summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-11-23ixgbe: fix use after free adapter->state test in ixgbe_remove/ixgbe_probeDaniel Borkmann
While working on a different issue, I noticed an annoying use after free bug on my machine when unloading the ixgbe driver: [ 8642.318797] ixgbe 0000:02:00.1: removed PHC on p2p2 [ 8642.742716] ixgbe 0000:02:00.1: complete [ 8642.743784] BUG: unable to handle kernel paging request at ffff8807d3740a90 [ 8642.744828] IP: [<ffffffffa01c77dc>] ixgbe_remove+0xfc/0x1b0 [ixgbe] [ 8642.745886] PGD 20c6067 PUD 81c1f6067 PMD 81c15a067 PTE 80000007d3740060 [ 8642.746956] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 8642.748039] Modules linked in: [...] [ 8642.752929] CPU: 1 PID: 1225 Comm: rmmod Not tainted 3.18.0-rc2+ #49 [ 8642.754203] Hardware name: Supermicro X10SLM-F/X10SLM-F, BIOS 1.1b 11/01/2013 [ 8642.755505] task: ffff8807e34d3fe0 ti: ffff8807b7204000 task.ti: ffff8807b7204000 [ 8642.756831] RIP: 0010:[<ffffffffa01c77dc>] [<ffffffffa01c77dc>] ixgbe_remove+0xfc/0x1b0 [ixgbe] [...] [ 8642.774335] Stack: [ 8642.775805] ffff8807ee824098 ffff8807ee824098 ffffffffa01f3000 ffff8807ee824000 [ 8642.777326] ffff8807b7207e18 ffffffff8137720f ffff8807ee824098 ffff8807ee824098 [ 8642.778848] ffffffffa01f3068 ffff8807ee8240f8 ffff8807b7207e38 ffffffff8144180f [ 8642.780365] Call Trace: [ 8642.781869] [<ffffffff8137720f>] pci_device_remove+0x3f/0xc0 [ 8642.783395] [<ffffffff8144180f>] __device_release_driver+0x7f/0xf0 [ 8642.784876] [<ffffffff814421f8>] driver_detach+0xb8/0xc0 [ 8642.786352] [<ffffffff814414a9>] bus_remove_driver+0x59/0xe0 [ 8642.787783] [<ffffffff814429d0>] driver_unregister+0x30/0x70 [ 8642.789202] [<ffffffff81375c65>] pci_unregister_driver+0x25/0xa0 [ 8642.790657] [<ffffffffa01eb38e>] ixgbe_exit_module+0x1c/0xc8e [ixgbe] [ 8642.792064] [<ffffffff810f93a2>] SyS_delete_module+0x132/0x1c0 [ 8642.793450] [<ffffffff81012c61>] ? do_notify_resume+0x61/0xa0 [ 8642.794837] [<ffffffff816d2029>] system_call_fastpath+0x12/0x17 The issue is that test_and_set_bit() done on adapter->state is being performed *after* the netdevice has been freed via free_netdev(). When netdev is being allocated on initialization time, it allocates a private area, here struct ixgbe_adapter, that resides after the net_device structure. In ixgbe_probe(), the device init routine, we set up the adapter after alloc_etherdev_mq() on the private area and add a reference for the pci_dev as well via pci_set_drvdata(). Both in the error path of ixgbe_probe(), but also on module unload when ixgbe_remove() is being called, commit 41c62843eb6a ("ixgbe: Fix rcu warnings induced by LER") accesses adapter after free_netdev(). The patch stores the result in a bool and thus fixes above oops on my side. Fixes: 41c62843eb6a ("ixgbe: Fix rcu warnings induced by LER") Cc: stable <stable@vger.kernel.org> Cc: Mark Rustad <mark.d.rustad@intel.com> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-23ixgbe: Correctly disable VLAN filter in promiscuous modeVlad Yasevich
IXGBE adapter seems to require that VLAN filtering be enabled if VMDQ or SRIOV are enabled. When those functions are disabled, VLAN filtering may be disabled in promiscuous mode. Prior to commit a9b8943ee129 ("ixgbe: remove vlan_filter_disable and enable functions") The logic was correct. However, after the commit the logic got reversed and VLAN filtered in now turned on when VMDQ/SRIOV is disabled. This patch changes the condition to enable hw vlan filtered when VMDQ or SRIOV is enabled. Fixes: a9b8943ee129 ("ixgbe: remove vlan_filter_disable and enable functions") Cc: stable <stable@vger.kernel.org> CC: Jacob Keller <jacob.e.keller@intel.com> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> Acked-by: Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-23ipv6: Do not treat a GSO_TCPV4 request from UDP tunnel over IPv6 as invalidAlexander Duyck
This patch adds SKB_GSO_TCPV4 to the list of supported GSO types handled by the IPv6 GSO offloads. Without this change VXLAN tunnels running over IPv6 do not currently handle IPv4 TCP TSO requests correctly and end up handing the non-segmented frame off to the device. Below is the before and after for a simple netperf TCP_STREAM test between two endpoints tunneling IPv4 over a VXLAN tunnel running on IPv6 on top of a 1Gb/s network adapter. Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 10.29 0.88 Before 87380 16384 16384 10.03 895.69 After Signed-off-by: Alexander Duyck <alexander.h.duyck@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds
Pull networking fixes from David Miller: 1) Fix BUG when decrypting empty packets in mac80211, from Ronald Wahl. 2) nf_nat_range is not fully initialized and this is copied back to userspace, from Daniel Borkmann. 3) Fix read past end of b uffer in netfilter ipset, also from Dan Carpenter. 4) Signed integer overflow in ipv4 address mask creation helper inet_make_mask(), from Vincent BENAYOUN. 5) VXLAN, be2net, mlx4_en, and qlcnic need ->ndo_gso_check() methods to properly describe the device's capabilities, from Joe Stringer. 6) Fix memory leaks and checksum miscalculations in openvswitch, from Pravin B SHelar and Jesse Gross. 7) FIB rules passes back ambiguous error code for unreachable routes, making behavior confusing for userspace. Fix from Panu Matilainen. 8) ieee802154fake_probe() doesn't release resources properly on error, from Alexey Khoroshilov. 9) Fix skb_over_panic in add_grhead(), from Daniel Borkmann. 10) Fix access of stale slave pointers in bonding code, from Nikolay Aleksandrov. 11) Fix stack info leak in PPP pptp code, from Mathias Krause. 12) Cure locking bug in IPX stack, from Jiri Bohac. 13) Revert SKB fclone memory freeing optimization that is racey and can allow accesses to freed up memory, from Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (71 commits) tcp: Restore RFC5961-compliant behavior for SYN packets net: Revert "net: avoid one atomic operation in skb_clone()" virtio-net: validate features during probe cxgb4 : Fix DCB priority groups being returned in wrong order ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg openvswitch: Don't validate IPv6 label masks. pptp: fix stack info leak in pptp_getname() brcmfmac: don't include linux/unaligned/access_ok.h cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection ipv6: delete protocol and unregister rtnetlink when cleanup net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too bonding: fix curr_active_slave/carrier with loadbalance arp monitoring mac80211: minstrel_ht: fix a crash in rate sorting vxlan: Inline vxlan_gso_check(). can: m_can: update to support CAN FD features can: m_can: fix incorrect error messages can: m_can: add missing delay after setting CCCR_INIT bit can: m_can: fix not set can_dlc for remote frame can: m_can: fix possible sleep in napi poll can: m_can: add missing message RAM initialization ...
2014-11-21Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linuxLinus Torvalds
Pull drm fixes from Dave Airlie: "Just two radeon and two intel fixes: endian and regression fixes" * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm/radeon: fix endian swapping in vbios fetch for tdp table drm/radeon: disable native backlight control on pre-r6xx asics (v2) drm/i915: Kick fbdev before vgacon drm/i915: drop WaSetupGtModeTdRowDispatch:snb
2014-11-21Merge tag 'sound-3.18-rc6' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "This batch ended up as a relatively high volume due to pending ASoC fixes. But most of fixes there are trivial and/or device- specific fixes and quirks, so safe to apply. The only (ASoC) core fixes are the DPCM race fix and the machine-driver matching fix for componentization" * tag 'sound-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda - fix the mic mute led problem for Latitude E5550 ALSA: hda - move DELL_WMI_MIC_MUTE_LED to the tail in the quirk chain ASoC: wm_adsp: Avoid attempt to free buffers that might still be in use ALSA: usb-audio: Set the Control Selector to SU_SELECTOR_CONTROL for UAC2 ALSA: usb-audio: Add ctrl message delay quirk for Marantz/Denon devices ASoC: sgtl5000: Fix SMALL_POP bit definition ASoC: cs42l51: re-hook of_match_table pointer ASoC: rt5670: change dapm routes of PLL connection ASoC: rt5670: correct the incorrect default values ASoC: samsung: Add MODULE_DEVICE_TABLE for Snow ASoC: max98090: Correct pclk divisor settings ASoC: dpcm: Fix race between FE/BE updates and trigger ASoC: Fix snd_soc_find_dai() matching component by name ASoC: rsnd: remove unsupported PAUSE flag ASoC: fsi: remove unsupported PAUSE flag ASoC: rt5645: Mark RT5645_TDM_CTRL_3 as readable ASoC: rockchip-i2s: fix infinite loop in rockchip_snd_rxctrl ASoC: es8328-i2c: Fix i2c_device_id name field in es8328_id ASoC: fsl_asrc: Add reg_defaults for regmap to fix kernel dump
2014-11-21Merge tag 'pm+acpi-3.18-rc6' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI power management fix from Rafael Wysocki: "This is just a one-liner fixing a regression introduced in 3.13 that broke system suspend on some Chromebooks. On those machines there are ACPI device objects for some I2C devices that can wake up the system from sleep states, but that is done via a platform-specific mechanism and the ACPI objects don't contain any wakeup-related information. When we started to use ACPI power management with those devices (which happened during the 3.13 cycle), their configuration confused the ACPI PM layer that returned error codes from suspend callbacks for them causing system suspend to fail. However, the ACPI PM layer can safely ignore the wakeup setting from a device driver if the ACPI object corresponding to the device in question doesn't contain wakeup information in which case the driver itself is responsible for setting up the device for system wakeup" * tag 'pm+acpi-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up
2014-11-21Merge tag 'devicetree-fixes-for-3.18' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull devicetree fixes from Rob Herring: "DeviceTree fixes for 3.18: - two fixes for OF selftest code - fix for PowerPC address parsing to disable work-around except on old PowerMACs - fix a crash when earlycon is enabled, but no device is found - DT documentation fixes and missing vendor prefixes All but the doc updates are also for stable" * tag 'devicetree-fixes-for-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: of/selftest: Fix testing when /aliases is missing of/selftest: Fix off-by-one error in removal path documentation: pinctrl bindings: Fix trivial typo 'abitrary' devicetree: bindings: Add vendor prefix for Micron Technology, Inc. of: Add vendor prefix for Chips&Media, Inc. of/base: Fix PowerPC address parsing hack devicetree: vendor-prefixes.txt: fix whitespace of: Fix crash if an earlycon driver is not found of/irq: Drop obsolete 'interrupts' vs 'interrupts-extended' text of: Spelling s/stucture/structure/ devicetree: bindings: add sandisk to the vendor prefixes
