Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function. He writes:
It looks like cdc_parse_cdc_header() doesn't validate buflen
before accessing buffer[1], buffer[2] and so on. The only check
present is while (buflen > 0).
So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.
(cherry picked from commit 2e1c42391ff2556387b3cb6308b24f6f65619feb)
(The original patch fixed the generic cdc_parser_cdc_header function.
That generic function did not exist in 3.10 but there are a couple
cdc parsers that suffer from the same underlying problem.)
Bug: 69052594
Change-Id: I75b16a1eaad8a06bd9ef1db66148f72e965a341f
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Marissa Wall <marissaw@google.com>
Define a policy for packet pattern attributes in order to fix a
potential read over the end of the buffer during nla_get_u32()
of the NL80211_WOWLAN_PKTPAT_OFFSET attribute.
Note that the data there can always be read due to SKB allocation
(with alignment and struct skb_shared_info at the end), but the
data might be uninitialized. This could be used to leak some data
from uninitialized vmalloc() memory, but most drivers don't allow
an offset (so you'd just get -EINVAL if the data is non-zero) or
just allow it with a fixed value - 100 or 128 bytes, so anything
above that would get -EINVAL. With brcmfmac the limit is 1500 so
(at least) one byte could be obtained.
Cc: stable@kernel.org
Bug: 64403015
Signed-off-by: Peng Xu <pxu@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[rewrite description based on SKB allocation knowledge]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Change-Id: I6d8975ba163808481637a21fd6e57f917ec10ed4
Git-commit: ad670233c9e1d5feb365d870e30083ef1b889177
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
CRs-fixed: 2116387
[Backport: Fix conflicts]
Signed-off-by: Vidyullatha Kanchanapally <vidyullatha@codeaurora.org>
Signed-off-by: Peng Xu <pxu@codeaurora.org>
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Add sanity check for vdev id in wma_vdev_start_resp_handler() to prevent
out of bound memory access.
Change-Id: I52575fb065e008caa18a56d3b8f642060c6dd20e
CRs-Fixed: 2120424
Bug: 71501694
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently wake_info->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I2a1797ed921efb1d8bccd433f4b4ca1de6de94bd
CRs-Fixed: 2114363
Bug: 71501687
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
When parsing CDC headers, a buffer overflow cannot just be prevented
by checking that the remainder of the buffer is longer than minimum
length. The size of the fields to be parsed must be figured in, too.
In newer kernels this issue has been fixed at a central location with
commit 2e1c42391ff2556387b3cb6308b24f6f65619feb
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu Sep 21 16:58:48 2017 +0200
USB: core: harden cdc_parse_cdc_header
on anything older the parsing had not been centralised, so a separate
fix for each driver is necessary.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e ]
Phil and I found out a problem with commit:
7e860a6e7aa6 ("cdc-acm: add sanity checks")
It added some sanity checks to ignore potential garbage in CDC headers but
also introduced a potential infinite loop. This can happen at the first
loop iteration (elength = 0 in that case) if the description isn't a
DT_CS_INTERFACE or later if 'buffer[0]' is zero.
It should also be noted that the wrong length was being added to 'buffer'
in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
assigned after that check in the loop.
A specially crafted USB device could be used to trigger this infinite loop.
Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
Change-Id: Ie7ffa235e5200c8e376ecd80c75707dbad695930
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
CC: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
CC: Oliver Neukum <oneukum@suse.de>
CC: Adam Lee <adam8157@gmail.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
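The CDC parser fixes above (validating buflen before touching buffer[1] and buffer[2], figuring in the size of the fields to be parsed, and the infinite-loop fix) all constrain the same descriptor walk. The sketch below is an added example, not the kernel's or any driver's code: parse_cdc_extra(), struct cdc_summary and the sample byte arrays are constructed for illustration, and only the union and call-management descriptors are decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DT_CS_INTERFACE    0x24 /* class-specific interface descriptor */
#define CDC_CALL_MGMT_TYPE 0x01 /* needs bLength >= 5: bDataInterface at offset 4 */
#define CDC_UNION_TYPE     0x06 /* needs bLength >= 5: master at 3, first slave at 4 */

struct cdc_summary {            /* hypothetical result type for this example */
    int have_union, have_call_mgmt;
    int too_short;              /* descriptors shorter than their subtype's fields */
    uint8_t master_if, slave_if, data_if;
};

/* Returns 0 if the whole buffer was walked, -1 if a bLength is implausible. */
int parse_cdc_extra(const uint8_t *buf, size_t len, struct cdc_summary *out)
{
    memset(out, 0, sizeof(*out));
    while (len > 0) {
        /* Read the length first so every later path advances by it. */
        size_t elen = buf[0];

        /* elen == 0 would never advance (infinite loop); elen < 3 has no
         * type/subtype bytes; elen > len claims bytes that were never sent. */
        if (elen < 3 || elen > len)
            return -1;

        if (buf[1] != DT_CS_INTERFACE)
            goto next;          /* not a CDC header: step over it */

        switch (buf[2]) {
        case CDC_UNION_TYPE:
            if (elen < 5) { out->too_short++; break; }
            out->have_union = 1;
            out->master_if = buf[3];
            out->slave_if = buf[4];
            break;
        case CDC_CALL_MGMT_TYPE:
            if (elen < 5) { out->too_short++; break; }
            out->have_call_mgmt = 1;
            out->data_if = buf[4];
            break;
        default:
            break;              /* other subtypes are ignored here */
        }
next:
        buf += elen;
        len -= elen;
    }
    return 0;
}

/* Constructed sample inputs (not captured from a real device). */
static const uint8_t sample_ok[] = {
    0x05, 0x24, 0x00, 0x10, 0x01,              /* header */
    0x05, 0x24, 0x01, 0x00, 0x01,              /* call management, data if 1 */
    0x04, 0x24, 0x02, 0x02,                    /* ACM */
    0x05, 0x24, 0x06, 0x00, 0x01 };            /* union, master 0 / slave 1 */
static const uint8_t sample_truncated[] = {    /* union claims 5, 4 bytes remain */
    0x05, 0x24, 0x00, 0x10, 0x01, 0x05, 0x24, 0x06, 0x00 };
static const uint8_t sample_zero_len[] = {     /* bLength 0 after the header */
    0x05, 0x24, 0x00, 0x10, 0x01, 0x00, 0x24, 0x06, 0x00, 0x01 };
static const uint8_t sample_short_union[] = {  /* union with bLength 4, then call mgmt */
    0x04, 0x24, 0x06, 0x00, 0x05, 0x24, 0x01, 0x00, 0x02 };
static const uint8_t sample_foreign[] = {      /* endpoint descriptor, then union */
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x10, 0x05, 0x24, 0x06, 0x02, 0x03 };

int main(void)
{
    struct cdc_summary s;
    int rc = parse_cdc_extra(sample_ok, sizeof(sample_ok), &s);
    printf("ok: rc=%d union=%d master=%u slave=%u data_if=%u\n",
           rc, s.have_union, s.master_if, s.slave_if, s.data_if);
    printf("truncated: rc=%d\n",
           parse_cdc_extra(sample_truncated, sizeof(sample_truncated), &s));
    printf("zero length: rc=%d\n",
           parse_cdc_extra(sample_zero_len, sizeof(sample_zero_len), &s));
    return 0;
}
```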
[ Upstream commit 7e860a6e7aa62b337a61110430cd633db5b0d2dd ]
Check the special CDC headers for a plausible minimum length.
Another big operating system ignores such garbage.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
CC: stable@vger.kernel.org
Reviewed-by: Adam Lee <adam8157@gmail.com>
Tested-by: Adam Lee <adam8157@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Acked-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Replace all the kmalloc calls with vos_mem_malloc for tracking
each memory request.
CRs-Fixed: 1034565
Change-Id: Iae5aa03ccad8eff72935b1a9f895364495f323e0
wlan_queue_logmsg_for_app is called while holding spin lock with
interrupts disabled. It may call pr_info to log if node is dropped
while sending to user space.
This may cause interrupts disabled for some time.
As part of fix remove all pr_info from wlan_queue_logmsg_for_app.
Change-Id: Iffa5d463ae4e807bb30ff6eec5f3949735663fd5
CRs-Fixed: 1005714
prima to qcacld-2.0 propagation
Don't log if netlink_broadcast fails with error -ESRCH(-3) since
this error is likely to occur because of no listening process in
the user space. In this case, error logs would give a false
impression that feature is broken though feature is working fine.
Change-Id: Ia111476e44a3dce24afd6b935ff0eca06accc73a
CRs-Fixed: 1039867
prima to qcacld-2.0 propagation
As there are a lot of prints dropped on the console in
short duration, it leads to interrupt disablement on
the cpu.
So reducing the logging level of log statement from
ERROR to INFO
Change-Id: I3eefac49378a7bfbcc235b1dd3362e1213fa1f42
CRs-Fixed: 886644
prima to qcacld-2.0 propagation
Out of bound access is reported by kernel address
sanitizer (KASAN) tool.
=================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x28/0x54 at addr
ffffffc03f9b1f94
Read of size 1024 by task WifiLogger_app/662
=================================================================
page dumped because: kasan: bad access detected
-----------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e98084>] dump_stack+0x74/0xfc
[<ffffffc0002f2fac>] print_trailer+0x150/0x164
[<ffffffc0002f3374>] object_err+0x38/0x4c
[<ffffffc0002f88ac>] kasan_report+0x34c/0x504
[<ffffffc0002f7b74>] __asan_loadN+0x20/0x14c
[<ffffffc0002f8078>] memcpy+0x24/0x54
[<ffffffbffc3958ec>] vos_mem_copy+0x68/0x7c [wlan]
[<ffffffbffc307648>] wlan_logging_proc_sock_rx_msg+0x39c/0x3f0 [wlan]
[<ffffffbffc3042f0>] nl_srv_rcv+0x1c0/0x218 [wlan]
[<ffffffc001a28b20>] netlink_unicast+0x3b0/0x4c0
[<ffffffc001a2975c>] netlink_sendmsg+0xa2c/0xb30
[<ffffffc00196b658>] sock_sendmsg+0x1d4/0x22c
[<ffffffc001970278>] SyS_sendto+0x194/0x224
================================================================
There is possibility of out of bound memory access, if user sends
a netlink packet with message length greater than skb data_len.
Don't process netlink packet if message length is greater than
skb data_len.
Change-Id: Ice6492aa191da0af3fe4fc9b58dfddcb2a59d6d0
CRs-Fixed: 975923
In wlan_get_pkt_stats_free_node, skbuff is also reused from
filled list, inconsistent tail and len leads to skb_panic.
Change-Id: If0aad86f005998ae175b61e6741c33f0226ce3be
CRs-Fixed: 997707
prima to qcacld-2.0 propagation
Currently, sizeof(tAniHdr) is not added to payload length in
messages in wlan_send_sock_msg_to_app, ptt_sock_send_msg_to_app.
These missing lengths can cause user space
to drop these messages. Fix this by adding appropriate lengths.
Also, use standard api to add nl message header length in
pkt_stats_fill_headers.
Change-Id: I2609029445110e661440a7fc55f36801e4f72afc
CRs-Fixed: 985614
NLMSG_ALIGN adds 1/2/3 bytes if length of data is not multiple of 4.
This can cause length mismatch between nl_payload_len (without header
length) and skb->len. This can cause mismatch in length vs message
available on the socket check in nl and can result in NL discarding
the message. Fix this by removing NLMSG_ALIGN to make lengths same.
Change-Id: I5e513a448a13450b590960ac49462af27e2eb385
CRs-Fixed: 978511
prima to qcacld-2.0 propagation
Currently all functions swap length before sending message
ANI_NL_MSG_PUMAC to user. But, in send_per_pkt_stats_to_user,
wmsg->length is not swapped. This can cause length to be changed
from one to other endianness and can result in improper length.
Fix this by swapping length.
Change-Id: I06b1f5d26f8ed815e3b0a839832ae6e774ad7cc6
CRs-Fixed: 985606
Currently pktstats are stored in static allocated memory. This
pkt stats can be accessed using
1) procEntry function
2) hal_proxy_daemon
If the user accesses it using procEntry, the read pointer is moved ahead
in the static memory array, because of which incomplete data goes out when
queried using hal_proxy_daemon.
Fix this by maintaining the pktstats in link list. When the
request comes from hal_proxy_daemon, complete data is sent
to it from this link list.
Change-Id: I09bbd03fe378b296e110ce52cc8cbeb8cf8d723d
CRs-Fixed: 958544
qcacld-3.0 to qcacld-2.0 propagation
Commit: 78d28e6 ("kill f_dentry macro")
Above commit is to remove the macro of f_dentry since Kernel 3.19.
Avoid using the Kernel version check by using the field directly.
Change-Id: I7a4b45c62afed402d49d709bb1cb870db352b70e
CRs-fixed: 966066
1) BSS starting path and STA disassoc path should use
different events to perform synchronization
2) BSS starting event object should be reset before
BSS starting/restarting procedure is initiated
Change-Id: I96efd052fa19227c55c4f3af96afa8d590037c2d
CRs-Fixed: 1091108
IE buffers for probe resp, assoc resp and beacon should be freed
when 1)SAP starting fails; 2)SAP starting success event is
signaled
Change-Id: Ic9cc1c8d58667f34fbc877aeca4405b0156b1264
CRs-Fixed: 1071990
Currently, on sending disassoc from HDD, lim will process
disassoc and clear the session of the station, thus leading to a
dropped deauth in lim since the context is already cleared. Hence
the deauth frame is not sent from SoftAP although the deauth command
is executed on hostapd_cli.
The fix will ensure that the disassoc command is sent through a new API
which doesn't clear the session, and the same is cleared after
sending deauth.
Change-Id: I912a91f1df4001bb2d4f1f0d6031cc102d1bbd65
CRs-Fixed: 981121
prima to qcacld-2.0 propagation
Driver does not support Reassoc in security mode and processing
reassoc in security mode may lead to issues like keys not being
negotiated properly.
With this change Driver will allow reassoc to same AP only in
open security mode.
Change-Id: I35d802f564e41ee0b30386ee7b74d2b44eb80ecf
CRs-Fixed: 923219
While processing a PNO scan request, there is a possibility of
out-of-bound memory access because the upper bound check is missing while
updating probe request IEs.
Add upper bound length check before copying probe request IEs locally,
sent by the supplicant.
Change-Id: Ia7c923cc5b8082ed7e9ad67786dc5a10c2672514
CRs-Fixed: 2031410
Bug: 37083726
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
uMacPostCtrlMsg allocates memory of size tSirSmeScanAbortReq
for tSirMbMsg structure for scan abort msg that is posted to
mc thread. In limProcessMessages, we typecast the bodyptr to
tSirMbMsg and use data variable which results in slab out of
bounds bug.
Fix is to typecast the bodyptr to tSirSmeScanAbortReq
in limProcessMessages.
Change-Id: Iabeeabcba64ccc30895f57cbe40d969f1a9e6dca
CRs-Fixed: 2031160
Bug: 37082991
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently pmfComebackTimer is not initialized during roaming. This
can lead to error in peDeleteSession when driver tries to destroy
pmfComebackTimer. Fix this by initializing pmfComebackTimer during
roaming. Also, handle status eSIR_MAC_TRY_AGAIN_LATER as failure
during roaming.
Change-Id: Ic9c4e996c4078d09ef7cd9b3b073105d94eb53fb
CRs-Fixed: 1037640
Populate the peer rates irrespective of the HT mode.
The legacy rates should be populated.
CRs-Fixed: 883788
Change-Id: I7e2e655f9fe8688e5cd99de6503137f7bda909da
If there are many beacons/probes received and posted to the pe queue,
the connection req frames may get delayed and thus affect the
connection. This may also lead to connection failures.
To avoid this prioritize the connection req frames in pe queue.
Change-Id: I5a6fd5c21242205dd080b2ba0cff5f823f51d109
CRs-Fixed: 2013381
uOsRequestedHandoff is not reset in many scenarios after reassoc
fails/times out. Due to this, if the next connect request initiates a
scan for ssid to find the AP in the local cache, the scan for ssid
complete handler thinks that an OS requested handoff is in progress
and returns without initiating the connect or connect failure.
Thus the HDD remains in connecting state and after that scans
fail.
To fix this reset uOsRequestedHandoff whenever reassoc fails
Change-Id: Ife9ee885cc1638f2bc4e02fd91b000c6e00f0689
CRs-Fixed: 1101706
dmesg shows the following error:
init: write_file: Unable to open
'/proc/sys/kernel/hung_task_timeout_secs': No such file or directory
Change-Id: I3a1c8d88dcb8d2616d71caa85ab1f75f5ad4908d
This aligns every column of elements in wakeup_sources to
conveniently check any specific column for suspicious power
consumption wakeup source or for other easily human readable purpose.
Change-Id: I69137fc4af272f392f3e0c1a4bd48d5a5dee7d2c
Signed-off-by: yangdongdong <yangdongdong@xiaomi.com>
(cherry picked from commit b277da0a8a594308e17881f4926879bd5fca2a2d)
Clear QUEUE_FLAG_ADD_RANDOM in all block drivers that set
QUEUE_FLAG_NONROT.
Historically, all block devices have automatically made entropy
contributions. But as previously stated in commit e2e1a148 ("block: add
sysfs knob for turning off disk entropy contributions"):
- On SSD disks, the completion times aren't as random as they
are for rotational drives. So it's questionable whether they
should contribute to the random pool in the first place.
- Calling add_disk_randomness() has a lot of overhead.
There are more reliable sources for randomness than non-rotational block
devices. From a security perspective it is better to err on the side of
caution than to allow entropy contributions from unreliable "random"
sources.
Change-Id: Iaace159bea0e9245e6825cccd4f6a1152a166ce1
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
(cherry picked from commit 06af1c52c9ea234e0b1266cc0b52c3e0c6c8fe9f)
The current lz4 compress buffer is 16kb on 32-bits, 32kb on 64-bits
system. But, lz4 needs only 16kb on both. On 64-bits, this causes
wasted cpu cycles for additional memset during every compression.
In case of lz4hc, the current buffer size is (256kb + 8) on 32-bits,
(512kb + 16) on 64-bits. But, lz4hc needs only (256kb + 2 * pointer) on
both.
This patch fixes these wrong compress buffer sizes for 64-bits.
Change-Id: Ic686085c21f12cf6c6378caad8ea9884fb27a0c8
Signed-off-by: Bongkyu Kim <bongkyu.kim@lge.com>
Cc: Chanho Min <chanho.min@lge.com>
Cc: Yann Collet <yann.collet.73@gmail.com>
Cc: Kyungsik Lee <kyungsik.lee@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit e02d238c9852a91b30da9ea32ce36d1416cdc683)
Do not __GFP_ZERO allocated zcomp ->private pages. We keep allocated
streams around and use them for read/write requests, so we supply a
zeroed out ->private to compression algorithm as a scratch buffer only
once -- the first time we use that stream. For the rest of IO requests
served by this stream ->private usually contains some temporary data
from the previous requests.
Change-Id: I045fa84e7edc1a54b298ed8236192a531cf15531
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 75d8947a36d0c9aedd69118d1f14bf424005c7c2)
Each zcomp backend uses its own gfp flag but it's pointless because the
context they could be called in is driven by the upper layer (i.e., zcomp
frontend). As well, the zcomp frontend could call them in different
contexts. In one context (i.e., zram init part) it is better to make
sure of successful allocation; the other context (i.e., further stream
allocation part for accelerating I/O speed) is just optional, so let's pass
gfp down from the driver (i.e., zcomp frontend) like normal MM convention.
[sergey.senozhatsky@gmail.com: add missing __vmalloc zero and highmem gfps]
Signed-off-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I444cdf49d98d9230bb1a771daef7aaa1988f50af
(cherry picked from commit d913897abace843bba20249f3190167f7895e9c3)
When we're using LZ4 multi compression streams for zram swap, we found
out page allocation failure message in system running test. That was
not only once, but a few(2 - 5 times per test). Also, some failure
cases were continually occurring to try allocation order 3.
In order to make parallel compression private data, we should call
kzalloc() with order 2/3 in runtime(lzo/lz4). But if there is no order
2/3 size memory to allocate in that time, page allocation fails. This
patch makes to use vmalloc() as fallback of kmalloc(), this prevents
page alloc failure warning.
After using this, we never found the warning message in running tests; also
it could reduce process startup latency by about 60-120ms in each case.
For reference a call trace :
Binder_1: page allocation failure: order:3, mode:0x10c0d0
CPU: 0 PID: 424 Comm: Binder_1 Tainted: GW 3.10.49-perf-g991d02b-dirty #20
Call trace:
dump_backtrace+0x0/0x270
show_stack+0x10/0x1c
dump_stack+0x1c/0x28
warn_alloc_failed+0xfc/0x11c
__alloc_pages_nodemask+0x724/0x7f0
__get_free_pages+0x14/0x5c
kmalloc_order_trace+0x38/0xd8
zcomp_lz4_create+0x2c/0x38
zcomp_strm_alloc+0x34/0x78
zcomp_strm_multi_find+0x124/0x1ec
zcomp_strm_find+0xc/0x18
zram_bvec_rw+0x2fc/0x780
zram_make_request+0x25c/0x2d4
generic_make_request+0x80/0xbc
submit_bio+0xa4/0x15c
__swap_writepage+0x218/0x230
swap_writepage+0x3c/0x4c
shrink_page_list+0x51c/0x8d0
shrink_inactive_list+0x3f8/0x60c
shrink_lruvec+0x33c/0x4cc
shrink_zone+0x3c/0x100
try_to_free_pages+0x2b8/0x54c
__alloc_pages_nodemask+0x514/0x7f0
__get_free_pages+0x14/0x5c
proc_info_read+0x50/0xe4
vfs_read+0xa0/0x12c
SyS_read+0x44/0x74
DMA: 3397*4kB (MC) 26*8kB (RC) 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB
0*512kB 0*1024kB 0*2048kB 0*4096kB = 13796kB
[minchan@kernel.org: change vmalloc gfp and adding comment about gfp]
[sergey.senozhatsky@gmail.com: tweak comments and styles]
Signed-off-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I39b9710d225eb79414976b27962560b0acb107dc
(cherry picked from commit 3d5fe03a3ea013060ebba2a811aeb0f23f56aefa)
We can end up allocating a new compression stream with GFP_KERNEL from
within the IO path, which may result in nested (recursive) IO
operations. That can introduce problems if the IO path in question is a
reclaimer, holding some locks that will deadlock nested IOs.
Allocate streams and working memory using GFP_NOIO flag, forbidding
recursive IO and FS operations.
An example:
inconsistent {IN-RECLAIM_FS-W} -> {RECLAIM_FS-ON-W} usage.
git/20158 [HC0[0]:SC0[0]:HE1:SE1] takes:
(jbd2_handle){+.+.?.}, at: start_this_handle+0x4ca/0x555
{IN-RECLAIM_FS-W} state was registered at:
__lock_acquire+0x8da/0x117b
lock_acquire+0x10c/0x1a7
start_this_handle+0x52d/0x555
jbd2__journal_start+0xb4/0x237
__ext4_journal_start_sb+0x108/0x17e
ext4_dirty_inode+0x32/0x61
__mark_inode_dirty+0x16b/0x60c
iput+0x11e/0x274
__dentry_kill+0x148/0x1b8
shrink_dentry_list+0x274/0x44a
prune_dcache_sb+0x4a/0x55
super_cache_scan+0xfc/0x176
shrink_slab.part.14.constprop.25+0x2a2/0x4d3
shrink_zone+0x74/0x140
kswapd+0x6b7/0x930
kthread+0x107/0x10f
ret_from_fork+0x3f/0x70
irq event stamp: 138297
hardirqs last enabled at (138297): debug_check_no_locks_freed+0x113/0x12f
hardirqs last disabled at (138296): debug_check_no_locks_freed+0x33/0x12f
softirqs last enabled at (137818): __do_softirq+0x2d3/0x3e9
softirqs last disabled at (137813): irq_exit+0x41/0x95
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(jbd2_handle);
<Interrupt>
lock(jbd2_handle);
*** DEADLOCK ***
5 locks held by git/20158:
#0: (sb_writers#7){.+.+.+}, at: [<ffffffff81155411>] mnt_want_write+0x24/0x4b
#1: (&type->i_mutex_dir_key#2/1){+.+.+.}, at: [<ffffffff81145087>] lock_rename+0xd9/0xe3
#2: (&sb->s_type->i_mutex_key#11){+.+.+.}, at: [<ffffffff8114f8e2>] lock_two_nondirectories+0x3f/0x6b
#3: (&sb->s_type->i_mutex_key#11/4){+.+.+.}, at: [<ffffffff8114f909>] lock_two_nondirectories+0x66/0x6b
#4: (jbd2_handle){+.+.?.}, at: [<ffffffff811e31db>] start_this_handle+0x4ca/0x555
stack backtrace:
CPU: 2 PID: 20158 Comm: git Not tainted 4.1.0-rc7-next-20150615-dbg-00016-g8bdf555-dirty #211
Call Trace:
dump_stack+0x4c/0x6e
mark_lock+0x384/0x56d
mark_held_locks+0x5f/0x76
lockdep_trace_alloc+0xb2/0xb5
kmem_cache_alloc_trace+0x32/0x1e2
zcomp_strm_alloc+0x25/0x73 [zram]
zcomp_strm_multi_find+0xe7/0x173 [zram]
zcomp_strm_find+0xc/0xe [zram]
zram_bvec_rw+0x2ca/0x7e0 [zram]
zram_make_request+0x1fa/0x301 [zram]
generic_make_request+0x9c/0xdb
submit_bio+0xf7/0x120
ext4_io_submit+0x2e/0x43
ext4_bio_write_page+0x1b7/0x300
mpage_submit_page+0x60/0x77
mpage_map_and_submit_buffers+0x10f/0x21d
ext4_writepages+0xc8c/0xe1b
do_writepages+0x23/0x2c
__filemap_fdatawrite_range+0x84/0x8b
filemap_flush+0x1c/0x1e
ext4_alloc_da_blocks+0xb8/0x117
ext4_rename+0x132/0x6dc
? mark_held_locks+0x5f/0x76
ext4_rename2+0x29/0x2b
vfs_rename+0x540/0x636
SyS_renameat2+0x359/0x44d
SyS_rename+0x1e/0x20
entry_SYSCALL_64_fastpath+0x12/0x6f
[minchan@kernel.org: add stable mark]
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: Kyeongdon Kim <kyeongdon.kim@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I892af96983600cf70dbca103da113a456077ba83
[ Upstream commit 0f9fa831aecfc297b7b45d4f046759bcefcf87f0 ]
When using TCP FastOpen for an active session, we send one wakeup event
from tcp_finish_connect(), right before the data eventually contained in
the received SYNACK is queued to sk->sk_receive_queue.
This means that depending on machine load or luck, poll() users
might receive POLLOUT events instead of POLLIN|POLLOUT
To fix this, we need to move the call to sk->sk_state_change()
after the (optional) call to tcp_rcv_fastopen_synack()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When SAP is running in 11ac only mode, it should reject the incoming
association requests if one of the following conditions is true:
1) VHT capability IE is missing
2) VHT capability IE is available, but present bit is cleared
Change-Id: Iad0e85a741d36dfd8727db668a4600ee3594f905
CRs-Fixed: 1084052
In sme_set_pdev_ht_vht_ies(), ht_vht_cfg will be freed in
palSendMBMessage.
In sme_set_miracast(), there is dereference before null
check.
Change-Id: Id67a13c6fb2acaf2444212faf0453891558be202
CRs-Fixed: 1002063
When IBSS is started in 2.4 GHz, it uses CBW40 by default.
But the device doesn't support VHT40 in 2.4G for STA/IBSS as
there is no support in firmware to do OBSS scan.
Update cbmode as 20 MHz if the device is in IBSS mode and is
operating in 2.4 GHz.
Change-Id: I01fa0df44f8b6f9ada835c0fc80a46eb0da6d6d7
CRs-Fixed: 1009922
In 2.4GHz, irrespective of the dot11mode, DUT sends VHT capability in
vendor specific IE, if peer contains the VHT capability in vendor
specific IE.
Thus peer believes that DUT supports VHT and sends data in VHT MCS8/9.
In 2.4Ghz send VHT capability in vendor specific IE only if
dot11mode is 11ac.
Change-Id: I6f9c99a1e9b3f1c97e701451c064d43a739266db
CRs-Fixed: 1006946
Currently driver reports max MCS index 9 for VHT20, but cfg802.11
doesn't support such case, which leads to link speed null returned
to upper-layer.
Update the driver to report max MCS index 8 for VHT20.
Change-Id: I06c97db85d88decf418be602cb5f64135f61a686
CRs-Fixed: 1005141
SoftAP should check gEnableVhtFor24GHzBand ini variable before
enabling vht mode in 2.4Ghz mode.
Added changes to turn off vht mode if gEnableVhtFor24GHzBand is
disabled for 2.4Ghz.
Change-Id: I135e5449f95342a98abfa0b9cd5b1849a84c5c4c
CRs-Fixed: 988240
In 2.4GHz some stations advertise VHT capability IE in Assoc Req frame.
Add support to detect the VHT capability in vendor specific IE in
Assoc Req frame and establish the connection with VHT mode to
improve the performance.
Change-Id: I08dbcb3ce1895aa2108924d7a672e5d9be514e3d
CRs-Fixed: 924814
In 2.4GHz some APs advertise the VHT capability IE in vendor
specific IE.
Add support to detect the VHT capability in vendor specific IE
and establish the connection in VHT mode to improve the performance.
Change-Id: I043188f0b7d205caa0581a9ffb9a5ade1d720473
CRs-Fixed: 739767
prima to qcacld-2.0 propagation
Some APs don't announce the Extended Capabilities IE in Probe Response.
Device should not send Extended Capabilities if the AP doesn't support it.
Change-Id: I53215b866cb90f4addf45e3b6ed8af435eb57842
CRs-Fixed: 930199