1. 23 Dec, 2016 12 commits
    • Eric Dumazet's avatar
      tcp: fix use after free in tcp_xmit_retransmit_queue() · fa9b0c17
      Eric Dumazet authored
      [ Upstream commit bb1fceca ]
      
      When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
      tail of the write queue using tcp_add_write_queue_tail()
      
      Then it attempts to copy user data into this fresh skb.
      
      If the copy fails, we undo the work and remove the fresh skb.
      
      Unfortunately, this undo lacks the change done to tp->highest_sack and
      we can leave a dangling pointer (to a freed skb)
      
      Later, tcp_xmit_retransmit_queue() can dereference this pointer and
      access freed memory. For regular kernels where memory is not unmapped,
      this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
      returning garbage instead of tp->snd_nxt, but with various debug
      features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
      
      This bug was found by Marco Grassi thanks to syzkaller.
      
      Fixes: 6859d494 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
      Reported-by: default avatarMarco Grassi <marco.gra@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Reviewed-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fa9b0c17
    • Sebastian Andrzej Siewior's avatar
      x86/kexec: add -fno-PIE · 5341057b
      Sebastian Andrzej Siewior authored
      [ Upstream commit 90944e40 ]
      
      If the gcc is configured to do -fPIE by default then the build aborts
      later with:
      | Unsupported relocation type: unknown type rel type name (29)
      
      Tagging it stable so it is possible to compile recent stable kernels as
      well.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5341057b
    • Sebastian Andrzej Siewior's avatar
      scripts/has-stack-protector: add -fno-PIE · c873ec3a
      Sebastian Andrzej Siewior authored
      [ Upstream commit 82031ea2 ]
      
      Adding -no-PIE to the fstack protector check. -no-PIE was introduced
      before -fstack-protector so there is no need for a runtime check.
      
      Without it the build stops:
      |Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong available but compiler is broken
      
      due to -mcmodel=kernel + -fPIE if -fPIE is enabled by default.
      
      Tagging it stable so it is possible to compile recent stable kernels as
      well.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      c873ec3a
    • Andy Lutomirski's avatar
      x86/init: Fix cr4_init_shadow() on CR4-less machines · 0e3f4b0f
      Andy Lutomirski authored
      [ Upstream commit e1bfc11c ]
      
      cr4_init_shadow() will panic on 486-like machines without CR4.  Fix
      it using __read_cr4_safe().
      
      Reported-by: david@saggiorato.net
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Fixes: 1e02ce4c ("x86: Store a per-cpu shadow copy of CR4")
      Link: http://lkml.kernel.org/r/43a20f81fb504013bf613913dc25574b45336a61.1475091074.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      0e3f4b0f
    • Roger Quadros's avatar
      ARM: 8617/1: dma: fix dma_max_pfn() · d884eb7c
      Roger Quadros authored
      [ Upstream commit d248220f ]
      
      Since commit 6ce0d200 ("ARM: dma: Use dma_pfn_offset for dma address translation"),
      dma_to_pfn() already returns the PFN with the physical memory start offset
      so we don't need to add it again.
      
      This fixes USB mass storage lock-up problem on systems that can't do DMA
      over the entire physical memory range (e.g.) Keystone 2 systems with 4GB RAM
      can only do DMA over the first 2GB. [K2E-EVM].
      
      What happens there is that without this patch SCSI layer sets a wrong
      bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass
      storage device. dma_max_pfn() evaluates to 0x8fffff and bounce_limit
      is set to 0x8fffff000 whereas maximum DMA'ble physical memory on Keystone 2
      is 0x87fffffff. This results in non DMA'ble pages being given to the
      USB controller and hence the lock-up.
      
      NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as 0.
      This should have really been 0x780000 as on K2e, LOWMEM_START is 0x80000000
      and HIGHMEM_START is 0x800000000. DMA zone is 2GB so dma_max_pfn should be
      0x87ffff. The incorrect dma_pfn_offset for the USB storage device is because
      USB devices are not correctly inheriting the dma_pfn_offset from the
      USB host controller. This will be fixed by a separate patch.
      
      Fixes: 6ce0d200 ("ARM: dma: Use dma_pfn_offset for dma address translation")
      Cc: stable@vger.kernel.org
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Reported-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d884eb7c
    • zhong jiang's avatar
      mm,ksm: fix endless looping in allocating memory when ksm enable · 956e1e40
      zhong jiang authored
      [ Upstream commit 5b398e41 ]
      
      I hit the following hung task when runing a OOM LTP test case with 4.1
      kernel.
      
