1. 07 Apr, 2015 1 commit
    • Alexey Dobriyan's avatar
      xfrm: fix xfrm_input/xfrm_tunnel_check oops · 68c11e98
      Alexey Dobriyan authored
      https://bugzilla.kernel.org/show_bug.cgi?id=95211
      
      Commit 70be6c91
      ("xfrm: Add xfrm_tunnel_skb_cb to the skb common buffer") added check
      which dereferences ->outer_mode too early but larval SAs don't have
      this pointer set (yet). So check for tunnel stuff later.
      
      Mike Noordermeer reported this bug and patiently applied all the debugging.
      
      Technically this is remote-oops-in-interrupt-context type of thing.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000034
      IP: [<ffffffff8150dca2>] xfrm_input+0x3c2/0x5a0
      	...
      [<ffffffff81500fc6>] ? xfrm4_esp_rcv+0x36/0x70
      [<ffffffff814acc9a>] ? ip_local_deliver_finish+0x9a/0x200
      [<ffffffff81471b83>] ? __netif_receive_skb_core+0x6f3/0x8f0
      	...
      
      RIP  [<ffffffff8150dca2>] xfrm_input+0x3c2/0x5a0
      Kernel panic - not syncing: Fatal exception in interrupt
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      68c11e98
  2. 06 Apr, 2015 8 commits
    • Linus Torvalds's avatar
      Linux 4.0-rc7 · f22e6e84
      Linus Torvalds authored
      f22e6e84
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 442bb4ba
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) In TCP, don't register an FRTO for cumulatively ACK'd data that was
          previously SACK'd, from Neal Cardwell.
      
       2) Need to hold RNL mutex in ipv4 multicast code namespace cleanup,
          from Cong WANG.
      
       3) Similarly we have to hold RNL mutex for fib_rules_unregister(), also
          from Cong WANG.
      
       4) Revert and rework netns nsid allocation fix, from Nicolas Dichtel.
      
       5) When we encapsulate for a tunnel device, skb->sk still points to the
          user socket.  So this leads to cases where we retraverse the
          ipv4/ipv6 output path with skb->sk being of some other address
          family (f.e. AF_PACKET).  This can cause things to crash since the
          ipv4 output path is dereferencing an AF_PACKET socket as if it were
          an ipv4 one.
      
          The short term fix for 'net' and -stable is to elide these socket
          checks once we've entered an encapsulation sequence by testing
          xmit_recursion.
      
          Longer term we have a better solution wherein we pass the tunnel's
          socket down through the output paths, but that is way too invasive
          for 'net' and -stable.
      
          From Hannes Frederic Sowa.
      
       6) l2tp_init() failure path forgets to unregister per-net ops, from
          Cong WANG.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        net/mlx4_core: Fix error message deprecation for ConnectX-2 cards
        net: dsa: fix filling routing table from OF description
        l2tp: unregister l2tp_net_ops on failure path
        mvneta: dont call mvneta_adjust_link() manually
        ipv6: protect skb->sk accesses from recursive dereference inside the stack
        netns: don't allocate an id for dead netns
        Revert "netns: don't clear nsid too early on removal"
        ip6mr: call del_timer_sync() in ip6mr_free_table()
        net: move fib_rules_unregister() under rtnl lock
        ipv4: take rtnl_lock and mark mrt table as freed on namespace cleanup
        tcp: fix FRTO undo on cumulative ACK of SACKed range
        xen-netfront: transmit fully GSO-sized packets
      442bb4ba
    • Jack Morgenstein's avatar
      net/mlx4_core: Fix error message deprecation for ConnectX-2 cards · fde913e2
      Jack Morgenstein authored
      Commit 1daa4303 ("net/mlx4_core: Deprecate error message at
      ConnectX-2 cards startup to debug") did the deprecation only for port 1
      of the card. Need to deprecate for port 2 as well.
      
      Fixes: 1daa4303 ("net/mlx4_core: Deprecate error message at ConnectX-2 cards startup to debug")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarAmir Vadai <amirv@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fde913e2
    • Pavel Nakonechny's avatar
      net: dsa: fix filling routing table from OF description · 30303813
      Pavel Nakonechny authored
      According to description in 'include/net/dsa.h', in cascade switches
      configurations where there are more than one interconnected devices,
      'rtable' array in 'dsa_chip_data' structure is used to indicate which
      port on this switch should be used to send packets to that are destined
      for corresponding switch.
      
      However, dsa_of_setup_routing_table() fills 'rtable' with port numbers
      of the _target_ switch, but not current one.
      
      This commit removes redundant devicetree parsing and adds needed port
      number as a function argument. So dsa_of_setup_routing_table() now just
      looks for target switch number by parsing parent of 'link' device node.
      
      To remove possible misunderstandings with the way of determining target
      switch number, a corresponding comment was added to the source code and
      to the DSA device tree bindings documentation file.
      
      This was tested on a custom board with two Marvell 88E6095 switches with
      following corresponding routing tables: { -1, 10 } and { 8, -1 }.
      Signed-off-by: default avatarPavel Nakonechny <pavel.nakonechny@skitlab.ru>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30303813
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 9e441639
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "Updates for the input subsystem - two more tweaks for ALPS driver to
        work out kinks after splitting the touchpad, trackstick, and potential
        external PS/2 mouse into separate input devices.
      
        Changes to support ALPS SS4 devices (protocol V8) will be coming in
        4.1..."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: alps - document stick behavior for protocol V2
        Input: alps - report V2 Dualpoint Stick events via the right evdev node
        Input: alps - report interleaved bare PS/2 packets via dev3
      9e441639
    • WANG Cong's avatar
      67e04c29
    • Stas Sergeev's avatar
      mvneta: dont call mvneta_adjust_link() manually · ecf7b361
      Stas Sergeev authored
      mvneta_adjust_link() is a callback for of_phy_connect() and should
      not be called directly. The result of calling it directly is as below:
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ecf7b361
    • hannes@stressinduktion.org's avatar
      ipv6: protect skb->sk accesses from recursive dereference inside the stack · f60e5990
      hannes@stressinduktion.org authored
      We should not consult skb->sk for output decisions in xmit recursion
      levels > 0 in the stack. Otherwise local socket settings could influence
      the result of e.g. tunnel encapsulation process.
      
      ipv6 does not conform with this in three places:
      
      1) ip6_fragment: we do consult ipv6_npinfo for frag_size
      
      2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
         loop the packet back to the local socket
      
      3) ip6_skb_dst_mtu could query the settings from the user socket and
         force a wrong MTU
      
      Furthermore:
      In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
      PF_PACKET socket ontop of an IPv6-backed vxlan device.
      
      Reuse xmit_recursion as we are currently only interested in protecting
      tunnel devices.
      
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f60e5990
  3. 05 Apr, 2015 3 commits
  4. 04 Apr, 2015 3 commits
    • Linus Torvalds's avatar
      Merge tag 'usb-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · f8b3d8a5
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes and new device ids for 4.0-rc6.  Nothing
        major, some xhci fixes for reported problems, and some usb-serial
        device ids.
      
        All have been in linux-next for a while"
      
      * tag 'usb-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: ftdi_sio: Use jtag quirk for SNAP Connect E10
        usb: isp1760: fix spin unlock in the error path of isp1760_udc_start
        usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers
        usb: xhci: handle Config Error Change (CEC) in xhci driver
        USB: keyspan_pda: add new device id
        USB: ftdi_sio: Added custom PID for Synapse Wireless product
      f8b3d8a5
    • Linus Torvalds's avatar
      Merge tag 'staging-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 8eb6dcf9
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are some staging driver fixes, well, really all just IIO driver
        fixes, for 4.0-rc6.  They fix issues that have been reported with
        these drivers.
      
