John Johansen [Thu, 16 Feb 2012 14:28:50 +0000 (06:28 -0800)]
AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
When __d_path and d_absolute_path fail due to the name being outside of
the current namespace no name is reported. Use dentry_path to provide
some hint as to which file was being accessed.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
John Johansen [Sat, 10 Mar 2012 19:25:30 +0000 (11:25 -0800)]
AppArmor: Fix oops in policy unpack auditing
Post unpacking of policy a verification pass is made on x transition
indexes. When this fails a call to audit_iface is made resulting in an
oops, because audit_iface is expecting a valid buffer position but
since the failure comes from post unpack verification there is none.
Make the position argument optional so that audit_iface can be called
from post unpack verification.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 10 Mar 2012 19:19:51 +0000 (11:19 -0800)]
AppArmor: Fix error returned when a path lookup is disconnected
The returning of -ESATLE when a path lookup fails as disconnected is wrong.
Since AppArmor is rejecting the access return -EACCES instead.
This also fixes a bug in complain (learning) mode where disconnected paths
are denied because -ESTALE errors are not ignored causing failures that
can change application behavior.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Dan Carpenter [Tue, 6 Mar 2012 13:32:16 +0000 (13:32 +0000)]
KEYS: testing wrong bit for KEY_FLAG_REVOKED
The test for "if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {"
should actually testing that the (1 << KEY_FLAG_REVOKED) bit is set.
The current code actually checks for KEY_FLAG_DEAD.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
Tetsuo Handa [Wed, 29 Feb 2012 12:53:22 +0000 (21:53 +0900)]
TOMOYO: Fix mount flags checking order.
Userspace can pass in arbitrary combinations of MS_* flags to mount().
If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE are
passed, device name which should be checked for MS_BIND was not checked because
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher priority than MS_BIND.
If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which
should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had
higher priority than MS_REMOUNT.
Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() does.
Also, unconditionally return -EINVAL if more than one of
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO will not
generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount
flags passed to change_mnt_propagation()" clarified that these flags must be
exclusively passed.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com>
John Johansen [Thu, 16 Feb 2012 14:21:30 +0000 (06:21 -0800)]
AppArmor: Fix the error case for chroot relative path name lookup
When a chroot relative pathname lookup fails it is falling through to
do a d_absolute_path lookup. This is incorrect as d_absolute_path should
only be used to lookup names for namespace absolute paths.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
John Johansen [Wed, 22 Feb 2012 08:42:08 +0000 (00:42 -0800)]
AppArmor: fix mapping of META_READ to audit and quiet flags
The mapping of AA_MAY_META_READ for the allow mask was also being mapped
to the audit and quiet masks. This would result in some operations being
audited when the should not.
This flaw was hidden by the previous audit bug which would drop some
messages that where supposed to be audited.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
John Johansen [Wed, 22 Feb 2012 08:32:30 +0000 (00:32 -0800)]
AppArmor: Fix underflow in xindex calculation
If the xindex value stored in the accept tables is 0, the extraction of
that value will result in an underflow (0 - 4).
In properly compiled policy this should not happen for file rules but
it may be possible for other rule types in the future.
To exploit this underflow a user would have to be able to load a corrupt
policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel
memory or know of a compiler error resulting in the flaw being present
for loaded policy (no such flaw is known at this time).
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
John Johansen [Wed, 22 Feb 2012 08:20:26 +0000 (00:20 -0800)]
AppArmor: Fix dropping of allowed operations that are force audited
The audit permission flag, that specifies an audit message should be
provided when an operation is allowed, was being ignored in some cases.
This is because the auto audit mode (which determines the audit mode from
system flags) was incorrectly assigned the same value as audit mode. The
shared value would result in messages that should be audited going through
a second evaluation as to whether they should be audited based on the
auto audit, resulting in some messages being dropped.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
John Johansen [Thu, 16 Feb 2012 15:06:41 +0000 (07:06 -0800)]
AppArmor: Add mising end of structure test to caps unpacking
The unpacking of struct capsx is missing a check for the end of the
caps structure. This can lead to unpack failures depending on what else
is packed into the policy file being unpacked.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
Kees Cook [Fri, 27 Jan 2012 00:29:23 +0000 (16:29 -0800)]
AppArmor: export known rlimit names/value mappings in securityfs
Since the parser needs to know which rlimits are known to the kernel,
export the list via a mask file in the "rlimit" subdirectory in the
securityfs "features" directory.
Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Kees Cook [Wed, 15 Feb 2012 00:48:09 +0000 (16:48 -0800)]
Yama: add PR_SET_PTRACER_ANY
For a process to entirely disable Yama ptrace restrictions, it can use
the special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
process may ptrace it. This is stronger than calling PR_SET_PTRACER with
pid "1" because it includes processes in external pid namespaces. This is
currently needed by the Chrome renderer, since its crash handler (Breakpad)
runs external to the renderer's pid namespace.
Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org>
Tim Gardner [Tue, 6 Dec 2011 18:29:20 +0000 (11:29 -0700)]
TPM: Zero buffer whole after copying to userspace
Commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 correctly clears the TPM
buffer if the user specified read length is >= the TPM buffer length. However,
if the user specified read length is < the TPM buffer length, then part of the
TPM buffer is left uncleared.
Stefan Berger [Fri, 20 Jan 2012 17:58:50 +0000 (12:58 -0500)]
tpm_tis: Clean up after module_param cleanup
Commit 90ab5ee94171b3e28de6bb42ee30b527014e0be7 changed the
itpm module parameter from int to bool. Some other changes
need to be done to clean up after this change.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Cc: Mauro Carvalho Chehab <mchehab@redhat.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Stefan Berger [Fri, 20 Jan 2012 17:58:49 +0000 (12:58 -0500)]
tpm_tis: Only probe iTPMs
Detect iTPMs through the vendor ID on the hardware interface and only
probe the device if the manufacturer is found to be Intel. This
obsoletes a previously added delay necessary for some TPMs but not iTPMs.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Dmitry Kasatkin [Thu, 2 Feb 2012 08:46:49 +0000 (10:46 +0200)]
digsig: changed type of the timestamp
time_t was used in the signature and key packet headers,
which is typedef of long and is different on 32 and 64 bit architectures.
Signature and key format should be independent of architecture.
Similar to GPG, I have changed the type to uint32_t.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: James Morris <jmorris@namei.org>
Kees Cook [Wed, 21 Dec 2011 20:17:04 +0000 (12:17 -0800)]
security: Yama LSM
This adds the Yama Linux Security Module to collect DAC security
improvements (specifically just ptrace restrictions for now) that have
existed in various forms over the years and have been carried outside the
mainline kernel by other Linux distributions like Openwall and grsecurity.
Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Kees Cook [Wed, 21 Dec 2011 20:17:03 +0000 (12:17 -0800)]
security: create task_free security callback
The current LSM interface to cred_free is not sufficient for allowing
an LSM to track the life and death of a task. This patch adds the
task_free hook so that an LSM can clean up resources on task death.
Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org>
Linus Torvalds [Thu, 9 Feb 2012 03:11:00 +0000 (19:11 -0800)]
Merge branch 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
One patch fixes an bug in the ARM/MSM IOMMU code which returned sucess
in the unmap function even when an error occured and the other patch
adds a workaround into the AMD IOMMU driver to better handle broken IVRS
ACPI tables (this patch fixes the case when a device is not listed in
the table but actually translated by the iommu).
* 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
iommu/msm: Fix error handling in msm_iommu_unmap()
iommu/amd: Work around broken IVRS tables
Linus Torvalds [Thu, 9 Feb 2012 03:09:25 +0000 (19:09 -0800)]
Merge branch '3.3-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
This series contains pending target bug-fixes and cleanups for v3.3-rc3
that have been addressed the past weeks in lio-core.git.
Some of the highlights include:
- Fix handling for control CDBs with data greater than PAGE_SIZE (andy)
- Use IP_FREEBIND for iscsi-target to address network portal creation
issues with systemd (dax)
- Allow PERSISTENT RESERVE IN for non-reservation holder (marco)
- Fix iblock se_dev_attrib.unmap_granularity (marco)
- Fix unsupported WRITE_SAME sense payload handling (martin)
- Add workaround for zero-length control CDB handling (nab)
- Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT (nab)
- Fix target_submit_cmd() exception handling (nab)
- Return correct ASC for unimplemented VPD pages (roland)
- Don't zero pages used for data buffers (roland)
- Fix return code of core_tpg_.*_lun (sebastian)
* '3.3-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (26 commits)
target: Fix unsupported WRITE_SAME sense payload
iscsi: use IP_FREEBIND socket option
iblock: fix handling of large requests
target: handle empty string writes in sysfs
iscsi_target: in_aton needs linux/inet.h
target: Fix iblock se_dev_attrib.unmap_granularity
target: Fix target_submit_cmd() exception handling
target: Change target_submit_cmd() to return void
target: accept REQUEST_SENSE with 18bytes
target: Fail INQUIRY commands with EVPD==0 but PAGE CODE!=0
target: Return correct ASC for unimplemented VPD pages
iscsi-target: Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT
target: Allow control CDBs with data > 1 page
iscsi-target: Fix up a few assignments
iscsi-target: make one-bit bitfields unsigned
iscsi-target: Fix double list_add with iscsit_alloc_buffs reject
iscsi-target: Fix reject release handling in iscsit_free_cmd()
target: fix return code of core_tpg_.*_lun
target: use save/restore lock primitive in core_dec_lacl_count()
target: avoid multiple outputs in scsi_dump_inquiry()
...
