1. 20 Nov, 2016 40 commits
    • Alex Vesker's avatar
      IB/ipoib: Don't allow MC joins during light MC flush · a289c65c
      Alex Vesker authored
      commit 344bacca upstream.
      
      This fix solves a race between light flush and on the fly joins.
      Light flush doesn't set the device to down and unset IPOIB_OPER_UP
      flag, this means that if while flushing we have a MC join in progress
      and the QP was attached to BC MGID we can have a mismatches when
      re-attaching a QP to the BC MGID.
      
      The light flush would set the broadcast group to NULL causing an on
      the fly join to rejoin and reattach to the BC MCG as well as adding
      the BC MGID to the multicast list. The flush process would later on
      remove the BC MGID and detach it from the QP. On the next flush
      the BC MGID is present in the multicast list but not found when trying
      to detach it because of the previous double attach and single detach.
      
      [18332.714265] ------------[ cut here ]------------
      [18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core]
      ...
      [18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
      [18332.779411]  0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000
      [18332.784960]  0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300
      [18332.790547]  ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280
      [18332.796199] Call Trace:
      [18332.798015]  [<ffffffff813fed47>] dump_stack+0x63/0x8c
      [18332.801831]  [<ffffffff8109add1>] __warn+0xd1/0xf0
      [18332.805403]  [<ffffffff8109aebd>] warn_slowpath_null+0x1d/0x20
      [18332.809706]  [<ffffffffa025d90f>] ib_dealloc_pd+0xff/0x120 [ib_core]
      [18332.814384]  [<ffffffffa04f3d7c>] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib]
      [18332.820031]  [<ffffffffa04ed648>] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib]
      [18332.825220]  [<ffffffffa04e62c8>] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib]
      [18332.830290]  [<ffffffffa04e656f>] ipoib_uninit+0x2f/0x40 [ib_ipoib]
      [18332.834911]  [<ffffffff81772a8a>] rollback_registered_many+0x1aa/0x2c0
      [18332.839741]  [<ffffffff81772bd1>] rollback_registered+0x31/0x40
      [18332.844091]  [<ffffffff81773b18>] unregister_netdevice_queue+0x48/0x80
      [18332.848880]  [<ffffffffa04f489b>] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib]
      [18332.853848]  [<ffffffffa04df1cd>] delete_child+0x7d/0xf0 [ib_ipoib]
      [18332.858474]  [<ffffffff81520c08>] dev_attr_store+0x18/0x30
      [18332.862510]  [<ffffffff8127fe4a>] sysfs_kf_write+0x3a/0x50
      [18332.866349]  [<ffffffff8127f4e0>] kernfs_fop_write+0x120/0x170
      [18332.870471]  [<ffffffff81207198>] __vfs_write+0x28/0xe0
      [18332.874152]  [<ffffffff810e09bf>] ? percpu_down_read+0x1f/0x50
      [18332.878274]  [<ffffffff81208062>] vfs_write+0xa2/0x1a0
      [18332.881896]  [<ffffffff812093a6>] SyS_write+0x46/0xa0
      [18332.885632]  [<ffffffff810039b7>] do_syscall_64+0x57/0xb0
      [18332.889709]  [<ffffffff81883321>] entry_SYSCALL64_slow_path+0x25/0x25
      [18332.894727] ---[ end trace 09ebbe31f831ef17 ]---
      
      Fixes: ee1e2c82 ("IPoIB: Refresh paths instead of flushing them on SM change events")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a289c65c
    • Alan Stern's avatar
      USB: change bInterval default to 10 ms · 0823893b
      Alan Stern authored
      commit 08c5cd37 upstream.
      
      Some full-speed mceusb infrared transceivers contain invalid endpoint
      descriptors for their interrupt endpoints, with bInterval set to 0.
      In the past they have worked out okay with the mceusb driver, because
      the driver sets the bInterval field in the descriptor to 1,
      overwriting whatever value may have been there before.  However, this
      approach was never sanctioned by the USB core, and in fact it does not
      work with xHCI controllers, because they use the bInterval value that
      was present when the configuration was installed.
      
