1. 12 Mar, 2015 7 commits
  2. 11 Mar, 2015 1 commit
  3. 04 Mar, 2015 3 commits
  4. 03 Mar, 2015 17 commits
  5. 02 Mar, 2015 12 commits
    • Hans de Goede's avatar
      ideapad-laptop: Change Lenovo Yoga 2 series rfkill handling · f58ad536
      Hans de Goede authored
      commit ce363c2b upstream.
      
      It seems that the same problems which lead to adding an rfkill blacklist and
      putting the Lenovo Yoga 2 11 on it are also present on the Lenovo Yoga 2 13
      and Lenovo Yoga 2 Pro too:
      https://bugzilla.redhat.com/show_bug.cgi?id=1021036
      https://forums.lenovo.com/t5/Linux-Discussion/Yoga-2-13-not-Pro-Linux-Warning/m-p/1517612
      
      Testing has shown that the firmware rfkill settings are persistent over
      reboots. So blacklisting the driver is not good enough, if the wifi is blocked
      at the firmware level the wifi needs to be explictly unblocked through the
      ideapad-laptop interface.
      
      And at least on the Lenovo Yoga 2 13 the VPCCMD_RF register which on devices
      with hardware kill switch reports the hardware switch state, needs to be
      explictly set to 1 (radio enabled / not blocked).
      
      So this patch does 3 things to get proper rfkill handling on these models:
      
      1) Instead of blacklisting the rfkill functionality, which means that people
      with a firmware blocked wifi get stuck in that situation, ignore the value
      reported by the not present hardware rfkill switch, as this is what is causing
      ideapad-laptop to wrongly report all radios as hardware blocks. But do register
      the rfkill interfaces so that the user can soft [un]block them.
      
      2) On models without a hardware rfkill switch, explictly set VPCCMD_RF to 1
      
      3) Drop the " 11" postfix from the dmi match string, as the entire Yoga 2
      series is affected.
      
      Yoga 2 11:
      Reported-and-tested-by: default avatarVincent Gerris <vgerris@gmail.com>
      
      Yoga 2 13:
      Tested-by: madls05 <http://ubuntuforums.org/showthread.php?t=2215044>
      
      Yoga 2 Pro:
      Reported-and-tested-by: default avatarPeter F. Patel-Schneider <pfpschneider@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
      Cc: Gaudenz Steinlin <gaudenz@debian.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f58ad536
    • Daniel Borkmann's avatar
      ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs · c562e7c8
      Daniel Borkmann authored
      commit 4c672e4b upstream.
      
      It has been reported that generating an MLD listener report on
      devices with large MTUs (e.g. 9000) and a high number of IPv6
      addresses can trigger a skb_over_panic():
      
      skbuff: skb_over_panic: text:ffffffff80612a5d len:3776 put:20
      head:ffff88046d751000 data:ffff88046d751010 tail:0xed0 end:0xec0
      dev:port1
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:100!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: ixgbe(O)
      CPU: 3 PID: 0 Comm: swapper/3 Tainted: G O 3.14.23+ #4
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff80578226>] ? skb_put+0x3a/0x3b
       [<ffffffff80612a5d>] ? add_grhead+0x45/0x8e
       [<ffffffff80612e3a>] ? add_grec+0x394/0x3d4
       [<ffffffff80613222>] ? mld_ifc_timer_expire+0x195/0x20d
       [<ffffffff8061308d>] ? mld_dad_timer_expire+0x45/0x45
       [<ffffffff80255b5d>] ? call_timer_fn.isra.29+0x12/0x68
       [<ffffffff80255d16>] ? run_timer_softirq+0x163/0x182
       [<ffffffff80250e6f>] ? __do_softirq+0xe0/0x21d
       [<ffffffff8025112b>] ? irq_exit+0x4e/0xd3
       [<ffffffff802214bb>] ? smp_apic_timer_interrupt+0x3b/0x46
       [<ffffffff8063f10a>] ? apic_timer_interrupt+0x6a/0x70
      
      mld_newpack() skb allocations are usually requested with dev->mtu
      in size, since commit 72e09ad1 ("ipv6: avoid high order allocations")
      we have changed the limit in order to be less likely to fail.
      
      However, in MLD/IGMP code, we have some rather ugly AVAILABLE(skb)
      macros, which determine if we may end up doing an skb_put() for
      adding another record. To avoid possible fragmentation, we check
      the skb's tailroom as skb->dev->mtu - skb->len, which is a wrong
      assumption as the actual max allocation size can be much smaller.
      
      The IGMP case doesn't have this issue as commit 57e1ab6e
      ("igmp: refine skb allocations") stores the allocation size in
      the cb[].
      
