1. 11 May, 2016 8 commits
    • proc: prevent accessing /proc/<PID>/environ until it's ready · cdfaba23
      Mathias Krause authored
      commit 8148a73c upstream.
      
      If /proc/<PID>/environ gets read before the envp[] array is fully set up
      in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
      read more bytes than are actually written, as env_start will already be
      set but env_end will still be zero, making the range calculation
      underflow, allowing to read beyond the end of what has been written.
      
      Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
      zero.  It is, apparently, intentionally set last in create_*_tables().
      
      This bug was found by the PaX size_overflow plugin that detected the
      arithmetic underflow of 'this_len = env_end - (env_start + src)' when
      env_end is still zero.
      
      The expected consequence is that userland trying to access
      /proc/<PID>/environ of a not yet fully set up process may get
      inconsistent data as we're in the middle of copying in the environment
      variables.
      
      Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
      Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Cc: Emese Revfy <re.emese@gmail.com>
      Cc: Pax Team <pageexec@freemail.hu>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Mateusz Guzik <mguzik@redhat.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Cc: Jarod Wilson <jarod@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel · ddfe8a6b
      Sascha Hauer authored
      commit 5616f367 upstream.
      
      The secondary CPU starts up in ARM mode. When the kernel is compiled in
      thumb2 mode we have to explicitly compile the secondary startup
      trampoline in ARM mode, otherwise the CPU will go to Nirvana.
      
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Reported-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
      Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Dinh Nguyen <dinguyen@opensource.altera.com>
      Signed-off-by: Kevin Hilman <khilman@baylibre.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • lpfc: fix misleading indentation · ba4d65de
      Arnd Bergmann authored
      commit aeb6641f upstream.
      
      gcc-6 complains about the indentation of the lpfc_destroy_vport_work_array()
      call in lpfc_online(), which clearly doesn't look right:
      
      drivers/scsi/lpfc/lpfc_init.c: In function 'lpfc_online':
      drivers/scsi/lpfc/lpfc_init.c:2880:3: warning: statement is indented as if it were guarded by... [-Wmisleading-indentation]
         lpfc_destroy_vport_work_array(phba, vports);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/scsi/lpfc/lpfc_init.c:2863:2: note: ...this 'if' clause, but it is not
        if (vports != NULL)
        ^~
      
      Looking at the patch that introduced this code, it's clear that the
      behavior is correct and the indentation is wrong.
      
      This fixes the indentation and adds curly braces around the previous
      if() block for clarity, as that is most likely what caused the code
      to be misindented in the first place.
      
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Fixes: 549e55cd ("[SCSI] lpfc 8.2.2 : Fix locking around HBA's port_list")
      Reviewed-by: Sebastian Herbszt <herbszt@gmx.de>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Reviewed-by: Ewan D. Milne <emilne@redhat.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • clk: versatile: sp810: support reentrance · 3dcc015c
      Linus Walleij authored
      commit ec7957a6 upstream.
      
      Despite care taken to allocate clocks state containers the
      SP810 driver actually just supports creating one instance:
      all clocks registered for every instance will end up with the
      exact same name and __clk_init() will fail.
      
      Rename the timclken<0> .. timclken<n> to sp810_<instance>_<n>
      so every clock on every instance gets a unique name.
      
      This is necessary for the RealView PBA8 which has two SP810
      blocks: the second block will not register its clocks unless
      every clock on every instance is unique and results in boot
      logs like this:
      
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 0 at ../drivers/clk/versatile/clk-sp810.c:137
        clk_sp810_of_setup+0x110/0x154()
      Modules linked in:
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted
      4.5.0-rc2-00030-g352718fc39f6-dirty #225
      Hardware name: ARM RealView Machine (Device Tree Support)
      [<c00167f8>] (unwind_backtrace) from [<c0013204>]
                   (show_stack+0x10/0x14)
      [<c0013204>] (show_stack) from [<c01a049c>]
                   (dump_stack+0x84/0x9c)
      [<c01a049c>] (dump_stack) from [<c0024990>]
                   (warn_slowpath_common+0x74/0xb0)
      [<c0024990>] (warn_slowpath_common) from [<c0024a68>]
                   (warn_slowpath_null+0x1c/0x24)
      [<c0024a68>] (warn_slowpath_null) from [<c051eb44>]
                   (clk_sp810_of_setup+0x110/0x154)
      [<c051eb44>] (clk_sp810_of_setup) from [<c051e3a4>]
                   (of_clk_init+0x12c/0x1c8)
      [<c051e3a4>] (of_clk_init) from [<c0504714>]
                   (time_init+0x20/0x2c)
      [<c0504714>] (time_init) from [<c0501b18>]
                   (start_kernel+0x244/0x3c4)
      [<c0501b18>] (start_kernel) from [<7000807c>] (0x7000807c)
      ---[ end trace cb88537fdc8fa200 ]---
      
      Cc: Michael Turquette <mturquette@baylibre.com>
      Cc: Pawel Moll <pawel.moll@arm.com>
      Fixes: 6e973d2c "clk: vexpress: Add separate SP810 driver"
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • nbd: ratelimit error msgs after socket close · a85fd4d0
      Dan Streetman authored
      commit da6ccaaa upstream.
      
