summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2015-03-21cifs: fix use-after-free bug in find_writable_fileDavid Disseldorp1-0/+1
Under intermittent network outages, find_writable_file() is susceptible to the following race condition, which results in a user-after-free in the cifs_writepages code-path: Thread 1 Thread 2 ======== ======== inv_file = NULL refind = 0 spin_lock(&cifs_file_list_lock) // invalidHandle found on openFileList inv_file = open_file // inv_file->count currently 1 cifsFileInfo_get(inv_file) // inv_file->count = 2 spin_unlock(&cifs_file_list_lock); cifs_reopen_file() cifs_close() // fails (rc != 0) ->cifsFileInfo_put() spin_lock(&cifs_file_list_lock) // inv_file->count = 1 spin_unlock(&cifs_file_list_lock) spin_lock(&cifs_file_list_lock); list_move_tail(&inv_file->flist, &cifs_inode->openFileList); spin_unlock(&cifs_file_list_lock); cifsFileInfo_put(inv_file); ->spin_lock(&cifs_file_list_lock) // inv_file->count = 0 list_del(&cifs_file->flist); // cleanup!! kfree(cifs_file); spin_unlock(&cifs_file_list_lock); spin_lock(&cifs_file_list_lock); ++refind; // refind = 1 goto refind_writable; At this point we loop back through with an invalid inv_file pointer and a refind value of 1. On second pass, inv_file is not overwritten on openFileList traversal, and is subsequently dereferenced. Signed-off-by: David Disseldorp <ddiss@suse.de> Reviewed-by: Jeff Layton <jlayton@samba.org> CC: <stable@vger.kernel.org> Signed-off-by: Steve French <smfrench@gmail.com>
2015-03-21cifs: smb2_clone_range() - exit on unhandled errorSachin Prabhu1-1/+2
While attempting to clone a file on a samba server, we receive a STATUS_INVALID_DEVICE_REQUEST. This is mapped to -EOPNOTSUPP which isn't handled in smb2_clone_range(). We end up looping in the while loop making same call to the samba server over and over again. The proposed fix is to exit and return the error value when encountered with an unhandled error. Cc: <stable@vger.kernel.org> Signed-off-by: Sachin Prabhu <sprabhu@redhat.com> Signed-off-by: Steve French <steve.french@primarydata.com> Signed-off-by: Steve French <smfrench@gmail.com>
2015-03-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds21-75/+238
Pull networking fixes from David Miller: 1) Validate iov ranges before feeding them into iov_iter_init(), from Al Viro. 2) We changed copy_from_msghdr_from_user() to zero out the msg_namelen is a NULL pointer is given for the msg_name. Do the same in the compat code too. From Catalin Marinas. 3) Fix partially initialized tuples in netfilter conntrack helper, from Ian Wilson. 4) Missing continue; statement in nft_hash walker can lead to crashes, from Herbert Xu. 5) tproxy_tg6_check looks for IP6T_INV_PROTO in ->flags instead of ->invflags, fix from Pablo Neira Ayuso. 6) Incorrect memory account of TCP FINs can result in negative socket memory accounting values. Fix from Josh Hunt. 7) Don't allow virtual functions to enable VLAN promiscuous mode in be2net driver, from Vasundhara Volam. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set cx82310_eth: wait for firmware to become ready net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour be2net: use PCI MMIO read instead of config read for errors be2net: restrict MODIFY_EQ_DELAY cmd to a max of 8 EQs be2net: Prevent VFs from enabling VLAN promiscuous mode tcp: fix tcp fin memory accounting ipv6: fix backtracking for throw routes net: ethernet: pcnet32: Setup the SRAM and NOUFLO on Am79C97{3, 5} ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment netfilter: xt_TPROXY: fix invflags check in tproxy_tg6_check() netfilter: restore rule tracing via nfnetlink_log netfilter: nf_tables: allow to change chain policy without hook if it exists netfilter: Fix potential crash in nft_hash walker netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
2015-03-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparcLinus Torvalds7-15/+141
Pull sparc fixes from David Miller: "Some perf bug fixes from David Ahern, and the fix for that nasty memmove() bug" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc64: Fix several bugs in memmove(). sparc: Touch NMI watchdog when walking cpus and calling printk sparc: perf: Add support M7 processor sparc: perf: Make counting mode actually work sparc: perf: Remove redundant perf_pmu_{en|dis}able calls
