4 years agoufs: set correct ->s_maxsize
Al Viro [Fri, 9 Jun 2017 01:15:45 +0000 (21:15 -0400)]
ufs: set correct ->s_maxsize

commit 6b0d144fa758869bdd652c50aa41aaf601232550 upstream.

Signed-off-by: Al Viro <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agofix ufs_isblockset()
Al Viro [Thu, 8 Jun 2017 22:15:18 +0000 (18:15 -0400)]
fix ufs_isblockset()

commit 414cf7186dbec29bd946c138d6b5c09da5955a08 upstream.

Signed-off-by: Al Viro <>
Signed-off-by: Ben Hutchings <>
4 years agoKEYS: fix dereferencing NULL payload with nonzero length
Eric Biggers [Thu, 8 Jun 2017 13:48:40 +0000 (14:48 +0100)]
KEYS: fix dereferencing NULL payload with nonzero length

commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream.

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
NULL payload with nonzero length to be passed to the key type's
->preparse(), ->instantiate(), and/or ->update() methods.  Various key
types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
not handle this case, allowing an unprivileged user to trivially cause a
NULL pointer dereference (kernel oops) if one of these key types was
present.  Fix it by doing the copy_from_user() when 'plen' is nonzero
rather than when '_payload' is non-NULL, causing the syscall to fail
with EFAULT as expected when an invalid buffer is specified.

Signed-off-by: Eric Biggers <>
Signed-off-by: David Howells <>
Signed-off-by: James Morris <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoMIPS: kprobes: flush_insn_slot should flush only if probe initialised
Marcin Nowakowski [Thu, 8 Jun 2017 13:20:32 +0000 (15:20 +0200)]
MIPS: kprobes: flush_insn_slot should flush only if probe initialised

commit 698b851073ddf5a894910d63ca04605e0473414e upstream.

When ftrace is used with kprobes, it is possible for a kprobe to contain
an invalid location (ie. only initialised to 0 and not to a specific
location in the code). Trying to perform a cache flush on such location
leads to a crash r4k_flush_icache_range().

Fixes: c1bf207d6ee1 ("MIPS: kprobe: Add support.")
Signed-off-by: Marcin Nowakowski <>
Signed-off-by: Ralf Baechle <>
Signed-off-by: Ben Hutchings <>
4 years agoKVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation
Wanpeng Li [Thu, 8 Jun 2017 08:22:07 +0000 (01:22 -0700)]
KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation

commit a3641631d14571242eec0d30c9faa786cbf52d44 upstream.

If "i" is the last element in the vcpu->arch.cpuid_entries[] array, it
potentially can be exploited the vulnerability. this will out-of-bounds
read and write.  Luckily, the effect is small:

/* when no next entry is found, the current entry[i] is reselected */
for (j = i + 1; ; j = (j + 1) % nent) {
struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
if (ej->function == e->function) {

It reads ej->maxphyaddr, which is user controlled.  However...


After cpuid_entries there is

int maxphyaddr;
struct x86_emulate_ctxt emulate_ctxt;  /* 16-byte aligned */

So we have:

- cpuid_entries at offset 1B50 (6992)
- maxphyaddr at offset 27D0 (6992 + 3200 = 10192)
- padding at 27D4...27DF
- emulate_ctxt at 27E0

And it writes in the padding.  Pfew, writing the ops field of emulate_ctxt
would have been much worse.

This patch fixes it by modding the index to avoid the out-of-bounds
access. Worst case, i == j and ej->function == e->function,
the loop can bail out.

Reported-by: Moguofang <>
Cc: Paolo Bonzini <>
Cc: Radim Krčmář <>
Cc: Guofang Mo <>
Signed-off-by: Wanpeng Li <>
Signed-off-by: Paolo Bonzini <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoperf script python: Remove dups in documentation examples
SeongJae Park [Tue, 30 May 2017 11:18:25 +0000 (20:18 +0900)]
perf script python: Remove dups in documentation examples

commit 14fc42fa1b3e7ea5160c84d0e686a3a0c1ffe619 upstream.

Few shell command examples in perf-script-python.txt has few nitpicks

- tools/perf/scripts/python directory listing command is unnecessarily
- few examples contain additional information in command prompt
  unnecessarily and inconsistently.

This commit fixes them to enhance readability of the document.

Signed-off-by: SeongJae Park <>
Cc: Alexander Shishkin <>
Cc: Frederic Weisbecker <>
Cc: Peter Zijlstra <>
Cc: Tom Zanussi <>
Fixes: cff68e582237 ("perf/scripts: Add perf-trace-python Documentation")
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Ben Hutchings <>
4 years agoperf script python: Updated trace_unhandled() signature
SeongJae Park [Tue, 30 May 2017 11:18:27 +0000 (20:18 +0900)]
perf script python: Updated trace_unhandled() signature

commit 1bf8d5a4a5da19b1f6e7958fe67db4118fa7a1c1 upstream.

Default function signature of trace_unhandled() got changed to include a
field dict, but its documentation, perf-script-python.txt has not been
updated.  Fix it.

Signed-off-by: SeongJae Park <>
Cc: Alexander Shishkin <>
Cc: Peter Zijlstra <>
Cc: Pierre Tardy <>
Fixes: c02514850d67 ("perf scripts python: Give field dict to unhandled callback")
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Ben Hutchings <>
4 years agoperf script python: Fix wrong code snippets in documentation
SeongJae Park [Tue, 30 May 2017 11:18:26 +0000 (20:18 +0900)]
perf script python: Fix wrong code snippets in documentation

commit 26ddb8722df865aa67fbe459107d2f3f8e5c6829 upstream.

This commit fixes wrong code snippets for trace_begin() and trace_end()
function example definition.

Signed-off-by: SeongJae Park <>
Cc: Alexander Shishkin <>
Cc: Frederic Weisbecker <>
Cc: Peter Zijlstra <>
Cc: Tom Zanussi <>
Fixes: cff68e582237 ("perf/scripts: Add perf-trace-python Documentation")
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Ben Hutchings <>
4 years agoperf script: Fix documentation errors
SeongJae Park [Tue, 30 May 2017 11:18:24 +0000 (20:18 +0900)]
perf script: Fix documentation errors

commit 34d4453dac257be53c21abf2f713c992fb692b5c upstream.

This commit fixes two errors in documents for perf-script-python and
perf-script-perl as below:

- /sys/kernel/debug/tracing events -> /sys/kernel/debug/tracing/events/
- trace_handled -> trace_unhandled

Signed-off-by: SeongJae Park <>
Cc: Alexander Shishkin <>
Cc: Frederic Weisbecker <>
Cc: Peter Zijlstra <>
Cc: Tom Zanussi <>
Fixes: cff68e582237 ("perf/scripts: Add perf-trace-python Documentation")
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Ben Hutchings <>
4 years agoperf script: Fix outdated comment for perf-trace-python
SeongJae Park [Tue, 30 May 2017 11:18:23 +0000 (20:18 +0900)]
perf script: Fix outdated comment for perf-trace-python

commit c76132dc5182776b98e946d674cb41c421661ea9 upstream.

Script generated by the '--gen-script' option contains an outdated
comment. It mentions a 'perf-trace-python' document while it has been
renamed to 'perf-script-python'. Fix it.

Signed-off-by: SeongJae Park <>
Cc: Alexander Shishkin <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Fixes: 133dc4c39c57 ("perf: Rename 'perf trace' to 'perf script'")
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Ben Hutchings <>
4 years agoperf probe: Fix examples section of documentation
SeongJae Park [Sun, 7 May 2017 10:36:42 +0000 (19:36 +0900)]
perf probe: Fix examples section of documentation

commit d89269a89ebb6a74512f3f40e89cd12017f60a75 upstream.

An example in perf-probe documentation for pattern of function name
based probe addition is not providing example command for that case.

This commit fixes the example to give appropriate example command.

Signed-off-by: SeongJae Park <>
Acked-by: Masami Hiramatsu <>
Cc: Peter Zijlstra <>
Cc: Taeung Song <>
Fixes: ee391de876ae ("perf probe: Update perf probe document")
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Ben Hutchings <>
4 years agodrm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
Dan Carpenter [Thu, 27 Apr 2017 09:12:08 +0000 (12:12 +0300)]
drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()

commit f0c62e9878024300319ba2438adc7b06c6b9c448 upstream.

If vmalloc() fails then we need to a bit of cleanup before returning.

Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU")
Signed-off-by: Dan Carpenter <>
Reviewed-by: Sinclair Yeh <>
Signed-off-by: Ben Hutchings <>
4 years agonet: ethoc: enable NAPI before poll may be scheduled
Max Filippov [Tue, 6 Jun 2017 01:31:16 +0000 (18:31 -0700)]
net: ethoc: enable NAPI before poll may be scheduled

commit d220b942a4b6a0640aee78841608f4aa5e8e185e upstream.

ethoc_reset enables device interrupts, ethoc_interrupt may schedule a
NAPI poll before NAPI is enabled in the ethoc_open, which results in
device being unable to send or receive anything until it's closed and
reopened. In case the device is flooded with ingress packets it may be
unable to recover at all.
Move napi_enable above ethoc_reset in the ethoc_open to fix that.

Fixes: a1702857724f ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
Signed-off-by: Max Filippov <>
Reviewed-by: Tobias Klauser <>
Reviewed-by: Florian Fainelli <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agovb2: Fix an off by one error in 'vb2_plane_vaddr'
Christophe JAILLET [Fri, 28 Apr 2017 04:51:40 +0000 (01:51 -0300)]
vb2: Fix an off by one error in 'vb2_plane_vaddr'

commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 upstream.

We should ensure that 'plane_no' is '< vb->num_planes' as done in
'vb2_plane_cookie' just a few lines below.

Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")

Signed-off-by: Christophe JAILLET <>
Reviewed-by: Sakari Ailus <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agovb2: fix plane index sanity check in vb2_plane_cookie()
Zhaowei Yuan [Fri, 22 Aug 2014 02:28:21 +0000 (23:28 -0300)]
vb2: fix plane index sanity check in vb2_plane_cookie()

commit a9ae4692eda4b99f85757b15d60971ff78a0a0e2 upstream.

It's also invalid when plane_no is equal to vb->num_planes

Signed-off-by: Zhaowei Yuan <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agonet: ping: do not abuse udp_poll()
Eric Dumazet [Sat, 3 Jun 2017 16:29:25 +0000 (09:29 -0700)]
net: ping: do not abuse udp_poll()

commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 upstream.

Alexander reported various KASAN messages triggered in recent kernels

The problem is that ping sockets should not use udp_poll() in the first
place, and recent changes in UDP stack finally exposed this old bug.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Eric Dumazet <>
Reported-by: Sasha Levin <>
Cc: Solar Designer <>
Cc: Vasiliy Kulikov <>
Cc: Lorenzo Colitti <>
Acked-By: Lorenzo Colitti <>
Tested-By: Lorenzo Colitti <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2:
 - Drop IPv6 bits
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoipv6: Fix leak in ipv6_gso_segment().
David S. Miller [Mon, 5 Jun 2017 01:41:10 +0000 (21:41 -0400)]
ipv6: Fix leak in ipv6_gso_segment().

commit e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789 upstream.

If ip6_find_1stfragopt() fails and we return an error we have to free
up 'segs' because nobody else is going to.

Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
Reported-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agonet: add kfree_skb_list()
Ben Hutchings [Sun, 18 Jun 2017 01:36:32 +0000 (02:36 +0100)]
net: add kfree_skb_list()

Extracted from upstream commit bd8a7036c06c "gre: fix a possible skb leak".

This patch adds a kfree_skb_list() helper.

Signed-off-by: Ben Hutchings <>
4 years agorc-core: race condition during ir_raw_event_register()
Sean Young [Wed, 24 May 2017 09:24:51 +0000 (06:24 -0300)]
rc-core: race condition during ir_raw_event_register()

commit 963761a0b2e85663ee4a5630f72930885a06598a upstream.

A rc device can call ir_raw_event_handle() after rc_allocate_device(),
but before rc_register_device() has completed. This is racey because
rcdev->raw is set before rcdev->raw->thread has a valid value.

Reported-by: kbuild test robot <>
Signed-off-by: Sean Young <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2: adjust filename, context, indentation]
Signed-off-by: Ben Hutchings <>
4 years agoalarmtimer: Rate limit periodic intervals
Thomas Gleixner [Tue, 30 May 2017 21:15:35 +0000 (23:15 +0200)]
alarmtimer: Rate limit periodic intervals

commit ff86bf0c65f14346bf2440534f9ba5ac232c39a0 upstream.

The alarmtimer code has another source of potentially rearming itself too
fast. Interval timers with a very samll interval have a similar CPU hog
effect as the previously fixed overflow issue.

The reason is that alarmtimers do not implement the normal protection
against this kind of problem which the other posix timer use:

  timer expires -> queue signal -> deliver signal -> rearm timer

This scheme brings the rearming under scheduler control and prevents
permanently firing timers which hog the CPU.

Bringing this scheme to the alarm timer code is a major overhaul because it
lacks all the necessary mechanisms completely.

So for a quick fix limit the interval to one jiffie. This is not
problematic in practice as alarmtimers are usually backed by an RTC for
suspend which have 1 second resolution. It could be therefor argued that
the resolution of this clock should be set to 1 second in general, but
that's outside the scope of this fix.

Signed-off-by: Thomas Gleixner <>
Cc: Peter Zijlstra <>
Cc: Kostya Serebryany <>
Cc: syzkaller <>
Cc: John Stultz <>
Cc: Dmitry Vyukov <>
[bwh: Backported to 3.2:
 - Use ktime_to_ns()/ktime_set() as ktime_t is not scalar
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoalarmtimer: Prevent overflow of relative timers
Thomas Gleixner [Tue, 30 May 2017 21:15:34 +0000 (23:15 +0200)]
alarmtimer: Prevent overflow of relative timers

commit f4781e76f90df7aec400635d73ea4c35ee1d4765 upstream.

Andrey reported a alartimer related RCU stall while fuzzing the kernel with

The reason for this is an overflow in ktime_add() which brings the
resulting time into negative space and causes immediate expiry of the
timer. The following rearm with a small interval does not bring the timer
back into positive space due to the same issue.

This results in a permanent firing alarmtimer which hogs the CPU.

Use ktime_add_safe() instead which detects the overflow and clamps the
result to KTIME_SEC_MAX.

Reported-by: Andrey Konovalov <>
Signed-off-by: Thomas Gleixner <>
Cc: Peter Zijlstra <>
Cc: Kostya Serebryany <>
Cc: syzkaller <>
Cc: John Stultz <>
Cc: Dmitry Vyukov <>
[bwh: Backported to 3.2: drop change in alarm_start_relative()]
Signed-off-by: Ben Hutchings <>
4 years agodrivers: char: mem: Fix wraparound check to allow mappings up to the end
Julius Werner [Fri, 2 Jun 2017 22:36:39 +0000 (15:36 -0700)]
drivers: char: mem: Fix wraparound check to allow mappings up to the end

commit 32829da54d9368103a2f03269a5120aa9ee4d5da upstream.

A recent fix to /dev/mem prevents mappings from wrapping around the end
of physical address space. However, the check was written in a way that
also prevents a mapping reaching just up to the end of physical address
space, which may be a valid use case (especially on 32-bit systems).
This patch fixes it by checking the last mapped address (instead of the
first address behind that) for overflow.

Fixes: b299cde245 ("drivers: char: mem: Check for address space wraparound with mmap()")
Reported-by: Nico Huber <>
Signed-off-by: Julius Werner <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
Ben Hutchings [Wed, 31 May 2017 12:15:41 +0000 (13:15 +0100)]
ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()

commit 6e80ac5cc992ab6256c3dae87f7e57db15e1a58c upstream.

xfrm6_find_1stfragopt() may now return an error code and we must
not treat it as a length.

Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
Signed-off-by: Ben Hutchings <>
Acked-by: Craig Gallek <>
Signed-off-by: David S. Miller <>
4 years agousb: gadget: f_mass_storage: Serialize wake and sleep execution
Thinh Nguyen [Fri, 12 May 2017 00:26:48 +0000 (17:26 -0700)]
usb: gadget: f_mass_storage: Serialize wake and sleep execution

commit dc9217b69dd6089dcfeb86ed4b3c671504326087 upstream.

f_mass_storage has a memorry barrier issue with the sleep and wake
functions that can cause a deadlock. This results in intermittent hangs
during MSC file transfer. The host will reset the device after receiving
no response to resume the transfer. This issue is seen when dwc3 is
processing 2 transfer-in-progress events at the same time, invoking
completion handlers for CSW and CBW. Also this issue occurs depending on
the system timing and latency.

To increase the chance to hit this issue, you can force dwc3 driver to
wait and process those 2 events at once by adding a small delay (~100us)
in dwc3_check_event_buf() whenever the request is for CSW and read the
event count again. Avoid debugging with printk and ftrace as extra
delays and memory barrier will mask this issue.

Scenario which can lead to failure:
1) The main thread sleeps and waits for the next command in
2) bulk_in_complete() wakes up main thread for CSW.
3) bulk_out_complete() tries to wake up the running main thread for CBW.
4) thread_wakeup_needed is not loaded with correct value in
5) Main thread goes to sleep again.

The pattern is shown below. Note the 2 critical variables.
 * common->thread_wakeup_needed
 * bh->state

CPU 0 (sleep_thread) CPU 1 (wakeup_thread)
==============================  ===============================

bh->state = BH_STATE_FULL;
thread_wakeup_needed = 0; thread_wakeup_needed = 1;
if (bh->state != BH_STATE_FULL)
sleep again ...

As pointed out by Alan Stern, this is an R-pattern issue. The issue can
be seen when there are two wakeups in quick succession. The
thread_wakeup_needed can be overwritten in sleep_thread, and the read of
the bh->state maybe reordered before the write to thread_wakeup_needed.

This patch applies full memory barrier smp_mb() in both sleep_thread()
and wakeup_thread() to ensure the order which the thread_wakeup_needed
and bh->state are written and loaded.

However, a better solution in the future would be to use wait_queue
method that takes care of managing memory barrier between waker and

Acked-by: Alan Stern <>
Signed-off-by: Thinh Nguyen <>
Signed-off-by: Felipe Balbi <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agonet: phy: fix marvell phy status reading
Russell King [Tue, 30 May 2017 15:21:51 +0000 (16:21 +0100)]
net: phy: fix marvell phy status reading

commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream.

The Marvell driver incorrectly provides phydev->lp_advertising as the
logical and of the link partner's advert and our advert.  This is
incorrect - this field is supposed to store the link parter's unmodified

This allows ethtool to report the correct link partner auto-negotiation

Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix")
Signed-off-by: Russell King <>
Reviewed-by: Andrew Lunn <>
Reviewed-by: Florian Fainelli <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agoext4: fix fdatasync(2) after extent manipulation operations
Jan Kara [Mon, 29 May 2017 17:24:55 +0000 (13:24 -0400)]
ext4: fix fdatasync(2) after extent manipulation operations

commit 67a7d5f561f469ad2fa5154d2888258ab8e6df7c upstream.

Currently, extent manipulation operations such as hole punch, range
zeroing, or extent shifting do not record the fact that file data has
changed and thus fdatasync(2) has a work to do. As a result if we crash
e.g. after a punch hole and fdatasync, user can still possibly see the
punched out data after journal replay. Test generic/392 fails due to
these problems.

Fix the problem by properly marking that file data has changed in these

Fixes: a4bb6b64e39abc0e41ca077725f2a72c868e7622
Signed-off-by: Jan Kara <>
Signed-off-by: Theodore Ts'o <>
[bwh: Backported to 3.2: Only the punch-hole operation is supported, and
 it's in extents.c.]
Signed-off-by: Ben Hutchings <>
4 years agoext4: fix data corruption for mmap writes
Jan Kara [Fri, 26 May 2017 21:45:45 +0000 (17:45 -0400)]
ext4: fix data corruption for mmap writes

commit a056bdaae7a181f7dcc876cfab2f94538e508709 upstream.

mpage_submit_page() can race with another process growing i_size and
writing data via mmap to the written-back page. As mpage_submit_page()
samples i_size too early, it may happen that ext4_bio_write_page()
zeroes out too large tail of the page and thus corrupts user data.

Fix the problem by sampling i_size only after the page has been
write-protected in page tables by clear_page_dirty_for_io() call.

Reported-by: Michael Zimmer <>
Fixes: cb20d5188366f04d96d2e07b1240cc92170ade40
Signed-off-by: Jan Kara <>
Signed-off-by: Theodore Ts'o <>
[bwh: Backported to 3.2: The writeback path is very different here and
 it needs to read i_size long before calling clear_page_dirty_for_io().
 So read it twice and skip the page if it changed.]
Signed-off-by: Ben Hutchings <>
4 years agonet: ethernet: ax88796: don't call free_irq without request_irq first
Uwe Kleine-König [Thu, 25 May 2017 20:54:53 +0000 (22:54 +0200)]
net: ethernet: ax88796: don't call free_irq without request_irq first

commit 82533ad9a1ce3a7a6863849a552c2cc041b55e0d upstream.

The function ax_init_dev (which is called only from the driver's .probe
function) calls free_irq in the error path without having requested the
irq in the first place. So drop the free_irq call in the error path.

Fixes: 825a2ff1896e ("AX88796 network driver")
Signed-off-by: Uwe Kleine-König <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agoscsi: qla2xxx: don't disable a not previously enabled PCI device
Johannes Thumshirn [Tue, 23 May 2017 14:50:47 +0000 (16:50 +0200)]
scsi: qla2xxx: don't disable a not previously enabled PCI device

commit ddff7ed45edce4a4c92949d3c61cd25d229c4a14 upstream.

When pci_enable_device() or pci_enable_device_mem() fail in
qla2x00_probe_one() we bail out but do a call to
pci_disable_device(). This causes the dev_WARN_ON() in
pci_disable_device() to trigger, as the device wasn't enabled

So instead of taking the 'probe_out' error path we can directly return
*iff* one of the pci_enable_device() calls fails.

Additionally rename the 'probe_out' goto label's name to the more
descriptive 'disable_device'.

