commit 47026b1fcb6328417277bb3a61b055f138d29eda Author: Greg Kroah-Hartman Date: Thu Jun 26 15:15:55 2014 -0400 Linux 3.14.9 commit d30b5ce4b5da77451fad1f454f3d456f8d3040cf Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:35 2014 +0200 ALSA: control: Make sure that id->index does not overflow commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8e1853b436edc41ee4e0214cf5a2fc04201915f8 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:34 2014 +0200 ALSA: control: Handle numid overflow commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream. Each control gets automatically assigned its numids when the control is created. The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently when this happens for the control that caused the overflow kctl->id.numid + kctl->count will also over flow causing it to be smaller than kctl->id.numid. Most of the code assumes that this is something that can not happen, so we need to make sure that it won't happen Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1637a83bb15491efb3e7c8cd746471ef3710e79d Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:33 2014 +0200 ALSA: control: Don't access controls outside of protected regions commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream. A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 99e6d92ad48b8df440f9466c82c839b74ce95dcd Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:32 2014 +0200 ALSA: control: Fix replacing user controls commit 82262a46627bebb0febcc26664746c25cef08563 upstream. There are two issues with the current implementation for replacing user controls. The first is that the code does not check if the control is actually a user control and neither does it check if the control is owned by the process that tries to remove it. That allows userspace applications to remove arbitrary controls, which can cause a user after free if a for example a driver does not expect a control to be removed from under its feed. The second issue is that on one hand when a control is replaced the user_ctl_count limit is not checked and on the other hand the user_ctl_count is increased (even though the number of user controls does not change). This allows userspace, once the user_ctl_count limit as been reached, to repeatedly replace a control until user_ctl_count overflows. Once that happens new controls can be added effectively bypassing the user_ctl_count limit. Both issues can be fixed by instead of open-coding the removal of the control that is to be replaced to use snd_ctl_remove_user_ctl(). This function does proper permission checks as well as decrements user_ctl_count after the control has been removed. Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at beginning of the function if the control already exists is removed. This is not a problem though since the check is quite useless, because the lock that is protecting the control list is released between the check and before adding the new control to the list, which means that it is possible that a different control with the same settings is added to the list after the check. Luckily there is another check that is done while holding the lock in snd_ctl_add(), so we'll rely on that to make sure that the same control is not added twice. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d8e2983ef545510f39b3b67d639d807672ee0893 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:31 2014 +0200 ALSA: control: Protect user controls against concurrent access commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream. The user-control put and get handlers as well as the tlv do not protect against concurrent access from multiple threads. Since the state of the control is not updated atomically it is possible that either two write operations or a write and a read operation race against each other. Both can lead to arbitrary memory disclosure. This patch introduces a new lock that protects user-controls from concurrent access. Since applications typically access controls sequentially than in parallel a single lock per card should be fine. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6eba2a0e3f4ce79578f302d4abec48a03959f798 Author: David Henningsson Date: Fri Jun 13 11:15:44 2014 +0200 ALSA: hda - Add quirk for external mic on Lifebook U904 commit 2041d56464a067461d7cc21734a0f024587ed2ff upstream. According to the bug reporter (Данило Шеган), the external mic starts to work and has proper jack detection if only pin 0x19 is marked properly as an external headset mic. AlsaInfo at https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1328587/+attachment/4128991/+files/AlsaInfo.txt BugLink: https://bugs.launchpad.net/bugs/1328587 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ce51407d95775c0d9b0c53f7b1863b11f5cde350 Author: Kailang Yang Date: Fri Jun 13 17:16:31 2014 +0800 ALSA: hda/realtek - Add more entry for enable HP mute led commit 8a02b164d4bfac108bfe37e98108bff1e062bd3d upstream. More HP machine need mute led support. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9bbc557d1980beb49b8a7b6328a109294e148463 Author: Kailang Yang Date: Thu Jun 5 11:13:44 2014 +0800 ALSA: hda/realtek - Add support of ALC891 codec commit b6c5fbad16aa5026f508093a8d651c25e1cb6179 upstream. New codec support for ALC891. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 17f3cebf00d4134accd1842095c80a3a13a1d818 Author: Wang, Xiaoming Date: Thu Jun 12 18:47:07 2014 -0400 ALSA: compress: Cancel the optimization of compiler and fix the size of struct for all platform. commit 2bd0ae464a6cf7363bbf72c8545e0aa43caa57f0 upstream. Cancel the optimization of compiler for struct snd_compr_avail which size will be 0x1c in 32bit kernel while 0x20 in 64bit kernel under the optimizer. That will make compaction between 32bit and 64bit. So add packed to fix the size of struct snd_compr_avail to 0x1c for all platform. Signed-off-by: Zhang Dongxing Signed-off-by: xiaoming wang Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5f32449c2863adf190b83402e9a4069cee054f9d Author: Greg Kroah-Hartman Date: Fri Jun 20 22:01:41 2014 -0700 lz4: ensure length does not wrap commit 206204a1162b995e2185275167b22468c00d6b36 upstream. Given some pathologically compressed data, lz4 could possibly decide to wrap a few internal variables, causing unknown things to happen. Catch this before the wrapping happens and abort the decompression. Reported-by: "Don A. Bailey" Signed-off-by: Greg Kroah-Hartman commit b13fdebb805e4a4c7130f7405d7d3ddd3eeb2a77 Author: Greg Kroah-Hartman Date: Fri Jun 20 22:00:53 2014 -0700 lzo: properly check for overruns commit 206a81c18401c0cde6e579164f752c4b147324ce upstream. The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen. Reported-by: "Don A. Bailey" Tested-by: "Don A. Bailey" Signed-off-by: Greg Kroah-Hartman commit 74c68519ea6c2ef5e1b5a0a588647048865e200d Author: Peter Meerwald Date: Tue May 20 08:36:00 2014 +0100 iio: Fix two mpl3115 issues in measurement conversion commit d29f592929489d0a7c414396fae28119f3d280e1 upstream. (i) pressure is 20-bit unsigned, not signed; the buffer description is incorrect; for raw reads, this is just cosmetic (ii) temperature is 12-bit signed, not 16-bit; this affects readout