      Call trace:
      [<ffffffc000086a88>] __switch_to+0x74/0x8c
      [<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
      [<ffffffc000a1c09c>] schedule+0x3c/0x94
      [<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
      [<ffffffc000a1e32c>] down_write+0x64/0x80
      [<ffffffc00021f794>] __ksm_exit+0x90/0x19c
      [<ffffffc0000be650>] mmput+0x118/0x11c
      [<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
      [<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
      [<ffffffc0000d0f34>] get_signal+0x444/0x5e0
      [<ffffffc000089fcc>] do_signal+0x1d8/0x450
      [<ffffffc00008a35c>] do_notify_resume+0x70/0x78
      
      The oom victim cannot terminate because it needs to take mmap_sem for
      write while the lock is held by ksmd for read which loops in the page
      allocator
      
      ksm_do_scan
      	scan_get_next_rmap_item
      		down_read
      		get_next_rmap_item
      			alloc_rmap_item   #ksmd will loop permanently.
      
      There is no way forward because the oom victim cannot release any memory
      in 4.1 based kernel.  Since 4.6 we have the oom reaper which would solve
      this problem because it would release the memory asynchronously.
      Nevertheless we can relax alloc_rmap_item requirements and use
      __GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
      would just retry later after the lock got dropped.
      
      Such a patch would be also easy to backport to older stable kernels which
      do not have oom_reaper.
      
      While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
      by the allocation failure.
      
      Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.comSigned-off-by: default avatarzhong jiang <zhongjiang@huawei.com>
      Suggested-by: default avatarHugh Dickins <hughd@google.com>
      Suggested-by: default avatarMichal Hocko <mhocko@suse.cz>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      956e1e40
    • Sergei Miroshnichenko's avatar
      can: dev: fix deadlock reported after bus-off · 5e5920ac
      Sergei Miroshnichenko authored
      [ Upstream commit 9abefcb1 ]
      
      A timer was used to restart after the bus-off state, leading to a
      relatively large can_restart() executed in an interrupt context,
      which in turn sets up pinctrl. When this happens during system boot,
      there is a high probability of grabbing the pinctrl_list_mutex,
      which is locked already by the probe() of other device, making the
      kernel suspect a deadlock condition [1].
      
      To resolve this issue, the restart_timer is replaced by a delayed
      work.
      
      [1] https://github.com/victronenergy/venus/issues/24Signed-off-by: default avatarSergei Miroshnichenko <sergeimir@emcraft.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5e5920ac
    • Joonwoo Park's avatar
      cpuset: handle race between CPU hotplug and cpuset_hotplug_work · e1df4c5d
      Joonwoo Park authored
      [ Upstream commit 28b89b9e ]
      
      A discrepancy between cpu_online_mask and cpuset's effective_cpus
      mask is inevitable during hotplug since cpuset defers updating of
      effective_cpus mask using a workqueue, during which time nothing
      prevents the system from more hotplug operations.  For that reason
      guarantee_online_cpus() walks up the cpuset hierarchy until it finds
      an intersection under the assumption that top cpuset's effective_cpus
      mask intersects with cpu_online_mask even with such a race occurring.
      
      However a sequence of CPU hotplugs can open a time window, during which
      none of the effective CPUs in the top cpuset intersect with
      cpu_online_mask.
      
      For example when there are 4 possible CPUs 0-3 and only CPU0 is online:
      
        ========================  ===========================
         cpu_online_mask           top_cpuset.effective_cpus
        ========================  ===========================
         echo 1 > cpu2/online.
         CPU hotplug notifier woke up hotplug work but not yet scheduled.
            [0,2]                     [0]
      
         echo 0 > cpu0/online.
         The workqueue is still runnable.
            [2]                       [0]
        ========================  ===========================
      
        Now there is no intersection between cpu_online_mask and
        top_cpuset.effective_cpus.  Thus invoking sys_sched_setaffinity() at
        this moment can cause following:
      
         Unable to handle kernel NULL pointer dereference at virtual address 000000d0
         ------------[ cut here ]------------
         Kernel BUG at ffffffc0001389b0 [verbose debug info unavailable]
         Internal error: Oops - BUG: 96000005 [#1] PREEMPT SMP
         Modules linked in:
         CPU: 2 PID: 1420 Comm: taskset Tainted: G        W       4.4.8+ #98
         task: ffffffc06a5c4880 ti: ffffffc06e124000 task.ti: ffffffc06e124000
         PC is at guarantee_online_cpus+0x2c/0x58
         LR is at cpuset_cpus_allowed+0x4c/0x6c
         <snip>
         Process taskset (pid: 1420, stack limit = 0xffffffc06e124020)
         Call trace:
         [<ffffffc0001389b0>] guarantee_online_cpus+0x2c/0x58
         [<ffffffc00013b208>] cpuset_cpus_allowed+0x4c/0x6c
         [<ffffffc0000d61f0>] sched_setaffinity+0xc0/0x1ac
         [<ffffffc0000d6374>] SyS_sched_setaffinity+0x98/0xac
         [<ffffffc000085cb0>] el0_svc_naked+0x24/0x28
      
      The top cpuset's effective_cpus are guaranteed to be identical to
      cpu_online_mask eventually.  Hence fall back to cpu_online_mask when
      there is no intersection between top cpuset's effective_cpus and
      cpu_online_mask.
      Signed-off-by: default avatarJoonwoo Park <joonwoop@codeaurora.org>
      Acked-by: default avatarLi Zefan <lizefan@huawei.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: cgroups@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: <stable@vger.kernel.org> # 3.17+
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      e1df4c5d
    • Karl Beldan's avatar
      mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl · 57d83cda
      Karl Beldan authored
      [ Upstream commit f6d7c1b5 ]
      
      This fixes subpage writes when using 4-bit HW ECC.
      
