Commit Graph

362335 Commits

Author SHA1 Message Date
Eric Dumazet
ca10b9e9a8 selinux: add a skb_owned_by() hook
Commit 90ba9b1986 (tcp: tcp_make_synack() can use alloc_skb())
broke certain SELinux/NetLabel configurations by no longer correctly
assigning the sock to the outgoing SYNACK packet.

Cost of atomic operations on the LISTEN socket is quite big,
and we would like it to happen only if really needed.

This patch introduces a new security_ops->skb_owned_by() method,
that is a void operation unless selinux is active.

Reported-by: Miroslav Vadkerti <mvadkert@redhat.com>
Diagnosed-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-security-module@vger.kernel.org
Acked-by: James Morris <james.l.morris@oracle.com>
Tested-by: Paul Moore <pmoore@redhat.com>
Acked-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-09 13:23:11 -04:00
Wei Yongjun
c802d75962 netrom: fix invalid use of sizeof in nr_recvmsg()
sizeof() when applied to a pointer typed expression gives the size of the
pointer, not that of the pointed data.
Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg)

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 22:49:23 -04:00
Stefan Raspl
65d8013cbd qeth: fix qeth_wait_for_threads() deadlock for OSN devices
Any recovery thread will deadlock when calling qeth_wait_for_threads(), most
notably when triggering a recovery on an OSN device.
This patch will store the recovery thread's task pointer on recovery
invocation and check in qeth_wait_for_threads() respectively to avoid
deadlocks.

Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Reviewed-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 17:16:57 -04:00
Ursula Braun
f9c41a62bb af_iucv: fix recvmsg by replacing skb_pull() function
When receiving data messages, the "BUG_ON(skb->len < skb->data_len)" in
the skb_pull() function triggers a kernel panic.

Replace the skb_pull logic by a per skb offset as advised by
Eric Dumazet.

Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 17:16:57 -04:00
Michael Riesch
88c5b5ce5c rtnetlink: Call nlmsg_parse() with correct header length
Signed-off-by: Michael Riesch <michael.riesch@omicron.at>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jiri Benc <jbenc@redhat.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-kernel@vger.kernel.org
Acked-by: Mark Rustad <mark.d.rustad@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 17:12:26 -04:00
nikolay@redhat.com
69b0216ac2 bonding: fix bonding_masters race condition in bond unloading
While the bonding module is unloading, it is considered that after
rtnl_link_unregister all bond devices are destroyed but since no
synchronization mechanism exists, a new bond device can be created
via bonding_masters before unregister_pernet_subsys which would
lead to multiple problems (e.g. NULL pointer dereference, wrong RIP,
list corruption).

This patch fixes the issue by removing any bond devices left in the
netns after bonding_masters is removed from sysfs.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Acked-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 16:45:09 -04:00
nikolay@redhat.com
ffcdedb667 Revert "bonding: remove sysfs before removing devices"
This reverts commit 4de79c737b.

This patch introduces a new bug which causes access to freed memory.
In bond_uninit: list_del(&bond->bond_list);
bond_list is linked in bond_net's dev_list which is freed by
unregister_pernet_subsys.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 16:45:09 -04:00
David S. Miller
0f27f575f9 Merge branch 'wireless'
John W. Linville says:

====================
For the cfg80211 fix, Johannes says:

"I have another straggler for 3.9, adding locking forgotten in a previous
fix."

On top of that:

Bing Zhao provides an mwifiex fix to properly order a scan completion.

Franky Lin gives us a brcmfmac fix to fail at the firmware loading
stage if the nvram cannot be downloaded.

Gabor Juhos brings what at first looks like a rather big rt2x00 patch.
I think it is OK because it is really just reorganizing some code
within the rt2x00 driver in order to fix a build failure.

Hante Meuleman offers a trio of brcmfmac fixes related to running in
AP mode.

Robert Shade sends an ath9k fix to reenable interrupts even if a
channel change fails.

Tim Gardner gives us an rt2x00 fix to cut-down on some log SPAM.