Linus Torvalds [Thu, 9 Feb 2012 03:05:47 +0000 (19:05 -0800)]
Merge tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6
SPI bug fixes for v3.3-rc2
Minor SPI device driver changes. A rename of the pch_spi_pcidev symbol
that merely eliminates a modpost warning, and a Kconfig change to allow
the Samsung spi driver to build on EXYNOS.
* tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6:
spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver
spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4
Russell King [Thu, 9 Feb 2012 01:13:41 +0000 (17:13 -0800)]
pcmcia: fix socket refcount decrementing on each resume
This fixes a memory-corrupting bug: not only does it cause the warning,
but as a result of dropping the refcount to zero, it causes the
pcmcia_socket0 device structure to be freed while it still has
references, causing slab caches corruption. A fatal oops quickly
follows this warning - often even just a 'dmesg' following the warning
causes the kernel to oops.
While testing suspend/resume on an ARM device with PCMCIA support, and a
CF card inserted, I found that after five suspend and resumes, the
kernel would complain, and shortly die after with slab corruption.
WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50()
As the message doesn't give a clue about which kobject, and the built-in
debugging in drivers/base/power/main.c happens too late, this was added
right before each get_device():
+ /* now, add the new card */
+ pcmcia_bus_add(skt);
+ return 0;
+}
As can be seen, the original function called pcmcia_get_socket() and
pcmcia_put_socket() around the guts, whereas the replacement code
calls pcmcia_put_socket() only in one path. This creates an imbalance
in the refcounting.
Testing with pcmcia_put_socket() put removed shows that the bug is gone:
Tested-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Hugh Dickins [Thu, 9 Feb 2012 01:13:40 +0000 (17:13 -0800)]
mm: fix UP THP spin_is_locked BUGs
Fix CONFIG_TRANSPARENT_HUGEPAGE=y CONFIG_SMP=n CONFIG_DEBUG_VM=y
CONFIG_DEBUG_SPINLOCK=n kernel: spin_is_locked() is then always false,
and so triggers some BUGs in Transparent HugePage codepaths.
asm-generic/bug.h mentions this problem, and provides a WARN_ON_SMP(x);
but being too lazy to add VM_BUG_ON_SMP, BUG_ON_SMP, WARN_ON_SMP_ONCE,
VM_WARN_ON_SMP_ONCE, just test NR_CPUS != 1 in the existing VM_BUG_ONs.
Signed-off-by: Hugh Dickins <hughd@google.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
In current code, pltfm->als_vmin is set to LM3530_ALS_WINDOW_mV and
pltfm->als_vmax is 0. This does not make sense. I think what we want
here is setting pltfm->als_vmax to LM3530_ALS_WINDOW_mV.
Both als_vmin and als_vmax local variables will be set to
pltfm->als_vmin and pltfm->als_vmax by a few lines latter. Thus also
remove a redundant assignment for als_vmin and als_vmax in this patch.
Signed-off-by: Axel Lin <axel.lin@gmail.com> Cc: Shreshtha Kumar Sahu <shreshthakumar.sahu@stericsson.com> Acked-by: Milo(Woogyom) Kim <milo.kim@ti.com> Tested-by: Milo(Woogyom) Kim <milo.kim@ti.com> Cc: Richard Purdie <rpurdie@rpsys.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Mel Gorman [Thu, 9 Feb 2012 01:13:38 +0000 (17:13 -0800)]
mm: compaction: check for overlapping nodes during isolation for migration
When isolating pages for migration, migration starts at the start of a
zone while the free scanner starts at the end of the zone. Migration
avoids entering a new zone by never going beyond the free scanned.
Unfortunately, in very rare cases nodes can overlap. When this happens,
migration isolates pages without the LRU lock held, corrupting lists
which will trigger errors in reclaim or during page free such as in the
following oops
The "X" in the taint flag means that external modules were loaded but but
is unrelated to the bug triggering. The real problem was because the PFN
layout looks like this
The fix is straight-forward. isolate_migratepages() has to make a
similar check to isolate_freepage to ensure that it never isolates pages
from a zone it does not hold the LRU lock for.
This was discovered in a 3.0-based kernel but it affects 3.1.x, 3.2.x
and current mainline.
