4 years agoFix missing sanity check in /dev/sg
Al Viro [Sun, 19 Feb 2017 07:15:27 +0000 (07:15 +0000)]
Fix missing sanity check in /dev/sg

commit 137d01df511b3afe1f05499aea05f3bafc0fb221 upstream.

What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len.  Or with ->dxferp pointing
to an array full of empty iovecs.

Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...

Found by Dmitry Vyukov and syzkaller.

[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
  underlying issue.  - Linus ]

Signed-off-by: Al Viro <>
Reported-by: Dmitry Vyukov <>
Reviewed-by: Christoph Hellwig <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: we're not using iov_iter, but can check the
 byte length after truncation]
Signed-off-by: Ben Hutchings <>
4 years agopacket: Do not call fanout_release from atomic contexts
Anoob Soman [Wed, 15 Feb 2017 20:25:39 +0000 (20:25 +0000)]
packet: Do not call fanout_release from atomic contexts

commit 2bd624b4611ffee36422782d16e1c944d1351e98 upstream.

Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a
netdev"), unfortunately, introduced the following issues.

1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
rcu_read-side critical section. rcu_read_lock disables preemption, most often,
which prohibits calling sleeping functions.

[  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
[  ]
[  ] rcu_scheduler_active = 1, debug_locks = 0
[  ] 4 locks held by ovs-vswitchd/1969:
[  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
[  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
[  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
[  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
[  ]
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
[  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
[  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
[  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
[  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
[  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
[  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
"sleeping function called from invalid context"

[  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
[  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
[  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
[  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

3. calling dev_remove_pack(&fanout->prot_hook), from inside
spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-> synchronize_net(), which might sleep.

[  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
[  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
[  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
[  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
[  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
[  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
[  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
[  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
[  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

4. fanout_release() races with calls from different CPU.

To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout->prot_hook is removed as well.

Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev")
Reported-by: Eric Dumazet <>
Signed-off-by: Anoob Soman <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2:
 - Don't call fanout_release_data()
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agopacket: call fanout_release, while UNREGISTERING a netdev
Anoob Soman [Wed, 5 Oct 2016 14:12:54 +0000 (15:12 +0100)]
packet: call fanout_release, while UNREGISTERING a netdev

commit 6664498280cf17a59c3e7cf1a931444c02633ed1 upstream.

If a socket has FANOUT sockopt set, a new proto_hook is registered
as part of fanout_add(). When processing a NETDEV_UNREGISTER event in
af_packet, __fanout_unlink is called for all sockets, but prot_hook which was
registered as part of fanout_add is not removed. Call fanout_release, on a
NETDEV_UNREGISTER, which removes prot_hook and removes fanout from the

This fixes BUG_ON(!list_empty(&dev->ptype_specific)) in netdev_run_todo()

Signed-off-by: Anoob Soman <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agovfs: fix uninitialized flags in splice_to_pipe()
Miklos Szeredi [Thu, 16 Feb 2017 16:49:02 +0000 (17:49 +0100)]
vfs: fix uninitialized flags in splice_to_pipe()

commit 5a81e6a171cdbd1fa8bc1fdd80c23d3d71816fac upstream.

Flags (PIPE_BUF_FLAG_PACKET, PIPE_BUF_FLAG_GIFT) could remain on the
unused part of the pipe ring buffer.  Previously splice_to_pipe() left
the flags value alone, which could result in incorrect behavior.

Uninitialized flags appears to have been there from the introduction of
the splice syscall.

Signed-off-by: Miklos Szeredi <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: adjust context, indentation]
Signed-off-by: Ben Hutchings <>
4 years agonet: xilinx_emaclite: fix receive buffer overflow
Anssi Hannula [Tue, 14 Feb 2017 17:11:44 +0000 (19:11 +0200)]
net: xilinx_emaclite: fix receive buffer overflow

commit cd224553641848dd17800fe559e4ff5d208553e8 upstream.

xilinx_emaclite looks at the received data to try to determine the
Ethernet packet length but does not properly clamp it if
proto_type == ETH_P_IP or 1500 < proto_type <= 1518, causing a buffer
overflow and a panic via skb_panic() as the length exceeds the allocated
skb size.

Fix those cases.

Also add an additional unconditional check with WARN_ON() at the end.

Signed-off-by: Anssi Hannula <>
Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agosiano: make it work again with CONFIG_VMAP_STACK
Mauro Carvalho Chehab [Tue, 14 Feb 2017 19:47:57 +0000 (17:47 -0200)]
siano: make it work again with CONFIG_VMAP_STACK

commit f9c85ee67164b37f9296eab3b754e543e4e96a1c upstream.

Reported as a Kaffeine bug:

The USB control messages require DMA to work. We cannot pass
a stack-allocated buffer, as it is not warranted that the
stack would be into a DMA enabled area.

On Kernel 4.9, the default is to not accept DMA on stack anymore
on x86 architecture. On other architectures, this has been a
requirement since Kernel 2.2. So, after this patch, this driver
should likely work fine on all archs.

Tested with USB ID 2040:5510: Hauppauge Windham

Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2:
 - s/sms_msg_hdr/SmsMsgHdr_ST/
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agopacket: fix races in fanout_add()
Eric Dumazet [Tue, 14 Feb 2017 17:03:51 +0000 (09:03 -0800)]
packet: fix races in fanout_add()

commit d199fab63c11998a602205f7ee7ff7c05c97164b upstream.

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could
lead to one thread freeing po->rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us
finding lockdep issues earlier.

Fixes: dc99f600698d ("packet: Add fanout support.")
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet <>
Cc: Willem de Bruijn <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2:
 - No rollover queue stats
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agofutex: Move futex_init() to core_initcall
Yang Yang [Fri, 30 Dec 2016 08:17:55 +0000 (16:17 +0800)]
futex: Move futex_init() to core_initcall

commit 25f71d1c3e98ef0e52371746220d66458eac75bc upstream.

The UEVENT user mode helper is enabled before the initcalls are executed
and is available when the root filesystem has been mounted.

The user mode helper is triggered by device init calls and the executable
might use the futex syscall.

futex_init() is marked __initcall which maps to device_initcall, but there
is no guarantee that futex_init() is invoked _before_ the first device init
call which triggers the UEVENT user mode helper.

If the user mode helper uses the futex syscall before futex_init() then the
syscall crashes with a NULL pointer dereference because the futex subsystem
has not been initialized yet.

Move futex_init() to core_initcall so futexes are initialized before the
root filesystem is mounted and the usermode helper becomes available.

[ tglx: Rewrote changelog ]

Signed-off-by: Yang Yang <>
Cc: Peter Zijlstra <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Ben Hutchings <>
4 years agonet/llc: avoid BUG_ON() in skb_orphan()
Eric Dumazet [Sun, 12 Feb 2017 22:03:52 +0000 (14:03 -0800)]
net/llc: avoid BUG_ON() in skb_orphan()

commit 8b74d439e1697110c5e5c600643e823eb1dd0762 upstream.

It seems nobody used LLC since linux-3.12.

Fortunately fuzzers like syzkaller still know how to run this code,
otherwise it would be no fun.

Setting skb->sk without skb->destructor leads to all kinds of
bugs, we now prefer to be very strict about it.

Ideally here we would use skb_set_owner() but this helper does not exist yet,
only CAN seems to have a private helper for that.

Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
Signed-off-by: Eric Dumazet <>
Reported-by: Andrey Konovalov <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agonet/sock: Add sock_efree() function
Ben Hutchings [Fri, 3 Mar 2017 02:32:07 +0000 (02:32 +0000)]
net/sock: Add sock_efree() function

Extracted from commit 62bccb8cdb69 ("net-timestamp: Make the clone operation
stand-alone from phy timestamping").

Signed-off-by: Ben Hutchings <>
4 years agol2tp: do not use udp_ioctl()
Eric Dumazet [Fri, 10 Feb 2017 00:15:52 +0000 (16:15 -0800)]
l2tp: do not use udp_ioctl()

commit 72fb96e7bdbbdd4421b0726992496531060f3636 upstream.

udp_ioctl(), as its name suggests, is used by UDP protocols,
but is also used by L2TP :(

L2TP should use its own handler, because it really does not
look the same.

SIOCINQ for instance should not assume UDP checksum or headers.

Thanks to Andrey and syzkaller team for providing the report
and a nice reproducer.

While crashes only happen on recent kernels (after commit
7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")), this
probably needs to be backported to older kernels.

Fixes: 7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")
Fixes: 85584672012e ("udp: Fix udp_poll() and ioctl()")
Signed-off-by: Eric Dumazet <>
Reported-by: Andrey Konovalov <>
Acked-by: Paolo Abeni <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2:
 - Drop the IPv6 change
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoxen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
Boris Ostrovsky [Mon, 30 Jan 2017 17:45:46 +0000 (12:45 -0500)]
xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()

commit 74470954857c264168d2b5a113904cf0cfd27d18 upstream.

rx_refill_timer should be deleted as soon as we disconnect from the
backend since otherwise it is possible for the timer to go off before
we get to xennet_destroy_queues(). If this happens we may dereference
queue->rx.sring which is set to NULL in xennet_disconnect_backend().

Signed-off-by: Boris Ostrovsky <>
Reviewed-by: Juergen Gross <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: there's only one RX queue here, and del_timer_sync()
 was called from xennet_remove() but that's also too late]
Signed-off-by: Ben Hutchings <>
4 years agoscsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
Steffen Maier [Wed, 8 Feb 2017 14:34:22 +0000 (15:34 +0100)]
scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send

commit 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 upstream.

