Commit Graph

495404 Commits

Author SHA1 Message Date
Daniel Borkmann
600ddd6825 net: sctp: fix slab corruption from use after free on INIT collisions
When hitting an INIT collision case during the 4WHS with AUTH enabled, as
already described in detail in commit 1be9a950c6 ("net: sctp: inherit
auth_capable on INIT collisions"), it can happen that we occasionally
still remotely trigger the following panic on server side which seems to
have been uncovered after the fix from commit 1be9a950c6 ...

[  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
[  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
[  533.940559] PGD 5030f2067 PUD 0
[  533.957104] Oops: 0000 [#1] SMP
[  533.974283] Modules linked in: sctp mlx4_en [...]
[  534.939704] Call Trace:
[  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
[  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
[  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
[  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
[  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
[  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
[  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
[  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

... or depending on the the application, for example this one:

[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
[ 1370.054568] PGD 633c94067 PUD 0
[ 1370.070446] Oops: 0000 [#1] SMP
[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
[ 1370.963431] Call Trace:
[ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
[ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
[ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
[ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
[ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

With slab debugging enabled, we can see that the poison has been overwritten:

[  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
[  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
[  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
[  669.826424]  __slab_alloc+0x4bf/0x566
[  669.826433]  __kmalloc+0x280/0x310
[  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
[  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
[  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
[  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
[  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
[  669.826635]  __slab_free+0x39/0x2a8
[  669.826643]  kfree+0x1d6/0x230
[  669.826650]  kzfree+0x31/0x40
[  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
[  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
[  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]

Since this only triggers in some collision-cases with AUTH, the problem at
heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
when having refcnt 1, once directly in sctp_assoc_update() and yet again
from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
the already kzfree'd memory, which is also consistent with the observation
of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
at a later point in time when poison is checked on new allocation).

Reference counting of auth keys revisited:

Shared keys for AUTH chunks are being stored in endpoints and associations
in endpoint_shared_keys list. On endpoint creation, a null key is being
added; on association creation, all endpoint shared keys are being cached
and thus cloned over to the association. struct sctp_shared_key only holds
a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
keeps track of users internally through refcounting. Naturally, on assoc
or enpoint destruction, sctp_shared_key are being destroyed directly and
the reference on sctp_auth_bytes dropped.

User space can add keys to either list via setsockopt(2) through struct
sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
with refcount 1 and in case of replacement drops the reference on the old
sctp_auth_bytes. A key can be set active from user space through setsockopt()
on the id via sctp_auth_set_active_key(), which iterates through either
endpoint_shared_keys and in case of an assoc, invokes (one of various places)
sctp_auth_asoc_init_active_key().

sctp_auth_asoc_init_active_key() computes the actual secret from local's
and peer's random, hmac and shared key parameters and returns a new key
directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
the reference if there was a previous one. The secret, which where we
eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
intitial refcount of 1, which also stays unchanged eventually in
sctp_assoc_update(). This key is later being used for crypto layer to
set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().

To close the loop: asoc->asoc_shared_key is freshly allocated secret
material and independant of the sctp_shared_key management keeping track
of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a
("net: sctp: fix memory leak in auth key management") is independant of
this bug here since it concerns a different layer (though same structures
being used eventually). asoc->asoc_shared_key is reference dropped correctly
on assoc destruction in sctp_association_free() and when active keys are
being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
to remove that sctp_auth_key_put() from there which fixes these panics.

Fixes: 730fc3d05c ("[SCTP]: Implete SCTP-AUTH parameter processing")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 17:02:05 -08:00
Ezequiel Garcia
9e911414af net: mv643xx_eth: Fix highmem support in non-TSO egress path
Commit 69ad0dd7af
Author: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Date:   Mon May 19 13:59:59 2014 -0300

    net: mv643xx_eth: Use dma_map_single() to map the skb fragments

caused a nasty regression by removing the support for highmem skb
fragments. By using page_address() to get the address of a fragment's
page, we are assuming a lowmem page. However, such assumption is incorrect,
as fragments can be in highmem pages, resulting in very nasty issues.

This commit fixes this by using the skb_frag_dma_map() helper,
which takes care of mapping the skb fragment properly. Additionally,
the type of mapping is now tracked, so it can be unmapped using
dma_unmap_page or dma_unmap_single when appropriate.

This commit also fixes the error path in txq_init() to release the
resources properly.

Fixes: 69ad0dd7af ("net: mv643xx_eth: Use dma_map_single() to map the skb fragments")
Reported-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:14:40 -08:00
David S. Miller
9d08da9630 Merge branch 'sh_eth'
Ben Hutchings says:

====================
Fixes for sh_eth #2

I'm continuing review and testing of Ethernet support on the R-Car H2
chip.  This series fixes more of the issues I've found, but it won't be
the last set.

These are not tested on any of the other supported chips.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:20 -08:00
Ben Hutchings
283e38db65 sh_eth: Fix serialisation of interrupt disable with interrupt & NAPI handlers
In order to stop the RX path accessing the RX ring while it's being
stopped or resized, we clear the interrupt mask (EESIPR) and then call
free_irq() or synchronise_irq().  This is insufficient because the
interrupt handler or NAPI poller may set EESIPR again after we clear
it.  Also, in sh_eth_set_ringparam() we currently don't disable NAPI
polling at all.

I could easily trigger a crash by running the loop:

   while ethtool -G eth0 rx 128 && ethtool -G eth0 rx 64; do echo -n .; done

and 'ping -f' toward the sh_eth port from another machine.

To fix this:
- Add a software flag (irq_enabled) to signal whether interrupts
  should be enabled
- In the interrupt handler, if the flag is clear then clear EESIPR
  and return
- In the NAPI poller, if the flag is clear then don't set EESIPR
- Set the flag before enabling interrupts in sh_eth_dev_init() and
  sh_eth_set_ringparam()
- Clear the flag and serialise with the interrupt and NAPI
  handlers before clearing EESIPR in sh_eth_close() and
  sh_eth_set_ringparam()

After this, I could run the loop for 100,000 iterations successfully.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Ben Hutchings
084236d8c5 sh_eth: Fix crash or memory leak when resizing rings on device that is down
If the device is down then no packet buffers should be allocated.
We also must not touch its registers as it may be powered off.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Ben Hutchings
bd8889163a sh_eth: Detach net device when stopping queue to resize DMA rings
We must only ever stop TX queues when they are full or the net device
is not 'ready' so far as the net core, and specifically the watchdog,
is concerned.  Otherwise, the watchdog may fire *immediately* if no
packets have been added to the queue in the last 5 seconds.