      Make the "Attempted send on closed socket" error messages generated in
      nbd_request_handler() ratelimited.
      
      When the nbd socket is shut down, the nbd_request_handler() function emits
      an error message for every request remaining in its queue.  If the queue
      is large, this will spam a large amount of messages to the log.  There's
      no need for a separate error message for each request, so this patch
      ratelimits it.
      
      In the specific case this was found, the system was virtual and the error
      messages were logged to the serial port, which overwhelmed it.
      
      Fixes: 4d48a542 ("nbd: fix I/O hang on disconnected nbds")
      Signed-off-by: Dan Streetman <dan.streetman@canonical.com>
      Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ipvs: correct initial offset of Call-ID header search in SIP persistence engine · 72faba32
      Marco Angaroni authored
      commit 7617a24f upstream.
      
      The IPVS SIP persistence engine is not able to parse the SIP header
      "Call-ID" when such header is inserted in the first positions of
      the SIP message.
      
      When IPVS is configured with "--pe sip" option, like for example:
      ipvsadm -A -u 1.2.3.4:5060 -s rr --pe sip -p 120 -o
      some particular messages (see below for details) do not create entries
      in the connection template table, which can be listed with:
      ipvsadm -Lcn --persistent-conn
      
      Problematic SIP messages are SIP responses having "Call-ID" header
      positioned just after message first line:
      SIP/2.0 200 OK
      [Call-ID header here]
      [rest of the headers]
      
      When "Call-ID" header is positioned down (after a few other headers)
      it is correctly recognized.
      
      This is due to the data offset used in get_callid function call inside
      ip_vs_pe_sip.c file: since dptr already points to the start of the
      SIP message, the value of dataoff should be initially 0.
      Otherwise the header is searched starting from some bytes after the
      first character of the SIP message.
      
      Fixes: 758ff033 ("IPVS: sip persistence engine")
      Signed-off-by: Marco Angaroni <marcoangaroni@gmail.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • x86: LLVMLinux: Fix "incomplete type const struct x86cpu_device_id" · 376539fa
      Behan Webster authored
      commit c4586256 upstream.
      
      Similar to the fix in 40413dcb
      
      MODULE_DEVICE_TABLE(x86cpu, ...) expects the struct to be called struct
      x86cpu_device_id, and not struct x86_cpu_id which is what is used in the rest
      of the kernel code.  Although gcc seems to ignore this error, clang fails
      without this define to fix the name.
      
      Code from drivers/thermal/x86_pkg_temp_thermal.c
      static const struct x86_cpu_id __initconst pkg_temp_thermal_ids[] = { ... };
      MODULE_DEVICE_TABLE(x86cpu, pkg_temp_thermal_ids);
      
      Error from clang:
      drivers/thermal/x86_pkg_temp_thermal.c:577:1: error: variable has
            incomplete type 'const struct x86cpu_device_id'
      MODULE_DEVICE_TABLE(x86cpu, pkg_temp_thermal_ids);
      ^
      include/linux/module.h:145:3: note: expanded from macro
            'MODULE_DEVICE_TABLE'
        MODULE_GENERIC_TABLE(type##_device, name)
        ^
      include/linux/module.h:87:32: note: expanded from macro
            'MODULE_GENERIC_TABLE'
      extern const struct gtype##_id __mod_##gtype##_table            \
                                     ^
      <scratch space>:143:1: note: expanded from here
      __mod_x86cpu_device_table
      ^
      drivers/thermal/x86_pkg_temp_thermal.c:577:1: note: forward declaration of
            'struct x86cpu_device_id'
      include/linux/module.h:145:3: note: expanded from macro
            'MODULE_DEVICE_TABLE'
        MODULE_GENERIC_TABLE(type##_device, name)
        ^
      include/linux/module.h:87:21: note: expanded from macro
            'MODULE_GENERIC_TABLE'
      extern const struct gtype##_id __mod_##gtype##_table            \
                          ^
      <scratch space>:141:1: note: expanded from here
      x86cpu_device_id
      ^
      1 error generated.
      
      Signed-off-by: Behan Webster <behanw@converseincode.com>
      Signed-off-by: Jan-Simon Möller <dl9pf@gmx.de>
      Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [added vmbus, mei, and rapidio #defines, needed for 3.14 - gregkh]
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • compiler-gcc: disable -ftracer for __noclone functions · 0a0ff4eb
      Paolo Bonzini authored
      commit 95272c29 upstream.
      
      -ftracer can duplicate asm blocks causing compilation to fail in
      noclone functions.  For example, KVM declares a global variable
      in an asm like
      
          asm("2: ... \n
               .pushsection data \n
               .global vmx_return \n
               vmx_return: .long 2b");
      
      and -ftracer causes a double declaration.
      
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: stable@vger.kernel.org
      Cc: kvm@vger.kernel.org
      Reported-by: Linda Walsh <lkml@tlinx.org>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
  2. 03 May, 2016 16 commits
  3. 02 May, 2016 14 commits
  4. 23 Apr, 2016 2 commits