Commit Graph

603901 Commits

Author SHA1 Message Date
Linus Torvalds
2cc499b398 Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull core fixes from Ingo Molnar:
 "Fix an objtool false positive plus an UP kernel memory corruption bug
  on certain configs"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble
  objtool: Fix STACK_FRAME_NON_STANDARD macro checking for function symbols
2016-07-14 05:10:28 +09:00
David S. Miller
790e5ef59f Merge branch 'sk_filter-trim-limit'
Willem de Bruijn says:

====================
limit sk_filter trim to payload

Sockets can apply a filter to incoming packets to drop or trim them.
Fix two codepaths that call skb_pull/__skb_pull after sk_filter
without checking for packet length.

Reading beyond skb->tail after trimming happens in more codepaths, but
safety of reading in the linear segment is based on minimum allocation
size (MAX_HEADER, GRO_MAX_HEAD, ..).
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-13 11:53:41 -07:00
Willem de Bruijn
4f0c40d944 dccp: limit sk_filter trim to payload
Dccp verifies packet integrity, including length, at initial rcv in
dccp_invalid_packet, later pulls headers in dccp_enqueue_skb.

A call to sk_filter in-between can cause __skb_pull to wrap skb->len.
skb_copy_datagram_msg interprets this as a negative value, so
(correctly) fails with EFAULT. The negative length is reported in
ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close.

Introduce an sk_receive_skb variant that caps how small a filter
program can trim packets, and call this in dccp with the header
length. Excessively trimmed packets are now processed normally and
queued for reception as 0B payloads.

Fixes: 7c657876b6 ("[DCCP]: Initial implementation")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-13 11:53:41 -07:00
Willem de Bruijn
f4979fcea7 rose: limit sk_filter trim to payload
Sockets can have a filter program attached that drops or trims
incoming packets based on the filter program return value.

Rose requires data packets to have at least ROSE_MIN_LEN bytes. It
verifies this on arrival in rose_route_frame and unconditionally pulls
the bytes in rose_recvmsg. The filter can trim packets to below this
value in-between, causing pull to fail, leaving the partial header at
the time of skb_copy_datagram_msg.

Place a lower bound on the size to which sk_filter may trim packets
by introducing sk_filter_trim_cap and call this for rose packets.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-13 11:53:40 -07:00
David S. Miller
22cb99fb76 Merge branch 'mlx5-fixes'
Saeed Mahameed says:

====================
mlx5 tx timeout watchdog fixes

This patch set provides two trivial fixes for the tx timeout series lately
applied into net 4.7.

From Daniel, detect stuck queues due to BQL
From Mohamad, fix tx timeout watchdog false alarm

Hopefully those two fixes will make it to -stable, assuming
3947ca1859 ('net/mlx5e: Implement ndo_tx_timeout callback') was also backported to -stable.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-13 11:38:17 -07:00
Mohamad Haj Yahia
c3b7c5c950 net/mlx5e: start/stop all tx queues upon open/close netdev
Start all tx queues (including inactive ones) when opening the netdev.
Stop all tx queues (including inactive ones) when closing the netdev.

This is a workaround for the tx timeout watchdog false alarm issue in
which the netdev watchdog is polling all the tx queues which may include
inactive queues and thus once lowering the real tx queues number
(ethtool -L) it will generate tx timeout watchdog false alarms.

Fixes: 3947ca1859 ('net/mlx5e: Implement ndo_tx_timeout callback')
Signed-off-by: Mohamad Haj Yahia <mohamad@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-13 11:38:16 -07:00
Daniel Jurgens
2c1ccc9937 net/mlx5e: Fix TX Timeout to detect queues stuck on BQL
Change netif_tx_queue_stopped to netif_xmit_stopped.  This will show
when queues are stopped due to byte queue limits.

Fixes: 3947ca1859 ('net/mlx5e: Implement ndo_tx_timeout callback')
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-13 11:38:16 -07:00
Thomas Gleixner
d60585c576 sched/core: Correct off by one bug in load migration calculation
The move of calc_load_migrate() from CPU_DEAD to CPU_DYING did not take into
account that the function is now called from a thread running on the outgoing
CPU. As a result a cpu unplug leakes a load of 1 into the global load
accounting mechanism.

Fix it by adjusting for the currently running thread which calls
calc_load_migrate().

Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Cc: rt@linutronix.de
Cc: shreyas@linux.vnet.ibm.com
Fixes: e9cd8fa4fc: ("sched/migration: Move calc_load_migrate() into CPU_DYING")
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1607121744350.4083@nanos
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-07-13 14:58:20 +02:00
Linus Torvalds
cf875cc1dc media fixes for v4.7-rc7
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXhhNXAAoJEAhfPr2O5OEVydgP/A6DOW7KTQ/0yRlKxvvGObqV
 Fdxwt2bUypksRhSh0r/cMpI2ILDGbXJyVseyz3zJ8LfRPw5Sm+BqkqiMfNte47c9
 fc1faaIR6MHkfPbzjBYM+4i2GGuHJ6ltjWGrL+ZnaXwYmJQcbGQGBZu/JX5N+gjm
 qc++PFb8P3IieK4IL5+xRWaaXeCceyVIc8KK4f3LHPH7zH5dsuPQEeEOhjK74PLI
 5uxmI6S15tK0OB+PqYAlwIwaGGhXWGOuVboXpCFQ+T6SEHmpblnC90XGjfFDGsIo
 ai5BXGiiokTSD5vvZwa/f0rnEiqk+uxLpibercaI2zUQaoLxqysnDIVZGH9wmMZD
 Ddh2QayZO3xFdGDIt/pXQuxAj/IvRI5IbRJqzKPOw3bJGjrkpJRXqRXUS7nMWCbF
 OJns6HbFq4UaCpxmHjutPA3xE7rWRer25aok1hEMkqAGjFmVK1dmTvinO8eolgc9
 MZlX/J/fGwkcNXzUOAwzrO52DC6qVQbxNfpZ/8daLDjSMNA0IjV/ubpm8TJ/PRn4
 fyefImTiswpq1vJSO9sINitzQIMQEpAA/VokPAkVuDCs7Bu2YLvcSLU2IRIWXetB
 D7ayQxaZnGsbCOCi95IfUvEAdvOpauRf0QvRDnEW4puHvJxrt1a1vjKD8VoArV8M
 U6RVqs7kjqw6FNDAwp3J
 =L9yq
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:
 "Two regression fixes:

  - a regression when handling VIDIOC_CROPCAP at the media core;

  - a regression at adv7604 that was ignoring pad number in subdev ops"

* tag 'media/v4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] adv7604: Don't ignore pad number in subdev DV timings pad operations
  [media] v4l2-ioctl: fix stupid mistake in cropcap condition
2016-07-13 19:51:49 +09:00
Dan Carpenter
41e8a5788b ALSA: mixart: don't print an unintialized variable on error
My static checker complains that "resp" could be unitialized on error
when we print its value.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-07-13 12:22:42 +02:00
Thomas Gleixner
a7c734140a cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble
Xiaolong Ye reported lock debug warnings triggered by the following commit:

  8de4a0066106 ("perf/x86: Convert the core to the hotplug state machine")

The bug is the following: the cpuhp_bp_states[] array is cut short when
CONFIG_SMP=n, but the dynamically registered callbacks are stored nevertheless
and happily scribble outside of the array bounds...

We need to store them in case that the state is unregistered so we can invoke
the teardown function. That's independent of CONFIG_SMP. Make sure the array
is large enough.

Reported-by: kernel test robot <xiaolong.ye@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Adam Borowski <kilobyte@angband.pl>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: lkp@01.org
Cc: stable@vger.kernel.org
Cc: tipbuild@zytor.com
Fixes: cff7d378d3 "cpu/hotplug: Convert to a state machine for the control processor"
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1607122144560.4083@nanos
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-07-13 09:29:39 +02:00
David S. Miller
ea43f860d9 Merge branch 'ethoc-fixes'
Florian Fainelli says:

====================
net: ethoc: Error path and transmit fixes

This patch series contains two patches for the ethoc driver while testing on a
TS-7300 board where ethoc is provided by an on-board FPGA.

First patch was cooked after chasing crashes with invalid resources passed to
the driver.

Second patch was cooked after seeing that an interface configured with IP
192.168.2.2 was sending ARP packets for 192.168.0.0, no wonder why it could not
work.

I don't have access to any other platform using an ethoc interface so
it could be good to some testing on Xtensa for instance.

Changes in v3:

- corrected the error path if skb_put_padto() fails, thanks to Max
  for spotting this!

