Eric W. Biederman [Thu, 29 Jun 2017 14:28:50 +0000 (09:28 -0500)]
fcntl: Don't use ambiguous SIG_POLL si_codes
commit
d08477aa975e97f1dc64c0ae59cebf98520456ce upstream.
We have a weird and problematic intersection of features that when
they all come together result in ambiguous siginfo values, that
we can not support properly.
- Supporting fcntl(F_SETSIG,...) with arbitrary valid signals.
- Using positive values for POLL_IN, POLL_OUT, POLL_MSG, ..., etc
that imply they are signal specific si_codes and using the
aforementioned arbitrary signal to deliver them.
- Supporting injection of arbitrary siginfo values for debugging and
checkpoint/restore.
The result is that just looking at siginfo si_codes of 1 to 6 are
ambigious. It could either be a signal specific si_code or it could
be a generic si_code.
For most of the kernel this is a non-issue but for sending signals
with siginfo it is impossible to play back the kernel signals and
get the same result.
Strictly speaking when the si_code was changed from SI_SIGIO to
POLL_IN and friends between 2.2 and 2.4 this functionality was not
ambiguous, as only real time signals were supported. Before 2.4 was
released the kernel began supporting siginfo with non realtime signals
so they could give details of why the signal was sent.
The result is that if F_SETSIG is set to one of the signals with signal
specific si_codes then user space can not know why the signal was sent.
I grepped through a bunch of userspace programs using debian code
search to get a feel for how often people choose a signal that results
in an ambiguous si_code. I only found one program doing so and it was
using SIGCHLD to test the F_SETSIG functionality, and did not appear
to be a real world usage.
Therefore the ambiguity does not appears to be a real world problem in
practice. Remove the ambiguity while introducing the smallest chance
of breakage by changing the si_code to SI_SIGIO when signals with
signal specific si_codes are targeted.
Fixes: v2.3.40 -- Added support for queueing non-rt signals
Fixes: v2.3.21 -- Changed the si_code from SI_SIGIO
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Oleg Nesterov [Mon, 23 May 2016 23:24:02 +0000 (16:24 -0700)]
signal: move the "sig < SIGRTMIN" check into siginmask(sig)
commit
5c8ccefdf46c5f87d87b694c7fbc04941c2c99a5 upstream.
All the users of siginmask() must ensure that sig < SIGRTMIN. sig_fatal()
doesn't and this is wrong:
UBSAN: Undefined behaviour in kernel/signal.c:911:6
shift exponent 32 is too large for 32-bit type 'long unsigned int'
the patch doesn't add the neccesary check to sig_fatal(), it moves the
check into siginmask() and updates other callers.
Link: http://lkml.kernel.org/r/20160517195052.GA15187@redhat.com
Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Noa Osherovich [Mon, 12 Jun 2017 08:14:02 +0000 (11:14 +0300)]
IB/core: Fix the validations of a multicast LID in attach or detach operations
commit
5236333592244557a19694a51337df6ac018f0a7 upstream.
RoCE Annex (A16.9.10/11) declares that during attach (detach) QP to a
multicast group, if the QP is associated with a RoCE port, the
multicast group MLID is unused and is ignored.
During attach or detach multicast, when the QP is associated with a
port, it is enough to check the port's link layer and validate the
LID only if it is Infiniband. Otherwise, avoid validating the
multicast LID.
Fixes:
8561eae60ff9 ("IB/core: For multicast functions, verify that LIDs are multicast LIDs")
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Reviewed-by: Moni Shoua <monis@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.2: use literal number instead of IB_MULTICAST_LID_BASE]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Sat, 11 Nov 2017 13:34:52 +0000 (13:34 +0000)]
Linux 3.2.95
Uwe Kleine-König [Wed, 24 Sep 2014 07:51:57 +0000 (08:51 +0100)]
ARM: 8160/1: drop warning about return_address not using unwind tables
commit
e16343c47e4276f5ebc77ca16feb5e50ca1918f9 upstream.
The warning was introduced in 2009 (commit
4bf1fa5a34aa ([ARM] 5613/1:
implement CALLER_ADDRESSx)). The only "problem" here is that
CALLER_ADDRESSx for x > 1 returns NULL which doesn't do much harm.
The drawback of implementing a fix (i.e. use unwind tables to implement CALLER_ADDRESSx) is that much of the unwinder code would need to be marked as not
traceable.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
A Raghavendra Rao [Thu, 7 Aug 2014 08:40:39 +0000 (14:10 +0530)]
Staging: wlan-ng: fix sparse warning in prism2fw.c
commit
41cb65c4854e14f12b1cbb8215e509d8ad4d0c88 upstream.
Fix the following sparse warning :
In file included from drivers/staging/wlan-ng/prism2usb.c:5:0:
drivers/staging/wlan-ng/prism2fw.c: In function
‘read_cardpda.constprop.43’:
drivers/staging/wlan-ng/prism2fw.c:792:1: warning: the frame size of
1068 bytes is larger than 1024 bytes [-Wframe-larger-than=]
The variable to 'struct p80211msg_p2req_readpda' was previously being created
on the stack, which inturn exeeded the frame size limit, resulting in a
sparse warning. This patch alloctes the memory to the structure dynamically
and the operations are left unchanged.
Signed-off-by: A Raghavendra Rao <arrao@cdac.in>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Arnd Bergmann [Fri, 5 May 2017 19:47:23 +0000 (21:47 +0200)]
staging: vt6655: fix overly large stack usage
We get a warning for the large stack usage in some configurations:
drivers/staging/vt6655/device_main.c: In function 'device_ioctl':
drivers/staging/vt6655/device_main.c:2974:1: warning: the frame size of 1304 bytes is larger than 1024 bytes [-Wframe-larger-than=]
This is addressed in linux-3.19 with commit
67013f2c0e58 ("staging: vt6655:
mac80211 conversion add main mac80211 functions"), which obsoletes the
device_ioctl() function, but as that does not apply to stable kernels,
this picks an easier way out by using dynamic allocation.
The driver was merged in 2.6.31, and the fix applies to all versions
before 3.19.
Fixes:
5449c685a4b3 ("Staging: Add pristine upstream vt6655 driver sources")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Arnd Bergmann [Fri, 5 May 2017 19:47:21 +0000 (21:47 +0200)]
staging: bcm: add 32-bit host dependency
The driver uses a 32-bit variable to store a pointer, causing a couple of
warnings:
../drivers/staging/bcm/CmHost.c: In function 'StoreCmControlResponseMessage':
../drivers/staging/bcm/CmHost.c:1503:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
(struct bcm_connect_mgr_params *) ntohl(
^
../drivers/staging/bcm/CmHost.c:1546:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
(struct bcm_connect_mgr_params *) ntohl(
^
../drivers/staging/bcm/CmHost.c:1564:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
(struct bcm_connect_mgr_params *) ntohl(
I fixed other warnings in an earlier commit
9f1c75ac2dba ("staging/bcm: fix most
build warnings"), but couldn't figure out what was the intended behavior on
64-bit machines here.
The driver was removed in linux-3.19, commit
d09e9b160fc1 ("staging: bcm: remove
driver") which explains that it never worked on 64-bit machines. This adds
a Kconfig dependency instead to prevent it from being built in the known
broken configuration. This workaround applies to v2.6.37 or higher.
Fixes:
f8942e07a3db ("staging: Beeceem USB Wimax driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jeff Kirsher [Thu, 18 Sep 2014 09:33:41 +0000 (02:33 -0700)]
am2150: Update nmclan_cs.c to use update PCMCIA API
commit
5f5316fcd08ef74b282adf6774956431fac62663 upstream.
Resolves compile warning about use of a deprecated function call:
drivers/net/ethernet/amd/nmclan_cs.c: In function ‘nmclan_config’:
drivers/net/ethernet/amd/nmclan_cs.c:624:3: warning: ‘pcmcia_request_exclusive_irq’ is deprecated (declared at include/pcmcia/ds.h:213) [-Wdeprecated-declarations]
ret = pcmcia_request_exclusive_irq(link, mace_interrupt);
Updates pcmcia_request_exclusive_irq() to pcmcia_request_irq().
CC: Roger Pao <rpao@paonet.org>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Arnd Bergmann [Wed, 28 Jan 2015 14:15:04 +0000 (15:15 +0100)]
net: am2150: fix nmclan_cs.c shared interrupt handling
commit
96a30175f927facfb421655ef08b7a0fe546fbed upstream.
A recent patch tried to work around a valid warning for the use of a
deprecated interface by blindly changing from the old
pcmcia_request_exclusive_irq() interface to pcmcia_request_irq().
This driver has an interrupt handler that is not currently aware
of shared interrupts, but can be easily converted to be.
At the moment, the driver reads the interrupt status register
repeatedly until it contains only zeroes in the interesting bits,
and handles each bit individually.
This patch adds the missing part of returning IRQ_NONE in case none
of the bits are set to start with, so we can move on to the next
interrupt source.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes:
5f5316fcd08ef7 ("am2150: Update nmclan_cs.c to use update PCMCIA API")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Arnd Bergmann [Fri, 5 May 2017 19:46:53 +0000 (21:46 +0200)]
scsi: advansys: remove #warning message
The advansys driver was converted to the proper DMA API in linux-4.2, but
the 3.18-stable kernel still warns about this:
drivers/scsi/advansys.c:71:2: warning: #warning this driver is still not properly converted to the DMA API [-Wcpp]
The warning clearly is not helpful in 3.18 any more, it just clutters up
the build log. This removes the warning instead, and clarifies the
comment above it.
Cc: Hannes Reinecke <hare@suse.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[bwh: Changed comment to say 3.2]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Dan Williams [Wed, 7 Dec 2011 07:24:42 +0000 (23:24 -0800)]
libsas: prevent double completion of scmds from eh
commit
a3a142524aa4b1539a64a55087bf12ffa4b1f94e upstream.
We invoke task->task_done() to free the task in the eh case, but at this
point we are prepared for scsi_eh_flush_done_q() to finish off the scmd.
Introduce sas_end_task() to capture the final response status from the
lldd and free the task.
Also take the opportunity to kill this warning.
drivers/scsi/libsas/sas_scsi_host.c: In function ‘sas_end_task’:
drivers/scsi/libsas/sas_scsi_host.c:102:3: warning: case value ‘2’ not in enumerated type ‘enum exec_status’ [-Wswitch]
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Andrew Vincer [Tue, 8 Nov 2011 15:43:45 +0000 (12:43 -0300)]
rc: Fix input deadlock and transmit error in redrat3 driver
commit
dbea1880368071dfa97d5e6aa4a368e7d0146a85 upstream.
Fixed submit urb logic so hardware doesn't hang trying to transmit
signal data
Removed unneeded enable/disable detector commands in
redrat3_transmit_ir (the hardware does this anyway) and converted
arguments to unsigned as per 5588dc2
Signed-off-by: Andrew Vincer <andrew@redrat.co.uk>
Cc: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Keith Packard [Fri, 9 Dec 2011 19:33:00 +0000 (11:33 -0800)]
drm/i915: Clean up multi-threaded forcewake patch
commit
c7dffff7cc8de748edf0e9f6571cdabecb198705 upstream.
We learned that the ECOBUS register was inside the GT power well, and
so *did* need force wake to be read, so it gets removed from the list
of 'doesn't need force wake' registers.
That means the code reading ECOBUS after forcing the mt_force_wake
function to be called needs to use I915_READ_NOTRACE; it doesn't need
to do more force wake fun as it's already done it manually.
This also adds a comment explaining why the MT forcewake testing code
only needs to call mt_forcewake_get/put and not disable RC6 manually
-- the ECOBUS read will return 0 if the device is in RC6 and isn't
using MT forcewake, causing the test to work correctly.
Signed-off-by: Keith Packard <keithp@keithp.com>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
[bwh: Backported to 3.2: I previously backported a change to
NEEDS_FORCE_WAKE() and applied it to the version in i915_drv.c, the one
that was actually being used. Move that change to i915_drv.h now.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Dan Carpenter [Fri, 23 Mar 2012 07:35:33 +0000 (04:35 -0300)]
mxl111sf: remove an unused variable
commit
3fd7e4341e04f80e2605f56bbd8cb1e8b027901a upstream.