2014-11-21Merge tag 'pci-v3.18-fixes-3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull PCI fixes from Bjorn Helgaas: "These are fixes for an issue with 64-bit PCI bus addresses on 32-bit PAE kernels, an APM X-Gene problem (it depended on a generic change we removed before merging), a fix for my hotplug device configuration changes, and a devicetree documentation update. Resource management: - Support 64-bit bridge windows if we have 64-bit dma_addr_t (Yinghai Lu) PCI device hotplug: - Apply _HPX Link Control settings to all devices with a link (Yinghai Lu) Generic host bridge driver: - Add DT binding for "linux,pci-domain" property (Lucas Stach) APM X-Gene: - Assign resources to bus before adding new devices (Duc Dang)" * tag 'pci-v3.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: PCI: Support 64-bit bridge windows if we have 64-bit dma_addr_t PCI: Apply _HPX Link Control settings to all devices with a link PCI: Add missing DT binding for "linux,pci-domain" property PCI: xgene: Assign resources to bus before adding new devices
2014-11-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pendingLinus Torvalds
Pull SCSI target fixes from Nicholas Bellinger: "Here are the target-pending fixes queued for v3.18-rc6. The highlights include: - target-core OOPs fix with tcm_qla2xxx + vxworks FC initiators + zero length SCSI commands having a transfer direction set. (Roland + Craig Watson) - vhost-scsi OOPs fix to explicitly prevent WWPN endpoint configfs group removal while qemu still has an active reference. (Paolo + nab) - ib_srpt fix for RDMA hardware with lower srp_sq_size limits. (Bart) - two ib_isert work-arounds for running on ocrdma hardware (Or + Sagi + Chris) - iscsi-target discovery portal typo + SPC-3 PR Preempt SA key matching fix (Steve)" * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: IB/isert: Adjust CQ size to HW limits target: return CONFLICT only when SA key unmatched iser-target: Handle DEVICE_REMOVAL event on network portal listener correctly ib_isert: Add max_send_sge=2 minimum for control PDU responses srp-target: Retry when QP creation fails with ENOMEM iscsi-target: return the correct port in SendTargets vhost-scsi: Take configfs group dependency during VHOST_SCSI_SET_ENDPOINT target: Don't call TFO->write_pending if data_length == 0
2014-11-21Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dmaLinus Torvalds
Pull dmaengine fixes from Vinod Koul: "We have couple of fixes for dmaengine queued up: - dma mempcy fix for dma configuration of sun6i by Maxime - pl330 fixes: First the fixing allocation for data buffers by Liviu and then Jon's fixe for fifo width and usage" * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: Fix allocation size for PL330 data buffer depth. dmaengine: pl330: Limit MFIFO usage for memcpy to avoid exhausting entries dmaengine: pl330: Align DMA memcpy operations to MFIFO width dmaengine: sun6i: Fix memcpy operation
2014-11-21Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linusLinus Torvalds
Pull MIPS fixes from Ralf Baechle: "More 3.18 fixes for MIPS: - backtraces were not quite working on on 64-bit kernels - loongson needs a different cache coherency setting - Loongson 3 is a MIPS64 R2 version but due to erratum we treat is an older architecture revision. - fix build errors due to undefined references to __node_distances for certain configurations. - fix instruction decodig in the jump label code. - for certain configurations copy_{from,to}_user destroy the content of $3 so that register needs to be marked as clobbed by the calling code. - Hardware Table Walker fixes. - fill the delay slot of the last instruction of memcpy otherwise whatever ends up there randomly might have undesirable effects. - ensure get_user/__get_user always zero the variable to be read even in case of an error" * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: jump_label.c: Handle the microMIPS J instruction encoding MIPS: jump_label.c: Correct the span of the J instruction MIPS: Zero variable read by get_user / __get_user in case of an error. MIPS: lib: memcpy: Restore NOP on delay slot before returning to caller MIPS: tlb-r4k: Add missing HTW stop/start sequences MIPS: asm: uaccess: Add v1 register to clobber list on EVA MIPS: oprofile: Fix backtrace on 64-bit kernel MIPS: Loongson: Set Loongson-3's ISA level to MIPS64R1 MIPS: Loongson: Fix the write-combine CCA value setting MIPS: IP27: Fix __node_distances undefined error MIPS: Loongson3: Fix __node_distances undefined error
2014-11-21Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux Pull powerpc fix from Michael Ellerman: "One fix from Scott, he says: This patch fixes a crash (introduced in v3.18-rc1) in the FSL MSI driver when threaded IRQs are enabled" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux: powerpc/fsl_msi: mark the msi cascade handler IRQF_NO_THREAD
2014-11-21Merge branch 'x86-urgent-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "Misc fixes: - gold linker build fix - noxsave command line parsing fix - bugfix for NX setup - microcode resume path bug fix - _TIF_NOHZ versus TIF_NOHZ bugfix as discussed in the mysterious lockup thread" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1 x86, kaslr: Handle Gold linker for finding bss/brk x86, mm: Set NX across entire PMD at boot x86, microcode: Update BSPs microcode on resume x86: Require exact match for 'noxsave' command line option
2014-11-21Merge branch 'sched-urgent-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Ingo Molnar: "Misc fixes: two NUMA fixes, two cputime fixes and an RCU/lockdep fix" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency sched/cputime: Fix cpu_timer_sample_group() double accounting sched/numa: Avoid selecting oneself as swap target sched/numa: Fix out of bounds read in sched_init_numa() sched: Remove lockdep check in sched_move_task()
2014-11-21Merge branch 'perf-urgent-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "Misc fixes: two Intel uncore driver fixes, a CPU-hotplug fix and a build dependencies fix" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel/uncore: Fix boot crash on SBOX PMU on Haswell-EP perf/x86/intel/uncore: Fix IRP uncore register offsets on Haswell EP perf: Fix corruption of sibling list with hotplug perf/x86: Fix embarrasing typo
2014-11-21Merge branch 'core-urgent-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull core fix from Ingo Molnar: "Fix GENMASK macro shift overflow" Nobody seems to currently use GENMASK() to fill every single last bit (which is what overflows) in-tree, and gcc would warn about it, so we have that going for us. But apparently there are pending changes that want this. * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: bitops: Fix shift overflow in GENMASK macros
2014-11-21tcp: Restore RFC5961-compliant behavior for SYN packetsCalvin Owens
Commit c3ae62af8e755 ("tcp: should drop incoming frames without ACK flag set") was created to mitigate a security vulnerability in which a local attacker is able to inject data into locally-opened sockets by using TCP protocol statistics in procfs to quickly find the correct sequence number. This broke the RFC5961 requirement to send a challenge ACK in response to spurious RST packets, which was subsequently fixed by commit 7b514a886ba50 ("tcp: accept RST without ACK flag"). Unfortunately, the RFC5961 requirement that spurious SYN packets be handled in a similar manner remains broken. RFC5961 section 4 states that: ... the handling of the SYN in the synchronized state SHOULD be performed as follows: 1) If the SYN bit is set, irrespective of the sequence number, TCP MUST send an ACK (also referred to as challenge ACK) to the remote peer: <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK> After sending the acknowledgment, TCP MUST drop the unacceptable segment and stop processing further. By sending an ACK, the remote peer is challenged to confirm the loss of the previous connection and the request to start a new connection. A legitimate peer, after restart, would not have a TCB in the synchronized state. Thus, when the ACK arrives, the peer should send a RST segment back with the sequence number derived from the ACK field that caused the RST. This RST will confirm that the remote peer has indeed closed the previous connection. Upon receipt of a valid RST, the local TCP endpoint MUST terminate its connection. The local TCP endpoint should then rely on SYN retransmission from the remote end to re-establish the connection. This patch lets SYN packets through the discard added in c3ae62af8e755, so that spurious SYN packets are properly dealt with as per the RFC. The challenge ACK is sent unconditionally and is rate-limited, so the original vulnerability is not reintroduced by this patch. Signed-off-by: Calvin Owens <calvinowens@fb.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21net: Revert "net: avoid one atomic operation in skb_clone()"Eric Dumazet
Not sure what I was thinking, but doing anything after releasing a refcount is suicidal or/and embarrassing. By the time we set skb->fclone to SKB_FCLONE_FREE, another cpu could have released last reference and freed whole skb. We potentially corrupt memory or trap if CONFIG_DEBUG_PAGEALLOC is set. Reported-by: Chris Mason <clm@fb.com> Fixes: ce1a4ea3f1258 ("net: avoid one atomic operation in skb_clone()") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21virtio-net: validate features during probeJason Wang
We currently trigger BUG when VIRTIO_NET_F_CTRL_VQ is not set but one of features depending on it is. That's not a friendly way to report errors to hypervisors. Let's check, and fail probe instead. Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: Cornelia Huck <cornelia.huck@de.ibm.com> Cc: Wanlong Gao <gaowanlong@cn.fujitsu.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nfDavid S. Miller
