openwrt/staging/blogic.git
10 years agox86/mm: Fix zone ranges boot printout
Xishi Qiu [Wed, 10 Dec 2014 02:09:01 +0000 (10:09 +0800)]
x86/mm: Fix zone ranges boot printout

This is the usual physical memory layout boot printout:
...
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x00001000-0x00ffffff]
[    0.000000]   DMA32    [mem 0x01000000-0xffffffff]
[    0.000000]   Normal   [mem 0x100000000-0xc3fffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00001000-0x00099fff]
[    0.000000]   node   0: [mem 0x00100000-0xbf78ffff]
[    0.000000]   node   0: [mem 0x100000000-0x63fffffff]
[    0.000000]   node   1: [mem 0x640000000-0xc3fffffff]
...

This is the log when we set "mem=2G" on the boot cmdline:
...
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x00001000-0x00ffffff]
[    0.000000]   DMA32    [mem 0x01000000-0xffffffff]  // should be 0x7fffffff, right?
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00001000-0x00099fff]
[    0.000000]   node   0: [mem 0x00100000-0x7fffffff]
...

This patch fixes the printout, the following log shows the right
ranges:
...
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x00001000-0x00ffffff]
[    0.000000]   DMA32    [mem 0x01000000-0x7fffffff]
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00001000-0x00099fff]
[    0.000000]   node   0: [mem 0x00100000-0x7fffffff]
...

Suggested-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
Cc: Linux MM <linux-mm@kvack.org>
Cc: <dave@sr71.net>
Cc: Rik van Riel <riel@redhat.com>
Link: http://lkml.kernel.org/r/5487AB3D.6070306@huawei.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
10 years agox86/doc: Update documentation after file shuffling
Luis R. Rodriguez [Tue, 9 Dec 2014 22:54:44 +0000 (14:54 -0800)]
x86/doc: Update documentation after file shuffling

While at it, also refer to the 32 bit entry file.

Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: linux-doc@vger.kernel.org
Cc: bpoirier@suse.de
Link: http://lkml.kernel.org/r/1418165684-6226-1-git-send-email-mcgrof@do-not-panic.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
10 years agox86, microcode: Limit the microcode reloading to 64-bit for now
Borislav Petkov [Sun, 30 Nov 2014 13:26:39 +0000 (14:26 +0100)]
x86, microcode: Limit the microcode reloading to 64-bit for now

First, there was this: https://bugzilla.kernel.org/show_bug.cgi?id=88001

The problem there was that microcode patches are not being reapplied
after suspend-to-ram. It was important to reapply them, though, because
of for example Haswell's TSX erratum which disabled TSX instructions
with a microcode patch.

A simple fix was fb86b97300d9 ("x86, microcode: Update BSPs microcode
on resume") but, as it is often the case, simple fixes are too
simple. This one causes 32-bit resume to fail:

https://bugzilla.kernel.org/show_bug.cgi?id=88391

Properly fixing this would require more involved changes for which it
is too late now, right before the merge window. Thus, limit this to
64-bit only temporarily.

Signed-off-by: Borislav Petkov <bp@suse.de>
Link: http://lkml.kernel.org/r/1417353999-32236-1-git-send-email-bp@alien8.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
10 years agox86: Use $(OBJDUMP) instead of plain objdump
Chris Clayton [Sat, 22 Nov 2014 09:51:10 +0000 (09:51 +0000)]
x86: Use $(OBJDUMP) instead of plain objdump

commit e6023367d779 'x86, kaslr: Prevent .bss from overlaping initrd'
broke the cross compile of x86. It added a objdump invocation, which
invokes the host native objdump and ignores an active cross tool
chain.

Use $(OBJDUMP) instead which takes the CROSS_COMPILE prefix into
account.

[ tglx: Massage changelog and use $(OBJDUMP) ]

Fixes: e6023367d779 'x86, kaslr: Prevent .bss from overlaping initrd'
Signed-off-by: Chris Clayton <chris2553@googlemail.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Borislav Petkov <bp@suse.de>
Cc: Junjie Mao <eternal.n08@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: H. Peter Anvin <hpa@linux.intel.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/54705C8E.1080400@googlemail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Sat, 22 Nov 2014 01:20:36 +0000 (17:20 -0800)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix BUG when decrypting empty packets in mac80211, from Ronald Wahl.

 2) nf_nat_range is not fully initialized and this is copied back to
    userspace, from Daniel Borkmann.

 3) Fix read past end of b uffer in netfilter ipset, also from Dan
    Carpenter.

 4) Signed integer overflow in ipv4 address mask creation helper
    inet_make_mask(), from Vincent BENAYOUN.

 5) VXLAN, be2net, mlx4_en, and qlcnic need ->ndo_gso_check() methods to
    properly describe the device's capabilities, from Joe Stringer.

 6) Fix memory leaks and checksum miscalculations in openvswitch, from
    Pravin B SHelar and Jesse Gross.

 7) FIB rules passes back ambiguous error code for unreachable routes,
    making behavior confusing for userspace.  Fix from Panu Matilainen.

 8) ieee802154fake_probe() doesn't release resources properly on error,
    from Alexey Khoroshilov.

 9) Fix skb_over_panic in add_grhead(), from Daniel Borkmann.

10) Fix access of stale slave pointers in bonding code, from Nikolay
    Aleksandrov.

11) Fix stack info leak in PPP pptp code, from Mathias Krause.

12) Cure locking bug in IPX stack, from Jiri Bohac.

13) Revert SKB fclone memory freeing optimization that is racey and can
    allow accesses to freed up memory, from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (71 commits)
  tcp: Restore RFC5961-compliant behavior for SYN packets
  net: Revert "net: avoid one atomic operation in skb_clone()"
  virtio-net: validate features during probe
  cxgb4 : Fix DCB priority groups being returned in wrong order
  ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
  openvswitch: Don't validate IPv6 label masks.
  pptp: fix stack info leak in pptp_getname()
  brcmfmac: don't include linux/unaligned/access_ok.h
  cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection
  ipv6: delete protocol and unregister rtnetlink when cleanup
  net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too
  bonding: fix curr_active_slave/carrier with loadbalance arp monitoring
  mac80211: minstrel_ht: fix a crash in rate sorting
  vxlan: Inline vxlan_gso_check().
  can: m_can: update to support CAN FD features
  can: m_can: fix incorrect error messages
  can: m_can: add missing delay after setting CCCR_INIT bit
  can: m_can: fix not set can_dlc for remote frame
  can: m_can: fix possible sleep in napi poll
  can: m_can: add missing message RAM initialization
  ...

10 years agoMerge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Sat, 22 Nov 2014 01:15:28 +0000 (17:15 -0800)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "Just two radeon and two intel fixes: endian and regression fixes"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/radeon: fix endian swapping in vbios fetch for tdp table
  drm/radeon: disable native backlight control on pre-r6xx asics (v2)
  drm/i915: Kick fbdev before vgacon
  drm/i915: drop WaSetupGtModeTdRowDispatch:snb

10 years agoMerge tag 'sound-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai...
Linus Torvalds [Sat, 22 Nov 2014 01:11:56 +0000 (17:11 -0800)]
Merge tag 'sound-3.18-rc6' of git://git./linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This batch ended up as a relatively high volume due to pending ASoC
  fixes.  But most of fixes there are trivial and/or device- specific
  fixes and quirks, so safe to apply.  The only (ASoC) core fixes are
  the DPCM race fix and the machine-driver matching fix for
  componentization"

* tag 'sound-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - fix the mic mute led problem for Latitude E5550
  ALSA: hda - move DELL_WMI_MIC_MUTE_LED to the tail in the quirk chain
  ASoC: wm_adsp: Avoid attempt to free buffers that might still be in use
  ALSA: usb-audio: Set the Control Selector to SU_SELECTOR_CONTROL for UAC2
  ALSA: usb-audio: Add ctrl message delay quirk for Marantz/Denon devices
  ASoC: sgtl5000: Fix SMALL_POP bit definition
  ASoC: cs42l51: re-hook of_match_table pointer
  ASoC: rt5670: change dapm routes of PLL connection
  ASoC: rt5670: correct the incorrect default values
  ASoC: samsung: Add MODULE_DEVICE_TABLE for Snow
  ASoC: max98090: Correct pclk divisor settings
  ASoC: dpcm: Fix race between FE/BE updates and trigger
  ASoC: Fix snd_soc_find_dai() matching component by name
  ASoC: rsnd: remove unsupported PAUSE flag
  ASoC: fsi: remove unsupported PAUSE flag
  ASoC: rt5645: Mark RT5645_TDM_CTRL_3 as readable
  ASoC: rockchip-i2s: fix infinite loop in rockchip_snd_rxctrl
  ASoC: es8328-i2c: Fix i2c_device_id name field in es8328_id
  ASoC: fsl_asrc: Add reg_defaults for regmap to fix kernel dump

10 years agoMerge tag 'pm+acpi-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael...
Linus Torvalds [Sat, 22 Nov 2014 00:56:25 +0000 (16:56 -0800)]
Merge tag 'pm+acpi-3.18-rc6' of git://git./linux/kernel/git/rafael/linux-pm

Pull ACPI power management fix from Rafael Wysocki:
 "This is just a one-liner fixing a regression introduced in 3.13 that
  broke system suspend on some Chromebooks.

  On those machines there are ACPI device objects for some I2C devices
  that can wake up the system from sleep states, but that is done via a
  platform-specific mechanism and the ACPI objects don't contain any
  wakeup-related information.  When we started to use ACPI power
  management with those devices (which happened during the 3.13 cycle),
  their configuration confused the ACPI PM layer that returned error
  codes from suspend callbacks for them causing system suspend to fail.

