Matthew Dempsky [Fri, 6 Jun 2014 21:36:42 +0000 (14:36 -0700)]
ptrace: fix fork event messages across pid namespaces
commit
4e52365f279564cef0ddd41db5237f0471381093 upstream.
When tracing a process in another pid namespace, it's important for fork
event messages to contain the child's pid as seen from the tracer's pid
namespace, not the parent's. Otherwise, the tracer won't be able to
correlate the fork event with later SIGTRAP signals it receives from the
child.
We still risk a race condition if a ptracer from a different pid
namespace attaches after we compute the pid_t value. However, sending a
bogus fork event message in this unlikely scenario is still a vast
improvement over the status quo where we always send bogus fork event
messages to debuggers in a different pid namespace than the forking
process.
Signed-off-by: Matthew Dempsky <mdempsky@chromium.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Julien Tinnes <jln@chromium.org>
Cc: Roland McGrath <mcgrathr@chromium.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johannes Weiner [Fri, 6 Jun 2014 21:35:35 +0000 (14:35 -0700)]
mm: vmscan: clear kswapd's special reclaim powers before exiting
commit
71abdc15adf8c702a1dd535f8e30df50758848d2 upstream.
When kswapd exits, it can end up taking locks that were previously held
by allocating tasks while they waited for reclaim. Lockdep currently
warns about this:
On Wed, May 28, 2014 at 06:06:34PM +0800, Gu Zheng wrote:
> inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-R} usage.
> kswapd2/1151 [HC0[0]:SC0[0]:HE1:SE1] takes:
> (&sig->group_rwsem){+++++?}, at: exit_signals+0x24/0x130
> {RECLAIM_FS-ON-W} state was registered at:
> mark_held_locks+0xb9/0x140
> lockdep_trace_alloc+0x7a/0xe0
> kmem_cache_alloc_trace+0x37/0x240
> flex_array_alloc+0x99/0x1a0
> cgroup_attach_task+0x63/0x430
> attach_task_by_pid+0x210/0x280
> cgroup_procs_write+0x16/0x20
> cgroup_file_write+0x120/0x2c0
> vfs_write+0xc0/0x1f0
> SyS_write+0x4c/0xa0
> tracesys+0xdd/0xe2
> irq event stamp: 49
> hardirqs last enabled at (49): _raw_spin_unlock_irqrestore+0x36/0x70
> hardirqs last disabled at (48): _raw_spin_lock_irqsave+0x2b/0xa0
> softirqs last enabled at (0): copy_process.part.24+0x627/0x15f0
> softirqs last disabled at (0): (null)
>
> other info that might help us debug this:
> Possible unsafe locking scenario:
>
> CPU0
> ----
> lock(&sig->group_rwsem);
> <Interrupt>
> lock(&sig->group_rwsem);
>
> *** DEADLOCK ***
>
> no locks held by kswapd2/1151.
>
> stack backtrace:
> CPU: 30 PID: 1151 Comm: kswapd2 Not tainted 3.10.39+ #4
> Call Trace:
> dump_stack+0x19/0x1b
> print_usage_bug+0x1f7/0x208
> mark_lock+0x21d/0x2a0
> __lock_acquire+0x52a/0xb60
> lock_acquire+0xa2/0x140
> down_read+0x51/0xa0
> exit_signals+0x24/0x130
> do_exit+0xb5/0xa50
> kthread+0xdb/0x100
> ret_from_fork+0x7c/0xb0
This is because the kswapd thread is still marked as a reclaimer at the
time of exit. But because it is exiting, nobody is actually waiting on
it to make reclaim progress anymore, and it's nothing but a regular
thread at this point. Be tidy and strip it of all its powers
(PF_MEMALLOC, PF_SWAPWRITE, PF_KSWAPD, and the lockdep reclaim state)
before returning from the thread function.
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reported-by: Gu Zheng <guz.fnst@cn.fujitsu.com>
Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Cc: Tang Chen <tangchen@cn.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kees Cook [Thu, 17 Apr 2014 20:22:09 +0000 (13:22 -0700)]
HID: core: fix validation of report id 0
commit
1b15d2e5b8077670b1e6a33250a0d9577efff4a5 upstream.
Some drivers use the first HID report in the list instead of using an
index. In these cases, validation uses ID 0, which was supposed to mean
"first known report". This fixes the problem, which was causing at least
the lgff family of devices to stop working since hid_validate_values
was being called with ID 0, but the devices used single numbered IDs
for their reports:
0x05, 0x01, /* Usage Page (Desktop), */
0x09, 0x05, /* Usage (Gamepad), */
0xA1, 0x01, /* Collection (Application), */
0xA1, 0x02, /* Collection (Logical), */
0x85, 0x01, /* Report ID (1), */
...
Reported-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hugh Dickins [Wed, 4 Jun 2014 23:05:33 +0000 (16:05 -0700)]
mm: fix sleeping function warning from __put_anon_vma
commit
7f39dda9d86fb4f4f17af0de170decf125726f8c upstream.
Trinity reports BUG:
sleeping function called from invalid context at kernel/locking/rwsem.c:47
in_atomic(): 0, irqs_disabled(): 0, pid: 5787, name: trinity-c27
__might_sleep < down_write < __put_anon_vma < page_get_anon_vma <
migrate_pages < compact_zone < compact_zone_order < try_to_compact_pages ..
Right, since conversion to mutex then rwsem, we should not put_anon_vma()
from inside an rcu_read_lock()ed section: fix the two places that did so.
And add might_sleep() to anon_vma_free(), as suggested by Peter Zijlstra.
Fixes:
88c22088bf23 ("mm: optimize page_lock_anon_vma() fast-path")
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Naoya Horiguchi [Wed, 4 Jun 2014 23:11:02 +0000 (16:11 -0700)]
mm/memory-failure.c: support use of a dedicated thread to handle SIGBUS(BUS_MCEERR_AO)
commit
3ba08129e38437561df44c36b7ea9081185d5333 upstream.
Currently memory error handler handles action optional errors in the
deferred manner by default. And if a recovery aware application wants
to handle it immediately, it can do it by setting PF_MCE_EARLY flag.
However, such signal can be sent only to the main thread, so it's
problematic if the application wants to have a dedicated thread to
handler such signals.
So this patch adds dedicated thread support to memory error handler. We
have PF_MCE_EARLY flags for each thread separately, so with this patch
AO signal is sent to the thread with PF_MCE_EARLY flag set, not the main
thread. If you want to implement a dedicated thread, you call prctl()
to set PF_MCE_EARLY on the thread.
Memory error handler collects processes to be killed, so this patch lets
it check PF_MCE_EARLY flag on each thread in the collecting routines.
No behavioral change for all non-early kill cases.
Tony said:
: The old behavior was crazy - someone with a multithreaded process might
: well expect that if they call prctl(PF_MCE_EARLY) in just one thread, then
: that thread would see the SIGBUS with si_code = BUS_MCEERR_A0 - even if
: that thread wasn't the main thread for the process.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: Kamil Iskra <iskra@mcs.anl.gov>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Chen Gong <gong.chen@linux.jf.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tony Luck [Wed, 4 Jun 2014 23:11:01 +0000 (16:11 -0700)]
mm/memory-failure.c: don't let collect_procs() skip over processes for MF_ACTION_REQUIRED
commit
74614de17db6fb472370c426d4f934d8d616edf2 upstream.
When Linux sees an "action optional" machine check (where h/w has reported
an error that is not in the current execution path) we generally do not
want to signal a process, since most processes do not have a SIGBUS
handler - we'd just prematurely terminate the process for a problem that
they might never actually see.
task_early_kill() decides whether to consider a process - and it checks
whether this specific process has been marked for early signals with
"prctl", or if the system administrator has requested early signals for
all processes using /proc/sys/vm/memory_failure_early_kill.
But for MF_ACTION_REQUIRED case we must not defer. The error is in the
execution path of the current thread so we must send the SIGBUS
immediatley.
Fix by passing a flag argument through collect_procs*() to
task_early_kill() so it knows whether we can defer or must take action.
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Chen Gong <gong.chen@linux.jf.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tony Luck [Wed, 4 Jun 2014 23:10:59 +0000 (16:10 -0700)]
mm/memory-failure.c-failure: send right signal code to correct thread
commit
a70ffcac741d31a406c1d2b832ae43d658e7e1cf upstream.
When a thread in a multi-threaded application hits a machine check because
of an uncorrectable error in memory - we want to send the SIGBUS with
si.si_code = BUS_MCEERR_AR to that thread. Currently we fail to do that
if the active thread is not the primary thread in the process.
collect_procs() just finds primary threads and this test:
if ((flags & MF_ACTION_REQUIRED) && t == current) {
will see that the thread we found isn't the current thread and so send a
si.si_code = BUS_MCEERR_AO to the primary (and nothing to the active
thread at this time).
We can fix this by checking whether "current" shares the same mm with the
process that collect_procs() said owned the page. If so, we send the
SIGBUS to current (with code BUS_MCEERR_AR).
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reported-by: Otto Bruggeman <otto.g.bruggeman@intel.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Chen Gong <gong.chen@linux.jf.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mel Gorman [Wed, 4 Jun 2014 23:10:16 +0000 (16:10 -0700)]
mm: page_alloc: use word-based accesses for get/set pageblock bitmaps
commit
e58469bafd0524e848c3733bc3918d854595e20f upstream.
The test_bit operations in get/set pageblock flags are expensive. This
patch reads the bitmap on a word basis and use shifts and masks to isolate
the bits of interest. Similarly masks are used to set a local copy of the
bitmap and then use cmpxchg to update the bitmap if there have been no
other changes made in parallel.
In a test running dd onto tmpfs the overhead of the pageblock-related
functions went from 1.27% in profiles to 0.5%.
In addition to the performance benefits, this patch closes races that are
possible between:
a) get_ and set_pageblock_migratetype(), where get_pageblock_migratetype()
reads part of the bits before and other part of the bits after
set_pageblock_migratetype() has updated them.
b) set_pageblock_migratetype() and set_pageblock_skip(), where the non-atomic
read-modify-update set bit operation in set_pageblock_skip() will cause
lost updates to some bits changed in the set_pageblock_migratetype().
Joonsoo Kim first reported the case a) via code inspection. Vlastimil
Babka's testing with a debug patch showed that either a) or b) occurs
roughly once per mmtests' stress-highalloc benchmark (although not
necessarily in the same pageblock). Furthermore during development of
unrelated compaction patches, it was observed that frequent calls to
{start,undo}_isolate_page_range() the race occurs several thousands of
times and has resulted in NULL pointer dereferences in move_freepages()
and free_one_page() in places where free_list[migratetype] is
manipulated by e.g. list_move(). Further debugging confirmed that
migratetype had invalid value of 6, causing out of bounds access to the
free_list array.
That confirmed that the race exist, although it may be extremely rare,
and currently only fatal where page isolation is performed due to
memory hot remove. Races on pageblocks being updated by
set_pageblock_migratetype(), where both old and new migratetype are
lower MIGRATE_RESERVE, currently cannot result in an invalid value
being observed, although theoretically they may still lead to
unexpected creation or destruction of MIGRATE_RESERVE pageblocks.
Furthermore, things could get suddenly worse when memory isolation is
used more, or when new migratetypes are added.
After this patch, the race has no longer been observed in testing.
Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Reported-and-tested-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mel Gorman [Wed, 4 Jun 2014 23:07:35 +0000 (16:07 -0700)]
mm: vmscan: do not throttle based on pfmemalloc reserves if node has no ZONE_NORMAL
commit
675becce15f320337499bc1a9356260409a5ba29 upstream.
throttle_direct_reclaim() is meant to trigger during swap-over-network
during which the min watermark is treated as a pfmemalloc reserve. It
throttes on the first node in the zonelist but this is flawed.
The user-visible impact is that a process running on CPU whose local
memory node has no ZONE_NORMAL will stall for prolonged periods of time,
possibly indefintely. This is due to throttle_direct_reclaim thinking the
pfmemalloc reserves are depleted when in fact they don't exist on that
node.
On a NUMA machine running a 32-bit kernel (I know) allocation requests
from CPUs on node 1 would detect no pfmemalloc reserves and the process
gets throttled. This patch adjusts throttling of direct reclaim to
throttle based on the first node in the zonelist that has a usable
ZONE_NORMAL or lower zone.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Mel Gorman <mgorman@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tetsuo Handa [Wed, 4 Jun 2014 23:05:36 +0000 (16:05 -0700)]
kthread: fix return value of kthread_create() upon SIGKILL.
commit
8fe6929cfd43c44834858a53e129ffdc7c166298 upstream.
Commit
786235eeba0e ("kthread: make kthread_create() killable") meant
for allowing kthread_create() to abort as soon as killed by the
OOM-killer. But returning -ENOMEM is wrong if killed by SIGKILL from
userspace. Change kthread_create() to return -EINTR upon SIGKILL.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Oleg Nesterov <oleg@redhat.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Naoya Horiguchi [Wed, 4 Jun 2014 23:05:35 +0000 (16:05 -0700)]
hugetlb: restrict hugepage_migration_support() to x86_64
commit
c177c81e09e517bbf75b67762cdab1b83aba6976 upstream.
Currently hugepage migration is available for all archs which support
pmd-level hugepage, but testing is done only for x86_64 and there're
bugs for other archs. So to avoid breaking such archs, this patch
limits the availability strictly to x86_64 until developers of other
archs get interested in enabling this feature.
Simply disabling hugepage migration on non-x86_64 archs is not enough to
fix the reported problem where sys_move_pages() hits the BUG_ON() in
follow_page(FOLL_GET), so let's fix this by checking if hugepage
migration is supported in vma_migratable().
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reported-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Michael Ellerman <mpe@ellerman.id.au>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:10 +0000 (19:23 +0200)]
USB: option: fix runtime PM handling
commit
acf47d4f9c39b1cba467aa9442fc2efe0b1da741 upstream.
Fix potential I/O while runtime suspended due to missing PM operations
in send_setup.
Fixes:
383cedc3bb43 ("USB: serial: full autosuspend support for the
option driver")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alan Stern [Tue, 3 Jun 2014 15:00:27 +0000 (11:00 -0400)]
USB: EHCI: avoid BIOS handover on the HASEE E200
commit
b0a50e92bda3c4aeb8017d4e6c6e92146ebd5c9b upstream.
Leandro Liptak reports that his HASEE E200 computer hangs when we ask
the BIOS to hand over control of the EHCI host controller. This
definitely sounds like a bug in the BIOS, but at the moment there is
no way to fix it.
This patch works around the problem by avoiding the handoff whenever
the motherboard and BIOS version match those of Leandro's computer.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Leandro Liptak <leandroliptak@gmail.com>
Tested-by: Leandro Liptak <leandroliptak@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paul Bolle [Fri, 16 May 2014 10:00:57 +0000 (12:00 +0200)]
ARM: OMAP: replace checks for CONFIG_USB_GADGET_OMAP
commit
77c2f02edbeda9409a7cf3fd66233015820c213a upstream.
Commit
193ab2a60700 ("usb: gadget: allow multiple gadgets to be built")
apparently required that checks for CONFIG_USB_GADGET_OMAP would be
replaced with checks for CONFIG_USB_OMAP. Do so now for the remaining
checks for CONFIG_USB_GADGET_OMAP, even though these checks have
basically been broken since v3.1.
And, since we're touching this code, use the IS_ENABLED() macro, so
things will now (hopefully) also work if USB_OMAP is modular.
Fixes:
193ab2a60700 ("usb: gadget: allow multiple gadgets to be built")
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felipe Balbi [Wed, 16 Apr 2014 15:30:33 +0000 (10:30 -0500)]
usb: dwc3: gadget: clear stall when disabling endpoint
commit
687ef9817df7ed960d14575b9033dde3d04631fe upstream.
so it seems like DWC3 IP doesn't clear stalls
automatically when we disable an endpoint, because
of that, we _must_ make sure stalls are cleared
before clearing the proper bit in DALEPENA register.
Reported-by: Johannes Stezenbach <js@sig21.net>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paul Bolle [Mon, 26 May 2014 21:37:09 +0000 (23:37 +0200)]
usb: gadget: rename CONFIG_USB_GADGET_PXA25X
commit
d30f2065d6da377cc76771aca5a9850cfca8723b upstream.
Commit
193ab2a60700 ("usb: gadget: allow multiple gadgets to be built")
basically renamed the Kconfig symbol USB_GADGET_PXA25X to USB_PXA25X. It
did not rename the related macros in use at that time. Commit
c0a39151a405 ("ARM: pxa: fix inconsistent CONFIG_USB_PXA27X") did so for
all but one macro. Rename that last macro too now.
Fixes:
193ab2a60700 ("usb: gadget: allow multiple gadgets to be built")
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alan Stern [Tue, 3 Jun 2014 15:11:34 +0000 (11:11 -0400)]
USB: usbtest: add a timeout for scatter-gather tests
commit
32b36eeae6a859670d2939a7d6136cb5e9ed64f8 upstream.
In usbtest, tests 5 - 8 use the scatter-gather library in usbcore
without any sort of timeout. If there's a problem in the gadget or
host controller being tested, the test can hang.
This patch adds a 10-second timeout to the tests, so that they will
fail gracefully with an ETIMEDOUT error instead of hanging.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Huang Rui <ray.huang@amd.com>
Tested-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Huang Rui [Mon, 26 May 2014 02:55:36 +0000 (10:55 +0800)]
usb: usbtest: fix unlink write error with pattern 1
commit
e4d58f5dcb7d7be45df8def31881ebfae99c75da upstream.
TEST 12 and TEST 24 unlinks the URB write request for N times. When
host and gadget both initialize pattern 1 (mod 63) data series to
transfer, the gadget side will complain the wrong data which is not
expected. Because in host side, usbtest doesn't fill the data buffer
as mod 63 and this patch fixed it.
[20285.488974] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
[20285.489181] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active
[20285.489423] dwc3 dwc3.0.auto: ep1out-bulk: req
ffff8800aa6cb480 dma
aeb50800 length 512 last
[20285.489727] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params
00000000 a9eaf000 00000000
[20285.490055] dwc3 dwc3.0.auto: Command Complete --> 0
[20285.490281] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
[20285.490492] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Active
[20285.490713] dwc3 dwc3.0.auto: ep1out-bulk: endpoint busy
[20285.490909] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Complete
[20285.491117] dwc3 dwc3.0.auto: request
ffff8800aa6cb480 from ep1out-bulk completed 512/512 ===> 0
[20285.491431] zero gadget: bad OUT byte, buf[1] = 0
[20285.491605] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Set Stall' params
00000000 00000000 00000000
[20285.491915] dwc3 dwc3.0.auto: Command Complete --> 0
[20285.492099] dwc3 dwc3.0.auto: queing request
ffff8800aa6cb480 to ep1out-bulk length 512
[20285.492387] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
[20285.492595] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active
[20285.492830] dwc3 dwc3.0.auto: ep1out-bulk: req
ffff8800aa6cb480 dma
aeb51000 length 512 last
[20285.493135] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params
00000000 a9eaf000 00000000
[20285.493465] dwc3 dwc3.0.auto: Command Complete --> 0
Signed-off-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Fri, 9 May 2014 11:59:16 +0000 (14:59 +0300)]
applicom: dereferencing NULL on error path
commit
8bab797c6e5724a43b7666ad70860712365cdb71 upstream.
This is a static checker fix. The "dev" variable is always NULL after
the while statement so we would be dereferencing a NULL pointer here.
Fixes:
819a3eba4233 ('[PATCH] applicom: fix error handling')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stephen Boyd [Sat, 24 May 2014 00:16:53 +0000 (17:16 -0700)]
staging/mt29f_spinand: Terminate of match table
commit
ffd07de65ef5315053ea16356cd533b7f47c17e9 upstream.
Failure to terminate this match table can lead to boot failures
depending on where the compiler places the match table.
Cc: Kamlakant Patel <kamlakant.patel@broadcom.com>
Cc: Mona Anonuevo <manonuevo@micron.com>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Mon, 7 Apr 2014 06:31:21 +0000 (09:31 +0300)]
Staging: rtl8188eu: overflow in update_sta_support_rate()
commit
9dbd79aeb9842144d9a114a979a12c0949ee11eb upstream.
The ->SupportedRates[] array has NDIS_802_11_LENGTH_RATES_EX (16)
elements. Since "ie_len" comes from then network and can go up to 255
then it means we should add a range check to prevent memory corruption.
Fixes:
d6846af679e0 ('staging: r8188eu: Add files for new driver - part 7')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paul Bolle [Mon, 26 May 2014 19:47:11 +0000 (21:47 +0200)]
staging: tidspbridge: check for CONFIG_SND_OMAP_SOC_MCBSP
commit
d3921a03a89acb1b9ca599590c0131c89f8737d8 upstream.
Commit
d0f47ff17f29 ("ASoC: OMAP: Build config cleanup for McBSP")
removed the Kconfig symbol OMAP_MCBSP. It left two checks for
CONFIG_OMAP_MCBSP untouched.
Convert these to checks for CONFIG_SND_OMAP_SOC_MCBSP. That must be
correct, since that re-enables calls to functions that are all found in
sound/soc/omap/mcbsp.c. And that file is built only if
CONFIG_SND_OMAP_SOC_MCBSP is defined.
Fixes:
d0f47ff17f29 ("ASoC: OMAP: Build config cleanup for McBSP")
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Antoine Ténart [Mon, 12 May 2014 12:56:28 +0000 (14:56 +0200)]
phy: exynos-mipi-video: fix check on array index
commit
98c3b32229f2685c13436b652b8959c99dfc5a31 upstream.
The phys array is of size EXYNOS_MIPI_PHYS_NUM. Trying to access the
index EXYNOS_MIPI_PHYS_NUM should return an error.
Fixes:
069d2e26e9d6 "phy: Add driver for Exynos MIPI CSIS/DSIM DPHYs"
Signed-off-by: Antoine Ténart <antoine.tenart@free-electrons.com>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Krzysztof Kozlowski [Fri, 18 Apr 2014 14:47:30 +0000 (16:47 +0200)]
extcon: max14577: Properly handle regmap_irq_get_virq error
commit
369afd4ba22f5b8de0c9229b6e62b3f9e2207034 upstream.
