Jon Maxwell [Wed, 22 Mar 2017 11:31:33 +0000 (11:31 +0000)]
dccp/tcp: fix routing redirect race
am:
4ab956b561
Change-Id: I9cb352108500198e4d94eb8e08b53065e29e31d4
Florian Westphal [Wed, 22 Mar 2017 11:31:22 +0000 (11:31 +0000)]
bridge: drop netfilter fake rtable unconditionally
am:
56f9b9502f
Change-Id: I286db307416cce649790533419ec6a735bbcbb3d
Florian Westphal [Wed, 22 Mar 2017 11:31:13 +0000 (11:31 +0000)]
ipv6: avoid write to a possibly cloned skb
am:
aed728c38c
Change-Id: I7bbff2dcff94ea2804d3f21cd0341379332a47e6
Sabrina Dubroca [Wed, 22 Mar 2017 11:31:04 +0000 (11:31 +0000)]
ipv6: make ECMP route replacement less greedy
am:
5f8bc3856e
Change-Id: I6abea1ee369e3ae901dbb615991a112621da03f9
David Ahern [Wed, 22 Mar 2017 11:30:56 +0000 (11:30 +0000)]
mpls: Send route delete notifications when router module is unloaded
am:
b57955ea30
Change-Id: Ica14abfb917ddcf236459f3e6886234a9daac40b
Etienne Noss [Wed, 22 Mar 2017 11:30:47 +0000 (11:30 +0000)]
act_connmark: avoid crashing on malformed nlattrs with null parms
am:
710fbeb3f5
Change-Id: Ie14c5fad2baf06f9d7669ef68b16023bd165af17
Dmitry V. Levin [Wed, 22 Mar 2017 11:30:38 +0000 (11:30 +0000)]
uapi: fix linux/packet_diag.h userspace compilation error
am:
6c72458ab4
Change-Id: I107c3b445b4f92b52be422542062a0d6e147cc3d
David Ahern [Wed, 22 Mar 2017 11:30:30 +0000 (11:30 +0000)]
vrf: Fix use-after-free in vrf_xmit
am:
e671f1cc58
Change-Id: I9252af147439040890edc2f612d4868806c2324a
Eric Dumazet [Wed, 22 Mar 2017 11:30:21 +0000 (11:30 +0000)]
dccp: fix use-after-free in dccp_feat_activate_values
am:
d0ebde92fb
Change-Id: I80863cbb814b1486069ee311e3f8543c7d34b74a
Eric Dumazet [Wed, 22 Mar 2017 11:30:11 +0000 (11:30 +0000)]
net: fix socket refcounting in skb_complete_tx_timestamp()
am:
ec4d8692b7
Change-Id: Idc05607ffe99175575d7f07e3138e2f4496a5110
Eric Dumazet [Wed, 22 Mar 2017 11:30:01 +0000 (11:30 +0000)]
net: fix socket refcounting in skb_complete_wifi_ack()
am:
9e7683301b
Change-Id: I00fea5d105075ad526ca753b463f91bcd5db30d0
Eric Dumazet [Wed, 22 Mar 2017 11:29:50 +0000 (11:29 +0000)]
tcp: fix various issues for sockets morphing to listen state
am:
2681a7853a
Change-Id: I9dd8b9c075e54c8b5fbff08ff06dcd74c7e56d4a
Arnaldo Carvalho de Melo [Wed, 22 Mar 2017 11:29:41 +0000 (11:29 +0000)]
dccp: Unlock sock before calling sk_free()
am:
9216632bf4
Change-Id: Id3dda6def7939123cc232d10fefcd0bb2b020ccc
Eric Dumazet [Wed, 22 Mar 2017 11:29:30 +0000 (11:29 +0000)]
net: net_enable_timestamp() can be called from irq contexts
am:
a70c328597
Change-Id: I79a15d07b95126c554366c5b9c266cdb73e8f823
Alexander Potapenko [Wed, 22 Mar 2017 11:29:19 +0000 (11:29 +0000)]
net: don't call strlen() on the user buffer in packet_bind_spkt()
am:
f331d6445a
Change-Id: If72ad0b49abc6132a8e67dede206504aa3985da9
Paul Hber [Wed, 22 Mar 2017 11:29:11 +0000 (11:29 +0000)]
l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
am:
2cd0afc64e
Change-Id: Ib7bcb274c63e13807b1e25f74b6018866e2d8eb1
Julian Anastasov [Wed, 22 Mar 2017 11:29:01 +0000 (11:29 +0000)]
ipv4: mask tos for input route
am:
354f79125f
Change-Id: I39b7ce23fe7319187421d3e6f0cdd91b16d1fb8c
David Forster [Wed, 22 Mar 2017 11:28:51 +0000 (11:28 +0000)]
vti6: return GRE_KEY for vti6
am:
f1b3aae1f1
Change-Id: I62e249897c31124ca45296c2563c9e3d665e49fb
Matthias Schiffer [Wed, 22 Mar 2017 11:28:41 +0000 (11:28 +0000)]
vxlan: correctly validate VXLAN ID against VXLAN_N_VID
am:
51a219a137
Change-Id: Ibe33b8e55a3c7625b7b985260b38b443ffbfadc9
Florian Westphal [Wed, 22 Mar 2017 11:28:31 +0000 (11:28 +0000)]
netlink: remove mmapped netlink support
am:
0c0be310ba
Change-Id: I85d714d9cc491fd7cb3d1af553864f22c4f1e8fb
Jon Maxwell [Fri, 10 Mar 2017 05:40:33 +0000 (16:40 +1100)]
dccp/tcp: fix routing redirect race
[ Upstream commit
45caeaa5ac0b4b11784ac6f932c0ad4c6b67cda0 ]
As Eric Dumazet pointed out this also needs to be fixed in IPv6.
v2: Contains the IPv6 tcp/Ipv6 dccp patches as well.
We have seen a few incidents lately where a dst_enty has been freed
with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that
dst_entry. If the conditions/timings are right a crash then ensues when the
freed dst_entry is referenced later on. A Common crashing back trace is:
#8 [] page_fault at
ffffffff8163e648
[exception RIP: __tcp_ack_snd_check+74]
.
.
#9 [] tcp_rcv_established at
ffffffff81580b64
#10 [] tcp_v4_do_rcv at
ffffffff8158b54a
#11 [] tcp_v4_rcv at
ffffffff8158cd02
#12 [] ip_local_deliver_finish at
ffffffff815668f4
#13 [] ip_local_deliver at
ffffffff81566bd9
#14 [] ip_rcv_finish at
ffffffff8156656d
#15 [] ip_rcv at
ffffffff81566f06
#16 [] __netif_receive_skb_core at
ffffffff8152b3a2
#17 [] __netif_receive_skb at
ffffffff8152b608
#18 [] netif_receive_skb at
ffffffff8152b690
#19 [] vmxnet3_rq_rx_complete at
ffffffffa015eeaf [vmxnet3]
#20 [] vmxnet3_poll_rx_only at
ffffffffa015f32a [vmxnet3]
#21 [] net_rx_action at
ffffffff8152bac2
#22 [] __do_softirq at
ffffffff81084b4f
#23 [] call_softirq at
ffffffff8164845c
#24 [] do_softirq at
ffffffff81016fc5
#25 [] irq_exit at
ffffffff81084ee5
#26 [] do_IRQ at
ffffffff81648ff8
Of course it may happen with other NIC drivers as well.
It's found the freed dst_entry here:
224 static bool tcp_in_quickack_mode(struct sock *sk)↩
225 {↩
226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩
227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩
228 ↩
229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩
230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩
231 }↩
But there are other backtraces attributed to the same freed dst_entry in
netfilter code as well.
All the vmcores showed 2 significant clues:
- Remote hosts behind the default gateway had always been redirected to a
different gateway. A rtable/dst_entry will be added for that host. Making
more dst_entrys with lower reference counts. Making this more probable.
- All vmcores showed a postitive LockDroppedIcmps value, e.g:
LockDroppedIcmps 267
A closer look at the tcp_v4_err() handler revealed that do_redirect() will run
regardless of whether user space has the socket locked. This can result in a
race condition where the same dst_entry cached in sk->sk_dst_entry can be
decremented twice for the same socket via:
do_redirect()->__sk_dst_check()-> dst_release().
Which leads to the dst_entry being prematurely freed with another socket
pointing to it via sk->sk_dst_cache and a subsequent crash.
To fix this skip do_redirect() if usespace has the socket locked. Instead let
the redirect take place later when user space does not have the socket
locked.
The dccp/IPv6 code is very similar in this respect, so fixing it there too.
As Eric Garver pointed out the following commit now invalidates routes. Which
can set the dst->obsolete flag so that ipv4_dst_check() returns null and
triggers the dst_release().
Fixes:
ceb3320610d6 ("ipv4: Kill routes during PMTU/redirect updates.")
