summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2013-04-07tipc: fix info leaks via msg_name in recv_msg/recv_streamMathias Krause
The code in set_orig_addr() does not initialize all of the members of struct sockaddr_tipc when filling the sockaddr info -- namely the union is only partly filled. This will make recv_msg() and recv_stream() -- the only users of this function -- leak kernel stack memory as the msg_name member is a local variable in net/socket.c. Additionally to that both recv_msg() and recv_stream() fail to update the msg_namelen member to 0 while otherwise returning with 0, i.e. "success". This is the case for, e.g., non-blocking sockets. This will lead to a 128 byte kernel stack leak in net/socket.c. Fix the first issue by initializing the memory of the union with memset(0). Fix the second one by setting msg_namelen to 0 early as it will be updated later if we're going to fill the msg_name member. Cc: Jon Maloy <jon.maloy@ericsson.com> Cc: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07rose: fix info leak via msg_name in rose_recvmsg()Mathias Krause
The code in rose_recvmsg() does not initialize all of the members of struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info. Nor does it initialize the padding bytes of the structure inserted by the compiler for alignment. This will lead to leaking uninitialized kernel stack bytes in net/socket.c. Fix the issue by initializing the memory used for sockaddr info with memset(0). Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()Mathias Krause
The code in llcp_sock_recvmsg() does not initialize all the members of struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it initialize the padding bytes of the structure inserted by the compiler for alignment. Also, if the socket is in state LLCP_CLOSED or is shutting down during receive the msg_namelen member is not updated to 0 while otherwise returning with 0, i.e. "success". The msg_namelen update is also missing for stream and seqpacket sockets which don't fill the sockaddr info. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix the first issue by initializing the memory used for sockaddr info with memset(0). Fix the second one by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org> Cc: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07netrom: fix info leak via msg_name in nr_recvmsg()Mathias Krause
In case msg_name is set the sockaddr info gets filled out, as requested, but the code fails to initialize the padding bytes of struct sockaddr_ax25 inserted by the compiler for alignment. Also the sax25_ndigis member does not get assigned, leaking four more bytes. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix both issues by initializing the memory with memset(0). Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07llc: Fix missing msg_namelen update in llc_ui_recvmsg()Mathias Krause
For stream sockets the code misses to update the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. The msg_namelen update is also missing for datagram sockets in case the socket is shutting down during receive. Fix both issues by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07l2tp: fix info leak in l2tp_ip6_recvmsg()Mathias Krause
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack in l2tp_ip6_recvmsg() in case msg_name is set. Initialize l2tp_conn_id with 0 to avoid the info leak. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()Mathias Krause
The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about iucv_sock_recvmsg() not filling the msg_name in case it was set. Cc: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07irda: Fix missing msg_namelen update in irda_recvmsg_dgram()Mathias Krause
The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about irda_recvmsg_dgram() not filling the msg_name in case it was set. Cc: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()Mathias Krause
The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about caif_seqpkt_recvmsg() not filling the msg_name in case it was set. Cc: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()Mathias Krause
If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in the flags, sco_sock_recvmsg() returns early with 0 without updating the possibly set msg_namelen member. This, in turn, leads to a 128 byte kernel stack leak in net/socket.c. Fix this by updating msg_namelen in this case. For all other cases it will be handled in bt_sock_recvmsg(). Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()Mathias Krause
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns early with 0 without updating the possibly set msg_namelen member. This, in turn, leads to a 128 byte kernel stack leak in net/socket.c. Fix this by updating msg_namelen in this case. For all other cases it will be handled in bt_sock_stream_recvmsg(). Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Bluetooth: fix possible info leak in bt_sock_recvmsg()Mathias Krause
In case the socket is already shutting down, bt_sock_recvmsg() returns with 0 without updating msg_namelen leading to net/socket.c leaking the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix this by moving the msg_namelen assignment in front of the shutdown test. Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07ax25: fix info leak via msg_name in ax25_recvmsg()Mathias Krause
When msg_namelen is non-zero the sockaddr info gets filled out, as requested, but the code fails to initialize the padding bytes of struct sockaddr_ax25 inserted by the compiler for alignment. Additionally the msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is not always filled up to this size. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix both issues by initializing the memory with memset(0). Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07atm: update msg_namelen in vcc_recvmsg()Mathias Krause
The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about vcc_recvmsg() not filling the msg_name in case it was set. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07ipv6/tcp: Stop processing ICMPv6 redirect messagesChristoph Paasch
Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske <tetja@tetja.de> Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds
Pull networking fixes from David Miller: 1) Fix erroneous sock_orphan() leading to crashes and double kfree_skb() in NFC protocol. From Thierry Escande and Samuel Ortiz. 2) Fix use after free in remain-on-channel mac80211 code, from Johannes Berg. 3) nf_reset() needs to reset the NF tracing cookie, otherwise we can leak it from one namespace into another. Fix from Gao Feng and Patrick McHardy. 4) Fix overflow in channel scanning array of mwifiex driver, from Stone Piao. 5) Fix loss of link after suspend/shutdown in r8169, from Hayes Wang. 6) Synchronization of unicast address lists to the undelying device doesn't work because whether to sync is maintained as a boolean rather than a true count. Fix from Vlad Yasevich. 7) Fix corruption of TSO packets in atl1e by limiting the segmented packet length. From Hannes Frederic Sowa. 8) Revert bogus AF_UNIX credential passing change and fix the coalescing issue properly, from Eric W Biederman. 9) Changes of ipv4 address lifetime settings needs to generate a notification, from Jiri Pirko. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (22 commits) netfilter: don't reset nf_trace in nf_reset() net: ipv4: notify when address lifetime changes ixgbe: fix registration order of driver and DCA nofitication af_unix: If we don't care about credentials coallesce all messages Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" bonding: remove sysfs before removing devices atl1e: limit gso segment size to prevent generation of wrong ip length fields net: count hw_addr syncs so that unsync works properly. r8169: fix auto speed down issue netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths mwifiex: limit channel number not to overflow memory NFC: microread: Fix build failure due to a new MEI bus API iwlwifi: dvm: fix the passive-no-RX workaround netfilter: nf_conntrack: fix error return code NFC: llcp: Keep the connected socket parent pointer alive mac80211: fix idle handling sequence netfilter: nfnetlink_acct: return -EINVAL if object name is empty netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() netfilter: reset nf_trace in nf_reset mac80211: fix remain-on-channel cancel crash ...
2013-04-05netfilter: don't reset nf_trace in nf_reset()Patrick McHardy
Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code to reset nf_trace in nf_reset(). This is wrong and unnecessary. nf_reset() is used in the following cases: - when passing packets up the the socket layer, at which point we want to release all netfilter references that might keep modules pinned while the packet is queued. nf_trace doesn't matter anymore at this point. - when encapsulating or decapsulating IPsec packets. We want to continue tracing these packets after IPsec processing. - when passing packets through virtual network devices. Only devices on that encapsulate in IPv4/v6 matter since otherwise nf_trace is not used anymore. Its not entirely clear whether those packets should be traced after that, however we've always done that. - when passing packets through virtual network devices that make the packet cross network namespace boundaries. This is the only cases where we clearly want to reset nf_trace and is also what the original patch intended to fix. Add a new function nf_reset_trace() and use it in dev_forward_skb() to fix this properly. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linusLinus Torvalds
Pull MIPS fixes from Ralf Baechle: "Fixes for a number of small glitches in various corners of the MIPS tree. No particular areas is standing out. With this applied all MIPS defconfigs are building fine. No merge conflicts are expected." * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: Delete definition of SA_RESTORER. MIPS: Fix ISA level which causes secondary cache init bypassing and more MIPS: Fix build error cavium-octeon without CONFIG_SMP MIPS: Kconfig: Rename SNIPROM too MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI" MIPS: Unbreak function tracer for 64-bit kernel.