Please let me know if there are problems!
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 16:39:55 -04:00
John W. Linville
64e5751918 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-04-08 14:26:57 -04:00
willy tarreau
b50b72de2f net: mvneta: enable features before registering the driver
It seems that the reason why the dev features were ignored was because
they were enabled after registeration.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 12:16:38 -04:00
Haiyang Zhang
f1ea3cd701 hyperv: Fix RNDIS send_completion code path
In some cases, the VM_PKT_COMP message can arrive later than RNDIS completion
message, which will free the packet memory. This may cause panic due to access
to freed memory in netvsc_send_completion().

This patch fixes this problem by removing rndis_filter_send_request_completion()
from the code path. The function was a no-op.

Reported-by: Long Li <longli@microsoft.com>
Tested-by: Long Li <longli@microsoft.com>
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 12:15:17 -04:00
Haiyang Zhang
fd5c07a8d6 hyperv: Fix a kernel warning from netvsc_linkstatus_callback()
The warning about local_bh_enable inside IRQ happens when disconnecting a
virtual NIC.

The reason for the warning is -- netif_tx_disable() is called when the NIC
is disconnected. And it's called within irq context. netif_tx_disable() calls
local_bh_enable() which displays warning if in irq.

The fix is to remove the unnecessary netif_tx_disable & wake_queue() in the
netvsc_linkstatus_callback().

Reported-by: Richard Genoud <richard.genoud@gmail.com>
Tested-by: Long Li <longli@microsoft.com>
Tested-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 12:15:17 -04:00
Jiri Pirko
c988d1e8cb net: ipv4: fix schedule while atomic bug in check_lifetime()
move might_sleep operations out of the rcu_read_lock() section.
Also fix iterating over ifa_dev->ifa_list

Introduced by: commit 5c766d642b "ipv4: introduce address lifetime"

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 12:04:51 -04:00
Jiri Pirko
05a324b9c5 net: ipv4: reset check_lifetime_work after changing lifetime
This will result in calling check_lifetime in nearest opportunity and
that function will adjust next time to call check_lifetime correctly.
Without this, check_lifetime is called in time computed by previous run,
not affecting modified lifetime.

Introduced by: commit 5c766d642b "ipv4: introduce address lifetime"

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-08 12:04:51 -04:00
Yaniv Rosner
cb28ea3b13 bnx2x: Fix KR2 rapid link flap
Check KR2 recovery time at the beginning of the work-around function.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 17:17:00 -04:00
Sridhar Samudrala
259c9a1f9e sctp: remove 'sridhar' from maintainers list
Update SCTP maintainers list.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 17:00:54 -04:00
David S. Miller
f89e8a6432 Merge branch 'infoleaks'
Mathias Krause says:

====================
a few more info leak fixes in the recvmsg path. The error pattern here
is the protocol specific recvmsg function is missing the msg_namelen
assignment -- either completely or in early exit paths that do not
result in errors in __sys_recvmsg()/sys_recvfrom() and, in turn, make
them call move_addr_to_user(), leaking the then still uninitialized
sockaddr_storage stack variable to userland.

My audit was initiated by a rather coarse fix of the leak that can be
found in the grsecurity patch, putting a penalty on protocols complying
to the rules of recvmsg. So credits for finding the leak in the recvmsg
path in __sys_recvmsg() should go to Brad!

The buggy protocols/subsystems are rather obscure anyway. As a missing
assignment of msg_namelen coupled with a missing filling of msg_name
would only result in garbage -- the leak -- in case userland would care
about that information, i.e. would provide a msg_name pointer. But
obviously current userland does not.

While auditing the code for the above pattern I found a few more
'uninitialized members' kind of leaks related to the msg_name filling.
Those are fixed in this series, too.

I have to admit, I failed to test all of the patches due to missing
hardware, e.g. iucv depends on S390 -- hardware I've no access to :/
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:42:40 -04:00
Mathias Krause
d5e0d0f607 VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg()
The code misses to update the msg_namelen member to 0 and therefore
makes net/socket.c leak the local, uninitialized sockaddr_storage
variable to userland -- 128 bytes of kernel stack memory.

