1. 10 Aug, 2016 40 commits
    • Gregory Greenman's avatar
      cfg80211: handle failed skb allocation · f4cb43e0
      Gregory Greenman authored
      commit 16a910a6 upstream.
      
      Handle the case when dev_alloc_skb returns NULL.
      
      Fixes: 2b67f944 ("cfg80211: reuse existing page fragments in A-MSDU rx")
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4cb43e0
    • Dmitri Epshtein's avatar
      net: mvneta: set real interrupt per packet for tx_done · 2f4cf2ec
      Dmitri Epshtein authored
      commit 06708f81 upstream.
      
      Commit aebea2ba ("net: mvneta: fix Tx interrupt delay") intended to
      set coalescing threshold to a value guaranteeing interrupt generation
      per each sent packet, so that buffers can be released with no delay.
      
      In fact setting threshold to '1' was wrong, because it causes interrupt
      every two packets. According to the documentation a reason behind it is
      following - interrupt occurs once sent buffers counter reaches a value,
      which is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This
      behavior was confirmed during tests. Also when testing the SoC working
      as a NAS device, better performance was observed with int-per-packet,
      as it strongly depends on the fact that all transmitted packets are
      released immediately.
      
      This commit enables NETA controller work in interrupt per sent packet mode
      by setting coalescing threshold to 0.
      Signed-off-by: default avatarDmitri Epshtein <dima@marvell.com>
      Signed-off-by: default avatarMarcin Wojtas <mw@semihalf.com>
      Fixes aebea2ba ("net: mvneta: fix Tx interrupt delay")
      Acked-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f4cf2ec
    • Ilya Dryomov's avatar
      libceph: apply new_state before new_up_client on incrementals · 14877928
      Ilya Dryomov authored
      commit 930c5328 upstream.
      
      Currently, osd_weight and osd_state fields are updated in the encoding
      order.  This is wrong, because an incremental map may look like e.g.
      
          new_up_client: { osd=6, addr=... } # set osd_state and addr
          new_state: { osd=6, xorstate=EXISTS } # clear osd_state
      
      Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down).  After
      applying new_up_client, osd_state is changed to EXISTS | UP.  Carrying
      on with the new_state update, we flip EXISTS and leave osd6 in a weird
      "!EXISTS but UP" state.  A non-existent OSD is considered down by the
      mapping code
      
      2087    for (i = 0; i < pg->pg_temp.len; i++) {
      2088            if (ceph_osd_is_down(osdmap, pg->pg_temp.osds[i])) {
      2089                    if (ceph_can_shift_osds(pi))
      2090                            continue;
      2091
      2092                    temp->osds[temp->size++] = CRUSH_ITEM_NONE;
      
      and so requests get directed to the second OSD in the set instead of
      the first, resulting in OSD-side errors like:
      
      [WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680
      
      and hung rbds on the client:
      
      [  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)
      [  493.566805] rbd: rbd0:   result -6 xferred 400000
      [  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688
      
      The fix is to decouple application from the decoding and:
      - apply new_weight first
      - apply new_state before new_up_client
      - twiddle osd_state flags if marking in
      - clear out some of the state if osd is destroyed
      
      Fixes: http://tracker.ceph.com/issues/14901Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarJosh Durgin <jdurgin@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14877928
    • Tejun Heo's avatar
      libata: LITE-ON CX1-JB256-HP needs lower max_sectors · 54d61751
      Tejun Heo authored
      commit 1488a1e3 upstream.
      
      Since 34b48db6 ("block: remove artifical max_hw_sectors cap"),
      max_sectors is no longer limited to BLK_DEF_MAX_SECTORS and LITE-ON
      CX1-JB256-HP keeps timing out with higher max_sectors.  Revert it to
      the previous value.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: dgerasimov@gmail.com
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=121671
      Fixes: 34b48db6 ("block: remove artifical max_hw_sectors cap")
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54d61751
    • Lukasz Gemborowski's avatar
      i2c: mux: reg: wrong condition checked for of_address_to_resource return value · ed87c214
      Lukasz Gemborowski authored
      commit 22ebf00e upstream.
      
      of_address_to_resource return 0 on successful call but
      devm_ioremap_resource is called only if it returns non-zero value
      Signed-off-by: default avatarLukasz Gemborowski <lukasz.gemborowski@nokia.com>
      Reviewed-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed87c214
    • Sricharan R's avatar
      i2c: qup: Fix wrong value of index variable · f5be1dff
      Sricharan R authored
      commit d4f56c77 upstream.
      
      index gets incremented during check to determine if the
      messages can be transferred with dma. But not reset after
      that, resulting in wrong start value in subsequent loop,
      causing failure. Fix it.
      Signed-off-by: default avatarSricharan R <sricharan@codeaurora.org>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5be1dff
    • Laurent Pinchart's avatar
      adv7604: Don't ignore pad number in subdev DV timings pad operations · 9388174e
      Laurent Pinchart authored
      commit 6519c3d7 upstream.
      
      The dv_timings_cap() and enum_dv_timings() pad operations take a pad
      number as an input argument and return the DV timings capabilities and
      list of supported DV timings for that pad.
      
