4 years agodm: fix printk() rate limiting code
Bart Van Assche [Wed, 9 Aug 2017 18:32:11 +0000 (11:32 -0700)]
dm: fix printk() rate limiting code

commit 604407890ecf624c2fb41013c82b22aade59b455 upstream.

Using the same rate limiting state for different kinds of messages
is wrong because this can cause a high frequency message to suppress
a report of a low frequency message. Hence use a unique rate limiting
state per message type.

Fixes: 71a16736a15e ("dm: use local printk ratelimit")
Signed-off-by: Bart Van Assche <>
Signed-off-by: Mike Snitzer <>
Signed-off-by: Ben Hutchings <>
4 years agodm: convert DM printk macros to pr_<level> macros
Joe Perches [Thu, 20 Apr 2017 17:46:07 +0000 (10:46 -0700)]
dm: convert DM printk macros to pr_<level> macros

commit d2c3c8dcb5987b8352e82089c79a41b6e17e28d2 upstream.

Using pr_<level> is the more common logging style.

Standardize style and use new macro DM_FMT.
Use no_printk in DMDEBUG macros when CONFIG_DM_DEBUG is not #defined.

Signed-off-by: Joe Perches <>
Signed-off-by: Mike Snitzer <>
Signed-off-by: Ben Hutchings <>
4 years agoxfrm_user: fix info leak in build_aevent()
Mathias Krause [Sat, 26 Aug 2017 15:09:00 +0000 (17:09 +0200)]
xfrm_user: fix info leak in build_aevent()

commit 931e79d7a7ddee4709c56b39de169a36804589a1 upstream.

The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the sa_id before filling it.

Cc: Jamal Hadi Salim <>
Fixes: d51d081d6504 ("[IPSEC]: Sync series - user")
Signed-off-by: Mathias Krause <>
Signed-off-by: Steffen Klassert <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoxfrm_user: fix info leak in xfrm_notify_sa()
Mathias Krause [Sat, 26 Aug 2017 15:08:58 +0000 (17:08 +0200)]
xfrm_user: fix info leak in xfrm_notify_sa()

commit 50329c8a340c9dea60d837645fcf13fc36bfb84d upstream.

The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the whole struct before filling

Cc: Herbert Xu <>
Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
Signed-off-by: Mathias Krause <>
Signed-off-by: Steffen Klassert <>
Signed-off-by: Ben Hutchings <>
4 years agor8169: Do not increment tx_dropped in TX ring cleaning
Florian Fainelli [Fri, 25 Aug 2017 01:34:43 +0000 (18:34 -0700)]
r8169: Do not increment tx_dropped in TX ring cleaning

commit 1089650d8837095f63e001bbf14d7b48043d67ad upstream.

rtl8169_tx_clear_range() is responsible for cleaning up the TX ring
during interface shutdown, incrementing tx_dropped for every SKB that we
left at the time in the ring is misleading.

Fixes: cac4b22f3d6a ("r8169: do not account fragments as packets")
Signed-off-by: Florian Fainelli <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agoipv6: Fix may be used uninitialized warning in rt6_check
Steffen Klassert [Fri, 25 Aug 2017 07:05:42 +0000 (09:05 +0200)]
ipv6: Fix may be used uninitialized warning in rt6_check

commit 3614364527daa870264f6dde77f02853cdecd02c upstream.

rt_cookie might be used uninitialized, fix this by
initializing it.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Steffen Klassert <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoipv6: add rcu grace period before freeing fib6_node
Wei Wang [Mon, 21 Aug 2017 16:47:10 +0000 (09:47 -0700)]
ipv6: add rcu grace period before freeing fib6_node

commit c5cff8561d2d0006e972bd114afd51f082fee77c upstream.

We currently keep rt->rt6i_node pointing to the fib6_node for the route.
And some functions make use of this pointer to dereference the fib6_node
from rt structure, e.g. rt6_check(). However, as there is neither
refcount nor rcu taken when dereferencing rt->rt6i_node, it could
potentially cause crashes as rt->rt6i_node could be set to NULL by other
CPUs when doing a route deletion.
This patch introduces an rcu grace period before freeing fib6_node and
makes sure the functions that dereference it takes rcu_read_lock().

Note: there is no "Fixes" tag because this bug was there in a very
early stage.

Signed-off-by: Wei Wang <>
Acked-by: Eric Dumazet <>
Acked-by: Martin KaFai Lau <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoipv6: Add rt6_get_cookie() function
Martin KaFai Lau [Sat, 23 May 2015 03:56:01 +0000 (20:56 -0700)]
ipv6: Add rt6_get_cookie() function

commit b197df4f0f3782782e9ea8996e91b65ae33e8dd9 upstream.

Instead of doing the rt6->rt6i_node check whenever we need
to get the route's cookie.  Refactor it into rt6_get_cookie().
It is a prep work to handle FLOWI_FLAG_KNOWN_NH and also
percpu rt6_info later.

Signed-off-by: Martin KaFai Lau <>
Cc: Hannes Frederic Sowa <>
Cc: Steffen Klassert <>
Cc: Julian Anastasov <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2:
 - Drop changes in inet6_sk_rx_dst_set(), sctp_v6_get_dst()
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoPM/hibernate: touch NMI watchdog when creating snapshot
Chen Yu [Fri, 25 Aug 2017 22:55:30 +0000 (15:55 -0700)]
PM/hibernate: touch NMI watchdog when creating snapshot

commit 556b969a1cfe2686aae149137fa1dfcac0eefe54 upstream.

There is a problem that when counting the pages for creating the
hibernation snapshot will take significant amount of time, especially on
system with large memory.  Since the counting job is performed with irq
disabled, this might lead to NMI lockup.  The following warning were
found on a system with 1.5TB DRAM:

  Freezing user space processes ... (elapsed 0.002 seconds) done.
  OOM killer disabled.
  PM: Preallocating image memory...
  NMI watchdog: Watchdog detected hard LOCKUP on cpu 27
  CPU: 27 PID: 3128 Comm: systemd-sleep Not tainted 4.13.0-0.rc2.git0.1.fc27.x86_64 #1
  task: ffff9f01971ac000 task.stack: ffffb1a3f325c000
  RIP: 0010:memory_bm_find_bit+0xf4/0x100
  Call Trace:
  done (allocated 6590003 pages)
  PM: Allocated 26360012 kbytes in 19.89 seconds (1325.28 MB/s)

It has taken nearly 20 seconds(2.10GHz CPU) thus the NMI lockup was
triggered.  In case the timeout of the NMI watch dog has been set to 1
second, a safe interval should be 6590003/20 = 320k pages in theory.
However there might also be some platforms running at a lower frequency,
so feed the watchdog every 100k pages.

[ simplification]
[ use interval of 128k instead of 100k to avoid modulus]
Signed-off-by: Chen Yu <>
Reported-by: Jan Filipcewicz <>
Suggested-by: Michal Hocko <>
Reviewed-by: Michal Hocko <>
Acked-by: Rafael J. Wysocki <>
Cc: Mel Gorman <>
Cc: Vlastimil Babka <>
Cc: Len Brown <>
Cc: Dan Williams <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoperf/core: Fix group {cpu,task} validation
Mark Rutland [Thu, 22 Jun 2017 14:41:38 +0000 (15:41 +0100)]
perf/core: Fix group {cpu,task} validation

commit 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e upstream.

Regardless of which events form a group, it does not make sense for the
events to target different tasks and/or CPUs, as this leaves the group
inconsistent and impossible to schedule. The core perf code assumes that
these are consistent across (successfully intialised) groups.

Core perf code only verifies this when moving SW events into a HW
context. Thus, we can violate this requirement for pure SW groups and
pure HW groups, unless the relevant PMU driver happens to perform this
verification itself. These mismatched groups subsequently wreak havoc

For example, we handle watchpoints as SW events, and reserve watchpoint
HW on a per-CPU basis at pmu::event_init() time to ensure that any event
that is initialised is guaranteed to have a slot at pmu::add() time.
However, the core code only checks the group leader's cpu filter (via
event_filter_match()), and can thus install follower events onto CPUs
violating thier (mismatched) CPU filters, potentially installing them
into a CPU without sufficient reserved slots.

This can be triggered with the below test case, resulting in warnings
from arch backends.

  #define _GNU_SOURCE
  #include <linux/hw_breakpoint.h>
  #include <linux/perf_event.h>
  #include <sched.h>
  #include <stdio.h>
  #include <sys/prctl.h>
  #include <sys/syscall.h>
  #include <unistd.h>

  static int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu,
   int group_fd, unsigned long flags)
return syscall(__NR_perf_event_open, attr, pid, cpu, group_fd, flags);

  char watched_char;

  struct perf_event_attr wp_attr = {
.bp_type = HW_BREAKPOINT_RW,
.bp_addr = (unsigned long)&watched_char,
.bp_len = 1,
.size = sizeof(wp_attr),

  int main(int argc, char *argv[])
int leader, ret;
cpu_set_t cpus;

 * Force use of CPU0 to ensure our CPU0-bound events get scheduled.
CPU_SET(0, &cpus);
ret = sched_setaffinity(0, sizeof(cpus), &cpus);
if (ret) {
printf("Unable to set cpu affinity\n");
return 1;

/* open leader event, bound to this task, CPU0 only */
leader = perf_event_open(&wp_attr, 0, 0, -1, 0);
if (leader < 0) {
printf("Couldn't open leader: %d\n", leader);
return 1;

 * Open a follower event that is bound to the same task, but a
 * different CPU. This means that the group should never be possible to
 * schedule.
ret = perf_event_open(&wp_attr, 0, 1, leader, 0);
if (ret < 0) {
printf("Couldn't open mismatched follower: %d\n", ret);
return 1;
} else {
printf("Opened leader/follower with mismastched CPUs\n");

 * Open as many independent events as we can, all bound to the same
 * task, CPU0 only.
do {
ret = perf_event_open(&wp_attr, 0, 0, -1, 0);
} while (ret >= 0);

 * Force enable/disble all events to trigger the erronoeous
 * installation of the follower event.
printf("Opened all events. Toggling..\n");
for (;;) {
prctl(PR_TASK_PERF_EVENTS_DISABLE, 0, 0, 0, 0);
prctl(PR_TASK_PERF_EVENTS_ENABLE, 0, 0, 0, 0);

return 0;

Fix this by validating this requirement regardless of whether we're
moving events.

Signed-off-by: Mark Rutland <>
Signed-off-by: Peter Zijlstra (Intel) <>
Cc: Alexander Shishkin <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Cc: Zhou Chengming <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
4 years agoperf: Tighten (and fix) the grouping condition
Peter Zijlstra [Fri, 23 Jan 2015 10:19:48 +0000 (11:19 +0100)]
perf: Tighten (and fix) the grouping condition

commit c3c87e770458aa004bd7ed3f29945ff436fd6511 upstream.

The fix from 9fc81d87420d ("perf: Fix events installation during
moving group") was incomplete in that it failed to recognise that
creating a group with events for different CPUs is semantically
broken -- they cannot be co-scheduled.

Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice
as well by me via the perf fuzzer.

Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.

Fixes: 9fc81d87420d ("perf: Fix events installation during moving group")
Signed-off-by: Peter Zijlstra (Intel) <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Jiri Olsa <>
Cc: Linus Torvalds <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
4 years agoqlge: avoid memcpy buffer overflow
Arnd Bergmann [Wed, 23 Aug 2017 13:59:49 +0000 (15:59 +0200)]
qlge: avoid memcpy buffer overflow

commit e58f95831e7468d25eb6e41f234842ecfe6f014f upstream.

gcc-8.0.0 (snapshot) points out that we copy a variable-length string
into a fixed length field using memcpy() with the destination length,
and that ends up copying whatever follows the string:

    inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
  memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);

Changing it to use strncpy() will instead zero-pad the destination,
which seems to be the right thing to do here.

The bug is probably harmless, but it seems like a good idea to address
it in stable kernels as well, if only for the purpose of building with
gcc-8 without warnings.

Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
Signed-off-by: Arnd Bergmann <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agocifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
Ronnie Sahlberg [Wed, 23 Aug 2017 04:48:14 +0000 (14:48 +1000)]
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()

commit d3edede29f74d335f81d95a4588f5f136a9f7dcf upstream.

Add checking for the path component length and verify it is <= the maximum
that the server advertizes via FileFsAttributeInformation.

With this patch cifs.ko will now return ENAMETOOLONG instead of ENOENT
when users to access an overlong path.

To test this, try to cd into a (non-existing) directory on a CIFS share
that has a too long name:
cd /mnt/aaaaaaaaaaaaaaa...

and it now should show a good error message from the shell:
bash: cd: /mnt/aaaaaaaaaaaaaaaa...aaaaaa: File name too long

rh bz 1153996

Signed-off-by: Ronnie Sahlberg <>
Signed-off-by: Steve French <>
[bwh: Backported to 3.2: name checks are done only in cifs_lookup()]
Signed-off-by: Ben Hutchings <>
4 years agoALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
Takashi Iwai [Wed, 23 Aug 2017 07:30:17 +0000 (09:30 +0200)]
ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)

commit bbba6f9d3da357bbabc6fda81e99ff5584500e76 upstream.

Lenovo G50-70 (17aa:3978) with Conexant codec chip requires the
similar workaround for the inverted stereo dmic like other Lenovo

Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
4 years agoipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
Stefano Brivio [Fri, 18 Aug 2017 12:40:53 +0000 (14:40 +0200)]
ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()

commit 3de33e1ba0506723ab25734e098cf280ecc34756 upstream.

A packet length of exactly IPV6_MAXPLEN is allowed, we should
refuse parsing options only if the size is 64KiB or more.

While at it, remove one extra variable and one assignment which
were also introduced by the commit that introduced the size
check. Checking the sum 'offset + len' and only later adding
'len' to 'offset' doesn't provide any advantage over directly
summing to 'offset' and checking it.

Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
Signed-off-by: Stefano Brivio <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoALSA: core: Fix unexpected error at replacing user TLV
Takashi Iwai [Tue, 22 Aug 2017 06:15:13 +0000 (08:15 +0200)]
ALSA: core: Fix unexpected error at replacing user TLV

commit 88c54cdf61f508ebcf8da2d819f5dfc03e954d1d upstream.

When user tries to replace the user-defined control TLV, the kernel
checks the change of its content via memcmp().  The problem is that
the kernel passes the return value from memcmp() as is.  memcmp()
gives a non-zero negative value depending on the comparison result,
and this shall be recognized as an error code.

The patch covers that corner-case, return 1 properly for the changed

Fixes: 8aa9b586e420 ("[ALSA] Control API - more robust TLV implementation")
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
4 years agoInput: trackpoint - add new trackpoint firmware ID
Aaron Ma [Fri, 18 Aug 2017 19:17:21 +0000 (12:17 -0700)]
Input: trackpoint - add new trackpoint firmware ID

commit ec667683c532c93fb41e100e5d61a518971060e2 upstream.

Synaptics add new TP firmware ID: 0x2 and 0x3, for now both lower 2 bits
are indicated as TP. Change the constant to bitwise values.

This makes trackpoint to be recognized on Lenovo Carbon X1 Gen5 instead
of it being identified as "PS/2 Generic Mouse".

Signed-off-by: Aaron Ma <>
Signed-off-by: Dmitry Torokhov <>
Signed-off-by: Ben Hutchings <>
4 years agomm/mempolicy: fix use after free when calling get_mempolicy
zhong jiang [Fri, 18 Aug 2017 22:16:24 +0000 (15:16 -0700)]
mm/mempolicy: fix use after free when calling get_mempolicy

commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.

I hit a use after free issue when executing trinity and repoduced it
with KASAN enabled.  The related call trace is as follows.

  BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
  Read of size 2 by task syz-executor1/798

  INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
  INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
  INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
  INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600

  Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
  Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
  Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5                          kkkkkkk.
  Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb                          ........
  Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
  Memory state around the buggy address:
  ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc

!shared memory policy is not protected against parallel removal by other
thread which is normally protected by the mmap_sem.  do_get_mempolicy,
however, drops the lock midway while we can still access it later.

Early premature up_read is a historical artifact from times when
put_user was called in this path see
but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
layering in the memory policy layer.").  but when we have the the
current mempolicy ref count model.  The issue was introduced

Fix the issue by removing the premature release.

Signed-off-by: zhong jiang <>
Acked-by: Michal Hocko <>
Cc: Minchan Kim <>
Cc: Vlastimil Babka <>
Cc: David Rientjes <>
Cc: Mel Gorman <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
4 years agoALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
Takashi Iwai [Wed, 16 Aug 2017 12:18:37 +0000 (14:18 +0200)]
ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices

commit 0f174b3525a43bd51f9397394763925e0ebe7bc7 upstream.

C-Media devices (at least some models) mute the playback stream when
volumes are set to the minimum value.  But this isn't informed via TLV
and the user-space, typically PulseAudio, gets confused as if it's
still played in a low volume.

This patch adds the new flag, min_mute, to struct usb_mixer_elem_info
for indicating that the mixer element is with the minimum-mute volume.
This flag is set for known C-Media devices in
snd_usb_mixer_fu_apply_quirk() in turn.

Signed-off-by: Takashi Iwai <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoparisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
Thomas Bogendoerfer [Sat, 12 Aug 2017 21:36:47 +0000 (23:36 +0200)]
parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo

commit 4098116039911e8870d84c975e2ec22dab65a909 upstream.

For 64bit kernels the lmmio_space_offset of the host bridge window
isn't set correctly on systems with dino/cujo PCI host bridges.
This leads to not assigned memory bars and failing drivers, which
need to use these bars.

Signed-off-by: Thomas Bogendoerfer <>
Acked-by: Helge Deller <>
Signed-off-by: Helge Deller <>
Signed-off-by: Ben Hutchings <>
4 years agoaudit: Fix use after free in audit_remove_watch_rule()
Jan Kara [Tue, 15 Aug 2017 11:00:36 +0000 (13:00 +0200)]
audit: Fix use after free in audit_remove_watch_rule()

commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream.

audit_remove_watch_rule() drops watch's reference to parent but then
continues to work with it. That is not safe as parent can get freed once
we drop our reference. The following is a trivial reproducer:

mount -o loop image /mnt
touch /mnt/file
auditctl -w /mnt/file -p wax
umount /mnt
auditctl -D
<crash in fsnotify_destroy_mark()>

Grab our own reference in audit_remove_watch_rule() earlier to make sure
mark does not get freed under us.

Reported-by: Tony Jones <>
Signed-off-by: Jan Kara <>
Tested-by: Tony Jones <>
Signed-off-by: Paul Moore <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoaf_key: do not use GFP_KERNEL in atomic contexts
Eric Dumazet [Mon, 14 Aug 2017 17:16:45 +0000 (10:16 -0700)]
af_key: do not use GFP_KERNEL in atomic contexts

commit 36f41f8fc6d8aa9f8c9072d66ff7cf9055f5e69b upstream.

pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].

This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()

[1] : syzkaller reported :

in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
 #0:  (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
 #1:  (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
 #2:  (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
 #2:  (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
 __might_sleep+0x95/0x190 kernel/sched/core.c:5947
 slab_pre_alloc_hook mm/slab.h:416 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
 skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
 pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
 pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
 dump_sp+0x3d6/0x500 net/key/af_key.c:2685
 xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
 pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
 pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
 pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
 pfkey_process+0x606/0x710 net/key/af_key.c:2814
 pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 ___sys_sendmsg+0x755/0x890 net/socket.c:2035
 __sys_sendmsg+0xe5/0x210 net/socket.c:2069
 SYSC_sendmsg net/socket.c:2080 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2076
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000

Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <>
Reported-by: Dmitry Vyukov <>
Cc: David Ahern <>
Acked-by: David Ahern <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoxfs: fix inobt inode allocation search optimization
Omar Sandoval [Fri, 11 Aug 2017 16:00:06 +0000 (09:00 -0700)]
xfs: fix inobt inode allocation search optimization

commit c44245b3d5435f533ca8346ece65918f84c057f9 upstream.

When we try to allocate a free inode by searching the inobt, we try to
find the inode nearest the parent inode by searching chunks both left
and right of the chunk containing the parent. As an optimization, we
cache the leftmost and rightmost records that we previously searched; if
we do another allocation with the same parent inode, we'll pick up the
search where it last left off.

There's a bug in the case where we found a free inode to the left of the
parent's chunk: we need to update the cached left and right records, but
because we already reassigned the right record to point to the left, we
end up assigning the left record to both the cached left and right

This isn't a correctness problem strictly, but it can result in the next
allocation rechecking chunks unnecessarily or allocating inodes further
away from the parent than it needs to. Fix it by swapping the record
pointer after we update the cached left and right records.

Fixes: bd169565993b ("xfs: speed up free inode search")
Signed-off-by: Omar Sandoval <>
Reviewed-by: Christoph Hellwig <>
Reviewed-by: Darrick J. Wong <>
Signed-off-by: Darrick J. Wong <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoIB/uverbs: Fix device cleanup
Yishai Hadas [Tue, 1 Aug 2017 06:41:36 +0000 (09:41 +0300)]
IB/uverbs: Fix device cleanup

commit efdd6f53b10aead0f5cf19a93dd3eb268ac0d991 upstream.

Uverbs device should be cleaned up only when there is no
potential usage of.

As part of ib_uverbs_remove_one which might be triggered upon reset flow
the device reference count is decreased as expected and leave the final
cleanup to the FDs that were opened.

Current code increases reference count upon opening a new command FD and
decreases it upon closing the file. The event FD is opened internally
and rely on the command FD by taking on it a reference count.

In case that the command FD was closed and just later the event FD we
may ensure that the device resources as of srcu are still alive as they
are still in use.

Fixing the above by moving the reference count decreasing to the place
where the command FD is really freed instead of doing that when it was
just closed.

fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications")
Signed-off-by: Yishai Hadas <>
Reviewed-by: Matan Barak <>
Reviewed-by: Jason Gunthorpe <>
Tested-by: Jason Gunthorpe <>
Signed-off-by: Leon Romanovsky <>
Signed-off-by: Doug Ledford <>
Signed-off-by: Ben Hutchings <>
4 years agoRDMA/uverbs: Prevent leak of reserved field
Leon Romanovsky [Tue, 1 Aug 2017 06:41:35 +0000 (09:41 +0300)]
RDMA/uverbs: Prevent leak of reserved field

commit f7a6cb7b38c6845b26aaa8bbdf519ff6e3090831 upstream.

initialize to zero the response structure to prevent
the leakage of "resp.reserved" field.

drivers/infiniband/core/uverbs_cmd.c:1178 ib_uverbs_resize_cq() warn:
check that 'resp.reserved' doesn't leak information

Fixes: 33b9b3ee9709 ("IB: Add userspace support for resizing CQs")
Signed-off-by: Leon Romanovsky <>
Reviewed-by: Dennis Dalessandro <>
Signed-off-by: Doug Ledford <>
Signed-off-by: Ben Hutchings <>
4 years agoocfs2: don't clear SGID when inheriting ACLs
Jan Kara [Wed, 2 Aug 2017 20:32:30 +0000 (13:32 -0700)]
ocfs2: don't clear SGID when inheriting ACLs

commit 19ec8e48582670c021e998b9deb88e39a842ff45 upstream.

When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0').  However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.

Fix the problem by moving posix_acl_update_mode() out of ocfs2_set_acl()
into ocfs2_iop_set_acl().  That way the function will not be called when
inheriting ACLs which is what we want as it prevents SGID bit clearing
and the mode has been properly set by posix_acl_create() anyway.  Also
posix_acl_chmod() that is calling ocfs2_set_acl() takes care of updating
mode itself.

Fixes: 073931017b4 ("posix_acl: Clear SGID bit when setting file permissions")
Signed-off-by: Jan Kara <>
Cc: Mark Fasheh <>
Cc: Joel Becker <>
Cc: Junxiao Bi <>
Cc: Joseph Qi <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: Move the call to posix_acl_update_mode() into
 ocfs2_xattr_set_acl(). Pass NULL as the bh argument to
 ocfs2_acl_set_mode(). Reuse the existing cleanup label.]
Signed-off-by: Ben Hutchings <>
4 years agonet/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support
Inbar Karmy [Tue, 1 Aug 2017 13:43:43 +0000 (16:43 +0300)]
net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support

commit c994f778bb1cca8ebe7a4e528cefec233e93b5cc upstream.

Currently when WoL is supported but disabled, ethtool reports:
"Supports Wake-on: d".
Fix the indication of Wol support, so that the indication
remains "g" all the time if the NIC supports WoL.

