Consider the following program, that sets the second argument to the
sendto() syscall incorrectly:
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main(void)
{
int fd;
struct sockaddr_in sa;
fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
if (fd < 0)
return 1;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("127.0.0.1");
sa.sin_port = htons(11111);
sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
return 0;
}
We get -ENOMEM:
$ strace -e sendto ./demo
sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)
Propagate the error code from sctp_user_addto_chunk(), so that we will
tell user space what actually went wrong:
$ strace -e sendto ./demo
sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)
Noticed while running Trinity (the syscall fuzzer).
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing invalid
user space pointer in the second argument:
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main(void)
{
int fd;
struct sockaddr_in sa;
fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
if (fd < 0)
return 1;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("127.0.0.1");
sa.sin_port = htons(11111);
sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
return 0;
}
As far as I can tell, the leak has been around since ~2003.
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Name of pimreg devices are built from following format :
char name[IFNAMSIZ]; // IFNAMSIZ == 16
sprintf(name, "pimreg%u", mrt->id);
We must therefore limit mrt->id to 9 decimal digits
or risk a buffer overflow and a crash.
Restrict table identifiers in [0 ... 999999999] interval.
Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
inet_getpeer_v4() can return NULL under OOM conditions, and while
inet_peer_xrlim_allow() is OK with a NULL peer, inet_putpeer() will
crash.
This code path now uses the same idiom as the others from:
1d861aa4b3 ("inet: Minimize use of
cached route inetpeer.").
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Set in the rx_ifindex to pass the correct interface index in the case of a
message timeout detection. Usually the rx_ifindex value is set at receive
time. But when no CAN frame has been received the RX_TIMEOUT notification
did not contain a valid value.
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: Andre Naujoks <nautsch2@googlemail.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
The skb->tstamp is set to the hardware timestamp when available in the USB
urb message. This leads to user visible timestamps which contain the 'uptime'
of the USB adapter - and not the usual system generated timestamp.
Fix this wrong assignment by applying the available hardware timestamp to the
skb_shared_hwtstamps data structure - which is intended for this purpose.
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Only a single commit for fixing the build error without CONFIG_PM
in hda driver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAABAgAGBQJQsKlqAAoJEGwxgFQ9KSmkfrkP/2AyNsDhnZ4k8UjS1chXOCvF
pq3xXJhCKb4pp2o+sPQfwhsFvpNC8R/E5ngoQ6MZcq5kuKWCsagtPjif6AKuBE9r
LW/GJnh+ll4bjhPe0U1PPtzm1lhboy3s8bmDfjoPBpzPNNpb2TuxK0eaWm9adLAa
G6oLPURnbajQDhnU+xcsdnx0YdydXthmKkiwDx+nbPT21EgKgsjJwfS9Lo4xeS7z
73Na+OuobpER8OsbAW/TMGgV879/TCL6yQovSqf7NGzjaI+9W4iQNyH3WX3fhFrD
MsHTT/ztKwg1JO/jKCkW0ZgrY6GkJmHyqeszP4KMZp56dKVphBv0XKTHzLHp8Rgb
QoqdzPglbWFTHxLW3qkoXm9b5/rlRjQcXgPVzz+zysjy+YHkA3lhJh3z/UcFRPe3
Pg0YB3ShK9Pn2yQRlMY8dEEdlachBdqygVw1RxOkCUIS8Erosc7FWk50j00CUwQL
GAsM3k48agfe97ZiZnXvh3pouYzbBFa4L5Jx2WEoHNfPMtUqDgXrvi+kkz4KH8eK
/KrMhC2QN5ARRFIzd0dTkKuWaxHKLEG16SBWXCzHM17i2+PlMVLpuY9nZurYEp69
cl5hKUR0MVpXKcZyaqcm811X4FJ0fY1YbkHE4cQzARitXDvt+YaGWAvxYZDccNYj
zDhUbXj6RV9ugnFAt5Px
=9jnO
-----END PGP SIGNATURE-----
Merge tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound build error fix from Takashi Iwai:
"Only a single commit for fixing the build error without CONFIG_PM in
hda driver."
* tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda - Fix build without CONFIG_PM
I forgot this again... codec->in_pm is in #ifdef CONFIG_PM
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Pull x86 arch fixes from Peter Anvin:
"Here is a collection of fixes for 3.7-rc7. This is a superset of
tglx' earlier pull request."
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86-64: Fix ordering of CFI directives and recent ASM_CLAC additions
x86, microcode, AMD: Add support for family 16h processors
x86-32: Export kernel_stack_pointer() for modules
x86-32: Fix invalid stack address while in softirq
x86, efi: Fix processor-specific memcpy() build error
x86: remove dummy long from EFI stub
x86, mm: Correct vmflag test for checking VM_HUGETLB
x86, amd: Disable way access filter on Piledriver CPUs
x86/mce: Do not change worker's running cpu in cmci_rediscover().
x86/ce4100: Fix PCI configuration register access for devices without interrupts
x86/ce4100: Fix reboot by forcing the reboot method to be KBD
x86/ce4100: Fix pm_poweroff
MAINTAINERS: Update email address for Robert Richter
x86, microcode_amd: Change email addresses, MAINTAINERS entry
MAINTAINERS: Change Boris' email address
EDAC: Change Boris' email address
x86, AMD: Change Boris' email address
NAND chip detection, introduced by some rework which went into 3.7. The
initial fix wasn't quite complete, so it's in two parts. In fact the
first part is committed twice (Artem committed his own copy of the same
patch) and I've merged Artem's tree into mine which already had that fix.
