1. 08 Jul, 2016 1 commit
    • Vegard Nossum's avatar
      apparmor: fix oops, validate buffer size in apparmor_setprocattr() · 30a46a46
      Vegard Nossum authored
      When proc_pid_attr_write() was changed to use memdup_user apparmor's
      (interface violating) assumption that the setprocattr buffer was always
      a single page was violated.
      
      The size test is not strictly speaking needed as proc_pid_attr_write()
      will reject anything larger, but for the sake of robustness we can keep
      it in.
      
      SMACK and SELinux look safe to me, but somebody else should probably
      have a look just in case.
      
      Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
      modified for the case that apparmor provides null termination.
      
      Fixes: bb646cdbReported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: Paul Moore <paul@paul-moore.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Reviewed-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      30a46a46
  2. 07 Jul, 2016 2 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · ac904ae6
      Linus Torvalds authored
      Pull block IO fixes from Jens Axboe:
       "Three small fixes that have been queued up and tested for this series:
      
         - A bug fix for xen-blkfront from Bob Liu, fixing an issue with
           incomplete requests during migration.
      
         - A fix for an ancient issue in retrieving the IO priority of a
           different PID than self, preventing that task from going away while
           we access it.  From Omar.
      
         - A writeback fix from Tahsin, fixing a case where we'd call ihold()
           with a zero ref count inode"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        block: fix use-after-free in sys_ioprio_get()
        writeback: inode cgroup wb switch should not call ihold()
        xen-blkfront: save uncompleted reqs in blkfront_resume()
      ac904ae6
    • Linus Torvalds's avatar
      Merge tag 'configfs-for-4.7' of git://git.infradead.org/users/hch/configfs · 4c2a8499
      Linus Torvalds authored
      Pull configfs fix from Christoph Hellwig:
       "A fix from Marek for ppos handling in configfs_write_bin_file, which
        was introduced in Linux 4.5, but didn't have any users until recently"
      
      * tag 'configfs-for-4.7' of git://git.infradead.org/users/hch/configfs:
        configfs: Remove ppos increment in configfs_write_bin_file
      4c2a8499
  3. 06 Jul, 2016 4 commits
    • Randy Dunlap's avatar
      init/Kconfig: keep Expert users menu together · 076501ff
      Randy Dunlap authored
      The "expert" menu was broken (split) such that all entries in it after
      KALLSYMS were displayed in the "General setup" area instead of in the
      "Expert users" area.  Fix this by adding one kconfig dependency.
      
      Yes, the Expert users menu is fragile.  Problems like this have happened
      several times in the past.  I will attempt to isolate the Expert users
      menu if there is interest in that.
      
      Fixes: 4d5d5664 ("x86: kallsyms: disable absolute percpu symbols on !SMP")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: stable@vger.kernel.org  # 4.6
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      076501ff
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · bc867651
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) All users of AF_PACKET's fanout feature want a symmetric packet
          header hash for load balancing purposes, so give it to them.
      
       2) Fix vlan state synchronization in e1000e, from Jarod Wilson.
      
       3) Use correct socket pointer in ip_skb_dst_mtu(), from Shmulik
          Ladkani.
      
       4) mlx5 bug fixes from Mohamad Haj Yahia, Daniel Jurgens, Matthew
          Finlay, Rana Shahout, and Shaker Daibes.  Mostly to do with
          operation timeouts and PCI error handling.
      
       5) Fix checksum handling in mirred packet action, from WANG Cong.
      
       6) Set skb->dev correctly when transmitting in !protect_frames case of
          macsec driver, from Daniel Borkmann.
      
       7) Fix MTU calculation in geneve driver, from Haishuang Yan.
      
       8) Missing netif_napi_del() in unregister path of qeth driver, from
          Ursula Braun.
      
       9) Handle malformed route netlink messages in decnet properly, from
          Vergard Nossum.
      