What's more, sh_eth_tx_timeout() will likely crash if called while
we're resizing the TX ring.

I could easily trigger this by running the loop:

   while ethtool -G eth0 rx 128 && ethtool -G eth0 rx 64; do echo -n .; done

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Ben Hutchings
eebfb643c0 sh_eth: Fix padding of short frames on TX
If an skb to be transmitted is shorter than the minimum Ethernet frame
length, we currently set the DMA descriptor length to the minimum but
do not add zero-padding.  This could result in leaking sensitive
data.  We also pass different lengths to dma_map_single() and
dma_unmap_single().

Use skb_padto() to pad properly, before calling dma_map_single().

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Mugunthan V N
02a54164c5 drivers: net: cpsw: discard dual emac default vlan configuration
In Dual EMAC, the default VLANs are used to segregate Rx packets between
the ports, so adding the same default VLAN to the switch will affect the
normal packet transfers. So returning error on addition of dual EMAC
default VLANs.

Even if EMAC 0 default port VLAN is added to EMAC 1, it will lead to
break dual EMAC port separations.

Fixes: d9ba8f9e62 (driver: net: ethernet: cpsw: dual emac interface implementation)
Cc: <stable@vger.kernel.org> # v3.9+
Reported-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:05:50 -08:00
David S. Miller
b6663ad702 Merge branch 'cls_bpf'
Daniel Borkmann says:

====================
Two cls_bpf fixes

Found them while doing a review on act_bpf and going over the
cls_bpf code again. Will also address the first issue in act_bpf
as it needs to be fixed there, too.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:50:24 -08:00
Daniel Borkmann
3f2ab13594 net: cls_bpf: fix auto generation of per list handles
When creating a bpf classifier in tc with priority collisions and
invoking automatic unique handle assignment, cls_bpf_grab_new_handle()
will return a wrong handle id which in fact is non-unique. Usually
altering of specific filters is being addressed over major id, but
in case of collisions we result in a filter chain, where handle ids
address individual cls_bpf_progs inside the classifier.

Issue is, in cls_bpf_grab_new_handle() we probe for head->hgen handle
in cls_bpf_get() and in case we found a free handle, we're supposed
to use exactly head->hgen. In case of insufficient numbers of handles,
we bail out later as handle id 0 is not allowed.

Fixes: 7d1d65cb84 ("net: sched: cls_bpf: add BPF-based classifier")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:50:19 -08:00
Daniel Borkmann
7913ecf69e net: cls_bpf: fix size mismatch on filter preparation
In cls_bpf_modify_existing(), we read out the number of filter blocks,
do some sanity checks, allocate a block on that size, and copy over the
BPF instruction blob from user space, then pass everything through the
classic BPF checker prior to installation of the classifier.

We should reject mismatches here, there are 2 scenarios: the number of
filter blocks could be smaller than the provided instruction blob, so
we do a partial copy of the BPF program, and thus the instructions will
either be rejected from the verifier or a valid BPF program will be run;
in the other case, we'll end up copying more than we're supposed to,
and most likely the trailing garbage will be rejected by the verifier
as well (i.e. we need to fit instruction pattern, ret {A,K} needs to be
last instruction, load/stores must be correct, etc); in case not, we
would leak memory when dumping back instruction patterns. The code should
have only used nla_len() as Dave noted to avoid this from the beginning.
Anyway, lets fix it by rejecting such load attempts.

Fixes: 7d1d65cb84 ("net: sched: cls_bpf: add BPF-based classifier")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:50:18 -08:00
David S. Miller
9e79ce66c6 linux-can-fixes-for-3.19-20150121
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJUwB19AAoJECte4hHFiupUuqAQAJ0S6SpHAKFbsb1c3a4Av6fT
 BlztznoxHPFdRhWg6RG4fnV1HhXWvBWSqsmPKapsfMIIDfonTasGks3ALocCJzYl
 9JvSNrj+VKh9ecE1Qkr53WNmxlqoHHgCioMXrTK5y8fBxqCqsfprDH+Q1U+Eh7sM
 P7JyjwbSj/m2TTZHaBd8lAf4qzm/xHH+56XK2BmSTWN3Fd3tmaGH+wRjF4maeF2F
 jG97x7Ev7vek8vBsCCfkt+mPQ9amu4+ptRfqOn/akQPvGxicfb3HOUglADHt8JaH
 7ISU96q5IGu4VpXJQd3idzJlwANp1kydLf0KLm1vSxlzEp27nQ6ewea3uf5SnJ6m
 uIa3QG4D7KX2qSvrNQ1MBLjDALdJMF0MIooSLMWi094z2C6OZ5A20lCIrGEv2lAo
 YyKUFQObhZzwWgjs3gGanYr4N5pi6vtYqwuYLje1v8XGgBo6rKTA9V7l8MG+2IN3
 JORpQBsCMHb15PrAH3aRBxcU9QpeP7244sWGSIdrSk3tyEr0wSn8v0y/Ef2g5MNv
 LHjupwWBLmgT/zVD3N8s+ZPcZxFdXo7zmXuHAvkAZzLD2RfogRkrlVIcRt/OQfhY
 r8V7F+VM1T6hrtJrzp7MDI/ZzraK5jk9mZHR8exOA1d2UYPiaha8N/athxMD/3TI
 pksebn/jqvJrO46R77mX
 =k63Q
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-3.19-20150121' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2015-01-21

this is a pull request for v3.19, net/master, which consists of a single patch.