Dan Carpenter kindly reported:
The patch d27a7cb91960: "zfcp: trace on request for open and close of
WKA port" from Aug 10, 2016, leads to the following static checker

drivers/s390/scsi/zfcp_fsf.c:1615 zfcp_fsf_open_wka_port()
warn: 'req' was already freed.

  1609          zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
  1610          retval = zfcp_fsf_req_send(req);
  1611          if (retval)
  1612                  zfcp_fsf_req_free(req);

  1613  out:
  1614          spin_unlock_irq(&qdio->req_q_lock);
  1615          if (req && !IS_ERR(req))
  1616                  zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
Use after free.

  1617          return retval;
  1618  }

Same thing for zfcp_fsf_close_wka_port() as well.

Rather than relying on req being NULL (or ERR_PTR) for all cases where
we don't want to trace or should not trace,
simply check retval which is unconditionally initialized with -EIO != 0
and it can only become 0 on successful retval = zfcp_fsf_req_send(req).
With that we can also remove the then again unnecessary unconditional
initialization of req which was introduced with that earlier commit.

Reported-by: Dan Carpenter <>
Suggested-by: Benjamin Block <>
Signed-off-by: Steffen Maier <>
Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port")
Reviewed-by: Benjamin Block <>
Reviewed-by: Jens Remus <>
Signed-off-by: Martin K. Petersen <>
Signed-off-by: Ben Hutchings <>
4 years agoping: fix a null pointer dereference
WANG Cong [Tue, 7 Feb 2017 20:59:46 +0000 (12:59 -0800)]
ping: fix a null pointer dereference

commit 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 upstream.

Andrey reported a kernel crash:

  general protection fault: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  task: ffff880060048040 task.stack: ffff880069be8000
  RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
  RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
  RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
  RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
  RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
  RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
  R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
  R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
  FS:  00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
  Call Trace:
   inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
   sock_sendmsg_nosec net/socket.c:635 [inline]
   sock_sendmsg+0xca/0x110 net/socket.c:645
   SYSC_sendto+0x660/0x810 net/socket.c:1687
   SyS_sendto+0x40/0x50 net/socket.c:1655

This is because we miss a check for NULL pointer for skb_peek() when
the queue is empty. Other places already have the same check.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Andrey Konovalov <>
Tested-by: Andrey Konovalov <>
Signed-off-by: Cong Wang <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agobtrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
Jeff Mahoney [Tue, 7 Feb 2017 00:39:09 +0000 (19:39 -0500)]
btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls

commit 2a362249187a8d0f6d942d6e1d763d150a296f47 upstream.

Commit 4c63c2454ef incorrectly assumed that returning -ENOIOCTLCMD would
cause the native ioctl to be called.  The ->compat_ioctl callback is
expected to handle all ioctls, not just compat variants.  As a result,
when using 32-bit userspace on 64-bit kernels, everything except those
three ioctls would return -ENOTTY.

Fixes: 4c63c2454ef ("btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl")
Signed-off-by: Jeff Mahoney <>
Reviewed-by: David Sterba <>
Signed-off-by: David Sterba <>
Signed-off-by: Ben Hutchings <>
4 years agoALSA: seq: Fix race at creating a queue
Takashi Iwai [Wed, 8 Feb 2017 11:35:39 +0000 (12:35 +0100)]
ALSA: seq: Fix race at creating a queue

commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream.

When a sequencer queue is created in snd_seq_queue_alloc(),it adds the
new queue element to the public list before referencing it.  Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in the use-after-free error, as spotted by syzkaller.

The fix is to reference the queue object at the right time.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
4 years agocatc: Use heap buffer for memory size test
Ben Hutchings [Sat, 4 Feb 2017 16:57:04 +0000 (16:57 +0000)]
catc: Use heap buffer for memory size test

commit 2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478 upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
4 years agocatc: Combine failure cleanup code in catc_probe()
Ben Hutchings [Sat, 4 Feb 2017 16:56:56 +0000 (16:56 +0000)]
catc: Combine failure cleanup code in catc_probe()

commit d41149145f98fe26dcd0bfd1d6cc095e6e041418 upstream.

Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
4 years agortl8150: Use heap buffers for all register access
Ben Hutchings [Sat, 4 Feb 2017 16:56:32 +0000 (16:56 +0000)]
rtl8150: Use heap buffers for all register access

commit 7926aff5c57b577ab0f43364ff0c59d968f6a414 upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
4 years agoALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
Takashi Iwai [Mon, 6 Feb 2017 14:09:48 +0000 (15:09 +0100)]
ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()

commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream.

snd_seq_pool_done() syncs with closing of all opened threads, but it
aborts the wait loop with a timeout, and proceeds to the release
resource even if not all threads have been closed.  The timeout was 5
seconds, and if you run a crazy stuff, it can exceed easily, and may
result in the access of the invalid memory address -- this is what
syzkaller detected in a bug report.

As a fix, let the code graduate from naiveness, simply remove the loop

Reported-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
[bwh: Backported to 3.2: deleted log statement is slightly different]
Signed-off-by: Ben Hutchings <>
4 years agomac80211: Fix adding of mesh vendor IEs
Thorsten Horstmann [Fri, 3 Feb 2017 13:38:29 +0000 (14:38 +0100)]
mac80211: Fix adding of mesh vendor IEs

commit da7061c82e4a1bc6a5e134ef362c86261906c860 upstream.

The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
return value in mesh_add_vendor_ies must therefore be checked against
ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
WLAN_EID_VENDOR_SPECIFIC will be rejected.

Fixes: 082ebb0c258d ("mac80211: fix mesh beacon format")
Signed-off-by: Thorsten Horstmann <>
Signed-off-by: Mathias Kretschmer <>
Signed-off-by: Simon Wunderlich <>
[ Add commit message]
Signed-off-by: Sven Eckelmann <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Ben Hutchings <>
4 years agonetlabel: out of bound access in cipso_v4_validate()
Eric Dumazet [Fri, 3 Feb 2017 08:03:26 +0000 (00:03 -0800)]
netlabel: out of bound access in cipso_v4_validate()

commit d71b7896886345c53ef1d84bda2bc758554f5d61 upstream.

syzkaller found another out of bound access in ip_options_compile(),
or more exactly in cipso_v4_validate()

Fixes: 20e2a8648596 ("cipso: handle CIPSO options correctly when NetLabel is disabled")
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Signed-off-by: Eric Dumazet <>
Reported-by: Dmitry Vyukov <>
Cc: Paul Moore <>
Acked-by: Paul Moore <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agomm, fs: check for fatal signals in do_generic_file_read()
Michal Hocko [Fri, 3 Feb 2017 21:13:29 +0000 (13:13 -0800)]
mm, fs: check for fatal signals in do_generic_file_read()

commit 5abf186a30a89d5b9c18a6bf93a2c192c9fd52f6 upstream.

do_generic_file_read() can be told to perform a large request from
userspace.  If the system is under OOM and the reading task is the OOM
victim then it has an access to memory reserves and finishing the full
request can lead to the full memory depletion which is dangerous.  Make
sure we rather go with a short read and allow the killed task to

Signed-off-by: Michal Hocko <>
Reviewed-by: Christoph Hellwig <>
Cc: Tetsuo Handa <>
Cc: Al Viro <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: pl2303: add ATEN device ID
Marcel J.E. Mol [Mon, 30 Jan 2017 18:26:40 +0000 (19:26 +0100)]
USB: serial: pl2303: add ATEN device ID

commit d07830db1bdb254e4b50d366010b219286b8c937 upstream.

Seems that ATEN serial-to-usb devices using pl2303 exist with
different device ids. This patch adds a missing device ID so it
is recognised by the driver.

Signed-off-by: Marcel J.E. Mol <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
Dave Martin [Wed, 18 Jan 2017 16:11:56 +0000 (17:11 +0100)]
ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write

commit 228dbbfb5d77f8e047b2a1d78da14b7158433027 upstream.

Ensure that if userspace supplies insufficient data to
PTRACE_SETREGSET to fill all the registers, the thread's old
registers are preserved.

Fixes: 5be6f62b0059 ("ARM: 6883/1: ptrace: Migrate to regsets framework")
Signed-off-by: Dave Martin <>
Acked-by: Russell King <>
Signed-off-by: Russell King <>
Signed-off-by: Ben Hutchings <>
4 years agocan: bcm: fix hrtimer/tasklet termination in bcm op removal
Oliver Hartkopp [Wed, 18 Jan 2017 20:30:51 +0000 (21:30 +0100)]
can: bcm: fix hrtimer/tasklet termination in bcm op removal

commit a06393ed03167771246c4c43192d9c264bc48412 upstream.

When removing a bcm tx operation either a hrtimer or a tasklet might run.
As the hrtimer triggers its associated tasklet and vice versa we need to
take care to mutually terminate both handlers.

Reported-by: Michael Josenhans <>
Signed-off-by: Oliver Hartkopp <>
Tested-by: Michael Josenhans <>
Signed-off-by: Marc Kleine-Budde <>
Signed-off-by: Ben Hutchings <>
4 years agoparisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
Helge Deller [Sat, 28 Jan 2017 10:52:02 +0000 (11:52 +0100)]
parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header

commit 2ad5d52d42810bed95100a3d912679d8864421ec upstream.

In swab.h the "#if BITS_PER_LONG > 32" breaks compiling userspace programs if
BITS_PER_LONG is #defined by userspace with the sizeof() compiler builtin.

Solve this problem by using __BITS_PER_LONG instead.  Since we now
#include asm/bitsperlong.h avoid further potential userspace pollution
by moving the #define of SHIFT_PER_LONG to bitops.h which is not
exported to userspace.

This patch unbreaks compiling qemu on hppa/parisc.

