14 May, 2015
1 commit
-
…nux-stable into ti-linux-3.14.y
This is the 3.14.42 stable release
* tag 'v3.14.42' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (26 commits)
Linux 3.14.42
ARC: signal handling robustify
UBI: fix soft lockup in ubi_check_volume()
compal-laptop: Fix leaking hwmon device
Drivers: hv: vmbus: Don't wait after requesting offers
staging: panel: fix lcd type
usb: gadget: printer: enqueue printer's response for setup request
usb: host: ehci: use new USB_RESUME_TIMEOUT
usb: host: oxu210hp: use new USB_RESUME_TIMEOUT
usb: musb: use new USB_RESUME_TIMEOUT
drm/radeon: add SI DPM quirk for Sapphire R9 270 Dual-X 2G GDDR5
3w-sas: fix command completion race
3w-9xxx: fix command completion race
3w-xxxx: fix command completion race
ext4: fix data corruption caused by unwritten and delayed extents
rbd: end I/O the entire obj_request on error
tty/serial: at91: maxburst was missing for dma transfers
ASoC: dapm: Enable autodisable on SOC_DAPM_SINGLE_TLV_AUTODISABLE
serial: of-serial: Remove device_type = "serial" registration
ALSA: hda - Add mute-LED mode control to Thinkpad
...
Conflicts:
drivers/usb/musb/musb_core.c
Signed-off-by: Dan Murphy <dmurphy@ti.com>
13 May, 2015
1 commit
-
[ Upstream commit a134f083e79fb4c3d0a925691e732c56911b4326 ]
If we don't do that, then the poison value is left in the ->pprev
backlink.
This can cause crashes if we do a disconnect, followed by a connect().
Tested-by: Linus Torvalds
Reported-by: Wen Xu
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
07 May, 2015
6 commits
-
…nux-stable into ti-linux-3.14.y
This is the 3.14.41 stable release
* tag 'v3.14.41' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (93 commits)
Linux 3.14.41
nosave: consolidate __nosave_{begin,end} in <asm/sections.h>
fs: take i_mutex during prepare_binprm for set[ug]id executables
driver core: bus: Goto appropriate labels on failure in bus_add_device
memstick: mspro_block: add missing curly braces
C6x: time: Ensure consistency in __init
crypto: omap-aes - Fix support for unequal lengths
wl18xx: show rx_frames_per_rates as an array as it really is
lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
e1000: add dummy allocator to fix race condition between mtu change and netpoll
ksoftirqd: Enable IRQs and call cond_resched() before poking RCU
RCU pathwalk breakage when running into a symlink overmounting something
drm/i915: cope with large i2c transfers
drm/radeon: fix doublescan modes (v2)
i2c: core: Export bus recovery functions
IB/mlx4: Fix WQE LSO segment calculation
IB/core: don't disallow registering region starting at 0x0
IB/core: disallow registering 0-sized memory region
stk1160: Make sure current buffer is released
mvsas: fix panic on expander attached SATA devices
...
Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>
-
[ Upstream commit 2ea2f62c8bda242433809c7f4e9eae1c52c40bbe ]
When I added pfmemalloc support in build_skb(), I forgot netlink
was using build_skb() with a vmalloc() area.
In this patch I introduce __build_skb() for netlink use,
and build_skb() is a wrapper handling both skb->head_frag and
skb->pfmemalloc
This means netlink no longer has to hack skb->head_frag
[ 1567.700067] kernel BUG at arch/x86/mm/physaddr.c:26!
[ 1567.700067] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 1567.700067] Dumping ftrace buffer:
[ 1567.700067] (ftrace buffer empty)
[ 1567.700067] Modules linked in:
[ 1567.700067] CPU: 9 PID: 16186 Comm: trinity-c182 Not tainted 4.0.0-next-20150424-sasha-00037-g4796e21 #2167
[ 1567.700067] task: ffff880127efb000 ti: ffff880246770000 task.ti: ffff880246770000
[ 1567.700067] RIP: __phys_addr (arch/x86/mm/physaddr.c:26 (discriminator 3))
[ 1567.700067] RSP: 0018:ffff8802467779d8 EFLAGS: 00010202
[ 1567.700067] RAX: 000041000ed8e000 RBX: ffffc9008ed8e000 RCX: 000000000000002c
[ 1567.700067] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffffb3fd6049
[ 1567.700067] RBP: ffff8802467779f8 R08: 0000000000000019 R09: ffff8801d0168000
[ 1567.700067] R10: ffff8801d01680c7 R11: ffffed003a02d019 R12: ffffc9000ed8e000
[ 1567.700067] R13: 0000000000000f40 R14: 0000000000001180 R15: ffffc9000ed8e000
[ 1567.700067] FS: 00007f2a7da3f700(0000) GS:ffff8801d1000000(0000) knlGS:0000000000000000
[ 1567.700067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1567.700067] CR2: 0000000000738308 CR3: 000000022e329000 CR4: 00000000000007e0
[ 1567.700067] Stack:
[ 1567.700067] ffffc9000ed8e000 ffff8801d0168000 ffffc9000ed8e000 ffff8801d0168000
[ 1567.700067] ffff880246777a28 ffffffffad7c0a21 0000000000001080 ffff880246777c08
[ 1567.700067] ffff88060d302e68 ffff880246777b58 ffff880246777b88 ffffffffad9a6821
[ 1567.700067] Call Trace:
[ 1567.700067] build_skb (include/linux/mm.h:508 net/core/skbuff.c:316)
[ 1567.700067] netlink_sendmsg (net/netlink/af_netlink.c:1633 net/netlink/af_netlink.c:2329)
[ 1567.774369] ? sched_clock_cpu (kernel/sched/clock.c:311)
[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273)
[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273)
[ 1567.774369] sock_sendmsg (net/socket.c:614 net/socket.c:623)
[ 1567.774369] sock_write_iter (net/socket.c:823)
[ 1567.774369] ? sock_sendmsg (net/socket.c:806)
[ 1567.774369] __vfs_write (fs/read_write.c:479 fs/read_write.c:491)
[ 1567.774369] ? get_lock_stats (kernel/locking/lockdep.c:249)
[ 1567.774369] ? default_llseek (fs/read_write.c:487)
[ 1567.774369] ? vtime_account_user (kernel/sched/cputime.c:701)
[ 1567.774369] ? rw_verify_area (fs/read_write.c:406 (discriminator 4))
[ 1567.774369] vfs_write (fs/read_write.c:539)
[ 1567.774369] SyS_write (fs/read_write.c:586 fs/read_write.c:577)
[ 1567.774369] ? SyS_read (fs/read_write.c:577)
[ 1567.774369] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[ 1567.774369] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2594 kernel/locking/lockdep.c:2636)
[ 1567.774369] ? trace_hardirqs_on_thunk (arch/x86/lib/thunk_64.S:42)
[ 1567.774369] system_call_fastpath (arch/x86/kernel/entry_64.S:261)
Fixes: 79930f5892e ("net: do not deplete pfmemalloc reserve")
Signed-off-by: Eric Dumazet
Reported-by: Sasha Levin
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 79930f5892e134c6da1254389577fffb8bd72c66 ]
build_skb() should look at the page pfmemalloc status.
If set, this means page allocator allocated this page in the
expectation it would help to free other pages. Networking
stack can do that only if skb->pfmemalloc is also set.
Also, we must refrain using high order pages from the pfmemalloc
reserve, so __page_frag_refill() must also use __GFP_NOMEMALLOC for
them. Under memory pressure, using order-0 pages is probably the best
strategy.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 845704a535e9b3c76448f52af1b70e4422ea03fd ]
Presence of an unbound loop in tcp_send_fin() had always been hard
to explain when analyzing crash dumps involving gigantic dying processes
with millions of sockets.
Let's try a different strategy:
In case of memory pressure, try to add the FIN flag to last packet
in write queue, even if packet was already sent. TCP stack will
be able to deliver this FIN after a timeout event. Note that this
FIN being delivered by a retransmit, it also carries a Push flag
given our current implementation.
By checking sk_under_memory_pressure(), we anticipate that cooking
many FIN packets might deplete tcp memory.
In the case we could not allocate a packet, even with __GFP_WAIT
allocation, then not sending a FIN seems quite reasonable if it allows
to get rid of this socket, free memory, and not block the process from
eventually doing other useful work.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit d83769a580f1132ac26439f50068a29b02be535e ]
Using sk_stream_alloc_skb() in tcp_send_fin() is dangerous in
case a huge process is killed by OOM, and tcp_mem[2] is hit.
To be able to free memory we need to make progress, so this
patch allows FIN packets to not care about tcp_mem[2], if
skb allocation succeeded.
In a follow-up patch, we might abort tcp_send_fin() infinite loop
in case TIF_MEMDIE is set on this thread, as memory allocator
did its best getting extra memory already.
This patch reverts d22e15371811 ("tcp: fix tcp fin memory accounting")
Fixes: d22e15371811 ("tcp: fix tcp fin memory accounting")
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 2ab957492d13bb819400ac29ae55911d50a82a13 ]
Initial discussion was:
[FYI] xfrm: Don't lookup sk_policy for timewait sockets
Forwarded frames should not have a socket attached. Especially
tw sockets will lead to panics later-on in the stack.
This was observed with TPROXY assigning a tw socket and broken
policy routing (misconfigured). As a result frame enters
forwarding path instead of input. We cannot solve this in
TPROXY as it cannot know that policy routing is broken.
v2:
Remove useless comment
Signed-off-by: Sebastian Poehn
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
02 May, 2015
4 commits
-
TI-Feature: rpmsg
TI-Tree: git://git.ti.com/rpmsg/rpmsg.git
TI-Branch: rpmsg-ti-linux-3.14.y
* 'rpmsg-ti-linux-3.14.y' of git://git.ti.com/rpmsg/rpmsg:
net/rpmsg: unblock reader threads operating on errored sockets
net/rpmsg: return ENOLINK upon Rx on errored sockets
Signed-off-by: Texas Instruments Auto Merger
-
Pull in fixes in the rpmsg-proto driver to unblock a thread waiting for
data on an errored socket, and return appropriate error on such errored
out Rx sockets.
* 'rpmsg-linux-3.14.y' of git://git.ti.com/rpmsg/rpmsg:
net/rpmsg: unblock reader threads operating on errored sockets
net/rpmsg: return ENOLINK upon Rx on errored sockets
Signed-off-by: Suman Anna
-
The rpmsg_proto driver is used to provide a socket interface
to userspace under the AF_RPMSG address family, and is used
by the TI IPC MessageQ stack. The typical usage for receiving
messages include a thread blocked on a select() call with
appropriate socket fds, followed by a recvfrom() on the fd
returned/marked ready by select().
The rpmsg_sock_poll() function implements the logic needed
by the select() call, and marks a socket ready only when there
is data to be read currently. Any reader thread waiting on the
select() call to return is currently not unblocked when a remote
processor goes through an error recovery, and can remain blocked
forever as its remote processor peer thread may never send it
another message. Enhance the rpmsg_proto driver so that a waiting
thread can be unblocked by waking it up during the process of
marking the open sockets with the error status RPMSG_ERROR. This
is achieved by using the socket's .sk_error_report() ops, and is
preferred over the .sk_state_change() ops to wakeup only a single
exclusive thread.
Signed-off-by: Suman Anna
-
The rpmsg_proto driver is used to provide a socket interface to
userspace under the AF_RPMSG address family, and is used by the TI
IPC MessageQ stack. The rpmsg proto driver creates a rpmsg channel
device per remote processor (a Rx socket) for each MessageQ object
through the socket's bind() call. These rpmsg channel devices are
cleaned up normally either when the userspace application closes
them or through the automatic cleanup of the file descriptors when
a process is terminated/closed. These devices can also be cleaned
up by the rpmsg_proto driver as part of the error recovery of a
remote processor, with the parent Rx sockets simply marked with
the error status RPMSG_ERROR.
This error status is not currently being returned to the userspace
in the socket's recvfrom() interface. Fix this by specifically
checking for this error status, and returning an error value of
ENOLINK back to userspace. The ENOLINK error code is used to allow
the userspace to differentiate this terminal error from other errors
on the Rx sockets and take appropriate action. This error code on
Rx sockets serves the same as the error code ESHUTDOWN used for Tx
sockets, and is chosen specifically to have a meaningful strerror
message appropriate to Rx sockets.
Signed-off-by: Suman Anna
29 Apr, 2015
7 commits
-
…nux-stable into ti-linux-3.14.y
This is the 3.14.40 stable release
* tag 'v3.14.40' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (44 commits)
Linux 3.14.40
arc: mm: Fix build failure
proc/pagemap: walk page tables under pte lock
mm: softdirty: unmapped addresses between VMAs are clean
sb_edac: avoid INTERNAL ERROR message in EDAC with unspecified channel
x86: mm: move mmap_sem unlock from mm_fault_error() to caller
ARM: 8109/1: mm: Modify pte_write and pmd_write logic for LPAE
ARM: 8108/1: mm: Introduce {pte,pmd}_isset and {pte,pmd}_isclear
vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS
vm: add VM_FAULT_SIGSEGV handling support
sched: declare pid_alive as inline
move d_rcu from overlapping d_child to overlapping d_alias
KVM: x86: SYSENTER emulation is broken
netfilter: conntrack: disable generic tracking for known protocols
mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page()
Bluetooth: Add USB device 04ca:3010 as Atheros AR3012
Bluetooth: ath3k: Add support of MCI 13d3:3408 bt device
Bluetooth: Add support for Acer [0489:e078]
Add a new PID/VID 0227/0930 for AR3012.
Bluetooth: Add support for Broadcom device of Asus Z97-DELUXE motherboard
...
Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>
-
commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
Given following iptables ruleset:
-P FORWARD DROP
-A FORWARD -m sctp --dport 9 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
One would assume that this allows SCTP on port 9 and TCP on port 80.
Unfortunately, if the SCTP conntrack module is not loaded, this allows
*all* SCTP communication, to pass through, i.e. -p sctp -j ACCEPT,
which we think is a security issue.
This is because on the first SCTP packet on port 9, we create a dummy
"generic l4" conntrack entry without any port information (since
conntrack doesn't know how to extract this information).
All subsequent packets that are unknown will then be in established
state since they will fallback to proto_generic and will match the
'generic' entry.
Our originally proposed version [1] completely disabled generic protocol
tracking, but Jozsef suggests to not track protocols for which a more
suitable helper is available, hence we now mitigate the issue for in
tree known ct protocol helpers only, so that at least NAT and direction
information will still be preserved for others.
[1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
Joint work with Daniel Borkmann.
Fixes CVE-2014-8160.
Signed-off-by: Florian Westphal
Signed-off-by: Daniel Borkmann
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Zhiqiang Zhang
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit b50edd7812852d989f2ef09dcfc729690f54a42d ]
I noticed tcpdump was giving funky timestamps for locally
generated SYNACK messages on loopback interface.
11:42:46.938990 IP 127.0.0.1.48245 > 127.0.0.2.23850: S
945476042:945476042(0) win 43690
20:28:58.502209 IP 127.0.0.2.23850 > 127.0.0.1.48245: S
3160535375:3160535375(0) ack 945476043 win 43690
This is because we need to clear skb->tstamp before
entering lower stack, otherwise net_timestamp_check()
does not set skb->tstamp.
Fixes: 7faee5c0d514 ("tcp: remove TCP_SKB_CB(skb)->when")
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 ]
We should not consult skb->sk for output decisions in xmit recursion
levels > 0 in the stack. Otherwise local socket settings could influence
the result of e.g. tunnel encapsulation process.
ipv6 does not conform with this in three places:
1) ip6_fragment: we do consult ipv6_npinfo for frag_size
2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
loop the packet back to the local socket
3) ip6_skb_dst_mtu could query the settings from the user socket and
force a wrong MTU
Furthermore:
In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
PF_PACKET socket on top of an IPv6-backed vxlan device.
Reuse xmit_recursion as we are currently only interested in protecting
tunnel devices.
Cc: Jiri Pirko
Signed-off-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 666b805150efd62f05810ff0db08f44a2370c937 ]
On processing cumulative ACKs, the FRTO code was not checking the
SACKed bit, meaning that there could be a spurious FRTO undo on a
cumulative ACK of a previously SACKed skb.
The FRTO code should only consider a cumulative ACK to indicate that
an original/unretransmitted skb is newly ACKed if the skb was not yet
SACKed.
The effect of the spurious FRTO undo would typically be to make the
connection think that all previously-sent packets were in flight when
they really weren't, leading to a stall and an RTO.
Signed-off-by: Neal Cardwell
Signed-off-by: Yuchung Cheng
Fixes: e33099f96d99c ("tcp: implement RFC5682 F-RTO")
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
A local route may have a lower hop_limit set than global routes do.
RFC 3756, Section 4.2.7, "Parameter Spoofing"
> 1. The attacker includes a Current Hop Limit of one or another small
> number which the attacker knows will cause legitimate packets to
> be dropped before they reach their destination.
> As an example, one possible approach to mitigate this threat is to
> ignore very small hop limits. The nodes could implement a
> configurable minimum hop limit, and ignore attempts to set it below
> said limit.
Signed-off-by: D.S. Ljungmark
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit d0c294c53a771ae7e84506dfbd8c18c30f078735 ]
On s390x, gcc 4.8 compiles this part of tcp_v6_early_demux()
    struct dst_entry *dst = sk->sk_rx_dst;
    if (dst)
        dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
to code reading sk->sk_rx_dst twice, once for the test and once for
the argument of ip6_dst_check() (dst_check() is inline). This allows
ip6_dst_check() to be called with null first argument, causing a crash.
Protect sk->sk_rx_dst access by ACCESS_ONCE() both in IPv4 and IPv6
TCP early demux code.
Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
Fixes: c7109986db3c ("ipv6: Early TCP socket demux")
Signed-off-by: Michal Kubecek
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
19 Apr, 2015
4 commits
-
…nux-stable into ti-linux-3.14.y
This is the 3.14.39 stable release
* tag 'v3.14.39' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (44 commits)
Linux 3.14.39
IB/mlx4: Saturate RoCE port PMA counters in case of overflow
net: llc: use correct size for sysctl timeout entries
net: rds: use correct size for max unacked packets and bytes
media: s5p-mfc: fix mmap support for 64bit arch
sh_veu: v4l2_dev wasn't set
iscsi target: fix oops when adding reject pdu
ioctx_alloc(): fix vma (and file) leak on failure
ocfs2: _really_ sync the right range
be2iscsi: Fix kernel panic when device initialization fails
cifs: fix use-after-free bug in find_writable_file
cifs: smb2_clone_range() - exit on unhandled error
n_tty: Fix read buffer overwrite when no newline
tty: serial: fsl_lpuart: clear receive flag on FIFO flush
usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers
usb: xhci: handle Config Error Change (CEC) in xhci driver
cpuidle: ACPI: do not overwrite name and description of C0
cpuidle: remove state_count field from struct cpuidle_device
can: flexcan: Deferred on Regulator return EPROBE_DEFER
x86/reboot: Add ASRock Q1900DC-ITX mainboard reboot quirk
...
Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>
-
commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
The timeout entries are sizeof(int) rather than sizeof(long), which
means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.
Signed-off-by: Sasha Levin
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
commit db27ebb111e9f69efece08e4cb6a34ff980f8896 upstream.
Max unacked packets/bytes is an int while sizeof(long) was used in the
sysctl table.
This means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.
Signed-off-by: Sasha Levin
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
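The size mismatch described in the two commits above (the llc timeout entries and the rds max unacked packets/bytes), as a user-space model; this is an added example, not code from either patch. `struct ctl_entry`, `intvec_read()`, `leaked_bytes()` and the `module_state` layout are hypothetical stand-ins, and the handler is assumed to be an integer-vector reader that emits `maxlen / sizeof(int)` values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a sysctl table entry: where the
 * value lives and how many bytes the read handler is allowed to expose. */
struct ctl_entry {
    const char *procname;
    const void *data;
    size_t      maxlen;
};

/* Constructed layout: an int tunable with unrelated data right behind it. */
struct module_state {
    int ack_timeout;   /* the only value the entry is meant to publish */
    int neighbour;     /* adjacent state that must stay private */
};

static struct module_state state = { 30, 0x5ec2e7 };

/* Address of a field inside `state`, expressed as a byte offset so that
 * reading past the field stays inside the enclosing object in this model. */
#define FIELD_ADDR(f) ((const char *)&state + offsetof(struct module_state, f))

/* Before: the entry claims sizeof(long) bytes for an int-sized field. */
static const struct ctl_entry buggy_entry = {
    "ack_timeout", FIELD_ADDR(ack_timeout), sizeof(long)
};

/* After: maxlen matches the type of the backing variable. */
static const struct ctl_entry fixed_entry = {
    "ack_timeout", FIELD_ADDR(ack_timeout), sizeof(int)
};

/* Assumed handler behaviour: emit maxlen / sizeof(int) values starting at
 * data, bounded by the caller's buffer. Returns the number of values. */
static size_t intvec_read(const struct ctl_entry *e, int *out, size_t cap)
{
    size_t n = e->maxlen / sizeof(int);
    size_t i;

    if (n > cap)
        n = cap;
    for (i = 0; i < n; i++)
        memcpy(&out[i], (const char *)e->data + i * sizeof(int), sizeof(int));
    return n;
}

/* Audit check: bytes an entry exposes beyond the variable it names. */
static size_t leaked_bytes(const struct ctl_entry *e, size_t field_size)
{
    return e->maxlen > field_size ? e->maxlen - field_size : 0;
}

int main(void)
{
    const struct ctl_entry *entries[] = { &buggy_entry, &fixed_entry };
    size_t k, i;

    for (k = 0; k < 2; k++) {
        int out[4] = { 0 };
        size_t n = intvec_read(entries[k], out, 4);

        printf("%s maxlen=%zu leaked=%zu values:", entries[k]->procname,
               entries[k]->maxlen, leaked_bytes(entries[k], sizeof(int)));
        for (i = 0; i < n; i++)
            printf(" %d", out[i]);
        printf("\n");
    }
    return 0;
}
```

On a platform where `long` is wider than `int`, the first entry returns the neighbouring value along with the tunable; comparing each table entry's `maxlen` with `sizeof` of its backing variable is the review check that catches this.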
Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
skb rather than using skb_copy_expand().
The open-coded copy does not cover the skb_shared_info::gso_segs
field, so in the new skb it is left set to 0. When this commit was
backported into stable branches between 3.10.y and 3.16.7-ckty
inclusive, it triggered the BUG() in tcp_transmit_skb().
Since Linux 3.18 the GSO segment count is kept in the
tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
tcp_skb_cb structure to the new skb, so mainline and newer stable
branches are not affected.
Set skb_shared_info::gso_segs to the correct value of 1.
Signed-off-by: Ben Hutchings
Acked-by: Eric Dumazet
Signed-off-by: Greg Kroah-Hartman
13 Apr, 2015
4 commits
-
…nux-stable into ti-linux-3.14.y
This is the 3.14.38 stable release
* tag 'v3.14.38' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (39 commits)
Linux 3.14.38
mfd: kempld-core: Fix callback return value check
net: ethernet: pcnet32: Setup the SRAM and NOUFLO on Am79C97{3, 5}
powerpc/mpc85xx: Add ranges to etsec2 nodes
powerpc/pseries: Little endian fixes for post mobility device tree update
arm64: Use the reserved TTBR0 if context switching to the init_mm
powerpc/book3s: Fix the MCE code to use CONFIG_KVM_BOOK3S_64_HANDLER
hfsplus: fix B-tree corruption after insertion at position 0
spi: trigger trace event for message-done before mesg->complete
dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME
dm: hold suspend_lock while suspending device during device deletion
dmaengine: dw: append MODULE_ALIAS for platform driver
vt6655: RFbSetPower fix missing rate RATE_12M
staging: vt6656: vnt_rf_setpower: fix missing rate RATE_12M
perf: Fix irq_work 'tail' recursion
of/irq: Fix of_irq_parse_one() returned error codes
phy: Find the right match in devm_phy_destroy()
Revert "iwlwifi: mvm: fix failure path when power_update fails in add_interface"
mac80211: drop unencrypted frames in mesh fwding
mac80211: disable u-APSD queues by default
...
Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>
-
commit d0c22119f574b851e63360c6b8660fe9593bbc3c upstream.
The mesh forwarding path was not checking that data
frames were protected when running an encrypted network;
add the necessary check.
Reported-by: Johannes Berg
Signed-off-by: Bob Copeland
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
-
commit aa75ebc275b2a91b193654a177daf900ad6703f0 upstream.
Some APs experience problems when working with
U-APSD. Decreasing the probability of that
happening by using legacy mode for all ACs but VO
isn't enough.
Cisco 4410N originally forced us to enable VO by
default only because it treated non-VO ACs as
legacy.
However some APs (notably Netgear R7000) silently
reclassify packets to different ACs. Since u-APSD
ACs require trigger frames for frame retrieval
clients would never see some frames (e.g. ARP
responses) or would fetch them accidentally after
a long time.
It makes little sense to enable u-APSD queues by
default because it needs userspace applications to
be aware of it to actually take advantage of the
possible additional powersavings. Implicitly
depending on driver autotrigger frame support
doesn't make much sense.
Signed-off-by: Michal Kazior
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
-
commit 496fcc294daab18799e190c0264863d653588d1f upstream.
As HT/VHT depend heavily on QoS/WMM, it's not a good idea to
let userspace add clients that have HT/VHT but not QoS/WMM.
Since it does so in certain cases we've observed (client is
using HT IEs but not QoS/WMM) just ignore the HT/VHT info at
this point and don't pass it down to the drivers which might
unconditionally use it.
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
02 Apr, 2015
1 commit
-
…nux-stable into ti-linux-3.14.y
This is the 3.14.37 stable release
* tag 'v3.14.37' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (175 commits)
Linux 3.14.37
target: Allow Write Exclusive non-reservation holders to READ
target: Allow AllRegistrants to re-RESERVE existing reservation
target: Avoid dropping AllRegistrants reservation during unregister
target: Fix R_HOLDER bit usage for AllRegistrants
target/pscsi: Fix NULL pointer dereference in get_device_type
iscsi-target: Avoid early conn_logout_comp for iser connections
target: Fix virtual LUN=0 target_configure_device failure OOPs
target: Fix reference leak in target_get_sess_cmd() error path
ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others
ARM: at91: pm: fix at91rm9200 standby
arm64: Honor __GFP_ZERO in dma allocations
netfilter: xt_socket: fix a stack corruption bug
netfilter: nft_compat: fix module refcount underflow
ipvs: rerouting to local clients is not needed anymore
ipvs: add missing ip_vs_pe_put in sync code
x86/vdso: Fix the build on GCC5
x86/fpu: Drop_fpu() should not assume that tsk equals current
x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig()
crypto: aesni - fix memory usage in GCM decryption
...
Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>
26 Mar, 2015
12 commits
-
commit 78296c97ca1fd3b104f12e1f1fbc06c46635990b upstream.
As soon as extract_icmp6_fields() returns, its local storage (automatic
variables) is deallocated and can be overwritten.
Let's add an additional parameter to make sure storage is valid long
enough.
While we are at it, add some const qualifiers.
Signed-off-by: Eric Dumazet
Fixes: b64c9256a9b76 ("tproxy: added IPv6 support to the socket match")
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
-
commit 520aa7414bb590f39d0d1591b06018e60cbc7cf4 upstream.
Feb 12 18:20:42 nfdev kernel: ------------[ cut here ]------------
Feb 12 18:20:42 nfdev kernel: WARNING: CPU: 4 PID: 4359 at kernel/module.c:963 module_put+0x9b/0xba()
Feb 12 18:20:42 nfdev kernel: CPU: 4 PID: 4359 Comm: ebtables-compat Tainted: G W 3.19.0-rc6+ #43
[...]
Feb 12 18:20:42 nfdev kernel: Call Trace:
Feb 12 18:20:42 nfdev kernel: [] dump_stack+0x4c/0x65
Feb 12 18:20:42 nfdev kernel: [] warn_slowpath_common+0x9c/0xb6
Feb 12 18:20:42 nfdev kernel: [] ? module_put+0x9b/0xba
Feb 12 18:20:42 nfdev kernel: [] warn_slowpath_null+0x15/0x17
Feb 12 18:20:42 nfdev kernel: [] module_put+0x9b/0xba
Feb 12 18:20:42 nfdev kernel: [] nft_match_destroy+0x45/0x4c
Feb 12 18:20:42 nfdev kernel: [] nf_tables_rule_destroy+0x28/0x70
Reported-by: Arturo Borrero Gonzalez
Signed-off-by: Pablo Neira Ayuso
Tested-by: Arturo Borrero Gonzalez
Signed-off-by: Greg Kroah-Hartman
-
commit 579eb62ac35845686a7c4286c0a820b4eb1f96aa upstream.
commit f5a41847acc5 ("ipvs: move ip_route_me_harder for ICMP")
from 2.6.37 introduced ip_route_me_harder() call for responses to
local clients, so that we can provide valid rt_src after SNAT.
It was used by TCP to provide valid daddr for ip_send_reply().
After commit 0a5ebb8000c5 ("ipv4: Pass explicit daddr arg to
ip_send_reply()." from 3.0 this rerouting is not needed anymore
and should be avoided, especially in LOCAL_IN.
Fixes 3.12.33 crash in xfrm reported by Florian Wiessner:
"3.12.33 - BUG xfrm_selector_match+0x25/0x2f6"
Reported-by: Smart Weblications GmbH - Florian Wiessner
Tested-by: Smart Weblications GmbH - Florian Wiessner
Signed-off-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Greg Kroah-Hartman
-
commit 528c943f3bb919aef75ab2fff4f00176f09a4019 upstream.
ip_vs_conn_fill_param_sync() gets in param.pe a module
reference for persistence engine from __ip_vs_pe_getbyname()
but forgets to put it. Problem occurs in backup for
sync protocol v1 (2.6.39).
Also, pe_data usually comes in sync messages for
connection templates and ip_vs_conn_new() copies
the pointer only in this case. Make sure pe_data
is not leaked if it comes unexpectedly for normal
connections. Leak can happen only if bogus messages
are sent to backup server.
Fixes: fe5e7a1efb66 ("IPVS: Backup, Adding Version 1 receive capability")
Signed-off-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Greg Kroah-Hartman
-
commit 969439016d2cf61fef53a973d7e6d2061c3793b1 upstream.
When accessing CAN network interfaces with AF_PACKET sockets e.g. by dhclient
this can lead to a skb_under_panic due to missing skb initialisations.
Add the missing initialisations at the CAN skbuff creation times on driver
level (rx path) and in the network layer (tx path).
Reported-by: Austin Schuh
Reported-by: Daniel Steer
Signed-off-by: Oliver Hartkopp
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 355a901e6cf1b2b763ec85caa2a9f04fbcc4ab4a ]
While working on sk_forward_alloc problems reported by Denys
Fedoryshchenko, we found that tcp connect() (and fastopen) do not call
sk_wmem_schedule() for SYN packet (and/or SYN/DATA packet), so
sk_forward_alloc is negative while connect is in progress.
We can fix this by calling regular sk_stream_alloc_skb() both for the
SYN packet (in tcp_connect()) and the syn_data packet in
tcp_send_syn_data()
Then, tcp_send_syn_data() can avoid copying syn_data as we simply
can manipulate syn_data->cb[] to remove SYN flag (and increment seq)
Instead of open coding memcpy_fromiovecend(), simply use this helper.
This leaves in socket write queue clean fast clone skbs.
This was tested against our fastopen packetdrill tests.
Reported-by: Denys Fedoryshchenko
Signed-off-by: Eric Dumazet
Acked-by: Yuchung Cheng
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 91edd096e224941131f896b86838b1e59553696a ]
Commit db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an
error) introduced the clamping of msg_namelen when the unsigned value
was larger than sizeof(struct sockaddr_storage). This caused a
msg_namelen of -1 to be valid. The native code was subsequently fixed by
commit dbb490b96584 (net: socket: error on a negative msg_namelen).
In addition, the native code sets msg_namelen to 0 when msg_name is
NULL. This was done in commit (6a2a2b3ae075 net:socket: set msg_namelen
to 0 if msg_name is passed as NULL in msghdr struct from userland) and
subsequently updated by 08adb7dabd48 (fold verify_iovec() into
copy_msghdr_from_user()).
This patch brings the get_compat_msghdr() in line with
copy_msghdr_from_user().
Fixes: db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error)
Cc: David S. Miller
Cc: Dan Carpenter
Signed-off-by: Catalin Marinas
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit d22e1537181188e5dc8cbc51451832625035bdc2 ]
tcp_send_fin() does not account for the memory it allocates properly, so
sk_forward_alloc can be negative in cases where we've sent a FIN:
ss example output (ss -amn | grep -B1 f4294):
tcp FIN-WAIT-1 0 1 192.168.0.1:45520 192.0.2.1:8080
skmem:(r0,rb87380,t0,tb87380,f4294966016,w1280,o0,bl0)
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 73ba57bfae4a1914f6a6dac71e3168dd900e00af ]
for throw routes to trigger evaluation of other policy rules
EAGAIN needs to be propagated up to fib_rules_lookup
similar to how it's done for IPv4
A simple testcase for verification is:
ip -6 rule add lookup 33333 priority 33333
ip -6 route add throw 2001:db8::1
ip -6 route add 2001:db8::1 via fe80::1 dev wlan0 table 33333
ip route get 2001:db8::1
Signed-off-by: Steven Barth
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 7d985ed1dca5c90535d67ce92ef6ca520302340a ]
[I would really like an ACK on that one from dhowells; it appears to be
quite straightforward, but...]
MSG_PEEK isn't passed to ->recvmsg() via msg->msg_flags; as the matter of
fact, neither the kernel users of rxrpc, nor the syscalls ever set that bit
in there. It gets passed via flags; in fact, another such check in the same
function is done correctly - as flags & MSG_PEEK.
It had been that way (effectively disabled) for 8 years, though, so the patch
needs beating up - that case had never been tested. If it is correct, it's
-stable fodder.
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 3eeff778e00c956875c70b145c52638c313dfb23 ]
It should be checking flags, not msg->msg_flags. It's ->sendmsg()
instances that need to look for that in ->msg_flags, ->recvmsg() ones
(including the other ->recvmsg() instance in that file, as well as
unix_dgram_recvmsg() this one claims to be imitating) check in flags.
Braino had been introduced in commit dcda13 ("caif: Bugfix - use MSG_TRUNC
in receive") back in 2010, so it goes quite a while back.
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit c8e2c80d7ec00d020320f905822bf49c5ad85250 ]
inet_diag_dump_one_icsk() allocates too small skb.
Add inet_sk_attr_size() helper right before inet_sk_diag_fill()
so that it can be updated if/when new attributes are added.
iproute2/ss currently does not use this dump_one() interface,
this might explain nobody noticed this problem yet.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman