1. 11 Jul, 2016 40 commits
    • Guillaume Nault's avatar
      ppp: take reference on channels netns · fc74ace8
      Guillaume Nault authored
      [ Upstream commit 1f461dcd ]
      
      Let channels hold a reference on their network namespace.
      Some channel types, like ppp_async and ppp_synctty, can have their
      userspace controller running in a different namespace. Therefore they
      can't rely on them to preclude their netns from being removed from
      under them.
      
      ==================================================================
      BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
      addr ffff880064e217e0
      Read of size 8 by task syz-executor/11581
      =============================================================================
      BUG net_namespace (Not tainted): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      Disabling lock debugging due to kernel taint
      INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
      [<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
      [<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
      [<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
      [<     inline     >] slab_alloc kernel/mm/slub.c:2574
      [<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
      [<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
      [<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
      [<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
      [<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
      [<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
      [<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
      [<     inline     >] copy_process kernel/kernel/fork.c:1274
      [<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
      [<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
      [<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
      [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
      
      INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
      [<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
      [<     inline     >] slab_free kernel/mm/slub.c:2805
      [<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
      [<     inline     >] net_free kernel/net/core/net_namespace.c:341
      [<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
      [<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
      [<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
      [<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
      [<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
      [<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
      INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
      flags=0x5fffc0000004080
      INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
      
      CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
       00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
       ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
       ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
      Call Trace:
       [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
       [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
       [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
       [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
       [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
       [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
       [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
       [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
       [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
       [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
       [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
       [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
       [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
       [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
       [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
       [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
       [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
       [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
       [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
       [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
       [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
       [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
       [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
       [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
       [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
       [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
       [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
       [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
       [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
       [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
       [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
       [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
       [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
       [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
       [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
       [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
       [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
       [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
       [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
       [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
       [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
      Memory state around the buggy address:
       ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
       ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 273ec51d ("net: ppp_generic - introduce net-namespace functionality v2")
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fc74ace8
    • Paolo Abeni's avatar
      ipv4: fix broadcast packets reception · 263a20bc
      Paolo Abeni authored
      [ Upstream commit ad0ea198 ]
      
      Currently, ingress ipv4 broadcast datagrams are dropped since,
      in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
      bcast packets.
      
      This patch addresses the issue, invoking ip_check_mc_rcu()
      only for mcast packets.
      
      Fixes: 6e540309 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      263a20bc
    • Eric Dumazet's avatar
      bonding: fix bond_get_stats() · 6acfc65a
      Eric Dumazet authored
      [ Upstream commit fe30937b ]
      
      bond_get_stats() can be called from rtnetlink (with RTNL held)
      or from /proc/net/dev seq handler (with RCU held)
      
      The logic added in commit 5f0c5f73 ("bonding: make global bonding
      stats more reliable") kind of assumed only one cpu could run there.
      
      If multiple threads are reading /proc/net/dev, stats can be really
      messed up after a while.
      
      A second problem is that some fields are 32bit, so we need to properly
      handle the wrap around problem.
      
      Given that RTNL is not always held, we need to use
      bond_for_each_slave_rcu().
      
      Fixes: 5f0c5f73 ("bonding: make global bonding stats more reliable")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Reviewed-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6acfc65a
    • Eric Dumazet's avatar
      net: bcmgenet: fix dma api length mismatch · 1fdc6943
      Eric Dumazet authored
      [ Upstream commit eee57723 ]
      
      When un-mapping skb->data in __bcmgenet_tx_reclaim(),
      we must use the length that was used in original dma_map_single(),
      instead of skb->len that might be bigger (includes the frags)
      
      We simply can store skb_len into tx_cb_ptr->dma_len and use it
      at unmap time.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1fdc6943
    • Manish Chopra's avatar
      qlge: Fix receive packets drop. · bb9863ec
      Manish Chopra authored
      [ Upstream commit 2c9a266a ]
      