  However, the ACPI PM layer can safely ignore the wakeup setting from a
  device driver if the ACPI object corresponding to the device in
  question doesn't contain wakeup information in which case the driver
  itself is responsible for setting up the device for system wakeup"

* tag 'pm+acpi-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up

10 years agoMerge tag 'devicetree-fixes-for-3.18' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sat, 22 Nov 2014 00:40:41 +0000 (16:40 -0800)]
Merge tag 'devicetree-fixes-for-3.18' of git://git./linux/kernel/git/robh/linux

Pull devicetree fixes from Rob Herring:
 "DeviceTree fixes for 3.18:

   - two fixes for OF selftest code
   - fix for PowerPC address parsing to disable work-around except on
     old PowerMACs
   - fix a crash when earlycon is enabled, but no device is found
   - DT documentation fixes and missing vendor prefixes

  All but the doc updates are also for stable"

* tag 'devicetree-fixes-for-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  of/selftest: Fix testing when /aliases is missing
  of/selftest: Fix off-by-one error in removal path
  documentation: pinctrl bindings: Fix trivial typo 'abitrary'
  devicetree: bindings: Add vendor prefix for Micron Technology, Inc.
  of: Add vendor prefix for Chips&Media, Inc.
  of/base: Fix PowerPC address parsing hack
  devicetree: vendor-prefixes.txt: fix whitespace
  of: Fix crash if an earlycon driver is not found
  of/irq: Drop obsolete 'interrupts' vs 'interrupts-extended' text
  of: Spelling s/stucture/structure/
  devicetree: bindings: add sandisk to the vendor prefixes

10 years agoMerge tag 'pci-v3.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaa...
Linus Torvalds [Sat, 22 Nov 2014 00:36:42 +0000 (16:36 -0800)]
Merge tag 'pci-v3.18-fixes-3' of git://git./linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:
 "These are fixes for an issue with 64-bit PCI bus addresses on 32-bit
  PAE kernels, an APM X-Gene problem (it depended on a generic change we
  removed before merging), a fix for my hotplug device configuration
  changes, and a devicetree documentation update.

  Resource management:
    - Support 64-bit bridge windows if we have 64-bit dma_addr_t (Yinghai Lu)

  PCI device hotplug:
    - Apply _HPX Link Control settings to all devices with a link (Yinghai Lu)

  Generic host bridge driver:
    - Add DT binding for "linux,pci-domain" property (Lucas Stach)

  APM X-Gene:
    - Assign resources to bus before adding new devices (Duc Dang)"

* tag 'pci-v3.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: Support 64-bit bridge windows if we have 64-bit dma_addr_t
  PCI: Apply _HPX Link Control settings to all devices with a link
  PCI: Add missing DT binding for "linux,pci-domain" property
  PCI: xgene: Assign resources to bus before adding new devices

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
Linus Torvalds [Sat, 22 Nov 2014 00:28:45 +0000 (16:28 -0800)]
Merge git://git./linux/kernel/git/nab/target-pending

Pull SCSI target fixes from Nicholas Bellinger:
 "Here are the target-pending fixes queued for v3.18-rc6.

  The highlights include:

   - target-core OOPs fix with tcm_qla2xxx + vxworks FC initiators +
     zero length SCSI commands having a transfer direction set.  (Roland
     + Craig Watson)

   - vhost-scsi OOPs fix to explicitly prevent WWPN endpoint configfs
     group removal while qemu still has an active reference.  (Paolo +
     nab)

   - ib_srpt fix for RDMA hardware with lower srp_sq_size limits.
     (Bart)

   - two ib_isert work-arounds for running on ocrdma hardware (Or + Sagi
     + Chris)

   - iscsi-target discovery portal typo + SPC-3 PR Preempt SA key
     matching fix (Steve)"

* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
  IB/isert: Adjust CQ size to HW limits
  target: return CONFLICT only when SA key unmatched
  iser-target: Handle DEVICE_REMOVAL event on network portal listener correctly
  ib_isert: Add max_send_sge=2 minimum for control PDU responses
  srp-target: Retry when QP creation fails with ENOMEM
  iscsi-target: return the correct port in SendTargets
  vhost-scsi: Take configfs group dependency during VHOST_SCSI_SET_ENDPOINT
  target: Don't call TFO->write_pending if data_length == 0

10 years agoMerge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
Linus Torvalds [Sat, 22 Nov 2014 00:24:27 +0000 (16:24 -0800)]
Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma

Pull dmaengine fixes from Vinod Koul:
 "We have couple of fixes for dmaengine queued up:
   - dma mempcy fix for dma configuration of sun6i by Maxime
   - pl330 fixes: First the fixing allocation for data buffers by Liviu
     and then Jon's fixe for fifo width and usage"

* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: Fix allocation size for PL330 data buffer depth.
  dmaengine: pl330: Limit MFIFO usage for memcpy to avoid exhausting entries
  dmaengine: pl330: Align DMA memcpy operations to MFIFO width
  dmaengine: sun6i: Fix memcpy operation

10 years agoMerge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Linus Torvalds [Sat, 22 Nov 2014 00:14:58 +0000 (16:14 -0800)]
Merge branch 'upstream' of git://git.linux-mips.org/ralf/upstream-linus

Pull MIPS fixes from Ralf Baechle:
 "More 3.18 fixes for MIPS:

   - backtraces were not quite working on on 64-bit kernels
   - loongson needs a different cache coherency setting
   - Loongson 3 is a MIPS64 R2 version but due to erratum we treat is an
     older architecture revision.
   - fix build errors due to undefined references to __node_distances
     for certain configurations.
   - fix instruction decodig in the jump label code.
   - for certain configurations copy_{from,to}_user destroy the content
     of $3 so that register needs to be marked as clobbed by the calling
     code.
   - Hardware Table Walker fixes.
   - fill the delay slot of the last instruction of memcpy otherwise
     whatever ends up there randomly might have undesirable effects.
   - ensure get_user/__get_user always zero the variable to be read even
     in case of an error"

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: jump_label.c: Handle the microMIPS J instruction encoding
  MIPS: jump_label.c: Correct the span of the J instruction
  MIPS: Zero variable read by get_user / __get_user in case of an error.
  MIPS: lib: memcpy: Restore NOP on delay slot before returning to caller
  MIPS: tlb-r4k: Add missing HTW stop/start sequences
  MIPS: asm: uaccess: Add v1 register to clobber list on EVA
  MIPS: oprofile: Fix backtrace on 64-bit kernel
  MIPS: Loongson: Set Loongson-3's ISA level to MIPS64R1
  MIPS: Loongson: Fix the write-combine CCA value setting
  MIPS: IP27: Fix __node_distances undefined error
  MIPS: Loongson3: Fix __node_distances undefined error

10 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Linus Torvalds [Sat, 22 Nov 2014 00:13:34 +0000 (16:13 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mpe/linux

Pull powerpc fix from Michael Ellerman:
 "One fix from Scott, he says:

  This patch fixes a crash (introduced in v3.18-rc1) in the FSL MSI driver
  when threaded IRQs are enabled"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
  powerpc/fsl_msi: mark the msi cascade handler IRQF_NO_THREAD

10 years agoMerge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 21 Nov 2014 23:46:17 +0000 (15:46 -0800)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull x86 fixes from Thomas Gleixner:
 "Misc fixes:
   - gold linker build fix
   - noxsave command line parsing fix
   - bugfix for NX setup
   - microcode resume path bug fix
   - _TIF_NOHZ versus TIF_NOHZ bugfix as discussed in the mysterious
     lockup thread"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1
  x86, kaslr: Handle Gold linker for finding bss/brk
  x86, mm: Set NX across entire PMD at boot
  x86, microcode: Update BSPs microcode on resume
  x86: Require exact match for 'noxsave' command line option

10 years agoMerge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 21 Nov 2014 23:44:54 +0000 (15:44 -0800)]
Merge branch 'sched-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull scheduler fixes from Ingo Molnar:
 "Misc fixes: two NUMA fixes, two cputime fixes and an RCU/lockdep fix"

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency
  sched/cputime: Fix cpu_timer_sample_group() double accounting
  sched/numa: Avoid selecting oneself as swap target
  sched/numa: Fix out of bounds read in sched_init_numa()
  sched: Remove lockdep check in sched_move_task()

10 years agoMerge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 21 Nov 2014 23:44:07 +0000 (15:44 -0800)]
Merge branch 'perf-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull perf fixes from Ingo Molnar:
 "Misc fixes: two Intel uncore driver fixes, a CPU-hotplug fix and a
  build dependencies fix"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/intel/uncore: Fix boot crash on SBOX PMU on Haswell-EP
  perf/x86/intel/uncore: Fix IRP uncore register offsets on Haswell EP
  perf: Fix corruption of sibling list with hotplug
  perf/x86: Fix embarrasing typo

10 years agoMerge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 21 Nov 2014 23:38:21 +0000 (15:38 -0800)]
Merge branch 'core-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull core fix from Ingo Molnar:
 "Fix GENMASK macro shift overflow"

Nobody seems to currently use GENMASK() to fill every single last bit
(which is what overflows) in-tree, and gcc would warn about it, so we
have that going for us.  But apparently there are pending changes that
want this.

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  bitops: Fix shift overflow in GENMASK macros

10 years agotcp: Restore RFC5961-compliant behavior for SYN packets
Calvin Owens [Thu, 20 Nov 2014 23:09:53 +0000 (15:09 -0800)]
tcp: Restore RFC5961-compliant behavior for SYN packets

Commit c3ae62af8e755 ("tcp: should drop incoming frames without ACK
flag set") was created to mitigate a security vulnerability in which a
local attacker is able to inject data into locally-opened sockets by
using TCP protocol statistics in procfs to quickly find the correct
sequence number.

This broke the RFC5961 requirement to send a challenge ACK in response
to spurious RST packets, which was subsequently fixed by commit
7b514a886ba50 ("tcp: accept RST without ACK flag").

Unfortunately, the RFC5961 requirement that spurious SYN packets be
handled in a similar manner remains broken.

RFC5961 section 4 states that:

   ... the handling of the SYN in the synchronized state SHOULD be
   performed as follows:

   1) If the SYN bit is set, irrespective of the sequence number, TCP
      MUST send an ACK (also referred to as challenge ACK) to the remote
      peer:

      <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>

      After sending the acknowledgment, TCP MUST drop the unacceptable
      segment and stop processing further.

   By sending an ACK, the remote peer is challenged to confirm the loss
   of the previous connection and the request to start a new connection.
   A legitimate peer, after restart, would not have a TCB in the
   synchronized state.  Thus, when the ACK arrives, the peer should send
   a RST segment back with the sequence number derived from the ACK
   field that caused the RST.

