1. 07 Apr, 2013 18 commits
    • David S. Miller's avatar
      Merge branch 'infoleaks' · f89e8a64
      David S. Miller authored
      Mathias Krause says:
      
      ====================
      a few more info leak fixes in the recvmsg path. The error pattern here
      is the protocol specific recvmsg function is missing the msg_namelen
      assignment -- either completely or in early exit paths that do not
      result in errors in __sys_recvmsg()/sys_recvfrom() and, in turn, make
      them call move_addr_to_user(), leaking the then still uninitialized
      sockaddr_storage stack variable to userland.
      
      My audit was initiated by a rather coarse fix of the leak that can be
      found in the grsecurity patch, putting a penalty on protocols complying
      to the rules of recvmsg. So credits for finding the leak in the recvmsg
      path in __sys_recvmsg() should go to Brad!
      
      The buggy protocols/subsystems are rather obscure anyway. As a missing
      assignment of msg_namelen coupled with a missing filling of msg_name
      would only result in garbage -- the leak -- in case userland would care
      about that information, i.e. would provide a msg_name pointer. But
      obviously current userland does not.
      
      While auditing the code for the above pattern I found a few more
      'uninitialized members' kind of leaks related to the msg_name filling.
      Those are fixed in this series, too.
      
      I have to admit, I failed to test all of the patches due to missing
      hardware, e.g. iucv depends on S390 -- hardware I've no access to :/
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f89e8a64
    • Mathias Krause's avatar
      VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg() · d5e0d0f6
      Mathias Krause authored
      The code misses to update the msg_namelen member to 0 and therefore
      makes net/socket.c leak the local, uninitialized sockaddr_storage
      variable to userland -- 128 bytes of kernel stack memory.
      
      Cc: Andy King <acking@vmware.com>
      Cc: Dmitry Torokhov <dtor@vmware.com>
      Cc: George Zhang <georgezhang@vmware.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d5e0d0f6
    • Mathias Krause's avatar
      VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue() · 680d04e0
      Mathias Krause authored
      In case we received no data on the call to skb_recv_datagram(), i.e.
      skb->data is NULL, vmci_transport_dgram_dequeue() will return with 0
      without updating msg_namelen leading to net/socket.c leaking the local,
      uninitialized sockaddr_storage variable to userland -- 128 bytes of
      kernel stack memory.
      
      Fix this by moving the already existing msg_namelen assignment a few
      lines above.
      
      Cc: Andy King <acking@vmware.com>
      Cc: Dmitry Torokhov <dtor@vmware.com>
      Cc: George Zhang <georgezhang@vmware.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      680d04e0
    • Mathias Krause's avatar
      tipc: fix info leaks via msg_name in recv_msg/recv_stream · 60085c3d
      Mathias Krause authored
      The code in set_orig_addr() does not initialize all of the members of
      struct sockaddr_tipc when filling the sockaddr info -- namely the union
      is only partly filled. This will make recv_msg() and recv_stream() --
      the only users of this function -- leak kernel stack memory as the
      msg_name member is a local variable in net/socket.c.
      
      Additionally to that both recv_msg() and recv_stream() fail to update
      the msg_namelen member to 0 while otherwise returning with 0, i.e.
      "success". This is the case for, e.g., non-blocking sockets. This will
      lead to a 128 byte kernel stack leak in net/socket.c.
      
      Fix the first issue by initializing the memory of the union with
      memset(0). Fix the second one by setting msg_namelen to 0 early as it
      will be updated later if we're going to fill the msg_name member.
      
      Cc: Jon Maloy <jon.maloy@ericsson.com>
      Cc: Allan Stephens <allan.stephens@windriver.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      60085c3d
    • Mathias Krause's avatar
      rose: fix info leak via msg_name in rose_recvmsg() · 4a184233
      Mathias Krause authored
      The code in rose_recvmsg() does not initialize all of the members of
      struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
      Nor does it initialize the padding bytes of the structure inserted by
      the compiler for alignment. This will lead to leaking uninitialized
      kernel stack bytes in net/socket.c.
      
