1. 30 Apr, 2014 40 commits
    • Emmanuel Grumbach's avatar
      iwlwifi: dvm: take mutex when sending SYNC BT config command · 769ddc4b
      Emmanuel Grumbach authored
      commit 82e5a649 upstream.
      
      There is a flow in which we send the host command in SYNC
      mode, but we don't take priv->mutex.
      
      Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1046495Reviewed-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      [bwh: Backported to 3.2:
       - Adjust filename, context
       - mutex is priv->shrd->mutex]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      769ddc4b
    • Ajesh Kunhipurayil Vijayan's avatar
      jffs2: Fix crash due to truncation of csize · 65417cd8
      Ajesh Kunhipurayil Vijayan authored
      commit 41bf1a24 upstream.
      
      mounting JFFS2 partition sometimes crashes with this call trace:
      
      [ 1322.240000] Kernel bug detected[#1]:
      [ 1322.244000] Cpu 2
      [ 1322.244000] $ 0   : 0000000000000000 0000000000000018 000000003ff00070 0000000000000001
      [ 1322.252000] $ 4   : 0000000000000000 c0000000f3980150 0000000000000000 0000000000010000
      [ 1322.260000] $ 8   : ffffffffc09cd5f8 0000000000000001 0000000000000088 c0000000ed300de8
      [ 1322.268000] $12   : e5e19d9c5f613a45 ffffffffc046d464 0000000000000000 66227ba5ea67b74e
      [ 1322.276000] $16   : c0000000f1769c00 c0000000ed1e0200 c0000000f3980150 0000000000000000
      [ 1322.284000] $20   : c0000000f3a80000 00000000fffffffc c0000000ed2cfbd8 c0000000f39818f0
      [ 1322.292000] $24   : 0000000000000004 0000000000000000
      [ 1322.300000] $28   : c0000000ed2c0000 c0000000ed2cfab8 0000000000010000 ffffffffc039c0b0
      [ 1322.308000] Hi    : 000000000000023c
      [ 1322.312000] Lo    : 000000000003f802
      [ 1322.316000] epc   : ffffffffc039a9f8 check_tn_node+0x88/0x3b0
      [ 1322.320000]     Not tainted
      [ 1322.324000] ra    : ffffffffc039c0b0 jffs2_do_read_inode_internal+0x1250/0x1e48
      [ 1322.332000] Status: 5400f8e3    KX SX UX KERNEL EXL IE
      [ 1322.336000] Cause : 00800034
      [ 1322.340000] PrId  : 000c1004 (Netlogic XLP)
      [ 1322.344000] Modules linked in:
      [ 1322.348000] Process jffs2_gcd_mtd7 (pid: 264, threadinfo=c0000000ed2c0000, task=c0000000f0e68dd8, tls=0000000000000000)
      [ 1322.356000] Stack : c0000000f1769e30 c0000000ed010780 c0000000ed010780 c0000000ed300000
              c0000000f1769c00 c0000000f3980150 c0000000f3a80000 00000000fffffffc
              c0000000ed2cfbd8 ffffffffc039c0b0 ffffffffc09c6340 0000000000001000
              0000000000000dec ffffffffc016c9d8 c0000000f39805a0 c0000000f3980180
              0000008600000000 0000000000000000 0000000000000000 0000000000000000
              0001000000000dec c0000000f1769d98 c0000000ed2cfb18 0000000000010000
              0000000000010000 0000000000000044 c0000000f3a80000 c0000000f1769c00
              c0000000f3d207a8 c0000000f1769d98 c0000000f1769de0 ffffffffc076f9c0
              0000000000000009 0000000000000000 0000000000000000 ffffffffc039cf90
              0000000000000017 ffffffffc013fbdc 0000000000000001 000000010003e61c
              ...
      [ 1322.424000] Call Trace:
      [ 1322.428000] [<ffffffffc039a9f8>] check_tn_node+0x88/0x3b0
      [ 1322.432000] [<ffffffffc039c0b0>] jffs2_do_read_inode_internal+0x1250/0x1e48
      [ 1322.440000] [<ffffffffc039cf90>] jffs2_do_crccheck_inode+0x70/0xd0
      [ 1322.448000] [<ffffffffc03a1b80>] jffs2_garbage_collect_pass+0x160/0x870
      [ 1322.452000] [<ffffffffc03a392c>] jffs2_garbage_collect_thread+0xdc/0x1f0
      [ 1322.460000] [<ffffffffc01541c8>] kthread+0xb8/0xc0
      [ 1322.464000] [<ffffffffc0106d18>] kernel_thread_helper+0x10/0x18
      [ 1322.472000]
      [ 1322.472000]
      Code: 67bd0050  94a4002c  2c830001 <00038036> de050218  2403fffc  0080a82d  00431824  24630044
      [ 1322.480000] ---[ end trace b052bb90e97dfbf5 ]---
      
      The variable csize in structure jffs2_tmp_dnode_info is of type uint16_t, but it
      is used to hold the compressed data length(csize) which is declared as uint32_t.
      So, when the value of csize exceeds 16bits, it gets truncated when assigned to
      tn->csize. This is causing a kernel BUG.
      Changing the definition of csize in jffs2_tmp_dnode_info to uint32_t fixes the issue.
      Signed-off-by: default avatarAjesh Kunhipurayil Vijayan <ajesh@broadcom.com>
      Signed-off-by: default avatarKamlakant Patel <kamlakant.patel@broadcom.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      65417cd8
    • Kamlakant Patel's avatar
      jffs2: Fix segmentation fault found in stress test · 9634d073
      Kamlakant Patel authored
      commit 3367da56 upstream.
      
