The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about irda_recvmsg_dgram() not filling the msg_name in case it was
set.
Cc: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about caif_seqpkt_recvmsg() not filling the msg_name in case it was
set.
Cc: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
the flags, sco_sock_recvmsg() returns early with 0 without updating the
possibly set msg_namelen member. This, in turn, leads to a 128 byte
kernel stack leak in net/socket.c.
Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_recvmsg().
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
early with 0 without updating the possibly set msg_namelen member. This,
in turn, leads to a 128 byte kernel stack leak in net/socket.c.
Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_stream_recvmsg().
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In case the socket is already shutting down, bt_sock_recvmsg() returns
with 0 without updating msg_namelen leading to net/socket.c leaking the
local, uninitialized sockaddr_storage variable to userland -- 128 bytes
of kernel stack memory.
Fix this by moving the msg_namelen assignment in front of the shutdown
test.
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When msg_namelen is non-zero the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of struct
sockaddr_ax25 inserted by the compiler for alignment. Additionally the
msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
not always filled up to this size.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix both issues by initializing the memory with memset(0).
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about vcc_recvmsg() not filling the msg_name in case it was set.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull KVM fix from Gleb Natapov:
"Bugfix for the regression introduced by commit c300aa64ddf5"
* git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: Allow cross page reads and writes from cached translations.
Pull x86 fixes from Peter Anvin:
"Two quite small fixes: one a build problem, and the other fixes
seccomp filters on x32."
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86: Fix rebuild with EFI_STUB enabled
x86: remove the x32 syscall bitmask from syscall_get_nr()
Interrupt handlers are always invoked with interrupts disabled, so
remove all uses of the deprecated IRQF_DISABLED flag.
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Reviewed-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linux has expected that interrupt handlers are executed with local
interrupts disabled for a while now, so ensure that this is the case on
Alpha even for non-device interrupts such as IPIs.
Without this patch, secondary boot results in the following backtrace:
warning: at kernel/softirq.c:139 __local_bh_enable+0xb8/0xd0()
trace:
__local_bh_enable+0xb8/0xd0
irq_enter+0x74/0xa0
scheduler_ipi+0x50/0x100
handle_ipi+0x84/0x260
do_entint+0x1ac/0x2e0
irq_exit+0x60/0xa0
handle_irq+0x98/0x100
do_entint+0x2c8/0x2e0
ret_from_sys_call+0x0/0x10
load_balance+0x3e4/0x870
cpu_idle+0x24/0x80
rcu_eqs_enter_common.isra.38+0x0/0x120
cpu_idle+0x40/0x80
rest_init+0xc0/0xe0
_stext+0x1c/0x20
A similar dump occurs if you try to reboot using magic-sysrq.
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Due to all of the goodness being packed into today's kernels, the
resulting image isn't as slim as it once was.
In light of this, don't pass -msmall-data to gcc, which otherwise results
in link failures due to impossible relocations when compiling anything but
the most trivial configurations.
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Reviewed-by: Matt Turner <mattst88@gmail.com>
Tested-by: Thorsten Kranzkowski <dl8bcu@dl8bcu.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes a NULL pointer dereference at boot on UP1500.
Cc: stable@vger.kernel.org
Reviewed-and-Tested-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Jay Estabrook <jay.estabrook@gmail.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tetja Rediske found that if the host receives an ICMPv6 redirect message
after sending a SYN+ACK, the connection will be reset.
He bisected it down to 093d04d (ipv6: Change skb->data before using
icmpv6_notify() to propagate redirect), but the origin of the bug comes
from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
handlers.). The bug simply did not trigger prior to 093d04d, because
skb->data did not point to the inner IP header and thus icmpv6_notify
did not call the correct err_handler.
This patch adds the missing "goto out;" in tcp_v6_err. After receiving
an ICMPv6 Redirect, we should not continue processing the ICMP in
tcp_v6_err, as this may trigger the removal of request-socks or setting
sk_err(_soft).
Reported-by: Tetja Rediske <tetja@tetja.de>
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch adds support for kvm_gfn_to_hva_cache_init functions for
reads and writes that will cross a page. If the range falls within
the same memslot, then this will be a fast operation. If the range
is split between two memslots, then the slower kvm_read_guest and
kvm_write_guest are used.
Tested: Test against kvm_clock unit tests.
