1. 01 Apr, 2015 6 commits
  2. 21 Mar, 2015 3 commits
    • Taesoo Kim's avatar
      cifs: potential memory leaks when parsing mnt opts · 2bd50fb3
      Taesoo Kim authored
      For example, when mount opt is redundently specified
      (e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val
      with kstrdup() and overwrite previous ptr (to be freed).
      
      Althouhg mount.cifs in userspace performs a bit of sanitization
      (e.g., forcing one user option), current implementation is not
      robust. Other options such as iocharset and domainanme are similarly
      vulnerable.
      Signed-off-by: default avatarTaesoo Kim <tsgatesv@gmail.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      2bd50fb3
    • David Disseldorp's avatar
      cifs: fix use-after-free bug in find_writable_file · e1e9bda2
      David Disseldorp authored
      Under intermittent network outages, find_writable_file() is susceptible
      to the following race condition, which results in a user-after-free in
      the cifs_writepages code-path:
      
      Thread 1                                        Thread 2
      ========                                        ========
      
      inv_file = NULL
      refind = 0
      spin_lock(&cifs_file_list_lock)
      
      // invalidHandle found on openFileList
      
      inv_file = open_file
      // inv_file->count currently 1
      
      cifsFileInfo_get(inv_file)
      // inv_file->count = 2
      
      spin_unlock(&cifs_file_list_lock);
      
      cifs_reopen_file()                            cifs_close()
      // fails (rc != 0)                            ->cifsFileInfo_put()
                                             spin_lock(&cifs_file_list_lock)
                                             // inv_file->count = 1
                                             spin_unlock(&cifs_file_list_lock)
      
      spin_lock(&cifs_file_list_lock);
      list_move_tail(&inv_file->flist,
            &cifs_inode->openFileList);
      spin_unlock(&cifs_file_list_lock);
      
      cifsFileInfo_put(inv_file);
      ->spin_lock(&cifs_file_list_lock)
      
        // inv_file->count = 0
        list_del(&cifs_file->flist);
        // cleanup!!
        kfree(cifs_file);
      
        spin_unlock(&cifs_file_list_lock);
      
      spin_lock(&cifs_file_list_lock);
      ++refind;
      // refind = 1
      goto refind_writable;
      
      At this point we loop back through with an invalid inv_file pointer
      and a refind value of 1. On second pass, inv_file is not overwritten on
      openFileList traversal, and is subsequently dereferenced.
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Reviewed-by: default avatarJeff Layton <jlayton@samba.org>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      e1e9bda2
    • Sachin Prabhu's avatar
      cifs: smb2_clone_range() - exit on unhandled error · 2477bc58
      Sachin Prabhu authored
      While attempting to clone a file on a samba server, we receive a
      STATUS_INVALID_DEVICE_REQUEST. This is mapped to -EOPNOTSUPP which
      isn't handled in smb2_clone_range(). We end up looping in the while loop
      making same call to the samba server over and over again.
      
      The proposed fix is to exit and return the error value when encountered
      with an unhandled error.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarSachin Prabhu <sprabhu@redhat.com>
      Signed-off-by: default avatarSteve French <steve.french@primarydata.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      2477bc58
  3. 23 Mar, 2015 3 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 90a5a895
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Validate iov ranges before feeding them into iov_iter_init(), from
          Al Viro.
      
       2) We changed copy_from_msghdr_from_user() to zero out the msg_namelen
          is a NULL pointer is given for the msg_name.  Do the same in the
          compat code too.  From Catalin Marinas.
      
       3) Fix partially initialized tuples in netfilter conntrack helper, from
          Ian Wilson.
      
       4) Missing continue; statement in nft_hash walker can lead to crashes,
          from Herbert Xu.
      
       5) tproxy_tg6_check looks for IP6T_INV_PROTO in ->flags instead of
          ->invflags, fix from Pablo Neira Ayuso.
      
       6) Incorrect memory account of TCP FINs can result in negative socket
          memory accounting values.  Fix from Josh Hunt.
      
