Commit Graph

399886 Commits

Author SHA1 Message Date
Kees Cook
35a4a5733b isdn: clean up debug format string usage
Avoid unneeded local string buffers for constructing debug output.  Also
cleans up debug calls that contain a single parameter so that they cannot
be accidentally parsed as format strings.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-13 20:02:50 -04:00
Libo Chen
a2a69f0b35 drivers/atm/he.c: convert to module_pci_driver
Signed-off-by: Libo Chen <libo.chen@huawei.com>
Cc: Chas Williams <chas@cmf.nrl.navy.mil>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-13 20:02:50 -04:00
David S. Miller
c9771bfd6d Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net
Jeff Kirsher says:

====================
Intel Wired LAN Driver Updates

This series contains updates to ixgbe and e1000e.

Jacob provides a ixgbe patch to fix the configure_rx patch to properly
disable RSC hardware logic when a user disables it.  Previously we only
disabled RSC in the queue settings, but this does not fully disable
hardware RSC logic which can lead to unexpected performance issues.

Emil provides three fixes for ixgbe.  First fixes the ethtool loopback
test when DCB is enabled, where the frames may be modified on Tx
(by adding VLAN tag) which will fail the check on receive.  Then a fix
for QSFP+ modules, limit the speed setting to advertise only one speed
at a time since the QSFP+ modules do not support auto negotiation.
Lastly, resolve an issue where the driver will display incorrect info
for QSFP+ modules that were inserted after the driver has been loaded.

David Ertman provides to fixes for e1000e, one removes a comparison to
the boolean value true where evaluating the lvalue will produce the
same result.  The other fixes an error in the calculation of the
rar_entry_count, which causes a write of unkown/undefined register
space in the MAC to unknown/undefined register space in the PHY.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-13 19:35:24 -04:00
Björn Jacke
81b66220a9 cifs: update cifs.txt and remove some outdated infos
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Björn JACKE <bj@sernet.de>
Signed-off-by: Steve French <smfrench@gmail.com>
2013-09-13 16:29:58 -05:00
Sachin Prabhu
466bd31bbd cifs: Avoid calling unlock_page() twice in cifs_readpage() when using fscache
When reading a single page with cifs_readpage(), we make a call to
fscache_read_or_alloc_page() which once done, asynchronously calls
the completion function cifs_readpage_from_fscache_complete(). This
completion function unlocks the page once it has been populated from
cache. The module then attempts to unlock the page a second time in
cifs_readpage() which leads to warning messages.

In case of a successful call to fscache_read_or_alloc_page() we should skip
the second unlock_page() since this will be called by the
cifs_readpage_from_fscache_complete() once the page has been populated by
fscache.

With the modifications to cifs_readpage_worker(), we will need to re-grab the
page lock in cifs_write_begin().

The problem was first noticed when testing new fscache patches for cifs.
https://bugzilla.redhat.com/show_bug.cgi?id=1005737

