1. 20 Nov, 2016 24 commits
    • Jim Mattson's avatar
      KVM: nVMX: Fix memory corruption when using VMCS shadowing · c8483104
      Jim Mattson authored
      commit 2f1fe811 upstream.
      
      When freeing the nested resources of a vcpu, there is an assumption that
      the vcpu's vmcs01 is the current VMCS on the CPU that executes
      nested_release_vmcs12(). If this assumption is violated, the vcpu's
      vmcs01 may be made active on multiple CPUs at the same time, in
      violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
      not VMCLEARed on every CPU on which it is active, it can linger in a
      CPU's VMCS cache after it has been freed and potentially
      repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
      miss can result in memory corruption.
      
      It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
      the vcpu in question was last loaded on a different CPU, it must be
      migrated to the current CPU before calling vmx_load_vmcs01().
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2: vcpu_load() returns void]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c8483104
    • Paolo Bonzini's avatar
      KVM: nVMX: fix lifetime issues for vmcs02 · bcad1c39
      Paolo Bonzini authored
      commit 4fa7734c upstream.
      
      free_nested needs the loaded_vmcs to be valid if it is a vmcs02, in
      order to detach it from the shadow vmcs.  However, this is not
      available anymore after commit 26a865f4 (KVM: VMX: fix use after
      free of vmx->loaded_vmcs, 2014-01-03).
      
      Revert that patch, and fix its problem by forcing a vmcs01 as the
      active VMCS before freeing all the nested VMX state.
      Reported-by: default avatarWanpeng Li <wanpeng.li@linux.intel.com>
      Tested-by: default avatarWanpeng Li <wanpeng.li@linux.intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bcad1c39
    • Florian Fainelli's avatar
      net: ethoc: Fix early error paths · ac5ec090
      Florian Fainelli authored
      commit 386512d1 upstream.
      
      In case any operation fails before we can successfully go the point
      where we would register a MDIO bus, we would be going to an error label
      which involves unregistering then freeing this yet to be created MDIO
      bus. Update all error paths to go to label free which is the only one
      valid until either the clock is enabled, or the MDIO bus is allocated
      and registered. This fixes kernel oops observed while trying to
      dereference the MDIO bus structure which is not yet allocated.
      
      Fixes: a1702857 ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ac5ec090
    • Dmitry Tunin's avatar
      Bluetooth: Add support of 13d3:3490 AR3012 device · f6c84011
      Dmitry Tunin authored
      commit 12d86896 upstream.
      
      T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
      D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=13d3 ProdID=3490 Rev=00.01
      C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      
      BugLink: https://bugs.launchpad.net/bugs/1600623Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f6c84011
    • Lauro Costa's avatar
      Bluetooth: Add USB ID 13D3:3487 to ath3k · 95ebe060
      Lauro Costa authored
      commit 72f9f8b5 upstream.
      
      Add hw id to ath3k usb device list and btusb blacklist
      
      T:  Bus=01 Lev=01 Prnt=01 Port=08 Cnt=02 Dev#=  4 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3487 Rev=00.02
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      
      Requires these firmwares:
      ar3k/AthrBT_0x11020100.dfu and ar3k/ramps_0x11020100_40.dfu
      Firmwares are available in linux-firmware.
      
      Device found in a laptop ASUS model N552VW. It's an Atheros AR9462 chip.
      Signed-off-by: default avatarLauro Costa <lauro@polilinux.com.br>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      95ebe060
    • Chuck Lever's avatar
      NFS: Don't drop CB requests with invalid principals · 84f51dca
      Chuck Lever authored
      commit a4e187d8 upstream.
      
      Before commit 778be232 ("NFS do not find client in NFSv4
      pg_authenticate"), the Linux callback server replied with
      RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB
      request. Let's restore that behavior so the server has a chance to
      do something useful about it, and provide a warning that helps
      admins correct the problem.
      
