Linus Torvalds [Sat, 18 Aug 2012 23:20:05 +0000 (16:20 -0700)]
Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Pull ARM fixes from Russell King:
"The largest thing in this set of changes is bringing back some of the
ARMv3 code to fix a compile problem noticed on RiscPC, which we still
support, even though we only support ARMv4 there.
(The reason is that the system bus doesn't support ARMv4 half-word
accesses, so we need the ARMv3 library code for this platform.)
The rest are all quite minor fixes."
* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
ARM: 7490/1: Drop duplicate select for GENERIC_IRQ_PROBE
ARM: Bring back ARMv3 IO and user access code
ARM: 7489/1: errata: fix workaround for erratum #720789 on UP systems
ARM: 7488/1: mm: use 5 bits for swapfile type encoding
ARM: 7487/1: mm: avoid setting nG bit for user mappings that aren't present
ARM: 7486/1: sched_clock: update epoch_cyc on resume
ARM: 7484/1: Don't enable GENERIC_LOCKBREAK with ticket spinlocks
ARM: 7483/1: vfp: only advertise VFPv4 in hwcaps if CONFIG_VFPv3 is enabled
ARM: 7482/1: topology: fix section mismatch warning for init_cpu_topology
Linus Torvalds [Sat, 18 Aug 2012 21:39:19 +0000 (14:39 -0700)]
Merge tag 'pm-for-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael J. Wysocki:
- Fixes for three obscure problems in the runtime PM core code found
recently.
- Two fixes for the new "coupled" cpuidle code from Colin Cross and Jon
Medhurst.
- intel_idle driver fix from Konrad Rzeszutek Wilk.
* tag 'pm-for-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
intel_idle: Check cpu_idle_get_driver() for NULL before dereferencing it.
cpuidle: Prevent null pointer dereference in cpuidle_coupled_cpu_notify
cpuidle: coupled: fix sleeping while atomic in cpu notifier
PM / Runtime: Check device PM QoS setting before "no callbacks" check
PM / Runtime: Clear power.deferred_resume on success in rpm_suspend()
PM / Runtime: Fix rpm_resume() return value for power.no_callbacks set
Linus Torvalds [Sat, 18 Aug 2012 17:02:17 +0000 (10:02 -0700)]
Merge branch 'vfs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
Pull vfs fixes from Miklos Szeredi.
This mainly fixes some confusion about whether the open 'mode' variable
passed around should contain the full file type (S_IFREG etc)
information or just the permission mode. In particular, the lack of
proper file type information had confused fuse.
* 'vfs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
vfs: fix propagation of atomic_open create error on negative dentry
fuse: check create mode in atomic open
vfs: pass right create mode to may_o_create()
vfs: atomic_open(): fix create mode usage
vfs: canonicalize create mode in build_open_flags()
Sven Schnelle [Fri, 17 Aug 2012 19:43:43 +0000 (21:43 +0200)]
USB: CDC ACM: Fix NULL pointer dereference
If a device specifies zero endpoints in its interface descriptor,
the kernel oopses in acm_probe(). Even though that's clearly an
invalid descriptor, we should test wether we have all endpoints.
This is especially bad as this oops can be triggered by just
plugging a USB device in.
USB: emi62: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
Reported-by: Fengguang Wu <fengguang.wu@intel.com> Reported-by: Bjørn Mork <bjorn@mork.no> Cc: stable <stable@vger.kernel.org> CC: Paul Gortmaker <paul.gortmaker@windriver.com> CC: Andrew Morton <akpm@linux-foundation.org> CC: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: winbond: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
USB: vt6656: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
Reported-by: Fengguang Wu <fengguang.wu@intel.com> Reported-by: Bjørn Mork <bjorn@mork.no> Cc: stable <stable@vger.kernel.org> CC: Forest Bond <forest@alittletooquiet.net> CC: Marcos Paulo de Souza <marcos.souza.org@gmail.com> CC: "David S. Miller" <davem@davemloft.net> CC: Jesper Juhl <jj@chaosbits.net> CC: Jiri Pirko <jpirko@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: rtl8187: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
USB: p54usb: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
USB: spca506: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
USB: jl2005bcd: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
USB: smsusb: remove __devinit* from the struct usb_device_id table
This structure needs to always stick around, even if CONFIG_HOTPLUG
is disabled, otherwise we can oops when trying to probe a device that
was added after the structure is thrown away.
Thanks to Fengguang Wu and Bjørn Mork for tracking this issue down.
Linus Torvalds [Sat, 18 Aug 2012 00:47:32 +0000 (17:47 -0700)]
Merge tag 'md-3.6-fixes' of git://neil.brown.name/md
Pull md fixes from NeilBrown:
"2 fixes for md, tagged for -stable"
* tag 'md-3.6-fixes' of git://neil.brown.name/md:
md/raid10: fix problem with on-stack allocation of r10bio structure.
md: Don't truncate size at 4TB for RAID0 and Linear
NeilBrown [Fri, 17 Aug 2012 23:51:42 +0000 (09:51 +1000)]
md/raid10: fix problem with on-stack allocation of r10bio structure.
A 'struct r10bio' has an array of per-copy information at the end.
This array is declared with size [0] and r10bio_pool_alloc allocates
enough extra space to store the per-copy information depending on the
number of copies needed.
So declaring a 'struct r10bio on the stack isn't going to work. It
won't allocate enough space, and memory corruption will ensue.
So in the two places where this is done, declare a sufficiently large
structure and use that instead.
The two call-sites of this bug were introduced in 3.4 and 3.5
so this is suitable for both those kernels. The patch will have to
be modified for 3.4 as it only has one bug.
Cc: stable@vger.kernel.org Reported-by: Ivan Vasilyev <ivan.vasilyev@gmail.com> Tested-by: Ivan Vasilyev <ivan.vasilyev@gmail.com> Signed-off-by: NeilBrown <neilb@suse.de>
Linus Torvalds [Fri, 17 Aug 2012 18:45:58 +0000 (11:45 -0700)]
Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband
Pull infiniband/rdma fixes from Roland Dreier:
"Grab bag of InfiniBand/RDMA fixes:
- IPoIB fixes for regressions introduced by path database conversion
- mlx4 fixes for bugs with large memory systems and regressions from
SR-IOV patches
- RDMA CM fix for passing bad event up to userspace
- Other minor fixes"
* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
IB/mlx4: Check iboe netdev pointer before dereferencing it
mlx4_core: Clean up buddy bitmap allocation
mlx4_core: Fix integer overflow issues around MTT table
mlx4_core: Allow large mlx4_buddy bitmaps
IB/srp: Fix a race condition
IB/qib: Fix error return code in qib_init_7322_variables()
IB: Fix typos in infiniband drivers
IB/ipoib: Fix RCU pointer dereference of wrong object
IB/ipoib: Add missing locking when CM object is deleted
RDMA/ucma.c: Fix for events with wrong context on iWARP
RDMA/ocrdma: Don't call vlan_dev_real_dev() for non-VLAN netdevs
IB/mlx4: Fix possible deadlock on sm_lock spinlock
intel_idle: Check cpu_idle_get_driver() for NULL before dereferencing it.
If the machine is booted without any cpu_idle driver set
(b/c disable_cpuidle() has been called) we should follow
other users of cpu_idle API and check the return value
for NULL before using it.
Reported-and-tested-by: Mark van Dijk <mark@internecto.net> Suggested-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
cpuidle: Prevent null pointer dereference in cpuidle_coupled_cpu_notify
When a kernel is built to support multiple hardware types it's possible
that CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is set but the hardware the
kernel is run on doesn't support cpuidle and therefore doesn't load a
driver for it. In this case, when the system is shut down,
cpuidle_coupled_cpu_notify() gets called with cpuidle_devices set to
NULL. There are quite possibly other circumstances where this
situation can also occur and we should check for it.
Signed-off-by: Jon Medhurst <tixy@linaro.org> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Colin Cross [Wed, 15 Aug 2012 20:10:50 +0000 (22:10 +0200)]
cpuidle: coupled: fix sleeping while atomic in cpu notifier
The cpu hotplug notifier gets called in both atomic and non-atomic
contexts, it is not always safe to lock a mutex. Filter out all events
except the six necessary ones, which are all sleepable, before taking
the mutex.
Signed-off-by: Colin Cross <ccross@android.com> Reviewed-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
PM / Runtime: Check device PM QoS setting before "no callbacks" check
If __dev_pm_qos_read_value(dev) returns a negative value,
rpm_suspend() should return -EPERM for dev even if its
power.no_callbacks flag is set. For this to happen, the device's
power.no_callbacks flag has to be checked after the PM QoS check,
so move the PM QoS check to rpm_check_suspend_allowed() (this will
make it cover idle notifications as well as runtime suspend too).
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable@vger.kernel.org
PM / Runtime: Clear power.deferred_resume on success in rpm_suspend()
The power.deferred_resume can only be set if the runtime PM status
of device is RPM_SUSPENDING and it should be cleared after its
status has been changed, regardless of whether or not the runtime
suspend has been successful. However, it only is cleared on
suspend failure, while it may remain set on successful suspend and
is happily leaked to rpm_resume() executed in that case.