      When running small packets [length < 256 bytes] traffic, packets were
      being dropped due to invalid data in those packets which were
      delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
      ensures copying latest and updated data into skb from the receive buffer.
      Signed-off-by: default avatarSony Chacko <sony.chacko@qlogic.com>
      Signed-off-by: default avatarManish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      bb9863ec
    • Guillaume Nault's avatar
      ppp: ensure file->private_data can't be overridden · 827e5072
      Guillaume Nault authored
      [ Upstream commit e8e56ffd ]
      
      Locking ppp_mutex must be done before dereferencing file->private_data,
      otherwise it could be modified before ppp_unattached_ioctl() takes the
      lock. This could lead ppp_unattached_ioctl() to override ->private_data,
      thus leaking reference to the ppp_file previously pointed to.
      
      v2: lock all ppp_ioctl() instead of just checking private_data in
          ppp_unattached_ioctl(), to avoid ambiguous behaviour.
      
      Fixes: f3ff8a4d ("ppp: push BKL down into the driver")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      827e5072
    • Arnd Bergmann's avatar
      ath9k: fix buffer overrun for ar9287 · 58bcdf45
      Arnd Bergmann authored
      [ Upstream commit 83d6f1f1 ]
      
      Code that was added back in 2.6.38 has an obvious overflow
      when accessing a static array, and at the time it was added
      only a code comment was put in front of it as a reminder
      to have it reviewed properly.
      
      This has not happened, but gcc-6 now points to the specific
      overflow:
      
      drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
      drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
           maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
                         ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
      
      It turns out that the correct array length exists in the local
      'intercepts' variable of this function, so we can just use that
      instead of hardcoding '4', so this patch changes all three
      instances to use that variable. The other two instances were
      already correct, but it's more consistent this way.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 940cd2c1 ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      58bcdf45
    • Arnd Bergmann's avatar
      farsync: fix off-by-one bug in fst_add_one · 7b95465e
      Arnd Bergmann authored
      [ Upstream commit e725a66c ]
      
      gcc-6 finds an out of bounds access in the fst_add_one function
      when calculating the end of the mmio area:
      
      drivers/net/wan/farsync.c: In function 'fst_add_one':
      drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
       #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                                           ^
      include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
        __builtin_offsetof(a, b)
                           ^
      drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
       #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                           ^~~~~~~~
      drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
                                        + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
                                          ^~~~~~~~~~
      
      The warning is correct, but not critical because this appears
      to be a write-only variable that is set by each WAN driver but
      never accessed afterwards.
      
      I'm taking the minimal fix here, using the correct pointer by
      pointing 'mem_end' to the last byte inside of the register area
      as all other WAN drivers do, rather than the first byte outside of
      it. An alternative would be to just remove the mem_end member
      entirely.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7b95465e
    • Arnd Bergmann's avatar
      mlx4: add missing braces in verify_qp_parameters · c7c3a321
      Arnd Bergmann authored
      [ Upstream commit baefd701 ]
      
      The implementation of QP paravirtualization back in linux-3.7 included
      some code that looks very dubious, and gcc-6 has grown smart enough
      to warn about it:
      
      drivers/net/ethernet/mellanox/mlx4/resource_tracker.c: In function 'verify_qp_parameters':
      drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3154:5: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
           if (optpar & MLX4_QP_OPTPAR_ALT_ADDR_PATH) {
           ^~
      drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3144:4: note: ...this 'if' clause, but it is not
          if (slave != mlx4_master_func_num(dev))
      
      >From looking at the context, I'm reasonably sure that the indentation
      is correct but that it should have contained curly braces from the
      start, as the update_gid() function in the same patch correctly does.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 54679e14 ("mlx4: Implement QP paravirtualization and maintain phys_pkey_cache for smp_snoop")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c7c3a321
    • Arnaldo Carvalho de Melo's avatar
      net: Fix use after free in the recvmmsg exit path · 8ca7bf09
      Arnaldo Carvalho de Melo authored
      [ Upstream commit 34b88a68 ]
      
