1. 20 Nov, 2016 40 commits
    • Jan Kara's avatar
      posix_acl: Clear SGID bit when setting file permissions · f2ba3e23
      Jan Kara authored
      commit 07393101 upstream.
      
      When file permissions are modified via chmod(2) and the user is not in
      the owning group or capable of CAP_FSETID, the setgid bit is cleared in
      inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
      permissions as well as the new ACL, but doesn't clear the setgid bit in
      a similar way; this allows to bypass the check in chmod(2).  Fix that.
      
      References: CVE-2016-7097
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      [bwh: Backported to 3.16:
       - Drop changes to orangefs
       - Adjust context
       - Update ext3 as well]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f2ba3e23
    • Jan Kara's avatar
      fs: Avoid premature clearing of capabilities · 3418703a
      Jan Kara authored
      commit 030b533c upstream.
      
      Currently, notify_change() clears capabilities or IMA attributes by
      calling security_inode_killpriv() before calling into ->setattr. Thus it
      happens before any other permission checks in inode_change_ok() and user
      is thus allowed to trigger clearing of capabilities or IMA attributes
      for any file he can look up e.g. by calling chown for that file. This is
      unexpected and can lead to user DoSing a system.
      
      Fix the problem by calling security_inode_killpriv() at the end of
      inode_change_ok() instead of from notify_change(). At that moment we are
      sure user has permissions to do the requested change.
      
      References: CVE-2015-1350
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3418703a
    • Jan Kara's avatar
      fs: Give dentry to inode_change_ok() instead of inode · be9df699
      Jan Kara authored
      commit 31051c85 upstream.
      
      inode_change_ok() will be resposible for clearing capabilities and IMA
      extended attributes and as such will need dentry. Give it as an argument
      to inode_change_ok() instead of an inode. Also rename inode_change_ok()
      to setattr_prepare() to better relect that it does also some
      modifications in addition to checks.
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      [bwh: Backported to 3.16:
       - Drop changes to orangefs, overlayfs
       - Adjust filenames, context
       - In fuse, pass dentry to fuse_do_setattr()
       - In nfsd, pass dentry to nfsd_sanitize_attrs()
       - In xfs, pass dentry to xfs_setattr_nonsize() and xfs_setattr_size()
       - Update ext3 as well]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      be9df699
    • Vlad Tsyrklevich's avatar
      vfio/pci: Fix integer overflows, bitmask check · 6593fe0c
      Vlad Tsyrklevich authored
      commit 05692d70 upstream.
      
      The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
      user-supplied integers, potentially allowing memory corruption. This
      patch adds appropriate integer overflow checks, checks the range bounds
      for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
      in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
      VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
      vfio_pci_set_irqs_ioctl().
      
      Furthermore, a kzalloc is changed to a kcalloc because the use of a
      kzalloc with an integer multiplication allowed an integer overflow
      condition to be reached without this patch. kcalloc checks for overflow
      and should prevent a similar occurrence.
      Signed-off-by: default avatarVlad Tsyrklevich <vlad@tsyrklevich.net>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6593fe0c
    • Arend Van Spriel's avatar
      brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() · df523e7a
      Arend Van Spriel authored
      commit ded89912 upstream.
      
      User-space can choose to omit NL80211_ATTR_SSID and only provide raw
      IE TLV data. When doing so it can provide SSID IE with length exceeding
      the allowed size. The driver further processes this IE copying it
      into a local variable without checking the length. Hence stack can be
      corrupted and used as exploit.
      Reported-by: default avatarDaxing Guo <freener.gdx@gmail.com>
      Reviewed-by: default avatarHante Meuleman <hante.meuleman@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
      Reviewed-by: default avatarFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      df523e7a
    • Stefan Richter's avatar
      firewire: net: guard against rx buffer overflows · 88eadd91
      Stefan Richter authored
      commit 667121ac upstream.
      
      The IP-over-1394 driver firewire-net lacked input validation when
      handling incoming fragmented datagrams.  A maliciously formed fragment
      with a respectively large datagram_offset would cause a memcpy past the
      datagram buffer.
      
      So, drop any packets carrying a fragment with offset + length larger
      than datagram_size.
      
      In addition, ensure that
        - GASP header, unfragmented encapsulation header, or fragment
          encapsulation header actually exists before we access it,
        - the encapsulated datagram or fragment is of nonzero size.
      Reported-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
      Reviewed-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
      Fixes: CVE 2016-8633
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      88eadd91
    • Dan Carpenter's avatar
      scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() · 400ce4d1
      Dan Carpenter authored
      commit 7bc2b55a upstream.
      
      We need to put an upper bound on "user_len" so the memcpy() doesn't
      overflow.
      Reported-by: default avatarMarco Grassi <marco.gra@gmail.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      [bwh: Backported to 3.16:
       - Adjust context
       - Use literal 1032 insetad of ARCMSR_API_DATA_BUFLEN]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      400ce4d1
    • David Howells's avatar
      KEYS: Fix short sprintf buffer in /proc/keys show function · dbc969a2
      David Howells authored
      commit 03dab869 upstream.
      
      This fixes CVE-2016-7042.
      
      Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
      is turned on, this can cause a panic due to stack corruption.
      