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2013-09-13 16:24:49 -05:00
Sachin Prabhu
a9e9b7bc15 cifs: Do not take a reference to the page in cifs_readpage_worker()
We do not need to take a reference to the pagecache in
cifs_readpage_worker() since the calling function will have already
taken one before passing the pointer to the page as an argument to the
function.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2013-09-13 16:24:43 -05:00
Linus Torvalds
bdbdfdef57 Some more low risk cleanup patches:
Remove unnecessary pci_set_drvdata in k10temp driver from Jingoo Han
 Fix return values in several drivers from Sachin Kamat
 Remove redundant break in amc6821 driver from Sachin Kamat
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJSMeiEAAoJEMsfJm/On5mBi78P/jBVis7/4KDVFV1KAy1NhzAD
 EzxRN7X2sM3Iihj1wjMflcW6k9JSzIbC/Q82ouvVNzlgOZu85yoi926p0PIH7A/g
 E/X4hlictBzTsc9SjTGio9E6f59wFroBSDnquEo6JRCgdX9DqeaGzh8W/0PR5wSh
 SkZgXGoXxAK1fH26UZ1sXf2k4y4d6xNGVAv/HIb3jHu1EhDTb0cHzg+5m+qvdSuD
 5RBfVJMEiJITCHAhP9IdiWP6k8iePLnaBaR77J6vAxWrSBD6a3D4loDkd/FguqGJ
 svkyldm5CB0bhHCMEP6IwGNeyr1W/D2OcueYmMDc99HIY+zAOjhAnge1skBIr6A/
 hmNf7UT3xH0AQMp4I1ALgdu1Ie95lq3COGXwKy1ir/BVCYAeWC1MWb7qtmRcxqyt
 pwc9DHaplIRLoKM+CJEwV6o+gaP9L6+BiBn15g5Rv0RA7vvpl0d/Yrjx4ChWL06K
 paQcxvML/WUjq5uBIFzJmpfXhsUYcMC+YlPRwYhmEql0nTAFWnLejQrIMeSiH0VW
 ADWlN6DFJz75B7HnVnP9jk4H0ljMS9FJBhC2IkH1pDBrtLZs8ChCGXc4md0LwT7T
 1yB2AQGUhb/izDXlw/0I7Q7mJYgYfggaXg1LkRWrV9zjetvzwnArMQ/K4AOiV6yo
 Kxx5tUAkMaFzobqowgvQ
 =Lcfb
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:
 "Some more low risk cleanup patches:

   - Remove unnecessary pci_set_drvdata in k10temp driver from Jingoo Han
   - Fix return values in several drivers from Sachin Kamat
   - Remove redundant break in amc6821 driver from Sachin Kamat"

* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (k10temp) remove unnecessary pci_set_drvdata()
  hwmon: (tmp421) Fix return value
  hwmon: (amc6821) Remove redundant break
  hwmon: (amc6821) Fix return value
  hwmon: (ibmaem) Fix return value
  hwmon: (emc2103) Fix return value
2013-09-13 10:58:41 -07:00
Linus Torvalds
6700215140 Xtensa patchset for v3.12
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJSMiG+AAoJEI9vqH3mFV2sLDwP/04Zt2Wvurdwd3tAW2fgJ3c/
 RJ2nQwt1w/YhMVUz/52QOtFiOrYF8fldpS3+51FphRiBPZa9oWPafCGWLotMnnfB
 myVeJ9xArscVpzLCAMONaBazE39/HoHGHtsRSjn8WGymbDByIH8PDwA6zSX9zPTu
 HuwdAH+x40wEEN6zFxQJyS4tdnHszOrJfHozwYZkSuXApHUkfBxxRQ5teV5u7ozF
 PSRfuNjiKs9BfDobhU7olIGx+ccUspYY695B9i+ChTNkgVZDSz+HKymYAzCMuPUr
 z++1qJCp5jR08/48X2UMwevpZr9NuR7Xf1hFGZ/tplCx0DBaTYi4sotviKPINp8R
 GuVH7SMkVdR4SdarigfoRpKSB/RZ7PvyfAP5bFfFTc8gQR8R8VLLQDp+9D2j2aeU
 BKxUVFGgXj65hEQaiTJrXXNrSciGE7I64CBGgmmvOGjo5pD8m9hcRaD2HhHontdr
 N/aM6ryRxadssoFoeo3KXVhnm0X7AxuIjYWexnc7BR3w7lG2VA6hh0DSuI5B1h05
 E/oWIsZWLseSojCuPIpPTpgFidx5lG4KYBA/irz5wi2bsFwVkVzGTNFzKe4Vaki2
 R4FxBVan7NuxEcS2gjBhkonPKlyCiTWLFGQcrzNY75sDIASmzpBQWjVe8J12Z+T7
 V3z8DwIcJuVdZcoyKRth
 =O8Zr
 -----END PGP SIGNATURE-----

Merge tag 'xtensa-next-20130912' of git://github.com/czankel/xtensa-linux

Pull Xtensa updates from Chris Zankel.