      Currently usbcore uses 32 ms as the default interval if the value in
      the endpoint descriptor is invalid.  It turns out that these IR
      transceivers don't work properly unless the interval is set to 10 ms
      or below.  To work around this mceusb problem, this patch changes the
      endpoint-descriptor parsing routine, making the default interval value
      be 10 ms rather than 32 ms.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Tested-by: default avatarWade Berrier <wberrier@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0823893b
    • Al Viro's avatar
      avr32: fix copy_from_user() · 2932d541
      Al Viro authored
      commit 8630c322 upstream.
      
      really ugly, but apparently avr32 compilers turns access_ok() into
      something so bad that they want it in assembler.  Left that way,
      zeroing added in inline wrapper.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2932d541
    • Al Viro's avatar
      microblaze: fix __get_user() · e17dc9d3
      Al Viro authored
      commit e98b9e37 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e17dc9d3
    • Al Viro's avatar
      microblaze: fix copy_from_user() · f5f944fb
      Al Viro authored
      commit d0cf3851 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f5f944fb
    • Al Viro's avatar
      m32r: fix __get_user() · f69350b2
      Al Viro authored
      commit c90a3bc5 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f69350b2
    • Al Viro's avatar
      blackfin: fix copy_from_user() · e61ab394
      Al Viro authored
      commit 8f035983 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e61ab394
    • Al Viro's avatar
      sparc32: fix copy_from_user() · e258d340
      Al Viro authored
      commit 917400ce upstream.
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e258d340
    • Al Viro's avatar
      sh: fix copy_from_user() · 6089b5ee
      Al Viro authored
      commit 6e050503 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6089b5ee
    • Al Viro's avatar
      sh64: failing __get_user() should zero · 264a0351
      Al Viro authored
      commit c6852389 upstream.
      
      It could be done in exception-handling bits in __get_user_b() et.al.,
      but the surgery involved would take more knowledge of sh64 details
      than I have or _want_ to have.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      264a0351
    • Al Viro's avatar
      score: fix copy_from_user() and friends · b33c94f2
      Al Viro authored
      commit b615e3c7 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b33c94f2
    • Al Viro's avatar
      score: fix __get_user/get_user · 15bf8ad3
      Al Viro authored
      commit c2f18fa4 upstream.
      
      * should zero on any failure
      * __get_user() should use __copy_from_user(), not copy_from_user()
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      15bf8ad3
    • Al Viro's avatar
      s390: get_user() should zero on failure · f806d6ef
      Al Viro authored
      commit fd2d2b19 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f806d6ef
    • Al Viro's avatar
      ppc32: fix copy_from_user() · 040793b4
      Al Viro authored
      commit 22426465 upstream.
      
      should clear on access_ok() failures.  Also remove the useless
      range truncation logics.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: no calls to check_object_size()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      040793b4
    • Al Viro's avatar
      parisc: fix copy_from_user() · 843b3708
      Al Viro authored
      commit aace880f upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      843b3708
    • Al Viro's avatar
      openrisc: fix copy_from_user() · 6882b9a5
      Al Viro authored
      commit acb2505d upstream.
      
      ... that should zero on faults.  Also remove the <censored> helpful
      logics wrt range truncation copied from ppc32.  Where it had ever
      been needed only in case of copy_from_user() *and* had not been merged
      into the mainline until a month after the need had disappeared.
      A decade before openrisc went into mainline, I might add...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6882b9a5
    • Al Viro's avatar
      mn10300: copy_from_user() should zero on access_ok() failure... · 3229d77d
      Al Viro authored
      commit ae7cc577 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: include <linux/string.h> to get declaration of memset()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3229d77d
    • Al Viro's avatar
      mn10300: failing __get_user() and get_user() should zero · 237ea27c
      Al Viro authored
      commit 43403eab upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      237ea27c
    • Al Viro's avatar
      ia64: copy_from_user() should zero the destination on access_ok() failure · 62388007
      Al Viro authored
      commit a5e541f7 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: no calls to check_object_size()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      62388007
    • Al Viro's avatar
      hexagon: fix strncpy_from_user() error return · d848857e
      Al Viro authored
      commit f35c1e06 upstream.
      