      The syzkaller fuzzer hit the following use-after-free:
      
        Call Trace:
         [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
         [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
         [<     inline     >] SYSC_recvmmsg net/socket.c:2281
         [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
         [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
        arch/x86/entry/entry_64.S:185
      
      And, as Dmitry rightly assessed, that is because we can drop the
      reference and then touch it when the underlying recvmsg calls return
      some packets and then hit an error, which will make recvmmsg to set
      sock->sk->sk_err, oops, fix it.
      Reported-and-Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Fixes: a2e27255 ("net: Introduce recvmmsg socket syscall")
      http://lkml.kernel.org/r/20160122211644.GC2470@redhat.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      8ca7bf09
    • David S. Miller's avatar
      ipv4: Don't do expensive useless work during inetdev destroy. · 86de8271
      David S. Miller authored
      [ Upstream commit fbd40ea0 ]
      
      When an inetdev is destroyed, every address assigned to the interface
      is removed.  And in this scenerio we do two pointless things which can
      be very expensive if the number of assigned interfaces is large:
      
      1) Address promotion.  We are deleting all addresses, so there is no
         point in doing this.
      
      2) A full nf conntrack table purge for every address.  We only need to
         do this once, as is already caught by the existing
         masq_dev_notifier so masq_inet_event() can skip this.
      Reported-by: default avatarSolar Designer <solar@openwall.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Tested-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      86de8271
    • Willem de Bruijn's avatar
      macvtap: always pass ethernet header in linear · 68626392
      Willem de Bruijn authored
      [ Upstream commit 8e2ad411 ]
      
      The stack expects link layer headers in the skb linear section.
      Macvtap can create skbs with llheader in frags in edge cases:
      when (IFF_VNET_HDR is off or vnet_hdr.hdr_len < ETH_HLEN) and
      prepad + len > PAGE_SIZE and vnet_hdr.flags has no or bad csum.
      
      Add checks to ensure linear is always at least ETH_HLEN.
      At this point, len is already ensured to be >= ETH_HLEN.
      
      For backwards compatiblity, rounds up short vnet_hdr.hdr_len.
      This differs from tap and packet, which return an error.
      
      Fixes b9fb9ee0 ("macvtap: add GSO/csum offload support")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      68626392
    • Rajesh Borundia's avatar
      qlcnic: Fix mailbox completion handling during spurious interrupt · 5284ee1e
      Rajesh Borundia authored
      [ Upstream commit 819bfe76 ]
      
      o While the driver is in the middle of a MB completion processing
      and it receives a spurious MB interrupt, it is mistaken as a good MB
      completion interrupt leading to premature completion of the next MB
      request. Fix the driver to guard against this by checking the current
      state of MB processing and ignore the spurious interrupt.
      Also added a stats counter to record this condition.
      Signed-off-by: default avatarRajesh Borundia <rajesh.borundia@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5284ee1e
    • Rajesh Borundia's avatar
      qlcnic: Remove unnecessary usage of atomic_t · fa565f53
      Rajesh Borundia authored
      [ Upstream commit 5bf93251 ]
      
      o atomic_t usage is incorrect as we are not implementing
      any atomicity.
      Signed-off-by: default avatarRajesh Borundia <rajesh.borundia@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fa565f53
    • Sergei Shtylyov's avatar
      sh_eth: fix RX buffer size alignment · 52643323
      Sergei Shtylyov authored
      [ Upstream commit ab857916 ]
      
      Both  Renesas R-Car and RZ/A1 manuals state that RX buffer  length must be
      a multiple of 32 bytes, while the driver  only uses 16 byte granularity...
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      52643323
    • Sergei Shtylyov's avatar
      sh_eth: fix NULL pointer dereference in sh_eth_ring_format() · c5e6283a
      Sergei Shtylyov authored
      [ Upstream commit c1b7fca6 ]
      
      In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
      loop iteration  in sh_eth_ring_format(), 'rxdesc' is still NULL.  Avoid
      kernel oops by adding the 'rxdesc' check after the loop.
      Reported-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c5e6283a
    • Willem de Bruijn's avatar
      packet: validate variable length ll headers · 795f5dc9
      Willem de Bruijn authored
      [ Upstream commit 9ed988cd ]
      
      Replace link layer header validation check ll_header_truncate with
      more generic dev_validate_header.
      