2013-04-05Merge git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixesLinus Torvalds
Pull GFS2 fixes from Steven Whitehouse: "There are two patches which fix up a couple of minor issues in the DLM interface code, a missing error path in gfs2_rs_alloc(), one patch which fixes a problem during "withdraw" and a fix for discards/FITRIM when using 4k sector sized devices." * git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes: GFS2: Issue discards in 512b sectors GFS2: Fix unlock of fcntl locks during withdrawn state GFS2: return error if malloc failed in gfs2_rs_alloc() GFS2: use memchr_inv GFS2: use kmalloc for lvb bitmap
2013-04-05firmware,IB/qib: revert firmware file moveMike Marciniszyn
Commit e2eed58b4fbf ("IB/qib: change QLogic to Intel") moved a firmware file potentially breaking the ABI. This patch reverts that aspect of the fix as well as reverting the firmware name as used in qib. Reported-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-05Merge tag 'spi-fix-v3.9-rc5' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc Pull spi fixes from Mark Brown: "A bunch of small driver fixes plus a fix for error handling in the core - nothing too exciting overall." * tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc: spi/mpc512x-psc: optionally keep PSC SS asserted across xfer segmensts spi: Unlock a spinlock before calling into the controller driver. spi/s3c64xx: modified error interrupt handling and init spi/bcm63xx: don't disable non enabled clocks in probe error path spi/bcm63xx: Remove unused variable spi: slink-tegra20: move runtime pm calls to transfer_one_message
2013-04-05GFS2: Issue discards in 512b sectorsBob Peterson
This patch changes GFS2's discard issuing code so that it calls function sb_issue_discard rather than blkdev_issue_discard. The code was calling blkdev_issue_discard and specifying the correct sector offset and sector size, but blkdev_issue_discard expects these values to be in terms of 512 byte sectors, even if the native sector size for the device is different. Calling sb_issue_discard with the BLOCK size instead ensures the correct block-to-512b-sector translation. I verified that "minlen" is specified in blocks, so comparing it to a number of blocks is correct. Signed-off-by: Bob Peterson <rpeterso@redhat.com> Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
2013-04-05Revert "drivers/rtc/rtc-at91rm9200.c: use a variable for storing IMR"Johan Hovold
This reverts commit 0ef1594c017521ea89278e80fe3f80dafb17abde. This patch introduced a few races which cannot be easily fixed with a small follow-up patch. Furthermore, the SoC with the broken hardware register, which this patch intended to add support for, can only be used with device trees, which this driver currently does not support. [ Here is the discussion that led to this "revert" patch: https://lkml.org/lkml/2013/4/3/176 ] Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-05Merge tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linuxLinus Torvalds
Pull fbdev fixes from Tomi Valkeinen: "Fix uvesafb crash bug and typoed flag name in fbmon's new videomode code" * tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux: video:uvesafb: Fix dereference NULL pointer code path fbmon: use VESA_DMT_VSYNC_HIGH to fix typo
2013-04-05Merge tag 'sound-3.9' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "This contains slightly more volumes than usual at this stage, mostly because of my vacation in the last week. Nothing to scare, all small and/or trivial fixes: - Fix loop path handling in ASoC DAPM - Some memory handling fixes in ASoC core - Fix spear_pcm to adapt to the updated API - HD-audio HDMI ELD handling fixes - Fix for CM6331 USB-audio SRC change bugs - Revert power_save_controller option change due to user-space usage - A few other small ASoC and HD-audio fixes" * tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/generic - fix uninitialized variable Revert "ALSA: hda - Allow power_save_controller option override DCAPS" ALSA: hda - fix typo in proc output ALSA: hda - Enabling Realtek ALC 671 codec ALSA: usb: Work around CM6631 sample rate change bug ALSA: hda - bug fix on HDMI ELD debug message ALSA: hda - bug fix on return value when getting HDMI ELD info ASoC: dma-sh7760: Fix compile error ASoC: core: fix invalid free of devm_ allocated data ASoC: spear_pcm: Update to new pcm_new() API ASoC:: max98090: Remove executable bit ASoC: dapm: Fix pointer dereference in is_connected_output_ep() ASoC: pcm030 audio fabric: remove __init from probe ASoC: imx-ssi: Fix occasional AC97 reset failure ASoC: core: fix possible memory leak in snd_soc_bytes_put() ASoC: wm_adsp: fix possible memory leak in wm_adsp_load_coeff() ASoC: dapm: Fix handling of loops ASoC: si476x: Add missing break for SNDRV_PCM_FORMAT_S8 switch case
