summaryrefslogtreecommitdiff
path: root/include
AgeCommit message (Collapse)AuthorFilesLines
2012-09-26Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds1-3/+16
Pull more networking fixes from David Miller: 1) Eric Dumazet discovered and fixed what turned out to be a family of bugs. These functions were using pskb_may_pull() which might need to reallocate the linear SKB data buffer, but the callers were not expecting this possibility. The callers have cached pointers to the packet header areas, and would need to reload them if we were to continue using pskb_may_pull(). So they could end up reading garbage. It's easier to just change these RAW4/RAW6/MIP6 routines to use skb_header_pointer() instead of pskb_may_pull(), which won't modify the linear SKB data area. 2) Dave Jone's syscall spammer caught a case where a non-TCP socket can call down into the TCP keepalive code. The case basically involves creating a raw socket with sk_protocol == IPPROTO_TCP, then calling setsockopt(sock_fd, SO_KEEPALIVE, ...) Fixed by Eric Dumazet. 3) Bluetooth devices do not get configured properly while being powered on, resulting in always using legacy pairing instead of SSP. Fix from Andrzej Kaczmarek. 4) Bluetooth cancels delayed work erroneously, put stricter checks in place. From Andrei Emeltchenko. 5) Fix deadlock between cfg80211_mutex and reg_regdb_search_mutex in cfg80211, from Luis R. Rodriguez. 6) Fix interrupt double release in iwlwifi, from Emmanuel Grumbach. 7) Missing module license in bcm87xx driver, from Peter Huewe. 8) Team driver can lose port changed events when adding devices to a team, fix from Jiri Pirko. 9) Fix endless loop when trying ot unregister PPPOE device in zombie state, from Xiaodong Xu. 10) batman-adv layer needs to set MAC address of software device earlier, otherwise we call tt_local_add with it uninitialized. 11) Fix handling of KSZ8021 PHYs, it's matched currently by KS8051 but that doesn't program the device properly. From Marek Vasut. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: ipv6: mip6: fix mip6_mh_filter() ipv6: raw: fix icmpv6_filter() net: guard tcp_set_keepalive() to tcp sockets phy/micrel: Add missing header to micrel_phy.h phy/micrel: Rename KS80xx to KSZ80xx phy/micrel: Implement support for KSZ8021 batman-adv: Fix symmetry check / route flapping in multi interface setups batman-adv: Fix change mac address of soft iface. pppoe: drop PPPOX_ZOMBIEs in pppoe_release team: send port changed when added ipv4: raw: fix icmp_filter() net/phy/bcm87xx: Add MODULE_LICENSE("GPL") to GPL driver iwlwifi: don't double free the interrupt in failure path cfg80211: fix possible circular lock on reg_regdb_search() Bluetooth: Fix not removing power_off delayed work Bluetooth: Fix freeing uninitialized delayed works Bluetooth: mgmt: Fix enabling LE while powered off Bluetooth: mgmt: Fix enabling SSP while powered off
2012-09-25c/r: prctl: fix build error for no-MMU caseMark Salter1-0/+1
Commit 1ad75b9e1628 ("c/r: prctl: add minimal address test to PR_SET_MM") added some address checking to prctl_set_mm() used by checkpoint-restore. This causes a build error for no-MMU systems: kernel/sys.c: In function 'prctl_set_mm': kernel/sys.c:1868:34: error: 'mmap_min_addr' undeclared (first use in this function) The test for mmap_min_addr doesn't make a lot of sense for no-MMU code as noted in commit 6e1415467614 ("NOMMU: Optimise away the {dac_,}mmap_min_addr tests"). This patch defines mmap_min_addr as 0UL in the no-MMU case so that the compiler will optimize away tests for "addr < mmap_min_addr". Signed-off-by: Mark Salter <msalter@redhat.com> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> Cc: <stable@vger.kernel.org> [3.6.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-24phy/micrel: Add missing header to micrel_phy.hMarek Vasut1-0/+12
The license header was missing in micrel_phy.h . This patch adds one. Signed-off-by: Marek Vasut <marex@denx.de> Cc: David J. Choi <david.choi@micrel.com> Cc: David S. Miller <davem@davemloft.net> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-24phy/micrel: Rename KS80xx to KSZ80xxMarek Vasut1-3/+3
There is no such part as KS8001, KS8041 or KS8051. There are only KSZ8001, KSZ8041 and KSZ8051. Rename these parts as such to match the Micrel naming. Signed-off-by: Marek Vasut <marex@denx.de> Cc: David J. Choi <david.choi@micrel.com> Cc: David S. Miller <davem@davemloft.net> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Cc: Linux ARM kernel <linux-arm-kernel@lists.infradead.org> Cc: Fabio Estevam <fabio.estevam@freescale.com> Cc: Shawn Guo <shawn.guo@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-24phy/micrel: Implement support for KSZ8021Marek Vasut1-0/+1
The KSZ8021 PHY was previously caught by KS8051, which is not correct. This PHY needs additional setup if it is strapped for address 0. In such case an reserved bit must be written in the 0x16, "Operation Mode Strap Override" register. According to the KS8051 datasheet, that bit means "PHY Address 0 in non-broadcast" and it indeed behaves as such on KSZ8021. The issue where the ethernet controller (Freescale FEC) did not communicate with network is fixed by writing this bit as 1. Signed-off-by: Marek Vasut <marex@denx.de> Cc: David J. Choi <david.choi@micrel.com> Cc: David S. Miller <davem@davemloft.net> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-22Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds5-5/+15
