1. 20 Mar, 2013 8 commits
  2. 14 Mar, 2013 32 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.8.3 · 1a45c310
      Greg Kroah-Hartman authored
      1a45c310
    • David S. Miller's avatar
      6lowpan: Remove __init tag from lowpan_netlink_fini(). · 3bc7100a
      David S. Miller authored
      commit a07fdcec upstream.
      
      It's called from both __init and __exit code, so neither
      tag is appropriate.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3bc7100a
    • Eric W. Biederman's avatar
      userns: Don't allow CLONE_NEWUSER | CLONE_FS · 364709dd
      Eric W. Biederman authored
      commit e66eded8 upstream.
      
      Don't allowing sharing the root directory with processes in a
      different user namespace.  There doesn't seem to be any point, and to
      allow it would require the overhead of putting a user namespace
      reference in fs_struct (for permission checks) and incrementing that
      reference count on practically every call to fork.
      
      So just perform the inexpensive test of forbidding sharing fs_struct
      acrosss processes in different user namespaces.  We already disallow
      other forms of threading when unsharing a user namespace so this
      should be no real burden in practice.
      
      This updates setns, clone, and unshare to disallow multiple user
      namespaces sharing an fs_struct.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      364709dd
    • Hauke Mehrtens's avatar
      w1-gpio: fix section mismatch · f7322a37
      Hauke Mehrtens authored
      commit 06a8f1fe upstream.
      
      This fixes the following section mismatch:
      
      WARNING: drivers/w1/masters/w1-gpio.o(.data+0x188): Section mismatch in
      reference from the variable w1_gpio_driver to the function
      .init.text:w1_gpio_probe()
      The variable w1_gpio_driver references
      the function __init w1_gpio_probe()
      If the reference is valid then annotate the
      variable with __init* or __refdata (see linux/init.h) or name the variable:
      *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Acked-by: default avatarEvgeniy Polyakov <zbr@ioremap.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7322a37
    • Greg Kroah-Hartman's avatar
      Revert "xen/blkback: Don't trust the handle from the frontend." · 32f4d10e
      Greg Kroah-Hartman authored
      This reverts commit 01c681d4 upstream
      (ef56ca64 in this tree), as it wasn't
      supposed to have been applied to the stable tree.
      
      Cc: Jan Beulich <jbeulich@suse.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32f4d10e
    • Sarah Sharp's avatar
      USB: Fix connected device switch to Inactive state. · d7930304
      Sarah Sharp authored
      [This is upstream commit d3b9d7a9.
      It needs to be backported to kernels as old as 3.2, because it fixes the
      buggy commit 65bdac5e "USB: Handle warm
      reset failure on empty port."]
      
      A USB 3.0 device can transition to the Inactive state if a U1 or U2 exit
      transition fails.  The current code in hub_events simply issues a warm
      reset, but does not call any pre-reset or post-reset driver methods (or
      unbind/rebind drivers without them).  Therefore the drivers won't know
      their device has just been reset.
      
      hub_events should instead call usb_reset_device.  This means
      hub_port_reset now needs to figure out whether it should issue a warm
      reset or a hot reset.
      
      Remove the FIXME note about needing disconnect() for a NOTATTACHED
      device.  This patch fixes that.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7930304
    • Sarah Sharp's avatar
      USB: Rip out recursive call on warm port reset. · 2373f5ae
      Sarah Sharp authored
      [This is upstream commit a24a6078.
      It needs to be backported to kernels as old as 3.2, because it fixes the
      buggy commit 65bdac5e "USB: Handle warm
      reset failure on empty port."]
      
      When a hot reset fails on a USB 3.0 port, the current port reset code
      recursively calls hub_port_reset inside hub_port_wait_reset.  This isn't
      ideal, since we should avoid recursive calls in the kernel, and it also
      doesn't allow us to issue multiple warm resets on reset failures.
      
      Rip out the recursive call.  Instead, add code to hub_port_reset to
      issue a warm reset if the hot reset fails, and try multiple warm resets
      before giving up on the port.
      