Signed-off-by: Helge Deller <>
[bwh: Backported to 3.2: adjust filenames]
Signed-off-by: Ben Hutchings <>
4 years agosysctl: fix proc_doulongvec_ms_jiffies_minmax()
Eric Dumazet [Thu, 26 Jan 2017 02:20:55 +0000 (18:20 -0800)]
sysctl: fix proc_doulongvec_ms_jiffies_minmax()

commit ff9f8a7cf935468a94d9927c68b00daae701667e upstream.

We perform the conversion between kernel jiffies and ms only when
exporting kernel value to user space.

We need to do the opposite operation when value is written by user.

Only matters when HZ != 1000

Signed-off-by: Eric Dumazet <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: Add quirk for WORLDE easykey.25 MIDI keyboard
Lukáš Lalinský [Fri, 20 Jan 2017 18:46:34 +0000 (19:46 +0100)]
USB: Add quirk for WORLDE easykey.25 MIDI keyboard

commit d9b2997e4a0a874e452df7cdd7de5a54502bd0aa upstream.

Add a quirk for WORLDE easykey.25 MIDI keyboard (idVendor=0218,
idProduct=0401). The device reports that it has config string
descriptor at index 3, but when the system selects the configuration
and tries to get the description, it returns a -EPROTO error,
the communication restarts and this keeps repeating over and over again.
Not requesting the string descriptor makes the device work correctly.

Relevant info from Wireshark:


    bLength: 9
    bDescriptorType: 0x02 (CONFIGURATION)
    wTotalLength: 101
    bNumInterfaces: 2
    bConfigurationValue: 1
    iConfiguration: 3
    Configuration bmAttributes: 0xc0  SELF-POWERED  NO REMOTE-WAKEUP
        1... .... = Must be 1: Must be 1 for USB 1.1 and higher
        .1.. .... = Self-Powered: This device is SELF-POWERED
        ..0. .... = Remote Wakeup: This device does NOT support remote wakeup
    bMaxPower: 50  (100mA)


     45 0.369104       host                  2.38.0                USB      64     GET DESCRIPTOR Request STRING


URB setup
    bmRequestType: 0x80
        1... .... = Direction: Device-to-host
        .00. .... = Type: Standard (0x00)
        ...0 0000 = Recipient: Device (0x00)
    bRequest: GET DESCRIPTOR (6)
    Descriptor Index: 0x03
    bDescriptorType: 0x03
    Language Id: English (United States) (0x0409)
    wLength: 255

     46 0.369255       2.38.0                host                  USB      64     GET DESCRIPTOR Response STRING[Malformed Packet]


Frame 46: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
    [Source: 2.38.0]
    [Destination: host]
    URB id: 0xffff88021f62d480
    URB type: URB_COMPLETE ('C')
    URB transfer type: URB_CONTROL (0x02)
    Endpoint: 0x80, Direction: IN
    Device: 38
    URB bus id: 2
    Device setup request: not relevant ('-')
    Data: present (0)
    URB sec: 1484896277
    URB usec: 455031
    URB status: Protocol error (-EPROTO) (-71)
    URB length [bytes]: 0
    Data length [bytes]: 0
    [Request in: 45]
    [Time from request: 0.000151000 seconds]
    Unused Setup Header
    Interval: 0
    Start frame: 0
    Copy of Transfer Flags: 0x00000200
    Number of ISO descriptors: 0
[Malformed Packet: USB]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

Signed-off-by: Lukáš Lalinský <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agomm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
Keno Fischer [Tue, 24 Jan 2017 23:17:48 +0000 (15:17 -0800)]
mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp

commit 8310d48b125d19fcd9521d83b8293e63eb1646aa upstream.

In commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from
__get_user_pages()"), the mm code was changed from unsetting FOLL_WRITE
after a COW was resolved to setting the (newly introduced) FOLL_COW
instead.  Simultaneously, the check in gup.c was updated to still allow
writes with FOLL_FORCE set if FOLL_COW had also been set.

However, a similar check in huge_memory.c was forgotten.  As a result,
remote memory writes to ro regions of memory backed by transparent huge
pages cause an infinite loop in the kernel (handle_mm_fault sets
FOLL_COW and returns 0 causing a retry, but follow_trans_huge_pmd bails
out immidiately because `(flags & FOLL_WRITE) && !pmd_write(*pmd)` is

While in this state the process is stil SIGKILLable, but little else
works (e.g.  no ptrace attach, no other signals).  This is easily
reproduced with the following code (assuming thp are set to always):

    #include <assert.h>
    #include <fcntl.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>

    #define TEST_SIZE 5 * 1024 * 1024

    int main(void) {
      int status;
      pid_t child;
      int fd = open("/proc/self/mem", O_RDWR);
      void *addr = mmap(NULL, TEST_SIZE, PROT_READ,
                        MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
      assert(addr != MAP_FAILED);
      pid_t parent_pid = getpid();
      if ((child = fork()) == 0) {
        void *addr2 = mmap(NULL, TEST_SIZE, PROT_READ | PROT_WRITE,
                           MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
        assert(addr2 != MAP_FAILED);
        memset(addr2, 'a', TEST_SIZE);
        pwrite(fd, addr2, TEST_SIZE, (uintptr_t)addr);
        return 0;
      assert(child == waitpid(child, &status, 0));
      assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
      return 0;

Fix this by updating follow_trans_huge_pmd in huge_memory.c analogously
to the update in gup.c in the original commit.  The same pattern exists
in follow_devmap_pmd.  However, we should not be able to reach that
check with FOLL_COW set, so add WARN_ONCE to make sure we notice if we
ever do.

[ coding-style fixes]
Signed-off-by: Keno Fischer <>
Acked-by: Kirill A. Shutemov <>
Cc: Greg Thelen <>
Cc: Nicholas Piggin <>
Cc: Willy Tarreau <>
Cc: Oleg Nesterov <>
Cc: Kees Cook <>
Cc: Andy Lutomirski <>
Cc: Michal Hocko <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2:
 - Drop change to follow_devmap_pmd()
 - pmd_dirty() is not available; check the page flags as in
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: option: add device ID for HP lt2523 (Novatel E371)
Bjørn Mork [Tue, 24 Jan 2017 09:31:18 +0000 (10:31 +0100)]
USB: serial: option: add device ID for HP lt2523 (Novatel E371)

commit 5d03a2fd2292e71936c4235885c35ccc3c94695b upstream.

Yet another laptop vendor rebranded Novatel E371.

Signed-off-by: Bjørn Mork <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agocrypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
Salvatore Benedetto [Fri, 13 Jan 2017 11:54:08 +0000 (11:54 +0000)]
crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg

commit d6040764adcb5cb6de1489422411d701c158bb69 upstream.

Make sure CRYPTO_ALG_DEAD bit is cleared before proceeding with
the algorithm registration. This fixes qat-dh registration when
driver is restarted

Signed-off-by: Salvatore Benedetto <>
Signed-off-by: Herbert Xu <>
Signed-off-by: Ben Hutchings <>
4 years agoplatform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
Andy Shevchenko [Thu, 19 Jan 2017 16:39:40 +0000 (18:39 +0200)]
platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT

commit 5a00b6c2438460b870a451f14593fc40d3c7edf6 upstream.

The commit 1c6c69525b40 ("genirq: Reject bogus threaded irq requests")
starts refusing misconfigured interrupt handlers. This makes
intel_mid_powerbtn not working anymore.

Add a mandatory flag to a threaded IRQ request in the driver.

Fixes: 1c6c69525b40 ("genirq: Reject bogus threaded irq requests")
Signed-off-by: Andy Shevchenko <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agopowerpc: Ignore reserved field in DCSR and PVR reads and writes
Anton Blanchard [Thu, 19 Jan 2017 03:19:10 +0000 (14:19 +1100)]
powerpc: Ignore reserved field in DCSR and PVR reads and writes

commit 178f358208ceb8b38e5cff3f815e0db4a6a70a07 upstream.

IBM bit 31 (for the rest of us - bit 0) is a reserved field in the
instruction definition of mtspr and mfspr. Hardware is encouraged to
(and does) ignore it.

As a result, if userspace executes an mtspr DSCR with the reserved bit
set, we get a DSCR facility unavailable exception. The kernel fails to
match against the expected value/mask, and we silently return to
userspace to try and re-execute the same mtspr DSCR instruction. We
loop forever until the process is killed.

We should do something here, and it seems mirroring what hardware does
is the better option vs killing the process. While here, relax the
matching of mfspr PVR too.

Signed-off-by: Anton Blanchard <>
Signed-off-by: Michael Ellerman <>
[bwh: Backported to 3.2: drop changes to PPC_INST_M{F,T}SPR_DSCR_USER_MASK]
Signed-off-by: Ben Hutchings <>
4 years agopowerpc/ptrace: Preserve previous fprs/vsrs on short regset write
Dave Martin [Thu, 5 Jan 2017 16:50:57 +0000 (16:50 +0000)]
powerpc/ptrace: Preserve previous fprs/vsrs on short regset write

commit 99dfe80a2a246c600440a815741fd2e74a8b4977 upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.

Fixes: c6e6771b87d4 ("powerpc: Introduce VSX thread_struct and CONFIG_VSX")
Signed-off-by: Dave Martin <>
Signed-off-by: Michael Ellerman <>
[bwh: Backported to 3.2:
 - fpscr and fpr are direct members of struct thread_struct
 - Use memcpy() for fpscr, like the reverse copy below, to avoid type error
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agonbd: only set MSG_MORE when we have more to send
Josef Bacik [Thu, 19 Jan 2017 21:08:49 +0000 (16:08 -0500)]
nbd: only set MSG_MORE when we have more to send

commit d61b7f972dab2a7d187c38254845546dfc8eed85 upstream.