      Commit bd3e275f ("[media] media: i2c: adv7604: Use v4l2-dv-timings
      helpers") broke this as it started ignoring the pad number, always
      returning the information associated with the currently selected input.
      Fix it.
      
      Fixes: bd3e275f ("[media] media: i2c: adv7604: Use v4l2-dv-timings helpers")
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9388174e
    • Thomas Gleixner's avatar
      cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble · 5e8123b6
      Thomas Gleixner authored
      commit a7c73414 upstream.
      
      Xiaolong Ye reported lock debug warnings triggered by the following commit:
      
        8de4a0066106 ("perf/x86: Convert the core to the hotplug state machine")
      
      The bug is the following: the cpuhp_bp_states[] array is cut short when
      CONFIG_SMP=n, but the dynamically registered callbacks are stored nevertheless
      and happily scribble outside of the array bounds...
      
      We need to store them in case that the state is unregistered so we can invoke
      the teardown function. That's independent of CONFIG_SMP. Make sure the array
      is large enough.
      Reported-by: default avatarkernel test robot <xiaolong.ye@intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Adam Borowski <kilobyte@angband.pl>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: lkp@01.org
      Cc: tipbuild@zytor.com
      Fixes: cff7d378 "cpu/hotplug: Convert to a state machine for the control processor"
      Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1607122144560.4083@nanosSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e8123b6
    • Alexey Dobriyan's avatar
      posix_cpu_timer: Exit early when process has been reaped · 2acf7a3a
      Alexey Dobriyan authored
      commit 2c13ce8f upstream.
      
      Variable "now" seems to be genuinely used unintialized
      if branch
      
      	if (CPUCLOCK_PERTHREAD(timer->it_clock)) {
      
      is not taken and branch
      
      	if (unlikely(sighand == NULL)) {
      
      is taken. In this case the process has been reaped and the timer is marked as
      disarmed anyway. So none of the postprocessing of the sample is
      required. Return right away.
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Link: http://lkml.kernel.org/r/20160707223911.GA26483@p183.telecom.bySigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2acf7a3a
    • James Patrick-Evans's avatar
      media: fix airspy usb probe error path · 1031db3d
      James Patrick-Evans authored
      commit aa93d1fe upstream.
      
      Fix a memory leak on probe error of the airspy usb device driver.
      
      The problem is triggered when more than 64 usb devices register with
      v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
      
      The memory leak is caused by the probe function of the airspy driver
      mishandeling errors and not freeing the corresponding control structures
      when an error occours registering the device to v4l2 core.
      
      A badusb device can emulate 64 of these devices, and then through
      continual emulated connect/disconnect of the 65th device, cause the
      kernel to run out of RAM and crash the kernel, thus causing a local DOS
      vulnerability.
      
      Fixes CVE-2016-5400
      Signed-off-by: default avatarJames Patrick-Evans <james@jmp-e.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1031db3d
    • Brian King's avatar
      ipr: Clear interrupt on croc/crocodile when running with LSI · 602efc3c
      Brian King authored
      commit 54e430bb upstream.
      
      If we fall back to using LSI on the Croc or Crocodile chip we need to
      clear the interrupt so we don't hang the system.
      Tested-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      602efc3c
    • Alan Stern's avatar
      SCSI: fix new bug in scsi_dev_info_list string matching · 224d3cc7
      Alan Stern authored
      commit 5e7ff2ca upstream.
      
      Commit b704f70c ("SCSI: fix bug in scsi_dev_info_list matching")
      changed the way vendor- and model-string matching was carried out in the
      routine that looks up entries in a SCSI devinfo list.  The new matching
      code failed to take into account the case of a maximum-length string; in
      such cases it could end up testing for a terminating '\0' byte beyond
      the end of the memory allocated to the string.  This out-of-bounds bug
      was detected by UBSAN.
      
      I don't know if anybody has actually encountered this bug.  The symptom
      would be that a device entry in the blacklist might not be matched
      properly if it contained an 8-character vendor name or a 16-character
      model name.  Such entries certainly exist in scsi_static_device_list.
      
      This patch fixes the problem by adding a check for a maximum-length
      string before the '\0' test.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Fixes: b704f70c ("SCSI: fix bug in scsi_dev_info_list matching")
      Tested-by: default avatarWilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      224d3cc7
    • Bruno Prémont's avatar
      qla2xxx: Fix NULL pointer deref in QLA interrupt · ddb2bdc5
      Bruno Prémont authored
      commit 262e2bfd upstream.
      
      In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
      pointer dereference when rsp->msix is NULL:
      
      [    5.622457] NULL pointer dereference at 0000000000000050
      [    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457] PGD 0
      [    5.622457] Oops: 0000 [#1] SMP
      [    5.622457] Modules linked in:
      [    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
      [    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
      [    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
      [    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
      [    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
      [    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
      [    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
      [    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
      [    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
      [    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
      [    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
      [    5.622457] Stack:
      [    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
      [    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
      [    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
      [    5.622457] Call Trace:
      [    5.622457]  <IRQ>
      [    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
      [    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
      [    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
      [    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
      [    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
      [    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
      [    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
      [    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
      [    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
      [    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
      [    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
      [    5.622457]  <EOI>
      [    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
      [    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
      [    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
      [    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
      [    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
      [    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
      [    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457]  RSP <ffff8801afb03de8>
      [    5.622457] CR2: 0000000000000050
      [    5.622457] ---[ end trace fa2b19c25106d42b ]---
      [    5.622457] Kernel panic - not syncing: Fatal exception in interrupt
      
      The affected code was introduced by commit cdb898c5
      (qla2xxx: Add irq affinity notification).
      