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
The usb_control_msg() function expects __u16 types and performs
the endianness conversions by itself.
However, in three places, a conversion is performed before it is
handed over to usb_control_msg(), which leads to a double conversion
(= no conversion):
* snd_usb_nativeinstruments_boot_quirk()
* snd_nativeinstruments_control_get()
* snd_nativeinstruments_control_put()
Caught by sparse:
sound/usb/mixer_quirks.c:512:38: warning: incorrect type in argument 6 (different base types)
sound/usb/mixer_quirks.c:512:38: expected unsigned short [unsigned] [usertype] index
sound/usb/mixer_quirks.c:512:38: got restricted __le16 [usertype] <noident>
sound/usb/mixer_quirks.c:543:35: warning: incorrect type in argument 5 (different base types)
sound/usb/mixer_quirks.c:543:35: expected unsigned short [unsigned] [usertype] value
sound/usb/mixer_quirks.c:543:35: got restricted __le16 [usertype] <noident>
sound/usb/mixer_quirks.c:543:56: warning: incorrect type in argument 6 (different base types)
sound/usb/mixer_quirks.c:543:56: expected unsigned short [unsigned] [usertype] index
sound/usb/mixer_quirks.c:543:56: got restricted __le16 [usertype] <noident>
sound/usb/quirks.c:502:35: warning: incorrect type in argument 5 (different base types)
sound/usb/quirks.c:502:35: expected unsigned short [unsigned] [usertype] value
sound/usb/quirks.c:502:35: got restricted __le16 [usertype] <noident>
Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Acked-by: Daniel Mack <zonque@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
If a result of the SMP discover function is PHY VACANT,
the content of discover response structure (dr) is not valid.
It sometimes happens that dr->attached_sas_addr can contain
even SAS address of other phy. In such case an invalid phy
is created, what causes NULL pointer dereference during
destruction of expander's phys.
So if a result of SMP function is PHY VACANT, the content of discover
response structure (dr) must not be copied to phy structure.
This patch fixes the following bug:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
IP: [<ffffffff811c9002>] sysfs_find_dirent+0x12/0x90
Call Trace:
[<ffffffff811c95f5>] sysfs_get_dirent+0x35/0x80
[<ffffffff811cb55e>] sysfs_unmerge_group+0x1e/0xb0
[<ffffffff813329f4>] dpm_sysfs_remove+0x24/0x90
[<ffffffff8132b0f4>] device_del+0x44/0x1d0
[<ffffffffa016fc59>] sas_rphy_delete+0x9/0x20 [scsi_transport_sas]
[<ffffffffa01a16f6>] sas_destruct_devices+0xe6/0x110 [libsas]
[<ffffffff8107ac7c>] process_one_work+0x16c/0x350
[<ffffffff8107d84a>] worker_thread+0x17a/0x410
[<ffffffff81081b76>] kthread+0x96/0xa0
[<ffffffff81464944>] kernel_thread_helper+0x4/0x10
Signed-off-by: Lukasz Dorau <lukasz.dorau@intel.com>
Signed-off-by: Pawel Baldysiak <pawel.baldysiak@intel.com>
Reviewed-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
No locks should be held when calling scsi_adjust_queue_depth
so drop the lock in slave_configure prior to calling it.
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Acked-by: Robert Jennings <rcj@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
System crashes, in initiator mode operation, with
qla2xxx_copy_atioqueues() in stack trace when firmware dump is
attempted.
Check for atio_q_length alone does not indicate if atio_ring is
allocated, make explicit check of atio_ring to avoid the crash.
Applicable to ISP24xx, ISP25xx, ISP81xx & ISP83xx line of HBAs.
Signed-off-by: Arun Easi <arun.easi@qlogic.com>
Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The original patch was not covering all the adapters and firmwares.
This commit reverts 3a11711ad0.
Signed-off-by: Joe Carnuccio <joe.carnuccio@qlogic.com>
Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Reinitialize resource queue prior to freeing resource entries to ensure they
are not referenced. This fixes an issue with target_destoy accessing memory
after it was freed.
Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
Acked-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
The abort command issued by ipr_cancel_op() is being added to the wrong
HRRQ free queue after the command returns. Fix it by using the HRRQ
pointer in the ipr command struct itself.