Cc: Andy King <acking@vmware.com>
Cc: Dmitry Torokhov <dtor@vmware.com>
Cc: George Zhang <georgezhang@vmware.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:02 -04:00
Mathias Krause
680d04e0ba VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue()
In case we received no data on the call to skb_recv_datagram(), i.e.
skb->data is NULL, vmci_transport_dgram_dequeue() will return with 0
without updating msg_namelen leading to net/socket.c leaking the local,
uninitialized sockaddr_storage variable to userland -- 128 bytes of
kernel stack memory.

Fix this by moving the already existing msg_namelen assignment a few
lines above.

Cc: Andy King <acking@vmware.com>
Cc: Dmitry Torokhov <dtor@vmware.com>
Cc: George Zhang <georgezhang@vmware.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:02 -04:00
Mathias Krause
60085c3d00 tipc: fix info leaks via msg_name in recv_msg/recv_stream
The code in set_orig_addr() does not initialize all of the members of
struct sockaddr_tipc when filling the sockaddr info -- namely the union
is only partly filled. This will make recv_msg() and recv_stream() --
the only users of this function -- leak kernel stack memory as the
msg_name member is a local variable in net/socket.c.

Additionally to that both recv_msg() and recv_stream() fail to update
the msg_namelen member to 0 while otherwise returning with 0, i.e.
"success". This is the case for, e.g., non-blocking sockets. This will
lead to a 128 byte kernel stack leak in net/socket.c.

Fix the first issue by initializing the memory of the union with
memset(0). Fix the second one by setting msg_namelen to 0 early as it
will be updated later if we're going to fill the msg_name member.

Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:02 -04:00
Mathias Krause
4a184233f2 rose: fix info leak via msg_name in rose_recvmsg()
The code in rose_recvmsg() does not initialize all of the members of
struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
Nor does it initialize the padding bytes of the structure inserted by
the compiler for alignment. This will lead to leaking uninitialized
kernel stack bytes in net/socket.c.

Fix the issue by initializing the memory used for sockaddr info with
memset(0).

Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:02 -04:00
Mathias Krause
d26d6504f2 NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
The code in llcp_sock_recvmsg() does not initialize all the members of
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
initialize the padding bytes of the structure inserted by the compiler
for alignment.

Also, if the socket is in state LLCP_CLOSED or is shutting down during
receive the msg_namelen member is not updated to 0 while otherwise
returning with 0, i.e. "success". The msg_namelen update is also
missing for stream and seqpacket sockets which don't fill the sockaddr
info.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix the first issue by initializing the memory used for sockaddr info
with memset(0). Fix the second one by setting msg_namelen to 0 early.
It will be updated later if we're going to fill the msg_name member.

Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:02 -04:00
Mathias Krause
3ce5efad47 netrom: fix info leak via msg_name in nr_recvmsg()
In case msg_name is set the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of
struct sockaddr_ax25 inserted by the compiler for alignment. Also
the sax25_ndigis member does not get assigned, leaking four more
bytes.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix both issues by initializing the memory with memset(0).

Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:02 -04:00
Mathias Krause
c77a4b9cff llc: Fix missing msg_namelen update in llc_ui_recvmsg()
For stream sockets the code misses to update the msg_namelen member
to 0 and therefore makes net/socket.c leak the local, uninitialized
sockaddr_storage variable to userland -- 128 bytes of kernel stack
memory. The msg_namelen update is also missing for datagram sockets
in case the socket is shutting down during receive.

Fix both issues by setting msg_namelen to 0 early. It will be
updated later if we're going to fill the msg_name member.

Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:01 -04:00
Mathias Krause
b860d3cc62 l2tp: fix info leak in l2tp_ip6_recvmsg()
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
in l2tp_ip6_recvmsg() in case msg_name is set.

Initialize l2tp_conn_id with 0 to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:01 -04:00
Mathias Krause
a5598bd9c0 iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.

Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about iucv_sock_recvmsg() not filling the msg_name in case it was set.

Cc: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:01 -04:00
Mathias Krause
5ae94c0d2f irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.

Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about irda_recvmsg_dgram() not filling the msg_name in case it was
set.

Cc: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:01 -04:00
Mathias Krause
2d6fbfe733 caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.

Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about caif_seqpkt_recvmsg() not filling the msg_name in case it was
set.