      Only dereference rsp->msix when it has been set so the machine can boot
      fine. Possibly rsp->msix is unset because:
      [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
      [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
      [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
      [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
      [    3.890145] scsi host0: qla2xxx
      [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
      [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
      [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
      Signed-off-by: default avatarBruno Prémont <bonbons@linux-vserver.org>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Fixes: cdb898c5Signed-off-by: default avatarJames Bottomley <jejb@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ddb2bdc5
    • Paul Burton's avatar
      irqchip/mips-gic: Match IPI IRQ domain by bus token only · 4406733d
      Paul Burton authored
      commit 547aefc4 upstream.
      
      Commit fbde2d7d ("MIPS: Add generic SMP IPI support") introduced
      code which calls irq_find_matching_host with a NULL node parameter in
      order to discover IPI IRQ domains which are not associated with the DT
      root node's interrupt parent. This suggests that implementations of IPI
      IRQ domains should effectively ignore the node parameter if it is NULL
      and search purely based upon the bus token. Commit 2af70a96
      ("irqchip/mips-gic: Add a IPI hierarchy domain") did not do this when
      implementing the GIC IPI IRQ domain, and on MIPS Boston boards this
      leads to no IPI domain being discovered and a NULL pointer dereference
      when attempting to send an IPI:
      
        CPU 0 Unable to handle kernel paging request at virtual address 0000000000000040, epc == ffffffff8016e70c, ra == ffffffff8010ff5c
        Oops[#1]:
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc6-00223-gad0d1b6 #945
        task: a8000000ff066fc0 ti: a8000000ff068000 task.ti: a8000000ff068000
        $ 0   : 0000000000000000 0000000000000001 ffffffff80730000 0000000000000003
        $ 4   : 0000000000000000 ffffffff8057e5b0 a800000001e3ee00 0000000000000000
        $ 8   : 0000000000000000 0000000000000023 0000000000000001 0000000000000001
        $12   : 0000000000000000 ffffffff803323d0 0000000000000000 0000000000000000
        $16   : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
        $20   : 0000000000000000 ffffffff8057e5b0 0000000000000001 0000000000000000
        $24   : 0000000000000000 ffffffff8012de28
        $28   : a8000000ff068000 a8000000ff06fbc0 0000000000000000 ffffffff8010ff5c
        Hi    : ffffffff8014c174
        Lo    : a800000001e1e140
        epc   : ffffffff8016e70c __ipi_send_mask+0x24/0x11c
        ra    : ffffffff8010ff5c mips_smp_send_ipi_mask+0x68/0x178
        Status: 140084e2        KX SX UX KERNEL EXL
        Cause : 00800008 (ExcCode 02)
        BadVA : 0000000000000040
        PrId  : 0001a920 (MIPS I6400)
        Process swapper/0 (pid: 1, threadinfo=a8000000ff068000, task=a8000000ff066fc0, tls=0000000000000000)
        Stack : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
                  0000000000000000 ffffffff8057e5b0 0000000000000001 ffffffff8010ff5c
                  0000000000000001 0000000000000020 0000000000000000 0000000000000000
                  0000000000000000 ffffffff801108fc 0000000000000000 0000000000000001
                  0000000000000001 0000000000000000 0000000000000000 ffffffff801865e8
                  a8000000ff0c7500 a8000000ff06fc90 0000000000000001 0000000000000002
                  ffffffff801108fc ffffffff801868b8 0000000000000000 ffffffff801108fc
                  0000000000000000 0000000000000003 ffffffff8068c700 0000000000000001
                  ffffffff80730000 0000000000000001 a8000000ff00a290 ffffffff80110c50
                  0000000000000003 a800000001e48308 0000000000000003 0000000000000008
                  ...
        Call Trace:
        [<ffffffff8016e70c>] __ipi_send_mask+0x24/0x11c
        [<ffffffff8010ff5c>] mips_smp_send_ipi_mask+0x68/0x178
        [<ffffffff801865e8>] generic_exec_single+0x150/0x170
        [<ffffffff801868b8>] smp_call_function_single+0x108/0x160
        [<ffffffff80110c50>] cps_boot_secondary+0x328/0x394
        [<ffffffff80110534>] __cpu_up+0x38/0x90
        [<ffffffff8012de4c>] bringup_cpu+0x24/0xac
        [<ffffffff8012df40>] cpuhp_up_callbacks+0x58/0xdc
        [<ffffffff8012e648>] cpu_up+0x118/0x18c
        [<ffffffff806dc158>] smp_init+0xbc/0xe8
        [<ffffffff806d4c18>] kernel_init_freeable+0xa0/0x228
        [<ffffffff8056c908>] kernel_init+0x10/0xf0
        [<ffffffff80105098>] ret_from_kernel_thread+0x14/0x1c
      
      Fix this by allowing the GIC IPI IRQ domain to match purely based upon
      the bus token if the node provided is NULL.
      