of temperatures below zero as the sign bit is incorrectly processed reported via private mail Signed-off-by: Peter Meerwald Reported-by: Robert Deliën Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 48c941af0db1354ebef774db3d7eee1bb38f534a Author: Peter Meerwald Date: Tue May 6 09:53:00 2014 +0100 iio: Fix endianness issue in ak8975_read_axis() commit 8ba42fb7b17649c9ab5b5e79d4e90370a0b4645e upstream. i2c_smbus_read_word_data() does host endian conversion already, no need for le16_to_cpu() Signed-off-by: Peter Meerwald Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0a6e41e28bc5c93c16cec7ae78300440a94a3751 Author: Dan Carpenter Date: Thu Nov 6 09:13:00 2014 +0000 iio: adc: at91: signedness bug in at91_adc_get_trigger_value_by_name() commit 4f3bcd878f1d3c730fe00f619b7260c6125d49eb upstream. at91_adc_get_trigger_value_by_name() was returning -ENOMEM truncated to a positive u8 and that doesn't work. I've changed it to int and refactored it to preserve the error code. Signed-off-by: Dan Carpenter Acked-by: Alexandre Belloni Tested-by: Alexandre Belloni Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit a7527d068f2c3cd06c41c8ec1021c2c3214f067e Author: Robert Hodaszi Date: Mon Oct 6 14:41:00 2014 +0100 iio: mxs-lradc: fix divider commit 19bc4981a213d0c5b0e1e8b08815c0b26f01ec54 upstream. All channels' single measurement are happening on CH 0. So enabling / disabling the divider once is not enough, because it has impact on all channels. Set only a flag, then check this on each measurement, and enable / disable the divider as required. Signed-off-by: Robert Hodaszi Acked-by: Alexandre Belloni Acked-by: Marek Vasut Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit f7519c94637e800a5e80f76653bb228e1c75bf0e Author: Mario Schuknecht Date: Tue May 27 07:19:00 2014 +0100 staging: iio: tsl2x7x_core: fix proximity treshold commit c404618cd06dad771495fe1cf9d5a63b5664f65f upstream. Consider high byte of proximity min and max treshold in function 'tsl2x7x_chip_on'. So far, the high byte was not set. Signed-off-by: Mario Schuknecht Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 554da9dbc2b3ba0bbef4a3aaba86f71dda2233d8 Author: Jonathan Cameron Date: Sat May 24 12:52:10 2014 +0100 iio:adc:max1363 incorrect resolutions for max11604, max11605, max11610 and max11611. commit a91a73c8b39a6b8bcc53fafa5372c65387c81233 upstream. Reported-by: Erik Habbinga Signed-off-by: Jonathan Cameron Acked-by: Hartmut Knaack Signed-off-by: Greg Kroah-Hartman commit b35347ee071409270e2917cf506f8f43f0d480af Author: Peter Ujfalusi Date: Fri May 30 16:47:41 2014 +0300 ASoC: tlv320aci3x: Fix custom snd_soc_dapm_put_volsw_aic3x() function commit e6c111fac4464e3f4bf7b3802b517dafc80f8e0f upstream. For some unknown reason the parameters for snd_soc_test_bits() were in wrong order: It was: snd_soc_test_bits(codec, val, mask, reg); /* WRONG!!! */ while it should be: snd_soc_test_bits(codec, reg, mask, val); Signed-off-by: Peter Ujfalusi Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a2d26d3fae7024abcbc100d06affce2990e01560 Author: Liam Girdwood Date: Fri May 16 16:55:20 2014 +0300 ASoC: max98090: Fix reset at resume time commit 25b4ab430f8e166c9b63f4db28e7e812d5a59396 upstream. Reset needs to wait 20ms before other codec IO is performed. This wait was not being performed. Fix this by making sure the reset register is not restored with the cache, but use the manual reset method in resume with the wait. Signed-off-by: Liam Girdwood Signed-off-by: Jarkko Nikula Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 5540c02cd6c8be3f0960f743940aa9e762470a39 Author: Lars-Peter Clausen Date: Sun May 4 19:17:05 2014 +0200 ASoC: dapm: Make sure to always update the DAPM graph in _put_volsw() commit c9e065c27fe9b81e5d6e7681d77a24f7b9616675 upstream. When using auto-muted controls it may happen that the register value will not change when changing a control from enabled to disabled (since the control might be physically disabled due to the auto-muting). We have to make sure to still update the DAPM graph and disconnect the mixer input. Fixes: commit 5729507 ("ASoC: dapm: Implement mixer input auto-disable") Signed-off-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit fd81b2dc6f499f8a572363bedfac5ead050842e2 Author: Radim Krčmář Date: Tue May 27 19:16:20 2014 +0200 hv: use correct order when freeing monitor_pages commit a100d88df1e924e5c9678fabf054d1bae7ab74fb upstream. We try to free two pages when only one has been allocated. Cleanup path is unlikely, so I haven't found any trace that would fit, but I hope that free_pages_prepare() does catch it. Signed-off-by: Radim Krčmář Reviewed-by: Amos Kong Acked-by: Jason Wang Signed-off-by: Greg Kroah-Hartman commit bdfbec3be201afa519e98b49984997dd2d4a509f Author: K. Y. Srinivasan Date: Wed Apr 23 13:53:39 2014 -0700 Drivers: hv: balloon: Ensure pressure reports are posted regularly commit ae339336dc950b9b05e7ccd3565dd3e8781c06d9 upstream. The current code posts periodic memory pressure status from a dedicated thread. Under some conditions, especially when we are releasing a lot of memory into the guest, we may not send timely pressure reports back to the host. Fix this issue by reporting pressure in all contexts that can be active in this driver. Signed-off-by: K. Y. Srinivasan Signed-off-by: Greg Kroah-Hartman commit f4c3b805f663386b2a6c873ee836f987b278bcc1 Author: Johan Hovold Date: Mon May 26 19:23:45 2014 +0200 USB: cdc-acm: fix runtime PM imbalance at shutdown commit 5292afa657d0e790b7479ad8eef9450c1e040b3d upstream. Make sure only to decrement the PM counters if they were actually incremented. Note that the USB PM counter, but not necessarily the driver core PM counter, is reset when the interface is unbound. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 78914c967de06d682a9ea8aa25f5e3106832fcba Author: Johan Hovold Date: Mon May 26 19:23:44 2014 +0200 USB: cdc-acm: fix I/O after failed open commit e4c36076c2a6195ec62c35b03c3fde84d0087dc8 upstream. Make sure to kill any already submitted read urbs on read-urb submission failures in open in order to prevent doing I/O for a closed port. Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit bb086f8a1da9a7c521cc36b2087a544290b17e94 Author: Johan Hovold Date: Mon May 26 19:23:41 2014 +0200 USB: cdc-acm: fix potential urb leak and PM imbalance in write commit 183a45087d126d126e8dd1d9b2602fc129dff9ad upstream. Make sure to check return value of autopm get in write() in order to avoid urb leak and PM counter imbalance on errors. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7dfa070023fee95f181e0cd2bec1cb57417f41e2 Author: Johan Hovold Date: Mon May 26 19:23:40 2014 +0200 USB: cdc-acm: fix shutdown and suspend race commit ed797074031a37bb9bf4a70952fffc606b77274d upstream. We should stop I/O unconditionally at suspend rather than rely on the tty-port initialised flag (which is set prior to stopping I/O during shutdown) in order to prevent suspend returning with URBs still active. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4c60d2f5dfad5a48f418191d01117c03a4afbef0 Author: Johan Hovold Date: Mon May 26 19:23:39 2014 +0200 USB: cdc-acm: fix runtime PM for control messages commit bae3f4c53585e9a170da9436e0f06919874bda9a upstream. Fix runtime PM handling of control messages by adding the required PM counter operations. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ef9bfefb7f9395ef376df34e43a208e1793a3fd8 Author: Johan Hovold Date: Mon May 26 19:23:38 2014 +0200 USB: cdc-acm: fix broken runtime suspend commit 140cb81ac8c625942a1d695875932c615767a526 upstream. The current ACM runtime-suspend implementation is broken in several ways: Firstly, it buffers only the first write request being made while suspended -- any further writes are silently dropped. Secondly, writes being dropped also leak write urbs, which are never reclaimed (until the device is unbound). Thirdly, even the single buffered write is not cleared at shutdown (which may happen before the device is resumed), something which can lead to another urb leak as well as a PM usage-counter leak. Fix this by implementing a delayed-write queue using urb anchors and making sure to discard the queue properly at shutdown. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Reported-by: Xiao Jin Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 39d43e4ede7dbb4001a025e157688139c1e2dbdb Author: Johan Hovold Date: Mon May 26 19:23:37 2014 +0200 USB: cdc-acm: fix write and resume race commit e144ed28bed10684f9aaec6325ed974d53f76110 upstream. Fix race between write() and resume() due to improper locking that could lead to writes being reordered. Resume must be done atomically and susp_count be protected by the write_lock in order to prevent racing with write(). This could otherwise lead to writes being reordered if write() grabs the write_lock after susp_count is decremented, but before the delayed urb is submitted. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2d0227bd3d32c96be8c14fd860b0de9fbc87b155 Author: Johan Hovold Date: Mon May 26 19:23:36 2014 +0200 USB: cdc-acm: fix write and suspend race commit 5a345c20c17d87099224a4be12e69e5bd7023dca upstream. Fix race between write() and suspend() which could lead to writes being dropped (or I/O while suspended) if the device is runtime suspended while a write request is being processed. Specifically, suspend() releases the write_lock after determining the device is idle but before incrementing the susp_count, thus leaving a window where a concurrent write() can submit an urb. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e0303ebe7ffffe1fabed0c3924e4e5d24a391174 Author: James Hogan Date: Thu May 29 10:16:23 2014 +0100 MIPS: KVM: Allocate at least 16KB for exception handlers commit 7006e2dfda9adfa40251093604db76d7e44263b3 upstream. Each MIPS KVM guest has its own copy of the KVM exception vector. This contains the TLB refill exception handler at offset 0x000, the general exception handler at offset 0x180, and interrupt exception handlers at offset 0x200 in case Cause_IV=1. A common handler is copied to offset 0x2000 and offset 0x3000 is used for temporarily storing k1 during entry from guest. However the amount of memory allocated for this purpose is calculated as 0x200 rounded up to the next page boundary, which is insufficient if 4KB pages are in use. This can lead to the common handler at offset 0x2000 being overwritten and infinitely recursive exceptions on the next exit from the guest. Increase the minimum size from 0x200 to 0x4000 to cover the full use of the page. Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: Gleb Natapov Cc: kvm@vger.kernel.org Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: Sanjay Lal Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 00e623665a21a0cc8c19072e734dcc8ca3b2fe2e Author: Boris BREZILLON Date: Fri Jun 6 14:36:11 2014 -0700 ARM: at91: fix at91_sysirq_mask_rtc for sam9x5 SoCs commit 9dcc87fec8947308e0111c65dcd881e6aa5b1673 upstream. sam9x5 SoCs have the following errata: "RTC: Interrupt Mask Register cannot be used Interrupt Mask Register read always returns 0." Hence we should not rely on what IMR claims about already masked IRQs and just disable all IRQs. Signed-off-by: Boris BREZILLON Reported-by: Bryan Evenson Reviewed-by: Johan Hovold Acked-by: Nicolas Ferre Cc: Bryan Evenson Cc: Andrew Victor Cc: Jean-Christophe Plagniol-Villard Cc: Alessandro Zummo Cc: Mark Roszko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3ffd4a4939073cb8dc0fb6af7006c3f84acf4304 Author: Paolo Bonzini Date: Wed May 14 17:40:58 2014 +0200 KVM: lapic: sync highest ISR to hardware apic on EOI commit fc57ac2c9ca8109ea97fcc594f4be436944230cc upstream. When Hyper-V enlightenments are in effect, Windows prefers to issue an Hyper-V MSR write to issue an EOI rather than an x2apic MSR write. The Hyper-V MSR write is not handled by the processor, and besides being slower, this also causes bugs with APIC virtualization. The reason is that on EOI the processor will modify the highest in-service interrupt (SVI) field of the VMCS, as explained in section 29.1.4 of the SDM; every other step in EOI virtualization is already done by apic_send_eoi or on VM entry, but this one is missing. We need to do the same, and be careful not to muck with the isr_count and highest_isr_cache fields that are unused when virtual interrupt delivery is enabled. Reviewed-by: Yang Zhang Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 53a22ba62cdc49b48c52ad78517aec9acf3587ec Author: Wei Yang Date: Sun Jun 8 13:49:46 2014 +0300 net/mlx4_core: Keep only one driver entry release mlx4_priv [ Upstream commit da1de8dfff09d33d4a5345762c21b487028e25f5 ] Following commit befdf89 "net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()", there are two mlx4 pci callbacks which will attempt to release the mlx4_priv object -- .shutdown and .remove. This leads to a use-after-free access to the already freed mlx4_priv instance and trigger a "Kernel access of bad area" crash when both .shutdown and .remove are called. During reboot or kexec, .shutdown is called, with the VFs probed to the host going through shutdown first and then the PF. Later, the PF will trigger VFs' .remove since VFs still have driver attached. Fix that by keeping only one driver entry which releases mlx4_priv. Fixes: befdf89 ('net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()') CC: Bjorn Helgaas Signed-off-by: Or Gerlitz Signed-off-by: Jack Morgenstein Signed-off-by: Wei Yang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c14081e87483057105fd0684160960715ff7e5a2 Author: Wei Yang Date: Sun Jun 1 15:24:35 2014 +0800 net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() [ Upstream commit befdf8978accecac2e0739e6b5075afc62db37fe ] pci_match_id() just match the static pci_device_id, which may return NULL if someone binds the driver to a device manually using /sys/bus/pci/drivers/.../new_id. This patch wrap up a helper function __mlx4_remove_one() which does the tear down function but preserve the drv_data. Functions like mlx4_pci_err_detected() and mlx4_restart_one() will call this one with out releasing drvdata. Fixes: 97a5221 "net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset". CC: Bjorn Helgaas CC: Amir Vadai CC: Jack Morgenstein CC: Or Gerlitz Signed-off-by: Wei Yang Acked-by: Jack Morgenstein Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 724d0d32fa2a6242a0f03c1baeb8310e7ddcf9a9 Author: Eric Dumazet Date: Thu Jun 12 16:13:06 2014 -0700 udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup [ Upstream commit 63c6f81cdde58c41da62a8d8a209592e42a0203e ] Its too easy to add thousand of UDP sockets on a particular bucket, and slow down an innocent multicast receiver. Early demux is supposed to be an optimization, we should avoid spending too much time in it. It is interesting to note __udp4_lib_demux_lookup() only tries to match first socket in the chain. 10 is the threshold we already have in __udp4_lib_lookup() to switch to secondary hash. Fixes: 421b3885bf6d5 ("udp: ipv4: Add udp early demux") Signed-off-by: Eric Dumazet Reported-by: David Held Cc: Shawn Bohrer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d5570b211c0e04553c2774c459852425eb8c7172 Author: Cong Wang Date: Thu Jun 12 11:53:10 2014 -0700 vxlan: use dev->needed_headroom instead of dev->hard_header_len [ Upstream commit 2853af6a2ea1a8ed09b09dd4fb578e7f435e8d34 ] When we mirror packets from a vxlan tunnel to other device, the mirror device should see the same packets (that is, without outer header). Because vxlan tunnel sets dev->hard_header_len, tcf_mirred() resets mac header back to outer mac, the mirror device actually sees packets with outer headers Vxlan tunnel should set dev->needed_headroom instead of dev->hard_header_len, like what other ip tunnels do. This fixes the above problem. Cc: "David S. Miller" Cc: stephen hemminger Cc: Pravin B Shelar Signed-off-by: Cong Wang Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 322a117adb270457d409535feaebe36ddfa23025 Author: Michal Schmidt Date: Wed May 28 14:15:19 2014 +0200 rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 [ Upstream commit e5eca6d41f53db48edd8cf88a3f59d2c30227f8e ] When running RHEL6 userspace on a current upstream kernel, "ip link" fails to show VF information. The reason is a kernel<->userspace API change introduced by commit 88c5b5ce5cb57 ("rtnetlink: Call nlmsg_parse() with correct header length"), after which the kernel does not see iproute2's IFLA_EXT_MASK attribute in the netlink request. iproute2 adjusted for the API change in its commit 63338dca4513 ("libnetlink: Use ifinfomsg instead of rtgenmsg in rtnl_wilddump_req_filter"). The problem has been noticed before: http://marc.info/?l=linux-netdev&m=136692296022182&w=2 (Subject: Re: getting VF link info seems to be broken in 3.9-rc8) We can do better than tell those with old userspace to upgrade. We can recognize the old iproute2 in the kernel by checking the netlink message length. Even when including the IFLA_EXT_MASK attribute, its netlink message is shorter than struct ifinfomsg. With this patch "ip link" shows VF information in both old and new iproute2 versions. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4c6c201fa9aa76b57b98c993826c4bd9ecb0f264 Author: Xufeng Zhang Date: Thu Jun 12 10:53:36 2014 +0800 sctp: Fix sk_ack_backlog wrap-around problem [ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ] Consider the scenario: For a TCP-style socket, while processing the COOKIE_ECHO chunk in sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check, a new association would be created in sctp_unpack_cookie(), but afterwards, some processing maybe failed, and sctp_association_free() will be called to free the previously allocated association, in sctp_association_free(), sk_ack_backlog value is decremented for this socket, since the initial value for sk_ack_backlog is 0, after the decrement, it will be 65535, a wrap-around problem happens, and if we want to establish new associations afterward in the same socket, ABORT would be triggered since sctp deem the accept queue as full. Fix this issue by only decrementing sk_ack_backlog for associations in the endpoint's list. Fix-suggested-by: Neil Horman Signed-off-by: Xufeng Zhang Acked-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3480c0154964f155afef8abceb1118debaf3d5b3 Author: Eric Dumazet Date: Tue Jun 10 06:43:01 2014 -0700 ipv4: fix a race in ip4_datagram_release_cb() [ Upstream commit 9709674e68646cee5a24e3000b3558d25412203a ] Alexey gave a AddressSanitizer[1] report that finally gave a good hint at where was the origin of various problems already reported by Dormando in the past [2] Problem comes from the fact that UDP can have a lockless TX path, and concurrent threads can manipulate sk_dst_cache, while another thread, is holding socket lock and calls __sk_dst_set() in ip4_datagram_release_cb() (this was added in linux-3.8) It seems that all we need to do is to use sk_dst_check() and sk_dst_set() so that all the writers hold same spinlock (sk->sk_dst_lock) to prevent corruptions. TCP stack do not need this protection, as all sk_dst_cache writers hold the socket lock. [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel AddressSanitizer: heap-use-after-free in ipv4_dst_check Read of size 2 by thread T15453: [] ipv4_dst_check+0x1a/0x90 ./net/ipv4/route.c:1116 [] __sk_dst_check+0x89/0xe0 ./net/core/sock.c:531 [] ip4_datagram_release_cb+0x46/0x390 ??:0 [] release_sock+0x17a/0x230 ./net/core/sock.c:2413 [] ip4_datagram_connect+0x462/0x5d0 ??:0 [] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534 [] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701 [] SyS_connect+0xe/0x10 ./net/socket.c:1682 [] system_call_fastpath+0x16/0x1b ./arch/x86/kernel/entry_64.S:629 Freed by thread T15455: [] dst_destroy+0xa8/0x160 ./net/core/dst.c:251 [] dst_release+0x45/0x80 ./net/core/dst.c:280 [] ip4_datagram_connect+0xa1/0x5d0 ??:0 [] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534 [] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701 [] SyS_connect+0xe/0x10 ./net/socket.c:1682 [] system_call_fastpath+0x16/0x1b ./arch/x86/kernel/entry_64.S:629 Allocated by thread T15453: [] dst_alloc+0x81/0x2b0 ./net/core/dst.c:171 [] rt_dst_alloc+0x47/0x50 ./net/ipv4/route.c:1406 [< inlined >] __ip_route_output_key+0x3e8/0xf70 __mkroute_output ./net/ipv4/route.c:1939 [] __ip_route_output_key+0x3e8/0xf70 ./net/ipv4/route.c:2161 [] ip_route_output_flow+0x14/0x30 ./net/ipv4/route.c:2249 [] ip4_datagram_connect+0x317/0x5d0 ??:0 [] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534 [] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701 [] SyS_connect+0xe/0x10 ./net/socket.c:1682 [] system_call_fastpath+0x16/0x1b ./arch/x86/kernel/entry_64.S:629 [2] <4>[196727.311203] general protection fault: 0000 [#1] SMP <4>[196727.311224] Modules linked in: xt_TEE xt_dscp xt_DSCP macvlan bridge coretemp crc32_pclmul ghash_clmulni_intel gpio_ich microcode ipmi_watchdog ipmi_devintf sb_edac edac_core lpc_ich mfd_core tpm_tis tpm tpm_bios ipmi_si ipmi_msghandler isci igb libsas i2c_algo_bit ixgbe ptp pps_core mdio <4>[196727.311333] CPU: 17 PID: 0 Comm: swapper/17 Not tainted 3.10.26 #1 <4>[196727.311344] Hardware name: Supermicro X9DRi-LN4+/X9DR3-LN4+/X9DRi-LN4+/X9DR3-LN4+, BIOS 3.0 07/05/2013 <4>[196727.311364] task: ffff885e6f069700 ti: ffff885e6f072000 task.ti: ffff885e6f072000 <4>[196727.311377] RIP: 0010:[] [] ipv4_dst_destroy+0x4f/0x80 <4>[196727.311399] RSP: 0018:ffff885effd23a70 EFLAGS: 00010282 <4>[196727.311409] RAX: dead000000200200 RBX: ffff8854c398ecc0 RCX: 0000000000000040 <4>[196727.311423] RDX: dead000000100100 RSI: dead000000100100 RDI: dead000000200200 <4>[196727.311437] RBP: ffff885effd23a80 R08: ffffffff815fd9e0 R09: ffff885d5a590800 <4>[196727.311451] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 <4>[196727.311464] R13: ffffffff81c8c280 R14: 0000000000000000 R15: ffff880e85ee16ce <4>[196727.311510] FS: 0000000000000000(0000) GS:ffff885effd20000(0000) knlGS:0000000000000000 <4>[196727.311554] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[196727.311581] CR2: 00007a46751eb000 CR3: 0000005e65688000 CR4: 00000000000407e0 <4>[196727.311625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 <4>[196727.311669] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 <4>[196727.311713] Stack: <4>[196727.311733] ffff8854c398ecc0 ffff8854c398ecc0 ffff885effd23ab0 ffffffff815b7f42 <4>[196727.311784] ffff88be6595bc00 ffff8854c398ecc0 0000000000000000 ffff8854c398ecc0 <4>[196727.311834] ffff885effd23ad0 ffffffff815b86c6 ffff885d5a590800 ffff8816827821c0 <4>[196727.311885] Call Trace: <4>[196727.311907] <4>[196727.311912] [] dst_destroy+0x32/0xe0 <4>[196727.311959] [] dst_release+0x56/0x80 <4>[196727.311986] [] tcp_v4_do_rcv+0x2a5/0x4a0 <4>[196727.312013] [] tcp_v4_rcv+0x7da/0x820 <4>[196727.312041] [] ? ip_rcv_finish+0x360/0x360 <4>[196727.312070] [] ? nf_hook_slow+0x7d/0x150 <4>[196727.312097] [] ? ip_rcv_finish+0x360/0x360 <4>[196727.312125] [] ip_local_deliver_finish+0xb2/0x230 <4>[196727.312154] [] ip_local_deliver+0x4a/0x90 <4>[196727.312183] [] ip_rcv_finish+0x119/0x360 <4>[196727.312212] [] ip_rcv+0x22b/0x340 <4>[196727.312242] [] ? macvlan_broadcast+0x160/0x160 [macvlan] <4>[196727.312275] [] __netif_receive_skb_core+0x512/0x640 <4>[196727.312308] [] ? kmem_cache_alloc+0x13b/0x150 <4>[196727.312338] [] __netif_receive_skb+0x21/0x70 <4>[196727.312368] [] netif_receive_skb+0x31/0xa0 <4>[196727.312397] [] napi_gro_receive+0xe8/0x140 <4>[196727.312433] [] ixgbe_poll+0x551/0x11f0 [ixgbe] <4>[196727.312463] [] ? ip_rcv+0x22b/0x340 <4>[196727.312491] [] net_rx_action+0x111/0x210 <4>[196727.312521] [] ? __netif_receive_skb+0x21/0x70 <4>[196727.312552] [] __do_softirq+0xd0/0x270 <4>[196727.312583] [] call_softirq+0x1c/0x30 <4>[196727.312613] [] do_softirq+0x55/0x90 <4>[196727.312640] [] irq_exit+0x55/0x60 <4>[196727.312668] [] do_IRQ+0x63/0xe0 <4>[196727.312696] [] common_interrupt+0x6a/0x6a <4>[196727.312722] <1>[196727.313071] RIP [] ipv4_dst_destroy+0x4f/0x80 <4>[196727.313100] RSP <4>[196727.313377] ---[ end trace 64b3f14fae0f2e29 ]--- <0>[196727.380908] Kernel panic - not syncing: Fatal exception in interrupt Reported-by: Alexey Preobrazhensky Reported-by: dormando Signed-off-by: Eric Dumazet Fixes: 8141ed9fcedb2 ("ipv4: Add a socket release callback for datagram sockets") Cc: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7c9a26c2c40b732a3886c4ee55a8a5e7437d46bf Author: Jon Cooper Date: Wed Jun 11 14:33:08 2014 +0100 sfc: PIO:Restrict to 64bit arch and use 64-bit writes. [ Upstream commit daf37b556e437ec1ea1a597dcfeff338068380e1 ] Fixes:ee45fd92c739 ("sfc: Use TX PIO for sufficiently small packets") The linux net driver uses memcpy_toio() in order to copy into the PIO buffers. Even on a 64bit machine this causes 32bit accesses to a write- combined memory region. There are hardware limitations that mean that only 64bit naturally aligned accesses are safe in all cases. Due to being write-combined memory region two 32bit accesses may be coalesced to form a 64bit non 64bit aligned access. Solution was to open-code the memory copy routines using pointers and to only enable PIO for x86_64 machines. Not tested on platforms other than x86_64 because this patch disables the PIO feature on other platforms. Compile-tested on x86 to ensure that works. The WARN_ON_ONCE() code in the previous version of this patch has been moved into the internal sfc debug driver as the assertion was unnecessary in the upstream kernel code. This bug fix applies to v3.13 and v3.14 stable branches. Signed-off-by: Shradha Shah Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a7b791bc2b6fcc29f7c56a375823d436f7f233ce Author: Dmitry Popov Date: Fri Jun 6 23:19:21 2014 +0400 ipip, sit: fix ipv4_{update_pmtu,redirect} calls [ Upstream commit 2346829e641b804ece9ac9298136b56d9567c278 ] ipv4_{update_pmtu,redirect} were called with tunnel's ifindex (t->dev is a tunnel netdevice). It caused wrong route lookup and failure of pmtu update or redirect. We should use the same ifindex that we use in ip_route_output_* in *tunnel_xmit code. It is t->parms.link . Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0d0fc9f9e888a6e3fdabdfc08b7c4044b58bc87a Author: Eric Dumazet Date: Fri Jun 6 06:44:03 2014 -0700 net: force a list_del() in unregister_netdevice_many() [ Upstream commit 87757a917b0b3c0787e0563c679762152be81312 ] unregister_netdevice_many() API is error prone and we had too many bugs because of dangling LIST_HEAD on stacks. See commit f87e6f47933e3e ("net: dont leave active on stack LIST_HEAD") In fact, instead of making sure no caller leaves an active list_head, just force a list_del() in the callee. No one seems to need to access the list after unregister_netdevice_many() Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cff9d473bda5185fd537e93cefd70c4bc4eb4e99 Author: Bjørn Mork Date: Fri Jun 6 17:27:59 2014 +0200 net: qmi_wwan: add Olivetti Olicard modems [ Upstream commit ba6de0f5304ccdc45ae260e7e0feb6e0ef2dd558 ] Lars writes: "I'm only 99% sure that the net interfaces are qmi interfaces, nothing to lose by adding them in my opinion." And I tend to agree based on the similarity with the two Olicard modems we already have here. Reported-by: Lars Melin Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 99d7f734f70326448bb5a7f9cc1d0b089fa5a1c2 Author: Alexei Starovoitov Date: Fri Jun 6 08:35:59 2014 -0700 net: filter: fix sparc32 typo [ Upstream commit 588f5d629b3369aba88f52217d1c473a28fa7723 ] Fixes: 569810d1e327 ("net: filter: fix typo in sparc BPF JIT") Signed-off-by: Alexei Starovoitov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9fb67f93beb0f41811ca8ea7a1f0f1a124d6580b Author: Alexei Starovoitov Date: Thu Jun 5 22:47:44 2014 -0700 net: filter: fix typo in sparc BPF JIT [ Upstream commit 569810d1e3278907264f5b115281fca3f0038d53 ] fix typo in sparc codegen for SKF_AD_IFINDEX and SKF_AD_HATYPE classic BPF extensions Fixes: 2809a2087cc4 ("net: filter: Just In Time compiler for sparc") Signed-off-by: Alexei Starovoitov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1aa189a65047012497a6bed9b25fd29d7b0af22f Author: Sergei Shtylyov Date: Tue Jun 3 23:42:26 2014 +0400 sh_eth: fix SH7619/771x support [ Upstream commit d8b0426af5b67973585712c9af36b86f6ea97815 ] Commit 4a55530f38e4 (net: sh_eth: modify the definitions of register) managed to leave out the E-DMAC register entries in sh_eth_offset_fast_sh3_sh2[], thus totally breaking SH7619/771x support. Add the missing entries using the data from before that commit. Signed-off-by: Sergei Shtylyov Acked-by: Yoshihiro Shimoda Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f18562e9098b62cf0e0192c37e15d6f2fd758962 Author: Ben Dooks Date: Tue Jun 3 12:21:13 2014 +0100 sh_eth: use RNC mode for packet reception [ Upstream commit 530aa2d0d9d55ab2775d47621ddf4b5b15bc1110 ] The current behaviour of the sh_eth driver is not to use the RNC bit for the receive ring. This means that every packet recieved is not only generating an IRQ but it also stops the receive ring DMA as well until the driver re-enables it after unloading the packet. This means that a number of the following errors are generated due to the receive packet FIFO overflowing due to nowhere to put packets: net eth0: Receive FIFO Overflow Since feedback from Yoshihiro Shimoda shows that every supported LSI for this driver should have the bit enabled it seems the best way is to remove the RMCR default value from the per-system data and just write it when initialising the RMCR value. This is discussed in the message (http://www.spinics.net/lists/netdev/msg284912.html). I have tested the RMCR_RNC configuration with NFS root filesystem and the driver has not failed yet. There are further test reports from Sergei Shtylov and others for both the R8A7790 and R8A7791. There is also feedback fron Cao Minh Hiep[1] which reports the same issue in (http://comments.gmane.org/gmane.linux.network/316285) showing this fixes issues with losing UDP datagrams under iperf. Tested-by: Sergei Shtylyov Signed-off-by: Ben Dooks Acked-by: Yoshihiro Shimoda Acked-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d86b9e396a82cf7988a9ba3b9943f47f146ad770 Author: Yuchung Cheng Date: Fri May 30 15:25:59 2014 -0700 tcp: fix cwnd undo on DSACK in F-RTO [ Upstream commit 0cfa5c07d6d1d7f8e710fc671c5ba1ce85e09fa4 ] This bug is discovered by an recent F-RTO issue on tcpm list https://www.ietf.org/mail-archive/web/tcpm/current/msg08794.html The bug is that currently F-RTO does not use DSACK to undo cwnd in certain cases: upon receiving an ACK after the RTO retransmission in F-RTO, and the ACK has DSACK indicating the retransmission is spurious, the sender only calls tcp_try_undo_loss() if some never retransmisted data is sacked (FLAG_ORIG_DATA_SACKED). The correct behavior is to unconditionally call tcp_try_undo_loss so the DSACK information is used properly to undo the cwnd reduction. Signed-off-by: Yuchung Cheng Signed-off-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 03bcf77669fbe71906c92b25a450e9b1dc2b4ee4 Author: Jiri Pirko Date: Thu May 29 20:46:17 2014 +0200 team: fix mtu setting [ Upstream commit 9d0d68faea6962d62dd501cd6e71ce5cc8ed262b ] Now it is not possible to set mtu to team device which has a port enslaved to it. The reason is that when team_change_mtu() calls dev_set_mtu() for port device, notificator for NETDEV_PRECHANGEMTU event is called and team_device_event() returns NOTIFY_BAD forbidding the change. So fix this by returning NOTIFY_DONE here in case team is changing mtu in team_change_mtu(). Introduced-by: 3d249d4c "net: introduce ethernet teaming device" Signed-off-by: Jiri Pirko Acked-by: Flavio Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e5ec00f5d24123cca753234933abe5bf75b1a4d4 Author: Eric Dumazet Date: Thu May 29 08:45:14 2014 -0700 net: fix inet_getid() and ipv6_select_ident() bugs [ Upstream commit 39c36094d78c39e038c1e499b2364e13bce36f54 ] I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery is disabled. Note how GSO/TSO packets do not have monotonically incrementing ID. 06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396) 06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212) 06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972) 06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292) 06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764) It appears I introduced this bug in linux-3.1. inet_getid() must return the old value of peer->ip_id_count, not the new one. Lets revert this part, and remove the prevention of a null identification field in IPv6 Fragment Extension Header, which is dubious and not even done properly. Fixes: 87c48fa3b463 ("ipv6: make fragment identifications less predictable") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 54b3bda49c9888d8e1655bf8c7b73c5d15fda34c Author: Tom Gundersen Date: Thu May 15 23:21:30 2014 +0200 net: tunnels - enable module autoloading [ Upstream commit f98f89a0104454f35a62d681683c844f6dbf4043 ] Enable the module alias hookup to allow tunnel modules to be autoloaded on demand. This is in line with how most other netdev kinds work, and will allow userspace to create tunnels without having CAP_SYS_MODULE. Signed-off-by: Tom Gundersen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 317d1e9c6a1c6f045b1b40e9baf60de6a3927f06 Author: Toshiaki Makita Date: Mon May 26 15:15:53 2014 +0900 bridge: Prevent insertion of FDB entry with disallowed vlan [ Upstream commit e0d7968ab6c8bce2437b36fa7f04117e333f196d ] br_handle_local_finish() is allowing us to insert an FDB entry with disallowed vlan. For example, when port 1 and 2 are communicating in vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can interfere with their communication by spoofed src mac address with vlan id 10. Note: Even if it is judged that a frame should not be learned, it should not be dropped because it is destined for not forwarding layer but higher layer. See IEEE 802.1Q-2011 8.13.10. Signed-off-by: Toshiaki Makita Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1ab214eb6e840d3a4a1165a6978cff2448f97739 Author: Michal Schmidt Date: Mon Jun 2 18:25:02 2014 +0200 netlink: rate-limit leftover bytes warning and print process name [ Upstream commit bfc5184b69cf9eeb286137640351c650c27f118a ] Any process is able to send netlink messages with leftover bytes. Make the warning rate-limited to prevent too much log spam. The warning is supposed to help find userspace bugs, so print the triggering command name to implicate the buggy program. [v2: Use pr_warn_ratelimited instead of printk_ratelimited.] Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a81347b883e3150b0cbabdb1a8e6c5d5120f80fb Author: Sven Wegener Date: Thu May 29 20:27:05 2014 +0000 ipv6: Fix regression caused by efe4208 in udp_v6_mcast_next() [ Upstream commit 3bfdc59a6c24608ed23e903f670aaf5f58c7a6f3 ] Commit efe4208 ("ipv6: make lookups simpler and faster") introduced a regression in udp_v6_mcast_next(), resulting in multicast packets not reaching the destination sockets under certain conditions. The packet's IPv6 addresses are wrongly compared to the IPv6 addresses from the function's socket argument, which indicates the starting point for looping, instead of the loop variable. If the addresses from the first socket do not match the packet's addresses, no socket in the list will match. Signed-off-by: Sven Wegener Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c7d7c4dfa788306b2000ecac562eab43016b41b7 Author: Dan Carpenter Date: Fri May 23 19:37:21 2014 +0300 qlcnic: info leak in qlcnic_dcb_peer_app_info() [ Upstream commit 7df566bbdd0af0785542b89466a937e94257fcfb ] This function is called from dcbnl_build_peer_app(). The "info" struct isn't initialized at all so we disclose 2 bytes of uninitialized stack data. We should clear it before passing it to the user. Fixes: 48365e485275 ('qlcnic: dcb: Add support for CEE Netlink interface.') Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 17f46a4cedce238dc24a21674756a732816d6f0c Author: Eric W. Biederman Date: Fri May 30 11:04:00 2014 -0700 netlink: Only check file credentials for implicit destinations [ Upstream commit 2d7a85f4b06e9c27ff629f07a524c48074f07f81 ] It was possible to get a setuid root or setcap executable to write to it's stdout or stderr (which has been set made a netlink socket) and inadvertently reconfigure the networking stack. To prevent this we check that both the creator of the socket and the currentl applications has permission to reconfigure the network stack. Unfortunately this breaks Zebra which always uses sendto/sendmsg and creates it's socket without any privileges. To keep Zebra working don't bother checking if the creator of the socket has privilege when a destination address is specified. Instead rely exclusively on the privileges of the sender of the socket. Note from Andy: This is exactly Eric's code except for some comment clarifications and formatting fixes. Neither I nor, I think, anyone else is thrilled with this approach, but I'm hesitant to wait on a better fix since 3.15 is almost here. Note to stable maintainers: This is a mess. An earlier series of patches in 3.15 fix a rather serious security issue (CVE-2014-0181), but they did so in a way that breaks Zebra. The offending series includes: commit aa4cf9452f469f16cea8c96283b641b4576d4a7b Author: Eric W. Biederman Date: Wed Apr 23 14:28:03 2014 -0700 net: Add variants of capable for use on netlink messages If a given kernel version is missing that series of fixes, it's probably worth backporting it and this patch. if that series is present, then this fix is critical if you care about Zebra. Cc: stable@vger.kernel.org Signed-off-by: "Eric W. Biederman" Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit be0ef855baab7248d0fc71cdf78a47fcfd3708f1 Author: Eric W. Biederman Date: Wed Apr 23 14:29:27 2014 -0700 net: Use netlink_ns_capable to verify the permisions of netlink messages [ Upstream commit 90f62cf30a78721641e08737bda787552428061e ] It is possible by passing a netlink socket to a more privileged executable and then to fool that executable into writing to the socket data that happens to be valid netlink message to do something that privileged executable did not intend to do. To keep this from happening replace bare capable and ns_capable calls with netlink_capable, netlink_net_calls and netlink_ns_capable calls. Which act the same as the previous calls except they verify that the opener of the socket had the desired permissions as well. Reported-by: Andy Lutomirski Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d8d52aa168fc662f66b5525b7c16cc9de33b74da Author: Eric W. Biederman Date: Wed Apr 23 14:28:03 2014 -0700 net: Add variants of capable for use on netlink messages [ Upstream commit aa4cf9452f469f16cea8c96283b641b4576d4a7b ] netlink_net_capable - The common case use, for operations that are safe on a network namespace netlink_capable - For operations that are only known to be safe for the global root netlink_ns_capable - The general case of capable used to handle special cases __netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of the skbuff of a netlink message. Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2eeb40639c9aa350f67a612c3b9fdeaead3ceb81 Author: Eric W. Biederman Date: Wed Apr 23 14:26:56 2014 -0700 net: Add variants of capable for use on on sockets [ Upstream commit a3b299da869d6e78cf42ae0b1b41797bcb8c5e4b ] sk_net_capable - The common case, operations that are safe in a network namespace. sk_capable - Operations that are not known to be safe in a network namespace sk_ns_capable - The general case for special cases. Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 286a056788f863a2abe103a0efa46f6c412eb850 Author: Eric W. Biederman Date: Wed Apr 23 14:26:25 2014 -0700 net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump [ Upstream commit a53b72c83a4216f2eb883ed45a0cbce014b8e62d ] The permission check in sock_diag_put_filterinfo is wrong, and it is so removed from it's sources it is not clear why it is wrong. Move the computation into packet_diag_dump and pass a bool of the result into sock_diag_filterinfo. This does not yet correct the capability check but instead simply moves it to make it clear what is going on. Reported-by: Andy Lutomirski Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8cc00d08cd6f880a67371c7a838379be2b2a894c Author: Eric W. Biederman Date: Wed Apr 23 14:25:48 2014 -0700 netlink: Rename netlink_capable netlink_allowed [ Upstream commit 5187cd055b6e81fc6526109456f8b20623148d5f ] netlink_capable is a static internal function in af_netlink.c and we have better uses for the name netlink_capable. Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 73b49c736fefb5f772e13df33c44356e42e18e0b Author: Mimi Zohar Date: Sun May 11 00:05:23 2014 -0400 evm: prohibit userspace writing 'security.evm' HMAC value commit 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 upstream. Calculating the 'security.evm' HMAC value requires access to the EVM encrypted key. Only the kernel should have access to it. This patch prevents userspace tools(eg. setfattr, cp --preserve=xattr) from setting/modifying the 'security.evm' HMAC value directly. Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit a3af538e0c6af0b6d1ab8da37b1b6796300b6c2e Author: Dmitry Kasatkin Date: Thu May 8 14:03:22 2014 +0300 ima: introduce ima_kernel_read() commit 0430e49b6e7c6b5e076be8fefdee089958c9adad upstream. Commit 8aac62706 "move exit_task_namespaces() outside of exit_notify" introduced the kernel opps since the kernel v3.10, which happens when Apparmor and IMA-appraisal are enabled at the same time. ---------------------------------------------------------------------- [ 106.750167] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [ 106.750221] IP: [] our_mnt+0x1a/0x30 [ 106.750241] PGD 0 [ 106.750254] Oops: 0000 [#1] SMP [ 106.750272] Modules linked in: cuse parport_pc ppdev bnep rfcomm bluetooth rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel snd_hda_codec_hdmi kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd snd_hda_codec_realtek dcdbas snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi psmouse snd_seq microcode serio_raw snd_timer snd_seq_device snd soundcore video lpc_ich coretemp mac_hid lp parport mei_me mei nbd hid_generic e1000e usbhid ahci ptp hid libahci pps_core [ 106.750658] CPU: 6 PID: 1394 Comm: mysqld Not tainted 3.13.0-rc7-kds+ #15 [ 106.750673] Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A08 09/19/2012 [ 106.750689] task: ffff8800de804920 ti: ffff880400fca000 task.ti: ffff880400fca000 [ 106.750704] RIP: 0010:[] [] our_mnt+0x1a/0x30 [ 106.750725] RSP: 0018:ffff880400fcba60 EFLAGS: 00010286 [ 106.750738] RAX: 0000000000000000 RBX: 0000000000000100 RCX: ffff8800d51523e7 [ 106.750764] RDX: ffffffffffffffea RSI: ffff880400fcba34 RDI: ffff880402d20020 [ 106.750791] RBP: ffff880400fcbae0 R08: 0000000000000000 R09: 0000000000000001 [ 106.750817] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800d5152300 [ 106.750844] R13: ffff8803eb8df510 R14: ffff880400fcbb28 R15: ffff8800d51523e7 [ 106.750871] FS: 0000000000000000(0000) GS:ffff88040d200000(0000) knlGS:0000000000000000 [ 106.750910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 106.750935] CR2: 0000000000000018 CR3: 0000000001c0e000 CR4: 00000000001407e0 [ 106.750962] Stack: [ 106.750981] ffffffff813434eb ffff880400fcbb20 ffff880400fcbb18 0000000000000000 [ 106.751037] ffff8800de804920 ffffffff8101b9b9 0001800000000000 0000000000000100 [ 106.751093] 0000010000000000 0000000000000002 000000000000000e ffff8803eb8df500 [ 106.751149] Call Trace: [ 106.751172] [] ? aa_path_name+0x2ab/0x430 [ 106.751199] [] ? sched_clock+0x9/0x10 [ 106.751225] [] aa_path_perm+0x7d/0x170 [ 106.751250] [] ? native_sched_clock+0x15/0x80 [ 106.751276] [] aa_file_perm+0x33/0x40 [ 106.751301] [] common_file_perm+0x8e/0xb0 [ 106.751327] [] apparmor_file_permission+0x18/0x20 [ 106.751355] [] security_file_permission+0x23/0xa0 [ 106.751382] [] rw_verify_area+0x52/0xe0 [ 106.751407] [] vfs_read+0x6d/0x170 [ 106.751432] [] kernel_read+0x41/0x60 [ 106.751457] [] ima_calc_file_hash+0x225/0x280 [ 106.751483] [] ? ima_calc_file_hash+0x32/0x280 [ 106.751509] [] ima_collect_measurement+0x9d/0x160 [ 106.751536] [] ? trace_hardirqs_on+0xd/0x10 [ 106.751562] [] ? ima_file_free+0x6c/0xd0 [ 106.751587] [] ima_update_xattr+0x34/0x60 [ 106.751612] [] ima_file_free+0xc0/0xd0 [ 106.751637] [] __fput+0xd5/0x300 [ 106.751662] [] ____fput+0xe/0x10 [ 106.751687] [] task_work_run+0xc4/0xe0 [ 106.751712] [] do_exit+0x2bd/0xa90 [ 106.751738] [] ? retint_swapgs+0x13/0x1b [ 106.751763] [] do_group_exit+0x4c/0xc0 [ 106.751788] [] SyS_exit_group+0x14/0x20 [ 106.751814] [] system_call_fastpath+0x1a/0x1f [ 106.751839] Code: c3 0f 1f 44 00 00 55 48 89 e5 e8 22 fe ff ff 5d c3 0f 1f 44 00 00 55 65 48 8b 04 25 c0 c9 00 00 48 8b 80 28 06 00 00 48 89 e5 5d <48> 8b 40 18 48 39 87 c0 00 00 00 0f 94 c0 c3 0f 1f 80 00 00 00 [ 106.752185] RIP [] our_mnt+0x1a/0x30 [ 106.752214] RSP [ 106.752236] CR2: 0000000000000018 [ 106.752258] ---[ end trace 3c520748b4732721 ]--- ---------------------------------------------------------------------- The reason for the oops is that IMA-appraisal uses "kernel_read()" when file is closed. kernel_read() honors LSM security hook which calls Apparmor handler, which uses current->nsproxy->mnt_ns. The 'guilty' commit changed the order of cleanup code so that nsproxy->mnt_ns was not already available for Apparmor. Discussion about the issue with Al Viro and Eric W. Biederman suggested that kernel_read() is too high-level for IMA. Another issue, except security checking, that was identified is mandatory locking. kernel_read honors it as well and it might prevent IMA from calculating necessary hash. It was suggested to use simplified version of the function without security and locking checks. This patch introduces special version ima_kernel_read(), which skips security and mandatory locking checking. It prevents the kernel oops to happen. Signed-off-by: Dmitry Kasatkin Suggested-by: Eric W. Biederman Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit ca7919db0c6dd616f2d1102f40fe7aacfd730121 Author: Mimi Zohar Date: Mon May 12 09:28:11 2014 -0400 ima: audit log files opened with O_DIRECT flag commit f9b2a735bdddf836214b5dca74f6ca7712e5a08c upstream. Files are measured or appraised based on the IMA policy. When a file, in policy, is opened with the O_DIRECT flag, a deadlock occurs. The first attempt at resolving this lockdep temporarily removed the O_DIRECT flag and restored it, after calculating the hash. The second attempt introduced the O_DIRECT_HAVELOCK flag. Based on this flag, do_blockdev_direct_IO() would skip taking the i_mutex a second time. The third attempt, by Dmitry Kasatkin, resolves the i_mutex locking issue, by re-introducing the IMA mutex, but uncovered another problem. Reading a file with O_DIRECT flag set, writes directly to userspace pages. A second patch allocates a user-space like memory. This works for all IMA hooks, except ima_file_free(), which is called on __fput() to recalculate the file hash. Until this last issue is addressed, do not 'collect' the measurement for measuring, appraising, or auditing files opened with the O_DIRECT flag set. Based on policy, permit or deny file access. This patch defines a new IMA policy rule option named 'permit_directio'. Policy rules could be defined, based on LSM or other criteria, to permit specific applications to open files with the O_DIRECT flag set. Changelog v1: - permit or deny file access based IMA policy rules Signed-off-by: Mimi Zohar Acked-by: Dmitry Kasatkin Signed-off-by: Greg Kroah-Hartman commit 124067ae6606c2e9433a912b3c57fcc78b484362 Author: Nicholas Bellinger Date: Thu Jun 5 18:08:57 2014 -0700 iscsi-target: Reject mutual authentication with reflected CHAP_C commit 1d2b60a5545942b1376cb48c1d55843d71e3a08f upstream. This patch adds an explicit check in chap_server_compute_md5() to ensure the CHAP_C value received from the initiator during mutual authentication does not match the original CHAP_C provided by the target. This is in line with RFC-3720, section 8.2.1: Originators MUST NOT reuse the CHAP challenge sent by the Responder for the other direction of a bidirectional authentication. Responders MUST check for this condition and close the iSCSI TCP connection if it occurs. Reported-by: Tejas Vaykole Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 4b71e348b5e49ab1f43319b390c64bd97bfb958b Author: Nicholas Bellinger Date: Thu Jun 12 12:45:02 2014 -0700 target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream. This patch fixes a NULL pointer dereference regression bug that was introduced with: commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c Author: Mikulas Patocka Date: Sat May 17 06:49:22 2014 -0400 target: fix memory leak on XCOPY Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is called with a valid se_cmd->cmd_kref, a NULL pointer dereference is triggered because the XCOPY passthrough commands don't have an associated se_session pointer. To address this bug, go ahead and checking for a NULL se_sess pointer within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd() to release the XCOPY's xcopy_pt_cmd memory. Reported-by: Thomas Glanzmann Cc: Thomas Glanzmann Cc: Mikulas Patocka Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 5802b6a0e257b54656bf1f776b3ff48e006c7239 Author: Boris BREZILLON Date: Fri Jun 6 14:36:09 2014 -0700 rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq commit 2fe121e1f5aa3bf31b418a9790db6c400e922291 upstream. The rtc user must wait at least 1 sec between each time/calandar update (see atmel's datasheet chapter "Updating Time/Calendar"). Use the 1Hz interrupt to update the at91_rtc_upd_rdy flag and wait for the at91_rtc_wait_upd_rdy event if the rtc is not ready. This patch fixes a deadlock in an uninterruptible wait when the RTC is updated more than once every second. AFAICT the bug is here from the beginning, but I think we should at least backport this fix to 3.10 and the following longterm and stable releases. Signed-off-by: Boris BREZILLON Reported-by: Bryan Evenson Tested-by: Bryan Evenson Cc: Andrew Victor Cc: Nicolas Ferre Cc: Jean-Christophe Plagniol-Villard Cc: Alessandro Zummo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman