Mathias Krause [Wed, 15 Aug 2012 11:31:49 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.
Allocate the memory using kzalloc() to fix this issue.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:48 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)
The RFCOMM code fails to initialize the key_size member of struct
bt_security before copying it to userland -- that for leaking one
byte kernel stack. Initialize key_size with 0 to avoid the info
leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:47 +0000 (11:31 +0000)]
Bluetooth: HCI - Fix info leak via getsockname()
The HCI code fails to initialize the hci_channel member of struct
sockaddr_hci and that for leaks two bytes kernel stack via the
getsockname() syscall. Initialize hci_channel with 0 to avoid the
info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:46 +0000 (11:31 +0000)]
Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
The HCI code fails to initialize the two padding bytes of struct
hci_ufilter before copying it to userland -- that for leaking two
bytes kernel stack. Add an explicit memset(0) before filling the
structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:45 +0000 (11:31 +0000)]
atm: fix info leak via getsockname()
The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:44 +0000 (11:31 +0000)]
atm: fix info leak in getsockopt(SO_ATMPVC)
The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
bridge: fix rcu dereference outside of rcu_read_lock
Alternative solution for problem found by Linux Driver Verification
project (linuxtesting.org).
As it noted in the comment before the br_handle_frame_finish
function, this function should be called under rcu_read_lock.
The problem callgraph:
br_dev_xmit -> br_nf_pre_routing_finish_bridge_slow ->
-> br_handle_frame_finish -> br_port_get_rcu -> rcu_dereference
And in this case there is no read-lock section.
Reported-by: Denis Efremov <yefremov.denis@gmail.com> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 15 Aug 2012 00:03:22 +0000 (17:03 -0700)]
Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:
====================
Alexey Khoroshilov provides a potential memory leak in rndis_wlan.
Bob Copeland gives us an ath5k fix for a lockdep problem.
Dan Carpenter fixes a signedness mismatch in at76c50x.
Felix Fietkau corrects a regression caused by an earlier commit that can
lead to an IRQ storm.
Lorenzo Bianconi offers a fix for a bad variable initialization in ath9k
that can cause it to improperly mark decrypted frames.
Rajkumar Manoharan fixes ath9k to prevent the btcoex time from running
when the hardware is asleep.
The remainder are Bluetooth fixes, about which Gustavo says:
"Here goes some fixes for 3.6-rc1, there are a few fix to
thte inquiry code by Ram Malovany, support for 2 new devices,
and few others fixes for NULL dereference, possible deadlock
and a memory leak."
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
addrconf_forward_change() uses RCU iteration over the netdev list,
which is unnecessary since it already holds the RTNL lock. We also
cannot reasonably require netdevice notifier functions not to sleep.
Reported-by: Cong Wang <amwang@redhat.com> Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Mon, 13 Aug 2012 02:50:55 +0000 (02:50 +0000)]
llc: Fix races between llc2 handler use and (un)registration
When registering the handlers, any state they rely on must be
completely initialised first. When unregistering, we must wait until
they are definitely no longer running. llc_rcv() must also avoid
reading the handler pointers again after checking for NULL.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Mon, 13 Aug 2012 02:49:59 +0000 (02:49 +0000)]
llc2: Fix silent failure of llc_station_init()
llc_station_init() creates and processes an event skb with no effect
other than to change the state from DOWN to UP. Allocation failure is
reported, but then ignored by its caller, llc2_init(). Remove this
possibility by simply initialising the state as UP.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Yan, Zheng [Sun, 12 Aug 2012 20:09:59 +0000 (20:09 +0000)]
ipv4: Cache local output routes
Commit caacf05e5ad1abf causes big drop of UDP loop back performance.
The cause of the regression is that we do not cache the local output
routes. Each time we send a datagram from unconnected UDP socket,
the kernel allocates a dst_entry and adds it to the rt_uncached_list.
It creates lock contention on the rt_uncached_lock.
Reported-by: Alex Shi <alex.shi@intel.com> Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Bjørn Mork [Sun, 12 Aug 2012 09:16:31 +0000 (09:16 +0000)]
net: qmi_wwan: add Sierra Wireless devices
Add 6 new devices and one modified device, based on
information from laptop vendor Windows drivers.
Sony provides a driver with two new devices using
a Gobi 2k+ layout (1199:68a5 and 1199:68a9). The
Sony driver also adds a non-standard QMI/net
interface to the already supported 1199:9011
Gobi device. We do not know whether this is an
alternate interface number or an additional
interface which might be present, but that doesn't
really matter.
Lenovo provides a driver supporting 4 new devices:
- MC7770 (1199:901b) with standard Gobi 2k+ layout
- MC7700 (0f3d:68a2) with layout similar to MC7710
- MC7750 (114f:68a2) with layout similar to MC7710
- EM7700 (1199:901c) with layout similar to MC7710
Note regaring the three devices similar to MC7710:
The Windows drivers only support interface #8 on these
devices. The MC7710 can support QMI/net functions on
interface #19 and #20 as well, and this driver is
verified to work on interface #19 (a firmware bug is
suspected to prevent #20 from working).