        All of these patches have been in linux-next for a while"
      
      * tag 'staging-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio: imu: Use iio_trigger_get for indio_dev->trig assignment
        iio: adc: vf610: use ADC clock within specification
        iio/adc/cc10001_adc.c: Fix !HAS_IOMEM build
        iio: core: Fix double free.
        iio:inv-mpu6050: Fix inconsistency for the scale channel
        staging: iio: dummy: Fix undefined symbol build error
        iio: inv_mpu6050: Clear timestamps fifo while resetting hardware fifo
        staging: iio: hmc5843: Set iio name property in sysfs
        iio: bmc150: change sampling frequency
        iio: fix drivers that check buffer->scan_mask
      8eb6dcf9
    • Linus Torvalds's avatar
      Merge tag 'tty-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · eca8258b
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are 3 serial driver fixes for 4.0-rc6.  They fix some reported
        issues with the samsung and fsl_lpuart drivers.
      
        All have been in linux-next for a while"
      
      * tag 'tty-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        tty: serial: fsl_lpuart: clear receive flag on FIFO flush
        tty: serial: fsl_lpuart: specify transmit FIFO size
        serial: samsung: Clear operation mode on UART shutdown
      eca8258b
  5. 03 Apr, 2015 12 commits
  6. 02 Apr, 2015 13 commits
    • Linus Torvalds's avatar
      Merge tag 'irqchip-fixes-4.0-2' of git://git.infradead.org/users/jcooper/linux · 4e8a4830
      Linus Torvalds authored
      Pull irqchip fixes from Jason Cooper:
       "This is the second round of fixes for irqchip.  It contains some fixes
        found while the arm64 guys were writing the kvm gicv3 its emulation.
      
        GICv3 ITS:
          - Small batch of fixes discovered while writing the kvm ITS emulation"
      
      * tag 'irqchip-fixes-4.0-2' of git://git.infradead.org/users/jcooper/linux:
        irqchip: gicv3-its: Use non-cacheable accesses when no shareability
        irqchip: gicv3-its: Fix PROP/PEND and BASE/CBASE confusion
        irqchip: gicv3-its: Fix device ID encoding
        irqchip: gicv3-its: Fix encoding of collection's target redistributor
      4e8a4830
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.0' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 51b52fac
      Dave Airlie authored
      Just two small fixes for radeon, both destined for stable.
      
      * 'drm-fixes-4.0' of git://people.freedesktop.org/~agd5f/linux:
        drm/radeon: fix wait in radeon_mn_invalidate_range_start
        drm/radeon: add extra check in radeon_ttm_tt_unpin_userptr
      51b52fac
    • Dave Airlie's avatar
      Merge branch 'exynos-drm-fixes' of... · 165b11bf
      Dave Airlie authored
      Merge branch 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes
      
      Fix display on issue to Exynos5250 based Snow(1366x768) board.
      
      * 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
        drm: Exynos: Respect framebuffer pitch for FIMD/Mixer
      165b11bf
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2015-04-02' of git://anongit.freedesktop.org/drm-intel into drm-fixes · 3fa50dc3
      Dave Airlie authored
      one oops fixes and a 0-length allocation fix from next backported.
      
      * tag 'drm-intel-fixes-2015-04-02' of git://anongit.freedesktop.org/drm-intel:
        drm/i915: Reject the colorkey ioctls for primary and cursor planes
        drm/i915: Skip allocating shadow batch for 0-length batches
      3fa50dc3
    • Dave Airlie's avatar
      Merge tag 'topic/drm-fixes-2015-04-02' of git://anongit.freedesktop.org/drm-intel into drm-fixes · c7d74874
      Dave Airlie authored
      Here's a single drm core fix, cc: stable, that affects i915
      users.
      
      * tag 'topic/drm-fixes-2015-04-02' of git://anongit.freedesktop.org/drm-intel:
        drm/edid: set ELD for firmware and debugfs override EDIDs
      c7d74874
    • Linus Torvalds's avatar
      Merge tag 'stable/for-linus-4.0-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · b0838b15
      Linus Torvalds authored
      Pull xen regression fixes from David Vrabel:
       "Fix two regressions in the balloon driver's use of memory hotplug when
        used in a PV guest"
      
      * tag 'stable/for-linus-4.0-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/balloon: before adding hotplugged memory, set frames to invalid
        x86/xen: prepare p2m list for memory hotplug
      b0838b15
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux · 1d514333
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
       "Fix memory corruption by pnv_alloc_idle_core_states"
      
      * tag 'powerpc-4.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
        powerpc: fix memory corruption by pnv_alloc_idle_core_states
      1d514333
    • Neal Cardwell's avatar
      tcp: fix FRTO undo on cumulative ACK of SACKed range · 666b8051
      Neal Cardwell authored
      On processing cumulative ACKs, the FRTO code was not checking the
      SACKed bit, meaning that there could be a spurious FRTO undo on a
      cumulative ACK of a previously SACKed skb.
      
      The FRTO code should only consider a cumulative ACK to indicate that
      an original/unretransmitted skb is newly ACKed if the skb was not yet
      SACKed.
      
      The effect of the spurious FRTO undo would typically be to make the
      connection think that all previously-sent packets were in flight when
      they really weren't, leading to a stall and an RTO.
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Fixes: e33099f9 ("tcp: implement RFC5682 F-RTO")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      666b8051
    • Linus Torvalds's avatar
      Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband · 06459fc0
      Linus Torvalds authored
      Pull infiniband/rdma fix from Roland Dreier:
       "Fix for exploitable integer overflow in uverbs interface"
      
      * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
        IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
      06459fc0
    • Jonathan Davies's avatar
      xen-netfront: transmit fully GSO-sized packets · 0c36820e
      Jonathan Davies authored
      xen-netfront limits transmitted skbs to be at most 44 segments in size. However,
      GSO permits up to 65536 bytes, which means a maximum of 45 segments of 1448
      bytes each. This slight reduction in the size of packets means a slight loss in
      efficiency.
      
      Since c/s 9ecd1a75, xen-netfront sets gso_max_size to
          XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER,
      where XEN_NETIF_MAX_TX_SIZE is 65535 bytes.
      
      The calculation used by tcp_tso_autosize (and also tcp_xmit_size_goal since c/s
      6c09fa09) in determining when to split an skb into two is
          sk->sk_gso_max_size - 1 - MAX_TCP_HEADER.
      
      So the maximum permitted size of an skb is calculated to be
          (XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER) - 1 - MAX_TCP_HEADER.
      
      Intuitively, this looks like the wrong formula -- we don't need two TCP headers.
      Instead, there is no need to deviate from the default gso_max_size of 65536 as
      this already accommodates the size of the header.
      
      Currently, the largest skb transmitted by netfront is 63712 bytes (44 segments
      of 1448 bytes each), as observed via tcpdump. This patch makes netfront send
      skbs of up to 65160 bytes (45 segments of 1448 bytes each).
      
      Similarly, the maximum allowable mtu does not need to subtract MAX_TCP_HEADER as
      it relates to the size of the whole packet, including the header.
      
      Fixes: 9ecd1a75 ("xen-netfront: reduce gso_max_size to account for max TCP header")
      Signed-off-by: default avatarJonathan Davies <jonathan.davies@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c36820e
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma · 0a481279
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "This time we have addition of caps for jz4740 which fixes intentional
        warning at boot.  Then we have memory leak issues in drivers using
        virt-dma by Peter on few drive"
      
      * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: moxart-dma: Fix memory leak when stopping a running transfer
        dmaengine: bcm2835-dma: Fix memory leak when stopping a running transfer
        dmaengine: omap-dma: Fix memory leak when terminating running transfer
        dmaengine: edma: fix memory leak when terminating running transfers
        dmaengine: jz4740: Define capabilities
      0a481279
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8172ba51
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix use-after-free with mac80211 RX A-MPDU reorder timer, from
          Johannes Berg.
      
       2) iwlwifi leaks memory every module load/unload cycles, fix from Larry
          Finger.
      
       3) Need to use for_each_netdev_safe() in rtnl_group_changelink()
          otherwise we can crash, from WANG Cong.
      
       4) mlx4 driver does register_netdev() too early in the probe sequence,
          from Ido Shamay.
      
       5) Don't allow router discovery hop limit to decrease the interface's
          hop limit, from D.S. Ljungmark.
      
       6) tx_packets and tx_bytes improperly accounted for certain classes of
          USB network devices, fix from Ben Hutchings.
      
       7) ip{6}mr_rules_init() mistakenly use plain kfree to release the ipmr
          tables in the error path, they must instead use ip{6}mr_free_table().
          Fix from WANG Cong.
      
       8) cxgb4 doesn't properly quiesce all RX activity before unregistering
          the netdevice.  Fix from Hariprasad Shenai.
      
       9) Fix hash corruptions in ipvlan driver, from Jiri Benc.
      
      10) nla_memcpy(), like a real memcpy, should fully initialize the
          destination buffer, even if the source attribute is smaller.  Fix
          from Jiri Benc.
      
      11) Fix wrong error code returned from iucv_sock_sendmsg().  We should
          use whatever sock_alloc_send_skb() put into 'err'.  From Eugene
          Crosser.
      
      12) Fix slab object leak on module unload in TIPC, from Ying Xue.
      
      13) Need a READ_ONCE() when reading the cached RX socket route in
          tcp_v{4,6}_early_demux().  From Michal Kubecek.
      
      14) Still too many problems with TPC support in the ath9k driver, so
          disable it for now.  From Felix Fietkau.
      
      15) When in AP mode the rtlwifi driver can leak DMA mappings, fix from
          Larry Finger.
      
      16) Missing kzalloc() failure check in gs_usb CAN driver, from Colin Ian
          King.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (52 commits)
        cxgb4: Fix to dump devlog, even if FW is crashed
        cxgb4: Firmware macro changes for fw verison 1.13.32.0
        bnx2x: Fix kdump when iommu=on
        bnx2x: Fix kdump on 4-port device
        mac80211: fix RX A-MPDU session reorder timer deletion
        MAINTAINERS: Update Intel Wired Ethernet Driver info
        tipc: fix a slab object leak
        net/usb/r8152: add device id for Lenovo TP USB 3.0 Ethernet
        af_iucv: fix AF_IUCV sendmsg() errno
        openvswitch: Return vport module ref before destruction
        netlink: pad nla_memcpy dest buffer with zeroes
        bonding: Bonding Overriding Configuration logic restored.
        ipvlan: fix check for IP addresses in control path
        ipvlan: do not use rcu operations for address list
        ipvlan: protect against concurrent link removal
        ipvlan: fix addr hash list corruption
        net: fec: setup right value for mdio hold time
        net: tcp6: fix double call of tcp_v6_fill_cb()
        cxgb4vf: Fix sparse warnings
        netns: don't clear nsid too early on removal
        ...
      8172ba51
    • Shachar Raindel's avatar
      IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic · 8494057a
      Shachar Raindel authored
      Properly verify that the resulting page aligned end address is larger
      than both the start address and the length of the memory area requested.
      
      Both the start and length arguments for ib_umem_get are controlled by
      the user. A misbehaving user can provide values which will cause an
      integer overflow when calculating the page aligned end address.
      
      This overflow can cause also miscalculation of the number of pages
      mapped, and additional logic issues.
      
      Addresses: CVE-2014-8159
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarShachar Raindel <raindel@mellanox.com>
      Signed-off-by: default avatarJack Morgenstein <jackm@mellanox.com>
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      8494057a