1. 24 7月, 2014 2 次提交
  2. 22 7月, 2014 12 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 15ba2236
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Null termination fix in dns_resolver got the pointer dereferncing
          wrong, fix from Ben Hutchings.
      
       2) ip_options_compile() has a benign but real buffer overflow when
          parsing options.  From Eric Dumazet.
      
       3) Table updates can crash in netfilter's nftables if none of the state
          flags indicate an actual change, from Pablo Neira Ayuso.
      
       4) Fix race in nf_tables dumping, also from Pablo.
      
       5) GRE-GRO support broke the forwarding path because the segmentation
          state was not fully initialized in these paths, from Jerry Chu.
      
       6) sunvnet driver leaks objects and potentially crashes on module
          unload, from Sowmini Varadhan.
      
       7) We can accidently generate the same handle for several u32
          classifier filters, fix from Cong Wang.
      
       8) Several edge case bug fixes in fragment handling in xen-netback,
          from Zoltan Kiss.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (21 commits)
        ipv4: fix buffer overflow in ip_options_compile()
        batman-adv: fix TT VLAN inconsistency on VLAN re-add
        batman-adv: drop QinQ claim frames in bridge loop avoidance
        dns_resolver: Null-terminate the right string
        xen-netback: Fix pointer incrementation to avoid incorrect logging
        xen-netback: Fix releasing header slot on error path
        xen-netback: Fix releasing frag_list skbs in error path
        xen-netback: Fix handling frag_list on grant op error path
        net_sched: avoid generating same handle for u32 filters
        net: huawei_cdc_ncm: add "subclass 3" devices
        net: qmi_wwan: add two Sierra Wireless/Netgear devices
        wan/x25_asy: integer overflow in x25_asy_change_mtu()
        net: ppp: fix creating PPP pass and active filters
        net/mlx4_en: cq->irq_desc wasn't set in legacy EQ's
        sunvnet: clean up objects created in vnet_new() on vnet_exit()
        r8169: Enable RX_MULTI_EN for RTL_GIGA_MAC_VER_40
        net-gre-gro: Fix a bug that breaks the forwarding path
        netfilter: nf_tables: 64bit stats need some extra synchronization
        netfilter: nf_tables: set NLM_F_DUMP_INTR if netlink dumping is stale
        netfilter: nf_tables: safe RCU iteration on list when dumping
        ...
      15ba2236
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 89faa06e
      Linus Torvalds 提交于
      Pull sparc fix from David Miller:
       "Need to hook up the new renameat2 system call"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Hook up renameat2 syscall.
      89faa06e
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide · 14867719
      Linus Torvalds 提交于
      Pull IDE fixes from David Miller:
       - fix interrupt registry for some Atari IDE chipsets.
       - adjust Kconfig dependencies for x86_32 specific chips.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide:
        ide: Fix SC1200 dependencies
        ide: Fix CS5520 and CS5530 dependencies
        m68k/atari - ide: do not register interrupt if host->get_lock is set
      14867719
    • L
      Merge tag 'trace-fixes-v3.16-rc6' of... · 8dcc3be2
      Linus Torvalds 提交于
      Merge tag 'trace-fixes-v3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
      
      Pull trace fix from Steven Rostedt:
       "Tony Luck found that using the "uptime" trace clock that uses jiffies
        as a counter was converted to nanoseconds (silly), and after 1 hour 11
        minutes and 34 seconds, this monotonic clock would wrap, causing havoc
        with the tracing system and making the clock useless.
      
        He converted that clock to use jiffies_64 and made it into a counter
        instead of nanosecond conversions, and displayed the clock with the
        straight jiffy count, which works much better than it did in the past"
      
      * tag 'trace-fixes-v3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix wraparound problems in "uptime" trace clock
      8dcc3be2
    • D
      sparc: Hook up renameat2 syscall. · 26053926
      David S. Miller 提交于
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      26053926
    • D
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 850717ef
      David S. Miller 提交于
      Antonio Quartulli says:
      
      ====================
      pull request [net]: batman-adv 20140721
      
      here you have two fixes that we have been testing for quite some time
      (this is why they arrived a bit late in the rc cycle).
      