Cc: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:01 -04:00
Mathias Krause
c8c499175f Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()
If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
the flags, sco_sock_recvmsg() returns early with 0 without updating the
possibly set msg_namelen member. This, in turn, leads to a 128 byte
kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_recvmsg().

Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:01 -04:00
Mathias Krause
e11e0455c0 Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
early with 0 without updating the possibly set msg_namelen member. This,
in turn, leads to a 128 byte kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_stream_recvmsg().

Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:00 -04:00
Mathias Krause
4683f42fde Bluetooth: fix possible info leak in bt_sock_recvmsg()
In case the socket is already shutting down, bt_sock_recvmsg() returns
with 0 without updating msg_namelen leading to net/socket.c leaking the
local, uninitialized sockaddr_storage variable to userland -- 128 bytes
of kernel stack memory.

Fix this by moving the msg_namelen assignment in front of the shutdown
test.

Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:00 -04:00
Mathias Krause
ef3313e84a ax25: fix info leak via msg_name in ax25_recvmsg()
When msg_namelen is non-zero the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of struct
sockaddr_ax25 inserted by the compiler for alignment. Additionally the
msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
not always filled up to this size.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix both issues by initializing the memory with memset(0).

Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:00 -04:00
Mathias Krause
9b3e617f3d atm: update msg_namelen in vcc_recvmsg()
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.

Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about vcc_recvmsg() not filling the msg_name in case it was set.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:00 -04:00
Christoph Paasch
50a75a8914 ipv6/tcp: Stop processing ICMPv6 redirect messages
Tetja Rediske found that if the host receives an ICMPv6 redirect message
after sending a SYN+ACK, the connection will be reset.

He bisected it down to 093d04d (ipv6: Change skb->data before using
icmpv6_notify() to propagate redirect), but the origin of the bug comes
from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
handlers.). The bug simply did not trigger prior to 093d04d, because
skb->data did not point to the inner IP header and thus icmpv6_notify
did not call the correct err_handler.

This patch adds the missing "goto out;" in tcp_v6_err. After receiving
an ICMPv6 Redirect, we should not continue processing the ICMP in
tcp_v6_err, as this may trigger the removal of request-socks or setting
sk_err(_soft).

Reported-by: Tetja Rediske <tetja@tetja.de>
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 12:36:08 -04:00
Linus Torvalds
53f63189b1 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix erroneous sock_orphan() leading to crashes and double
    kfree_skb() in NFC protocol.  From Thierry Escande and Samuel Ortiz.

 2) Fix use after free in remain-on-channel mac80211 code, from Johannes
    Berg.

 3) nf_reset() needs to reset the NF tracing cookie, otherwise we can
    leak it from one namespace into another.  Fix from Gao Feng and
    Patrick McHardy.

 4) Fix overflow in channel scanning array of mwifiex driver, from Stone
    Piao.

 5) Fix loss of link after suspend/shutdown in r8169, from Hayes Wang.

 6) Synchronization of unicast address lists to the undelying device
    doesn't work because whether to sync is maintained as a boolean
    rather than a true count.  Fix from Vlad Yasevich.

 7) Fix corruption of TSO packets in atl1e by limiting the segmented
    packet length.  From Hannes Frederic Sowa.

 8) Revert bogus AF_UNIX credential passing change and fix the
    coalescing issue properly, from Eric W Biederman.

 9) Changes of ipv4 address lifetime settings needs to generate a
    notification, from Jiri Pirko.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (22 commits)
  netfilter: don't reset nf_trace in nf_reset()
  net: ipv4: notify when address lifetime changes
  ixgbe: fix registration order of driver and DCA nofitication
  af_unix: If we don't care about credentials coallesce all messages
  Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
  bonding: remove sysfs before removing devices
  atl1e: limit gso segment size to prevent generation of wrong ip length fields
  net: count hw_addr syncs so that unsync works properly.
  r8169: fix auto speed down issue
  netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
  mwifiex: limit channel number not to overflow memory
  NFC: microread: Fix build failure due to a new MEI bus API
  iwlwifi: dvm: fix the passive-no-RX workaround
  netfilter: nf_conntrack: fix error return code
  NFC: llcp: Keep the connected socket parent pointer alive
  mac80211: fix idle handling sequence
  netfilter: nfnetlink_acct: return -EINVAL if object name is empty
  netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
  netfilter: reset nf_trace in nf_reset
  mac80211: fix remain-on-channel cancel crash
  ...
2013-04-05 14:04:10 -07:00
Patrick McHardy
124dff01af netfilter: don't reset nf_trace in nf_reset()
Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code
to reset nf_trace in nf_reset(). This is wrong and unnecessary.