Cc: Eric Garver <egarver@redhat.com>
Cc: Hannes Sowa <hsowa@redhat.com>
Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Florian Westphal [Mon, 13 Mar 2017 16:38:17 +0000 (17:38 +0100)]
bridge: drop netfilter fake rtable unconditionally
[ Upstream commit
a13b2082ece95247779b9995c4e91b4246bed023 ]
Andreas reports kernel oops during rmmod of the br_netfilter module.
Hannes debugged the oops down to a NULL rt6info->rt6i_indev.
Problem is that br_netfilter has the nasty concept of adding a fake
rtable to skb->dst; this happens in a br_netfilter prerouting hook.
A second hook (in bridge LOCAL_IN) is supposed to remove these again
before the skb is handed up the stack.
However, on module unload hooks get unregistered which means an
skb could traverse the prerouting hook that attaches the fake_rtable,
while the 'fake rtable remove' hook gets removed from the hooklist
immediately after.
Fixes:
34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core")
Reported-by: Andreas Karis <akaris@redhat.com>
Debugged-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Florian Westphal [Mon, 13 Mar 2017 15:24:28 +0000 (16:24 +0100)]
ipv6: avoid write to a possibly cloned skb
[ Upstream commit
79e49503efe53a8c51d8b695bedc8a346c5e4a87 ]
ip6_fragment, in case skb has a fraglist, checks if the
skb is cloned. If it is, it will move to the 'slow path' and allocates
new skbs for each fragment.
However, right before entering the slowpath loop, it updates the
nexthdr value of the last ipv6 extension header to NEXTHDR_FRAGMENT,
to account for the fragment header that will be inserted in the new
ipv6-fragment skbs.
In case original skb is cloned this munges nexthdr value of another
skb. Avoid this by doing the nexthdr update for each of the new fragment
skbs separately.
This was observed with tcpdump on a bridge device where netfilter ipv6
reassembly is active: tcpdump shows malformed fragment headers as
the l4 header (icmpv6, tcp, etc). is decoded as a fragment header.
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reported-by: Andreas Karis <akaris@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sabrina Dubroca [Mon, 13 Mar 2017 12:28:09 +0000 (13:28 +0100)]
ipv6: make ECMP route replacement less greedy
[ Upstream commit
67e194007be08d071294456274dd53e0a04fdf90 ]
Commit
27596472473a ("ipv6: fix ECMP route replacement") introduced a
loop that removes all siblings of an ECMP route that is being
replaced. However, this loop doesn't stop when it has replaced
siblings, and keeps removing other routes with a higher metric.
We also end up triggering the WARN_ON after the loop, because after
this nsiblings < 0.
Instead, stop the loop when we have taken care of all routes with the
same metric as the route being replaced.
Reproducer:
===========
#!/bin/sh
ip netns add ns1
ip netns add ns2
ip -net ns1 link set lo up
for x in 0 1 2 ; do
ip link add veth$x netns ns2 type veth peer name eth$x netns ns1
ip -net ns1 link set eth$x up
ip -net ns2 link set veth$x up
done
ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \
nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2
ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256
ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048
echo "before replace, 3 routes"
ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
echo
ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \
nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2
echo "after replace, only 2 routes, metric 2048 is gone"
ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
Fixes:
27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
David Ahern [Fri, 10 Mar 2017 17:46:15 +0000 (09:46 -0800)]
mpls: Send route delete notifications when router module is unloaded
[ Upstream commit
e37791ec1ad785b59022ae211f63a16189bacebf ]
When the mpls_router module is unloaded, mpls routes are deleted but
notifications are not sent to userspace leaving userspace caches
out of sync. Add the call to mpls_notify_route in mpls_net_exit as
routes are freed.
Fixes:
0189197f44160 ("mpls: Basic routing support")
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Etienne Noss [Fri, 10 Mar 2017 15:55:32 +0000 (16:55 +0100)]
act_connmark: avoid crashing on malformed nlattrs with null parms
[ Upstream commit
52491c7607c5527138095edf44c53169dc1ddb82 ]
tcf_connmark_init does not check in its configuration if TCA_CONNMARK_PARMS
is set, resulting in a null pointer dereference when trying to access it.
[501099.043007] BUG: unable to handle kernel NULL pointer dereference at
0000000000000004
[501099.043039] IP: [<
ffffffffc10c60fb>] tcf_connmark_init+0x8b/0x180 [act_connmark]
...
[501099.044334] Call Trace:
[501099.044345] [<
ffffffffa47270e8>] ? tcf_action_init_1+0x198/0x1b0
[501099.044363] [<
ffffffffa47271b0>] ? tcf_action_init+0xb0/0x120
[501099.044380] [<
ffffffffa47250a4>] ? tcf_exts_validate+0xc4/0x110
[501099.044398] [<
ffffffffc0f5fa97>] ? u32_set_parms+0xa7/0x270 [cls_u32]
[501099.044417] [<
ffffffffc0f60bf0>] ? u32_change+0x680/0x87b [cls_u32]
[501099.044436] [<
ffffffffa4725d1d>] ? tc_ctl_tfilter+0x4dd/0x8a0
[501099.044454] [<
ffffffffa44a23a1>] ? security_capable+0x41/0x60
[501099.044471] [<
ffffffffa470ca01>] ? rtnetlink_rcv_msg+0xe1/0x220
[501099.044490] [<
ffffffffa470c920>] ? rtnl_newlink+0x870/0x870
[501099.044507] [<
ffffffffa472cc61>] ? netlink_rcv_skb+0xa1/0xc0
[501099.044524] [<
ffffffffa47073f4>] ? rtnetlink_rcv+0x24/0x30
[501099.044541] [<
ffffffffa472c634>] ? netlink_unicast+0x184/0x230
[501099.044558] [<
ffffffffa472c9d8>] ? netlink_sendmsg+0x2f8/0x3b0
[501099.044576] [<
ffffffffa46d8880>] ? sock_sendmsg+0x30/0x40
[501099.044592] [<
ffffffffa46d8e03>] ? SYSC_sendto+0xd3/0x150
[501099.044608] [<
ffffffffa425fda1>] ? __do_page_fault+0x2d1/0x510
[501099.044626] [<
ffffffffa47fbd7b>] ? system_call_fast_compare_end+0xc/0x9b
Fixes:
22a5dc0e5e3e ("net: sched: Introduce connmark action")
Signed-off-by: Étienne Noss <etienne.noss@wifirst.fr>
Signed-off-by: Victorien Molle <victorien.molle@wifirst.fr>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dmitry V. Levin [Tue, 7 Mar 2017 20:50:50 +0000 (23:50 +0300)]
uapi: fix linux/packet_diag.h userspace compilation error
[ Upstream commit
745cb7f8a5de0805cade3de3991b7a95317c7c73 ]
Replace MAX_ADDR_LEN with its numeric value to fix the following
linux/packet_diag.h userspace compilation error:
/usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function)
__u8 pdmc_addr[MAX_ADDR_LEN];
This is not the first case in the UAPI where the numeric value
of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h
already does the same:
$ grep MAX_ADDR_LEN include/uapi/linux/if_link.h
__u8 mac[32]; /* MAX_ADDR_LEN */
There are no UAPI headers besides these two that use MAX_ADDR_LEN.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Acked-by: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
David Ahern [Mon, 6 Mar 2017 16:53:04 +0000 (08:53 -0800)]
vrf: Fix use-after-free in vrf_xmit
[ Upstream commit
f7887d40e541f74402df0684a1463c0a0bb68c68 ]
KASAN detected a use-after-free:
[ 269.467067] BUG: KASAN: use-after-free in vrf_xmit+0x7f1/0x827 [vrf] at addr
ffff8800350a21c0
[ 269.467067] Read of size 4 by task ssh/1879
[ 269.467067] CPU: 1 PID: 1879 Comm: ssh Not tainted 4.10.0+ #249
[ 269.467067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 269.467067] Call Trace:
[ 269.467067] dump_stack+0x81/0xb6
[ 269.467067] kasan_object_err+0x21/0x78
[ 269.467067] kasan_report+0x2f7/0x450
[ 269.467067] ? vrf_xmit+0x7f1/0x827 [vrf]
[ 269.467067] ? ip_output+0xa4/0xdb
[ 269.467067] __asan_load4+0x6b/0x6d
[ 269.467067] vrf_xmit+0x7f1/0x827 [vrf]
...
Which corresponds to the skb access after xmit handling. Fix by saving
skb->len and using the saved value to update stats.
Fixes:
193125dbd8eb2 ("net: Introduce VRF device driver")
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Sun, 5 Mar 2017 18:52:16 +0000 (10:52 -0800)]
dccp: fix use-after-free in dccp_feat_activate_values
[ Upstream commit
62f8f4d9066c1c6f2474845d1ca7e2891f2ae3fd ]
Dmitry reported crashes in DCCP stack [1]
Problem here is that when I got rid of listener spinlock, I missed the
fact that DCCP stores a complex state in struct dccp_request_sock,
while TCP does not.
Since multiple cpus could access it at the same time, we need to add
protection.