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains two bugfixes for your net tree, they are: 1) Validate netlink group from nfnetlink to avoid an out of bound array access. This should only happen with superuser priviledges though. Discovered by Andrey Ryabinin using trinity. 2) Don't push ethernet header before calling the netfilter output hook for multicast traffic, this breaks ebtables since it expects to see skb->data pointing to the network header, patch from Linus Luessing. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21Merge tag 'master-2014-11-20' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless John W. Linville says: ==================== pull request: wireless 2014-11-20 Please full this little batch of fixes intended for the 3.18 stream! For the mac80211 patch, Johannes says: "Here's another last minute fix, for minstrel HT crashing depending on the value of some uninitialised stack." On top of that... Ben Greear fixes an ath9k regression in which a BSSID mask is miscalculated. Dmitry Torokhov corrects an error handling routing in brcmfmac which was checking an unsigned variable for a negative value. Johannes Berg avoids a build problem in brcmfmac for arches where linux/unaligned/access_ok.h and asm/unaligned.h conflict. Mathy Vanhoef addresses another brcmfmac issue so as to eliminate a use-after-free of the URB transfer buffer if a timeout occurs. Please let me know if there are problems! ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21cxgb4 : Fix DCB priority groups being returned in wrong orderAnish Bhatt
Peer priority groups were being reversed, but this was missed in the previous fix sent out for this issue. v2 : Previous patch was doing extra unnecessary work, result is the same. Please ignore previous patch Fixes : ee7bc3cdc270 ('cxgb4 : dcb open-lldp interop fixes') Signed-off-by: Anish Bhatt <anish@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-20ipx: fix locking regression in ipx_sendmsg and ipx_recvmsgJiri Bohac
This fixes an old regression introduced by commit b0d0d915 (ipx: remove the BKL). When a recvmsg syscall blocks waiting for new data, no data can be sent on the same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked. This breaks mars-nwe (NetWare emulator): - the ncpserv process reads the request using recvmsg - ncpserv forks and spawns nwconn - ncpserv calls a (blocking) recvmsg and waits for new requests - nwconn deadlocks in sendmsg on the same socket Commit b0d0d915 has simply replaced BKL locking with lock_sock/release_sock. Unlike now, BKL got unlocked while sleeping, so a blocking recvmsg did not block a concurrent sendmsg. Only keep the socket locked while actually working with the socket data and release it prior to calling skb_recv_datagram(). Signed-off-by: Jiri Bohac <jbohac@suse.cz> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-20openvswitch: Don't validate IPv6 label masks.Joe Stringer
When userspace doesn't provide a mask, OVS datapath generates a fully unwildcarded mask for the flow by copying the flow and setting all bits in all fields. For IPv6 label, this creates a mask that matches on the upper 12 bits, causing the following error: openvswitch: netlink: Invalid IPv6 flow label value (value=ffffffff, max=fffff) This patch ignores the label validation check for masks, avoiding this error. Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-20pptp: fix stack info leak in pptp_getname()Mathias Krause
pptp_getname() only partially initializes the stack variable sa, particularly only fills the pptp part of the sa_addr union. The code thereby discloses 16 bytes of kernel stack memory via getsockname(). Fix this by memset(0)'ing the union before. Cc: Dmitry Kozlov <xeb@mail.ru> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21Merge branch 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux ↵Dave Airlie
into drm-fixes fix one regression and one endian issue. * 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux: drm/radeon: fix endian swapping in vbios fetch for tdp table drm/radeon: disable native backlight control on pre-r6xx asics (v2)
2014-11-20x86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1Andy Lutomirski
TIF_NOHZ is 19 (i.e. _TIF_SYSCALL_TRACE | _TIF_NOTIFY_RESUME | _TIF_SINGLESTEP), not (1<<19). This code is involved in Dave's trinity lockup, but I don't see why it would cause any of the problems he's seeing, except inadvertently by causing a different path through entry_64.S's syscall handling. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Cc: Don Zickus <dzickus@redhat.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Dave Jones <davej@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Link: http://lkml.kernel.org/r/a6cd3b60a3f53afb6e1c8081b0ec30ff19003dd7.1416434075.git.luto@amacapital.net Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2014-11-20brcmfmac: don't include linux/unaligned/access_ok.hJohannes Berg
This is a specific implementation, <asm/unaligned.h> is the multiplexer that has the arch-specific knowledge of which of the implementations needs to be used, so include that. This issue was revealed by kbuild testing when <asm/unaligned.h> was added in <linux/ieee80211.h> resulting in redefinition of get_unaligned_be16 (and probably others). Cc: stable@vger.kernel.org # v3.17 Reported-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2014-11-20drm/radeon: fix endian swapping in vbios fetch for tdp tableAlex Deucher
Value needs to be swapped on BE. Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org
2014-11-20drm/radeon: disable native backlight control on pre-r6xx asics (v2)Alex Deucher
Just use the acpi interface. That's what windows uses on this generation and it's the only thing that seems to work reliably on these generation parts. You can still force the native backlight interface by setting radeon.backlight=1 Bug: https://bugzilla.kernel.org/show_bug.cgi?id=88501 v2: merge into above if/else block Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org
2014-11-20of/selftest: Fix testing when /aliases is missingGrant Likely
The /aliases node isn't always present in the device tree, but the unittest code assumes that /aliases is there. Add a check when inserting the testcase data to see if of_aliases needs to be updated, and undo the settings when the nodes are removed. Signed-off-by: Grant Likely <grant.likely@linaro.org> Cc: Rob Herring <robh+dt@kernel.org> Cc: Gaurav Minocha <gaurav.minocha.os@gmail.com> Cc: <stable@vger.kernel.org>
2014-11-19IB/isert: Adjust CQ size to HW limitsChris Moore
isert has an issue of trying to create a CQ with more CQEs than are supported by the hardware, that currently results in failures during isert_device creation during first session login. This is the isert version of the patch that Minh Tran submitted for iser, and is simple a workaround required to function with existing ocrdma hardware. Signed-off-by: Chris Moore <chris.moore@emulex.com> Reviewied-by: Sagi Grimberg <sagig@mellanox.com> Cc: <stable@vger.kernel.org> # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-11-20Merge tag 'drm-intel-fixes-2014-11-19' of ↵Dave Airlie
git://anongit.freedesktop.org/drm-intel into drm-fixes two regression fixes. * tag 'drm-intel-fixes-2014-11-19' of git://anongit.freedesktop.org/drm-intel: drm/i915: Kick fbdev before vgacon drm/i915: drop WaSetupGtModeTdRowDispatch:snb
2014-11-20ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake upRafael J. Wysocki
As reported by Dmitry, on some Chromebooks there are devices with corresponding ACPI objects and with unusual system wakeup configuration. Namely, they technically are wakeup-capable, but the wakeup is handled via a platform-specific out-of-band mechanism and the ACPI PM layer has no information on the wakeup capability. As a result, device_may_wakeup(dev) called from acpi_dev_suspend_late() returns 'true' for those devices, but the wakeup.flags.valid flag is unset for the corresponding ACPI device objects, so acpi_device_wakeup() reproducibly fails for them causing acpi_dev_suspend_late() to return an error code. The entire system suspend is then aborted and the machines in question cannot suspend at all. Address the problem by ignoring the device_may_wakeup(dev) return value in acpi_dev_suspend_late() if the ACPI companion of the device being handled has wakeup.flags.valid unset (in which case it is clear that the wakeup is supposed to be handled by other means). This fixes a regression introduced by commit a76e9bd89ae7 (i2c: attach/detach I2C client device to the ACPI power domain) as the affected systems could suspend and resume successfully before that commit. Fixes: a76e9bd89ae7 (i2c: attach/detach I2C client device to the ACPI power domain) Reported-by: Dmitry Torokhov <dtor@chromium.org> Reviewed-by: Dmitry Torokhov <dtor@chromium.org> Cc: 3.13+ <stable@vger.kernel.org> # 3.13+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2014-11-19cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connectionAnish Bhatt
cxgb4i was returning wrong error and not releasing module reference if remote end abruptly closed TCP connection. This prevents the cxgb4 network module from being unloaded, further affecting other network drivers dependent on cxgb4 Sending to net as this affects all cxgb4 based network drivers. Signed-off-by: Anish Bhatt <anish@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-19ipv6: delete protocol and unregister rtnetlink when cleanupDuan Jiong
pim6_protocol was added when initiation, but it not deleted. Similarly, unregister RTNL_FAMILY_IP6MR rtnetlink. Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com> Reviewed-by: Cong Wang <cwang@twopensource.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-19PCI: Support 64-bit bridge windows if we have 64-bit dma_addr_tYinghai Lu
Aaron reported that a 32-bit x86 kernel with Physical Address Extension (PAE) support complains about bridge prefetchable memory windows above 4GB: pci_bus 0000:00: root bus resource [mem 0x380000000000-0x383fffffffff] ... pci 0000:03:00.0: reg 0x10: [mem 0x383fffc00000-0x383fffdfffff 64bit pref] pci 0000:03:00.0: reg 0x20: [mem 0x383fffe04000-0x383fffe07fff 64bit pref] pci 0000:03:00.1: reg 0x10: [mem 0x383fffa00000-0x383fffbfffff 64bit pref] pci 0000:03:00.1: reg 0x20: [mem 0x383fffe00000-0x383fffe03fff 64bit pref] pci 0000:00:02.2: PCI bridge to [bus 03-04] pci 0000:00:02.2: bridge window [io 0x1000-0x1fff] pci 0000:00:02.2: bridge window [mem 0x91900000-0x91cfffff] pci 0000:00:02.2: can't handle 64-bit address space for bridge In this kernel, unsigned long is 32 bits and dma_addr_t is 64 bits. Previously we used "unsigned long" to hold the bridge window address. But this is a bus address, so we should use dma_addr_t instead. Use dma_addr_t to hold the bridge window base and limit. The question of whether the CPU can actually *address* the window is separate and depends on what the physical address space of the CPU is and whether the host bridge does any address translation. [bhelgaas: fix "shift count > width of type", changelog, stable tag] Fixes: d56dbf5bab8c ("PCI: Allocate 64-bit BARs above 4G when possible") Link: https://bugzilla.kernel.org/show_bug.cgi?id=88131 Reported-by: Aaron Ma <mapengyu@gmail.com> Tested-by: Aaron Ma <mapengyu@gmail.com> Signed-off-by: Yinghai Lu <yinghai@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> CC: stable@vger.kernel.org # v3.14+
