Yuval Mintz [Wed, 10 Apr 2013 10:34:39 +0000 (13:34 +0300)]
bnx2x: Prevent null pointer dereference in AFEX mode
The cnic module is responsible for initializing various bnx2x structs
via callbacks provided by the bnx2x module.
One such struct is the queue object for the FCoE queue.
If a device is working in AFEX mode and its configuration allows FCoE yet
the cnic module is not loaded, it's very likely a null pointer dereference
will occur, as the bnx2x will erroneously access the FCoE's queue object.
Prevent said access until cnic properly registers itself.
Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Neil Horman [Tue, 9 Apr 2013 23:19:00 +0000 (23:19 +0000)]
e100: Add dma mapping error check
e100 uses pci_map_single, but fails to check for a dma mapping error after its
use, resulting in a stack trace:
[ 46.656594] ------------[ cut here ]------------
[ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
[ 46.657004] Hardware name: To Be Filled By O.E.M.
[ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
[ 46.657004] Modules linked in:
[ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
sata_promise crc_itu_t
[ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
[ 46.657004] Call Trace:
[ 46.657004] <IRQ> [<
ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
[ 46.657004] [<
ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
[ 46.657004] [<
ffffffff81364cfb>] check_unmap+0x47b/0x950
[ 46.657004] [<
ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
[ 46.657004] [<
ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
[ 46.657004] [<
ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
[ 46.657004] [<
ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
[ 46.657004] [<
ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
[ 46.657004] [<
ffffffff8159ddb2>] net_rx_action+0x172/0x370
[ 46.657004] [<
ffffffff810703bf>] __do_softirq+0xef/0x3d0
[ 46.657004] [<
ffffffff816e4ebc>] call_softirq+0x1c/0x30
[ 46.657004] [<
ffffffff8101c485>] do_softirq+0x85/0xc0
[ 46.657004] [<
ffffffff81070885>] irq_exit+0xd5/0xe0
[ 46.657004] [<
ffffffff816e5756>] do_IRQ+0x56/0xc0
[ 46.657004] [<
ffffffff816dacb2>] common_interrupt+0x72/0x72
[ 46.657004] <EOI> [<
ffffffff816da1eb>] ?
_raw_spin_unlock_irqrestore+0x3b/0x70
[ 46.657004] [<
ffffffff816d124d>] __slab_free+0x58/0x38b
[ 46.657004] [<
ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
[ 46.657004] [<
ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
[ 46.657004] [<
ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
[ 46.657004] [<
ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
[ 46.657004] [<
ffffffff811b0692>] kmem_cache_free+0x312/0x320
[ 46.657004] [<
ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
[ 46.657004] [<
ffffffff811e8c28>] destroy_inode+0x38/0x60
[ 46.657004] [<
ffffffff811e8d5e>] evict+0x10e/0x1a0
[ 46.657004] [<
ffffffff811e9605>] iput+0xf5/0x180
[ 46.657004] [<
ffffffff811e4338>] dput+0x248/0x310
[ 46.657004] [<
ffffffff811ce0e1>] __fput+0x171/0x240
[ 46.657004] [<
ffffffff811ce26e>] ____fput+0xe/0x10
[ 46.657004] [<
ffffffff8108d54c>] task_work_run+0xac/0xe0
[ 46.657004] [<
ffffffff8106c6ed>] do_exit+0x26d/0xc30
[ 46.657004] [<
ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
[ 46.657004] [<
ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
[ 46.657004] [<
ffffffff8106d139>] do_group_exit+0x49/0xc0
[ 46.657004] [<
ffffffff8106d1c4>] sys_exit_group+0x14/0x20
[ 46.657004] [<
ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
[ 46.657004] ---[ end trace
4468c44e2156e7d1 ]---
[ 46.657004] Mapped at:
[ 46.657004] [<
ffffffff813663d1>] debug_dma_map_page+0x91/0x140
[ 46.657004] [<
ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
[ 46.657004] [<
ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
[ 46.657004] [<
ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
[ 46.657004] [<
ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
dma_mapping_error check in the obvious place
This was reported previously here:
http://article.gmane.org/gmane.linux.network/257893
But nobody stepped up and fixed it.
CC: Josh Boyer <jwboyer@redhat.com>
CC: e1000-devel@lists.sourceforge.net
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Michal Jaegermann <michal@harddata.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 9 Apr 2013 17:24:35 +0000 (13:24 -0400)]
Merge branch 'fixes-for-3.9' of git://gitorious.org/linux-can/linux-can
Marc Kleine-Budde says:
====================
here's a fix for the v3.9 release cycle, if not too late:
Wei Yongjun contributes a patch for the can-gw protocoll. The patch fixes the
memory allocated with kmem_cache_alloc(), is now freed using kmem_cache_free(),
not kfree().
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 8 Apr 2013 17:58:11 +0000 (17:58 +0000)]
selinux: add a skb_owned_by() hook
Commit
90ba9b1986b5ac (tcp: tcp_make_synack() can use alloc_skb())
broke certain SELinux/NetLabel configurations by no longer correctly
assigning the sock to the outgoing SYNACK packet.
Cost of atomic operations on the LISTEN socket is quite big,
and we would like it to happen only if really needed.
This patch introduces a new security_ops->skb_owned_by() method,
that is a void operation unless selinux is active.
Reported-by: Miroslav Vadkerti <mvadkert@redhat.com>
Diagnosed-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-security-module@vger.kernel.org
Acked-by: James Morris <james.l.morris@oracle.com>
Tested-by: Paul Moore <pmoore@redhat.com>
Acked-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wei Yongjun [Tue, 9 Apr 2013 06:16:04 +0000 (14:16 +0800)]
can: gw: use kmem_cache_free() instead of kfree()
Memory allocated by kmem_cache_alloc() should be freed using
kmem_cache_free(), not kfree().
Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Wei Yongjun [Tue, 9 Apr 2013 02:07:19 +0000 (10:07 +0800)]
netrom: fix invalid use of sizeof in nr_recvmsg()
sizeof() when applied to a pointer typed expression gives the size of the
pointer, not that of the pointed data.
Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg)
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stefan Raspl [Sun, 7 Apr 2013 22:19:27 +0000 (22:19 +0000)]
qeth: fix qeth_wait_for_threads() deadlock for OSN devices
Any recovery thread will deadlock when calling qeth_wait_for_threads(), most
notably when triggering a recovery on an OSN device.
This patch will store the recovery thread's task pointer on recovery
invocation and check in qeth_wait_for_threads() respectively to avoid
deadlocks.
Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Reviewed-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ursula Braun [Sun, 7 Apr 2013 22:19:26 +0000 (22:19 +0000)]
af_iucv: fix recvmsg by replacing skb_pull() function
When receiving data messages, the "BUG_ON(skb->len < skb->data_len)" in
the skb_pull() function triggers a kernel panic.
Replace the skb_pull logic by a per skb offset as advised by
Eric Dumazet.
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Riesch [Mon, 8 Apr 2013 05:45:26 +0000 (05:45 +0000)]
rtnetlink: Call nlmsg_parse() with correct header length
Signed-off-by: Michael Riesch <michael.riesch@omicron.at>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jiri Benc <jbenc@redhat.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-kernel@vger.kernel.org
Acked-by: Mark Rustad <mark.d.rustad@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
nikolay@redhat.com [Sat, 6 Apr 2013 00:54:38 +0000 (00:54 +0000)]
bonding: fix bonding_masters race condition in bond unloading
While the bonding module is unloading, it is considered that after
rtnl_link_unregister all bond devices are destroyed but since no
synchronization mechanism exists, a new bond device can be created
via bonding_masters before unregister_pernet_subsys which would
lead to multiple problems (e.g. NULL pointer dereference, wrong RIP,
list corruption).
