Permalink
Commits on May 16, 2017
  1. Merge tag 'v4.4.68' into linux-4.4-at91

    noglitch committed May 16, 2017
    This is the 4.4.68 stable release
  2. at91: isc: integrate pipeline

    Songjun Wu authored and noglitch committed May 16, 2017
    Integrate pipeline.
    
    Signed-off-by: Songjun Wu <songjun.wu@microchip.com>
Commits on May 14, 2017
  1. Linux 4.4.68

    gregkh committed May 14, 2017
  2. block: get rid of blk_integrity_revalidate()

    idryomov authored and gregkh committed Apr 18, 2017
    commit 19b7ccf upstream.
    
    Commit 25520d5 ("block: Inline blk_integrity in struct gendisk")
    introduced blk_integrity_revalidate(), which seems to assume ownership
    of the stable pages flag and unilaterally clears it if no blk_integrity
    profile is registered:
    
        if (bi->profile)
                disk->queue->backing_dev_info->capabilities |=
                        BDI_CAP_STABLE_WRITES;
        else
                disk->queue->backing_dev_info->capabilities &=
                        ~BDI_CAP_STABLE_WRITES;
    
    It's called from revalidate_disk() and rescan_partitions(), making it
    impossible to enable stable pages for drivers that support partitions
    and don't use blk_integrity: while the call in revalidate_disk() can be
    trivially worked around (see zram, which doesn't support partitions and
    hence gets away with zram_revalidate_disk()), rescan_partitions() can
    be triggered from userspace at any time.  This breaks rbd, where the
    ceph messenger is responsible for generating/verifying CRCs.
    
    Since blk_integrity_{un,}register() "must" be used for (un)registering
    the integrity profile with the block layer, move BDI_CAP_STABLE_WRITES
    setting there.  This way drivers that call blk_integrity_register() and
    use integrity infrastructure won't interfere with drivers that don't
    but still want stable pages.
    
    Fixes: 25520d5 ("block: Inline blk_integrity in struct gendisk")
    Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Mike Snitzer <snitzer@redhat.com>
    Tested-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    [idryomov@gmail.com: backport to < 4.11: bdi is embedded in queue]
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. drm/ttm: fix use-after-free races in vm fault handling

    Nicolai Hähnle authored and gregkh committed Feb 18, 2017
    commit 3089c1d upstream.
    
    The vm fault handler relies on the fact that the VMA owns a reference
    to the BO. However, once mmap_sem is released, other tasks are free to
    destroy the VMA, which can lead to the BO being freed. Fix two code
    paths where that can happen, both related to vm fault retries.
    
    Found via a lock debugging warning which flagged &bo->wu_mutex as
    locked while being destroyed.
    
    Fixes: cbe12e7 ("drm/ttm: Allow vm fault retries")
    Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. f2fs: sanity check segment count

    Jin Qian authored and gregkh committed Apr 25, 2017
    commit b9dd461 upstream.
    
    F2FS uses 4 bytes to represent block address. As a result, supported
    size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.
    
    Signed-off-by: Jin Qian <jinqian@google.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. bnxt_en: allocate enough space for ->ntp_fltr_bmap

    Dan Carpenter authored and gregkh committed May 6, 2017
    [ Upstream commit ac45bd9 ]
    
    We have the number of longs, but we need to calculate the number of
    bytes required.
    
    Fixes: c0c050c ("bnxt_en: New Broadcom ethernet driver.")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  6. ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf

    congwang authored and gregkh committed May 8, 2017
    [ Upstream commit 242d3a4 ]
    
    For each netns (except init_net), we initialize its null entry
    in 3 places:
    
    1) The template itself, as we use kmemdup()
    2) Code around dst_init_metrics() in ip6_route_net_init()
    3) ip6_route_dev_notify(), which is supposed to initialize it after
       loopback registers
    
    Unfortunately the last one still happens in a wrong order because
    we expect to initialize net->ipv6.ip6_null_entry->rt6i_idev to
    net->loopback_dev's idev, thus we have to do that after we add
    idev to loopback. However, this notifier has priority == 0 same as
    ipv6_dev_notf, and ipv6_dev_notf is registered after
    ip6_route_dev_notifier so it is called actually after
    ip6_route_dev_notifier. This is similar to commit 2f46093
    ("ipv6: initialize route null entry in addrconf_init()") which
    fixes init_net.
    