      10) Memory leak of percpu data in ipv6 routing code, from Martin KaFai
          Lau.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        ipv6: Fix mem leak in rt6i_pcpu
        net: fix decnet rtnexthop parsing
        cxgb4: update latest firmware version supported
        net/mlx5: Avoid setting unused var when modifying vport node GUID
        bonding: fix enslavement slave link notifications
        r8152: fix runtime function for RTL8152
        qeth: delete napi struct when removing a qeth device
        Revert "fsl/fman: fix error handling"
        fsl/fman: fix error handling
        cdc_ncm: workaround for EM7455 "silent" data interface
        RDS: fix rds_tcp_init() error path
        geneve: fix max_mtu setting
        net: phy: dp83867: Fix initialization of PHYCR register
        enc28j60: Fix race condition in enc28j60 driver
        net: stmmac: Fix null-function call in ISR on stmmac1000
        tipc: fix nl compat regression for link statistics
        net: bcmsysport: Device stats are unsigned long
        macsec: set actual real device for xmit when !protect_frames
        net_sched: fix mirrored packets checksum
        packet: Use symmetric hash for PACKET_FANOUT_HASH.
        ...
      bc867651
    • Linus Torvalds's avatar
      Merge tag 'sound-4.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 4cdbbbd1
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are a collection of small fixes: at this time, we've got a
        slightly high amount, but all small and trivial fixes, and nothing
        scary can be seen there"
      
      * tag 'sound-4.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (21 commits)
        ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup
        ALSA: timer: Fix negative queue usage by racy accesses
        ASoC: rt5645: fix reg-2f default value.
        ASoC: fsl_ssi: Fix number of words per frame for I2S-slave mode
        ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
        ALSA: hda - Add PCI ID for Kabylake-H
        ALSA: echoaudio: Fix memory allocation
        ASoC: Intel: atom: fix missing breaks that would cause the wrong operation to execute
        ALSA: hda - fix read before array start
        ASoC: cx20442: set tty->receiver_room in v253_open
        ASoC: ak4613: Enable cache usage to fix crashes on resume
        ASoC: wm8940: Enable cache usage to fix crashes on resume
        ASoC: Intel: Skylake: Initialize module list for Broxton
        ASoC: wm5102: Correct supported channels on trace compressed DAI
        ASoC: wm5110: Add missing route from OUT3R to SYSCLK
        ASoC: rt5670: fix HP Playback Volume control
        ASoC: hdmi-codec: select CONFIG_HDMI
        ASoC: davinci-mcasp: Fix dra7 DMA offset when using CFG port
        ASoC: hdac_hdmi: Fix potential NULL dereference
        ASoC: ak4613: Remove owner assignment from platform_driver
        ...
      4cdbbbd1
    • Linus Torvalds's avatar
      Merge tag 'chrome-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platform · 4d0a279c
      Linus Torvalds authored
      Pull chrome platform fix from Olof Johansson:
       "A single fix this time, closing a window where ioctl args are fetched
        twice"
      
      * tag 'chrome-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platform:
        platform/chrome: cros_ec_dev - double fetch bug in ioctl
      4d0a279c
  4. 05 Jul, 2016 11 commits
  5. 04 Jul, 2016 5 commits
  6. 03 Jul, 2016 5 commits
  7. 02 Jul, 2016 10 commits
    • Stefan Hauser's avatar
      net: phy: dp83867: Fix initialization of PHYCR register · b291c418
      Stefan Hauser authored
      When initializing the PHY control register, the FIFO depth bits are
      written without reading the previous register value, i.e. all other
      bits are overwritten with zero. This disables automatic MDI-X
      configuration, which is enabled by default. Fix initialization by doing
      a read/modify/write operation.
      Signed-off-by: default avatarStefan Hauser <stefan@shauser.net>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b291c418
    • Sergio Valverde's avatar
      enc28j60: Fix race condition in enc28j60 driver · 373819ec
      Sergio Valverde authored
      The interrupt worker code for the enc28j60 relies only on the TXIF flag to
      determinate if the packet transmission was completed. However the datasheet
      specifies in section 12.1.3 that TXERIF will clear the TXRTS after a
      transmit abort. Also in section 12.1.4 that TXIF will be set
      when TXRTS transitions from '1' to '0'. Therefore the TXIF flag is enabled
      during transmission errors.
      