A user noticed that write performance was horrible over loopback and we
traced it to an inversion of when we need to set MSG_MORE.  It should be
set when we have more bvec's to send, not when we are on the last bvec.
This patch made the test go from 20 iops to 78k iops.

Signed-off-by: Josef Bacik <>
Fixes: 429a787be679 ("nbd: fix use-after-free of rq/bio in the xmit path")
Signed-off-by: Jens Axboe <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agonbd: fix use-after-free of rq/bio in the xmit path
Jens Axboe [Thu, 17 Nov 2016 19:30:37 +0000 (12:30 -0700)]
nbd: fix use-after-free of rq/bio in the xmit path

commit 429a787be6793554ee02aacc7e1f11ebcecc4453 upstream.

For writes, we can get a completion in while we're still iterating
the request and bio chain. If that happens, we're reading freed
memory and we can crash.

Break out after the last segment and avoid having the iterator
read freed memory.

Reviewed-by: Josef Bacik <>
Signed-off-by: Jens Axboe <>
[bwh: Backported to 3.2:
 - bio_for_each_segment() uses iterator of type int
 - Open-code bio_iter_last()
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoceph: fix bad endianness handling in parse_reply_info_extra
Jeff Layton [Thu, 12 Jan 2017 19:42:41 +0000 (14:42 -0500)]
ceph: fix bad endianness handling in parse_reply_info_extra

commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.

sparse says:

    fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer

The op value is __le32, so we need to convert it before comparing it.

Signed-off-by: Jeff Layton <>
Reviewed-by: Sage Weil <>
Signed-off-by: Ilya Dryomov <>
[bwh: Backported to 3.2: only filelock and directory replies are handled]
Signed-off-by: Ben Hutchings <>
4 years agocan: ti_hecc: add missing prepare and unprepare of the clock
Yegor Yefremov [Wed, 18 Jan 2017 10:35:57 +0000 (11:35 +0100)]
can: ti_hecc: add missing prepare and unprepare of the clock

commit befa60113ce7ea270cb51eada28443ca2756f480 upstream.

In order to make the driver work with the common clock framework, this
patch converts the clk_enable()/clk_disable() to

Also add error checking for clk_prepare_enable().

Signed-off-by: Yegor Yefremov <>
Signed-off-by: Marc Kleine-Budde <>
Signed-off-by: Ben Hutchings <>
4 years agoubifs: Fix journal replay wrt. xattr nodes
Richard Weinberger [Tue, 10 Jan 2017 10:49:40 +0000 (11:49 +0100)]
ubifs: Fix journal replay wrt. xattr nodes

commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.

When replaying the journal it can happen that a journal entry points to
a garbage collected node.
This is the case when a power-cut occurred between a garbage collect run
and a commit. In such a case nodes have to be read using the failable
read functions to detect whether the found node matches what we expect.

One corner case was forgotten, when the journal contains an entry to
remove an inode all xattrs have to be removed too. UBIFS models xattr
like directory entries, so the TNC code iterates over
all xattrs of the inode and removes them too. This code re-uses the
functions for walking directories and calls ubifs_tnc_next_ent().
ubifs_tnc_next_ent() expects to be used only after the journal and
aborts when a node does not match the expected result. This behavior can
render an UBIFS volume unmountable after a power-cut when xattrs are

Fix this issue by using failable read functions in ubifs_tnc_next_ent()
too when replaying the journal.
Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Reported-by: Rock Lee <>
Reviewed-by: David Gstir <>
Signed-off-by: Richard Weinberger <>
Signed-off-by: Ben Hutchings <>
4 years agonet/mlx4_core: Fix racy CQ (Completion Queue) free
Jack Morgenstein [Mon, 16 Jan 2017 16:31:37 +0000 (18:31 +0200)]
net/mlx4_core: Fix racy CQ (Completion Queue) free

commit 291c566a28910614ce42d0ffe82196eddd6346f4 upstream.

In function mlx4_cq_completion() and mlx4_cq_event(), the
radix_tree_lookup requires a rcu_read_lock.
This is mandatory: if another core frees the CQ, it could
run the radix_tree_node_rcu_free() call_rcu() callback while
its being used by the radix tree lookup function.

Additionally, in function mlx4_cq_event(), since we are adding
the rcu lock around the radix-tree lookup, we no longer need to take
the spinlock. Also, the synchronize_irq() call for the async event
eliminates the need for incrementing the cq reference count in

Other changes:
1. In function mlx4_cq_free(), replace spin_lock_irq with spin_lock:
   we no longer take this spinlock in the interrupt context.
   The spinlock here, therefore, simply protects against different
   threads simultaneously invoking mlx4_cq_free() for different cq's.

2. In function mlx4_cq_free(), we move the radix tree delete to before
   the synchronize_irq() calls. This guarantees that we will not
   access this cq during any subsequent interrupts, and therefore can
   safely free the CQ after the synchronize_irq calls. The rcu_read_lock
   in the interrupt handlers only needs to protect against corrupting the
   radix tree; the interrupt handlers may access the cq outside the
   rcu_read_lock due to the synchronize_irq calls which protect against
   premature freeing of the cq.

3. In function mlx4_cq_event(), we change the mlx_warn message to mlx4_dbg.

4. We leave the cq reference count mechanism in place, because it is
   still needed for the cq completion tasklet mechanism.

Fixes: 6d90aa5cf17b ("net/mlx4_core: Make sure there are no pending async events when freeing CQ")
Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
Signed-off-by: Jack Morgenstein <>
Signed-off-by: Matan Barak <>
Signed-off-by: Tariq Toukan <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agosvcrpc: don't leak contexts on PROC_DESTROY
J. Bruce Fields [Mon, 9 Jan 2017 22:15:18 +0000 (17:15 -0500)]
svcrpc: don't leak contexts on PROC_DESTROY

commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.

Context expiry times are in units of seconds since boot, not unix time.

The use of get_seconds() here therefore sets the expiry time decades in
the future.  This prevents timely freeing of contexts destroyed by
client RPC_GSS_PROC_DESTROY requests.  We'd still free them eventually
(when the module is unloaded or the container shut down), but a lot of
contexts could pile up before then.

Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
Reported-by: Andy Adamson <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Ben Hutchings <>
4 years agoi2c: fix kernel memory disclosure in dev interface
Vlad Tsyrklevich [Mon, 9 Jan 2017 15:53:36 +0000 (22:53 +0700)]
i2c: fix kernel memory disclosure in dev interface

commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream.

i2c_smbus_xfer() does not always fill an entire block, allowing
kernel stack memory disclosure through the temp variable. Clear
it before it's read to.

Signed-off-by: Vlad Tsyrklevich <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
4 years agommc: mxs-mmc: Fix additional cycles after transmission stop
Stefan Wahren [Thu, 5 Jan 2017 19:24:04 +0000 (19:24 +0000)]
mmc: mxs-mmc: Fix additional cycles after transmission stop

commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.

According to the code the intention is to append 8 SCK cycles
instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
will never happened because it's an AC command not an ADTC command.
So fix this by moving the statement into the right function.

Signed-off-by: Stefan Wahren <>
Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
Signed-off-by: Ulf Hansson <>
Signed-off-by: Ben Hutchings <>
4 years agoxhci: fix deadlock at host remove by running watchdog correctly
Mathias Nyman [Wed, 11 Jan 2017 15:10:34 +0000 (17:10 +0200)]
xhci: fix deadlock at host remove by running watchdog correctly

commit d6169d04097fd9ddf811e63eae4e5cd71e6666e2 upstream.

If a URB is killed while the host is removed we can end up in a situation
where the hub thread takes the roothub device lock, and waits for
the URB to be given back by xhci-hcd, blocking the host remove code.

xhci-hcd tries to stop the endpoint and give back the urb, but can't
as the host is removed from PCI bus at the same time, preventing the normal
way of giving back urb.

Instead we need to rely on the stop command timeout function to give back
the urb. This xhci_stop_endpoint_command_watchdog() timeout function
used a XHCI_STATE_DYING flag to indicate if the timeout function is already
running, but later this flag has been taking into use in other places to
mark that xhci is dying.

Remove checks for XHCI_STATE_DYING in xhci_urb_dequeue. We are still
checking that reading from pci state does not return 0xffffffff or that
host is not halted before trying to stop the endpoint.

This whole area of stopping endpoints, giving back URBs, and the wathdog
timeout need rework, this fix focuses on solving a specific deadlock
issue that we can then send to stable before any major rework.

Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: the checks look slightly different]
Signed-off-by: Ben Hutchings <>
4 years agogro: use min_t() in skb_gro_reset_offset()
Eric Dumazet [Wed, 11 Jan 2017 03:52:43 +0000 (19:52 -0800)]
gro: use min_t() in skb_gro_reset_offset()

commit 7cfd5fd5a9813f1430290d20c0fead9b4582a307 upstream.

On 32bit arches, (skb->end - skb->data) is not 'unsigned int',
so we shall use min_t() instead of min() to avoid a compiler error.

Fixes: 1272ce87fa01 ("gro: Enter slow-path if there is no tailroom")
Reported-by: kernel test robot <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: fix control-message error handling
Johan Hovold [Fri, 6 Jan 2017 18:15:18 +0000 (19:15 +0100)]
USB: serial: ch341: fix control-message error handling

commit 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae upstream.

A short control transfer would currently fail to be detected, something
which could lead to stale buffer data being used as valid input.

Check for short transfers, and make sure to log any transfer errors.

Note that this also avoids leaking heap data to user space (TIOCMGET)
and the remote device (break control).

