1. 24 Mar, 2014 22 commits
    • Trond Myklebust's avatar
      NFS: Fix a delegation callback race · e877d416
      Trond Myklebust authored
      commit 755a48a7 upstream.
      
      The clean-up in commit 36281caa ended up removing a NULL pointer check
      that is needed in order to prevent an Oops in
      nfs_async_inode_return_delegation().
      Reported-by: default avatar"Yan, Zheng" <zheng.z.yan@intel.com>
      Link: http://lkml.kernel.org/r/5313E9F6.2020405@intel.com
      Fixes: 36281caa (NFSv4: Further clean-ups of delegation stateid validation)
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e877d416
    • Michele Baldessari's avatar
      libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8 (2BA30001) · 02a4ed4a
      Michele Baldessari authored
      commit b28a613e upstream.
      
      Via commit 87809942 "libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk
      for Seagate Momentus SpinPoint M8" we added a quirk for disks named
      "ST1000LM024 HN-M101MBB" with firmware revision "2AR10001".
      
      As reported on https://bugzilla.redhat.com/show_bug.cgi?id=1073901,
      we need to also add firmware revision 2BA30001 as it is broken as well.
      Reported-by: default avatarNicholas <arealityfarbetween@googlemail.com>
      Signed-off-by: default avatarMichele Baldessari <michele@acksyn.org>
      Tested-by: default avatarGuilherme Amadio <guilherme.amadio@gmail.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      02a4ed4a
    • Tejun Heo's avatar
      firewire: don't use PREPARE_DELAYED_WORK · f8637162
      Tejun Heo authored
      commit 70044d71 upstream.
      
      PREPARE_[DELAYED_]WORK() are being phased out.  They have few users
      and a nasty surprise in terms of reentrancy guarantee as workqueue
      considers work items to be different if they don't have the same work
      function.
      
      firewire core-device and sbp2 have been been multiplexing work items
      with multiple work functions.  Introduce fw_device_workfn() and
      sbp2_lu_workfn() which invoke fw_device->workfn and
      sbp2_logical_unit->workfn respectively and always use the two
      functions as the work functions and update the users to set the
      ->workfn fields instead of overriding work functions using
      PREPARE_DELAYED_WORK().
      
      This fixes a variety of possible regressions since a2c1c57b
      "workqueue: consider work function when searching for busy work items"
      due to which fw_workqueue lost its required non-reentrancy property.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Cc: linux1394-devel@lists.sourceforge.net
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8637162
    • Stefan Richter's avatar
      firewire: net: fix use after free · f37058b8
      Stefan Richter authored
      commit 89875833 upstream.
      
      Commit 8408dc1c "firewire: net: use dev_printk API" introduced a
      use-after-free in a failure path.  fwnet_transmit_packet_failed(ptask)
      may free ptask, then the dev_err() call dereferenced it.  The fix is
      straightforward; simply reorder the two calls.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f37058b8
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Do not add event files for modules that fail tracepoints · a2998041
      Steven Rostedt (Red Hat) authored
      commit 45ab2813 upstream.
      
      If a module fails to add its tracepoints due to module tainting, do not
      create the module event infrastructure in the debugfs directory. As the events
      will not work and worse yet, they will silently fail, making the user wonder
      why the events they enable do not display anything.
      
      Having a warning on module load and the events not visible to the users
      will make the cause of the problem much clearer.
      
      Link: http://lkml.kernel.org/r/20140227154923.265882695@goodmis.org
      
      Fixes: 6d723736 "tracing/events: add support for modules to TRACE_EVENT"
      Acked-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2998041
    • Li Zefan's avatar
      cpuset: fix a race condition in __cpuset_node_allowed_softwall() · c5ad4fde
      Li Zefan authored
      commit 99afb0fd upstream.
      