      Validation based on hard_header_len incorrectly drops valid packets
      in variable length protocols, such as AX25. dev_validate_header
      calls header_ops.validate for such protocols to ensure correctness
      below hard_header_len.
      
      See also http://comments.gmane.org/gmane.linux.network/401064
      
      Fixes 9c707762 ("packet: make packet_snd fail on len smaller than l2 header")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      795f5dc9
    • Willem de Bruijn's avatar
      ax25: add link layer header validation function · 58ba5f64
      Willem de Bruijn authored
      [ Upstream commit ea47781c ]
      
      As variable length protocol, AX25 fails link layer header validation
      tests based on a minimum length. header_ops.validate allows protocols
      to validate headers that are shorter than hard_header_len. Implement
      this callback for AX25.
      
      See also http://comments.gmane.org/gmane.linux.network/401064Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      58ba5f64
    • Willem de Bruijn's avatar
      net: validate variable length ll headers · 1df16498
      Willem de Bruijn authored
      [ Upstream commit 2793a23a ]
      
      Netdevice parameter hard_header_len is variously interpreted both as
      an upper and lower bound on link layer header length. The field is
      used as upper bound when reserving room at allocation, as lower bound
      when validating user input in PF_PACKET.
      
      Clarify the definition to be maximum header length. For validation
      of untrusted headers, add an optional validate member to header_ops.
      
      Allow bypassing of validation by passing CAP_SYS_RAWIO, for instance
      for deliberate testing of corrupt input. In this case, pad trailing
      bytes, as some device drivers expect completely initialized headers.
      
      See also http://comments.gmane.org/gmane.linux.network/401064Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1df16498
    • Martin Blumenstingl's avatar
      packet: Allow packets with only a header (but no payload) · 58c92f13
      Martin Blumenstingl authored
      [ Upstream commit 880621c2 ]
      
      Commit 9c707762 ("packet: make packet_snd fail on len smaller
      than l2 header") added validation for the packet size in packet_snd.
      This change enforces that every packet needs a header (with at least
      hard_header_len bytes) plus a payload with at least one byte. Before
      this change the payload was optional.
      
      This fixes PPPoE connections which do not have a "Service" or
      "Host-Uniq" configured (which is violating the spec, but is still
      widely used in real-world setups). Those are currently failing with the
      following message: "pppd: packet size is too short (24 <= 24)"
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      58c92f13
    • Bill Sommerfeld's avatar
      udp6: fix UDP/IPv6 encap resubmit path · 6def7a99
      Bill Sommerfeld authored
      [ Upstream commit 59dca1d8 ]
      
      IPv4 interprets a negative return value from a protocol handler as a
      request to redispatch to a new protocol.  In contrast, IPv6 interprets a
      negative value as an error, and interprets a positive value as a request
      for redispatch.
      
      UDP for IPv6 was unaware of this difference.  Change __udp6_lib_rcv() to
      return a positive value for redispatch.  Note that the socket's
      encap_rcv hook still needs to return a negative value to request
      dispatch, and in the case of IPv6 packets, adjust IP6CB(skb)->nhoff to
      identify the byte containing the next protocol.
      Signed-off-by: default avatarBill Sommerfeld <wsommerfeld@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6def7a99
    • Oliver Neukum's avatar
      usbnet: cleanup after bind() in probe() · 900aa978
      Oliver Neukum authored
      [ Upstream commit 1666984c ]
      