      Patch 1) ensures that BLA packets get dropped and not forwarded to the
      mesh even if they reach batman-adv within QinQ frames. Forwarding them
      into the mesh means messing up with the TT database of other nodes which
      can generate all kind of unexpected behaviours during route computation.
      
      Patch 2) avoids a couple of race conditions triggered upon fast VLAN
      deletion-addition. Such race conditions are pretty dangerous because
      they not only create inconsistencies in the TT database of the nodes
      in the network, but such scenario is also unrecoverable (unless
      nodes are rebooted).
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      850717ef
    • E
      ipv4: fix buffer overflow in ip_options_compile() · 10ec9472
      Eric Dumazet 提交于
      There is a benign buffer overflow in ip_options_compile spotted by
      AddressSanitizer[1] :
      
      Its benign because we always can access one extra byte in skb->head
      (because header is followed by struct skb_shared_info), and in this case
      this byte is not even used.
      
      [28504.910798] ==================================================================
      [28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
      [28504.913170] Read of size 1 by thread T15843:
      [28504.914026]  [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
      [28504.915394]  [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
      [28504.916843]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
      [28504.918175]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
      [28504.919490]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
      [28504.920835]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
      [28504.922208]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
      [28504.923459]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
      [28504.924722]
      [28504.925106] Allocated by thread T15843:
      [28504.925815]  [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
      [28504.926884]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
      [28504.927975]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
      [28504.929175]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
      [28504.930400]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
      [28504.931677]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
      [28504.932851]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
      [28504.934018]
      [28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
      [28504.934377]  of 40-byte region [ffff880026382800, ffff880026382828)
      [28504.937144]
      [28504.937474] Memory state around the buggy address:
      [28504.938430]  ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.939884]  ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.941294]  ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.942504]  ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.943483]  ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
      [28504.945573]                         ^
      [28504.946277]  ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.094949]  ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.096114]  ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.097116]  ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.098472]  ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
      [28505.099804] Legend:
      [28505.100269]  f - 8 freed bytes
      [28505.100884]  r - 8 redzone bytes
      [28505.101649]  . - 8 allocated bytes
      [28505.102406]  x=1..7 - x allocated bytes + (8-x) redzone bytes
      [28505.103637] ==================================================================
      
      [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernelSigned-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      10ec9472
    • L
      Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 67dd8f35
      Linus Torvalds 提交于
      Pull media fixes from Mauro Carvalho Chehab:
       "A series of driver fixes:
         - fix DVB-S tuning with tda1071
         - fix tuner probe on af9035 when the device has a bad eeprom
         - some fixes for the new si2168/2157 drivers
         - one Kconfig build fix (for omap4iss)
         - fixes at vpif error path
         - don't lock saa7134 ioctl at driver's base core level, as it now
           uses V4L2 and VB2 locking schema
         - fix audio at hdpvr driver
         - fix the aspect ratio at the digital timings table
         - one new USB ID (at gspca_pac7302): Genius i-Look 317 webcam"
      
      * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] gspca_pac7302: Add new usb-id for Genius i-Look 317
        [media] tda10071: fix returned symbol rate calculation
        [media] tda10071: fix spec inversion reporting
        [media] tda10071: add missing DVB-S2/PSK-8 FEC AUTO
        [media] tda10071: force modulation to QPSK on DVB-S
        [media] hdpvr: fix two audio bugs
        [media] davinci: vpif: missing unlocks on error
        [media] af9035: override tuner id when bad value set into eeprom
        [media] saa7134: use unlocked_ioctl instead of ioctl
        [media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio
        [media] si2168: firmware download fix
        [media] si2157: add one missing parenthesis
        [media] si2168: add one missing parenthesis
        [media] staging: tighten omap4iss dependencies
      67dd8f35
    • L
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 6890ad4b
      Linus Torvalds 提交于
      Pull block fixes from Jens Axboe:
       "Final block fixes for 3.16
      
        Four small fixes that should go into 3.16, have been queued up for a
        bit and delayed due to vacation and other euro duties.  But here they
        are.  The pull request contains:
      
         - Fix for a reported crash with shared tagging on SCSI from Christoph
      
         - A regression fix for drbd.  From Lars Ellenberg.
      