      In hub_port_wait_reset, remove the recursive call and re-indent.  The
      code is basically the same, except:
      
      1. It bails out early if the port has transitioned to Inactive or
      Compliance Mode after the reset completed.
      
      2. It doesn't consider a connect status change to be a failed reset.  If
      multiple warm resets needed to be issued, the connect status may have
      changed, so we need to ignore that and look at the port link state
      instead.  hub_port_reset will now do that.
      
      3. It unconditionally sets udev->speed on all types of successful
      resets.  The old recursive code would set the port speed when the second
      hub_port_reset returned.
      
      The old code did not handle connected devices needing a warm reset well.
      There were only two situations that the old code handled correctly: an
      empty port needing a warm reset, and a hot reset that migrated to a warm
      reset.
      
      When an empty port needed a warm reset, hub_port_reset was called with
      the warm variable set.  The code in hub_port_finish_reset would skip
      telling the USB core and the xHC host that the device was reset, because
      otherwise that would result in a NULL pointer dereference.
      
      When a USB 3.0 device reset migrated to a warm reset, the recursive call
      made the call stack look like this:
      
      hub_port_reset(warm = false)
              hub_wait_port_reset(warm = false)
                      hub_port_reset(warm = true)
                              hub_wait_port_reset(warm = true)
                              hub_port_finish_reset(warm = true)
                              (return up the call stack to the first wait)
      
              hub_port_finish_reset(warm = false)
      
      The old code didn't want to notify the USB core or the xHC host of device reset
      twice, so it only did it in the second call to hub_port_finish_reset,
      when warm was set to false.  This was necessary because
      before patch two ("USB: Ignore xHCI Reset Device status."), the USB core
      would pay attention to the xHC Reset Device command error status, and
      the second call would always fail.
      
      Now that we no longer have the recursive call, and warm can change from
      false to true in hub_port_reset, we need to have hub_port_finish_reset
      unconditionally notify the USB core and the xHC of the device reset.
      
      In hub_port_finish_reset, unconditionally clear the connect status
      change (CSC) bit for USB 3.0 hubs when the port reset is done.  If we
      had to issue multiple warm resets for a device, that bit may have been
      set if the device went into SS.Inactive and then was successfully warm
      reset.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2373f5ae
    • Sarah Sharp's avatar
      USB: Prepare for refactoring by adding extra udev checks. · 1d4b0111
      Sarah Sharp authored
      [This is upstream commit 2d4fa940.
      It needs to be backported to kernels as old as 3.2, because it fixes the
      buggy commit 65bdac5e "USB: Handle warm
      reset failure on empty port."]
      
      The next patch will refactor the hub port code to rip out the recursive
      call to hub_port_reset on a failed hot reset.  In preparation for that,
      make sure all code paths can deal with being called with a NULL udev.
      The usb_device will not be valid if warm reset was issued because a port
      transitioned to the Inactive or Compliance Mode on a device connect.
      
      This patch should have no effect on current behavior.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d4b0111
    • Sarah Sharp's avatar
      USB: Don't use EHCI port sempahore for USB 3.0 hubs. · 4b996365
      Sarah Sharp authored
      [This is upstream commit 0fe51aa5.
      It needs to be backported to kernels as old as 3.2, because it fixes the
      buggy commit 65bdac5e "USB: Handle warm
      reset failure on empty port."]
      
      The EHCI host controller needs to prevent EHCI initialization when the
      UHCI or OHCI companion controller is in the middle of a port reset.  It
      uses ehci_cf_port_reset_rwsem to do this.  USB 3.0 hubs can't be under
      an EHCI host controller, so it makes no sense to down the semaphore for
      USB 3.0 hubs.  It also makes the warm port reset code more complex.
      
      Don't down ehci_cf_port_reset_rwsem for USB 3.0 hubs.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b996365
    • Matthew Garrett's avatar
      efi: be more paranoid about available space when creating variables · 9f677cf2
      Matthew Garrett authored
      commit 68d92986 upstream.
      
      UEFI variables are typically stored in flash. For various reasons, avaiable
      space is typically not reclaimed immediately upon the deletion of a
      variable - instead, the system will garbage collect during initialisation
      after a reboot.
      
      Some systems appear to handle this garbage collection extremely poorly,
      failing if more than 50% of the system flash is in use. This can result in
      the machine refusing to boot. The safest thing to do for the moment is to
      forbid writes if they'd end up using more than half of the storage space.
      We can make this more finegrained later if we come up with a method for
      identifying the broken machines.
      Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
      Cc: Josh Boyer <jwboyer@redhat.com>
      Signed-off-by: default avatarMatt Fleming <matt.fleming@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f677cf2
    • Seiji Aguchi's avatar
      efivars: Disable external interrupt while holding efivars->lock · 71727cd9
      Seiji Aguchi authored
      commit 81fa4e58 upstream.
      
      [Problem]
      There is a scenario which efi_pstore fails to log messages in a panic case.
      
       - CPUA holds an efi_var->lock in either efivarfs parts
         or efi_pstore with interrupt enabled.
       - CPUB panics and sends IPI to CPUA in smp_send_stop().
       - CPUA stops with holding the lock.
       - CPUB kicks efi_pstore_write() via kmsg_dump(KSMG_DUMP_PANIC)
         but it returns without logging messages.
      
      [Patch Description]
      This patch disables an external interruption while holding efivars->lock
      as follows.
      
      In efi_pstore_write() and get_var_data(), spin_lock/spin_unlock is
      replaced by spin_lock_irqsave/spin_unlock_irqrestore because they may
      be called in an interrupt context.
      
      In other functions, they are replaced by spin_lock_irq/spin_unlock_irq.
      because they are all called from a process context.
      
      By applying this patch, we can avoid the problem above with
      a following senario.
      
       - CPUA holds an efi_var->lock with interrupt disabled.
       - CPUB panics and sends IPI to CPUA in smp_send_stop().
       - CPUA receives the IPI after releasing the lock because it is
         disabling interrupt while holding the lock.
       - CPUB waits for one sec until CPUA releases the lock.
       - CPUB kicks efi_pstore_write() via kmsg_dump(KSMG_DUMP_PANIC)
         And it can hold the lock successfully.
      Signed-off-by: default avatarSeiji Aguchi <seiji.aguchi@hds.com>
      Acked-by: default avatarMike Waychison <mikew@google.com>
      Acked-by: default avatarMatt Fleming <matt.fleming@intel.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: Josh Boyer <jwboyer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      71727cd9
    • Steven Rostedt's avatar
      ftrace: Update the kconfig for DYNAMIC_FTRACE · 33452b6b
      Steven Rostedt authored
      commit db05021d upstream.
      
      The prompt to enable DYNAMIC_FTRACE (the ability to nop and
      enable function tracing at run time) had a confusing statement:
      
       "enable/disable ftrace tracepoints dynamically"
      
      This was written before tracepoints were added to the kernel,
      but now that tracepoints have been added, this is very confusing
      and has confused people enough to give wrong information during
      presentations.
      
      Not only that, I looked at the help text, and it still references
      that dreaded daemon that use to wake up once a second to update
      the nop locations and brick NICs, that hasn't been around for over
      five years.
      
      Time to bring the text up to the current decade.
      Reported-by: default avatarEzequiel Garcia <elezegarcia@gmail.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      33452b6b
    • Michael Ellerman's avatar
      powerpc: Apply early paca fixups to boot_paca and the boot cpu's paca · 849149f2
      Michael Ellerman authored
      commit 25e13814 upstream.
      
      In commit 466921c5 we added a hack to set the paca data_offset to zero so
      that per-cpu accesses would work on the boot cpu prior to per-cpu areas
      being setup. This fixed a problem with lockdep touching per-cpu areas
      very early in boot.
      
      However if we combine CONFIG_LOCK_STAT=y with any of the PPC_EARLY_DEBUG
      options, we can hit the same problem in udbg_early_init(). To avoid that
      we need to set the data_offset of the boot_paca also. So factor out the
      fixup logic and call it for both the boot_paca, and "the paca of the
      boot cpu".
      Signed-off-by: default avatarMichael Ellerman <michael@ellerman.id.au>
      Tested-by: default avatarGeoff Levand <geoff@infradead.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      849149f2
    • Jason Cooper's avatar
      ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency · 9fae6bc0
      Jason Cooper authored
      commit 93fff4ce upstream.
      