This patch fixes the issue by removing any bond devices left in the
netns after bonding_masters is removed from sysfs.
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Acked-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
nikolay@redhat.com [Sat, 6 Apr 2013 00:54:37 +0000 (00:54 +0000)]
Revert "bonding: remove sysfs before removing devices"
This reverts commit
4de79c737b200492195ebc54a887075327e1ec1d.
This patch introduces a new bug which causes access to freed memory.
In bond_uninit: list_del(&bond->bond_list);
bond_list is linked in bond_net's dev_list which is freed by
unregister_pernet_subsys.
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 8 Apr 2013 20:39:55 +0000 (16:39 -0400)]
Merge branch 'wireless'
John W. Linville says:
====================
For the cfg80211 fix, Johannes says:
"I have another straggler for 3.9, adding locking forgotten in a previous
fix."
On top of that:
Bing Zhao provides an mwifiex fix to properly order a scan completion.
Franky Lin gives us a brcmfmac fix to fail at the firmware loading
stage if the nvram cannot be downloaded.
Gabor Juhos brings what at first looks like a rather big rt2x00 patch.
I think it is OK because it is really just reorganizing some code
within the rt2x00 driver in order to fix a build failure.
Hante Meuleman offers a trio of brcmfmac fixes related to running in
AP mode.
Robert Shade sends an ath9k fix to reenable interrupts even if a
channel change fails.
Tim Gardner gives us an rt2x00 fix to cut-down on some log SPAM.
Please let me know if there are problems!
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Mon, 8 Apr 2013 18:26:57 +0000 (14:26 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
willy tarreau [Sat, 6 Apr 2013 08:47:01 +0000 (08:47 +0000)]
net: mvneta: enable features before registering the driver
It seems that the reason why the dev features were ignored was because
they were enabled after registeration.
Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Haiyang Zhang [Fri, 5 Apr 2013 11:44:40 +0000 (11:44 +0000)]
hyperv: Fix RNDIS send_completion code path
In some cases, the VM_PKT_COMP message can arrive later than RNDIS completion
message, which will free the packet memory. This may cause panic due to access
to freed memory in netvsc_send_completion().
This patch fixes this problem by removing rndis_filter_send_request_completion()
from the code path. The function was a no-op.
Reported-by: Long Li <longli@microsoft.com>
Tested-by: Long Li <longli@microsoft.com>
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Haiyang Zhang [Fri, 5 Apr 2013 11:44:39 +0000 (11:44 +0000)]
hyperv: Fix a kernel warning from netvsc_linkstatus_callback()
The warning about local_bh_enable inside IRQ happens when disconnecting a
virtual NIC.
The reason for the warning is -- netif_tx_disable() is called when the NIC
is disconnected. And it's called within irq context. netif_tx_disable() calls
local_bh_enable() which displays warning if in irq.
The fix is to remove the unnecessary netif_tx_disable & wake_queue() in the
netvsc_linkstatus_callback().
Reported-by: Richard Genoud <richard.genoud@gmail.com>
Tested-by: Long Li <longli@microsoft.com>
Tested-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Pirko [Thu, 4 Apr 2013 23:39:39 +0000 (23:39 +0000)]
net: ipv4: fix schedule while atomic bug in check_lifetime()
move might_sleep operations out of the rcu_read_lock() section.
Also fix iterating over ifa_dev->ifa_list
Introduced by: commit
5c766d642bcaf "ipv4: introduce address lifetime"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Pirko [Thu, 4 Apr 2013 23:39:38 +0000 (23:39 +0000)]
net: ipv4: reset check_lifetime_work after changing lifetime
This will result in calling check_lifetime in nearest opportunity and
that function will adjust next time to call check_lifetime correctly.
Without this, check_lifetime is called in time computed by previous run,
not affecting modified lifetime.
Introduced by: commit
5c766d642bcaf "ipv4: introduce address lifetime"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Sun, 7 Apr 2013 05:36:23 +0000 (05:36 +0000)]
bnx2x: Fix KR2 rapid link flap
Check KR2 recovery time at the beginning of the work-around function.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sridhar Samudrala [Tue, 2 Apr 2013 12:35:31 +0000 (12:35 +0000)]
sctp: remove 'sridhar' from maintainers list
Update SCTP maintainers list.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sun, 7 Apr 2013 20:42:40 +0000 (16:42 -0400)]
Merge branch 'infoleaks'
Mathias Krause says:
====================
a few more info leak fixes in the recvmsg path. The error pattern here
is the protocol specific recvmsg function is missing the msg_namelen
assignment -- either completely or in early exit paths that do not
result in errors in __sys_recvmsg()/sys_recvfrom() and, in turn, make
them call move_addr_to_user(), leaking the then still uninitialized
sockaddr_storage stack variable to userland.
My audit was initiated by a rather coarse fix of the leak that can be
found in the grsecurity patch, putting a penalty on protocols complying
to the rules of recvmsg. So credits for finding the leak in the recvmsg
path in __sys_recvmsg() should go to Brad!
The buggy protocols/subsystems are rather obscure anyway. As a missing
assignment of msg_namelen coupled with a missing filling of msg_name
would only result in garbage -- the leak -- in case userland would care
about that information, i.e. would provide a msg_name pointer. But
obviously current userland does not.
While auditing the code for the above pattern I found a few more
'uninitialized members' kind of leaks related to the msg_name filling.
Those are fixed in this series, too.
I have to admit, I failed to test all of the patches due to missing
hardware, e.g. iucv depends on S390 -- hardware I've no access to :/
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:52:02 +0000 (01:52 +0000)]
VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg()
The code misses to update the msg_namelen member to 0 and therefore
makes net/socket.c leak the local, uninitialized sockaddr_storage
variable to userland -- 128 bytes of kernel stack memory.
Cc: Andy King <acking@vmware.com>
Cc: Dmitry Torokhov <dtor@vmware.com>
Cc: George Zhang <georgezhang@vmware.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:52:01 +0000 (01:52 +0000)]
VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue()
In case we received no data on the call to skb_recv_datagram(), i.e.
skb->data is NULL, vmci_transport_dgram_dequeue() will return with 0
without updating msg_namelen leading to net/socket.c leaking the local,
uninitialized sockaddr_storage variable to userland -- 128 bytes of
kernel stack memory.
Fix this by moving the already existing msg_namelen assignment a few
lines above.
Cc: Andy King <acking@vmware.com>
Cc: Dmitry Torokhov <dtor@vmware.com>
Cc: George Zhang <georgezhang@vmware.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:52:00 +0000 (01:52 +0000)]
tipc: fix info leaks via msg_name in recv_msg/recv_stream
The code in set_orig_addr() does not initialize all of the members of
struct sockaddr_tipc when filling the sockaddr info -- namely the union
is only partly filled. This will make recv_msg() and recv_stream() --
the only users of this function -- leak kernel stack memory as the
msg_name member is a local variable in net/socket.c.
Additionally to that both recv_msg() and recv_stream() fail to update
the msg_namelen member to 0 while otherwise returning with 0, i.e.
"success". This is the case for, e.g., non-blocking sockets. This will
lead to a 128 byte kernel stack leak in net/socket.c.
Fix the first issue by initializing the memory of the union with
memset(0). Fix the second one by setting msg_namelen to 0 early as it
will be updated later if we're going to fill the msg_name member.