Signed-off-by: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
Acked-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
This patch fixes a reference count bug in the SCSI tape driver which can be
reproduced with the following:
* Boot with slub_debug=FZPU, tape drive attached
* echo 1 > /sys/devices/... tape device pci path .../remove
* Wait for device removal
* echo 1 > /sys/kernel/slab/blkdev_queue/validate
* Slub debug complains about corrupted poison pattern
In commit 523e1d39 (block: make gendisk hold a reference to its queue)
add_disk() and disk_release() were modified to get/put an additional
reference on a disk queue to fix a reference counting discrepency
between bdev release and SCSI device removal. The ST driver never
calls add_disk(), so this commit introduced an extra kref put when the
ST driver frees its struct gendisk.
Attempts were made to fix this bug at the block level [1] but later
abandoned due to floppy driver issues [2].
[1] https://lkml.org/lkml/2012/8/27/354
[2] https://lkml.org/lkml/2012/9/22/113
Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com>
Tested-by: Ewan D. Milne <emilne@redhat.com>
Acked-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
In fact the disc_resp buffer will be overwrite by smp response, so we never
found this typo, correct it by using the right one.
Signed-off-by: John Gong <john_gong@usish.com>
Signed-off-by: Jack Wang <jack_wang@usish.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Loading ipr modules failed(-22) with msi-x enabled adapter. In ipr_test_msi(),
We need to pass the first vector of msix vectors instead of using pdev->irq
to request_irq() when adapter enables msix feature.
Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
Acked-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
cache target when the device being cached is not itself wrapped with
device-mapper.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJRXuMlAAoJEK2W1qbAHj1n44cQAJYD4CFKQn3Mv1YkpkTeuuy6
N6kLmKl5leFNk8y6dwGtcRMtn7ZkVJLrDFXoi+pa46geG1WfCuAVhqm1y9t+Fa+m
mWJgSutkvEdI5OiU7SfoK0m0zGsB8B5k5G2rp0vT7sRmIWmPKPH6GUP7Fw0QRDYl
kXkxO9P6GM8kU5H/7SqVqtbvD1tNgEeME8vqAFJU3xC7PrfcknpnFD5kJeBMcddD
NZUXPDmUv20G2WySxLWbX4eBNNsqpI7QwX0Mthab8OusCOaLLID3P388ZLRyAqLx
/ja8rIKPdjRBOgyJ/kkemybffle69Bg5M+mfPygGATyUsPeVXmi/6u2AHLTcVj9e
tsF2MjHNYfEZE7Bq4rmEKrRk/pec+2UbgYj41mhQ06ICK+FlSDxIJWHN8fyrVpvu
0bT2f9Ddqwd6fZX8Wwd6xIaH+Nv7EZRNChdF0uUsHkjZbBWkojdFsdUSuDJWN87p
TjYCZJuRmStyDPTvnJeikuaXJ0DAs+OZ0w9I4HCNWNNF1rUbUEH5ixOcNwGA54IN
EGvbnGNfZlwYNCVpBRB+srlGPTTP8y63m3IZsCYc6VL2G9VBBZiIUBSNQMqUD3d4
Cnfr1crEC2EqPPd6XjCeRPv4dHuDMVwH4MA3SSvjL+j1jkxnz6prZPsBHu70aRWh
OFnV+n4YX8VJnAT5Rn0N
=LUeu
-----END PGP SIGNATURE-----
Merge tag 'dm-3.9-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm
Pull device-mapper fixes from Alasdair Kergon:
"A pair of patches to fix the writethrough mode of the device-mapper
cache target when the device being cached is not itself wrapped with
device-mapper."
* tag 'dm-3.9-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm:
dm cache: reduce bio front_pad size in writeback mode
dm cache: fix writes to cache device in writethrough mode
ASPM
Revert "PCI/ACPI: Request _OSC control before scanning PCI root bus"
kexec
PCI: Don't try to disable Bus Master on disconnected PCI devices
Platform ROM images
PCI: Add PCI ROM helper for platform-provided ROM images
nouveau: Attempt to use platform-provided ROM image
radeon: Attempt to use platform-provided ROM image
Hotplug
PCI/ACPI: Always resume devices on ACPI wakeup notifications
PCI/PM: Disable runtime PM of PCIe ports
EISA
EISA/PCI: Fix bus res reference
EISA/PCI: Init EISA early, before PNP
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJRXzmPAAoJEFmIoMA60/r8svoQAIb1Z11DAdPfTaXThwEIURZb
KC4wzfLMAZCRvfY6j6qZw6Qi3NT6ZqgrZxSXgV0myB6Luwcv80+D2BHmDnRoxRYD
ywAm2m8vwoUq5s7MsaGHRLViBafL5TDs1KQLVEPkJ+B1gCzo61UWXPVDu+z9u+Fx
t9fNV5Xc/uaxciXZYVnPGTCFjCVTqa95x16bF6NgmG1j1DHYuX7fBVSsJc2CS77m
P2oyrfLmsKUA7jKHD4ntbIslYcqUC5NF8wcRad324Pzi93IwdktUSn8tqqNFCX9T
EE8hxCp24CPm6ngyCFIIkqYM/MMDM8YVqBwuZjngm3+tjaS3hBIrr1jBDenUgncY
2WRomgRzBwaa8nTr5xhin3kYGRkQAEf3M8RWG70YBppTidvvoUt0bfxSfSlN9R/t
g/7Eu4u35+lJ9F+Gg4unc0JrydkSJG1tfE+0LaEOhqXgCwloPR3kk08qcHPA2NHQ
dlEMJ3FSUHvINoRE7pm6+E2lcbGvZjCa9Cvd9IbdJ6r4wVYI7pHl8Zlp/sf3HZdV
sKRAw7fSazoFCX73lHR0f1zx7l1OdTmDSxEHv/pQA+xVt7K0DcOq+Mj0B84pVYcl
WSRUcr6jAi91syuKX+8TRpbfACb25PkPrEFEsjsGcBq+I/a15e8a+sIW31Z66PNu
ICejTqh/2/aOlgFg9OBs
=gIGr
-----END PGP SIGNATURE-----
Merge tag 'pci-v3.9-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
Pull PCI fixes from Bjorn Helgaas:
"PCI updates for v3.9:
ASPM
Revert "PCI/ACPI: Request _OSC control before scanning PCI root bus"
kexec
PCI: Don't try to disable Bus Master on disconnected PCI devices
Platform ROM images
PCI: Add PCI ROM helper for platform-provided ROM images
nouveau: Attempt to use platform-provided ROM image
radeon: Attempt to use platform-provided ROM image
Hotplug
PCI/ACPI: Always resume devices on ACPI wakeup notifications
PCI/PM: Disable runtime PM of PCIe ports
EISA
EISA/PCI: Fix bus res reference
EISA/PCI: Init EISA early, before PNP"
* tag 'pci-v3.9-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI/PM: Disable runtime PM of PCIe ports
PCI/ACPI: Always resume devices on ACPI wakeup notifications
PCI: Don't try to disable Bus Master on disconnected PCI devices
Revert "PCI/ACPI: Request _OSC control before scanning PCI root bus"
radeon: Attempt to use platform-provided ROM image
nouveau: Attempt to use platform-provided ROM image
EISA/PCI: Init EISA early, before PNP
EISA/PCI: Fix bus res reference
PCI: Add PCI ROM helper for platform-provided ROM images
Pull networking fixes from David Miller:
1) Fix erroneous sock_orphan() leading to crashes and double
kfree_skb() in NFC protocol. From Thierry Escande and Samuel Ortiz.
2) Fix use after free in remain-on-channel mac80211 code, from Johannes
Berg.
3) nf_reset() needs to reset the NF tracing cookie, otherwise we can
leak it from one namespace into another. Fix from Gao Feng and
Patrick McHardy.
4) Fix overflow in channel scanning array of mwifiex driver, from Stone
Piao.
5) Fix loss of link after suspend/shutdown in r8169, from Hayes Wang.
6) Synchronization of unicast address lists to the undelying device
doesn't work because whether to sync is maintained as a boolean
rather than a true count. Fix from Vlad Yasevich.
7) Fix corruption of TSO packets in atl1e by limiting the segmented
packet length. From Hannes Frederic Sowa.
8) Revert bogus AF_UNIX credential passing change and fix the
coalescing issue properly, from Eric W Biederman.