      When DT support for kirkwood was first introduced, there was no clock
      infrastructure.  As a result, we had to manually pass the
      clock-frequency to the driver from the device node.
      
      Unfortunately, on kirkwood, with minimal config or all module configs,
      clock-frequency breaks booting because of_serial doesn't consume the
      gate_clk when clock-frequency is defined.
      
      The end result on kirkwood is that runit gets gated, and then the boot
      fails when the kernel tries to write to the serial port.
      
      Fix the issue by removing the clock-frequency parameter from all
      kirkwood dts files.
      
      Booted on dreamplug without earlyprintk and successfully logged in via
      ttyS0.
      Reported-by: default avatarSimon Baatz <gmbnomis@gmail.com>
      Tested-by: default avatarSimon Baatz <gmbnomis@gmail.com>
      Signed-off-by: default avatarJason Cooper <jason@lakedaemon.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9fae6bc0
    • Fabio Estevam's avatar
      ARM: mxs_defconfig: Make USB host functional again · f64d7275
      Fabio Estevam authored
      commit f6c49da9 upstream.
      
      commit 09f6ffde (USB: EHCI: fix build error by making ChipIdea host a normal
      EHCI driver) introduced CONFIG_USB_EHCI_HCD as a dependency for USB_CHIPIDEA_HOST.
      
      Select CONFIG_USB_EHCI_HCD, so that USB host can be functional again.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarShawn Guo <shawn.guo@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f64d7275
    • Andrew Lunn's avatar
      gpio: mvebu: Add clk support to prevent lockup · d10d54ce
      Andrew Lunn authored
      commit de88747f upstream.
      
      The kirkwood SoC GPIO cores use the runit clock. Add code to
      clk_prepare_enable() runit, otherwise there is a danger of locking up
      the SoC by accessing the GPIO registers when runit clock is not
      ticking.
      Reported-by: default avatarSimon Baatz <gmbnomis@gmail.com>
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Tested-by: default avatarSimon Baatz <gmbnomis@gmail.com>
      Acked-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarJason Cooper <jason@lakedaemon.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d10d54ce
    • Andrew Lunn's avatar
      rtc: rtc-mv: Add support for clk to avoid lockups · 728bcbfa
      Andrew Lunn authored
      commit 89c58c19 upstream.
      
      The Marvell RTC on Kirkwood makes use of the runit clock. Ensure the
      driver clk_prepare_enable() this clock, otherwise there is a danger
      the SoC will lockup when accessing RTC registers with the clock
      disabled.
      Reported-by: default avatarSimon Baatz <gmbnomis@gmail.com>
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Tested-by: default avatarSimon Baatz <gmbnomis@gmail.com>
      Signed-off-by: default avatarJason Cooper <jason@lakedaemon.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      728bcbfa
    • Al Viro's avatar
      vfs: fix pipe counter breakage · 1d37307a
      Al Viro authored
      commit a930d879 upstream.
      
      If you open a pipe for neither read nor write, the pipe code will not
      add any usage counters to the pipe, causing the 'struct pipe_inode_info"
      to be potentially released early.
      
      That doesn't normally matter, since you cannot actually use the pipe,
      but the pipe release code - particularly fasync handling - still expects
      the actual pipe infrastructure to all be there.  And rather than adding
      NULL pointer checks, let's just disallow this case, the same way we
      already do for the named pipe ("fifo") case.
      
      This is ancient going back to pre-2.4 days, and until trinity, nobody
      naver noticed.
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d37307a
    • Mathieu Desnoyers's avatar
      Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys · 5f4027c6
      Mathieu Desnoyers authored
      commit 8aec0f5d upstream.
      
      Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
      compat_process_vm_rw() shows that the compatibility code requires an
      explicit "access_ok()" check before calling
      compat_rw_copy_check_uvector(). The same difference seems to appear when
      we compare fs/read_write.c:do_readv_writev() to
      fs/compat.c:compat_do_readv_writev().
      