As accepted, when NIC supports WoL- ethtool reports:
Supports Wake-on: g
Wake-on: d
when NIC doesn't support WoL- ethtool reports:
        Supports Wake-on: d
        Wake-on: d

Fixes: 14c07b1358ed ("mlx4: Wake on LAN support")
Signed-off-by: Inbar Karmy <>
Signed-off-by: Tariq Toukan <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agogpio: tegra: fix unbalanced chained_irq_enter/exit
Michał Mirosław [Tue, 18 Jul 2017 12:35:45 +0000 (14:35 +0200)]
gpio: tegra: fix unbalanced chained_irq_enter/exit

commit 9e9509e38fbe034782339eb09c915f0b5765ff69 upstream.

When more than one GPIO IRQs are triggered simultaneously,
tegra_gpio_irq_handler() called chained_irq_exit() multiple
times for one chained_irq_enter().

Fixes: 3c92db9ac0ca3eee8e46e2424b6c074e2e394ad9
Signed-off-by: Michał Mirosław <>
[Also changed the variable to a bool]
Signed-off-by: Linus Walleij <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoxtensa: mm/cache: add missing EXPORT_SYMBOLs
Max Filippov [Tue, 1 Aug 2017 18:15:15 +0000 (11:15 -0700)]
xtensa: mm/cache: add missing EXPORT_SYMBOLs

commit bc652eb6a0d5cffaea7dc8e8ad488aab2a1bf1ed upstream.

Functions clear_user_highpage, copy_user_highpage, flush_dcache_page,
local_flush_cache_range and local_flush_cache_page may be used from
modules. Export them.

Signed-off-by: Max Filippov <>
[bwh: Backported to 3.2: drop exports of {clear,copy}_user_highpage()]
Signed-off-by: Ben Hutchings <>
4 years agoxtensa: don't limit csum_partial export by CONFIG_NET
Max Filippov [Tue, 1 Aug 2017 18:02:46 +0000 (11:02 -0700)]
xtensa: don't limit csum_partial export by CONFIG_NET

commit 7f81e55c737a8fa82c71f290945d729a4902f8d2 upstream.

csum_partial and csum_partial_copy_generic are defined unconditionally
and are available even when CONFIG_NET is disabled. They are used not
only by the network drivers, but also by scsi and media.
Don't limit these functions export by CONFIG_NET.

Signed-off-by: Max Filippov <>
Signed-off-by: Ben Hutchings <>
4 years agoxtensa: add missing symbol exports
Max Filippov [Mon, 17 Sep 2012 01:44:56 +0000 (05:44 +0400)]
xtensa: add missing symbol exports

commit d3738f407c8ced4fd17dccf6cce729023c735c73 upstream.

Signed-off-by: Max Filippov <>
Signed-off-by: Chris Zankel <>
[bwh: Backported to 3.2: drop exports of some functions that aren't defined here]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: hcd: Mark secondary HCD as dead if the primary one died
Rafael J. Wysocki [Tue, 25 Jul 2017 21:58:50 +0000 (23:58 +0200)]
USB: hcd: Mark secondary HCD as dead if the primary one died

commit cd5a6a4fdaba150089af2afc220eae0fef74878a upstream.

Make usb_hc_died() clear the HCD_FLAG_RH_RUNNING flag for the shared
HCD and set HCD_FLAG_DEAD for it, in analogy with what is done for
the primary one.

Among other thigs, this prevents check_root_hub_suspended() from
returning -EBUSY for dead HCDs which helps to work around system
suspend issues in some situations.

This actually fixes occasional suspend failures on one of my test

Suggested-by: Alan Stern <>
Signed-off-by: Rafael J. Wysocki <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoxtensa: fix cache aliasing handling code for WT cache
Max Filippov [Sat, 29 Jul 2017 00:42:59 +0000 (17:42 -0700)]
xtensa: fix cache aliasing handling code for WT cache

commit 6d0f581d1768d3eaba15776e7dd1fdfec10cfe36 upstream.

Currently building kernel for xtensa core with aliasing WT cache fails
with the following messages:

  mm/memory.c:2152: undefined reference to `flush_dcache_page'
  mm/memory.c:2332: undefined reference to `local_flush_cache_page'
  mm/memory.c:1919: undefined reference to `local_flush_cache_range'
  mm/memory.c:4179: undefined reference to `copy_to_user_page'
  mm/memory.c:4183: undefined reference to `copy_from_user_page'

This happens because implementation of these functions is only compiled
when data cache is WB, which looks wrong: even when data cache doesn't
need flushing it still needs invalidation. The functions like
__flush_[invalidate_]dcache_* are correctly defined for both WB and WT
caches (and even if they weren't that'd still be ok, just slower).

Fix this by providing the same implementation of the above functions for
both WB and WT cache.

Signed-off-by: Max Filippov <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoARM: pxa: select both FB and FB_W100 for eseries
Arnd Bergmann [Wed, 19 Mar 2014 17:41:37 +0000 (18:41 +0100)]
ARM: pxa: select both FB and FB_W100 for eseries

commit 1d20d8a9fce8f1e2ef00a0f3d068fa18d59ddf8f upstream.

We get a link error trying to access the w100fb_gpio_read/write
functions from the platform when the driver is a loadable module
or not built-in, so the platform already uses 'select' to hard-enable
the driver.

However, that fails if the framebuffer subsystem is disabled

I've considered various ways to fix this properly, but they
all seem like too much work or too risky, so this simply
adds another 'select' to force the subsystem on as well.

Fixes: 82427de2c7c3 ("ARM: pxa: PXA_ESERIES depends on FB_W100.")
Signed-off-by: Arnd Bergmann <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agosctp: fix the check for _sctp_walk_params and _sctp_walk_errors
Xin Long [Wed, 26 Jul 2017 08:24:59 +0000 (16:24 +0800)]
sctp: fix the check for _sctp_walk_params and _sctp_walk_errors

commit 6b84202c946cd3da3a8daa92c682510e9ed80321 upstream.

Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving
_sctp_walk_{params, errors}()") tried to fix the issue that it
may overstep the chunk end for _sctp_walk_{params, errors} with
'chunk_end > offset(length) + sizeof(length)'.

But it introduced a side effect: When processing INIT, it verifies
the chunks with 'param.v == chunk_end' after iterating all params
by sctp_walk_params(). With the check 'chunk_end > offset(length)
+ sizeof(length)', it would return when the last param is not yet
accessed. Because the last param usually is fwdtsn supported param
whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'

This is a badly issue even causing sctp couldn't process 4-shakes.
Client would always get abort when connecting to server, due to
the failure of INIT chunk verification on server.

The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
instead of 'chunk_end < offset(length) + sizeof(length)' for both
_sctp_walk_params and _sctp_walk_errors.

Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
Signed-off-by: Xin Long <>
Acked-by: Neil Horman <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agosctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
Alexander Potapenko [Fri, 14 Jul 2017 16:32:45 +0000 (18:32 +0200)]
sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()

commit b1f5bfc27a19f214006b9b4db7b9126df2dfdf5a upstream.

If the length field of the iterator (|pos.p| or |err|) is past the end
of the chunk, we shouldn't access it.

This bug has been detected by KMSAN. For the following pair of system

  socket(PF_INET6, SOCK_STREAM, 0x84 /* IPPROTO_??? */) = 3
  sendto(3, "A", 1, MSG_OOB, {sa_family=AF_INET6, sin6_port=htons(0),
         inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0,
         sin6_scope_id=0}, 28) = 1

the tool has reported a use of uninitialized memory:

  BUG: KMSAN: use of uninitialized memory in sctp_rcv+0x17b8/0x43b0
  CPU: 1 PID: 2940 Comm: probe Not tainted 4.11.0-rc5+ #2926
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x172/0x1c0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
   __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
   __sctp_rcv_init_lookup net/sctp/input.c:1074
   __sctp_rcv_lookup_harder net/sctp/input.c:1233
   __sctp_rcv_lookup net/sctp/input.c:1255
   sctp_rcv+0x17b8/0x43b0 net/sctp/input.c:170
   sctp6_rcv+0x32/0x70 net/sctp/ipv6.c:984
   ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
   dst_input ./include/net/dst.h:492
   ip6_rcv_finish net/ipv6/ip6_input.c:69
   NF_HOOK ./include/linux/netfilter.h:257
   ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
   __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
   __netif_receive_skb net/core/dev.c:4246
   process_backlog+0x667/0xba0 net/core/dev.c:4866
   napi_poll net/core/dev.c:5268
   net_rx_action+0xc95/0x1590 net/core/dev.c:5333
   __do_softirq+0x485/0x942 kernel/softirq.c:284
   do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
   do_softirq kernel/softirq.c:328
   __local_bh_enable_ip+0x25b/0x290 kernel/softirq.c:181
   local_bh_enable+0x37/0x40 ./include/linux/bottom_half.h:31
   rcu_read_unlock_bh ./include/linux/rcupdate.h:931
   ip6_finish_output2+0x19b2/0x1cf0 net/ipv6/ip6_output.c:124
   ip6_finish_output+0x764/0x970 net/ipv6/ip6_output.c:149
   NF_HOOK_COND ./include/linux/netfilter.h:246
   ip6_output+0x456/0x520 net/ipv6/ip6_output.c:163
   dst_output ./include/net/dst.h:486
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_xmit+0x1841/0x1c00 net/ipv6/ip6_output.c:261
   sctp_v6_xmit+0x3b7/0x470 net/sctp/ipv6.c:225
   sctp_packet_transmit+0x38cb/0x3a20 net/sctp/output.c:632
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
  RIP: 0033:0x401133
  RSP: 002b:00007fff6d99cd38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
  RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401133
  RDX: 0000000000000001 RSI: 0000000000494088 RDI: 0000000000000003
  RBP: 00007fff6d99cd90 R08: 00007fff6d99cd50 R09: 000000000000001c
  R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
  R13: 00000000004063d0 R14: 0000000000406460 R15: 0000000000000000
   save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
   kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
   kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:211
   slab_alloc_node mm/slub.c:2743
   __kmalloc_node_track_caller+0x200/0x360 mm/slub.c:4351
   __kmalloc_reserve net/core/skbuff.c:138
   __alloc_skb+0x26b/0x840 net/core/skbuff.c:231
   alloc_skb ./include/linux/skbuff.h:933
   sctp_packet_transmit+0x31e/0x3a20 net/sctp/output.c:570
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246

Signed-off-by: Alexander Potapenko <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoIB/ipoib: Remove double pointer assigning
Leon Romanovsky [Sat, 15 Jul 2017 13:26:55 +0000 (16:26 +0300)]
IB/ipoib: Remove double pointer assigning

commit 1b355094b308f3377c8f574ce86135ee159c6285 upstream.

There is no need to assign "p" pointer twice.

This patch fixes the following smatch warning:
drivers/infiniband/ulp/ipoib/ipoib_cm.c:517 ipoib_cm_rx_handler() warn:
missing break? reassigning 'p->id'

Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support")
Signed-off-by: Leon Romanovsky <>
Signed-off-by: Ben Hutchings <>
4 years agoIB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp
Alex Vesker [Thu, 13 Jul 2017 08:27:12 +0000 (11:27 +0300)]
IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp

commit 11f74b40359b19f760964e71d04882a6caf530cc upstream.

Don't allow negative values to max_nonsrq_conn_qp. There is no functional
impact on a negative value but it is logicically incorrect.

Fixes: 68e995a29572 ("IPoIB/cm: Add connected mode support for devices without SRQs")
Signed-off-by: Alex Vesker <>
Signed-off-by: Leon Romanovsky <>
Signed-off-by: Ben Hutchings <>
4 years agoperf/core: Fix locking for children siblings group read
Jiri Olsa [Thu, 20 Jul 2017 14:14:55 +0000 (16:14 +0200)]
perf/core: Fix locking for children siblings group read

commit 2aeb1883547626d82c597cce2c99f0b9c62e2425 upstream.

We're missing ctx lock when iterating children siblings
within the perf_read path for group reading. Following
race and crash can happen:

User space doing read syscall on event group leader:

    lock event->ctx->mutex
      lock leader->child_mutex
        list_for_each_entry(sub, &leader->sibling_list, group_entry)

---->   sub might be invalid at this point, because it could
        get removed via perf_event_exit_task_context in T2

Child exiting and cleaning up its events:

    lock ctx->mutex
    list_for_each_entry_safe(child_event, next, &child_ctx->event_list,...
        lock ctx->lock
        unlock ctx->lock

---->   child is removed from sibling_list without any sync
        with T1 path above


Before the child is removed from the leader's child_list,
(and thus is omitted from perf_read_group processing), we
need to ensure that perf_read_group touches child's
siblings under its ctx->lock.