Signed-off-by: Mel Gorman <mgorman@suse.de> Acked-by: Michal Nazarewicz <mina86@mina86.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Wed, 8 Feb 2012 22:56:39 +0000 (14:56 -0800)]
Merge tag 'sound-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
sound fixes #2 for 3.3-rc3
A collection of small fixes, mostly for regressions.
In addition, a few ASoC wm8994 updates are included, too.
* tag 'sound-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ASoC: wm8994: Disable line output discharge prior to ramping VMID
ASoC: wm8994: Fix typo in VMID ramp setting
ALSA: oxygen, virtuoso: fix exchanged L/R volumes of aux and CD inputs
ALSA: usb-audio: add Edirol UM-3G support
ALSA: hda - add support for Uniwill ECS M31EI notebook
ALSA: hda - Fix error handling in patch_ca0132.c
ASoC: wm8994: Enabling VMID should take a runtime PM reference
ALSA: hda/realtek - Fix a wrong condition
ALSA: emu8000: Remove duplicate linux/moduleparam.h include from emu8000_patch.c
ALSA: hda/realtek - Add missing Bass and CLFE as vmaster slaves
ASoC: wm_hubs: Correct line input to line output 2 paths
ASoC: cs42l73: Fix Output [X|A|V]SP_SCLK Sourcing Mode setting for master mode
ASoC: wm8962: Fix word length configuration
ASoC: core: Better support for idle_bias_off suspend ignores
ASoC: wm8994: Remove ASoC level register cache sync
ASoC: wm_hubs: Fix routing of input PGAs to line output mixer
Takashi Iwai [Wed, 8 Feb 2012 20:29:38 +0000 (21:29 +0100)]
Merge tag 'asoc-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
A few small WM8994 updates to go on top of the previous lot of things
that were sent. They collide with some -next work so I'd really like to
get them into 3.3-rc3 if possible to merge back up into the -next code.
All driver specific and unexciting in the grand scheme of things.
Clemens Ladisch [Sat, 4 Feb 2012 19:56:47 +0000 (20:56 +0100)]
ALSA: oxygen, virtuoso: fix exchanged L/R volumes of aux and CD inputs
The driver accidentally exchanged the left/right fields for stereo AC'97
mixer registers. This affected only the aux and CD inputs because the
line input bypasses the AC'97 codec and the mic input is mono; cards
without AC'97 (Xonar DS/DG/HDAV Slim, HG2PCI, HiFier) were not affected.
Reported-and-tested-by: Abby Cedar <abbycedar@yahoo.com.au> Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Cc: 2.6.31+ <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Linus Torvalds [Tue, 7 Feb 2012 23:54:02 +0000 (15:54 -0800)]
Merge tag 'fbdev-fixes-for-3.3-1' of git://github.com/schandinat/linux-2.6
fbdev fixes for 3.3
It includes:
- compile fix for fsl-diu-fb
- fix for a suspend/resume issue in atmel_lcdfb
- fix for a suspend/resume issue in OMAP
- workaround for a hardware bug to avoid physical damage in OMAP
- really trivial dead code removal in intelfb
* tag 'fbdev-fixes-for-3.3-1' of git://github.com/schandinat/linux-2.6:
atmel_lcdfb: fix usage of CONTRAST_CTR in suspend/resume
intelfb: remove some dead code
drivers/video: compile fixes for fsl-diu-fb.c
OMAPDSS: HDMI: PHY burnout fix
OMAP: 4430SDP/Panda: add HDMI HPD gpio
OMAP: 4430SDP/Panda: setup HDMI GPIO muxes
OMAPDSS: remove wrong HDMI HPD muxing
OMAP: 4430SDP/Panda: rename HPD GPIO to CT_CP_HPD
OMAP: 4430SDP/Panda: use gpio_free_array to free HDMI gpios
OMAPDSS: use sync versions of pm_runtime_put
Linus Torvalds [Tue, 7 Feb 2012 22:35:19 +0000 (14:35 -0800)]
Merge tag 'ib-srpt-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband
Cleanups and error path fixes for the new SRP (SCSI RDMA protocol) target.
* tag 'ib-srpt-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
IB/srpt: Don't return freed pointer from srpt_alloc_ioctx_ring()
IB/srpt: Fix ERR_PTR() vs. NULL checking confusion
IB/srpt: Remove unneeded <linux/version.h> include
IB/srpt: Use ARRAY_SIZE() instead of open-coding
IB/srpt: Use DEFINE_SPINLOCK()/LIST_HEAD()
Linus Torvalds [Tue, 7 Feb 2012 22:32:24 +0000 (14:32 -0800)]
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
arch: fix ioport mapping on mips,sh
Kevin Cernekee reported that recent cleanup that replaced pci_iomap with
a generic function failed to take into account the differences in io
port handling on mips and sh architectures.