      Creating a large file on a JFFS2 partition sometimes crashes with this call
      trace:
      
      [  306.476000] CPU 13 Unable to handle kernel paging request at virtual address c0000000dfff8002, epc == ffffffffc03a80a8, ra == ffffffffc03a8044
      [  306.488000] Oops[#1]:
      [  306.488000] Cpu 13
      [  306.492000] $ 0   : 0000000000000000 0000000000000000 0000000000008008 0000000000008007
      [  306.500000] $ 4   : c0000000dfff8002 000000000000009f c0000000e0007cde c0000000ee95fa58
      [  306.508000] $ 8   : 0000000000000001 0000000000008008 0000000000010000 ffffffffffff8002
      [  306.516000] $12   : 0000000000007fa9 000000000000ff0e 000000000000ff0f 80e55930aebb92bb
      [  306.524000] $16   : c0000000e0000000 c0000000ee95fa5c c0000000efc80000 ffffffffc09edd70
      [  306.532000] $20   : ffffffffc2b60000 c0000000ee95fa58 0000000000000000 c0000000efc80000
      [  306.540000] $24   : 0000000000000000 0000000000000004
      [  306.548000] $28   : c0000000ee950000 c0000000ee95f738 0000000000000000 ffffffffc03a8044
      [  306.556000] Hi    : 00000000000574a5
      [  306.560000] Lo    : 6193b7a7e903d8c9
      [  306.564000] epc   : ffffffffc03a80a8 jffs2_rtime_compress+0x98/0x198
      [  306.568000]     Tainted: G        W
      [  306.572000] ra    : ffffffffc03a8044 jffs2_rtime_compress+0x34/0x198
      [  306.580000] Status: 5000f8e3    KX SX UX KERNEL EXL IE
      [  306.584000] Cause : 00800008
      [  306.588000] BadVA : c0000000dfff8002
      [  306.592000] PrId  : 000c1100 (Netlogic XLP)
      [  306.596000] Modules linked in:
      [  306.596000] Process dd (pid: 170, threadinfo=c0000000ee950000, task=c0000000ee6e0858, tls=0000000000c47490)
      [  306.608000] Stack : 7c547f377ddc7ee4 7ffc7f967f5d7fae 7f617f507fc37ff4 7e7d7f817f487f5f
              7d8e7fec7ee87eb3 7e977ff27eec7f9e 7d677ec67f917f67 7f3d7e457f017ed7
              7fd37f517f867eb2 7fed7fd17ca57e1d 7e5f7fe87f257f77 7fd77f0d7ede7fdb
              7fba7fef7e197f99 7fde7fe07ee37eb5 7f5c7f8c7fc67f65 7f457fb87f847e93
              7f737f3e7d137cd9 7f8e7e9c7fc47d25 7dbb7fac7fb67e52 7ff17f627da97f64
              7f6b7df77ffa7ec5 80057ef17f357fb3 7f767fa27dfc7fd5 7fe37e8e7fd07e53
              7e227fcf7efb7fa1 7f547e787fa87fcc 7fcb7fc57f5a7ffb 7fc07f6c7ea97e80
              7e2d7ed17e587ee0 7fb17f9d7feb7f31 7f607e797e887faa 7f757fdd7c607ff3
              7e877e657ef37fbd 7ec17fd67fe67ff7 7ff67f797ff87dc4 7eef7f3a7c337fa6
              7fe57fc97ed87f4b 7ebe7f097f0b8003 7fe97e2a7d997cba 7f587f987f3c7fa9
              ...
      [  306.676000] Call Trace:
      [  306.680000] [<ffffffffc03a80a8>] jffs2_rtime_compress+0x98/0x198
      [  306.684000] [<ffffffffc0394f10>] jffs2_selected_compress+0x110/0x230
      [  306.692000] [<ffffffffc039508c>] jffs2_compress+0x5c/0x388
      [  306.696000] [<ffffffffc039dc58>] jffs2_write_inode_range+0xd8/0x388
      [  306.704000] [<ffffffffc03971bc>] jffs2_write_end+0x16c/0x2d0
      [  306.708000] [<ffffffffc01d3d90>] generic_file_buffered_write+0xf8/0x2b8
      [  306.716000] [<ffffffffc01d4e7c>] __generic_file_aio_write+0x1ac/0x350
      [  306.720000] [<ffffffffc01d50a0>] generic_file_aio_write+0x80/0x168
      [  306.728000] [<ffffffffc021f7dc>] do_sync_write+0x94/0xf8
      [  306.732000] [<ffffffffc021ff6c>] vfs_write+0xa4/0x1a0
      [  306.736000] [<ffffffffc02202e8>] SyS_write+0x50/0x90
      [  306.744000] [<ffffffffc0116cc0>] handle_sys+0x180/0x1a0
      [  306.748000]
      [  306.748000]
      Code: 020b202d  0205282d  90a50000 <90840000> 14a40038  00000000  0060602d  0000282d  016c5823
      [  306.760000] ---[ end trace 79dd088435be02d0 ]---
      Segmentation fault
      
      This crash is caused because the 'positions' is declared as an array of signed
      short. The value of position is in the range 0..65535, and will be converted
      to a negative number when the position is greater than 32767 and causes a
      corruption and crash. Changing the definition to 'unsigned short' fixes this
      issue
      Signed-off-by: default avatarJayachandran C <jchandra@broadcom.com>
      Signed-off-by: default avatarKamlakant Patel <kamlakant.patel@broadcom.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9634d073
    • Li Zefan's avatar
      jffs2: avoid soft-lockup in jffs2_reserve_space_gc() · 62a9eee3
      Li Zefan authored
      commit 13b546d9 upstream.
      