That shouldn't happen, so if power.deferred_resume is set in
rpm_suspend() after the status has been changed to RPM_SUSPENDED,
clear it before calling rpm_resume(). Then, it doesn't need to be
cleared before changing the status to RPM_SUSPENDING any more,
because it's always cleared after the status has been changed to
either RPM_SUSPENDED (on success) or RPM_ACTIVE (on failure).
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable@vger.kernel.org
PM / Runtime: Fix rpm_resume() return value for power.no_callbacks set
For devices whose power.no_callbacks flag is set, rpm_resume()
should return 1 if the device's parent is already active, so that
the callers of pm_runtime_get() don't think that they have to wait
for the device to resume (asynchronously) in that case (the core
won't queue up an asynchronous resume in that case, so there's
nothing to wait for anyway).
Modify the code accordingly (and make sure that an idle notification
will be queued up on success, even if 1 is to be returned).
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable@vger.kernel.org
Linus Torvalds [Fri, 17 Aug 2012 17:17:03 +0000 (10:17 -0700)]
Merge tag 'staging-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging fixes from Greg Kroah-Hartman:
"Here are some staging driver fixes (and iio driver fixes, they get
lumped in with the staging stuff due to dependancies) for your 3.6-rc3
tree.
Nothing major, just a bunch of fixes that people have reported.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'staging-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (26 commits)
iio: lm3533-als: Fix build warnings
staging:iio:ad7780: Mark channels as unsigned
staging:iio:ad7192: Report offset and scale for temperature channel
staging:iio:ad7192: Report channel offset
staging:iio:ad7192: Mark channels as unsigned
staging:iio:ad7192: Fix setting ACX
staging:iio:ad7192: Add missing break in switch statement
staging:iio:ad7793: Fix internal reference value
staging:iio:ad7793: Follow new IIO naming spec
staging:iio:ad7793: Fix temperature scale and offset
staging:iio:ad7793: Report channel offset
staging:iio:ad7793: Mark channels as unsigned
staging:iio:ad7793: Add missing break in switch statement
iio/adjd_s311: Fix potential memory leak in adjd_s311_update_scan_mode()
iio: frequency: ADF4350: Fix potential reference div factor overflow.
iio: staging: ad7298_ring: Fix maybe-uninitialized warning
staging: comedi: usbduxfast: Declare MODULE_FIRMWARE usage
staging: comedi: usbdux: Declare MODULE_FIRMWARE usage
staging: comedi: usbduxsigma: Declare MODULE_FIRMWARE usage
staging: csr: add INET dependancy
...
Linus Torvalds [Fri, 17 Aug 2012 17:16:30 +0000 (10:16 -0700)]
Merge tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull driver core fixes from Greg Kroah-Hartman:
"Here are two tiny patches, one fixing a dynamic debug problem that the
printk rework turned up, and the other one fixing an extcon problem
that people reported.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
extcon: extcon_gpio: Replace gpio_request_one by devm_gpio_request_one
drivers-core: make structured logging play nice with dynamic-debug
Linus Torvalds [Fri, 17 Aug 2012 17:15:57 +0000 (10:15 -0700)]
Merge tag 'char-misc-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull Char / Misc driver fixes from Greg Kroah-Hartman:
"Here are some small misc and w1 driver fixes for 3.6-rc3. Nothing
major, just some some bugfixes and a new device id for a w1 driver.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'char-misc-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
1-Wire: Add support for the maxim ds1825 temperature sensor
ti-st: Fix check for pdata->chip_awake function pointer
mei: add mei_quirk_probe function
mei: fix device stall after wd is stopped
Linus Torvalds [Fri, 17 Aug 2012 17:14:53 +0000 (10:14 -0700)]
Merge tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB patches from Greg Kroah-Hartman:
"Here are a number of small USB patches for 3.6-rc3.
The "large" one is just a number of device id updates to the option
driver, done by the manufacturer, properly fixing up the device ids
based on shipping devices.