We don't use this any more after
3be5bb71fb "[media] mxl111sf: fix error
on stream stop in mxl111sf_ep6_streaming_ctrl()" and it makes GCC
complain.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
David S. Miller [Sat, 26 Nov 2011 20:41:29 +0000 (15:41 -0500)]
ray_cs: Fix array bounds warnings.
commit
b4c0e72e80e2e04b462ea05cc5a001807d7feed6 upstream.
rx_msg is defined to have a 1 entry array at the end, so gcc warns:
drivers/net/wireless/ray_cs.c: In function ‘rx_authenticate’:
drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2439:15: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2452:16: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2453:18: warning: array subscript is above array bounds [-Warray-bounds]
drivers/net/wireless/ray_cs.c:2453:32: warning: array subscript is above array bounds [-Warray-bounds]
Use a zero length array and rename to "ray_rx_msg" to make sure we hit all
of the necessary cases.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Mon, 6 Nov 2017 02:50:25 +0000 (02:50 +0000)]
mct_u232: Fix use of uninitialized pointer in mct_u323_startup()
My backport of commit
4e9a0b05257f "USB: mct_u232: add sanity checking in
probe" incorrectly added a dev_err() call using port->dev before 'port' was
initialised. Use the 'serial' parameter to look up the device instead.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Randy Dunlap [Mon, 25 Jun 2012 04:35:29 +0000 (21:35 -0700)]
staging: reduce stack usage in prism2fw.c
commit
c90e3e80b9751335cc98934ae32188fa7de6bccd upstream.
Fix frame size (stack usage) warning by allocating and freeing
pointers to the data.
drivers/staging/wlan-ng/prism2fw.c:1115:1: warning: the frame size of 4288 bytes is larger than 2048 bytes
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Peter Huewe [Tue, 19 Feb 2013 04:18:50 +0000 (05:18 +0100)]
staging/slicoss: Fix operation may be undefined warning
commit
6d1b80fd886937ad4d6169ffa78cb0075eebce53 upstream.
gcc complains about an undefined operation:
slicoss.c:1417:19: warning: operation on 'rspq->pageindex' may be
undefined [-Wsequence-point]
The intended operation was (probably) to retrieve the pageindex + 1 and let
it wrap around if it reaches the num_pages.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Thu, 8 Sep 2011 01:09:42 +0000 (02:09 +0100)]
sfc: Merge efx_mcdi_mac_check_fault() and efx_mcdi_get_mac_faults()
commit
1daf417029ddc10b7854430c1e1118df791d0eaf upstream.
The latter is only called by the former, which is a very short
wrapper. Further, gcc 4.5 may currently wrongly warn that the
'faults' variable may be used uninitialised.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
[bwh: Backported to 3.2: keep efx_mcdi_get_mac_faults() static]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Leed Aguilar [Thu, 14 Jun 2012 15:05:31 +0000 (11:05 -0400)]
staging:iio:gyro:adis16080: remove sparse warnings
commit
4d9505af7743828464d066795c6e1311c7884db4 upstream.
Removed the following sparse warning:
In function 'adis16080_read_raw':
warning: 'ut' may be used uninitialized in this function
Signed-off-by: Leed Aguilar <leed.aguilar@ti.com>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Cc: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Reddy, Sreekanth [Tue, 26 Feb 2013 12:06:12 +0000 (17:36 +0530)]
mpt2sas: fix for unused variable 'event_data' warning
commit
c3a634bf78242177fba9c85deb709e7b63ed0ef1 upstream.
If CONFIG_SCSI_MPT2SAS_LOGGING is undefined, then these warnings are emitted
drivers/scsi/mpt2sas/mpt2sas_scsih.c: In function '_scsih_sas_broadcast_primitive_event'
drivers/scsi/mpt2sas/mpt2sas_scsih.c:5810:40: warning: unused variable 'event_data'
Use pr_info() function instead of dewtprintk().
Signed-off-by: Sreekanth Reddy <Sreekanth.Reddy@lsi.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Michael Hennerich [Mon, 16 Jul 2012 08:42:00 +0000 (09:42 +0100)]
iio: staging: ad7298_ring: Fix maybe-uninitialized warning
commit
dfffd0d65fdf16d034681716dcbea74776f62e40 upstream.
drivers/staging/iio/adc/ad7298_ring.c:97:37: warning: 'time_ns' may
be used uninitialized in this function [-Wmaybe-uninitialized]
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Andreas Ruprecht [Mon, 28 Nov 2011 15:59:13 +0000 (16:59 +0100)]
Staging: iio/accel: Changed return type of lis3l02dq_read_event_config() to int
commit
28998e005bb669b60de0e432d6f142267f5c1403 upstream.
The lis3l02dq_read_event_config() function returned an ssize_t up to
now, which lead to a compiler warning in line 660 (initialization from
incompatible pointer type). The iio_info struct is defined to accept an
int-returning function as the read_event_config parameter.
Also it seems odd to have the check for (ret < 0) and return ret in
this case, when the return type is signed.
Signed-off-by: Andreas Ruprecht <rupran@einserver.de>
Acked-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
SeongJae Park [Tue, 4 Feb 2014 08:36:39 +0000 (17:36 +0900)]
staging: cxt1e1: remove unnecessary function, VMETRO_TRACE
commit
ce8386da7488c998969288355111996c2c23c892 upstream.
VMETRO_TRACE isn't called from anywhere. So delete it.
Signed-off-by: SeongJae Park <sj38.park@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Greg Kroah-Hartman [Thu, 6 Sep 2012 18:21:48 +0000 (11:21 -0700)]
staging: comedi: vmk80xx: fix compiler warning
commit
13f7952f8f13fb1bbd18b85988e3a5bbbed00879 upstream.
gcc complains about some potentially uninitalized variables here, yet it
can not happen, due to an enumerated type (either the board is one type
or the other.) Make the compiler happy by providing a default case
option that makes the logic a bit simpler for it to determine that there
really isn't a problem here.
Cc: H Hartley Sweeten <hartleys@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Hannes Reinecke [Mon, 6 Jul 2015 11:07:58 +0000 (13:07 +0200)]
aic94xx: Skip reading user settings if flash is not found
commit
36dd5acd196574d41de3e81d8264df475bbb7123 upstream.
If no user settings are found it's pointless trying to
read them from flash. So skip that step.
This also fixes a compilation warning about uninitialized variables in
aic94xx.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Paul Bolle [Fri, 5 Oct 2012 00:14:35 +0000 (17:14 -0700)]
drivers/rtc/rtc-m41t80.c: remove disabled alarm functionality
commit
48e9766726ebb8f5d98823fe6b32dff570bc04d8 upstream.
Commit
c3b79770e51a ("rtc: m41t80: Workaround broken alarm
functionality") disabled m41t80's alarm functions. But since those
functions were not touched, building this driver triggers these GCC
warnings:
drivers/rtc/rtc-m41t80.c:216:12: warning: 'm41t80_rtc_alarm_irq_enable' defined but not used [-Wunused-function]
drivers/rtc/rtc-m41t80.c:238:12: warning: 'm41t80_rtc_set_alarm' defined but not used [-Wunused-function]
drivers/rtc/rtc-m41t80.c:308:12: warning: 'm41t80_rtc_read_alarm' defined but not used [-Wunused-function]
Remove these functions (and the commented out references to them) to
silence these warnings. Anyone wanting to fix the alarm irq functionality
can easily find the removed code in the git log of this file or through
some web searches.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Cc: John Stultz <john.stultz@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Andy Shevchenko [Wed, 7 Jun 2017 13:56:15 +0000 (16:56 +0300)]
platform/x86: samsung-laptop: Initialize loca variable
commit
0d2c95354a3b63256e92d9fb865c08902d2c9b0b upstream.
The variable is used uninitialized which might come into unexpected
behaviour on some Samsung laptops.
Initialize it to 0xffff which seems a proper value for non-supported
feature.
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Artem Bityutskiy [Thu, 29 Dec 2011 16:06:01 +0000 (18:06 +0200)]
mtd: sst25l: kill unused variable
commit
d81a32f2c16a3c42cf26f2216765c520630daa4e upstream.
Fix the following gcc warning:
drivers/mtd/devices/sst25l.c: In function ‘sst25l_probe’:
drivers/mtd/devices/sst25l.c:381:11: warning: unused variable ‘i’ [-Wunused-variable]
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Danny Kukawka [Mon, 30 Jan 2012 22:00:08 +0000 (23:00 +0100)]
vmw_balloon: fix for a -Wuninitialized warning
commit
3e5ba466d515eb3fb1e0e975a3d8e499126ae2b5 upstream.
Fix for a -Wuninitialized compiler warning. Changed return value of
vmballoon_send_lock_page() from bool to int to be able to distinguish
between the error cases to avoid uninitialized use of hv_status in
vmballoon_reserve_page()
Signed-off-by: Danny Kukawka <danny.kukawka@bisect.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Viresh Kumar [Mon, 29 Oct 2012 17:17:26 +0000 (22:47 +0530)]
mtd: map: Fix compilation warning
commit
3e9ce49e0ef95e22790a74720f0068696b2477c9 upstream.
This patch is an attempt to fix following compilation warning.
In file included from drivers/mtd/chips/cfi_cmdset_0001.c:35:0:
drivers/mtd/chips/cfi_cmdset_0001.c: In function 'cfi_intelext_write_words':
include/linux/mtd/map.h:331:11: warning: 'r.x[0]' may be used uninitialized in this function [-Wmaybe-uninitialized]
I could have used uninitialized_var() too, but didn't used it as the final else
part of map_word_load() is missing. So there is a chance that it might be passed
uninitialized. Better initialize to zero.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Antti Palosaari [Thu, 9 Aug 2012 23:50:35 +0000 (20:50 -0300)]
tda18212: silence compiler warning
commit
e666a44fa313cb9329c0381ad02fc6ee1e21cb31 upstream.
Trivial fix.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Antti Palosaari [Thu, 9 Aug 2012 23:50:37 +0000 (20:50 -0300)]
tda18218: silence compiler warning
commit
e0e52d4e9f5bce7ea887027c127473eb654a5a04 upstream.
Trivial fix.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Antonio Alecrim Jr [Sat, 14 Sep 2013 17:20:40 +0000 (14:20 -0300)]
isdn: hfcpci_softirq: get func return to suppress compiler warning
commit
d6d6d1bc44362112e10a48d434e5b3c716152003 upstream.
Signed-off-by: Antonio Alecrim Jr <antonio.alecrim@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mauro Carvalho Chehab [Mon, 29 Oct 2012 10:02:31 +0000 (08:02 -0200)]
xc4000: Fix a few warnings
commit
0d0d76e5bcd70439b0e736a99539d7eef4f87baf upstream.
drivers/media/tuners/xc4000.c: In function ‘check_firmware’:
drivers/media/tuners/xc4000.c:1048:45: warning: ‘fw_minor’ may be used uninitialized in this function [-Wmaybe-uninitialized]
drivers/media/tuners/xc4000.c:1048:39: warning: ‘fw_major’ may be used uninitialized in this function [-Wmaybe-uninitialized]
drivers/media/tuners/xc4000.c:1062:39: warning: ‘hw_minor’ may be used uninitialized in this function [-Wmaybe-uninitialized]
drivers/media/tuners/xc4000.c:1062:33: warning: ‘hw_major’ may be used uninitialized in this function [-Wmaybe-uninitialized]
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Danny Kukawka [Thu, 2 Feb 2012 03:20:28 +0000 (03:20 +0000)]
eicon: fix -Warray-bounds warning
commit
e1f4c485cdb2b1d7aae172b731f6c2b403381ebb upstream.
Fix for a -Warray-bounds warning. mixer_notify_update() tries to
write to ((CAPI_MSG *) msg)->info.facility_req.structs[3] while
structs is defined as byte structs[1]. Set all 'structs' which are
part of the typdefs in the info union to 'byte structs[0]'.
v2: set all info.*.structs to byte structs[0]
Signed-off-by: Danny Kukawka <danny.kukawka@bisect.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Paul Bolle [Sat, 14 Jul 2012 23:11:55 +0000 (23:11 +0000)]
gigaset: silence GCC warning for unused 'format_ie'
commit
6ba6047bf99cf4ade4f63b6b3d97cc3ad763b678 upstream.