2015-03-23sparc64: Fix several bugs in memmove().David S. Miller1-3/+32
Firstly, handle zero length calls properly. Believe it or not there are a few of these happening during early boot. Next, we can't just drop to a memcpy() call in the forward copy case where dst <= src. The reason is that the cache initializing stores used in the Niagara memcpy() implementations can end up clearing out cache lines before we've sourced their original contents completely. For example, considering NG4memcpy, the main unrolled loop begins like this: load src + 0x00 load src + 0x08 load src + 0x10 load src + 0x18 load src + 0x20 store dst + 0x00 Assume dst is 64 byte aligned and let's say that dst is src - 8 for this memcpy() call. That store at the end there is the one to the first line in the cache line, thus clearing the whole line, which thus clobbers "src + 0x28" before it even gets loaded. To avoid this, just fall through to a simple copy only mildly optimized for the case where src and dst are 8 byte aligned and the length is a multiple of 8 as well. We could get fancy and call GENmemcpy() but this is good enough for how this thing is actually used. Reported-by: David Ahern <david.ahern@oracle.com> Reported-by: Bob Picco <bpicco@meloft.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-22Linux 4.0-rc5Linus Torvalds1-1/+1
2015-03-22Merge tag 'md/4.0-rc4-fix' of git://neil.brown.name/mdLinus Torvalds2-3/+2
Pull bugfix for md from Neil Brown: "One fix for md in 4.0-rc4 Regression in recent patch causes crash on error path" * tag 'md/4.0-rc4-fix' of git://neil.brown.name/md: md: fix problems with freeing private data after ->run failure.
2015-03-22Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nfDavid S. Miller10-13/+61
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for your net tree, they are: 1) Fix missing initialization of tuple structure in nfnetlink_cthelper to avoid mismatches when looking up to attach userspace helpers to flows, from Ian Wilson. 2) Fix potential crash in nft_hash when we hit -EAGAIN in nft_hash_walk(), from Herbert Xu. 3) We don't need to indicate the hook information to update the basechain default policy in nf_tables. 4) Restore tracing over nfnetlink_log due to recent rework to accomodate logging infrastructure into nf_tables. 5) Fix wrong IP6T_INV_PROTO check in xt_TPROXY. 6) Set IP6T_F_PROTO flag in nft_compat so we can use SYNPROXY6 and REJECT6 from xt over nftables. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-22Merge tag 'driver-core-4.0-rc5' of ↵Linus Torvalds2-0/+4
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fixes from Greg KH: "Here are two bugfixes for things reported. One regression in kernfs, and another issue fixed in the LZ4 code that was fixed in the "upstream" codebase that solves a reported kernel crash Both have been in linux-next for a while" * tag 'driver-core-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: LZ4 : fix the data abort issue kernfs: handle poll correctly on 'direct_read' files.
2015-03-22Merge tag 'char-misc-4.0-rc5' of ↵Linus Torvalds3-183/+3
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc fixes from Greg KH: "Here are three fixes for 4.0-rc5 that revert 3 PCMCIA patches that were merged in 4.0-rc1 that cause regressions. So let's revert them for now and they will be reworked and resent sometime in the future. All have been tested in linux-next for a while" * tag 'char-misc-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: Revert "pcmcia: add a new resource manager for non ISA systems" Revert "pcmcia: fix incorrect bracketing on a test" Revert "pcmcia: add missing include for new pci resource handler"
2015-03-22Merge tag 'staging-4.0-rc5' of ↵Linus Torvalds3-17/+17
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are four small staging driver fixes, all for the vt6656 and vt6655 drivers, that resolve some reported issues with them. All of these patches have been in linux next for a while" * tag 'staging-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: vt6655: Fix late setting of byRFType. vt6655: RFbSetPower fix missing rate RATE_12M staging: vt6656: vnt_rf_setpower: fix missing rate RATE_12M staging: vt6655: vnt_tx_packet fix dma_idx selection.
