3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit ac443624490f7033aefd06713e7761aee5977de3 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Acked-by: Richard Kuo rkuo@codeaurora.org Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/hexagon/kernel/signal.c | 45 +++++++++++++++--------------------- 1 file changed, 18 insertions(+), 27 deletions(-)

--- a/arch/hexagon/kernel/signal.c +++ b/arch/hexagon/kernel/signal.c @@ -112,20 +112,20 @@ static int restore_sigcontext(struct pt_ /* * Setup signal stack frame with siginfo structure */ -static int setup_rt_frame(int signr, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { int err = 0; struct rt_sigframe __user *frame; struct hexagon_vdso *vdso = current->mm->context.vdso;

- frame = get_sigframe(ka, regs, sizeof(struct rt_sigframe)); + frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe));

if (!access_ok(VERIFY_WRITE, frame, sizeof(struct rt_sigframe))) - goto sigsegv; + return -EFAULT;

- if (copy_siginfo_to_user(&frame->info, info)) - goto sigsegv; + if (copy_siginfo_to_user(&frame->info, &ksig->info)) + return -EFAULT;

/* The on-stack signal trampoline is no longer executed; * however, the libgcc signal frame unwinding code checks for @@ -137,29 +137,26 @@ static int setup_rt_frame(int signr, str err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); err |= __save_altstack(&frame->uc.uc_stack, user_stack_pointer(regs)); if (err) - goto sigsegv; + return -EFAULT;

/* Load r0/r1 pair with signumber/siginfo pointer... */ regs->r0100 = ((unsigned long long)((unsigned long)&frame->info) << 32) - | (unsigned long long)signr; + | (unsigned long long)ksig->sig; regs->r02 = (unsigned long) &frame->uc; regs->r31 = (unsigned long) vdso->rt_signal_trampoline; pt_psp(regs) = (unsigned long) frame; - pt_set_elr(regs, (unsigned long)ka->sa.sa_handler); + pt_set_elr(regs, (unsigned long)ksig->ka.sa.sa_handler);

return 0; - -sigsegv: - force_sigsegv(signr, current); - return -EFAULT; }

/* * Setup invocation of signal handler */ -static void handle_signal(int sig, siginfo_t *info, struct k_sigaction *ka, - struct pt_regs *regs) +static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) { + int ret; + /* * If we're handling a signal that aborted a system call, * set up the error return value before adding the signal @@ -173,7 +170,7 @@ static void handle_signal(int sig, sigin regs->r00 = -EINTR; break; case -ERESTARTSYS: - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { regs->r00 = -EINTR; break; } @@ -193,11 +190,9 @@ static void handle_signal(int sig, sigin * only set up the rt_frame flavor. */ /* If there was an error on setup, no signal was delivered. */ - if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs) < 0) - return; + ret = setup_rt_frame(ksig, sigmask_to_save(), regs);

- signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLESTEP)); + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); }

/* @@ -205,17 +200,13 @@ static void handle_signal(int sig, sigin */ void do_signal(struct pt_regs *regs) { - struct k_sigaction sigact; - siginfo_t info; - int signo; + struct ksignal ksig;

if (!user_mode(regs)) return;

- signo = get_signal_to_deliver(&info, &sigact, regs, NULL); - - if (signo > 0) { - handle_signal(signo, &info, &sigact, regs); + if (get_signal(&ksig)) { + handle_signal(&ksig, regs); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud ferasda@mellanox.com

commit 6ab4aba00f811a5265acc4d3eb1863bb3ca60562 upstream.

The following BUG was reported by kasan:

BUG: KASAN: use-after-free in ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib] Read of size 80 at addr ffff88034c30bcd0 by task kworker/u16:1/24020

Workqueue: ipoib_wq ipoib_cm_tx_start [ib_ipoib] Call Trace: dump_stack+0x9a/0xeb print_address_description+0xe3/0x2e0 kasan_report+0x18a/0x2e0 ? ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib] memcpy+0x1f/0x50 ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib] ? kvm_clock_read+0x1f/0x30 ? ipoib_cm_skb_reap+0x610/0x610 [ib_ipoib] ? __lock_is_held+0xc2/0x170 ? process_one_work+0x880/0x1960 ? process_one_work+0x912/0x1960 process_one_work+0x912/0x1960 ? wq_pool_ids_show+0x310/0x310 ? lock_acquire+0x145/0x440 worker_thread+0x87/0xbb0 ? process_one_work+0x1960/0x1960 kthread+0x314/0x3d0 ? kthread_create_worker_on_cpu+0xc0/0xc0 ret_from_fork+0x3a/0x50

Allocated by task 0: kasan_kmalloc+0xa0/0xd0 kmem_cache_alloc_trace+0x168/0x3e0 path_rec_create+0xa2/0x1f0 [ib_ipoib] ipoib_start_xmit+0xa98/0x19e0 [ib_ipoib] dev_hard_start_xmit+0x159/0x8d0 sch_direct_xmit+0x226/0xb40 __dev_queue_xmit+0x1d63/0x2950 neigh_update+0x889/0x1770 arp_process+0xc47/0x21f0 arp_rcv+0x462/0x760 __netif_receive_skb_core+0x1546/0x2da0 netif_receive_skb_internal+0xf2/0x590 napi_gro_receive+0x28e/0x390 ipoib_ib_handle_rx_wc_rss+0x873/0x1b60 [ib_ipoib] ipoib_rx_poll_rss+0x17d/0x320 [ib_ipoib] net_rx_action+0x427/0xe30 __do_softirq+0x28e/0xc42

Freed by task 26680: __kasan_slab_free+0x11d/0x160 kfree+0xf5/0x360 ipoib_flush_paths+0x532/0x9d0 [ib_ipoib] ipoib_set_mode_rss+0x1ad/0x560 [ib_ipoib] set_mode+0xc8/0x150 [ib_ipoib] kernfs_fop_write+0x279/0x440 __vfs_write+0xd8/0x5c0 vfs_write+0x15e/0x470 ksys_write+0xb8/0x180 do_syscall_64+0x9b/0x420 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88034c30bcc8 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff88034c30bcc8, ffff88034c30bec8) The buggy address belongs to the page:

The following race between change mode and xmit flow is the reason for this use-after-free:

Change mode Send packet 1 to GID XX Send packet 2 to GID XX | | | start | | | | | | | | | Create new path for GID XX | | and update neigh path | | | | | | | | | | flush_paths | | | | queue_work(cm.start_task) | | Path for GID XX not found | create new path | | start_task runs with old released path

There is no locking to protect the lifetime of the path through the ipoib_cm_tx struct, so delete it entirely and always use the newly looked up path under the priv->lock.

Fixes: 546481c2816e ("IB/ipoib: Fix memory corruption in ipoib cm mode connect flow") Signed-off-by: Feras Daoud ferasda@mellanox.com Reviewed-by: Erez Shitrit erezsh@mellanox.com Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Jason Gunthorpe jgg@mellanox.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/ulp/ipoib/ipoib.h | 1 - drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib.h +++ b/drivers/infiniband/ulp/ipoib/ipoib.h @@ -228,7 +228,6 @@ struct ipoib_cm_tx { struct list_head list; struct net_device *dev; struct ipoib_neigh *neigh; - struct ipoib_path *path; struct ipoib_cm_tx_buf *tx_ring; unsigned tx_head; unsigned tx_tail; --- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c @@ -1279,7 +1279,6 @@ struct ipoib_cm_tx *ipoib_cm_create_tx(s

neigh->cm = tx; tx->neigh = neigh; - tx->path = path; tx->dev = dev; list_add(&tx->list, &priv->cm.start_list); set_bit(IPOIB_FLAG_INITIALIZED, &tx->flags); @@ -1338,7 +1337,7 @@ static void ipoib_cm_tx_start(struct wor neigh->daddr + QPN_AND_OPTIONS_OFFSET); goto free_neigh; } - memcpy(&pathrec, &p->path->pathrec, sizeof pathrec); + memcpy(&pathrec, &path->pathrec, sizeof(pathrec));

spin_unlock_irqrestore(&priv->lock, flags); netif_tx_unlock_bh(dev);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 9c53c7ec14a5738ae3117d7d71b7abf630526c9f upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/microblaze/kernel/signal.c | 48 ++++++++++++--------------------- 1 file changed, 17 insertions(+), 31 deletions(-)

--- a/arch/microblaze/kernel/signal.c +++ b/arch/microblaze/kernel/signal.c @@ -156,11 +156,11 @@ get_sigframe(struct k_sigaction *ka, str return (void __user *)((sp - frame_size) & -8UL); }

-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe __user *frame; - int err = 0; + int err = 0, sig = ksig->sig; int signal; unsigned long address = 0; #ifdef CONFIG_MMU @@ -168,10 +168,10 @@ static int setup_rt_frame(int sig, struc pte_t *ptep; #endif

- frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

signal = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -179,8 +179,8 @@ static int setup_rt_frame(int sig, struc ? current_thread_info()->exec_domain->signal_invmap[sig] : sig;

- if (info) - err |= copy_siginfo_to_user(&frame->info, info); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + err |= copy_siginfo_to_user(&frame->info, &ksig->info);

/* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); @@ -227,7 +227,7 @@ static int setup_rt_frame(int sig, struc flush_dcache_range(address, address + 8); #endif if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */ regs->r1 = (unsigned long) frame; @@ -237,7 +237,7 @@ static int setup_rt_frame(int sig, struc regs->r6 = (unsigned long) &frame->info; /* arg 1: siginfo */ regs->r7 = (unsigned long) &frame->uc; /* arg2: ucontext */ /* Offset to handle microblaze rtid r14, 0 */ - regs->pc = (unsigned long)ka->sa.sa_handler; + regs->pc = (unsigned long)ksig->ka.sa.sa_handler;

set_fs(USER_DS);

@@ -247,10 +247,6 @@ static int setup_rt_frame(int sig, struc #endif

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

/* Handle restarting system calls */ @@ -283,23 +279,15 @@ do_restart: */

static void -handle_signal(unsigned long sig, struct k_sigaction *ka, - siginfo_t *info, struct pt_regs *regs) +handle_signal(struct ksignal *ksig, struct pt_regs *regs) { sigset_t *oldset = sigmask_to_save(); int ret;

/* Set up the stack frame */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame(sig, ka, info, oldset, regs); - else - ret = setup_rt_frame(sig, ka, NULL, oldset, regs); - - if (ret) - return; + ret = setup_rt_frame(ksig, oldset, regs);

- signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLESTEP)); + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); }

/* @@ -313,21 +301,19 @@ handle_signal(unsigned long sig, struct */ static void do_signal(struct pt_regs *regs, int in_syscall) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig; + #ifdef DEBUG_SIG pr_info("do signal: %p %d\n", regs, in_syscall); pr_info("do signal2: %lx %lx %ld [%lx]\n", regs->pc, regs->r1, regs->r12, current_thread_info()->flags); #endif

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { + if (get_signal(&ksig)) { /* Whee! Actually deliver the signal. */ if (in_syscall) - handle_restart(regs, &ka, 1); - handle_signal(signr, &ka, &info, regs); + handle_restart(regs, &ksig.ka, 1); + handle_signal(&ksig, regs); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai tiwai@suse.de

commit 3e96d7280f16e2f787307f695a31296b9e4a1cd7 upstream.

There are a few places where we access the data without checking the actual object size from the USB audio descriptor. This may result in OOB access, as recently reported.

This patch addresses these missing checks. Most of added codes are simple bLength checks in the caller side. For the input and output terminal parsers, we put the length check in the parser functions. For the input terminal, a new argument is added to distinguish between UAC1 and the rest, as they treat different objects.

Reported-by: Mathias Payer mathias.payer@nebelwelt.net Reported-by: Hui Peng benquike@163.com Tested-by: Hui Peng benquike@163.com Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.16: - Drop changes in parse_audio_input_terminal() and UAC3 handling - Adjust context, indentation] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -258,6 +258,11 @@ static int snd_usb_create_streams(struct return -EINVAL; }

+ if (h1->bLength < sizeof(*h1)) { + dev_err(&dev->dev, "cannot find UAC_HEADER\n"); + return -EINVAL; + } + if (!h1->bInCollection) { dev_info(&dev->dev, "skipping empty audio interface (v1)\n"); return -EINVAL; --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -412,12 +412,8 @@ static int parse_uac_endpoint_attributes csep = snd_usb_find_desc(alts->extra, alts->extralen, NULL, USB_DT_CS_ENDPOINT);

if (!csep || csep->bLength < 7 || - csep->bDescriptorSubtype != UAC_EP_GENERAL) { - usb_audio_warn(chip, - "%u:%d : no or invalid class specific endpoint descriptor\n", - iface_no, altsd->bAlternateSetting); - return 0; - } + csep->bDescriptorSubtype != UAC_EP_GENERAL) + goto error;

if (protocol == UAC_VERSION_1) { attributes = csep->bmAttributes; @@ -425,6 +421,8 @@ static int parse_uac_endpoint_attributes struct uac2_iso_endpoint_descriptor *csep2 = (struct uac2_iso_endpoint_descriptor *) csep;

+ if (csep2->bLength < sizeof(*csep2)) + goto error; attributes = csep->bmAttributes & UAC_EP_CS_ATTR_FILL_MAX;

/* emulate the endpoint attributes of a v1 device */ @@ -433,6 +431,12 @@ static int parse_uac_endpoint_attributes }

return attributes; + + error: + usb_audio_warn(chip, + "%u:%d : no or invalid class specific endpoint descriptor\n", + iface_no, altsd->bAlternateSetting); + return 0; }

/* find an input terminal descriptor (either UAC1 or UAC2) with the given @@ -440,13 +444,17 @@ static int parse_uac_endpoint_attributes */ static void * snd_usb_find_input_terminal_descriptor(struct usb_host_interface *ctrl_iface, - int terminal_id) + int terminal_id, bool uac2) { struct uac2_input_terminal_descriptor *term = NULL; + size_t minlen = uac2 ? sizeof(struct uac2_input_terminal_descriptor) : + sizeof(struct uac_input_terminal_descriptor);

while ((term = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, term, UAC_INPUT_TERMINAL))) { + if (term->bLength < minlen) + continue; if (term->bTerminalID == terminal_id) return term; } @@ -463,7 +471,8 @@ static struct uac2_output_terminal_descr while ((term = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, term, UAC_OUTPUT_TERMINAL))) { - if (term->bTerminalID == terminal_id) + if (term->bLength >= sizeof(*term) && + term->bTerminalID == terminal_id) return term; }

@@ -561,7 +570,8 @@ int snd_usb_parse_audio_interface(struct format = le16_to_cpu(as->wFormatTag); /* remember the format value */

iterm = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf, - as->bTerminalLink); + as->bTerminalLink, + false); if (iterm) { num_channels = iterm->bNrChannels; chconfig = le16_to_cpu(iterm->wChannelConfig); @@ -597,7 +607,8 @@ int snd_usb_parse_audio_interface(struct /* lookup the terminal associated to this interface * to extract the clock */ input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf, - as->bTerminalLink); + as->bTerminalLink, + true); if (input_term) { clock = input_term->bCSourceID; if (!chconfig && (num_channels == input_term->bNrChannels))

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 720f36b983224ac52b6acdd8b646ce30f6b38763 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/frv/kernel/signal.c | 99 ++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 59 deletions(-)

--- a/arch/frv/kernel/signal.c +++ b/arch/frv/kernel/signal.c @@ -180,17 +180,17 @@ static inline void __user *get_sigframe( /* * */ -static int setup_frame(int sig, struct k_sigaction *ka, sigset_t *set) +static int setup_frame(struct ksignal *ksig, sigset_t *set) { struct sigframe __user *frame; - int rsig; + int rsig, sig = ksig->sig;

set_fs(USER_DS);

- frame = get_sigframe(ka, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

rsig = sig; if (sig < 32 && @@ -199,22 +199,22 @@ static int setup_frame(int sig, struct k rsig = __current_thread_info->exec_domain->signal_invmap[sig];

if (__put_user(rsig, &frame->sig) < 0) - goto give_sigsegv; + return -EFAULT;

if (setup_sigcontext(&frame->sc, set->sig[0])) - goto give_sigsegv; + return -EFAULT;

if (_NSIG_WORDS > 1) { if (__copy_to_user(frame->extramask, &set->sig[1], sizeof(frame->extramask))) - goto give_sigsegv; + return -EFAULT; }

/* Set up to return from userspace. If provided, use a stub * already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - if (__put_user(ka->sa.sa_restorer, &frame->pretcode) < 0) - goto give_sigsegv; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + if (__put_user(ksig->ka.sa.sa_restorer, &frame->pretcode) < 0) + return -EFAULT; } else { /* Set up the following code on the stack: @@ -224,7 +224,7 @@ static int setup_frame(int sig, struct k if (__put_user((__sigrestore_t)frame->retcode, &frame->pretcode) || __put_user(0x8efc0000|__NR_sigreturn, &frame->retcode[0]) || __put_user(0xc0700000, &frame->retcode[1])) - goto give_sigsegv; + return -EFAULT;

flush_icache_range((unsigned long) frame->retcode, (unsigned long) (frame->retcode + 2)); @@ -233,14 +233,14 @@ static int setup_frame(int sig, struct k /* Set up registers for the signal handler */ if (current->personality & FDPIC_FUNCPTRS) { struct fdpic_func_descriptor __user *funcptr = - (struct fdpic_func_descriptor __user *) ka->sa.sa_handler; + (struct fdpic_func_descriptor __user *) ksig->ka.sa.sa_handler; struct fdpic_func_descriptor desc; if (copy_from_user(&desc, funcptr, sizeof(desc))) - goto give_sigsegv; + return -EFAULT; __frame->pc = desc.text; __frame->gr15 = desc.GOT; } else { - __frame->pc = (unsigned long) ka->sa.sa_handler; + __frame->pc = (unsigned long) ksig->ka.sa.sa_handler; __frame->gr15 = 0; }

@@ -255,29 +255,23 @@ static int setup_frame(int sig, struct k #endif

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; - } /* end setup_frame() */

/*****************************************************************************/ /* * */ -static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set) { struct rt_sigframe __user *frame; - int rsig; + int rsig, sig = ksig->sig;

set_fs(USER_DS);

- frame = get_sigframe(ka, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

rsig = sig; if (sig < 32 && @@ -288,28 +282,28 @@ static int setup_rt_frame(int sig, struc if (__put_user(rsig, &frame->sig) || __put_user(&frame->info, &frame->pinfo) || __put_user(&frame->uc, &frame->puc)) - goto give_sigsegv; + return -EFAULT;

- if (copy_siginfo_to_user(&frame->info, info)) - goto give_sigsegv; + if (copy_siginfo_to_user(&frame->info, &ksig->info)) + return -EFAULT;

/* Create the ucontext. */ if (__put_user(0, &frame->uc.uc_flags) || __put_user(NULL, &frame->uc.uc_link) || __save_altstack(&frame->uc.uc_stack, __frame->sp)) - goto give_sigsegv; + return -EFAULT;

if (setup_sigcontext(&frame->uc.uc_mcontext, set->sig[0])) - goto give_sigsegv; + return -EFAULT;

if (__copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set))) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub * already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - if (__put_user(ka->sa.sa_restorer, &frame->pretcode)) - goto give_sigsegv; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + if (__put_user(ksig->ka.sa.sa_restorer, &frame->pretcode)) + return -EFAULT; } else { /* Set up the following code on the stack: @@ -319,7 +313,7 @@ static int setup_rt_frame(int sig, struc if (__put_user((__sigrestore_t)frame->retcode, &frame->pretcode) || __put_user(0x8efc0000|__NR_rt_sigreturn, &frame->retcode[0]) || __put_user(0xc0700000, &frame->retcode[1])) - goto give_sigsegv; + return -EFAULT;

flush_icache_range((unsigned long) frame->retcode, (unsigned long) (frame->retcode + 2)); @@ -328,14 +322,14 @@ static int setup_rt_frame(int sig, struc /* Set up registers for signal handler */ if (current->personality & FDPIC_FUNCPTRS) { struct fdpic_func_descriptor __user *funcptr = - (struct fdpic_func_descriptor __user *) ka->sa.sa_handler; + (struct fdpic_func_descriptor __user *) ksig->ka.sa.sa_handler; struct fdpic_func_descriptor desc; if (copy_from_user(&desc, funcptr, sizeof(desc))) - goto give_sigsegv; + return -EFAULT; __frame->pc = desc.text; __frame->gr15 = desc.GOT; } else { - __frame->pc = (unsigned long) ka->sa.sa_handler; + __frame->pc = (unsigned long) ksig->ka.sa.sa_handler; __frame->gr15 = 0; }

@@ -349,21 +343,15 @@ static int setup_rt_frame(int sig, struc sig, current->comm, current->pid, frame, __frame->pc, frame->pretcode); #endif - return 0;

-give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; - } /* end setup_rt_frame() */

/*****************************************************************************/ /* * OK, we're invoking a handler */ -static void handle_signal(unsigned long sig, siginfo_t *info, - struct k_sigaction *ka) +static void handle_signal(struct ksignal *ksig) { sigset_t *oldset = sigmask_to_save(); int ret; @@ -378,7 +366,7 @@ static void handle_signal(unsigned long break;

case -ERESTARTSYS: - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { __frame->gr8 = -EINTR; break; } @@ -392,16 +380,12 @@ static void handle_signal(unsigned long }

/* Set up the stack frame */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame(sig, ka, info, oldset); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = setup_rt_frame(ksig, oldset); else - ret = setup_frame(sig, ka, oldset); + ret = setup_frame(ksig, oldset);

- if (ret) - return; - - signal_delivered(sig, info, ka, __frame, - test_thread_flag(TIF_SINGLESTEP)); + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); } /* end handle_signal() */

/*****************************************************************************/ @@ -412,13 +396,10 @@ static void handle_signal(unsigned long */ static void do_signal(void) { - struct k_sigaction ka; - siginfo_t info; - int signr; - - signr = get_signal_to_deliver(&info, &ka, __frame, NULL); - if (signr > 0) { - handle_signal(signr, &info, &ka); + struct ksignal ksig; + + if (get_signal(&ksig)) { + handle_signal(&ksig); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit b3707c7ed013d36752272ca2f9ed20dc8aed92e4 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at Acked-by: Chris Metcalf cmetcalf@tilera.com [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/tile/include/asm/compat.h | 3 +- arch/tile/kernel/compat_signal.c | 29 ++++++++--------- arch/tile/kernel/signal.c | 54 ++++++++++++++------------------ 3 files changed, 40 insertions(+), 46 deletions(-)

--- a/arch/tile/include/asm/compat.h +++ b/arch/tile/include/asm/compat.h @@ -267,8 +267,7 @@ static inline int is_compat_task(void) return current_thread_info()->status & TS_COMPAT; }

-extern int compat_setup_rt_frame(int sig, struct k_sigaction *ka, - siginfo_t *info, sigset_t *set, +extern int compat_setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs);

/* Compat syscalls. */ --- a/arch/tile/kernel/compat_signal.c +++ b/arch/tile/kernel/compat_signal.c @@ -190,18 +190,18 @@ static inline void __user *compat_get_si return (void __user *) sp; }

-int compat_setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +int compat_setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { unsigned long restorer; struct compat_rt_sigframe __user *frame; - int err = 0; + int err = 0, sig = ksig->sig; int usig;

- frame = compat_get_sigframe(ka, regs, sizeof(*frame)); + frame = compat_get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + goto err;

usig = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -210,12 +210,12 @@ int compat_setup_rt_frame(int sig, struc : sig;

/* Always write at least the signal number for the stack backtracer. */ - if (ka->sa.sa_flags & SA_SIGINFO) { + if (ksig->ka.sa.sa_flags & SA_SIGINFO) { /* At sigreturn time, restore the callee-save registers too. */ - err |= copy_siginfo_to_user32(&frame->info, info); + err |= copy_siginfo_to_user32(&frame->info, &ksig->info); regs->flags |= PT_FLAGS_RESTORE_REGS; } else { - err |= __put_user(info->si_signo, &frame->info.si_signo); + err |= __put_user(ksig->info.si_signo, &frame->info.si_signo); }

/* Create the ucontext. */ @@ -226,11 +226,11 @@ int compat_setup_rt_frame(int sig, struc err |= setup_sigcontext(&frame->uc.uc_mcontext, regs); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); if (err) - goto give_sigsegv; + goto err;

restorer = VDSO_SYM(&__vdso_rt_sigreturn); - if (ka->sa.sa_flags & SA_RESTORER) - restorer = ptr_to_compat_reg(ka->sa.sa_restorer); + if (ksig->ka.sa.sa_flags & SA_RESTORER) + restorer = ptr_to_compat_reg(ksig->ka.sa.sa_restorer);

/* * Set up registers for signal handler. @@ -239,7 +239,7 @@ int compat_setup_rt_frame(int sig, struc * We always pass siginfo and mcontext, regardless of SA_SIGINFO, * since some things rely on this (e.g. glibc's debug/segfault.c). */ - regs->pc = ptr_to_compat_reg(ka->sa.sa_handler); + regs->pc = ptr_to_compat_reg(ksig->ka.sa.sa_handler); regs->ex1 = PL_ICS_EX1(USER_PL, 1); /* set crit sec in handler */ regs->sp = ptr_to_compat_reg(frame); regs->lr = restorer; @@ -249,7 +249,8 @@ int compat_setup_rt_frame(int sig, struc regs->flags |= PT_FLAGS_CALLER_SAVES; return 0;

-give_sigsegv: - signal_fault("bad setup frame", regs, frame, sig); +err: + trace_unhandled_signal("bad sigreturn frame", regs, + (unsigned long)frame, SIGSEGV); return -EFAULT; } --- a/arch/tile/kernel/signal.c +++ b/arch/tile/kernel/signal.c @@ -153,18 +153,18 @@ static inline void __user *get_sigframe( return (void __user *) sp; }

-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { unsigned long restorer; struct rt_sigframe __user *frame; - int err = 0; + int err = 0, sig = ksig->sig; int usig;

- frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + goto err;

usig = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -173,12 +173,12 @@ static int setup_rt_frame(int sig, struc : sig;

/* Always write at least the signal number for the stack backtracer. */ - if (ka->sa.sa_flags & SA_SIGINFO) { + if (ksig->ka.sa.sa_flags & SA_SIGINFO) { /* At sigreturn time, restore the callee-save registers too. */ - err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info); regs->flags |= PT_FLAGS_RESTORE_REGS; } else { - err |= __put_user(info->si_signo, &frame->info.si_signo); + err |= __put_user(ksig->info.si_signo, &frame->info.si_signo); }

/* Create the ucontext. */ @@ -189,11 +189,11 @@ static int setup_rt_frame(int sig, struc err |= setup_sigcontext(&frame->uc.uc_mcontext, regs); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); if (err) - goto give_sigsegv; + goto err;

restorer = VDSO_SYM(&__vdso_rt_sigreturn); - if (ka->sa.sa_flags & SA_RESTORER) - restorer = (unsigned long) ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) + restorer = (unsigned long) ksig->ka.sa.sa_restorer;

/* * Set up registers for signal handler. @@ -202,7 +202,7 @@ static int setup_rt_frame(int sig, struc * We always pass siginfo and mcontext, regardless of SA_SIGINFO, * since some things rely on this (e.g. glibc's debug/segfault.c). */ - regs->pc = (unsigned long) ka->sa.sa_handler; + regs->pc = (unsigned long) ksig->ka.sa.sa_handler; regs->ex1 = PL_ICS_EX1(USER_PL, 1); /* set crit sec in handler */ regs->sp = (unsigned long) frame; regs->lr = restorer; @@ -212,8 +212,9 @@ static int setup_rt_frame(int sig, struc regs->flags |= PT_FLAGS_CALLER_SAVES; return 0;

-give_sigsegv: - signal_fault("bad setup frame", regs, frame, sig); +err: + trace_unhandled_signal("bad sigreturn frame", regs, + (unsigned long)frame, SIGSEGV); return -EFAULT; }

@@ -221,9 +222,7 @@ give_sigsegv: * OK, we're invoking a handler */

-static void handle_signal(unsigned long sig, siginfo_t *info, - struct k_sigaction *ka, - struct pt_regs *regs) +static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) { sigset_t *oldset = sigmask_to_save(); int ret; @@ -238,7 +237,7 @@ static void handle_signal(unsigned long break;

case -ERESTARTSYS: - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { regs->regs[0] = -EINTR; break; } @@ -254,14 +253,12 @@ static void handle_signal(unsigned long /* Set up the stack frame */ #ifdef CONFIG_COMPAT if (is_compat_task()) - ret = compat_setup_rt_frame(sig, ka, info, oldset, regs); + ret = compat_setup_rt_frame(ksig, oldset, regs); else #endif - ret = setup_rt_frame(sig, ka, info, oldset, regs); - if (ret) - return; - signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLESTEP)); + ret = setup_rt_frame(ksig, oldset, regs); + + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); }

/* @@ -271,9 +268,7 @@ static void handle_signal(unsigned long */ void do_signal(struct pt_regs *regs) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig;

/* * i386 will check if we're coming from kernel mode and bail out @@ -282,10 +277,9 @@ void do_signal(struct pt_regs *regs) * helpful, we can reinstate the check on "!user_mode(regs)". */

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { + if (get_signal(&ksig)) { /* Whee! Actually deliver the signal. */ - handle_signal(signr, &info, &ka, regs); + handle_signal(&ksig, regs); goto done; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jonathan Bakker xc-racer2@live.ca

commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream.