Building Gigaset's CAPI support without Gigaset's debugging enabled
triggers this GCC warning:
'format_ie' defined but not used [-Wunused-function]
Silence this warning by wrapping format_ie() in an "#ifdef
CONFIG_GIGASET_DEBUG" and "#endif" pair.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Paul Bolle [Mon, 25 Feb 2013 17:17:13 +0000 (09:17 -0800)]
IB/mlx4: Fix compiler warning about uninitialized 'vlan' variable
commit
57d88cffc83a2120266bbe9e72cbba5bd5f33675 upstream.
Building qp.o triggers this gcc warning:
drivers/infiniband/hw/mlx4/qp.c: In function ‘mlx4_ib_post_send’:
drivers/infiniband/hw/mlx4/qp.c:1862:62: warning: ‘vlan’ may be used uninitialized in this function [-Wmaybe-uninitialized]
drivers/infiniband/hw/mlx4/qp.c:1752:6: note: ‘vlan’ was declared here
Looking at the code it is clear 'vlan' is only set and used if 'is_eth'
is non-zero. But by initializing 'vlan' to 0xffff, on
gcc (Ubuntu 4.7.2-22ubuntu1) 4.7.2
on x86-64 at least, we fix the warning, and the compiler was already
setting 'vlan' to 0 in the generated code, so there's no real downside.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
[ Get rid of unnecessary move of 'is_vlan' initialization. - Roland ]
Signed-off-by: Roland Dreier <roland@purestorage.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
David Howells [Thu, 15 Dec 2011 13:03:14 +0000 (13:03 +0000)]
intel_idle: Fix a cast to pointer from integer of different size warning in intel_idle
commit
95e3ec11491d0cbce9fcdf1cc17a527c114c7dcf upstream.
Fix the following warning:
drivers/idle/intel_idle.c: In function 'intel_idle_cpuidle_devices_init':
drivers/idle/intel_idle.c:518:5: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
By making get_driver_data() return a long instead of an int.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
David S. Miller [Thu, 27 Sep 2012 22:35:47 +0000 (18:35 -0400)]
pkt_sched: Fix warning false positives.
commit
f54ba7798848ce1385a71b36a2c997422c82220a upstream.
GCC refuses to recognize that all error control flows do in fact
set err to something.
Add an explicit initialization to shut it up.
net/sched/sch_drr.c: In function ‘drr_enqueue’:
net/sched/sch_drr.c:359:11: warning: ‘err’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/sched/sch_qfq.c: In function ‘qfq_enqueue’:
net/sched/sch_qfq.c:885:11: warning: ‘err’ may be used uninitialized in this function [-Wmaybe-uninitialized]
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guenter Roeck [Tue, 12 Jun 2012 15:27:49 +0000 (08:27 -0700)]
hwmon: (w83781d) Fix compile warning
commit
bbc8a569ae91e0951f4b7f8eb33ef1970bf2129c upstream.
The following compile warning may be seen if the driver is compiled with
-Wuninitialized:
drivers/hwmon/w83781d.c: warning: 'sc_addr[1]' may be used uninitialized in this
function [-Wuninitialized]
While this is a false positive, it is annoying in nightly builds, and may help
to conceal real problems. The current code is quite tricky, and and it is easy
to rearrage the code to make the warning disappear. So fix it.
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Pablo Neira Ayuso [Wed, 29 Aug 2012 15:58:29 +0000 (15:58 +0000)]
netfilter: xt_socket: fix compilation warnings with gcc 4.7
commit
6703aa74ad1ba2e598bb49a37f7518da1195bacb upstream.
This patch fixes compilation warnings in xt_socket with gcc-4.7.
In file included from net/netfilter/xt_socket.c:22:0:
net/netfilter/xt_socket.c: In function ‘socket_mt6_v1’:
include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:265:16: note: ‘sport’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:265:9: note: ‘dport’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:264:27: note: ‘saddr’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:264:19: note: ‘daddr’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
net/netfilter/xt_socket.c: In function ‘socket_match.isra.4’:
include/net/netfilter/nf_tproxy_core.h:75:2: warning: ‘protocol’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:113:5: note: ‘protocol’ was declared here
In file included from include/net/tcp.h:37:0,
from net/netfilter/xt_socket.c:17:
include/net/inet_hashtables.h:356:45: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:112:16: note: ‘sport’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
include/net/netfilter/nf_tproxy_core.h:106:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:112:9: note: ‘dport’ was declared here
In file included from include/net/tcp.h:37:0,
from net/netfilter/xt_socket.c:17:
include/net/inet_hashtables.h:356:15: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:111:16: note: ‘saddr’ was declared here
In file included from include/net/tcp.h:37:0,
from net/netfilter/xt_socket.c:17:
include/net/inet_hashtables.h:356:15: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:111:9: note: ‘daddr’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
net/netfilter/xt_socket.c: In function ‘socket_mt6_v1’:
include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:268:16: note: ‘sport’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:268:9: note: ‘dport’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:267:27: note: ‘saddr’ was declared here
In file included from net/netfilter/xt_socket.c:22:0:
include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_socket.c:267:19: note: ‘daddr’ was declared here
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ryusuke Konishi [Sat, 7 Nov 2015 00:32:16 +0000 (16:32 -0800)]
nilfs2: fix gcc uninitialized-variable warnings in powerpc build
commit
4f05028f8d1af782cfd03d09e0a052e9745dc5ad upstream.
Some false positive warnings are reported for powerpc build.
The following warnings are reported in
http://kisskb.ellerman.id.au/kisskb/buildresult/
12519703/
CC fs/nilfs2/super.o
fs/nilfs2/super.c: In function 'nilfs_resize_fs':
fs/nilfs2/super.c:376:2: warning: 'blocknr' may be used uninitialized in this function [-Wuninitialized]
fs/nilfs2/super.c:362:11: note: 'blocknr' was declared here
CC fs/nilfs2/recovery.o
fs/nilfs2/recovery.c: In function 'nilfs_salvage_orphan_logs':
fs/nilfs2/recovery.c:631:21: warning: 'sum' may be used uninitialized in this function [-Wuninitialized]
fs/nilfs2/recovery.c:585:32: note: 'sum' was declared here
fs/nilfs2/recovery.c: In function 'nilfs_search_super_root':
fs/nilfs2/recovery.c:873:11: warning: 'sum' may be used uninitialized in this function [-Wuninitialized]
Another similar warning is reported in
http://kisskb.ellerman.id.au/kisskb/buildresult/
12520079/
CC fs/nilfs2/btree.o
fs/nilfs2/btree.c: In function 'nilfs_btree_convert_and_insert':
include/asm-generic/bitops/non-atomic.h:105:20: warning: 'bh' may be used uninitialized in this function [-Wuninitialized]
fs/nilfs2/btree.c:1859:22: note: 'bh' was declared here
This cleans out these warnings by forcing the variables to be initialized.
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Daniel Mack [Mon, 18 Jun 2012 19:16:31 +0000 (21:16 +0200)]
ALSA: snd-usb-caiaq: initialize card pointer
commit
da185443c12f5ef7416af50293833a5654854186 upstream.
Fixes the following warning:
CC [M] sound/usb/caiaq/device.o
sound/usb/caiaq/device.c: In function ‘snd_probe’:
sound/usb/caiaq/device.c:500:16: warning: ‘card’ may be used
uninitialized in this function [-Wmaybe-uninitialized]
Signed-off-by: Daniel Mack <zonque@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Mon, 6 Nov 2017 01:09:48 +0000 (01:09 +0000)]
edac: i7300_edac: Fix 'may be used uninitialized' warning
gcc 4.7 warns that nr_pages may be used uninitialized in
i7300_init_csrows(). In fact, the case where it's not initialised is
an error that will result in returning early without using it.
Silence the warning by initialising to 0.
This was done upstream as part of commit
084a4fccef39 "edac: move dimm
properties to struct dimm_info".
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fabio Estevam [Mon, 24 Dec 2012 17:55:37 +0000 (15:55 -0200)]
ASoC: wm8985: Refactor set_pll code to avoid gcc warnings
commit
5f3d25c08dee44a40229f1f9e8934f3217478a67 upstream.
Refactor set_pll code to avoid the following warnings:
sound/soc/codecs/wm8985.c:852:50: warning: 'pll_div.k' may be used uninitialized in this function
sound/soc/codecs/wm8985.c:849:9: warning: 'pll_div.n' may be used uninitialized in this function
sound/soc/codecs/wm8985.c:848:23: warning: 'pll_div.div2' may be used uninitialized in this function
Do the same as in commit
86ce6c9a (ASoC: WM8804: Refactor set_pll code to avoid
GCC warnings).
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fabio Estevam [Wed, 12 Dec 2012 03:24:40 +0000 (01:24 -0200)]
ASoC: wm8993: Refactor set_pll code to avoid GCC warnings
commit
6757d8cc0c6ff2e61972d84797d358a2f69f2217 upstream.
Refactor set_pll code to avoid the following warnings:
sound/soc/codecs/wm8983.c:873:40: warning: 'pll_div.k' may be used uninitialized in this function [-Wuninitialized]
sound/soc/codecs/wm8983.c:870:9: warning: 'pll_div.n' may be used uninitialized in this function [-Wuninitialized]
sound/soc/codecs/wm8983.c:869:23: warning: 'pll_div.div2' may be used uninitialized in this function [-Wuninitialized]
Do the same as in commit
86ce6c9a (ASoC: WM8804: Refactor set_pll code to avoid
GCC warnings).
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
David S. Miller [Thu, 1 Dec 2011 19:45:49 +0000 (14:45 -0500)]
dccp: Fix compile warning in probe code.
commit
d984e6197ecd2babc1537f42dc1e676133005cda upstream.
Commit
1386be55e32a3c5d8ef4a2b243c530a7b664c02c ("dccp: fix
auto-loading of dccp(_probe)") fixed a bug but created a new
compiler warning:
net/dccp/probe.c: In function ‘dccpprobe_init’:
net/dccp/probe.c:166:2: warning: the omitted middle operand in ?: will always be ‘true’, suggest explicit middle operand [-Wparentheses]
try_then_request_module() is built for situations where the
"existence" test is some lookup function that returns a non-NULL
object on success, and with a reference count of some kind held.
Here we're looking for a success return of zero from the jprobe
registry.
Instead of fighting the way try_then_request_module() works, simply
open code what we want to happen in a local helper function.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tim Gardner [Sun, 10 Mar 2013 16:58:21 +0000 (10:58 -0600)]
ASoC: wm_hubs: Silence reg_r and reg_l 'may be used uninitialized' warnings
commit
1f5353e765fe2a1168477bfe55e4dd7cdd96b477 upstream.
Return an error from wm_hubs_read_dc_servo() if hubs->dcs_readback_mode is not
correctly initialized. You might as well bail out since nothing is likely to
work correctly afterwards.
sound/soc/codecs/wm_hubs.c:321:11: warning: 'reg_r' may be used uninitialized in this function [-Wuninitialized]
sound/soc/codecs/wm_hubs.c:251:13: note: 'reg_r' was declared here
sound/soc/codecs/wm_hubs.c:322:11: warning: 'reg_l' may be used uninitialized in this function [-Wuninitialized]
sound/soc/codecs/wm_hubs.c:251:6: note: 'reg_l' was declared here
gcc version 4.6.3
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
[bwh: Backported to 3.2: There's no separate wm_hubs_read_dc_servo() function,
so return directly from calibrate_dc_servo().]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tim Gardner [Mon, 11 Mar 2013 19:18:23 +0000 (13:18 -0600)]
ASoC: adau1373: adau1373_hw_params: Silence overflow warning
commit
14a1b8ca172f4cfbc544051a729d85a380447a82 upstream.
ADAU1373_BCLKDIV_SOURCE is defined as BIT(5) which uses UL constants. On
amd64 the result of the ones complement operator is then truncated to
unsigned int according to the prototype of snd_soc_update_bits(). I think
gcc is correctly warning that the upper 32 bits are lost.
sound/soc/codecs/adau1373.c: In function 'adau1373_hw_params':
sound/soc/codecs/adau1373.c:940:3: warning: large integer implicitly truncated to unsigned type [-Woverflow]
gcc version 4.6.3
Add 2 more BCLKDIV mask macros as explained by Lars:
The BCLKDIV has three fields. The bitclock divider (bit 0-1), the samplerate
(bit 2-4) and the source select (bit 5). Here we want to update the bitclock
divider field and the samplerate field. When I wrote the code I was lazy and
used ~ADAU1373_BCLKDIV_SOURCE as the mask, which for this register is
functionally equivalent to ADAU1373_BCLKDIV_SR_MASK | ADAU1373_BCLKDIV_BCLK_MASK.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cong Wang [Tue, 3 Apr 2012 06:13:36 +0000 (14:13 +0800)]
drbd: check MODULE for THIS_MODULE
commit
bc4854bc91c9a7f117437215cd8b16a0a5671d93 upstream.