      Fixes: 2af70a96 ("irqchip/mips-gic: Add a IPI hierarchy domain")
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Qais Yousef <qsyousef@gmail.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/20160705132600.27730-2-paul.burton@imgtec.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4406733d
    • Paul Burton's avatar
      irqchip/mips-gic: Map to VPs using HW VPNum · 42c33fde
      Paul Burton authored
      commit 99ec8a36 upstream.
      
      When mapping an interrupt to a VP(E) we must use the identifier for the
      VP that the hardware expects, and this does not always match up with the
      Linux CPU number. Commit d46812bb ("irqchip: mips-gic: Use HW IDs
      for VPE_OTHER_ADDR") corrected this for the cases that existed at the
      time it was written, but commit 2af70a96 ("irqchip/mips-gic: Add a
      IPI hierarchy domain") added another case before the former patch was
      merged. This leads to incorrectly using Linux CPU numbers when mapping
      interrupts to VPs, which breaks on certain systems such as those with
      multi-core I6400 CPUs. Fix by adding the appropriate call to
      mips_cm_vp_id() to retrieve the expected VP identifier.
      
      Fixes: d46812bb ("irqchip: mips-gic: Use HW IDs for VPE_OTHER_ADDR")
      Fixes: 2af70a96 ("irqchip/mips-gic: Add a IPI hierarchy domain")
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Qais Yousef <qsyousef@gmail.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/20160705132600.27730-1-paul.burton@imgtec.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42c33fde
    • Vegard Nossum's avatar
      RDS: fix rds_tcp_init() error path · d71872a9
      Vegard Nossum authored
      commit 3dad5424 upstream.
      
      If register_pernet_subsys() fails, we shouldn't try to call
      unregister_pernet_subsys().
      
      Fixes: 467fa153 ("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
      Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Acked-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d71872a9
    • Oliver Hartkopp's avatar
      can: fix oops caused by wrong rtnl dellink usage · f3f8ae8b
      Oliver Hartkopp authored
      commit 25e1ed6e upstream.
      
      For 'real' hardware CAN devices the netlink interface is used to set CAN
      specific communication parameters. Real CAN hardware can not be created nor
      removed with the ip tool ...
      
      This patch adds a private dellink function for the CAN device driver interface
      that does just nothing.
      
      It's a follow up to commit 993e6f2f ("can: fix oops caused by wrong rtnl
      newlink usage") but for dellink.
      Reported-by: default avatarajneu <ajneu1@gmail.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3f8ae8b
    • Oliver Hartkopp's avatar
      can: fix handling of unmodifiable configuration options fix · 171cf1dc
      Oliver Hartkopp authored
      commit bce271f2 upstream.
      
      With upstream commit bb208f14 (can: fix handling of unmodifiable
      configuration options) a new can_validate() function was introduced.
      
      When invoking 'ip link set can0 type can' without any configuration data
      can_validate() tries to validate the content without taking into account that
      there's totally no content. This patch adds a check for missing content.
      Reported-by: default avatarajneu <ajneu1@gmail.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      171cf1dc
    • Thor Thayer's avatar
      can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access · 07562cc2
      Thor Thayer authored
      commit 427460c8 upstream.
      
      When testing CAN write floods on Altera's CycloneV, the first 2 bytes
      are sometimes 0x00, 0x00 or corrupted instead of the values sent. Also
      observed bytes 4 & 5 were corrupted in some cases.
      
      The D_CAN Data registers are 32 bits and changing from 16 bit writes to
      32 bit writes fixes the problem.
      
      Testing performed on Altera CycloneV (D_CAN).  Requesting tests on other
      C_CAN & D_CAN platforms.
      Reported-by: default avatarRichard Andrysek <richard.andrysek@gomtec.de>
      Signed-off-by: default avatarThor Thayer <tthayer@opensource.altera.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      07562cc2
    • Wolfgang Grandegger's avatar
      can: at91_can: RX queue could get stuck at high bus load · 88e08b41
      Wolfgang Grandegger authored
      commit 43200a44 upstream.
      
      At high bus load it could happen that "at91_poll()" enters with all RX
      message boxes filled up. If then at the end the "quota" is exceeded as
      well, "rx_next" will not be reset to the first RX mailbox and hence the
      interrupts remain disabled.
      Signed-off-by: default avatarWolfgang Grandegger <wg@grandegger.com>
      Tested-by: default avatarAmr Bekhit <amrbekhit@gmail.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88e08b41
    • Peter Zijlstra's avatar
      sched/fair: Fix effective_load() to consistently use smoothed load · 81dc1601
      Peter Zijlstra authored
      commit 7dd49125 upstream.
      
      Starting with the following commit:
      
        fde7d22e ("sched/fair: Fix overly small weight for interactive group entities")
      
      calc_tg_weight() doesn't compute the right value as expected by effective_load().
      
      The difference is in the 'correction' term. In order to ensure \Sum
      rw_j >= rw_i we cannot use tg->load_avg directly, since that might be
      lagging a correction on the current cfs_rq->avg.load_avg value.
      Therefore we use tg->load_avg - cfs_rq->tg_load_avg_contrib +
      cfs_rq->avg.load_avg.
      