Fixes: 6ce76104781a ("USB: Driver for CH341 USB-serial adaptor")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agovme: Fix wrong pointer utilization in ca91cx42_slave_get
Augusto Mecking Caringi [Tue, 10 Jan 2017 10:45:00 +0000 (10:45 +0000)]
vme: Fix wrong pointer utilization in ca91cx42_slave_get

commit c8a6a09c1c617402cc9254b2bc8da359a0347d75 upstream.

In ca91cx42_slave_get function, the value pointed by vme_base pointer is
set through:

*vme_base = ioread32(bridge->base + CA91CX42_VSI_BS[i]);

So it must be dereferenced to be used in calculation of pci_base:

*pci_base = (dma_addr_t)*vme_base + pci_offset;

This bug was caught thanks to the following gcc warning:

drivers/vme/bridges/vme_ca91cx42.c: In function ‘ca91cx42_slave_get’:
drivers/vme/bridges/vme_ca91cx42.c:467:14: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
*pci_base = (dma_addr_t)vme_base + pci_offset;

Signed-off-by: Augusto Mecking Caringi <>
Acked-By: Martyn Welch <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agosysrq: attach sysrq handler correctly for 32-bit kernel
Akinobu Mita [Thu, 5 Jan 2017 17:14:16 +0000 (02:14 +0900)]
sysrq: attach sysrq handler correctly for 32-bit kernel

commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream.

The sysrq input handler should be attached to the input device which has
a left alt key.

On 32-bit kernels, some input devices which has a left alt key cannot
attach sysrq handler.  Because the keybit bitmap in struct input_device_id
for sysrq is not correctly initialized.  KEY_LEFTALT is 56 which is
greater than BITS_PER_LONG on 32-bit kernels.

I found this problem when using a matrix keypad device which defines
a KEY_LEFTALT (56) but doesn't have a KEY_O (24 == 56%32).

Cc: Jiri Slaby <>
Signed-off-by: Akinobu Mita <>
Acked-by: Dmitry Torokhov <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoocfs2: fix crash caused by stale lvb with fsdlm plugin
Eric Ren [Wed, 11 Jan 2017 00:57:33 +0000 (16:57 -0800)]
ocfs2: fix crash caused by stale lvb with fsdlm plugin

commit e7ee2c089e94067d68475990bdeed211c8852917 upstream.

The crash happens rather often when we reset some cluster nodes while
nodes contend fiercely to do truncate and append.

The crash backtrace is below:

   dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover_grant 1 locks on 971 resources
   dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover 9 generation 5 done: 4 ms
   ocfs2: Begin replay journal (node 318952601, slot 2) on device (253,18)
   ocfs2: End replay journal (node 318952601, slot 2) on device (253,18)
   ocfs2: Beginning quota recovery on device (253,18) for slot 2
   ocfs2: Finishing quota recovery on device (253,18) for slot 2
   (truncate,30154,1):ocfs2_truncate_file:470 ERROR: bug expression: le64_to_cpu(fe->i_size) != i_size_read(inode)
   (truncate,30154,1):ocfs2_truncate_file:470 ERROR: Inode 290321, inode i_size = 732 != di i_size = 937, i_flags = 0x1
   ------------[ cut here ]------------
   kernel BUG at /usr/src/linux/fs/ocfs2/file.c:470!
   invalid opcode: 0000 [#1] SMP
   Modules linked in: ocfs2_stack_user(OEN) ocfs2(OEN) ocfs2_nodemanager ocfs2_stackglue(OEN) quota_tree dlm(OEN) configfs fuse sd_mod    iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs softdog xfs libcrc32c ppdev parport_pc pcspkr parport      joydev virtio_balloon virtio_net i2c_piix4 acpi_cpufreq button processor ext4 crc16 jbd2 mbcache ata_generic cirrus virtio_blk ata_piix               drm_kms_helper ahci syscopyarea libahci sysfillrect sysimgblt fb_sys_fops ttm floppy libata drm virtio_pci virtio_ring uhci_hcd virtio ehci_hcd       usbcore serio_raw usb_common sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
   Supported: No, Unsupported modules are loaded
   CPU: 1 PID: 30154 Comm: truncate Tainted: G           OE   N  4.4.21-69-default #1
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
   task: ffff88004ff6d240 ti: ffff880074e68000 task.ti: ffff880074e68000
   RIP: 0010:[<ffffffffa05c8c30>]  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]
   RSP: 0018:ffff880074e6bd50  EFLAGS: 00010282
   RAX: 0000000000000074 RBX: 000000000000029e RCX: 0000000000000000
   RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
   RBP: ffff880074e6bda8 R08: 000000003675dc7a R09: ffffffff82013414
   R10: 0000000000034c50 R11: 0000000000000000 R12: ffff88003aab3448
   R13: 00000000000002dc R14: 0000000000046e11 R15: 0000000000000020
   FS:  00007f839f965700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
   CR2: 00007f839f97e000 CR3: 0000000036723000 CR4: 00000000000006e0
   Call Trace:
     ocfs2_setattr+0x698/0xa90 [ocfs2]
   Code: 24 28 ba d6 01 00 00 48 c7 c6 30 43 62 a0 8b 41 2c 89 44 24 08 48 8b 41 20 48 c7 c1 78 a3 62 a0 48 89 04 24 31 c0 e8 a0 97 f9 ff <0f> 0b 3d 00 fe ff ff 0f 84 ab fd ff ff 83 f8 fc 0f 84 a2 fd ff
   RIP  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]

It's because ocfs2_inode_lock() get us stale LVB in which the i_size is
not equal to the disk i_size.  We mistakenly trust the LVB because the
underlaying fsdlm dlm_lock() doesn't set lkb_sbflags with
DLM_SBF_VALNOTVALID properly for us.  But, why?

The current code tries to downconvert lock without DLM_LKF_VALBLK flag
to tell o2cb don't update RSB's LVB if it's a PR->NULL conversion, even
if the lock resource type needs LVB.  This is not the right way for

The fsdlm plugin behaves different on DLM_LKF_VALBLK, it depends on
DLM_LKF_VALBLK to decide if we care about the LVB in the LKB.  If
DLM_LKF_VALBLK is not set, fsdlm will skip recovering RSB's LVB from
this lkb and set the right DLM_SBF_VALNOTVALID appropriately when node
failure happens.

The following diagram briefly illustrates how this crash happens:

RSB1 is inode metadata lock resource with LOCK_TYPE_USES_LVB;

The 1st round:

             Node1                                    Node2
                                                  RSB1(master): NULL->EX
ocfs2_downconvert_lock(PR->NULL, set_lvb==0)
  ocfs2_dlm_lock(no DLM_LKF_VALBLK)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

dlm_lock(no DLM_LKF_VALBLK)
  convert_lock(overwrite lkb->lkb_exflags
               with no DLM_LKF_VALBLK)

RSB1: NULL                                        RSB1: EX
                                                  reset Node2

/* The LVB is not trustable if the node with EX fails and
 * no lock >= PR is left. We should set RSB_VALNOTVALID for RSB1.

 if(!(kb_exflags & DLM_LKF_VALBLK)) /* This means we miss the chance to
           return;                   * to invalid the LVB here.

The 2nd round:

         Node 1                                Node2
RSB1(become master from recovery)

    /* dlm_lock() return the stale lvb without setting DLM_SBF_VALNOTVALID */
    ocfs2_meta_lvb_is_trustable() return 1 /* so we don't refresh inode from disk */
      mlog_bug_on_msg(disk isize != i_size_read(inode))  /* crash! */

The fix is quite straightforward.  We keep to set DLM_LKF_VALBLK flag
for dlm_lock() if the lock resource type needs LVB and the fsdlm plugin
is uesed.

Signed-off-by: Eric Ren <>
Reviewed-by: Joseph Qi <>
Cc: Mark Fasheh <>
Cc: Joel Becker <>
Cc: Junxiao Bi <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agogro: Disable frag0 optimization on IPv6 ext headers
Herbert Xu [Tue, 10 Jan 2017 20:24:15 +0000 (12:24 -0800)]
gro: Disable frag0 optimization on IPv6 ext headers

commit 57ea52a865144aedbcd619ee0081155e658b6f7d upstream.

The GRO fast path caches the frag0 address.  This address becomes
invalid if frag0 is modified by pskb_may_pull or its variants.
So whenever that happens we must disable the frag0 optimization.

This is usually done through the combination of gro_header_hard
and gro_header_slow, however, the IPv6 extension header path did
the pulling directly and would continue to use the GRO fast path

This patch fixes it by disabling the fast path when we enter the
IPv6 extension header path.

Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address")
Reported-by: Slava Shwartsman <>
Signed-off-by: Herbert Xu <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agogro: Enter slow-path if there is no tailroom
Herbert Xu [Tue, 10 Jan 2017 20:24:01 +0000 (12:24 -0800)]
gro: Enter slow-path if there is no tailroom

commit 1272ce87fa017ca4cf32920764d879656b7a005a upstream.

The GRO path has a fast-path where we avoid calling pskb_may_pull
and pskb_expand by directly accessing frag0.  However, this should
only be done if we have enough tailroom in the skb as otherwise
we'll have to expand it later anyway.

This patch adds the check by capping frag0_len with the skb tailroom.

Fixes: cb18978cbf45 ("gro: Open-code final pskb_may_pull")
Reported-by: Slava Shwartsman <>
Signed-off-by: Herbert Xu <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
Mark Rutland [Fri, 6 Jan 2017 12:12:47 +0000 (13:12 +0100)]
ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs

commit ddc37832a1349f474c4532de381498020ed71d31 upstream.

On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an
undefined instruction trap within write_wb_reg. This is because Scorpion
CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if
the core is not powered down. When DBGPRSR.SPD is set, breakpoint and
watchpoint registers are treated as undefined.

