of an object which is part of a list
      which is protected by rcu-read-side-critical sections without making sure
      that no other context is accessing the object anymore. This usually happens
      by removing the references to this object and then waiting until the rcu
      grace period is over and no one (allowedly) accesses it anymore.
      
      But the _now functions ignore this completely. They free the object
      directly even when a different context still tries to access it. This has
      to be avoided and thus these functions must be removed and all functions
      have to use batadv_neigh_node_free_ref.
      
      Fixes: 89652331 ("batman-adv: split tq information in neigh_node struct")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      dd876ecc
    • Sven Eckelmann's avatar
      batman-adv: Drop immediate batadv_orig_ifinfo free function · 7b4c331e
      Sven Eckelmann authored
      commit deed9660 upstream.
      
      It is not allowed to free the memory of an object which is part of a list
      which is protected by rcu-read-side-critical sections without making sure
      that no other context is accessing the object anymore. This usually happens
      by removing the references to this object and then waiting until the rcu
      grace period is over and no one (allowedly) accesses it anymore.
      
      But the _now functions ignore this completely. They free the object
      directly even when a different context still tries to access it. This has
      to be avoided and thus these functions must be removed and all functions
      have to use batadv_orig_ifinfo_free_ref.
      
      Fixes: 7351a482 ("batman-adv: split out router from orig_node")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7b4c331e
    • Linus Lüssing's avatar
      batman-adv: fix potential TT client + orig-node memory leak · e46b9d49
      Linus Lüssing authored
      commit 9d31b3ce upstream.
      
      This patch fixes a potential memory leak which can occur once an
      originator times out. On timeout the according global translation table
      entry might not get purged correctly. Furthermore, the non purged TT
      entry will cause its orig-node to leak, too. Which additionally can lead
      to the new multicast optimization feature not kicking in because of a
      therefore bogus counter.
      
      In detail: The batadv_tt_global_entry->orig_list holds the reference to
      the orig-node. Usually this reference is released after
      BATADV_PURGE_TIMEOUT through: _batadv_purge_orig()->
      batadv_purge_orig_node()->batadv_update_route()->_batadv_update_route()->
      batadv_tt_global_del_orig() which purges this global tt entry and
      releases the reference to the orig-node.
      
      However, if between two batadv_purge_orig_node() calls the orig-node
      timeout grew to 2*BATADV_PURGE_TIMEOUT then this call path isn't
      reached. Instead the according orig-node is removed from the
      originator hash in _batadv_purge_orig(), the batadv_update_route()
      part is skipped and won't be reached anymore.
      
      Fixing the issue by moving batadv_tt_global_del_orig() out of the rcu
      callback.
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Acked-by: default avatarAntonio Quartulli <antonio@meshcoding.com>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <antonio@meshcoding.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e46b9d49
    • Sven Eckelmann's avatar
      batman-adv: Avoid recursive call_rcu for batadv_nc_node · e9e0ede5
      Sven Eckelmann authored
      commit 44e8e7e9 upstream.
      
      The batadv_nc_node_free_ref function uses call_rcu to delay the free of the
      batadv_nc_node object until no (already started) rcu_read_lock is enabled
      anymore. This makes sure that no context is still trying to access the
      object which should be removed. But batadv_nc_node also contains a
      reference to orig_node which must be removed.
      
      The reference drop of orig_node was done in the call_rcu function
      batadv_nc_node_free_rcu but should actually be done in the
      batadv_nc_node_release function to avoid nested call_rcus. This is
      important because rcu_barrier (e.g. batadv_softif_free or batadv_exit) will
      not detect the inner call_rcu as relevant for its execution. Otherwise this
      barrier will most likely be inserted in the queue before the callback of
      the first call_rcu was executed. The caller of rcu_barrier will therefore
      continue to run before the inner call_rcu callback finished.
      
      Fixes: d56b1705 ("batman-adv: network coding - detect coding nodes and remove these after timeout")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e9e0ede5
    • Sven Eckelmann's avatar
      batman-adv: Avoid recursive call_rcu for batadv_bla_claim · 3816a728
      Sven Eckelmann authored
      commit 63b39927 upstream.
      
      The batadv_claim_free_ref function uses call_rcu to delay the free of the
      batadv_bla_claim object until no (already started) rcu_read_lock is enabled
      anymore. This makes sure that no context is still trying to access the
      object which should be removed. But batadv_bla_claim also contains a
      reference to backbone_gw which must be removed.
      
      The reference drop of backbone_gw was done in the call_rcu function
      batadv_claim_free_rcu but should actually be done in the
      batadv_claim_release function to avoid nested call_rcus. This is important
      because rcu_barrier (e.g. batadv_softif_free or batadv_exit) will not
      detect the inner call_rcu as relevant for its execution. Otherwise this
      barrier will most likely be inserted in the queue before the callback of
      the first call_rcu was executed. The caller of rcu_barrier will therefore
      continue to run before the inner call_rcu callback finished.
      
      Fixes: 23721387 ("batman-adv: add basic bridge loop avoidance code")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3816a728
    • Nikolay Aleksandrov's avatar
      bridge: fix lockdep addr_list_lock false positive splat · 9647516f
      Nikolay Aleksandrov authored
      commit c6894dec upstream.
      
      After promisc mode management was introduced a bridge device could do
      dev_set_promiscuity from its ndo_change_rx_flags() callback which in
      turn can be called after the bridge's addr_list_lock has been taken
      (e.g. by dev_uc_add). This causes a false positive lockdep splat because
      the port interfaces' addr_list_lock is taken when br_manage_promisc()
      runs after the bridge's addr list lock was already taken.
      To remove the false positive introduce a custom bridge addr_list_lock
      class and set it on bridge init.
      A simple way to reproduce this is with the following:
      $ brctl addbr br0
      $ ip l add l br0 br0.100 type vlan id 100
      $ ip l set br0 up
      $ ip l set br0.100 up
      $ echo 1 > /sys/class/net/br0/bridge/vlan_filtering
      $ brctl addif br0 eth0
      Splat:
      [   43.684325] =============================================
      [   43.684485] [ INFO: possible recursive locking detected ]
      [   43.684636] 4.4.0-rc8+ #54 Not tainted
      [   43.684755] ---------------------------------------------
      [   43.684906] brctl/1187 is trying to acquire lock:
      [   43.685047]  (_xmit_ETHER){+.....}, at: [<ffffffff8150169e>] dev_set_rx_mode+0x1e/0x40
      [   43.685460]  but task is already holding lock:
      [   43.685618]  (_xmit_ETHER){+.....}, at: [<ffffffff815072a7>] dev_uc_add+0x27/0x80
      [   43.686015]  other info that might help us debug this:
      [   43.686316]  Possible unsafe locking scenario:
      
      [   43.686743]        CPU0
      [   43.686967]        ----
      [   43.687197]   lock(_xmit_ETHER);
      [   43.687544]   lock(_xmit_ETHER);
      [   43.687886] *** DEADLOCK ***
      