      The problem is that xbuf[] is not big enough to hold a 64-bit timeout
      rendered as weeks:
      
      	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
      	$2 = 30500568904943
      
      That's 14 chars plus NUL, not 11 chars plus NUL.
      
      Expand the buffer to 16 chars.
      
      I think the unpatched code apparently works if the stack-protector is not
      enabled because on a 32-bit machine the buffer won't be overflowed and on a
      64-bit machine there's a 64-bit aligned pointer at one side and an int that
      isn't checked again on the other side.
      
      The panic incurred looks something like:
      
      Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
      CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
      Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
       ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
       ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
      Call Trace:
       [<ffffffff813d941f>] dump_stack+0x63/0x84
       [<ffffffff811b2cb6>] panic+0xde/0x22a
       [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
       [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
       [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
       [<ffffffff81350410>] ? key_validate+0x50/0x50
       [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
       [<ffffffff8126b31c>] seq_read+0x2cc/0x390
       [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
       [<ffffffff81244fc7>] __vfs_read+0x37/0x150
       [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
       [<ffffffff81246156>] vfs_read+0x96/0x130
       [<ffffffff81247635>] SyS_read+0x55/0xc0
       [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
      Reported-by: default avatarOndrej Kozina <okozina@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarOndrej Kozina <okozina@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dbc969a2
    • Jaganath Kanakkassery's avatar
      Bluetooth: Fix potential NULL dereference in RFCOMM bind callback · 8c996f73
      Jaganath Kanakkassery authored
      commit 951b6a07 upstream.
      
      addr can be NULL and it should not be dereferenced before NULL checking.
      Signed-off-by: default avatarJaganath Kanakkassery <jaganath.k@samsung.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8c996f73
    • Suzuki K. Poulose's avatar
      arm64: perf: reject groups spanning multiple HW PMUs · b2aa2e25
      Suzuki K. Poulose authored
      commit 8fff105e upstream.
      
      The perf core implicitly rejects events spanning multiple HW PMUs, as in
      these cases the event->ctx will differ. However this validation is
      performed after pmu::event_init() is called in perf_init_event(), and
      thus pmu::event_init() may be called with a group leader from a
      different HW PMU.
      
      The ARM64 PMU driver does not take this fact into account, and when
      validating groups assumes that it can call to_arm_pmu(event->pmu) for
      any HW event. When the event in question is from another HW PMU this is
      wrong, and results in dereferencing garbage.
      
      This patch updates the ARM64 PMU driver to first test for and reject
      events from other PMUs, moving the to_arm_pmu and related logic after
      this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with
      a CCI PMU present:
      
      Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
      CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
      Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
      task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
      PC is at 0x0
      LR is at validate_event+0x90/0xa8
      pc : [<0000000000000000>] lr : [<ffffffc000090228>] pstate: 00000145
      sp : ffffffc07b0a3ba0
      
      [<          (null)>]           (null)
      [<ffffffc0000907d8>] armpmu_event_init+0x174/0x3cc
      [<ffffffc00015d870>] perf_try_init_event+0x34/0x70
      [<ffffffc000164094>] perf_init_event+0xe0/0x10c
      [<ffffffc000164348>] perf_event_alloc+0x288/0x358
      [<ffffffc000164c5c>] SyS_perf_event_open+0x464/0x98c
      Code: bad PC value
      
      Also cleans up the code to use the arm_pmu only when we know
      that we are dealing with an arm pmu event.
      
      Cc: Will Deacon <will.deacon@arm.com>
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Acked-by: default avatarPeter Ziljstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarSuzuki K. Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b2aa2e25
    • Srinivas Ramana's avatar
      ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 · 5f72dd0b
      Srinivas Ramana authored
      commit 117e5e9c upstream.
      
      If the bootloader uses the long descriptor format and jumps to
      kernel decompressor code, TTBCR may not be in a right state.
      Before enabling the MMU, it is required to clear the TTBCR.PD0
      field to use TTBR0 for translation table walks.
      
      The commit dbece458 ("ARM: 7501/1: decompressor:
      reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but
      doesn't consider all the bits for the size of TTBCR.N.
      
      Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to
      indicate the use of TTBR0 and the correct base address width.
      
      Fixes: dbece458 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores")
      Acked-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarSrinivas Ramana <sramana@codeaurora.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5f72dd0b
    • Johannes Weiner's avatar
      mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() · 829aa07a
      Johannes Weiner authored
      commit 22f2ac51 upstream.
      
      Antonio reports the following crash when using fuse under memory pressure:
      
        kernel BUG at /build/linux-a2WvEb/linux-4.4.0/mm/workingset.c:346!
        invalid opcode: 0000 [#1] SMP
        Modules linked in: all of them
        CPU: 2 PID: 63 Comm: kswapd0 Not tainted 4.4.0-36-generic #55-Ubuntu
        Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013
        task: ffff88040cae6040 ti: ffff880407488000 task.ti: ffff880407488000
        RIP: shadow_lru_isolate+0x181/0x190
        Call Trace:
          __list_lru_walk_one.isra.3+0x8f/0x130
          list_lru_walk_one+0x23/0x30
          scan_shadow_nodes+0x34/0x50
          shrink_slab.part.40+0x1ed/0x3d0
          shrink_zone+0x2ca/0x2e0
          kswapd+0x51e/0x990
          kthread+0xd8/0xf0
          ret_from_fork+0x3f/0x70
      
      which corresponds to the following sanity check in the shadow node
      tracking:
      
        BUG_ON(node->count & RADIX_TREE_COUNT_MASK);
      
      The workingset code tracks radix tree nodes that exclusively contain
      shadow entries of evicted pages in them, and this (somewhat obscure)
      line checks whether there are real pages left that would interfere with
      reclaim of the radix tree node under memory pressure.
      