2015-03-22Merge tag 'tty-4.0-rc5' of ↵Linus Torvalds1-3/+12
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial driver fix from Greg KH: "Here's a single 8250 serial driver that fixes a reported deadlock with the serial console and the tty driver. It's been in linux-next for a while now" * tag 'tty-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: 8250_dw: Fix deadlock in LCR workaround
2015-03-22Merge tag 'usb-4.0-rc5' of ↵Linus Torvalds34-719/+131
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB / PHY driver fixes from Greg KH: "Here's a number of USB and PHY driver fixes for 4.0-rc5. The largest thing here is a revert of a gadget function driver patch that removes 500 lines of code. Other than that, it's a number of reported bugs fixes and new quirk/id entries. All have been in linux-next for a while" * tag 'usb-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (33 commits) usb: common: otg-fsm: only signal connect after switching to peripheral uas: Add US_FL_NO_ATA_1X for Initio Corporation controllers / devices USB: ehci-atmel: rework clk handling MAINTAINERS: add entry for USB OTG FSM usb: chipidea: otg: add a_alt_hnp_support response for B device phy: omap-usb2: Fix missing clk_prepare call when using old dt name phy: ti/omap: Fix modalias phy: core: Fixup return value of phy_exit when !pm_runtime_enabled phy: miphy28lp: Convert to devm_kcalloc and fix wrong sizof phy: miphy365x: Convert to devm_kcalloc and fix wrong sizeof phy: twl4030-usb: Remove redundant assignment for twl->linkstat phy: exynos5-usbdrd: Fix off-by-one valid value checking for args->args[0] phy: Find the right match in devm_phy_destroy() phy: rockchip-usb: Fixup rockchip_usb_phy_power_on failure path phy: ti-pipe3: Simplify ti_pipe3_dpll_wait_lock implementation phy: samsung-usb2: Remove NULL terminating entry from phys array phy: hix5hd2-sata: Check return value of platform_get_resource phy: exynos-dp-video: Kill exynos_dp_video_phy_pwr_isol function Revert "usb: gadget: zero: Add support for interrupt EP" Revert "xhci: Clear the host side toggle manually when endpoint is 'soft reset'" ...
2015-03-22netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is setPablo Neira Ayuso1-0/+6
ip6tables extensions check for this flag to restrict match/target to a given protocol. Without this flag set, SYNPROXY6 returns an error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Patrick McHardy <kaber@trash.net>
2015-03-21cx82310_eth: wait for firmware to become readyOndrej Zary1-6/+24
When the device is powered up, some (older) firmware versions fail to work properly if we send commands before the boot is complete (everything is OK when the device is hot-plugged). The firmware indicates its ready status by putting the link up. Newer firmwares delay the first command so they don't suffer from this problem. They also report the link being always up. Wait for firmware to become ready (link up) before sending any commands and/or data. This also allows lowering CMD_TIMEOUT value to a reasonable time. Tested with 4.1.0.9 (old) and 4.1.0.30 (new) firmware versions. Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-21Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dmaLinus Torvalds5-80/+137
Pull slave dmaengine fixes from Vinod Koul: "Four fixes for dw, pl08x, imx-sdma and at_hdmac driver. Nothing unusual here, simple fixes to these drivers" * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: pl08x: Define capabilities for generic capabilities reporting dmaengine: dw: append MODULE_ALIAS for platform driver dmaengine: imx-sdma: switch to dynamic context mode after script loaded dmaengine: at_hdmac: Fix calculation of the residual bytes
2015-03-21Merge tag 'pm+acpi-4.0-rc5' of ↵Linus Torvalds8-54/+78
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management and ACPI fixes from Rafael Wysocki: "These are fixes for recent regressions (PCI/ACPI resources and at91 RTC locking), a stable-candidate powercap RAPL driver fix and two ARM cpuidle fixes (one stable-candidate too). Specifics: - Revert a recent PCI commit related to IRQ resources management that introduced a regression for drivers attempting to bind to devices whose previous drivers did not balance pci_enable_device() and pci_disable_device() as expected (Rafael J Wysocki). - Fix a deadlock in at91_rtc_interrupt() introduced by a typo in a recent commit related to wakeup interrupt handling (Dan Carpenter). - Allow the power capping RAPL (Running-Average Power Limit) driver to use different energy units for domains within one CPU package which is necessary to handle Intel Haswell EP processors correctly (Jacob Pan). - Improve the cpuidle mvebu driver's handling of Armada XP SoCs by updating the target residency and exit latency numbers for those chips (Sebastien Rannou). - Prevent the cpuidle mvebu driver from calling cpu_pm_enter() twice in a row before cpu_pm_exit() is called on the same CPU which breaks the core's assumptions regarding the usage of those functions (Gregory Clement)" * tag 'pm+acpi-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: Revert "x86/PCI: Refine the way to release PCI IRQ resources" rtc: at91rm9200: double locking bug in at91_rtc_interrupt() powercap / RAPL: handle domains with different energy units cpuidle: mvebu: Update cpuidle thresholds for Armada XP SOCs cpuidle: mvebu: Fix the CPU PM notifier usage