Rather than revert the changes reintroducing the code duplication, this
patchset fixes this by adding ability for architectures to override
ioport mapping for pci devices.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
sh: use the the PCI channels's io_map_base
mips: use the the PCI controller's io_map_base
lib: add NO_GENERIC_PCI_IOPORT_MAP
Linus Torvalds [Tue, 7 Feb 2012 22:07:20 +0000 (14:07 -0800)]
Merge git://git.samba.org/sfrench/cifs-2.6
* git://git.samba.org/sfrench/cifs-2.6:
cifs: Fix oops in session setup code for null user mounts
[CIFS] Update cifs Kconfig title to match removal of experimental dependency
cifs: fix printk format warnings
cifs: check offset in decode_ntlmssp_challenge()
cifs: NULL dereference on allocation failure
Linus Torvalds [Tue, 7 Feb 2012 22:05:49 +0000 (14:05 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6:
mfd: Avoid twl6040-codec PLL reconfiguration when not needed
mfd: Store twl6040-codec mclk configuration
Takashi Iwai [Tue, 7 Feb 2012 10:00:53 +0000 (11:00 +0100)]
ALSA: hda - Fix error handling in patch_ca0132.c
In patch_ca0132.c, the error returned from chipio_write() isn't checked
always. Also, the power-up/down sequence isn't tracked properly in some
error paths.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Takashi Iwai [Tue, 7 Feb 2012 10:04:48 +0000 (11:04 +0100)]
Merge tag 'asoc-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
The only particularly remarkable change here is the one for handling of
the Android suspend ignore code for idle_bias_off CODECs. That one is
actually a regression fix as some of the new power savings that have
been introduced confused the suspend ignore code, making devices that
are active for non-audio reasons look like they are idle causing them to
be suspended instead of being kept active.
Martin Svec [Tue, 7 Feb 2012 06:13:25 +0000 (22:13 -0800)]
target: Fix unsupported WRITE_SAME sense payload
This patch fixes a bug in target-core where unsupported WRITE_SAME ops
from a target_check_write_same_discard() failure was incorrectly
returning CHECK_CONDITION w/ TCM_INVALID_CDB_FIELD sense data.
This was causing some clients to not properly fall back, so go ahead
and use the correct TCM_UNSUPPORTED_SCSI_OPCODE sense for this case.
Reported-by: Martin Svec <martin.svec@zoner.cz> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Dax Kelson [Sat, 4 Feb 2012 06:40:25 +0000 (23:40 -0700)]
iscsi: use IP_FREEBIND socket option
Use IP_FREEBIND socket option so that iscsi portal configuration with
explicit IP addresses can happen during boot, before network interfaces
have been assigned IPs.
This is especially important on systemd based Linux boxes where system
boot happens asynchronously and non-trivial configuration must be done
to get targetcli.service to start synchronously after the network is
configured.
Stephen Rothwell [Mon, 23 Jan 2012 00:39:49 +0000 (11:39 +1100)]
iscsi_target: in_aton needs linux/inet.h
Fixes this error after a recent nfs cleanup:
drivers/target/iscsi/iscsi_target_configfs.c: In function 'lio_target_call_addnptotpg':
drivers/target/iscsi/iscsi_target_configfs.c:214:3: error: implicit declaration of function 'in6_pton' [-Werror=implicit-function-declaration]
drivers/target/iscsi/iscsi_target_configfs.c:239:3: error: implicit declaration of function 'in_aton' [-Werror=implicit-function-declaration]
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
The block layer keeps q->limits.discard_granularity in bytes, but iblock
(and the SCSI Block Limits VPD page) keep unmap_granularity in blocks.
Report the correct value when exporting block devices by dividing to
convert bytes to blocks.
Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a bug in target_submit_cmd() where the failure path
for transport_generic_allocate_tasks() made a direct call to
transport_send_check_condition_and_sense() and not calling the
final target_put_sess_cmd() release callback.
For transport_generic_allocate_tasks() failures, use the proper call to
transport_generic_request_failure() to handle kref_put() along
with potential internal queue full response processing.
It also makes transport_lookup_cmd_lun() failures in
target_submit_cmd() use transport_send_check_condition_and_sense() and
target_put_sess_cmd() directly to avoid se_cmd->se_dev reference in
transport_generic_request_failure() handling.
Finally it drops the out_check_cond: label and use direct reference for
allocate task failures, and per-se_device queue_full handling is
currently not supported for transport_lookup_cmd_lun() failure
descriptors due to se_device dependency.