      Fix the issue by initializing the memory used for sockaddr info with
      memset(0).
      
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4a184233
    • Mathias Krause's avatar
      NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() · d26d6504
      Mathias Krause authored
      The code in llcp_sock_recvmsg() does not initialize all the members of
      struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
      initialize the padding bytes of the structure inserted by the compiler
      for alignment.
      
      Also, if the socket is in state LLCP_CLOSED or is shutting down during
      receive the msg_namelen member is not updated to 0 while otherwise
      returning with 0, i.e. "success". The msg_namelen update is also
      missing for stream and seqpacket sockets which don't fill the sockaddr
      info.
      
      Both issues lead to the fact that the code will leak uninitialized
      kernel stack bytes in net/socket.c.
      
      Fix the first issue by initializing the memory used for sockaddr info
      with memset(0). Fix the second one by setting msg_namelen to 0 early.
      It will be updated later if we're going to fill the msg_name member.
      
      Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
      Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d26d6504
    • Mathias Krause's avatar
      netrom: fix info leak via msg_name in nr_recvmsg() · 3ce5efad
      Mathias Krause authored
      In case msg_name is set the sockaddr info gets filled out, as
      requested, but the code fails to initialize the padding bytes of
      struct sockaddr_ax25 inserted by the compiler for alignment. Also
      the sax25_ndigis member does not get assigned, leaking four more
      bytes.
      
      Both issues lead to the fact that the code will leak uninitialized
      kernel stack bytes in net/socket.c.
      
      Fix both issues by initializing the memory with memset(0).
      
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ce5efad
    • Mathias Krause's avatar
      llc: Fix missing msg_namelen update in llc_ui_recvmsg() · c77a4b9c
      Mathias Krause authored
      For stream sockets the code misses to update the msg_namelen member
      to 0 and therefore makes net/socket.c leak the local, uninitialized
      sockaddr_storage variable to userland -- 128 bytes of kernel stack
      memory. The msg_namelen update is also missing for datagram sockets
      in case the socket is shutting down during receive.
      
      Fix both issues by setting msg_namelen to 0 early. It will be
      updated later if we're going to fill the msg_name member.
      
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c77a4b9c
    • Mathias Krause's avatar
      l2tp: fix info leak in l2tp_ip6_recvmsg() · b860d3cc
      Mathias Krause authored
      The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
      struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
      in l2tp_ip6_recvmsg() in case msg_name is set.
      
      Initialize l2tp_conn_id with 0 to avoid the info leak.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b860d3cc
    • Mathias Krause's avatar
      iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() · a5598bd9
      Mathias Krause authored
      The current code does not fill the msg_name member in case it is set.
      It also does not set the msg_namelen member to 0 and therefore makes
      net/socket.c leak the local, uninitialized sockaddr_storage variable
      to userland -- 128 bytes of kernel stack memory.
      
      Fix that by simply setting msg_namelen to 0 as obviously nobody cared
      about iucv_sock_recvmsg() not filling the msg_name in case it was set.
      
      Cc: Ursula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5598bd9
    • Mathias Krause's avatar
      irda: Fix missing msg_namelen update in irda_recvmsg_dgram() · 5ae94c0d
      Mathias Krause authored
      The current code does not fill the msg_name member in case it is set.
      It also does not set the msg_namelen member to 0 and therefore makes
      net/socket.c leak the local, uninitialized sockaddr_storage variable
      to userland -- 128 bytes of kernel stack memory.
      
      Fix that by simply setting msg_namelen to 0 as obviously nobody cared
      about irda_recvmsg_dgram() not filling the msg_name in case it was
      set.
      
      Cc: Samuel Ortiz <samuel@sortiz.org>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ae94c0d
    • Mathias Krause's avatar
      caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() · 2d6fbfe7
      Mathias Krause authored
      The current code does not fill the msg_name member in case it is set.
      It also does not set the msg_namelen member to 0 and therefore makes
      net/socket.c leak the local, uninitialized sockaddr_storage variable
      to userland -- 128 bytes of kernel stack memory.
      