      This subtle difference between the compat and non-compat requirements
      should probably be debated, as it seems to be error-prone. In fact,
      there are two others sites that use this function in the Linux kernel,
      and they both seem to get it wrong:
      
      Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
      also ends up calling compat_rw_copy_check_uvector() through
      aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
      be missing. Same situation for
      security/keys/compat.c:compat_keyctl_instantiate_key_iov().
      
      I propose that we add the access_ok() check directly into
      compat_rw_copy_check_uvector(), so callers don't have to worry about it,
      and it therefore makes the compat call code similar to its non-compat
      counterpart. Place the access_ok() check in the same location where
      copy_from_user() can trigger a -EFAULT error in the non-compat code, so
      the ABI behaviors are alike on both compat and non-compat.
      
      While we are here, fix compat_do_readv_writev() so it checks for
      compat_rw_copy_check_uvector() negative return values.
      
      And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
      handling.
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Acked-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f4027c6
    • David Howells's avatar
      keys: fix race with concurrent install_user_keyrings() · 71d039e2
      David Howells authored
      commit 0da9dfdd upstream.
      
      This fixes CVE-2013-1792.
      
      There is a race in install_user_keyrings() that can cause a NULL pointer
      dereference when called concurrently for the same user if the uid and
      uid-session keyrings are not yet created.  It might be possible for an
      unprivileged user to trigger this by calling keyctl() from userspace in
      parallel immediately after logging in.
      
      Assume that we have two threads both executing lookup_user_key(), both
      looking for KEY_SPEC_USER_SESSION_KEYRING.
      
      	THREAD A			THREAD B
      	===============================	===============================
      					==>call install_user_keyrings();
      	if (!cred->user->session_keyring)
      	==>call install_user_keyrings()
      					...
      					user->uid_keyring = uid_keyring;
      	if (user->uid_keyring)
      		return 0;
      	<==
      	key = cred->user->session_keyring [== NULL]
      					user->session_keyring = session_keyring;
      	atomic_inc(&key->usage); [oops]
      
      At the point thread A dereferences cred->user->session_keyring, thread B
      hasn't updated user->session_keyring yet, but thread A assumes it is
      populated because install_user_keyrings() returned ok.
      
      The race window is really small but can be exploited if, for example,
      thread B is interrupted or preempted after initializing uid_keyring, but
      before doing setting session_keyring.
      
      This couldn't be reproduced on a stock kernel.  However, after placing
      systemtap probe on 'user->session_keyring = session_keyring;' that
      introduced some delay, the kernel could be crashed reliably.
      
      Fix this by checking both pointers before deciding whether to return.
      Alternatively, the test could be done away with entirely as it is checked
      inside the mutex - but since the mutex is global, that may not be the best
      way.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reported-by: default avatarMateusz Guzik <mguzik@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71d039e2
    • Ming Lei's avatar
      usbnet: smsc95xx: fix suspend failure · 53be86cb
      Ming Lei authored
      commit 76437214 upstream.
      
      The three below functions:
      
      	smsc95xx_enter_suspend0()
      	smsc95xx_enter_suspend1()
      	smsc95xx_enter_suspend2()
      
      return > 0 in case of success, so they will cause smsc95xx_suspend()
      to return > 0 and cause suspend failure.
      
      The bug is introduced in commit 3b9f7d(smsc95xx: fix error handling
      in suspend failure case).
      Signed-off-by: default avatarMing Lei <ming.lei@canonical.com>
      Cc: Steve Glendinning <steve.glendinning@shawell.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53be86cb
    • Lee, Chun-Yi's avatar
      acer-wmi: avoid the warning of 'devices' may be used uninitialized · d79ba097
      Lee, Chun-Yi authored
      commit f24c96ea upstream.
      