Viktor Babrian fixes the issue in the c_can dirver, that the CAN interface
might continue to send frames after the interface has been shut down.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:24:14 -08:00
David S. Miller
03a605804b Merge branch 's390'
Ursula Braun says:

====================
s390/qeth patches for net

here are two s390/qeth patches built for net.
One patch is quite large, but we would like to fix the locking warning
seen in recent kernels as soon as possible. But if you want me to submit
these patches for net-next, I will do.
Or Gerlitz says:
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 23:38:20 -08:00
Thomas Richter
1aec42bcc0 390/qeth: Fix locking warning during qeth device setup
Do not wait for channel command buffers in IPA commands.
The potential wait could be done while holding a spin lock and causes
in recent kernels such a bug if kernel lock debugging is enabled:

kernel: BUG: sleeping function called from invalid context at drivers/s390/net/qeth_core_main.c:
794
kernel: in_atomic(): 1, irqs_disabled(): 0, pid: 2031, name: NetworkManager
kernel: 2 locks held by NetworkManager/2031:
kernel:  #0:  (rtnl_mutex){+.+.+.}, at: [<00000000006e0d7a>] rtnetlink_rcv+0x32/0x50
kernel:  #1:  (_xmit_ETHER){+.....}, at: [<00000000006cfe90>] dev_set_rx_mode+0x30/0x50
kernel: CPU: 0 PID: 2031 Comm: NetworkManager Not tainted 3.18.0-rc5-next-20141124 #1
kernel:        00000000275fb1f0 00000000275fb280 0000000000000002 0000000000000000
               00000000275fb320 00000000275fb298 00000000275fb298 00000000007e326a
               0000000000000000 000000000099ce2c 00000000009b4988 000000000000000b
               00000000275fb2e0 00000000275fb280 0000000000000000 0000000000000000
               0000000000000000 00000000001129c8 00000000275fb280 00000000275fb2e0
kernel: Call Trace:
kernel: ([<00000000001128b0>] show_trace+0xf8/0x158)
kernel:  [<000000000011297a>] show_stack+0x6a/0xe8
kernel:  [<00000000007e995a>] dump_stack+0x82/0xb0
kernel:  [<000000000017d668>] ___might_sleep+0x170/0x228
kernel:  [<000003ff80026f0e>] qeth_wait_for_buffer+0x36/0xd0 [qeth]
kernel:  [<000003ff80026fe2>] qeth_get_ipacmd_buffer+0x3a/0xc0 [qeth]
kernel:  [<000003ff80105078>] qeth_l3_send_setdelmc+0x58/0xf8 [qeth_l3]
kernel:  [<000003ff8010b1fe>] qeth_l3_set_ip_addr_list+0x2c6/0x848 [qeth_l3]
kernel:  [<000003ff8010bbb4>] qeth_l3_set_multicast_list+0x434/0xc48 [qeth_l3]
kernel:  [<00000000006cfe9a>] dev_set_rx_mode+0x3a/0x50
kernel:  [<00000000006cff90>] __dev_open+0xe0/0x140
kernel:  [<00000000006d02a0>] __dev_change_flags+0xa0/0x178
kernel:  [<00000000006d03a8>] dev_change_flags+0x30/0x70
kernel:  [<00000000006e14ee>] do_setlink+0x346/0x9a0
...

The device driver has plenty of command buffers available
per channel for channel command communication.
In the extremely rare case when there is no command buffer
available, return a NULL pointer and issue a warning
in the kernel log. The caller handles the case when
a NULL pointer is encountered and returns an error.

In the case the wait for command buffer is possible
(because no lock is held as in the OSN case), still wait
until a channel command buffer is available.

Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Reviewed-by: Eugene Crosser <Eugene.Crosser@ru.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 23:38:16 -08:00
Eugene Crosser
efbbc1d567 qeth: clean up error handling
In the functions that are registering and unregistering MAC
addresses in the qeth-handled hardware, remove callback functions
that are unnesessary, as only the return code is analyzed.
Translate hardware response codes to semi-standard 'errno'-like
codes for readability.

Add kernel-doc description to the internal API function
qeth_send_control_data().

Signed-off-by: Eugene Crosser <Eugene.Crosser@ru.ibm.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Reviewed-by: Thomas-Mich Richter <tmricht@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 23:38:16 -08:00
Martin KaFai Lau
b0a1ba5992 ipv6: Fix __ip6_route_redirect
In my last commit (a3c00e4: ipv6: Remove BACKTRACK macro), the changes in
__ip6_route_redirect is incorrect.  The following case is missed:
1. The for loop tries to find a valid gateway rt. If it fails to find
   one, rt will be NULL.
2. When rt is NULL, it is set to the ip6_null_entry.
3. The newly added 'else if', from a3c00e4, will stop the backtrack from
   happening.

Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 22:09:51 -08:00
Vivien Didelot
24df8986f3 net: dsa: set slave MII bus PHY mask
When registering a mdio bus, Linux assumes than every port has a PHY and tries
to scan it. If a switch port has no PHY registered, DSA will fail to register
the slave MII bus. To fix this, set the slave MII bus PHY mask to the switch
PHYs mask.

As an example, if we use a Marvell MV88E6352 (which is a 7-port switch with no
registered PHYs for port 5 and port 6), with the following declared names:

	static struct dsa_chip_data switch_cdata = {
		[...]
		.port_names[0] = "sw0",
		.port_names[1] = "sw1",
		.port_names[2] = "sw2",
		.port_names[3] = "sw3",
		.port_names[4] = "sw4",
		.port_names[5] = "cpu",
	};

DSA will fail to create the switch instance. With the PHY mask set for the
slave MII bus, only the PHY for ports 0-4 will be scanned and the instance will
be successfully created.

Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Tested-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 16:00:54 -08:00
Mahesh Bandewar
2aab9525c3 ipvlan: fix incorrect usage of IS_ERR() macro in IPv6 code path.
The ip6_route_output() always returns a valid dst pointer unlike in IPv4
case. So the validation has to be different from the IPv4 path. Correcting
that error in this patch.

This was picked up by a static checker with a following warning -

   drivers/net/ipvlan/ipvlan_core.c:380 ipvlan_process_v6_outbound()
        warn: 'dst' isn't an ERR_PTR

Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 00:24:19 -08:00
Sasha Levin
6b8d9117cc net: llc: use correct size for sysctl timeout entries
The timeout entries are sizeof(int) rather than sizeof(long), which
means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 00:23:21 -08:00
Eric Dumazet
6088beef3f netxen: fix netxen_nic_poll() logic
NAPI poll logic now enforces that a poller returns exactly the budget
when it wants to be called again.

If a driver limits TX completion, it has to return budget as well when
the limit is hit, not the number of received packets.