      [   43.688438]  May be due to missing lock nesting notation
      
      [   43.688882] 2 locks held by brctl/1187:
      [   43.689134]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81510317>] rtnl_lock+0x17/0x20
      [   43.689852]  #1:  (_xmit_ETHER){+.....}, at: [<ffffffff815072a7>] dev_uc_add+0x27/0x80
      [   43.690575] stack backtrace:
      [   43.690970] CPU: 0 PID: 1187 Comm: brctl Not tainted 4.4.0-rc8+ #54
      [   43.691270] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
      [   43.691770]  ffffffff826a25c0 ffff8800369fb8e0 ffffffff81360ceb ffffffff826a25c0
      [   43.692425]  ffff8800369fb9b8 ffffffff810d0466 ffff8800369fb968 ffffffff81537139
      [   43.693071]  ffff88003a08c880 0000000000000000 00000000ffffffff 0000000002080020
      [   43.693709] Call Trace:
      [   43.693931]  [<ffffffff81360ceb>] dump_stack+0x4b/0x70
      [   43.694199]  [<ffffffff810d0466>] __lock_acquire+0x1e46/0x1e90
      [   43.694483]  [<ffffffff81537139>] ? netlink_broadcast_filtered+0x139/0x3e0
      [   43.694789]  [<ffffffff8153b5da>] ? nlmsg_notify+0x5a/0xc0
      [   43.695064]  [<ffffffff810d10f5>] lock_acquire+0xe5/0x1f0
      [   43.695340]  [<ffffffff8150169e>] ? dev_set_rx_mode+0x1e/0x40
      [   43.695623]  [<ffffffff815edea5>] _raw_spin_lock_bh+0x45/0x80
      [   43.695901]  [<ffffffff8150169e>] ? dev_set_rx_mode+0x1e/0x40
      [   43.696180]  [<ffffffff8150169e>] dev_set_rx_mode+0x1e/0x40
      [   43.696460]  [<ffffffff8150189c>] dev_set_promiscuity+0x3c/0x50
      [   43.696750]  [<ffffffffa0586845>] br_port_set_promisc+0x25/0x50 [bridge]
      [   43.697052]  [<ffffffffa05869aa>] br_manage_promisc+0x8a/0xe0 [bridge]
      [   43.697348]  [<ffffffffa05826ee>] br_dev_change_rx_flags+0x1e/0x20 [bridge]
      [   43.697655]  [<ffffffff81501532>] __dev_set_promiscuity+0x132/0x1f0
      [   43.697943]  [<ffffffff81501672>] __dev_set_rx_mode+0x82/0x90
      [   43.698223]  [<ffffffff815072de>] dev_uc_add+0x5e/0x80
      [   43.698498]  [<ffffffffa05b3c62>] vlan_device_event+0x542/0x650 [8021q]
      [   43.698798]  [<ffffffff8109886d>] notifier_call_chain+0x5d/0x80
      [   43.699083]  [<ffffffff810988b6>] raw_notifier_call_chain+0x16/0x20
      [   43.699374]  [<ffffffff814f456e>] call_netdevice_notifiers_info+0x6e/0x80
      [   43.699678]  [<ffffffff814f4596>] call_netdevice_notifiers+0x16/0x20
      [   43.699973]  [<ffffffffa05872be>] br_add_if+0x47e/0x4c0 [bridge]
      [   43.700259]  [<ffffffffa058801e>] add_del_if+0x6e/0x80 [bridge]
      [   43.700548]  [<ffffffffa0588b5f>] br_dev_ioctl+0xaf/0xc0 [bridge]
      [   43.700836]  [<ffffffff8151a7ac>] dev_ifsioc+0x30c/0x3c0
      [   43.701106]  [<ffffffff8151aac9>] dev_ioctl+0xf9/0x6f0
      [   43.701379]  [<ffffffff81254345>] ? mntput_no_expire+0x5/0x450
      [   43.701665]  [<ffffffff812543ee>] ? mntput_no_expire+0xae/0x450
      [   43.701947]  [<ffffffff814d7b02>] sock_do_ioctl+0x42/0x50
      [   43.702219]  [<ffffffff814d8175>] sock_ioctl+0x1e5/0x290
      [   43.702500]  [<ffffffff81242d0b>] do_vfs_ioctl+0x2cb/0x5c0
      [   43.702771]  [<ffffffff81243079>] SyS_ioctl+0x79/0x90
      [   43.703033]  [<ffffffff815eebb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
      
      CC: Vlad Yasevich <vyasevic@redhat.com>
      CC: Stephen Hemminger <stephen@networkplumber.org>
      CC: Bridge list <bridge@lists.linux-foundation.org>
      CC: Andy Gospodarek <gospo@cumulusnetworks.com>
      CC: Roopa Prabhu <roopa@cumulusnetworks.com>
      Fixes: 2796d0c6 ("bridge: Automatically manage port promiscuous mode.")
      Reported-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9647516f
    • Dan Carpenter's avatar
      Btrfs: clean up an error code in btrfs_init_space_info() · 26976416
      Dan Carpenter authored
      commit 0dc924c5 upstream.
      
      If we return 1 here, then the caller treats it as an error and returns
      -EINVAL.  It causes a static checker warning to treat positive returns
      as an error.
      
