1. 22 Aug, 2016 40 commits
    • Sven Eckelmann's avatar
      batman-adv: Clean up untagged vlan when destroying via rtnl-link · 3d88d87f
      Sven Eckelmann authored
      commit 420cb1b7 upstream.
      
      The untagged vlan object is only destroyed when the interface is removed
      via the legacy sysfs interface. But it also has to be destroyed when the
      standard rtnl-link interface is used.
      
      Fixes: 5d2c05b2 ("batman-adv: add per VLAN interface attribute framework")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: s/_put/_free_ref/]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3d88d87f
    • Sven Eckelmann's avatar
      batman-adv: Fix ICMP RR ethernet access after skb_linearize · 6d3ce108
      Sven Eckelmann authored
      commit 3b55e442 upstream.
      
      The skb_linearize may reallocate the skb. This makes the calculated pointer
      for ethhdr invalid. But it the pointer is used later to fill in the RR
      field of the batadv_icmp_packet_rr packet.
      
      Instead re-evaluate eth_hdr after the skb_linearize+skb_cow to fix the
      pointer and avoid the invalid read.
      
      Fixes: da6b8c20 ("batman-adv: generalize batman-adv icmp packet handling")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6d3ce108
    • Ben Hutchings's avatar
      batman-adv: Fix double-put of vlan object · 51e37ea1
      Ben Hutchings authored
      commit baceced9 upstream.
      
      Each batadv_tt_local_entry hold a single reference to a
      batadv_softif_vlan.  In case a new entry cannot be added to the hash
      table, the error path puts the reference, but the reference will also
      now be dropped by batadv_tt_local_entry_release().
      
      Fixes: a33d970d ("batman-adv: Fix reference counting of vlan object for tt_local_entry")
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: s/_put/_free_ref/]
      51e37ea1
    • Sven Eckelmann's avatar
      batman-adv: Fix use-after-free/double-free of tt_req_node · 55640775
      Sven Eckelmann authored
      commit 9c4604a2 upstream.
      
      The tt_req_node is added and removed from a list inside a spinlock. But the
      locking is sometimes removed even when the object is still referenced and
      will be used later via this reference. For example batadv_send_tt_request
      can create a new tt_req_node (including add to a list) and later
      re-acquires the lock to remove it from the list and to free it. But at this
      time another context could have already removed this tt_req_node from the
      list and freed it.
      
      CPU#0
      
          batadv_batman_skb_recv from net_device 0
          -> batadv_iv_ogm_receive
            -> batadv_iv_ogm_process
              -> batadv_iv_ogm_process_per_outif
                -> batadv_tvlv_ogm_receive
                  -> batadv_tvlv_ogm_receive
                    -> batadv_tvlv_containers_process
                      -> batadv_tvlv_call_handler
                        -> batadv_tt_tvlv_ogm_handler_v1
                          -> batadv_tt_update_orig
                            -> batadv_send_tt_request
                              -> batadv_tt_req_node_new
                                 spin_lock(...)
                                 allocates new tt_req_node and adds it to list
                                 spin_unlock(...)
                                 return tt_req_node
      
      CPU#1
      
          batadv_batman_skb_recv from net_device 1
          -> batadv_recv_unicast_tvlv
            -> batadv_tvlv_containers_process
              -> batadv_tvlv_call_handler
                -> batadv_tt_tvlv_unicast_handler_v1
                  -> batadv_handle_tt_response
                     spin_lock(...)
                     tt_req_node gets removed from list and is freed
                     spin_unlock(...)
      
      CPU#0
      
                            <- returned to batadv_send_tt_request
                               spin_lock(...)
                               tt_req_node gets removed from list and is freed
                               MEMORY CORRUPTION/SEGFAULT/...
                               spin_unlock(...)
      
      This can only be solved via reference counting to allow multiple contexts
      to handle the list manipulation while making sure that only the last
      context holding a reference will free the object.
      
      Fixes: a73105b8 ("batman-adv: improved client announcement mechanism")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Tested-by: default avatarMartin Weinelt <martin@darmstadt.freifunk.net>
      Tested-by: default avatarAmadeus Alfa <amadeus@chemnitz.freifunk.net>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16:
       - Adjust context
       - Use list_empty() instead of hlist_unhashed()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      55640775
    • Simon Wunderlich's avatar
      batman-adv: replace WARN with rate limited output on non-existing VLAN · 43c704f5
      Simon Wunderlich authored
      commit 0b3dd7df upstream.
      
      If a VLAN tagged frame is received and the corresponding VLAN is not
      configured on the soft interface, it will splat a WARN on every packet
      received. This is a quite annoying behaviour for some scenarios, e.g. if
      bat0 is bridged with eth0, and there are arbitrary VLAN tagged frames
      from Ethernet coming in without having any VLAN configuration on bat0.
      
      The code should probably create vlan objects on the fly and
      transparently transport these VLAN-tagged Ethernet frames, but until
      this is done, at least the WARN splat should be replaced by a rate
      limited output.
      