      Fengguang Wu run kernel build test to platform-drivers-x86/linux-next git tree
      on x86_64 architecture and found a warning that was introduced by
      727651bf738b6b917335025d09323d0962eda114 commit:
      
      drivers/platform/x86/acer-wmi.c: In function ‘WMID_set_capabilities’:
      drivers/platform/x86/acer-wmi.c:1211: warning: ‘devices’ may be used
      uninitialized in this function
      
      This patch fixes the above warning message.
      Signed-off-by: default avatarLee, Chun-Yi <jlee@suse.com>
      Cc: Carlos Corbacho <carlos@strangeworlds.co.uk>
      Cc: Matthew Garrett <mjg@redhat.com>
      Cc: Dmitry Torokhov <dtor@mail.ru>
      Cc: Corentin Chary <corentincj@iksaif.net>
      Cc: Fengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
      Signed-off-by: default avatarPaul Bolle <pebolle@tiscali.nl>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d79ba097
    • Mathias Krause's avatar
      crypto: user - fix info leaks in report API · 71ed58b0
      Mathias Krause authored
      commit 9a5467bf upstream.
      
      Three errors resulting in kernel memory disclosure:
      
      1/ The structures used for the netlink based crypto algorithm report API
      are located on the stack. As snprintf() does not fill the remainder of
      the buffer with null bytes, those stack bytes will be disclosed to users
      of the API. Switch to strncpy() to fix this.
      
      2/ crypto_report_one() does not initialize all field of struct
      crypto_user_alg. Fix this to fix the heap info leak.
      
      3/ For the module name we should copy only as many bytes as
      module_name() returns -- not as much as the destination buffer could
      hold. But the current code does not and therefore copies random data
      from behind the end of the module name, as the module name is always
      shorter than CRYPTO_MAX_ALG_NAME.
      
      Also switch to use strncpy() to copy the algorithm's name and
      driver_name. They are strings, after all.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71ed58b0
    • Wei WANG's avatar
      mfd: rtsx: Fix issue that booting OS with SD card inserted · 58e0b94e
      Wei WANG authored
      commit c3481955 upstream.
      
      Realtek card reader supports both SD and MS card. According to the
      settings of rtsx MFD driver, SD host will be probed before MS host.
      If we boot/reboot Linux with SD card inserted, the resetting flow of SD
      card will succeed, and the following resetting flow of MS is sure to fail.
      Then MS upper-level driver will ask rtsx driver to turn power off. This
      request leads to the result that the following SD commands fail and SD card
      can't be accessed again.
      
      In this commit, Realtek's SD and MS host driver will check whether the card
      that upper driver requesting is the one existing in the slot. If not, Realtek's
      host driver will refuse the operation to make sure the exlusive accessing
      at the same time.
      Signed-off-by: default avatarWei WANG <wei_wang@realsil.com.cn>
      Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
      Cc: Tim Gardner <rtg.canonical@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58e0b94e
    • Wei WANG's avatar
      mfd: rtsx: Optimize card detect flow · d233157a
      Wei WANG authored
      commit 504decc0 upstream.
      
      1. Schedule card detect work at the end of the ISR
      2. Callback function ops->cd_deglitch may delay for a period of time.
      It is not proper to call this callback when local irq disabled.
      3. Card detect flow can't be executed in parallel with other card reader
      operations, so it's better to be protected by mutex.
      Signed-off-by: default avatarWei WANG <wei_wang@realsil.com.cn>
      Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
      Cc: Tim Gardner <rtg.canonical@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d233157a
    • Peter Hurley's avatar
      x86/kvm: Fix pvclock vsyscall fixmap · ff8b1fdc
      Peter Hurley authored
      commit 3d2a80a2 upstream.
      
      The physical memory fixmapped for the pvclock clock_gettime vsyscall
      was allocated, and thus is not a kernel symbol. __pa() is the proper
      method to use in this case.
      
      Fixes the crash below when booting a next-20130204+ smp guest on a
      3.8-rc5+ KVM host.
      
      [    0.666410] udevd[97]: starting version 175
      [    0.674043] udevd[97]: udevd:[97]: segfault at ffffffffff5fd020
           ip 00007fff069e277f sp 00007fff068c9ef8 error d
      Acked-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGleb Natapov <gleb@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff8b1fdc
    • Josef Bacik's avatar
      Btrfs: cleanup orphan reservation if truncate fails · 5cb065d3
      Josef Bacik authored
      commit 4a7d0f68 upstream.
      