THIS_MODULE is NULL only when drbd is compiled as built-in,
so the #ifdef CONFIG_MODULES should be #ifdef MODULE instead.
This fixes the warning:
drivers/block/drbd/drbd_main.c: In function ‘drbd_buildtag’:
drivers/block/drbd/drbd_main.c:4187:24: warning: the comparison will always evaluate as ‘true’ for the address of ‘__this_module’ will never be NULL [-Waddress]
Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com>
Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Danny Kukawka [Fri, 2 Mar 2012 09:48:35 +0000 (10:48 +0100)]
drivers/block/DAC960: fix -Wuninitialized warning
commit
cecd353a02fb1405c8a72a324b26b5acf97e7411 upstream.
Set CommandMailbox with memset before use it. Fix for:
drivers/block/DAC960.c: In function ‘DAC960_V1_EnableMemoryMailboxInterface’:
arch/x86/include/asm/io.h:61:1: warning: ‘CommandMailbox.Bytes[12]’
may be used uninitialized in this function [-Wuninitialized]
drivers/block/DAC960.c:1175:30: note: ‘CommandMailbox.Bytes[12]’
was declared here
Signed-off-by: Danny Kukawka <danny.kukawka@bisect.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Danny Kukawka [Fri, 2 Mar 2012 09:48:32 +0000 (10:48 +0100)]
drivers/block/DAC960: fix DAC960_V2_IOCTL_Opcode_T -Wenum-compare warning
commit
bca505f1097c725708ddc055cf8055e922b0904b upstream.
Fixed compiler warning:
comparison between ‘DAC960_V2_IOCTL_Opcode_T’ and ‘enum <anonymous>’
Renamed enum, added a new enum for SCSI_10.CommandOpcode in
DAC960_V2_ProcessCompletedCommand().
Signed-off-by: Danny Kukawka <danny.kukawka@bisect.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Miklos Szeredi [Tue, 15 Jan 2013 11:24:46 +0000 (12:24 +0100)]
cuse: fix uninitialized variable warnings
commit
e2560362cc2b39a0567cab510121a7e93dfbe797 upstream.
Fix the following compiler warnings:
fs/fuse/cuse.c: In function 'cuse_process_init_reply':
fs/fuse/cuse.c:288:24: warning: 'val' may be used uninitialized in this function [-Wmaybe-uninitialized]
fs/fuse/cuse.c:272:14: note: 'val' was declared here
fs/fuse/cuse.c:284:10: warning: 'key' may be used uninitialized in this function [-Wmaybe-uninitialized]
fs/fuse/cuse.c:272:8: note: 'key' was declared here
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Mon, 6 Nov 2017 00:47:19 +0000 (00:47 +0000)]
ACPICA: Fix 'may be used uninitialized' warning in acpi_ns_repair_object()
gcc 4.7 warns that new_object may be used uninitialized in this
function. In fact, all the cases where it's not initialised are
errors that will result in returning early without using it.
Silence the warning by initialising to NULL.
This was done upstream as part of commit
d5a36100f62f "ACPICA: Add
mechanism for early object repairs on a per-name basis".
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Simon Que [Thu, 17 Jan 2013 19:18:20 +0000 (11:18 -0800)]
eCryptfs: initialize payload_len in keystore.c
commit
fa5199648e273a5e3e80aca41c1eb53700438dc1 upstream.
This is meant to remove a compiler warning. It should not make any
functional change.
payload_len should be initialized when it is passed to
write_tag_64_packet() as a pointer. If that call fails, this function
should return early, and payload_len won't be used.
Signed-off-by: Simon Que <sque@chromium.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jeff Layton [Mon, 26 Mar 2012 13:55:29 +0000 (09:55 -0400)]
cifs: silence compiler warnings showing up with gcc-4.7.0
commit
b2a3ad9ca502169fc4c11296fa20f56059c7c031 upstream.
gcc-4.7.0 has started throwing these warnings when building cifs.ko.
CC [M] fs/cifs/cifssmb.o
fs/cifs/cifssmb.c: In function ‘CIFSSMBSetCIFSACL’:
fs/cifs/cifssmb.c:3905:9: warning: array subscript is above array bounds [-Warray-bounds]
fs/cifs/cifssmb.c: In function ‘CIFSSMBSetFileInfo’:
fs/cifs/cifssmb.c:5711:8: warning: array subscript is above array bounds [-Warray-bounds]
fs/cifs/cifssmb.c: In function ‘CIFSSMBUnixSetFileInfo’:
fs/cifs/cifssmb.c:6001:25: warning: array subscript is above array bounds [-Warray-bounds]
This patch cleans up the code a bit by using the offsetof macro instead
of the funky "&pSMB->hdr.Protocol" construct.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Mon, 6 Nov 2017 00:34:07 +0000 (00:34 +0000)]
mm/huge_memory: Fix unused label warning
This label is unused since commit
2ea6895123eb8604c1c0c153e2fcd1305fb96aca
"mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for
thp" backport". There's no upstream equivalent of this as the label is
still used there.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Tue, 17 Oct 2017 23:45:49 +0000 (00:45 +0100)]
ALSA: seq: Enable 'use' locking in all configurations
commit
8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream.
The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is
enabled. This might once have been OK in non-preemptible
configurations, but even in that case snd_seq_read() may sleep while
relying on a 'use' lock. So always use the proper implementations.
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alan Stern [Wed, 18 Oct 2017 16:49:38 +0000 (12:49 -0400)]
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
commit
1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.
Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor(). The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.
This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jaejoong Kim [Thu, 28 Sep 2017 10:16:30 +0000 (19:16 +0900)]
HID: usbhid: fix out-of-bounds bug
commit
f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream.
The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause
out-of-bounds.
In addition, if bNumDescriptors of the hid descriptor have an incorrect
value, this can also cause out-of-bounds while approaching hdesc->desc[n].
So check the size of hid descriptor and bNumDescriptors.
BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
Read of size 1 at addr
ffff88006c5f8edf by task kworker/1:2/1261
CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
4.14.0-rc1-42251-gebb2c2437d80 #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x22f/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alan Stern [Fri, 29 Sep 2017 14:54:24 +0000 (10:54 -0400)]
usb: usbtest: fix NULL pointer dereference
commit
7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream.
If the usbtest driver encounters a device with an IN bulk endpoint but
no OUT bulk endpoint, it will try to dereference a NULL pointer
(out->desc.bEndpointAddress). The problem can be solved by adding a
missing test.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Greg Kroah-Hartman [Tue, 19 Sep 2017 13:07:17 +0000 (15:07 +0200)]
USB: fix out-of-bounds in usb_set_configuration
commit
bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream.
Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor. He writes:
It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
descriptor. It's only checked that the size is >= 2 in
usb_parse_configuration(), so find_iad() might do out-of-bounds access
to intf_assoc->bInterfaceCount.
And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem. Yet another issue found by syzkaller...
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Takashi Iwai [Fri, 22 Sep 2017 14:18:53 +0000 (16:18 +0200)]
ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
commit
bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 upstream.
When a USB-audio device receives a maliciously adjusted or corrupted
buffer descriptor, the USB-audio driver may access an out-of-bounce
value at its parser. This was detected by syzkaller, something like:
BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
Read of size 1 at addr
ffff88006b83a9e8 by task kworker/0:1/24
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x22f/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
snd_usb_create_streams sound/usb/card.c:248
usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
This patch adds the checks of out-of-bounce accesses at appropriate
places and bails out when it goes out of the given buffer.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Takashi Iwai [Tue, 10 Oct 2017 12:10:32 +0000 (14:10 +0200)]
ALSA: usb-audio: Kill stray URB at exiting
commit
124751d5e63c823092060074bd0abaae61aaa9c4 upstream.
USB-audio driver may leave a stray URB for the mixer interrupt when it
exits by some error during probe. This leads to a use-after-free
error as spotted by syzkaller like:
==================================================================
BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x23d/0x350 mm/kasan/report.c:409
__asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
__usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
....
Allocated by task 1484:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
kmalloc ./include/linux/slab.h:493
kzalloc ./include/linux/slab.h:666
snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
....
Freed by task 1484:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1390
slab_free_freelist_hook mm/slub.c:1412
slab_free mm/slub.c:2988
kfree+0xf6/0x2f0 mm/slub.c:3919
snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
__snd_device_free+0x1ff/0x380 sound/core/device.c:91
snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
snd_card_do_free sound/core/init.c:461
release_card_device+0x47/0x170 sound/core/init.c:181
device_release+0x13f/0x210 drivers/base/core.c:814
....
Actually such a URB is killed properly at disconnection when the
device gets probed successfully, and what we need is to apply it for
the error-path, too.
In this patch, we apply snd_usb_mixer_disconnect() at releasing.
Also introduce a new flag, disconnected, to struct usb_mixer_interface
for not performing the disconnection procedure twice.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: snd_usb_mixer_disconnect() takes a pointer to
usb_mixer_interface::list, not to usb_mixer_interface itself]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Willem de Bruijn [Tue, 26 Sep 2017 16:19:37 +0000 (12:19 -0400)]
packet: in packet_do_bind, test fanout with bind_lock held
commit
4971613c1639d8e5f102c4e797c3bf8f83a5a69e upstream.
Once a socket has po->fanout set, it remains a member of the group
until it is destroyed. The prot_hook must be constant and identical
across sockets in the group.
If fanout_add races with packet_do_bind between the test of po->fanout
and taking the lock, the bind call may make type or dev inconsistent
with that of the fanout group.
Hold po->bind_lock when testing po->fanout to avoid this race.
I had to introduce artificial delay (local_bh_enable) to actually
observe the race.
Fixes:
dc99f600698d ("packet: Add fanout support.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Willem de Bruijn [Thu, 14 Sep 2017 21:14:41 +0000 (17:14 -0400)]
packet: hold bind lock when rebinding to fanout hook
commit
008ba2a13f2d04c947adc536d19debb8fe66f110 upstream.
Packet socket bind operations must hold the po->bind_lock. This keeps
po->running consistent with whether the socket is actually on a ptype
list to receive packets.
fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then
binds the fanout object to receive through packet_rcv_fanout.
Make it hold the po->bind_lock when testing po->running and rebinding.
Else, it can race with other rebind operations, such as that in
packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates
can result in a socket being added to a fanout group twice, causing
use-after-free KASAN bug reports, among others.
Reported independently by both trinity and syzkaller.
Verified that the syzkaller reproducer passes after this patch.
Fixes:
dc99f600698d ("packet: Add fanout support.")
Reported-by: nixioaming <nixiaoming@huawei.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: use atomic_read() not refcount_read()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Francesco Ruggeri [Thu, 5 Nov 2015 16:16:14 +0000 (08:16 -0800)]
packet: race condition in packet_bind
commit
30f7ea1c2b5f5fb7462c5ae44fe2e40cb2d6a474 upstream.
There is a race conditions between packet_notifier and packet_bind{_spkt}.
It happens if packet_notifier(NETDEV_UNREGISTER) executes between the
time packet_bind{_spkt} takes a reference on the new netdevice and the
time packet_do_bind sets po->ifindex.
In this case the notification can be missed.
If this happens during a dev_change_net_namespace this can result in the
netdevice to be moved to the new namespace while the packet_sock in the
old namespace still holds a reference on it. When the netdevice is later
deleted in the new namespace the deletion hangs since the packet_sock
is not found in the new namespace' &net->packet.sklist.
It can be reproduced with the script below.
This patch makes packet_do_bind check again for the presence of the
netdevice in the packet_sock's namespace after the synchronize_net
in unregister_prot_hook.