      Set a reserved_tailroom to make it fit into the MTU and use
      skb_availroom() helper instead. This also allows to get rid of
      igmp_skb_size().
      Reported-by: default avatarWei Liu <lw1a2.jing@gmail.com>
      Fixes: 72e09ad1 ("ipv6: avoid high order allocations")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: David L Stevens <david.stevens@oracle.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c562e7c8
    • Johan Hovold's avatar
      gpio: sysfs: fix gpio attribute-creation race · 58409c4e
      Johan Hovold authored
      commit ebbeba12 upstream.
      
      Fix attribute-creation race with userspace by using the default group
      to create also the contingent gpio device attributes.
      
      Fixes: d8f388d8 ("gpio: sysfs interface")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [ luis: backported to 3.16:
        - all changes in drivers/gpio/gpiolib.c
        - adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      58409c4e
    • Daniel Borkmann's avatar
      net: sctp: fix race for one-to-many sockets in sendmsg's auto associate · 11fd056b
      Daniel Borkmann authored
      commit 2061dcd6 upstream.
      
      I.e. one-to-many sockets in SCTP are not required to explicitly
      call into connect(2) or sctp_connectx(2) prior to data exchange.
      Instead, they can directly invoke sendmsg(2) and the SCTP stack
      will automatically trigger connection establishment through 4WHS
      via sctp_primitive_ASSOCIATE(). However, this in its current
      implementation is racy: INIT is being sent out immediately (as
      it cannot be bundled anyway) and the rest of the DATA chunks are
      queued up for later xmit when connection is established, meaning
      sendmsg(2) will return successfully. This behaviour can result
      in an undesired side-effect that the kernel made the application
      think the data has already been transmitted, although none of it
      has actually left the machine, worst case even after close(2)'ing
      the socket.
      
      Instead, when the association from client side has been shut down
      e.g. first gracefully through SCTP_EOF and then close(2), the
      client could afterwards still receive the server's INIT_ACK due
      to a connection with higher latency. This INIT_ACK is then considered
      out of the blue and hence responded with ABORT as there was no
      alive assoc found anymore. This can be easily reproduced f.e.
      with sctp_test application from lksctp. One way to fix this race
      is to wait for the handshake to actually complete.
      
      The fix defers waiting after sctp_primitive_ASSOCIATE() and
      sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
      from sctp_sendmsg() have already been placed into the output
      queue through the side-effect interpreter, and therefore can then
      be bundeled together with COOKIE_ECHO control chunks.
      
      strace from example application (shortened):
      
      socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
                 msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
      close(3) = 0
      
      tcpdump before patch (fooling the application):
      
      22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
      22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
      22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
      
      tcpdump after patch:
      
      14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
      14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
      14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
      14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
      14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
      14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
      14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
      14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
      14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
      14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
      14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
      
      Looks like this bug is from the pre-git history museum. ;)
      
      Fixes: 08707d54 ("lksctp-2_5_31-0_5_1.patch")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      11fd056b
    • Alexander Duyck's avatar
      fib_trie: Fix /proc/net/fib_trie when CONFIG_IP_MULTIPLE_TABLES is not defined · 952a63d1
      Alexander Duyck authored
      commit a5a519b2 upstream.
      
      In recent testing I had disabled CONFIG_IP_MULTIPLE_TABLES and as a result
      when I ran "cat /proc/net/fib_trie" the main trie was displayed multiple
      times.  I found that the problem line of code was in the function
      fib_trie_seq_next.  Specifically the line below caused the indexes to go in
      the opposite direction of our traversal:
      
      	h = tb->tb_id & (FIB_TABLE_HASHSZ - 1);
      
      This issue was that the RT tables are defined such that RT_TABLE_LOCAL is ID
      255, while it is located at TABLE_LOCAL_INDEX of 0, and RT_TABLE_MAIN is 254
      with a TABLE_MAIN_INDEX of 1.  This means that the above line will return 1
      for the local table and 0 for main.  The result is that fib_trie_seq_next
      will return NULL at the end of the local table, fib_trie_seq_start will
      return the start of the main table, and then fib_trie_seq_next will loop on
      main forever as h will always return 0.
      
      The fix for this is to reverse the ordering of the two tables.  It has the
      advantage of making it so that the tables now print in the same order
      regardless of if multiple tables are enabled or not.  In order to make the
      definition consistent with the multiple tables case I simply masked the to
      RT_TABLE_XXX values by (FIB_TABLE_HASHSZ - 1).  This way the two table
      layouts should always stay consistent.
      
      Fixes: 93456b6d ("[IPV4]: Unify access to the routing tables")
      Signed-off-by: default avatarAlexander Duyck <alexander.h.duyck@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      952a63d1
    • Seth Forshee's avatar
      HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events · 06edf928
      Seth Forshee authored
      commit 6d00f37e upstream.
      
      d1c7e29e (HID: i2c-hid: prevent buffer overflow in early IRQ)
      changed hid_get_input() to read ihid->bufsize bytes, which can be
      more than wMaxInputLength. This is the case with the Dell XPS 13
      9343, and it is causing events to be missed. In some cases the
      missed events are releases, which can cause the cursor to jump or
      freeze, among other problems. Limit the number of bytes read to
      min(wMaxInputLength, ihid->bufsize) to prevent such problems.
      
      Fixes: d1c7e29e "HID: i2c-hid: prevent buffer overflow in early IRQ"
      Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      06edf928
    • Sasha Levin's avatar
      net: rds: use correct size for max unacked packets and bytes · 065f3735
      Sasha Levin authored
      commit db27ebb1 upstream.
      
      Max unacked packets/bytes is an int while sizeof(long) was used in the
      sysctl table.
      
      This means that when they were getting read we'd also leak kernel memory
      to userspace along with the timeout values.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Moritz Muehlenhoff <jmm@inutil.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      065f3735
    • Sasha Levin's avatar
      net: llc: use correct size for sysctl timeout entries · 42182789
      Sasha Levin authored
      commit 6b8d9117 upstream.
      
      The timeout entries are sizeof(int) rather than sizeof(long), which
      means that when they were getting read we'd also leak kernel memory
      to userspace along with the timeout values.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Moritz Muehlenhoff <jmm@inutil.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      42182789
    • Andrew Elble's avatar
      GFS2: Fix crash during ACL deletion in acl max entry check in gfs2_set_acl() · 9e2feaeb
      Andrew Elble authored
      commit 27870207 upstream.
      
      Fixes: e01580bf ("gfs2: use generic posix ACL infrastructure")
      Reported-by: default avatarEric Meddaugh <etmsys@rit.edu>
      Tested-by: default avatarEric Meddaugh <etmsys@rit.edu>
      Signed-off-by: default avatarAndrew Elble <aweits@rit.edu>
      Signed-off-by: default avatarSteven Whitehouse <swhiteho@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9e2feaeb
    • Dan Carpenter's avatar
      ALSA: off by one bug in snd_riptide_joystick_probe() · 3a87ac14
      Dan Carpenter authored
      commit e4940626 upstream.
      
      The problem here is that we check:
      
      	if (dev >= SNDRV_CARDS)
      
      Then we increment "dev".
      
             if (!joystick_port[dev++])
      
      Then we use it as an offset into a array with SNDRV_CARDS elements.
      
      	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {
      
      This has 3 effects:
      1) If you use the module option to specify the joystick port then it has
         to be shifted one space over.
      2) The wrong error message will be printed on failure if you have over
         32 cards.
      3) Static checkers will correctly complain that are off by one.
      
      Fixes: db1005ec ('ALSA: riptide - Fix joystick resource handling')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3a87ac14
    • Uwe Kleine-König's avatar
      pinctrl: pinctrl-imx: don't use invalid value of conf_reg · dd89ea7a
      Uwe Kleine-König authored
      commit 4ff0f034 upstream.
      
      The right check for conf_reg to be invalid it testing against -1 not 0
      as is done in the rest of the driver.
      
      This fixes an oops that can be triggered by:
      
      	cat /sys/kernel/debug/pinctrl/43fac000.iomuxc/*
      
      Fixes: ae75ff81 ("pinctrl: pinctrl-imx: add imx pinctrl core driver")
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [ luis: backported to 3.16:
        - file rename: drivers/pinctrl/freescale/pinctrl-imx.c ->
          drivers/pinctrl/pinctrl-imx.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      dd89ea7a
    • Gavin Shan's avatar
      powerpc/kernel: Avoid memory corruption at early stage · 79e43709
      Gavin Shan authored
      commit 6f20e7f2 upstream.
      
      When calling to early_setup(), we pick "boot_paca" up for the master CPU
      and initialize that with initialise_paca(). At that point, the SLB
      shadow buffer isn't populated yet. Updating the SLB shadow buffer should
      corrupt what we had in physical address 0 where the trap instruction is
      usually stored.
      
      This hasn't been observed to cause any trouble in practice, but is
      obviously fishy.
      
      Fixes: 6f4441ef ("powerpc: Dynamically allocate slb_shadow from memblock")
      Signed-off-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      79e43709