      We triggered soft-lockup under stress test on 2.6.34 kernel.
      
      BUG: soft lockup - CPU#1 stuck for 60009ms! [lockf2.test:14488]
      ...
      [<bf09a4d4>] (jffs2_do_reserve_space+0x420/0x440 [jffs2])
      [<bf09a528>] (jffs2_reserve_space_gc+0x34/0x78 [jffs2])
      [<bf0a1350>] (jffs2_garbage_collect_dnode.isra.3+0x264/0x478 [jffs2])
      [<bf0a2078>] (jffs2_garbage_collect_pass+0x9c0/0xe4c [jffs2])
      [<bf09a670>] (jffs2_reserve_space+0x104/0x2a8 [jffs2])
      [<bf09dc48>] (jffs2_write_inode_range+0x5c/0x4d4 [jffs2])
      [<bf097d8c>] (jffs2_write_end+0x198/0x2c0 [jffs2])
      [<c00e00a4>] (generic_file_buffered_write+0x158/0x200)
      [<c00e14f4>] (__generic_file_aio_write+0x3a4/0x414)
      [<c00e15c0>] (generic_file_aio_write+0x5c/0xbc)
      [<c012334c>] (do_sync_write+0x98/0xd4)
      [<c0123a84>] (vfs_write+0xa8/0x150)
      [<c0123d74>] (sys_write+0x3c/0xc0)]
      
      Fix this by adding a cond_resched() in the while loop.
      
      [akpm@linux-foundation.org: don't initialize `ret']
      Signed-off-by: default avatarLi Zefan <lizefan@huawei.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      62a9eee3
    • Li Zefan's avatar
      jffs2: remove from wait queue after schedule() · 22af2c50
      Li Zefan authored
      commit 3ead9578 upstream.
      
      @wait is a local variable, so if we don't remove it from the wait queue
      list, later wake_up() may end up accessing invalid memory.
      
      This was spotted by eyes.
      Signed-off-by: default avatarLi Zefan <lizefan@huawei.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      22af2c50
    • Hidetoshi Seto's avatar
      Btrfs: skip submitting barrier for missing device · b58d5a52
      Hidetoshi Seto authored
      commit f88ba6a2 upstream.
      
      I got an error on v3.13:
       BTRFS error (device sdf1) in write_all_supers:3378: errno=-5 IO failure (errors while submitting device barriers.)
      
      how to reproduce:
        > mkfs.btrfs -f -d raid1 /dev/sdf1 /dev/sdf2
        > wipefs -a /dev/sdf2
        > mount -o degraded /dev/sdf1 /mnt
        > btrfs balance start -f -sconvert=single -mconvert=single -dconvert=single /mnt
      
      The reason of the error is that barrier_all_devices() failed to submit
      barrier to the missing device.  However it is clear that we cannot do
      anything on missing device, and also it is not necessary to care chunks
      on the missing device.
      
      This patch stops sending/waiting barrier if device is missing.
      Signed-off-by: default avatarHidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
      Signed-off-by: default avatarJosef Bacik <jbacik@fb.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b58d5a52
    • Himangi Saraogi's avatar
      staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer · de12340b
      Himangi Saraogi authored
      commit abe5d64d upstream.
      
      This patch fixes the following sparse warning :
      drivers/staging/serqt_usb2/serqt_usb2.c:727:40: warning: restricted __le16 degrades to integer
      Signed-off-by: default avatarHimangi Saraogi <himangi774@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      de12340b
    • Larry Finger's avatar
      rtlwifi: rtl8192se: Fix too long disable of IRQs · 721c5416
      Larry Finger authored
      commit 2610decd upstream.
      
      In commit f78bccd7 entitled "rtlwifi:
      rtl8192ce: Fix too long disable of IRQs", Olivier Langlois
      <olivier@trillion01.com> fixed a problem caused by an extra long disabling
      of interrupts. This patch makes the same fix for rtl8192se.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - Drop change to an error path that we don't have]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      721c5416
    • Roman Pen's avatar
      blktrace: fix accounting of partially completed requests · 5b85afa6
      Roman Pen authored
      commit af5040da upstream.
      
      trace_block_rq_complete does not take into account that request can
      be partially completed, so we can get the following incorrect output
      of blkparser:
      
        C   R 232 + 240 [0]
        C   R 240 + 232 [0]
        C   R 248 + 224 [0]
        C   R 256 + 216 [0]
      
      but should be:
      
        C   R 232 + 8 [0]
        C   R 240 + 8 [0]
        C   R 248 + 8 [0]
        C   R 256 + 8 [0]
      
      Also, the whole output summary statistics of completed requests and
      final throughput will be incorrect.
      