      While discussing ways how fuse might sneak pages into the radix tree
      past the workingset code, Miklos pointed to replace_page_cache_page(),
      and indeed there is a problem there: it properly accounts for the old
      page being removed - __delete_from_page_cache() does that - but then
      does a raw raw radix_tree_insert(), not accounting for the replacement
      page.  Eventually the page count bits in node->count underflow while
      leaving the node incorrectly linked to the shadow node LRU.
      
      To address this, make sure replace_page_cache_page() uses the tracked
      page insertion code, page_cache_tree_insert().  This fixes the page
      accounting and makes sure page-containing nodes are properly unlinked
      from the shadow node LRU again.
      
      Also, make the sanity checks a bit less obscure by using the helpers for
      checking the number of pages and shadows in a radix tree node.
      
      Fixes: 449dd698 ("mm: keep page cache radix tree nodes in check")
      Link: http://lkml.kernel.org/r/20160919155822.29498-1-hannes@cmpxchg.orgSigned-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reported-by: default avatarAntonio SJ Musumeci <trapexit@spawn.link>
      Debugged-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.16:
       - Implementation of page_cache_tree_insert() is different
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      829aa07a
    • Paul Burton's avatar
      MIPS: Malta: Fix IOCU disable switch read for MIPS64 · 9fdf5742
      Paul Burton authored
      commit 305723ab upstream.
      
      Malta boards used with CPU emulators feature a switch to disable use of
      an IOCU. Software has to check this switch & ignore any present IOCU if
      the switch is closed. The read used to do this was unsafe for 64 bit
      kernels, as it simply casted the address 0xbf403000 to a pointer &
      dereferenced it. Whilst in a 32 bit kernel this would access kseg1, in a
      64 bit kernel this attempts to access xuseg & results in an address
      error exception.
      
      Fix by accessing a correctly formed ckseg1 address generated using the
      CKSEG1ADDR macro.
      
      Whilst modifying this code, define the name of the register and the bit
      we care about within it, which indicates whether PCI DMA is routed to
      the IOCU or straight to DRAM. The code previously checked that bit 0 was
      also set, but the least significant 7 bits of the CONFIG_GEN0 register
      contain the value of the MReqInfo signal provided to the IOCU OCP bus,
      so singling out bit 0 makes little sense & that part of the check is
      dropped.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: b6d92b4a ("MIPS: Add option to disable software I/O coherency.")
      Cc: Matt Redfearn <matt.redfearn@imgtec.com>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/14187/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9fdf5742
    • Roger Quadros's avatar
      ARM: 8617/1: dma: fix dma_max_pfn() · b842156b
      Roger Quadros authored
      commit d248220f upstream.
      
      Since commit 6ce0d200 ("ARM: dma: Use dma_pfn_offset for dma address translation"),
      dma_to_pfn() already returns the PFN with the physical memory start offset
      so we don't need to add it again.
      
      This fixes USB mass storage lock-up problem on systems that can't do DMA
      over the entire physical memory range (e.g.) Keystone 2 systems with 4GB RAM
      can only do DMA over the first 2GB. [K2E-EVM].
      
      What happens there is that without this patch SCSI layer sets a wrong
      bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass
      storage device. dma_max_pfn() evaluates to 0x8fffff and bounce_limit
      is set to 0x8fffff000 whereas maximum DMA'ble physical memory on Keystone 2
      is 0x87fffffff. This results in non DMA'ble pages being given to the
      USB controller and hence the lock-up.
      
      NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as 0.
      This should have really been 0x780000 as on K2e, LOWMEM_START is 0x80000000
      and HIGHMEM_START is 0x800000000. DMA zone is 2GB so dma_max_pfn should be
      0x87ffff. The incorrect dma_pfn_offset for the USB storage device is because
      USB devices are not correctly inheriting the dma_pfn_offset from the
      USB host controller. This will be fixed by a separate patch.
      
      Fixes: 6ce0d200 ("ARM: dma: Use dma_pfn_offset for dma address translation")
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Reported-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b842156b
    • zhong jiang's avatar
      mm,ksm: fix endless looping in allocating memory when ksm enable · 2b05a3ae
      zhong jiang authored
      commit 5b398e41 upstream.
      
      I hit the following hung task when runing a OOM LTP test case with 4.1
      kernel.
      
      Call trace:
      [<ffffffc000086a88>] __switch_to+0x74/0x8c
      [<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
      [<ffffffc000a1c09c>] schedule+0x3c/0x94
      [<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
      [<ffffffc000a1e32c>] down_write+0x64/0x80
      [<ffffffc00021f794>] __ksm_exit+0x90/0x19c
      [<ffffffc0000be650>] mmput+0x118/0x11c
      [<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
      [<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
      [<ffffffc0000d0f34>] get_signal+0x444/0x5e0
      [<ffffffc000089fcc>] do_signal+0x1d8/0x450
      [<ffffffc00008a35c>] do_notify_resume+0x70/0x78
      
      The oom victim cannot terminate because it needs to take mmap_sem for
      write while the lock is held by ksmd for read which loops in the page
      allocator
      
      ksm_do_scan
      	scan_get_next_rmap_item
      		down_read
      		get_next_rmap_item
      			alloc_rmap_item   #ksmd will loop permanently.
      