Changes in v2:

- fixed the first commit message
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-12 23:13:01 -07:00
Florian Fainelli
ee6c21b9c1 net: ethoc: Correctly pad short packets
Even though the hardware can be doing zero padding, we want the SKB to
be going out on the wire with the appropriate size. This fixes packet
truncations observed with e.g: ARP packets.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-12 23:13:01 -07:00
Florian Fainelli
386512d18b net: ethoc: Fix early error paths
In case any operation fails before we can successfully go the point
where we would register a MDIO bus, we would be going to an error label
which involves unregistering then freeing this yet to be created MDIO
bus. Update all error paths to go to label free which is the only one
valid until either the clock is enabled, or the MDIO bus is allocated
and registered. This fixes kernel oops observed while trying to
dereference the MDIO bus structure which is not yet allocated.

Fixes: a170285772 ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-12 23:13:01 -07:00
Linus Torvalds
f1b5e4fac1 ACPI fixes for v4.7
- Fix a recent regression in the ACPI EC driver introduced by a fix
    of another problem that uncovered a latent code ordering issue in
    the driver (Lv Zheng).
 
  - Revert a recent ACPICA commit that attempted to address a lock
    ordering issue introduced by a previous fix, but caused Dell
    Precision 5510 to fail to boot, revert that previous fix too and
    finally revert the commit that caused the original problem (a
    deadlock in the ACPICA code) to happen (Rafael Wysocki).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJXhVOqAAoJEILEb/54YlRxWXsP/2W3HYWabMnCWVobJYyxP0TO
 mCmyZZmPpGqzPi9HV9VLTcKPZrhrLzFwk3LnDkxWWH6aEfDz5gTjrME4DNJdhTsu
 SqNXf77bDdCYX6lgbdvB/ZsZkStV8b5k8gldXaBJHs7MNi33+/xepqXgoUcawB0n
 H/M5udwiDMQyh8m78pkOksuicD+phO+QfdpxTW/qvmFfu7IlqeFlTCepYUyEXu5l
 XwNoaptrWfsEDprg04z4jeB+xta92eUQ+BUzqpQcGAfmXYVUm7XPjhE0wepqgtta
 sfxkdtM66uNZw/r3XbErVPwM/8Fl7Rywdi8qIR5KaQol+icgM62e+WWL1+XMiIiw
 IZSk7XYF7QQVgwMSzPXhBd6HOzYgAgYH5UITtWlQKyi15C1R2ULSW91g92xcjSFP
 Zyb6sN2/VWbN30WVsaZJ1GEGTFUOSE/iE2/R3rnRdgmb5nh4b5d83HmAXf90uBSX
 2U008aqW1mQoRQrVupk/j4Lf6YKZjAGlwb0pmfguI6YROzgCcuaopTEI69bUpgfj
 4LfbNi/b6tOtNrCAsJSvS8A+vYmRuqk5HpJNuECefJbJgSy2xCBWBFT9Il50o/6V
 zl6IOE6WS/Rz77l0tAkzsiQhq4vYWTbQsrtQp7op98R1XHioLABp4fA00kkQpzbw
 SQcHzGFA7sMoWOcuKDbi
 =hkH2
 -----END PGP SIGNATURE-----

Merge tag 'acpi-urgent-4.7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "One ACPI EC driver regression fix (code ordering) and three reverts of
  ACPICA commits, one that introduced a problem and two unsuccessful
  attempted fixes on top of it.

  Specifics:

   - Fix a recent regression in the ACPI EC driver introduced by a fix
     of another problem that uncovered a latent code ordering issue in
     the driver (Lv Zheng).

   - Revert a recent ACPICA commit that attempted to address a lock
     ordering issue introduced by a previous fix, but caused Dell
     Precision 5510 to fail to boot, revert that previous fix too and
     finally revert the commit that caused the original problem (a
     deadlock in the ACPICA code) to happen (Rafael Wysocki)"

* tag 'acpi-urgent-4.7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  Revert "ACPI 2.0 / AML: Improve module level execution by moving the If/Else/While execution to per-table basis"
  Revert "ACPICA: Namespace: Fix deadlock triggered by MLC support in dynamic table loading"
  Revert "ACPICA: Namespace: Fix namespace/interpreter lock ordering"
  ACPI / EC: Fix code ordering issue in ec_remove_handlers()
2016-07-13 06:37:03 +09:00
Noam Camus
136ab0d0e1 net: nps_enet: Fix PCS reset
During commit b54b8c2d6e
 ("net: ezchip: adapt driver to little endian architecture")
 adapting to little endian architecture,
 zeroing of controller was left out.

Signed-off-by: Elad Kanfi <eladkan@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-12 13:58:55 -07:00
Rafael J. Wysocki
d0420d20ba Merge branches 'acpica-fixes' and 'acpi-ec-fixes'
* acpica-fixes:
  Revert "ACPI 2.0 / AML: Improve module level execution by moving the If/Else/While execution to per-table basis"
  Revert "ACPICA: Namespace: Fix deadlock triggered by MLC support in dynamic table loading"
  Revert "ACPICA: Namespace: Fix namespace/interpreter lock ordering"

* acpi-ec-fixes:
  ACPI / EC: Fix code ordering issue in ec_remove_handlers()
2016-07-12 22:03:14 +02:00
Linus Torvalds
63bab2203d regulator: Fix qcom-smd list voltage issues for msm8974
This commit looks like a cleanup but in fact by causing the core to go
 down some simplified code paths for noop regulators it avoids a boot
 time crash for msm8974 platforms which was introduced in v4.7.  It has
 been in -next for a while, the issues in mainline for these platforms
 weren't flagged up to me until yesterday (I think it took some time to
 figure out what was going wrong).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXhQPCAAoJECTWi3JdVIfQZAQH/AqXEFh1oZywnf6daYraLUfd
 7W8OXf4nLywazeVaHBaa3hCSrIT4CYiCKcxB8vDm1//nFVcsRJnlxWQxw62/A8dx
 u3ovQjwM1UfTsrR68WmnR47RO71jruex+gtISFCbYvE8NQqPPDHBlA9Q6B4VTd+n
 IcoS8fdUc6QD4M+yveUcsLcppROpCm7/sba49v2qJMWZ62h2CSpZyO7ImYwkmalt
 PJvmkKF7Vl/pnpiWMpGByMvz5o4jDNtaZjVr9wFF3T7otlC62sLi16AnIo+zmWam
 +T9nI+ltZPtV/C46nfXyAPEqtmPyLSueVKpNgTflJPEPKUanXLWpIFZu7+MHpnI=
 =nwMu
 -----END PGP SIGNATURE-----

Merge tag 'qcom-smd-list-voltage' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fix from Mark Brown:
 "Fix qcom-smd list voltage issues for msm8974

  This commit looks like a cleanup but in fact by causing the core to go
  down some simplified code paths for noop regulators it avoids a boot
  time crash for msm8974 platforms which was introduced in v4.7.  It has
  been in -next for a while, the issues in mainline for these platforms
  weren't flagged up to me until yesterday (I think it took some time to
  figure out what was going wrong)"

* tag 'qcom-smd-list-voltage' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: qcom_smd: Remove list_voltage callback for rpm_smps_ldo_ops_fixed
2016-07-13 04:22:16 +09:00
David S. Miller
92a03eb012 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for your net tree.
they are:

1) Fix leak in the error path of nft_expr_init(), from Liping Zhang.

2) Tracing from nf_tables cannot be disabled, also from Zhang.

3) Fix an integer overflow on 32bit archs when setting the number of
   hashtable buckets, from Florian Westphal.

4) Fix configuration of ipvs sync in backup mode with IPv6 address,
   from Quentin Armitage via Simon Horman.

5) Fix incorrect timeout calculation in nft_ct NFT_CT_EXPIRATION,
   from Florian Westphal.

6) Skip clash resolution in conntrack insertion races if NAT is in
   place.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-12 10:21:27 -07:00
Shiraz Saleem
8e0e7aedad i40iw: Enable remote access rights for stag allocation
Fix to enable remote access rights when allocating stag.

Fixes: b7aee855d3 ("RDMA/i40iw: Add base memory management extensions")
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-07-12 10:46:34 -04:00
Nicolas Iooss
b0548cff99 i40iw: do not print unitialized variables in error message
i40iw_create_cqp() printed the contents of variables maj_err and min_err
in an error message before they could be initialized (by calling
dev->cqp_ops->cqp_create).

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-07-12 10:46:34 -04:00
Christoph Lameter
c5a81d11d7 IB core: Add port_xmit_wait counter
Add the missing port_xmit_wait counter. This counter is displayed through
some tools like perfquery but is not available via sysfs.

For the PORT_PMA_ATTR macro the _counter field is set to zero
allowing us to specify the offset directly like with PORT_PMA_ATTR_EXT

See also the earlier work in 2008 by Vladimir Skolovsky

https://www.mail-archive.com/general@lists.openfabrics.org/msg20313.html

Signed-off-by: Vladimir Sokolvsky <vlad@mellanox.com>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-07-12 10:46:24 -04:00
Tadeusz Struk
98f179a5ea IB/hfi1: Fix sleep inside atomic issue in init_asic_data
The critical section should protect only the list traversal
and dd->asic_data modification, not the memory allocation.
The fix pulls the allocation out of the critical section.

Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Reviewed-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
Reviewed-by: Dean Luick <dean.luick@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-07-12 10:46:24 -04:00
Mike Marciniszyn
896ce45da2 IB/hfi1: Correct issues with sc5 computation
There are several computatations of the sc in the
ud receive routine.

Besides the code duplication, all are wrong when the
sc is greater than 15.   In that case the code incorrectly
or's a 1 into the computed sc instead of 1 shifted left
by 4.

Fix precomputed sc5 by using an already implemented routine
hdr2sc() and deleting flawed duplicated code.

Cc: Stable <stable@vger.kernel.org> # 4.6+
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-07-12 10:46:24 -04:00
Pablo Neira Ayuso
590b52e10d netfilter: conntrack: skip clash resolution if nat is in place
The clash resolution is not easy to apply if the NAT table is
registered. Even if no NAT rules are installed, the nul-binding ensures
that a unique tuple is used, thus, the packet that loses race gets a
different source port number, as described by:

http://marc.info/?l=netfilter-devel&m=146818011604484&w=2

Clash resolution with NAT is also problematic if addresses/port range
ports are used since the conntrack that wins race may describe a
different mangling that we may have earlier applied to the packet via
nf_nat_setup_info().

Fixes: 71d8c47fc6 ("netfilter: conntrack: introduce clash resolution on insertion race")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Marc Dionne <marc.c.dionne@gmail.com>
2016-07-12 16:28:41 +02:00
Colin Ian King
5137d6da46 ALSA: ak4114: remove redundant check on err being < 0
snd_ak4114_create checks if the error return err is less than zero
or not.  This is a redundant check, err can only be < 0 to get to
the __fail label, in which case just return err and remove the
redundant check (since we never return -EIO).

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-07-12 12:28:04 +02:00
Colin Ian King
3805e6a18d ALSA: ak4117: remove redundant check on err being < 0
snd_ak4117_create checks if the error return err is less than zero
or not.  This is a redundant check, err can only be < 0 to get to
the __fail label, in which case just return err and remove the
redundant check (since we never return -EIO).

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-07-12 12:26:09 +02:00
Awais Belal
d716fb03f7 ALSA: hda: add AMD Stoney PCI ID with proper driver caps
This allows the device to correctly show up as ATI HDMI
rather than a generic one and allows the driver to use
the available caps.

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-07-12 12:23:55 +02:00
Kalle Kankare
0593d46121 sgtl5000: add Lineout volume control
This controls the volume for the line out pins of SGTL5000.

Signed-off-by: Fabien Lahoudere <fabien.lahoudere@collabora.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-07-12 10:00:44 +01:00
Linus Torvalds
08d27eb206 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  posix_acl: de-union a_refcount and a_rcu
  nfs_atomic_open(): prevent parallel nfs_lookup() on a negative hashed
  Use the right predicate in ->atomic_open() instances
2016-07-12 16:49:01 +09:00
Amitoj Kaur Chawla
dfa40d3e36 sound: oss: Remove useless initialisation
Remove useless initialisation of variable whose value is reinitialised
later.

The Coccinelle semantic patch used to make this change is as follows:
@@
type T;
identifier x;
constant C;
expression e;
@@

T x
- = C
 ;
x = e;

Signed-off-by: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-07-12 08:06:10 +02:00
David S. Miller
ce9a4f316d Merge branch 'tipc-fixes'
Jon Maloy says:

====================
tipc: three small fixes

Fixes for some broadcast link problems that may occur in large systems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 22:42:13 -07:00
Jon Paul Maloy
1fc07f3e15 tipc: reset all unicast links when broadcast send link fails
In test situations with many nodes and a heavily stressed system we have
observed that the transmission broadcast link may fail due to an
excessive number of retransmissions of the same packet. In such
situations we need to reset all unicast links to all peers, in order to
reset and re-synchronize the broadcast link.

In this commit, we add a new function tipc_bearer_reset_all() to be used
in such situations. The function scans across all bearers and resets all
their pertaining links.

Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 22:42:12 -07:00
Jon Paul Maloy
a71eb72035 tipc: ensure correct broadcast send buffer release when peer is lost
After a new receiver peer has been added to the broadcast transmission
link, we allow immediate transmission of new broadcast packets, trusting
that the new peer will not accept the packets until it has received the
previously sent unicast broadcast initialiation message. In the same
way, the sender must not accept any acknowledges until it has itself
received the broadcast initialization from the peer, as well as
confirmation of the reception of its own initialization message.