The regmap_irq_get_virq may return 0 or -EINVAL on error. Fail the probe
in both situations.
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Krzysztof Kozlowski [Wed, 9 Apr 2014 09:56:09 +0000 (11:56 +0200)]
extcon: max14577: Fix probe failure on successful work queue
commit
12adef5b49e98eb181b4163c36e2998169e1379b upstream.
In probe the driver queued delayed work for cable detection and
returned the result of queue_delayed_work() call. However the return
value of queue_delayed_work() does not indicate an error and in normal
condition it returns true which means successful work queue.
This effectively resulted in probe failure:
[ 2.088204] max14577-muic: probe of max77836-muic failed with error 1
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Fixes:
962e56bfcf0b ("extcon: max14577: Add extcon-max14577 driver...")
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Krzysztof Kozlowski [Wed, 9 Apr 2014 13:20:12 +0000 (15:20 +0200)]
extcon: max77693: Fix two NULL pointer exceptions on missing pdata
commit
d5653f2b7304f05eeb45d84f123cf02f840b8537 upstream.
Fix NULL pointer exceptions when platform data is not supplied.
Trace of one exception:
Unable to handle kernel NULL pointer dereference at virtual address
00000008
pgd =
c0004000
[
00000008] *pgd=
00000000
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.14.0-12045-gead5dd4687a6-dirty #1628
task:
eea80000 ti:
eea88000 task.ti:
eea88000
PC is at max77693_muic_probe+0x27c/0x528
LR is at regmap_write+0x50/0x60
pc : [<
c041d1c8>] lr : [<
c02eba60>] psr:
20000113
sp :
eea89e38 ip :
00000000 fp :
c098a834
r10:
ee1a5a10 r9 :
00000005 r8 :
c098a83c
r7 :
0000000a r6 :
c098a774 r5 :
00000005 r4 :
eeb006d0
r3 :
c0697bd8 r2 :
00000000 r1 :
00000001 r0 :
00000000
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
Control:
10c5387d Table:
4000404a DAC:
00000015
Process swapper/0 (pid: 1, stack limit = 0xeea88240)
Stack: (0xeea89e38 to 0xeea8a000)
9e20:
c08499fc eeb006d0
9e40:
00000000 00000000 c0915f98 00000001 00000000 ee1a5a10 c098a730 c09a88b8
9e60:
00000000 c098a730 c0915f98 00000000 00000000 c02d6aa0 c02d6a88 ee1a5a10
9e80:
c0a712c8 c02d54e4 00001204 c0628b00 ee1a5a10 c098a730 ee1a5a44 00000000
9ea0:
eea88000 c02d57b4 00000000 c098a730 c02d5728 c02d3a24 ee813e5c eeb9d534
9ec0:
c098a730 ee22f700 c097c720 c02d4b14 c08174ec c098a730 00000006 c098a730
9ee0:
00000006 c092fd30 c09b8500 c02d5df8 00000000 c093cbb8 00000006 c0008928
9f00:
000000c3 ef7fc785 00000000 ef7fc794 00000000 c08af968 00000072 eea89f30
9f20:
ef7fc85e c065f198 000000c3 c003e87c 00000003 00000000 c092fd3c 00000000
9f40:
c08af618 c0826d58 00000006 00000006 c0956f58 c093cbb8 00000006 c092fd30
9f60:
c09b8500 000000c3 c092fd3c c08e8510 00000000 c08e8bb0 00000006 00000006
9f80:
c08e8510 c0c0c0c0 00000000 c0628fac 00000000 00000000 00000000 00000000
9fa0:
00000000 c0628fb4 00000000 c000f038 00000000 00000000 00000000 00000000
9fc0:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0:
00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0
[<
c041d1c8>] (max77693_muic_probe) from [<
c02d6aa0>] (platform_drv_probe+0x18/0x48)
[<
c02d6aa0>] (platform_drv_probe) from [<
c02d54e4>] (driver_probe_device+0x140/0x384)
[<
c02d54e4>] (driver_probe_device) from [<
c02d57b4>] (__driver_attach+0x8c/0x90)
[<
c02d57b4>] (__driver_attach) from [<
c02d3a24>] (bus_for_each_dev+0x54/0x88)
[<
c02d3a24>] (bus_for_each_dev) from [<
c02d4b14>] (bus_add_driver+0xe8/0x204)
[<
c02d4b14>] (bus_add_driver) from [<
c02d5df8>] (driver_register+0x78/0xf4)
[<
c02d5df8>] (driver_register) from [<
c0008928>] (do_one_initcall+0xc4/0x174)
[<
c0008928>] (do_one_initcall) from [<
c08e8bb0>] (kernel_init_freeable+0xfc/0x1c8)
[<
c08e8bb0>] (kernel_init_freeable) from [<
c0628fb4>] (kernel_init+0x8/0xec)
[<
c0628fb4>] (kernel_init) from [<
c000f038>] (ret_from_fork+0x14/0x3c)
Code:
caffffe7 e59d200c e3550001 b3a05001 (
e5923008)
---[ end trace
85db969ce011bde7 ]---
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Fixes:
190d7cfc8632
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Krzysztof Kozlowski [Wed, 9 Apr 2014 13:20:14 +0000 (15:20 +0200)]
extcon: max8997: Fix NULL pointer exception on missing pdata
commit
dfee4111febf3d9ef3a640b2cd6205c75f4e7e3d upstream.
Fix NULL pointer exception when platform data is not supplied. The
driver dereferenced pdata pointer where it could be NULL.
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Fixes:
810d601f07c
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Thu, 8 May 2014 08:09:23 +0000 (10:09 +0200)]
net: cpsw: fix null dereference at probe
commit
6954cc1f238199e971ec905c5cc87120806ac981 upstream.
Fix null-pointer dereference at probe when the mdio platform device is
missing (e.g. when it has been disabled in DT).
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ursula Braun [Tue, 13 May 2014 12:38:02 +0000 (14:38 +0200)]
af_iucv: wrong mapping of sent and confirmed skbs
commit
f5738e2ef88070ef1372e6e718124d88e9abe4ac upstream.
When sending data through IUCV a MESSAGE COMPLETE interrupt
signals that sent data memory can be freed or reused again.
With commit
f9c41a62bba3f3f7ef3541b2a025e3371bcbba97
"af_iucv: fix recvmsg by replacing skb_pull() function" the
MESSAGE COMPLETE callback iucv_callback_txdone() identifies
the wrong skb as being confirmed, which leads to data corruption.
This patch fixes the skb mapping logic in iucv_callback_txdone().
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stephane Grosjean [Tue, 20 May 2014 09:38:56 +0000 (11:38 +0200)]
can: peak_pci: prevent use after free at netdev removal
commit
0b5a958cf4df3a5cd578b861471e62138f55c85e upstream.
As remarked by Christopher R. Baker in his post at
http://marc.info/?l=linux-can&m=
139707295706465&w=2
there's a possibility for an use after free condition at device removal.
This simplified patch introduces an additional variable to prevent the issue.
Thanks for catching this.
Reported-by: Christopher R. Baker <cbaker@rec.ri.cmu.edu>
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Thu, 8 May 2014 08:09:22 +0000 (10:09 +0200)]
Revert "net: eth: cpsw: Correctly attach to GPIO bitbang MDIO driver"
commit
59993f48b38fd46863b23bb1bb1dc3291e7278fb upstream.
This reverts commit
f8d56d8f892be43a2404356073e16401eb5a42e6 ("net:
eth: cpsw: Correctly attach to GPIO bitbang MDIO driver").
Fix potential null-pointer dereference at probe if the mdio-gpio device
has not been successfully probed yet.
The offending commit is plain wrong for a number of reasons. First of
all it accesses internal driver data of an unrelated device. Neither
does it check that the data is non-null (which it is in case the device
has not been probed yet).
Furthermore, the decision on whether to treat any driver data according
to the mdio-gpio driver's internals is made based on the node name. But
the name is not compared against "mdio" which is the normal name for the
node, but rather against "gpio" which the node does not have to be named
(and shouldn't be according to the binding documentation). [ If this
hack is to be kept out-of-tree it should at least be matching against
the compatible property. ]
Cc: Stefan Roese <sr@denx.de>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Thu, 26 Jun 2014 19:15:55 +0000 (15:15 -0400)]
Linux 3.14.9
Lars-Peter Clausen [Wed, 18 Jun 2014 11:32:35 +0000 (13:32 +0200)]
ALSA: control: Make sure that id->index does not overflow
commit
883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
The ALSA control code expects that the range of assigned indices to a control is
continuous and does not overflow. Currently there are no checks to enforce this.
If a control with a overflowing index range is created that control becomes
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
able to find it. This patch adds a check that makes sure that controls with a
overflowing index range can not be created.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lars-Peter Clausen [Wed, 18 Jun 2014 11:32:34 +0000 (13:32 +0200)]
ALSA: control: Handle numid overflow
commit
ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
Each control gets automatically assigned its numids when the control is created.
The allocation is done by incrementing the numid by the amount of allocated
numids per allocation. This means that excessive creation and destruction of
controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
eventually overflow. Currently when this happens for the control that caused the
overflow kctl->id.numid + kctl->count will also over flow causing it to be
smaller than kctl->id.numid. Most of the code assumes that this is something
that can not happen, so we need to make sure that it won't happen
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lars-Peter Clausen [Wed, 18 Jun 2014 11:32:33 +0000 (13:32 +0200)]
ALSA: control: Don't access controls outside of protected regions
commit
fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream.
A control that is visible on the card->controls list can be freed at any time.
This means we must not access any of its memory while not holding the
controls_rw_lock. Otherwise we risk a use after free access.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lars-Peter Clausen [Wed, 18 Jun 2014 11:32:32 +0000 (13:32 +0200)]
ALSA: control: Fix replacing user controls
commit
82262a46627bebb0febcc26664746c25cef08563 upstream.
There are two issues with the current implementation for replacing user
controls. The first is that the code does not check if the control is actually a
user control and neither does it check if the control is owned by the process
that tries to remove it. That allows userspace applications to remove arbitrary
controls, which can cause a user after free if a for example a driver does not
expect a control to be removed from under its feed.
The second issue is that on one hand when a control is replaced the
user_ctl_count limit is not checked and on the other hand the user_ctl_count is
increased (even though the number of user controls does not change). This allows
userspace, once the user_ctl_count limit as been reached, to repeatedly replace
a control until user_ctl_count overflows. Once that happens new controls can be
added effectively bypassing the user_ctl_count limit.
Both issues can be fixed by instead of open-coding the removal of the control
that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
proper permission checks as well as decrements user_ctl_count after the control
has been removed.
Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
beginning of the function if the control already exists is removed. This is not
a problem though since the check is quite useless, because the lock that is
protecting the control list is released between the check and before adding the
new control to the list, which means that it is possible that a different
control with the same settings is added to the list after the check. Luckily
there is another check that is done while holding the lock in snd_ctl_add(), so
we'll rely on that to make sure that the same control is not added twice.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lars-Peter Clausen [Wed, 18 Jun 2014 11:32:31 +0000 (13:32 +0200)]
ALSA: control: Protect user controls against concurrent access
commit
07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream.
The user-control put and get handlers as well as the tlv do not protect against
concurrent access from multiple threads. Since the state of the control is not
updated atomically it is possible that either two write operations or a write
and a read operation race against each other. Both can lead to arbitrary memory
disclosure. This patch introduces a new lock that protects user-controls from
concurrent access. Since applications typically access controls sequentially
than in parallel a single lock per card should be fine.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
David Henningsson [Fri, 13 Jun 2014 09:15:44 +0000 (11:15 +0200)]
ALSA: hda - Add quirk for external mic on Lifebook U904
commit
2041d56464a067461d7cc21734a0f024587ed2ff upstream.
According to the bug reporter (Данило Шеган), the external mic
starts to work and has proper jack detection if only pin 0x19
is marked properly as an external headset mic.
AlsaInfo at https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1328587/+attachment/4128991/+files/AlsaInfo.txt
BugLink: https://bugs.launchpad.net/bugs/1328587
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kailang Yang [Fri, 13 Jun 2014 09:16:31 +0000 (17:16 +0800)]
ALSA: hda/realtek - Add more entry for enable HP mute led
commit
8a02b164d4bfac108bfe37e98108bff1e062bd3d upstream.
More HP machine need mute led support.
Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kailang Yang [Thu, 5 Jun 2014 03:13:44 +0000 (11:13 +0800)]
ALSA: hda/realtek - Add support of ALC891 codec
commit
b6c5fbad16aa5026f508093a8d651c25e1cb6179 upstream.
New codec support for ALC891.
Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wang, Xiaoming [Thu, 12 Jun 2014 22:47:07 +0000 (18:47 -0400)]
ALSA: compress: Cancel the optimization of compiler and fix the size of struct for all platform.
commit
2bd0ae464a6cf7363bbf72c8545e0aa43caa57f0 upstream.
Cancel the optimization of compiler for struct snd_compr_avail
which size will be 0x1c in 32bit kernel while 0x20 in 64bit
kernel under the optimizer. That will make compaction between
32bit and 64bit. So add packed to fix the size of struct
snd_compr_avail to 0x1c for all platform.
Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com>
Signed-off-by: xiaoming wang <xiaoming.wang@intel.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Sat, 21 Jun 2014 05:01:41 +0000 (22:01 -0700)]
lz4: ensure length does not wrap
commit
206204a1162b995e2185275167b22468c00d6b36 upstream.
Given some pathologically compressed data, lz4 could possibly decide to
wrap a few internal variables, causing unknown things to happen. Catch
this before the wrapping happens and abort the decompression.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Sat, 21 Jun 2014 05:00:53 +0000 (22:00 -0700)]
lzo: properly check for overruns
commit
206a81c18401c0cde6e579164f752c4b147324ce upstream.
The lzo decompressor can, if given some really crazy data, possibly
overrun some variable types. Modify the checking logic to properly
detect overruns before they happen.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Tested-by: "Don A. Bailey" <donb@securitymouse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Meerwald [Tue, 20 May 2014 07:36:00 +0000 (08:36 +0100)]
iio: Fix two mpl3115 issues in measurement conversion
commit
d29f592929489d0a7c414396fae28119f3d280e1 upstream.
(i) pressure is 20-bit unsigned, not signed; the buffer description
is incorrect; for raw reads, this is just cosmetic
(ii) temperature is 12-bit signed, not 16-bit; this affects
readout of temperatures below zero as the sign bit is incorrectly
processed
reported via private mail
Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
Reported-by: Robert Deliën <robert@delien.nl>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Meerwald [Tue, 6 May 2014 08:53:00 +0000 (09:53 +0100)]
iio: Fix endianness issue in ak8975_read_axis()
commit
8ba42fb7b17649c9ab5b5e79d4e90370a0b4645e upstream.
i2c_smbus_read_word_data() does host endian conversion already,
no need for le16_to_cpu()
Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Thu, 6 Nov 2014 09:13:00 +0000 (09:13 +0000)]
iio: adc: at91: signedness bug in at91_adc_get_trigger_value_by_name()
commit
4f3bcd878f1d3c730fe00f619b7260c6125d49eb upstream.
at91_adc_get_trigger_value_by_name() was returning -ENOMEM truncated to
a positive u8 and that doesn't work. I've changed it to int and
refactored it to preserve the error code.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Tested-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Robert Hodaszi [Mon, 6 Oct 2014 13:41:00 +0000 (14:41 +0100)]
iio: mxs-lradc: fix divider
commit
19bc4981a213d0c5b0e1e8b08815c0b26f01ec54 upstream.
All channels' single measurement are happening on CH 0. So enabling / disabling
the divider once is not enough, because it has impact on all channels.
Set only a flag, then check this on each measurement, and enable / disable the
divider as required.
Signed-off-by: Robert Hodaszi <robert.hodaszi@digi.com>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Marek Vasut <marex@denx.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mario Schuknecht [Tue, 27 May 2014 06:19:00 +0000 (07:19 +0100)]
staging: iio: tsl2x7x_core: fix proximity treshold
commit
c404618cd06dad771495fe1cf9d5a63b5664f65f upstream.
Consider high byte of proximity min and max treshold in function
'tsl2x7x_chip_on'. So far, the high byte was not set.
Signed-off-by: Mario Schuknecht <mario.schuknecht@dresearch-fe.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jonathan Cameron [Sat, 24 May 2014 11:52:10 +0000 (12:52 +0100)]
iio:adc:max1363 incorrect resolutions for max11604, max11605, max11610 and max11611.
commit
a91a73c8b39a6b8bcc53fafa5372c65387c81233 upstream.
Reported-by: Erik Habbinga <Erik.Habbinga@schneider-electric.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Acked-by: Hartmut Knaack <knaack.h@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Ujfalusi [Fri, 30 May 2014 13:47:41 +0000 (16:47 +0300)]
ASoC: tlv320aci3x: Fix custom snd_soc_dapm_put_volsw_aic3x() function
commit
e6c111fac4464e3f4bf7b3802b517dafc80f8e0f upstream.
For some unknown reason the parameters for snd_soc_test_bits() were in wrong
order:
It was:
snd_soc_test_bits(codec, val, mask, reg); /* WRONG!!! */
while it should be:
snd_soc_test_bits(codec, reg, mask, val);
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Liam Girdwood [Fri, 16 May 2014 13:55:20 +0000 (16:55 +0300)]
ASoC: max98090: Fix reset at resume time
commit
25b4ab430f8e166c9b63f4db28e7e812d5a59396 upstream.
Reset needs to wait 20ms before other codec IO is performed. This wait
was not being performed. Fix this by making sure the reset register is not
restored with the cache, but use the manual reset method in resume with
the wait.
Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lars-Peter Clausen [Sun, 4 May 2014 17:17:05 +0000 (19:17 +0200)]
ASoC: dapm: Make sure to always update the DAPM graph in _put_volsw()
commit
c9e065c27fe9b81e5d6e7681d77a24f7b9616675 upstream.
When using auto-muted controls it may happen that the register value will not
change when changing a control from enabled to disabled (since the control might
be physically disabled due to the auto-muting). We have to make sure to still
update the DAPM graph and disconnect the mixer input.
Fixes: commit 5729507 ("ASoC: dapm: Implement mixer input auto-disable")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Radim Krčmář [Tue, 27 May 2014 17:16:20 +0000 (19:16 +0200)]
hv: use correct order when freeing monitor_pages
commit
a100d88df1e924e5c9678fabf054d1bae7ab74fb upstream.
We try to free two pages when only one has been allocated.
Cleanup path is unlikely, so I haven't found any trace that would fit,
but I hope that free_pages_prepare() does catch it.
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Reviewed-by: Amos Kong <akong@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
K. Y. Srinivasan [Wed, 23 Apr 2014 20:53:39 +0000 (13:53 -0700)]
Drivers: hv: balloon: Ensure pressure reports are posted regularly
commit
ae339336dc950b9b05e7ccd3565dd3e8781c06d9 upstream.
The current code posts periodic memory pressure status from a dedicated thread.
Under some conditions, especially when we are releasing a lot of memory into
the guest, we may not send timely pressure reports back to the host. Fix this
issue by reporting pressure in all contexts that can be active in this driver.
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:45 +0000 (19:23 +0200)]
USB: cdc-acm: fix runtime PM imbalance at shutdown
commit
5292afa657d0e790b7479ad8eef9450c1e040b3d upstream.
Make sure only to decrement the PM counters if they were actually
incremented.
Note that the USB PM counter, but not necessarily the driver core PM
counter, is reset when the interface is unbound.
Fixes:
11ea859d64b6 ("USB: additional power savings for cdc-acm devices
that support remote wakeup")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:44 +0000 (19:23 +0200)]
USB: cdc-acm: fix I/O after failed open
commit
e4c36076c2a6195ec62c35b03c3fde84d0087dc8 upstream.
Make sure to kill any already submitted read urbs on read-urb submission
failures in open in order to prevent doing I/O for a closed port.
Fixes:
088c64f81284 ("USB: cdc-acm: re-write read processing")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:41 +0000 (19:23 +0200)]
USB: cdc-acm: fix potential urb leak and PM imbalance in write
commit
183a45087d126d126e8dd1d9b2602fc129dff9ad upstream.
Make sure to check return value of autopm get in write() in order to
avoid urb leak and PM counter imbalance on errors.
Fixes:
11ea859d64b6 ("USB: additional power savings for cdc-acm devices
that support remote wakeup")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:40 +0000 (19:23 +0200)]
USB: cdc-acm: fix shutdown and suspend race
commit
ed797074031a37bb9bf4a70952fffc606b77274d upstream.
We should stop I/O unconditionally at suspend rather than rely on the
tty-port initialised flag (which is set prior to stopping I/O during
shutdown) in order to prevent suspend returning with URBs still active.
Fixes:
11ea859d64b6 ("USB: additional power savings for cdc-acm devices
that support remote wakeup")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:39 +0000 (19:23 +0200)]
USB: cdc-acm: fix runtime PM for control messages
commit
bae3f4c53585e9a170da9436e0f06919874bda9a upstream.
Fix runtime PM handling of control messages by adding the required PM
counter operations.
Fixes:
11ea859d64b6 ("USB: additional power savings for cdc-acm devices
that support remote wakeup")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:38 +0000 (19:23 +0200)]
USB: cdc-acm: fix broken runtime suspend
commit
140cb81ac8c625942a1d695875932c615767a526 upstream.
The current ACM runtime-suspend implementation is broken in several
ways:
Firstly, it buffers only the first write request being made while
suspended -- any further writes are silently dropped.
Secondly, writes being dropped also leak write urbs, which are never
reclaimed (until the device is unbound).
Thirdly, even the single buffered write is not cleared at shutdown
(which may happen before the device is resumed), something which can
lead to another urb leak as well as a PM usage-counter leak.
Fix this by implementing a delayed-write queue using urb anchors and
making sure to discard the queue properly at shutdown.
Fixes:
11ea859d64b6 ("USB: additional power savings for cdc-acm devices
that support remote wakeup")
Reported-by: Xiao Jin <jin.xiao@intel.com>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:37 +0000 (19:23 +0200)]
USB: cdc-acm: fix write and resume race
commit
e144ed28bed10684f9aaec6325ed974d53f76110 upstream.
Fix race between write() and resume() due to improper locking that could
lead to writes being reordered.
Resume must be done atomically and susp_count be protected by the
write_lock in order to prevent racing with write(). This could otherwise
lead to writes being reordered if write() grabs the write_lock after
susp_count is decremented, but before the delayed urb is submitted.
Fixes:
11ea859d64b6 ("USB: additional power savings for cdc-acm devices
that support remote wakeup")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 26 May 2014 17:23:36 +0000 (19:23 +0200)]
USB: cdc-acm: fix write and suspend race
commit
5a345c20c17d87099224a4be12e69e5bd7023dca upstream.
Fix race between write() and suspend() which could lead to writes being
dropped (or I/O while suspended) if the device is runtime suspended
while a write request is being processed.
Specifically, suspend() releases the write_lock after determining the
device is idle but before incrementing the susp_count, thus leaving a
window where a concurrent write() can submit an urb.
Fixes:
11ea859d64b6 ("USB: additional power savings for cdc-acm devices
that support remote wakeup")
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
James Hogan [Thu, 29 May 2014 09:16:23 +0000 (10:16 +0100)]
MIPS: KVM: Allocate at least 16KB for exception handlers
commit
7006e2dfda9adfa40251093604db76d7e44263b3 upstream.
Each MIPS KVM guest has its own copy of the KVM exception vector. This
contains the TLB refill exception handler at offset 0x000, the general
exception handler at offset 0x180, and interrupt exception handlers at
offset 0x200 in case Cause_IV=1. A common handler is copied to offset
0x2000 and offset 0x3000 is used for temporarily storing k1 during entry
from guest.
However the amount of memory allocated for this purpose is calculated as
0x200 rounded up to the next page boundary, which is insufficient if 4KB
pages are in use. This can lead to the common handler at offset 0x2000
being overwritten and infinitely recursive exceptions on the next exit
from the guest.
Increase the minimum size from 0x200 to 0x4000 to cover the full use of
the page.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: kvm@vger.kernel.org
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: Sanjay Lal <sanjayl@kymasys.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Boris BREZILLON [Fri, 6 Jun 2014 21:36:11 +0000 (14:36 -0700)]
ARM: at91: fix at91_sysirq_mask_rtc for sam9x5 SoCs
commit
9dcc87fec8947308e0111c65dcd881e6aa5b1673 upstream.
sam9x5 SoCs have the following errata:
"RTC: Interrupt Mask Register cannot be used
Interrupt Mask Register read always returns 0."
Hence we should not rely on what IMR claims about already masked IRQs
and just disable all IRQs.
Signed-off-by: Boris BREZILLON <boris.brezillon@free-electrons.com>
Reported-by: Bryan Evenson <bevenson@melinkcorp.com>
Reviewed-by: Johan Hovold <johan@hovold.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Cc: Bryan Evenson <bevenson@melinkcorp.com>
Cc: Andrew Victor <linux@maxim.org.za>
Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Mark Roszko <mark.roszko@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paolo Bonzini [Wed, 14 May 2014 15:40:58 +0000 (17:40 +0200)]
KVM: lapic: sync highest ISR to hardware apic on EOI
commit
fc57ac2c9ca8109ea97fcc594f4be436944230cc upstream.
When Hyper-V enlightenments are in effect, Windows prefers to issue an
Hyper-V MSR write to issue an EOI rather than an x2apic MSR write.
The Hyper-V MSR write is not handled by the processor, and besides
being slower, this also causes bugs with APIC virtualization. The
reason is that on EOI the processor will modify the highest in-service
interrupt (SVI) field of the VMCS, as explained in section 29.1.4 of
the SDM; every other step in EOI virtualization is already done by
apic_send_eoi or on VM entry, but this one is missing.
We need to do the same, and be careful not to muck with the isr_count
and highest_isr_cache fields that are unused when virtual interrupt
delivery is enabled.
Reviewed-by: Yang Zhang <yang.z.zhang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wei Yang [Sun, 8 Jun 2014 10:49:46 +0000 (13:49 +0300)]
net/mlx4_core: Keep only one driver entry release mlx4_priv
[ Upstream commit
da1de8dfff09d33d4a5345762c21b487028e25f5 ]
Following commit befdf89 "net/mlx4_core: Preserve pci_dev_data after
__mlx4_remove_one()", there are two mlx4 pci callbacks which will
attempt to release the mlx4_priv object -- .shutdown and .remove.
This leads to a use-after-free access to the already freed mlx4_priv
instance and trigger a "Kernel access of bad area" crash when both
.shutdown and .remove are called.
During reboot or kexec, .shutdown is called, with the VFs probed to
the host going through shutdown first and then the PF. Later, the PF
will trigger VFs' .remove since VFs still have driver attached.
Fix that by keeping only one driver entry which releases mlx4_priv.
Fixes: befdf89 ('net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()')
CC: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Wei Yang <weiyang@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wei Yang [Sun, 1 Jun 2014 07:24:35 +0000 (15:24 +0800)]
net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()
[ Upstream commit
befdf8978accecac2e0739e6b5075afc62db37fe ]
pci_match_id() just match the static pci_device_id, which may return NULL if
someone binds the driver to a device manually using
/sys/bus/pci/drivers/.../new_id.
This patch wrap up a helper function __mlx4_remove_one() which does the tear
down function but preserve the drv_data. Functions like
mlx4_pci_err_detected() and mlx4_restart_one() will call this one with out
releasing drvdata.
Fixes: 97a5221 "net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset".
CC: Bjorn Helgaas <bhelgaas@google.com>
CC: Amir Vadai <amirv@mellanox.com>
CC: Jack Morgenstein <jackm@dev.mellanox.co.il>
CC: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Wei Yang <weiyang@linux.vnet.ibm.com>
Acked-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Thu, 12 Jun 2014 23:13:06 +0000 (16:13 -0700)]
udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup
[ Upstream commit
63c6f81cdde58c41da62a8d8a209592e42a0203e ]
Its too easy to add thousand of UDP sockets on a particular bucket,
and slow down an innocent multicast receiver.
Early demux is supposed to be an optimization, we should avoid spending
too much time in it.
It is interesting to note __udp4_lib_demux_lookup() only tries to
match first socket in the chain.
10 is the threshold we already have in __udp4_lib_lookup() to switch
to secondary hash.
Fixes:
421b3885bf6d5 ("udp: ipv4: Add udp early demux")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: David Held <drheld@google.com>
Cc: Shawn Bohrer <sbohrer@rgmadvisors.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cong Wang [Thu, 12 Jun 2014 18:53:10 +0000 (11:53 -0700)]
vxlan: use dev->needed_headroom instead of dev->hard_header_len
[ Upstream commit
2853af6a2ea1a8ed09b09dd4fb578e7f435e8d34 ]
When we mirror packets from a vxlan tunnel to other device,
the mirror device should see the same packets (that is, without
outer header). Because vxlan tunnel sets dev->hard_header_len,
tcf_mirred() resets mac header back to outer mac, the mirror device
actually sees packets with outer headers
Vxlan tunnel should set dev->needed_headroom instead of
dev->hard_header_len, like what other ip tunnels do. This fixes
the above problem.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: stephen hemminger <stephen@networkplumber.org>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michal Schmidt [Wed, 28 May 2014 12:15:19 +0000 (14:15 +0200)]
rtnetlink: fix userspace API breakage for iproute2 < v3.9.0
[ Upstream commit
e5eca6d41f53db48edd8cf88a3f59d2c30227f8e ]
When running RHEL6 userspace on a current upstream kernel, "ip link"
fails to show VF information.
The reason is a kernel<->userspace API change introduced by commit
88c5b5ce5cb57 ("rtnetlink: Call nlmsg_parse() with correct header length"),
after which the kernel does not see iproute2's IFLA_EXT_MASK attribute
in the netlink request.
iproute2 adjusted for the API change in its commit
63338dca4513
("libnetlink: Use ifinfomsg instead of rtgenmsg in rtnl_wilddump_req_filter").
The problem has been noticed before:
http://marc.info/?l=linux-netdev&m=
136692296022182&w=2
(Subject: Re: getting VF link info seems to be broken in 3.9-rc8)
We can do better than tell those with old userspace to upgrade. We can
recognize the old iproute2 in the kernel by checking the netlink message
length. Even when including the IFLA_EXT_MASK attribute, its netlink
message is shorter than struct ifinfomsg.
With this patch "ip link" shows VF information in both old and new
iproute2 versions.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Xufeng Zhang [Thu, 12 Jun 2014 02:53:36 +0000 (10:53 +0800)]
sctp: Fix sk_ack_backlog wrap-around problem
[ Upstream commit
d3217b15a19a4779c39b212358a5c71d725822ee ]
Consider the scenario:
For a TCP-style socket, while processing the COOKIE_ECHO chunk in
sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
a new association would be created in sctp_unpack_cookie(), but afterwards,
some processing maybe failed, and sctp_association_free() will be called to
free the previously allocated association, in sctp_association_free(),
sk_ack_backlog value is decremented for this socket, since the initial
value for sk_ack_backlog is 0, after the decrement, it will be 65535,
a wrap-around problem happens, and if we want to establish new associations
afterward in the same socket, ABORT would be triggered since sctp deem the
accept queue as full.
Fix this issue by only decrementing sk_ack_backlog for associations in
the endpoint's list.
Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Tue, 10 Jun 2014 13:43:01 +0000 (06:43 -0700)]
ipv4: fix a race in ip4_datagram_release_cb()
[ Upstream commit
9709674e68646cee5a24e3000b3558d25412203a ]
Alexey gave a AddressSanitizer[1] report that finally gave a good hint
at where was the origin of various problems already reported by Dormando
in the past [2]
Problem comes from the fact that UDP can have a lockless TX path, and
concurrent threads can manipulate sk_dst_cache, while another thread,
is holding socket lock and calls __sk_dst_set() in
ip4_datagram_release_cb() (this was added in linux-3.8)
It seems that all we need to do is to use sk_dst_check() and
sk_dst_set() so that all the writers hold same spinlock
(sk->sk_dst_lock) to prevent corruptions.
TCP stack do not need this protection, as all sk_dst_cache writers hold
the socket lock.