2014-11-19Merge tag 'mac80211-for-john-2014-11-18' of ↵John W. Linville
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg <johannes@sipsolutions.net> says: "Here's another last minute fix, for minstrel HT crashing depending on the value of some uninitialised stack." Signed-off-by: John W. Linville <linville@tuxdriver.com>
2014-11-19Merge tag 'linux-can-fixes-for-3.18-20141118' of ↵David S. Miller
git://gitorious.org/linux-can/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2014-11-18 this is a pull request of 17 patches for net/master for the v3.18 release cycle. The last patch of this pull request ("can: m_can: update to support CAN FD features") adds, as the description says, a new feature to the m_can driver. As the m_can driver has been added in v3.18 there is no risk of causing a regression. Give me a note if this is not okay and I'll create a new pull request without it. There is a patch for the CAN infrastructure by Thomas Körper which fixes calling kfree_skb() from interrupt context. Roman Fietze fixes a typo also in the infrastructure. A patch by Dong Aisheng adds a generic helper function to tell if a skb is normal CAN or CAN-FD frame. Alexey Khoroshilov of the Linux Driver Verification project fixes a memory leak in the esd_usb2 driver. Two patches by Sudip Mukherjee remove unused variables and fixe the signess of a variable. Three patches by me add the missing .ndo_change_mtu callback to the xilinx_can, rcar_can and gs_usb driver. The remaining patches improve the m_can driver: David Cohen adds the missing CONFIG_HAS_IOMEM dependency. Dong Aisheng provides 6 bugfix patches (most important: missing RAM init, sleep in NAPI poll, dlc in RTR). While the last of his patches adds CAN FD support to the driver. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-19net/mlx4_en: Add VXLAN ndo calls to the PF net device ops tooOr Gerlitz
This is currently missing, which results in a crash when one attempts to set VXLAN tunnel over the mlx4_en when acting as PF. [ 2408.785472] BUG: unable to handle kernel NULL pointer dereference at (null) [...] [ 2408.994104] Call Trace: [ 2408.996584] [<ffffffffa021f7f5>] ? vxlan_get_rx_port+0xd6/0x103 [vxlan] [ 2409.003316] [<ffffffffa021f71f>] ? vxlan_lowerdev_event+0xf2/0xf2 [vxlan] [ 2409.010225] [<ffffffffa0630358>] mlx4_en_start_port+0x862/0x96a [mlx4_en] [ 2409.017132] [<ffffffffa063070f>] mlx4_en_open+0x17f/0x1b8 [mlx4_en] While here, make sure to invoke vxlan_get_rx_port() only when VXLAN offloads are actually enabled and not when they are only supported. Reported-by: Ido Shamay <idos@mellanox.com> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-19bonding: fix curr_active_slave/carrier with loadbalance arp monitoringNikolay Aleksandrov
Since commit 6fde8f037e60 ("bonding: fix locking in bond_loadbalance_arp_mon()") we can have a stale bond carrier state and stale curr_active_slave when using arp monitoring in loadbalance modes. The reason is that in bond_loadbalance_arp_mon() we can't have do_failover == true but slave_state_changed == false, whenever do_failover is true then slave_state_changed is also true. Then the following piece from bond_loadbalance_arp_mon(): if (slave_state_changed) { bond_slave_state_change(bond); if (BOND_MODE(bond) == BOND_MODE_XOR) bond_update_slave_arr(bond, NULL); } else if (do_failover) { block_netpoll_tx(); bond_select_active_slave(bond); unblock_netpoll_tx(); } will execute only the first branch, always and regardless of do_failover. Since these two events aren't related in such way, we need to decouple and consider them separately. For example this issue could lead to the following result: Bonding Mode: load balancing (round-robin) *MII Status: down* MII Polling Interval (ms): 0 Up Delay (ms): 0 Down Delay (ms): 0 ARP Polling Interval (ms): 100 ARP IP target/s (n.n.n.n form): 192.168.9.2 Slave Interface: ens12 *MII Status: up* Speed: 10000 Mbps Duplex: full Link Failure Count: 2 Permanent HW addr: 00:0f:53:01:42:2c Slave queue ID: 0 Slave Interface: eth1 *MII Status: up* Speed: Unknown Duplex: Unknown Link Failure Count: 70 Permanent HW addr: 52:54:00:2f:0f:8e Slave queue ID: 0 Since some interfaces are up, then the status of the bond should also be up, but it will never change unless something invokes bond_set_carrier() (i.e. enslave, bond_select_active_slave etc). Now, if I force the calling of bond_select_active_slave via for example changing primary_reselect (it can change in any mode), then the MII status goes to "up" because it calls bond_select_active_slave() which should've been done from bond_loadbalance_arp_mon() itself. CC: Veaceslav Falico <vfalico@gmail.com> CC: Jay Vosburgh <j.vosburgh@gmail.com> CC: Andy Gospodarek <andy@greyhouse.net> CC: Ding Tianhong <dingtianhong@huawei.com> Fixes: 6fde8f037e60 ("bonding: fix locking in bond_loadbalance_arp_mon()") Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Acked-by: Veaceslav Falico <vfalico@gmail.com> Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com> Acked-by: Ding Tianhong <dingtianhong@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-19of/selftest: Fix off-by-one error in removal pathGrant Likely