Reported-by: Roland Dreier <roland@purestorage.com> Cc: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Andy Grover [Thu, 19 Jan 2012 21:39:23 +0000 (13:39 -0800)]
target: Change target_submit_cmd() to return void
Retval not very useful, and may even be harmful. Once submitted, fabrics
should expect a sense error if anything goes wrong. All fabrics checking
of this retval are useless or broken:
fc checks it just to emit more debug output.
ib_srpt trickles retval up, then it is ignored.
qla2xxx trickles it up, which then causes a bug because the abort goto
in qla_target.c thinks cmd hasn't been sent to target.
Just returning nothing is best.
Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
WindowsXP+BOT issues a MODE_SENSE request with page 0x1c which is not
suppoerted by target. Target rejects that command with
TCM_INVALID_CDB_FIELD, so far so good. On BOT I can't send the SENSE
response back, instead I can only reply that an error occured. The next
thing happens is a REQUEST_SENSE request with 18 bytes length. Since the
check here is more than 18 bytes I have to NACK that request as well.
This is not really required: We check for some additional room, but we
never use it. The additional length is set to 0xa so the total length is
0xa + 8 = 18 which is fine with my 18 bytes.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
NeilBrown [Tue, 7 Feb 2012 01:01:51 +0000 (12:01 +1100)]
md: two small fixes to handling interrupt resync.
1/ If a resync is aborted we should record how far we got
(recovery_cp) the last request that we know has completed
(->curr_resync_completed) rather than the last request that was
submitted (->curr_resync).
2/ When a resync aborts we still want to update the metadata with
any changes, so set MD_CHANGE_DEVS even if we 'skip'.
Linus Torvalds [Tue, 7 Feb 2012 00:26:58 +0000 (16:26 -0800)]
Merge branch 'kvm-updates/3.3' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Fixing a regression with the PMU MSRs when PMU virtualization is
disabled, a guest-internal DoS with the SYSCALL instruction, and a dirty
memory logging race that may cause live migration to fail.
* 'kvm-updates/3.3' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: do not #GP on perf MSR writes when vPMU is disabled
KVM: x86: fix missing checks in syscall emulation
KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
KVM: Fix __set_bit() race in mark_page_dirty() during dirty logging
Linus Torvalds [Mon, 6 Feb 2012 23:29:56 +0000 (15:29 -0800)]
Merge tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux-2.6
GPIO fixes for v3.3-rc2
Straight forward bug fixes in this branch. A couple of x86 gpio drivers
missing spinlock initialization, an API change fixup for the samsung driver
and a name typo fix.
* tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux-2.6:
gpio: Add missing spin_lock_init in gpio-ml-ioh driver
gpio: Add missing spin_lock_init in gpio-pch driver
gpio: samsung: adapt to changes in gpio specifier translator function declaration
Correct bad gpio naming
Linus Torvalds [Mon, 6 Feb 2012 23:25:48 +0000 (15:25 -0800)]
Merge tag 'hwmon-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
One patch to fix fan detection on NCT6776F.
* tag 'hwmon-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (w83627ehf) Fix number of fans for NCT6776F
Heiko Carstens [Sat, 4 Feb 2012 09:47:10 +0000 (10:47 +0100)]
exec: fix use-after-free bug in setup_new_exec()
Setting the task name is done within setup_new_exec() by accessing
bprm->filename. However this happens after flush_old_exec().
This may result in a use after free bug, flush_old_exec() may
"complete" vfork_done, which will wake up the parent which in turn
may free the passed in filename.
To fix this add a new tcomm field in struct linux_binprm which
contains the now early generated task name until it is used.
Przemo Firszt [Sun, 5 Feb 2012 22:35:24 +0000 (22:35 +0000)]
HID: wacom: Fix invalid power_supply_powers calls
power_supply_powers calls added in 35b4c01e2 ("power_supply: add "powers" links
to self-powered HID devices") have to be called after power device is created.
This patch also fixes the second call - it has to be "ac" instead of "battery"
Jiri Kosina [Mon, 6 Feb 2012 15:11:09 +0000 (16:11 +0100)]
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into upstream-fixes
Sync with Linus' tree. This is necessary to have a base for
patch that fixes commit 35b4c01e29b ("power_supply: add "powers"
links to self-powered HID devices") which went in through Anton's
tree.
Takashi Iwai [Mon, 6 Feb 2012 09:24:04 +0000 (10:24 +0100)]
ALSA: hda/realtek - Fix a wrong condition
sparse complains that "spec->multiout.dac_nids" is a pointer.
sound/pci/hda/patch_realtek.c:2321:37: error: incompatible types for operation (>)
sound/pci/hda/patch_realtek.c:2321:37: left side has type unsigned short const [usertype] *dac_nids
sound/pci/hda/patch_realtek.c:2321:37: right side has type int
It was meant to be num_dacs instead of dac_nids.
Although the current code still works as expected (when num_dacs is zero,
dac_nids should be NULL, too), better to fix now, of course.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: David Henningsson <david.henningsson@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4
The spi-s3c64xx driver is also used on Exynos4 so update the dependency
to enable build on those platforms.
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
[grant.likely: relax depends to ARCH_EXYNOS instead of ARCH_EXYNOS4] Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Guenter Roeck [Fri, 27 Jan 2012 13:43:59 +0000 (05:43 -0800)]
hwmon: (w83627ehf) Fix number of fans for NCT6776F
NCT6776F can select fan input pins for fans 3 to 5 with a secondary set of
chip register bits. Check that second set of bits in addition to the first set
to detect if fans 3..5 are monitored.
Linus Torvalds [Sat, 4 Feb 2012 23:21:39 +0000 (15:21 -0800)]
Merge tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Power management fixes for 3.3-rc3
Three power management regression fixes, one for a recent regression introcuded
by the freezer changes during the 3.3 merge window and two for regressions
in cpuidle (resulting from PM QoS changes) and in the hibernate user space
interface, both introduced during the 3.2 development cycle.
They include:
* Two hibernate (s2disk) regression fixes from Srivatsa S. Bhat (for
regressions introduced during the 3.3 merge window and during the 3.2
development cycle).
* A cpuidle fix from Venki Pallipadi for a regression resulting from PM QoS
changes during the 3.2 development cycle causing cpuidle to work incorrectly
for CONFIG_PM unset.
* tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
PM / QoS: CPU C-state breakage with PM Qos change
PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails
PM / Hibernate: Thaw kernel threads in SNAPSHOT_CREATE_IMAGE ioctl path
Looks like change "PM QoS: Move and rename the implementation files"
merged during the 3.2 development cycle made PM QoS depend on
CONFIG_PM which depends on (PM_SLEEP || PM_RUNTIME).
That breaks CPU C-states with kernels not having these CONFIGs, causing CPUs
to spend time in Polling loop idle instead of going into deep C-states,
consuming way way more power. This is with either acpi idle or intel idle
enabled.
Either CONFIG_PM should be enabled with any pm_qos users or
the !CONFIG_PM pm_qos_request() should return sane defaults not to break
the existing users. Here's is the patch for the latter option.
[rjw: Modified the changelog slightly.]
Signed-off-by: Venkatesh Pallipadi <venki@google.com> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Cc: stable@vger.kernel.org
PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails
If freezing of kernel threads fails, we are expected to automatically
thaw tasks in the error recovery path. However, at times, we encounter
situations in which we would like the automatic error recovery path
to thaw only the kernel threads, because we want to be able to do
some more cleanup before we thaw userspace. Something like:
error = freeze_kernel_threads();
if (error) {
/* Do some cleanup */
/* Only then thaw userspace tasks*/
thaw_processes();
}
An example of such a situation is where we freeze/thaw filesystems
during suspend/hibernation. There, if freezing of kernel threads
fails, we would like to thaw the frozen filesystems before thawing
the userspace tasks.
So, modify freeze_kernel_threads() to thaw only kernel threads in
case of freezing failure. And change suspend_freeze_processes()
accordingly. (At the same time, let us also get rid of the rather
cryptic usage of the conditional operator (:?) in that function.)
[rjw: In fact, this patch fixes a regression introduced during the
3.3 merge window, because without it thaw_processes() may be called
before swsusp_free() in some situations and that may lead to massive
memory allocation failures.]
Signed-off-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com> Acked-by: Tejun Heo <tj@kernel.org> Acked-by: Nigel Cunningham <nigel@tuxonice.net> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Linus Torvalds [Sat, 4 Feb 2012 20:11:40 +0000 (12:11 -0800)]
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
arm-soc fixes for 3.3-rc
* A series of OMAP regression fixes for merge window fallout
* Two patches for Davinci, one removes some misdefined clocks, the other
is a regression fix for merge window fallout
* Two patches that makes Broadcom bcmring build again (and removes a
bunch of unused code in the process)
breaks building of this platform, since what used to be the
last field of the MACHINE_START/END block didn't have a
trailing comma. Once another field was added below, we get:
arch/arm/mach-bcmring/arch.c:198: error: request for member 'restart' in something not a structure or union
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Acked-by: Jiandong Zheng <jdzheng@broadcom.com> Signed-off-by: Olof Johansson <olof@lixom.net>
Linus Torvalds [Sat, 4 Feb 2012 18:54:26 +0000 (10:54 -0800)]
Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
i.MX SDMA: Fix burstsize settings
ARM: mach-shmobile: both USB DMAC instances on sh7372 are slave-only
dma: sh_dma: not all SH DMAC implementations support MEMCPY
at_hdmac: bugfix for enabling channel irq
dmaengine: fix missing 'cnt' in ?: in dmatest
Linus Torvalds [Sat, 4 Feb 2012 15:17:47 +0000 (07:17 -0800)]
Merge tag 'for-linus-3.3' of git://git.infradead.org/~dwmw2/mtd-3.3
- Fix a regression in 16-bit Atmel NAND flash which was introduced in 3.1
- Fix breakage with MTD suspend caused by the API rework
- Fix a problem with resetting the MX28 BCH module
- A couple of other trivial fixes
* tag 'for-linus-3.3-20120204' of git://git.infradead.org/~dwmw2/mtd-3.3:
Revert "mtd: atmel_nand: optimize read/write buffer functions"
mtd: fix MTD suspend
jffs2: do not initialize variable unnecessarily
mtd: gpmi-nand bugfix: reset the BCH module when it is not MX23
mtd: nand: fix typo in comment
Nicolas Ferre <nicolas.ferre@atmel.com> alco confirmed:
"After double checking with designers, I must admit that I misunderstood
the way of optimizing accesses to SMC. 16 bit nand is not so common
those days..."
Reported-by: Nikolaus Voss <n.voss@weinmann.de> Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Cc: stable@kernel.org [3.1+]
Mel Gorman [Fri, 3 Feb 2012 23:37:18 +0000 (15:37 -0800)]
mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration
When isolating for migration, migration starts at the start of a zone
which is not necessarily pageblock aligned. Further, it stops isolating
when COMPACT_CLUSTER_MAX pages are isolated so migrate_pfn is generally
not aligned. This allows isolate_migratepages() to call pfn_to_page() on
an invalid PFN which can result in a crash. This was originally reported
against a 3.0-based kernel with the following trace in a crash dump.
The migrate_pfn is just below a memory hole and the free scanner is beyond
the hole. When isolate_migratepages started, it scans from migrate_pfn to
migrate_pfn+pageblock_nr_pages which is now in a memory hole. It checks
pfn_valid() on the first PFN but then scans into the hole where there are
not necessarily valid struct pages.
This patch ensures that isolate_migratepages calls pfn_valid when
necessary.
Reported-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com> Tested-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com> Signed-off-by: Mel Gorman <mgorman@suse.de> Acked-by: Michal Nazarewicz <mina86@mina86.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Shaohua Li [Fri, 3 Feb 2012 23:37:17 +0000 (15:37 -0800)]
readahead: fix pipeline break caused by block plug
Herbert Poetzl reported a performance regression since 2.6.39. The test
is a simple dd read, but with big block size. The reason is:
T1: ra (A, A+128k), (A+128k, A+256k)
T2: lock_page for page A, submit the 256k
T3: hit page A+128K, ra (A+256k, A+384). the range isn't submitted
because of plug and there isn't any lock_page till we hit page A+256k
because all pages from A to A+256k is in memory
T4: hit page A+256k, ra (A+384, A+ 512). Because of plug, the range isn't
submitted again.
T5: lock_page A+256k, so (A+256k, A+512k) will be submitted. The task is
waitting for (A+256k, A+512k) finish.
There is no request to disk in T3 and T4, so readahead pipeline breaks.
We really don't need block plug for generic_file_aio_read() for buffered
I/O. The readahead already has plug and has fine grained control when I/O
should be submitted. Deleting plug for buffered I/O fixes the regression.
One side effect is plug makes the request size 256k, the size is 128k
without it. This is because default ra size is 128k and not a reason we
need plug here.
Vivek said:
: We submit some readahead IO to device request queue but because of nested
: plug, queue never gets unplugged. When read logic reaches a page which is
: not in page cache, it waits for page to be read from the disk
: (lock_page_killable()) and that time we flush the plug list.
:
: So effectively read ahead logic is kind of broken in parts because of
: nested plugging. Removing top level plug (generic_file_aio_read()) for
: buffered reads, will allow unplugging queue earlier for readahead.
Signed-off-by: Shaohua Li <shaohua.li@intel.com> Signed-off-by: Wu Fengguang <fengguang.wu@intel.com> Reported-by: Herbert Poetzl <herbert@13thfloor.at> Tested-by: Eric Dumazet <eric.dumazet@gmail.com> Cc: Christoph Hellwig <hch@infradead.org> Cc: Jens Axboe <axboe@kernel.dk> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>