Paul Moore [Tue, 29 Nov 2011 10:10:54 +0000 (10:10 +0000)]
netlabel: Fix build problems when IPv6 is not enabled
A recent fix to the the NetLabel code caused build problem with
configurations that did not have IPv6 enabled; see below:
netlabel_kapi.c: In function 'netlbl_cfg_unlbl_map_add':
netlabel_kapi.c:165:4:
error: implicit declaration of function 'netlbl_af6list_add'
This patch fixes this problem by making the IPv6 specific code conditional
on the IPv6 configuration flags as we done in the rest of NetLabel and the
network stack as a whole. We have to move some variable declarations
around as a result so things may not be quite as pretty, but at least it
builds cleanly now.
Some additional IPv6 conditionals were added to the NetLabel code as well
for the sake of consistency.
Reported-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Xi Wang [Tue, 29 Nov 2011 09:26:30 +0000 (09:26 +0000)]
sctp: better integer overflow check in sctp_auth_create_key()
The check from commit 30c2235c is incomplete and cannot prevent
cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
left-hand side of the check (INT_MAX - key_len), which is unsigned,
becomes 0xffffffff (UINT_MAX) and bypasses the check.
However this shouldn't be a security issue. The function is called
from the following two code paths:
1) setsockopt()
2) sctp_auth_asoc_set_secret()
In case (1), sca_keylength is never going to exceed 65535 since it's
bounded by a u16 from the user API. As such, the key length will
never overflow.
In case (2), sca_keylength is computed based on the user key (1 short)
and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
will not overflow.
In other words, this overflow check is not really necessary. Just
make it more correct.
Signed-off-by: Xi Wang <xi.wang@gmail.com> Cc: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
John F Leach [Tue, 29 Nov 2011 00:41:27 +0000 (19:41 -0500)]
ALSA: usb-audio - Support for Roland GAIA SH-01 Synthesizer
Added table quirks entry for Roland GAIA SH-01 Synthesizer based upon
Roland SH-201 table entry as template. USB MIDI and audio was tested
with Muse and Audacity.
Signed-off-by: John F Leach <jfleach@jfleach.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Xi Wang [Tue, 22 Nov 2011 15:55:30 +0000 (15:55 +0000)]
sctp: integer overflow in sctp_auth_create_key()
The previous commit 30c2235c is incomplete and cannot prevent integer
overflows. For example, when key_len is 0x80000000 (INT_MAX + 1), the
left-hand side of the check, (INT_MAX - key_len), which is unsigned,
becomes 0xffffffff (UINT_MAX) and bypasses the check.
Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 29 Nov 2011 03:28:32 +0000 (19:28 -0800)]
Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: convert drivers/hwmon/* to use module_platform_driver()
hwmon: Remove redundant spi driver bus initialization
Christoph Fritz [Mon, 28 Nov 2011 22:49:33 +0000 (23:49 +0100)]
efivars: add missing parameter to efi_pstore_read()
In the case where CONFIG_PSTORE=n, the function efi_pstore_read() doesn't
have the correct list of parameters. This patch provides a definition
of efi_pstore_read() with 'char **buf' added to fix this warning:
"drivers/firmware/efivars.c:609: warning: initialization from".
Li Wei [Sun, 27 Nov 2011 21:33:34 +0000 (21:33 +0000)]
ipv6: Set mcast_hops to IPV6_DEFAULT_MCASTHOPS when -1 was given.
We need to set np->mcast_hops to it's default value at this moment
otherwise when we use it and found it's value is -1, the logic to
get default hop limit doesn't take multicast into account and will
return wrong hop limit(IPV6_DEFAULT_HOPLIMIT) which is for unicast.
Signed-off-by: Li Wei <lw@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Anton Blanchard [Sun, 27 Nov 2011 21:14:46 +0000 (21:14 +0000)]
net: Fix corruption in /proc/*/net/dev_mcast
I just hit this during my testing. Isn't there another bug lurking?