9) Changes of ipv4 address lifetime settings needs to generate a
notification, from Jiri Pirko.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (22 commits)
netfilter: don't reset nf_trace in nf_reset()
net: ipv4: notify when address lifetime changes
ixgbe: fix registration order of driver and DCA nofitication
af_unix: If we don't care about credentials coallesce all messages
Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
bonding: remove sysfs before removing devices
atl1e: limit gso segment size to prevent generation of wrong ip length fields
net: count hw_addr syncs so that unsync works properly.
r8169: fix auto speed down issue
netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
mwifiex: limit channel number not to overflow memory
NFC: microread: Fix build failure due to a new MEI bus API
iwlwifi: dvm: fix the passive-no-RX workaround
netfilter: nf_conntrack: fix error return code
NFC: llcp: Keep the connected socket parent pointer alive
mac80211: fix idle handling sequence
netfilter: nfnetlink_acct: return -EINVAL if object name is empty
netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
netfilter: reset nf_trace in nf_reset
mac80211: fix remain-on-channel cancel crash
...
If the call to rpciod_up() fails, we currently leak a reference to the
struct rpc_xprt.
As part of the fix, we also remove the redundant check for xprt!=NULL.
This is already taken care of by the callers.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
eboot.o and efi_stub_$(BITS).o didn't get added to "targets", and hence
their .cmd files don't get included by the build machinery, leading to
the files always getting rebuilt.
Rather than adding the two files individually, take the opportunity and
add $(VMLINUX_OBJS) to "targets" instead, thus allowing the assignment
at the top of the file to be shrunk quite a bit.
At the same time, remove a pointless flags override line - the variable
assigned to was misspelled anyway, and the options added are
meaningless for assembly sources.
[ hpa: the patch is not minimal, but I am taking it for -urgent anyway
since the excess impact of the patch seems to be small enough. ]
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Link: http://lkml.kernel.org/r/515C5D2502000078000CA6AD@nat28.tlf.novell.com
Cc: Matthew Garrett <mjg@redhat.com>
Cc: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
It is unsafe to use list_for_each_entry_safe() here, because
when we drop the nn->nfs_client_lock, we pin the _current_ list
entry and ensure that it stays in the list, but we don't do the
same for the _next_ list entry. Use of list_for_each_entry() is
therefore the correct thing to do.
Also fix the refcounting in nfs41_walk_client_list().
Finally, ensure that the nfs_client has finished being initialised
and, in the case of NFSv4.1, that the session is set up.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: Bryan Schumaker <bjschuma@netapp.com>
Cc: stable@vger.kernel.org [>= 3.7]
When we assign a new rpc_client to clp->cl_rpcclient, we need to destroy
the old one.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org [>=3.7]
While testing error cases where rpc_new_client() fails, I saw
some oopses.
If rpc_new_client() fails, it already invokes xprt_put(). Thus
__rpc_clone_client() does not need to invoke it again.
Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
Fri Sep 14, 2012.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org [>=3.7]
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code
to reset nf_trace in nf_reset(). This is wrong and unnecessary.
nf_reset() is used in the following cases:
- when passing packets up the the socket layer, at which point we want to
release all netfilter references that might keep modules pinned while
the packet is queued. nf_trace doesn't matter anymore at this point.
- when encapsulating or decapsulating IPsec packets. We want to continue
tracing these packets after IPsec processing.
- when passing packets through virtual network devices. Only devices on
that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
used anymore. Its not entirely clear whether those packets should
be traced after that, however we've always done that.
- when passing packets through virtual network devices that make the
packet cross network namespace boundaries. This is the only cases
where we clearly want to reset nf_trace and is also what the
original patch intended to fix.
Add a new function nf_reset_trace() and use it in dev_forward_skb() to
fix this properly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull MIPS fixes from Ralf Baechle:
"Fixes for a number of small glitches in various corners of the MIPS
tree. No particular areas is standing out.
With this applied all MIPS defconfigs are building fine. No merge
conflicts are expected."
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: Delete definition of SA_RESTORER.
MIPS: Fix ISA level which causes secondary cache init bypassing and more
MIPS: Fix build error cavium-octeon without CONFIG_SMP
MIPS: Kconfig: Rename SNIPROM too
MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI"
MIPS: Unbreak function tracer for 64-bit kernel.
Pull GFS2 fixes from Steven Whitehouse:
"There are two patches which fix up a couple of minor issues in the DLM
interface code, a missing error path in gfs2_rs_alloc(), one patch
which fixes a problem during "withdraw" and a fix for discards/FITRIM
when using 4k sector sized devices."