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:59 +0000 (01:51 +0000)]
rose: fix info leak via msg_name in rose_recvmsg()
The code in rose_recvmsg() does not initialize all of the members of
struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
Nor does it initialize the padding bytes of the structure inserted by
the compiler for alignment. This will lead to leaking uninitialized
kernel stack bytes in net/socket.c.
Fix the issue by initializing the memory used for sockaddr info with
memset(0).
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:58 +0000 (01:51 +0000)]
NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
The code in llcp_sock_recvmsg() does not initialize all the members of
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
initialize the padding bytes of the structure inserted by the compiler
for alignment.
Also, if the socket is in state LLCP_CLOSED or is shutting down during
receive the msg_namelen member is not updated to 0 while otherwise
returning with 0, i.e. "success". The msg_namelen update is also
missing for stream and seqpacket sockets which don't fill the sockaddr
info.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix the first issue by initializing the memory used for sockaddr info
with memset(0). Fix the second one by setting msg_namelen to 0 early.
It will be updated later if we're going to fill the msg_name member.
Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:57 +0000 (01:51 +0000)]
netrom: fix info leak via msg_name in nr_recvmsg()
In case msg_name is set the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of
struct sockaddr_ax25 inserted by the compiler for alignment. Also
the sax25_ndigis member does not get assigned, leaking four more
bytes.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix both issues by initializing the memory with memset(0).
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:56 +0000 (01:51 +0000)]
llc: Fix missing msg_namelen update in llc_ui_recvmsg()
For stream sockets the code misses to update the msg_namelen member
to 0 and therefore makes net/socket.c leak the local, uninitialized
sockaddr_storage variable to userland -- 128 bytes of kernel stack
memory. The msg_namelen update is also missing for datagram sockets
in case the socket is shutting down during receive.
Fix both issues by setting msg_namelen to 0 early. It will be
updated later if we're going to fill the msg_name member.
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:55 +0000 (01:51 +0000)]
l2tp: fix info leak in l2tp_ip6_recvmsg()
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
in l2tp_ip6_recvmsg() in case msg_name is set.
Initialize l2tp_conn_id with 0 to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:54 +0000 (01:51 +0000)]
iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about iucv_sock_recvmsg() not filling the msg_name in case it was set.
Cc: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:53 +0000 (01:51 +0000)]
irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about irda_recvmsg_dgram() not filling the msg_name in case it was
set.
Cc: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:52 +0000 (01:51 +0000)]
caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about caif_seqpkt_recvmsg() not filling the msg_name in case it was
set.
Cc: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:51 +0000 (01:51 +0000)]
Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()
If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
the flags, sco_sock_recvmsg() returns early with 0 without updating the
possibly set msg_namelen member. This, in turn, leads to a 128 byte
kernel stack leak in net/socket.c.
Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_recvmsg().
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:50 +0000 (01:51 +0000)]
Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
early with 0 without updating the possibly set msg_namelen member. This,
in turn, leads to a 128 byte kernel stack leak in net/socket.c.
Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_stream_recvmsg().
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:49 +0000 (01:51 +0000)]
Bluetooth: fix possible info leak in bt_sock_recvmsg()
In case the socket is already shutting down, bt_sock_recvmsg() returns
with 0 without updating msg_namelen leading to net/socket.c leaking the
local, uninitialized sockaddr_storage variable to userland -- 128 bytes
of kernel stack memory.
Fix this by moving the msg_namelen assignment in front of the shutdown
test.
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:48 +0000 (01:51 +0000)]
ax25: fix info leak via msg_name in ax25_recvmsg()
When msg_namelen is non-zero the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of struct
sockaddr_ax25 inserted by the compiler for alignment. Additionally the
msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
not always filled up to this size.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix both issues by initializing the memory with memset(0).
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Sun, 7 Apr 2013 01:51:47 +0000 (01:51 +0000)]
atm: update msg_namelen in vcc_recvmsg()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about vcc_recvmsg() not filling the msg_name in case it was set.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Christoph Paasch [Sun, 7 Apr 2013 04:53:15 +0000 (04:53 +0000)]
ipv6/tcp: Stop processing ICMPv6 redirect messages
Tetja Rediske found that if the host receives an ICMPv6 redirect message
after sending a SYN+ACK, the connection will be reset.
He bisected it down to
093d04d (ipv6: Change skb->data before using
icmpv6_notify() to propagate redirect), but the origin of the bug comes
from
ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
handlers.). The bug simply did not trigger prior to
093d04d, because
skb->data did not point to the inner IP header and thus icmpv6_notify
did not call the correct err_handler.
This patch adds the missing "goto out;" in tcp_v6_err. After receiving
an ICMPv6 Redirect, we should not continue processing the ICMP in
tcp_v6_err, as this may trigger the removal of request-socks or setting
sk_err(_soft).
Reported-by: Tetja Rediske <tetja@tetja.de>
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 5 Apr 2013 21:04:10 +0000 (14:04 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix erroneous sock_orphan() leading to crashes and double
kfree_skb() in NFC protocol. From Thierry Escande and Samuel Ortiz.
2) Fix use after free in remain-on-channel mac80211 code, from Johannes
Berg.
3) nf_reset() needs to reset the NF tracing cookie, otherwise we can
leak it from one namespace into another. Fix from Gao Feng and
Patrick McHardy.
4) Fix overflow in channel scanning array of mwifiex driver, from Stone
Piao.
5) Fix loss of link after suspend/shutdown in r8169, from Hayes Wang.
6) Synchronization of unicast address lists to the undelying device
doesn't work because whether to sync is maintained as a boolean
rather than a true count. Fix from Vlad Yasevich.
7) Fix corruption of TSO packets in atl1e by limiting the segmented
packet length. From Hannes Frederic Sowa.
8) Revert bogus AF_UNIX credential passing change and fix the
coalescing issue properly, from Eric W Biederman.
9) Changes of ipv4 address lifetime settings needs to generate a
notification, from Jiri Pirko.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (22 commits)
netfilter: don't reset nf_trace in nf_reset()
net: ipv4: notify when address lifetime changes
ixgbe: fix registration order of driver and DCA nofitication
af_unix: If we don't care about credentials coallesce all messages
Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
bonding: remove sysfs before removing devices
atl1e: limit gso segment size to prevent generation of wrong ip length fields
net: count hw_addr syncs so that unsync works properly.
r8169: fix auto speed down issue
netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
mwifiex: limit channel number not to overflow memory
NFC: microread: Fix build failure due to a new MEI bus API
iwlwifi: dvm: fix the passive-no-RX workaround
netfilter: nf_conntrack: fix error return code
NFC: llcp: Keep the connected socket parent pointer alive
mac80211: fix idle handling sequence
netfilter: nfnetlink_acct: return -EINVAL if object name is empty
netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
netfilter: reset nf_trace in nf_reset
mac80211: fix remain-on-channel cancel crash
...
Patrick McHardy [Fri, 5 Apr 2013 18:42:05 +0000 (20:42 +0200)]
netfilter: don't reset nf_trace in nf_reset()
Commit
130549fe ("netfilter: reset nf_trace in nf_reset") added code
to reset nf_trace in nf_reset(). This is wrong and unnecessary.
nf_reset() is used in the following cases:
- when passing packets up the the socket layer, at which point we want to
release all netfilter references that might keep modules pinned while
the packet is queued. nf_trace doesn't matter anymore at this point.