      Now, per the referenced commit, calc_tg_weight() doesn't use
      cfs_rq->avg.load_avg, as is later used in @w, but uses
      cfs_rq->load.weight instead.
      
      So stop using calc_tg_weight() and do it explicitly.
      
      The effects of this bug are wake_affine() making randomly
      poor choices in cgroup-intense workloads.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: fde7d22e ("sched/fair: Fix overly small weight for interactive group entities")
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      81dc1601
    • Taras Kondratiuk's avatar
      mmc: block: fix packed command header endianness · 8815298c
      Taras Kondratiuk authored
      commit f68381a7 upstream.
      
      The code that fills packed command header assumes that CPU runs in
      little-endian mode. Hence the header is malformed in big-endian mode
      and causes MMC data transfer errors:
      
      [  563.200828] mmcblk0: error -110 transferring data, sector 2048, nr 8, cmd response 0x900, card status 0xc40
      [  563.219647] mmcblk0: packed cmd failed, nr 2, sectors 16, failure index: -1
      
      Convert header data to LE.
      Signed-off-by: default avatarTaras Kondratiuk <takondra@cisco.com>
      Fixes: ce39f9d1 ("mmc: support packed write command for eMMC4.5 devices")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8815298c
    • Ville Viinikka's avatar
      mmc: block: fix free of uninitialized 'idata->buf' · 5e8087b3
      Ville Viinikka authored
      commit bfe5b1b1 upstream.
      
      Set 'idata->buf' to NULL so that it never gets returned without
      initialization. This fixes a bug where mmc_blk_ioctl_cmd() would
      free both 'idata' and 'idata->buf' but 'idata->buf' was returned
      uninitialized.
      
      Fixes: 1ff8950c ("mmc: block: change to use kmalloc when copy data from userspace")
      Signed-off-by: default avatarVille Viinikka <ville@tuxera.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e8087b3
    • Omar Sandoval's avatar
      block: fix use-after-free in sys_ioprio_get() · 5c72cc56
      Omar Sandoval authored
      commit 8ba86821 upstream.
      
      get_task_ioprio() accesses the task->io_context without holding the task
      lock and thus can race with exit_io_context(), leading to a
      use-after-free. The reproducer below hits this within a few seconds on
      my 4-core QEMU VM:
      
      #define _GNU_SOURCE
      #include <assert.h>
      #include <unistd.h>
      #include <sys/syscall.h>
      #include <sys/wait.h>
      
      int main(int argc, char **argv)
      {
      	pid_t pid, child;
      	long nproc, i;
      
      	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
      	syscall(SYS_ioprio_set, 1, 0, 0x6000);
      
      	nproc = sysconf(_SC_NPROCESSORS_ONLN);
      
      	for (i = 0; i < nproc; i++) {
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				pid = fork();
      				assert(pid != -1);
      				if (pid == 0) {
      					_exit(0);
      				} else {
      					child = wait(NULL);
      					assert(child == pid);
      				}
      			}
      		}
      
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      				syscall(SYS_ioprio_get, 2, 0);
      			}
      		}
      	}
      
      	for (;;) {
      		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      		syscall(SYS_ioprio_get, 2, 0);
      	}
      
      	return 0;
      }
      
      This gets us KASAN dumps like this:
      
      [   35.526914] ==================================================================
      [   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
      [   35.530009] Read of size 2 by task ioprio-gpf/363
      [   35.530009] =============================================================================
      [   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
      [   35.530009] -----------------------------------------------------------------------------
      
      [   35.530009] Disabling lock debugging due to kernel taint
      [   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
      [   35.530009] 	___slab_alloc+0x55d/0x5a0
      [   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
      [   35.530009] 	kmem_cache_alloc_node+0x84/0x200
      [   35.530009] 	create_task_io_context+0x2b/0x370
      [   35.530009] 	get_task_io_context+0x92/0xb0
      [   35.530009] 	copy_process.part.8+0x5029/0x5660
      [   35.530009] 	_do_fork+0x155/0x7e0
      [   35.530009] 	SyS_clone+0x19/0x20
      [   35.530009] 	do_syscall_64+0x195/0x3a0
      [   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
      [   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
      [   35.530009] 	__slab_free+0x27b/0x3d0
      [   35.530009] 	kmem_cache_free+0x1fb/0x220
      [   35.530009] 	put_io_context+0xe7/0x120
      [   35.530009] 	put_io_context_active+0x238/0x380
      [   35.530009] 	exit_io_context+0x66/0x80
      [   35.530009] 	do_exit+0x158e/0x2b90
      [   35.530009] 	do_group_exit+0xe5/0x2b0
      [   35.530009] 	SyS_exit_group+0x1d/0x20
      [   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
      [   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
      [   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
      [   35.530009] ==================================================================
      
      Fix it by grabbing the task lock while we poke at the io_context.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c72cc56
    • Randy Dunlap's avatar
      init/Kconfig: keep Expert users menu together · ad2591f0
      Randy Dunlap authored
      commit 076501ff upstream.
      
      The "expert" menu was broken (split) such that all entries in it after
      KALLSYMS were displayed in the "General setup" area instead of in the
      "Expert users" area.  Fix this by adding one kconfig dependency.
      
      Yes, the Expert users menu is fragile.  Problems like this have happened
      several times in the past.  I will attempt to isolate the Expert users
      menu if there is interest in that.
      