      Fixes: 354136bc ("batman-adv: fix kernel crash due to missing NULL checks")
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      43c704f5
    • Sven Eckelmann's avatar
      batman-adv: Fix memory leak on tt add with invalid vlan · cbc2dd21
      Sven Eckelmann authored
      commit fd7dec25 upstream.
      
      The object tt_local is allocated with kmalloc and not initialized when the
      function batadv_tt_local_add checks for the vlan. But this function can
      only cleanup the object when the (not yet initialized) reference counter of
      the object is 1. This is unlikely and thus the object would leak when the
      vlan could not be found.
      
      Instead the uninitialized object tt_local has to be freed manually and the
      pointer has to set to NULL to avoid calling the function which would try to
      decrement the reference counter of the not existing object.
      
      CID: 1316518
      Fixes: 354136bc ("batman-adv: fix kernel crash due to missing NULL checks")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cbc2dd21
    • Florian Fainelli's avatar
      net: phy: Manage fixed PHY address space using IDA · 9a95f4c4
      Florian Fainelli authored
      commit 69fc58a5 upstream.
      
      If we have a system which uses fixed PHY devices and calls
      fixed_phy_register() then fixed_phy_unregister() we can exhaust the
      number of fixed PHYs available after a while, since we keep incrementing
      the variable phy_fixed_addr, but we never decrement it.
      
      This patch fixes that by converting the fixed PHY allocation to using
      IDA, which takes care of the allocation/dealloaction of the PHY
      addresses for us.
      
      Fixes: a7595121 ("net: phy: extend fixed driver with fixed_phy_register()")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16:
       - Adjust filename, context
       - fixed_phy_register() returns an integer, not a pointer/error]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9a95f4c4
    • Michael Neuling's avatar
      powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 · ceb3c227
      Michael Neuling authored
      commit 190ce869 upstream.
      
      Currently we have 2 segments that are bolted for the kernel linear
      mapping (ie 0xc000... addresses). This is 0 to 1TB and also the kernel
      stacks. Anything accessed outside of these regions may need to be
      faulted in. (In practice machines with TM always have 1T segments)
      
      If a machine has < 2TB of memory we never fault on the kernel linear
      mapping as these two segments cover all physical memory. If a machine
      has > 2TB of memory, there may be structures outside of these two
      segments that need to be faulted in. This faulting can occur when
      running as a guest as the hypervisor may remove any SLB that's not
      bolted.
      
      When we treclaim and trecheckpoint we have a window where we need to
      run with the userspace GPRs. This means that we no longer have a valid
      stack pointer in r1. For this window we therefore clear MSR RI to
      indicate that any exceptions taken at this point won't be able to be
      handled. This means that we can't take segment misses in this RI=0
      window.
      
      In this RI=0 region, we currently access the thread_struct for the
      process being context switched to or from. This thread_struct access
      may cause a segment fault since it's not guaranteed to be covered by
      the two bolted segment entries described above.
      
      We've seen this with a crash when running as a guest with > 2TB of
      memory on PowerVM:
      
        Unrecoverable exception 4100 at c00000000004f138
        Oops: Unrecoverable exception, sig: 6 [#1]
        SMP NR_CPUS=2048 NUMA pSeries
        CPU: 1280 PID: 7755 Comm: kworker/1280:1 Tainted: G                 X 4.4.13-46-default #1
        task: c000189001df4210 ti: c000189001d5c000 task.ti: c000189001d5c000
        NIP: c00000000004f138 LR: 0000000010003a24 CTR: 0000000010001b20
        REGS: c000189001d5f730 TRAP: 4100   Tainted: G                 X  (4.4.13-46-default)
        MSR: 8000000100001031 <SF,ME,IR,DR,LE>  CR: 24000048  XER: 00000000
        CFAR: c00000000004ed18 SOFTE: 0
        GPR00: ffffffffc58d7b60 c000189001d5f9b0 00000000100d7d00 000000003a738288
        GPR04: 0000000000002781 0000000000000006 0000000000000000 c0000d1f4d889620
        GPR08: 000000000000c350 00000000000008ab 00000000000008ab 00000000100d7af0
        GPR12: 00000000100d7ae8 00003ffe787e67a0 0000000000000000 0000000000000211
        GPR16: 0000000010001b20 0000000000000000 0000000000800000 00003ffe787df110
        GPR20: 0000000000000001 00000000100d1e10 0000000000000000 00003ffe787df050
        GPR24: 0000000000000003 0000000000010000 0000000000000000 00003fffe79e2e30
        GPR28: 00003fffe79e2e68 00000000003d0f00 00003ffe787e67a0 00003ffe787de680
        NIP [c00000000004f138] restore_gprs+0xd0/0x16c
        LR [0000000010003a24] 0x10003a24
        Call Trace:
        [c000189001d5f9b0] [c000189001d5f9f0] 0xc000189001d5f9f0 (unreliable)
        [c000189001d5fb90] [c00000000001583c] tm_recheckpoint+0x6c/0xa0
        [c000189001d5fbd0] [c000000000015c40] __switch_to+0x2c0/0x350
        [c000189001d5fc30] [c0000000007e647c] __schedule+0x32c/0x9c0
        [c000189001d5fcb0] [c0000000007e6b58] schedule+0x48/0xc0
        [c000189001d5fce0] [c0000000000deabc] worker_thread+0x22c/0x5b0
        [c000189001d5fd80] [c0000000000e7000] kthread+0x110/0x130
        [c000189001d5fe30] [c000000000009538] ret_from_kernel_thread+0x5c/0xa4
        Instruction dump:
        7cb103a6 7cc0e3a6 7ca222a6 78a58402 38c00800 7cc62838 08860000 7cc000a6
        38a00006 78c60022 7cc62838 0b060000 <e8c701a0> 7ccff120 e8270078 e8a70098
        ---[ end trace 602126d0a1dedd54 ]---
      