- when encapsulating or decapsulating IPsec packets. We want to continue
tracing these packets after IPsec processing.
- when passing packets through virtual network devices. Only devices on
that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
used anymore. Its not entirely clear whether those packets should
be traced after that, however we've always done that.
- when passing packets through virtual network devices that make the
packet cross network namespace boundaries. This is the only cases
where we clearly want to reset nf_trace and is also what the
original patch intended to fix.
Add a new function nf_reset_trace() and use it in dev_forward_skb() to
fix this properly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 5 Apr 2013 19:23:12 +0000 (12:23 -0700)]
Merge branch 'upstream' of git://git.linux-mips.org/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
"Fixes for a number of small glitches in various corners of the MIPS
tree. No particular areas is standing out.
With this applied all MIPS defconfigs are building fine. No merge
conflicts are expected."
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: Delete definition of SA_RESTORER.
MIPS: Fix ISA level which causes secondary cache init bypassing and more
MIPS: Fix build error cavium-octeon without CONFIG_SMP
MIPS: Kconfig: Rename SNIPROM too
MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI"
MIPS: Unbreak function tracer for 64-bit kernel.
Linus Torvalds [Fri, 5 Apr 2013 19:22:02 +0000 (12:22 -0700)]
Merge git://git./linux/kernel/git/steve/gfs2-3.0-fixes
Pull GFS2 fixes from Steven Whitehouse:
"There are two patches which fix up a couple of minor issues in the DLM
interface code, a missing error path in gfs2_rs_alloc(), one patch
which fixes a problem during "withdraw" and a fix for discards/FITRIM
when using 4k sector sized devices."
* git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes:
GFS2: Issue discards in 512b sectors
GFS2: Fix unlock of fcntl locks during withdrawn state
GFS2: return error if malloc failed in gfs2_rs_alloc()
GFS2: use memchr_inv
GFS2: use kmalloc for lvb bitmap
Mike Marciniszyn [Fri, 5 Apr 2013 18:30:13 +0000 (14:30 -0400)]
firmware,IB/qib: revert firmware file move
Commit
e2eed58b4fbf ("IB/qib: change QLogic to Intel") moved a firmware
file potentially breaking the ABI.
This patch reverts that aspect of the fix as well as reverting the
firmware name as used in qib.
Reported-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 5 Apr 2013 17:04:41 +0000 (10:04 -0700)]
Merge tag 'spi-fix-v3.9-rc5' of git://git./linux/kernel/git/broonie/misc
Pull spi fixes from Mark Brown:
"A bunch of small driver fixes plus a fix for error handling in the
core - nothing too exciting overall."
* tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
spi/mpc512x-psc: optionally keep PSC SS asserted across xfer segmensts
spi: Unlock a spinlock before calling into the controller driver.
spi/s3c64xx: modified error interrupt handling and init
spi/bcm63xx: don't disable non enabled clocks in probe error path
spi/bcm63xx: Remove unused variable
spi: slink-tegra20: move runtime pm calls to transfer_one_message
Bob Peterson [Fri, 22 Mar 2013 14:07:24 +0000 (10:07 -0400)]
GFS2: Issue discards in 512b sectors
This patch changes GFS2's discard issuing code so that it calls
function sb_issue_discard rather than blkdev_issue_discard. The
code was calling blkdev_issue_discard and specifying the correct
sector offset and sector size, but blkdev_issue_discard expects
these values to be in terms of 512 byte sectors, even if the native
sector size for the device is different. Calling sb_issue_discard
with the BLOCK size instead ensures the correct block-to-512b-sector
translation. I verified that "minlen" is specified in blocks, so
comparing it to a number of blocks is correct.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Johan Hovold [Fri, 5 Apr 2013 16:16:34 +0000 (18:16 +0200)]
Revert "drivers/rtc/rtc-at91rm9200.c: use a variable for storing IMR"
This reverts commit
0ef1594c017521ea89278e80fe3f80dafb17abde.
This patch introduced a few races which cannot be easily fixed with a
small follow-up patch. Furthermore, the SoC with the broken hardware
register, which this patch intended to add support for, can only be used
with device trees, which this driver currently does not support.
[ Here is the discussion that led to this "revert" patch:
https://lkml.org/lkml/2013/4/3/176 ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 5 Apr 2013 16:15:46 +0000 (09:15 -0700)]
Merge tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux
Pull fbdev fixes from Tomi Valkeinen:
"Fix uvesafb crash bug and typoed flag name in fbmon's new videomode
code"
* tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux:
video:uvesafb: Fix dereference NULL pointer code path
fbmon: use VESA_DMT_VSYNC_HIGH to fix typo
Linus Torvalds [Fri, 5 Apr 2013 16:06:57 +0000 (09:06 -0700)]
Merge tag 'sound-3.9' of git://git./linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This contains slightly more volumes than usual at this stage, mostly
because of my vacation in the last week. Nothing to scare, all small
and/or trivial fixes:
- Fix loop path handling in ASoC DAPM
- Some memory handling fixes in ASoC core
- Fix spear_pcm to adapt to the updated API
- HD-audio HDMI ELD handling fixes
- Fix for CM6331 USB-audio SRC change bugs
- Revert power_save_controller option change due to user-space usage
- A few other small ASoC and HD-audio fixes"
* tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda/generic - fix uninitialized variable
Revert "ALSA: hda - Allow power_save_controller option override DCAPS"
ALSA: hda - fix typo in proc output
ALSA: hda - Enabling Realtek ALC 671 codec
ALSA: usb: Work around CM6631 sample rate change bug
ALSA: hda - bug fix on HDMI ELD debug message
ALSA: hda - bug fix on return value when getting HDMI ELD info
ASoC: dma-sh7760: Fix compile error
ASoC: core: fix invalid free of devm_ allocated data
ASoC: spear_pcm: Update to new pcm_new() API
ASoC:: max98090: Remove executable bit
ASoC: dapm: Fix pointer dereference in is_connected_output_ep()
ASoC: pcm030 audio fabric: remove __init from probe
ASoC: imx-ssi: Fix occasional AC97 reset failure
ASoC: core: fix possible memory leak in snd_soc_bytes_put()
ASoC: wm_adsp: fix possible memory leak in wm_adsp_load_coeff()
ASoC: dapm: Fix handling of loops
ASoC: si476x: Add missing break for SNDRV_PCM_FORMAT_S8 switch case
Ralf Baechle [Mon, 25 Mar 2013 12:43:14 +0000 (13:43 +0100)]
MIPS: Delete definition of SA_RESTORER.
SA_RESTORER used to be defined as 0x04000000 but only the O32 ABI ever
supported its use and no libc was using it, so the entire sa-restorer
functionality was removed with lmo commit
39bffc12c3580ab [Zap sa_restorer.]
for 2.5.48 retaining only the SA_RESTORER definition as a reminder to avoid
accidental reuse of the mask bit.
Upstream
cdef9602fbf1871a43f0f1b5cea10dd0f275167d [signal: always clear
sa_restorer on execve] adds code that assumes sa_sigaction has an
sa_restorer field, if SA_RESTORER is defined which would break MIPS.