      There is no way forward because the oom victim cannot release any memory
      in 4.1 based kernel.  Since 4.6 we have the oom reaper which would solve
      this problem because it would release the memory asynchronously.
      Nevertheless we can relax alloc_rmap_item requirements and use
      __GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
      would just retry later after the lock got dropped.
      
      Such a patch would be also easy to backport to older stable kernels which
      do not have oom_reaper.
      
      While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
      by the allocation failure.
      
      Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.comSigned-off-by: default avatarzhong jiang <zhongjiang@huawei.com>
      Suggested-by: default avatarHugh Dickins <hughd@google.com>
      Suggested-by: default avatarMichal Hocko <mhocko@suse.cz>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2b05a3ae
    • Alex Deucher's avatar
      drm/radeon/si/dpm: add workaround for for Jet parts · 4a160ae9
      Alex Deucher authored
      commit 670bb4fd upstream.
      
      Add clock quirks for Jet parts.
      Reviewed-by: default avatarSonny Jiang <sonny.jiang@amd.com>
      Tested-by: default avatarSonny Jiang <sonny.jiang@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a160ae9
    • Nikolay Aleksandrov's avatar
      ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route · 0406c74e
      Nikolay Aleksandrov authored
      commit 2cf75070 upstream.
      
      Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid
      instead of the previous dst_pid which was copied from in_skb's portid.
      Since the skb is new the portid is 0 at that point so the packets are sent
      to the kernel and we get scheduling while atomic or a deadlock (depending
      on where it happens) by trying to acquire rtnl two times.
      Also since this is RTM_GETROUTE, it can be triggered by a normal user.
      
      Here's the sleeping while atomic trace:
      [ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
      [ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
      [ 7858.212881] 2 locks held by swapper/0/0:
      [ 7858.213013]  #0:  (((&mrt->ipmr_expire_timer))){+.-...}, at: [<ffffffff810fbbf5>] call_timer_fn+0x5/0x350
      [ 7858.213422]  #1:  (mfc_unres_lock){+.....}, at: [<ffffffff8161e005>] ipmr_expire_process+0x25/0x130
      [ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179
      [ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [ 7858.214108]  0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000
      [ 7858.214412]  ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e
      [ 7858.214716]  000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f
      [ 7858.215251] Call Trace:
      [ 7858.215412]  <IRQ>  [<ffffffff813a7804>] dump_stack+0x85/0xc1
      [ 7858.215662]  [<ffffffff810a4a72>] ___might_sleep+0x192/0x250
      [ 7858.215868]  [<ffffffff810a4b9f>] __might_sleep+0x6f/0x100
      [ 7858.216072]  [<ffffffff8165bea3>] mutex_lock_nested+0x33/0x4d0
      [ 7858.216279]  [<ffffffff815a7a5f>] ? netlink_lookup+0x25f/0x460
      [ 7858.216487]  [<ffffffff8157474b>] rtnetlink_rcv+0x1b/0x40
      [ 7858.216687]  [<ffffffff815a9a0c>] netlink_unicast+0x19c/0x260
      [ 7858.216900]  [<ffffffff81573c70>] rtnl_unicast+0x20/0x30
      [ 7858.217128]  [<ffffffff8161cd39>] ipmr_destroy_unres+0xa9/0xf0
      [ 7858.217351]  [<ffffffff8161e06f>] ipmr_expire_process+0x8f/0x130
      [ 7858.217581]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
      [ 7858.217785]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
      [ 7858.217990]  [<ffffffff810fbc95>] call_timer_fn+0xa5/0x350
      [ 7858.218192]  [<ffffffff810fbbf5>] ? call_timer_fn+0x5/0x350
      [ 7858.218415]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
      [ 7858.218656]  [<ffffffff810fde10>] run_timer_softirq+0x260/0x640
      [ 7858.218865]  [<ffffffff8166379b>] ? __do_softirq+0xbb/0x54f
      [ 7858.219068]  [<ffffffff816637c8>] __do_softirq+0xe8/0x54f
      [ 7858.219269]  [<ffffffff8107a948>] irq_exit+0xb8/0xc0
      [ 7858.219463]  [<ffffffff81663452>] smp_apic_timer_interrupt+0x42/0x50
      [ 7858.219678]  [<ffffffff816625bc>] apic_timer_interrupt+0x8c/0xa0
      [ 7858.219897]  <EOI>  [<ffffffff81055f16>] ? native_safe_halt+0x6/0x10
      [ 7858.220165]  [<ffffffff810d64dd>] ? trace_hardirqs_on+0xd/0x10
      [ 7858.220373]  [<ffffffff810298e3>] default_idle+0x23/0x190
      [ 7858.220574]  [<ffffffff8102a20f>] arch_cpu_idle+0xf/0x20
      [ 7858.220790]  [<ffffffff810c9f8c>] default_idle_call+0x4c/0x60
      [ 7858.221016]  [<ffffffff810ca33b>] cpu_startup_entry+0x39b/0x4d0
      [ 7858.221257]  [<ffffffff8164f995>] rest_init+0x135/0x140
      [ 7858.221469]  [<ffffffff81f83014>] start_kernel+0x50e/0x51b
      [ 7858.221670]  [<ffffffff81f82120>] ? early_idt_handler_array+0x120/0x120
      [ 7858.221894]  [<ffffffff81f8243f>] x86_64_start_reservations+0x2a/0x2c
      [ 7858.222113]  [<ffffffff81f8257c>] x86_64_start_kernel+0x13b/0x14a
      
      Fixes: 2942e900 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0406c74e
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Move mutex to protect against resetting of seq data · e044d0e8
      Steven Rostedt (Red Hat) authored
      commit 1245800c upstream.
      