[1]
BUG: KASAN: use-after-free in dccp_feat_activate_values+0x967/0xab0
net/dccp/feat.c:1541 at addr
ffff88003713be68
Read of size 8 by task syz-executor2/8457
CPU: 2 PID: 8457 Comm: syz-executor2 Not tainted 4.10.0-rc7+ #127
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:15 [inline]
dump_stack+0x292/0x398 lib/dump_stack.c:51
kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
print_address_description mm/kasan/report.c:200 [inline]
kasan_report_error mm/kasan/report.c:289 [inline]
kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311
kasan_report mm/kasan/report.c:332 [inline]
__asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332
dccp_feat_activate_values+0x967/0xab0 net/dccp/feat.c:1541
dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
NF_HOOK include/linux/netfilter.h:257 [inline]
ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
dst_input include/net/dst.h:507 [inline]
ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
NF_HOOK include/linux/netfilter.h:257 [inline]
ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
__netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
__netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
process_backlog+0xe5/0x6c0 net/core/dev.c:4839
napi_poll net/core/dev.c:5202 [inline]
net_rx_action+0xe70/0x1900 net/core/dev.c:5267
__do_softirq+0x2fb/0xb7d kernel/softirq.c:284
do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
</IRQ>
do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
do_softirq kernel/softirq.c:176 [inline]
__local_bh_enable_ip+0x1f2/0x200 kernel/softirq.c:181
local_bh_enable include/linux/bottom_half.h:31 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:971 [inline]
ip6_finish_output2+0xbb0/0x23d0 net/ipv6/ip6_output.c:123
ip6_finish_output+0x302/0x960 net/ipv6/ip6_output.c:148
NF_HOOK_COND include/linux/netfilter.h:246 [inline]
ip6_output+0x1cb/0x8d0 net/ipv6/ip6_output.c:162
ip6_xmit+0xcdf/0x20d0 include/net/dst.h:501
inet6_csk_xmit+0x320/0x5f0 net/ipv6/inet6_connection_sock.c:179
dccp_transmit_skb+0xb09/0x1120 net/dccp/output.c:141
dccp_xmit_packet+0x215/0x760 net/dccp/output.c:280
dccp_write_xmit+0x168/0x1d0 net/dccp/output.c:362
dccp_sendmsg+0x79c/0xb10 net/dccp/proto.c:796
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:645
SYSC_sendto+0x660/0x810 net/socket.c:1687
SyS_sendto+0x40/0x50 net/socket.c:1655
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458b9
RSP: 002b:
00007f8ceb77bb58 EFLAGS:
00000282 ORIG_RAX:
000000000000002c
RAX:
ffffffffffffffda RBX:
0000000000000017 RCX:
00000000004458b9
RDX:
0000000000000023 RSI:
0000000020e60000 RDI:
0000000000000017
RBP:
00000000006e1b90 R08:
00000000200f9fe1 R09:
0000000000000020
R10:
0000000000008010 R11:
0000000000000282 R12:
00000000007080a8
R13:
0000000000000000 R14:
00007f8ceb77c9c0 R15:
00007f8ceb77c700
Object at
ffff88003713be50, in cache kmalloc-64 size: 64
Allocated:
PID = 8446
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2738
kmalloc include/linux/slab.h:490 [inline]
dccp_feat_entry_new+0x214/0x410 net/dccp/feat.c:467
dccp_feat_push_change+0x38/0x220 net/dccp/feat.c:487
__feat_register_sp+0x223/0x2f0 net/dccp/feat.c:741
dccp_feat_propagate_ccid+0x22b/0x2b0 net/dccp/feat.c:949
dccp_feat_server_ccid_dependencies+0x1b3/0x250 net/dccp/feat.c:1012
dccp_make_response+0x1f1/0xc90 net/dccp/output.c:423
dccp_v6_send_response+0x4ec/0xc20 net/dccp/ipv6.c:217
dccp_v6_conn_request+0xaba/0x11b0 net/dccp/ipv6.c:377
dccp_rcv_state_process+0x51e/0x1650 net/dccp/input.c:606
dccp_v6_do_rcv+0x213/0x350 net/dccp/ipv6.c:632
sk_backlog_rcv include/net/sock.h:893 [inline]
__sk_receive_skb+0x36f/0xcc0 net/core/sock.c:479
dccp_v6_rcv+0xba5/0x1d00 net/dccp/ipv6.c:742
ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
NF_HOOK include/linux/netfilter.h:257 [inline]
ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
dst_input include/net/dst.h:507 [inline]
ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
NF_HOOK include/linux/netfilter.h:257 [inline]
ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
__netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
__netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
process_backlog+0xe5/0x6c0 net/core/dev.c:4839
napi_poll net/core/dev.c:5202 [inline]
net_rx_action+0xe70/0x1900 net/core/dev.c:5267
__do_softirq+0x2fb/0xb7d kernel/softirq.c:284
Freed:
PID = 15
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514 [inline]
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2954 [inline]
kfree+0xe8/0x2b0 mm/slub.c:3874
dccp_feat_entry_destructor.part.4+0x48/0x60 net/dccp/feat.c:418
dccp_feat_entry_destructor net/dccp/feat.c:416 [inline]
dccp_feat_list_pop net/dccp/feat.c:541 [inline]
dccp_feat_activate_values+0x57f/0xab0 net/dccp/feat.c:1543
dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
NF_HOOK include/linux/netfilter.h:257 [inline]
ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
dst_input include/net/dst.h:507 [inline]
ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
NF_HOOK include/linux/netfilter.h:257 [inline]
ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
__netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
__netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
process_backlog+0xe5/0x6c0 net/core/dev.c:4839
napi_poll net/core/dev.c:5202 [inline]
net_rx_action+0xe70/0x1900 net/core/dev.c:5267
__do_softirq+0x2fb/0xb7d kernel/softirq.c:284
Memory state around the buggy address:
ffff88003713bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88003713bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>
ffff88003713be00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
^
Fixes:
079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Sat, 4 Mar 2017 05:01:03 +0000 (21:01 -0800)]
net: fix socket refcounting in skb_complete_tx_timestamp()
[ Upstream commit
9ac25fc063751379cb77434fef9f3b088cd3e2f7 ]
TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt
By the time TX completion happens, sk_refcnt might be already 0.
sock_hold()/sock_put() would then corrupt critical state, like
sk_wmem_alloc and lead to leaks or use after free.
Fixes:
62bccb8cdb69 ("net-timestamp: Make the clone operation stand-alone from phy timestamping")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Sat, 4 Mar 2017 05:01:02 +0000 (21:01 -0800)]
net: fix socket refcounting in skb_complete_wifi_ack()
[ Upstream commit
dd4f10722aeb10f4f582948839f066bebe44e5fb ]
TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt
By the time TX completion happens, sk_refcnt might be already 0.
sock_hold()/sock_put() would then corrupt critical state, like
sk_wmem_alloc.
Fixes:
bf7fa551e0ce ("mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Fri, 3 Mar 2017 22:08:21 +0000 (14:08 -0800)]
tcp: fix various issues for sockets morphing to listen state
[ Upstream commit
02b2faaf0af1d85585f6d6980e286d53612acfc2 ]
Dmitry Vyukov reported a divide by 0 triggered by syzkaller, exploiting
tcp_disconnect() path that was never really considered and/or used
before syzkaller ;)
I was not able to reproduce the bug, but it seems issues here are the
three possible actions that assumed they would never trigger on a
listener.
1) tcp_write_timer_handler
2) tcp_delack_timer_handler
3) MTU reduction
Only IPv6 MTU reduction was properly testing TCP_CLOSE and TCP_LISTEN
states from tcp_v6_mtu_reduced()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Wed, 1 Mar 2017 19:35:07 +0000 (16:35 -0300)]
dccp: Unlock sock before calling sk_free()
[ Upstream commit
d5afb6f9b6bb2c57bd0c05e76e12489dc0d037d9 ]
The code where sk_clone() came from created a new socket and locked it,
but then, on the error path didn't unlock it.
This problem stayed there for a long while, till
b0691c8ee7c2 ("net:
Unlock sock before calling sk_free()") fixed it, but unfortunately the
callers of sk_clone() (now sk_clone_locked()) were not audited and the
one in dccp_create_openreq_child() remained.
Now in the age of the syskaller fuzzer, this was finally uncovered, as
reported by Dmitry:
---- 8< ----
I've got the following report while running syzkaller fuzzer on
86292b33d4b7 ("Merge branch 'akpm' (patches from Andrew)")
[ BUG: held lock freed! ]
4.10.0+ #234 Not tainted
-------------------------
syz-executor6/6898 is freeing memory
ffff88006286cac0-
ffff88006286d3b7, with a lock still held there!