More in general it also uses the rcu lock for the duration of the bind
to stop dev_change_net_namespace/rollback_registered_many from
going past the synchronize_net following unlist_netdevice, so that
no NETDEV_UNREGISTER notifications can happen on the new netdevice
while the bind is executing. In order to do this some code from
packet_bind{_spkt} is consolidated into packet_do_dev.
import socket, os, time, sys
proto=7
realDev='em1'
vlanId=400
if len(sys.argv) > 1:
vlanId=int(sys.argv[1])
dev='vlan%d' % vlanId
os.system('taskset -p 0x10 %d' % os.getpid())
s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, proto)
os.system('ip link add link %s name %s type vlan id %d' %
(realDev, dev, vlanId))
os.system('ip netns add dummy')
pid=os.fork()
if pid == 0:
# dev should be moved while packet_do_bind is in synchronize net
os.system('taskset -p 0x20000 %d' % os.getpid())
os.system('ip link set %s netns dummy' % dev)
os.system('ip netns exec dummy ip link del %s' % dev)
s.close()
sys.exit(0)
time.sleep(.004)
try:
s.bind(('%s' % dev, proto+1))
except:
print 'Could not bind socket'
s.close()
os.system('ip netns del dummy')
sys.exit(0)
os.waitpid(pid, 0)
s.close()
os.system('ip netns del dummy')
sys.exit(0)
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2:
- Add the 'dev_curr' variable
- Drop the packet_cached_dev changes
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
David Howells [Thu, 12 Oct 2017 15:00:41 +0000 (16:00 +0100)]
KEYS: don't let add_key() update an uninstantiated key
commit
60ff5b2f547af3828aebafd54daded44cfb0807a upstream.
Currently, when passed a key that already exists, add_key() will call the
key's ->update() method if such exists. But this is heavily broken in the
case where the key is uninstantiated because it doesn't call
__key_instantiate_and_link(). Consequently, it doesn't do most of the
things that are supposed to happen when the key is instantiated, such as
setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
awakening tasks waiting on it, and incrementing key->user->nikeys.
It also never takes key_construction_mutex, which means that
->instantiate() can run concurrently with ->update() on the same key. In
the case of the "user" and "logon" key types this causes a memory leak, at
best. Maybe even worse, the ->update() methods of the "encrypted" and
"trusted" key types actually just dereference a NULL pointer when passed an
uninstantiated key.
Change key_create_or_update() to wait interruptibly for the key to finish
construction before continuing.
This patch only affects *uninstantiated* keys. For now we still allow a
negatively instantiated key to be updated (thereby positively
instantiating it), although that's broken too (the next patch fixes it)
and I'm not sure that anyone actually uses that functionality either.
Here is a simple reproducer for the bug using the "encrypted" key type
(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
pertained to more than just the "encrypted" key type:
#include <stdlib.h>
#include <unistd.h>
#include <keyutils.h>
int main(void)
{
int ringid = keyctl_join_session_keyring(NULL);
if (fork()) {
for (;;) {
const char payload[] = "update user:foo 32";
usleep(rand() % 10000);
add_key("encrypted", "desc", payload, sizeof(payload), ringid);
keyctl_clear(ringid);
}
} else {
for (;;)
request_key("encrypted", "desc", "callout_info", ringid);
}
}
It causes:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000018
IP: encrypted_update+0xb0/0x170
PGD
7a178067 P4D
7a178067 PUD
77269067 PMD 0
PREEMPT SMP
CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task:
ffff8a467a39a340 task.stack:
ffffb15c40770000
RIP: 0010:encrypted_update+0xb0/0x170
RSP: 0018:
ffffb15c40773de8 EFLAGS:
00010246
RAX:
0000000000000000 RBX:
ffff8a467a275b00 RCX:
0000000000000000
RDX:
0000000000000005 RSI:
ffff8a467a275b14 RDI:
ffffffffb742f303
RBP:
ffffb15c40773e20 R08:
0000000000000000 R09:
ffff8a467a275b17
R10:
0000000000000020 R11:
0000000000000000 R12:
0000000000000000
R13:
0000000000000000 R14:
ffff8a4677057180 R15:
ffff8a467a275b0f
FS:
00007f5d7fb08700(0000) GS:
ffff8a467f200000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000018 CR3:
0000000077262005 CR4:
00000000001606f0
Call Trace:
key_create_or_update+0x2bc/0x460
SyS_add_key+0x10c/0x1d0
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f5d7f211259
RSP: 002b:
00007ffed03904c8 EFLAGS:
00000246 ORIG_RAX:
00000000000000f8
RAX:
ffffffffffffffda RBX:
000000003b2a7955 RCX:
00007f5d7f211259
RDX:
00000000004009e4 RSI:
00000000004009ff RDI:
0000000000400a04
RBP:
0000000068db8bad R08:
000000003b2a7955 R09:
0000000000000004
R10:
000000000000001a R11:
0000000000000246 R12:
0000000000400868
R13:
00007ffed03905d0 R14:
0000000000000000 R15:
0000000000000000
Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
RIP: encrypted_update+0xb0/0x170 RSP:
ffffb15c40773de8
CR2:
0000000000000018
Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Biggers <ebiggers@google.com>
[bwh: Backported to 3.2:
- Use the 'error' label to return, not 'error_free_prep'
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Takashi Iwai [Mon, 9 Oct 2017 09:09:20 +0000 (11:09 +0200)]
ALSA: seq: Fix use-after-free at creating a port
commit
71105998845fb012937332fe2e806d443c09e026 upstream.
There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:
BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr
ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
___slab_alloc+0x425/0x460
__slab_alloc+0x20/0x40
kmem_cache_alloc_trace+0x150/0x190
snd_seq_create_port+0x94/0x9b0 [snd_seq]
snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
__slab_free+0x204/0x310
kfree+0x15f/0x180
port_delete+0x136/0x1a0 [snd_seq]
snd_seq_delete_port+0x235/0x350 [snd_seq]
snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
[<
ffffffff81b03781>] dump_stack+0x63/0x82
[<
ffffffff81531b3b>] print_trailer+0xfb/0x160
[<
ffffffff81536db4>] object_err+0x34/0x40
[<
ffffffff815392d3>] kasan_report.part.2+0x223/0x520
[<
ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<
ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
[<
ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<
ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
[<
ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
[<
ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
[<
ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
[<
ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
[<
ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
.....
We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use. Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.
This fix covers CVE-2017-15265.
Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Johannes Berg [Tue, 5 Sep 2017 12:54:54 +0000 (14:54 +0200)]
mac80211: accept key reinstall without changing anything
commit
fdf7cb4185b60c68e1a75e61691c4afdc15dea0e upstream.
When a key is reinstalled we can reset the replay counters
etc. which can lead to nonce reuse and/or replay detection
being impossible, breaking security properties, as described
in the "KRACK attacks".
In particular, CVE-2017-13080 applies to GTK rekeying that
happened in firmware while the host is in D3, with the second
part of the attack being done after the host wakes up. In
this case, the wpa_supplicant mitigation isn't sufficient
since wpa_supplicant doesn't know the GTK material.
In case this happens, simply silently accept the new key
coming from userspace but don't take any action on it since
it's the same key; this keeps the PN replay counters intact.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.2:
- Use __ieee80211_key_free() instead of ieee80211_key_free_unused()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Vitaly Mayatskikh [Fri, 22 Sep 2017 05:18:39 +0000 (01:18 -0400)]
fix unbalanced page refcounting in bio_map_user_iov
commit
95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream.
bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
IO vector has small consecutive buffers belonging to the same page.
bio_add_pc_page merges them into one, but the page reference is never
dropped.
Signed-off-by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ronnie Sahlberg [Mon, 30 Oct 2017 02:28:03 +0000 (13:28 +1100)]
cifs: check MaxPathNameComponentLength != 0 before using it
commit
f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 upstream.
And fix tcon leak in error path.
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
[bwh: Backported to 3.2: cifs_tcon pointer is tcon, and there's no leak to fix]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Oleg Nesterov [Fri, 1 Sep 2017 16:55:33 +0000 (18:55 +0200)]
epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()
commit
138e4ad67afd5c6c318b056b4d17c17f2c0ca5c0 upstream.
The race was introduced by me in commit
971316f0503a ("epoll:
ep_unregister_pollwait() can use the freed pwq->whead"). I did not
realize that nothing can protect eventpoll after ep_poll_callback() sets
->whead = NULL, only whead->lock can save us from the race with
ep_free() or ep_remove().
Move ->whead = NULL to the end of ep_poll_callback() and add the
necessary barriers.
TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
before this patch.
Hopefully this explains use-after-free reported by syzcaller:
BUG: KASAN: use-after-free in debug_spin_lock_before
...
_raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148
this is spin_lock(eventpoll->lock),
...
Freed by task 17774:
...
kfree+0xe8/0x2c0 mm/slub.c:3883
ep_free+0x22c/0x2a0 fs/eventpoll.c:865
Fixes:
971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
Reported-by: 范龙飞 <long7573@126.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2:
- Use smp_mb() and ACCESS_ONCE() instead of smp_{load_acquire,store_release}()
- EPOLLEXCLUSIVE is not supported]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cong Wang [Thu, 31 Aug 2017 14:47:43 +0000 (16:47 +0200)]
wl1251: add a missing spin_lock_init()
commit
f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.
wl1251: add a missing spin_lock_init()
This fixes the following kernel warning:
[ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
[ 5668.771850] lock: 0xce63ef20, .magic:
00000000, .owner: <none>/-1,
.owner_cpu: 0
[ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G W
4.12.0-03002-gec979a4-dirty #40
[ 5668.772796] Hardware name: Nokia RX-51 board
[ 5668.773071] Workqueue: phy1 wl1251_irq_work
[ 5668.773345] [<
c010c9e4>] (unwind_backtrace) from [<
c010a274>]
(show_stack+0x10/0x14)
[ 5668.773803] [<
c010a274>] (show_stack) from [<
c01545a4>]
(do_raw_spin_lock+0x6c/0xa0)
[ 5668.774230] [<
c01545a4>] (do_raw_spin_lock) from [<
c06ca578>]
(_raw_spin_lock_irqsave+0x10/0x18)
[ 5668.774658] [<
c06ca578>] (_raw_spin_lock_irqsave) from [<
c048c010>]
(wl1251_op_tx+0x38/0x5c)
[ 5668.775115] [<
c048c010>] (wl1251_op_tx) from [<
c06a12e8>]
(ieee80211_tx_frags+0x188/0x1c0)
[ 5668.775543] [<
c06a12e8>] (ieee80211_tx_frags) from [<
c06a138c>]
(__ieee80211_tx+0x6c/0x130)
[ 5668.775970] [<
c06a138c>] (__ieee80211_tx) from [<
c06a3dbc>]
(ieee80211_tx+0xdc/0x104)
[ 5668.776367] [<
c06a3dbc>] (ieee80211_tx) from [<
c06a4af0>]
(__ieee80211_subif_start_xmit+0x454/0x8c8)
[ 5668.776824] [<
c06a4af0>] (__ieee80211_subif_start_xmit) from
[<
c06a4f94>] (ieee80211_subif_start_xmit+0x30/0x2fc)
[ 5668.777343] [<
c06a4f94>] (ieee80211_subif_start_xmit) from
[<
c0578848>] (dev_hard_start_xmit+0x80/0x118)
...
by adding the missing spin_lock_init().
Reported-by: Pavel Machek <pavel@ucw.cz>
Cc: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Nikolay Aleksandrov [Wed, 30 Aug 2017 09:49:05 +0000 (12:49 +0300)]
sch_tbf: fix two null pointer dereferences on init failure
commit
c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream.
sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy
callbacks but it may fail before the timer is initialized due to missing
options (either not supplied by user-space or set as a default qdisc),
also q->qdisc is used by ->reset and ->destroy so we need it initialized.