      This fixes this by copying the required data from the thread_struct to
      the stack before we clear MSR RI. Then once we clear RI, we only access
      the stack, guaranteeing there's no segment miss.
      
      We also tighten the region over which we set RI=0 on the treclaim()
      path. This may have a slight performance impact since we're adding an
      mtmsr instruction.
      
      Fixes: 090b9284 ("powerpc/tm: Clear MSR RI in non-recoverable TM code")
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Reviewed-by: default avatarCyril Bur <cyrilbur@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ceb3c227
    • Brian King's avatar
      ipr: Clear interrupt on croc/crocodile when running with LSI · 5de24309
      Brian King authored
      commit 54e430bb upstream.
      
      If we fall back to using LSI on the Croc or Crocodile chip we need to
      clear the interrupt so we don't hang the system.
      Tested-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5de24309
    • Trond Myklebust's avatar
      NFS: Fix another OPEN_DOWNGRADE bug · 9650f565
      Trond Myklebust authored
      commit e547f262 upstream.
      
      Olga Kornievskaia reports that the following test fails to trigger
      an OPEN_DOWNGRADE on the wire, and only triggers the final CLOSE.
      
      	fd0 = open(foo, RDRW)   -- should be open on the wire for "both"
      	fd1 = open(foo, RDONLY)  -- should be open on the wire for "read"
      	close(fd0) -- should trigger an open_downgrade
      	read(fd1)
      	close(fd1)
      
      The issue is that we're missing a check for whether or not the current
      state transitioned from an O_RDWR state as opposed to having transitioned
      from a combination of O_RDONLY and O_WRONLY.
      Reported-by: default avatarOlga Kornievskaia <aglo@umich.edu>
      Fixes: cd9288ff ("NFSv4: Fix another bug in the close/open_downgrade code")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9650f565
    • daniel's avatar
      Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address · 766b5ed1
      daniel authored
      commit 0888d5f3 upstream.
      
      The bridge is falsly dropping ipv6 mulitcast packets if there is:
       1. No ipv6 address assigned on the brigde.
       2. No external mld querier present.
       3. The internal querier enabled.
      
      When the bridge fails to build mld queries, because it has no
      ipv6 address, it slilently returns, but keeps the local querier enabled.
      This specific case causes confusing packet loss.
      
      Ipv6 multicast snooping can only work if:
       a) An external querier is present
       OR
       b) The bridge has an ipv6 address an is capable of sending own queries
      
      Otherwise it has to forward/flood the ipv6 multicast traffic,
      because snooping cannot work.
      
      This patch fixes the issue by adding a flag to the bridge struct that
      indicates that there is currently no ipv6 address assinged to the bridge
      and returns a false state for the local querier in
      __br_multicast_querier_exists().
      
      Special thanks to Linus Lüssing.
      
      Fixes: d1d81d4c ("bridge: check return value of ipv6_dev_get_saddr()")
      Signed-off-by: default avatarDaniel Danzberger <daniel@dd-wrt.com>
      Acked-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      766b5ed1
    • Jouni Malinen's avatar
      mac80211: Fix mesh estab_plinks counting in STA removal case · 93917b05
      Jouni Malinen authored
      commit 126e7557 upstream.
      
      If a user space program (e.g., wpa_supplicant) deletes a STA entry that
      is currently in NL80211_PLINK_ESTAB state, the number of established
      plinks counter was not decremented and this could result in rejecting
      new plink establishment before really hitting the real maximum plink
      limit. For !user_mpm case, this decrementation is handled by
      mesh_plink_deactive().
      
      Fix this by decrementing estab_plinks on STA deletion
      (mesh_sta_cleanup() gets called from there) so that the counter has a
      correct value and the Beacon frame advertisement in Mesh Configuration
      element shows the proper value for capability to accept additional
      peers.
      Signed-off-by: default avatarJouni Malinen <j@w1.fi>
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      [bwh: Backported to 3.16: plink_state field is in struct sta_info]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      93917b05
    • Florian Fainelli's avatar
      net: bgmac: Remove superflous netif_carrier_on() · f61c0cf7
      Florian Fainelli authored
      commit 3894396e upstream.
      
      bgmac_open() calls phy_start() to initialize the PHY state machine,
      which will set the interface's carrier state accordingly, no need to
      force that as this could be conflicting with the PHY state determined by
      PHYLIB.
      