Otherwise we introduce a race condition where userspace can request input before we're ready leading to null pointer dereference such as

input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3 Unable to handle kernel NULL pointer dereference at virtual address 00000018 pgd = (ptrval) [00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM Modules linked in: bma150 input_polldev [last unloaded: bma150] CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46 Hardware name: Samsung S5PC110/S5PV210-based board PC is at input_event+0x8/0x60 LR is at bma150_report_xyz+0x9c/0xe0 [bma150] pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013 sp : a4c1fd78 ip : 00000081 fp : 00020000 r10: 00000000 r9 : a5e2944c r8 : a7455000 r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048 r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000 Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 54e34019 DAC: 00000051 Process accelerometer (pid: 2870, stack limit = 0x(ptrval)) Stackck: (0xa4c1fd78 to 0xa4c20000) fd60: fffffff3 fc813f6c fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324 fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10 fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0 fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000 fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041 fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8 fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001 fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048 fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8 fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720 fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00 ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3 ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002 ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100 ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000 ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000 ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038 ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000 [<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c) Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018) ---[ end trace 1c691ee85f2ff243 ]---

Signed-off-by: Jonathan Bakker xc-racer2@live.ca Signed-off-by: Paweł Chmiel pawel.mikolaj.chmiel@gmail.com Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/input/misc/bma150.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/input/misc/bma150.c +++ b/drivers/input/misc/bma150.c @@ -483,13 +483,14 @@ static int bma150_register_input_device( idev->close = bma150_irq_close; input_set_drvdata(idev, bma150);

+ bma150->input = idev; + error = input_register_device(idev); if (error) { input_free_device(idev); return error; }

- bma150->input = idev; return 0; }

@@ -512,15 +513,15 @@ static int bma150_register_polled_device

bma150_init_input_device(bma150, ipoll_dev->input);

+ bma150->input_polled = ipoll_dev; + bma150->input = ipoll_dev->input; + error = input_register_polled_device(ipoll_dev); if (error) { input_free_polled_device(ipoll_dev); return error; }

- bma150->input_polled = ipoll_dev; - bma150->input = ipoll_dev->input; - return 0; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: YueHaibing yuehaibing@huawei.com

commit 58bdd544e2933a21a51eecf17c3f5f94038261b5 upstream.

KASAN report this:

BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc] Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401

CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xfa/0x1ce lib/dump_stack.c:113 kasan_report+0x171/0x18d mm/kasan/report.c:321 memcpy+0x1f/0x50 mm/kasan/common.c:130 nfc_llcp_build_gb+0x37f/0x540 [nfc] nfc_llcp_register_device+0x6eb/0xb50 [nfc] nfc_register_device+0x50/0x1d0 [nfc] nfcsim_device_new+0x394/0x67d [nfcsim] ? 0xffffffffc1080000 nfcsim_init+0x6b/0x1000 [nfcsim] do_one_initcall+0xfa/0x5ca init/main.c:887 do_init_module+0x204/0x5f6 kernel/module.c:3460 load_module+0x66b2/0x8570 kernel/module.c:3808 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x462e99 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

nfc_llcp_build_tlv will return NULL on fails, caller should check it, otherwise will trigger a NULL dereference.

Reported-by: Hulk Robot hulkci@huawei.com Fixes: eda21f16a5ed ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames") Fixes: d646960f7986 ("NFC: Initial LLCP support") Signed-off-by: YueHaibing yuehaibing@huawei.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/nfc/llcp_commands.c | 20 ++++++++++++++++++++ net/nfc/llcp_core.c | 24 ++++++++++++++++++++---- 2 files changed, 40 insertions(+), 4 deletions(-)

--- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -418,6 +418,10 @@ int nfc_llcp_send_connect(struct nfc_llc sock->service_name, sock->service_name_len, &service_name_tlv_length); + if (!service_name_tlv) { + err = -ENOMEM; + goto error_tlv; + } size += service_name_tlv_length; }

@@ -428,9 +432,17 @@ int nfc_llcp_send_connect(struct nfc_llc

miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, &miux_tlv_length); + if (!miux_tlv) { + err = -ENOMEM; + goto error_tlv; + } size += miux_tlv_length;

rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); + if (!rw_tlv) { + err = -ENOMEM; + goto error_tlv; + } size += rw_tlv_length;

pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len); @@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_soc

miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, &miux_tlv_length); + if (!miux_tlv) { + err = -ENOMEM; + goto error_tlv; + } size += miux_tlv_length;

rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); + if (!rw_tlv) { + err = -ENOMEM; + goto error_tlv; + } size += rw_tlv_length;

skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size); --- a/net/nfc/llcp_core.c +++ b/net/nfc/llcp_core.c @@ -531,10 +531,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(stru

static int nfc_llcp_build_gb(struct nfc_llcp_local *local) { - u8 *gb_cur, *version_tlv, version, version_length; - u8 *lto_tlv, lto_length; - u8 *wks_tlv, wks_length; - u8 *miux_tlv, miux_length; + u8 *gb_cur, version, version_length; + u8 lto_length, wks_length, miux_length; + u8 *version_tlv = NULL, *lto_tlv = NULL, + *wks_tlv = NULL, *miux_tlv = NULL; __be16 wks = cpu_to_be16(local->local_wks); u8 gb_len = 0; int ret = 0; @@ -542,17 +542,33 @@ static int nfc_llcp_build_gb(struct nfc_ version = LLCP_VERSION_11; version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version, 1, &version_length); + if (!version_tlv) { + ret = -ENOMEM; + goto out; + } gb_len += version_length;

lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, &lto_length); + if (!lto_tlv) { + ret = -ENOMEM; + goto out; + } gb_len += lto_length;

pr_debug("Local wks 0x%lx\n", local->local_wks); wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length); + if (!wks_tlv) { + ret = -ENOMEM; + goto out; + } gb_len += wks_length;

miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0, &miux_length); + if (!miux_tlv) { + ret = -ENOMEM; + goto out; + } gb_len += miux_length;

gb_len += ARRAY_SIZE(llcp_magic);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit fa0197722eb7559a6a9733881bbb8d9e76364f33 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/cris/arch-v10/kernel/signal.c | 79 +++++++++++++----------------- arch/cris/arch-v32/kernel/signal.c | 77 ++++++++++++----------------- 2 files changed, 63 insertions(+), 93 deletions(-)

--- a/arch/cris/arch-v10/kernel/signal.c +++ b/arch/cris/arch-v10/kernel/signal.c @@ -228,33 +228,33 @@ get_sigframe(struct k_sigaction *ka, str * user-mode trampoline. */

-static int setup_frame(int sig, struct k_sigaction *ka, - sigset_t *set, struct pt_regs *regs) +static int setup_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct sigframe __user *frame; unsigned long return_ip; int err = 0;

- frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

err |= setup_sigcontext(&frame->sc, regs, set->sig[0]); if (err) - goto give_sigsegv; + return -EFAULT;

if (_NSIG_WORDS > 1) { err |= __copy_to_user(frame->extramask, &set->sig[1], sizeof(frame->extramask)); } if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - return_ip = (unsigned long)ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + return_ip = (unsigned long)ksig->ka.sa.sa_restorer; } else { /* trampoline - the desired return ip is the retcode itself */ return_ip = (unsigned long)&frame->retcode; @@ -265,42 +265,38 @@ static int setup_frame(int sig, struct k }

if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */

- regs->irp = (unsigned long) ka->sa.sa_handler; /* what we enter NOW */ + regs->irp = (unsigned long) ksig->ka.sa.sa_handler; /* what we enter NOW */ regs->srp = return_ip; /* what we enter LATER */ - regs->r10 = sig; /* first argument is signo */ + regs->r10 = ksig->sig; /* first argument is signo */

/* actually move the usp to reflect the stacked frame */

wrusp((unsigned long)frame);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe __user *frame; unsigned long return_ip; int err = 0;

- frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

err |= __put_user(&frame->info, &frame->pinfo); err |= __put_user(&frame->uc, &frame->puc); - err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info); if (err) - goto give_sigsegv; + return -EFAULT;

/* Clear all the bits of the ucontext we don't use. */ err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext)); @@ -312,12 +308,12 @@ static int setup_rt_frame(int sig, struc err |= __save_altstack(&frame->uc.uc_stack, rdusp());

if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - return_ip = (unsigned long)ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + return_ip = (unsigned long)ksig->ka.sa.sa_restorer; } else { /* trampoline - the desired return ip is the retcode itself */ return_ip = (unsigned long)&frame->retcode; @@ -329,18 +325,18 @@ static int setup_rt_frame(int sig, struc }

if (err) - goto give_sigsegv; + return -EFAULT;

/* TODO what is the current->exec_domain stuff and invmap ? */

/* Set up registers for signal handler */

/* What we enter NOW */ - regs->irp = (unsigned long) ka->sa.sa_handler; + regs->irp = (unsigned long) ksig->ka.sa.sa_handler; /* What we enter LATER */ regs->srp = return_ip; /* First argument is signo */ - regs->r10 = sig; + regs->r10 = ksig->sig; /* Second argument is (siginfo_t *) */ regs->r11 = (unsigned long)&frame->info; /* Third argument is unused */ @@ -350,19 +346,14 @@ static int setup_rt_frame(int sig, struc wrusp((unsigned long)frame);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

/* * OK, we're invoking a handler */

-static inline void handle_signal(int canrestart, unsigned long sig, - siginfo_t *info, struct k_sigaction *ka, - struct pt_regs *regs) +static inline void handle_signal(int canrestart, struct ksignal *ksig, + struct pt_regs *regs) { sigset_t *oldset = sigmask_to_save(); int ret; @@ -383,7 +374,7 @@ static inline void handle_signal(int can /* ERESTARTSYS means to restart the syscall if * there is no handler or the handler was * registered with SA_RESTART */ - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { regs->r10 = -EINTR; break; } @@ -396,13 +387,12 @@ static inline void handle_signal(int can }

/* Set up the stack frame */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame(sig, ka, info, oldset, regs); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = setup_rt_frame(ksig, oldset, regs); else - ret = setup_frame(sig, ka, oldset, regs); + ret = setup_frame(ksig, oldset, regs);

- if (ret == 0) - signal_delivered(sig, info, ka, regs, 0); + signal_setup_done(ret, ksig, 0); }

/* @@ -419,9 +409,7 @@ static inline void handle_signal(int can

void do_signal(int canrestart, struct pt_regs *regs) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig;

/* * We want the common case to go fast, which @@ -432,10 +420,9 @@ void do_signal(int canrestart, struct pt if (!user_mode(regs)) return;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { + if (get_signal(&ksig)) { /* Whee! Actually deliver the signal. */ - handle_signal(canrestart, signr, &info, &ka, regs); + handle_signal(canrestart, &ksig, regs); return; }

--- a/arch/cris/arch-v32/kernel/signal.c +++ b/arch/cris/arch-v32/kernel/signal.c @@ -215,23 +215,22 @@ get_sigframe(struct k_sigaction *ka, str * trampoline. */ static int -setup_frame(int sig, struct k_sigaction *ka, sigset_t *set, - struct pt_regs * regs) +setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { int err; unsigned long return_ip; struct signal_frame __user *frame;

err = 0; - frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);

if (err) - goto give_sigsegv; + return -EFAULT;

if (_NSIG_WORDS > 1) { err |= __copy_to_user(frame->extramask, &set->sig[1], @@ -239,14 +238,14 @@ setup_frame(int sig, struct k_sigaction }

if (err) - goto give_sigsegv; + return -EFAULT;

/* * Set up to return from user-space. If provided, use a stub * already located in user-space. */ - if (ka->sa.sa_flags & SA_RESTORER) { - return_ip = (unsigned long)ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + return_ip = (unsigned long)ksig->ka.sa.sa_restorer; } else { /* Trampoline - the desired return ip is in the signal return page. */ return_ip = cris_signal_return_page; @@ -264,7 +263,7 @@ setup_frame(int sig, struct k_sigaction }

if (err) - goto give_sigsegv; + return -EFAULT;

/* * Set up registers for signal handler. @@ -273,42 +272,37 @@ setup_frame(int sig, struct k_sigaction * Where the code enter later. * First argument, signo. */ - regs->erp = (unsigned long) ka->sa.sa_handler; + regs->erp = (unsigned long) ksig->ka.sa.sa_handler; regs->srp = return_ip; - regs->r10 = sig; + regs->r10 = ksig->sig;

/* Actually move the USP to reflect the stacked frame. */ wrusp((unsigned long)frame);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

static int -setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs * regs) +setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { int err; unsigned long return_ip; struct rt_signal_frame __user *frame;

err = 0; - frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

/* TODO: what is the current->exec_domain stuff and invmap ? */

err |= __put_user(&frame->info, &frame->pinfo); err |= __put_user(&frame->uc, &frame->puc); - err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info);

if (err) - goto give_sigsegv; + return -EFAULT;

/* Clear all the bits of the ucontext we don't use. */ err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext)); @@ -317,14 +311,14 @@ setup_rt_frame(int sig, struct k_sigacti err |= __save_altstack(&frame->uc.uc_stack, rdusp());

if (err) - goto give_sigsegv; + return -EFAULT;

/* * Set up to return from user-space. If provided, use a stub * already located in user-space. */ - if (ka->sa.sa_flags & SA_RESTORER) { - return_ip = (unsigned long) ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + return_ip = (unsigned long) ksig->ka.sa.sa_restorer; } else { /* Trampoline - the desired return ip is in the signal return page. */ return_ip = cris_signal_return_page + 6; @@ -345,7 +339,7 @@ setup_rt_frame(int sig, struct k_sigacti }

if (err) - goto give_sigsegv; + return -EFAULT;

/* * Set up registers for signal handler. @@ -356,9 +350,9 @@ setup_rt_frame(int sig, struct k_sigacti * Second argument is (siginfo_t *). * Third argument is unused. */ - regs->erp = (unsigned long) ka->sa.sa_handler; + regs->erp = (unsigned long) ksig->ka.sa.sa_handler; regs->srp = return_ip; - regs->r10 = sig; + regs->r10 = ksig->sig; regs->r11 = (unsigned long) &frame->info; regs->r12 = 0;

@@ -366,17 +360,11 @@ setup_rt_frame(int sig, struct k_sigacti wrusp((unsigned long)frame);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

/* Invoke a signal handler to, well, handle the signal. */ static inline void -handle_signal(int canrestart, unsigned long sig, - siginfo_t *info, struct k_sigaction *ka, - struct pt_regs * regs) +handle_signal(int canrestart, struct ksignal *ksig, struct pt_regs *regs) { sigset_t *oldset = sigmask_to_save(); int ret; @@ -404,7 +392,7 @@ handle_signal(int canrestart, unsigned l * there is no handler, or the handler * was registered with SA_RESTART. */ - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { regs->r10 = -EINTR; break; } @@ -423,13 +411,12 @@ handle_signal(int canrestart, unsigned l }

/* Set up the stack frame. */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame(sig, ka, info, oldset, regs); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = setup_rt_frame(ksig, oldset, regs); else - ret = setup_frame(sig, ka, oldset, regs); + ret = setup_frame(ksig, oldset, regs);

- if (ret == 0) - signal_delivered(sig, info, ka, regs, 0); + signal_setup_done(ret, ksig, 0); }

/* @@ -446,9 +433,7 @@ handle_signal(int canrestart, unsigned l void do_signal(int canrestart, struct pt_regs *regs) { - int signr; - siginfo_t info; - struct k_sigaction ka; + struct ksignal ksig;

/* * The common case should go fast, which is why this point is @@ -458,11 +443,9 @@ do_signal(int canrestart, struct pt_regs if (!user_mode(regs)) return;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - - if (signr > 0) { + if (get_signal(&ksig)) { /* Whee! Actually deliver the signal. */ - handle_signal(canrestart, signr, &info, &ka, regs); + handle_signal(canrestart, &ksig, regs); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 5bdb7611eb7987102f3c0fef1220dd64b6fbd9fd upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/xtensa/kernel/signal.c | 43 ++++++++++++++----------------------- 1 file changed, 16 insertions(+), 27 deletions(-)

diff --git a/arch/xtensa/kernel/signal.c b/arch/xtensa/kernel/signal.c index 98b67d5f1514..4612321c73cc 100644 --- a/arch/xtensa/kernel/signal.c +++ b/arch/xtensa/kernel/signal.c @@ -331,17 +331,17 @@ gen_return_code(unsigned char *codemem) }

-static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe *frame; - int err = 0; + int err = 0, sig = ksig->sig; int signal; unsigned long sp, ra, tp;

sp = regs->areg[1];

- if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) { + if ((ksig->ka.sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) { sp = current->sas_ss_sp + current->sas_ss_size; }

@@ -351,7 +351,7 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info, panic ("Double exception sys_sigreturn\n");

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) { - goto give_sigsegv; + return -EFAULT; }

signal = current_thread_info()->exec_domain @@ -360,8 +360,8 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info, ? current_thread_info()->exec_domain->signal_invmap[sig] : sig;

- if (ka->sa.sa_flags & SA_SIGINFO) { - err |= copy_siginfo_to_user(&frame->info, info); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) { + err |= copy_siginfo_to_user(&frame->info, &ksig->info); }

/* Create the user context. */ @@ -372,8 +372,8 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info, err |= setup_sigcontext(frame, regs); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));

- if (ka->sa.sa_flags & SA_RESTORER) { - ra = (unsigned long)ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + ra = (unsigned long)ksig->ka.sa.sa_restorer; } else {

/* Create sys_rt_sigreturn syscall in stack frame */ @@ -381,7 +381,7 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info, err |= gen_return_code(frame->retcode);

if (err) { - goto give_sigsegv; + return -EFAULT; } ra = (unsigned long) frame->retcode; } @@ -393,7 +393,7 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,

/* Set up registers for signal handler; preserve the threadptr */ tp = regs->threadptr; - start_thread(regs, (unsigned long) ka->sa.sa_handler, + start_thread(regs, (unsigned long) ksig->ka.sa.sa_handler, (unsigned long) frame);

/* Set up a stack frame for a call4 @@ -416,10 +416,6 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info, #endif

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

/* @@ -433,15 +429,11 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info, */ static void do_signal(struct pt_regs *regs) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig;

task_pt_regs(current)->icountlevel = 0;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - - if (signr > 0) { + if (get_signal(&ksig)) { int ret;

/* Are we from a system call? */ @@ -457,7 +449,7 @@ static void do_signal(struct pt_regs *regs) break;

case -ERESTARTSYS: - if (!(ka.sa.sa_flags & SA_RESTART)) { + if (!(ksig.ka.sa.sa_flags & SA_RESTART)) { regs->areg[2] = -EINTR; break; } @@ -476,11 +468,8 @@ static void do_signal(struct pt_regs *regs)

/* Whee! Actually deliver the signal. */ /* Set up the stack frame */ - ret = setup_frame(signr, &ka, &info, sigmask_to_save(), regs); - if (ret) - return; - - signal_delivered(signr, &info, &ka, regs, 0); + ret = setup_frame(&ksig, sigmask_to_save(), regs); + signal_setup_done(ret, &ksig, 0); if (current->ptrace & PT_SINGLESTEP) task_pt_regs(current)->icountlevel = 1;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Elder paul.elder@ideasonboard.com

commit c418fd6c01fbc5516a2cd1eaf1df1ec86869028a upstream.

Handling short packets (length < max packet size) in the Inventra DMA engine in the MUSB driver causes the MUSB DMA controller to hang. An example of a problem that is caused by this problem is when streaming video out of a UVC gadget, only the first video frame is transferred.

For short packets (mode-0 or mode-1 DMA), MUSB_TXCSR_TXPKTRDY must be set manually by the driver. This was previously done in musb_g_tx (musb_gadget.c), but incorrectly (all csr flags were cleared, and only MUSB_TXCSR_MODE and MUSB_TXCSR_TXPKTRDY were set). Fixing that problem allows some requests to be transferred correctly, but multiple requests were often put together in one USB packet, and caused problems if the packet size was not a multiple of 4. Instead, set MUSB_TXCSR_TXPKTRDY in dma_controller_irq (musbhsdma.c), just like host mode transfers.

This topic was originally tackled by Nicolas Boichat [0] [1] and is discussed further at [2] as part of his GSoC project [3].

[0] https://groups.google.com/forum/?hl=en#%21topic/beagleboard-gsoc/k8Azwfp75CU [1] https://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel/c... [2] http://beagleboard-usbsniffer.blogspot.com/2010/07/musb-isochronous-transfer... [3] http://elinux.org/BeagleBoard/GSoC/USBSniffer

Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support") Signed-off-by: Paul Elder paul.elder@ideasonboard.com Signed-off-by: Bin Liu b-liu@ti.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: - Fold in the earlier commit fb91cddc54e7 "usb: musb: Remove DMA ifdef for musb_gadget.c short_packet" - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/musb/musb_gadget.c | 13 +------------ drivers/usb/musb/musbhsdma.c | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 22 deletions(-)

--- a/drivers/usb/musb/musb_gadget.c +++ b/drivers/usb/musb/musb_gadget.c @@ -488,10 +488,8 @@ void musb_g_tx(struct musb *musb, u8 epn }

if (request) { - u8 is_dma = 0;

if (dma && (csr & MUSB_TXCSR_DMAENAB)) { - is_dma = 1; csr |= MUSB_TXCSR_P_WZC_BITS; csr &= ~(MUSB_TXCSR_DMAENAB | MUSB_TXCSR_P_UNDERRUN | MUSB_TXCSR_TXPKTRDY | MUSB_TXCSR_AUTOSET); @@ -507,15 +505,10 @@ void musb_g_tx(struct musb *musb, u8 epn * First, maybe a terminating short packet. Some DMA * engines might handle this by themselves. */ - if ((request->zero && request->length + if ((request->zero && request->length) && (request->length % musb_ep->packet_sz == 0) - && (request->actual == request->length)) -#if defined(CONFIG_USB_INVENTRA_DMA) || defined(CONFIG_USB_UX500_DMA) - || (is_dma && (!dma->desired_mode || - (request->actual & - (musb_ep->packet_sz - 1)))) -#endif - ) { + && (request->actual == request->length)) { + /* * On DMA completion, FIFO may not be * available yet... --- a/drivers/usb/musb/musbhsdma.c +++ b/drivers/usb/musb/musbhsdma.c @@ -319,12 +319,10 @@ static irqreturn_t dma_controller_irq(in channel->status = MUSB_DMA_STATUS_FREE;

/* completed */ - if ((devctl & MUSB_DEVCTL_HM) - && (musb_channel->transmit) - && ((channel->desired_mode == 0) - || (channel->actual_len & - (musb_channel->max_packet_sz - 1))) - ) { + if (musb_channel->transmit && + (!channel->desired_mode || + (channel->actual_len % + musb_channel->max_packet_sz))) { u8 epnum = musb_channel->epnum; int offset = MUSB_EP_OFFSET(epnum, MUSB_TXCSR); @@ -336,11 +334,14 @@ static irqreturn_t dma_controller_irq(in */ musb_ep_select(mbase, epnum); txcsr = musb_readw(mbase, offset); - txcsr &= ~(MUSB_TXCSR_DMAENAB + if (channel->desired_mode == 1) { + txcsr &= ~(MUSB_TXCSR_DMAENAB | MUSB_TXCSR_AUTOSET); - musb_writew(mbase, offset, txcsr); - /* Send out the packet */ - txcsr &= ~MUSB_TXCSR_DMAMODE; + musb_writew(mbase, offset, txcsr); + /* Send out the packet */ + txcsr &= ~MUSB_TXCSR_DMAMODE; + txcsr |= MUSB_TXCSR_DMAENAB; + } txcsr |= MUSB_TXCSR_TXPKTRDY; musb_writew(mbase, offset, txcsr); }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dexuan Cui decui@microsoft.com

commit ba50bf1ce9a51fc97db58b96d01306aa70bc3979 upstream.

fc96df16a1ce is good and can already fix the "return stack garbage" issue, but let's also improve hv_ringbuffer_get_debuginfo(), which would silently return stack garbage, if people forget to check channel->state or ring_info->ring_buffer, when using the function in the future.

Having an error check in the function would eliminate the potential risk.

Add a Fixes tag to indicate the patch depdendency.

Fixes: fc96df16a1ce ("Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels") Cc: K. Y. Srinivasan kys@microsoft.com Cc: Haiyang Zhang haiyangz@microsoft.com Signed-off-by: Stephen Hemminger sthemmin@microsoft.com Signed-off-by: Dexuan Cui decui@microsoft.com Signed-off-by: Sasha Levin sashal@kernel.org [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hv/ring_buffer.c | 31 +++++++------- drivers/hv/vmbus_drv.c | 91 +++++++++++++++++++++++++++------------- include/linux/hyperv.h | 5 ++- 3 files changed, 79 insertions(+), 48 deletions(-)

--- a/drivers/hv/ring_buffer.c +++ b/drivers/hv/ring_buffer.c @@ -329,26 +329,25 @@ static u32 hv_copyto_ringbuffer( * Get various debug metrics for the specified ring buffer * */ -void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info, - struct hv_ring_buffer_debug_info *debug_info) +int hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info, + struct hv_ring_buffer_debug_info *debug_info) { u32 bytes_avail_towrite; u32 bytes_avail_toread;

- if (ring_info->ring_buffer) { - hv_get_ringbuffer_availbytes(ring_info, - &bytes_avail_toread, - &bytes_avail_towrite); + if (!ring_info->ring_buffer) + return -EINVAL;

- debug_info->bytes_avail_toread = bytes_avail_toread; - debug_info->bytes_avail_towrite = bytes_avail_towrite; - debug_info->current_read_index = - ring_info->ring_buffer->read_index; - debug_info->current_write_index = - ring_info->ring_buffer->write_index; - debug_info->current_interrupt_mask = - ring_info->ring_buffer->interrupt_mask; - } + hv_get_ringbuffer_availbytes(ring_info, + &bytes_avail_toread, + &bytes_avail_towrite); + debug_info->bytes_avail_toread = bytes_avail_toread; + debug_info->bytes_avail_towrite = bytes_avail_towrite; + debug_info->current_read_index = ring_info->ring_buffer->read_index; + debug_info->current_write_index = ring_info->ring_buffer->write_index; + debug_info->current_interrupt_mask + = ring_info->ring_buffer->interrupt_mask; + return 0; }

/* --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -257,12 +257,16 @@ static ssize_t out_intr_mask_show(struct { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info outbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, + &outbound); + if (ret < 0) + return ret; + return sprintf(buf, "%d\n", outbound.current_interrupt_mask); } static DEVICE_ATTR_RO(out_intr_mask); @@ -272,12 +276,15 @@ static ssize_t out_read_index_show(struc { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info outbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, + &outbound); + if (ret < 0) + return ret; return sprintf(buf, "%d\n", outbound.current_read_index); } static DEVICE_ATTR_RO(out_read_index); @@ -288,12 +295,15 @@ static ssize_t out_write_index_show(stru { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info outbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, + &outbound); + if (ret < 0) + return ret; return sprintf(buf, "%d\n", outbound.current_write_index); } static DEVICE_ATTR_RO(out_write_index); @@ -304,12 +314,15 @@ static ssize_t out_read_bytes_avail_show { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info outbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, + &outbound); + if (ret < 0) + return ret; return sprintf(buf, "%d\n", outbound.bytes_avail_toread); } static DEVICE_ATTR_RO(out_read_bytes_avail); @@ -320,12 +333,15 @@ static ssize_t out_write_bytes_avail_sho { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info outbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, + &outbound); + if (ret < 0) + return ret; return sprintf(buf, "%d\n", outbound.bytes_avail_towrite); } static DEVICE_ATTR_RO(out_write_bytes_avail); @@ -335,12 +351,15 @@ static ssize_t in_intr_mask_show(struct { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info inbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + if (ret < 0) + return ret; + return sprintf(buf, "%d\n", inbound.current_interrupt_mask); } static DEVICE_ATTR_RO(in_intr_mask); @@ -350,12 +369,15 @@ static ssize_t in_read_index_show(struct { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info inbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + if (ret < 0) + return ret; + return sprintf(buf, "%d\n", inbound.current_read_index); } static DEVICE_ATTR_RO(in_read_index); @@ -365,12 +387,15 @@ static ssize_t in_write_index_show(struc { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info inbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + if (ret < 0) + return ret; + return sprintf(buf, "%d\n", inbound.current_write_index); } static DEVICE_ATTR_RO(in_write_index); @@ -381,12 +406,15 @@ static ssize_t in_read_bytes_avail_show( { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info inbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + if (ret < 0) + return ret; + return sprintf(buf, "%d\n", inbound.bytes_avail_toread); } static DEVICE_ATTR_RO(in_read_bytes_avail); @@ -397,12 +425,15 @@ static ssize_t in_write_bytes_avail_show { struct hv_device *hv_dev = device_to_hv_device(dev); struct hv_ring_buffer_debug_info inbound; + int ret;

if (!hv_dev->channel) return -ENODEV; - if (hv_dev->channel->state != CHANNEL_OPENED_STATE) - return -EINVAL; - hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + + ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + if (ret < 0) + return ret; + return sprintf(buf, "%d\n", inbound.bytes_avail_towrite); } static DEVICE_ATTR_RO(in_write_bytes_avail); --- a/drivers/hv/hyperv_vmbus.h +++ b/drivers/hv/hyperv_vmbus.h @@ -580,8 +580,9 @@ int hv_ringbuffer_read(struct hv_ring_bu u32 offset, bool *signal);

-void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info, - struct hv_ring_buffer_debug_info *debug_info); + +int hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info, + struct hv_ring_buffer_debug_info *debug_info);

void hv_begin_read(struct hv_ring_buffer_info *rbi);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal fw@strlen.de

commit b8e9dc1c75714ceb53615743e1036f76e00f5a17 upstream.

Taehee Yoo reported following bug: iptables-compat -I OUTPUT -m cpu --cpu 0 iptables-compat -F lsmod |grep xt_cpu xt_cpu 16384 1

Quote: "When above command is given, a netlink message has two expressions that are the cpu compat and the nft_counter. The nft_expr_type_get() in the nf_tables_expr_parse() successes first expression then, calls select_ops callback. (allocates memory and holds module) But, second nft_expr_type_get() in the nf_tables_expr_parse() returns -EAGAIN because of request_module(). In that point, by the 'goto err1', the 'module_put(info[i].ops->type->owner)' is called. There is no release routine."