nf_reset() is used in the following cases:

- when passing packets up the the socket layer, at which point we want to
  release all netfilter references that might keep modules pinned while
  the packet is queued. nf_trace doesn't matter anymore at this point.

- when encapsulating or decapsulating IPsec packets. We want to continue
  tracing these packets after IPsec processing.

- when passing packets through virtual network devices. Only devices on
  that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
  used anymore. Its not entirely clear whether those packets should
  be traced after that, however we've always done that.

- when passing packets through virtual network devices that make the
  packet cross network namespace boundaries. This is the only cases
  where we clearly want to reset nf_trace and is also what the
  original patch intended to fix.

Add a new function nf_reset_trace() and use it in dev_forward_skb() to
fix this properly.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-05 15:38:10 -04:00
Linus Torvalds
6cfa92382e Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
 "Fixes for a number of small glitches in various corners of the MIPS
  tree.  No particular areas is standing out.

  With this applied all MIPS defconfigs are building fine.  No merge
  conflicts are expected."

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: Delete definition of SA_RESTORER.
  MIPS: Fix ISA level which causes secondary cache init bypassing and more
  MIPS: Fix build error cavium-octeon without CONFIG_SMP
  MIPS: Kconfig: Rename SNIPROM too
  MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI"
  MIPS: Unbreak function tracer for 64-bit kernel.
2013-04-05 12:23:12 -07:00
Linus Torvalds
00fa6fe963 Merge git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes
Pull GFS2 fixes from Steven Whitehouse:
 "There are two patches which fix up a couple of minor issues in the DLM
  interface code, a missing error path in gfs2_rs_alloc(), one patch
  which fixes a problem during "withdraw" and a fix for discards/FITRIM
  when using 4k sector sized devices."

* git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes:
  GFS2: Issue discards in 512b sectors
  GFS2: Fix unlock of fcntl locks during withdrawn state
  GFS2: return error if malloc failed in gfs2_rs_alloc()
  GFS2: use memchr_inv
  GFS2: use kmalloc for lvb bitmap
2013-04-05 12:22:02 -07:00
Mike Marciniszyn
ff802e31b5 firmware,IB/qib: revert firmware file move
Commit e2eed58b4f ("IB/qib: change QLogic to Intel") moved a firmware
file potentially breaking the ABI.

This patch reverts that aspect of the fix as well as reverting the
firmware name as used in qib.

Reported-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-05 12:19:39 -07:00
Linus Torvalds
e0a77f2631 spi: Fixes for v3.9
A bunch of small driver fixes plus a fix for error handling in the core
 - nothing too exciting overall.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJRXt12AAoJELSic+t+oim9PNIP/RPojoOyrzSr2knNwgFHtxo7
 rcQqxq/Z0Ah6B/BKZ5qomzIaUPzLoKGM2ND4KhCJjBrXY3PR6hJQK6b4M2ocXbpK
 whC5lt36M9/3b/eLGH9lIfKGXPKT+n2qfvbALdlxWYTcLbeoiMfakwcGhZngihEq
 H96x7+xOuBheF8dx46+zG10uUm0lP3hpELzXKqHi/K173FEfgIeq9iELzfTiQbIw
 tdXUl7jrUwifvBlUx3/tRM334K4pAGeq+hLtftxvX/qFBqNIZ6bO3ZguZLaPNgXd
 NvQ1AtsArf2KmL+/093Zesz+b7fqfLEjsBqecWjhT7UWEs1y8qmmTBNM6cgAOzyg
 OZnFzZ8fl3G9YuLgktAFr1pWT9T43B/ZFbQ4NQzkxVOh1QvOz1Xkx9JS0hCigVBu
 pen6n5L2OWzxcGsDiB38b4HSCzLgNt4QtsXCtQZaDKUJ6Q8pmsCWClyPfqJwbEWR
 5QNW/8x2BCuQMSa4aKvPhjw9bIfOhOYX/+JQezHdS/pu6nwAGHHM5Yohtjn9/hm/
 6hXniAzctT6rbk4ZDr5ux1CBxyBzjcTAL0tdiqFglAYcXwRNpzqm714jKN57yH6p
 YXD3V2aRF7h7honDJqav18M9opuIo4rNg0lBCreA+5FJ+MmQHLIU/DvfO6qUV2/0
 XO540x4NdS1PMAX02P1h
 =eqgv
 -----END PGP SIGNATURE-----

Merge tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc

Pull spi fixes from Mark Brown:
 "A bunch of small driver fixes plus a fix for error handling in the
  core - nothing too exciting overall."

* tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
  spi/mpc512x-psc: optionally keep PSC SS asserted across xfer segmensts
  spi: Unlock a spinlock before calling into the controller driver.
  spi/s3c64xx: modified error interrupt handling and init
  spi/bcm63xx: don't disable non enabled clocks in probe error path
  spi/bcm63xx: Remove unused variable
  spi: slink-tegra20: move runtime pm calls to transfer_one_message
2013-04-05 10:04:41 -07:00
Bob Peterson
b2c87cae0e GFS2: Issue discards in 512b sectors
This patch changes GFS2's discard issuing code so that it calls
function sb_issue_discard rather than blkdev_issue_discard. The
code was calling blkdev_issue_discard and specifying the correct
sector offset and sector size, but blkdev_issue_discard expects
these values to be in terms of 512 byte sectors, even if the native
sector size for the device is different. Calling sb_issue_discard
with the BLOCK size instead ensures the correct block-to-512b-sector
translation. I verified that "minlen" is specified in blocks, so
comparing it to a number of blocks is correct.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
2013-04-05 17:55:13 +01:00
Johan Hovold
e24b0bfa2f Revert "drivers/rtc/rtc-at91rm9200.c: use a variable for storing IMR"
This reverts commit 0ef1594c01.

This patch introduced a few races which cannot be easily fixed with a
small follow-up patch. Furthermore, the SoC with the broken hardware
register, which this patch intended to add support for, can only be used
with device trees, which this driver currently does not support.

[ Here is the discussion that led to this "revert" patch:
  https://lkml.org/lkml/2013/4/3/176 ]

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-05 09:36:53 -07:00
Linus Torvalds
c4c80f63fb Fix uvesafb crash bug and typoed flag name in fbmon's new videomode code
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJRXrj5AAoJEPo9qoy8lh71MVEQAIpbZnMGuzhPbVdDfVZCkNt+
 GNGhRaYNODoVhAaiIJ4kcCtCpM36EHXZozw/Jlc0hjVuWBptZI2W8vnoH/utrdCD
 Dh6SxKVc8QwGz2Ybhjqy8U1Bpw3GVGHbPzLz/6gmZQy34ownOeM5qqSLXXuxF8NW
 LiALmD1nUZwg+Mn9aF8Hvu8BMM4lxK90oM3XTGfru3LmgN2ING5sgb6eLaTPAxPd
 +vDmeynekPWd+yDjmHC0Es5Xx1J0tuOi/qepWYH1pok9R+dtsyfAOmeXoUjcbKct
 5Vpx/3Y/exzGQeiZuFYlpKYCtDqYh26CwJjPKpbMPztTJMgdmCRFJxMiISmNdu9k
 cVQ0V3oJr92uAtX6gl5/5YM1nmXeH0Y9LwHVdgN6Tjiwe54FhGq8url2HqZINjQI
 B19Jwx6XHsZ2P7Yr9LDqmrGFEMjv/ufdV/qhrLt+bxjxu/8DIxrPG37N7beFPZbE
 KbPnxy6zDD2ROBtheTVFNdL5FkZbplJKaqhUMpfuBsDo/w0mpQADOJOPEQCgOC8I
 CaaGfuBqbRBlO6R02bCmnLaeFwOSUIKjqLmug3IOcpZ+uZym3RPMZuMsRnHTIoYh
 tD8+zfQ6z9iEYaoQO6CjzHLzvqCKdG1t0ksDp+FmhCfFlityuzXhvHvP9rI72ys2
 /6ECxV0W4m3zLLKofxOM
 =lKy5
 -----END PGP SIGNATURE-----