   This RST will confirm that the remote peer has indeed closed the
   previous connection.  Upon receipt of a valid RST, the local TCP
   endpoint MUST terminate its connection.  The local TCP endpoint
   should then rely on SYN retransmission from the remote end to
   re-establish the connection.

This patch lets SYN packets through the discard added in c3ae62af8e755,
so that spurious SYN packets are properly dealt with as per the RFC.

The challenge ACK is sent unconditionally and is rate-limited, so the
original vulnerability is not reintroduced by this patch.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: Revert "net: avoid one atomic operation in skb_clone()"
Eric Dumazet [Fri, 21 Nov 2014 19:47:16 +0000 (11:47 -0800)]
net: Revert "net: avoid one atomic operation in skb_clone()"

Not sure what I was thinking, but doing anything after
releasing a refcount is suicidal or/and embarrassing.

By the time we set skb->fclone to SKB_FCLONE_FREE, another cpu
could have released last reference and freed whole skb.

We potentially corrupt memory or trap if CONFIG_DEBUG_PAGEALLOC is set.

Reported-by: Chris Mason <clm@fb.com>
Fixes: ce1a4ea3f1258 ("net: avoid one atomic operation in skb_clone()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agovirtio-net: validate features during probe
Jason Wang [Thu, 20 Nov 2014 09:03:05 +0000 (17:03 +0800)]
virtio-net: validate features during probe

We currently trigger BUG when VIRTIO_NET_F_CTRL_VQ
is not set but one of features depending on it is.
That's not a friendly way to report errors to
hypervisors.
Let's check, and fail probe instead.

Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
David S. Miller [Fri, 21 Nov 2014 05:12:39 +0000 (00:12 -0500)]
Merge git://git./pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains two bugfixes for your net tree, they are:

1) Validate netlink group from nfnetlink to avoid an out of bound array
   access. This should only happen with superuser priviledges though.
   Discovered by Andrey Ryabinin using trinity.

2) Don't push ethernet header before calling the netfilter output hook
   for multicast traffic, this breaks ebtables since it expects to see
   skb->data pointing to the network header, patch from Linus Luessing.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge tag 'master-2014-11-20' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...
David S. Miller [Fri, 21 Nov 2014 05:07:51 +0000 (00:07 -0500)]
Merge tag 'master-2014-11-20' of git://git./linux/kernel/git/linville/wireless

John W. Linville says:

====================
pull request: wireless 2014-11-20

Please full this little batch of fixes intended for the 3.18 stream!

For the mac80211 patch, Johannes says:

"Here's another last minute fix, for minstrel HT crashing
depending on the value of some uninitialised stack."

On top of that...

Ben Greear fixes an ath9k regression in which a BSSID mask is
miscalculated.

Dmitry Torokhov corrects an error handling routing in brcmfmac which
was checking an unsigned variable for a negative value.

Johannes Berg avoids a build problem in brcmfmac for arches where
linux/unaligned/access_ok.h and asm/unaligned.h conflict.

Mathy Vanhoef addresses another brcmfmac issue so as to eliminate a
use-after-free of the URB transfer buffer if a timeout occurs.

Please let me know if there are problems!
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocxgb4 : Fix DCB priority groups being returned in wrong order
Anish Bhatt [Fri, 21 Nov 2014 01:11:46 +0000 (17:11 -0800)]
cxgb4 : Fix DCB priority groups being returned in wrong order

Peer priority groups were being reversed, but this was missed in the previous
fix sent out for this issue.

v2 : Previous patch was doing extra unnecessary work, result is the same.
Please ignore previous patch

Fixes : ee7bc3cdc270 ('cxgb4 : dcb open-lldp interop fixes')

Signed-off-by: Anish Bhatt <anish@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
Jiri Bohac [Wed, 19 Nov 2014 22:05:49 +0000 (23:05 +0100)]
ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg

This fixes an old regression introduced by commit
b0d0d915 (ipx: remove the BKL).

When a recvmsg syscall blocks waiting for new data, no data can be sent on the
same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked.

This breaks mars-nwe (NetWare emulator):
- the ncpserv process reads the request using recvmsg
- ncpserv forks and spawns nwconn
- ncpserv calls a (blocking) recvmsg and waits for new requests
- nwconn deadlocks in sendmsg on the same socket

Commit b0d0d915 has simply replaced BKL locking with
lock_sock/release_sock. Unlike now, BKL got unlocked while
sleeping, so a blocking recvmsg did not block a concurrent
sendmsg.

Only keep the socket locked while actually working with the socket data and
release it prior to calling skb_recv_datagram().

Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoopenvswitch: Don't validate IPv6 label masks.
Joe Stringer [Wed, 19 Nov 2014 21:54:49 +0000 (13:54 -0800)]
openvswitch: Don't validate IPv6 label masks.

When userspace doesn't provide a mask, OVS datapath generates a fully
unwildcarded mask for the flow by copying the flow and setting all bits
in all fields. For IPv6 label, this creates a mask that matches on the
upper 12 bits, causing the following error:

openvswitch: netlink: Invalid IPv6 flow label value (value=ffffffff, max=fffff)

This patch ignores the label validation check for masks, avoiding this
error.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agopptp: fix stack info leak in pptp_getname()
Mathias Krause [Wed, 19 Nov 2014 17:05:26 +0000 (18:05 +0100)]
pptp: fix stack info leak in pptp_getname()

pptp_getname() only partially initializes the stack variable sa,
particularly only fills the pptp part of the sa_addr union. The code
thereby discloses 16 bytes of kernel stack memory via getsockname().

Fix this by memset(0)'ing the union before.

Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge branch 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux into drm...
Dave Airlie [Fri, 21 Nov 2014 02:19:19 +0000 (12:19 +1000)]
Merge branch 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux into drm-fixes

fix one regression and one endian issue.

* 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: fix endian swapping in vbios fetch for tdp table
  drm/radeon: disable native backlight control on pre-r6xx asics (v2)

10 years agox86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1
Andy Lutomirski [Wed, 19 Nov 2014 21:56:19 +0000 (13:56 -0800)]
x86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1

TIF_NOHZ is 19 (i.e. _TIF_SYSCALL_TRACE | _TIF_NOTIFY_RESUME |
_TIF_SINGLESTEP), not (1<<19).

This code is involved in Dave's trinity lockup, but I don't see why
it would cause any of the problems he's seeing, except inadvertently
by causing a different path through entry_64.S's syscall handling.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Dave Jones <davej@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/a6cd3b60a3f53afb6e1c8081b0ec30ff19003dd7.1416434075.git.luto@amacapital.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
10 years agobrcmfmac: don't include linux/unaligned/access_ok.h
Johannes Berg [Wed, 19 Nov 2014 21:13:10 +0000 (22:13 +0100)]
brcmfmac: don't include linux/unaligned/access_ok.h

This is a specific implementation, <asm/unaligned.h> is the
multiplexer that has the arch-specific knowledge of which
of the implementations needs to be used, so include that.

This issue was revealed by kbuild testing
when <asm/unaligned.h> was added in <linux/ieee80211.h>
resulting in redefinition of get_unaligned_be16 (and
probably others).

Cc: stable@vger.kernel.org # v3.17
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
10 years agodrm/radeon: fix endian swapping in vbios fetch for tdp table
Alex Deucher [Thu, 13 Nov 2014 00:17:02 +0000 (19:17 -0500)]
drm/radeon: fix endian swapping in vbios fetch for tdp table

Value needs to be swapped on BE.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
10 years agodrm/radeon: disable native backlight control on pre-r6xx asics (v2)
Alex Deucher [Wed, 19 Nov 2014 18:12:54 +0000 (13:12 -0500)]
drm/radeon: disable native backlight control on pre-r6xx asics (v2)

Just use the acpi interface.  That's what windows uses on this
generation and it's the only thing that seems to work reliably
on these generation parts.

You can still force the native backlight interface by setting
radeon.backlight=1

Bug:
https://bugzilla.kernel.org/show_bug.cgi?id=88501

v2: merge into above if/else block

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
10 years agoof/selftest: Fix testing when /aliases is missing
Grant Likely [Wed, 19 Nov 2014 17:13:44 +0000 (17:13 +0000)]
of/selftest: Fix testing when /aliases is missing

The /aliases node isn't always present in the device tree, but the
unittest code assumes that /aliases is there. Add a check when inserting
the testcase data to see if of_aliases needs to be updated, and undo the
settings when the nodes are removed.

Signed-off-by: Grant Likely <grant.likely@linaro.org>
Cc: Rob Herring <robh+dt@kernel.org>
Cc: Gaurav Minocha <gaurav.minocha.os@gmail.com>
Cc: <stable@vger.kernel.org>
10 years agoIB/isert: Adjust CQ size to HW limits
Chris Moore [Tue, 4 Nov 2014 16:28:29 +0000 (16:28 +0000)]
IB/isert: Adjust CQ size to HW limits

isert has an issue of trying to create a CQ with more CQEs than are
supported by the hardware, that currently results in failures during
isert_device creation during first session login.

This is the isert version of the patch that Minh Tran submitted for
iser, and is simple a workaround required to function with existing
ocrdma hardware.

Signed-off-by: Chris Moore <chris.moore@emulex.com>
Reviewied-by: Sagi Grimberg <sagig@mellanox.com>
Cc: <stable@vger.kernel.org> # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoMerge tag 'drm-intel-fixes-2014-11-19' of git://anongit.freedesktop.org/drm-intel...
Dave Airlie [Thu, 20 Nov 2014 02:58:11 +0000 (12:58 +1000)]
Merge tag 'drm-intel-fixes-2014-11-19' of git://anongit.freedesktop.org/drm-intel into drm-fixes

two regression fixes.

* tag 'drm-intel-fixes-2014-11-19' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: Kick fbdev before vgacon
  drm/i915: drop WaSetupGtModeTdRowDispatch:snb

10 years agoACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up
Rafael J. Wysocki [Wed, 19 Nov 2014 00:44:11 +0000 (01:44 +0100)]
ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up

As reported by Dmitry, on some Chromebooks there are devices with
corresponding ACPI objects and with unusual system wakeup
configuration.  Namely, they technically are wakeup-capable, but the
wakeup is handled via a platform-specific out-of-band mechanism and
the ACPI PM layer has no information on the wakeup capability.  As
a result, device_may_wakeup(dev) called from acpi_dev_suspend_late()
returns 'true' for those devices, but the wakeup.flags.valid flag is
unset for the corresponding ACPI device objects, so acpi_device_wakeup()
reproducibly fails for them causing acpi_dev_suspend_late() to return
an error code.  The entire system suspend is then aborted and the
machines in question cannot suspend at all.