      This patch takes into account real completion size of the request and
      fixes wrong completion accounting.
      Signed-off-by: default avatarRoman Pen <r.peniaev@gmail.com>
      CC: Steven Rostedt <rostedt@goodmis.org>
      CC: Frederic Weisbecker <fweisbec@gmail.com>
      CC: Ingo Molnar <mingo@redhat.com>
      CC: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      [bwh: Backported to 3.2: drop change in blk-mq.c]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5b85afa6
    • Gregory CLEMENT's avatar
      usb: gadget: atmel_usba: fix crashed during stopping when DEBUG is enabled · 631f96b5
      Gregory CLEMENT authored
      commit d8eb6c65 upstream.
      
      commit 511f3c53 (usb: gadget: udc-core: fix a regression during gadget driver
      unbinding) introduced a crash when DEBUG is enabled.
      
      The debug trace in the atmel_usba_stop function made the assumption that the
      driver pointer passed in parameter was not NULL, but since the commit above,
      such assumption was no longer always true.
      
      This commit now uses the driver pointer stored in udc which fixes this
      issue.
      
      [ balbi@ti.com : improved commit log a bit ]
      Acked-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      631f96b5
    • Oleksij Rempel's avatar
      uvcvideo: Do not use usb_set_interface on bulk EP · 165f9a52
      Oleksij Rempel authored
      commit b1e43f23 upstream.
      
      The UVC specification uses alternate setting selection to notify devices
      of stream start/stop. This breaks when using bulk-based devices, as the
      video streaming interface has a single alternate setting in that case,
      making video stream start and video stream stop events to appear
      identical to the device. Bulk-based devices are thus not well supported
      by UVC.
      
      The webcam built in the Asus Zenbook UX302LA ignores the set interface
      request and will keep the video stream enabled when the driver tries to
      stop it. If USB autosuspend is enabled the device will then be suspended
      and will crash, requiring a cold reboot.
      
      USB trace capture showed that Windows sends a CLEAR_FEATURE(HALT)
      request to the bulk endpoint when stopping the stream instead of
      selecting alternate setting 0. The camera then behaves correctly, and
      thus seems to require that behaviour.
      
      Replace selection of alternate setting 0 with clearing of the endpoint
      halt feature at video stream stop for bulk-based devices. Let's refrain
      from blaming Microsoft this time, as it's not clear whether this
      Windows-specific but USB-compliant behaviour was specifically developed
      to handle bulkd-based UVC devices, or if the camera just took advantage
      of it.
      Signed-off-by: default avatarOleksij Rempel <linux@rempel-privat.de>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      165f9a52
    • Hannes Reinecke's avatar
      tty: Set correct tty name in 'active' sysfs attribute · 66f328f3
      Hannes Reinecke authored
      commit 723abd87 upstream.
      
      The 'active' sysfs attribute should refer to the currently active tty
      devices the console is running on, not the currently active console. The
      console structure doesn't refer to any device in sysfs, only the tty the
      console is running on has. So we need to print out the tty names in
      'active', not the console names.
      
      There is one special-case, which is tty0. If the console is directed to
      it, we want 'tty0' to show up in the file, so user-space knows that the
      messages get forwarded to the active VT. The ->device() callback would
      resolve tty0, though. Hence, treat it special and don't call into the VT
      layer to resolve it (plymouth is known to depend on it).
      
      Cc: Lennart Poettering <lennart@poettering.net>
      Cc: Kay Sievers <kay@vrfy.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWerner Fink <werner@suse.de>
      Signed-off-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: no TTY_DRIVER_UNNUMBERED_NODE case in tty_line_name()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      66f328f3
    • Wolfram Sang's avatar
      media: gspca: sn9c20x: add ID for Genius Look 1320 V2 · 4a4033cb
      Wolfram Sang authored
      commit 61f03191 upstream.
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a4033cb
    • Huang Rui's avatar
      usb: dwc3: fix wrong bit mask in dwc3_event_devt · 8359dbeb
      Huang Rui authored
      commit 06f9b6e5 upstream.
      
      Around DWC USB3 2.30a release another bit has been added to the
      Device-Specific Event (DEVT) Event Information (EvtInfo) bitfield.
      
      Because of that, what used to be 8 bits long, has become 9 bits long.
      
      Per dwc3 2.30a+ spec in the Device-Specific Event (DEVT), the field of
      Event Information Bits(EvtInfo) uses [24:16] bits, and it has 9 bits
      not 8 bits. And the following reserved field uses [31:25] bits not
      [31:24] bits, and it has 7 bits.
      
      So in dwc3_event_devt, the bit mask should be:
      event_info	[24:16]		9 bits
      reserved31_25	[31:25]		7 bits
      
      This patch makes sure that newer core releases will work fine with
      Linux and that we will decode the event information properly on new
      core releases.
      
      [ balbi@ti.com : improve commit log a bit ]
      Signed-off-by: default avatarHuang Rui <ray.huang@amd.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8359dbeb
    • Paul Gortmaker's avatar
      hvc: ensure hvc_init is only ever called once in hvc_console.c · d666ac7d
      Paul Gortmaker authored
      commit f76a1cbe upstream.
      