It's possible to trigger similar crashes later on from userspace, by
requesting the kernel to install a breakpoint or watchpoint, as we can
go idle at any point between the reset of the debug registers and their
later use. This has always been the case.

Given that this has always been broken, no-one has complained until now,
and there is no clear workaround, disable hardware breakpoints and
watchpoints on Scorpion to avoid these issues.

Signed-off-by: Mark Rutland <>
Reported-by: Linus Walleij <>
Reviewed-by: Stephen Boyd <>
Acked-by: Will Deacon <>
Cc: Russell King <>
Signed-off-by: Russell King <>
[bwh: Backported to 3.2:
 - Open-code read_cpuid_part()
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: fix baud rate and line-control handling
Johan Hovold [Fri, 6 Jan 2017 18:15:16 +0000 (19:15 +0100)]
USB: serial: ch341: fix baud rate and line-control handling

commit 55fa15b5987db22b4f35d3f0798928c126be5f1c upstream.

Revert to using direct register writes to set the divisor and
line-control registers.

A recent change switched to using the init vendor command to update
these registers, something which also enabled support for CH341A
devices. It turns out that simply setting bit 7 in the divisor register
is sufficient to support CH341A and specifically prevent data from being
buffered until a full endpoint-size packet (32 bytes) has been received.

Using the init command also had the side-effect of temporarily
deasserting the DTR/RTS signals on every termios change (including
initialisation on open) something which for example could cause problems
in setups where DTR is used to trigger a reset.

Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: fix resume after reset
Johan Hovold [Fri, 6 Jan 2017 18:15:14 +0000 (19:15 +0100)]
USB: serial: ch341: fix resume after reset

commit ce5e292828117d1b71cbd3edf9e9137cf31acd30 upstream.

Fix reset-resume handling which failed to resubmit the read and
interrupt URBs, thereby leaving a port that was open before suspend in a
broken state until closed and reopened.

Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after
Fixes: 2bfd1c96a9fb ("USB: serial: ch341: remove reset_resume callback")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2:
 - Move initialisation of 'serial' up to make this work
 - Delete the call to usb_serial_resume() that was still present and
   would be redundant with usb_serial_generic_resume()
 - Open-code tty_port_initialized()]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: fix open error handling
Johan Hovold [Fri, 6 Jan 2017 18:15:13 +0000 (19:15 +0100)]
USB: serial: ch341: fix open error handling

commit f2950b78547ffb8475297ada6b92bc2d774d5461 upstream.

Make sure to stop the interrupt URB before returning on errors during

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: fix modem-control and B0 handling
Johan Hovold [Fri, 6 Jan 2017 18:15:12 +0000 (19:15 +0100)]
USB: serial: ch341: fix modem-control and B0 handling

commit 030ee7ae52a46a2be52ccc8242c4a330aba8d38e upstream.

The modem-control signals are managed by the tty-layer during open and
should not be asserted prematurely when set_termios is called from
driver open.

Also make sure that the signals are asserted only when changing speed
from B0.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: fix open and resume after B0
Johan Hovold [Fri, 6 Jan 2017 18:15:11 +0000 (19:15 +0100)]
USB: serial: ch341: fix open and resume after B0

commit a20047f36e2f6a1eea4f1fd261aaa55882369868 upstream.

The private baud_rate variable is used to configure the port at open and
reset-resume and must never be set to (and left at) zero or reset-resume
and all further open attempts will fail.

Fixes: aa91def41a7b ("USB: ch341: set tty baud speed according to tty
Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: fix initial modem-control state
Johan Hovold [Fri, 6 Jan 2017 18:15:10 +0000 (19:15 +0100)]
USB: serial: ch341: fix initial modem-control state

commit 4e2da44691cffbfffb1535f478d19bc2dca3e62b upstream.

DTR and RTS will be asserted by the tty-layer when the port is opened
and deasserted on close (if HUPCL is set). Make sure the initial state
is not-asserted before the port is first opened as well.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: reinitialize chip on reconfiguration
Aidan Thornton [Sat, 22 Oct 2016 21:02:24 +0000 (22:02 +0100)]
USB: serial: ch341: reinitialize chip on reconfiguration

commit 4e46c410e050bcac36deadbd8e20449d078204e8 upstream.

Changing the LCR register after initialization does not seem to be reliable
on all chips (particularly not on CH341A). Restructure initialization and
configuration to always reinit the chip on configuration changes instead and
pass the LCR register value directly to the initialization command.

(Note that baud rates above 500kbaud are incorrect, but they're incorrect in
the same way both before and after this patch at least on the CH340G. Fixing
this isn't a priority as higher baud rates don't seem that reliable anyway.)

Cleaned-up version of a patch by Grigori Goronzy

Signed-off-by: Aidan Thornton <>
Reviewed-by: Grigori Goronzy <>
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: tty_struct::termios is a pointer, not a struct]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ch341: add register and USB request definitions
Aidan Thornton [Sat, 22 Oct 2016 21:02:23 +0000 (22:02 +0100)]
USB: serial: ch341: add register and USB request definitions

commit 6fde8d29b0424f292a4ec5dbce01458ad759a41f upstream.

No functional changes, this just gives names to some registers and USB
requests based on Grigori Goronzy's work and WinChipTech's Linux driver
(which reassuringly agree), then uses them in place of magic numbers.
This also renames the misnamed BREAK2 register (actually UART config)

Signed-off-by: Aidan Thornton <>
Reviewed-by: Grigori Goronzy <>
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: ch341: set tty baud speed according to tty struct
Nicolas PLANEL [Sun, 1 Mar 2015 18:47:22 +0000 (13:47 -0500)]
USB: ch341: set tty baud speed according to tty struct

commit aa91def41a7bb1fd65492934ce6bea19202b6080 upstream.

The ch341_set_baudrate() function initialize the device baud speed
according to the value on priv->baud_rate. By default the ch341_open() set
it to a hardcoded value (DEFAULT_BAUD_RATE 9600). Unfortunately, the
tty_struct is not initialized with the same default value. (usually 56700)

This means that the tty_struct and the device baud rate generator are not
synchronized after opening the port.

Fixup is done by calling ch341_set_termios() if tty exist.
Remove unnecessary variable priv->baud_rate setup as it's already done by
Remove unnecessary call to ch341_set_{handshake,baudrate}() in
ch341_open() as there already called in ch341_configure() and

Signed-off-by: Nicolas PLANEL <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: ch341: remove redundant close from open error path
Johan Hovold [Thu, 19 Feb 2015 05:34:41 +0000 (12:34 +0700)]
USB: ch341: remove redundant close from open error path

commit 394a10331a9e43100a8ee293255cfc428c7355ac upstream.

Remove redundant call to ch341_close from error path when submission of
the interrupt urb fails in open.

Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: ch341: forward USB errors to USB serial core
Johan Hovold [Thu, 10 Nov 2011 13:58:28 +0000 (14:58 +0100)]
USB: ch341: forward USB errors to USB serial core

commit 06946a66546aedfc5192645e8fc56081441e378c upstream.

All error messages from stack in open are being forwarded except for
one call to usb_submit_urb. Change this for consistency.

Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoata: sata_mv:- Handle return value of devm_ioremap.
Arvind Yadav [Mon, 12 Dec 2016 17:43:27 +0000 (23:13 +0530)]
ata: sata_mv:- Handle return value of devm_ioremap.

commit 064c3db9c564cc5be514ac21fb4aa26cc33db746 upstream.

Here, If devm_ioremap will fail. It will return NULL.
Then hpriv->base = NULL - 0x20000; Kernel can run into
a NULL-pointer dereference. This error check will avoid
NULL pointer dereference.

Signed-off-by: Arvind Yadav <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Ben Hutchings <>
4 years agoHID: hid-cypress: validate length of report
Greg Kroah-Hartman [Fri, 6 Jan 2017 14:33:36 +0000 (15:33 +0100)]
HID: hid-cypress: validate length of report

commit 1ebb71143758f45dc0fa76e2f48429e13b16d110 upstream.

Make sure we have enough of a report structure to validate before
looking at it.

Reported-by: Benoit Camredon <>
Tested-by: Benoit Camredon <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: fix problems with duplicate endpoint addresses
Alan Stern [Mon, 19 Dec 2016 17:03:41 +0000 (12:03 -0500)]
USB: fix problems with duplicate endpoint addresses

commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.

When checking a new device's descriptors, the USB core does not check
for duplicate endpoint addresses.  This can cause a problem when the
sysfs files for those endpoints are created; trying to create multiple
files with the same name will provoke a WARNING:

WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
sysfs: cannot create duplicate filename
Kernel panic - not syncing: panic_on_warn set ...

CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
 ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
 ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
 [<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
 [<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
 [<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
 [<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
 [<     inline     >] create_dir lib/kobject.c:71
 [<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
 [<     inline     >] kobject_add_varg lib/kobject.c:366
 [<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
 [<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
 [<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
 [<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
 [<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
 [<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
 [<ffffffff82cc9e2e>] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
 [<ffffffff82caa7fa>] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263

This patch prevents the problem by checking for duplicate endpoint
addresses during enumeration and skipping any duplicates.

Signed-off-by: Alan Stern <>
Reported-by: Andrey Konovalov <>
Tested-by: Andrey Konovalov <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agousb: musb: Fix trying to free already-free IRQ 4
Tony Lindgren [Wed, 4 Jan 2017 00:13:48 +0000 (18:13 -0600)]
usb: musb: Fix trying to free already-free IRQ 4

commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.

When unloading omap2430, we can get the following splat:

WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
Trying to free already-free IRQ 4
[<c01a8b78>] (free_irq) from [<bf0aea84>]
(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
[<bf0aea84>] (musbhs_dma_controller_destroy [musb_hdrc]) from
[<bf09f88c>] (musb_remove+0xf0/0x12c [musb_hdrc])
[<bf09f88c>] (musb_remove [musb_hdrc]) from [<c056a384>]

This is because the irq number in use is 260 nowadays, and the dma
controller is using u8 instead of int.

Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
Signed-off-by: Tony Lindgren <>
[ added Fixes tag]
Signed-off-by: Bin Liu <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agox86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command...
Lukasz Odzioba [Wed, 28 Dec 2016 13:55:40 +0000 (14:55 +0100)]
x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option

commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream.

A negative number can be specified in the cmdline which will be used as
setup_clear_cpu_cap() argument. With that we can clear/set some bit in
memory predceeding boot_cpu_data/cpu_caps_cleared which may cause kernel
to misbehave. This patch adds lower bound check to setup_disablecpuid().

Boris Petkov reproduced a crash:

  [    1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
  [    1.236535] IP: memcpy_erms+0x6/0x10

Signed-off-by: Lukasz Odzioba <>
Acked-by: Borislav Petkov <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
4 years agoiommu/amd: Fix the left value check of cmd buffer
Huang Rui [Mon, 12 Dec 2016 12:28:26 +0000 (07:28 -0500)]
iommu/amd: Fix the left value check of cmd buffer

commit 432abf68a79332282329286d190e21fe3ac02a31 upstream.

The generic command buffer entry is 128 bits (16 bytes), so the offset
of tail and head pointer should be 16 bytes aligned and increased with
0x10 per command.

When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE.

So when left space of cmd buf should be able to store only two
command, we should be issued one COMPLETE_WAIT additionally to wait
all older commands completed. Then the left space should be increased
after IOMMU fetching from cmd buf.

So left check value should be left <= 0x20 (two commands).

Signed-off-by: Huang Rui <>
Fixes: ac0ea6e92b222 ('x86/amd-iommu: Improve handling of full command buffer')
Signed-off-by: Joerg Roedel <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: ti_usb_3410_5052: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:40:03 +0000 (16:40 +0100)]
USB: serial: ti_usb_3410_5052: fix NULL-deref at open

commit ef079936d3cd09e63612834fe2698eeada0d8e3f upstream.

Fix NULL-pointer dereference in open() should a malicious device lack
the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
[<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial])

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: spcp8x5: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:40:02 +0000 (16:40 +0100)]
USB: serial: spcp8x5: fix NULL-deref at open

commit cc0909248258f679c4bb4cd315565d40abaf6bc6 upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]

Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: pl2303: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:40:00 +0000 (16:40 +0100)]
USB: serial: pl2303: fix NULL-deref at open

commit 76ab439ed1b68778e9059c79ecc5d14de76c89a8 upstream.

Fix NULL-pointer dereference in open() should a type-0 or type-1 device
lack the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
PC is at pl2303_open+0x38/0xec [pl2303]

Note that a missing interrupt-in endpoint would have caused open() to

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: oti6858: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:59 +0000 (16:39 +0100)]
USB: serial: oti6858: fix NULL-deref at open

commit 5afeef2366db14587b65558bbfd5a067542e07fb upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
PC is at oti6858_open+0x30/0x1d0 [oti6858]

Note that a missing interrupt-in endpoint would have caused open() to

Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: omninet: fix NULL-derefs at open and disconnect
Johan Hovold [Tue, 3 Jan 2017 15:39:58 +0000 (16:39 +0100)]
USB: serial: omninet: fix NULL-derefs at open and disconnect

commit a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e upstream.

Fix NULL-pointer dereferences at open() and disconnect() should the
device lack the expected bulk-out endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 000000b4
[c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
[<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
[<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
[<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
[<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])

Unable to handle kernel NULL pointer dereference at virtual address 00000234
[<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: mos7840: fix misleading interrupt-URB comment
Johan Hovold [Tue, 3 Jan 2017 15:39:57 +0000 (16:39 +0100)]
USB: serial: mos7840: fix misleading interrupt-URB comment

commit 472d7e55d559aa1cbf58c73b14fcfc4651b1a9f5 upstream.

The interrupt URB is killed at final port close since commit
0de9a7024e7a ("USB: overhaul of mos7840 driver").

Fixes: 0de9a7024e7a ("USB: overhaul of mos7840 driver")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: mos7840: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:55 +0000 (16:39 +0100)]
USB: serial: mos7840: fix NULL-deref at open

commit 5c75633ef751dd4cd8f443dc35152c1ae563162e upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
PC is at mos7840_open+0x88/0x8dc [mos7840]

Note that we continue to treat the interrupt-in endpoint as optional for

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: mos7720: fix parallel probe
Johan Hovold [Tue, 3 Jan 2017 15:39:53 +0000 (16:39 +0100)]
USB: serial: mos7720: fix parallel probe

commit fde1faf872ed86d88e245191bc15a8e57368cd1c upstream.

A static usb-serial-driver structure that is used to initialise the
interrupt URB was modified during probe depending on the currently
probed device type, something which could break a parallel probe of a
device of a different type.

Fix this up by overriding the default completion callback for MCS7715
devices in attach() instead. We may want to use two usb-serial driver
instances for the two types later.

Fixes: fb088e335d78 ("USB: serial: add support for serial port on the
moschip 7715")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: mos7720: fix parport use-after-free on probe errors
Johan Hovold [Tue, 3 Jan 2017 15:39:52 +0000 (16:39 +0100)]
USB: serial: mos7720: fix parport use-after-free on probe errors

commit 75dd211e773afcbc264677b0749d1cf7d937ab2d upstream.

Do not submit the interrupt URB until after the parport has been
successfully registered to avoid another use-after-free in the
completion handler when accessing the freed parport private data in case
of a racing completion.

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel
port on moschip 7715")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: mos7720: fix use-after-free on probe errors
Johan Hovold [Tue, 3 Jan 2017 15:39:51 +0000 (16:39 +0100)]
USB: serial: mos7720: fix use-after-free on probe errors

commit 91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3 upstream.

The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:

Unable to handle kernel paging request at virtual address 6b6b6be7
[<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
[<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
[<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel
port on moschip 7715")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: mos7720: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:50 +0000 (16:39 +0100)]
USB: serial: mos7720: fix NULL-deref at open

commit b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc upstream.

Fix NULL-pointer dereference at port open if a device lacks the expected
bulk in and out endpoints.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
[<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
[<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: kobil_sct: fix NULL-deref in write
Johan Hovold [Tue, 3 Jan 2017 15:39:49 +0000 (16:39 +0100)]
USB: serial: kobil_sct: fix NULL-deref in write

commit 21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09 upstream.

Fix NULL-pointer dereference in write() should the device lack the
expected interrupt-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000054
PC is at kobil_write+0x144/0x2a0 [kobil_sct]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: keyspan_pda: verify endpoints at probe
Johan Hovold [Tue, 3 Jan 2017 15:39:48 +0000 (16:39 +0100)]
USB: serial: keyspan_pda: verify endpoints at probe

commit 5d9b0f859babe96175cd33d7162a9463a875ffde upstream.

Check for the expected endpoints in attach() and fail loudly if not

Note that failing to do this appears to be benign since da280e348866
("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
NULL-pointer dereference in write() by never marking a non-existent
write-urb as free.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: iuu_phoenix: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:47 +0000 (16:39 +0100)]
USB: serial: iuu_phoenix: fix NULL-deref at open

commit 90507d54f712d81b74815ef3a4bbb555cd9fab2f upstream.

Fix NULL-pointer dereference at open should the device lack a bulk-in or
bulk-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
PC is at iuu_open+0x78/0x59c [iuu_phoenix]

Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: io_ti: fix another NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:44 +0000 (16:39 +0100)]
USB: serial: io_ti: fix another NULL-deref at open

commit 4f9785cc99feeb3673993b471f646b4dbaec2cc1 upstream.

In case a device is left in "boot-mode" we must not register any port
devices in order to avoid a NULL-pointer dereference on open due to
missing endpoints. This could be used by a malicious device to trigger
an OOPS:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
[<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
[<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2:
 - No heartbeat_work to initialise earlier
 - No separate port_probe and port_remove operations, so add check for null
   port pointers in edge_release()
 - Adjust context]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: io_ti: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:43 +0000 (16:39 +0100)]
USB: serial: io_ti: fix NULL-deref at open

commit a323fefc6f5079844dc62ffeb54f491d0242ca35 upstream.

Fix NULL-pointer dereference when clearing halt at open should a
malicious device lack the expected endpoints when in download mode.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
[<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
[<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: io_edgeport: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:42 +0000 (16:39 +0100)]
USB: serial: io_edgeport: fix NULL-deref at open

commit 0dd408425eb21ddf26a692b3c8044c9e7d1a7948 upstream.

Fix NULL-pointer dereference when initialising URBs at open should a
non-EPIC device lack a bulk-in or interrupt-in endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000028
PC is at edge_open+0x24c/0x3e8 [io_edgeport]

Note that the EPIC-device probe path has the required sanity checks so
this makes those checks partially redundant.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: garmin_gps: fix memory leak on failed URB submit
Johan Hovold [Tue, 3 Jan 2017 15:39:41 +0000 (16:39 +0100)]
USB: serial: garmin_gps: fix memory leak on failed URB submit

commit c4ac4496e835b78a45dfbf74f6173932217e4116 upstream.

Make sure to free the URB transfer buffer in case submission fails (e.g.
due to a disconnect).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: serial: cyberjack: fix NULL-deref at open
Johan Hovold [Tue, 3 Jan 2017 15:39:40 +0000 (16:39 +0100)]
USB: serial: cyberjack: fix NULL-deref at open

commit 3dca01114dcecb1cf324534cd8d75fd1306a516b upstream.