      Fixes: 778be232 ("NFS do not find client in NFSv4 ...")
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Tested-by: default avatarSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      84f51dca
    • Chuck Lever's avatar
      svc: Avoid garbage replies when pc_func() returns rpc_drop_reply · 80f69c17
      Chuck Lever authored
      commit 0533b130 upstream.
      
      If an RPC program does not set vs_dispatch and pc_func() returns
      rpc_drop_reply, the server sends a reply anyway containing a single
      word containing the value RPC_DROP_REPLY (in network byte-order, of
      course). This is a nonsense RPC message.
      
      Fixes: 9e701c61 ("svcrpc: simpler request dropping")
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Tested-by: default avatarSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      80f69c17
    • Lukas Wunner's avatar
      x86/quirks: Add early quirk to reset Apple AirPort card · 319c66dd
      Lukas Wunner authored
      commit abb2bafd upstream.
      
      The EFI firmware on Macs contains a full-fledged network stack for
      downloading OS X images from osrecovery.apple.com. Unfortunately
      on Macs introduced 2011 and 2012, EFI brings up the Broadcom 4331
      wireless card on every boot and leaves it enabled even after
      ExitBootServices has been called. The card continues to assert its IRQ
      line, causing spurious interrupts if the IRQ is shared. It also corrupts
      memory by DMAing received packets, allowing for remote code execution
      over the air. This only stops when a driver is loaded for the wireless
      card, which may be never if the driver is not installed or blacklisted.
      
      The issue seems to be constrained to the Broadcom 4331. Chris Milsted
      has verified that the newer Broadcom 4360 built into the MacBookPro11,3
      (2013/2014) does not exhibit this behaviour. The chances that Apple will
      ever supply a firmware fix for the older machines appear to be zero.
      
      The solution is to reset the card on boot by writing to a reset bit in
      its mmio space. This must be done as an early quirk and not as a plain
      vanilla PCI quirk to successfully combat memory corruption by DMAed
      packets: Matthew Garrett found out in 2012 that the packets are written
      to EfiBootServicesData memory (http://mjg59.dreamwidth.org/11235.html).
      This type of memory is made available to the page allocator by
      efi_free_boot_services(). Plain vanilla PCI quirks run much later, in
      subsys initcall level. In-between a time window would be open for memory
      corruption. Random crashes occurring in this time window and attributed
      to DMAed packets have indeed been observed in the wild by Chris
      Bainbridge.
      
      When Matthew Garrett analyzed the memory corruption issue in 2012, he
      sought to fix it with a grub quirk which transitions the card to D3hot:
      http://git.savannah.gnu.org/cgit/grub.git/commit/?id=9d34bb85da56
      
      This approach does not help users with other bootloaders and while it
      may prevent DMAed packets, it does not cure the spurious interrupts
      emanating from the card. Unfortunately the card's mmio space is
      inaccessible in D3hot, so to reset it, we have to undo the effect of
      Matthew's grub patch and transition the card back to D0.
      
      Note that the quirk takes a few shortcuts to reduce the amount of code:
      The size of BAR 0 and the location of the PM capability is identical
      on all affected machines and therefore hardcoded. Only the address of
      BAR 0 differs between models. Also, it is assumed that the BCMA core
      currently mapped is the 802.11 core. The EFI driver seems to always take
      care of this.
      
      Michael Büsch, Bjorn Helgaas and Matt Fleming contributed feedback
      towards finding the best solution to this problem.
      