      I noticed we were getting lots of warnings with xfstest 83 because we have
      reservations outstanding.  This is because we moved the orphan add outside
      of the truncate, but we don't actually cleanup our reservation if something
      fails.  This fixes the problem and I no longer see warnings.  Thanks,
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5cb065d3
    • Josef Bacik's avatar
      Btrfs: account for orphan inodes properly during cleanup · 5f62c696
      Josef Bacik authored
      commit 925396ec upstream.
      
      Dave sent me a panic where we were doing the orphan cleanup and panic'ed
      trying to release our reservation from the orphan block rsv.  The reason for
      this is because our orphan block rsv had been free'd out from underneath us
      because the transaction commit found that there were no orphan inodes
      according to its count and decided to free it.  This is incorrect so make
      sure we inc the orphan inodes count so the accounting is all done properly.
      This would also cause the warning in the orphan commit code normally if you
      had any orphans to cleanup as they would only decrement the orphan count so
      you'd get a negative orphan count which could cause problems during runtime.
      Thanks,
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f62c696
    • Benjamin Tissoires's avatar
      HID: logitech-dj: do not directly call hid_output_raw_report() during probe · f3df1362
      Benjamin Tissoires authored
      commit dcd9006b upstream.
      
      hid_output_raw_report() makes a direct call to usb_control_msg(). However,
      some USB3 boards have shown that the usb device is not ready during the
      .probe(). This blocks the entire usb device, and the paired mice, keyboards
      are not functional. The dmesg output is the following:
      
      [   11.912287] logitech-djreceiver 0003:046D:C52B.0003: hiddev0,hidraw0: USB HID v1.11 Device [Logitech USB Receiver] on usb-0000:00:14.0-2/input2
      [   11.912537] logitech-djreceiver 0003:046D:C52B.0003: logi_dj_probe:logi_dj_recv_query_paired_devices error:-32
      [   11.912636] logitech-djreceiver: probe of 0003:046D:C52B.0003 failed with error -32
      
      Relying on the scheduled call to usbhid_submit_report() fixes the problem.
      
      related bugs:
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1072082
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1039143
      https://bugzilla.redhat.com/show_bug.cgi?id=840391
      https://bugzilla.kernel.org/show_bug.cgi?id=49781Reported-and-tested-by: default avatarBob Bowles <bobjohnbowles@gmail.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3df1362
    • Marcelo Tosatti's avatar
      x86: pvclock kvm: align allocation size to page size · 054489e1
      Marcelo Tosatti authored
      commit ed55705d upstream.
      
      To match whats mapped via vsyscalls to userspace.
      Reported-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      054489e1
    • Eric W. Biederman's avatar
      userns: Stop oopsing in key_change_session_keyring · f6eff272
      Eric W. Biederman authored
      commit ba0e3427 upstream.
      
