1. 12 Feb, 2016 4 commits
  2. 11 Feb, 2016 5 commits
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · c05235d5
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       - Probe errorpath fix for the Altera
       - irqchip ofnode pointer added to the DaVinci driver
       - controller instance number correction for DaVinci
      
      * tag 'gpio-v4.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: davinci: Fix the number of controllers allocated
        gpio: davinci: Add the missing of-node pointer
        gpio: gpio-altera: Remove gpiochip on probe failure.
      c05235d5
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.5-3' of... · da2f912a
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86
      
      Pull x86 platform driver fixes from Darren Hart:
       "Just two small fixes for the 4.5-rc cycle:
      
        intel_scu_ipcutil:
         - underflow in scu_reg_access()
      
        intel-hid:
         - fix incorrect entries in intel_hid_keymap"
      
      * tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
        intel_scu_ipcutil: underflow in scu_reg_access()
        intel-hid: fix incorrect entries in intel_hid_keymap
      da2f912a
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 5de6ac75
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix BPF handling of branch offset adjustmnets on backjumps, from
          Daniel Borkmann.
      
       2) Make sure selinux knows about SOCK_DESTROY netlink messages, from
          Lorenzo Colitti.
      
       3) Fix openvswitch tunnel mtu regression, from David Wragg.
      
       4) Fix ICMP handling of TCP sockets in syn_recv state, from Eric
          Dumazet.
      
       5) Fix SCTP user hmacid byte ordering bug, from Xin Long.
      
       6) Fix recursive locking in ipv6 addrconf, from Subash Abhinov
          Kasiviswanathan.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        bpf: fix branch offset adjustment on backjumps after patching ctx expansion
        vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices
        geneve: Relax MTU constraints
        vxlan: Relax MTU constraints
        flow_dissector: Fix unaligned access in __skb_flow_dissector when used by eth_get_headlen
        of: of_mdio: Add marvell, 88e1145 to whitelist of PHY compatibilities.
        selinux: nlmsgtab: add SOCK_DESTROY to the netlink mapping tables
        sctp: translate network order to host order when users get a hmacid
        enic: increment devcmd2 result ring in case of timeout
        tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs
        net:Add sysctl_max_skb_frags
        tcp: do not drop syn_recv on all icmp reports
        ipv6: fix a lockdep splat
        unix: correctly track in-flight fds in sending process user_struct
        update be2net maintainers' email addresses
        dwc_eth_qos: Reset hardware before PHY start
        ipv6: addrconf: Fix recursive spin lock call
      5de6ac75
    • David Sterba's avatar
      btrfs: properly set the termination value of ctx->pos in readdir · bc4ef759
      David Sterba authored
      The value of ctx->pos in the last readdir call is supposed to be set to
      INT_MAX due to 32bit compatibility, unless 'pos' is intentially set to a
      larger value, then it's LLONG_MAX.
      
      There's a report from PaX SIZE_OVERFLOW plugin that "ctx->pos++"
      overflows (https://forums.grsecurity.net/viewtopic.php?f=1&t=4284), on a
      64bit arch, where the value is 0x7fffffffffffffff ie. LLONG_MAX before
      the increment.
      
      We can get to that situation like that:
      
      * emit all regular readdir entries
      * still in the same call to readdir, bump the last pos to INT_MAX
      * next call to readdir will not emit any entries, but will reach the
        bump code again, finds pos to be INT_MAX and sets it to LLONG_MAX
      
      Normally this is not a problem, but if we call readdir again, we'll find
      'pos' set to LLONG_MAX and the unconditional increment will overflow.
      