BUG kmalloc-8: Redzone overwritten
INFO: 0xc0000000de9dec48-0xc0000000de9dec4b. First byte 0x0 instead of 0xcc
INFO: Allocated in .__seq_open_private+0x30/0xa0 age=0 cpu=5 pid=3896
.__kmalloc+0x1e0/0x2d0
.__seq_open_private+0x30/0xa0
.seq_open_net+0x60/0xe0
.dev_mc_seq_open+0x4c/0x70
.proc_reg_open+0xd8/0x260
.__dentry_open.clone.11+0x2b8/0x400
.do_last+0xf4/0x950
.path_openat+0xf8/0x480
.do_filp_open+0x48/0xc0
.do_sys_open+0x140/0x250
syscall_exit+0x0/0x40
dev_mc_seq_ops uses dev_seq_start/next/stop but only allocates
sizeof(struct seq_net_private) of private data, whereas it expects
sizeof(struct dev_iter_state):
Linus Torvalds [Mon, 28 Nov 2011 21:49:43 +0000 (13:49 -0800)]
Merge branch 'for-3.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
* 'for-3.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
percpu: explain why per_cpu_ptr_to_phys() is more complicated than necessary
percpu: fix chunk range calculation
percpu: rename pcpu_mem_alloc to pcpu_mem_zalloc
mac80211: fix race between the AGG SM and the Tx data path
When a packet is supposed to sent be as an a-MPDU, mac80211 sets
IEEE80211_TX_CTL_AMPDU to let the driver know. On the other
hand, mac80211 configures the driver for aggregration with the
ampdu_action callback.
There is race between these two mechanisms since the following
scenario can occur when the BA agreement is torn down:
check OPERATIONAL bit
Set the TX_CTL_AMPDU bit in the packet
clear OPERATIONAL bit
stop Tx AGG
Pass Tx packet to the driver.
In that case the driver would get a packet with TX_CTL_AMPDU set
although it has already been notified that the BA session has been
torn down.
To fix this, we need to synchronize all the Qdisc activity after we
cleared the OPERATIONAL bit. After that step, all the following
packets will be buffered until the driver reports it is ready to get
new packets for this RA / TID. This buffering allows not to run into
another race that would send packets with TX_CTL_AMPDU unset while
the driver hasn't been requested to tear down the BA session yet.
This race occurs in practice and iwlwifi complains with a WARN_ON
when it happens.
Cc: stable@kernel.org Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Nikolay Martynov [Mon, 28 Nov 2011 08:18:00 +0000 (09:18 +0100)]
mac80211: fix race condition caused by late addBA response
If addBA responses comes in just after addba_resp_timer has
expired mac80211 will still accept it and try to open the
aggregation session. This causes drivers to be confused and
in some cases even crash.
This patch fixes the race condition and makes sure that if
addba_resp_timer has expired addBA response is not longer
accepted and we do not try to open half-closed session.
Cc: stable@vger.kernel.org Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
[some adjustments] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k: Revert change that broke AR928X on Acer Ferrari One
Revert a hunk in drivers/net/wireless/ath/ath9k/hw.c introduced by
commit 2577c6e8f2320f1d2f09be122efef5b9118efee4 (ath9k_hw: Add
support for AR946/8x chipsets) that caused a nasty regression to
appear on my Acer Ferrari One (the box locks up entirely at random
times after the wireless has been started without any way to get
debug information out of it).
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Thu, 24 Nov 2011 19:06:14 +0000 (20:06 +0100)]
mac80211: don't stop a single aggregation session twice
Nikolay noticed (by code review) that mac80211 can
attempt to stop an aggregation session while it is
already being stopped. So to fix it, check whether
stop is already being done and bail out if so.
Also move setting the STOPPING state into the lock
so things are properly atomic.
Cc: stable@vger.kernel.org Reported-by: Nikolay Martynov <mar.kolya@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andiry Xu [Thu, 17 Nov 2011 05:07:44 +0000 (13:07 +0800)]
xHCI: reset-on-resume quirk for NEC uPD720200
Julian Sikorski reports NEC uPD720200 does not work stable after suspend
and resume. Re-initialize the host in xhci_resume().
This should be backported to stable kernels as old as 2.6.37. The
kernel will need to include
commit c877b3b2ad5cb9d4fe523c5496185cc328ff3ae9
"xhci: Add reset on resume quirk for asrock p67 host"
for this patch to work.