      It's not safe to access task's cpuset after releasing task_lock().
      Holding callback_mutex won't help.
      Signed-off-by: default avatarLi Zefan <lizefan@huawei.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5ad4fde
    • Chuansheng Liu's avatar
      genirq: Remove racy waitqueue_active check · b46741f2
      Chuansheng Liu authored
      commit c685689f upstream.
      
      We hit one rare case below:
      
      T1 calling disable_irq(), but hanging at synchronize_irq()
      always;
      The corresponding irq thread is in sleeping state;
      And all CPUs are in idle state;
      
      After analysis, we found there is one possible scenerio which
      causes T1 is waiting there forever:
      CPU0                                       CPU1
       synchronize_irq()
        wait_event()
          spin_lock()
                                                 atomic_dec_and_test(&threads_active)
            insert the __wait into queue
          spin_unlock()
                                                 if(waitqueue_active)
          atomic_read(&threads_active)
                                                   wake_up()
      
      Here after inserted the __wait into queue on CPU0, and before
      test if queue is empty on CPU1, there is no barrier, it maybe
      cause it is not visible for CPU1 immediately, although CPU0 has
      updated the queue list.
      It is similar for CPU0 atomic_read() threads_active also.
      
      So we'd need one smp_mb() before waitqueue_active.that, but removing
      the waitqueue_active() check solves it as wel l and it makes
      things simple and clear.
      Signed-off-by: default avatarChuansheng Liu <chuansheng.liu@intel.com>
      Cc: Xiaoming Wang <xiaoming.wang@intel.com>
      Link: http://lkml.kernel.org/r/1393212590-32543-1-git-send-email-chuansheng.liu@intel.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b46741f2
    • Daniel J Blueman's avatar
      x86/amd/numa: Fix northbridge quirk to assign correct NUMA node · bb7d79fc
      Daniel J Blueman authored
      commit 847d7970 upstream.
      
      For systems with multiple servers and routed fabric, all
      northbridges get assigned to the first server. Fix this by also
      using the node reported from the PCI bus. For single-fabric
      systems, the northbriges are on PCI bus 0 by definition, which
      are on NUMA node 0 by definition, so this is invarient on most
      systems.
      
      Tested on fam10h and fam15h single and multi-fabric systems and
      candidate for stable.
      Signed-off-by: default avatarDaniel J Blueman <daniel@numascale.com>
      Acked-by: default avatarSteffen Persvold <sp@numascale.com>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/1394710981-3596-1-git-send-email-daniel@numascale.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb7d79fc
    • Linus Walleij's avatar
      ARM: 7991/1: sa1100: fix compile problem on Collie · 8271b4d8
      Linus Walleij authored
      commit 052450fd upstream.
      
      Due to a problem in the MFD Kconfig it was not possible to
      compile the UCB battery driver for the Collie SA1100 system,
      in turn making it impossible to compile in the battery driver.
      (See patch "mfd: include all drivers in subsystem menu".)
      
      After fixing the MFD Kconfig (separate patch) a compile error
      appears in the Collie battery driver due to the <mach/collie.h>
      implicitly requiring <mach/hardware.h> through <linux/gpio.h>
      via <mach/gpio.h> prior to commit
      40ca061b "ARM: 7841/1: sa1100: remove complex GPIO interface".
      
      Fix this up by including the required header into
      <mach/collie.h>.
      
      Cc: Andrea Adami <andrea.adami@gmail.com>
      Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8271b4d8
    • Anton Blanchard's avatar
      powerpc: Align p_dyn, p_rela and p_st symbols · ec012303
      Anton Blanchard authored
      commit a5b2cf5b upstream.
      
      The 64bit relocation code places a few symbols in the text segment.
      These symbols are only 4 byte aligned where they need to be 8 byte
      aligned. Add an explicit alignment.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Tested-by: default avatarLaurent Dufour <ldufour@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec012303
    • Takashi Iwai's avatar
      ALSA: usb-audio: Add quirk for Logitech Webcam C500 · 377f8ac2
      Takashi Iwai authored
      commit e805ca8b upstream.
      
