Commit Graph

482092 Commits

Author SHA1 Message Date
Eric W. Biederman 8486a7882b mnt: Move the clear of MNT_LOCKED from copy_tree to it's callers.
Clear MNT_LOCKED in the callers of copy_tree except copy_mnt_ns, and
collect_mounts.  In copy_mnt_ns it is necessary to create an exact
copy of a mount tree, so not clearing MNT_LOCKED is important.
Similarly collect_mounts is used to take a snapshot of the mount tree
for audit logging purposes and auditing using a faithful copy of the
tree is important.

This becomes particularly significant when we start setting MNT_LOCKED
on rootfs to prevent it from being unmounted.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2014-12-02 10:46:50 -06:00
Eric W. Biederman da362b09e4 umount: Do not allow unmounting rootfs.
Andrew Vagin <avagin@parallels.com> writes:

> #define _GNU_SOURCE
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <sched.h>
> #include <unistd.h>
> #include <sys/mount.h>
>
> int main(int argc, char **argv)
> {
> 	int fd;
>
> 	fd = open("/proc/self/ns/mnt", O_RDONLY);
> 	if (fd < 0)
> 	   return 1;
> 	   while (1) {
> 	   	 if (umount2("/", MNT_DETACH) ||
> 		        setns(fd, CLONE_NEWNS))
> 					break;
> 					}
>
> 					return 0;
> }
>
> root@ubuntu:/home/avagin# gcc -Wall nsenter.c -o nsenter
> root@ubuntu:/home/avagin# strace ./nsenter
> execve("./nsenter", ["./nsenter"], [/* 22 vars */]) = 0
> ...
> open("/proc/self/ns/mnt", O_RDONLY)     = 3
> umount("/", MNT_DETACH)                 = 0
> setns(3, 131072)                        = 0
> umount("/", MNT_DETACH
>
causes:

> [  260.548301] ------------[ cut here ]------------
> [  260.550941] kernel BUG at /build/buildd/linux-3.13.0/fs/pnode.c:372!
> [  260.552068] invalid opcode: 0000 [#1] SMP
> [  260.552068] Modules linked in: xt_CHECKSUM iptable_mangle xt_tcpudp xt_addrtype xt_conntrack ipt_MASQUERADE iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack bridge stp llc dm_thin_pool dm_persistent_data dm_bufio dm_bio_prison iptable_filter ip_tables x_tables crct10dif_pclmul crc32_pclmul ghash_clmulni_intel binfmt_misc nfsd auth_rpcgss nfs_acl aesni_intel nfs lockd aes_x86_64 sunrpc fscache lrw gf128mul glue_helper ablk_helper cryptd serio_raw ppdev parport_pc lp parport btrfs xor raid6_pq libcrc32c psmouse floppy
> [  260.552068] CPU: 0 PID: 1723 Comm: nsenter Not tainted 3.13.0-30-generic #55-Ubuntu
> [  260.552068] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> [  260.552068] task: ffff8800376097f0 ti: ffff880074824000 task.ti: ffff880074824000
> [  260.552068] RIP: 0010:[<ffffffff811e9483>]  [<ffffffff811e9483>] propagate_umount+0x123/0x130
> [  260.552068] RSP: 0018:ffff880074825e98  EFLAGS: 00010246
> [  260.552068] RAX: ffff88007c741140 RBX: 0000000000000002 RCX: ffff88007c741190
> [  260.552068] RDX: ffff88007c741190 RSI: ffff880074825ec0 RDI: ffff880074825ec0
> [  260.552068] RBP: ffff880074825eb0 R08: 00000000000172e0 R09: ffff88007fc172e0
> [  260.552068] R10: ffffffff811cc642 R11: ffffea0001d59000 R12: ffff88007c741140
> [  260.552068] R13: ffff88007c741140 R14: ffff88007c741140 R15: 0000000000000000
> [  260.552068] FS:  00007fd5c7e41740(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
> [  260.552068] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  260.552068] CR2: 00007fd5c7968050 CR3: 0000000070124000 CR4: 00000000000406f0
> [  260.552068] Stack:
> [  260.552068]  0000000000000002 0000000000000002 ffff88007c631000 ffff880074825ed8
> [  260.552068]  ffffffff811dcfac ffff88007c741140 0000000000000002 ffff88007c741160
> [  260.552068]  ffff880074825f38 ffffffff811dd12b ffffffff811cc642 0000000075640000
> [  260.552068] Call Trace:
> [  260.552068]  [<ffffffff811dcfac>] umount_tree+0x20c/0x260
> [  260.552068]  [<ffffffff811dd12b>] do_umount+0x12b/0x300
> [  260.552068]  [<ffffffff811cc642>] ? final_putname+0x22/0x50
> [  260.552068]  [<ffffffff811cc849>] ? putname+0x29/0x40
> [  260.552068]  [<ffffffff811dd88c>] SyS_umount+0xdc/0x100
> [  260.552068]  [<ffffffff8172aeff>] tracesys+0xe1/0xe6
> [  260.552068] Code: 89 50 08 48 8b 50 08 48 89 02 49 89 45 08 e9 72 ff ff ff 0f 1f 44 00 00 4c 89 e6 4c 89 e7 e8 f5 f6 ff ff 48 89 c3 e9 39 ff ff ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 66 66 66 66 90 55 b8 01
> [  260.552068] RIP  [<ffffffff811e9483>] propagate_umount+0x123/0x130
> [  260.552068]  RSP <ffff880074825e98>
> [  260.611451] ---[ end trace 11c33d85f1d4c652 ]--

Which in practice is totally uninteresting.  Only the global root user can
do it, and it is just a stupid thing to do.

However that is no excuse to allow a silly way to oops the kernel.

We can avoid this silly problem by setting MNT_LOCKED on the rootfs
mount point and thus avoid needing any special cases in the unmount
code.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2014-12-02 10:46:49 -06:00
Eric W. Biederman b2f5d4dc38 umount: Disallow unprivileged mount force
Forced unmount affects not just the mount namespace but the underlying
superblock as well.  Restrict forced unmount to the global root user
for now.  Otherwise it becomes possible a user in a less privileged
mount namespace to force the shutdown of a superblock of a filesystem
in a more privileged mount namespace, allowing a DOS attack on root.

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2014-12-02 10:46:48 -06:00
Eric W. Biederman 4a44a19b47 mnt: Update unprivileged remount test
- MNT_NODEV should be irrelevant except when reading back mount flags,
  no longer specify MNT_NODEV on remount.