Address the problem by ignoring the device_may_wakeup(dev) return
value in acpi_dev_suspend_late() if the ACPI companion of the device
being handled has wakeup.flags.valid unset (in which case it is clear
that the wakeup is supposed to be handled by other means).

This fixes a regression introduced by commit a76e9bd89ae7 (i2c:
attach/detach I2C client device to the ACPI power domain) as the
affected systems could suspend and resume successfully before that
commit.

Fixes: a76e9bd89ae7 (i2c: attach/detach I2C client device to the ACPI power domain)
Reported-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Cc: 3.13+ <stable@vger.kernel.org> # 3.13+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
10 years agocxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection
Anish Bhatt [Wed, 19 Nov 2014 03:09:51 +0000 (19:09 -0800)]
cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection

cxgb4i was returning wrong error and not releasing module reference if remote
end abruptly closed TCP connection. This prevents the cxgb4 network module from
being unloaded, further affecting other network drivers dependent on cxgb4

Sending to net as this affects all cxgb4 based network drivers.

Signed-off-by: Anish Bhatt <anish@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipv6: delete protocol and unregister rtnetlink when cleanup
Duan Jiong [Wed, 19 Nov 2014 01:35:39 +0000 (09:35 +0800)]
ipv6: delete protocol and unregister rtnetlink when cleanup

pim6_protocol was added when initiation, but it not deleted.
Similarly, unregister RTNL_FAMILY_IP6MR rtnetlink.

Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Reviewed-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoPCI: Support 64-bit bridge windows if we have 64-bit dma_addr_t
Yinghai Lu [Wed, 19 Nov 2014 21:30:32 +0000 (14:30 -0700)]
PCI: Support 64-bit bridge windows if we have 64-bit dma_addr_t

Aaron reported that a 32-bit x86 kernel with Physical Address Extension
(PAE) support complains about bridge prefetchable memory windows above 4GB:

  pci_bus 0000:00: root bus resource [mem 0x380000000000-0x383fffffffff]
  ...
  pci 0000:03:00.0: reg 0x10: [mem 0x383fffc00000-0x383fffdfffff 64bit pref]
  pci 0000:03:00.0: reg 0x20: [mem 0x383fffe04000-0x383fffe07fff 64bit pref]
  pci 0000:03:00.1: reg 0x10: [mem 0x383fffa00000-0x383fffbfffff 64bit pref]
  pci 0000:03:00.1: reg 0x20: [mem 0x383fffe00000-0x383fffe03fff 64bit pref]
  pci 0000:00:02.2: PCI bridge to [bus 03-04]
  pci 0000:00:02.2:   bridge window [io  0x1000-0x1fff]
  pci 0000:00:02.2:   bridge window [mem 0x91900000-0x91cfffff]
  pci 0000:00:02.2: can't handle 64-bit address space for bridge

In this kernel, unsigned long is 32 bits and dma_addr_t is 64 bits.
Previously we used "unsigned long" to hold the bridge window address.  But
this is a bus address, so we should use dma_addr_t instead.

Use dma_addr_t to hold the bridge window base and limit.

The question of whether the CPU can actually *address* the window is
separate and depends on what the physical address space of the CPU is and
whether the host bridge does any address translation.

[bhelgaas: fix "shift count > width of type", changelog, stable tag]
Fixes: d56dbf5bab8c ("PCI: Allocate 64-bit BARs above 4G when possible")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=88131
Reported-by: Aaron Ma <mapengyu@gmail.com>
Tested-by: Aaron Ma <mapengyu@gmail.com>
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org # v3.14+
10 years agoMerge tag 'mac80211-for-john-2014-11-18' of git://git.kernel.org/pub/scm/linux/kernel...
John W. Linville [Wed, 19 Nov 2014 20:44:40 +0000 (15:44 -0500)]
Merge tag 'mac80211-for-john-2014-11-18' of git://git./linux/kernel/git/jberg/mac80211

Johannes Berg <johannes@sipsolutions.net> says:

"Here's another last minute fix, for minstrel HT crashing
depending on the value of some uninitialised stack."

Signed-off-by: John W. Linville <linville@tuxdriver.com>
10 years agoMerge tag 'linux-can-fixes-for-3.18-20141118' of git://gitorious.org/linux-can/linux-can
David S. Miller [Wed, 19 Nov 2014 20:28:58 +0000 (15:28 -0500)]
Merge tag 'linux-can-fixes-for-3.18-20141118' of git://gitorious.org/linux-can/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2014-11-18

this is a pull request of 17 patches for net/master for the v3.18 release
cycle.

The last patch of this pull request ("can: m_can: update to support CAN FD
features") adds, as the description says, a new feature to the m_can driver. As
the m_can driver has been added in v3.18 there is no risk of causing a
regression. Give me a note if this is not okay and I'll create a new pull
request without it.

There is a patch for the CAN infrastructure by Thomas Körper which fixes
calling kfree_skb() from interrupt context. Roman Fietze fixes a typo also in
the infrastructure. A patch by Dong Aisheng adds a generic helper function to
tell if a skb is normal CAN or CAN-FD frame. Alexey Khoroshilov of the Linux
Driver Verification project fixes a memory leak in the esd_usb2 driver. Two
patches by Sudip Mukherjee remove unused variables and fixe the signess of a
variable. Three patches by me add the missing .ndo_change_mtu callback to the
xilinx_can, rcar_can and gs_usb driver.

The remaining patches improve the m_can driver: David Cohen adds the missing
CONFIG_HAS_IOMEM dependency. Dong Aisheng provides 6 bugfix patches (most
important: missing RAM init, sleep in NAPI poll, dlc in RTR). While the last of
his patches adds CAN FD support to the driver.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet/mlx4_en: Add VXLAN ndo calls to the PF net device ops too
Or Gerlitz [Tue, 18 Nov 2014 15:51:27 +0000 (17:51 +0200)]
net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too

This is currently missing, which results in a crash when one attempts
to set VXLAN tunnel over the mlx4_en when acting as PF.

[ 2408.785472] BUG: unable to handle kernel NULL pointer dereference at (null)
[...]
[ 2408.994104] Call Trace:
[ 2408.996584]  [<ffffffffa021f7f5>] ? vxlan_get_rx_port+0xd6/0x103 [vxlan]
[ 2409.003316]  [<ffffffffa021f71f>] ? vxlan_lowerdev_event+0xf2/0xf2 [vxlan]
[ 2409.010225]  [<ffffffffa0630358>] mlx4_en_start_port+0x862/0x96a [mlx4_en]
[ 2409.017132]  [<ffffffffa063070f>] mlx4_en_open+0x17f/0x1b8 [mlx4_en]

While here, make sure to invoke vxlan_get_rx_port() only when VXLAN
offloads are actually enabled and not when they are only supported.

Reported-by: Ido Shamay <idos@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobonding: fix curr_active_slave/carrier with loadbalance arp monitoring
Nikolay Aleksandrov [Tue, 18 Nov 2014 14:14:44 +0000 (15:14 +0100)]
bonding: fix curr_active_slave/carrier with loadbalance arp monitoring

Since commit 6fde8f037e60 ("bonding: fix locking in
bond_loadbalance_arp_mon()") we can have a stale bond carrier state and
stale curr_active_slave when using arp monitoring in loadbalance modes. The
reason is that in bond_loadbalance_arp_mon() we can't have
do_failover == true but slave_state_changed == false, whenever do_failover
is true then slave_state_changed is also true. Then the following piece
from bond_loadbalance_arp_mon():
                if (slave_state_changed) {
                        bond_slave_state_change(bond);
                        if (BOND_MODE(bond) == BOND_MODE_XOR)
                                bond_update_slave_arr(bond, NULL);
                } else if (do_failover) {
                        block_netpoll_tx();
                        bond_select_active_slave(bond);
                        unblock_netpoll_tx();
                }

will execute only the first branch, always and regardless of do_failover.
Since these two events aren't related in such way, we need to decouple and
consider them separately.

For example this issue could lead to the following result:
Bonding Mode: load balancing (round-robin)
*MII Status: down*
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0
ARP Polling Interval (ms): 100
ARP IP target/s (n.n.n.n form): 192.168.9.2

Slave Interface: ens12
*MII Status: up*
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 2
Permanent HW addr: 00:0f:53:01:42:2c
Slave queue ID: 0

Slave Interface: eth1
*MII Status: up*
Speed: Unknown
Duplex: Unknown
Link Failure Count: 70
Permanent HW addr: 52:54:00:2f:0f:8e
Slave queue ID: 0

Since some interfaces are up, then the status of the bond should also be
up, but it will never change unless something invokes bond_set_carrier()
(i.e. enslave, bond_select_active_slave etc). Now, if I force the
calling of bond_select_active_slave via for example changing
primary_reselect (it can change in any mode), then the MII status goes to
"up" because it calls bond_select_active_slave() which should've been done
from bond_loadbalance_arp_mon() itself.

CC: Veaceslav Falico <vfalico@gmail.com>
CC: Jay Vosburgh <j.vosburgh@gmail.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: Ding Tianhong <dingtianhong@huawei.com>
Fixes: 6fde8f037e60 ("bonding: fix locking in bond_loadbalance_arp_mon()")
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Acked-by: Veaceslav Falico <vfalico@gmail.com>
Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoof/selftest: Fix off-by-one error in removal path
Grant Likely [Wed, 19 Nov 2014 16:22:32 +0000 (16:22 +0000)]
of/selftest: Fix off-by-one error in removal path

The removal path for selftest data has an off by one error that causes
the code to dereference beyond the end of the nodes[] array on the first
pass through. The old code only worked by chance on a lot of platforms,
but the bug was recently exposed on aarch64.

The fix is simple. Decrement the node count before dereferencing, not
after.