Reproduce:
$ sysctl net.core.default_qdisc=tbf
$ ip l set ethX up
Crash log:
[ 959.160172] BUG: unable to handle kernel NULL pointer dereference at
0000000000000018
[ 959.160323] IP: qdisc_reset+0xa/0x5c
[ 959.160400] PGD
59cdb067
[ 959.160401] P4D
59cdb067
[ 959.160466] PUD
59ccb067
[ 959.160532] PMD 0
[ 959.160597]
[ 959.160706] Oops: 0000 [#1] SMP
[ 959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem
[ 959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62
[ 959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 959.161157] task:
ffff880059c9a700 task.stack:
ffff8800376d0000
[ 959.161263] RIP: 0010:qdisc_reset+0xa/0x5c
[ 959.161347] RSP: 0018:
ffff8800376d3610 EFLAGS:
00010286
[ 959.161531] RAX:
ffffffffa001b1dd RBX:
ffff8800373a2800 RCX:
0000000000000000
[ 959.161733] RDX:
ffffffff8215f160 RSI:
ffffffff8215f160 RDI:
0000000000000000
[ 959.161939] RBP:
ffff8800376d3618 R08:
00000000014080c0 R09:
00000000ffffffff
[ 959.162141] R10:
ffff8800376d3578 R11:
0000000000000020 R12:
ffffffffa001d2c0
[ 959.162343] R13:
ffff880037538000 R14:
00000000ffffffff R15:
0000000000000001
[ 959.162546] FS:
00007fcc5126b740(0000) GS:
ffff88005d900000(0000) knlGS:
0000000000000000
[ 959.162844] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 959.163030] CR2:
0000000000000018 CR3:
000000005abc4000 CR4:
00000000000406e0
[ 959.163233] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 959.163436] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 959.163638] Call Trace:
[ 959.163788] tbf_reset+0x19/0x64 [sch_tbf]
[ 959.163957] qdisc_destroy+0x8b/0xe5
[ 959.164119] qdisc_create_dflt+0x86/0x94
[ 959.164284] ? dev_activate+0x129/0x129
[ 959.164449] attach_one_default_qdisc+0x36/0x63
[ 959.164623] netdev_for_each_tx_queue+0x3d/0x48
[ 959.164795] dev_activate+0x4b/0x129
[ 959.164957] __dev_open+0xe7/0x104
[ 959.165118] __dev_change_flags+0xc6/0x15c
[ 959.165287] dev_change_flags+0x25/0x59
[ 959.165451] do_setlink+0x30c/0xb3f
[ 959.165613] ? check_chain_key+0xb0/0xfd
[ 959.165782] rtnl_newlink+0x3a4/0x729
[ 959.165947] ? rtnl_newlink+0x117/0x729
[ 959.166121] ? ns_capable_common+0xd/0xb1
[ 959.166288] ? ns_capable+0x13/0x15
[ 959.166450] rtnetlink_rcv_msg+0x188/0x197
[ 959.166617] ? rcu_read_unlock+0x3e/0x5f
[ 959.166783] ? rtnl_newlink+0x729/0x729
[ 959.166948] netlink_rcv_skb+0x6c/0xce
[ 959.167113] rtnetlink_rcv+0x23/0x2a
[ 959.167273] netlink_unicast+0x103/0x181
[ 959.167439] netlink_sendmsg+0x326/0x337
[ 959.167607] sock_sendmsg_nosec+0x14/0x3f
[ 959.167772] sock_sendmsg+0x29/0x2e
[ 959.167932] ___sys_sendmsg+0x209/0x28b
[ 959.168098] ? do_raw_spin_unlock+0xcd/0xf8
[ 959.168267] ? _raw_spin_unlock+0x27/0x31
[ 959.168432] ? __handle_mm_fault+0x651/0xdb1
[ 959.168602] ? check_chain_key+0xb0/0xfd
[ 959.168773] __sys_sendmsg+0x45/0x63
[ 959.168934] ? __sys_sendmsg+0x45/0x63
[ 959.169100] SyS_sendmsg+0x19/0x1b
[ 959.169260] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 959.169432] RIP: 0033:0x7fcc5097e690
[ 959.169592] RSP: 002b:
00007ffd0d5c7b48 EFLAGS:
00000246 ORIG_RAX:
000000000000002e
[ 959.169887] RAX:
ffffffffffffffda RBX:
ffffffff810d278c RCX:
00007fcc5097e690
[ 959.170089] RDX:
0000000000000000 RSI:
00007ffd0d5c7b90 RDI:
0000000000000003
[ 959.170292] RBP:
ffff8800376d3f98 R08:
0000000000000001 R09:
0000000000000003
[ 959.170494] R10:
00007ffd0d5c7910 R11:
0000000000000246 R12:
0000000000000006
[ 959.170697] R13:
000000000066f1a0 R14:
00007ffd0d5cfc40 R15:
0000000000000000
[ 959.170900] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24
98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89
e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb
[ 959.171637] RIP: qdisc_reset+0xa/0x5c RSP:
ffff8800376d3610
[ 959.171821] CR2:
0000000000000018
Fixes:
87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes:
0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Nikolay Aleksandrov [Wed, 30 Aug 2017 09:49:03 +0000 (12:49 +0300)]
sch_netem: avoid null pointer deref on init failure
commit
634576a1844dba15bc5e6fc61d72f37e13a21615 upstream.
netem can fail in ->init due to missing options (either not supplied by
user-space or used as a default qdisc) causing a timer->base null
pointer deref in its ->destroy() and ->reset() callbacks.
Reproduce:
$ sysctl net.core.default_qdisc=netem
$ ip l set ethX up
Crash log:
[ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1814.847181] IP: hrtimer_active+0x17/0x8a
[ 1814.847270] PGD
59c34067
[ 1814.847271] P4D
59c34067
[ 1814.847337] PUD
37374067
[ 1814.847403] PMD 0
[ 1814.847468]
[ 1814.847582] Oops: 0000 [#1] SMP
[ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
[ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G O 4.13.0-rc6+ #62
[ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 1814.848043] task:
ffff88003723a700 task.stack:
ffff88005adc8000
[ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
[ 1814.848407] RSP: 0018:
ffff88005adcb590 EFLAGS:
00010246
[ 1814.848590] RAX:
0000000000000000 RBX:
ffff880058e359d8 RCX:
0000000000000000
[ 1814.848793] RDX:
0000000000000000 RSI:
0000000000000000 RDI:
ffff880058e359d8
[ 1814.848998] RBP:
ffff88005adcb5b0 R08:
00000000014080c0 R09:
00000000ffffffff
[ 1814.849204] R10:
ffff88005adcb660 R11:
0000000000000020 R12:
0000000000000000
[ 1814.849410] R13:
ffff880058e359d8 R14:
00000000ffffffff R15:
0000000000000001
[ 1814.849616] FS:
00007f733bbca740(0000) GS:
ffff88005d980000(0000) knlGS:
0000000000000000
[ 1814.849919] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 1814.850107] CR2:
0000000000000000 CR3:
0000000059f0d000 CR4:
00000000000406e0
[ 1814.850313] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 1814.850518] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 1814.850723] Call Trace:
[ 1814.850875] hrtimer_try_to_cancel+0x1a/0x93
[ 1814.851047] hrtimer_cancel+0x15/0x20
[ 1814.851211] qdisc_watchdog_cancel+0x12/0x14
[ 1814.851383] netem_reset+0xe6/0xed [sch_netem]
[ 1814.851561] qdisc_destroy+0x8b/0xe5
[ 1814.851723] qdisc_create_dflt+0x86/0x94
[ 1814.851890] ? dev_activate+0x129/0x129
[ 1814.852057] attach_one_default_qdisc+0x36/0x63
[ 1814.852232] netdev_for_each_tx_queue+0x3d/0x48
[ 1814.852406] dev_activate+0x4b/0x129
[ 1814.852569] __dev_open+0xe7/0x104
[ 1814.852730] __dev_change_flags+0xc6/0x15c
[ 1814.852899] dev_change_flags+0x25/0x59
[ 1814.853064] do_setlink+0x30c/0xb3f
[ 1814.853228] ? check_chain_key+0xb0/0xfd
[ 1814.853396] ? check_chain_key+0xb0/0xfd
[ 1814.853565] rtnl_newlink+0x3a4/0x729
[ 1814.853728] ? rtnl_newlink+0x117/0x729
[ 1814.853905] ? ns_capable_common+0xd/0xb1
[ 1814.854072] ? ns_capable+0x13/0x15
[ 1814.854234] rtnetlink_rcv_msg+0x188/0x197
[ 1814.854404] ? rcu_read_unlock+0x3e/0x5f
[ 1814.854572] ? rtnl_newlink+0x729/0x729
[ 1814.854737] netlink_rcv_skb+0x6c/0xce
[ 1814.854902] rtnetlink_rcv+0x23/0x2a
[ 1814.855064] netlink_unicast+0x103/0x181
[ 1814.855230] netlink_sendmsg+0x326/0x337
[ 1814.855398] sock_sendmsg_nosec+0x14/0x3f
[ 1814.855584] sock_sendmsg+0x29/0x2e
[ 1814.855747] ___sys_sendmsg+0x209/0x28b
[ 1814.855912] ? do_raw_spin_unlock+0xcd/0xf8
[ 1814.856082] ? _raw_spin_unlock+0x27/0x31
[ 1814.856251] ? __handle_mm_fault+0x651/0xdb1
[ 1814.856421] ? check_chain_key+0xb0/0xfd
[ 1814.856592] __sys_sendmsg+0x45/0x63
[ 1814.856755] ? __sys_sendmsg+0x45/0x63
[ 1814.856923] SyS_sendmsg+0x19/0x1b
[ 1814.857083] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 1814.857256] RIP: 0033:0x7f733b2dd690
[ 1814.857419] RSP: 002b:
00007ffe1d3387d8 EFLAGS:
00000246 ORIG_RAX:
000000000000002e
[ 1814.858238] RAX:
ffffffffffffffda RBX:
ffffffff810d278c RCX:
00007f733b2dd690
[ 1814.858445] RDX:
0000000000000000 RSI:
00007ffe1d338820 RDI:
0000000000000003
[ 1814.858651] RBP:
ffff88005adcbf98 R08:
0000000000000001 R09:
0000000000000003
[ 1814.858856] R10:
00007ffe1d3385a0 R11:
0000000000000246 R12:
0000000000000002
[ 1814.859060] R13:
000000000066f1a0 R14:
00007ffe1d3408d0 R15:
0000000000000000
[ 1814.859267] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3
31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b
45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
[ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP:
ffff88005adcb590
[ 1814.860214] CR2:
0000000000000000
Fixes:
87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes:
0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Nikolay Aleksandrov [Wed, 30 Aug 2017 09:49:01 +0000 (12:49 +0300)]
sch_cbq: fix null pointer dereferences on init failure
commit
3501d059921246ff617b43e86250a719c140bd97 upstream.
CBQ can fail on ->init by wrong nl attributes or simply for missing any,
f.e. if it's set as a default qdisc then TCA_OPTIONS (opt) will be NULL
when it is activated. The first thing init does is parse opt but it will
dereference a null pointer if used as a default qdisc, also since init
failure at default qdisc invokes ->reset() which cancels all timers then
we'll also dereference two more null pointers (timer->base) as they were
never initialized.
