1. 11 Jul, 2018 24 commits
  2. 03 Jul, 2018 16 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.139 · 16af0986
      Greg Kroah-Hartman authored
      16af0986
    • Szymon Janc's avatar
      Bluetooth: Fix connection if directed advertising and privacy is used · 679bd362
      Szymon Janc authored
      commit 082f2300 upstream.
      
      Local random address needs to be updated before creating connection if
      RPA from LE Direct Advertising Report was resolved in host. Otherwise
      remote device might ignore connection request due to address mismatch.
      
      This was affecting following qualification test cases:
      GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C
      
      Before patch:
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6          #11350 [hci0] 84680.231216
              Address: 56:BC:E8:24:11:68 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                        #11351 [hci0] 84680.246022
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7         #11352 [hci0] 84680.246417
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                        #11353 [hci0] 84680.248854
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11354 [hci0] 84680.249466
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                        #11355 [hci0] 84680.253222
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                          #11356 [hci0] 84680.458387
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
              RSSI: -74 dBm (0xb6)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11357 [hci0] 84680.458737
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                        #11358 [hci0] 84680.469982
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25          #11359 [hci0] 84680.470444
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                          #11360 [hci0] 84680.474971
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0    #11361 [hci0] 84682.545385
      > HCI Event: Command Complete (0x0e) plen 4                        #11362 [hci0] 84682.551014
            LE Create Connection Cancel (0x08|0x000e) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                          #11363 [hci0] 84682.551074
            LE Connection Complete (0x01)
              Status: Unknown Connection Identifier (0x02)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Public (0x00)
              Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
              Connection interval: 0.00 msec (0x0000)
              Connection latency: 0 (0x0000)
              Supervision timeout: 0 msec (0x0000)
              Master clock accuracy: 0x00
      
      After patch:
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7    #210 [hci0] 667.152459
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                   #211 [hci0] 667.153613
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2        #212 [hci0] 667.153704
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                   #213 [hci0] 667.154584
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                     #214 [hci0] 667.182619
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
              RSSI: -70 dBm (0xba)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2       #215 [hci0] 667.182704
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                  #216 [hci0] 667.183599
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6    #217 [hci0] 667.183645
              Address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                  #218 [hci0] 667.184590
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25    #219 [hci0] 667.184613
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                    #220 [hci0] 667.186558
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                    #221 [hci0] 667.485824
            LE Connection Complete (0x01)
              Status: Success (0x00)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Master clock accuracy: 0x07
      @ MGMT Event: Device Connected (0x000b) plen 13          {0x0002} [hci0] 667.485996
              LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
              Flags: 0x00000000
              Data length: 0
      Signed-off-by: default avatarSzymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      679bd362
    • Bjørn Mork's avatar
      cdc_ncm: avoid padding beyond end of skb · 9d4c1d93
      Bjørn Mork authored
      commit 49c2c3f2 upstream.
      
      Commit 4a0e3e98 ("cdc_ncm: Add support for moving NDP to end
      of NCM frame") added logic to reserve space for the NDP at the
      end of the NTB/skb.  This reservation did not take the final
      alignment of the NDP into account, causing us to reserve too
      little space. Additionally the padding prior to NDP addition did
      not ensure there was enough space for the NDP.
      
      The NTB/skb with the NDP appended would then exceed the configured
      max size. This caused the final padding of the NTB to use a
      negative count, padding to almost INT_MAX, and resulting in:
      