Peter further notes:

| One additional note; this bug got exposed by commit:
|   ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
| which made it possible to actually trigger this code-path.

Tested-by: Andi Kleen <>
Signed-off-by: Jiri Olsa <>
Acked-by: Peter Zijlstra (Intel) <>
Cc: Alexander Shishkin <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Jiri Olsa <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Fixes: ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
Signed-off-by: Ingo Molnar <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoperf/core: Invert perf_read_group() loops
Peter Zijlstra [Fri, 4 Sep 2015 03:07:49 +0000 (20:07 -0700)]
perf/core: Invert perf_read_group() loops

commit fa8c269353d560b7c28119ad7617029f92e40b15 upstream.

In order to enable the use of perf_event_read(.group = true), we need
to invert the sibling-child loop nesting of perf_read_group().

Currently we iterate the child list for each sibling, this precludes
using group reads. Flip things around so we iterate each group for
each child.

Signed-off-by: Peter Zijlstra (Intel) <>
[ Made the patch compile and things. ]
Signed-off-by: Sukadev Bhattiprolu <>
Signed-off-by: Peter Zijlstra (Intel) <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Jiri Olsa <>
Cc: Linus Torvalds <>
Cc: Michael Ellerman <>
Cc: Peter Zijlstra <>
Cc: Stephane Eranian <>
Cc: Thomas Gleixner <>
Cc: Vince Weaver <>
Signed-off-by: Ingo Molnar <>
[bwh: Backported to 3.2 as a dependency of commit 2aeb18835476 ("perf/core: Fix
 locking for children siblings group read"):
 - Keep the function name perf_event_read_group()
 - Keep using perf_event_read_value()]
Signed-off-by: Ben Hutchings <>
4 years agoipv4: initialize fib_trie prior to register_netdev_notifier call.
Mahesh Bandewar [Wed, 19 Jul 2017 22:41:33 +0000 (15:41 -0700)]
ipv4: initialize fib_trie prior to register_netdev_notifier call.

commit 8799a221f5944a7d74516ecf46d58c28ec1d1f75 upstream.

Net stack initialization currently initializes fib-trie after the
first call to netdevice_notifier() call. In fact fib_trie initialization
needs to happen before first rtnl_register(). It does not cause any problem
since there are no devices UP at this moment, but trying to bring 'lo'
UP at initialization would make this assumption wrong and exposes the issue.

Fixes following crash

 Call Trace:
  ? alternate_node_alloc+0x76/0xa0
  ? ipv4_offload_init+0x66/0x66
  ? rest_init+0x80/0x80
 Code: f6 46 23 04 74 86 4c 89 f7 e8 ae 45 01 00 49 89 c7 4d 85 ff 0f 85 7b ff ff ff 31 db eb 08 4c 89 ff e8 16 47 01 00 48 8b 44 24 38 <45> 8b 6e 14 4d 63 76 74 48 89 04 24 0f 1f 44 00 00 48 83 c4 08
 RIP: kmem_cache_alloc+0xcf/0x1c0 RSP: ffff9b1500017c28
 CR2: 0000000000000014

Fixes: 7b1a74fdbb9e ("[NETNS]: Refactor fib initialization so it can handle multiple namespaces.")
Fixes: 7f9b80529b8a ("[IPV4]: fib hash|trie initialization")

Signed-off-by: Mahesh Bandewar <>
Acked-by: "Eric W. Biederman" <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agoRDMA/core: Initialize port_num in qp_attr
Ismail, Mustafa [Fri, 14 Jul 2017 14:41:31 +0000 (09:41 -0500)]
RDMA/core: Initialize port_num in qp_attr

commit a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 upstream.

Initialize the port_num for iWARP in rdma_init_qp_attr.

Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
Reviewed-by: Steve Wise <>
Signed-off-by: Mustafa Ismail <>
Tested-by: Mike Marciniszyn <>
Signed-off-by: Doug Ledford <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoRDMA/uverbs: Fix the check for port number
Ismail, Mustafa [Fri, 14 Jul 2017 14:41:30 +0000 (09:41 -0500)]
RDMA/uverbs: Fix the check for port number

commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream.

The port number is only valid if IB_QP_PORT is set in the mask.
So only check port number if it is valid to prevent modify_qp from
failing due to an invalid port number.

Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
Reviewed-by: Steve Wise <>
Signed-off-by: Mustafa Ismail <>
Tested-by: Mike Marciniszyn <>
Signed-off-by: Doug Ledford <>
[bwh: Backported to 3.2: command structure is cmd not cmd->base]
Signed-off-by: Ben Hutchings <>
4 years agoIB/cxgb3: Fix error codes in iwch_alloc_mr()
Dan Carpenter [Thu, 13 Jul 2017 07:48:00 +0000 (10:48 +0300)]
IB/cxgb3: Fix error codes in iwch_alloc_mr()

commit 9064d6055c14f700aa13f7c72fd3e63d12bee643 upstream.

We accidentally don't set the error code on some error paths.  It means
return ERR_PTR(0) which is NULL and results in a NULL dereference in the

Fixes: 13a239330abd ("RDMA/cxgb3: Don't ignore insert_handle() failures")
Signed-off-by: Dan Carpenter <>
Acked-by: Steve Wise <>
Signed-off-by: Doug Ledford <>
[bwh: Backported to 3.2: drop inapplicable hunk]
Signed-off-by: Ben Hutchings <>
4 years agocxgb4: Fix error codes in c4iw_create_cq()
Dan Carpenter [Thu, 13 Jul 2017 07:47:40 +0000 (10:47 +0300)]
cxgb4: Fix error codes in c4iw_create_cq()

commit 6ebedacbb44602d4dec3348dee5ec31dd9b09521 upstream.

If one of these kmalloc() calls fails then we return ERR_PTR(0) which is
NULL.  It results in a NULL dereference in the callers.

Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
Signed-off-by: Dan Carpenter <>
Acked-by: Steve Wise <>
Signed-off-by: Doug Ledford <>
Signed-off-by: Ben Hutchings <>
4 years agox86/acpi: Prevent out of bound access caused by broken ACPI tables
Seunghun Han [Tue, 18 Jul 2017 11:03:51 +0000 (20:03 +0900)]
x86/acpi: Prevent out of bound access caused by broken ACPI tables

commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream.

The bus_irq argument of mp_override_legacy_irq() is used as the index into
the isa_irq_to_gsi[] array. The bus_irq argument originates from
tables, but is nowhere sanity checked.

That allows broken or malicious ACPI tables to overwrite memory, which
might cause malfunction, panic or arbitrary code execution.

Add a sanity check and emit a warning when that triggers.

[ tglx: Added warning and rewrote changelog ]

Signed-off-by: Seunghun Han <>
Signed-off-by: Thomas Gleixner <>
Cc: "Rafael J. Wysocki" <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
4 years agomount: copy the port field into the cloned nfs_server structure.
Steve Dickson [Thu, 29 Jun 2017 15:48:26 +0000 (11:48 -0400)]
mount: copy the port field into the cloned nfs_server structure.

commit 89a6814d9b665b196aa3a102f96b6dc7e8cb669e upstream.

Doing this copy eliminates the "port=0" entry in
the /proc/mounts entries


Signed-off-by: Steve Dickson <>
Signed-off-by: Anna Schumaker <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agolibata: array underflow in ata_find_dev()
Dan Carpenter [Wed, 19 Jul 2017 10:06:41 +0000 (13:06 +0300)]
libata: array underflow in ata_find_dev()

commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream.

My static checker complains that "devno" can be negative, meaning that
we read before the start of the loop.  I've looked at the code, and I
think the warning is right.  This come from /proc so it's root only or
it would be quite a quite a serious bug.  The call tree looks like this:

proc_scsi_write() <- gets id and channel from simple_strtoul()
-> scsi_add_single_device() <- calls shost->transportt->user_scan()
   -> ata_scsi_user_scan()
      -> ata_find_dev()

Signed-off-by: Dan Carpenter <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Ben Hutchings <>
4 years agousb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL
Yoshihiro Shimoda [Wed, 19 Jul 2017 07:16:54 +0000 (16:16 +0900)]
usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL

commit 59a0879a0e17b2e43ecdc5e3299da85b8410d7ce upstream.

This patch fixes an issue that some registers may be not initialized
after resume if the USBHSF_RUNTIME_PWCTRL is not set. Otherwise,
if a cable is not connected, the driver will not enable INTENB0.VBSE
after resume. And then, the driver cannot detect the VBUS.

Fixes: ca8a282a5373 ("usb: gadget: renesas_usbhs: add suspend/resume support")
Signed-off-by: Yoshihiro Shimoda <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Ben Hutchings <>
4 years agousb: renesas_usbhs: fixup resume method for autonomy mode
Kuninori Morimoto [Mon, 6 Aug 2012 05:44:43 +0000 (22:44 -0700)]
usb: renesas_usbhs: fixup resume method for autonomy mode

commit 5b50d3b52601651ef3183cfb33d03cf486180e48 upstream.

If renesas_usbhs is probed as autonomy mode,
phy reset should be called after power resumed,
and manual cold-plug should be called with slight delay.

Signed-off-by: Kuninori Morimoto <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agousb: storage: return on error to avoid a null pointer dereference
Colin Ian King [Thu, 6 Jul 2017 15:06:32 +0000 (16:06 +0100)]
usb: storage: return on error to avoid a null pointer dereference

commit 446230f52a5bef593554510302465eabab45a372 upstream.

When us->extra is null the driver is not initialized, however, a
later call to osd200_scsi_to_ata is made that dereferences
us->extra, causing a null pointer dereference.  The code
currently detects and reports that the driver is not initialized;
add a return to avoid the subsequent dereference issue in this

Thanks to Alan Stern for pointing out that srb->result needs setting
to DID_ERROR << 16

Detected by CoverityScan, CID#100308 ("Dereference after null check")

Signed-off-by: Colin Ian King <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: cdc-acm: add device-id for quirky printer
Johan Hovold [Wed, 12 Jul 2017 13:08:39 +0000 (15:08 +0200)]
USB: cdc-acm: add device-id for quirky printer

commit fe855789d605590e57f9cd968d85ecce46f5c3fd upstream.

Add device-id entry for DATECS FP-2000 fiscal printer needing the

Reported-by: Anton Avramov <>
Signed-off-by: Johan Hovold <>
Acked-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: cp210x: add support for Qivicon USB ZigBee dongle
Stefan Triller [Fri, 30 Jun 2017 12:44:03 +0000 (14:44 +0200)]
USB: serial: cp210x: add support for Qivicon USB ZigBee dongle

commit 9585e340db9f6cc1c0928d82c3a23cc4460f0a3f upstream.

The German Telekom offers a ZigBee USB Stick under the brand name Qivicon
for their SmartHome Home Base in its 1. Generation. The productId is not
known by the according kernel module, this patch adds support for it.

Signed-off-by: Stefan Triller <>
Reviewed-by: Frans Klaver <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agostaging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
Arnd Bergmann [Fri, 14 Jul 2017 09:31:03 +0000 (11:31 +0200)]
staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read

commit 105967ad68d2eb1a041bc041f9cf96af2a653b65 upstream.

gcc-7 points out an older regression:

drivers/staging/iio/resolver/ad2s1210.c: In function 'ad2s1210_read_raw':
drivers/staging/iio/resolver/ad2s1210.c:515:42: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]

The original code had 'unsigned short' here, but incorrectly got
converted to 'bool'. This reverts the regression and uses a normal
type instead.

Fixes: 29148543c521 ("staging:iio:resolver:ad2s1210 minimal chan spec conversion.")
Signed-off-by: Arnd Bergmann <>
Signed-off-by: Jonathan Cameron <>
Signed-off-by: Ben Hutchings <>
4 years agoiio: light: tsl2563: use correct event code
Akinobu Mita [Tue, 20 Jun 2017 16:46:37 +0000 (01:46 +0900)]
iio: light: tsl2563: use correct event code

commit a3507e48d3f99a93a3056a34a5365f310434570f upstream.