I'd have recommitted that to make it somewhat cleaner, but figured by
this point in the release cycle it was better to merge *exactly* the
commits which have been in linux-next.
If I'd recommitted, I'd also omit the sparse warning fix. But it's there,
and it's harmless — just marking one function as 'static' in onenand code.
This also includes a couple more fixes for stable: an AB-BA deadlock in
JFFS2, and an invalid range check in slram.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEABECAAYFAlCwEIsACgkQdwG7hYl686NfZgCfSYFA2q8yp7jEMdDaxpFPuuDm
FFMAoI3V27BpWxRab6GylYh8erHp9ful
=Wo+T
-----END PGP SIGNATURE-----
Merge tag 'for-linus-20121123' of git://git.infradead.org/mtd-2.6
Pull MTD fixes from David Woodhouse:
"The most important part of this is that it fixes a regression in
Samsung NAND chip detection, introduced by some rework which went into
3.7. The initial fix wasn't quite complete, so it's in two parts. In
fact the first part is committed twice (Artem committed his own copy
of the same patch) and I've merged Artem's tree into mine which
already had that fix.
I'd have recommitted that to make it somewhat cleaner, but figured by
this point in the release cycle it was better to merge *exactly* the
commits which have been in linux-next.
If I'd recommitted, I'd also omit the sparse warning fix. But it's
there, and it's harmless — just marking one function as 'static' in
onenand code.
This also includes a couple more fixes for stable: an AB-BA deadlock
in JFFS2, and an invalid range check in slram."
* tag 'for-linus-20121123' of git://git.infradead.org/mtd-2.6:
mtd: nand: fix Samsung SLC detection regression
mtd: nand: fix Samsung SLC NAND identification regression
jffs2: Fix lock acquisition order bug in jffs2_write_begin
mtd: onenand: Make flexonenand_set_boundary static
mtd: slram: invalid checking of absolute end address
mtd: ofpart: Fix incorrect NULL check in parse_ofoldpart_partitions()
mtd: nand: fix Samsung SLC NAND identification regression
Simple build regression fix for DT device drivers on Sparc. An earlier
change had masked out the of_iomap() helper on SPARC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJQr/PiAAoJEEFnBt12D9kB5vsP/RpNnzUAE/tORTGqu/gHpMf/
doi88Y7+on68ZrQeHrtGhVQBvBrZiAohlP9z62qYkSThBb1m63k3HRvX4/Ygk8Qd
AID6TvtPTbsivaRh4l5cbROmKW7j22XUBUGDBO4mczbtxhTrvc58+51CPrBBH0GO
NGv+sBgaKO97dfflgnUtgFftZ9XYDtiSpL64fQ2dvAMoz9tHhOtYt9YS2egDHV49
wN8g8VjK7pZpuX7mRB3cCHujqEka59iFhitAzisqbr+3q4Hl6YSNAEhaNPRkuyRa
Jn5JLV1gKi5g3j3wh9P2y8ZiDhjUidBD8kk13mPTdDJCNo7PV89zB678+9U6n74N
5l2ZSzjO6ylWteag9pJJsfMQbybtsD8od2fOg+qa9KIl+cYtJV9NNg1WhBTnYDmG
iiOqZW0UyIn3YuAXSDP5T1PuiBtHHlFJwmZFNYMEMRf6tbQOs1MvNw9JYokZgO8f
j09M28yO2YafoTppBcyyYWUyLEl7iKV9lS2JaZA7OLNAlA58dmxB9Ge9RiTB4pbD
Z665edAnzWMZS320Mg5oyLJv33u7GyuVC1jm10O1ZNonhlUkUzSOnxpOMhnObJYN
Bfhl7MFFNqyUFu+1R6DACxeEU3Rk+CEMeOrSVvwS6bfVvWib+BFmZz/sS2YzOZyv
Rk14JvH91UBhXfThqnQ0
=yKFc
-----END PGP SIGNATURE-----
Merge tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux-2.6
Pull device tree regression fix from Grant Likely:
"Simple build regression fix for DT device drivers on Sparc. An
earlier change had masked out the of_iomap() helper on SPARC."
* tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux-2.6:
of/address: sparc: Declare of_iomap as an extern function for sparc again
Fix for an incorrect error condition check in device PM QoS code
that may lead to an Oops from Guennadi Liakhovetski.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAABAgAGBQJQr+LlAAoJEKhOf7ml8uNsXkYP/1pUcPa51Afn0qR68EjEZj9e
H+XVD+TCPsrtscK35ylQNxJ/jLB+syP5poaFKGo8vcDAEETuBwBNgJFl+71wR2a9
r4JMkM6QfISfBAwoO2FAdrtxiAFnsKFL0GYMsmOMwb+DkUym3qGcjcu2mon2AObN
fa8NuJ2IAcPX7kfbIyhc2En3eGjY9P/aB6UiEn3cORWmQvRxiKz4zP8tzsU++Iuf
jjxEDqCmyflmLSuEMLdMBOhHGPSgnAfJ36/qQFCnWUAtFxB/TFxGl+YEmaZrydoG
cPvL/sZybRbBNjsVxc5kEoOC84GaJ0a2e3EyM9ZlbzPqNVaEThQ/Vtk0tjsOq9Lf
OBQ7BYJE9DKv2PNiwzFjlt4uJWDmhavsb20Loc/61nX9wit1k55xI7ube1nTdHhH
3w/bbhNSYem1addzYbDdTYMj8Kj6m09/eJP1wwTuXC02hnVY7uihvdKBk4hcIBTa
+qFkptldEEBwH3bLKkOwng2NM87kG4Wsdxvym58Gklw+drpJx1OtAQnlhTRtAsbP
f4LKepIL4xrgkZNge5k4ZK++pK9LpBt3Gc03rh9uW8PVBnilw5cKk3/7cflkZjzT
YERuMLvddBJbLpPucF7yC8kfpciweYRP1qbtRSS1Hs6vL//fxmlILECIWj1nclW6
jlMOMAP6vowiZ+4mQt3A
=uXpU
-----END PGP SIGNATURE-----
Merge tag 'pm-for-3.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management update from Rafael Wysocki:
"Fix for an incorrect error condition check in device PM QoS code that
may lead to an Oops from Guennadi Liakhovetski."
* tag 'pm-for-3.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
PM / QoS: fix wrong error-checking condition
- raid5 discard has problems
- raid10 replacement devices have problems
- bad block lock seqlock usage has problems
- dm-raid doesn't free everything
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIVAwUAUK/PfTnsnt1WYoG5AQJlFBAAry6TrfIEed7Sz1BwY0w1Ofd5ZFt6DCN3
CXc6yi7LQhaMAUYsMcF07BFfuphal0St68vwckFkd1jPShUgruetzsUPLdS1+cql
AKOQZmJegN+yvpf+N6PxER8z0Ju8M0RNVCvgRZB166ujmoEHGf7A564Hby+FINpZ
zk1d5eVtcRL05oV0NbeLaX8bNp42nNx2wwvFtM6NEVF4vwbzGzXkC9ePQ6oERJvQ
Oqsu6F+TzqztIPYk/fbl1Yr/FPVAWXi4dR7KNxs/jHFcnWPi9vKcjjh1jrq46rNy
xQY+y0xW6FlN0uApIKT6NC3UWutgwOGUqRdCRc4LJ1nT6aHVIn5OCIsipgRrlV0O
da5pM+rgIMJK3kyT6NjhtuWuQZE4P4OSOmnq5q81VT9XOKADVsFOfibtrIr8cxYS
c/8mNJVfd+cU58XNKGIEt886DsN+uzWiY8U8HZVckfeVxrBTIPas4ERXlurx+G1D
jhXqK8TuEfi6ILNdBlWPphAr2ytFqWWpQIGXgYGHEIJp5WaUHoEoEblznl1MiRlZ
+tYIYy0SRkcZuxs6nUNF8Or5vFidjvaIFJPjIJwSIhwgzkaV+YFad4GfI7/WgWaq
7VU12MG7UlXLlaGN1Yadvh3jAk7L45DPzWUa/Zgvvtrvvdp3JU7VQhD8d6oc/kxD
3IOrUdAXWxU=
=fznK
-----END PGP SIGNATURE-----
Merge tag 'md-3.7-fixes' of git://neil.brown.name/md
Pull md fixes from NeilBrown:
"Several bug fixes for md in 3.7:
- raid5 discard has problems
- raid10 replacement devices have problems
- bad block lock seqlock usage has problems
- dm-raid doesn't free everything"
* tag 'md-3.7-fixes' of git://neil.brown.name/md:
md/raid10: decrement correct pending counter when writing to replacement.
md/raid10: close race that lose writes lost when replacement completes.
md/raid5: Make sure we clear R5_Discard when discard is finished.
md/raid5: move resolving of reconstruct_state earlier in stripe_handle.
md/raid5: round discard alignment up to power of 2.
md: make sure everything is freed when dm-raid stops an array.
md: Avoid write invalid address if read_seqretry returned true.
md: Reassigned the parameters if read_seqretry returned true in func md_is_badblock.
Pull block layer fixes from Jens Axboe:
"Distilled down version of bug fixes for 3.7. The patches have been
well tested. If you notice that commit dates are from today, it's
because I pulled less important bits out and shuffled them into the
3.8 mix. Apart from that, no changes, base still the same.
It contains:
- Fix for aoe, don't run request_fn while it's plugged.
- Fix for a regression in floppy since 3.6, which causes problems if
no floppy is found.
- Stable fix for blk_exec(), don't touch a request after it has been
sent to the scheduler (and the device as well).
- Five fixes for various nasties in mtip32xx."
* 'for-linus' of git://git.kernel.dk/linux-block:
block: Don't access request after it might be freed
mtip32xx: Fix padding issue
aoe: avoid running request handler on plugged queue
mtip32xx: fix potential NULL pointer dereference in mtip_timeout_function()
mtip32xx: fix shift larger than type warning
mtip32xx: Fix incorrect mask used for erase mode
mtip32xx: Fix to make lba address correct in big-endian systems
mtip32xx: fix potential crash on SEC_ERASE_UNIT
dm: fix deadlock with request based dm and queue request_fn recursion
floppy: destroy floppy workqueue before cleaning up the queue
This bug-fix makes sure that of_iomap is defined extern for sparc so that the
sparc-specific implementation of_iomap is once again used when including
include/linux/of_address.h in a sparc context. OF_GPIO that is now available for
sparc relies on this.
The bug was inadvertently introduced in a850a75, "of/address: add empty static
inlines for !CONFIG_OF", that added a static dummy inline for of_iomap when
!CONFIG_OF_ADDRESS. However, CONFIG_OF_ADDRESS is never defined for sparc, but
there is a sparc-specific implementation /arch/sparc/kernel/of_device_common.c.
This fix takes the same approach as 0bce04b that solved the equivalent problem
for of_address_to_resource.
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJQr1wOAAoJEPo9qoy8lh71lhgP/iJhDRXhyBQ113ebm8BeGSYY
prYrUzNFbz2qb9q8LeQejgMSNSnFgj9vvdwox/bwvbloDUSrFSEcSvHzL1blaufD
GXMqdRxHYOs6k1Yiltf7jchSEeX20PCWRBcSlket8jDY1kzy3siOVlpc9O/53Hj9
hnCGhwO0D53tgeUnCm4B6VtqmspjoX4eJO6AL9WRlCm/vTre4bk43/hfUNusP5uw
7cplGxpOQMKLOQuMIIuOBsVVXMQFkVO7FK48keGrxhwWaQZMJUKf4up73625eBTn
81WhexRPmJ8+kXFY+/qRrKy02j61xfOeJJD/Eh7J6u+FeMoqe9LyxtVzxUeOrLr8
iV/VWyQnppBiVAc865QQLVyPBHi9OGOPkzGBcWvy/4jv8uxvmG3hiIAxHlTwGrjK
1deLjbj/smDlgvQ5j9T43+NABiIzUQoNVgRm2iWDh12KGKORwlaBb2hU7r0BLV+D
/q2BJFPIAkafdQ47eWMPkNvhpMOeOJx6MXv0kQ7kAgq9CcHt1sQpzYZFzZa+CeYZ
Iq+oLj+ByLj3KbKMmSzJtYW+JLGeguSGgiegRW9s/BESxj0cNjPNLHtNMcrklpjk
sMrCd04dNlFMJUabKr380l9yVnCRX+tNGc8wYTPRRe7iz8G1Ps9Y9cu7py2xQ5/N
GIt8UIGa0PeY8R04N/YV
=1jPB
-----END PGP SIGNATURE-----
Merge tag 'omapdss-for-3.7-rc' of git://gitorious.org/linux-omap-dss2/linux
Pull omapdss fixes from Tomi Valkeinen:
"Here are a few OMAPDSS fixes for the next -rc. I'm sending these
directly to you, and quite late, as the fbdev tree maintainer
(Florian) has been busy with his work and hasn't had time to manage
the fb patches."
* tag 'omapdss-for-3.7-rc' of git://gitorious.org/linux-omap-dss2/linux:
OMAPDSS: do not fail if dpll4_m4_ck is missing
OMAPFB: Fix possible null pointer dereferencing
OMAPDSS: HDMI: fix missing unlock on error in hdmi_dump_regs()
omapdss: dss: Fix clocks on OMAP363x
OMAPDSS: DSI: fix dsi_get_dsidev_from_id()
Pull i2c fixes from Wolfram Sang:
"Bugfixes for the i2c subsystem.
Except for a few one-liners, there is mainly one revert because of an
overlooked dependency. Since there is no linux-next at the moment, I
did some extra testing, and all was fine for me."
* 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux:
i2c: mxs: Handle i2c DMA failure properly
i2c: s3c2410: Fix code to free gpios
i2c: omap: ensure writes to dev->buf_len are ordered
Revert "ARM: OMAP: convert I2C driver to PM QoS for MPU latency constraints"
i2c: at91: fix SMBus quick command
The highlight of this update is the fixes for ASoC kirkwood by Russell.