2015-03-21Merge git://people.freedesktop.org/~airlied/linuxLinus Torvalds18-372/+159
Pull drm updates from Dave Airlie: "A bunch of fixes across drivers: radeon: disable two ended allocation for now, it breaks some stuff amdkfd: misc fixes nouveau: fix irq loop problem, add basic support for GM206 (new hw) i915: fix some WARNs people were seeing exynos: fix some iommu interactions causing boot failures" * git://people.freedesktop.org/~airlied/linux: drm/radeon: drop ttm two ended allocation drm/exynos: fix the initialization order in FIMD drm/exynos: fix typo config name correctly. drm/exynos: Check for NULL dereference of crtc drm/exynos: IS_ERR() vs NULL bug drm/exynos: remove unused files drm/i915: Make sure the primary plane is enabled before reading out the fb state drm/nouveau/bios: fix i2c table parsing for dcb 4.1 drm/nouveau/device/gm100: Basic GM206 bring up (as copy of GM204) drm/nouveau/device: post write to NV_PMC_BOOT_1 when flipping endian switch drm/nouveau/gr/gf100: fix some accidental or'ing of buffer addresses drm/nouveau/fifo/nv04: remove the loop from the interrupt handler drm/radeon: Changing number of compute pipe lines drm/amdkfd: Fix SDMA queue init. in non-HWS mode drm/amdkfd: destroy mqd when destroying kernel queue drm/i915: Ensure plane->state->fb stays in sync with plane->fb
2015-03-21Merge tag 'devicetree-fixes-for-4.0-part2' of ↵Linus Torvalds3-12/+14
git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull more DeviceTree fixes vfom Rob Herring: - revert setting stdout-path as preferred console. This caused regressions in PowerMACs and other systems. - yet another fix for stdout-path option parsing. - fix error path handling in of_irq_parse_one * tag 'devicetree-fixes-for-4.0-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: Revert "of: Fix premature bootconsole disable with 'stdout-path'" of: handle both '/' and ':' in path strings of: unittest: Add option string test case with longer path of/irq: Fix of_irq_parse_one() returned error codes
2015-03-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pendingLinus Torvalds14-47/+61
Pull SCSI target fixes from Nicholas Bellinger: "Here are current target-pending fixes for v4.0-rc5 code that have made their way into the queue over the last weeks. The fixes this round include: - Fix long-standing iser-target logout bug related to early conn_logout_comp completion, resulting in iscsi_conn use-after-tree OOpsen. (Sagi + nab) - Fix long-standing tcm_fc bug in ft_invl_hw_context() failure handing for DDP hw offload. (DanC) - Fix incorrect use of unprotected __transport_register_session() in tcm_qla2xxx + other single local se_node_acl fabrics. (Bart) - Fix reference leak in target_submit_cmd() -> target_get_sess_cmd() for ack_kref=1 failure path. (Bart) - Fix pSCSI backend ->get_device_type() statistics OOPs with un-configured device. (Olaf + nab) - Fix virtual LUN=0 target_configure_device failure OOPs at modprobe time. (Claudio + nab) - Fix FUA write false positive failure regression in v4.0-rc1 code. (Christophe Vu-Brugier + HCH)" * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: target: do not reject FUA CDBs when write cache is enabled but emulate_write_cache is 0 target: Fix virtual LUN=0 target_configure_device failure OOPs target/pscsi: Fix NULL pointer dereference in get_device_type tcm_fc: missing curly braces in ft_invl_hw_context() target: Fix reference leak in target_get_sess_cmd() error path loop/usb/vhost-scsi/xen-scsiback: Fix use of __transport_register_session tcm_qla2xxx: Fix incorrect use of __transport_register_session iscsi-target: Avoid early conn_logout_comp for iser connections Revert "iscsi-target: Avoid IN_LOGOUT failure case for iser-target" target: Disallow changing of WRITE cache/FUA attrs after export
2015-03-21Merge tag 'dm-4.0-fixes' of ↵Linus Torvalds5-26/+142