      There has been numerous reports about ECC errors with devices using this
      driver for a while.  Also the 4-bit ECC has been reported as broken with
      subpages in [1] and with 16 bits NANDs in the driver and in mach* board
      files both in mainline and in the vendor BSPs.
      
      What I saw with 4-bit ECC on a 16bits NAND (on an LCDK) which got me to
      try reinitializing the ECC engine:
      - R/W on whole pages properly generates/checks RS code
      - try writing the 1st subpage only of a blank page, the subpage is well
        written and the RS code properly generated, re-reading the same page
        the HW detects some ECC error, reading the same page again no ECC
        error is detected
      
      Note that the ECC engine is already reinitialized in the 1-bit case.
      
      Tested on my LCDK with UBI+UBIFS using subpages.
      This could potentially get rid of the issue workarounded in [1].
      
      [1] 28c015a9 ("mtd: davinci-nand: disable subpage write for keystone-nand")
      
      Fixes: 6a4123e5 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarKarl Beldan <kbeldan@baylibre.com>
      Acked-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      57d83cda
    • Rob Clark's avatar
      drm/msm: fix use of copy_from_user() while holding spinlock · 86a53e36
      Rob Clark authored
      [ Upstream commit 89f82cbb ]
      
      Use instead __copy_from_user_inatomic() and fallback to slow-path where
      we drop and re-aquire the lock in case of fault.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarVaishali Thakkar <vaishali.thakkar@oracle.com>
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      86a53e36
    • Pawel Moll's avatar
      bus: arm-ccn: Fix PMU handling of MN · 077ae72a
      Pawel Moll authored
      [ Upstream commit 4e486cba ]
      
      The "Miscellaneous Node" fell through cracks of node initialisation,
      as its ID is shared with HN-I.
      
      This patch treats MN as a special case (which it is), adding separate
      validation check for it and pre-defining the node ID in relevant events
      descriptions. That way one can simply run:
      
      	# perf stat -a -e ccn/mn_ecbarrier/ <workload>
      
      Additionally, direction in the MN pseudo-events XP watchpoint
      definitions is corrected to be "TX" (1) as they are defined from the
      crosspoint point of view (thus barriers are transmitted from XP to MN).
      
      Cc: stable@vger.kernel.org # 3.17+
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      077ae72a
    • Pawel Moll's avatar
      bus: arm-ccn: Provide required event arguments · 69ecf071
      Pawel Moll authored
      [ Upstream commit 8f06c51f ]
      
      Since 688d4dfc "perf tools: Support
      parsing parameterized events" the perf userspace tools understands
      "argument=?" syntax in the events file, making sure that required
      arguments are provided by the user and not defaulting to 0, causing
      confusion.
      
      This patch adds the required arguments lists for CCN events.
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      69ecf071
  2. 02 Dec, 2016 1 commit
  3. 29 Nov, 2016 1 commit
  4. 25 Nov, 2016 1 commit
    • Sebastian Andrzej Siewior's avatar
      kbuild: add -fno-PIE · e45cc419
      Sebastian Andrzej Siewior authored
      [ Upstream commit 8ae94224 ]
      
      Debian started to build the gcc with -fPIE by default so the kernel
      build ends before it starts properly with:
      |kernel/bounds.c:1:0: error: code model kernel does not support PIC mode
      
      Also add to KBUILD_AFLAGS due to:
      
      |gcc -Wp,-MD,arch/x86/entry/vdso/vdso32/.note.o.d … -mfentry -DCC_USING_FENTRY … vdso/vdso32/note.S
      |arch/x86/entry/vdso/vdso32/note.S:1:0: sorry, unimplemented: -mfentry isn’t supported for 32-bit in combination with -fpic
      
      Tagging it stable so it is possible to compile recent stable kernels as
      well.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      e45cc419
  5. 24 Nov, 2016 25 commits
    • Stefan Richter's avatar
      firewire: net: fix fragmented datagram_size off-by-one · 1eb043ff
      Stefan Richter authored
      [ Upstream commit e9300a4b ]
      
      RFC 2734 defines the datagram_size field in fragment encapsulation
      headers thus:
      
          datagram_size:  The encoded size of the entire IP datagram.  The
          value of datagram_size [...] SHALL be one less than the value of
          Total Length in the datagram's IP header (see STD 5, RFC 791).
      
      Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got
      this field with a -/+1 offset:
      
          ether1394_tx() /* transmit */
              ether1394_encapsulate_prep()
                  hdr->ff.dg_size = dg_size - 1;
      
          ether1394_data_handler() /* receive */
              if (hdr->common.lf == ETH1394_HDR_LF_FF)
                  dg_size = hdr->ff.dg_size + 1;
              else
                  dg_size = hdr->sf.dg_size + 1;
      
      Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500
      byte sized datagrams in fragments with datagram_size=1499 if link
      fragmentation is required.
      
      Only firewire-net sets and gets datagram_size without this offset.  The
      result is lacking interoperability of firewire-net with OS X, Windows
      XP, and presumably Linux' eth1394.  (I did not test with the latter.)
      For example, FTP data transfers to a Linux firewire-net box with max_rec
      smaller than the 1500 bytes MTU
        - from OS X fail entirely,
        - from Win XP start out with a bunch of fragmented datagrams which
          time out, then continue with unfragmented datagrams because Win XP
          temporarily reduces the MTU to 576 bytes.
      
      So let's fix firewire-net's datagram_size accessors.
      
      Note that firewire-net thereby loses interoperability with unpatched
      firewire-net, but only if link fragmentation is employed.  (This happens
      with large broadcast datagrams, and with large datagrams on several
      FireWire CardBus cards with smaller max_rec than equivalent PCI cards,
      and it can be worked around by setting a small enough MTU.)
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      1eb043ff
    • Stefan Richter's avatar
      firewire: net: guard against rx buffer overflows · dff462fc
      Stefan Richter authored
      [ Upstream commit 667121ac ]
      
      The IP-over-1394 driver firewire-net lacked input validation when
      handling incoming fragmented datagrams.  A maliciously formed fragment
      with a respectively large datagram_offset would cause a memcpy past the
      datagram buffer.
      
      So, drop any packets carrying a fragment with offset + length larger
      than datagram_size.
      
      In addition, ensure that
        - GASP header, unfragmented encapsulation header, or fragment
          encapsulation header actually exists before we access it,
        - the encapsulated datagram or fragment is of nonzero size.
      Reported-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
      Reviewed-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
      Fixes: CVE 2016-8633
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      dff462fc
    • John David Anglin's avatar
      parisc: Ensure consistent state when switching to kernel stack at syscall entry · 056bcad9
      John David Anglin authored
      [ Upstream commit 6ed51832 ]
      
      We have one critical section in the syscall entry path in which we switch from
      the userspace stack to kernel stack. In the event of an external interrupt, the
      interrupt code distinguishes between those two states by analyzing the value of
      sr7. If sr7 is zero, it uses the kernel stack. Therefore it's important, that
      the value of sr7 is in sync with the currently enabled stack.
      
      This patch now disables interrupts while executing the critical section.  This
      prevents the interrupt handler to possibly see an inconsistent state which in
      the worst case can lead to crashes.
      
      Interestingly, in the syscall exit path interrupts were already disabled in the
      critical section which switches back to the userspace stack.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      056bcad9
    • Miklos Szeredi's avatar
      ovl: fsync after copy-up · dff2cd53
      Miklos Szeredi authored
      [ Upstream commit 641089c1 ]
      
      Make sure the copied up file hits the disk before renaming to the final
      destination.  If this is not done then the copy-up may corrupt the data in
      the file in case of a crash.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      dff2cd53
    • Matt Redfearn's avatar
      virtio: console: Unlock vqs while freeing buffers · cc30a01a
      Matt Redfearn authored
      [ Upstream commit 34563769 ]
      
      Commit c6017e79 ("virtio: console: add locks around buffer removal
      in port unplug path") added locking around the freeing of buffers in the
      vq. However, when free_buf() is called with can_sleep = true and rproc
      is enabled, it calls dma_free_coherent() directly, requiring interrupts
      to be enabled. Currently a WARNING is triggered due to the spin locking
      around free_buf, with a call stack like this:
      
      WARNING: CPU: 3 PID: 121 at ./include/linux/dma-mapping.h:433
      free_buf+0x1a8/0x288
      Call Trace:
      [<8040c538>] show_stack+0x74/0xc0
      [<80757240>] dump_stack+0xd0/0x110
      [<80430d98>] __warn+0xfc/0x130
      [<80430ee0>] warn_slowpath_null+0x2c/0x3c
      [<807e7c6c>] free_buf+0x1a8/0x288
      [<807ea590>] remove_port_data+0x50/0xac
      [<807ea6a0>] unplug_port+0xb4/0x1bc
      [<807ea858>] virtcons_remove+0xb0/0xfc
      [<807b6734>] virtio_dev_remove+0x58/0xc0
      [<807f918c>] __device_release_driver+0xac/0x134
      [<807f924c>] device_release_driver+0x38/0x50
      [<807f7edc>] bus_remove_device+0xfc/0x130
      [<807f4b74>] device_del+0x17c/0x21c
      [<807f4c38>] device_unregister+0x24/0x38
      [<807b6b50>] unregister_virtio_device+0x28/0x44
      
      Fix this by restructuring the loops to allow the locks to only be taken
      where it is necessary to protect the vqs, and release it while the
      buffer is being freed.
      
      Fixes: c6017e79 ("virtio: console: add locks around buffer removal in port unplug path")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMatt Redfearn <matt.redfearn@imgtec.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      cc30a01a
    • NeilBrown's avatar
      md: be careful not lot leak internal curr_resync value into metadata. -- (all) · 919224dc
      NeilBrown authored
      [ Upstream commit 1217e1d1 ]
      
      mddev->curr_resync usually records where the current resync is up to,
      but during the starting phase it has some "magic" values.
      
       1 - means that the array is trying to start a resync, but has yielded
           to another array which shares physical devices, and also needs to
           start a resync
       2 - means the array is trying to start resync, but has found another
           array which shares physical devices and has already started resync.
      
       3 - means that resync has commensed, but it is possible that nothing
           has actually been resynced yet.
      
      It is important that this value not be visible to user-space and
      particularly that it doesn't get written to the metadata, as the
      resync or recovery checkpoint.  In part, this is because it may be
      slightly higher than the correct value, though this is very rare.
      In part, because it is not a multiple of 4K, and some devices only
      support 4K aligned accesses.
      
      There are two places where this value is propagates into either
      ->curr_resync_completed or ->recovery_cp or ->recovery_offset.
      These currently avoid the propagation of values 1 and 3, but will
      allow 3 to leak through.
      
      Change them to only propagate the value if it is > 3.
      
      As this can cause an array to fail, the patch is suitable for -stable.
      
      Cc: stable@vger.kernel.org (v3.7+)
      Reported-by: default avatarViswesh <viswesh.vichu@gmail.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      919224dc
    • NeilBrown's avatar
      md: sync sync_completed has correct value as recovery finishes. · debebae7
      NeilBrown authored
      [ Upstream commit 5ed1df2e ]
      
      There can be a small window between the moment that recovery
      actually writes the last block and the time when various sysfs
      and /proc/mdstat attributes report that it has finished.
      During this time, 'sync_completed' can have the wrong value.
      This can confuse monitoring software.
      
      So:
       - don't set curr_resync_completed beyond the end of the devices,
       - set it correctly when resync/recovery has completed.
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      debebae7
    • Ching Huang's avatar
      scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware · 98d446ef
      Ching Huang authored
      [ Upstream commit 2bf7dc84 ]
      
      The arcmsr driver failed to pass SYNCHRONIZE CACHE to controller
      firmware. Depending on how drive caches are handled internally by
      controller firmware this could potentially lead to data integrity
      problems.
      
      Ensure that cache flushes are passed to the controller.
      
      [mkp: applied by hand and removed unused vars]
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarChing Huang <ching2048@areca.com.tw>
      Reported-by: default avatarTomas Henzl <thenzl@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      98d446ef
    • Ewan D. Milne's avatar
      scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded · 103432f0
      Ewan D. Milne authored
      [ Upstream commit 4d2b496f ]
      
      map_storep was not being vfree()'d in the module_exit call.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarEwan D. Milne <emilne@redhat.com>
      Reviewed-by: default avatarLaurence Oberman <loberman@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      103432f0
    • Alex Deucher's avatar
      drm/radeon/si_dpm: workaround for SI kickers · c0e76ecc
      Alex Deucher authored
      [ Upstream commit 7dc86ef5 ]
      
      Consolidate existing quirks. Fixes stability issues
      on some kickers.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      c0e76ecc
    • James Hogan's avatar
      KVM: MIPS: Make ERET handle ERL before EXL · b4caa5be
      James Hogan authored
      [ Upstream commit ede5f3e7 ]
      
      The ERET instruction to return from exception is used for returning from
      exception level (Status.EXL) and error level (Status.ERL). If both bits
      are set however we should be returning from ERL first, as ERL can
      interrupt EXL, for example when an NMI is taken. KVM however checks EXL
      first.
      
      Fix the order of the checks to match the pseudocode in the instruction
      set manual.
      
      Fixes: e685c689 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: kvm@vger.kernel.org
      Cc: <stable@vger.kernel.org> # 3.10.x-
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b4caa5be
    • Lucas Stach's avatar
      drm/radeon: drop register readback in cayman_cp_int_cntl_setup · 1d98a7de
      Lucas Stach authored
      [ Upstream commit 537b4b46 ]
      
      The read is taking a considerable amount of time (about 50us on this
      machine). The register does not ever hold anything other than the ring
      ID that is updated in this exact function, so there is no need for
      the read modify write cycle.
      