    Fix it by picking a smaller priority for ip6_route_dev_notifier.
    Also, we have to release the refcnt accordingly when unregistering
    loopback_dev because device exit functions are called before subsys
    exit functions.
    
    Acked-by: David Ahern <dsahern@gmail.com>
    Tested-by: David Ahern <dsahern@gmail.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  7. ipv6: initialize route null entry in addrconf_init()

    congwang authored and gregkh committed May 4, 2017
    [ Upstream commit 2f46093 ]
    
    Andrey reported a crash on init_net.ipv6.ip6_null_entry->rt6i_idev
    since it is always NULL.
    
    This is clearly wrong, we have code to initialize it to loopback_dev,
    unfortunately the order is still not correct.
    
    loopback_dev is registered very early during boot, we lose a chance
    to re-initialize it in notifier. addrconf_init() is called after
    ip6_route_init(), which means we have no chance to correct it.
    
    Fix it by moving this initialization explicitly after
    ipv6_add_dev(init_net.loopback_dev) in addrconf_init().
    
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Tested-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  8. rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string

    michich authored and gregkh committed May 4, 2017
    [ Upstream commit 77ef033 ]
    
    IFLA_PHYS_PORT_NAME is a string attribute, so terminate it with \0.
    Otherwise libnl3 fails to validate netlink messages with this attribute.
    "ip -detail a" assumes too that the attribute is NUL-terminated when
    printing it. It often was, due to padding.
    
    I noticed this as libvirtd failing to start on a system with sfc driver
    after upgrading it to Linux 4.11, i.e. when sfc added support for
    phys_port_name.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. ipv4, ipv6: ensure raw socket message is big enough to hold an IP header

    ramosian-glider authored and gregkh committed May 3, 2017
    [ Upstream commit 86f4c90 ]
    
    raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
    from the userspace contains the IPv4/IPv6 header, so if too few bytes are
    copied, parts of the header may remain uninitialized.
    
    This bug has been detected with KMSAN.
    
    For the record, the KMSAN report:
    
    ==================================================================
    BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
    inter: 0
    CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:16
     dump_stack+0x143/0x1b0 lib/dump_stack.c:52
     kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
     __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
     nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
     ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
     nf_hook_entry_hookfn ./include/linux/netfilter.h:102
     nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
     nf_hook ./include/linux/netfilter.h:212
     NF_HOOK ./include/linux/netfilter.h:255
     rawv6_send_hdrinc net/ipv6/raw.c:673
     rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
     inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
     sock_sendmsg_nosec net/socket.c:633
     sock_sendmsg net/socket.c:643
     SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
     SyS_sendto+0xbc/0xe0 net/socket.c:1664
     do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
     entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
    RIP: 0033:0x436e03
    RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
    RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
    origin: 00000000d9400053
     save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
     kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
     kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
     slab_alloc_node mm/slub.c:2735
     __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
     __kmalloc_reserve net/core/skbuff.c:138
     __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
     alloc_skb ./include/linux/skbuff.h:933
     alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
     sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
     sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
     rawv6_send_hdrinc net/ipv6/raw.c:638
     rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
     inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
     sock_sendmsg_nosec net/socket.c:633
     sock_sendmsg net/socket.c:643
     SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
     SyS_sendto+0xbc/0xe0 net/socket.c:1664
     do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
     return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
    ==================================================================
    
    , triggered by the following syscalls:
      socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
      sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM
    
    A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
    instead of a PF_INET6 one.
    
    Signed-off-by: Alexander Potapenko <glider@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  10. tcp: do not inherit fastopen_req from parent

    Eric Dumazet authored and gregkh committed May 3, 2017
    [ Upstream commit 8b485ce ]
    
    Under fuzzer stress, it is possible that a child gets a non NULL
    fastopen_req pointer from its parent at accept() time, when/if parent
    morphs from listener to active session.
    
    We need to make sure this can not happen, by clearing the field after
    socket cloning.
    
    BUG: Double free or freeing an invalid pointer
    Unexpected shadow byte: 0xFB
    CPU: 3 PID: 20933 Comm: syz-executor3 Not tainted 4.11.0+ #306
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
    01/01/2011
    Call Trace:
     <IRQ>
     __dump_stack lib/dump_stack.c:16 [inline]
     dump_stack+0x292/0x395 lib/dump_stack.c:52
     kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
     kasan_report_double_free+0x5c/0x70 mm/kasan/report.c:185
     kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:580
     slab_free_hook mm/slub.c:1357 [inline]
     slab_free_freelist_hook mm/slub.c:1379 [inline]
     slab_free mm/slub.c:2961 [inline]
     kfree+0xe8/0x2b0 mm/slub.c:3882
     tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline]
     tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328
     inet_child_forget+0xb8/0x600 net/ipv4/inet_connection_sock.c:898
     inet_csk_reqsk_queue_add+0x1e7/0x250
    net/ipv4/inet_connection_sock.c:928
     tcp_get_cookie_sock+0x21a/0x510 net/ipv4/syncookies.c:217
     cookie_v4_check+0x1a19/0x28b0 net/ipv4/syncookies.c:384
     tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1384 [inline]
     tcp_v4_do_rcv+0x731/0x940 net/ipv4/tcp_ipv4.c:1421
     tcp_v4_rcv+0x2dc0/0x31c0 net/ipv4/tcp_ipv4.c:1715
     ip_local_deliver_finish+0x4cc/0xc20 net/ipv4/ip_input.c:216
     NF_HOOK include/linux/netfilter.h:257 [inline]
     ip_local_deliver+0x1ce/0x700 net/ipv4/ip_input.c:257
     dst_input include/net/dst.h:492 [inline]
     ip_rcv_finish+0xb1d/0x20b0 net/ipv4/ip_input.c:396
     NF_HOOK include/linux/netfilter.h:257 [inline]
     ip_rcv+0xd8c/0x19c0 net/ipv4/ip_input.c:487
     __netif_receive_skb_core+0x1ad1/0x3400 net/core/dev.c:4210
     __netif_receive_skb+0x2a/0x1a0 net/core/dev.c:4248
     process_backlog+0xe5/0x6c0 net/core/dev.c:4868
     napi_poll net/core/dev.c:5270 [inline]
     net_rx_action+0xe70/0x18e0 net/core/dev.c:5335
     __do_softirq+0x2fb/0xb99 kernel/softirq.c:284
     do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:899
     </IRQ>
     do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
     do_softirq kernel/softirq.c:176 [inline]
     __local_bh_enable_ip+0x1cf/0x1e0 kernel/softirq.c:181
     local_bh_enable include/linux/bottom_half.h:31 [inline]
     rcu_read_unlock_bh include/linux/rcupdate.h:931 [inline]
     ip_finish_output2+0x9ab/0x15e0 net/ipv4/ip_output.c:230
     ip_finish_output+0xa35/0xdf0 net/ipv4/ip_output.c:316
     NF_HOOK_COND include/linux/netfilter.h:246 [inline]
     ip_output+0x1f6/0x7b0 net/ipv4/ip_output.c:404
     dst_output include/net/dst.h:486 [inline]
     ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
     ip_queue_xmit+0x9a8/0x1a10 net/ipv4/ip_output.c:503
     tcp_transmit_skb+0x1ade/0x3470 net/ipv4/tcp_output.c:1057
     tcp_write_xmit+0x79e/0x55b0 net/ipv4/tcp_output.c:2265
     __tcp_push_pending_frames+0xfa/0x3a0 net/ipv4/tcp_output.c:2450
     tcp_push+0x4ee/0x780 net/ipv4/tcp.c:683
     tcp_sendmsg+0x128d/0x39b0 net/ipv4/tcp.c:1342
     inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
     sock_sendmsg_nosec net/socket.c:633 [inline]
     sock_sendmsg+0xca/0x110 net/socket.c:643
     SYSC_sendto+0x660/0x810 net/socket.c:1696
     SyS_sendto+0x40/0x50 net/socket.c:1664
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x446059
    RSP: 002b:00007faa6761fb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000000446059
    RDX: 0000000000000001 RSI: 0000000020ba3fcd RDI: 0000000000000017
    RBP: 00000000006e40a0 R08: 0000000020ba4ff0 R09: 0000000000000010
    R10: 0000000020000000 R11: 0000000000000282 R12: 0000000000708150
    R13: 0000000000000000 R14: 00007faa676209c0 R15: 00007faa67620700
    Object at ffff88003b5bbcb8, in cache kmalloc-64 size: 64
    Allocated:
    PID = 20909
     save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
     save_stack+0x43/0xd0 mm/kasan/kasan.c:513
     set_track mm/kasan/kasan.c:525 [inline]
     kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
     kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745
     kmalloc include/linux/slab.h:490 [inline]
     kzalloc include/linux/slab.h:663 [inline]
     tcp_sendmsg_fastopen net/ipv4/tcp.c:1094 [inline]
     tcp_sendmsg+0x221a/0x39b0 net/ipv4/tcp.c:1139
     inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
     sock_sendmsg_nosec net/socket.c:633 [inline]
     sock_sendmsg+0xca/0x110 net/socket.c:643
     SYSC_sendto+0x660/0x810 net/socket.c:1696
     SyS_sendto+0x40/0x50 net/socket.c:1664
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    Freed:
    PID = 20909
     save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
     save_stack+0x43/0xd0 mm/kasan/kasan.c:513
     set_track mm/kasan/kasan.c:525 [inline]
     kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
     slab_free_hook mm/slub.c:1357 [inline]
     slab_free_freelist_hook mm/slub.c:1379 [inline]
     slab_free mm/slub.c:2961 [inline]
     kfree+0xe8/0x2b0 mm/slub.c:3882
     tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline]
     tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328
     __inet_stream_connect+0x20c/0xf90 net/ipv4/af_inet.c:593
     tcp_sendmsg_fastopen net/ipv4/tcp.c:1111 [inline]
     tcp_sendmsg+0x23a8/0x39b0 net/ipv4/tcp.c:1139
     inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
     sock_sendmsg_nosec net/socket.c:633 [inline]
     sock_sendmsg+0xca/0x110 net/socket.c:643
     SYSC_sendto+0x660/0x810 net/socket.c:1696
     SyS_sendto+0x40/0x50 net/socket.c:1664
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    
    Fixes: e994b2f ("tcp: do not lock listener to process SYN packets")
    Fixes: 7db9236 ("tcp: fix potential double free issue for fastopen_req")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Acked-by: Wei Wang <weiwan@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  11. tcp: fix wraparound issue in tcp_lp