Reported-by: Kevin Hilman <khilman@linaro.org>
Cc: Rob Herring <robh+dt@kernel.org>
Cc: Gaurav Minocha <gaurav.minocha.os@gmail.com>
Cc: <stable@vger.kernel.org> # v3.17+
10 years agoMIPS: jump_label.c: Handle the microMIPS J instruction encoding
Maciej W. Rozycki [Mon, 17 Nov 2014 16:10:32 +0000 (16:10 +0000)]
MIPS: jump_label.c: Handle the microMIPS J instruction encoding

Implement the microMIPS encoding of the J instruction for the purpose of
the static keys feature, fixing a crash early on in bootstrap as the
kernel is unhappy seeing the ISA bit set in jump table entries.  Make
sure the ISA bit correctly reflects the instruction encoding chosen for
the kernel, 0 for the standard MIPS and 1 for the microMIPS encoding.

Also make sure the instruction to patch is a 32-bit NOP in the microMIPS
mode as by default the 16-bit short encoding is assumed

Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8516/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: jump_label.c: Correct the span of the J instruction
Maciej W. Rozycki [Mon, 17 Nov 2014 16:09:54 +0000 (16:09 +0000)]
MIPS: jump_label.c: Correct the span of the J instruction

Correct the check for the span of the 256MB segment addressable by the J
instruction according to this instruction's semantics.  The calculation
of the jump target is applied to the address of the delay-slot
instruction that immediately follows.  Adjust the check accordingly by
adding 4 to `e->code' that holds the address of the J instruction
itself.

Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8515/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: Zero variable read by get_user / __get_user in case of an error.
Ralf Baechle [Tue, 18 Nov 2014 17:47:13 +0000 (18:47 +0100)]
MIPS: Zero variable read by get_user / __get_user in case of an error.

This wasn't happening in all cases.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: lib: memcpy: Restore NOP on delay slot before returning to caller
Markos Chandras [Mon, 17 Nov 2014 09:32:38 +0000 (09:32 +0000)]
MIPS: lib: memcpy: Restore NOP on delay slot before returning to caller

Commit cf62a8b8134dd3 ("MIPS: lib: memcpy: Use macro to build the
copy_user code") switched to a macro in order to build the memcpy
symbols in preparation for the EVA support. However, this commit
also removed the NOP instruction after the 'jr ra' when returning
back to the caller. This had no visible side-effects since the next
instruction was a load to the t0 register which was already in the
clobbered list, but it may have undesired effects in the future
if some other code is introduced in between the .Ldone and
the .Ll_exc_copy labels.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: <stable@vger.kernel.org> # v3.15+
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8512/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: tlb-r4k: Add missing HTW stop/start sequences
Markos Chandras [Mon, 17 Nov 2014 09:31:07 +0000 (09:31 +0000)]
MIPS: tlb-r4k: Add missing HTW stop/start sequences

HTW needs to stop and start again whenever the EntryHI register
changes otherwise an inflight HTW operation might use the new
EntryHI register for updating an old entry and that could lead
to crashes or even a machine check exception. We fix this by
ensuring the HTW has stop whenever the EntryHI register is about
to change

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: <stable@vger.kernel.org> # v3.17+
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8511/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: asm: uaccess: Add v1 register to clobber list on EVA
Markos Chandras [Mon, 17 Nov 2014 09:30:23 +0000 (09:30 +0000)]
MIPS: asm: uaccess: Add v1 register to clobber list on EVA

When EVA is turned on and prefetching is being used in memcpy.S,
the v1 register is being used as a helper register to the PREFE
instruction. However, v1 ($3) was not in the clobber list, which
means that the compiler did not preserve it across function calls,
and that could corrupt the value of the register leading to all
sorts of userland crashes. We fix this problem by using the
DADDI_SCRATCH macro to define the clobbered register when
CONFIG_EVA && CONFIG_CPU_HAS_PREFETCH are enabled.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: <stable@vger.kernel.org> # v3.15+
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8510/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: oprofile: Fix backtrace on 64-bit kernel
Aaro Koskinen [Fri, 17 Oct 2014 15:10:24 +0000 (18:10 +0300)]
MIPS: oprofile: Fix backtrace on 64-bit kernel

Fix incorrect cast that always results in wrong address for the new
frame on 64-bit kernels.

Signed-off-by: Aaro Koskinen <aaro.koskinen@nsn.com>
Cc: stable@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8110/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: Loongson: Set Loongson-3's ISA level to MIPS64R1
Huacai Chen [Tue, 4 Nov 2014 06:13:23 +0000 (14:13 +0800)]
MIPS: Loongson: Set Loongson-3's ISA level to MIPS64R1

In CPU manual Loongson-3 is MIPS64R2 compatible, but during tests we
found that its EI/DI instructions have problems. So we just set the ISA
level to MIPS64R1.

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Cc: John Crispin <john@phrozen.org>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Patchwork: https://patchwork.linux-mips.org/patch/8320/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: Loongson: Fix the write-combine CCA value setting
Huacai Chen [Tue, 4 Nov 2014 06:13:22 +0000 (14:13 +0800)]
MIPS: Loongson: Fix the write-combine CCA value setting

All Loongson-2/3 processors support _CACHE_UNCACHED_ACCELERATED, not
only Loongson-3A.

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Cc: John Crispin <john@phrozen.org>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Patchwork: https://patchwork.linux-mips.org/patch/8319/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: IP27: Fix __node_distances undefined error
James Cowgill [Thu, 13 Nov 2014 11:08:07 +0000 (11:08 +0000)]
MIPS: IP27: Fix __node_distances undefined error

export the __node_distances symbol in the ip27 memory code to fix the
build error:

  Building modules, stage 2.
  MODPOST 311 modules
ERROR: "__node_distances" [drivers/block/nvme.ko] undefined!
scripts/Makefile.modpost:90: recipe for target '__modpost' failed

when building the kernel with:
 CONFIG_SGI_IP27=y
 CONFIG_BLK_DEV_NVME=m

Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Cc: <stable@vger.kernel.org> # v3.15+
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agoMIPS: Loongson3: Fix __node_distances undefined error
James Cowgill [Thu, 13 Nov 2014 11:08:06 +0000 (11:08 +0000)]
MIPS: Loongson3: Fix __node_distances undefined error

export the __node_distances symbol in the loongson3 numa code to fix the
build error:

  Building modules, stage 2.
  MODPOST 221 modules
ERROR: "__node_distances" [drivers/block/nvme.ko] undefined!
scripts/Makefile.modpost:90: recipe for target '__modpost' failed

when building the kernel with:
 CONFIG_CPU_LOONGSON3=y
 CONFIG_NUMA=y
 CONFIG_BLK_DEV_NVME=m

Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Cc: <stable@vger.kernel.org> # v3.17+
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Huacai Chen <chenhc@lemote.com>
Cc: linux-mips@linux-mips.org
Cc: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Patchwork: https://patchwork.linux-mips.org/patch/8444/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
10 years agomac80211: minstrel_ht: fix a crash in rate sorting
Felix Fietkau [Tue, 18 Nov 2014 21:35:31 +0000 (22:35 +0100)]
mac80211: minstrel_ht: fix a crash in rate sorting

The commit 5935839ad73583781b8bbe8d91412f6826e218a4
"mac80211: improve minstrel_ht rate sorting by throughput & probability"

introduced a crash on rate sorting that occurs when the rate added to
the sorting array is faster than all the previous rates. Due to an
off-by-one error, it reads the rate index from tp_list[-1], which
contains uninitialized stack garbage, and then uses the resulting index
for accessing the group rate stats, leading to a crash if the garbage
value is big enough.

Cc: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Reported-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
10 years agovxlan: Inline vxlan_gso_check().
Joe Stringer [Tue, 18 Nov 2014 00:24:54 +0000 (16:24 -0800)]
vxlan: Inline vxlan_gso_check().

Suggested-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocan: m_can: update to support CAN FD features
Dong Aisheng [Tue, 18 Nov 2014 11:00:55 +0000 (19:00 +0800)]
can: m_can: update to support CAN FD features

Bosch M_CAN is CAN FD capable device. This patch implements the CAN
FD features include up to 64 bytes payload and bitrate switch function.
1) Change the Rx FIFO and Tx Buffer to 64 bytes for support CAN FD
   up to 64 bytes payload. It's backward compatible with old 8 bytes
   normal CAN frame.
2) Allocate can frame or canfd frame based on EDL bit
3) Bitrate Switch function is disabled by default and will be enabled
   according to CANFD_BRS bit in cf->flags.

Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: m_can: fix incorrect error messages
Dong Aisheng [Wed, 29 Oct 2014 10:45:22 +0000 (18:45 +0800)]
can: m_can: fix incorrect error messages

Fix a few error messages.

Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: m_can: add missing delay after setting CCCR_INIT bit
Dong Aisheng [Wed, 29 Oct 2014 10:45:24 +0000 (18:45 +0800)]
can: m_can: add missing delay after setting CCCR_INIT bit

The spec mentions there may be a delay until the value written to INIT can be
read back due to the synchronization mechanism between the two clock domains.
But it does not indicate the exact clock cycles needed. The 5us delay is a
test value and seems ok.

Without the delay, CCCR.CCE bit may fail to be set and then the initialization
fail sometimes when do repeatly up and down.

Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: m_can: fix not set can_dlc for remote frame
Dong Aisheng [Tue, 18 Nov 2014 11:00:54 +0000 (19:00 +0800)]
can: m_can: fix not set can_dlc for remote frame

The original code missed to set the cf->can_dlc in the RTR case, so add it.

Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: m_can: fix possible sleep in napi poll
Dong Aisheng [Wed, 29 Oct 2014 10:45:21 +0000 (18:45 +0800)]
can: m_can: fix possible sleep in napi poll

The m_can_get_berr_counter function can sleep and it may be called in napi poll
function. Rework it to fix the following warning.

root@imx6qdlsolo:~# cangen can0 -f -L 12 -D 112233445566778899001122
[ 1846.017565] m_can 20e8000.can can0: entered error warning state
[ 1846.023551] ------------[ cut here ]------------
[ 1846.028216] WARNING: CPU: 0 PID: 560 at kernel/locking/mutex.c:867 mutex_trylock+0x218/0x23c()
[ 1846.036889] DEBUG_LOCKS_WARN_ON(in_interrupt())
[ 1846.041263] Modules linked in:
[ 1846.044594] CPU: 0 PID: 560 Comm: cangen Not tainted 3.17.0-rc4-next-20140915-00010-g032d018-dirty #477
[ 1846.054033] Backtrace:
[ 1846.056557] [<80012448>] (dump_backtrace) from [<80012728>] (show_stack+0x18/0x1c)
[ 1846.064180]  r6:809a07ec r5:809a07ec r4:00000000 r3:00000000
[ 1846.069966] [<80012710>] (show_stack) from [<806c9ee0>] (dump_stack+0x8c/0xa4)
[ 1846.077264] [<806c9e54>] (dump_stack) from [<8002aa78>] (warn_slowpath_common+0x70/0x94)
[ 1846.085403]  r6:806cd1b0 r5:00000009 r4:be1d5c20 r3:be07b0c0
[ 1846.091204] [<8002aa08>] (warn_slowpath_common) from [<8002aad4>] (warn_slowpath_fmt+0x38/0x40)
[ 1846.099951]  r8:8119106c r7:80515aa4 r6:be027000 r5:00000001 r4:809d1df4
[ 1846.106830] [<8002aaa0>] (warn_slowpath_fmt) from [<806cd1b0>] (mutex_trylock+0x218/0x23c)
[ 1846.115141]  r3:80851c88 r2:8084fb74
[ 1846.118804] [<806ccf98>] (mutex_trylock) from [<80515aa4>] (clk_prepare_lock+0x14/0xf4)
[ 1846.126859]  r8:00000040 r7:be1d5cec r6:be027000 r5:be255800 r4:be027000
[ 1846.133737] [<80515a90>] (clk_prepare_lock) from [<80517660>] (clk_prepare+0x14/0x2c)
[ 1846.141583]  r5:be255800 r4:be027000
[ 1846.145272] [<8051764c>] (clk_prepare) from [<8041ff14>] (m_can_get_berr_counter+0x20/0xd4)
[ 1846.153672]  r4:be255800 r3:be07b0c0
[ 1846.157325] [<8041fef4>] (m_can_get_berr_counter) from [<80420428>] (m_can_poll+0x310/0x8fc)
[ 1846.165809]  r7:bd4dc540 r6:00000744 r5:11300000 r4:be255800
[ 1846.171590] [<80420118>] (m_can_poll) from [<8056a468>] (net_rx_action+0xcc/0x1b4)
[ 1846.179204]  r10:00000101 r9:be255ebc r8:00000040 r7:be7c3208 r6:8097c100 r5:be7c3200
[ 1846.187192]  r4:0000012c
[ 1846.189779] [<8056a39c>] (net_rx_action) from [<8002deec>] (__do_softirq+0xfc/0x2c4)
[ 1846.197568]  r10:00000101 r9:8097c088 r8:00000003 r7:8097c080 r6:40000001 r5:8097c08c
[ 1846.205559]  r4:00000020
[ 1846.208144] [<8002ddf0>] (__do_softirq) from [<8002e194>] (do_softirq+0x7c/0x88)
[ 1846.215588]  r10:00000000 r9:bd516a60 r8:be18ce00 r7:00000000 r6:be255800 r5:8056c0ec
[ 1846.223578]  r4:60000093
[ 1846.226163] [<8002e118>] (do_softirq) from [<8002e288>] (__local_bh_enable_ip+0xe8/0x10c)
[ 1846.234386]  r4:00000200 r3:be1d4000
[ 1846.238036] [<8002e1a0>] (__local_bh_enable_ip) from [<8056c108>] (__dev_queue_xmit+0x314/0x6b0)
[ 1846.246868]  r6:be255800 r5:bd516a00 r4:00000000 r3:be07b0c0
[ 1846.252645] [<8056bdf4>] (__dev_queue_xmit) from [<8056c4b8>] (dev_queue_xmit+0x14/0x18)

Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: m_can: add missing message RAM initialization
Dong Aisheng [Fri, 7 Nov 2014 08:45:14 +0000 (16:45 +0800)]
can: m_can: add missing message RAM initialization

The M_CAN message RAM is usually equipped with a parity or ECC functionality.
But RAM cells suffer a hardware reset and can therefore hold arbitrary content
at startup - including parity and/or ECC bits.

To prevent the M_CAN controller detecting checksum errors when reading
potentially uninitialized TX message RAM content to transmit CAN frames the TX
message RAM has to be written with (any kind of) initial data.

Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: m_can: add CONFIG_HAS_IOMEM dependence
David Cohen [Wed, 15 Oct 2014 21:41:50 +0000 (14:41 -0700)]
can: m_can: add CONFIG_HAS_IOMEM dependence

m_can uses io memory which makes it not compilable on architectures
without HAS_IOMEM such as UML:

drivers/built-in.o: In function `m_can_plat_probe':
m_can.c:(.text+0x218cc5): undefined reference to `devm_ioremap_resource'
m_can.c:(.text+0x218df9): undefined reference to `devm_ioremap'

Signed-off-by: David Cohen <david.a.cohen@linux.intel.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: m_can: add .ndo_change_mtu function
Dong Aisheng [Wed, 29 Oct 2014 10:45:23 +0000 (18:45 +0800)]
can: m_can: add .ndo_change_mtu function

Use common can_change_mtu function.

Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: gs_usb: add .ndo_change_mtu function
Marc Kleine-Budde [Tue, 18 Nov 2014 12:16:13 +0000 (13:16 +0100)]
can: gs_usb: add .ndo_change_mtu function

Use common can_change_mtu function.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agodocumentation: pinctrl bindings: Fix trivial typo 'abitrary'
Soren Brinkmann [Thu, 6 Nov 2014 15:38:51 +0000 (07:38 -0800)]
documentation: pinctrl bindings: Fix trivial typo 'abitrary'

A misspelled 'arbitrary' propagated to quite a few locations in the DT
binding documentation for pin-controllers. Fixing by:
  git grep abitrary | cut -f1 -d: | xargs sed -i 's/abitrary/arbitrary/'

Reported-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agodevicetree: bindings: Add vendor prefix for Micron Technology, Inc.
bpqw [Wed, 12 Nov 2014 14:26:42 +0000 (14:26 +0000)]
devicetree: bindings: Add vendor prefix for Micron Technology, Inc.

This patch is used to add vendor prefix for Micron Technology, Inc. in
the vendor-prefixes.txt file.

Micron Technology, Inc. is an American multinational corporation based
in Boise, Idaho, best known for producing many forms of semiconductor
devices. This includes DRAM, SDRAM, flash memory, eMMC and SSDs.

Signed-off-by: Bean Huo <bpqw@micron.com>
[robh: cleanup commit msg formatting and company name]
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agoof: Add vendor prefix for Chips&Media, Inc.
Philipp Zabel [Wed, 14 May 2014 09:24:43 +0000 (11:24 +0200)]
of: Add vendor prefix for Chips&Media, Inc.

Chips&Media is a developer of Video Codec IP cores.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
[robh: fix-up alphabetical ordering]
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agoof/base: Fix PowerPC address parsing hack
Benjamin Herrenschmidt [Fri, 14 Nov 2014 06:55:03 +0000 (17:55 +1100)]
of/base: Fix PowerPC address parsing hack

We have a historical hack that treats missing ranges properties as the
equivalent of an empty one. This is needed for ancient PowerMac "bad"
device-trees, and shouldn't be enabled for any other PowerPC platform,
otherwise we get some nasty layout of devices in sysfs or even
duplication when a set of otherwise identically named devices is
created multiple times under a different parent node with no ranges
property.

This fix is needed for the PowerNV i2c busses to be exposed properly
and will fix a number of other embedded cases.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: <stable@vger.kernel.org>
Acked-by: Grant Likely <grant.likely@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agodevicetree: vendor-prefixes.txt: fix whitespace
Antony Pavlov [Sat, 8 Nov 2014 22:37:34 +0000 (01:37 +0300)]
devicetree: vendor-prefixes.txt: fix whitespace

Signed-off-by: Antony Pavlov <antonynpavlov@gmail.com>
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agoof: Fix crash if an earlycon driver is not found
Kevin Cernekee [Sun, 9 Nov 2014 08:55:47 +0000 (00:55 -0800)]
of: Fix crash if an earlycon driver is not found

__earlycon_of_table_sentinel.compatible is a char[128], not a pointer, so
it will never be NULL.  Checking it against NULL causes the match loop to
run past the end of the array, and eventually match a bogus entry, under
the following conditions:

 - Kernel command line specifies "earlycon" with no parameters
 - DT has a stdout-path pointing to a UART node
 - The UART driver doesn't use OF_EARLYCON_DECLARE (or maybe the console
   driver is compiled out)

Fix this by checking to see if match->compatible is a non-empty string.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Cc: <stable@vger.kernel.org> # 3.16+
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agoof/irq: Drop obsolete 'interrupts' vs 'interrupts-extended' text
Bjorn Helgaas [Sat, 1 Nov 2014 23:35:31 +0000 (17:35 -0600)]
of/irq: Drop obsolete 'interrupts' vs 'interrupts-extended' text

a9ecdc0fdc54 ("of/irq: Fix lookup to use 'interrupts-extended' property
first") updated the description to say that:

  - Both 'interrupts' and 'interrupts-extended' may be present
  - Software should prefer 'interrupts-extended'
  - Software that doesn't comprehend 'interrupts-extended' may use
    'interrupts'

But there is still a paragraph at the end that prohibits having both and
says 'interrupts' should be preferred.

Remove the contradictory text.

Fixes: a9ecdc0fdc54 ("of/irq: Fix lookup to use 'interrupts-extended' property first")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org # v3.13+
Acked-by: Brian Norris <computersforpeace@gmail.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agoof: Spelling s/stucture/structure/
Geert Uytterhoeven [Wed, 22 Oct 2014 09:49:01 +0000 (11:49 +0200)]
of: Spelling s/stucture/structure/

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Grant Likely <grant.likely@linaro.org>
Cc: Rob Herring <robh+dt@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agox86, kaslr: Handle Gold linker for finding bss/brk
Kees Cook [Tue, 18 Nov 2014 00:16:04 +0000 (16:16 -0800)]
x86, kaslr: Handle Gold linker for finding bss/brk

When building with the Gold linker, the .bss and .brk areas of vmlinux
are shown as consecutive instead of having the same file offset. Allow
for either state, as long as things add up correctly.