      Fix that by simply setting msg_namelen to 0 as obviously nobody cared
      about caif_seqpkt_recvmsg() not filling the msg_name in case it was
      set.
      
      Cc: Sjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d6fbfe7
    • Mathias Krause's avatar
      Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg() · c8c49917
      Mathias Krause authored
      If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
      the flags, sco_sock_recvmsg() returns early with 0 without updating the
      possibly set msg_namelen member. This, in turn, leads to a 128 byte
      kernel stack leak in net/socket.c.
      
      Fix this by updating msg_namelen in this case. For all other cases it
      will be handled in bt_sock_recvmsg().
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8c49917
    • Mathias Krause's avatar
      Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() · e11e0455
      Mathias Krause authored
      If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
      early with 0 without updating the possibly set msg_namelen member. This,
      in turn, leads to a 128 byte kernel stack leak in net/socket.c.
      
      Fix this by updating msg_namelen in this case. For all other cases it
      will be handled in bt_sock_stream_recvmsg().
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e11e0455
    • Mathias Krause's avatar
      Bluetooth: fix possible info leak in bt_sock_recvmsg() · 4683f42f
      Mathias Krause authored
      In case the socket is already shutting down, bt_sock_recvmsg() returns
      with 0 without updating msg_namelen leading to net/socket.c leaking the
      local, uninitialized sockaddr_storage variable to userland -- 128 bytes
      of kernel stack memory.
      
      Fix this by moving the msg_namelen assignment in front of the shutdown
      test.
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4683f42f
    • Mathias Krause's avatar
      ax25: fix info leak via msg_name in ax25_recvmsg() · ef3313e8
      Mathias Krause authored
      When msg_namelen is non-zero the sockaddr info gets filled out, as
      requested, but the code fails to initialize the padding bytes of struct
      sockaddr_ax25 inserted by the compiler for alignment. Additionally the
      msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
      not always filled up to this size.
      
      Both issues lead to the fact that the code will leak uninitialized
      kernel stack bytes in net/socket.c.
      
      Fix both issues by initializing the memory with memset(0).
      
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ef3313e8
    • Mathias Krause's avatar
      atm: update msg_namelen in vcc_recvmsg() · 9b3e617f
      Mathias Krause authored
      The current code does not fill the msg_name member in case it is set.
      It also does not set the msg_namelen member to 0 and therefore makes
      net/socket.c leak the local, uninitialized sockaddr_storage variable
      to userland -- 128 bytes of kernel stack memory.
      
      Fix that by simply setting msg_namelen to 0 as obviously nobody cared
      about vcc_recvmsg() not filling the msg_name in case it was set.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b3e617f
    • Christoph Paasch's avatar
      ipv6/tcp: Stop processing ICMPv6 redirect messages · 50a75a89
      Christoph Paasch authored
      Tetja Rediske found that if the host receives an ICMPv6 redirect message
      after sending a SYN+ACK, the connection will be reset.
      
      He bisected it down to 093d04d4 (ipv6: Change skb->data before using
      icmpv6_notify() to propagate redirect), but the origin of the bug comes
      from ec18d9a2 (ipv6: Add redirect support to all protocol icmp error
      handlers.). The bug simply did not trigger prior to 093d04d4, because
      skb->data did not point to the inner IP header and thus icmpv6_notify
      did not call the correct err_handler.
      
      This patch adds the missing "goto out;" in tcp_v6_err. After receiving
      an ICMPv6 Redirect, we should not continue processing the ICMP in
      tcp_v6_err, as this may trigger the removal of request-socks or setting
      sk_err(_soft).
      Reported-by: default avatarTetja Rediske <tetja@tetja.de>
      Signed-off-by: default avatarChristoph Paasch <christoph.paasch@uclouvain.be>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50a75a89
  2. 05 Apr, 2013 22 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 53f63189
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix erroneous sock_orphan() leading to crashes and double
          kfree_skb() in NFC protocol.  From Thierry Escande and Samuel Ortiz.
      
       2) Fix use after free in remain-on-channel mac80211 code, from Johannes
          Berg.
      
       3) nf_reset() needs to reset the NF tracing cookie, otherwise we can
          leak it from one namespace into another.  Fix from Gao Feng and
          Patrick McHardy.
      
       4) Fix overflow in channel scanning array of mwifiex driver, from Stone
          Piao.
      
       5) Fix loss of link after suspend/shutdown in r8169, from Hayes Wang.
      
       6) Synchronization of unicast address lists to the undelying device
          doesn't work because whether to sync is maintained as a boolean
          rather than a true count.  Fix from Vlad Yasevich.
      
       7) Fix corruption of TSO packets in atl1e by limiting the segmented
          packet length.  From Hannes Frederic Sowa.
      
       8) Revert bogus AF_UNIX credential passing change and fix the
          coalescing issue properly, from Eric W Biederman.
      
       9) Changes of ipv4 address lifetime settings needs to generate a
          notification, from Jiri Pirko.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (22 commits)
        netfilter: don't reset nf_trace in nf_reset()
        net: ipv4: notify when address lifetime changes
        ixgbe: fix registration order of driver and DCA nofitication
        af_unix: If we don't care about credentials coallesce all messages
        Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
        bonding: remove sysfs before removing devices
        atl1e: limit gso segment size to prevent generation of wrong ip length fields
        net: count hw_addr syncs so that unsync works properly.
        r8169: fix auto speed down issue
        netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
        mwifiex: limit channel number not to overflow memory
        NFC: microread: Fix build failure due to a new MEI bus API
        iwlwifi: dvm: fix the passive-no-RX workaround
        netfilter: nf_conntrack: fix error return code
        NFC: llcp: Keep the connected socket parent pointer alive
        mac80211: fix idle handling sequence
        netfilter: nfnetlink_acct: return -EINVAL if object name is empty
        netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
        netfilter: reset nf_trace in nf_reset
        mac80211: fix remain-on-channel cancel crash
        ...
      53f63189
    • Patrick McHardy's avatar
      netfilter: don't reset nf_trace in nf_reset() · 124dff01
      Patrick McHardy authored
      Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code
      to reset nf_trace in nf_reset(). This is wrong and unnecessary.
      
      nf_reset() is used in the following cases:
      
      - when passing packets up the the socket layer, at which point we want to
        release all netfilter references that might keep modules pinned while
        the packet is queued. nf_trace doesn't matter anymore at this point.
      
      - when encapsulating or decapsulating IPsec packets. We want to continue
        tracing these packets after IPsec processing.
      
      - when passing packets through virtual network devices. Only devices on
        that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
        used anymore. Its not entirely clear whether those packets should
        be traced after that, however we've always done that.
      
      - when passing packets through virtual network devices that make the
        packet cross network namespace boundaries. This is the only cases
        where we clearly want to reset nf_trace and is also what the
        original patch intended to fix.
      
      Add a new function nf_reset_trace() and use it in dev_forward_skb() to
      fix this properly.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      124dff01
    • Linus Torvalds's avatar
      Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · 6cfa9238
      Linus Torvalds authored
      Pull MIPS fixes from Ralf Baechle:
       "Fixes for a number of small glitches in various corners of the MIPS
        tree.  No particular areas is standing out.
      
        With this applied all MIPS defconfigs are building fine.  No merge
        conflicts are expected."
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: Delete definition of SA_RESTORER.
        MIPS: Fix ISA level which causes secondary cache init bypassing and more
        MIPS: Fix build error cavium-octeon without CONFIG_SMP
        MIPS: Kconfig: Rename SNIPROM too
        MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI"
        MIPS: Unbreak function tracer for 64-bit kernel.
      6cfa9238
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes · 00fa6fe9
      Linus Torvalds authored
      Pull GFS2 fixes from Steven Whitehouse:
       "There are two patches which fix up a couple of minor issues in the DLM
        interface code, a missing error path in gfs2_rs_alloc(), one patch
        which fixes a problem during "withdraw" and a fix for discards/FITRIM
        when using 4k sector sized devices."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes:
        GFS2: Issue discards in 512b sectors
        GFS2: Fix unlock of fcntl locks during withdrawn state
        GFS2: return error if malloc failed in gfs2_rs_alloc()
        GFS2: use memchr_inv
        GFS2: use kmalloc for lvb bitmap
      00fa6fe9
    • Mike Marciniszyn's avatar
      firmware,IB/qib: revert firmware file move · ff802e31
      Mike Marciniszyn authored
      Commit e2eed58b ("IB/qib: change QLogic to Intel") moved a firmware
      file potentially breaking the ABI.
      
      This patch reverts that aspect of the fix as well as reverting the
      firmware name as used in qib.
      Reported-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ff802e31
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc · e0a77f26
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A bunch of small driver fixes plus a fix for error handling in the
        core - nothing too exciting overall."
      
      * tag 'spi-fix-v3.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
        spi/mpc512x-psc: optionally keep PSC SS asserted across xfer segmensts
        spi: Unlock a spinlock before calling into the controller driver.
        spi/s3c64xx: modified error interrupt handling and init
        spi/bcm63xx: don't disable non enabled clocks in probe error path
        spi/bcm63xx: Remove unused variable
        spi: slink-tegra20: move runtime pm calls to transfer_one_message
      e0a77f26
    • Bob Peterson's avatar
      GFS2: Issue discards in 512b sectors · b2c87cae
      Bob Peterson authored
      This patch changes GFS2's discard issuing code so that it calls
      function sb_issue_discard rather than blkdev_issue_discard. The
      code was calling blkdev_issue_discard and specifying the correct
      sector offset and sector size, but blkdev_issue_discard expects
      these values to be in terms of 512 byte sectors, even if the native
      sector size for the device is different. Calling sb_issue_discard
      with the BLOCK size instead ensures the correct block-to-512b-sector
      translation. I verified that "minlen" is specified in blocks, so
      comparing it to a number of blocks is correct.
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      Signed-off-by: default avatarSteven Whitehouse <swhiteho@redhat.com>
      b2c87cae
    • Johan Hovold's avatar
      Revert "drivers/rtc/rtc-at91rm9200.c: use a variable for storing IMR" · e24b0bfa
      Johan Hovold authored
      This reverts commit 0ef1594c.
      
      This patch introduced a few races which cannot be easily fixed with a
      small follow-up patch. Furthermore, the SoC with the broken hardware
      register, which this patch intended to add support for, can only be used
      with device trees, which this driver currently does not support.
      
      [ Here is the discussion that led to this "revert" patch:
        https://lkml.org/lkml/2013/4/3/176 ]
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e24b0bfa
    • Linus Torvalds's avatar
      Merge tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux · c4c80f63
      Linus Torvalds authored
      Pull fbdev fixes from Tomi Valkeinen:
       "Fix uvesafb crash bug and typoed flag name in fbmon's new videomode
        code"
      
      * tag 'fbdev-fixes-3.9-rc6' of git://gitorious.org/linux-omap-dss2/linux:
        video:uvesafb: Fix dereference NULL pointer code path
        fbmon: use VESA_DMT_VSYNC_HIGH to fix typo
      c4c80f63
    • Linus Torvalds's avatar
      Merge tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 8f09aacf
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This contains slightly more volumes than usual at this stage, mostly
        because of my vacation in the last week.  Nothing to scare, all small
        and/or trivial fixes:
      
         - Fix loop path handling in ASoC DAPM
         - Some memory handling fixes in ASoC core
         - Fix spear_pcm to adapt to the updated API
         - HD-audio HDMI ELD handling fixes
         - Fix for CM6331 USB-audio SRC change bugs
         - Revert power_save_controller option change due to user-space usage
         - A few other small ASoC and HD-audio fixes"
      
      * tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/generic - fix uninitialized variable
        Revert "ALSA: hda - Allow power_save_controller option override DCAPS"
        ALSA: hda - fix typo in proc output
        ALSA: hda - Enabling Realtek ALC 671 codec
        ALSA: usb: Work around CM6631 sample rate change bug
        ALSA: hda - bug fix on HDMI ELD debug message
        ALSA: hda - bug fix on return value when getting HDMI ELD info
        ASoC: dma-sh7760: Fix compile error
        ASoC: core: fix invalid free of devm_ allocated data
        ASoC: spear_pcm: Update to new pcm_new() API
        ASoC:: max98090: Remove executable bit
        ASoC: dapm: Fix pointer dereference in is_connected_output_ep()
        ASoC: pcm030 audio fabric: remove __init from probe
        ASoC: imx-ssi: Fix occasional AC97 reset failure
        ASoC: core: fix possible memory leak in snd_soc_bytes_put()
        ASoC: wm_adsp: fix possible memory leak in wm_adsp_load_coeff()
        ASoC: dapm: Fix handling of loops
        ASoC: si476x: Add missing break for SNDRV_PCM_FORMAT_S8 switch case
      8f09aacf
    • Ralf Baechle's avatar
      MIPS: Delete definition of SA_RESTORER. · 80fa8181
      Ralf Baechle authored
      SA_RESTORER used to be defined as 0x04000000 but only the O32 ABI ever
      supported its use and no libc was using it, so the entire sa-restorer
      functionality was removed with lmo commit 39bffc12c3580ab [Zap sa_restorer.]
      for 2.5.48 retaining only the SA_RESTORER definition as a reminder to avoid
      accidental reuse of the mask bit.
      
      Upstream cdef9602 [signal: always clear
      sa_restorer on execve] adds code that assumes sa_sigaction has an
      sa_restorer field, if SA_RESTORER is defined which would break MIPS.
      So remove the SA_RESTORER definition before the v3.8.4 merge.
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      (cherry picked from commit 17da8d63add23830892ac4dc2cbb3b5d4ffb79a8)
      80fa8181
    • Deng-Cheng Zhu's avatar
      MIPS: Fix ISA level which causes secondary cache init bypassing and more · adb37892
      Deng-Cheng Zhu authored
      The commit a96102be introduced set_isa() where compatible ISA info is
      also set aside from the one gets passed in. It means, for example, 1004K
      will have MIPS_CPU_ISA_M32R2/M32R1/II/I flags. This leads to things like
      the following inappropriate:
      
      if (c->isa_level == MIPS_CPU_ISA_M32R1 ||
          c->isa_level == MIPS_CPU_ISA_M32R2 ||
          c->isa_level == MIPS_CPU_ISA_M64R1 ||
          c->isa_level == MIPS_CPU_ISA_M64R2)
      
      This patch fixes it.
      Signed-off-by: default avatarDeng-Cheng Zhu <dengcheng.zhu@imgtec.com>
      Cc: Steven J. Hill <Steven.Hill@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      adb37892
    • EunBong Song's avatar
      MIPS: Fix build error cavium-octeon without CONFIG_SMP · ed1197f9
      EunBong Song authored
      Singed-off-by: default avatarEunBong Song <eunb.song@samsung.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      ed1197f9
    • Paul Bolle's avatar
      MIPS: Kconfig: Rename SNIPROM too · aaa9fad3
      Paul Bolle authored
      CONFIG_SNIPROM was renamed to CONFIG_FW_SNIPROM in v3.8. Let's rename
      SNIPROM itself too.
      Signed-off-by: default avatarPaul Bolle <pebolle@tiscali.nl>
      Cc: linux-mips@linux-mips.org;
      Cc: linux-kernel@vger.kernel.org
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      aaa9fad3
    • Paul Bolle's avatar
      MIPS: Alchemy: Fix typo "CONFIG_DEBUG_PCI" · 143f0f65
      Paul Bolle authored
      Commit 7517de34 ("MIPS: Alchemy: Redo
      PCI as platform driver") added a reference to CONFIG_DEBUG_PCI. Change
      it to CONFIG_PCI_DEBUG, as that is a valid Kconfig macro.
      
      Also add a newline to a debugging printk that this fix enables.
      Signed-off-by: default avatarPaul Bolle <pebolle@tiscali.nl>
      Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      143f0f65
    • David Daney's avatar
      MIPS: Unbreak function tracer for 64-bit kernel. · ad8c3969
      David Daney authored
      Commit 58b69401 [MIPS: Function tracer: Fix broken function tracing]
      completely broke the function tracer for 64-bit kernels.  The symptom is
      a system hang very early in the boot process.
      
      The fix: Remove/fix $sp adjustments for 64-bit case.
      Signed-off-by: default avatarDavid Daney <david.daney@cavium.com>
      Cc: linux-mips@linux-mips.org
      Cc: Al Cooper <alcooperx@gmail.com>
      Cc: viric@viric.name
      Cc: stable@vger.kernel.org # 3.8.x
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      ad8c3969
    • Jiri Slaby's avatar
      ALSA: hda/generic - fix uninitialized variable · 868211db
      Jiri Slaby authored
      changed is not initialized in path_power_down_sync, but it is expected
      to be false in case no change happened in the loop. So set it to
      false.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      868211db
    • Jiri Pirko's avatar
      net: ipv4: notify when address lifetime changes · 34e2ed34
      Jiri Pirko authored
      if userspace changes lifetime of address, send netlink notification and
      call notifier.
      Signed-off-by: default avatarJiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      34e2ed34
    • Jakub Kicinski's avatar
      ixgbe: fix registration order of driver and DCA nofitication · f01fc1a8
      Jakub Kicinski authored
      ixgbe_notify_dca cannot be called before driver registration
      because it expects driver's klist_devices to be allocated and
      initialized. While on it make sure debugfs files are removed
      when registration fails.
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@intel.com>
      Tested-by: default avatarPhil Schmitt <phillip.j.schmitt@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f01fc1a8
    • Eric W. Biederman's avatar
      af_unix: If we don't care about credentials coallesce all messages · 0e82e7f6
      Eric W. Biederman authored
      It was reported that the following LSB test case failed
      https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
      were not coallescing unix stream messages when the application was
      expecting us to.
      
      The problem was that the first send was before the socket was accepted
      and thus sock->sk_socket was NULL in maybe_add_creds, and the second
      send after the socket was accepted had a non-NULL value for sk->socket
      and thus we could tell the credentials were not needed so we did not
      bother.
      
      The unnecessary credentials on the first message cause
      unix_stream_recvmsg to start verifying that all messages had the same
      credentials before coallescing and then the coallescing failed because
      the second message had no credentials.
      
      Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
      long standing pessimization which would fail to coallesce messages when
      reading from a unix stream socket if the senders were different even if
      we did not care about their credentials.
      
      I have tested this and verified that the in the LSB test case mentioned
      above that the messages do coallesce now, while the were failing to
      coallesce without this change.
      Reported-by: default avatarKarel Srot <ksrot@redhat.com>
      Reported-by: default avatarDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0e82e7f6
    • Eric W. Biederman's avatar
      Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" · 25da0e3e
      Eric W. Biederman authored
      This reverts commit 14134f65.
      
      The problem that the above patch was meant to address is that af_unix
      messages are not being coallesced because we are sending unnecesarry
      credentials.  Not sending credentials in maybe_add_creds totally
      breaks unconnected unix domain sockets that wish to send credentails
      to other sockets.
      
      In practice this break some versions of udev because they receive a
      message and the sending uid is bogus so they drop the message.
      Reported-by: default avatarSven Joachim <svenjoac@gmx.de>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25da0e3e
    • Veaceslav Falico's avatar
      bonding: remove sysfs before removing devices · 4de79c73
      Veaceslav Falico authored
      We have a race condition if we try to rmmod bonding and simultaneously add
      a bond master through sysfs. In bonding_exit() we first remove the devices
      (through rtnl_link_unregister() ) and only after that we remove the sysfs.
      If we manage to add a device through sysfs after that the devices were
      removed - we'll end up with that device/sysfs structure and with the module
      unloaded.
      
      Fix this by first removing the sysfs and only after that calling
      rtnl_link_unregister().
      Signed-off-by: default avatarVeaceslav Falico <vfalico@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4de79c73