      Fixes: 4d5d5664 ("x86: kallsyms: disable absolute percpu symbols on !SMP")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad2591f0
    • Ursula Braun's avatar
      qeth: delete napi struct when removing a qeth device · 635814d2
      Ursula Braun authored
      commit 7831b4ff upstream.
      
      A qeth_card contains a napi_struct linked to the net_device during
      device probing. This struct must be deleted when removing the qeth
      device, otherwise Panic on oops can occur when qeth devices are
      repeatedly removed and added.
      
      Fixes: a1c3ed4c ("qeth: NAPI support for l2 and l3 discipline")
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.vnet.ibm.com>
      Tested-by: default avatarAlexander Klein <ALKL@de.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      635814d2
    • Dan Carpenter's avatar
      platform/chrome: cros_ec_dev - double fetch bug in ioctl · 68b0cefc
      Dan Carpenter authored
      commit 096cdc6f upstream.
      
      We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
      that those values have not changed between the two copy_from_user()
      calls.  Otherwise it could lead to a buffer overflow.
      
      Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
      We should use the new smaller value so we don't copy too much data to
      the user.
      Reported-by: default avatarPengfei Wang <wpengfeinudt@gmail.com>
      Fixes: a8411784 ('mfd: cros_ec: Use a zero-length array for command data')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarGwendal Grignou <gwendal@chromium.org>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68b0cefc
    • Scott Mayhew's avatar
      lockd: unregister notifier blocks if the service fails to come up completely · f54a878c
      Scott Mayhew authored
      commit cb7d224f upstream.
      
      If the lockd service fails to start up then we need to be sure that the
      notifier blocks are not registered, otherwise a subsequent start of the
      service could cause the same notifier to be registered twice, leading to
      soft lockups.
      Signed-off-by: default avatarScott Mayhew <smayhew@redhat.com>
      Fixes: 0751ddf7 "lockd: Register callbacks on the inetaddr_chain..."
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f54a878c
    • Boris Brezillon's avatar
      clk: at91: fix clk_programmable_set_parent() · 3e70b591
      Boris Brezillon authored
      commit f96423f4 upstream.
      
      Since commit 1bdf0232 ("clk: at91: make use of syscon/regmap
      internally"), clk_programmable_set_parent() is always selecting the
      first parent (AKA slow_clk), no matter what's passed in the 'index'
      parameter.
      
      Fix that by initializing the pckr variable to the index value.
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Reported-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Fixes: 1bdf0232 ("clk: at91: make use of syscon/regmap internally")
      Signed-off-by: default avatarMichael Turquette <mturquette@baylibre.com>
      Link: lkml.kernel.org/r/1468828152-18389-1-git-send-email-boris.brezillon@free-electrons.com
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e70b591
    • Heiko Stuebner's avatar
      clk: rockchip: initialize flags of clk_init_data in mmc-phase clock · 690a5f1e
      Heiko Stuebner authored
      commit 595144c1 upstream.
      
      The flags element of clk_init_data was never initialized for mmc-
      phase-clocks resulting in the element containing a random value
      and thus possibly enabling unwanted clock flags.
      
      Fixes: 89bf26cb ("clk: rockchip: Add support for the mmc clock phases using the framework")
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      690a5f1e
    • Michal Suchanek's avatar
      spi: sun4i: fix FIFO limit · bb70d865
      Michal Suchanek authored
      commit 6d9fe44b upstream.
      
      When testing SPI without DMA I noticed that filling the FIFO on the
      spi controller causes timeout.
      
      Always leave room for one byte in the FIFO.
      Signed-off-by: default avatarMichal Suchanek <hramrach@gmail.com>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb70d865
    • Michal Suchanek's avatar
      spi: sunxi: fix transfer timeout · 3fe82d1e
      Michal Suchanek authored
      commit 719bd654 upstream.
      
      The trasfer timeout is fixed at 1000 ms. Reading a 4Mbyte flash over
      1MHz SPI bus takes way longer than that. Calculate the timeout from the
      actual time the transfer is supposed to take and multiply by 2 for good
      measure.
      Signed-off-by: default avatarMichal Suchanek <hramrach@gmail.com>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3fe82d1e
    • Tomeu Vizoso's avatar
      spi: rockchip: Signal unfinished DMA transfers · ef40d3f3
      Tomeu Vizoso authored
      commit 4dc0dd83 upstream.
      
      When using DMA, the transfer_one callback should return 1 because the
      transfer hasn't finished yet.
      
      A previous commit changed the function to return 0 when the DMA channels
      were correctly prepared.
      
      This manifested in Veyron boards with this message:
      
      [ 1.983605] cros-ec-spi spi0.0: EC failed to respond in time
      
      Fixes: ea984911 ("spi: rockchip: check return value of dmaengine_prep_slave_sg")
      Signed-off-by: default avatarTomeu Vizoso <tomeu.vizoso@collabora.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef40d3f3
    • Andrey Ulanov's avatar
      namespace: update event counter when umounting a deleted dentry · 7b1789f9
      Andrey Ulanov authored
      commit e06b933e upstream.
      