git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull devicemapper fixes from Mike Snitzer: "A handful of stable fixes for DM: - fix thin target to always zero-fill reads to unprovisioned blocks - fix to interlock device destruction's suspend from internal suspends - fix 2 snapshot exception store handover bugs - fix dm-io to cope with DISCARD and WRITE_SAME capabilities changing" * tag 'dm-4.0-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME dm snapshot: suspend merging snapshot when doing exception handover dm snapshot: suspend origin when doing exception handover dm: hold suspend_lock while suspending device during device deletion dm thin: fix to consistently zero-fill reads to unprovisioned blocks
2015-03-21Merge branch 'for-linus' of ↵Linus Torvalds8-46/+352
git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "Most of these are fixing extent reservation accounting, or corners with tree writeback during commit. Josef's set does add a test, which isn't strictly a fix, but it'll keep us from making this same mistake again" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: fix outstanding_extents accounting in DIO Btrfs: add sanity test for outstanding_extents accounting Btrfs: just free dummy extent buffers Btrfs: account merges/splits properly Btrfs: prepare block group cache before writing Btrfs: fix ASSERT(list_empty(&cur_trans->dirty_bgs_list) Btrfs: account for the correct number of extents for delalloc reservations Btrfs: fix merge delalloc logic Btrfs: fix comp_oper to get right order Btrfs: catch transaction abortion after waiting for it btrfs: fix sizeof format specifier in btrfs_check_super_valid()
2015-03-21Merge branch 'for-4.0' of git://linux-nfs.org/~bfields/linuxLinus Torvalds1-2/+0
Pull nfsd bufix from Bruce Fields: "This is a fix for a crash easily triggered by 4.1 activity to a server built with CONFIG_NFSD_PNFS. There are some more bugfixes queued up that I intend to pass along next week, but this is the most critical" * 'for-4.0' of git://linux-nfs.org/~bfields/linux: Subject: nfsd: don't recursively call nfsd4_cb_layout_fail
2015-03-21Merge tag 'upstream-4.0-rc5' of git://git.infradead.org/linux-ubifsLinus Torvalds1-1/+2
Pull UBI fix from Artem Bityutskiy: "This fixes a bug introduced during the v4.0 merge window where we forgot to put braces where they should be" * tag 'upstream-4.0-rc5' of git://git.infradead.org/linux-ubifs: UBI: fix missing brace control flow
2015-03-21Merge tag 'arm64-fixes' of ↵Linus Torvalds3-5/+19
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - mm switching fix where the kernel pgd ends up in the user TTBR0 after returning from an EFI run-time services call - fix __GFP_ZERO handling for atomic pool and CMA DMA allocations (the generic code does get the gfp flags, so it's left with the arch code to memzero accordingly) * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: Honor __GFP_ZERO in dma allocations arm64: efi: don't restore TTBR0 if active_mm points at init_mm
2015-03-21Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-armLinus Torvalds5-23/+23
Pull ARM fixes from Russell King: "Another few ARM fixes. Fabrice fixed the L2 cache DT parsing to allow prefetch configuration to be specified even when the cache size parsing fails. Laura noticed that the setting of page attributes wasn't working for modules due to is_module_addr() always returning false. Marc Gonzalez (aka Mason) noticed a potential latent bug with the way we read one of the CPUID registers (where we could attempt to read a non-present CPUID register which may fault.) I've fixed an issue where 32-bit DMA masks were failing with memory which extended to the top of physical address space, and I've also added debugging output of the page tables when we hit a data access exception which we don't specifically handle - prompted by the lack of information in a bug report" * 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm: ARM: 8313/1: Use read_cpuid_ext() macro instead of inline asm ARM: 8311/1: Don't use is_module_addr in setting page attributes ARM: 8310/1: l2c: Fix prefetch settings dt parsing ARM: dump pgd, pmd and pte states on unhandled data abort faults ARM: dma-api: fix off-by-one error in __dma_supported()
2015-03-21Merge branches 'pm-cpuidle', 'powercap', 'irq-pm' and 'acpi-resources'Rafael J. Wysocki266-1509/+2867
* pm-cpuidle: cpuidle: mvebu: Update cpuidle thresholds for Armada XP SOCs cpuidle: mvebu: Fix the CPU PM notifier usage * powercap: powercap / RAPL: handle domains with different energy units * irq-pm: rtc: at91rm9200: double locking bug in at91_rtc_interrupt() * acpi-resources: Revert "x86/PCI: Refine the way to release PCI IRQ resources"
2015-03-21md: fix problems with freeing private data after ->run failure.NeilBrown2-3/+2
If ->run() fails, it can either free the data structures it allocated, or leave that task to ->free() which will be called on failures. However: md.c calls ->free() even if ->private_data is NULL, which causes problems in some personalities. raid0.c frees the data, but doesn't clear ->private_data, which will become a problem when we fix md.c So better fix both these issues at once. Reported-by: Richard W.M. Jones <rjones@redhat.com> Fixes: 5aa61f427e4979be733e4847b9199ff9cc48a47e URL: https://bugzilla.kernel.org/show_bug.cgi?id=94381 Signed-off-by: NeilBrown <neilb@suse.de>
2015-03-20net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfromAl Viro1-0/+4
Cc: stable@vger.kernel.org # v3.19 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() ↵Catalin Marinas1-0/+7
behaviour Commit db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error) introduced the clamping of msg_namelen when the unsigned value was larger than sizeof(struct sockaddr_storage). This caused a msg_namelen of -1 to be valid. The native code was subsequently fixed by commit dbb490b96584 (net: socket: error on a negative msg_namelen). In addition, the native code sets msg_namelen to 0 when msg_name is NULL. This was done in commit (6a2a2b3ae075 net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland) and subsequently updated by 08adb7dabd48 (fold verify_iovec() into copy_msghdr_from_user()). This patch brings the get_compat_msghdr() in line with copy_msghdr_from_user(). Fixes: db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error) Cc: David S. Miller <davem@davemloft.net> Cc: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20arm64: Honor __GFP_ZERO in dma allocationsSuzuki K. Poulose1-3/+9
Current implementation doesn't zero out the pages allocated. Honor the __GFP_ZERO flag and zero out if set. Cc: <stable@vger.kernel.org> # v3.14+ Acked-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2015-03-20Merge branch 'be2net'David S. Miller4-44/+108
Sathya Perla says: ==================== be2net: patch set Hi David, this patch set includes 3 bug fixes to the be2net driver. Patch 1 fixes a vlan isolation issue with VFs. When a VF is placed in promiscous mode, it could receive packets belonging to any vlan, as the PF driver grants vlan promisc capability to VFs. The PF driver now disables the vlan promisc capability for VFs to fix this problem. Patch 2 fixes the call to MODIFY_EQ_DELAY FW cmd to not include more than 8 EQs per cmd. The FW is not capable of handling more than 8 EQs per cmd. Patch 3 fixes an EEH error detection issue. On Power platforms, when an EEH error occurs, the slot disconnect state is more reliably detected via an MMIO read compared to a config read. So, the error register reads that occur every second are now done via MMIO. Pls apply this patch set to the "net" tree. Thanks! ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20be2net: use PCI MMIO read instead of config read for errorsSuresh Reddy2-11/+23
When an EEH error occurs, the device/slot is disconnected. This condition is more reliably detected (i.e., returns all ones) with an MMIO read rather than a config read -- especially on power platforms. Hence, this patch fixes EEH error detection by replacing config reads with MMIO reads for reading the error registers. The error registers in Skyhawk-R/BE2/BE3 are accessible both via the config space and the PCICFG (BAR0) memory space. Reported-by: Gavin Shan <gwshan@linux.vnet.ibm.com> Signed-off-by: Suresh Reddy <Suresh.Reddy@emulex.com> Signed-off-by: Sathya Perla <sathya.perla@emulex.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20be2net: restrict MODIFY_EQ_DELAY cmd to a max of 8 EQsSuresh Reddy1-9/+5
Issuing this cmd for more than 8 EQs does not have the intended effect even on BEx and Skyhawk-R. This patch fixes this by issuing this cmd for upto 8 EQs at a time. Signed-off-by: Suresh Reddy <Suresh.Reddy@emulex.com> Signed-off-by: Sathya Perla <sathya.perla@emulex.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20be2net: Prevent VFs from enabling VLAN promiscuous modeVasundhara Volam4-24/+80
Currently, a PF does not restrict its VF interface from enabling vlan promiscuous mode. This breaks vlan isolation when a vlan (transparent tagging) is configured on a VF. This patch fixes this problem by disabling the vlan promisc capability for VFs. Reported-by: Yoann Juet <veilletechno-irts@univ-nantes.fr> Signed-off-by: Vasundhara Volam <vasundhara.volam@emulex.com> Signed-off-by: Sathya Perla <sathya.perla@emulex.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20tcp: fix tcp fin memory accountingJosh Hunt1-5/+1
tcp_send_fin() does not account for the memory it allocates properly, so sk_forward_alloc can be negative in cases where we've sent a FIN: ss example output (ss -amn | grep -B1 f4294): tcp FIN-WAIT-1 0 1 192.168.0.1:45520 192.0.2.1:8080 skmem:(r0,rb87380,t0,tb87380,f4294966016,w1280,o0,bl0) Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20arm64: efi: don't restore TTBR0 if active_mm points at init_mmWill Deacon2-2/+10
init_mm isn't a normal mm: it has swapper_pg_dir as its pgd (which contains kernel mappings) and is used as the active_mm for the idle thread. When restoring the pgd after an EFI call, we write current->active_mm into TTBR0. If the current task is actually the idle thread (e.g. when initialising the EFI RTC before entering userspace), then the TLB can erroneously populate itself with junk global entries as a result of speculative table walks. When we do eventually return to userspace, the task can end up hitting these junk mappings leading to lockups, corruption or crashes. This patch fixes the problem in the same way as the CPU suspend code by ensuring that we never switch to the init_mm in efi_set_pgd and instead point TTBR0 at the zero page. A check is also added to cpu_switch_mm to BUG if we get passed swapper_pg_dir. Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Fixes: f3cdfd239da5 ("arm64/efi: move SetVirtualAddressMap() to UEFI stub") Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2015-03-20ipv6: fix backtracking for throw routesSteven Barth1-0/+1
for throw routes to trigger evaluation of other policy rules EAGAIN needs to be propagated up to fib_rules_lookup similar to how its done for IPv4 A simple testcase for verification is: ip -6 rule add lookup 33333 priority 33333 ip -6 route add throw 2001:db8::1 ip -6 route add 2001:db8::1 via fe80::1 dev wlan0 table 33333 ip route get 2001:db8::1 Signed-off-by: Steven Barth <cyrus@openwrt.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20net: ethernet: pcnet32: Setup the SRAM and NOUFLO on Am79C97{3, 5}Markos Chandras1-2/+29
On a MIPS Malta board, tons of fifo underflow errors have been observed when using u-boot as bootloader instead of YAMON. The reason for that is that YAMON used to set the pcnet device to SRAM mode but u-boot does not. As a result, the default Tx threshold (64 bytes) is now too small to keep the fifo relatively used and it can result to Tx fifo underflow errors. As a result of which, it's best to setup the SRAM on supported controllers so we can always use the NOUFLO bit. Cc: <netdev@vger.kernel.org> Cc: <stable@vger.kernel.org> Cc: <linux-kernel@vger.kernel.org> Cc: Don Fry <pcnet32@frontier.com> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in ↵Sabrina Dubroca1-5/+3
udp6_ufo_fragment Matt Grant reported frequent crashes in ipv6_select_ident when udp6_ufo_fragment is called from openvswitch on a skb that doesn't have a dst_entry set. ipv6_proxy_select_ident generates the frag_id without using the dst associated with the skb. This approach was suggested by Vladislav Yasevich. Fixes: 0508c07f5e0c ("ipv6: Select fragment id during UFO segmentation if not set.") Cc: Vladislav Yasevich <vyasevic@redhat.com> Reported-by: Matt Grant <matt@mattgrant.net.nz> Tested-by: Matt Grant <matt@mattgrant.net.nz> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Acked-by: Vladislav Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20Revert "x86/PCI: Refine the way to release PCI IRQ resources"Rafael J. Wysocki5-32/+32
Commit b4b55cda5874 (Refine the way to release PCI IRQ resources) introduced a regression in the PCI IRQ resource management by causing the IRQ resource of a device, established when pci_enabled_device() is called on a fully disabled device, to be released when the driver is unbound from the device, regardless of the enable_cnt. This leads to the situation that an ill-behaved driver can now make a device unusable to subsequent drivers by an imbalance in their use of pci_enable/disable_device(). That is a serious problem for secondary drivers like vfio-pci, which are innocent of the transgressions of the previous driver. Since the solution of this problem is not immediate and requires further discussion, revert commit b4b55cda5874 and the issue it was supposed to address (a bug related to xen-pciback) will be taken care of in a different way going forward. Reported-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2015-03-20netfilter: xt_TPROXY: fix invflags check in tproxy_tg6_check()Pablo Neira Ayuso1-2/+2
We have to check for IP6T_INV_PROTO in invflags, instead of flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Balazs Scheidler <bazsi@balabit.hu>
2015-03-20Merge tag 'drm-intel-fixes-2015-03-19' of ↵Dave Airlie1-4/+28
git://anongit.freedesktop.org/drm-intel into drm-fixes Backporting a couple of plane related fixes from drm-next to v4.0. * tag 'drm-intel-fixes-2015-03-19' of git://anongit.freedesktop.org/drm-intel: drm/i915: Make sure the primary plane is enabled before reading out the fb state drm/i915: Ensure plane->state->fb stays in sync with plane->fb
2015-03-20Merge tag 'drm-amdkfd-fixes-2015-03-19' of ↵Dave Airlie3-11/+23
git://people.freedesktop.org/~gabbayo/linux into drm-fixes - Fixing SDMA initialization when in non-HWS mode (debug mode) - Memory leak fix when destroying kernel queue - Fix number of available compute pipelines according to new firmware * tag 'drm-amdkfd-fixes-2015-03-19' of git://people.freedesktop.org/~gabbayo/linux: drm/radeon: Changing number of compute pipe lines drm/amdkfd: Fix SDMA queue init. in non-HWS mode drm/amdkfd: destroy mqd when destroying kernel queue
2015-03-19target: do not reject FUA CDBs when write cache is enabled but ↵Christophe Vu-Brugier4-18/+17
emulate_write_cache is 0 A check that rejects a CDB with FUA bit set if no write cache is emulated was added by the following commit: fde9f50 target: Add sanity checks for DPO/FUA bit usage The condition is as follows: if (!dev->dev_attrib.emulate_fua_write || !dev->dev_attrib.emulate_write_cache) However, this check is wrong if the backend device supports WCE but "emulate_write_cache" is disabled. This patch uses se_dev_check_wce() (previously named spc_check_dev_wce) to invoke transport->get_write_cache() if the device has a write cache or check the "emulate_write_cache" attribute otherwise. Reported-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2015-03-19target: Fix virtual LUN=0 target_configure_device failure OOPsNicholas Bellinger1-2/+2
This patch fixes a NULL pointer dereference triggered by a late target_configure_device() -> alloc_workqueue() failure that results in target_free_device() being called with DF_CONFIGURED already set, which subsequently OOPses in destroy_workqueue() code. Currently this only happens at modprobe target_core_mod time when core_dev_setup_virtual_lun0() -> target_configure_device() fails, and the explicit target_free_device() gets called. To address this bug originally introduced by commit 0fd97ccf45, go ahead and move DF_CONFIGURED to end of target_configure_device() code to handle this special failure case. Reported-by: Claudio Fleiner <cmf@daterainc.com> Cc: Claudio Fleiner <cmf@daterainc.com> Cc: Christoph Hellwig <hch@lst.de> Cc: <stable@vger.kernel.org> # v3.7+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2015-03-19target/pscsi: Fix NULL pointer dereference in get_device_typeNicholas Bellinger1-1/+1
This patch fixes a NULL pointer dereference OOPs with pSCSI backends within target_core_stat.c code. The bug is caused by a configfs attr read if no pscsi_dev_virt->pdv_sd has been configured. Reported-by: Olaf Hering <olaf@aepfle.de> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2015-03-19tcm_fc: missing curly braces in ft_invl_hw_context()Dan Carpenter1-1/+2
This patch adds a missing set of conditional check braces in ft_invl_hw_context() originally introduced by commit dcd998ccd when handling DDP failures in ft_recv_write_data() code. commit dcd998ccdbf74a7d8fe0f0a44e85da1ed5975946 Author: Kiran Patil <kiran.patil@intel.com> Date: Wed Aug 3 09:20:01 2011 +0000 tcm_fc: Handle DDP/SW fc_frame_payload_get failures in ft_recv_write_data Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Kiran Patil <kiran.patil@intel.com> Cc: <stable@vger.kernel.org> # 3.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2015-03-19target: Fix reference leak in target_get_sess_cmd() error pathBart Van Assche1-0/+4
This patch fixes a se_cmd->cmd_kref leak buf when se_sess->sess_tearing_down is true within target_get_sess_cmd() submission path code. This se_cmd reference leak can occur during active session shutdown when ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers. Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> Cc: <stable@vger.kernel.org> # 3.6+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2015-03-19loop/usb/vhost-scsi/xen-scsiback: Fix use of __transport_register_sessionBart Van Assche4-16/+8
This patch changes loopback, usb-gadget, vhost-scsi and xen-scsiback fabric code to invoke transport_register_session() instead of the unprotected flavour, to ensure se_tpg->session_lock is taken when adding new session list nodes to se_tpg->tpg_sess_list. Note that since these four fabric drivers already hold their own internal TPG mutexes when accessing se_tpg->tpg_sess_list, and consist of a single se_session created through configfs attribute access, no list corruption can currently occur. So for correctness sake, go ahead and use the se_tpg->session_lock protected version for these four fabric drivers. Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>