      Dave Jones <davej@redhat.com> writes:
      > Just hit this on Linus' current tree.
      >
      > [   89.621770] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8
      > [   89.623111] IP: [<ffffffff810784b0>] commit_creds+0x250/0x2f0
      > [   89.624062] PGD 122bfd067 PUD 122bfe067 PMD 0
      > [   89.624901] Oops: 0000 [#1] PREEMPT SMP
      > [   89.625678] Modules linked in: caif_socket caif netrom bridge hidp 8021q garp stp mrp rose llc2 af_rxrpc phonet af_key binfmt_misc bnep l2tp_ppp can_bcm l2tp_core pppoe pppox can_raw scsi_transport_iscsi ppp_generic slhc nfnetlink can ipt_ULOG ax25 decnet irda nfc rds x25 crc_ccitt appletalk atm ipx p8023 psnap p8022 llc lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables btusb bluetooth snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_pcm vhost_net snd_page_alloc snd_timer tun macvtap usb_debug snd rfkill microcode macvlan edac_core pcspkr serio_raw kvm_amd soundcore kvm r8169 mii
      > [   89.637846] CPU 2
      > [   89.638175] Pid: 782, comm: trinity-main Not tainted 3.8.0+ #63 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H
      > [   89.639850] RIP: 0010:[<ffffffff810784b0>]  [<ffffffff810784b0>] commit_creds+0x250/0x2f0
      > [   89.641161] RSP: 0018:ffff880115657eb8  EFLAGS: 00010207
      > [   89.641984] RAX: 00000000000003e8 RBX: ffff88012688b000 RCX: 0000000000000000
      > [   89.643069] RDX: 0000000000000000 RSI: ffffffff81c32960 RDI: ffff880105839600
      > [   89.644167] RBP: ffff880115657ed8 R08: 0000000000000000 R09: 0000000000000000
      > [   89.645254] R10: 0000000000000001 R11: 0000000000000246 R12: ffff880105839600
      > [   89.646340] R13: ffff88011beea490 R14: ffff88011beea490 R15: 0000000000000000
      > [   89.647431] FS:  00007f3ac063b740(0000) GS:ffff88012b200000(0000) knlGS:0000000000000000
      > [   89.648660] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      > [   89.649548] CR2: 00000000000000c8 CR3: 0000000122bfc000 CR4: 00000000000007e0
      > [   89.650635] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      > [   89.651723] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      > [   89.652812] Process trinity-main (pid: 782, threadinfo ffff880115656000, task ffff88011beea490)
      > [   89.654128] Stack:
      > [   89.654433]  0000000000000000 ffff8801058396a0 ffff880105839600 ffff88011beeaa78
      > [   89.655769]  ffff880115657ef8 ffffffff812c7d9b ffffffff82079be0 0000000000000000
      > [   89.657073]  ffff880115657f28 ffffffff8106c665 0000000000000002 ffff880115657f58
      > [   89.658399] Call Trace:
      > [   89.658822]  [<ffffffff812c7d9b>] key_change_session_keyring+0xfb/0x140
      > [   89.659845]  [<ffffffff8106c665>] task_work_run+0xa5/0xd0
      > [   89.660698]  [<ffffffff81002911>] do_notify_resume+0x71/0xb0
      > [   89.661581]  [<ffffffff816c9a4a>] int_signal+0x12/0x17
      > [   89.662385] Code: 24 90 00 00 00 48 8b b3 90 00 00 00 49 8b 4c 24 40 48 39 f2 75 08 e9 83 00 00 00 48 89 ca 48 81 fa 60 29 c3 81 0f 84 41 fe ff ff <48> 8b 8a c8 00 00 00 48 39 ce 75 e4 3b 82 d0 00 00 00 0f 84 4b
      > [   89.667778] RIP  [<ffffffff810784b0>] commit_creds+0x250/0x2f0
      > [   89.668733]  RSP <ffff880115657eb8>
      > [   89.669301] CR2: 00000000000000c8
      >
      > My fastest trinity induced oops yet!
      >
      >
      > Appears to be..
      >
      >                 if ((set_ns == subset_ns->parent)  &&
      >      850:       48 8b 8a c8 00 00 00    mov    0xc8(%rdx),%rcx
      >
      > from the inlined cred_cap_issubset
      
      By historical accident we have been reading trying to set new->user_ns
      from new->user_ns.  Which is totally silly as new->user_ns is NULL (as
      is every other field in new except session_keyring at that point).
      
      The intent is clearly to copy all of the fields from old to new so copy
      old->user_ns into  into new->user_ns.
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Tested-by: default avatarDave Jones <davej@redhat.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6eff272
    • Matt Fleming's avatar
      efivarfs: return accurate error code in efivarfs_fill_super() · 4040a8aa
      Matt Fleming authored
      commit feff5dc4 upstream.
      
      Joseph was hitting a failure case when mounting efivarfs which
      resulted in an incorrect error message,
      
        $ sudo mount -v /sys/firmware/efi/efivars mount: Cannot allocate memory
      
      triggered when efivarfs_valid_name() returned -EINVAL.
      
      Make sure we pass accurate return values up the stack if
      efivarfs_fill_super() fails to build inodes for EFI variables.
      Reported-by: default avatarJoseph Yasi <joe.yasi@gmail.com>
      Reported-by: default avatarLingzhu Xiang <lxiang@redhat.com>
      Cc: Josh Boyer <jwboyer@redhat.com>
      Cc: Jeremy Kerr <jk@ozlabs.org>
      Cc: Matthew Garrett <mjg59@srcf.ucam.org>
      Signed-off-by: default avatarMatt Fleming <matt.fleming@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4040a8aa