       7) Don't allow virtual functions to enable VLAN promiscuous mode in
          be2net driver, from Vasundhara Volam.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set
        cx82310_eth: wait for firmware to become ready
        net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
        net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour
        be2net: use PCI MMIO read instead of config read for errors
        be2net: restrict MODIFY_EQ_DELAY cmd to a max of 8 EQs
        be2net: Prevent VFs from enabling VLAN promiscuous mode
        tcp: fix tcp fin memory accounting
        ipv6: fix backtracking for throw routes
        net: ethernet: pcnet32: Setup the SRAM and NOUFLO on Am79C97{3, 5}
        ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment
        netfilter: xt_TPROXY: fix invflags check in tproxy_tg6_check()
        netfilter: restore rule tracing via nfnetlink_log
        netfilter: nf_tables: allow to change chain policy without hook if it exists
        netfilter: Fix potential crash in nft_hash walker
        netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
      90a5a895
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · d5049617
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Some perf bug fixes from David Ahern, and the fix for that nasty
        memmove() bug"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix several bugs in memmove().
        sparc: Touch NMI watchdog when walking cpus and calling printk
        sparc: perf: Add support M7 processor
        sparc: perf: Make counting mode actually work
        sparc: perf: Remove redundant perf_pmu_{en|dis}able calls
      d5049617
    • David S. Miller's avatar
      sparc64: Fix several bugs in memmove(). · 2077cef4
      David S. Miller authored
      Firstly, handle zero length calls properly.  Believe it or not there
      are a few of these happening during early boot.
      
      Next, we can't just drop to a memcpy() call in the forward copy case
      where dst <= src.  The reason is that the cache initializing stores
      used in the Niagara memcpy() implementations can end up clearing out
      cache lines before we've sourced their original contents completely.
      
      For example, considering NG4memcpy, the main unrolled loop begins like
      this:
      
           load   src + 0x00
           load   src + 0x08
           load   src + 0x10
           load   src + 0x18
           load   src + 0x20
           store  dst + 0x00
      
      Assume dst is 64 byte aligned and let's say that dst is src - 8 for
      this memcpy() call.  That store at the end there is the one to the
      first line in the cache line, thus clearing the whole line, which thus
      clobbers "src + 0x28" before it even gets loaded.
      
      To avoid this, just fall through to a simple copy only mildly
      optimized for the case where src and dst are 8 byte aligned and the
      length is a multiple of 8 as well.  We could get fancy and call
      GENmemcpy() but this is good enough for how this thing is actually
      used.
      Reported-by: default avatarDavid Ahern <david.ahern@oracle.com>
      Reported-by: default avatarBob Picco <bpicco@meloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2077cef4
  4. 22 Mar, 2015 9 commits
  5. 21 Mar, 2015 12 commits
    • Ondrej Zary's avatar
      cx82310_eth: wait for firmware to become ready · f40bff42
      Ondrej Zary authored
      When the device is powered up, some (older) firmware versions fail to work
      properly if we send commands before the boot is complete (everything is OK
      when the device is hot-plugged). The firmware indicates its ready status by
      putting the link up.
      Newer firmwares delay the first command so they don't suffer from this problem.
      They also report the link being always up.
      
      Wait for firmware to become ready (link up) before sending any commands and/or
      data.
      
      This also allows lowering CMD_TIMEOUT value to a reasonable time.
      
      Tested with 4.1.0.9 (old) and 4.1.0.30 (new) firmware versions.
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f40bff42
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma · f8975224
      Linus Torvalds authored
      Pull slave dmaengine fixes from Vinod Koul:
       "Four fixes for dw, pl08x, imx-sdma and at_hdmac driver.  Nothing
        unusual here, simple fixes to these drivers"
      
      * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: pl08x: Define capabilities for generic capabilities reporting
        dmaengine: dw: append MODULE_ALIAS for platform driver
        dmaengine: imx-sdma: switch to dynamic context mode after script loaded
        dmaengine: at_hdmac: Fix calculation of the residual bytes
      f8975224
    • Linus Torvalds's avatar
      Merge tag 'pm+acpi-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 3d7a6db5
      Linus Torvalds authored
      Pull power management and ACPI fixes from Rafael Wysocki:
       "These are fixes for recent regressions (PCI/ACPI resources and at91
        RTC locking), a stable-candidate powercap RAPL driver fix and two ARM
        cpuidle fixes (one stable-candidate too).
      
        Specifics:
      
         - Revert a recent PCI commit related to IRQ resources management that
           introduced a regression for drivers attempting to bind to devices
           whose previous drivers did not balance pci_enable_device() and
           pci_disable_device() as expected (Rafael J Wysocki).
      
         - Fix a deadlock in at91_rtc_interrupt() introduced by a typo in a
           recent commit related to wakeup interrupt handling (Dan Carpenter).
      
         - Allow the power capping RAPL (Running-Average Power Limit) driver
           to use different energy units for domains within one CPU package
           which is necessary to handle Intel Haswell EP processors correctly
           (Jacob Pan).
      
         - Improve the cpuidle mvebu driver's handling of Armada XP SoCs by
           updating the target residency and exit latency numbers for those
           chips (Sebastien Rannou).
      