Furthermore, when a receiver peer goes down, the sender has to produce
the missing acknowledges from the lost peer locally, in order ensure
correct release of the buffers that were expected to be acknowledged by
the said peer.

In a highly stressed system we have observed that contact with a peer
may come up and be lost before the above mentioned broadcast initial-
ization and confirmation have been received. This leads to the locally
produced acknowledges being rejected, and the non-acknowledged buffers
to linger in the broadcast link transmission queue until it fills up
and the link goes into permanent congestion.

In this commit, we remedy this by temporarily setting the corresponding
broadcast receive link state to ESTABLISHED and the 'bc_peer_is_up'
state to true before we issue the local acknowledges. This ensures that
those acknowledges will always be accepted. The mentioned state values
are restored immediately afterwards when the link is reset.

Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 22:42:12 -07:00
Jon Paul Maloy
2d18ac4ba7 tipc: extend broadcast link initialization criteria
At first contact between two nodes, an endpoint might sometimes have
time to send out a LINK_PROTOCOL/STATE packet before it has received
the broadcast initialization packet from the peer, i.e., before it has
received a valid broadcast packet number to add to the 'bc_ack' field
of the protocol message.

This means that the peer endpoint will receive a protocol packet with an
invalid broadcast acknowledge value of 0. Under unlucky circumstances
this may lead to the original, already received acknowledge value being
overwritten, so that the whole broadcast link goes stale after a while.

We fix this by delaying the setting of the link field 'bc_peer_is_up'
until we know that the peer really has received our own broadcast
initialization message. The latter is always sent out as the first
unicast message on a link, and always with seqeunce number 1. Because
of this, we only need to look for a non-zero unicast acknowledge value
in the arriving STATE messages, and once that is confirmed we know we
are safe and can set the mentioned field. Before this moment, we must
ignore all broadcast acknowledges from the peer.

Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 22:42:12 -07:00
Mario Limonciello
34ee32c9a5 r8152: Add support for setting pass through MAC address on RTL8153-AD
The RTL8153-AD supports a persistent system specific MAC address.
This means a device plugged into two different systems with host side
support will show different (but persistent) MAC addresses.

This information for the system's persistent MAC address is burned in when
the system HW is built and available under \_SB.AMAC in the DSDT at runtime.

This technology is currently implemented in the Dell TB15 and WD15 Type-C
docks.  More information is available here:
http://www.dell.com/support/article/us/en/04/SLN301147

Signed-off-by: Mario Limonciello <mario_limonciello@dell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 19:42:30 -07:00
Soheil Hassas Yeganeh
779f1edec6 sock: ignore SCM_RIGHTS and SCM_CREDENTIALS in __sock_cmsg_send
Sergei Trofimovich reported that pulse audio sends SCM_CREDENTIALS
as a control message to TCP. Since __sock_cmsg_send does not
support SCM_RIGHTS and SCM_CREDENTIALS, it returns an error and
hence breaks pulse audio over TCP.

SCM_RIGHTS and SCM_CREDENTIALS are sent on the SOL_SOCKET layer
but they semantically belong to SOL_UNIX. Since all
cmsg-processing functions including sock_cmsg_send ignore control
messages of other layers, it is best to ignore SCM_RIGHTS
and SCM_CREDENTIALS for consistency (and also for fixing pulse
audio over TCP).

Fixes: c14ac9451c ("sock: enable timestamping using control messages")
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Reported-by: Sergei Trofimovich <slyfox@gentoo.org>
Tested-by: Sergei Trofimovich <slyfox@gentoo.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 14:32:44 -07:00
Vinod Koul
894a16db29 ASoC: Intel: board: add kabylake machine id
Kabylake platform is similar to Skylake. So, add machine id.
Since same machine driver supports both, add these in id table.

Signed-off-by: Shreyas NC <shreyas.nc@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-07-11 22:20:15 +01:00
Vinod Koul
d06de6d9f1 ASoC: rt286: set combo jack for Kabylake
Like in Skylake, Kabylake also uses combo jack so add Kabylake to
DMI match for combo jack configuration.

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-07-11 22:20:15 +01:00
Shreyas NC
cc21688703 ASoC: hdac_hdmi: Add device id for Kabylake
Kabylake platform is similar to Skylake. So, add the device id.