         - Hooking up the compat ioctl for BLKZEROOUT, which requires no
           translation.  From Mikulas.
      
      - A fix for a regression where we woud crash on queue exit if the
        root_blkg is gone/not there. From Tejun"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        block: provide compat ioctl for BLKZEROOUT
        blkcg: don't call into policy draining if root_blkg is already gone
        drbd: fix regression 'out of mem, failed to invoke fence-peer helper'
        block: don't assume last put of shared tags is for the host
      6890ad4b
    • L
      Merge branch 'for-3.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · d6e6c48e
      Linus Torvalds 提交于
      Pull libata fixes from Tejun Heo:
       "Late libata fixes.
      
        The most important one is from Kevin Hao which makes sure that libata
        only allocates tags inside the max tag number the controller supports.
        libata always had this problem but the recent tag allocation change
        and addition of support for sata_fsl which only supports queue depth
        of 16 exposed the issue.
      
        Hans de Goede agreed to become the maintainer of libahci_platform
        which is under higher than usual development pressure from all the new
        controllers popping up from the ARM world"
      
      * 'for-3.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode)
        drivers/ata/pata_ep93xx.c: use signed int type for result of platform_get_irq()
        libata: EH should handle AMNF error condition as a media error
        libata: support the ata host which implements a queue depth less than 32
        MAINTAINERS: Add Hans de Goede as ahci-platform maintainer
      d6e6c48e
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 5b2b9d77
      Linus Torvalds 提交于
      Pull kvm fixes from Paolo Bonzini:
       "These are mostly PPC changes for 3.16-new things.  However, there is
        an x86 change too and it is a regression from 3.14.  As it only
        affects nested virtualization and there were other changes in this
        area in 3.16, I am not nominating it for 3.15-stable"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Check for nested events if there is an injectable interrupt
        KVM: PPC: RTAS: Do byte swaps explicitly
        KVM: PPC: Book3S PR: Fix ABIv2 on LE
        KVM: PPC: Assembly functions exported to modules need _GLOBAL_TOC()
        PPC: Add _GLOBAL_TOC for 32bit
        KVM: PPC: BOOK3S: HV: Use base page size when comparing against slb value
        KVM: PPC: Book3E: Unlock mmu_lock when setting caching atttribute
      5b2b9d77
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 80d6191e
      Linus Torvalds 提交于
      Pull s390 fixes from Martin Schwidefsky:
       "A couple of last minute bug fixes for 3.16, including a fix for ptrace
        to close a hole which allowed a user space program to write to the
        kernel address space"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: fix restore of invalid floating-point-control
        s390/zcrypt: improve device probing for zcrypt adapter cards
        s390/ptrace: fix PSW mask check
        s390/MSI: Use standard mask and unmask funtions
        s390/3270: correct size detection with the read-partition command
        s390: require mvcos facility, not tod clock steering facility
      80d6191e
  3. 21 7月, 2014 19 次提交
  4. 20 7月, 2014 7 次提交
    • R
      um: segv: Save regs only in case of a kernel mode fault · bb6a1b2e
      Richard Weinberger 提交于
      ...otherwise me lose user mode regs and the resulting
      stack trace is useless.
      Signed-off-by: NRichard Weinberger <richard@nod.at>
      bb6a1b2e
    • R
      um: Fix hung task in fix_range_common() · 468f6597
      Richard Weinberger 提交于
      If do_ops() fails we have to release current->mm->mmap_sem
      otherwise the failing task will never terminate.
      Reported-by: NToralf Förster <toralf.foerster@gmx.de>
      Signed-off-by: NRichard Weinberger <richard@nod.at>
      468f6597
    • R
      um: Ensure that a stub page cannot get unmapped · 284e6d39
      Richard Weinberger 提交于
      Trinity discovered an execution path such that a task
      can unmap his stub page.
      Reported-by: NToralf Förster <toralf.foerster@gmx.de>
      Signed-off-by: NRichard Weinberger <richard@nod.at>
      284e6d39
    • R
      Revert "um: Fix wait_stub_done() error handling" · ae5db6d1
      Richard Weinberger 提交于
      This reverts commit 0974a9ca.
      The real for for that issue is to release current->mm->mmap_sem in
      fix_range_common().
      Signed-off-by: NRichard Weinberger <richard@nod.at>
      ae5db6d1
    • E
      btrfs: test for valid bdev before kobj removal in btrfs_rm_device · 0bfaa9c5
      Eric Sandeen 提交于
      commit 99994cde btrfs: dev delete should remove sysfs entry
      added a btrfs_kobj_rm_device, which dereferences device->bdev...
      right after we check whether device->bdev might be NULL.
      