      This chops off a big chunk of the time spent in hardirq disabled
      context, as this function is called multiple times in the interrupt
      handler. With this change applied radeon won't show up in the list
      of the worst IRQ latency offenders anymore, where it was a regular
      before.
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarLucas Stach <dev@lynxeye.de>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      1d98a7de
    • Kashyap Desai's avatar
      scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices · 24542192
      Kashyap Desai authored
      [ Upstream commit 1e793f6f ]
      
      Commit 02b01e01 ("megaraid_sas: return sync cache call with
      success") modified the driver to successfully complete SYNCHRONIZE_CACHE
      commands without passing them to the controller. Disk drive caches are
      only explicitly managed by controller firmware when operating in RAID
      mode. So this commit effectively disabled writeback cache flushing for
      any drives used in JBOD mode, leading to data integrity failures.
      
      [mkp: clarified patch description]
      
      Fixes: 02b01e01
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarKashyap Desai <kashyap.desai@broadcom.com>
      Signed-off-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarEwan D. Milne <emilne@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      24542192
    • Sasha Levin's avatar
      powerpc: Convert cmp to cmpd in idle enter sequence · c6f51aab
      Sasha Levin authored
      [ Upstream commit 80f23935 ]
      
      PowerPC's "cmp" instruction has four operands. Normally people write
      "cmpw" or "cmpd" for the second cmp operand 0 or 1. But, frequently
      people forget, and write "cmp" with just three operands.
      
      With older binutils this is silently accepted as if this was "cmpw",
      while often "cmpd" is wanted. With newer binutils GAS will complain
      about this for 64-bit code. For 32-bit code it still silently assumes
      "cmpw" is what is meant.
      
      In this instance the code comes directly from ISA v2.07, including the
      cmp, but cmpd is correct. Backport to stable so that new toolchains can
      build old kernels.
      
      Fixes: 948cf67c ("powerpc: Add NAP mode support on Power7 in HV mode")
      Cc: stable@vger.kernel.org # v3.0
      Reviewed-by: default avatarVaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
      Signed-off-by: default avatarSegher Boessenkool <segher@kernel.crashing.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      c6f51aab
    • Tom St Denis's avatar
      drm/radeon/si_dpm: Limit clocks on HD86xx part · 2b5408a0
      Tom St Denis authored
      [ Upstream commit fb9a5b0c ]
      
      Limit clocks on a specific HD86xx part to avoid
      crashes (while awaiting an appropriate PP fix).
      Signed-off-by: default avatarTom St Denis <tom.stdenis@amd.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      2b5408a0
    • Alex Deucher's avatar
      drm/radeon/si/dpm: add workaround for for Jet parts · 2c21744a
      Alex Deucher authored
      [ Upstream commit 670bb4fd ]
      
      Add clock quirks for Jet parts.
      Reviewed-by: default avatarSonny Jiang <sonny.jiang@amd.com>
      Tested-by: default avatarSonny Jiang <sonny.jiang@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      2c21744a
    • Johan Hovold's avatar
      USB: serial: cp210x: fix tiocmget error handling · 1f601388
      Johan Hovold authored
      [ Upstream commit de24e0a1 ]
      
      The current tiocmget implementation would fail to report errors up the
      stack and instead leaked a few bits from the stack as a mask of
      modem-status flags.
      
      Fixes: 39a66b8d ("[PATCH] USB: CP2101 Add support for flow control")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      1f601388
    • Patrick Scheuring's avatar
      Input: i8042 - add XMG C504 to keyboard reset table · d95841d1
      Patrick Scheuring authored
      [ Upstream commit da25311c ]
      
      The Schenker XMG C504 is a rebranded Gigabyte P35 v2 laptop.
      Therefore it also needs a keyboard reset to detect the Elantech touchpad.
      Otherwise the touchpad appears to be dead.
      
      With this patch the touchpad is detected:
      
      $ dmesg | grep -E "(i8042|Elantech|elantech)"
      
      [    2.675399] i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
      [    2.680372] i8042: Attempting to reset device connected to KBD port
      [    2.789037] serio: i8042 KBD port at 0x60,0x64 irq 1
      [    2.791586] serio: i8042 AUX port at 0x60,0x64 irq 12
      [    2.813840] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
      [    3.811431] psmouse serio1: elantech: assuming hardware version 4 (with firmware version 0x361f0e)
      [    3.825424] psmouse serio1: elantech: Synaptics capabilities query result 0x00, 0x15, 0x0f.
      [    3.839424] psmouse serio1: elantech: Elan sample query result 03, 58, 74
      [    3.911349] input: ETPS/2 Elantech Touchpad as /devices/platform/i8042/serio1/input/input6
      Signed-off-by: default avatarPatrick Scheuring <patrick.scheuring.dev@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d95841d1
    • Johannes Berg's avatar
      mac80211: discard multicast and 4-addr A-MSDUs · fa3fcdd3
      Johannes Berg authored
      [ Upstream commit ea720935 ]
      