      The iter->seq can be reset outside the protection of the mutex. So can
      reading of user data. Move the mutex up to the beginning of the function.
      
      Fixes: d7350c3f ("tracing/core: make the read callbacks reentrants")
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e044d0e8
    • Lance Richardson's avatar
      ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() · e071c8d1
      Lance Richardson authored
      commit db32e4e4 upstream.
      
      Similar to commit 3be07244 ("ip6_gre: fix flowi6_proto value in
      xmit path"), set flowi6_proto to IPPROTO_GRE for output route lookup.
      
      Up until now, ip6gre_xmit_other() has set flowi6_proto to a bogus value.
      This affected output route lookup for packets sent on an ip6gretap device
      in cases where routing was dependent on the value of flowi6_proto.
      
      Since the correct proto is already set in the tunnel flowi6 template via
      commit 252f3f5a ("ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit
      path."), simply delete the line setting the incorrect flowi6_proto value.
      Suggested-by: default avatarJiri Benc <jbenc@redhat.com>
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Reviewed-by: default avatarShmulik Ladkani <shmulik.ladkani@gmail.com>
      Signed-off-by: default avatarLance Richardson <lrichard@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e071c8d1
    • Haishuang Yan's avatar
      ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path. · 10dab580
      Haishuang Yan authored
      commit 252f3f5a upstream.
      
      In gre6 xmit path, we are sending a GRE packet, so set fl6 proto
      to IPPROTO_GRE properly.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      10dab580
    • Eric Dumazet's avatar
      tcp: fix a compile error in DBGUNDO() · 1ae83f8c
      Eric Dumazet authored
      commit 019b1c9f upstream.
      
      If DBGUNDO() is enabled (FASTRETRANS_DEBUG > 1), a compile
      error will happen, since inet6_sk(sk)->daddr became sk->sk_v6_daddr
      
      Fixes: efe4208f ("ipv6: make lookups simpler and faster")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1ae83f8c
    • Sudeep Holla's avatar
      i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended · f1790ee2
      Sudeep Holla authored
      commit 331dcf42 upstream.
      
      If the i2c device is already runtime suspended, if qup_i2c_suspend is
      executed during suspend-to-idle or suspend-to-ram it will result in the
      following splat:
      
      WARNING: CPU: 3 PID: 1593 at drivers/clk/clk.c:476 clk_core_unprepare+0x80/0x90
      Modules linked in:
      
      CPU: 3 PID: 1593 Comm: bash Tainted: G        W       4.8.0-rc3 #14
      Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
      PC is at clk_core_unprepare+0x80/0x90
      LR is at clk_unprepare+0x28/0x40
      pc : [<ffff0000086eecf0>] lr : [<ffff0000086f0c58>] pstate: 60000145
      Call trace:
       clk_core_unprepare+0x80/0x90
       qup_i2c_disable_clocks+0x2c/0x68
       qup_i2c_suspend+0x10/0x20
       platform_pm_suspend+0x24/0x68
       ...
      
      This patch fixes the issue by executing qup_i2c_pm_suspend_runtime
      conditionally in qup_i2c_suspend.
      Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Reviewed-by: default avatarAndy Gross <andy.gross@linaro.org>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f1790ee2
    • Sergei Miroshnichenko's avatar
      can: dev: fix deadlock reported after bus-off · ca0e1ef2
      Sergei Miroshnichenko authored
      commit 9abefcb1 upstream.
      
      A timer was used to restart after the bus-off state, leading to a
      relatively large can_restart() executed in an interrupt context,
      which in turn sets up pinctrl. When this happens during system boot,
      there is a high probability of grabbing the pinctrl_list_mutex,
      which is locked already by the probe() of other device, making the
      kernel suspect a deadlock condition [1].
      
      To resolve this issue, the restart_timer is replaced by a delayed
      work.
      
      [1] https://github.com/victronenergy/venus/issues/24Signed-off-by: default avatarSergei Miroshnichenko <sergeimir@emcraft.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ca0e1ef2
    • Jeff Mahoney's avatar
      btrfs: ensure that file descriptor used with subvol ioctls is a dir · d1adfc59
      Jeff Mahoney authored
      commit 325c50e3 upstream.
      
      If the subvol/snapshot create/destroy ioctls are passed a regular file
      with execute permissions set, we'll eventually Oops while trying to do
      inode->i_op->lookup via lookup_one_len.
      
      This patch ensures that the file descriptor refers to a directory.
      