The core problem is that unlike all other expression, nft_compat select_ops has side effects.

1. it allocates dynamic memory which holds an nft ops struct. In all other expressions, ops has static storage duration. 2. It grabs references to the xt module that it is supposed to invoke.

Depending on where things go wrong, error unwinding doesn't always do the right thing.

In the above scenario, a new nft_compat_expr is created and xt_cpu module gets loaded with a refcount of 1.

Due to to -EAGAIN, the netlink messages get re-parsed. When that happens, nft_compat finds that xt_cpu is already present and increments module refcount again.

This fixes the problem by making select_ops to have no visible side effects and removes all extra module_get/put.

When select_ops creates a new nft_compat expression, the new expression has a refcount of 0, and the xt module gets its refcount incremented.

When error happens, the next call finds existing entry, but will no longer increase the reference count -- the presence of existing nft_xt means we already hold a module reference.

Because nft_xt_put is only called from nft_compat destroy hook, it will never see the initial zero reference count. ->destroy can only be called after ->init(), and that will increase the refcount.

Lastly, we now free nft_xt struct with kfree_rcu. Else, we get use-after free in nf_tables_rule_destroy:

while (expr != nft_expr_last(rule) && expr->ops) { nf_tables_expr_destroy(ctx, expr); expr = nft_expr_next(expr); // here

nft_expr_next() dereferences expr->ops. This is safe for all users, as ops have static storage duration. In nft_compat case however, its ->destroy callback can free the memory that hold the ops structure.

Tested-by: Taehee Yoo ap420073@gmail.com Reported-by: Taehee Yoo ap420073@gmail.com Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/netfilter/nft_compat.c | 92 ++++++++++++++++++++++++-------------- 1 file changed, 58 insertions(+), 34 deletions(-)

--- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c @@ -26,14 +26,24 @@ struct nft_xt { struct list_head head; struct nft_expr_ops ops; unsigned int refcnt; + + /* Unlike other expressions, ops doesn't have static storage duration. + * nft core assumes they do. We use kfree_rcu so that nft core can + * can check expr->ops->size even after nft_compat->destroy() frees + * the nft_xt struct that holds the ops structure. + */ + struct rcu_head rcu_head; };

-static void nft_xt_put(struct nft_xt *xt) +static bool nft_xt_put(struct nft_xt *xt) { if (--xt->refcnt == 0) { list_del(&xt->head); - kfree(xt); + kfree_rcu(xt, rcu_head); + return true; } + + return false; }

union nft_entry { @@ -177,6 +187,7 @@ nft_target_init(const struct nft_ctx *ct struct xt_target *target = expr->ops->data; struct xt_tgchk_param par; size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO])); + struct nft_xt *nft_xt; u8 proto = 0; bool inv = false; union nft_entry e = {}; @@ -187,25 +198,22 @@ nft_target_init(const struct nft_ctx *ct if (ctx->nla[NFTA_RULE_COMPAT]) { ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv); if (ret < 0) - goto err; + return ret; }

nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);

ret = xt_check_target(&par, size, proto, inv); if (ret < 0) - goto err; + return ret;

/* The standard target cannot be used */ - if (target->target == NULL) { - ret = -EINVAL; - goto err; - } + if (!target->target) + return -EINVAL;

+ nft_xt = container_of(expr->ops, struct nft_xt, ops); + nft_xt->refcnt++; return 0; -err: - module_put(target->me); - return ret; }

static void @@ -222,8 +230,8 @@ nft_target_destroy(const struct nft_ctx if (par.target->destroy != NULL) par.target->destroy(&par);

- nft_xt_put(container_of(expr->ops, struct nft_xt, ops)); - module_put(target->me); + if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops))) + module_put(target->me); }

static int @@ -383,6 +391,7 @@ nft_match_init(const struct nft_ctx *ctx struct xt_match *match = expr->ops->data; struct xt_mtchk_param par; size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO])); + struct nft_xt *nft_xt; u8 proto = 0; bool inv = false; union nft_entry e = {}; @@ -393,19 +402,18 @@ nft_match_init(const struct nft_ctx *ctx if (ctx->nla[NFTA_RULE_COMPAT]) { ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv); if (ret < 0) - goto err; + return ret; }

nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);

ret = xt_check_match(&par, size, proto, inv); if (ret < 0) - goto err; + return ret;

+ nft_xt = container_of(expr->ops, struct nft_xt, ops); + nft_xt->refcnt++; return 0; -err: - module_put(match->me); - return ret; }

static void @@ -423,8 +431,8 @@ nft_match_destroy(const struct nft_ctx * if (par.match->destroy != NULL) par.match->destroy(&par);

- nft_xt_put(container_of(expr->ops, struct nft_xt, ops)); - module_put(me); + if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops))) + module_put(me); }

static int @@ -653,13 +661,8 @@ nft_match_select_ops(const struct nft_ct list_for_each_entry(nft_match, &nft_match_list, head) { struct xt_match *match = nft_match->ops.data;

- if (nft_match_cmp(match, mt_name, rev, family)) { - if (!try_module_get(match->me)) - return ERR_PTR(-ENOENT); - - nft_match->refcnt++; + if (nft_match_cmp(match, mt_name, rev, family)) return &nft_match->ops; - } }

match = xt_request_find_match(family, mt_name, rev); @@ -671,7 +674,7 @@ nft_match_select_ops(const struct nft_ct if (nft_match == NULL) return ERR_PTR(-ENOMEM);

- nft_match->refcnt = 1; + nft_match->refcnt = 0; nft_match->ops.type = &nft_match_type; nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize) + nft_compat_match_offset(match)); @@ -728,13 +731,8 @@ nft_target_select_ops(const struct nft_c list_for_each_entry(nft_target, &nft_target_list, head) { struct xt_target *target = nft_target->ops.data;

- if (nft_target_cmp(target, tg_name, rev, family)) { - if (!try_module_get(target->me)) - return ERR_PTR(-ENOENT); - - nft_target->refcnt++; + if (nft_target_cmp(target, tg_name, rev, family)) return &nft_target->ops; - } }

target = xt_request_find_target(family, tg_name, rev); @@ -746,7 +744,7 @@ nft_target_select_ops(const struct nft_c if (nft_target == NULL) return ERR_PTR(-ENOMEM);

- nft_target->refcnt = 1; + nft_target->refcnt = 0; nft_target->ops.type = &nft_target_type; nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize) + nft_compat_target_offset(target)); @@ -801,6 +799,32 @@ err_match:

static void __exit nft_compat_module_exit(void) { + struct nft_xt *xt, *next; + + /* list should be empty here, it can be non-empty only in case there + * was an error that caused nft_xt expr to not be initialized fully + * and noone else requested the same expression later. + * + * In this case, the lists contain 0-refcount entries that still + * hold module reference. + */ + list_for_each_entry_safe(xt, next, &nft_target_list, head) { + struct xt_target *target = xt->ops.data; + + if (WARN_ON_ONCE(xt->refcnt)) + continue; + module_put(target->me); + kfree(xt); + } + + list_for_each_entry_safe(xt, next, &nft_match_list, head) { + struct xt_match *match = xt->ops.data; + + if (WARN_ON_ONCE(xt->refcnt)) + continue; + module_put(match->me); + kfree(xt); + } nfnetlink_subsys_unregister(&nfnl_compat_subsys); nft_unregister_expr(&nft_target_type); nft_unregister_expr(&nft_match_type);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Wunner lukas@wunner.de

commit f7da7782aba92593f7b82f03d2409a1c5f4db91b upstream.

If IRQ handlers are threaded (either because CONFIG_PREEMPT_RT_BASE is enabled or "threadirqs" was passed on the command line) and if system load is sufficiently high that wakeup latency of IRQ threads degrades, SPI DMA transactions on the BCM2835 occasionally break like this:

ks8851 spi0.0: SPI transfer timed out bcm2835-dma 3f007000.dma: DMA transfer could not be terminated ks8851 spi0.0 eth2: ks8851_rdfifo: spi_sync() failed

The root cause is an assumption made by the DMA driver which is documented in a code comment in bcm2835_dma_terminate_all():

/* * Stop DMA activity: we assume the callback will not be called * after bcm_dma_abort() returns (even if it does, it will see * c->desc is NULL and exit.) */

That assumption falls apart if the IRQ handler bcm2835_dma_callback() is threaded: A client may terminate a descriptor and issue a new one before the IRQ handler had a chance to run. In fact the IRQ handler may miss an *arbitrary* number of descriptors. The result is the following race condition:

1. A descriptor finishes, its interrupt is deferred to the IRQ thread. 2. A client calls dma_terminate_async() which sets channel->desc = NULL. 3. The client issues a new descriptor. Because channel->desc is NULL, bcm2835_dma_issue_pending() immediately starts the descriptor. 4. Finally the IRQ thread runs and writes BCM2835_DMA_INT to the CS register to acknowledge the interrupt. This clears the ACTIVE flag, so the newly issued descriptor is paused in the middle of the transaction. Because channel->desc is not NULL, the IRQ thread finalizes the descriptor and tries to start the next one.

I see two possible solutions: The first is to call synchronize_irq() in bcm2835_dma_issue_pending() to wait until the IRQ thread has finished before issuing a new descriptor. The downside of this approach is unnecessary latency if clients desire rapidly terminating and re-issuing descriptors and don't have any use for an IRQ callback. (The SPI TX DMA channel is a case in point.)

A better alternative is to make the IRQ thread recognize that it has missed descriptors and avoid finalizing the newly issued descriptor. So first of all, set the ACTIVE flag when acknowledging the interrupt. This keeps a newly issued descriptor running.

If the descriptor was finished, the channel remains idle despite the ACTIVE flag being set. However the ACTIVE flag can then no longer be used to check whether the channel is idle, so instead check whether the register containing the current control block address is zero and finalize the current descriptor only if so.

That way, there is no impact on latency and throughput if the client doesn't care for the interrupt: Only minimal additional overhead is introduced for non-cyclic descriptors as one further MMIO read is necessary per interrupt to check for idleness of the channel. Cyclic descriptors are sped up slightly by removing one MMIO write per interrupt.

Fixes: 96286b576690 ("dmaengine: Add support for BCM2835") Signed-off-by: Lukas Wunner lukas@wunner.de Cc: Frank Pavlic f.pavlic@kunbus.de Cc: Martin Sperl kernel@martin.sperl.org Cc: Florian Meier florian.meier@koalo.de Cc: Clive Messer clive.m.messer@gmail.com Cc: Matthias Reichl hias@horus.com Tested-by: Stefan Wahren stefan.wahren@i2se.com Acked-by: Florian Kauer florian.kauer@koalo.de Signed-off-by: Vinod Koul vkoul@kernel.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/dma/bcm2835-dma.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-)

--- a/drivers/dma/bcm2835-dma.c +++ b/drivers/dma/bcm2835-dma.c @@ -197,7 +197,12 @@ static int bcm2835_dma_abort(void __iome long int timeout = 10000;

cs = readl(chan_base + BCM2835_DMA_CS); - if (!(cs & BCM2835_DMA_ACTIVE)) + + /* + * A zero control block address means the channel is idle. + * (The ACTIVE flag in the CS register is not a reliable indicator.) + */ + if (!readl(chan_base + BCM2835_DMA_ADDR)) return 0;

/* Write 0 to the active bit - Pause the DMA */ @@ -252,8 +257,15 @@ static irqreturn_t bcm2835_dma_callback(

spin_lock_irqsave(&c->vc.lock, flags);

- /* Acknowledge interrupt */ - writel(BCM2835_DMA_INT, c->chan_base + BCM2835_DMA_CS); + /* + * Clear the INT flag to receive further interrupts. Keep the channel + * active in case the descriptor is cyclic or in case the client has + * already terminated the descriptor and issued a new one. (May happen + * if this IRQ handler is threaded.) If the channel is finished, it + * will remain idle despite the ACTIVE flag being set. + */ + writel(BCM2835_DMA_INT | BCM2835_DMA_ACTIVE, + c->chan_base + BCM2835_DMA_CS);

d = c->desc;

@@ -262,9 +274,6 @@ static irqreturn_t bcm2835_dma_callback( vchan_cyclic_callback(&d->vd); }

- /* Keep the DMA engine running */ - writel(BCM2835_DMA_ACTIVE, c->chan_base + BCM2835_DMA_CS); - spin_unlock_irqrestore(&c->vc.lock, flags);

return IRQ_HANDLED; @@ -507,19 +516,14 @@ static int bcm2835_dma_terminate_all(str list_del_init(&c->node); spin_unlock(&d->lock);

- /* - * Stop DMA activity: we assume the callback will not be called - * after bcm_dma_abort() returns (even if it does, it will see - * c->desc is NULL and exit.) - */ + /* stop DMA activity */ if (c->desc) { c->desc = NULL; bcm2835_dma_abort(c->chan_base);

/* Wait for stopping */ while (--timeout) { - if (!(readl(c->chan_base + BCM2835_DMA_CS) & - BCM2835_DMA_ACTIVE)) + if (!readl(c->chan_base + BCM2835_DMA_ADDR)) break;

cpu_relax();

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 2bb12b773feb3e792145961e57ab356e6134d4a5 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Acked-by: Lennox Wu lennox.wu@gmail.com Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/score/kernel/signal.c | 43 ++++++++++++++++---------------------- 1 file changed, 18 insertions(+), 25 deletions(-)

--- a/arch/score/kernel/signal.c +++ b/arch/score/kernel/signal.c @@ -173,15 +173,15 @@ badframe: return 0; }

-static int setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, - int signr, sigset_t *set, siginfo_t *info) +static int setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, + sigset_t *set) { struct rt_sigframe __user *frame; int err = 0;

- frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame)); if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

/* * Set up the return code ... @@ -194,7 +194,7 @@ static int setup_rt_frame(struct k_sigac err |= __put_user(0x80008002, frame->rs_code + 1); flush_cache_sigtramp((unsigned long) frame->rs_code);

- err |= copy_siginfo_to_user(&frame->rs_info, info); + err |= copy_siginfo_to_user(&frame->rs_info, &ksig->info); err |= __put_user(0, &frame->rs_uc.uc_flags); err |= __put_user(NULL, &frame->rs_uc.uc_link); err |= __save_altstack(&frame->rs_uc.uc_stack, regs->regs[0]); @@ -202,26 +202,23 @@ static int setup_rt_frame(struct k_sigac err |= __copy_to_user(&frame->rs_uc.uc_sigmask, set, sizeof(*set));

if (err) - goto give_sigsegv; + return -EFAULT;

regs->regs[0] = (unsigned long) frame; regs->regs[3] = (unsigned long) frame->rs_code; - regs->regs[4] = signr; + regs->regs[4] = ksig->sig; regs->regs[5] = (unsigned long) &frame->rs_info; regs->regs[6] = (unsigned long) &frame->rs_uc; - regs->regs[29] = (unsigned long) ka->sa.sa_handler; - regs->cp0_epc = (unsigned long) ka->sa.sa_handler; + regs->regs[29] = (unsigned long) ksig->ka.sa.sa_handler; + regs->cp0_epc = (unsigned long) ksig->ka.sa.sa_handler;

return 0; - -give_sigsegv: - force_sigsegv(signr, current); - return -EFAULT; }

-static void handle_signal(unsigned long sig, siginfo_t *info, - struct k_sigaction *ka, struct pt_regs *regs) +static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) { + int ret; + if (regs->is_syscall) { switch (regs->regs[4]) { case ERESTART_RESTARTBLOCK: @@ -229,7 +226,7 @@ static void handle_signal(unsigned long regs->regs[4] = EINTR; break; case ERESTARTSYS: - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { regs->regs[4] = EINTR; break; } @@ -245,17 +242,14 @@ static void handle_signal(unsigned long /* * Set up the stack frame */ - if (setup_rt_frame(ka, regs, sig, sigmask_to_save(), info) < 0) - return; + ret = setup_rt_frame(ksig, regs, sigmask_to_save());

- signal_delivered(sig, info, ka, regs, 0); + signal_setup_done(ret, ksig, 0); }

static void do_signal(struct pt_regs *regs) { - struct k_sigaction ka; - siginfo_t info; - int signr; + struct ksignal ksig;

/* * We want the common case to go fast, which is why we may in certain @@ -265,10 +259,9 @@ static void do_signal(struct pt_regs *re if (!user_mode(regs)) return;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { + if (get_signal(&ksig)) { /* Actually deliver the signal. */ - handle_signal(signr, &info, &ka, regs); + handle_signal(&ksig, regs); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 067bf2d4d3a7aedc5982f6a58716054e5004b801 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/s390/kernel/compat_signal.c | 79 ++++++++++++++------------------ arch/s390/kernel/entry.h | 4 +- arch/s390/kernel/signal.c | 78 +++++++++++++------------------ 3 files changed, 69 insertions(+), 92 deletions(-)

--- a/arch/s390/kernel/compat_signal.c +++ b/arch/s390/kernel/compat_signal.c @@ -320,38 +320,39 @@ static inline int map_signal(int sig) return sig; }

-static int setup_frame32(int sig, struct k_sigaction *ka, - sigset_t *set, struct pt_regs * regs) +static int setup_frame32(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { - sigframe32 __user *frame = get_sigframe(ka, regs, sizeof(sigframe32)); + int sig = ksig->sig; + sigframe32 __user *frame = get_sigframe(&ksig->ka, regs, sizeof(sigframe32));

if (frame == (void __user *) -1UL) - goto give_sigsegv; + return -EFAULT;

if (__copy_to_user(&frame->sc.oldmask, &set->sig, _SIGMASK_COPY_SIZE32)) - goto give_sigsegv; + return -EFAULT;

if (save_sigregs32(regs, &frame->sregs)) - goto give_sigsegv; + return -EFAULT; if (save_sigregs_gprs_high(regs, frame->gprs_high)) - goto give_sigsegv; + return -EFAULT; if (__put_user((unsigned long) &frame->sregs, &frame->sc.sregs)) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - regs->gprs[14] = (__u64 __force) ka->sa.sa_restorer | PSW32_ADDR_AMODE; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + regs->gprs[14] = (__u64 __force) ksig->ka.sa.sa_restorer | PSW32_ADDR_AMODE; } else { regs->gprs[14] = (__u64 __force) frame->retcode | PSW32_ADDR_AMODE; if (__put_user(S390_SYSCALL_OPCODE | __NR_sigreturn, (u16 __force __user *)(frame->retcode))) - goto give_sigsegv; + return -EFAULT; }

/* Set up backchain. */ if (__put_user(regs->gprs[15], (unsigned int __user *) frame)) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */ regs->gprs[15] = (__force __u64) frame; @@ -359,7 +360,7 @@ static int setup_frame32(int sig, struct regs->psw.mask = PSW_MASK_BA | (PSW_USER_BITS & PSW_MASK_ASC) | (regs->psw.mask & ~PSW_MASK_ASC); - regs->psw.addr = (__force __u64) ka->sa.sa_handler; + regs->psw.addr = (__force __u64) ksig->ka.sa.sa_handler;

regs->gprs[2] = map_signal(sig); regs->gprs[3] = (__force __u64) &frame->sc; @@ -376,25 +377,21 @@ static int setup_frame32(int sig, struct

/* Place signal number on stack to allow backtrace from handler. */ if (__put_user(regs->gprs[2], (int __force __user *) &frame->signo)) - goto give_sigsegv; + return -EFAULT; return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

-static int setup_rt_frame32(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs * regs) +static int setup_rt_frame32(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { int err = 0; - rt_sigframe32 __user *frame = get_sigframe(ka, regs, sizeof(rt_sigframe32)); + rt_sigframe32 __user *frame = get_sigframe(&ksig->ka, regs, sizeof(rt_sigframe32));

if (frame == (void __user *) -1UL) - goto give_sigsegv; + return -EFAULT;

- if (copy_siginfo_to_user32(&frame->info, info)) - goto give_sigsegv; + if (copy_siginfo_to_user32(&frame->info, &ksig->info)) + return -EFAULT;

/* Create the ucontext. */ err |= __put_user(UC_EXTENDED, &frame->uc.uc_flags); @@ -404,22 +401,22 @@ static int setup_rt_frame32(int sig, str err |= save_sigregs_gprs_high(regs, frame->gprs_high); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - regs->gprs[14] = (__u64 __force) ka->sa.sa_restorer | PSW32_ADDR_AMODE; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + regs->gprs[14] = (__u64 __force) ksig->ka.sa.sa_restorer | PSW32_ADDR_AMODE; } else { regs->gprs[14] = (__u64 __force) frame->retcode | PSW32_ADDR_AMODE; if (__put_user(S390_SYSCALL_OPCODE | __NR_rt_sigreturn, (u16 __force __user *)(frame->retcode))) - goto give_sigsegv; + return -EFAULT; }

/* Set up backchain. */ if (__put_user(regs->gprs[15], (unsigned int __force __user *) frame)) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */ regs->gprs[15] = (__force __u64) frame; @@ -427,36 +424,30 @@ static int setup_rt_frame32(int sig, str regs->psw.mask = PSW_MASK_BA | (PSW_USER_BITS & PSW_MASK_ASC) | (regs->psw.mask & ~PSW_MASK_ASC); - regs->psw.addr = (__u64 __force) ka->sa.sa_handler; + regs->psw.addr = (__u64 __force) ksig->ka.sa.sa_handler;

- regs->gprs[2] = map_signal(sig); + regs->gprs[2] = map_signal(ksig->sig); regs->gprs[3] = (__force __u64) &frame->info; regs->gprs[4] = (__force __u64) &frame->uc; regs->gprs[5] = task_thread_info(current)->last_break; return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

/* * OK, we're invoking a handler */

-void handle_signal32(unsigned long sig, struct k_sigaction *ka, - siginfo_t *info, sigset_t *oldset, struct pt_regs *regs) +void handle_signal32(struct ksignal *ksig, sigset_t *oldset, + struct pt_regs *regs) { int ret;

/* Set up the stack frame */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame32(sig, ka, info, oldset, regs); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = setup_rt_frame32(ksig, oldset, regs); else - ret = setup_frame32(sig, ka, oldset, regs); - if (ret) - return; - signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLE_STEP)); + ret = setup_frame32(ksig, oldset, regs); + + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLE_STEP)); }

--- a/arch/s390/kernel/entry.h +++ b/arch/s390/kernel/entry.h @@ -48,8 +48,8 @@ void do_per_trap(struct pt_regs *regs); void syscall_trace(struct pt_regs *regs, int entryexit); void kernel_stack_overflow(struct pt_regs * regs); void do_signal(struct pt_regs *regs); -void handle_signal32(unsigned long sig, struct k_sigaction *ka, - siginfo_t *info, sigset_t *oldset, struct pt_regs *regs); +void handle_signal32(struct ksignal *ksig, sigset_t *oldset, + struct pt_regs *regs); void do_notify_resume(struct pt_regs *regs);

void __init init_IRQ(void); --- a/arch/s390/kernel/signal.c +++ b/arch/s390/kernel/signal.c @@ -200,15 +200,15 @@ static int setup_frame(int sig, struct k frame = get_sigframe(ka, regs, sizeof(sigframe));

if (frame == (void __user *) -1UL) - goto give_sigsegv; + return -EFAULT;

if (__copy_to_user(&frame->sc.oldmask, &set->sig, _SIGMASK_COPY_SIZE)) - goto give_sigsegv; + return -EFAULT;

if (save_sigregs(regs, &frame->sregs)) - goto give_sigsegv; + return -EFAULT; if (__put_user(&frame->sregs, &frame->sc.sregs)) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ @@ -220,12 +220,12 @@ static int setup_frame(int sig, struct k frame->retcode | PSW_ADDR_AMODE; if (__put_user(S390_SYSCALL_OPCODE | __NR_sigreturn, (u16 __user *)(frame->retcode))) - goto give_sigsegv; + return -EFAULT; }

/* Set up backchain. */ if (__put_user(regs->gprs[15], (addr_t __user *) frame)) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */ regs->gprs[15] = (unsigned long) frame; @@ -250,27 +250,23 @@ static int setup_frame(int sig, struct k

/* Place signal number on stack to allow backtrace from handler. */ if (__put_user(regs->gprs[2], (int __user *) &frame->signo)) - goto give_sigsegv; + return -EFAULT; return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs * regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { int err = 0; rt_sigframe __user *frame;

- frame = get_sigframe(ka, regs, sizeof(rt_sigframe)); + frame = get_sigframe(&ksig->ka, regs, sizeof(rt_sigframe));

if (frame == (void __user *) -1UL) - goto give_sigsegv; + return -EFAULT;

- if (copy_siginfo_to_user(&frame->info, info)) - goto give_sigsegv; + if (copy_siginfo_to_user(&frame->info, &ksig->info)) + return -EFAULT;

/* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); @@ -279,24 +275,24 @@ static int setup_rt_frame(int sig, struc err |= save_sigregs(regs, &frame->uc.uc_mcontext); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { + if (ksig->ka.sa.sa_flags & SA_RESTORER) { regs->gprs[14] = (unsigned long) - ka->sa.sa_restorer | PSW_ADDR_AMODE; + ksig->ka.sa.sa_restorer | PSW_ADDR_AMODE; } else { regs->gprs[14] = (unsigned long) frame->retcode | PSW_ADDR_AMODE; if (__put_user(S390_SYSCALL_OPCODE | __NR_rt_sigreturn, (u16 __user *)(frame->retcode))) - goto give_sigsegv; + return -EFAULT; }

/* Set up backchain. */ if (__put_user(regs->gprs[15], (addr_t __user *) frame)) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */ regs->gprs[15] = (unsigned long) frame; @@ -304,34 +300,27 @@ static int setup_rt_frame(int sig, struc regs->psw.mask = PSW_MASK_EA | PSW_MASK_BA | (PSW_USER_BITS & PSW_MASK_ASC) | (regs->psw.mask & ~PSW_MASK_ASC); - regs->psw.addr = (unsigned long) ka->sa.sa_handler | PSW_ADDR_AMODE; + regs->psw.addr = (unsigned long) ksig->ka.sa.sa_handler | PSW_ADDR_AMODE;

- regs->gprs[2] = map_signal(sig); + regs->gprs[2] = map_signal(ksig->sig); regs->gprs[3] = (unsigned long) &frame->info; regs->gprs[4] = (unsigned long) &frame->uc; regs->gprs[5] = task_thread_info(current)->last_break; return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

-static void handle_signal(unsigned long sig, struct k_sigaction *ka, - siginfo_t *info, sigset_t *oldset, - struct pt_regs *regs) +static void handle_signal(struct ksignal *ksig, sigset_t *oldset, + struct pt_regs *regs) { int ret;

/* Set up the stack frame */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame(sig, ka, info, oldset, regs); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = setup_rt_frame(ksig, oldset, regs); else - ret = setup_frame(sig, ka, oldset, regs); - if (ret) - return; - signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLE_STEP)); + ret = setup_frame(ksig->sig, &ksig->ka, oldset, regs); + + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLE_STEP)); }

/* @@ -345,9 +334,7 @@ static void handle_signal(unsigned long */ void do_signal(struct pt_regs *regs) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig; sigset_t *oldset = sigmask_to_save();

/* @@ -357,9 +344,8 @@ void do_signal(struct pt_regs *regs) */ current_thread_info()->system_call = test_pt_regs_flag(regs, PIF_SYSCALL) ? regs->int_code : 0; - signr = get_signal_to_deliver(&info, &ka, regs, NULL);

- if (signr > 0) { + if (get_signal(&ksig)) { /* Whee! Actually deliver the signal. */ if (current_thread_info()->system_call) { regs->int_code = current_thread_info()->system_call; @@ -370,7 +356,7 @@ void do_signal(struct pt_regs *regs) regs->gprs[2] = -EINTR; break; case -ERESTARTSYS: - if (!(ka.sa.sa_flags & SA_RESTART)) { + if (!(ksig.ka.sa.sa_flags & SA_RESTART)) { regs->gprs[2] = -EINTR; break; } @@ -387,9 +373,9 @@ void do_signal(struct pt_regs *regs) clear_pt_regs_flag(regs, PIF_SYSCALL);

if (is_compat_task()) - handle_signal32(signr, &ka, &info, oldset, regs); + handle_signal32(&ksig, oldset, regs); else - handle_signal(signr, &ka, &info, oldset, regs); + handle_signal(&ksig, oldset, regs); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit b46e848768acc458ba94feef162b8901592dbb9c upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/sh/kernel/signal_32.c | 79 +++++++++++++++--------------------- arch/sh/kernel/signal_64.c | 82 +++++++++++++++----------------------- 2 files changed, 64 insertions(+), 97 deletions(-)

--- a/arch/sh/kernel/signal_32.c +++ b/arch/sh/kernel/signal_32.c @@ -262,17 +262,17 @@ get_sigframe(struct k_sigaction *ka, uns extern void __kernel_sigreturn(void); extern void __kernel_rt_sigreturn(void);

-static int setup_frame(int sig, struct k_sigaction *ka, - sigset_t *set, struct pt_regs *regs) +static int setup_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct sigframe __user *frame; - int err = 0; + int err = 0, sig = ksig->sig; int signal;

- frame = get_sigframe(ka, regs->regs[15], sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

signal = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -288,8 +288,8 @@ static int setup_frame(int sig, struct k

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - regs->pr = (unsigned long) ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + regs->pr = (unsigned long) ksig->ka.sa.sa_restorer; #ifdef CONFIG_VSYSCALL } else if (likely(current->mm->context.vdso)) { regs->pr = VDSO_SYM(&__kernel_sigreturn); @@ -309,7 +309,7 @@ static int setup_frame(int sig, struct k }

if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */ regs->regs[15] = (unsigned long) frame; @@ -319,15 +319,15 @@ static int setup_frame(int sig, struct k

if (current->personality & FDPIC_FUNCPTRS) { struct fdpic_func_descriptor __user *funcptr = - (struct fdpic_func_descriptor __user *)ka->sa.sa_handler; + (struct fdpic_func_descriptor __user *)ksig->ka.sa.sa_handler;

err |= __get_user(regs->pc, &funcptr->text); err |= __get_user(regs->regs[12], &funcptr->GOT); } else - regs->pc = (unsigned long)ka->sa.sa_handler; + regs->pc = (unsigned long)ksig->ka.sa.sa_handler;

if (err) - goto give_sigsegv; + return -EFAULT;

set_fs(USER_DS);

