08 Dec, 2016 (27 commits)
02 Dec, 2016 (13 commits)
    • Linux 4.8.12 · 356ccf6d
      Greg Kroah-Hartman authored
    • scsi: mpt3sas: Unblock device after controller reset · f81c9001
      Suganath Prabu S authored
      commit 7ff723ad upstream.
      
      While issuing any ATA passthrough command to firmware the driver will
      block the device. But it will unblock the device only if the I/O
      completes through the ISR path. If a controller reset occurs before
      command completion the device will remain in blocked state.
      
      Make sure we unblock the device following a controller reset if an ATA
      passthrough command was queued.
      
      [mkp: clarified patch description]
      
      Fixes: ac6c2a93bd07 ("mpt3sas: Fix for SATA drive in blocked state, after diag reset")
      Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • flow_dissect: call init_default_flow_dissectors() earlier · 3de3eebb
      Eric Dumazet authored
      commit c9b8af13 upstream.
      
      Andre Noll reported panics after my recent fix (commit 34fad54c
      "net: __skb_flow_dissect() must cap its return value")
      
      After some more headaches, Alexander root caused the problem to
      init_default_flow_dissectors() being called too late, in case
      a network driver like IGB is not a module and receives DHCP message
      very early.
      
      Fix is to call init_default_flow_dissectors() much earlier,
      as it is a core infrastructure and does not depend on another
      kernel service.
      
      Fixes: 06635a35 ("flow_dissect: use programable dissector in skb_flow_dissect and friends")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: Andre Noll <maan@tuebingen.mpg.de>
      Diagnosed-by: Alexander Duyck <alexander.h.duyck@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mm, oom: stop pre-mature high-order OOM killer invocations · 7838fbe2
      Michal Hocko authored
      
      31e49bfd ("mm, oom: protect !costly allocations some more for
      !CONFIG_COMPACTION") was an attempt to reduce chances of premature OOM
      killer invocation for high order requests. It seemed to work for most
      users just fine but it is far from bullet proof and obviously not
      sufficient for Marc who has reported premature OOM killer invocations
      with 4.8 based kernels. 4.9 with all the compaction improvements seems
      to be behaving much better but that would be too intrusive to backport
      to 4.8 stable kernels. Instead this patch simply never declares OOM for
      !costly high order requests. We rely on order-0 requests to do that in
      case we are really out of memory. Order-0 requests are much more common
      and so a risk of a livelock without any way forward is highly unlikely.
      
      Reported-by: Marc MERLIN <marc@merlins.org>
      Tested-by: Marc MERLIN <marc@merlins.org>
      Signed-off-by: Michal Hocko <mhocko@suse.com>
    • can: bcm: fix support for CAN FD frames · 374ff835
      Oliver Hartkopp authored
      commit 5499a6b2 upstream.
      
      Since commit 6f3b911d ("can: bcm: add support for CAN FD frames") the
      CAN broadcast manager supports CAN and CAN FD data frames.
      
      As these data frames are embedded in struct can[fd]_frames which have a
      different length the access to the provided array of CAN frames became
      dependent on op->cfsiz. By using a struct canfd_frame pointer for the array of
      CAN frames the new offset calculation based on op->cfsiz was accidentally applied
      to CAN FD frame element lengths.
      
      This fix makes the pointer to the arrays of the different CAN frame types a
      void pointer so that the offset calculation in bytes accesses the correct CAN
      frame elements.
      
      Reference: http://marc.info/?l=linux-netdev&m=147980658909653
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Tested-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
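Added example, not code from this commit or from the kernel: the pointer-scaling mistake the message describes, reproduced in user space with cut-down stand-ins for struct can_frame and struct canfd_frame (only the leading can_id and the 16/72 byte sizes are kept). build_frames(), frame_id_untyped() and frame_id_typed() are names invented here; the untyped accessor is the shape the fix moves to, the typed one is the shape the fix removes. The sample frames and the 0xff fill are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the Linux UAPI frame structs, constructed for
 * this example. Only the leading can_id and the overall sizes matter:
 * 16 bytes for a classic frame, 72 for a CAN FD frame. */
struct can_frame {
	uint32_t can_id;
	uint8_t  can_dlc, pad[3];
	uint8_t  data[8] __attribute__((aligned(8)));
};
struct canfd_frame {
	uint32_t can_id;
	uint8_t  len, flags, res[2];
	uint8_t  data[64] __attribute__((aligned(8)));
};

#define NFRAMES 4
#define SCRATCH 4096

/* Lay out NFRAMES classic frames back to back, the way a bcm op stores its
 * frames for a classic-CAN socket (op->cfsiz == sizeof(struct can_frame)).
 * Everything past them is 0xff so a mis-scaled read is easy to recognise. */
void *build_frames(size_t *cfsiz)
{
	unsigned char *buf = malloc(SCRATCH);
	if (!buf)
		return NULL;
	memset(buf, 0xff, SCRATCH);
	for (unsigned i = 0; i < NFRAMES; i++) {
		struct can_frame cf = { .can_id = 0x100 + i, .can_dlc = 1 };
		memcpy(buf + i * sizeof cf, &cf, sizeof cf);
	}
	*cfsiz = sizeof(struct can_frame);
	return buf;
}

/* Fixed form: byte-wise arithmetic on an untyped pointer, so
 * frames + i * cfsiz is element i whatever frame type the op carries. */
uint32_t frame_id_untyped(const void *frames, size_t cfsiz, unsigned i)
{
	const struct can_frame *cf =
		(const struct can_frame *)((const unsigned char *)frames + i * cfsiz);
	return cf->can_id;
}

/* Buggy form: the same expression on a struct canfd_frame * is scaled by
 * sizeof(struct canfd_frame), so element 1 of a classic-CAN array is read
 * 16 * 72 bytes in instead of 16 bytes in. */
uint32_t frame_id_typed(const void *frames, size_t cfsiz, unsigned i)
{
	const struct canfd_frame *base = frames;
	const struct canfd_frame *p = base + i * cfsiz;
	return p->can_id;
}

/* Build the sample, read one id with either accessor, release the buffer. */
uint32_t sample_frame_id(int typed, unsigned i)
{
	size_t cfsiz;
	void *frames = build_frames(&cfsiz);
	if (!frames)
		return 0;
	uint32_t id = typed ? frame_id_typed(frames, cfsiz, i)
			    : frame_id_untyped(frames, cfsiz, i);
	free(frames);
	return id;
}

int main(void)
{
	for (unsigned i = 0; i < NFRAMES; i++)
		printf("frame %u: untyped 0x%x, typed 0x%x\n", i,
		       sample_frame_id(0, i), sample_frame_id(1, i));
	return 0;
}
```

Element 0 reads correctly with either accessor, which is why the bug only shows once an op carries more than one frame; from element 1 on, the typed accessor lands in the 0xff fill (and, in the kernel, in whatever memory happens to follow the allocation).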
    • powerpc/boot: Fix the early OPAL console wrappers · 7ed8d94b
      Oliver O'Halloran authored
      commit a1ff5741 upstream.
      
      When configured with CONFIG_PPC_EARLY_DEBUG_OPAL=y the kernel expects
      the OPAL entry and base addresses to be passed in r8 and r9
      respectively. Currently the wrapper does not attempt to restore these
      values before entering the decompressed kernel which causes the kernel
      to branch into whatever happens to be in r9 when doing a write to the
      OPAL console in early boot.
      
      This patch adds a platform_ops hook that can be used to branch into the
      new kernel. The OPAL console driver patches this at runtime so that if
      the console is used it will be restored just prior to entering the
      kernel.
      
      Fixes: 656ad58e ("powerpc/boot: Add OPAL console to epapr wrappers")
      Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc/mm: Fixup kernel read only mapping · 7cbe9568
      Aneesh Kumar K.V authored
      commit 984d7a1e upstream.
      
      With commit e58e87ad ("powerpc/mm: Update _PAGE_KERNEL_RO") we
      started using the ppp value 0b110 to map kernel readonly. But that
      facility was only added as part of ISA 2.04. For earlier ISA version
      only supported ppp bit value for readonly mapping is 0b011. (This
      implies both user and kernel get mapped using the same ppp bit value for
      readonly mapping.).
      Update the code such that for earlier architecture version we use ppp
      value 0b011 for readonly mapping. We don't differentiate between power5+
      and power5 here and apply the new ppp bits only from power6 (ISA 2.05).
      This keeps the changes minimal.
      
      This fixes issue with PS3 spu usage reported at
      https://lkml.kernel.org/r/rep.1421449714.geoff@infradead.org
      
      Fixes: e58e87ad ("powerpc/mm: Update _PAGE_KERNEL_RO")
      Tested-by: Geoff Levand <geoff@infradead.org>
      Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc: Set missing wakeup bit in LPCR on POWER9 · 30988ea3
      Benjamin Herrenschmidt authored
      commit 7a43906f upstream.
      
      There is a new bit, LPCR_PECE_HVEE (Hypervisor Virtualization Exit
      Enable), which controls wakeup from STOP states on Hypervisor
      Virtualization Interrupts (which happen to also be all external
      interrupts in host or bare metal mode).
      
      It needs to be set or we will miss wakeups.
      
      Fixes: 9baaef0a ("powerpc/irq: Add support for HV virtualization interrupts")
      Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      [mpe: Rename it to HVEE to match the name in the ISA]
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • device-dax: fail all private mapping attempts · 8d248df4
      Dan Williams authored
      commit 4cb19355 upstream.
      
      The device-dax implementation originally tried to be tricky and allow
      private read-only mappings, but in the process allowed writable
      MAP_PRIVATE + MAP_NORESERVE mappings.  For simplicity and predictability
      just fail all private mapping attempts since device-dax memory is
      statically allocated and will never support overcommit.
      
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Fixes: dee41079 ("/dev/dax, core: file operations and dax-mmap")
      Reported-by: Pawel Lebioda <pawel.lebioda@intel.com>
      Signed-off-by: Dan Williams <dan.j.williams@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • device-dax: check devm_nsio_enable() return value · f87a4831
      Dan Williams authored
      commit 6a84fb4b upstream.
      
      If the dax_pmem driver is passed a resource that is already busy the
      driver probe attempt should fail with a message like the following:
      
        dax_pmem dax0.1: could not reserve region [mem 0x100000000-0x11fffffff]
      
      However, if we do not catch the error we crash for the obvious reason of
      accessing memory that is not mapped.
      
       BUG: unable to handle kernel paging request at ffffc90020001000
       IP: [<ffffffff81496712>] __memcpy+0x12/0x20
       [..]
       Call Trace:
        [<ffffffff815c4960>] ? nsio_rw_bytes+0x60/0x180
        [<ffffffff815c6045>] nd_pfn_validate+0x75/0x320
        [<ffffffff815c63a9>] nvdimm_setup_pfn+0xb9/0x5d0
        [<ffffffff815c48ef>] ? devm_nsio_enable+0xff/0x110
        [<ffffffff815cb699>] dax_pmem_probe+0x59/0x260
      
      Fixes: ab68f262 ("/dev/dax, pmem: direct access to persistent memory")
      Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
      Signed-off-by: Dan Williams <dan.j.williams@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xc2028: Fix use-after-free bug properly · 5b08489e
      Takashi Iwai authored
      commit 22a1e778 upstream.
      
      The commit 8dfbcc43 ("[media] xc2028: avoid use after free") tried
      to address the reported use-after-free by clearing the reference.
      
      However, it's clearing the wrong pointer; it sets NULL to
      priv->ctrl.fname, but it's anyway overwritten by the next line
      memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
      
      OTOH, the actual code accessing the freed string is the strcmp() call
      with priv->fname:
      	if (!firmware_name[0] && p->fname &&
      	    priv->fname && strcmp(p->fname, priv->fname))
      		free_firmware(priv);
      
      where priv->fname points to the previous file name, and this was
      already freed by kfree().
      
      For fixing the bug properly, this patch does the following:
      
      - Keep the copy of firmware file name in only priv->fname,
        priv->ctrl.fname isn't changed;
      - The allocation is done only when the firmware gets loaded;
      - The kfree() is called in free_firmware() commonly
      
      Fixes: commit 8dfbcc43 ('[media] xc2028: avoid use after free')
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • X.509: Fix double free in x509_cert_parse() [ver #3] · 9030deb2
      Andrey Ryabinin authored
      commit 2b95fda2 upstream.
      
      We shouldn't free cert->pub->key in x509_cert_parse() because
      x509_free_certificate() also does this:
      	BUG: Double free or freeing an invalid pointer
      	...
      	Call Trace:
      	 [<ffffffff81896c20>] dump_stack+0x63/0x83
      	 [<ffffffff81356571>] kasan_object_err+0x21/0x70
      	 [<ffffffff81356ed9>] kasan_report_double_free+0x49/0x60
      	 [<ffffffff813561ad>] kasan_slab_free+0x9d/0xc0
      	 [<ffffffff81350b7a>] kfree+0x8a/0x1a0
      	 [<ffffffff81844fbf>] public_key_free+0x1f/0x30
      	 [<ffffffff818455d4>] x509_free_certificate+0x24/0x90
      	 [<ffffffff818460bc>] x509_cert_parse+0x2bc/0x300
      	 [<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
      	 [<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
      	 [<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
      	 [<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
      	 [<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad
      	Object at ffff880110bd1900, in cache kmalloc-512 size: 512
      	....
      	Freed:
      	PID = 2579
      	[<ffffffff8104283b>] save_stack_trace+0x1b/0x20
      	[<ffffffff813558f6>] save_stack+0x46/0xd0
      	[<ffffffff81356183>] kasan_slab_free+0x73/0xc0
      	[<ffffffff81350b7a>] kfree+0x8a/0x1a0
      	[<ffffffff818460a3>] x509_cert_parse+0x2a3/0x300
      	[<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
      	[<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
      	[<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
      	[<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
      	[<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad
      
      Fixes: db6c43bd ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
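Added example, not code from the kernel or from this patch: a user-space model of the ownership rule the fix restores, namely that once the key material belongs to cert->pub, only x509_free_certificate() (via public_key_free()) releases it, so an error path in the parser must not free it by hand. The structures are cut down to the pub->key relationship, kfree_checked() is a small quarantine that counts a second free of the same pointer the way the KASAN report above flags it, and the parse failure is constructed (a blob shorter than 16 bytes is treated as having no signature). public_key_free(), x509_free_certificate() and x509_cert_parse() here are simplified models of the kernel functions of those names; every other name is invented for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* A tiny quarantine standing in for KASAN's double-free check (constructed
 * for this example): every pointer freed is remembered, and a second free
 * of the same pointer is counted instead of reaching the allocator. */
#define QUARANTINE 32
static void *quarantine[QUARANTINE];
static int nquarantine, double_frees;

static void quarantine_reset(void)
{
	nquarantine = 0;
	double_frees = 0;
}

static void kfree_checked(void *p)
{
	if (!p)
		return;
	for (int i = 0; i < nquarantine; i++)
		if (quarantine[i] == p) {
			double_frees++;
			return;
		}
	if (nquarantine < QUARANTINE)
		quarantine[nquarantine++] = p;
	free(p);
}

/* Cut-down models of the kernel structures: the certificate owns pub,
 * pub owns the key bytes. */
struct public_key {
	void *key;
	size_t keylen;
};
struct x509_certificate {
	struct public_key *pub;
};

static void public_key_free(struct public_key *pub)
{
	if (pub) {
		kfree_checked(pub->key);
		kfree_checked(pub);
	}
}

static void x509_free_certificate(struct x509_certificate *cert)
{
	if (cert) {
		public_key_free(cert->pub);
		kfree_checked(cert);
	}
}

/* Model of x509_cert_parse(): take over the key material, then fail later
 * in the parse. The failure is constructed: a blob shorter than 16 bytes
 * is treated as having no signature. With `buggy` set the error path frees
 * cert->pub->key itself and then calls x509_free_certificate(), which frees
 * it again; the fixed path leaves every free to x509_free_certificate(). */
static struct x509_certificate *x509_cert_parse(const void *data, size_t len, int buggy)
{
	struct x509_certificate *cert = calloc(1, sizeof *cert);
	if (!cert)
		return NULL;
	cert->pub = calloc(1, sizeof *cert->pub);
	if (!cert->pub)
		goto error;
	cert->pub->key = malloc(len);
	if (!cert->pub->key)
		goto error;
	memcpy(cert->pub->key, data, len);
	cert->pub->keylen = len;

	if (len < 16) {
		if (buggy)
			kfree_checked(cert->pub->key); /* first free */
		goto error;                            /* second free inside */
	}
	return cert;

error:
	x509_free_certificate(cert);
	return NULL;
}

/* Run one failing parse on a constructed 8-byte blob and report how many
 * double frees the quarantine saw: 1 for the buggy path, 0 for the fixed one. */
int double_frees_in_failed_parse(int buggy)
{
	static const unsigned char blob[8] = { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x03 };
	quarantine_reset();
	struct x509_certificate *cert = x509_cert_parse(blob, sizeof blob, buggy);
	if (cert) /* not expected for a short blob */
		x509_free_certificate(cert);
	return double_frees;
}

/* A parse that succeeds hands back a fully owned certificate; freeing it
 * once releases everything with no double free. */
int double_frees_in_ok_parse(void)
{
	static const unsigned char blob[24] = { 0x30, 0x16 };
	quarantine_reset();
	struct x509_certificate *cert = x509_cert_parse(blob, sizeof blob, 0);
	if (!cert)
		return -1;
	x509_free_certificate(cert);
	return double_frees;
}
```

The discipline the fixed path follows is the one worth carrying into any parser with nested allocations: decide which destructor owns each sub-object, make every error label jump to that one destructor, and never free a field by hand on the way out.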
    • mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] · 0257b7e2
      Andrey Ryabinin authored
      commit f5527fff upstream.
      
      This fixes CVE-2016-8650.
      
      If mpi_powm() is given a zero exponent, it wants to immediately return
      either 1 or 0, depending on the modulus.  However, if the result was
      initialised with zero limb space, no limb space is allocated and a
      NULL-pointer exception ensues.
      
      Fix this by allocating a minimal amount of limb space for the result in
      the 0-exponent case when the result is 1 and not touching the limb space
      when the result is 0.
      
      This affects the use of RSA keys and X.509 certificates that carry them.
      
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
      PGD 0
      Oops: 0002 [#1] SMP
      Modules linked in:
      CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
      Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
      task: ffff8804011944c0 task.stack: ffff880401294000
      RIP: 0010:[<ffffffff8138ce5d>]  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
      RSP: 0018:ffff880401297ad8  EFLAGS: 00010212
      RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
      RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
      RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
      R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
      FS:  00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
      Stack:
       ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
       0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
       ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
      Call Trace:
       [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
       [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
       [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
       [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
       [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
       [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
       [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
       [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
       [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
       [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
       [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
       [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
       [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
       [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
       [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
       [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
      Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
      RIP  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
       RSP <ffff880401297ad8>
      CR2: 0000000000000000
      ---[ end trace d82015255d4a5d8d ]---
      
      Basically, this is a backport of a libgcrypt patch:
      
      	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
      
      Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)")
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
      cc: linux-ima-devel@lists.sourceforge.net
      Signed-off-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
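Added example, not the kernel's lib/mpi code: a single-limb toy MPI that shows the 0-exponent path the fix introduces. mpi_alloc(0) gives a result with no limb space (d == NULL), the state the call chain above arrives in; mpi_powm() then either leaves the limb space untouched for a 0 result or resizes before writing the 1. The struct layout (alloced, nlimbs, d) and the mpi_* names are modelled loosely on lib/mpi but are simplified here and are not its API; powm_from_empty() is a helper invented for the example. Non-zero exponents use ordinary square-and-multiply so the function is usable on real small inputs, which the page's own message does not show.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long mpi_limb_t;

/* Toy MPI with at most one limb: alloced is the limb space available,
 * nlimbs the limbs in use, d the limb array (NULL when alloced == 0). */
typedef struct {
	unsigned alloced;
	unsigned nlimbs;
	mpi_limb_t *d;
} mpi_t;

/* mpi_alloc(0) gives an MPI with no limb space at all, d == NULL. */
mpi_t *mpi_alloc(unsigned nlimbs)
{
	mpi_t *a = calloc(1, sizeof *a);
	if (!a)
		return NULL;
	if (nlimbs) {
		a->d = calloc(nlimbs, sizeof(mpi_limb_t));
		if (!a->d) {
			free(a);
			return NULL;
		}
	}
	a->alloced = nlimbs;
	return a;
}

/* Grow the limb space to at least nlimbs, zeroing the new limbs. */
int mpi_resize(mpi_t *a, unsigned nlimbs)
{
	if (nlimbs <= a->alloced)
		return 0;
	mpi_limb_t *p = realloc(a->d, nlimbs * sizeof *p);
	if (!p)
		return -ENOMEM;
	memset(p + a->alloced, 0, (nlimbs - a->alloced) * sizeof *p);
	a->d = p;
	a->alloced = nlimbs;
	return 0;
}

void mpi_free(mpi_t *a)
{
	if (a) {
		free(a->d);
		free(a);
	}
}

/* A zero value has no limbs in use, so it also needs no limb space. */
mpi_t *mpi_set_ui(unsigned long v)
{
	mpi_t *a = mpi_alloc(v ? 1 : 0);
	if (a && v) {
		a->d[0] = v;
		a->nlimbs = 1;
	}
	return a;
}

unsigned long mpi_get_ui(const mpi_t *a)
{
	return a->nlimbs ? a->d[0] : 0;
}

/* res = base^exp mod mod. The 0-exponent branch mirrors the fix: a 0
 * result touches no limb space (res->d may stay NULL); a 1 result needs
 * one limb, which is allocated before the write. The CVE-2016-8650 code
 * wrote res->d[0] = 1 without that resize. Non-zero exponents use
 * square-and-multiply with a 128-bit intermediate (gcc/clang extension). */
int mpi_powm(mpi_t *res, const mpi_t *base, const mpi_t *exp, const mpi_t *mod)
{
	if (!mod->nlimbs)
		return -EINVAL;		/* modulus 0: nothing sensible to do */
	unsigned long m = mpi_get_ui(mod);
	if (!exp->nlimbs) {
		if (m == 1) {
			res->nlimbs = 0;	/* x^0 mod 1 == 0: leave d alone */
			return 0;
		}
		int rc = mpi_resize(res, 1);	/* x^0 == 1: need one limb first */
		if (rc)
			return rc;
		res->d[0] = 1;
		res->nlimbs = 1;
		return 0;
	}
	unsigned long b = mpi_get_ui(base) % m, e = mpi_get_ui(exp), r = 1 % m;
	while (e) {
		if (e & 1)
			r = (unsigned long)((unsigned __int128)r * b % m);
		b = (unsigned long)((unsigned __int128)b * b % m);
		e >>= 1;
	}
	int rc = mpi_resize(res, 1);
	if (rc)
		return rc;
	res->d[0] = r;
	res->nlimbs = r ? 1 : 0;
	return 0;
}

/* Compute base^exp mod mod into a result that starts with zero limb space,
 * the way the crashing caller did; returns the value, or -1 on error. */
long powm_from_empty(unsigned long base, unsigned long exp, unsigned long mod)
{
	mpi_t *b = mpi_set_ui(base), *e = mpi_set_ui(exp), *m = mpi_set_ui(mod);
	mpi_t *r = mpi_alloc(0);
	long out = -1;
	if (b && e && m && r && mpi_powm(r, b, e, m) == 0)
		out = (long)mpi_get_ui(r);
	mpi_free(b);
	mpi_free(e);
	mpi_free(m);
	mpi_free(r);
	return out;
}
```

powm_from_empty(5, 0, 7) is the case that oopsed: the exponent has no limbs, the result has no limb space, and the answer is 1, so a limb must be allocated before anything is stored. powm_from_empty(5, 0, 1) is the other branch, where the answer is 0 and the result's limb count is set without ever touching d. An attacker-supplied key with a zero public exponent is what drives the real mpi_powm() down this path via add_key(2), which is why the message notes the impact on RSA keys and the X.509 certificates that carry them.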