Reported-and-tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: d75b1ade56 ("net: less interrupt masking in NAPI")
Cc: Manish Chopra <manish.chopra@qlogic.com>
Acked-by: Manish Chopra <manish.chopra@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-25 00:21:45 -08:00
Govindarajulu Varadarajan
f104fedc0d enic: fix rx napi poll return value
With the commit d75b1ade56 ("net: less interrupt masking in NAPI") napi repoll
is done only when work_done == budget. When we are in busy_poll we return 0 in
napi_poll. We should return budget.

Signed-off-by: Govindarajulu Varadarajan <_govind@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-24 22:39:03 -08:00
David S. Miller
5d7b045b73 ath9k:
* fix an IRQ storm caused by commit 872b5d814f
 
 iwlwifi:
 
 * A fix for scan that fixes a firmware assertion
 
 * A fix that improves roaming behavior. Same fix has been tested for
   a while in iwldvm. This is a bit of a work around, but the real fix
   should be in mac80211 and will come later.
 
 * A fix for BARs that avoids a WARNING.
 
 * one fix for rfkill while scheduled scan is running.
   Linus's system hit this issue. WiFi would be unavailable
   after this has happpened because of bad state in cfg80211.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQEcBAABAgAGBQJUvhf2AAoJEG4XJFUm622blNIH/3JlfJZxjfFs5nCkLPRS03m1
 GNMhwHuoFDUSHNUCO57kROVcoryvd3D9kNA5bDGXkNHQIS1DQj4K44mZFKfF6L1K
 Kon/OP+pxJXpDV+5G42zF5QSRLg6uGb/cvxKEXyU9MhISXcWIIyncqAwZZWzoaFS
 ZcjqhvO0iUbdywrbU8nAAOH8+8zwL16A5nZxadeBF6yMf939EUsDzcDW9WoSNSsE
 vYZlHTRsymx2TANquoFBo8/mSeB0jcd+1eBr6mMetzUJLfjvxihbyP9Ci+C31ov4
 592s9dGQpxgri/qbRMt0XjwxAXRYnXluu2Rcf4jmmilQON7cZiZKZQnukpgIu3I=
 =cq2e
 -----END PGP SIGNATURE-----

Merge tag 'wireless-drivers-for-davem-2015-01-20' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

ath9k:

* fix an IRQ storm caused by commit 872b5d814f

iwlwifi:

* A fix for scan that fixes a firmware assertion

* A fix that improves roaming behavior. Same fix has been tested for
  a while in iwldvm. This is a bit of a work around, but the real fix
  should be in mac80211 and will come later.

* A fix for BARs that avoids a WARNING.

* one fix for rfkill while scheduled scan is running.
  Linus's system hit this issue. WiFi would be unavailable
  after this has happpened because of bad state in cfg80211.

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-24 21:55:26 -08:00
Nimrod Andy
9143e398a4 ARM: dts: imx6sx: correct i.MX6sx sdb board enet phy address
The commit (3d125f9c91) cause i.MX6SX sdb enet cannot work. The cause is
the commit add mdio node with un-correct phy address.

The patch just correct i.MX6sx sdb board enet phy address.

V2:
* As Shawn's suggestion that unit-address should match 'reg' property, so
  update ethernet-phy unit-address.

Acked-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Fugang Duan <B38611@freescale.com>
Acked-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-24 21:54:59 -08:00
Lendacky, Thomas
e2a2729a92 amd-xgbe: Use proper Rx flow control register
Updated hardware documention shows the Rx flow control settings were
moved from the Rx queue operation mode register to a new Rx queue flow
control register.  The old flow control settings are now reserved areas
of the Rx queue operation mode register. Update the code to use the new
register.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-23 22:17:06 -08:00
Viktor Babrian
7ffd7b4e16 can: c_can: end pending transmission on network stop (ifdown)
Put controller into init mode in network stop to end pending transmissions. The
issue is observed in cases when transmitted frame is not acked.

Signed-off-by: Viktor Babrian <babrian.viktor@renyi.mta.hu>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2015-01-21 22:43:14 +01:00
Linus Torvalds
06efe0e540 Pin control fixes for the v3.19 series:
- Fix two deadlocks around the pin control mutexes,
   a long-standing issue that manifest itself in
   plug/unplug of pin controllers. (Tagged for stable.)
 
 - Handle an error path with zero functions in the
   Qualcomm pin controller.
 
 - Drop a bogus second GPIO chip added in the Lantiq
   driver.
 
 - Fix sudden IRQ loss on Rockchip pin controllers.
 
 - Register the GIT tree in MAINTAINERS.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUvhsCAAoJEEEQszewGV1zZMoP/AoewI2od036rhGKD5IqH1/F
 6khikDo6e3TbAHdx4iGWVzzFOK+V66lc4eokTIMDfxiaovcSBNqYBVdaIM/xunc0
 S7jxTGp1EdSMqyYv6L7h+EycDAZ/sfHobOWhhgV38o5fWuGI5fGzIC2Pj0kWU/vr
 sMInof+dJeSPLLYMMruQpik08tku5tuGHlPnA8knRCkZxHtHWwqYiU+zl2gfDfvO
 uC0cQm+rXtUn/m6ua0pRSjujZDyxVOkLiBHk01qfqNfCDlBgg4J9wI+HE08HWaMC
 lr03oV4nZQ91aEih16g4UgsOGnxHfDZS6EU6alCWIyUPs3LEwZ07twCk1lLAjkAu
 Jswx8bZCmbndUfcnoImgtJLT+7zU8utBpbhzHi5rmoHF0/pVA/estk1lRGanid1B
 OHg3HZv30T9xdVvZCVHUD+O4b/8HQWB8EJte5yt3Qs+B6M/N3Fw1o5+fgCTXR9C1
 zTRVu3VIOOX8IuY3rJ7DCme/b/N2kAkGAckbnOSoTx1MO4ECIAR0CCiF2eKzjwi6
 xCAeA+4aEsJXAQQqMY4UBdpgdXtc9hRW5C4iMjcbPicoZqgAJhL8kyIyuJjOgHDy
 4l6hFhFaLGEIzWMfpP7wi9y/CyZabeKq30UgInJu1GJsj7H/ZE7aPSv/vjrGyEh6
 4ukizhEn8NEhVm15SUbg
 =YGym
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v3.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 "Here is a (hopefully final) slew of pin control fixes for the v3.19
  series.  The deadlock fix is kind of serious and tagged for stable,
  the rest is business as usual.