         - Prevent the cpuidle mvebu driver from calling cpu_pm_enter() twice
           in a row before cpu_pm_exit() is called on the same CPU which
           breaks the core's assumptions regarding the usage of those
           functions (Gregory Clement)"
      
      * tag 'pm+acpi-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        Revert "x86/PCI: Refine the way to release PCI IRQ resources"
        rtc: at91rm9200: double locking bug in at91_rtc_interrupt()
        powercap / RAPL: handle domains with different energy units
        cpuidle: mvebu: Update cpuidle thresholds for Armada XP SOCs
        cpuidle: mvebu: Fix the CPU PM notifier usage
      3d7a6db5
    • Linus Torvalds's avatar
      Merge git://people.freedesktop.org/~airlied/linux · 97448d5b
      Linus Torvalds authored
      Pull drm updates from Dave Airlie:
       "A bunch of fixes across drivers:
      
        radeon:
           disable two ended allocation for now, it breaks some stuff
      
        amdkfd:
           misc fixes
      
        nouveau:
           fix irq loop problem, add basic support for GM206 (new hw)
      
        i915:
           fix some WARNs people were seeing
      
        exynos:
           fix some iommu interactions causing boot failures"
      
      * git://people.freedesktop.org/~airlied/linux:
        drm/radeon: drop ttm two ended allocation
        drm/exynos: fix the initialization order in FIMD
        drm/exynos: fix typo config name correctly.
        drm/exynos: Check for NULL dereference of crtc
        drm/exynos: IS_ERR() vs NULL bug
        drm/exynos: remove unused files
        drm/i915: Make sure the primary plane is enabled before reading out the fb state
        drm/nouveau/bios: fix i2c table parsing for dcb 4.1
        drm/nouveau/device/gm100: Basic GM206 bring up (as copy of GM204)
        drm/nouveau/device: post write to NV_PMC_BOOT_1 when flipping endian switch
        drm/nouveau/gr/gf100: fix some accidental or'ing of buffer addresses
        drm/nouveau/fifo/nv04: remove the loop from the interrupt handler
        drm/radeon: Changing number of compute pipe lines
        drm/amdkfd: Fix SDMA queue init. in non-HWS mode
        drm/amdkfd: destroy mqd when destroying kernel queue
        drm/i915: Ensure plane->state->fb stays in sync with plane->fb
      97448d5b
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-4.0-part2' of... · bb8ef2fb
      Linus Torvalds authored
      Merge tag 'devicetree-fixes-for-4.0-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
      
      Pull more DeviceTree fixes vfom Rob Herring:
      
       - revert setting stdout-path as preferred console.  This caused
         regressions in PowerMACs and other systems.
      
       - yet another fix for stdout-path option parsing.
      
       - fix error path handling in of_irq_parse_one
      
      * tag 'devicetree-fixes-for-4.0-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        Revert "of: Fix premature bootconsole disable with 'stdout-path'"
        of: handle both '/' and ':' in path strings
        of: unittest: Add option string test case with longer path
        of/irq: Fix of_irq_parse_one() returned error codes
      bb8ef2fb
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · e477f3e0
      Linus Torvalds authored
      Pull SCSI target fixes from Nicholas Bellinger:
       "Here are current target-pending fixes for v4.0-rc5 code that have made
        their way into the queue over the last weeks.
      
        The fixes this round include:
      
         - Fix long-standing iser-target logout bug related to early
           conn_logout_comp completion, resulting in iscsi_conn use-after-tree
           OOpsen.  (Sagi + nab)
      
         - Fix long-standing tcm_fc bug in ft_invl_hw_context() failure
           handing for DDP hw offload.  (DanC)
      
         - Fix incorrect use of unprotected __transport_register_session() in
           tcm_qla2xxx + other single local se_node_acl fabrics.  (Bart)
      
         - Fix reference leak in target_submit_cmd() -> target_get_sess_cmd()
           for ack_kref=1 failure path.  (Bart)
      
         - Fix pSCSI backend ->get_device_type() statistics OOPs with
           un-configured device.  (Olaf + nab)
      
         - Fix virtual LUN=0 target_configure_device failure OOPs at modprobe
           time.  (Claudio + nab)
      
         - Fix FUA write false positive failure regression in v4.0-rc1 code.
           (Christophe Vu-Brugier + HCH)"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        target: do not reject FUA CDBs when write cache is enabled but emulate_write_cache is 0
        target: Fix virtual LUN=0 target_configure_device failure OOPs
        target/pscsi: Fix NULL pointer dereference in get_device_type
        tcm_fc: missing curly braces in ft_invl_hw_context()
        target: Fix reference leak in target_get_sess_cmd() error path
        loop/usb/vhost-scsi/xen-scsiback: Fix use of __transport_register_session
        tcm_qla2xxx: Fix incorrect use of __transport_register_session
        iscsi-target: Avoid early conn_logout_comp for iser connections
        Revert "iscsi-target: Avoid IN_LOGOUT failure case for iser-target"
        target: Disallow changing of WRITE cache/FUA attrs after export
      e477f3e0
    • Linus Torvalds's avatar
      Merge tag 'dm-4.0-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · da6b9a20
      Linus Torvalds authored
      Pull devicemapper fixes from Mike Snitzer:
       "A handful of stable fixes for DM:
         - fix thin target to always zero-fill reads to unprovisioned blocks
         - fix to interlock device destruction's suspend from internal
           suspends
         - fix 2 snapshot exception store handover bugs
         - fix dm-io to cope with DISCARD and WRITE_SAME capabilities changing"
      
      * tag 'dm-4.0-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME
        dm snapshot: suspend merging snapshot when doing exception handover
        dm snapshot: suspend origin when doing exception handover
        dm: hold suspend_lock while suspending device during device deletion
        dm thin: fix to consistently zero-fill reads to unprovisioned blocks
      da6b9a20
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 521d4746
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "Most of these are fixing extent reservation accounting, or corners
        with tree writeback during commit.
      
        Josef's set does add a test, which isn't strictly a fix, but it'll
        keep us from making this same mistake again"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: fix outstanding_extents accounting in DIO
        Btrfs: add sanity test for outstanding_extents accounting
        Btrfs: just free dummy extent buffers
        Btrfs: account merges/splits properly
        Btrfs: prepare block group cache before writing
        Btrfs: fix ASSERT(list_empty(&cur_trans->dirty_bgs_list)
        Btrfs: account for the correct number of extents for delalloc reservations
        Btrfs: fix merge delalloc logic
        Btrfs: fix comp_oper to get right order
        Btrfs: catch transaction abortion after waiting for it
        btrfs: fix sizeof format specifier in btrfs_check_super_valid()
      521d4746
    • Linus Torvalds's avatar
      Merge branch 'for-4.0' of git://linux-nfs.org/~bfields/linux · 0d122f74
      Linus Torvalds authored
      Pull nfsd bufix from Bruce Fields:
       "This is a fix for a crash easily triggered by 4.1 activity to a server
        built with CONFIG_NFSD_PNFS.
      
        There are some more bugfixes queued up that I intend to pass along
        next week, but this is the most critical"
      
      * 'for-4.0' of git://linux-nfs.org/~bfields/linux:
        Subject: nfsd: don't recursively call nfsd4_cb_layout_fail
      0d122f74
    • Linus Torvalds's avatar
      Merge tag 'upstream-4.0-rc5' of git://git.infradead.org/linux-ubifs · c6ef8145
      Linus Torvalds authored
      Pull UBI fix from Artem Bityutskiy:
       "This fixes a bug introduced during the v4.0 merge window where we
        forgot to put braces where they should be"
      
      * tag 'upstream-4.0-rc5' of git://git.infradead.org/linux-ubifs:
        UBI: fix missing brace control flow
      c6ef8145
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 60ed380e
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - mm switching fix where the kernel pgd ends up in the user TTBR0 after
         returning from an EFI run-time services call
      
       - fix __GFP_ZERO handling for atomic pool and CMA DMA allocations (the
         generic code does get the gfp flags, so it's left with the arch code
         to memzero accordingly)
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: Honor __GFP_ZERO in dma allocations
        arm64: efi: don't restore TTBR0 if active_mm points at init_mm
      60ed380e
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm · 62a202d7
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "Another few ARM fixes.  Fabrice fixed the L2 cache DT parsing to allow
        prefetch configuration to be specified even when the cache size
        parsing fails.
      
        Laura noticed that the setting of page attributes wasn't working for
        modules due to is_module_addr() always returning false.
      
        Marc Gonzalez (aka Mason) noticed a potential latent bug with the way
        we read one of the CPUID registers (where we could attempt to read a
        non-present CPUID register which may fault.)
      
        I've fixed an issue where 32-bit DMA masks were failing with memory
        which extended to the top of physical address space, and I've also
        added debugging output of the page tables when we hit a data access
        exception which we don't specifically handle - prompted by the lack of
        information in a bug report"
      
      * 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
        ARM: 8313/1: Use read_cpuid_ext() macro instead of inline asm
        ARM: 8311/1: Don't use is_module_addr in setting page attributes
        ARM: 8310/1: l2c: Fix prefetch settings dt parsing
        ARM: dump pgd, pmd and pte states on unhandled data abort faults
        ARM: dma-api: fix off-by-one error in __dma_supported()
      62a202d7
  6. 20 Mar, 2015 7 commits