      Fixes: cb8e7090 (Btrfs: Fix subvolume creation locking rules)
      Fixes: 76dda93c (Btrfs: add snapshot/subvolume destroy ioctl)
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d1adfc59
    • Peter Rosin's avatar
      i2c: mux: pca954x: retry updating the mux selection on failure · 77d74c0a
      Peter Rosin authored
      commit 463e8f84 upstream.
      
      The cached value of the last selected channel prevents retries on the
      next call, even on failure to update the selected channel. Fix that.
      Signed-off-by: default avatarPeter Rosin <peda@axentia.se>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      77d74c0a
    • Yadi.hu's avatar
      i2c-eg20t: fix race between i2c init and interrupt enable · 90e5f82c
      Yadi.hu authored
      commit 371a0153 upstream.
      
      the eg20t driver call request_irq() function before the pch_base_address,
      base address of i2c controller's register, is assigned an effective value.
      
      there is one possible scenario that an interrupt which isn't inside eg20t
      arrives immediately after request_irq() is executed when i2c controller
      shares an interrupt number with others. since the interrupt handler
      pch_i2c_handler() has already active as shared action, it will be called
      and read its own register to determine if this interrupt is from itself.
      
      At that moment, since base address of i2c registers is not remapped
      in kernel space yet,so the INT handler will access an illegal address
      and then a error occurs.
      Signed-off-by: default avatarYadi.hu <yadi.hu@windriver.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      90e5f82c
    • Al Viro's avatar
      fix fault_in_multipages_...() on architectures with no-op access_ok() · d09dfcf6
      Al Viro authored
      commit e23d4159 upstream.
      
      Switching iov_iter fault-in to multipages variants has exposed an old
      bug in underlying fault_in_multipages_...(); they break if the range
      passed to them wraps around.  Normally access_ok() done by callers will
      prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
      such a range and they should not point to any valid objects).
      
      However, on architectures where userland and kernel live in different
      MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
      with a wraparound can reach fault_in_multipages_...().
      
      Since any wraparound means EFAULT there, the fix is trivial - turn
      those
      
          while (uaddr <= end)
      	    ...
      into
      
          if (unlikely(uaddr > end))
      	    return -EFAULT;
          do
      	    ...
          while (uaddr <= end);
      Reported-by: default avatarJan Stancek <jstancek@redhat.com>
      Tested-by: default avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d09dfcf6
    • Ashish Samant's avatar
      ocfs2: fix start offset to ocfs2_zero_range_for_truncate() · aca5f21e
      Ashish Samant authored
      commit d21c353d upstream.
      
      If we punch a hole on a reflink such that following conditions are met:
      
      1. start offset is on a cluster boundary
      2. end offset is not on a cluster boundary
      3. (end offset is somewhere in another extent) or
         (hole range > MAX_CONTIG_BYTES(1MB)),
      
      we dont COW the first cluster starting at the start offset.  But in this
      case, we were wrongly passing this cluster to
      ocfs2_zero_range_for_truncate() to zero out.  This will modify the
      cluster in place and zero it in the source too.
      
      Fix this by skipping this cluster in such a scenario.
      
      To reproduce:
      
      1. Create a random file of say 10 MB
           xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile
      2. Reflink  it
           reflink -f 10MBfile reflnktest
      3. Punch a hole at starting at cluster boundary  with range greater that
      1MB. You can also use a range that will put the end offset in another
      extent.
           fallocate -p -o 0 -l 1048615 reflnktest
      4. sync
      5. Check the  first cluster in the source file. (It will be zeroed out).
          dd if=10MBfile iflag=direct bs=<cluster size> count=1 | hexdump -C
      
      Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.comSigned-off-by: default avatarAshish Samant <ashish.samant@oracle.com>
      Reported-by: default avatarSaar Maoz <saar.maoz@oracle.com>
      Reviewed-by: default avatarSrinivas Eeda <srinivas.eeda@oracle.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Cc: Eric Ren <zren@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      aca5f21e
    • Jan Kara's avatar
      fanotify: fix list corruption in fanotify_get_response() · 24265130
      Jan Kara authored
      commit 96d41019 upstream.
      
      fanotify_get_response() calls fsnotify_remove_event() when it finds that
      group is being released from fanotify_release() (bypass_perm is set).
      
      However the event it removes need not be only in the group's notification
      queue but it can have already moved to access_list (userspace read the
      event before closing the fanotify instance fd) which is protected by a
      different lock.  Thus when fsnotify_remove_event() races with
      fanotify_release() operating on access_list, the list can get corrupted.
      
      Fix the problem by moving all the logic removing permission events from
      the lists to one place - fanotify_release().
      
      Fixes: 5838d444 ("fanotify: fix double free of pending permission events")
      Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.czSigned-off-by: default avatarJan Kara <jack@suse.cz>
      Reported-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Tested-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Reviewed-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.16:
       - s/fsnotify_remove_first_event/fsnotify_remove_notify_event/
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      24265130
    • Jan Kara's avatar
      fsnotify: add a way to stop queueing events on group shutdown · 460da2d5
      Jan Kara authored
      commit 12703dbf upstream.
      
      Implement a function that can be called when a group is being shutdown
      to stop queueing new events to the group.  Fanotify will use this.
      
      Fixes: 5838d444 ("fanotify: fix double free of pending permission events")
      Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.czSigned-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      460da2d5
    • Joseph Qi's avatar
      ocfs2/dlm: fix race between convert and migration · a8e9bf76
      Joseph Qi authored
      commit e6f0c6e6 upstream.
      