      Fixes: dd4544f0 ("bgmac: driver for GBit MAC core on BCMA bus")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f61c0cf7
    • Florian Fainelli's avatar
      net: bgmac: Start transmit queue in bgmac_open · 7d28b934
      Florian Fainelli authored
      commit c3897f2a upstream.
      
      The driver does not start the transmit queue in bgmac_open(). If the
      queue was stopped prior to closing then re-opening the interface, we
      would never be able to wake-up again.
      
      Fixes: dd4544f0 ("bgmac: driver for GBit MAC core on BCMA bus")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7d28b934
    • Martin Schwidefsky's avatar
      s390: fix test_fp_ctl inline assembly contraints · 89557831
      Martin Schwidefsky authored
      commit bcf4dd5f upstream.
      
      The test_fp_ctl function is used to test if a given value is a valid
      floating-point control. The inline assembly in test_fp_ctl uses an
      incorrect constraint for the 'orig_fpc' variable. If the compiler
      chooses the same register for 'fpc' and 'orig_fpc' the test_fp_ctl()
      function always returns true. This allows user space to trigger
      kernel oopses with invalid floating-point control values on the
      signal stack.
      
      This problem has been introduced with git commit 4725c860
      "s390: fix save and restore of the floating-point-control register"
      Reviewed-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      89557831
    • Alexey Brodkin's avatar
      arc: unwind: warn only once if DW2_UNWIND is disabled · 08015658
      Alexey Brodkin authored
      commit 9bd54517 upstream.
      
      If CONFIG_ARC_DW2_UNWIND is disabled every time arc_unwind_core()
      gets called following message gets printed in debug console:
      ----------------->8---------------
      CONFIG_ARC_DW2_UNWIND needs to be enabled
      ----------------->8---------------
      
      That message makes sense if user indeed wants to see a backtrace or
      get nice function call-graphs in perf but what if user disabled
      unwinder for the purpose? Why pollute his debug console?
      
      So instead we'll warn user about possibly missing feature once and
      let him decide if that was what he or she really wanted.
      Signed-off-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      08015658
    • Vineet Gupta's avatar
      ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame) · 75126cd2
      Vineet Gupta authored
      commit f52e126c upstream.
      
      With recent binutils update to support dwarf CFI pseudo-ops in gas, we
      now get .eh_frame vs. .debug_frame. Although the call frame info is
      exactly the same in both, the CIE differs, which the current kernel
      unwinder can't cope with.
      
      This broke both the kernel unwinder as well as loadable modules (latter
      because of a new unhandled relo R_ARC_32_PCREL from .rela.eh_frame in
      the module loader)
      
      The ideal solution would be to switch unwinder to .eh_frame.
      For now however we can make do by just ensureing .debug_frame is
      generated by removing -fasynchronous-unwind-tables
      
       .eh_frame    generated with -gdwarf-2 -fasynchronous-unwind-tables
       .debug_frame generated with -gdwarf-2
      
      Fixes STAR 9001058196
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      75126cd2
    • Christophe JAILLET's avatar
      ALSA: echoaudio: Fix memory allocation · db92ce5d
      Christophe JAILLET authored
      commit 9c6795a9 upstream.
      
      'commpage_bak' is allocated with 'sizeof(struct echoaudio)' bytes.
      We then copy 'sizeof(struct comm_page)' bytes in it.
      On my system, smatch complains because one is 2960 and the other is 3072.
      
      This would result in memory corruption or a oops.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      db92ce5d
    • Alan Stern's avatar
      USB: don't free bandwidth_mutex too early · 37fd3970
      Alan Stern authored
      commit ab2a4bf8 upstream.
      
      The USB core contains a bug that can show up when a USB-3 host
      controller is removed.  If the primary (USB-2) hcd structure is
      released before the shared (USB-3) hcd, the core will try to do a
      double-free of the common bandwidth_mutex.
      
      The problem was described in graphical form by Chung-Geol Kim, who
      first reported it:
      
      =================================================
           At *remove USB(3.0) Storage
           sequence <1> --> <5> ((Problem Case))
      =================================================
                                        VOLD
      ------------------------------------|------------
                                       (uevent)
                                  ________|_________
                                 |<1>               |
                                 |dwc3_otg_sm_work  |
                                 |usb_put_hcd       |
                                 |peer_hcd(kref=2)|
                                 |__________________|
                                  ________|_________
                                 |<2>               |
                                 |New USB BUS #2    |
                                 |                  |
                                 |peer_hcd(kref=1)  |
                                 |                  |
                               --(Link)-bandXX_mutex|
                               | |__________________|
                               |
          ___________________  |
         |<3>                | |
         |dwc3_otg_sm_work   | |
         |usb_put_hcd        | |
         |primary_hcd(kref=1)| |
         |___________________| |
          _________|_________  |
         |<4>                | |
         |New USB BUS #1     | |
         |hcd_release        | |
         |primary_hcd(kref=0)| |
         |                   | |
         |bandXX_mutex(free) |<-
         |___________________|
                                     (( VOLD ))
                                  ______|___________
                                 |<5>               |
                                 |      SCSI        |
                                 |usb_put_hcd       |
                                 |peer_hcd(kref=0)  |
                                 |*hcd_release      |
                                 |bandXX_mutex(free*)|<- double free
                                 |__________________|
      
      =================================================
      
      This happens because hcd_release() frees the bandwidth_mutex whenever
      it sees a primary hcd being released (which is not a very good idea
      in any case), but in the course of releasing the primary hcd, it
      changes the pointers in the shared hcd in such a way that the shared
      hcd will appear to be primary when it gets released.
      
      This patch fixes the problem by changing hcd_release() so that it
      deallocates the bandwidth_mutex only when the _last_ hcd structure
      referencing it is released.  The patch also removes an unnecessary
      test, so that when an hcd is released, both the shared_hcd and
      primary_hcd pointers in the hcd's peer will be cleared.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarChung-Geol Kim <chunggeol.kim@samsung.com>
      Tested-by: default avatarChung-Geol Kim <chunggeol.kim@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: free only usb_hcd::bandwidth_mutex, not
       usb_hcd::address0_mutex too]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      37fd3970
    • Al Viro's avatar
      make nfs_atomic_open() call d_drop() on all ->open_context() errors. · 1d14b238
      Al Viro authored
      commit d20cb71d upstream.
      
      In "NFSv4: Move dentry instantiation into the NFSv4-specific atomic open code"
      unconditional d_drop() after the ->open_context() had been removed.  It had
      been correct for success cases (there ->open_context() itself had been doing
      dcache manipulations), but not for error ones.  Only one of those (ENOENT)
      got a compensatory d_drop() added in that commit, but in fact it should've
      been done for all errors.  As it is, the case of O_CREAT non-exclusive open
      on a hashed negative dentry racing with e.g. symlink creation from another
      client ended up with ->open_context() getting an error and proceeding to
      call nfs_lookup().  On a hashed dentry, which would've instantly triggered
      BUG_ON() in d_materialise_unique() (or, these days, its equivalent in
      d_splice_alias()).
      Tested-by: default avatarOleg Drokin <green@linuxhacker.ru>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1d14b238
    • James Morse's avatar
      KVM: arm/arm64: Stop leaking vcpu pid references · b7c05a9c
      James Morse authored
      commit 591d215a upstream.
      
      kvm provides kvm_vcpu_uninit(), which amongst other things, releases the
      last reference to the struct pid of the task that was last running the vcpu.
      
      On arm64 built with CONFIG_DEBUG_KMEMLEAK, starting a guest with kvmtool,
      then killing it with SIGKILL results (after some considerable time) in:
      > cat /sys/kernel/debug/kmemleak
      > unreferenced object 0xffff80007d5ea080 (size 128):
      >  comm "lkvm", pid 2025, jiffies 4294942645 (age 1107.776s)
      >  hex dump (first 32 bytes):
      >    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      >    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      >  backtrace:
      >    [<ffff8000001b30ec>] create_object+0xfc/0x278
      >    [<ffff80000071da34>] kmemleak_alloc+0x34/0x70
      >    [<ffff80000019fa2c>] kmem_cache_alloc+0x16c/0x1d8
      >    [<ffff8000000d0474>] alloc_pid+0x34/0x4d0
      >    [<ffff8000000b5674>] copy_process.isra.6+0x79c/0x1338
      >    [<ffff8000000b633c>] _do_fork+0x74/0x320
      >    [<ffff8000000b66b0>] SyS_clone+0x18/0x20
      >    [<ffff800000085cb0>] el0_svc_naked+0x24/0x28
      >    [<ffffffffffffffff>] 0xffffffffffffffff
      
      On x86 kvm_vcpu_uninit() is called on the path from kvm_arch_destroy_vm(),
      on arm no equivalent call is made. Add the call to kvm_arch_vcpu_free().
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Fixes: 749cf76c ("KVM: ARM: Initial skeleton to compile KVM support")
      Acked-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b7c05a9c
    • Cyril Bur's avatar
      powerpc/tm: Always reclaim in start_thread() for exec() class syscalls · 8c96b416
      Cyril Bur authored
      commit 8e96a87c upstream.
      
      Userspace can quite legitimately perform an exec() syscall with a
      suspended transaction. exec() does not return to the old process, rather
      it load a new one and starts that, the expectation therefore is that the
      new process starts not in a transaction. Currently exec() is not treated
      any differently to any other syscall which creates problems.
      