So remove the SA_RESTORER definition before the v3.8.4 merge.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
(cherry picked from commit
17da8d63add23830892ac4dc2cbb3b5d4ffb79a8)
Deng-Cheng Zhu [Mon, 1 Apr 2013 18:14:28 +0000 (18:14 +0000)]
MIPS: Fix ISA level which causes secondary cache init bypassing and more
The commit
a96102be70 introduced set_isa() where compatible ISA info is
also set aside from the one gets passed in. It means, for example, 1004K
will have MIPS_CPU_ISA_M32R2/M32R1/II/I flags. This leads to things like
the following inappropriate:
if (c->isa_level == MIPS_CPU_ISA_M32R1 ||
c->isa_level == MIPS_CPU_ISA_M32R2 ||
c->isa_level == MIPS_CPU_ISA_M64R1 ||
c->isa_level == MIPS_CPU_ISA_M64R2)
This patch fixes it.
Signed-off-by: Deng-Cheng Zhu <dengcheng.zhu@imgtec.com>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
EunBong Song [Sun, 24 Mar 2013 22:18:35 +0000 (22:18 +0000)]
MIPS: Fix build error cavium-octeon without CONFIG_SMP
Singed-off-by: EunBong Song <eunb.song@samsung.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Paul Bolle [Mon, 25 Mar 2013 09:39:54 +0000 (09:39 +0000)]
MIPS: Kconfig: Rename SNIPROM too
CONFIG_SNIPROM was renamed to CONFIG_FW_SNIPROM in v3.8. Let's rename
SNIPROM itself too.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-mips@linux-mips.org;
Cc: linux-kernel@vger.kernel.org
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Paul Bolle [Thu, 4 Apr 2013 12:47:01 +0000 (12:47 +0000)]
MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI"
Commit
7517de348663b08a808aff44b5300e817157a568 ("MIPS: Alchemy: Redo
PCI as platform driver") added a reference to CONFIG_DEBUG_PCI. Change
it to CONFIG_PCI_DEBUG, as that is a valid Kconfig macro.
Also add a newline to a debugging printk that this fix enables.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
David Daney [Tue, 2 Apr 2013 22:59:29 +0000 (22:59 +0000)]
MIPS: Unbreak function tracer for 64-bit kernel.
Commit
58b69401c797 [MIPS: Function tracer: Fix broken function tracing]
completely broke the function tracer for 64-bit kernels. The symptom is
a system hang very early in the boot process.
The fix: Remove/fix $sp adjustments for 64-bit case.
Signed-off-by: David Daney <david.daney@cavium.com>
Cc: linux-mips@linux-mips.org
Cc: Al Cooper <alcooperx@gmail.com>
Cc: viric@viric.name
Cc: stable@vger.kernel.org # 3.8.x
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Jiri Slaby [Thu, 4 Apr 2013 20:32:10 +0000 (22:32 +0200)]
ALSA: hda/generic - fix uninitialized variable
changed is not initialized in path_power_down_sync, but it is expected
to be false in case no change happened in the loop. So set it to
false.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Jiri Pirko [Thu, 4 Apr 2013 08:33:00 +0000 (08:33 +0000)]
net: ipv4: notify when address lifetime changes
if userspace changes lifetime of address, send netlink notification and
call notifier.
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jakub Kicinski [Wed, 3 Apr 2013 16:50:54 +0000 (16:50 +0000)]
ixgbe: fix registration order of driver and DCA nofitication
ixgbe_notify_dca cannot be called before driver registration
because it expects driver's klist_devices to be allocated and
initialized. While on it make sure debugfs files are removed
when registration fails.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Jakub Kicinski <jakub.kicinski@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric W. Biederman [Wed, 3 Apr 2013 16:14:47 +0000 (16:14 +0000)]
af_unix: If we don't care about credentials coallesce all messages
It was reported that the following LSB test case failed
https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
were not coallescing unix stream messages when the application was
expecting us to.
The problem was that the first send was before the socket was accepted
and thus sock->sk_socket was NULL in maybe_add_creds, and the second
send after the socket was accepted had a non-NULL value for sk->socket
and thus we could tell the credentials were not needed so we did not
bother.
The unnecessary credentials on the first message cause
unix_stream_recvmsg to start verifying that all messages had the same
credentials before coallescing and then the coallescing failed because
the second message had no credentials.
Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
long standing pessimization which would fail to coallesce messages when
reading from a unix stream socket if the senders were different even if
we did not care about their credentials.
I have tested this and verified that the in the LSB test case mentioned
above that the messages do coallesce now, while the were failing to
coallesce without this change.
Reported-by: Karel Srot <ksrot@redhat.com>
Reported-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric W. Biederman [Wed, 3 Apr 2013 16:13:35 +0000 (16:13 +0000)]
Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
This reverts commit
14134f6584212d585b310ce95428014b653dfaf6.
The problem that the above patch was meant to address is that af_unix
messages are not being coallesced because we are sending unnecesarry
credentials. Not sending credentials in maybe_add_creds totally
breaks unconnected unix domain sockets that wish to send credentails
to other sockets.
In practice this break some versions of udev because they receive a
message and the sending uid is bogus so they drop the message.
Reported-by: Sven Joachim <svenjoac@gmx.de>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Veaceslav Falico [Wed, 3 Apr 2013 05:46:33 +0000 (05:46 +0000)]
bonding: remove sysfs before removing devices
We have a race condition if we try to rmmod bonding and simultaneously add
a bond master through sysfs. In bonding_exit() we first remove the devices
(through rtnl_link_unregister() ) and only after that we remove the sysfs.
If we manage to add a device through sysfs after that the devices were
removed - we'll end up with that device/sysfs structure and with the module
unloaded.
Fix this by first removing the sysfs and only after that calling
rtnl_link_unregister().
Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hannes Frederic Sowa [Tue, 2 Apr 2013 14:36:46 +0000 (14:36 +0000)]
atl1e: limit gso segment size to prevent generation of wrong ip length fields
The limit of 0x3c00 is taken from the windows driver.
Suggested-by: Huang, Xiong <xiong@qca.qualcomm.com>
Cc: Huang, Xiong <xiong@qca.qualcomm.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Tue, 2 Apr 2013 21:10:07 +0000 (17:10 -0400)]
net: count hw_addr syncs so that unsync works properly.
A few drivers use dev_uc_sync/unsync to synchronize the
address lists from master down to slave/lower devices. In
some cases (bond/team) a single address list is synched down
to multiple devices. At the time of unsync, we have a leak
in these lower devices, because "synced" is treated as a
boolean and the address will not be unsynced for anything after
the first device/call.
Treat "synced" as a count (same as refcount) and allow all
unsync calls to work.
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 4 Apr 2013 22:56:28 +0000 (15:56 -0700)]
Merge tag 'pm+acpi-3.9-rc6' of git://git./linux/kernel/git/rafael/linux-pm
Pull ACPI and power management fixes from Rafael Wysocki:
- Revert of a recent cpuidle change that caused Nehalem machines to
hang on boot from Alex Shi.
- USB power management fix addressing a crash in the port device
object's release routine from Rafael J Wysocki.
- Device PM QoS fix for a potential deadlock related to sysfs interface
from Rafael J Wysocki.
- Fix for a cpufreq crash when the /cpus Device Tree node is missing
from Paolo Pisati.
- Fix for a build issue on ia64 related to the Boot Graphics Resource
Table (BGRT) from Tony Luck.
- Two fixes for ACPI handles being set incorrectly for device objects
that don't correspond to any ACPI namespace nodes in the I2C and SPI
subsystems from Rafael J Wysocki.
- Fix for compiler warnings related to CONFIG_PM_DEVFREQ being unset
from Rajagopal Venkat.
- Fix for a symbol definition typo in cpufreq_governor.h from Borislav
Petkov.