   - Fix two deadlocks around the pin control mutexes, a long-standing
     issue that manifest itself in plug/unplug of pin controllers.
     (Tagged for stable.)

   - Handle an error path with zero functions in the Qualcomm pin
     controller.

   - Drop a bogus second GPIO chip added in the Lantiq driver.

   - Fix sudden IRQ loss on Rockchip pin controllers.

   - Register the GIT tree in MAINTAINERS"

* tag 'pinctrl-v3.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: MAINTAINERS: add git tree reference
  pinctrl: qcom: Don't iterate past end of function array
  pinctrl: lantiq: remove bogus of_gpio_chip_add
  pinctrl: Fix two deadlocks
  pinctrl: rockchip: Avoid losing interrupts when supporting both edges
2015-01-20 21:23:41 +12:00
Linus Torvalds
eef8f4c2ac Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Socket addresses returned in the error queue need to be fully
    initialized before being passed on to userspace, fix from Willem de
    Bruijn.

 2) Interrupt handling fixes to davinci_emac driver from Tony Lindgren.

 3) Fix races between receive packet steering and cpu hotplug, from Eric
    Dumazet.

 4) Allowing netlink sockets to subscribe to unknown multicast groups
    leads to crashes, don't allow it.  From Johannes Berg.

 5) One to many socket races in SCTP fixed by Daniel Borkmann.

 6) Put in a guard against the mis-use of ipv6 atomic fragments, from
    Hagen Paul Pfeifer.

 7) Fix promisc mode and ethtool crashes in sh_eth driver, from Ben
    Hutchings.

 8) NULL deref and double kfree fix in sxgbe driver from Girish K.S and
    Byungho An.

 9) cfg80211 deadlock fix from Arik Nemtsov.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (36 commits)
  s2io: use snprintf() as a safety feature
  r8152: remove sram_read
  r8152: remove generic_ocp_read before writing
  bgmac: activate irqs only if there is nothing to poll
  bgmac: register napi before the device
  sh_eth: Fix ethtool operation crash when net device is down
  sh_eth: Fix promiscuous mode on chips without TSU
  ipv6: stop sending PTB packets for MTU < 1280
  net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
  genetlink: synchronize socket closing and family removal
  genetlink: disallow subscribing to unknown mcast groups
  genetlink: document parallel_ops
  net: rps: fix cpu unplug
  net: davinci_emac: Add support for emac on dm816x
  net: davinci_emac: Fix ioremap for devices with MDIO within the EMAC address space
  net: davinci_emac: Fix incomplete code for getting the phy from device tree
  net: davinci_emac: Free clock after checking the frequency
  net: davinci_emac: Fix runtime pm calls for davinci_emac
  net: davinci_emac: Fix hangs with interrupts
  ip: zero sockaddr returned on error queue
  ...
2015-01-20 18:19:31 +12:00
Linus Torvalds
2262889091 Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fix from Herbert Xu:
 "This fixes a regression that arose from the change to add a crypto
  prefix to module names which was done to prevent the loading of
  arbitrary modules through the Crypto API.

  In particular, a number of modules were missing the crypto prefix
  which meant that they could no longer be autoloaded"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: add missing crypto module aliases
2015-01-20 18:17:34 +12:00
Dan Carpenter
a8c1d28ac3 s2io: use snprintf() as a safety feature
"sp->desc[i]" has 25 characters.  "dev->name" has 15 characters.  If we
used all 15 characters then the sprintf() would overflow.

I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
well, even though it can't overflow just to be consistent.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 19:42:21 -05:00
David S. Miller
ef5a1ba145 Merge branch 'r8152'
Hayes Wang says:

====================
r8152: couldn't read OCP_SRAM_DATA

Read OCP_SRAM_DATA would read additional bytes and may let
the hw abnormal.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 16:16:36 -05:00
hayeswang
b4d99def09 r8152: remove sram_read
Read OCP register 0xa43a~0xa43b would clear some flags which the hw
would use, and it may let the device lost. However, the unit of
reading is 4 bytes. That is, it would read 0xa438~0xa43b when calling
sram_read() to read OCP_SRAM_DATA.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 16:16:32 -05:00
hayeswang
8cb3db24c8 r8152: remove generic_ocp_read before writing
For ocp_write_word() and ocp_write_byte(), there is a generic_ocp_read()
which is used to read the whole 4 byte data, keep the unchanged bytes,
and modify the expected bytes. However, the "byen" could be used to
determine which bytes of the 4 bytes to write, so the action could be
removed.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 16:16:32 -05:00
David S. Miller
e60bf80615 Merge branch 'bgmac'
Hauke Mehrtens says:

====================
bgmac: some fixes to napi usage

I compared the napi documentation with the bgmac driver and found some
problems in that driver. These two patches should fix the problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 16:00:02 -05:00
Hauke Mehrtens
43f159c60a bgmac: activate irqs only if there is nothing to poll
IRQs should only get activated when there is nothing to poll in the
queue any more and to after every poll.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 15:59:57 -05:00
Hauke Mehrtens
6216642f20 bgmac: register napi before the device
napi should get registered before the netdev and not after.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 15:59:57 -05:00
David S. Miller
852c5d9c98 Merge branch 'sh_eth'
Ben Hutchings says:

====================
sh_eth fixes

I'm currently looking at Ethernet support on the R-Car H2 chip,
reviewing and testing the sh_eth driver.  Here are fixes for two fairly
obvious bugs in the driver; I will probably have some more later.

These are not tested on any of the other supported chips.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 15:37:44 -05:00
Ben Hutchings
4f9dce230b sh_eth: Fix ethtool operation crash when net device is down
The driver connects and disconnects the PHY device whenever the
net device is brought up and down.  The ethtool get_settings,
set_settings and nway_reset operations will dereference a null
or dangling pointer if called while it is down.

I think it would be preferable to keep the PHY connected, but there
may be good reasons not to.

As an immediate fix for this bug:
- Set the phydev pointer to NULL after disconnecting the PHY
- Change those three operations to return -ENODEV while the PHY is
  not connected

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 15:37:40 -05:00
Ben Hutchings
b37feed7c2 sh_eth: Fix promiscuous mode on chips without TSU
Currently net_device_ops::set_rx_mode is only implemented for
chips with a TSU (multiple address table).  However we do need
to turn the PRM (promiscuous) flag on and off for other chips.

