Skip to content

L
linux
Switch branch/tag
  1. 17 Feb, 2016 1 commit
  3. 13 Feb, 2016 1 commit
  5. 12 Feb, 2016 22 commits
  7. 11 Feb, 2016 10 commits
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · c05235d5
      Linus Torvalds authored 
      Pull GPIO fixes from Linus Walleij:
 - Probe errorpath fix for the Altera
 - irqchip ofnode pointer added to the DaVinci driver
 - controller instance number correction for DaVinci

* tag 'gpio-v4.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio: davinci: Fix the number of controllers allocated
  gpio: davinci: Add the missing of-node pointer
  gpio: gpio-altera: Remove gpiochip on probe failure.
      c05235d5
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.5-3' of... · da2f912a
      Linus Torvalds authored 
      Merge tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86

Pull x86 platform driver fixes from Darren Hart:
 "Just two small fixes for the 4.5-rc cycle:

  intel_scu_ipcutil:
   - underflow in scu_reg_access()

  intel-hid:
   - fix incorrect entries in intel_hid_keymap"

* tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
  intel_scu_ipcutil: underflow in scu_reg_access()
  intel-hid: fix incorrect entries in intel_hid_keymap
      da2f912a
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 5de6ac75
      Linus Torvalds authored 
      Pull networking fixes from David Miller:

 1) Fix BPF handling of branch offset adjustmnets on backjumps, from
    Daniel Borkmann.

 2) Make sure selinux knows about SOCK_DESTROY netlink messages, from
    Lorenzo Colitti.

 3) Fix openvswitch tunnel mtu regression, from David Wragg.

 4) Fix ICMP handling of TCP sockets in syn_recv state, from Eric
    Dumazet.

 5) Fix SCTP user hmacid byte ordering bug, from Xin Long.

 6) Fix recursive locking in ipv6 addrconf, from Subash Abhinov
    Kasiviswanathan.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  bpf: fix branch offset adjustment on backjumps after patching ctx expansion
  vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices
  geneve: Relax MTU constraints
  vxlan: Relax MTU constraints
  flow_dissector: Fix unaligned access in __skb_flow_dissector when used by eth_get_headlen
  of: of_mdio: Add marvell, 88e1145 to whitelist of PHY compatibilities.
  selinux: nlmsgtab: add SOCK_DESTROY to the netlink mapping tables
  sctp: translate network order to host order when users get a hmacid
  enic: increment devcmd2 result ring in case of timeout
  tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs
  net:Add sysctl_max_skb_frags
  tcp: do not drop syn_recv on all icmp reports
  ipv6: fix a lockdep splat
  unix: correctly track in-flight fds in sending process user_struct
  update be2net maintainers' email addresses
  dwc_eth_qos: Reset hardware before PHY start
  ipv6: addrconf: Fix recursive spin lock call
      5de6ac75
    • Ulf Hansson's avatar
      Revert "mmc: block: don't use parameter prefix if built as module" · a5ebb87d
      Ulf Hansson authored 
      This reverts commit 829b6962.

Revert this change as it causes a sysfs path to change and therefore
introduces and ABI regression. More precisely Android's vold is not being
able to access /sys/module/mmcblk/parameters/perdev_minors any more, since
the path becomes changed to: "/sys/module/mmc_block/..."

Fixes: 829b6962 ("mmc: block: don't use parameter prefix if built as
module")
Reported-by: default avatarJohn Stultz <john.stultz@linaro.org>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      a5ebb87d
    • David Sterba's avatar
      btrfs: properly set the termination value of ctx->pos in readdir · bc4ef759
      David Sterba authored 
      The value of ctx->pos in the last readdir call is supposed to be set to
INT_MAX due to 32bit compatibility, unless 'pos' is intentially set to a
larger value, then it's LLONG_MAX.

There's a report from PaX SIZE_OVERFLOW plugin that "ctx->pos++"
overflows (https://forums.grsecurity.net/viewtopic.php?f=1&t=4284), on a
64bit arch, where the value is 0x7fffffffffffffff ie. LLONG_MAX before
the increment.

We can get to that situation like that:

* emit all regular readdir entries
* still in the same call to readdir, bump the last pos to INT_MAX
* next call to readdir will not emit any entries, but will reach the
  bump code again, finds pos to be INT_MAX and sets it to LLONG_MAX

Normally this is not a problem, but if we call readdir again, we'll find
'pos' set to LLONG_MAX and the unconditional increment will overflow.