Pull networking updates from David Miller: "More bug fixes, nothing gets past these guys" 1) More kernel info leaks found by Mathias Krause, this time in the IPSEC configuration layers. 2) When IPSEC policies change, we do not properly make sure that cached routes (which could now be stale) throughout the system will be revalidated. Fix this by generalizing the generation count invalidation scheme used by ipv4. From Nicolas Dichtel. 3) When repairing TCP sockets, we need to allow to restore not just the send window scale, but the receive one too. Extend the existing interface to achieve this in a backwards compatible way. From Andrey Vagin. 4) A fix for FCOE scatter gather feature validation erroneously caused scatter gather to be disabled for things like AOE too. From Ed L Cashin. 5) Several cases of mishandling of error pointers, from Mathias Krause, Wei Yongjun, and Devendra Naga. 6) Fix gianfar build, from Richard Cochran. 7) CAP_NET_* failures should return -EPERM not -EACCES, from Zhao Hongjiang. 8) Hardware reset fix in janz-ican3 CAN driver, from Ira W Snyder. 9) Fix oops during rmmod in ti_hecc CAN driver, from Marc Kleine-Budde. 10) The removal of the conditional compilation of the clk support code in the stmmac driver broke things. This is because the interfaces used are the ones that don't also perform the enable/disable of the clk. Fix from Stefan Roese. 11) The QFQ packet scheduler can record out of range virtual start times, resulting later in misbehavior and even crashes. Fix from Paolo Valente. 12) If MSG_WAITALL is used with IOAT DMA under TCP, we can wedge the receiver when the advertised receive window goes to zero. Detect this case and force the processing of the IOAT DMA queue when it happens to avoid getting stuck. Fix from Michal Kubecek. 13) batman-adv assumes that test_bit() returns only 0 or 1, but this is not true for x86 (which returns -1 or 0, via the 'sbb' instruction). Fix from Linus Lussing. 14) Fix small packet corruption in e1000, from Tushar Dave. 15) make_blackhole() in the IPSEC policy code can do one read unlock too many, fix from Li RongQing. 16) The new tcp_try_coalesce() code introduced a bug in TCP URG handling, fix from Eric Dumazet. 17) Fix memory leak in __netif_receive_skb() when doing zerocopy and when hit an OOM condition. From Michael S Tsirkin. 18) netxen blindly deferences pdev->bus->self, which is not guarenteed to be non-NULL. Fix from Nikolay Aleksandrov. 19) Fix a performance regression caused by mistakes in ipv6 checksum validation in the bnx2x driver, fix from Michal Schmidt. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (45 commits) net/stmmac: Use clk_prepare_enable and clk_disable_unprepare net: change return values from -EACCES to -EPERM net/irda: sh_sir: fix return value check in sh_sir_set_baudrate() stmmac: fix return value check in stmmac_open_ext_timer() gianfar: fix phc index build failure ipv6: fix return value check in fib6_add() bnx2x: remove false warning regarding interrupt number can: ti_hecc: fix oops during rmmod can: janz-ican3: fix support for older hardware revisions net: do not disable sg for packets requiring no checksum aoe: assert AoE packets marked as requiring no checksum at91ether: return PTR_ERR if call to clk_get fails xfrm_user: don't copy esn replay window twice for new states xfrm_user: ensure user supplied esn replay window is valid xfrm_user: fix info leak in copy_to_user_tmpl() xfrm_user: fix info leak in copy_to_user_policy() xfrm_user: fix info leak in copy_to_user_state() xfrm_user: fix info leak in copy_to_user_auth() net: qmi_wwan: adding Huawei E367, ZTE MF683 and Pantech P4200 tcp: restore rcv_wscale in a repair mode (v2) ...
2012-09-22Merge branch 'perf-urgent-for-linus' of ↵Linus Torvalds2-2/+4
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "Small perf fixlets" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: tracing: Don't call page_to_pfn() if page is NULL perf/x86: Fix Intel Ivy Bridge support perf/x86/ibs: Check syscall attribute flags perf/x86: Export Sandy Bridge uncore clockticks event in sysfs
2012-09-21Merge tag 'hwmon-for-linus' of ↵Linus Torvalds1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - Add missing 'name' sysfs attributes to ad7314 and ads7871 drivers - Bump maximum wait time for applesmc driver (again) - Fix build warning seen with W=1 in include/linux/kernel.h, introduced with commit b6d86d3d6d6e ("Fix DIV_ROUND_CLOSEST to support negative dividends") * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: linux/kernel.h: Fix warning seen with W=1 due to change in DIV_ROUND_CLOSEST hwmon: (applesmc) Bump max wait hwmon: (ad7314) Add 'name' sysfs attribute hwmon: (ads7871) Add 'name' sysfs attribute
2012-09-21Merge tag 'stable/for-linus-3.6-rc6-tag' of ↵Linus Torvalds1-1/+2
git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen Pull Xen bug-fixes from Konrad Rzeszutek Wilk: - Fix M2P batching re-using the incorrect structure field. In v3.5 we added batching for M2P override (Machine Frame Number -> Physical Frame Number), but the original MFN was saved in an incorrect structure - and we would oops/restore when restoring with the old MFN. - Disable BIOS SMP MP table search. A bootup issue that we had ignored until we found that on DL380 G6 it was needed. * tag 'stable/for-linus-3.6-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen: xen/boot: Disable BIOS SMP MP table search. xen/m2p: do not reuse kmap_op->dev_bus_addr
2012-09-21xfrm_user: ensure user supplied esn replay window is validMathias Krause1-0/+2
The current code fails to ensure that the netlink message actually contains as many bytes as the header indicates. If a user creates a new state or updates an existing one but does not supply the bytes for the whole ESN replay window, the kernel copies random heap bytes into the replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL netlink attribute. This leads to following issues: 1. The replay window has random bits set confusing the replay handling code later on. 2. A malicious user could use this flaw to leak up to ~3.5kB of heap memory when she has access to the XFRM netlink interface (requires CAP_NET_ADMIN). Known users of the ESN replay window are strongSwan and Steffen's iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter uses the interface with a bitmap supplied while the former does not. strongSwan is therefore prone to run into issue 1. To fix both issues without breaking existing userland allow using the XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a fully specified one. For the former case we initialize the in-kernel bitmap with zero, for the latter we copy the user supplied bitmap. For state updates the full bitmap must be supplied. To prevent overflows in the bitmap length calculation the maximum size of bmp_len is limited to 128 by this patch -- resulting in a maximum replay window of 4096 packets. This should be sufficient for all real life scenarios (RFC 4303 recommends a default replay window size of 64). Cc: Steffen Klassert <steffen.klassert@secunet.com> Cc: Martin Willi <martin@revosec.ch> Cc: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-20tracing: Don't call page_to_pfn() if page is NULLWen Congyang1-2/+2