[1]
https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
AddressSanitizer: heap-use-after-free in ipv4_dst_check
Read of size 2 by thread T15453:
[<
ffffffff817daa3a>] ipv4_dst_check+0x1a/0x90 ./net/ipv4/route.c:1116
[<
ffffffff8175b789>] __sk_dst_check+0x89/0xe0 ./net/core/sock.c:531
[<
ffffffff81830a36>] ip4_datagram_release_cb+0x46/0x390 ??:0
[<
ffffffff8175eaea>] release_sock+0x17a/0x230 ./net/core/sock.c:2413
[<
ffffffff81830882>] ip4_datagram_connect+0x462/0x5d0 ??:0
[<
ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
[<
ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
[<
ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
[<
ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
./arch/x86/kernel/entry_64.S:629
Freed by thread T15455:
[<
ffffffff8178d9b8>] dst_destroy+0xa8/0x160 ./net/core/dst.c:251
[<
ffffffff8178de25>] dst_release+0x45/0x80 ./net/core/dst.c:280
[<
ffffffff818304c1>] ip4_datagram_connect+0xa1/0x5d0 ??:0
[<
ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
[<
ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
[<
ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
[<
ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
./arch/x86/kernel/entry_64.S:629
Allocated by thread T15453:
[<
ffffffff8178d291>] dst_alloc+0x81/0x2b0 ./net/core/dst.c:171
[<
ffffffff817db3b7>] rt_dst_alloc+0x47/0x50 ./net/ipv4/route.c:1406
[< inlined >] __ip_route_output_key+0x3e8/0xf70
__mkroute_output ./net/ipv4/route.c:1939
[<
ffffffff817dde08>] __ip_route_output_key+0x3e8/0xf70 ./net/ipv4/route.c:2161
[<
ffffffff817deb34>] ip_route_output_flow+0x14/0x30 ./net/ipv4/route.c:2249
[<
ffffffff81830737>] ip4_datagram_connect+0x317/0x5d0 ??:0
[<
ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
[<
ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
[<
ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
[<
ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
./arch/x86/kernel/entry_64.S:629
[2]
<4>[196727.311203] general protection fault: 0000 [#1] SMP
<4>[196727.311224] Modules linked in: xt_TEE xt_dscp xt_DSCP macvlan bridge coretemp crc32_pclmul ghash_clmulni_intel gpio_ich microcode ipmi_watchdog ipmi_devintf sb_edac edac_core lpc_ich mfd_core tpm_tis tpm tpm_bios ipmi_si ipmi_msghandler isci igb libsas i2c_algo_bit ixgbe ptp pps_core mdio
<4>[196727.311333] CPU: 17 PID: 0 Comm: swapper/17 Not tainted 3.10.26 #1
<4>[196727.311344] Hardware name: Supermicro X9DRi-LN4+/X9DR3-LN4+/X9DRi-LN4+/X9DR3-LN4+, BIOS 3.0 07/05/2013
<4>[196727.311364] task:
ffff885e6f069700 ti:
ffff885e6f072000 task.ti:
ffff885e6f072000
<4>[196727.311377] RIP: 0010:[<
ffffffff815f8c7f>] [<
ffffffff815f8c7f>] ipv4_dst_destroy+0x4f/0x80
<4>[196727.311399] RSP: 0018:
ffff885effd23a70 EFLAGS:
00010282
<4>[196727.311409] RAX:
dead000000200200 RBX:
ffff8854c398ecc0 RCX:
0000000000000040
<4>[196727.311423] RDX:
dead000000100100 RSI:
dead000000100100 RDI:
dead000000200200
<4>[196727.311437] RBP:
ffff885effd23a80 R08:
ffffffff815fd9e0 R09:
ffff885d5a590800
<4>[196727.311451] R10:
0000000000000000 R11:
0000000000000000 R12:
0000000000000000
<4>[196727.311464] R13:
ffffffff81c8c280 R14:
0000000000000000 R15:
ffff880e85ee16ce
<4>[196727.311510] FS:
0000000000000000(0000) GS:
ffff885effd20000(0000) knlGS:
0000000000000000
<4>[196727.311554] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
<4>[196727.311581] CR2:
00007a46751eb000 CR3:
0000005e65688000 CR4:
00000000000407e0
<4>[196727.311625] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
<4>[196727.311669] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
<4>[196727.311713] Stack:
<4>[196727.311733]
ffff8854c398ecc0 ffff8854c398ecc0 ffff885effd23ab0 ffffffff815b7f42
<4>[196727.311784]
ffff88be6595bc00 ffff8854c398ecc0 0000000000000000 ffff8854c398ecc0
<4>[196727.311834]
ffff885effd23ad0 ffffffff815b86c6 ffff885d5a590800 ffff8816827821c0
<4>[196727.311885] Call Trace:
<4>[196727.311907] <IRQ>
<4>[196727.311912] [<
ffffffff815b7f42>] dst_destroy+0x32/0xe0
<4>[196727.311959] [<
ffffffff815b86c6>] dst_release+0x56/0x80
<4>[196727.311986] [<
ffffffff81620bd5>] tcp_v4_do_rcv+0x2a5/0x4a0
<4>[196727.312013] [<
ffffffff81622b5a>] tcp_v4_rcv+0x7da/0x820
<4>[196727.312041] [<
ffffffff815fd9e0>] ? ip_rcv_finish+0x360/0x360
<4>[196727.312070] [<
ffffffff815de02d>] ? nf_hook_slow+0x7d/0x150
<4>[196727.312097] [<
ffffffff815fd9e0>] ? ip_rcv_finish+0x360/0x360
<4>[196727.312125] [<
ffffffff815fda92>] ip_local_deliver_finish+0xb2/0x230
<4>[196727.312154] [<
ffffffff815fdd9a>] ip_local_deliver+0x4a/0x90
<4>[196727.312183] [<
ffffffff815fd799>] ip_rcv_finish+0x119/0x360
<4>[196727.312212] [<
ffffffff815fe00b>] ip_rcv+0x22b/0x340
<4>[196727.312242] [<
ffffffffa0339680>] ? macvlan_broadcast+0x160/0x160 [macvlan]
<4>[196727.312275] [<
ffffffff815b0c62>] __netif_receive_skb_core+0x512/0x640
<4>[196727.312308] [<
ffffffff811427fb>] ? kmem_cache_alloc+0x13b/0x150
<4>[196727.312338] [<
ffffffff815b0db1>] __netif_receive_skb+0x21/0x70
<4>[196727.312368] [<
ffffffff815b0fa1>] netif_receive_skb+0x31/0xa0
<4>[196727.312397] [<
ffffffff815b1ae8>] napi_gro_receive+0xe8/0x140
<4>[196727.312433] [<
ffffffffa00274f1>] ixgbe_poll+0x551/0x11f0 [ixgbe]
<4>[196727.312463] [<
ffffffff815fe00b>] ? ip_rcv+0x22b/0x340
<4>[196727.312491] [<
ffffffff815b1691>] net_rx_action+0x111/0x210
<4>[196727.312521] [<
ffffffff815b0db1>] ? __netif_receive_skb+0x21/0x70
<4>[196727.312552] [<
ffffffff810519d0>] __do_softirq+0xd0/0x270
<4>[196727.312583] [<
ffffffff816cef3c>] call_softirq+0x1c/0x30
<4>[196727.312613] [<
ffffffff81004205>] do_softirq+0x55/0x90
<4>[196727.312640] [<
ffffffff81051c85>] irq_exit+0x55/0x60
<4>[196727.312668] [<
ffffffff816cf5c3>] do_IRQ+0x63/0xe0
<4>[196727.312696] [<
ffffffff816c5aaa>] common_interrupt+0x6a/0x6a
<4>[196727.312722] <EOI>
<1>[196727.313071] RIP [<
ffffffff815f8c7f>] ipv4_dst_destroy+0x4f/0x80
<4>[196727.313100] RSP <
ffff885effd23a70>
<4>[196727.313377] ---[ end trace
64b3f14fae0f2e29 ]---
<0>[196727.380908] Kernel panic - not syncing: Fatal exception in interrupt
Reported-by: Alexey Preobrazhensky <preobr@google.com>
Reported-by: dormando <dormando@rydia.ne>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes:
8141ed9fcedb2 ("ipv4: Add a socket release callback for datagram sockets")
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Cooper [Wed, 11 Jun 2014 13:33:08 +0000 (14:33 +0100)]
sfc: PIO:Restrict to 64bit arch and use 64-bit writes.
[ Upstream commit
daf37b556e437ec1ea1a597dcfeff338068380e1 ]
Fixes:
ee45fd92c739
("sfc: Use TX PIO for sufficiently small packets")
The linux net driver uses memcpy_toio() in order to copy into
the PIO buffers.
Even on a 64bit machine this causes 32bit accesses to a write-
combined memory region.
There are hardware limitations that mean that only 64bit
naturally aligned accesses are safe in all cases.
Due to being write-combined memory region two 32bit accesses
may be coalesced to form a 64bit non 64bit aligned access.
Solution was to open-code the memory copy routines using pointers
and to only enable PIO for x86_64 machines.
Not tested on platforms other than x86_64 because this patch
disables the PIO feature on other platforms.
Compile-tested on x86 to ensure that works.
The WARN_ON_ONCE() code in the previous version of this patch
has been moved into the internal sfc debug driver as the
assertion was unnecessary in the upstream kernel code.
This bug fix applies to v3.13 and v3.14 stable branches.
Signed-off-by: Shradha Shah <sshah@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dmitry Popov [Fri, 6 Jun 2014 19:19:21 +0000 (23:19 +0400)]
ipip, sit: fix ipv4_{update_pmtu,redirect} calls
[ Upstream commit
2346829e641b804ece9ac9298136b56d9567c278 ]
ipv4_{update_pmtu,redirect} were called with tunnel's ifindex (t->dev is a
tunnel netdevice). It caused wrong route lookup and failure of pmtu update or
redirect. We should use the same ifindex that we use in ip_route_output_* in
*tunnel_xmit code. It is t->parms.link .
Signed-off-by: Dmitry Popov <ixaphire@qrator.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Fri, 6 Jun 2014 13:44:03 +0000 (06:44 -0700)]
net: force a list_del() in unregister_netdevice_many()
[ Upstream commit
87757a917b0b3c0787e0563c679762152be81312 ]
unregister_netdevice_many() API is error prone and we had too
many bugs because of dangling LIST_HEAD on stacks.
See commit
f87e6f47933e3e ("net: dont leave active on stack LIST_HEAD")
In fact, instead of making sure no caller leaves an active list_head,
just force a list_del() in the callee. No one seems to need to access
the list after unregister_netdevice_many()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bjørn Mork [Fri, 6 Jun 2014 15:27:59 +0000 (17:27 +0200)]
net: qmi_wwan: add Olivetti Olicard modems
[ Upstream commit
ba6de0f5304ccdc45ae260e7e0feb6e0ef2dd558 ]
Lars writes: "I'm only 99% sure that the net interfaces are qmi
interfaces, nothing to lose by adding them in my opinion."
And I tend to agree based on the similarity with the two Olicard
modems we already have here.
Reported-by: Lars Melin <larsm17@gmail.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexei Starovoitov [Fri, 6 Jun 2014 15:35:59 +0000 (08:35 -0700)]
net: filter: fix sparc32 typo
[ Upstream commit
588f5d629b3369aba88f52217d1c473a28fa7723 ]
Fixes:
569810d1e327 ("net: filter: fix typo in sparc BPF JIT")
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexei Starovoitov [Fri, 6 Jun 2014 05:47:44 +0000 (22:47 -0700)]
net: filter: fix typo in sparc BPF JIT
[ Upstream commit
569810d1e3278907264f5b115281fca3f0038d53 ]
fix typo in sparc codegen for SKF_AD_IFINDEX and SKF_AD_HATYPE
classic BPF extensions
Fixes:
2809a2087cc4 ("net: filter: Just In Time compiler for sparc")
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sergei Shtylyov [Tue, 3 Jun 2014 19:42:26 +0000 (23:42 +0400)]
sh_eth: fix SH7619/771x support
[ Upstream commit
d8b0426af5b67973585712c9af36b86f6ea97815 ]
Commit
4a55530f38e4 (net: sh_eth: modify the definitions of register) managed
to leave out the E-DMAC register entries in sh_eth_offset_fast_sh3_sh2[], thus
totally breaking SH7619/771x support. Add the missing entries using the data
from before that commit.
