Commit Graph

562457 Commits

Author SHA1 Message Date
Tilman Schmidt
4c5e354a97 ser_gigaset: fix deallocation of platform device structure
When shutting down the device, the struct ser_cardstate must not be
kfree()d immediately after the call to platform_device_unregister()
since the embedded struct platform_device is still in use.
Move the kfree() call to the release method instead.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Fixes: 2869b23e4b ("drivers/isdn/gigaset: new M101 driver (v2)")
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 13:24:21 -05:00
Alan Cox
ede03d306b ser_gigaset: turn nonsense checks into WARN_ON
These checks do nothing useful to protect the code from races. On the
other hand if the old code has been masking a real bug we would like to
know about it.

The check for tiocmset is kept because it is valid for a tty driver to
have a NULL tiocmset method. That in itself is probably a mistake given
modern coding practices - but needs fixing in the tty layer.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 13:24:21 -05:00
Tilman Schmidt
74375c0528 ser_gigaset: fix up NULL checks
Commit f34d7a5b70 ("tty: The big operations rework") changed
tty->driver to tty->ops but left NULL checks for tty->driver untouched.
Fix.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
[pebolle: removed Fixes tag]
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 13:24:20 -05:00
Linus Torvalds
ca43444e43 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fix from Herbert Xu:
 "This fixes a boundary condition in the blkcipher SG walking code that
  can lead to a crash when used with the new chacha20 algorithm"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: skcipher - Copy iv from desc even for 0-len walks
2015-12-15 10:21:04 -08:00
Linus Torvalds
173ae9ba63 Fix user-visible spelling error
Pavel Machek reports a warning about W+X pages found in the "Persisent"
kmap area.  After grepping for it (using the correct spelling), and not
finding it, I noticed how the debug printk was just misspelled.  Fix it.

The actual mapping bug that Pavel reported is still open.  It's
apparently a separate issue from the known EFI page tables, looks like
it's related to the HIGHMEM mappings.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-12-15 10:15:57 -08:00
Dan Carpenter
389e4e04ad qlcnic: fix a timeout loop
The problem here is that at the end of the loop we test for if
idc->vnic_wait_limit is zero, but since idc->vnic_wait_limit-- is a
post-op, it actually ends up set to (u8)-1.  I have fixed this by
moving the decrement inside the loop.

Fixes: 486a5bc77a ('qlcnic: Add support for 83xx suspend and resume.')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 13:11:05 -05:00
Mark Brown
2b235a3da5 rcar: mux: Avoid use of ret uninitialised
We use ret as the return value from the rsnd_mix_probe() but if there
are no child nodes and no errors then we will never initialize ret leading
to build warnings. Ensure ret is initialized before we iterate over the
child nodes to avoid this.

Signed-off-by: Mark Brown <broonie@kernel.org>
2015-12-15 17:47:54 +00:00
Mark Brown
2e4118dac3 rcar: dvc: Avoid use of ret uninitialised
We use ret as the return value from the rsnd_dvc_probe() but if there
are no child nodes and no errors then we will never initialize ret leading
to build warnings. Ensure ret is initialized before we iterate over the
child nodes to avoid this.

Signed-off-by: Mark Brown <broonie@kernel.org>
2015-12-15 17:47:53 +00:00
Mark Brown
76ca997032 rcar: ctu: Avoid use of ret uninitialised
We use ret as the return value from the rsnd_ctu_probe() but if there
are no child nodes and no errors then we will never initialize ret leading
to build warnings. Ensure ret is initialized before we iterate over the
child nodes to avoid this.

Signed-off-by: Mark Brown <broonie@kernel.org>
2015-12-15 17:47:53 +00:00
Dan Carpenter
fe0be35e2c sfc: fix a timeout loop
We test for if "tries" is zero at the end but "tries--" is a post-op so
it will end with "tries" set to -1.  I have changed it to a pre-op
instead.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 12:46:26 -05:00
Dan Carpenter
351434c6ba qlge: fix a timeout loop in ql_change_rx_buffers()
The problem here is that after the loop we test for "if (!i) " but
because "i--" is a post-op we exit with i set to -1.  I have fixed this
by changing it to a pre-op instead.  I had to change the starting value
from 3 to 4 so that we still iterate 3 times.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 12:46:03 -05:00
Dan Carpenter
c7557e6a56 amd-xgbe: fix a couple timeout loops
At the end of the loop we test "if (!count)" but because "count--" is
a post-op then the loop will end with count set to -1.  I have fixed
this by changing it to --count.