* tag 'pm+acpi-3.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPI / BGRT: Don't let users configure BGRT on non X86 systems
cpuidle / ACPI: recover percpu ACPI processor cstate
ACPI / I2C: Use parent's ACPI_HANDLE() in acpi_i2c_register_devices()
cpufreq: Correct header guards typo
ACPI / SPI: Use parent's ACPI_HANDLE() in acpi_register_spi_devices()
cpufreq: check OF node /cpus presence before dereferencing it
PM / devfreq: Fix compiler warnings for CONFIG_PM_DEVFREQ unset
PM / QoS: Avoid possible deadlock related to sysfs access
USB / PM: Don't try to hide PM QoS flags from usb_port_device_release()
hayeswang [Sun, 31 Mar 2013 17:02:04 +0000 (17:02 +0000)]
r8169: fix auto speed down issue
It would cause no link after suspending or shutdowning when the
nic changes the speed to 10M and connects to a link partner which
forces the speed to 100M.
Check the link partner ability to determine which speed to set.
Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 4 Apr 2013 21:41:53 +0000 (17:41 -0400)]
Merge branch 'master' of git://1984.lsi.us.es/nf
Pablo Neira Ayuso says:
====================
The following patchset contains netfilter updates for your net tree,
they are:
* Fix missing the skb->trace reset in nf_reset, noticed by Gao Feng
while using the TRACE target with several net namespaces.
* Fix prefix translation in IPv6 NPT if non-multiple of 32 prefixes
are used, from Matthias Schiffer.
* Fix invalid nfacct objects with empty name, they are now rejected
with -EINVAL, spotted by Michael Zintakis, patch from myself.
* A couple of fixes for wrong return values in the error path of
nfnetlink_queue and nf_conntrack, from Wei Yongjun.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 4 Apr 2013 21:39:06 +0000 (17:39 -0400)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless into wireless
John W. Linville says:
====================
Here are some more fixes intended for the 3.9 stream...
Regarding the mac80211 bits, Johannes says:
"I had changed the idle handling to simplify it, but broken the
sequencing of commands, at least for ath9k-htc, one patch restores the
sequence. The other patch fixes a crash Jouni found while stress-testing
the remain-on-channel code, when an item is deleted the work struct can
run twice and crash the second time."
As for the iwlwifi bits, Johannes says:
"The only fix here is to the passive-no-RX firmware regulatory
enforcement driver support code to not drop auth frames in quick
succession, leading to not being able to connect to APs on passive
channels in certain circumstances."
Don't forget the NFC bits, about which Samuel says:
"This time we have:
- A crash fix for when a DGRAM LLCP socket is listening while the NFC adapter
is physically removed.
- A potential double skb free when the LLCP socket receive queue is full.
- A fix for properly handling multiple and consecutive LLCP connections, and
not trash the socket ack log.
- A build failure for the MEI microread physical layer, now that the MEI bus
APIs have been merged into char-misc-next."
On top of that, Stone Piao provides an mwifiex fix to avoid accessing
beyond the end of a buffer.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Stancek [Thu, 4 Apr 2013 18:35:10 +0000 (11:35 -0700)]
mm: prevent mmap_cache race in find_vma()
find_vma() can be called by multiple threads with read lock
held on mm->mmap_sem and any of them can update mm->mmap_cache.
Prevent compiler from re-fetching mm->mmap_cache, because other
readers could update it in the meantime:
thread 1 thread 2
|
find_vma() | find_vma()
struct vm_area_struct *vma = NULL; |
vma = mm->mmap_cache; |
if (!(vma && vma->vm_end > addr |
&& vma->vm_start <= addr)) { |
| mm->mmap_cache = vma;
return vma; |
^^ compiler may optimize this |
local variable out and re-read |
mm->mmap_cache |
This issue can be reproduced with gcc-4.8.0-1 on s390x by running
mallocstress testcase from LTP, which triggers:
kernel BUG at mm/rmap.c:1088!
Call Trace:
([<
000003d100c57000>] 0x3d100c57000)
[<
000000000023a1c0>] do_wp_page+0x2fc/0xa88
[<
000000000023baae>] handle_pte_fault+0x41a/0xac8
[<
000000000023d832>] handle_mm_fault+0x17a/0x268
[<
000000000060507a>] do_protection_exception+0x1e2/0x394
[<
0000000000603a04>] pgm_check_handler+0x138/0x13c
[<
000003fffcf1f07a>] 0x3fffcf1f07a
Last Breaking-Event-Address:
[<
000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
Thanks to Jakub Jelinek for his insight on gcc and helping to
track this down.
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 4 Apr 2013 15:41:43 +0000 (08:41 -0700)]
Merge tag 'upstream-3.9-rc6' of git://git.infradead.org/linux-ubifs
Pull UBIFS fix from Artem Bityutskiy:
"Make the space fixup feature work in the case when the file-system is
first mounted R/O and then remounted R/W."
* tag 'upstream-3.9-rc6' of git://git.infradead.org/linux-ubifs:
UBIFS: make space fixup work in the remount case
Rafael J. Wysocki [Thu, 4 Apr 2013 15:41:10 +0000 (17:41 +0200)]
Merge branch 'pm-fixes' into fixes
* pm-fixes:
cpufreq: Correct header guards typo
cpufreq: check OF node /cpus presence before dereferencing it
PM / devfreq: Fix compiler warnings for CONFIG_PM_DEVFREQ unset
PM / QoS: Avoid possible deadlock related to sysfs access
USB / PM: Don't try to hide PM QoS flags from usb_port_device_release()
Rafael J. Wysocki [Thu, 4 Apr 2013 15:40:59 +0000 (17:40 +0200)]
Merge branch 'acpi-fixes' into fixes
* acpi-fixes:
ACPI / BGRT: Don't let users configure BGRT on non X86 systems
cpuidle / ACPI: recover percpu ACPI processor cstate
ACPI / I2C: Use parent's ACPI_HANDLE() in acpi_i2c_register_devices()
ACPI / SPI: Use parent's ACPI_HANDLE() in acpi_register_spi_devices()
Linus Torvalds [Thu, 4 Apr 2013 15:40:45 +0000 (08:40 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:
- Workaround for device ID conflict between Masterkit MA901 usb radio
device and Atmel V-USB devices, to avoid regressions from older
kernels, by Alexey Klimov
- fix for possible race during input device registration in magicmouse
driver, by Benjamin Tissoires
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: magicmouse: fix race between input_register() and probe()
media: radio-ma901: return ENODEV in probe if usb_device doesn't match
HID: fix Masterkit MA901 hid quirks
Linus Torvalds [Thu, 4 Apr 2013 15:40:14 +0000 (08:40 -0700)]
Merge tag 'gpio-fixes-v3.9' of git://git./linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Two GPIO fixes for the v3.9 series:
- Fix erroneous return value in the ICH driver
- Make the STMPE driver proper properly on device tree boots"
* tag 'gpio-fixes-v3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: stmpe: pass DT node to irqdomain
gpio-ich: Fix value returned by ichx_gpio_request
Takashi Iwai [Thu, 4 Apr 2013 13:35:24 +0000 (15:35 +0200)]
Revert "ALSA: hda - Allow power_save_controller option override DCAPS"
This reverts commit
6ab317419c62850a71e2adfd1573e5ee87d8774f.
The commit [
6ab317419c: ALSA: hda - Allow power_save_controller option
override DCAPS] changed the behavior of power_save_controller so that
it can override the driver capability. This assumed that this option
is rarely changed dynamically unlike power_save option. Too naive.