      The report from Victor at
      (http://thread.gmane.org/gmane.comp.file-systems.btrfs/49500) with debugging
      print shows that pattern:
      
       Overflow: e
       Overflow: 7fffffff
       Overflow: 7fffffffffffffff
       PAX: size overflow detected in function btrfs_real_readdir
         fs/btrfs/inode.c:5760 cicus.935_282 max, count: 9, decl: pos; num: 0;
         context: dir_context;
       CPU: 0 PID: 2630 Comm: polkitd Not tainted 4.2.3-grsec #1
       Hardware name: Gigabyte Technology Co., Ltd. H81ND2H/H81ND2H, BIOS F3 08/11/2015
        ffffffff81901608 0000000000000000 ffffffff819015e6 ffffc90004973d48
        ffffffff81742f0f 0000000000000007 ffffffff81901608 ffffc90004973d78
        ffffffff811cb706 0000000000000000 ffff8800d47359e0 ffffc90004973ed8
       Call Trace:
        [<ffffffff81742f0f>] dump_stack+0x4c/0x7f
        [<ffffffff811cb706>] report_size_overflow+0x36/0x40
        [<ffffffff812ef0bc>] btrfs_real_readdir+0x69c/0x6d0
        [<ffffffff811dafc8>] iterate_dir+0xa8/0x150
        [<ffffffff811e6d8d>] ? __fget_light+0x2d/0x70
        [<ffffffff811dba3a>] SyS_getdents+0xba/0x1c0
       Overflow: 1a
        [<ffffffff811db070>] ? iterate_dir+0x150/0x150
        [<ffffffff81749b69>] entry_SYSCALL_64_fastpath+0x12/0x83
      
      The jump from 7fffffff to 7fffffffffffffff happens when new dir entries
      are not yet synced and are processed from the delayed list. Then the code
      could go to the bump section again even though it might not emit any new
      dir entries from the delayed list.
      
      The fix avoids entering the "bump" section again once we've finished
      emitting the entries, both for synced and delayed entries.
      
      References: https://forums.grsecurity.net/viewtopic.php?f=1&t=4284Reported-by: default avatarVictor <services@swwu.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Tested-by: default avatarHolger Hoffstätte <holger.hoffstaette@googlemail.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      bc4ef759
    • Chris Mason's avatar
      Merge branch 'integration-4.5' of... · 43d871f0
      Chris Mason authored
      Merge branch 'integration-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/fdmanana/linux into for-linus-4.5
      43d871f0
  3. 10 Feb, 2016 15 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · 721675fc
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "A few more minor fixes for rc3:
      
         - One fix to ipoib
         - One fix to core sysfs code
         - Four patches that resolve an oops found in testing of ocrdma and a
           couple other ocrdma issues"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        RDMA/ocrdma: Fixing ocrdma debugfs directory remove
        RDMA/ocrdma: Fix pkey_index returned by driver in rq work completion
        RDMA/ocrdma: populate max_sge_rd in device attributes
        RDMA/ocrdma: Initialize stats resources in the driver before ib device registration.
        IB/sysfs: remove unused va_list args
        IB/IPoIB: Do not set skb truesize since using one linearskb
      721675fc
    • Daniel Borkmann's avatar
      bpf: fix branch offset adjustment on backjumps after patching ctx expansion · a1b14d27
      Daniel Borkmann authored
      When ctx access is used, the kernel often needs to expand/rewrite
      instructions, so after that patching, branch offsets have to be
      adjusted for both forward and backward jumps in the new eBPF program,
      but for backward jumps it fails to account the delta. Meaning, for
      example, if the expansion happens exactly on the insn that sits at
      the jump target, it doesn't fix up the back jump offset.
      
      Analysis on what the check in adjust_branches() is currently doing:
      
        /* adjust offset of jmps if necessary */
        if (i < pos && i + insn->off + 1 > pos)
          insn->off += delta;
        else if (i > pos && i + insn->off + 1 < pos)
          insn->off -= delta;
      
      First condition (forward jumps):
      
        Before:                         After:
      
        insns[0]                        insns[0]
        insns[1] <--- i/insn            insns[1] <--- i/insn
        insns[2] <--- pos               insns[P] <--- pos
        insns[3]                        insns[P]  `------| delta
        insns[4] <--- target_X          insns[P]   `-----|
        insns[5]                        insns[3]
                                        insns[4] <--- target_X
                                        insns[5]
      
      First case is if we cross pos-boundary and the jump instruction was
      before pos. This is handeled correctly. I.e. if i == pos, then this
      would mean our jump that we currently check was the patchlet itself
      that we just injected. Since such patchlets are self-contained and
      have no awareness of any insns before or after the patched one, the
      delta is correctly not adjusted. Also, for the second condition in
      case of i + insn->off + 1 == pos, means we jump to that newly patched
      instruction, so no offset adjustment are needed. That part is correct.
      