      In mac80211, multicast A-MSDUs are accepted in many cases that
      they shouldn't be accepted in:
       * drop A-MSDUs with a multicast A1 (RA), as required by the
         spec in 9.11 (802.11-2012 version)
       * drop A-MSDUs with a 4-addr header, since the fourth address
         can't actually be useful for them; unless 4-address frame
         format is actually requested, even though the fourth address
         is still not useful in this case, but ignored
      
      Accepting the first case, in particular, is very problematic
      since it allows anyone else with possession of a GTK to send
      unicast frames encapsulated in a multicast A-MSDU, even when
      the AP has client isolation enabled.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fa3fcdd3
    • Gerald Schaefer's avatar
      GenWQE: Fix bad page access during abort of resource allocation · 7d9ad295
      Gerald Schaefer authored
      [ Upstream commit a7a7aeef ]
      
      When interrupting an application which was allocating DMAable
      memory, it was possible, that the DMA memory was deallocated
      twice, leading to the error symptoms below.
      
      Thanks to Gerald, who analyzed the problem and provided this
      patch.
      
      I agree with his analysis of the problem: ddcb_cmd_fixups() ->
      genwqe_alloc_sync_sgl() (fails in f/lpage, but sgl->sgl != NULL
      and f/lpage maybe also != NULL) -> ddcb_cmd_cleanup() ->
      genwqe_free_sync_sgl() (double free, because sgl->sgl != NULL and
      f/lpage maybe also != NULL)
      
      In this scenario we would have exactly the kind of double free that
      would explain the WARNING / Bad page state, and as expected it is
      caused by broken error handling (cleanup).
      
      Using the Ubuntu git source, tag Ubuntu-4.4.0-33.52, he was able to reproduce
      the "Bad page state" issue, and with the patch on top he could not reproduce
      it any more.
      
      ------------[ cut here ]------------
      WARNING: at /build/linux-o03cxz/linux-4.4.0/arch/s390/include/asm/pci_dma.h:141
      Modules linked in: qeth_l2 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common genwqe_card qeth crc_itu_t qdio ccwgroup vmur dm_multipath dasd_eckd_mod dasd_mod
      CPU: 2 PID: 3293 Comm: genwqe_gunzip Not tainted 4.4.0-33-generic #52-Ubuntu
      task: 0000000032c7e270 ti: 00000000324e4000 task.ti: 00000000324e4000
      Krnl PSW : 0404c00180000000 0000000000156346 (dma_update_cpu_trans+0x9e/0xa8)
                 R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
      Krnl GPRS: 00000000324e7bcd 0000000000c3c34a 0000000027628298 000000003215b400
                 0000000000000400 0000000000001fff 0000000000000400 0000000116853000
                 07000000324e7b1e 0000000000000001 0000000000000001 0000000000000001
                 0000000000001000 0000000116854000 0000000000156402 00000000324e7a38
      Krnl Code: 000000000015633a: 95001000           cli     0(%r1),0
                 000000000015633e: a774ffc3           brc     7,1562c4
                #0000000000156342: a7f40001           brc     15,156344
                >0000000000156346: 92011000           mvi     0(%r1),1
                 000000000015634a: a7f4ffbd           brc     15,1562c4
                 000000000015634e: 0707               bcr     0,%r7
                 0000000000156350: c00400000000       brcl    0,156350
                 0000000000156356: eb7ff0500024       stmg    %r7,%r15,80(%r15)
      Call Trace:
      ([<00000000001563e0>] dma_update_trans+0x90/0x228)
       [<00000000001565dc>] s390_dma_unmap_pages+0x64/0x160
       [<00000000001567c2>] s390_dma_free+0x62/0x98
       [<000003ff801310ce>] __genwqe_free_consistent+0x56/0x70 [genwqe_card]
       [<000003ff801316d0>] genwqe_free_sync_sgl+0xf8/0x160 [genwqe_card]
       [<000003ff8012bd6e>] ddcb_cmd_cleanup+0x86/0xa8 [genwqe_card]
       [<000003ff8012c1c0>] do_execute_ddcb+0x110/0x348 [genwqe_card]
       [<000003ff8012c914>] genwqe_ioctl+0x51c/0xc20 [genwqe_card]
       [<000000000032513a>] do_vfs_ioctl+0x3b2/0x518
       [<0000000000325344>] SyS_ioctl+0xa4/0xb8
       [<00000000007b86c6>] system_call+0xd6/0x264
       [<000003ff9e8e520a>] 0x3ff9e8e520a
      Last Breaking-Event-Address:
       [<0000000000156342>] dma_update_cpu_trans+0x9a/0xa8
      ---[ end trace 35996336235145c8 ]---
      BUG: Bad page state in process jbd2/dasdb1-8  pfn:3215b
      page:000003d100c856c0 count:-1 mapcount:0 mapping:          (null) index:0x0
      flags: 0x3fffc0000000000()
      page dumped because: nonzero _count
      Signed-off-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: default avatarFrank Haverkamp <haver@linux.vnet.ibm.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      7d9ad295
    • Chris Mason's avatar
      btrfs: fix races on root_log_ctx lists · 00736653
      Chris Mason authored
      [ Upstream commit 570dd450 ]
      
      btrfs_remove_all_log_ctxs takes a shortcut where it avoids walking the
      list because it knows all of the waiters are patiently waiting for the
      commit to finish.
      
