commit 22a6cbf9f36ee3ae2878efcbdde33e6ca00b9c4b Author: Sasha Levin Date: Mon Jul 20 21:13:10 2015 -0400 Linux 3.18.19 Signed-off-by: Sasha Levin commit 54f642ea6676705893c34a0bf53880aea29a1363 Author: David Vrabel Date: Thu Feb 19 15:23:17 2015 +0000 x86/xen: allow privcmd hypercalls to be preempted [ Upstream commit db0e2aa47f0a45fc56592c25ad370f8836cbb128 ] Hypercalls submitted by user space tools via the privcmd driver can take a long time (potentially many 10s of seconds) if the hypercall has many sub-operations. A fully preemptible kernel may deschedule such as task in any upcall called from a hypercall continuation. However, in a kernel with voluntary or no preemption, hypercall continuations in Xen allow event handlers to be run but the task issuing the hypercall will not be descheduled until the hypercall is complete and the ioctl returns to user space. These long running tasks may also trigger the kernel's soft lockup detection. Add xen_preemptible_hcall_begin() and xen_preemptible_hcall_end() to bracket hypercalls that may be preempted. Use these in the privcmd driver. When returning from an upcall, call xen_maybe_preempt_hcall() which adds a schedule point if if the current task was within a preemptible hypercall. Since _cond_resched() can move the task to a different CPU, clear and set xen_in_preemptible_hcall around the call. Signed-off-by: David Vrabel Reviewed-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit c35f0b5937875df73c8ca6cdffe38c668ae2a686 Author: Nicolas Dichtel Date: Thu Jul 16 11:31:43 2015 +0200 rtnl: restore notifications for deleted interfaces The commit 984ff7a3e060 is an upstream backport. In fact, it depends on commit 395eea6ccf2b ("rtnetlink: delay RTM_DELLINK notification until after ndo_uninit()") which has not been backported in 3.18.y. Before commit 395eea6ccf2b, rollback_registered_many() uses rtmsg_ifinfo(). The call to this function is done with dev->reg_state set to NETREG_UNREGISTERING, thus testing this reg_state in rtmsg_ifinfo() is wrong. This patch partially reverts commit 984ff7a3e060. Fixes: 984ff7a3e060 ("rtnl/bond: don't send rtnl msg for unregistered iface") Reported-by: Kristian Evensen Signed-off-by: Nicolas Dichtel Signed-off-by: Sasha Levin commit 14123aec27a6ff419a88bd531ce58932fea3a945 Author: Peter Hutterer Date: Mon Jun 8 10:17:32 2015 -0700 Input: synaptics - add min/max quirk for Lenovo S540 [ Upstream commit 7f2ca8b55aeff1fe51ed3570200ef88a96060917 ] https://bugzilla.redhat.com/show_bug.cgi?id=1223051#c2 Cc: stable@vger.kernel.org Tested-by: tommy.gagnes@gmail.com Signed-off-by: Peter Hutterer Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 5b76011bd4b0692b749f1c8fe60cc7ffe2b8641f Author: Sasha Levin Date: Tue Jul 14 14:58:30 2015 -0400 Revert "Input: synaptics - add min/max quirk for Lenovo S540" This reverts commit e73268af3e137b1f69d0f82d80aa88e0e8c7cbbe. Seems like an incorrect merge on my end, will pick the upstream version again next. Signed-off-by: Sasha Levin commit 2514b961f3db872fd58ddcc327a9f4687666467d Author: Sasha Levin Date: Mon Jul 13 08:56:15 2015 -0400 Revert "nfs: take extra reference to fl->fl_file when running a LOCKU operation" This reverts commit ed7f7f145ec1445a130513db9ad8f1547f77a578. Reverting from stable tree as fix was found to be buggy. New fix pending. Signed-off-by: Sasha Levin commit b3ba162c05c8c7097bd58c468bb6f59ef890226b Author: Fabian Frederick Date: Wed Jun 17 18:15:45 2015 +0200 fs/ufs: restore s_lock mutex_init() [ Upstream commit e4f95517f18271b1da36cfc5d700e46844396d6e ] Add last missing line in commit "cdd9eefdf905" ("fs/ufs: restore s_lock mutex") Signed-off-by: Fabian Frederick Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 427786d3e35a8c9edbe6e4560d5db3d5e399e317 Author: Jan Kara Date: Tue Jun 2 11:26:34 2015 +0200 ufs: Fix possible deadlock when looking up directories [ Upstream commit 514d748f69c97a51a2645eb198ac5c6218f22ff9 ] Commit e4502c63f56aeca88 (ufs: deal with nfsd/iget races) made ufs create inodes with I_NEW flag set. However ufs_mkdir() never cleared this flag. Thus if someone ever tried to lookup the directory by inode number, he would deadlock waiting for I_NEW to be cleared. Luckily this mostly happens only if the filesystem is exported over NFS since otherwise we have the inode attached to dentry and don't look it up by inode number. In rare cases dentry can get freed without inode being freed and then we'd hit the deadlock even without NFS export. Fix the problem by clearing I_NEW before instantiating new directory inode. Fixes: e4502c63f56aeca887ced37f24e0def1ef11cec8 