@@ -335,23 +335,19 @@ static int setup_frame(int sig, struct k current->comm, task_pid_nr(current), frame, regs->pc, regs->pr);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe __user *frame; - int err = 0; + int err = 0, sig = ksig->sig; int signal;

- frame = get_sigframe(ka, regs->regs[15], sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

signal = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -359,7 +355,7 @@ static int setup_rt_frame(int sig, struc ? current_thread_info()->exec_domain->signal_invmap[sig] : sig;

- err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info);

/* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); @@ -371,8 +367,8 @@ static int setup_rt_frame(int sig, struc

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { - regs->pr = (unsigned long) ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) { + regs->pr = (unsigned long) ksig->ka.sa.sa_restorer; #ifdef CONFIG_VSYSCALL } else if (likely(current->mm->context.vdso)) { regs->pr = VDSO_SYM(&__kernel_rt_sigreturn); @@ -392,7 +388,7 @@ static int setup_rt_frame(int sig, struc }

if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up registers for signal handler */ regs->regs[15] = (unsigned long) frame; @@ -402,15 +398,15 @@ static int setup_rt_frame(int sig, struc

if (current->personality & FDPIC_FUNCPTRS) { struct fdpic_func_descriptor __user *funcptr = - (struct fdpic_func_descriptor __user *)ka->sa.sa_handler; + (struct fdpic_func_descriptor __user *)ksig->ka.sa.sa_handler;

err |= __get_user(regs->pc, &funcptr->text); err |= __get_user(regs->regs[12], &funcptr->GOT); } else - regs->pc = (unsigned long)ka->sa.sa_handler; + regs->pc = (unsigned long)ksig->ka.sa.sa_handler;

if (err) - goto give_sigsegv; + return -EFAULT;

set_fs(USER_DS);

@@ -418,10 +414,6 @@ static int setup_rt_frame(int sig, struc current->comm, task_pid_nr(current), frame, regs->pc, regs->pr);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

static inline void @@ -455,22 +447,18 @@ handle_syscall_restart(unsigned long sav * OK, we're invoking a handler */ static void -handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info, - struct pt_regs *regs, unsigned int save_r0) +handle_signal(struct ksignal *ksig, struct pt_regs *regs, unsigned int save_r0) { sigset_t *oldset = sigmask_to_save(); int ret;

/* Set up the stack frame */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame(sig, ka, info, oldset, regs); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = setup_rt_frame(ksig, oldset, regs); else - ret = setup_frame(sig, ka, oldset, regs); + ret = setup_frame(ksig, oldset, regs);

- if (ret) - return; - signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLESTEP)); + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); }

/* @@ -484,9 +472,7 @@ handle_signal(unsigned long sig, struct */ static void do_signal(struct pt_regs *regs, unsigned int save_r0) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig;

/* * We want the common case to go fast, which @@ -497,12 +483,11 @@ static void do_signal(struct pt_regs *re if (!user_mode(regs)) return;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { - handle_syscall_restart(save_r0, regs, &ka.sa); + if (get_signal(&ksig)) { + handle_syscall_restart(save_r0, regs, &ksig.ka.sa);

/* Whee! Actually deliver the signal. */ - handle_signal(signr, &ka, &info, regs, save_r0); + handle_signal(&ksig, regs, save_r0); return; }

--- a/arch/sh/kernel/signal_64.c +++ b/arch/sh/kernel/signal_64.c @@ -41,8 +41,7 @@ #define DEBUG_SIG 0

static void -handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka, - struct pt_regs * regs); +handle_signal(struct ksignal *ksig, struct pt_regs *regs);

static inline void handle_syscall_restart(struct pt_regs *regs, struct sigaction *sa) @@ -82,9 +81,7 @@ handle_syscall_restart(struct pt_regs *r */ static void do_signal(struct pt_regs *regs) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig;

/* * We want the common case to go fast, which @@ -95,12 +92,11 @@ static void do_signal(struct pt_regs *re if (!user_mode(regs)) return;

- signr = get_signal_to_deliver(&info, &ka, regs, 0); - if (signr > 0) { - handle_syscall_restart(regs, &ka.sa); + if (get_signal(&ksig)) { + handle_syscall_restart(regs, &ksig.ka.sa);

/* Whee! Actually deliver the signal. */ - handle_signal(signr, &info, &ka, regs); + handle_signal(&ksig, regs); return; }

@@ -378,17 +374,16 @@ get_sigframe(struct k_sigaction *ka, uns void sa_default_restorer(void); /* See comments below */ void sa_default_rt_restorer(void); /* See comments below */

-static int setup_frame(int sig, struct k_sigaction *ka, - sigset_t *set, struct pt_regs *regs) +static int setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { struct sigframe __user *frame; - int err = 0; + int err = 0, sig = ksig->sig; int signal;

- frame = get_sigframe(ka, regs->regs[REG_SP], sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

signal = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -400,7 +395,7 @@ static int setup_frame(int sig, struct k

/* Give up earlier as i386, in case */ if (err) - goto give_sigsegv; + return -EFAULT;

if (_NSIG_WORDS > 1) { err |= __copy_to_user(frame->extramask, &set->sig[1], @@ -408,16 +403,16 @@ static int setup_frame(int sig, struct k

/* Give up earlier as i386, in case */ if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { + if (ksig->ka.sa.sa_flags & SA_RESTORER) { /* * On SH5 all edited pointers are subject to NEFF */ DEREF_REG_PR = neff_sign_extend((unsigned long) - ka->sa.sa_restorer | 0x1); + ksig->ka->sa.sa_restorer | 0x1); } else { /* * Different approach on SH5. @@ -435,7 +430,7 @@ static int setup_frame(int sig, struct k

if (__copy_to_user(frame->retcode, (void *)((unsigned long)sa_default_restorer & (~1)), 16) != 0) - goto give_sigsegv; + return -EFAULT;

/* Cohere the trampoline with the I-cache. */ flush_cache_sigtramp(DEREF_REG_PR-1); @@ -460,7 +455,7 @@ static int setup_frame(int sig, struct k regs->regs[REG_ARG2] = (unsigned long long)(unsigned long)(signed long)&frame->sc; regs->regs[REG_ARG3] = (unsigned long long)(unsigned long)(signed long)&frame->sc;

- regs->pc = neff_sign_extend((unsigned long)ka->sa.sa_handler); + regs->pc = neff_sign_extend((unsigned long)ksig->ka.sa.sa_handler);

set_fs(USER_DS);

@@ -471,23 +466,19 @@ static int setup_frame(int sig, struct k DEREF_REG_PR >> 32, DEREF_REG_PR & 0xffffffff);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *kig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe __user *frame; - int err = 0; + int err = 0, sig = ksig->sig; int signal;

- frame = get_sigframe(ka, regs->regs[REG_SP], sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

signal = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -497,11 +488,11 @@ static int setup_rt_frame(int sig, struc

err |= __put_user(&frame->info, &frame->pinfo); err |= __put_user(&frame->uc, &frame->puc); - err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info);

/* Give up earlier as i386, in case */ if (err) - goto give_sigsegv; + return -EFAULT;

/* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); @@ -513,16 +504,16 @@ static int setup_rt_frame(int sig, struc

/* Give up earlier as i386, in case */ if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. If provided, use a stub already in userspace. */ - if (ka->sa.sa_flags & SA_RESTORER) { + if (ksig->ka.sa.sa_flags & SA_RESTORER) { /* * On SH5 all edited pointers are subject to NEFF */ DEREF_REG_PR = neff_sign_extend((unsigned long) - ka->sa.sa_restorer | 0x1); + ksig->ka.sa.sa_restorer | 0x1); } else { /* * Different approach on SH5. @@ -540,7 +531,7 @@ static int setup_rt_frame(int sig, struc

if (__copy_to_user(frame->retcode, (void *)((unsigned long)sa_default_rt_restorer & (~1)), 16) != 0) - goto give_sigsegv; + return -EFAULT;

/* Cohere the trampoline with the I-cache. */ flush_icache_range(DEREF_REG_PR-1, DEREF_REG_PR-1+15); @@ -554,7 +545,7 @@ static int setup_rt_frame(int sig, struc regs->regs[REG_ARG1] = signal; /* Arg for signal handler */ regs->regs[REG_ARG2] = (unsigned long long)(unsigned long)(signed long)&frame->info; regs->regs[REG_ARG3] = (unsigned long long)(unsigned long)(signed long)&frame->uc.uc_mcontext; - regs->pc = neff_sign_extend((unsigned long)ka->sa.sa_handler); + regs->pc = neff_sign_extend((unsigned long)ksig->ka.sa.sa_handler);

set_fs(USER_DS);

@@ -564,33 +555,24 @@ static int setup_rt_frame(int sig, struc DEREF_REG_PR >> 32, DEREF_REG_PR & 0xffffffff);

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

/* * OK, we're invoking a handler */ static void -handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka, - struct pt_regs * regs) +handle_signal(struct ksignal *ksig, struct pt_regs *regs) { sigset_t *oldset = sigmask_to_save(); int ret;

/* Set up the stack frame */ - if (ka->sa.sa_flags & SA_SIGINFO) - ret = setup_rt_frame(sig, ka, info, oldset, regs); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = setup_rt_frame(ksig, oldset, regs); else - ret = setup_frame(sig, ka, oldset, regs); - - if (ret) - return; + ret = setup_frame(ksig, oldset, regs);

- signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLESTEP)); + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); }

asmlinkage void do_notify_resume(struct pt_regs *regs, unsigned long thread_info_flags)

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Linus Torvalds torvalds@linux-foundation.org

commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 upstream.

We used to delay switching to the new credentials until after we had mapped the executable (and possible elf interpreter). That was kind of odd to begin with, since the new executable will actually then _run_ with the new creds, but whatever.

The bigger problem was that we also want to make sure that we turn off prof events and tracing before we start mapping the new executable state. So while this is a cleanup, it's also a fix for a possible information leak.

Reported-by: Robert Święcki robert@swiecki.net Tested-by: Peter Zijlstra peterz@infradead.org Acked-by: David Howells dhowells@redhat.com Acked-by: Oleg Nesterov oleg@redhat.com Acked-by: Andy Lutomirski luto@amacapital.net Acked-by: Eric W. Biederman ebiederm@xmission.com Cc: Willy Tarreau w@1wt.eu Cc: Kees Cook keescook@chromium.org Cc: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -736,6 +736,7 @@ static int load_elf_binary(struct linux_ current->flags |= PF_RANDOMIZE;

setup_new_exec(bprm); + install_exec_creds(bprm);

/* Do this so that we can load the interpreter, if need be. We will change some of these later */ @@ -951,7 +952,6 @@ static int load_elf_binary(struct linux_ } #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */

- install_exec_creds(bprm); retval = create_elf_tables(bprm, &loc->elf_ex, load_addr, interp_load_addr); if (retval < 0) {

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Martin Sperl kernel@martin.sperl.org

commit e42685d7a7d5afa6278561ffd85c475eae246be3 upstream.

Add additional defines describing the DMA registers as well as adding some more documentation to those registers.

Signed-off-by: Martin Sperl kernel@martin.sperl.org Reviewed-by: Eric Anholt eric@anholt.net Signed-off-by: Eric Anholt eric@anholt.net Signed-off-by: Vinod Koul vinod.koul@intel.com [bwh: Backported to 3.16 as dependency of commit 9e528c799d17 "dmaengine: bcm2835: Fix abort of transactions"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/dma/bcm2835-dma.c | 57 +++++++++++++++++++++++++++++++++------ 1 file changed, 49 insertions(+), 8 deletions(-)

--- a/drivers/dma/bcm2835-dma.c +++ b/drivers/dma/bcm2835-dma.c @@ -91,26 +91,67 @@ struct bcm2835_desc {

#define BCM2835_DMA_CS 0x00 #define BCM2835_DMA_ADDR 0x04 +#define BCM2835_DMA_TI 0x08 #define BCM2835_DMA_SOURCE_AD 0x0c #define BCM2835_DMA_DEST_AD 0x10 -#define BCM2835_DMA_NEXTCB 0x1C +#define BCM2835_DMA_LEN 0x14 +#define BCM2835_DMA_STRIDE 0x18 +#define BCM2835_DMA_NEXTCB 0x1c +#define BCM2835_DMA_DEBUG 0x20

/* DMA CS Control and Status bits */ -#define BCM2835_DMA_ACTIVE BIT(0) -#define BCM2835_DMA_INT BIT(2) +#define BCM2835_DMA_ACTIVE BIT(0) /* activate the DMA */ +#define BCM2835_DMA_END BIT(1) /* current CB has ended */ +#define BCM2835_DMA_INT BIT(2) /* interrupt status */ +#define BCM2835_DMA_DREQ BIT(3) /* DREQ state */ #define BCM2835_DMA_ISPAUSED BIT(4) /* Pause requested or not active */ #define BCM2835_DMA_ISHELD BIT(5) /* Is held by DREQ flow control */ -#define BCM2835_DMA_ERR BIT(8) +#define BCM2835_DMA_WAITING_FOR_WRITES BIT(6) /* waiting for last + * AXI-write to ack + */ +#define BCM2835_DMA_ERR BIT(8) +#define BCM2835_DMA_PRIORITY(x) ((x & 15) << 16) /* AXI priority */ +#define BCM2835_DMA_PANIC_PRIORITY(x) ((x & 15) << 20) /* panic priority */ +/* current value of TI.BCM2835_DMA_WAIT_RESP */ +#define BCM2835_DMA_WAIT_FOR_WRITES BIT(28) +#define BCM2835_DMA_DIS_DEBUG BIT(29) /* disable debug pause signal */ #define BCM2835_DMA_ABORT BIT(30) /* Stop current CB, go to next, WO */ #define BCM2835_DMA_RESET BIT(31) /* WO, self clearing */

+/* Transfer information bits - also bcm2835_cb.info field */ #define BCM2835_DMA_INT_EN BIT(0) +#define BCM2835_DMA_TDMODE BIT(1) /* 2D-Mode */ +#define BCM2835_DMA_WAIT_RESP BIT(3) /* wait for AXI-write to be acked */ #define BCM2835_DMA_D_INC BIT(4) -#define BCM2835_DMA_D_DREQ BIT(6) +#define BCM2835_DMA_D_WIDTH BIT(5) /* 128bit writes if set */ +#define BCM2835_DMA_D_DREQ BIT(6) /* enable DREQ for destination */ +#define BCM2835_DMA_D_IGNORE BIT(7) /* ignore destination writes */ #define BCM2835_DMA_S_INC BIT(8) -#define BCM2835_DMA_S_DREQ BIT(10) +#define BCM2835_DMA_S_WIDTH BIT(9) /* 128bit writes if set */ +#define BCM2835_DMA_S_DREQ BIT(10) /* enable SREQ for source */ +#define BCM2835_DMA_S_IGNORE BIT(11) /* ignore source reads - read 0 */ +#define BCM2835_DMA_BURST_LENGTH(x) ((x & 15) << 12) +#define BCM2835_DMA_PER_MAP(x) ((x & 31) << 16) /* REQ source */ +#define BCM2835_DMA_WAIT(x) ((x & 31) << 21) /* add DMA-wait cycles */ +#define BCM2835_DMA_NO_WIDE_BURSTS BIT(26) /* no 2 beat write bursts */

-#define BCM2835_DMA_PER_MAP(x) ((x) << 16) +/* debug register bits */ +#define BCM2835_DMA_DEBUG_LAST_NOT_SET_ERR BIT(0) +#define BCM2835_DMA_DEBUG_FIFO_ERR BIT(1) +#define BCM2835_DMA_DEBUG_READ_ERR BIT(2) +#define BCM2835_DMA_DEBUG_OUTSTANDING_WRITES_SHIFT 4 +#define BCM2835_DMA_DEBUG_OUTSTANDING_WRITES_BITS 4 +#define BCM2835_DMA_DEBUG_ID_SHIFT 16 +#define BCM2835_DMA_DEBUG_ID_BITS 9 +#define BCM2835_DMA_DEBUG_STATE_SHIFT 16 +#define BCM2835_DMA_DEBUG_STATE_BITS 9 +#define BCM2835_DMA_DEBUG_VERSION_SHIFT 25 +#define BCM2835_DMA_DEBUG_VERSION_BITS 3 +#define BCM2835_DMA_DEBUG_LITE BIT(28) + +/* shared registers for all dma channels */ +#define BCM2835_DMA_INT_STATUS 0xfe0 +#define BCM2835_DMA_ENABLE 0xff0

#define BCM2835_DMA_DATA_TYPE_S8 1 #define BCM2835_DMA_DATA_TYPE_S16 2

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 828b1f65d23cf8a68795739f6dd08fc8abd9ee64 upstream.

Now we can turn get_signal() to the main function.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/linux/signal.h | 14 +------------- kernel/signal.c | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 24 deletions(-)

--- a/include/linux/signal.h +++ b/include/linux/signal.h @@ -279,7 +279,7 @@ struct ksignal { int sig; };

-extern int get_signal_to_deliver(siginfo_t *info, struct k_sigaction *return_ka, struct pt_regs *regs, void *cookie); +extern int get_signal(struct ksignal *ksig); extern void signal_setup_done(int failed, struct ksignal *ksig, int stepping); extern void exit_signals(struct task_struct *tsk); extern void kernel_sigaction(int, __sighandler_t); @@ -299,18 +299,6 @@ static inline void disallow_signal(int s kernel_sigaction(sig, SIG_IGN); }

-/* - * Eventually that'll replace get_signal_to_deliver(); macro for now, - * to avoid nastiness with include order. - */ -#define get_signal(ksig) \ -({ \ - struct ksignal *p = (ksig); \ - p->sig = get_signal_to_deliver(&p->info, &p->ka, \ - signal_pt_regs(), NULL);\ - p->sig > 0; \ -}) - extern struct kmem_cache *sighand_cachep;

int unhandled_signal(struct task_struct *tsk, int sig); --- a/kernel/signal.c +++ b/kernel/signal.c @@ -2174,8 +2174,7 @@ static int ptrace_signal(int signr, sigi return signr; }

-int get_signal_to_deliver(siginfo_t *info, struct k_sigaction *return_ka, - struct pt_regs *regs, void *cookie) +int get_signal(struct ksignal *ksig) { struct sighand_struct *sighand = current->sighand; struct signal_struct *signal = current->signal; @@ -2245,13 +2244,13 @@ relock: goto relock; }

- signr = dequeue_signal(current, &current->blocked, info); + signr = dequeue_signal(current, &current->blocked, &ksig->info);

if (!signr) break; /* will return 0 */

if (unlikely(current->ptrace) && signr != SIGKILL) { - signr = ptrace_signal(signr, info); + signr = ptrace_signal(signr, &ksig->info); if (!signr) continue; } @@ -2259,13 +2258,13 @@ relock: ka = &sighand->action[signr-1];

/* Trace actually delivered signals. */ - trace_signal_deliver(signr, info, ka); + trace_signal_deliver(signr, &ksig->info, ka);

if (ka->sa.sa_handler == SIG_IGN) /* Do nothing. */ continue; if (ka->sa.sa_handler != SIG_DFL) { /* Run the handler. */ - *return_ka = *ka; + ksig->ka = *ka;

if (ka->sa.sa_flags & SA_ONESHOT) ka->sa.sa_handler = SIG_DFL; @@ -2315,7 +2314,7 @@ relock: spin_lock_irq(&sighand->siglock); }

- if (likely(do_signal_stop(info->si_signo))) { + if (likely(do_signal_stop(ksig->info.si_signo))) { /* It released the siglock. */ goto relock; } @@ -2336,7 +2335,7 @@ relock:

if (sig_kernel_coredump(signr)) { if (print_fatal_signals) - print_fatal_signal(info->si_signo); + print_fatal_signal(ksig->info.si_signo); proc_coredump_connector(current); /* * If it was able to dump core, this kills all @@ -2346,17 +2345,19 @@ relock: * first and our do_group_exit call below will use * that value and ignore the one we pass it. */ - do_coredump(info); + do_coredump(&ksig->info); }

/* * Death signals, no core dump. */ - do_group_exit(info->si_signo); + do_group_exit(ksig->info.si_signo); /* NOTREACHED */ } spin_unlock_irq(&sighand->siglock); - return signr; + + ksig->sig = signr; + return ksig->sig > 0; }

/**

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arend van Spriel arend@broadcom.com

commit 796cfb65e3ed01a9b08e3a0b93e34120c54bbbd2 upstream.

Avoid spreading the ifidx in the driver, but have it return the struct brcmf_if instance.

Reviewed-by: Hante Meuleman meuleman@broadcom.com Reviewed-by: Franky (Zhenhui) Lin frankyl@broadcom.com Reviewed-by: Pieter-Paul Giesberts pieterpg@broadcom.com Signed-off-by: Arend van Spriel arend@broadcom.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: - Drop changes to PCIe bus support - Adjust filenames] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c @@ -272,11 +272,11 @@ brcmf_proto_bcdc_hdrpush(struct brcmf_pu }

static int -brcmf_proto_bcdc_hdrpull(struct brcmf_pub *drvr, bool do_fws, u8 *ifidx, - struct sk_buff *pktbuf) +brcmf_proto_bcdc_hdrpull(struct brcmf_pub *drvr, bool do_fws, + struct sk_buff *pktbuf, struct brcmf_if **ifp) { struct brcmf_proto_bcdc_header *h; - struct brcmf_if *ifp; + struct brcmf_if *tmp_if;

brcmf_dbg(BCDC, "Enter\n");

@@ -290,21 +290,21 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu trace_brcmf_bcdchdr(pktbuf->data); h = (struct brcmf_proto_bcdc_header *)(pktbuf->data);

- ifp = brcmf_get_ifp(drvr, BCDC_GET_IF_IDX(h)); - if (IS_ERR_OR_NULL(ifp)) { + tmp_if = brcmf_get_ifp(drvr, BCDC_GET_IF_IDX(h)); + if (!tmp_if) { brcmf_dbg(INFO, "no matching ifp found\n"); return -EBADE; } if (((h->flags & BCDC_FLAG_VER_MASK) >> BCDC_FLAG_VER_SHIFT) != BCDC_PROTO_VER) { brcmf_err("%s: non-BCDC packet received, flags 0x%x\n", - brcmf_ifname(drvr, ifp->ifidx), h->flags); + brcmf_ifname(drvr, tmp_if->ifidx), h->flags); return -EBADE; }

if (h->flags & BCDC_FLAG_SUM_GOOD) { brcmf_dbg(BCDC, "%s: BDC rcv, good checksum, flags 0x%x\n", - brcmf_ifname(drvr, ifp->ifidx), h->flags); + brcmf_ifname(drvr, tmp_if->ifidx), h->flags); pktbuf->ip_summed = CHECKSUM_UNNECESSARY; }

@@ -312,7 +312,7 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu

skb_pull(pktbuf, BCDC_HEADER_LEN); if (do_fws) - brcmf_fws_hdrpull(drvr, ifp->ifidx, h->data_offset << 2, + brcmf_fws_hdrpull(drvr, tmp_if->ifidx, h->data_offset << 2, pktbuf); else skb_pull(pktbuf, h->data_offset << 2); @@ -320,7 +320,7 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu if (pktbuf->len == 0) return -ENODATA;

- *ifidx = ifp->ifidx; + *ifp = tmp_if; return 0; }

--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c @@ -85,7 +85,7 @@ struct brcmf_if *brcmf_get_ifp(struct br { if (ifidx < 0 || ifidx >= BRCMF_MAX_IFS) { brcmf_err("ifidx %d out of range\n", ifidx); - return ERR_PTR(-ERANGE); + return NULL; }

/* The ifidx is the idx to map to matching netdev/ifp. When receiving @@ -537,17 +537,15 @@ void brcmf_rx_frame(struct device *dev, struct brcmf_bus *bus_if = dev_get_drvdata(dev); struct brcmf_pub *drvr = bus_if->drvr; struct brcmf_skb_reorder_data *rd; - u8 ifidx; int ret;

brcmf_dbg(DATA, "Enter: %s: rxp=%p\n", dev_name(dev), skb);

/* process and remove protocol-specific header */ - ret = brcmf_proto_hdrpull(drvr, true, &ifidx, skb); - ifp = drvr->iflist[ifidx]; + ret = brcmf_proto_hdrpull(drvr, true, skb, &ifp);

if (ret || !ifp || !ifp->ndev) { - if ((ret != -ENODATA) && ifp) + if (ret != -ENODATA && ifp) ifp->stats.rx_errors++; brcmu_pkt_buf_free_skb(skb); return; @@ -590,17 +588,17 @@ void brcmf_txcomplete(struct device *dev { struct brcmf_bus *bus_if = dev_get_drvdata(dev); struct brcmf_pub *drvr = bus_if->drvr; - u8 ifidx; + struct brcmf_if *ifp;

/* await txstatus signal for firmware if active */ if (brcmf_fws_fc_active(drvr->fws)) { if (!success) brcmf_fws_bustxfail(drvr->fws, txp); } else { - if (brcmf_proto_hdrpull(drvr, false, &ifidx, txp)) + if (brcmf_proto_hdrpull(drvr, false, txp, &ifp)) brcmu_pkt_buf_free_skb(txp); else - brcmf_txfinalize(drvr, txp, ifidx, success); + brcmf_txfinalize(drvr, txp, ifp->ifidx, success); } }

--- a/drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c @@ -1420,7 +1420,7 @@ brcmf_fws_txs_process(struct brcmf_fws_i struct sk_buff *skb; struct brcmf_skbuff_cb *skcb; struct brcmf_fws_mac_descriptor *entry = NULL; - u8 ifidx; + struct brcmf_if *ifp;

brcmf_dbg(DATA, "flags %d\n", flags);

@@ -1469,15 +1469,16 @@ brcmf_fws_txs_process(struct brcmf_fws_i } brcmf_fws_macdesc_return_req_credit(skb);

- if (brcmf_proto_hdrpull(fws->drvr, false, &ifidx, skb)) { + ret = brcmf_proto_hdrpull(fws->drvr, false, skb, &ifp); + if (ret) { brcmu_pkt_buf_free_skb(skb); return -EINVAL; } if (!remove_from_hanger) - ret = brcmf_fws_txstatus_suppressed(fws, fifo, skb, ifidx, + ret = brcmf_fws_txstatus_suppressed(fws, fifo, skb, ifp->ifidx, genbit, seq); if (remove_from_hanger || ret) - brcmf_txfinalize(fws->drvr, skb, ifidx, true); + brcmf_txfinalize(fws->drvr, skb, ifp->ifidx, true);

return 0; } @@ -1820,7 +1821,7 @@ static int brcmf_fws_commit_skb(struct b entry->transit_count--; if (entry->suppressed) entry->suppr_transit_count--; - brcmf_proto_hdrpull(fws->drvr, false, &ifidx, skb); + (void)brcmf_proto_hdrpull(fws->drvr, false, skb, NULL); goto rollback; }

--- a/drivers/net/wireless/brcm80211/brcmfmac/proto.h +++ b/drivers/net/wireless/brcm80211/brcmfmac/proto.h @@ -17,8 +17,8 @@ #define BRCMFMAC_PROTO_H

struct brcmf_proto { - int (*hdrpull)(struct brcmf_pub *drvr, bool do_fws, u8 *ifidx, - struct sk_buff *skb); + int (*hdrpull)(struct brcmf_pub *drvr, bool do_fws, + struct sk_buff *skb, struct brcmf_if **ifp); int (*query_dcmd)(struct brcmf_pub *drvr, int ifidx, uint cmd, void *buf, uint len); int (*set_dcmd)(struct brcmf_pub *drvr, int ifidx, uint cmd, void *buf, @@ -33,9 +33,19 @@ int brcmf_proto_attach(struct brcmf_pub void brcmf_proto_detach(struct brcmf_pub *drvr);

static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws, - u8 *ifidx, struct sk_buff *skb) + struct sk_buff *skb, + struct brcmf_if **ifp) { - return drvr->proto->hdrpull(drvr, do_fws, ifidx, skb); + struct brcmf_if *tmp = NULL; + + /* assure protocol is always called with + * non-null initialized pointer. + */ + if (ifp) + *ifp = NULL; + else + ifp = &tmp; + return drvr->proto->hdrpull(drvr, do_fws, skb, ifp); } static inline int brcmf_proto_query_dcmd(struct brcmf_pub *drvr, int ifidx, uint cmd, void *buf, uint len)

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicolas Pitre nicolas.pitre@linaro.org

commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.

User space using poll() on /dev/vcs devices are not awaken when a screen size change occurs. Let's fix that.

Signed-off-by: Nicolas Pitre nico@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/vt/vt.c | 1 + 1 file changed, 1 insertion(+)

--- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -953,6 +953,7 @@ static int vc_do_resize(struct tty_struc if (CON_IS_VISIBLE(vc)) update_screen(vc); vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num); + notify_update(vc); return err; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Hellstrom thellstrom@vmware.com

commit 728354c005c36eaf44b6e5552372b67e60d17f56 upstream.

The function was unconditionally returning 0, and a caller would have to rely on the returned fence pointer being NULL to detect errors. However, the function vmw_execbuf_copy_fence_user() would expect a non-zero error code in that case and would BUG otherwise.

So make sure we return a proper non-zero error code if the fence pointer returned is NULL.

Fixes: ae2a104058e2: ("vmwgfx: Implement fence objects") Signed-off-by: Thomas Hellstrom thellstrom@vmware.com Reviewed-by: Deepak Rawat drawat@vmware.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -2326,7 +2326,7 @@ int vmw_execbuf_fence_commands(struct dr *p_fence = NULL; }

- return 0; + return ret; }

/**

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniele Palmas dnlplm@gmail.com

commit 34aabf918717dd14e05051896aaecd3b16b53d95 upstream.