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ben Dooks [Tue, 3 Jun 2014 11:21:13 +0000 (12:21 +0100)]
sh_eth: use RNC mode for packet reception
[ Upstream commit
530aa2d0d9d55ab2775d47621ddf4b5b15bc1110 ]
The current behaviour of the sh_eth driver is not to use the RNC bit
for the receive ring. This means that every packet recieved is not only
generating an IRQ but it also stops the receive ring DMA as well until
the driver re-enables it after unloading the packet.
This means that a number of the following errors are generated due to
the receive packet FIFO overflowing due to nowhere to put packets:
net eth0: Receive FIFO Overflow
Since feedback from Yoshihiro Shimoda shows that every supported LSI
for this driver should have the bit enabled it seems the best way is
to remove the RMCR default value from the per-system data and just
write it when initialising the RMCR value. This is discussed in
the message (http://www.spinics.net/lists/netdev/msg284912.html).
I have tested the RMCR_RNC configuration with NFS root filesystem and
the driver has not failed yet. There are further test reports from
Sergei Shtylov and others for both the R8A7790 and R8A7791.
There is also feedback fron Cao Minh Hiep[1] which reports the
same issue in (http://comments.gmane.org/gmane.linux.network/316285)
showing this fixes issues with losing UDP datagrams under iperf.
Tested-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Acked-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yuchung Cheng [Fri, 30 May 2014 22:25:59 +0000 (15:25 -0700)]
tcp: fix cwnd undo on DSACK in F-RTO
[ Upstream commit
0cfa5c07d6d1d7f8e710fc671c5ba1ce85e09fa4 ]
This bug is discovered by an recent F-RTO issue on tcpm list
https://www.ietf.org/mail-archive/web/tcpm/current/msg08794.html
The bug is that currently F-RTO does not use DSACK to undo cwnd in
certain cases: upon receiving an ACK after the RTO retransmission in
F-RTO, and the ACK has DSACK indicating the retransmission is spurious,
the sender only calls tcp_try_undo_loss() if some never retransmisted
data is sacked (FLAG_ORIG_DATA_SACKED).
The correct behavior is to unconditionally call tcp_try_undo_loss so
the DSACK information is used properly to undo the cwnd reduction.
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jiri Pirko [Thu, 29 May 2014 18:46:17 +0000 (20:46 +0200)]
team: fix mtu setting
[ Upstream commit
9d0d68faea6962d62dd501cd6e71ce5cc8ed262b ]
Now it is not possible to set mtu to team device which has a port
enslaved to it. The reason is that when team_change_mtu() calls
dev_set_mtu() for port device, notificator for NETDEV_PRECHANGEMTU
event is called and team_device_event() returns NOTIFY_BAD forbidding
the change. So fix this by returning NOTIFY_DONE here in case team is
changing mtu in team_change_mtu().
Introduced-by: 3d249d4c "net: introduce ethernet teaming device"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Thu, 29 May 2014 15:45:14 +0000 (08:45 -0700)]
net: fix inet_getid() and ipv6_select_ident() bugs
[ Upstream commit
39c36094d78c39e038c1e499b2364e13bce36f54 ]
I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery
is disabled.
Note how GSO/TSO packets do not have monotonically incrementing ID.
06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396)
06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212)
06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972)
06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292)
06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764)
It appears I introduced this bug in linux-3.1.
inet_getid() must return the old value of peer->ip_id_count,
not the new one.
Lets revert this part, and remove the prevention of
a null identification field in IPv6 Fragment Extension Header,
which is dubious and not even done properly.
Fixes:
87c48fa3b463 ("ipv6: make fragment identifications less predictable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tom Gundersen [Thu, 15 May 2014 21:21:30 +0000 (23:21 +0200)]
net: tunnels - enable module autoloading
[ Upstream commit
f98f89a0104454f35a62d681683c844f6dbf4043 ]
Enable the module alias hookup to allow tunnel modules to be autoloaded on demand.
This is in line with how most other netdev kinds work, and will allow userspace
to create tunnels without having CAP_SYS_MODULE.
Signed-off-by: Tom Gundersen <teg@jklm.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Toshiaki Makita [Mon, 26 May 2014 06:15:53 +0000 (15:15 +0900)]
bridge: Prevent insertion of FDB entry with disallowed vlan
[ Upstream commit
e0d7968ab6c8bce2437b36fa7f04117e333f196d ]
br_handle_local_finish() is allowing us to insert an FDB entry with
disallowed vlan. For example, when port 1 and 2 are communicating in
vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can
interfere with their communication by spoofed src mac address with
vlan id 10.
Note: Even if it is judged that a frame should not be learned, it should
not be dropped because it is destined for not forwarding layer but higher
layer. See IEEE 802.1Q-2011 8.13.10.
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Acked-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michal Schmidt [Mon, 2 Jun 2014 16:25:02 +0000 (18:25 +0200)]
netlink: rate-limit leftover bytes warning and print process name
[ Upstream commit
bfc5184b69cf9eeb286137640351c650c27f118a ]
Any process is able to send netlink messages with leftover bytes.
Make the warning rate-limited to prevent too much log spam.
The warning is supposed to help find userspace bugs, so print the
triggering command name to implicate the buggy program.
[v2: Use pr_warn_ratelimited instead of printk_ratelimited.]
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sven Wegener [Thu, 29 May 2014 20:27:05 +0000 (20:27 +0000)]
ipv6: Fix regression caused by efe4208 in udp_v6_mcast_next()
[ Upstream commit
3bfdc59a6c24608ed23e903f670aaf5f58c7a6f3 ]
Commit efe4208 ("ipv6: make lookups simpler and faster") introduced a
regression in udp_v6_mcast_next(), resulting in multicast packets not
reaching the destination sockets under certain conditions.
The packet's IPv6 addresses are wrongly compared to the IPv6 addresses
from the function's socket argument, which indicates the starting point
for looping, instead of the loop variable. If the addresses from the
first socket do not match the packet's addresses, no socket in the list
will match.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Fri, 23 May 2014 16:37:21 +0000 (19:37 +0300)]
qlcnic: info leak in qlcnic_dcb_peer_app_info()
[ Upstream commit
7df566bbdd0af0785542b89466a937e94257fcfb ]
This function is called from dcbnl_build_peer_app(). The "info"
struct isn't initialized at all so we disclose 2 bytes of uninitialized
stack data. We should clear it before passing it to the user.
Fixes:
48365e485275 ('qlcnic: dcb: Add support for CEE Netlink interface.')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric W. Biederman [Fri, 30 May 2014 18:04:00 +0000 (11:04 -0700)]
netlink: Only check file credentials for implicit destinations
[ Upstream commit
2d7a85f4b06e9c27ff629f07a524c48074f07f81 ]
It was possible to get a setuid root or setcap executable to write to
it's stdout or stderr (which has been set made a netlink socket) and
inadvertently reconfigure the networking stack.
To prevent this we check that both the creator of the socket and
the currentl applications has permission to reconfigure the network
stack.
Unfortunately this breaks Zebra which always uses sendto/sendmsg
and creates it's socket without any privileges.
To keep Zebra working don't bother checking if the creator of the
socket has privilege when a destination address is specified. Instead
rely exclusively on the privileges of the sender of the socket.
Note from Andy: This is exactly Eric's code except for some comment
clarifications and formatting fixes. Neither I nor, I think, anyone
else is thrilled with this approach, but I'm hesitant to wait on a
better fix since 3.15 is almost here.
Note to stable maintainers: This is a mess. An earlier series of
patches in 3.15 fix a rather serious security issue (CVE-2014-0181),
but they did so in a way that breaks Zebra. The offending series
includes:
commit
aa4cf9452f469f16cea8c96283b641b4576d4a7b
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Apr 23 14:28:03 2014 -0700
net: Add variants of capable for use on netlink messages
If a given kernel version is missing that series of fixes, it's
probably worth backporting it and this patch. if that series is
present, then this fix is critical if you care about Zebra.
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric W. Biederman [Wed, 23 Apr 2014 21:29:27 +0000 (14:29 -0700)]
net: Use netlink_ns_capable to verify the permisions of netlink messages
[ Upstream commit
90f62cf30a78721641e08737bda787552428061e ]
It is possible by passing a netlink socket to a more privileged
executable and then to fool that executable into writing to the socket
data that happens to be valid netlink message to do something that
privileged executable did not intend to do.
To keep this from happening replace bare capable and ns_capable calls
with netlink_capable, netlink_net_calls and netlink_ns_capable calls.
Which act the same as the previous calls except they verify that the
opener of the socket had the desired permissions as well.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric W. Biederman [Wed, 23 Apr 2014 21:28:03 +0000 (14:28 -0700)]
net: Add variants of capable for use on netlink messages
[ Upstream commit
aa4cf9452f469f16cea8c96283b641b4576d4a7b ]
netlink_net_capable - The common case use, for operations that are safe on a network namespace
netlink_capable - For operations that are only known to be safe for the global root
netlink_ns_capable - The general case of capable used to handle special cases
__netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of
the skbuff of a netlink message.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric W. Biederman [Wed, 23 Apr 2014 21:26:56 +0000 (14:26 -0700)]
net: Add variants of capable for use on on sockets
[ Upstream commit
a3b299da869d6e78cf42ae0b1b41797bcb8c5e4b ]
sk_net_capable - The common case, operations that are safe in a network namespace.
sk_capable - Operations that are not known to be safe in a network namespace
sk_ns_capable - The general case for special cases.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric W. Biederman [Wed, 23 Apr 2014 21:26:25 +0000 (14:26 -0700)]
net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump
[ Upstream commit
a53b72c83a4216f2eb883ed45a0cbce014b8e62d ]
The permission check in sock_diag_put_filterinfo is wrong, and it is so removed
from it's sources it is not clear why it is wrong. Move the computation
into packet_diag_dump and pass a bool of the result into sock_diag_filterinfo.
This does not yet correct the capability check but instead simply moves it to make
it clear what is going on.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric W. Biederman [Wed, 23 Apr 2014 21:25:48 +0000 (14:25 -0700)]
netlink: Rename netlink_capable netlink_allowed
[ Upstream commit
5187cd055b6e81fc6526109456f8b20623148d5f ]
netlink_capable is a static internal function in af_netlink.c and we
have better uses for the name netlink_capable.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mimi Zohar [Sun, 11 May 2014 04:05:23 +0000 (00:05 -0400)]
evm: prohibit userspace writing 'security.evm' HMAC value
commit
2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 upstream.