      Firstly it could allow a new process to start with a suspended
      transaction for a binary that no longer exists. This means that the
      checkpointed state won't be valid and if the suspended transaction were
      ever to be resumed and subsequently aborted (a possibility which is
      exceedingly likely as exec()ing will likely doom the transaction) the
      new process will jump to invalid state.
      
      Secondly the incorrect attempt to keep the transactional state while
      still zeroing state for the new process creates at least two TM Bad
      Things. The first triggers on the rfid to return to userspace as
      start_thread() has given the new process a 'clean' MSR but the suspend
      will still be set in the hardware MSR. The second TM Bad Thing triggers
      in __switch_to() as the processor is still transactionally suspended but
      __switch_to() wants to zero the TM sprs for the new process.
      
      This is an example of the outcome of calling exec() with a suspended
      transaction. Note the first 700 is likely the first TM bad thing
      decsribed earlier only the kernel can't report it as we've loaded
      userspace registers. c000000000009980 is the rfid in
      fast_exception_return()
      
        Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
        Oops: Bad kernel stack pointer, sig: 6 [#1]
        CPU: 0 PID: 2006 Comm: tm-execed Not tainted
        NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
        REGS: c00000003ffefd40 TRAP: 0700   Not tainted
        MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]>  CR: 00000000  XER: 00000000
        CFAR: c0000000000098b4 SOFTE: 0
        PACATMSCRATCH: b00000010000d033
        GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
        GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
        GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
        GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
        NIP [c000000000009980] fast_exception_return+0xb0/0xb8
        LR [0000000000000000]           (null)
        Call Trace:
        Instruction dump:
        f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
        e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b
      
        Kernel BUG at c000000000043e80 [verbose debug info unavailable]
        Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
        Oops: Unrecoverable exception, sig: 6 [#2]
        CPU: 0 PID: 2006 Comm: tm-execed Tainted: G      D
        task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
        NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
        REGS: c00000003ffef7e0 TRAP: 0700   Tainted: G      D
        MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]>  CR: 28002828  XER: 00000000
        CFAR: c000000000015a20 SOFTE: 0
        PACATMSCRATCH: b00000010000d033
        GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
        GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
        GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
        GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
        GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
        GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
        GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
        GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
        NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
        LR [c000000000015a24] __switch_to+0x1f4/0x420
        Call Trace:
        Instruction dump:
        7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
        4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020
      
      This fixes CVE-2016-5828.
      
      Fixes: bc2a9408 ("powerpc: Hook in new transactional memory code")
      Signed-off-by: default avatarCyril Bur <cyrilbur@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8c96b416
    • Mark Brown's avatar
      iio:ad7266: Fix probe deferral for vref · e5dbfa75
      Mark Brown authored
      commit 68b356eb upstream.
      
      Currently the ad7266 driver treats any failure to get vref as though the
      regulator were not present but this means that if probe deferral is
      triggered the driver will act as though the regulator were not present.
      Instead only use the internal reference if we explicitly got -ENODEV which
      is what is returned for absent regulators.
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e5dbfa75
    • Mark Brown's avatar
      iio:ad7266: Fix support for optional regulators · 10ac4f5e
      Mark Brown authored
      commit e5511c81 upstream.
      
      The ad7266 driver attempts to support deciding between the use of internal
      and external power supplies by checking to see if an error is returned when
      requesting the regulator. This doesn't work with the current code since the
      driver uses a normal regulator_get() which is for non-optional supplies
      and so assumes that if a regulator is not provided by the platform then
      this is a bug in the platform integration and so substitutes a dummy
      regulator. Use regulator_get_optional() instead which indicates to the
      framework that the regulator may be absent and provides a dummy regulator
      instead.
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      10ac4f5e
    • Mark Brown's avatar
      iio:ad7266: Fix broken regulator error handling · 146cd92b
      Mark Brown authored
      commit 6b7f4e25 upstream.
      
      All regulator_get() variants return either a pointer to a regulator or an
      ERR_PTR() so testing for NULL makes no sense and may lead to bugs if we
      use NULL as a valid regulator. Fix this by using IS_ERR() as expected.
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      146cd92b
    • Linus Walleij's avatar
      iio: accel: kxsd9: fix the usage of spi_w8r8() · 87efffda
      Linus Walleij authored
      commit 0c1f91b9 upstream.
      
      These two spi_w8r8() calls return a value with is used by the code
      following the error check. The dubious use was caused by a cleanup
      patch.
      
      Fixes: d34dbee8 ("staging:iio:accel:kxsd9 cleanup and conversion to iio_chan_spec.")
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      87efffda
    • Luis de Bethencourt's avatar
      staging: iio: accel: fix error check · a0e025ca
      Luis de Bethencourt authored
      commit ef3149eb upstream.
      
      sca3000_read_ctrl_reg() returns a negative number on failure, check for
      this instead of zero.
      Signed-off-by: default avatarLuis de Bethencourt <luisbg@osg.samsung.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a0e025ca
    • Torsten Hilbrich's avatar
      fs/nilfs2: fix potential underflow in call to crc32_le · cf53a0b9
      Torsten Hilbrich authored
      commit 63d2f95d upstream.
      