Other than that, some gadget driver fixes, the obligitary XHCI
patches, and some other device ids and bugs fixed.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 commits)
USB: qcserial: fix port handling on Gobi 1K and 2K+
USB: serial: Fix mos7840 timeout
USB: option: add ZTE K5006-Z
usb: gadget: u_ether: fix kworker 100% CPU issue with still used interfaces in eth_stop
usb: host: tegra: fix warning messages in ehci_remove
usb: host: mips: sead3: Update for EHCI register structure.
usb: renesas_usbhs: fixup resume method for autonomy mode
usb: renesas_usbhs: mod_host: add missing .bus_suspend/resume
update MAINTAINERS for Oliver Neukum
usb: usb_wwan: resume/suspend can be called after port is gone
usb: serial: prevent suspend/resume from racing against probe/remove
usb: usb_wwan: replace release and disconnect with a port_remove hook
usb: serial: mos7840: Fixup mos7840_chars_in_buffer()
USB: isp1362-hcd.c: usb message always saved in case of underrun
OMAP: USB : Fix the EHCI enumeration and core retention issue
usb: chipidea: fix and improve dependencies if usb host or gadget support is built as module
USB: support the new interfaces of Huawei Data Card devices in option driver
USB: ftdi_sio: Add VID/PID for Kondo Serial USB
xhci: Switch PPT ports to EHCI on shutdown.
xhci: Fix bug after deq ptr set to link TRB.
...
Linus Torvalds [Fri, 17 Aug 2012 15:04:47 +0000 (08:04 -0700)]
Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 bug fixes from Ted Ts'o:
"The following are all bug fixes and regressions. The most notable are
the ones which cause problems for ext4 on RAID --- a performance
problem when mounting very large filesystems, and a kernel OOPS when
doing an rm -rf on large directory hierarchies on fast devices."
* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: fix kernel BUG on large-scale rm -rf commands
ext4: fix long mount times on very big file systems
ext4: don't call ext4_error while block group is locked
ext4: avoid kmemcheck complaint from reading uninitialized memory
ext4: make sure the journal sb is written in ext4_clear_journal_err()
Ian Kent [Fri, 17 Aug 2012 03:09:04 +0000 (11:09 +0800)]
autofs4 - fix expire check
In some cases when an autofs indirect mount is contained in a file
system that is marked as shared (such as when systemd does the
equivalent of "mount --make-rshared /" early in the boot), mounts
stop expiring.
When this happens the first expiry check on a mountpoint dentry in
autofs_expire_indirect() sees a mountpoint dentry with a higher
than minimal reference count. Consequently the dentry is condidered
busy and the actual expiry check is never done.
This particular check was originally meant as an optimisation to
detect a path walk in progress but with the addition of rcu-walk
it can be ineffective anyway.
Removing the test allows automounts to expire again since the
actual expire check doesn't rely on the dentry reference count.
Signed-off-by: Ian Kent <raven@themaw.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Theodore Ts'o [Fri, 17 Aug 2012 12:54:52 +0000 (08:54 -0400)]
ext4: fix kernel BUG on large-scale rm -rf commands
Commit 968dee7722: "ext4: fix hole punch failure when depth is greater
than 0" introduced a regression in v3.5.1/v3.6-rc1 which caused kernel
crashes when users ran run "rm -rf" on large directory hierarchy on
ext4 filesystems on RAID devices:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
The problem in commit 968dee7722 was that caused the variable 'i' to
be left uninitialized if the truncate required more space than was
available in the journal. This resulted in the function
ext4_ext_truncate_extend_restart() returning -EAGAIN, which caused
ext4_ext_remove_space() to restart the truncate operation after
starting a new jbd2 handle.
Theodore Ts'o [Thu, 16 Aug 2012 15:59:04 +0000 (11:59 -0400)]
ext4: fix long mount times on very big file systems
Commit 8aeb00ff85a: "ext4: fix overhead calculation used by
ext4_statfs()" introduced a O(n**2) calculation which makes very large
file systems take forever to mount. Fix this with an optimization for
non-bigalloc file systems. (For bigalloc file systems the overhead
needs to be set in the the superblock.)
Theodore Ts'o [Fri, 10 Aug 2012 17:57:52 +0000 (13:57 -0400)]
ext4: don't call ext4_error while block group is locked
While in ext4_validate_block_bitmap(), if an block allocation bitmap
is found to be invalid, we call ext4_error() while the block group is
still locked. This causes ext4_commit_super() to call a function
which might sleep while in an atomic context.
There's no need to keep the block group locked at this point, so hoist
the ext4_error() call up to ext4_validate_block_bitmap() and release
the block group spinlock before calling ext4_error().
Kees Cook [Wed, 15 Aug 2012 18:41:55 +0000 (11:41 -0700)]
Yama: access task_struct->comm directly
The core ptrace access checking routine holds a task lock, and when
reporting a failure, Yama takes a separate task lock. To avoid a
potential deadlock with two ptracers taking the opposite locks, do not
use get_task_comm() and just use ->comm directly since accuracy is not
important for the report.