      Fixes: 1aba86d6 ('Btrfs: fix easily get into ENOSPC in mixed case')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      26976416
    • Russell King's avatar
      mmc: sd: limit SD card power limit according to cards capabilities · 6f40d496
      Russell King authored
      commit d9812780 upstream.
      
      The SD card specification allows cards to error out a SWITCH command
      where the requested function in a group is not supported.  The spec
      provides for a set of capabilities which indicate which functions are
      supported.
      
      In the case of the power limit, requesting an unsupported power level
      via the SWITCH command fails, resulting in the power level remaining at
      the power-on default of 0.72W, even though the host and card may support
      higher powers levels.
      
      This has been seen with SanDisk 8GB cards, which support the default
      0.72W and 1.44W (200mA and 400mA) in combination with an iMX6 host,
      supporting up to 2.88W (800mA).  This currently causes us to try to set
      a power limit function value of '3' (2.88W) which the card errors out
      on, and thereby causes the power level to remain at 0.72W rather than
      the desired 1.44W.
      
      Arrange to limit the selected current limit by the capabilities reported
      by the card to avoid the SWITCH command failing.  Select the highest
      current limit that the host and card combination support.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Fixes: a39ca6ae ("mmc: core: Simplify and fix for SD switch processing")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6f40d496
    • Eric Dumazet's avatar
      ipv6: tcp: add rcu locking in tcp_v6_send_synack() · 2e000990
      Eric Dumazet authored
      commit 3e4006f0 upstream.
      
      When first SYNACK is sent, we already hold rcu_read_lock(), but this
      is not true if a SYNACK is retransmitted, as a timer (soft) interrupt
      does not hold rcu_read_lock()
      
      Fixes: 45f6fad8 ("ipv6: add complete rcu protection around np->opt")
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2e000990
    • Mickaël Salaün's avatar
      um: Fix build error and kconfig for i386 · 1b687f7e
      Mickaël Salaün authored
      commit 42d91f61 upstream.
      
      Fix build error by generating elfcore.o only when ELF_CORE (depending on
      COREDUMP) is selected:
      
      arch/x86/um/built-in.o: In function `elf_core_write_extra_phdrs':
      (.text+0x3e62): undefined reference to `dump_emit'
      arch/x86/um/built-in.o: In function `elf_core_write_extra_data':
      (.text+0x3eef): undefined reference to `dump_emit'
      
      Fixes: 5d2acfc7 ("kconfig: make allnoconfig disable options behind EMBEDDED and EXPERT")
      Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Josh Triplett <josh@joshtriplett.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1b687f7e
    • Bart Van Assche's avatar
      target: Fix a memory leak in target_dev_lba_map_store() · c8897d10
      Bart Van Assche authored
      commit f0a8afec upstream.
      
      strsep() modifies its first argument. Make the pointer passed to kfree()
      match the return value of kmalloc().
      
      Fixes: 229d4f11 (commit "target_core_alua: Referrals configfs integration")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c8897d10
    • Brian Norris's avatar
      firmware: actually return NULL on failed request_firmware_nowait() · f5117c4c
      Brian Norris authored
      commit 715780ae upstream.
      
      The kerneldoc for request_firmware_nowait() says that it may call the
      provided cont() callback with @fw == NULL, if the firmware request
      fails. However, this is not the case when called with an empty string
      (""). This case is short-circuited by the 'name[0] == '\0'' check
      introduced in commit 471b095d ("firmware_class: make sure fw requests
      contain a name"), so _request_firmware() never gets to set the fw to
      NULL.
      
      Noticed while using the new 'trigger_async_request' testing hook:
      
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [10553.726178] test_firmware: loading ''
          [10553.729859] test_firmware: loaded: 995209091
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [10733.676184] test_firmware: loading ''
          [10733.679855] Unable to handle kernel NULL pointer dereference at virtual address 00000004
          [10733.687951] pgd = ec188000
          [10733.690655] [00000004] *pgd=00000000
          [10733.694240] Internal error: Oops: 5 [#1] SMP ARM
          [10733.698847] Modules linked in: btmrvl_sdio btmrvl bluetooth sbs_battery nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables asix usbnet mwifiex_sdio mwifiex cfg80211 jitterentropy_rng drbg joydev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun
          [10733.725670] CPU: 0 PID: 6600 Comm: bash Not tainted 4.4.0-rc4-00351-g63d0877 #178
          [10733.733137] Hardware name: Rockchip (Device Tree)
          [10733.737831] task: ed24f6c0 ti: ee322000 task.ti: ee322000
          [10733.743222] PC is at do_raw_spin_lock+0x18/0x1a0
          [10733.747831] LR is at _raw_spin_lock+0x18/0x1c
          [10733.752180] pc : [<c00653a0>]    lr : [<c054c204>]    psr: a00d0013
          [10733.752180] sp : ee323df8  ip : ee323e20  fp : ee323e1c
          [10733.763634] r10: 00000051  r9 : b6f18000  r8 : ee323f80
          [10733.768847] r7 : c089cebc  r6 : 00000001  r5 : 00000000  r4 : ec0e6000
          [10733.775360] r3 : dead4ead  r2 : c06bd140  r1 : eef913b4  r0 : 00000000
          [10733.781874] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
          [10733.788995] Control: 10c5387d  Table: 2c18806a  DAC: 00000051
          [10733.794728] Process bash (pid: 6600, stack limit = 0xee322218)
          [10733.800549] Stack: (0xee323df8 to 0xee324000)
          [10733.804896] 3de0:                                                       ec0e6000 00000000
          [10733.813059] 3e00: 00000001 c089cebc ee323f80 b6f18000 ee323e2c ee323e20 c054c204 c0065394
          [10733.821221] 3e20: ee323e44 ee323e30 c02fec60 c054c1f8 ec0e7ec0 ec3fcfc0 ee323e5c ee323e48
          [10733.829384] 3e40: c02fed08 c02fec48 c07dbf74 eeb05a00 ee323e8c ee323e60 c0253828 c02fecac
          [10733.837547] 3e60: 00000001 c0116950 ee323eac ee323e78 00000001 ec3fce00 ed2d9700 ed2d970c
          [10733.845710] 3e80: ee323e9c ee323e90 c02e873c c02537d4 ee323eac ee323ea0 c017bd40 c02e8720
          [10733.853873] 3ea0: ee323ee4 ee323eb0 c017b250 c017bd00 00000000 00000000 f3e47a54 ec128b00
          [10733.862035] 3ec0: c017b10c ee323f80 00000001 c000f504 ee322000 00000000 ee323f4c ee323ee8
          [10733.870197] 3ee0: c011b71c c017b118 ee323fb0 c011bc90 becfa8d9 00000001 ec128b00 00000001
          [10733.878359] 3f00: b6f18000 ee323f80 ee323f4c ee323f18 c011bc90 c0063950 ee323f3c ee323f28
          [10733.886522] 3f20: c0063950 c0549138 00000001 ec128b00 00000001 ec128b00 b6f18000 ee323f80
          [10733.894684] 3f40: ee323f7c ee323f50 c011bed8 c011b6ec c0135fb8 c0135f24 ec128b00 ec128b00
          [10733.902847] 3f60: 00000001 b6f18000 c000f504 ee322000 ee323fa4 ee323f80 c011c664 c011be24
          [10733.911009] 3f80: 00000000 00000000 00000001 b6f18000 b6e79be0 00000004 00000000 ee323fa8
          [10733.919172] 3fa0: c000f340 c011c618 00000001 b6f18000 00000001 b6f18000 00000001 00000000
          [10733.927334] 3fc0: 00000001 b6f18000 b6e79be0 00000004 00000001 00000001 8068a3f1 b6e79c84
          [10733.935496] 3fe0: 00000000 becfa7dc b6de194d b6e20246 400d0030 00000001 7a4536e8 49bda390
          [10733.943664] [<c00653a0>] (do_raw_spin_lock) from [<c054c204>] (_raw_spin_lock+0x18/0x1c)
          [10733.951743] [<c054c204>] (_raw_spin_lock) from [<c02fec60>] (fw_free_buf+0x24/0x64)
          [10733.959388] [<c02fec60>] (fw_free_buf) from [<c02fed08>] (release_firmware+0x68/0x74)
          [10733.967207] [<c02fed08>] (release_firmware) from [<c0253828>] (trigger_async_request_store+0x60/0x124)
          [10733.976501] [<c0253828>] (trigger_async_request_store) from [<c02e873c>] (dev_attr_store+0x28/0x34)
          [10733.985533] [<c02e873c>] (dev_attr_store) from [<c017bd40>] (sysfs_kf_write+0x4c/0x58)
          [10733.993437] [<c017bd40>] (sysfs_kf_write) from [<c017b250>] (kernfs_fop_write+0x144/0x1a8)
          [10734.001689] [<c017b250>] (kernfs_fop_write) from [<c011b71c>] (__vfs_write+0x3c/0xe4)
      