      In case bind() works, but a later error forces bailing
      in probe() in error cases work and a timer may be scheduled.
      They must be killed. This fixes an error case related to
      the double free reported in
      http://www.spinics.net/lists/netdev/msg367669.html
      and needs to go on top of Linus' fix to cdc-ncm.
      Signed-off-by: default avatarOliver Neukum <ONeukum@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      900aa978
    • Bjørn Mork's avatar
      cdc_ncm: toggle altsetting to force reset before setup · cf852e98
      Bjørn Mork authored
      [ Upstream commit 48906f62 ]
      
      Some devices will silently fail setup unless they are reset first.
      This is necessary even if the data interface is already in
      altsetting 0, which it will be when the device is probed for the
      first time.  Briefly toggling the altsetting forces a function
      reset regardless of the initial state.
      
      This fixes a setup problem observed on a number of Huawei devices,
      appearing to operate in NTB-32 mode even if we explicitly set them
      to NTB-16 mode.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      cf852e98
    • Florian Westphal's avatar
      ipv6: re-enable fragment header matching in ipv6_find_hdr · af4f7a3c
      Florian Westphal authored
      [ Upstream commit 5d150a98 ]
      
      When ipv6_find_hdr is used to find a fragment header
      (caller specifies target NEXTHDR_FRAGMENT) we erronously return
      -ENOENT for all fragments with nonzero offset.
      
      Before commit 9195bb8e, when target was specified, we did not
      enter the exthdr walk loop as nexthdr == target so this used to work.
      
      Now we do (so we can skip empty route headers). When we then stumble upon
      a frag with nonzero frag_off we must return -ENOENT ("header not found")
      only if the caller did not specifically request NEXTHDR_FRAGMENT.
      
      This allows nfables exthdr expression to match ipv6 fragments, e.g. via
      
      nft add rule ip6 filter input frag frag-off gt 0
      
      Fixes: 9195bb8e ("ipv6: improve ipv6_find_hdr() to skip empty routing headers")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      af4f7a3c
    • Bjørn Mork's avatar
      qmi_wwan: add Sierra Wireless EM74xx device ID · 4ded71d9
      Bjørn Mork authored
      [ Upstream commit bf13c94c ]
      
      The MC74xx and EM74xx modules use different IDs by default, according
      to the Lenovo EM7455 driver for Windows.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4ded71d9
    • Benjamin Poirier's avatar
      mld, igmp: Fix reserved tailroom calculation · fda740f6
      Benjamin Poirier authored
      [ Upstream commit 1837b2e2 ]
      
      The current reserved_tailroom calculation fails to take hlen and tlen into
      account.
      
      skb:
      [__hlen__|__data____________|__tlen___|__extra__]
      ^                                               ^
      head                                            skb_end_offset
      
      In this representation, hlen + data + tlen is the size passed to alloc_skb.
      "extra" is the extra space made available in __alloc_skb because of
      rounding up by kmalloc. We can reorder the representation like so:
      
      [__hlen__|__data____________|__extra__|__tlen___]
      ^                                               ^
      head                                            skb_end_offset
      
      The maximum space available for ip headers and payload without
      fragmentation is min(mtu, data + extra). Therefore,
      reserved_tailroom
      = data + extra + tlen - min(mtu, data + extra)
      = skb_end_offset - hlen - min(mtu, skb_end_offset - hlen - tlen)
      = skb_tailroom - min(mtu, skb_tailroom - tlen) ; after skb_reserve(hlen)
      
      Compare the second line to the current expression:
      reserved_tailroom = skb_end_offset - min(mtu, skb_end_offset)
      and we can see that hlen and tlen are not taken into account.
      
      The min() in the third line can be expanded into:
      if mtu < skb_tailroom - tlen:
      	reserved_tailroom = skb_tailroom - mtu
      else:
      	reserved_tailroom = tlen
      
      Depending on hlen, tlen, mtu and the number of multicast address records,
      the current code may output skbs that have less tailroom than
      dev->needed_tailroom or it may output more skbs than needed because not all
      space available is used.
      