Fix NULL-pointer dereference when clearing halt at open should the device
lack a bulk-out endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
PC is at cyberjack_open+0x40/0x9c [cyberjack]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <>
[bwh: Backported to 3.2: add this check to the existing
 usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <>
4 years agoxhci: free xhci virtual devices with leaf nodes first
Mathias Nyman [Tue, 3 Jan 2017 16:28:43 +0000 (18:28 +0200)]
xhci: free xhci virtual devices with leaf nodes first

commit ee8665e28e8d90ce69d4abe5a469c14a8707ae0e upstream.

the tt_info provided by a HS hub might be in use to by a child device
Make sure we free the devices in the correct order.

This is needed in special cases such as when xhci controller is
reset when resuming from hibernate, and all virt_devices are freed.

Also free the virt_devices starting from max slot_id as children
more commonly have higher slot_id than parent.

Reported-by: Guenter Roeck <>
Tested-by: Guenter Roeck <>
Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
4 years agoUSB: gadgetfs: fix checks of wTotalLength in config descriptors
Alan Stern [Fri, 9 Dec 2016 20:24:24 +0000 (15:24 -0500)]
USB: gadgetfs: fix checks of wTotalLength in config descriptors

commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.

Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user.  In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE).  And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).

This patch adds the additional check and fixes the existing check.  It
may do a little more than strictly necessary, but one extra check
won't hurt.

Signed-off-by: Alan Stern <>
CC: Andrey Konovalov <>
Signed-off-by: Felipe Balbi <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: gadgetfs: fix use-after-free bug
Alan Stern [Fri, 9 Dec 2016 20:18:43 +0000 (15:18 -0500)]
USB: gadgetfs: fix use-after-free bug

commit add333a81a16abbd4f106266a2553677a165725f upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN use-after-free bug report in gadgetfs:

BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
 ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
Call Trace:
 <IRQ> [  201.343209]  [<     inline     >] __dump_stack lib/dump_stack.c:15
 <IRQ> [  201.343209]  [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<     inline     >] kasan_report mm/kasan/report.c:306
 [<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
 [<     inline     >] config_buf drivers/usb/gadget/legacy/inode.c:1298
 [<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
 [<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
 [<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
 [<     inline     >] expire_timers kernel/time/timer.c:1348
 [<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
 [<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
 [<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284

The cause of the bug is subtle.  The dev_config() routine gets called
twice by the fuzzer.  The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev->hs_config to be set.  But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.

The second time dev_config() is called, the user data contains only a
full-speed config descriptor.  But dev->hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config.  Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.

The fix is simple: Clear dev->hs_config if the passed-in data does not
contain a high-speed config descriptor.

Signed-off-by: Alan Stern <>
Reported-by: Andrey Konovalov <>
Tested-by: Andrey Konovalov <>
Signed-off-by: Felipe Balbi <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: gadgetfs: fix unbounded memory allocation bug
Alan Stern [Fri, 9 Dec 2016 20:17:46 +0000 (15:17 -0500)]
USB: gadgetfs: fix unbounded memory allocation bug

commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:

BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
 ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
 [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:308
 [<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
 [<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
 [<     inline     >] copy_from_user arch/x86/include/asm/uaccess.h:689
 [<     inline     >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
 [<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
 [<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
 [<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<     inline     >] SYSC_write fs/read_write.c:607
 [<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
 [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.

This patch fixes the warning.  It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.

Signed-off-by: Alan Stern <>
Reported-by: Andrey Konovalov <>
Tested-by: Andrey Konovalov <>
Signed-off-by: Felipe Balbi <>
[bwh: Backported to 3.2 adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agousb: gadgetfs: restrict upper bound on device configuration size
Greg Kroah-Hartman [Tue, 6 Dec 2016 07:36:29 +0000 (08:36 +0100)]
usb: gadgetfs: restrict upper bound on device configuration size

commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.

Andrey Konovalov reported that we were not properly checking the upper
limit before of a device configuration size before calling
memdup_user(), which could cause some problems.

So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.

Reported-by: Andrey Konovalov <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Felipe Balbi <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
4 years agoUSB: dummy-hcd: fix bug in stop_activity (handle ep0)
Alan Stern [Wed, 14 Dec 2016 19:55:56 +0000 (14:55 -0500)]
USB: dummy-hcd: fix bug in stop_activity (handle ep0)

commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.

The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things.  But it
doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
like the following:

WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
 [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
 [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
 [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
 [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
 [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357

This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.

Signed-off-by: Alan Stern <>
Reported-by: Andrey Konovalov <>
Signed-off-by: Felipe Balbi <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
4 years agousb: gadget: composite: Test get_alt() presence instead of set_alt()
Krzysztof Opasiak [Tue, 20 Dec 2016 18:52:16 +0000 (19:52 +0100)]
usb: gadget: composite: Test get_alt() presence instead of set_alt()

commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream.

By convention (according to doc) if function does not provide
get_alt() callback composite framework should assume that it has only
altsetting 0 and should respond with error if host tries to set
other one.

After commit dd4dff8b035f ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.

Let's fix this check and move comment about why we check the get
method instead of set a little bit closer to prevent future false

Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it")
Signed-off-by: Krzysztof Opasiak <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Ben Hutchings <>
4 years agonet/mlx4: Remove BUG_ON from ICM allocation routine
Leon Romanovsky [Thu, 29 Dec 2016 16:37:11 +0000 (18:37 +0200)]
net/mlx4: Remove BUG_ON from ICM allocation routine

commit c1d5f8ff80ea84768f5fae1ca9d1abfbb5e6bbaa upstream.

This patch removes BUG_ON() macro from mlx4_alloc_icm_coherent()
by checking DMA address alignment in advance and performing proper
folding in case of error.

Fixes: 5b0bf5e25efe ("mlx4_core: Support ICM tables in coherent memory")
Reported-by: Ozgur Karatas <>
Signed-off-by: Leon Romanovsky <>
Signed-off-by: Tariq Toukan <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agonet/mlx4_en: Fix bad WQE issue
Eugenia Emantayev [Thu, 29 Dec 2016 16:37:10 +0000 (18:37 +0200)]
net/mlx4_en: Fix bad WQE issue

commit 6496bbf0ec481966ef9ffe5b6660d8d1b55c60cc upstream.

Single send WQE in RX buffer should be stamped with software
ownership in order to prevent the flow of QP in error in FW
once UPDATE_QP is called.

Fixes: 9f519f68cfff ('mlx4_en: Not using Shared Receive Queues')
Signed-off-by: Eugenia Emantayev <>
Signed-off-by: Tariq Toukan <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agonet: korina: Fix NAPI versus resources freeing
Florian Fainelli [Sat, 24 Dec 2016 03:56:56 +0000 (19:56 -0800)]
net: korina: Fix NAPI versus resources freeing

commit e6afb1ad88feddf2347ea779cfaf4d03d3cd40b6 upstream.

Commit beb0babfb77e ("korina: disable napi on close and restart")
introduced calls to napi_disable() that were missing before,
unfortunately this leaves a small window during which NAPI has a chance
to run, yet we just freed resources since korina_free_ring() has been

Fix this by disabling NAPI first then freeing resource, and make sure
that we also cancel the restart task before doing the resource freeing.

Fixes: beb0babfb77e ("korina: disable napi on close and restart")
Reported-by: Alexandros C. Couloumbis <>
Signed-off-by: Florian Fainelli <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
4 years agonet, sched: fix soft lockup in tc_classify
Daniel Borkmann [Wed, 21 Dec 2016 17:04:11 +0000 (18:04 +0100)]
net, sched: fix soft lockup in tc_classify

commit 628185cfddf1dfb701c4efe2cfd72cf5b09f5702 upstream.

Shahar reported a soft lockup in tc_classify(), where we run into an
endless loop when walking the classifier chain due to tp->next == tp
which is a state we should never run into. The issue only seems to
trigger under load in the tc control path.

What happens is that in tc_ctl_tfilter(), thread A allocates a new
tp, initializes it, sets tp_created to 1, and calls into tp->ops->change()
with it. In that classifier callback we had to unlock/lock the rtnl
mutex and returned with -EAGAIN. One reason why we need to drop there
is, for example, that we need to request an action module to be loaded.

This happens via tcf_exts_validate() -> tcf_action_init/_1() meaning
after we loaded and found the requested action, we need to redo the
whole request so we don't race against others. While we had to unlock
rtnl in that time, thread B's request was processed next on that CPU.
Thread B added a new tp instance successfully to the classifier chain.
When thread A returned grabbing the rtnl mutex again, propagating -EAGAIN
and destroying its tp instance which never got linked, we goto replay
and redo A's request.

This time when walking the classifier chain in tc_ctl_tfilter() for
checking for existing tp instances we had a priority match and found
the tp instance that was created and linked by thread B. Now calling
again into tp->ops->change() with that tp was successful and returned
without error.

tp_created was never cleared in the second round, thus kernel thinks
that we need to link it into the classifier chain (once again). tp and
*back point to the same object due to the match we had earlier on. Thus
for thread B's already public tp, we reset tp->next to tp itself and
link it into the chain, which eventually causes the mentioned endless
loop in tc_classify() once a packet hits the data path.

Fix is to clear tp_created at the beginning of each request, also when
we replay it. On the paths that can cause -EAGAIN we already destroy
the original tp instance we had and on replay we really need to start
from scratch. It seems that this issue was first introduced in commit
12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining
and avoid kernel panic when we use cls_cgroup").

Fixes: 12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining and avoid kernel panic when we use cls_cgroup")
Reported-by: Shahar Klein <>
Signed-off-by: Daniel Borkmann <>
Cc: Cong Wang <>
Acked-by: Eric Dumazet <>
Tested-by: Shahar Klein <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>