      The following should be a comprehensive list of affected models:
          iMac13,1        2012  21.5"       [Root Port 00:1c.3 = 8086:1e16]
          iMac13,2        2012  27"         [Root Port 00:1c.3 = 8086:1e16]
          Macmini5,1      2011  i5 2.3 GHz  [Root Port 00:1c.1 = 8086:1c12]
          Macmini5,2      2011  i5 2.5 GHz  [Root Port 00:1c.1 = 8086:1c12]
          Macmini5,3      2011  i7 2.0 GHz  [Root Port 00:1c.1 = 8086:1c12]
          Macmini6,1      2012  i5 2.5 GHz  [Root Port 00:1c.1 = 8086:1e12]
          Macmini6,2      2012  i7 2.3 GHz  [Root Port 00:1c.1 = 8086:1e12]
          MacBookPro8,1   2011  13"         [Root Port 00:1c.1 = 8086:1c12]
          MacBookPro8,2   2011  15"         [Root Port 00:1c.1 = 8086:1c12]
          MacBookPro8,3   2011  17"         [Root Port 00:1c.1 = 8086:1c12]
          MacBookPro9,1   2012  15"         [Root Port 00:1c.1 = 8086:1e12]
          MacBookPro9,2   2012  13"         [Root Port 00:1c.1 = 8086:1e12]
          MacBookPro10,1  2012  15"         [Root Port 00:1c.1 = 8086:1e12]
          MacBookPro10,2  2012  13"         [Root Port 00:1c.1 = 8086:1e12]
      
      For posterity, spurious interrupts caused by the Broadcom 4331 wireless
      card resulted in splats like this (stacktrace omitted):
      
          irq 17: nobody cared (try booting with the "irqpoll" option)
          handlers:
          [<ffffffff81374370>] pcie_isr
          [<ffffffffc0704550>] sdhci_irq [sdhci] threaded [<ffffffffc07013c0>] sdhci_thread_irq [sdhci]
          [<ffffffffc0a0b960>] azx_interrupt [snd_hda_codec]
          Disabling IRQ #17
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=79301
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111781
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=728916
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=895951#c16
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1009819
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1098621
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1149632#c5
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1279130
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1332732
      Tested-by: Konstantin Simanov <k.simanov@stlk.ru>        # [MacBookPro8,1]
      Tested-by: Lukas Wunner <lukas@wunner.de>                # [MacBookPro9,1]
      Tested-by: Bryan Paradis <bryan.paradis@gmail.com>       # [MacBookPro9,2]
      Tested-by: Andrew Worsley <amworsley@gmail.com>          # [MacBookPro10,1]
      Tested-by: Chris Bainbridge <chris.bainbridge@gmail.com> # [MacBookPro10,2]
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Acked-by: default avatarRafał Miłecki <zajec5@gmail.com>
      Acked-by: default avatarMatt Fleming <matt@codeblueprint.co.uk>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Chris Milsted <cmilsted@redhat.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matthew Garrett <mjg59@srcf.ucam.org>
      Cc: Michael Buesch <m@bues.ch>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: b43-dev@lists.infradead.org
      Cc: linux-pci@vger.kernel.org
      Cc: linux-wireless@vger.kernel.org
      Link: http://lkml.kernel.org/r/48d0972ac82a53d460e5fce77a07b2560db95203.1465690253.git.lukas@wunner.de
      [ Did minor readability edits. ]
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.2:
       - early_ioremap() is declared in <asm/io.h> not <asm/early_ioremap.h>
       - Add definition of BCMA_RESET_ST
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      319c66dd
    • Lukas Wunner's avatar
      x86/quirks: Reintroduce scanning of secondary buses · 46278ae5
      Lukas Wunner authored
      commit 850c3210 upstream.
      
      We used to scan secondary buses until the following commit that
      was applied in 2009:
      
        8659c406 ("x86: only scan the root bus in early PCI quirks")
      
      which commit constrained early quirks to the root bus only. Its
      motivation was to prevent application of the nvidia_bugs quirk
      on secondary buses.
      
      We're about to add a quirk to reset the Broadcom 4331 wireless card on
      2011/2012 Macs, which is located on a secondary bus behind a PCIe root
      port. To facilitate that, reintroduce scanning of secondary buses.
      
      The commit message of 8659c406 notes that scanning only the root bus
      "saves quite some unnecessary scanning work". The algorithm used prior
      to 8659c406 was particularly time consuming because it scanned
      buses 0 to 31 brute force. To avoid lengthening boot time, employ a
      recursive strategy which only scans buses that are actually reachable
      from the root bus.
      
      Yinghai Lu pointed out that the secondary bus number read from a
      bridge's config space may be invalid, in particular a value of 0 would
      cause an infinite loop. The PCI core goes beyond that and recurses to a
      child bus only if its bus number is greater than the parent bus number
      (see pci_scan_bridge()). Since the root bus is numbered 0, this implies
      that secondary buses may not be 0. Do the same on early scanning.
      
      If this algorithm is found to significantly impact boot time or cause
      infinite loops on broken hardware, it would be possible to limit its
      recursion depth: The Broadcom 4331 quirk applies at depth 1, all others
      at depth 0, so the bus need not be scanned deeper than that for now. An
      alternative approach would be to revert to scanning only the root bus,
      and apply the Broadcom 4331 quirk to the root ports 8086:1c12, 8086:1e12
      and 8086:1e16. Apple always positioned the card behind either of these
      three ports. The quirk would then check presence of the card in slot 0
      below the root port and do its deed.
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: linux-pci@vger.kernel.org
      Link: http://lkml.kernel.org/r/f0daa70dac1a9b2483abdb31887173eb6ab77bdf.1465690253.git.lukas@wunner.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      46278ae5
    • Lukas Wunner's avatar
      x86/quirks: Apply nvidia_bugs quirk only on root bus · c5ca328c
      Lukas Wunner authored
      commit 447d29d1 upstream.
      
      Since the following commit:
      
        8659c406 ("x86: only scan the root bus in early PCI quirks")
      
      ... early quirks are only applied to devices on the root bus.
      
      The motivation was to prevent application of the nvidia_bugs quirk on
      secondary buses.
      
      We're about to reintroduce scanning of secondary buses for a quirk to
      reset the Broadcom 4331 wireless card on 2011/2012 Macs. To prevent
      regressions, open code the requirement to apply nvidia_bugs only on the
      root bus.
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Link: http://lkml.kernel.org/r/4d5477c1d76b2f0387a780f2142bbcdd9fee869b.1465690253.git.lukas@wunner.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c5ca328c
    • WANG Cong's avatar
      ppp: defer netns reference release for ppp channel · 5a552196
      WANG Cong authored
      commit 205e1e25 upstream.
      
      Matt reported that we have a NULL pointer dereference
      in ppp_pernet() from ppp_connect_channel(),
      i.e. pch->chan_net is NULL.
      
      This is due to that a parallel ppp_unregister_channel()
      could happen while we are in ppp_connect_channel(), during
      which pch->chan_net set to NULL. Since we need a reference
      to net per channel, it makes sense to sync the refcnt
      with the life time of the channel, therefore we should
      release this reference when we destroy it.
      
      Fixes: 1f461dcd ("ppp: take reference on channels netns")
      Reported-by: default avatarMatt Bennett <Matt.Bennett@alliedtelesis.co.nz>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: linux-ppp@vger.kernel.org
      Cc: Guillaume Nault <g.nault@alphalink.fr>
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5a552196
    • Takashi Iwai's avatar
      ALSA: ctl: Stop notification after disconnection · 69d5af27
      Takashi Iwai authored
      commit f388cdcd upstream.
      
      snd_ctl_remove() has a notification for the removal event.  It's
      superfluous when done during the device got disconnected.  Although
      the notification itself is mostly harmless, it may potentially be
      harmful, and should be suppressed.  Actually some components PCM may
      free ctl elements during the disconnect or free callbacks, thus it's
      no theoretical issue.
      
      This patch adds the check of card->shutdown flag for avoiding
      unnecessary notifications after (or during) the disconnect.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      69d5af27
    • Lyude's avatar
      drm/radeon: Poll for both connect/disconnect on analog connectors · a9c9297a
      Lyude authored
      commit 14ff8d48 upstream.
      
      DRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not
      disconnections. Because of this, we end up losing hotplug polling for
      analog connectors once they get connected.
      
      Easy way to reproduce:
       - Grab a machine with a radeon GPU and a VGA port
       - Plug a monitor into the VGA port, wait for it to update the connector
         from disconnected to connected
       - Disconnect the monitor on VGA, a hotplug event is never sent for the
         removal of the connector.
      