Signed-off-by: Shreyas NC <shreyas.nc@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-07-11 22:20:15 +01:00
Vinod Koul
451dfb5f82 ASoC: Intel: add kablake device IDs
Kabylake is next generation Intel platform which has similar
audio controller to Skylake, so add the ID and driver data in
SKL driver.

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-07-11 22:20:15 +01:00
Julian Anastasov
80610229ef ipv4: reject RTNH_F_DEAD and RTNH_F_LINKDOWN from user space
Vegard Nossum is reporting for a crash in fib_dump_info
when nh_dev = NULL and fib_nhs == 1:

Pid: 50, comm: netlink.exe Not tainted 4.7.0-rc5+
RIP: 0033:[<00000000602b3d18>]
RSP: 0000000062623890  EFLAGS: 00010202
RAX: 0000000000000000 RBX: 000000006261b800 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000024 RDI: 000000006245ba00
RBP: 00000000626238f0 R08: 000000000000029c R09: 0000000000000000
R10: 0000000062468038 R11: 000000006245ba00 R12: 000000006245ba00
R13: 00000000625f96c0 R14: 00000000601e16f0 R15: 0000000000000000
Kernel panic - not syncing: Kernel mode fault at addr 0x2e0, ip 0x602b3d18
CPU: 0 PID: 50 Comm: netlink.exe Not tainted 4.7.0-rc5+ #581
Stack:
 626238f0 960226a02 00000400 000000fe
 62623910 600afca7 62623970 62623a48
 62468038 00000018 00000000 00000000
Call Trace:
 [<602b3e93>] rtmsg_fib+0xd3/0x190
 [<602b6680>] fib_table_insert+0x260/0x500
 [<602b0e5d>] inet_rtm_newroute+0x4d/0x60
 [<60250def>] rtnetlink_rcv_msg+0x8f/0x270
 [<60267079>] netlink_rcv_skb+0xc9/0xe0
 [<60250d4b>] rtnetlink_rcv+0x3b/0x50
 [<60265400>] netlink_unicast+0x1a0/0x2c0
 [<60265e47>] netlink_sendmsg+0x3f7/0x470
 [<6021dc9a>] sock_sendmsg+0x3a/0x90
 [<6021e0d0>] ___sys_sendmsg+0x300/0x360
 [<6021fa64>] __sys_sendmsg+0x54/0xa0
 [<6021fac0>] SyS_sendmsg+0x10/0x20
 [<6001ea68>] handle_syscall+0x88/0x90
 [<600295fd>] userspace+0x3fd/0x500
 [<6001ac55>] fork_handler+0x85/0x90

$ addr2line -e vmlinux -i 0x602b3d18
include/linux/inetdevice.h:222
net/ipv4/fib_semantics.c:1264

Problem happens when RTNH_F_LINKDOWN is provided from user space
when creating routes that do not use the flag, catched with
netlink fuzzer.

Currently, the kernel allows user space to set both flags
to nh_flags and fib_flags but this is not intentional, the
assumption was that they are not set. Fix this by rejecting
both flags with EINVAL.

Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Fixes: 0eeb075fad ("net: ipv4 sysctl option to ignore routes when nexthop link is down")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
Cc: Dinesh Dutt <ddutt@cumulusnetworks.com>
Cc: Scott Feldman <sfeldma@gmail.com>
Reviewed-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 13:41:09 -07:00
Eric Dumazet
75ff39ccc1 tcp: make challenge acks less predictable
Yue Cao claims that current host rate limiting of challenge ACKS
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.

This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.

Based on initial analysis and patch from Linus.

Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.

v2: randomize the count of challenge acks per second, not the period.

Fixes: 282f23c6ee ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao <ycao009@ucr.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 13:33:35 -07:00
Michal Kubeček
a612769774 udp: prevent bugcheck if filter truncates packet too much
If socket filter truncates an udp packet below the length of UDP header
in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
kernel is configured that way) can be easily enforced by an unprivileged
user which was reported as CVE-2016-6162. For a reproducer, see
http://seclists.org/oss-sec/2016/q3/8

Fixes: e6afc8ace6 ("udp: remove headers from UDP packets before queueing")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 12:43:15 -07:00
Colin Ian King
f3ea3119ad bnxt_en: initialize rc to zero to avoid returning garbage
rc is not initialized so it can contain garbage if it is not
set by the call to bnxt_read_sfp_module_eeprom_info. Ensure
garbage is not returned by initializing rc to 0.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 12:41:36 -07:00
David S. Miller
7d32eb8781 Here are a couple batman-adv bugfix patches, all by Sven Eckelmann:
- Fix possible NULL pointer dereference for vlan_insert_tag (two patches)
 