Telit 3G Intel based modems require zero packet to be sent if out data size is equal to the endpoint max packet size.

Signed-off-by: Daniele Palmas dnlplm@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/class/cdc-acm.c | 7 +++++++ 1 file changed, 7 insertions(+)

--- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1903,6 +1903,13 @@ static const struct usb_device_id acm_id .driver_info = IGNORE_DEVICE, },

+ { USB_DEVICE(0x1bc7, 0x0021), /* Telit 3G ACM only composition */ + .driver_info = SEND_ZERO_PACKET, + }, + { USB_DEVICE(0x1bc7, 0x0023), /* Telit 3G ACM + ECM composition */ + .driver_info = SEND_ZERO_PACKET, + }, + /* control interfaces without any protocol set */ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, USB_CDC_PROTO_NONE) },

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pablo Neira Ayuso pablo@netfilter.org

commit 753c111f655e38bbd52fc01321266633f022ebe2 upstream.

Fetch pointer to module before target object is released.

Fixes: 29e3880109e3 ("netfilter: nf_tables: fix use-after-free when deleting compat expressions") Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/netfilter/nft_compat.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c @@ -221,6 +221,7 @@ nft_target_destroy(const struct nft_ctx { struct xt_target *target = expr->ops->data; void *info = nft_expr_priv(expr); + struct module *me = target->me; struct xt_tgdtor_param par;

par.net = ctx->net; @@ -231,7 +232,7 @@ nft_target_destroy(const struct nft_ctx par.target->destroy(&par);

if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops))) - module_put(target->me); + module_put(me); }

static int

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rajasingh Thavamani T.Rajasingh@landisgyr.com

commit 232ba3a51cc224b339c7114888ed7f0d4d95695e upstream.

With Micrel KSZ8061 PHY, the link may occasionally not come up after Ethernet cable connect. The vendor's (Microchip, former Micrel) errata sheet 80000688A.pdf descripes the problem and possible workarounds in detail, see below. The batch implements workaround 1, which permanently fixes the issue.

DESCRIPTION Link-up may not occur properly when the Ethernet cable is initially connected. This issue occurs more commonly when the cable is connected slowly, but it may occur any time a cable is connected. This issue occurs in the auto-negotiation circuit, and will not occur if auto-negotiation is disabled (which requires that the two link partners be set to the same speed and duplex).

END USER IMPLICATIONS When this issue occurs, link is not established. Subsequent cable plug/unplaug cycle will not correct the issue.

WORk AROUND There are four approaches to work around this issue: 1. This issue can be prevented by setting bit 15 in MMD device address 1, register 2, prior to connecting the cable or prior to setting the Restart Auto-negotiation bit in register 0h. The MMD registers are accessed via the indirect access registers Dh and Eh, or via the Micrel EthUtil utility as shown here: . if using the EthUtil utility (usually with a Micrel KSZ8061 Evaluation Board), type the following commands: > address 1 > mmd 1 > iw 2 b61a . Alternatively, write the following registers to write to the indirect MMD register: Write register Dh, data 0001h Write register Eh, data 0002h Write register Dh, data 4001h Write register Eh, data B61Ah 2. The issue can be avoided by disabling auto-negotiation in the KSZ8061, either by the strapping option, or by clearing bit 12 in register 0h. Care must be taken to ensure that the KSZ8061 and the link partner will link with the same speed and duplex. Note that the KSZ8061 defaults to full-duplex when auto-negotiation is off, but other devices may default to half-duplex in the event of failed auto-negotiation. 3. The issue can be avoided by connecting the cable prior to powering-up or resetting the KSZ8061, and leaving it plugged in thereafter. 4. If the above measures are not taken and the problem occurs, link can be recovered by setting the Restart Auto-Negotiation bit in register 0h, or by resetting or power cycling the device. Reset may be either hardware reset or software reset (register 0h, bit 15).

PLAN This errata will not be corrected in the future revision.

Fixes: 7ab59dc15e2f ("drivers/net/phy/micrel_phy: Add support for new PHYs") Signed-off-by: Alexander Onnasch alexander.onnasch@landisgyr.com Signed-off-by: Rajasingh Thavamani T.Rajasingh@landisgyr.com Reviewed-by: Andrew Lunn andrew@lunn.ch Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: - Include <linux/mdio.h> for register definition - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/net/phy/micrel.c +++ b/drivers/net/phy/micrel.c @@ -26,6 +26,7 @@ #include <linux/phy.h> #include <linux/micrel_phy.h> #include <linux/of.h> +#include <linux/mdio.h>

/* Operation Mode Strap Override */ #define MII_KSZPHY_OMSO 0x16 @@ -211,6 +212,17 @@ static int ks8051_config_init(struct phy return rc < 0 ? rc : 0; }

+static int ksz8061_config_init(struct phy_device *phydev) +{ + int ret; + + ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A); + if (ret) + return ret; + + return kszphy_config_init(phydev); +} + static int ksz9021_load_values_from_of(struct phy_device *phydev, struct device_node *of_node, u16 reg, char *field1, char *field2, @@ -565,7 +577,7 @@ static struct phy_driver ksphy_driver[] .phy_id_mask = 0x00fffff0, .features = (PHY_BASIC_FEATURES | SUPPORTED_Pause), .flags = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT, - .config_init = kszphy_config_init, + .config_init = ksz8061_config_init, .config_aneg = genphy_config_aneg, .read_status = genphy_read_status, .ack_interrupt = kszphy_ack_interrupt,

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Williamson alex.williamson@redhat.com

commit 492855939bdb59c6f947b0b5b44af9ad82b7e38c upstream.

Memory backed DMA mappings are accounted against a user's locked memory limit, including multiple mappings of the same memory. This accounting bounds the number of such mappings that a user can create. However, DMA mappings that are not backed by memory, such as DMA mappings of device MMIO via mmaps, do not make use of page pinning and therefore do not count against the user's locked memory limit. These mappings still consume memory, but the memory is not well associated to the process for the purpose of oom killing a task.

To add bounding on this use case, we introduce a limit to the total number of concurrent DMA mappings that a user is allowed to create. This limit is exposed as a tunable module option where the default value of 64K is expected to be well in excess of any reasonable use case (a large virtual machine configuration would typically only make use of tens of concurrent mappings).

This fixes CVE-2019-3882.

Reviewed-by: Eric Auger eric.auger@redhat.com Tested-by: Eric Auger eric.auger@redhat.com Reviewed-by: Peter Xu peterx@redhat.com Reviewed-by: Cornelia Huck cohuck@redhat.com Signed-off-by: Alex Williamson alex.williamson@redhat.com [bwh: Backported to 3.16: - Add the out_unlock label in vfio_dma_do_map() - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/vfio/vfio_iommu_type1.c +++ b/drivers/vfio/vfio_iommu_type1.c @@ -53,10 +53,16 @@ module_param_named(disable_hugepages, MODULE_PARM_DESC(disable_hugepages, "Disable VFIO IOMMU support for IOMMU hugepages.");

+static unsigned int dma_entry_limit __read_mostly = U16_MAX; +module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644); +MODULE_PARM_DESC(dma_entry_limit, + "Maximum number of user DMA mappings per container (65535)."); + struct vfio_iommu { struct list_head domain_list; struct mutex lock; struct rb_root dma_list; + unsigned int dma_avail; bool v2; };

@@ -364,6 +370,7 @@ static void vfio_remove_dma(struct vfio_ vfio_unmap_unpin(iommu, dma); vfio_unlink_dma(iommu, dma); kfree(dma); + iommu->dma_avail++; }

static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu) @@ -549,12 +556,18 @@ static int vfio_dma_do_map(struct vfio_i return -EEXIST; }

+ if (!iommu->dma_avail) { + ret = -ENOSPC; + goto out_unlock; + } + dma = kzalloc(sizeof(*dma), GFP_KERNEL); if (!dma) { mutex_unlock(&iommu->lock); return -ENOMEM; }

+ iommu->dma_avail--; dma->iova = iova; dma->vaddr = vaddr; dma->prot = prot; @@ -586,6 +599,7 @@ static int vfio_dma_do_map(struct vfio_i if (ret) vfio_remove_dma(iommu, dma);

+out_unlock: mutex_unlock(&iommu->lock); return ret; } @@ -816,6 +830,7 @@ static void *vfio_iommu_type1_open(unsig

INIT_LIST_HEAD(&iommu->domain_list); iommu->dma_list = RB_ROOT; + iommu->dma_avail = dma_entry_limit; mutex_init(&iommu->lock); iommu->v2 = (arg == VFIO_TYPE1v2_IOMMU);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" ebiederm@xmission.com

commit 2236d4d39035b9839944603ec4b65ce71180a9ea upstream.

The 0day kernel test build report reported an oops:

IP: put_pid+0x22/0x5c PGD 19efa067 P4D 19efa067 PUD 0 Oops: 0000 [#1] CPU: 0 PID: 727 Comm: trinity Not tainted 4.16.0-rc2-00010-g98f929b #1 RIP: 0010:put_pid+0x22/0x5c RSP: 0018:ffff986719f73e48 EFLAGS: 00010202 RAX: 00000006d765f710 RBX: ffff98671a4fa4d0 RCX: ffff986719f73d40 RDX: 000000006f6e6125 RSI: 0000000000000000 RDI: ffffffffa01e6d21 RBP: ffffffffa0955fe0 R08: 0000000000000020 R09: 0000000000000000 R10: 0000000000000078 R11: ffff986719f73e76 R12: 0000000000001000 R13: 00000000ffffffea R14: 0000000054000fb0 R15: 0000000000000000 FS: 00000000028c2880(0000) GS:ffffffffa06ad000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000677846439 CR3: 0000000019fc1005 CR4: 00000000000606b0 Call Trace: ? ipc_update_pid+0x36/0x3e ? newseg+0x34c/0x3a6 ? ipcget+0x5d/0x528 ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 ? SyS_shmget+0x5a/0x84 ? do_syscall_64+0x194/0x1b3 ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 Code: ff 05 e7 20 9b 03 58 c9 c3 48 ff 05 85 21 9b 03 48 85 ff 74 4f 8b 47 04 8b 17 48 ff 05 7c 21 9b 03 48 83 c0 03 48 c1 e0 04 ff ca <48> 8b 44 07 08 74 1f 48 ff 05 6c 21 9b 03 ff 0f 0f 94 c2 48 ff RIP: put_pid+0x22/0x5c RSP: ffff986719f73e48 CR2: 0000000677846439 ---[ end trace ab8c5cb4389d37c5 ]--- Kernel panic - not syncing: Fatal exception

In newseg when changing shm_cprid and shm_lprid from pid_t to struct pid* I misread the kvmalloc as kvzalloc and thought shp was initialized to 0. As that is not the case it is not safe to for the error handling to address shm_cprid and shm_lprid before they are initialized.

Therefore move the cleanup of shm_cprid and shm_lprid from the no_file error cleanup path to the no_id error cleanup path. Ensuring that an early error exit won't cause the oops above.

Reported-by: kernel test robot fengguang.wu@intel.com Reviewed-by: Nagarathnam Muthusamy nagarathnam.muthusamy@oracle.com Signed-off-by: Eric W. Biederman ebiederm@xmission.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- ipc/shm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/ipc/shm.c +++ b/ipc/shm.c @@ -620,12 +620,12 @@ static int newseg(struct ipc_namespace * return error;

no_id: + ipc_update_pid(&shp->shm_cprid, NULL); + ipc_update_pid(&shp->shm_lprid, NULL); if (is_file_hugepages(file) && shp->mlock_user) user_shm_unlock(size, shp->mlock_user); fput(file); no_file: - ipc_update_pid(&shp->shm_cprid, NULL); - ipc_update_pid(&shp->shm_lprid, NULL); ipc_rcu_putref(shp, shm_rcu_free); return error; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet edumazet@google.com

commit 797a22bd5298c2674d927893f46cadf619dad11d upstream.

syzbot was able to trigger another soft lockup [1]

I first thought it was the O(N^2) issue I mentioned in my prior fix (f657d22ee1f "net/x25: do not hold the cpu too long in x25_new_lci()"), but I eventually found that x25_bind() was not checking SOCK_ZAPPED state under socket lock protection.

This means that multiple threads can end up calling x25_insert_socket() for the same socket, and corrupt x25_list

[1] watchdog: BUG: soft lockup - CPU#0 stuck for 123s! [syz-executor.2:10492] Modules linked in: irq event stamp: 27515 hardirqs last enabled at (27514): [<ffffffff81006673>] trace_hardirqs_on_thunk+0x1a/0x1c hardirqs last disabled at (27515): [<ffffffff8100668f>] trace_hardirqs_off_thunk+0x1a/0x1c softirqs last enabled at (32): [<ffffffff8632ee73>] x25_get_neigh+0xa3/0xd0 net/x25/x25_link.c:336 softirqs last disabled at (34): [<ffffffff86324bc3>] x25_find_socket+0x23/0x140 net/x25/af_x25.c:341 CPU: 0 PID: 10492 Comm: syz-executor.2 Not tainted 5.0.0-rc7+ #88 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__sanitizer_cov_trace_pc+0x4/0x50 kernel/kcov.c:97 Code: f4 ff ff ff e8 11 9f ea ff 48 c7 05 12 fb e5 08 00 00 00 00 e9 c8 e9 ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 <48> 8b 75 08 65 48 8b 04 25 40 ee 01 00 65 8b 15 38 0c 92 7e 81 e2 RSP: 0018:ffff88806e94fc48 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: 1ffff1100d84dac5 RBX: 0000000000000001 RCX: ffffc90006197000 RDX: 0000000000040000 RSI: ffffffff86324bf3 RDI: ffff88806c26d628 RBP: ffff88806e94fc48 R08: ffff88806c1c6500 R09: fffffbfff1282561 R10: fffffbfff1282560 R11: ffffffff89412b03 R12: ffff88806c26d628 R13: ffff888090455200 R14: dffffc0000000000 R15: 0000000000000000 FS: 00007f3a107e4700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3a107e3db8 CR3: 00000000a5544000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __x25_find_socket net/x25/af_x25.c:327 [inline] x25_find_socket+0x7d/0x140 net/x25/af_x25.c:342 x25_new_lci net/x25/af_x25.c:355 [inline] x25_connect+0x380/0xde0 net/x25/af_x25.c:784 __sys_connect+0x266/0x330 net/socket.c:1662 __do_sys_connect net/socket.c:1673 [inline] __se_sys_connect net/socket.c:1670 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:1670 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457e29 Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f3a107e3c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29 RDX: 0000000000000012 RSI: 0000000020000200 RDI: 0000000000000005 RBP: 000000000073c040 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3a107e46d4 R13: 00000000004be362 R14: 00000000004ceb98 R15: 00000000ffffffff Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 10493 Comm: syz-executor.3 Not tainted 5.0.0-rc7+ #88 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline] RIP: 0010:queued_write_lock_slowpath+0x143/0x290 kernel/locking/qrwlock.c:86 Code: 4c 8d 2c 01 41 83 c7 03 41 0f b6 45 00 41 38 c7 7c 08 84 c0 0f 85 0c 01 00 00 8b 03 3d 00 01 00 00 74 1a f3 90 41 0f b6 55 00 <41> 38 d7 7c eb 84 d2 74 e7 48 89 df e8 cc aa 4e 00 eb dd be 04 00 RSP: 0018:ffff888085c47bd8 EFLAGS: 00000206 RAX: 0000000000000300 RBX: ffffffff89412b00 RCX: 1ffffffff1282560 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff89412b00 RBP: ffff888085c47c70 R08: 1ffffffff1282560 R09: fffffbfff1282561 R10: fffffbfff1282560 R11: ffffffff89412b03 R12: 00000000000000ff R13: fffffbfff1282560 R14: 1ffff11010b88f7d R15: 0000000000000003 FS: 00007fdd04086700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdd04064db8 CR3: 0000000090be0000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: queued_write_lock include/asm-generic/qrwlock.h:104 [inline] do_raw_write_lock+0x1d6/0x290 kernel/locking/spinlock_debug.c:203 __raw_write_lock_bh include/linux/rwlock_api_smp.h:204 [inline] _raw_write_lock_bh+0x3b/0x50 kernel/locking/spinlock.c:312 x25_insert_socket+0x21/0xe0 net/x25/af_x25.c:267 x25_bind+0x273/0x340 net/x25/af_x25.c:703 __sys_bind+0x23f/0x290 net/socket.c:1481 __do_sys_bind net/socket.c:1492 [inline] __se_sys_bind net/socket.c:1490 [inline] __x64_sys_bind+0x73/0xb0 net/socket.c:1490 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457e29

Fixes: 90c27297a9bf ("X.25 remove bkl in bind") Signed-off-by: Eric Dumazet edumazet@google.com Cc: andrew hendry andrew.hendry@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/x25/af_x25.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -680,8 +680,7 @@ static int x25_bind(struct socket *sock, struct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr; int len, i, rc = 0;

- if (!sock_flag(sk, SOCK_ZAPPED) || - addr_len != sizeof(struct sockaddr_x25) || + if (addr_len != sizeof(struct sockaddr_x25) || addr->sx25_family != AF_X25) { rc = -EINVAL; goto out; @@ -696,9 +695,13 @@ static int x25_bind(struct socket *sock, }

lock_sock(sk); - x25_sk(sk)->source_addr = addr->sx25_addr; - x25_insert_socket(sk); - sock_reset_flag(sk, SOCK_ZAPPED); + if (sock_flag(sk, SOCK_ZAPPED)) { + x25_sk(sk)->source_addr = addr->sx25_addr; + x25_insert_socket(sk); + sock_reset_flag(sk, SOCK_ZAPPED); + } else { + rc = -EINVAL; + } release_sock(sk); SOCK_DEBUG(sk, "x25_bind: socket is bound\n"); out:

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit e19c025bc9a184ed9c5daf06ffb89abc81d1696a upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Tested-by: Mark Salter msalter@redhat.com Acked-by: Mark Salter msalter@redhat.com Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/c6x/kernel/signal.c | 43 +++++++++++++++++----------------------- 1 file changed, 18 insertions(+), 25 deletions(-)

--- a/arch/c6x/kernel/signal.c +++ b/arch/c6x/kernel/signal.c @@ -146,21 +146,21 @@ static inline void __user *get_sigframe( return (void __user *)((sp - framesize) & ~7); }

-static int setup_rt_frame(int signr, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe __user *frame; unsigned long __user *retcode; int err = 0;

- frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto segv_and_exit; + return -EFAULT;

err |= __put_user(&frame->info, &frame->pinfo); err |= __put_user(&frame->uc, &frame->puc); - err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info);

/* Clear all the bits of the ucontext we don't use. */ err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext)); @@ -188,7 +188,7 @@ static int setup_rt_frame(int signr, str #undef COPY

if (err) - goto segv_and_exit; + return -EFAULT;

flush_icache_range((unsigned long) &frame->retcode, (unsigned long) &frame->retcode + RETCODE_SIZE); @@ -198,10 +198,10 @@ static int setup_rt_frame(int signr, str /* Change user context to branch to signal handler */ regs->sp = (unsigned long) frame - 8; regs->b3 = (unsigned long) retcode; - regs->pc = (unsigned long) ka->sa.sa_handler; + regs->pc = (unsigned long) ksig->ka.sa.sa_handler;

/* Give the signal number to the handler */ - regs->a4 = signr; + regs->a4 = ksig->sig;

/* * For realtime signals we must also set the second and third @@ -212,10 +212,6 @@ static int setup_rt_frame(int signr, str regs->a6 = (unsigned long)&frame->uc;

return 0; - -segv_and_exit: - force_sigsegv(signr, current); - return -EFAULT; }

static inline void @@ -245,10 +241,11 @@ do_restart: /* * handle the actual delivery of a signal to userspace */ -static void handle_signal(int sig, - siginfo_t *info, struct k_sigaction *ka, - struct pt_regs *regs, int syscall) +static void handle_signal(struct ksignal *ksig, struct pt_regs *regs, + int syscall) { + int ret; + /* Are we from a system call? */ if (syscall) { /* If so, check system call restarting.. */ @@ -259,7 +256,7 @@ static void handle_signal(int sig, break;

case -ERESTARTSYS: - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { regs->a4 = -EINTR; break; } @@ -272,9 +269,8 @@ static void handle_signal(int sig, }

/* Set up the stack frame */ - if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs) < 0) - return; - signal_delivered(sig, info, ka, regs, 0); + ret = setup_rt_frame(ksig, sigmask_to_save(), regs); + signal_setup_done(ret, ksig, 0); }

/* @@ -282,18 +278,15 @@ static void handle_signal(int sig, */ static void do_signal(struct pt_regs *regs, int syscall) { - struct k_sigaction ka; - siginfo_t info; - int signr; + struct ksignal ksig;

/* we want the common case to go fast, which is why we may in certain * cases get here from kernel mode */ if (!user_mode(regs)) return;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { - handle_signal(signr, &info, &ka, regs, syscall); + if (get_signal(&ksig)) { + handle_signal(&ksig, regs, syscall); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 00554fa4f80279db92f82c4f52c8ae72711f173e upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/include/asm/signal32.h | 11 ++++--- arch/arm64/kernel/signal.c | 48 +++++++++++++------------------ arch/arm64/kernel/signal32.c | 14 ++++----- 3 files changed, 32 insertions(+), 41 deletions(-)

--- a/arch/arm64/include/asm/signal32.h +++ b/arch/arm64/include/asm/signal32.h @@ -24,22 +24,21 @@

extern const compat_ulong_t aarch32_sigret_code[6];

-int compat_setup_frame(int usig, struct k_sigaction *ka, sigset_t *set, +int compat_setup_frame(int usig, struct ksignal *ksig, sigset_t *set, struct pt_regs *regs); -int compat_setup_rt_frame(int usig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs); +int compat_setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs);

void compat_setup_restart_syscall(struct pt_regs *regs); #else

-static inline int compat_setup_frame(int usid, struct k_sigaction *ka, +static inline int compat_setup_frame(int usid, struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { return -ENOSYS; }

-static inline int compat_setup_rt_frame(int usig, struct k_sigaction *ka, - siginfo_t *info, sigset_t *set, +static inline int compat_setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { return -ENOSYS; --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -253,13 +253,13 @@ static void setup_return(struct pt_regs regs->regs[30] = (unsigned long)sigtramp; }

-static int setup_rt_frame(int usig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe __user *frame; int err = 0;

- frame = get_sigframe(ka, regs); + frame = get_sigframe(&ksig->ka, regs); if (!frame) return 1;

@@ -269,9 +269,9 @@ static int setup_rt_frame(int usig, stru err |= __save_altstack(&frame->uc.uc_stack, regs->sp); err |= setup_sigframe(frame, regs, set); if (err == 0) { - setup_return(regs, ka, frame, usig); - if (ka->sa.sa_flags & SA_SIGINFO) { - err |= copy_siginfo_to_user(&frame->info, info); + setup_return(regs, &ksig->ka, frame, usig); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) { + err |= copy_siginfo_to_user(&frame->info, &ksig->info); regs->regs[1] = (unsigned long)&frame->info; regs->regs[2] = (unsigned long)&frame->uc; } @@ -291,13 +291,12 @@ static void setup_restart_syscall(struct /* * OK, we're invoking a handler */ -static void handle_signal(unsigned long sig, struct k_sigaction *ka, - siginfo_t *info, struct pt_regs *regs) +static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) { struct thread_info *thread = current_thread_info(); struct task_struct *tsk = current; sigset_t *oldset = sigmask_to_save(); - int usig = sig; + int usig = ksig->sig; int ret;

/* @@ -310,13 +309,12 @@ static void handle_signal(unsigned long * Set up the stack frame */ if (is_compat_task()) { - if (ka->sa.sa_flags & SA_SIGINFO) - ret = compat_setup_rt_frame(usig, ka, info, oldset, - regs); + if (ksig->ka.sa.sa_flags & SA_SIGINFO) + ret = compat_setup_rt_frame(usig, ksig, oldset, regs); else - ret = compat_setup_frame(usig, ka, oldset, regs); + ret = compat_setup_frame(usig, ksig, oldset, regs); } else { - ret = setup_rt_frame(usig, ka, info, oldset, regs); + ret = setup_rt_frame(usig, ksig, oldset, regs); }

/* @@ -324,18 +322,14 @@ static void handle_signal(unsigned long */ ret |= !valid_user_regs(&regs->user_regs, current);

- if (ret != 0) { - force_sigsegv(sig, tsk); - return; - } - /* * Fast forward the stepping logic so we step into the signal * handler. */ - user_fastforward_single_step(tsk); + if (!ret) + user_fastforward_single_step(tsk);

- signal_delivered(sig, info, ka, regs, 0); + signal_setup_done(ret, ksig, 0); }

/* @@ -350,10 +344,9 @@ static void handle_signal(unsigned long static void do_signal(struct pt_regs *regs) { unsigned long continue_addr = 0, restart_addr = 0; - struct k_sigaction ka; - siginfo_t info; - int signr, retval = 0; + int retval = 0; int syscall = (int)regs->syscallno; + struct ksignal ksig;

/* * If we were from a system call, check for system call restarting... @@ -387,8 +380,7 @@ static void do_signal(struct pt_regs *re * Get the signal to deliver. When running under ptrace, at this point * the debugger may change all of our registers. */ - signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { + if (get_signal(&ksig)) { /* * Depending on the signal settings, we may need to revert the * decision to restart the system call, but skip this if a @@ -398,12 +390,12 @@ static void do_signal(struct pt_regs *re (retval == -ERESTARTNOHAND || retval == -ERESTART_RESTARTBLOCK || (retval == -ERESTARTSYS && - !(ka.sa.sa_flags & SA_RESTART)))) { + !(ksig.ka.sa.sa_flags & SA_RESTART)))) { regs->regs[0] = -EINTR; regs->pc = continue_addr; }

- handle_signal(signr, &ka, &info, regs); + handle_signal(&ksig, regs); return; }

--- a/arch/arm64/kernel/signal32.c +++ b/arch/arm64/kernel/signal32.c @@ -543,18 +543,18 @@ static int compat_setup_sigframe(struct /* * 32-bit signal handling routines called from signal.c */ -int compat_setup_rt_frame(int usig, struct k_sigaction *ka, siginfo_t *info, +int compat_setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { struct compat_rt_sigframe __user *frame; int err = 0;

- frame = compat_get_sigframe(ka, regs, sizeof(*frame)); + frame = compat_get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!frame) return 1;

- err |= copy_siginfo_to_user32(&frame->info, info); + err |= copy_siginfo_to_user32(&frame->info, &ksig->info);

__put_user_error(0, &frame->sig.uc.uc_flags, err); __put_user_error(0, &frame->sig.uc.uc_link, err); @@ -564,7 +564,7 @@ int compat_setup_rt_frame(int usig, stru err |= compat_setup_sigframe(&frame->sig, regs, set);

if (err == 0) { - compat_setup_return(regs, ka, frame->sig.retcode, frame, usig); + compat_setup_return(regs, &ksig->ka, frame->sig.retcode, frame, usig); regs->regs[1] = (compat_ulong_t)(unsigned long)&frame->info; regs->regs[2] = (compat_ulong_t)(unsigned long)&frame->sig.uc; } @@ -572,13 +572,13 @@ int compat_setup_rt_frame(int usig, stru return err; }

-int compat_setup_frame(int usig, struct k_sigaction *ka, sigset_t *set, +int compat_setup_frame(int usig, struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { struct compat_sigframe __user *frame; int err = 0;

- frame = compat_get_sigframe(ka, regs, sizeof(*frame)); + frame = compat_get_sigframe(&ksig->ka, regs, sizeof(*frame));

if (!frame) return 1; @@ -587,7 +587,7 @@ int compat_setup_frame(int usig, struct

err |= compat_setup_sigframe(frame, regs, set); if (err == 0) - compat_setup_return(regs, ka, frame->retcode, frame, usig); + compat_setup_return(regs, &ksig->ka, frame->retcode, frame, usig);

return err; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers ebiggers@google.com

commit ede0fa98a900e657d1fcd80b50920efc896c1a4c upstream.

syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() called from construct_alloc_key() during sys_request_key(), because the length of the key description was never calculated.

The problem is that we rely on ->desc_len being initialized by search_process_keyrings(), specifically by search_nested_keyrings(). But, if the process isn't subscribed to any keyrings that never happens.

Fix it by always initializing keyring_index_key::desc_len as soon as the description is set, like we already do in some places.

The following program reproduces the BUG_ON() when it's run as root and no session keyring has been installed. If it doesn't work, try removing pam_keyinit.so from /etc/pam.d/login and rebooting.

#include <stdlib.h> #include <unistd.h> #include <keyutils.h>

int main(void) { int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);

keyctl_setperm(id, KEY_OTH_WRITE); setreuid(5000, 5000); request_key("user", "desc", "", id); }

Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: James Morris james.morris@microsoft.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/keyring.c | 4 +--- security/keys/proc.c | 3 +-- security/keys/request_key.c | 1 + security/keys/request_key_auth.c | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-)

--- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -604,9 +604,6 @@ static bool search_nested_keyrings(struc ctx->index_key.type->name, ctx->index_key.description);

- if (ctx->index_key.description) - ctx->index_key.desc_len = strlen(ctx->index_key.description); - /* Check to see if this top-level keyring is what we are looking for * and whether it is valid or not. */ @@ -870,6 +867,7 @@ key_ref_t keyring_search(key_ref_t keyri struct keyring_search_context ctx = { .index_key.type = type, .index_key.description = description, + .index_key.desc_len = strlen(description), .cred = current_cred(), .match = type->match, .match_data = description, --- a/security/keys/proc.c +++ b/security/keys/proc.c @@ -191,8 +191,7 @@ static int proc_keys_show(struct seq_fil int rc;

struct keyring_search_context ctx = { - .index_key.type = key->type, - .index_key.description = key->description, + .index_key = key->index_key, .cred = m->file->f_cred, .match = lookup_user_key_possessed, .match_data = key, --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -561,6 +561,7 @@ struct key *request_key_and_link(struct struct keyring_search_context ctx = { .index_key.type = type, .index_key.description = description, + .index_key.desc_len = strlen(description), .cred = current_cred(), .match = type->match, .match_data = description, --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -233,7 +233,7 @@ struct key *key_get_instantiation_authke struct key *authkey; key_ref_t authkey_ref;

- sprintf(description, "%x", target_id); + ctx.index_key.desc_len = sprintf(description, "%x", target_id);

authkey_ref = search_process_keyrings(&ctx);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" ebiederm@xmission.com

commit 7146db3317c67b517258cb5e1b08af387da0618b upstream.