      Originally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good
      idea since doing VGA polling can sometimes result in having to mess with
      the DAC voltages to figure out whether or not there's actually something
      there since VGA doesn't have HPD. Doing this would have the potential of
      showing visible artifacts on the screen every time we ran a poll while a
      VGA display was connected. Luckily, radeon_vga_detect() only resorts to
      this sort of polling if the poll is forced, and DRM's polling helper
      doesn't force it's polls.
      
      Additionally, this removes some assignments to connector->polled that
      weren't actually doing anything.
      Signed-off-by: default avatarLyude <cpaul@redhat.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a9c9297a
    • Theodore Ts'o's avatar
      ext4: validate s_reserved_gdt_blocks on mount · 03eaa747
      Theodore Ts'o authored
      commit 5b9554dc upstream.
      
      If s_reserved_gdt_blocks is extremely large, it's possible for
      ext4_init_block_bitmap(), which is called when ext4 sets up an
      uninitialized block bitmap, to corrupt random kernel memory.  Add the
      same checks which e2fsck has --- it must never be larger than
      blocksize / sizeof(__u32) --- and then add a backup check in
      ext4_init_block_bitmap() in case the superblock gets modified after
      the file system is mounted.
      Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2:
       - Drop the second check in ext4_init_block_bitmap() since it can't return
         an error code
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      03eaa747
    • Vegard Nossum's avatar
      ext4: don't call ext4_should_journal_data() on the journal inode · 90a737fb
      Vegard Nossum authored
      commit 6a7fd522 upstream.
      
      If ext4_fill_super() fails early, it's possible for ext4_evict_inode()
      to call ext4_should_journal_data() before superblock options and flags
      are fully set up.  In that case, the iput() on the journal inode can
      end up causing a BUG().
      
      Work around this problem by reordering the tests so we only call
      ext4_should_journal_data() after we know it's not the journal inode.
      
      Fixes: 2d859db3 ("ext4: fix data corruption in inodes with journalled data")
      Fixes: 2b405bfa ("ext4: fix data=journal fast mount/umount hang")
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      90a737fb
    • Vegard Nossum's avatar
      ext4: check for extents that wrap around · acc016f6
      Vegard Nossum authored
      commit f70749ca upstream.
      
      An extent with lblock = 4294967295 and len = 1 will pass the
      ext4_valid_extent() test:
      
      	ext4_lblk_t last = lblock + len - 1;
      
      	if (len == 0 || lblock > last)
      		return 0;
      
      since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
      the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
      
      We can simplify it by removing the - 1 altogether and changing the test
      to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
      lblock and it fails, and if len > 0 then lblock + len > lblock in order
      to pass (i.e. it doesn't overflow).
      
      Fixes: 5946d089 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
      Fixes: 2f974865 ("ext4: check for zero length extent explicitly")
      Cc: Eryu Guan <guaneryu@gmail.com>
      Signed-off-by: default avatarPhil Turnbull <phil.turnbull@oracle.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      acc016f6
    • Cameron Gutman's avatar
      Input: xpad - validate USB endpoint count during probe · 1b87c10c
      Cameron Gutman authored
      commit caca925f upstream.
      
      This prevents a malicious USB device from causing an oops.
      Signed-off-by: default avatarCameron Gutman <aicommander@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1b87c10c
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() · f1e9174e
      Yoshihiro Shimoda authored
      commit 15e4292a upstream.
      
      This patch fixes an issue that the CFIFOSEL register value is possible
      to be changed by usbhsg_ep_enable() wrongly. And then, a data transfer
      using CFIFO may not work correctly.
      
      For example:
       # modprobe g_multi file=usb-storage.bin
       # ifconfig usb0 192.168.1.1 up
       (During the USB host is sending file to the mass storage)
       # ifconfig usb0 down
      
      In this case, since the u_ether.c may call usb_ep_enable() in
      eth_stop(), if the renesas_usbhs driver is also using CFIFO for
      mass storage, the mass storage may not work correctly.
      