  - Fix reference handling in some features, which may lead to reference
    leaks or invalid memory access (four patches)
 
  - Fix speedy join: DHCP packets handled by the gateway feature should
    be sent with 4-address unicast instead of 3-address unicast to make
    speedy join work. This fixes/speeds up DHCP assignment for clients
    which join a mesh for the first time. (one patch)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCgAGBQJXf3SCAAoJEKEr45hCkp6hAaAQAJxKFavGbXHWvj1M1VxqVFkN
 AlxP7JZ6OHgnWxBT3drk4ZRaxIA7v/2VkRYrCbxoYjIENiyrmNz+93SAzaBcTKxE
 nnUntdDbQWYE3MOGC1lUBIoPgjvs4DQRejyq5dvG9CYEcK9hE4pDKV7FUfeBgmgL
 dG5+9ht8JEjMYZq48FQp4SQwkQGpWRiS4fekZEUmcO1pIQpx0uOYTMfMZ/HpqpCN
 im1QhUXlAGCBcOIJwztqVb/04LKcuTS8Du+b50BFF5uITmCZdK0NmG5yBH+1Nn8K
 uKYanY3dHYUE4eGw3NAqnJ0uSiMQFlhk3gqKgHY8uu/KoMiqZ3tjBkNp+3fF3KqH
 0AnXEPPsQPU8RJ5WAHH6TR/UNnoCrfqU6AjbIclHNq7l3WY6u0fD2uKHCGlaV13M
 8XolPWECum8iLEptmYDlhYZrh5D9kteGDV7kt3XtQY8Hpv/UE1Jh1/iGrhNjtbdX
 7P6NsZdi/cnkGPhIaRnoEQaWHZVmbO4Rl8Q2Yb3Ze2LEUuLdrkmBjTBKqiOFMnMe
 7ltA3JL7ip/alRPeNsuiHOY28uNaog3YuEHg8QYiyTs449Os/TjWoh9pzD44dhkB
 auIxmiy/IyVdYwlQwfBHDJupVK7WncUq+iF/rv3TfTmY25FO4FC+EV+PsBZdWsc+
 co+amJR57ZOAygd0GgU2
 =7Z04
 -----END PGP SIGNATURE-----

Merge tag 'batadv-net-for-davem-20160708' of git://git.open-mesh.org/linux-merge

Simon Wunderlich says:

====================
Here are a couple batman-adv bugfix patches, all by Sven Eckelmann:

 - Fix possible NULL pointer dereference for vlan_insert_tag (two patches)

 - Fix reference handling in some features, which may lead to reference
   leaks or invalid memory access (four patches)

 - Fix speedy join: DHCP packets handled by the gateway feature should
   be sent with 4-address unicast instead of 3-address unicast to make
   speedy join work. This fixes/speeds up DHCP assignment for clients
   which join a mesh for the first time. (one patch)
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-11 12:28:44 -07:00
Peter Wu
ab58d8cc87 ALSA: hda - fix use-after-free after module unload
register_vga_switcheroo() sets the PM ops from the hda structure which
is freed later in azx_free. Make sure that these ops are cleared.

Caught by KASAN, initially noticed due to a general protection fault.

Fixes: 246efa4a07 ("snd/hda: add runtime suspend/resume on optimus support (v4)")
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-07-11 20:07:46 +02:00
Jeff Layton
6d4e56ce97 posix_acl: de-union a_refcount and a_rcu
Currently the two are unioned together, but I don't think that's safe.

It looks like get_cached_acl could race with the last put in
posix_acl_release. get_cached_acl calls atomic_inc_not_zero on
a_refcount, but that field could have already been clobbered by
call_rcu, and may no longer be zero. Fix this by de-unioning the two
fields.

Fixes: b8a7a3a667 (posix_acl: Inode acl caching fixes)
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-07-11 13:48:02 -04:00
Alan Cox
a6d4faeb29 ASoC: Intel: atom: fix missing breaks that would cause the wrong operation to execute
Now we correctly error an attempt to execute an unsupported operation.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-07-11 18:19:33 +01:00
Vinod Koul
25f3d86b1d ASoC: Intel: Skylake: Initialize module list for Broxton
The module list was not initialized for Broxton DSP code, so
initialize it.

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-07-11 18:19:33 +01:00