* tag 'xtensa-next-20130912' of git://github.com/czankel/xtensa-linux:
  xtensa: Fix broken allmodconfig build
  xtensa: remove CCOUNT_PER_JIFFY
  xtensa: fix !CONFIG_XTENSA_CALIBRATE_CCOUNT build failure
  xtensa: don't use echo -e needlessly
  xtensa: new fast_alloca handler
  xtensa: keep a3 and excsave1 on entry to exception handlers
  xtensa: enable kernel preemption
  xtensa: check thread flags atomically on return from user exception
2013-09-13 10:57:48 -07:00
Linus Torvalds
9bf12df31f Merge git://git.kvack.org/~bcrl/aio-next
Pull aio changes from Ben LaHaise:
 "First off, sorry for this pull request being late in the merge window.
  Al had raised a couple of concerns about 2 items in the series below.
  I addressed the first issue (the race introduced by Gu's use of
  mm_populate()), but he has not provided any further details on how he
  wants to rework the anon_inode.c changes (which were sent out months
  ago but have yet to be commented on).

  The bulk of the changes have been sitting in the -next tree for a few
  months, with all the issues raised being addressed"

* git://git.kvack.org/~bcrl/aio-next: (22 commits)
  aio: rcu_read_lock protection for new rcu_dereference calls
  aio: fix race in ring buffer page lookup introduced by page migration support
  aio: fix rcu sparse warnings introduced by ioctx table lookup patch
  aio: remove unnecessary debugging from aio_free_ring()
  aio: table lookup: verify ctx pointer
  staging/lustre: kiocb->ki_left is removed
  aio: fix error handling and rcu usage in "convert the ioctx list to table lookup v3"
  aio: be defensive to ensure request batching is non-zero instead of BUG_ON()
  aio: convert the ioctx list to table lookup v3
  aio: double aio_max_nr in calculations
  aio: Kill ki_dtor
  aio: Kill ki_users
  aio: Kill unneeded kiocb members
  aio: Kill aio_rw_vect_retry()
  aio: Don't use ctx->tail unnecessarily
  aio: io_cancel() no longer returns the io_event
  aio: percpu ioctx refcount
  aio: percpu reqs_available
  aio: reqs_active -> reqs_available
  aio: fix build when migration is disabled
  ...
2013-09-13 10:55:58 -07:00
David Ertman
c3a0dce35a e1000e: fix overrun of PHY RAR array
When copying the MAC RAR registers to PHY there is an error in the
calculation of the rar_entry_count, which causes a write of unknown/
undefined register space in the MAC to unknown/undefined register space in
the PHY.

This patch fixes the overrun with writing to the PHY RAR and also fixes the
ethtool offline register tests so that the correctly addressed registers
have the appropriate bitmasks for R/W and RO bits for affected parts.

Shawn Rader gets credit for finding and fixing the register overrun.

Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com>
CC: Shawn Rader <shawn.t.rader@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-09-13 10:19:56 -07:00
David Ertman
138953bb6a e1000e: cleanup boolean comparison to true
Removing a comparison to the boolean value true where simply interrogating
the lvalue will produce the same result.

Signed-off-by: David Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-09-13 10:06:55 -07:00
Emil Tantilov
0f8fdab133 ixgbe: fix ethtool reporting of supported links for SFP modules
This patch resolves an issue where the driver will display incorrect info
for Q/SFP+ modules that were inserted after the driver has been loaded.

This patch adds a call to identify_phy() in ixgbe_get_settings() prior to
calling get_link_capabilities() which needs the PHY data in order to
determine the correct settings.

Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-09-13 09:58:12 -07:00
Emil Tantilov
ed33ff66d8 ixgbe: limit setting speed to only one at a time for QSFP modules
QSFP+ modules do not support auto negotiation and should advertise only
one speed at a time.

This patch adds logic in ethtool to allow setting and reporting the
advertised speed at either 1Gbps or 10Gbps, but not both. Also limits
the speed set in ixgbe_sfp_link_config_subtask() to highest supported.
Previously the link was set to whatever the supported speeds were.

Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-09-13 09:51:03 -07:00
Emil Tantilov
91ffdc842b ixgbe: fix ethtool loopback diagnostic with DCB enabled
This patch disables DCB prior to running the loopback test.
When DCB is enabled the frames may be modified on Tx (by adding vlan tag)
which will fail the check on Rx.

Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Tested-by: Jack Morgan <jack.morgan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-09-13 09:41:33 -07:00
Chris Metcalf
35fab6118f tile: remove stale arch/tile/kernel/futex_64.S
This should have been removed with commit 47d632f9f8, but
it was overlooked.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-09-13 11:15:24 -04:00
Chris Metcalf
4b12909fd1 tile: remove HUGE_VMAP dead code
A config option to allow a variant vmap() using huge pages that was never
upstreamed had some bits of code related to it scattered around the tile
architecture; the config option was removed downstream and this commit
cleans up the scattered evidence of it from the upstream as well.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-09-13 11:15:24 -04:00
Chris Metcalf
8629470ef8 tile: use pmd_pfn() instead of casting via pte_t
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-09-13 11:14:25 -04:00
Chris Metcalf
4db30e38ec tile: fix typos in comment in arch/tile/kernel/unaligned.c
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-09-13 10:57:54 -04:00
Jacob Keller
6dcc28b93e ixgbe: fully disable hardware RSC logic when disabling RSC
This patch modifies the configure_rx path in order to properly disable RSC
hardware logic when the user disables it. Previously we only disabled RSC in the
queue settings, but this does not fully disable hardware RSC logic which can
lead to some unexpected performance issues.

Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-09-13 07:39:29 -07:00
Linus Torvalds
399a946edb Merge branch 'genirq' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull generic hardirq option removal from Martin Schwidefsky:
 "All architectures now use generic hardirqs, s390 has been last to
  switch.

  With that the code under !CONFIG_GENERIC_HARDIRQS and the related
  HAVE_GENERIC_HARDIRQS and GENERIC_HARDIRQS config options can be
  removed.  Yay!"

* 'genirq' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  Remove GENERIC_HARDIRQ config option
2013-09-13 07:31:38 -07:00
Linus Torvalds
183c420323 Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild
Pull kconfig fix from Michal Marek:
 "This is a fix for a regression caused by my previous pull request.

  A sed command in scripts/config that used colons as separator was
  accidentally changed to use slashes, which fails when you use slashes
  in a value.  Changing it back to colons is of course not a proper fix,
  but at least it will be broken in the same way it had been for four
  years.  A proper fix is pending"