To reproduce:
$ sysctl net.core.default_qdisc=cbq
$ ip l set ethX up
Crash log of the first null ptr deref:
[44727.907454] BUG: unable to handle kernel NULL pointer dereference at (null)
[44727.907600] IP: cbq_init+0x27/0x205
[44727.907676] PGD
59ff4067
[44727.907677] P4D
59ff4067
[44727.907742] PUD
59c70067
[44727.907807] PMD 0
[44727.907873]
[44727.907982] Oops: 0000 [#1] SMP
[44727.908054] Modules linked in:
[44727.908126] CPU: 1 PID: 21312 Comm: ip Not tainted 4.13.0-rc6+ #60
[44727.908235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[44727.908477] task:
ffff88005ad42700 task.stack:
ffff880037214000
[44727.908672] RIP: 0010:cbq_init+0x27/0x205
[44727.908838] RSP: 0018:
ffff8800372175f0 EFLAGS:
00010286
[44727.909018] RAX:
ffffffff816c3852 RBX:
ffff880058c53800 RCX:
0000000000000000
[44727.909222] RDX:
0000000000000004 RSI:
0000000000000000 RDI:
ffff8800372175f8
[44727.909427] RBP:
ffff880037217650 R08:
ffffffff81b0f380 R09:
0000000000000000
[44727.909631] R10:
ffff880037217660 R11:
0000000000000020 R12:
ffffffff822a44c0
[44727.909835] R13:
ffff880058b92000 R14:
00000000ffffffff R15:
0000000000000001
[44727.910040] FS:
00007ff8bc583740(0000) GS:
ffff88005d880000(0000) knlGS:
0000000000000000
[44727.910339] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[44727.910525] CR2:
0000000000000000 CR3:
00000000371e5000 CR4:
00000000000406e0
[44727.910731] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[44727.910936] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[44727.911141] Call Trace:
[44727.911291] ? lockdep_init_map+0xb6/0x1ba
[44727.911461] ? qdisc_alloc+0x14e/0x187
[44727.911626] qdisc_create_dflt+0x7a/0x94
[44727.911794] ? dev_activate+0x129/0x129
[44727.911959] attach_one_default_qdisc+0x36/0x63
[44727.912132] netdev_for_each_tx_queue+0x3d/0x48
[44727.912305] dev_activate+0x4b/0x129
[44727.912468] __dev_open+0xe7/0x104
[44727.912631] __dev_change_flags+0xc6/0x15c
[44727.912799] dev_change_flags+0x25/0x59
[44727.912966] do_setlink+0x30c/0xb3f
[44727.913129] ? check_chain_key+0xb0/0xfd
[44727.913294] ? check_chain_key+0xb0/0xfd
[44727.913463] rtnl_newlink+0x3a4/0x729
[44727.913626] ? rtnl_newlink+0x117/0x729
[44727.913801] ? ns_capable_common+0xd/0xb1
[44727.913968] ? ns_capable+0x13/0x15
[44727.914131] rtnetlink_rcv_msg+0x188/0x197
[44727.914300] ? rcu_read_unlock+0x3e/0x5f
[44727.914465] ? rtnl_newlink+0x729/0x729
[44727.914630] netlink_rcv_skb+0x6c/0xce
[44727.914796] rtnetlink_rcv+0x23/0x2a
[44727.914956] netlink_unicast+0x103/0x181
[44727.915122] netlink_sendmsg+0x326/0x337
[44727.915291] sock_sendmsg_nosec+0x14/0x3f
[44727.915459] sock_sendmsg+0x29/0x2e
[44727.915619] ___sys_sendmsg+0x209/0x28b
[44727.915784] ? do_raw_spin_unlock+0xcd/0xf8
[44727.915954] ? _raw_spin_unlock+0x27/0x31
[44727.916121] ? __handle_mm_fault+0x651/0xdb1
[44727.916290] ? check_chain_key+0xb0/0xfd
[44727.916461] __sys_sendmsg+0x45/0x63
[44727.916626] ? __sys_sendmsg+0x45/0x63
[44727.916792] SyS_sendmsg+0x19/0x1b
[44727.916950] entry_SYSCALL_64_fastpath+0x23/0xc2
[44727.917125] RIP: 0033:0x7ff8bbc96690
[44727.917286] RSP: 002b:
00007ffc360991e8 EFLAGS:
00000246 ORIG_RAX:
000000000000002e
[44727.917579] RAX:
ffffffffffffffda RBX:
ffffffff810d278c RCX:
00007ff8bbc96690
[44727.917783] RDX:
0000000000000000 RSI:
00007ffc36099230 RDI:
0000000000000003
[44727.917987] RBP:
ffff880037217f98 R08:
0000000000000001 R09:
0000000000000003
[44727.918190] R10:
00007ffc36098fb0 R11:
0000000000000246 R12:
0000000000000006
[44727.918393] R13:
000000000066f1a0 R14:
00007ffc360a12e0 R15:
0000000000000000
[44727.918597] ? trace_hardirqs_off_caller+0xa7/0xcf
[44727.918774] Code: 41 5f 5d c3 66 66 66 66 90 55 48 8d 56 04 45 31 c9
49 c7 c0 80 f3 b0 81 48 89 e5 41 55 41 54 53 48 89 fb 48 8d 7d a8 48 83
ec 48 <0f> b7 0e be 07 00 00 00 83 e9 04 e8 e6 f7 d8 ff 85 c0 0f 88 bb
[44727.919332] RIP: cbq_init+0x27/0x205 RSP:
ffff8800372175f0
[44727.919516] CR2:
0000000000000000
Fixes:
0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2:
- Keep using HRTIMER_MODE_ABS
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Nikolay Aleksandrov [Wed, 30 Aug 2017 09:49:00 +0000 (12:49 +0300)]
sch_hfsc: fix null pointer deref and double free on init failure
commit
3bdac362a2f89ed3e148fa6f38c5f5d858f50b1a upstream.
Depending on where ->init fails we can get a null pointer deref due to
uninitialized hires timer (watchdog) or a double free of the qdisc hash
because it is already freed by ->destroy().
Fixes:
8d5537387505 ("net/sched/hfsc: allocate tcf block for hfsc root class")
Fixes:
87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: sch_hfsc doesn't use a tcf block]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Nikolay Aleksandrov [Wed, 30 Aug 2017 09:48:58 +0000 (12:48 +0300)]
sch_multiq: fix double free on init failure
commit
e89d469e3be3ed3d7124a803211a463ff83d0964 upstream.
The below commit added a call to ->destroy() on init failure, but multiq
still frees ->queues on error in init, but ->queues is also freed by
->destroy() thus we get double free and corrupted memory.
Very easy to reproduce (eth0 not multiqueue):
$ tc qdisc add dev eth0 root multiq
RTNETLINK answers: Operation not supported
$ ip l add dumdum type dummy
(crash)
Trace log:
[ 3929.467747] general protection fault: 0000 [#1] SMP
[ 3929.468083] Modules linked in:
[ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
[ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 3929.469124] task:
ffff88003716a700 task.stack:
ffff88005872c000
[ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
[ 3929.469746] RSP: 0018:
ffff88005872f6a0 EFLAGS:
00010246
[ 3929.470042] RAX:
00000000000002de RBX:
0000000058a59000 RCX:
00000000000002df
[ 3929.470406] RDX:
0000000000000000 RSI:
0000000000000000 RDI:
ffffffff821f7020
[ 3929.470770] RBP:
ffff88005872f6e8 R08:
000000000001f010 R09:
0000000000000000
[ 3929.471133] R10:
ffff88005872f730 R11:
0000000000008cdd R12:
ff006d75646d7564
[ 3929.471496] R13:
00000000014000c0 R14:
ffff88005b403c00 R15:
ffff88005b403c00
[ 3929.471869] FS:
00007f0b70480740(0000) GS:
ffff88005d980000(0000) knlGS:
0000000000000000
[ 3929.472286] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 3929.472677] CR2:
00007ffcee4f3000 CR3:
0000000059d45000 CR4:
00000000000406e0
[ 3929.473209] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 3929.474109] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 3929.474873] Call Trace:
[ 3929.475337] ? kstrdup_const+0x23/0x25
[ 3929.475863] kstrdup+0x2e/0x4b
[ 3929.476338] kstrdup_const+0x23/0x25
[ 3929.478084] __kernfs_new_node+0x28/0xbc
[ 3929.478478] kernfs_new_node+0x35/0x55
[ 3929.478929] kernfs_create_link+0x23/0x76
[ 3929.479478] sysfs_do_create_link_sd.isra.2+0x85/0xd7
[ 3929.480096] sysfs_create_link+0x33/0x35
[ 3929.480649] device_add+0x200/0x589
[ 3929.481184] netdev_register_kobject+0x7c/0x12f
[ 3929.481711] register_netdevice+0x373/0x471
[ 3929.482174] rtnl_newlink+0x614/0x729
[ 3929.482610] ? rtnl_newlink+0x17f/0x729
[ 3929.483080] rtnetlink_rcv_msg+0x188/0x197
[ 3929.483533] ? rcu_read_unlock+0x3e/0x5f
[ 3929.483984] ? rtnl_newlink+0x729/0x729
[ 3929.484420] netlink_rcv_skb+0x6c/0xce
[ 3929.484858] rtnetlink_rcv+0x23/0x2a
[ 3929.485291] netlink_unicast+0x103/0x181
[ 3929.485735] netlink_sendmsg+0x326/0x337
[ 3929.486181] sock_sendmsg_nosec+0x14/0x3f
[ 3929.486614] sock_sendmsg+0x29/0x2e
[ 3929.486973] ___sys_sendmsg+0x209/0x28b
[ 3929.487340] ? do_raw_spin_unlock+0xcd/0xf8
[ 3929.487719] ? _raw_spin_unlock+0x27/0x31
[ 3929.488092] ? __handle_mm_fault+0x651/0xdb1
[ 3929.488471] ? check_chain_key+0xb0/0xfd
[ 3929.488847] __sys_sendmsg+0x45/0x63
[ 3929.489206] ? __sys_sendmsg+0x45/0x63
[ 3929.489576] SyS_sendmsg+0x19/0x1b
[ 3929.489901] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 3929.490172] RIP: 0033:0x7f0b6fb93690
[ 3929.490423] RSP: 002b:
00007ffcee4ed588 EFLAGS:
00000246 ORIG_RAX:
000000000000002e
[ 3929.490881] RAX:
ffffffffffffffda RBX:
ffffffff810d278c RCX:
00007f0b6fb93690
[ 3929.491198] RDX:
0000000000000000 RSI:
00007ffcee4ed5d0 RDI:
0000000000000003
[ 3929.491521] RBP:
ffff88005872ff98 R08:
0000000000000001 R09:
0000000000000000
[ 3929.491801] R10:
00007ffcee4ed350 R11:
0000000000000246 R12:
0000000000000002
[ 3929.492075] R13:
000000000066f1a0 R14:
00007ffcee4f5680 R15:
0000000000000000
[ 3929.492352] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44
89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d
8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
[ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP:
ffff88005872f6a0
Fixes:
87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes:
f07d1501292b ("multiq: Further multiqueue cleanup")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: delete now-unused 'err' variable]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Nikolay Aleksandrov [Wed, 30 Aug 2017 09:48:57 +0000 (12:48 +0300)]
sch_htb: fix crash on init failure
commit
88c2ace69dbef696edba77712882af03879abc9c upstream.
The commit below added a call to the ->destroy() callback for all qdiscs
which failed in their ->init(), but some were not prepared for such
change and can't handle partially initialized qdisc. HTB is one of them
and if any error occurs before the qdisc watchdog timer and qdisc work are
initialized then we can hit either a null ptr deref (timer->base) when
canceling in ->destroy or lockdep error info about trying to register
a non-static key and a stack dump. So to fix these two move the watchdog
timer and workqueue init before anything that can err out.
To reproduce userspace needs to send broken htb qdisc create request,
tested with a modified tc (q_htb.c).
Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD
58fab067
[ 2710.898175] P4D
58fab067
[ 2710.898353] PUD
586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task:
ffff880059ed2700 task.stack:
ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:
ffff88005ad4f960 EFLAGS:
00010246
[ 2710.900684] RAX:
0000000000000000 RBX:
ffff88003701e298 RCX:
0000000000000000
[ 2710.900933] RDX:
0000000000000000 RSI:
0000000000000000 RDI:
ffff88003701e298
[ 2710.901177] RBP:
ffff88005ad4f980 R08:
0000000000000001 R09:
0000000000000001
[ 2710.901419] R10:
ffff88005ad4f800 R11:
0000000000000400 R12:
0000000000000000
[ 2710.901663] R13:
ffff88003701e298 R14:
ffffffff822a4540 R15:
ffff88005ad4fac0
[ 2710.901907] FS:
00007f2f5e90f740(0000) GS:
ffff88005d880000(0000) knlGS:
0000000000000000
[ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 2710.902500] CR2:
0000000000000000 CR3:
0000000058ca3000 CR4:
00000000000406e0
[ 2710.902744] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 2710.902977] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504] hrtimer_cancel+0x15/0x20
[ 2710.903667] qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866] htb_destroy+0x2e/0xf7
[ 2710.904097] qdisc_create+0x377/0x3fd
[ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511] rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682] ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849] ? rtnl_newlink+0x729/0x729
[ 2710.905017] netlink_rcv_skb+0x6c/0xce
[ 2710.905183] rtnetlink_rcv+0x23/0x2a
[ 2710.905345] netlink_unicast+0x103/0x181
[ 2710.905511] netlink_sendmsg+0x326/0x337
[ 2710.905679] sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847] sock_sendmsg+0x29/0x2e
[ 2710.906010] ___sys_sendmsg+0x209/0x28b
[ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346] ? _raw_spin_unlock+0x27/0x31
[ 2710.906514] ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685] ? check_chain_key+0xb0/0xfd
[ 2710.906855] __sys_sendmsg+0x45/0x63
[ 2710.907018] ? __sys_sendmsg+0x45/0x63
[ 2710.907185] SyS_sendmsg+0x19/0x1b
[ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2
Note that probably this bug goes further back because the default qdisc
handling always calls ->destroy on init failure too.
Fixes:
87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes:
0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Eric Dumazet [Fri, 10 Feb 2017 18:31:49 +0000 (10:31 -0800)]
net_sched: fix error recovery at qdisc creation
commit
87b60cfacf9f17cf71933c6e33b66e68160af71d upstream.
Dmitry reported uses after free in qdisc code [1]
The problem here is that ops->init() can return an error.
qdisc_create_dflt() then call ops->destroy(),
while qdisc_create() does _not_ call it.
Four qdisc chose to call their own ops->destroy(), assuming their caller
would not.
This patch makes sure qdisc_create() calls ops->destroy()
and fixes the four qdisc to avoid double free.
[1]
BUG: KASAN: use-after-free in mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 at addr
ffff8801d415d440
Read of size 8 by task syz-executor2/5030
CPU: 0 PID: 5030 Comm: syz-executor2 Not tainted 4.3.5-smp-DEV #119
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000046 ffff8801b435b870 ffffffff81bbbed4 ffff8801db000400
ffff8801d415d440 ffff8801d415dc40 ffff8801c4988510 ffff8801b435b898
ffffffff816682b1 ffff8801b435b928 ffff8801d415d440 ffff8801c49880c0
Call Trace:
[<
ffffffff81bbbed4>] __dump_stack lib/dump_stack.c:15 [inline]
[<
ffffffff81bbbed4>] dump_stack+0x6c/0x98 lib/dump_stack.c:51
[<
ffffffff816682b1>] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
[<
ffffffff81668524>] print_address_description mm/kasan/report.c:196 [inline]
[<
ffffffff81668524>] kasan_report_error+0x1b4/0x4b0 mm/kasan/report.c:285
[<
ffffffff81668953>] kasan_report mm/kasan/report.c:305 [inline]
[<
ffffffff81668953>] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:326
[<
ffffffff82527b02>] mq_destroy+0x242/0x290 net/sched/sch_mq.c:33
[<
ffffffff82524bdd>] qdisc_destroy+0x12d/0x290 net/sched/sch_generic.c:953
[<
ffffffff82524e30>] qdisc_create_dflt+0xf0/0x120 net/sched/sch_generic.c:848
[<
ffffffff8252550d>] attach_default_qdiscs net/sched/sch_generic.c:1029 [inline]
[<
ffffffff8252550d>] dev_activate+0x6ad/0x880 net/sched/sch_generic.c:1064
[<
ffffffff824b1db1>] __dev_open+0x221/0x320 net/core/dev.c:1403
[<
ffffffff824b24ce>] __dev_change_flags+0x15e/0x3e0 net/core/dev.c:6858
[<
ffffffff824b27de>] dev_change_flags+0x8e/0x140 net/core/dev.c:6926
[<
ffffffff824f5bf6>] dev_ifsioc+0x446/0x890 net/core/dev_ioctl.c:260
[<
ffffffff824f61fa>] dev_ioctl+0x1ba/0xb80 net/core/dev_ioctl.c:546
[<
ffffffff82430509>] sock_do_ioctl+0x99/0xb0 net/socket.c:879
[<
ffffffff82430d30>] sock_ioctl+0x2a0/0x390 net/socket.c:958
[<
ffffffff816f3b68>] vfs_ioctl fs/ioctl.c:44 [inline]
[<
ffffffff816f3b68>] do_vfs_ioctl+0x8a8/0xe50 fs/ioctl.c:611
[<
ffffffff816f41a4>] SYSC_ioctl fs/ioctl.c:626 [inline]
[<
ffffffff816f41a4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:617
[<
ffffffff8123e357>] entry_SYSCALL_64_fastpath+0x12/0x17
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2:
- Drop changes to sch_hhf (doesn't exist) and sch_sfq (doesn't have this bug)
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Steve French [Sun, 27 Aug 2017 21:56:08 +0000 (16:56 -0500)]
CIFS: remove endian related sparse warning
commit
6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream.
Recent patch had an endian warning ie
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
Signed-off-by: Steve French <smfrench@gmail.com>
CC: Ronnie Sahlberg <lsahlber@redhat.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Thu, 1 Oct 2015 00:35:55 +0000 (01:35 +0100)]
alpha: uapi: Add support for __SANE_USERSPACE_TYPES__
commit
cec80d82142ab25c71eee24b529cfeaf17c43062 upstream.
This fixes compiler errors in perf such as:
tests/attr.c: In function 'store_event':
tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=]
snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
^
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tested-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Tejun Heo [Mon, 28 Aug 2017 21:51:27 +0000 (14:51 -0700)]
cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
commit
b339752d054fb32863418452dff350a1086885b1 upstream.
When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of
@node. The assumption seems that if !NUMA, there shouldn't be more than
one node and thus reporting cpu_online_mask regardless of @node is
correct. However, that assumption was broken years ago to support
DISCONTIGMEM and whether a system has multiple nodes or not is
separately controlled by NEED_MULTIPLE_NODES.
This means that, on a system with !NUMA && NEED_MULTIPLE_NODES,
cpumask_of_node() will report cpu_online_mask for all possible nodes,
indicating that the CPUs are associated with multiple nodes which is an
impossible configuration.
This bug has been around forever but doesn't look like it has caused any
noticeable symptoms. However, it triggers a WARN recently added to
workqueue to verify NUMA affinity configuration.
Fix it by reporting empty cpumask on non-zero nodes if !NUMA.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Wei Wang [Fri, 25 Aug 2017 22:03:10 +0000 (15:03 -0700)]
ipv6: fix sparse warning on rt6i_node
commit
4e587ea71bf924f7dac621f1351653bd41e446cb upstream.
Commit
c5cff8561d2d adds rcu grace period before freeing fib6_node. This
generates a new sparse warning on rt->rt6i_node related code:
net/ipv6/route.c:1394:30: error: incompatible types in comparison
expression (different address spaces)
./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
expression (different address spaces)
This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
rcu API is used for it.
After this fix, sparse no longer generates the above warning.
Fixes:
c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2:
- fib6_add_rt2node() has only one assignment to update
- Drop changes in rt6_cache_allowed_for_pmtu()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Fri, 25 Aug 2017 14:51:46 +0000 (16:51 +0200)]
l2tp: hold tunnel used while creating sessions with netlink
commit
e702c1204eb57788ef189c839c8c779368267d70 upstream.
Use l2tp_tunnel_get() to retrieve tunnel, so that it can't go away on
us. Otherwise l2tp_tunnel_destruct() might release the last reference
count concurrently, thus freeing the tunnel while we're using it.
Fixes:
309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Tue, 11 Apr 2017 11:12:13 +0000 (13:12 +0200)]
l2tp: remove useless duplicate session detection in l2tp_netlink
commit
af87ae465abdc070de0dc35d6c6a9e7a8cd82987 upstream.
There's no point in checking for duplicate sessions at the beginning of
l2tp_nl_cmd_session_create(); the ->session_create() callbacks already
return -EEXIST when the session already exists.
Furthermore, even if l2tp_session_find() returns NULL, a new session
might be created right after the test. So relying on ->session_create()
to avoid duplicate session is the only sane behaviour.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: also delete the now-unused local variable]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Fri, 25 Aug 2017 14:51:43 +0000 (16:51 +0200)]
l2tp: hold tunnel while handling genl TUNNEL_GET commands
commit
4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.
Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
a reference on the tunnel, preventing l2tp_tunnel_destruct() from
freeing it from under us.
Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
the reference when needed.
Fixes:
309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Fri, 25 Aug 2017 14:51:42 +0000 (16:51 +0200)]
l2tp: hold tunnel while handling genl tunnel updates
commit
8c0e421525c9eb50d68e8f633f703ca31680b746 upstream.
We need to make sure the tunnel is not going to be destroyed by
l2tp_tunnel_destruct() concurrently.
Fixes:
309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Fri, 25 Aug 2017 14:51:42 +0000 (16:51 +0200)]
l2tp: hold tunnel while processing genl delete command
commit
bb0a32ce4389e17e47e198d2cddaf141561581ad upstream.
l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to
prevent it from being concurrently freed by l2tp_tunnel_destruct().
Fixes:
309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Fri, 25 Aug 2017 14:51:40 +0000 (16:51 +0200)]
l2tp: hold tunnel while looking up sessions in l2tp_netlink
commit
54652eb12c1b72e9602d09cb2821d5760939190f upstream.
l2tp_tunnel_find() doesn't take a reference on the returned tunnel.
Therefore, it's unsafe to use it because the returned tunnel can go
away on us anytime.
Fix this by defining l2tp_tunnel_get(), which works like
l2tp_tunnel_find(), but takes a reference on the returned tunnel.
Caller then has to drop this reference using l2tp_tunnel_dec_refcount().
As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's
simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code
has been broken (not even compiling) in May 2012 by
commit
a4ca44fa578c ("net: l2tp: Standardize logging styles")
and fixed more than two years later by
commit
29abe2fda54f ("l2tp: fix missing line continuation"). So it
doesn't appear to be used by anyone.
Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h,
let's just simplify things and call kfree_rcu() directly in
l2tp_tunnel_dec_refcount(). Extra assertions and debugging code
provided by l2tp_tunnel_free() didn't help catching any of the
reference counting and socket handling issues found while working on
this series.
Fixes:
309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: l2tp_tunnel_free() does more than just kfree_rcu(), so
don't remove it]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Wed, 12 Apr 2017 08:05:29 +0000 (10:05 +0200)]
l2tp: define parameters of l2tp_session_get*() as "const"
commit
9aaef50c44f132e040dcd7686c8e78a3390037c5 upstream.
Make l2tp_pernet()'s parameter constant, so that l2tp_session_get*() can
declare their "net" variable as "const".
Also constify "ifname" in l2tp_session_get_by_ifname().
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Guillaume Nault [Fri, 25 Aug 2017 14:22:17 +0000 (16:22 +0200)]
l2tp: initialise session's refcount before making it reachable
commit
9ee369a405c57613d7c83a3967780c3e30c52ecc upstream.
Sessions must be fully initialised before calling
l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame
where partially initialised sessions can be accessed by external users.
Fixes:
dbdbc73b4478 ("l2tp: fix duplicate session creation")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: keep using l2tp_session_inc_refcount()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bart Van Assche [Wed, 9 Aug 2017 18:32:11 +0000 (11:32 -0700)]
dm: fix printk() rate limiting code
commit
604407890ecf624c2fb41013c82b22aade59b455 upstream.
Using the same rate limiting state for different kinds of messages
is wrong because this can cause a high frequency message to suppress
a report of a low frequency message. Hence use a unique rate limiting
state per message type.
Fixes:
71a16736a15e ("dm: use local printk ratelimit")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Joe Perches [Thu, 20 Apr 2017 17:46:07 +0000 (10:46 -0700)]
dm: convert DM printk macros to pr_<level> macros
commit
d2c3c8dcb5987b8352e82089c79a41b6e17e28d2 upstream.
Using pr_<level> is the more common logging style.
Standardize style and use new macro DM_FMT.
Use no_printk in DMDEBUG macros when CONFIG_DM_DEBUG is not #defined.
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mathias Krause [Sat, 26 Aug 2017 15:09:00 +0000 (17:09 +0200)]
xfrm_user: fix info leak in build_aevent()
commit
931e79d7a7ddee4709c56b39de169a36804589a1 upstream.
The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the sa_id before filling it.
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Fixes:
d51d081d6504 ("[IPSEC]: Sync series - user")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mathias Krause [Sat, 26 Aug 2017 15:08:58 +0000 (17:08 +0200)]
xfrm_user: fix info leak in xfrm_notify_sa()
commit
50329c8a340c9dea60d837645fcf13fc36bfb84d upstream.
The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the whole struct before filling
it.
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Fixes:
0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Florian Fainelli [Fri, 25 Aug 2017 01:34:43 +0000 (18:34 -0700)]
r8169: Do not increment tx_dropped in TX ring cleaning
commit
1089650d8837095f63e001bbf14d7b48043d67ad upstream.
rtl8169_tx_clear_range() is responsible for cleaning up the TX ring
during interface shutdown, incrementing tx_dropped for every SKB that we
left at the time in the ring is misleading.
Fixes:
cac4b22f3d6a ("r8169: do not account fragments as packets")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
git.openpandora.org / pandora-kernel.git / log