commit 2447a018c3226c811528bb70024c6ffd83342a70 Author: Ben Hutchings Date: Sat Nov 11 13:34:06 2017 +0000 Linux 3.16.50 commit 88f33cee187088254441cb6a12b56d68dbd2d36e Author: Pontus Andersson Date: Mon Oct 2 14:45:19 2017 +0200 i2c: ismt: Separate I2C block read from SMBus block read commit c6ebcedbab7ca78984959386012a17b21183e1a3 upstream. Commit b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for block reads") broke I2C block reads. It aimed to fix normal SMBus block read, but changed the correct behavior of I2C block read in the process. According to Documentation/i2c/smbus-protocol, one vital difference between normal SMBus block read and I2C block read is that there is no byte count prefixed in the data sent on the wire: SMBus Block Read: i2c_smbus_read_block_data() S Addr Wr [A] Comm [A] S Addr Rd [A] [Count] A [Data] A [Data] A ... A [Data] NA P I2C Block Read: i2c_smbus_read_i2c_block_data() S Addr Wr [A] Comm [A] S Addr Rd [A] [Data] A [Data] A ... A [Data] NA P Therefore the two transaction types need to be processed differently in the driver by copying of the dma_buffer as done previously for the I2C_SMBUS_I2C_BLOCK_DATA case. 
Fixes: b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for block reads") Signed-off-by: Pontus Andersson Tested-by: Stephen Douthit Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit f63a372e33e3dc51db6cc4dce13bfbd5db6817bf Author: Arnd Bergmann Date: Tue May 9 12:05:01 2017 +0200 net/xen-netback: disable on 64KB page granularity Building the linux-3.16 stable branch, I ran into this warning that shows a serious problem in the xen-netback driver: drivers/net/xen-netback/netback.c: In function 'xenvif_dealloc_kthread': drivers/net/xen-netback/netback.c:2002:1: error: the frame size of 16384 bytes is larger than 2048 bytes [-Werror=frame-larger-than=] The bug was fixed in linux-4.4, but for any older stable kernel we either need to backport that fix, or not use the driver when the page size is set to 64KB. As the proper fix is way bigger than the usual limit for stable backport patches, this adds a Kconfig dependency. Fixes: d0089e8a0e4c ("net/xen-netback: Make it running on 64KB page granularity") Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 476829725f11564a863ce191e9370909bcd42f4b Author: Zubair Lutfullah Kakakhel Date: Mon Jul 14 16:39:19 2014 +0100 MIPS: Fix a warning for virt_to_page commit 4d5b3bdc0ecb0cf5b1e1598eeaaac4b5cb33868d upstream. Compiling mm/highmem.c gives a warning: passing argument 1 of 'virt_to_phys' makes pointer from integer without a cast Fixed by casting to void* Signed-off-by: Zubair Lutfullah Kakakhel Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/7337/ Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 0d9854e37d5d0c79f53a699a93354bf431d28024 Author: Jeff Kirsher Date: Sat May 2 01:20:04 2015 -0700 e1000e: fix call to do_div() to use u64 arg commit 30544af5483755b11bb5924736e9e0b45ef0644a upstream. We were using s64 for lat_ns (latency nano-second value) since in our calculations a negative value could be a resultant. 
For negative values, we then assign lat_ns to be zero, so the value passed to do_div() was never negative, but do_div() expects the argument type to be u64, so do a cast to resolve a compile warning seen on PowerPC. CC: Yanjiang Jin CC: Yanir Lubetkin Reported-by: Yanjiang Jin Signed-off-by: Jeff Kirsher Tested-by: Aaron Brown Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 57805a7fca1c2b2b62b38bbbe38b38d85804c16d Author: Paul Burton Date: Fri Sep 2 15:22:48 2016 +0100 net: ti: cpmac: Fix compiler warning due to type confusion commit 2f5281ba2a8feaf6f0aee93356f350855bb530fc upstream. cpmac_start_xmit() used the max() macro on skb->len (an unsigned int) and ETH_ZLEN (a signed int literal). This led to the following compiler warning: In file included from include/linux/list.h:8:0, from include/linux/module.h:9, from drivers/net/ethernet/ti/cpmac.c:19: drivers/net/ethernet/ti/cpmac.c: In function 'cpmac_start_xmit': include/linux/kernel.h:748:17: warning: comparison of distinct pointer types lacks a cast (void) (&_max1 == &_max2); \ ^ drivers/net/ethernet/ti/cpmac.c:560:8: note: in expansion of macro 'max' len = max(skb->len, ETH_ZLEN); ^ On top of this, it assigned the result of the max() macro to a signed integer whilst all further uses of it result in it being cast to varying widths of unsigned integer. Fix this up by using max_t to ensure the comparison is performed as unsigned integers, and for consistency change the type of the len variable to unsigned int. Signed-off-by: Paul Burton Signed-off-by: David S. Miller Cc: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 38a9d14b20b757a303fe4debcedbc150c74c0eb1 Author: Ralf Baechle Date: Wed Feb 4 12:59:43 2015 +0100 MIPS: elf2ecoff: Ignore PT_MIPS_ABIFLAGS program headers. commit 26f7c4bd05cf34e63a4a794150ab66a40a5a84a9 upstream. These are generated by very recent toolchains and result in an error message when attenpting to convert a kernel from ELF to ECOFF. 
Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit af25de1f9e8bd976bca184242f49bcaece3ec186 Author: Arnd Bergmann Date: Tue May 9 12:04:54 2017 +0200 MIPS: jz4740: fix build error in irq.h kernelci found build error on the 3.16 and 3.18 stable trees that don't show up in later versions: arch/mips/jz4740/irq.h:21:38: error: 'struct irq_data' declared inside parameter list will not be visible outside of this definition or declaration [-Werror] arch/mips/jz4740/irq.h:20:39: error: 'struct irq_data' declared inside parameter list will not be visible outside of this definition or declaration [-Werror] include/linux/irqdesc.h:92:33: error: 'NR_IRQS' undeclared here (not in a function) arch/mips/jz4740/irq.c:91:41: error: 'JZ4740_IRQ_BASE' undeclared (first use in this function) arch/mips/jz4740/irq.c:68:6: error: conflicting types for 'jz4740_irq_resume' arch/mips/jz4740/irq.c:62:6: error: conflicting types for 'jz4740_irq_suspend' arch/mips/jz4740/irq.c:49:39: error: 'JZ4740_IRQ_BASE' undeclared (first use in this function) arch/mips/jz4740/gpio.c:47:32: error: initializer element is not constant arch/mips/jz4740/gpio.c:46:32: error: initializer element is not constant arch/mips/jz4740/gpio.c:45:32: error: initializer element is not constant arch/mips/jz4740/gpio.c:44:32: error: initializer element is not constant arch/mips/jz4740/gpio.c:447:22: error: assignment from incompatible pointer type [-Werror=incompatible-pointer-types] arch/mips/jz4740/gpio.c:446:23: error: assignment from incompatible pointer type [-Werror=incompatible-pointer-types] arch/mips/jz4740/gpio.c:427:14: error: implicit declaration of function 'JZ4740_IRQ_INTC_GPIO' [-Werror=implicit-function-declaration] arch/mips/jz4740/gpio.c:269:9: error: implicit declaration of function 'JZ4740_IRQ_GPIO' [-Werror=implicit-function-declaration] The problem seems to be caused by commit 83bc76920080 ("MIPS: JZ4740: Use generic irq chip") from linux-3.2, but only showed 
up in a defconfig build when qi_lb60_defconfig was added in linux-3.13 and that configuration never successfully built. The code has changed in a number of ways before 4.4, which builds fine. While I did not bisect the problem to a specific change, I found a simple fix by including the obviously missing header. Cc: Lars-Peter Clausen Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 17b9e402f8864261628403985e0dfad96af9e459 Author: Peter Zijlstra (Intel) Date: Tue Dec 16 12:47:34 2014 +0100 perf: Avoid horrible stack usage commit 86038c5ea81b519a8a1fcfcd5e4599aab0cdd119 upstream. Both Linus (most recent) and Steve (a while ago) reported that perf related callbacks have massive stack bloat. The problem is that software events need a pt_regs in order to properly report the event location and unwind stack. And because we could not assume one was present we allocated one on stack and filled it with minimal bits required for operation. Now, pt_regs is quite large, so this is undesirable. Furthermore it turns out that most sites actually have a pt_regs pointer available, making this even more onerous, as the stack space is pointless waste. This patch addresses the problem by observing that software events have well defined nesting semantics, therefore we can use static per-cpu storage instead of on-stack. Linus made the further observation that all but the scheduler callers of perf_sw_event() have a pt_regs available, so we change the regular perf_sw_event() to require a valid pt_regs (where it used to be optional) and add perf_sw_event_sched() for the scheduler. We have a scheduler specific call instead of a more generic _noregs() like construct because we can assume non-recursion from the scheduler and thereby simplify the code further (_noregs would have to put the recursion context call inline in order to assertain which __perf_regs element to use). 
One last note on the implementation of perf_trace_buf_prepare(); we allow .regs = NULL for those cases where we already have a pt_regs pointer available and do not need another. Reported-by: Linus Torvalds Reported-by: Steven Rostedt Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Javi Merino Cc: Linus Torvalds Cc: Mathieu Desnoyers Cc: Oleg Nesterov Cc: Paul Mackerras Cc: Petr Mladek Cc: Steven Rostedt Cc: Tom Zanussi Cc: Vaibhav Nagarnaik Link: http://lkml.kernel.org/r/20141216115041.GW3337@twins.programming.kicks-ass.net Signed-off-by: Ingo Molnar Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 81643dbd14fe01991d0e96aab88dad0d90b9bee1 Author: Lars Ellenberg Date: Fri Mar 20 15:47:22 2015 +0100 drbd: avoid redefinition of BITS_PER_PAGE commit 2630628b2dbc3fc320aafaf84836119e4e3d62f1 upstream. Apparently we now implicitly get definitions for BITS_PER_PAGE and BITS_PER_PAGE_MASK from the pid_namespace.h Instead of renaming our defines, I chose to define only if not yet defined, but to double check the value if already defined. Signed-off-by: Philipp Reisner Signed-off-by: Lars Ellenberg Signed-off-by: Jens Axboe Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit b5c95acc07fda282dccef269e4ac8e6aed381331 Author: Arnd Bergmann Date: Tue Mar 10 17:48:37 2015 +0100 mtd: cfi: reduce stack size commit d09957fbb4d0b059b3176b510540df69048ad170 upstream. The cfi_staa_write_buffers function uses a large amount of kernel stack whenever CONFIG_MTD_MAP_BANK_WIDTH_32 is set, and that results in a warning on ARM allmodconfig builds: drivers/mtd/chips/cfi_cmdset_0020.c: In function 'cfi_staa_write_buffers': drivers/mtd/chips/cfi_cmdset_0020.c:651:1: warning: the frame size of 1208 bytes is larger than 1024 bytes [-Wframe-larger-than=] It turns out that this is largely a result of a suboptimal implementation of map_word_andequal(). 
Replacing this function with a straightforward one reduces the stack size in this function by exactly 200 bytes, shrinks the .text segment for this file from 27648 bytes to 26608 bytes, and makes the warning go away. Signed-off-by: Arnd Bergmann Signed-off-by: Brian Norris Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit c6291fcd19e1eab1fa5fdf7030e285b57580d57f Author: Arnd Bergmann Date: Tue May 9 12:04:49 2017 +0200 staging: r8192ee: prorperly format warning message In stable/linux-3.16.y, we get a warning for 64-bit architectures: drivers/staging/rtl8192ee/pci.c: In function '_rtl_pci_rx_interrupt': include/linux/kern_levels.h:4:18: warning: format '%d' expects argument of type 'int', but argument 2 has type 'sk_buff_data_t {aka unsigned char *}' [-Wformat=] include/linux/kern_levels.h:4:18: warning: format '%d' expects argument of type 'int', but argument 3 has type 'sk_buff_data_t {aka unsigned char *}' [-Wformat=] The driver was removed in 3.18 before this was fixed, so there is no workaround to backport, but it's easy enough to avoid the problem by changing the printk message to something similar that uses proper accessors for the skb fields. Fixes: 78de2c063710 ("staging: r8192ee: Add source files for core driver") Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 7b8920300697cab19fcf0db1e334ffe963580e9c Author: Ralf Baechle Date: Wed Feb 4 13:04:03 2015 +0100 MIPS: elf2ecoff: Fix warning due to dead code. commit 2d76e9633b572ae5a64150b638eed77f4afc12db upstream. 
HOSTCC arch/mips/boot/elf2ecoff arch/mips/boot/elf2ecoff.c: In function ‘main’: arch/mips/boot/elf2ecoff.c:271:8: warning: variable ‘shstrtab’ set but not used [-Wunused-but-set-variable] char *shstrtab; Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 9a642b9a3de2172c1ffba533488727400ed1732d Author: Atsushi Nemoto Date: Sat Jun 28 23:57:13 2014 +0900 MIPS: TXx9: Delete an unused variable in tx4927_pcibios_setup commit 1bc2d3e38e5bf90af4e9d64e1696f2d39757355a upstream. Signed-off-by: Atsushi Nemoto Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/7216/ Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit df4c88630b908881efa9b37d5e5a79caee266305 Author: Alban Bedel Date: Fri Sep 4 14:29:16 2015 +0200 MIPS: Fix the build on jz4740 after removing the custom gpio.h commit 5b235dc2647e4977b17b5c41d959d0f455831c3f upstream. Somehow the wrong version of the patch to remove the use of custom gpio.h on mips has been merged. This patch add the missing fixes for a build error on jz4740 because linux/gpio.h doesn't provide any machine specfics definitions anymore. Signed-off-by: Alban Bedel Cc: Paul Burton Cc: Lars-Peter Clausen Cc: Brian Norris Cc: Thomas Gleixner Cc: Linus Walleij Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/11089/ Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 4d20d309d4cbdd9d07a994bfb696384b5e112041 Author: Sergey Ryazanov Date: Sat Aug 30 06:06:25 2014 +0400 MIPS: MSP71xx: remove odd locking in PCI config space access code commit c4a305374bbf36414515d2ae00d588c67051e67d upstream. Caller (generic PCI code) already do proper locking so no need to add another one here. 
Signed-off-by: Sergey Ryazanov Cc: Linux MIPS Patchwork: https://patchwork.linux-mips.org/patch/7601/ Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 7a63464acde9007e7614729720465d7d11f90b9e Author: Arnd Bergmann Date: Tue Jan 17 16:18:46 2017 +0100 MIPS: ip22: Fix ip28 build for modern gcc commit 23ca9b522383d3b9b7991d8586db30118992af4a upstream. kernelci reports a failure of the ip28_defconfig build after upgrading its gcc version: arch/mips/sgi-ip22/Platform:29: *** gcc doesn't support needed option -mr10k-cache-barrier=store. Stop. The problem apparently is that the -mr10k-cache-barrier=store option is now rejected for CPUs other than r10k. Explicitly including the CPU in the check fixes this and is safe because both options were introduced in gcc-4.4. Signed-off-by: Arnd Bergmann Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/15049/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit ef4127d8d62c86bafd600dc4806290b1f39cc473 Author: Maciej W. Rozycki Date: Sun Jul 30 21:28:15 2017 +0100 MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression commit 68fe55680d0f3342969f49412fceabb90bdfadba upstream. Fix a commit 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in delay slots") regression and remove assembly errors: arch/mips/dec/int-handler.S: Assembler messages: arch/mips/dec/int-handler.S:162: Error: Macro used $at after ".set noat" arch/mips/dec/int-handler.S:163: Error: Macro used $at after ".set noat" arch/mips/dec/int-handler.S:229: Error: Macro used $at after ".set noat" arch/mips/dec/int-handler.S:230: Error: Macro used $at after ".set noat" triggering with with the CPU_DADDI_WORKAROUNDS option set and the DADDIU instruction. This is because with that option in place the instruction becomes a macro, which expands to an LI/DADDU (or actually ADDIU/DADDU) sequence that uses $at as a temporary register. 
With CPU_DADDI_WORKAROUNDS we only support `-msym32' compilation though, and this is already enforced in arch/mips/Makefile, so choose the 32-bit expansion variant for the supported configurations and then replace the 64-bit variant with #error just in case. Fixes: 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in delay slots") Signed-off-by: Maciej W. Rozycki Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/16893/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit ce9f1a813f5e285dc96ceb10981e5f91f90ed6a8 Author: Ralf Baechle Date: Tue Sep 20 14:33:01 2016 +0200 MIPS: DEC: Avoid la pseudo-instruction in delay slots commit 3021773c7c3e75e20b693931a19362681e744ea9 upstream. When expanding the la or dla pseudo-instruction in a delay slot the GNU assembler will complain should the pseudo-instruction expand to multiple actual instructions, since only the first of them will be in the delay slot leading to the pseudo-instruction being only partially executed if the branch is taken. Use of PTR_LA in the dec int-handler.S leads to such warnings: arch/mips/dec/int-handler.S: Assembler messages: arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot Avoid this by open coding the PTR_LA macros. Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 8f5205ecce6ff8fdce1faf16dd5c7b751b52c2f3 Author: Kevin Cernekee Date: Mon Oct 20 21:27:51 2014 -0700 MIPS: BMIPS: Fix ".previous without corresponding .section" warnings commit 4ec8f9e9b08451303253249e4e302f10ee23d565 upstream. Commit 078a55fc824c1 ("Delete __cpuinit/__CPUINIT usage from MIPS code") removed our __CPUINIT directives, so now the ".previous" directives are superfluous. Remove them. 
Signed-off-by: Kevin Cernekee Cc: f.fainelli@gmail.com Cc: mbizon@freebox.fr Cc: jogo@openwrt.org Cc: jfraser@broadcom.com Cc: linux-mips@linux-mips.org Cc: devicetree@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/8156/ Signed-off-by: Ralf Baechle Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit bbe711b4189ff84d9db5dfc8cb75fa9a363ad593 Author: Arnd Bergmann Date: Wed Jan 28 17:54:38 2015 +0100 ARM: 8296/1: cache-l2x0: clean up aurora cache handling commit 20e783e39e55c2615fb61d1b3d139ee9edcf6772 upstream. The aurora cache controller is the only remaining user of a couple of functions in this file and are completely unused when that is disabled, leading to build warnings: arch/arm/mm/cache-l2x0.c:167:13: warning: 'l2x0_cache_sync' defined but not used [-Wunused-function] arch/arm/mm/cache-l2x0.c:184:13: warning: 'l2x0_flush_all' defined but not used [-Wunused-function] arch/arm/mm/cache-l2x0.c:194:13: warning: 'l2x0_disable' defined but not used [-Wunused-function] With the knowledge that the code is now aurora-specific, we can simplify it noticeably: - The pl310 errata workarounds are not needed on aurora and can be removed - As confirmed by Thomas Petazzoni from the data sheet, the cache_wait() macro is never needed. - No need to hold the lock across atomic cache sync - We can load the l2x0_base into a local variable across operations There should be no functional change in this patch, but readability and the generated object code improves, along with avoiding the warnings. 
(on Armada 370 RD and Armada XP GP, boot tested, plus a little bit of DMA traffic by reading data from a SD card) Acked-by: Thomas Petazzoni Tested-by: Thomas Petazzoni Signed-off-by: Arnd Bergmann Signed-off-by: Russell King Signed-off-by: Ben Hutchings commit bb51ea7b935379e35fc600bc760ad041ee850c3b Author: Uwe Kleine-König Date: Wed Sep 24 08:51:57 2014 +0100 ARM: 8160/1: drop warning about return_address not using unwind tables commit e16343c47e4276f5ebc77ca16feb5e50ca1918f9 upstream. The warning was introduced in 2009 (commit 4bf1fa5a34aa ([ARM] 5613/1: implement CALLER_ADDRESSx)). The only "problem" here is that CALLER_ADDRESSx for x > 1 returns NULL which doesn't do much harm. The drawback of implementing a fix (i.e. use unwind tables to implement CALLER_ADDRESSx) is that much of the unwinder code would need to be marked as not traceable. Signed-off-by: Uwe Kleine-König Signed-off-by: Russell King Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit cc05e09817fd95e0d40ae1022077b9a688254197 Author: Tony Lindgren Date: Mon Sep 8 14:29:25 2014 -0700 ARM: OMAP: Fix Kconfig warning for omap1 commit 52aaac5ae52ad9a7016410ffeedbaf24b722f3a2 upstream. Commit 21278aeafbfa ("ARM: use menuconfig for sub-arch menus") improved the sub-arch menus, but accidentally caused new warnings for omap1. This was because the commit added a menu entry around config ARCH_OMAP bool entry where the menu had depends on ARCH_MULTI_V6 || ARCH_MULTI_V7. As ARCH_OMAP is shared between omap1 and omap2plus, let's fix the issue by defining ARCH_OMAP in the shared plat-omap/Kconfig. 
Fixes: 21278aeafbfa ("ARM: use menuconfig for sub-arch menus") Reported-by: Andreas Ruprecht Signed-off-by: Tony Lindgren Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 2c838a79fcc3ebd11459b850058674c8982dca09 Author: Ard Biesheuvel Date: Tue Dec 22 08:24:59 2015 +0100 ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode commit 5008efc83bf85b647aa1cbc44718b1675bbb7444 upstream. The PJ4 inline asm sequence to write to cp15 cannot be built in Thumb-2 mode, due to the way it performs arithmetic on the program counter, so it is built in ARM mode instead. However, building C files in ARM mode under CONFIG_THUMB2_KERNEL is problematic, since the instrumentation performed by subsystems like ftrace does not expect having to deal with interworking branches. Since the sequence in question is simply a poor man's ISB instruction, let's use a straight 'isb' instead when building in Thumb2 mode. Thumb2 implies V7, so 'isb' should always be supported in that case. Acked-by: Arnd Bergmann Acked-by: Nicolas Pitre Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 013a7698d04fa36b148f294deeff1b8d11bbdc79 Author: Ard Biesheuvel Date: Tue Nov 25 13:31:46 2014 +0100 ARM: 8221/1: PJ4: allow building in Thumb-2 mode commit 13d1b9575ac2c2da143cd2236b6cf0fc314570f8 upstream. Two files that get included when building the multi_v7_defconfig target fail to build when selecting THUMB2_KERNEL for this configuration. In both cases, we can just build the file as ARM code, as none of its symbols are exported to modules, so there are no interworking concerns. In the iwmmxt.S case, add ENDPROC() declarations so the symbols are annotated as functions, resulting in the linker to emit the appropriate mode switches. 
Acked-by: Nicolas Pitre Tested-by: Olof Johansson Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 0306358d1f6ed2e5102cccbad9c792345fd7240d Author: Arnd Bergmann Date: Fri May 5 21:47:31 2017 +0200 ARM: cns3xxx: shut up frame size warning This shuts up a warning in the 3.18-stable series that has been fixed in newer kernels with commit 498a92d42596 ("ARM: cns3xxx: pci: avoid potential stack overflow"): arch/arm/mach-cns3xxx/pcie.c: In function 'cns3xxx_pcie_hw_init': arch/arm/mach-cns3xxx/pcie.c:313:1: error: the frame size of 1080 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] The fix that went into v4.4 is known to be buggy and was later fixed again with commit 88e9da9a2a70 ("CNS3xxx: Fix PCI cns3xxx_write_config()"). While we could backport both to 3.18, they are fairly invasive and the warning is definitely harmless here as the call chain is known to not overflow the stack of the init task. This simply adds a Makefile flag to extend the limit for this one file. Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 0cfcc30048609b38004610ef170d101c94f75830 Author: Ingo Molnar Date: Fri Nov 23 19:19:07 2012 +0100 x86/boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h commit 927392d73a97d8d235bb65400e2e3c7f0bec2b6f upstream. Linus reported the following new warning on x86 allmodconfig with GCC 5.1: > ./arch/x86/include/asm/spinlock.h: In function ‘arch_spin_lock’: > ./arch/x86/include/asm/spinlock.h:119:3: warning: implicit declaration > of function ‘__ticket_lock_spinning’ [-Wimplicit-function-declaration] > __ticket_lock_spinning(lock, inc.tail); > ^ This warning triggers because of these hacks in misc.h: /* * we have to be careful, because no indirections are allowed here, and * paravirt_ops is a kind of one. 
As it will only run in baremetal anyway, * we just keep it from happening */ #undef CONFIG_PARAVIRT #undef CONFIG_KASAN But these hacks were not updated when CONFIG_PARAVIRT_SPINLOCKS was added, and eventually (with the introduction of queued paravirt spinlocks in recent kernels) this created an invalid Kconfig combination and broke the build. So add a CONFIG_PARAVIRT_SPINLOCKS #undef line as well. Also remove the _ASM_X86_DESC_H quirk: that undocumented quirk was originally added ages ago, in: 099e1377269a ("x86: use ELF format in compressed images.") and I went back to that kernel (and fixed up the main Makefile which didn't build anymore) and checked what failure it avoided: it avoided an include file dependencies related build failure related to our old x86-platforms code. That old code is long gone, the header dependencies got cleaned up, and the build does not fail anymore with the totality of asm/desc.h included - so remove the quirk. Reported-by: Linus Torvalds Cc: "H. Peter Anvin" Cc: Thomas Gleixner Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit cb21bc8f872c7663c5c03ae9c1bc8a90bb6171b7 Author: Juergen Gross Date: Thu Jun 23 07:12:27 2016 +0200 x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() commit 1cf38741308c64d08553602b3374fb39224eeb5a upstream. xen_cleanhighmap() is operating on level2_kernel_pgt only. The upper bound of the loop setting non-kernel-image entries to zero should not exceed the size of level2_kernel_pgt. Reported-by: Linus Torvalds Signed-off-by: Juergen Gross Signed-off-by: David Vrabel Signed-off-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 287b80fac2c69c490e5163414cd11a24d765b786 Author: Konrad Zapalowicz Date: Wed Aug 6 14:21:21 2014 +0200 staging: dgnc: Fix frame size is larger than 1024B commit ea6e9dea2e72a7abd146a2c5bab726b27f34b36c upstream. 
This comit fixes the following sparse warnign: drivers/staging/dgnc/dgnc_tty.c:572:1: warning: the frame size of 1060 bytes is larger than 1024 bytes [-Wframe-larger-than=] This was caused by having buffer as an automatic variable. This commit moves it from the stack to the heap. Signed-off-by: Konrad Zapalowicz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit e1ecc17d38b93a8230a96d6723f88b57d0477a95 Author: A Raghavendra Rao Date: Thu Aug 7 14:10:39 2014 +0530 Staging: wlan-ng: fix sparse warning in prism2fw.c commit 41cb65c4854e14f12b1cbb8215e509d8ad4d0c88 upstream. Fix the following sparse warning : In file included from drivers/staging/wlan-ng/prism2usb.c:5:0: drivers/staging/wlan-ng/prism2fw.c: In function ‘read_cardpda.constprop.43’: drivers/staging/wlan-ng/prism2fw.c:792:1: warning: the frame size of 1068 bytes is larger than 1024 bytes [-Wframe-larger-than=] The variable to 'struct p80211msg_p2req_readpda' was previously being created on the stack, which inturn exeeded the frame size limit, resulting in a sparse warning. This patch alloctes the memory to the structure dynamically and the operations are left unchanged. Signed-off-by: A Raghavendra Rao Signed-off-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit aa7b5447a50ef901407ad1d465be54755320e556 Author: Luis de Bethencourt Date: Wed Oct 21 18:32:38 2015 +0100 staging: rtl8723au: core: rtw_wlan_util: fix misleading indentation commit 8c182ae20791d638c07ff499709c4a1d4697bd7c upstream. For loop is outside of the else branch of the above conditional statement. Fixing misleading indentation. Fix a smatch warning: drivers/staging/rtl8723au/core/rtw_wlan_util.c:528 WMMOnAssocRsp23a() warn: curly braces intended? 
Signed-off-by: Luis de Bethencourt Acked-by: Jes Sorensen Signed-off-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit ac5d7a0802c9a6e031196bce963b566d192c3753 Author: Dan Carpenter Date: Wed Feb 25 16:20:36 2015 +0300 Staging: lustre: missing curly braces in ll_setattr_raw() commit 53bd4a004ee5ff0f71a858de78faac98924b4a87 upstream. >From the indenting, it looks like curly braces were intended here. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 0c172c793191ed17f65bba147215591bd29d1dfa Author: Colin Ian King Date: Sat Jan 23 19:33:10 2016 +0000 Staging: iio: adc: fix indent on break statement commit b6acb0cfc21293a1bfc283e9217f58f7474ef728 upstream. Fix indent warning when building with gcc 6: drivers/staging/iio/adc/ad7192.c:239:4: warning: statement is indented as if it were guarded by... [-Wmisleading-indentation] Signed-off-by: Colin Ian King Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 56d1e5d52a44289b4ef0a54e0d7216d40259d50a Author: Arnd Bergmann Date: Fri May 5 21:47:23 2017 +0200 staging: vt6655: fix overly large stack usage We get a warning for the large stack usage in some configurations: drivers/staging/vt6655/device_main.c: In function 'device_ioctl': drivers/staging/vt6655/device_main.c:2974:1: warning: the frame size of 1304 bytes is larger than 1024 bytes [-Wframe-larger-than=] This is addressed in linux-3.19 with commit 67013f2c0e58 ("staging: vt6655: mac80211 conversion add main mac80211 functions"), which obsoletes the device_ioctl() function, but as that does not apply to stable kernels, this picks an easier way out by using dynamic allocation. The driver was merged in 2.6.31, and the fix applies to all versions before 3.19. 
Fixes: 5449c685a4b3 ("Staging: Add pristine upstream vt6655 driver sources") Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit a75a3adcc61506ae600964f541507785630e8531 Author: Arnd Bergmann Date: Fri May 5 21:47:22 2017 +0200 staging: imx-drm: fix indentation warning gcc-6 produces a harmless warning: drivers/staging/imx-drm/imx-hdmi.c: In function 'hdmi_config_AVI': drivers/staging/imx-drm/imx-hdmi.c:967:2: error: this 'else' clause does not guard... [-Werror=misleading-indentation] Commit d083c312cba2 ("drm: bridge/dw_hdmi: simplify hdmi_config_AVI() a little") in linux-4.3 fixes this with a larger rewrite that is not applicable here. After that rewrite, the variable that gets assigned here no longer exists. The assignment is rather pointless here, as we just set a variable to zero that is later added into another variable using a bitwise or operator, and that has no effect, so I'm just changing the indentation here to shut up the warning. The driver was originally merged in linux-3.13, and the fix applies to all versions between that and 4.2. 
Fixes: 9aaf880ed4ee ("imx-drm: Add mx6 hdmi transmitter support") Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 2de9c3daaac0cc0e5a41808db382487f9257c627 Author: Arnd Bergmann Date: Fri May 5 21:47:21 2017 +0200 staging: bcm: add 32-bit host dependency The driver uses a 32-bit variable to store a pointer, causing a couple of warnings: ../drivers/staging/bcm/CmHost.c: In function 'StoreCmControlResponseMessage': ../drivers/staging/bcm/CmHost.c:1503:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] (struct bcm_connect_mgr_params *) ntohl( ^ ../drivers/staging/bcm/CmHost.c:1546:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] (struct bcm_connect_mgr_params *) ntohl( ^ ../drivers/staging/bcm/CmHost.c:1564:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] (struct bcm_connect_mgr_params *) ntohl( I fixed other warnings in an earlier commit 9f1c75ac2dba ("staging/bcm: fix most build warnings"), but couldn't figure out what was the intended behavior on 64-bit machines here. The driver was removed in linux-3.19, commit d09e9b160fc1 ("staging: bcm: remove driver") which explains that it never worked on 64-bit machines. This adds a Kconfig dependency instead to prevent it from being built in the known broken configuration. This workaround applies to v2.6.37 or higher. Fixes: f8942e07a3db ("staging: Beeceem USB Wimax driver") Signed-off-by: Arnd Bergmann Signed-off-by: Ben Hutchings commit 27c440eb436931b50d51546f2c496586558152fa Author: Arnd Bergmann Date: Mon Sep 8 17:17:13 2014 +0200 video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT commit 9c8ee3c7341393811d5be5eb61b815e76f92c799 upstream. 
Commit 7edaa761ee81b ("video: mx3fb: Add backlight control support") changed the mx3fb driver so it always selects the BACKLIGHT_CLASS_DEVICE symbol, but that is hidden behind BACKLIGHT_LCD_SUPPORT in Kconfig, so we get a Kconfig warning for multi_v5_defconfig, which doesn't have that:

Warning: (DRM_RADEON && DRM_NOUVEAU && DRM_I915 && DRM_GMA500 && DRM_SHMOBILE && DRM_TILCDC && FB_BACKLIGHT && FB_MX3 && USB_APPLEDISPLAY && FB_OLPC_DCON && ASUS_LAPTOP && SONY_LAPTOP && THINKPAD_ACPI && EEEPC_LAPTOP && ACPI_CMPC && SAMSUNG_Q10) selects BACKLIGHT_CLASS_DEVICE which has unmet direct dependencies (HAS_IOMEM && BACKLIGHT_LCD_SUPPORT)

This makes sure we always enable both symbols together for mx3fb, like we do for the other drivers that can't be built without backlight support.

Note that a better solution would be to ensure the driver can work with or without backlight support.

Signed-off-by: Arnd Bergmann
Cc: Alexander Stein
Cc: Tomi Valkeinen
Cc: linux-fbdev@vger.kernel.org
Cc: Jean-Christophe Plagniol-Villard
Signed-off-by: Tomi Valkeinen
Signed-off-by: Ben Hutchings

commit f5b471f3d01de44b475aa4c9c46f5f27fe9abd2e
Author: Dan Carpenter
Date: Wed Feb 25 16:17:48 2015 +0300

drm/i915: cleanup some indenting

commit ba0635ffb7665d76715b43ae8144e014a90c1e63 upstream.

Static checkers complain that we should probably add curly braces because, from the indenting, it looks like seq_printf() should be inside the list_for_each_entry() loop. But the code is actually correct, it's just the indenting which is off.

Besides fixing the indenting on seq_printf(), I did add curly braces, because generally multi-line indents should have curly braces to make them more readable.
The unintended indent was left behind and not unindented in

commit d7f46fc4e7323887494db13f063a8e59861fefb0
Author: Ben Widawsky
Date: Fri Dec 6 14:10:55 2013 -0800

drm/i915: Make pin count per VMA

Signed-off-by: Dan Carpenter
Reviewed-by: Jani Nikula
Signed-off-by: Daniel Vetter
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit a927a508ae2dcb088638de54455152c979b57d5f
Author: David S. Miller
Date: Mon Apr 27 13:20:34 2015 -0400

netfilter; Add some missing default cases to switch statements in nft_reject.

commit 129d23a56623eea0947a05288158d76dc7f2f0ac upstream.

This fixes:

====================
net/netfilter/nft_reject.c: In function ‘nft_reject_dump’:
net/netfilter/nft_reject.c:61:2: warning: enumeration value ‘NFT_REJECT_TCP_RST’ not handled in switch [-Wswitch]
  switch (priv->type) {
  ^
net/netfilter/nft_reject.c:61:2: warning: enumeration value ‘NFT_REJECT_ICMPX_UNREACH’ not handled in switch [-Wswi\
tch]
net/netfilter/nft_reject_inet.c: In function ‘nft_reject_inet_dump’:
net/netfilter/nft_reject_inet.c:105:2: warning: enumeration value ‘NFT_REJECT_TCP_RST’ not handled in switch [-Wswi\
tch]
  switch (priv->type) {
  ^
====================

Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 3d4abcb83fd3ad085444c0a87ad4b75bc79a7f63
Author: David Miller
Date: Tue Apr 7 23:05:42 2015 -0400

netfilter: Fix switch statement warnings with recent gcc.

commit c1f866767777d1c6abae0ec57effffcb72017c00 upstream.

More recent GCC warns about two kinds of switch statement uses:

1) Switching on an enumeration, but not having an explicit case statement for all members of the enumeration. To show the compiler this is intentional, we simply add a default case with nothing more than a break statement.

2) Switching on a boolean value. I think this warning is dumb but nevertheless you get it wholesale with -Wswitch.
This patch cures all such warnings in netfilter.

Signed-off-by: David S. Miller
Acked-by: Pablo Neira Ayuso
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit f78d54d6e335f6d0df9379242d873b9a358e004d
Author: Arnd Bergmann
Date: Tue May 12 23:54:25 2015 +0200

brcmfmac: avoid gcc-5.1 warning

commit 22f44150aad7a1d6b074ab6cf59abee61c7187c6 upstream.

gcc-5.0 gained a new warning in the fwsignal portion of the brcmfmac driver:

drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c: In function 'brcmf_fws_txs_process':
drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c:1478:8: warning: 'skb' may be used uninitialized in this function [-Wmaybe-uninitialized]

This is a false positive, and marking the brcmf_fws_hanger_poppkt function as 'static inline' makes the warning go away. I have checked the object file output and while a little code gets moved around, the size of the binary remains identical.

Signed-off-by: Arnd Bergmann
Signed-off-by: Kalle Valo
Signed-off-by: Ben Hutchings

commit 10237035134761b002024951ab710910b9cb2e8c
Author: Arnd Bergmann
Date: Thu May 19 09:58:49 2016 +0200

iwlegacy: avoid warning about missing braces

commit 2cce76c3fab410520610a7d2f52faebc3cfcf843 upstream.

gcc-6 warns about code in il3945_hw_txq_ctx_free() being somewhat ambiguous:

drivers/net/wireless/intel/iwlegacy/3945.c:1022:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses]

This adds a set of curly braces to avoid the warning.

Signed-off-by: Arnd Bergmann
Acked-by: Stanislaw Gruszka
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 99425ef81b136f03b9e84058bfea46ef02c182fa
Author: Arnd Bergmann
Date: Thu Jan 28 22:58:28 2016 +0100

hostap: avoid uninitialized variable use in hfa384x_get_rid

commit 48dc5fb3ba53b20418de8514700f63d88c5de3a3 upstream.

The driver reads a value from hfa384x_from_bap(), which may fail, and then assigns the value to a local variable.
gcc detects that in the failure case, the 'rlen' variable now contains uninitialized data:

In file included from ../drivers/net/wireless/intersil/hostap/hostap_pci.c:220:0:
drivers/net/wireless/intersil/hostap/hostap_hw.c: In function 'hfa384x_get_rid':
drivers/net/wireless/intersil/hostap/hostap_hw.c:842:5: warning: 'rec' may be used uninitialized in this function [-Wmaybe-uninitialized]
     if (le16_to_cpu(rec.len) == 0) {

This restructures the function as suggested by Russell King, to make it more readable and get more reliable error handling, by handling each failure mode using a goto.

Signed-off-by: Arnd Bergmann
Signed-off-by: Kalle Valo
Signed-off-by: Ben Hutchings

commit da4fe1a6782a22b74338b29707015ef0da19168d
Author: David Malcolm
Date: Tue Jun 2 15:31:17 2015 -0400

drivers/net/ethernet/dec/tulip/uli526x.c: fix misleading indentation in uli526x_timer

commit e1395a321eab1a7833d82e952eb8255e0a1f03cb upstream.

This code in drivers/net/ethernet/dec/tulip/uli526x.c function "uli526x_timer":

1086    } else
1087        if ((tmp_cr12 & 0x3) && db->link_failed) {
[...snip...]
1109        }
1110        else if(!(tmp_cr12 & 0x3) && db->link_failed)
1111        {
[...snip...]
1117        }
1118        db->init=0;

is misleadingly indented: the db->init=0 is indented as if part of the else clause at line 1086, but it is independent of it (no braces before the "if" at line 1087).

This patch fixes the indentation to reflect the actual meaning of the code, though is it actually meant to be part of the "else" clause? (I'm a compiler developer, not a kernel person).

It also adds spaces around the assignment, to placate checkpatch.pl.

Seen via an experimental new gcc warning I'm working on for gcc 6, -Wmisleading-indentation, using gcc r223098 adding -Werror=misleading-indentation to KBUILD_CFLAGS in Makefile.
The experimental GCC emits this warning (as an error), rightly IMHO:

drivers/net/ethernet/dec/tulip/uli526x.c: In function ‘uli526x_timer’:
drivers/net/ethernet/dec/tulip/uli526x.c:1118:3: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
   db->init=0;
   ^
drivers/net/ethernet/dec/tulip/uli526x.c:1086:4: note: ...this ‘else’ clause, but it is not
    } else
    ^

Hope this is helpful
Dave

Signed-off-by: David Malcolm
Signed-off-by: David S. Miller
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit d09dfb2ac3aa9aa881cd3dd60fae4a6bfa7a77eb
Author: Arnd Bergmann
Date: Fri Jan 29 12:39:13 2016 +0100

net: vxge: avoid unused function warnings

commit 57e7c8cef224af166b8ec932b5e383641418c005 upstream.

When CONFIG_PCI_MSI is disabled, we get warnings about unused functions in the vxge driver:

drivers/net/ethernet/neterion/vxge/vxge-main.c:2121:13: warning: 'adaptive_coalesce_tx_interrupts' defined but not used [-Wunused-function]
drivers/net/ethernet/neterion/vxge/vxge-main.c:2149:13: warning: 'adaptive_coalesce_rx_interrupts' defined but not used [-Wunused-function]

We could add another #ifdef here, but it's nicer to avoid those warnings for good by converting the existing #ifdef to if(IS_ENABLED()), which has the same effect but provides better compile-time coverage in general, and lets the compiler understand better when the function is intentionally unused.

Signed-off-by: Arnd Bergmann
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit a7e32b7be60e4dc4d83f4b05e021626c90858c29
Author: Arnd Bergmann
Date: Thu Nov 19 11:42:26 2015 +0100

net: tulip: turn compile-time warning into dev_warn()

commit de92718883ddbcd11b738d36ffcf57617b97fa12 upstream.

The tulip driver causes annoying build-time warnings for allmodconfig builds for all recent architectures:

dec/tulip/winbond-840.c:910:2: warning: #warning Processor architecture undefined
dec/tulip/tulip_core.c:101:2: warning: #warning Processor architecture undefined!
This is the last remaining warning for arm64, and I'd like to get rid of it. We don't really know the cache line size, architecturally it would be at least 16 bytes, but all implementations I found have 64 or 128 bytes. Configuring tulip for 32-byte lines as we do on ARM32 seems to be the safe but slow default, and nobody who cares about performance these days would use a tulip chip anyway, so we can just use that.

To save the next person the job of trying to find out what this is for and picking a default for their architecture just to kill off the warning, I'm now removing the preprocessor #warning and turning it into a pr_warn or dev_warn that prints the equivalent information when the driver gets loaded.

Signed-off-by: Arnd Bergmann
Acked-by: Grant Grundler
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 00b3f522f36eb266b01e638a6a1f5d8237dfad43
Author: Jeff Kirsher
Date: Thu Sep 18 02:33:41 2014 -0700

am2150: Update nmclan_cs.c to use update PCMCIA API

commit 5f5316fcd08ef74b282adf6774956431fac62663 upstream.

Resolves compile warning about use of a deprecated function call:

drivers/net/ethernet/amd/nmclan_cs.c: In function ‘nmclan_config’:
drivers/net/ethernet/amd/nmclan_cs.c:624:3: warning: ‘pcmcia_request_exclusive_irq’ is deprecated (declared at include/pcmcia/ds.h:213) [-Wdeprecated-declarations]
   ret = pcmcia_request_exclusive_irq(link, mace_interrupt);

Updates pcmcia_request_exclusive_irq() to pcmcia_request_irq().

CC: Roger Pao
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 7e27c4492089298d7a4bc0a8704943fa647b1f4d
Author: Arnd Bergmann
Date: Wed Jan 28 15:15:04 2015 +0100

net: am2150: fix nmclan_cs.c shared interrupt handling

commit 96a30175f927facfb421655ef08b7a0fe546fbed upstream.
A recent patch tried to work around a valid warning for the use of a deprecated interface by blindly changing from the old pcmcia_request_exclusive_irq() interface to pcmcia_request_irq().

This driver has an interrupt handler that is not currently aware of shared interrupts, but can be easily converted to be. At the moment, the driver reads the interrupt status register repeatedly until it contains only zeroes in the interesting bits, and handles each bit individually.

This patch adds the missing part of returning IRQ_NONE in case none of the bits are set to start with, so we can move on to the next interrupt source.

Signed-off-by: Arnd Bergmann
Fixes: 5f5316fcd08ef7 ("am2150: Update nmclan_cs.c to use update PCMCIA API")
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit f7e72ebbd67551fd1ba00f387f5dc14e5f8e8c14
Author: Arnd Bergmann
Date: Mon Mar 14 15:18:38 2016 +0100

net: caif: fix misleading indentation

commit 8e0cc8c326d99e41468c96fea9785ab78883a281 upstream.

gcc points out code that is not indented the way it is interpreted:

net/caif/cfpkt_skbuff.c: In function 'cfpkt_setlen':
net/caif/cfpkt_skbuff.c:289:4: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
    return cfpkt_getlen(pkt);
    ^~~~~~
net/caif/cfpkt_skbuff.c:286:3: note: ...this 'else' clause, but it is not
   else
   ^~~~

It is clear from the context that not returning here would be a bug, as we'd end up passing a negative length into a function that takes a u16 length, so it is not missing curly braces here, and I'm assuming that the indentation is the only part that's wrong about it.

Signed-off-by: Arnd Bergmann
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 9a26891f02499b3eb58e977776b890b7b6bd90b8
Author: Arnd Bergmann
Date: Mon Jan 16 14:20:54 2017 +0100

cpmac: remove hopeless #warning

commit d43e6fb4ac4abfe4ef7c102833ed02330ad701e0 upstream.
The #warning was present 10 years ago when the driver first got merged. As the platform is rather obsolete by now, it seems very unlikely that the warning will cause anyone to fix the code properly.

kernelci.org reports the warning for every build in the meantime, so I think it's better to just turn it into a code comment to reduce noise.

Signed-off-by: Arnd Bergmann
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 209b7496f91aa8f6e88e531f516aaf06fe01bdff
Author: Arnd Bergmann
Date: Tue Jan 13 17:10:58 2015 +0100

mISDN: avoid arch specific __builtin_return_address call

commit 3e7a8716e20b759eec0ad88145255bb33174f0c8 upstream.

Not all architectures are able to call __builtin_return_address(). On ARM, the mISDN code produces this warning:

hardware/mISDN/w6692.c: In function 'w6692_dctrl':
hardware/mISDN/w6692.c:1181:75: warning: unsupported argument to '__builtin_return_address'
  pr_debug("%s: %s dev(%d) open from %p\n", card->name, __func__,
                                                                           ^
hardware/mISDN/mISDNipac.c: In function 'open_dchannel':
hardware/mISDN/mISDNipac.c:759:75: warning: unsupported argument to '__builtin_return_address'
  pr_debug("%s: %s dev(%d) open from %p\n", isac->name, __func__,
                                                                           ^

In a lot of cases, this is relatively easy to work around by passing the value of __builtin_return_address(0) from the callers into the functions that want it.

One exception is the indirect 'open' function call in struct isac_hw. While it would be possible to fix this as well, this patch only addresses the other callers properly and lets this one return the direct parent function, which should be good enough.

Signed-off-by: Arnd Bergmann
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit c0d4744e70d12acf1702d9a8edd13909eee2f9fe
Author: Arnd Bergmann
Date: Tue Jan 13 17:08:06 2015 +0100

mlx5: avoid build warnings on 32-bit

commit 065bd8c28ba37d04c9a5b732173c1508954b1f58 upstream.
The mlx5 driver passes a string pointer in through a 'u64' variable, which on 32-bit machines causes a build warning:

drivers/net/ethernet/mellanox/mlx5/core/debugfs.c: In function 'qp_read_field':
drivers/net/ethernet/mellanox/mlx5/core/debugfs.c:303:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]

The code is in fact safe, so we can shut up the warning by adding extra type casts.

Signed-off-by: Arnd Bergmann
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 678019e21b505efb8a2dcaad4eb02c20579a7172
Author: Joe Perches
Date: Tue Nov 18 05:53:00 2014 +0000

i40e: Reduce stack in i40e_dbg_dump_desc

commit e6c97234d1b18d4751671df15d52e29daa8a7ba8 upstream.

Reduce stack use by using kmemdup and not using a very large struct on stack.

In function ‘i40e_dbg_dump_desc’:
warning: the frame size of 8192 bytes is larger than 2048 bytes [-Wframe-larger-than=]

Signed-off-by: Joe Perches
Tested-by: Jim Young
Signed-off-by: Jeff Kirsher
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 31a10eaad05b8d124edbe72eca137f4ebd86444b
Author: Manuel Schölling
Date: Sun Jun 22 13:24:54 2014 +0200

xilinx: Fix compiler warning

commit 9f8b93cb32e088d3377c86fabb666b884bac0f12 upstream.

The time comparison functions require arguments of type unsigned long instead of (signed) long.

Signed-off-by: Manuel Schölling
Signed-off-by: David S. Miller
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit fef2b91ce9cbbf2ff3cd92d8d9b6610a5952f1d0
Author: Atsushi Nemoto
Date: Sun Jun 29 00:01:18 2014 +0900

mtd: maps: rbtx4939-flash: delete an unused variable in rbtx4939_flash_remove

commit e4c4c9c15ebe8ec03b7f5bf36e079052cc88217c upstream.
Signed-off-by: Atsushi Nemoto
Signed-off-by: Brian Norris
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 8baed508251fad815cefb5284b0c8d3bdd6a83ef
Author: Arnd Bergmann
Date: Fri Feb 3 10:49:17 2017 +0100

mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy

commit 906b268477bc03daaa04f739844c120fe4dbc991 upstream.

kernelci.org reports a warning for this driver, as it copies a local variable into a 'const char *' string:

drivers/mtd/maps/pmcmsp-flash.c:149:30: warning: passing argument 1 of 'strncpy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

Using kstrndup() simplifies the code and avoids the warning.

Signed-off-by: Arnd Bergmann
Acked-by: Marek Vasut
Signed-off-by: Brian Norris
Signed-off-by: Ben Hutchings

commit 04af5c7dd48363d5b95450a6906f6583fed6e7eb
Author: Hannes Reinecke
Date: Mon Jul 6 13:07:58 2015 +0200

aic94xx: Skip reading user settings if flash is not found

commit 36dd5acd196574d41de3e81d8264df475bbb7123 upstream.

If no user settings are found it's pointless trying to read them from flash. So skip that step. This also fixes a compilation warning about uninitialized variables in aic94xx.

Signed-off-by: Hannes Reinecke
Reviewed-by: Christoph Hellwig
Signed-off-by: James Bottomley
Signed-off-by: Ben Hutchings

commit 80e9c06a1508483a15dc2697f7e76fb95b9043f5
Author: Dan Carpenter
Date: Wed Apr 15 16:16:36 2015 -0700

paride: fix the "verbose" module param

commit 946e87981942552e526aca9cb6204f02a6c847cb upstream.

The verbose module parameter can be set to 2 for extremely verbose messages so the type should be int instead of bool.

Signed-off-by: Dan Carpenter
Cc: Tim Waugh
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit e463d11869c14bc2b01bae807b035fce2093393b
Author: Luis de Bethencourt
Date: Mon Nov 30 14:32:17 2015 +0000

mvsas: fix misleading indentation

commit 7789cd39274c51bf475411fe22a8ee7255082809 upstream.
Fix a smatch warning:

drivers/scsi/mvsas/mv_sas.c:740 mvs_task_prep() warn: curly braces intended?

The code is correct, the indentation is misleading. When the device is not ready we want to return SAS_PHY_DOWN. But current indentation makes it look like we only do so in the else branch of if (mvi_dev).

Signed-off-by: Luis de Bethencourt
Reviewed-by: Johannes Thumshirn
Signed-off-by: Martin K. Petersen
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 95dd69efa7280624f207296a70dc8f47c13e2e33
Author: Tim Gardner
Date: Fri Oct 30 12:22:58 2015 -0600

be2iscsi: Fix bogus WARN_ON length check

commit dd29dae00d39186890a5eaa2fe4ad8768bfd41a9 upstream.

drivers/scsi/be2iscsi/be_main.c: In function 'be_sgl_create_contiguous':
drivers/scsi/be2iscsi/be_main.c:3187:18: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
  WARN_ON(!length > 0);

gcc version 5.2.1

Signed-off-by: Tim Gardner
Cc: Jayamohan Kallickal
Cc: Minh Tran
Cc: John Soni Jose
Cc: "James E.J. Bottomley"
Reported-by: Joel Stanley
Reviewed-by: Manoj Kumar
Signed-off-by: Martin K. Petersen
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 9927a5180e6fdcd8804b9bb8fa42852f95b53c83
Author: Anil Gurumurthy
Date: Thu Aug 13 06:41:51 2015 -0400

bfa: Fix indentation

commit b7f4d6343820af5c2dc3979e91d85e71e638cd3d upstream.

Signed-off-by: Anil Gurumurthy
Tested-by: Sudarasana Kalluru
Reviewed-by: Ewan D. Milne
Signed-off-by: James Bottomley
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 34f25c6c0c8b7841aa7fa3ca180371088bb45957
Author: Arnd Bergmann
Date: Fri May 5 21:46:53 2017 +0200

scsi: advansys: remove #warning message

The advansys driver was converted to the proper DMA API in linux-4.2, but the 3.18-stable kernel still warns about this:

drivers/scsi/advansys.c:71:2: warning: #warning this driver is still not properly converted to the DMA API [-Wcpp]

The warning clearly is not helpful in 3.18 any more, it just clutters up the build log. This removes the warning instead, and clarifies the comment above it.

Cc: Hannes Reinecke
Signed-off-by: Arnd Bergmann
[bwh: Changed comment to say 3.16]
Signed-off-by: Ben Hutchings

commit e0a6b00681fc623ba54f494df2184ad261dd7cdd
Author: James Bottomley
Date: Tue May 19 11:38:17 2015 -0700

ips: remove pointless #warning

commit e03c2da6574223081b786960e39c1e5ecf5d492d upstream.

non-x86 builds want the #warning in the IPS code about compiling on the wrong architecture removed because it keeps triggering on their platforms' build farms. Transform from a compile time warning into a runtime one with taint to preserve the original intent of the authors.

Acked-by: Arnd Bergmann
Signed-off-by: James Bottomley
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit fcad768091e90e6f78fb2c9a68f93a915d4acf38
Author: Arnd Bergmann
Date: Fri May 5 21:46:51 2017 +0200

scsi-tgt: fix type conversion warning

In 3.16-stable, we get this warning:

drivers/scsi/scsi_tgt_if.c:289:36: warning: passing argument 1 of 'virt_to_phys' makes pointer from integer without a cast [-Wint-conversion]

The driver was removed in 3.17, so the bug was never fixed, but the code works correctly and is only lacking a cast to build cleanly on all architectures.
Fixes: 97f78759ea1c ("[SCSI] scsi tgt: scsi target user and kernel communication interface")
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit bc51148bb99969a7a74cae5ae6128e54f90bec3d
Author: Arnd Bergmann
Date: Fri May 5 21:46:50 2017 +0200

dm bufio: hide bogus warning

mips-gcc-5.3 warns about correct code on linux-3.18 and earlier:

In file included from ../include/linux/blkdev.h:4:0,
                 from ../drivers/md/dm-bufio.h:12,
                 from ../drivers/md/dm-bufio.c:9:
../drivers/md/dm-bufio.c: In function 'alloc_buffer':
../include/linux/sched.h:1975:56: warning: 'noio_flag' may be used uninitialized in this function [-Wmaybe-uninitialized]
  current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags;
                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
../drivers/md/dm-bufio.c:325:11: note: 'noio_flag' was declared here

The warning disappeared on later kernels with this commit:

be0c37c985ed ("MIPS: Rearrange PTE bits into fixed positions.")

I assume this only happened because it changed some inlining decisions.

On 3.18.y, we can shut up the warning by adding an extra initialization.

Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit e14bf178a4b66e5480745fcc0ca464bbafdf4544
Author: Arnd Bergmann
Date: Fri May 5 21:46:49 2017 +0200

i2o: hide unsafe ioctl on 64-bit

We get a warning about a broken pointer conversion on 64-bit architectures:

drivers/message/i2o/i2o_config.c: In function 'i2o_cfg_passthru':
drivers/message/i2o/i2o_config.c:893:19: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
    (p->virt, (void __user *)sg[i].addr_bus,
    ^
drivers/message/i2o/i2o_config.c:953:10: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
    ((void __user *)sg[j].addr_bus, sg_list[j].virt,
    ^

This has clearly never worked right, so we can add an #ifdef around the code. The driver was moved to staging in linux-4.0 and finally removed in 4.2, so upstream does not have a fix for it.
The driver originally got this mostly right, though probably by accident.

Fixes: f4c2c15b930b ("[PATCH] Convert i2o to compat_ioctl")
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 84d97df9c1bbb00b7950d5d08c80dd5da316cef6
Author: Arnd Bergmann
Date: Tue Jan 13 22:59:47 2015 +0100

tty/isicom: fix big-endian compile warning

commit f3e2d56dce47dbd0bb3f69f84741b439542fef37 upstream.

Building an arm allmodconfig kernel triggers a lengthy but harmless warning in the isicom driver:

drvers/tty/isicom.c: In function 'isicom_send_break':
uapi/linux/swab.h:13:15: warning: integer overflow in expression [-Woverflow]
  (((__u16)(x) & (__u16)0x00ffU) << 8) | \
               ^
uapi/linux/swab.h:107:2: note: in expansion of macro '___constant_swab16'
  ___constant_swab16(x) : \
  ^
uapi/linux/byteorder/big_endian.h:34:43: note: in expansion of macro '__swab16'
 #define __cpu_to_le16(x) ((__force __le16)__swab16((x)))
                                           ^
linux/byteorder/generic.h:89:21: note: in expansion of macro '__cpu_to_le16'
 #define cpu_to_le16 __cpu_to_le16
                     ^
include/asm/io.h:270:6: note: in expansion of macro 'cpu_to_le16'
      cpu_to_le16(v),__io(p)); })
      ^
drivers/tty/isicom.c:1058:2: note: in expansion of macro 'outw'
  outw((length & 0xff00), base);
  ^

Apparently, the problem is related to the fact that the value 0xff00, when used as a 16-bit number, is negative and passed into bitwise operands of the generic byte swapping code.

Marking the input argument as unsigned is both technically correct and avoids the warning.

Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 4ddcee574279a33d10c4d06f0eeaa886e6ca4ab6
Author: Arnd Bergmann
Date: Mon Jan 25 22:54:56 2016 +0100

tty: nozomi: avoid a harmless gcc warning

commit a4f642a8a3c2838ad09fe8313d45db46600e1478 upstream.
The nozomi wireless data driver has its own helper function to transfer data from a FIFO, doing an extra byte swap on big-endian architectures, presumably to bring the data back into byte-serial order after readw() or readl() perform their implicit byteswap.

This helper function is used in the receive_data() function to first read the length into a 32-bit variable, which causes a compile-time warning:

drivers/tty/nozomi.c: In function 'receive_data':
drivers/tty/nozomi.c:857:9: warning: 'size' may be used uninitialized in this function [-Wmaybe-uninitialized]

The problem is that gcc is unsure whether the data was actually read or not. We know that it is at this point, so we can replace it with a single readl() to shut up that warning.

I am leaving the byteswap in there, to preserve the existing behavior, even though this seems fishy: Reading the length of the data into a cpu-endian variable should normally not use a second byteswap on big-endian systems, unless the hardware is aware of the CPU endianness.

There appears to be a lot more confusion about endianness in this driver, so it probably has not worked on big-endian systems in a long time, if ever, and I have no way to test it. It's quite possible that this driver has not been used by anyone in a while, the last patch that looks like it was tested on the hardware is from 2008.

Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 7db5c4ff9aa5990fc7cd48c6678ca297886c700e
Author: Mark Brown
Date: Fri Aug 1 17:47:38 2014 +0100

spi/pl022: Explicitly truncate large bitmask

commit d555ea05f9d8ebf567eaa6b4e4cb5776aacf2940 upstream.

When building on 64 bit architectures the use of bitwise negation generates constants larger than 32 bits which won't fit in u32s used to represent 32 bit register values on the device. Explicitly cast to let the compiler know that the higher bits are not significant and can be discarded.
Signed-off-by: Mark Brown
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 0f65994a85795949925e54296b191074c5a76a52
Author: Mark Brown
Date: Fri Aug 1 17:43:03 2014 +0100

spi/atmel: Fix pointer to int conversion warnings on 64 bit builds

commit 67f08d690aa90e47a0e793fc63e2ecbe95d29839 upstream.

On 64 bit systems integers are generally still 32 bit but long values and pointers are usually 64 bit. GCC warns when casting a 64 bit pointer into a 32 bit integer so cast to a long instead in order to avoid warnings.

Signed-off-by: Mark Brown
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 15606da9b7edc4d91d8a40be94335c0d68ab4ede
Author: Geert Uytterhoeven
Date: Fri Jun 6 13:38:42 2014 +0200

spi: rspi: Remove unused variable in rspi_rz_transfer_one()

commit 95029a00886f0c8d79e700cb8983b881c75af0f1 upstream.

Introduced by commit 8b983e90ea1a3dd82070f96c062ad521a06b7cc0 ("spi: rspi: Extract rspi_common_transfer()"), which removed its users.

Signed-off-by: Geert Uytterhoeven
Signed-off-by: Mark Brown
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 0b1058651b56cf0ff7aee6ebfc7f59733f9f2162
Author: Uwe Kleine-König
Date: Mon Jul 28 16:38:21 2014 +0200

clk/efm32gg: fix dt init prototype

commit 8ce8ebeb572d70e672a8d158e93ffaac80ea7576 upstream.

Since commit 54196ccbe0ba (of: consolidate linker section OF match table declarations) which went into 3.16-rc1 the following compiler warning is generated:

In file included from drivers/clk/clk-efm32gg.c:12:0:
include/linux/of.h:772:20: warning: comparison of distinct pointer types lacks a cast [enabled by default]
    .data = (fn == (fn_type)NULL) ? fn : fn }
                    ^
include/linux/of.h:785:3: note: in expansion of macro '_OF_DECLARE'
   _OF_DECLARE(table, name, compat, fn, of_init_fn_1)
   ^
include/linux/clk-provider.h:545:42: note: in expansion of macro 'OF_DECLARE_1'
 #define CLK_OF_DECLARE(name, compat, fn) OF_DECLARE_1(clk, name, compat, fn)
                                          ^
drivers/clk/clk-efm32gg.c:81:1: note: in expansion of macro 'CLK_OF_DECLARE'
 CLK_OF_DECLARE(efm32ggcmu, "efm32gg,cmu", efm32gg_cmu_init);
 ^

Fix it by making efm32gg_cmu_init return void.

Cc: Rob Herring
Reported-by: Bryan Hundven
Reviewed-by: Arnd Bergmann
Signed-off-by: Uwe Kleine-König
Signed-off-by: Mike Turquette
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit b5287a68e31f41d70f8cfcde6d1f5f4e38450835
Author: Arnd Bergmann
Date: Tue May 19 16:34:05 2015 +0200

ata: hpt366: fix constant cast warning

commit 6ec0a86c645be3fce7ade42f165a6a417c3503b1 upstream.

gcc-5.x warns about a preexisting problem in the hpt36x pata driver:

drivers/ata/pata_hpt366.c: In function 'hpt36x_init_one':
drivers/ata/pata_hpt366.c:376:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]

Other ata drivers have the same problem, as ata_pci_bmdma_init_one takes a non-const pointer, and they solve it by using a cast to turn that pointer into a normal non-const pointer.

I also tried to change the ata core code to make host->private_data a const pointer, but that quickly got out of hand, as some other drivers expect it to be writable, so I ended up using the same hack as the others here.

Signed-off-by: Arnd Bergmann
Acked-by: Bartlomiej Zolnierkiewicz
Signed-off-by: Tejun Heo
Signed-off-by: Ben Hutchings

commit 77931968a94749c4fb56785852ef80e265712677
Author: Mark Brown
Date: Fri Aug 1 17:19:00 2014 +0100

ASoC: adau1977: Fix truncation warning on 64 bit architectures

commit d8df26bb57d2a86365de46a5421b97417401e39a upstream.
Negating ADAU1977_BLOCK_POWER_SAI_LDO_EN creates an unsigned long constant with all bits set which on 64 bit architectures needs to be truncated to an unsigned int, generating a warning. Add an explicit cast since we know this is OK.

Signed-off-by: Mark Brown
Acked-by: Lars-Peter Clausen
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 26b7e0e678d1330babfb9900968c4c9c35767a7c
Author: Nicolin Chen
Date: Mon Aug 4 15:07:25 2014 +0800

ASoC: fsl_sai: Set SYNC bit of TCR2 to Asynchronous Mode

commit 855675f6e6a65688a7f4cf45b9b5a98cf6c6f5c3 upstream.

There is one design rule according to SAI's reference manual:

If the transmitter bit clock and frame sync are to be used by both transmitter and receiver, the transmitter must be configured for asynchronous operation and the receiver for synchronous operation.

And SYNC of TCR2 is a 2-width control bit:

00 Asynchronous mode.
01 Synchronous with receiver.
10 Synchronous with another SAI transmitter.
11 Synchronous with another SAI receiver.

So the driver should have set SYNC bit of TCR2 to 0x0, and meanwhile set SYNC bit of RCR2 to 0x1 (Synchronous with transmitter).

Signed-off-by: Nicolin Chen
Signed-off-by: Mark Brown
Signed-off-by: Arnd Bergmann
Signed-off-by: Ben Hutchings

commit 7ee8387b6f86dee7be10e6d30207219aad70f922
Author: Mark Brown
Date: Fri Aug 1 17:55:55 2014 +0100

ASoC: imx-audmux: Use uintptr_t for port numbers

commit e5f89768e9bc1f441d18e2299518a2907e5017c9 upstream.

Since we pass the port number through file private data for debugfs we cast it to and from a pointer so use uintptr_t in order to ensure that the types are compatible, avoiding warnings on 64 bit platforms where pointers are 64 bit and unsigned integers 32 bit.
    Signed-off-by: Mark Brown
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit f7220347be608002a31537b4d8f1814c51f8f6d9
Author: Timur Tabi
Date:   Fri Jun 13 07:42:40 2014 -0500

    ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk()

    commit acf2c60a60b3d6d7080854b9483f37d99ded9b23 upstream.

    do_div() requires that the first parameter is a 64-bit integer, but clkrate was defined as an unsigned long. This caused the following warnings:

      CC      sound/soc/fsl/fsl_ssi.o
    sound/soc/fsl/fsl_ssi.c: In function 'fsl_ssi_set_bclk':
    sound/soc/fsl/fsl_ssi.c:593:3: warning: comparison of distinct pointer types lacks a cast
    sound/soc/fsl/fsl_ssi.c:593:3: warning: right shift count >= width of type
    sound/soc/fsl/fsl_ssi.c:593:3: warning: passing argument 1 of '__div64_32' from incompatible pointer type
    include/asm-generic/div64.h:35:17: note: expected 'uint64_t *' but argument is of type 'long unsigned int *'

    Signed-off-by: Timur Tabi
    Signed-off-by: Mark Brown
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit dd01f2e5e8eca7fab2d9428e2edaf65df5dc48a3
Author: Linus Walleij
Date:   Wed Jul 23 10:47:49 2014 +0200

    gpio: drop retval check enforcing from gpiochip_remove()

    commit 14c8a620ba436511b1347c592633befa49535176 upstream.

    As we start to decommission the return value from gpiochip_remove() the compilers emit warnings due to the function being tagged __must_check. So drop this until we remove the return value altogether.

    Cc: Abdoulaye Berthe
    Suggested-by: Stephen Rothwell
    Signed-off-by: Linus Walleij
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit e9c5514c310474d8f7e7870ef885f51b13346b81
Author: Mark Brown
Date:   Fri Aug 1 18:09:48 2014 +0100

    dma: pl08x: Use correct specifier for size_t values

    commit 6fc8ae787c589245ee3395630d2c428a1afab26c upstream.

    When printing size_t values we should use the %zd or %zx format specifier in order to ensure the value is displayed correctly and avoid warnings from sparse.
    Signed-off-by: Mark Brown
    Signed-off-by: Vinod Koul
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 6d007ea50431dfbd203a1fc0779ca81fc8b2bbdc
Author: Mark Brown
Date:   Mon Aug 11 11:08:56 2014 -0700

    Input: joystick - use get_cycles on ARMv8

    commit a6b48699ae50ccce700506ced863ba1f5ce2af11 upstream.

    As with ARM the ARMv8 architecture provides a cycle counter which can be used to provide a high resolution time for the joystick driver and silence the build warning that results from not having a precise timer on ARMv8, making allmodconfig and allyesconfig quieter.

    Signed-off-by: Mark Brown
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit d72bf7df163ce2aaf39f22bbc97015ae39d26719
Author: Lee Jones
Date:   Wed Jul 2 14:28:46 2014 +0100

    mfd: arizona: Rid data size incompatibility warn when building for 64bit

    commit 942786e6e647cef94cf96dcd836d343be55fc452 upstream.

    Extinguishes:

    ../drivers/mfd/arizona-core.c: In function ‘arizona_of_get_type’:
    ../drivers/mfd/arizona-core.c:505:10: warning: cast from pointer to integer of different size

    Signed-off-by: Lee Jones
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit a04a7aa1428d03f11128c1ba83c9fa3a0758ef9c
Author: Mark Brown
Date:   Sun Aug 24 19:36:29 2014 -0500

    power/reset: xgene-reset: Fix prototype of xgene_restart()

    commit d3ed534cca703b2aaeee9277a5b8063ae6eab1d1 upstream.

    The xgene-reset driver uses xgene_restart() as arm_pm_restart() but that function should take an enum reset_type as the first argument rather than a char. Fix this; the parameter is not referenced in the implementation.

    Signed-off-by: Mark Brown
    Signed-off-by: Sebastian Reichel
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 79e103d435c51e0bf84c8719165c72fd80844145
Author: Arnd Bergmann
Date:   Tue Jan 13 17:09:43 2015 +0100

    infiniband: mlx5: avoid a compile-time warning

    commit 7835bfb5261501590a508b3de3379e2231cb4853 upstream.
    The return type of find_first_bit() is architecture specific, on ARM it is 'unsigned int', while the asm-generic code used on x86 and a lot of other architectures returns 'unsigned long'.

    When building the mlx5 driver on ARM, we get a warning about this:

    infiniband/hw/mlx5/mem.c: In function 'mlx5_ib_cont_pages':
    infiniband/hw/mlx5/mem.c:84:143: warning: comparison of distinct pointer types lacks a cast
      m = min(m, find_first_bit(&tmp, sizeof(tmp)));

    This patch changes the driver to use min_t to make it behave the same way on all architectures.

    Signed-off-by: Arnd Bergmann
    Acked-by: Eli Cohen
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 14ffc8e43369a30ef59dca9d7f0e7f59776ca368
Author: Arnd Bergmann
Date:   Fri May 5 21:46:30 2017 +0200

    iio: adc: fix building on 64-bit

    On the 3.16 kernel, we get a harmless warning:

    drivers/iio/adc/exynos_adc.c: In function 'exynos_adc_get_version':
    drivers/iio/adc/exynos_adc.c:112:9: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]

    Upstream commit e49d99e0ecc8 ("iio: adc: exynos_adc: Add exynos_adc_data structure to improve readability") in 3.17 removed the function, so we can't backport a fix from upstream, but changing the cast to use uintptr_t is the obvious fix.

    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit ebb4ccde90e52413b5a11e624e176825f4f1fe57
Author: Arnd Bergmann
Date:   Fri May 5 21:46:28 2017 +0200

    gfs2: remove IS_ERR_VALUE abuse

    Picked from commit 287980e49ffc0f6d911601e7e352a812ed27768e ("remove lots of IS_ERR_VALUE abuses") upstream.
    The original fix that was backported to 3.18 already addressed the warning in some configurations, but not in others, leaving us with the same output:

    ../fs/gfs2/dir.c: In function 'get_first_leaf':
    ../fs/gfs2/dir.c:768:9: warning: 'leaf_no' may be used uninitialized in this function [-Wmaybe-uninitialized]
      error = get_leaf(dip, leaf_no, bh_out);
             ^
    ../fs/gfs2/dir.c: In function 'dir_split_leaf.isra.20':
    ../fs/gfs2/dir.c:987:8: warning: 'leaf_no' may be used uninitialized in this function [-Wmaybe-uninitialized]

    This takes the approach that we took in later versions in mainline, but does not backport the entire patch, as that would be too large for stable and IIRC caused regressions in other drivers.

    Fixes: 9d46d31e9aea ("gfs2: avoid uninitialized variable warning")
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit f1e8b20371007c937ea213ce67a2c1424d3640b1
Author: Rusty Russell
Date:   Sat May 9 03:14:13 2015 +0930

    cpumask_set_cpu_local_first => cpumask_local_spread, lament

    commit f36963c9d3f6f415732710da3acdd8608a9fa0e upstream.

    da91309e0a7e (cpumask: Utility function to set n'th cpu...) created a genuinely weird function. I never saw it before, it went through DaveM. (He only does this to make us other maintainers feel better about our own mistakes.)

    cpumask_set_cpu_local_first's purpose is to say "I need to spread things across N online cpus, choose the ones on this numa node first"; you call it in a loop.

    It can fail. One of the two callers ignores this, the other aborts and fails the device open.

    It can fail in two ways: allocating the off-stack cpumask, or through a convoluted codepath which AFAICT can only occur if cpu_online_mask changes. Which shouldn't happen, because if cpu_online_mask can change while you call this, it could return a now-offline cpu anyway.

    It contains a nonsensical test "!cpumask_of_node(numa_node)". This was drawn to my attention by Geert, who said this causes a warning on Sparc.
    It sets a single bit in a cpumask instead of returning a cpu number, because that's what the callers want.

    It could be made more efficient by passing the previous cpu rather than an index, but that would be more invasive to the callers.

    Fixes: da91309e0a7e8966d916a74cce42ed170fde06bf
    Signed-off-by: Rusty Russell (then rebased)
    Tested-by: Amir Vadai
    Acked-by: Amir Vadai
    Acked-by: David S. Miller
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 41e2300fe9099ad9b0980eb3c33964a4e22b4394
Author: Gerald Schaefer
Date:   Fri Oct 7 17:01:13 2016 -0700

    mm/hugetlb: improve locking in dissolve_free_huge_pages()

    commit eb03aa008561004257900983193d024e57abdd96 upstream.

    For every pfn aligned to minimum_order, dissolve_free_huge_pages() will call dissolve_free_huge_page() which takes the hugetlb spinlock, even if the page is not huge at all or a hugepage that is in-use.

    Improve this by doing the PageHuge() and page_count() checks already in dissolve_free_huge_pages() before calling dissolve_free_huge_page(). In dissolve_free_huge_page(), when holding the spinlock, those checks need to be revalidated.

    Link: http://lkml.kernel.org/r/20160926172811.94033-4-gerald.schaefer@de.ibm.com
    Signed-off-by: Gerald Schaefer
    Acked-by: Michal Hocko
    Acked-by: Naoya Horiguchi
    Cc: "Kirill A . Shutemov"
    Cc: Vlastimil Babka
    Cc: Mike Kravetz
    Cc: "Aneesh Kumar K . V"
    Cc: Martin Schwidefsky
    Cc: Heiko Carstens
    Cc: Rui Teng
    Cc: Dave Hansen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 3cb0dc19883f0c69225311d4f76aa8128d3681a4
Author: Andrey Ryabinin
Date:   Fri Feb 13 14:40:13 2015 -0800

    module: fix types of device tables aliases

    commit 6301939d97d079f0d3dbe71e750f4daf5d39fc33 upstream.

    The MODULE_DEVICE_TABLE() macro is used to create aliases to device tables. Normally an alias should have the same type as the aliased symbol. Device tables are arrays, so they have 'struct type##_device_id[x]' types.
    The alias created by MODULE_DEVICE_TABLE() will have a non-array type - 'struct type##_device_id'.

    This inconsistency confuses the compiler; it could make a wrong assumption about the variable's size, which leads KASan to produce a false positive report about an out of bounds access.

    For every global variable the compiler calls __asan_register_globals(), passing information about the global variable (address, size, size with redzone, name ...). __asan_register_globals() poisons the symbol's redzone to detect possible out of bounds accesses.

    When a symbol has an alias, __asan_register_globals() will be called for the alias as well as for the symbol. The compiler determines the size of a variable by the size of the variable's type. The alias and the symbol have the same address, so if the alias has the wrong size, part of the memory that actually belongs to the symbol could be poisoned as the redzone of the alias symbol.

    By fixing the type of the alias symbol we will fix its size, so __asan_register_globals() will not poison valid memory.

    Signed-off-by: Andrey Ryabinin
    Cc: Dmitry Vyukov
    Cc: Konstantin Serebryany
    Cc: Dmitry Chernenkov
    Signed-off-by: Andrey Konovalov
    Cc: Yuri Gribov
    Cc: Konstantin Khlebnikov
    Cc: Sasha Levin
    Cc: Christoph Lameter
    Cc: Joonsoo Kim
    Cc: Dave Hansen
    Cc: Andi Kleen
    Cc: Ingo Molnar
    Cc: Thomas Gleixner
    Cc: "H. Peter Anvin"
    Cc: Christoph Lameter
    Cc: Pekka Enberg
    Cc: David Rientjes
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 136b17dbcd68d5d0250b5cf0f52bfb5a47b9cc83
Author: Geert Uytterhoeven
Date:   Wed Feb 4 10:59:25 2015 -0800

    Input: gscps2 - fix MODULE_DEVICE_TABLE invocation

    commit 6c8afa88adce613c23f27e719f805cc2a6441b07 upstream.

    The patch "module: fix types of device tables aliases" newly requires that invocations of

        MODULE_DEVICE_TABLE(type, name);

    come *after* the definition of `name'. That is reasonable, but gscps2 wasn't doing this. Fix it.
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Ben Hutchings

commit 8627b587a51c8e31c68ba5cd66b4d1107b7da94e
Author: Andrew Morton
Date:   Fri Feb 13 14:39:11 2015 -0800

    MODULE_DEVICE_TABLE: fix some callsites

    commit 0f989f749b51ec1fd94bb5a42f8ad10c8b9f73cb upstream.

    The patch "module: fix types of device tables aliases" newly requires that invocations of

        MODULE_DEVICE_TABLE(type, name);

    come *after* the definition of `name'. That is reasonable, but some drivers weren't doing this. Fix them.

    Cc: James Bottomley
    Cc: Andrey Ryabinin
    Cc: David Miller
    Cc: Hans Verkuil
    Acked-by: Mauro Carvalho Chehab
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 6be8aa510a243ed610ff002a3d64caed6fde065a
Author: Varka Bhadram
Date:   Mon Jul 14 14:09:08 2014 +0530

    ethernet: amd: fix pci device ids

    commit ba69a3d78e4f51e65933a86b8b107c86709bb2f5 upstream.

    Normally any device ids will be above the corresponding device driver structure. This patch moves the pci device ids and MODULE_DEVICE_TABLE() above the pci driver structure.

    Signed-off-by: Varka Bhadram
    Signed-off-by: David S. Miller
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 89df4c05e38b84213ce370c1b45fb88f97a25c9c
Author: Paul Gortmaker
Date:   Mon Apr 20 10:20:40 2015 +0930

    modpost: don't emit section mismatch warnings for compiler optimizations

    commit 4a3893d069b788f3570c19c12d9e986e8e15870f upstream.

    Currently an allyesconfig build [gcc-4.9.1] can generate the following:

    WARNING: vmlinux.o(.text.unlikely+0x3864): Section mismatch in reference from the function cpumask_empty.constprop.3() to the variable .init.data:nmi_ipi_mask

    which comes from the cpumask_empty usage in arch/x86/kernel/nmi_selftest.c.
    Normally we would not see a symbol entry for cpumask_empty since it is:

    static inline bool cpumask_empty(const struct cpumask *srcp)

    however in this case, the variant of the symbol gets emitted when GCC does constant propagation optimization.

    Fix things up so that any locally optimized constprop variants don't warn when accessing variables that live in the __init sections.

    [arnd: adapted text_sections definition to 3.18]

    Signed-off-by: Paul Gortmaker
    Signed-off-by: Rusty Russell
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit a74cbb37bb2fe6a700eba93000347b12659bc844
Author: Paul Gortmaker
Date:   Mon Apr 20 10:20:26 2015 +0930

    modpost: expand pattern matching to support substring matches

    commit 09c20c032b0f753969ae778d9783d946f054d7fe upstream.

    Currently the match() function supports a leading * to match any prefix and a trailing * to match any suffix. However there currently is not a combination of both that can be used to target matches of whole families of functions that share a common substring. Here we expand the *foo and foo* match to also support *foo* with the goal of targeting compiler generated symbol names that contain strings like ".constprop." and ".isra."

    Signed-off-by: Paul Gortmaker
    Signed-off-by: Rusty Russell
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 987b13a4f0a5f92909ec2eeba885e5abe67abef8
Author: Linus Torvalds
Date:   Fri May 5 21:46:20 2017 +0200

    Disable "frame-address" warning

    commit 124a3d88fa20e1869fc229d7d8c740cc81944264 upstream.

    Newer versions of gcc warn about the use of __builtin_return_address() with a non-zero argument when "-Wall" is specified:

      kernel/trace/trace_irqsoff.c: In function ‘stop_critical_timings’:
      kernel/trace/trace_irqsoff.c:433:86: warning: calling ‘__builtin_return_address’ with a nonzero argument is unsafe [-Wframe-address]
         stop_critical_timing(CALLER_ADDR0, CALLER_ADDR1);

      [ .. repeats a few times for other similar cases .. ]

    It is true that a non-zero argument is somewhat dangerous, and we do not actually have very many uses of that in the kernel - but the ftrace code does use it, and as Stephen Rostedt says:

     "We are well aware of the danger of using __builtin_return_address() of > 0. In fact that's part of the reason for having the "thunk" code in x86 (See arch/x86/entry/thunk_{64,32}.S). [..] it adds extra frames when tracking irqs off sections, to prevent __builtin_return_address() from accessing bad areas. In fact the thunk_32.S states: 'Trampoline to trace irqs off. (otherwise CALLER_ADDR1 might crash)'."

    For now, __builtin_return_address() with a non-zero argument is the best we can do, and the warning is not helpful and can end up making people miss other warnings for real problems.

    So disable the frame-address warning on compilers that need it.

    Acked-by: Steven Rostedt
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 574a87e2b44301d56b0ade6740e91448e12d4bf8
Author: Oliver O'Halloran
Date:   Tue Jul 26 15:22:17 2016 -0700

    mm/init: fix zone boundary creation

    commit 90cae1fe1c3540f791d5b8e025985fa5e699b2bb upstream.

    As a part of memory initialisation the architecture passes an array to free_area_init_nodes() which specifies the max PFN of each memory zone. This array is not necessarily monotonic (due to unused zones) so this array is parsed to build monotonic lists of the min and max PFN for each zone. ZONE_MOVABLE is special cased here as its limits are managed by the mm subsystem rather than the architecture. Unfortunately, this special casing is broken when ZONE_MOVABLE is not the last zone in the zone list. The core of the issue is:

            if (i == ZONE_MOVABLE)
                    continue;
            arch_zone_lowest_possible_pfn[i] =
                    arch_zone_highest_possible_pfn[i-1];

    As ZONE_MOVABLE is skipped the lowest_possible_pfn of the next zone will be set to zero.
    This patch fixes this bug by explicitly tracking where the next zone should start rather than relying on the contents of arch_zone_highest_possible_pfn[].

    This is low priority. To get bitten by this you need to enable a zone that appears after ZONE_MOVABLE in the zone_type enum. As far as I can tell this means running a kernel with ZONE_DEVICE or ZONE_CMA enabled, so I can't see this affecting too many people.

    I only noticed this because I've been fiddling with ZONE_DEVICE on powerpc and 4.6 broke my test kernel. This bug, in conjunction with the changes in Taku Izumi's kernelcore=mirror patch (d91749c1dda71) and powerpc being the odd architecture which initialises max_zone_pfn[] to ~0ul instead of 0 caused all of system memory to be placed into ZONE_DEVICE at boot, followed by a panic since device memory cannot be used for kernel allocations. I've already submitted a patch to fix the powerpc specific bits, but I figured this should be fixed too.

    Link: http://lkml.kernel.org/r/1462435033-15601-1-git-send-email-oohall@gmail.com
    Signed-off-by: Oliver O'Halloran
    Cc: Anton Blanchard
    Cc: Benjamin Herrenschmidt
    Cc: Paul Mackerras
    Cc: Mel Gorman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Arnd Bergmann
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 90dbe547e888fd895e67f2208f48c5c9a283fec1
Author: Andy Shevchenko
Date:   Wed Jun 7 16:56:15 2017 +0300

    platform/x86: samsung-laptop: Initialize local variable

    commit 0d2c95354a3b63256e92d9fb865c08902d2c9b0b upstream.

    The variable is used uninitialized which might lead to unexpected behaviour on some Samsung laptops. Initialize it to 0xffff which seems a proper value for non-supported feature.
    Reported-by: Geert Uytterhoeven
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Ben Hutchings

commit 6e48ead2a37fd26e04761dcfb37643895fce87c8
Author: Ryusuke Konishi
Date:   Fri Nov 6 16:32:16 2015 -0800

    nilfs2: fix gcc uninitialized-variable warnings in powerpc build

    commit 4f05028f8d1af782cfd03d09e0a052e9745dc5ad upstream.

    Some false positive warnings are reported for powerpc build.

    The following warnings are reported in http://kisskb.ellerman.id.au/kisskb/buildresult/12519703/

      CC      fs/nilfs2/super.o
      fs/nilfs2/super.c: In function 'nilfs_resize_fs':
      fs/nilfs2/super.c:376:2: warning: 'blocknr' may be used uninitialized in this function [-Wuninitialized]
      fs/nilfs2/super.c:362:11: note: 'blocknr' was declared here
      CC      fs/nilfs2/recovery.o
      fs/nilfs2/recovery.c: In function 'nilfs_salvage_orphan_logs':
      fs/nilfs2/recovery.c:631:21: warning: 'sum' may be used uninitialized in this function [-Wuninitialized]
      fs/nilfs2/recovery.c:585:32: note: 'sum' was declared here
      fs/nilfs2/recovery.c: In function 'nilfs_search_super_root':
      fs/nilfs2/recovery.c:873:11: warning: 'sum' may be used uninitialized in this function [-Wuninitialized]

    Another similar warning is reported in http://kisskb.ellerman.id.au/kisskb/buildresult/12520079/

      CC      fs/nilfs2/btree.o
      fs/nilfs2/btree.c: In function 'nilfs_btree_convert_and_insert':
      include/asm-generic/bitops/non-atomic.h:105:20: warning: 'bh' may be used uninitialized in this function [-Wuninitialized]
      fs/nilfs2/btree.c:1859:22: note: 'bh' was declared here

    This cleans out these warnings by forcing the variables to be initialized.

    Signed-off-by: Ryusuke Konishi
    Reported-by: Geert Uytterhoeven
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 26be0adf343804be6b9a2474d0425fb379802b0a
Author: Ben Hutchings
Date:   Wed Oct 18 00:45:49 2017 +0100

    ALSA: seq: Enable 'use' locking in all configurations

    commit 8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream.
    The 'use' locking macros are no-ops if neither SMP nor SND_DEBUG is enabled. This might once have been OK in non-preemptible configurations, but even in that case snd_seq_read() may sleep while relying on a 'use' lock. So always use the proper implementations.

    Signed-off-by: Ben Hutchings
    Signed-off-by: Takashi Iwai
    Signed-off-by: Ben Hutchings

commit 6514189e83d470af2f35735038c1b096410ab98d
Author: Alan Stern
Date:   Wed Oct 18 12:49:38 2017 -0400

    USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()

    commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.

    Andrey used the syzkaller fuzzer to find an out-of-bounds memory access in usb_get_bos_descriptor(). The code wasn't checking that the next usb_dev_cap_header structure could fit into the remaining buffer space.

    This patch fixes the error and also reduces the bNumDeviceCaps field in the header to match the actual number of capabilities found, in cases where there are fewer than expected.

    Reported-by: Andrey Konovalov
    Signed-off-by: Alan Stern
    Tested-by: Andrey Konovalov
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 8d675aa967d3927ac100f7af48f2a2af8a041d2d
Author: Jaejoong Kim
Date:   Thu Sep 28 19:16:30 2017 +0900

    HID: usbhid: fix out-of-bounds bug

    commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream.

    The hid descriptor identifies the length and type of subordinate descriptors for a device. If the received hid descriptor is smaller than the size of the struct hid_descriptor, it is possible to cause out-of-bounds. In addition, if bNumDescriptors of the hid descriptor has an incorrect value, this can also cause out-of-bounds while approaching hdesc->desc[n]. So check the size of hid descriptor and bNumDescriptors.
    BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
    Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261

    CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #169
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Workqueue: usb_hub_wq hub_event
    Call Trace:
     __dump_stack lib/dump_stack.c:16
     dump_stack+0x292/0x395 lib/dump_stack.c:52
     print_address_description+0x78/0x280 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351
     kasan_report+0x22f/0x340 mm/kasan/report.c:409
     __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
     usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
     hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
     usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
     usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
     really_probe drivers/base/dd.c:413
     driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
     __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
     bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
     __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
     device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
     bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
     device_add+0xd0b/0x1660 drivers/base/core.c:1835
     usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
     generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
     usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
     really_probe drivers/base/dd.c:413
     driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
     __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
     bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
     __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
     device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
     bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
     device_add+0xd0b/0x1660 drivers/base/core.c:1835
     usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
     hub_port_connect drivers/usb/core/hub.c:4903
     hub_port_connect_change drivers/usb/core/hub.c:5009
     port_event drivers/usb/core/hub.c:5115
     hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
     process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
     worker_thread+0x221/0x1850 kernel/workqueue.c:2253
     kthread+0x3a1/0x470 kernel/kthread.c:231
     ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

    Reported-by: Andrey Konovalov
    Signed-off-by: Jaejoong Kim
    Tested-by: Andrey Konovalov
    Acked-by: Alan Stern
    Signed-off-by: Jiri Kosina
    Signed-off-by: Ben Hutchings

commit 824f2a5ccdd9ddfb53418c13f493aa46ae0c2c00
Author: Alan Stern
Date:   Fri Sep 29 10:54:24 2017 -0400

    usb: usbtest: fix NULL pointer dereference

    commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream.

    If the usbtest driver encounters a device with an IN bulk endpoint but no OUT bulk endpoint, it will try to dereference a NULL pointer (out->desc.bEndpointAddress). The problem can be solved by adding a missing test.

    Signed-off-by: Alan Stern
    Reported-by: Andrey Konovalov
    Tested-by: Andrey Konovalov
    Signed-off-by: Felipe Balbi
    Signed-off-by: Ben Hutchings

commit cc81fff9d62e32a27b1f16dab1a6172935792ab7
Author: Greg Kroah-Hartman
Date:   Tue Sep 19 15:07:17 2017 +0200

    USB: fix out-of-bounds in usb_set_configuration

    commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream.

    Andrey Konovalov reported a possible out-of-bounds problem for a USB interface association descriptor. He writes:

            It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION descriptor. It's only checked that the size is >= 2 in usb_parse_configuration(), so find_iad() might do out-of-bounds access to intf_assoc->bInterfaceCount.

    And he's right, we don't check for crazy descriptors of this type very well, so resolve this problem. Yet another issue found by syzkaller...
    Reported-by: Andrey Konovalov
    Tested-by: Andrey Konovalov
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit c0003557dbdec4ec1976ea7be9534abef758297b
Author: Alan Stern
Date:   Fri Sep 22 11:56:49 2017 -0400

    USB: uas: fix bug in handling of alternate settings

    commit 786de92b3cb26012d3d0f00ee37adf14527f35c4 upstream.

    The uas driver has a subtle bug in the way it handles alternate settings. The uas_find_uas_alt_setting() routine returns an altsetting value (the bAlternateSetting number in the descriptor), but uas_use_uas_driver() then treats that value as an index to the intf->altsetting array, which it isn't.

    Normally this doesn't cause any problems because the various alternate settings have bAlternateSetting values 0, 1, 2, ..., so the value is equal to the index in the array. But this is not guaranteed, and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a slab-out-of-bounds error by violating this assumption.

    This patch fixes the bug by making uas_find_uas_alt_setting() return a pointer to the altsetting entry rather than either the value or the index. Pointers are less subject to misinterpretation.

    Signed-off-by: Alan Stern
    Reported-by: Andrey Konovalov
    Tested-by: Andrey Konovalov
    CC: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 9992800cfd0b367369407d62a4c228c454c5d0e3
Author: Takashi Iwai
Date:   Fri Sep 22 16:18:53 2017 +0200

    ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor

    commit bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 upstream.

    When a USB-audio device receives a maliciously adjusted or corrupted buffer descriptor, the USB-audio driver may access an out-of-bounds value at its parser.
    This was detected by syzkaller, something like:

    BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
    Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
    CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Workqueue: usb_hub_wq hub_event
    Call Trace:
     __dump_stack lib/dump_stack.c:16
     dump_stack+0x292/0x395 lib/dump_stack.c:52
     print_address_description+0x78/0x280 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351
     kasan_report+0x22f/0x340 mm/kasan/report.c:409
     __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
     snd_usb_create_streams sound/usb/card.c:248
     usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
     usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
     really_probe drivers/base/dd.c:413
     driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
     __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
     bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
     __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
     device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
     bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
     device_add+0xd0b/0x1660 drivers/base/core.c:1835
     usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
     generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
     usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
     really_probe drivers/base/dd.c:413
     driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
     __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
     bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
     __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
     device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
     bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
     device_add+0xd0b/0x1660 drivers/base/core.c:1835
     usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
     hub_port_connect drivers/usb/core/hub.c:4903
     hub_port_connect_change drivers/usb/core/hub.c:5009
     port_event drivers/usb/core/hub.c:5115
     hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
     process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
     worker_thread+0x221/0x1850 kernel/workqueue.c:2253
     kthread+0x3a1/0x470 kernel/kthread.c:231
     ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

    This patch adds the checks of out-of-bounds accesses at appropriate places and bails out when it goes out of the given buffer.

    Reported-by: Andrey Konovalov
    Tested-by: Andrey Konovalov
    Signed-off-by: Takashi Iwai
    Signed-off-by: Ben Hutchings

commit 6a6488e8d231fa1fca2408e59e819f64fecb45f3
Author: Takashi Iwai
Date:   Tue Oct 10 14:10:32 2017 +0200

    ALSA: usb-audio: Kill stray URB at exiting

    commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream.

    USB-audio driver may leave a stray URB for the mixer interrupt when it exits by some error during probe. This leads to a use-after-free error as spotted by syzkaller like:

    ==================================================================
    BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
    Call Trace:
     __dump_stack lib/dump_stack.c:16
     dump_stack+0x292/0x395 lib/dump_stack.c:52
     print_address_description+0x78/0x280 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351
     kasan_report+0x23d/0x350 mm/kasan/report.c:409
     __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
     snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
     __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
     ....
    Allocated by task 1484:
     save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
     save_stack+0x43/0xd0 mm/kasan/kasan.c:447
     set_track mm/kasan/kasan.c:459
     kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
     kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
     kmalloc ./include/linux/slab.h:493
     kzalloc ./include/linux/slab.h:666
     snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
     create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
     snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
     create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
     snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
     usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
     ....

    Freed by task 1484:
     save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
     save_stack+0x43/0xd0 mm/kasan/kasan.c:447
     set_track mm/kasan/kasan.c:459
     kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
     slab_free_hook mm/slub.c:1390
     slab_free_freelist_hook mm/slub.c:1412
     slab_free mm/slub.c:2988
     kfree+0xf6/0x2f0 mm/slub.c:3919
     snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
     snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
     __snd_device_free+0x1ff/0x380 sound/core/device.c:91
     snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
     snd_card_do_free sound/core/init.c:461
     release_card_device+0x47/0x170 sound/core/init.c:181
     device_release+0x13f/0x210 drivers/base/core.c:814
     ....

    Actually such a URB is killed properly at disconnection when the device gets probed successfully, and what we need is to apply it for the error-path, too.

    In this patch, we apply snd_usb_mixer_disconnect() at releasing. Also introduce a new flag, disconnected, to struct usb_mixer_interface for not performing the disconnection procedure twice.
Reported-by: Andrey Konovalov
Tested-by: Andrey Konovalov
Signed-off-by: Takashi Iwai
[bwh: Backported to 3.16: snd_usb_mixer_disconnect() takes a pointer to usb_mixer_interface::list, not to usb_mixer_interface itself]
Signed-off-by: Ben Hutchings

commit 70abad3796f52ed593d5d31bf9f0b5410a522548
Author: Willem de Bruijn
Date: Tue Sep 26 12:19:37 2017 -0400

packet: in packet_do_bind, test fanout with bind_lock held

commit 4971613c1639d8e5f102c4e797c3bf8f83a5a69e upstream.

Once a socket has po->fanout set, it remains a member of the group until it is destroyed. The prot_hook must be constant and identical across sockets in the group.

If fanout_add races with packet_do_bind between the test of po->fanout and taking the lock, the bind call may make type or dev inconsistent with that of the fanout group.

Hold po->bind_lock when testing po->fanout to avoid this race.

I had to introduce artificial delay (local_bh_enable) to actually observe the race.

Fixes: dc99f600698d ("packet: Add fanout support.")
Signed-off-by: Willem de Bruijn
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 4839233c04cd9ffb65fa00bdb473cbdac427d45f
Author: Willem de Bruijn
Date: Thu Sep 14 17:14:41 2017 -0400

packet: hold bind lock when rebinding to fanout hook

commit 008ba2a13f2d04c947adc536d19debb8fe66f110 upstream.

Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket is actually on a ptype list to receive packets.

fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then binds the fanout object to receive through packet_rcv_fanout.

Make it hold the po->bind_lock when testing po->running and rebinding. Else, it can race with other rebind operations, such as that in packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates can result in a socket being added to a fanout group twice, causing use-after-free KASAN bug reports, among others.
Reported independently by both trinity and syzkaller. Verified that the syzkaller reproducer passes after this patch.

Fixes: dc99f600698d ("packet: Add fanout support.")
Reported-by: nixioaming
Signed-off-by: Willem de Bruijn
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: use atomic_read() not refcount_read()]
Signed-off-by: Ben Hutchings

commit 24832178de3ab7b6fb42f2730d8d675e3d30adb2
Author: David Howells
Date: Thu Oct 12 16:00:41 2017 +0100

KEYS: don't let add_key() update an uninstantiated key

commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream.

Currently, when passed a key that already exists, add_key() will call the key's ->update() method if such exists. But this is heavily broken in the case where the key is uninstantiated because it doesn't call __key_instantiate_and_link(). Consequently, it doesn't do most of the things that are supposed to happen when the key is instantiated, such as setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and awakening tasks waiting on it, and incrementing key->user->nikeys.

It also never takes key_construction_mutex, which means that ->instantiate() can run concurrently with ->update() on the same key. In the case of the "user" and "logon" key types this causes a memory leak, at best. Maybe even worse, the ->update() methods of the "encrypted" and "trusted" key types actually just dereference a NULL pointer when passed an uninstantiated key.

Change key_create_or_update() to wait interruptibly for the key to finish construction before continuing.

This patch only affects *uninstantiated* keys. For now we still allow a negatively instantiated key to be updated (thereby positively instantiating it), although that's broken too (the next patch fixes it) and I'm not sure that anyone actually uses that functionality either.
Here is a simple reproducer for the bug using the "encrypted" key type (requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug pertained to more than just the "encrypted" key type:

	/* Header names were lost in extraction; these are the ones the calls below need. */
	#include <keyutils.h>	/* keyctl_join_session_keyring(), add_key(), request_key(), keyctl_clear() */
	#include <stdlib.h>	/* rand() */
	#include <unistd.h>	/* fork(), usleep() */

	int main(void)
	{
		int ringid = keyctl_join_session_keyring(NULL);

		if (fork()) {
			/* Parent: repeatedly add (update) and clear the key. */
			for (;;) {
				const char payload[] = "update user:foo 32";

				usleep(rand() % 10000);
				add_key("encrypted", "desc", payload, sizeof(payload), ringid);
				keyctl_clear(ringid);
			}
		} else {
			/* Child: repeatedly request the same key, leaving it uninstantiated
			 * while the callout is pending. */
			for (;;)
				request_key("encrypted", "desc", "callout_info", ringid);
		}
	}

It causes:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: encrypted_update+0xb0/0x170
PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
PREEMPT SMP
CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8a467a39a340 task.stack: ffffb15c40770000
RIP: 0010:encrypted_update+0xb0/0x170
RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
Call Trace:
key_create_or_update+0x2bc/0x460
SyS_add_key+0x10c/0x1d0
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f5d7f211259
RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
CR2: 0000000000000018

Reported-by: Eric Biggers
Signed-off-by: David Howells
cc: Eric Biggers
Signed-off-by: Ben Hutchings

commit 853c65fe1db498563bdeea5b7e733441db34d330
Author: Takashi Iwai
Date: Mon Oct 9 11:09:20 2017 +0200

ALSA: seq: Fix use-after-free at creating a port

commit 71105998845fb012937332fe2e806d443c09e026 upstream.

There is a potential race window opened at creating and deleting a port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates a port object and returns its pointer, but it doesn't take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free like:

BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
___slab_alloc+0x425/0x460
__slab_alloc+0x20/0x40
kmem_cache_alloc_trace+0x150/0x190
snd_seq_create_port+0x94/0x9b0 [snd_seq]
snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
__slab_free+0x204/0x310
kfree+0x15f/0x180
port_delete+0x136/0x1a0 [snd_seq]
snd_seq_delete_port+0x235/0x350 [snd_seq]
snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
[] dump_stack+0x63/0x82
[] print_trailer+0xfb/0x160
[] object_err+0x34/0x40
[] kasan_report.part.2+0x223/0x520
[] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[] __asan_report_load1_noabort+0x2e/0x30
[] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
[] ? taskstats_exit+0xbc0/0xbc0
[] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
[] snd_seq_ioctl+0x40/0x80 [snd_seq]
[] ? acct_account_cputime+0x63/0x80
[] do_vfs_ioctl+0x54b/0xda0
.....

We may fix this in a few different ways, and in this patch, it's fixed simply by taking the refcount properly at snd_seq_create_port() and letting the caller unref the object after use. Also, there is another potential use-after-free by sprintf() call in snd_seq_create_port(), and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu
Suggested-by: Linus Torvalds
Signed-off-by: Takashi Iwai
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit a0a8a11d1630cd648dc1ce86da620b4e240e0315
Author: Johannes Berg
Date: Tue Sep 5 14:54:54 2017 +0200

mac80211: accept key reinstall without changing anything

commit fdf7cb4185b60c68e1a75e61691c4afdc15dea0e upstream.

When a key is reinstalled we can reset the replay counters etc. which can lead to nonce reuse and/or replay detection being impossible, breaking security properties, as described in the "KRACK attacks".

In particular, CVE-2017-13080 applies to GTK rekeying that happened in firmware while the host is in D3, with the second part of the attack being done after the host wakes up. In this case, the wpa_supplicant mitigation isn't sufficient since wpa_supplicant doesn't know the GTK material.
In case this happens, simply silently accept the new key coming from userspace but don't take any action on it since it's the same key; this keeps the PN replay counters intact.

Signed-off-by: Johannes Berg
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit c42ab77ec3454fc0d9710bd6734e241e4202d8b3
Author: David Howells
Date: Wed Oct 11 23:32:27 2017 +0100

assoc_array: Fix a buggy node-splitting case

commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream.

This fixes CVE-2017-12193.

Fix a case in the assoc_array implementation in which a new leaf is added that needs to go into a node that happens to be full, where the existing leaves in that node cluster together at that level to the exclusion of new leaf.

What needs to happen is that the existing leaves get moved out to a new node, N1, at level + 1 and the existing node needs replacing with one, N0, that has pointers to the new leaf and to N1.

The code that tries to do this gets this wrong in two ways:

(1) The pointer that should've pointed from N0 to N1 is set to point recursively to N0 instead.

(2) The backpointer from N0 needs to be set correctly in the case N0 is either the root node or reached through a shortcut.

Fix this by removing this path and using the split_node path instead, which achieves the same end, but in a more general way (thanks to Eric Biggers for spotting the redundancy).

The problem manifests itself as:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: assoc_array_apply_edit+0x59/0xe5

Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
Reported-and-tested-by: WU Fan
Signed-off-by: David Howells
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings

commit 3eab231a5b5382067ab3ead172780144f9c0f721
Author: Eric Biggers
Date: Mon Sep 18 11:37:23 2017 -0700

KEYS: prevent KEYCTL_READ on negative key

commit 37863c43b2c6464f252862bf2e9768264e961678 upstream.
Because keyctl_read_key() looks up the key with no permissions requested, it may find a negatively instantiated key. If the key is also possessed, we went ahead and called ->read() on the key. But the key payload will actually contain the ->reject_error rather than the normal payload. Thus, the kernel oopses trying to read the user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.

Fortunately the payload data is stored inline, so it shouldn't be possible to abuse this as an arbitrary memory read primitive...

Reproducer:

keyctl new_session
keyctl request2 user desc '' @s
keyctl read $(keyctl show | awk '/user: desc/ {print $1}')

It causes a crash like the following:

BUG: unable to handle kernel paging request at 00000000ffffff92
IP: user_read+0x33/0xa0
PGD 36a54067 P4D 36a54067 PUD 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
RIP: 0010:user_read+0x33/0xa0
RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
Call Trace:
keyctl_read_key+0xac/0xe0
SyS_keyctl+0x99/0x120
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f58ec787bb9
RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
CR2: 00000000ffffff92

Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: Ben Hutchings

commit 3c885aa3b459aabc5fa04251a5fdd88e29b1de70
Author: Vitaly Mayatskikh
Date: Fri Sep 22 01:18:39 2017 -0400

fix unbalanced page refcounting in bio_map_user_iov

commit 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream.

bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page merges them into one, but the page reference is never dropped.

Signed-off-by: Vitaly Mayatskikh
Signed-off-by: Al Viro
Signed-off-by: Ben Hutchings

commit 7df83adfc5d38bf960ef7ff0e4cb1c2c92715f63
Author: Arend Van Spriel
Date: Tue Sep 12 10:47:53 2017 +0200

brcmfmac: add length check in brcmf_cfg80211_escan_handler()

commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream.

Upon handling the firmware notification for scans the length was checked properly and may result in corrupting kernel heap memory due to buffer overruns. This fix addresses CVE-2017-0786.
Cc: Kevin Cernekee
Reviewed-by: Hante Meuleman
Reviewed-by: Pieter-Paul Giesberts
Reviewed-by: Franky Lin
Signed-off-by: Arend van Spriel
Signed-off-by: Kalle Valo
[bwh: Backported to 3.16:
 - Use WL_ESCAN_BUF_SIZE instead of BRCMF_ESCAN_BUF_SIZE
 - Adjust filename]
Signed-off-by: Ben Hutchings

commit 8a97fcd83ab01fb303bb5cdfc449f7d1a70462b6
Author: Ronnie Sahlberg
Date: Mon Oct 30 13:28:03 2017 +1100

cifs: check MaxPathNameComponentLength != 0 before using it

commit f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 upstream.

And fix tcon leak in error path.

Signed-off-by: Ronnie Sahlberg
Signed-off-by: Steve French
Reviewed-by: David Disseldorp
Signed-off-by: Ben Hutchings

commit 8d1e6515be4aabfbd7eca1e9a5daf8cae1cd39e7
Author: Oleg Nesterov
Date: Fri Sep 1 18:55:33 2017 +0200

epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()

commit 138e4ad67afd5c6c318b056b4d17c17f2c0ca5c0 upstream.

The race was introduced by me in commit 971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead"). I did not realize that nothing can protect eventpoll after ep_poll_callback() sets ->whead = NULL, only whead->lock can save us from the race with ep_free() or ep_remove().

Move ->whead = NULL to the end of ep_poll_callback() and add the necessary barriers.

TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even before this patch.

Hopefully this explains use-after-free reported by syzkaller:

BUG: KASAN: use-after-free in debug_spin_lock_before
...
_raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148

this is spin_lock(eventpoll->lock),

...
Freed by task 17774:
...
kfree+0xe8/0x2c0 mm/slub.c:3883
ep_free+0x22c/0x2a0 fs/eventpoll.c:865

Fixes: 971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
Reported-by: 范龙飞
Signed-off-by: Oleg Nesterov
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16: EPOLLEXCLUSIVE is not supported]
Signed-off-by: Ben Hutchings

commit 67175ba774af8fb3c3b4db3cf38bf3e7124dd7d2
Author: Cong Wang
Date: Thu Aug 31 16:47:43 2017 +0200

wl1251: add a missing spin_lock_init()

commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.

wl1251: add a missing spin_lock_init()

This fixes the following kernel warning:

[ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
[ 5668.771850] lock: 0xce63ef20, .magic: 00000000, .owner: /-1, .owner_cpu: 0
[ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G W 4.12.0-03002-gec979a4-dirty #40
[ 5668.772796] Hardware name: Nokia RX-51 board
[ 5668.773071] Workqueue: phy1 wl1251_irq_work
[ 5668.773345] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[ 5668.773803] [] (show_stack) from [] (do_raw_spin_lock+0x6c/0xa0)
[ 5668.774230] [] (do_raw_spin_lock) from [] (_raw_spin_lock_irqsave+0x10/0x18)
[ 5668.774658] [] (_raw_spin_lock_irqsave) from [] (wl1251_op_tx+0x38/0x5c)
[ 5668.775115] [] (wl1251_op_tx) from [] (ieee80211_tx_frags+0x188/0x1c0)
[ 5668.775543] [] (ieee80211_tx_frags) from [] (__ieee80211_tx+0x6c/0x130)
[ 5668.775970] [] (__ieee80211_tx) from [] (ieee80211_tx+0xdc/0x104)
[ 5668.776367] [] (ieee80211_tx) from [] (__ieee80211_subif_start_xmit+0x454/0x8c8)
[ 5668.776824] [] (__ieee80211_subif_start_xmit) from [] (ieee80211_subif_start_xmit+0x30/0x2fc)
[ 5668.777343] [] (ieee80211_subif_start_xmit) from [] (dev_hard_start_xmit+0x80/0x118)
...

by adding the missing spin_lock_init().

Reported-by: Pavel Machek
Cc: Kalle Valo
Signed-off-by: Cong Wang
Acked-by: Pavel Machek
Signed-off-by: Kalle Valo
Signed-off-by: Pavel Machek
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 76fb491fac59fd94e17b5615250701e6f57af2de
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:49:05 2017 +0300

sch_tbf: fix two null pointer dereferences on init failure

commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream.

sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy callbacks but it may fail before the timer is initialized due to missing options (either not supplied by user-space or set as a default qdisc), also q->qdisc is used by ->reset and ->destroy so we need it initialized.

Reproduce:
$ sysctl net.core.default_qdisc=tbf
$ ip l set ethX up

Crash log:
[ 959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[ 959.160323] IP: qdisc_reset+0xa/0x5c
[ 959.160400] PGD 59cdb067
[ 959.160401] P4D 59cdb067
[ 959.160466] PUD 59ccb067
[ 959.160532] PMD 0
[ 959.160597]
[ 959.160706] Oops: 0000 [#1] SMP
[ 959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem
[ 959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62
[ 959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000
[ 959.161263] RIP: 0010:qdisc_reset+0xa/0x5c
[ 959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286
[ 959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000
[ 959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000
[ 959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff
[ 959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0
[ 959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001
[ 959.162546] FS: 00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000
[ 959.162844] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0
[ 959.163233] DR0: 0000000000000000
DR1: 0000000000000000 DR2: 0000000000000000
[ 959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 959.163638] Call Trace:
[ 959.163788] tbf_reset+0x19/0x64 [sch_tbf]
[ 959.163957] qdisc_destroy+0x8b/0xe5
[ 959.164119] qdisc_create_dflt+0x86/0x94
[ 959.164284] ? dev_activate+0x129/0x129
[ 959.164449] attach_one_default_qdisc+0x36/0x63
[ 959.164623] netdev_for_each_tx_queue+0x3d/0x48
[ 959.164795] dev_activate+0x4b/0x129
[ 959.164957] __dev_open+0xe7/0x104
[ 959.165118] __dev_change_flags+0xc6/0x15c
[ 959.165287] dev_change_flags+0x25/0x59
[ 959.165451] do_setlink+0x30c/0xb3f
[ 959.165613] ? check_chain_key+0xb0/0xfd
[ 959.165782] rtnl_newlink+0x3a4/0x729
[ 959.165947] ? rtnl_newlink+0x117/0x729
[ 959.166121] ? ns_capable_common+0xd/0xb1
[ 959.166288] ? ns_capable+0x13/0x15
[ 959.166450] rtnetlink_rcv_msg+0x188/0x197
[ 959.166617] ? rcu_read_unlock+0x3e/0x5f
[ 959.166783] ? rtnl_newlink+0x729/0x729
[ 959.166948] netlink_rcv_skb+0x6c/0xce
[ 959.167113] rtnetlink_rcv+0x23/0x2a
[ 959.167273] netlink_unicast+0x103/0x181
[ 959.167439] netlink_sendmsg+0x326/0x337
[ 959.167607] sock_sendmsg_nosec+0x14/0x3f
[ 959.167772] sock_sendmsg+0x29/0x2e
[ 959.167932] ___sys_sendmsg+0x209/0x28b
[ 959.168098] ? do_raw_spin_unlock+0xcd/0xf8
[ 959.168267] ? _raw_spin_unlock+0x27/0x31
[ 959.168432] ? __handle_mm_fault+0x651/0xdb1
[ 959.168602] ? check_chain_key+0xb0/0xfd
[ 959.168773] __sys_sendmsg+0x45/0x63
[ 959.168934] ? __sys_sendmsg+0x45/0x63
[ 959.169100] SyS_sendmsg+0x19/0x1b
[ 959.169260] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 959.169432] RIP: 0033:0x7fcc5097e690
[ 959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690
[ 959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003
[ 959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003
[ 959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006
[ 959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000
[ 959.170900] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24 98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89 e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb
[ 959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610
[ 959.171821] CR2: 0000000000000018

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 0ff978e604aaea9cadd885bd12df2e4538198f97
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:49:03 2017 +0300

sch_netem: avoid null pointer deref on init failure

commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream.

netem can fail in ->init due to missing options (either not supplied by user-space or used as a default qdisc) causing a timer->base null pointer deref in its ->destroy() and ->reset() callbacks.
Reproduce:
$ sysctl net.core.default_qdisc=netem
$ ip l set ethX up

Crash log:
[ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1814.847181] IP: hrtimer_active+0x17/0x8a
[ 1814.847270] PGD 59c34067
[ 1814.847271] P4D 59c34067
[ 1814.847337] PUD 37374067
[ 1814.847403] PMD 0
[ 1814.847468]
[ 1814.847582] Oops: 0000 [#1] SMP
[ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
[ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G O 4.13.0-rc6+ #62
[ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000
[ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
[ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246
[ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000
[ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8
[ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff
[ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000
[ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001
[ 1814.849616] FS: 00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 1814.849919] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0
[ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1814.850723] Call Trace:
[ 1814.850875] hrtimer_try_to_cancel+0x1a/0x93
[ 1814.851047] hrtimer_cancel+0x15/0x20
[ 1814.851211] qdisc_watchdog_cancel+0x12/0x14
[ 1814.851383] netem_reset+0xe6/0xed [sch_netem]
[ 1814.851561] qdisc_destroy+0x8b/0xe5
[ 1814.851723] qdisc_create_dflt+0x86/0x94
[ 1814.851890] ? dev_activate+0x129/0x129
[ 1814.852057] attach_one_default_qdisc+0x36/0x63
[ 1814.852232] netdev_for_each_tx_queue+0x3d/0x48
[ 1814.852406] dev_activate+0x4b/0x129
[ 1814.852569] __dev_open+0xe7/0x104
[ 1814.852730] __dev_change_flags+0xc6/0x15c
[ 1814.852899] dev_change_flags+0x25/0x59
[ 1814.853064] do_setlink+0x30c/0xb3f
[ 1814.853228] ? check_chain_key+0xb0/0xfd
[ 1814.853396] ? check_chain_key+0xb0/0xfd
[ 1814.853565] rtnl_newlink+0x3a4/0x729
[ 1814.853728] ? rtnl_newlink+0x117/0x729
[ 1814.853905] ? ns_capable_common+0xd/0xb1
[ 1814.854072] ? ns_capable+0x13/0x15
[ 1814.854234] rtnetlink_rcv_msg+0x188/0x197
[ 1814.854404] ? rcu_read_unlock+0x3e/0x5f
[ 1814.854572] ? rtnl_newlink+0x729/0x729
[ 1814.854737] netlink_rcv_skb+0x6c/0xce
[ 1814.854902] rtnetlink_rcv+0x23/0x2a
[ 1814.855064] netlink_unicast+0x103/0x181
[ 1814.855230] netlink_sendmsg+0x326/0x337
[ 1814.855398] sock_sendmsg_nosec+0x14/0x3f
[ 1814.855584] sock_sendmsg+0x29/0x2e
[ 1814.855747] ___sys_sendmsg+0x209/0x28b
[ 1814.855912] ? do_raw_spin_unlock+0xcd/0xf8
[ 1814.856082] ? _raw_spin_unlock+0x27/0x31
[ 1814.856251] ? __handle_mm_fault+0x651/0xdb1
[ 1814.856421] ? check_chain_key+0xb0/0xfd
[ 1814.856592] __sys_sendmsg+0x45/0x63
[ 1814.856755] ? __sys_sendmsg+0x45/0x63
[ 1814.856923] SyS_sendmsg+0x19/0x1b
[ 1814.857083] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 1814.857256] RIP: 0033:0x7f733b2dd690
[ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690
[ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003
[ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003
[ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002
[ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000
[ 1814.859267] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3 31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b 45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
[ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590
[ 1814.860214] CR2: 0000000000000000

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 191fd165da1de27a2a61267f18eb65419ea938d5
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:49:02 2017 +0300

sch_fq_codel: avoid double free on init failure

commit 30c31d746d0eb458ae327f522bc8e4c44cbea0f0 upstream.

It is very unlikely to happen but the backlogs memory allocation could fail and will free q->flows, but then ->destroy() will free q->flows too. For correctness remove the first free and let ->destroy clean up.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: fq_codel used different alloc/free functions]
Signed-off-by: Ben Hutchings

commit addb3a32b0ed9de074b9c84b094b060141fcfa94
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:49:01 2017 +0300

sch_cbq: fix null pointer dereferences on init failure

commit 3501d059921246ff617b43e86250a719c140bd97 upstream.

CBQ can fail on ->init by wrong nl attributes or simply for missing any, f.e. if it's set as a default qdisc then TCA_OPTIONS (opt) will be NULL when it is activated. The first thing init does is parse opt but it will dereference a null pointer if used as a default qdisc, also since init failure at default qdisc invokes ->reset() which cancels all timers then we'll also dereference two more null pointers (timer->base) as they were never initialized.
To reproduce:
$ sysctl net.core.default_qdisc=cbq
$ ip l set ethX up

Crash log of the first null ptr deref:
[44727.907454] BUG: unable to handle kernel NULL pointer dereference at (null)
[44727.907600] IP: cbq_init+0x27/0x205
[44727.907676] PGD 59ff4067
[44727.907677] P4D 59ff4067
[44727.907742] PUD 59c70067
[44727.907807] PMD 0
[44727.907873]
[44727.907982] Oops: 0000 [#1] SMP
[44727.908054] Modules linked in:
[44727.908126] CPU: 1 PID: 21312 Comm: ip Not tainted 4.13.0-rc6+ #60
[44727.908235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[44727.908477] task: ffff88005ad42700 task.stack: ffff880037214000
[44727.908672] RIP: 0010:cbq_init+0x27/0x205
[44727.908838] RSP: 0018:ffff8800372175f0 EFLAGS: 00010286
[44727.909018] RAX: ffffffff816c3852 RBX: ffff880058c53800 RCX: 0000000000000000
[44727.909222] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff8800372175f8
[44727.909427] RBP: ffff880037217650 R08: ffffffff81b0f380 R09: 0000000000000000
[44727.909631] R10: ffff880037217660 R11: 0000000000000020 R12: ffffffff822a44c0
[44727.909835] R13: ffff880058b92000 R14: 00000000ffffffff R15: 0000000000000001
[44727.910040] FS: 00007ff8bc583740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[44727.910339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[44727.910525] CR2: 0000000000000000 CR3: 00000000371e5000 CR4: 00000000000406e0
[44727.910731] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[44727.910936] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[44727.911141] Call Trace:
[44727.911291] ? lockdep_init_map+0xb6/0x1ba
[44727.911461] ? qdisc_alloc+0x14e/0x187
[44727.911626] qdisc_create_dflt+0x7a/0x94
[44727.911794] ? dev_activate+0x129/0x129
[44727.911959] attach_one_default_qdisc+0x36/0x63
[44727.912132] netdev_for_each_tx_queue+0x3d/0x48
[44727.912305] dev_activate+0x4b/0x129
[44727.912468] __dev_open+0xe7/0x104
[44727.912631] __dev_change_flags+0xc6/0x15c
[44727.912799] dev_change_flags+0x25/0x59
[44727.912966] do_setlink+0x30c/0xb3f
[44727.913129] ? check_chain_key+0xb0/0xfd
[44727.913294] ? check_chain_key+0xb0/0xfd
[44727.913463] rtnl_newlink+0x3a4/0x729
[44727.913626] ? rtnl_newlink+0x117/0x729
[44727.913801] ? ns_capable_common+0xd/0xb1
[44727.913968] ? ns_capable+0x13/0x15
[44727.914131] rtnetlink_rcv_msg+0x188/0x197
[44727.914300] ? rcu_read_unlock+0x3e/0x5f
[44727.914465] ? rtnl_newlink+0x729/0x729
[44727.914630] netlink_rcv_skb+0x6c/0xce
[44727.914796] rtnetlink_rcv+0x23/0x2a
[44727.914956] netlink_unicast+0x103/0x181
[44727.915122] netlink_sendmsg+0x326/0x337
[44727.915291] sock_sendmsg_nosec+0x14/0x3f
[44727.915459] sock_sendmsg+0x29/0x2e
[44727.915619] ___sys_sendmsg+0x209/0x28b
[44727.915784] ? do_raw_spin_unlock+0xcd/0xf8
[44727.915954] ? _raw_spin_unlock+0x27/0x31
[44727.916121] ? __handle_mm_fault+0x651/0xdb1
[44727.916290] ? check_chain_key+0xb0/0xfd
[44727.916461] __sys_sendmsg+0x45/0x63
[44727.916626] ? __sys_sendmsg+0x45/0x63
[44727.916792] SyS_sendmsg+0x19/0x1b
[44727.916950] entry_SYSCALL_64_fastpath+0x23/0xc2
[44727.917125] RIP: 0033:0x7ff8bbc96690
[44727.917286] RSP: 002b:00007ffc360991e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[44727.917579] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007ff8bbc96690
[44727.917783] RDX: 0000000000000000 RSI: 00007ffc36099230 RDI: 0000000000000003
[44727.917987] RBP: ffff880037217f98 R08: 0000000000000001 R09: 0000000000000003
[44727.918190] R10: 00007ffc36098fb0 R11: 0000000000000246 R12: 0000000000000006
[44727.918393] R13: 000000000066f1a0 R14: 00007ffc360a12e0 R15: 0000000000000000
[44727.918597] ? trace_hardirqs_off_caller+0xa7/0xcf
[44727.918774] Code: 41 5f 5d c3 66 66 66 66 90 55 48 8d 56 04 45 31 c9 49 c7 c0 80 f3 b0 81 48 89 e5 41 55 41 54 53 48 89 fb 48 8d 7d a8 48 83 ec 48 <0f> b7 0e be 07 00 00 00 83 e9 04 e8 e6 f7 d8 ff 85 c0 0f 88 bb
[44727.919332] RIP: cbq_init+0x27/0x205 RSP: ffff8800372175f0
[44727.919516] CR2: 0000000000000000

Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16:
 - Keep using HRTIMER_MODE_ABS
 - Adjust context]
Signed-off-by: Ben Hutchings

commit a92fac339e56453f210608c1d8b17aa60fac47df
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:49:00 2017 +0300

sch_hfsc: fix null pointer deref and double free on init failure

commit 3bdac362a2f89ed3e148fa6f38c5f5d858f50b1a upstream.

Depending on where ->init fails we can get a null pointer deref due to uninitialized hires timer (watchdog) or a double free of the qdisc hash because it is already freed by ->destroy().

Fixes: 8d5537387505 ("net/sched/hfsc: allocate tcf block for hfsc root class")
Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: sch_hfsc doesn't use a tcf block]
Signed-off-by: Ben Hutchings

commit a65830f1ab55943f1d60831fa7f3a82dacb57fba
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:48:59 2017 +0300

sch_hhf: fix null pointer dereference on init failure

commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream.

If sch_hhf fails in its ->init() function (either due to wrong user-space arguments as below or memory alloc failure of hh_flows) it will do a null pointer deref of q->hh_flows in its ->destroy() function.
To reproduce the crash:
$ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000

Crash log:
[ 690.654882] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 690.655565] IP: hhf_destroy+0x48/0xbc
[ 690.655944] PGD 37345067
[ 690.655948] P4D 37345067
[ 690.656252] PUD 58402067
[ 690.656554] PMD 0
[ 690.656857]
[ 690.657362] Oops: 0000 [#1] SMP
[ 690.657696] Modules linked in:
[ 690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57
[ 690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 690.659255] task: ffff880058578000 task.stack: ffff88005acbc000
[ 690.659747] RIP: 0010:hhf_destroy+0x48/0xbc
[ 690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246
[ 690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
[ 690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0
[ 690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000
[ 690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea
[ 690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000
[ 690.663769] FS: 00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 690.667069] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0
[ 690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 690.671003] Call Trace:
[ 690.671743] qdisc_create+0x377/0x3fd
[ 690.672534] tc_modify_qdisc+0x4d2/0x4fd
[ 690.673324] rtnetlink_rcv_msg+0x188/0x197
[ 690.674204] ? rcu_read_unlock+0x3e/0x5f
[ 690.675091] ? rtnl_newlink+0x729/0x729
[ 690.675877] netlink_rcv_skb+0x6c/0xce
[ 690.676648] rtnetlink_rcv+0x23/0x2a
[ 690.677405] netlink_unicast+0x103/0x181
[ 690.678179] netlink_sendmsg+0x326/0x337
[ 690.678958] sock_sendmsg_nosec+0x14/0x3f
[ 690.679743] sock_sendmsg+0x29/0x2e
[ 690.680506] ___sys_sendmsg+0x209/0x28b
[ 690.681283] ? __handle_mm_fault+0xc7d/0xdb1
[ 690.681915] ? check_chain_key+0xb0/0xfd
[ 690.682449] __sys_sendmsg+0x45/0x63
[ 690.682954] ? __sys_sendmsg+0x45/0x63
[ 690.683471] SyS_sendmsg+0x19/0x1b
[ 690.683974] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 690.684516] RIP: 0033:0x7f8ae529d690
[ 690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690
[ 690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003
[ 690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000
[ 690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002
[ 690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000
[ 690.688475] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83 c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02 00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1
[ 690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0
[ 690.690636] CR2: 0000000000000000

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 859cc1d7c2230cb3eca91920560b136a6c5f7286
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:48:58 2017 +0300

sch_multiq: fix double free on init failure

commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream.
The below commit added a call to ->destroy() on init failure, but multiq still frees ->queues on error in init, but ->queues is also freed by ->destroy(), thus we get a double free and corrupted memory.

Very easy to reproduce (eth0 not multiqueue):
$ tc qdisc add dev eth0 root multiq
RTNETLINK answers: Operation not supported
$ ip l add dumdum type dummy
(crash)

Trace log:
[ 3929.467747] general protection fault: 0000 [#1] SMP
[ 3929.468083] Modules linked in:
[ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
[ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000
[ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
[ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246
[ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df
[ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020
[ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000
[ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564
[ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00
[ 3929.471869] FS: 00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 3929.472286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0
[ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3929.474873] Call Trace:
[ 3929.475337] ? kstrdup_const+0x23/0x25
[ 3929.475863] kstrdup+0x2e/0x4b
[ 3929.476338] kstrdup_const+0x23/0x25
[ 3929.478084] __kernfs_new_node+0x28/0xbc
[ 3929.478478] kernfs_new_node+0x35/0x55
[ 3929.478929] kernfs_create_link+0x23/0x76
[ 3929.479478] sysfs_do_create_link_sd.isra.2+0x85/0xd7
[ 3929.480096] sysfs_create_link+0x33/0x35
[ 3929.480649] device_add+0x200/0x589
[ 3929.481184] netdev_register_kobject+0x7c/0x12f
[ 3929.481711] register_netdevice+0x373/0x471
[ 3929.482174] rtnl_newlink+0x614/0x729
[ 3929.482610] ? rtnl_newlink+0x17f/0x729
[ 3929.483080] rtnetlink_rcv_msg+0x188/0x197
[ 3929.483533] ? rcu_read_unlock+0x3e/0x5f
[ 3929.483984] ? rtnl_newlink+0x729/0x729
[ 3929.484420] netlink_rcv_skb+0x6c/0xce
[ 3929.484858] rtnetlink_rcv+0x23/0x2a
[ 3929.485291] netlink_unicast+0x103/0x181
[ 3929.485735] netlink_sendmsg+0x326/0x337
[ 3929.486181] sock_sendmsg_nosec+0x14/0x3f
[ 3929.486614] sock_sendmsg+0x29/0x2e
[ 3929.486973] ___sys_sendmsg+0x209/0x28b
[ 3929.487340] ? do_raw_spin_unlock+0xcd/0xf8
[ 3929.487719] ? _raw_spin_unlock+0x27/0x31
[ 3929.488092] ? __handle_mm_fault+0x651/0xdb1
[ 3929.488471] ? check_chain_key+0xb0/0xfd
[ 3929.488847] __sys_sendmsg+0x45/0x63
[ 3929.489206] ? __sys_sendmsg+0x45/0x63
[ 3929.489576] SyS_sendmsg+0x19/0x1b
[ 3929.489901] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 3929.490172] RIP: 0033:0x7f0b6fb93690
[ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690
[ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003
[ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000
[ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002
[ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000
[ 3929.492352] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44 89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d 8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
[ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: f07d1501292b ("multiq: Further multiqueue cleanup")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: delete now-unused 'err' variable]
Signed-off-by: Ben Hutchings

commit 7de86dc840d6f03da5c272c6df3bdf18cd2b459e
Author: Nikolay Aleksandrov
Date: Wed Aug 30 12:48:57 2017 +0300

sch_htb: fix crash on init failure

commit 88c2ace69dbef696edba77712882af03879abc9c upstream.

The commit below added a call to the ->destroy() callback for all qdiscs which failed in their ->init(), but some were not prepared for such change and can't handle partially initialized qdisc. HTB is one of them and if any error occurs before the qdisc watchdog timer and qdisc work are initialized then we can hit either a null ptr deref (timer->base) when canceling in ->destroy or lockdep error info about trying to register a non-static key and a stack dump. So to fix these two move the watchdog timer and workqueue init before anything that can err out.

To reproduce, userspace needs to send a broken htb qdisc create request, tested with a modified tc (q_htb.c).
Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD 58fab067
[ 2710.898175] P4D 58fab067
[ 2710.898353] PUD 586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
[ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504] hrtimer_cancel+0x15/0x20
[ 2710.903667] qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866] htb_destroy+0x2e/0xf7
[ 2710.904097] qdisc_create+0x377/0x3fd
[ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511] rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682] ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849] ? rtnl_newlink+0x729/0x729
[ 2710.905017] netlink_rcv_skb+0x6c/0xce
[ 2710.905183] rtnetlink_rcv+0x23/0x2a
[ 2710.905345] netlink_unicast+0x103/0x181
[ 2710.905511] netlink_sendmsg+0x326/0x337
[ 2710.905679] sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847] sock_sendmsg+0x29/0x2e
[ 2710.906010] ___sys_sendmsg+0x209/0x28b
[ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346] ? _raw_spin_unlock+0x27/0x31
[ 2710.906514] ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685] ? check_chain_key+0xb0/0xfd
[ 2710.906855] __sys_sendmsg+0x45/0x63
[ 2710.907018] ? __sys_sendmsg+0x45/0x63
[ 2710.907185] SyS_sendmsg+0x19/0x1b
[ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2

Note that probably this bug goes further back because the default qdisc handling always calls ->destroy on init failure too.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 16df526e7fde6c3c609baebfb745bd9292a852c9
Author: Eric Dumazet
Date: Fri Feb 10 10:31:49 2017 -0800

net_sched: fix error recovery at qdisc creation

commit 87b60cfacf9f17cf71933c6e33b66e68160af71d upstream.

Dmitry reported uses after free in qdisc code [1]

The problem here is that ops->init() can return an error. qdisc_create_dflt() then calls ops->destroy(), while qdisc_create() does _not_ call it.

Four qdiscs chose to call their own ops->destroy(), assuming their caller would not.

This patch makes sure qdisc_create() calls ops->destroy() and fixes the four qdiscs to avoid double free.
[1]
BUG: KASAN: use-after-free in mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 at addr ffff8801d415d440
Read of size 8 by task syz-executor2/5030
CPU: 0 PID: 5030 Comm: syz-executor2 Not tainted 4.3.5-smp-DEV #119
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000046 ffff8801b435b870 ffffffff81bbbed4 ffff8801db000400
 ffff8801d415d440 ffff8801d415dc40 ffff8801c4988510 ffff8801b435b898
 ffffffff816682b1 ffff8801b435b928 ffff8801d415d440 ffff8801c49880c0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x6c/0x98 lib/dump_stack.c:51
 [] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [] print_address_description mm/kasan/report.c:196 [inline]
 [] kasan_report_error+0x1b4/0x4b0 mm/kasan/report.c:285
 [] kasan_report mm/kasan/report.c:305 [inline]
 [] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:326
 [] mq_destroy+0x242/0x290 net/sched/sch_mq.c:33
 [] qdisc_destroy+0x12d/0x290 net/sched/sch_generic.c:953
 [] qdisc_create_dflt+0xf0/0x120 net/sched/sch_generic.c:848
 [] attach_default_qdiscs net/sched/sch_generic.c:1029 [inline]
 [] dev_activate+0x6ad/0x880 net/sched/sch_generic.c:1064
 [] __dev_open+0x221/0x320 net/core/dev.c:1403
 [] __dev_change_flags+0x15e/0x3e0 net/core/dev.c:6858
 [] dev_change_flags+0x8e/0x140 net/core/dev.c:6926
 [] dev_ifsioc+0x446/0x890 net/core/dev_ioctl.c:260
 [] dev_ioctl+0x1ba/0xb80 net/core/dev_ioctl.c:546
 [] sock_do_ioctl+0x99/0xb0 net/socket.c:879
 [] sock_ioctl+0x2a0/0x390 net/socket.c:958
 [] vfs_ioctl fs/ioctl.c:44 [inline]
 [] do_vfs_ioctl+0x8a8/0xe50 fs/ioctl.c:611
 [] SYSC_ioctl fs/ioctl.c:626 [inline]
 [] SyS_ioctl+0x94/0xc0 fs/ioctl.c:617
 [] entry_SYSCALL_64_fastpath+0x12/0x17

Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 13219ab8a808cce5d94747bdd4289b5762672786
Author: Steve French
Date: Sun Aug 27 16:56:08 2017 -0500

CIFS: remove endian related sparse warning

commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream.

Recent patch had an endian warning, i.e.
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()

Signed-off-by: Steve French
CC: Ronnie Sahlberg
Acked-by: Pavel Shilovsky
Signed-off-by: Ben Hutchings

commit 09a6509424fecaaf585ad43055d58b4f6939ccac
Author: Pavel Shilovsky
Date: Thu Aug 24 15:16:40 2017 -0700

CIFS: Fix maximum SMB2 header size

commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream.

Currently the maximum size of SMB2/3 header is set incorrectly which leads to hanging of directory listing operations on encrypted SMB3 connections. Fix this by setting the maximum size to 170 bytes that is calculated as RFC1002 length field size (4) + transform header size (52) + SMB2 header size (64) + create response size (56).

Signed-off-by: Pavel Shilovsky
Signed-off-by: Steve French
Acked-by: Sachin Prabhu
Signed-off-by: Ben Hutchings

commit cd039997715628f2f59ad660778e0175bc4bd525
Author: Stephen Douthit
Date: Mon Aug 7 17:11:00 2017 -0400

i2c: ismt: Return EMSGSIZE for block reads with bogus length

commit ba201c4f5ebe13d7819081756378777d8153f23e upstream.

Compare the number of bytes actually seen on the wire to the byte count field returned by the slave device.

Previously we just overwrote the byte count returned by the slave with the real byte count and let the caller figure out if the message was sane.

Signed-off-by: Stephen Douthit
Tested-by: Dan Priamo
Acked-by: Neil Horman
Signed-off-by: Wolfram Sang
Signed-off-by: Ben Hutchings

commit 4351fb55a37d2b4bc8f90fdf835b7b02e8910658
Author: Stephen Douthit
Date: Mon Aug 7 17:10:59 2017 -0400

i2c: ismt: Don't duplicate the receive length for block reads

commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream.
According to Table 15-14 of the C2000 EDS (Intel doc #510524) the rx data pointed to by the descriptor dptr contains the byte count.

desc->rxbytes reports all bytes read on the wire, including the "byte count" byte.

So if a device sends 4 bytes in response to a block read, on the wire and in the DMA buffer we see:

count data1 data2 data3 data4
0x04  0xde  0xad  0xbe  0xef

That's what we want to return in data->block to the next level.

Instead we were actually prefixing that with desc->rxbytes:

bad   count data1 data2 data3 data4
0x05  0x04  0xde  0xad  0xbe  0xef

This was discovered while developing a BMC solution relying on the ipmi_ssif.c driver which was trying to interpret the bogus length field as part of the IPMI response.

Signed-off-by: Stephen Douthit
Tested-by: Dan Priamo
Acked-by: Neil Horman
Signed-off-by: Wolfram Sang
Signed-off-by: Ben Hutchings

commit e522f3751cc6d7bdb55b284f4aecd53108ffa0dd
Author: Ben Hutchings
Date: Thu Oct 1 01:35:55 2015 +0100

alpha: uapi: Add support for __SANE_USERSPACE_TYPES__

commit cec80d82142ab25c71eee24b529cfeaf17c43062 upstream.

This fixes compiler errors in perf such as:

tests/attr.c: In function 'store_event':
tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=]
  snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
                           ^

Signed-off-by: Ben Hutchings
Tested-by: Michael Cree
Signed-off-by: Matt Turner

commit 94941fd6a437d0f408c3f6f72657e1b75a2163ef
Author: Dan Carpenter
Date: Fri Aug 18 13:30:30 2017 +0300

x86/ldt: Fix off by one in get_segment_base()

commit eaa2f87c6b840b83827c40db6eb8481689570259 upstream.

ldt->entries[] is allocated in alloc_ldt_struct(). It has ldt->nr_entries elements and ldt->nr_entries is capped at LDT_ENTRIES. So if "idx" is == ldt->nr_entries then we're reading beyond the end of the buffer.
It seems duplicative to have two limit checks when one would work just as well so I removed the check against LDT_ENTRIES.

The gdt_page.gdt[] array has GDT_ENTRIES entries.

Signed-off-by: Dan Carpenter
Acked-by: Andy Lutomirski
Cc: Alexander Shishkin
Cc: Arnaldo Carvalho de Melo
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: kernel-janitors@vger.kernel.org
Fixes: d07bdfd322d3 ("perf/x86: Fix USER/KERNEL tagging of samples properly")
Link: http://lkml.kernel.org/r/20170818102516.gqwm4xdvvuvjw5ho@mwanda
Signed-off-by: Ingo Molnar
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings

commit ab9224e92d75a971ef263871c38997b04c160b7c
Author: Tejun Heo
Date: Mon Aug 28 14:51:27 2017 -0700

cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs

commit b339752d054fb32863418452dff350a1086885b1 upstream.

When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of @node. The assumption seems to be that if !NUMA, there shouldn't be more than one node and thus reporting cpu_online_mask regardless of @node is correct.

However, that assumption was broken years ago to support DISCONTIGMEM and whether a system has multiple nodes or not is separately controlled by NEED_MULTIPLE_NODES. This means that, on a system with !NUMA && NEED_MULTIPLE_NODES, cpumask_of_node() will report cpu_online_mask for all possible nodes, indicating that the CPUs are associated with multiple nodes which is an impossible configuration.

This bug has been around forever but doesn't look like it has caused any noticeable symptoms. However, it triggers a WARN recently added to workqueue to verify NUMA affinity configuration.

Fix it by reporting empty cpumask on non-zero nodes if !NUMA.
Signed-off-by: Tejun Heo
Reported-and-tested-by: Geert Uytterhoeven
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings

commit 0933273ce750969715646c4589ccda3e676239ba
Author: Wei Wang
Date: Fri Aug 25 15:03:10 2017 -0700

ipv6: fix sparse warning on rt6i_node

commit 4e587ea71bf924f7dac621f1351653bd41e446cb upstream.

Commit c5cff8561d2d adds an rcu grace period before freeing fib6_node. This generates a new sparse warning on rt->rt6i_node related code:

net/ipv6/route.c:1394:30: error: incompatible types in comparison expression (different address spaces)
./include/net/ip6_fib.h:187:14: error: incompatible types in comparison expression (different address spaces)

This commit adds "__rcu" tag for rt6i_node and makes sure corresponding rcu API is used for it. After this fix, sparse no longer generates the above warning.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Wei Wang
Acked-by: Eric Dumazet
Acked-by: Martin KaFai Lau
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: drop changes in rt6_cache_allowed_for_pmtu()]
Signed-off-by: Ben Hutchings

commit cdf3de08e9b080f78583e46ad3668ab2bfe7c2f1
Author: Guillaume Nault
Date: Fri Aug 25 16:51:46 2017 +0200

l2tp: hold tunnel used while creating sessions with netlink

commit e702c1204eb57788ef189c839c8c779368267d70 upstream.

Use l2tp_tunnel_get() to retrieve tunnel, so that it can't go away on us. Otherwise l2tp_tunnel_destruct() might release the last reference count concurrently, thus freeing the tunnel while we're using it.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit fc555cf5f5724a10d47ee7ececb492e11557827f
Author: Guillaume Nault
Date: Tue Apr 11 13:12:13 2017 +0200

l2tp: remove useless duplicate session detection in l2tp_netlink

commit af87ae465abdc070de0dc35d6c6a9e7a8cd82987 upstream.
There's no point in checking for duplicate sessions at the beginning of l2tp_nl_cmd_session_create(); the ->session_create() callbacks already return -EEXIST when the session already exists.

Furthermore, even if l2tp_session_find() returns NULL, a new session might be created right after the test. So relying on ->session_create() to avoid duplicate sessions is the only sane behaviour.

Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: also delete the now-unused local variable]
Signed-off-by: Ben Hutchings

commit e9176e5d4eecd1fdb20ff5aaf9d77faac286ce6f
Author: Guillaume Nault
Date: Fri Aug 25 16:51:43 2017 +0200

l2tp: hold tunnel while handling genl TUNNEL_GET commands

commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.

Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get a reference on the tunnel, preventing l2tp_tunnel_destruct() from freeing it from under us.

Also move l2tp_tunnel_get() below nlmsg_new() so that we only take the reference when needed.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 9f691d8120877645a55e42d72bcea3d7a862ae7b
Author: Guillaume Nault
Date: Fri Aug 25 16:51:42 2017 +0200

l2tp: hold tunnel while handling genl tunnel updates

commit 8c0e421525c9eb50d68e8f633f703ca31680b746 upstream.

We need to make sure the tunnel is not going to be destroyed by l2tp_tunnel_destruct() concurrently.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 68f93847e5a02f4ccce70b01dc90325ff9c3252e
Author: Guillaume Nault
Date: Fri Aug 25 16:51:42 2017 +0200

l2tp: hold tunnel while processing genl delete command

commit bb0a32ce4389e17e47e198d2cddaf141561581ad upstream.
l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to prevent it from being concurrently freed by l2tp_tunnel_destruct().

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 76ff5e22f1e08cbef99eda237c9e4f0c0082719e
Author: Guillaume Nault
Date: Fri Aug 25 16:51:40 2017 +0200

l2tp: hold tunnel while looking up sessions in l2tp_netlink

commit 54652eb12c1b72e9602d09cb2821d5760939190f upstream.

l2tp_tunnel_find() doesn't take a reference on the returned tunnel. Therefore, it's unsafe to use it because the returned tunnel can go away on us anytime.

Fix this by defining l2tp_tunnel_get(), which works like l2tp_tunnel_find(), but takes a reference on the returned tunnel. The caller then has to drop this reference using l2tp_tunnel_dec_refcount().

As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code has been broken (not even compiling) in May 2012 by commit a4ca44fa578c ("net: l2tp: Standardize logging styles") and fixed more than two years later by commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it doesn't appear to be used by anyone.

Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h, let's just simplify things and call kfree_rcu() directly in l2tp_tunnel_dec_refcount(). Extra assertions and debugging code provided by l2tp_tunnel_free() didn't help catch any of the reference counting and socket handling issues found while working on this series.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: keep using atomic_t functions]
Signed-off-by: Ben Hutchings

commit ceb8f6b23a38f4feaef670359c61c595b6a56da5
Author: Guillaume Nault
Date: Wed Apr 12 10:05:29 2017 +0200

l2tp: define parameters of l2tp_session_get*() as "const"

commit 9aaef50c44f132e040dcd7686c8e78a3390037c5 upstream.

Make l2tp_pernet()'s parameter constant, so that l2tp_session_get*() can declare their "net" variable as "const". Also constify "ifname" in l2tp_session_get_by_ifname().

Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 0295d020b63f9ed8cd3492b97d38bcc0c4a2155c
Author: Guillaume Nault
Date: Fri Aug 25 16:22:17 2017 +0200

l2tp: initialise session's refcount before making it reachable

commit 9ee369a405c57613d7c83a3967780c3e30c52ecc upstream.

Sessions must be fully initialised before calling l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame where partially initialised sessions can be accessed by external users.

Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: keep using l2tp_session_inc_refcount()]
Signed-off-by: Ben Hutchings

commit 1f088ec594208a1d858bb1353552f078f82924c5
Author: Bart Van Assche
Date: Wed Aug 9 11:32:11 2017 -0700

dm: fix printk() rate limiting code

commit 604407890ecf624c2fb41013c82b22aade59b455 upstream.

Using the same rate limiting state for different kinds of messages is wrong because this can cause a high frequency message to suppress a report of a low frequency message. Hence use a unique rate limiting state per message type.
Fixes: 71a16736a15e ("dm: use local printk ratelimit")
Signed-off-by: Bart Van Assche
Signed-off-by: Mike Snitzer
Signed-off-by: Ben Hutchings

commit 197e224488cb0844ad236adde6e009dede19bf00
Author: Joe Perches
Date: Thu Apr 20 10:46:07 2017 -0700

dm: convert DM printk macros to pr_ macros

commit d2c3c8dcb5987b8352e82089c79a41b6e17e28d2 upstream.

Using pr_ is the more common logging style.

Standardize style and use new macro DM_FMT. Use no_printk in DMDEBUG macros when CONFIG_DM_DEBUG is not #defined.

Signed-off-by: Joe Perches
Signed-off-by: Mike Snitzer
Signed-off-by: Ben Hutchings

commit 16ff4b32645396613b9d0e8707fa65143a36ee5a
Author: Mathias Krause
Date: Sat Aug 26 17:09:00 2017 +0200

xfrm_user: fix info leak in build_aevent()

commit 931e79d7a7ddee4709c56b39de169a36804589a1 upstream.

The memory reserved to dump the ID of the xfrm state includes a padding byte in struct xfrm_usersa_id added by the compiler for alignment. To prevent the heap info leak, memset(0) the sa_id before filling it.

Cc: Jamal Hadi Salim
Fixes: d51d081d6504 ("[IPSEC]: Sync series - user")
Signed-off-by: Mathias Krause
Signed-off-by: Steffen Klassert
Signed-off-by: Ben Hutchings

commit 6e5fe5f1b4a5b89f37e67d604288fd14d4171653
Author: Mathias Krause
Date: Sat Aug 26 17:08:58 2017 +0200

xfrm_user: fix info leak in xfrm_notify_sa()

commit 50329c8a340c9dea60d837645fcf13fc36bfb84d upstream.

The memory reserved to dump the ID of the xfrm state includes a padding byte in struct xfrm_usersa_id added by the compiler for alignment. To prevent the heap info leak, memset(0) the whole struct before filling it.

Cc: Herbert Xu
Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
Signed-off-by: Mathias Krause
Signed-off-by: Steffen Klassert
Signed-off-by: Ben Hutchings

commit 0ad3abfdc63abef74a235389c311d89891929c00
Author: Linus Torvalds
Date: Sun Aug 27 12:12:25 2017 -0700

Clarify (and fix) MAX_LFS_FILESIZE macros

commit 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad upstream.
We have a MAX_LFS_FILESIZE macro that is meant to be filled in by filesystems (and other IO targets) that know they are 64-bit clean and don't have any 32-bit limits in their IO path.

It turns out that our 32-bit value for that limit was bogus. On 32-bit, the VM layer is limited by the page cache to only 32-bit index values, but our logic for that was confusing and actually wrong. We used to define that value to

(((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)

which is actually odd in several ways: it limits the index to 31 bits, and then it limits files so that they can't have data in that last byte of a page that has the highest 31-bit index (ie page index 0x7fffffff).

Neither of those limitations makes sense. The index is actually the full 32 bit unsigned value, and we can use that whole full page. So the maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".

However, we do want to avoid the maximum index, because we have code that iterates over the page indexes, and we don't want that code to overflow. So the maximum size of a file on a 32-bit host should actually be one page less than the full 32-bit index.

So the actual limit is ULONG_MAX << PAGE_SHIFT. That means that we will not actually be using the page of that last index (ULONG_MAX), but we can grow a file up to that limit.

The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5 volume. It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one byte less), but the actual true VM limit is one page less than 16TiB.

This was invisible until commit c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()"), which started applying that MAX_LFS_FILESIZE limit to block devices too.

NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is actually just the offset type itself (loff_t), which is signed.
But for clarity, on 64-bit, just use the maximum signed value, and don't make people have to count the number of 'f' characters in the hex constant. So just use LLONG_MAX for the 64-bit case. That was what the value had been before too, just written out as a hex constant.

Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
Reported-and-tested-by: Doug Nazar
Cc: Andreas Dilger
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Dave Kleikamp
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16: 32-bit definition still used PAGE_CACHE_SIZE]
Signed-off-by: Ben Hutchings

commit bc9f33ef48a6911985750200dd094966fdded324
Author: Florian Fainelli
Date: Thu Aug 24 18:34:44 2017 -0700

r8169: Be drop monitor friendly

commit 7a4b813cb739ce598ffbad2e84d19d13fa23e25d upstream.

rtl_tx() is the TX reclamation process whereas rtl8169_tx_clear_range() does the TX ring cleaning during shutdown, both of these functions should call dev_consume_skb_any() to be drop monitor friendly.

Fixes: cac4b22f3d6a ("r8169: do not account fragments as packets")
Fixes: eb781397904e ("r8169: Do not use dev_kfree_skb in xmit path")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 2edc7704ee7395b36f2d5fa8db1594d28146c930
Author: Florian Fainelli
Date: Thu Aug 24 18:34:43 2017 -0700

r8169: Do not increment tx_dropped in TX ring cleaning

commit 1089650d8837095f63e001bbf14d7b48043d67ad upstream.

rtl8169_tx_clear_range() is responsible for cleaning up the TX ring during interface shutdown, incrementing tx_dropped for every SKB that we left at the time in the ring is misleading.

Fixes: cac4b22f3d6a ("r8169: do not account fragments as packets")
Signed-off-by: Florian Fainelli
Signed-off-by: David S.
Miller
Signed-off-by: Ben Hutchings

commit 6da0c15f9c7bdeabf720792a58b62dd51e17c3fa
Author: Steffen Klassert
Date: Fri Aug 25 09:05:42 2017 +0200

ipv6: Fix may be used uninitialized warning in rt6_check

commit 3614364527daa870264f6dde77f02853cdecd02c upstream.

rt_cookie might be used uninitialized, fix this by initializing it.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Steffen Klassert
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 5f4755d9f0667bf283a6546fced108d4a6904e31
Author: Wei Wang
Date: Mon Aug 21 09:47:10 2017 -0700

ipv6: add rcu grace period before freeing fib6_node

commit c5cff8561d2d0006e972bd114afd51f082fee77c upstream.

We currently keep rt->rt6i_node pointing to the fib6_node for the route. And some functions make use of this pointer to dereference the fib6_node from rt structure, e.g. rt6_check(). However, as there is neither refcount nor rcu taken when dereferencing rt->rt6i_node, it could potentially cause crashes as rt->rt6i_node could be set to NULL by other CPUs when doing a route deletion.

This patch introduces an rcu grace period before freeing fib6_node and makes sure the functions that dereference it take rcu_read_lock().

Note: there is no "Fixes" tag because this bug was there in a very early stage.

Signed-off-by: Wei Wang
Acked-by: Eric Dumazet
Acked-by: Martin KaFai Lau
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 3ebe28a44b3c0f7f06eb5bf7661ef452ea613c52
Author: Martin KaFai Lau
Date: Fri May 22 20:56:01 2015 -0700

ipv6: Add rt6_get_cookie() function

commit b197df4f0f3782782e9ea8996e91b65ae33e8dd9 upstream.

Instead of doing the rt6->rt6i_node check whenever we need to get the route's cookie. Refactor it into rt6_get_cookie(). It is a prep work to handle FLOWI_FLAG_KNOWN_NH and also percpu rt6_info later.
Signed-off-by: Martin KaFai Lau
Cc: Hannes Frederic Sowa
Cc: Steffen Klassert
Cc: Julian Anastasov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 71f1b6f16c3c2884ddb6c2a1fec277dd401cd39a
Author: Chen Yu
Date: Fri Aug 25 15:55:30 2017 -0700

PM/hibernate: touch NMI watchdog when creating snapshot

commit 556b969a1cfe2686aae149137fa1dfcac0eefe54 upstream.

There is a problem that when counting the pages for creating the hibernation snapshot will take significant amount of time, especially on system with large memory. Since the counting job is performed with irq disabled, this might lead to NMI lockup. The following warning was found on a system with 1.5TB DRAM:

Freezing user space processes ... (elapsed 0.002 seconds) done.
OOM killer disabled.
PM: Preallocating image memory...
NMI watchdog: Watchdog detected hard LOCKUP on cpu 27
CPU: 27 PID: 3128 Comm: systemd-sleep Not tainted 4.13.0-0.rc2.git0.1.fc27.x86_64 #1
task: ffff9f01971ac000 task.stack: ffffb1a3f325c000
RIP: 0010:memory_bm_find_bit+0xf4/0x100
Call Trace:
 swsusp_set_page_free+0x2b/0x30
 mark_free_pages+0x147/0x1c0
 count_data_pages+0x41/0xa0
 hibernate_preallocate_memory+0x80/0x450
 hibernation_snapshot+0x58/0x410
 hibernate+0x17c/0x310
 state_store+0xdf/0xf0
 kobj_attr_store+0xf/0x20
 sysfs_kf_write+0x37/0x40
 kernfs_fop_write+0x11c/0x1a0
 __vfs_write+0x37/0x170
 vfs_write+0xb1/0x1a0
 SyS_write+0x55/0xc0
 entry_SYSCALL_64_fastpath+0x1a/0xa5
...
done (allocated 6590003 pages)
PM: Allocated 26360012 kbytes in 19.89 seconds (1325.28 MB/s)

It has taken nearly 20 seconds (2.10GHz CPU) thus the NMI lockup was triggered. In case the timeout of the NMI watch dog has been set to 1 second, a safe interval should be 6590003/20 = 320k pages in theory. However there might also be some platforms running at a lower frequency, so feed the watchdog every 100k pages.
[yu.c.chen@intel.com: simplification]
Link: http://lkml.kernel.org/r/1503460079-29721-1-git-send-email-yu.c.chen@intel.com
[yu.c.chen@intel.com: use interval of 128k instead of 100k to avoid modulus]
Link: http://lkml.kernel.org/r/1503328098-5120-1-git-send-email-yu.c.chen@intel.com
Signed-off-by: Chen Yu
Reported-by: Jan Filipcewicz
Suggested-by: Michal Hocko
Reviewed-by: Michal Hocko
Acked-by: Rafael J. Wysocki
Cc: Mel Gorman
Cc: Vlastimil Babka
Cc: Len Brown
Cc: Dan Williams
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 3d64999a2430985579000d116c1292916cd1144b
Author: Mark Rutland
Date: Thu Jun 22 15:41:38 2017 +0100

perf/core: Fix group {cpu,task} validation

commit 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e upstream.

Regardless of which events form a group, it does not make sense for the events to target different tasks and/or CPUs, as this leaves the group inconsistent and impossible to schedule. The core perf code assumes that these are consistent across (successfully initialised) groups.

Core perf code only verifies this when moving SW events into a HW context. Thus, we can violate this requirement for pure SW groups and pure HW groups, unless the relevant PMU driver happens to perform this verification itself. These mismatched groups subsequently wreak havoc elsewhere.

For example, we handle watchpoints as SW events, and reserve watchpoint HW on a per-CPU basis at pmu::event_init() time to ensure that any event that is initialised is guaranteed to have a slot at pmu::add() time. However, the core code only checks the group leader's cpu filter (via event_filter_match()), and can thus install follower events onto CPUs violating their (mismatched) CPU filters, potentially installing them into a CPU without sufficient reserved slots.

This can be triggered with the below test case, resulting in warnings from arch backends.
#define _GNU_SOURCE
/* Header names restored here; the page's extraction had stripped them. */
#include <linux/hw_breakpoint.h>
#include <linux/perf_event.h>
#include <sched.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

static int perf_event_open(struct perf_event_attr *attr, pid_t pid,
			   int cpu, int group_fd, unsigned long flags)
{
	return syscall(__NR_perf_event_open, attr, pid, cpu, group_fd, flags);
}

char watched_char;

struct perf_event_attr wp_attr = {
	.type = PERF_TYPE_BREAKPOINT,
	.bp_type = HW_BREAKPOINT_RW,
	.bp_addr = (unsigned long)&watched_char,
	.bp_len = 1,
	.size = sizeof(wp_attr),
};

int main(int argc, char *argv[])
{
	int leader, ret;
	cpu_set_t cpus;

	/*
	 * Force use of CPU0 to ensure our CPU0-bound events get scheduled.
	 */
	CPU_ZERO(&cpus);
	CPU_SET(0, &cpus);
	ret = sched_setaffinity(0, sizeof(cpus), &cpus);
	if (ret) {
		printf("Unable to set cpu affinity\n");
		return 1;
	}

	/* open leader event, bound to this task, CPU0 only */
	leader = perf_event_open(&wp_attr, 0, 0, -1, 0);
	if (leader < 0) {
		printf("Couldn't open leader: %d\n", leader);
		return 1;
	}

	/*
	 * Open a follower event that is bound to the same task, but a
	 * different CPU. This means that the group should never be possible to
	 * schedule.
	 */
	ret = perf_event_open(&wp_attr, 0, 1, leader, 0);
	if (ret < 0) {
		printf("Couldn't open mismatched follower: %d\n", ret);
		return 1;
	} else {
		printf("Opened leader/follower with mismatched CPUs\n");
	}

	/*
	 * Open as many independent events as we can, all bound to the same
	 * task, CPU0 only.
	 */
	do {
		ret = perf_event_open(&wp_attr, 0, 0, -1, 0);
	} while (ret >= 0);

	/*
	 * Force enable/disable all events to trigger the erroneous
	 * installation of the follower event.
	 */
	printf("Opened all events. Toggling..\n");
	for (;;) {
		prctl(PR_TASK_PERF_EVENTS_DISABLE, 0, 0, 0, 0);
		prctl(PR_TASK_PERF_EVENTS_ENABLE, 0, 0, 0, 0);
	}

	return 0;
}

Fix this by validating this requirement regardless of whether we're moving events.
Signed-off-by: Mark Rutland
Signed-off-by: Peter Zijlstra (Intel)
Cc: Alexander Shishkin
Cc: Arnaldo Carvalho de Melo
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: Zhou Chengming
Link: http://lkml.kernel.org/r/1498142498-15758-1-git-send-email-mark.rutland@arm.com
Signed-off-by: Ingo Molnar
Signed-off-by: Ben Hutchings

commit 7874b21a45a6ac84fbcef2fd8c760a73cb6211c2
Author: stephen hemminger
Date: Thu Aug 24 16:49:16 2017 -0700

netvsc: fix deadlock between link status and removal

commit 9b4e946ce14e20d7addbfb7d9139e604f9fda107 upstream.

There is a deadlock possible when canceling the link status delayed work queue. The removal process is run with RTNL held, and the link status callback is acquiring RTNL.

Resolve the issue by using trylock and rescheduling. If cancel is in process, that blocks it from happening.

Fixes: 122a5f6410f4 ("staging: hv: use delayed_work for netvsc_send_garp()")
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
[bwh: Backported to 3.16:
 - Move assignment of ndev_ctx before this new use
 - LINKCHANGE_INT is not defined; substitute its upstream definition]
Signed-off-by: Ben Hutchings

commit 48bc9aef7eea8801fcb606a946407070efd764f0
Author: Uwe Kleine-König
Date: Wed Aug 23 09:03:04 2017 +0200

mtd: nandsim: remove debugfs entries in error path

commit b974696da1cfc5aa0c29ed97dc8f6c239899e64b upstream.

The debugfs entries must be removed before an error is returned in the probe function. Otherwise another try to load the module fails and when the debugfs files are accessed without the module loaded, the kernel still tries to call a function in that module.
Fixes: 5346c27c5fed ("mtd: nandsim: Introduce debugfs infrastructure")
Signed-off-by: Uwe Kleine-König
Reviewed-by: Richard Weinberger
Acked-by: Boris Brezillon
Signed-off-by: Brian Norris
Signed-off-by: Ben Hutchings

commit ca839d18870de4ce31678ca360826ac199843e83
Author: Florian Fainelli
Date: Thu Aug 24 16:01:13 2017 -0700

net: systemport: Free DMA coherent descriptors on errors

commit c2062ee3d9615828109ffe8089fbf69bed394d05 upstream.

In case bcm_sysport_init_tx_ring() is not able to allocate ring->cbs, we would return with an error, and call bcm_sysport_fini_tx_ring() and it would see that ring->cbs is NULL and do nothing. This would leak the coherent DMA descriptor area, so we need to free it on error before returning.

Reported-by: Eric Dumazet
Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 1542dc39b5e0ca72d4cd6cf54e59293938bdab84
Author: Florian Fainelli
Date: Thu Aug 24 15:56:29 2017 -0700

net: bcmgenet: Be drop monitor friendly

commit d4fec855905fa8bd5fb1c59f73ad2d74a944876a upstream.

There are 3 spots where we call dev_kfree_skb() but we are actually just doing a normal SKB consumption: __bcmgenet_tx_reclaim() for normal TX reclamation, bcmgenet_alloc_rx_buffers() during the initial RX ring setup and bcmgenet_free_rx_buffers() during RX ring cleanup.

Fixes: d6707bec5986 ("net: bcmgenet: rewrite bcmgenet_rx_refill()")
Fixes: f48bed16a756 ("net: bcmgenet: Free skb after last Tx frag")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 0d47b7347c76f16c856978839eb938a88d582489
Author: Florian Fainelli
Date: Thu Aug 24 15:20:41 2017 -0700

net: systemport: Be drop monitor friendly

commit c45182eb967af11e9482168be5be41aa22e5d321 upstream.
Utilize dev_consume_skb_any(cb->skb) in bcm_sysport_free_cb() which is used when a TX packet is completed, as well as when the RX ring is cleaned on shutdown. Neither of these two cases is a packet drop, so be drop monitor friendly.

Suggested-by: Eric Dumazet
Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 4466e838926df69266e3d2ee47a7b4c1a2f2a35f
Author: Chuck Lever
Date: Fri Aug 18 11:12:19 2017 -0400

nfsd: Limit end of page list when decoding NFSv4 WRITE

commit fc788f64f1f3eb31e87d4f53bcf1ab76590d5838 upstream.

When processing an NFSv4 WRITE operation, argp->end should never point past the end of the data in the final page of the page list. Otherwise, nfsd4_decode_compound can walk into uninitialized memory.

More critical, nfsd4_decode_write is failing to increment argp->pagelen when it increments argp->pagelist. This can cause later xdr decoders to assume more data is available than really is, which can cause server crashes on malformed requests.

Signed-off-by: Chuck Lever
Signed-off-by: J. Bruce Fields
Signed-off-by: Ben Hutchings

commit 8a79247136fbdce4ac20dc73e2362f6225049159
Author: Arnd Bergmann
Date: Wed Aug 23 15:59:49 2017 +0200

qlge: avoid memcpy buffer overflow

commit e58f95831e7468d25eb6e41f234842ecfe6f014f upstream.

gcc-8.0.0 (snapshot) points out that we copy a variable-length string into a fixed length field using memcpy() with the destination length, and that ends up copying whatever follows the string:

inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
  memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);

Changing it to use strncpy() will instead zero-pad the destination, which seems to be the right thing to do here.
The bug is probably harmless, but it seems like a good idea to address it in stable kernels as well, if only for the purpose of building with gcc-8 without warnings.

Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
Signed-off-by: Arnd Bergmann
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 718554be5c541ce8ef5bdb6fa34c0574fcbe5039
Author: Steven Rostedt (VMware)
Date: Wed Aug 23 12:46:27 2017 -0400

tracing: Fix freeing of filter in create_filter() when set_str is false

commit 8b0db1a5bdfcee0dbfa89607672598ae203c9045 upstream.

Performing the following task with kmemleak enabled:

 # cd /sys/kernel/tracing/events/irq/irq_handler_entry/
 # echo 'enable_event:kmem:kmalloc:3 if irq >' > trigger
 # echo 'enable_event:kmem:kmalloc:3 if irq > 31' > trigger
 # echo scan > /sys/kernel/debug/kmemleak
 # cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff8800b9290308 (size 32):
  comm "bash", pid 1114, jiffies 4294848451 (age 141.139s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [] kmemleak_alloc+0x4a/0xa0
    [] kmem_cache_alloc_trace+0x158/0x290
    [] create_filter_start.constprop.28+0x99/0x940
    [] create_filter+0xa9/0x160
    [] create_event_filter+0xc/0x10
    [] set_trigger_filter+0xe5/0x210
    [] event_enable_trigger_func+0x324/0x490
    [] event_trigger_write+0x1a2/0x260
    [] __vfs_write+0xd7/0x380
    [] vfs_write+0x101/0x260
    [] SyS_write+0xab/0x130
    [] entry_SYSCALL_64_fastpath+0x1f/0xbe
    [] 0xffffffffffffffff

The function create_filter() is passed a 'filterp' pointer that gets allocated, and if "set_str" is true, it is up to the caller to free it, even on error. The problem is that the pointer is not freed by create_filter() when set_str is false. This is a bug, and it is not up to the caller to free the filter on error if it doesn't care about the string.
Link: http://lkml.kernel.org/r/1502705898-27571-2-git-send-email-chuhu@redhat.com
Fixes: 38b78eb85 ("tracing: Factorize filter creation")
Reported-by: Chunyu Hu
Tested-by: Chunyu Hu
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Ben Hutchings

commit f519fdfd341728f59483c58f4b76a8524fdadbdb
Author: Ronnie Sahlberg
Date: Wed Aug 23 14:48:14 2017 +1000

cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()

commit d3edede29f74d335f81d95a4588f5f136a9f7dcf upstream.

Add checking for the path component length and verify it is <= the maximum that the server advertises via FileFsAttributeInformation.

With this patch cifs.ko will now return ENAMETOOLONG instead of ENOENT when users try to access an overlong path.

To test this, try to cd into a (non-existing) directory on a CIFS share that has a too long name:

cd /mnt/aaaaaaaaaaaaaaa...

and it now should show a good error message from the shell:

bash: cd: /mnt/aaaaaaaaaaaaaaaa...aaaaaa: File name too long

rh bz 1153996

Signed-off-by: Ronnie Sahlberg
Signed-off-by: Steve French
Signed-off-by: Ben Hutchings

commit 6e0385bc72b316e24d7a1b59db48a285441289e5
Author: Sachin Prabhu
Date: Thu Aug 3 13:09:03 2017 +0530

cifs: Fix df output for users with quota limits

commit 42bec214d8bd432be6d32a1acb0a9079ecd4d142 upstream.

The df for a SMB2 share triggers a GetInfo call for FS_FULL_SIZE_INFORMATION. The values returned are used to populate struct statfs.

The problem is that none of the information returned by the call contains the total blocks available on the filesystem. Instead we use the blocks available to the user ie. quota limitation when filling out statfs.f_blocks. The information returned does contain Actual free units on the filesystem and is used to populate statfs.f_bfree.
For users with quota enabled, it can lead to situations where the total free space reported is more than the total blocks on the system ending up with df reports like the following

 # df -h /mnt/a
Filesystem         Size  Used Avail Use% Mounted on
//192.168.22.10/a  2.5G -2.3G  2.5G    - /mnt/a

To fix this problem, we instead populate both statfs.f_bfree with the same value as statfs.f_bavail ie. CallerAvailableAllocationUnits. This is similar to what is done already in the code for cifs and df now reports the quota information for the user used to mount the share.

 # df --si /mnt/a
Filesystem         Size  Used Avail Use% Mounted on
//192.168.22.10/a  2.7G  101M  2.6G   4% /mnt/a

Signed-off-by: Sachin Prabhu
Signed-off-by: Pierguido Lambri
Signed-off-by: Steve French
Signed-off-by: Ben Hutchings

commit bfb1cb9813d01616fbe789d36c13fba51c655276
Author: Takashi Iwai
Date: Wed Aug 23 09:30:17 2017 +0200

ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)

commit bbba6f9d3da357bbabc6fda81e99ff5584500e76 upstream.

Lenovo G50-70 (17aa:3978) with Conexant codec chip requires the similar workaround for the inverted stereo dmic like other Lenovo models.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1020657
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings

commit db33dd10ea6ea6805df397b1b188beefbf988381
Author: Stefano Brivio
Date: Fri Aug 18 14:40:53 2017 +0200

ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()

commit 3de33e1ba0506723ab25734e098cf280ecc34756 upstream.

A packet length of exactly IPV6_MAXPLEN is allowed, we should refuse parsing options only if the size is 64KiB or more.

While at it, remove one extra variable and one assignment which were also introduced by the commit that introduced the size check. Checking the sum 'offset + len' and only later adding 'len' to 'offset' doesn't provide any advantage over directly summing to 'offset' and checking it.
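The bounded extension-header walk that this ip6_find_1stfragopt() change describes, written out below as an added user-space model; it is not the kernel's code and not part of the commit message. It sums each header length straight into offset and refuses the packet only once offset exceeds IPV6_MAXPLEN, and it also stops when the chain runs off the end of the buffer. The NEXTHDR_* values are the standard IPv6 ones; ERR_INVAL stands in for -EINVAL, and build_chain, the scenario_* functions and their packets are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Field values as in the IPv6 RFCs and the Linux uapi headers. */
#define IPV6_HDRLEN     40u
#define IPV6_MAXPLEN    65535u
#define NEXTHDR_HOP     0
#define NEXTHDR_ROUTING 43
#define NEXTHDR_DEST    60
#define NEXTHDR_TCP     6
#define ERR_INVAL       (-22)          /* stands in for -EINVAL */

/* Generic extension header length: (hdrlen + 1) * 8 bytes. */
static size_t ipv6_optlen(const uint8_t *exthdr)
{
    return ((size_t)exthdr[1] + 1) << 3;
}

/* Offset from the start of the IPv6 header where a Fragment header would go:
 * past hop-by-hop / routing / dest-opts headers, except that dest-opts after a
 * routing header is the insertion point itself. ERR_INVAL if the chain leaves
 * the buffer or the offset reaches 64 KiB: sum into offset and reject only if
 * it exceeds IPV6_MAXPLEN, so an offset of exactly 65535 is still accepted. */
static int find_1stfragopt(const uint8_t *pkt, size_t pkt_len)
{
    size_t offset = IPV6_HDRLEN;
    int found_rhdr = 0;
    uint8_t nexthdr;

    if (pkt_len < IPV6_HDRLEN)
        return ERR_INVAL;
    nexthdr = pkt[6];                   /* Next Header of the base header */
    /* Only the two fixed bytes (nexthdr, hdrlen) of each header are read,
     * so checking that those two lie inside the buffer is sufficient. */
    while (offset + 2 <= pkt_len) {
        const uint8_t *exthdr = pkt + offset;
        switch (nexthdr) {
        case NEXTHDR_HOP:
        case NEXTHDR_ROUTING:
        case NEXTHDR_DEST:
            if (nexthdr == NEXTHDR_ROUTING)
                found_rhdr = 1;
            if (nexthdr == NEXTHDR_DEST && found_rhdr)
                return (int)offset;
            offset += ipv6_optlen(exthdr);
            if (offset > IPV6_MAXPLEN)
                return ERR_INVAL;
            nexthdr = exthdr[0];
            break;
        default:
            return (int)offset;         /* first non-option header */
        }
    }
    return ERR_INVAL;                   /* chain truncated by the buffer */
}

/* Constructed packet: base header, n extension headers of the given types and
 * hdrlen values (the last pointing at TCP), then a 20-byte dummy TCP header.
 * Returns the packet length written into g_pkt. */
static uint8_t g_pkt[IPV6_HDRLEN + 32 * 2048 + 20];

static size_t build_chain(const uint8_t *types, const uint8_t *hdrlens, size_t n)
{
    size_t off = IPV6_HDRLEN, i;
    memset(g_pkt, 0, sizeof g_pkt);
    g_pkt[0] = 0x60;                    /* version 6; payload length unused */
    g_pkt[6] = n ? types[0] : NEXTHDR_TCP;
    for (i = 0; i < n; i++) {
        g_pkt[off] = (i + 1 < n) ? types[i + 1] : NEXTHDR_TCP;
        g_pkt[off + 1] = hdrlens[i];
        off += ipv6_optlen(g_pkt + off);
    }
    return off + 20;
}

/* HBH (16 bytes) -> Routing (8) -> DestOpts (8) -> TCP: the answer is 64. */
static int scenario_routing_then_dest(void)
{
    static const uint8_t types[] = { NEXTHDR_HOP, NEXTHDR_ROUTING, NEXTHDR_DEST };
    static const uint8_t hdrlens[] = { 1, 0, 0 };
    return find_1stfragopt(g_pkt, build_chain(types, hdrlens, 3));
}

/* Maximal (2048-byte) hop-by-hop headers totalling ext_bytes (multiple of 8, at
 * most 65536): 65488 gives offset 65528, 65496 reaches 65536 and is refused. */
static int scenario_hbh_chain(size_t ext_bytes)
{
    uint8_t types[32], hdrlens[32];
    size_t n;
    for (n = 0; ext_bytes > 0 && n < 32; n++) {
        types[n] = NEXTHDR_HOP;
        hdrlens[n] = ext_bytes > 2048 ? 255 : (uint8_t)(ext_bytes / 8 - 1);
        ext_bytes -= ((size_t)hdrlens[n] + 1) << 3;
    }
    return find_1stfragopt(g_pkt, build_chain(types, hdrlens, n));
}

/* Base header announcing a hop-by-hop header that is not in the buffer. */
static int scenario_truncated(void)
{
    uint8_t t[IPV6_HDRLEN] = { 0x60 };
    t[6] = NEXTHDR_HOP;
    return find_1stfragopt(t, sizeof t);
}
```

The scenario_* functions return the computed insertion offset (64 and 65528 for the first two inputs) or ERR_INVAL for the 65536-byte chain and the truncated packet.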
Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
Signed-off-by: Stefano Brivio
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit bf92188bedad0787cf810cb7427864543d7f7f6c
Author: Mark Rutland
Date: Tue Jul 11 15:19:22 2017 +0100

arm64: mm: abort uaccess retries upon fatal signal

commit 289d07a2dc6c6b6f3e4b8a62669320d99dbe6c3d upstream.

When there's a fatal signal pending, arm64's do_page_fault() implementation returns 0. The intent is that we'll return to the faulting userspace instruction, delivering the signal on the way.

However, if we take a fatal signal during fixing up a uaccess, this results in a return to the faulting kernel instruction, which will be instantly retried, resulting in the same fault being taken forever. As the task never reaches userspace, the signal is not delivered, and the task is left unkillable. While the task is stuck in this state, it can inhibit the forward progress of the system.

To avoid this, we must ensure that when a fatal signal is pending, we apply any necessary fixup for a faulting kernel instruction. Thus we will return to an error path, and it is up to that code to make forward progress towards delivering the fatal signal.

Cc: Catalin Marinas
Cc: Laura Abbott
Reviewed-by: Steve Capper
Tested-by: Steve Capper
Reviewed-by: James Morse
Tested-by: James Morse
Signed-off-by: Mark Rutland
Signed-off-by: Will Deacon
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit d1494b93409c5b43931354fba5adbd29bec934fe
Author: Dave Martin
Date: Fri Aug 18 16:57:01 2017 +0100

arm64: fpsimd: Prevent registers leaking across exec

commit 096622104e14d8a1db4860bd557717067a0515d2 upstream.

There are some tricky dependencies between the different stages of flushing the FPSIMD register state during exec, and these can race with context switch in ways that can cause the old task's regs to leak across.
In particular, a context switch during the memset() can cause some of the task's old FPSIMD registers to reappear.

Disabling preemption for this small window would be no big deal for performance: preemption is already disabled for similar scenarios like updating the FPSIMD registers in sigreturn.

So, instead of rearranging things in ways that might swap existing subtle bugs for new ones, this patch just disables preemption around the FPSIMD state flushing so that races of this type can't occur here. This brings fpsimd_flush_thread() into line with other code paths.

Fixes: 674c242c9323 ("arm64: flush FP/SIMD state correctly after execve()")
Reviewed-by: Ard Biesheuvel
Signed-off-by: Dave Martin
Signed-off-by: Will Deacon
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 599b7ea66b61f103f95ba7f67ac6c8ac098e7b32
Author: Takashi Iwai
Date: Tue Aug 22 08:15:13 2017 +0200

ALSA: core: Fix unexpected error at replacing user TLV

commit 88c54cdf61f508ebcf8da2d819f5dfc03e954d1d upstream.

When user tries to replace the user-defined control TLV, the kernel checks the change of its content via memcmp(). The problem is that the kernel passes the return value from memcmp() as is. memcmp() gives a non-zero negative value depending on the comparison result, and this shall be recognized as an error code.

The patch covers that corner-case, return 1 properly for the changed TLV.

Fixes: 8aa9b586e420 ("[ALSA] Control API - more robust TLV implementation")
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings

commit 75152c6491999fa856390d196a38f4d03c184682
Author: Chris Wilson
Date: Sat Aug 19 13:05:58 2017 +0100

drm: Release driver tracking before making the object available again

commit fe4600a548f2763dec91b3b27a1245c370ceee2a upstream.

This is the same bug as we fixed in commit f6cd7daecff5 ("drm: Release driver references to handle before making it available again"), but now the exposure is via the PRIME lookup tables.
If we remove the object/handle from the PRIME lut, then a new request for the same object/fd will generate a new handle, thus for a short window that object is known to userspace by two different handles. Fix this by releasing the driver tracking before PRIME.

Fixes: 0ff926c7d4f0 ("drm/prime: add exported buffers to current fprivs imported buffer list (v2)")
Signed-off-by: Chris Wilson
Cc: David Airlie
Cc: Daniel Vetter
Cc: Rob Clark
Cc: Ville Syrjälä
Cc: Thierry Reding
Reviewed-by: Daniel Vetter
Signed-off-by: Joonas Lahtinen
Link: https://patchwork.freedesktop.org/patch/msgid/20170819120558.6465-1-chris@chris-wilson.co.uk
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit ade0a88ae1b4543978264d24ff30a0315f3cc6a2
Author: Konstantin Khlebnikov
Date: Sat Aug 19 15:37:07 2017 +0300

net_sched: fix order of queue length updates in qdisc_replace()

commit 68a66d149a8c78ec6720f268597302883e48e9fa upstream.

It is important to call qdisc_tree_reduce_backlog() after changing queue length. Parent qdisc should deactivate class in ->qlen_notify() called from qdisc_tree_reduce_backlog() but this happens only if qdisc->q.qlen is zero.

Missed class deactivations lead to crashes/warnings at picking packets from empty qdisc and corrupting state at reactivating this class in future.

Signed-off-by: Konstantin Khlebnikov
Fixes: 86a7996cc8a0 ("net_sched: introduce qdisc_replace() helper")
Acked-by: Cong Wang
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 601385b7486aefb53ab8eb4de5966a98adbd50a5
Author: Dragos Bogdan
Date: Fri Aug 4 01:37:27 2017 +0300

iio: imu: adis16480: Fix acceleration scale factor for adis16480

commit fdd0d32eb95f135041236a6885d9006315aa9a1d upstream.

According to the datasheet, the range of the acceleration is [-10 g, + 10 g], so the scale factor should be 10 instead of 5.
Signed-off-by: Dragos Bogdan
Acked-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings

commit 1eeac6efe7339a3cefa4ee7a804344194b7ad85a
Author: Aaron Ma
Date: Fri Aug 18 12:17:21 2017 -0700

Input: trackpoint - add new trackpoint firmware ID

commit ec667683c532c93fb41e100e5d61a518971060e2 upstream.

Synaptics add new TP firmware ID: 0x2 and 0x3, for now both lower 2 bits are indicated as TP. Change the constant to bitwise values.

This makes the trackpoint recognized on Lenovo Carbon X1 Gen5 instead of it being identified as "PS/2 Generic Mouse".

Signed-off-by: Aaron Ma
Signed-off-by: Dmitry Torokhov
Signed-off-by: Ben Hutchings

commit db2e2ec108a0155ed2f9266dce28e6535c6744e8
Author: Wei Wang
Date: Wed Aug 16 11:18:09 2017 -0700

ipv6: reset fn->rr_ptr when replacing route

commit 383143f31d7d3525a1dbff733d52fff917f82f15 upstream.

syzcaller reported the following use-after-free issue in rt6_select():

BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr ffff8800bc6994e8
BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr ffff8800bc6994e8
Read of size 4 by task syz-executor1/439628
CPU: 0 PID: 439628 Comm: syz-executor1 Not tainted 4.3.5+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88018fe435b0 ffffffff81ca384d ffff8801d3588c00
 ffff8800bc699380 ffff8800bc699500 dffffc0000000000 ffff8801d40a47c0
 ffff88018fe435d8 ffffffff81735751 ffff88018fe43660 ffff8800bc699380
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
sctp: [Deprecated]: syz-executor0 (pid 439615) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
 [] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [] print_address_description mm/kasan/report.c:196 [inline]
 [] kasan_report_error+0x1b4/0x4a0 mm/kasan/report.c:285
 [] kasan_report mm/kasan/report.c:305 [inline]
 [] __asan_report_load4_noabort+0x43/0x50 mm/kasan/report.c:325
 [] rt6_select net/ipv6/route.c:755 [inline]
 [] ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084
 [] ip6_pol_route_output+0x81/0xb0 net/ipv6/route.c:1203
 [] fib6_rule_action+0x1f0/0x680 net/ipv6/fib6_rules.c:95
 [] fib_rules_lookup+0x2a6/0x7a0 net/core/fib_rules.c:223
 [] fib6_rule_lookup+0xd0/0x250 net/ipv6/fib6_rules.c:41
 [] ip6_route_output+0x1d6/0x2c0 net/ipv6/route.c:1224
 [] ip6_dst_lookup_tail+0x4d2/0x890 net/ipv6/ip6_output.c:943
 [] ip6_dst_lookup_flow+0x9a/0x250 net/ipv6/ip6_output.c:1079
 [] ip6_datagram_dst_update+0x538/0xd40 net/ipv6/datagram.c:91
 [] __ip6_datagram_connect net/ipv6/datagram.c:251 [inline]
 [] ip6_datagram_connect+0x518/0xe50 net/ipv6/datagram.c:272
 [] ip6_datagram_connect_v6_only+0x63/0x90 net/ipv6/datagram.c:284
 [] inet_dgram_connect+0x170/0x1f0 net/ipv4/af_inet.c:564
 [] SYSC_connect+0x1a7/0x2f0 net/socket.c:1582
 [] SyS_connect+0x29/0x30 net/socket.c:1563
 [] entry_SYSCALL_64_fastpath+0x12/0x17
Object at ffff8800bc699380, in cache ip6_dst_cache size: 384

The root cause of it is that in fib6_add_rt2node(), when it replaces an existing route with the new one, it does not update fn->rr_ptr. This commit resets fn->rr_ptr to NULL when it points to a route which is replaced in fib6_add_rt2node().

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Wei Wang
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 9b4d9ce2a4c079f0a5bb082b69e84a73261f032c
Author: Charles Milette
Date: Fri Aug 18 16:30:34 2017 -0400

staging: rtl8188eu: add RNX-N150NUB support

commit f299aec6ebd747298e35934cff7709c6b119ca52 upstream.

Add support for USB Device Rosewill RNX-N150NUB.
VendorID: 0x0bda, ProductID: 0xffef

Signed-off-by: Charles Milette
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 7bd0cdad74409e093556f200b788f45cdb2064ee
Author: zhong jiang
Date: Fri Aug 18 15:16:24 2017 -0700

mm/mempolicy: fix use after free when calling get_mempolicy

commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.

I hit a use after free issue when executing trinity and reproduced it with KASAN enabled. The related call trace is as follows.

BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
Read of size 2 by task syz-executor1/798
INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
 __slab_alloc+0x768/0x970
 kmem_cache_alloc+0x2e7/0x450
 mpol_new.part.2+0x74/0x160
 mpol_new+0x66/0x80
 SyS_mbind+0x267/0x9f0
 system_call_fastpath+0x16/0x1b
INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
 __slab_free+0x495/0x8e0
 kmem_cache_free+0x2f3/0x4c0
 __mpol_put+0x2b/0x40
 SyS_mbind+0x383/0x9f0
 system_call_fastpath+0x16/0x1b
INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600

Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb ........
Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
Memory state around the buggy address:
ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc

!shared memory policy is not protected against parallel removal by other threads which is normally protected by the mmap_sem. do_get_mempolicy, however, drops the lock midway while we can still access it later.
Early premature up_read is a historical artifact from times when put_user was called in this path see https://lwn.net/Articles/124754/ but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_* layering in the memory policy layer."). but when we have the current mempolicy ref count model. The issue was introduced accordingly.

Fix the issue by removing the premature release.

Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang
Acked-by: Michal Hocko
Cc: Minchan Kim
Cc: Vlastimil Babka
Cc: David Rientjes
Cc: Mel Gorman
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings

commit a59bf9f5d63f451a09b9f300269f0350a68bb98e
Author: Colin Ian King
Date: Fri Aug 18 14:12:06 2017 +0100

netxen: fix incorrect loop counter decrement

commit a120d9ab65354727559b9db75ded8071b7ef19e2 upstream.

The loop counter k is currently being decremented from zero which is incorrect. Fix this by incrementing k instead.

Detected by CoverityScan, CID#401847 ("Infinite loop")

Fixes: 83f18a557c6d ("netxen_nic: fw dump support")
Signed-off-by: Colin Ian King
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 4ca5fab7674eab8511029b0b6cf5b8832fe12b95
Author: Takashi Iwai
Date: Wed Aug 16 14:18:37 2017 +0200

ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices

commit 0f174b3525a43bd51f9397394763925e0ebe7bc7 upstream.

C-Media devices (at least some models) mute the playback stream when volumes are set to the minimum value. But this isn't informed via TLV and the user-space, typically PulseAudio, gets confused as if it's still played in a low volume.

This patch adds the new flag, min_mute, to struct usb_mixer_elem_info for indicating that the mixer element is with the minimum-mute volume. This flag is set for known C-Media devices in snd_usb_mixer_fu_apply_quirk() in turn.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196669
Signed-off-by: Takashi Iwai
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 36284647e2096b8bcc238772b644151967a5189b
Author: Thomas Bogendoerfer
Date: Sat Aug 12 23:36:47 2017 +0200

parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo

commit 4098116039911e8870d84c975e2ec22dab65a909 upstream.

For 64bit kernels the lmmio_space_offset of the host bridge window isn't set correctly on systems with dino/cujo PCI host bridges. This leads to not assigned memory bars and failing drivers, which need to use these bars.

Signed-off-by: Thomas Bogendoerfer
Acked-by: Helge Deller
Signed-off-by: Helge Deller
Signed-off-by: Ben Hutchings

commit bdfa92ae225700b121b9b90be1fa29793cb44f2f
Author: Konstantin Khlebnikov
Date: Tue Aug 15 16:37:04 2017 +0300

net_sched/sfq: update hierarchical backlog when drop packet

commit 325d5dc3f7e7c2840b65e4a2988c082c2c0025c5 upstream.

When sfq_enqueue() drops the head packet or a packet from another queue it has to update the backlog at upper qdiscs too.

Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Signed-off-by: Konstantin Khlebnikov
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 3c3d78ba8d6a7deda74c51cca717d5b5fb95ce20
Author: Eric Dumazet
Date: Tue Aug 15 05:26:17 2017 -0700

ipv4: fix NULL dereference in free_fib_info_rcu()

commit 187e5b3ac84d3421d2de3aca949b2791fbcad554 upstream.

If fi->fib_metrics could not be allocated in fib_create_info() we attempt to dereference a NULL pointer in free_fib_info_rcu() :

m = fi->fib_metrics;
if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
kfree(m);

Before my recent patch, we used to call kfree(NULL) and nothing wrong happened.

Instead of using RCU to defer freeing while we are under memory stress, it seems better to take immediate action.

This was reported by syzkaller team.
Fixes: 3fb07daff8e9 ("ipv4: add reference counting to metrics") Signed-off-by: Eric Dumazet Reported-by: Dmitry Vyukov Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 593d4b8f764c3cca8db64d1d4449ae7cce7ae64a Author: Eric Dumazet Date: Thu May 25 14:27:35 2017 -0700 ipv4: add reference counting to metrics commit 3fb07daff8e99243366a081e5129560734de4ada upstream. Andrey Konovalov reported crashes in ipv4_mtu() I could reproduce the issue with KASAN kernels, between 10.246.7.151 and 10.246.7.152 : 1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 & 2) At the same time run following loop : while : do ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500 ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500 done Cong Wang attempted to add back rt->fi in commit 82486aa6f1b9 ("ipv4: restore rt->fi for reference counting") but this proved to add some issues that were complex to solve. Instead, I suggested to add a refcount to the metrics themselves, being a standalone object (in particular, no reference to other objects) I tried to make this patch as small as possible to ease its backport, instead of being super clean. Note that we believe that only ipv4 dst need to take care of the metric refcount. But if this is wrong, this patch adds the basic infrastructure to extend this to other families. Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang for his efforts on this problem. Fixes: 2860583fe840 ("ipv4: Kill rt->fi") Signed-off-by: Eric Dumazet Reported-by: Andrey Konovalov Reviewed-by: Julian Anastasov Acked-by: Cong Wang Signed-off-by: David S. 
Miller [bwh: Backported to 3.16: - Give DST_METRICS_REFCOUNTED a value of 4 and struct dst_metrics an alignment of 8 - Update dst_metrics cache size - Adjust context] Signed-off-by: Ben Hutchings commit 6ddcce5b29278618ae2fb08058e48568aba0cd19 Author: Ben Hutchings Date: Sun Nov 5 13:36:18 2017 +0000 dst: Increase alignment of metrics to allow extra flag on pointers For the backport of "ipv4: add reference counting to metrics", we will need a third flag on metrics pointers. This was not needed upstream as the DST_METRICS_FORCE_OVERWRITE flag has been eliminated there. In order to use three flag bits we need to increase the alignment of metrics from 4 to 8 bytes. Signed-off-by: Ben Hutchings commit 9301343bc8d20d23c951dad6495b334ea797b5be Author: Jan Kara Date: Tue Aug 15 13:00:36 2017 +0200 audit: Fix use after free in audit_remove_watch_rule() commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream. audit_remove_watch_rule() drops watch's reference to parent but then continues to work with it. That is not safe as parent can get freed once we drop our reference. The following is a trivial reproducer: mount -o loop image /mnt touch /mnt/file auditctl -w /mnt/file -p wax umount /mnt auditctl -D Grab our own reference in audit_remove_watch_rule() earlier to make sure mark does not get freed under us. Reported-by: Tony Jones Signed-off-by: Jan Kara Tested-by: Tony Jones Signed-off-by: Paul Moore Signed-off-by: Ben Hutchings commit 6bc75b150488993ba0957ed6a4bceed93d57ce69 Author: Eric Dumazet Date: Mon Aug 14 10:16:45 2017 -0700 af_key: do not use GFP_KERNEL in atomic contexts commit 36f41f8fc6d8aa9f8c9072d66ff7cf9055f5e69b upstream. pfkey_broadcast() might be called from non process contexts, we can not use GFP_KERNEL in these cases [1]. This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock() section. 
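Editor's added example for the two metrics commits above (the 3.16 backport of "ipv4: add reference counting to metrics" and "dst: Increase alignment of metrics to allow extra flag on pointers"); it is not part of any commit in this log and not kernel code. It shows why a third flag bit on the metrics pointer forces 8-byte alignment: the flags live in the low bits of the pointer, and DST_METRICS_REFCOUNTED = 4 collides with bit 2 of a merely 4-byte-aligned address. The struct layout, the helper names and the values of the two pre-existing flags are assumptions made for the illustration.

```c
/*
 * Added example, not kernel code: how flag bits ride in the low bits of the
 * dst metrics pointer, and why the 3.16 backport had to raise the alignment of
 * struct dst_metrics from 4 to 8 once a third flag (DST_METRICS_REFCOUNTED = 4)
 * joined DST_METRICS_READ_ONLY and DST_METRICS_FORCE_OVERWRITE.
 * Struct layout, helper names and the two older flag values are assumptions.
 */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define DST_METRICS_READ_ONLY       0x1UL
#define DST_METRICS_FORCE_OVERWRITE 0x2UL
#define DST_METRICS_REFCOUNTED      0x4UL   /* value chosen by the backport */
#define DST_METRICS_FLAGS           0x7UL   /* all three tag bits */

/* 8-byte alignment guarantees the three low address bits are zero. */
struct dst_metrics {
	uint32_t metrics[4];
	int refcnt;
} __attribute__((aligned(8)));

/* Same fields without the alignment bump: sizeof() is 20, so consecutive
 * array elements alternate between addresses that are 0 and 4 modulo 8. */
struct dst_metrics_4aligned {
	uint32_t metrics[4];
	int refcnt;
};

static unsigned long metrics_encode(struct dst_metrics *m, unsigned long flags)
{
	/* A pointer with any tag bit already set cannot carry flags safely. */
	assert(((uintptr_t)m & DST_METRICS_FLAGS) == 0);
	return (unsigned long)(uintptr_t)m | (flags & DST_METRICS_FLAGS);
}

static struct dst_metrics *metrics_ptr(unsigned long tagged)
{
	return (struct dst_metrics *)(uintptr_t)(tagged & ~DST_METRICS_FLAGS);
}

static unsigned long metrics_flags(unsigned long tagged)
{
	return tagged & DST_METRICS_FLAGS;
}

/* Every combination of the three flags must survive encode/decode. Returns 1 on success. */
int metrics_roundtrip_ok(void)
{
	static struct dst_metrics m;
	unsigned long flags;

	for (flags = 0; flags <= DST_METRICS_FLAGS; flags++) {
		unsigned long v = metrics_encode(&m, flags);

		if (metrics_ptr(v) != &m || metrics_flags(v) != flags)
			return 0;
	}
	return 1;
}

/* With aligned(8), no object address ever has a tag bit set. Returns 1 if so. */
int aligned_pool_tag_bits_clear(void)
{
	static struct dst_metrics pool[4];
	int i;

	for (i = 0; i < 4; i++)
		if (((uintptr_t)&pool[i] & DST_METRICS_FLAGS) != 0)
			return 0;
	return 1;
}

/* With only 4-byte alignment, one of any two consecutive objects sits at an
 * address with bit 2 set, indistinguishable from DST_METRICS_REFCOUNTED.
 * Returns 1 when that collision is present. */
int unaligned_pool_collides(void)
{
	static struct dst_metrics_4aligned pool[2];
	uintptr_t a = (uintptr_t)&pool[0], b = (uintptr_t)&pool[1];

	return ((a | b) & DST_METRICS_REFCOUNTED) != 0;
}

int main(void)
{
	printf("roundtrip ok: %d\n", metrics_roundtrip_ok());
	printf("aligned(8) pool tag bits clear: %d\n", aligned_pool_tag_bits_clear());
	printf("4-byte aligned pool collides with REFCOUNTED: %d\n", unaligned_pool_collides());
	return 0;
}
```

The assert in metrics_encode is the check a practitioner wants whenever flags are packed into a pointer: any allocator or static placement that does not honour the alignment silently corrupts the flag word, which is exactly the failure the alignment bump prevents.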
[1] : syzkaller reported : in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439 3 locks held by syzkaller183439/2932: #0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649 #1: (&pfk->dump_lock){+.+.+.}, at: [] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293 #2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [] spin_lock_bh include/linux/spinlock.h:304 [inline] #2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028 CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994 __might_sleep+0x95/0x190 kernel/sched/core.c:5947 slab_pre_alloc_hook mm/slab.h:416 [inline] slab_alloc mm/slab.c:3383 [inline] kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559 skb_clone+0x1a0/0x400 net/core/skbuff.c:1037 pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207 pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281 dump_sp+0x3d6/0x500 net/key/af_key.c:2685 xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042 pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695 pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299 pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722 pfkey_process+0x606/0x710 net/key/af_key.c:2814 pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 ___sys_sendmsg+0x755/0x890 net/socket.c:2035 __sys_sendmsg+0xe5/0x210 net/socket.c:2069 SYSC_sendmsg net/socket.c:2080 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2076 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x445d79 RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79 RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 
0000000000000008 RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700 R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000 Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key") Signed-off-by: Eric Dumazet Reported-by: Dmitry Vyukov Cc: David Ahern Acked-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 941579201ed272223f69b1ef954e14e859b109cb Author: Omar Sandoval Date: Fri Aug 11 09:00:06 2017 -0700 xfs: fix inobt inode allocation search optimization commit c44245b3d5435f533ca8346ece65918f84c057f9 upstream. When we try to allocate a free inode by searching the inobt, we try to find the inode nearest the parent inode by searching chunks both left and right of the chunk containing the parent. As an optimization, we cache the leftmost and rightmost records that we previously searched; if we do another allocation with the same parent inode, we'll pick up the search where it last left off. There's a bug in the case where we found a free inode to the left of the parent's chunk: we need to update the cached left and right records, but because we already reassigned the right record to point to the left, we end up assigning the left record to both the cached left and right records. This isn't a correctness problem strictly, but it can result in the next allocation rechecking chunks unnecessarily or allocating inodes further away from the parent than it needs to. Fix it by swapping the record pointer after we update the cached left and right records. Fixes: bd169565993b ("xfs: speed up free inode search") Signed-off-by: Omar Sandoval Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. 
Wong [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings commit 7b590b41334c3bdaff71038b46a2ed81731573af Author: Nadav Amit Date: Thu Aug 10 15:23:56 2017 -0700 mm: migrate: prevent racy access to tlb_flush_pending commit 16af97dc5a8975371a83d9e30a64038b48f40a2d upstream. Patch series "fixes of TLB batching races", v6. It turns out that Linux TLB batching mechanism suffers from various races. Races that are caused due to batching during reclamation were recently handled by Mel and this patch-set deals with others. The more fundamental issue is that concurrent updates of the page-tables allow for TLB flushes to be batched on one core, while another core changes the page-tables. This other core may assume a PTE change does not require a flush based on the updated PTE value, while it is unaware that TLB flushes are still pending. This behavior affects KSM (which may result in memory corruption) and MADV_FREE and MADV_DONTNEED (which may result in incorrect behavior). A proof-of-concept can easily produce the wrong behavior of MADV_DONTNEED. Memory corruption in KSM is harder to produce in practice, but was observed by hacking the kernel and adding a delay before flushing and replacing the KSM page. Finally, there is also one memory barrier missing, which may affect architectures with weak memory model. This patch (of 7): Setting and clearing mm->tlb_flush_pending can be performed by multiple threads, since mmap_sem may only be acquired for read in task_numa_work(). If this happens, tlb_flush_pending might be cleared while one of the threads still changes PTEs and batches TLB flushes. This can lead to the same race between migration and change_protection_range() that led to the introduction of tlb_flush_pending. The result of this race was data corruption, which means that this patch also addresses a theoretically possible data corruption. 
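Editor's added example for the tlb_flush_pending commit above; it is not part of the commit and not kernel code. It replays the interleaving the message describes against two implementations of the flag: a plain bool that is set and cleared by each batcher (the pre-fix state), and a counter that each batcher increments on entry and decrements on exit (my reading of the upstream change). The trace, the helper names and the reduced mm structures are assumptions for the illustration.

```c
/*
 * Added example, not kernel code: a scripted-interleaving model of the
 * tlb_flush_pending race. With a bool, the first batcher to finish clears the
 * flag for everyone; with a counter the flag only reads "clear" once every
 * batcher has finished. Helper names and the trace are assumptions.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct mm_bool { bool tlb_flush_pending; };
struct mm_ctr  { atomic_int tlb_flush_pending; };

/* Old model: plain flag. */
static void set_tlb_flush_pending(struct mm_bool *mm)     { mm->tlb_flush_pending = true; }
static void clear_tlb_flush_pending(struct mm_bool *mm)   { mm->tlb_flush_pending = false; }
static bool mm_tlb_flush_pending_bool(struct mm_bool *mm) { return mm->tlb_flush_pending; }

/* New model: counter of threads currently batching PTE changes. */
static void inc_tlb_flush_pending(struct mm_ctr *mm)     { atomic_fetch_add(&mm->tlb_flush_pending, 1); }
static void dec_tlb_flush_pending(struct mm_ctr *mm)     { atomic_fetch_sub(&mm->tlb_flush_pending, 1); }
static bool mm_tlb_flush_pending_ctr(struct mm_ctr *mm)  { return atomic_load(&mm->tlb_flush_pending) > 0; }

enum op { BATCH_START, BATCH_END, MIGRATE_CHECK };
struct ev { int tid; enum op op; };

/*
 * Replays one interleaving against the chosen implementation and returns how
 * many MIGRATE_CHECKs observed "no flush pending" while some thread was still
 * between BATCH_START and BATCH_END, i.e. how often migration would have
 * skipped a flush it needed.
 */
int missed_flushes(const struct ev *trace, size_t n, bool use_counter)
{
	struct mm_bool mb = { false };
	struct mm_ctr mc;
	int active = 0, missed = 0;
	size_t i;

	atomic_init(&mc.tlb_flush_pending, 0);
	for (i = 0; i < n; i++) {
		switch (trace[i].op) {
		case BATCH_START:
			active++;
			if (use_counter) inc_tlb_flush_pending(&mc); else set_tlb_flush_pending(&mb);
			break;
		case BATCH_END:
			active--;
			if (use_counter) dec_tlb_flush_pending(&mc); else clear_tlb_flush_pending(&mb);
			break;
		case MIGRATE_CHECK: {
			bool seen = use_counter ? mm_tlb_flush_pending_ctr(&mc)
						: mm_tlb_flush_pending_bool(&mb);
			if (active > 0 && !seen)
				missed++;
			break;
		}
		}
	}
	return missed;
}

/* Constructed trace of the interleaving the commit describes: two threads in
 * change_protection_range() (mmap_sem held for read by both), thread 0 finishes
 * while thread 1 is still batching, then migration on a third thread checks. */
static const struct ev race_trace[] = {
	{ 0, BATCH_START }, { 1, BATCH_START }, { 0, BATCH_END },
	{ 2, MIGRATE_CHECK }, { 1, BATCH_END }, { 2, MIGRATE_CHECK },
};
#define RACE_TRACE_LEN (sizeof race_trace / sizeof race_trace[0])

int missed_with_bool(void)    { return missed_flushes(race_trace, RACE_TRACE_LEN, false); }
int missed_with_counter(void) { return missed_flushes(race_trace, RACE_TRACE_LEN, true); }

int main(void)
{
	printf("bool flag: %d missed flush(es)\n", missed_with_bool());
	printf("counter:   %d missed flush(es)\n", missed_with_counter());
	return 0;
}
```

The replay is deterministic on purpose: the real race needs the artificial latency and sysctl tuning the commit mentions to reproduce, whereas a scripted trace makes the window visible on every run and can be extended with more interleavings.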
An actual data corruption was not observed, yet the race was confirmed by adding an assertion to check tlb_flush_pending is not set by two threads, adding artificial latency in change_protection_range() and using sysctl to reduce kernel.numa_balancing_scan_delay_ms.

Link: http://lkml.kernel.org/r/20170802000818.4760-2-namit@vmware.com
Fixes: 20841405940e ("mm: fix TLB flush race between migration, and change_protection_range")
Signed-off-by: Nadav Amit
Acked-by: Mel Gorman
Acked-by: Rik van Riel
Acked-by: Minchan Kim
Cc: Andy Lutomirski
Cc: Hugh Dickins
Cc: "David S. Miller"
Cc: Andrea Arcangeli
Cc: Heiko Carstens
Cc: Ingo Molnar
Cc: Jeff Dike
Cc: Martin Schwidefsky
Cc: Mel Gorman
Cc: Russell King
Cc: Sergey Senozhatsky
Cc: Tony Luck
Cc: Yoshinori Sato
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16:
- Drop change to dump_mm()
- Adjust context]
Signed-off-by: Ben Hutchings

commit 61ff439853d2e1c72c97325e6045cd0fb9b62fb9
Author: Kai-Heng Feng
Date: Tue Aug 8 17:51:27 2017 +0800

usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter

commit 7496cfe5431f21da5d27a8388c326397e3f0a5db upstream.

Moshi USB to Ethernet Adapter internally uses a Genesys Logic hub to connect to Realtek r8153. The Realtek r8153 ethernet does not work on the internal hub, no-lpm quirk can make it work.

Since another r8153 dongle at my hand does not have the issue, so add the quirk to the Genesys Logic hub instead.

Signed-off-by: Kai-Heng Feng
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 5a3434cddddc31617e02a75d5dfe7c9ca6b9442a
Author: Alan Stern
Date: Tue Aug 1 10:41:56 2017 -0400

USB: Check for dropped connection before switching to full speed

commit 94c43b9897abf4ea366ed4dba027494e080c7050 upstream.

Some buggy USB disk adapters disconnect and reconnect multiple times during the enumeration procedure.
This may lead to a device connecting at full speed instead of high speed, because when the USB stack sees that a device isn't able to enumerate at high speed, it tries to hand the connection over to a full-speed companion controller. The logic for doing this is careful to check that the device is still connected. But this check is inadequate if the device disconnects and reconnects before the check is done. The symptom is that a device works, but much more slowly than it is capable of operating. The situation was made worse recently by commit 22547c4cc4fe ("usb: hub: Wait for connection to be reestablished after port reset"), which increases the delay following a reset before a disconnect is recognized, thus giving the device more time to reconnect. This patch makes the check more robust. If the device was disconnected at any time during enumeration, we will now skip the full-speed handover. Signed-off-by: Alan Stern Reported-and-tested-by: Zdenek Kabelac Reviewed-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 4f5914bb59d3ca5d88fcdb401559f0ab69a4fc48 Author: Sandeep Singh Date: Fri Aug 4 16:35:56 2017 +0530 usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume commit e788787ef4f9c24aafefc480a8da5f92b914e5e6 upstream. Certain HP keyboards would keep inputting a character automatically which is the wake-up key after S3 resume On some AMD platforms USB host fails to respond (by holding resume-K) to USB device (an HP keyboard) resume request within 1ms (TURSM) and ensures that resume is signaled for at least 20 ms (TDRSMDN), which is defined in USB 2.0 spec. The result is that the keyboard is out of function. In SNPS USB design, the host responds to the resume request only after system gets back to S0 and the host gets to functional after the internal HW restore operation that is more than 1 second after the initial resume request from the USB device. 
As a workaround for specific keyboard ID(HP Keyboards), applying port reset after resume when the keyboard is plugged in. Signed-off-by: Sandeep Singh Signed-off-by: Shyam Sundar S K cc: Nehal Shah Reviewed-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 7a73be81963c1a9fbaab38a05f9b4dd035819af6 Author: Andy Lutomirski Date: Mon Aug 7 19:43:13 2017 -0700 x86/asm/64: Clear AC on NMI entries commit e93c17301ac55321fc18e0f8316e924e58a83c8c upstream. This closes a hole in our SMAP implementation. This patch comes from grsecurity. Good catch! Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/314cc9f294e8f14ed85485727556ad4f15bb1659.1502159503.git.luto@kernel.org Signed-off-by: Ingo Molnar [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings commit f504b65b31a8a24c20d051c5bfbfe8128aa43491 Author: megha.dey@linux.intel.com Date: Wed Aug 2 13:49:09 2017 -0700 crypto: x86/sha1 - Fix reads beyond the number of blocks passed commit 8861249c740fc4af9ddc5aee321eafefb960d7c6 upstream. It was reported that the sha1 AVX2 function(sha1_transform_avx2) is reading ahead beyond its intended data, and causing a crash if the next block is beyond page boundary: http://marc.info/?l=linux-crypto-vger&m=149373371023377 This patch makes sure that there is no overflow for any buffer length. 
It passes the tests written by Jan Stancek that revealed this problem: https://github.com/jstancek/sha1-avx2-crash

I have re-enabled sha1-avx2 by reverting commit b82ce24426a4071da9529d726057e4e642948667

Fixes: b82ce24426a4 ("crypto: sha1-ssse3 - Disable avx2")
Originally-by: Ilya Albrekht
Tested-by: Jan Stancek
Signed-off-by: Megha Dey
Reported-by: Jan Stancek
Signed-off-by: Herbert Xu
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit a2308d6b0021dd405026c657d3dea333ea0e281a
Author: Willem de Bruijn
Date: Tue Aug 8 14:22:55 2017 -0400

net: avoid skb_warn_bad_offload false positives on UFO

commit 8d63bee643f1fb53e472f0e135cae4eb99d62d19 upstream.

skb_warn_bad_offload triggers a warning when an skb enters the GSO stack at __skb_gso_segment that does not have CHECKSUM_PARTIAL checksum offload set.

Commit b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise") observed that SKB_GSO_DODGY producers can trigger the check and that passing those packets through the GSO handlers will fix it up. But, the software UFO handler will set ip_summed to CHECKSUM_NONE.

When __skb_gso_segment is called from the receive path, this triggers the warning again.

Make UFO set CHECKSUM_UNNECESSARY instead of CHECKSUM_NONE. On Tx these two are equivalent. On Rx, this better matches the skb state (checksum computed), as CHECKSUM_NONE here means no checksum computed.

See also this thread for context: http://patchwork.ozlabs.org/patch/799015/

Fixes: b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise")
Signed-off-by: Willem de Bruijn
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings

commit 4ffc0d8ecffe12f004f74cf1f4421992b6be56ed
Author: Eric Dumazet
Date: Fri Feb 3 14:29:42 2017 -0800

net: skb_needs_check() accepts CHECKSUM_NONE for tx

commit 6e7bc478c9a006c701c14476ec9d389a484b4864 upstream.

My recent change missed the fact that UFO would perform a complete UDP checksum before segmenting in frags. In this case skb->ip_summed is set to CHECKSUM_NONE.

We need to add this valid case to skb_needs_check()

Fixes: b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise")
Signed-off-by: Eric Dumazet
Cc: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 17e5c0ec3ad638503aa18df1f45c15ba402b0fd9
Author: Eric Dumazet
Date: Tue Jan 31 10:20:32 2017 -0800

net: reduce skb_warn_bad_offload() noise

commit b2504a5dbef3305ef41988ad270b0e8ec289331c upstream.

Dmitry reported warnings occurring in __skb_gso_segment() [1]

All SKB_GSO_DODGY producers can allow user space to feed packets that trigger the current check. We could prevent them from doing so, rejecting packets, but this might add regressions to existing programs.

It turns out our SKB_GSO_DODGY handlers properly set up checksum information that is needed anyway when packets need to be segmented.

By checking again skb_needs_check() after skb_mac_gso_segment(), we should remove these pesky warnings, at a very minor cost.

With help from Willem de Bruijn

[1]
WARNING: CPU: 1 PID: 6768 at net/core/dev.c:2439 skb_warn_bad_offload+0x2af/0x390 net/core/dev.c:2434
lo: caps=(0x000000a2803b7c69, 0x0000000000000000) len=138 data_len=0 gso_size=15883 gso_type=4 ip_summed=0
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 6768 Comm: syz-executor1 Not tainted 4.9.0 #5 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c063ecd8 ffffffff82346bdf ffffffff00000001 1ffff100380c7d2e ffffed00380c7d26 0000000041b58ab3 ffffffff84b37e38 ffffffff823468f1 ffffffff84820740 ffffffff84f289c0 dffffc0000000000 ffff8801c063ee20 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51 [] panic+0x1fb/0x412 kernel/panic.c:179 [] __warn+0x1c4/0x1e0 kernel/panic.c:542 [] warn_slowpath_fmt+0xc5/0x100 kernel/panic.c:565 [] skb_warn_bad_offload+0x2af/0x390 net/core/dev.c:2434 [] __skb_gso_segment+0x482/0x780 net/core/dev.c:2706 [] skb_gso_segment include/linux/netdevice.h:3985 [inline] [] validate_xmit_skb+0x5c9/0xc20 net/core/dev.c:2969 [] __dev_queue_xmit+0xe6b/0x1e70 net/core/dev.c:3383 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3424 [] packet_snd net/packet/af_packet.c:2930 [inline] [] packet_sendmsg+0x32ed/0x4d30 net/packet/af_packet.c:2955 [] sock_sendmsg_nosec net/socket.c:621 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:631 [] ___sys_sendmsg+0x8fa/0x9f0 net/socket.c:1954 [] __sys_sendmsg+0x138/0x300 net/socket.c:1988 [] SYSC_sendmsg net/socket.c:1999 [inline] [] SyS_sendmsg+0x2d/0x50 net/socket.c:1995 [] entry_SYSCALL_64_fastpath+0x1f/0xc2 Signed-off-by: Eric Dumazet Reported-by: Dmitry Vyukov Cc: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 0d33299eb57c07d991e2bc2ebd4790660b81bfa6 Author: françois romieu Date: Tue Jul 15 23:55:35 2014 +0200 net: remove open-coded skb_cow_head. commit a40e0a664bce465a3b8ad1d792153cef8ded9f7d upstream. Signed-off-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit ced5e0b0bcfdade45e09dbf19a589b31fb62d7c2 Author: Bodo Stroesser Date: Tue Aug 1 14:42:54 2017 +0200 scsi: st: fix blk_get_queue usage commit 180efde0a3f43dbe533e4be203c2918793482d4e upstream. 
If blk_queue_get() in st_probe fails, disk->queue must not be set to SDp->request_queue, as that would result in put_disk() dropping a not taken reference. Thus, disk->queue should be set only after a successful blk_queue_get(). Fixes: 2b5bebccd282 ("st: Take additional queue ref in st_probe") Signed-off-by: Bodo Stroesser Acked-by: Shirish Pargaonkar Signed-off-by: Hannes Reinecke Reviewed-by: Ewan D. Milne Acked-by: Kai Mäkisara Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit 4c4141d5b5e38c81b044813c111699ad8b09b9d0 Author: Julian Wiedmann Date: Mon Aug 7 13:28:39 2017 +0200 s390/qeth: fix L3 next-hop in xmit qeth hdr commit ec2c6726322f0d270bab477e4904bf9496f70ee5 upstream. On L3, the qeth_hdr struct needs to be filled with the next-hop IP address. The current code accesses rtable->rt_gateway without checking that rtable is a valid address. The accidental access to a lowcore area results in a random next-hop address in the qeth_hdr. rtable (or more precisely, skb_dst(skb)) can be NULL in rare cases (for instance together with AF_PACKET sockets). This patch adds the missing NULL-ptr checks. Signed-off-by: Julian Wiedmann Signed-off-by: Ursula Braun Fixes: 87e7597b5a3 qeth: Move away from using neighbour entries in qeth_l3_fill_header() Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 30f0846d4100defc9c9e4ef7dad7d52c31940d22 Author: Florian Fainelli Date: Thu Jul 27 15:38:17 2017 -0700 irqchip: brcmstb-l2: Define an irq_pm_shutdown function commit c017d21147848fe017772764a77a7f32c5b017f9 upstream. The Broadcom STB platforms support S5 and we allow specific hardware wake-up events to take us out of this state. Because we were not defining an irq_pm_shutdown() function pointer, we would not be correctly masking non-wakeup events, which would result in spurious wake-ups from sources that were not explicitly configured for wake-up. 
Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller")
Acked-by: Gregory Fong
Signed-off-by: Florian Fainelli
Signed-off-by: Marc Zyngier
Signed-off-by: Ben Hutchings

commit a2fe336823dadb704b19376a52ca67c71ca33124
Author: Nicholas Bellinger
Date: Fri Aug 4 23:59:31 2017 -0700

iscsi-target: Fix iscsi_np reset hung task during parallel delete

commit 978d13d60c34818a41fc35962602bdfa5c03f214 upstream.

This patch fixes a bug associated with iscsit_reset_np_thread() that can occur during parallel configfs rmdir of a single iscsi_np used across multiple iscsi-target instances, that would result in hung task(s) similar to below where configfs rmdir process context was blocked indefinitely waiting for iscsi_np->np_restart_comp to finish:

[ 6726.112076] INFO: task dcp_proxy_node_:15550 blocked for more than 120 seconds.
[ 6726.119440] Tainted: G W O 4.1.26-3321 #2
[ 6726.125045] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 6726.132927] dcp_proxy_node_ D ffff8803f202bc88 0 15550 1 0x00000000
[ 6726.140058] ffff8803f202bc88 ffff88085c64d960 ffff88083b3b1ad0 ffff88087fffeb08
[ 6726.147593] ffff8803f202c000 7fffffffffffffff ffff88083f459c28 ffff88083b3b1ad0
[ 6726.155132] ffff88035373c100 ffff8803f202bca8 ffffffff8168ced2 ffff8803f202bcb8
[ 6726.162667] Call Trace:
[ 6726.165150] [] schedule+0x32/0x80
[ 6726.170156] [] schedule_timeout+0x214/0x290
[ 6726.176030] [] ? __send_signal+0x52/0x4a0
[ 6726.181728] [] wait_for_completion+0x96/0x100
[ 6726.187774] [] ? wake_up_state+0x10/0x10
[ 6726.193395] [] iscsit_reset_np_thread+0x62/0xe0 [iscsi_target_mod]
[ 6726.201278] [] iscsit_tpg_disable_portal_group+0x96/0x190 [iscsi_target_mod]
[ 6726.210033] [] lio_target_tpg_store_enable+0x4f/0xc0 [iscsi_target_mod]
[ 6726.218351] [] configfs_write_file+0xaa/0x110
[ 6726.224392] [] vfs_write+0xa4/0x1b0
[ 6726.229576] [] SyS_write+0x41/0xb0
[ 6726.234659] [] system_call_fastpath+0x12/0x71

It would happen because each iscsit_reset_np_thread() sets state to ISCSI_NP_THREAD_RESET, sends SIGINT, and then blocks waiting for completion on iscsi_np->np_restart_comp.

However, if iscsi_np was active processing a login request and more than a single iscsit_reset_np_thread() caller to the same iscsi_np was blocked on iscsi_np->np_restart_comp, iscsi_np kthread process context in __iscsi_target_login_thread() would flush pending signals and only perform a single completion of np->np_restart_comp before going back to sleep within transport specific iscsit_transport->iscsi_accept_np code.

To address this bug, add an iscsi_np->np_reset_count and update __iscsi_target_login_thread() to keep completing np->np_restart_comp until ->np_reset_count has reached zero.

Reported-by: Gary Guo
Tested-by: Gary Guo
Cc: Mike Christie
Cc: Hannes Reinecke
Signed-off-by: Nicholas Bellinger
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings

commit a867769b692058279887f06702312440dc0ab6b4
Author: Jerry Lee
Date: Sun Aug 6 01:18:31 2017 -0400

ext4: fix overflow caused by missing cast in ext4_resize_fs()

commit aec51758ce10a9c847a62a48a168f8c804c6e053 upstream.

On a 32-bit platform, the value of n_blocks_count may be wrong while the file system is being resized to a size larger than 2^32 blocks. This may cause the superblock to be corrupted with a zero blocks count.
Fixes: 1c6bd7173d66
Signed-off-by: Jerry Lee
Signed-off-by: Theodore Ts'o
Signed-off-by: Ben Hutchings

commit 9ce36a5423e65a70ea2b8a895de8f6ddda1e6557
Author: Jan Kara
Date: Sat Aug 5 17:43:24 2017 -0400

ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize

commit fcf5ea10992fbac3c7473a1db33d56a139333cd1 upstream.

ext4_find_unwritten_pgoff() does not properly handle a situation when starting index is in the middle of a page and blocksize < pagesize. The following command shows the bug on filesystem with 1k blocksize:

xfs_io -f -c "falloc 0 4k" \
-c "pwrite 1k 1k" \
-c "pwrite 3k 1k" \
-c "seek -a -r 0" foo

In this example, neither lseek(fd, 1024, SEEK_HOLE) nor lseek(fd, 2048, SEEK_DATA) will return the correct result.

Fix the problem by neglecting buffers in a page before starting offset.

Reported-by: Andreas Gruenbacher
Signed-off-by: Theodore Ts'o
Signed-off-by: Jan Kara
Signed-off-by: Ben Hutchings

commit c71b1637652cece3f346cc35d3652e651bfe758e
Author: Yishai Hadas
Date: Tue Aug 1 09:41:36 2017 +0300

IB/uverbs: Fix device cleanup

commit efdd6f53b10aead0f5cf19a93dd3eb268ac0d991 upstream.

Uverbs device should be cleaned up only when there is no potential usage of it.

As part of ib_uverbs_remove_one which might be triggered upon reset flow the device reference count is decreased as expected and leaves the final cleanup to the FDs that were opened.

Current code increases reference count upon opening a new command FD and decreases it upon closing the file. The event FD is opened internally and relies on the command FD by taking a reference count on it.

In case that the command FD was closed and only later the event FD, we may ensure that the device resources as of srcu are still alive as they are still in use.

Fixing the above by moving the reference count decreasing to the place where the command FD is really freed instead of doing that when it was just closed.
fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications") Signed-off-by: Yishai Hadas Reviewed-by: Matan Barak Reviewed-by: Jason Gunthorpe Tested-by: Jason Gunthorpe Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit 39f81fff2762e1d69b3ccdcdd79a726e24e66473 Author: Leon Romanovsky Date: Tue Aug 1 09:41:35 2017 +0300 RDMA/uverbs: Prevent leak of reserved field commit f7a6cb7b38c6845b26aaa8bbdf519ff6e3090831 upstream. initialize to zero the response structure to prevent the leakage of "resp.reserved" field. drivers/infiniband/core/uverbs_cmd.c:1178 ib_uverbs_resize_cq() warn: check that 'resp.reserved' doesn't leak information Fixes: 33b9b3ee9709 ("IB: Add userspace support for resizing CQs") Signed-off-by: Leon Romanovsky Reviewed-by: Dennis Dalessandro Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit c40ae33aa5d0e3897f5fdb98247e423cededd420 Author: Xin Long Date: Thu Aug 3 14:13:46 2017 +0800 ipv6: set rt6i_protocol properly in the route when it is installed commit b91d532928dff2141ea9c107c3e73104d9843767 upstream. After commit c2ed1880fd61 ("net: ipv6: check route protocol when deleting routes"), ipv6 route checks rt protocol when trying to remove a rt entry. It introduced a side effect causing 'ip -6 route flush cache' not to work well. When flushing caches with iproute, all route caches get dumped from kernel then removed one by one by sending DELROUTE requests to kernel for each cache. The thing is iproute sends the request with the cache whose proto is set with RTPROT_REDIRECT by rt6_fill_node() when kernel dumps it. But in kernel the rt_cache protocol is still 0, which causes the cache not to be matched and removed. So the real reason is rt6i_protocol in the route is not set when it is allocated. 
As David Ahern's suggestion, this patch is to set rt6i_protocol properly in the route when it is installed and remove the codes setting rtm_protocol according to rt6i_flags in rt6_fill_node. This is also an improvement to keep rt6i_protocol consistent with rtm_protocol. Fixes: c2ed1880fd61 ("net: ipv6: check route protocol when deleting routes") Reported-by: Jianlin Shi Suggested-by: David Ahern Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit d81a8a231247ed6a8317fe15a5df98fb88d02d16 Author: Jan Kara Date: Wed Aug 2 13:32:30 2017 -0700 ocfs2: don't clear SGID when inheriting ACLs commit 19ec8e48582670c021e998b9deb88e39a842ff45 upstream. When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit set, DIR1 is expected to have SGID bit set (and owning group equal to the owning group of 'DIR0'). However when 'DIR0' also has some default ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on 'DIR1' to get cleared if user is not member of the owning group. Fix the problem by moving posix_acl_update_mode() out of ocfs2_set_acl() into ocfs2_iop_set_acl(). That way the function will not be called when inheriting ACLs which is what we want as it prevents SGID bit clearing and the mode has been properly set by posix_acl_create() anyway. Also posix_acl_chmod() that is calling ocfs2_set_acl() takes care of updating mode itself. 
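Editor's added example for the ocfs2 SGID commit above; it is not part of the commit and not ocfs2 code. It models the two call paths the message contrasts: posix_acl_update_mode() derives a mode from an ACL and drops S_ISGID for a caller who is neither in the owning group nor CAP_FSETID-capable, which is correct for an explicit setfacl but wrong when it runs on the inheritance path, where posix_acl_create() has already set the child's mode. The reduced inode, ACL and cred structures, the sample directory (mode 02775, gid 1000, default ACL rwxrwxr-x) and the helper names are assumptions for the illustration.

```c
/*
 * Added example, not ocfs2 code: user-space model of posix_acl_update_mode()
 * on the inheritance path (pre-fix) versus only on the explicit-set path
 * (post-fix). Structures, sample values and helper names are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

#ifndef S_ISGID
#define S_ISGID   02000
#endif
#define S_IRWXUGO 00777

struct inode { mode_t i_mode; gid_t i_gid; };
struct posix_acl { mode_t equiv_mode; };   /* only the mode bits the ACL is equivalent to */
struct cred { bool in_owning_group; bool cap_fsetid; };

/* Model of posix_acl_update_mode(): permission bits come from the ACL and
 * S_ISGID is dropped unless the caller is allowed to keep it. */
static mode_t posix_acl_update_mode(const struct inode *inode,
				    const struct posix_acl *acl, const struct cred *c)
{
	mode_t mode = (inode->i_mode & ~S_IRWXUGO) | (acl->equiv_mode & S_IRWXUGO);

	if (!c->in_owning_group && !c->cap_fsetid)
		mode &= ~S_ISGID;
	return mode;
}

/* Lowest layer: store the ACL xattr (omitted here) and the mode it was given. */
static void ocfs2_set_acl(struct inode *inode, const struct posix_acl *acl, mode_t mode)
{
	(void)acl;
	inode->i_mode = mode;
}

/* ocfs2_iop_set_acl(): explicit setfacl/chmod from userspace. After the fix this
 * is the only caller of posix_acl_update_mode(); before the fix ocfs2_set_acl()
 * ran it for every caller, inheritance included. */
static void ocfs2_iop_set_acl(struct inode *inode, const struct posix_acl *acl,
			      const struct cred *c)
{
	ocfs2_set_acl(inode, acl, posix_acl_update_mode(inode, acl, c));
}

/* Inheritance path after the fix: posix_acl_create() already computed the
 * child's mode, so the ACL is stored without touching S_ISGID. */
static void ocfs2_init_acl(struct inode *child, const struct posix_acl *dflt)
{
	ocfs2_set_acl(child, dflt, child->i_mode);
}

/* mkdir of DIR1 inside DIR0 (mode 02775, gid 1000, default ACL rwxrwxr-x).
 * Returns the mode DIR1 ends up with. */
mode_t mkdir_child_mode(bool creator_in_group, bool fixed)
{
	struct inode dir0 = { 02775, 1000 };
	struct posix_acl dflt = { 0775 };
	struct cred creator = { creator_in_group, false };
	/* posix_acl_create(): SGID and owning group are inherited from DIR0. */
	struct inode dir1 = { (dflt.equiv_mode & S_IRWXUGO) | (dir0.i_mode & S_ISGID), dir0.i_gid };

	if (fixed)
		ocfs2_init_acl(&dir1, &dflt);
	else
		ocfs2_iop_set_acl(&dir1, &dflt, &creator);   /* old behaviour: mode update on inherit */
	return dir1.i_mode;
}

/* Explicit setfacl on an existing SGID directory: the hardening from
 * "posix_acl: Clear SGID bit when setting file permissions" must still apply. */
mode_t explicit_setacl_mode(bool caller_in_group)
{
	struct inode dir = { 02775, 1000 };
	struct posix_acl acl = { 0775 };
	struct cred caller = { caller_in_group, false };

	ocfs2_iop_set_acl(&dir, &acl, &caller);
	return dir.i_mode;
}

int main(void)
{
	printf("inherit, creator not in group, before fix: %04o\n", (unsigned)mkdir_child_mode(false, false));
	printf("inherit, creator not in group, after fix:  %04o\n", (unsigned)mkdir_child_mode(false, true));
	printf("explicit setfacl, caller not in group:     %04o\n", (unsigned)explicit_setacl_mode(false));
	printf("explicit setfacl, caller in group:         %04o\n", (unsigned)explicit_setacl_mode(true));
	return 0;
}
```

The check worth keeping from this model is the last pair of cases: a fix that stops SGID clearing on inheritance must not also stop it for an explicit ACL change by a non-member, or it reopens the hole the earlier posix_acl commit closed.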
    Fixes: 073931017b4 ("posix_acl: Clear SGID bit when setting file permissions")
    Link: http://lkml.kernel.org/r/20170801141252.19675-3-jack@suse.cz
    Signed-off-by: Jan Kara
    Cc: Mark Fasheh
    Cc: Joel Becker
    Cc: Junxiao Bi
    Cc: Joseph Qi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    [bwh: Backported to 3.16:
     - ocfs2_iop_set_acl() doesn't take a lock, so simply return on error
     - Add the status variable in ocfs2_iop_set_acl()
     - Pass NULL as the bh argument to ocfs2_acl_set_mode()
     - Adjust context]
    Signed-off-by: Ben Hutchings

commit f0f2427a25425804d1eb091c333e5dd237b3e9c8
Author: Inbar Karmy
Date: Tue Aug 1 16:43:43 2017 +0300

    net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support

    commit c994f778bb1cca8ebe7a4e528cefec233e93b5cc upstream.

    Currently when WoL is supported but disabled, ethtool reports: "Supports Wake-on: d". Fix the indication of WoL support, so that the indication remains "g" all the time if the NIC supports WoL.

    Tested:
    As accepted, when NIC supports WoL- ethtool reports:
        Supports Wake-on: g
        Wake-on: d
    when NIC doesn't support WoL- ethtool reports:
        Supports Wake-on: d
        Wake-on: d

    Fixes: 14c07b1358ed ("mlx4: Wake on LAN support")
    Signed-off-by: Inbar Karmy
    Signed-off-by: Tariq Toukan
    Signed-off-by: David S. Miller
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit d7753f34015c7be1d91239b04c7329068685abc4
Author: Sergei A. Trusov
Date: Wed Aug 2 20:23:48 2017 +1000

    ALSA: hda - Fix speaker output from VAIO VPCL14M1R

    commit 3f3c371421e601fa93b6cb7fb52da9ad59ec90b4 upstream.

    Sony VAIO VPCL14M1R needs the quirk to make the speaker work properly.

    Tested-by: Dmitriy
    Signed-off-by: Sergei A. Trusov
    Signed-off-by: Takashi Iwai
    Signed-off-by: Ben Hutchings

commit c2b5bfd7f6b24ff312c84f55ae3f5caa1263c4b8
Author: Michał Mirosław
Date: Tue Jul 18 14:35:45 2017 +0200

    gpio: tegra: fix unbalanced chained_irq_enter/exit

    commit 9e9509e38fbe034782339eb09c915f0b5765ff69 upstream.
    When more than one GPIO IRQ is triggered simultaneously, tegra_gpio_irq_handler() called chained_irq_exit() multiple times for one chained_irq_enter().

    Fixes: 3c92db9ac0ca3eee8e46e2424b6c074e2e394ad9
    Signed-off-by: Michał Mirosław
    [Also changed the variable to a bool]
    Signed-off-by: Linus Walleij
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit ac499561d314a1d5df6db459d3ad4a92a7519bfc
Author: Florian Fainelli
Date: Tue Aug 1 12:11:08 2017 -0700

    ixgbe: Initialize 64-bit stats seqcounts

    commit 7c3a4626eb65e78ebe208f48ffa21a5002f7f38e upstream.

    On 32-bit hosts and with CONFIG_DEBUG_LOCK_ALLOC we should be seeing a lockdep splat indicating this seqcount is not correctly initialized, fix that.

    Fixes: 4197aa7bb818 ("ixgbevf: provide 64 bit statistics")
    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit db318b8d8935a157c91eed1990b56236659f033b
Author: Florian Fainelli
Date: Tue Aug 1 12:11:07 2017 -0700

    i40e: Initialize 64-bit statistics TX ring seqcount

    commit 7d6d067790289e4f61f59fa60550ca5918aa25bd upstream.

    On 32-bit hosts and with CONFIG_DEBUG_LOCK_ALLOC we should be seeing a lockdep splat indicating this seqcount is not correctly initialized, fix that.

    Fixes: 980e9b118642 ("i40e: Add support for 64 bit netstats")
    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit a1a45a3afd51f0f4c6b0bcacab8a204739cdd633
Author: Florian Fainelli
Date: Tue Aug 1 12:11:06 2017 -0700

    b44: Initialize 64-bit stats seqcount

    commit e43c9f23efadade684773a855675c99da278c862 upstream.

    On 32-bit hosts and with CONFIG_DEBUG_LOCK_ALLOC we should be seeing a lockdep splat indicating this seqcount is not correctly initialized, fix that.

    Fixes: eeda8585522b ("b44: add 64 bit stats")
    Signed-off-by: Florian Fainelli
    Acked-by: Michael Chan
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit f62e59581213e16a9550383024e0600cf202e29d
Author: Wanpeng Li
Date: Tue Aug 1 05:20:03 2017 -0700

    KVM: async_pf: make rcu irq exit if not triggered from idle task

    commit 337c017ccdf2653d0040099433fc1a2b1beb5926 upstream.

    WARNING: CPU: 5 PID: 1242 at kernel/rcu/tree_plugin.h:323 rcu_note_context_switch+0x207/0x6b0
    CPU: 5 PID: 1242 Comm: unity-settings- Not tainted 4.13.0-rc2+ #1
    RIP: 0010:rcu_note_context_switch+0x207/0x6b0
    Call Trace:
     __schedule+0xda/0xba0
     ? kvm_async_pf_task_wait+0x1b2/0x270
     schedule+0x40/0x90
     kvm_async_pf_task_wait+0x1cc/0x270
     ? prepare_to_swait+0x22/0x70
     do_async_page_fault+0x77/0xb0
     ? do_async_page_fault+0x77/0xb0
     async_page_fault+0x28/0x30
    RIP: 0010:__d_lookup_rcu+0x90/0x1e0

    I encounter this when trying to stress the async page fault in L1 guest w/ L2 guests running.

    Commit 9b132fbe5419 (Add rcu user eqs exception hooks for async page fault) adds rcu_irq_enter/exit() to kvm_async_pf_task_wait() to exit cpu idle eqs when needed, to protect the code that needs to use rcu. However, we need to call the pair even if the function calls schedule(), as seen from the above backtrace.

    This patch fixes it by informing the RCU subsystem exit/enter the irq towards/away from idle for both n.halted and !n.halted.

    Cc: Paolo Bonzini
    Cc: Radim Krčmář
    Cc: Paul E. McKenney
    Signed-off-by: Wanpeng Li
    Reviewed-by: Paolo Bonzini
    Signed-off-by: Radim Krčmář
    Signed-off-by: Ben Hutchings

commit 7bdb3e7e18fefdf70fc821763395f715ecfc0827
Author: Dan Carpenter
Date: Fri Jun 30 10:59:15 2017 +0300

    drm/msm: fix an integer overflow test

    commit 65e93108891e571f177c202add9288eda9ac4100 upstream.

    We recently added an integer overflow check but it needs an additional tweak to work properly on 32 bit systems.

    The problem is that we're doing the right hand side of the assignment as type unsigned long so at most it will have an integer overflow instead of being larger than SIZE_MAX.
    That means the "sz > SIZE_MAX" condition is never true even on 32 bit systems. We need to first cast it to u64 and then do the math.

    Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
    Signed-off-by: Dan Carpenter
    Acked-by: Jordan Crouse
    Signed-off-by: Rob Clark
    [bwh: Backported to 3.16: submit_create() only supports a variable number of bos]
    Signed-off-by: Ben Hutchings

commit c73391e6723e4117c79970e6fa6540797c09f6f4
Author: Kasin Li
Date: Mon Jun 19 15:36:53 2017 -0600

    drm/msm: Fix potential buffer overflow issue

    commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 upstream.

    In function submit_create, if nr_cmds or nr_bos is assigned with negative value, the allocated buffer may be smaller than intended. Using this buffer will lead to buffer overflow issue.

    Signed-off-by: Kasin Li
    Signed-off-by: Jordan Crouse
    Signed-off-by: Rob Clark
    [bwh: Backported to 3.16: submit_create() only supports a variable number of bos]
    Signed-off-by: Ben Hutchings

commit f4de49e78a07aba793ae76022b882c3941cd7fc6
Author: Hector Martin
Date: Wed Aug 2 00:45:06 2017 +0900

    USB: serial: option: add D-Link DWM-222 device ID

    commit fd1b8668af59a11bb754a6c9b0051c6c5ce73b74 upstream.

    Add device id for D-Link DWM-222.

    Signed-off-by: Hector Martin
    Signed-off-by: Johan Hovold
    Signed-off-by: Ben Hutchings

commit fee1b2d6cb6314bc37b2fbd729e2419effd5ba3a
Author: Max Filippov
Date: Tue Aug 1 11:15:15 2017 -0700

    xtensa: mm/cache: add missing EXPORT_SYMBOLs

    commit bc652eb6a0d5cffaea7dc8e8ad488aab2a1bf1ed upstream.

    Functions clear_user_highpage, copy_user_highpage, flush_dcache_page, local_flush_cache_range and local_flush_cache_page may be used from modules. Export them.
    Signed-off-by: Max Filippov
    [bwh: Backported to 3.16: drop exports of {clear,copy}_user_highpage()]
    Signed-off-by: Ben Hutchings

commit 5d1b0b9cc8bbfe8a96a9d2fff9567472ab8d5513
Author: Max Filippov
Date: Tue Aug 1 11:02:46 2017 -0700

    xtensa: don't limit csum_partial export by CONFIG_NET

    commit 7f81e55c737a8fa82c71f290945d729a4902f8d2 upstream.

    csum_partial and csum_partial_copy_generic are defined unconditionally and are available even when CONFIG_NET is disabled. They are used not only by the network drivers, but also by scsi and media. Don't limit these functions' export by CONFIG_NET.

    Signed-off-by: Max Filippov
    Signed-off-by: Ben Hutchings

commit fcc9886ab509935abe7f3e8ee8164480bad4afab
Author: Naftali Goldstein
Date: Thu Jul 27 04:53:55 2017 +0300

    iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw

    commit 8addabf8e6e299f790038fdc92ddceaaf76adab8 upstream.

    Set the STA_FLG_RTS_MIMO_PROT bit in station_flags_msk of the add sta command, so that when smps mode changes, the FW will know about it. In particular, in AP mode, clients are added upon receipt of an auth request, at which point there's no knowledge of the client's smps mode. When the assoc request arrives, the add_sta command is resent to modify the station parameters. At this point the driver knows the smps mode, but since the corresponding bit in the mask is not set, the fw doesn't update this field so there's no rts protection for mimo.

    Fixes: 5bc5aaad407c ("iwlwifi: mvm: set up initial SMPS/NSS station info")
    Signed-off-by: Naftali Goldstein
    Signed-off-by: Luca Coelho
    [bwh: Backported to 3.16: adjust filename, context, indentation]
    Signed-off-by: Ben Hutchings

commit 74d332fbc5c44df9085220118133fa4b4fc9641d
Author: Icenowy Zheng
Date: Sat Jul 22 10:50:53 2017 +0800

    pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver

    commit d81ece747d8727bb8b1cfc9a20dbe62f09a4e35a upstream.
    The PH16 pin has a function with mux id 0x5, which is the DET pin of the "sim" (smart card reader) IP block. This function is missing in old versions of A10/A20 SoCs' datasheets and user manuals, so it's also missing in the old drivers. The newest A10 Datasheet V1.70 and A20 Datasheet V1.41 contain this pin function, and it was discovered while implementing the R40 pinctrl driver.

    Add it to the driver.

    As we have now merged the A20 pinctrl driver into the A10 one, we need to only fix the A10 driver now.

    Fixes: f2821b1ca3a2 ("pinctrl: sunxi: Move Allwinner A10 pinctrl driver to a driver of its own")
    Signed-off-by: Icenowy Zheng
    Reviewed-by: Chen-Yu Tsai
    Signed-off-by: Linus Walleij
    Signed-off-by: Ben Hutchings

commit 75c7343aede572e3ab358822de67d17ce7341b3a
Author: Linus Lüssing
Date: Thu Jul 6 07:02:25 2017 +0200

    batman-adv: fix TT sync flag inconsistencies

    commit 54e22f265e872ae140755b3318521d400a094605 upstream.

    This patch fixes an issue in the translation table code potentially leading to a TT Request + Response storm. The issue may occur for nodes involving BLA and an inconsistent configuration of the batman-adv AP isolation feature. However, since the new multicast optimizations, a single, malformed packet may lead to a mesh-wide, persistent Denial-of-Service, too.

    The issue occurs because nodes are currently OR-ing the TT sync flags of all originators announcing a specific MAC address via the translation table. When an intermediate node now receives a TT Request and wants to answer this on behalf of the destination node, then this intermediate node now responds with an altered flag field and broken CRC. The next OGM of the real destination will lead to a CRC mismatch and triggering a TT Request and Response again.

    Furthermore, the OR-ing is currently never undone as long as at least one originator announcing the according MAC address remains, leading to the potential persistency of this issue.
    This patch fixes this issue by storing the flags used in the CRC calculation on a per TT orig entry basis to be able to respond with the correct, original flags in an intermediate TT Response for one thing. And to be able to correctly unset sync flags once all nodes announcing a sync flag vanish for another.

    Fixes: e9c00136a475 ("batman-adv: fix tt_global_entries flags update")
    Signed-off-by: Linus Lüssing
    Acked-by: Antonio Quartulli
    [sw: typo in commit message]
    Signed-off-by: Simon Wunderlich
    [bwh: Backported to 3.16:
     - Drop changes to batadv_tt_global_dump_subentry()
     - Use batadv_tt_orig_list_entry_free_ref() instead of batadv_tt_orig_list_entry_put()
     - Adjust context]
    Signed-off-by: Ben Hutchings

commit 9f75f725f71027bde70f8e3e63a928b27c0251e7
Author: Alan Swanson
Date: Wed Jul 26 12:03:33 2017 +0100

    uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069

    commit 89f23d51defcb94a5026d4b5da13faf4e1150a6f upstream.

    Similar to commit d595259fbb7a ("usb-storage: Add ignore-residue quirk for Initio INIC-3619") for INIC-3169 in unusual_devs.h but INIC-3069 already present in unusual_uas.h. Both in same controller IC family.

    Issue is that MakeMKV fails during key exchange with installed bluray drive with following error:

    002004:0000 Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'

    Signed-off-by: Alan Swanson
    Acked-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 4371f924ef0a9685a8dbad734868208977cedfcc
Author: Rafael J. Wysocki
Date: Tue Jul 25 23:58:50 2017 +0200

    USB: hcd: Mark secondary HCD as dead if the primary one died

    commit cd5a6a4fdaba150089af2afc220eae0fef74878a upstream.

    Make usb_hc_died() clear the HCD_FLAG_RH_RUNNING flag for the shared HCD and set HCD_FLAG_DEAD for it, in analogy with what is done for the primary one.
    Among other things, this prevents check_root_hub_suspended() from returning -EBUSY for dead HCDs which helps to work around system suspend issues in some situations.

    This actually fixes occasional suspend failures on one of my test machines.

    Suggested-by: Alan Stern
    Signed-off-by: Rafael J. Wysocki
    Acked-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit d7450ff86ef72e74935d8f8d48892f904b1ddd83
Author: Max Filippov
Date: Fri Jul 28 17:42:59 2017 -0700

    xtensa: fix cache aliasing handling code for WT cache

    commit 6d0f581d1768d3eaba15776e7dd1fdfec10cfe36 upstream.

    Currently building kernel for xtensa core with aliasing WT cache fails with the following messages:

    mm/memory.c:2152: undefined reference to `flush_dcache_page'
    mm/memory.c:2332: undefined reference to `local_flush_cache_page'
    mm/memory.c:1919: undefined reference to `local_flush_cache_range'
    mm/memory.c:4179: undefined reference to `copy_to_user_page'
    mm/memory.c:4183: undefined reference to `copy_from_user_page'

    This happens because implementation of these functions is only compiled when data cache is WB, which looks wrong: even when data cache doesn't need flushing it still needs invalidation. The functions like __flush_[invalidate_]dcache_* are correctly defined for both WB and WT caches (and even if they weren't that'd still be ok, just slower).

    Fix this by providing the same implementation of the above functions for both WB and WT cache.

    Signed-off-by: Max Filippov
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 4f8117a2da4dd48688123db5bc83c8691f2e322b
Author: Michael Ellerman
Date: Wed Jul 26 23:19:04 2017 +1000

    powerpc/boot: Fix 64-bit boot wrapper build with non-biarch compiler

    commit 65c5ec11c25eff6ba6e9b1cbfff014875fddd1e0 upstream.

    Historically the boot wrapper was always built 32-bit big endian, even for 64-bit kernels. That was because old firmwares didn't necessarily support booting a 64-bit image.
    Because of that arch/powerpc/boot/Makefile uses CROSS32CC for compilation.

    However when we added 64-bit little endian support, we also added support for building the boot wrapper 64-bit. However we kept using CROSS32CC, because in most cases it is just CC and everything works.

    However if the user doesn't specify CROSS32_COMPILE (which no one ever does AFAIK), and CC is *not* biarch (32/64-bit capable), then CROSS32CC becomes just "gcc". On native systems that is probably OK, but if we're cross building it definitely isn't, leading to eg:

    gcc ... -m64 -mlittle-endian -mabi=elfv2 ... arch/powerpc/boot/cpm-serial.c
    gcc: error: unrecognized argument in option ‘-mabi=elfv2’
    gcc: error: unrecognized command line option ‘-mlittle-endian’
    make: *** [zImage] Error 2

    To fix it, stop using CROSS32CC, because we may or may not be building 32-bit. Instead set up a BOOTCC, which defaults to CC, and only use CROSS32_COMPILE if it's set and we're building for 32-bit.

    Fixes: 147c05168fc8 ("powerpc/boot: Add support for 64bit little endian wrapper")
    Signed-off-by: Michael Ellerman
    Reviewed-by: Cyril Bur
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit a59d9ead65b9a405a274d55b0a50ff7c10650da3
Author: Arnd Bergmann
Date: Wed Mar 19 18:41:37 2014 +0100

    ARM: pxa: select both FB and FB_W100 for eseries

    commit 1d20d8a9fce8f1e2ef00a0f3d068fa18d59ddf8f upstream.

    We get a link error trying to access the w100fb_gpio_read/write functions from the platform when the driver is a loadable module or not built-in, so the platform already uses 'select' to hard-enable the driver. However, that fails if the framebuffer subsystem is disabled altogether.

    I've considered various ways to fix this properly, but they all seem like too much work or too risky, so this simply adds another 'select' to force the subsystem on as well.
    Fixes: 82427de2c7c3 ("ARM: pxa: PXA_ESERIES depends on FB_W100.")
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 6149ffd3af2fd3a23fc6c3f265a6a2b5b6ed2d11
Author: Moshe Shemesh
Date: Sun Jun 25 18:45:32 2017 +0300

    net/mlx5: Fix command bad flow on command entry allocation failure

    commit 219c81f7d1d5a89656cb3b53d3b4e11e93608d80 upstream.

    When the driver fails to allocate an entry to send command to FW, it must notify the calling function and release the memory allocated for this command.

    Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
    Signed-off-by: Moshe Shemesh
    Cc: kernel-team@fb.com
    Signed-off-by: Saeed Mahameed
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 707cd7de3f59a6c8c70940c2730ed038ee323c9b
Author: Xin Long
Date: Wed Jul 26 16:24:59 2017 +0800

    sctp: fix the check for _sctp_walk_params and _sctp_walk_errors

    commit 6b84202c946cd3da3a8daa92c682510e9ed80321 upstream.

    Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()") tried to fix the issue that it may overstep the chunk end for _sctp_walk_{params, errors} with 'chunk_end > offset(length) + sizeof(length)'.

    But it introduced a side effect: When processing INIT, it verifies the chunks with 'param.v == chunk_end' after iterating all params by sctp_walk_params(). With the check 'chunk_end > offset(length) + sizeof(length)', it would return when the last param is not yet accessed. Because the last param usually is fwdtsn supported param whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'.

    This is a bad issue, even causing sctp to be unable to complete the 4-way handshake. Client would always get abort when connecting to server, due to the failure of INIT chunk verification on server.

    The patch is to use 'chunk_end <= offset(length) + sizeof(length)' instead of 'chunk_end < offset(length) + sizeof(length)' for both _sctp_walk_params and _sctp_walk_errors.
    Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
    Signed-off-by: Xin Long
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 0a7b80709e11465d274d598195e5931fef78aa9e
Author: Alexander Potapenko
Date: Fri Jul 14 18:32:45 2017 +0200

    sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()

    commit b1f5bfc27a19f214006b9b4db7b9126df2dfdf5a upstream.

    If the length field of the iterator (|pos.p| or |err|) is past the end of the chunk, we shouldn't access it.

    This bug has been detected by KMSAN. For the following pair of system calls:

      socket(PF_INET6, SOCK_STREAM, 0x84 /* IPPROTO_??? */) = 3
      sendto(3, "A", 1, MSG_OOB, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 1

    the tool has reported a use of uninitialized memory:

      ==================================================================
      BUG: KMSAN: use of uninitialized memory in sctp_rcv+0x17b8/0x43b0
      CPU: 1 PID: 2940 Comm: probe Not tainted 4.11.0-rc5+ #2926
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16
       dump_stack+0x172/0x1c0 lib/dump_stack.c:52
       kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
       __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
       __sctp_rcv_init_lookup net/sctp/input.c:1074
       __sctp_rcv_lookup_harder net/sctp/input.c:1233
       __sctp_rcv_lookup net/sctp/input.c:1255
       sctp_rcv+0x17b8/0x43b0 net/sctp/input.c:170
       sctp6_rcv+0x32/0x70 net/sctp/ipv6.c:984
       ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
       NF_HOOK ./include/linux/netfilter.h:257
       ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
       dst_input ./include/net/dst.h:492
       ip6_rcv_finish net/ipv6/ip6_input.c:69
       NF_HOOK ./include/linux/netfilter.h:257
       ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
       __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
       __netif_receive_skb net/core/dev.c:4246
       process_backlog+0x667/0xba0 net/core/dev.c:4866
       napi_poll net/core/dev.c:5268
       net_rx_action+0xc95/0x1590 net/core/dev.c:5333
       __do_softirq+0x485/0x942 kernel/softirq.c:284
       do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
       do_softirq kernel/softirq.c:328
       __local_bh_enable_ip+0x25b/0x290 kernel/softirq.c:181
       local_bh_enable+0x37/0x40 ./include/linux/bottom_half.h:31
       rcu_read_unlock_bh ./include/linux/rcupdate.h:931
       ip6_finish_output2+0x19b2/0x1cf0 net/ipv6/ip6_output.c:124
       ip6_finish_output+0x764/0x970 net/ipv6/ip6_output.c:149
       NF_HOOK_COND ./include/linux/netfilter.h:246
       ip6_output+0x456/0x520 net/ipv6/ip6_output.c:163
       dst_output ./include/net/dst.h:486
       NF_HOOK ./include/linux/netfilter.h:257
       ip6_xmit+0x1841/0x1c00 net/ipv6/ip6_output.c:261
       sctp_v6_xmit+0x3b7/0x470 net/sctp/ipv6.c:225
       sctp_packet_transmit+0x38cb/0x3a20 net/sctp/output.c:632
       sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
       sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
       sctp_side_effects net/sctp/sm_sideeffect.c:1773
       sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
       sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
       sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
       inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633
       sock_sendmsg net/socket.c:643
       SYSC_sendto+0x608/0x710 net/socket.c:1696
       SyS_sendto+0x8a/0xb0 net/socket.c:1664
       do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
       entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
      RIP: 0033:0x401133
      RSP: 002b:00007fff6d99cd38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401133
      RDX: 0000000000000001 RSI: 0000000000494088 RDI: 0000000000000003
      RBP: 00007fff6d99cd90 R08: 00007fff6d99cd50 R09: 000000000000001c
      R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
      R13: 00000000004063d0 R14: 0000000000406460 R15: 0000000000000000
      origin:
       save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
       kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
       kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:211
       slab_alloc_node mm/slub.c:2743
       __kmalloc_node_track_caller+0x200/0x360 mm/slub.c:4351
       __kmalloc_reserve net/core/skbuff.c:138
       __alloc_skb+0x26b/0x840 net/core/skbuff.c:231
       alloc_skb ./include/linux/skbuff.h:933
       sctp_packet_transmit+0x31e/0x3a20 net/sctp/output.c:570
       sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
       sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
       sctp_side_effects net/sctp/sm_sideeffect.c:1773
       sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
       sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
       sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
       inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633
       sock_sendmsg net/socket.c:643
       SYSC_sendto+0x608/0x710 net/socket.c:1696
       SyS_sendto+0x8a/0xb0 net/socket.c:1664
       do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
       return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
      ==================================================================

    Signed-off-by: Alexander Potapenko
    Signed-off-by: David S. Miller
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 0cec8c03e95ec3bbd05c3f2e77d4f32465baf9a0
Author: Aneesh Kumar K.V
Date: Sat Jun 17 20:00:55 2017 +0530

    powerpc/mm/hash: Free the subpage_prot_table correctly

    commit 0da12a7a81f1e2255e89dc783c565e84801475a2 upstream.

    Fixes: dad6f37c2602e ("powerpc: subpage_protect: Increase the array size to take care of 64TB")
    Signed-off-by: Aneesh Kumar K.V
    Tested-by: Ram Pai
    Signed-off-by: Michael Ellerman
    Signed-off-by: Ben Hutchings

commit 02f7d95b916a446745aaacfe21dbbfdc72df3c18
Author: Joerg Roedel
Date: Wed Jul 26 14:17:55 2017 +0200

    iommu/amd: Fix schedule-while-atomic BUG in initialization code

    commit 74ddda71f44c84af62f736a77fb9fcebe5bb436a upstream.
    The register_syscore_ops() function takes a mutex and might sleep. In the IOMMU initialization code it is invoked during irq-remapping setup already, where irqs are disabled.

    This causes a schedule-while-atomic bug:

     BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747
     in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: swapper/0
     no locks held by swapper/0/1.
     irq event stamp: 304
     hardirqs last enabled at (303): [] _raw_spin_unlock_irqrestore+0x36/0x60
     hardirqs last disabled at (304): [] enable_IR_x2apic+0x79/0x196
     softirqs last enabled at (36): [] __do_softirq+0x35f/0x4ec
     softirqs last disabled at (31): [] irq_exit+0x105/0x120
     CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.13.0-rc2.1.el7a.test.x86_64.debug #1
     Hardware name: PowerEdge C6145 /040N24, BIOS 3.5.0 10/28/2014
     Call Trace:
      dump_stack+0x85/0xca
      ___might_sleep+0x22a/0x260
      __might_sleep+0x4a/0x80
      __mutex_lock+0x58/0x960
      ? iommu_completion_wait.part.17+0xb5/0x160
      ? register_syscore_ops+0x1d/0x70
      ? iommu_flush_all_caches+0x120/0x150
      mutex_lock_nested+0x1b/0x20
      register_syscore_ops+0x1d/0x70
      state_next+0x119/0x910
      iommu_go_to_state+0x29/0x30
      amd_iommu_enable+0x13/0x23

    Fix it by moving the register_syscore_ops() call to the next initialization step, which runs with irqs enabled.

    Reported-by: Artem Savkov
    Tested-by: Artem Savkov
    Acked-by: Thomas Gleixner
    Fixes: 2c0ae1720c09 ('iommu/amd: Convert iommu initialization to state machine')
    Signed-off-by: Joerg Roedel
    Signed-off-by: Ben Hutchings

commit b9dda61b15cc0c09f42de4f7677e639471468752
Author: Prabhakar Lad
Date: Thu Jul 20 08:02:09 2017 -0400

    media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl

    commit da05d52d2f0f6bd61094a0cd045fed94bf7d673a upstream.

    This patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works for vpfe_capture driver with a minimal patch suitable for backporting.

    - This ioctl was never in public api and was only defined in kernel header.
    - The function set_params constantly mixes up pointers and phys_addr_t numbers.
    - This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is described as an 'experimental ioctl that will change in future kernels'.
    - The code to allocate the table never gets called after we copy_from_user the user input over the kernel settings, and then compare them for inequality.
    - We then go on to use an address provided by user space as both the __user pointer for input and pass it through phys_to_virt to come up with a kernel pointer to copy the data to. This looks like a trivially exploitable root hole.

    Due to these reasons we make sure this ioctl now returns -EINVAL and backport this patch as far as possible.

    Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")
    Signed-off-by: Lad, Prabhakar
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Ben Hutchings

commit 6b6d3bd7364db0c2f9dfaf8de55f00384e959a4c
Author: Sean Young
Date: Fri Jul 7 18:49:18 2017 -0300

    media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds

    commit 9f5039ba440e499d85c29b1ddbc3cbc9dc90e44b upstream.

    Since commit e8f4818895b3 ("[media] lirc: advertise LIRC_CAN_GET_REC_RESOLUTION and improve") lircd uses the ioctl LIRC_GET_REC_RESOLUTION to determine the shortest pulse or space that the hardware can detect. This breaks decoding in lirc because lircd expects the answer in microseconds, but nanoseconds is returned.

    Reported-by: Derek
    Tested-by: Derek
    Signed-off-by: Sean Young
    Signed-off-by: Mauro Carvalho Chehab
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit c61f8727c91f2ef9158c6b5a170786d29a166240
Author: Laurent Vivier
Date: Fri Jul 21 16:51:39 2017 +0200

    powerpc/pseries: Fix of_node_put() underflow during reconfig remove

    commit 4fd1bd443e80b12f0a01a45fb9a793206b41cb72 upstream.
    As for commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow during DLPAR remove"), the call to of_node_put() must be removed from pSeries_reconfig_remove_node().

    dlpar_detach_node() and pSeries_reconfig_remove_node() both call of_detach_node(), and thus the node should not be released in both cases.

    Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes")
    Signed-off-by: Laurent Vivier
    Reviewed-by: David Gibson
    Signed-off-by: Michael Ellerman
    Signed-off-by: Ben Hutchings

commit 5b470a940f3c6dd918ef075e3b3c6094c4d4c437
Author: Tejun Heo
Date: Sun Jul 23 08:36:15 2017 -0400

    workqueue: implicit ordered attribute should be overridable

    commit 0a94efb5acbb6980d7c9ab604372d93cd507e4d8 upstream.

    5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered") automatically enabled ordered attribute for unbound workqueues w/ max_active == 1. Because ordered workqueues reject max_active and some attribute changes, this implicit ordered mode broke cases where the user creates an unbound workqueue w/ max_active == 1 and later explicitly changes the related attributes.

    This patch distinguishes explicit and implicit ordered setting and overrides from attribute changes if implicit.

    Signed-off-by: Tejun Heo
    Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered")
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 093f3e07cb396ffa28304ea1f1f0291ec1604d33
Author: Ofer Heifetz
Date: Mon Jul 24 09:17:40 2017 +0300

    md/raid5: add thread_group worker async_tx_issue_pending_all

    commit 7e96d559634b73a8158ee99a7abece2eacec2668 upstream.

    Since thread_group worker and raid5d kthread are not in sync, if worker writes stripe before raid5d then requests will be waiting for issue_pending.

    Issue observed when building raid5 with ext4, in some build runs jbd2 would get hung and requests were waiting in the HW engine waiting to be issued.

    Fix this by adding a call to async_tx_issue_pending_all in the raid5_do_work.
    Signed-off-by: Ofer Heifetz
    Signed-off-by: Shaohua Li
    Signed-off-by: Ben Hutchings

commit 528473c94fcbf295051e4eabe59fae3b192a6cfc
Author: Masami Hiramatsu
Date: Fri Jul 21 23:45:52 2017 +0900

    kprobes/x86: Release insn_slot in failure path

    commit 38115f2f8cec8087d558c062e779c443a01f87d6 upstream.

    The following commit:

      003002e04ed3 ("kprobes: Fix arch_prepare_kprobe to handle copy insn failures")

    returns an error if the copying of the instruction fails, but does not release the allocated insn_slot.

    Clean up correctly.

    Signed-off-by: Masami Hiramatsu
    Cc: Ananth N Mavinakayanahalli
    Cc: Anil S Keshavamurthy
    Cc: David S. Miller
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: 003002e04ed3 ("kprobes: Fix arch_prepare_kprobe to handle copy insn failures")
    Link: http://lkml.kernel.org/r/150064834183.6172.11694375818447664416.stgit@devbox
    Signed-off-by: Ingo Molnar
    Signed-off-by: Ben Hutchings

commit f673d5b06e8c9e4592b49a16d3eeefe01287b317
Author: Paul Mackerras
Date: Fri Jul 21 13:57:14 2017 +1000

    KVM: PPC: Book3S HV: Enable TM before accessing TM registers

    commit e47057151422a67ce08747176fa21cb3b526a2c9 upstream.

    Commit 46a704f8409f ("KVM: PPC: Book3S HV: Preserve userspace HTM state properly", 2017-06-15) added code to read transactional memory (TM) registers but forgot to enable TM before doing so.
    The result is that if userspace does have live values in the TM registers, a KVM_RUN ioctl will cause a host kernel crash like this:

    [ 181.328511] Unrecoverable TM Unavailable Exception f60 at d00000001e7d9980
    [ 181.328605] Oops: Unrecoverable TM Unavailable Exception, sig: 6 [#1]
    [ 181.328613] SMP NR_CPUS=2048
    [ 181.328613] NUMA
    [ 181.328618] PowerNV
    [ 181.328646] Modules linked in: vhost_net vhost tap nfs_layout_nfsv41_files rpcsec_gss_krb5 nfsv4 dns_resolver nfs
    +fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat
    +nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun ebtable_filter ebtables
    +ip6table_filter ip6_tables iptable_filter bridge stp llc kvm_hv kvm nfsd ses enclosure scsi_transport_sas ghash_generic
    +auth_rpcgss gf128mul xts sg ctr nfs_acl lockd vmx_crypto shpchp ipmi_powernv i2c_opal grace ipmi_devintf i2c_core
    +powernv_rng sunrpc ipmi_msghandler ibmpowernv uio_pdrv_genirq uio leds_powernv powernv_op_panel ip_tables xfs sd_mod
    +lpfc ipr bnx2x libata mdio ptp pps_core scsi_transport_fc libcrc32c dm_mirror dm_region_hash dm_log dm_mod
    [ 181.329278] CPU: 40 PID: 9926 Comm: CPU 0/KVM Not tainted 4.12.0+ #1
    [ 181.329337] task: c000003fc6980000 task.stack: c000003fe4d80000
    [ 181.329396] NIP: d00000001e7d9980 LR: d00000001e77381c CTR: d00000001e7d98f0
    [ 181.329465] REGS: c000003fe4d837e0 TRAP: 0f60 Not tainted (4.12.0+)
    [ 181.329523] MSR: 9000000000009033
    [ 181.329527] CR: 24022448 XER: 00000000
    [ 181.329608] CFAR: d00000001e773818 SOFTE: 1
    [ 181.329608] GPR00: d00000001e77381c c000003fe4d83a60 d00000001e7ef410 c000003fdcfe0000
    [ 181.329608] GPR04: c000003fe4f00000 0000000000000000 0000000000000000 c000003fd7954800
    [ 181.329608] GPR08: 0000000000000001 c000003fc6980000 0000000000000000 d00000001e7e2880
    [ 181.329608] GPR12: d00000001e7d98f0 c000000007b19000 00000001295220e0 00007fffc0ce2090
    [ 181.329608] GPR16: 0000010011886608 00007fff8c89f260 0000000000000001 00007fff8c080028
    [ 181.329608] GPR20: 0000000000000000 00000100118500a6 0000010011850000 0000010011850000
    [ 181.329608] GPR24: 00007fffc0ce1b48 0000010011850000 00000000d673b901 0000000000000000
    [ 181.329608] GPR28: 0000000000000000 c000003fdcfe0000 c000003fdcfe0000 c000003fe4f00000
    [ 181.330199] NIP [d00000001e7d9980] kvmppc_vcpu_run_hv+0x90/0x6b0 [kvm_hv]
    [ 181.330264] LR [d00000001e77381c] kvmppc_vcpu_run+0x2c/0x40 [kvm]
    [ 181.330322] Call Trace:
    [ 181.330351] [c000003fe4d83a60] [d00000001e773478] kvmppc_set_one_reg+0x48/0x340 [kvm] (unreliable)
    [ 181.330437] [c000003fe4d83b30] [d00000001e77381c] kvmppc_vcpu_run+0x2c/0x40 [kvm]
    [ 181.330513] [c000003fe4d83b50] [d00000001e7700b4] kvm_arch_vcpu_ioctl_run+0x114/0x2a0 [kvm]
    [ 181.330586] [c000003fe4d83bd0] [d00000001e7642f8] kvm_vcpu_ioctl+0x598/0x7a0 [kvm]
    [ 181.330658] [c000003fe4d83d40] [c0000000003451b8] do_vfs_ioctl+0xc8/0x8b0
    [ 181.330717] [c000003fe4d83de0] [c000000000345a64] SyS_ioctl+0xc4/0x120
    [ 181.330776] [c000003fe4d83e30] [c00000000000b004] system_call+0x58/0x6c
    [ 181.330833] Instruction dump:
    [ 181.330869] e92d0260 e9290b50 e9290108 792807e3 41820058 e92d0260 e9290b50 e9290108
    [ 181.330941] 792ae8a4 794a1f87 408204f4 e92d0260 <7d4022a6> f9490ff0 e92d0260 7d4122a6
    [ 181.331013] ---[ end trace 6f6ddeb4bfe92a92 ]---

    The fix is just to turn on the TM bit in the MSR before accessing the registers.

    Fixes: 46a704f8409f ("KVM: PPC: Book3S HV: Preserve userspace HTM state properly")
    Reported-by: Jan Stancek
    Tested-by: Jan Stancek
    Signed-off-by: Paul Mackerras
    Signed-off-by: Ben Hutchings

commit e6d62d574c56c1f8e1b0d6d4878564b8527194b8
Author: Leon Romanovsky
Date: Sat Jul 15 16:26:55 2017 +0300

    IB/ipoib: Remove double pointer assigning

    commit 1b355094b308f3377c8f574ce86135ee159c6285 upstream.

    There is no need to assign "p" pointer twice.

    This patch fixes the following smatch warning:

    drivers/infiniband/ulp/ipoib/ipoib_cm.c:517 ipoib_cm_rx_handler() warn: missing break? reassigning 'p->id'

    Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support")
    Signed-off-by: Leon Romanovsky
    Signed-off-by: Ben Hutchings

commit 8708c117be46f5875008e583db9a82d305aa20c6
Author: Feras Daoud
Date: Sun Jul 16 11:33:01 2017 +0300

    IB/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization

    commit d2e46fccc3e3d73a741efe433f00960331280696 upstream.

    Set IPOIB_NEIGH_TBL_FLUSH bit after initializing the neighbor flushed completion, otherwise the garbage collector may signal a completion while it is not initialized yet.

    Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit path")
    Signed-off-by: Feras Daoud
    Signed-off-by: Alex Vesker
    Signed-off-by: Leon Romanovsky
    Signed-off-by: Ben Hutchings

commit 78f1a3477607a19cb1c82e7ee1e37ae7cf2d992c
Author: Alex Vesker
Date: Thu Jul 13 11:27:12 2017 +0300

    IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp

    commit 11f74b40359b19f760964e71d04882a6caf530cc upstream.

    Don't allow negative values to max_nonsrq_conn_qp. There is no functional impact on a negative value but it is logically incorrect.

    Fixes: 68e995a29572 ("IPoIB/cm: Add connected mode support for devices without SRQs")
    Signed-off-by: Alex Vesker
    Signed-off-by: Leon Romanovsky
    Signed-off-by: Ben Hutchings

commit 926d02342c743538d37616d0a2facdb95f6153f8
Author: Emmanuel Grumbach
Date: Thu Jun 8 10:55:26 2017 +0300

    iwlwifi: dvm: prevent an out of bounds access

    commit 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 upstream.

    iwlagn_check_ratid_empty takes the tid as a parameter, but it doesn't check that it is not IWL_TID_NON_QOS. Since IWL_TID_NON_QOS = 8 and iwl_priv::tid_data is an array with 8 entries, accessing iwl_priv::tid_data[IWL_TID_NON_QOS] is a bad idea. This happened in iwlagn_rx_reply_tx. Since iwlagn_check_ratid_empty is relevant only to check whether we can open A-MPDU, this flow is irrelevant if tid is IWL_TID_NON_QOS.
    Call iwlagn_check_ratid_empty only inside the if (tid != IWL_TID_NON_QOS) a few lines earlier in the function.

    Reported-by: Seraphime Kirkovski
    Tested-by: Seraphime Kirkovski
    Signed-off-by: Emmanuel Grumbach
    Signed-off-by: Luca Coelho
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings

commit f9cb7d4772ef1eee1fd73efc14a9f978b9cfc5dc
Author: Jiri Olsa
Date: Thu Jul 20 16:14:55 2017 +0200

    perf/core: Fix locking for children siblings group read

    commit 2aeb1883547626d82c597cce2c99f0b9c62e2425 upstream.

    We're missing ctx lock when iterating children siblings within the perf_read path for group reading. Following race and crash can happen:

    User space doing read syscall on event group leader:

    T1:
      perf_read
        lock event->ctx->mutex
        perf_read_group
          lock leader->child_mutex
          __perf_read_group_add(child)
            list_for_each_entry(sub, &leader->sibling_list, group_entry)

          ----> sub might be invalid at this point, because it could get removed via perf_event_exit_task_context in T2

    Child exiting and cleaning up its events:

    T2:
      perf_event_exit_task_context
        lock ctx->mutex
        list_for_each_entry_safe(child_event, next, &child_ctx->event_list,...
          perf_event_exit_event(child)
            lock ctx->lock
            perf_group_detach(child)
            unlock ctx->lock

          ----> child is removed from sibling_list without any sync with T1 path above

        ...
        free_event(child)

    Before the child is removed from the leader's child_list, (and thus is omitted from perf_read_group processing), we need to ensure that perf_read_group touches child's siblings under its ctx->lock.

    Peter further notes:

    | One additional note; this bug got exposed by commit:
    |
    |   ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
    |
    | which made it possible to actually trigger this code-path.
    Tested-by: Andi Kleen
    Signed-off-by: Jiri Olsa
    Acked-by: Peter Zijlstra (Intel)
    Cc: Alexander Shishkin
    Cc: Arnaldo Carvalho de Melo
    Cc: Jiri Olsa
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
    Link: http://lkml.kernel.org/r/20170720141455.2106-1-jolsa@kernel.org
    Signed-off-by: Ingo Molnar
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 2bb3fde41e58571be15b4f064a6cf821b8cec848
Author: Peter Zijlstra
Date: Thu Sep 3 20:07:49 2015 -0700

    perf/core: Invert perf_read_group() loops

    commit fa8c269353d560b7c28119ad7617029f92e40b15 upstream.

    In order to enable the use of perf_event_read(.group = true), we need to invert the sibling-child loop nesting of perf_read_group().

    Currently we iterate the child list for each sibling, this precludes using group reads. Flip things around so we iterate each group for each child.

    Signed-off-by: Peter Zijlstra (Intel)
    [ Made the patch compile and things. ]
    Signed-off-by: Sukadev Bhattiprolu
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Arnaldo Carvalho de Melo
    Cc: Arnaldo Carvalho de Melo
    Cc: Jiri Olsa
    Cc: Linus Torvalds
    Cc: Michael Ellerman
    Cc: Peter Zijlstra
    Cc: Stephane Eranian
    Cc: Thomas Gleixner
    Cc: Vince Weaver
    Link: http://lkml.kernel.org/r/1441336073-22750-7-git-send-email-sukadev@linux.vnet.ibm.com
    Signed-off-by: Ingo Molnar
    [bwh: Backported to 3.16 as a dependency of commit 2aeb18835476 ("perf/core: Fix locking for children siblings group read"):
     - Keep the function name perf_event_read_group()
     - Keep using perf_event_read_value()]
    Signed-off-by: Ben Hutchings

commit 21a968ffb0e828e5d7e3c83826fc6d21a632fbca
Author: Mahesh Bandewar
Date: Wed Jul 19 15:41:33 2017 -0700

    ipv4: initialize fib_trie prior to register_netdev_notifier call.

    commit 8799a221f5944a7d74516ecf46d58c28ec1d1f75 upstream.

    Net stack initialization currently initializes fib-trie after the first call to netdevice_notifier() call. In fact fib_trie initialization needs to happen before first rtnl_register(). It does not cause any problem since there are no devices UP at this moment, but trying to bring 'lo' UP at initialization would make this assumption wrong and exposes the issue.

    Fixes the following crash

    Call Trace:
     ? alternate_node_alloc+0x76/0xa0
     fib_table_insert+0x1b7/0x4b0
     fib_magic.isra.17+0xea/0x120
     fib_add_ifaddr+0x7b/0x190
     fib_netdev_event+0xc0/0x130
     register_netdevice_notifier+0x1c1/0x1d0
     ip_fib_init+0x72/0x85
     ip_rt_init+0x187/0x1e9
     ip_init+0xe/0x1a
     inet_init+0x171/0x26c
     ? ipv4_offload_init+0x66/0x66
     do_one_initcall+0x43/0x160
     kernel_init_freeable+0x191/0x219
     ? rest_init+0x80/0x80
     kernel_init+0xe/0x150
     ret_from_fork+0x22/0x30
    Code: f6 46 23 04 74 86 4c 89 f7 e8 ae 45 01 00 49 89 c7 4d 85 ff 0f 85 7b ff ff ff 31 db eb 08 4c 89 ff e8 16 47 01 00 48 8b 44 24 38 <45> 8b 6e 14 4d 63 76 74 48 89 04 24 0f 1f 44 00 00 48 83 c4 08
    RIP: kmem_cache_alloc+0xcf/0x1c0 RSP: ffff9b1500017c28
    CR2: 0000000000000014

    Fixes: 7b1a74fdbb9e ("[NETNS]: Refactor fib initialization so it can handle multiple namespaces.")
    Fixes: 7f9b80529b8a ("[IPV4]: fib hash|trie initialization")
    Signed-off-by: Mahesh Bandewar
    Acked-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit fc6b51e80a09e4a101428560bb38398dc32b66e1
Author: Ismail, Mustafa
Date: Fri Jul 14 09:41:31 2017 -0500

    RDMA/core: Initialize port_num in qp_attr

    commit a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 upstream.

    Initialize the port_num for iWARP in rdma_init_qp_attr.

    Fixes: 5ecce4c9b17b ("Check port number supplied by user verbs cmds")
    Reviewed-by: Steve Wise
    Signed-off-by: Mustafa Ismail
    Tested-by: Mike Marciniszyn
    Signed-off-by: Doug Ledford
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit f0f5c6562893005b27fd69cadffbb963c71a0def
Author: Ismail, Mustafa
Date: Fri Jul 14 09:41:30 2017 -0500

    RDMA/uverbs: Fix the check for port number

    commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream.
    The port number is only valid if IB_QP_PORT is set in the mask. So only check port number if it is valid to prevent modify_qp from failing due to an invalid port number.

    Fixes: 5ecce4c9b17b ("Check port number supplied by user verbs cmds")
    Reviewed-by: Steve Wise
    Signed-off-by: Mustafa Ismail
    Tested-by: Mike Marciniszyn
    Signed-off-by: Doug Ledford
    [bwh: Backported to 3.16: command structure is cmd not cmd->base]
    Signed-off-by: Ben Hutchings

commit 271d389cf00f17111e67f39ca854f239f2afec6d
Author: Kalderon, Michal
Date: Thu Jul 6 23:22:11 2017 +0300

    IB/cma: Fix reference count leak when no ipv4 addresses are set

    commit 963916fdb3e5ad4af57ac959b5a03bf23f7568ca upstream.

    Once in_dev_get is called to receive in_device pointer, the in_device reference counter is increased, but if there are no ipv4 addresses configured on the net-device the ifa_list will be null, resulting in a flow that doesn't call in_dev_put to decrease the ref_cnt. This was exposed when running RoCE over ipv6 without any ipv4 addresses configured.

    Fixes: commit 8e3867310c90 ("IB/cma: Fix a race condition in iboe_addr_get_sgid()")
    Signed-off-by: Michal Kalderon
    Signed-off-by: Ariel Elior
    Signed-off-by: Doug Ledford
    Signed-off-by: Ben Hutchings

commit c871f0da17bc87c9b4847d9af9b7b5d4ef43ae5e
Author: Bart Van Assche
Date: Mon Dec 19 18:00:05 2016 +0100

    IB/cma: Fix a race condition in iboe_addr_get_sgid()

    commit fba332b079029c2f4f7e84c1c1cd8e3867310c90 upstream.

    Code that dereferences the struct net_device ip_ptr member must be protected with an in_dev_get() / in_dev_put() pair. Hence insert calls to these functions.
    Fixes: commit 7b85627b9f02 ("IB/cma: IBoE (RoCE) IP-based GID addressing")
    Signed-off-by: Bart Van Assche
    Reviewed-by: Moni Shoua
    Cc: Or Gerlitz
    Cc: Roland Dreier
    Signed-off-by: Doug Ledford
    Signed-off-by: Ben Hutchings

commit ec1efa4985d84dc4a4a7067eb2fd33f9d30a20eb
Author: Dan Carpenter
Date: Thu Jul 13 10:46:49 2017 +0300

    RDMA/ocrdma: Fix error codes in ocrdma_create_srq()

    commit f0c6e88288d65c93bbc7da4fb6f7d51b2733228a upstream.

    If either of these allocations fail then we return ERR_PTR(0). That's equivalent to NULL and results in a NULL pointer dereference in the caller.

    Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Doug Ledford
    Signed-off-by: Ben Hutchings

commit 3708b2b526b62929eb4b60cb81d8140a66d3f174
Author: Dan Carpenter
Date: Thu Jul 13 10:46:14 2017 +0300

    RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd()

    commit dd75cfa6d3216c79c695f5af13e52208afe374ad upstream.

    We should preserve the original "status" error code instead of resetting it to zero. Returning ERR_PTR(0) is the same as NULL and results in a NULL dereference in the callers. I added a printk() on error instead.

    Fixes: 45e86b33ec8b ("RDMA/ocrdma: Cache recv DB until QP moved to RTR")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Doug Ledford
    [bwh: Backported to 3.16: keep calling ocrdma_mbx_dealloc_pd()]
    Signed-off-by: Ben Hutchings

commit dc847c71fbae10c20ef5064a487616378c5d09f3
Author: Dan Carpenter
Date: Thu Jul 13 10:48:00 2017 +0300

    IB/cxgb3: Fix error codes in iwch_alloc_mr()

    commit 9064d6055c14f700aa13f7c72fd3e63d12bee643 upstream.

    We accidentally don't set the error code on some error paths. It means return ERR_PTR(0) which is NULL and results in a NULL dereference in the caller.
    Fixes: 13a239330abd ("RDMA/cxgb3: Don't ignore insert_handle() failures")
    Signed-off-by: Dan Carpenter
    Acked-by: Steve Wise
    Signed-off-by: Doug Ledford
    [bwh: Backported to 3.16: drop inapplicable hunk]
    Signed-off-by: Ben Hutchings

commit 8334f036a426eaf07e040ba525ba2e4681e1eb32
Author: Dan Carpenter
Date: Thu Jul 13 10:47:40 2017 +0300

    cxgb4: Fix error codes in c4iw_create_cq()

    commit 6ebedacbb44602d4dec3348dee5ec31dd9b09521 upstream.

    If one of these kmalloc() calls fails then we return ERR_PTR(0) which is NULL. It results in a NULL dereference in the callers.

    Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
    Signed-off-by: Dan Carpenter
    Acked-by: Steve Wise
    Signed-off-by: Doug Ledford
    Signed-off-by: Ben Hutchings

commit ea4b5c69bbf3482240305cce0e598720987a2e93
Author: Chunyu Hu
Date: Thu Jul 20 18:36:09 2017 +0800

    tracing: Fix kmemleak in instance_rmdir

    commit db9108e054700c96322b0f0028546aa4e643cf0b upstream.

    Hit the kmemleak when executing instance_rmdir, it forgot to release the mem of tracing_cpumask. With this fix, the warn does not appear any more.

    unreferenced object 0xffff93a8dfaa7c18 (size 8):
      comm "mkdir", pid 1436, jiffies 4294763622 (age 9134.308s)
      hex dump (first 8 bytes):
        ff ff ff ff ff ff ff ff                          ........
      backtrace:
        [] kmemleak_alloc+0x4a/0xa0
        [] __kmalloc_node+0xf1/0x280
        [] alloc_cpumask_var_node+0x23/0x30
        [] alloc_cpumask_var+0xe/0x10
        [] instance_mkdir+0x90/0x240
        [] tracefs_syscall_mkdir+0x40/0x70
        [] vfs_mkdir+0x109/0x1b0
        [] SyS_mkdir+0xd0/0x100
        [] do_syscall_64+0x67/0x150
        [] return_from_SYSCALL_64+0x0/0x6a
        [] 0xffffffffffffffff

    Link: http://lkml.kernel.org/r/1500546969-12594-1-git-send-email-chuhu@redhat.com
    Fixes: ccfe9e42e451 ("tracing: Make tracing_cpumask available for all instances")
    Signed-off-by: Chunyu Hu
    Signed-off-by: Steven Rostedt (VMware)
    Signed-off-by: Ben Hutchings

commit b2766186277169636ac0a504df1891322bb5c5fc
Author: Shu Wang
Date: Thu Jul 20 14:48:31 2017 +0300

    xhci: fix memleak in xhci_run()

    commit d6f5f071f1e13cadecf8aef1faa7e5d6fbc9f33b upstream.

    Found this issue by kmemleak. xhci_run() did not check return val and free command for xhci_queue_vendor_command()

    unreferenced object 0xffff88011c0be500 (size 64):
      comm "kworker/0:1", pid 58, jiffies 4294670908 (age 50.420s)
      hex dump (first 32 bytes):
      backtrace:
        [] kmemleak_alloc+0x4a/0xa0
        [] kmem_cache_alloc_trace+0xca/0x1d0
        [] xhci_alloc_command+0x44/0x130
        [] xhci_run+0x4cc/0x630
        [] usb_add_hcd+0x3bb/0x950
        [] usb_hcd_pci_probe+0x188/0x500
        [] xhci_pci_probe+0x2c/0x220
        [] local_pci_probe+0x45/0xa0
        [] work_for_cpu_fn+0x14/0x20
        [] process_one_work+0x149/0x360
        [] worker_thread+0x1d8/0x3c0
        [] kthread+0x109/0x140
        [] ret_from_fork+0x25/0x30
        [] 0xffffffffffffffff

    Signed-off-by: Shu Wang
    Signed-off-by: Mathias Nyman
    Signed-off-by: Greg Kroah-Hartman
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit ff65ed9416d5a55e787ca2f67f990ec447622f49
Author: Mathias Nyman
Date: Thu Jul 20 14:48:29 2017 +0300

    xhci: fix 20000ms port resume timeout

    commit a54408d0a004757789863d74e29c2297edae0b4d upstream.

    An uncleared PLC (port link change) bit will prevent further port event interrupts for that port. Leaving it uncleared caused get_port_status() to timeout after 20000ms while waiting to get the final port event interrupt for resume -> U0 state change.

    This is a targeted fix for a specific case where we get a port resume event racing with xhci resume. The port event interrupt handler notices xHC is not yet running and bails out early, leaving PLC uncleared.

    The whole xhci port resuming needs more attention, but while working on it it anyways makes sense to always ensure PLC is cleared in get_port_status before setting a new link state and waiting for its completion.

    Signed-off-by: Mathias Nyman
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 65653306e9aedbc349451e0f1c8df99089a2cce8
Author: Jiahau Chang
Date: Thu Jul 20 14:48:27 2017 +0300

    xhci: Bad Ethernet performance plugged in ASM1042A host

    commit 9da5a1092b13468839b1a864b126cacfb72ad016 upstream.

    When USB Ethernet is plugged in ASMEDIA ASM1042A xHCI host, bad performance was manifesting in Web browser use (like download large file such as ISO image). It is a known limitation of ASM1042A that it is not compatible with driver scheduling. As a workaround we can modify flow control handling of ASM1042A. The register we modify changes the behavior

    [use quirk bit 28, usleep_range 40-60us, empty non-pci function -Mathias]

    Signed-off-by: Jiahau Chang
    Signed-off-by: Ian Pilcher
    Signed-off-by: Mathias Nyman
    Signed-off-by: Greg Kroah-Hartman
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 96bfb7d0843a57f033c8d91a306ef4270d798e85
Author: Mathias Nyman
Date: Thu Jul 20 14:48:26 2017 +0300

    xhci: Fix NULL pointer dereference when cleaning up streams for removed host

    commit 4b895868bb2da60a386a17cde3bf9ecbc70c79f4 upstream.

    This off by one in stream_id indexing caused NULL pointer dereference and soft lockup on machines with USB attached SCSI devices connected to a hotpluggable xhci controller.
    The code that cleans up pending URBs for dead hosts tried to dereference a stream ring at the invalid stream_id 0. ep->stream_info->stream_rings[0] doesn't point to a ring.

    Start looping stream_id from 1 like in all the other places in the driver, and check that the ring exists before trying to kill URBs on it.

    Reported-by: rocko r
    Signed-off-by: Mathias Nyman
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 4053c6292e6991e9241f221ce5b4a0e771f7118d
Author: Russell King
Date: Wed Jul 19 23:09:58 2017 +0100

    ARM: kexec: fix failure to boot crash kernel

    commit 0d70262a2d60886da6fe5b1fc8bbcd76cbbc306d upstream.

    When kexec was converted to DTB, the dtb address was passed between machine_kexec_prepare() and machine_kexec() using a static variable. This is bad news if you load a crash kernel followed by a normal kernel or vice versa - the last loaded kernel overwrites the dtb address.

    This can result in kexec failures, as (eg) we try to boot the crash kernel with the last loaded dtb. For example, with:

    the crash kernel fails to find the dtb.

    Avoid this by defining a kimage architecture structure, and store the address to be passed in r2 there, which will either be the ATAGs or the dtb blob.

    Fixes: 4cabd1d9625c ("ARM: 7539/1: kexec: scan for dtb magic in segments")
    Fixes: 42d720d1731a ("ARM: kexec: Make .text R/W in machine_kexec")
    Reported-by: Keerthy
    Tested-by: Keerthy
    Signed-off-by: Russell King
    Signed-off-by: Ben Hutchings

commit aa9a2ec0e82b64db1851d96ab1e9c83f8ea17a39
Author: Nikolay Borisov
Date: Mon May 12 10:31:56 2014 +0100

    ARM: kexec: Make .text R/W in machine_kexec

    commit 42d720d1731a9d7035c2812437c35e271ec4dd78 upstream.

    With the introduction of Kees Cook's patch to make the kernel .text read-only the existing method by which kexec works got broken since it directly pokes some values in the template code, which resides in the .text section.
    The current patch changes the way those values are inserted so that poking .text section occurs only in machine_kexec (e.g. when we are about to nuke the old kernel and are beyond the point of return). This allows to use set_kernel_text_rw() to directly patch the values in the .text section.

    I had already sent a patch which achieved this but it was significantly more complicated, so this is a cleaner/straight-forward approach.

    Signed-off-by: Nikolay Borisov
    Acked-by: Will Deacon
    [kees: collapsed kexec_boot_atags (will.daecon)]
    [kees: for bisectability, moved set_kernel_text_rw() to RODATA patch]
    Signed-off-by: Kees Cook
    Acked-by: Nicolas Pitre
    Signed-off-by: Ben Hutchings

commit 52b12e5aeae7f71567348776d4f7f12b83788d15
Author: Seunghun Han
Date: Tue Jul 18 20:03:51 2017 +0900

    x86/acpi: Prevent out of bound access caused by broken ACPI tables

    commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream.

    The bus_irq argument of mp_override_legacy_irq() is used as the index into the isa_irq_to_gsi[] array. The bus_irq argument originates from ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI tables, but is nowhere sanity checked.

    That allows broken or malicious ACPI tables to overwrite memory, which might cause malfunction, panic or arbitrary code execution.

    Add a sanity check and emit a warning when that triggers.

    [ tglx: Added warning and rewrote changelog ]

    Signed-off-by: Seunghun Han
    Signed-off-by: Thomas Gleixner
    Cc: security@kernel.org
    Cc: "Rafael J. Wysocki"
    Signed-off-by: Ingo Molnar
    Signed-off-by: Ben Hutchings

commit 2de4a9b1b6a73b3e8b3a7d827445ea2af5236bbb
Author: Steve Dickson
Date: Thu Jun 29 11:48:26 2017 -0400

    mount: copy the port field into the cloned nfs_server structure.

    commit 89a6814d9b665b196aa3a102f96b6dc7e8cb669e upstream.
    Doing this copy eliminates the "port=0" entry in the /proc/mounts entries

    Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=69241
    Signed-off-by: Steve Dickson
    Signed-off-by: Anna Schumaker
    Signed-off-by: Ben Hutchings

commit 90b9dd315e958cc60ff25006f6f811056c3e3bba
Author: Tejun Heo
Date: Tue Jul 18 18:41:52 2017 -0400

    workqueue: restore WQ_UNBOUND/max_active==1 to be ordered

    commit 5c0338c68706be53b3dc472e4308961c36e4ece1 upstream.

    The combination of WQ_UNBOUND and max_active == 1 used to imply ordered execution. After NUMA affinity 4c16bd327c74 ("workqueue: implement NUMA affinity for unbound workqueues"), this is no longer true due to per-node worker pools.

    While the right way to create an ordered workqueue is alloc_ordered_workqueue(), the documentation has been misleading for a long time and people do use WQ_UNBOUND and max_active == 1 for ordered workqueues which can lead to subtle bugs which are very difficult to trigger.

    It's unlikely that we'd see noticeable performance impact by enforcing ordering on WQ_UNBOUND / max_active == 1 workqueues. Let's automatically set __WQ_ORDERED for those workqueues.

    Signed-off-by: Tejun Heo
    Reported-by: Christoph Hellwig
    Reported-by: Alexei Potashnik
    Fixes: 4c16bd327c74 ("workqueue: implement NUMA affinity for unbound workqueues")
    Signed-off-by: Ben Hutchings

commit 292e98fc5ef1144637f87f5a9dd5d53c1ff833cd
Author: Dan Carpenter
Date: Wed Jul 19 13:06:41 2017 +0300

    libata: array underflow in ata_find_dev()

    commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream.

    My static checker complains that "devno" can be negative, meaning that we read before the start of the loop. I've looked at the code, and I think the warning is right. This comes from /proc so it's root only or it would be quite a serious bug.
    The call tree looks like this:

    proc_scsi_write() <- gets id and channel from simple_strtoul()
    -> scsi_add_single_device() <- calls shost->transportt->user_scan()
       -> ata_scsi_user_scan()
          -> ata_find_dev()

    Signed-off-by: Dan Carpenter
    Signed-off-by: Tejun Heo
    Signed-off-by: Ben Hutchings

commit 1b0326513bc8b9a3bd77f00e64b0e2e16f24b1cf
Author: Sabrina Dubroca
Date: Tue Jul 18 14:56:17 2017 +0200

    netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry

    commit 3840538ad384fb7891adeeaf36624f870c51fc0e upstream.

    When we delete a netns with a CLUSTERIP rule, clusterip_net_exit() is called first, removing /proc/net/ipt_CLUSTERIP. Then clusterip_config_entry_put() is called from clusterip_tg_destroy(), and tries to remove its entry under /proc/net/ipt_CLUSTERIP/.

    Fix this by checking that the parent directory of the entry to remove hasn't already been deleted.

    The following triggers a KASAN splat (stealing the reproducer from 202f59afd441, thanks to Jianlin Shi and Xin Long):

    ip netns add test
    ip link add veth0_in type veth peer name veth0_out
    ip link set veth0_in netns test
    ip netns exec test ip link set lo up
    ip netns exec test ip link set veth0_in up
    ip netns exec test iptables -I INPUT -d 1.2.3.4 -i veth0_in -j \
        CLUSTERIP --new --clustermac 89:d4:47:eb:9a:fa --total-nodes 3 \
        --local-node 1 --hashmode sourceip-sourceport
    ip netns del test

    Fixes: ce4ff76c15a8 ("netfilter: ipt_CLUSTERIP: make proc directory per net namespace")
    Signed-off-by: Sabrina Dubroca
    Reviewed-by: Xin Long
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Ben Hutchings

commit 1b8baa968e3153ae275d6de4b59c043675ffb906
Author: Yoshihiro Shimoda
Date: Wed Jul 19 16:16:55 2017 +0900

    usb: renesas_usbhs: gadget: disable all eps when the driver stops

    commit b8b9c974afee685789fcbb191b52d1790be3608c upstream.

    A gadget driver will not disable eps immediately when ->disconnect() is called. But, since this driver assumes all eps stop after the ->disconnect(), unexpected behavior happens (especially in system suspend). So, this patch disables all eps in usbhsg_try_stop().

    After disabling eps by renesas_usbhs driver, since some functions will be called by both a gadget and renesas_usbhs driver, renesas_usbhs driver should protect uep->pipe. To protect uep->pipe easily, this patch adds a new lock in struct usbhsg_uep.

    Fixes: 2f98382dc ("usb: renesas_usbhs: Add Renesas USBHS Gadget")
    Signed-off-by: Yoshihiro Shimoda
    Signed-off-by: Felipe Balbi
    Signed-off-by: Ben Hutchings

commit 6e3e6f7558a050325e7baa19752c8a40ffbb2767
Author: Yoshihiro Shimoda
Date: Wed Jul 19 16:16:54 2017 +0900

    usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL

    commit 59a0879a0e17b2e43ecdc5e3299da85b8410d7ce upstream.

    This patch fixes an issue that some registers may be not initialized after resume if the USBHSF_RUNTIME_PWCTRL is not set. Otherwise, if a cable is not connected, the driver will not enable INTENB0.VBSE after resume. And then, the driver cannot detect the VBUS.

    Fixes: ca8a282a5373 ("usb: gadget: renesas_usbhs: add suspend/resume support")
    Signed-off-by: Yoshihiro Shimoda
    Signed-off-by: Felipe Balbi
    Signed-off-by: Ben Hutchings

commit 17a8d42b76bc778d613f7a2d95aaee26edf8579a
Author: Yoshihiro Shimoda
Date: Wed Nov 18 14:33:35 2015 +0900

    usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()

    commit c9eb29503e9655e70448bbbf3697d08a56d24854 upstream.

    This patch fixes an issue that NULL pointer dereference happens when a gadget driver calls usb_ep_dequeue() for ep0 after disconnected a usb cable. This is because that usbhsg_try_stop() will call usbhsg_ep_disable(&dcp->ep) when a usb cable is disconnected and the pipe of dcp (ep0) is set to NULL.
    Signed-off-by: Yoshihiro Shimoda
    Signed-off-by: Felipe Balbi
    Signed-off-by: Ben Hutchings

commit dd2bae4a085e8fe6e21a1c35217a911037e67870
Author: Yoshihiro Shimoda
Date: Wed Jul 9 20:30:13 2014 +0900

    usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting

    commit dfb87b8bfe09f933abaf387693992089f6f9053e upstream.

    This patch fixes an issue that the renesas_usbhs driver in gadget mode cannot work correctly even if I disabled DMAC of the driver when I used the g_zero driver and the testusb tool.

    When a usb cable is re-connected, the renesas_usbhs driver calls the usbhsp_flags_init() (via usbhs_hotplug() --> usbhs_mod_call(start) --> usbhsg_try_start() --> usbhs_pipe_init()). However, the driver doesn't call the usbhsp_flags_init() when usbhsg_ep_disable() is called. So, if a gadget driver calls usb_ep_enable() and usb_ep_disable() again and again, the renesas_usbhs driver will output the following log:

    renesas_usbhs renesas_usbhs: can't get pipe (BULK)
    renesas_usbhs renesas_usbhs: wrong recip request

    Acked-by: Kuninori Morimoto
    Signed-off-by: Yoshihiro Shimoda
    Signed-off-by: Felipe Balbi
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 8b0544af34a67d4fe93286cd452f6824582346a0
Author: Michael Gugino
Date: Mon Jul 17 13:29:09 2017 -0400

    staging: rtl8188eu: add TL-WN722N v2 support

    commit 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 upstream.

    Add support for USB Device TP-Link TL-WN722N v2.
    VendorID: 0x2357, ProductID: 0x010c

    Signed-off-by: Michael Gugino
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 08b49dcb56ac850cbc7f0147222c0e72e6154956
Author: Sinclair Yeh
Date: Mon Jul 17 23:28:36 2017 -0700

    drm/vmwgfx: Fix gcc-7.1.1 warning

    commit fcfffdd8f98ac305285dca568b5065ef86be6458 upstream.

    The current code does not look correct, and the reason for it is probably lost. Since this now generates a compiler warning, fix it to what makes sense.
    Reported-by: Arnd Bergmann
    Reported-by: Linus Torvalds
    Signed-off-by: Sinclair Yeh
    Reviewed-by: Brian Paul
    Signed-off-by: Ben Hutchings

commit 44b304389172ab6635936f33cb2067a590c4cc6a
Author: Banajit Goswami
Date: Fri Jul 14 23:15:05 2017 -0700

    ASoC: do not close shared backend dailink

    commit b1cd2e34c69a2f3988786af451b6e17967c293a0 upstream.

    Multiple frontend dailinks may be connected to a backend dailink at the same time. When one of frontend dailinks is closed, the associated backend dailink should not be closed if it is connected to other active frontend dailinks. Change ensures that backend dailink is closed only after all connected frontend dailinks are closed.

    Signed-off-by: Gopikrishnaiah Anandan
    Signed-off-by: Banajit Goswami
    Signed-off-by: Patrick Lai
    Signed-off-by: Mark Brown
    Signed-off-by: Ben Hutchings

commit ba22880e58c2d77370d6a5cc5f384098fc037a48
Author: Bjorn Andersson
Date: Thu Jun 29 14:46:44 2017 -0700

    spmi: Include OF based modalias in device uevent

    commit d50daa2af2618dab6d21634e65a5fbcf4ae437d6 upstream.

    Include the OF-based modalias in the uevent sent when registering SPMI devices, so that user space has a chance to autoload the kernel module for the device.

    Tested-by: Rob Clark
    Reported-by: Rob Clark
    Reviewed-by: Stephen Boyd
    Signed-off-by: Bjorn Andersson
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 7a732c6c8de5e7eaef901b5dc1220afa6a39b5aa
Author: Stephen Boyd
Date: Wed Dec 28 14:56:48 2016 -0800

    of: device: Export of_device_{get_modalias, uvent_modalias} to modules

    commit 7a3b7cd332db08546f3cdd984f11773e0d1999e7 upstream.

    The ULPI bus can be built as a module, and it will soon be calling these functions when it supports probing devices from DT. Export them so they can be used by the ULPI module.
Acked-by: Rob Herring Cc: Signed-off-by: Stephen Boyd Signed-off-by: Peter Chen Signed-off-by: Ben Hutchings commit d1e6ab4c9f9e6c442ca2e0076754e1b94ba20f50 Author: Dan Carpenter Date: Mon Jul 17 11:13:35 2017 +0300 libceph: potential NULL dereference in ceph_msg_data_create() commit 7c40b22f6f84c98a1d36e6d0a4346e58f05e45d8 upstream. If kmem_cache_zalloc() returns NULL then the INIT_LIST_HEAD(&data->links); will Oops. The callers aren't really prepared for NULL returns so it doesn't make a lot of difference in real life. Fixes: 5240d9f95dfe ("libceph: replace message data pointer with list") Signed-off-by: Dan Carpenter Signed-off-by: Ilya Dryomov Signed-off-by: Ben Hutchings commit 272665bcb551c14c23ef73e6ab1a151da8498c9c Author: Colin Ian King Date: Thu Jul 6 16:06:32 2017 +0100 usb: storage: return on error to avoid a null pointer dereference commit 446230f52a5bef593554510302465eabab45a372 upstream. When us->extra is null the driver is not initialized, however, a later call to osd200_scsi_to_ata is made that dereferences us->extra, causing a null pointer dereference. The code currently detects and reports that the driver is not initialized; add a return to avoid the subsequent dereference issue in this check. Thanks to Alan Stern for pointing out that srb->result needs setting to DID_ERROR << 16 Detected by CoverityScan, CID#100308 ("Dereference after null check") Signed-off-by: Colin Ian King Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 92e3509372f0956cc2fe4a59c4e8a7a92a4b73b4 Author: Johan Hovold Date: Wed Jul 12 15:08:39 2017 +0200 USB: cdc-acm: add device-id for quirky printer commit fe855789d605590e57f9cd968d85ecce46f5c3fd upstream. Add device-id entry for DATECS FP-2000 fiscal printer needing the NO_UNION_NORMAL quirk. 
Reported-by: Anton Avramov Signed-off-by: Johan Hovold Acked-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 32b14451e4e85c9b3b2c9ed397669af3d05d556e Author: Stefan Triller Date: Fri Jun 30 14:44:03 2017 +0200 USB: serial: cp210x: add support for Qivicon USB ZigBee dongle commit 9585e340db9f6cc1c0928d82c3a23cc4460f0a3f upstream. The German Telekom offers a ZigBee USB Stick under the brand name Qivicon for their SmartHome Home Base in its 1. Generation. The productId is not known by the according kernel module, this patch adds support for it. Signed-off-by: Stefan Triller Reviewed-by: Frans Klaver Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings commit 71b14eeede3a240a9c1cfae02529eb94cda923da Author: Chris Gorman Date: Wed Jul 12 13:31:26 2017 -0400 i2c: mux: pinctrl: mention correct module name in Kconfig help text commit d1510a2e5ab6cb3a67f1c55ca5e7a6d2c6dec340 upstream. Kconfig says the resulting module is pinctrl-i2cmux, but the module when built is i2c-mux-pinctrl. Fixes: ae58d1e40698 ("i2c: Add generic I2C multiplexer using pinctrl API") Signed-off-by: Chris Gorman Signed-off-by: Peter Rosin Signed-off-by: Ben Hutchings commit fb4ca2b4bc6712a6ad635df5b9b41131846589f9 Author: Doug Berger Date: Fri Jul 14 16:12:10 2017 -0700 net: bcmgenet: Free skb after last Tx frag commit f48bed16a756f5bc0244acd581f61968f7d7c2a4 upstream. Since the skb is attached to the first control block of a fragmented skb it is possible that the skb could be freed when reclaiming that control block before all fragments of the skb have been consumed by the hardware and unmapped. This commit introduces first_cb and last_cb pointers to the skb control block used by the driver to keep track of which transmit control blocks within a transmit ring are the first and last ones associated with the skb. 
It then splits the bcmgenet_free_cb() function into transmit (bcmgenet_free_tx_cb) and receive (bcmgenet_free_rx_cb) versions that can handle the unmapping of dma mapped memory and cleaning up the corresponding control block structure so that the skb is only freed after the last associated transmit control block is reclaimed. Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") Signed-off-by: Doug Berger Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 3bdf77194ea822390b405639b77659071fd2c2e9 Author: Doug Berger Date: Fri Jul 14 16:12:09 2017 -0700 net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit() commit 876dbadd53a7102e2a84afc84ea2bd3ee6dc5636 upstream. In case we fail to map a single fragment, we would be leaving the transmit ring populated with stale entries. This commit introduces the helper function bcmgenet_put_txcb() which takes care of rewinding the per-ring write pointer back to where we left. It also consolidates the functionality of bcmgenet_xmit_single() and bcmgenet_xmit_frag() into the bcmgenet_xmit() function to make the unmapping of control blocks cleaner. Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") Suggested-by: Florian Fainelli Signed-off-by: Doug Berger Signed-off-by: David S. Miller [bwh: Backported to 3.16: - There's no tx_dma_failed statistic - Adjust context] Signed-off-by: Ben Hutchings commit 8c79cf0578ffb524ae7fa856b3b8a2b39fc6ea29 Author: Petri Gynther Date: Tue Apr 5 14:00:00 2016 -0700 net: bcmgenet: cleanup for bcmgenet_xmit_frag() commit 824ba603573d910e32df75fe6a5e7d7ec2a0a6a7 upstream. Add frag_size = skb_frag_size(frag) and use it when needed. Signed-off-by: Petri Gynther Acked-by: Florian Fainelli Signed-off-by: David S. 
Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 25668c21623ca65833a90e95bfd2e5e0ab749128 Author: Petri Gynther Date: Thu Mar 24 11:27:20 2016 -0700 net: bcmgenet: fix dev->stats.tx_bytes accounting commit 55868120a3e5420bf5aa26a816c07d691579c9e6 upstream. 1. Add bytes_compl local variable to __bcmgenet_tx_reclaim() to collect transmitted bytes. dev->stats updates can then be moved outside the while-loop. bytes_compl is also needed for future BQL support. 2. When bcmgenet device uses Tx checksum offload, each transmitted skb gets an extra 64-byte header prepended to it. Before this header is prepended to the skb, we need to save the skb "wire" length in GENET_CB(skb)->bytes_sent, so that proper Tx bytes accounting can be done in __bcmgenet_tx_reclaim(). 3. skb->len covers the entire length of skb, whether it is linear or fragmented. Thus, when we clean the fragments, do not increase transmitted bytes. Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") Signed-off-by: Petri Gynther Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Also update tx_packets accounting, as done in upstream commit 4092e6acf5cb "net: bcmgenet: fix throughtput regression" - Adjust context] Signed-off-by: Ben Hutchings commit 1664ba161f7c117a2d9b7fe2f5c56cce88c53c3e Author: Florian Fainelli Date: Fri Mar 13 12:11:06 2015 -0700 net: bcmgenet: update ring producer index and buffer count in xmit commit ae67bf0188cbb9d1786bdfcca9e1976cb36ee327 upstream. There is no need to have both bcmgenet_xmit_single() and bcmgenet_xmit_frag() perform a free_bds decrement and a prod_index increment by one. In case one of these functions fails to map a SKB or fragment for transmit, we will return and exit bcmgenet_xmit() with an error. 
We can therefore safely use our local copy of nr_frags to know by how much we should decrement the number of free buffers available, and by how much the producer count must be incremented and do this in the tail of bcmgenet_xmit(). Signed-off-by: Florian Fainelli Acked-by: Petri Gynther Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 17968a0445271b02bfbc637c63dfaba908af8267 Author: Petri Gynther Date: Thu Mar 12 15:48:00 2015 -0700 net: bcmgenet: rewrite bcmgenet_rx_refill() commit d6707bec598649450ee0887bf11896e525777874 upstream. Currently, bcmgenet_desc_rx() calls bcmgenet_rx_refill() at the end of Rx packet processing loop, after the current Rx packet has already been passed to napi_gro_receive(). However, bcmgenet_rx_refill() might fail to allocate a new Rx skb, thus leaving a hole on the Rx queue where no valid Rx buffer exists. To eliminate this situation: 1. Rewrite bcmgenet_rx_refill() to retain the current Rx skb on the Rx queue if a new replacement Rx skb can't be allocated and DMA-mapped. In this case, the data on the current Rx skb is effectively dropped. 2. Modify bcmgenet_desc_rx() to call bcmgenet_rx_refill() at the top of Rx packet processing loop, so that the new replacement Rx skb is already in place before the current Rx skb is processed. Signed-off-by: Petri Gynther Tested-by: Jaedon Shin -- Reviewed-by: Florian Fainelli Tested-by: Florian Fainelli Signed-off-by: David S. Miller [bwh: Backported to 3.16: - There's no alloc_rx_buff_failed statistic - Adjust context] Signed-off-by: Ben Hutchings commit 78bfefd6324b0d7304e128a18ca60bd3f3273064 Author: Petri Gynther Date: Wed Mar 4 14:30:01 2015 -0800 net: bcmgenet: simplify __bcmgenet_tx_reclaim() commit 66d06757d9eb74a29775737b8c770e3b57e536d9 upstream. 1. 
Use c_index and ring->c_index to determine how many TxCBs/TxBDs are ready for cleanup - c_index = the current value of TDMA_CONS_INDEX - TDMA_CONS_INDEX is HW-incremented and auto-wraparound (0x0-0xFFFF) - ring->c_index = __bcmgenet_tx_reclaim() cleaned up to this point on the previous invocation 2. Add bcmgenet_tx_ring->clean_ptr - index of the next TxCB to be cleaned - incremented as TxCBs/TxBDs are processed - value always in range [ring->cb_ptr, ring->end_ptr] 3. Fix incrementing of dev->stats.tx_packets - should be incremented only when tx_cb_ptr->skb != NULL These changes simplify __bcmgenet_tx_reclaim(). Furthermore, Tx ring size can now be any value. With the old code, Tx ring size had to be a power-of-2: num_tx_bds = ring->size; c_index &= (num_tx_bds - 1); last_c_index &= (num_tx_bds - 1); Signed-off-by: Petri Gynther Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller [bwh: Backported to 3.16: - __bcmgenet_tx_reclaim() did not count completions - In bcmgenet_init_tx_ring(), use write_ptr not start_ptr - Adjust context] Signed-off-by: Ben Hutchings commit 16f67a227538d0eba4f2589c132973ec320e9656 Author: Florian Fainelli Date: Fri Oct 10 10:51:52 2014 -0700 net: bcmgenet: fix off-by-one in incrementing read pointer commit cf377d886f7944a5ccdbd164b89949e13617b096 upstream. Commit b629be5c8399d7c423b92135eb43a86c924d1cbc ("net: bcmgenet: check harder for out of memory conditions") moved the increment of the local read pointer *before* reading from the hardware descriptor using dmadesc_get_length_status(), which creates an off-by-one situation. Fix this by moving again the read_ptr increment after we have read the hardware descriptor to get both the control block and the read pointer back in sync. Fixes: b629be5c8399 ("net: bcmgenet: check harder for out of memory conditions") Signed-off-by: Jaedon Shin Signed-off-by: Florian Fainelli Acked-by: Petri Gynther Signed-off-by: David S. 
Miller Signed-off-by: Ben Hutchings commit 935cd13f823941cb24cadc7196b456fb06894d27 Author: Florian Fainelli Date: Mon Sep 8 11:37:52 2014 -0700 net: bcmgenet: check harder for out of memory conditions commit b629be5c8399d7c423b92135eb43a86c924d1cbc upstream. There is a potential case where we might be failing to refill a control block, leaving it with both a NULL skb pointer *and* a NULL dma_unmap_addr. The way we process incoming packets, by first calling dma_unmap_single(), and then only checking for a potential NULL skb can lead to situations where do pass a NULL dma_unmap_addr() to dma_unmap_single(), resulting in an oops. Fix this my moving the NULL skb check earlier, since no backing skb also means no corresponding DMA mapping for this packet. Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit bd5162bee81b53b431bbd0c2d3b44c86bd5c19ba Author: Arnd Bergmann Date: Fri Jul 14 11:31:03 2017 +0200 staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read commit 105967ad68d2eb1a041bc041f9cf96af2a653b65 upstream. gcc-7 points out an older regression: drivers/staging/iio/resolver/ad2s1210.c: In function 'ad2s1210_read_raw': drivers/staging/iio/resolver/ad2s1210.c:515:42: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context] The original code had 'unsigned short' here, but incorrectly got converted to 'bool'. This reverts the regression and uses a normal type instead. Fixes: 29148543c521 ("staging:iio:resolver:ad2s1210 minimal chan spec conversion.") Signed-off-by: Arnd Bergmann Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings commit ab2a0702387ad19c62e7f9e22739c2866c69f44a Author: Iván Briano Date: Thu Jul 13 09:46:58 2017 -0700 net/packet: Fix Tx queue selection for AF_PACKET commit ccd4eb49f3392ebf989d58bd013a7bf44cdca4d6 upstream. 
When PACKET_QDISC_BYPASS is not used, Tx queue selection will be done before the packet is enqueued, taking into account any mappings set by a queuing discipline such as mqprio without hardware offloading. This selection may be affected by a previously saved queue_mapping, either on the Rx path, or done before the packet reaches the device, as it's currently the case for AF_PACKET. In order for queue selection to work as expected when using traffic control, there can't be another selection done before that point is reached, so move the call to packet_pick_tx_queue to packet_direct_xmit, leaving the default xmit path as it was before PACKET_QDISC_BYPASS was introduced. A forward declaration of packet_pick_tx_queue() is introduced to avoid the need to reorder the functions within the file. Fixes: d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option") Signed-off-by: Iván Briano Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 27f77efc48edfe8b5a02bf959e5acdd905947004 Author: Nikolay Aleksandrov Date: Thu Jul 13 16:09:10 2017 +0300 net: bridge: fix dest lookup when vlan proto doesn't match commit 31a4562d7408493c6377933ff2f7d7302dbdea80 upstream. With 802.1ad support the vlan_ingress code started checking for vlan protocol mismatch which causes the current tag to be inserted and the bridge vlan protocol & pvid to be set. The vlan tag insertion changes the skb mac_header and thus the lookup mac dest pointer which was loaded prior to calling br_allowed_ingress in br_handle_frame_finish is VLAN_HLEN bytes off now, pointing to the last two bytes of the destination mac and the first four of the source mac causing lookups to always fail and broadcasting all such packets to all ports. Same thing happens for locally originated packets when passing via br_dev_xmit. So load the dest pointer after the vlan checks and possible skb change. 
Fixes: 8580e2117c06 ("bridge: Prepare for 802.1ad vlan filtering support") Reported-by: Anitha Narasimha Murthy Signed-off-by: Nikolay Aleksandrov Acked-by: Toshiaki Makita Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 7aece5143fa6c900e052c156b845ff77e6aca536 Author: Jin Yao Date: Thu Jun 8 14:01:44 2017 +0800 perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target commit 80f62589fa52f530cffc50e78c0b5a2ae572d61e upstream. When the jump instruction is displayed at the row 0 in annotate view, the arrow is broken. An example: 16.86 │ ┌──je 82 0.01 │ movsd (%rsp),%xmm0 │ movsd 0x8(%rsp),%xmm4 │ movsd 0x8(%rsp),%xmm1 │ movsd (%rsp),%xmm3 │ divsd %xmm4,%xmm0 │ divsd %xmm3,%xmm1 │ movsd (%rsp),%xmm2 │ addsd %xmm1,%xmm0 │ addsd %xmm2,%xmm0 │ movsd %xmm0,(%rsp) │82: sub $0x1,%ebx 83.03 │ ↑ jne 38 │ add $0x10,%rsp │ xor %eax,%eax │ pop %rbx │ ← retq The patch increments the row number before checking with 0. Signed-off-by: Yao Jin Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Fixes: 944e1abed9e1 ("perf ui browser: Add method to draw up/down arrow line") Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ben Hutchings commit d3ddb7cfd6c5e00d6a3887a21f9790f4b8fafdb9 Author: Xiao Ni Date: Wed Jul 5 17:34:04 2017 +0800 Raid5 should update rdev->sectors after reshape commit b5d27718f38843a74552e9a93d32e2391fd3999f upstream. The raid5 md device is created by the disks which we don't use the total size. For example, the size of the device is 5G and it just uses 3G of the devices to create one raid5 device. Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid and assemble it again. It fails. 
mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean mdadm /dev/md0 --grow --chunk=64 wait reshape to finish mdadm -S /dev/md0 mdadm -As The error messages: [197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing! [197519.821686] md: md_import_device returned -22 After reshape the data offset is changed. It selects backwards direction in this condition. In function super_1_load it compares the available space of the underlying device with sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL. rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based on rdev->sectors. So add md_finish_reshape in end_reshape. Signed-off-by: Xiao Ni Acked-by: Guoqing Jiang Signed-off-by: Shaohua Li Signed-off-by: Ben Hutchings commit 2ca15e62fea09f86eb3fea839a136f83db5b488a Author: Stefan-Gabriel Mirea Date: Thu Jul 6 10:06:41 2017 +0100 iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits commit d466d3c1217406b14b834335b5b4b33c0d45bd09 upstream. In order to select the alternate voltage reference pair (VALTH/VALTL), the right value for the REFSEL field in the ADCx_CFG register is "01", leading to 0x800 as register mask. See section 8.2.6.4 in the reference manual[1]. [1] http://www.nxp.com/docs/en/reference-manual/VFXXXRM.pdf Fixes: a775427632fd ("iio:adc:imx: add Freescale Vybrid vf610 adc driver") Signed-off-by: Stefan-Gabriel Mirea Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings commit 63e9aee5769ede99cd23321986ff4fb4dafd0532 Author: Akinobu Mita Date: Wed Jun 21 01:46:37 2017 +0900 iio: light: tsl2563: use correct event code commit a3507e48d3f99a93a3056a34a5365f310434570f upstream. The TSL2563 driver provides three iio channels, two of which are raw ADC channels (channel 0 and channel 1) in the device and the remaining one is calculated by the two. 
The ADC channel 0 only supports programmable interrupt with threshold settings and this driver supports the event but the generated event code does not contain the corresponding iio channel type. This is going to change userspace ABI. Hopefully fixing this to be what it should always have been won't break any userspace code. Cc: Jonathan Cameron Signed-off-by: Akinobu Mita Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings commit 5b7024ecc540d96fe65c8378a57ba4891aa95577 Author: Mateusz Jurczyk Date: Wed Jun 7 12:26:49 2017 +0200 fuse: initialize the flock flag in fuse_file on allocation commit 68227c03cba84a24faf8a7277d2b1a03c8959c2c upstream. Before the patch, the flock flag could remain uninitialized for the lifespan of the fuse_file allocation. Unless set to true in fuse_file_flock(), it would remain in an indeterminate state until read in an if statement in fuse_release_common(). This could consequently lead to taking an unexpected branch in the code. The bug was discovered by a runtime instrumentation designed to detect use of uninitialized memory in the kernel. Signed-off-by: Mateusz Jurczyk Fixes: 37fb3a30b462 ("fuse: fix flock") Signed-off-by: Miklos Szeredi Signed-off-by: Ben Hutchings