Commit Graph

349801 Commits

Author SHA1 Message Date
Matthew Daley 7d5145d8eb xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07 23:29:28 -05:00
Ian Campbell 48856286b6 xen/netback: shutdown the ring if it contains garbage.
A buggy or malicious frontend should not be able to confuse netback.
If we spot anything which is not as it should be then shutdown the
device and don't try to continue with the ring in a potentially
hostile state. Well behaved and non-hostile frontends will not be
penalised.

As well as making the existing checks for such errors fatal also add a
new check that ensures that there isn't an insane number of requests
on the ring (i.e. more than would fit in the ring). If the ring
contains garbage then previously is was possible to loop over this
insane number, getting an error each time and therefore not generating
any more pending requests and therefore not exiting the loop in
xen_netbk_tx_build_gops for an externded period.

Also turn various netdev_dbg calls which no precipitate a fatal error
into netdev_err, they are rate limited because the device is shutdown
afterwards.

This fixes at least one known DoS/softlockup of the backend domain.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07 23:29:28 -05:00
Linus Torvalds 124b69b6cc Obviously I forgot to push this before linux.conf.au...
Thanks,
 Rusty.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJREv9NAAoJENkgDmzRrbjxQgcP/jHYPMo6FIC3/3c0TiUET303
 4W3VRP6XQa2QkPnD30ZAc1aadX+ztsGEbW+g3HF2tJXR4jxL2SQzoHSrHWyBwK9l
 3kAUF29amHT++CBIiRTIykcUWuQbjivTM+vply/xMdAO+jXKm9JcrGbuNrM+lT0v
 GozKhGe1c0C4nvy5ifbttTHYfpBncsBtOPjid6NEbGqr9awWIMZL1LQ6FkR8CpfF
 3ANG2q4YPmqi2t7L4rN5UDCu305PVE85tn85XjEBiU/vW257e8OlXkA+9OmOvgYa
 Wp4HjWEUok6a4XO7yhNxBXNEofL2LTqT+n7xEKxf0S7HtIb5nI1C8v7xCrgWRalU
 wXKbSj+KFKPkQQGO4dRNZ0hZqfoHsqZ9Z/yx8RmT9StPc8Eb7Hvx8KuoVCJSc5mj
 Eb2zrdZWZGXDvwoBHkNv8cXrdq9aIe3jORcCA4QVJ3QXqnPXMU2AItDha1jmC3Ur
 CUDOZU+6IdzNRlaH5zXI2PaplY4l5SuB/BKyAsDJ/47kpeN/JpvXQHK/DpgOnYQl
 4PvThZQVAt3xfZO3STMXL9wGl9J7ktnf/IuFFlt0+2M2QnP/ZOm+pxL+AlmViUn+
 8BzmGkCgBxvxlINN5wAKGjpKaSdPIaIqfDoFHbxcHJqIAsCxvGEg9mmpwZREMbXr
 aBIw3O9hZBdG+qvkBoO8
 =msXl
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

Pull virtio fix from Rusty Russell:
 "Obviously I forgot to push this before linux.conf.au..."

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
  virtio_console: Don't access uninitialized data.
2013-02-08 12:22:30 +11:00
Linus Torvalds bb5204c2eb IB regression fixes for 3.8:
- Fix mlx4 VFs not working on old guests because of 64B CQE changes
  - Fix ill-considered sparse fix for qib
  - Fix IPoIB crash due to skb double destruct introduced in 3.8-rc1
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABCAAGBQJREutcAAoJEENa44ZhAt0hjFwP/3SCQr/eboXyJV9GBlmbU9y2
 X7t6JS1n9R5KxBj54XBL8ZA7qcaw7rQj8VgPC4qlMWTR1/fXHsrtiRtQU1VMBcBP
 Eh50iE5BEq4kpK93IYZZei+I7J/0O1Hpj1JwUuvGr7/hQltMWXItuPTlO4Ror5Kk
 Vvu/waQh9DDp1uQRSPbSqAhEx7cGbl27UT7BLPqszVla59GA8UOUcfit8I9CyTmk
 ySP2zrDC7JtPoOPYy6w32K4NSjp3KTR4EHWX0G3t/b0LvwEHARwQZ3RI4ZjNMqLl
 mtKfqaYjqCeSlaT6MAODlN0aTp38GFAU0RaGePL5GurxQExwGnVZfTRUJDkNGTGO
 vPDq6+L6XwPHgYTs1knafs3OT24nwv/vzZ/SLV7gcssbxdL8Cru16E4CO3Vpryrl
 5B0w2+ld+L1lw/m4rSuqzQYpS6NpW35ATKzMhQNwk9cLCLNCOqv247WDvhBZDnpV
 lhLQ+RGs6DK7CQQ8w4rYLFBVk+1kPlZYILV0Rjni6vv7w9S/byVrshqE8eIkQwqE
 BEl0gMc83VZj5WH5s5MJEx+T5H2lZ80rIDKuamSz7wEduXWWENEqj5k7mBHa66Sn
 0aHcrXDe26Cj1TUCGbrgeFPMlucVAK+fSjvEzZrzQwxLspnKXlFw5v0DvqmTqBok
 hO0iE4ajfXl9RfIC7KrK
 =bmKU
 -----END PGP SIGNATURE-----

Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband

Pull IB regression fixes from Roland Dreier:

 - Fix mlx4 VFs not working on old guests because of 64B CQE changes

 - Fix ill-considered sparse fix for qib

 - Fix IPoIB crash due to skb double destruct introduced in 3.8-rc1

* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/qib: Fix for broken sparse warning fix
  mlx4_core: Fix advertisement of wrong PF context behaviour
  IPoIB: Fix crash due to skb double destruct
2013-02-08 12:15:14 +11:00
Linus Torvalds 8d19514fad Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
 "We've got corner cases for updating i_size that ceph was hitting,
  error handling for quotas when we run out of space, a very subtle
  snapshot deletion race, a crash while removing devices, and one
  deadlock between subvolume creation and the sb_internal code (thanks
  lockdep)."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: move d_instantiate outside the transaction during mksubvol
  Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata
  Btrfs: fix possible stale data exposure
  Btrfs: fix missing i_size update
  Btrfs: fix race between snapshot deletion and getting inode
  Btrfs: fix missing release of the space/qgroup reservation in start_transaction()
  Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write()
  Btrfs: do not merge logged extents if we've removed them from the tree
  btrfs: don't try to notify udev about missing devices
2013-02-08 12:06:46 +11:00
Linus Torvalds 95436adaa0 Late pinctrl fixes. Luckily just two patches:
- Exynos Kconfig fixup
 - SIRF DT translation bug
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.10 (GNU/Linux)
 
 iQIcBAABAgAGBQJREtLpAAoJEEEQszewGV1zXEMQALKGMnrNhcKF8W6MM3YiqxIz
 XhvrjrY+tebEX2g/jg7Jb/JIToaZplS1F7Thla2Tpkd7mcg792E7tRC98tnxSLBl
 aVOS7frSoMrCzrM8VUeVC6uW4qNV5mUrKTuoVGRAYZqhxt4Znfxw+LAYRqjUXmtL
 OrVTKJrUzvTLD1WvbNWyvZH/Jg2EmoyQcRy+YLXu3gxi6vXIbSA/sRa7ynCkAdxE
 VO098vpwfTSxr0kHafOOZJsJwdedMJvyYWyfKkLUtWOe/jibT8QwpAWCMAVxzbxu
 q7gKIZK7EBu3f9NlcO+9ue4QRspqFxWrtFSPzLMPRoK0sinPjQYDFILiLF+fAcBO
 NI2TnPx6w+/eiXMWvmT+2X9xcbiqDH6kicKRAGsypJVdQS7Q/VVuUivYzA2B8ebo
 zx0qlG+SQlx4X409JyGO8xmtV9SxM4h4b7qP2Rjik26FA9UkapyKaC/MaOwEvLSR
 TyqqXSs/ZrE+GM3R98ql/0fZbFf4ZY5LqdPrhi3Lh9m1TqpX8U7NzcbAmYZC7cnt
 9IT/z7ZTelYOKDJKX4rKSbyApWqH2KlW7LqBj4NdOzAeucLMParZtdkjFMLmk2Wd
 TVVtsw23e/whiHjok5BgA+55BtRbHERjR4nC/GGaxB6HMdV8LQni3TL225XmbKmA
 JkkmEQR6koEtVh2+8IFm
 =e21G
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull late pinctrl fixes from Linus Walleij:
 "Two patches appeared as of late, one was completely news to me, the
  other one was rotated in -next for the next merge window but turned
  out to be a showstopper.

   - Exynos Kconfig fixup
   - SIRF DT translation bug"

* tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: sirf: replace of_gpio_simple_xlate by sirf specific of_xlate
  pinctrl: exynos: change PINCTRL_EXYNOS option
2013-02-08 12:00:44 +11:00
Linus Torvalds a04521ab80 Two fixes:
- Fix an IRQ allocation where we only check for a specific error (-1).
  - CVE-2013-0231 / XSA-43. Make xen-pciback rate limit error messages from xen_pcibk_enable_msi{,x}()
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQEcBAABAgAGBQJREocJAAoJEFjIrFwIi8fJJEMIAIDgSoSXCmKIpL5tx9gqjOVY
 tINOuotRP1fYRMNLtQUVWL/cLrZ3MK/t49ae7Vx9HAbvggAgQV6GSytSDop5umtY
 W/XZIizBXwRv749IliEbCO/N7t1Ithvkl1C6UHJ40u2R1qDeboGqE9YT+31YtRtg
 yXWtlPu3HZzx3xJAsoERt8AtSILklFhTrZ+lW69Et2M1vTJFQ0DFz/Ch5oLEuYy0
 Vkj/wBwte/J4Bfm8ClroskKg8STkIKPg44pe1VuoomMzO2tNNh4gT0aOdbSdvcEa
 dhWqlVxXuChAgt/NpznLcpdiv6CsxdQ5u1AwGL3ALs8bNdZ2MRP/HzsOfZ89ZPw=
 =pL4V
 -----END PGP SIGNATURE-----

Merge tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

Pull Xen fixes from Konrad Rzeszutek Wilk:
 "This has two fixes.  One is a security fix wherein we would spam the
  kernel printk buffer if one of the guests was misbehaving.  The other
  is much tamer and it was us only checking for one type of error from
  the IRQ subsystem (when allocating new IRQs) instead of for all of
  them.