      Commit ac7cf246 ("ocfs2/dlm: fix race between convert and recovery")
      checks if lockres master has changed to identify whether new master has
      finished recovery or not.  This will introduce a race that right after
      old master does umount ( means master will change), a new convert
      request comes.
      
      In this case, it will reset lockres state to DLM_RECOVERING and then
      retry convert, and then fail with lockres->l_action being set to
      OCFS2_AST_INVALID, which will cause inconsistent lock level between
      ocfs2 and dlm, and then finally BUG.
      
      Since dlm recovery will clear lock->convert_pending in
      dlm_move_lockres_to_recovery_list, we can use it to correctly identify
      the race case between convert and recovery.  So fix it.
      
      Fixes: ac7cf246 ("ocfs2/dlm: fix race between convert and recovery")
      Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.comSigned-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Signed-off-by: default avatarJun Piao <piaojun@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a8e9bf76
    • Fabio Estevam's avatar
      can: flexcan: fix resume function · 8da5e825
      Fabio Estevam authored
      commit 4de349e7 upstream.
      
      On a imx6ul-pico board the following error is seen during system suspend:
      
      dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110
      PM: Device 2090000.flexcan failed to resume: error -110
      
      The reason for this suspend error is because when the CAN interface is not
      active the clocks are disabled and then flexcan_chip_enable() will
      always fail due to a timeout error.
      
      In order to fix this issue, only call flexcan_chip_enable/disable()
      when the CAN interface is active.
      
      Based on a patch from Dong Aisheng in the NXP kernel.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8da5e825
    • Ilan Tayari's avatar
      xfrm: Fix memory leak of aead algorithm name · ae028124
      Ilan Tayari authored
      commit b5884793 upstream.
      
      commit 1a6509d9 ("[IPSEC]: Add support for combined mode algorithms")
      introduced aead. The function attach_aead kmemdup()s the algorithm
      name during xfrm_state_construct().
      However this memory is never freed.
      Implementation has since been slightly modified in
      commit ee5c2317 ("xfrm: Clone states properly on migration")
      without resolving this leak.
      This patch adds a kfree() call for the aead algorithm name.
      
      Fixes: 1a6509d9 ("[IPSEC]: Add support for combined mode algorithms")
      Signed-off-by: default avatarIlan Tayari <ilant@mellanox.com>
      Acked-by: default avatarRami Rosen <roszenrami@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ae028124
    • Guenter Roeck's avatar
      openrisc: fix the fix of copy_from_user() · 0f8ac3ee
      Guenter Roeck authored
      commit 8e4b7205 upstream.
      
      Since commit acb2505d ("openrisc: fix copy_from_user()"),
      copy_from_user() returns the number of bytes requested, not the
      number of bytes not copied.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Fixes: acb2505d ("openrisc: fix copy_from_user()")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0f8ac3ee
    • Guenter Roeck's avatar
      avr32: fix 'undefined reference to `___copy_from_user' · 90c9255c
      Guenter Roeck authored
      commit 65c0044c upstream.
      
      avr32 builds fail with:
      
      arch/avr32/kernel/built-in.o: In function `arch_ptrace':
      (.text+0x650): undefined reference to `___copy_from_user'
      arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined
      reference to `___copy_from_user'
      kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax':
      (.text+0x5dd8): undefined reference to `___copy_from_user'
      kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin':
      sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user'
      kernel/built-in.o: In function `ptrace_has_cap':
      ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user'
      kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to
      `___copy_from_user' follow
      
      Fixes: 8630c322 ("avr32: fix copy_from_user()")
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarHavard Skinnemoen <hskinnemoen@gmail.com>
      Acked-by: default avatarHans-Christian Noren Egtvedt <egtvedt@samfundet.no>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      90c9255c
    • phil.turnbull@oracle.com's avatar
      irda: Free skb on irda_accept error path. · dab80253
      phil.turnbull@oracle.com authored
      commit 8ab86c00 upstream.
      
      skb is not freed if newsk is NULL. Rework the error path so free_skb is
      unconditionally called on function exit.
      
      Fixes: c3ea9fa2 ("[IrDA] af_irda: IRDA_ASSERT cleanups")
      Signed-off-by: default avatarPhil Turnbull <phil.turnbull@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dab80253
    • Jack Morgenstein's avatar
      IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV · c5764055
      Jack Morgenstein authored
      commit 8ec07bf8 upstream.
      
      When sending QP1 MAD packets which use a GRH, the source GID
      (which consists of the 64-bit subnet prefix, and the 64 bit port GUID)
      must be included in the packet GRH.
      
      For SR-IOV, a GID cache is used, since the source GID needs to be the
      slave's source GID, and not the Hypervisor's GID. This cache also
      included a subnet_prefix. Unfortunately, the subnet_prefix field in
      the cache was never initialized (to the default subnet prefix 0xfe80::0).
      As a result, this field remained all zeroes.  Therefore, when SR-IOV
      was active, all QP1 packets which included a GRH had a source GID
      subnet prefix of all-zeroes.
      