* 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
  scripts/config: fix variable substitution command
2013-09-13 07:30:17 -07:00
Linus Torvalds
951a730af4 blackfin updates for Linux 3.12
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJSMoABAAoJEJommM3PjknHeK0QAMCWvahMa3bHu1lPbvYoUKZ8
 lFYWye3RLpXQQgLcKTfVH/qoci1I4ssr5MmChZ88TmAZgojRlPk95rBu0pX08+dI
 6Ro6rfAYCd6LT06YFb1hOYzBkqmz2SCY1R+MKLPu2kzTC06lnd+iF2sEpBpyBSTq
 YyW42ZRgOcGf+/iqiBUo112ZbP2V00jQIeQNyvgwF7GKy+lx86SYxzsIukteSCgI
 W1pNNUnshXT9sH8tGLLtHEkAkYzSkL0mDLdpztkYKiVqXUaSZAz2jfz6CDqfTiNj
 i+wqTG02NN8lMSH8no8Eko9svzuGAmQVYQiSCL2y0Xesy4P2HW2B5uzVD0oKQXp3
 dKAmzUlhoSakAcq/6Rf11HYNYfeCN0T1VqnDt4U/OrIIq/WbK0qPsRtawYw0A5tZ
 4uOCZqxfcUW4y0y6TXBRToFb4Fa0vmGX3WGi6DnW6wU1PaEnW14tkqqvCOA9EUHr
 SZePAkPldRqLxCaJkhqS5eh6SlkObO81Nxtq7D0a1KkT6e2pYToq7QPKECitfs4U
 q5Q6PxKbxrLBRQRIYmU62dQYGsMinwaqjkOsyU0+e89iA4NGu+vq/SVRgYWiSxWF
 BHFW+OBZdYvhyTVYRF5ruSPdMxR6uUVSgMwYPYUUKaXgJ8qV9zaRhrFtdsYmweVc
 AVH7Iay5w9WSO7WghTTS
 =Shbz
 -----END PGP SIGNATURE-----

Merge tag 'blackfin-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/realmz6/blackfin-linux

Pull blackfin updates from Steven Miao.

* tag 'blackfin-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/realmz6/blackfin-linux:
  blackfin: Ignore generated uImages
  blackfin: Add STMMAC platform data to enable dwmac1000 driver on BF60x.
  bf609: adv7343: add S-Video and Component output support
  bf609: add adv7343 video encoder support
  clock: add stmmac clock for ethernet driver
  blackfin: scb: Add SCB1 to SCB9 config options and data.
  blackfin: scb: Add system crossbar init code.
2013-09-13 07:23:49 -07:00
Linus Torvalds
0898d2aa9d Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:
 "This fixes a 7+ year race condition in the crypto API that causes
  sporadic crashes when multiple threads load the same algorithm.

  It also fixes the crct10dif algorithm again to prevent boot failures
  on systems where the initramfs tool ignores module softdeps"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: crct10dif - Add fallback for broken initrds
  crypto: api - Fix race condition in larval lookup
2013-09-13 07:11:14 -07:00
Benjamin Tissoires
0ccdd9e747 HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
If tpkbd_probe_tp() bails out, the probe() function return an error,
but hid_hw_stop() is never called.

fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1003998

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:15:11 +02:00
Benjamin Tissoires
8821f5dc18 HID: multitouch: validate indexes details
When working on report indexes, always validate that they are in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

Note that we need to change the indexes from s8 to s16 as they can
be between -1 and 255.

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:13:52 +02:00
Kees Cook
297502abb3 HID: logitech-dj: validate output report details
A HID device could send a malicious output report that would cause the
logitech-dj HID driver to leak kernel memory contents to the device, or
trigger a NULL dereference during initialization:

[  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
...
[  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90

CVE-2013-2895

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:13:32 +02:00
Benjamin Tissoires
cc6b54aa54 HID: validate feature and input report details
When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:13:22 +02:00
Kees Cook
0a9cd0a80a HID: lenovo-tpkbd: validate output report details
A HID device could send a malicious output report that would cause the
lenovo-tpkbd HID driver to write just beyond the output report allocation
during initialization, causing a heap overflow:

[   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
...
[   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2894

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:13:00 +02:00
Markos Chandras
1b4676330a MIPS: kernel: vpe: Make vpe_attrs an array of pointers.
Commit 567b21e973
"mips: convert vpe_class to use dev_groups"

broke the build on MIPS since vpe_attrs should be an array
of 'struct device_attribute' pointers.

Fixes the following build problem:
arch/mips/kernel/vpe.c:1372:2: error: missing braces around initializer
[-Werror=missing-braces]
arch/mips/kernel/vpe.c:1372:2: error: (near initialization for 'vpe_attrs[0]')
[-Werror=missing-braces]

Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: John Crispin <blogic@openwrt.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5819/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-13 15:12:48 +02:00
Kees Cook
0fb6bd06e0 HID: LG: validate HID output report details
A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:

[  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten

Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.