Recently syzkaller was able to create unkillablle processes by creating a timer that is delivered as a thread local signal on SIGHUP, and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing to deliver SIGHUP but always trying.

When the stack overflows delivery of SIGHUP fails and force_sigsegv is called. Unfortunately because SIGSEGV is numerically higher than SIGHUP next_signal tries again to deliver a SIGHUP.

=46roma quality of implementation standpoint attempting to deliver the timer SIGHUP signal is wrong. We should attempt to deliver the synchronous SIGSEGV signal we just forced.

We can make that happening in a fairly straight forward manner by instead of just looking at the signal number we also look at the si_code. In particular for exceptions (aka synchronous signals) the si_code is always greater than 0.

That still has the potential to pick up a number of asynchronous signals as in a few cases the same si_codes that are used for synchronous signals are also used for asynchronous signals, and SI_KERNEL is also included in the list of possible si_codes.

Still the heuristic is much better and timer signals are definitely excluded. Which is enough to prevent all known ways for someone sending a process signals fast enough to cause unexpected and arguably incorrect behavior.

Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals") Tested-by: Dmitry Vyukov dvyukov@google.com Reported-by: Dmitry Vyukov dvyukov@google.com Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com [bwh: Backported to 3.16: s/kernel_siginfo_t/siginfo_t/] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/signal.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-)

--- a/kernel/signal.c +++ b/kernel/signal.c @@ -684,6 +684,48 @@ int dequeue_signal(struct task_struct *t return signr; }

+static int dequeue_synchronous_signal(siginfo_t *info) +{ + struct task_struct *tsk = current; + struct sigpending *pending = &tsk->pending; + struct sigqueue *q, *sync = NULL; + + /* + * Might a synchronous signal be in the queue? + */ + if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK)) + return 0; + + /* + * Return the first synchronous signal in the queue. + */ + list_for_each_entry(q, &pending->list, list) { + /* Synchronous signals have a postive si_code */ + if ((q->info.si_code > SI_USER) && + (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) { + sync = q; + goto next; + } + } + return 0; +next: + /* + * Check if there is another siginfo for the same signal. + */ + list_for_each_entry_continue(q, &pending->list, list) { + if (q->info.si_signo == sync->info.si_signo) + goto still_pending; + } + + sigdelset(&pending->signal, sync->info.si_signo); + recalc_sigpending(); +still_pending: + list_del_init(&sync->list); + copy_siginfo(info, &sync->info); + __sigqueue_free(sync); + return info->si_signo; +} + /* * Tell a process that it has a new active signal.. * @@ -2249,7 +2291,15 @@ relock: goto relock; }

- signr = dequeue_signal(current, &current->blocked, &ksig->info); + /* + * Signals generated by the execution of an instruction + * need to be delivered before any other pending signals + * so that the instruction pointer in the signal stack + * frame points to the faulting instruction. + */ + signr = dequeue_synchronous_signal(&ksig->info); + if (!signr) + signr = dequeue_signal(current, &current->blocked, &ksig->info);

if (!signr) break; /* will return 0 */

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" darrick.wong@oracle.com

commit 29b00e609960ae0fcff382f4c7079dd0874a5311 upstream.

When we made the shmem_reserve_inode call in shmem_link conditional, we forgot to update the declaration for ret so that it always has a known value. Dan Carpenter pointed out this deficiency in the original patch.

Fixes: 1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in") Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Darrick J. Wong darrick.wong@oracle.com Signed-off-by: Hugh Dickins hughd@google.com Cc: Matej Kupljen matej.kupljen@gmail.com Cc: Al Viro viro@zeniv.linux.org.uk Cc: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- mm/shmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/shmem.c +++ b/mm/shmem.c @@ -2007,7 +2007,7 @@ static int shmem_create(struct inode *di static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry) { struct inode *inode = old_dentry->d_inode; - int ret; + int ret = 0;

/* * No ordinary (disk based) filesystem counts links as inodes;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jack Stocker jackstocker.93@gmail.com

commit 3483254b89438e60f719937376c5e0ce2bc46761 upstream.

To match the Corsair Strafe RGB, the Corsair K70 RGB also requires USB_QUIRK_DELAY_CTRL_MSG to completely resolve boot connection issues discussed here: https://github.com/ckb-next/ckb-next/issues/42. Otherwise roughly 1 in 10 boots the keyboard will fail to be detected.

Patch that applied delay control quirk for Corsair Strafe RGB: cb88a0588717 ("usb: quirks: add control message delay for 1b1c:1b20")

Previous K70 RGB patch to add delay-init quirk: 7a1646d92257 ("Add delay-init quirk for Corsair K70 RGB keyboards")

Signed-off-by: Jack Stocker jackstocker.93@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/quirks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -240,7 +240,8 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x1a40, 0x0101), .driver_info = USB_QUIRK_HUB_SLOW_RESET },

/* Corsair K70 RGB */ - { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT | + USB_QUIRK_DELAY_CTRL_MSG },

/* Corsair Strafe */ { USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT |

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" gustavo@embeddedor.com

commit 701956d4018e5d5438570e39e8bda47edd32c489 upstream.

ipcnum is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/char/mwave/mwavedd.c:299 mwave_ioctl() warn: potential spectre issue 'pDrvData->IPCs' [w] (local cap)

Fix this by sanitizing ipcnum before using it to index pDrvData->IPCs.

Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva gustavo@embeddedor.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/char/mwave/mwavedd.c | 7 +++++++ 1 file changed, 7 insertions(+)

--- a/drivers/char/mwave/mwavedd.c +++ b/drivers/char/mwave/mwavedd.c @@ -59,6 +59,7 @@ #include <linux/mutex.h> #include <linux/delay.h> #include <linux/serial_8250.h> +#include <linux/nospec.h> #include "smapi.h" #include "mwavedd.h" #include "3780i.h" @@ -289,6 +290,8 @@ static long mwave_ioctl(struct file *fil ipcnum); return -EINVAL; } + ipcnum = array_index_nospec(ipcnum, + ARRAY_SIZE(pDrvData->IPCs)); PRINTK_3(TRACE_MWAVE, "mwavedd::mwave_ioctl IOCTL_MW_REGISTER_IPC" " ipcnum %x entry usIntCount %x\n", @@ -317,6 +320,8 @@ static long mwave_ioctl(struct file *fil " Invalid ipcnum %x\n", ipcnum); return -EINVAL; } + ipcnum = array_index_nospec(ipcnum, + ARRAY_SIZE(pDrvData->IPCs)); PRINTK_3(TRACE_MWAVE, "mwavedd::mwave_ioctl IOCTL_MW_GET_IPC" " ipcnum %x, usIntCount %x\n", @@ -383,6 +388,8 @@ static long mwave_ioctl(struct file *fil ipcnum); return -EINVAL; } + ipcnum = array_index_nospec(ipcnum, + ARRAY_SIZE(pDrvData->IPCs)); mutex_lock(&mwave_mutex); if (pDrvData->IPCs[ipcnum].bIsEnabled == TRUE) { pDrvData->IPCs[ipcnum].bIsEnabled = FALSE;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Zhiqiang Liu liuzhiqiang26@huawei.com

commit e75913c93f7cd5f338ab373c34c93a655bd309cb upstream.

Follow those steps: # ip addr add 2001:123::1/32 dev eth0 # ip addr add 2001:123:456::2/64 dev eth0 # ip addr del 2001:123::1/32 dev eth0 # ip addr del 2001:123:456::2/64 dev eth0 and then prefix route of 2001:123::1/32 will still exist.

This is because ipv6_prefix_equal in check_cleanup_prefix_route func does not check whether two IPv6 addresses have the same prefix length. If the prefix of one address starts with another shorter address prefix, even though their prefix lengths are different, the return value of ipv6_prefix_equal is true.

Here I add a check of whether two addresses have the same prefix to decide whether their prefixes are equal.

Fixes: 5b84efecb7d9 ("ipv6 addrconf: don't cleanup prefix route for IFA_F_NOPREFIXROUTE") Signed-off-by: Zhiqiang Liu liuzhiqiang26@huawei.com Reported-by: Wenhao Zhang zhangwenhao8@huawei.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/ipv6/addrconf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -943,7 +943,8 @@ check_cleanup_prefix_route(struct inet6_ list_for_each_entry(ifa, &idev->addr_list, if_list) { if (ifa == ifp) continue; - if (!ipv6_prefix_equal(&ifa->addr, &ifp->addr, + if (ifa->prefix_len != ifp->prefix_len || + !ipv6_prefix_equal(&ifa->addr, &ifp->addr, ifp->prefix_len)) continue; if (ifa->flags & (IFA_F_PERMANENT | IFA_F_NOPREFIXROUTE))

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Shuah Khan shuah.kh@samsung.com

commit 6eb5e3399e8f45aa191ad21c0556bece8ea559f2 upstream.

em28xx_dvb_resume() unregisters i2c tuner, i2c demod, and dvb. This erroneous cleanup results in i2c tuner, i2c demod, and dvb devices unregistered and removed during resume. This error is a result of merge conflict between two patches that went into 3.15.

Signed-off-by: Shuah Khan shuah.kh@samsung.com Reviewed-by: Antti Palosaari crope@iki.fi Signed-off-by: Mauro Carvalho Chehab m.chehab@samsung.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/usb/em28xx/em28xx-dvb.c | 17 ----------------- 1 file changed, 17 deletions(-)

--- a/drivers/media/usb/em28xx/em28xx-dvb.c +++ b/drivers/media/usb/em28xx/em28xx-dvb.c @@ -1712,7 +1712,6 @@ static int em28xx_dvb_resume(struct em28 em28xx_info("Resuming DVB extension\n"); if (dev->dvb) { struct em28xx_dvb *dvb = dev->dvb; - struct i2c_client *client = dvb->i2c_client_tuner;

if (dvb->fe[0]) { ret = dvb_frontend_resume(dvb->fe[0]); @@ -1723,22 +1722,6 @@ static int em28xx_dvb_resume(struct em28 ret = dvb_frontend_resume(dvb->fe[1]); em28xx_info("fe1 resume %d\n", ret); } - /* remove I2C tuner */ - if (client) { - module_put(client->dev.driver->owner); - i2c_unregister_device(client); - } - - /* remove I2C demod */ - client = dvb->i2c_client_demod; - if (client) { - module_put(client->dev.driver->owner); - i2c_unregister_device(client); - } - - em28xx_unregister_dvb(dvb); - kfree(dvb); - dev->dvb = NULL; }

return 0;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jun-Ru Chang jrjang@realtek.com

commit 2b424cfc69728224fcb5fad138ea7260728e0901 upstream.

Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of microMIPS function size.") introduces additional function size check for microMIPS by only checking insn between ip and ip + func_size. However, func_size in get_frame_info() is always 0 if KALLSYMS is not enabled. This causes get_frame_info() to return immediately without calculating correct frame_size, which in turn causes "Can't analyze schedule() prologue" warning messages at boot time.

This patch removes func_size check, and let the frame_size check run up to 128 insns for both MIPS and microMIPS.

Signed-off-by: Jun-Ru Chang jrjang@realtek.com Signed-off-by: Tony Wu tonywu@realtek.com Signed-off-by: Paul Burton paul.burton@mips.com Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS function size.") Cc: ralf@linux-mips.org Cc: jhogan@kernel.org Cc: macro@mips.com Cc: yamada.masahiro@socionext.com Cc: peterz@infradead.org Cc: mingo@kernel.org Cc: linux-mips@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/kernel/process.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/arch/mips/kernel/process.c +++ b/arch/mips/kernel/process.c @@ -373,7 +373,7 @@ static inline int is_sp_move_ins(union m static int get_frame_info(struct mips_frame_info *info) { bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); - union mips_instruction insn, *ip, *ip_end; + union mips_instruction insn, *ip; const unsigned int max_insns = 128; unsigned int last_insn_size = 0; unsigned int i; @@ -385,10 +385,9 @@ static int get_frame_info(struct mips_fr if (!ip) goto err;

- ip_end = (void *)ip + info->func_size; - - for (i = 0; i < max_insns && ip < ip_end; i++) { + for (i = 0; i < max_insns; i++) { ip = (void *)ip + last_insn_size; + if (is_mmips && mm_insn_16bit(ip->halfword[0])) { insn.word = ip->halfword[0] << 16; last_insn_size = 2;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ingo Molnar mingo@kernel.org

commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream.

The following commit:

9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")

results in perf recording failures with larger mmap areas:

root@skl:/tmp# perf record -g -a failed to mmap with 12 (Cannot allocate memory)

The root cause is that the following condition is buggy:

if (order_base_2(size) >= MAX_ORDER) goto fail;

The problem is that @size is in bytes and MAX_ORDER is in pages, so the right test is:

if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER) goto fail;

Fix it.

Reported-by: "Jin, Yao" yao.jin@linux.intel.com Bisected-by: Borislav Petkov bp@alien8.de Analyzed-by: Peter Zijlstra peterz@infradead.org Cc: Julien Thierry julien.thierry@arm.com Cc: Mark Rutland mark.rutland@arm.com Cc: Alexander Shishkin alexander.shishkin@linux.intel.com Cc: Arnaldo Carvalho de Melo acme@redhat.com Cc: Jiri Olsa jolsa@redhat.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Namhyung Kim namhyung@kernel.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes") Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/events/ring_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/events/ring_buffer.c +++ b/kernel/events/ring_buffer.c @@ -282,7 +282,7 @@ struct ring_buffer *rb_alloc(int nr_page size = sizeof(struct ring_buffer); size += nr_pages * sizeof(void *);

- if (order_base_2(size) >= MAX_ORDER) + if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER) goto fail;

rb = kzalloc(size, GFP_KERNEL);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: John Garry john.garry@huawei.com

commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f upstream.

The sysfs phy_identifier attribute for a sas_end_device comes from the rphy phy_identifier value.

Currently this is not being set for rphys with an end device attached, so we see incorrect symlinks from systemd disk/by-path:

root@localhost:~# ls -l /dev/disk/by-path/ total 0 lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1 lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2 lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3

Indeed, each sas_end_device phy_identifier value is 0:

root@localhost:/# more sys/class/sas_device/end_device-0:0:2/phy_identifier 0 root@localhost:/# more sys/class/sas_device/end_device-0:0:10/phy_identifier 0

This patch fixes the discovery code to set the phy_identifier. With this, we now get proper symlinks:

root@localhost:~# ls -l /dev/disk/by-path/ total 0 lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1 lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1 lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2 lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1 lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2 lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3 lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1 lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2 lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3 lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1 lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2 lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3

Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") Reported-by: dann frazier dann.frazier@canonical.com Signed-off-by: John Garry john.garry@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Tested-by: dann frazier dann.frazier@canonical.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/scsi/libsas/sas_expander.c | 2 ++ 1 file changed, 2 insertions(+)

--- a/drivers/scsi/libsas/sas_expander.c +++ b/drivers/scsi/libsas/sas_expander.c @@ -817,6 +817,7 @@ static struct domain_device *sas_ex_disc rphy = sas_end_device_alloc(phy->port); if (!rphy) goto out_free; + rphy->identify.phy_identifier = phy_id;

child->rphy = rphy; get_device(&rphy->dev); @@ -844,6 +845,7 @@ static struct domain_device *sas_ex_disc

child->rphy = rphy; get_device(&rphy->dev); + rphy->identify.phy_identifier = phy_id; sas_fill_in_rphy(child, rphy);

list_add_tail(&child->disco_list_node, &parent->port->disco_list);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rundong Ge rdong.ge@gmail.com

commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 upstream.

The unbalance of master's promiscuity or allmulti will happen after ifdown and ifup a slave interface which is in a bridge.

When we ifdown a slave interface , both the 'dsa_slave_close' and 'dsa_slave_change_rx_flags' will clear the master's flags. The flags of master will be decrease twice. In the other hand, if we ifup the slave interface again, since the slave's flags were cleared the 'dsa_slave_open' won't set the master's flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if' will set the master's flags. The flags of master is increase once.

Only propagating flag changes when a slave interface is up makes sure this does not happen. The 'vlan_dev_change_rx_flags' had the same problem and was fixed, and changes here follows that fix.

Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support") Signed-off-by: Rundong Ge rdong.ge@gmail.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/dsa/slave.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/dsa/slave.c +++ b/net/dsa/slave.c @@ -117,11 +117,14 @@ static void dsa_slave_change_rx_flags(st { struct dsa_slave_priv *p = netdev_priv(dev); struct net_device *master = p->parent->dst->master_netdev; - - if (change & IFF_ALLMULTI) - dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1); - if (change & IFF_PROMISC) - dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1); + if (dev->flags & IFF_UP) { + if (change & IFF_ALLMULTI) + dev_set_allmulti(master, + dev->flags & IFF_ALLMULTI ? 1 : -1); + if (change & IFF_PROMISC) + dev_set_promiscuity(master, + dev->flags & IFF_PROMISC ? 1 : -1); + } }

static void dsa_slave_set_rx_mode(struct net_device *dev)

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky schwidefsky@de.ibm.com

commit a38662084c8bdb829ff486468c7ea801c13fcc34 upstream.

The ASCE of an mm_struct can be modified after a task has been created, e.g. via crst_table_downgrade for a compat process. The active_mm logic to avoid the switch_mm call if the next task is a kernel thread can lead to a situation where switch_mm is called where 'prev == next' is true but 'prev->context.asce == next->context.asce' is not.

This can lead to a situation where a CPU uses the outdated ASCE to run a task. The result can be a crash, endless loops and really subtle problem due to TLBs being created with an invalid ASCE.

Fixes: 53e857f30867 ("s390/mm,tlb: race of lazy TLB flush vs. recreation") Reported-by: Heiko Carstens heiko.carstens@de.ibm.com Reviewed-by: Heiko Carstens heiko.carstens@de.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com [bwh: Backported to 3.16: - Keep the updates of mm_context_t::attach_count conditional on prev != next - Keep the update of mm_context_t::cpu_attach_mask conditional on both MACHINE_HAS_TLB_LC and prev != next - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/s390/include/asm/mmu_context.h +++ b/arch/s390/include/asm/mmu_context.h @@ -69,17 +69,17 @@ static inline void switch_mm(struct mm_s { int cpu = smp_processor_id();

- if (prev == next) - return; if (MACHINE_HAS_TLB_LC) cpumask_set_cpu(cpu, &next->context.cpu_attach_mask); /* Clear old ASCE by loading the kernel ASCE. */ __ctl_load(S390_lowcore.kernel_asce, 1, 1); __ctl_load(S390_lowcore.kernel_asce, 7, 7); - atomic_inc(&next->context.attach_count); - atomic_dec(&prev->context.attach_count); - if (MACHINE_HAS_TLB_LC) - cpumask_clear_cpu(cpu, &prev->context.cpu_attach_mask); + if (prev != next) { + atomic_inc(&next->context.attach_count); + atomic_dec(&prev->context.attach_count); + if (MACHINE_HAS_TLB_LC) + cpumask_clear_cpu(cpu, &prev->context.cpu_attach_mask); + } S390_lowcore.user_asce = next->context.asce_bits | __pa(next->pgd); }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arend van Spriel arend.vanspriel@broadcom.com

commit 1b5e2423164b3670e8bc9174e4762d297990deff upstream.

The SSID length as received from firmware should not exceed IEEE80211_MAX_SSID_LEN as that would result in heap overflow.

Reviewed-by: Hante Meuleman hante.meuleman@broadcom.com Reviewed-by: Pieter-Paul Giesberts pieter-paul.giesberts@broadcom.com Reviewed-by: Franky Lin franky.lin@broadcom.com Signed-off-by: Arend van Spriel arend.vanspriel@broadcom.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 ++ 1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c @@ -3082,6 +3082,8 @@ brcmf_notify_sched_scan_results(struct b

brcmf_dbg(SCAN, "SSID:%s Channel:%d\n", netinfo->SSID, netinfo->channel); + if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN) + netinfo->SSID_len = IEEE80211_MAX_SSID_LEN; memcpy(ssid[i].ssid, netinfo->SSID, netinfo->SSID_len); ssid[i].ssid_len = netinfo->SSID_len; request->n_ssids++;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings ben@decadent.org.uk

Commit ea08dc5191d9 "fs/binfmt_elf.c: fix bug in loading of PIE binaries", which was a backport of commit a87938b2e246 upstream, added a new failure path to load_elf_binary().

Before commit 19d860a140be "handle suicide on late failure exits in execve() in search_binary_handler()", load_elf_binary() wass responsible for sending a fatal signal to the task in case of an error after flushing the old executable. Add that to the new failure path.

Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -822,6 +822,7 @@ static int load_elf_binary(struct linux_ total_size = total_mapping_size(elf_phdata, loc->elf_ex.e_phnum); if (!total_size) { + send_sig(SIGKILL, current, 0); retval = -EINVAL; goto out_free_dentry; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Zach Brown zach.brown@ni.com

commit b866203d872d5deeafcecd25ea429d6748b5bd56 upstream.

The commit ("net/phy: micrel: Add workaround for bad autoneg") fixes an autoneg failure case by resetting the hardware. This turns off intterupts. Things will work themselves out if the phy polls, as it will figure out it's state during a poll. However if the phy uses only intterupts, the phy will stall, since interrupts are off. This patch fixes the issue by calling config_intr after resetting the phy.

Fixes: d2fd719bcb0e ("net/phy: micrel: Add workaround for bad autoneg ") Signed-off-by: Zach Brown zach.brown@ni.com Reviewed-by: Andrew Lunn andrew@lunn.ch Reviewed-by: Florian Fainelli f.fainelli@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/phy/micrel.c | 2 ++ 1 file changed, 2 insertions(+)

--- a/drivers/net/phy/micrel.c +++ b/drivers/net/phy/micrel.c @@ -431,6 +431,8 @@ static int ksz9031_read_status(struct ph if ((regval & 0xFF) == 0xFF) { phy_init_hw(phydev); phydev->link = 0; + if (phydev->drv->config_intr && phy_interrupt_is_valid(phydev)) + phydev->drv->config_intr(phydev); }

return 0;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Heiner Kallweit hkallweit1@gmail.com

commit 1d16073a326891c2a964e4cb95bc18fbcafb5f74 upstream.

So far genphy_soft_reset was used automatically if the PHY driver didn't implement the soft_reset callback. This changed with the mentioned commit and broke KSZ9031. To fix this configure the KSZ9031 PHY driver to use genphy_soft_reset.

Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") Reported-by: Tony Lindgren tony@atomide.com Signed-off-by: Heiner Kallweit hkallweit1@gmail.com Tested-by: Tony Lindgren tony@atomide.com Tested-by: Sekhar Nori nsekhar@ti.com Reviewed-by: Florian Fainelli f.fainelli@gmail.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/phy/micrel.c | 1 + 1 file changed, 1 insertion(+)

--- a/drivers/net/phy/micrel.c +++ b/drivers/net/phy/micrel.c @@ -596,6 +596,7 @@ static struct phy_driver ksphy_driver[] .flags = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT, .config_init = ksz9031_config_init, .config_aneg = genphy_config_aneg, + .soft_reset = genphy_soft_reset, .read_status = ksz9031_read_status, .ack_interrupt = kszphy_ack_interrupt, .config_intr = ksz9021_config_intr,

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexandru Ardelean alexandru.ardelean@analog.com

commit 0255200bd29afc320c6ea4c1adf8bdc13a9b3c15 upstream.

After the DMA transfer is done, we don't need to call the un-mapping code in 3 places. One is enough.

Signed-off-by: Alexandru Ardelean alexandru.ardelean@analog.com Signed-off-by: Vinod Koul vkoul@kernel.org [bwh: Backported to 3.16 as dependency of commit 6454368a804c "dmaengine: dmatest: Abort test in case of mapping error"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/dma/dmatest.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/dma/dmatest.c +++ b/drivers/dma/dmatest.c @@ -638,14 +638,14 @@ static int dmatest_func(void *data)

status = dma_async_is_tx_complete(chan, cookie, NULL, NULL);

+ dmaengine_unmap_put(um); + if (!done->done) { - dmaengine_unmap_put(um); result("test timed out", total_tests, src_off, dst_off, len, 0); failed_tests++; continue; } else if (status != DMA_COMPLETE) { - dmaengine_unmap_put(um); result(status == DMA_ERROR ? "completion error status" : "completion busy status", total_tests, src_off, @@ -654,8 +654,6 @@ static int dmatest_func(void *data) continue; }

- dmaengine_unmap_put(um); - if (params->noverify) { verbose_result("test passed", total_tests, src_off, dst_off, len, 0);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bin Liu b-liu@ti.com

commit a53469a68eb886e84dd8b69a1458a623d3591793 upstream.

power off the phy should be done before populate the phy. Otherwise, am335x_init() could be called by the phy owner to power on the phy first, then am335x_phy_probe() turns off the phy again without the caller knowing it.

Fixes: 2fc711d76352 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup") Signed-off-by: Bin Liu b-liu@ti.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/phy/phy-am335x.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/usb/phy/phy-am335x.c +++ b/drivers/usb/phy/phy-am335x.c @@ -56,9 +56,6 @@ static int am335x_phy_probe(struct platf if (ret) return ret;

- ret = usb_add_phy_dev(&am_phy->usb_phy_gen.phy); - if (ret) - return ret; am_phy->usb_phy_gen.phy.init = am335x_init; am_phy->usb_phy_gen.phy.shutdown = am335x_shutdown;

@@ -77,7 +74,7 @@ static int am335x_phy_probe(struct platf device_set_wakeup_enable(dev, false); phy_ctrl_power(am_phy->phy_ctrl, am_phy->id, false);

- return 0; + return usb_add_phy_dev(&am_phy->usb_phy_gen.phy); }

static int am335x_phy_remove(struct platform_device *pdev)

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann sven@narfation.org

commit 9114daa825fc3f335f9bea3313ce667090187280 upstream.

The caller of ndo_start_xmit may not already have called skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr therefore can be in the wrong position and even outside the current skbuff. This for example happens when the user binds to the device using a PF_PACKET-SOCK_RAW with enabled qdisc-bypass:

int opt = 4; setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));

Since eth_hdr is used all over the codebase, the batadv_interface_tx function must always take care of resetting it.

Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com Signed-off-by: Sven Eckelmann sven@narfation.org Signed-off-by: Simon Wunderlich sw@simonwunderlich.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/batman-adv/soft-interface.c | 2 ++ 1 file changed, 2 insertions(+)

--- a/net/batman-adv/soft-interface.c +++ b/net/batman-adv/soft-interface.c @@ -180,6 +180,8 @@ static int batadv_interface_tx(struct sk

soft_iface->trans_start = jiffies; vid = batadv_get_vid(skb, 0); + + skb_reset_mac_header(skb); ethhdr = eth_hdr(skb);

switch (ntohs(ethhdr->h_proto)) {

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Charles Keepax ckeepax@opensource.cirrus.com

commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream.

It is normal user behaviour to start, stop, then start a stream again without closing it. Currently this works for compressed playback streams but not capture ones.

The states on a compressed capture stream go directly from OPEN to PREPARED, unlike a playback stream which moves to SETUP and waits for a write of data before moving to PREPARED. Currently however, when a stop is sent the state is set to SETUP for both types of streams. This leaves a capture stream in the situation where a new start can't be sent as that requires the state to be PREPARED and a new set_params can't be sent as that requires the state to be OPEN. The only option being to close the stream, and then reopen.

Correct this issues by allowing snd_compr_drain_notify to set the state depending on the stream direction, as we already do in set_params.

Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams") Signed-off-by: Charles Keepax ckeepax@opensource.cirrus.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/sound/compress_driver.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/include/sound/compress_driver.h +++ b/include/sound/compress_driver.h @@ -176,7 +176,11 @@ static inline void snd_compr_drain_notif if (snd_BUG_ON(!stream)) return;

- stream->runtime->state = SNDRV_PCM_STATE_SETUP; + if (stream->direction == SND_COMPRESS_PLAYBACK) + stream->runtime->state = SNDRV_PCM_STATE_SETUP; + else + stream->runtime->state = SNDRV_PCM_STATE_PREPARED; + wake_up(&stream->runtime->sleep); }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jonathan Hunter jonathanh@nvidia.com

commit ac4ca4b9f4623ba5e1ea7a582f286567c611e027 upstream.

The tps6586x driver creates an irqchip that is used by its various child devices for managing interrupts. The tps6586x-rtc device is one of its children that uses the tps6586x irqchip. When using the tps6586x-rtc as a wake-up device from suspend, the following is seen:

PM: Syncing filesystems ... done. Freezing user space processes ... (elapsed 0.001 seconds) done. OOM killer disabled. Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done. Disabling non-boot CPUs ... Entering suspend state LP1 Enabling non-boot CPUs ... CPU1 is up tps6586x 3-0034: failed to read interrupt status tps6586x 3-0034: failed to read interrupt status

The reason why the tps6586x interrupt status cannot be read is because the tps6586x interrupt is not masked during suspend and when the tps6586x-rtc interrupt occurs, to wake-up the device, the interrupt is seen before the i2c controller has been resumed in order to read the tps6586x interrupt status.

The tps6586x-rtc driver sets it's interrupt as a wake-up source during suspend, which gets propagated to the parent tps6586x interrupt. However, the tps6586x-rtc driver cannot disable it's interrupt during suspend otherwise we would never be woken up and so the tps6586x must disable it's interrupt instead.

Prevent the tps6586x interrupt handler from executing on exiting suspend before the i2c controller has been resumed by disabling the tps6586x interrupt on entering suspend and re-enabling it on resuming from suspend.

Signed-off-by: Jon Hunter jonathanh@nvidia.com Reviewed-by: Dmitry Osipenko digetx@gmail.com Tested-by: Dmitry Osipenko digetx@gmail.com Acked-by: Thierry Reding treding@nvidia.com Signed-off-by: Lee Jones lee.jones@linaro.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mfd/tps6586x.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+)

--- a/drivers/mfd/tps6586x.c +++ b/drivers/mfd/tps6586x.c @@ -601,6 +601,29 @@ static int tps6586x_i2c_remove(struct i2 return 0; }

+static int __maybe_unused tps6586x_i2c_suspend(struct device *dev) +{ + struct tps6586x *tps6586x = dev_get_drvdata(dev); + + if (tps6586x->client->irq) + disable_irq(tps6586x->client->irq); + + return 0; +} + +static int __maybe_unused tps6586x_i2c_resume(struct device *dev) +{ + struct tps6586x *tps6586x = dev_get_drvdata(dev); + + if (tps6586x->client->irq) + enable_irq(tps6586x->client->irq); + + return 0; +} + +static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend, + tps6586x_i2c_resume); + static const struct i2c_device_id tps6586x_id_table[] = { { "tps6586x", 0 }, { }, @@ -612,6 +635,7 @@ static struct i2c_driver tps6586x_driver .name = "tps6586x", .owner = THIS_MODULE, .of_match_table = of_match_ptr(tps6586x_of_match), + .pm = &tps6586x_pm_ops, }, .probe = tps6586x_i2c_probe, .remove = tps6586x_i2c_remove,

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 7c4f563507c33ca97dcfbd62dba1e9232575d499 upstream.

Use sigsp() instead of the open coded variant.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/kernel/signal.c | 10 ++++------ arch/mips/kernel/signal32.c | 4 ++-- arch/mips/kernel/signal_n32.c | 2 +- 3 files changed, 7 insertions(+), 9 deletions(-)

--- a/arch/mips/kernel/signal.c +++ b/arch/mips/kernel/signal.c @@ -280,7 +280,7 @@ int restore_sigcontext(struct pt_regs *r return err; }

-void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, +void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size) { unsigned long sp; @@ -295,9 +295,7 @@ void __user *get_sigframe(struct k_sigac */ sp -= 32;

- /* This is the X/Open sanctioned signal stack switching. */ - if ((ka->sa.sa_flags & SA_ONSTACK) && (sas_ss_flags (sp) == 0)) - sp = current->sas_ss_sp + current->sas_ss_size; + sp = sigsp(sp, ksig);

return (void __user *)((sp - frame_size) & (ICACHE_REFILLS_WORKAROUND_WAR ? ~(cpu_icache_line_size()-1) : ALMASK)); } @@ -434,7 +432,7 @@ static int setup_frame(void *sig_return, struct sigframe __user *frame; int err = 0;

- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame)); + frame = get_sigframe(ksig, regs, sizeof(*frame)); if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) return -EFAULT;

@@ -473,7 +471,7 @@ static int setup_rt_frame(void *sig_retu struct rt_sigframe __user *frame; int err = 0;

- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame)); + frame = get_sigframe(ksig, regs, sizeof(*frame)); if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) return -EFAULT;

--- a/arch/mips/kernel/signal32.c +++ b/arch/mips/kernel/signal32.c @@ -494,7 +494,7 @@ static int setup_frame_32(void *sig_retu struct sigframe32 __user *frame; int err = 0;

- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame)); + frame = get_sigframe(ksig, regs, sizeof(*frame)); if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) return -EFAULT;

@@ -534,7 +534,7 @@ static int setup_rt_frame_32(void *sig_r struct rt_sigframe32 __user *frame; int err = 0;

- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame)); + frame = get_sigframe(ksig, regs, sizeof(*frame)); if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) return -EFAULT;

--- a/arch/mips/kernel/signal_n32.c +++ b/arch/mips/kernel/signal_n32.c @@ -108,7 +108,7 @@ static int setup_rt_frame_n32(void *sig_ struct rt_sigframe_n32 __user *frame; int err = 0;

- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame)); + frame = get_sigframe(ksig, regs, sizeof(*frame)); if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) return -EFAULT;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter dan.carpenter@oracle.com

commit 10628e3ecf544fa2e4e24f8e112d95c37884dc98 upstream.

This function is supposed to return zero on success or negative error codes on error. Unfortunately, there is a bug so it sometimes returns non-zero, positive numbers on success.

I noticed this bug during review and I can't test it. It does appear that the return is sometimes propogated back to _regmap_read() where all non-zero returns are treated as failure so this may affect run time.

Fixes: 47c1697508f2 ("mfd: Align ab8500 with the abx500 interface") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Reviewed-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Lee Jones lee.jones@linaro.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mfd/ab8500-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mfd/ab8500-core.c +++ b/drivers/mfd/ab8500-core.c @@ -259,7 +259,7 @@ static int get_register_interruptible(st mutex_unlock(&ab8500->lock); dev_vdbg(ab8500->dev, "rd: addr %#x => data %#x\n", addr, ret);

- return ret; + return (ret < 0) ? ret : 0; }

static int ab8500_get_register(struct device *dev, u8 bank,

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland mark.rutland@arm.com

commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream.

The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to determine how large its ringbuffer mmap should be. This can be configured to arbitrary values, which can be larger than the maximum possible allocation from kmalloc.

When this is configured to a suitably large value (e.g. thanks to the perf fuzzer), attempting to use perf record triggers a WARN_ON_ONCE() in __alloc_pages_nodemask():

WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511 __alloc_pages_nodemask+0x3f8/0xbc8

Let's avoid this by checking that the requested allocation is possible before calling kzalloc.

Reported-by: Julien Thierry julien.thierry@arm.com Signed-off-by: Mark Rutland mark.rutland@arm.com Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Reviewed-by: Julien Thierry julien.thierry@arm.com Cc: Alexander Shishkin alexander.shishkin@linux.intel.com Cc: Arnaldo Carvalho de Melo acme@redhat.com Cc: Jiri Olsa jolsa@redhat.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Namhyung Kim namhyung@kernel.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Link: https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/events/ring_buffer.c | 3 +++ 1 file changed, 3 insertions(+)

--- a/kernel/events/ring_buffer.c +++ b/kernel/events/ring_buffer.c @@ -282,6 +282,9 @@ struct ring_buffer *rb_alloc(int nr_page size = sizeof(struct ring_buffer); size += nr_pages * sizeof(void *);

+ if (order_base_2(size) >= MAX_ORDER) + goto fail; + rb = kzalloc(size, GFP_KERNEL); if (!rb) goto fail;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet edumazet@google.com

commit 4179cb5a4c924cd233eaadd081882425bc98f44e upstream.

netif_rx() must be called under a strict contract.

At device dismantle phase, core networking clears IFF_UP and flush_all_backlogs() is called after rcu grace period to make sure no incoming packet might be in a cpu backlog and still referencing the device.

Most drivers call netif_rx() from their interrupt handler, and since the interrupts are disabled at device dismantle, netif_rx() does not have to check dev->flags & IFF_UP

Virtual drivers do not have this guarantee, and must therefore make the check themselves.

Otherwise we risk use-after-free and/or crashes.

Note this patch also fixes a small issue that came with commit ce6502a8f957 ("vxlan: fix a use after free in vxlan_encap_bypass"), since the dev->stats.rx_dropped change was done on the wrong device.

Fixes: d342894c5d2f ("vxlan: virtual extensible lan") Fixes: ce6502a8f957 ("vxlan: fix a use after free in vxlan_encap_bypass") Signed-off-by: Eric Dumazet edumazet@google.com Cc: Petr Machata petrm@mellanox.com Cc: Ido Schimmel idosch@mellanox.com Cc: Roopa Prabhu roopa@cumulusnetworks.com Cc: Stefano Brivio sbrivio@redhat.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/vxlan.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -1772,7 +1772,7 @@ static void vxlan_encap_bypass(struct sk struct pcpu_sw_netstats *tx_stats, *rx_stats; union vxlan_addr loopback; union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip; - struct net_device *dev = skb->dev; + struct net_device *dev; int len = skb->len;

tx_stats = this_cpu_ptr(src_vxlan->dev->tstats); @@ -1792,8 +1792,15 @@ static void vxlan_encap_bypass(struct sk #endif }

+ rcu_read_lock(); + dev = skb->dev; + if (unlikely(!(dev->flags & IFF_UP))) { + kfree_skb(skb); + goto drop; + } + if (dst_vxlan->flags & VXLAN_F_LEARN) - vxlan_snoop(skb->dev, &loopback, eth_hdr(skb)->h_source); + vxlan_snoop(dev, &loopback, eth_hdr(skb)->h_source);

u64_stats_update_begin(&tx_stats->syncp); tx_stats->tx_packets++; @@ -1806,8 +1813,10 @@ static void vxlan_encap_bypass(struct sk rx_stats->rx_bytes += len; u64_stats_update_end(&rx_stats->syncp); } else { +drop: dev->stats.rx_dropped++; } + rcu_read_unlock(); }

static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Cong Wang xiyou.wangcong@gmail.com

commit 2fdeee2549231b1f989f011bb18191f5660d3745 upstream.

The current opt_inst_list operations inside team_nl_cmd_options_set() is too complex to track:

LIST_HEAD(opt_inst_list); nla_for_each_nested(...) { list_for_each_entry(opt_inst, &team->option_inst_list, list) { if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst)) continue; list_add(&opt_inst->tmp_list, &opt_inst_list); } } team_nl_send_event_options_get(team, &opt_inst_list);

as while we retrieve 'opt_inst' from team->option_inst_list, it could be added to the local 'opt_inst_list' for multiple times. The __team_option_inst_tmp_find() doesn't work, as the setter team_mode_option_set() still calls team->ops.exit() which uses ->tmp_list too in __team_options_change_check().

Simplify the list operations by moving the 'opt_inst_list' and team_nl_send_event_options_get() into the nla_for_each_nested() loop so that it can be guranteed that we won't insert a same list entry for multiple times. Therefore, __team_option_inst_tmp_find() can be removed too.

Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list") Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com Cc: Jiri Pirko jiri@resnulli.us Cc: Paolo Abeni pabeni@redhat.com Signed-off-by: Cong Wang xiyou.wangcong@gmail.com Acked-by: Jiri Pirko jiri@mellanox.com Reviewed-by: Paolo Abeni pabeni@redhat.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/team/team.c | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-)

--- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -253,17 +253,6 @@ static void __team_option_inst_mark_remo } }

-static bool __team_option_inst_tmp_find(const struct list_head *opts, - const struct team_option_inst *needle) -{ - struct team_option_inst *opt_inst; - - list_for_each_entry(opt_inst, opts, tmp_list) - if (opt_inst == needle) - return true; - return false; -} - static int __team_options_register(struct team *team, const struct team_option *option, size_t option_count) @@ -2420,7 +2409,6 @@ static int team_nl_cmd_options_set(struc int err = 0; int i; struct nlattr *nl_option; - LIST_HEAD(opt_inst_list);

team = team_nl_team_get(info); if (!team) @@ -2436,6 +2424,7 @@ static int team_nl_cmd_options_set(struc struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1]; struct nlattr *attr; struct nlattr *attr_data; + LIST_HEAD(opt_inst_list); enum team_option_type opt_type; int opt_port_ifindex = 0; /* != 0 for per-port options */ u32 opt_array_index = 0; @@ -2539,23 +2528,17 @@ static int team_nl_cmd_options_set(struc if (err) goto team_put; opt_inst->changed = true; - - /* dumb/evil user-space can send us duplicate opt, - * keep only the last one - */ - if (__team_option_inst_tmp_find(&opt_inst_list, - opt_inst)) - continue; - list_add(&opt_inst->tmp_list, &opt_inst_list); } if (!opt_found) { err = -ENOENT; goto team_put; } - }

- err = team_nl_send_event_options_get(team, &opt_inst_list); + err = team_nl_send_event_options_get(team, &opt_inst_list); + if (err) + break; + }

team_put: team_nl_team_put(team);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers ebiggers@google.com

commit 8f9c469348487844328e162db57112f7d347c49f upstream.

Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys.

However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey().

Fix it by restricting the rtattr payload to the expected size.

Reproducer using AF_ALG:

#include <linux/if_alg.h> #include <linux/rtnetlink.h> #include <sys/socket.h>

int main() { int fd; struct sockaddr_alg addr = { .salg_type = "aead", .salg_name = "authenc(hmac(sha256),cbc(aes))", }; struct { struct rtattr attr; __be32 enckeylen; char keys[1]; } __attribute__((packed)) key = { .attr.rta_len = sizeof(key), .attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */, };

fd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(fd, (void *)&addr, sizeof(addr)); setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key)); }

It caused:

BUG: unable to handle kernel paging request at ffff88007ffdc000 PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0 Oops: 0000 [#1] SMP CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014 RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155 [...] Call Trace: sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321 crypto_shash_finup+0x1a/0x30 crypto/shash.c:178 shash_digest_unaligned+0x45/0x60 crypto/shash.c:186 crypto_shash_digest+0x24/0x40 crypto/shash.c:202 hmac_setkey+0x135/0x1e0 crypto/hmac.c:66 crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66 shash_async_setkey+0x10/0x20 crypto/shash.c:223 crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202 crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96 crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62 aead_setkey+0xc/0x10 crypto/algif_aead.c:526 alg_setkey crypto/af_alg.c:223 [inline] alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256 __sys_setsockopt+0x6d/0xd0 net/socket.c:1902 __do_sys_setsockopt net/socket.c:1913 [inline] __se_sys_setsockopt net/socket.c:1910 [inline] __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910 do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- crypto/authenc.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/crypto/authenc.c +++ b/crypto/authenc.c @@ -62,14 +62,22 @@ int crypto_authenc_extractkeys(struct cr return -EINVAL; if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM) return -EINVAL; - if (RTA_PAYLOAD(rta) < sizeof(*param)) + + /* + * RTA_OK() didn't align the rtattr's payload when validating that it + * fits in the buffer. Yet, the keys should start on the next 4-byte + * aligned boundary. To avoid confusion, require that the rtattr + * payload be exactly the param struct, which has a 4-byte aligned size. + */ + if (RTA_PAYLOAD(rta) != sizeof(*param)) return -EINVAL; + BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);

param = RTA_DATA(rta); keys->enckeylen = be32_to_cpu(param->enckeylen);

- key += RTA_ALIGN(rta->rta_len); - keylen -= RTA_ALIGN(rta->rta_len); + key += rta->rta_len; + keylen -= rta->rta_len;

if (keylen < keys->enckeylen) return -EINVAL;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 98c20309b97fc30001adf643cf876125f334fd8a upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery. This inverts also the return codes of force_sigsegv_info() and setup_frame() to follow the kernel convention.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/ia64/kernel/signal.c | 46 ++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 25 deletions(-)

--- a/arch/ia64/kernel/signal.c +++ b/arch/ia64/kernel/signal.c @@ -309,12 +309,11 @@ force_sigsegv_info (int sig, void __user si.si_uid = from_kuid_munged(current_user_ns(), current_uid()); si.si_addr = addr; force_sig_info(SIGSEGV, &si, current); - return 0; + return 1; }

static long -setup_frame (int sig, struct k_sigaction *ka, siginfo_t *info, sigset_t *set, - struct sigscratch *scr) +setup_frame(struct ksignal *ksig, sigset_t *set, struct sigscratch *scr) { extern char __kernel_sigtramp[]; unsigned long tramp_addr, new_rbs = 0, new_sp; @@ -323,7 +322,7 @@ setup_frame (int sig, struct k_sigaction

new_sp = scr->pt.r12; tramp_addr = (unsigned long) __kernel_sigtramp; - if (ka->sa.sa_flags & SA_ONSTACK) { + if (ksig->ka.sa.sa_flags & SA_ONSTACK) { int onstack = sas_ss_flags(new_sp);

if (onstack == 0) { @@ -347,29 +346,29 @@ setup_frame (int sig, struct k_sigaction */ check_sp = (new_sp - sizeof(*frame)) & -STACK_ALIGN; if (!likely(on_sig_stack(check_sp))) - return force_sigsegv_info(sig, (void __user *) + return force_sigsegv_info(ksig->sig, (void __user *) check_sp); } } frame = (void __user *) ((new_sp - sizeof(*frame)) & -STACK_ALIGN);

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - return force_sigsegv_info(sig, frame); + return force_sigsegv_info(ksig->sig, frame);

- err = __put_user(sig, &frame->arg0); + err = __put_user(ksig->sig, &frame->arg0); err |= __put_user(&frame->info, &frame->arg1); err |= __put_user(&frame->sc, &frame->arg2); err |= __put_user(new_rbs, &frame->sc.sc_rbs_base); err |= __put_user(0, &frame->sc.sc_loadrs); /* initialize to zero */ - err |= __put_user(ka->sa.sa_handler, &frame->handler); + err |= __put_user(ksig->ka.sa.sa_handler, &frame->handler);

- err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info);

err |= __save_altstack(&frame->sc.sc_stack, scr->pt.r12); err |= setup_sigcontext(&frame->sc, set, scr);

if (unlikely(err)) - return force_sigsegv_info(sig, frame); + return force_sigsegv_info(ksig->sig, frame);

scr->pt.r12 = (unsigned long) frame - 16; /* new stack pointer */ scr->pt.ar_fpsr = FPSR_DEFAULT; /* reset fpsr for signal handler */ @@ -394,22 +393,20 @@ setup_frame (int sig, struct k_sigaction

#if DEBUG_SIG printk("SIG deliver (%s:%d): sig=%d sp=%lx ip=%lx handler=%p\n", - current->comm, current->pid, sig, scr->pt.r12, frame->sc.sc_ip, frame->handler); + current->comm, current->pid, ksig->sig, scr->pt.r12, frame->sc.sc_ip, frame->handler); #endif - return 1; + return 0; }

static long -handle_signal (unsigned long sig, struct k_sigaction *ka, siginfo_t *info, - struct sigscratch *scr) +handle_signal (struct ksignal *ksig, struct sigscratch *scr) { - if (!setup_frame(sig, ka, info, sigmask_to_save(), scr)) - return 0; + int ret = setup_frame(ksig, sigmask_to_save(), scr);

- signal_delivered(sig, info, ka, &scr->pt, - test_thread_flag(TIF_SINGLESTEP)); + if (!ret) + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));

- return 1; + return ret; }

/* @@ -419,17 +416,16 @@ handle_signal (unsigned long sig, struct void ia64_do_signal (struct sigscratch *scr, long in_syscall) { - struct k_sigaction ka; - siginfo_t info; long restart = in_syscall; long errno = scr->pt.r8; + struct ksignal ksig;

/* * This only loops in the rare cases of handle_signal() failing, in which case we * need to push through a forced SIGSEGV. */ while (1) { - int signr = get_signal_to_deliver(&info, &ka, &scr->pt, NULL); + get_signal(&ksig);

/* * get_signal_to_deliver() may have run a debugger (via notify_parent()) @@ -446,7 +442,7 @@ ia64_do_signal (struct sigscratch *scr, */ restart = 0;

- if (signr <= 0) + if (ksig.sig <= 0) break;

if (unlikely(restart)) { @@ -458,7 +454,7 @@ ia64_do_signal (struct sigscratch *scr, break;

case ERESTARTSYS: - if ((ka.sa.sa_flags & SA_RESTART) == 0) { + if ((ksig.ka.sa.sa_flags & SA_RESTART) == 0) { scr->pt.r8 = EINTR; /* note: scr->pt.r10 is already -1 */ break; @@ -473,7 +469,7 @@ ia64_do_signal (struct sigscratch *scr, * Whee! Actually deliver the signal. If the delivery failed, we need to * continue to iterate in this loop so we can deliver the SIGSEGV... */ - if (handle_signal(signr, &ka, &info, scr)) + if (handle_signal(&ksig, scr)) return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 0f5bef660a7c3b030eb60ceb29e3b2d89f894f56 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/m32r/kernel/signal.c | 47 +++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 27 deletions(-)

--- a/arch/m32r/kernel/signal.c +++ b/arch/m32r/kernel/signal.c @@ -173,17 +173,17 @@ get_sigframe(struct k_sigaction *ka, uns return (void __user *)((sp - frame_size) & -8ul); }

-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, - sigset_t *set, struct pt_regs *regs) +static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, + struct pt_regs *regs) { struct rt_sigframe __user *frame; int err = 0; - int signal; + int signal, sig = ksig->sig;

- frame = get_sigframe(ka, regs->spu, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs->spu, sizeof(*frame));

if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) - goto give_sigsegv; + return -EFAULT;

signal = current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap @@ -193,13 +193,13 @@ static int setup_rt_frame(int sig, struc

err |= __put_user(signal, &frame->sig); if (err) - goto give_sigsegv; + return -EFAULT;

err |= __put_user(&frame->info, &frame->pinfo); err |= __put_user(&frame->uc, &frame->puc); - err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info); if (err) - goto give_sigsegv; + return -EFAULT;

/* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); @@ -208,17 +208,17 @@ static int setup_rt_frame(int sig, struc err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0]); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); if (err) - goto give_sigsegv; + return -EFAULT;

/* Set up to return from userspace. */ - regs->lr = (unsigned long)ka->sa.sa_restorer; + regs->lr = (unsigned long)ksig->ka.sa.sa_restorer;

/* Set up registers for signal handler */ regs->spu = (unsigned long)frame; regs->r0 = signal; /* Arg for signal handler */ regs->r1 = (unsigned long)&frame->info; regs->r2 = (unsigned long)&frame->uc; - regs->bpc = (unsigned long)ka->sa.sa_handler; + regs->bpc = (unsigned long)ksig->ka.sa.sa_handler;

set_fs(USER_DS);

@@ -228,10 +228,6 @@ static int setup_rt_frame(int sig, struc #endif

return 0; - -give_sigsegv: - force_sigsegv(sig, current); - return -EFAULT; }

static int prev_insn(struct pt_regs *regs) @@ -252,9 +248,10 @@ static int prev_insn(struct pt_regs *reg */

static void -handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info, - struct pt_regs *regs) +handle_signal(struct ksignal *ksig, struct pt_regs *regs) { + int ret; + /* Are we from a system call? */ if (regs->syscall_nr >= 0) { /* If so, check system call restarting.. */ @@ -265,7 +262,7 @@ handle_signal(unsigned long sig, struct break;

case -ERESTARTSYS: - if (!(ka->sa.sa_flags & SA_RESTART)) { + if (!(ksig->ka.sa.sa_flags & SA_RESTART)) { regs->r0 = -EINTR; break; } @@ -278,10 +275,9 @@ handle_signal(unsigned long sig, struct }

/* Set up the stack frame */ - if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs)) - return; + ret = setup_rt_frame(ksig, sigmask_to_save(), regs);

- signal_delivered(sig, info, ka, regs, 0); + signal_setup_done(ret, ksig, 0); }

/* @@ -291,9 +287,7 @@ handle_signal(unsigned long sig, struct */ static void do_signal(struct pt_regs *regs) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig;

/* * We want the common case to go fast, which @@ -304,8 +298,7 @@ static void do_signal(struct pt_regs *re if (!user_mode(regs)) return;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { + if (get_signal(&ksig)) { /* Re-enable any watchpoints before delivering the * signal to user space. The processor register will * have been cleared if the watchpoint triggered @@ -313,7 +306,7 @@ static void do_signal(struct pt_regs *re */

/* Whee! Actually deliver the signal. */ - handle_signal(signr, &ka, &info, regs); + handle_signal(&ksig, regs);

return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger richard@nod.at

commit 1270cff147a39f7da5b25225dca6ca3132ca6130 upstream.

Use the more generic functions get_signal() signal_setup_done() for signal delivery.

Signed-off-by: Richard Weinberger richard@nod.at Acked-by: Steven Miao realmz6@gmail.com [bwh: Backported to 3.16 as dependency of commit 35634ffa1751 "signal: Always notice exiting tasks"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/blackfin/kernel/signal.c | 39 +++++++++++++++-------------------- 1 file changed, 17 insertions(+), 22 deletions(-)

--- a/arch/blackfin/kernel/signal.c +++ b/arch/blackfin/kernel/signal.c @@ -152,23 +152,22 @@ static inline void *get_sigframe(struct }

static int -setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t * info, - sigset_t * set, struct pt_regs *regs) +setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { struct rt_sigframe *frame; int err = 0;

- frame = get_sigframe(ka, regs, sizeof(*frame)); + frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));

err |= __put_user((current_thread_info()->exec_domain && current_thread_info()->exec_domain->signal_invmap - && sig < 32 + && ksig->sig < 32 ? current_thread_info()->exec_domain-> - signal_invmap[sig] : sig), &frame->sig); + signal_invmap[ksig->sig] : ksig->sig), &frame->sig);

err |= __put_user(&frame->info, &frame->pinfo); err |= __put_user(&frame->uc, &frame->puc); - err |= copy_siginfo_to_user(&frame->info, info); + err |= copy_siginfo_to_user(&frame->info, &ksig->info);

/* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); @@ -183,7 +182,7 @@ setup_rt_frame(int sig, struct k_sigacti /* Set up registers for signal handler */ if (current->personality & FDPIC_FUNCPTRS) { struct fdpic_func_descriptor __user *funcptr = - (struct fdpic_func_descriptor *) ka->sa.sa_handler; + (struct fdpic_func_descriptor *) ksig->ka.sa.sa_handler; u32 pc, p3; err |= __get_user(pc, &funcptr->text); err |= __get_user(p3, &funcptr->GOT); @@ -192,7 +191,7 @@ setup_rt_frame(int sig, struct k_sigacti regs->pc = pc; regs->p3 = p3; } else - regs->pc = (unsigned long)ka->sa.sa_handler; + regs->pc = (unsigned long)ksig->ka.sa.sa_handler; wrusp((unsigned long)frame); regs->rets = SIGRETURN_STUB;

@@ -237,20 +236,19 @@ handle_restart(struct pt_regs *regs, str * OK, we're invoking a handler */ static void -handle_signal(int sig, siginfo_t *info, struct k_sigaction *ka, - struct pt_regs *regs) +handle_signal(struct ksignal *ksig, struct pt_regs *regs) { + int ret; + /* are we from a system call? to see pt_regs->orig_p0 */ if (regs->orig_p0 >= 0) /* If so, check system call restarting.. */ - handle_restart(regs, ka, 1); + handle_restart(regs, &ksig->ka, 1);

/* set up the stack frame */ - if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs) < 0) - force_sigsegv(sig, current); - else - signal_delivered(sig, info, ka, regs, - test_thread_flag(TIF_SINGLESTEP)); + ret = setup_rt_frame(ksig, sigmask_to_save(), regs); + + signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); }

/* @@ -264,16 +262,13 @@ handle_signal(int sig, siginfo_t *info, */ asmlinkage void do_signal(struct pt_regs *regs) { - siginfo_t info; - int signr; - struct k_sigaction ka; + struct ksignal ksig;

current->thread.esp0 = (unsigned long)regs;

- signr = get_signal_to_deliver(&info, &ka, regs, NULL); - if (signr > 0) { + if (get_signal(&ksig)) { /* Whee! Actually deliver the signal. */ - handle_signal(signr, &info, &ka, regs); + handle_signal(&ksig, regs); return; }

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Paasch cpaasch@apple.com

commit 398f0132c14754fcd03c1c4f8e7176d001ce8ea1 upstream.

Since commit fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") one can now allocate packet ring buffers >= UINT_MAX. However, syzkaller found that that triggers a warning:

[ 21.100000] WARNING: CPU: 2 PID: 2075 at mm/page_alloc.c:4584 __alloc_pages_nod0 [ 21.101490] Modules linked in: [ 21.101921] CPU: 2 PID: 2075 Comm: syz-executor.0 Not tainted 5.0.0 #146 [ 21.102784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011 [ 21.103887] RIP: 0010:__alloc_pages_nodemask+0x2a0/0x630 [ 21.104640] Code: fe ff ff 65 48 8b 04 25 c0 de 01 00 48 05 90 0f 00 00 41 bd 01 00 00 00 48 89 44 24 48 e9 9c fe 3 [ 21.107121] RSP: 0018:ffff88805e1cf920 EFLAGS: 00010246 [ 21.107819] RAX: 0000000000000000 RBX: ffffffff85a488a0 RCX: 0000000000000000 [ 21.108753] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000 [ 21.109699] RBP: 1ffff1100bc39f28 R08: ffffed100bcefb67 R09: ffffed100bcefb67 [ 21.110646] R10: 0000000000000001 R11: ffffed100bcefb66 R12: 000000000000000d [ 21.111623] R13: 0000000000000000 R14: ffff88805e77d888 R15: 000000000000000d [ 21.112552] FS: 00007f7c7de05700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000 [ 21.113612] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.114405] CR2: 000000000065c000 CR3: 000000005e58e006 CR4: 00000000001606e0 [ 21.115367] Call Trace: [ 21.115705] ? __alloc_pages_slowpath+0x21c0/0x21c0 [ 21.116362] alloc_pages_current+0xac/0x1e0 [ 21.116923] kmalloc_order+0x18/0x70 [ 21.117393] kmalloc_order_trace+0x18/0x110 [ 21.117949] packet_set_ring+0x9d5/0x1770 [ 21.118524] ? packet_rcv_spkt+0x440/0x440 [ 21.119094] ? lock_downgrade+0x620/0x620 [ 21.119646] ? __might_fault+0x177/0x1b0 [ 21.120177] packet_setsockopt+0x981/0x2940 [ 21.120753] ? __fget+0x2fb/0x4b0 [ 21.121209] ? packet_release+0xab0/0xab0 [ 21.121740] ? sock_has_perm+0x1cd/0x260 [ 21.122297] ? selinux_secmark_relabel_packet+0xd0/0xd0 [ 21.123013] ? __fget+0x324/0x4b0 [ 21.123451] ? selinux_netlbl_socket_setsockopt+0x101/0x320 [ 21.124186] ? selinux_netlbl_sock_rcv_skb+0x3a0/0x3a0 [ 21.124908] ? __lock_acquire+0x529/0x3200 [ 21.125453] ? selinux_socket_setsockopt+0x5d/0x70 [ 21.126075] ? __sys_setsockopt+0x131/0x210 [ 21.126533] ? packet_release+0xab0/0xab0 [ 21.127004] __sys_setsockopt+0x131/0x210 [ 21.127449] ? kernel_accept+0x2f0/0x2f0 [ 21.127911] ? ret_from_fork+0x8/0x50 [ 21.128313] ? do_raw_spin_lock+0x11b/0x280 [ 21.128800] __x64_sys_setsockopt+0xba/0x150 [ 21.129271] ? lockdep_hardirqs_on+0x37f/0x560 [ 21.129769] do_syscall_64+0x9f/0x450 [ 21.130182] entry_SYSCALL_64_after_hwframe+0x49/0xbe

We should allocate with __GFP_NOWARN to handle this.

Cc: Kal Conley kal.conley@dectris.com Cc: Andrey Konovalov andreyknvl@google.com Fixes: fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") Signed-off-by: Christoph Paasch cpaasch@apple.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/packet/af_packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3828,7 +3828,7 @@ static struct pgv *alloc_pg_vec(struct t struct pgv *pg_vec; int i;

- pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL); + pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN); if (unlikely(!pg_vec)) goto out;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vineet Gupta vgupta@synopsys.com

commit ab6c03676cb190156603cf4c5ecf97aa406c9c53 upstream.

and use smaller/on-stack buffer instead

The motivation for this change was lockdep splat like below.

| potentially unexpected fatal signal 11. | BUG: sleeping function called from invalid context at ../mm/page_alloc.c:4317 | in_atomic(): 1, irqs_disabled(): 0, pid: 57, name: segv | no locks held by segv/57. | Preemption disabled at: | [<8182f17e>] get_signal+0x4a6/0x7c4 | CPU: 0 PID: 57 Comm: segv Not tainted 4.17.0+ #23 | | Stack Trace: | arc_unwind_core.constprop.1+0xd0/0xf4 | __might_sleep+0x1f6/0x234 | __get_free_pages+0x174/0xca0 | show_regs+0x22/0x330 | get_signal+0x4ac/0x7c4 # print_fatal_signals() -> preempt_disable() | do_signal+0x30/0x224 | resume_user_mode_begin+0x90/0xd8

So signal handling core calls show_regs() with preemption disabled but an ensuing GFP_KERNEL page allocator call is flagged by lockdep.

We could have switched to GFP_NOWAIT, but turns out that is not enough anways and eliding page allocator call leads to less code and instruction traces to sift thru when debugging pesky crashes.

FWIW, this patch doesn't cure the lockdep splat (which next patch does).

Reviewed-by: William Kucharski william.kucharski@oracle.com Signed-off-by: Vineet Gupta vgupta@synopsys.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arc/kernel/troubleshoot.c | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-)

--- a/arch/arc/kernel/troubleshoot.c +++ b/arch/arc/kernel/troubleshoot.c @@ -15,6 +15,8 @@ #include <linux/file.h> #include <asm/arcregs.h>

+#define ARC_PATH_MAX 256 + /* * Common routine to print scratch regs (r0-r12) or callee regs (r13-r25) * -Prints 3 regs per line and a CR. @@ -52,12 +54,13 @@ static void show_callee_regs(struct call print_reg_file(&(cregs->r13), 13); }

-static void print_task_path_n_nm(struct task_struct *tsk, char *buf) +static void print_task_path_n_nm(struct task_struct *tsk) { struct path path; char *path_nm = NULL; struct mm_struct *mm; struct file *exe_file; + char buf[ARC_PATH_MAX];

mm = get_task_mm(tsk); if (!mm) @@ -70,7 +73,7 @@ static void print_task_path_n_nm(struct path = exe_file->f_path; path_get(&exe_file->f_path); fput(exe_file); - path_nm = d_path(&path, buf, 255); + path_nm = d_path(&path, buf, ARC_PATH_MAX-1); path_put(&path); }

@@ -78,13 +81,12 @@ done: pr_info("Path: %s\n", path_nm); }

-static void show_faulting_vma(unsigned long address, char *buf) +static void show_faulting_vma(unsigned long address) { struct vm_area_struct *vma; struct inode *inode; unsigned long ino = 0; dev_t dev = 0; - char *nm = buf; struct mm_struct *active_mm = current->active_mm;

/* can't use print_vma_addr() yet as it doesn't check for @@ -98,9 +100,12 @@ static void show_faulting_vma(unsigned l */ if (vma && (vma->vm_start <= address)) { struct file *file = vma->vm_file; + char buf[ARC_PATH_MAX]; + char *nm = "?"; + if (file) { struct path *path = &file->f_path; - nm = d_path(path, buf, PAGE_SIZE - 1); + nm = d_path(path, buf, ARC_PATH_MAX-1); inode = file_inode(vma->vm_file); dev = inode->i_sb->s_dev; ino = inode->i_ino; @@ -165,13 +170,8 @@ void show_regs(struct pt_regs *regs) { struct task_struct *tsk = current; struct callee_regs *cregs; - char *buf;

- buf = (char *)__get_free_page(GFP_TEMPORARY); - if (!buf) - return; - - print_task_path_n_nm(tsk, buf); + print_task_path_n_nm(tsk); show_regs_print_info(KERN_INFO);

show_ecr_verbose(regs); @@ -181,7 +181,7 @@ void show_regs(struct pt_regs *regs) (void *)regs->blink, (void *)regs->ret);

if (user_mode(regs)) - show_faulting_vma(regs->ret, buf); /* faulting code, not data */ + show_faulting_vma(regs->ret); /* faulting code, not data */

pr_info("[STAT32]: 0x%08lx", regs->status32);

@@ -205,8 +205,6 @@ void show_regs(struct pt_regs *regs) cregs = (struct callee_regs *)current->thread.callee_reg; if (cregs) show_callee_regs(cregs); - - free_page((unsigned long)buf); }

void show_kernel_fault_diag(const char *str, struct pt_regs *regs,

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Shakeel Butt shakeelb@google.com

commit cefc7ef3c87d02fc9307835868ff721ea12cc597 upstream.

Syzbot instance running on upstream kernel found a use-after-free bug in oom_kill_process. On further inspection it seems like the process selected to be oom-killed has exited even before reaching read_lock(&tasklist_lock) in oom_kill_process(). More specifically the tsk->usage is 1 which is due to get_task_struct() in oom_evaluate_task() and the put_task_struct within for_each_thread() frees the tsk and for_each_thread() tries to access the tsk. The easiest fix is to do get/put across the for_each_thread() on the selected task.

Now the next question is should we continue with the oom-kill as the previously selected task has exited? However before adding more complexity and heuristics, let's answer why we even look at the children of oom-kill selected task? The select_bad_process() has already selected the worst process in the system/memcg. Due to race, the selected process might not be the worst at the kill time but does that matter? The userspace can use the oom_score_adj interface to prefer children to be killed before the parent. I looked at the history but it seems like this is there before git history.

Link: http://lkml.kernel.org/r/20190121215850.221745-1-shakeelb@google.com Reported-by: syzbot+7fbbfa368521945f0e3d@syzkaller.appspotmail.com Fixes: 6b0c81b3be11 ("mm, oom: reduce dependency on tasklist_lock") Signed-off-by: Shakeel Butt shakeelb@google.com Reviewed-by: Roman Gushchin guro@fb.com Acked-by: Michal Hocko mhocko@suse.com Cc: David Rientjes rientjes@google.com Cc: Johannes Weiner hannes@cmpxchg.org Cc: Tetsuo Handa penguin-kernel@i-love.sakura.ne.jp Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- mm/oom_kill.c | 8 ++++++++ 1 file changed, 8 insertions(+)

--- a/mm/oom_kill.c +++ b/mm/oom_kill.c @@ -466,6 +466,13 @@ void oom_kill_process(struct task_struct * still freeing memory. */ read_lock(&tasklist_lock); + + /* + * The task 'p' might have already exited before reaching here. The + * put_task_struct() will free task_struct 'p' while the loop still try + * to access the field of 'p', so, get an extra reference. + */ + get_task_struct(p); for_each_thread(p, t) { list_for_each_entry(child, &t->children, sibling) { unsigned int child_points; @@ -485,6 +492,7 @@ void oom_kill_process(struct task_struct } } } + put_task_struct(p); read_unlock(&tasklist_lock);

p = find_lock_task_mm(victim);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra peterz@infradead.org

commit 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438 upstream.

Jann reported that the ptrace_may_access() check in find_lively_task_by_vpid() is racy against exec().

Specifically:

perf_event_open() execve()

ptrace_may_access() commit_creds() ... if (get_dumpable() != SUID_DUMP_USER) perf_event_exit_task(); perf_install_in_context()

would result in installing a counter across the creds boundary.

Fix this by wrapping lots of perf_event_open() in cred_guard_mutex. This should be fine as perf_event_exit_task() is already called with cred_guard_mutex held, so all perf locks already nest inside it.

Reported-by: Jann Horn jannh@google.com Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Cc: Alexander Shishkin alexander.shishkin@linux.intel.com Cc: Arnaldo Carvalho de Melo acme@redhat.com Cc: Jiri Olsa jolsa@redhat.com Cc: Peter Zijlstra peterz@infradead.org Cc: Stephane Eranian eranian@google.com Cc: Thomas Gleixner tglx@linutronix.de Cc: Vince Weaver vincent.weaver@maine.edu Signed-off-by: Ingo Molnar mingo@kernel.org [bwh: Backported to 3.16: - Update another failure path in perf_event_open() - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/events/core.c | 52 ++++++++++++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 16 deletions(-)

--- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -936,6 +936,7 @@ static void put_ctx(struct perf_event_co * function. * * Lock order: + * cred_guard_mutex * task_struct::perf_event_mutex * perf_event_context::mutex * perf_event_context::lock @@ -3231,7 +3232,6 @@ static struct task_struct * find_lively_task_by_vpid(pid_t vpid) { struct task_struct *task; - int err;

rcu_read_lock(); if (!vpid) @@ -3245,16 +3245,7 @@ find_lively_task_by_vpid(pid_t vpid) if (!task) return ERR_PTR(-ESRCH);

- /* Reuse ptrace permission checks for now. */ - err = -EACCES; - if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) - goto errout; - return task; -errout: - put_task_struct(task); - return ERR_PTR(err); - }

/* @@ -7491,18 +7482,36 @@ SYSCALL_DEFINE5(perf_event_open,

get_online_cpus();

+ if (task) { + err = mutex_lock_interruptible(&task->signal->cred_guard_mutex); + if (err) + goto err_cpus; + + /* + * Reuse ptrace permission checks for now. + * + * We must hold cred_guard_mutex across this and any potential + * perf_install_in_context() call for this new event to + * serialize against exec() altering our credentials (and the + * perf_event_exit_task() that could imply). + */ + err = -EACCES; + if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) + goto err_cred; + } + event = perf_event_alloc(&attr, cpu, task, group_leader, NULL, NULL, NULL); if (IS_ERR(event)) { err = PTR_ERR(event); - goto err_cpus; + goto err_cred; }

if (flags & PERF_FLAG_PID_CGROUP) { err = perf_cgroup_connect(pid, event, &attr, group_leader); if (err) { __free_event(event); - goto err_cpus; + goto err_cred; } }

@@ -7552,11 +7561,6 @@ SYSCALL_DEFINE5(perf_event_open, goto err_alloc; }

- if (task) { - put_task_struct(task); - task = NULL; - } - /* * Look up the group leader (we will attach this event to it): */ @@ -7658,6 +7662,11 @@ SYSCALL_DEFINE5(perf_event_open,

WARN_ON_ONCE(ctx->parent_ctx);

+ /* + * This is the point on no return; we cannot fail hereafter. This is + * where we start modifying current state. + */ + if (move_group) { /* * Wait for everybody to stop referencing the events through @@ -7683,6 +7692,11 @@ SYSCALL_DEFINE5(perf_event_open, } mutex_unlock(&ctx->mutex);

+ if (task) { + mutex_unlock(&task->signal->cred_guard_mutex); + put_task_struct(task); + } + put_online_cpus();

event->owner = current; @@ -7722,6 +7736,9 @@ err_alloc: */ if (!event_file) free_event(event); +err_cred: + if (task) + mutex_unlock(&task->signal->cred_guard_mutex); err_cpus: put_online_cpus(); err_task: @@ -7956,6 +7973,9 @@ static void perf_event_exit_task_context

/* * When a child task exits, feed back event values to parent events. + * + * Can be called with cred_guard_mutex held when called from + * install_exec_creds(). */ void perf_event_exit_task(struct task_struct *child) {

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arend van Spriel arend@broadcom.com

commit 75effb03ee8e4c9d4bbc909118ce5444b047dfde upstream.

In rx path the firmware provide an interface index which is used to map to a struct brcmf_if instance. However, this involves some trick that is done in two places. This is changed by having driver core providing brcmf_get_ifp() function.

Reviewed-by: Hante Meuleman meuleman@broadcom.com Reviewed-by: Franky (Zhenhui) Lin frankyl@broadcom.com Reviewed-by: Pieter-Paul Giesberts pieterpg@broadcom.com Signed-off-by: Arend van Spriel arend@broadcom.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: - Drop changes to PCIe bus support - Adjust filenames] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c @@ -276,6 +276,7 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu struct sk_buff *pktbuf) { struct brcmf_proto_bcdc_header *h; + struct brcmf_if *ifp;

brcmf_dbg(BCDC, "Enter\n");

@@ -289,30 +290,21 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu trace_brcmf_bcdchdr(pktbuf->data); h = (struct brcmf_proto_bcdc_header *)(pktbuf->data);

- *ifidx = BCDC_GET_IF_IDX(h); - if (*ifidx >= BRCMF_MAX_IFS) { - brcmf_err("rx data ifnum out of range (%d)\n", *ifidx); + ifp = brcmf_get_ifp(drvr, BCDC_GET_IF_IDX(h)); + if (IS_ERR_OR_NULL(ifp)) { + brcmf_dbg(INFO, "no matching ifp found\n"); return -EBADE; } - /* The ifidx is the idx to map to matching netdev/ifp. When receiving - * events this is easy because it contains the bssidx which maps - * 1-on-1 to the netdev/ifp. But for data frames the ifidx is rcvd. - * bssidx 1 is used for p2p0 and no data can be received or - * transmitted on it. Therefor bssidx is ifidx + 1 if ifidx > 0 - */ - if (*ifidx) - (*ifidx)++; - if (((h->flags & BCDC_FLAG_VER_MASK) >> BCDC_FLAG_VER_SHIFT) != BCDC_PROTO_VER) { brcmf_err("%s: non-BCDC packet received, flags 0x%x\n", - brcmf_ifname(drvr, *ifidx), h->flags); + brcmf_ifname(drvr, ifp->ifidx), h->flags); return -EBADE; }

if (h->flags & BCDC_FLAG_SUM_GOOD) { brcmf_dbg(BCDC, "%s: BDC rcv, good checksum, flags 0x%x\n", - brcmf_ifname(drvr, *ifidx), h->flags); + brcmf_ifname(drvr, ifp->ifidx), h->flags); pktbuf->ip_summed = CHECKSUM_UNNECESSARY; }

@@ -320,12 +312,15 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu

skb_pull(pktbuf, BCDC_HEADER_LEN); if (do_fws) - brcmf_fws_hdrpull(drvr, *ifidx, h->data_offset << 2, pktbuf); + brcmf_fws_hdrpull(drvr, ifp->ifidx, h->data_offset << 2, + pktbuf); else skb_pull(pktbuf, h->data_offset << 2);

if (pktbuf->len == 0) return -ENODATA; + + *ifidx = ifp->ifidx; return 0; }

--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c @@ -81,6 +81,25 @@ char *brcmf_ifname(struct brcmf_pub *drv return "<if_none>"; }

+struct brcmf_if *brcmf_get_ifp(struct brcmf_pub *drvr, int ifidx) +{ + if (ifidx < 0 || ifidx >= BRCMF_MAX_IFS) { + brcmf_err("ifidx %d out of range\n", ifidx); + return ERR_PTR(-ERANGE); + } + + /* The ifidx is the idx to map to matching netdev/ifp. When receiving + * events this is easy because it contains the bssidx which maps + * 1-on-1 to the netdev/ifp. But for data frames the ifidx is rcvd. + * bssidx 1 is used for p2p0 and no data can be received or + * transmitted on it. Therefor bssidx is ifidx + 1 if ifidx > 0 + */ + if (ifidx) + ifidx++; + + return drvr->iflist[ifidx]; +} + static void _brcmf_set_multicast_list(struct work_struct *work) { struct brcmf_if *ifp; --- a/drivers/net/wireless/brcm80211/brcmfmac/dhd.h +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd.h @@ -178,7 +178,7 @@ int brcmf_netdev_wait_pend8021x(struct n

/* Return pointer to interface name */ char *brcmf_ifname(struct brcmf_pub *drvr, int idx); - +struct brcmf_if *brcmf_get_ifp(struct brcmf_pub *drvr, int ifidx); int brcmf_net_attach(struct brcmf_if *ifp, bool rtnl_locked); struct brcmf_if *brcmf_add_if(struct brcmf_pub *drvr, s32 bssidx, s32 ifidx, char *name, u8 *mac_addr);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arend van Spriel arend@broadcom.com

commit 9c349892ccc90c6de2baaa69cc78449f58082273 upstream.

Move event handling out of brcmf_netif_rx() avoiding the need to pass a flag. This flag is only ever true for USB hosts as other interface use separate brcmf_rx_event() function.

Reviewed-by: Hante Meuleman hante.meuleman@broadcom.com Reviewed-by: Pieter-Paul Giesberts pieter-paul.giesberts@broadcom.com Reviewed-by: Franky Lin franky.lin@broadcom.com Signed-off-by: Arend van Spriel arend@broadcom.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16 as dependency of commit a4176ec356c7 "brcmfmac: add subtype check for event handling in data path" - Drop changes to PCIe bus support - Adjust filenames] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h @@ -168,7 +168,7 @@ bool brcmf_c_prec_enq(struct device *dev int prec);

/* Receive frame for delivery to OS. Callee disposes of rxp. */ -void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_evnt); +void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_event); /* Receive async event packet from firmware. Callee disposes of rxp. */ void brcmf_rx_event(struct device *dev, struct sk_buff *rxp);

--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c @@ -306,18 +306,11 @@ void brcmf_txflowblock(struct device *de brcmf_fws_bus_blocked(drvr, state); }

-static void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb, - bool handle_event) +static void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb) { - skb->protocol = eth_type_trans(skb, ifp->ndev); - if (skb->pkt_type == PACKET_MULTICAST) ifp->stats.multicast++;

- /* Process special event packets */ - if (handle_event) - brcmf_fweh_process_skb(ifp->drvr, skb); - if (!(ifp->ndev->flags & IFF_UP)) { brcmu_pkt_buf_free_skb(skb); return; @@ -377,7 +370,7 @@ static void brcmf_rxreorder_process_info /* validate flags and flow id */ if (flags == 0xFF) { brcmf_err("invalid flags...so ignore this packet\n"); - brcmf_netif_rx(ifp, pkt, false); + brcmf_netif_rx(ifp, pkt); return; }

@@ -389,7 +382,7 @@ static void brcmf_rxreorder_process_info if (rfi == NULL) { brcmf_dbg(INFO, "received flags to cleanup, but no flow (%d) yet\n", flow_id); - brcmf_netif_rx(ifp, pkt, false); + brcmf_netif_rx(ifp, pkt); return; }

@@ -414,7 +407,7 @@ static void brcmf_rxreorder_process_info rfi = kzalloc(buf_size, GFP_ATOMIC); if (rfi == NULL) { brcmf_err("failed to alloc buffer\n"); - brcmf_netif_rx(ifp, pkt, false); + brcmf_netif_rx(ifp, pkt); return; }

@@ -528,11 +521,11 @@ static void brcmf_rxreorder_process_info netif_rx: skb_queue_walk_safe(&reorder_list, pkt, pnext) { __skb_unlink(pkt, &reorder_list); - brcmf_netif_rx(ifp, pkt, false); + brcmf_netif_rx(ifp, pkt); } }

-void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_evnt) +void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event) { struct brcmf_if *ifp; struct brcmf_bus *bus_if = dev_get_drvdata(dev); @@ -552,11 +545,18 @@ void brcmf_rx_frame(struct device *dev, return; }

+ skb->protocol = eth_type_trans(skb, ifp->ndev); + rd = (struct brcmf_skb_reorder_data *)skb->cb; - if (rd->reorder) + if (rd->reorder) { brcmf_rxreorder_process_info(ifp, rd->reorder, skb); - else - brcmf_netif_rx(ifp, skb, handle_evnt); + } else { + /* Process special event packets */ + if (handle_event) + brcmf_fweh_process_skb(ifp->drvr, skb); + + brcmf_netif_rx(ifp, skb); + } }

void brcmf_rx_event(struct device *dev, struct sk_buff *skb)

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky pshilov@microsoft.com

commit 082aaa8700415f6471ec9c5ef0c8307ca214989a upstream.

When doing reads beyound the end of a file the server returns error STATUS_END_OF_FILE error which is mapped to -ENODATA. Currently we report it as a failure which confuses read stats. Change it to not consider -ENODATA as failure for stat purposes.

Signed-off-by: Pavel Shilovsky pshilov@microsoft.com Signed-off-by: Steve French stfrench@microsoft.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/cifs/smb2pdu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1861,7 +1861,7 @@ smb2_readv_callback(struct mid_q_entry * rdata->result = -EIO; }

- if (rdata->result) + if (rdata->result && rdata->result != -ENODATA) cifs_stats_fail_inc(tcon, SMB2_READ_HE);

queue_work(cifsiod_wq, &rdata->work);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi mszeredi@redhat.com

commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream.

NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not the page cache page.

Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites") Signed-off-by: Miklos Szeredi mszeredi@redhat.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/fuse/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1846,7 +1846,7 @@ static bool fuse_writepage_in_flight(str spin_unlock(&fc->lock);

dec_bdi_stat(bdi, BDI_WRITEBACK); - dec_zone_page_state(page, NR_WRITEBACK_TEMP); + dec_zone_page_state(new_req->pages[0], NR_WRITEBACK_TEMP); bdi_writeout_inc(bdi); fuse_writepage_free(fc, new_req); fuse_request_free(new_req);

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Shubhrajyoti Datta shubhrajyoti.datta@xilinx.com

commit d358def706880defa4c9e87381c5bf086a97d5f9 upstream.

In case the hold bit is not needed we are carrying the old values. Fix the same by resetting the bit when not needed.

Fixes the sporadic i2c bus lockups on National Instruments Zynq-based devices.

Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") Reported-by: Kyle Roeschley kyle.roeschley@ni.com Acked-by: Michal Simek michal.simek@xilinx.com Signed-off-by: Shubhrajyoti Datta shubhrajyoti.datta@xilinx.com Tested-by: Kyle Roeschley kyle.roeschley@ni.com Signed-off-by: Wolfram Sang wsa@the-dreams.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/i2c/busses/i2c-cadence.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/i2c/busses/i2c-cadence.c +++ b/drivers/i2c/busses/i2c-cadence.c @@ -320,8 +320,10 @@ static void cdns_i2c_mrecv(struct cdns_i * Check for the message size against FIFO depth and set the * 'hold bus' bit if it is greater than FIFO depth. */ - if (id->recv_count > CDNS_I2C_FIFO_DEPTH) + if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ctrl_reg |= CDNS_I2C_CR_HOLD; + else + ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;

cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);

@@ -375,8 +377,11 @@ static void cdns_i2c_msend(struct cdns_i * Check for the message size against FIFO depth and set the * 'hold bus' bit if it is greater than FIFO depth. */ - if (id->send_count > CDNS_I2C_FIFO_DEPTH) + if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ctrl_reg |= CDNS_I2C_CR_HOLD; + else + ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);

/* Clear the interrupts in interrupt status register. */

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hui Peng benquike@163.com

commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.

In `create_composite_quirk`, the terminating condition of for loops is `quirk->ifnum < 0`. So any composite quirks should end with `struct snd_usb_audio_quirk` object with ifnum < 0.

for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {

..... }

the data field of Bower's & Wilkins PX headphones usb device device quirks do not end with {.ifnum = -1}, wihch may result in out-of-bound read.

This Patch fix the bug by adding an ending quirk object.

Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones") Signed-off-by: Hui Peng benquike@163.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/usb/quirks-table.h | 6 ++++++ 1 file changed, 6 insertions(+)

--- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -3304,6 +3304,12 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge } } }, + { + .ifnum = -1 + }, + { + .ifnum = -1 + }, } } },

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" ebiederm@xmission.com

commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.

Recently syzkaller was able to create unkillablle processes by creating a timer that is delivered as a thread local signal on SIGHUP, and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing to deliver SIGHUP but always trying.

Upon examination it turns out part of the problem is actually most of the solution. Since 2.5 signal delivery has found all fatal signals, marked the signal group for death, and queued SIGKILL in every threads thread queue relying on signal->group_exit_code to preserve the information of which was the actual fatal signal.

The conversion of all fatal signals to SIGKILL results in the synchronous signal heuristic in next_signal kicking in and preferring SIGHUP to SIGKILL. Which is especially problematic as all fatal signals have already been transformed into SIGKILL.

Instead of dequeueing signals and depending upon SIGKILL to be the first signal dequeued, first test if the signal group has already been marked for death. This guarantees that nothing in the signal queue can prevent a process that needs to exit from exiting.

Tested-by: Dmitry Vyukov dvyukov@google.com Reported-by: Dmitry Vyukov dvyukov@google.com Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4") History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/signal.c | 6 ++++++ 1 file changed, 6 insertions(+)

--- a/kernel/signal.c +++ b/kernel/signal.c @@ -2231,6 +2231,11 @@ relock: goto relock; }

+ /* Has this task already been marked for death? */ + ksig->info.si_signo = signr = SIGKILL; + if (signal_group_exit(signal)) + goto fatal; + for (;;) { struct k_sigaction *ka;

@@ -2326,6 +2331,7 @@ relock: continue; }

+ fatal: spin_unlock_irq(&sighand->siglock);

/*

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jann Horn jannh@google.com

commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.

security_mmap_addr() does a capability check with current_cred(), but we can reach this code from contexts like a VFS write handler where current_cred() must not be used.

This can be abused on systems without SMAP to make NULL pointer dereferences exploitable again.

Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses") Signed-off-by: Jann Horn jannh@google.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- mm/mmap.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/mm/mmap.c +++ b/mm/mmap.c @@ -2244,12 +2244,11 @@ int expand_downwards(struct vm_area_stru unsigned long address) { struct vm_area_struct *prev; - int error; + int error = 0;

address &= PAGE_MASK; - error = security_mmap_addr(address); - if (error) - return error; + if (address < mmap_min_addr) + return -EPERM;

/* Enforce stack_guard_gap */ prev = vma->vm_prev;

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov oleg@redhat.com

commit 32e4e6d5cbb0c0e427391635991fe65e17797af8 upstream.

expand_stack(vma) fails if address < stack_guard_gap even if there is no vma->vm_prev. I don't think this makes sense, and we didn't do this before the recent commit 1be7107fbe18 ("mm: larger stack guard gap, between vmas").

We do not need a gap in this case, any address is fine as long as security_mmap_addr() doesn't object.

This also simplifies the code, we know that address >= prev->vm_end and thus underflow is not possible.

Link: http://lkml.kernel.org/r/20170628175258.GA24881@redhat.com Signed-off-by: Oleg Nesterov oleg@redhat.com Acked-by: Michal Hocko mhocko@suse.com Cc: Hugh Dickins hughd@google.com Cc: Larry Woodman lwoodman@redhat.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- mm/mmap.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-)

--- a/mm/mmap.c +++ b/mm/mmap.c @@ -2244,7 +2244,6 @@ int expand_downwards(struct vm_area_stru unsigned long address) { struct vm_area_struct *prev; - unsigned long gap_addr; int error;

address &= PAGE_MASK; @@ -2253,15 +2252,12 @@ int expand_downwards(struct vm_area_stru return error;

/* Enforce stack_guard_gap */ - gap_addr = address - stack_guard_gap; - if (gap_addr > address) - return -ENOMEM; prev = vma->vm_prev; - if (prev && prev->vm_end > gap_addr && + /* Check that both stack segments have the same anon_vma? */ + if (prev && !(prev->vm_flags & VM_GROWSDOWN) && (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) { - if (!(prev->vm_flags & VM_GROWSDOWN)) + if (address - prev->vm_end < stack_guard_gap) return -ENOMEM; - /* Check that both stack segments have the same anon_vma? */ }

/* We must make sure the anon_vma is allocated. */

3.16.66-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski luto@kernel.org

commit 2a418cf3f5f1caf911af288e978d61c9844b0695 upstream.

When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection.

Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC.

This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source.

[ bp: Massage commit message and fixed up whitespace. ]

Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski luto@kernel.org Signed-off-by: Borislav Petkov bp@suse.de Acked-by: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Brian Gerst brgerst@gmail.com Cc: Josh Poimboeuf jpoimboe@redhat.com Cc: Denys Vlasenko dvlasenk@redhat.com Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -311,8 +311,7 @@ do { \ __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \ break; \ case 8: \ - __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \ - errret); \ + __put_user_asm_u64(x, ptr, retval, errret); \ break; \ default: \ __put_user_bad(); \ @@ -423,8 +422,10 @@ do { \ #define __put_user_nocheck(x, ptr, size) \ ({ \ int __pu_err; \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \ + __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT); \ __uaccess_end(); \ __pu_err; \ })