- Remove the unlikely() from the TSU functions that we may safely
  call for chips without a TSU
- Make setting of the MCT flag conditional on the tsu capability flag
- Rename sh_eth_set_multicast_list() to sh_eth_set_rx_mode() and plumb
  it into both net_device_ops structures
- Remove the previously-unreachable branch in sh_eth_rx_mode() that
  would otherwise reset the flags to defaults for non-TSU chips

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 15:37:40 -05:00
Hagen Paul Pfeifer
9d289715eb ipv6: stop sending PTB packets for MTU < 1280
Reduce the attack vector and stop generating IPv6 Fragment Header for
paths with an MTU smaller than the minimum required IPv6 MTU
size (1280 byte) - called atomic fragments.

See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
for more information and how this "feature" can be misused.

[1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00

Signed-off-by: Fernando Gont <fgont@si6networks.com>
Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-19 14:52:07 -05:00
Felix Fietkau
e3f31175a3 ath9k: fix race condition in irq processing during hardware reset
To fix invalid hardware accesses, the commit 872b5d814f ("ath9k: do not
access hardware on IRQs during reset") made the irq handler ignore interrupts
emitted after queueing a hardware reset (which disables the IRQ). This left a
small time window for the IRQ to get re-enabled by the tasklet, which caused
IRQ storms.  Instead of returning IRQ_NONE when ATH_OP_HW_RESET is set, disable
the IRQ entirely for the duration of the reset.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2015-01-19 14:32:29 +02:00
Linus Walleij
dbe752a34d pinctrl: MAINTAINERS: add git tree reference
Reference my pinctrl GIT tree @kernel.org

Reported-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2015-01-19 11:27:19 +01:00
Stephen Boyd
bcd53f858d pinctrl: qcom: Don't iterate past end of function array
Timur reports that this code crashes if nfunctions is 0. Fix the
loop iteration to only consider valid elements of the functions
array.

Reported-by: Timur Tabi <timur@codeaurora.org>
Cc: Pramod Gurav <pramod.gurav@smartplayin.com>
Cc: Bjorn Andersson <bjorn.andersson@sonymobile.com>
Cc: Ivan T. Ivanov <iivanov@mm-sol.com>
Cc: Andy Gross <agross@codeaurora.org>
Fixes: 327455817a "pinctrl: qcom: Add support for reset for apq8064"
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2015-01-19 11:17:45 +01:00
Kalle Valo
7b05520160 * one fix for rfkill while scheduled scan is running.
Linus's system hit this issue. WiFi would be unavailable
   after this has happpened because of bad state in cfg80211.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUvBLgAAoJEC0Llv5uNjIBn60QAJlN62JnZu5X6XCnzK8hdTe3
 4AFKf9e+ejBDEfFTcGLA+fX0fDgCaWkY5kYmS0jlqd60u7BUUOENxJGgv1FRGcqr
 fIjN8nfjbr5p6FZk6E+sVvDgs4NJ+tosnZofxwBOflVK9cAON01MsV/SuUHh9A8i
 qBVn9aZHbpjSNPSOIjZgvcOTREE0ckHVYJEpAlR0IXYUKRxY3+XtpmruSnoNNnox
 XKljOQRzMR/LwTIX1De4Uw09NDjWL+u5KpZNuXmaG6Z/4HoKDlqN+ZTJtxSGXo8m
 F6VkTXQPmZc9+7ELzMYn5o5CDaEGejCVxMP7AhYzztCDwrmV0cGMb6wKcJFMbE8M
 l+8VikOGtEnbAWh+vfLyKsB0hMb5SBjxxh2Vu3xpglOLinZKHwdJPAweoCwRgp8Y
 u+Ra21u+giJPeyMTVnzTVO4M0TQ6UuvVP7Zreq51TXaLYrQzObDf+JtRROQMm84k
 llhQ9dwSznVZ7Ub1cYh0wbJ7FVDV7RT0fSbmtmHY9LBSPffdigvZtzVMEYM+kbDm
 72Rqjd/2JqYCvFJpj6j6bpOZUdfT5pmq30eknyGY22wChgC3rkNp2TKHRfVOq2lK
 kSLTgzCAXhI21/UWbSwyKft5w/3u7RdFFNdaZA7KQTgAGYQESf9EHaPq3o+/hlRy
 ofJWo4B2ctiiKl2IC1uW
 =WBj6
 -----END PGP SIGNATURE-----

Merge tag 'iwlwifi-for-kalle-2015-01-15' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes

* one fix for rfkill while scheduled scan is running.
  Linus's system hit this issue. WiFi would be unavailable
  after this has happpened because of bad state in cfg80211.
2015-01-19 09:47:28 +02:00
Emmanuel Grumbach
90ea15c114 iwlwifi: mvm: abort scheduled scan upon RFKILL
When we have an active scheduled scan, and the RFKILL
interrupt kicks in, the stack will cancel the scheduled
scan as part of the down flow. But cancelling scheduled
scan usually implies sending a command to the firwmare
which has been killed as part of the RFKILL interrupt
handling.
Because of that, we returned an error to mac80211 when
it asked to stop the scheduled scan and didn't notify the
end of the scheduled scan. Besides a fat warning, this led
to a situation in which cfg80211 would refuse any new scan
request.

To disentangle this, fake that the scheduled scan has been
stopped without sending the command to the firwmare, return
0 after having properly let cfg80211 know that the scan
has been cancelled.

This is basically the same as:
commit 9b520d8495
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Tue Nov 4 15:54:11 2014 +0200

    iwlwifi: mvm: abort scan upon RFKILL

    This code existed but not for all the different FW APIs
    we support.
    Fix this.

but for the scheduled scan case.

Link: http://permalink.gmane.org/gmane.linux.kernel.wireless.general/133232
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-01-18 22:04:37 +02:00
Linus Torvalds
b62a9c2058 A slew of fixes dealing with some irritating bugs (non-regressions)
that have been around forever in the GPIO subsystem, most of them
 also tagged for stable:
 
 - A large slew of fixes from Johan Hovold who is finally testing and
   reviewing the removal path of the GPIO drivers.
 
 - Fix of_get_named_gpiod_flags() so it works as expected.
 