Fixes: c5aa9e3b81 ('amd-xgbe: Initial AMD 10GbE platform driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 12:43:01 -05:00
Dan Carpenter
40d24c4d8a mISDN: fix a loop count
There are two issue here.
1)  cnt starts as maxloop + 1 so all these loops iterate one more time
    than intended.
2)  At the end of the loop we test for "if (maxloop && !cnt)" but for
    the first two loops, we end with cnt equal to -1.  Changing this to
    a pre-op means we end with cnt set to 0.

Fixes: cae86d4a4e ('mISDN: Add driver for Infineon ISDN chipset family')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 12:42:27 -05:00
Chris Mason
1d3a5a82fe Merge branch 'for-chris-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/fdmanana/linux into for-linus-4.4 2015-12-15 09:09:59 -08:00
Chris Mason
bb1591b4ea Btrfs: check prepare_uptodate_page() error code earlier
prepare_pages() may end up calling prepare_uptodate_page() twice if our
write only spans a single page.  But if the first call returns an error,
our page will be unlocked and its not safe to call it again.

This bug goes all the way back to 2011, and it's not something commonly
hit.

While we're here, add a more explicit check for the page being truncated
away.  The bare lock_page() alone is protected only by good thoughts and
i_mutex, which we're sure to regret eventually.

Reported-by: Dave Jones <dsj@fb.com>
Signed-off-by: Chris Mason <clm@fb.com>
2015-12-15 09:09:38 -08:00
Chris Mason
1b9b922a3a Btrfs: check for empty bitmap list in setup_cluster_bitmaps
Dave Jones found a warning from kasan in setup_cluster_bitmaps()

==================================================================
BUG: KASAN: stack-out-of-bounds in setup_cluster_bitmap+0xc4/0x5a0 at
addr ffff88039bef6828
Read of size 8 by task nfsd/1009
page:ffffea000e6fbd80 count:0 mapcount:0 mapping:          (null)
index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 1009 Comm: nfsd Tainted: G        W
4.4.0-rc3-backup-debug+ #1
 ffff880065647b50 000000006bb712c2 ffff88039bef6640 ffffffffa680a43e
 0000004559c00000 ffff88039bef66c8 ffffffffa62638d1 ffffffffa61121c0
 ffff8803a5769de8 0000000000000296 ffff8803a5769df0 0000000000046280
Call Trace:
 [<ffffffffa680a43e>] dump_stack+0x4b/0x6d
 [<ffffffffa62638d1>] kasan_report_error+0x501/0x520
 [<ffffffffa61121c0>] ? debug_show_all_locks+0x1e0/0x1e0
 [<ffffffffa6263948>] kasan_report+0x58/0x60
 [<ffffffffa6814b00>] ? rb_last+0x10/0x40
 [<ffffffffa66f8af4>] ? setup_cluster_bitmap+0xc4/0x5a0
 [<ffffffffa6262ead>] __asan_load8+0x5d/0x70
 [<ffffffffa66f8af4>] setup_cluster_bitmap+0xc4/0x5a0
 [<ffffffffa66f675a>] ? setup_cluster_no_bitmap+0x6a/0x400
 [<ffffffffa66fcd16>] btrfs_find_space_cluster+0x4b6/0x640
 [<ffffffffa66fc860>] ? btrfs_alloc_from_cluster+0x4e0/0x4e0
 [<ffffffffa66fc36e>] ? btrfs_return_cluster_to_free_space+0x9e/0xb0
 [<ffffffffa702dc37>] ? _raw_spin_unlock+0x27/0x40
 [<ffffffffa666a1a1>] find_free_extent+0xba1/0x1520

Andrey noticed this was because we were doing list_first_entry on a list
that might be empty.  Rework the tests a bit so we don't do that.

