summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-12-12include/linux/hugetlb.h: make isolate_huge_page() an inlineNaoya Horiguchi1-1/+4
With CONFIG_HUGETLBFS=n: mm/migrate.c: In function `do_move_page_to_node_array': include/linux/hugetlb.h:140:33: warning: statement with no effect [-Wunused-value] #define isolate_huge_page(p, l) false ^ mm/migrate.c:1170:4: note: in expansion of macro `isolate_huge_page' isolate_huge_page(page, &pagelist); Reported-by: Borislav Petkov <bp@alien8.de> Tested-by: Borislav Petkov <bp@alien8.de> Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Acked-by: David Rientjes <rientjes@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-12Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds4-55/+27
Pull kvm fixes from Paolo Bonzini: "Four security fixes for KVM on x86. Thanks to Andrew Honig and Lars Bull from Google for reporting them" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) KVM: Improve create VCPU parameter (CVE-2013-4587)
2013-12-12Merge tag 'fixes-for-linus' of ↵Linus Torvalds26-158/+409
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "Another week, another batch of fixes. Again, OMAP regressions due to move to DT is the bulk of the changes here, but this should be the last of it for 3.13. There are also a handful of OMAP hwmod changes (power management, reset handling) for USB on OMAP3 that fixes some longish-standing bugs around USB resets. There are a couple of other changes that also add up line count a bit: One is a long-standing bug with the keyboard layout on one of the PXA platforms. The other is a fix for highbank that moves their power-off/reset button handling to be done in-kernel since relying on userspace to handle it was fragile and awkward" * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: ARM: sun6i: dt: Fix interrupt trigger types ARM: sun7i: dt: Fix interrupt trigger types MAINTAINERS: merge IMX6 entry into IMX ARM: tegra: add missing break to fuse initialization code ARM: pxa: prevent PXA270 occasional reboot freezes ARM: pxa: tosa: fix keys mapping ARM: OMAP2+: omap_device: add fail hook for runtime_pm when bad data is detected ARM: OMAP2+: hwmod: Fix usage of invalid iclk / oclk when clock node is not present ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module ARM: OMAP2+: hwmod: Fix SOFTRESET logic ARM: OMAP4+: hwmod data: Don't prevent RESET of USB Host module ARM: dts: Fix booting for secure omaps ARM: OMAP2+: Fix the machine entry for am3517 ARM: dts: Fix missing entries for am3517 ARM: OMAP2+: Fix overwriting hwmod data with data from device tree ARM: davinci: Fix McASP mem resource names ARM: highbank: handle soft poweroff and reset key events ARM: davinci: fix number of resources passed to davinci_gpio_register() gpio: davinci: fix check for unbanked gpio
2013-12-12Merge branch 'for-linus' of ↵Linus Torvalds5-42/+73
git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "This is a small collection of fixes. It was rebased this morning, but I was just fixing signed-off-by tags with the wrong email" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: fix access_ok() check in btrfs_ioctl_send() Btrfs: make sure we cleanup all reloc roots if error happens Btrfs: skip building backref tree for uuid and quota tree when doing balance relocation Btrfs: fix an oops when doing balance relocation Btrfs: don't miss skinny extent items on delayed ref head contention btrfs: call mnt_drop_write after interrupted subvol deletion Btrfs: don't clear the default compression type
2013-12-12Merge branch 'for-3.13' of git://linux-nfs.org/~bfields/linuxLinus Torvalds1-1/+8
Pull nfsd reply cache bugfix from Bruce Fields: "One bugfix for nfsd crashes" * 'for-3.13' of git://linux-nfs.org/~bfields/linux: nfsd: when reusing an existing repcache entry, unhash it first
2013-12-12mtd: nand: pxa3xx: Use info->use_dma to release DMA resourcesEzequiel Garcia1-1/+1
In commit: commit 62e8b851783138a11da63285be0fbf69530ff73d Author: Ezequiel Garcia <ezequiel.garcia@free-electrons.com> Date: Fri Oct 4 15:30:38 2013 -0300 mtd: nand: pxa3xx: Allocate data buffer on detected flash size the way the buffer is allocated was changed: the first READ_ID is issued with a small kmalloc'ed buffer. Only once the flash page size is detected the DMA buffers are allocated, and info->use_dma is set. Currently, if the device detection fails, the driver checks the 'use_dma' module parameter and tries to release unallocated DMA resources. Fix this by checking the proper indicator of the DMA allocation, which is 'info->use_dma'. Signed-off-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com> Signed-off-by: Brian Norris <computersforpeace@gmail.com>