John Fastabend [Tue, 14 Aug 2012 12:34:35 +0000 (12:34 +0000)]
net: netprio: fix cgrp create and write priomap race
A race exists where creating cgroups and also updating the priomap
may result in losing a priomap update. This is because priomap
writers are not protected by rtnl_lock.
Move priority writer into rtnl_lock()/rtnl_unlock().
CC: Neil Horman <nhorman@tuxdriver.com> Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Tue, 14 Aug 2012 12:34:30 +0000 (12:34 +0000)]
net: netprio: fd passed in SCM_RIGHTS datagram not set correctly
A socket fd passed in a SCM_RIGHTS datagram was not getting
updated with the new tasks cgrp prioidx. This leaves IO on
the socket tagged with the old tasks priority.
To fix this add a check in the scm recvmsg path to update the
sock cgrp prioidx with the new tasks value.
Thanks to Al Viro for catching this.
CC: Neil Horman <nhorman@tuxdriver.com> Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Tue, 14 Aug 2012 12:34:24 +0000 (12:34 +0000)]
net: netprio: fix files lock and remove useless d_path bits
Add lock to prevent a race with a file closing and also remove
useless and ugly sscanf code. The extra code was never needed
and the case it supposedly protected against is in fact handled
correctly by sock_from_file as pointed out by Al Viro.
CC: Neil Horman <nhorman@tuxdriver.com> Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jason Wang [Wed, 15 Aug 2012 20:44:27 +0000 (20:44 +0000)]
act_mirred: do not drop packets when fails to mirror it
We drop packet unconditionally when we fail to mirror it. This is not intended
in some cases. Consdier for kvm guest, we may mirror the traffic of the bridge
to a tap device used by a VM. When kernel fails to mirror the packet in
conditions such as when qemu crashes or stop polling the tap, it's hard for the
management software to detect such condition and clean the the mirroring
before. This would lead all packets to the bridge to be dropped and break the
netowrk of other virtual machines.
To solve the issue, the patch does not drop packets when kernel fails to mirror
it, and only drop the redirected packets.
Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Merge tag 'v3.6-rc1-iio-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
IIO fixes for v3.6-rc1
These mostly consist of fixes from Lars-Peter Clausen that were
the first part of a large series reworking the drivers concerned.
Turns out these drivers had quite a wealth of minor bugs.
Also here are some build warning fixes for lm3533-als and
adjd_s111 (both new drives in this cycle).
Final elements are a a div factor overflow and a warning
related fix in a couple of Analog Devices drivers.
All in all nothing major, but a worthwhile bunch of short
fixes.
Axel Lin [Thu, 2 Aug 2012 10:10:00 +0000 (11:10 +0100)]
iio: lm3533-als: Fix build warnings
Fix below build warnings:
CC [M] drivers/iio/light/lm3533-als.o
drivers/iio/light/lm3533-als.c:667:8: warning: initialization from incompatible pointer type [enabled by default]
drivers/iio/light/lm3533-als.c:667:8: warning: (near initialization for 'dev_attr_in_illuminance0_thresh_either_en.show') [enabled by default]
drivers/iio/light/lm3533-als.c:667:8: warning: initialization from incompatible pointer type [enabled by default]
drivers/iio/light/lm3533-als.c:667:8: warning: (near initialization for 'dev_attr_in_illuminance0_thresh_either_en.store') [enabled by default]
staging:iio:ad7192: Report offset and scale for temperature channel
The temperature channel reports values in degree Kelvin with sensitivity of 5630
codes per degree. If the chip is configured in bipolar mode there is an
additional binary offset of 0x800000 and the sensitivity is divided by two.
Currently the driver does the mapping from the raw value to degree Celsius when
doing a manual conversion. This has several disadvantages, the major one being
that it does not work for buffered mode, also by doing the division by the
sensitivity in the driver the precession of the reported value is needlessly
reduced.
Furthermore the current calculation only works in bipolar mode and the current
scale is of by a factor of 1000.
This patch modifies the driver to report correct offset and scale values in
both unipolar and bipolar mode and to report the raw temperature value
for manual conversions.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
In bipolar mode there is a a binary offset of 2**(N-1) (with N being the number
of bits) on the reported value. Currently this value is subtracted when doing a
manual read. While this works for manual channel readings it does not work for
buffered mode. So report the offset in the channels offset property, which will
work in both modes.
The values reported by the AD7793 are unsigned.