Signed-off-by: Chris Mason <clm@fb.com>
Reprorted-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Reported-by:  Dave Jones <dsj@fb.com>
2015-12-15 09:09:33 -08:00
Andrzej Hajda
2b2b31c845 net/mlx4_core: fix handling return value of mlx4_slave_convert_port
The function can return negative values, so its result should
be assigned to signed variable.

The problem has been detected using proposed semantic patch
scripts/coccinelle/tests/assign_signed_to_unsigned.cocci [1].

[1]: http://permalink.gmane.org/gmane.linux.kernel/2046107

Fixes: fc48866f7 ('net/mlx4: Adapt code for N-Port VF')
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 11:54:43 -05:00
Takashi Iwai
b6903c0ed9 ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
Apply the same fixup for Thinkpad with dock to Thinkpad X1 Carbon 2nd,
too.  This reduces the annoying loud cracking noise problem, as well
as the support of missing docking port.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=958439
Reported-and-tested-by: Benjamin Poirier <bpoirier@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-12-15 15:11:59 +01:00
Takashi Iwai
70a0976b0c ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads
Lenovo Thinkpads with Realtek codecs may still have some loud
crackling noises at reboot/shutdown even though a few previous fixes
have been applied.  It's because the previous fix (disabling the
default shutup callback) takes effect only at transition of the codec
power state.  Meanwhile, at reboot or shutdown, we don't take down the
codec power as default, thus it triggers the same problem unless the
codec is powered down casually by runtime PM.

This patch tries to address the issue.  It gives two things:
- implement the separate reboot_notify hook to struct alc_spec, and
  call it optionally if defined.
- turn off the codec to D3 for Thinkpad models via this new callback

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=958439
Reported-and-tested-by: Benjamin Poirier <bpoirier@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-12-15 15:11:58 +01:00
Takashi Iwai
157f0b7f6c ALSA: hda - Apply click noise workaround for Thinkpads generically
It seems that a workaround for Thinkpad T440s crackling noise can be
applied generically to all Thinkpad models: namely, disabling the
default alc269 shutup callback.  This patch moves it to the existing
alc_fixup_tpt440_dock() while also replacing the rest code with
another existing alc_fixup_disable_aamix().  It resulted in a good
code reduction.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=958439
Reported-and-tested-by: Benjamin Poirier <bpoirier@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-12-15 15:06:14 +01:00
David Henningsson
c04017ea81 ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
These laptops support both headphone, headset and mic modes
for the 3.5mm jack.

Cc: stable@vger.kernel.org
BugLink: https://bugs.launchpad.net/bugs/1526330
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-12-15 14:52:02 +01:00
Eyal Shapira
cf1e05c636 mac80211: handle width changes from opmode notification IE in beacon
An AP can send an operating channel width change in a beacon
opmode notification IE as long as there's a change in the nss as
well (See 802.11ac-2013 section 10.41).
So don't limit updating to nss only from an opmode notification IE.

Signed-off-by: Eyal Shapira <eyalx.shapira@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-12-15 13:16:47 +01:00
Johannes Berg
a87da0cbc4 mac80211: suppress unchanged "limiting TX power" messages
When the AP is advertising limited TX power, the message can be
printed over and over again. Suppress it when the power level
isn't changing.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=106011

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-12-15 13:14:04 +01:00
Johannes Berg
1ea2c86480 mac80211: reprogram in interface order
During reprogramming, mac80211 currently first adds all the channel
contexts, then binds them to the vifs and then goes to reconfigure
all the interfaces. Drivers might, perhaps implicitly, rely on the
operation order for certain things that typically happen within a
single function elsewhere in mac80211. To avoid problems with that,
reorder the code in mac80211's restart/reprogramming to work fully
within the interface loop so that the order of operations is like
in normal operation.

For iwlwifi, this fixes a firmware crash when reprogramming with an
AP/GO interface active.

Reported-by: David Spinadel <david.spinadel@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-12-15 13:13:59 +01:00
Johannes Berg
74430f9489 mac80211: run scan completed work on reconfig failure
When reconfiguration during resume fails while a scan is pending
for completion work, that work will never run, and the scan will
be stuck forever. Factor out the code to recover this and call it
also in ieee80211_handle_reconfig_failure().