      Commit 3e6c6f63 ("Delay creation of
      khcvd thread") moved the call of hvc_init from being a device_initcall
      into hvc_alloc, and used a non-null hvc_driver as indication of whether
      hvc_init had already been called.
      
      The problem with this is that hvc_driver is only assigned a value
      at the bottom of hvc_init, and so there is a window where multiple
      hvc_alloc calls can be in progress at the same time and hence try
      and call hvc_init multiple times.  Previously the use of device_init
      guaranteed that hvc_init was only called once.
      
      This manifests itself as sporadic instances of two hvc_init calls
      racing each other, and with the loser of the race getting -EBUSY
      from tty_register_driver() and hence that virtual console fails:
      
          Couldn't register hvc console driver
          virtio-ports vport0p1: error -16 allocating hvc for port
      
      Here we add an atomic_t to guarantee we'll never run hvc_init twice.
      
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Fixes: 3e6c6f63 ("Delay creation of khcvd thread")
      Reported-by: default avatarJim Somerville <Jim.Somerville@windriver.com>
      Tested-by: default avatarJim Somerville <Jim.Somerville@windriver.com>
      Signed-off-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d666ac7d
    • Mikulas Patocka's avatar
      tgafb: fix data copying · 1c579197
      Mikulas Patocka authored
      commit 6b0df682 upstream.
      
      The functions for data copying copyarea_foreward_8bpp and
      copyarea_backward_8bpp are buggy, they produce screen corruption.
      
      This patch fixes the functions and moves the logic to one function
      "copyarea_8bpp". For simplicity, the function only handles copying that
      is aligned on 8 pixes. If we copy an unaligned area, generic function
      cfb_copyarea is used.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1c579197
    • Mikulas Patocka's avatar
      mach64: fix cursor when character width is not a multiple of 8 pixels · 9542ff41
      Mikulas Patocka authored
      commit 43751a1b upstream.
      
      This patch fixes the hardware cursor on mach64 when font width is not a
      multiple of 8 pixels.
      
      If you load such a font, the cursor is expanded to the next 8-byte
      boundary and a part of the next character after the cursor is not
      visible.
      For example, when you load a font with 12-pixel width, the cursor width
      is 16 pixels and when the cursor is displayed, 4 pixels of the next
      character are not visible.
      
      The reason is this: atyfb_cursor is called with proper parameters to
      load an image that is 12-pixel wide. However, the number is aligned on
      the next 8-pixel boundary on the line
      "unsigned int width = (cursor->image.width + 7) >> 3;" and the whole
      function acts as it is was loading a 16-pixel image.
      
      This patch fixes it so that the value written to the framebuffer is
      padded with 0xaaaa (the transparent pattern) when the image size it not
      a multiple of 8 pixels. The transparent pattern causes that the cursor
      will not interfere with the next character.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9542ff41
    • Mikulas Patocka's avatar
      mach64: use unaligned access · 1a2417a2
      Mikulas Patocka authored
      commit c29dd869 upstream.
      
      This patch fixes mach64 to use unaligned access to the font bitmap.
      
      This fixes unaligned access warning on sparc64 when 14x8 font is loaded.
      
      On x86(64), unaligned access is handled in hardware, so both functions
      le32_to_cpup and get_unaligned_le32 perform the same operation.
      
      On RISC machines, unaligned access is not handled in hardware, so we
      better use get_unaligned_le32 to avoid the unaligned trap and warning.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1a2417a2
    • Mikulas Patocka's avatar
      framebuffer: fix cfb_copyarea · eda5fd3e
      Mikulas Patocka authored
      commit 00a9d699 upstream.
      
      The function cfb_copyarea is buggy when the copy operation is not aligned on
      long boundary (4 bytes on 32-bit machines, 8 bytes on 64-bit machines).
      
      How to reproduce:
      - use x86-64 machine
      - use a framebuffer driver without acceleration (for example uvesafb)
      - set the framebuffer to 8-bit depth
      	(for example fbset -a 1024x768-60 -depth 8)
      - load a font with character width that is not a multiple of 8 pixels
      	note: the console-tools package cannot load a font that has
      	width different from 8 pixels. You need to install the packages
      	"kbd" and "console-terminus" and use the program "setfont" to
      	set font width (for example: setfont Uni2-Terminus20x10)
      - move some text left and right on the bash command line and you get a
      	screen corruption
      
      To expose more bugs, put this line to the end of uvesafb_init_info:
      info->flags |= FBINFO_HWACCEL_COPYAREA | FBINFO_READS_FAST;
      - Now framebuffer console will use cfb_copyarea for console scrolling.
      You get a screen corruption when console is scrolled.
      
      This patch is a rewrite of cfb_copyarea. It fixes the bugs, with this
      patch, console scrolling in 8-bit depth with a font width that is not a
      multiple of 8 pixels works fine.
      
      The cfb_copyarea code was very buggy and it looks like it was written
      and never tried with non-8-pixel font.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eda5fd3e
    • Mikulas Patocka's avatar
      matroxfb: restore the registers M_ACCESS and M_PITCH · ac572a61
      Mikulas Patocka authored
      commit a772d473 upstream.
      
      When X11 is running and the user switches back to console, the card
      modifies the content of registers M_MACCESS and M_PITCH in periodic
      intervals.
      
      This patch fixes it by restoring the content of these registers before
      issuing any accelerator command.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ac572a61
    • Will Deacon's avatar
      ARM: 7954/1: mm: remove remaining domain support from ARMv6 · 2324f8a2
      Will Deacon authored
      commit b6ccb980 upstream.
      
      CPU_32v6 currently selects CPU_USE_DOMAINS if CPU_V6 and MMU. This is
      because ARM 1136 r0pX CPUs lack the v6k extensions, and therefore do
      not have hardware thread registers. The lack of these registers requires
      the kernel to update the vectors page at each context switch in order to
      write a new TLS pointer. This write must be done via the userspace
      mapping, since aliasing caches can lead to expensive flushing when using
      kmap. Finally, this requires the vectors page to be mapped r/w for
      kernel and r/o for user, which has implications for things like put_user
      which must trigger CoW appropriately when targetting user pages.
      
      The upshot of all this is that a v6/v7 kernel makes use of domains to
      segregate kernel and user memory accesses. This has the nasty
      side-effect of making device mappings executable, which has been
      observed to cause subtle bugs on recent cores (e.g. Cortex-A15
      performing a speculative instruction fetch from the GIC and acking an
      interrupt in the process).
      
      This patch solves this problem by removing the remaining domain support
      from ARMv6. A new memory type is added specifically for the vectors page
      which allows that page (and only that page) to be mapped as user r/o,
      kernel r/w. All other user r/o pages are mapped also as kernel r/o.
      Patch co-developed with Russell King.
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      [bwh: Backported to 3.2:
       - Adjust filename, context
       - Drop condition on CONFIG_ARM_LPAE]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2324f8a2
    • Will Deacon's avatar
      ARM: mm: introduce present, faulting entries for PAGE_NONE · 960bd8ae
      Will Deacon authored
      commit 26ffd0d4 upstream.
      
      PROT_NONE mappings apply the page protection attributes defined by _P000
      which translate to PAGE_NONE for ARM. These attributes specify an XN,
      RDONLY pte that is inaccessible to userspace. However, on kernels
      configured without support for domains, such a pte *is* accessible to
      the kernel and can be read via get_user, allowing tasks to read
      PROT_NONE pages via syscalls such as read/write over a pipe.
      
      This patch introduces a new software pte flag, L_PTE_NONE, that is set
      to identify faulting, present entries.
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      [bwh: Backported to 3.2 as dependency of commit b6ccb980
       ('ARM: 7954/1: mm: remove remaining domain support from ARMv6'):
       - Drop 3-level changes
       - Adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      960bd8ae
    • David Fries's avatar
      w1: fix w1_send_slave dropping a slave id · 25f60b03
      David Fries authored
      commit 6b355b33 upstream.
      
      Previous logic,
      if (avail > 8) {
      	store slave;
      	return;
      }
      send data; clear;
      
      The logic error is, if there isn't space send the buffer and clear,
      but the slave wasn't added to the now empty buffer loosing that slave
      id.  It also should have been "if (avail >= 8)" because when it is 8,
      there is space.
      
      Instead, if there isn't space send and clear the buffer, then there is
      always space for the slave id.
      Signed-off-by: default avatarDavid Fries <David@Fries.net>
      Acked-by: default avatarEvgeniy Polyakov <zbr@ioremap.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      25f60b03
    • Jani Nikula's avatar
      drm/i915: quirk invert brightness for Acer Aspire 5336 · fd87fcdb
      Jani Nikula authored
      commit 0f540c3a upstream.
      
      Since
      commit ee1452d7
      Author: Jani Nikula <jani.nikula@intel.com>
      Date:   Fri Sep 20 15:05:30 2013 +0300
      
          drm/i915: assume all GM45 Acer laptops use inverted backlight PWM
      
      failed and was later reverted in
      commit be505f64
      Author: Alexander van Heukelum <heukelum@fastmail.fm>
      Date:   Sat Dec 28 21:00:39 2013 +0100
      
          Revert "drm/i915: assume all GM45 Acer laptops use inverted backlight PWM"
      
      fix the individual broken machine instead.
      
      Note to backporters:
      
      http://patchwork.freedesktop.org/patch/17837/
      
      is the patch you want for 3.13 and older.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=54171
      Reference: http://mid.gmane.org/DUB115-W7628C7C710EA51AA110CD4A5000@phx.gblSigned-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      [danvet: Patch mangling for 3.14 plus adding the link to the original
      for 3.13.]
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fd87fcdb
    • Daniel Vetter's avatar
      drm/i915: inverted brightness quirk for Acer Aspire 4736Z · dfd8ed90
      Daniel Vetter authored
      commit ac4199e0 upstream.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=53881
      Cc: Jani Nikula <jani.nikula@intel.com>
      Tested-by: default avatarJani Monoses <jani@ubuntu.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dfd8ed90
    • Sabrina Dubroca's avatar
      ipv6: don't set DST_NOCOUNT for remotely added routes · 5aa3bcdd
      Sabrina Dubroca authored
      commit c88507fb upstream.
      
