1. 24 Mar, 2018 33 commits
  2. 22 Mar, 2018 7 commits
    • Linux 4.4.123 · 3753696b
      Greg Kroah-Hartman authored
    • bpf: fix incorrect sign extension in check_alu_op() · a6132276
      Jann Horn authored
      commit 95a762e2 upstream.
      
      Distinguish between
      BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
      and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
      only perform sign extension in the first case.
      
      This patch differs from the mainline one because the verifier's internals
      have changed in the meantime. Mainline tracks register values as 64-bit
      values; however, 4.4 still stores tracked register values as 32-bit
      values with sign extension. Therefore, in the case of a 32-bit op with
      negative immediate, the value can't be tracked; leave the register as
      UNKNOWN_VALUE (set by the preceding check_reg_arg() call).
      
      
      I have manually tested this patch on top of 4.4.122. For the following BPF
      bytecode:
      
              BPF_MOV64_IMM(BPF_REG_1, 1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_1, 1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV64_IMM(BPF_REG_1, -1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, -1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_1, -1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, -1, 2),
              BPF_MOV32_IMM(BPF_REG_0, 42),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_0, 43),
              BPF_EXIT_INSN()
      
      Verifier output on 4.4.122 without this patch:
      
      0: (b7) r1 = 1
      1: (15) if r1 == 0x1 goto pc+1
      3: (b4) (u32) r1 = (u32) 1
      4: (15) if r1 == 0x1 goto pc+1
      6: (b7) r1 = -1
      7: (15) if r1 == 0xffffffff goto pc+1
      9: (b4) (u32) r1 = (u32) -1
      10: (15) if r1 == 0xffffffff goto pc+2
      13: (b4) (u32) r0 = (u32) 43
      14: (95) exit
      
      Verifier output on 4.4.122+ with this patch:
      
      0: (b7) r1 = 1
      1: (15) if r1 == 0x1 goto pc+1
      3: (b4) (u32) r1 = (u32) 1
      4: (15) if r1 == 0x1 goto pc+1
      6: (b7) r1 = -1
      7: (15) if r1 == 0xffffffff goto pc+1
      9: (b4) (u32) r1 = (u32) -1
      10: (15) if r1 == 0xffffffff goto pc+2
       R1=inv R10=fp
      11: (b4) (u32) r0 = (u32) 42
      12: (95) exit
      
      from 10 to 13: R1=imm-1 R10=fp
      13: (b4) (u32) r0 = (u32) 43
      14: (95) exit
      
      Signed-off-by: Jann Horn <jannh@google.com>
      Acked-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
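
A user-space model of the distinction the bpf commit message above draws, added here as an example (not code from the patch or the kernel). The function names and the `trackable_as_imm()` model of 4.4's 32-bit sign-extended tracking are assumptions for illustration. It shows why a 32-bit MOV of -1 cannot be recorded as the constant -1: at run time the register holds 0x00000000ffffffff, so the JEQ against -1 at instruction 10 falls through.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Runtime result of BPF_ALU64|BPF_MOV|BPF_K: imm sign-extended to 64 bits. */
static uint64_t mov64_imm(int32_t imm) { return (uint64_t)(int64_t)imm; }

/* Runtime result of BPF_ALU|BPF_MOV|BPF_K: imm zero-padded to 64 bits. */
static uint64_t mov32_imm(int32_t imm) { return (uint64_t)(uint32_t)imm; }

/* Runtime BPF_JMP|BPF_JEQ|BPF_K: 64-bit compare against the sign-extended imm. */
static bool jeq_imm_taken(uint64_t reg, int32_t imm)
{
    return reg == (uint64_t)(int64_t)imm;
}

/*
 * Assumed model of 4.4 tracking: a constant is kept as a 32-bit value that
 * stands for its sign extension. Returns false when no such constant equals
 * the runtime value, i.e. the register has to stay UNKNOWN_VALUE.
 */
static bool trackable_as_imm(uint64_t runtime, int32_t *tracked)
{
    int32_t low = (int32_t)(uint32_t)runtime;

    if ((uint64_t)(int64_t)low != runtime)
        return false;
    *tracked = low;
    return true;
}

int main(void)
{
    const int32_t imms[] = { 1, -1 };   /* the immediates used in the test */

    for (size_t i = 0; i < 2; i++) {
        int32_t imm = imms[i], t;
        uint64_t r64 = mov64_imm(imm), r32 = mov32_imm(imm);

        printf("imm=%2d MOV64 r1=%#018llx jeq=%d trackable=%d\n", imm,
               (unsigned long long)r64, jeq_imm_taken(r64, imm),
               trackable_as_imm(r64, &t));
        printf("imm=%2d MOV32 r1=%#018llx jeq=%d trackable=%d\n", imm,
               (unsigned long long)r32, jeq_imm_taken(r32, imm),
               trackable_as_imm(r32, &t));
    }
    return 0;
}
```

The MOV32/-1 row is the only one where the model refuses to track a constant, which corresponds to `R1=inv` on the fall-through path in the patched verifier output.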
    • usb: gadget: bdc: 64-bit pointer capability check · 5a876e87
      Srinath Mannam authored
      commit c8e4e5bd upstream.
      
      Corrected the register to check the 64-bit pointer
      capability state. The 64-bit pointer implementation capability
      was being checked in the wrong register, which causes BDC
      enumeration failure with 64-bit memory addresses.
      
      Fixes: efed421a ("usb: gadget: Add UDC driver for
      Broadcom USB3.0 device controller IP BDC")
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: Srinath Mannam <srinath.mannam@broadcom.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe() · a52a0a6c
      Wei Yongjun authored
      commit 8874ae5f upstream.
      
      Add the missing platform_device_put() before return from bdc_pci_probe()
      in the platform_device_add_resources() error handling case.
      
      Fixes: efed421a ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC")
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device · e1994e4d
      Nikolay Borisov authored
      commit fd649f10 upstream.
      
      Commit 4fde46f0 ("Btrfs: free the stale device") introduced
      btrfs_free_stale_device which iterates the device lists for all
      registered btrfs filesystems and deletes those devices which aren't
      mounted. If a btrfs_devices structure has only 1 device attached to it
      and it is unused then btrfs_free_stale_devices will proceed to also free
      the btrfs_fs_devices struct itself. Currently this leads to a use after
      free since list_for_each_entry will try to perform a check on the
      already freed memory to see if it has to terminate the loop.
      
      The fix is to use 'break' when we know we are freeing the current
      fs_devs.
      
      Fixes: 4fde46f0 ("Btrfs: free the stale device")
      Signed-off-by: Nikolay Borisov <nborisov@suse.com>
      Reviewed-by: Anand Jain <anand.jain@oracle.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: alloc_chunk: fix DUP stripe size handling · 97c3e46e
      Hans van Kranenburg authored
      commit 92e222df upstream.
      
      In case of using DUP, we search for enough unallocated disk space on a
      device to hold two stripes.
      
      The devices_info[ndevs-1].max_avail that holds the amount of unallocated
      space found is directly assigned to stripe_size, while it's actually
      twice the stripe size.
      
      Later on in the code, an unconditional division of stripe_size by
      dev_stripes corrects the value, but in the meantime there's a check to
      see if the stripe_size does not exceed max_chunk_size. Since during this
      check stripe_size is twice the amount as intended, the check will reduce
      the stripe_size to max_chunk_size if the actual correct to be used
      stripe_size is more than half the amount of max_chunk_size.
      
      The unconditional division later tries to correct stripe_size, but will
      actually make sure we can't allocate more than half the max_chunk_size.
      
      Fix this by moving the division by dev_stripes before the max chunk size
      check, so it always contains the right value, instead of putting a duct
      tape division in further on to get it fixed again.
      
      Since in all other cases than DUP, dev_stripes is 1, this change only
      affects DUP.
      
      Other attempts in the past were made to fix this:
      * 37db63a4 "Btrfs: fix max chunk size check in chunk allocator" tried
      to fix the same problem, but still resulted in part of the code acting
      on a wrongly doubled stripe_size value.
      * 86db2578 "Btrfs: fix max chunk size on raid5/6" unintentionally
      broke this fix again.
      
      The real problem was already introduced with the rest of the code in
      73c5de00.
      
      The user visible result however will be that the max chunk size for DUP
      will suddenly double, while it's actually acting according to the limits
      in the code again like it was 5 years ago.
      
      Reported-by: Naohiro Aota <naohiro.aota@wdc.com>
      Link: https://www.spinics.net/lists/linux-btrfs/msg69752.html
      Fixes: 73c5de00 ("btrfs: quasi-round-robin for chunk allocation")
      Fixes: 86db2578 ("Btrfs: fix max chunk size on raid5/6")
      Signed-off-by: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
      Reviewed-by: David Sterba <dsterba@suse.com>
      [ update comment ]
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux · 29b20311
      Adam Ford authored
      commit 74402055 upstream.
      
      The pinmuxing was missing for I2C1 which was causing intermittent issues
      with the PMIC which is connected to I2C1.  The bootloader did not quite
      configure the I2C1 either, so when running at 2.6MHz, it was generating
      errors at times.
      
      This correctly sets the I2C1 pinmuxing so it can operate at 2.6MHz.
      
      Fixes: 687c2767 ("ARM: dts: Add minimal support for LogicPD Torpedo
      DM3730 devkit")
      Signed-off-by: Adam Ford <aford173@gmail.com>
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>