Merge tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux

Pull fbdev fixes from Tomi Valkeinen:
 "Fix uvesafb crash bug and typoed flag name in fbmon's new videomode
  code"

* tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux:
  video:uvesafb: Fix dereference NULL pointer code path
  fbmon: use VESA_DMT_VSYNC_HIGH to fix typo
2013-04-05 09:15:46 -07:00
Linus Torvalds
8f09aacfa6 Sound fixes for 3.9-rc6
This contains slightly more volumes than usual at this stage, mostly
 because of my vacation in the last week.
 Nothing to scare, all small and/or trivial fixes:
 
 - Fix loop path handling in ASoC DAPM
 - Some memory handling fixes in ASoC core
 - Fix spear_pcm to adapt to the updated API
 - HD-audio HDMI ELD handling fixes
 - Fix for CM6331 USB-audio SRC change bugs
 - Revert power_save_controller option change due to user-space usage
 - A few other small ASoC and HD-audio fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJRXl85AAoJEGwxgFQ9KSmkDzAQALJU/3Bn/tRJMFDwmVPYbuoi
 /mJ8iTBLz7uvKTnGaOIPg+vrt2SOkpcfE/bkv2d8GL/YMbXC7RY2j+37D8LYlnZQ
 rhUlM7VbkFsmoXR9GtgeWdZyrQSVNi7KFCfNLSNZmZAkDkopq0VzW4Ll+q4wyPWQ
 taZDQ0g3fnbAegiri246cb8nKH8gTzKRG16I/5N1S7fxLinQ6u5W4IPu9jHxNhiW
 sOyQOXwYp7CpgmqKBbjES8oncbgwSnk55YPY3Si+vfYIHy18yR9yCNyGsrGN8M0W
 c4oTU8EoNzGrwE4/+MSvkWwA4qYBEqRkEwS8eL2QlcyNpeZq1mROWnEa1BZz3PJ/
 uw4M5GrVYFD/w95XRX/hJmenQelSV5S2EfCmxAbMQwXX9je2q9RzM0AeaORNUPYT
 Iy8S4+d9KBWBcLxmAASLUPTk5nl4bTPW/yy/Cb5ICQdnhHGTmKnJjQdIbP9tiiDD
 jfnftPUDBONRnCe24AtxQzDmj2wfikkMkQoR/nENKKR+u56zy6Le+m4zmv7OlfLX
 lqcWHh/Sgsg+B960GUPZSEqpDaXA5hkpXTz/foWbeu8Go0JVQTV9/+HDomrfP0VE
 EoRrApZf35PBSo2rqC6lyKhAp+OgWKmXoWelzCY3//4kYXl2cEK1voa5zFhgVRGD
 tccXSAxPyW4HsIg+4hqF
 =L1Ya
 -----END PGP SIGNATURE-----

Merge tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This contains slightly more volumes than usual at this stage, mostly
  because of my vacation in the last week.  Nothing to scare, all small
  and/or trivial fixes:

   - Fix loop path handling in ASoC DAPM
   - Some memory handling fixes in ASoC core
   - Fix spear_pcm to adapt to the updated API
   - HD-audio HDMI ELD handling fixes
   - Fix for CM6331 USB-audio SRC change bugs
   - Revert power_save_controller option change due to user-space usage
   - A few other small ASoC and HD-audio fixes"

* tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda/generic - fix uninitialized variable
  Revert "ALSA: hda - Allow power_save_controller option override DCAPS"
  ALSA: hda - fix typo in proc output
  ALSA: hda - Enabling Realtek ALC 671 codec
  ALSA: usb: Work around CM6631 sample rate change bug
  ALSA: hda - bug fix on HDMI ELD debug message
  ALSA: hda - bug fix on return value when getting HDMI ELD info
  ASoC: dma-sh7760: Fix compile error
  ASoC: core: fix invalid free of devm_ allocated data
  ASoC: spear_pcm: Update to new pcm_new() API
  ASoC:: max98090: Remove executable bit
  ASoC: dapm: Fix pointer dereference in is_connected_output_ep()
  ASoC: pcm030 audio fabric: remove __init from probe
  ASoC: imx-ssi: Fix occasional AC97 reset failure
  ASoC: core: fix possible memory leak in snd_soc_bytes_put()
  ASoC: wm_adsp: fix possible memory leak in wm_adsp_load_coeff()
  ASoC: dapm: Fix handling of loops
  ASoC: si476x: Add missing break for SNDRV_PCM_FORMAT_S8 switch case
2013-04-05 09:06:57 -07:00
Ralf Baechle
80fa8181aa MIPS: Delete definition of SA_RESTORER.
SA_RESTORER used to be defined as 0x04000000 but only the O32 ABI ever
supported its use and no libc was using it, so the entire sa-restorer
functionality was removed with lmo commit 39bffc12c3580ab [Zap sa_restorer.]
for 2.5.48 retaining only the SA_RESTORER definition as a reminder to avoid
accidental reuse of the mask bit.

Upstream cdef9602fbf1871a43f0f1b5cea10dd0f275167d [signal: always clear
sa_restorer on execve] adds code that assumes sa_sigaction has an
sa_restorer field, if SA_RESTORER is defined which would break MIPS.
So remove the SA_RESTORER definition before the v3.8.4 merge.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
(cherry picked from commit 17da8d63add23830892ac4dc2cbb3b5d4ffb79a8)
2013-04-05 15:10:51 +02:00
Deng-Cheng Zhu
adb3789264 MIPS: Fix ISA level which causes secondary cache init bypassing and more
The commit a96102be70 introduced set_isa() where compatible ISA info is
also set aside from the one gets passed in. It means, for example, 1004K
will have MIPS_CPU_ISA_M32R2/M32R1/II/I flags. This leads to things like
the following inappropriate:

if (c->isa_level == MIPS_CPU_ISA_M32R1 ||
    c->isa_level == MIPS_CPU_ISA_M32R2 ||
    c->isa_level == MIPS_CPU_ISA_M64R1 ||
    c->isa_level == MIPS_CPU_ISA_M64R2)

This patch fixes it.

Signed-off-by: Deng-Cheng Zhu <dengcheng.zhu@imgtec.com>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05 15:10:45 +02:00
EunBong Song
ed1197f931 MIPS: Fix build error cavium-octeon without CONFIG_SMP
Singed-off-by: EunBong Song <eunb.song@samsung.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05 15:10:39 +02:00
Paul Bolle
aaa9fad32f MIPS: Kconfig: Rename SNIPROM too
CONFIG_SNIPROM was renamed to CONFIG_FW_SNIPROM in v3.8. Let's rename
SNIPROM itself too.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-mips@linux-mips.org;
Cc: linux-kernel@vger.kernel.org
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05 15:10:33 +02:00
Paul Bolle
143f0f6599 MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI"
Commit 7517de3486 ("MIPS: Alchemy: Redo
PCI as platform driver") added a reference to CONFIG_DEBUG_PCI. Change
it to CONFIG_PCI_DEBUG, as that is a valid Kconfig macro.

Also add a newline to a debugging printk that this fix enables.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05 15:10:27 +02:00
David Daney
ad8c396936 MIPS: Unbreak function tracer for 64-bit kernel.
Commit 58b69401c7 [MIPS: Function tracer: Fix broken function tracing]
completely broke the function tracer for 64-bit kernels.  The symptom is
a system hang very early in the boot process.

The fix: Remove/fix $sp adjustments for 64-bit case.

Signed-off-by: David Daney <david.daney@cavium.com>
Cc: linux-mips@linux-mips.org
Cc: Al Cooper <alcooperx@gmail.com>
Cc: viric@viric.name
Cc: stable@vger.kernel.org # 3.8.x
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-04-05 15:10:22 +02:00