      This causes a race condition, since the worker code will invoke
      enc28j60_tx_clear() -> netif_wake_queue(), potentially invoking the
      ndo_start_xmit function to send a new packet. The enc28j60_send_packet function
      uses a workqueue that invokes enc28j60_hw_tx(). In between this function is
      called, the worker from the interrupt handler will enter the path for error
      handler because of the TXERIF flag, causing to invoke enc28j60_tx_clear() again
      and releasing the packet scheduled for transmission, causing a kernel crash with
      due a NULL pointer.
      
      These crashes due a NULL pointer were observed under stress conditions of the
      device. A BUG_ON() sequence was used to validate the issue was fixed, and has
      been running without problems for 2 years now.
      Signed-off-by: default avatarDiego Dompe <dompe@hpe.com>
      Acked-by: default avatarSergio Valverde <sergio.valverde@hpe.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      373819ec
    • Matt Corallo's avatar
      net: stmmac: Fix null-function call in ISR on stmmac1000 · a8b7d770
      Matt Corallo authored
      (resent due to overhelpful mail client corrupting patch)
      
      At least on Meson GXBB, the CORE_IRQ_MTL_RX_OVERFLOW interrupt is thrown
      with the stmmac1000 driver, which does not support set_rx_tail_ptr. With
      this patch and the clock fixes, 1G ethernet works on ODROID-C2.
      Signed-off-by: default avatarMatt Corallo <git@bluematt.me>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8b7d770
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.7-rc6' of git://people.freedesktop.org/~airlied/linux · 99b0f54e
      Linus Torvalds authored
      Pull drm fixes frlm Dave Airlie:
       "Just some AMD and Intel fixes, the AMD ones are further production
        Polaris fixes, and the Intel ones fix some early timeouts, some PCI ID
        changes and a couple of other fixes.
      
        Still a bit Internet challenged here, hopefully end of next week will
        solve it"
      
      * tag 'drm-fixes-for-v4.7-rc6' of git://people.freedesktop.org/~airlied/linux:
        drm/i915: Fix missing unlock on error in i915_ppgtt_info()
        drm/amd/powerplay: workaround for UVD clock issue
        drm/amdgpu: add ACLK_CNTL setting for polaris10
        drm/amd/powerplay: fix issue uvd dpm can't enabled on Polaris11.
        drm/amd/powerplay: Workaround for Memory EDC Error on Polaris10.
        drm/i915: Removing PCI IDs that are no longer listed as Kabylake.
        drm/i915: Add more Kabylake PCI IDs.
        drm/i915: Avoid early timeout during AUX transfers
        drm/i915/hsw: Avoid early timeout during LCPLL disable/restore
        drm/i915/lpt: Avoid early timeout during FDI PHY reset
        drm/i915/bxt: Avoid early timeout during PLL enable
        drm/i915: Refresh cached DP port register value on resume
        drm/amd/powerplay: Update CKS on/ CKS off voltage offset calculation
        drm/amd/powerplay: disable FFC.
        drm/amd/powerplay: add some definition for FFC feature on polaris.
      99b0f54e
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 467ce769
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A few small driver-specific fixes for SPI, all in the normal important
        if you hit them category especially the rockchip driver fix which
        addresses a race which has been exposed more frequently with some
        recent performance improvements"
      