In addition to that, a couple of regression fixes for HD-audio due to
the runtime PM support on 3.7, and other driver-specific regression
fixes like USB MIDI on non-standard USB audio drivers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAABAgAGBQJQrzbsAAoJEGwxgFQ9KSmk8ZUP+QEw/yuIThjnkpQyLOVOBOnR
r/skbaKiZ9CcPRLmRyCWL+16BnXIVi4mATlUzCUtR6ftiQ9wG0FhbeZbyZi856PO
FDA2TAbrdSUTxixgC0G0N0MpxD33qyYUFUZ9Yz9StpRoIplkDtvCPfRAkir8AGNI
p5/mDOTtN8c5lZt4HZFUDs3GgnFMtLGcV13dECM4Spq1HXimdfQcOlQR5NuM9ZaS
BbAG7nf+7SWLmFdmfMxgy+SZXcnEZXkOK5oi3tzJ/LctZSXKWoaFsu9nkd20a4BK
fG4pNbD8Tct/Z4I8vnc8EScqNyhtFp52F4qmZL+xK8cj2xU1XbhTJafDbnR2ZRlv
rIdVaE4PkfMBz21Nhzq54ue3M4GOqOljvRTtNIxi/9rEyyK1+1GJnWk2Bc3tDiZ6
zOK+24us4NKT4YL6m/Y199Ax1t2TlvHzd7bvakbHrtS9j+E4enO8maLVrnt6a7U+
c9coVL9/zK98lxPny5CsjUkZarTARw3gCuddJ+NdFqkS0obLosnAgc3fu/0XVAM2
ybN7OPEPsW4LVeaa+T93ZtNvUOc7/h+CY5FXi33U24CzPoK9jG8sGTbRqInXShgn
uDUP2wO3bKBTKwtMX6JpDrSgTX4RkKHN6USLpgUuDTZKzcr/jyxJ/vsN20CT3zIZ
K3nDzmvbLuhGS4i0Adwu
=wOVN
-----END PGP SIGNATURE-----
Merge tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"The highlight of this update is the fixes for ASoC kirkwood by
Russell. In addition to that, a couple of regression fixes for
HD-audio due to the runtime PM support on 3.7, and other driver-
specific regression fixes like USB MIDI on non-standard USB audio
drivers."
* tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: snd-usb: properly initialize the sync endpoint
ALSA: hda - Cirrus: Correctly clear line_out_pins when moving to speaker
ALSA: hda - Add support for Realtek ALC292
ASoC: kirkwood-i2s: more pause-mode fixes
ASoC: kirkwood-i2s: fix DMA underruns
ASoC: kirkwood-i2s: fix DCO lock detection
ASoC: kirkwood-dma: don't ignore other irq causes on error
ASoC: kirkwood-dma: fix use of virt_to_phys()
ALSA: hda - Limit runtime PM support only to known Intel chips
ALSA: hda - Fix recursive suspend/resume call
ALSA: ua101, usx2y: fix broken MIDI output
ASoC: arizona: Fix typo - Swap value in 48k_rates[] and 44k1_rates[]
ASoC: bells: Fix up git patch application failure
ASoC: cs4271: free allocated GPIO
Pull networkign fixes from David Miller:
"Networking bug fixes, Cacio e Pepe edition:
1) BNX2X accidently accesses chip rev specific registers without an
appropriate guard, fix from Ariel Elior.
2) When we removed the routing cache, we set ip_rt_max_size to ~0 just
to keep reporting a value to userspace via sysfs. But the ipv4
IPSEC layer was using this to tune itself which is completely bogus
to now do. Fix from Steffen Klassert.
3) Missing initialization in netfilter ipset code from Jozsef
Kadlecsik.
4) Check CTA_TIMEOUT_NAME length properly in netfilter cttimeout code,
fix from Florian Westphal.
5) After removing the routing cache, we inadvertantly are caching
multicast routes that end up looping back locally, we cannot do
that legitimately any more. Fix from Julian Anastasov.
6) Revert a race fix for 8139cp qemu/kvm that doesn't actually work
properly on real hardware. From Francois Romieu.
7) Fixup errors in example command lines in VXLAN device docs."
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
bnx2x: remove redundant warning log
vxlan: fix command usage in its doc
8139cp: revert "set ring address before enabling receiver"
ipv4: do not cache looped multicasts
netfilter: cttimeout: fix buffer overflow
netfilter: ipset: Fix range bug in hash:ip,port,net
xfrm: Fix the gc threshold value for ipv4
Pull sparc fix from David Miller:
"Bug fix from Al Viro"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc64: not any error from do_sigaltstack() should fail rt_sigreturn()
I missed one pull request from Samsung with one fix in the previous
batch. Here it is -- a dma driver fix for an early version of silicon
that they still support.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJQryb2AAoJEIwa5zzehBx376QP/0dN0vu+OAqmE74nl6/1wgoe
f2bS2G7rv3RL6Grr6M8sJyex0+BXU3bRa9jvHvlNZksgKWZh3QZpe0BfePVY0noP
0CDYjGxmnSFjo71vDnz2IrkrRVeFYcrnTENzzX3W9ym0yNkAM4Qf9XADHmFMk9uJ
B0v5+I5DV4J72L3ZEIcGv7xzuoMLFNXGTxLizsId7CzlAqqp1zUgAjDWFbRnkY1x
MnwqRBSAYijNNw5ddPZxz6LDDzUFyrUuCosF9Y4C2wngaCUXNVpo4N0hZxsVSBNO
dIiAYI1ARWWc8B8qN6UOapMUrwKK+vJ5BsNwJX+mwpSIQjo0tX86PuIDkMqngvOK
0/R1bnvyBeSKOvnYcW4oXAl+JHusEXKl1yYIUtoXCv7w2anR774Ocb+ctFTJFtfj
KsPSJUMo05U/AY2F/4b7k2SWy52SgZ4/ZlRXp16IJKZv7y2qr/R9eEZeNZuovK/y
j2iNbRY/ZXAuAf8vm25mL0RpxdBtKGCRGYiB37uYWrNtrkUjPlWldVqte0grX29I
B+igzsptf8oi3/rBHov2drx/vcQsWHmJOpt+mKdrAK/trrmylsmklxTxmWIamz7f
+1ILpLqnm1fxwHgIPWboV4DEX/oXpsRXZdcIn6cOa6t9pmldt31RvfKMtA8mCX85
01+SsGhNJxlEAotW49qv
=bSmr
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull one more ARM SoC fix from Olof Johansson:
"I missed one pull request from Samsung with one fix in the previous
batch. Here it is -- a dma driver fix for an early version of silicon
that they still support."
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM: EXYNOS: PL330 MDMA1 fix for revision 0 of Exynos4210 SOC
dev_pm_qos_add_request() can return 0, 1, or a negative error code,
therefore the correct error test is "if (error < 0)." Checking just for
non-zero return code leads to erroneous setting of the req->dev pointer
to NULL, which then leads to a repeated call to
dev_pm_qos_add_ancestor_request() in st1232_ts_irq_handler(). This in turn
leads to an Oops, when the I2C host adapter is unloaded and reloaded again
because of the inconsistent state of its QoS request list.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
fix bug where a register which was only meant to be read in 578xx/57712
devices causes a bogus error message to be logged when read from other
devices.
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Some commands don't work in its example doc. The patch will fix it.
Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch reverts b01af4579e.
The original patch was tested with emulated hardware. Real
hardware chokes.
Fixes https://bugzilla.kernel.org/show_bug.cgi?id=47041
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Acked-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
After we've done __elv_add_request() and __blk_run_queue() in
blk_execute_rq_nowait(), the request might finish and be freed
immediately. Therefore checking if the type is REQ_TYPE_PM_RESUME
isn't safe afterwards, because if it isn't, rq might be gone.
Instead, check beforehand and stash the result in a temporary.
This fixes crashes in blk_execute_rq_nowait() I get occasionally when
running with lots of memory debugging options enabled -- I think this
race is usually harmless because the window for rq to be reallocated
is so small.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Hi Jens,
Another tiny patch.
Removed __packed before the struct smart_attr and added __packed at end of
the structure to fix padding issue.
Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Calling the request handler directly on a plugged queue defeats
the performance improvements provided by the plugging mechanism.
Use the __blk_run_queue function instead of calling the request
handler directly, so that we don't interfere with the block
layer's ability to plug the queue.
Signed-off-by: Ed Cashin <ecashin@coraid.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
The dereference to port should be moved below the NULL test.
dpatch engine is used to auto generate this patch.
(https://github.com/weiyj/dpatch)
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
If we're building a 32-bit kernel and CONFIG_LBADF isn't set,
sector_t is 32-bits wide. The shifts by 32 and 40 are thus
larger than we support.
Cast the sector offset to a u64 to avoid these warnings.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Previous commit use value 3 for erasemode mask.
Changing the mask to correct value to 2
Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Earlier lba address was assigned directly to lba_low and lba_low_ex,
which would result in a different number (bytes reversed) in
big-endian systems. Now assigning lba address byte-by-byte to fis.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
The mtip driver lifted this code from elsewhere and then added a special
handling check for SEC_ERASE_UNIT. If the caller tries to do a security
erase but passes no output data for the command then outbuf is not
allocated and the driver duly explodes.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Request based dm attempts to re-run the request queue off the
request completion path. If used with a driver that potentially does
end_io from its request_fn, we could deadlock trying to recurse
back into request dispatch. Fix this by punting the request queue
run to kblockd.
Tested to fix a quickly reproducible deadlock in such a scenario.
Cc: stable@kernel.org
Acked-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Pull input updates from Dmitry Torokhov:
"This fixes recent regression where /dev/input/mice got assigned wrong
device node which messed up setups with static /dev, and a regression
in ads7846 GPIO debounce setup."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
ARM - OMAP: ads7846: fix pendown debounce setting
Input: ads7846 - enable pendown GPIO debounce time setting
Input: mousedev - move /dev/input/mice to the correct minor
Input: MT - document new 'flags' argument of input_mt_init_slots()
From Kukjin Kim:
Here is Samsung fixes for v3.7 and it is for fixing of mdma1 address
for exynos4210 rev0 SoC.
* 'v3.7-samsung-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
ARM: EXYNOS: PL330 MDMA1 fix for revision 0 of Exynos4210 SOC
Signed-off-by: Olof Johansson <olof@lixom.net>
Properly terminate the DMA transfer in case the DMA PIO transfer
or setup fails for any reason.
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Starting from 3.6 we cache output routes for
multicasts only when using route to 224/4. For local receivers
we can set RTCF_LOCAL flag depending on the membership but
in such case we use maddr and saddr which are not caching
keys as before. Additionally, we can not use same place to
cache routes that differ in RTCF_LOCAL flag value.
Fix it by caching only RTCF_MULTICAST entries
without RTCF_LOCAL (send-only, no loopback). As a side effect,
we avoid unneeded lookup for fnhe when not caching because
multicasts are not redirected and they do not learn PMTU.
Thanks to Maxime Bizon for showing the caching
problems in __mkroute_output for 3.6 kernels: different
RTCF_LOCAL flag in cache can lead to wrong ip_mc_output or
ip_output call and the visible problem is that traffic can
not reach local receivers via loopback.
Reported-by: Maxime Bizon <mbizon@freebox.fr>
Tested-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso says:
====================
The following patchset contains two Netfilter fixes:
* Fix buffer overflow in the name of the timeout policy object
in the cttimeout infrastructure, from Florian Westphal.
* Fix a bug in the hash set in case that IP ranges are
specified, from Jozsef Kadlecsik.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert says:
====================
This pull request is intended for 3.7 and contains a single patch to
fix the IPsec gc threshold value for ipv4.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Jeffrey Barish reported an obvious bug in the pcm part of the usb-audio
driver which causes the code to not initialize the sync endpoint from
configure_endpoint().
Reported-by: Jeffrey Barish <jeff_barish@earthlink.net>
Signed-off-by: Daniel Mack <zonque@gmail.com>
Cc: stable@kernel.org [3.5+]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
A few more fixes for final 3.7. Two dealing with pinmux setup on OMAP, and
one dealing with TV output on DaVinci. And one small MAINTAINER update.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJQrWG6AAoJEIwa5zzehBx3NyoP/0GKwGZAPnCCWuzdMc/8geQu
QfPuZqmaRiJXp58CfuOi/2kyw1EPkSVwg7I2i3q+ki9U/H7UlvBPBVIiqnvGwg6o
oNRHHGyfp2EtLCU01+faLZTPHXh7BPRzuq5Mp7puPDnNMhgBWjHi3Qmpcf7HX8Gb
SkY3WBlMiH0xmWA2vNTRMslHbs3/CXYRzQ82KdttV4qoAbWyt7OAv7UbhKCKuAE7
R1gtH7oVnKPrRjp6G1PvxWfCzSDz+XYWZnSGTGtBPEVUWg9p1J/SV0MhQxvlVG9a
8ABLPGUQXn1ElsblSjyvFJSpVDTa+PxbfYXUGfC8xppmP+Q/fI/Ycp0dwnSvXYsN
Pvm6ONQAbkWCrNXMFjz2de9C0/4VcPIArirV7vPW0PwBdPfaKMDSw28obrAoamG1
taJy1fJvUetVaGN2u7LcQfvwecHevHyJBo2fgqukqKrapAmqKINU7MBjYATW371K
Ean7vVH/HzSfEkFl8mT/azTZYeWp4zhMyXKQ+KbhEWYLUSGmeUEqlJIvu6QzQ/Y3
JBx8bJ9mwaCx9JMjyaEqbixKr6ceiseOcO3moduAg2UIWNAa3fwRN1VkZB4vzxQ2
VZswVg2/tTVVZ03cqnR78vi6mKDBwBbvwRL1WyGP4oWubFtBj8DpkO1rqfW5Pqgo
4c1u/OuUOascJ2baJy2v
=FhMC
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Olof Johansson:
"A few more fixes for final 3.7. Two dealing with pinmux setup on
OMAP, and one dealing with TV output on DaVinci. And one small
MAINTAINER update."
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM: davinci: dm644x: fix out range signal for ED
ARM: OMAP4: TWL: mux sys_drm_msecure as output for PMIC
ARM: OMAP3: igep0020: Set WIFI/BT GPIO pins in correct mux mode
ARM: OMAP: Add maintainer entry for IGEP machines
This is two bug fixes: one fixes a loophole where rt_sigprocmask() with the
wrong values panics the box (Denial of Service) and the other fixes an
aliasing problem with get_shared_area() which could cause data corruption.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAABAgAGBQJQrfisAAoJEDeqqVYsXL0MabcIALeL/hMtLSdwo01AG47Z6v6u
jNuQIE6v3mvsaoJ5zxhM570/SZc+waDojfNpax+RjJc4vppDHq40xhI19RHczCvo
AIASYIZynMHF1kqXsFpWfDtOGUzRtFjn8g60rfX593ghtpuliTXm+WgYCl43SyYm
Ee1rLAFrEiXKAHyTO+QXi/EiTHPDGxw84fZdypIC7Bxi0JZg7SX5g/KXwGC2JT7M
fRW2SmrfgFOLMvmYYbyk4BWvZ4dneikcUhOJGiLcpSy++MJF6ccjbfiCD4i6gD9e
cM57jLnHnV2U+qp4e2Rcosi9AQwfSYRkr7j37/OT0KoCLmSRZbwqpF1RMjMKyGM=
=ckHH
-----END PGP SIGNATURE-----
Merge tag 'parisc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/parisc-2.6
Pull PARISC fixes from James Bottomley:
"This is two bug fixes: one fixes a loophole where rt_sigprocmask()
with the wrong values panics the box (Denial of Service) and the other
fixes an aliasing problem with get_shared_area() which could cause
data corruption.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>"
* tag 'parisc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/parisc-2.6:
[PARISC] fix user-triggerable panic on parisc
[PARISC] fix virtual aliasing issue in get_shared_area()
This is a set of four bug fixes. The isci one is an obvious thinko (using
request buffer instead of response buffer) which causes a command to fail.