Signed-off-by: Johannes Thumshirn <>
Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
Reviewed-by: Bart Van Assche <>
Reviewed-by: Giridhar Malavali <>
Signed-off-by: Martin K. Petersen <>
Signed-off-by: Ben Hutchings <>
4 years agoASoC: Fix use-after-free at card unregistration
Takashi Iwai [Wed, 24 May 2017 08:19:45 +0000 (10:19 +0200)]
ASoC: Fix use-after-free at card unregistration

commit 4efda5f2130da033aeedc5b3205569893b910de2 upstream.

soc_cleanup_card_resources() call snd_card_free() at the last of its
procedure.  This turned out to lead to a use-after-free.
PCM runtimes have been already removed via soc_remove_pcm_runtimes(),
while it's dereferenced later in soc_pcm_free() called via

The fix is simple: just move the snd_card_free() call to the beginning
of the whole procedure.  This also gives another benefit: it
guarantees that all operations have been shut down before actually
releasing the resources, which was racy until now.

Reported-and-tested-by: Robert Jarzmik <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Mark Brown <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agonetfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
Liping Zhang [Sat, 20 May 2017 23:22:49 +0000 (07:22 +0800)]
netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize

commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 upstream.

If nf_conntrack_htable_size was adjusted by the user during the ct
dump operation, we may invoke nf_ct_put twice for the same ct, i.e.
the "last" ct. This will cause the ct will be freed but still linked
in hash buckets.

It's very easy to reproduce the problem by the following commands:
  # while : ; do
  echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets
  # while : ; do
  conntrack -L
  # iperf -s &
  # iperf -c -P 60 -t 36000

After a while, the system will hang like this:
  NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184]
  NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382]

So at last if we find cb->args[1] is equal to "last", this means hash
resize happened, then we can set cb->args[1] to 0 to fix the above

Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
Signed-off-by: Liping Zhang <>
Signed-off-by: Pablo Neira Ayuso <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agodmaengine: ep93xx: Always start from BASE0
Alexander Sverdlin [Mon, 22 May 2017 14:05:22 +0000 (16:05 +0200)]
dmaengine: ep93xx: Always start from BASE0

commit 0037ae47812b1f431cc602100d1d51f37d77b61e upstream.

The current buffer is being reset to zero on device_free_chan_resources()
but not on device_terminate_all(). It could happen that HW is restarted and
expects BASE0 to be used, but the driver is not synchronized and will start
from BASE1. One solution is to reset the buffer explicitly in

Signed-off-by: Alexander Sverdlin <>
Signed-off-by: Vinod Koul <>
Signed-off-by: Ben Hutchings <>
4 years agodrm/gma500/psb: Actually use VBT mode when it is found
Patrik Jakobsson [Tue, 18 Apr 2017 11:43:32 +0000 (13:43 +0200)]
drm/gma500/psb: Actually use VBT mode when it is found

commit 82bc9a42cf854fdf63155759c0aa790bd1f361b0 upstream.

With LVDS we were incorrectly picking the pre-programmed mode instead of
the prefered mode provided by VBT. Make sure we pick the VBT mode if
one is provided. It is likely that the mode read-out code is still wrong
but this patch fixes the immediate problem on most machines.

Signed-off-by: Patrik Jakobsson <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agolibceph: NULL deref on crush_decode() error path
Dan Carpenter [Tue, 23 May 2017 14:25:10 +0000 (17:25 +0300)]
libceph: NULL deref on crush_decode() error path

commit 293dffaad8d500e1a5336eeb90d544cf40d4fbd8 upstream.

If there is not enough space then ceph_decode_32_safe() does a goto bad.
We need to return an error code in that situation.  The current code
returns ERR_PTR(0) which is NULL.  The callers are not expecting that
and it results in a NULL dereference.

Fixes: f24e9980eb86 ("ceph: OSD client")
Signed-off-by: Dan Carpenter <>
Reviewed-by: Ilya Dryomov <>
Signed-off-by: Ilya Dryomov <>
Signed-off-by: Ben Hutchings <>
4 years agoblock: fix an error code in add_partition()
Dan Carpenter [Tue, 23 May 2017 14:28:36 +0000 (17:28 +0300)]
block: fix an error code in add_partition()

commit 7bd897cfce1eb373892d35d7f73201b0f9b221c4 upstream.

We don't set an error code on this path.  It means that we return NULL
instead of an error pointer and the caller does a NULL dereference.

Fixes: 6d1d8050b4bc ("block, partition: add partition_meta_info to hd_struct")
Signed-off-by: Dan Carpenter <>
Signed-off-by: Jens Axboe <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoALSA: hda - apply STAC_9200_DELL_M22 quirk for Dell Latitude D430
Alexander Tsoy [Mon, 22 May 2017 17:58:11 +0000 (20:58 +0300)]
ALSA: hda - apply STAC_9200_DELL_M22 quirk for Dell Latitude D430

commit 1fc2e41f7af4572b07190f9dec28396b418e9a36 upstream.

This model is actually called 92XXM2-8 in Windows driver. But since pin
configs for M22 and M28 are identical, just reuse M22 quirk.

Fixes external microphone (tested) and probably docking station ports
(not tested).

Signed-off-by: Alexander Tsoy <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
4 years agocrypto: gcm - wait for crypto op not signal safe
Gilad Ben-Yossef [Thu, 18 May 2017 13:29:25 +0000 (16:29 +0300)]
crypto: gcm - wait for crypto op not signal safe

commit f3ad587070d6bd961ab942b3fd7a85d00dfc934b upstream.

crypto_gcm_setkey() was using wait_for_completion_interruptible() to
wait for completion of async crypto op but if a signal occurs it
may return before DMA ops of HW crypto provider finish, thus
corrupting the data buffer that is kfree'ed in this case.

Resolve this by using wait_for_completion() instead.

Reported-by: Eric Biggers <>
Signed-off-by: Gilad Ben-Yossef <>
Signed-off-by: Herbert Xu <>
Signed-off-by: Ben Hutchings <>
4 years agoi2c: i2c-tiny-usb: fix buffer not being DMA capable
Sebastian Reichel [Fri, 5 May 2017 09:06:50 +0000 (11:06 +0200)]
i2c: i2c-tiny-usb: fix buffer not being DMA capable

commit 5165da5923d6c7df6f2927b0113b2e4d9288661e upstream.

Since v4.9 i2c-tiny-usb generates the below call trace
and longer works, since it can't communicate with the
USB device. The reason is, that since v4.9 the USB
stack checks, that the buffer it should transfer is DMA
capable. This was a requirement since v2.2 days, but it
usually worked nevertheless.

[   17.504959] ------------[ cut here ]------------
[   17.505488] WARNING: CPU: 0 PID: 93 at drivers/usb/core/hcd.c:1587 usb_hcd_map_urb_for_dma+0x37c/0x570
[   17.506545] transfer buffer not dma capable
[   17.507022] Modules linked in:
[   17.507370] CPU: 0 PID: 93 Comm: i2cdetect Not tainted 4.11.0-rc8+ #10
[   17.508103] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   17.509039] Call Trace:
[   17.509320]  ? dump_stack+0x5c/0x78
[   17.509714]  ? __warn+0xbe/0xe0
[   17.510073]  ? warn_slowpath_fmt+0x5a/0x80
[   17.510532]  ? nommu_map_sg+0xb0/0xb0
[   17.510949]  ? usb_hcd_map_urb_for_dma+0x37c/0x570
[   17.511482]  ? usb_hcd_submit_urb+0x336/0xab0
[   17.511976]  ? wait_for_completion_timeout+0x12f/0x1a0
[   17.512549]  ? wait_for_completion_timeout+0x65/0x1a0
[   17.513125]  ? usb_start_wait_urb+0x65/0x160
[   17.513604]  ? usb_control_msg+0xdc/0x130
[   17.514061]  ? usb_xfer+0xa4/0x2a0
[   17.514445]  ? __i2c_transfer+0x108/0x3c0
[   17.514899]  ? i2c_transfer+0x57/0xb0
[   17.515310]  ? i2c_smbus_xfer_emulated+0x12f/0x590
[   17.515851]  ? _raw_spin_unlock_irqrestore+0x11/0x20
[   17.516408]  ? i2c_smbus_xfer+0x125/0x330
[   17.516876]  ? i2c_smbus_xfer+0x125/0x330
[   17.517329]  ? i2cdev_ioctl_smbus+0x1c1/0x2b0
[   17.517824]  ? i2cdev_ioctl+0x75/0x1c0
[   17.518248]  ? do_vfs_ioctl+0x9f/0x600
[   17.518671]  ? vfs_write+0x144/0x190
[   17.519078]  ? SyS_ioctl+0x74/0x80
[   17.519463]  ? entry_SYSCALL_64_fastpath+0x1e/0xad
[   17.519959] ---[ end trace d047c04982f5ac50 ]---

Signed-off-by: Sebastian Reichel <>
Reviewed-by: Greg Kroah-Hartman <>
Acked-by: Till Harbaum <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
4 years agoext4: keep existing extra fields when inode expands
Konstantin Khlebnikov [Mon, 22 May 2017 02:36:23 +0000 (22:36 -0400)]
ext4: keep existing extra fields when inode expands

commit 887a9730614727c4fff7cb756711b190593fc1df upstream.

ext4_expand_extra_isize() should clear only space between old and new

Fixes: 6dd4ee7cab7e # v2.6.23
Signed-off-by: Konstantin Khlebnikov <>
Signed-off-by: Theodore Ts'o <>
Signed-off-by: Ben Hutchings <>
4 years agoosf_wait4(): fix infoleak
Al Viro [Mon, 15 May 2017 01:47:25 +0000 (21:47 -0400)]
osf_wait4(): fix infoleak

commit a8c39544a6eb2093c04afd5005b6192bd0e880c6 upstream.

failing sys_wait4() won't fill struct rusage...

Signed-off-by: Al Viro <>
Signed-off-by: Ben Hutchings <>
4 years agoKVM: x86: zero base3 of unusable segments
Radim Krčmář [Thu, 18 May 2017 17:37:30 +0000 (19:37 +0200)]
KVM: x86: zero base3 of unusable segments

commit f0367ee1d64d27fa08be2407df5c125442e885e3 upstream.

Static checker noticed that base3 could be used uninitialized if the
segment was not present (useable).  Random stack values probably would
not pass VMCS entry checks.

Reported-by: Dan Carpenter <>
Fixes: 1aa366163b8b ("KVM: x86 emulator: consolidate segment accessors")
Reviewed-by: Paolo Bonzini <>
Reviewed-by: David Hildenbrand <>
Signed-off-by: Radim Krčmář <>
Signed-off-by: Ben Hutchings <>
4 years agoKVM: x86: fix use of uninitialized memory as segment descriptor in emulator.
Gleb Natapov [Mon, 21 Jan 2013 13:36:48 +0000 (15:36 +0200)]
KVM: x86: fix use of uninitialized memory as segment descriptor in emulator.

commit 378a8b099fc207ddcb91b19a8c1457667e0af398 upstream.

If VMX reports segment as unusable, zero descriptor passed by the emulator
before returning. Such descriptor will be considered not present by the

Signed-off-by: Gleb Natapov <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Ben Hutchings <>
4 years agoKVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
Wanpeng Li [Fri, 19 May 2017 09:46:56 +0000 (02:46 -0700)]
KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation

commit cbfc6c9184ce71b52df4b1d82af5afc81a709178 upstream.

Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation.

- "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only,
  a read should be ignored) in guest can get a random number.
- "rep insb" instruction to access PIT register port 0x43 can control memcpy()
  in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes,
  which will disclose the unimportant kernel memory in host but no crash.