* git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes:
GFS2: Issue discards in 512b sectors
GFS2: Fix unlock of fcntl locks during withdrawn state
GFS2: return error if malloc failed in gfs2_rs_alloc()
GFS2: use memchr_inv
GFS2: use kmalloc for lvb bitmap
Commit e2eed58b4f ("IB/qib: change QLogic to Intel") moved a firmware
file potentially breaking the ABI.
This patch reverts that aspect of the fix as well as reverting the
firmware name as used in qib.
Reported-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
A bunch of small driver fixes plus a fix for error handling in the core
- nothing too exciting overall.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJRXt12AAoJELSic+t+oim9PNIP/RPojoOyrzSr2knNwgFHtxo7
rcQqxq/Z0Ah6B/BKZ5qomzIaUPzLoKGM2ND4KhCJjBrXY3PR6hJQK6b4M2ocXbpK
whC5lt36M9/3b/eLGH9lIfKGXPKT+n2qfvbALdlxWYTcLbeoiMfakwcGhZngihEq
H96x7+xOuBheF8dx46+zG10uUm0lP3hpELzXKqHi/K173FEfgIeq9iELzfTiQbIw
tdXUl7jrUwifvBlUx3/tRM334K4pAGeq+hLtftxvX/qFBqNIZ6bO3ZguZLaPNgXd
NvQ1AtsArf2KmL+/093Zesz+b7fqfLEjsBqecWjhT7UWEs1y8qmmTBNM6cgAOzyg
OZnFzZ8fl3G9YuLgktAFr1pWT9T43B/ZFbQ4NQzkxVOh1QvOz1Xkx9JS0hCigVBu
pen6n5L2OWzxcGsDiB38b4HSCzLgNt4QtsXCtQZaDKUJ6Q8pmsCWClyPfqJwbEWR
5QNW/8x2BCuQMSa4aKvPhjw9bIfOhOYX/+JQezHdS/pu6nwAGHHM5Yohtjn9/hm/
6hXniAzctT6rbk4ZDr5ux1CBxyBzjcTAL0tdiqFglAYcXwRNpzqm714jKN57yH6p
YXD3V2aRF7h7honDJqav18M9opuIo4rNg0lBCreA+5FJ+MmQHLIU/DvfO6qUV2/0
XO540x4NdS1PMAX02P1h
=eqgv
-----END PGP SIGNATURE-----
Merge tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc
Pull spi fixes from Mark Brown:
"A bunch of small driver fixes plus a fix for error handling in the
core - nothing too exciting overall."
* tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
spi/mpc512x-psc: optionally keep PSC SS asserted across xfer segmensts
spi: Unlock a spinlock before calling into the controller driver.
spi/s3c64xx: modified error interrupt handling and init
spi/bcm63xx: don't disable non enabled clocks in probe error path
spi/bcm63xx: Remove unused variable
spi: slink-tegra20: move runtime pm calls to transfer_one_message
This patch changes GFS2's discard issuing code so that it calls
function sb_issue_discard rather than blkdev_issue_discard. The
code was calling blkdev_issue_discard and specifying the correct
sector offset and sector size, but blkdev_issue_discard expects
these values to be in terms of 512 byte sectors, even if the native
sector size for the device is different. Calling sb_issue_discard
with the BLOCK size instead ensures the correct block-to-512b-sector
translation. I verified that "minlen" is specified in blocks, so
comparing it to a number of blocks is correct.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
This reverts commit 0ef1594c01.
This patch introduced a few races which cannot be easily fixed with a
small follow-up patch. Furthermore, the SoC with the broken hardware
register, which this patch intended to add support for, can only be used
with device trees, which this driver currently does not support.