      It's -EFAULT, not -1 (and contrary to the comment in there,
      __strnlen_user() can return 0 - on faults).
      Acked-by: default avatarRichard Kuo <rkuo@codeaurora.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d848857e
    • Al Viro's avatar
      frv: fix clear_user() · fd435487
      Al Viro authored
      commit 3b8767a8 upstream.
      
      It should check access_ok().  Otherwise a bunch of places turn into
      trivially exploitable rootholes.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fd435487
    • Al Viro's avatar
      cris: buggered copy_from_user/copy_to_user/clear_user · a1599d81
      Al Viro authored
      commit eb47e029 upstream.
      
      * copy_from_user() on access_ok() failure ought to zero the destination
      * none of those primitives should skip the access_ok() check in case of
      small constant size.
      Acked-by: default avatarJesper Nilsson <jesper.nilsson@axis.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a1599d81
    • Al Viro's avatar
      asm-generic: make get_user() clear the destination on errors · 33734b78
      Al Viro authored
      commit 9ad18b75 upstream.
      
      both for access_ok() failures and for faults halfway through
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      33734b78
    • Herbert Xu's avatar
      crypto: skcipher - Fix blkcipher walk OOM crash · 87f3c895
      Herbert Xu authored
      commit acdb04d0 upstream.
      
      When we need to allocate a temporary blkcipher_walk_next and it
      fails, the code is supposed to take the slow path of processing
      the data block by block.  However, due to an unrelated change
      we instead end up dereferencing the NULL pointer.
      
      This patch fixes it by moving the unrelated bsize setting out
      of the way so that we enter the slow path as inteded.
      
      Fixes: 7607bd8f ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
      Reported-by: default avatarxiakaixu <xiakaixu@huawei.com>
      Reported-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Tested-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      [bwh: Backported to 3.2: s/walk_blocksize/blocksize/]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      87f3c895
    • Russell King's avatar
      ARM: sa1111: fix pcmcia suspend/resume · b9590db4
      Russell King authored
      commit 06dfe5cc upstream.
      
      SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for
      the PCMCIA socket class.  PCMCIA used to handle suspend/resume via the
      socket hosting device, which happened at normal device suspend/resume
      time.
      
      However, the referenced commit changed this: much of the resume now
      happens much earlier, in the noirq resume handler of dev_pm_ops.
      
      However, on SA1111, the PCMCIA device is not accessible as the SA1111
      has not been resumed at _noirq time.  It's slightly worse than that,
      because the SA1111 has already been put to sleep at _noirq time, so
      suspend doesn't work properly.
      
      Fix this by converting the core SA1111 code to use dev_pm_ops as well,
      and performing its own suspend/resume at noirq time.
      
      This fixes these errors in the kernel log:
      
      pcmcia_socket pcmcia_socket0: time out after reset
      pcmcia_socket pcmcia_socket1: time out after reset
      
      and the resulting lack of PCMCIA cards after a S2RAM cycle.
      
      Fixes: d7646f76 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b9590db4
    • Trond Myklebust's avatar
      NFSv4.1: Fix the CREATE_SESSION slot number accounting · f20eed46
      Trond Myklebust authored
      commit b519d408 upstream.
      