      So, this patch adds usbhs_lock() and usbhs_unlock() calling in
      usbhsg_ep_enable() to protect CFIFOSEL register. This is because:
       - CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration
       - The CFIFOSEL (fifo->sel) is already protected by usbhs_lock()
      
      Fixes: 97664a20 ("usb: renesas_usbhs: shrink spin lock area")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f1e9174e
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() · c91172cb
      Yoshihiro Shimoda authored
      commit 4fdef698 upstream.
      
      This patch fixes an issue that the xfer_work() is possible to cause
      NULL pointer dereference if the usb cable is disconnected while data
      transfer is running.
      
      In such case, a gadget driver may call usb_ep_disable()) before
      xfer_work() is actually called. In this case, the usbhs_pkt_pop()
      will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()
      in xfer_work() will return NULL.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c91172cb
    • Krzysztof Kozlowski's avatar
      serial: samsung: Fix possible out of bounds access on non-DT platform · df47dba1
      Krzysztof Kozlowski authored
      commit 926b7b51 upstream.
      
      On non-DeviceTree platforms, the index of serial device is a static
      variable incremented on each probe.  It is incremented even if deferred
      probe happens when getting the clock in s3c24xx_serial_init_port().
      
      This index is used for referencing elements of statically allocated
      s3c24xx_serial_ports array.  In case of re-probe, the index will point
      outside of this array leading to memory corruption.
      
      Increment the index only on successful probe.
      Reported-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Fixes: b497549a ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      df47dba1
    • Herbert Xu's avatar
      crypto: gcm - Filter out async ghash if necessary · f64965a7
      Herbert Xu authored
      commit b30bdfa8 upstream.
      
      As it is if you ask for a sync gcm you may actually end up with
      an async one because it does not filter out async implementations
      of ghash.
      
      This patch fixes this by adding the necessary filter when looking
      for ghash.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f64965a7
    • Wanpeng Li's avatar
      sched/cputime: Fix prev steal time accouting during CPU hotplug · 97220c6c
      Wanpeng Li authored
      commit 3d89e547 upstream.
      
      Commit:
      
        e9532e69 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")
      
      ... set rq->prev_* to 0 after a CPU hotplug comes back, in order to
      fix the case where (after CPU hotplug) steal time is smaller than
      rq->prev_steal_time.
      
      However, this should never happen. Steal time was only smaller because of the
      KVM-specific bug fixed by the previous patch.  Worse, the previous patch
      triggers a bug on CPU hot-unplug/plug operation: because
      rq->prev_steal_time is cleared, all of the CPU's past steal time will be
      accounted again on hot-plug.
      
      Since the root cause has been fixed, we can just revert commit e9532e69.
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 'commit e9532e69 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")'
      Link: http://lkml.kernel.org/r/1465813966-3116-3-git-send-email-wanpeng.li@hotmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.2: adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      97220c6c
    • Bharata B Rao's avatar
      powerpc/numa: Fix multiple bugs in memory_hotplug_max() · 17cc521e
      Bharata B Rao authored
      commit 45b64ee6 upstream.
      
      memory_hotplug_max() uses hot_add_drconf_memory_max() to get maxmimum
      addressable memory by referring to ibm,dyanamic-memory property. There
      are three problems with the current approach:
      
      1 hot_add_drconf_memory_max() assumes that ibm,dynamic-memory includes
        all the LMBs of the guest, but that is not true for PowerKVM which
        populates only DR LMBs (LMBs that can be hotplugged/removed) in that
        property.
      2 hot_add_drconf_memory_max() multiplies lmb-size with lmb-count to arrive
        at the max possible address. Since ibm,dynamic-memory doesn't include
        RMA LMBs, the address thus obtained will be less than the actual max
        address. For example, if max possible memory size is 32G, with lmb-size
        of 256MB there can be 127 LMBs in ibm,dynamic-memory (1 LMB for RMA
        which won't be present here).  hot_add_drconf_memory_max() would then
        return the max addressable memory as 127 * 256MB = 31.75GB, the max
        address should have been 32G which is what ibm,lrdr-capacity shows.
      3 In PowerKVM, there can be a gap between the end of boot time RAM and
        beginning of hotplug RAM area. So just multiplying lmb-count with
        lmb-size will not provide the correct max possible address for PowerKVM.
      