2013-12-12Partially revert "mtd: nand: pxa3xx: Introduce 'marvell,armada370-nand' ↵Ezequiel Garcia1-4/+0
compatible string" This partially reverts c0f3b8643a6fa2461d70760ec49d21d2b031d611. The "armada370-nand" compatible support is not complete, and it was mistake to add it. Revert it and postpone the support until the infrastructure is in place. Cc: <stable@vger.kernel.org> # 3.12 Signed-off-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com> Acked-by: Jason Cooper <jason@lakedaemon.net> Signed-off-by: Brian Norris <computersforpeace@gmail.com>
2013-12-12selinux: process labeled IPsec TCP SYN-ACK packets properly in ↵Paul Moore1-7/+35
selinux_ip_postroute() Due to difficulty in arriving at the proper security label for TCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets while/before they are undergoing XFRM transforms instead of waiting until afterwards so that we can determine the correct security label. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12selinux: look for IPsec labels on both inbound and outbound packetsPaul Moore3-14/+47
Previously selinux_skb_peerlbl_sid() would only check for labeled IPsec security labels on inbound packets, this patch enables it to check both inbound and outbound traffic for labeled IPsec security labels. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()Paul Moore1-15/+53
In selinux_ip_postroute() we perform access checks based on the packet's security label. For locally generated traffic we get the packet's security label from the associated socket; this works in all cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's the correct security label is stored in the connection's request_sock, not the server's socket. Unfortunately, at the point in time when selinux_ip_postroute() is called we can't query the request_sock directly, we need to recreate the label using the same logic that originally labeled the associated request_sock. See the inline comments for more explanation. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()Paul Moore1-2/+23
In selinux_ip_output() we always label packets based on the parent socket. While this approach works in almost all cases, it doesn't work in the case of TCP SYN-ACK packets when the correct label is not the label of the parent socket, but rather the label of the larval socket represented by the request_sock struct. Unfortunately, since the request_sock isn't queued on the parent socket until *after* the SYN-ACK packet is sent, we can't lookup the request_sock to determine the correct label for the packet; at this point in time the best we can do is simply pass/NF_ACCEPT the packet. It must be said that simply passing the packet without any explicit labeling action, while far from ideal, is not terrible as the SYN-ACK packet will inherit any IP option based labeling from the initial connection request so the label *should* be correct and all our access controls remain in place so we shouldn't have to worry about information leaks. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12i2c: imx: Check the return value from clk_prepare_enable()Fabio Estevam1-1/+3
clk_prepare_enable() may fail, so let's check its return value and propagate it in the case of error. Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
2013-12-12KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)Gleb Natapov1-1/+4
A guest can cause a BUG_ON() leading to a host kernel crash. When the guest writes to the ICR to request an IPI, while in x2apic mode the following things happen, the destination is read from ICR2, which is a register that the guest can control. kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the cluster id. A BUG_ON is triggered, which is a protection against accessing map->logical_map with an out-of-bounds access and manages to avoid that anything really unsafe occurs. The logic in the code is correct from real HW point of view. The problem is that KVM supports only one cluster with ID 0 in clustered mode, but the code that has the bug does not take this into account. Reported-by: Lars Bull <larsbull@google.com> Cc: stable@vger.kernel.org Signed-off-by: Gleb Natapov <gleb@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-12KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)Andy Honig3-53/+18