Reported-by: Fabian Frederick Signed-off-by: Jan Kara Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 529a7fac10b86e5496de18164190260dff24b3ca Author: Jan Kara Date: Mon Jun 1 14:52:04 2015 +0200 ufs: Fix warning from unlock_new_inode() [ Upstream commit 12ecbb4b1d765a5076920999298d9625439dbe58 ] Commit e4502c63f56aeca88 (ufs: deal with nfsd/iget races) introduced unlock_new_inode() call into ufs_add_nondir(). However that function gets called also from ufs_link() which hands it already initialized inode and thus unlock_new_inode() complains. The problem is harmless but annoying. Fix the problem by opencoding necessary stuff in ufs_link() Fixes: e4502c63f56aeca887ced37f24e0def1ef11cec8 Signed-off-by: Jan Kara Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit e4102c423958dc4c88a5e4062f66976974709a6d Author: Eric W. Biederman Date: Wed Jan 7 08:10:09 2015 -0600 vfs: Ignore unlocked mounts in fs_fully_visible [ Upstream commit c89d4319ae55186496c43b7a6e510aa1d09dd387 ] commit ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 upstream. Limit the mounts fs_fully_visible considers to locked mounts. Unlocked can always be unmounted so considering them adds hassle but no security benefit. Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4f2e3f88a6fae8882371378d1d1cb493ca51a50c Author: Radim Krčmář Date: Tue Jun 30 22:19:17 2015 +0200 KVM: x86: properly restore LVT0 [ Upstream commit 58382447b9a9989da551a7b17e72756f6e238bb8 ] commit db1385624c686fe99fe2d1b61a36e1537b915d08 upstream. Legacy NMI watchdog didn't work after migration/resume, because vapics_in_nmi_mode was left at 0. Signed-off-by: Radim Krčmář Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 436a76ef9e7f33d2186e2d9f60d0b2b2f2ebeda5 Author: Cornelia Huck Date: Mon Jun 29 16:44:01 2015 +0200 KVM: s390: virtio-ccw: don't overwrite config space values [ Upstream commit 431dae778aea4eed31bd12e5ee82edc571cd4d70 ] Eric noticed problems with vhost-scsi and virtio-ccw: vhost-scsi complained about overwriting values in the config space, which was triggered by a broken implementation of virtio-ccw's config get/set routines. It was probably sheer luck that we did not hit this before. When writing a value to the config space, the WRITE_CONF ccw will always write from the beginning of the config space up to and including the value to be set. If the config space up to the value has not yet been retrieved from the device, however, we'll end up overwriting values. Keep track of the known config space and update if needed to avoid this. Moreover, READ_CONF will only read the number of bytes it has been instructed to retrieve, so we must not copy more than that to the buffer, or we might overwrite trailing values. Reported-by: Eric Farman Signed-off-by: Cornelia Huck Reviewed-by: Eric Farman Tested-by: Eric Farman Signed-off-by: Christian Borntraeger Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit f0f61c29dfb02b38431cef9058044a86bfa8f0cc Author: J. Bruce Fields Date: Thu Jun 4 15:57:25 2015 -0400 selinux: fix setting of security labels on NFS [ Upstream commit 9fc2b4b436cff7d8403034676014f1be9d534942 ] Before calling into the filesystem, vfs_setxattr calls security_inode_setxattr, which ends up calling selinux_inode_setxattr in our case. That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set. SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it only if selinux_is_sblabel_mnt returns true. The selinux_is_sblabel_mnt logic was broken by eadcabc697e9 "SELinux: do all flags twiddling in one place", which didn't take into the account the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs with eb9ae686507b "SELinux: Add new labeling type native labels". This caused setxattr's of security labels over NFSv4.2 to fail. Cc: stable@kernel.org # 3.13 Cc: Eric Paris Cc: David Quigley Reported-by: Richard Chan Signed-off-by: J. Bruce Fields Acked-by: Stephen Smalley [PM: added the stable dependency] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 00bd69b2ec9d3d4fabb1d00fb90756fe22c3ba4d Author: Rui Miguel Silva Date: Wed May 20 14:52:40 2015 +0100 usb: gadget: f_fs: add extra check before unregister_gadget_item [ Upstream commit f14e9ad17f46051b02bffffac2036486097de19e ] ffs_closed can race with configfs_rmdir which will call config_item_release, so add an extra check to avoid calling the unregister_gadget_item with an null gadget item. Signed-off-by: Rui Miguel Silva Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 71e331989c7b5bdf5b910d718ce206f431323039 Author: Palik, Imre Date: Mon Jun 8 14:46:49 