Calculating the 'security.evm' HMAC value requires access to the
EVM encrypted key. Only the kernel should have access to it. This
patch prevents userspace tools(eg. setfattr, cp --preserve=xattr)
from setting/modifying the 'security.evm' HMAC value directly.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dmitry Kasatkin [Thu, 8 May 2014 11:03:22 +0000 (14:03 +0300)]
ima: introduce ima_kernel_read()
commit
0430e49b6e7c6b5e076be8fefdee089958c9adad upstream.
Commit
8aac62706 "move exit_task_namespaces() outside of exit_notify"
introduced the kernel opps since the kernel v3.10, which happens when
Apparmor and IMA-appraisal are enabled at the same time.
----------------------------------------------------------------------
[ 106.750167] BUG: unable to handle kernel NULL pointer dereference at
0000000000000018
[ 106.750221] IP: [<
ffffffff811ec7da>] our_mnt+0x1a/0x30
[ 106.750241] PGD 0
[ 106.750254] Oops: 0000 [#1] SMP
[ 106.750272] Modules linked in: cuse parport_pc ppdev bnep rfcomm
bluetooth rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc
fscache dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp
kvm_intel snd_hda_codec_hdmi kvm crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul
ablk_helper cryptd snd_hda_codec_realtek dcdbas snd_hda_intel
snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi
snd_seq_midi_event snd_rawmidi psmouse snd_seq microcode serio_raw
snd_timer snd_seq_device snd soundcore video lpc_ich coretemp mac_hid lp
parport mei_me mei nbd hid_generic e1000e usbhid ahci ptp hid libahci
pps_core
[ 106.750658] CPU: 6 PID: 1394 Comm: mysqld Not tainted 3.13.0-rc7-kds+ #15
[ 106.750673] Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A08
09/19/2012
[ 106.750689] task:
ffff8800de804920 ti:
ffff880400fca000 task.ti:
ffff880400fca000
[ 106.750704] RIP: 0010:[<
ffffffff811ec7da>] [<
ffffffff811ec7da>]
our_mnt+0x1a/0x30
[ 106.750725] RSP: 0018:
ffff880400fcba60 EFLAGS:
00010286
[ 106.750738] RAX:
0000000000000000 RBX:
0000000000000100 RCX:
ffff8800d51523e7
[ 106.750764] RDX:
ffffffffffffffea RSI:
ffff880400fcba34 RDI:
ffff880402d20020
[ 106.750791] RBP:
ffff880400fcbae0 R08:
0000000000000000 R09:
0000000000000001
[ 106.750817] R10:
0000000000000000 R11:
0000000000000001 R12:
ffff8800d5152300
[ 106.750844] R13:
ffff8803eb8df510 R14:
ffff880400fcbb28 R15:
ffff8800d51523e7
[ 106.750871] FS:
0000000000000000(0000) GS:
ffff88040d200000(0000)
knlGS:
0000000000000000
[ 106.750910] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 106.750935] CR2:
0000000000000018 CR3:
0000000001c0e000 CR4:
00000000001407e0
[ 106.750962] Stack:
[ 106.750981]
ffffffff813434eb ffff880400fcbb20 ffff880400fcbb18
0000000000000000
[ 106.751037]
ffff8800de804920 ffffffff8101b9b9 0001800000000000
0000000000000100
[ 106.751093]
0000010000000000 0000000000000002 000000000000000e
ffff8803eb8df500
[ 106.751149] Call Trace:
[ 106.751172] [<
ffffffff813434eb>] ? aa_path_name+0x2ab/0x430
[ 106.751199] [<
ffffffff8101b9b9>] ? sched_clock+0x9/0x10
[ 106.751225] [<
ffffffff8134a68d>] aa_path_perm+0x7d/0x170
[ 106.751250] [<
ffffffff8101b945>] ? native_sched_clock+0x15/0x80
[ 106.751276] [<
ffffffff8134aa73>] aa_file_perm+0x33/0x40
[ 106.751301] [<
ffffffff81348c5e>] common_file_perm+0x8e/0xb0
[ 106.751327] [<
ffffffff81348d78>] apparmor_file_permission+0x18/0x20
[ 106.751355] [<
ffffffff8130c853>] security_file_permission+0x23/0xa0
[ 106.751382] [<
ffffffff811c77a2>] rw_verify_area+0x52/0xe0
[ 106.751407] [<
ffffffff811c789d>] vfs_read+0x6d/0x170
[ 106.751432] [<
ffffffff811cda31>] kernel_read+0x41/0x60
[ 106.751457] [<
ffffffff8134fd45>] ima_calc_file_hash+0x225/0x280
[ 106.751483] [<
ffffffff8134fb52>] ? ima_calc_file_hash+0x32/0x280
[ 106.751509] [<
ffffffff8135022d>] ima_collect_measurement+0x9d/0x160
[ 106.751536] [<
ffffffff810b552d>] ? trace_hardirqs_on+0xd/0x10
[ 106.751562] [<
ffffffff8134f07c>] ? ima_file_free+0x6c/0xd0
[ 106.751587] [<
ffffffff81352824>] ima_update_xattr+0x34/0x60
[ 106.751612] [<
ffffffff8134f0d0>] ima_file_free+0xc0/0xd0
[ 106.751637] [<
ffffffff811c9635>] __fput+0xd5/0x300
[ 106.751662] [<
ffffffff811c98ae>] ____fput+0xe/0x10
[ 106.751687] [<
ffffffff81086774>] task_work_run+0xc4/0xe0
[ 106.751712] [<
ffffffff81066fad>] do_exit+0x2bd/0xa90
[ 106.751738] [<
ffffffff8173c958>] ? retint_swapgs+0x13/0x1b
[ 106.751763] [<
ffffffff8106780c>] do_group_exit+0x4c/0xc0
[ 106.751788] [<
ffffffff81067894>] SyS_exit_group+0x14/0x20
[ 106.751814] [<
ffffffff8174522d>] system_call_fastpath+0x1a/0x1f
[ 106.751839] Code: c3 0f 1f 44 00 00 55 48 89 e5 e8 22 fe ff ff 5d c3
0f 1f 44 00 00 55 65 48 8b 04 25 c0 c9 00 00 48 8b 80 28 06 00 00 48 89
e5 5d <48> 8b 40 18 48 39 87 c0 00 00 00 0f 94 c0 c3 0f 1f 80 00 00 00
[ 106.752185] RIP [<
ffffffff811ec7da>] our_mnt+0x1a/0x30
[ 106.752214] RSP <
ffff880400fcba60>
[ 106.752236] CR2:
0000000000000018
[ 106.752258] ---[ end trace
3c520748b4732721 ]---
----------------------------------------------------------------------
The reason for the oops is that IMA-appraisal uses "kernel_read()" when
file is closed. kernel_read() honors LSM security hook which calls
Apparmor handler, which uses current->nsproxy->mnt_ns. The 'guilty'
commit changed the order of cleanup code so that nsproxy->mnt_ns was
not already available for Apparmor.
Discussion about the issue with Al Viro and Eric W. Biederman suggested
that kernel_read() is too high-level for IMA. Another issue, except
security checking, that was identified is mandatory locking. kernel_read
honors it as well and it might prevent IMA from calculating necessary hash.
It was suggested to use simplified version of the function without security
and locking checks.
This patch introduces special version ima_kernel_read(), which skips security
and mandatory locking checking. It prevents the kernel oops to happen.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mimi Zohar [Mon, 12 May 2014 13:28:11 +0000 (09:28 -0400)]
ima: audit log files opened with O_DIRECT flag
commit
f9b2a735bdddf836214b5dca74f6ca7712e5a08c upstream.
Files are measured or appraised based on the IMA policy. When a
file, in policy, is opened with the O_DIRECT flag, a deadlock
occurs.
The first attempt at resolving this lockdep temporarily removed the
O_DIRECT flag and restored it, after calculating the hash. The
second attempt introduced the O_DIRECT_HAVELOCK flag. Based on this
flag, do_blockdev_direct_IO() would skip taking the i_mutex a second
time. The third attempt, by Dmitry Kasatkin, resolves the i_mutex
locking issue, by re-introducing the IMA mutex, but uncovered
another problem. Reading a file with O_DIRECT flag set, writes
directly to userspace pages. A second patch allocates a user-space
like memory. This works for all IMA hooks, except ima_file_free(),
which is called on __fput() to recalculate the file hash.
Until this last issue is addressed, do not 'collect' the
measurement for measuring, appraising, or auditing files opened
with the O_DIRECT flag set. Based on policy, permit or deny file
access. This patch defines a new IMA policy rule option named
'permit_directio'. Policy rules could be defined, based on LSM
or other criteria, to permit specific applications to open files
with the O_DIRECT flag set.
Changelog v1:
- permit or deny file access based IMA policy rules
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nicholas Bellinger [Fri, 6 Jun 2014 01:08:57 +0000 (18:08 -0700)]
iscsi-target: Reject mutual authentication with reflected CHAP_C
commit
1d2b60a5545942b1376cb48c1d55843d71e3a08f upstream.
This patch adds an explicit check in chap_server_compute_md5() to ensure
the CHAP_C value received from the initiator during mutual authentication
does not match the original CHAP_C provided by the target.
This is in line with RFC-3720, section 8.2.1:
Originators MUST NOT reuse the CHAP challenge sent by the Responder
for the other direction of a bidirectional authentication.
Responders MUST check for this condition and close the iSCSI TCP
connection if it occurs.
Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nicholas Bellinger [Thu, 12 Jun 2014 19:45:02 +0000 (12:45 -0700)]
target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd
commit
0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream.
This patch fixes a NULL pointer dereference regression bug that was
introduced with:
commit
1e1110c43b1cda9fe77fc4a04835e460550e6b3c
Author: Mikulas Patocka <mpatocka@redhat.com>
Date: Sat May 17 06:49:22 2014 -0400
target: fix memory leak on XCOPY
Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is
called with a valid se_cmd->cmd_kref, a NULL pointer dereference
is triggered because the XCOPY passthrough commands don't have
an associated se_session pointer.
To address this bug, go ahead and checking for a NULL se_sess pointer
within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd()
to release the XCOPY's xcopy_pt_cmd memory.
Reported-by: Thomas Glanzmann <thomas@glanzmann.de>
Cc: Thomas Glanzmann <thomas@glanzmann.de>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Boris BREZILLON [Fri, 6 Jun 2014 21:36:09 +0000 (14:36 -0700)]
rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq
commit
2fe121e1f5aa3bf31b418a9790db6c400e922291 upstream.
The rtc user must wait at least 1 sec between each time/calandar update
(see atmel's datasheet chapter "Updating Time/Calendar").
Use the 1Hz interrupt to update the at91_rtc_upd_rdy flag and wait for
the at91_rtc_wait_upd_rdy event if the rtc is not ready.
This patch fixes a deadlock in an uninterruptible wait when the RTC is
updated more than once every second. AFAICT the bug is here from the
beginning, but I think we should at least backport this fix to 3.10 and
the following longterm and stable releases.
Signed-off-by: Boris BREZILLON <boris.brezillon@free-electrons.com>
Reported-by: Bryan Evenson <bevenson@melinkcorp.com>
Tested-by: Bryan Evenson <bevenson@melinkcorp.com>
Cc: Andrew Victor <linux@maxim.org.za>
Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>