In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the potential to corrupt kernel memory if userspace provides an address that is at the end of a page. This patches concerts those functions to use kvm_write_guest_cached and kvm_read_guest_cached. It also checks the vapic_address specified by userspace during ioctl processing and returns an error to userspace if the address is not a valid GPA. This is generally not guest triggerable, because the required write is done by firmware that runs before the guest. Also, it only affects AMD processors and oldish Intel that do not have the FlexPriority feature (unless you disable FlexPriority, of course; then newer processors are also affected). Fixes: b93463aa59d6 ('KVM: Accelerated apic support') Reported-by: Andrew Honig <ahonig@google.com> Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-12KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)Andy Honig1-1/+2
Under guest controllable circumstances apic_get_tmcct will execute a divide by zero and cause a crash. If the guest cpuid support tsc deadline timers and performs the following sequence of requests the host will crash. - Set the mode to periodic - Set the TMICT to 0 - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) - Set the TMICT to non-zero. Then the lapic_timer.period will be 0, but the TMICT will not be. If the guest then reads from the TMCCT then the host will perform a divide by 0. This patch ensures that if the lapic_timer.period is 0, then the division does not occur. Reported-by: Andrew Honig <ahonig@google.com> Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-12KVM: Improve create VCPU parameter (CVE-2013-4587)Andy Honig1-0/+3
In multiple functions the vcpu_id is used as an offset into a bitfield. Ag malicious user could specify a vcpu_id greater than 255 in order to set or clear bits in kernel memory. This could be used to elevate priveges in the kernel. This patch verifies that the vcpu_id provided is less than 255. The api documentation already specifies that the vcpu_id must be less than max_vcpus, but this is currently not checked. Reported-by: Andrew Honig <ahonig@google.com> Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-12i2c: mux: Inherit retry count and timeout from parent for muxed busElie De Brauwer1-0/+2
If a muxed i2c bus gets created the default retry count and timeout of the muxed bus is zero. Hence it it possible that you end up with a situation where the parent controller sets a default retry count and timeout which gets applied and used while the muxed bus (using the same controller) has a default retry count of zero and a default timeout of 1s (set in i2c_add_adapter()). This can be solved by initializing the retry count and timeout of the muxed bus with the values used by the the parent at creation time. Signed-off-by: Elie De Brauwer <eliedebrauwer@gmail.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
2013-12-12Merge tag 'sound-3.13-rc4' of ↵Linus Torvalds9-9/+78
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Still a slightly high amount of changes than wished, but they are all good regression and/or device-specific fixes. Majority of commits are for HD-audio, an HDMI ctl index fix that hits old graphics boards, regression fixes for AD codecs and a few quirks. Other than that, two major fixes are included: a 64bit ABI fix for compress offload, and 64bit dma_addr_t truncation fix, which had hit on PAE kernels" * tag 'sound-3.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda - Add static DAC/pin mapping for AD1986A codec ALSA: hda - One more Dell headset detection quirk ALSA: hda - hdmi: Fix IEC958 ctl indexes for some simple HDMI devices ALSA: hda - Mute all aamix inputs as default ALSA: compress: Fix 64bit ABI incompatibility ALSA: memalloc.h - fix wrong truncation of dma_addr_t ALSA: hda - Another Dell headset detection quirk ALSA: hda - A Dell headset detection quirk ALSA: hda - Remove quirk for Dell Vostro 131 ALSA: usb-audio: fix uninitialized variable compile warning ALSA: hda - fix mic issues on Acer Aspire E-572
2013-12-12Merge branch 'for-linus' of ↵Linus Torvalds2-8/+18
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: "A fix for recent sysfs breakage in serio subsystem plus a fixup to adxl34x driver" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: adxl34x - Fix bug in definition of ADXL346_2D_ORIENT Input: serio - fix sysfs layout
2013-12-12xen-netback: fix gso_prefix checkPaul Durrant1-1/+1
There is a mistake in checking the gso_prefix mask when passing large packets to a guest. The wrong shift is applied to the bit - the raw skb gso type is used rather then the translated one. This leads to large packets being handed to the guest without the GSO metadata. This patch fixes the check. The mistake manifested as errors whilst running Microsoft HCK large packet offload tests between a pair of Windows 8 VMs. I have verified this patch fixes those errors. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: David Vrabel <david.vrabel@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-12net: make neigh_priv_len in struct net_device 16bit instead of 8bitSebastian Siewior1-1/+1
neigh_priv_len is defined as u8. With all debug enabled struct ipoib_neigh has 200 bytes. The largest part is sk_buff_head with 96 bytes and here the spinlock with 72 bytes. The size value still fits in this u8 leaving some room for more. On -RT struct ipoib_neigh put on weight and has 392 bytes. The main reason is sk_buff_head with 288 and the fatty here is spinlock with 192 bytes. This does no longer fit into into neigh_priv_len and gcc complains. This patch changes neigh_priv_len from being 8bit to 16bit. Since the following element (dev_id) is 16bit followed by a spinlock which is aligned, the struct remains with a total size of 3200 (allmodconfig) / 2048 (with as much debug off as possible) bytes on x86-64. On x86-32 the struct is 1856 (allmodconfig) / 1216 (with as much debug off as possible) bytes long. The numbers were gained with and without the patch to prove that this change does not increase the size of the struct. Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-12Merge branch 'v4l_for_linus' of ↵Linus Torvalds70-190/+293
git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: "A dvb core deadlock fix, a couple videobuf2 fixes an a series of media driver fixes" * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (30 commits) [media] videobuf2-dma-sg: fix possible memory leak [media] vb2: regression fix: always set length field. [media] mt9p031: Include linux/of.h header [media] rtl2830: add parent for I2C adapter [media] media: marvell-ccic: use devm to release clk [media] ths7303: Declare as static a private function [media] em28xx-video: Swap release order to avoid lock nesting [media] usbtv: Add support for PAL video source [media] media_tree: Fix spelling errors [media] videobuf2: Add support for file access mode flags for DMABUF exporting [media] radio-shark2: Mark shark_resume_leds() inline to kill compiler warning [media] radio-shark: Mark shark_resume_leds() inline to kill compiler warning [media] af9035: unlock on error in af9035_i2c_master_xfer() [media] af9033: fix broken I2C [media] v4l: omap3isp: Don't check for missing get_fmt op on remote subdev [media] af9035: fix broken I2C and USB I/O [media] wm8775: fix broken audio routing [media] marvell-ccic: drop resource free in driver remove [media] tef6862/radio-tea5764: actually assign clamp result [media] cx231xx: use after free on error path in probe ...
2013-12-12Merge tag 'hwmon-for-linus' of ↵Linus Torvalds1-2/+14
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fix from Guenter Roeck: "Fix HIH-6130 driver to work with BeagleBone" * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: HIH-6130: Support I2C bus drivers without I2C_FUNC_SMBUS_QUICK
2013-12-12Merge branch 'hwmon-for-linus' of ↵Linus Torvalds5-7/+16
git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging Pull hwmon fixes from Jean Delvare. * 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: hwmon: Prevent some divide by zeros in FAN_TO_REG() hwmon: (w83l768ng) Fix fan speed control range hwmon: (w83l786ng) Fix fan speed control mode setting and reporting hwmon: (lm90) Unregister hwmon device if interrupt setup fails
2013-12-12drivers: net: cpsw: fix for cpsw crash when build as modulesMugunthan V N1-3/+14
When CPSW and Davinci MDIO are build as modules, CPSW crashes when accessing CPSW registers in CPSW probe. The same is working in built-in as the CPSW clocks are enabled in Davindi MDIO probe, SO Enabling the clocks before accessing the version register and moving out the other register access to cpsw device open. Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-12word-at-a-time: provide generic big-endian zero_bytemask implementationWill Deacon1-0/+8
Whilst architectures may be able to do better than this (which they can, by simply defining their own macro), this is a generic stab at a zero_bytemask implementation for the asm-generic, big-endian word-at-a-time implementation. On arm64, a clz instruction is used to implement the fls efficiently. Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-12dcache: allow word-at-a-time name hashing with big-endian CPUsWill Deacon3-7/+4
When explicitly hashing the end of a string with the word-at-a-time interface, we have to be careful which end of the word we pick up. On big-endian CPUs, the upper-bits will contain the data we're after, so ensure we generate our masks accordingly (and avoid hashing whatever random junk may have been sitting after the string). This patch adds a new dcache helper, bytemask_from_count, which creates a mask appropriate for the CPU endianness. Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-12xen-netback: napi: don't prematurely request a tx eventPaul Durrant1-1/+1
This patch changes the RING_FINAL_CHECK_FOR_REQUESTS in xenvif_build_tx_gops to a check for RING_HAS_UNCONSUMED_REQUESTS as the former call has the side effect of advancing the ring event pointer and therefore inviting another interrupt from the frontend before the napi poll has actually finished, thereby defeating the point of napi. The event pointer is updated by RING_FINAL_CHECK_FOR_REQUESTS in xenvif_poll, the napi poll function, if the work done is less than the budget i.e. when actually transitioning back to interrupt mode. Reported-by: Malcolm Crossley <malcolm.crossley@citrix.com> Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: David Vrabel <david.vrabel@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-12xen-netback: napi: fix abuse of budgetPaul Durrant1-7/+7
netback seems to be somewhat confused about the napi budget parameter. The parameter is supposed to limit the number of skbs processed in each poll, but netback has this confused with grant operations. This patch fixes that, properly limiting the work done in each poll. Note that this limit makes sure we do not process any more data from the shared ring than we intend to pass back from the poll. This is important to prevent tx_queue potentially growing without bound. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: David Vrabel <david.vrabel@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-12Merge tag 'iommu-fixes-for-v3.13-rc4' of git://github.com/awilliam/linux-vfioLinus Torvalds1-38/+28
Pull iommu fixes from Alex Williamson: "arm/smmu driver updates via Will Deacon fixing locking around page table walks and a couple other issues" * tag 'iommu-fixes-for-v3.13-rc4' of git://github.com/awilliam/linux-vfio: iommu/arm-smmu: fix error return code in arm_smmu_device_dt_probe() iommu/arm-smmu: remove potential NULL dereference on mapping path iommu/arm-smmu: use mutex instead of spinlock for locking page tables
2013-12-12Merge tag 'keys-devel-20131210' of ↵Linus Torvalds11-36/+64
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull misc keyrings fixes from David Howells: "These break down into five sets: - A patch to error handling in the big_key type for huge payloads. If the payload is larger than the "low limit" and the backing store allocation fails, then big_key_instantiate() doesn't clear the payload pointers in the key, assuming them to have been previously cleared - but only one of them is. Unfortunately, the garbage collector still calls big_key_destroy() when sees one of the pointers with a weird value in it (and not NULL) which it then tries to clean up. - Three patches to fix the keyring type: * A patch to fix the hash function to correctly divide keyrings off from keys in the topology of the tree inside the associative array. This is only a problem if searching through nested keyrings - and only if the hash function incorrectly puts the a keyring outside of the 0 branch of the root node. * A patch to fix keyrings' use of the associative array. The __key_link_begin() function initially passes a NULL key pointer to assoc_array_insert() on the basis that it's holding a place in the tree whilst it does more allocation and stuff. This is only a problem when a node contains 16 keys that match at that level and we want to add an also matching 17th. This should easily be manufactured with a keyring full of keyrings (without chucking any other sort of key into the mix) - except for (a) above which makes it on average adding the 65th keyring. * A patch to fix searching down through nested keyrings, where any keyring in the set has more than 16 keyrings and none of the first keyrings we look through has a match (before the tree iteration needs to step to a more distal node). Test in keyutils test suite: http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id=8b4ae963ed92523aea18dfbb8cab3f4979e13bd1 - A patch to fix the big_key type's use of a shmem file as its backing store causing audit messages and LSM check failures. This is done by setting S_PRIVATE on the file to avoid LSM checks on the file (access to the shmem file goes through the keyctl() interface and so is gated by the LSM that way). This isn't normally a problem if a key is used by the context that generated it - and it's currently only used by libkrb5. Test in keyutils test suite: http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id=d9a53cbab42c293962f2f78f7190253fc73bd32e - A patch to add a generated file to .gitignore. - A patch to fix the alignment of the system certificate data such that it it works on s390. As I understand it, on the S390 arch, symbols must be 2-byte aligned because loading the address discards the least-significant bit" * tag 'keys-devel-20131210' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: KEYS: correct alignment of system_certificate_list content in assembly file Ignore generated file kernel/x509_certificate_list security: shmem: implement kernel private shmem inodes KEYS: Fix searching of nested keyrings KEYS: Fix multiple key add into associative array KEYS: Fix the keyring hash function KEYS: Pre-clear struct key on allocation
2013-12-12Merge tag 'xfs-for-linus-v3.13-rc4' of git://oss.sgi.com/xfs/xfsLinus Torvalds4-5/+12
Pull xfs bugfixes from Ben Myers: - fix for buffer overrun in agfl with growfs on v4 superblock - return EINVAL if requested discard length is less than a block - fix possible memory corruption in xfs_attrlist_by_handle() * tag 'xfs-for-linus-v3.13-rc4' of git://oss.sgi.com/xfs/xfs: xfs: growfs overruns AGFL buffer on V4 filesystems xfs: don't perform discard if the given range length is less than block size xfs: underflow bug in xfs_attrlist_by_handle()
2013-12-12futex: move user address verification up to common codeLinus Torvalds1-2/+3
When debugging the read-only hugepage case, I was confused by the fact that get_futex_key() did an access_ok() only for the non-shared futex case, since the user address checking really isn't in any way specific to the private key handling. Now, it turns out that the shared key handling does effectively do the equivalent checks inside get_user_pages_fast() (it doesn't actually check the address range on x86, but does check the page protections for being a user page). So it wasn't actually a bug, but the fact that we treat the address differently for private and shared futexes threw me for a loop. Just move the check up, so that it gets done for both cases. Also, use the 'rw' parameter for the type, even if it doesn't actually matter any more (it's a historical artifact of the old racy i386 "page faults from kernel space don't check write protections"). Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-12futex: fix handling of read-only-mapped hugepagesLinus Torvalds1-1/+1
The hugepage code had the exact same bug that regular pages had in commit 7485d0d3758e ("futexes: Remove rw parameter from get_futex_key()"). The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix regression with read only mappings"), but the transparent hugepage case (added in a5b338f2b0b1: "thp: update futex compound knowledge") case remained broken. Found by Dave Jones and his trinity tool. Reported-and-tested-by: Dave Jones <davej@fedoraproject.org> Cc: stable@kernel.org # v2.6.38+ Acked-by: Thomas Gleixner <tglx@linutronix.de> Cc: Mel Gorman <mgorman@suse.de> Cc: Darren Hart <dvhart@linux.intel.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-12ALSA: hda - Add enable_msi=0 workaround for four HP machinesDavid Henningsson1-0/+4
While enabling these machines, we found we would sometimes lose an interrupt if we change hardware volume during playback, and that disabling msi fixed this issue. (Losing the interrupt caused underruns and crackling audio, as the one second timeout is usually bigger than the period size.) The machines were all machines from HP, running AMD Hudson controller, and Realtek ALC282 codec. Cc: stable@vger.kernel.org BugLink: https://bugs.launchpad.net/bugs/1260225 Signed-off-by: David Henningsson <david.henningsson@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-12-12Btrfs: fix access_ok() check in btrfs_ioctl_send()Dan Carpenter1-2/+2
The closing parenthesis is in the wrong place. We want to check "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of "sizeof(*arg->clone_sources * arg->clone_sources_count)". Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Jie Liu <jeff.liu@oracle.com> Signed-off-by: Chris Mason <clm@fb.com> cc: stable@vger.kernel.org
2013-12-12Btrfs: make sure we cleanup all reloc roots if error happensWang Shilong1-0/+7
I hit an oops when merging reloc roots fails, the reason is that new reloc roots may be added and we should make sure we cleanup all reloc roots. Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com> Signed-off-by: Chris Mason <clm@fb.com>