CVE-2013-2893

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:12:39 +02:00
Kees Cook
41df7f6d43 HID: steelseries: validate output report details
A HID device could send a malicious output report that would cause the
steelseries HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:

[  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
...
[  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2891

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:12:28 +02:00
Kees Cook
9446edb9a1 HID: sony: validate HID output report details
This driver must validate the availability of the HID output report and
its size before it can write LED states via buzz_set_leds(). This stops
a heap overflow that is possible if a device provides a malicious HID
output report:

[  108.171280] usb 1-1: New USB device found, idVendor=054c, idProduct=0002
...
[  117.507877] BUG kmalloc-192 (Not tainted): Redzone overwritten

CVE-2013-2890

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org #3.11
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:12:12 +02:00
Kees Cook
78214e81a1 HID: zeroplus: validate output report details
The zeroplus HID driver was not checking the size of allocated values
in fields it used. A HID device could send a malicious output report
that would cause the driver to write beyond the output report allocation
during initialization, causing a heap overflow:

[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
...
[ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2889

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:11:34 +02:00
Kees Cook
331415ff16 HID: provide a helper for validating hid reports
Many drivers need to validate the characteristics of their HID report
during initialization to avoid misusing the reports. This adds a common
helper to perform validation of the report exisitng, the field existing,
and the expected number of values within the field.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:11:21 +02:00
Martin Schwidefsky
0244ad004a Remove GENERIC_HARDIRQ config option
After the last architecture switched to generic hard irqs the config
options HAVE_GENERIC_HARDIRQS & GENERIC_HARDIRQS and the related code
for !CONFIG_GENERIC_HARDIRQS can be removed.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2013-09-13 15:09:52 +02:00
Clement Chauplannaz
86eb781889 scripts/config: fix variable substitution command
Commit 229455bc02b87f7128f190c4491b4ceffff38648 accidentally changed the
separator between sed `s' command and its parameters from ':' to '/'.

Revert this change.

Reported-and-tested-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Clement Chauplannaz <chauplac@gmail.com>
Signed-off-by: Michal Marek <mmarek@suse.cz>
2013-09-13 13:06:59 +02:00
Leonid Yegoshin
670bac3a8c MIPS: Fix SMP core calculations when using MT support.
The TCBIND register is only available if the core has MT support. It
should not be read otherwise. Secondly, the number of TCs (siblings)
are calculated differently depending on if the kernel is configured
as SMVP or SMTC.

Signed-off-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Signed-off-by: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5822/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-13 11:59:51 +02:00
Phil Oester
d830f0fa1d netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
In commit 58a317f1 (netfilter: ipv6: add IPv6 NAT support), icmpv6_manip_pkt
was added with an incorrect comparison of ICMP codes to types.  This causes
problems when using NAT rules with the --random option.  Correct the
comparison.

This closes netfilter bugzilla #851, reported by Alexander Neumann.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-13 11:58:48 +02:00
Michal Kubeček
c13a84a830 netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
Commit 68b80f11 (netfilter: nf_nat: fix RCU races) introduced
RCU protection for freeing extension data when reallocation
moves them to a new location. We need the same protection when
freeing them in nf_ct_ext_free() in order to prevent a
use-after-free by other threads referencing a NAT extension data
via bysource list.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-13 11:58:40 +02:00
Maciej W. Rozycki
5359b938c0 MIPS: DECstation I/O ASIC DMA interrupt handling fix
This change complements commit d0da7c002f7b2a93582187a9e3f73891a01d8ee4
and brings clear_ioasic_irq back, renaming it to clear_ioasic_dma_irq at
the same time, to make I/O ASIC DMA interrupts functional.