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-12-15 13:12:50 +01:00
Ola Olsson
707554b4d1 nl80211: Fix potential memory leak in nl80211_connect
Free cached keys if the last early return path is taken.

Signed-off-by: Ola Olsson <ola.olsson@sonymobile.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-12-15 13:11:26 +01:00
Ola Olsson
e5dbe0701a nl80211: Fix potential memory leak in nl80211_set_wowlan
Compared to cfg80211_rdev_free_wowlan in core.h,
the error goto label lacks the freeing of nd_config.
Fix that.

Signed-off-by: Ola Olsson <ola.olsson@sonymobile.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-12-15 13:10:05 +01:00
Ola Olsson
09d118008f nl80211: fix a few memory leaks in reg.c
The first leak occurs when entering the default case
in the switch for the initiator in set_regdom.
The second leaks a platform_device struct if the
platform registration in regulatory_init succeeds but
the sub sequent regulatory hint fails due to no memory.

Signed-off-by: Ola Olsson <ola.olsson@sonymobile.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-12-15 13:08:02 +01:00
Shengjiu Wang
34bfbae33a ARM: 8475/1: SWP emulation: Restore original *data when failed
__user_swpX_asm maybe failed in first STREX operation, emulate_swpX
will try again, but the *data has been changed in first time. which
causes the result is wrong.
This patch is to fix this issue. When STREX succeed, change the *data.
if it fail, *data is not changed.

Signed-off-by: Shengjiu Wang <shengjiu.wang@freescale.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2015-12-15 11:51:42 +00:00
Anson Huang
fa0708b320 ARM: 8471/1: need to save/restore arm register(r11) when it is corrupted
In cpu_v7_do_suspend routine, r11 is used while it is NOT
saved/restored, different compiler may have different usage
of ARM general registers, so it may cause issues during
calling cpu_v7_do_suspend.

We meet kernel fault occurs when using GCC 4.8.3, r11 contains
valid value before calling into cpu_v7_do_suspend, but when returned
from this routine, r11 is corrupted and lead to kernel fault.
Doing save/restore for those corrupted registers is a must in
assemble code.

Signed-off-by: Anson Huang <Anson.Huang@freescale.com>
Reviewed-by: Nicolas Pitre <nico@linaro.org>
Cc: <stable@vger.kernel.org> # v3.3+
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2015-12-15 11:51:41 +00:00
Russell King
c014953d84 ARM: fix uaccess_with_memcpy() with SW_DOMAIN_PAN
The uaccess_with_memcpy() code is currently incompatible with the SW
PAN code: it takes locks within the region that we've changed the DACR,
potentially sleeping as a result.  As we do not save and restore the
DACR across co-operative sleep events, can lead to an incorrect DACR
value later in this code path.

Reported-by: Peter Rosin <peda@axentia.se>
Tested-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2015-12-15 11:51:02 +00:00
Vlad Yasevich
f654861569 skbuff: Fix offset error in skb_reorder_vlan_header
skb_reorder_vlan_header is called after the vlan header has
been pulled.  As a result the offset of the begining of
the mac header has been incrased by 4 bytes (VLAN_HLEN).
When moving the mac addresses, include this incrase in
the offset calcualation so that the mac addresses are
copied correctly.

Fixes: a6e18ff111 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off)
CC: Nicolas Dichtel <nicolas.dichtel@6wind.com>
CC: Patrick McHardy <kaber@trash.net>
Signed-off-by: Vladislav Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 00:30:41 -05:00
WANG Cong
09ccfd238e pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 00:29:34 -05:00
Kazuya Mizuguchi
54499969c9 ravb: Add disable 10base
Ethernet AVB does not support 10 Mbps transfer speed.

Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
Signed-off-by: Yoshihiro Kaneko <ykaneko0929@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 00:26:31 -05:00
Sergei Shtylyov
1299653aff sh_eth: fix descriptor access endianness
The driver never  calls cpu_to_edmac() when writing the descriptor address
and edmac_to_cpu() when reading it, although it should -- fix this.