- Test MNT_NODEV on devpts where it is meaningful even for unprivileged mounts.

- Add a test to verify that remount of a prexisting mount with the same flags
  is allowed and does not change those flags.

- Cleanup up the definitions of MS_REC, MS_RELATIME, MS_STRICTATIME that are used
  when the code is built in an environment without them.

- Correct the test error messages when tests fail.  There were not 5 tests
  that tested MS_RELATIME.

Cc: stable@vger.kernel.org
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2014-12-02 10:46:48 -06:00
Eric W. Biederman 3e1866410f mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount
Now that remount is properly enforcing the rule that you can't remove
nodev at least sandstorm.io is breaking when performing a remount.

It turns out that there is an easy intuitive solution implicitly
add nodev on remount when nodev was implicitly added on mount.

Tested-by: Cedric Bosdonnat <cbosdonnat@suse.com>
Tested-by: Richard Weinberger <richard@nod.at>
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2014-12-02 10:46:39 -06:00
Linus Torvalds 5d01410fe4 Linux 3.18-rc6 2014-11-23 15:25:20 -08:00
Andy Lutomirski 82975bc6a6 uprobes, x86: Fix _TIF_UPROBE vs _TIF_NOTIFY_RESUME
x86 call do_notify_resume on paranoid returns if TIF_UPROBE is set but
not on non-paranoid returns.  I suspect that this is a mistake and that
the code only works because int3 is paranoid.

Setting _TIF_NOTIFY_RESUME in the uprobe code was probably a workaround
for the x86 bug.  With that bug fixed, we can remove _TIF_NOTIFY_RESUME
from the uprobes code.

Reported-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Acked-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-11-23 14:25:28 -08:00
Thomas Gleixner 90e362f4a7 sched: Provide update_curr callbacks for stop/idle scheduling classes
Chris bisected a NULL pointer deference in task_sched_runtime() to
commit 6e998916df 'sched/cputime: Fix clock_nanosleep()/clock_gettime()
inconsistency'.

Chris observed crashes in atop or other /proc walking programs when he
started fork bombs on his machine.  He assumed that this is a new exit
race, but that does not make any sense when looking at that commit.

What's interesting is that, the commit provides update_curr callbacks
for all scheduling classes except stop_task and idle_task.

While nothing can ever hit that via the clock_nanosleep() and
clock_gettime() interfaces, which have been the target of the commit in
question, the author obviously forgot that there are other code paths
which invoke task_sched_runtime()

do_task_stat(()
 thread_group_cputime_adjusted()
   thread_group_cputime()
     task_cputime()
       task_sched_runtime()
        if (task_current(rq, p) && task_on_rq_queued(p)) {
          update_rq_clock(rq);
          up->sched_class->update_curr(rq);
        }

If the stats are read for a stomp machine task, aka 'migration/N' and
that task is current on its cpu, this will happily call the NULL pointer
of stop_task->update_curr.  Ooops.

Chris observation that this happens faster when he runs the fork bomb
makes sense as the fork bomb will kick migration threads more often so
the probability to hit the issue will increase.

Add the missing update_curr callbacks to the scheduler classes stop_task
and idle_task.  While idle tasks cannot be monitored via /proc we have
other means to hit the idle case.

Fixes: 6e998916df 'sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency'
Reported-by: Chris Mason <clm@fb.com>
Reported-and-tested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-11-23 14:14:40 -08:00
Linus Torvalds 00c89b2f11 Merge branch 'x86-traps' (trap handling from Andy Lutomirski)
Merge x86-64 iret fixes from Andy Lutomirski:
 "This addresses the following issues:

   - an unrecoverable double-fault triggerable with modify_ldt.
   - invalid stack usage in espfix64 failed IRET recovery from IST
     context.
   - invalid stack usage in non-espfix64 failed IRET recovery from IST
     context.

  It also makes a good but IMO scary change: non-espfix64 failed IRET
  will now report the correct error.  Hopefully nothing depended on the
  old incorrect behavior, but maybe Wine will get confused in some
  obscure corner case"

* emailed patches from Andy Lutomirski <luto@amacapital.net>:
  x86_64, traps: Rework bad_iret
  x86_64, traps: Stop using IST for #SS
  x86_64, traps: Fix the espfix64 #DF fixup and rewrite it in C
2014-11-23 13:56:55 -08:00
Andy Lutomirski b645af2d59 x86_64, traps: Rework bad_iret
It's possible for iretq to userspace to fail.  This can happen because
of a bad CS, SS, or RIP.

Historically, we've handled it by fixing up an exception from iretq to
land at bad_iret, which pretends that the failed iret frame was really
the hardware part of #GP(0) from userspace.  To make this work, there's
an extra fixup to fudge the gs base into a usable state.

This is suboptimal because it loses the original exception.  It's also
buggy because there's no guarantee that we were on the kernel stack to
begin with.  For example, if the failing iret happened on return from an
NMI, then we'll end up executing general_protection on the NMI stack.
This is bad for several reasons, the most immediate of which is that
general_protection, as a non-paranoid idtentry, will try to deliver
signals and/or schedule from the wrong stack.

This patch throws out bad_iret entirely.  As a replacement, it augments
the existing swapgs fudge into a full-blown iret fixup, mostly written
in C.  It's should be clearer and more correct.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-11-23 13:56:19 -08:00
Andy Lutomirski 6f442be2fb x86_64, traps: Stop using IST for #SS
On a 32-bit kernel, this has no effect, since there are no IST stacks.

On a 64-bit kernel, #SS can only happen in user code, on a failed iret
to user space, a canonical violation on access via RSP or RBP, or a
genuine stack segment violation in 32-bit kernel code.  The first two
cases don't need IST, and the latter two cases are unlikely fatal bugs,
and promoting them to double faults would be fine.

This fixes a bug in which the espfix64 code mishandles a stack segment
violation.

This saves 4k of memory per CPU and a tiny bit of code.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-11-23 13:56:19 -08:00
Andy Lutomirski af726f21ed x86_64, traps: Fix the espfix64 #DF fixup and rewrite it in C
There's nothing special enough about the espfix64 double fault fixup to
justify writing it in assembly.  Move it to C.

This also fixes a bug: if the double fault came from an IST stack, the
old asm code would return to a partially uninitialized stack frame.

Fixes: 3891a04aaf
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-11-23 13:56:18 -08:00
Linus Torvalds 27946315d2 ARM: SoC fixes for 3.18-rc6
A collection of fixes this week:
 
 - A set of clock fixes for shmobile platforms
 - A fix for tegra that moves serial port labels to be per board.
   We're choosing to merge this for 3.18 because the labels will start
   being parsed in 3.19, and without this change serial port numbers that
   used to be stable since the dawn of time will change numbers.
 - A few other DT tweaks for Tegra.
 - A fix for multi_v7_defconfig that makes it stop spewing cpufreq errors on
   Arndale (Exynos).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUciiGAAoJEIwa5zzehBx3jwgQAIHjp02NcGah/8TYwQr9TqW9
 PGRvByKshSCQz8Q/MldSKyp1Ni86m/ZAR27KcPXuPs4Jp7Wuur88PuHOfijO4AvE
 z5s92TIZUaj74emlBbUAT5og8iG5h8+EwzRkcemobgKwTS6xHv6Wch1bBWQbu0Vc
 Zm2/z8ByYD17jCD8Nu6hnBZNs64SjYZixt+DAvRoW0nCm/N7mXajYesCbr/EWt7S
 WtHKcRQwWwr6XixDhCjsgCpsdba6HqX0dvPb4HRUDOCL5jLj8vc65cZZgMOBRsU/
 XSHixBbtSvMiFzfrqppMMjeqp/eo0vcyAi86RpGWRC+t9iqrqCfqysGyfed/tYgc
 t4DAaRC5JBdLSjznuQMSTyexJhVmsxqoByCJcsc/pnaRKXJ2/xlOgTtVNdx70ckf
 w2wrYjCafj/PprOqjUdrvcXDwkzDvvG05Ma4kbhyvmV0fbWqc5DmGVr8VNS0urWZ
 oLpI5R2/A7XpA8n8prfAgzJRhK3qZEwvhYBsSW4JzfnVL0p+LrxnWmfKecl3iizK
 t50vDbcvr/yo9Te08t+iJQGm0Sb2AzXG4dfQgBeIj9rmI892ikBwUKeeusp/XprA
 SOvyZk28rqWRsfPIEJD16vEYFFt2EEWHcQoonf/Dsu62v4i1+goAxoWY6G8NHbA9
 gTaItn0wA+Hv5msYs4HJ
 =FXz0
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-for-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:
 "A collection of fixes this week:

   - A set of clock fixes for shmobile platforms
   - A fix for tegra that moves serial port labels to be per board.
     We're choosing to merge this for 3.18 because the labels will start
     being parsed in 3.19, and without this change serial port numbers
     that used to be stable since the dawn of time will change numbers.
   - A few other DT tweaks for Tegra.
   - A fix for multi_v7_defconfig that makes it stop spewing cpufreq
     errors on Arndale (Exynos)"

* tag 'armsoc-for-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: multi_v7_defconfig: fix failure setting CPU voltage by enabling dependent I2C controller
  ARM: tegra: roth: Fix SD card VDD_IO regulator
  ARM: tegra: Remove eMMC vmmc property for roth/tn7
  ARM: dts: tegra: move serial aliases to per-board
  ARM: tegra: Add serial port labels to Tegra124 DT
  ARM: shmobile: kzm9g legacy: Set i2c clks_per_count to 2
  ARM: shmobile: r8a7740 dtsi: Correct IIC0 parent clock
  ARM: shmobile: r8a7790: Fix SD3CKCR address to device tree
  ARM: shmobile: r8a7740 legacy: Correct IIC0 parent clock
  ARM: shmobile: r8a7740 legacy: Add missing INTCA clock for irqpin module
  ARM: shmobile: r8a7790: Fix SD3CKCR address
  ARM: dts: sun6i: Re-parent ahb1_mux to pll6 as required by dma controller
2014-11-23 11:46:01 -08:00
Linus Torvalds 9f2e0f6370 Merge branch 'for-3.18-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
Pull percpu fix from Tejun Heo:
 "This contains one patch to fix a race condition which can lead to
  percpu_ref using a percpu pointer which is corrupted with a set DEAD
  bit.  The bug was introduced while separating out the ATOMIC mode flag
  from the DEAD flag.  The fix is pretty straight forward.

  I just committed the patch to the percpu tree but am sending out the
  pull request early as I'll be on vacation for a week.  The patch
  should be fairly safe and while the latency will be higher I'll be
  checking emails"

* 'for-3.18-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
  percpu-ref: fix DEAD flag contamination of percpu pointer
2014-11-23 11:33:49 -08:00
Linus Torvalds d038a63ace Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs deadlock fix from Chris Mason:
 "This has a fix for a long standing deadlock that we've been trying to
  nail down for a while.  It ended up being a bad interaction with the
  fair reader/writer locks and the order btrfs reacquires locks in the
  btree"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  btrfs: fix lockups from btrfs_clear_path_blocking
2014-11-23 11:16:36 -08:00
Tejun Heo 4aab3b5b3c percpu-ref: fix DEAD flag contamination of percpu pointer
While decoupling ATOMIC and DEAD flags, f47ad45784 ("percpu_ref:
decouple switching to percpu mode and reinit") updated
__ref_is_percpu() so that it only tests ATOMIC flag to determine
whether the ref is in percpu mode or not; however, while DEAD implies
ATOMIC, the two flags are set separately during percpu_ref_kill() and
if __ref_is_percpu() races percpu_ref_kill(), it may see DEAD w/o
ATOMIC.  Because __ref_is_percpu() returns @ref->percpu_count_ptr
value verbatim as the percpu pointer after testing ATOMIC, the pointer
may now be contaminated with the DEAD flag.

This can be fixed by clearing the flag bits before returning the
pointer which was the fix proposed by Shaohua; however, as DEAD
implies ATOMIC, we can just test for both flags at once and avoid the
explicit masking.