      Ensure that we conform to the algorithm described in RFC5661, section
      18.36.4 for when to bump the sequence id. In essence we do it for all
      cases except when the RPC call timed out, or in case of the server returning
      NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID.
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      [bwh: Backported to 3.2:
       - Add the 'out' label
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f20eed46
    • Karl Beldan's avatar
      mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl · acf46003
      Karl Beldan authored
      commit f6d7c1b5 upstream.
      
      This fixes subpage writes when using 4-bit HW ECC.
      
      There has been numerous reports about ECC errors with devices using this
      driver for a while.  Also the 4-bit ECC has been reported as broken with
      subpages in [1] and with 16 bits NANDs in the driver and in mach* board
      files both in mainline and in the vendor BSPs.
      
      What I saw with 4-bit ECC on a 16bits NAND (on an LCDK) which got me to
      try reinitializing the ECC engine:
      - R/W on whole pages properly generates/checks RS code
      - try writing the 1st subpage only of a blank page, the subpage is well
        written and the RS code properly generated, re-reading the same page
        the HW detects some ECC error, reading the same page again no ECC
        error is detected
      
      Note that the ECC engine is already reinitialized in the 1-bit case.
      
      Tested on my LCDK with UBI+UBIFS using subpages.
      This could potentially get rid of the issue workarounded in [1].
      
      [1] 28c015a9 ("mtd: davinci-nand: disable subpage write for keystone-nand")
      
      Fixes: 6a4123e5 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage")
      Signed-off-by: default avatarKarl Beldan <kbeldan@baylibre.com>
      Acked-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      acf46003
    • Al Viro's avatar
      asm-generic: make copy_from_user() zero the destination properly · 263fd98a
      Al Viro authored
      commit 2545e5da upstream.
      
      ... in all cases, including the failing access_ok()
      
      Note that some architectures using asm-generic/uaccess.h have
      __copy_from_user() not zeroing the tail on failure halfway
      through.  This variant works either way.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      263fd98a
    • Al Viro's avatar
      alpha: fix copy_from_user() · 536e7d5e
      Al Viro authored
      commit 2561d309 upstream.
      
      it should clear the destination even when access_ok() fails.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      536e7d5e
    • Mathias Krause's avatar
      xfrm_user: propagate sec ctx allocation errors · 02945b7d
      Mathias Krause authored
      commit 2f30ea50 upstream.
      
      When we fail to attach the security context in xfrm_state_construct()
      we'll return 0 as error value which, in turn, will wrongly claim success
      to userland when, in fact, we won't be adding / updating the XFRM state.
      
      This is a regression introduced by commit fd21150a ("[XFRM] netlink:
      Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()").
      
      Fix it by propagating the error returned by security_xfrm_state_alloc()
      in this case.
      
      Fixes: fd21150a ("[XFRM] netlink: Inline attach_encap_tmpl()...")
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      02945b7d
    • Takashi Iwai's avatar
      ALSA: rawmidi: Fix possible deadlock with virmidi registration · 18d403ac
      Takashi Iwai authored
      commit 816f318b upstream.
      
      When a seq-virmidi driver is initialized, it registers a rawmidi
      instance with its callback to create an associated seq kernel client.
      Currently it's done throughly in rawmidi's register_mutex context.
      Recently it was found that this may lead to a deadlock another rawmidi
      device that is being attached with the sequencer is accessed, as both
      open with the same register_mutex.  This was actually triggered by
      syzkaller, as Dmitry Vyukov reported:
      
      ======================================================
       [ INFO: possible circular locking dependency detected ]
       4.8.0-rc1+ #11 Not tainted
       -------------------------------------------------------
       syz-executor/7154 is trying to acquire lock:
        (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
      
       but task is already holding lock:
        (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
      
       which lock already depends on the new lock.
      
       the existing dependency chain (in reverse order) is:
      
       -> #1 (&grp->list_mutex){++++.+}:
          [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
          [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
          [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
          [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
          [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
          [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
          [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
          [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
          [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
          [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
          [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
          [<     inline     >] __snd_device_register sound/core/device.c:162
          [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
          [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
          [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
          [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
          ......
      