The TSL2563 driver provides three iio channels, two of which are raw ADC
channels (channel 0 and channel 1) in the device and the remaining one
is calculated by the two.  The ADC channel 0 only supports programmable
interrupt with threshold settings and this driver supports the event but
the generated event code does not contain the corresponding iio channel

This is going to change userspace ABI.  Hopefully fixing this to be
what it should always have been won't break any userspace code.

Cc: Jonathan Cameron <>
Signed-off-by: Akinobu Mita <>
Signed-off-by: Jonathan Cameron <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agofuse: initialize the flock flag in fuse_file on allocation
Mateusz Jurczyk [Wed, 7 Jun 2017 10:26:49 +0000 (12:26 +0200)]
fuse: initialize the flock flag in fuse_file on allocation

commit 68227c03cba84a24faf8a7277d2b1a03c8959c2c upstream.

Before the patch, the flock flag could remain uninitialized for the
lifespan of the fuse_file allocation. Unless set to true in
fuse_file_flock(), it would remain in an indeterminate state until read in
an if statement in fuse_release_common(). This could consequently lead to
taking an unexpected branch in the code.

The bug was discovered by a runtime instrumentation designed to detect use
of uninitialized memory in the kernel.

Signed-off-by: Mateusz Jurczyk <>
Fixes: 37fb3a30b462 ("fuse: fix flock")
Signed-off-by: Miklos Szeredi <>
Signed-off-by: Ben Hutchings <>
4 years agoLinux 3.2.94
Ben Hutchings [Thu, 12 Oct 2017 14:27:23 +0000 (15:27 +0100)]
Linux 3.2.94

4 years agocpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags
Zefan Li [Thu, 25 Sep 2014 01:41:02 +0000 (09:41 +0800)]
cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags

commit 2ad654bc5e2b211e92f66da1d819e47d79a866f0 upstream.

When we change cpuset.memory_spread_{page,slab}, cpuset will flip
PF_SPREAD_{PAGE,SLAB} bit of tsk->flags for each task in that cpuset.
This should be done using atomic bitops, but currently we don't,
which is broken.

Tetsuo reported a hard-to-reproduce kernel crash on RHEL6, which happened
when one thread tried to clear PF_USED_MATH while at the same time another
thread tried to flip PF_SPREAD_PAGE/PF_SPREAD_SLAB. They both operate on
the same task.

Here's the full report:

To fix this, we make PF_SPREAD_PAGE and PF_SPREAD_SLAB atomic flags.

- updated mm/slab.c. (Fengguang Wu)
- updated Documentation.

Cc: Peter Zijlstra <>
Cc: Ingo Molnar <>
Cc: Miao Xie <>
Cc: Kees Cook <>
Fixes: 950592f7b991 ("cpusets: update tasks' page/slab spread flags in time")
Reported-by: Tetsuo Handa <>
Signed-off-by: Zefan Li <>
Signed-off-by: Tejun Heo <>
[lizf: Backported to 3.4:
 - adjust context
 - check current->flags & PF_MEMPOLICY rather than current->mempolicy]
Signed-off-by: Ben Hutchings <>
4 years agosched: add macros to define bitops for task atomic flags
Zefan Li [Thu, 25 Sep 2014 01:40:40 +0000 (09:40 +0800)]
sched: add macros to define bitops for task atomic flags

commit e0e5070b20e01f0321f97db4e4e174f3f6b49e50 upstream.

This will simplify code when we add new flags.

- Kees pointed out that no_new_privs should never be cleared, so we
shouldn't define task_clear_no_new_privs(). we define 3 macros instead
of a single one.

- updated scripts/, suggested by Peter

Cc: Ingo Molnar <>
Cc: Miao Xie <>
Cc: Tetsuo Handa <>
Acked-by: Peter Zijlstra (Intel) <>
Acked-by: Kees Cook <>
Signed-off-by: Zefan Li <>
Signed-off-by: Tejun Heo <>
[lizf: Backported to 3.4:
 - adjust context
 - remove no_new_priv code
 - add atomic_flags to struct task_struct]
[bwh: Backported to 3.2:
 - Drop changes in scripts/
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agonet sched filters: fix notification of filter delete with proper handle
Jamal Hadi Salim [Tue, 25 Oct 2016 00:18:27 +0000 (20:18 -0400)]
net sched filters: fix notification of filter delete with proper handle

[ Upstream commit 9ee7837449b3d6f0fcf9132c6b5e5aaa58cc67d4 ]

Daniel says:

While trying out [1][2], I noticed that tc monitor doesn't show the
correct handle on delete:

$ tc monitor
qdisc clsact ffff: dev eno1 parent ffff:fff1
filter dev eno1 ingress protocol all pref 49152 bpf handle 0x2a [...]
deleted filter dev eno1 ingress protocol all pref 49152 bpf handle 0xf3be0c80

some context to explain the above:
The user identity of any tc filter is represented by a 32-bit
identifier encoded in tcm->tcm_handle. Example 0x2a in the bpf filter
above. A user wishing to delete, get or even modify a specific filter
uses this handle to reference it.
Every classifier is free to provide its own semantics for the 32 bit handle.
Example: classifiers like u32 use schemes like 800:1:801 to describe
the semantics of their filters represented as hash table, bucket and
node ids etc.
Classifiers also have internal per-filter representation which is different
from this externally visible identity. Most classifiers set this
internal representation to be a pointer address (which allows fast retrieval
of said filters in their implementations). This internal representation
is referenced with the "fh" variable in the kernel control code.

When a user successfuly deletes a specific filter, by specifying the correct
tcm->tcm_handle, an event is generated to user space which indicates
which specific filter was deleted.

Before this patch, the "fh" value was sent to user space as the identity.
As an example what is shown in the sample bpf filter delete event above
is 0xf3be0c80. This is infact a 32-bit truncation of 0xffff8807f3be0c80
which happens to be a 64-bit memory address of the internal filter
representation (address of the corresponding filter's struct cls_bpf_prog);

After this patch the appropriate user identifiable handle as encoded
in the originating request tcm->tcm_handle is generated in the event.
One of the cardinal rules of netlink rules is to be able to take an
event (such as a delete in this case) and reflect it back to the
kernel and successfully delete the filter. This patch achieves that.

Note, this issue has existed since the original TC action
infrastructure code patch back in 2004 as found in:


Fixes: 4e54c4816bfe ("[NET]: Add tc extensions infrastructure.")
Reported-by: Daniel Borkmann <>
Acked-by: Cong Wang <>
Signed-off-by: Jamal Hadi Salim <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agom32r: add io*_rep helpers
Sudip Mukherjee [Tue, 29 Dec 2015 22:54:19 +0000 (14:54 -0800)]
m32r: add io*_rep helpers

commit 92a8ed4c7643809123ef0a65424569eaacc5c6b0 upstream.

m32r allmodconfig was failing with the error:

  error: implicit declaration of function 'read'

On checking io.h it turned out that 'read' is not defined but 'readb' is
defined and 'ioread8' will then obviously mean 'readb'.

At the same time some of the helper functions ioreadN_rep() and
iowriteN_rep() were missing which also led to the build failure.

Signed-off-by: Sudip Mukherjee <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
4 years agom32r: add definition of ioremap_wc to io.h
Abhilash Kesavan [Fri, 6 Feb 2015 13:45:26 +0000 (19:15 +0530)]
m32r: add definition of ioremap_wc to io.h

commit 71a49d16f06de2ccdf52ca247d496a2bb1ca36fe upstream.

Before adding a resource managed ioremap_wc function, we need
to have ioremap_wc defined for m32r to prevent build errors.

Signed-off-by: Abhilash Kesavan <>
Acked-by: Catalin Marinas <>
Signed-off-by: Greg Kroah-Hartman <>
Cc: Sudip Mukherjee <>
Signed-off-by: Ben Hutchings <>
4 years agoperf/x86: Check if user fp is valid
Arun Sharma [Fri, 20 Apr 2012 22:41:35 +0000 (15:41 -0700)]
perf/x86: Check if user fp is valid

commit bc6ca7b342d5ae15c3ba3081fd40271b8039fb25 upstream.

Signed-off-by: Arun Sharma <>
Cc: Linus Torvalds <>
Signed-off-by: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
[bwh: Backported to 3.2: also add user_addr_max() macro]
Cc: Jann Horn <>
Signed-off-by: Ben Hutchings <>
4 years agoMIPS: Refactor 'clear_page' and 'copy_page' functions.
Steven J. Hill [Fri, 6 Jul 2012 19:56:01 +0000 (21:56 +0200)]
MIPS: Refactor 'clear_page' and 'copy_page' functions.

commit c022630633624a75b3b58f43dd3c6cc896a56cff upstream.

Remove usage of the '__attribute__((alias("...")))' hack that aliased
to integer arrays containing micro-assembled instructions. This hack
breaks when building a microMIPS kernel. It also makes the code much
easier to understand.

[ Added back export of the clear_page and copy_page
symbols so certain modules will work again.  Also fixed build with

Signed-off-by: Steven J. Hill <>
Acked-by: David Daney <>
Signed-off-by: Ralf Baechle <>
[bwh: Backported to 3.2: adjust context]
Cc: Guenter Roeck <>
Signed-off-by: Ben Hutchings <>
4 years agonetfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get
Andrey Vagin [Wed, 29 Jan 2014 18:34:14 +0000 (19:34 +0100)]
netfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get

commit c6825c0976fa7893692e0e43b09740b419b23c09 upstream.

Lets look at destroy_conntrack:

kmem_cache_free(net->ct.nf_conntrack_cachep, ct);

net->ct.nf_conntrack_cachep is created with SLAB_DESTROY_BY_RCU.

The hash is protected by rcu, so readers look up conntracks without
A conntrack is removed from the hash, but in this moment a few readers
still can use the conntrack. Then this conntrack is released and another
thread creates conntrack with the same address and the equal tuple.
After this a reader starts to validate the conntrack:
* It's not dying, because a new conntrack was created
* nf_ct_tuple_equal() returns true.

But this conntrack is not initialized yet, so it can not be used by two
threads concurrently. In this case BUG_ON may be triggered from

Florian Westphal suggested to check the confirm bit too. I think it's

task 1 task 2 task 3
 if (nf_ct_is_dying(ct))
 if (!nf_ct_tuple_equal()

I'm not sure, that I have ever seen this race condition in a real life.
Currently we are investigating a bug, which is reproduced on a few nodes.
In our case one conntrack is initialized from a few tasks concurrently,
we don't have any other explanation for this.

<2>[46267.083061] kernel BUG at net/ipv4/netfilter/nf_nat_core.c:322!
<4>[46267.083951] RIP: 0010:[<ffffffffa01e00a4>]  [<ffffffffa01e00a4>] nf_nat_setup_info+0x564/0x590 [nf_nat]
<4>[46267.085549] Call Trace:
<4>[46267.085622]  [<ffffffffa023421b>] alloc_null_binding+0x5b/0xa0 [iptable_nat]
<4>[46267.085697]  [<ffffffffa02342bc>] nf_nat_rule_find+0x5c/0x80 [iptable_nat]
<4>[46267.085770]  [<ffffffffa0234521>] nf_nat_fn+0x111/0x260 [iptable_nat]
<4>[46267.085843]  [<ffffffffa0234798>] nf_nat_out+0x48/0xd0 [iptable_nat]
<4>[46267.085919]  [<ffffffff814841b9>] nf_iterate+0x69/0xb0
<4>[46267.085991]  [<ffffffff81494e70>] ? ip_finish_output+0x0/0x2f0
<4>[46267.086063]  [<ffffffff81484374>] nf_hook_slow+0x74/0x110
<4>[46267.086133]  [<ffffffff81494e70>] ? ip_finish_output+0x0/0x2f0
<4>[46267.086207]  [<ffffffff814b5890>] ? dst_output+0x0/0x20
<4>[46267.086277]  [<ffffffff81495204>] ip_output+0xa4/0xc0
<4>[46267.086346]  [<ffffffff814b65a4>] raw_sendmsg+0x8b4/0x910
<4>[46267.086419]  [<ffffffff814c10fa>] inet_sendmsg+0x4a/0xb0
<4>[46267.086491]  [<ffffffff814459aa>] ? sock_update_classid+0x3a/0x50
<4>[46267.086562]  [<ffffffff81444d67>] sock_sendmsg+0x117/0x140
<4>[46267.086638]  [<ffffffff8151997b>] ? _spin_unlock_bh+0x1b/0x20
<4>[46267.086712]  [<ffffffff8109d370>] ? autoremove_wake_function+0x0/0x40
<4>[46267.086785]  [<ffffffff81495e80>] ? do_ip_setsockopt+0x90/0xd80
<4>[46267.086858]  [<ffffffff8100be0e>] ? call_function_interrupt+0xe/0x20
<4>[46267.086936]  [<ffffffff8118cb10>] ? ub_slab_ptr+0x20/0x90
<4>[46267.087006]  [<ffffffff8118cb10>] ? ub_slab_ptr+0x20/0x90
<4>[46267.087081]  [<ffffffff8118f2e8>] ? kmem_cache_alloc+0xd8/0x1e0
<4>[46267.087151]  [<ffffffff81445599>] sys_sendto+0x139/0x190
<4>[46267.087229]  [<ffffffff81448c0d>] ? sock_setsockopt+0x16d/0x6f0
<4>[46267.087303]  [<ffffffff810efa47>] ? audit_syscall_entry+0x1d7/0x200
<4>[46267.087378]  [<ffffffff810ef795>] ? __audit_syscall_exit+0x265/0x290
<4>[46267.087454]  [<ffffffff81474885>] ? compat_sys_setsockopt+0x75/0x210
<4>[46267.087531]  [<ffffffff81474b5f>] compat_sys_socketcall+0x13f/0x210
<4>[46267.087607]  [<ffffffff8104dea3>] ia32_sysret+0x0/0x5
<4>[46267.087676] Code: 91 20 e2 01 75 29 48 89 de 4c 89 f7 e8 56 fa ff ff 85 c0 0f 84 68 fc ff ff 0f b6 4d c6 41 8b 45 00 e9 4d fb ff ff e8 7c 19 e9 e0 <0f> 0b eb fe f6 05 17 91 20 e2 80 74 ce 80 3d 5f 2e 00 00 00 74
<1>[46267.088023] RIP  [<ffffffffa01e00a4>] nf_nat_setup_info+0x564/0x590