2013-04-05MIPS: Delete definition of SA_RESTORER.Ralf Baechle
SA_RESTORER used to be defined as 0x04000000 but only the O32 ABI ever supported its use and no libc was using it, so the entire sa-restorer functionality was removed with lmo commit 39bffc12c3580ab [Zap sa_restorer.] for 2.5.48 retaining only the SA_RESTORER definition as a reminder to avoid accidental reuse of the mask bit. Upstream cdef9602fbf1871a43f0f1b5cea10dd0f275167d [signal: always clear sa_restorer on execve] adds code that assumes sa_sigaction has an sa_restorer field, if SA_RESTORER is defined which would break MIPS. So remove the SA_RESTORER definition before the v3.8.4 merge. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> (cherry picked from commit 17da8d63add23830892ac4dc2cbb3b5d4ffb79a8)
2013-04-05MIPS: Fix ISA level which causes secondary cache init bypassing and moreDeng-Cheng Zhu
The commit a96102be70 introduced set_isa() where compatible ISA info is also set aside from the one gets passed in. It means, for example, 1004K will have MIPS_CPU_ISA_M32R2/M32R1/II/I flags. This leads to things like the following inappropriate: if (c->isa_level == MIPS_CPU_ISA_M32R1 || c->isa_level == MIPS_CPU_ISA_M32R2 || c->isa_level == MIPS_CPU_ISA_M64R1 || c->isa_level == MIPS_CPU_ISA_M64R2) This patch fixes it. Signed-off-by: Deng-Cheng Zhu <dengcheng.zhu@imgtec.com> Cc: Steven J. Hill <Steven.Hill@imgtec.com> Cc: linux-mips@linux-mips.org Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05MIPS: Fix build error cavium-octeon without CONFIG_SMPEunBong Song
Singed-off-by: EunBong Song <eunb.song@samsung.com> Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05MIPS: Kconfig: Rename SNIPROM tooPaul Bolle
CONFIG_SNIPROM was renamed to CONFIG_FW_SNIPROM in v3.8. Let's rename SNIPROM itself too. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Cc: linux-mips@linux-mips.org; Cc: linux-kernel@vger.kernel.org Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI"Paul Bolle
Commit 7517de348663b08a808aff44b5300e817157a568 ("MIPS: Alchemy: Redo PCI as platform driver") added a reference to CONFIG_DEBUG_PCI. Change it to CONFIG_PCI_DEBUG, as that is a valid Kconfig macro. Also add a newline to a debugging printk that this fix enables. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05MIPS: Unbreak function tracer for 64-bit kernel.David Daney
Commit 58b69401c797 [MIPS: Function tracer: Fix broken function tracing] completely broke the function tracer for 64-bit kernels. The symptom is a system hang very early in the boot process. The fix: Remove/fix $sp adjustments for 64-bit case. Signed-off-by: David Daney <david.daney@cavium.com> Cc: linux-mips@linux-mips.org Cc: Al Cooper <alcooperx@gmail.com> Cc: viric@viric.name Cc: stable@vger.kernel.org # 3.8.x Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05ALSA: hda/generic - fix uninitialized variableJiri Slaby
changed is not initialized in path_power_down_sync, but it is expected to be false in case no change happened in the loop. So set it to false. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-04-05net: ipv4: notify when address lifetime changesJiri Pirko
if userspace changes lifetime of address, send netlink notification and call notifier. Signed-off-by: Jiri Pirko <jiri@resnulli.us> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05ixgbe: fix registration order of driver and DCA nofiticationJakub Kicinski
ixgbe_notify_dca cannot be called before driver registration because it expects driver's klist_devices to be allocated and initialized. While on it make sure debugfs files are removed when registration fails. Cc: stable <stable@vger.kernel.org> Signed-off-by: Jakub Kicinski <jakub.kicinski@intel.com> Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05af_unix: If we don't care about credentials coallesce all messagesEric W. Biederman
It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot <ksrot@redhat.com> Reported-by: Ding Tianhong <dingtianhong@huawei.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"Eric W. Biederman