Fixes: e6023367d779 ("x86, kaslr: Prevent .bss from overlaping initrd")
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Junjie Mao <eternal.n08@gmail.com>
Link: http://lkml.kernel.org/r/20141118001604.GA25045@www.outflux.net
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
10 years agox86, mm: Set NX across entire PMD at boot
Kees Cook [Fri, 14 Nov 2014 19:47:37 +0000 (11:47 -0800)]
x86, mm: Set NX across entire PMD at boot

When setting up permissions on kernel memory at boot, the end of the
PMD that was split from bss remained executable. It should be NX like
the rest. This performs a PMD alignment instead of a PAGE alignment to
get the correct span of memory.

Before:
---[ High Kernel Mapping ]---
...
0xffffffff8202d000-0xffffffff82200000  1868K     RW       GLB NX pte
0xffffffff82200000-0xffffffff82c00000    10M     RW   PSE GLB NX pmd
0xffffffff82c00000-0xffffffff82df5000  2004K     RW       GLB NX pte
0xffffffff82df5000-0xffffffff82e00000    44K     RW       GLB x  pte
0xffffffff82e00000-0xffffffffc0000000   978M                     pmd

After:
---[ High Kernel Mapping ]---
...
0xffffffff8202d000-0xffffffff82200000  1868K     RW       GLB NX pte
0xffffffff82200000-0xffffffff82e00000    12M     RW   PSE GLB NX pmd
0xffffffff82e00000-0xffffffffc0000000   978M                     pmd

[ tglx: Changed it to roundup(_brk_end, PMD_SIZE) and added a comment.
        We really should unmap the reminder along with the holes
        caused by init,initdata etc. but thats a different issue ]

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Toshi Kani <toshi.kani@hp.com>
Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Wang Nan <wangnan0@huawei.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20141114194737.GA3091@www.outflux.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
10 years agox86, microcode: Update BSPs microcode on resume
Borislav Petkov [Tue, 18 Nov 2014 09:46:57 +0000 (10:46 +0100)]
x86, microcode: Update BSPs microcode on resume

In the situation when we apply early microcode but do *not* apply late
microcode, we fail to update the BSP's microcode on resume because we
haven't initialized the uci->mc microcode pointer. So, in order to
alleviate that, we go and dig out the stashed microcode patch during
early boot. It is basically the same thing that is done on the APs early
during boot so do that too here.

Tested-by: alex.schnaidt@gmail.com
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=88001
Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: <stable@vger.kernel.org> # v3.9
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: http://lkml.kernel.org/r/20141118094657.GA6635@pd.tnic
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
10 years agodevicetree: bindings: add sandisk to the vendor prefixes
Robert Jarzmik [Thu, 25 Sep 2014 22:26:27 +0000 (00:26 +0200)]
devicetree: bindings: add sandisk to the vendor prefixes

Add sandisk to the list of vendors. This prefix should be used
also for companies absorbed by Sandisk, like M-Systems.

Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Rob Herring <robh@kernel.org>
10 years agocan: rcar_can: add .ndo_change_mtu function
Marc Kleine-Budde [Tue, 18 Nov 2014 12:16:13 +0000 (13:16 +0100)]
can: rcar_can: add .ndo_change_mtu function

Use common can_change_mtu function.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: xilinx_can: add .ndo_change_mtu function
Marc Kleine-Budde [Tue, 18 Nov 2014 12:16:13 +0000 (13:16 +0100)]
can: xilinx_can: add .ndo_change_mtu function

Use common can_change_mtu function.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: xilinx_can: fix comparison of unsigned variable
Sudip Mukherjee [Tue, 18 Nov 2014 13:47:07 +0000 (19:17 +0530)]
can: xilinx_can: fix comparison of unsigned variable

The variable err was of the type u32. It was being compared with < 0, and being
an unsigned variable the comparison would have been always false.

Moreover, err was getting the return value from set_reset_mode() and
xcan_set_bittiming(), and both are returning int.

Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: remove unused variable
Sudip Mukherjee [Tue, 18 Nov 2014 13:47:06 +0000 (19:17 +0530)]
can: remove unused variable

these variable were only assigned some values, but then never
reused again.
so they are safe to be removed.

Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: esd_usb2: fix memory leak on disconnect
Alexey Khoroshilov [Fri, 10 Oct 2014 20:31:07 +0000 (00:31 +0400)]
can: esd_usb2: fix memory leak on disconnect

It seems struct esd_usb2 dev is not deallocated on disconnect. The patch adds
the missing deallocation.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Matthias Fuchs <matthias.fuchs@esd.eu>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: dev: add can_is_canfd_skb() API
Dong Aisheng [Fri, 7 Nov 2014 08:45:12 +0000 (16:45 +0800)]
can: dev: add can_is_canfd_skb() API

The CAN device drivers can use can_is_canfd_skb() to check if the frame to send
is on CAN FD mode or normal CAN mode.

Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Dong Aisheng <b29396@freescale.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: dev: fix typo CIA -> CiA, CAN in Automation
Roman Fietze [Mon, 20 Oct 2014 08:32:42 +0000 (10:32 +0200)]
can: dev: fix typo CIA -> CiA, CAN in Automation

This patch fixes a typo in CAN's dev.c:

    CIA -> CiA

which stands for CAN in Automation.

Signed-off-by: Roman Fietze <roman.fietze@telemotive.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agocan: dev: avoid calling kfree_skb() from interrupt context
Thomas Körper [Fri, 31 Oct 2014 06:33:54 +0000 (07:33 +0100)]
can: dev: avoid calling kfree_skb() from interrupt context

ikfree_skb() is Called in can_free_echo_skb(), which might be called from (TX
Error) interrupt, which triggers the folloing warning:

[ 1153.360705] ------------[ cut here ]------------
[ 1153.360715] WARNING: CPU: 0 PID: 31 at net/core/skbuff.c:563 skb_release_head_state+0xb9/0xd0()
[ 1153.360772] Call Trace:
[ 1153.360778]  [<c167906f>] dump_stack+0x41/0x52
[ 1153.360782]  [<c105bb7e>] warn_slowpath_common+0x7e/0xa0
[ 1153.360784]  [<c158b909>] ? skb_release_head_state+0xb9/0xd0
[ 1153.360786]  [<c158b909>] ? skb_release_head_state+0xb9/0xd0
[ 1153.360788]  [<c105bc42>] warn_slowpath_null+0x22/0x30
[ 1153.360791]  [<c158b909>] skb_release_head_state+0xb9/0xd0
[ 1153.360793]  [<c158be90>] skb_release_all+0x10/0x30
[ 1153.360795]  [<c158bf06>] kfree_skb+0x36/0x80
[ 1153.360799]  [<f8486938>] ? can_free_echo_skb+0x28/0x40 [can_dev]
[ 1153.360802]  [<f8486938>] can_free_echo_skb+0x28/0x40 [can_dev]
[ 1153.360805]  [<f849a12c>] esd_pci402_interrupt+0x34c/0x57a [esd402]
[ 1153.360809]  [<c10a75b5>] handle_irq_event_percpu+0x35/0x180
[ 1153.360811]  [<c10a7623>] ? handle_irq_event_percpu+0xa3/0x180
[ 1153.360813]  [<c10a7731>] handle_irq_event+0x31/0x50
[ 1153.360816]  [<c10a9c7f>] handle_fasteoi_irq+0x6f/0x120
[ 1153.360818]  [<c10a9c10>] ? handle_edge_irq+0x110/0x110
[ 1153.360822]  [<c1011b61>] handle_irq+0x71/0x90
[ 1153.360823]  <IRQ>  [<c168152c>] do_IRQ+0x3c/0xd0
[ 1153.360829]  [<c1680b6c>] common_interrupt+0x2c/0x34
[ 1153.360834]  [<c107d277>] ? finish_task_switch+0x47/0xf0
[ 1153.360836]  [<c167c27b>] __schedule+0x35b/0x7e0
[ 1153.360839]  [<c10a5334>] ? console_unlock+0x2c4/0x4d0
[ 1153.360842]  [<c13df500>] ? n_tty_receive_buf_common+0x890/0x890
[ 1153.360845]  [<c10707b6>] ? process_one_work+0x196/0x370
[ 1153.360847]  [<c167c723>] schedule+0x23/0x60
[ 1153.360849]  [<c1070de1>] worker_thread+0x161/0x460
[ 1153.360852]  [<c1090fcf>] ? __wake_up_locked+0x1f/0x30
[ 1153.360854]  [<c1070c80>] ? rescuer_thread+0x2f0/0x2f0
[ 1153.360856]  [<c1074f01>] kthread+0xa1/0xc0
[ 1153.360859]  [<c1680401>] ret_from_kernel_thread+0x21/0x30
[ 1153.360861]  [<c1074e60>] ? kthread_create_on_node+0x110/0x110
[ 1153.360863] ---[ end trace 5ff83639cbb74b35 ]---

This patch replaces the kfree_skb() by dev_kfree_skb_any().

Signed-off-by: Thomas Körper <thomas.koerper@esd.eu>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
10 years agoALSA: hda - fix the mic mute led problem for Latitude E5550
Hui Wang [Tue, 18 Nov 2014 09:57:41 +0000 (17:57 +0800)]
ALSA: hda - fix the mic mute led problem for Latitude E5550

The microphone mute led on the Latitude E5550 can't work. We need to
apply DELL_WMI_MIC_MUTE_LED quirk to this machine.

The machine uses alc293 codec and already applied the quirk
ALC293_FIXUP_DELL1_MIC_NO_PRESENCE through pin_fixup_tbl[].

Here we just let DELL_WMI_MIC_MUTE_LED be chained to
ALC269_FIXUP_HEADSET_MODE, then the machine will have these
quirks ALC293_FIXUP_DELL1_MIC_NO_PRESENCE-->
ALC269_FIXUP_HEADSET_MODE-->ALC255_FIXUP_DELL_WMI_MIC_MUTE_LED.

