1. 23 Jul, 2014 5 commits
  2. 21 Jul, 2014 15 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 15ba2236
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Null termination fix in dns_resolver got the pointer dereferncing
          wrong, fix from Ben Hutchings.
      
       2) ip_options_compile() has a benign but real buffer overflow when
          parsing options.  From Eric Dumazet.
      
       3) Table updates can crash in netfilter's nftables if none of the state
          flags indicate an actual change, from Pablo Neira Ayuso.
      
       4) Fix race in nf_tables dumping, also from Pablo.
      
       5) GRE-GRO support broke the forwarding path because the segmentation
          state was not fully initialized in these paths, from Jerry Chu.
      
       6) sunvnet driver leaks objects and potentially crashes on module
          unload, from Sowmini Varadhan.
      
       7) We can accidently generate the same handle for several u32
          classifier filters, fix from Cong Wang.
      
       8) Several edge case bug fixes in fragment handling in xen-netback,
          from Zoltan Kiss.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (21 commits)
        ipv4: fix buffer overflow in ip_options_compile()
        batman-adv: fix TT VLAN inconsistency on VLAN re-add
        batman-adv: drop QinQ claim frames in bridge loop avoidance
        dns_resolver: Null-terminate the right string
        xen-netback: Fix pointer incrementation to avoid incorrect logging
        xen-netback: Fix releasing header slot on error path
        xen-netback: Fix releasing frag_list skbs in error path
        xen-netback: Fix handling frag_list on grant op error path
        net_sched: avoid generating same handle for u32 filters
        net: huawei_cdc_ncm: add "subclass 3" devices
        net: qmi_wwan: add two Sierra Wireless/Netgear devices
        wan/x25_asy: integer overflow in x25_asy_change_mtu()
        net: ppp: fix creating PPP pass and active filters
        net/mlx4_en: cq->irq_desc wasn't set in legacy EQ's
        sunvnet: clean up objects created in vnet_new() on vnet_exit()
        r8169: Enable RX_MULTI_EN for RTL_GIGA_MAC_VER_40
        net-gre-gro: Fix a bug that breaks the forwarding path
        netfilter: nf_tables: 64bit stats need some extra synchronization
        netfilter: nf_tables: set NLM_F_DUMP_INTR if netlink dumping is stale
        netfilter: nf_tables: safe RCU iteration on list when dumping
        ...
      15ba2236
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 89faa06e
      Linus Torvalds authored
      Pull sparc fix from David Miller:
       "Need to hook up the new renameat2 system call"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Hook up renameat2 syscall.
      89faa06e
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide · 14867719
      Linus Torvalds authored
      Pull IDE fixes from David Miller:
       - fix interrupt registry for some Atari IDE chipsets.
       - adjust Kconfig dependencies for x86_32 specific chips.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide:
        ide: Fix SC1200 dependencies
        ide: Fix CS5520 and CS5530 dependencies
        m68k/atari - ide: do not register interrupt if host->get_lock is set
      14867719
    • Linus Torvalds's avatar
      Merge tag 'trace-fixes-v3.16-rc6' of... · 8dcc3be2
      Linus Torvalds authored
      Merge tag 'trace-fixes-v3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
      
      Pull trace fix from Steven Rostedt:
       "Tony Luck found that using the "uptime" trace clock that uses jiffies
        as a counter was converted to nanoseconds (silly), and after 1 hour 11
        minutes and 34 seconds, this monotonic clock would wrap, causing havoc
        with the tracing system and making the clock useless.
      
        He converted that clock to use jiffies_64 and made it into a counter
        instead of nanosecond conversions, and displayed the clock with the
        straight jiffy count, which works much better than it did in the past"
      
      * tag 'trace-fixes-v3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix wraparound problems in "uptime" trace clock
      8dcc3be2
    • David S. Miller's avatar
      sparc: Hook up renameat2 syscall. · 26053926
      David S. Miller authored
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26053926
    • David S. Miller's avatar
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 850717ef
      David S. Miller authored
      Antonio Quartulli says:
      
      ====================
      pull request [net]: batman-adv 20140721
      
      here you have two fixes that we have been testing for quite some time
      (this is why they arrived a bit late in the rc cycle).
      
      Patch 1) ensures that BLA packets get dropped and not forwarded to the
      mesh even if they reach batman-adv within QinQ frames. Forwarding them
      into the mesh means messing up with the TT database of other nodes which
      can generate all kind of unexpected behaviours during route computation.
      
      Patch 2) avoids a couple of race conditions triggered upon fast VLAN
      deletion-addition. Such race conditions are pretty dangerous because
      they not only create inconsistencies in the TT database of the nodes
      in the network, but such scenario is also unrecoverable (unless
      nodes are rebooted).
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      850717ef
    • Eric Dumazet's avatar
      ipv4: fix buffer overflow in ip_options_compile() · 10ec9472
      Eric Dumazet authored
      There is a benign buffer overflow in ip_options_compile spotted by
      AddressSanitizer[1] :
      
      Its benign because we always can access one extra byte in skb->head
      (because header is followed by struct skb_shared_info), and in this case
      this byte is not even used.
      
      [28504.910798] ==================================================================
      [28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
      [28504.913170] Read of size 1 by thread T15843:
      [28504.914026]  [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
      [28504.915394]  [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
      [28504.916843]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
      [28504.918175]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
      [28504.919490]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
      [28504.920835]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
      [28504.922208]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
      [28504.923459]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
      [28504.924722]
      [28504.925106] Allocated by thread T15843:
      [28504.925815]  [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
      [28504.926884]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
      [28504.927975]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
      [28504.929175]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
      [28504.930400]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
      [28504.931677]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
      [28504.932851]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
      [28504.934018]
      [28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
      [28504.934377]  of 40-byte region [ffff880026382800, ffff880026382828)
      [28504.937144]
      [28504.937474] Memory state around the buggy address:
      [28504.938430]  ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.939884]  ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.941294]  ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.942504]  ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.943483]  ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.945573]                         ^
      [28504.946277]  ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.094949]  ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.096114]  ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.097116]  ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.098472]  ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.099804] Legend:
      [28505.100269]  f - 8 freed bytes
      [28505.100884]  r - 8 redzone bytes
      [28505.101649]  . - 8 allocated bytes
      [28505.102406]  x=1..7 - x allocated bytes + (8-x) redzone bytes
      [28505.103637] ==================================================================
      
      [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernelSigned-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      10ec9472
    • Linus Torvalds's avatar
      Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 67dd8f35
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "A series of driver fixes:
         - fix DVB-S tuning with tda1071
         - fix tuner probe on af9035 when the device has a bad eeprom
         - some fixes for the new si2168/2157 drivers
         - one Kconfig build fix (for omap4iss)
         - fixes at vpif error path
         - don't lock saa7134 ioctl at driver's base core level, as it now
           uses V4L2 and VB2 locking schema
         - fix audio at hdpvr driver
         - fix the aspect ratio at the digital timings table
         - one new USB ID (at gspca_pac7302): Genius i-Look 317 webcam"
      
      * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] gspca_pac7302: Add new usb-id for Genius i-Look 317
        [media] tda10071: fix returned symbol rate calculation
        [media] tda10071: fix spec inversion reporting
        [media] tda10071: add missing DVB-S2/PSK-8 FEC AUTO
        [media] tda10071: force modulation to QPSK on DVB-S
        [media] hdpvr: fix two audio bugs
        [media] davinci: vpif: missing unlocks on error
        [media] af9035: override tuner id when bad value set into eeprom
        [media] saa7134: use unlocked_ioctl instead of ioctl
        [media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio
        [media] si2168: firmware download fix
        [media] si2157: add one missing parenthesis
        [media] si2168: add one missing parenthesis
        [media] staging: tighten omap4iss dependencies
      67dd8f35
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 6890ad4b
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Final block fixes for 3.16
      
        Four small fixes that should go into 3.16, have been queued up for a
        bit and delayed due to vacation and other euro duties.  But here they
        are.  The pull request contains:
      
         - Fix for a reported crash with shared tagging on SCSI from Christoph
      
         - A regression fix for drbd.  From Lars Ellenberg.
      
         - Hooking up the compat ioctl for BLKZEROOUT, which requires no
           translation.  From Mikulas.
      
      - A fix for a regression where we woud crash on queue exit if the
        root_blkg is gone/not there. From Tejun"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        block: provide compat ioctl for BLKZEROOUT
        blkcg: don't call into policy draining if root_blkg is already gone
        drbd: fix regression 'out of mem, failed to invoke fence-peer helper'
        block: don't assume last put of shared tags is for the host
      6890ad4b
    • Linus Torvalds's avatar
      Merge branch 'for-3.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · d6e6c48e
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
       "Late libata fixes.
      
        The most important one is from Kevin Hao which makes sure that libata
        only allocates tags inside the max tag number the controller supports.
        libata always had this problem but the recent tag allocation change
        and addition of support for sata_fsl which only supports queue depth
        of 16 exposed the issue.
      
        Hans de Goede agreed to become the maintainer of libahci_platform
        which is under higher than usual development pressure from all the new
        controllers popping up from the ARM world"
      
      * 'for-3.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode)
        drivers/ata/pata_ep93xx.c: use signed int type for result of platform_get_irq()
        libata: EH should handle AMNF error condition as a media error
        libata: support the ata host which implements a queue depth less than 32
        MAINTAINERS: Add Hans de Goede as ahci-platform maintainer
      d6e6c48e
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 5b2b9d77
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "These are mostly PPC changes for 3.16-new things.  However, there is
        an x86 change too and it is a regression from 3.14.  As it only
        affects nested virtualization and there were other changes in this
        area in 3.16, I am not nominating it for 3.15-stable"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Check for nested events if there is an injectable interrupt
        KVM: PPC: RTAS: Do byte swaps explicitly
        KVM: PPC: Book3S PR: Fix ABIv2 on LE
        KVM: PPC: Assembly functions exported to modules need _GLOBAL_TOC()
        PPC: Add _GLOBAL_TOC for 32bit
        KVM: PPC: BOOK3S: HV: Use base page size when comparing against slb value
        KVM: PPC: Book3E: Unlock mmu_lock when setting caching atttribute
      5b2b9d77
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 80d6191e
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
       "A couple of last minute bug fixes for 3.16, including a fix for ptrace
        to close a hole which allowed a user space program to write to the
        kernel address space"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: fix restore of invalid floating-point-control
        s390/zcrypt: improve device probing for zcrypt adapter cards
        s390/ptrace: fix PSW mask check
        s390/MSI: Use standard mask and unmask funtions
        s390/3270: correct size detection with the read-partition command
        s390: require mvcos facility, not tod clock steering facility
      80d6191e
    • Tony Luck's avatar
      tracing: Fix wraparound problems in "uptime" trace clock · 58d4e21e
      Tony Luck authored
      The "uptime" trace clock added in:
      
          commit 8aacf017
          tracing: Add "uptime" trace clock that uses jiffies
      
      has wraparound problems when the system has been up more
      than 1 hour 11 minutes and 34 seconds. It converts jiffies
      to nanoseconds using:
              (u64)jiffies_to_usecs(jiffy) * 1000ULL
      but since jiffies_to_usecs() only returns a 32-bit value, it
      truncates at 2^32 microseconds.  An additional problem on 32-bit
      systems is that the argument is "unsigned long", so fixing the
      return value only helps until 2^32 jiffies (49.7 days on a HZ=1000
      system).
      
      Avoid these problems by using jiffies_64 as our basis, and
      not converting to nanoseconds (we do convert to clock_t because
      user facing API must not be dependent on internal kernel
      HZ values).
      
      Link: http://lkml.kernel.org/p/99d63c5bfe9b320a3b428d773825a37095bf6a51.1405708254.git.tony.luck@intel.com
      
      Cc: stable@vger.kernel.org # 3.10+
      Fixes: 8aacf017 "tracing: Add "uptime" trace clock that uses jiffies"
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      58d4e21e
    • Antonio Quartulli's avatar
      batman-adv: fix TT VLAN inconsistency on VLAN re-add · 35df3b29
      Antonio Quartulli authored
      When a VLAN interface (on top of batX) is removed and
      re-added within a short timeframe TT does not have enough
      time to properly cleanup. This creates an internal TT state
      mismatch as the newly created softif_vlan will be
      initialized from scratch with a TT client count of zero
      (even if TT entries for this VLAN still exist). The
      resulting TT messages are bogus due to the counter / tt
      client listing mismatch, thus creating inconsistencies on
      every node in the network
      
      To fix this issue destroy_vlan() has to not free the VLAN
      object immediately but it has to be kept alive until all the
      TT entries for this VLAN have been removed. destroy_vlan()
      still removes the sysfs folder so that the user has the
      feeling that everything went fine.
      
      If the same VLAN is re-added before the old object is free'd,
      then the latter is resurrected and re-used.
      
      Implement such behaviour by increasing the reference counter
      of a softif_vlan object every time a new local TT entry for
      such VLAN is created and remove the object from the list
      only when all the TT entries have been destroyed.
      Signed-off-by: default avatarAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      35df3b29
    • Simon Wunderlich's avatar
      batman-adv: drop QinQ claim frames in bridge loop avoidance · d46b6bfa
      Simon Wunderlich authored
      Since bridge loop avoidance only supports untagged or simple 802.1q
      tagged VLAN claim frames, claim frames with stacked VLAN headers (QinQ)
      should be detected and dropped. Transporting the over the mesh may cause
      problems on the receivers, or create bogus entries in the local tt
      tables.
      Reported-by: default avatarAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: default avatarSimon Wunderlich <simon@open-mesh.com>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <antonio@meshcoding.com>
      d46b6bfa
  3. 20 Jul, 2014 20 commits