commit 8518814021e098a07b305a3c98620fc414ac0f20 Author: Ben Hutchings Date: Sat Nov 11 13:34:52 2017 +0000 Linux 3.2.95 commit 747ea873db4fb9836bacfdc6f4d7d7d11d3d808d Author: Uwe Kleine-König Date: Wed Sep 24 08:51:57 2014 +0100 ARM: 8160/1: drop warning about return_address not using unwind tables commit e16343c47e4276f5ebc77ca16feb5e50ca1918f9 upstream. The warning was introduced in 2009 (commit 4bf1fa5a34aa ([ARM] 5613/1: implement CALLER_ADDRESSx)). The only "problem" here is that CALLER_ADDRESSx for x > 1 returns NULL which doesn't do much harm. The drawback of implementing a fix (i.e. use unwind tables to implement CALLER_ADDRESSx) is that much of the unwinder code would need to be marked as not traceable. Signed-off-by: Uwe Kleine-König Signed-off-by: Russell King [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 32a6af2a2753ca072c46887af39e2aaaab38ed4b Author: A Raghavendra Rao Date: Thu Aug 7 14:10:39 2014 +0530 Staging: wlan-ng: fix sparse warning in prism2fw.c commit 41cb65c4854e14f12b1cbb8215e509d8ad4d0c88 upstream. Fix the following sparse warning : In file included from drivers/staging/wlan-ng/prism2usb.c:5:0: drivers/staging/wlan-ng/prism2fw.c: In function ‘read_cardpda.constprop.43’: drivers/staging/wlan-ng/prism2fw.c:792:1: warning: the frame size of 1068 bytes is larger than 1024 bytes [-Wframe-larger-than=] The variable to 'struct p80211msg_p2req_readpda' was previously being created on the stack, which inturn exeeded the frame size limit, resulting in a sparse warning. This patch alloctes the memory to the structure dynamically and the operations are left unchanged. Signed-off-by: A Raghavendra Rao Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 537aebf3c411c6db49d98b0c4c34cd588e632c49 Author: Arnd Bergmann Date: Fri May 5 21:47:23 2017 +0200 staging: vt6655: fix overly large stack usage We get a warning for the large stack usage in some configurations: drivers/staging/vt6655/device_main.c: In function 'device_ioctl': drivers/staging/vt6655/device_main.c:2974:1: warning: the frame size of 1304 bytes is larger than 1024 bytes [-Wframe-larger-than=] This is addressed in linux-3.19 with commit 67013f2c0e58 ("staging: vt6655: mac80211 conversion add main mac80211 functions"), which obsoletes the device_ioctl() function, but as that does not apply to stable kernels, this picks an easier way out by using dynamic allocation. The driver was merged in 2.6.31, and the fix applies to all versions before 3.19. Fixes: 5449c685a4b3 ("Staging: Add pristine upstream vt6655 driver sources") Signed-off-by: Arnd Bergmann [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 5a67995b4fe4b606468374a1a09839042163b434 Author: Arnd Bergmann Date: Fri May 5 21:47:21 2017 +0200 staging: bcm: add 32-bit host dependency The driver uses a 32-bit variable to store a pointer, causing a couple of warnings: ../drivers/staging/bcm/CmHost.c: In function 'StoreCmControlResponseMessage': ../drivers/staging/bcm/CmHost.c:1503:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] (struct bcm_connect_mgr_params *) ntohl( ^ ../drivers/staging/bcm/CmHost.c:1546:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] (struct bcm_connect_mgr_params *) ntohl( ^ ../drivers/staging/bcm/CmHost.c:1564:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] (struct bcm_connect_mgr_params *) ntohl( I fixed other warnings in an earlier commit 9f1c75ac2dba ("staging/bcm: fix most build warnings"), but couldn't figure out what was the intended behavior on 64-bit machines here. The driver was removed in linux-3.19, commit d09e9b160fc1 ("staging: bcm: remove driver") which explains that it never worked on 64-bit machines. This adds a Kconfig dependency instead to prevent it from being built in the known broken configuration. This workaround applies to v2.6.37 or higher. Fixes: f8942e07a3db ("staging: Beeceem USB Wimax driver") Signed-off-by: Arnd Bergmann [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 04508cae9f4237afc39fffb33c7864e245c656fe Author: Jeff Kirsher Date: Thu Sep 18 02:33:41 2014 -0700 am2150: Update nmclan_cs.c to use update PCMCIA API commit 5f5316fcd08ef74b282adf6774956431fac62663 upstream. Resolves compile warning about use of a deprecated function call: drivers/net/ethernet/amd/nmclan_cs.c: In function ‘nmclan_config’: drivers/net/ethernet/amd/nmclan_cs.c:624:3: warning: ‘pcmcia_request_exclusive_irq’ is deprecated (declared at include/pcmcia/ds.h:213) [-Wdeprecated-declarations] ret = pcmcia_request_exclusive_irq(link, mace_interrupt); Updates pcmcia_request_exclusive_irq() to pcmcia_request_irq(). CC: Roger Pao Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 93837ec73439a1e90113b6d782b6099edaaaefeb Author: Arnd Bergmann Date: Wed Jan 28 15:15:04 2015 +0100 net: am2150: fix nmclan_cs.c shared interrupt handling commit 96a30175f927facfb421655ef08b7a0fe546fbed upstream. A recent patch tried to work around a valid warning for the use of a deprecated interface by blindly changing from the old pcmcia_request_exclusive_irq() interface to pcmcia_request_irq(). This driver has an interrupt handler that is not currently aware of shared interrupts, but can be easily converted to be. At the moment, the driver reads the interrupt status register repeatedly until it contains only zeroes in the interesting bits, and handles each bit individually. This patch adds the missing part of returning IRQ_NONE in case none of the bits are set to start with, so we can move on to the next interrupt source. Signed-off-by: Arnd Bergmann Fixes: 5f5316fcd08ef7 ("am2150: Update nmclan_cs.c to use update PCMCIA API") Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 8508994215f57a35adc96516c8dc091ecc773f59 Author: Arnd Bergmann Date: Fri May 5 21:46:53 2017 +0200 scsi: advansys: remove #warning message The advansys driver was converted to the proper DMA API in linux-4.2, but the 3.18-stable kernel still warns about this: drivers/scsi/advansys.c:71:2: warning: #warning this driver is still not properly converted to the DMA API [-Wcpp] The warning clearly is not helpful in 3.18 any more, it just clutters up the build log. This removes the warning instead, and clarifies the comment above it. Cc: Hannes Reinecke Signed-off-by: Arnd Bergmann [bwh: Changed comment to say 3.2] Signed-off-by: Ben Hutchings commit f2765368bd876fe4223d2f46a1ae124dbe3dd9f2 Author: Dan Williams Date: Tue Dec 6 23:24:42 2011 -0800 libsas: prevent double completion of scmds from eh commit a3a142524aa4b1539a64a55087bf12ffa4b1f94e upstream. We invoke task->task_done() to free the task in the eh case, but at this point we are prepared for scsi_eh_flush_done_q() to finish off the scmd. Introduce sas_end_task() to capture the final response status from the lldd and free the task. Also take the opportunity to kill this warning. drivers/scsi/libsas/sas_scsi_host.c: In function ‘sas_end_task’: drivers/scsi/libsas/sas_scsi_host.c:102:3: warning: case value ‘2’ not in enumerated type ‘enum exec_status’ [-Wswitch] Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Ben Hutchings commit 9e0e927efb469f5e4c4da1e0818ecfc04fe6b82d Author: Andrew Vincer Date: Tue Nov 8 12:43:45 2011 -0300 rc: Fix input deadlock and transmit error in redrat3 driver commit dbea1880368071dfa97d5e6aa4a368e7d0146a85 upstream. Fixed submit urb logic so hardware doesn't hang trying to transmit signal data Removed unneeded enable/disable detector commands in redrat3_transmit_ir (the hardware does this anyway) and converted arguments to unsigned as per 5588dc2 Signed-off-by: Andrew Vincer Cc: Jarod Wilson Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit b3391c0f17574392ed04bca6a9148748c006d10c Author: Keith Packard Date: Fri Dec 9 11:33:00 2011 -0800 drm/i915: Clean up multi-threaded forcewake patch commit c7dffff7cc8de748edf0e9f6571cdabecb198705 upstream. We learned that the ECOBUS register was inside the GT power well, and so *did* need force wake to be read, so it gets removed from the list of 'doesn't need force wake' registers. That means the code reading ECOBUS after forcing the mt_force_wake function to be called needs to use I915_READ_NOTRACE; it doesn't need to do more force wake fun as it's already done it manually. This also adds a comment explaining why the MT forcewake testing code only needs to call mt_forcewake_get/put and not disable RC6 manually -- the ECOBUS read will return 0 if the device is in RC6 and isn't using MT forcewake, causing the test to work correctly. Signed-off-by: Keith Packard Cc: Jesse Barnes [bwh: Backported to 3.2: I previously backported a change to NEEDS_FORCE_WAKE() and applied it to the version in i915_drv.c, the one that was actually being used. Move that change to i915_drv.h now.] Signed-off-by: Ben Hutchings commit bc4056f4efd3fee2f89579023aa4bd714beb4131 Author: Dan Carpenter Date: Fri Mar 23 04:35:33 2012 -0300 mxl111sf: remove an unused variable commit 3fd7e4341e04f80e2605f56bbd8cb1e8b027901a upstream. We don't use this any more after 3be5bb71fb "[media] mxl111sf: fix error on stream stop in mxl111sf_ep6_streaming_ctrl()" and it makes GCC complain. Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit 1c2fbde8a12870e1301fda3a83cc92636e4ac17c Author: David S. Miller Date: Sat Nov 26 15:41:29 2011 -0500 ray_cs: Fix array bounds warnings. commit b4c0e72e80e2e04b462ea05cc5a001807d7feed6 upstream. rx_msg is defined to have a 1 entry array at the end, so gcc warns: drivers/net/wireless/ray_cs.c: In function ‘rx_authenticate’: drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2436:3: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2439:15: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2452:16: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2453:18: warning: array subscript is above array bounds [-Warray-bounds] drivers/net/wireless/ray_cs.c:2453:32: warning: array subscript is above array bounds [-Warray-bounds] Use a zero length array and rename to "ray_rx_msg" to make sure we hit all of the necessary cases. Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 5df98fd0a5d24fd082889eb1448cf68199f77cd9 Author: Ben Hutchings Date: Mon Nov 6 02:50:25 2017 +0000 mct_u232: Fix use of uninitialized pointer in mct_u323_startup() My backport of commit 4e9a0b05257f "USB: mct_u232: add sanity checking in probe" incorrectly added a dev_err() call using port->dev before 'port' was initialised. Use the 'serial' parameter to look up the device instead. Signed-off-by: Ben Hutchings commit a481b9a8b1e54d0ab7acc3ec6eb881bb8a18cdff Author: Randy Dunlap Date: Sun Jun 24 21:35:29 2012 -0700 staging: reduce stack usage in prism2fw.c commit c90e3e80b9751335cc98934ae32188fa7de6bccd upstream. Fix frame size (stack usage) warning by allocating and freeing pointers to the data. drivers/staging/wlan-ng/prism2fw.c:1115:1: warning: the frame size of 4288 bytes is larger than 2048 bytes Signed-off-by: Randy Dunlap Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit b765188ad9753664fc87b74a7ef262cb5bea94d2 Author: Peter Huewe Date: Tue Feb 19 05:18:50 2013 +0100 staging/slicoss: Fix operation may be undefined warning commit 6d1b80fd886937ad4d6169ffa78cb0075eebce53 upstream. gcc complains about an undefined operation: slicoss.c:1417:19: warning: operation on 'rspq->pageindex' may be undefined [-Wsequence-point] The intended operation was (probably) to retrieve the pageindex + 1 and let it wrap around if it reaches the num_pages. Signed-off-by: Peter Huewe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 0e283937392d4c91189a18b7e48ca3043c70db58 Author: Ben Hutchings Date: Thu Sep 8 02:09:42 2011 +0100 sfc: Merge efx_mcdi_mac_check_fault() and efx_mcdi_get_mac_faults() commit 1daf417029ddc10b7854430c1e1118df791d0eaf upstream. The latter is only called by the former, which is a very short wrapper. Further, gcc 4.5 may currently wrongly warn that the 'faults' variable may be used uninitialised. Signed-off-by: Ben Hutchings [bwh: Backported to 3.2: keep efx_mcdi_get_mac_faults() static] Signed-off-by: Ben Hutchings commit 02d5072ddfc6cdd999a8551ab6ac8ce74767da69 Author: Leed Aguilar Date: Thu Jun 14 11:05:31 2012 -0400 staging:iio:gyro:adis16080: remove sparse warnings commit 4d9505af7743828464d066795c6e1311c7884db4 upstream. Removed the following sparse warning: In function 'adis16080_read_raw': warning: 'ut' may be used uninitialized in this function Signed-off-by: Leed Aguilar Acked-by: Lars-Peter Clausen Cc: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit e11a0bcbcc750360a5ab6342325380d598ce12f8 Author: Reddy, Sreekanth Date: Tue Feb 26 17:36:12 2013 +0530 mpt2sas: fix for unused variable 'event_data' warning commit c3a634bf78242177fba9c85deb709e7b63ed0ef1 upstream. If CONFIG_SCSI_MPT2SAS_LOGGING is undefined, then these warnings are emitted drivers/scsi/mpt2sas/mpt2sas_scsih.c: In function '_scsih_sas_broadcast_primitive_event' drivers/scsi/mpt2sas/mpt2sas_scsih.c:5810:40: warning: unused variable 'event_data' Use pr_info() function instead of dewtprintk(). Signed-off-by: Sreekanth Reddy Signed-off-by: James Bottomley Signed-off-by: Ben Hutchings commit d04373d64108bfb0f65eb4c83882f944e1bc7d02 Author: Michael Hennerich Date: Mon Jul 16 09:42:00 2012 +0100 iio: staging: ad7298_ring: Fix maybe-uninitialized warning commit dfffd0d65fdf16d034681716dcbea74776f62e40 upstream. drivers/staging/iio/adc/ad7298_ring.c:97:37: warning: 'time_ns' may be used uninitialized in this function [-Wmaybe-uninitialized] Reported-by: Fengguang Wu Signed-off-by: Michael Hennerich Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings commit d09fa59c00edc5ece383ce5426d2e88fef7448a4 Author: Andreas Ruprecht Date: Mon Nov 28 16:59:13 2011 +0100 Staging: iio/accel: Changed return type of lis3l02dq_read_event_config() to int commit 28998e005bb669b60de0e432d6f142267f5c1403 upstream. The lis3l02dq_read_event_config() function returned an ssize_t up to now, which lead to a compiler warning in line 660 (initialization from incompatible pointer type). The iio_info struct is defined to accept an int-returning function as the read_event_config parameter. Also it seems odd to have the check for (ret < 0) and return ret in this case, when the return type is signed. Signed-off-by: Andreas Ruprecht Acked-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit cccfdc35d860253f4ce300061c3dc548a9353fbb Author: SeongJae Park Date: Tue Feb 4 17:36:39 2014 +0900 staging: cxt1e1: remove unnecessary function, VMETRO_TRACE commit ce8386da7488c998969288355111996c2c23c892 upstream. VMETRO_TRACE isn't called from anywhere. So delete it. Signed-off-by: SeongJae Park Reviewed-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit b80b24210a8bde6dd3f0a0c559b1db1231029998 Author: Greg Kroah-Hartman Date: Thu Sep 6 11:21:48 2012 -0700 staging: comedi: vmk80xx: fix compiler warning commit 13f7952f8f13fb1bbd18b85988e3a5bbbed00879 upstream. gcc complains about some potentially uninitalized variables here, yet it can not happen, due to an enumerated type (either the board is one type or the other.) Make the compiler happy by providing a default case option that makes the logic a bit simpler for it to determine that there really isn't a problem here. Cc: H Hartley Sweeten Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit a34f9767d4773489538b34af5f1265bba6388141 Author: Hannes Reinecke Date: Mon Jul 6 13:07:58 2015 +0200 aic94xx: Skip reading user settings if flash is not found commit 36dd5acd196574d41de3e81d8264df475bbb7123 upstream. If no user settings are found it's pointless trying to read them from flash. So skip that step. This also fixes a compilation warning about uninitialized variables in aic94xx. Signed-off-by: Hannes Reinecke Reviewed-by: Christoph Hellwig Signed-off-by: James Bottomley Signed-off-by: Ben Hutchings commit f7f4036a240e26e7444245293d7b6b46d0b04978 Author: Paul Bolle Date: Thu Oct 4 17:14:35 2012 -0700 drivers/rtc/rtc-m41t80.c: remove disabled alarm functionality commit 48e9766726ebb8f5d98823fe6b32dff570bc04d8 upstream. Commit c3b79770e51a ("rtc: m41t80: Workaround broken alarm functionality") disabled m41t80's alarm functions. But since those functions were not touched, building this driver triggers these GCC warnings: drivers/rtc/rtc-m41t80.c:216:12: warning: 'm41t80_rtc_alarm_irq_enable' defined but not used [-Wunused-function] drivers/rtc/rtc-m41t80.c:238:12: warning: 'm41t80_rtc_set_alarm' defined but not used [-Wunused-function] drivers/rtc/rtc-m41t80.c:308:12: warning: 'm41t80_rtc_read_alarm' defined but not used [-Wunused-function] Remove these functions (and the commented out references to them) to silence these warnings. Anyone wanting to fix the alarm irq functionality can easily find the removed code in the git log of this file or through some web searches. Signed-off-by: Paul Bolle Cc: John Stultz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 615514a2cac10d1b92e3ed06e1c1d884d8c4333a Author: Andy Shevchenko Date: Wed Jun 7 16:56:15 2017 +0300 platform/x86: samsung-laptop: Initialize loca variable commit 0d2c95354a3b63256e92d9fb865c08902d2c9b0b upstream. The variable is used uninitialized which might come into unexpected behaviour on some Samsung laptops. Initialize it to 0xffff which seems a proper value for non-supported feature. Reported-by: Geert Uytterhoeven Signed-off-by: Andy Shevchenko [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit bb754dd4e818782b0ffa5ab775300882ff54f34f Author: Artem Bityutskiy Date: Thu Dec 29 18:06:01 2011 +0200 mtd: sst25l: kill unused variable commit d81a32f2c16a3c42cf26f2216765c520630daa4e upstream. Fix the following gcc warning: drivers/mtd/devices/sst25l.c: In function ‘sst25l_probe’: drivers/mtd/devices/sst25l.c:381:11: warning: unused variable ‘i’ [-Wunused-variable] Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse Signed-off-by: Ben Hutchings commit fc4922a507301a07fb092629ecdc38c8ac65996d Author: Danny Kukawka Date: Mon Jan 30 23:00:08 2012 +0100 vmw_balloon: fix for a -Wuninitialized warning commit 3e5ba466d515eb3fb1e0e975a3d8e499126ae2b5 upstream. Fix for a -Wuninitialized compiler warning. Changed return value of vmballoon_send_lock_page() from bool to int to be able to distinguish between the error cases to avoid uninitialized use of hv_status in vmballoon_reserve_page() Signed-off-by: Danny Kukawka Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit e09bdbeef9cef82cf5bb11d9b576731db4abdc4c Author: Viresh Kumar Date: Mon Oct 29 22:47:26 2012 +0530 mtd: map: Fix compilation warning commit 3e9ce49e0ef95e22790a74720f0068696b2477c9 upstream. This patch is an attempt to fix following compilation warning. In file included from drivers/mtd/chips/cfi_cmdset_0001.c:35:0: drivers/mtd/chips/cfi_cmdset_0001.c: In function 'cfi_intelext_write_words': include/linux/mtd/map.h:331:11: warning: 'r.x[0]' may be used uninitialized in this function [-Wmaybe-uninitialized] I could have used uninitialized_var() too, but didn't used it as the final else part of map_word_load() is missing. So there is a chance that it might be passed uninitialized. Better initialize to zero. Signed-off-by: Viresh Kumar Signed-off-by: Artem Bityutskiy Signed-off-by: Ben Hutchings commit 5d74ba4ca379c23959c60fbbf18e27dd02ac17f1 Author: Antti Palosaari Date: Thu Aug 9 20:50:35 2012 -0300 tda18212: silence compiler warning commit e666a44fa313cb9329c0381ad02fc6ee1e21cb31 upstream. Trivial fix. Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit 3e7f972470098f82f8a818a47064207e443ea66b Author: Antti Palosaari Date: Thu Aug 9 20:50:37 2012 -0300 tda18218: silence compiler warning commit e0e52d4e9f5bce7ea887027c127473eb654a5a04 upstream. Trivial fix. Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit 3e730c70573d974a4b4d615769c2cbe1d75ddc27 Author: Antonio Alecrim Jr Date: Sat Sep 14 14:20:40 2013 -0300 isdn: hfcpci_softirq: get func return to suppress compiler warning commit d6d6d1bc44362112e10a48d434e5b3c716152003 upstream. Signed-off-by: Antonio Alecrim Jr Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit c67f7e9c10ae7473ee7293605d72612d2ede011b Author: Mauro Carvalho Chehab Date: Mon Oct 29 08:02:31 2012 -0200 xc4000: Fix a few warnings commit 0d0d76e5bcd70439b0e736a99539d7eef4f87baf upstream. drivers/media/tuners/xc4000.c: In function ‘check_firmware’: drivers/media/tuners/xc4000.c:1048:45: warning: ‘fw_minor’ may be used uninitialized in this function [-Wmaybe-uninitialized] drivers/media/tuners/xc4000.c:1048:39: warning: ‘fw_major’ may be used uninitialized in this function [-Wmaybe-uninitialized] drivers/media/tuners/xc4000.c:1062:39: warning: ‘hw_minor’ may be used uninitialized in this function [-Wmaybe-uninitialized] drivers/media/tuners/xc4000.c:1062:33: warning: ‘hw_major’ may be used uninitialized in this function [-Wmaybe-uninitialized] Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit ef6b182cf489ada959d51e222e7aaf83ff0ee73e Author: Danny Kukawka Date: Thu Feb 2 03:20:28 2012 +0000 eicon: fix -Warray-bounds warning commit e1f4c485cdb2b1d7aae172b731f6c2b403381ebb upstream. Fix for a -Warray-bounds warning. mixer_notify_update() tries to write to ((CAPI_MSG *) msg)->info.facility_req.structs[3] while structs is defined as byte structs[1]. Set all 'structs' which are part of the typdefs in the info union to 'byte structs[0]'. v2: set all info.*.structs to byte structs[0] Signed-off-by: Danny Kukawka Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit bc23ded31a8b8dbc6fc13a35ed892f9e4f09e37e Author: Paul Bolle Date: Sat Jul 14 23:11:55 2012 +0000 gigaset: silence GCC warning for unused 'format_ie' commit 6ba6047bf99cf4ade4f63b6b3d97cc3ad763b678 upstream. Building Gigaset's CAPI support without Gigaset's debugging enabled triggers this GCC warning: 'format_ie' defined but not used [-Wunused-function] Silence this warning by wrapping format_ie() in an "#ifdef CONFIG_GIGASET_DEBUG" and "#endif" pair. Signed-off-by: Paul Bolle Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 3c64f49a0fad5d83fff4f40467764b4a1c058f9c Author: Paul Bolle Date: Mon Feb 25 09:17:13 2013 -0800 IB/mlx4: Fix compiler warning about uninitialized 'vlan' variable commit 57d88cffc83a2120266bbe9e72cbba5bd5f33675 upstream. Building qp.o triggers this gcc warning: drivers/infiniband/hw/mlx4/qp.c: In function ‘mlx4_ib_post_send’: drivers/infiniband/hw/mlx4/qp.c:1862:62: warning: ‘vlan’ may be used uninitialized in this function [-Wmaybe-uninitialized] drivers/infiniband/hw/mlx4/qp.c:1752:6: note: ‘vlan’ was declared here Looking at the code it is clear 'vlan' is only set and used if 'is_eth' is non-zero. But by initializing 'vlan' to 0xffff, on gcc (Ubuntu 4.7.2-22ubuntu1) 4.7.2 on x86-64 at least, we fix the warning, and the compiler was already setting 'vlan' to 0 in the generated code, so there's no real downside. Signed-off-by: Paul Bolle [ Get rid of unnecessary move of 'is_vlan' initialization. - Roland ] Signed-off-by: Roland Dreier [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 2a53a575db32409beb35f9f856ab3a0c71589f32 Author: David Howells Date: Thu Dec 15 13:03:14 2011 +0000 intel_idle: Fix a cast to pointer from integer of different size warning in intel_idle commit 95e3ec11491d0cbce9fcdf1cc17a527c114c7dcf upstream. Fix the following warning: drivers/idle/intel_idle.c: In function 'intel_idle_cpuidle_devices_init': drivers/idle/intel_idle.c:518:5: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] By making get_driver_data() return a long instead of an int. Signed-off-by: David Howells Signed-off-by: Len Brown Signed-off-by: Ben Hutchings commit a01e2a853c9aa6ca4e5c5f734e151b5cae9efd9b Author: David S. Miller Date: Thu Sep 27 18:35:47 2012 -0400 pkt_sched: Fix warning false positives. commit f54ba7798848ce1385a71b36a2c997422c82220a upstream. GCC refuses to recognize that all error control flows do in fact set err to something. Add an explicit initialization to shut it up. net/sched/sch_drr.c: In function ‘drr_enqueue’: net/sched/sch_drr.c:359:11: warning: ‘err’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/sched/sch_qfq.c: In function ‘qfq_enqueue’: net/sched/sch_qfq.c:885:11: warning: ‘err’ may be used uninitialized in this function [-Wmaybe-uninitialized] Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit a650af0da798563dcd0621f045fa4454c203f307 Author: Guenter Roeck Date: Tue Jun 12 08:27:49 2012 -0700 hwmon: (w83781d) Fix compile warning commit bbc8a569ae91e0951f4b7f8eb33ef1970bf2129c upstream. The following compile warning may be seen if the driver is compiled with -Wuninitialized: drivers/hwmon/w83781d.c: warning: 'sc_addr[1]' may be used uninitialized in this function [-Wuninitialized] While this is a false positive, it is annoying in nightly builds, and may help to conceal real problems. The current code is quite tricky, and and it is easy to rearrage the code to make the warning disappear. So fix it. Cc: Jean Delvare Signed-off-by: Guenter Roeck Signed-off-by: Ben Hutchings commit dc3ff135fa742860da7f17a51a0f9776660067e4 Author: Pablo Neira Ayuso Date: Wed Aug 29 15:58:29 2012 +0000 netfilter: xt_socket: fix compilation warnings with gcc 4.7 commit 6703aa74ad1ba2e598bb49a37f7518da1195bacb upstream. This patch fixes compilation warnings in xt_socket with gcc-4.7. In file included from net/netfilter/xt_socket.c:22:0: net/netfilter/xt_socket.c: In function ‘socket_mt6_v1’: include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:265:16: note: ‘sport’ was declared here In file included from net/netfilter/xt_socket.c:22:0: include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:265:9: note: ‘dport’ was declared here In file included from net/netfilter/xt_socket.c:22:0: include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:264:27: note: ‘saddr’ was declared here In file included from net/netfilter/xt_socket.c:22:0: include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:264:19: note: ‘daddr’ was declared here In file included from net/netfilter/xt_socket.c:22:0: net/netfilter/xt_socket.c: In function ‘socket_match.isra.4’: include/net/netfilter/nf_tproxy_core.h:75:2: warning: ‘protocol’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:113:5: note: ‘protocol’ was declared here In file included from include/net/tcp.h:37:0, from net/netfilter/xt_socket.c:17: include/net/inet_hashtables.h:356:45: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:112:16: note: ‘sport’ was declared here In file included from net/netfilter/xt_socket.c:22:0: include/net/netfilter/nf_tproxy_core.h:106:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:112:9: note: ‘dport’ was declared here In file included from include/net/tcp.h:37:0, from net/netfilter/xt_socket.c:17: include/net/inet_hashtables.h:356:15: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:111:16: note: ‘saddr’ was declared here In file included from include/net/tcp.h:37:0, from net/netfilter/xt_socket.c:17: include/net/inet_hashtables.h:356:15: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:111:9: note: ‘daddr’ was declared here In file included from net/netfilter/xt_socket.c:22:0: net/netfilter/xt_socket.c: In function ‘socket_mt6_v1’: include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:268:16: note: ‘sport’ was declared here In file included from net/netfilter/xt_socket.c:22:0: include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:268:9: note: ‘dport’ was declared here In file included from net/netfilter/xt_socket.c:22:0: include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:267:27: note: ‘saddr’ was declared here In file included from net/netfilter/xt_socket.c:22:0: include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/xt_socket.c:267:19: note: ‘daddr’ was declared here Signed-off-by: Pablo Neira Ayuso [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 2a731d1fdc3c50e5f2062bc40ae6fa1c7b1ad5a5 Author: Ryusuke Konishi Date: Fri Nov 6 16:32:16 2015 -0800 nilfs2: fix gcc uninitialized-variable warnings in powerpc build commit 4f05028f8d1af782cfd03d09e0a052e9745dc5ad upstream. Some false positive warnings are reported for powerpc build. The following warnings are reported in http://kisskb.ellerman.id.au/kisskb/buildresult/12519703/ CC fs/nilfs2/super.o fs/nilfs2/super.c: In function 'nilfs_resize_fs': fs/nilfs2/super.c:376:2: warning: 'blocknr' may be used uninitialized in this function [-Wuninitialized] fs/nilfs2/super.c:362:11: note: 'blocknr' was declared here CC fs/nilfs2/recovery.o fs/nilfs2/recovery.c: In function 'nilfs_salvage_orphan_logs': fs/nilfs2/recovery.c:631:21: warning: 'sum' may be used uninitialized in this function [-Wuninitialized] fs/nilfs2/recovery.c:585:32: note: 'sum' was declared here fs/nilfs2/recovery.c: In function 'nilfs_search_super_root': fs/nilfs2/recovery.c:873:11: warning: 'sum' may be used uninitialized in this function [-Wuninitialized] Another similar warning is reported in http://kisskb.ellerman.id.au/kisskb/buildresult/12520079/ CC fs/nilfs2/btree.o fs/nilfs2/btree.c: In function 'nilfs_btree_convert_and_insert': include/asm-generic/bitops/non-atomic.h:105:20: warning: 'bh' may be used uninitialized in this function [-Wuninitialized] fs/nilfs2/btree.c:1859:22: note: 'bh' was declared here This cleans out these warnings by forcing the variables to be initialized. Signed-off-by: Ryusuke Konishi Reported-by: Geert Uytterhoeven Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 009a50d49ea0bd44dff14142e27b872f4de2d67f Author: Daniel Mack Date: Mon Jun 18 21:16:31 2012 +0200 ALSA: snd-usb-caiaq: initialize card pointer commit da185443c12f5ef7416af50293833a5654854186 upstream. Fixes the following warning: CC [M] sound/usb/caiaq/device.o sound/usb/caiaq/device.c: In function ‘snd_probe’: sound/usb/caiaq/device.c:500:16: warning: ‘card’ may be used uninitialized in this function [-Wmaybe-uninitialized] Signed-off-by: Daniel Mack Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 4fad0af2782115ba9c0527b297837193af3a9402 Author: Ben Hutchings Date: Mon Nov 6 01:09:48 2017 +0000 edac: i7300_edac: Fix 'may be used uninitialized' warning gcc 4.7 warns that nr_pages may be used uninitialized in i7300_init_csrows(). In fact, the case where it's not initialised is an error that will result in returning early without using it. Silence the warning by initialising to 0. This was done upstream as part of commit 084a4fccef39 "edac: move dimm properties to struct dimm_info". Signed-off-by: Ben Hutchings commit 8ca8e09f7896f9effc62e48119a606243765cd73 Author: Fabio Estevam Date: Mon Dec 24 15:55:37 2012 -0200 ASoC: wm8985: Refactor set_pll code to avoid gcc warnings commit 5f3d25c08dee44a40229f1f9e8934f3217478a67 upstream. Refactor set_pll code to avoid the following warnings: sound/soc/codecs/wm8985.c:852:50: warning: 'pll_div.k' may be used uninitialized in this function sound/soc/codecs/wm8985.c:849:9: warning: 'pll_div.n' may be used uninitialized in this function sound/soc/codecs/wm8985.c:848:23: warning: 'pll_div.div2' may be used uninitialized in this function Do the same as in commit 86ce6c9a (ASoC: WM8804: Refactor set_pll code to avoid GCC warnings). Signed-off-by: Fabio Estevam Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit 92920e2bdd9a75b84a459896fa51678c8a179cd0 Author: Fabio Estevam Date: Wed Dec 12 01:24:40 2012 -0200 ASoC: wm8993: Refactor set_pll code to avoid GCC warnings commit 6757d8cc0c6ff2e61972d84797d358a2f69f2217 upstream. Refactor set_pll code to avoid the following warnings: sound/soc/codecs/wm8983.c:873:40: warning: 'pll_div.k' may be used uninitialized in this function [-Wuninitialized] sound/soc/codecs/wm8983.c:870:9: warning: 'pll_div.n' may be used uninitialized in this function [-Wuninitialized] sound/soc/codecs/wm8983.c:869:23: warning: 'pll_div.div2' may be used uninitialized in this function [-Wuninitialized] Do the same as in commit 86ce6c9a (ASoC: WM8804: Refactor set_pll code to avoid GCC warnings). Signed-off-by: Fabio Estevam Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit 4bccaa7bea0386fda58b5681b4bc78928c09ee42 Author: David S. Miller Date: Thu Dec 1 14:45:49 2011 -0500 dccp: Fix compile warning in probe code. commit d984e6197ecd2babc1537f42dc1e676133005cda upstream. Commit 1386be55e32a3c5d8ef4a2b243c530a7b664c02c ("dccp: fix auto-loading of dccp(_probe)") fixed a bug but created a new compiler warning: net/dccp/probe.c: In function ‘dccpprobe_init’: net/dccp/probe.c:166:2: warning: the omitted middle operand in ?: will always be ‘true’, suggest explicit middle operand [-Wparentheses] try_then_request_module() is built for situations where the "existence" test is some lookup function that returns a non-NULL object on success, and with a reference count of some kind held. Here we're looking for a success return of zero from the jprobe registry. Instead of fighting the way try_then_request_module() works, simply open code what we want to happen in a local helper function. Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 030ee68b4938cb7fc0bad3f000c87fcc8364ad75 Author: Tim Gardner Date: Sun Mar 10 10:58:21 2013 -0600 ASoC: wm_hubs: Silence reg_r and reg_l 'may be used uninitialized' warnings commit 1f5353e765fe2a1168477bfe55e4dd7cdd96b477 upstream. Return an error from wm_hubs_read_dc_servo() if hubs->dcs_readback_mode is not correctly initialized. You might as well bail out since nothing is likely to work correctly afterwards. sound/soc/codecs/wm_hubs.c:321:11: warning: 'reg_r' may be used uninitialized in this function [-Wuninitialized] sound/soc/codecs/wm_hubs.c:251:13: note: 'reg_r' was declared here sound/soc/codecs/wm_hubs.c:322:11: warning: 'reg_l' may be used uninitialized in this function [-Wuninitialized] sound/soc/codecs/wm_hubs.c:251:6: note: 'reg_l' was declared here gcc version 4.6.3 Signed-off-by: Tim Gardner Signed-off-by: Mark Brown [bwh: Backported to 3.2: There's no separate wm_hubs_read_dc_servo() function, so return directly from calibrate_dc_servo().] Signed-off-by: Ben Hutchings commit ec7deb5897ca9b158713c8c06fb79769606dd7ce Author: Tim Gardner Date: Mon Mar 11 13:18:23 2013 -0600 ASoC: adau1373: adau1373_hw_params: Silence overflow warning commit 14a1b8ca172f4cfbc544051a729d85a380447a82 upstream. ADAU1373_BCLKDIV_SOURCE is defined as BIT(5) which uses UL constants. On amd64 the result of the ones complement operator is then truncated to unsigned int according to the prototype of snd_soc_update_bits(). I think gcc is correctly warning that the upper 32 bits are lost. sound/soc/codecs/adau1373.c: In function 'adau1373_hw_params': sound/soc/codecs/adau1373.c:940:3: warning: large integer implicitly truncated to unsigned type [-Woverflow] gcc version 4.6.3 Add 2 more BCLKDIV mask macros as explained by Lars: The BCLKDIV has three fields. The bitclock divider (bit 0-1), the samplerate (bit 2-4) and the source select (bit 5). Here we want to update the bitclock divider field and the samplerate field. When I wrote the code I was lazy and used ~ADAU1373_BCLKDIV_SOURCE as the mask, which for this register is functionally equivalent to ADAU1373_BCLKDIV_SR_MASK | ADAU1373_BCLKDIV_BCLK_MASK. Signed-off-by: Tim Gardner Acked-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit b88ca975802fdfc636f36df763628d41a4bd68d4 Author: Cong Wang Date: Tue Apr 3 14:13:36 2012 +0800 drbd: check MODULE for THIS_MODULE commit bc4854bc91c9a7f117437215cd8b16a0a5671d93 upstream. THIS_MODULE is NULL only when drbd is compiled as built-in, so the #ifdef CONFIG_MODULES should be #ifdef MODULE instead. This fixes the warning: drivers/block/drbd/drbd_main.c: In function ‘drbd_buildtag’: drivers/block/drbd/drbd_main.c:4187:24: warning: the comparison will always evaluate as ‘true’ for the address of ‘__this_module’ will never be NULL [-Waddress] Signed-off-by: WANG Cong Signed-off-by: Philipp Reisner Signed-off-by: Lars Ellenberg Signed-off-by: Ben Hutchings commit 2e8f41e0a066e6363bbfe0112282839fd55876ec Author: Danny Kukawka Date: Fri Mar 2 10:48:35 2012 +0100 drivers/block/DAC960: fix -Wuninitialized warning commit cecd353a02fb1405c8a72a324b26b5acf97e7411 upstream. Set CommandMailbox with memset before use it. Fix for: drivers/block/DAC960.c: In function ‘DAC960_V1_EnableMemoryMailboxInterface’: arch/x86/include/asm/io.h:61:1: warning: ‘CommandMailbox.Bytes[12]’ may be used uninitialized in this function [-Wuninitialized] drivers/block/DAC960.c:1175:30: note: ‘CommandMailbox.Bytes[12]’ was declared here Signed-off-by: Danny Kukawka Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit 2e28c1e30098626d9b8f79f264629a4aefa9131b Author: Danny Kukawka Date: Fri Mar 2 10:48:32 2012 +0100 drivers/block/DAC960: fix DAC960_V2_IOCTL_Opcode_T -Wenum-compare warning commit bca505f1097c725708ddc055cf8055e922b0904b upstream. Fixed compiler warning: comparison between ‘DAC960_V2_IOCTL_Opcode_T’ and ‘enum ’ Renamed enum, added a new enum for SCSI_10.CommandOpcode in DAC960_V2_ProcessCompletedCommand(). Signed-off-by: Danny Kukawka Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit 6670746653490be552e32339f52abca210eca735 Author: Miklos Szeredi Date: Tue Jan 15 12:24:46 2013 +0100 cuse: fix uninitialized variable warnings commit e2560362cc2b39a0567cab510121a7e93dfbe797 upstream. Fix the following compiler warnings: fs/fuse/cuse.c: In function 'cuse_process_init_reply': fs/fuse/cuse.c:288:24: warning: 'val' may be used uninitialized in this function [-Wmaybe-uninitialized] fs/fuse/cuse.c:272:14: note: 'val' was declared here fs/fuse/cuse.c:284:10: warning: 'key' may be used uninitialized in this function [-Wmaybe-uninitialized] fs/fuse/cuse.c:272:8: note: 'key' was declared here Signed-off-by: Miklos Szeredi Signed-off-by: Ben Hutchings commit dffdef9c27c1baa0faf2db2f921301e948ec0ba4 Author: Ben Hutchings Date: Mon Nov 6 00:47:19 2017 +0000 ACPICA: Fix 'may be used uninitialized' warning in acpi_ns_repair_object() gcc 4.7 warns that new_object may be used uninitialized in this function. In fact, all the cases where it's not initialised are errors that will result in returning early without using it. Silence the warning by initialising to NULL. This was done upstream as part of commit d5a36100f62f "ACPICA: Add mechanism for early object repairs on a per-name basis". Signed-off-by: Ben Hutchings commit 8264be3726a0d05711b1df810f2181c48e4c4cf0 Author: Simon Que Date: Thu Jan 17 11:18:20 2013 -0800 eCryptfs: initialize payload_len in keystore.c commit fa5199648e273a5e3e80aca41c1eb53700438dc1 upstream. This is meant to remove a compiler warning. It should not make any functional change. payload_len should be initialized when it is passed to write_tag_64_packet() as a pointer. If that call fails, this function should return early, and payload_len won't be used. Signed-off-by: Simon Que Signed-off-by: Tyler Hicks [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 8434628c8fcfbce59c78b2a48d2e405e901c19d3 Author: Jeff Layton Date: Mon Mar 26 09:55:29 2012 -0400 cifs: silence compiler warnings showing up with gcc-4.7.0 commit b2a3ad9ca502169fc4c11296fa20f56059c7c031 upstream. gcc-4.7.0 has started throwing these warnings when building cifs.ko. CC [M] fs/cifs/cifssmb.o fs/cifs/cifssmb.c: In function ‘CIFSSMBSetCIFSACL’: fs/cifs/cifssmb.c:3905:9: warning: array subscript is above array bounds [-Warray-bounds] fs/cifs/cifssmb.c: In function ‘CIFSSMBSetFileInfo’: fs/cifs/cifssmb.c:5711:8: warning: array subscript is above array bounds [-Warray-bounds] fs/cifs/cifssmb.c: In function ‘CIFSSMBUnixSetFileInfo’: fs/cifs/cifssmb.c:6001:25: warning: array subscript is above array bounds [-Warray-bounds] This patch cleans up the code a bit by using the offsetof macro instead of the funky "&pSMB->hdr.Protocol" construct. Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Ben Hutchings commit d30a95ae76d94760d8b8f9e5c244939772df14c2 Author: Ben Hutchings Date: Mon Nov 6 00:34:07 2017 +0000 mm/huge_memory: Fix unused label warning This label is unused since commit 2ea6895123eb8604c1c0c153e2fcd1305fb96aca "mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" backport". There's no upstream equivalent of this as the label is still used there. Signed-off-by: Ben Hutchings commit d8b2e551d8ecfe59c667923892a50d6ac469ce94 Author: Ben Hutchings Date: Wed Oct 18 00:45:49 2017 +0100 ALSA: seq: Enable 'use' locking in all configurations commit 8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream. The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is enabled. This might once have been OK in non-preemptible configurations, but even in that case snd_seq_read() may sleep while relying on a 'use' lock. So always use the proper implementations. Signed-off-by: Ben Hutchings Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 7c27b82fad16d2804c7c8405316a636f57edeabd Author: Alan Stern Date: Wed Oct 18 12:49:38 2017 -0400 USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream. Andrey used the syzkaller fuzzer to find an out-of-bounds memory access in usb_get_bos_descriptor(). The code wasn't checking that the next usb_dev_cap_header structure could fit into the remaining buffer space. This patch fixes the error and also reduces the bNumDeviceCaps field in the header to match the actual number of capabilities found, in cases where there are fewer than expected. Reported-by: Andrey Konovalov Signed-off-by: Alan Stern Tested-by: Andrey Konovalov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 99de0781e0de7c866f762b931351c2a501c3074f Author: Jaejoong Kim Date: Thu Sep 28 19:16:30 2017 +0900 HID: usbhid: fix out-of-bounds bug commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream. The hid descriptor identifies the length and type of subordinate descriptors for a device. If the received hid descriptor is smaller than the size of the struct hid_descriptor, it is possible to cause out-of-bounds. In addition, if bNumDescriptors of the hid descriptor have an incorrect value, this can also cause out-of-bounds while approaching hdesc->desc[n]. So check the size of hid descriptor and bNumDescriptors. BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20 Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261 CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #169 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x292/0x395 lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 kasan_report+0x22f/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427 usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004 hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944 usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4903 hub_port_connect_change drivers/usb/core/hub.c:5009 port_event drivers/usb/core/hub.c:5115 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 worker_thread+0x221/0x1850 kernel/workqueue.c:2253 kthread+0x3a1/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Reported-by: Andrey Konovalov Signed-off-by: Jaejoong Kim Tested-by: Andrey Konovalov Acked-by: Alan Stern Signed-off-by: Jiri Kosina Signed-off-by: Ben Hutchings commit f2a780301ae85dbe704499675832487130b8e267 Author: Alan Stern Date: Fri Sep 29 10:54:24 2017 -0400 usb: usbtest: fix NULL pointer dereference commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream. If the usbtest driver encounters a device with an IN bulk endpoint but no OUT bulk endpoint, it will try to dereference a NULL pointer (out->desc.bEndpointAddress). The problem can be solved by adding a missing test. Signed-off-by: Alan Stern Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Felipe Balbi Signed-off-by: Ben Hutchings commit a0e0a5850211dd09725c819a8915c2cbe9067317 Author: Greg Kroah-Hartman Date: Tue Sep 19 15:07:17 2017 +0200 USB: fix out-of-bounds in usb_set_configuration commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream. Andrey Konovalov reported a possible out-of-bounds problem for a USB interface association descriptor. He writes: It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION descriptor. It's only checked that the size is >= 2 in usb_parse_configuration(), so find_iad() might do out-of-bounds access to intf_assoc->bInterfaceCount. And he's right, we don't check for crazy descriptors of this type very well, so resolve this problem. Yet another issue found by syzkaller... Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 8a930044f0b100d6b28a94525e9cf62787b3ec3a Author: Takashi Iwai Date: Fri Sep 22 16:18:53 2017 +0200 ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor commit bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 upstream. When a USB-audio device receives a maliciously adjusted or corrupted buffer descriptor, the USB-audio driver may access an out-of-bounce value at its parser. This was detected by syzkaller, something like: BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0 Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24 CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x292/0x395 lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 kasan_report+0x22f/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427 snd_usb_create_streams sound/usb/card.c:248 usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4903 hub_port_connect_change drivers/usb/core/hub.c:5009 port_event drivers/usb/core/hub.c:5115 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 worker_thread+0x221/0x1850 kernel/workqueue.c:2253 kthread+0x3a1/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 This patch adds the checks of out-of-bounce accesses at appropriate places and bails out when it goes out of the given buffer. Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 72f4b1c7114c1b34302999d72bc5b16c8c1a1945 Author: Takashi Iwai Date: Tue Oct 10 14:10:32 2017 +0200 ALSA: usb-audio: Kill stray URB at exiting commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream. USB-audio driver may leave a stray URB for the mixer interrupt when it exits by some error during probe. This leads to a use-after-free error as spotted by syzkaller like: ================================================================== BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0 Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x292/0x395 lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 kasan_report+0x23d/0x350 mm/kasan/report.c:409 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430 snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490 __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779 .... Allocated by task 1484: save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772 kmalloc ./include/linux/slab.h:493 kzalloc ./include/linux/slab.h:666 snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540 create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516 snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59 snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618 .... Freed by task 1484: save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1390 slab_free_freelist_hook mm/slub.c:1412 slab_free mm/slub.c:2988 kfree+0xf6/0x2f0 mm/slub.c:3919 snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244 snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250 __snd_device_free+0x1ff/0x380 sound/core/device.c:91 snd_device_free_all+0x8f/0xe0 sound/core/device.c:244 snd_card_do_free sound/core/init.c:461 release_card_device+0x47/0x170 sound/core/init.c:181 device_release+0x13f/0x210 drivers/base/core.c:814 .... Actually such a URB is killed properly at disconnection when the device gets probed successfully, and what we need is to apply it for the error-path, too. In this patch, we apply snd_usb_mixer_disconnect() at releasing. Also introduce a new flag, disconnected, to struct usb_mixer_interface for not performing the disconnection procedure twice. Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: snd_usb_mixer_disconnect() takes a pointer to usb_mixer_interface::list, not to usb_mixer_interface itself] Signed-off-by: Ben Hutchings commit ca3d015d39f0357889fa3ef6a88028162de17d7d Author: Willem de Bruijn Date: Tue Sep 26 12:19:37 2017 -0400 packet: in packet_do_bind, test fanout with bind_lock held commit 4971613c1639d8e5f102c4e797c3bf8f83a5a69e upstream. Once a socket has po->fanout set, it remains a member of the group until it is destroyed. The prot_hook must be constant and identical across sockets in the group. If fanout_add races with packet_do_bind between the test of po->fanout and taking the lock, the bind call may make type or dev inconsistent with that of the fanout group. Hold po->bind_lock when testing po->fanout to avoid this race. I had to introduce artificial delay (local_bh_enable) to actually observe the race. Fixes: dc99f600698d ("packet: Add fanout support.") Signed-off-by: Willem de Bruijn Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit b2e1f10f138c6cc03a2f5c940b6c4963b07c7296 Author: Willem de Bruijn Date: Thu Sep 14 17:14:41 2017 -0400 packet: hold bind lock when rebinding to fanout hook commit 008ba2a13f2d04c947adc536d19debb8fe66f110 upstream. Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket is actually on a ptype list to receive packets. fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then binds the fanout object to receive through packet_rcv_fanout. Make it hold the po->bind_lock when testing po->running and rebinding. Else, it can race with other rebind operations, such as that in packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates can result in a socket being added to a fanout group twice, causing use-after-free KASAN bug reports, among others. Reported independently by both trinity and syzkaller. Verified that the syzkaller reproducer passes after this patch. Fixes: dc99f600698d ("packet: Add fanout support.") Reported-by: nixioaming Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller [bwh: Backported to 3.2: use atomic_read() not refcount_read()] Signed-off-by: Ben Hutchings commit 8a5015a7c4b0af2a58d5f393a38385aae49db0f0 Author: Francesco Ruggeri Date: Thu Nov 5 08:16:14 2015 -0800 packet: race condition in packet_bind commit 30f7ea1c2b5f5fb7462c5ae44fe2e40cb2d6a474 upstream. There is a race conditions between packet_notifier and packet_bind{_spkt}. It happens if packet_notifier(NETDEV_UNREGISTER) executes between the time packet_bind{_spkt} takes a reference on the new netdevice and the time packet_do_bind sets po->ifindex. In this case the notification can be missed. If this happens during a dev_change_net_namespace this can result in the netdevice to be moved to the new namespace while the packet_sock in the old namespace still holds a reference on it. When the netdevice is later deleted in the new namespace the deletion hangs since the packet_sock is not found in the new namespace' &net->packet.sklist. It can be reproduced with the script below. This patch makes packet_do_bind check again for the presence of the netdevice in the packet_sock's namespace after the synchronize_net in unregister_prot_hook. More in general it also uses the rcu lock for the duration of the bind to stop dev_change_net_namespace/rollback_registered_many from going past the synchronize_net following unlist_netdevice, so that no NETDEV_UNREGISTER notifications can happen on the new netdevice while the bind is executing. In order to do this some code from packet_bind{_spkt} is consolidated into packet_do_dev. import socket, os, time, sys proto=7 realDev='em1' vlanId=400 if len(sys.argv) > 1: vlanId=int(sys.argv[1]) dev='vlan%d' % vlanId os.system('taskset -p 0x10 %d' % os.getpid()) s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, proto) os.system('ip link add link %s name %s type vlan id %d' % (realDev, dev, vlanId)) os.system('ip netns add dummy') pid=os.fork() if pid == 0: # dev should be moved while packet_do_bind is in synchronize net os.system('taskset -p 0x20000 %d' % os.getpid()) os.system('ip link set %s netns dummy' % dev) os.system('ip netns exec dummy ip link del %s' % dev) s.close() sys.exit(0) time.sleep(.004) try: s.bind(('%s' % dev, proto+1)) except: print 'Could not bind socket' s.close() os.system('ip netns del dummy') sys.exit(0) os.waitpid(pid, 0) s.close() os.system('ip netns del dummy') sys.exit(0) Signed-off-by: Francesco Ruggeri Signed-off-by: David S. Miller [bwh: Backported to 3.2: - Add the 'dev_curr' variable - Drop the packet_cached_dev changes - Adjust context] Signed-off-by: Ben Hutchings commit 57f94e88bb255bf7b7d267c999aefbe4557307c1 Author: David Howells Date: Thu Oct 12 16:00:41 2017 +0100 KEYS: don't let add_key() update an uninstantiated key commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream. Currently, when passed a key that already exists, add_key() will call the key's ->update() method if such exists. But this is heavily broken in the case where the key is uninstantiated because it doesn't call __key_instantiate_and_link(). Consequently, it doesn't do most of the things that are supposed to happen when the key is instantiated, such as setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and awakening tasks waiting on it, and incrementing key->user->nikeys. It also never takes key_construction_mutex, which means that ->instantiate() can run concurrently with ->update() on the same key. In the case of the "user" and "logon" key types this causes a memory leak, at best. Maybe even worse, the ->update() methods of the "encrypted" and "trusted" key types actually just dereference a NULL pointer when passed an uninstantiated key. Change key_create_or_update() to wait interruptibly for the key to finish construction before continuing. This patch only affects *uninstantiated* keys. For now we still allow a negatively instantiated key to be updated (thereby positively instantiating it), although that's broken too (the next patch fixes it) and I'm not sure that anyone actually uses that functionality either. Here is a simple reproducer for the bug using the "encrypted" key type (requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug pertained to more than just the "encrypted" key type: #include #include #include int main(void) { int ringid = keyctl_join_session_keyring(NULL); if (fork()) { for (;;) { const char payload[] = "update user:foo 32"; usleep(rand() % 10000); add_key("encrypted", "desc", payload, sizeof(payload), ringid); keyctl_clear(ringid); } } else { for (;;) request_key("encrypted", "desc", "callout_info", ringid); } } It causes: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 IP: encrypted_update+0xb0/0x170 PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0 PREEMPT SMP CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff8a467a39a340 task.stack: ffffb15c40770000 RIP: 0010:encrypted_update+0xb0/0x170 RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000 RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303 RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17 R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0 Call Trace: key_create_or_update+0x2bc/0x460 SyS_add_key+0x10c/0x1d0 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x7f5d7f211259 RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259 RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04 RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004 R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868 R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000 Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8 CR2: 0000000000000018 Reported-by: Eric Biggers Signed-off-by: David Howells cc: Eric Biggers [bwh: Backported to 3.2: - Use the 'error' label to return, not 'error_free_prep' - Adjust context] Signed-off-by: Ben Hutchings commit c3895a053b2505f9e409e6d6c57dcece714ab486 Author: Takashi Iwai Date: Mon Oct 9 11:09:20 2017 +0200 ALSA: seq: Fix use-after-free at creating a port commit 71105998845fb012937332fe2e806d443c09e026 upstream. There is a potential race window opened at creating and deleting a port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates a port object and returns its pointer, but it doesn't take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free like: BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511 ___slab_alloc+0x425/0x460 __slab_alloc+0x20/0x40 kmem_cache_alloc_trace+0x150/0x190 snd_seq_create_port+0x94/0x9b0 [snd_seq] snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] snd_seq_ioctl+0x40/0x80 [snd_seq] do_vfs_ioctl+0x54b/0xda0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x16/0x75 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717 __slab_free+0x204/0x310 kfree+0x15f/0x180 port_delete+0x136/0x1a0 [snd_seq] snd_seq_delete_port+0x235/0x350 [snd_seq] snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] snd_seq_ioctl+0x40/0x80 [snd_seq] do_vfs_ioctl+0x54b/0xda0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x16/0x75 Call Trace: [] dump_stack+0x63/0x82 [] print_trailer+0xfb/0x160 [] object_err+0x34/0x40 [] kasan_report.part.2+0x223/0x520 [] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] [] __asan_report_load1_noabort+0x2e/0x30 [] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] [] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq] [] ? taskstats_exit+0xbc0/0xbc0 [] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] [] snd_seq_ioctl+0x40/0x80 [snd_seq] [] ? acct_account_cputime+0x63/0x80 [] do_vfs_ioctl+0x54b/0xda0 ..... We may fix this in a few different ways, and in this patch, it's fixed simply by taking the refcount properly at snd_seq_create_port() and letting the caller unref the object after use. Also, there is another potential use-after-free by sprintf() call in snd_seq_create_port(), and this is moved inside the lock. This fix covers CVE-2017-15265. Reported-and-tested-by: Michael23 Yu Suggested-by: Linus Torvalds Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit ef810e7c3d2a8fb3bbd23726599c487c30ea747e Author: Johannes Berg Date: Tue Sep 5 14:54:54 2017 +0200 mac80211: accept key reinstall without changing anything commit fdf7cb4185b60c68e1a75e61691c4afdc15dea0e upstream. When a key is reinstalled we can reset the replay counters etc. which can lead to nonce reuse and/or replay detection being impossible, breaking security properties, as described in the "KRACK attacks". In particular, CVE-2017-13080 applies to GTK rekeying that happened in firmware while the host is in D3, with the second part of the attack being done after the host wakes up. In this case, the wpa_supplicant mitigation isn't sufficient since wpa_supplicant doesn't know the GTK material. In case this happens, simply silently accept the new key coming from userspace but don't take any action on it since it's the same key; this keeps the PN replay counters intact. Signed-off-by: Johannes Berg [bwh: Backported to 3.2: - Use __ieee80211_key_free() instead of ieee80211_key_free_unused() - Adjust context] Signed-off-by: Ben Hutchings commit 9ff5d8fe36745867da8a028b3ea58629f7546155 Author: Vitaly Mayatskikh Date: Fri Sep 22 01:18:39 2017 -0400 fix unbalanced page refcounting in bio_map_user_iov commit 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream. bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page merges them into one, but the page reference is never dropped. Signed-off-by: Vitaly Mayatskikh Signed-off-by: Al Viro [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 90d8668e4ac34a84c52dc5b078af9d982323502c Author: Ronnie Sahlberg Date: Mon Oct 30 13:28:03 2017 +1100 cifs: check MaxPathNameComponentLength != 0 before using it commit f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 upstream. And fix tcon leak in error path. Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Reviewed-by: David Disseldorp [bwh: Backported to 3.2: cifs_tcon pointer is tcon, and there's no leak to fix] Signed-off-by: Ben Hutchings commit 47dcfde4a9cc9f0e2dbe3fab9d8fc10ad42f1c00 Author: Oleg Nesterov Date: Fri Sep 1 18:55:33 2017 +0200 epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() commit 138e4ad67afd5c6c318b056b4d17c17f2c0ca5c0 upstream. The race was introduced by me in commit 971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead"). I did not realize that nothing can protect eventpoll after ep_poll_callback() sets ->whead = NULL, only whead->lock can save us from the race with ep_free() or ep_remove(). Move ->whead = NULL to the end of ep_poll_callback() and add the necessary barriers. TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even before this patch. Hopefully this explains use-after-free reported by syzcaller: BUG: KASAN: use-after-free in debug_spin_lock_before ... _raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159 ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148 this is spin_lock(eventpoll->lock), ... Freed by task 17774: ... kfree+0xe8/0x2c0 mm/slub.c:3883 ep_free+0x22c/0x2a0 fs/eventpoll.c:865 Fixes: 971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead") Reported-by: 范龙飞 Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: - Use smp_mb() and ACCESS_ONCE() instead of smp_{load_acquire,store_release}() - EPOLLEXCLUSIVE is not supported] Signed-off-by: Ben Hutchings commit 34e618bfcf9c9a41ed188c74e585e37ebe872eaf Author: Cong Wang Date: Thu Aug 31 16:47:43 2017 +0200 wl1251: add a missing spin_lock_init() commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream. wl1251: add a missing spin_lock_init() This fixes the following kernel warning: [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745 [ 5668.771850] lock: 0xce63ef20, .magic: 00000000, .owner: /-1, .owner_cpu: 0 [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G W 4.12.0-03002-gec979a4-dirty #40 [ 5668.772796] Hardware name: Nokia RX-51 board [ 5668.773071] Workqueue: phy1 wl1251_irq_work [ 5668.773345] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 5668.773803] [] (show_stack) from [] (do_raw_spin_lock+0x6c/0xa0) [ 5668.774230] [] (do_raw_spin_lock) from [] (_raw_spin_lock_irqsave+0x10/0x18) [ 5668.774658] [] (_raw_spin_lock_irqsave) from [] (wl1251_op_tx+0x38/0x5c) [ 5668.775115] [] (wl1251_op_tx) from [] (ieee80211_tx_frags+0x188/0x1c0) [ 5668.775543] [] (ieee80211_tx_frags) from [] (__ieee80211_tx+0x6c/0x130) [ 5668.775970] [] (__ieee80211_tx) from [] (ieee80211_tx+0xdc/0x104) [ 5668.776367] [] (ieee80211_tx) from [] (__ieee80211_subif_start_xmit+0x454/0x8c8) [ 5668.776824] [] (__ieee80211_subif_start_xmit) from [] (ieee80211_subif_start_xmit+0x30/0x2fc) [ 5668.777343] [] (ieee80211_subif_start_xmit) from [] (dev_hard_start_xmit+0x80/0x118) ... by adding the missing spin_lock_init(). Reported-by: Pavel Machek Cc: Kalle Valo Signed-off-by: Cong Wang Acked-by: Pavel Machek Signed-off-by: Kalle Valo Signed-off-by: Pavel Machek Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit cc6db6b3a840a4914ba34e4507ac8fcfcca85500 Author: Nikolay Aleksandrov Date: Wed Aug 30 12:49:05 2017 +0300 sch_tbf: fix two null pointer dereferences on init failure commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream. sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy callbacks but it may fail before the timer is initialized due to missing options (either not supplied by user-space or set as a default qdisc), also q->qdisc is used by ->reset and ->destroy so we need it initialized. Reproduce: $ sysctl net.core.default_qdisc=tbf $ ip l set ethX up Crash log: [ 959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [ 959.160323] IP: qdisc_reset+0xa/0x5c [ 959.160400] PGD 59cdb067 [ 959.160401] P4D 59cdb067 [ 959.160466] PUD 59ccb067 [ 959.160532] PMD 0 [ 959.160597] [ 959.160706] Oops: 0000 [#1] SMP [ 959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem [ 959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62 [ 959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000 [ 959.161263] RIP: 0010:qdisc_reset+0xa/0x5c [ 959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286 [ 959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000 [ 959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000 [ 959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff [ 959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0 [ 959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001 [ 959.162546] FS: 00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000 [ 959.162844] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0 [ 959.163233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 959.163638] Call Trace: [ 959.163788] tbf_reset+0x19/0x64 [sch_tbf] [ 959.163957] qdisc_destroy+0x8b/0xe5 [ 959.164119] qdisc_create_dflt+0x86/0x94 [ 959.164284] ? dev_activate+0x129/0x129 [ 959.164449] attach_one_default_qdisc+0x36/0x63 [ 959.164623] netdev_for_each_tx_queue+0x3d/0x48 [ 959.164795] dev_activate+0x4b/0x129 [ 959.164957] __dev_open+0xe7/0x104 [ 959.165118] __dev_change_flags+0xc6/0x15c [ 959.165287] dev_change_flags+0x25/0x59 [ 959.165451] do_setlink+0x30c/0xb3f [ 959.165613] ? check_chain_key+0xb0/0xfd [ 959.165782] rtnl_newlink+0x3a4/0x729 [ 959.165947] ? rtnl_newlink+0x117/0x729 [ 959.166121] ? ns_capable_common+0xd/0xb1 [ 959.166288] ? ns_capable+0x13/0x15 [ 959.166450] rtnetlink_rcv_msg+0x188/0x197 [ 959.166617] ? rcu_read_unlock+0x3e/0x5f [ 959.166783] ? rtnl_newlink+0x729/0x729 [ 959.166948] netlink_rcv_skb+0x6c/0xce [ 959.167113] rtnetlink_rcv+0x23/0x2a [ 959.167273] netlink_unicast+0x103/0x181 [ 959.167439] netlink_sendmsg+0x326/0x337 [ 959.167607] sock_sendmsg_nosec+0x14/0x3f [ 959.167772] sock_sendmsg+0x29/0x2e [ 959.167932] ___sys_sendmsg+0x209/0x28b [ 959.168098] ? do_raw_spin_unlock+0xcd/0xf8 [ 959.168267] ? _raw_spin_unlock+0x27/0x31 [ 959.168432] ? __handle_mm_fault+0x651/0xdb1 [ 959.168602] ? check_chain_key+0xb0/0xfd [ 959.168773] __sys_sendmsg+0x45/0x63 [ 959.168934] ? __sys_sendmsg+0x45/0x63 [ 959.169100] SyS_sendmsg+0x19/0x1b [ 959.169260] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 959.169432] RIP: 0033:0x7fcc5097e690 [ 959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690 [ 959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003 [ 959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003 [ 959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006 [ 959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000 [ 959.170900] ? trace_hardirqs_off_caller+0xa7/0xcf [ 959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24 98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89 e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb [ 959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610 [ 959.171821] CR2: 0000000000000018 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit d1e4c9f184408fb9282a9c17a976cb8fe1fb49d8 Author: Nikolay Aleksandrov Date: Wed Aug 30 12:49:03 2017 +0300 sch_netem: avoid null pointer deref on init failure commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream. netem can fail in ->init due to missing options (either not supplied by user-space or used as a default qdisc) causing a timer->base null pointer deref in its ->destroy() and ->reset() callbacks. Reproduce: $ sysctl net.core.default_qdisc=netem $ ip l set ethX up Crash log: [ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null) [ 1814.847181] IP: hrtimer_active+0x17/0x8a [ 1814.847270] PGD 59c34067 [ 1814.847271] P4D 59c34067 [ 1814.847337] PUD 37374067 [ 1814.847403] PMD 0 [ 1814.847468] [ 1814.847582] Oops: 0000 [#1] SMP [ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O) [ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G O 4.13.0-rc6+ #62 [ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000 [ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a [ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246 [ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000 [ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8 [ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff [ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000 [ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001 [ 1814.849616] FS: 00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 1814.849919] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0 [ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 1814.850723] Call Trace: [ 1814.850875] hrtimer_try_to_cancel+0x1a/0x93 [ 1814.851047] hrtimer_cancel+0x15/0x20 [ 1814.851211] qdisc_watchdog_cancel+0x12/0x14 [ 1814.851383] netem_reset+0xe6/0xed [sch_netem] [ 1814.851561] qdisc_destroy+0x8b/0xe5 [ 1814.851723] qdisc_create_dflt+0x86/0x94 [ 1814.851890] ? dev_activate+0x129/0x129 [ 1814.852057] attach_one_default_qdisc+0x36/0x63 [ 1814.852232] netdev_for_each_tx_queue+0x3d/0x48 [ 1814.852406] dev_activate+0x4b/0x129 [ 1814.852569] __dev_open+0xe7/0x104 [ 1814.852730] __dev_change_flags+0xc6/0x15c [ 1814.852899] dev_change_flags+0x25/0x59 [ 1814.853064] do_setlink+0x30c/0xb3f [ 1814.853228] ? check_chain_key+0xb0/0xfd [ 1814.853396] ? check_chain_key+0xb0/0xfd [ 1814.853565] rtnl_newlink+0x3a4/0x729 [ 1814.853728] ? rtnl_newlink+0x117/0x729 [ 1814.853905] ? ns_capable_common+0xd/0xb1 [ 1814.854072] ? ns_capable+0x13/0x15 [ 1814.854234] rtnetlink_rcv_msg+0x188/0x197 [ 1814.854404] ? rcu_read_unlock+0x3e/0x5f [ 1814.854572] ? rtnl_newlink+0x729/0x729 [ 1814.854737] netlink_rcv_skb+0x6c/0xce [ 1814.854902] rtnetlink_rcv+0x23/0x2a [ 1814.855064] netlink_unicast+0x103/0x181 [ 1814.855230] netlink_sendmsg+0x326/0x337 [ 1814.855398] sock_sendmsg_nosec+0x14/0x3f [ 1814.855584] sock_sendmsg+0x29/0x2e [ 1814.855747] ___sys_sendmsg+0x209/0x28b [ 1814.855912] ? do_raw_spin_unlock+0xcd/0xf8 [ 1814.856082] ? _raw_spin_unlock+0x27/0x31 [ 1814.856251] ? __handle_mm_fault+0x651/0xdb1 [ 1814.856421] ? check_chain_key+0xb0/0xfd [ 1814.856592] __sys_sendmsg+0x45/0x63 [ 1814.856755] ? __sys_sendmsg+0x45/0x63 [ 1814.856923] SyS_sendmsg+0x19/0x1b [ 1814.857083] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 1814.857256] RIP: 0033:0x7f733b2dd690 [ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690 [ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003 [ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003 [ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002 [ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000 [ 1814.859267] ? trace_hardirqs_off_caller+0xa7/0xcf [ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3 31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b 45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89 [ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590 [ 1814.860214] CR2: 0000000000000000 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit bab76fa57b0a989367a247dc415ced410367444a Author: Nikolay Aleksandrov Date: Wed Aug 30 12:49:01 2017 +0300 sch_cbq: fix null pointer dereferences on init failure commit 3501d059921246ff617b43e86250a719c140bd97 upstream. CBQ can fail on ->init by wrong nl attributes or simply for missing any, f.e. if it's set as a default qdisc then TCA_OPTIONS (opt) will be NULL when it is activated. The first thing init does is parse opt but it will dereference a null pointer if used as a default qdisc, also since init failure at default qdisc invokes ->reset() which cancels all timers then we'll also dereference two more null pointers (timer->base) as they were never initialized. To reproduce: $ sysctl net.core.default_qdisc=cbq $ ip l set ethX up Crash log of the first null ptr deref: [44727.907454] BUG: unable to handle kernel NULL pointer dereference at (null) [44727.907600] IP: cbq_init+0x27/0x205 [44727.907676] PGD 59ff4067 [44727.907677] P4D 59ff4067 [44727.907742] PUD 59c70067 [44727.907807] PMD 0 [44727.907873] [44727.907982] Oops: 0000 [#1] SMP [44727.908054] Modules linked in: [44727.908126] CPU: 1 PID: 21312 Comm: ip Not tainted 4.13.0-rc6+ #60 [44727.908235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [44727.908477] task: ffff88005ad42700 task.stack: ffff880037214000 [44727.908672] RIP: 0010:cbq_init+0x27/0x205 [44727.908838] RSP: 0018:ffff8800372175f0 EFLAGS: 00010286 [44727.909018] RAX: ffffffff816c3852 RBX: ffff880058c53800 RCX: 0000000000000000 [44727.909222] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff8800372175f8 [44727.909427] RBP: ffff880037217650 R08: ffffffff81b0f380 R09: 0000000000000000 [44727.909631] R10: ffff880037217660 R11: 0000000000000020 R12: ffffffff822a44c0 [44727.909835] R13: ffff880058b92000 R14: 00000000ffffffff R15: 0000000000000001 [44727.910040] FS: 00007ff8bc583740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000 [44727.910339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [44727.910525] CR2: 0000000000000000 CR3: 00000000371e5000 CR4: 00000000000406e0 [44727.910731] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [44727.910936] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [44727.911141] Call Trace: [44727.911291] ? lockdep_init_map+0xb6/0x1ba [44727.911461] ? qdisc_alloc+0x14e/0x187 [44727.911626] qdisc_create_dflt+0x7a/0x94 [44727.911794] ? dev_activate+0x129/0x129 [44727.911959] attach_one_default_qdisc+0x36/0x63 [44727.912132] netdev_for_each_tx_queue+0x3d/0x48 [44727.912305] dev_activate+0x4b/0x129 [44727.912468] __dev_open+0xe7/0x104 [44727.912631] __dev_change_flags+0xc6/0x15c [44727.912799] dev_change_flags+0x25/0x59 [44727.912966] do_setlink+0x30c/0xb3f [44727.913129] ? check_chain_key+0xb0/0xfd [44727.913294] ? check_chain_key+0xb0/0xfd [44727.913463] rtnl_newlink+0x3a4/0x729 [44727.913626] ? rtnl_newlink+0x117/0x729 [44727.913801] ? ns_capable_common+0xd/0xb1 [44727.913968] ? ns_capable+0x13/0x15 [44727.914131] rtnetlink_rcv_msg+0x188/0x197 [44727.914300] ? rcu_read_unlock+0x3e/0x5f [44727.914465] ? rtnl_newlink+0x729/0x729 [44727.914630] netlink_rcv_skb+0x6c/0xce [44727.914796] rtnetlink_rcv+0x23/0x2a [44727.914956] netlink_unicast+0x103/0x181 [44727.915122] netlink_sendmsg+0x326/0x337 [44727.915291] sock_sendmsg_nosec+0x14/0x3f [44727.915459] sock_sendmsg+0x29/0x2e [44727.915619] ___sys_sendmsg+0x209/0x28b [44727.915784] ? do_raw_spin_unlock+0xcd/0xf8 [44727.915954] ? _raw_spin_unlock+0x27/0x31 [44727.916121] ? __handle_mm_fault+0x651/0xdb1 [44727.916290] ? check_chain_key+0xb0/0xfd [44727.916461] __sys_sendmsg+0x45/0x63 [44727.916626] ? __sys_sendmsg+0x45/0x63 [44727.916792] SyS_sendmsg+0x19/0x1b [44727.916950] entry_SYSCALL_64_fastpath+0x23/0xc2 [44727.917125] RIP: 0033:0x7ff8bbc96690 [44727.917286] RSP: 002b:00007ffc360991e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [44727.917579] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007ff8bbc96690 [44727.917783] RDX: 0000000000000000 RSI: 00007ffc36099230 RDI: 0000000000000003 [44727.917987] RBP: ffff880037217f98 R08: 0000000000000001 R09: 0000000000000003 [44727.918190] R10: 00007ffc36098fb0 R11: 0000000000000246 R12: 0000000000000006 [44727.918393] R13: 000000000066f1a0 R14: 00007ffc360a12e0 R15: 0000000000000000 [44727.918597] ? trace_hardirqs_off_caller+0xa7/0xcf [44727.918774] Code: 41 5f 5d c3 66 66 66 66 90 55 48 8d 56 04 45 31 c9 49 c7 c0 80 f3 b0 81 48 89 e5 41 55 41 54 53 48 89 fb 48 8d 7d a8 48 83 ec 48 <0f> b7 0e be 07 00 00 00 83 e9 04 e8 e6 f7 d8 ff 85 c0 0f 88 bb [44727.919332] RIP: cbq_init+0x27/0x205 RSP: ffff8800372175f0 [44727.919516] CR2: 0000000000000000 Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [bwh: Backported to 3.2: - Keep using HRTIMER_MODE_ABS - Adjust context] Signed-off-by: Ben Hutchings commit c80cb643423d8ea1748f57c51480742f554830ec Author: Nikolay Aleksandrov Date: Wed Aug 30 12:49:00 2017 +0300 sch_hfsc: fix null pointer deref and double free on init failure commit 3bdac362a2f89ed3e148fa6f38c5f5d858f50b1a upstream. Depending on where ->init fails we can get a null pointer deref due to uninitialized hires timer (watchdog) or a double free of the qdisc hash because it is already freed by ->destroy(). Fixes: 8d5537387505 ("net/sched/hfsc: allocate tcf block for hfsc root class") Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [bwh: Backported to 3.2: sch_hfsc doesn't use a tcf block] Signed-off-by: Ben Hutchings commit 1c2197aa2ed034eb01faf94aa0b4e3a972216244 Author: Nikolay Aleksandrov Date: Wed Aug 30 12:48:58 2017 +0300 sch_multiq: fix double free on init failure commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream. The below commit added a call to ->destroy() on init failure, but multiq still frees ->queues on error in init, but ->queues is also freed by ->destroy() thus we get double free and corrupted memory. Very easy to reproduce (eth0 not multiqueue): $ tc qdisc add dev eth0 root multiq RTNETLINK answers: Operation not supported $ ip l add dumdum type dummy (crash) Trace log: [ 3929.467747] general protection fault: 0000 [#1] SMP [ 3929.468083] Modules linked in: [ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56 [ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000 [ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be [ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246 [ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df [ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020 [ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000 [ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564 [ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00 [ 3929.471869] FS: 00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 3929.472286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0 [ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3929.474873] Call Trace: [ 3929.475337] ? kstrdup_const+0x23/0x25 [ 3929.475863] kstrdup+0x2e/0x4b [ 3929.476338] kstrdup_const+0x23/0x25 [ 3929.478084] __kernfs_new_node+0x28/0xbc [ 3929.478478] kernfs_new_node+0x35/0x55 [ 3929.478929] kernfs_create_link+0x23/0x76 [ 3929.479478] sysfs_do_create_link_sd.isra.2+0x85/0xd7 [ 3929.480096] sysfs_create_link+0x33/0x35 [ 3929.480649] device_add+0x200/0x589 [ 3929.481184] netdev_register_kobject+0x7c/0x12f [ 3929.481711] register_netdevice+0x373/0x471 [ 3929.482174] rtnl_newlink+0x614/0x729 [ 3929.482610] ? rtnl_newlink+0x17f/0x729 [ 3929.483080] rtnetlink_rcv_msg+0x188/0x197 [ 3929.483533] ? rcu_read_unlock+0x3e/0x5f [ 3929.483984] ? rtnl_newlink+0x729/0x729 [ 3929.484420] netlink_rcv_skb+0x6c/0xce [ 3929.484858] rtnetlink_rcv+0x23/0x2a [ 3929.485291] netlink_unicast+0x103/0x181 [ 3929.485735] netlink_sendmsg+0x326/0x337 [ 3929.486181] sock_sendmsg_nosec+0x14/0x3f [ 3929.486614] sock_sendmsg+0x29/0x2e [ 3929.486973] ___sys_sendmsg+0x209/0x28b [ 3929.487340] ? do_raw_spin_unlock+0xcd/0xf8 [ 3929.487719] ? _raw_spin_unlock+0x27/0x31 [ 3929.488092] ? __handle_mm_fault+0x651/0xdb1 [ 3929.488471] ? check_chain_key+0xb0/0xfd [ 3929.488847] __sys_sendmsg+0x45/0x63 [ 3929.489206] ? __sys_sendmsg+0x45/0x63 [ 3929.489576] SyS_sendmsg+0x19/0x1b [ 3929.489901] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 3929.490172] RIP: 0033:0x7f0b6fb93690 [ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690 [ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003 [ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000 [ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002 [ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000 [ 3929.492352] ? trace_hardirqs_off_caller+0xa7/0xcf [ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44 89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d 8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01 [ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: f07d1501292b ("multiq: Further multiqueue cleanup") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [bwh: Backported to 3.2: delete now-unused 'err' variable] Signed-off-by: Ben Hutchings commit dba1fd9993877e4a8ea0f2e8059d4140c7dcc0b6 Author: Nikolay Aleksandrov Date: Wed Aug 30 12:48:57 2017 +0300 sch_htb: fix crash on init failure commit 88c2ace69dbef696edba77712882af03879abc9c upstream. The commit below added a call to the ->destroy() callback for all qdiscs which failed in their ->init(), but some were not prepared for such change and can't handle partially initialized qdisc. HTB is one of them and if any error occurs before the qdisc watchdog timer and qdisc work are initialized then we can hit either a null ptr deref (timer->base) when canceling in ->destroy or lockdep error info about trying to register a non-static key and a stack dump. So to fix these two move the watchdog timer and workqueue init before anything that can err out. To reproduce userspace needs to send broken htb qdisc create request, tested with a modified tc (q_htb.c). Trace log: [ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null) [ 2710.897977] IP: hrtimer_active+0x17/0x8a [ 2710.898174] PGD 58fab067 [ 2710.898175] P4D 58fab067 [ 2710.898353] PUD 586c0067 [ 2710.898531] PMD 0 [ 2710.898710] [ 2710.899045] Oops: 0000 [#1] SMP [ 2710.899232] Modules linked in: [ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54 [ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000 [ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a [ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246 [ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000 [ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298 [ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001 [ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000 [ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0 [ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000 [ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0 [ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2710.903180] Call Trace: [ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93 [ 2710.903504] hrtimer_cancel+0x15/0x20 [ 2710.903667] qdisc_watchdog_cancel+0x12/0x14 [ 2710.903866] htb_destroy+0x2e/0xf7 [ 2710.904097] qdisc_create+0x377/0x3fd [ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd [ 2710.904511] rtnetlink_rcv_msg+0x188/0x197 [ 2710.904682] ? rcu_read_unlock+0x3e/0x5f [ 2710.904849] ? rtnl_newlink+0x729/0x729 [ 2710.905017] netlink_rcv_skb+0x6c/0xce [ 2710.905183] rtnetlink_rcv+0x23/0x2a [ 2710.905345] netlink_unicast+0x103/0x181 [ 2710.905511] netlink_sendmsg+0x326/0x337 [ 2710.905679] sock_sendmsg_nosec+0x14/0x3f [ 2710.905847] sock_sendmsg+0x29/0x2e [ 2710.906010] ___sys_sendmsg+0x209/0x28b [ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8 [ 2710.906346] ? _raw_spin_unlock+0x27/0x31 [ 2710.906514] ? __handle_mm_fault+0x651/0xdb1 [ 2710.906685] ? check_chain_key+0xb0/0xfd [ 2710.906855] __sys_sendmsg+0x45/0x63 [ 2710.907018] ? __sys_sendmsg+0x45/0x63 [ 2710.907185] SyS_sendmsg+0x19/0x1b [ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2 Note that probably this bug goes further back because the default qdisc handling always calls ->destroy on init failure too. Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 7df9c70f74dcb511381c65334f785fc84c39e5a7 Author: Eric Dumazet Date: Fri Feb 10 10:31:49 2017 -0800 net_sched: fix error recovery at qdisc creation commit 87b60cfacf9f17cf71933c6e33b66e68160af71d upstream. Dmitry reported uses after free in qdisc code [1] The problem here is that ops->init() can return an error. qdisc_create_dflt() then call ops->destroy(), while qdisc_create() does _not_ call it. Four qdisc chose to call their own ops->destroy(), assuming their caller would not. This patch makes sure qdisc_create() calls ops->destroy() and fixes the four qdisc to avoid double free. [1] BUG: KASAN: use-after-free in mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 at addr ffff8801d415d440 Read of size 8 by task syz-executor2/5030 CPU: 0 PID: 5030 Comm: syz-executor2 Not tainted 4.3.5-smp-DEV #119 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000046 ffff8801b435b870 ffffffff81bbbed4 ffff8801db000400 ffff8801d415d440 ffff8801d415dc40 ffff8801c4988510 ffff8801b435b898 ffffffff816682b1 ffff8801b435b928 ffff8801d415d440 ffff8801c49880c0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x6c/0x98 lib/dump_stack.c:51 [] kasan_object_err+0x21/0x70 mm/kasan/report.c:158 [] print_address_description mm/kasan/report.c:196 [inline] [] kasan_report_error+0x1b4/0x4b0 mm/kasan/report.c:285 [] kasan_report mm/kasan/report.c:305 [inline] [] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:326 [] mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 [] qdisc_destroy+0x12d/0x290 net/sched/sch_generic.c:953 [] qdisc_create_dflt+0xf0/0x120 net/sched/sch_generic.c:848 [] attach_default_qdiscs net/sched/sch_generic.c:1029 [inline] [] dev_activate+0x6ad/0x880 net/sched/sch_generic.c:1064 [] __dev_open+0x221/0x320 net/core/dev.c:1403 [] __dev_change_flags+0x15e/0x3e0 net/core/dev.c:6858 [] dev_change_flags+0x8e/0x140 net/core/dev.c:6926 [] dev_ifsioc+0x446/0x890 net/core/dev_ioctl.c:260 [] dev_ioctl+0x1ba/0xb80 net/core/dev_ioctl.c:546 [] sock_do_ioctl+0x99/0xb0 net/socket.c:879 [] sock_ioctl+0x2a0/0x390 net/socket.c:958 [] vfs_ioctl fs/ioctl.c:44 [inline] [] do_vfs_ioctl+0x8a8/0xe50 fs/ioctl.c:611 [] SYSC_ioctl fs/ioctl.c:626 [inline] [] SyS_ioctl+0x94/0xc0 fs/ioctl.c:617 [] entry_SYSCALL_64_fastpath+0x12/0x17 Signed-off-by: Eric Dumazet Reported-by: Dmitry Vyukov Signed-off-by: David S. Miller [bwh: Backported to 3.2: - Drop changes to sch_hhf (doesn't exist) and sch_sfq (doesn't have this bug) - Adjust context] Signed-off-by: Ben Hutchings commit 70e9d1906a0fc524bd8d8ba371debb3abcb8cf5b Author: Steve French Date: Sun Aug 27 16:56:08 2017 -0500 CIFS: remove endian related sparse warning commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream. Recent patch had an endian warning ie cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() Signed-off-by: Steve French CC: Ronnie Sahlberg Acked-by: Pavel Shilovsky [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 3a8d1a0bec2f09ad46e03850abfb3bfd3fe7aeda Author: Ben Hutchings Date: Thu Oct 1 01:35:55 2015 +0100 alpha: uapi: Add support for __SANE_USERSPACE_TYPES__ commit cec80d82142ab25c71eee24b529cfeaf17c43062 upstream. This fixes compiler errors in perf such as: tests/attr.c: In function 'store_event': tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=] snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir, ^ Signed-off-by: Ben Hutchings Tested-by: Michael Cree Signed-off-by: Matt Turner commit f26ddcdac427e02459ed6ec84dfde76719233756 Author: Tejun Heo Date: Mon Aug 28 14:51:27 2017 -0700 cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs commit b339752d054fb32863418452dff350a1086885b1 upstream. When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of @node. The assumption seems that if !NUMA, there shouldn't be more than one node and thus reporting cpu_online_mask regardless of @node is correct. However, that assumption was broken years ago to support DISCONTIGMEM and whether a system has multiple nodes or not is separately controlled by NEED_MULTIPLE_NODES. This means that, on a system with !NUMA && NEED_MULTIPLE_NODES, cpumask_of_node() will report cpu_online_mask for all possible nodes, indicating that the CPUs are associated with multiple nodes which is an impossible configuration. This bug has been around forever but doesn't look like it has caused any noticeable symptoms. However, it triggers a WARN recently added to workqueue to verify NUMA affinity configuration. Fix it by reporting empty cpumask on non-zero nodes if !NUMA. Signed-off-by: Tejun Heo Reported-and-tested-by: Geert Uytterhoeven Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 58ca58151b6b7c80d1b5628c6068f3b9c02b15ab Author: Wei Wang Date: Fri Aug 25 15:03:10 2017 -0700 ipv6: fix sparse warning on rt6i_node commit 4e587ea71bf924f7dac621f1351653bd41e446cb upstream. Commit c5cff8561d2d adds rcu grace period before freeing fib6_node. This generates a new sparse warning on rt->rt6i_node related code: net/ipv6/route.c:1394:30: error: incompatible types in comparison expression (different address spaces) ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison expression (different address spaces) This commit adds "__rcu" tag for rt6i_node and makes sure corresponding rcu API is used for it. After this fix, sparse no longer generates the above warning. Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node") Signed-off-by: Wei Wang Acked-by: Eric Dumazet Acked-by: Martin KaFai Lau Signed-off-by: David S. Miller [bwh: Backported to 3.2: - fib6_add_rt2node() has only one assignment to update - Drop changes in rt6_cache_allowed_for_pmtu() - Adjust context] Signed-off-by: Ben Hutchings commit a0fd6e87599055abd81716c16fbc5c13df8528e8 Author: Guillaume Nault Date: Fri Aug 25 16:51:46 2017 +0200 l2tp: hold tunnel used while creating sessions with netlink commit e702c1204eb57788ef189c839c8c779368267d70 upstream. Use l2tp_tunnel_get() to retrieve tunnel, so that it can't go away on us. Otherwise l2tp_tunnel_destruct() might release the last reference count concurrently, thus freeing the tunnel while we're using it. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit d47ca949d189f932857182fe098a6513a4d2545a Author: Guillaume Nault Date: Tue Apr 11 13:12:13 2017 +0200 l2tp: remove useless duplicate session detection in l2tp_netlink commit af87ae465abdc070de0dc35d6c6a9e7a8cd82987 upstream. There's no point in checking for duplicate sessions at the beginning of l2tp_nl_cmd_session_create(); the ->session_create() callbacks already return -EEXIST when the session already exists. Furthermore, even if l2tp_session_find() returns NULL, a new session might be created right after the test. So relying on ->session_create() to avoid duplicate session is the only sane behaviour. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: also delete the now-unused local variable] Signed-off-by: Ben Hutchings commit 37e611e909ecc247cb6a3cfa4b9bd74235025b00 Author: Guillaume Nault Date: Fri Aug 25 16:51:43 2017 +0200 l2tp: hold tunnel while handling genl TUNNEL_GET commands commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream. Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get a reference on the tunnel, preventing l2tp_tunnel_destruct() from freeing it from under us. Also move l2tp_tunnel_get() below nlmsg_new() so that we only take the reference when needed. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit a8f8415ccfd9d3cc99eef6342eb1f0e990e8347b Author: Guillaume Nault Date: Fri Aug 25 16:51:42 2017 +0200 l2tp: hold tunnel while handling genl tunnel updates commit 8c0e421525c9eb50d68e8f633f703ca31680b746 upstream. We need to make sure the tunnel is not going to be destroyed by l2tp_tunnel_destruct() concurrently. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 9bc71efe0a49f0c3d2d02fb9ad78330ef1f6c3da Author: Guillaume Nault Date: Fri Aug 25 16:51:42 2017 +0200 l2tp: hold tunnel while processing genl delete command commit bb0a32ce4389e17e47e198d2cddaf141561581ad upstream. l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to prevent it from being concurrently freed by l2tp_tunnel_destruct(). Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 303729df68d582e92eea7e8ca3bb2286a5ee0388 Author: Guillaume Nault Date: Fri Aug 25 16:51:40 2017 +0200 l2tp: hold tunnel while looking up sessions in l2tp_netlink commit 54652eb12c1b72e9602d09cb2821d5760939190f upstream. l2tp_tunnel_find() doesn't take a reference on the returned tunnel. Therefore, it's unsafe to use it because the returned tunnel can go away on us anytime. Fix this by defining l2tp_tunnel_get(), which works like l2tp_tunnel_find(), but takes a reference on the returned tunnel. Caller then has to drop this reference using l2tp_tunnel_dec_refcount(). As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code has been broken (not even compiling) in May 2012 by commit a4ca44fa578c ("net: l2tp: Standardize logging styles") and fixed more than two years later by commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it doesn't appear to be used by anyone. Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h, let's just simplify things and call kfree_rcu() directly in l2tp_tunnel_dec_refcount(). Extra assertions and debugging code provided by l2tp_tunnel_free() didn't help catching any of the reference counting and socket handling issues found while working on this series. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: l2tp_tunnel_free() does more than just kfree_rcu(), so don't remove it] Signed-off-by: Ben Hutchings commit 9b8a799108b6060bc96d5ad6e35789d4bcbe7969 Author: Guillaume Nault Date: Wed Apr 12 10:05:29 2017 +0200 l2tp: define parameters of l2tp_session_get*() as "const" commit 9aaef50c44f132e040dcd7686c8e78a3390037c5 upstream. Make l2tp_pernet()'s parameter constant, so that l2tp_session_get*() can declare their "net" variable as "const". Also constify "ifname" in l2tp_session_get_by_ifname(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 81beca86edb32fbf5cec019d522889b765539639 Author: Guillaume Nault Date: Fri Aug 25 16:22:17 2017 +0200 l2tp: initialise session's refcount before making it reachable commit 9ee369a405c57613d7c83a3967780c3e30c52ecc upstream. Sessions must be fully initialised before calling l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame where partially initialised sessions can be accessed by external users. Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: keep using l2tp_session_inc_refcount()] Signed-off-by: Ben Hutchings commit 62b3046afa78f34d1e05997ce86e4ce6f2f060d1 Author: Bart Van Assche Date: Wed Aug 9 11:32:11 2017 -0700 dm: fix printk() rate limiting code commit 604407890ecf624c2fb41013c82b22aade59b455 upstream. Using the same rate limiting state for different kinds of messages is wrong because this can cause a high frequency message to suppress a report of a low frequency message. Hence use a unique rate limiting state per message type. Fixes: 71a16736a15e ("dm: use local printk ratelimit") Signed-off-by: Bart Van Assche Signed-off-by: Mike Snitzer Signed-off-by: Ben Hutchings commit b3a6804d1ad844ec55aa96e81cae1825313daf11 Author: Joe Perches Date: Thu Apr 20 10:46:07 2017 -0700 dm: convert DM printk macros to pr_ macros commit d2c3c8dcb5987b8352e82089c79a41b6e17e28d2 upstream. Using pr_ is the more common logging style. Standardize style and use new macro DM_FMT. Use no_printk in DMDEBUG macros when CONFIG_DM_DEBUG is not #defined. Signed-off-by: Joe Perches Signed-off-by: Mike Snitzer Signed-off-by: Ben Hutchings commit 27558df8159c056fb5d84511b4aef3381cc93242 Author: Mathias Krause Date: Sat Aug 26 17:09:00 2017 +0200 xfrm_user: fix info leak in build_aevent() commit 931e79d7a7ddee4709c56b39de169a36804589a1 upstream. The memory reserved to dump the ID of the xfrm state includes a padding byte in struct xfrm_usersa_id added by the compiler for alignment. To prevent the heap info leak, memset(0) the sa_id before filling it. Cc: Jamal Hadi Salim Fixes: d51d081d6504 ("[IPSEC]: Sync series - user") Signed-off-by: Mathias Krause Signed-off-by: Steffen Klassert [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 2b666024123b0ba131d4fb2c3f7584ceb41feee6 Author: Mathias Krause Date: Sat Aug 26 17:08:58 2017 +0200 xfrm_user: fix info leak in xfrm_notify_sa() commit 50329c8a340c9dea60d837645fcf13fc36bfb84d upstream. The memory reserved to dump the ID of the xfrm state includes a padding byte in struct xfrm_usersa_id added by the compiler for alignment. To prevent the heap info leak, memset(0) the whole struct before filling it. Cc: Herbert Xu Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification") Signed-off-by: Mathias Krause Signed-off-by: Steffen Klassert Signed-off-by: Ben Hutchings commit be2539a9b072d882141d3b4bfd7b2052c0370b22 Author: Florian Fainelli Date: Thu Aug 24 18:34:43 2017 -0700 r8169: Do not increment tx_dropped in TX ring cleaning commit 1089650d8837095f63e001bbf14d7b48043d67ad upstream. rtl8169_tx_clear_range() is responsible for cleaning up the TX ring during interface shutdown, incrementing tx_dropped for every SKB that we left at the time in the ring is misleading. Fixes: cac4b22f3d6a ("r8169: do not account fragments as packets") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 239dd6f928f51241453c6d0b19eb6143774e0879 Author: Steffen Klassert Date: Fri Aug 25 09:05:42 2017 +0200 ipv6: Fix may be used uninitialized warning in rt6_check commit 3614364527daa870264f6dde77f02853cdecd02c upstream. rt_cookie might be used uninitialized, fix this by initializing it. Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node") Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit e2a6e2a4dfb9e36ec34bc7a5817a1f36bc95998e Author: Wei Wang Date: Mon Aug 21 09:47:10 2017 -0700 ipv6: add rcu grace period before freeing fib6_node commit c5cff8561d2d0006e972bd114afd51f082fee77c upstream. We currently keep rt->rt6i_node pointing to the fib6_node for the route. And some functions make use of this pointer to dereference the fib6_node from rt structure, e.g. rt6_check(). However, as there is neither refcount nor rcu taken when dereferencing rt->rt6i_node, it could potentially cause crashes as rt->rt6i_node could be set to NULL by other CPUs when doing a route deletion. This patch introduces an rcu grace period before freeing fib6_node and makes sure the functions that dereference it takes rcu_read_lock(). Note: there is no "Fixes" tag because this bug was there in a very early stage. Signed-off-by: Wei Wang Acked-by: Eric Dumazet Acked-by: Martin KaFai Lau Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 22d2b8ef67c6f31540bf8bf141bba5adca231009 Author: Martin KaFai Lau Date: Fri May 22 20:56:01 2015 -0700 ipv6: Add rt6_get_cookie() function commit b197df4f0f3782782e9ea8996e91b65ae33e8dd9 upstream. Instead of doing the rt6->rt6i_node check whenever we need to get the route's cookie. Refactor it into rt6_get_cookie(). It is a prep work to handle FLOWI_FLAG_KNOWN_NH and also percpu rt6_info later. Signed-off-by: Martin KaFai Lau Cc: Hannes Frederic Sowa Cc: Steffen Klassert Cc: Julian Anastasov Signed-off-by: David S. Miller [bwh: Backported to 3.2: - Drop changes in inet6_sk_rx_dst_set(), sctp_v6_get_dst() - Adjust context] Signed-off-by: Ben Hutchings commit abf387aec55213809ce53091979dbb383b150085 Author: Chen Yu Date: Fri Aug 25 15:55:30 2017 -0700 PM/hibernate: touch NMI watchdog when creating snapshot commit 556b969a1cfe2686aae149137fa1dfcac0eefe54 upstream. There is a problem that when counting the pages for creating the hibernation snapshot will take significant amount of time, especially on system with large memory. Since the counting job is performed with irq disabled, this might lead to NMI lockup. The following warning were found on a system with 1.5TB DRAM: Freezing user space processes ... (elapsed 0.002 seconds) done. OOM killer disabled. PM: Preallocating image memory... NMI watchdog: Watchdog detected hard LOCKUP on cpu 27 CPU: 27 PID: 3128 Comm: systemd-sleep Not tainted 4.13.0-0.rc2.git0.1.fc27.x86_64 #1 task: ffff9f01971ac000 task.stack: ffffb1a3f325c000 RIP: 0010:memory_bm_find_bit+0xf4/0x100 Call Trace: swsusp_set_page_free+0x2b/0x30 mark_free_pages+0x147/0x1c0 count_data_pages+0x41/0xa0 hibernate_preallocate_memory+0x80/0x450 hibernation_snapshot+0x58/0x410 hibernate+0x17c/0x310 state_store+0xdf/0xf0 kobj_attr_store+0xf/0x20 sysfs_kf_write+0x37/0x40 kernfs_fop_write+0x11c/0x1a0 __vfs_write+0x37/0x170 vfs_write+0xb1/0x1a0 SyS_write+0x55/0xc0 entry_SYSCALL_64_fastpath+0x1a/0xa5 ... done (allocated 6590003 pages) PM: Allocated 26360012 kbytes in 19.89 seconds (1325.28 MB/s) It has taken nearly 20 seconds(2.10GHz CPU) thus the NMI lockup was triggered. In case the timeout of the NMI watch dog has been set to 1 second, a safe interval should be 6590003/20 = 320k pages in theory. However there might also be some platforms running at a lower frequency, so feed the watchdog every 100k pages. [yu.c.chen@intel.com: simplification] Link: http://lkml.kernel.org/r/1503460079-29721-1-git-send-email-yu.c.chen@intel.com [yu.c.chen@intel.com: use interval of 128k instead of 100k to avoid modulus] Link: http://lkml.kernel.org/r/1503328098-5120-1-git-send-email-yu.c.chen@intel.com Signed-off-by: Chen Yu Reported-by: Jan Filipcewicz Suggested-by: Michal Hocko Reviewed-by: Michal Hocko Acked-by: Rafael J. Wysocki Cc: Mel Gorman Cc: Vlastimil Babka Cc: Len Brown Cc: Dan Williams Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 116dc14b8304162144cdba3666030b7d53e61dc2 Author: Mark Rutland Date: Thu Jun 22 15:41:38 2017 +0100 perf/core: Fix group {cpu,task} validation commit 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e upstream. Regardless of which events form a group, it does not make sense for the events to target different tasks and/or CPUs, as this leaves the group inconsistent and impossible to schedule. The core perf code assumes that these are consistent across (successfully intialised) groups. Core perf code only verifies this when moving SW events into a HW context. Thus, we can violate this requirement for pure SW groups and pure HW groups, unless the relevant PMU driver happens to perform this verification itself. These mismatched groups subsequently wreak havoc elsewhere. For example, we handle watchpoints as SW events, and reserve watchpoint HW on a per-CPU basis at pmu::event_init() time to ensure that any event that is initialised is guaranteed to have a slot at pmu::add() time. However, the core code only checks the group leader's cpu filter (via event_filter_match()), and can thus install follower events onto CPUs violating thier (mismatched) CPU filters, potentially installing them into a CPU without sufficient reserved slots. This can be triggered with the below test case, resulting in warnings from arch backends. #define _GNU_SOURCE #include #include #include #include #include #include #include static int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags) { return syscall(__NR_perf_event_open, attr, pid, cpu, group_fd, flags); } char watched_char; struct perf_event_attr wp_attr = { .type = PERF_TYPE_BREAKPOINT, .bp_type = HW_BREAKPOINT_RW, .bp_addr = (unsigned long)&watched_char, .bp_len = 1, .size = sizeof(wp_attr), }; int main(int argc, char *argv[]) { int leader, ret; cpu_set_t cpus; /* * Force use of CPU0 to ensure our CPU0-bound events get scheduled. */ CPU_ZERO(&cpus); CPU_SET(0, &cpus); ret = sched_setaffinity(0, sizeof(cpus), &cpus); if (ret) { printf("Unable to set cpu affinity\n"); return 1; } /* open leader event, bound to this task, CPU0 only */ leader = perf_event_open(&wp_attr, 0, 0, -1, 0); if (leader < 0) { printf("Couldn't open leader: %d\n", leader); return 1; } /* * Open a follower event that is bound to the same task, but a * different CPU. This means that the group should never be possible to * schedule. */ ret = perf_event_open(&wp_attr, 0, 1, leader, 0); if (ret < 0) { printf("Couldn't open mismatched follower: %d\n", ret); return 1; } else { printf("Opened leader/follower with mismastched CPUs\n"); } /* * Open as many independent events as we can, all bound to the same * task, CPU0 only. */ do { ret = perf_event_open(&wp_attr, 0, 0, -1, 0); } while (ret >= 0); /* * Force enable/disble all events to trigger the erronoeous * installation of the follower event. */ printf("Opened all events. Toggling..\n"); for (;;) { prctl(PR_TASK_PERF_EVENTS_DISABLE, 0, 0, 0, 0); prctl(PR_TASK_PERF_EVENTS_ENABLE, 0, 0, 0, 0); } return 0; } Fix this by validating this requirement regardless of whether we're moving events. Signed-off-by: Mark Rutland Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Zhou Chengming Link: http://lkml.kernel.org/r/1498142498-15758-1-git-send-email-mark.rutland@arm.com Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings commit 5f542f7740bc8db862b8078e6a621ee7a13427b8 Author: Peter Zijlstra Date: Fri Jan 23 11:19:48 2015 +0100 perf: Tighten (and fix) the grouping condition commit c3c87e770458aa004bd7ed3f29945ff436fd6511 upstream. The fix from 9fc81d87420d ("perf: Fix events installation during moving group") was incomplete in that it failed to recognise that creating a group with events for different CPUs is semantically broken -- they cannot be co-scheduled. Furthermore, it leads to real breakage where, when we create an event for CPU Y and then migrate it to form a group on CPU X, the code gets confused where the counter is programmed -- triggered in practice as well by me via the perf fuzzer. Fix this by tightening the rules for creating groups. Only allow grouping of counters that can be co-scheduled in the same context. This means for the same task and/or the same cpu. Fixes: 9fc81d87420d ("perf: Fix events installation during moving group") Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings commit 5d093344a90a5a6bbe6fde90d2d23370f029df0c Author: Arnd Bergmann Date: Wed Aug 23 15:59:49 2017 +0200 qlge: avoid memcpy buffer overflow commit e58f95831e7468d25eb6e41f234842ecfe6f014f upstream. gcc-8.0.0 (snapshot) points out that we copy a variable-length string into a fixed length field using memcpy() with the destination length, and that ends up copying whatever follows the string: inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2: drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=] memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1); Changing it to use strncpy() will instead zero-pad the destination, which seems to be the right thing to do here. The bug is probably harmless, but it seems like a good idea to address it in stable kernels as well, if only for the purpose of building with gcc-8 without warnings. Fixes: a61f80261306 ("qlge: Add ethtool register dump function.") Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit ae91ea20bd9da01e477bfcc474f717f2a1b36ff8 Author: Ronnie Sahlberg Date: Wed Aug 23 14:48:14 2017 +1000 cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() commit d3edede29f74d335f81d95a4588f5f136a9f7dcf upstream. Add checking for the path component length and verify it is <= the maximum that the server advertizes via FileFsAttributeInformation. With this patch cifs.ko will now return ENAMETOOLONG instead of ENOENT when users to access an overlong path. To test this, try to cd into a (non-existing) directory on a CIFS share that has a too long name: cd /mnt/aaaaaaaaaaaaaaa... and it now should show a good error message from the shell: bash: cd: /mnt/aaaaaaaaaaaaaaaa...aaaaaa: File name too long rh bz 1153996 Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French [bwh: Backported to 3.2: name checks are done only in cifs_lookup()] Signed-off-by: Ben Hutchings commit 88658a57f08e627849fce1bf154d54811742057c Author: Takashi Iwai Date: Wed Aug 23 09:30:17 2017 +0200 ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) commit bbba6f9d3da357bbabc6fda81e99ff5584500e76 upstream. Lenovo G50-70 (17aa:3978) with Conexant codec chip requires the similar workaround for the inverted stereo dmic like other Lenovo models. Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1020657 Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 30e9111ccd2919150e4217922e8053f4c1ab20de Author: Stefano Brivio Date: Fri Aug 18 14:40:53 2017 +0200 ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() commit 3de33e1ba0506723ab25734e098cf280ecc34756 upstream. A packet length of exactly IPV6_MAXPLEN is allowed, we should refuse parsing options only if the size is 64KiB or more. While at it, remove one extra variable and one assignment which were also introduced by the commit that introduced the size check. Checking the sum 'offset + len' and only later adding 'len' to 'offset' doesn't provide any advantage over directly summing to 'offset' and checking it. Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt") Signed-off-by: Stefano Brivio Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 5bb5cc4ec4fa756070edf5e851fa9607dbf6d3a8 Author: Takashi Iwai Date: Tue Aug 22 08:15:13 2017 +0200 ALSA: core: Fix unexpected error at replacing user TLV commit 88c54cdf61f508ebcf8da2d819f5dfc03e954d1d upstream. When user tries to replace the user-defined control TLV, the kernel checks the change of its content via memcmp(). The problem is that the kernel passes the return value from memcmp() as is. memcmp() gives a non-zero negative value depending on the comparison result, and this shall be recognized as an error code. The patch covers that corner-case, return 1 properly for the changed TLV. Fixes: 8aa9b586e420 ("[ALSA] Control API - more robust TLV implementation") Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit b24bc551bf907ff6a5200b990a95b43a1938123b Author: Aaron Ma Date: Fri Aug 18 12:17:21 2017 -0700 Input: trackpoint - add new trackpoint firmware ID commit ec667683c532c93fb41e100e5d61a518971060e2 upstream. Synaptics add new TP firmware ID: 0x2 and 0x3, for now both lower 2 bits are indicated as TP. Change the constant to bitwise values. This makes trackpoint to be recognized on Lenovo Carbon X1 Gen5 instead of it being identified as "PS/2 Generic Mouse". Signed-off-by: Aaron Ma Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit cb46e434ba111d1fd83dcb8bcc44c404e9d12a16 Author: zhong jiang Date: Fri Aug 18 15:16:24 2017 -0700 mm/mempolicy: fix use after free when calling get_mempolicy commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream. I hit a use after free issue when executing trinity and repoduced it with KASAN enabled. The related call trace is as follows. BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766 Read of size 2 by task syz-executor1/798 INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799 __slab_alloc+0x768/0x970 kmem_cache_alloc+0x2e7/0x450 mpol_new.part.2+0x74/0x160 mpol_new+0x66/0x80 SyS_mbind+0x267/0x9f0 system_call_fastpath+0x16/0x1b INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799 __slab_free+0x495/0x8e0 kmem_cache_free+0x2f3/0x4c0 __mpol_put+0x2b/0x40 SyS_mbind+0x383/0x9f0 system_call_fastpath+0x16/0x1b INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080 INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600 Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk. Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb ........ Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ Memory state around the buggy address: ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc !shared memory policy is not protected against parallel removal by other thread which is normally protected by the mmap_sem. do_get_mempolicy, however, drops the lock midway while we can still access it later. Early premature up_read is a historical artifact from times when put_user was called in this path see https://lwn.net/Articles/124754/ but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_* layering in the memory policy layer."). but when we have the the current mempolicy ref count model. The issue was introduced accordingly. Fix the issue by removing the premature release. Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com Signed-off-by: zhong jiang Acked-by: Michal Hocko Cc: Minchan Kim Cc: Vlastimil Babka Cc: David Rientjes Cc: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 2d8d59253baf248b3aed6335fa3e17b233a44167 Author: Takashi Iwai Date: Wed Aug 16 14:18:37 2017 +0200 ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices commit 0f174b3525a43bd51f9397394763925e0ebe7bc7 upstream. C-Media devices (at least some models) mute the playback stream when volumes are set to the minimum value. But this isn't informed via TLV and the user-space, typically PulseAudio, gets confused as if it's still played in a low volume. This patch adds the new flag, min_mute, to struct usb_mixer_elem_info for indicating that the mixer element is with the minimum-mute volume. This flag is set for known C-Media devices in snd_usb_mixer_fu_apply_quirk() in turn. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196669 Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 02b1ca57b42bd07c90e45ab507fadec0c808bb1d Author: Thomas Bogendoerfer Date: Sat Aug 12 23:36:47 2017 +0200 parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo commit 4098116039911e8870d84c975e2ec22dab65a909 upstream. For 64bit kernels the lmmio_space_offset of the host bridge window isn't set correctly on systems with dino/cujo PCI host bridges. This leads to not assigned memory bars and failing drivers, which need to use these bars. Signed-off-by: Thomas Bogendoerfer Acked-by: Helge Deller Signed-off-by: Helge Deller Signed-off-by: Ben Hutchings commit c13e7423c71b5cb912aa7fb307b412f4d8d79cf6 Author: Jan Kara Date: Tue Aug 15 13:00:36 2017 +0200 audit: Fix use after free in audit_remove_watch_rule() commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream. audit_remove_watch_rule() drops watch's reference to parent but then continues to work with it. That is not safe as parent can get freed once we drop our reference. The following is a trivial reproducer: mount -o loop image /mnt touch /mnt/file auditctl -w /mnt/file -p wax umount /mnt auditctl -D Grab our own reference in audit_remove_watch_rule() earlier to make sure mark does not get freed under us. Reported-by: Tony Jones Signed-off-by: Jan Kara Tested-by: Tony Jones Signed-off-by: Paul Moore [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 861bde555a4d16330f82cb5e232d423e42468c98 Author: Eric Dumazet Date: Mon Aug 14 10:16:45 2017 -0700 af_key: do not use GFP_KERNEL in atomic contexts commit 36f41f8fc6d8aa9f8c9072d66ff7cf9055f5e69b upstream. pfkey_broadcast() might be called from non process contexts, we can not use GFP_KERNEL in these cases [1]. This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock() section. [1] : syzkaller reported : in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439 3 locks held by syzkaller183439/2932: #0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649 #1: (&pfk->dump_lock){+.+.+.}, at: [] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293 #2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [] spin_lock_bh include/linux/spinlock.h:304 [inline] #2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028 CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994 __might_sleep+0x95/0x190 kernel/sched/core.c:5947 slab_pre_alloc_hook mm/slab.h:416 [inline] slab_alloc mm/slab.c:3383 [inline] kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559 skb_clone+0x1a0/0x400 net/core/skbuff.c:1037 pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207 pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281 dump_sp+0x3d6/0x500 net/key/af_key.c:2685 xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042 pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695 pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299 pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722 pfkey_process+0x606/0x710 net/key/af_key.c:2814 pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 ___sys_sendmsg+0x755/0x890 net/socket.c:2035 __sys_sendmsg+0xe5/0x210 net/socket.c:2069 SYSC_sendmsg net/socket.c:2080 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2076 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x445d79 RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79 RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008 RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700 R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000 Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key") Signed-off-by: Eric Dumazet Reported-by: Dmitry Vyukov Cc: David Ahern Acked-by: David Ahern Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit fa992618a7e9301b9d894683542794c461fc6a91 Author: Omar Sandoval Date: Fri Aug 11 09:00:06 2017 -0700 xfs: fix inobt inode allocation search optimization commit c44245b3d5435f533ca8346ece65918f84c057f9 upstream. When we try to allocate a free inode by searching the inobt, we try to find the inode nearest the parent inode by searching chunks both left and right of the chunk containing the parent. As an optimization, we cache the leftmost and rightmost records that we previously searched; if we do another allocation with the same parent inode, we'll pick up the search where it last left off. There's a bug in the case where we found a free inode to the left of the parent's chunk: we need to update the cached left and right records, but because we already reassigned the right record to point to the left, we end up assigning the left record to both the cached left and right records. This isn't a correctness problem strictly, but it can result in the next allocation rechecking chunks unnecessarily or allocating inodes further away from the parent than it needs to. Fix it by swapping the record pointer after we update the cached left and right records. Fixes: bd169565993b ("xfs: speed up free inode search") Signed-off-by: Omar Sandoval Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 25f8872127547bc3162ab5914f289c2675f83f0c Author: Yishai Hadas Date: Tue Aug 1 09:41:36 2017 +0300 IB/uverbs: Fix device cleanup commit efdd6f53b10aead0f5cf19a93dd3eb268ac0d991 upstream. Uverbs device should be cleaned up only when there is no potential usage of. As part of ib_uverbs_remove_one which might be triggered upon reset flow the device reference count is decreased as expected and leave the final cleanup to the FDs that were opened. Current code increases reference count upon opening a new command FD and decreases it upon closing the file. The event FD is opened internally and rely on the command FD by taking on it a reference count. In case that the command FD was closed and just later the event FD we may ensure that the device resources as of srcu are still alive as they are still in use. Fixing the above by moving the reference count decreasing to the place where the command FD is really freed instead of doing that when it was just closed. fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications") Signed-off-by: Yishai Hadas Reviewed-by: Matan Barak Reviewed-by: Jason Gunthorpe Tested-by: Jason Gunthorpe Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit 68c76de3c2355927f22cd96f59a00fc7906d8777 Author: Leon Romanovsky Date: Tue Aug 1 09:41:35 2017 +0300 RDMA/uverbs: Prevent leak of reserved field commit f7a6cb7b38c6845b26aaa8bbdf519ff6e3090831 upstream. initialize to zero the response structure to prevent the leakage of "resp.reserved" field. drivers/infiniband/core/uverbs_cmd.c:1178 ib_uverbs_resize_cq() warn: check that 'resp.reserved' doesn't leak information Fixes: 33b9b3ee9709 ("IB: Add userspace support for resizing CQs") Signed-off-by: Leon Romanovsky Reviewed-by: Dennis Dalessandro Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit 9cc02d9d8003c1a1b01e3a482beaad1932c4e355 Author: Jan Kara Date: Wed Aug 2 13:32:30 2017 -0700 ocfs2: don't clear SGID when inheriting ACLs commit 19ec8e48582670c021e998b9deb88e39a842ff45 upstream. When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit set, DIR1 is expected to have SGID bit set (and owning group equal to the owning group of 'DIR0'). However when 'DIR0' also has some default ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on 'DIR1' to get cleared if user is not member of the owning group. Fix the problem by moving posix_acl_update_mode() out of ocfs2_set_acl() into ocfs2_iop_set_acl(). That way the function will not be called when inheriting ACLs which is what we want as it prevents SGID bit clearing and the mode has been properly set by posix_acl_create() anyway. Also posix_acl_chmod() that is calling ocfs2_set_acl() takes care of updating mode itself. Fixes: 073931017b4 ("posix_acl: Clear SGID bit when setting file permissions") Link: http://lkml.kernel.org/r/20170801141252.19675-3-jack@suse.cz Signed-off-by: Jan Kara Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Joseph Qi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: Move the call to posix_acl_update_mode() into ocfs2_xattr_set_acl(). Pass NULL as the bh argument to ocfs2_acl_set_mode(). Reuse the existing cleanup label.] Signed-off-by: Ben Hutchings commit 967d0125c4f681921cf805d0121b9f72f00e03f8 Author: Inbar Karmy Date: Tue Aug 1 16:43:43 2017 +0300 net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support commit c994f778bb1cca8ebe7a4e528cefec233e93b5cc upstream. Currently when WoL is supported but disabled, ethtool reports: "Supports Wake-on: d". Fix the indication of Wol support, so that the indication remains "g" all the time if the NIC supports WoL. Tested: As accepted, when NIC supports WoL- ethtool reports: Supports Wake-on: g Wake-on: d when NIC doesn't support WoL- ethtool reports: Supports Wake-on: d Wake-on: d Fixes: 14c07b1358ed ("mlx4: Wake on LAN support") Signed-off-by: Inbar Karmy Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 31c0eacab3d550945ced448b9e31280d0b9cc3e1 Author: Michał Mirosław Date: Tue Jul 18 14:35:45 2017 +0200 gpio: tegra: fix unbalanced chained_irq_enter/exit commit 9e9509e38fbe034782339eb09c915f0b5765ff69 upstream. When more than one GPIO IRQs are triggered simultaneously, tegra_gpio_irq_handler() called chained_irq_exit() multiple times for one chained_irq_enter(). Fixes: 3c92db9ac0ca3eee8e46e2424b6c074e2e394ad9 Signed-off-by: Michał Mirosław [Also changed the variable to a bool] Signed-off-by: Linus Walleij [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit cfd73915e217c3580ce4fd6c3f52d2422028adea Author: Max Filippov Date: Tue Aug 1 11:15:15 2017 -0700 xtensa: mm/cache: add missing EXPORT_SYMBOLs commit bc652eb6a0d5cffaea7dc8e8ad488aab2a1bf1ed upstream. Functions clear_user_highpage, copy_user_highpage, flush_dcache_page, local_flush_cache_range and local_flush_cache_page may be used from modules. Export them. Signed-off-by: Max Filippov [bwh: Backported to 3.2: drop exports of {clear,copy}_user_highpage()] Signed-off-by: Ben Hutchings commit 2ff806d71195c6fd669cee77cfe41b34d20b70df Author: Max Filippov Date: Tue Aug 1 11:02:46 2017 -0700 xtensa: don't limit csum_partial export by CONFIG_NET commit 7f81e55c737a8fa82c71f290945d729a4902f8d2 upstream. csum_partial and csum_partial_copy_generic are defined unconditionally and are available even when CONFIG_NET is disabled. They are used not only by the network drivers, but also by scsi and media. Don't limit these functions export by CONFIG_NET. Signed-off-by: Max Filippov Signed-off-by: Ben Hutchings commit 07d2b8fb011731d1582e87189f83c786938e7612 Author: Max Filippov Date: Mon Sep 17 05:44:56 2012 +0400 xtensa: add missing symbol exports commit d3738f407c8ced4fd17dccf6cce729023c735c73 upstream. Signed-off-by: Max Filippov Signed-off-by: Chris Zankel [bwh: Backported to 3.2: drop exports of some functions that aren't defined here] Signed-off-by: Ben Hutchings commit 621206936ccee3b37f3e4a7d061ea8da54097fe5 Author: Rafael J. Wysocki Date: Tue Jul 25 23:58:50 2017 +0200 USB: hcd: Mark secondary HCD as dead if the primary one died commit cd5a6a4fdaba150089af2afc220eae0fef74878a upstream. Make usb_hc_died() clear the HCD_FLAG_RH_RUNNING flag for the shared HCD and set HCD_FLAG_DEAD for it, in analogy with what is done for the primary one. Among other thigs, this prevents check_root_hub_suspended() from returning -EBUSY for dead HCDs which helps to work around system suspend issues in some situations. This actually fixes occasional suspend failures on one of my test machines. Suggested-by: Alan Stern Signed-off-by: Rafael J. Wysocki Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 55c487ff37aa6b54d790fee87aa175a010878442 Author: Max Filippov Date: Fri Jul 28 17:42:59 2017 -0700 xtensa: fix cache aliasing handling code for WT cache commit 6d0f581d1768d3eaba15776e7dd1fdfec10cfe36 upstream. Currently building kernel for xtensa core with aliasing WT cache fails with the following messages: mm/memory.c:2152: undefined reference to `flush_dcache_page' mm/memory.c:2332: undefined reference to `local_flush_cache_page' mm/memory.c:1919: undefined reference to `local_flush_cache_range' mm/memory.c:4179: undefined reference to `copy_to_user_page' mm/memory.c:4183: undefined reference to `copy_from_user_page' This happens because implementation of these functions is only compiled when data cache is WB, which looks wrong: even when data cache doesn't need flushing it still needs invalidation. The functions like __flush_[invalidate_]dcache_* are correctly defined for both WB and WT caches (and even if they weren't that'd still be ok, just slower). Fix this by providing the same implementation of the above functions for both WB and WT cache. Signed-off-by: Max Filippov [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 7994d69893ffffa96dd81b2b63246f92e89fa4c8 Author: Arnd Bergmann Date: Wed Mar 19 18:41:37 2014 +0100 ARM: pxa: select both FB and FB_W100 for eseries commit 1d20d8a9fce8f1e2ef00a0f3d068fa18d59ddf8f upstream. We get a link error trying to access the w100fb_gpio_read/write functions from the platform when the driver is a loadable module or not built-in, so the platform already uses 'select' to hard-enable the driver. However, that fails if the framebuffer subsystem is disabled altogether. I've considered various ways to fix this properly, but they all seem like too much work or too risky, so this simply adds another 'select' to force the subsystem on as well. Fixes: 82427de2c7c3 ("ARM: pxa: PXA_ESERIES depends on FB_W100.") Signed-off-by: Arnd Bergmann [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit f874b9cb76d0348925b8defa5f68270498559f7d Author: Xin Long Date: Wed Jul 26 16:24:59 2017 +0800 sctp: fix the check for _sctp_walk_params and _sctp_walk_errors commit 6b84202c946cd3da3a8daa92c682510e9ed80321 upstream. Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()") tried to fix the issue that it may overstep the chunk end for _sctp_walk_{params, errors} with 'chunk_end > offset(length) + sizeof(length)'. But it introduced a side effect: When processing INIT, it verifies the chunks with 'param.v == chunk_end' after iterating all params by sctp_walk_params(). With the check 'chunk_end > offset(length) + sizeof(length)', it would return when the last param is not yet accessed. Because the last param usually is fwdtsn supported param whose size is 4 and 'chunk_end == offset(length) + sizeof(length)' This is a badly issue even causing sctp couldn't process 4-shakes. Client would always get abort when connecting to server, due to the failure of INIT chunk verification on server. The patch is to use 'chunk_end <= offset(length) + sizeof(length)' instead of 'chunk_end < offset(length) + sizeof(length)' for both _sctp_walk_params and _sctp_walk_errors. Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()") Signed-off-by: Xin Long Acked-by: Neil Horman Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 87d54a1143a7c349e51a2d1fdca7723521edb98e Author: Alexander Potapenko Date: Fri Jul 14 18:32:45 2017 +0200 sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() commit b1f5bfc27a19f214006b9b4db7b9126df2dfdf5a upstream. If the length field of the iterator (|pos.p| or |err|) is past the end of the chunk, we shouldn't access it. This bug has been detected by KMSAN. For the following pair of system calls: socket(PF_INET6, SOCK_STREAM, 0x84 /* IPPROTO_??? */) = 3 sendto(3, "A", 1, MSG_OOB, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 1 the tool has reported a use of uninitialized memory: ================================================================== BUG: KMSAN: use of uninitialized memory in sctp_rcv+0x17b8/0x43b0 CPU: 1 PID: 2940 Comm: probe Not tainted 4.11.0-rc5+ #2926 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x172/0x1c0 lib/dump_stack.c:52 kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927 __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469 __sctp_rcv_init_lookup net/sctp/input.c:1074 __sctp_rcv_lookup_harder net/sctp/input.c:1233 __sctp_rcv_lookup net/sctp/input.c:1255 sctp_rcv+0x17b8/0x43b0 net/sctp/input.c:170 sctp6_rcv+0x32/0x70 net/sctp/ipv6.c:984 ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279 NF_HOOK ./include/linux/netfilter.h:257 ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322 dst_input ./include/net/dst.h:492 ip6_rcv_finish net/ipv6/ip6_input.c:69 NF_HOOK ./include/linux/netfilter.h:257 ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203 __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208 __netif_receive_skb net/core/dev.c:4246 process_backlog+0x667/0xba0 net/core/dev.c:4866 napi_poll net/core/dev.c:5268 net_rx_action+0xc95/0x1590 net/core/dev.c:5333 __do_softirq+0x485/0x942 kernel/softirq.c:284 do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902 do_softirq kernel/softirq.c:328 __local_bh_enable_ip+0x25b/0x290 kernel/softirq.c:181 local_bh_enable+0x37/0x40 ./include/linux/bottom_half.h:31 rcu_read_unlock_bh ./include/linux/rcupdate.h:931 ip6_finish_output2+0x19b2/0x1cf0 net/ipv6/ip6_output.c:124 ip6_finish_output+0x764/0x970 net/ipv6/ip6_output.c:149 NF_HOOK_COND ./include/linux/netfilter.h:246 ip6_output+0x456/0x520 net/ipv6/ip6_output.c:163 dst_output ./include/net/dst.h:486 NF_HOOK ./include/linux/netfilter.h:257 ip6_xmit+0x1841/0x1c00 net/ipv6/ip6_output.c:261 sctp_v6_xmit+0x3b7/0x470 net/sctp/ipv6.c:225 sctp_packet_transmit+0x38cb/0x3a20 net/sctp/output.c:632 sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885 sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750 sctp_side_effects net/sctp/sm_sideeffect.c:1773 sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147 sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88 sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954 inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x608/0x710 net/socket.c:1696 SyS_sendto+0x8a/0xb0 net/socket.c:1664 do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285 entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246 RIP: 0033:0x401133 RSP: 002b:00007fff6d99cd38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401133 RDX: 0000000000000001 RSI: 0000000000494088 RDI: 0000000000000003 RBP: 00007fff6d99cd90 R08: 00007fff6d99cd50 R09: 000000000000001c R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000 R13: 00000000004063d0 R14: 0000000000406460 R15: 0000000000000000 origin: save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302 kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198 kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:211 slab_alloc_node mm/slub.c:2743 __kmalloc_node_track_caller+0x200/0x360 mm/slub.c:4351 __kmalloc_reserve net/core/skbuff.c:138 __alloc_skb+0x26b/0x840 net/core/skbuff.c:231 alloc_skb ./include/linux/skbuff.h:933 sctp_packet_transmit+0x31e/0x3a20 net/sctp/output.c:570 sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885 sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750 sctp_side_effects net/sctp/sm_sideeffect.c:1773 sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147 sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88 sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954 inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x608/0x710 net/socket.c:1696 SyS_sendto+0x8a/0xb0 net/socket.c:1664 do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285 return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246 ================================================================== Signed-off-by: Alexander Potapenko Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 8d76d29eab01999d82b679ed28e24173b317fac2 Author: Leon Romanovsky Date: Sat Jul 15 16:26:55 2017 +0300 IB/ipoib: Remove double pointer assigning commit 1b355094b308f3377c8f574ce86135ee159c6285 upstream. There is no need to assign "p" pointer twice. This patch fixes the following smatch warning: drivers/infiniband/ulp/ipoib/ipoib_cm.c:517 ipoib_cm_rx_handler() warn: missing break? reassigning 'p->id' Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support") Signed-off-by: Leon Romanovsky Signed-off-by: Ben Hutchings commit e9b5743885065ef50f74ec6a0b76693f3073ad26 Author: Alex Vesker Date: Thu Jul 13 11:27:12 2017 +0300 IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp commit 11f74b40359b19f760964e71d04882a6caf530cc upstream. Don't allow negative values to max_nonsrq_conn_qp. There is no functional impact on a negative value but it is logicically incorrect. Fixes: 68e995a29572 ("IPoIB/cm: Add connected mode support for devices without SRQs") Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Ben Hutchings commit 347598eafdfa48e43ca200959ded2b79c3109fd7 Author: Jiri Olsa Date: Thu Jul 20 16:14:55 2017 +0200 perf/core: Fix locking for children siblings group read commit 2aeb1883547626d82c597cce2c99f0b9c62e2425 upstream. We're missing ctx lock when iterating children siblings within the perf_read path for group reading. Following race and crash can happen: User space doing read syscall on event group leader: T1: perf_read lock event->ctx->mutex perf_read_group lock leader->child_mutex __perf_read_group_add(child) list_for_each_entry(sub, &leader->sibling_list, group_entry) ----> sub might be invalid at this point, because it could get removed via perf_event_exit_task_context in T2 Child exiting and cleaning up its events: T2: perf_event_exit_task_context lock ctx->mutex list_for_each_entry_safe(child_event, next, &child_ctx->event_list,... perf_event_exit_event(child) lock ctx->lock perf_group_detach(child) unlock ctx->lock ----> child is removed from sibling_list without any sync with T1 path above ... free_event(child) Before the child is removed from the leader's child_list, (and thus is omitted from perf_read_group processing), we need to ensure that perf_read_group touches child's siblings under its ctx->lock. Peter further notes: | One additional note; this bug got exposed by commit: | | ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP") | | which made it possible to actually trigger this code-path. Tested-by: Andi Kleen Signed-off-by: Jiri Olsa Acked-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP") Link: http://lkml.kernel.org/r/20170720141455.2106-1-jolsa@kernel.org Signed-off-by: Ingo Molnar [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit e4847c6f688433f3696d490485049c60f8e5debd Author: Peter Zijlstra Date: Thu Sep 3 20:07:49 2015 -0700 perf/core: Invert perf_read_group() loops commit fa8c269353d560b7c28119ad7617029f92e40b15 upstream. In order to enable the use of perf_event_read(.group = true), we need to invert the sibling-child loop nesting of perf_read_group(). Currently we iterate the child list for each sibling, this precludes using group reads. Flip things around so we iterate each group for each child. Signed-off-by: Peter Zijlstra (Intel) [ Made the patch compile and things. ] Signed-off-by: Sukadev Bhattiprolu Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Michael Ellerman Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/1441336073-22750-7-git-send-email-sukadev@linux.vnet.ibm.com Signed-off-by: Ingo Molnar [bwh: Backported to 3.2 as a dependency of commit 2aeb18835476 ("perf/core: Fix locking for children siblings group read"): - Keep the function name perf_event_read_group() - Keep using perf_event_read_value()] Signed-off-by: Ben Hutchings commit 59725da61d5cd96b2b3a1b478cc1255b162c801d Author: Mahesh Bandewar Date: Wed Jul 19 15:41:33 2017 -0700 ipv4: initialize fib_trie prior to register_netdev_notifier call. commit 8799a221f5944a7d74516ecf46d58c28ec1d1f75 upstream. Net stack initialization currently initializes fib-trie after the first call to netdevice_notifier() call. In fact fib_trie initialization needs to happen before first rtnl_register(). It does not cause any problem since there are no devices UP at this moment, but trying to bring 'lo' UP at initialization would make this assumption wrong and exposes the issue. Fixes following crash Call Trace: ? alternate_node_alloc+0x76/0xa0 fib_table_insert+0x1b7/0x4b0 fib_magic.isra.17+0xea/0x120 fib_add_ifaddr+0x7b/0x190 fib_netdev_event+0xc0/0x130 register_netdevice_notifier+0x1c1/0x1d0 ip_fib_init+0x72/0x85 ip_rt_init+0x187/0x1e9 ip_init+0xe/0x1a inet_init+0x171/0x26c ? ipv4_offload_init+0x66/0x66 do_one_initcall+0x43/0x160 kernel_init_freeable+0x191/0x219 ? rest_init+0x80/0x80 kernel_init+0xe/0x150 ret_from_fork+0x22/0x30 Code: f6 46 23 04 74 86 4c 89 f7 e8 ae 45 01 00 49 89 c7 4d 85 ff 0f 85 7b ff ff ff 31 db eb 08 4c 89 ff e8 16 47 01 00 48 8b 44 24 38 <45> 8b 6e 14 4d 63 76 74 48 89 04 24 0f 1f 44 00 00 48 83 c4 08 RIP: kmem_cache_alloc+0xcf/0x1c0 RSP: ffff9b1500017c28 CR2: 0000000000000014 Fixes: 7b1a74fdbb9e ("[NETNS]: Refactor fib initialization so it can handle multiple namespaces.") Fixes: 7f9b80529b8a ("[IPV4]: fib hash|trie initialization") Signed-off-by: Mahesh Bandewar Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit c76068253d8aefd4bc66c1609d2c397d843a45ca Author: Ismail, Mustafa Date: Fri Jul 14 09:41:31 2017 -0500 RDMA/core: Initialize port_num in qp_attr commit a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 upstream. Initialize the port_num for iWARP in rdma_init_qp_attr. Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds") Reviewed-by: Steve Wise Signed-off-by: Mustafa Ismail Tested-by: Mike Marciniszyn Signed-off-by: Doug Ledford [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 42b5def9c7b335dacd71aeb58afae37cdb7d3344 Author: Ismail, Mustafa Date: Fri Jul 14 09:41:30 2017 -0500 RDMA/uverbs: Fix the check for port number commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream. The port number is only valid if IB_QP_PORT is set in the mask. So only check port number if it is valid to prevent modify_qp from failing due to an invalid port number. Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds") Reviewed-by: Steve Wise Signed-off-by: Mustafa Ismail Tested-by: Mike Marciniszyn Signed-off-by: Doug Ledford [bwh: Backported to 3.2: command structure is cmd not cmd->base] Signed-off-by: Ben Hutchings commit 16ebb03ba24c5241025a86aa6f2cd60f9667e849 Author: Dan Carpenter Date: Thu Jul 13 10:48:00 2017 +0300 IB/cxgb3: Fix error codes in iwch_alloc_mr() commit 9064d6055c14f700aa13f7c72fd3e63d12bee643 upstream. We accidentally don't set the error code on some error paths. It means return ERR_PTR(0) which is NULL and results in a NULL dereference in the caller. Fixes: 13a239330abd ("RDMA/cxgb3: Don't ignore insert_handle() failures") Signed-off-by: Dan Carpenter Acked-by: Steve Wise Signed-off-by: Doug Ledford [bwh: Backported to 3.2: drop inapplicable hunk] Signed-off-by: Ben Hutchings commit ce56b921aade5f233c3814c5ff28461133117078 Author: Dan Carpenter Date: Thu Jul 13 10:47:40 2017 +0300 cxgb4: Fix error codes in c4iw_create_cq() commit 6ebedacbb44602d4dec3348dee5ec31dd9b09521 upstream. If one of these kmalloc() calls fails then we return ERR_PTR(0) which is NULL. It results in a NULL dereference in the callers. Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") Signed-off-by: Dan Carpenter Acked-by: Steve Wise Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit 96301209473afd3f2f274b91cb7082d161b9be65 Author: Seunghun Han Date: Tue Jul 18 20:03:51 2017 +0900 x86/acpi: Prevent out of bound access caused by broken ACPI tables commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream. The bus_irq argument of mp_override_legacy_irq() is used as the index into the isa_irq_to_gsi[] array. The bus_irq argument originates from ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI tables, but is nowhere sanity checked. That allows broken or malicious ACPI tables to overwrite memory, which might cause malfunction, panic or arbitrary code execution. Add a sanity check and emit a warning when that triggers. [ tglx: Added warning and rewrote changelog ] Signed-off-by: Seunghun Han Signed-off-by: Thomas Gleixner Cc: security@kernel.org Cc: "Rafael J. Wysocki" Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings commit 57f45c30eee35f02adee5d96442e38d6c3884263 Author: Steve Dickson Date: Thu Jun 29 11:48:26 2017 -0400 mount: copy the port field into the cloned nfs_server structure. commit 89a6814d9b665b196aa3a102f96b6dc7e8cb669e upstream. Doing this copy eliminates the "port=0" entry in the /proc/mounts entries Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=69241 Signed-off-by: Steve Dickson Signed-off-by: Anna Schumaker [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 2679d58535a3b67664655760611920c32fe5279f Author: Dan Carpenter Date: Wed Jul 19 13:06:41 2017 +0300 libata: array underflow in ata_find_dev() commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream. My static checker complains that "devno" can be negative, meaning that we read before the start of the loop. I've looked at the code, and I think the warning is right. This come from /proc so it's root only or it would be quite a quite a serious bug. The call tree looks like this: proc_scsi_write() <- gets id and channel from simple_strtoul() -> scsi_add_single_device() <- calls shost->transportt->user_scan() -> ata_scsi_user_scan() -> ata_find_dev() Signed-off-by: Dan Carpenter Signed-off-by: Tejun Heo Signed-off-by: Ben Hutchings commit afad72d4c8e92a16194d7e7d264329e10c4aef0d Author: Yoshihiro Shimoda Date: Wed Jul 19 16:16:54 2017 +0900 usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL commit 59a0879a0e17b2e43ecdc5e3299da85b8410d7ce upstream. This patch fixes an issue that some registers may be not initialized after resume if the USBHSF_RUNTIME_PWCTRL is not set. Otherwise, if a cable is not connected, the driver will not enable INTENB0.VBSE after resume. And then, the driver cannot detect the VBUS. Fixes: ca8a282a5373 ("usb: gadget: renesas_usbhs: add suspend/resume support") Signed-off-by: Yoshihiro Shimoda Signed-off-by: Felipe Balbi Signed-off-by: Ben Hutchings commit e3c23e02b688cd2c22d01f0bbe62053dfafa6769 Author: Kuninori Morimoto Date: Sun Aug 5 22:44:43 2012 -0700 usb: renesas_usbhs: fixup resume method for autonomy mode commit 5b50d3b52601651ef3183cfb33d03cf486180e48 upstream. If renesas_usbhs is probed as autonomy mode, phy reset should be called after power resumed, and manual cold-plug should be called with slight delay. Signed-off-by: Kuninori Morimoto Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 04501c718370434109b14b5d42ad252eab687cd4 Author: Colin Ian King Date: Thu Jul 6 16:06:32 2017 +0100 usb: storage: return on error to avoid a null pointer dereference commit 446230f52a5bef593554510302465eabab45a372 upstream. When us->extra is null the driver is not initialized, however, a later call to osd200_scsi_to_ata is made that dereferences us->extra, causing a null pointer dereference. The code currently detects and reports that the driver is not initialized; add a return to avoid the subsequent dereference issue in this check. Thanks to Alan Stern for pointing out that srb->result needs setting to DID_ERROR << 16 Detected by CoverityScan, CID#100308 ("Dereference after null check") Signed-off-by: Colin Ian King Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 9da6f42c0fd7001c00c705993776db62e2fa7820 Author: Johan Hovold Date: Wed Jul 12 15:08:39 2017 +0200 USB: cdc-acm: add device-id for quirky printer commit fe855789d605590e57f9cd968d85ecce46f5c3fd upstream. Add device-id entry for DATECS FP-2000 fiscal printer needing the NO_UNION_NORMAL quirk. Reported-by: Anton Avramov Signed-off-by: Johan Hovold Acked-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit e11c146ca3ae231b81212c37d2dc59273dfaf6b2 Author: Stefan Triller Date: Fri Jun 30 14:44:03 2017 +0200 USB: serial: cp210x: add support for Qivicon USB ZigBee dongle commit 9585e340db9f6cc1c0928d82c3a23cc4460f0a3f upstream. The German Telekom offers a ZigBee USB Stick under the brand name Qivicon for their SmartHome Home Base in its 1. Generation. The productId is not known by the according kernel module, this patch adds support for it. Signed-off-by: Stefan Triller Reviewed-by: Frans Klaver Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings commit 9efc2878cceb846fd9abc4917434370c8cf49056 Author: Arnd Bergmann Date: Fri Jul 14 11:31:03 2017 +0200 staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read commit 105967ad68d2eb1a041bc041f9cf96af2a653b65 upstream. gcc-7 points out an older regression: drivers/staging/iio/resolver/ad2s1210.c: In function 'ad2s1210_read_raw': drivers/staging/iio/resolver/ad2s1210.c:515:42: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context] The original code had 'unsigned short' here, but incorrectly got converted to 'bool'. This reverts the regression and uses a normal type instead. Fixes: 29148543c521 ("staging:iio:resolver:ad2s1210 minimal chan spec conversion.") Signed-off-by: Arnd Bergmann Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings commit 8ca0b1e2b9956b442e19dadcd7394d62ca57ebb9 Author: Akinobu Mita Date: Wed Jun 21 01:46:37 2017 +0900 iio: light: tsl2563: use correct event code commit a3507e48d3f99a93a3056a34a5365f310434570f upstream. The TSL2563 driver provides three iio channels, two of which are raw ADC channels (channel 0 and channel 1) in the device and the remaining one is calculated by the two. The ADC channel 0 only supports programmable interrupt with threshold settings and this driver supports the event but the generated event code does not contain the corresponding iio channel type. This is going to change userspace ABI. Hopefully fixing this to be what it should always have been won't break any userspace code. Cc: Jonathan Cameron Signed-off-by: Akinobu Mita Signed-off-by: Jonathan Cameron [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 76a3bcccbb04338180475763cbef6128f040a065 Author: Mateusz Jurczyk Date: Wed Jun 7 12:26:49 2017 +0200 fuse: initialize the flock flag in fuse_file on allocation commit 68227c03cba84a24faf8a7277d2b1a03c8959c2c upstream. Before the patch, the flock flag could remain uninitialized for the lifespan of the fuse_file allocation. Unless set to true in fuse_file_flock(), it would remain in an indeterminate state until read in an if statement in fuse_release_common(). This could consequently lead to taking an unexpected branch in the code. The bug was discovered by a runtime instrumentation designed to detect use of uninitialized memory in the kernel. Signed-off-by: Mateusz Jurczyk Fixes: 37fb3a30b462 ("fuse: fix flock") Signed-off-by: Miklos Szeredi Signed-off-by: Ben Hutchings