The report from Victor at
(http://thread.gmane.org/gmane.comp.file-systems.btrfs/49500) with debugging
print shows that pattern:

 Overflow: e
 Overflow: 7fffffff
 Overflow: 7fffffffffffffff
 PAX: size overflow detected in function btrfs_real_readdir
   fs/btrfs/inode.c:5760 cicus.935_282 max, count: 9, decl: pos; num: 0;
   context: dir_context;
 CPU: 0 PID: 2630 Comm: polkitd Not tainted 4.2.3-grsec #1
 Hardware name: Gigabyte Technology Co., Ltd. H81ND2H/H81ND2H, BIOS F3 08/11/2015
  ffffffff81901608 0000000000000000 ffffffff819015e6 ffffc90004973d48
  ffffffff81742f0f 0000000000000007 ffffffff81901608 ffffc90004973d78
  ffffffff811cb706 0000000000000000 ffff8800d47359e0 ffffc90004973ed8
 Call Trace:
  [<ffffffff81742f0f>] dump_stack+0x4c/0x7f
  [<ffffffff811cb706>] report_size_overflow+0x36/0x40
  [<ffffffff812ef0bc>] btrfs_real_readdir+0x69c/0x6d0
  [<ffffffff811dafc8>] iterate_dir+0xa8/0x150
  [<ffffffff811e6d8d>] ? __fget_light+0x2d/0x70
  [<ffffffff811dba3a>] SyS_getdents+0xba/0x1c0
 Overflow: 1a
  [<ffffffff811db070>] ? iterate_dir+0x150/0x150
  [<ffffffff81749b69>] entry_SYSCALL_64_fastpath+0x12/0x83

The jump from 7fffffff to 7fffffffffffffff happens when new dir entries
are not yet synced and are processed from the delayed list. Then the code
could go to the bump section again even though it might not emit any new
dir entries from the delayed list.

The fix avoids entering the "bump" section again once we've finished
emitting the entries, both for synced and delayed entries.

References: https://forums.grsecurity.net/viewtopic.php?f=1&t=4284Reported-by: default avatarVictor <services@swwu.com>
CC: stable@vger.kernel.org
Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
Tested-by: default avatarHolger Hoffstätte <holger.hoffstaette@googlemail.com>
Signed-off-by: default avatarChris Mason <clm@fb.com>
      bc4ef759
    • Adrian Hunter's avatar
      mmc: sdhci-acpi: Fix card detect race for Intel BXT/APL · 6a645dd8
      Adrian Hunter authored 
      Intel BXT/APL use a card detect GPIO however the host controller
will not enable bus power unless it's card detect also reflects
the presence of a card.  Unfortunately those 2 things race which
can result in commands not starting, after which the controller
does nothing and there is a 10 second wait for the driver's
10-second timer to timeout.

That is fixed by having the driver look also at the present state
register to determine if the card is present.  Consequently, provide
a 'get_cd' mmc host operation for BXT/APL that does that.
Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      6a645dd8
    • Adrian Hunter's avatar
      mmc: sdhci-pci: Fix card detect race for Intel BXT/APL · 163cbe31
      Adrian Hunter authored 
      Intel BXT/APL use a card detect GPIO however the host controller
will not enable bus power unless it's card detect also reflects
the presence of a card.  Unfortunately those 2 things race which
can result in commands not starting, after which the controller
does nothing and there is a 10 second wait for the driver's
10-second timer to timeout.

That is fixed by having the driver look also at the present state
register to determine if the card is present.  Consequently, provide
a 'get_cd' mmc host operation for BXT/APL that does that.
Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      163cbe31
    • Adrian Hunter's avatar
      mmc: sdhci: Allow override of get_cd() called from sdhci_request() · 8d28b7a7
      Adrian Hunter authored 
      Drivers may need to provide their own get_cd() mmc host op, but
currently the internals of the current op (sdhci_get_cd()) are
provided by sdhci_do_get_cd() which is also called from
sdhci_request().

To allow override of the get_cd functionality, change sdhci_request()
to call ->get_cd() instead of sdhci_do_get_cd().