When allocating memory fails, page is NULL. page_to_pfn() will cause the kernel panicked if we don't use sparsemem vmemmap. Link: http://lkml.kernel.org/r/505AB1FF.8020104@cn.fujitsu.com Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: stable <stable@vger.kernel.org> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: Minchan Kim <minchan@kernel.org> Signed-off-by: Wen Congyang <wency@cn.fujitsu.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2012-09-19linux/kernel.h: Fix warning seen with W=1 due to change in DIV_ROUND_CLOSESTGuenter Roeck1-1/+1
After commit b6d86d3d (Fix DIV_ROUND_CLOSEST to support negative dividends), the following warning is seen if the kernel is compiled with W=1 (-Wextra): warning: comparison of unsigned expression >= 0 is always true The warning is due to the test '((typeof(x))-1) >= 0', which is used to detect if the variable type is unsigned. Research on the web suggests that the warning disappears if '>' instead of '>=' is used for the comparison. Tests after changing the macro along that line show that the warning is gone, and that the result is still correct: i=-4: DIV_ROUND_CLOSEST(i, 2)=-2 i=-3: DIV_ROUND_CLOSEST(i, 2)=-2 i=-2: DIV_ROUND_CLOSEST(i, 2)=-1 i=-1: DIV_ROUND_CLOSEST(i, 2)=-1 i=0: DIV_ROUND_CLOSEST(i, 2)=0 i=1: DIV_ROUND_CLOSEST(i, 2)=1 i=2: DIV_ROUND_CLOSEST(i, 2)=1 i=3: DIV_ROUND_CLOSEST(i, 2)=2 i=4: DIV_ROUND_CLOSEST(i, 2)=2 Code size is the same as before. Signed-off-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Mauro Carvalho Chehab <mchehab@redhat.com> Acked-by: Jean Delvare <khali@linux-fr.org>
2012-09-18ipv6: use net->rt_genid to check dst validityNicolas Dichtel1-3/+2
IPv6 dst should take care of rt_genid too. When a xfrm policy is inserted or deleted, all dst should be invalidated. To force the validation, dst entries should be created with ->obsolete set to DST_OBSOLETE_FORCE_CHK. This was already the case for all functions calling ip6_dst_alloc(), except for ip6_rt_copy(). As a consequence, we can remove the specific code in inet6_connection_sock. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-18netns: move net->ipv4.rt_genid to net->rt_genidNicolas Dichtel2-1/+10
This commit prepares the use of rt_genid by both IPv4 and IPv6. Initialization is left in IPv4 part. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-18ipv4/route: arg delay is useless in rt_cache_flush()Nicolas Dichtel1-1/+1
Since route cache deletion (89aef8921bfbac22f), delay is no more used. Remove it. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-18vfs: dcache: use DCACHE_DENTRY_KILLED instead of DCACHE_DISCONNECTED in d_kill()Miklos Szeredi1-0/+2
IBM reported a soft lockup after applying the fix for the rename_lock deadlock. Commit c83ce989cb5f ("VFS: Fix the nfs sillyrename regression in kernel 2.6.38") was found to be the culprit. The nfs sillyrename fix used DCACHE_DISCONNECTED to indicate that the dentry was killed. This flag can be set on non-killed dentries too, which results in infinite retries when trying to traverse the dentry tree. This patch introduces a separate flag: DCACHE_DENTRY_KILLED, which is only set in d_kill() and makes try_to_ascend() test only this flag. IBM reported successful test results with this patch. Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Cc: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-18compiler.h: add __visibleAndi Kleen2-0/+11
gcc 4.6+ has support for a externally_visible attribute that prevents the optimizer from optimizing unused symbols away. Add a __visible macro to use it with that compiler version or later. This is used (at least) by the "Link Time Optimization" patchset. Signed-off-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-18include/net/sock.h: squelch compiler warning in sk_rmem_schedule()Chuck Lever1-1/+1
This warning: In file included from linux/include/linux/tcp.h:227:0, from linux/include/linux/ipv6.h:221, from linux/include/net/ipv6.h:16, from linux/include/linux/sunrpc/clnt.h:26, from linux/net/sunrpc/stats.c:22: linux/include/net/sock.h: In function `sk_rmem_schedule': linux/nfs-2.6/include/net/sock.h:1339:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] is seen with gcc (GCC) 4.6.3 20120306 (Red Hat 4.6.3-2) using the -Wextra option. Commit c76562b6709f ("netvm: prevent a stream-specific deadlock") accidentally replaced the "size" parameter of sk_rmem_schedule() with an unsigned int. This changes the semantics of the comparison in the return statement. In sk_wmem_schedule we have syntactically the same comparison, but "size" is a signed integer. In addition, __sk_mem_schedule() takes a signed integer for its "size" parameter, so there is an implicit type conversion in sk_rmem_schedule() anyway. Revert the "size" parameter back to a signed integer so that the semantics of the expressions in both sk_[rw]mem_schedule() are exactly the same. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Mel Gorman <mgorman@suse.de> Cc: David Miller <davem@davemloft.net> Cc: Joonsoo Kim <js1304@gmail.com> Cc: David Rientjes <rientjes@google.com> Cc: Pekka Enberg <penberg@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-18mm/ia64: fix a memory block size bugJianguo Wu1-1/+1
I found following definition in include/linux/memory.h, in my IA64 platform, SECTION_SIZE_BITS is equal to 32, and MIN_MEMORY_BLOCK_SIZE will be 0. #define MIN_MEMORY_BLOCK_SIZE (1 << SECTION_SIZE_BITS) Because MIN_MEMORY_BLOCK_SIZE is int type and length of 32bits, so MIN_MEMORY_BLOCK_SIZE(1 << 32) will will equal to 0. Actually when SECTION_SIZE_BITS >= 31, MIN_MEMORY_BLOCK_SIZE will be wrong. This will cause wrong system memory infomation in sysfs. I think it should be: #define MIN_MEMORY_BLOCK_SIZE (1UL << SECTION_SIZE_BITS) And "echo offline > memory0/state" will cause following call trace: kernel BUG at mm/memory_hotplug.c:885! sh[6455]: bugcheck! 0 [1] Pid: 6455, CPU 0, comm: sh psr : 0000101008526030 ifs : 8000000000000fa4 ip : [<a0000001008c40f0>] Not tainted (3.6.0-rc1) ip is at offline_pages+0x210/0xee0 Call Trace: show_stack+0x80/0xa0 show_regs+0x640/0x920 die+0x190/0x2c0 die_if_kernel+0x50/0x80 ia64_bad_break+0x3d0/0x6e0 ia64_native_leave_kernel+0x0/0x270 offline_pages+0x210/0xee0 alloc_pages_current+0x180/0x2a0 Signed-off-by: Jianguo Wu <wujianguo@huawei.com> Signed-off-by: Jiang Liu <jiang.liu@huawei.com> Cc: "Luck, Tony" <tony.luck@intel.com> Reviewed-by: Michal Hocko <mhocko@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-17Merge tag 'mfd-for-linus-3.6-2' of ↵Linus Torvalds2-4/+12