Note that the frame/buffer length descriptor field accesses also need fixing
but since they are both 16-bit we can't  use {cpu|edmac}_to_{edmac|cpu}()...

Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 00:25:00 -05:00
Sergei Shtylyov
3e2309937f sh_eth: fix TX buffer byte-swapping
For the little-endian SH771x kernels the driver has to byte-swap the RX/TX
buffers,  however yet unset physcial address from the TX descriptor is used
to call sh_eth_soft_swap(). Use 'skb->data' instead...

Fixes: 31fcb99d99 ("net: sh_eth: remove __flush_purge_region")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 00:25:00 -05:00
Eric Dumazet
5037e9ef94 net: fix IP early demux races
David Wilder reported crashes caused by dst reuse.

<quote David>
  I am seeing a crash on a distro V4.2.3 kernel caused by a double
  release of a dst_entry.  In ipv4_dst_destroy() the call to
  list_empty() finds a poisoned next pointer, indicating the dst_entry
  has already been removed from the list and freed. The crash occurs
  18 to 24 hours into a run of a network stress exerciser.
</quote>

Thanks to his detailed report and analysis, we were able to understand
the core issue.

IP early demux can associate a dst to skb, after a lookup in TCP/UDP
sockets.

When socket cache is not properly set, we want to store into
sk->sk_dst_cache the dst for future IP early demux lookups,
by acquiring a stable refcount on the dst.

Problem is this acquisition is simply using an atomic_inc(),
which works well, unless the dst was queued for destruction from
dst_release() noticing dst refcount went to zero, if DST_NOCACHE
was set on dst.

We need to make sure current refcount is not zero before incrementing
it, or risk double free as David reported.

This patch, being a stable candidate, adds two new helpers, and use
them only from IP early demux problematic paths.

It might be possible to merge in net-next skb_dst_force() and
skb_dst_force_safe(), but I prefer having the smallest patch for stable
kernels : Maybe some skb_dst_force() callers do not expect skb->dst
can suddenly be cleared.

Can probably be backported back to linux-3.6 kernels

Reported-by: David J. Wilder <dwilder@us.ibm.com>
Tested-by: David J. Wilder <dwilder@us.ibm.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-14 23:52:00 -05:00
Ville Syrjälä
4655a12b81 drm: Don't overwrite UNVERFIED mode status to OK
The way the mode probing works is this:
1. All modes currently on the mode list are marked as UNVERIFIED
2. New modes are on the probed_modes list (they start with
   status OK)
3. Modes are moved from the probed_modes list to the actual
   mode list. If a mode already on the mode list is deemed
   to match one of the probed modes, the duplicate is dropped
   and the mode status updated to OK. After this the
   probed_modes list will be empty.
4. All modes on the mode list are verified to not violate any
   constraints. Any that do are marked as such.
5. Any mode left with a non-OK status is pruned from the list,
   with an appropriate debug message.

What all this means is that any mode on the original list that
didn't have a duplicate on the probed_modes list, should be left
with status UNVERFIED (or previously could have been left with
some other status, but never OK).

I broke that in
commit 05acaec334 ("drm: Reorganize probed mode validation")
by always assigning something to the mode->status during the validation
step. So any mode from the old list that still passed the validation
would be left on the list with status OK in the end.

Fix this by not doing the basic mode validation unless the mode
already has status OK (meaning it came from the probed_modes list,
or at least a duplicate of it was on that list). This way we will
correctly prune away any mode from the old mode list that didn't
appear on the probed_modes list.

Cc: stable@vger.kernel.org
Cc: Adam Jackson <ajax@redhat.com>
Fixes: 05acaec334 ("drm: Reorganize probed mode validation")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1449177255-9515-2-git-send-email-ville.syrjala@linux.intel.com
Testcase: igt/kms_force_connector_basic/prune-stale-modes
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93332
[danvet: Also applying to drm-misc to avoid too much conflict hell -
there's a big pile of patches from Ville on top of this one.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2015-12-15 11:00:10 +10:00
Dave Airlie
2344164a27 Merge tag 'drm-intel-fixes-2015-12-11' of git://anongit.freedesktop.org/drm-intel into drm-fixes
Here are some i915 fixes for v4.4, sorry for being late this week.