It turned out that the user-space power-management tool tries to set
power_save_controller option to 1 together with power_save option
without knowing what's actually doing. This enabled forcibly the
runtime PM of the controller, which is known to be broken om many
chips thus disabled as default.
So, the only sane fix is to revert this commit again. It was intended
to ease debugging/testing for runtime PM enablement, but obviously we
need another way for it.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=56171
Reported-and-tested-by: Nikita Tsukanov <keks9n@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
David Henningsson [Thu, 4 Apr 2013 09:47:13 +0000 (11:47 +0200)]
ALSA: hda - fix typo in proc output
Rename "Digitial In" to "Digital In". This function is only used for
proc output, so should not cause any problems to change.
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Steven Whitehouse [Thu, 14 Mar 2013 15:49:59 +0000 (15:49 +0000)]
GFS2: Fix unlock of fcntl locks during withdrawn state
When withdraw occurs, we need to continue to allow unlocks of fcntl
locks to occur, however these will only be local, since the node has
withdrawn from the cluster. This prevents triggering a VFS level
bug trap due to locks remaining when a file is closed.
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Wei Yongjun [Mon, 11 Mar 2013 15:01:37 +0000 (23:01 +0800)]
GFS2: return error if malloc failed in gfs2_rs_alloc()
The error code in gfs2_rs_alloc() is set to ENOMEM when error
but never be used, instead, gfs2_rs_alloc() always return 0.
Fix to return 'error'.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Akinobu Mita [Thu, 7 Mar 2013 14:42:52 +0000 (23:42 +0900)]
GFS2: use memchr_inv
Use memchr_inv to verify that the specified memory range is cleared.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: Steven Whitehouse <swhiteho@redhat.com>
Cc: cluster-devel@redhat.com
Cc: Christine Caulfield <ccaulfie@redhat.com>
Cc: David Teigland <teigland@redhat.com>
David Teigland [Tue, 5 Mar 2013 21:01:47 +0000 (16:01 -0500)]
GFS2: use kmalloc for lvb bitmap
The temp lvb bitmap was on the stack, which could
be an alignment problem for __set_bit_le. Use
kmalloc for it instead.
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Benjamin Tissoires [Tue, 2 Apr 2013 09:11:52 +0000 (11:11 +0200)]
HID: magicmouse: fix race between input_register() and probe()
Since kernel 3.7, it appears that the input registration occured before
the end of magicmouse_setup_input(). This is shown by receiving a lot of
"EV_SYN SYN_REPORT 1" instead of normal "EV_SYN SYN_REPORT 0".
This value means that the output buffer is full, and the user space
is loosing events.
Using .input_configured guarantees that the race is not occuring, and that
the call of "input_set_events_per_packet(input, 60)" is taken into account
by input_register().
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=908604
Cc: stable@vger.kernel.org
Reported-and-Tested-By: Clarke Wixon <cwixon@usa.net>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Rainer Koenig [Thu, 4 Apr 2013 06:40:38 +0000 (08:40 +0200)]
ALSA: hda - Enabling Realtek ALC 671 codec
* Added the device ID to the modalias list and assinged ALC662 patches
for it
* Added 4 port support for the device ID 0671 in alc662_parse_auto_config
Signed-off-by: Rainer Koenig <Rainer.Koenig@ts.fujitsu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Linus Torvalds [Wed, 3 Apr 2013 23:15:17 +0000 (16:15 -0700)]
Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Pull ARM fixes from Russell King:
"Another round of ARM fixes, which include:
- Fixing a problem with LPAE mapping sections
- Reporting of some hwcaps on Krait CPUs
- Avoiding repetitive warnings in the breakpoint code
- Fixing a build error noticed on Dove platforms with PJ4 CPUs
- Fix masking of level 2 cache revision.
- Fixing timer-based udelay()
- A larger fix for an erratum causing people major grief with Cortex
A15 CPUs"
* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
ARM: 7690/1: mm: fix CONFIG_LPAE typos
ARM: 7689/1: add unwind annotations to ftrace asm
ARM: 7685/1: delay: use private ticks_per_jiffy field for timer-based delay ops
ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
ARM: 7682/1: cache-l2x0: fix masking of RTL revision numbering and set_debug init
ARM: iWMMXt: always enable iWMMXt support with PJ4 CPUs
ARM: 7681/1: hw_breakpoint: use warn_once to avoid spam from reset_ctrl_regs()
ARM: 7678/1: Work around faulty ISAR0 register in some Krait CPUs
ARM: 7680/1: Detect support for SDIV/UDIV from ISAR0 register
ARM: 7679/1: Clear IDIVT hwcap if CONFIG_ARM_THUMB=n
ARM: 7677/1: LPAE: Fix mapping in alloc_init_section for unaligned addresses
ARM: KVM: vgic: take distributor lock on sync_hwstate path
ARM: KVM: vgic: force EOIed LRs to the empty state
Gabor Juhos [Fri, 29 Mar 2013 14:52:27 +0000 (15:52 +0100)]
rt2x00: rt2x00pci: fix build error on Ralink RT3x5x SoCs
The rt2800pci driver supports the built-in wireless
MAC of the Ralink RT3x5x SoCs. However building the
driver for these SoCs leads to the following error:
LD init/built-in.o
drivers/built-in.o: In function `rt2800pci_rxdone_tasklet':
<...>/drivers/net/wireless/rt2x00/rt2800pci.c:1012: undefined reference to `rt2x00pci_rxdone'
drivers/built-in.o:(.rodata+0x4780): undefined reference to `rt2x00pci_initialize'
drivers/built-in.o:(.rodata+0x4784): undefined reference to `rt2x00pci_uninitialize'
drivers/built-in.o:(.rodata+0x47bc): undefined reference to `rt2x00pci_flush_queue'
drivers/built-in.o:(.rodata+0x4818): undefined reference to `rt2x00pci_regbusy_read'
make[5]: *** [vmlinux] Error 1
The missing functions are provided by the rt2x00pci
module. This module is only selected by the rt2800pci
driver if PCI support is enabled in the kernel, because
some parts of the rt2x00pci code depends on PCI support.
PCI support is not available on the RT3x5x SoCs because
those have no PCI host controller at all.
Move the non PCI specific code from rt2x00pci into a
separate module. This makes it possible to use that
code even if PCI support is disabled. The affected
functions are used by all of the rt2x00 PCI drivers
so select the new module for those drivers.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Tim Gardner [Mon, 18 Feb 2013 19:56:28 +0000 (12:56 -0700)]
rt2x00: rt2x00pci_regbusy_read() - only print register access failure once
BugLink: http://bugs.launchpad.net/bugs/1128840
It appears that when this register read fails it never recovers, so
I think there is no need to repeat the same error message ad infinitum.
Cc: Ivo van Doorn <IvDoorn@gmail.com>
Cc: Gertjan van Wingerde <gwingerde@gmail.com>
Cc: Helmut Schaa <helmut.schaa@googlemail.com>
Cc: "John W. Linville" <linville@tuxdriver.com>
Cc: linux-wireless@vger.kernel.org
Cc: users@rt2x00.serialmonkey.com
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Robert Shade [Tue, 2 Apr 2013 23:52:45 +0000 (19:52 -0400)]
ath9k: Re-enable interrupts after a channel change failure
ath_complete_reset will not be called if ath9k_hw_reset
is unsuccessful, so we need to re-enable intertupts to
balence the previous ath_prepare_reset call. Also schedule a
reset as a best effort method to recover the chip from
whatever state caused the channel change failure.