Cc: Eric Dumazet <>
Cc: Florian Westphal <>
Cc: Pablo Neira Ayuso <>
Cc: Patrick McHardy <>
Cc: Jozsef Kadlecsik <>
Cc: "David S. Miller" <>
Cc: Cyrill Gorcunov <>
Signed-off-by: Andrey Vagin <>
Acked-by: Eric Dumazet <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Ben Hutchings <>
4 years agol2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
Paul Hüber [Sun, 26 Feb 2017 16:58:19 +0000 (17:58 +0100)]
l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv

commit 51fb60eb162ab84c5edf2ae9c63cf0b878e5547e upstream.

l2tp_ip_backlog_recv may not return -1 if the packet gets dropped.
The return value is passed up to ip_local_deliver_finish, which treats
negative values as an IP protocol number for resubmission.

Signed-off-by: Paul Hüber <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agoBluetooth: Properly check L2CAP config option output buffer length
Ben Seri [Sat, 9 Sep 2017 21:15:59 +0000 (23:15 +0200)]
Bluetooth: Properly check L2CAP config option output buffer length

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri <>
Signed-off-by: Marcel Holtmann <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2:
 - Drop changes to handling of L2CAP_CONF_EFS, L2CAP_CONF_EWS
 - Drop changes to l2cap_do_create(), l2cap_security_cfm(), and L2CAP_CONF_PENDING
   case in l2cap_config_rsp()
 - In l2cap_config_rsp(), s/buf/req/
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoscsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
Xin Long [Sun, 27 Aug 2017 12:25:26 +0000 (20:25 +0800)]
scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly

commit c88f0e6b06f4092995688211a631bb436125d77b upstream.

ChunYu found a kernel crash by syzkaller:

[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  651.618731] general protection fault: 0000 [#1] SMP KASAN
[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[  651.627260] Call Trace:
[  651.629156]  skb_release_all+0x4f/0x60
[  651.629450]  consume_skb+0x1a5/0x600
[  651.630705]  netlink_unicast+0x505/0x720
[  651.632345]  netlink_sendmsg+0xab2/0xe70
[  651.633704]  sock_sendmsg+0xcf/0x110
[  651.633942]  ___sys_sendmsg+0x833/0x980
[  651.637117]  __sys_sendmsg+0xf3/0x240
[  651.638820]  SyS_sendmsg+0x32/0x50
[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2

It's caused by skb_shared_info at the end of sk_buff was overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.

During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.

This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over accessing sk_buff.

Reported-by: ChunYu Wang <>
Signed-off-by: Xin Long <>
Acked-by: Chris Leech <>
Signed-off-by: Martin K. Petersen <>
Signed-off-by: Ben Hutchings <>
4 years agoxfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
Richard Wareing [Tue, 12 Sep 2017 23:09:35 +0000 (09:09 +1000)]
xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present

commit b31ff3cdf540110da4572e3e29bd172087af65cc upstream.

If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
a directory in a filesystem that does not have a realtime device and
create a new file in that directory, it gets marked as a real time file.
When data is written and a fsync is issued, the filesystem attempts to
flush a non-existent rt device during the fsync process.

This results in a crash dereferencing a null buftarg pointer in

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  IP: xfs_blkdev_issue_flush+0xd/0x20
  Call Trace:

Setting RT inode flags does not require special privileges so any
unprivileged user can cause this oops to occur.  To reproduce, confirm
kernel is compiled with CONFIG_XFS_RT=y and run:

  # mkfs.xfs -f /dev/pmem0
  # mount /dev/pmem0 /mnt/test
  # mkdir /mnt/test/foo
  # xfs_io -c 'chattr +t' /mnt/test/foo
  # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar

Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.

Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.

Fixes: f538d4da8d52 ("[XFS] write barrier support")
Signed-off-by: Richard Wareing <>
Signed-off-by: Dave Chinner <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agovideo: fbdev: aty: do not leak uninitialized padding in clk to userspace
Vladis Dronov [Mon, 4 Sep 2017 14:00:50 +0000 (16:00 +0200)]
video: fbdev: aty: do not leak uninitialized padding in clk to userspace

commit 8e75f7a7a00461ef6d91797a60b606367f6e344d upstream.

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field unitialized, leaking data from the stack. Fix this ensuring all of
'clk' is initialized to zero.

Reported-by: sohu0106 <>
Signed-off-by: Vladis Dronov <>
Signed-off-by: Bartlomiej Zolnierkiewicz <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agokvm: nVMX: Don't allow L2 to access the hardware CR8
Jim Mattson [Tue, 12 Sep 2017 20:02:54 +0000 (13:02 -0700)]
kvm: nVMX: Don't allow L2 to access the hardware CR8

commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f upstream.

If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.

This fixes CVE-2017-12154.

Signed-off-by: Jim Mattson <>
Reviewed-by: David Hildenbrand <>
Signed-off-by: Paolo Bonzini <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agonl80211: check for the required netlink attributes presence
Vladis Dronov [Tue, 12 Sep 2017 22:21:21 +0000 (00:21 +0200)]
nl80211: check for the required netlink attributes presence

commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.

nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.

This fixes CVE-2017-12153.

Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Reported-by: bo Zhang <>
Signed-off-by: Vladis Dronov <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Ben Hutchings <>
4 years agosaa7164: fix double fetch PCIe access condition
Steven Toth [Tue, 6 Jun 2017 12:30:27 +0000 (09:30 -0300)]
saa7164: fix double fetch PCIe access condition

commit 6fb05e0dd32e566facb96ea61a48c7488daa5ac3 upstream.

Avoid a double fetch by reusing the values from the prior transfer.

Originally reported via

Thanks to Pengfei Wang <> for reporting.

Signed-off-by: Steven Toth <>
Reported-by: Pengfei Wang <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agosaa7164: fix sparse warnings
Hans Verkuil [Fri, 7 Nov 2014 14:39:46 +0000 (11:39 -0300)]
saa7164: fix sparse warnings

commit 065e1477d277174242e73e7334c717b840d0693f upstream.

Fix many sparse warnings:

drivers/media/pci/saa7164/saa7164-core.c:97:18: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:122:31: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:122:31: warning: incorrect type in initializer (different address spaces)
drivers/media/pci/saa7164/saa7164-core.c:122:31:    expected unsigned char [noderef] [usertype] <asn:2>*bufcpu
drivers/media/pci/saa7164/saa7164-core.c:122:31:    got unsigned char [usertype] *<noident>
drivers/media/pci/saa7164/saa7164-core.c:282:44: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:286:38: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:286:35: warning: incorrect type in assignment (different address spaces)
drivers/media/pci/saa7164/saa7164-core.c:286:35:    expected unsigned char [noderef] [usertype] <asn:2>*p
drivers/media/pci/saa7164/saa7164-core.c:286:35:    got unsigned char [usertype] *<noident>
drivers/media/pci/saa7164/saa7164-core.c:352:44: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:527:53: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:129:30: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:133:38: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:133:72: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:134:35: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:287:61: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:288:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:289:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:290:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:291:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:292:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:293:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:294:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-fw.c:548:52: warning: incorrect type in argument 5 (different address spaces)
drivers/media/pci/saa7164/saa7164-fw.c:548:52:    expected unsigned char [usertype] *dst
drivers/media/pci/saa7164/saa7164-fw.c:548:52:    got unsigned char [noderef] [usertype] <asn:2>*
drivers/media/pci/saa7164/saa7164-fw.c:579:44: warning: incorrect type in argument 5 (different address spaces)
drivers/media/pci/saa7164/saa7164-fw.c:579:44:    expected unsigned char [usertype] *dst
drivers/media/pci/saa7164/saa7164-fw.c:579:44:    got unsigned char [noderef] [usertype] <asn:2>*
drivers/media/pci/saa7164/saa7164-fw.c:597:44: warning: incorrect type in argument 5 (different address spaces)
drivers/media/pci/saa7164/saa7164-fw.c:597:44:    expected unsigned char [usertype] *dst
drivers/media/pci/saa7164/saa7164-fw.c:597:44:    got unsigned char [noderef] [usertype] <asn:2>*
drivers/media/pci/saa7164/saa7164-bus.c:36:36: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-bus.c:41:36: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-bus.c:151:19: warning: incorrect type in assignment (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:151:19:    expected unsigned short [unsigned] [usertype] size
drivers/media/pci/saa7164/saa7164-bus.c:151:19:    got restricted __le16 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:152:22: warning: incorrect type in assignment (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:152:22:    expected unsigned int [unsigned] [usertype] command
drivers/media/pci/saa7164/saa7164-bus.c:152:22:    got restricted __le32 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:153:30: warning: incorrect type in assignment (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:153:30:    expected unsigned short [unsigned] [usertype] controlselector
drivers/media/pci/saa7164/saa7164-bus.c:153:30:    got restricted __le16 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:172:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:173:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:206:28: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:287:9: warning: incorrect type in argument 1 (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:287:9:    expected unsigned int [unsigned] val
drivers/media/pci/saa7164/saa7164-bus.c:287:9:    got restricted __le32 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:339:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:340:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:463:9: warning: incorrect type in argument 1 (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:463:9:    expected unsigned int [unsigned] val
drivers/media/pci/saa7164/saa7164-bus.c:463:9:    got restricted __le32 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:466:21: warning: cast to restricted __le16
drivers/media/pci/saa7164/saa7164-bus.c:467:24: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:468:32: warning: cast to restricted __le16
drivers/media/pci/saa7164/saa7164-buffer.c:122:18: warning: incorrect type in assignment (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:122:18:    expected unsigned long long [noderef] [usertype] <asn:2>*cpu
drivers/media/pci/saa7164/saa7164-buffer.c:122:18:    got void *
drivers/media/pci/saa7164/saa7164-buffer.c:127:21: warning: incorrect type in assignment (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:127:21:    expected unsigned long long [noderef] [usertype] <asn:2>*pt_cpu
drivers/media/pci/saa7164/saa7164-buffer.c:127:21:    got void *
drivers/media/pci/saa7164/saa7164-buffer.c:134:20: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-buffer.c:156:63: warning: incorrect type in argument 3 (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:156:63:    expected void *vaddr
drivers/media/pci/saa7164/saa7164-buffer.c:156:63:    got unsigned long long [noderef] [usertype] <asn:2>*cpu
drivers/media/pci/saa7164/saa7164-buffer.c:179:57: warning: incorrect type in argument 3 (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:179:57:    expected void *vaddr
drivers/media/pci/saa7164/saa7164-buffer.c:179:57:    got unsigned long long [noderef] [usertype] <asn:2>*cpu
drivers/media/pci/saa7164/saa7164-buffer.c:180:56: warning: incorrect type in argument 3 (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:180:56:    expected void *vaddr
drivers/media/pci/saa7164/saa7164-buffer.c:180:56:    got unsigned long long [noderef] [usertype] <asn:2>*pt_cpu
drivers/media/pci/saa7164/saa7164-buffer.c:84:17: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-buffer.c:147:31: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-buffer.c:148:17: warning: dereference of noderef expression

Most are caused by pointers marked as __iomem when they aren't or not marked as
__iomem when they should.