The three others are DIF/DIX updates which are required because they're part
of a series of ten patches, the other seven of which went into the block layer
during the merge window meaning our current DIF/DIX implementation is broken
without these three.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAABAgAGBQJQre/4AAoJEDeqqVYsXL0MrxwH/A+b3aYvany+ZPg+elAFBCFm
3qHJ2Bys+M/kTkb0Fqb/l1KQfGFjooqcozm6eTgIeZ67bK947pxzu4Txy4JmeXvC
cHQ2lzEzcIFjiyVqV0tQ/wxMCnHTeqDx1WX02aw3T6e5JxObe+gC1pAEoMz2unSk
kpsSvFKBfCBMY6bmbVY5c2vpFTgD4UKtBiKn/GKtLtIDvynRx0P5e7/TNawxUB64
QZ/tu3Z2Ov5g9VWod+LpQwjVI+bIBlBEV4Of+91zou64aocrqXtSoky+ae9mwfPy
7KLLZzz5Fzc5KwT8ynEECtU2iFQXJ/zXNDRh7gBffc0ReljpuouOvIgqdZEW8d0=
=kQyb
-----END PGP SIGNATURE-----
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"This is a set of four bug fixes.
The isci one is an obvious thinko (using request buffer instead of
response buffer) which causes a command to fail.
The three others are DIF/DIX updates which are required because
they're part of a series of ten patches, the other seven of which went
into the block layer during the merge window meaning our current
DIF/DIX implementation is broken without these three.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
[SCSI] sd: Implement support for WRITE SAME
[SCSI] sd: Permit merged discard requests
[SCSI] Add a report opcode helper
[SCSI] isci: copy fis 0x34 response into proper buffer
Pull drm fixes from Dave Airlie.
Small fixes for (mostly Nouveau, some radeon) regressions.
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/nouveau: use the correct fence implementation for nv50
drm/radeon: add new SI pci id
radeon: add AGPMode 1 quirk for RV250
drm/radeon: properly track the crtc not_enabled case evergreen_mc_stop()
drm/nouveau/bios: fix DCB v1.5 parsing
drm/nouveau: add missing pll_calc calls
drm/nouveau: fix crash with noaccel=1
drm/nv40: allocate ctxprog with kmalloc
drm/nvc0/disp: fix thinko in vblank regression fix..
Do not fail if dpll4_m4_ck is missing. The clock is not there on omap24xx,
so this should not be a hard error.
The patch retains the functionality before the commit 185bae10 (OMAPDSS:
DSS: Cleanup cpu_is_xxxx checks).
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
int sys32_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset,
unsigned int sigsetsize)
{
sigset_t old_set, new_set;
int ret;
if (set && get_sigset32(set, &new_set, sigsetsize))
...
static int
get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
{
compat_sigset_t s;
int r;
if (sz != sizeof *set) panic("put_sigset32()");
In other words, rt_sigprocmask(69, (void *)69, 69) done by 32bit process
will promptly panic the box.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
When a write to a replacement device completes, we carefully
and correctly found the rdev that the write actually went to
and the blithely called rdev_dec_pending on the primary rdev,
even if this write was to the replacement.
This means that any writes to an array while a replacement
was ongoing would cause the nr_pending count for the primary
device to go negative, so it could never be removed.
This bug has been present since replacement was introduced in
3.3, so it is suitable for any -stable kernel since then.
Reported-by: "George Spelvin" <linux@horizon.com>
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neilb@suse.de>
When a replacement operation completes there is a small window
when the original device is marked 'faulty' and the replacement
still looks like a replacement. The faulty should be removed and
the replacement moved in place very quickly, bit it isn't instant.
So the code write out to the array must handle the possibility that
the only working device for some slot in the replacement - but it
doesn't. If the primary device is faulty it just gives up. This
can lead to corruption.
So make the code more robust: if either the primary or the
replacement is present and working, write to them. Only when
neither are present do we give up.
This bug has been present since replacement was introduced in
3.3, so it is suitable for any -stable kernel since then.
Reported-by: "George Spelvin" <linux@horizon.com>
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neilb@suse.de>