      Fixes: 4c672e4b ("ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs")
      Signed-off-by: default avatarBenjamin Poirier <bpoirier@suse.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fda740f6
    • Xin Long's avatar
      sctp: lack the check for ports in sctp_v6_cmp_addr · 67eab324
      Xin Long authored
      [ Upstream commit 40b4f0fd ]
      
      As the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check
      the port of addresses, just like sctp_v4_cmp_addr, cause it's invoked by
      sctp_cmp_addr_exact().
      
      Now sctp_v6_cmp_addr just check the port when two addresses have different
      family, and lack the port check for two ipv6 addresses. that will make
      sctp_hash_cmp() cannot work well.
      
      so fix it by adding ports comparison in sctp_v6_cmp_addr().
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      67eab324
    • Stefan Wahren's avatar
      net: qca_spi: clear IFF_TX_SKB_SHARING · 8590142d
      Stefan Wahren authored
      [ Upstream commit a4690afe ]
      
      ether_setup sets IFF_TX_SKB_SHARING but this is not supported by
      qca_spi as it modifies the skb on xmit.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: 291ab06e (net: qualcomm: new Ethernet over SPI driver for QCA7000)
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      8590142d
    • Stefan Wahren's avatar
      net: qca_spi: Don't clear IFF_BROADCAST · 830b50ea
      Stefan Wahren authored
      [ Upstream commit 2b70bad2 ]
      
      Currently qcaspi_netdev_setup accidentally clears IFF_BROADCAST.
      So fix this by keeping the flags from ether_setup.
      Reported-by: default avatarMichael Heimpold <michael.heimpold@i2se.com>
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: 291ab06e (net: qualcomm: new Ethernet over SPI driver for QCA7000)
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      830b50ea
    • Diego Viola's avatar
      net: jme: fix suspend/resume on JMC260 · 2131abc3
      Diego Viola authored
      [ Upstream commit ee50c130 ]
      
      The JMC260 network card fails to suspend/resume because the call to
      jme_start_irq() was too early, moving the call to jme_start_irq() after
      the call to jme_reset_link() makes it work.
      
      Prior this change suspend/resume would fail unless /sys/power/pm_async=0
      was explicitly specified.
      
      Relevant bug report: https://bugzilla.kernel.org/show_bug.cgi?id=112351Signed-off-by: default avatarDiego Viola <diego.viola@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2131abc3
    • Bernie Harris's avatar
      tunnel: Clear IPCB(skb)->opt before dst_link_failure called · ea82b38f
      Bernie Harris authored
      [ Upstream commit 5146d1f1 ]
      
      IPCB may contain data from previous layers (in the observed case the
      qdisc layer). In the observed scenario, the data was misinterpreted as
      ip header options, which later caused the ihl to be set to an invalid
      value (<5). This resulted in an infinite loop in the mips implementation
      of ip_fast_csum.
      
      This patch clears IPCB(skb)->opt before dst_link_failure can be called for
      various types of tunnels. This change only applies to encapsulated ipv4
      packets.
      
      The code introduced in 11c21a30 which clears all of IPCB has been removed
      to be consistent with these changes, and instead the opt field is cleared
      unconditionally in ip_tunnel_xmit. The change in ip_tunnel_xmit applies to
      SIT, GRE, and IPIP tunnels.
      
      The relevant vti, l2tp, and pptp functions already contain similar code for
      clearing the IPCB.
      Signed-off-by: default avatarBernie Harris <bernie.harris@alliedtelesis.co.nz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ea82b38f
    • Konstantin Khlebnikov's avatar
      tcp: convert cached rtt from usec to jiffies when feeding initial rto · 3de6011e
      Konstantin Khlebnikov authored
      [ Upstream commit 9bdfb3b7 ]
      