    Eric Dumazet authored and gregkh committed May 1, 2017
    [ Upstream commit a9f11f9 ]
    
    Be careful when comparing tcp_time_stamp to some u32 quantity,
    otherwise result can be surprising.
    
    Fixes: 7c106d7 ("[TCP]: TCP Low Priority congestion control")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  12. bpf, arm64: fix jit branch offset related to ldimm64

    borkmann authored and gregkh committed May 2, 2017
    [ Upstream commit ddc665a ]
    
    When the instruction right before the branch destination is
    a 64 bit load immediate, we currently calculate the wrong
    jump offset in the ctx->offset[] array as we only account
    one instruction slot for the 64 bit load immediate although
    it uses two BPF instructions. Fix it up by setting the offset
    into the right slot after we incremented the index.
    
    Before (ldimm64 test 1):
    
      [...]
      00000020:  52800007  mov w7, #0x0 // #0
      00000024:  d2800060  mov x0, #0x3 // #3
      00000028:  d2800041  mov x1, #0x2 // #2
      0000002c:  eb01001f  cmp x0, x1
      00000030:  54ffff82  b.cs 0x00000020
      00000034:  d29fffe7  mov x7, #0xffff // #65535
      00000038:  f2bfffe7  movk x7, #0xffff, lsl #16
      0000003c:  f2dfffe7  movk x7, #0xffff, lsl #32
      00000040:  f2ffffe7  movk x7, #0xffff, lsl #48
      00000044:  d29dddc7  mov x7, #0xeeee // #61166
      00000048:  f2bdddc7  movk x7, #0xeeee, lsl #16
      0000004c:  f2ddddc7  movk x7, #0xeeee, lsl #32
      00000050:  f2fdddc7  movk x7, #0xeeee, lsl #48
      [...]
    