      After this patch:
      
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [   32.126322] test_firmware: loading ''
          [   32.129995] test_firmware: failed to async load firmware
          -bash: printf: write error: No such device
      
      Fixes: 471b095d ("firmware_class: make sure fw requests contain a name")
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Acked-by: default avatarMing Lei <ming.lei@canonical.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f5117c4c
    • Sasha Levin's avatar
      power: test_power: correctly handle empty writes · 9b633ad4
      Sasha Levin authored
      commit 6b9140f3 upstream.
      
      Writing 0 length data into test_power makes it access an invalid array
      location and kill the system.
      
      Fixes: f17ef9b2 ("power: Make test_power driver more dynamic.")
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9b633ad4
    • Stephane Eranian's avatar
      perf/x86: Fix filter_events() bug with event mappings · 6342a172
      Stephane Eranian authored
      commit 61b87cae upstream.
      
      This patch fixes a bug in the filter_events() function.
      
      The patch fixes the bug whereby if some mappings did not
      exist, e.g., STALLED_CYCLES_FRONTEND, then any event after it
      in the attrs array would disappear from the published list of
      events in /sys/devices/cpu/events. This could be verified
      easily on any system post SNB (which do not publish
      STALLED_CYCLES_FRONTEND):
      
      	$ ./perf stat -e cycles,ref-cycles true
      	Performance counter stats for 'true':
                    1,217,348      cycles
      	<not supported>      ref-cycles
      
      The problem is that in filter_events() there is an assumption
      that the argument (attrs) is organized in increasing continuous
      event indexes related to the event_map(). But if we remove the
      non-supported events by shifing the position in the array, then
      the lookup x86_pmu.event_map() needs to compensate for it, otherwise
      we are looking up the wrong index. This patch corrects this problem
      by compensating for the deleted events and with that ref-cycles
      reappears (here shown on Haswell):
      
      	$ perf stat -e ref-cycles,cycles true
      	Performance counter stats for 'true':
               4,525,910      ref-cycles
               1,064,920      cycles
             0.002943888 seconds time elapsed
      Signed-off-by: default avatarStephane Eranian <eranian@google.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: jolsa@kernel.org
      Cc: kan.liang@intel.com
      Fixes: 8300daa2 ("perf/x86: Filter out undefined events from sysfs events attribute")
      Link: http://lkml.kernel.org/r/1449516805-6637-1-git-send-email-eranian@google.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6342a172
    • Vegard Nossum's avatar
      kconfig: return 'false' instead of 'no' in bool function · 684b9df4
      Vegard Nossum authored
      commit aab24a89 upstream.
      
      menu_is_visible() is a bool function and should use boolean return
      values. "no" is a tristate value which happens to also have a value
      of 0, but we should nevertheless use the right symbol for it.
      
      This is a very minor cleanup with no semantic change.
      
      Fixes: 86e187ff ("kconfig: add an option to determine a menu's visibility")
      Cc: Arnaud Lacombe <lacombar@gmail.com>
      Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      684b9df4
    • Ani Sinha's avatar
      sysrq: Fix warning in sysrq generated crash. · 3b6dec3f
      Ani Sinha authored
      commit 984cf355 upstream.
      