      [60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
      [60103.825998] IP: __memset+0x24/0x30
      [60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
      [60103.826013] Oops: 0002 [#1] SMP NOPTI
      [60103.826018] Modules linked in: (removed(
      [60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
      [60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
      [60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
      [60103.826171] RIP: 0010:__memset+0x24/0x30
      [60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
      [60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
      [60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
      [60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
      [60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
      [60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
      [60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
      [60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
      [60103.826204] Call Trace:
      [60103.826212]  <IRQ>
      [60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
      [60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
      [60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
      [60103.826254]  ? netif_skb_features+0x119/0x250
      [60103.826259]  dev_hard_start_xmit+0xa1/0x200
      [60103.826267]  sch_direct_xmit+0xf2/0x1b0
      [60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
      [60103.826280]  ? ip_finish_output2+0x263/0x3c0
      [60103.826284]  ip_finish_output2+0x263/0x3c0
      [60103.826289]  ? ip_output+0x6c/0xe0
      [60103.826293]  ip_output+0x6c/0xe0
      [60103.826298]  ? ip_forward_options+0x1a0/0x1a0
      [60103.826303]  tcp_transmit_skb+0x516/0x9b0
      [60103.826309]  tcp_write_xmit+0x1aa/0xee0
      [60103.826313]  ? sch_direct_xmit+0x71/0x1b0
      [60103.826318]  tcp_tasklet_func+0x177/0x180
      [60103.826325]  tasklet_action+0x5f/0x110
      [60103.826332]  __do_softirq+0xde/0x2b3
      [60103.826337]  irq_exit+0xae/0xb0
      [60103.826342]  do_IRQ+0x81/0xd0
      [60103.826347]  common_interrupt+0x98/0x98
      [60103.826351]  </IRQ>
      [60103.826355] RIP: 0033:0x7f397bdf2282
      [60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
      [60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
      [60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
      [60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
      [60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
      [60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
      [60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
      e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
      ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
      [60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
      [60103.826444] CR2: ffff9641f2004000
      
      Commit e1069bbf ("net: cdc_ncm: Reduce memory use when kernel
      memory low") made this bug much more likely to trigger by reducing
      the NTB size under memory pressure.
      
      Link: https://bugs.debian.org/893393Reported-by: default avatarГорбешко Богдан <bodqhrohro@gmail.com>
      Reported-and-tested-by: default avatarDennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: Enrico Mioso <mrkiko.rs@gmail.com>
      Fixes: 4a0e3e98 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
      [ bmork:  tx_curr_size => tx_max and context fixup for v4.12 and older ]
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d4c1d93
    • Mike Snitzer's avatar
      dm thin: handle running out of data space vs concurrent discard · 052ef26b
      Mike Snitzer authored
      commit a685557f upstream.
      
      Discards issued to a DM thin device can complete to userspace (via
      fstrim) _before_ the metadata changes associated with the discards is
      reflected in the thinp superblock (e.g. free blocks).  As such, if a
      user constructs a test that loops repeatedly over these steps, block
      allocation can fail due to discards not having completed yet:
      1) fill thin device via filesystem file
      2) remove file
      3) fstrim
      
      From initial report, here:
      https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html
      
      "The root cause of this issue is that dm-thin will first remove
      mapping and increase corresponding blocks' reference count to prevent
      them from being reused before DISCARD bios get processed by the
      underlying layers. However. increasing blocks' reference count could
      also increase the nr_allocated_this_transaction in struct sm_disk
      which makes smd->old_ll.nr_allocated +
      smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
      In this case, alloc_data_block() will never commit metadata to reset
      the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
      always return an underflow value."
      
      While there is room for improvement to the space-map accounting that
      thinp is making use of: the reality is this test is inherently racey and
      will result in the previous iteration's fstrim's discard(s) completing
      vs concurrent block allocation, via dd, in the next iteration of the
      loop.
      
      No amount of space map accounting improvements will be able to allow
      user's to use a block before a discard of that block has completed.
      
      So the best we can really do is allow DM thinp to gracefully handle such
      aggressive use of all the pool's data by degrading the pool into
      out-of-data-space (OODS) mode.  We _should_ get that behaviour already
      (if space map accounting didn't falsely cause alloc_data_block() to
      believe free space was available).. but short of that we handle the
      current reality that dm_pool_alloc_data_block() can return -ENOSPC.
      Reported-by: default avatarDennis Yang <dennisyang@qnap.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      052ef26b
    • Keith Busch's avatar
      block: Fix transfer when chunk sectors exceeds max · a740830e
      Keith Busch authored
      commit 15bfd21f upstream.
      
      A device may have boundary restrictions where the number of sectors
      between boundaries exceeds its max transfer size. In this case, we need
      to cap the max size to the smaller of the two limits.
      Reported-by: default avatarJitendra Bhivare <jitendra.bhivare@broadcom.com>
      Tested-by: default avatarJitendra Bhivare <jitendra.bhivare@broadcom.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarKeith Busch <keith.busch@intel.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a740830e
    • Maxime Chevallier's avatar
      spi: Fix scatterlist elements size in spi_map_buf · 9b46e5e9
      Maxime Chevallier authored
      commit ce99319a upstream.
      
      When SPI transfers can be offloaded using DMA, the SPI core need to
      build a scatterlist to make sure that the buffer to be transferred is
      dma-able.
      
      This patch fixes the scatterlist entry size computation in the case
      where the maximum acceptable scatterlist entry supported by the DMA
      controller is less than PAGE_SIZE, when the buffer is vmalloced.
      
      For each entry, the actual size is given by the minimum between the
      desc_len (which is the max buffer size supported by the DMA controller)
      and the remaining buffer length until we cross a page boundary.
      
      Fixes: 65598c13 ("spi: Fix per-page mapping of unaligned vmalloc-ed buffer")
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b46e5e9
    • Liu Bo's avatar
      Btrfs: fix unexpected cow in run_delalloc_nocow · 0e1bd020
      Liu Bo authored
      commit 58113753 upstream.
      
      Fstests generic/475 provides a way to fail metadata reads while
      checking if checksum exists for the inode inside run_delalloc_nocow(),
      and csum_exist_in_range() interprets error (-EIO) as inode having
      checksum and makes its caller enter the cow path.
      
      In case of free space inode, this ends up with a warning in
      cow_file_range().
      
      The same problem applies to btrfs_cross_ref_exist() since it may also
      read metadata in between.
      
      With this, run_delalloc_nocow() bails out when errors occur at the two
      places.
      
      cc: <stable@vger.kernel.org> v2.6.28+
      Fixes: 17d217fe ("Btrfs: fix nodatasum handling in balancing code")
      Signed-off-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0e1bd020
    • Takashi Iwai's avatar
      ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 · b69733c8
      Takashi Iwai authored
      commit 275ec0cb upstream.
      
      Fujitsu Seimens ESPRIMO Mobile U9210 requires the same fixup as H270
      for the correct pin configs.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b69733c8
    • ???'s avatar
      Input: elantech - fix V4 report decoding for module with middle key · a3fe277e
      ??? authored
      commit e0ae2519 upstream.
      
      Some touchpad has middle key and it will be indicated in bit 2 of packet[0].
      We need to fix V4 formation's byte mask to prevent error decoding.
      Signed-off-by: default avatarKT Liao <kt.liao@emc.com.tw>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3fe277e
    • Aaron Ma's avatar
      Input: elantech - enable middle button of touchpads on ThinkPad P52 · cbbc4566
      Aaron Ma authored
      commit 24bb555e upstream.
      
      PNPID is better way to identify the type of touchpads.
      Enable middle button support on 2 types of touchpads on Lenovo P52.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cbbc4566
    • Ben Hutchings's avatar
      Input: elan_i2c_smbus - fix more potential stack buffer overflows · defacc88
      Ben Hutchings authored
      commit 50fc7b61 upstream.
      
      Commit 40f7090b ("Input: elan_i2c_smbus - fix corrupted stack")
      fixed most of the functions using i2c_smbus_read_block_data() to
      allocate a buffer with the maximum block size.  However three
      functions were left unchanged:
      
      * In elan_smbus_initialize(), increase the buffer size in the same
        way.
      * In elan_smbus_calibrate_result(), the buffer is provided by the
        caller (calibrate_store()), so introduce a bounce buffer.  Also
        name the result buffer size.
      * In elan_smbus_get_report(), the buffer is provided by the caller
        but happens to be the right length.  Add a compile-time assertion
        to ensure this remains the case.
      