This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim <svenjoac@gmx.de> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05bonding: remove sysfs before removing devicesVeaceslav Falico
We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico <vfalico@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05atl1e: limit gso segment size to prevent generation of wrong ip length fieldsHannes Frederic Sowa
The limit of 0x3c00 is taken from the windows driver. Suggested-by: Huang, Xiong <xiong@qca.qualcomm.com> Cc: Huang, Xiong <xiong@qca.qualcomm.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05net: count hw_addr syncs so that unsync works properly.Vlad Yasevich
A few drivers use dev_uc_sync/unsync to synchronize the address lists from master down to slave/lower devices. In some cases (bond/team) a single address list is synched down to multiple devices. At the time of unsync, we have a leak in these lower devices, because "synced" is treated as a boolean and the address will not be unsynced for anything after the first device/call. Treat "synced" as a count (same as refcount) and allow all unsync calls to work. Signed-off-by: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-04Merge tag 'pm+acpi-3.9-rc6' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI and power management fixes from Rafael Wysocki: - Revert of a recent cpuidle change that caused Nehalem machines to hang on boot from Alex Shi. - USB power management fix addressing a crash in the port device object's release routine from Rafael J Wysocki. - Device PM QoS fix for a potential deadlock related to sysfs interface from Rafael J Wysocki. - Fix for a cpufreq crash when the /cpus Device Tree node is missing from Paolo Pisati. - Fix for a build issue on ia64 related to the Boot Graphics Resource Table (BGRT) from Tony Luck. - Two fixes for ACPI handles being set incorrectly for device objects that don't correspond to any ACPI namespace nodes in the I2C and SPI subsystems from Rafael J Wysocki. - Fix for compiler warnings related to CONFIG_PM_DEVFREQ being unset from Rajagopal Venkat. - Fix for a symbol definition typo in cpufreq_governor.h from Borislav Petkov. * tag 'pm+acpi-3.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI / BGRT: Don't let users configure BGRT on non X86 systems cpuidle / ACPI: recover percpu ACPI processor cstate ACPI / I2C: Use parent's ACPI_HANDLE() in acpi_i2c_register_devices() cpufreq: Correct header guards typo ACPI / SPI: Use parent's ACPI_HANDLE() in acpi_register_spi_devices() cpufreq: check OF node /cpus presence before dereferencing it PM / devfreq: Fix compiler warnings for CONFIG_PM_DEVFREQ unset PM / QoS: Avoid possible deadlock related to sysfs access USB / PM: Don't try to hide PM QoS flags from usb_port_device_release()
2013-04-04r8169: fix auto speed down issuehayeswang
It would cause no link after suspending or shutdowning when the nic changes the speed to 10M and connects to a link partner which forces the speed to 100M. Check the link partner ability to determine which speed to set. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Acked-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-04Merge branch 'master' of git://1984.lsi.us.es/nfDavid S. Miller
Pablo Neira Ayuso says: ==================== The following patchset contains netfilter updates for your net tree, they are: * Fix missing the skb->trace reset in nf_reset, noticed by Gao Feng while using the TRACE target with several net namespaces. * Fix prefix translation in IPv6 NPT if non-multiple of 32 prefixes are used, from Matthias Schiffer. * Fix invalid nfacct objects with empty name, they are now rejected with -EINVAL, spotted by Michael Zintakis, patch from myself. * A couple of fixes for wrong return values in the error path of nfnetlink_queue and nf_conntrack, from Wei Yongjun. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-04Merge branch 'for-davem' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into wireless John W. Linville says: ==================== Here are some more fixes intended for the 3.9 stream... Regarding the mac80211 bits, Johannes says: "I had changed the idle handling to simplify it, but broken the sequencing of commands, at least for ath9k-htc, one patch restores the sequence. The other patch fixes a crash Jouni found while stress-testing the remain-on-channel code, when an item is deleted the work struct can run twice and crash the second time." As for the iwlwifi bits, Johannes says: "The only fix here is to the passive-no-RX firmware regulatory enforcement driver support code to not drop auth frames in quick succession, leading to not being able to connect to APs on passive channels in certain circumstances." Don't forget the NFC bits, about which Samuel says: "This time we have: - A crash fix for when a DGRAM LLCP socket is listening while the NFC adapter is physically removed. - A potential double skb free when the LLCP socket receive queue is full. - A fix for properly handling multiple and consecutive LLCP connections, and not trash the socket ack log. - A build failure for the MEI microread physical layer, now that the MEI bus APIs have been merged into char-misc-next." On top of that, Stone Piao provides an mwifiex fix to avoid accessing beyond the end of a buffer. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-04mm: prevent mmap_cache race in find_vma()Jan Stancek
find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek <jstancek@redhat.com> Acked-by: David Rientjes <rientjes@google.com> Signed-off-by: Hugh Dickins <hughd@google.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-04Merge tag 'upstream-3.9-rc6' of git://git.infradead.org/linux-ubifsLinus Torvalds
Pull UBIFS fix from Artem Bityutskiy: "Make the space fixup feature work in the case when the file-system is first mounted R/O and then remounted R/W." * tag 'upstream-3.9-rc6' of git://git.infradead.org/linux-ubifs: UBIFS: make space fixup work in the remount case
2013-04-04Merge branch 'pm-fixes' into fixesRafael J. Wysocki
* pm-fixes: cpufreq: Correct header guards typo cpufreq: check OF node /cpus presence before dereferencing it PM / devfreq: Fix compiler warnings for CONFIG_PM_DEVFREQ unset PM / QoS: Avoid possible deadlock related to sysfs access USB / PM: Don't try to hide PM QoS flags from usb_port_device_release()
2013-04-04Merge branch 'acpi-fixes' into fixesRafael J. Wysocki
* acpi-fixes: ACPI / BGRT: Don't let users configure BGRT on non X86 systems cpuidle / ACPI: recover percpu ACPI processor cstate ACPI / I2C: Use parent's ACPI_HANDLE() in acpi_i2c_register_devices() ACPI / SPI: Use parent's ACPI_HANDLE() in acpi_register_spi_devices()
2013-04-04Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid Pull HID fixes from Jiri Kosina: - Workaround for device ID conflict between Masterkit MA901 usb radio device and Atmel V-USB devices, to avoid regressions from older kernels, by Alexey Klimov - fix for possible race during input device registration in magicmouse driver, by Benjamin Tissoires * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: magicmouse: fix race between input_register() and probe() media: radio-ma901: return ENODEV in probe if usb_device doesn't match HID: fix Masterkit MA901 hid quirks
2013-04-04Merge tag 'gpio-fixes-v3.9' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "Two GPIO fixes for the v3.9 series: - Fix erroneous return value in the ICH driver - Make the STMPE driver proper properly on device tree boots" * tag 'gpio-fixes-v3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: stmpe: pass DT node to irqdomain gpio-ich: Fix value returned by ichx_gpio_request
2013-04-04Revert "ALSA: hda - Allow power_save_controller option override DCAPS"Takashi Iwai
This reverts commit 6ab317419c62850a71e2adfd1573e5ee87d8774f. The commit [6ab317419c: ALSA: hda - Allow power_save_controller option override DCAPS] changed the behavior of power_save_controller so that it can override the driver capability. This assumed that this option is rarely changed dynamically unlike power_save option. Too naive. It turned out that the user-space power-management tool tries to set power_save_controller option to 1 together with power_save option without knowing what's actually doing. This enabled forcibly the runtime PM of the controller, which is known to be broken om many chips thus disabled as default. So, the only sane fix is to revert this commit again. It was intended to ease debugging/testing for runtime PM enablement, but obviously we need another way for it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=56171 Reported-and-tested-by: Nikita Tsukanov <keks9n@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>