   - Fix an IRQ allocation where we only check for a specific error (-1).
   - CVE-2013-0231 / XSA-43.  Make xen-pciback rate limit error messages
     from xen_pcibk_enable_msi{,x}()"

* tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen: fix error handling path if xen_allocate_irq_dynamic fails
  xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()
2013-02-08 11:55:27 +11:00
Linus Torvalds 3227e04e21 regulator: Fixes for v3.8-rc7
Mostly driver specific fixes here, though one of them uncovered the
 issue Stephen Warren fixed with multiple OF matches getting upset due to
 a lack of cleanup.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJRElLlAAoJELSic+t+oim9puEP/ApGVWBrkh/YCD0MjGNx0Ovi
 xJ45rByfhXmPbFa5HP21/bh/p17TMwMrmdxqMlY1dpxXhb7wsTB2D8z6uVvhPLvt
 QuYphS5tqER/7KuFY6hpKy/DVJpIbIx0kcxQWAZ+hkOawwAEpi/rv36NYgRQPc8v
 vBdoeuS8dj5PMHQyWZu0HvVVX2s4wB7sDMHfrpaW6mfzPT1AncDEksnsE5Yr8pba
 NPQHQ4bo6Jd7EkOUoP5VLLj6e63RdLyVockiRZHrvx8q2BXrGBHhHE634VqVNAu5
 wznAPv7nfj4S1OJxguBao3dYfvyfXuVx8/A7qfnO2DgmFd+9DNdzcKxK4EyMq9Uh
 Lb/6D4SA3KmIeWMZ+aVf7nz/UdSYQnj3qgJHnk5G8wM7LVsUIC23l2g2ZvCppEi+
 iarpB86jJfSqNRiRaDf+UGgNHgeqAMJTtO++aUKgDwuJtx3TgKMW+Ek3VsSuLVLT
 zJHwH1Ounr++gK288dTgMT3fNb0mgE+kgkV9MzaGbceLfmkD8rEL8JsPQnV2YV+K
 0BU7oEC1sqzM2KdDryu+L4DtjCQkeq/eTSz9vFRZVovaCMRxJ9ygWQwd0ytloe1A
 mBRBVJ69p2LPitkQL8ALU9P65Cj57ermmzeYtUSRA5ySYue2VDED73ZBFuWI8kte
 v5xAyCuv1MFLJUAwXjOv
 =JgF9
 -----END PGP SIGNATURE-----

Merge tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "Mostly driver specific fixes here, though one of them uncovered the
  issue Stephen Warren fixed with multiple OF matches getting upset due
  to a lack of cleanup."

* tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: s2mps11: fix incorrect register for buck10
  regulator: clear state each invocation of of_regulator_match
  regulator: max8997: Fix using wrong dev argument at various places
  regulator: max77686: Fix using wrong dev argument at various places
  regulator: max8907: Fix using wrong dev argument for calling of_regulator_match
  regulator: max8998: fix incorrect min_uV value for ldo10
  regulator: tps65910: Fix using wrong dev argument for calling of_regulator_match
  regulator: tps65217: Fix using wrong dev argument for calling of_regulator_match
2013-02-08 11:52:53 +11:00
Daniel Vetter ff7c60c580 drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try
This fixes up

commit e8e89622ed
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Tue Dec 18 22:25:11 2012 +0100

    drm/ttm: fix fence locking in ttm_buffer_object_transfer

which leaves behind a might_sleep in atomic context, since the
fence_lock spinlock is held over a kmalloc(GFP_KERNEL) call. The fix
is to revert the above commit and only take the lock where we need it,
around the call to ->sync_obj_ref.

v2: Fixup things noticed by Maarten Lankhorst:
- Brown paper bag locking bug.
- No need for kzalloc if we clear the entire thing on the next line.
- check for bo->sync_obj (totally unlikely race, but still someone
  else could have snuck in) and clear fbo->sync_obj if it's cleared
  already.

Reported-by: Dave Airlie <airlied@gmail.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-02-08 10:44:31 +10:00
Johannes Berg d601cd8d95 mac80211: fix managed mode channel context use
My commit f2d9d270c1
("mac80211: support VHT association") introduced a
very stupid bug: the loop to downgrade the channel
width never attempted to actually use it again so
it would downgrade all the way to 20_NOHT. Fix it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-02-07 20:56:01 +01:00
Kees Cook e575a86fdc x86: Do not leak kernel page mapping locations
Without this patch, it is trivial to determine kernel page
mappings by examining the error code reported to dmesg[1].
Instead, declare the entire kernel memory space as a violation
of a present page.