The removal path for selftest data has an off by one error that causes the code to dereference beyond the end of the nodes[] array on the first pass through. The old code only worked by chance on a lot of platforms, but the bug was recently exposed on aarch64. The fix is simple. Decrement the node count before dereferencing, not after. Reported-by: Kevin Hilman <khilman@linaro.org> Cc: Rob Herring <robh+dt@kernel.org> Cc: Gaurav Minocha <gaurav.minocha.os@gmail.com> Cc: <stable@vger.kernel.org> # v3.17+
2014-11-19MIPS: jump_label.c: Handle the microMIPS J instruction encodingMaciej W. Rozycki
Implement the microMIPS encoding of the J instruction for the purpose of the static keys feature, fixing a crash early on in bootstrap as the kernel is unhappy seeing the ISA bit set in jump table entries. Make sure the ISA bit correctly reflects the instruction encoding chosen for the kernel, 0 for the standard MIPS and 1 for the microMIPS encoding. Also make sure the instruction to patch is a 32-bit NOP in the microMIPS mode as by default the 16-bit short encoding is assumed Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com> Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8516/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-11-19MIPS: jump_label.c: Correct the span of the J instructionMaciej W. Rozycki
Correct the check for the span of the 256MB segment addressable by the J instruction according to this instruction's semantics. The calculation of the jump target is applied to the address of the delay-slot instruction that immediately follows. Adjust the check accordingly by adding 4 to `e->code' that holds the address of the J instruction itself. Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com> Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8515/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-11-19MIPS: Zero variable read by get_user / __get_user in case of an error.Ralf Baechle
This wasn't happening in all cases. Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-11-19MIPS: lib: memcpy: Restore NOP on delay slot before returning to callerMarkos Chandras
Commit cf62a8b8134dd3 ("MIPS: lib: memcpy: Use macro to build the copy_user code") switched to a macro in order to build the memcpy symbols in preparation for the EVA support. However, this commit also removed the NOP instruction after the 'jr ra' when returning back to the caller. This had no visible side-effects since the next instruction was a load to the t0 register which was already in the clobbered list, but it may have undesired effects in the future if some other code is introduced in between the .Ldone and the .Ll_exc_copy labels. Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Cc: <stable@vger.kernel.org> # v3.15+ Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8512/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-11-19MIPS: tlb-r4k: Add missing HTW stop/start sequencesMarkos Chandras
HTW needs to stop and start again whenever the EntryHI register changes otherwise an inflight HTW operation might use the new EntryHI register for updating an old entry and that could lead to crashes or even a machine check exception. We fix this by ensuring the HTW has stop whenever the EntryHI register is about to change Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Cc: <stable@vger.kernel.org> # v3.17+ Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8511/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-11-19MIPS: asm: uaccess: Add v1 register to clobber list on EVAMarkos Chandras
When EVA is turned on and prefetching is being used in memcpy.S, the v1 register is being used as a helper register to the PREFE instruction. However, v1 ($3) was not in the clobber list, which means that the compiler did not preserve it across function calls, and that could corrupt the value of the register leading to all sorts of userland crashes. We fix this problem by using the DADDI_SCRATCH macro to define the clobbered register when CONFIG_EVA && CONFIG_CPU_HAS_PREFETCH are enabled. Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Cc: <stable@vger.kernel.org> # v3.15+ Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8510/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-11-19MIPS: oprofile: Fix backtrace on 64-bit kernelAaro Koskinen
Fix incorrect cast that always results in wrong address for the new frame on 64-bit kernels. Signed-off-by: Aaro Koskinen <aaro.koskinen@nsn.com> Cc: stable@vger.kernel.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8110/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>