1. 03 Mar, 2017 14 commits
    • 
      ipv6: simplify detection of first operational link-local address on interface · 6a484057
      Hannes Frederic Sowa authored
      commit 11ffff75 upstream.
      
      In commit 1ec047eb ("ipv6: introduce per-interface counter for
      dad-completed ipv6 addresses") I built the detection of the first
      operational link-local address much too complex. Additionally this code
      now has a race condition.
      
      Replace it with a much simpler variant, which just scans the address
      list when duplicate address detection completes, to check if this is
      the first valid link local address and send RS and MLD reports then.
      
      Fixes: 1ec047eb ("ipv6: introduce per-interface counter for dad-completed ipv6 addresses")
      Reported-by: Jiri Pirko <jiri@resnulli.us>
      Cc: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Flavio Leitner <fbl@redhat.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      6a484057
    • 
      net: 6lowpan: fix lowpan_header_create non-compression memcpy call · d6ec2447
      Daniel Borkmann authored
      commit 965801e1 upstream.
      
      In function lowpan_header_create(), we invoke the following code
      construct:
      
        struct ipv6hdr *hdr;
        ...
        hdr = ipv6_hdr(skb);
        ...
        if (...)
          memcpy(hc06_ptr + 1, &hdr->flow_lbl[1], 2);
        else
          memcpy(hc06_ptr, &hdr, 4);
      
      Where the else path of the condition, that is, non-compression
      path, calls memcpy() with a pointer to struct ipv6hdr *hdr as
      source, thus two levels of indirection. This cannot be correct,
      and likely only one level of pointer was intended as source
      buffer for memcpy() here.
      
      Fixes: 44331fe2 ("IEEE802.15.4: 6LoWPAN basic support")
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Cc: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
      Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Cc: Werner Almesberger <werner@almesberger.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d6ec2447
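As an added illustration, not part of the commit above or of the kernel source, the following user-space C model reproduces both memcpy() calls from the commit message on a constructed stand-in for the first four bytes of an IPv6 header and checks what each one actually copies. `struct ipv6hdr_model`, the helper names and the sample header bytes are assumptions of this example; the kernel's real `struct ipv6hdr` uses bitfields and is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the first four header bytes (version, traffic
 * class, flow label). Not the kernel's struct ipv6hdr. */
struct ipv6hdr_model {
	uint8_t vtc;         /* version (4 bits) + top of traffic class */
	uint8_t flow_lbl[3]; /* rest of traffic class + 20-bit flow label */
};

/* The defective pattern from the commit: the source is the address of the
 * local pointer variable, so memcpy() copies four bytes of the pointer's own
 * representation instead of the header. memcpy() takes void *, so the
 * compiler cannot catch the extra level of indirection. */
static void copy_uncompressed_buggy(uint8_t *hc06_ptr, const struct ipv6hdr_model *hdr)
{
	memcpy(hc06_ptr, &hdr, 4);
}

/* The intended copy: one level of indirection, the header bytes themselves. */
static void copy_uncompressed_fixed(uint8_t *hc06_ptr, const struct ipv6hdr_model *hdr)
{
	memcpy(hc06_ptr, hdr, 4);
}

/* The compression path from the same snippet, which the fix leaves alone:
 * the last two flow-label bytes land after a one-byte dispatch value. */
static void copy_compressed(uint8_t *hc06_ptr, const struct ipv6hdr_model *hdr)
{
	memcpy(hc06_ptr + 1, &hdr->flow_lbl[1], 2);
}

/* Returns 1 when the fixed path reproduces the header bytes exactly. */
static int fixed_path_matches_header(void)
{
	struct ipv6hdr_model hdr = { 0x60, { 0x0a, 0xbc, 0xde } }; /* constructed */
	uint8_t out[4] = { 0 };

	copy_uncompressed_fixed(out, &hdr);
	return memcmp(out, &hdr, 4) == 0;
}

/* Returns 1 when the buggy path emits the first four bytes of the pointer
 * value rather than the header, which is exactly what &hdr denotes. */
static int buggy_path_copies_pointer_bytes(void)
{
	struct ipv6hdr_model hdr = { 0x60, { 0x0a, 0xbc, 0xde } };
	const struct ipv6hdr_model *p = &hdr;
	uint8_t out[4] = { 0 };

	copy_uncompressed_buggy(out, p);
	return memcmp(out, &p, 4) == 0;
}

/* Returns 1 when the compressed path places flow_lbl[1..2] after the
 * dispatch byte. */
static int compressed_path_matches(void)
{
	struct ipv6hdr_model hdr = { 0x60, { 0x0a, 0xbc, 0xde } };
	uint8_t out[3] = { 0 };

	copy_compressed(out, &hdr);
	return out[1] == 0xbc && out[2] == 0xde;
}

int main(void)
{
	printf("fixed path copies header bytes: %d\n", fixed_path_matches_header());
	printf("buggy path copies pointer bytes: %d\n", buggy_path_copies_pointer_bytes());
	printf("compressed path ok: %d\n", compressed_path_matches());
	return 0;
}
```

The buggy variant is deterministic enough to test: whatever the pointer value is, the four bytes written are its low-order representation, never the header. On a 64-bit kernel the remaining pointer bytes are simply dropped, so the packet goes out with a garbage version/traffic-class/flow-label field rather than faulting, which is why the defect survived until the code was read rather than observed.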
    • 
      ipv6: fix the use of pcpu_tstats in ip6_tunnel · 6da68047
      Li RongQing authored
      commit abb6013c upstream.
      
      When reading/writing the 64-bit data, the correct lock should be held.
      
      Fixes: 87b6d218 ("tunnel: implement 64 bits statistics")
      
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      6da68047
    • 
      cpufreq: preserve user_policy across suspend/resume · d66961bf
      Viresh Kumar authored
      commit 08fd8c1c upstream.
      
      Prevent __cpufreq_add_dev() from overwriting the existing values of
      user_policy.{min|max|policy|governor} with defaults during resume
      from system suspend.
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Reported-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
      [rjw: Changelog]
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d66961bf
    • 
      cpufreq: Clean up after a failing light-weight initialization · d00f85b2
      Rafael J. Wysocki authored
      commit 72368d12 upstream.
      
      If cpufreq_policy_restore() returns NULL during system resume,
      __cpufreq_add_dev() should just fall back to the full initialization
      instead of returning an error, because that may actually make things
      work.  Moreover, it should not leave stale fallback data behind after
      it has failed to restore a previously existing policy.
      
      This change is based on Viresh Kumar's work.
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Reported-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d00f85b2
    • 
      cpufreq: remove sysfs files for CPUs which failed to come back after resume · 83b8aa4c
      Viresh Kumar authored
      commit 42f921a6 upstream.
      
      There are cases where cpufreq_add_dev() may fail for some CPUs
      during system resume. With the current code we will still have
      sysfs cpufreq files for those CPUs and struct cpufreq_policy
      would be already freed for them. Hence any operation on those
      sysfs files would result in kernel warnings.
      
      Example of problems resulting from resume errors (from Bjørn Mork):
      
      WARNING: CPU: 0 PID: 6055 at fs/sysfs/file.c:343 sysfs_open_file+0x77/0x212()
      missing sysfs attribute operations for kobject: (null)
      Modules linked in: [stripped as irrelevant]
      CPU: 0 PID: 6055 Comm: grep Tainted: G      D      3.13.0-rc2 #153
      Hardware name: LENOVO 2776LEG/2776LEG, BIOS 6EET55WW (3.15 ) 12/19/2011
       0000000000000009 ffff8802327ebb78 ffffffff81380b0e 0000000000000006
       ffff8802327ebbc8 ffff8802327ebbb8 ffffffff81038635 0000000000000000
       ffffffff811823c7 ffff88021a19e688 ffff88021a19e688 ffff8802302f9310
      Call Trace:
       [<ffffffff81380b0e>] dump_stack+0x55/0x76
       [<ffffffff81038635>] warn_slowpath_common+0x7c/0x96
       [<ffffffff811823c7>] ? sysfs_open_file+0x77/0x212
       [<ffffffff810386e3>] warn_slowpath_fmt+0x41/0x43
       [<ffffffff81182dec>] ? sysfs_get_active+0x6b/0x82
       [<ffffffff81182382>] ? sysfs_open_file+0x32/0x212
       [<ffffffff811823c7>] sysfs_open_file+0x77/0x212
       [<ffffffff81182350>] ? sysfs_schedule_callback+0x1ac/0x1ac
       [<ffffffff81122562>] do_dentry_open+0x17c/0x257
       [<ffffffff8112267e>] finish_open+0x41/0x4f
       [<ffffffff81130225>] do_last+0x80c/0x9ba
       [<ffffffff8112dbbd>] ? inode_permission+0x40/0x42
       [<ffffffff81130606>] path_openat+0x233/0x4a1
       [<ffffffff81130b7e>] do_filp_open+0x35/0x85
       [<ffffffff8113b787>] ? __alloc_fd+0x172/0x184
       [<ffffffff811232ea>] do_sys_open+0x6b/0xfa
       [<ffffffff811233a7>] SyS_openat+0xf/0x11
       [<ffffffff8138c812>] system_call_fastpath+0x16/0x1b
      
      To fix this, remove those sysfs files or put the associated kobject
      in case of such errors. Also, to make it simple, remove the cpufreq
      sysfs links from all the CPUs (except for the policy->cpu) during
      suspend, as that operation won't result in a loss of sysfs file
      permissions and we can create those links during resume just fine.
      
      [js] no rwsem in 3.12 yet
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Reported-and-tested-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
      [rjw: Changelog]
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      83b8aa4c
    • 
      cpufreq: fix garbage kobjects on errors during suspend/resume · 85acaced
      Bjørn Mork authored
      commit 2167e239 upstream.
      
      This is effectively a revert of commit 5302c3fb ("cpufreq: Perform
      light-weight init/teardown during suspend/resume"), which enabled
      suspend/resume optimizations leaving the sysfs files in place.
      
      Errors during suspend/resume are not handled properly, leaving
      dead sysfs attributes in case of failures.  There are a number of
      functions with special code for the "frozen" case, and all these
      need to also have special error handling.
      
      The problem is easy to demonstrate by making cpufreq_driver->init()
      or cpufreq_driver->get() fail during resume.
      
      The code is too complex for a simple fix, with split code paths
      in multiple blocks within a number of functions.  It is therefore
      best to revert the patch enabling this code until the error handling
      is in place.
      
      Examples of problems resulting from resume errors:
      
      WARNING: CPU: 0 PID: 6055 at fs/sysfs/file.c:343 sysfs_open_file+0x77/0x212()
      missing sysfs attribute operations for kobject: (null)
      Modules linked in: [stripped as irrelevant]
      CPU: 0 PID: 6055 Comm: grep Tainted: G      D      3.13.0-rc2 #153
      Hardware name: LENOVO 2776LEG/2776LEG, BIOS 6EET55WW (3.15 ) 12/19/2011
       0000000000000009 ffff8802327ebb78 ffffffff81380b0e 0000000000000006
       ffff8802327ebbc8 ffff8802327ebbb8 ffffffff81038635 0000000000000000
       ffffffff811823c7 ffff88021a19e688 ffff88021a19e688 ffff8802302f9310
      Call Trace:
       [<ffffffff81380b0e>] dump_stack+0x55/0x76
       [<ffffffff81038635>] warn_slowpath_common+0x7c/0x96
       [<ffffffff811823c7>] ? sysfs_open_file+0x77/0x212
       [<ffffffff810386e3>] warn_slowpath_fmt+0x41/0x43
       [<ffffffff81182dec>] ? sysfs_get_active+0x6b/0x82
       [<ffffffff81182382>] ? sysfs_open_file+0x32/0x212
       [<ffffffff811823c7>] sysfs_open_file+0x77/0x212
       [<ffffffff81182350>] ? sysfs_schedule_callback+0x1ac/0x1ac
       [<ffffffff81122562>] do_dentry_open+0x17c/0x257
       [<ffffffff8112267e>] finish_open+0x41/0x4f
       [<ffffffff81130225>] do_last+0x80c/0x9ba
       [<ffffffff8112dbbd>] ? inode_permission+0x40/0x42
       [<ffffffff81130606>] path_openat+0x233/0x4a1
       [<ffffffff81130b7e>] do_filp_open+0x35/0x85
       [<ffffffff8113b787>] ? __alloc_fd+0x172/0x184
       [<ffffffff811232ea>] do_sys_open+0x6b/0xfa
       [<ffffffff811233a7>] SyS_openat+0xf/0x11
       [<ffffffff8138c812>] system_call_fastpath+0x16/0x1b
      
      The failure to restore cpufreq devices on cancelled hibernation is
      not a new bug. It is caused by the ACPI _PPC call failing unless the
      hibernate is completed. This makes the acpi_cpufreq driver fail its
      init.
      
      Previously, the cpufreq device could be restored by offlining the
      cpu temporarily.  And as a complete hibernation cycle would do this,
      it would be automatically restored most of the time.  But after
      commit 5302c3fb the leftover sysfs attributes will block any
      device add action.  Therefore offlining and onlining CPU 1 will no
      longer restore the cpufreq object, and a complete suspend/resume
      cycle will replace it with garbage.
      
      Fixes: 5302c3fb ("cpufreq: Perform light-weight init/teardown during suspend/resume")
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      85acaced
    • 
      drm/nv50/disp: min/max are reversed in nv50_crtc_gamma_set() · 4b1774f7
      Dan Carpenter authored
      commit bdefc8cb upstream.
      
      We should be taking the minimum here instead of the max.  It could lead
      to a buffer overflow.
      
      Fixes: 438d99e3 ('drm/nvd0/disp: initial crtc object implementation')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      
      a/drm/nv50_display.c b/drm/nv50_display.c
      index f8e66c08b11a..4e384a2f99c3 100644
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      4b1774f7
    • 
      Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd() · c8a1464f
      Dan Carpenter authored
      commit cb4855b4 upstream.
      
      We fixed this to use free_netdev() instead of kfree() but unfortunately
      free_netdev() doesn't accept NULL pointers.  Smatch complains about
      this; it's not something I discovered through testing.
      
      Fixes: 3030d40b ('staging: vt6655: use free_netdev instead of kfree')
      Fixes: 0a438d5b ('staging: vt6656: use free_netdev instead of kfree')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      c8a1464f
    • 
      mfd: pm8921: Potential NULL dereference in pm8921_remove() · 87822b39
      Dan Carpenter authored
      commit d6daef95 upstream.
      
      We assume that "pmic" could be NULL and then dereference it two lines
      later.  I fix this by moving the dereference inside the NULL check.
      
      Fixes: c013f0a5 ('mfd: Add pm8xxx irq support')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      87822b39
    • 
      6lowpan: release device on error path · 83037689
      Dan Carpenter authored
      commit 78032f9b upstream.
      
      We recently added a new error path and it needs a dev_put().
      
      Fixes: 7adac1ec ('6lowpan: Only make 6lowpan links to IEEE802154 devices')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      83037689
    • 
      ocfs2: do not write error flag to user structure we cannot copy from/to · 9095638d
      Ben Hutchings authored
      commit 2b462638 upstream.
      
      If we failed to copy from the structure, writing back the flags leaks 31
      bits of kernel memory (the rest of the ir_flags field).
      
      In any case, if we cannot copy from/to the structure, why should we
      expect putting just the flags to work?
      
      Also make sure ocfs2_info_handle_freeinode() returns the right error
      code if the copy_to_user() fails.
      
      Fixes: ddee5cdb ('Ocfs2: Add new OCFS2_IOC_INFO ioctl for ocfs2 v8.')
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Cc: Joel Becker <jlbec@evilplan.org>
      Acked-by: Mark Fasheh <mfasheh@suse.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      9095638d
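As an added illustration of the leak pattern described in the commit above (this is example code, not ocfs2's own handler or the kernel's copy helpers), the user-space C model below contrasts an error path that writes the flags word back after a failed copy-in with one that returns -EFAULT without touching the caller's structure. `struct info_req_model`, the `copy_from_user_model()`/`put_user_model()` stand-ins, the error-flag bit and the "stale" kernel buffer contents are all assumptions of this example; the stale pattern stands in for whatever the kernel-side buffer happened to hold, which is the 31 bits the commit says were leaking.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFAULT_MODEL   14    /* stands in for -EFAULT */
#define INFO_FL_ERROR  0x01  /* stands in for the request's error flag bit */

/* Constructed model of an ioctl request header with a flags word.
 * Not ocfs2's struct ocfs2_info_request. */
struct info_req_model {
	uint32_t ir_magic;
	uint32_t ir_code;
	uint32_t ir_flags;
};

/* Stand-in for copy_from_user(): 'fault' forces the copy-in to fail the way
 * an unreadable user address would. Non-zero return means failure. */
static int copy_from_user_model(struct info_req_model *kreq,
				const struct info_req_model *ureq, int fault)
{
	if (fault)
		return 1;
	memcpy(kreq, ureq, sizeof(*kreq));
	return 0;
}

/* Stand-in for put_user() of a single 32-bit word. */
static void put_user_model(uint32_t val, uint32_t *uptr)
{
	*uptr = val;
}

/* Before the fix: when the copy-in fails, the bail path still ORs the error
 * bit into the kernel-side flags and writes the whole word back to the
 * caller. The other 31 bits were never filled from user space, so whatever
 * the kernel buffer held is disclosed. */
static int handle_buggy(struct info_req_model *kreq, struct info_req_model *ureq, int fault)
{
	int status = 0;

	if (copy_from_user_model(kreq, ureq, fault)) {
		status = -EFAULT_MODEL;
		goto bail;
	}
	/* ... the handler's real work would go here ... */
bail:
	if (status) {
		kreq->ir_flags |= INFO_FL_ERROR;
		put_user_model(kreq->ir_flags, &ureq->ir_flags);
	}
	return status;
}

/* After the fix: a failed copy-in returns -EFAULT and leaves the user
 * structure untouched; an error flag is only ever set on a request that
 * was actually read. */
static int handle_fixed(struct info_req_model *kreq, struct info_req_model *ureq, int fault)
{
	if (copy_from_user_model(kreq, ureq, fault))
		return -EFAULT_MODEL;
	/* ... the handler's real work would go here ... */
	return 0;
}

typedef int (*handler_fn)(struct info_req_model *, struct info_req_model *, int);

/* Runs one handler with a forced copy-in fault against a kernel buffer seeded
 * with a constructed "stale" pattern and returns the flags the caller sees. */
static uint32_t flags_seen_by_user(handler_fn handler)
{
	struct info_req_model kreq = { 0, 0, 0xdeadbeee }; /* constructed stale contents */
	struct info_req_model ureq = { 0x4f494e46, 1, 0 };  /* constructed request */

	handler(&kreq, &ureq, 1);
	return ureq.ir_flags;
}

/* Status the fixed handler reports for a faulting copy-in. */
static int fixed_status_on_fault(void)
{
	struct info_req_model kreq = { 0, 0, 0 };
	struct info_req_model ureq = { 0, 0, 0 };

	return handle_fixed(&kreq, &ureq, 1);
}

int main(void)
{
	printf("buggy: user sees flags 0x%08x\n", flags_seen_by_user(handle_buggy));
	printf("fixed: user sees flags 0x%08x, status %d\n",
	       flags_seen_by_user(handle_fixed), fixed_status_on_fault());
	return 0;
}
```

The buggy path hands the caller 0xdeadbeef: the error bit plus 31 bits it had no business seeing. The fixed path returns the fault status and writes nothing, which is also the behaviour the commit asks for when the copy-out fails.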
    • 
      ext4: fix fencepost in s_first_meta_bg validation · 7ae31f6a
      Theodore Ts'o authored
      commit 2ba3e6e8 upstream.
      
      It is OK for s_first_meta_bg to be equal to the number of block group
      descriptor blocks.  (It rarely happens, but it shouldn't cause any
      problems.)
      
      https://bugzilla.kernel.org/show_bug.cgi?id=194567
      
      Fixes: 3a4b77cd
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      7ae31f6a
    • 
      ext4: validate s_first_meta_bg at mount time · bb878bde
      Eryu Guan authored
      commit 3a4b77cd upstream.
      
      Ralf Spenneberg reported that he hit a kernel crash when mounting a
      modified ext4 image. And it turns out that the kernel crashed when
      calculating fs overhead (ext4_calculate_overhead()); this is because
      the image has a very large s_first_meta_bg (debug code shows it's
      842150400), and ext4 overruns the memory in count_overhead() when
      setting the bitmap buffer, which is PAGE_SIZE.
      
      ext4_calculate_overhead():
        buf = get_zeroed_page(GFP_NOFS);  <=== PAGE_SIZE buffer
        blks = count_overhead(sb, i, buf);
      
      count_overhead():
        for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
                ext4_set_bit(EXT4_B2C(sbi, s++), buf);   <=== buffer overrun
                count++;
        }
      
      This can be reproduced easily for me by this script:
      
        #!/bin/bash
        rm -f fs.img
        mkdir -p /mnt/ext4
        fallocate -l 16M fs.img
        mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
        debugfs -w -R "ssv first_meta_bg 842150400" fs.img
        mount -o loop fs.img /mnt/ext4
      
      Fix it by validating s_first_meta_bg first at mount time, and
      refusing to mount if its value exceeds the largest possible meta_bg
      number.
      
      [js] use EXT4_HAS_INCOMPAT_FEATURE instead of new
           ext4_has_feature_meta_bg
      Reported-by: Ralf Spenneberg <ralf@os-t.de>
      Signed-off-by: Eryu Guan <guaneryu@gmail.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Andreas Dilger <adilger@dilger.ca>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      bb878bde
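As an added worked example covering both ext4 commits above (the mount-time s_first_meta_bg validation and the fencepost fix that allows the value to equal the descriptor-block count), the C model below computes the group-descriptor block count from a few geometry parameters, applies the corrected check, and shows why the unchecked value of 842150400 from the report cannot fit in a PAGE_SIZE bitmap. This is example code, not the kernel's ext4_fill_super(), ext4_bg_num_gdb() or count_overhead(); `struct geom_model`, the helper names, the 4096-byte page and the geometry chosen to resemble the 16M, 1k-block image from the reproduction script are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the geometry a mount has to hand when it validates
 * s_first_meta_bg. Plain parameters, not the kernel's superblock structs. */
struct geom_model {
	uint64_t blocks_count;     /* s_blocks_count */
	uint32_t first_data_block; /* s_first_data_block (1 for 1k blocks) */
	uint32_t blocks_per_group; /* s_blocks_per_group */
	uint32_t block_size;       /* 1 << (10 + s_log_block_size) */
	uint32_t desc_size;        /* group descriptor size (32 without 64bit) */
	int      has_meta_bg;      /* INCOMPAT_META_BG set */
};

/* Number of block groups, rounding up as the mount path does. */
static uint32_t groups_count(const struct geom_model *g)
{
	uint64_t data_blocks = g->blocks_count - g->first_data_block;

	return (uint32_t)((data_blocks + g->blocks_per_group - 1) / g->blocks_per_group);
}

/* Number of blocks needed to hold every group descriptor (db_count). */
static uint32_t gdb_count(const struct geom_model *g)
{
	uint32_t desc_per_block = g->block_size / g->desc_size;
	uint32_t groups = groups_count(g);

	return (groups + desc_per_block - 1) / desc_per_block;
}

/* The mount-time check both commits converge on: with meta_bg enabled,
 * s_first_meta_bg may be at most db_count. Equal is allowed (the fencepost
 * fix uses '>' rather than '>='); greater refuses the mount.
 * Returns 0 to accept and -1 to refuse. */
static int validate_first_meta_bg(const struct geom_model *g, uint32_t first_meta_bg)
{
	if (!g->has_meta_bg)
		return 0; /* the field is unused without the feature */
	if (first_meta_bg > gdb_count(g))
		return -1;
	return 0;
}

/* Why the unchecked value crashes: the commit message shows the
 * count_overhead() loop bound j equal to s_first_meta_bg for a group that
 * carries descriptor blocks, and each iteration sets one more bit in a
 * PAGE_SIZE bitmap. Returns 1 when that many bits stay inside the page. */
static int overhead_bits_fit(uint32_t first_meta_bg, uint32_t page_size)
{
	uint64_t page_bits = (uint64_t)page_size * 8;

	return (uint64_t)first_meta_bg <= page_bits;
}

/* Geometry resembling a 16M image with 1k blocks and meta_bg (assumed
 * typical values, not read from the page). */
static const struct geom_model small_image = {
	.blocks_count = 16384, .first_data_block = 1, .blocks_per_group = 8192,
	.block_size = 1024, .desc_size = 32, .has_meta_bg = 1,
};

int main(void)
{
	uint32_t bad = 842150400; /* value from the report */

	printf("groups=%u db_count=%u\n", groups_count(&small_image), gdb_count(&small_image));
	printf("first_meta_bg=%u -> %s\n", bad,
	       validate_first_meta_bg(&small_image, bad) ? "refused" : "accepted");
	printf("%u overhead bits fit in a 4k page: %d\n", bad, overhead_bits_fit(bad, 4096));
	return 0;
}
```

With this geometry db_count is 1, so a first_meta_bg of 1 mounts and 2 or 842150400 is refused at mount time, before count_overhead() ever runs; a 4k page holds 32768 bits, so the reported value would have walked roughly 25000 pages past the buffer.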
  2. 01 Mar, 2017 26 commits