      * tag 'spi-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: sunxi: fix transfer timeout
        spi: sun4i: fix FIFO limit
        spi: rockchip: Signal unfinished DMA transfers
        spi: spi-ti-qspi: Suspend the queue before removing the device
      467ce769
    • Linus Torvalds's avatar
      Merge tag 'regulator-fix-v4.7-rc5' of... · a2b0db5b
      Linus Torvalds authored
      Merge tag 'regulator-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "Two small fixes for the regulator subsystem - one fixing a crash with
        one of the devices supported by the max77620 driver, another fixing
        startup for the anatop regulator when it starts up with the regulator
        in bypass mode"
      
      * tag 'regulator-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: max77620: check for valid regulator info
        regulator: anatop: allow regulator to be in bypass mode
      a2b0db5b
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 44385120
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A small fix for the newly added oxnas clk driver and a handful of
        rockchip clk driver fixes for newly added rk3399 support"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: Fix return value check in oxnas_stdclk_probe()
        clk: rockchip: release io resource when failing to init clk on rk3399
        clk: rockchip: fix cpuclk registration error handling
        clk: rockchip: Revert "clk: rockchip: reset init state before mmc card initialization"
        clk: rockchip: fix incorrect parent for rk3399's {c,g}pll_aclk_perihp_src
        clk: rockchip: mark rk3399 GIC clocks as critical
        clk: rockchip: initialize flags of clk_init_data in mmc-phase clock
      44385120
    • Takashi Iwai's avatar
      Merge tag 'asoc-fix-v4.7-rc5' of... · 046e9cee
      Takashi Iwai authored
      Merge tag 'asoc-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v4.7
      
      A small clutch of hardware specific fixes for various ASoC devices, all
      small individually and important if you have that device but not
      otherwise.
      046e9cee
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2016-06-30' of git://anongit.freedesktop.org/drm-intel into drm-fixes · 88c08710
      Dave Airlie authored
      here's a batch of i915 fixes for 4.7.
      
      * tag 'drm-intel-fixes-2016-06-30' of git://anongit.freedesktop.org/drm-intel:
        drm/i915: Fix missing unlock on error in i915_ppgtt_info()
        drm/i915: Removing PCI IDs that are no longer listed as Kabylake.
        drm/i915: Add more Kabylake PCI IDs.
        drm/i915: Avoid early timeout during AUX transfers
        drm/i915/hsw: Avoid early timeout during LCPLL disable/restore
        drm/i915/lpt: Avoid early timeout during FDI PHY reset
        drm/i915/bxt: Avoid early timeout during PLL enable
        drm/i915: Refresh cached DP port register value on resume
      88c08710
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.7' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 40793e85
      Dave Airlie authored
      Just a few more late fixes for Polaris cards.
      
      * 'drm-fixes-4.7' of git://people.freedesktop.org/~agd5f/linux:
        drm/amd/powerplay: workaround for UVD clock issue
        drm/amdgpu: add ACLK_CNTL setting for polaris10
        drm/amd/powerplay: fix issue uvd dpm can't enabled on Polaris11.
        drm/amd/powerplay: Workaround for Memory EDC Error on Polaris10.
        drm/amd/powerplay: Update CKS on/ CKS off voltage offset calculation
        drm/amd/powerplay: disable FFC.
        drm/amd/powerplay: add some definition for FFC feature on polaris.
      40793e85
  8. 01 Jul, 2016 2 commits
    • Ralf Baechle's avatar
      MIPS: Fix possible corruption of cache mode by mprotect. · 6d037de9
      Ralf Baechle authored
      The following testcase may result in a page table entries with a invalid
      CCA field being generated:
      
      static void *bindstack;
      
      static int sysrqfd;
      
      static void protect_low(int protect)
      {
      	mprotect(bindstack, BINDSTACK_SIZE, protect);
      }
      
      static void sigbus_handler(int signal, siginfo_t * info, void *context)
      {
      	void *addr = info->si_addr;
      
      	write(sysrqfd, "x", 1);
      
      	printf("sigbus, fault address %p (should not happen, but might)\n",
      	       addr);
      	abort();
      }
      
      static void run_bind_test(void)
      {
      	unsigned int *p = bindstack;
      
      	p[0] = 0xf001f001;
      
      	write(sysrqfd, "x", 1);
      
      	/* Set trap on access to p[0] */
      	protect_low(PROT_NONE);
      
      	write(sysrqfd, "x", 1);
      
      	/* Clear trap on access to p[0] */
      	protect_low(PROT_READ | PROT_WRITE | PROT_EXEC);
      
      	write(sysrqfd, "x", 1);
      
      	/* Check the contents of p[0] */
      	if (p[0] != 0xf001f001) {
      		write(sysrqfd, "x", 1);
      
      		/* Reached, but shouldn't be */
      		printf("badness, shouldn't happen but does\n");
      		abort();
      	}
      }
      
      int main(void)
      {
      	struct sigaction sa;
      
      	sysrqfd = open("/proc/sysrq-trigger", O_WRONLY);
      
      	if (sigprocmask(SIG_BLOCK, NULL, &sa.sa_mask)) {
      		perror("sigprocmask");
      		return 0;
      	}
      
      	sa.sa_sigaction = sigbus_handler;
      	sa.sa_flags = SA_SIGINFO | SA_NODEFER | SA_RESTART;
      	if (sigaction(SIGBUS, &sa, NULL)) {
      		perror("sigaction");
      		return 0;
      	}
      
      	bindstack = mmap(NULL,
      			 BINDSTACK_SIZE,
      			 PROT_READ | PROT_WRITE | PROT_EXEC,
      			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
      	if (bindstack == MAP_FAILED) {
      		perror("mmap bindstack");
      		return 0;
      	}
      
      	printf("bindstack: %p\n", bindstack);
      
      	run_bind_test();
      
      	printf("done\n");
      
      	return 0;
      }
      
      There are multiple ingredients for this:
      
       1) PAGE_NONE is defined to _CACHE_CACHABLE_NONCOHERENT, which is CCA 3
          on all platforms except SB1 where it's CCA 5.
       2) _page_cachable_default must have bits set which are not set
          _CACHE_CACHABLE_NONCOHERENT.
       3) Either the defective version of pte_modify for XPA or the standard
          version must be in used.  However pte_modify for the 36 bit address
          space support is no affected.
      
      In that case additional bits in the final CCA mode may generate an invalid
      value for the CCA field.  On the R10000 system where this was tracked
      down for example a CCA 7 has been observed, which is Uncached Accelerated.
      
      Fixed by:
      
       1) Using the proper CCA mode for PAGE_NONE just like for all the other
          PAGE_* pte/pmd bits.
       2) Fix the two affected variants of pte_modify.
      
      Further code inspection also shows the same issue to exist in pmd_modify
      which would affect huge page systems.
      
      Issue in pte_modify tracked down by Alastair Bridgewater, PAGE_NONE
      and pmd_modify issue found by me.
      
      The history of this goes back beyond Linus' git history.  Chris Dearman's
      commit 35133692 ("[MIPS] Allow setting of
      the cache attribute at run time.") missed the opportunity to fix this
      but it was originally introduced in lmo commit
      d523832cf12007b3242e50bb77d0c9e63e0b6518 ("Missing from last commit.")
      and 32cc38229ac7538f2346918a09e75413e8861f87 ("New configuration option
      CONFIG_MIPS_UNCACHED.")
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Reported-by: default avatarAlastair Bridgewater <alastair.bridgewater@gmail.com>
      6d037de9
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · dbdc3bb7
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "Fix an expression in the ACPI PCI IRQ management code added by a
        recent commit that overlooked missing parens in it, so the result of
        the computation is incorrect in some cases (Sinan Kaya)"
      
      * tag 'acpi-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI,PCI,IRQ: correct operator precedence
      dbdc3bb7