      DST_NOCOUNT should only be used if an authorized user adds routes
      locally. In case of routes which are added on behalf of router
      advertisments this flag must not get used as it allows an unlimited
      number of routes getting added remotely.
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5aa3bcdd
    • Dave Kleikamp's avatar
      sparc64: don't treat 64-bit syscall return codes as 32-bit · b2d56d0f
      Dave Kleikamp authored
      [ Upstream commit 1535bd8a ]
      
      When checking a system call return code for an error,
      linux_sparc_syscall was sign-extending the lower 32-bit value and
      comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return
      codes whose lower 32-bits alone would indicate a failure (such as 4G-1).
      Use the whole 64-bit value to check for errors. Only the 32-bit path
      should sign extend the lower 32-bit value.
      Signed-off-by: default avatarDave Kleikamp <dave.kleikamp@oracle.com>
      Acked-by: default avatarBob Picco <bob.picco@oracle.com>
      Acked-by: default avatarAllen Pais <allen.pais@oracle.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: sparclinux@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b2d56d0f
    • Paul Gortmaker's avatar
      sparc32: fix build failure for arch_jump_label_transform · 8a937060
      Paul Gortmaker authored
      [ Upstream commit 4f6500ff ]
      
      In arch/sparc/Kernel/Makefile, we see:
      
         obj-$(CONFIG_SPARC64)   += jump_label.o
      
      However, the Kconfig selects HAVE_ARCH_JUMP_LABEL unconditionally
      for all SPARC.  This in turn leads to the following failure when
      doing allmodconfig coverage builds:
      
      kernel/built-in.o: In function `__jump_label_update':
      jump_label.c:(.text+0x8560c): undefined reference to `arch_jump_label_transform'
      kernel/built-in.o: In function `arch_jump_label_transform_static':
      (.text+0x85cf4): undefined reference to `arch_jump_label_transform'
      make: *** [vmlinux] Error 1
      
      Change HAVE_ARCH_JUMP_LABEL to be conditional on SPARC64 so that it
      matches the Makefile.
      Signed-off-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8a937060
    • Dave Kleikamp's avatar
      Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines." · ab29430a
      Dave Kleikamp authored
      [ Upstream commit 16932237 ]
      
      This reverts commit 145e1c00.
      
      This commit broke the behavior of __copy_from_user_inatomic when
      it is only partially successful. Instead of returning the number
      of bytes not copied, it now returns 1. This translates to the
      wrong value being returned by iov_iter_copy_from_user_atomic.
      
      xfstests generic/246 and LTP writev01 both fail on btrfs and nfs
      because of this.
      Signed-off-by: default avatarDave Kleikamp <dave.kleikamp@oracle.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: sparclinux@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ab29430a
    • oftedal's avatar
      sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on Simba-bridges · 0fc0d40b
      oftedal authored
      [ Upstream commit 557fc587 ]
      
      The SIMBA APB Bridges lacks the 'ranges' of-property describing the
      PCI I/O and memory areas located beneath the bridge. Faking this
      information has been performed by reading range registers in the
      APB bridge, and calculating the corresponding areas.
      
      In commit 01f94c4a
      ("Fix sabre pci controllers with new probing scheme.") a bug was
      introduced into this calculation, causing the PCI memory areas
      to be calculated incorrectly: The shift size was set to be
      identical for I/O and MEM ranges, which is incorrect.
      
      This patch set the shift size of the MEM range back to the
      value used before 01f94c4a.
      Signed-off-by: default avatarKjetil Oftedal <oftedal@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0fc0d40b
    • Sasha Levin's avatar
      rds: prevent dereference of a NULL device in rds_iw_laddr_check · 710da494
      Sasha Levin authored
      [ Upstream commit bf39b424 ]
      
      Binding might result in a NULL device which is later dereferenced
      without checking.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      710da494
    • Dan Carpenter's avatar
      isdnloop: several buffer overflows · a0035ead
      Dan Carpenter authored
      [ Upstream commit 7563487c ]
      
      There are three buffer overflows addressed in this patch.
      
      1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
      then copy it into a 60 character buffer.  I have made the destination
      buffer 64 characters and I'm changed the sprintf() to a snprintf().
      
      2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
      character buffer so we have 54 characters.  The ->eazlist[] is 11
      characters long.  I have modified the code to return if the source
      buffer is too long.
      
      3) In isdnloop_command() the cbuf[] array was 60 characters long but the
      max length of the string then can be up to 79 characters.  I made the
      cbuf array 80 characters long and changed the sprintf() to snprintf().
      I also removed the temporary "dial" buffer and changed it to use "p"
      directly.
      
      Unfortunately, we pass the "cbuf" string from isdnloop_command() to
      isdnloop_writecmd() which truncates anything over 60 characters to make
      it fit in card->omsg[].  (It can accept values up to 255 characters so
      long as there is a '\n' character every 60 characters).  For now I have
      just fixed the memory corruption bug and left the other problems in this
      driver alone.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a0035ead
    • YOSHIFUJI Hideaki / 吉藤英明's avatar
      isdnloop: Validate NUL-terminated strings from user. · b6de0f96
      YOSHIFUJI Hideaki / 吉藤英明 authored
      [ Upstream commit 77bc6bed ]
      
      Return -EINVAL unless all of user-given strings are correctly
      NUL-terminated.
      Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b6de0f96
    • Pablo Neira's avatar
      netlink: don't compare the nul-termination in nla_strcmp · e78fe1b4
      Pablo Neira authored
      [ Upstream commit 8b7b9324 ]
      
      nla_strcmp compares the string length plus one, so it's implicitly
      including the nul-termination in the comparison.
      
       int nla_strcmp(const struct nlattr *nla, const char *str)
       {
              int len = strlen(str) + 1;
              ...
                      d = memcmp(nla_data(nla), str, len);
      
      However, if NLA_STRING is used, userspace can send us a string without
      the nul-termination. This is a problem since the string
      comparison will not match as the last byte may be not the
      nul-termination.
      