      Currently it's converted into msecs, thus HZ=1000 intact.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Fixes: 740b0f18 ("tcp: switch rtt estimations to usec resolution")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      3de6011e
    • Alex Deucher's avatar
      drm/radeon: add a dpm quirk for all R7 370 parts · d393b6c7
      Alex Deucher authored
      [ Upstream commit 0e5585dc ]
      
      Higher mclk values are not stable due to a bug somewhere.
      Limit them for now.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d393b6c7
    • Alex Deucher's avatar
      cd18a79a
    • Daniel Vetter's avatar
      drm/udl: Use unlocked gem unreferencing · 28a201e2
      Daniel Vetter authored
      [ Upstream commit 72b9ff06 ]
      
      For drm_gem_object_unreference callers are required to hold
      dev->struct_mutex, which these paths don't. Enforcing this requirement
      has become a bit more strict with
      
      commit ef4c6270
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Thu Oct 15 09:36:25 2015 +0200
      
          drm/gem: Check locking in drm_gem_object_unreference
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      28a201e2
    • Todd Previte's avatar
      drm: Fix for DP CTS test 4.2.2.5 - I2C DEFER handling · da38a239
      Todd Previte authored
      [ Upstream commit 396aa445 ]
      
      For test 4.2.2.5 to pass per the Link CTS Core 1.2 rev1.1 spec, the source
      device must attempt at least 7 times to read the EDID when it receives an
      I2C defer. The normal DRM code makes only 7 retries, regardless of whether
      or not the response is a native defer or an I2C defer. Test 4.2.2.5 fails
      since there are native defers interspersed with the I2C defers which
      results in less than 7 EDID read attempts.
      
      The solution is to add the numer of defers to the retry counter when an I2C
      DEFER is returned such that another read attempt will be made. This situation
      should normally only occur in compliance testing, however, as a worse case
      real-world scenario, it would result in 13 attempts ( 6 native defers, 7 I2C
      defers) for a single transaction to complete. The net result is a slightly
      slower response to an EDID read that shouldn't significantly impact overall
      performance.
      
      V2:
      - Added a check on the number of I2C Defers to limit the number
        of times that the retries variable will be decremented. This
        is to address review feedback regarding possible infinite loops
        from misbehaving sink devices.
      V3:
      - Fixed the limit value to 7 instead of 8 to get the correct retry
        count.
      - Combined the increment of the defer count into the if-statement
      V4:
      - Removed i915 tag from subject as the patch is not i915-specific
      V5:
      - Updated the for-loop to add the number of i2c defers to the retry
        counter such that the correct number of retry attempts will be
        made
      Signed-off-by: default avatarTodd Previte <tprevite@gmail.com>
      Cc: dri-devel@lists.freedesktop.org
      Reviewed-by: default avatarPaulo Zanoni <paulo.r.zanoni@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      da38a239
    • Sebastian Siewior's avatar
      powerpc/mm: Fixup preempt underflow with huge pages · 7e69c7b2
      Sebastian Siewior authored
      [ Upstream commit 08a5bb29 ]
      
      hugepd_free() used __get_cpu_var() once. Nothing ensured that the code
      accessing the variable did not migrate from one CPU to another and soon
      this was noticed by Tiejun Chen in 94b09d75 ("powerpc/hugetlb:
      Replace __get_cpu_var with get_cpu_var"). So we had it fixed.
      
      Christoph Lameter was doing his __get_cpu_var() replaces and forgot
      PowerPC. Then he noticed this and sent his fixed up batch again which
      got applied as 69111bac ("powerpc: Replace __get_cpu_var uses").
      
      The careful reader will noticed one little detail: get_cpu_var() got
      replaced with this_cpu_ptr(). So now we have a put_cpu_var() which does
      a preempt_enable() and nothing that does preempt_disable() so we
      underflow the preempt counter.
      
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7e69c7b2
    • Xishi Qiu's avatar
      mm: fix invalid node in alloc_migrate_target() · 39bf5645
      Xishi Qiu authored
      [ Upstream commit 6f25a14a ]
      
      It is incorrect to use next_node to find a target node, it will return
      MAX_NUMNODES or invalid node.  This will lead to crash in buddy system
      allocation.
      