(slock-AF_INET6){+.-...}, at: [<
ffffffff8362c2c9>] spin_lock
include/linux/spinlock.h:299 [inline]
(slock-AF_INET6){+.-...}, at: [<
ffffffff8362c2c9>]
sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504
5 locks held by syz-executor6/6898:
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<
ffffffff839a34b4>] lock_sock
include/net/sock.h:1460 [inline]
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<
ffffffff839a34b4>]
inet_stream_connect+0x44/0xa0 net/ipv4/af_inet.c:681
#1: (rcu_read_lock){......}, at: [<
ffffffff83bc1c2a>]
inet6_csk_xmit+0x12a/0x5d0 net/ipv6/inet6_connection_sock.c:126
#2: (rcu_read_lock){......}, at: [<
ffffffff8369b424>] __skb_unlink
include/linux/skbuff.h:1767 [inline]
#2: (rcu_read_lock){......}, at: [<
ffffffff8369b424>] __skb_dequeue
include/linux/skbuff.h:1783 [inline]
#2: (rcu_read_lock){......}, at: [<
ffffffff8369b424>]
process_backlog+0x264/0x730 net/core/dev.c:4835
#3: (rcu_read_lock){......}, at: [<
ffffffff83aeb5c0>]
ip6_input_finish+0x0/0x1700 net/ipv6/ip6_input.c:59
#4: (slock-AF_INET6){+.-...}, at: [<
ffffffff8362c2c9>] spin_lock
include/linux/spinlock.h:299 [inline]
#4: (slock-AF_INET6){+.-...}, at: [<
ffffffff8362c2c9>]
sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504
Fix it just like was done by
b0691c8ee7c2 ("net: Unlock sock before calling
sk_free()").
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20170301153510.GE15145@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Wed, 1 Mar 2017 22:28:39 +0000 (14:28 -0800)]
net: net_enable_timestamp() can be called from irq contexts
[ Upstream commit
13baa00ad01bb3a9f893e3a08cbc2d072fc0c15d ]
It is now very clear that silly TCP listeners might play with
enabling/disabling timestamping while new children are added
to their accept queue.
Meaning net_enable_timestamp() can be called from BH context
while current state of the static key is not enabled.
Lets play safe and allow all contexts.
The work queue is scheduled only under the problematic cases,
which are the static key enable/disable transition, to not slow down
critical paths.
This extends and improves what we did in commit
5fa8bbda38c6 ("net: use
a work queue to defer net_disable_timestamp() work")
Fixes:
b90e5794c5bd ("net: dont call jump_label_dec from irq context")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexander Potapenko [Wed, 1 Mar 2017 11:57:20 +0000 (12:57 +0100)]
net: don't call strlen() on the user buffer in packet_bind_spkt()
[ Upstream commit
540e2894f7905538740aaf122bd8e0548e1c34a4 ]
KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in packet_bind_spkt():
Acked-by: Eric Dumazet <edumazet@google.com>
==================================================================
BUG: KMSAN: use of unitialized memory
CPU: 0 PID: 1074 Comm: packet Not tainted 4.8.0-rc6+ #1891
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
0000000000000000 ffff88006b6dfc08 ffffffff82559ae8 ffff88006b6dfb48
ffffffff818a7c91 ffffffff85b9c870 0000000000000092 ffffffff85b9c550
0000000000000000 0000000000000092 00000000ec400911 0000000000000002
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<
ffffffff82559ae8>] dump_stack+0x238/0x290 lib/dump_stack.c:51
[<
ffffffff818a6626>] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1003
[<
ffffffff818a783b>] __msan_warning+0x5b/0xb0
mm/kmsan/kmsan_instr.c:424
[< inline >] strlen lib/string.c:484
[<
ffffffff8259b58d>] strlcpy+0x9d/0x200 lib/string.c:144
[<
ffffffff84b2eca4>] packet_bind_spkt+0x144/0x230
net/packet/af_packet.c:3132
[<
ffffffff84242e4d>] SYSC_bind+0x40d/0x5f0 net/socket.c:1370
[<
ffffffff84242a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
[<
ffffffff8515991b>] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
chained origin:
00000000eba00911
[<
ffffffff810bb787>] save_stack_trace+0x27/0x50
arch/x86/kernel/stacktrace.c:67
[< inline >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
[< inline >] kmsan_save_stack mm/kmsan/kmsan.c:334
[<
ffffffff818a59f8>] kmsan_internal_chain_origin+0x118/0x1e0
mm/kmsan/kmsan.c:527
[<
ffffffff818a7773>] __msan_set_alloca_origin4+0xc3/0x130
mm/kmsan/kmsan_instr.c:380
[<
ffffffff84242b69>] SYSC_bind+0x129/0x5f0 net/socket.c:1356
[<
ffffffff84242a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
[<
ffffffff8515991b>] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=
00000000eb400911)
==================================================================
(the line numbers are relative to 4.8-rc6, but the bug persists
upstream)
, when I run the following program as root:
=====================================
#include <string.h>
#include <sys/socket.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
int main() {
struct sockaddr addr;
memset(&addr, 0xff, sizeof(addr));
addr.sa_family = AF_PACKET;
int fd = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL));
bind(fd, &addr, sizeof(addr));
return 0;
}
=====================================
This happens because addr.sa_data copied from the userspace is not
zero-terminated, and copying it with strlcpy() in packet_bind_spkt()
results in calling strlen() on the kernel copy of that non-terminated
buffer.
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paul Hüber [Sun, 26 Feb 2017 16:58:19 +0000 (17:58 +0100)]
l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
[ Upstream commit
51fb60eb162ab84c5edf2ae9c63cf0b878e5547e ]
l2tp_ip_backlog_recv may not return -1 if the packet gets dropped.
The return value is passed up to ip_local_deliver_finish, which treats
negative values as an IP protocol number for resubmission.
Signed-off-by: Paul Hüber <phueber@kernsp.in>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Julian Anastasov [Sun, 26 Feb 2017 15:14:35 +0000 (17:14 +0200)]
ipv4: mask tos for input route
[ Upstream commit
6e28099d38c0e50d62c1afc054e37e573adf3d21 ]
Restore the lost masking of TOS in input route code to
allow ip rules to match it properly.
Problem [1] noticed by Shmulik Ladkani <shmulik.ladkani@gmail.com>
[1] http://marc.info/?t=
137331755300040&r=1&w=2
Fixes:
89aef8921bfb ("ipv4: Delete routing cache.")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
David Forster [Fri, 24 Feb 2017 14:20:32 +0000 (14:20 +0000)]
vti6: return GRE_KEY for vti6
[ Upstream commit
7dcdf941cdc96692ab99fd790c8cc68945514851 ]
Align vti6 with vti by returning GRE_KEY flag. This enables iproute2
to display tunnel keys on "ip -6 tunnel show"
Signed-off-by: David Forster <dforster@brocade.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Matthias Schiffer [Thu, 23 Feb 2017 16:19:41 +0000 (17:19 +0100)]
vxlan: correctly validate VXLAN ID against VXLAN_N_VID
[ Upstream commit
4e37d6911f36545b286d15073f6f2222f840e81c ]
The incorrect check caused an off-by-one error: the maximum VID 0xffffff
was unusable.
Fixes:
d342894c5d2f ("vxlan: virtual extensible lan")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Acked-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Florian Westphal [Thu, 18 Feb 2016 14:03:24 +0000 (15:03 +0100)]
netlink: remove mmapped netlink support
commit
d1b4c689d4130bcfd3532680b64db562300716b6 upstream.
mmapped netlink has a number of unresolved issues:
- TX zerocopy support had to be disabled more than a year ago via
commit
4682a0358639b29cf ("netlink: Always copy on mmap TX.")
because the content of the mmapped area can change after netlink
attribute validation but before message processing.
- RX support was implemented mainly to speed up nfqueue dumping packet
payload to userspace. However, since commit
ae08ce0021087a5d812d2
("netfilter: nfnetlink_queue: zero copy support") we avoid one copy
with the socket-based interface too (via the skb_zerocopy helper).
The other problem is that skbs attached to mmaped netlink socket
behave different from normal skbs:
- they don't have a shinfo area, so all functions that use skb_shinfo()
(e.g. skb_clone) cannot be used.
- reserving headroom prevents userspace from seeing the content as
it expects message to start at skb->head.
See for instance
commit
aa3a022094fa ("netlink: not trim skb for mmaped socket when dump").
- skbs handed e.g. to netlink_ack must have non-NULL skb->sk, else we
crash because it needs the sk to check if a tx ring is attached.
Also not obvious, leads to non-intuitive bug fixes such as
7c7bdf359
("netfilter: nfnetlink: use original skbuff when acking batches").
mmaped netlink also didn't play nicely with the skb_zerocopy helper
used by nfqueue and openvswitch. Daniel Borkmann fixed this via
commit
6bb0fef489f6 ("netlink, mmap: fix edge-case leakages in nf queue
zero-copy")' but at the cost of also needing to provide remaining
length to the allocation function.
nfqueue also has problems when used with mmaped rx netlink:
- mmaped netlink doesn't allow use of nfqueue batch verdict messages.
Problem is that in the mmap case, the allocation time also determines
the ordering in which the frame will be seen by userspace (A
allocating before B means that A is located in earlier ring slot,
but this also means that B might get a lower sequence number then A
since seqno is decided later. To fix this we would need to extend the
spinlocked region to also cover the allocation and message setup which
isn't desirable.