    After (ldimm64 test 1):
    
      [...]
      00000020:  52800007  mov w7, #0x0 // #0
      00000024:  d2800060  mov x0, #0x3 // #3
      00000028:  d2800041  mov x1, #0x2 // #2
      0000002c:  eb01001f  cmp x0, x1
      00000030:  540000a2  b.cs 0x00000044
      00000034:  d29fffe7  mov x7, #0xffff // #65535
      00000038:  f2bfffe7  movk x7, #0xffff, lsl #16
      0000003c:  f2dfffe7  movk x7, #0xffff, lsl #32
      00000040:  f2ffffe7  movk x7, #0xffff, lsl #48
      00000044:  d29dddc7  mov x7, #0xeeee // #61166
      00000048:  f2bdddc7  movk x7, #0xeeee, lsl #16
      0000004c:  f2ddddc7  movk x7, #0xeeee, lsl #32
      00000050:  f2fdddc7  movk x7, #0xeeee, lsl #48
      [...]
    
    Also, add a couple of test cases to make sure JITs pass
    this test. Tested on Cavium ThunderX ARMv8. The added
    test cases all pass after the fix.
    
    Fixes: 8eee539 ("arm64: bpf: fix out-of-bounds read in bpf2a64_offset()")
    Reported-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    Cc: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. tcp: do not underestimate skb->truesize in tcp_trim_head()

    Eric Dumazet authored and gregkh committed Apr 27, 2017
    [ Upstream commit 7162fb2 ]
    
    Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
    skb_try_coalesce() using syzkaller and a filter attached to a TCP
    socket over loopback interface.
    
    I believe one issue with looped skbs is that tcp_trim_head() can end up
    producing skb with under estimated truesize.
    
    It hardly matters for normal conditions, since packets sent over
    loopback are never truncated.
    
    Bytes trimmed from skb->head should not change skb truesize, since
    skb->head is not reallocated.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Tested-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  14. ALSA: hda - Fix deadlock of controller device lock at unbinding

    tiwai authored and gregkh committed Jan 2, 2017
    commit ab949d5 upstream.
    
    Imre Deak reported a deadlock of HD-audio driver at unbinding while
    it's still in probing.  Since we probe the codecs asynchronously in a
    work, the codec driver probe may still be kicked off while the
    controller itself is being unbound.  And, azx_remove() tries to
    process all pending tasks via cancel_work_sync() for fixing the other
    races (see commit [0b8c821: ALSA: hda - Cancel probe work instead
    of flush at remove]), now we may meet a bizarre deadlock:
    
    Unbind snd_hda_intel via sysfs:
      device_release_driver() ->
        device_lock(snd_hda_intel) ->
          azx_remove() ->
            cancel_work_sync(azx_probe_work)
    
    azx_probe_work():
      codec driver probe() ->
         __driver_attach() ->
           device_lock(snd_hda_intel)
    
    This deadlock is caused by the fact that both device_release_driver()
    and driver_probe_device() take both the device and its parent locks at
    the same time.  The codec device sets the controller device as its
    parent, and this lock is taken before the probe() callback is called,
    while the controller remove() callback gets called also with the same
    lock.
    
    In this patch, as an ugly workaround, we unlock the controller device
    temporarily during cancel_work_sync() call.  The race against another
    bind call should be still suppressed by the parent's device lock.
    
    Reported-by: Imre Deak <imre.deak@intel.com>
    Fixes: 0b8c821 ("ALSA: hda - Cancel probe work instead of flush at remove")
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  15. staging: emxx_udc: remove incorrect __init annotations

    arndb authored and gregkh committed Dec 16, 2016
    commit 4f34450 upstream.
    
    The probe function is not marked __init, but some other functions
    are. This leads to a warning on older compilers (e.g. gcc-4.3),
    and can cause executing freed memory when built with those
    compilers:
    
    WARNING: drivers/staging/emxx_udc/emxx_udc.o(.text+0x2d78): Section mismatch in reference from the function nbu2ss_drv_probe() to the function .init.text:nbu2ss_drv_contest_init()
    
    This removes the annotations.
    
    Fixes: 33aa8d4 ("staging: emxx_udc: Add Emma Mobile USB Gadget driver")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16. staging: wlan-ng: add missing byte order conversion

    ipylypiv authored and gregkh committed Jan 31, 2017
    commit 2c474b8 upstream.
    
    Conversion macros le16_to_cpu was removed and that caused new sparse warning
    
    sparse output:
    drivers/staging/wlan-ng/p80211netdev.c:241:44: warning: incorrect type in argument 2 (different base types)
    drivers/staging/wlan-ng/p80211netdev.c:241:44:    expected unsigned short [unsigned] [usertype] fc
    drivers/staging/wlan-ng/p80211netdev.c:241:44:    got restricted __le16 [usertype] fc
    
    Fixes: 7ad8257 ("staging:wlan-ng:Fix sparse warning")
    Signed-off-by: Igor Pylypiv <igor.pylypiv@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  17. brcmfmac: Make skb header writable before use

    JamesH65 authored and gregkh committed Apr 25, 2017
    commit 9cc4b7c upstream.
    
    The driver was making changes to the skb_header without
    ensuring it was writable (i.e. uncloned).
    This patch also removes some boiler plate header size
    checking/adjustment code as that is also handled by the
    skb_cow_header function used to make header writable.
    
    Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
    Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18. brcmfmac: Ensure pointer correctly set if skb data location changes

    JamesH65 authored and gregkh committed Apr 24, 2017
    commit 455a1eb upstream.
    
    The incoming skb header may be resized if header space is
    insufficient, which might change the data adddress in the skb.
    Ensure that a cached pointer to that data is correctly set by
    moving assignment to after any possible changes.
    
    Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
    Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19. MIPS: R2-on-R6 MULTU/MADDU/MSUBU emulation bugfix

    Leonid Yegoshin authored and gregkh committed Aug 25, 2016
    commit d65e567 upstream.
    
    MIPS instructions MULTU, MADDU and MSUBU emulation requires registers HI/LO
    to be converted to signed 32bits before 64bit sign extension on MIPS64.
    
    Bug was found on running MIPS32 R2 test application on MIPS64 R6 kernel.
    
    Fixes: b0a668f ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6")
    Signed-off-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
    Reported-by: Nikola.Veljkovic@imgtec.com
    Cc: paul.burton@imgtec.com
    Cc: yamada.masahiro@socionext.com
    Cc: akpm@linux-foundation.org
    Cc: andrea.gelmini@gelma.net
    Cc: macro@imgtec.com
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14043/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  20. scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m

    fthain authored and gregkh committed Feb 22, 2017
    commit 2559a1e upstream.
    
    The mac_scsi driver still gets disabled when SCSI=m. This should have
    been fixed back when I enabled the tristate but I didn't see the bug.
    
    Fixes: 6e9ae6d ("[PATCH] mac_scsi: Add module option to Kconfig")
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21. serial: 8250_omap: Fix probe and remove for PM runtime

    tmlind authored and gregkh committed Jan 20, 2017
    commit 4e0f5cc upstream.
    
    Otherwise the interconnect related code implementing PM runtime will
    produce these errors on a failed probe:
    
    omap_uart 48066000.serial: omap_device: omap_device_enable() called from invalid state 1
    omap_uart 48066000.serial: use pm_runtime_put_sync_suspend() in driver?
    
    Note that we now also need to check for priv in omap8250_runtime_suspend()
    as it has not yet been registered if probe fails. And we need to use
    pm_runtime_put_sync() to properly idle the device like we already do
    in omap8250_remove().
    
    Fixes: 61929cf ("tty: serial: Add 8250-core based omap driver")
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22. phy: qcom-usb-hs: Add depends on EXTCON

    bebarino authored and gregkh committed Mar 9, 2017
    commit 1a09b6a upstream.
    