      However, the subnet-prefix should initially be 0xfe80::0 (the default
      subnet prefix). In addition, if OpenSM modifies a port's subnet prefix,
      the new subnet prefix must be used in the GRH when sending QP1 packets.
      To fix this we now initialize the subnet prefix in the SR-IOV GID cache
      to the default subnet prefix. We update the cached value if/when OpenSM
      modifies the port's subnet prefix. We take this cached value when sending
      QP1 packets when SR-IOV is active.
      
      Note that the value is stored as an atomic64. This eliminates any need
      for locking when the subnet prefix is being updated.
      
      Note also that we depend on the FW generating the "port management change"
      event for tracking subnet-prefix changes performed by OpenSM. If running
      early FW (before 2.9.4630), subnet prefix changes will not be tracked (but
      the default subnet prefix still will be stored in the cache; therefore
      users who do not modify the subnet prefix will not have a problem).
      IF there is a need for such tracking also for early FW, we will add that
      capability in a subsequent patch.
      
      Fixes: 1ffeb2eb ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c5764055
    • Jack Morgenstein's avatar
      IB/mlx4: Fix code indentation in QP1 MAD flow · 4f735990
      Jack Morgenstein authored
      commit baa0be70 upstream.
      
      The indentation in the QP1 GRH flow in procedure build_mlx_header is
      really confusing. Fix it, in preparation for a commit which touches
      this code.
      
      Fixes: 1ffeb2eb ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4f735990
    • Alex Vesker's avatar
      IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV · 600307e6
      Alex Vesker authored
      commit e5ac40cd upstream.
      
      Because of an incorrect bit-masking done on the join state bits, when
      handling a join request we failed to detect a difference between the
      group join state and the request join state when joining as send only
      full member (0x8). This caused the MC join request not to be sent.
      This issue is relevant only when SRIOV is enabled and SM supports
      send only full member.
      
      This fix separates scope bits and join states bits a nibble each.
      
      Fixes: b9c5d6a6 ('IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV')
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      600307e6
    • Alex Vesker's avatar
      IB/ipoib: Don't allow MC joins during light MC flush · dfe80970
      Alex Vesker authored
      commit 344bacca upstream.
      
      This fix solves a race between light flush and on the fly joins.
      Light flush doesn't set the device to down and unset IPOIB_OPER_UP
      flag, this means that if while flushing we have a MC join in progress
      and the QP was attached to BC MGID we can have a mismatches when
      re-attaching a QP to the BC MGID.
      
      The light flush would set the broadcast group to NULL causing an on
      the fly join to rejoin and reattach to the BC MCG as well as adding
      the BC MGID to the multicast list. The flush process would later on
      remove the BC MGID and detach it from the QP. On the next flush
      the BC MGID is present in the multicast list but not found when trying
      to detach it because of the previous double attach and single detach.
      
      [18332.714265] ------------[ cut here ]------------
      [18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core]
      ...
      [18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
      [18332.779411]  0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000
      [18332.784960]  0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300
      [18332.790547]  ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280
      [18332.796199] Call Trace:
      [18332.798015]  [<ffffffff813fed47>] dump_stack+0x63/0x8c
      [18332.801831]  [<ffffffff8109add1>] __warn+0xd1/0xf0
      [18332.805403]  [<ffffffff8109aebd>] warn_slowpath_null+0x1d/0x20
      [18332.809706]  [<ffffffffa025d90f>] ib_dealloc_pd+0xff/0x120 [ib_core]
      [18332.814384]  [<ffffffffa04f3d7c>] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib]
      [18332.820031]  [<ffffffffa04ed648>] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib]
      [18332.825220]  [<ffffffffa04e62c8>] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib]
      [18332.830290]  [<ffffffffa04e656f>] ipoib_uninit+0x2f/0x40 [ib_ipoib]
      [18332.834911]  [<ffffffff81772a8a>] rollback_registered_many+0x1aa/0x2c0
      [18332.839741]  [<ffffffff81772bd1>] rollback_registered+0x31/0x40
      [18332.844091]  [<ffffffff81773b18>] unregister_netdevice_queue+0x48/0x80
      [18332.848880]  [<ffffffffa04f489b>] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib]
      [18332.853848]  [<ffffffffa04df1cd>] delete_child+0x7d/0xf0 [ib_ipoib]
      [18332.858474]  [<ffffffff81520c08>] dev_attr_store+0x18/0x30
      [18332.862510]  [<ffffffff8127fe4a>] sysfs_kf_write+0x3a/0x50
      [18332.866349]  [<ffffffff8127f4e0>] kernfs_fop_write+0x120/0x170
      [18332.870471]  [<ffffffff81207198>] __vfs_write+0x28/0xe0
      [18332.874152]  [<ffffffff810e09bf>] ? percpu_down_read+0x1f/0x50
      [18332.878274]  [<ffffffff81208062>] vfs_write+0xa2/0x1a0
      [18332.881896]  [<ffffffff812093a6>] SyS_write+0x46/0xa0
      [18332.885632]  [<ffffffff810039b7>] do_syscall_64+0x57/0xb0
      [18332.889709]  [<ffffffff81883321>] entry_SYSCALL64_slow_path+0x25/0x25
      [18332.894727] ---[ end trace 09ebbe31f831ef17 ]---
      
      Fixes: ee1e2c82 ("IPoIB: Refresh paths instead of flushing them on SM change events")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dfe80970