Note, in the future the call to ->get_cd() will likely be removed
from sdhci_request() since most drivers don't need actually it.
However this change is being done now to facilitate a subsequent
bug fix.
Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      8d28b7a7
    • Adrian Hunter's avatar
      mmc: sdhci: Allow override of mmc host operations · bf60e592
      Adrian Hunter authored 
      In the past, fixes for specific hardware devices were implemented
in sdhci using quirks.  That approach is no longer accepted because
the growing number of quirks was starting to make the code difficult
to understand and maintain.

One alternative to quirks, is to allow drivers to override the default
mmc host operations.  This patch makes it easy to do that, and it is
needed for a subsequent bug fix, for which separate patches are
provided.
Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      bf60e592
    • Chris Mason's avatar
      Merge branch 'integration-4.5' of... · 43d871f0
      Chris Mason authored 
      Merge branch 'integration-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/fdmanana/linux into for-linus-4.5
      43d871f0
  9. 10 Feb, 2016 6 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · 721675fc
      Linus Torvalds authored 
      Pull rdma fixes from Doug Ledford:
 "A few more minor fixes for rc3:

   - One fix to ipoib
   - One fix to core sysfs code
   - Four patches that resolve an oops found in testing of ocrdma and a
     couple other ocrdma issues"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
  RDMA/ocrdma: Fixing ocrdma debugfs directory remove
  RDMA/ocrdma: Fix pkey_index returned by driver in rq work completion
  RDMA/ocrdma: populate max_sge_rd in device attributes
  RDMA/ocrdma: Initialize stats resources in the driver before ib device registration.
  IB/sysfs: remove unused va_list args
  IB/IPoIB: Do not set skb truesize since using one linearskb
      721675fc
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.5' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · c92a428f
      Dave Airlie authored 
      radeon and amdgpu fixes for 4.5.  Highlights:
- powerplay fixes for amdgpu
- race fixes in the sub-allocator in radeon and amdgpu
- hibernate fix for amdgpu
- fix a possible circular locking in userptr handling in amdgpu

* 'drm-fixes-4.5' of git://people.freedesktop.org/~agd5f/linux: (21 commits)
  drm/amdgpu: fix issue with overlapping userptrs
  drm/radeon: hold reference to fences in radeon_sa_bo_new
  drm/amdgpu: remove unnecessary forward declaration
  drm/amdgpu: hold reference to fences in amdgpu_sa_bo_new (v2)
  drm/amdgpu: fix s4 resume
  drm/amdgpu/cz: plumb pg flags through to powerplay
  drm/amdgpu/tonga: plumb pg flags through to powerplay
  drma/dmgpu: move cg and pg flags into shared headers
  drm/amdgpu: remove unused cg defines
  drm/amdgpu: add a cgs interface to fetch cg and pg flags
  drm/amd/powerplay/tonga: disable vce pg
  drm/amd/powerplay/tonga: disable uvd pg
  drm/amd/powerplay/cz: disable vce pg
  drm/amd/powerplay/cz: disable uvd pg
  drm/amdgpu: be consistent with uvd cg flags
  drm/amdgpu: clean up vce pg flags for cz/st
  drm/amdgpu: handle vce pg flags properly
  drm/amdgpu: handle uvd pg flags properly
  drm/amdgpu/dpm/ci: switch over to the common pcie caps interface
  drm/amdgpu/cik: don't mess with aspm if gpu is root bus
  ...
      c92a428f
    • Daniel Borkmann's avatar
      bpf: fix branch offset adjustment on backjumps after patching ctx expansion · a1b14d27
      Daniel Borkmann authored 
      When ctx access is used, the kernel often needs to expand/rewrite
instructions, so after that patching, branch offsets have to be
adjusted for both forward and backward jumps in the new eBPF program,
but for backward jumps it fails to account the delta. Meaning, for
example, if the expansion happens exactly on the insn that sits at
the jump target, it doesn't fix up the back jump offset.