    We get the following compile errors if EXTCON is enabled as a
    module but this driver is builtin:
    
    drivers/built-in.o: In function `qcom_usb_hs_phy_power_off':
    phy-qcom-usb-hs.c:(.text+0x1089): undefined reference to `extcon_unregister_notifier'
    drivers/built-in.o: In function `qcom_usb_hs_phy_probe':
    phy-qcom-usb-hs.c:(.text+0x11b5): undefined reference to `extcon_get_edev_by_phandle'
    drivers/built-in.o: In function `qcom_usb_hs_phy_power_on':
    phy-qcom-usb-hs.c:(.text+0x128e): undefined reference to `extcon_get_state'
    phy-qcom-usb-hs.c:(.text+0x12a9): undefined reference to `extcon_register_notifier'
    
    so let's mark this as needing to follow the modular status of
    the extcon framework.
    
    Fixes: 9994a33 e2427b0 (phy: Add support for Qualcomm's USB HS phy")
    Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
    Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23. USB: serial: io_edgeport: fix descriptor error handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit 3c0e25d upstream.
    
    Make sure to detect short control-message transfers and log an error
    when reading incomplete manufacturer and boot descriptors.
    
    Note that the default all-zero descriptors will now be used after a
    short transfer is detected instead of partially initialised ones.
    
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  24. USB: serial: mct_u232: fix modem-status error handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit 36356a6 upstream.
    
    Make sure to detect short control-message transfers so that errors are
    logged when reading the modem status at open.
    
    Note that while this also avoids initialising the modem status using
    uninitialised heap data, these bits could not leak to user space as they
    are currently not used.
    
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  25. USB: serial: quatech2: fix control-message error handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit 8c34cb8 upstream.
    
    Make sure to detect short control-message transfers when fetching
    modem and line state in open and when retrieving registers.
    
    This specifically makes sure that an errno is returned to user space on
    errors in TIOCMGET instead of a zero bitmask.
    
    Also drop the unused getdevice function which also lacked appropriate
    error handling.
    
    Fixes: f7a33e6 ("USB: serial: add quatech2 usb to serial driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  26. USB: serial: ftdi_sio: fix latency-timer error handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit e3e574a upstream.
    
    Make sure to detect short responses when reading the latency timer to
    avoid using stale buffer data.
    
    Note that no heap data would currently leak through sysfs as
    ASYNC_LOW_LATENCY is set by default.
    
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  27. USB: serial: ark3116: fix open error handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit b631433 upstream.
    
    Fix open error handling which failed to detect errors when reading the
    MSR and LSR registers, something which could lead to the shadow
    registers being initialised from errnos.
    
    Note that calling the generic close implementation is sufficient in the
    error paths as the interrupt urb has not yet been submitted and the
    register updates have not been made.
    
    Fixes: f4c1e8d ("USB: ark3116: Make existing functions 16450-aware
    and add close and release functions.")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  28. USB: serial: ti_usb_3410_5052: fix control-message error handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit 39712e8 upstream.
    
    Make sure to detect and return an error on zero-length control-message
    transfers when reading from the device.
    
    This addresses a potential failure to detect an empty transmit buffer
    during close.
    
    Also remove a redundant check for short transfer when sending a command.
    
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29. USB: serial: io_edgeport: fix epic-descriptor handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit e4457d9 upstream.
    
    Use a dedicated buffer for the DMA transfer and make sure to detect
    short transfers to avoid parsing a corrupt descriptor.
    
    Fixes: 6e8cf77 ("USB: add EPIC support to the io_edgeport driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  30. USB: serial: ssu100: fix control-message error handling

    jhovold authored and gregkh committed Jan 12, 2017
    commit 1eac5c2 upstream.
    
    Make sure to detect short control-message transfers rather than continue
    with zero-initialised data when retrieving modem status and during
    device initialisation.
    
    Fixes: 52af954 ("USB: add USB serial ssu100 driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  31. USB: serial: digi_acceleport: fix incomplete rx sanity check

    jhovold authored and gregkh committed Jan 31, 2017
    commit 1b0aed2 upstream.
    
    Make sure the received data has the required headers before parsing it.
    
    Also drop the redundant urb-status check, which has already been handled
    by the caller.
    
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  32. USB: serial: keyspan_pda: fix receive sanity checks

    jhovold authored and gregkh committed Jan 31, 2017
    commit c528fcb upstream.
    
    Make sure to check for short transfers before parsing the receive buffer
    to avoid acting on stale data.
    
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>