* tag 'drm-intel-fixes-2015-12-11' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: Do a better job at disabling primary plane in the noatomic case.
  drm/i915/skl: Double RC6 WRL always on
  drm/i915/skl: Disable coarse power gating up until F0
  drm/i915: Remove incorrect warning in context cleanup
2015-12-15 10:25:21 +10:00
Dave Airlie
8e13c10a7c omapdrm fix for 4.4
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJWbsToAAoJEPo9qoy8lh71QVAP/jmIsh0SDB7BRRkhBYtg1Yqj
 WV18ooiwPHFI1j8PwkyRaMM400m2UWfNmToe8dWE/gadhImTKC5Z3sVaWXLGc6lA
 tit9OSR+7oiN+9H9rkHGnF0CYGqRw5UtZiL9Jr9O2HCHSXKHntMvvBTvuxnXkuE+
 iyvfEdxQgRWgxXoeDXq0Iet/W2w0LcZ1INXmWyQwl1Tut33K9y363AL/DnM2Xfiu
 oBjuzTOvsGqusiR6FO++H9Urntpw0BOc7NCsdq9pOz3f9TvnLaolLmg1wy3Yv0bL
 GY+bKFG/PUPOosgNUccuyQdGwnbBArhs4OqOBmdz5uwQJGFfQoIP9Cbc8IM4B8ve
 GGJfCf/snIeEXfZWq2Pkm8nZ2gJmLdvX/kLQJhJqifHQKKKlr4Veov7+8HSawgp2
 M+MwScTZ/rz0FiKGiq6EmcY/E5g8O/izpozJus1yjHjKhV6wQf2sbnadIe86bVJc
 gT+0bET/pQ6OfEacN2OYI+gdYDm9VTqqdUrHJWsx0wXK8NDjyQdLjcZZCnxz0abf
 mgcLb+c3wxktHIxSu703m061muNwO7BanIUCFcdZ+vOHt+/LHgtpRclhY49p4b0k
 bJ/Lg46i4/CqaXpcWQDHOvxU0piK3fH2KE/wEL08cFF6R7Me/x3jBleHpF9a1T1r
 dChbrwHgu08vnSYEztmQ
 =hSBP
 -----END PGP SIGNATURE-----

Merge tag 'omapdrm-4.4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux into drm-fixes

omapdrm fix for 4.4

* tag 'omapdrm-4.4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux:
  drm/omap: fix fbdev pix format to support all platforms
2015-12-15 10:24:52 +10:00
Rafael J. Wysocki
f1b9fc591e Merge branches 'powercap', 'pm-cpufreq' and 'pm-domains'
* powercap:
  powercap / RAPL: fix BIOS lock check

* pm-cpufreq:
  cpufreq: intel_pstate: Minor cleanup for FRAC_BITS
  cpufreq: tegra: add regulator dependency for T124

* pm-domains:
  PM / Domains: Allow runtime PM callbacks to be re-used during system PM
2015-12-14 22:58:57 +01:00
Sergei Shtylyov
2274d3753f sh_eth: uninline sh_eth_{write|read}()
Commit 3365711df0 ("sh_eth: WARN on access to a register not implemented in
in  a particular chip") added WARN_ON() to sh_eth_{read|write}(), thus making
it  unacceptable for these functions to be *inline* anymore. Remove *inline*
and move the functions from the header to the driver itself. Below   is our
code economy with ARM gcc 4.7.3:

$ size drivers/net/ethernet/renesas/sh_eth.o{~,}
   text	   data	    bss	    dec	    hex	filename
  32489	   1140	      0	  33629	   835d	drivers/net/ethernet/renesas/sh_eth.o~
  25413	   1140	      0	  26553	   67b9	drivers/net/ethernet/renesas/sh_eth.o

Suggested-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-14 16:25:21 -05:00
Chen-Yu Tsai
d856c16d8a stmmac: dwmac-sunxi: Call exit cleanup function in probe error path
dwmac-sunxi has 2 callbacks that were called from stmmac_platform as
part of the probe and remove sequences.

Ater the conversion of dwmac-sunxi into a standalone platform driver,
the .init function is called before calling into the stmmac driver
core, but .exit is not called to clean up if stmmac returns an error.