       -> #0 (register_mutex#5){+.+.+.}:
          [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
          [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
          [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
          [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
          [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
          [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
          [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
          [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
          [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
          [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
          [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
          [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
          [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
          [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
          [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
          [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
          [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
          [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
          [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
          [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
          ......
      
       other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(&grp->list_mutex);
                                      lock(register_mutex#5);
                                      lock(&grp->list_mutex);
         lock(register_mutex#5);
      
       *** DEADLOCK ***
      ======================================================
      
      The fix is to simply move the registration parts in
      snd_rawmidi_dev_register() to the outside of the register_mutex lock.
      The lock is needed only to manage the linked list, and it's not
      necessarily to cover the whole initialization process.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      18d403ac
    • Takashi Iwai's avatar
      ALSA: timer: Fix zero-division by continue of uninitialized instance · cf1533f9
      Takashi Iwai authored
      commit 9f8a7658 upstream.
      
      When a user timer instance is continued without the explicit start
      beforehand, the system gets eventually zero-division error like:
      
        divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
        CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         task: ffff88003c9b2280 task.stack: ffff880027280000
         RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
         RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
        Call Trace:
         <IRQ>
         [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
         [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
         [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
         [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
         [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
         [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
         <EOI>
         .....
      
      Although a similar issue was spotted and a fix patch was merged in
      commit [6b760bb2: ALSA: timer: fix division by zero after
      SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
      iceberg.
      
      In this patch, we fix the issue a bit more drastically.  Basically the
      continue of an uninitialized timer is supposed to be a fresh start, so
      we do it for user timers.  For the direct snd_timer_continue() call,
      there is no way to pass the initial tick value, so we kick out for the
      uninitialized case.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2:
       - Adjust context
       - In _snd_timer_stop(), check the value of 'event' instead of 'stop']
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cf1533f9
    • Takashi Iwai's avatar
      ALSA: timer: Code cleanup · 483935fc
      Takashi Iwai authored
      commit c3b16813 upstream.
      
      This is a minor code cleanup without any functional changes:
      - Kill keep_flag argument from _snd_timer_stop(), as all callers pass
        only it false.
      - Remove redundant NULL check in _snd_timer_stop().
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2: adjust to apply after previously backported
       "ALSA: timer: Fix race between stop and interrupt"]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      483935fc
    • Ard Biesheuvel's avatar
      crypto: cryptd - initialize child shash_desc on import · 0a9c9f4c
      Ard Biesheuvel authored
      commit 0bd22235 upstream.
      
      When calling .import() on a cryptd ahash_request, the structure members
      that describe the child transform in the shash_desc need to be initialized
      like they are when calling .init()
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0a9c9f4c
    • Balbir Singh's avatar
      sched/core: Fix a race between try_to_wake_up() and a woken up task · b0f819c3
      Balbir Singh authored
      commit 135e8c92 upstream.
      
      The origin of the issue I've seen is related to
      a missing memory barrier between check for task->state and
      the check for task->on_rq.
      
      The task being woken up is already awake from a schedule()
      and is doing the following:
      
      	do {
      		schedule()
      		set_current_state(TASK_(UN)INTERRUPTIBLE);
      	} while (!cond);
      
      The waker, actually gets stuck doing the following in
      try_to_wake_up():
      
      	while (p->on_cpu)
      		cpu_relax();
      
      Analysis:
      
      The instance I've seen involves the following race:
      
       CPU1					CPU2
      
       while () {
         if (cond)
           break;
         do {
           schedule();
           set_current_state(TASK_UN..)
         } while (!cond);
      					wakeup_routine()
      					  spin_lock_irqsave(wait_lock)
         raw_spin_lock_irqsave(wait_lock)	  wake_up_process()
       }					  try_to_wake_up()
       set_current_state(TASK_RUNNING);	  ..
       list_del(&waiter.list);
      
      CPU2 wakes up CPU1, but before it can get the wait_lock and set
      current state to TASK_RUNNING the following occurs:
      
       CPU3
       wakeup_routine()
       raw_spin_lock_irqsave(wait_lock)
       if (!list_empty)
         wake_up_process()
         try_to_wake_up()
         raw_spin_lock_irqsave(p->pi_lock)
         ..
         if (p->on_rq && ttwu_wakeup())
         ..
         while (p->on_cpu)
           cpu_relax()
         ..
      