[ Here is the discussion that led to this "revert" patch:
https://lkml.org/lkml/2013/4/3/176 ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJRXrj5AAoJEPo9qoy8lh71MVEQAIpbZnMGuzhPbVdDfVZCkNt+
GNGhRaYNODoVhAaiIJ4kcCtCpM36EHXZozw/Jlc0hjVuWBptZI2W8vnoH/utrdCD
Dh6SxKVc8QwGz2Ybhjqy8U1Bpw3GVGHbPzLz/6gmZQy34ownOeM5qqSLXXuxF8NW
LiALmD1nUZwg+Mn9aF8Hvu8BMM4lxK90oM3XTGfru3LmgN2ING5sgb6eLaTPAxPd
+vDmeynekPWd+yDjmHC0Es5Xx1J0tuOi/qepWYH1pok9R+dtsyfAOmeXoUjcbKct
5Vpx/3Y/exzGQeiZuFYlpKYCtDqYh26CwJjPKpbMPztTJMgdmCRFJxMiISmNdu9k
cVQ0V3oJr92uAtX6gl5/5YM1nmXeH0Y9LwHVdgN6Tjiwe54FhGq8url2HqZINjQI
B19Jwx6XHsZ2P7Yr9LDqmrGFEMjv/ufdV/qhrLt+bxjxu/8DIxrPG37N7beFPZbE
KbPnxy6zDD2ROBtheTVFNdL5FkZbplJKaqhUMpfuBsDo/w0mpQADOJOPEQCgOC8I
CaaGfuBqbRBlO6R02bCmnLaeFwOSUIKjqLmug3IOcpZ+uZym3RPMZuMsRnHTIoYh
tD8+zfQ6z9iEYaoQO6CjzHLzvqCKdG1t0ksDp+FmhCfFlityuzXhvHvP9rI72ys2
/6ECxV0W4m3zLLKofxOM
=lKy5
-----END PGP SIGNATURE-----
Merge tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux
Pull fbdev fixes from Tomi Valkeinen:
"Fix uvesafb crash bug and typoed flag name in fbmon's new videomode
code"
* tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux:
video:uvesafb: Fix dereference NULL pointer code path
fbmon: use VESA_DMT_VSYNC_HIGH to fix typo
This contains slightly more volumes than usual at this stage, mostly
because of my vacation in the last week.
Nothing to scare, all small and/or trivial fixes:
- Fix loop path handling in ASoC DAPM
- Some memory handling fixes in ASoC core
- Fix spear_pcm to adapt to the updated API
- HD-audio HDMI ELD handling fixes
- Fix for CM6331 USB-audio SRC change bugs
- Revert power_save_controller option change due to user-space usage
- A few other small ASoC and HD-audio fixes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAABAgAGBQJRXl85AAoJEGwxgFQ9KSmkDzAQALJU/3Bn/tRJMFDwmVPYbuoi
/mJ8iTBLz7uvKTnGaOIPg+vrt2SOkpcfE/bkv2d8GL/YMbXC7RY2j+37D8LYlnZQ
rhUlM7VbkFsmoXR9GtgeWdZyrQSVNi7KFCfNLSNZmZAkDkopq0VzW4Ll+q4wyPWQ
taZDQ0g3fnbAegiri246cb8nKH8gTzKRG16I/5N1S7fxLinQ6u5W4IPu9jHxNhiW
sOyQOXwYp7CpgmqKBbjES8oncbgwSnk55YPY3Si+vfYIHy18yR9yCNyGsrGN8M0W
c4oTU8EoNzGrwE4/+MSvkWwA4qYBEqRkEwS8eL2QlcyNpeZq1mROWnEa1BZz3PJ/
uw4M5GrVYFD/w95XRX/hJmenQelSV5S2EfCmxAbMQwXX9je2q9RzM0AeaORNUPYT
Iy8S4+d9KBWBcLxmAASLUPTk5nl4bTPW/yy/Cb5ICQdnhHGTmKnJjQdIbP9tiiDD
jfnftPUDBONRnCe24AtxQzDmj2wfikkMkQoR/nENKKR+u56zy6Le+m4zmv7OlfLX
lqcWHh/Sgsg+B960GUPZSEqpDaXA5hkpXTz/foWbeu8Go0JVQTV9/+HDomrfP0VE
EoRrApZf35PBSo2rqC6lyKhAp+OgWKmXoWelzCY3//4kYXl2cEK1voa5zFhgVRGD
tccXSAxPyW4HsIg+4hqF
=L1Ya
-----END PGP SIGNATURE-----
Merge tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This contains slightly more volumes than usual at this stage, mostly
because of my vacation in the last week. Nothing to scare, all small
and/or trivial fixes:
- Fix loop path handling in ASoC DAPM
- Some memory handling fixes in ASoC core
- Fix spear_pcm to adapt to the updated API
- HD-audio HDMI ELD handling fixes
- Fix for CM6331 USB-audio SRC change bugs
- Revert power_save_controller option change due to user-space usage
- A few other small ASoC and HD-audio fixes"
* tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda/generic - fix uninitialized variable
Revert "ALSA: hda - Allow power_save_controller option override DCAPS"
ALSA: hda - fix typo in proc output
ALSA: hda - Enabling Realtek ALC 671 codec
ALSA: usb: Work around CM6631 sample rate change bug
ALSA: hda - bug fix on HDMI ELD debug message
ALSA: hda - bug fix on return value when getting HDMI ELD info
ASoC: dma-sh7760: Fix compile error
ASoC: core: fix invalid free of devm_ allocated data
ASoC: spear_pcm: Update to new pcm_new() API
ASoC:: max98090: Remove executable bit
ASoC: dapm: Fix pointer dereference in is_connected_output_ep()
ASoC: pcm030 audio fabric: remove __init from probe
ASoC: imx-ssi: Fix occasional AC97 reset failure
ASoC: core: fix possible memory leak in snd_soc_bytes_put()
ASoC: wm_adsp: fix possible memory leak in wm_adsp_load_coeff()
ASoC: dapm: Fix handling of loops
ASoC: si476x: Add missing break for SNDRV_PCM_FORMAT_S8 switch case
Even in failed case of pm_runtime_get_sync, the usage_count
is incremented. In order to keep the usage_count with correct
value and runtime power management to behave correctly, call
pm_runtime_put_noidle in such case.
In __hwspin_lock_request, module_put is also called before
return in pm_runtime_get_sync failed case.
Cc: stable@vger.kernel.org
Signed-off-by Liu Chuansheng <chuansheng.liu@intel.com>
Signed-off-by: Li Fei <fei.li@intel.com>
[edit commit log]
Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
A recent patch to fix the dm cache target's writethrough mode extended
the bio's front_pad to include a 1056-byte struct dm_bio_details.
Writeback mode doesn't need this, so this patch reduces the
per_bio_data_size to 16 bytes in this case instead of 1096.
The dm_bio_details structure was added in "dm cache: fix writes to
cache device in writethrough mode" which fixed commit e2e74d617e ("dm
cache: fix race in writethrough implementation"). In writeback mode
we avoid allocating the writethrough-specific members of the
per_bio_data structure (the dm_bio_details structure included).
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
The dm-cache writethrough strategy introduced by commit e2e74d617e
("dm cache: fix race in writethrough implementation") issues a bio to
the origin device, remaps and then issues the bio to the cache device.
This more conservative in-series approach was selected to favor
correctness over performance (of the previous parallel writethrough).
However, this in-series implementation that reuses the same bio to write
both the origin and cache device didn't take into account that the block
layer's req_bio_endio() modifies a completing bio's bi_sector and
bi_size. So the new writethrough strategy needs to preserve these bio
fields, and restore them before submission to the cache device,
otherwise nothing gets written to the cache (because bi_size is 0).
This patch adds a struct dm_bio_details field to struct per_bio_data,
and uses dm_bio_record() and dm_bio_restore() to ensure the bio is
restored before reissuing to the cache device. Adding such a large
structure to the per_bio_data is not ideal but we can improve this
later, for now correctness is the important thing.
This problem initially went unnoticed because the dm-cache test-suite
uses a linear DM device for the dm-cache device's origin device.
Writethrough worked as expected because DM submits a *clone* of the
original bio, so the original bio which was reused for the cache was
never touched.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
SA_RESTORER used to be defined as 0x04000000 but only the O32 ABI ever
supported its use and no libc was using it, so the entire sa-restorer
functionality was removed with lmo commit 39bffc12c3580ab [Zap sa_restorer.]
for 2.5.48 retaining only the SA_RESTORER definition as a reminder to avoid
accidental reuse of the mask bit.
Upstream cdef9602fbf1871a43f0f1b5cea10dd0f275167d [signal: always clear
sa_restorer on execve] adds code that assumes sa_sigaction has an
sa_restorer field, if SA_RESTORER is defined which would break MIPS.
So remove the SA_RESTORER definition before the v3.8.4 merge.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
(cherry picked from commit 17da8d63add23830892ac4dc2cbb3b5d4ffb79a8)