      The value `bytes' comes from the filesystem which is about to be
      mounted.  We cannot trust that the value is always in the range we
      expect it to be.
      
      Check its value before using it to calculate the length for the crc32_le
      call.  It value must be larger (or equal) sumoff + 4.
      
      This fixes a kernel bug when accidentially mounting an image file which
      had the nilfs2 magic value 0x3434 at the right offset 0x406 by chance.
      The bytes 0x01 0x00 were stored at 0x408 and were interpreted as a
      s_bytes value of 1.  This caused an underflow when substracting sumoff +
      4 (20) in the call to crc32_le.
      
        BUG: unable to handle kernel paging request at ffff88021e600000
        IP:  crc32_le+0x36/0x100
        ...
        Call Trace:
          nilfs_valid_sb.part.5+0x52/0x60 [nilfs2]
          nilfs_load_super_block+0x142/0x300 [nilfs2]
          init_nilfs+0x60/0x390 [nilfs2]
          nilfs_mount+0x302/0x520 [nilfs2]
          mount_fs+0x38/0x160
          vfs_kern_mount+0x67/0x110
          do_mount+0x269/0xe00
          SyS_mount+0x9f/0x100
          entry_SYSCALL_64_fastpath+0x16/0x71
      
      Link: http://lkml.kernel.org/r/1466778587-5184-2-git-send-email-konishi.ryusuke@lab.ntt.co.jpSigned-off-by: default avatarTorsten Hilbrich <torsten.hilbrich@secunet.com>
      Tested-by: default avatarTorsten Hilbrich <torsten.hilbrich@secunet.com>
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cf53a0b9
    • Anthony Romano's avatar
      tmpfs: don't undo fallocate past its last page · c248b3ba
      Anthony Romano authored
      commit b9b4bb26 upstream.
      
      When fallocate is interrupted it will undo a range that extends one byte
      past its range of allocated pages.  This can corrupt an in-use page by
      zeroing out its first byte.  Instead, undo using the inclusive byte
      range.
      
      Fixes: 1635f6a7 ("tmpfs: undo fallocation on failure")
      Link: http://lkml.kernel.org/r/1462713387-16724-1-git-send-email-anthony.romano@coreos.comSigned-off-by: default avatarAnthony Romano <anthony.romano@coreos.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Brandon Philips <brandon@ifup.co>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.16: use PAGE_CACHE_SHIFT instead of PAGE_SHIFT]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c248b3ba
    • Steve French's avatar
      Fix reconnect to not defer smb3 session reconnect long after socket reconnect · 2e4378ee
      Steve French authored
      commit 4fcd1813 upstream.
      
      Azure server blocks clients that open a socket and don't do anything on it.
      In our reconnect scenarios, we can reconnect the tcp session and
      detect the socket is available but we defer the negprot and SMB3 session
      setup and tree connect reconnection until the next i/o is requested, but
      this looks suspicous to some servers who expect SMB3 negprog and session
      setup soon after a socket is created.
      
      In the echo thread, reconnect SMB3 sessions and tree connections
      that are disconnected.  A later patch will replay persistent (and
      resilient) handle opens.
      Signed-off-by: default avatarSteve French <steve.french@primarydata.com>
      Acked-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2e4378ee
    • Ben Hutchings's avatar
      nfsd: check permissions when setting ACLs · 24ae40c9
      Ben Hutchings authored
      commit 99965378 upstream.
      
      Use set_posix_acl, which includes proper permission checks, instead of
      calling ->set_acl directly.  Without this anyone may be able to grant
      themselves permissions to a file by setting the ACL.
      
      Lock the inode to make the new checks atomic with respect to set_acl.
      (Also, nfsd was the only caller of set_acl not locking the inode, so I
      suspect this may fix other races.)
      
      This also simplifies the code, and ensures our ACLs are checked by
      posix_acl_valid.
      
      The permission checks and the inode locking were lost with commit
      4ac7249e, which changed nfsd to use the set_acl inode operation directly
      instead of going through xattr handlers.
      Reported-by: default avatarDavid Sinquin <david@sinquin.eu>
      [agreunba@redhat.com: use set_posix_acl]
      Fixes: 4ac7249e
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      [carnil: backport for 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      24ae40c9
    • Andreas Gruenbacher's avatar
      posix_acl: Add set_posix_acl · 8e31c40b
      Andreas Gruenbacher authored
      commit 485e71e8 upstream.
      
      Factor out part of posix_acl_xattr_set into a common function that takes
      a posix_acl, which nfsd can also call.
      