      CPU3 tries to wake up the task on CPU1 again since it finds
      it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
      after CPU2, CPU3 got it.
      
      CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
      the task is spinning on the wait_lock. Interestingly since p->on_rq
      is checked under pi_lock, I've noticed that try_to_wake_up() finds
      p->on_rq to be 0. This was the most confusing bit of the analysis,
      but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
      check is not reliable without this fix IMHO. The race is visible
      (based on the analysis) only when ttwu_queue() does a remote wakeup
      via ttwu_queue_remote. In which case the p->on_rq change is not
      done uder the pi_lock.
      
      The result is that after a while the entire system locks up on
      the raw_spin_irqlock_save(wait_lock) and the holder spins infintely
      
      Reproduction of the issue:
      
      The issue can be reproduced after a long run on my system with 80
      threads and having to tweak available memory to very low and running
      memory stress-ng mmapfork test. It usually takes a long time to
      reproduce. I am trying to work on a test case that can reproduce
      the issue faster, but thats work in progress. I am still testing the
      changes on my still in a loop and the tests seem OK thus far.
      
      Big thanks to Benjamin and Nick for helping debug this as well.
      Ben helped catch the missing barrier, Nick caught every missing
      bit in my theory.
      Signed-off-by: default avatarBalbir Singh <bsingharora@gmail.com>
      [ Updated comment to clarify matching barriers. Many
        architectures do not have a full barrier in switch_to()
        so that cannot be relied upon. ]
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b0f819c3
    • Linus Walleij's avatar
      iio: accel: kxsd9: Fix scaling bug · adce3b19
      Linus Walleij authored
      commit 307fe9dd upstream.
      
      All the scaling of the KXSD9 involves multiplication with a
      fraction number < 1.
      
      However the scaling value returned from IIO_INFO_SCALE was
      unpredictable as only the micros of the value was assigned, and
      not the integer part, resulting in scaling like this:
      
      $cat in_accel_scale
      -1057462640.011978
      
      Fix this by assigning zero to the integer part.
      Tested-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      adce3b19
    • Erez Shitrit's avatar
      IB/ipoib: Fix memory corruption in ipoib cm mode connect flow · 8391d896
      Erez Shitrit authored
      commit 546481c2 upstream.
      
      When a new CM connection is being requested, ipoib driver copies data
      from the path pointer in the CM/tx object, the path object might be
      invalid at the point and memory corruption will happened later when now
      the CM driver will try using that data.
      
      The next scenario demonstrates it:
      	neigh_add_path --> ipoib_cm_create_tx -->
      	queue_work (pointer to path is in the cm/tx struct)
      	#while the work is still in the queue,
      	#the port goes down and causes the ipoib_flush_paths:
      	ipoib_flush_paths --> path_free --> kfree(path)
      	#at this point the work scheduled starts.
      	ipoib_cm_tx_start --> copy from the (invalid)path pointer:
      	(memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
      	 -> memory corruption.
      
      To fix that the driver now starts the CM/tx connection only if that
      specific path exists in the general paths database.
      This check is protected with the relevant locks, and uses the gid from
      the neigh member in the CM/tx object which is valid according to the ref
      count that was taken by the CM/tx.
      
      Fixes: 839fcaba ('IPoIB: Connected mode experimental support')
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      [bwh: Backported to 3.2: s/neigh->daddr/neigh->neighbour->ha/]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8391d896
    • Erez Shitrit's avatar
      IB/core: Fix use after free in send_leave function · 59079b3f
      Erez Shitrit authored
      commit 68c6bcdd upstream.
      