We do not enable these additional interfaces until they
either show up in a Windows driver or are verified to
work in some other way. Therefore limiting the new
devices to interface #8 for now.
Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: David S. Miller <davem@davemloft.net>
Bjørn Mork [Sun, 12 Aug 2012 09:16:30 +0000 (09:16 +0000)]
net: qmi_wwan: use fixed interface number matching
This driver support many composite USB devices where the
interface class/subclass/protocol provides no information
about the interface function. Interfaces with different
functions may all use ff/ff/ff, like this example of
a device with three serial interfaces and three QMI/wwan
interfaces:
Instead of class/subclass/protocol the vendor use fixed
interface numbers for each function, and the Windows
drivers use these numbers to match driver and function.
The driver has had its own interface number whitelisting
code to simulate this functionality. Replace this with
generic interface number matching now that the USB subsystem
support is there. This
- removes the need for a driver_info structure per
interface number,
- avoids running the probe function for unsupported
interfaces, and
- simplifies the code.
Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: David S. Miller <davem@davemloft.net>
Dirk Gouders [Fri, 10 Aug 2012 01:24:51 +0000 (01:24 +0000)]
netconsole.txt: revision of examples for the receiver of kernel messages
There are at least 4 implementations of netcat with the BSD-based
being the only one that has to be used without the -p switch to
specify the listening port.
Jan Engelhardt suggested to add an example for socat(1).
Signed-off-by: Dirk Gouders <gouders@et.bocholt.fh-gelsenkirchen.de> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:49 +0000 (01:24 +0000)]
netpoll: handle vlan tags in netpoll tx and rx path
Without this patch, I can't get netconsole logs remotely over
vlan. The reason is probably we don't handle vlan tags in either
netpoll tx or rx path.
I am not sure if I use these vlan functions correctly, at
least this patch works.
Cc: Benjamin LaHaise <bcrl@kvack.org> Cc: Patrick McHardy <kaber@trash.net> Cc: David Miller <davem@davemloft.net> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:48 +0000 (01:24 +0000)]
vlan: clean up vlan_dev_hard_start_xmit()
Clean up vlan_dev_hard_start_xmit() function.
Cc: Benjamin LaHaise <bcrl@kvack.org> Cc: Patrick McHardy <kaber@trash.net> Cc: David Miller <davem@davemloft.net> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:47 +0000 (01:24 +0000)]
vlan: clean up some variable names
To be consistent, s/info/vlan/.
Cc: Benjamin LaHaise <bcrl@kvack.org> Cc: Patrick McHardy <kaber@trash.net> Cc: David Miller <davem@davemloft.net> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:45 +0000 (01:24 +0000)]
netpoll: check netpoll tx status on the right device
Although this doesn't matter actually, because netpoll_tx_running()
doesn't use the parameter, the code will be more readable.
For team_dev_queue_xmit() we have to move it down to avoid
compile errors.
Cc: David Miller <davem@davemloft.net> Signed-off-by: Jiri Pirko <jiri@resnulli.us> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:44 +0000 (01:24 +0000)]
bridge: use list_for_each_entry() in netpoll functions
We don't delete 'p' from the list in the loop,
so we can just use list_for_each_entry().
Cc: David Miller <davem@davemloft.net> Cc: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:43 +0000 (01:24 +0000)]
bridge: add some comments for NETDEV_RELEASE
Add comments on why we don't notify NETDEV_RELEASE.
Cc: David Miller <davem@davemloft.net> Cc: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:40 +0000 (01:24 +0000)]
netpoll: take rcu_read_lock_bh() in netpoll_rx()
In __netpoll_rx(), it dereferences ->npinfo without rcu_dereference_bh(),
this patch fixes it by using the 'npinfo' passed from netpoll_rx()
where it is already dereferenced with rcu_dereference_bh().
Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:38 +0000 (01:24 +0000)]
netpoll: make __netpoll_cleanup non-block
Like the previous patch, slave_disable_netpoll() and __netpoll_cleanup()
may be called with read_lock() held too, so we should make them
non-block, by moving the cleanup and kfree() to call_rcu_bh() callbacks.
Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Fri, 10 Aug 2012 01:24:37 +0000 (01:24 +0000)]
netpoll: use GFP_ATOMIC in slave_enable_netpoll() and __netpoll_setup()
slave_enable_netpoll() and __netpoll_setup() may be called
with read_lock() held, so should use GFP_ATOMIC to allocate
memory. Eric suggested to pass gfp flags to __netpoll_setup().
Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 14 Aug 2012 04:58:59 +0000 (07:58 +0300)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 patches from Martin Schwidefsky:
"Included are bug fixes and a patch to enable system call filtering
with BPF."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/compat: fix mmap compat system calls
s390/compat: fix compat wrappers for process_vm system calls
s390: do not clobber personality flags in sys_32_personality()
s390/seccomp: add support for system call filtering using BPF
s390/sclp_sdias: Add missing break and "fall through"
s390/mm: remove MAX_PHYSADDR_BITS define
Linus Torvalds [Tue, 14 Aug 2012 04:52:41 +0000 (07:52 +0300)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Radeon and intel fixes mostly, one fix to the mgag200 driver to not
hang on certain server variants."
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (32 commits)
drm/radeon: fix typo in function header comment
drm/radeon/kms: implement timestamp userspace query (v2)
drm/radeon/kms: add MSAA texture support for r600-evergreen
drm/radeon/kms: reorder code in r600_check_texture_resource
drm/radeon: fence virtual address and free it once idle v4
drm/radeon: fix some missing parens in asic macros
drm/radeon: add some new SI pci ids
drm/radeon: fix ordering in pll picking on dce4+
drm/radeon: do not reenable crtc after moving vram start address
drm/radeon: fix bank tiling parameters on cayman
drm/radeon: fix bank tiling parameters on evergreen
drm/radeon: fix bank tiling parameters on SI
drm/radeon: properly handle crtc powergating
drm/radeon: properly handle SS overrides on TN (v2)
drm/radeon/dce4+: set a more reasonable cursor watermark
drm/radeon: fix handling for ddc type 5 on combios
drm/mgag200: fix G200ER pll picking algorithm
drm/edid: Fix potential memory leak in edid_load()
drm/udl: Use ERR_CAST inlined function instead of ERR_PTR(PTR_ERR(.. [1]
drm/radeon/kms: allow "invalid" DB formats as a means to disable DB
...
Arnd Bergmann [Mon, 13 Aug 2012 14:36:10 +0000 (14:36 +0000)]
GPIO: gpio-pxa: fix building without CONFIG_OF
Commit 7212157267 ("GPIO: gpio-pxa: fix devicetree functions") added an
"xlate" function pointer to the irq_domain_ops, but this function is nor
declared or defined anywhere when CONFIG_OF is disabled, causing the
build error:
drivers/gpio/gpio-pxa.c:532:11: error: 'irq_domain_xlate_twocell' undeclared here (not in a function)
Extending the DT-only code section to cover the irq_domain_ops and the
pxa_gpio_dt_ids solves this problem and makes it clearer which code is
actually used without DT.
Dave Airlie [Mon, 13 Aug 2012 23:25:01 +0000 (09:25 +1000)]
Merge branch 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Alex Deucher writes:
This is the current set of radeon fixes for 3.6. Nothing too major.
Highlights:
- various display fixes
- some SI fixes
- new SI pci ids
- major VM fix
- CS checker support for MSAA
I've tested on a number of cards across generations and noticed no problems.
* 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux:
drm/radeon: fix typo in function header comment
drm/radeon/kms: implement timestamp userspace query (v2)
drm/radeon/kms: add MSAA texture support for r600-evergreen
drm/radeon/kms: reorder code in r600_check_texture_resource
drm/radeon: fence virtual address and free it once idle v4
drm/radeon: fix some missing parens in asic macros
drm/radeon: add some new SI pci ids
drm/radeon: fix ordering in pll picking on dce4+
drm/radeon: do not reenable crtc after moving vram start address
drm/radeon: fix bank tiling parameters on cayman
drm/radeon: fix bank tiling parameters on evergreen
drm/radeon: fix bank tiling parameters on SI
drm/radeon: properly handle crtc powergating
drm/radeon: properly handle SS overrides on TN (v2)
drm/radeon/dce4+: set a more reasonable cursor watermark
drm/radeon: fix handling for ddc type 5 on combios
Bob Copeland [Mon, 13 Aug 2012 01:18:33 +0000 (21:18 -0400)]
ath5k: fix spin_lock_irqsave/spin_lock_bh nesting in mesh
Lockdep found an inconsistent lock state when joining a mesh with
ath5k. The problem is that ath5k takes the lock for its beacon state,
ah->block, with spin_lock_irqsave(), while mesh internally takes the
sync_offset_lock with spin_lock_bh() in mesh_sync_offset_adjust_tbtt(),
which in turn is called under ah->block.
This could deadlock if the beacon tasklet was run on the processor
that held the beacon lock during the do_softirq() in spin_unlock_bh().
We probably shouldn't hold the lock around the callbacks, but the
easiest fix is to switch to spin_lock_bh for ah->block: it doesn't
need interrupts disabled anyway as the data in question is only accessed
in softirq or process context.
Lorenzo Bianconi [Fri, 10 Aug 2012 09:00:24 +0000 (11:00 +0200)]
ath9k: fix decrypt_error initialization in ath_rx_tasklet()
ath_rx_tasklet() calls ath9k_rx_skb_preprocess() and ath9k_rx_skb_postprocess()
in a loop over the received frames. The decrypt_error flag is
initialized to false
just outside ath_rx_tasklet() loop. ath9k_rx_accept(), called by
ath9k_rx_skb_preprocess(),
only sets decrypt_error to true and never to false.