      The prototype already exists in include/linux/posix_acl.h.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      [carnil: backport to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8e31c40b
    • Takashi Iwai's avatar
      ALSA: dummy: Fix a use-after-free at closing · 9e3f375d
      Takashi Iwai authored
      commit d5dbbe65 upstream.
      
      syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
      driver when hrtimer is used as backend:
      > ==================================================================
      > BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68
      >  Read of size 8 by task syz-executor/8984
      > =============================================================================
      > BUG kmalloc-192 (Not tainted): kasan: bad access detected
      > -----------------------------------------------------------------------------
      >
      > Disabling lock debugging due to kernel taint
      > INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632
      > ....
      > [<      none      >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
      > ....
      > INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
      > [<      none      >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
      > ....
      > Call Trace:
      >  [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333
      >  [<     inline     >] rb_set_parent include/linux/rbtree_augmented.h:111
      >  [<     inline     >] __rb_erase_augmented include/linux/rbtree_augmented.h:218
      >  [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
      >  [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
      >  [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
      >  [<     inline     >] remove_hrtimer kernel/time/hrtimer.c:945
      >  [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046
      >  [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
      >  [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
      >  [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
      >  [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
      >  [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956
      >  [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
      >  [<     inline     >] snd_pcm_stop sound/core/pcm_native.c:1139
      >  [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
      >  [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805
      >  [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976
      >  [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020
      >  [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693
      >  [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483
      >  .....
      
      A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which
      is called certainly before other blocking ops.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9e3f375d
    • Scott Bauer's avatar
      HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands · 4ef3e38d
      Scott Bauer authored
      commit 93a2001b upstream.
      
      This patch validates the num_values parameter from userland during the
      HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
      to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
      leading to a heap overflow.
      Signed-off-by: default avatarScott Bauer <sbauer@plzdonthack.me>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4ef3e38d
    • Jerome Marchand's avatar
      cifs: dynamic allocation of ntlmssp blob · 44b522de
      Jerome Marchand authored
      commit b8da344b upstream.
      
      In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated
      statically and its size is an "empirical" 5*sizeof(struct
      _AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value
      comes from or if it was ever appropriate, but it is currently
      insufficient: the user and domain name in UTF16 could take 1kB by
      themselves. Because of that, build_ntlmssp_auth_blob() might corrupt
      memory (out-of-bounds write). The size of ntlmssp_blob in
      SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE)
      + 500).
      
      This patch allocates the blob dynamically in
      build_ntlmssp_auth_blob().
      Signed-off-by: default avatarJerome Marchand <jmarchan@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      [bwh: Backported to 3.16: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      44b522de
    • Jerome Marchand's avatar
      cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name · 30622d3d
      Jerome Marchand authored
      commit 202d772b upstream.
      
      Currently in build_ntlmssp_auth_blob(), when converting the domain
      name to UTF16, CIFS_MAX_USERNAME_LEN limit is used. It should be
      CIFS_MAX_DOMAINNAME_LEN. This patch fixes this.
      Signed-off-by: default avatarJerome Marchand <jmarchan@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      30622d3d
    • Dmitry Torokhov's avatar
      Input: elantech - add more IC body types to the list · b2c8a987
      Dmitry Torokhov authored
      commit 226ba707 upstream.
      
      The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and
      according to Elan both 11 and 12 are valid IC types and should be
      identified as hw_version 4.
      Reported-by: default avatarPatrick Lessard <Patrick.Lessard@cogeco.com>
      Tested-by: default avatarPatrick Lessard <Patrick.Lessard@cogeco.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b2c8a987
    • Ping Cheng's avatar
      Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 · 9a20812e
      Ping Cheng authored
      commit 12afb344 upstream.
      
      Somehow the patch that added two-finger touch support forgot to update
      W8001_MAX_LENGTH from 11 to 13.
      Signed-off-by: default avatarPing Cheng <pingc@wacom.com>
      Reviewed-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9a20812e
    • Dotan Barak's avatar
      IB/mlx4: Fix memory leak if QP creation failed · bce7f377
      Dotan Barak authored
      commit 5b420d9c upstream.
      
      When RC, UC, or RAW QPs are created, a qp object is allocated (kzalloc).
      If at a later point (in procedure create_qp_common) the qp creation fails,
      this qp object must be freed.
      
      Fixes: 1ffeb2eb ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
      Signed-off-by: default avatarDotan Barak <dotanb@dev.mellanox.co.il>
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bce7f377
    • Yishai Hadas's avatar
      IB/mlx4: Verify port number in flow steering create flow · 0ac1d558
      Yishai Hadas authored
      commit 5533c18a upstream.
      
      In procedure mlx4_ib_create_flow, passing an invalid port number
      will cause an out-of-bounds array access. Data passed to this procedure
      can come from user-space.  Therefore, need to validate port number
      before proceeding onwards.
      
      Note that we check against the number of physical ports declared at
      the verbs (ib core) level; When bonding is active, the verbs level
      sees one physical port, even though the low-level driver sees two ports.
      
      Fixes: f77c0162 ("IB/mlx4: Add receive flow steering support")
      Signed-off-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Reviewed-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Reviewed-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      [bwh: Backported to 3.16:
       - Adjust context
       - Function returns an integer, not a pointer/error]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0ac1d558