      Second condition (backward jumps):
      
        Before:                         After:
      
        insns[0]                        insns[0]
        insns[1] <--- target_X          insns[1] <--- target_X
        insns[2] <--- pos <-- target_Y  insns[P] <--- pos <-- target_Y
        insns[3]                        insns[P]  `------| delta
        insns[4] <--- i/insn            insns[P]   `-----|
        insns[5]                        insns[3]
                                        insns[4] <--- i/insn
                                        insns[5]
      
      Second interesting case is where we cross pos-boundary and the jump
      instruction was after pos. Backward jump with i == pos would be
      impossible and pose a bug somewhere in the patchlet, so the first
      condition checking i > pos is okay only by itself. However, i +
      insn->off + 1 < pos does not always work as intended to trigger the
      adjustment. It works when jump targets would be far off where the
      delta wouldn't matter. But, for example, where the fixed insn->off
      before pointed to pos (target_Y), it now points to pos + delta, so
      that additional room needs to be taken into account for the check.
      This means that i) both tests here need to be adjusted into pos + delta,
      and ii) for the second condition, the test needs to be <= as pos
      itself can be a target in the backjump, too.
      
      Fixes: 9bac3d6d ("bpf: allow extended BPF programs access skb fields")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1b14d27
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 74c7b2af
      Linus Torvalds authored
      Pull input updates from Dmitry Torokhov:
       "Just small driver fixups"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: colibri-vf50-ts - add missing #include <linux/of.h>
        Input: adp5589 - fix row 5 handling for adp5589
        Input: edt-ft5x06 - fix setting gain, offset, and threshold via device tree
        Input: vmmouse - fix absolute device registration
        Input: serio - drop warnings in case of EPROBE_DEFER from serio_find_driver()
        Input: cap11xx - add missing of_node_put
        Input: sirfsoc-onkey - allow modular build
        Input: xpad - remove unused function
      74c7b2af
    • Linus Torvalds's avatar
      Merge branch 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · 4e541699
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
      
       - PORTS_IMPL workaround for very early ahci controllers is misbehaving
         on new systems.  Disabled on recent ahci versions.
      
       - Old-style PIO state machine had a horrible locking problem.  Don't
         know how we've been getting away this far.  Fixed.
      
       - Other device specific updates.
      
      * 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ahci: Intel DNV device IDs SATA
        libata: fix sff host state machine locking while polling
        libata-sff: use WARN instead of BUG on illegal host state machine state
        libata: disable forced PORTS_IMPL for >= AHCI 1.3
        libata: blacklist a Viking flash model for MWDMA corruption
        drivers: ata: wake port before DMA stop for ALPM
      4e541699
    • Linus Torvalds's avatar
      Merge branch 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · fb0dc5f1
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
      
       - The destruction path of cgroup objects are asynchronous and
         multi-staged and some of them ended up destroying parents before
         children leading to failures in cpu and memory controllers.  Ensure
         that parents are always destroyed after children.
      
       - cpuset mm node migration was performed synchronously while holding
         threadgroup and cgroup mutexes and the recent threadgroup locking
         update resulted in a possible deadlock.  The migration is best effort
         and shouldn't have been performed under those locks to begin with.
         Made asynchronous.
      
       - Minor documentation fix.
      
      * 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        Documentation: cgroup: Fix 'cgroup-legacy' -> 'cgroup-v1'
        cgroup: make sure a parent css isn't freed before its children
        cgroup: make sure a parent css isn't offlined before its children
        cpuset: make mm migration asynchronous
      fb0dc5f1
    • Linus Torvalds's avatar
      Merge branch 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · 9aece75c
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "Workqueue fixes for v4.5-rc3.
      
         - Remove a spurious triggering of flush dependency warning.
      
         - Officially break local execution guarantee of unbound work items
           and add a debug feature to flush out usages which depend on it.
      
         - Work around CPU -> NODE mapping becoming invalid on CPU offline.
      
        The branch is young but pushing out early as stable kernels are being
        affected"
      
      * 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup
        workqueue: implement "workqueue.debug_force_rr_cpu" debug feature
        workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs
        Revert "workqueue: make sure delayed work run in local cpu"
        workqueue: skip flush dependency checks for legacy workqueues
      9aece75c
    • Tejun Heo's avatar
      workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup · d6e022f1
      Tejun Heo authored
      When looking up the pool_workqueue to use for an unbound workqueue,
      workqueue assumes that the target CPU is always bound to a valid NUMA
      node.  However, currently, when a CPU goes offline, the mapping is
      destroyed and cpu_to_node() returns NUMA_NO_NODE.
      
      This has always been broken but hasn't triggered often enough before
      874bbfe6 ("workqueue: make sure delayed work run in local cpu").
      After the commit, workqueue forcifully assigns the local CPU for
      delayed work items without explicit target CPU to fix a different
      issue.  This widens the window where CPU can go offline while a
      delayed work item is pending causing delayed work items dispatched
      with target CPU set to an already offlined CPU.  The resulting
      NUMA_NO_NODE mapping makes workqueue try to queue the work item on a
      NULL pool_workqueue and thus crash.
      
      While 874bbfe6 has been reverted for a different reason making the
      bug less visible again, it can still happen.  Fix it by mapping
      NUMA_NO_NODE to the default pool_workqueue from unbound_pwq_by_node().
      This is a temporary workaround.  The long term solution is keeping CPU
      -> NODE mapping stable across CPU off/online cycles which is being
      worked on.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarMike Galbraith <umgwanakikbuti@gmail.com>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Cc: Rafael J. Wysocki <rafael@kernel.org>
      Cc: Len Brown <len.brown@intel.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/g/1454424264.11183.46.camel@gmail.com
      Link: http://lkml.kernel.org/g/1453702100-2597-1-git-send-email-tangchen@cn.fujitsu.com
      d6e022f1
    • Alexandra Yates's avatar
      ahci: Intel DNV device IDs SATA · 342decff
      Alexandra Yates authored
      Adding Intel codename DNV platform device IDs for SATA.
      Signed-off-by: default avatarAlexandra Yates <alexandra.yates@linux.intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: stable@vger.kernel.org
      342decff
    • David S. Miller's avatar
      Merge branch 'ovs-tunnel-mtu' · 1902750b
      David S. Miller authored
      David Wragg says:
      
      ====================
      Set a large MTU on ovs-created tunnel devices
      
      Prior to 4.3, openvswitch tunnel vports (vxlan, gre and geneve) could
      transmit vxlan packets of any size, constrained only by the ability to
      send out the resulting packets.  4.3 introduced netdevs corresponding
      to tunnel vports.  These netdevs have an MTU, which limits the size of
      a packet that can be successfully encapsulated.  The default MTU
      values are low (1500 or less), which is awkwardly small in the context
      of physical networks supporting jumbo frames, and leads to a
      conspicuous change in behaviour for userspace.
      
      This patch series sets the MTU on openvswitch-created netdevs to be
      the relevant maximum (i.e. the maximum IP packet size minus any
      relevant overhead), effectively restoring the behaviour prior to 4.3.
      
      Where relevant, the limits on MTU values that can be directly set on
      the netdevs are also relaxed.
      
      Changes in v2:
      * Extend to all openvswitch tunnel types, i.e. gre and geneve as well
      * Use IP_MAX_MTU
      
      Changes in v3:
      * Fix block comment style
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1902750b
    • David Wragg's avatar
      vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices · 7e059158
      David Wragg authored
      Prior to 4.3, openvswitch tunnel vports (vxlan, gre and geneve) could
      transmit vxlan packets of any size, constrained only by the ability to
      send out the resulting packets.  4.3 introduced netdevs corresponding
      to tunnel vports.  These netdevs have an MTU, which limits the size of
      a packet that can be successfully encapsulated.  The default MTU
      values are low (1500 or less), which is awkwardly small in the context
      of physical networks supporting jumbo frames, and leads to a
      conspicuous change in behaviour for userspace.
      
      Instead, set the MTU on openvswitch-created netdevs to be the relevant
      maximum (i.e. the maximum IP packet size minus any relevant overhead),
      effectively restoring the behaviour prior to 4.3.
      Signed-off-by: default avatarDavid Wragg <david@weave.works>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7e059158
    • David Wragg's avatar
      geneve: Relax MTU constraints · 55e5bfb5
      David Wragg authored
      Allow the MTU of geneve devices to be set to large values, in order to
      exploit underlying networks with larger frame sizes.
      
      GENEVE does not have a fixed encapsulation overhead (an openvswitch
      rule can add variable length options), so there is no relevant maximum
      MTU to enforce.  A maximum of IP_MAX_MTU is used instead.
      Encapsulated packets that are too big for the underlying network will
      get dropped on the floor.
      Signed-off-by: default avatarDavid Wragg <david@weave.works>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55e5bfb5
    • David Wragg's avatar
      vxlan: Relax MTU constraints · 72564b59
      David Wragg authored
      Allow the MTU of vxlan devices without an underlying device to be set
      to larger values (up to a maximum based on IP packet limits and vxlan
      overhead).
      
      Previously, their MTUs could not be set to higher than the
      conventional ethernet value of 1500.  This is a very arbitrary value
      in the context of vxlan, and prevented vxlan devices from being able
      to take advantage of jumbo frames etc.
      
      The default MTU remains 1500, for compatibility.
      Signed-off-by: default avatarDavid Wragg <david@weave.works>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72564b59
    • Lokesh Vutla's avatar
      gpio: davinci: Fix the number of controllers allocated · 6ec9249a
      Lokesh Vutla authored
      Driver only needs to allocate for [ngpio / 32] controllers,
      as each controller handles 32 gpios. But the current driver
      allocates for ngpio of which the extra allocated are unused.
      Fix it be registering only the required number of controllers.
      Signed-off-by: default avatarLokesh Vutla <lokeshvutla@ti.com>
      Signed-off-by: default avatarKeerthy <j-keerthy@ti.com>
      Reviewed-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      6ec9249a
    • Keerthy's avatar
      gpio: davinci: Add the missing of-node pointer · 310a7e60
      Keerthy authored
      Currently the first parameter of irq_domain_add_legacy is NULL.
      irq_find_host function returns NULL when we do not populate the of_node
      and hence irq_of_parse_and_map call fails whenever we want to request a
      gpio irq. This fixes the request_irq failures for gpio interrupts.
      Signed-off-by: default avatarKeerthy <j-keerthy@ti.com>
      Reviewed-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      310a7e60
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux · 2178cbc6
      Linus Torvalds authored
      Pull module fixes from Rusty Russell:
       "Fix for async_probe module param added in 4.3 (clearly not widely used
        yet), and a much more interesting kallsyms race which has been around
        approximately forever.  This fix is more invasive, and will require
        some care in backporting, but I hated all the bandaids I could think
        of, so...
      
        There are some more coming, which are only for breakages introduced
        this cycle (livepatch), but wanted these in now"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
        modules: fix longstanding /proc/kallsyms vs module insertion race.
        module: wrapper for symbol name.
        modules: fix modparam async_probe request
      2178cbc6
  4. 09 Feb, 2016 16 commits