In uniploar mode:
0x000000 is zeroscale
0xffffff is fullscale
In bipolar mode:
0x000000 is negative fullscale
0x800000 is zeroscale
0xffffff is positive fullscale
In bipolar mode there is a binary offset, but the values are still unsigned.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
staging:iio:ad7793: Fix temperature scale and offset
The temperature channel uses the internal 1.17V reference with 0.81 mv/C. The
reported temperature is in Kevlin, so we need to add the Kelvin to Celcius
offset when reporting the offset for the temperature channel.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
In bipolar mode there is a a binary offset of 2**(N-1) (with N being the number
of bits) on the reported value. Currently this value is subtracted when doing a
manual read. While this works for manual channel readings it does not work for
buffered mode. So report the offset in the channels offset property, which will
work in both modes.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
The values reported by the AD7793 are unsigned.
In uniploar mode:
0x000000 is zeroscale
0xffffff is fullscale
In bipolar mode:
0x000000 is negative fullscale
0x800000 is zeroscale
0xffffff is positive fullscale
In bipolar mode there is a binary offset, but the values are still unsigned.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
iio/adjd_s311: Fix potential memory leak in adjd_s311_update_scan_mode()
Do not leak memory by updating pointer with potentially NULL realloc return value.
There is no need to preserve data in the buffer,
so replace krealloc() by kfree()-kmalloc() pair.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Acked-by: Peter Meerwald <pmeerw@pmeerw.net> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
iio: frequency: ADF4350: Fix potential reference div factor overflow.
With small channel spacing values and high reference frequencies it is
possible to exceed the range of the 10-bit counter.
Workaround by checking the range and widening some constrains.
We don't use the REG1_PHASE value in this case the datasheet recommends to set
it to 1 if not used.
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Jason Wessel [Sun, 12 Aug 2012 12:16:43 +0000 (07:16 -0500)]
pmac_zilog,kdb: Fix console poll hook to return instead of loop
kdb <-> kgdb transitioning does not work properly with this UART
driver because the get character routine loops indefinitely as opposed
to returning NO_POLL_CHAR per the expectation of the KDB I/O driver
API.
The symptom is a kernel hang when trying to switch debug modes.
Cc: Alan Cox <alan@linux.intel.com> Signed-off-by: Jason Wessel <jason.wessel@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Huang Shijie [Wed, 8 Aug 2012 02:37:59 +0000 (10:37 +0800)]
serial: mxs-auart: fix the wrong RTS hardware flow control
Without checking if the auart supports the hardware flow control or not,
the old mxs_auart_set_mctrl() asserted the RTS pin blindly.
This will causes the auart receives wrong data in the following case:
The far-end has already started the write operation, and wait for
the auart asserts the RTS pin. Then the auart starts the read operation,
but mxs_auart_set_mctrl() may be called before we set the RTSCTS in the
mxs_auart_settermios(). So the RTS pin is asserted in a wrong situation,
and we get the wrong data in the end.
This bug has been catched when I connect the mx23(DTE) to the mx53(DCE).
This patch also replaces the AUART_CTRL2_RTS with AUART_CTRL2_RTSEN.
We should use the real the hardware flow control, not the software-controled
hardware flow control.
Ian Kent [Mon, 6 Aug 2012 01:37:47 +0000 (09:37 +0800)]
autofs4 - fix get_next_positive_subdir()
Following a report of a crash during an automount expire I found that
the locking in fs/autofs4/expire.c:get_next_positive_subdir() was wrong.
Not only is the locking wrong but the function is more complex than it
needs to be.
The function is meant to calculate (and dget) the next entry in the list
of directories contained in the root of an autofs mount point (an autofs
indirect mount to be precise). The main problem was that the d_lock of
the owner of the list was not being taken when walking the list, which
lead to list corruption under load. The only other lock that needs to
be taken is against the next dentry candidate so it can be checked for
usability.
Signed-off-by: Ian Kent <raven@themaw.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 16 Aug 2012 18:47:42 +0000 (11:47 -0700)]
Merge tag 'vfio-for-v3.6-rc1' of git://github.com/awilliam/linux-vfio
Pull VFIO fix from Alex Williamson:
"Just a trivial patch to include vfio.h in the installed headers so we
can complete userspace integration into QEMU."
* tag 'vfio-for-v3.6-rc1' of git://github.com/awilliam/linux-vfio:
vfio: Include vfio.h in installed headers
Linus Torvalds [Thu, 16 Aug 2012 18:31:59 +0000 (11:31 -0700)]
Merge tag 'stable/for-linus-3.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
Pull Xen fix from Konrad Rzeszutek Wilk:
"Way back in v3.5 we added a mechanism to populate back pages that were
released (they overlapped with MMIO regions), but neglected to reserve
the proper amount of virtual space for extend_brk to work properly.
Coincidentally some other commit aligned the _brk space to larger area
so I didn't trigger this until it was run on a machine with more than
2GB of MMIO space."
* On machines with large MMIO/PCI E820 spaces we fail to boot b/c
we failed to pre-allocate large enough virtual space for extend_brk.
* tag 'stable/for-linus-3.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
xen/p2m: Reserve 8MB of _brk space for P2M leafs when populating back.
Linus Torvalds [Thu, 16 Aug 2012 18:13:16 +0000 (11:13 -0700)]
Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
Pull two slave-dmaengine fixes from Vinod Koul:
"One fixes the correct use of clock API in imx driver and the other
enables clock for tegra driver, which is used for other tegra driver
conversion to dmanegine in -next."
* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
dma: tegra: enable/disable dma clock
dma: imx-dma: Fix kernel crash due to missing clock conversion
Linus Torvalds [Thu, 16 Aug 2012 18:08:32 +0000 (11:08 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull more drm fixes from Dave Airlie:
"Just some intel and nouveau ones this time, intel has more edp panel
fixes for macbooks and nouveau has a suspend/resume regression fix in
there."
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/i915: Apply post-sync write for pipe control invalidates
drm/i915: reorder edp disabling to fix ivb MacBook Air
drm/nv86/fifo: suspend fix
drm/nouveau: disable copy engine on NVAF
nouveau: fixup scanout enable in nvc0_pm
drm/nouveau/aux: mask off higher bits of auxch index in i2c table entry
drm/nvd0/disp: mask off high 16 bit of negative cursor x-coordinate
drm/i915: ensure i2c adapter is all set before adding it
drm/i915: ignore eDP bpc settings from vbt
drm/i915: Fix blank panel at reopening lid
drm/nve0/fifo: add support for the flip completion swmthd
Tomas Winkler [Mon, 6 Aug 2012 12:23:55 +0000 (15:23 +0300)]
mei: add mei_quirk_probe function
The main purpose of this function is to exclude ME devices
without support for MEI/HECI interface from binding
Currently affected systems are C600/X79 based servers
that expose PCI device even though it doesn't supported ME Interface.
MEI driver accessing such nonfunctional device can corrupt
the system.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sage Weil [Wed, 15 Aug 2012 20:30:12 +0000 (13:30 -0700)]
vfs: fix propagation of atomic_open create error on negative dentry
If ->atomic_open() returns -ENOENT, we take care to return the create
error (e.g., EACCES), if any. Do the same when ->atomic_open() returns 1
and provides a negative dentry.
This fixes a regression where an unprivileged open O_CREAT fails with
ENOENT instead of EACCES, introduced with the new atomic_open code. It
is tested by the open/08.t test in the pjd posix test suite, and was
observed on top of fuse (backed by ceph-fuse).
Signed-off-by: Sage Weil <sage@inktank.com> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Jim Cromie [Thu, 19 Jul 2012 19:46:21 +0000 (13:46 -0600)]
drivers-core: make structured logging play nice with dynamic-debug
commit c4e00daaa96d3a0786f1f4fe6456281c60ef9a16 changed __dev_printk
in a way that broke dynamic-debug's ability to control the dynamic
prefix of dev_dbg(dev,..), but not dev_dbg(NULL,..) or pr_debug(..),
which is why it wasnt noticed sooner.
When dev==NULL, __dev_printk() just calls printk(), which just works.
But otherwise, it assumed that level was always a string like "<L>"
and just plucked out the 'L', ignoring the rest. However,
dynamic_emit_prefix() adds "[tid] module:func:line:" to the string,
those additions all got lost.
Signed-off-by: Jim Cromie <jim.cromie@gmail.com> Acked-by: Jason Baron <jbaron@redhat.com> Cc: stable <stable@vger.kernel.org> Cc: Kay Sievers <kay.sievers@vrfy.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Williams [Mon, 23 Jul 2012 19:26:07 +0000 (14:26 -0500)]
USB: qcserial: fix port handling on Gobi 1K and 2K+
Bjorn's latest patchset does break Gobi 1K and 2K because on both
devices as it claims usb interface 0. That's because usbif 0 is not
handled in the switch statement, and thus the if0 gets claimed when it
should not. So let's just make things even simpler yet, and handle both
the 1K and 2K+ cases separately. This patch should not affect the new
Sierra device support, because those devices are matched via
interface-specific matching and thus should never hit the composite
code.
Signed-off-by: Dan Williams <dcbw@redhat.com> Tested-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
IB/mlx4: Check iboe netdev pointer before dereferencing it
Unlike other parts of the mlx4_ib code, the function build_mlx_header()
doesn't check if the iboe netdev of the given port is valid before
dereferencing it, which can cause a crash if the ethernet interface
has already been taken down.