      Fixes: c8721bbb ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
      Signed-off-by: default avatarXishi Qiu <qiuxishi@huawei.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Joonsoo Kim <js1304@gmail.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: "Laura Abbott" <lauraa@codeaurora.org>
      Cc: Hui Zhu <zhuhui@xiaomi.com>
      Cc: Wang Xiaoqiang <wangxq10@lzu.edu.cn>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      39bf5645
    • Takashi Iwai's avatar
      ALSA: timer: Use mod_timer() for rearming the system timer · b9f2aab6
      Takashi Iwai authored
      [ Upstream commit 4a07083e ]
      
      ALSA system timer backend stops the timer via del_timer() without sync
      and leaves del_timer_sync() at the close instead.  This is because of
      the restriction by the design of ALSA timer: namely, the stop callback
      may be called from the timer handler, and calling the sync shall lead
      to a hangup.  However, this also triggers a kernel BUG() when the
      timer is rearmed immediately after stopping without sync:
       kernel BUG at kernel/time/timer.c:966!
       Call Trace:
        <IRQ>
        [<ffffffff8239c94e>] snd_timer_s_start+0x13e/0x1a0
        [<ffffffff8239e1f4>] snd_timer_interrupt+0x504/0xec0
        [<ffffffff8122fca0>] ? debug_check_no_locks_freed+0x290/0x290
        [<ffffffff8239ec64>] snd_timer_s_function+0xb4/0x120
        [<ffffffff81296b72>] call_timer_fn+0x162/0x520
        [<ffffffff81296add>] ? call_timer_fn+0xcd/0x520
        [<ffffffff8239ebb0>] ? snd_timer_interrupt+0xec0/0xec0
        ....
      
      It's the place where add_timer() checks the pending timer.  It's clear
      that this may happen after the immediate restart without sync in our
      cases.
      
      So, the workaround here is just to use mod_timer() instead of
      add_timer().  This looks like a band-aid fix, but it's a right move,
      as snd_timer_interrupt() takes care of the continuous rearm of timer.
      Reported-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b9f2aab6
    • Nicolai Stange's avatar
      PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument · fb7a806f
      Nicolai Stange authored
      [ Upstream commit e5435891 ]
      
      Despite what the DocBook comment to pkcs7_validate_trust() says, the
      *_trusted argument is never set to false.
      
      pkcs7_validate_trust() only positively sets *_trusted upon encountering
      a trusted PKCS#7 SignedInfo block.
      
      This is quite unfortunate since its callers, system_verify_data() for
      example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust.
      
      Indeed, UBSAN splats when attempting to load the uninitialized local
      variable 'trusted' from system_verify_data() in pkcs7_validate_trust():
      
        UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14
        load of value 82 is not a valid value for type '_Bool'
        [...]
        Call Trace:
          [<ffffffff818c4d35>] dump_stack+0xbc/0x117
          [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
          [<ffffffff8194113b>] ubsan_epilogue+0xd/0x4e
          [<ffffffff819419fa>] __ubsan_handle_load_invalid_value+0x111/0x158
          [<ffffffff819418e9>] ? val_to_string.constprop.12+0xcf/0xcf
          [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
          [<ffffffff814b83f0>] ? kfree+0x220/0x370
          [<ffffffff818312c2>] ? public_key_verify_signature_2+0x32/0x50
          [<ffffffff81835e04>] pkcs7_validate_trust+0x524/0x5f0
          [<ffffffff813c391a>] system_verify_data+0xca/0x170
          [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
          [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
          [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
          [...]
      
      The implication is that pkcs7_validate_trust() effectively grants trust
      when it really shouldn't have.
      
      Fix this by explicitly setting *_trusted to false at the very beginning
      of pkcs7_validate_trust().
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarNicolai Stange <nicstange@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fb7a806f