      I don't honestly know if it's possible to have a NULL device->bdev
      here, but assuming that it is (given the test), we need to move
      the kobject removal to be under that test.
      
      (Coverity spotted this)
      Signed-off-by: NEric Sandeen <sandeen@redhat.com>
      Signed-off-by: NChris Mason <clm@fb.com>
      0bfaa9c5
    • L
      Btrfs: fix abnormal long waiting in fsync · 98ce2ded
      Liu Bo 提交于
      xfstests generic/127 detected this problem.
      
      With commit 7fc34a62, now fsync will only flush
      data within the passed range.  This is the cause of the above problem,
      -- btrfs's fsync has a stage called 'sync log' which will wait for all the
      ordered extents it've recorded to finish.
      
      In xfstests/generic/127, with mixed operations such as truncate, fallocate,
      punch hole, and mapwrite, we get some pre-allocated extents, and mapwrite will
      mmap, and then msync.  And I find that msync will wait for quite a long time
      (about 20s in my case), thanks to ftrace, it turns out that the previous
      fallocate calls 'btrfs_wait_ordered_range()' to flush dirty pages, but as the
      range of dirty pages may be larger than 'btrfs_wait_ordered_range()' wants,
      there can be some ordered extents created but not getting corresponding pages
      flushed, then they're left in memory until we fsync which runs into the
      stage 'sync log', and fsync will just wait for the system writeback thread
      to flush those pages and get ordered extents finished, so the latency is
      inevitable.
      
      This adds a flush similar to btrfs_start_ordered_extent() in
      btrfs_wait_logged_extents() to fix that.
      Reviewed-by: NMiao Xie <miaox@cn.fujitsu.com>
      Signed-off-by: NLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: NChris Mason <clm@fb.com>
      98ce2ded
    • L
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d0571909
      Linus Torvalds 提交于
      Pull locking fixes from Thomas Gleixner:
       "The locking department delivers:
      
         - A rather large and intrusive bundle of fixes to address serious
           performance regressions introduced by the new rwsem / mcs
           technology.  Simpler solutions have been discussed, but they would
           have been ugly bandaids with more risk than doing the right thing.
      
         - Make the rwsem spin on owner technology opt-in for architectures
           and enable it only on the known to work ones.
      
         - A few fixes to the lockdep userspace library"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/rwsem: Add CONFIG_RWSEM_SPIN_ON_OWNER
        locking/mutex: Disable optimistic spinning on some architectures
        locking/rwsem: Reduce the size of struct rw_semaphore
        locking/rwsem: Rename 'activity' to 'count'
        locking/spinlocks/mcs: Micro-optimize osq_unlock()
        locking/spinlocks/mcs: Introduce and use init macro and function for osq locks
        locking/spinlocks/mcs: Convert osq lock to atomic_t to reduce overhead
        locking/spinlocks/mcs: Rename optimistic_spin_queue() to optimistic_spin_node()
        locking/rwsem: Allow conservative optimistic spinning when readers have lock
        tools/liblockdep: Account for bitfield changes in lockdeps lock_acquire
        tools/liblockdep: Remove debug print left over from development
        tools/liblockdep: Fix comparison of a boolean value with a value of 2
      d0571909