Update __ref_is_percpu() so that it tests that both ATOMIC and DEAD
are clear before returning @ref->percpu_count_ptr as the percpu
pointer.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-Reviewed-by: Shaohua Li <shli@kernel.org>
Link: http://lkml.kernel.org/r/995deb699f5b873c45d667df4add3b06f73c2c25.1416638887.git.shli@kernel.org
Fixes: f47ad45784 ("percpu_ref: decouple switching to percpu mode and reinit")
2014-11-23 12:36:06 -05:00
Linus Torvalds cb95413971 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fix from Thomas Gleixner:
 "A single bugfix for an init order problem in the sun4i subarch
  clockevents code"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  clockevent: sun4i: Fix race condition in the probe code
2014-11-22 14:33:11 -08:00
Linus Torvalds ecde00642c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
 "Assorted fixes, most in overlayfs land"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  ovl: ovl_dir_fsync() cleanup
  ovl: update MAINTAINERS
  ovl: pass dentry into ovl_dir_read_merged()
  ovl: use lockless_dereference() for upperdentry
  ovl: allow filenames with comma
  ovl: fix race in private xattr checks
  ovl: fix remove/copy-up race
  ovl: rename filesystem type to "overlay"
  isofs: avoid unused function warning
  vfs: fix reference leak in d_prune_aliases()
2014-11-22 14:15:27 -08:00
Linus Torvalds 8a84e01e14 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix BUG when decrypting empty packets in mac80211, from Ronald Wahl.

 2) nf_nat_range is not fully initialized and this is copied back to
    userspace, from Daniel Borkmann.

 3) Fix read past end of b uffer in netfilter ipset, also from Dan
    Carpenter.

 4) Signed integer overflow in ipv4 address mask creation helper
    inet_make_mask(), from Vincent BENAYOUN.

 5) VXLAN, be2net, mlx4_en, and qlcnic need ->ndo_gso_check() methods to
    properly describe the device's capabilities, from Joe Stringer.

 6) Fix memory leaks and checksum miscalculations in openvswitch, from
    Pravin B SHelar and Jesse Gross.

 7) FIB rules passes back ambiguous error code for unreachable routes,
    making behavior confusing for userspace.  Fix from Panu Matilainen.

 8) ieee802154fake_probe() doesn't release resources properly on error,
    from Alexey Khoroshilov.

 9) Fix skb_over_panic in add_grhead(), from Daniel Borkmann.

10) Fix access of stale slave pointers in bonding code, from Nikolay
    Aleksandrov.

11) Fix stack info leak in PPP pptp code, from Mathias Krause.

12) Cure locking bug in IPX stack, from Jiri Bohac.

13) Revert SKB fclone memory freeing optimization that is racey and can
    allow accesses to freed up memory, from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (71 commits)
  tcp: Restore RFC5961-compliant behavior for SYN packets
  net: Revert "net: avoid one atomic operation in skb_clone()"
  virtio-net: validate features during probe
  cxgb4 : Fix DCB priority groups being returned in wrong order
  ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
  openvswitch: Don't validate IPv6 label masks.
  pptp: fix stack info leak in pptp_getname()
  brcmfmac: don't include linux/unaligned/access_ok.h
  cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection
  ipv6: delete protocol and unregister rtnetlink when cleanup
  net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too
  bonding: fix curr_active_slave/carrier with loadbalance arp monitoring
  mac80211: minstrel_ht: fix a crash in rate sorting
  vxlan: Inline vxlan_gso_check().
  can: m_can: update to support CAN FD features
  can: m_can: fix incorrect error messages
  can: m_can: add missing delay after setting CCCR_INIT bit
  can: m_can: fix not set can_dlc for remote frame
  can: m_can: fix possible sleep in napi poll
  can: m_can: add missing message RAM initialization
  ...
2014-11-21 17:20:36 -08:00
Linus Torvalds 928352e9ee Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
 "Just two radeon and two intel fixes: endian and regression fixes"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/radeon: fix endian swapping in vbios fetch for tdp table
  drm/radeon: disable native backlight control on pre-r6xx asics (v2)
  drm/i915: Kick fbdev before vgacon
  drm/i915: drop WaSetupGtModeTdRowDispatch:snb
2014-11-21 17:15:28 -08:00
Linus Torvalds 9a7e4f5633 sound fixes for 3.18-rc6
This batch ended up as a relatively high volume due to pending
 ASoC fixes.  But most of fixes there are trivial and/or device-
 specific fixes and quirks, so safe to apply.  The only (ASoC)
 core fixes are the DPCM race fix and the machine-driver matching
 fix for componentization.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJUbMUBAAoJEGwxgFQ9KSmkM7MQALi2oHeu089YX0nl2aJr/LeU
 R55yuOCiKmkvikJIccInWbtwAW57K41CbLK9lDZx+6iSfpzAs7Nd554VdACDhtP1
 wnnBGKhUZHF3NMim8UMjXRX/IAwJS1DvTKfULdLyAdG+ptNrmeCA2xBVPSCU+5Fb
 q6QPSuM0A5qP//Ufsi4gHJsTZpe/S42PIh46XK5Z2nOO7Y/J+Ytwi/g6TaauYjDU
 GZK3XNa7vjtZIw42nNyjn8qIIByhji591uHJpizIPVjbVKxhqm3wM1lU5xCYj/cd
 fi1uWOOQ1Gp+DYTScfu0DZj1BaoBCqeQ27pvnDU15+yqDJHmmKvtQbBbETtbba9t
 ajZvg+1J6ONf/wYkNqaSAkSFEMyOQ1NpSRsGMri28ahndkC72h6NBmH5FFEwIg1X
 3XcxEf1BKw3oQXvaoeL8Qin6d+zWBjWHzNSmVeft4MYMf+AxnoXoD0+HmRIGQhVK
 qFFtcuPVnIDHLUHsiVTNvMi7kejzgl8NUW3lGzbaWSSPKdUFHK2lE60uKzvQ5yHm
 0K4CD2H4FVrMM3iqwSsDmUDk+++HOr7LjvC9jMZM5KobZQ9t25Imkt+ZdypQfzJC
 wKz480viZcu3VimEdHYNivM2RLh2kxZtUB26O8DodEI28wr6b4PYlX/4Nzt+rXwu
 YMf3SOUNdPEoAqlcEi9l
 =oc6T
 -----END PGP SIGNATURE-----

Merge tag 'sound-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This batch ended up as a relatively high volume due to pending ASoC
  fixes.  But most of fixes there are trivial and/or device- specific
  fixes and quirks, so safe to apply.  The only (ASoC) core fixes are
  the DPCM race fix and the machine-driver matching fix for
  componentization"

* tag 'sound-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - fix the mic mute led problem for Latitude E5550
  ALSA: hda - move DELL_WMI_MIC_MUTE_LED to the tail in the quirk chain
  ASoC: wm_adsp: Avoid attempt to free buffers that might still be in use
  ALSA: usb-audio: Set the Control Selector to SU_SELECTOR_CONTROL for UAC2
  ALSA: usb-audio: Add ctrl message delay quirk for Marantz/Denon devices
  ASoC: sgtl5000: Fix SMALL_POP bit definition
  ASoC: cs42l51: re-hook of_match_table pointer
  ASoC: rt5670: change dapm routes of PLL connection
  ASoC: rt5670: correct the incorrect default values
  ASoC: samsung: Add MODULE_DEVICE_TABLE for Snow
  ASoC: max98090: Correct pclk divisor settings
  ASoC: dpcm: Fix race between FE/BE updates and trigger
  ASoC: Fix snd_soc_find_dai() matching component by name
  ASoC: rsnd: remove unsupported PAUSE flag
  ASoC: fsi: remove unsupported PAUSE flag
  ASoC: rt5645: Mark RT5645_TDM_CTRL_3 as readable
  ASoC: rockchip-i2s: fix infinite loop in rockchip_snd_rxctrl
  ASoC: es8328-i2c: Fix i2c_device_id name field in es8328_id
  ASoC: fsl_asrc: Add reg_defaults for regmap to fix kernel dump
2014-11-21 17:11:56 -08:00
Linus Torvalds f100a74674 ACPI power management fix for 3.18-rc6
This is just a one-liner fixing a regression introduced in 3.13 that
 broke system suspend on some Chromebooks.
 
 On those machines there are ACPI device objects for some I2C devices
 that can wake up the system from sleep states, but that is done via
 a platform-specific mechanism and the ACPI objects don't contain any
 wakeup-related information.  When we started to use ACPI power
 management with those devices (which happened during the 3.13 cycle),
 their configuration confused the ACPI PM layer that returned error
 codes from suspend callbacks for them causing system suspend to fail.
 
 However, the ACPI PM layer can safely ignore the wakeup setting from
 a device driver if the ACPI object corresponding to the device in
 question doesn't contain wakeup information in which case the driver
 itself is responsible for setting up the device for system wakeup.
 
 /
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJUb0/DAAoJEILEb/54YlRxBKcQAIsQBoP6ogxC5DcOiOqCOF9t
 fQyUfrwgltGt8GDbbEeHWrDSBrgIVfZmtK2lm+ak8rkU66k3foD2BDDWv5f1cgDz
 H+Y/aQotkt2RbY67V7ga4HP+2CfWnGVL1E0MN2fcn0DrBei4fPoYfanfUj6dSTg+
 fdXnY5YmSgSfdmnN8MFde13uTxzkwe6bfMwi+PhFk7fp7j6d5+T8rc7Dd9OWRePJ
 +OYW/jrYCxixnIDQGbeaSVzTlunL+Q3mIB2D+Kj6Sy9s9jyEadXPy/bQRCeIdv3v
 Q6Ryi/tsGrs0XVSVy5uNusJcWDOcTcvXA1srwx6Rm8D4+nRAcwYxGyX4n5dew5L/
 uy9PcCLMP1PhI7aIkhZxkIvk+Rp8H2En3QdzqjFbk5YEo003Mq6Lj04pFpWl9W7u
 6wDTRm2eKPzPVyihs4G8gPGeu9CfkTTmLX7HX41FmczIFoMOANNMgF0COmGpgHzu
 v4QKwNsfRl+KPLQZHQlwZkm9RFVc2s6BVLS1//l7d6AGIeQx86WVBEr6qr86OQ/t
 NIPg2W9PsPuzT2SynYjtPnoRb1Mik/78ltx2WR05/yxtOgsOFxjJozdV0QHc7dc0
 Mt1xSqHbgg1fxcwM86QzY1cqaPSmjJQhi4Jk6B/SGFIf14VbCJP/PjYt8wqprIWB
 Ib4Ykw+oswhEtKHUnWNB
 =2pxa
 -----END PGP SIGNATURE-----

Merge tag 'pm+acpi-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI power management fix from Rafael Wysocki:
 "This is just a one-liner fixing a regression introduced in 3.13 that
  broke system suspend on some Chromebooks.

  On those machines there are ACPI device objects for some I2C devices
  that can wake up the system from sleep states, but that is done via a
  platform-specific mechanism and the ACPI objects don't contain any
  wakeup-related information.  When we started to use ACPI power
  management with those devices (which happened during the 3.13 cycle),
  their configuration confused the ACPI PM layer that returned error
  codes from suspend callbacks for them causing system suspend to fail.

  However, the ACPI PM layer can safely ignore the wakeup setting from a
  device driver if the ACPI object corresponding to the device in
  question doesn't contain wakeup information in which case the driver
  itself is responsible for setting up the device for system wakeup"

* tag 'pm+acpi-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up
2014-11-21 16:56:25 -08:00
Linus Torvalds 2e29a6d086 DeviceTree fixes for 3.18:
- 2 fixes for OF selftest code
 - Fix for PowerPC address parsing to disable work-around except on old
   PowerMACs
 - Fix a crash when earlycon is enabled, but no device is found
 - DT documentation fixes and missing vendor prefixes
 
 All but the doc updates are also for stable.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJUbqAVAAoJEMhvYp4jgsXiNLUH/A5cpNKcs2D0GCpDxxkZa6X/
 o5vwuECwd7dFH83lkFWdNFCNJ6B7hUUG3RDO63SgzZch2auQR1yETJrXSbUNeDKM
 HMp3CVvVjqFz7h86H2x+mijxUPJl7YWtFuC1RQUJkMGULC16BnYLSVGrrqHI37BJ
 E5hdmfJtARUGcmZO291JB9bdfuR5gAfIR4GIYsAQHn0RbiuST/L1DyL2QFkh69eW
 yyeB9elIw+xYBUlEVMkq5LmH12l0VA1eSIofBWEfj40cCax1CblL1nzV1+s7oHpv
 JrATuyfxlTjs/tdUeeV/lMT4Vg/ICWsbPJKWb4UaJv0nH+u+oGiKSCyl5X4DH4c=
 =M65+
 -----END PGP SIGNATURE-----

Merge tag 'devicetree-fixes-for-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull devicetree fixes from Rob Herring:
 "DeviceTree fixes for 3.18:

   - two fixes for OF selftest code
   - fix for PowerPC address parsing to disable work-around except on
     old PowerMACs
   - fix a crash when earlycon is enabled, but no device is found
   - DT documentation fixes and missing vendor prefixes

  All but the doc updates are also for stable"

* tag 'devicetree-fixes-for-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  of/selftest: Fix testing when /aliases is missing
  of/selftest: Fix off-by-one error in removal path
  documentation: pinctrl bindings: Fix trivial typo 'abitrary'
  devicetree: bindings: Add vendor prefix for Micron Technology, Inc.
  of: Add vendor prefix for Chips&Media, Inc.
  of/base: Fix PowerPC address parsing hack
  devicetree: vendor-prefixes.txt: fix whitespace
  of: Fix crash if an earlycon driver is not found
  of/irq: Drop obsolete 'interrupts' vs 'interrupts-extended' text
  of: Spelling s/stucture/structure/
  devicetree: bindings: add sandisk to the vendor prefixes
2014-11-21 16:40:41 -08:00
Linus Torvalds 08685897b3 PCI updates for v3.18:
Resource management
     - Support 64-bit bridge windows if we have 64-bit dma_addr_t (Yinghai Lu)
 
   PCI device hotplug
     - Apply _HPX Link Control settings to all devices with a link (Yinghai Lu)
 
   Generic host bridge driver
     - Add DT binding for "linux,pci-domain" property (Lucas Stach)
 
   APM X-Gene
     - Assign resources to bus before adding new devices (Duc Dang)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUbkCkAAoJEFmIoMA60/r8HHcQAMBeaF4pbUYotzpd8kwjFQ2x
 d9DPU3bAfeMY3U4qKRkp/GXV1F1ueVP2KgwaKlV9ytrILFwVYlsy2DZ/JIS3ggw2
 BfjPTVB6rADzhfZB0HNSQQGOcGbKezd4sM45E6hsZqxzlgnVJQ5oL0u/PL5fuvC1
 +1goznoJwOhLMn9bsSS+b/2bgmPG1HYonFu1ehiSTt/g9e0Q2YsMkCZDo8R3i6nl
 W25g93m1yP7KO3AnPsnE9dm9oDEcbqVbfSu+Z8X2NllN8/+e6+z7CtDZx5OfMpRI
 GBQrLuPXi0NxFeFcj+gbAfhV8ZsFDdqNXPHuqC7pOKlveCmyk8tBhXcIr9gTnGQF
 /UjxgWDekH6Cb8DjFVQCj84D5f1U7RNRbpkeEr6gXtoM7vPDfQaCROC5qhBKGV+P
 XAQ4ujGkCe3A9ve2XNsgHzLQgRoRopfI6aN2VZxQYaxvobm+QzuMW7BtKJ72dUKJ
 LIPnlc+X1ccwg+ZyWFvgLByMKCriklTjeFA2UMP6WI7xD3r5N+Y0QP0no4zVPIMN
 no5RAx7sv71yE97Y/SSosirfjQ3YlJ55KJRJY2+j2obD9wLCCEwJuiNnrYU+EB6c
 Z/cPmZhGKZnBcDJMazjULe2gldVDRokIRk069ySob4iUdZ4n/vIdCbNR5Z0f6dAr
 w7SfdPXK2ARn0ulqzdT1
 =smv9
 -----END PGP SIGNATURE-----

Merge tag 'pci-v3.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:
 "These are fixes for an issue with 64-bit PCI bus addresses on 32-bit
  PAE kernels, an APM X-Gene problem (it depended on a generic change we
  removed before merging), a fix for my hotplug device configuration
  changes, and a devicetree documentation update.

  Resource management:
    - Support 64-bit bridge windows if we have 64-bit dma_addr_t (Yinghai Lu)

  PCI device hotplug:
    - Apply _HPX Link Control settings to all devices with a link (Yinghai Lu)

  Generic host bridge driver:
    - Add DT binding for "linux,pci-domain" property (Lucas Stach)

  APM X-Gene:
    - Assign resources to bus before adding new devices (Duc Dang)"

* tag 'pci-v3.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: Support 64-bit bridge windows if we have 64-bit dma_addr_t
  PCI: Apply _HPX Link Control settings to all devices with a link
  PCI: Add missing DT binding for "linux,pci-domain" property
  PCI: xgene: Assign resources to bus before adding new devices
2014-11-21 16:36:42 -08:00
Linus Torvalds a46171d010 Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
Pull SCSI target fixes from Nicholas Bellinger:
 "Here are the target-pending fixes queued for v3.18-rc6.

  The highlights include:

   - target-core OOPs fix with tcm_qla2xxx + vxworks FC initiators +
     zero length SCSI commands having a transfer direction set.  (Roland
     + Craig Watson)

   - vhost-scsi OOPs fix to explicitly prevent WWPN endpoint configfs
     group removal while qemu still has an active reference.  (Paolo +
     nab)

   - ib_srpt fix for RDMA hardware with lower srp_sq_size limits.
     (Bart)

   - two ib_isert work-arounds for running on ocrdma hardware (Or + Sagi
     + Chris)

   - iscsi-target discovery portal typo + SPC-3 PR Preempt SA key
     matching fix (Steve)"

* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
  IB/isert: Adjust CQ size to HW limits
  target: return CONFLICT only when SA key unmatched
  iser-target: Handle DEVICE_REMOVAL event on network portal listener correctly
  ib_isert: Add max_send_sge=2 minimum for control PDU responses
  srp-target: Retry when QP creation fails with ENOMEM
  iscsi-target: return the correct port in SendTargets
  vhost-scsi: Take configfs group dependency during VHOST_SCSI_SET_ENDPOINT
  target: Don't call TFO->write_pending if data_length == 0
2014-11-21 16:28:45 -08:00
Linus Torvalds 4ec69c7ebc Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
Pull dmaengine fixes from Vinod Koul:
 "We have couple of fixes for dmaengine queued up:
   - dma mempcy fix for dma configuration of sun6i by Maxime
   - pl330 fixes: First the fixing allocation for data buffers by Liviu
     and then Jon's fixe for fifo width and usage"

* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: Fix allocation size for PL330 data buffer depth.
  dmaengine: pl330: Limit MFIFO usage for memcpy to avoid exhausting entries
  dmaengine: pl330: Align DMA memcpy operations to MFIFO width
  dmaengine: sun6i: Fix memcpy operation
2014-11-21 16:24:27 -08:00
Linus Torvalds e6a588d086 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
 "More 3.18 fixes for MIPS:

   - backtraces were not quite working on on 64-bit kernels
   - loongson needs a different cache coherency setting
   - Loongson 3 is a MIPS64 R2 version but due to erratum we treat is an
     older architecture revision.
   - fix build errors due to undefined references to __node_distances
     for certain configurations.
   - fix instruction decodig in the jump label code.
   - for certain configurations copy_{from,to}_user destroy the content
     of $3 so that register needs to be marked as clobbed by the calling
     code.
   - Hardware Table Walker fixes.
   - fill the delay slot of the last instruction of memcpy otherwise
     whatever ends up there randomly might have undesirable effects.
   - ensure get_user/__get_user always zero the variable to be read even
     in case of an error"