      Commit 984d74a7 ("sysrq: rcu-ify __handle_sysrq") replaced
      spin_lock_irqsave() calls with rcu_read_lock() calls in sysrq. Since
      rcu_read_lock() does not disable preemption, faulthandler_disabled() in
      __do_page_fault() in x86/fault.c returns false. When the code later calls
      might_sleep() in the pagefault handler, we get the following warning:
      
      BUG: sleeping function called from invalid context at ../arch/x86/mm/fault.c:1187
      in_atomic(): 0, irqs_disabled(): 0, pid: 4706, name: bash
      Preemption disabled at:[<ffffffff81484339>] printk+0x48/0x4a
      
      To fix this, we release the RCU read lock before we crash.
      
      Tested this patch on linux 3.18 by booting off one of our boards.
      
      Fixes: 984d74a7 ("sysrq: rcu-ify __handle_sysrq")
      Signed-off-by: default avatarAni Sinha <ani@arista.com>
      Reviewed-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3b6dec3f
    • Jan Beulich's avatar
      x86/LDT: Print the real LDT base address · 279aba8e
      Jan Beulich authored
      commit 0d430e3f upstream.
      
      This was meant to print base address and entry count; make it do so
      again.
      
      Fixes: 37868fe1 "x86/ldt: Make modify_ldt synchronous"
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
      Link: http://lkml.kernel.org/r/56797D8402000078000C24F0@prv-mh.provo.novell.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      279aba8e
    • Stefan Wahren's avatar
      pinctrl: bcm2835: Fix memory leak in error path · 0bbacb6a
      Stefan Wahren authored
      commit 53653c6b upstream.
      
      In case of an invalid pin value bcm2835_pctl_dt_node_to_map()
      would leak the pull configs of already assigned pins.
      So avoid this by calling the free map function in error case.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: e1b2dc70 ("pinctrl: add bcm2835 driver")
      Reviewed-by: default avatarEric Anholt <eric@anholt.net>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [ luis: backported to 3.16:
        - file rename: drivers/pinctrl/bcm/pinctrl-bcm2835.c ->
          drivers/pinctrl/pinctrl-bcm2835.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0bbacb6a
    • Andy Shevchenko's avatar
      ALSA: fm801: propagate TUNER_ONLY bit when autodetected · 59887677
      Andy Shevchenko authored
      commit dbec6719 upstream.
      
      The commit d7ba858a (ALSA: fm801: implement TEA575x tuner autodetection)
      brings autodetection to the driver. However the autodetection algorithm misses
      the TUNER_ONLY bit if it is supplied by the user.
      
      Thus, user gets weird messages and no card registered.
      
       snd_fm801 0000:0d:01.0: detected TEA575x radio type SF64-PCR
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
      ...
       snd_fm801 0000:0d:01.0: AC'97 0 does not respond - RESET
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
       snd_fm801 0000:0d:01.0: AC'97 0 access is not valid [0x0], removing mixer.
       snd_fm801: probe of 0000:0d:01.0 failed with error -5
      
      Do a copy of TUNER_ONLY bit to be applied after autodetection is done.
      
      Fixes: d7ba858a (ALSA: fm801: implement TEA575x tuner autodetection)
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Ondrej Zary <linux@rainbow-software.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      59887677
    • Boris BREZILLON's avatar
      mtd: nand: remove unused and buggy get_platform_nandchip() helper function · f1b1b603
      Boris BREZILLON authored
      commit 8142b47e upstream.
      
      Nobody uses the get_platform_nandchip() helper function which is supposed
      to return a pointer to a platform_nand_chip struct from an mtd_info
      pointer.
      Moreover, this function is buggy since the introduction of the plat_nand
      layer (chip->priv is now storing a pointer to an intermediate
      plat_nand_data structure allocated in plat_nand_probe(), and we have no
      way to retrieve a pointer to the provided platform_nand_chip struct from
      this plat_nand_data pointer).
      
      While we are at it, remove the useless (and buggy, since it's pointing to
      something stored on the stack) data->chip.priv assignment.
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Fixes: 711fdf62 ("[MTD] [NAND] platform NAND driver: add driver")
      Cc: Vitaly Wool <vitalywool@gmail.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f1b1b603