      Fix this by skipping the comparison of the nul-termination if the
      attribute data is nul-terminated. Suggested by Thomas Graf.
      
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e78fe1b4
    • Hannes Frederic Sowa's avatar
      ipv6: some ipv6 statistic counters failed to disable bh · 4af949fd
      Hannes Frederic Sowa authored
      [ Upstream commit 43a43b60 ]
      
      After commit c15b1cca ("ipv6: move DAD and addrconf_verify
      processing to workqueue") some counters are now updated in process context
      and thus need to disable bh before doing so, otherwise deadlocks can
      happen on 32-bit archs. Fabio Estevam noticed this while while mounting
      a NFS volume on an ARM board.
      
      As a compensation for missing this I looked after the other *_STATS_BH
      and found three other calls which need updating:
      
      1) icmp6_send: ip6_fragment -> icmpv6_send -> icmp6_send (error handling)
      2) ip6_push_pending_frames: rawv6_sendmsg -> rawv6_push_pending_frames -> ...
         (only in case of icmp protocol with raw sockets in error handling)
      3) ping6_v6_sendmsg (error handling)
      
      Fixes: c15b1cca ("ipv6: move DAD and addrconf_verify processing to workqueue")
      Reported-by: default avatarFabio Estevam <festevam@gmail.com>
      Tested-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4af949fd
    • Paul Durrant's avatar
      xen-netback: remove pointless clause from if statement · 4399eeb6
      Paul Durrant authored
      [ Upstream commit 0576eddf ]
      
      This patch removes a test in start_new_rx_buffer() that checks whether
      a copy operation is less than MAX_BUFFER_OFFSET in length, since
      MAX_BUFFER_OFFSET is defined to be PAGE_SIZE and the only caller of
      start_new_rx_buffer() already limits copy operations to PAGE_SIZE or less.
      Signed-off-by: default avatarPaul Durrant <paul.durrant@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Sander Eikelenboom <linux@eikelenboom.it>
      Reported-By: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Tested-By: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4399eeb6
    • Michael S. Tsirkin's avatar
      vhost: validate vhost_get_vq_desc return value · 4334fca3
      Michael S. Tsirkin authored
      [ Upstream commit a39ee449 ]
      
      vhost fails to validate negative error code
      from vhost_get_vq_desc causing
      a crash: we are using -EFAULT which is 0xfffffff2
      as vector size, which exceeds the allocated size.
      
      The code in question was introduced in commit
      8dd014ad
          vhost-net: mergeable buffers support
      
      CVE-2014-0055
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4334fca3
    • Michael S. Tsirkin's avatar
      vhost: fix total length when packets are too short · cb505037
      Michael S. Tsirkin authored
      [ Upstream commit d8316f39 ]
      
      When mergeable buffers are disabled, and the
      incoming packet is too large for the rx buffer,
      get_rx_bufs returns success.
      
      This was intentional in order for make recvmsg
      truncate the packet and then handle_rx would
      detect err != sock_len and drop it.
      
      Unfortunately we pass the original sock_len to
      recvmsg - which means we use parts of iov not fully
      validated.
      
      Fix this up by detecting this overrun and doing packet drop
      immediately.
      
      CVE-2014-0077
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cb505037
    • lucien's avatar
      ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly · ea1e320e
      lucien authored
      [ Upstream commit e367c2d0 ]
      
      In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
      transport),the ipsec header need to be added in the first fragment, so the mtu
      will decrease to reserve space for it, then the second fragment come, the mtu
      should be turn back, as the commit 0c183379
      said.  however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
      *mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
      equal with the first fragment's. and cannot turn back.
      
      when I test through  ping6 -c1 -s5000 $ip (mtu=1280):
      ...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
      ...frag (1232|1216)
      ...frag (2448|1216)
      ...frag (3664|1216)
      ...frag (4880|164)
      
      which should be:
      ...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
      ...frag (1232|1232)
      ...frag (2464|1232)
      ...frag (3696|1232)
      ...frag (4928|116)
      
      so delete the min() when change back the mtu.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Fixes: 75a493e6 ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ea1e320e
    • Heiner Kallweit's avatar
      ipv6: Avoid unnecessary temporary addresses being generated · 49ff1279
      Heiner Kallweit authored
      [ Upstream commit ecab6701 ]
      
      tmp_prefered_lft is an offset to ifp->tstamp, not now. Therefore
      age needs to be added to the condition.
      
      Age calculation in ipv6_create_tempaddr is different from the one
      in addrconf_verify and doesn't consider ADDRCONF_TIMER_FUZZ_MINUS.
      This can cause age in ipv6_create_tempaddr to be less than the one
      in addrconf_verify and therefore unnecessary temporary address to
      be generated.
      Use age calculation as in addrconf_modify to avoid this.
      Signed-off-by: default avatarHeiner Kallweit <heiner.kallweit@web.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      49ff1279