Then ath_rx_tasklet() calls ath9k_rx_skb_postprocess() and passes
decrypt_error to it.
So, after a decryption error, in ath9k_rx_skb_postprocess(), we can
have a leftover value
from another processed frame. In that case, the frame will not be marked with
RX_FLAG_DECRYPTED even if it is decrypted correctly.
When using CCMP encryption this issue can lead to connection stuck
because of CCMP
PN corruption and a waste of CPU time since mac80211 tries to decrypt an already
deciphered frame with ieee80211_aes_ccm_decrypt.
Fix the issue initializing decrypt_error flag at the begging of the
ath_rx_tasklet() loop.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com> Cc: <stable@kernel.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Jerome Glisse [Mon, 6 Aug 2012 16:32:21 +0000 (12:32 -0400)]
drm/radeon: fence virtual address and free it once idle v4
Virtual address need to be fenced to know when we can safely remove it.
This patch also properly clear the pagetable. Previously it was
serouisly broken.
Kernel 3.5/3.4 need a similar patch but adapted for difference in mutex locking.
v2: For to update pagetable when unbinding bo (don't bailout if
bo_va->valid is true).
v3: Add kernel 3.5/3.4 comment.
v4: Fix compilation warnings.
Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
drm/radeon: do not reenable crtc after moving vram start address
It seems we can not update the crtc scanout address. After disabling
crtc, update to base address do not take effect after crtc being
reenable leading to at least frame being scanout from the old crtc
base address. Disabling crtc display request lead to same behavior.
So after changing the vram address if we don't keep crtc disabled
we will have the GPU trying to read some random system memory address
with some iommu this will broke the crtc engine and will lead to
broken display and iommu error message.
So to avoid this, disable crtc. For flicker less boot we will need
to avoid moving the vram start address.
Alex Deucher [Thu, 26 Jul 2012 17:38:52 +0000 (13:38 -0400)]
drm/radeon: properly handle crtc powergating
Need to make sure the crtc is gated on before modesetting.
Explicitly gate the crtc on in prepare() and set a flag
so that the dpms functions don't gate it off during
mode set.
Noticed by sylware on IRC.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org
Arnd Bergmann [Wed, 8 Aug 2012 21:27:58 +0000 (05:27 +0800)]
leds: renesas: fix error handling
bfe4c041 "leds: convert Renesas TPU LED driver to devm_kzalloc() and
cleanup error exit path" introduced a possible case in which r_tpu_probe
calls iounmap on a wild pointer. This changes the one case that was
missed in the same way as the other error paths.
Without this patch, building kota2_defconfig results in:
drivers/leds/leds-renesas-tpu.c: In function 'r_tpu_probe':
drivers/leds/leds-renesas-tpu.c:246:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
drivers/leds/leds-renesas-tpu.c:308:17: warning: 'p' may be used uninitialized in this function [-Wuninitialized]
Pull networking changes from David Miller:
"Most importantly this should cure the ipv4-mapped ipv6 socket TCP
crashes some people were seeing, otherwise:
1) Fix e1000e autonegotiation handling regression, from Tushar Dave.
2) Fix TX data corruption race on e1000e down, also from Tushar Dave.
3) Fix bfin_sir IRDA driver build, from Sonic Zhang.
4) AF_PACKET mmap() tests a flag in the TX ring shared between
userspace and the kernel for an internal consistency check. It
really shouldn't do this to validate the kernel's own behavior
because the user can corrupt it to be any value at all. From
Daniel Borkmann.
5) Fix TCP metrics leak on netns dismantle, from Eric Dumazet.
6) Orphan the anonymous TCP socket from the SKB in
ip_send_unicast_reply() so that the rest of the stack needn't see
it. Otherwise we get selinux problems of all sorts, from Eric
Dumazet.
This is the best way to fix this since the socket is just a place
holder for sending packets in a context where we have no real
socket at all.
7) Fix TUN detach crashes, from Stanislav Kinsbursky.
8) dev_set_alias() leaks memory on krealloc() failure, from Alexey
Khoroshilov.
9) FIB trie must use call_rcu() not call_rcu_bh(), because this code
is not universally invoked from software interrupts. From Eric
Dumazet.
10) PPTP looks up ipv4 routes with the wrong network namespace, fix
from Gao Feng."
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits)
bnx2x: Fix compiler warnings
af_packet: remove BUG statement in tpacket_destruct_skb
macvtap: rcu_dereference outside read-lock section
codel: refine one condition to avoid a nul rec_inv_sqrt
ixgbe: add missing braces
ipv4: fix ip_send_skb()
net: tcp: ipv6_mapped needs sk_rx_dst_set method
ipv4: tcp: unicast_sock should not land outside of TCP stack
bnx2x: Fix recovery flow cleanup during probe
bnx2x: fix unload previous driver flow when flr-capable
tun: don't zeroize sock->file on detach
igb: Fix register defines for all non-82575 hardware
e1000e: fix panic while dumping packets on Tx hang with IOMMU
igb: fix panic while dumping packets on Tx hang with IOMMU
tcp: must free metrics at net dismantle
net/stmmac: mark probe function as __devinit
lpc_eth: remove obsolete ifdefs
net/core: Fix potential memory leak in dev_set_alias()
cdc-phonet: Don't leak in usbpn_open
batman-adv: Fix mem leak in the batadv_tt_local_event() function
...
Linus Torvalds [Mon, 13 Aug 2012 05:40:51 +0000 (08:40 +0300)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
Pull tcm_vhost level target fabric driver from Nicholas Bellinger:
"Here is the PULL request for the initial merge of tcm_vhost based on
RFC-v5 code with MST's ACK appended to the initial merge commit."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
tcm_vhost: Initial merge for vhost level target fabric driver
Joren Van Onder [Sat, 11 Aug 2012 17:10:35 +0000 (17:10 +0000)]
bnx2x: Fix compiler warnings
Fix the following compiler warnings:
- drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c:2908:3: warning: comparison
of distinct pointer types lacks a cast [enabled by default]
- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c:1709:7: warning: comparison
of distinct pointer types lacks a cast [enabled by default]
Signed-off-by: Joren Van Onder <joren.vanonder@gmail.com> Acked-By: Yuval Mintz <yuvalmin@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
af_packet: remove BUG statement in tpacket_destruct_skb
Here's a quote of the comment about the BUG macro from asm-generic/bug.h:
Don't use BUG() or BUG_ON() unless there's really no way out; one
example might be detecting data structure corruption in the middle
of an operation that can't be backed out of. If the (sub)system
can somehow continue operating, perhaps with reduced functionality,
it's probably not BUG-worthy.
If you're tempted to BUG(), think again: is completely giving up
really the *only* solution? There are usually better options, where
users don't need to reboot ASAP and can mostly shut down cleanly.
In our case, the status flag of a ring buffer slot is managed from both sides,
the kernel space and the user space. This means that even though the kernel
side might work as expected, the user space screws up and changes this flag
right between the send(2) is triggered when the flag is changed to
TP_STATUS_SENDING and a given skb is destructed after some time. Then, this
will hit the BUG macro. As David suggested, the best solution is to simply
remove this statement since it cannot be used for kernel side internal
consistency checks. I've tested it and the system still behaves /stable/ in
this case, so in accordance with the above comment, we should rather remove it.
Signed-off-by: Daniel Borkmann <daniel.borkmann@tik.ee.ethz.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
rcu_dereference occurs in update section. Replacement by
rcu_dereference_protected in order to prevent lockdep
complaint.
Found by Linux Driver Verification project (linuxtesting.org)
Signed-off-by: Denis Efremov <yefremov.denis@gmail.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 12 Aug 2012 18:45:33 +0000 (21:45 +0300)]
Merge tag 'gpio-fixes-v3.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull gpio fixes from Linus Walleij:
- Fix a resource leak in the SCH driver
- Fix the register address calculation in the MSIC driver
- Fix the PXA driver's devicetree functions
- Delete redundant shadow variable leftovers in the MXC driver
- Specify the GPIO base for the device tree probe in the MXC driver
- Add a modalias for the i.MX driver
- Fix off-by-one bug in the Samsung driver
- Fix erroneous errorpath in the Langwell driver
* tag 'gpio-fixes-v3.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
drivers/gpio/gpio-langwell.c: fix error return code
gpio: samsung: Fix off-by-one bug in gpio addresses
ARM: dts: imx: add alias for gpio
gpio/mxc: specify gpio base for device tree probe
gpio/mxc: remove redundant shadow variables initialization
GPIO: gpio-pxa: fix devicetree functions
gpio: msic: Fix calculating register address in msic_gpio_to_oreg()
gpio-sch: Fix leak of resource
Linus Torvalds [Sun, 12 Aug 2012 18:34:09 +0000 (21:34 +0300)]
Merge tag 'pm-for-3.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael J. Wysocki:
- Fix for two recent regressions in the generic PM domains framework.
- Revert of a commit that introduced a resume regression and is
conceptually incorrect in my opinion.
- Fix for a return value in pcc-cpufreq.c from Julia Lawall.
- RTC wakeup signaling fix from Neil Brown.
- Suppression of compiler warnings for CONFIG_PM_SLEEP unset in ACPI,
platform/x86 and TPM drivers.
* tag 'pm-for-3.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
tpm_tis / PM: Fix unused function warning for CONFIG_PM_SLEEP
platform / x86 / PM: Fix unused function warnings for CONFIG_PM_SLEEP
ACPI / PM: Fix unused function warnings for CONFIG_PM_SLEEP
Revert "NMI watchdog: fix for lockup detector breakage on resume"
PM: Make dev_pm_get_subsys_data() always return 0 on success
drivers/cpufreq/pcc-cpufreq.c: fix error return code
RTC: Avoid races between RTC alarm wakeup and suspend.
Linus Torvalds [Sun, 12 Aug 2012 18:31:44 +0000 (21:31 +0300)]
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull arm-soc bug fixes from Arnd Bergmann:
"These are a bunch of bug fixes that came in after the merge window and
one update for the MAINTAINERS file.
The largest part of the fixes are patches that address bugs found by
building all the ARM defconfig files. There are a lot more warnings
that we have patches for, but the others are either still under
discussion or are harmless and do not cause actual problems besides
making the build slightly noisy."
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (30 commits)
ARM: davinci: remove broken ntosd2_init_i2c
ARM: s3c24xx: enable CONFIG_BUG for tct_hammer
omap-rng: fix use of SIMPLE_DEV_PM_OPS
spi/s3c64xx: improve error handling
mtd/omap2: fix dmaengine_slave_config error handling
gpio: em: do not discard em_gio_irq_domain_cleanup
ARM: exynos: exynos_pm_add_dev_to_genpd may be unused
ARM: imx: gpmi-nand depends on mxs-dma
ARM: integrator: include <linux/export.h>
ARM: s3c24xx: use new PWM driver
ARM: sa1100: include linux/io.h in hackkit leds code
Input: eeti_ts: pass gpio value instead of IRQ
ARM: pxa: remove irq_to_gpio from ezx-pcap driver
ARM: tegra: more regulator fixes for Harmony
usb/ohci-omap: remove unused variable
mfd/asic3: fix asic3_mfd_probe return value
ARM: kirkwood: fix typo in Makefile.boot
i.MX27: Fix emma-prp and csi clocks.
ARM: integrator: use clk_prepare_enable() for timer
MAINTAINERS: update entry for Linus Walleij
...
Jeff Mahoney [Fri, 10 Aug 2012 19:07:09 +0000 (15:07 -0400)]
printk: Fix calculation of length used to discard records
While tracking down a weird buffer overflow issue in a program that
looked to be sane, I started double checking the length returned by
syslog(SYSLOG_ACTION_READ_ALL, ...) to make sure it wasn't overflowing
the buffer.
It turns out that the loops that calculate how much space the entries
will take when they're copied don't include the newlines and prefixes
that will be included in the final output since prev flags is passed as
zero.
This patch properly accounts for it and fixes the overflow.
CC: stable@kernel.org Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Eric Dumazet [Sun, 29 Jul 2012 20:52:21 +0000 (20:52 +0000)]
codel: refine one condition to avoid a nul rec_inv_sqrt
One condition before codel_Newton_step() was not good if
we never left the dropping state for a flow. As a result
rec_inv_sqrt was 0, instead of the ~0 initial value.
codel control law was then set to a very aggressive mode, dropping
many packets before reaching 'target' and recovering from this problem.
To keep codel_vars_init() as efficient as possible, refine
the condition to make sure rec_inv_sqrt initial value is correct
Many thanks to Anton Mich for discovering the issue and suggesting
a fix.
Reported-by: Anton Mich <lp2s1h@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Emil Tantilov [Fri, 10 Aug 2012 07:35:14 +0000 (07:35 +0000)]
ixgbe: add missing braces
This patch adds missing braces around the 10gig link check to include the check for KR support.
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Reported-by: Sascha Wildner <saw@online.de> Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com> Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 10 Aug 2012 23:26:41 +0000 (16:26 -0700)]
Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:
====================
Here is a handful of fixes intended for 3.6.
Daniel Drake offers a cfg80211 fix to consume pending events before
taking a wireless device down. This prevents a resource leak.
Stanislaw Gruszka gives us a fix for a NULL pointer dereference in
rt61pci.
Johannes Berg provides an iwlwifi patch to disable "greenfield" mode.
Use of that mode was causing a rate scaling problem in for iwlwifi.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
During suspend, the device will be moved to FULLSLEEP state.
As btcoex is never been stopped, the btcoex timer is running
and tries to access hw on fullsleep state. Fix that.
Cc: stable@vger.kernel.org Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dan Carpenter [Thu, 9 Aug 2012 06:57:30 +0000 (09:57 +0300)]
wireless: at76c50x: signedness bug in at76_dfu_get_state()
This return holds the number of bytes transfered (1 byte) or a negative
error code. The type should be int instead of u8.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
rndis_wlan: Fix potential memory leak in update_pmkid()
Do not leak memory by updating pointer with potentially NULL realloc return value.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 8 Aug 2012 14:25:03 +0000 (16:25 +0200)]
ath9k: fix interrupt storms on queued hardware reset
commit b74713d04effbacd3d126ce94cec18742187b6ce
"ath9k: Handle fatal interrupts properly" introduced a race condition, where
IRQs are being left enabled, however the irq handler returns IRQ_HANDLED
while the reset is still queued without addressing the IRQ cause.
This leads to an IRQ storm that prevents the system from even getting to
the reset code.
Fix this by disabling IRQs in the handler without touching intr_ref_cnt.
Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Cc: Sujith Manoharan <c_manoha@qca.qualcomm.com> Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
tpm_tis / PM: Fix unused function warning for CONFIG_PM_SLEEP
According to a compiler warning, the tpm_tis_resume() function is not
used for CONFIG_PM_SLEEP unset, so add a #ifdef to prevent it from
being built in that case.
platform / x86 / PM: Fix unused function warnings for CONFIG_PM_SLEEP
According to compiler warnings, quite some suspend/resume functions
in platform x86 drivers are not used for CONFIG_PM_SLEEP unset, so
add #ifdefs to prevent them from being built in that case.
ACPI / PM: Fix unused function warnings for CONFIG_PM_SLEEP
According to compiler warnings, several suspend/resume functions
in ACPI drivers are not used for CONFIG_PM_SLEEP unset, so add
#ifdefs to prevent them from being built in that case.
ntosd2_init_i2c walks the ntosd2_i2c_info array, which it expects to
be populated with at least one member. gcc correctly warns about
the out-of-bounds access here.
Since this can not possibly work, it's better to disable i2c
support entirely on this board.
Without this patch, building davinci_all_defconfig results in:
arch/arm/mach-davinci/board-neuros-osd2.c: In function 'davinci_ntosd2_init':
arch/arm/mach-davinci/board-neuros-osd2.c:187:20: warning: array subscript is above array bounds [-Warray-bounds]
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Sekhar Nori <nsekhar@ti.com> Cc: Kevin Hilman <khilman@ti.com> Cc: Andrey Porodko <panda@chelcom.ru>
Arnd Bergmann [Thu, 3 May 2012 12:47:54 +0000 (12:47 +0000)]
ARM: s3c24xx: enable CONFIG_BUG for tct_hammer
Disabling CONFIG_BUG creates an insane amount of build warnings, which
makes it useless to check for building defconfigs to see if new
warnings show up.
Without this patch, building tct_hammer_defconfig results in:
net/packet/af_packet.c: In function 'tpacket_rcv':
net/packet/af_packet.c:1889:30: warning: 'hdrlen' may be used uninitialized in this function [-Wuninitialized]
net/core/ethtool.c: In function 'ethtool_get_feature_mask':
net/core/ethtool.c:213:1: warning: control reaches end of non-void function [-Wreturn-type]
block/cfq-iosched.c: In function 'cfq_async_queue_prio':
block/cfq-iosched.c:2914:1: warning: control reaches end of non-void function [-Wreturn-type]
mm/bootmem.c: In function 'mark_bootmem':
mm/bootmem.c:352:1: warning: control reaches end of non-void function [-Wreturn-type]
net/core/dev.c: In function 'skb_warn_bad_offload':
net/core/dev.c:1904:33: warning: unused variable 'null_features' [-Wunused-variable]
drivers/mtd/chips/cfi_probe.c: In function 'cfi_chip_setup':
include/linux/mtd/cfi.h:489:3: warning: 'r.x[0]' may be used uninitialized in this function [-Wuninitialized]
include/linux/mtd/map.h:394:11: note: 'r.x[0]' was declared here
include/linux/mtd/cfi.h:489:3: warning: 'r.x[0]' may be used uninitialized in this function [-Wuninitialized]
(and many more)
The size of vmlinux increases by 1.78% because of this:
size obj-arm/vmlinux.nobug
text data bss dec hex filename 2108474 116916 55352 2280742 22cd26 obj-arm/vmlinux
size obj-arm/vmlinux.bug
text data bss dec hex filename 2150804 116916 53696 2321416 236c08 obj-arm/vmlinux
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Kukjin Kim <kgene.kim@samsung.com> Cc: Ben Dooks <ben-linux@fluff.org>
Arnd Bergmann [Fri, 10 Aug 2012 10:28:57 +0000 (12:28 +0200)]
Merge branch 'testing/new-warnings' into fixes
These patches all fix bugs that were newly introduced in v3.6-rc1
and found because they cause a gcc warning with one of the ARM
defconfigs. Most of them are harmless, but since we're trying
to get rid of all warnings eventually, we can start with the ones
that were not there before.
* testing/new-warnings:
omap-rng: fix use of SIMPLE_DEV_PM_OPS
spi/s3c64xx: improve error handling
mtd/omap2: fix dmaengine_slave_config error handling
gpio: em: do not discard em_gio_irq_domain_cleanup
ARM: exynos: exynos_pm_add_dev_to_genpd may be unused
usb/ohci-omap: remove unused variable
mfd/asic3: fix asic3_mfd_probe return value
Arnd Bergmann [Sat, 4 Aug 2012 07:11:34 +0000 (07:11 +0000)]
omap-rng: fix use of SIMPLE_DEV_PM_OPS
omap_rng_suspend and omap_rng_resume are unused if CONFIG_PM is enabled
but CONFIG_PM_SLEEP is disabled. I found this while building all defconfig
files on ARM. It's not clear to me if this is the right solution, but
at least it makes the code consistent again.