Also note that readl/writel already do endian conversion, so there is no need to
do it again.

saa7164_bus_set/get were a bit tricky: you have to make sure the msg endian
conversion is done at the right time, and that the code isn't using fields that
are still little endian instead of cpu-endianness.

The approach chosen is to convert just before writing to the ring buffer
and to convert it back right after reading from the ring buffer.

Signed-off-by: Hans Verkuil <>
Cc: Steven Toth <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2: adjust filenames, context]
Signed-off-by: Ben Hutchings <>
4 years agosaa7164: fix endian conversion in saa7164_bus_set()
Dan Carpenter [Mon, 28 Nov 2011 12:08:53 +0000 (09:08 -0300)]
saa7164: fix endian conversion in saa7164_bus_set()

commit 773ddbd228dc16a4829836e1dc16383e44c8575e upstream.

The msg->command field is 32 bits, and we should fill it with a call
to cpu_to_le32().  The current code is broke on big endian systems.
On little endian systems it truncates the 32 bit value to 16 bits
which probably still works fine.

Signed-off-by: Dan Carpenter <>
Cc: Steven Toth <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Ben Hutchings <>
4 years agobtrfs: preserve i_mode if __btrfs_set_acl() fails
Ernesto A. Fernández [Wed, 2 Aug 2017 06:18:27 +0000 (03:18 -0300)]
btrfs: preserve i_mode if __btrfs_set_acl() fails

commit d7d824966530acfe32b94d1ed672e6fe1638cd68 upstream.

When changing a file's acl mask, btrfs_set_acl() will first set the
group bits of i_mode to the value of the mask, and only then set the
actual extended attribute representing the new acl.

If the second part fails (due to lack of space, for example) and the
file had no acl attribute to begin with, the system will from now on
assume that the mask permission bits are actual group permission bits,
potentially granting access to the wrong users.

Prevent this by restoring the original mode bits if __btrfs_set_acl

Signed-off-by: Ernesto A. Fernández <>
Reviewed-by: David Sterba <>
Signed-off-by: David Sterba <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoext4: Don't clear SGID when inheriting ACLs
Jan Kara [Mon, 31 Jul 2017 03:33:01 +0000 (23:33 -0400)]
ext4: Don't clear SGID when inheriting ACLs

commit a3bb2d5587521eea6dab2d05326abb0afb460abd upstream.

When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.

Fix the problem by moving posix_acl_update_mode() out of
__ext4_set_acl() into ext4_set_acl(). That way the function will not be
called when inheriting ACLs which is what we want as it prevents SGID
bit clearing and the mode has been properly set by posix_acl_create()

Fixes: 073931017b49d9458aa351605b43a7e34598caef
Signed-off-by: Theodore Ts'o <>
Signed-off-by: Jan Kara <>
Reviewed-by: Andreas Gruenbacher <>
[bwh: Backported to 3.2: the __ext4_set_acl() function didn't exist,
 so added it]
Signed-off-by: Ben Hutchings <>
4 years agoext4: preserve i_mode if __ext4_set_acl() fails
Ernesto A. Fernández [Mon, 31 Jul 2017 02:43:41 +0000 (22:43 -0400)]
ext4: preserve i_mode if __ext4_set_acl() fails

commit 397e434176bb62bc6068d2210af1d876c6212a7e upstream.

When changing a file's acl mask, __ext4_set_acl() will first set the group
bits of i_mode to the value of the mask, and only then set the actual
extended attribute representing the new acl.

If the second part fails (due to lack of space, for example) and the file
had no acl attribute to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits, potentially
granting access to the wrong users.

Prevent this by only changing the inode mode after the acl has been set.

Signed-off-by: Ernesto A. Fernández <>
Signed-off-by: Theodore Ts'o <>
Reviewed-by: Jan Kara <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoreiserfs: preserve i_mode if __reiserfs_set_acl() fails
Ernesto A. Fernández [Mon, 17 Jul 2017 16:42:41 +0000 (18:42 +0200)]
reiserfs: preserve i_mode if __reiserfs_set_acl() fails

commit fcea8aed91f53b51f9b943dc01f12d8aa666c720 upstream.

When changing a file's acl mask, reiserfs_set_acl() will first set the
group bits of i_mode to the value of the mask, and only then set the
actual extended attribute representing the new acl.

If the second part fails (due to lack of space, for example) and the
file had no acl attribute to begin with, the system will from now on
assume that the mask permission bits are actual group permission bits,
potentially granting access to the wrong users.

Prevent this by only changing the inode mode after the acl has been set.

Signed-off-by: Ernesto A. Fernández <>
Signed-off-by: Jan Kara <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoreiserfs: Don't clear SGID when inheriting ACLs
Jan Kara [Thu, 22 Jun 2017 07:32:49 +0000 (09:32 +0200)]
reiserfs: Don't clear SGID when inheriting ACLs

commit 6883cd7f68245e43e91e5ee583b7550abf14523f upstream.

When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.

Fix the problem by moving posix_acl_update_mode() out of
__reiserfs_set_acl() into reiserfs_set_acl(). That way the function will
not be called when inheriting ACLs which is what we want as it prevents
SGID bit clearing and the mode has been properly set by
posix_acl_create() anyway.

Fixes: 073931017b49d9458aa351605b43a7e34598caef
Signed-off-by: Jan Kara <>
[bwh: Backported to 3.2: the __reiserfs_set_acl() function didn't exist,
 so added it]
Signed-off-by: Ben Hutchings <>
4 years agoext3: preserve i_mode if ext2_set_acl() fails
Ben Hutchings [Sun, 8 Oct 2017 13:48:44 +0000 (14:48 +0100)]
ext3: preserve i_mode if ext2_set_acl() fails

Based on Ernesto A. Fernández's fix for ext2 (commit fe26569eb919), from
which the following description is taken:

> When changing a file's acl mask, ext2_set_acl() will first set the group
> bits of i_mode to the value of the mask, and only then set the actual
> extended attribute representing the new acl.
> If the second part fails (due to lack of space, for example) and the file
> had no acl attribute to begin with, the system will from now on assume
> that the mask permission bits are actual group permission bits, potentially
> granting access to the wrong users.
> Prevent this by only changing the inode mode after the acl has been set.

Cc: Ernesto A. Fernández <>
Cc: Jan Kara <>
Signed-off-by: Ben Hutchings <>
4 years agoext3: Don't clear SGID when inheriting ACLs
Ben Hutchings [Fri, 6 Oct 2017 02:18:40 +0000 (03:18 +0100)]
ext3: Don't clear SGID when inheriting ACLs

Based on Jan Kara's fix for ext2 (commit a992f2d38e4c), from which the
following description is taken:

> When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
> set, DIR1 is expected to have SGID bit set (and owning group equal to
> the owning group of 'DIR0'). However when 'DIR0' also has some default
> ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
> 'DIR1' to get cleared if user is not member of the owning group.
> Fix the problem by creating __ext2_set_acl() function that does not call
> posix_acl_update_mode() and use it when inheriting ACLs. That prevents
> SGID bit clearing and the mode has been properly set by
> posix_acl_create() anyway.

Fixes: 073931017b49 ("posix_acl: Clear SGID bit when setting file permissions")
Cc: Jan Kara <>
Signed-off-by: Ben Hutchings <>
4 years agoext2: preserve i_mode if ext2_set_acl() fails
Ernesto A. Fernández [Wed, 12 Jul 2017 09:54:19 +0000 (06:54 -0300)]
ext2: preserve i_mode if ext2_set_acl() fails

commit fe26569eb9197d845d73abe7dd20f603d79eb031 upstream.

When changing a file's acl mask, ext2_set_acl() will first set the group
bits of i_mode to the value of the mask, and only then set the actual
extended attribute representing the new acl.

If the second part fails (due to lack of space, for example) and the file
had no acl attribute to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits, potentially
granting access to the wrong users.

Prevent this by only changing the inode mode after the acl has been set.

[JK: Rebased on top of "ext2: Don't clear SGID when inheriting ACLs"]
Signed-off-by: Ernesto A. Fernández <>
Signed-off-by: Jan Kara <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoext2: Don't clear SGID when inheriting ACLs
Jan Kara [Wed, 21 Jun 2017 12:34:15 +0000 (14:34 +0200)]
ext2: Don't clear SGID when inheriting ACLs

commit a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 upstream.

When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.

Fix the problem by creating __ext2_set_acl() function that does not call
posix_acl_update_mode() and use it when inheriting ACLs. That prevents
SGID bit clearing and the mode has been properly set by
posix_acl_create() anyway.

Fixes: 073931017b49d9458aa351605b43a7e34598caef
Signed-off-by: Jan Kara <>
[bwh: Backported to 3.2:
 - Keep using CURRENT_TIME_SEC
 - Change parameter order of ext2_set_acl() to match upstream
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agovt: fix unchecked __put_user() in tioclinux ioctls
Adam Borowski [Sat, 3 Jun 2017 07:35:06 +0000 (09:35 +0200)]
vt: fix unchecked __put_user() in tioclinux ioctls

commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream.

Only read access is checked before this call.

Actually, at the moment this is not an issue, as every in-tree arch does
the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
to tell them apart, but this wasn't the case in the past and may happen
again on some odd arch in the future.

If anyone cares about 3.7 and earlier, this is a security hole (untested)
on real 80386 CPUs.

Signed-off-by: Adam Borowski <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agomm: fix overflow check in expand_upwards()
Helge Deller [Fri, 14 Jul 2017 21:49:38 +0000 (14:49 -0700)]
mm: fix overflow check in expand_upwards()

commit 37511fb5c91db93d8bd6e3f52f86e5a7ff7cfcdf upstream.

Jörn Engel noticed that the expand_upwards() function might not return
-ENOMEM in case the requested address is (unsigned long)-PAGE_SIZE and
if the architecture didn't defined TASK_SIZE as multiple of PAGE_SIZE.

Affected architectures are arm, frv, m68k, blackfin, h8300 and xtensa
which all define TASK_SIZE as 0xffffffff, but since none of those have
an upwards-growing stack we currently have no actual issue.

Nevertheless let's fix this just in case any of the architectures with
an upward-growing stack (currently parisc, metag and partly ia64) define
TASK_SIZE similar.

Fixes: bd726c90b6b8 ("Allow stack to grow up to address space limit")
Signed-off-by: Helge Deller <>
Reported-by: Jörn Engel <>
Cc: Hugh Dickins <>
Cc: Oleg Nesterov <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
4 years agoubifs: Don't leak kernel memory to the MTD
Richard Weinberger [Fri, 16 Jun 2017 14:21:44 +0000 (16:21 +0200)]
ubifs: Don't leak kernel memory to the MTD

commit 4acadda74ff8b949c448c0282765ae747e088c87 upstream.

When UBIFS prepares data structures which will be written to the MTD it
ensues that their lengths are multiple of 8. Since it uses kmalloc() the
padded bytes are left uninitialized and we leak a few bytes of kernel
memory to the MTD.
To make sure that all bytes are initialized, let's switch to kzalloc().
Kzalloc() is fine in this case because the buffers are not huge and in
the IO path the performance bottleneck is anyway the MTD.

Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <>
Reviewed-by: Boris Brezillon <>
Signed-off-by: Richard Weinberger <>
[bwh: Backported to 3.2:
 - Drop change in ubifs_jnl_xrename()
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoubifs: Correctly evict xattr inodes
Richard Weinberger [Tue, 16 May 2017 22:20:27 +0000 (00:20 +0200)]
ubifs: Correctly evict xattr inodes

commit 272eda8298dc82eb411ece82bbb2c62911087b24 upstream.