Unlike ordinary I/O ASIC interrupts DMA interrupts need to be deasserted
by software by writing 0 to the respective bit in I/O ASIC's System
Interrupt Register (SIR), similarly to how CP0.Cause.IP0 and CP0.Cause.IP1
bits are handled in the CPU (the difference is SIR DMA interrupt bits are
R/W0C so there's no need for an RMW cycle).  Otherwise the handler is
reentered over and over again.

The only current user is the DEC LANCE Ethernet driver and its extremely
uncommon DMA memory error handler that does not care when exactly the
interrupt is cleared.  Anticipating the use of DMA interrupts by the Zilog
SCC driver this change however exports clear_ioasic_dma_irq for device
drivers to choose the right application-specific sequence to clear the
request explicitly rather than calling it implicitly in the .irq_eoi
handler of `struct irq_chip'.  Previously these interrupts were cleared in
the .end handler of the said structure, before it was removed.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5826/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-13 11:57:40 +02:00
Maciej W. Rozycki
daed1285c3 MIPS: DECstation HRT initialization rearrangement
Not all I/O ASIC versions have the free-running counter implemented, an
early revision used in the 5000/1xx models aka 3MIN and 4MIN did not have
it.  Therefore we cannot unconditionally use it as a clock source.
Fortunately if not implemented its register slot has a fixed value so it
is enough if we check for the value at the end of the calibration period
being the same as at the beginning.

This also means we need to look for another high-precision clock source on
the systems affected.  The 5000/1xx can have an R4000SC processor
installed where the CP0 Count register can be used as a clock source.
Unfortunately all the R4k DECstations suffer from the missed timer
interrupt on CP0 Count reads erratum, so we cannot use the CP0 timer as a
clock source and a clock event both at a time.  However we never need an
R4k clock event device because all DECstations have a DS1287A RTC chip
whose periodic interrupt can be used as a clock source.

This gives us the following four configuration possibilities for I/O ASIC
DECstations:

1. No I/O ASIC counter and no CP0 timer, e.g. R3k 5000/1xx (3MIN).

2. No I/O ASIC counter but the CP0 timer, i.e. R4k 5000/150 (4MIN).

3. The I/O ASIC counter but no CP0 timer, e.g. R3k 5000/240 (3MAX+).

4. The I/O ASIC counter and the CP0 timer, e.g. R4k 5000/260 (4MAX+).

For #1 and #2 this change stops the I/O ASIC free-running counter from
being installed as a clock source of a 0Hz frequency.  For #2 it also
arranges for the CP0 timer to be used as a clock source rather than a
clock event device, because having an accurate wall clock is more
important than a high-precision interval timer.  For #3 there is no
change.  For #4 the change makes the I/O ASIC free-running counter
installed as a clock source so that the CP0 timer can be used as a clock
event device.

Unfortunately the use of the CP0 timer as a clock event device relies on a
succesful completion of c0_compare_interrupt.  That never happens, because
while waiting for a CP0 Compare interrupt to happen the function spins in
a loop reading the CP0 Count register.  This makes the CP0 Count erratum
trigger reliably causing the interrupt waited for to be lost in all cases.
As a result #4 resorts to using the CP0 timer as a clock source as well,
just as #2.  However we want to keep this separate arrangement in case
(hope) c0_compare_interrupt is eventually rewritten such that it avoids
the erratum.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5825/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-13 11:56:13 +02:00
Alexey Khoroshilov
8947312987 net/irda/mcs7780: fix memory leaks in mcs_net_open()
If rx_urb allocation fails in mcs_setup_urbs(), tx_urb leaks.
If mcs_receive_start() fails in mcs_net_open(), the both urbs are not deallocated.

The patch fixes the issues and by the way fixes label indentation.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:43:56 -04:00
Eugenia Emantayev
38463e2c29 net/mlx4_en: Check device state when setting coalescing
When the device is down, CQs are freed. We must check the device state
to avoid issuing firmware commands on non existing CQs.