Analysis on what the check in adjust_branches() is currently doing:

  /* adjust offset of jmps if necessary */
  if (i < pos && i + insn->off + 1 > pos)
    insn->off += delta;
  else if (i > pos && i + insn->off + 1 < pos)
    insn->off -= delta;

First condition (forward jumps):

  Before:                         After:

  insns[0]                        insns[0]
  insns[1] <--- i/insn            insns[1] <--- i/insn
  insns[2] <--- pos               insns[P] <--- pos
  insns[3]                        insns[P]  `------| delta
  insns[4] <--- target_X          insns[P]   `-----|
  insns[5]                        insns[3]
                                  insns[4] <--- target_X
                                  insns[5]

First case is if we cross pos-boundary and the jump instruction was
before pos. This is handeled correctly. I.e. if i == pos, then this
would mean our jump that we currently check was the patchlet itself
that we just injected. Since such patchlets are self-contained and
have no awareness of any insns before or after the patched one, the
delta is correctly not adjusted. Also, for the second condition in
case of i + insn->off + 1 == pos, means we jump to that newly patched
instruction, so no offset adjustment are needed. That part is correct.

Second condition (backward jumps):

  Before:                         After:

  insns[0]                        insns[0]
  insns[1] <--- target_X          insns[1] <--- target_X
  insns[2] <--- pos <-- target_Y  insns[P] <--- pos <-- target_Y
  insns[3]                        insns[P]  `------| delta
  insns[4] <--- i/insn            insns[P]   `-----|
  insns[5]                        insns[3]
                                  insns[4] <--- i/insn
                                  insns[5]

Second interesting case is where we cross pos-boundary and the jump
instruction was after pos. Backward jump with i == pos would be
impossible and pose a bug somewhere in the patchlet, so the first
condition checking i > pos is okay only by itself. However, i +
insn->off + 1 < pos does not always work as intended to trigger the
adjustment. It works when jump targets would be far off where the
delta wouldn't matter. But, for example, where the fixed insn->off
before pointed to pos (target_Y), it now points to pos + delta, so
that additional room needs to be taken into account for the check.
This means that i) both tests here need to be adjusted into pos + delta,
and ii) for the second condition, the test needs to be <= as pos
itself can be a target in the backjump, too.

Fixes: 9bac3d6d ("bpf: allow extended BPF programs access skb fields")
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1b14d27
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 74c7b2af
      Linus Torvalds authored 
      Pull input updates from Dmitry Torokhov:
 "Just small driver fixups"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: colibri-vf50-ts - add missing #include <linux/of.h>
  Input: adp5589 - fix row 5 handling for adp5589
  Input: edt-ft5x06 - fix setting gain, offset, and threshold via device tree
  Input: vmmouse - fix absolute device registration
  Input: serio - drop warnings in case of EPROBE_DEFER from serio_find_driver()
  Input: cap11xx - add missing of_node_put
  Input: sirfsoc-onkey - allow modular build
  Input: xpad - remove unused function
      74c7b2af
    • Linus Torvalds's avatar
      Merge branch 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · 4e541699
      Linus Torvalds authored 
      Pull libata fixes from Tejun Heo:

 - PORTS_IMPL workaround for very early ahci controllers is misbehaving
   on new systems.  Disabled on recent ahci versions.

 - Old-style PIO state machine had a horrible locking problem.  Don't
   know how we've been getting away this far.  Fixed.

 - Other device specific updates.

* 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
  ahci: Intel DNV device IDs SATA
  libata: fix sff host state machine locking while polling
  libata-sff: use WARN instead of BUG on illegal host state machine state
  libata: disable forced PORTS_IMPL for >= AHCI 1.3
  libata: blacklist a Viking flash model for MWDMA corruption
  drivers: ata: wake port before DMA stop for ALPM
      4e541699
    • Linus Torvalds's avatar
      Merge branch 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · fb0dc5f1
      Linus Torvalds authored 
      Pull cgroup fixes from Tejun Heo:

 - The destruction path of cgroup objects are asynchronous and
   multi-staged and some of them ended up destroying parents before
   children leading to failures in cpu and memory controllers.  Ensure
   that parents are always destroyed after children.

 - cpuset mm node migration was performed synchronously while holding
   threadgroup and cgroup mutexes and the recent threadgroup locking
   update resulted in a possible deadlock.  The migration is best effort
   and shouldn't have been performed under those locks to begin with.
   Made asynchronous.

 - Minor documentation fix.

* 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
  Documentation: cgroup: Fix 'cgroup-legacy' -> 'cgroup-v1'
  cgroup: make sure a parent css isn't freed before its children
  cgroup: make sure a parent css isn't offlined before its children
  cpuset: make mm migration asynchronous
      fb0dc5f1
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7