      - m_start() in fs/namespace.c expects that ns->event is incremented each
        time a mount added or removed from ns->list.
      - umount_tree() removes items from the list but does not increment event
        counter, expecting that it's done before the function is called.
      - There are some codepaths that call umount_tree() without updating
        "event" counter. e.g. from __detach_mounts().
      - When this happens m_start may reuse a cached mount structure that no
        longer belongs to ns->list (i.e. use after free which usually leads
        to infinite loop).
      
      This change fixes the above problem by incrementing global event counter
      before invoking umount_tree().
      
      Change-Id: I622c8e84dcb9fb63542372c5dbf0178ee86bb589
      Signed-off-by: default avatarAndrey Ulanov <andreyu@google.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7b1789f9
    • Colin Ian King's avatar
      devpts: fix null pointer dereference on failed memory allocation · a0292a0f
      Colin Ian King authored
      commit 5353ed8d upstream.
      
      An ENOMEM when creating a pair tty in tty_ldisc_setup causes a null
      pointer dereference in devpts_kill_index because tty->link->driver_data
      is NULL.  The oops was triggered with the pty stressor in stress-ng when
      in a low memory condition.
      
      tty_init_dev tries to clean up a tty_ldisc_setup ENOMEM error by calling
      release_tty, however, this ultimately tries to clean up the NULL pair'd
      tty in pty_unix98_remove, triggering the Oops.
      
      Add check to pty_unix98_remove to only clean up fsi if it is not NULL.
      
      Ooops:
      
      [   23.020961] Oops: 0000 [#1] SMP
      [   23.020976] Modules linked in: ppdev snd_hda_codec_generic snd_hda_intel snd_hda_codec parport_pc snd_hda_core snd_hwdep parport snd_pcm input_leds joydev snd_timer serio_raw snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect psmouse sysimgblt floppy fb_sys_fops drm pata_acpi jitterentropy_rng drbg ansi_cprng
      [   23.020978] CPU: 0 PID: 1452 Comm: stress-ng-pty Not tainted 4.7.0-rc4+ #2
      [   23.020978] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [   23.020979] task: ffff88007ba30000 ti: ffff880078ea8000 task.ti: ffff880078ea8000
      [   23.020981] RIP: 0010:[<ffffffff813f11ff>]  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
      [   23.020981] RSP: 0018:ffff880078eabb60  EFLAGS: 00010a03
      [   23.020982] RAX: 4444444444444567 RBX: 0000000000000000 RCX: 000000000000001f
      [   23.020982] RDX: 000000000000014c RSI: 000000000000026f RDI: 0000000000000000
      [   23.020982] RBP: ffff880078eabb70 R08: 0000000000000004 R09: 0000000000000036
      [   23.020983] R10: 000000000000026f R11: 0000000000000000 R12: 000000000000026f
      [   23.020983] R13: 000000000000026f R14: ffff88007c944b40 R15: 000000000000026f
      [   23.020984] FS:  00007f9a2f3cc700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
      [   23.020984] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   23.020985] CR2: 0000000000000010 CR3: 000000006c81b000 CR4: 00000000001406f0
      [   23.020988] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   23.020988] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   23.020988] Stack:
      [   23.020989]  0000000000000000 000000000000026f ffff880078eabb90 ffffffff812a5a99
      [   23.020990]  0000000000000000 00000000fffffff4 ffff880078eabba8 ffffffff814f9cbe
      [   23.020991]  ffff88007965c800 ffff880078eabbc8 ffffffff814eef43 fffffffffffffff4
      [   23.020991] Call Trace:
      [   23.021000]  [<ffffffff812a5a99>] devpts_kill_index+0x29/0x50
      [   23.021002]  [<ffffffff814f9cbe>] pty_unix98_remove+0x2e/0x50
      [   23.021006]  [<ffffffff814eef43>] release_tty+0xb3/0x1b0
      [   23.021007]  [<ffffffff814f18d4>] tty_init_dev+0xd4/0x1c0
      [   23.021011]  [<ffffffff814f9fae>] ptmx_open+0xae/0x190
      [   23.021013]  [<ffffffff812254ef>] chrdev_open+0xbf/0x1b0
      [   23.021015]  [<ffffffff8121d973>] do_dentry_open+0x203/0x310
      [   23.021016]  [<ffffffff81225430>] ? cdev_put+0x30/0x30
      [   23.021017]  [<ffffffff8121ee44>] vfs_open+0x54/0x80
      [   23.021018]  [<ffffffff8122b8fc>] ? may_open+0x8c/0x100
      [   23.021019]  [<ffffffff8122f26b>] path_openat+0x2eb/0x1440
      [   23.021020]  [<ffffffff81230534>] ? putname+0x54/0x60
      [   23.021022]  [<ffffffff814f6f97>] ? n_tty_ioctl_helper+0x27/0x100
      [   23.021023]  [<ffffffff81231651>] do_filp_open+0x91/0x100
      [   23.021024]  [<ffffffff81230596>] ? getname_flags+0x56/0x1f0
      [   23.021026]  [<ffffffff8123fc66>] ? __alloc_fd+0x46/0x190
      [   23.021027]  [<ffffffff8121f1e4>] do_sys_open+0x124/0x210
      [   23.021028]  [<ffffffff8121f2ee>] SyS_open+0x1e/0x20
      [   23.021035]  [<ffffffff81845576>] entry_SYSCALL_64_fastpath+0x1e/0xa8
      [   23.021044] Code: 63 28 45 31 e4 eb dd 0f 1f 44 00 00 55 4c 63 d6 48 ba 89 88 88 88 88 88 88 88 4c 89 d0 b9 1f 00 00 00 48 f7 e2 48 89 e5 41 54 53 <8b> 47 10 48 89 fb 8d 3c c5 00 00 00 00 48 c1 ea 09 b8 01 00 00
      [   23.021045] RIP  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
      [   23.021045]  RSP <ffff880078eabb60>
      [   23.021046] CR2: 0000000000000010
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0292a0f
    • Rafael J. Wysocki's avatar
      cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy() · 4be5c33b
      Rafael J. Wysocki authored
      commit 742c87bf upstream.
      