      But, there's a small race where btrfs_sync_log can remove itself from
      the list if it finds a log commit is already done.  Also, it uses
      list_del_init() to remove itself from the list, but there's no way to
      know if btrfs_remove_all_log_ctxs has already run, so we don't know for
      sure if it is safe to call list_del_init().
      
      This gets rid of all the shortcuts for btrfs_remove_all_log_ctxs(), and
      just calls it with the proper locking.
      
      This is part two of the corruption fixed by cbd60aa7.  I should have
      done this in the first place, but convinced myself the optimizations were
      safe.  A 12 hour run of dbench 2048 will eventually trigger a list debug
      WARN_ON for the list_del_init() in btrfs_sync_log().
      
      Fixes: d1433debReported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      cc: stable@vger.kernel.org # 3.15+
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      00736653
    • Scot Doyle's avatar
      vt: clear selection before resizing · 0b2a0a58
      Scot Doyle authored
      [ Upstream commit 009e39ae ]
      
      When resizing a vt its selection may exceed the new size, resulting in
      an invalid memory access [1]. Clear the selection before resizing.
      
      [1] http://lkml.kernel.org/r/CACT4Y+acDTwy4umEvf5ROBGiRJNrxHN4Cn5szCXE5Jw-d1B=Xw@mail.gmail.comReported-and-tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarScot Doyle <lkml14@scotdoyle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      0b2a0a58
    • Dmitry Vyukov's avatar
      tty: limit terminal size to 4M chars · 78ad6d4c
      Dmitry Vyukov authored
      [ Upstream commit 32b2921e ]
      
      Size of kmalloc() in vc_do_resize() is controlled by user.
      Too large kmalloc() size triggers WARNING message on console.
      Put a reasonable upper bound on terminal size to prevent WARNINGs.
      Signed-off-by: default avatarDmitry Vyukov <dvyukov@google.com>
      CC: David Rientjes <rientjes@google.com>
      Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jiri Slaby <jslaby@suse.com>
      Cc: Peter Hurley <peter@hurleysoftware.com>
      Cc: linux-kernel@vger.kernel.org
      Cc: syzkaller@googlegroups.com
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      78ad6d4c
    • Marcel Hasler's avatar
      ALSA: usb-audio: Add quirk for Syntek STK1160 · 5352af8b
      Marcel Hasler authored
      [ Upstream commit bdc3478f ]
      
      The stk1160 chip needs QUIRK_AUDIO_ALIGN_TRANSFER. This patch resolves
      the issue reported on the mailing list
      (http://marc.info/?l=linux-sound&m=139223599126215&w=2) and also fixes
      bug 180071 (https://bugzilla.kernel.org/show_bug.cgi?id=180071).
      Signed-off-by: default avatarMarcel Hasler <mahasler@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5352af8b
    • David Howells's avatar
      KEYS: Fix short sprintf buffer in /proc/keys show function · abe571f8
      David Howells authored
      [ Upstream commit 03dab869 ]
      
      This fixes CVE-2016-7042.
      
      Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
      is turned on, this can cause a panic due to stack corruption.
      
      The problem is that xbuf[] is not big enough to hold a 64-bit timeout
      rendered as weeks:
      
      	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
      	$2 = 30500568904943
      
      That's 14 chars plus NUL, not 11 chars plus NUL.
      
      Expand the buffer to 16 chars.
      
      I think the unpatched code apparently works if the stack-protector is not
      enabled because on a 32-bit machine the buffer won't be overflowed and on a
      64-bit machine there's a 64-bit aligned pointer at one side and an int that
      isn't checked again on the other side.
      
      The panic incurred looks something like:
      
      Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
      CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
      Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
       ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
       ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
      Call Trace:
       [<ffffffff813d941f>] dump_stack+0x63/0x84
       [<ffffffff811b2cb6>] panic+0xde/0x22a
       [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
       [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
       [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
       [<ffffffff81350410>] ? key_validate+0x50/0x50
       [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
       [<ffffffff8126b31c>] seq_read+0x2cc/0x390
       [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
       [<ffffffff81244fc7>] __vfs_read+0x37/0x150
       [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
       [<ffffffff81246156>] vfs_read+0x96/0x130
       [<ffffffff81247635>] SyS_read+0x55/0xc0
       [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
      Reported-by: default avatarOndrej Kozina <okozina@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarOndrej Kozina <okozina@redhat.com>
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      abe571f8