- nfqueue can now be configured to queue large (GSO) skbs to userspace.
Queing GSO packets is faster than having to force a software segmentation
in the kernel, so this is a desirable option. However, with a mmap based
ring one has to use 64kb per ring slot element, else mmap has to fall back
to the socket path (NL_MMAP_STATUS_COPY) for all large packets.
To use the mmap interface, userspace not only has to probe for mmap netlink
support, it also has to implement a recv/socket receive path in order to
handle messages that exceed the size of an rx ring element.
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Shi Yuejie <shiyuejie@outlook.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jin Qian [Tue, 21 Mar 2017 18:43:02 +0000 (11:43 -0700)]
ANDROID: mmc: core: export emmc revision
Change-Id: If23bc838327ef751ee65baadc429e218eaa2a848
Signed-off-by: Jin Qian <jinqian@google.com>
Jungseung Lee [Thu, 22 Dec 2016 03:37:34 +0000 (12:37 +0900)]
BACKPORT: mmc: core: Export device lifetime information through sysfs
In the eMMC 5.0 version of the spec, several EXT_CSD fields about
device lifetime are added.
- Two types of estimated indications reflected by averaged wear out of memory
- An indication reflected by average reserved blocks
Export the information through sysfs.
Signed-off-by: Jungseung Lee <js07.lee@samsung.com>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Badhri Jagan Sridharan [Mon, 20 Mar 2017 21:06:27 +0000 (14:06 -0700)]
ANDROID: android-verity: do not compile as independent module
dm-android-verity depends on optional kernel command line parameters.
When compiled as module the __setup macro ends up being a no-op
resulting in the following warnings:
/work/build/batch/drivers/md/dm-android-verity.c:91:19: warning: 'verity_buildvariant' defined but not used [-Wunused-function]
static int __init verity_buildvariant(char *line)
^~~~~~~~~~~~~~~~~~~
/work/build/batch/drivers/md/dm-android-verity.c:83:19: warning: 'verity_keyid_param' defined but not used [-Wunused-function]
static int __init verity_keyid_param(char *line)
^~~~~~~~~~~~~~~~~~
/work/build/batch/drivers/md/dm-android-verity.c:75:19: warning: 'verity_mode_param' defined but not used [-Wunused-function]
static int __init verity_mode_param(char *line)
^~~~~~~~~~~~~~~~~
/work/build/batch/drivers/md/dm-android-verity.c:67:19: warning: 'verified_boot_state_param' defined but not used [-Wunused-function]
static int __init verified_boot_state_param(char *line)
^~~~~~~~~~~~~~~~~~~~~~~~~
Tested with allmodconfig.
Change-Id: Idfe0c97b216bb620cc7264e968b494eb3a765157
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Todd Kjos [Mon, 20 Mar 2017 15:55:18 +0000 (08:55 -0700)]
resolve merge conflicts of
1c5265be54d3 to android-4.4
Change-Id: Idd5f2956c09b193b2a6ba02410e90b52aa2284d7
Mikulas Patocka [Sat, 18 Mar 2017 11:25:00 +0000 (11:25 +0000)]
dm: flush queued bios when process blocks to avoid deadlock
am:
cd8ad4d9eb
Change-Id: I3348df4146daa436541af94224776d3cbc6f45b2
Dan Williams [Sat, 18 Mar 2017 11:24:51 +0000 (11:24 +0000)]
nfit, libnvdimm: fix interleave set cookie calculation
am:
66dd58f56e
Change-Id: If1b31bbd5fe6a404d167a6b207bef928b998fba0
Michael Holzheu [Sat, 18 Mar 2017 11:24:41 +0000 (11:24 +0000)]
s390/kdump: Use "LINUX" ELF note name instead of "CORE"
am:
a084aeef56
Change-Id: I0bc63ef6143c3bbe7e50c89ece98ab39a93d0082
Janosch Frank [Sat, 18 Mar 2017 11:24:32 +0000 (11:24 +0000)]
KVM: s390: Fix guest migration for huge guests resulting in panic
am:
b0e85701a7
Change-Id: I12bd03d14c3bf2c1e5d2c70e1765eba1d6d202b9
Luis de Bethencourt [Sat, 18 Mar 2017 11:24:22 +0000 (11:24 +0000)]
mvsas: fix misleading indentation
am:
61fbad6a28
Change-Id: I5422457ab66bd8a08f22fae79351dc7133d4f225
Krzysztof Kozlowski [Sat, 18 Mar 2017 11:24:12 +0000 (11:24 +0000)]
serial: samsung: Continue to work if DMA request fails
am:
72ca0ab306
Change-Id: I6b2c536ac7ea2371badb4b8080d2806a001a44d1
Johan Hovold [Sat, 18 Mar 2017 11:24:04 +0000 (11:24 +0000)]
USB: serial: io_ti: fix information leak in completion handler
am:
72bb2b96b8
Change-Id: Ie1079bef9c43dce4ccecb52acbee12b4dd044e3f
Johan Hovold [Sat, 18 Mar 2017 11:23:55 +0000 (11:23 +0000)]
USB: serial: io_ti: fix NULL-deref in interrupt callback
am:
e71c7bad68
Change-Id: I865b297bdb9d8c9eb69e7548ceef6e640f9061e6
Johan Hovold [Sat, 18 Mar 2017 11:23:45 +0000 (11:23 +0000)]
USB: iowarrior: fix NULL-deref in write
am:
6498086195
Change-Id: Ib6ec11fa0bef224af9368ee4aba48d8d4663da50
Johan Hovold [Sat, 18 Mar 2017 11:23:37 +0000 (11:23 +0000)]
USB: iowarrior: fix NULL-deref at probe
am:
179295c38d
Change-Id: If8771741f6228ec6af891a160d5af5f6789f5409
Johan Hovold [Sat, 18 Mar 2017 11:23:27 +0000 (11:23 +0000)]
USB: serial: omninet: fix reference leaks at open
am:
54f11a9662
Change-Id: If2605f1daf506ae915776138b6268d0769a39487
Johan Hovold [Sat, 18 Mar 2017 11:23:18 +0000 (11:23 +0000)]
USB: serial: safe_serial: fix information leak in completion handler
am:
3cdc946387
Change-Id: I2a29b5d7a753bd94d320bda52427bd62ab042787
Guenter Roeck [Sat, 18 Mar 2017 11:23:09 +0000 (11:23 +0000)]
usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
am:
cf09c7d60c
Change-Id: I5cab1e3af61dd148ff737ba1dc68935407342983
Peter Chen [Sat, 18 Mar 2017 11:22:59 +0000 (11:22 +0000)]
usb: host: xhci-dbg: HCIVERSION should be a binary number
am:
40c5634ffe
Change-Id: I41ed67d92ce661cb607ae65e297856b34e6a05d5
Felipe Balbi [Sat, 18 Mar 2017 11:22:49 +0000 (11:22 +0000)]
usb: gadget: function: f_fs: pass companion descriptor along
am:
4a1a3bb70f
Change-Id: I7b29e1d8050144b745f4885566e37d2bbca122a3
Felipe Balbi [Sat, 18 Mar 2017 11:22:39 +0000 (11:22 +0000)]
usb: dwc3: gadget: make Set Endpoint Configuration macros safe
am:
10af248565
Change-Id: I5c852ac4d0fbe9276986df1a57e93979ec8f6cf9
Peter Chen [Sat, 18 Mar 2017 11:22:28 +0000 (11:22 +0000)]
usb: gadget: dummy_hcd: clear usb_gadget region before registration
am:
f47b97f2cd
Change-Id: Ifad25d5604ef1bc2c10cc4c5414348c23f37beb0
Ravi Bangoria [Sat, 18 Mar 2017 11:22:17 +0000 (11:22 +0000)]
powerpc: Emulation support for load/store instructions on LE
am:
2ca39d1300
Change-Id: I4db441c5727a8caef2b50f3a385197a1076ab55d
Rik van Riel [Sat, 18 Mar 2017 11:22:06 +0000 (11:22 +0000)]
tracing: Add #undef to fix compile error
am:
074893495b
Change-Id: I20f387e74bc1cdd5c4a11d55b65e443b85606c0b
James Hogan [Sat, 18 Mar 2017 11:21:55 +0000 (11:21 +0000)]
MIPS: Netlogic: Fix CP0_EBASE redefinition warnings
am:
1276510585
Change-Id: Ib7ca5ebf52d798a057a0d509226b59116da302e9
Ralf Baechle [Sat, 18 Mar 2017 11:21:45 +0000 (11:21 +0000)]
MIPS: DEC: Avoid la pseudo-instruction in delay slots
am:
2e4aff2405
Change-Id: Ia06f405fc818fa7f147d9ae2ac32f74451d580fa
Arnd Bergmann [Sat, 18 Mar 2017 11:21:33 +0000 (11:21 +0000)]
mm: memcontrol: avoid unused function warning
am:
5fad174344
Change-Id: I6734d095131126260931a16a670c66ec58ba4896
Arnd Bergmann [Sat, 18 Mar 2017 11:21:22 +0000 (11:21 +0000)]
cpmac: remove hopeless #warning
am:
5e45d834f7
Change-Id: Icfecd82f0ed400d01e16c1719451ddbdc886c5ef
Arnd Bergmann [Sat, 18 Mar 2017 11:21:11 +0000 (11:21 +0000)]
MIPS: ralink: Remove unused rt*_wdt_reset functions
am:
32883383f5
Change-Id: I1c172b4be8bd694e5781d5f248ed19f8f6bb16e4
John Crispin [Sat, 18 Mar 2017 11:20:59 +0000 (11:20 +0000)]
MIPS: ralink: Cosmetic change to prom_init().