      The function send_leave sets the member: group->query_id
      (group->query_id = ret) after calling the sa_query, but leave_handler
      can be executed before the setting and it might delete the group object,
      and will get a memory corruption.
      
      Additionally, this patch gets rid of group->query_id variable which is
      not used.
      
      Fixes: faec2f7b ('IB/sa: Track multicast join/leave requests')
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      59079b3f
    • Steven Rostedt's avatar
      x86/paravirt: Do not trace _paravirt_ident_*() functions · 51017990
      Steven Rostedt authored
      commit 15301a57 upstream.
      
      Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up
      after enabling function tracer. I asked him to bisect the functions within
      available_filter_functions, which he did and it came down to three:
      
        _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()
      
      It was found that this is only an issue when noreplace-paravirt is added
      to the kernel command line.
      
      This means that those functions are most likely called within critical
      sections of the funtion tracer, and must not be traced.
      
      In newer kenels _paravirt_nop() is defined within gcc asm(), and is no
      longer an issue.  But both _paravirt_ident_{32,64}() causes the
      following splat when they are traced:
      
       mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
       mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
       mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
       mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
       NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
       Modules linked in: e1000e
       CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
       Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
       task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
       RIP: 0010:[<ffffffff81134148>]  [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
       RSP: 0018:ffff8800d4aefb90  EFLAGS: 00000246
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
       RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
       RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
       R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
       R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
       FS:  00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
       Call Trace:
         _raw_spin_lock+0x27/0x30
         handle_pte_fault+0x13db/0x16b0
         handle_mm_fault+0x312/0x670
         __do_page_fault+0x1b1/0x4e0
         do_page_fault+0x22/0x30
         page_fault+0x28/0x30
         __vfs_read+0x28/0xe0
         vfs_read+0x86/0x130
         SyS_read+0x46/0xa0
         entry_SYSCALL_64_fastpath+0x1e/0xa8
       Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b
      Reported-by: default avatarŁukasz Daniluk <lukasz.daniluk@intel.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51017990
    • Vegard Nossum's avatar
      ALSA: timer: fix NULL pointer dereference in read()/ioctl() race · 4e8918d9
      Vegard Nossum authored
      commit 11749e08 upstream.
      
      I got this with syzkaller:
      
          ==================================================================
          BUG: KASAN: null-ptr-deref on address 0000000000000020
          Read of size 32 by task syz-executor/22519
          CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2
          014
           0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
           ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
           ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
          Call Trace:
           [<ffffffff81f9f141>] dump_stack+0x83/0xb2
           [<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
           [<ffffffff8161ff74>] kasan_report+0x34/0x40
           [<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
           [<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
           [<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
           [<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
           [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
           [<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
           [<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
           [<ffffffff8127c278>] ? do_group_exit+0x108/0x330
           [<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
           [<ffffffff81674dfe>] __vfs_read+0x10e/0x550
           [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
           [<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
           [<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
           [<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
           [<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
           [<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
           [<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
           [<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
           [<ffffffff81675355>] vfs_read+0x115/0x330
           [<ffffffff81676371>] SyS_read+0xd1/0x1a0
           [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
           [<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
           [<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
           [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
           [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
           [<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
           [<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
          ==================================================================
      
      There are a couple of problems that I can see:
      
       - ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
         tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
         would get a NULL pointer dereference like the above splat
      
       - the same ioctl() can free tu->queue/to->tqueue which means read()
         could potentially see (and dereference) the freed pointer
      
      We can fix both by taking the ioctl_lock mutex when dereferencing
      ->queue/->tqueue, since that's always held over all the ioctl() code.
      
      Just looking at the code I find it likely that there are more problems
      here such as tu->qhead pointing outside the buffer if the size is
      changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4e8918d9