1. 23 Jun, 2014 9 commits
    • [SCSI] megaraid: Use resource_size_t for PCI resources, not long · 9ddfb780
      Ben Collins authored
      commit 11f8a7b3 upstream.
      
      The assumption that sizeof(long) >= sizeof(resource_size_t) can lead to
      truncation of the PCI resource address, meaning this driver didn't work
      on 32-bit systems with 64-bit PCI addressing ranges.
      Signed-off-by: Ben Collins <ben.c@servergy.com>
      Acked-by: Sumit Saxena <sumit.saxena@lsi.com>
      Signed-off-by: James Bottomley <JBottomley@Parallels.com>
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • auditsc: audit_krule mask accesses need bounds checking · d30e7212
      Andy Lutomirski authored
      commit a3c54931 upstream.
      
      Fixes an easy DoS and possible information disclosure.
      
      This does nothing about the broken state of x32 auditing.
      
      eparis: If the admin has enabled auditd and has specifically loaded
      audit rules.  This bug has been around since before git.  Wow...
      Signed-off-by: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • fs,userns: Change inode_capable to capable_wrt_inode_uidgid · 841c4562
      Andy Lutomirski authored
      commit 23adbe12 upstream.
      
      The kernel has no concept of capabilities with respect to inodes; inodes
      exist independently of namespaces.  For example, inode_capable(inode,
      CAP_LINUX_IMMUTABLE) would be nonsense.
      
      This patch changes inode_capable to check for uid and gid mappings and
      renames it to capable_wrt_inode_uidgid, which should make it more
      obvious what it does.
      
      Fixes CVE-2014-4014.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Dave Chinner <david@fromorbit.com>
      Signed-off-by: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [ luis: backported to 3.11: based on 3.10 backport ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • hwmon: (ntc_thermistor) Fix OF device ID mapping · 7f7129a7
      Jean Delvare authored
      commit ead82d67 upstream.
      
      The mapping from OF device IDs to platform device IDs is wrong.
      TYPE_NCPXXWB473 is 0, TYPE_NCPXXWL333 is 1, so
      ntc_thermistor_id[TYPE_NCPXXWB473] is { "ncp15wb473", TYPE_NCPXXWB473 }
      while
      ntc_thermistor_id[TYPE_NCPXXWL333] is { "ncp18wb473", TYPE_NCPXXWB473 }.
      
      So the name is wrong for all but the "ntc,ncp15wb473" entry, and the
      type is wrong for the "ntc,ncp15wl333" entry.
      
      So map the entries by index, it is neither elegant nor robust but at
      least it is correct.
      Signed-off-by: Jean Delvare <jdelvare@suse.de>
      Fixes: 9e8269de hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Cc: Naveen Krishna Chatradhi <ch.naveen@samsung.com>
      Cc: Doug Anderson <dianders@chromium.org>
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • hwmon: (ntc_thermistor) Fix dependencies · ce7b1171
      Jean Delvare authored
      commit 59cf4243 upstream.
      
      In commit 9e8269de, support was added for ntc_thermistor devices being
      declared in the device tree and implemented on top of IIO. With that
      change, a dependency was added to the ntc_thermistor driver:
      
      	depends on (!OF && !IIO) || (OF && IIO)
      
      This construct has the drawback that the driver can no longer be
      selected when OF is set and IIO isn't, nor when IIO is set and OF is
      not. This is a regression for the original users of the driver.
      
      As the new code depends on IIO and is useless without OF, include it
      only if both are enabled, and set the dependencies accordingly. This
      is clearer, more simple and more correct.
      Signed-off-by: Jean Delvare <jdelvare@suse.de>
      Fixes: 9e8269de hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Cc: Naveen Krishna Chatradhi <ch.naveen@samsung.com>
      Cc: Doug Anderson <dianders@chromium.org>
      [ luis: backported to 3.11: adjusted context ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • perf: Fix race in removing an event · 2cacba42
      Peter Zijlstra authored
      commit 46ce0fe9 upstream.
      
      When removing a (sibling) event we do:
      
      	raw_spin_lock_irq(&ctx->lock);
      	perf_group_detach(event);
      	raw_spin_unlock_irq(&ctx->lock);
      
      	<hole>
      
      	perf_remove_from_context(event);
      		raw_spin_lock_irq(&ctx->lock);
      		...
      		raw_spin_unlock_irq(&ctx->lock);
      
      Now, assuming the event is a sibling, it will be 'unreachable' for
      things like ctx_sched_out() because that iterates the
      groups->siblings, and we just unhooked the sibling.
      
      So, if during <hole> we get ctx_sched_out(), it will miss the event
      and not call event_sched_out() on it, leaving it programmed on the
      PMU.
      
      The subsequent perf_remove_from_context() call will find the ctx is
      inactive and only call list_del_event() to remove the event from all
      other lists.
      
      Hereafter we can proceed to free the event; while still programmed!
      
      Close this hole by moving perf_group_detach() inside the same
      ctx->lock region(s) perf_remove_from_context() has.
      
      The condition on inherited events only in __perf_event_exit_task() is
      likely complete crap because non-inherited events are part of groups
      too and we're tearing down just the same. But leave that for another
      patch.
      
      Most-likely-Fixes: e03a9a55 ("perf: Change close() semantics for group events")
      Reported-by: Vince Weaver <vincent.weaver@maine.edu>
      Tested-by: Vince Weaver <vincent.weaver@maine.edu>
      Much-staring-at-traces-by: Vince Weaver <vincent.weaver@maine.edu>
      Much-staring-at-traces-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/20140505093124.GN17778@laptop.programming.kicks-ass.net
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      [ luis: backported to 3.11: adjusted context ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • MIPS: asm: thread_info: Add _TIF_SECCOMP flag · 6a0370c8
      Markos Chandras authored
      commit 137f7df8 upstream.
      
      Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate
      that the system call needs to be checked against a seccomp filter.
      Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
      Reviewed-by: Paul Burton <paul.burton@imgtec.com>
      Reviewed-by: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/6405/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      [ luis: backported to 3.11: adjusted context ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • mm: compaction: detect when scanners meet in isolate_freepages · c4e3efce
      Vlastimil Babka authored
      commit 7ed695e0 upstream.
      
      Compaction of a zone is finished when the migrate scanner (which begins
      at the zone's lowest pfn) meets the free page scanner (which begins at
      the zone's highest pfn).  This is detected in compact_zone() and in the
      case of direct compaction, the compact_blockskip_flush flag is set so
      that kswapd later resets the cached scanner pfn's, and a new compaction
      may again start at the zone's borders.
      
      The meeting of the scanners can happen during either scanner's activity.
      However, it may currently fail to be detected when it occurs in the free
      page scanner, due to two problems.  First, isolate_freepages() keeps
      free_pfn at the highest block where it isolated pages from, for the
      purposes of not missing the pages that are returned back to allocator
      when migration fails.  Second, failing to isolate enough free pages due
      to scanners meeting results in -ENOMEM being returned by
      migrate_pages(), which makes compact_zone() bail out immediately without
      calling compact_finished() that would detect scanners meeting.
      
      This failure to detect scanners meeting might result in repeated
      attempts at compaction of a zone that keep starting from the cached
      pfn's close to the meeting point, and quickly failing through the
      -ENOMEM path, without the cached pfns being reset, over and over.  This
      has been observed (through additional tracepoints) in the third phase of
      the mmtests stress-highalloc benchmark, where the allocator runs on an
      otherwise idle system.  The problem was observed in the DMA32 zone,
      which was used as a fallback to the preferred Normal zone, but on the
      4GB system it was actually the largest zone.  The problem is even
      amplified for such fallback zone - the deferred compaction logic, which
      could (after being fixed by a previous patch) reset the cached scanner
      pfn's, is only applied to the preferred zone and not for the fallbacks.
      
      The problem in the third phase of the benchmark was further amplified by
      commit 81c0a2bb ("mm: page_alloc: fair zone allocator policy") which
      resulted in a non-deterministic regression of the allocation success
      rate from ~85% to ~65%.  This occurs in about half of benchmark runs,
      making bisection problematic.  It is unlikely that the commit itself is
      buggy, but it should put more pressure on the DMA32 zone during phases 1
      and 2, which may leave it more fragmented in phase 3 and expose the bugs
      that this patch fixes.
      
      The fix is to make scanners meeting in isolate_freepage() stay that way,
      and to check in compact_zone() for scanners meeting when migrate_pages()
      returns -ENOMEM.  The result is that compact_finished() also detects
      scanners meeting and sets the compact_blockskip_flush flag to make
      kswapd reset the scanner pfn's.
      
      The results in stress-highalloc benchmark show that the "regression" by
      commit 81c0a2bb in phase 3 no longer occurs, and phase 1 and 2
      allocation success rates are also significantly improved.
      Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [ luis: backported to 3.11: based on vbabka's backport for 3.10 ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • mm: compaction: reset cached scanner pfn's before reading them · 8c446668
      Vlastimil Babka authored
      commit d3132e4b upstream.
      
      Compaction caches pfn's for its migrate and free scanners to avoid
      scanning the whole zone each time.  In compact_zone(), the cached values
      are read to set up initial values for the scanners.  There are several
      situations when these cached pfn's are reset to the first and last pfn
      of the zone, respectively.  One of these situations is when a compaction
      has been deferred for a zone and is now being restarted during a direct
      compaction, which is also done in compact_zone().
      
      However, compact_zone() currently reads the cached pfn's *before*
      resetting them.  This means the reset doesn't affect the compaction that
      performs it, and with good chance also subsequent compactions, as
      update_pageblock_skip() is likely to be called and update the cached
      pfn's to those being processed.  Another chance for a successful reset
      is when a direct compaction detects that migration and free scanners
      meet (which has its own problems addressed by another patch) and sets
      update_pageblock_skip flag which kswapd uses to do the reset because it
      goes to sleep.
      
      This is clearly a bug that results in non-deterministic behavior, so
      this patch moves the cached pfn reset to be performed *before* the
      values are read.
      Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
      Acked-by: Mel Gorman <mgorman@suse.de>
      Acked-by: Rik van Riel <riel@redhat.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [ luis: backported to 3.11: used vbabka's backport for 3.10 ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
  2. 12 Jun, 2014 3 commits
    • target: Allow READ_CAPACITY opcode in ALUA Standby access state · fc177e7c
      Nicholas Bellinger authored
      commit e7810c2d upstream.
      
      This patch allows READ_CAPACITY + SAI_READ_CAPACITY_16 opcode
      processing to occur while the associated ALUA group is in Standby
      access state.
      
      This is required to avoid host side LUN probe failures during the
      initial scan if an ALUA group has already implicitly changed into
      Standby access state.
      
      This addresses a bug reported by Chris + Philip using dm-multipath
      + ESX hosts configured with ALUA multipath.
      
      (Drop v3.15 specific set_ascq usage - nab)
      Reported-by: Chris Boot <crb@tiger-computing.co.uk>
      Reported-by: Philip Gaw <pgaw@darktech.org.uk>
      Cc: Chris Boot <crb@tiger-computing.co.uk>
      Cc: Philip Gaw <pgaw@darktech.org.uk>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.11: Used nab's backport to 3.10 ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • iser-target: Fix multi network portal shutdown regression · 0af3a40f
      Nicholas Bellinger authored
      commit 2363d196 upstream.
      
      This patch fixes an iser-target specific regression introduced in
      v3.15-rc6 with:
      
      commit 14f4b54f
      Author: Sagi Grimberg <sagig@mellanox.com>
      Date:   Tue Apr 29 13:13:47 2014 +0300
      
          Target/iscsi,iser: Avoid accepting transport connections during stop stage
      
      where the change to set iscsi_np->enabled = false within
      iscsit_clear_tpg_np_login_thread() meant that an iscsi_np with
      two iscsi_tpg_np exports would have its parent iscsi_np set
      to a disabled state, even if other iscsi_tpg_np exports still
      existed.
      
      This patch changes iscsit_clear_tpg_np_login_thread() to only
      set iscsi_np->enabled = false when shutdown = true, and also
      changes iscsit_del_np() to set iscsi_np->enabled = true when
      iscsi_np->np_exports is non zero.
      
      (Fix up context changes for v3.10.y - nab)
      
      Cc: Sagi Grimberg <sagig@dev.mellanox.co.il>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.11: Used nab's backport to 3.10 ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    • Target/iscsi,iser: Avoid accepting transport connections during stop stage · 43c10f49
      Sagi Grimberg authored
      commit 14f4b54f upstream.
      
      When the target is in stop stage, iSER transport initiates RDMA disconnects.
      The iSER initiator may wish to establish a new connection over the
      still existing network portal. In this case iSER transport should not
      accept and resume new RDMA connections. In order to learn that, iscsi_np
      is added with enabled flag so the iSER transport can check when deciding
      whether to accept and resume a new connection request.
      
      The iscsi_np is enabled after successful transport setup, and disabled
      before iscsi_np login threads are cleaned up.
      
      (Fix up context changes for v3.10.y - nab)
      Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.11: Used nab's backport to 3.10 ]
      Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
  3. 09 Jun, 2014 28 commits