Linus Torvalds [Mon, 28 Nov 2011 16:43:52 +0000 (08:43 -0800)]
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
hrtimer: Fix extra wakeups from __remove_hrtimer()
timekeeping: add arch_offset hook to ktime_get functions
clocksource: Avoid selecting mult values that might overflow when adjusted
time: Improve documentation of timekeeeping_adjust()
Edward Donovan [Mon, 28 Nov 2011 04:07:34 +0000 (23:07 -0500)]
genirq: fix regression in irqfixup, irqpoll
Commit fa27271bc8d2("genirq: Fixup poll handling") introduced a
regression that broke irqfixup/irqpoll for some hardware configurations.
Amidst reorganizing 'try_one_irq', that patch removed a test that
checked for 'action->handler' returning IRQ_HANDLED, before acting on
the interrupt. Restoring this test back returns the functionality lost
since 2.6.39. In the current set of tests, after 'action' is set, it
must precede '!action->next' to take effect.
With this and my previous patch to irq/spurious.c, c75d720fca8a, all
IRQ regressions that I have encountered are fixed.
Signed-off-by: Edward Donovan <edward.donovan@numble.net> Reported-and-tested-by: Rogério Brito <rbrito@ime.usp.br> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@kernel.org (2.6.39+) Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Aries Lee [Mon, 21 Nov 2011 10:20:42 +0000 (10:20 +0000)]
jme: PHY configuration for compatible issue
To perform PHY calibration and set a different EA value by chip ID,
Whenever the NIC chip power on, ie booting or resuming, we need to
force HW to calibrate PHY parameter again, and also set a proper EA
value which gather from experiment.
Those procedures help to reduce compatible issues(NIC is unable to link
up in some special case) in giga speed.
Signed-off-by: AriesLee <AriesLee@jmicron.com> Signed-off-by: Guo-Fu Tseng <cooldavid@cooldavid.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 27 Nov 2011 20:05:56 +0000 (12:05 -0800)]
Merge branch 'fbdev-for-linus' of git://github.com/schandinat/linux-2.6
* 'fbdev-for-linus' of git://github.com/schandinat/linux-2.6:
viafb: correct sync polarity for OLPC DCON
video:da8xx-fb: Disable and reset sequence on version2 of LCDC
OMAPDSS: DISPC: skip scaling calculations when not scaling
OMAPFB: fix compilation warnings due to missing include
OMAPDSS: HDMI: fix returned HDMI pixel clock
ath9k: Revert change that broke AR928X on Acer Ferrari One
Revert a hunk in drivers/net/wireless/ath/ath9k/hw.c introduced by
commit 2577c6e8f232 ("ath9k_hw: Add support for AR946/8x chipsets") that
caused a nasty regression to appear on my Acer Ferrari One (the box
locks up entirely at random times after the wireless has been started
without any way to get debug information out of it).
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Xi Wang [Fri, 25 Nov 2011 21:46:51 +0000 (16:46 -0500)]
Staging: comedi: fix integer overflow in do_insnlist_ioctl()
There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns. The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.
The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
and Haogang Chen <haogangchen@gmail.com>. The patch was suggested by
Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reported-by: Haogang Chen <haogangchen@gmail.com>. Cc: Ian Abbott <abbotti@mev.co.uk> Cc: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Takashi Iwai [Thu, 24 Nov 2011 15:33:09 +0000 (16:33 +0100)]
ALSA: hda - Fix jack-detection control of VT1708
VT1708 has no support for unsolicited events per jack-plug, the driver
implements the workq for polling the jack-detection. The mixer element
"Jack Detect" was supposed to control this behavior on/off, but this
doesn't work properly as is now. The workq is always started and the
HP automute is always enabled.
This patch fixes the jack-detect control behavior by triggering / stopping
the work appropriately at the state change. Also the work checks the
internal state to continue scheduling or not.
Dan Carpenter [Fri, 4 Nov 2011 18:20:43 +0000 (21:20 +0300)]
Staging: comedi: integer overflow in do_insnlist_ioctl()
There is an integer overflow here that could cause memory corruption
on 32 bit systems.
insnlist.n_insns could be a very high value size calculation for
kmalloc() could overflow resulting in a smaller "insns" than
expected. In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Federico Vaga [Sat, 29 Oct 2011 07:45:39 +0000 (09:45 +0200)]
Staging: comedi: fix mmap_count
In comedi_fops, mmap_count is decremented at comedi_vm_ops->close but
it is not incremented at comedi_vm_ops->open. This may result in a negative
counter. The patch introduces the open method to keep the counter
consistent.
Bart Westgeest [Tue, 1 Nov 2011 19:01:28 +0000 (15:01 -0400)]
staging: usbip: bugfix for deadlock
Interrupts must be disabled prior to calling usb_hcd_unlink_urb_from_ep.
If interrupts are not disabled, it can potentially lead to a deadlock.
The deadlock is readily reproduceable on a slower (ARM based) device
such as the TI Pandaboard.
Eric Dumazet [Sat, 26 Nov 2011 12:13:44 +0000 (12:13 +0000)]
inet: add a redirect generation id in inetpeer
Now inetpeer is the place where we cache redirect information for ipv4
destinations, we must be able to invalidate informations when a route is
added/removed on host.
As inetpeer is not yet namespace aware, this patch adds a shared
redirect_genid, and a per inetpeer redirect_genid. This might be changed
later if inetpeer becomes ns aware.
Cache information for one inerpeer is valid as long as its
redirect_genid has the same value than global redirect_genid.
Reported-by: Arkadiusz Miśkiewicz <a.miskiewicz@gmail.com> Tested-by: Arkadiusz Miśkiewicz <a.miskiewicz@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Will Deacon [Fri, 25 Nov 2011 18:23:36 +0000 (19:23 +0100)]
ARM: 7177/1: GIC: avoid skipping non-existent PPIs in irq_start calculation
Commit 4294f8baa ("ARM: gic: add irq_domain support") defines irq_start
as irq_start = (irq_start & ~31) + 16; On a platform with a GIC and a
CPU without PPIs, this results in irq_start being off by 16.
This patch fixes gic_init so that we only carve out a PPI space when
PPIs exist for the GIC being initialised.
Cc: Rob Herring <rob.herring@calxeda.com> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Marc Zyngier [Fri, 25 Nov 2011 16:58:19 +0000 (17:58 +0100)]
ARM: 7176/1: cpu_pm: register GIC PM notifier only once
When multiple GICs exist on a platform (RealView PB1176/11MP),
we must make sure the PM notifier block is only registered
once, otherwise we end up corrupting the PM notifier list.
The fix is to only register the notifier when initializing
the first GIC, as the power management functions seem
to iterate over all the registered GICs.
Tested on PB11MP and PB1176.
Reported-by: Will Deacon <will.deacon@arm.com> Tested-by: Will Deacon <will.deacon@arm.com> Cc: Colin Cross <ccross@android.com> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Axel Lin [Thu, 24 Nov 2011 23:23:28 +0000 (00:23 +0100)]
ARM: 7175/1: add subname parameter to mfp_set_groupg callers
commit 798681bf "ARM: 7158/1: add new MFP implement for NUC900"
adds subname parameter for mfp_set_groupg.
Thus add subname parameter to the callers.
Signed-off-by: Axel Lin <axel.lin@gmail.com> Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Acked-by: Wan Zongshun <mcuos.com@gmail.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Jon Medhurst [Thu, 24 Nov 2011 12:01:08 +0000 (13:01 +0100)]
ARM: 7174/1: Fix build error in kprobes test code on Thumb2 kernels
When compiling kprobes-test-thumb.c an error like below may occur:
/tmp/ccKcuJcG.s:19179: Error: offset out of range
This is caused by the compiler underestimating the size of the inline
assembler instructions containing ".space 0x1000" and failing to spill
the literal pool in time to prevent the generation of PC relative load
instruction with invalid offsets.
The fix implemented by this patch is to replace a single large .space
directive by a number of 4 byte .space's. This requires splitting the
macros which generate test cases for branch instructions into two forms:
one with, and one without support for inserting extra code between
branch and target.
Acked-by: Nicolas Pitre <nicolas.pitre@linaro.org> Signed-off-by: Jon Medhurst <jon.medhurst@linaro.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>