am:
4b91e7a2a9
Change-Id: Icd9d99ba438913cca6698b67caba94acd5416f1d
Arnd Bergmann [Sat, 18 Mar 2017 11:20:47 +0000 (11:20 +0000)]
mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
am:
3dc8f1e3a8
Change-Id: If4374a22df01b414e950e9621d7b0a0353b0dc3d
Arnd Bergmann [Sat, 18 Mar 2017 11:20:36 +0000 (11:20 +0000)]
MIPS: Update lemote2f_defconfig for CPU_FREQ_STAT change
am:
d2a8d746ae
Change-Id: I2acfec230eda26006b4730a91067e86df5ad9c7e
Arnd Bergmann [Sat, 18 Mar 2017 11:20:25 +0000 (11:20 +0000)]
MIPS: ip22: Fix ip28 build for modern gcc
am:
c018595d83
Change-Id: Ibe3c6e3b5e809d24bd298007154b29936ebfdbdb
Arnd Bergmann [Sat, 18 Mar 2017 11:20:14 +0000 (11:20 +0000)]
MIPS: Update ip27_defconfig for SCSI_DH change
am:
7a6a965f35
Change-Id: Ibbda685b2c909cba88f0ec18af89dc23547b719f
Arnd Bergmann [Sat, 18 Mar 2017 11:20:05 +0000 (11:20 +0000)]
MIPS: ip27: Disable qlge driver in defconfig
am:
8ed0fdcc0c
Change-Id: Ie42b6a5c3da2ae00167f31199f5c6c16de680bc0
Arnd Bergmann [Sat, 18 Mar 2017 11:19:53 +0000 (11:19 +0000)]
MIPS: Update defconfigs for NF_CT_PROTO_DCCP/UDPLITE change
am:
adc48c710b
Change-Id: Ib9e9d4fb9330edb63756d893ca382a9e070a2edb
Arnd Bergmann [Sat, 18 Mar 2017 11:19:44 +0000 (11:19 +0000)]
crypto: improve gcc optimization flags for serpent and wp512
am:
e041ad0664
Change-Id: I8ef3c2a7ccc25e521ab9bd5cd21702c695107411
Johan Hovold [Sat, 18 Mar 2017 11:19:34 +0000 (11:19 +0000)]
USB: serial: digi_acceleport: fix OOB-event processing
am:
a8cb5c02a2
Change-Id: I542f42e517db3d00ff3a2b5735149af2bf989c55
Johan Hovold [Sat, 18 Mar 2017 11:19:21 +0000 (11:19 +0000)]
USB: serial: digi_acceleport: fix OOB data sanity check
am:
4d95645f3d
Change-Id: Iabb41fdc9064da31bd16e93ecc1ed5846fca8df5
Greg Kroah-Hartman [Sat, 18 Mar 2017 11:10:23 +0000 (19:10 +0800)]
Linux 4.4.55
Mikulas Patocka [Wed, 15 Feb 2017 16:26:10 +0000 (11:26 -0500)]
dm: flush queued bios when process blocks to avoid deadlock
commit
d67a5f4b5947aba4bfe9a80a2b86079c215ca755 upstream.
Commit
df2cb6daa4 ("block: Avoid deadlocks with bio allocation by
stacking drivers") created a workqueue for every bio set and code
in bio_alloc_bioset() that tries to resolve some low-memory deadlocks
by redirecting bios queued on current->bio_list to the workqueue if the
system is low on memory. However other deadlocks (see below **) may
happen, without any low memory condition, because generic_make_request
is queuing bios to current->bio_list (rather than submitting them).
** the related dm-snapshot deadlock is detailed here:
https://www.redhat.com/archives/dm-devel/2016-July/msg00065.html
Fix this deadlock by redirecting any bios on current->bio_list to the
bio_set's rescue workqueue on every schedule() call. Consequently,
when the process blocks on a mutex, the bios queued on
current->bio_list are dispatched to independent workqueus and they can
complete without waiting for the mutex to be available.
The structure blk_plug contains an entry cb_list and this list can contain
arbitrary callback functions that are called when the process blocks.
To implement this fix DM (ab)uses the onstack plug's cb_list interface
to get its flush_current_bio_list() called at schedule() time.
This fixes the snapshot deadlock - if the map method blocks,
flush_current_bio_list() will be called and it redirects bios waiting
on current->bio_list to appropriate workqueues.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=
1267650
Depends-on:
df2cb6daa4 ("block: Avoid deadlocks with bio allocation by stacking drivers")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Williams [Wed, 1 Mar 2017 02:32:48 +0000 (18:32 -0800)]
nfit, libnvdimm: fix interleave set cookie calculation
commit
86ef58a4e35e8fa66afb5898cf6dec6a3bb29f67 upstream.
The interleave-set cookie is a sum that sanity checks the composition of
an interleave set has not changed from when the namespace was initially
created. The checksum is calculated by sorting the DIMMs by their
location in the interleave-set. The comparison for the sort must be
64-bit wide, not byte-by-byte as performed by memcmp() in the broken
case.
Fix the implementation to accept correct cookie values in addition to
the Linux "memcmp" order cookies, but only allow correct cookies to be
generated going forward. It does mean that namespaces created by
third-party-tooling, or created by newer kernels with this fix, will not
validate on older kernels. However, there are a couple mitigating
conditions:
1/ platforms with namespace-label capable NVDIMMs are not widely
available.
2/ interleave-sets with a single-dimm are by definition not affected
(nothing to sort). This covers the QEMU-KVM NVDIMM emulation case.
The cookie stored in the namespace label will be fixed by any write the
namespace label, the most straightforward way to achieve this is to
write to the "alt_name" attribute of a namespace in sysfs.
Fixes:
eaf961536e16 ("libnvdimm, nfit: add interleave-set state-tracking infrastructure")
Reported-by: Nicholas Moulin <nicholas.w.moulin@linux.intel.com>
Tested-by: Nicholas Moulin <nicholas.w.moulin@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michael Holzheu [Tue, 7 Feb 2017 17:09:14 +0000 (18:09 +0100)]
s390/kdump: Use "LINUX" ELF note name instead of "CORE"
commit
a4a81d8eebdc1d209d034f62a082a5131e4242b5 upstream.
In binutils/libbfd (bfd/elf.c) it is enforced that all s390 specific ELF
notes like e.g. NT_S390_PREFIX or NT_S390_CTRS have "LINUX" specified
as note name. Otherwise the notes are ignored.
For /proc/vmcore we currently use "CORE" for these notes.
Up to now this has not been a real problem because the dump analysis tool
"crash" does not check the note name. But it will break all programs that
use libbfd for processing ELF notes.
So fix this and use "LINUX" for all s390 specific notes to comply with
libbfd.
Reported-by: Philipp Rudo <prudo@linux.vnet.ibm.com>
Reviewed-by: Philipp Rudo <prudo@linux.vnet.ibm.com>
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Janosch Frank [Thu, 2 Mar 2017 14:23:42 +0000 (15:23 +0100)]
KVM: s390: Fix guest migration for huge guests resulting in panic
commit
2e4d88009f57057df7672fa69a32b5224af54d37 upstream.
While we can technically not run huge page guests right now, we can
setup a guest with huge pages. Trying to migrate it will trigger a
VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it
will happily try to work on non-existing page table entries.
With this patch, we always return "dirty" if we encounter a large page
when migrating. This at least fixes the immediate problem until we
have proper handling for both kind of pages.
Fixes:
15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
Cc: <stable@vger.kernel.org> # 3.16+
Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Luis de Bethencourt [Mon, 30 Nov 2015 14:32:17 +0000 (14:32 +0000)]
mvsas: fix misleading indentation
commit
7789cd39274c51bf475411fe22a8ee7255082809 upstream.
Fix a smatch warning:
drivers/scsi/mvsas/mv_sas.c:740 mvs_task_prep() warn: curly braces intended?
The code is correct, the indention is misleading. When the device is not
ready we want to return SAS_PHY_DOWN. But current indentation makes it
look like we only do so in the else branch of if (mvi_dev).
Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Krzysztof Kozlowski [Sat, 25 Feb 2017 16:36:44 +0000 (18:36 +0200)]
serial: samsung: Continue to work if DMA request fails
commit
f98c7bce570bdbe344b74ff5daa7dfeef3f22929 upstream.
If DMA is not available (even when configured in DeviceTree), the driver
will fail the startup procedure thus making serial console not
available.
For example this causes boot failure on QEMU ARMv7 (Exynos4210, SMDKC210):
[ 1.302575] OF: amba_device_add() failed (-19) for /amba/pdma@
12680000
...
[ 11.435732] samsung-uart
13800000.serial: DMA request failed
[ 72.963893] samsung-uart
13800000.serial: DMA request failed
[ 73.143361] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
DMA is not necessary for serial to work, so continue with UART startup
after emitting a warning.
Fixes:
62c37eedb74c ("serial: samsung: add dma reqest/release functions")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 6 Mar 2017 16:36:40 +0000 (17:36 +0100)]
USB: serial: io_ti: fix information leak in completion handler
commit
654b404f2a222f918af9b0cd18ad469d0c941a8e upstream.
Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that can be triggered by a malicious device.
This avoids leaking 128 kB of memory content from after the URB transfer
buffer to user space.
Fixes:
8c209e6782ca ("USB: make actual_length in struct urb field u32")
Fixes:
1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 6 Mar 2017 16:36:37 +0000 (17:36 +0100)]
USB: serial: io_ti: fix NULL-deref in interrupt callback
commit
0b1d250afb8eb9d65afb568bac9b9f9253a82b49 upstream.
Fix a NULL-pointer dereference in the interrupt callback should a
malicious device send data containing a bad port number by adding the
missing sanity check.
Fixes:
1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Tue, 7 Mar 2017 15:11:04 +0000 (16:11 +0100)]
USB: iowarrior: fix NULL-deref in write
commit
de46e56653de7b3b54baa625bd582635008b8d05 upstream.
Make sure to verify that we have the required interrupt-out endpoint for
IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
should a malicious device lack such an endpoint.
Fixes:
946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Tue, 7 Mar 2017 15:11:03 +0000 (16:11 +0100)]
USB: iowarrior: fix NULL-deref at probe
commit
b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream.
Make sure to check for the required interrupt-in endpoint to avoid
dereferencing a NULL-pointer should a malicious device lack such an
endpoint.
Note that a fairly recent change purported to fix this issue, but added
an insufficient test on the number of endpoints only, a test which can
now be removed.
Fixes:
4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
Fixes:
946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 6 Mar 2017 16:36:38 +0000 (17:36 +0100)]
USB: serial: omninet: fix reference leaks at open
commit
30572418b445d85fcfe6c8fe84c947d2606767d8 upstream.
This driver needlessly took another reference to the tty on open, a
reference which was then never released on close. This lead to not just
a leak of the tty, but also a driver reference leak that prevented the
driver from being unloaded after a port had once been opened.
Fixes:
4a90f09b20f4 ("tty: usb-serial krefs")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Theodore Ts'o [Tue, 14 Feb 2017 16:31:15 +0000 (11:31 -0500)]
ext4: don't BUG when truncating encrypted inodes on the orphan list
commit
0d06863f903ac5f4f6efb0273079d27de3e53a28 upstream.
Fix a BUG when the kernel tries to mount a file system constructed as
follows:
echo foo > foo.txt
mke2fs -Fq -t ext4 -O encrypt foo.img 100
debugfs -w foo.img << EOF
write foo.txt a
set_inode_field a i_flags 0x80800
set_super_value s_last_orphan 12
quit
EOF
root@kvm-xfstests:~# mount -o loop foo.img /mnt
[ 160.238770] ------------[ cut here ]------------
[ 160.240106] kernel BUG at /usr/projects/linux/ext4/fs/ext4/inode.c:3874!
[ 160.240106] invalid opcode: 0000 [#1] SMP
[ 160.240106] Modules linked in:
[ 160.240106] CPU: 0 PID: 2547 Comm: mount Tainted: G W
4.10.0-rc3-00034-gcdd33b941b67 #227
[ 160.240106] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014
[ 160.240106] task:
f4518000 task.stack:
f47b6000
[ 160.240106] EIP: ext4_block_zero_page_range+0x1a7/0x2b4
[ 160.240106] EFLAGS:
00010246 CPU: 0
[ 160.240106] EAX:
00000001 EBX:
f7be4b50 ECX:
f47b7dc0 EDX:
00000007
[ 160.240106] ESI:
f43b05a8 EDI:
f43babec EBP:
f47b7dd0 ESP:
f47b7dac
[ 160.240106] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 160.240106] CR0:
80050033 CR2:
bfd85b08 CR3:
34a00680 CR4:
000006f0
[ 160.240106] Call Trace:
[ 160.240106] ext4_truncate+0x1e9/0x3e5
[ 160.240106] ext4_fill_super+0x286f/0x2b1e
[ 160.240106] ? set_blocksize+0x2e/0x7e
[ 160.240106] mount_bdev+0x114/0x15f
[ 160.240106] ext4_mount+0x15/0x17
[ 160.240106] ? ext4_calculate_overhead+0x39d/0x39d
[ 160.240106] mount_fs+0x58/0x115
[ 160.240106] vfs_kern_mount+0x4b/0xae
[ 160.240106] do_mount+0x671/0x8c3
[ 160.240106] ? _copy_from_user+0x70/0x83
[ 160.240106] ? strndup_user+0x31/0x46
[ 160.240106] SyS_mount+0x57/0x7b
[ 160.240106] do_int80_syscall_32+0x4f/0x61
[ 160.240106] entry_INT80_32+0x2f/0x2f
[ 160.240106] EIP: 0xb76b919e
[ 160.240106] EFLAGS:
00000246 CPU: 0
[ 160.240106] EAX:
ffffffda EBX:
08053838 ECX:
08052188 EDX:
080537e8
[ 160.240106] ESI:
c0ed0000 EDI:
00000000 EBP:
080537e8 ESP:
bfa13660
[ 160.240106] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
[ 160.240106] Code: 59 8b 00 a8 01 0f 84 09 01 00 00 8b 07 66 25 00 f0 66 3d 00 80 75 61 89 f8 e8 3e e2 ff ff 84 c0 74 56 83 bf 48 02 00 00 00 75 02 <0f> 0b 81 7d e8 00 10 00 00 74 02 0f 0b 8b 43 04 8b 53 08 31 c9
[ 160.240106] EIP: ext4_block_zero_page_range+0x1a7/0x2b4 SS:ESP: 0068:
f47b7dac
[ 160.317241] ---[ end trace
d6a773a375c810a5 ]---
The problem is that when the kernel tries to truncate an inode in
ext4_truncate(), it tries to clear any on-disk data beyond i_size.
Without the encryption key, it can't do that, and so it triggers a
BUG.
E2fsck does *not* provide this service, and in practice most file
systems have their orphan list processed by e2fsck, so to avoid
crashing, this patch skips this step if we don't have access to the
encryption key (which is the case when processing the orphan list; in
all other cases, we will have the encryption key, or the kernel
wouldn't have allowed the file to be opened).
An open question is whether the fact that e2fsck isn't clearing the
bytes beyond i_size causing problems --- and if we've lived with it
not doing it for so long, can we drop this from the kernel replay of
the orphan list in all cases (not just when we don't have the key for
encrypted inodes).
Addresses-Google-Bug: #
35209576
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 6 Mar 2017 16:36:41 +0000 (17:36 +0100)]
USB: serial: safe_serial: fix information leak in completion handler
commit
8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 upstream.
Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that could be triggered by a malicious device.
This avoids leaking up to 56 bytes from after the URB transfer buffer to
user space.
Fixes:
1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Guenter Roeck [Thu, 9 Mar 2017 13:39:37 +0000 (15:39 +0200)]
usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
commit
dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream.
Upstream commit
98d74f9ceaef ("xhci: fix 10 second timeout on removal of
PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI
xhci controllers which can result in excessive timeouts, to the point where
the system reports a deadlock.
The same problem is seen with hot pluggable xhci controllers using the
xhci-plat driver, such as the driver used for Type-C ports on rk3399.
Similar to hot-pluggable PCI controllers, the driver for this chip
removes the xhci controller from the system when the Type-C cable is
disconnected.
The solution for PCI devices works just as well for non-PCI devices
and avoids the problem.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Chen [Thu, 9 Mar 2017 13:39:36 +0000 (15:39 +0200)]
usb: host: xhci-dbg: HCIVERSION should be a binary number
commit
f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 upstream.
According to xHCI spec, HCIVERSION containing a BCD encoding
of the xHCI specification revision number, 0100h corresponds
to xHCI version 1.0. Change "100" as "0x100".
Cc: Lu Baolu <baolu.lu@linux.intel.com>
Fixes:
04abb6de2825 ("xhci: Read and parse new xhci 1.1 capability register")
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felipe Balbi [Tue, 31 Jan 2017 12:54:45 +0000 (14:54 +0200)]
usb: gadget: function: f_fs: pass companion descriptor along
commit
2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 upstream.