 - Fix an IRQ handling bug in the crystalcove driver.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUu4HCAAoJEEEQszewGV1zx9wP/3oREk/os8ZvWbbXnsLiJ2lf
 v7Oa0kZtIqS5zhE6MOmjEuMoKJBvIjv89n3xwydXfWN9SImhJzjYkhkVYMs8zysh
 li0AgmVzYHM3+/cuX/qtyV57WhP5WNW3B4j5WXdDQEDMvPhH3Rdbgke2cgVsuAfm
 Z+yddAwy18iqPaCy5BKc4JbHH5NWF7ntkGD5Loryt0VPZeJFiXvf6Y1qCpxRXe0k
 acj03QOBiwGJFCYGyXOJn8wjjuM/vLJ+XFchF144EUR6ECKYoMbnn+JjQURaWYrq
 ubc+B0A5fwsmWBwKcvRfPfgDwwnm3BNFK0I1R/ZvRJWRCwCxsuUmW2gnpi9PlD/G
 iQ0aCudrqBQfOLBRkDrtSMpVnD3A6pxRWx7cHAe24mx6ORNXs1EpmSgjA2mk08LL
 hr1w9tp0L4huGQ/5b9P7S6Oz+KTyH+OBQU6VKxBxJ24raDVigkSXe9YGXlbupruB
 B7JpgEdzvHp1YcBEYB8Bu+p89/NdFN4VdoSwnLKttFaPxIX+i1J4PyZaGNIhB8HI
 flIapWbbcQ4jJA9Ym7r7Vc/i3ATBoq+znq/VPNNlfPu767GLukyln3KvFHpBJVd4
 JR3zCuWwlsgz9uDPSwl1h6gIeCFiXGvxk9LWBcbjTdDKZzE4i0rqpfPU36WSFeyP
 NKUck+bcPcqKuo0EoDU6
 =ekXq
 -----END PGP SIGNATURE-----

Merge tag 'gpio-v3.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

Pull GPIO fixes from Linus Walleij:
 "Here is a set of fixes that mainly appeared when Johan Hovold started
  exercising the removal path of the GPIO library, dealing with
  hotplugging of GPIO controllers. Details from tag:

  A slew of fixes dealing with some irritating bugs (non-regressions)
  that have been around forever in the GPIO subsystem, most of them also
  tagged for stable:

   - A large slew of fixes from Johan Hovold who is finally testing and
     reviewing the removal path of the GPIO drivers.

   - Fix of_get_named_gpiod_flags() so it works as expected.

   - Fix an IRQ handling bug in the crystalcove driver"

* tag 'gpio-v3.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpiolib: of: Correct error handling in of_get_named_gpiod_flags
  gpio: sysfs: fix gpio attribute-creation race
  gpio: sysfs: fix gpio device-attribute leak
  gpio: sysfs: fix gpio-chip device-attribute leak
  gpio: unregister gpiochip device before removing it
  gpio: fix sleep-while-atomic in gpiochip_remove
  gpio: fix memory leak and sleep-while-atomic
  gpio: clean up gpiochip_add error handling
  gpio: fix gpio-chip list corruption
  gpio: fix memory and reference leaks in gpiochip_add error path
  gpio: crystalcove: use handle_nested_irq
2015-01-19 05:03:13 +12:00
Linus Torvalds
66893885bb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input subsystem fixes from Dmitry Torokhov.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: uinput - fix ioctl nr overflow for UI_GET_SYSNAME/VERSION
  Input: I8042 - add Acer Aspire 7738 to the nomux list
  Input: elantech - support new ICs types for version 4
  Input: i8042 - reset keyboard to fix Elantech touchpad detection
  MAINTAINERS: remove Dmitry Torokhov's alternate address
2015-01-19 04:55:23 +12:00
Linus Torvalds
ec6f34e5b5 Linux 3.19-rc5 2015-01-18 18:02:20 +12:00
Linus Torvalds
d0ac5d8e67 ARM: SoC fixes
We've been sitting on our fixes branch for a while, so this batch is
 unfortunately on the large side.
 
 A lot of these are tweaks and fixes to device trees, fixing various bugs
 around clocks, reg ranges, etc. There's also a few defconfig updates
 (which are on the late side, no more of those).
 
 All in all the diffstat is bigger than ideal at this time, but the nothing
 in here seems particularly risky.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUudSXAAoJEIwa5zzehBx3WmkP/RDPvMHGllPxZ7jDTBK2scGY
 U0zg3zeIKbJANke8BZNaYNnYmLtvOcwiqA80CsOE23+l1zv2tSf8v/je1dENFmzr
 rHahs1ZAQ2fv5k1NCazOxkeTcu5frcDujoHkDVo2b4ofLzhlTYP5UEkapLBdihrB
 KLGCXynjmMLXDViLw7mhaM0gZOxyyO3CTaBUJeLPWqTpy26LliFdJfDxe+oa+dx9
 CX3YbfKKHJ9ENFwHB6oLk0cQy1eLieWTcYJk06wUsCdcsoZmWySiaWpLFb9MIyoT
 eLqT4k8cNMNdB49GNvwZz7NxbG9RetzNd5Ixglr9NodB3mNxpW3PyU3lxrRUSc4X
 6Ij9rgFWwfRKlmCFZnHF5mxSx7z4NoBQJWsVBB4EFjfyX8eVkZ+Gu82gK6V/2HNa
 vpMAqmNCM99VXx4nsoiNBpYVShAgXxC0r8D5MKNaITZ/Z7tarJe/M2JDnxyR+r5L
 DCyjj3swQ21hKMv8FFXkOSfXir9v9bQg5KMeA7HNPCsKjvcWxpHGQdVZVkGQ3D8J
 umFsForMr3AY0G+HtmP+ntVEEB8g8AiTQgiC7gyfAKhJhjMd/vYmJdsVvsXk2SL/
 yh1y08f46FFasbVR2TTYPt6njj4FdcbDDsB5ks2gBpkb4qjutoMlNRDOYbfoN7eX
 VTacVVRJy4ftSLeNnN70
 =lJPi
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:
 "We've been sitting on our fixes branch for a while, so this batch is
  unfortunately on the large side.

  A lot of these are tweaks and fixes to device trees, fixing various
  bugs around clocks, reg ranges, etc.  There's also a few defconfig
  updates (which are on the late side, no more of those).