      Logitech C500 (046d:0807) needs the same workaround like other
      Logitech Webcams.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      377f8ac2
    • Roman Volkov's avatar
      ALSA: oxygen: Xonar DG(X): capture from I2S channel 1, not 2 · 99792c01
      Roman Volkov authored
      commit 3dd77654 upstream.
      
      Actually CS4245 connected to the I2S channel 1 for
      capture, not channel 2. Otherwise capturing and
      playback does not work for CS4245.
      Signed-off-by: default avatarRoman Volkov <v1ron@mail.ru>
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99792c01
    • Rob Clark's avatar
      drm/ttm: don't oops if no invalidate_caches() · cf828d9f
      Rob Clark authored
      commit 9ef7506f upstream.
      
      A few of the simpler TTM drivers (cirrus, ast, mgag200) do not implement
      this function.  Yet can end up somehow with an evicted bo:
      
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        PGD 16e761067 PUD 16e6cf067 PMD 0
        Oops: 0010 [#1] SMP
        Modules linked in: bnep bluetooth rfkill fuse ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter ip_tables sg btrfs zlib_deflate raid6_pq xor dm_queue_length iTCO_wdt iTCO_vendor_support coretemp kvm dcdbas dm_service_time microcode serio_raw pcspkr lpc_ich mfd_core i7core_edac edac_core ses enclosure ipmi_si ipmi_msghandler shpchp acpi_power_meter mperf nfsd auth_rpcgss nfs_acl lockd uinput sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sr_mod cdrom
         sd_mod usb_storage mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit lpfc drm_kms_helper ttm crc32c_intel ata_piix bfa drm ixgbe libata i2c_core mdio crc_t10dif ptp crct10dif_common pps_core scsi_transport_fc dca scsi_tgt megaraid_sas bnx2 dm_mirror dm_region_hash dm_log dm_mod
        CPU: 16 PID: 2572 Comm: X Not tainted 3.10.0-86.el7.x86_64 #1
        Hardware name: Dell Inc. PowerEdge R810/0H235N, BIOS 0.3.0 11/14/2009
        task: ffff8801799dabc0 ti: ffff88016c884000 task.ti: ffff88016c884000
        RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
        RSP: 0018:ffff88016c885ad8  EFLAGS: 00010202
        RAX: ffffffffa04e94c0 RBX: ffff880178937a20 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: 0000000000240004 RDI: ffff880178937a00
        RBP: ffff88016c885b60 R08: 00000000000171a0 R09: ffff88007cf171a0
        R10: ffffea0005842540 R11: ffffffff810487b9 R12: ffff880178937b30
        R13: ffff880178937a00 R14: ffff88016c885b78 R15: ffff880179929400
        FS:  00007f81ba2ef980(0000) GS:ffff88007cf00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 000000016e763000 CR4: 00000000000007e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
        Stack:
         ffffffffa0306fae ffff8801799295c0 0000000000260004 0000000000000001
         ffff88016c885b60 ffffffffa0307669 00ff88007cf17738 ffff88017cf17700
         ffff880178937a00 ffff880100000000 ffff880100000000 0000000079929400
        Call Trace:
         [<ffffffffa0306fae>] ? ttm_bo_handle_move_mem+0x54e/0x5b0 [ttm]
         [<ffffffffa0307669>] ? ttm_bo_mem_space+0x169/0x340 [ttm]
         [<ffffffffa0307bd7>] ttm_bo_move_buffer+0x117/0x130 [ttm]
         [<ffffffff81130001>] ? perf_event_init_context+0x141/0x220
         [<ffffffffa0307cb1>] ttm_bo_validate+0xc1/0x130 [ttm]
         [<ffffffffa04e7377>] mgag200_bo_pin+0x87/0xc0 [mgag200]
         [<ffffffffa04e56c4>] mga_crtc_cursor_set+0x474/0xbb0 [mgag200]
         [<ffffffff811971d2>] ? __mem_cgroup_commit_charge+0x152/0x3b0
         [<ffffffff815c4182>] ? mutex_lock+0x12/0x2f
         [<ffffffffa0201433>] drm_mode_cursor_common+0x123/0x170 [drm]
         [<ffffffffa0205231>] drm_mode_cursor_ioctl+0x41/0x50 [drm]
         [<ffffffffa01f5ca2>] drm_ioctl+0x502/0x630 [drm]
         [<ffffffff815cbab4>] ? __do_page_fault+0x1f4/0x510
         [<ffffffff8101cb68>] ? __restore_xstate_sig+0x218/0x4f0
         [<ffffffff811b4445>] do_vfs_ioctl+0x2e5/0x4d0
         [<ffffffff8124488e>] ? file_has_perm+0x8e/0xa0
         [<ffffffff811b46b1>] SyS_ioctl+0x81/0xa0
         [<ffffffff815d05d9>] system_call_fastpath+0x16/0x1b
        Code:  Bad RIP value.
        RIP  [<          (null)>]           (null)
         RSP <ffff88016c885ad8>
        CR2: 0000000000000000
      Signed-off-by: default avatarRob Clark <rclark@redhat.com>
      Reviewed-by: default avatarJérôme Glisse <jglisse@redhat.com>
      Reviewed-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf828d9f
    • Amitkumar Karwar's avatar
      mwifiex: copy AP's HT capability info correctly · c7fc368e
      Amitkumar Karwar authored
      commit c99b1861 upstream.
      