This patch fixes the probe error path. This properly cleans up and
releases resources when the driver core fails to probe.

Cc: Joachim Eastwood <manabian@gmail.com>
Fixes: 9a9e9a1ede ("stmmac: dwmac-sunxi: turn setup callback into a
		      probe function")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-14 16:11:59 -05:00
Hannes Frederic Sowa
79462ad02e net: add validation for the socket syscall protocol argument
郭永刚 reported that one could simply crash the kernel as root by
using a simple program:

	int socket_fd;
	struct sockaddr_in addr;
	addr.sin_port = 0;
	addr.sin_addr.s_addr = INADDR_ANY;
	addr.sin_family = 10;

	socket_fd = socket(10,3,0x40000000);
	connect(socket_fd , &addr,16);

AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.

This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.

kernel: Call Trace:
kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89

I found no particular commit which introduced this problem.

CVE: CVE-2015-8543
Cc: Cong Wang <cwang@twopensource.com>
Reported-by: 郭永刚 <guoyonggang@360.cn>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-14 16:09:30 -05:00
Tobias Klauser
20b08e1a79 net: phy: mdio-mux: Check return value of mdiobus_alloc()
mdiobus_alloc() might return NULL, but its return value is not
checked in mdio_mux_init(). This could potentially lead to a NULL
pointer dereference. Fix it by checking the return value

Fixes: 0ca2997d14 ("netdev/of/phy: Add MDIO bus multiplexer support.")
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-14 14:27:40 -05:00
Paolo Abeni
e5f5d74747 openvswitch: fix trivial comment typo
The commit 33db4125ec ("openvswitch: Rename LABEL->LABELS") left
over an old OVS_CT_ATTR_LABEL instance, fix it.

Fixes: 33db4125ec ("openvswitch: Rename LABEL->LABELS")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-14 14:00:09 -05:00
Tony Luck
2780188515 [IA64] Enable mlock2 syscall for ia64
New system call added in
  commit a8ca5d0ecb
  mm: mlock: add new mlock system call

Signed-off-by: Tony Luck <tony.luck@intel.com>
2015-12-14 10:30:02 -08:00
David S. Miller
9e5be5bd43 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
netfilter fixes for net

The following patchset contains Netfilter fixes for you net tree,
specifically for nf_tables and nfnetlink_queue, they are:

1) Avoid a compilation warning in nfnetlink_queue that was introduced
   in the previous merge window with the simplification of the conntrack
   integration, from Arnd Bergmann.

2) nfnetlink_queue is leaking the pernet subsystem registration from
   a failure path, patch from Nikolay Borisov.

3) Pass down netns pointer to batch callback in nfnetlink, this is the
   largest patch and it is not a bugfix but it is a dependency to
   resolve a splat in the correct way.

4) Fix a splat due to incorrect socket memory accounting with nfnetlink
   skbuff clones.

5) Add missing conntrack dependencies to NFT_DUP_IPV4 and NFT_DUP_IPV6.

6) Traverse the nftables commit list in reverse order from the commit
   path, otherwise we crash when the user applies an incremental update
   via 'nft -f' that deletes an object that was just introduced in this
   batch, from Xin Long.

Regarding the compilation warning fix, many people have sent us (and
keep sending us) patches to address this, that's why I'm including this
batch even if this is not critical.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-14 11:09:01 -05:00
Joerg Roedel
7f8312a3b3 iommu/vt-d: Do access checks before calling handle_mm_fault()
Not doing so is a bug and might trigger a BUG_ON in
handle_mm_fault(). So add the proper permission checks
before calling into mm code.

Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Acked-By: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2015-12-14 15:37:55 +01:00
Joerg Roedel
7b5cc1a9c9 iommu/amd: Do proper access checking before calling handle_mm_fault()
The handle_mm_fault function expects the caller to do the
access checks. Not doing so and calling the function with
wrong permissions is a bug (catched by a BUG_ON).
So fix this bug by adding proper access checking to the io
page-fault code in the AMD IOMMUv2 driver.

Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Acked-By: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2015-12-14 15:37:47 +01:00