BugLink: https://bugs.launchpad.net/bugs/1381856
Reported-and-tested-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 years agoALSA: hda - move DELL_WMI_MIC_MUTE_LED to the tail in the quirk chain
Hui Wang [Tue, 18 Nov 2014 09:57:40 +0000 (17:57 +0800)]
ALSA: hda - move DELL_WMI_MIC_MUTE_LED to the tail in the quirk chain

We have one more Dell machine needs DELL_WMI_MIC_MUTE_LED quirk, but
the machine uses alc293 instead of alc255. So if
DELL_WMI_MIC_MUTE_LED still chain ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
the machine can't use this quirk.

To change this situation, let the DELL_WMI_MIC_MUTE_LED to be a
standalone quirk, and let other quirks chain it.

After this change, this quirk can be chained to any existing quirks,
and as a result, it is possible that this quirk is applied to
a non-Dell machine or a Dell machine without mic mute led on it, but
it is still safe since alc_fixup_dell_wmi() will return an error in
these situations.

And remove the quirk for machine with subsystem id 0x6010 and 0x601f,
these two machines will fall back to the quirk
ALC255_FIXUP_DELL1_MIC_NO_PRESENCE-->ALC255_FIXUP_HEADSET_MODE-->
ALC255_FIXUP_DELL_WMI_MIC_MUTE_LED through pin_fixup_tbl[].

BugLink: https://bugs.launchpad.net/bugs/1381856
Reported-and-tested-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 years agopowerpc/fsl_msi: mark the msi cascade handler IRQF_NO_THREAD
Kevin Hao [Fri, 14 Nov 2014 05:51:22 +0000 (13:51 +0800)]
powerpc/fsl_msi: mark the msi cascade handler IRQF_NO_THREAD

The commit 543c043cbae7 ("powerpc/fsl_msi: change the irq handler from
chained to normal") changes the msi cascade handler from chained to
normal. Since cascade handler must run in hard interrupt context, this
will cause kernel panic if we force threading of all the interrupt
handler via kernel command parameter 'threadirqs'. So mark the irq
handler IRQF_NO_THREAD explicitly.

Signed-off-by: Kevin Hao <haokexin@gmail.com>
Signed-off-by: Scott Wood <scottwood@freescale.com>
10 years agoMerge tag 'asoc-v3.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie...
Takashi Iwai [Mon, 17 Nov 2014 21:16:03 +0000 (22:16 +0100)]
Merge tag 'asoc-v3.18-rc5' of git://git./linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v3.18

As well as the usual driver fixes there's a few other things here:

One is a fix for a race in DPCM which is unfortuantely a rather large
diffstat, this is the result of growing usage of the mainline code and
hence more detailed testing so I'm relatively happy.

The other is a fix for non-DT machine driver matching following some of
the componentization work which is much more focused.

Both have had a while to cook in -next.

10 years agobrcmfmac: fix error handling of irq_of_parse_and_map
Dmitry Torokhov [Fri, 14 Nov 2014 22:12:21 +0000 (14:12 -0800)]
brcmfmac: fix error handling of irq_of_parse_and_map

Return value of irq_of_parse_and_map() is unsigned int, with 0
indicating failure, so testing for negative result never works.

Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Cc: stable@vger.kernel.org # v3.17
Acked-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
10 years agobrcmfmac: kill URB when request timed out
Mathy Vanhoef [Thu, 13 Nov 2014 02:33:34 +0000 (21:33 -0500)]
brcmfmac: kill URB when request timed out

Kill the submitted URB in brcmf_usb_dl_cmd if the request timed out. This
assures the URB is never submitted twice. It also prevents a possible
use-after-free of the URB transfer buffer if a timeout occurs.

Signed-off-by: Mathy Vanhoef <vanhoefm@gmail.com>
Acked-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
10 years agoath9k: fix regression in bssidmask calculation
Ben Greear [Tue, 4 Nov 2014 23:22:50 +0000 (15:22 -0800)]
ath9k: fix regression in bssidmask calculation

The commit that went into 3.17:

    ath9k: Summarize hw state per channel context

    Group and set hw state (opmode, primary_sta, beacon conf) per
    channel context instead of whole list of vifs. This would allow
    each channel context to run in different mode (STA/AP).

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
broke multi-vif configuration due to not properly calculating
the bssid mask.

The test case that caught this was:

 create wlan0 and sta0-4 (6 total), not sure how much that matters.
 associate all 6 (works fine)
 disconnect 5 of them, leaving sta0 up
 Start trying to bring up the other 5 one at a time.  It will
 fail, with iw events looking like this (in these logs, several
 sta are trying to come up, but symptom is the same with just one)

The patch causing the regression made quite a few changes, but
the part I think caused this particular problem was not
recalculating the bssid mask when adding and removing interfaces.

Re-adding those calls fixes my test case.  Fix bad comment
as well.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
10 years agoMerge remote-tracking branches 'asoc/fix/rt5670', 'asoc/fix/samsung' and 'asoc/fix...
Mark Brown [Mon, 17 Nov 2014 16:41:11 +0000 (16:41 +0000)]
Merge remote-tracking branches 'asoc/fix/rt5670', 'asoc/fix/samsung' and 'asoc/fix/sgtl5000' into asoc-linus

10 years agoMerge remote-tracking branches 'asoc/fix/adsp', 'asoc/fix/cs41l51', 'asoc/fix/dpcm...
Mark Brown [Mon, 17 Nov 2014 16:41:06 +0000 (16:41 +0000)]
Merge remote-tracking branches 'asoc/fix/adsp', 'asoc/fix/cs41l51', 'asoc/fix/dpcm', 'asoc/fix/es8328', 'asoc/fix/fsl-asrc', 'asoc/fix/max98090', 'asoc/fix/rcar', 'asoc/fix/rockchip' and 'asoc/fix/rt5645' into asoc-linus

10 years agoMerge remote-tracking branch 'asoc/fix/core' into asoc-linus
Mark Brown [Mon, 17 Nov 2014 16:41:05 +0000 (16:41 +0000)]
Merge remote-tracking branch 'asoc/fix/core' into asoc-linus

10 years agoASoC: wm_adsp: Avoid attempt to free buffers that might still be in use
Charles Keepax [Mon, 17 Nov 2014 10:48:21 +0000 (10:48 +0000)]
ASoC: wm_adsp: Avoid attempt to free buffers that might still be in use

We should not free any buffers associated with writing out coefficients
to the DSP until all the async writes have completed. This patch updates
the out of memory path when allocating a new buffer to include a call to
regmap_async_complete.

Reported-by: JS Park <aitdark.park@samsung.com>
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
10 years agoALSA: usb-audio: Set the Control Selector to SU_SELECTOR_CONTROL for UAC2
Johan Rastén [Mon, 17 Nov 2014 07:39:33 +0000 (08:39 +0100)]
ALSA: usb-audio: Set the Control Selector to SU_SELECTOR_CONTROL for UAC2

Specified in section 5.2.5.6.1 of the USB Audio Class 2.0 definition.

Solves the following error for C-Media 6632A (Asus Xonar U7):
[ 8219.676164] cannot get ctl value: req = 0x81, wValue = 0x0, wIndex = 0x1400, type = 3

Signed-off-by: Johan Rastén <johan@oljud.se>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 years agobridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries
Linus Lüssing [Mon, 17 Nov 2014 11:20:28 +0000 (12:20 +0100)]
bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries

Ebtables on the OUTPUT chain (NF_BR_LOCAL_OUT) would not work as expected
for both locally generated IGMP and MLD queries. The IP header specific
filter options are off by 14 Bytes for netfilter (actual output on
interfaces is fine).

NF_HOOK() expects the skb->data to point to the IP header, not the
ethernet one (while dev_queue_xmit() does not). Luckily there is an
br_dev_queue_push_xmit() helper function already - let's just use that.

Introduced by eb1d16414339a6e113d89e2cca2556005d7ce919
("bridge: Add core IGMP snooping support")

Ebtables example:

$ ebtables -I OUTPUT -p IPv6 -o eth1 --logical-out br0 \
--log --log-level 6 --log-ip6 --log-prefix="~EBT: " -j DROP

before (broken):

~EBT:  IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
SRC=64a4:39c2:86dd:6000:0000:0020:0001:fe80 IPv6 \
DST=0000:0000:0000:0004:64ff:fea4:39c2:ff02, \
IPv6 priority=0x3, Next Header=2

after (working):

~EBT:  IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
SRC=fe80:0000:0000:0000:0004:64ff:fea4:39c2 IPv6 \
DST=ff02:0000:0000:0000:0000:0000:0000:0001, \
IPv6 priority=0x0, Next Header=0

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: nfnetlink: fix insufficient validation in nfnetlink_bind
Pablo Neira Ayuso [Fri, 14 Nov 2014 17:14:33 +0000 (18:14 +0100)]
netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind

Make sure the netlink group exists, otherwise you can trigger an out
of bound array memory access from the netlink_bind() path. This splat
can only be triggered only by superuser.

[  180.203600] UBSan: Undefined behaviour in ../net/netfilter/nfnetlink.c:467:28
[  180.204249] index 9 is out of range for type 'int [9]'
[  180.204697] CPU: 0 PID: 1771 Comm: trinity-main Not tainted 3.18.0-rc4-mm1+ #122
[  180.205365] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org
+04/01/2014
[  180.206498]  0000000000000018 0000000000000000 0000000000000009 ffff88007bdf7da8
[  180.207220]  ffffffff82b0ef5f 0000000000000092 ffffffff845ae2e0 ffff88007bdf7db8
[  180.207887]  ffffffff8199e489 ffff88007bdf7e18 ffffffff8199ea22 0000003900000000
[  180.208639] Call Trace:
[  180.208857] dump_stack (lib/dump_stack.c:52)
[  180.209370] ubsan_epilogue (lib/ubsan.c:174)
[  180.209849] __ubsan_handle_out_of_bounds (lib/ubsan.c:400)
[  180.210512] nfnetlink_bind (net/netfilter/nfnetlink.c:467)
[  180.210986] netlink_bind (net/netlink/af_netlink.c:1483)
[  180.211495] SYSC_bind (net/socket.c:1541)

Moreover, define the missing nf_tables and nf_acct multicast groups too.

Reported-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>