Without this patch, building omap1_defconfig results in:
drivers/char/hw_random/omap-rng.c:165:12: warning: 'omap_rng_suspend' defined but not used [-Wunused-function]
drivers/char/hw_random/omap-rng.c:171:12: warning: 'omap_rng_resume' defined but not used [-Wunused-function]
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Kevin Hilman <khilman@ti.com> Cc: Rafael J. Wysocki <rjw@sisk.pl> Cc: Herbert Xu <herbert@gondor.apana.org.au>
Arnd Bergmann [Sat, 4 Aug 2012 11:18:20 +0000 (11:18 +0000)]
spi/s3c64xx: improve error handling
When a device tree definition os an s3c64xx SPI master is missing
a "controller-data" subnode, the newly added s3c64xx_get_slave_ctrldata
function might use uninitialized memory in place of that node,
which was correctly reported by gcc.
Without this patch, building s3c6400_defconfig results in:
drivers/spi/spi-s3c64xx.c: In function 's3c64xx_get_slave_ctrldata.isra.25':
drivers/spi/spi-s3c64xx.c:841:5: warning: 'data_np' may be used uninitialized in this function [-Wuninitialized]
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Abraham <thomas.abraham@linaro.org> Acked-by: Kukjin Kim <kgene.kim@samsung.com> Cc: Jaswinder Singh <jaswinder.singh@linaro.org> Cc: Grant Likely <grant.likely@secretlab.ca>
The newly added dmaengine support in the omap2 nand driver
potentially causes an undefined return value from the
omap_nand_probe function when dmaengine_slave_config
reports an error. Let's handle this by returning the
same error back to the caller.
Without this patch, building omap2plus_defconfig results in:
drivers/mtd/nand/omap2.c: In function 'omap_nand_probe':
drivers/mtd/nand/omap2.c:1154:6: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Russell King <rmk+kernel@arm.linux.org.uk> Cc: Grazvydas Ignotas <notasas@gmail.com>
Arnd Bergmann [Sat, 4 Aug 2012 10:33:24 +0000 (10:33 +0000)]
gpio: em: do not discard em_gio_irq_domain_cleanup
The newly added gpio-em driver marks its em_gio_irq_domain_cleanup
function as __devexit, which would lead to that function being
discarded in case CONFIG_HOTPLUG is disabled. However, the function
is also called by the error handling logic em_gio_probe, which
would cause a jump into a NULL pointer if it was removed from the
kernel or module.
Without this patch, building kzm9d_defconfig results in:
WARNING: drivers/gpio/built-in.o(.devinit.text+0x330): Section mismatch in reference from the function em_gio_probe() to the function .devexit.text:em_gio_irq_domain_cleanup()
The function __devinit em_gio_probe() references
a function __devexit em_gio_irq_domain_cleanup().
This is often seen when error handling in the init function
uses functionality in the exit path.
The fix is often to remove the __devexit annotation of
em_gio_irq_domain_cleanup() so it may be used outside an exit section.
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Magnus Damm <damm@opensource.se> Cc: Linus Walleij <linus.walleij@linaro.org> Cc: Rafael J. Wysocki <rjw@sisk.pl>
Arnd Bergmann [Sat, 4 Aug 2012 10:28:33 +0000 (10:28 +0000)]
ARM: exynos: exynos_pm_add_dev_to_genpd may be unused
exynos_pm_add_dev_to_genpd is used if one or more out of a large
number of Kconfig symbols are enabled. However the new
exynos_defconfig selects none of those, so the function becomes
unused. Marking it so lets the compiler automatically discard
it.
Without this patch, building exynos_defconfig results in:
arch/arm/mach-exynos/pm_domains.c:118:123: warning: 'exynos_pm_add_dev_to_genpd' defined but not used [-Wunused-function]
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Abraham <thomas.abraham@linaro.org> Acked-by: Kukjin Kim <kgene.kim@samsung.com> Cc: Rafael J. Wysocki <rjw@sisk.pl>
Kees Cook [Fri, 10 Aug 2012 02:01:26 +0000 (19:01 -0700)]
Yama: higher restrictions should block PTRACE_TRACEME
The higher ptrace restriction levels should be blocking even
PTRACE_TRACEME requests. The comments in the LSM documentation are
misleading about when the checks happen (the parent does not go through
security_ptrace_access_check() on a PTRACE_TRACEME call).
Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org # 3.5.x and later Signed-off-by: James Morris <james.l.morris@oracle.com>
Fix this using inet_sk_rx_dst_set(), and export this function in case
IPv6 is modular.
Reported-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>