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: jump_label.c: Handle the microMIPS J instruction encoding
  MIPS: jump_label.c: Correct the span of the J instruction
  MIPS: Zero variable read by get_user / __get_user in case of an error.
  MIPS: lib: memcpy: Restore NOP on delay slot before returning to caller
  MIPS: tlb-r4k: Add missing HTW stop/start sequences
  MIPS: asm: uaccess: Add v1 register to clobber list on EVA
  MIPS: oprofile: Fix backtrace on 64-bit kernel
  MIPS: Loongson: Set Loongson-3's ISA level to MIPS64R1
  MIPS: Loongson: Fix the write-combine CCA value setting
  MIPS: IP27: Fix __node_distances undefined error
  MIPS: Loongson3: Fix __node_distances undefined error
2014-11-21 16:14:58 -08:00
Linus Torvalds 4fc82c0a76 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Pull powerpc fix from Michael Ellerman:
 "One fix from Scott, he says:

  This patch fixes a crash (introduced in v3.18-rc1) in the FSL MSI driver
  when threaded IRQs are enabled"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
  powerpc/fsl_msi: mark the msi cascade handler IRQF_NO_THREAD
2014-11-21 16:13:34 -08:00
Linus Torvalds c6c9161d06 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:
 "Misc fixes:
   - gold linker build fix
   - noxsave command line parsing fix
   - bugfix for NX setup
   - microcode resume path bug fix
   - _TIF_NOHZ versus TIF_NOHZ bugfix as discussed in the mysterious
     lockup thread"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1
  x86, kaslr: Handle Gold linker for finding bss/brk
  x86, mm: Set NX across entire PMD at boot
  x86, microcode: Update BSPs microcode on resume
  x86: Require exact match for 'noxsave' command line option
2014-11-21 15:46:17 -08:00
Linus Torvalds 8b2ed21e84 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull scheduler fixes from Ingo Molnar:
 "Misc fixes: two NUMA fixes, two cputime fixes and an RCU/lockdep fix"

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency
  sched/cputime: Fix cpu_timer_sample_group() double accounting
  sched/numa: Avoid selecting oneself as swap target
  sched/numa: Fix out of bounds read in sched_init_numa()
  sched: Remove lockdep check in sched_move_task()
2014-11-21 15:44:54 -08:00
Linus Torvalds 13f5004c94 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "Misc fixes: two Intel uncore driver fixes, a CPU-hotplug fix and a
  build dependencies fix"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/intel/uncore: Fix boot crash on SBOX PMU on Haswell-EP
  perf/x86/intel/uncore: Fix IRP uncore register offsets on Haswell EP
  perf: Fix corruption of sibling list with hotplug
  perf/x86: Fix embarrasing typo
2014-11-21 15:44:07 -08:00
Linus Torvalds a64bb02f4a Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull core fix from Ingo Molnar:
 "Fix GENMASK macro shift overflow"

Nobody seems to currently use GENMASK() to fill every single last bit
(which is what overflows) in-tree, and gcc would warn about it, so we
have that going for us.  But apparently there are pending changes that
want this.

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  bitops: Fix shift overflow in GENMASK macros
2014-11-21 15:38:21 -08:00
Calvin Owens 0c228e833c tcp: Restore RFC5961-compliant behavior for SYN packets
Commit c3ae62af8e ("tcp: should drop incoming frames without ACK
flag set") was created to mitigate a security vulnerability in which a
local attacker is able to inject data into locally-opened sockets by
using TCP protocol statistics in procfs to quickly find the correct
sequence number.

This broke the RFC5961 requirement to send a challenge ACK in response
to spurious RST packets, which was subsequently fixed by commit
7b514a886b ("tcp: accept RST without ACK flag").

Unfortunately, the RFC5961 requirement that spurious SYN packets be
handled in a similar manner remains broken.

RFC5961 section 4 states that:

   ... the handling of the SYN in the synchronized state SHOULD be
   performed as follows:

   1) If the SYN bit is set, irrespective of the sequence number, TCP
      MUST send an ACK (also referred to as challenge ACK) to the remote
      peer:

      <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>

      After sending the acknowledgment, TCP MUST drop the unacceptable
      segment and stop processing further.

   By sending an ACK, the remote peer is challenged to confirm the loss
   of the previous connection and the request to start a new connection.
   A legitimate peer, after restart, would not have a TCB in the
   synchronized state.  Thus, when the ACK arrives, the peer should send
   a RST segment back with the sequence number derived from the ACK
   field that caused the RST.

   This RST will confirm that the remote peer has indeed closed the
   previous connection.  Upon receipt of a valid RST, the local TCP
   endpoint MUST terminate its connection.  The local TCP endpoint
   should then rely on SYN retransmission from the remote end to
   re-establish the connection.

This patch lets SYN packets through the discard added in c3ae62af8e,
so that spurious SYN packets are properly dealt with as per the RFC.

The challenge ACK is sent unconditionally and is rate-limited, so the
original vulnerability is not reintroduced by this patch.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21 15:33:50 -05:00
Eric Dumazet e7820e39b7 net: Revert "net: avoid one atomic operation in skb_clone()"
Not sure what I was thinking, but doing anything after
releasing a refcount is suicidal or/and embarrassing.

By the time we set skb->fclone to SKB_FCLONE_FREE, another cpu
could have released last reference and freed whole skb.

We potentially corrupt memory or trap if CONFIG_DEBUG_PAGEALLOC is set.

Reported-by: Chris Mason <clm@fb.com>
Fixes: ce1a4ea3f1 ("net: avoid one atomic operation in skb_clone()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21 15:26:32 -05:00
Al Viro 3035b675ad Merge branch 'overlayfs-current' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs into for-linus
"The biggest change is to rename the filesystem from "overlayfs" to "overlay".
This will allow legacy overlayfs to be easily carried by distros alongside the
new mainline one.  Also fix a couple of copy-up races and allow escaping comma
character in filenames."

The last bit is about commas in pathname mount options...
2014-11-21 11:51:08 -05:00
Jason Wang 892d6eb124 virtio-net: validate features during probe
We currently trigger BUG when VIRTIO_NET_F_CTRL_VQ
is not set but one of features depending on it is.
That's not a friendly way to report errors to
hypervisors.
Let's check, and fail probe instead.

Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21 00:26:43 -05:00
David S. Miller 7e09dccd07 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains two bugfixes for your net tree, they are:

1) Validate netlink group from nfnetlink to avoid an out of bound array
   access. This should only happen with superuser priviledges though.
   Discovered by Andrey Ryabinin using trinity.

2) Don't push ethernet header before calling the netfilter output hook
   for multicast traffic, this breaks ebtables since it expects to see
   skb->data pointing to the network header, patch from Linus Luessing.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21 00:12:39 -05:00
David S. Miller c857781900 Merge tag 'master-2014-11-20' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:

====================
pull request: wireless 2014-11-20

Please full this little batch of fixes intended for the 3.18 stream!

For the mac80211 patch, Johannes says:

"Here's another last minute fix, for minstrel HT crashing
depending on the value of some uninitialised stack."

On top of that...

Ben Greear fixes an ath9k regression in which a BSSID mask is
miscalculated.

Dmitry Torokhov corrects an error handling routing in brcmfmac which
was checking an unsigned variable for a negative value.

Johannes Berg avoids a build problem in brcmfmac for arches where
linux/unaligned/access_ok.h and asm/unaligned.h conflict.

Mathy Vanhoef addresses another brcmfmac issue so as to eliminate a
use-after-free of the URB transfer buffer if a timeout occurs.

Please let me know if there are problems!
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21 00:07:51 -05:00
Anish Bhatt 17544e2ad7 cxgb4 : Fix DCB priority groups being returned in wrong order
Peer priority groups were being reversed, but this was missed in the previous
fix sent out for this issue.

v2 : Previous patch was doing extra unnecessary work, result is the same.
Please ignore previous patch

Fixes :	ee7bc3cdc2 ('cxgb4 : dcb open-lldp interop fixes')

Signed-off-by: Anish Bhatt <anish@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-21 00:05:55 -05:00
Jiri Bohac 01462405f0 ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
This fixes an old regression introduced by commit
b0d0d915 (ipx: remove the BKL).

When a recvmsg syscall blocks waiting for new data, no data can be sent on the
same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked.

This breaks mars-nwe (NetWare emulator):
- the ncpserv process reads the request using recvmsg
- ncpserv forks and spawns nwconn
- ncpserv calls a (blocking) recvmsg and waits for new requests
- nwconn deadlocks in sendmsg on the same socket

Commit b0d0d915 has simply replaced BKL locking with
lock_sock/release_sock. Unlike now, BKL got unlocked while
sleeping, so a blocking recvmsg did not block a concurrent
sendmsg.

Only keep the socket locked while actually working with the socket data and
release it prior to calling skb_recv_datagram().

Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-20 22:57:03 -05:00
Joe Stringer d3052bb5d3 openvswitch: Don't validate IPv6 label masks.
When userspace doesn't provide a mask, OVS datapath generates a fully
unwildcarded mask for the flow by copying the flow and setting all bits
in all fields. For IPv6 label, this creates a mask that matches on the
upper 12 bits, causing the following error:

openvswitch: netlink: Invalid IPv6 flow label value (value=ffffffff, max=fffff)

This patch ignores the label validation check for masks, avoiding this
error.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-20 22:56:13 -05:00
Mathias Krause a5f6fc28d6 pptp: fix stack info leak in pptp_getname()
pptp_getname() only partially initializes the stack variable sa,
particularly only fills the pptp part of the sa_addr union. The code
thereby discloses 16 bytes of kernel stack memory via getsockname().

Fix this by memset(0)'ing the union before.

Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-20 22:43:47 -05:00
Dave Airlie a0fc608178 Merge branch 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
fix one regression and one endian issue.

* 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: fix endian swapping in vbios fetch for tdp table
  drm/radeon: disable native backlight control on pre-r6xx asics (v2)
2014-11-21 12:19:19 +10:00
Andy Lutomirski b5e212a305 x86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1
TIF_NOHZ is 19 (i.e. _TIF_SYSCALL_TRACE | _TIF_NOTIFY_RESUME |
_TIF_SINGLESTEP), not (1<<19).

This code is involved in Dave's trinity lockup, but I don't see why
it would cause any of the problems he's seeing, except inadvertently
by causing a different path through entry_64.S's syscall handling.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Dave Jones <davej@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/a6cd3b60a3f53afb6e1c8081b0ec30ff19003dd7.1416434075.git.luto@amacapital.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2014-11-20 23:01:53 +01:00
Johannes Berg a1d69c60c4 brcmfmac: don't include linux/unaligned/access_ok.h
This is a specific implementation, <asm/unaligned.h> is the
multiplexer that has the arch-specific knowledge of which
of the implementations needs to be used, so include that.

This issue was revealed by kbuild testing
when <asm/unaligned.h> was added in <linux/ieee80211.h>
resulting in redefinition of get_unaligned_be16 (and
probably others).

Cc: stable@vger.kernel.org # v3.17
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2014-11-20 14:46:45 -05:00
Alex Deucher 28731d5818 drm/radeon: fix endian swapping in vbios fetch for tdp table
Value needs to be swapped on BE.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2014-11-20 11:13:18 -05:00
Alex Deucher b7bc596ebb drm/radeon: disable native backlight control on pre-r6xx asics (v2)
Just use the acpi interface.  That's what windows uses on this
generation and it's the only thing that seems to work reliably
on these generation parts.

You can still force the native backlight interface by setting
radeon.backlight=1

Bug:
https://bugzilla.kernel.org/show_bug.cgi?id=88501

v2: merge into above if/else block

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2014-11-20 11:12:55 -05:00
Miklos Szeredi 7676895f47 ovl: ovl_dir_fsync() cleanup
Check against !OVL_PATH_LOWER instead of OVL_PATH_MERGE.  For a copied up
directory the two are currently equivalent.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
2014-11-20 16:40:02 +01:00
Miklos Szeredi 1d113735ec ovl: update MAINTAINERS
There's a union/overlay specific mailing list now.  Also add a git tree.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
2014-11-20 16:40:01 +01:00
Miklos Szeredi c9f00fdb9a ovl: pass dentry into ovl_dir_read_merged()
Pass dentry into ovl_dir_read_merged() insted of upperpath and lowerpath.
This cleans up callers and paves the way for multi-layer directory reads.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
2014-11-20 16:40:01 +01:00