Fix this by checking for a valid netdev pointer before using it to get
the port MAC address.
Signed-off-by: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com> Signed-off-by: Roland Dreier <roland@purestorage.com>
changed 0.90 metadata handling to truncated size to 4TB as that is
all that 0.90 can record.
However for RAID0 and Linear, 0.90 doesn't need to record the size, so
this truncation is not needed and causes working arrays to become too small.
So avoid the truncation for RAID0 and Linear
This bug was introduced in 3.1 and is suitable for any stable kernels
from then onwards.
As the offending commit was tagged for 'stable', any stable kernel
that it was applied to should also get this patch. That includes
at least 2.6.32, 2.6.33 and 3.0. (Thanks to Ben Hutchings for
providing that list).
Cc: stable@vger.kernel.org Signed-off-by: Neil Brown <neilb@suse.de>
Takashi Iwai [Wed, 15 Aug 2012 10:32:00 +0000 (12:32 +0200)]
ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream
A PCM capture stream on usb-audio causes a scheduling-while-atomic
BUG, as reported in the bugzilla entry below. It's because
snd_usb_endpoint_start() is called at first at trigger START for a
capture stream, and this function contains the left-over EP
deactivation codes. The problem doesn't happen for a playback stream
because the function is called at PCM prepare time, which can sleep.
This patch fixes the BUG by moving the EP deactivation code into the
PCM prepare callback.
Mathias Krause [Wed, 15 Aug 2012 11:31:57 +0000 (11:31 +0000)]
net: fix info leak in compat dev_ifconf()
The implementation of dev_ifconf() for the compat ioctl interface uses
an intermediate ifc structure allocated in userland for the duration of
the syscall. Though, it fails to initialize the padding bytes inserted
for alignment and that for leaks four bytes of kernel stack. Add an
explicit memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:56 +0000 (11:31 +0000)]
ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)
If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is
not set, __ip_vs_get_timeouts() does not fully initialize the structure
that gets copied to userland and that for leaks up to 12 bytes of kernel
stack. Add an explicit memset(0) before passing the structure to
__ip_vs_get_timeouts() to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Wensong Zhang <wensong@linux-vs.org> Cc: Simon Horman <horms@verge.net.au> Cc: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:55 +0000 (11:31 +0000)]
dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)
The CCID3 code fails to initialize the trailing padding bytes of struct
tfrc_tx_info added for alignment on 64 bit architectures. It that for
potentially leaks four bytes kernel stack via the getsockopt() syscall.
Add an explicit memset(0) before filling the structure to avoid the
info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:54 +0000 (11:31 +0000)]
dccp: check ccid before dereferencing
ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with
a NULL ccid pointer leading to a NULL pointer dereference. This could
lead to a privilege escalation if the attacker is able to map page 0 and
prepare it with a fake ccid_ops pointer.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> Cc: stable@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:53 +0000 (11:31 +0000)]
llc: fix info leak via getsockname()
The LLC code wrongly returns 0, i.e. "success", when the socket is
zapped. Together with the uninitialized uaddrlen pointer argument from
sys_getsockname this leads to an arbitrary memory leak of up to 128
bytes kernel stack via the getsockname() syscall.
Return an error instead when the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:52 +0000 (11:31 +0000)]
l2tp: fix info leak via getsockname()
The L2TP code for IPv6 fails to initialize the l2tp_unused member of
struct sockaddr_l2tpip6 and that for leaks two bytes kernel stack via
the getsockname() syscall. Initialize l2tp_unused with 0 to avoid the
info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:51 +0000 (11:31 +0000)]
Bluetooth: L2CAP - Fix info leak via getsockname()
The L2CAP code fails to initialize the l2_bdaddr_type member of struct
sockaddr_l2 and the padding byte added for alignment. It that for leaks
two bytes kernel stack via the getsockname() syscall. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:50 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak via getsockname()
The RFCOMM code fails to initialize the trailing padding byte of struct
sockaddr_rc added for alignment. It that for leaks one byte kernel stack
via the getsockname() syscall. Add an explicit memset(0) before filling
the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:49 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.
Allocate the memory using kzalloc() to fix this issue.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Wed, 15 Aug 2012 11:31:48 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)
The RFCOMM code fails to initialize the key_size member of struct
bt_security before copying it to userland -- that for leaking one
byte kernel stack. Initialize key_size with 0 to avoid the info
leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
projects / karo-tx-linux.git / log