The similar test program below can reproduce the read out-of-bounds vulnerability:

void hexdump(void *mem, unsigned int len)
        unsigned int i, j;

        for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
                /* print offset */
                if(i % HEXDUMP_COLS == 0)
                        printf("0x%06x: ", i);

                /* print hex data */
                if(i < len)
                        printf("%02x ", 0xFF & ((char*)mem)[i]);
                else /* end of block, just aligning for ASCII dump */
                        printf("   ");

                /* print ASCII dump */
                if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1))
                        for(j = i - (HEXDUMP_COLS - 1); j <= i; j++)
                                if(j >= len) /* end of block, not really printing */
                                        putchar(' ');
                                else if(isprint(((char*)mem)[j])) /* printable char */
                                        putchar(0xFF & ((char*)mem)[j]);
                                else /* other char */

int main(void)
int i;
if (iopl(3))
err(1, "set iopl unsuccessfully\n");
return -1;
static char buf[0x40];

/* test ioport 0x40,0x41,0x42,0x43,0x44,0x45 */

memset(buf, 0xab, sizeof(buf));

asm volatile("push %rdi;");
asm volatile("mov %0, %%rdi;"::"q"(buf));

asm volatile ("mov $0x40, %rdx;");
asm volatile ("in %dx,%al;");
asm volatile ("stosb;");

asm volatile ("mov $0x41, %rdx;");
asm volatile ("in %dx,%al;");
asm volatile ("stosb;");

asm volatile ("mov $0x42, %rdx;");
asm volatile ("in %dx,%al;");
asm volatile ("stosb;");

asm volatile ("mov $0x43, %rdx;");
asm volatile ("in %dx,%al;");
asm volatile ("stosb;");

asm volatile ("mov $0x44, %rdx;");
asm volatile ("in %dx,%al;");
asm volatile ("stosb;");

asm volatile ("mov $0x45, %rdx;");
asm volatile ("in %dx,%al;");
asm volatile ("stosb;");

asm volatile ("pop %rdi;");
hexdump(buf, 0x40);


/* ins port 0x40 */

memset(buf, 0xab, sizeof(buf));

asm volatile("push %rdi;");
asm volatile("mov %0, %%rdi;"::"q"(buf));

asm volatile ("mov $0x20, %rcx;");
asm volatile ("mov $0x40, %rdx;");
asm volatile ("rep insb;");

asm volatile ("pop %rdi;");
hexdump(buf, 0x40);


/* ins port 0x43 */

memset(buf, 0xab, sizeof(buf));

asm volatile("push %rdi;");
asm volatile("mov %0, %%rdi;"::"q"(buf));

asm volatile ("mov $0x20, %rcx;");
asm volatile ("mov $0x43, %rdx;");
asm volatile ("rep insb;");

asm volatile ("pop %rdi;");
hexdump(buf, 0x40);

return 0;

The vcpu->arch.pio_data buffer is used by both in/out instrutions emulation
w/o clear after using which results in some random datas are left over in
the buffer. Guest reads port 0x43 will be ignored since it is write only,
however, the function kernel_pio() can't distigush this ignore from successfully
reads data from device's ioport. There is no new data fill the buffer from
port 0x43, however, emulator_pio_in_emulated() will copy the stale data in
the buffer to the guest unconditionally. This patch fixes it by clearing the
buffer before in instruction emulation to avoid to grant guest the stale data
in the buffer.

In addition, string I/O is not supported for in kernel device. So there is no
iteration to read ioport %RCX times for string I/O. The function kernel_pio()
just reads one round, and then copy the io size * %RCX to the guest unconditionally,
actually it copies the one round ioport data w/ other random datas which are left
over in the vcpu->arch.pio_data buffer to the guest. This patch fixes it by
introducing the string I/O support for in kernel device in order to grant the right
ioport datas to the guest.

Before the patch:

0x000000: fe 38 93 93 ff ff ab ab .8......
0x000008: ab ab ab ab ab ab ab ab ........
0x000010: ab ab ab ab ab ab ab ab ........
0x000018: ab ab ab ab ab ab ab ab ........
0x000020: ab ab ab ab ab ab ab ab ........
0x000028: ab ab ab ab ab ab ab ab ........
0x000030: ab ab ab ab ab ab ab ab ........
0x000038: ab ab ab ab ab ab ab ab ........

0x000000: f6 00 00 00 00 00 00 00 ........
0x000008: 00 00 00 00 00 00 00 00 ........
0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
0x000018: 30 30 20 33 20 20 20 20 00 3
0x000020: ab ab ab ab ab ab ab ab ........
0x000028: ab ab ab ab ab ab ab ab ........
0x000030: ab ab ab ab ab ab ab ab ........
0x000038: ab ab ab ab ab ab ab ab ........

0x000000: f6 00 00 00 00 00 00 00 ........
0x000008: 00 00 00 00 00 00 00 00 ........
0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
0x000018: 30 30 20 33 20 20 20 20 00 3
0x000020: ab ab ab ab ab ab ab ab ........
0x000028: ab ab ab ab ab ab ab ab ........
0x000030: ab ab ab ab ab ab ab ab ........
0x000038: ab ab ab ab ab ab ab ab ........

After the patch:

0x000000: 1e 02 f8 00 ff ff ab ab ........
0x000008: ab ab ab ab ab ab ab ab ........
0x000010: ab ab ab ab ab ab ab ab ........
0x000018: ab ab ab ab ab ab ab ab ........
0x000020: ab ab ab ab ab ab ab ab ........
0x000028: ab ab ab ab ab ab ab ab ........
0x000030: ab ab ab ab ab ab ab ab ........
0x000038: ab ab ab ab ab ab ab ab ........

0x000000: d2 e2 d2 df d2 db d2 d7 ........
0x000008: d2 d3 d2 cf d2 cb d2 c7 ........
0x000010: d2 c4 d2 c0 d2 bc d2 b8 ........
0x000018: d2 b4 d2 b0 d2 ac d2 a8 ........
0x000020: ab ab ab ab ab ab ab ab ........
0x000028: ab ab ab ab ab ab ab ab ........
0x000030: ab ab ab ab ab ab ab ab ........
0x000038: ab ab ab ab ab ab ab ab ........

0x000000: 00 00 00 00 00 00 00 00 ........
0x000008: 00 00 00 00 00 00 00 00 ........
0x000010: 00 00 00 00 00 00 00 00 ........
0x000018: 00 00 00 00 00 00 00 00 ........
0x000020: ab ab ab ab ab ab ab ab ........
0x000028: ab ab ab ab ab ab ab ab ........
0x000030: ab ab ab ab ab ab ab ab ........
0x000038: ab ab ab ab ab ab ab ab ........

Reported-by: Moguofang <>
Cc: Paolo Bonzini <>
Cc: Radim Krčmář <>
Cc: Moguofang <>
Signed-off-by: Wanpeng Li <>
Signed-off-by: Radim Krčmář <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agopowerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
Michael Ellerman [Thu, 18 May 2017 10:37:31 +0000 (20:37 +1000)]
powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash

commit e41e53cd4fe331d0d1f06f8e4ed7e2cc63ee2c34 upstream.

virt_addr_valid() is supposed to tell you if it's OK to call virt_to_page() on
an address. What this means in practice is that it should only return true for
addresses in the linear mapping which are backed by a valid PFN.

We are failing to properly check that the address is in the linear mapping,
because virt_to_pfn() will return a valid looking PFN for more or less any
address. That bug is actually caused by __pa(), used in virt_to_pfn().

eg: __pa(0xc000000000010000) = 0x10000  # Good
    __pa(0xd000000000010000) = 0x10000  # Bad!
    __pa(0x0000000000010000) = 0x10000  # Bad!

This started happening after commit bdbc29c19b26 ("powerpc: Work around gcc
miscompilation of __pa() on 64-bit") (Aug 2013), where we changed the definition
of __pa() to work around a GCC bug. Prior to that we subtracted PAGE_OFFSET from
the value passed to __pa(), meaning __pa() of a 0xd or 0x0 address would give
you something bogus back.

Until we can verify if that GCC bug is no longer an issue, or come up with
another solution, this commit does the minimal fix to make virt_addr_valid()
work, by explicitly checking that the address is in the linear mapping region.

Fixes: bdbc29c19b26 ("powerpc: Work around gcc miscompilation of __pa() on 64-bit")
Signed-off-by: Michael Ellerman <>
Reviewed-by: Paul Mackerras <>
Reviewed-by: Balbir Singh <>
Tested-by: Breno Leitao <>
[bwh: Backported to 3.2: open-code virt_to_pfn()]
Signed-off-by: Ben Hutchings <>
4 years agowatchdog: pcwd_usb: fix NULL-deref at probe
Johan Hovold [Mon, 13 Mar 2017 12:49:45 +0000 (13:49 +0100)]
watchdog: pcwd_usb: fix NULL-deref at probe

commit 46c319b848268dab3f0e7c4a5b6e9146d3bca8a4 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
Reviewed-by: Guenter Roeck <>
Signed-off-by: Guenter Roeck <>
Signed-off-by: Wim Van Sebroeck <>
Signed-off-by: Ben Hutchings <>
4 years agodrivers: char: mem: Check for address space wraparound with mmap()
Julius Werner [Fri, 12 May 2017 21:42:58 +0000 (14:42 -0700)]
drivers: char: mem: Check for address space wraparound with mmap()

commit b299cde245b0b76c977f4291162cf668e087b408 upstream.

/dev/mem currently allows mmap() mappings that wrap around the end of
the physical address space, which should probably be illegal. It
circumvents the existing STRICT_DEVMEM permission check because the loop
immediately terminates (as the start address is already higher than the
end address). On the x86_64 architecture it will then cause a panic
(from the BUG(start >= end) in arch/x86/mm/pat.c:reserve_memtype()).

This patch adds an explicit check to make sure offset + size will not
wrap around in the physical address type.

Signed-off-by: Julius Werner <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agousb: musb: tusb6010_omap: Do not reset the other direction's packet size
Peter Ujfalusi [Wed, 17 May 2017 16:23:11 +0000 (11:23 -0500)]
usb: musb: tusb6010_omap: Do not reset the other direction's packet size

commit 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 upstream.

We have one register for each EP to set the maximum packet size for both
TX and RX.
If for example an RX programming would happen before the previous TX
transfer finishes we would reset the TX packet side.

To fix this issue, only modify the TX or RX part of the register.

Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
Signed-off-by: Peter Ujfalusi <>
Tested-by: Tony Lindgren <>
Signed-off-by: Bin Liu <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: xhci: fix lock-inversion problem
Alan Stern [Wed, 17 May 2017 15:32:03 +0000 (18:32 +0300)]
USB: xhci: fix lock-inversion problem

commit 63aea0dbab90a2461faaae357cbc8cfd6c8de9fe upstream.

With threaded interrupts, bottom-half handlers are called with
interrupts enabled.  Therefore they can't safely use spin_lock(); they
have to use spin_lock_irqsave().  Lockdep warns about a violation
occurring in xhci_irq():

[ INFO: possible irq lock inversion dependency detected ]
4.11.0-rc8-dbg+ #1 Not tainted
swapper/7/0 just changed the state of lock:
 (&(&ehci->lock)->rlock){-.-...}, at: [<ffffffffa0130a69>]
ehci_hrtimer_func+0x29/0xc0 [ehci_hcd]
but this lock took another, HARDIRQ-unsafe lock in the past:

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
 *** DEADLOCK ***

no locks held by swapper/7/0.
the shortest dependencies between 2nd lock and 1st lock:
 -> (hcd_urb_list_lock){+.....} ops: 252 {
    HARDIRQ-ON-W at:
                      usb_hcd_unlink_urb_from_ep+0x1b/0x60 [usbcore]
                      xhci_giveback_urb_in_irq.isra.45+0x70/0x1b0 [xhci_hcd]
                      finish_td.constprop.60+0x1d8/0x2e0 [xhci_hcd]
                      xhci_irq+0xdd6/0x1fa0 [xhci_hcd]
                      usb_hcd_irq+0x26/0x40 [usbcore]

This patch fixes the problem.

Signed-off-by: Alan Stern <>
Reported-and-tested-by: Bart Van Assche <>
Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agousb: host: xhci: simplify irq handler return
Felipe Balbi [Mon, 23 Jan 2017 12:20:07 +0000 (14:20 +0200)]
usb: host: xhci: simplify irq handler return

commit 76a35293b901915c5dcb4a87a4a0da8d7caf39fe upstream.

Instead of having several return points, let's use a local variable and
a single place to return. This makes the code slightly easier to read.

[set ret = IRQ_HANDLED in default working case  -Mathias]
Signed-off-by: Felipe Balbi <>
Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agousb: host: xhci-mem: allocate zeroed Scratchpad Buffer
Peter Chen [Wed, 17 May 2017 15:32:01 +0000 (18:32 +0300)]
usb: host: xhci-mem: allocate zeroed Scratchpad Buffer

commit 7480d912d549f414e0ce39331870899e89a5598c upstream.

According to xHCI ch4.20 Scratchpad Buffers, the Scratchpad
Buffer needs to be zeroed.

The following operations take place to allocate
        Scratchpad Buffers to the xHC:
b. Software clears the Scratchpad Buffer to '0'

Signed-off-by: Peter Chen <>
Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: we only do one allocation for scratchpad buffers]
Signed-off-by: Ben Hutchings <>
4 years agoxhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
Mathias Nyman [Wed, 17 May 2017 15:32:00 +0000 (18:32 +0300)]
xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton

commit a0c16630d35a874e82bdf2088f58ecaca1024315 upstream.

Intel Denverton microserver is Atom based and need the PME and CAS quirks
as well.

Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agousb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake
Wan Ahmad Zainie [Tue, 3 Jan 2017 16:28:52 +0000 (18:28 +0200)]
usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake

commit 6c97cfc1a097b1e0786c836e92b7a72b4d031e25 upstream.

Intel Apollo Lake also requires XHCI_PME_STUCK_QUIRK.
Adding its PCI ID to quirk.

Signed-off-by: Wan Ahmad Zainie <>
Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoxhci: workaround for hosts missing CAS bit
Mathias Nyman [Thu, 20 Oct 2016 15:09:19 +0000 (18:09 +0300)]
xhci: workaround for hosts missing CAS bit

commit 346e99736c3ce328fd42d678343b70243aca5f36 upstream.

If a device is unplugged and replugged during Sx system suspend
some  Intel xHC hosts will overwrite the CAS (Cold attach status) flag
and no device connection is noticed in resume.

A device in this state can be identified in resume if its link state
is in polling or compliance mode, and the current connect status is 0.
A device in this state needs to be warm reset.

Intel 100/c230 series PCH specification update Doc #332692-006 Errata #8

Observed on Cherryview and Apollolake as they go into compliance mode
if LFPS times out during polling, and re-plugged devices are not
discovered at resume.

Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agotracing/kprobes: Enforce kprobes teardown after testing
Thomas Gleixner [Wed, 17 May 2017 08:19:49 +0000 (10:19 +0200)]
tracing/kprobes: Enforce kprobes teardown after testing

commit 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd upstream.

Enabling the tracer selftest triggers occasionally the warning in
text_poke(), which warns when the to be modified page is not marked

The reason is that the tracer selftest installs kprobes on functions marked
__init for testing. These probes are removed after the tests, but that
removal schedules the delayed kprobes_optimizer work, which will do the
actual text poke. If the work is executed after the init text is freed,
then the warning triggers. The bug can be reproduced reliably when the work
delay is increased.

Flush the optimizer work and wait for the optimizing/unoptimizing lists to
become empty before returning from the kprobes tracer selftest. That
ensures that all operations which were queued due to the probes removal
have completed.

Signed-off-by: Thomas Gleixner <>
Acked-by: Masami Hiramatsu <>
Fixes: 6274de498 ("kprobes: Support delayed unoptimizing")
Signed-off-by: Steven Rostedt (VMware) <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoof: fdt: add missing allocation-failure check
Johan Hovold [Wed, 17 May 2017 15:29:09 +0000 (17:29 +0200)]
of: fdt: add missing allocation-failure check

commit 49e67dd17649b60b4d54966e18ec9c80198227f0 upstream.

The memory allocator passed to __unflatten_device_tree() (e.g. a wrapped
kzalloc) can fail so add the missing sanity check to avoid dereferencing
a NULL pointer.

Fixes: fe14042358fa ("of/flattree: Refactor unflatten_device_tree and add fdt_unflatten_tree")
Signed-off-by: Johan Hovold <>
Signed-off-by: Rob Herring <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agomac80211: strictly check mesh address extension mode
Rajkumar Manoharan [Mon, 15 May 2017 04:41:55 +0000 (21:41 -0700)]
mac80211: strictly check mesh address extension mode

commit 5667c86acf021e6dcf02584408b4484a273ac68f upstream.

Mesh forwarding path checks for address extension mode to fetch
appropriate proxied address and MPP address. Existing condition
that looks for 6 address format is not strict enough so that
frames with improper values are processed and invalid entries
are added into MPP table. Fix that by adding a stricter check before
processing the packet.

Per IEEE Std 802.11s-2011 spec. Table 7-6g1 lists address extension
mode 0x3 as reserved one. And also Table Table 9-13 does not specify
0x3 as valid address field.

Fixes: 9b395bc3be1c ("mac80211: verify that skb data is present")
Signed-off-by: Rajkumar Manoharan <>
Signed-off-by: Johannes Berg <>
[bwh: Backported to 3.2: add mesh_flags variable in ieee80211_data_to_8023(),
 added separately upstream]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: hub: fix SS max number of ports
Johan Hovold [Wed, 10 May 2017 16:18:29 +0000 (18:18 +0200)]
USB: hub: fix SS max number of ports

commit 93491ced3c87c94b12220dbac0527e1356702179 upstream.

Add define for the maximum number of ports on a SuperSpeed hub as per
USB 3.1 spec Table 10-5, and use it when verifying the retrieved hub

This specifically avoids benign attempts to update the DeviceRemovable
mask for non-existing ports (should we get that far).

Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
Acked-by: Alan Stern <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2:
 - Add maxchild variable in hub_configure(), which was added separately upstream
 - Adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: hub: fix non-SS hub-descriptor handling
Johan Hovold [Wed, 10 May 2017 16:18:28 +0000 (18:18 +0200)]
USB: hub: fix non-SS hub-descriptor handling

commit bec444cd1c94c48df409a35ad4e5b143c245c3f7 upstream.

Add missing sanity check on the non-SuperSpeed hub-descriptor length in
order to avoid parsing and leaking two bytes of uninitialised slab data
through sysfs removable-attributes (or a compound-device debug

Note that we only make sure that the DeviceRemovable field is always
present (and specifically ignore the unused PortPwrCtrlMask field) in
order to continue support any hubs with non-compliant descriptors. As a
further safeguard, the descriptor buffer is also cleared.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: hub: fix SS hub-descriptor handling
Johan Hovold [Wed, 10 May 2017 16:18:27 +0000 (18:18 +0200)]
USB: hub: fix SS hub-descriptor handling

commit 2c25a2c818023df64463aac3288a9f969491e507 upstream.

A SuperSpeed hub descriptor does not have any variable-length fields so
bail out when reading a short descriptor.

This avoids parsing and leaking two bytes of uninitialised slab data
through sysfs removable-attributes.

Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
Cc: John Youn <>
Acked-by: Alan Stern <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: usbip: fix nonconforming hub descriptor
Johan Hovold [Wed, 10 May 2017 16:18:26 +0000 (18:18 +0200)]
USB: usbip: fix nonconforming hub descriptor

commit ec963b412a54aac8e527708ecad06a6988a86fb4 upstream.

Fix up the root-hub descriptor to accommodate the variable-length
DeviceRemovable and PortPwrCtrlMask fields, while marking all ports as
removable (and leaving the reserved bit zero unset).

Also add a build-time constraint on VHCI_HC_PORTS which must never be
greater than USB_MAXCHILDREN (but this was only enforced through a
KConfig constant).

This specifically fixes the descriptor layout whenever VHCI_HC_PORTS is
greater than seven (default is 8).

Fixes: 04679b3489e0 ("Staging: USB/IP: add client driver")
Cc: Takahiro Hirofuchi <>
Cc: Valentina Manea <>
Signed-off-by: Johan Hovold <>
Acked-by: Shuah Khan <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2:
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: gadget: dummy_hcd: fix hub-descriptor removable fields
Johan Hovold [Wed, 10 May 2017 16:18:25 +0000 (18:18 +0200)]
USB: gadget: dummy_hcd: fix hub-descriptor removable fields

commit d81182ce30dbd497a1e7047d7fda2af040347790 upstream.

Flag the first and only port as removable while also leaving the
remaining bits (including the reserved bit zero) unset in accordance
with the specifications:

"Within a byte, if no port exists for a given location, the bit
field representing the port characteristics shall be 0."

Also add a comment marking the legacy PortPwrCtrlMask field.

Fixes: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add SuperSpeed support")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: Tatyana Brokhman <>
Signed-off-by: Johan Hovold <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agousb: r8a66597-hcd: select a different endpoint on timeout
Chris Brandt [Thu, 27 Apr 2017 19:12:02 +0000 (12:12 -0700)]
usb: r8a66597-hcd: select a different endpoint on timeout

commit 1f873d857b6c2fefb4dada952674aa01bcfb92bd upstream.

If multiple endpoints on a single device have pending IN URBs and one
endpoint times out due to NAKs (perfectly legal), select a different
endpoint URB to try.
The existing code only checked to see another device address has pending
URBs and ignores other IN endpoints on the current device address. This
leads to endpoints never getting serviced if one endpoint is using NAK as
a flow control method.

Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659")
Signed-off-by: Chris Brandt <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agousb: r8a66597-hcd: decrease timeout
Chris Brandt [Thu, 27 Apr 2017 19:12:49 +0000 (12:12 -0700)]
usb: r8a66597-hcd: decrease timeout

commit dd14a3e9b92ac6f0918054f9e3477438760a4fa6 upstream.

The timeout for BULK packets was 300ms which is a long time if other
endpoints or devices are waiting for their turn. Changing it to 50ms
greatly increased the overall performance for multi-endpoint devices.

Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659")
Signed-off-by: Chris Brandt <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: iowarrior: fix info ioctl on big-endian hosts
Johan Hovold [Thu, 11 May 2017 09:36:02 +0000 (11:36 +0200)]
USB: iowarrior: fix info ioctl on big-endian hosts

commit dd5ca753fa92fb736b1395db892bd29f78e6d408 upstream.

Drop erroneous le16_to_cpu when returning the USB device speed which is
already in host byte order.

Found using sparse:

warning: cast to restricted __le16

Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agouwb: fix device quirk on big-endian hosts
Johan Hovold [Fri, 12 May 2017 10:06:32 +0000 (12:06 +0200)]
uwb: fix device quirk on big-endian hosts

commit 41318a2b82f5d5fe1fb408f6d6e0b22aa557111d upstream.

Add missing endianness conversion when using the USB device-descriptor
idProduct field to apply a hardware quirk.

Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: core: replace %p with %pK
Vamsi Krishna Samavedam [Tue, 16 May 2017 12:38:08 +0000 (14:38 +0200)]
USB: core: replace %p with %pK

commit 2f964780c03b73de269b08d12aff96a9618d13f3 upstream.

Format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with
Zeros. Debugging Note : &pK prints only Zeros as address. If you need
actual address information, write 0 to kptr_restrict.

echo 0 > /proc/sys/kernel/kptr_restrict

[Found by poking around in a random vendor kernel tree, it would be nice
if someone would actually send these types of patches upstream - gkh]

Signed-off-by: Vamsi Krishna Samavedam <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: drop changes in proc_reapurb*(), usbdev_do_ioctl(),
Signed-off-by: Ben Hutchings <>
4 years agoUSB: ene_usb6250: fix DMA to the stack
Alan Stern [Tue, 16 May 2017 15:47:29 +0000 (11:47 -0400)]
USB: ene_usb6250: fix DMA to the stack

commit 628c2893d44876ddd11602400c70606ade62e129 upstream.

The ene_usb6250 sub-driver in usb-storage does USB I/O to buffers on
the stack, which doesn't work with vmapped stacks.  This patch fixes
the problem by allocating a separate 512-byte buffer at probe time and
using it for all of the offending I/O operations.

Signed-off-by: Alan Stern <>
Reported-and-tested-by: Andreas Hartmann <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agotcp: eliminate negative reordering in tcp_clean_rtx_queue
Soheil Hassas Yeganeh [Mon, 15 May 2017 21:05:47 +0000 (17:05 -0400)]
tcp: eliminate negative reordering in tcp_clean_rtx_queue

commit bafbb9c73241760023d8981191ddd30bb1c6dbac upstream.

tcp_ack() can call tcp_fragment() which may dededuct the
value tp->fackets_out when MSS changes. When prior_fackets
is larger than tp->fackets_out, tcp_clean_rtx_queue() can
invoke tcp_update_reordering() with negative values. This
results in absurd tp->reodering values higher than

Note that tcp_update_reordering indeeds sets tp->reordering
to min(sysctl_tcp_max_reordering, metric), but because
the comparison is signed, a negative metric always wins.

Fixes: c7caf8d3ed7a ("[TCP]: Fix reord detection due to snd_una covered holes")
Reported-by: Rebecca Isaacs <>
Signed-off-by: Soheil Hassas Yeganeh <>
Signed-off-by: Neal Cardwell <>
Signed-off-by: Yuchung Cheng <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agoahci: Acer SA5-271 SSD Not Detected Fix
Sui Chen [Tue, 9 May 2017 12:47:22 +0000 (07:47 -0500)]
ahci: Acer SA5-271 SSD Not Detected Fix

commit 8bfd174312629866efa535193d9e563768ff4307 upstream.

(Correction in this resend: fixed function name acer_sa5_271_workaround; fixed
 the always-true condition in the function; fixed description.)

On the Acer Switch Alpha 12 (model number: SA5-271), the internal SSD may not
get detected because the port_map and CAP.nr_ports combination causes the driver
to skip the port that is actually connected to the SSD. More specifically,
either all SATA ports are identified as DUMMY, or all ports get ``link down''
and never get up again.

This problem occurs occasionally. When this problem occurs, CAP may hold a
value of 0xC734FF00 or 0xC734FF01 and port_map may hold a value of 0x00 or 0x01.
When this problem does not occur, CAP holds a value of 0xC734FF02 and port_map
may hold a value of 0x07. Overriding the CAP value to 0xC734FF02 and port_map to
0x7 significantly reduces the occurrence of this problem.

Signed-off-by: Sui Chen <>
Tested-by: Damian Ivanov <>
Signed-off-by: Tejun Heo <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: io_ti: fix div-by-zero in set_termios
Johan Hovold [Thu, 11 May 2017 09:41:21 +0000 (11:41 +0200)]
USB: serial: io_ti: fix div-by-zero in set_termios

commit 6aeb75e6adfaed16e58780309613a578fe1ee90b upstream.

Fix a division-by-zero in set_termios when debugging is enabled and a
high-enough speed has been requested so that the divisor value becomes

Instead of just fixing the offending debug statement, cap the baud rate
at the base as a zero divisor value also appears to crash the firmware.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: mct_u232: fix big-endian baud-rate handling
Johan Hovold [Thu, 11 May 2017 09:41:20 +0000 (11:41 +0200)]
USB: serial: mct_u232: fix big-endian baud-rate handling

commit 26cede343656c0bc2c33cdc783771282405c7fb2 upstream.

Drop erroneous cpu_to_le32 when setting the baud rate, something which
corrupted the divisor on big-endian hosts.

Found using sparse:

warning: incorrect type in argument 1 (different base types)
    expected unsigned int [unsigned] [usertype] val
    got restricted __le32 [usertype] <noident>

Fixes: af2ac1a091bc ("USB: serial mct_usb232: move DMA buffers to heap")
Reviewed-by: Greg Kroah-Hartman <>
Acked-By: Pete Zaitcev <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ir-usb: fix big-endian baud-rate debug printk
Johan Hovold [Thu, 11 May 2017 09:41:19 +0000 (11:41 +0200)]
USB: serial: ir-usb: fix big-endian baud-rate debug printk

commit ad0ccac76dcc92c3331f4c94c9fc54f8bf1ab20c upstream.

Add missing endianness conversion when printing the supported baud

Found using sparse:

warning: restricted __le16 degrades to integer

Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module")
Reviewed-by: Greg Kroah-Hartman <>
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ftdi_sio: fix setting latency for unprivileged users
Anthony Mallet [Fri, 5 May 2017 15:30:16 +0000 (17:30 +0200)]
USB: serial: ftdi_sio: fix setting latency for unprivileged users

commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream.

Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
flag") enables unprivileged users to set the FTDI latency timer,
but there was a logic flaw that skipped sending the corresponding
USB control message to the device.

Specifically, the device latency timer would not be updated until next
open, something which was later also inadvertently broken by commit
c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port

A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme
low-latency setting") disabled the low-latency mode by default so we now
need this fix to allow unprivileged users to again enable it.

Signed-off-by: Anthony Mallet <>
[johan: amend commit message]
Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe").
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agonet: irda: irda-usb: fix firmware name on big-endian hosts
Johan Hovold [Fri, 12 May 2017 10:11:13 +0000 (12:11 +0200)]
net: irda: irda-usb: fix firmware name on big-endian hosts

commit 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 upstream.

Add missing endianness conversion when using the USB device-descriptor
bcdDevice field to construct a firmware file name.

Fixes: 8ef80aef118e ("[IRDA]: irda-usb.c: STIR421x cleanups")
Cc: Nick Fedchik <>
Signed-off-by: Johan Hovold <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agotcp: avoid fragmenting peculiar skbs in SACK
Yuchung Cheng [Thu, 11 May 2017 00:01:27 +0000 (17:01 -0700)]
tcp: avoid fragmenting peculiar skbs in SACK

commit b451e5d24ba6687c6f0e7319c727a709a1846c06 upstream.

This patch fixes a bug in splitting an SKB during SACK
processing. Specifically if an skb contains multiple
packets and is only partially sacked in the higher sequences,
tcp_match_sack_to_skb() splits the skb and marks the second fragment
as SACKed.

The current code further attempts rounding up the first fragment
to MSS boundaries. But it misses a boundary condition when the
rounded-up fragment size (pkt_len) is exactly skb size.  Spliting
such an skb is pointless and causses a kernel warning and aborts
the SACK processing. This patch universally checks such over-split
before calling tcp_fragment to prevent these unnecessary warnings.

Fixes: adb92db857ee ("tcp: Make SACK code to split only at mss boundaries")
Signed-off-by: Yuchung Cheng <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: Soheil Hassas Yeganeh <>
Acked-by: Neal Cardwell <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoaf_key: Fix slab-out-of-bounds in pfkey_compile_policy.
Steffen Klassert [Fri, 5 May 2017 05:40:42 +0000 (07:40 +0200)]
af_key: Fix slab-out-of-bounds in pfkey_compile_policy.

commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 upstream.

The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.

Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov <>
Tested-by: Andrey Konovalov <>
Signed-off-by: Steffen Klassert <>
Signed-off-by: Ben Hutchings <>
4 years agoxfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
Sabrina Dubroca [Wed, 3 May 2017 14:43:19 +0000 (16:43 +0200)]
xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY

commit 9b3eb54106cf6acd03f07cf0ab01c13676a226c2 upstream.

When CONFIG_XFRM_SUB_POLICY=y, xfrm_dst stores a copy of the flowi for
that dst. Unfortunately, the code that allocates and fills this copy
doesn't care about what type of flowi (flowi, flowi4, flowi6) gets
passed. In multiple code paths (from raw_sendmsg, from TCP when
replying to a FIN, in vxlan, geneve, and gre), the flowi that gets
passed to xfrm is actually an on-stack flowi4, so we end up reading
stuff from the stack past the end of the flowi4 struct.

Since xfrm_dst->origin isn't used anywhere following commit
ca116922afa8 ("xfrm: Eliminate "fl" and "pol" args to
xfrm_bundle_ok()."), just get rid of it.  xfrm_dst->partner isn't used
either, so get rid of that too.

Fixes: 9d6ec938019c ("ipv4: Use flowi4 in public route lookup interfaces.")
Signed-off-by: Sabrina Dubroca <>
Signed-off-by: Steffen Klassert <>
[bwh: Backported to 3.2: deleted code is slightly different]
Signed-off-by: Ben Hutchings <>
4 years agoLinux 3.2.92 v3.2.92
Ben Hutchings [Sat, 26 Aug 2017 01:14:07 +0000 (02:14 +0100)]
Linux 3.2.92

4 years agopacket: fix tp_reserve race in packet_set_ring
Willem de Bruijn [Thu, 10 Aug 2017 16:41:58 +0000 (12:41 -0400)]
packet: fix tp_reserve race in packet_set_ring

commit c27927e372f0785f3303e8fad94b85945e2c97b7 upstream.

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <>
Signed-off-by: Willem de Bruijn <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agomqueue: fix a use-after-free in sys_mq_notify()
Cong Wang [Sun, 9 Jul 2017 20:19:55 +0000 (13:19 -0700)]
mqueue: fix a use-after-free in sys_mq_notify()

commit f991af3daabaecff34684fd51fac80319d1baad1 upstream.

The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
   release the file refcnt

so we when retry but the fd has been just closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path which releases the sock again, later when
the user-space closes this socket a use-after-free could be

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <>
Signed-off-by: Cong Wang <>
Cc: Andrew Morton <>
Cc: Manfred Spraul <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
4 years agotimerfd: Protect the might cancel mechanism proper
Thomas Gleixner [Tue, 31 Jan 2017 14:24:03 +0000 (15:24 +0100)]
timerfd: Protect the might cancel mechanism proper

commit 1e38da300e1e395a15048b0af1e5305bd91402f6 upstream.