2013-12-12Btrfs: skip building backref tree for uuid and quota tree when doing balance ↵Wang Shilong1-1/+3
relocation Quota tree and UUID Tree is only cowed, they can not be snapshoted. Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com> Signed-off-by: Chris Mason <clm@fb.com>
2013-12-12Btrfs: fix an oops when doing balance relocationWang Shilong1-23/+47
I hit an oops when inserting reloc root into @reloc_root_tree(it can be easily triggered when forcing cow for relocation root) [ 866.494539] [<ffffffffa0499579>] btrfs_init_reloc_root+0x79/0xb0 [btrfs] [ 866.495321] [<ffffffffa044c240>] record_root_in_trans+0xb0/0x110 [btrfs] [ 866.496109] [<ffffffffa044d758>] btrfs_record_root_in_trans+0x48/0x80 [btrfs] [ 866.496908] [<ffffffffa0494da8>] select_reloc_root+0xa8/0x210 [btrfs] [ 866.497703] [<ffffffffa0495c8a>] do_relocation+0x16a/0x540 [btrfs] This is because reloc root inserted into @reloc_root_tree is not within one transaction,reloc root may be cowed and root block bytenr will be reused then oops happens.We should update reloc root in @reloc_root_tree when cow reloc root node, fix it. Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com> Reviewed-by: Miao Xie <miaox@cn.fujitsu.com> Signed-off-by: Chris Mason <clm@fb.com>
2013-12-12Btrfs: don't miss skinny extent items on delayed ref head contentionFilipe David Borba Manana1-12/+10
Currently extent-tree.c:btrfs_lookup_extent_info() can miss the lookup of skinny extent items. This can happen when the execution flow is the following: * We do an extent tree lookup and fail to find a skinny extent item; * As a result, we attempt to see if a non-skinny extent item exists, either by looking at previous item in the leaf or by doing another full extent tree search; * We have a transaction and then we check for a matching delayed ref head in the transaction's delayed refs rbtree; * We find such delayed ref head and then we try to lock it with a call to mutex_trylock(); * The lock was contended so we jump to the label "again", which repeats the extent tree search but for a non-skinny extent item, because we set previously metadata variable to 0 and the search key to look for a non-skinny extent-item; * After the jump (and after releasing the transaction's delayed refs lock), a skinny extent item might have been added to the extent tree but we will miss it because metadata is set to 0 and the search key is set for a non-skinny extent-item. The fix here is to not reset metadata to 0 and to jump to the initial search key setup if the delayed ref head is contended, instead of jumping directly to the extent tree search label ("again"). This issue was found while investigating the issue reported at Bugzilla 64961. David Sterba suspected this function was missing extent items, and that this could be caused by the last change to this function, which was made in the following patch: [PATCH] Btrfs: optimize btrfs_lookup_extent_info() (commit 74be9510876a66ad9826613ac8a526d26f9e7f01) But in fact this issue already existed before, because after failing to find a skinny extent item, the code set the search key for a non-skinny extent item, and on contention of a matching delayed ref head it would not search the extent tree for a skinny extent item anymore. Signed-off-by: Filipe David Borba Manana <fdmanana@gmail.com> Reviewed-by: Liu Bo <bo.li.liu@oracle.com> Signed-off-by: Chris Mason <clm@fb.com>
2013-12-12btrfs: call mnt_drop_write after interrupted subvol deletionDavid Sterba1-1/+2
If btrfs_ioctl_snap_destroy blocks on the mutex and the process is killed, mnt_write count is unbalanced and leads to unmountable filesystem. CC: stable@vger.kernel.org Signed-off-by: David Sterba <dsterba@suse.cz> Signed-off-by: Chris Mason <clm@fb.com>
2013-12-12Btrfs: don't clear the default compression typeMiao Xie1-3/+2
We met a oops caused by the wrong compression type: [ 556.512356] BUG: unable to handle kernel NULL pointer dereference at (null) [ 556.512370] IP: [<ffffffff811dbaa0>] __list_del_entry+0x1/0x98 [SNIP] [ 556.512490] [<ffffffff811dbb44>] ? list_del+0xd/0x2b [ 556.512539] [<ffffffffa05dd5ce>] find_workspace+0x97/0x175 [btrfs] [ 556.512546] [<ffffffff813c14b5>] ? _raw_spin_lock+0xe/0x10 [ 556.512576] [<ffffffffa05de276>] btrfs_compress_pages+0x2d/0xa2 [btrfs] [ 556.512601] [<ffffffffa05af060>] compress_file_range.constprop.54+0x1f2/0x4e8 [btrfs] [ 556.512627] [<ffffffffa05af388>] async_cow_start+0x32/0x4d [btrfs] [ 556.512655] [<ffffffffa05cc7a1>] worker_loop+0x144/0x4c3 [btrfs] [ 556.512661] [<ffffffff81059404>] ? finish_task_switch+0x80/0xb8 [ 556.512689] [<ffffffffa05cc65d>] ? btrfs_queue_worker+0x244/0x244 [btrfs] [ 556.512695] [<ffffffff8104fa4e>] kthread+0x8d/0x95 [ 556.512699] [<ffffffff81050000>] ? bit_waitqueue+0x34/0x7d [ 556.512704] [<ffffffff8104f9c1>] ? __kthread_parkme+0x65/0x65 [ 556.512709] [<ffffffff813c7eec>] ret_from_fork+0x7c/0xb0 [ 556.512713] [<ffffffff8104f9c1>] ? __kthread_parkme+0x65/0x65 Steps to reproduce: # mkfs.btrfs -f <dev> # mount -o nodatacow <dev> <mnt> # touch <mnt>/<file> # chattr =c <mnt>/<file> # dd if=/dev/zero of=<mnt>/<file> bs=1M count=10 It is because we cleared the default compression type when setting the nodatacow. In fact, we needn't do it because we have used COMPRESS flag to indicate if we need compressed the file data or not, needn't use the variant -- compress_type -- in btrfs_info to do the same thing, and just use it to hold the default compression type. Or we would get a wrong compress type for a file whose own compress flag is set but the compress flag of its filesystem is not set. Reported-by: Tsutomu Itoh <t-itoh@jp.fujitsu.com> Signed-off-by: Miao Xie <miaox@cn.fujitsu.com> Reviewed-by: Liu Bo <bo.li.liu@oracle.com> Signed-off-by: Chris Mason <clm@fb.com>
2013-12-12hwmon: Prevent some divide by zeros in FAN_TO_REG()Dan Carpenter3-1/+5
The "rpm * div" operations can overflow here, so this patch adds an upper limit to rpm to prevent that. Jean Delvare helped me with this patch. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Roger Lucas <vt8231@hiddenengine.co.uk> Cc: stable@vger.kernel.org Signed-off-by: Jean Delvare <khali@linux-fr.org>
2013-12-12hwmon: (w83l768ng) Fix fan speed control rangeJean Delvare1-3/+6
The W83L786NG stores the fan speed on 4 bits while the sysfs interface uses a 0-255 range. Thus the driver should scale the user input down to map it to the device range, and scale up the value read from the device before presenting it to the user. The reserved register nibble should be left unchanged. Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@vger.kernel.org Reviewed-by: Guenter Roeck <linux@roeck-us.net>
2013-12-12hwmon: (w83l786ng) Fix fan speed control mode setting and reportingBrian Carnes1-2/+2
The wrong mask is used, which causes some fan speed control modes (pwmX_enable) to be incorrectly reported, and some modes to be impossible to set. [JD: add subject and description.] Signed-off-by: Brian Carnes <bmcarnes@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Jean Delvare <khali@linux-fr.org>
2013-12-12hwmon: (lm90) Unregister hwmon device if interrupt setup failsGuenter Roeck1-1/+3
Commit 109b1283fb (hwmon: (lm90) Add support to handle IRQ) introduced interrupt support. Its error handling code fails to unregister the already registered hwmon device. Fixes: 109b1283fb532ac773a076748ffccf76a7067cab Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Jean Delvare <khali@linux-fr.org>
2013-12-11sch_tbf: use do_div() for 64-bit divideYang Yingliang1-2/+4
It's doing a 64-bit divide which is not supported on 32-bit architectures in psched_ns_t2l(). The correct way to do this is to use do_div(). It's introduced by commit cc106e441a63 ("net: sched: tbf: fix the calculation of max_size") Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-11udp: ipv4: must add synchronization in udp_sk_rx_dst_set()Eric Dumazet1-6/+16
Unlike TCP, UDP input path does not hold the socket lock. Before messing with sk->sk_rx_dst, we must use a spinlock, otherwise multiple cpus could leak a refcount. This patch also takes care of renewing a stale dst entry. (When the sk->sk_rx_dst would not be used by IP early demux) Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Shawn Bohrer <sbohrer@rgmadvisors.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-11net:fec: remove duplicate lines in comment about errata ERR006358Philippe De Muyter1-4/+0
commit 031916568a1aa2ef1809f86d26f0bcfa215ff5c0 worked around errata ERR006358, but comment contains duplicated lines, impairing the readability. Remove them. Signed-off-by: Philippe De Muyter <phdm@macqel.be> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-11ARM: sun6i: dt: Fix interrupt trigger typesMaxime Ripard1-12/+15
The Allwinner A31 uses the ARM GIC as its internal interrupts controller. The GIC can work on several interrupt triggers, and the A31 was actually setting it up to use a rising edge as a trigger, while it was actually a level high trigger, leading to some interrupts that would be completely ignored if the edge was missed. Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com> Acked-by: Hans de Goede <hdegoede@redhat.com> Cc: stable@vger.kernel.org # 3.12+ Signed-off-by: Olof Johansson <olof@lixom.net>