      This patch fixes 1 by using ibm,lrdr-capacity property to return the max
      addressable memory whenever the property is present. Then it fixes 2 & 3
      by fetching the address of the last LMB in ibm,dynamic-memory property.
      
      Fixes: cd34206e ("powerpc: Add memory_hotplug_max()")
      Signed-off-by: default avatarBharata B Rao <bharata@linux.vnet.ibm.com>
      Reviewed-by: default avatarDavid Gibson <david@gibson.dropbear.id.au>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      17cc521e
    • Paul Moore's avatar
      netlabel: add address family checks to netlbl_{sock,req}_delattr() · bc64d7bf
      Paul Moore authored
      commit 0e0e3677 upstream.
      
      It seems risky to always rely on the caller to ensure the socket's
      address family is correct before passing it to the NetLabel kAPI,
      especially since we see at least one LSM which didn't. Add address
      family checks to the *_delattr() functions to help prevent future
      problems.
      Reported-by: default avatarManinder Singh <maninder1.s@samsung.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bc64d7bf
  2. 20 Oct, 2016 2 commits
    • Ben Hutchings's avatar
      Linux 3.2.83 · e0aed024
      Ben Hutchings authored
      e0aed024
    • Michal Hocko's avatar
      mm, gup: close FOLL MAP_PRIVATE race · 243f858d
      Michal Hocko authored
      commit 19be0eaf upstream.
      
      faultin_page drops FOLL_WRITE after the page fault handler did the CoW
      and then we retry follow_page_mask to get our CoWed page. This is racy,
      however because the page might have been unmapped by that time and so
      we would have to do a page fault again, this time without CoW. This
      would cause the page cache corruption for FOLL_FORCE on MAP_PRIVATE
      read only mappings with obvious consequences.
      
      This is an ancient bug that was actually already fixed once by Linus
      eleven years ago in commit 4ceb5db9 ("Fix get_user_pages() race
      for write access") but that was then undone due to problems on s390
      by commit f33ea7f4 ("fix get_user_pages bug") because s390 didn't
      have proper dirty pte tracking until abf09bed ("s390/mm: implement
      software dirty bits"). This wasn't a problem at the time as pointed out
      by Hugh Dickins because madvise relied on mmap_sem for write up until
      0a27a14a ("mm: madvise avoid exclusive mmap_sem") but since then we
      can race with madvise which can unmap the fresh COWed page or with KSM
      and corrupt the content of the shared page.
      
      This patch is based on the Linus' approach to not clear FOLL_WRITE after
      the CoW page fault (aka VM_FAULT_WRITE) but instead introduces FOLL_COW
      to note this fact. The flag is then rechecked during follow_pfn_pte to
      enforce the page fault again if we do not see the CoWed page. Linus was
      suggesting to check pte_dirty again as s390 is OK now. But that would
      make backporting to some old kernels harder. So instead let's just make
      sure that vm_normal_page sees a pure anonymous page.
      
      This would guarantee we are seeing a real CoW page. Introduce
      can_follow_write_pte which checks both pte_write and falls back to
      PageAnon on forced write faults which passed CoW already. Thanks to Hugh
      to point out that a special care has to be taken for KSM pages because
      our COWed page might have been merged with a KSM one and keep its
      PageAnon flag.
      
      Fixes: 0a27a14a ("mm: madvise avoid exclusive mmap_sem")
      Reported-by: default avatarPhil "not Paul" Oester <kernel@linuxace.com>
      Disclosed-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      [bwh: Backported to 3.2:
       - Adjust filename, context, indentation
       - The 'no_page' exit path in follow_page() is different, so open-code the
         cleanup
       - Delete a now-unused label]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      243f858d
  3. 22 Aug, 2016 14 commits