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a seperate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Thomas Gleixner <>
Cc: ""
Cc: syzkaller <>
Cc: Al Viro <>
Signed-off-by: Thomas Gleixner <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoipv6: avoid overflow of offset in ip6_find_1stfragopt
Sabrina Dubroca [Wed, 19 Jul 2017 20:28:55 +0000 (22:28 +0200)]
ipv6: avoid overflow of offset in ip6_find_1stfragopt

commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 upstream.

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca <>
Acked-by: Hannes Frederic Sowa <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agox86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
Laura Abbott [Mon, 8 May 2017 21:23:16 +0000 (14:23 -0700)]
x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()

commit 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a upstream.

'__vmalloc_start_set' currently only gets set in initmem_init() when
!CONFIG_NEED_MULTIPLE_NODES. This breaks detection of vmalloc address
with virt_addr_valid() with CONFIG_NEED_MULTIPLE_NODES=y, causing
a kernel crash:

  [mm/usercopy] 517e1fbeb6: kernel BUG at arch/x86/mm/physaddr.c:78!

Set '__vmalloc_start_set' appropriately for that case as well.

Reported-by: kbuild test robot <>
Signed-off-by: Laura Abbott <>
Reviewed-by: Kees Cook <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Fixes: dc16ecf7fd1f ("x86-32: use specific __vmalloc_start_set flag in __virt_addr_valid")
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
4 years agofbdev: sti: don't select CONFIG_VT
Arnd Bergmann [Fri, 5 May 2017 15:25:12 +0000 (17:25 +0200)]
fbdev: sti: don't select CONFIG_VT

commit 34bf129a7f068e3108dbb051b4b05674e2a270e7 upstream.

While working on another build error, I ran into several variations of
this dependency loop:

subsection "Kconfig recursive dependency limitations"
drivers/input/Kconfig:8: symbol INPUT is selected by VT
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/tty/Kconfig:12: symbol VT is selected by FB_STI
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/video/fbdev/Kconfig:677: symbol FB_STI depends on FB
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/video/fbdev/Kconfig:5: symbol FB is selected by DRM_KMS_FB_HELPER
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/Kconfig:72: symbol DRM_KMS_FB_HELPER is selected by DRM_KMS_CMA_HELPER
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/Kconfig:137: symbol DRM_KMS_CMA_HELPER is selected by DRM_HDLCD
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/arm/Kconfig:6: symbol DRM_HDLCD depends on OF
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/of/Kconfig:4: symbol OF is selected by X86_INTEL_CE
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:523: symbol X86_INTEL_CE depends on X86_IO_APIC
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:1011: symbol X86_IO_APIC depends on X86_LOCAL_APIC
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:1005: symbol X86_LOCAL_APIC depends on X86_UP_APIC
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:980: symbol X86_UP_APIC depends on PCI_MSI
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/pci/Kconfig:11: symbol PCI_MSI is selected by AMD_IOMMU
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/iommu/Kconfig:106: symbol AMD_IOMMU depends on IOMMU_SUPPORT
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/iommu/Kconfig:5: symbol IOMMU_SUPPORT is selected by DRM_ETNAVIV
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/etnaviv/Kconfig:2: symbol DRM_ETNAVIV depends on THERMAL
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/thermal/Kconfig:5: symbol THERMAL is selected by ACPI_VIDEO
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/acpi/Kconfig:183: symbol ACPI_VIDEO is selected by INPUT

This doesn't currently show up as I fixed the 'THERMAL' part of it,
but I noticed that the FB_STI dependency should not be there but
was introduced by slightly incorrect bug-fix patch that tried to
fix a link error.

Instead of selecting 'VT' to make us enter the drivers/video/console
directory at compile-time, it's sufficient to build the
drivers/video/console/sticore.c file by adding its directory
to when CONFIG_FB_STI is enabled. Alternatively, we could move the
sticore code to another directory that is always built when we
have at STI_CONSOLE or FB_STI enabled.

Fixes: 17085a934592 ("parisc: stifb: should depend on STI_CONSOLE")
Signed-off-by: Arnd Bergmann <>
Cc: Helge Deller <>
Cc: "James E.J. Bottomley" <>
Cc: Alexander Beregalov <>
Signed-off-by: Bartlomiej Zolnierkiewicz <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoum: Fix PTRACE_POKEUSER on x86_64
Richard Weinberger [Fri, 31 Mar 2017 22:41:57 +0000 (00:41 +0200)]
um: Fix PTRACE_POKEUSER on x86_64

commit 9abc74a22d85ab29cef9896a2582a530da7e79bf upstream.

This is broken since ever but sadly nobody noticed.
Recent versions of GDB set DR_CONTROL unconditionally and
UML dies due to a heap corruption. It turns out that
the PTRACE_POKEUSER was copy&pasted from i386 and assumes
that addresses are 4 bytes long.

Fix that by using 8 as address size in the calculation.

Reported-by: jie cao <>
Signed-off-by: Richard Weinberger <>
Signed-off-by: Ben Hutchings <>
4 years agoSet unicode flag on cifs echo request to avoid Mac error
Steve French [Tue, 2 May 2017 18:35:20 +0000 (13:35 -0500)]
Set unicode flag on cifs echo request to avoid Mac error

commit 26c9cb668c7fbf9830516b75d8bee70b699ed449 upstream.

Mac requires the unicode flag to be set for cifs, even for the smb
echo request (which doesn't have strings).

Without this Mac rejects the periodic echo requests (when mounting
with cifs) that we use to check if server is down

Signed-off-by: Steve French <>
Signed-off-by: Ben Hutchings <>
4 years agocifs: small underflow in cnvrtDosUnixTm()
Dan Carpenter [Mon, 1 May 2017 18:43:43 +0000 (21:43 +0300)]
cifs: small underflow in cnvrtDosUnixTm()

commit 564277eceeca01e02b1ef3e141cfb939184601b4 upstream.

January is month 1.  There is no zero-th month.  If someone passes a
zero month then it means we read from one space before the start of the
total_days_of_prev_months[] array.

We may as well also be strict about days as well.

Fixes: 1bd5bbcb6531 ("[CIFS] Legacy time handling for Win9x and OS/2 part 1")
Signed-off-by: Dan Carpenter <>
Signed-off-by: Steve French <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agotcp: fix wraparound issue in tcp_lp
Eric Dumazet [Mon, 1 May 2017 22:29:48 +0000 (15:29 -0700)]
tcp: fix wraparound issue in tcp_lp

commit a9f11f963a546fea9144f6a6d1a307e814a387e7 upstream.

Be careful when comparing tcp_time_stamp to some u32 quantity,
otherwise result can be surprising.

Fixes: 7c106d7e782b ("[TCP]: TCP Low Priority congestion control")
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoipv6: Need to export ipv6_push_frag_opts for tunneling now.
David S. Miller [Mon, 1 May 2017 19:10:20 +0000 (15:10 -0400)]
ipv6: Need to export ipv6_push_frag_opts for tunneling now.

commit 5b8481fa42ac58484d633b558579e302aead64c1 upstream.

Since that change also made the nfrag function not necessary
for exports, remove it.

Fixes: 89a23c8b528b ("ip6_tunnel: Fix missing tunnel encapsulation limit option")
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoip6_tunnel: Fix missing tunnel encapsulation limit option
Craig Gallek [Wed, 26 Apr 2017 18:37:45 +0000 (14:37 -0400)]
ip6_tunnel: Fix missing tunnel encapsulation limit option

commit 89a23c8b528bd2c89f3981573d6cd7d23840c8a6 upstream.

The IPv6 tunneling code tries to insert IPV6_TLV_TNL_ENCAP_LIMIT and
IPV6_TLV_PADN options when an encapsulation limit is defined (the
default is a limit of 4).  An MTU adjustment is done to account for
these options as well.  However, the options are never present in the
generated packets.

The issue appears to be a subtlety between IPV6_DSTOPTS and
IPV6_RTHDRDSTOPTS defined in RFC 3542.  When the IPIP tunnel driver was
written, the encap limit options were included as IPV6_RTHDRDSTOPTS in
dst0opt of struct ipv6_txoptions.  Later, ipv6_push_nfrags_opts was
(correctly) updated to require IPV6_RTHDR options when IPV6_RTHDRDSTOPTS
are to be used.  This caused the options to no longer be included in v6
encapsulated packets.

The fix is to use IPV6_DSTOPTS (in dst1opt of struct ipv6_txoptions)
instead.  IPV6_DSTOPTS do not have the additional IPV6_RTHDR requirement.

Fixes: 1df64a8569c7: ("[IPV6]: Add ip6ip6 tunnel driver.")
Fixes: 333fad5364d6: ("[IPV6]: Support several new sockopt / ancillary data in Advanced API (RFC3542)")
Signed-off-by: Craig Gallek <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agopower: supply: pda_power: move from timer to delayed_work
Michael Trimarchi [Tue, 25 Apr 2017 13:18:05 +0000 (15:18 +0200)]
power: supply: pda_power: move from timer to delayed_work

commit 633e8799ddc09431be2744c4a1efdbda13af2b0b upstream.

This changed is needed to avoid locking problem during
boot as shown:

<5>[    8.824096] Registering SWP/SWPB emulation handler
<6>[    8.977294] clock: disabling unused clocks to save power
<3>[    9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269
<3>[    9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
<4>[    9.130249] 3 locks held by swapper/0/1:
<4>[    9.134613]  #0:  (&__lockdep_no_validate__){......}, at: [<c0342430>] __driver_attach+0x58/0xa8
<4>[    9.144500]  #1:  (&__lockdep_no_validate__){......}, at: [<c0342440>] __driver_attach+0x68/0xa8
<4>[    9.154357]  #2:  (&polling_timer){......}, at: [<c0053770>] run_timer_softirq+0x108/0x3ec
<4>[    9.163726] Backtrace:
<4>[    9.166473] [<c001269c>] (dump_backtrace+0x0/0x114) from [<c067e5f0>] (dump_stack+0x20/0x24)
<4>[    9.175811]  r6:00203230 r5:0000010d r4:d782e000 r3:60000113
<4>[    9.182250] [<c067e5d0>] (dump_stack+0x0/0x24) from [<c007441c>] (__might_sleep+0x10c/0x128)
<4>[    9.191650] [<c0074310>] (__might_sleep+0x0/0x128) from [<c0688f60>] (mutex_lock_nested+0x34/0x36c)
<4>[    9.201660]  r5:c02d5350 r4:d79a0c64
<4>[    9.205688] [<c0688f2c>] (mutex_lock_nested+0x0/0x36c) from [<c02d5350>] (regulator_set_current_limit+0x30/0x118)
<4>[    9.217071] [<c02d5320>] (regulator_set_current_limit+0x0/0x118) from [<c0435ce0>] (update_charger+0x84/0xc4)
<4>[    9.228027]  r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000
<4>[    9.234436] [<c0435c5c>] (update_charger+0x0/0xc4) from [<c0435d40>] (psy_changed+0x20/0x48)
<4>[    9.243804]  r5:d782e000 r4:c1767e94
<4>[    9.247802] [<c0435d20>] (psy_changed+0x0/0x48) from [<c0435dec>] (polling_timer_func+0x84/0xb8)
<4>[    9.257537]  r4:c1767e94 r3:00000002
<4>[    9.261566] [<c0435d68>] (polling_timer_func+0x0/0xb8) from [<c00537e4>] (run_timer_softirq+0x17c/0x3ec)
<4>[    9.272033]  r4:c1767eb0 r3:00000000
<4>[    9.276062] [<c0053668>] (run_timer_softirq+0x0/0x3ec) from [<c004b000>] (__do_softirq+0xf0/0x298)
<4>[    9.286010] [<c004af10>] (__do_softirq+0x0/0x298) from [<c004b650>] (irq_exit+0x98/0xa0)
<4>[    9.295013] [<c004b5b8>] (irq_exit+0x0/0xa0) from [<c000edbc>] (handle_IRQ+0x60/0xc0)
<4>[    9.303680]  r4:c1194e98 r3:c00bc778
<4>[    9.307708] [<c000ed5c>] (handle_IRQ+0x0/0xc0) from [<c0008504>] (gic_handle_irq+0x34/0x68)
<4>[    9.316955]  r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100
<4>[    9.324310] r3:c026ba48
<4>[    9.327301] [<c00084d0>] (gic_handle_irq+0x0/0x68) from [<c068c2c0>] (__irq_svc+0x40/0x74)
<4>[    9.336456] Exception stack(0xd782fc08 to 0xd782fc50)
<4>[    9.342041] fc00:                   d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000
<4>[    9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50
<4>[    9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff

Fixes: b2998049cfae ("[BATTERY] pda_power platform driver")
Signed-off-by: Michael Trimarchi <>
Signed-off-by: Anthony Brandon <>
Signed-off-by: Sebastian Reichel <>
[bwh: Backported to 3.2:
 - Drop changes in otg_handle_notification()
 - Adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoBluetooth: Fix user channel for 32bit userspace on 64bit kernel
Szymon Janc [Tue, 25 Apr 2017 01:25:04 +0000 (18:25 -0700)]
Bluetooth: Fix user channel for 32bit userspace on 64bit kernel

commit ab89f0bdd63a3721f7cd3f064f39fc4ac7ca14d4 upstream.

Running 32bit userspace on 64bit kernel results in MSG_CMSG_COMPAT being
defined as 0x80000000. This results in sendmsg failure if used from 32bit
userspace running on 64bit kernel. Fix this by accounting for MSG_CMSG_COMPAT
in flags check in hci_sock_sendmsg.

Signed-off-by: Szymon Janc <>
Signed-off-by: Marko Kiiskila <>
Signed-off-by: Marcel Holtmann <>
Signed-off-by: Ben Hutchings <>
4 years agonet: ethernet: ucc_geth: fix MEM_PART_MURAM mode
Christophe Leroy [Tue, 7 Feb 2017 09:05:09 +0000 (10:05 +0100)]
net: ethernet: ucc_geth: fix MEM_PART_MURAM mode

commit 8b8642af15ed14b9a7a34d3401afbcc274533e13 upstream.

Since commit 5093bb965a163 ("powerpc/QE: switch to the cpm_muram
implementation"), muram area is not part of immrbar mapping anymore
so immrbar_virt_to_phys() is not usable anymore.

Fixes: 5093bb965a163 ("powerpc/QE: switch to the cpm_muram implementation")
Signed-off-by: Christophe Leroy <>
Acked-by: David S. Miller <>
Acked-by: Li Yang <>
Signed-off-by: Scott Wood <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agolibata: reject passthrough WRITE SAME requests
Christoph Hellwig [Tue, 25 Apr 2017 11:39:54 +0000 (13:39 +0200)]
libata: reject passthrough WRITE SAME requests

commit c6ade20f5e50e188d20b711a618b20dd1d50457e upstream.

The WRITE SAME to TRIM translation rewrites the DATA OUT buffer.  While
the SCSI code accomodates for this by passing a read-writable buffer
userspace applications don't cater for this behavior.  In fact it can
be used to rewrite e.g. a readonly file through mmap and should be
considered as a security fix.

Signed-off-by: Christoph Hellwig <>
Reviewed-by: Martin K. Petersen <>
Signed-off-by: Tejun Heo <>
[bwh: Backported to 3.2:
 - Open-code blk_rq_is_passthrough()
 - We don't distinguish which field is invaid so goto invalid_fld
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoIB/core: For multicast functions, verify that LIDs are multicast LIDs
Michael J. Ruhl [Sun, 9 Apr 2017 17:15:51 +0000 (10:15 -0700)]
IB/core: For multicast functions, verify that LIDs are multicast LIDs

commit 8561eae60ff9417a50fa1fb2b83ae950dc5c1e21 upstream.

The Infiniband spec defines "A multicast address is defined by a
MGID and a MLID" (section 10.5).  Currently the MLID value is not

Add check to verify that the MLID value is in the correct address

Fixes: 0c33aeedb2cf ("[IB] Add checks to multicast attach and detach")
Reviewed-by: Ira Weiny <>
Reviewed-by: Dasaratharaman Chandramouli <>
Signed-off-by: Michael J. Ruhl <>
Signed-off-by: Dennis Dalessandro <>
Reviewed-by: Leon Romanovsky <>
Signed-off-by: Doug Ledford <>
[bwh: Backported to 3.2: use literal number instead of IB_MULTICAST_LID_BASE]
Signed-off-by: Ben Hutchings <>
4 years agoIB/core: If the MGID/MLID pair is not on the list return an error
Michael J. Ruhl [Sun, 9 Apr 2017 17:15:32 +0000 (10:15 -0700)]
IB/core: If the MGID/MLID pair is not on the list return an error

commit 20c7840a77ddcb2ed2fbd66e8197db2868495751 upstream.

A list of MGID/MLID pairs is built when doing a multicast attach.  When
the multicast detach is called, the list is searched, and regardless of
the search outcome, the driver detach is called.

If an MGID/MLID pair is not on the list, driver detach should not be
called, and an error should be returned.  Calling the driver without
removing an MGID/MLID pair from the list can leave the core and driver
out of sync.

Fixes: f4e401562c11 ("IB/uverbs: track multicast group membership for userspace QPs")
Reviewed-by: Ira Weiny <>
Reviewed-by: Leon Romanovsky <>
Signed-off-by: Michael J. Ruhl <>
Signed-off-by: Dennis Dalessandro <>
Signed-off-by: Doug Ledford <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agousb: Make sure usb/phy/of gets built-in
Alexey Brodkin [Thu, 13 Apr 2017 12:33:34 +0000 (15:33 +0300)]
usb: Make sure usb/phy/of gets built-in

commit 3d6159640da9c9175d1ca42f151fc1a14caded59 upstream.

DWC3 driver uses of_usb_get_phy_mode() which is
implemented in drivers/usb/phy/of.c and in bare minimal
configuration it might not be pulled in kernel binary.

In case of ARC or ARM this could be easily reproduced with
"allnodefconfig" +CONFIG_USB=m +CONFIG_USB_DWC3=m.

On building all ends-up with:
  Kernel: arch/arm/boot/Image is ready
  Kernel: arch/arm/boot/zImage is ready
  Building modules, stage 2.
  MODPOST 5 modules
ERROR: "of_usb_get_phy_mode" [drivers/usb/dwc3/dwc3.ko] undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2

Signed-off-by: Alexey Brodkin <>
Cc: Greg Kroah-Hartman <>
Cc: Masahiro Yamada <>
Cc: Geert Uytterhoeven <>
Cc: Nicolas Pitre <>
Cc: Thomas Gleixner <>
Cc: Felipe Balbi <>
Cc: Felix Fietkau <>
Cc: Jeremy Kerr <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoPCI: Disable boot interrupt quirk for ASUS M2N-LR
Stefan Assmann [Wed, 19 Apr 2017 07:22:45 +0000 (09:22 +0200)]
PCI: Disable boot interrupt quirk for ASUS M2N-LR

commit c4e649b09f55595e6df6da5465a5b3cfc93557c1 upstream.

The ASUS M2N-LR should not trigger boot interrupt quirks although it
carries an Intel 6702PXH.  On this board the boot interrupt quirks cause
incorrect IRQ assignments and should be disabled.

Tested-by: Solomon Peachy <>
Signed-off-by: Stefan Assmann <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Ben Hutchings <>
4 years agonetfilter: ctnetlink: make it safer when updating ct->status
Liping Zhang [Mon, 17 Apr 2017 13:18:57 +0000 (21:18 +0800)]
netfilter: ctnetlink: make it safer when updating ct->status

commit 53b56da83d7899de375a9de153fd7f5397de85e6 upstream.

After converting to use rcu for conntrack hash, one CPU may update
the ct->status via ctnetlink, while another CPU may process the
packets and update the ct->status.

So the non-atomic operation "ct->status |= status;" via ctnetlink
becomes unsafe, and this may clear the IPS_DYING_BIT bit set by
another CPU unexpectedly. For example:
         CPU0                            CPU1
  ctnetlink_change_status        __nf_conntrack_find_get
      old = ct->status              nf_ct_gc_expired
          -                         nf_ct_kill
          -                      test_and_set_bit(IPS_DYING_BIT
      new = old | status;                 -
  ct->status = new; <-- oops, _DYING_ is cleared!

Now using a series of atomic bit operation to solve the above issue.

Also note, user shouldn't set IPS_TEMPLATE, IPS_SEQ_ADJUST directly,
so make these two bits be unchangable too.

If we set the IPS_TEMPLATE_BIT, ct will be freed by nf_ct_tmpl_free,
but actually it is alloced by nf_conntrack_alloc.
If we set the IPS_SEQ_ADJUST_BIT, this may cause the NULL pointer
deference, as the nfct_seqadj(ct) maybe NULL.

Last, add some comments to describe the logic change due to the
commit a963d710f367 ("netfilter: ctnetlink: Fix regression in CTA_STATUS
processing"), which makes me feel a little confusing.

Fixes: 76507f69c44e ("[NETFILTER]: nf_conntrack: use RCU for conntrack hash")
Signed-off-by: Liping Zhang <>
Signed-off-by: Pablo Neira Ayuso <>
[bwh: Backported to 3.2:
 - IPS_UNCHANGEABLE_MASK was not previously defined and ctnetlink_update_status()
   is not needed
 - enum ip_conntrack_status only assigns 13 bits
 - Adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agox86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
Ashish Kalra [Wed, 19 Apr 2017 15:20:15 +0000 (20:50 +0530)]
x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup

commit d594aa0277e541bb997aef0bc0a55172d8138340 upstream.

The minimum size for a new stack (512 bytes) setup for arch/x86/boot components
when the bootloader does not setup/provide a stack for the early boot components
is not "enough".

The setup code executing as part of early kernel startup code, uses the stack
beyond 512 bytes and accidentally overwrites and corrupts part of the BSS
section. This is exposed mostly in the early video setup code, where
it was corrupting BSS variables like force_x, force_y, which in-turn affected
kernel parameters such as screen_info (screen_info.orig_video_cols) and
later caused an exception/panic in console_init().

Most recent boot loaders setup the stack for early boot components, so this
stack overwriting into BSS section issue has not been exposed.

Signed-off-by: Ashish Kalra <>
Cc: Andy Lutomirski <>
Cc: Borislav Petkov <>
Cc: Brian Gerst <>
Cc: Denys Vlasenko <>
Cc: H. Peter Anvin <>
Cc: Josh Poimboeuf <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>