git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6 Pull mfd fixes from Samuel Ortiz: "This is the remaining MFD fixes for 3.6, with 5 pending fixes: - A tps65217 build error fix. - A lcp_ich regression fix caused by the MFD driver failing to initialize the watchdog sub device due to ACPI conflicts. - 2 MAX77693 interrupt handling bug fixes. - An MFD core fix, adding an IRQ domain argument to the MFD device addition API in order to prevent silent and potentially harmful remapping behaviour changes for drivers supporting non-DT platforms." * tag 'mfd-for-linus-3.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6: mfd: MAX77693: Fix NULL pointer error when initializing irqs mfd: MAX77693: Fix interrupt handling bug mfd: core: Push irqdomain mapping out into devices mfd: lpc_ich: Fix a 3.5 kernel regression for iTCO_wdt driver mfd: Move tps65217 regulator plat data handling to regulator
2012-09-17Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pendingLinus Torvalds2-1/+4
Pull scsi target fixes from Nicholas Bellinger: "Here is the current set of target-pending fixes headed for v3.6-final The main parts of this series include bug-fixes from Paolo Bonzini to address an use-after-free bug in pSCSI sense exception handling, along with addressing some long-standing bugs wrt the handling of zero- length SCSI CDB payloads also specific to pSCSI pass-through device backends." * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: target: go through normal processing for zero-length REQUEST_SENSE target: support zero allocation length in REQUEST SENSE target: support zero-size allocation lengths in transport_kmap_data_sg target: fail REPORT LUNS with less than 16 bytes of payload target: report too-small parameter lists everywhere target: go through normal processing for zero-length PSCSI commands target: fix use-after-free with PSCSI sense data target: simplify code around transport_get_sense_data target: move transport_get_sense_data target: Check idr_get_new return value in iscsi_login_zero_tsih_s1 target: Fix ->data_length re-assignment bug with SCSI overflow
2012-09-16Merge tag 'sound-3.6' of ↵Linus Torvalds1-0/+1
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull more sound fixes from Takashi Iwai: "Yet more (a bunch of) small fixes that slipped from the previous pull request. Most of commits are pending ASoC fixes, all of which are fairly trivial commits." * tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ASoC: wm8904: correct the index ALSA: hda - Yet another position_fix quirk for ASUS machines ASoC: tegra: fix maxburst settings in dmaengine code ASoC: samsung dma - Don't indicate support for pause/resume. ASoC: mc13783: Remove mono support ASoC: arizona: Fix typo in 44.1kHz rates ASoC: spear: correct the check for NULL dma_buffer pointer sound: tegra_alc5632: remove HP detect GPIO inversion ASoC: atmel-ssc: include linux/io.h for raw io ASoC: dapm: Don't force card bias level to be updated ASoC: dapm: Make sure we update the bias level for CODECs with no op ASoC: am3517evm: fix error return code ASoC: ux500_msp_i2s: better use devm functions and fix error return code ASoC: imx-sgtl5000: fix error return code
2012-09-16Revert "sched: Improve scalability via 'CPU buddies', which withstand random ↵Linus Torvalds1-1/+0
perturbations" This reverts commit 970e178985cadbca660feb02f4d2ee3a09f7fdda. Nikolay Ulyanitsky reported thatthe 3.6-rc5 kernel has a 15-20% performance drop on PostgreSQL 9.2 on his machine (running "pgbench"). Borislav Petkov was able to reproduce this, and bisected it to this commit 970e178985ca ("sched: Improve scalability via 'CPU buddies' ...") apparently because the new single-idle-buddy model simply doesn't find idle CPU's to reschedule on aggressively enough. Mike Galbraith suspects that it is likely due to the user-mode spinlocks in PostgreSQL not reacting well to preemption, but we don't really know the details - I'll just revert the commit for now. There are hopefully other approaches to improve scheduler scalability without it causing these kinds of downsides. Reported-by: Nikolay Ulyanitsky <lystor@gmail.com> Bisected-by: Borislav Petkov <bp@alien8.de> Acked-by: Mike Galbraith <efault@gmx.de> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-16mfd: core: Push irqdomain mapping out into devicesMark Brown1-1/+3
Currently the MFD core supports remapping MFD cell interrupts using an irqdomain but only if the MFD is being instantiated using device tree and only if the device tree bindings use the pattern of registering IPs in the device tree with compatible properties. This will be actively harmful for drivers which support non-DT platforms and use this pattern for their DT bindings as it will mean that the core will silently change remapping behaviour and it is also limiting for drivers which don't do DT with this particular pattern. There is also a potential fragility if there are interrupts not associated with MFD cells and all the cells are omitted from the device tree for some reason. Instead change the code to take an IRQ domain as an optional argument, allowing drivers to take the decision about the parent domain for their interrupts. The one current user of this feature is ab8500-core, it has the domain lookup pushed out into the driver. Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-09-15Merge tag 'asoc-3.6' of ↵Takashi Iwai39-63/+110
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Updates for 3.6 A bigger set of updates than I'm entirely comfortable with - things backed up a bit due to travel. As ever the majority of these are small, focused updates for specific drivers though there are a couple of core changes. There's been good exposure in -next. The AT91 patch fixes a build break.
2012-09-15Merge branch 'i2c-embedded/for-current' of ↵Linus Torvalds1-0/+1
git://git.pengutronix.de/git/wsa/linux Pull i2c embedded fixes from Wolfram Sang: "The last bunch of (typical) i2c-embedded driver fixes for 3.6. Also update the MAINTAINERS file to point to my tree since people keep asking where to find their patches." * 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux: i2c: algo: pca: Fix mode selection for PCA9665 MAINTAINERS: fix tree for current i2c-embedded development i2c: mxs: correctly setup speed for non devicetree i2c: pnx: Fix read transactions of >= 2 bytes i2c: pnx: Fix bit definitions
2012-09-15Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linuxLinus Torvalds1-5/+1
Pull drm fixes from Dave Airlie: "I realise this a bit bigger than I would want at this point. Exynos is a large chunk, I got them to half what they wanted already, and hey its ARM based, so not going to hurt many people. Radeon has only two fixes, but the PLL fixes were a bit bigger, but required for a lot of scenarios, the fence fix is really urgent. vmwgfx: I've pulled in a dumb ioctl support patch that I was going to shove in later and cc stable, but we need it asap, its mainly to stop mesa growing a really ugly dependency in userspace to run stuff on vmware, and if I don't stick it in the kernel now, everyone will have to ship ugly userspace libs to workaround it. nouveau: single urgent fix found in F18 testing, causes X to not start properly when f18 plymouth is used i915: smattering of fixes and debug quieting gma500: single regression fix So as I said a bit large, but its fairly well scattered and its all stuff I'll be shipping in F18's 3.6 kernel." * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (26 commits) drm/nouveau: fix booting with plymouth + dumb support drm/radeon: make 64bit fences more robust v3 drm/radeon: rework pll selection (v3) drm: Drop the NV12M and YUV420M formats drm/exynos: remove DRM_FORMAT_NV12M from plane module drm/exynos: fix double call of drm_prime_(init/destroy)_file_private drm/exynos: add dummy support for dmabuf-mmap drm/exynos: Add missing braces around sizeof in exynos_mixer.c drm/exynos: Add missing braces around sizeof in exynos_hdmi.c drm/exynos: Make g2d_pm_ops static drm/exynos: Add dependency for G2D in Kconfig drm/exynos: fixed page align bug. drm/exynos: Use ERR_CAST inlined function instead of ERR_PTR(PTR_ERR(.. [1] drm/exynos: Use devm_* functions in exynos_drm_g2d.c file drm/exynos: Use devm_kzalloc in exynos_drm_hdmi.c file drm/exynos: Use devm_kzalloc in exynos_drm_vidi.c file drm/exynos: Remove redundant check in exynos_drm_fimd.c file drm/exynos: Remove redundant check in exynos_hdmi.c file vmwgfx: add dumb ioctl support gma500: Fix regression on Oaktrail devices ...
2012-09-15Merge branch 'perf-urgent-for-linus' of ↵Linus Torvalds1-1/+3
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "This tree includes various fixes" Ingo really needs to improve on the whole "explain git pull" part. "Various fixes" indeed. * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/hwpb: Invoke __perf_event_disable() if interrupts are already disabled perf/x86: Enable Intel Cedarview Atom suppport perf_event: Switch to internal refcount, fix race with close() oprofile, s390: Fix uninitialized memory access when writing to oprofilefs perf/x86: Fix microcode revision check for SNB-PEBS
2012-09-15Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds4-2/+18
Pull networking fixes from David Miller: 1) Use after free and new device IDs in bluetooth from Andre Guedes, Yevgeniy Melnichuk, Gustavo Padovan, and Henrik Rydberg. 2) Fix crashes with short packet lengths and VLAN in pktgen, from Nishank Trivedi. 3) mISDN calls flush_work_sync() with locks held, fix from Karsten Keil. 4) Packet scheduler gred parameters are reported to userspace improperly scaled, and WRED idling is not performed correctly. All from David Ward. 5) Fix TCP socket refcount problem in ipv6, from Julian Anastasov. 6) ibmveth device has RX queue alignment requirements which are not being explicitly met resulting in sporadic failures, fix from Santiago Leon. 7) Netfilter needs to take care when interpreting sockets attached to socket buffers, they could be time-wait minisockets. Fix from Eric Dumazet. 8) sock_edemux() has the same issue as netfilter did in #7 above, fix from Eric Dumazet. 9) Avoid infinite loops in CBQ scheduler with some configurations, from Eric Dumazet. 10) Deal with "Reflection scan: an Off-Path Attack on TCP", from Jozsef Kadlecsik. 11) SCTP overcharges socket for TX packets, fix from Thomas Graf. 12) CODEL packet scheduler should not reset it's state every time it builds a new flow, fix from Eric Dumazet. 13) Fix memory leak in nl80211, from Wei Yongjun. 14) NETROM doesn't check skb_copy_datagram_iovec() return values, from Alan Cox. 15) l2tp ethernet was using sizeof(ETH_HLEN) instead of plain ETH_HLEN, oops. From Eric Dumazet. 16) Fix selection of ath9k chips on which PA linearization and AM2PM predistoration are used, from Felix Fietkau. 17) Flow steering settings in mlx4 driver need to be validated properly, from Hadar Hen Zion. 18) bnx2x doesn't show the correct link duplex setting, from Yaniv Rosner. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (75 commits) pktgen: fix crash with vlan and packet size less than 46 bnx2x: Add missing afex code bnx2x: fix registers dumped bnx2x: correct advertisement of pause capabilities bnx2x: display the correct duplex value bnx2x: prevent timeouts when using PFC bnx2x: fix stats copying logic bnx2x: Avoid sending multiple statistics queries net: qmi_wwan: call subdriver with control intf only net_sched: gred: actually perform idling in WRED mode net_sched: gred: fix qave reporting via netlink net_sched: gred: eliminate redundant DP prio comparisons net_sched: gred: correct comment about qavg calculation in RIO mode mISDN: Fix wrong usage of flush_work_sync while holding locks netfilter: log: Fix log-level processing net-sched: sch_cbq: avoid infinite loop net: qmi_wwan: fix Gobi device probing for un2430 net: fix net/core/sock.c build error ixp4xx_hss: fix build failure due to missing linux/module.h inclusion caif: move the dereference below the NULL test ...
2012-09-15Merge tag 'driver-core-3.6-rc6' of ↵Linus Torvalds1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fix from Greg Kroah-Hartman: "Here is one fix for 3.6-rc6 for the kobject.h file. It fixes a reported oops if CONFIG_HOTPLUG is disabled. It's been in the linux-next tree for a while now. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>" * tag 'driver-core-3.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: kobject: fix oops with "input0: bad kobj_uevent_env content in show_uevent()"
2012-09-13mISDN: Fix wrong usage of flush_work_sync while holding locksKarsten Keil1-1/+1
It is a bad idea to hold a spinlock and call flush_work_sync. Move the workqueue cleanup outside the spinlock and use cancel_work_sync, on closing the channel this seems to be the more correct function. Remove the never used and constant return value of mISDN_freebchannel. Signed-off-by: Karsten Keil <keil@b1-systems.de> Cc: <stable@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-13perf/x86/ibs: Check syscall attribute flagsRobert Richter1-0/+2
Current implementation simply ignores attribute flags. Thus, there is no notification to userland of unsupported features. Check syscall's attribute flags to let userland know if a feature is supported by the kernel. This is also needed to distinguish between future kernels what might support a feature. Cc: <stable@vger.kernel.org> v3.5.. Signed-off-by: Robert Richter <robert.richter@amd.com> Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Link: http://lkml.kernel.org/r/20120910093018.GO8285@erda.amd.com Signed-off-by: Ingo Molnar <mingo@kernel.org>
2012-09-13drm: Drop the NV12M and YUV420M formatsVille Syrjälä1-5/+1
The NV12M/YUV420M formats are identical to the NV12/YUV420 formats. So just remove these duplicated format names. This might look like breaking the ABI, but the code has never actually accepted these formats, so nothing can be using them. Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
2012-09-13Merge tag 'nfs-for-3.6-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfsLinus Torvalds3-6/+4
Pull NFS client bugfixes from Trond Myklebust: - Final (hopefully) fix for the range checking code in NFSv4 getacl. This should fix the Oopses being seen when the acl size is close to PAGE_SIZE. - Fix a regression with the legacy binary mount code - Fix a regression in the readdir cookieverf initialisation - Fix an RPC over UDP regression - Ensure that we report all errors in the NFSv4 open code - Ensure that fsync() reports all relevant synchronisation errors. * tag 'nfs-for-3.6-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFS: fsync() must exit with an error if page writeback failed SUNRPC: Fix a UDP transport regression NFS: return error from decode_getfh in decode open NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncached NFSv4: Fix range checking in __nfs4_get_acl_uncached and __nfs4_proc_set_acl NFS: Fix a problem with the legacy binary mount code NFS: Fix the initialisation of the readdir 'cookieverf' array
2012-09-12i2c: pnx: Fix read transactions of >= 2 bytesRoland Stigge1-0/+1
On transactions with n>=2 bytes, the controller actually wrongly clocks in n+1 bytes. This is caused by the (wrong) assumption that RFE in the Status Register is 1 iff there is no byte already ordered (via a dummy TX byte). This lead to the implementation of synchronized byte ordering, e.g.: Dummy-TX - RX - Dummy-TX - RX - ... But since RFE actually stays high after some Dummy-TX, it rather looks like: Dummy-TX - Dummy-TX - RX - Dummy-TX - RX - (RX) The last RX byte is clocked in by the bus controller, but ignored by the kernel when filling the userspace buffer. This patch fixes the issue by asking for RX via Dummy-TX asynchronously. Introducing a separate counter for TX bytes. Signed-off-by: Roland Stigge <stigge@antcom.de> Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
2012-09-12xen/m2p: do not reuse kmap_op->dev_bus_addrStefano Stabellini1-1/+2
If the caller passes a valid kmap_op to m2p_add_override, we use kmap_op->dev_bus_addr to store the original mfn, but dev_bus_addr is part of the interface with Xen and if we are batching the hypercalls it might not have been written by the hypervisor yet. That means that later on Xen will write to it and we'll think that the original mfn is actually what Xen has written to it. Rather than "stealing" struct members from kmap_op, keep using page->index to store the original mfn and add another parameter to m2p_remove_override to get the corresponding kmap_op instead. It is now responsibility of the caller to keep track of which kmap_op corresponds to a particular page in the m2p_override (gntdev, the only user of this interface that passes a valid kmap_op, is already doing that). CC: stable@kernel.org Reported-and-Tested-By: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2012-09-07Merge branch 'master' of ↵John W. Linville1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem John W. Linville says: ==================== Please pull these fixes intended for 3.6. There are more commits here than I would like -- I got a bit behind while I was stalking Steven Rostedt in San Diego last week... I'll slow it down after this! There are a couple of pulls here. One is from Johannes: "Please pull (according to the below information) to get a few fixes. * a fix to properly disconnect in the driver when authentication or association fails * a fix to prevent invalid information about mesh paths being reported to userspace * a memory leak fix in an nl80211 error path" The other comes via Gustavo: "A few updates for the 3.6 kernel. There are two btusb patches to add more supported devices through the new USB_VENDOR_AND_INTEFACE_INFO() macro and another one that add a new device id for a Sony Vaio laptop, one fix for a user-after-free and, finally, two patches from Vinicius to fix a issue in SMP pairing." Along with those... Arend van Spriel provides a fix for a use-after-free bug in brcmfmac. Daniel Drake avoids a hang by not trying to touch the libertas hardware duing suspend if it is already powered-down. Felix Fietkau provides a batch of ath9k fixes that adress some potential problems with power settings, as well as a fix to avoid a potential interrupt storm. Gertjan van Wingerde provides a register-width fix for rt2x00, and a rt2x00 fix to prevent incorrectly detecting the rfkill status. He also provides a device ID patch. Hante Meuleman gives us three brcmfmac fixes, one that properly initializes a command structure, one that fixes a race condition that could lose usb requests, and one that removes some log spam. Marc Kleine-Budde offers an rt2x00 fix for a voltage setting on some specific devices. Mohammed Shafi Shajakhan sent an ath9k fix to avoid a crash related to using timers that aren't allocated when 2 wire bluetooth coexistence hardware is in use. Sergei Poselenov changes rt2800usb to do some validity checking for received packets, avoiding crashes on an ARM Soc. Stone Piao gives us an mwifiex fix for an incorrectly set skb length value for a command buffer. All of these are localized to their specific drivers, and relatively small. The power-related patches from Felix are bigger than I would like, but I merged them in consideration of their isolation to ath9k and the sensitive nature of power settings in wireless devices. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-07target: support zero allocation length in REQUEST SENSEPaolo Bonzini1-0/+1
Similar to INQUIRY and MODE SENSE, construct the sense data in a buffer and later copy it to the scatterlist. Do not do anything, but still clear a pending unit attention condition, if the allocation length is zero. However, SPC tells us that "If a REQUEST SENSE command is terminated with CHECK CONDITION status [and] the REQUEST SENSE command was received on an I_T nexus with a pending unit attention condition (i.e., before the device server reports CHECK CONDITION status), then the device server shall not clear the pending unit attention condition." Do the transport_kmap_data_sg early to detect this case. It also tells us "Device servers shall not adjust the additional sense length to reflect truncation if the allocation length is less than the sense data available", so do not do that! Note that the err variable is write-only. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-09-07net/mlx4_core: Add security check / enforcement for flow steering rules set ↵Hadar Hen Zion1-0/+11
for VMs Since VFs may be mapped to VMs which aren't trusted entities, flow steering rules attached through the wrapper on behalf of VFs must be checked to make sure that their L2 specification relate to MAC address assigned to that VF, and add L2 specification if its missing. Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-07net/mlx4_core: Put Firmware flow steering structures in common header filesHadar Hen Zion1-0/+2
To allow for usage of the flow steering Firmware structures in more locations over the driver, such as the resource tracker, move them from mcg.c to common header files. Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-07SUNRPC: Fix a UDP transport regressionTrond Myklebust1-0/+3
Commit 43cedbf0e8dfb9c5610eb7985d5f21263e313802 (SUNRPC: Ensure that we grab the XPRT_LOCK before calling xprt_alloc_slot) is causing hangs in the case of NFS over UDP mounts. Since neither the UDP or the RDMA transport mechanism use dynamic slot allocation, we can skip grabbing the socket lock for those transports. Add a new rpc_xprt_op to allow switching between the TCP and UDP/RDMA case. Note that the NFSv4.1 back channel assigns the slot directly through rpc_run_bc_task, so we can ignore that case. Reported-by: Dick Streefland <dick.streefland@altium.nl> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org [>= 3.1]
2012-09-06kobject: fix oops with "input0: bad kobj_uevent_env content in show_uevent()"Bjørn Mork1-1/+1
Fengguang Wu <fengguang.wu@intel.com> writes: > After the __devinit* removal series, I can still get kernel panic in > show_uevent(). So there are more sources of bug.. > > Debug patch: > > @@ -343,8 +343,11 @@ static ssize_t show_uevent(struct device > goto out; > > /* copy keys to file */ > - for (i = 0; i < env->envp_idx; i++) > + dev_err(dev, "uevent %d env[%d]: %s/.../%s\n", env->buflen, env->envp_idx, top_kobj->name, dev->kobj.name); > + for (i = 0; i < env->envp_idx; i++) { > + printk(KERN_ERR "uevent %d env[%d]: %s\n", (int)count, i, env->envp[i]); > count += sprintf(&buf[count], "%s\n", env->envp[i]); > + } > > Oops message, the env[] is again not properly initilized: > > [ 44.068623] input input0: uevent 61 env[805306368]: input0/.../input0 > [ 44.069552] uevent 0 env[0]: (null) This is a completely different CONFIG_HOTPLUG problem, only demonstrating another reason why CONFIG_HOTPLUG should go away. I had a hard time trying to disable it anyway ;-) The problem this time is lots of code assuming that a call to add_uevent_var() will guarantee that env->buflen > 0. This is not true if CONFIG_HOTPLUG is unset. So things like this end up overwriting env->envp_idx because the array index is -1: if (add_uevent_var(env, "MODALIAS=")) return -ENOMEM; len = input_print_modalias(&env->buf[env->buflen - 1], sizeof(env->buf) - env->buflen, dev, 0); Don't know what the best action is, given that there seem to be a *lot* of this around the kernel. This patch "fixes" the problem for me, but I don't know if it can be considered an appropriate fix. [ It is the correct fix for now, for 3.7 forcing CONFIG_HOTPLUG to always be on is the longterm fix, but it's too late for 3.6 and older kernels to resolve this that way - gregkh ] Reported-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Bjørn Mork <bjorn@mork.no> Tested-by: Fengguang Wu <fengguang.wu@intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-09-06Merge tag 'hwmon-for-linus' of ↵Linus Torvalds1-2/+10
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull a hwmon fix from Guenter Roeck: "One patch, fixing DIV_ROUND_CLOSEST to support negative dividends. While the changes are not in the drivers/hwmon directory, the problem primarily affects hwmon drivers, and it makes sense to push the patch through the hwmon tree." * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: linux/kernel.h: Fix DIV_ROUND_CLOSEST to support negative dividends
2012-09-06NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncachedTrond Myklebust1-1/+1
Pass the checks made by decode_getacl back to __nfs4_get_acl_uncached so that it knows if the acl has been truncated. The current overflow checking is broken, resulting in Oopses on user-triggered nfs4_getfacl calls, and is opaque to the point where several attempts at fixing it have failed. This patch tries to clean up the code in addition to fixing the Oopses by ensuring that the overflow checks are performed in a single place (decode_getacl). If the overflow check failed, we will still be able to report the acl length, but at least we will no longer attempt to cache the acl or copy the truncated contents to user space. Reported-by: Sachin Prabhu <sprabhu@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Tested-by: Sachin Prabhu <sprabhu@redhat.com>
2012-09-06Merge tag 'mmc-fixes-for-3.6-rc5' of ↵Linus Torvalds1-0/+1
git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc Pull MMC fixes from Chris Ball: - a firmware bug on several Samsung MoviNAND eMMC models causes permanent corruption on the device when secure erase and secure trim requests are made, so we disable those requests on these eMMC devices. - atmel-mci: fix a hang with some SD cards by waiting for not-busy flag. - dw_mmc: low-power mode breaks SDIO interrupts; fix PIO error handling; fix handling of error interrupts. - mxs-mmc: fix deadlocks; fix compile error due to dma.h arch change. - omap: fix broken PIO mode causing memory corruption. - sdhci-esdhc: fix card detection. * tag 'mmc-fixes-for-3.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc: mmc: omap: fix broken PIO mode mmc: card: Skip secure erase on MoviNAND; causes unrecoverable corruption. mmc: dw_mmc: Disable low power mode if SDIO interrupts are used mmc: dw_mmc: fix error handling in PIO mode mmc: dw_mmc: correct mishandling error interrupt mmc: dw_mmc: amend using error interrupt status mmc: atmel-mci: not busy flag has also to be used for read operations mmc: sdhci-esdhc: break out early if clock is 0 mmc: mxs-mmc: fix deadlock caused by recursion loop mmc: mxs-mmc: fix deadlock in SDIO IRQ case mmc: bfin_sdh: fix dma_desc_array build error
2012-09-06target: fix use-after-free with PSCSI sense dataPaolo Bonzini1-1/+3
The pointer to the sense buffer is fetched by transport_get_sense_data, but this is called by target_complete_ok_work long after pscsi_req_done has freed the struct that contains it. Pass instead the fabric's sense buffer to transport_complete, and copy the data to it directly in transport_complete. Setting SCF_TRANSPORT_TASK_SENSE also becomes a duty of transport_complete. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-09-05Merge commit '4cb38750d49010ae72e718d46605ac9ba5a851b4' into ↵Konrad Rzeszutek Wilk333-6288/+6434
stable/for-linus-3.6 * commit '4cb38750d49010ae72e718d46605ac9ba5a851b4': (6849 commits) bcma: fix invalid PMU chip control masks [libata] pata_cmd64x: whitespace cleanup libata-acpi: fix up for acpi_pm_device_sleep_state API sata_dwc_460ex: device tree may specify dma_channel ahci, trivial: fixed coding style issues related to braces ahci_platform: add hibernation callbacks libata-eh.c: local functions should not be exposed globally libata-transport.c: local functions should not be exposed globally sata_dwc_460ex: support hardreset ata: use module_pci_driver drivers/ata/pata_pcmcia.c: adjust suspicious bit operation pata_imx: Convert to clk_prepare_enable/clk_disable_unprepare ahci: Enable SB600 64bit DMA on MSI K9AGM2 (MS-7327) v2 [libata] Prevent interface errors with Seagate FreeAgent GoFlex drivers/acpi/glue: revert accidental license-related 6b66d95895c bits libata-acpi: add missing inlines in libata.h i2c-omap: Add support for I2C_M_STOP message flag i2c: Fall back to emulated SMBus if the operation isn't supported natively i2c: Add SCCB support i2c-tiny-usb: Add support for the Robofuzz OSIF USB/I2C converter ...
2012-09-04NFS: Fix the initialisation of the readdir 'cookieverf' arrayTrond Myklebust1-5/+0
When the NFS_COOKIEVERF helper macro was converted into a static inline function in commit 99fadcd764 (nfs: convert NFS_*(inode) helpers to static inline), we broke the initialisation of the readdir cookies, since that depended on doing a memset with an argument of 'sizeof(NFS_COOKIEVERF(inode))' which therefore changed from sizeof(be32 cookieverf[2]) to sizeof(be32 *). At this point, NFS_COOKIEVERF seems to be more of an obfuscation than a helper, so the best thing would be to just get rid of it. Also see: https://bugzilla.kernel.org/show_bug.cgi?id=46881 Reported-by: Andi Kleen <andi@firstfloor.org> Reported-by: David Binderman <dcb314@hotmail.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org
2012-09-04xfrm: Workaround incompatibility of ESN and async cryptoSteffen Klassert1-0/+3
ESN for esp is defined in RFC 4303. This RFC assumes that the sequence number counters are always up to date. However, this is not true if an async crypto algorithm is employed. If the sequence number counters are not up to date on sequence number check, we may incorrectly update the upper 32 bit of the sequence number. This leads to a DOS. We workaround this by comparing the upper sequence number, (used for authentication) with the upper sequence number computed after the async processing. We drop the packet if these numbers are different. To do this, we introduce a recheck function that does this check in the ESN case. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-04mmc: card: Skip secure erase on MoviNAND; causes unrecoverable corruption.Ian Chen1-0/+1
For several MoviNAND eMMC parts, there are known issues with secure erase and secure trim. For these specific MoviNAND devices, we skip these operations. Specifically, there is a bug in the eMMC firmware that causes unrecoverable corruption when the MMC is erased with MMC_CAP_ERASE enabled. References: http://forum.xda-developers.com/showthread.php?t=1644364 https://plus.google.com/111398485184813224730/posts/21pTYfTsCkB#111398485184813224730/posts/21pTYfTsCkB Signed-off-by: Ian Chen <ian.cy.chen@samsung.com> Reviewed-by: Namjae Jeon <linkinjeon@gmail.com> Acked-by: Jaehoon Chung <jh80.chung@samsung.com> Reviewed-by: Linus Walleij <linus.walleij@linaro.org> Cc: stable <stable@vger.kernel.org> [3.0+] Signed-off-by: Chris Ball <cjb@laptop.org>