UBIFS handles extended attributes just like files, as consequence of
that, they also have inodes.
Therefore UBIFS does all the inode machinery also for xattrs. Since new
inodes have i_nlink of 1, a file or xattr inode will be evicted
if i_nlink goes down to 0 after an unlink. UBIFS assumes this model also
for xattrs, which is not correct.
One can create a file "foo" with xattr "user.test". By reading
"user.test" an inode will be created, and by deleting "user.test" it
will get evicted later. The assumption breaks if the file "foo", which
hosts the xattrs, will be removed. VFS nor UBIFS does not remove each
xattr via ubifs_xattr_remove(), it just removes the host inode from
the TNC and all underlying xattr nodes too and the inode will remain
in the cache and wastes memory.

To solve this problem, remove xattr inodes from the VFS inode cache in
ubifs_xattr_remove() to make sure that they get evicted.

Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <>
[bwh: Backported to 3.2:
 - xattr support is optional, so add an #ifdef around the call
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoInput: i8042 - fix crash at boot time
Chen Hong [Sun, 2 Jul 2017 22:11:10 +0000 (15:11 -0700)]
Input: i8042 - fix crash at boot time

commit 340d394a789518018f834ff70f7534fc463d3226 upstream.

The driver checks port->exists twice in i8042_interrupt(), first when
trying to assign temporary "serio" variable, and second time when deciding
whether it should call serio_interrupt(). The value of port->exists may
change between the 2 checks, and we may end up calling serio_interrupt()
with a NULL pointer:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
IP: [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
Oops: 0002 [#1] SMP
last sysfs file:
Modules linked in:

Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:[<ffffffff8150feaf>]  [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
RSP: 0018:ffff880028203cc0  EFLAGS: 00010082
RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050
RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0
R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098
FS:  0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500)
ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000
<d> 0000000000000000 0000000000000000 0000000000000000 0000000000000098
<d> ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac
Call Trace:
 [<ffffffff813de186>] serio_interrupt+0x36/0xa0
[<ffffffff813e0162>] i8042_interrupt+0x132/0x3a0
[<ffffffff8103b8ac>] ? kvm_clock_read+0x1c/0x20
[<ffffffff8103b8b9>] ? kvm_clock_get_cycles+0x9/0x10
[<ffffffff810e1640>] handle_IRQ_event+0x60/0x170
[<ffffffff8103b154>] ? kvm_guest_apic_eoi_write+0x44/0x50
[<ffffffff810e3d8e>] handle_edge_irq+0xde/0x180
[<ffffffff8100de89>] handle_irq+0x49/0xa0
[<ffffffff81516c8c>] do_IRQ+0x6c/0xf0
[<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
[<ffffffff81076f63>] ? __do_softirq+0x73/0x1e0
[<ffffffff8109b75b>] ? hrtimer_interrupt+0x14b/0x260
[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
[<ffffffff8100de05>] ? do_softirq+0x65/0xa0
[<ffffffff81076d95>] ? irq_exit+0x85/0x90
[<ffffffff81516d80>] ? smp_apic_timer_interrupt+0x70/0x9b
[<ffffffff8100bb93>] ? apic_timer_interrupt+0x13/0x20

To avoid the issue let's change the second check to test whether serio is
NULL or not.

Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of
trying to be overly smart and using memory barriers.

Signed-off-by: Chen Hong <>
[dtor: take lock in i8042_start()/i8042_stop()]
Signed-off-by: Dmitry Torokhov <>
Signed-off-by: Ben Hutchings <>
4 years agopowerpc: Fix emulation of mfocrf in emulate_step()
Anton Blanchard [Wed, 14 Jun 2017 23:46:39 +0000 (09:46 +1000)]
powerpc: Fix emulation of mfocrf in emulate_step()

commit 64e756c55aa46fc18fd53e8f3598b73b528d8637 upstream.

From POWER4 onwards, mfocrf() only places the specified CR field into
the destination GPR, and the rest of it is set to 0. The PowerPC AS
from version 3.0 now requires this behaviour.

The emulation code currently puts the entire CR into the destination GPR.
Fix it.

Fixes: 6888199f7fe5 ("[POWERPC] Emulate more instructions in software")
Signed-off-by: Anton Blanchard <>
Acked-by: Naveen N. Rao <>
Signed-off-by: Michael Ellerman <>
Signed-off-by: Ben Hutchings <>
4 years agopowerpc/asm: Mark cr0 as clobbered in mftb()
Oliver O'Halloran [Thu, 6 Jul 2017 08:46:43 +0000 (18:46 +1000)]
powerpc/asm: Mark cr0 as clobbered in mftb()

commit 2400fd822f467cb4c886c879d8ad99feac9cf319 upstream.

The workaround for the CELL timebase bug does not correctly mark cr0 as
being clobbered. This means GCC doesn't know that the asm block changes cr0 and
might leave the result of an unrelated comparison in cr0 across the block, which
we then trash, leading to basically random behaviour.

Fixes: 859deea949c3 ("[POWERPC] Cell timebase bug workaround")
Signed-off-by: Oliver O'Halloran <>
[mpe: Tweak change log and flag for stable]
Signed-off-by: Michael Ellerman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agofs/dcache.c: fix spin lockup issue on nlru->lock
Sahitya Tummala [Mon, 10 Jul 2017 22:50:00 +0000 (15:50 -0700)]
fs/dcache.c: fix spin lockup issue on nlru->lock

commit b17c070fb624cf10162cf92ea5e1ec25cd8ac176 upstream.

__list_lru_walk_one() acquires nlru spin lock (nlru->lock) for longer
duration if there are more number of items in the lru list.  As per the
current code, it can hold the spin lock for upto maximum UINT_MAX
entries at a time.  So if there are more number of items in the lru
list, then "BUG: spinlock lockup suspected" is observed in the below


This nlru->lock is acquired by another CPU in this path -


Fix this lockup by reducing the number of entries to be shrinked from
the lru list to 1024 at once.  Also, add cond_resched() before
processing the lru list again.

Signed-off-by: Sahitya Tummala <>
Suggested-by: Jan Kara <>
Suggested-by: Vladimir Davydov <>
Acked-by: Vladimir Davydov <>
Cc: Alexander Polakov <>
Cc: Al Viro <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: we don't hold the spin-lock for long, but adding
 cond_resched() looks like a good idea]
Signed-off-by: Ben Hutchings <>
4 years agomm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
Michal Hocko [Mon, 10 Jul 2017 22:49:51 +0000 (15:49 -0700)]
mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack

commit 561b5e0709e4a248c67d024d4d94b6e31e3edf2f upstream.

Commit 1be7107fbe18 ("mm: larger stack guard gap, between vmas") has
introduced a regression in some rust and Java environments which are
trying to implement their own stack guard page.  They are punching a new
MAP_FIXED mapping inside the existing stack Vma.

This will confuse expand_{downwards,upwards} into thinking that the
stack expansion would in fact get us too close to an existing non-stack
vma which is a correct behavior wrt safety.  It is a real regression on
the other hand.

Let's work around the problem by considering PROT_NONE mapping as a part
of the stack.  This is a gros hack but overflowing to such a mapping
would trap anyway an we only can hope that usespace knows what it is
doing and handle it propely.

Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
Signed-off-by: Michal Hocko <>
Debugged-by: Vlastimil Babka <>
Cc: Ben Hutchings <>
Cc: Willy Tarreau <>
Cc: Oleg Nesterov <>
Cc: Rik van Riel <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
4 years agocfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
Srinivas Dasari [Thu, 6 Jul 2017 22:43:42 +0000 (01:43 +0300)]
cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES

commit d7f13f7450369281a5d0ea463cc69890a15923ae upstream.

validate_scan_freqs() retrieves frequencies from attributes
nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
nla_get_u32(), which reads 4 bytes from each attribute
without validating the size of data received. Attributes
nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.

Validate size of each attribute before parsing to avoid potential buffer

Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Signed-off-by: Srinivas Dasari <>
Signed-off-by: Jouni Malinen <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Ben Hutchings <>
4 years agocfg80211: Check if PMKID attribute is of expected size
Srinivas Dasari [Thu, 6 Jul 2017 22:43:39 +0000 (01:43 +0300)]
cfg80211: Check if PMKID attribute is of expected size

commit 9361df14d1cbf966409d5d6f48bb334384fbe138 upstream.

nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.

Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with

Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
Signed-off-by: Srinivas Dasari <>
Signed-off-by: Jouni Malinen <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Ben Hutchings <>
4 years agotpm: fix a kernel memory leak in tpm-sysfs.c
Jarkko Sakkinen [Tue, 20 Jun 2017 09:38:02 +0000 (11:38 +0200)]
tpm: fix a kernel memory leak in tpm-sysfs.c

commit 13b47cfcfc60495cde216eef4c01040d76174cbe upstream.

While cleaning up sysfs callback that prints EK we discovered a kernel
memory leak. This commit fixes the issue by zeroing the buffer used for
TPM command/response.

The leak happen when we use either tpm_vtpm_proxy, tpm_ibmvtpm or

Fixes: 0883743825e3 ("TPM: sysfs functions consolidation")
Reported-by: Jason Gunthorpe <>
Tested-by: Stefan Berger <>
Signed-off-by: Jarkko Sakkinen <>
Signed-off-by: James Morris <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agortc: rtc-nuc900: fix loop timeout test
Dan Carpenter [Fri, 23 Jun 2017 08:29:00 +0000 (11:29 +0300)]
rtc: rtc-nuc900: fix loop timeout test

commit d0a67c372df410b579197ea818596001fe20070d upstream.

We should change this post-op to a pre-op because we want the loop to
exit with "timeout" set to zero.

Fixes: 0a89b55364e0 ("nuc900/rtc: change the waiting for device ready implement")
Signed-off-by: Dan Carpenter <>
Signed-off-by: Alexandre Belloni <>
Signed-off-by: Ben Hutchings <>
4 years agos390/syscalls: Fix out of bounds arguments access
Jiri Olsa [Thu, 29 Jun 2017 09:38:11 +0000 (11:38 +0200)]
s390/syscalls: Fix out of bounds arguments access

commit c46fc0424ced3fb71208e72bd597d91b9169a781 upstream.

Zorro reported following crash while having enabled
syscall tracing (CONFIG_FTRACE_SYSCALLS):

  Unable to handle kernel pointer dereference at virtual ...
  Oops: 0011 [#1] SMP DEBUG_PAGEALLOC


  Call Trace:
  ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
   [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
   [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
   [<000003fffcf946a2>] 0x3fffcf946a2
  INFO: lockdep is turned off.
  Last Breaking-Event-Address:
   [<000000000022dd44>] rb_event_data+0x34/0x40
  ---[ end trace 8c795f86b1b3f7b9 ]---

The crash happens in syscall_get_arguments function for
syscalls with zero arguments, that will try to access
first argument (args[0]) in event entry, but it's not

Bail out of there are no arguments.

Reported-by: Zorro Lang <>
Signed-off-by: Jiri Olsa <>
Signed-off-by: Martin Schwidefsky <>
Signed-off-by: Ben Hutchings <>
4 years agoRDMA/uverbs: Check port number supplied by user verbs cmds
Boris Pismenny [Tue, 27 Jun 2017 12:09:13 +0000 (15:09 +0300)]
RDMA/uverbs: Check port number supplied by user verbs cmds

commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.

The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
the port number from user input as part of its attributes and assumes
it is valid. Down on the stack, that parameter is used to access kernel
data structures.  If the value is invalid, the kernel accesses memory
it should not.  To prevent this, verify the port number before using it.

BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313

BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819

Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
Fixes: 189aba99e70 ("IB/uverbs: Extend modify_qp and support packet pacing")
Cc: <>
Cc: Yevgeny Kliteynik <>
Cc: Tziporet Koren <>
Cc: Alex Polak <>
Signed-off-by: Boris Pismenny <>
Signed-off-by: Leon Romanovsky <>
Signed-off-by: Doug Ledford <>
[bwh: Backported to 3.2:
 - In modify_qp(), command structure is cmd not cmd->base
 - In modify_qp(), add release_qp label
 - In ib_uverbs_create_ah(), add definition of ib_dev
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoIB/core: Add inline function to validate port
Yuval Shaia [Wed, 25 Jan 2017 16:41:37 +0000 (18:41 +0200)]
IB/core: Add inline function to validate port

commit 24dc831b77eca9361cf835be59fa69ea0e471afc upstream.

Signed-off-by: Yuval Shaia <>
Reviewed-by: Leon Romanovsky <>
Signed-off-by: Doug Ledford <>
[bwh: Backported to 3.2:
 - Drop inapplicable changes
 - Adjust context]
Signed-off-by: Ben Hutchings <>