CC: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:42:15 -04:00
Herbert Xu
be4f154d5e bridge: Clamp forward_delay when enabling STP
At some point limits were added to forward_delay.  However, the
limits are only enforced when STP is enabled.  This created a
scenario where you could have a value outside the allowed range
while STP is disabled, which then stuck around even after STP
is enabled.

This patch fixes this by clamping the value when we enable STP.

I had to move the locking around a bit to ensure that there is
no window where someone could insert a value outside the range
while we're in the middle of enabling STP.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Cheers,
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:32:14 -04:00
Chris Healy
9a0620133c resubmit bridge: fix message_age_timer calculation
This changes the message_age_timer calculation to use the BPDU's max age as
opposed to the local bridge's max age.  This is in accordance with section
8.6.2.3.2 Step 2 of the 802.1D-1998 sprecification.

With the current implementation, when running with very large bridge
diameters, convergance will not always occur even if a root bridge is
configured to have a longer max age.

Tested successfully on bridge diameters of ~200.

Signed-off-by: Chris Healy <cphealy@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:30:37 -04:00
Michael Opdenacker
f25672f1f9 net: tulip: remove deprecated IRQF_DISABLED
This patch proposes to remove the IRQF_DISABLED flag from
drivers/net/ethernet/dec/tulip/de4x5.c

It's a NOOP since 2.6.35 and it will be removed one day.

Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
Acked-by: Grant Grundler <grundler@parisc-linux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:27:09 -04:00
Michael Opdenacker
7bebd005af ethernet: amd: remove deprecated IRQF_DISABLED
This patch proposes to remove the IRQF_DISABLED flag from
drivers/net/ethernet/amd/sun3lance.c

It's a NOOP since 2.6.35 and it will be removed one day.

Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:27:09 -04:00
Michael Opdenacker
46c915f84f ehea: remove deprecated IRQF_DISABLED
This patch proposes to remove the IRQF_DISABLED flag from
drivers/net/ethernet/ibm/ehea/ehea_main.c

It's a NOOP since 2.6.35 and it will be removed one day.

Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:27:09 -04:00
Michael Opdenacker
63aca0f7fa bfin_mac: remove deprecated IRQF_DISABLED
This patch proposes to remove the IRQF_DISABLED flag from
drivers/net/ethernet/adi/bfin_mac.c.

It's a NOOP since 2.6.35 and it will be removed one day.

Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
Reviewed-by: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:27:09 -04:00
David Vrabel
6e43fc04a6 xen-netback: count number required slots for an skb more carefully
When a VM is providing an iSCSI target and the LUN is used by the
backend domain, the generated skbs for direct I/O writes to the disk
have large, multi-page skb->data but no frags.

With some lengths and starting offsets, xen_netbk_count_skb_slots()
would be one short because the simple calculation of
DIV_ROUND_UP(skb_headlen(), PAGE_SIZE) was not accounting for the
decisions made by start_new_rx_buffer() which does not guarantee
responses are fully packed.

For example, a skb with length < 2 pages but which spans 3 pages would
be counted as requiring 2 slots but would actually use 3 slots.

skb->data:

    |        1111|222222222222|3333        |

Fully packed, this would need 2 slots:

    |111122222222|22223333    |

But because the 2nd page wholy fits into a slot it is not split across
slots and goes into a slot of its own:

    |1111        |222222222222|3333        |

Miscounting the number of slots means netback may push more responses
than the number of available requests.  This will cause the frontend
to get very confused and report "Too many frags/slots".  The frontend
never recovers and will eventually BUG.

Fix this by counting the number of required slots more carefully.  In
xen_netbk_count_skb_slots(), more closely follow the algorithm used by
xen_netbk_gop_skb() by introducing xen_netbk_count_frag_slots() which
is the dry-run equivalent of netbk_gop_frag_copy().

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-12 23:22:13 -04:00