      CPU notifications from the firmware coming in when cpufreq is
      suspended cause cpufreq_update_current_freq() to return 0 which
      triggers the WARN_ON() in cpufreq_update_policy() for no reason.
      
      Avoid that by checking cpufreq_suspended before calling
      cpufreq_update_current_freq().
      
      Fixes: c9d9c929 (cpufreq: Abort cpufreq_update_current_freq() for cpufreq_suspended set)
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4be5c33b
    • Miklos Szeredi's avatar
      9p: use file_dentry() · 8b592e2a
      Miklos Szeredi authored
      commit b403f0e3 upstream.
      
      v9fs may be used as lower layer of overlayfs and accessing f_path.dentry
      can lead to a crash.  In this case it's a NULL pointer dereference in
      p9_fid_create().
      
      Fix by replacing direct access of file->f_path.dentry with the
      file_dentry() accessor, which will always return a native object.
      Reported-by: default avatarAlessio Igor Bogani <alessioigorbogani@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Tested-by: default avatarAlessio Igor Bogani <alessioigorbogani@gmail.com>
      Fixes: 4bacc9c9 ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b592e2a
    • Vegard Nossum's avatar
      ext4: verify extent header depth · af2be3d2
      Vegard Nossum authored
      commit 7bc94916 upstream.
      
      Although the extent tree depth of 5 should enough be for the worst
      case of 2*32 extents of length 1, the extent tree code does not
      currently to merge nodes which are less than half-full with a sibling
      node, or to shrink the tree depth if possible.  So it's possible, at
      least in theory, for the tree depth to be greater than 5.  However,
      even in the worst case, a tree depth of 32 is highly unlikely, and if
      the file system is maliciously corrupted, an insanely large eh_depth
      can cause memory allocation failures that will trigger kernel warnings
      (here, eh_depth = 65280):
      
          JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256
          ------------[ cut here ]------------
          WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580
          CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508
          Stack:
           604a8947 625badd8 0002fd09 00000000
           60078643 00000000 62623910 601bf9bc
           62623970 6002fc84 626239b0 900000125
          Call Trace:
           [<6001c2dc>] show_stack+0xdc/0x1a0
           [<601bf9bc>] dump_stack+0x2a/0x2e
           [<6002fc84>] __warn+0x114/0x140
           [<6002fdff>] warn_slowpath_null+0x1f/0x30
           [<60165829>] start_this_handle+0x569/0x580
           [<60165d4e>] jbd2__journal_start+0x11e/0x220
           [<60146690>] __ext4_journal_start_sb+0x60/0xa0
           [<60120a81>] ext4_truncate+0x131/0x3a0
           [<60123677>] ext4_setattr+0x757/0x840
           [<600d5d0f>] notify_change+0x16f/0x2a0
           [<600b2b16>] do_truncate+0x76/0xc0
           [<600c3e56>] path_openat+0x806/0x1300
           [<600c55c9>] do_filp_open+0x89/0xf0
           [<600b4074>] do_sys_open+0x134/0x1e0
           [<600b4140>] SyS_open+0x20/0x30
           [<6001ea68>] handle_syscall+0x88/0x90
           [<600295fd>] userspace+0x3fd/0x500
           [<6001ac55>] fork_handler+0x85/0x90
      
          ---[ end trace 08b0b88b6387a244 ]---
      
      [ Commit message modified and the extent tree depath check changed
      from 5 to 32 -- tytso ]
      
      Cc: Darrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af2be3d2
    • Jeff Mahoney's avatar
      ecryptfs: don't allow mmap when the lower fs doesn't support it · f7803b2f
      Jeff Mahoney authored
      commit f0fe970d upstream.
      
      There are legitimate reasons to disallow mmap on certain files, notably
      in sysfs or procfs.  We shouldn't emulate mmap support on file systems
      that don't offer support natively.
      
      CVE-2016-1583
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      [tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7803b2f
    • Jeff Mahoney's avatar
      Revert "ecryptfs: forbid opening files without mmap handler" · 9cd0ae8d
      Jeff Mahoney authored
      commit 78c4e172 upstream.
      
      This reverts commit 2f36db71.
      
      It fixed a local root exploit but also introduced a dependency on
      the lower file system implementing an mmap operation just to open a file,
      which is a bit of a heavy hammer.  The right fix is to have mmap depend
      on the existence of the mmap handler instead.
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9cd0ae8d