Fixes https://bugzilla.kernel.org/show_bug.cgi?id=55771
Signed-off-by: Robert Shade <robert.shade@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Franky Lin [Tue, 2 Apr 2013 19:06:20 +0000 (21:06 +0200)]
brcmfmac: do not proceed if fail to download nvram to dongle
Nvram contains critical initialization parameter for firmware to run. Host
driver should not proceed if nvram fails to be downloaded to dongle.
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Reviewed-by: Arend van Spriel <arend@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Franky Lin <frankyl@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Hante Meuleman [Tue, 2 Apr 2013 19:06:19 +0000 (21:06 +0200)]
brcmfmac: fix returning cipher_suite for get_key operation.
When multiple cipher suites have been programmed then the lowest
suite is to be retured. This fixes issue when AP mode is using
CCMP and TKIP WPA combination where rekeying will fail.
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Hante Meuleman [Tue, 2 Apr 2013 19:06:18 +0000 (21:06 +0200)]
brcmfmac: fix stopping AP.
on stop_ap the dongle was not properly shutdown. As a result it was
not possible to restart AP or STA after AP operation without
restarting the device. This patch will fix that.
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Hante Meuleman [Tue, 2 Apr 2013 19:06:17 +0000 (21:06 +0200)]
brcmfmac: fix tkip mic tx/rx ap swap bug.
tx and rx michael tkip keys are always swapped in case being
configured per mac. This is wrong for AP. The swap should only
be done for STA mode.
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bing Zhao [Mon, 1 Apr 2013 19:44:45 +0000 (12:44 -0700)]
mwifiex: complete last internal scan
We are waiting on first scan command of internal scan request
before association, so we should complete on last internal scan
command response.
Cc: <stable@vger.kernel.org> # 3.8
Tested-by: Daniel Drake <dsd@laptop.org>
Tested-by: Marco Cesarano <marco@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Linus Torvalds [Wed, 3 Apr 2013 18:21:13 +0000 (11:21 -0700)]
Merge tag 'ext4_for_linus_stable' of git://git./linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
"Unfortunately, we introduced some big-endian bugs during the last
merge window. Fortunately, Cai and Christian noticed before 3.9
shipped."
* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: fix big-endian bugs which could cause fs corruptions
John W. Linville [Wed, 3 Apr 2013 18:19:48 +0000 (14:19 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/jberg/mac80211
John W. Linville [Wed, 3 Apr 2013 17:50:34 +0000 (13:50 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
Linus Torvalds [Wed, 3 Apr 2013 17:49:27 +0000 (10:49 -0700)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jack/linux-fs
Pull reiserfs fix from Jan Kara:
"A fix for reiserfs xattr bug exposed by changes to lookup_one_len()"
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
reiserfs: Fix warning and inode leak when deleting inode with xattrs
Linus Torvalds [Wed, 3 Apr 2013 17:48:22 +0000 (10:48 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
"Just a bunch of bugfixes"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/mm: provide emtpy check_pgt_cache() function
s390/uaccess: fix page table walk
s390/3270: fix minor_start issue
s390/uaccess: fix clear_user_pt()
s390/scm_blk: fix error return code in scm_blk_init()
s390/scm_block: fix printk format string
drivers/Kconfig: add several missing GENERIC_HARDIRQS dependencies
Zheng Liu [Wed, 3 Apr 2013 16:27:18 +0000 (12:27 -0400)]
ext4: fix big-endian bugs which could cause fs corruptions
When an extent was zeroed out, we forgot to do convert from cpu to le16.
It could make us hit a BUG_ON when we try to write dirty pages out. So
fix it.
[ Also fix a bug found by Dmitry Monakhov where we were missing
le32_to_cpu() calls in the new indirect punch hole code.
There are a number of other big endian warnings found by static code
analyzers, but we'll wait for the next merge window to fix them all
up. These fixes are designed to be Obviously Correct by code
inspection, and easy to demonstrate that it won't make any
difference (and hence, won't introduce any bugs) on little endian
architectures such as x86. --tytso ]
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reported-by: CAI Qian <caiqian@redhat.com>
Reported-by: Christian Kujau <lists@nerdbynature.de>
Cc: Dmitry Monakhov <dmonakhov@openvz.org>
Paul Bolle [Wed, 3 Apr 2013 11:24:45 +0000 (12:24 +0100)]
ARM: 7690/1: mm: fix CONFIG_LPAE typos
CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
up the two typos under arch/arm/.
The fix to head.S is slightly scary, but this is just for setting up
an early io-mapping for the serial port when running on a big-endian,
LPAE system. Since these systems don't exist in the wild (at least, I
have no access to one outside of kvmtool, which doesn't provide a serial
port suitable for earlyprintk), then we can revisit the code later if it
causes any problems.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Rabin Vincent [Tue, 2 Apr 2013 21:11:46 +0000 (22:11 +0100)]
ARM: 7689/1: add unwind annotations to ftrace asm
Add unwind annotations to the ftrace assembly code so that the function
tracer's stacktracing options (func_stack_trace, etc.) work when
CONFIG_ARM_UNWIND is enabled.
Signed-off-by: Rabin Vincent <rabin@rab.in>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Will Deacon [Thu, 28 Mar 2013 10:17:55 +0000 (11:17 +0100)]
ARM: 7685/1: delay: use private ticks_per_jiffy field for timer-based delay ops
Commit
70264367a243 ("ARM: 7653/2: do not scale loops_per_jiffy when
using a constant delay clock") fixed a problem with our timer-based
delay loop, where loops_per_jiffy is scaled by cpufreq yet used directly
by the timer delay ops.
This patch fixes the problem in a more elegant way by keeping a private
ticks_per_jiffy field in the delay ops, independent of loops_per_jiffy
and therefore not subject to scaling. The loop-based delay continues to
use loops_per_jiffy directly, as it should.
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Catalin Marinas [Tue, 26 Mar 2013 22:35:04 +0000 (23:35 +0100)]
ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
all use of the old entries. This patch implements the erratum workaround
which consists of:
1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
2. Send IPI to the CPUs that are running the same mm (and ASID) as the
one being invalidated (or all the online CPUs for global pages).
3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
return code already).
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Rob Herring [Mon, 25 Mar 2013 16:02:48 +0000 (17:02 +0100)]
ARM: 7682/1: cache-l2x0: fix masking of RTL revision numbering and set_debug init
Commit
b8db6b8 (ARM: 7547/4: cache-l2x0: add support for Aurora L2 cache
ctrl) moved the masking of the part ID which caused the RTL version to be
lost. Commit
6248d06 (ARM: 7545/1: cache-l2x0: make outer_cache_fns a
field of l2x0_of_data) changed how .set_debug is initialized. Both commits
break commit
74ddcdb (ARM: 7608/1: l2x0: Only set .set_debug
on PL310 r3p0 and earlier) which uses the RTL version to conditionally set
.set_debug function pointer. Commit
b8db6b8 also caused the printed cache
ID to be missing the version information.
Fix this by reverting how the part number is masked so the RTL version
info is maintained. The cache-id-part DT property does not set the RTL
bits so masking them should have no effect. Also, re-arrange the order
of the function pointer init so the .set_debug function can be overridden.
Reported-by: Paolo Pisati <paolo.pisati@canonical.com>
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Cc: Gregory CLEMENT <gregory.clement@free-electrons.com>
Cc: Yehuda Yitschak <yehuday@marvell.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>