Additionally, since show_unhandled_signals is enabled by
default, switch branch hinting to the more realistic
expectation, and unobfuscate the setting of the PF_PROT bit to
improve readability.

[1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/

Reported-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Suggested-by: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Acked-by: H. Peter Anvin <hpa@zytor.com>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/20130207174413.GA12485@www.outflux.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2013-02-07 19:57:44 +01:00
YOSHIFUJI Hideaki / 吉藤英明 edb27228db netfilter: ip6t_NPT: Ensure to check lower part of prefixes are zero
RFC 6296 points that address bits that are not part of the prefix
has to be zeroed.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-02-07 18:40:27 +01:00
YOSHIFUJI Hideaki / 吉藤英明 d4c38fa87d netfilter: ip6t_NPT: Fix prefix mangling
Make sure only the bits that are part of the prefix are mangled.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-02-07 18:40:26 +01:00
YOSHIFUJI Hideaki / 吉藤英明 f5271fff56 netfilter: ip6t_NPT: Fix adjustment calculation
Cast __wsum from/to __sum16 is wrong.  Instead, apply appropriate
conversion function: csum_unfold() or csum_fold().

[ The original patch has been modified to undo the final ~ that
  csum_fold returns. We only need to fold the 32-bit word that
  results from the checksum calculation into a 16-bit to ensure
  that the original subnet is restored appropriately. Spotted by
  Ulrich Weber. ]

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-02-07 18:37:41 +01:00
Sjur Brændeland aded024a12 virtio_console: Don't access uninitialized data.
Don't access uninitialized work-queue when removing device.
The work queue is initialized only if the device multi-queue.
So don't call cancel_work unless this is a multi-queue device.

This fixes the following panic:

Kernel panic - not syncing: BUG!
Call Trace:
62031b28:  [<6026085d>] panic+0x16b/0x2d3
62031b30:  [<6004ef5e>] flush_work+0x0/0x1d7
62031b60:  [<602606f2>] panic+0x0/0x2d3
62031b68:  [<600333b0>] memcpy+0x0/0x140
62031b80:  [<6002d58a>] unblock_signals+0x0/0x84
62031ba0:  [<602609c5>] printk+0x0/0xa0
62031bd8:  [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148
62031c10:  [<6004ef5e>] flush_work+0x0/0x1d7
62031c18:  [<60050234>] try_to_grab_pending+0x0/0x17e
62031c38:  [<6004e984>] get_work_gcwq+0x71/0x8f
62031c48:  [<60050539>] __cancel_work_timer+0x5b/0x115
62031c78:  [<628acc85>] unplug_port+0x0/0x191 [virtio_console]
62031c98:  [<6005061c>] cancel_work_sync+0x12/0x14
62031ca8:  [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console]
62031ce8:  [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio]
62031d08:  [<601cf242>] __device_release_driver+0x75/0xe4
62031d28:  [<601cf2dd>] device_release_driver+0x2c/0x40
62031d48:  [<601ce0dd>] driver_unbind+0x7d/0xc6
62031d88:  [<601cd5d9>] drv_attr_store+0x27/0x29
62031d98:  [<60115f61>] sysfs_write_file+0x100/0x14d
62031df8:  [<600b737d>] vfs_write+0xcb/0x184
62031e08:  [<600b58b8>] filp_close+0x88/0x94
62031e38:  [<600b7686>] sys_write+0x59/0x88
62031e88:  [<6001ced1>] handle_syscall+0x5d/0x80
62031ea8:  [<60030a74>] userspace+0x405/0x531
62031f08:  [<600d32cc>] sys_dup+0x0/0x5e
62031f28:  [<601b11d6>] strcpy+0x0/0x18
62031f38:  [<600be46c>] do_execve+0x10/0x12
62031f48:  [<600184c7>] run_init_process+0x43/0x45
62031fd8:  [<60019a91>] new_thread_handler+0xba/0xbc

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Cc: stable@kernel.org
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2013-02-07 11:37:37 +10:30
H. Peter Anvin bb9b1a834f Retract MCE-specific UAPI exports which are unused and shouldn't be
used.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJQ7XZeAAoJEBLB8Bhh3lVKzAAQAKJPmNM4jK3o7QixkySFOKAN
 GKDmciwBCSLDvhDU5bXSKEzhxaWq+/Wp8aTy0u28TUtIq+Dnya8+9xAMZqe56lNv
 slBNk1N2IIJBqZoul1FCY7MyBnss19nh2h/jN9PChcY9dGpgkRnKc3rkjjy4UJ10
 YibUm/wLuzNGCskt6nGO4uVSDXyv5W6PCnpOb6IW5KFywHE0ojsVwZQM5Vnakjrd
 vsyicHHaIXSnRtyDWGZSX4JxY7HDK7+v03OHNvO3FtFzNjTJ8r1qU7LVbC1yBPP6
 uFN+piBUYn6q6Gsy67H1FcufGTz0IzFwyx/akW1MkgdN4FggrLiFf0a10Fh0Dx3s
 jd2tuCv72rfOQUZAYg9kobHk1NecCZt0Wt3NWul3WjZHZC35nFgznnUiznAPhoCI
 /sBKE2VQt0CejigNTIEpaToc/kHuQy3RzmMphknROEehXdm79TqdirNNHKrDkYug
 U9SV4nsOaRFcSZDPXK52xFIEb9Uc90zSWqNblhBRXt7sBC34EqZk95jYDgOrZxHQ
 v8iNieYgOezXzIyyUAHC7dlIUbkHlBsPG+8eEoWFcvOBI3UbGvOv3abMO18yBZqr
 28An+v8pMsT9Q5sUwHFwvblD/vDaj/NIO0OP+y40Z96KnXz8Cm4mpkzBvBdVVxUs
 cmaDId47QRqdvIW2mBZZ
 =2Zr4
 -----END PGP SIGNATURE-----

Merge tag 'ras_for_3.8' into x86/urgent

Retract MCE-specific UAPI exports which are unused and shouldn't be
used.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
2013-02-06 14:18:53 -08:00
Linus Torvalds 6bacaa9dda Sound fixes for 3.8-rc7
Just a couple of build regression fixes for ASoC fsl stuff.
 It doesn't look too trivial, but neither intrusive, so hopefully I can
 avoid your curse...
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJREpMVAAoJEGwxgFQ9KSmkv6kQALfUxqUWVb0RAYqd36Wp2SIx
 HqXw11vvDM6Wc91Prrj9a1q5J/M4RMZXfLqdgB4Zdt5q9Fyvrwi7hSO1lkGsEL1T
 hpAkBLxIGlnFr+RT60J7zBvca1RZfi6hebrSzJAfOi4u88LFcKgiGzm96CvbLAsg
 3F4+hsKVrWOfNmwZNLD85oW+me66A2TWLhBsSyeoSY/S+b1HtLNGDszURjB1WpwE
 SF2AkjoWI9oQdS3juMt31Slt3XufHU2JBU/Jqhq/iyHiM70mI4gS/NuvMmG7kNKS
 4+KdDFkB/wDfkL2wLHqvzlCzRw5QoHr1EhjzP4+BmIEyPiMEXe4ft4/mQFSVGMsi
 PFlzI44Oaq57dnEDbVrVYHZ7kBFxoqoLJb753uI5bL2hQvFfRRV3RdCJC3hPzzaX
 jjDK1jPyn4dDV6sVVkYpz3OXrwKhHFldJ9vvBwx2J6+XSp1TY7U9/UUO5OUTjPum
 RQNjtobYcRVtCJsFkb790N7uInT3oO0e6qiMNzRZtYnZfLXf8mFcM0Qu1N55/i64
 ocH6bZTvkxrAakMvbn8c8iEuicz7i3AgVBclek/8stb1RRuAqjTzxbvZQmnYCV5S
 0ESccRWKPw7bHPk7wyhXgTw7GMXSlsaC4WI9O7y2CK73BhQJOH1gpSAMrhpY9rOm
 0keeiokI1/r0pk7R8WRN
 =zsuc
 -----END PGP SIGNATURE-----

Merge tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Just a couple of build regression fixes for ASoC fsl stuff.  It
  doesn't look too trivial, but neither intrusive, so hopefully I can
  avoid your curse..."

Hey, Takashi has a good track record, I think he gets a pass..

* tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: fsl: fix snd-soc-imx-pcm module build
  Revert "ASoC: fsl: fix multiple definition of init_module"
2013-02-07 08:43:30 +11:00
Linus Torvalds 2110cf029a Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block layer updates from Jens Axboe:
 "I've got a few bits pending for 3.8 final, that I better get sent out.
  It's all been sitting for a while, I consider it safe.

  It contains:

   - Two bug fixes for mtip32xx, fixing a driver hang and a crash.

   - A few-liner protocol error fix for drbd.

   - A few fixes for the xen block front/back driver, fixing a potential
     data corruption issue.

   - A race fix for disk_clear_events(), causing spurious warnings.  Out
     of the Chrome OS base.

   - A deadlock fix for disk_clear_events(), moving it to the a
     unfreezable workqueue.  Also from the Chrome OS base."

* 'for-linus' of git://git.kernel.dk/linux-block:
  drbd: fix potential protocol error and resulting disconnect/reconnect
  mtip32xx: fix for crash when the device surprise removed during rebuild
  mtip32xx: fix for driver hang after a command timeout
  block: prevent race/cleanup
  block: remove deadlock in disk_clear_events
  xen-blkfront: handle bvecs with partial data
  llist/xen-blkfront: implement safe version of llist_for_each_entry
  xen-blkback: implement safe iterator for the list of persistent grants
2013-02-07 08:38:33 +11:00
Bjørn Mork e21b9d031f net: qmi_wwan: add more Huawei devices, including E320
Adding new class/subclass/protocol combinations based on the GPLed
out-of-tree Huawei driver. One of these has already appeared on a
device labelled as "E320".

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-06 16:09:40 -05:00
Bjørn Mork 96316c5956 net: cdc_ncm: add another Huawei vendor specific device
Adding a new vendor specific class/subclass/protocol combination
for CDC NCM devices based on information from a GPLed out-of-tree
driver from Huawei.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-06 16:09:40 -05:00
Tommi Rantala 41ab3e31bd ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()
ip6gre_tunnel_xmit() is leaking the skb when we hit this error branch,
and the -1 return value from this function is bogus. Use the error
handling we already have in place in ip6gre_tunnel_xmit() for this error
case to fix this.

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-06 16:02:05 -05:00
Ilpo Järvinen 6731d2095b tcp: fix for zero packets_in_flight was too broad
There are transients during normal FRTO procedure during which
the packets_in_flight can go to zero between write_queue state
updates and firing the resulting segments out. As FRTO processing
occurs during that window the check must be more precise to
not match "spuriously" :-). More specificly, e.g., when
packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic
branch that set cwnd into zero would not be taken and new segments
might be sent out later.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Tested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-06 15:53:03 -05:00
David S. Miller b6ec447df9 Merge branch 'wireless'
John W. Linville says:

====================
Please consider this pull request for the 3.8 stream...

Included is a bluetooth pull.  Gustavo says:

"Two simple fixes for 3.8. One of the patches fixes a situation
where the connection wasn't terminated if a timeout ocurrs for LE
an SCO connections.  The other fixes prevent NULL dereference in the
SMP code, it is a security fix as well."

Along with those...

Hauke Mehrtens provides a couple of ssb and bcma bus fixes that
prevent oopses when unloading those modules.

Larry Finger provides and rtlwifi fix to avoid a "scheduling while
atomic" bug.

Last but certainly not least, Arend van Spriel bring a brcmsmac fix that
reworks the mac80211 .flush() callback in order to avoid the dreaded
brcms_c_wait_for_tx_completion warnings.  This one looks a little
large, but I think it is safe and isolated to brcmsmac in any case.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-06 14:51:14 -05:00
John W. Linville b3b66ae4c8 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-02-06 13:55:44 -05:00
Chris Mason 1a65e24b0b Btrfs: move d_instantiate outside the transaction during mksubvol
Dave Sterba triggered a lockdep complaint about lock ordering
between the sb_internal lock and the cleaner semaphore.

btrfs_lookup_dentry() checks for orphans if we're looking up
the inode for a subvolume, and subvolume creation is triggering
the lookup with a transaction running.

This commit moves the d_instantiate after the transaction closes.

Signed-off-by: Chris Mason <chris.mason@fusionio.com>
2013-02-06 12:11:10 -05:00
Cong Ding 9887dbf5b2 mac80211: fix error in sizeof() usage
Using 'sizeof' on array given as function argument returns
size of a pointer rather than the size of array.

Cc: stable@vger.kernel.org
Signed-off-by: Cong Ding <dinggnu@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-02-06 17:31:55 +01:00
Wei Liu 68ba45ff38 xen: fix error handling path if xen_allocate_irq_dynamic fails
It is possible that the call to xen_allocate_irq_dynamic() returns negative
number other than -1.

Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-02-06 10:32:45 -05:00
Jan Beulich 51ac8893a7 xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()
... as being guest triggerable (e.g. by invoking
XEN_PCI_OP_enable_msi{,x} on a device not being MSI/MSI-X capable).

This is CVE-2013-0231 / XSA-43.

Also make the two messages uniform in both their wording and severity.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-02-06 10:31:08 -05:00
Takashi Iwai 6baa4afa04 Merge branch 'fix/fsl' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus-uncursed
We need this for fixing build error regressions in soc/fsl.
2013-02-06 15:49:07 +01:00
Jan Schmidt eb6b88d92c Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata
When btrfs_qgroup_reserve returned a failure, we were missing a counter
operation for BTRFS_I(inode)->outstanding_extents++, leading to warning
messages about outstanding extents and space_info->bytes_may_use != 0.
Additionally, the error handling code didn't take into account that we
dropped the inode lock which might require more cleanup.

Luckily, all the cleanup code we need is already there and can be shared
with reserve_metadata_bytes, which is exactly what this patch does.

Reported-by: Lev Vainblat <lev@zadarastorage.com>
Signed-off-by: Jan Schmidt <list.btrfs@jan-o-sch.net>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
2013-02-06 09:24:40 -05:00
Mark Brown 53e5da79fa Merge remote-tracking branch 'regulator/fix/tps65910' into tmp 2013-02-06 11:28:53 +00:00
Mark Brown e04702c8b2 Merge remote-tracking branch 'regulator/fix/tps65217' into tmp 2013-02-06 11:28:52 +00:00
Mark Brown 918d623b04 Merge remote-tracking branch 'regulator/fix/s2mps11' into tmp 2013-02-06 11:28:51 +00:00
Mark Brown 44784cb32b Merge remote-tracking branch 'regulator/fix/of' into tmp 2013-02-06 11:28:51 +00:00
Mark Brown 98380536ee Merge remote-tracking branch 'regulator/fix/max8998' into tmp 2013-02-06 11:28:50 +00:00
Mark Brown 3886f91b96 Merge remote-tracking branch 'regulator/fix/max8997' into tmp 2013-02-06 11:28:49 +00:00
Mark Brown c48c43aa2d Merge remote-tracking branch 'regulator/fix/max8907' into tmp 2013-02-06 11:28:48 +00:00
Mark Brown ac58291c75 Merge remote-tracking branch 'regulator/fix/max77686' into tmp 2013-02-06 11:28:48 +00:00
Greg Ungerer e95c3f7a09 m68knommu: fix trap on execing /bin/init
As of commit fea82210 ("m68k: switch to saner kernel_execve() semantics")
the non-mmu m68k targets have trapped on booting. The execing of /bin/init
causes the exec path to try and return through a 0x0 return address - thus
trapping or otherwise hanging or crashing.

The problem isn't in the exec path as such though, but rather in the
m68knommu start_thread() macro. It is trying to clear the a6 register that
it assumes is part of a struct switch_stack below the thread registers on
our stack. But that is not what the stack frames look like when this is run.
So it ends up corrupting our call stack and zeroing out a function return
address that is sitting there.

The clearing of a6 was introduced many years ago in commit 7bf9a37d8d
("m68knommu: force stack alignment on ColdFire"). It used to work because
the kernel init exec code path had a short cut back to the exception return
code, and it didn't need to return through the calls on the stack.

Signed-off-by: Greg Ungerer <gerg@uclinux.org>
2013-02-06 11:13:23 +10:00
Daniel Borkmann 4b47bc9a9e ipvs: sctp: fix checksumming on snat and dnat handlers
In our test lab, we have a simple SCTP client connecting to a SCTP
server via an IPVS load balancer. On some machines, load balancing
works, but on others the initial handshake just fails, thus no
SCTP connection whatsoever can be established!

We observed that the SCTP INIT-ACK handshake reply from the IPVS
machine to the client had a correct IP checksum, but corrupt SCTP
checksum when forwarded, thus on the client-side the packet was
dropped and an intial handshake retriggered until all attempts
run into the void.

To fix this issue, this patch i) adds a missing CHECKSUM_UNNECESSARY
after the full checksum (re-)calculation (as done in IPVS TCP and UDP
code as well), ii) calculates the checksum in little-endian format
(as fixed with the SCTP code in commit 4458f04c: sctp: Clean up sctp
checksumming code) and iii) refactors duplicate checksum code into a
common function. Tested by myself.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
2013-02-06 09:56:50 +09:00
Chris Mason 24f8ebe918 Merge git://git.kernel.org/pub/scm/linux/kernel/git/josef/btrfs-next.git for-chris into for-linus 2013-02-05 19:24:44 -05:00
Linus Torvalds 1589a3e777 Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media fixes from Mauro Carvalho Chehab:
 "For a regression fix on a few radio drivers that were preventing radio
  TX to work on those devices"

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] radio: set vfl_dir correctly to fix modulator regression
2013-02-06 08:36:12 +11:00
Linus Torvalds 0f632118a1 USB fixes for 3.8-rc6
Here are a few tiny USB fixes for 3.8-rc6.
 
 Nothing major here, some host controller bug fixes to resolve a number
 of bugs that people have reported, and a bunch of additional device ids
 are added to a number of drivers (which caused code to be deleted from
 the usb-storage driver, always nice.)
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iEYEABECAAYFAlERRT4ACgkQMUfUDdst+ylxAQCghY23x/0vT9oCsrWZzKeOFOMB
 J64AoNjVngpCpIcmh/yk1tgjSRSQu3dn
 =p4nA
 -----END PGP SIGNATURE-----

Merge tag 'usb-3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg Kroah-Hartman:
 "Here are a few tiny USB fixes for 3.8-rc6.

  Nothing major here, some host controller bug fixes to resolve a number
  of bugs that people have reported, and a bunch of additional device
  ids are added to a number of drivers (which caused code to be deleted
  from the usb-storage driver, always nice)"

* tag 'usb-3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (22 commits)
  USB: storage: optimize to match the Huawei USB storage devices and support new switch command
  USB: storage: Define a new macro for USB storage match rules
  USB: ftdi_sio: add Zolix FTDI PID
  USB: option: add Changhong CH690
  USB: ftdi_sio: add PID/VID entries for ELV WS 300 PC II
  USB: add OWL CM-160 support to cp210x driver
  USB: EHCI: fix bug in scheduling periodic split transfers
  USB: EHCI: fix for leaking isochronous data
  USB: option: add support for Telit LE920
  USB: qcserial: add Telit Gobi QDL device
  USB: EHCI: fix timer bug affecting port resume
  USB: UHCI: notify usbcore about port resumes
  USB: EHCI: notify usbcore about port resumes
  USB: add usb_hcd_{start,end}_port_resume
  USB: EHCI: unlink one async QH at a time
  USB: EHCI: remove ASS/PSS polling timeout
  usb: Using correct way to clear usb3.0 device's remote wakeup feature.
  usb: Prevent dead ports when xhci is not enabled
  USB: XHCI: fix memory leak of URB-private data
  drivers: xhci: fix incorrect bit test
  ...
2013-02-06 08:32:32 +11:00
Linus Torvalds 85e28c76e2 Merge branch 'fixes-for-v3.8-rc7' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping
Pull DMA mapping fixes from Marek Szyprowski:
 "This pull request contains important bugfix patches for 9
  architectures, which finally fixes broken allmodconfig builds
  introduced in v3.8-rc1.  Those architectures don't use dma_map_ops
  based implementation and require manual update or additional dummy
  implementations of the missing new dma-mapping api functions:
  dma_mmap_coherent and dma_get_sgtable."

* 'fixes-for-v3.8-rc7' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping:
  xtensa: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  parisc: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  mn10300: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  m68k: Provide dma_mmap_coherent() and dma_get_sgtable()
  frv: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  cris: Provide dma_mmap_coherent() and dma_get_sgtable()
  c6x: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  blackfin: Provide dma_mmap_coherent() and dma_get_sgtable()
  avr32: Provide dma_mmap_coherent() and dma_get_sgtable()
2013-02-06 08:23:47 +11:00
Josef Bacik 59fe4f4197 Btrfs: fix possible stale data exposure
We specifically do not update the disk i_size if there are ordered extents
outstanding for any area between the current disk_i_size and our ordered
extent so that we do not expose stale data.  The problem is the check we
have only checks if the ordered extent starts at or after the current
disk_i_size, which doesn't take into account an ordered extent that starts
before the current disk_i_size and ends past the disk_i_size.  Fix this by
checking if the extent ends past the disk_i_size.  Thanks,

Signed-off-by: Josef Bacik <jbacik@fusionio.com>
2013-02-05 16:09:16 -05:00
Josef Bacik 5d1f40202b Btrfs: fix missing i_size update
If we have an ordered extent before the ordered extent we are currently
completing that is after the current disk_i_size we will put our i_size
update into that ordered extent so that we do not expose stale data.  The
problem is that if our disk i_size is updated past the previous ordered
extent we won't update the i_size with the pending i_size update.  So check
the pending i_size update and if its above the current disk i_size we need
to go ahead and try to update.  Thanks,

Signed-off-by: Josef Bacik <jbacik@fusionio.com>
2013-02-05 16:09:14 -05:00
Liu Bo 6f1c36055f Btrfs: fix race between snapshot deletion and getting inode
While running snapshot testscript created by Mitch and David,
the race between autodefrag and snapshot deletion can lead to
corruption of dead_root list so that we can get crash on
btrfs_clean_old_snapshots().

And besides autodefrag, scrub also does the same thing, ie. read
root first and get inode.

Here is the story(take autodefrag as an example):
(1) when we delete a snapshot or subvolume, it will set its root's
refs to zero and do a iput() on its own inode, and if this inode happens
to be the only active in-meory one in root's inode rbtree, it will add
itself to the global dead_roots list for later cleanup.

(2) after (1), the autodefrag thread may read another inode for defrag
and the inode is just in the deleted snapshot/subvolume, but all of these
are without checking if the root is still valid(refs > 0).  So the end up
result is adding the deleted snapshot/subvolume's root to the global
dead_roots list AGAIN.

Fortunately, we already have a srcu lock to avoid the race, ie. subvol_srcu.

So all we need to do is to take the lock to protect 'read root and get inode',
since we synchronize to wait for the rcu grace period before adding something
to the global dead_roots list.

Reported-by: Mitch Harder <mitch.harder@sabayonlinux.org>
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
2013-02-05 16:09:13 -05:00
Miao Xie 843fcf3573 Btrfs: fix missing release of the space/qgroup reservation in start_transaction()
When we fail to start a transaction, we need to release the reserved free space
and qgroup space, fix it.

Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Reviewed-by: Jan Schmidt <list.btrfs@jan-o-sch.net>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
2013-02-05 16:09:11 -05:00
Miao Xie 0a3404dcff Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write()
If the checks at the beginning of btrfs_file_aio_write() fail, we needn't
decrease ->sync_writers, because we have not increased it. Fix it.

Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
2013-02-05 16:09:10 -05:00
Josef Bacik 222c81dc38 Btrfs: do not merge logged extents if we've removed them from the tree
You can run into this problem where if somebody is fsyncing and writing out
the existing extents you will have removed the extent map from the em tree,
but it's still valid for the current fsync so we go ahead and write it.  The
problem is we unconditionally try to merge it back into the em tree, but if
we've removed it from the em tree that will cause use after free problems.
Fix this to only merge if we are still a part of the tree.  Thanks,

Signed-off-by: Josef Bacik <jbacik@fusionio.com>
2013-02-05 16:09:03 -05:00