      While preparing association request, intersection of device's HT
      capability information and corresponding fields advertised by AP
      is used.
      
      This patch fixes an error while copying this field from AP's
      beacon.
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7fc368e
    • Sujith Manoharan's avatar
      ath9k: Fix ETSI compliance for AR9462 2.0 · 8509583a
      Sujith Manoharan authored
      commit b3050248 upstream.
      
      The minimum CCA power threshold values have to be adjusted
      for existing cards to be in compliance with new regulations.
      Newer cards will make use of the values obtained from EEPROM,
      support for this was added earlier. To make sure that cards
      that are already in use and don't have proper values in EEPROM,
      do not violate regulations, use the initvals instead.
      Reported-by: default avatarJeang Daniel <dyjeong@qca.qualcomm.com>
      Signed-off-by: default avatarSujith Manoharan <c_manoha@qca.qualcomm.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8509583a
    • Emmanuel Grumbach's avatar
      mac80211: fix AP powersave TX vs. wakeup race · 46a5a549
      Emmanuel Grumbach authored
      commit 1d147bfa upstream.
      
      There is a race between the TX path and the STA wakeup: while
      a station is sleeping, mac80211 buffers frames until it wakes
      up, then the frames are transmitted. However, the RX and TX
      path are concurrent, so the packet indicating wakeup can be
      processed while a packet is being transmitted.
      
      This can lead to a situation where the buffered frames list
      is emptied on the one side, while a frame is being added on
      the other side, as the station is still seen as sleeping in
      the TX path.
      
      As a result, the newly added frame will not be send anytime
      soon. It might be sent much later (and out of order) when the
      station goes to sleep and wakes up the next time.
      
      Additionally, it can lead to the crash below.
      
      Fix all this by synchronising both paths with a new lock.
      Both path are not fastpath since they handle PS situations.
      
      In a later patch we'll remove the extra skb queue locks to
      reduce locking overhead.
      
      BUG: unable to handle kernel
      NULL pointer dereference at 000000b0
      IP: [<ff6f1791>] ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
      *pde = 00000000
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      EIP: 0060:[<ff6f1791>] EFLAGS: 00210282 CPU: 1
      EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
      EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000
      ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
      Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000)
      iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9
      Stack:
       e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0
       ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210
       ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002
      Call Trace:
       [<ff6f1b75>] ieee80211_free_txskb+0x15/0x20 [mac80211]
       [<ff723dc1>] invoke_tx_handlers+0x1661/0x1780 [mac80211]
       [<ff7248a5>] ieee80211_tx+0x75/0x100 [mac80211]
       [<ff7249bf>] ieee80211_xmit+0x8f/0xc0 [mac80211]
       [<ff72550e>] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211]
       [<c149ef70>] dev_hard_start_xmit+0x450/0x950
       [<c14b9aa9>] sch_direct_xmit+0xa9/0x250
       [<c14b9c9b>] __qdisc_run+0x4b/0x150
       [<c149f732>] dev_queue_xmit+0x2c2/0xca0
      Reported-by: default avatarYaara Rozenblum <yaara.rozenblum@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Reviewed-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      [reword commit log, use a separate lock]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46a5a549
    • Daniel Borkmann's avatar
      net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable · 18684dfb
      Daniel Borkmann authored
      [ Upstream commit ec0223ec ]
      
      RFC4895 introduced AUTH chunks for SCTP; during the SCTP
      handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
      being optional though):
      
        ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
        <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
      
      A special case is when an endpoint requires COOKIE-ECHO
      chunks to be authenticated:
      
        ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
        <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
        ------------------ AUTH; COOKIE-ECHO ---------------->
        <-------------------- COOKIE-ACK ---------------------
      
      RFC4895, section 6.3. Receiving Authenticated Chunks says:
      
        The receiver MUST use the HMAC algorithm indicated in
        the HMAC Identifier field. If this algorithm was not
        specified by the receiver in the HMAC-ALGO parameter in
        the INIT or INIT-ACK chunk during association setup, the
        AUTH chunk and all the chunks after it MUST be discarded
        and an ERROR chunk SHOULD be sent with the error cause
        defined in Section 4.1. [...] If no endpoint pair shared
        key has been configured for that Shared Key Identifier,
        all authenticated chunks MUST be silently discarded. [...]
      
        When an endpoint requires COOKIE-ECHO chunks to be
        authenticated, some special procedures have to be followed
        because the reception of a COOKIE-ECHO chunk might result
        in the creation of an SCTP association. If a packet arrives
        containing an AUTH chunk as a first chunk, a COOKIE-ECHO
        chunk as the second chunk, and possibly more chunks after
        them, and the receiver does not have an STCB for that
        packet, then authentication is based on the contents of
        the COOKIE-ECHO chunk. In this situation, the receiver MUST
        authenticate the chunks in the packet by using the RANDOM
        parameters, CHUNKS parameters and HMAC_ALGO parameters
        obtained from the COOKIE-ECHO chunk, and possibly a local
        shared secret as inputs to the authentication procedure
        specified in Section 6.3. If authentication fails, then
        the packet is discarded. If the authentication is successful,
        the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
        MUST be processed. If the receiver has an STCB, it MUST
        process the AUTH chunk as described above using the STCB
        from the existing association to authenticate the
        COOKIE-ECHO chunk and all the chunks after it. [...]
      
      Commit bbd0d598 introduced the possibility to receive
      and verification of AUTH chunk, including the edge case for
      authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
      the function sctp_sf_do_5_1D_ce() handles processing,
      unpacks and creates a new association if it passed sanity
      checks and also tests for authentication chunks being
      present. After a new association has been processed, it
      invokes sctp_process_init() on the new association and
      walks through the parameter list it received from the INIT
      chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
      and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
      meta data (peer_random, peer_hmacs, peer_chunks) in case
      sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
      SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
      peer_random != NULL and peer_hmacs != NULL the peer is to be
      assumed asoc->peer.auth_capable=1, in any other case
      asoc->peer.auth_capable=0.
      
      Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
      available, we set up a fake auth chunk and pass that on to
      sctp_sf_authenticate(), which at latest in
      sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
      at position 0..0008 when setting up the crypto key in
      crypto_hash_setkey() by using asoc->asoc_shared_key that is
      NULL as condition key_id == asoc->active_key_id is true if
      the AUTH chunk was injected correctly from remote. This
      happens no matter what net.sctp.auth_enable sysctl says.
      
      The fix is to check for net->sctp.auth_enable and for
      asoc->peer.auth_capable before doing any operations like
      sctp_sf_authenticate() as no key is activated in
      sctp_auth_asoc_init_active_key() for each case.
      
      Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
      passed from the INIT chunk was not used in the AUTH chunk, we
      SHOULD send an error; however in this case it would be better
      to just silently discard such a maliciously prepared handshake
      as we didn't even receive a parameter at all. Also, as our
      endpoint has no shared key configured, section 6.3 says that
      MUST silently discard, which we are doing from now onwards.
      
      Before calling sctp_sf_pdiscard(), we need not only to free
      the association, but also the chunk->auth_chunk skb, as
      commit bbd0d598 created a skb clone in that case.
      
      I have tested this locally by using netfilter's nfqueue and
      re-injecting packets into the local stack after maliciously
      modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
      and the SCTP packet containing the COOKIE_ECHO (injecting
      AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
      
      Fixes: bbd0d598 ("[SCTP]: Implement the receive and verification of AUTH chunk")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <yasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18684dfb
    • Michael Chan's avatar
      tg3: Don't check undefined error bits in RXBD · fc8927f2
      Michael Chan authored
      [ Upstream commit d7b95315 ]
      
      Redefine the RXD_ERR_MASK to include only relevant error bits. This fixes
      a customer reported issue of randomly dropping packets on the 5719.
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc8927f2
    • Jason Wang's avatar
      virtio-net: alloc big buffers also when guest can receive UFO · 73c64222
      Jason Wang authored
      [ Upstream commit 0e7ede80 ]
      
      We should alloc big buffers also when guest can receive UFO
      packets to let the big packets fit into guest rx buffer.
      
      Fixes 5c516751
      (virtio-net: Allow UFO feature to be set and advertised.)
      
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Cc: Sridhar Samudrala <sri@us.ibm.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73c64222
    • George McCollister's avatar
      sched: Fix double normalization of vruntime · 6ba4d1d9
      George McCollister authored
      commit 791c9e02 upstream.
      
      dequeue_entity() is called when p->on_rq and sets se->on_rq = 0
      which appears to guarentee that the !se->on_rq condition is met.
      If the task has done set_current_state(TASK_INTERRUPTIBLE) without
      schedule() the second condition will be met and vruntime will be
      incorrectly adjusted twice.
      
      In certain cases this can result in the task's vruntime never increasing
      past the vruntime of other tasks on the CFS' run queue, starving them of
      CPU time.
      
      This patch changes switched_from_fair() to use !p->on_rq instead of
      !se->on_rq.
      
      I'm able to cause a task with a priority of 120 to starve all other
      tasks with the same priority on an ARM platform running 3.2.51-rt72
      PREEMPT RT by writing one character at time to a serial tty (16550 UART)
      in a tight loop. I'm also able to verify making this change corrects the
      problem on that platform and kernel version.
      Signed-off-by: default avatarGeorge McCollister <george.mccollister@gmail.com>
      Signed-off-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/1392767811-28916-1-git-send-email-george.mccollister@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ba4d1d9
    • Al Viro's avatar
      ocfs2 syncs the wrong range... · efcb9185
      Al Viro authored
      commit 1b56e989 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      efcb9185
    • Jan Kara's avatar
      ocfs2: fix quota file corruption · e7f76c83
      Jan Kara authored
      commit 15c34a76 upstream.
      
      Global quota files are accessed from different nodes.  Thus we cannot
      cache offset of quota structure in the quota file after we drop our node
      reference count to it because after that moment quota structure may be
      freed and reallocated elsewhere by a different node resulting in
      corruption of quota file.
      
      Fix the problem by clearing dq_off when we are releasing dquot structure.
      We also remove the DB_READ_B handling because it is useless -
      DQ_ACTIVE_B is set iff DQ_READ_B is set.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Reviewed-by: default avatarMark Fasheh <mfasheh@suse.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7f76c83
  2. 11 Mar, 2014 18 commits