  All in all the diffstat is bigger than ideal at this time, but nothing
  in here seems particularly risky"

* tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (31 commits)
  reset: sunxi: fix spinlock initialization
  ARM: dts: disable CCI on exynos5420 based arndale-octa
  drivers: bus: check cci device tree node status
  ARM: rockchip: disable jtag/sdmmc autoswitching on rk3288
  ARM: nomadik: fix up leftover device tree pins
  ARM: at91: board-dt-sama5: add phy_fixup to override NAND_Tree
  ARM: at91/dt: sam9263: Add missing clocks to lcdc node
  ARM: at91: sama5d3: dt: correct the sound route
  ARM: at91/dt: sama5d4: fix the timer reg length
  ARM: exynos_defconfig: Enable LM90 driver
  ARM: exynos_defconfig: Enable options for display panel support
  arm: dts: Use pmu_system_controller phandle for dp phy
  ARM: shmobile: sh73a0 legacy: Set .control_parent for all irqpin instances
  ARM: dts: berlin: correct BG2Q's SM GPIO location.
  ARM: dts: berlin: add broken-cd and set bus width for eMMC in Marvell DMP DT
  ARM: dts: berlin: fix io clk and add missing core clk for BG2Q sdhci2 host
  ARM: dts: Revert disabling of smc91x for n900
  ARM: dts: imx51-babbage: Fix ULPI PHY reset modelling
  ARM: dts: dra7-evm: fix qspi device tree partition size
  ARM: omap2plus_defconfig: use CONFIG_CPUFREQ_DT
  ...
2015-01-18 18:00:40 +12:00
Daniel Borkmann
2061dcd6bf net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
I.e. one-to-many sockets in SCTP are not required to explicitly
call into connect(2) or sctp_connectx(2) prior to data exchange.
Instead, they can directly invoke sendmsg(2) and the SCTP stack
will automatically trigger connection establishment through 4WHS
via sctp_primitive_ASSOCIATE(). However, this in its current
implementation is racy: INIT is being sent out immediately (as
it cannot be bundled anyway) and the rest of the DATA chunks are
queued up for later xmit when connection is established, meaning
sendmsg(2) will return successfully. This behaviour can result
in an undesired side-effect that the kernel made the application
think the data has already been transmitted, although none of it
has actually left the machine, worst case even after close(2)'ing
the socket.

Instead, when the association from client side has been shut down
e.g. first gracefully through SCTP_EOF and then close(2), the
client could afterwards still receive the server's INIT_ACK due
to a connection with higher latency. This INIT_ACK is then considered
out of the blue and hence responded with ABORT as there was no
alive assoc found anymore. This can be easily reproduced f.e.
with sctp_test application from lksctp. One way to fix this race
is to wait for the handshake to actually complete.

The fix defers waiting after sctp_primitive_ASSOCIATE() and
sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
from sctp_sendmsg() have already been placed into the output
queue through the side-effect interpreter, and therefore can then
be bundeled together with COOKIE_ECHO control chunks.

strace from example application (shortened):

socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
           msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
           msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
           msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
           msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
           msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
           msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
close(3) = 0

tcpdump before patch (fooling the application):

22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]

tcpdump after patch:

14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]

Looks like this bug is from the pre-git history museum. ;)

Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-17 23:52:20 -05:00
Linus Torvalds
12ba8571ab Small number of fixes for clock drivers and a single null pointer
dereference fix in the framework core code. The driver fixes vary from
 fixing section mismatch warnings to preventing machines from hanging
 (and preventing developers from crying).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUuuT0AAoJEDqPOy9afJhJTCIP/iZ2AtnG/5mbYR8i7FzfSR8y
 gm+vpTvKAhIkWxj1DNUMtSTRBvfxO8xpnsXJ4BibIhmtO8yJbYI8LIEycIJ4TcWC
 4s0MDQsaMGVEfSI8K+OoFsXI+WzU1j28le2yYE6oHVuLe7gdLnpx6sheNdnL0XxX
 sv8HoI/pTFpw0jI20EZUcX/pEELGWlAZN9NCpW74cbVl/wusvV20CYG5n879Sg8n
 Zl26wXusys83+0mFgs6+Kvpeuxo78XXveTSvB+aJ5VEWDfm10kE5bqyo6iOL0rpI
 luGIMf6Uufq6+1Hzp8whgE59FOvugNjay3OR+pz7P+gWk1Ea5c9qXpBtg3gEtjF9
 JoMpjPSXAnGgjhJsuZhO4+z23OhpB+FcuC1x6EcL0i6iqpzbNpJTYa8eNMOOt8FR
 h3YCzr32IHZ6a2YutCuEdof8d9GZ5I2r8G9p8ezv7CJEBHIrLVTyu3xELwN9Ijuj
 p83716w0NU2avN2N6nF2sAF26UJhG/GbmQWkOSnj2cmeDI5xxnClJD/3etgtIaIj
 RA/WLVfUscszR52IZ2V56KKTrRJkNz04Zsx803yNZKXkNIrJ+I04xBAvQETKk24f
 fImY65mkJWC8iAErEKHYZi8WxdHAu5xRYwL34HvIfpDAsHvqHNZBltYTee6HuM2k
 wbD42D8XsOoBfZwg07RF
 =B+t3
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mike.turquette/linux

Pull clock driver fixes from Mike Turquette:
 "Small number of fixes for clock drivers and a single null pointer
  dereference fix in the framework core code.

  The driver fixes vary from fixing section mismatch warnings to
  preventing machines from hanging (and preventing developers from
  crying)"

* tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mike.turquette/linux:
  clk: fix possible null pointer dereference
  Revert "clk: ppc-corenet: Fix Section mismatch warning"
  clk: rockchip: fix deadlock possibility in cpuclk
  clk: berlin: bg2q: remove non-exist "smemc" gate clock
  clk: at91: keep slow clk enabled to prevent system hang
  clk: rockchip: fix rk3288 cpuclk core dividers
  clk: rockchip: fix rk3066 pll lock bit location
  clk: rockchip: Fix clock gate for rk3188 hclk_emem_peri
  clk: rockchip: add CLK_IGNORE_UNUSED flag to fix rk3066/rk3188 USB Host
2015-01-18 15:29:11 +12:00