If we're dealing with SuperSpeed endpoints, we need
to make sure to pass along the companion descriptor
and initialize fields needed by the Gadget
API. Eventually, f_fs.c should be converted to use
config_ep_by_speed() like all other functions,
though.
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felipe Balbi [Tue, 31 Jan 2017 11:24:54 +0000 (13:24 +0200)]
usb: dwc3: gadget: make Set Endpoint Configuration macros safe
commit
7369090a9fb57c3fc705ce355d2e4523a5a24716 upstream.
Some gadget drivers are bad, bad boys. We notice
that ADB was passing bad Burst Size which caused top
bits of param0 to be overwritten which confused DWC3
when running this command.
In order to avoid future issues, we're going to make
sure values passed by macros are always safe for the
controller. Note that ADB still needs a fix to *not*
pass bad values.
Reported-by: Mohamed Abbas <mohamed.abbas@intel.com>
Sugested-by: Adam Andruszak <adam.andruszak@intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Chen [Tue, 28 Feb 2017 06:25:45 +0000 (14:25 +0800)]
usb: gadget: dummy_hcd: clear usb_gadget region before registration
commit
5bbc852676ae08e818241cf66a3ffe4be44225c4 upstream.
When the user does device unbind and rebind test, the kernel will
show below dump due to usb_gadget memory region is dirty after unbind.
Clear usb_gadget region for every new probe.
root@imx6qdlsolo:/sys/bus/platform/drivers/dummy_udc# echo dummy_udc.0 > bind
[ 102.523312] kobject (
eddd78b0): tried to init an initialized object, something is seriously wrong.
[ 102.532447] CPU: 0 PID: 734 Comm: sh Not tainted
4.10.0-rc7-00872-g1b2b8e9 #1298
[ 102.539866] Hardware name: Freescale i.MX6 SoloX (Device Tree)
[ 102.545717] Backtrace:
[ 102.548225] [<
c010d090>] (dump_backtrace) from [<
c010d338>] (show_stack+0x18/0x1c)
[ 102.555822] r7:
ede34000 r6:
60010013 r5:
00000000 r4:
c0f29418
[ 102.561512] [<
c010d320>] (show_stack) from [<
c040c2a4>] (dump_stack+0xb4/0xe8)
[ 102.568764] [<
c040c1f0>] (dump_stack) from [<
c040e6d4>] (kobject_init+0x80/0x9c)
[ 102.576187] r10:
0000001f r9:
eddd7000 r8:
eeaf8c10 r7:
eddd78a8 r6:
c177891c r5:
c0f3b060
[ 102.584036] r4:
eddd78b0 r3:
00000000
[ 102.587641] [<
c040e654>] (kobject_init) from [<
c05359a4>] (device_initialize+0x28/0xf8)
[ 102.595665] r5:
eebc4800 r4:
eddd78a8
[ 102.599268] [<
c053597c>] (device_initialize) from [<
c05382ac>] (device_register+0x14/0x20)
[ 102.607556] r7:
eddd78a8 r6:
00000000 r5:
eebc4800 r4:
eddd78a8
[ 102.613256] [<
c0538298>] (device_register) from [<
c0668ef4>] (usb_add_gadget_udc_release+0x8c/0x1ec)
[ 102.622410] r5:
eebc4800 r4:
eddd7860
[ 102.626015] [<
c0668e68>] (usb_add_gadget_udc_release) from [<
c0669068>] (usb_add_gadget_udc+0x14/0x18)
[ 102.635351] r10:
0000001f r9:
eddd7000 r8:
eddd788c r7:
bf003770 r6:
eddd77f8 r5:
eddd7818
[ 102.643198] r4:
eddd785c r3:
eddd7b24
[ 102.646834] [<
c0669054>] (usb_add_gadget_udc) from [<
bf003428>] (dummy_udc_probe+0x170/0x1c4 [dummy_hcd])
[ 102.656458] [<
bf0032b8>] (dummy_udc_probe [dummy_hcd]) from [<
c053d114>] (platform_drv_probe+0x54/0xb8)
[ 102.665881] r10:
00000008 r9:
c1778960 r8:
bf004128 r7:
fffffdfb r6:
bf004128 r5:
eeaf8c10
[ 102.673727] r4:
eeaf8c10
[ 102.676293] [<
c053d0c0>] (platform_drv_probe) from [<
c053b160>] (driver_probe_device+0x264/0x474)
[ 102.685186] r7:
00000000 r6:
00000000 r5:
c1778960 r4:
eeaf8c10
[ 102.690876] [<
c053aefc>] (driver_probe_device) from [<
c05397c4>] (bind_store+0xb8/0x14c)
[ 102.698994] r10:
eeb3bb4c r9:
ede34000 r8:
0000000c r7:
eeaf8c44 r6:
bf004128 r5:
c0f3b668
[ 102.706840] r4:
eeaf8c10
[ 102.709402] [<
c053970c>] (bind_store) from [<
c0538ca8>] (drv_attr_store+0x28/0x34)
[ 102.716998] r9:
ede34000 r8:
00000000 r7:
ee3863c0 r6:
ee3863c0 r5:
c0538c80 r4:
c053970c
[ 102.724776] [<
c0538c80>] (drv_attr_store) from [<
c029c930>] (sysfs_kf_write+0x50/0x54)
[ 102.732711] r5:
c0538c80 r4:
0000000c
[ 102.736313] [<
c029c8e0>] (sysfs_kf_write) from [<
c029be84>] (kernfs_fop_write+0x100/0x214)
[ 102.744599] r7:
ee3863c0 r6:
eeb3bb40 r5:
00000000 r4:
00000000
[ 102.750287] [<
c029bd84>] (kernfs_fop_write) from [<
c0222dd8>] (__vfs_write+0x34/0x120)
[ 102.758231] r10:
00000000 r9:
ede34000 r8:
c0108bc4 r7:
0000000c r6:
ede35f80 r5:
c029bd84
[ 102.766077] r4:
ee223780
[ 102.768638] [<
c0222da4>] (__vfs_write) from [<
c0224678>] (vfs_write+0xa8/0x170)
[ 102.775974] r9:
ede34000 r8:
c0108bc4 r7:
ede35f80 r6:
01861cb0 r5:
ee223780 r4:
0000000c
[ 102.783743] [<
c02245d0>] (vfs_write) from [<
c0225498>] (SyS_write+0x4c/0xa8)
[ 102.790818] r9:
ede34000 r8:
c0108bc4 r7:
0000000c r6:
01861cb0 r5:
ee223780 r4:
ee223780
[ 102.798595] [<
c022544c>] (SyS_write) from [<
c0108a20>] (ret_fast_syscall+0x0/0x1c)
[ 102.806188] r7:
00000004 r6:
b6e83d58 r5:
01861cb0 r4:
0000000c
Fixes:
90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Tested-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ravi Bangoria [Tue, 14 Feb 2017 09:16:42 +0000 (14:46 +0530)]
powerpc: Emulation support for load/store instructions on LE
commit
e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream.
emulate_step() uses a number of underlying kernel functions that were
initially not enabled for LE. This has been rectified since. So, fix
emulate_step() for LE for the corresponding instructions.
Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rik van Riel [Thu, 29 Sep 2016 02:55:54 +0000 (22:55 -0400)]
tracing: Add #undef to fix compile error
commit
bf7165cfa23695c51998231c4efa080fe1d3548d upstream.
There are several trace include files that define TRACE_INCLUDE_FILE.
Include several of them in the same .c file (as I currently have in
some code I am working on), and the compile will blow up with a
"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
Every other include file in include/trace/events/ avoids that issue
by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
should have one, too.
Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
Fixes:
b8007ef74222 ("tracing: Separate raw syscall from syscall tracer")
Signed-off-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
James Hogan [Thu, 28 Apr 2016 16:06:16 +0000 (17:06 +0100)]
MIPS: Netlogic: Fix CP0_EBASE redefinition warnings
commit
32eb6e8bee147b45e5e59230630d59541ccbb6e5 upstream.
A couple of netlogic assembly files define CP0_EBASE to $15, the same as
CP0_PRID in mipsregs.h, and use it for accessing both CP0_PRId and
CP0_EBase registers. However commit
609cf6f2291a ("MIPS: CPS: Early
debug using an ns16550-compatible UART") added a different definition of
CP0_EBASE to mipsregs.h, which included a register select of 1. This
causes harmless build warnings like the following:
arch/mips/netlogic/common/reset.S:53:0: warning: "CP0_EBASE" redefined
#define CP0_EBASE $15
^
In file included from arch/mips/netlogic/common/reset.S:41:0:
./arch/mips/include/asm/mipsregs.h:63:0: note: this is the location of the previous definition
#define CP0_EBASE $15, 1
^
Update the code to use the definitions from mipsregs.h for accessing
both registers.
Fixes:
609cf6f2291a ("MIPS: CPS: Early debug using an ns16550-compatible UART")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Acked-by: Jayachandran C <jchandra@broadcom.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13183/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>