      Cc: <stable@vger.kernel.org> # 3.19+
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      defacc88
    • Jan Kara's avatar
      udf: Detect incorrect directory size · fc98ab45
      Jan Kara authored
      commit fa65653e upstream.
      
      Detect when a directory entry is (possibly partially) beyond directory
      size and return EIO in that case since it means the filesystem is
      corrupted. Otherwise directory operations can further corrupt the
      directory and possibly also oops the kernel.
      
      CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      CC: stable@vger.kernel.org
      Reported-and-tested-by: default avatarAnatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc98ab45
    • Boris Ostrovsky's avatar
      xen: Remove unnecessary BUG_ON from __unbind_from_irq() · 009aa1cd
      Boris Ostrovsky authored
      commit eef04c7b upstream.
      
      Commit 910f8bef ("xen/pirq: fix error path cleanup when binding
      MSIs") fixed a couple of errors in error cleanup path of
      xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
      __unbind_from_irq() with an unbound irq, which would result in
      triggering the BUG_ON there.
      
      Since there is really no reason for the BUG_ON (xen_free_irq() can
      operate on unbound irqs) we can remove it.
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      009aa1cd
    • Alexandr Savca's avatar
      Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID · 53e877f2
      Alexandr Savca authored
      commit 8938fc7b upstream.
      
      Add ELAN0618 to the list of supported touchpads; this ID is used in
      Lenovo v330 15IKB devices.
      Signed-off-by: default avatarAlexandr Savca <alexandr.savca@saltedge.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53e877f2
    • Kees Cook's avatar
      video: uvesafb: Fix integer overflow in allocation · 842803e4
      Kees Cook authored
      commit 9f645bcc upstream.
      
      cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
      allocation. This uses kmalloc_array() instead to catch the condition.
      Reported-by: default avatarDr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
      Fixes: 8bdb3a2d ("uvesafb: the driver core")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      842803e4
    • Dave Wysochanski's avatar
      NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message · ba195a93
      Dave Wysochanski authored
      commit d6889480 upstream.
      
      In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
      that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
      is a stack char array variable of length NFS_UINT_MAXLEN == 11.
      If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
      overflows into a negative value, for example:
      crash> p (unsigned) (0x80000000)
      $1 = 2147483648
      crash> p (signed) (0x80000000)
      $2 = -2147483648
      The '-' sign is written to the buffer and this causes a 1 byte overflow
      when the NULL byte is written, which corrupts kernel stack memory.  If
      CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:
      
      [11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
      [11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G        W      ------------ T 3.10.0-514.el7.x86_64 #1
      [11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
      [11558053.644462]  ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
      [11558053.646430]  ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
      [11558053.648313]  ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
      [11558053.650107] Call Trace:
      [11558053.651347]  [<ffffffff81685eac>] dump_stack+0x19/0x1b
      [11558053.653013]  [<ffffffff8167f2b3>] panic+0xe3/0x1f2
      [11558053.666240]  [<ffffffff811dcb03>] ? kfree+0x103/0x140
      [11558053.682589]  [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
      [11558053.689710]  [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
      [11558053.691619]  [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
      [11558053.693867]  [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
      [11558053.695763]  [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
      [11558053.702236]  [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
      [11558053.704215]  [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
      [11558053.709674]  [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b
      
      Fix this by calling the internally defined nfs_map_numeric_to_string()
      function which properly uses '%u' to convert this __u32.  For consistency,
      also replace the one other place where snprintf is called.
      Signed-off-by: default avatarDave Wysochanski <dwysocha@redhat.com>
      Reported-by: default avatarStephen Johnston <sjohnsto@redhat.com>
      Fixes: cf4ab538 ("NFSv4: Fix the string length returned by the idmapper")
      Cc: stable@vger.kernel.org # v3.4+
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba195a93