2015 +0200 perf/x86: Honor the architectural performance monitoring version [ Upstream commit 2c33645d366d13b969d936b68b9f4875b1fdddea ] Architectural performance monitoring, version 1, doesn't support fixed counters. Currently, even if a hypervisor advertises support for architectural performance monitoring version 1, perf may still try to use the fixed counters, as the constraints are set up based on the CPU model. This patch ensures that perf honors the architectural performance monitoring version returned by CPUID, and it only uses the fixed counters for version 2 and above. (Some of the ideas in this patch came from Peter Zijlstra.) Signed-off-by: Imre Palik Signed-off-by: Peter Zijlstra (Intel) Cc: Andrew Morton Cc: Andy Lutomirski Cc: Anthony Liguori Cc: Arnaldo Carvalho de Melo Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Oleg Nesterov Cc: Paul Mackerras Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1433767609-1039-1-git-send-email-imrep.amz@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit eb1ea7225f048971e596f26dbda4f7089869b553 Author: Oleg Nesterov Date: Sat May 30 22:04:25 2015 +0200 perf: Fix ring_buffer_attach() RCU sync, again [ Upstream commit 2f993cf093643b98477c421fa2b9a98dcc940323 ] While looking for other users of get_state/cond_sync. I Found ring_buffer_attach() and it looks obviously buggy? Don't we need to ensure that we have "synchronize" _between_ list_del() and list_add() ? IOW. Suppose that ring_buffer_attach() preempts right_after get_state_synchronize_rcu() and gp completes before spin_lock(). In this case cond_synchronize_rcu() does nothing and we reuse ->rb_entry without waiting for gp in between? It also moves the ->rcu_pending check under "if (rb)", to make it more readable imo. Signed-off-by: Oleg Nesterov Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Andrew Morton Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Paul E. McKenney Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: dave@stgolabs.net Cc: der.herr@hofr.at Cc: josh@joshtriplett.org Cc: tj@kernel.org Fixes: b69cf53640da ("perf: Fix a race between ring_buffer_detach() and ring_buffer_attach()") Link: http://lkml.kernel.org/r/20150530200425.GA15748@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 41a9cc4cdc9f75335731631575632a36c9c96d16 Author: Borislav Petkov Date: Fri Jun 19 13:49:06 2015 +0200 x86/boot: Fix overflow warning with 32-bit binutils [ Upstream commit 04c17341b42699a5859a8afa05e64ba08a4e5235 ] When building the kernel with 32-bit binutils built with support only for the i386 target, we get the following warning: arch/x86/kernel/head_32.S:66: Warning: shift count out of range (32 is not between 0 and 31) The problem is that in that case, binutils' internal type representation is 32-bit wide and the shift range overflows. In order to fix this, manipulate the shift expression which creates the 4GiB constant to not overflow the shift count. Suggested-by: Michael Matz Reported-and-tested-by: Enrico Mioso Signed-off-by: Borislav Petkov Cc: Andrew Morton Cc: Borislav Petkov Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 1bbf6a5be19ef725e3887a45ec86a133f13a4426 Author: Eric W. Biederman Date: Sun May 24 09:25:00 2015 -0500 vfs: Remove incorrect debugging WARN in prepend_path [ Upstream commit 93e3bce6287e1fb3e60d3324ed08555b5bbafa89 ] The warning message in prepend_path is unclear and outdated. It was added as a warning that the mechanism for generating names of pseudo files had been removed from prepend_path and d_dname should be used instead. Unfortunately the warning reads like a general warning, making it unclear what to do with it. Remove the warning. The transition it was added to warn about is long over, and I added code several years ago which in rare cases causes the warning to fire on legitimate code, and the warning is now firing and scaring people for no good reason. Cc: stable@vger.kernel.org Reported-by: Ivan Delalande Reported-by: Omar Sandoval Fixes: f48cfddc6729e ("vfs: In d_path don't call d_dname on a mount point") Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 26f6fb3b8eaaca7f35a7b8d86ed5e6eb7592b306 Author: Radim Krčmář Date: Wed Jul 1 15:31:49 2015 +0200 KVM: x86: make vapics_in_nmi_mode atomic [ Upstream commit 42720138b06301cc8a7ee8a495a6d021c4b6a9bc ] Writes were a bit racy, but hard to turn into a bug at the same time. (Particularly because modern Linux doesn't use this feature anymore.) Signed-off-by: Radim Krčmář [Actually the next patch makes it much, much easier to trigger the race so I'm including this one for stable@ as well. - Paolo] Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 7464fcc6df1189e2088cb846fc73838edd70af87 Author: Marc Zyngier Date: Mon Mar 16 10:59:43 2015 +0000 arm: KVM: force execution of HCPTR access on VM exit [ Upstream commit 85e84ba31039595995dae80b277378213602891b ] On VM entry, we disable access to the VFP registers in order to perform a lazy save/restore of these registers. On VM exit, we restore access, test if we did enable them before, and save/restore the guest/host registers if necessary. In this sequence, the FPEXC register is always accessed, irrespective of the trapping configuration. If the guest didn't touch the VFP registers, then the HCPTR access has now enabled such access, but we're missing a barrier to ensure architectural execution of the new HCPTR configuration. If the HCPTR access has been delayed/reordered, the subsequent access to FPEXC will cause a trap, which we aren't prepared to handle at all. The same condition exists when trapping to enable VFP for the guest. The fix is to introduce a barrier after enabling VFP access. In the vmexit case, it can be relaxed to only takes place if the guest hasn't accessed its view of the VFP registers, making the access to FPEXC safe. The set_hcptr macro is modified to deal with both vmenter/vmexit and vmtrap operations, and now takes an optional label that is branched to when the guest hasn't touched the VFP registers. Reported-by: Vikram Sethi Cc: stable@kernel.org # v3.9+ Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit f4edd6d5e39a5340b6c01dce0fbd5e2d61427973 Author: Joerg Roedel Date: Thu Jun 18 10:48:34 2015 +0200 iommu/amd: Handle large pages correctly in free_pagetable [ Upstream commit 0b3fff54bc01e8e6064d222a33e6fa7adabd94cd ] Make sure that we are skipping over large PTEs while walking the page-table tree. Cc: stable@kernel.org Fixes: 5c34c403b723 ("iommu/amd: Fix memory leak in free_pagetable") Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 8729369484a2c655c5f351ad507e6bf099bc8f5e Author: Geoff Levand Date: Fri Oct 31 23:06:47 2014 +0000 arm64/kvm: Fix assembler compatibility of macros [ Upstream commit 286fb1cc32b11c18da3573a8c8c37a4f9da16e30 ] Some of the macros defined in kvm_arm.h are useful in assembly files, but are not compatible with the assembler. Change any C language integer constant definitions using appended U, UL, or ULL to the UL() preprocessor macro. Also, add a preprocessor include of the asm/memory.h file which defines the UL() macro. Fixes build errors like these when using kvm_arm.h in assembly source files: Error: unexpected characters following instruction at operand 3 -- `and x0,x1,#((1U<<25)-1)' Acked-by: Mark Rutland Signed-off-by: Geoff Levand Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit e30a208ef738474220c53e91294c05659fa4acf0 Author: Bandan Das Date: Thu Jun 11 02:05:33 2015 -0400 KVM: nSVM: Check for NRIPS support before updating control field [ Upstream commit f104765b4f81fd74d69e0eb161e89096deade2db ] If hardware doesn't support DecodeAssist - a feature that provides more information about the intercept in the VMCB, KVM decodes the instruction and then updates the next_rip vmcb control field. However, NRIP support itself depends on cpuid Fn8000_000A_EDX[NRIPS]. Since skip_emulated_instruction() doesn't verify nrip support before accepting control.next_rip as valid, avoid writing this field if support isn't present. Signed-off-by: Bandan Das Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 2bb39098bfba54f29f1d3edb5c5f995fb81ee24f Author: Sebastien Szymanski Date: Wed May 20 16:30:37 2015 +0200 ARM: clk-imx6q: refine sata's parent [ Upstream commit 3a3ac04f0e0ef48c2d30ae6df7b8906421c2b35d ] commit da946aeaeadcd24ff0cda9984c6fb8ed2bfd462a upstream. According to IMX6D/Q RM, table 18-3, sata clock's parent is ahb, not ipg. Signed-off-by: Sebastien Szymanski Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo [dirk.behme: Adjust moved file] Signed-off-by: Dirk Behme Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 55e97f654cbbbef70f9714f0e113604dd931e360 Author: Filipe Manana Date: Sun Nov 9 08:38:39 2014 +0000 Btrfs: make xattr replace operations atomic [ Upstream commit 02590fd855d1690568b2fa439c942e933221b57a ] commit 5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 upstream. Replacing a xattr consists of doing a lookup for its existing value, delete the current value from the respective leaf, release the search path and then finally insert the new value. This leaves a time window where readers (getxattr, listxattrs) won't see any value for the xattr. Xattrs are used to store ACLs, so this has security implications. This change also fixes 2 other existing issues which were: *) Deleting the old xattr value without verifying first if the new xattr will fit in the existing leaf item (in case multiple xattrs are packed in the same item due to name hash collision); *) Returning -EEXIST when the flag XATTR_CREATE is given and the xattr doesn't exist but we have have an existing item that packs muliple xattrs with the same name hash as the input xattr. In this case we should return ENOSPC. A test case for xfstests follows soon. Thanks to Alexandre Oliva for reporting the non-atomicity of the xattr replace implementation. Reported-by: Alexandre Oliva Signed-off-by: Filipe Manana Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5ba6a2f494ab6e6d6e7fb58f099dde2f9ad06f3b Author: Quentin Casasnovas Date: Tue Feb 3 13:00:22 2015 +0100 x86/microcode/intel: Guard against stack overflow in the loader [ Upstream commit f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4 ] mc_saved_tmp is a static array allocated on the stack, we need to make sure mc_saved_count stays within its bounds, otherwise we're overflowing the stack in _save_mc(). A specially crafted microcode header could lead to a kernel crash or potentially kernel execution. Signed-off-by: Quentin Casasnovas Cc: "H. Peter Anvin" Cc: Fenghua Yu Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com Signed-off-by: Borislav Petkov Signed-off-by: Sasha Levin commit ab297a497046d0726b31316258177f5183c5fbc8 Author: Pablo Neira Ayuso Date: Tue Mar 17 13:21:42 2015 +0100 netfilter: nf_tables: allow to change chain policy without hook if it exists [ Upstream commit d6b6cb1d3e6f78d55c2d4043d77d0d8def3f3b99 ] If there's an existing base chain, we have to allow to change the default policy without indicating the hook information. However, if the chain doesn't exists, we have to enforce the presence of the hook attribute. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 70d9847bcbbe12714e9535c2375b03217c711c4d Author: Pablo Neira Ayuso Date: Sat Mar 21 19:25:05 2015 +0100 netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set [ Upstream commit 749177ccc74f9c6d0f51bd78a15c652a2134aa11 ] ip6tables extensions check for this flag to restrict match/target to a given protocol. Without this flag set, SYNPROXY6 returns an error. Signed-off-by: Pablo Neira Ayuso Acked-by: Patrick McHardy Signed-off-by: Sasha Levin commit ade6bee2556071469ea10cb113912ee0ed841977 Author: Ian Wilson Date: Thu Mar 12 09:37:58 2015 +0000 netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() [ Upstream commit 78146572b9cd20452da47951812f35b1ad4906be ] nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(), nfnl_cthelper_get() and nfnl_cthelper_del(). In each case they pass a pointer to an nf_conntrack_tuple data structure local variable: struct nf_conntrack_tuple tuple; ... ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]); The problem is that this local variable is not initialized, and nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and dst.protonum. This leaves all other fields with undefined values based on whatever is on the stack: tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM])); tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]); The symptom observed was that when the rpc and tns helpers were added then traffic to port 1536 was being sent to user-space. Signed-off-by: Ian Wilson Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit f1576d2ef7c36cae51803a33a46437dd38a873b6 Author: Jim Snow Date: Tue Nov 18 14:51:09 2014 +0100 sb_edac: Fix erroneous bytes->gigabytes conversion [ Upstream commit ece9210859abb2cc0126f8adbfbbdee668d4906a ] commit 8c009100295597f23978c224aec5751a365bc965 upstream. Signed-off-by: Jim Snow Signed-off-by: Lukasz Anaczkowski Signed-off-by: Mauro Carvalho Chehab [ vlee: Backported to 3.14. Adjusted context. ] Signed-off-by: Vinson Lee Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c29e4d9d00f9d64aeb5af9806042c3dc4008b107 Author: Steven Rostedt Date: Mon Jun 15 17:50:25 2015 -0400 tracing: Have filter check for balanced ops [ Upstream commit 2cf30dc180cea808077f003c5116388183e54f9e ] When the following filter is used it causes a warning to trigger: # cd /sys/kernel/debug/tracing # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter -bash: echo: write error: Invalid argument # cat events/ext4/ext4_truncate_exit/filter ((dev==1)blocks==2) ^ parse_error: No error ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990() Modules linked in: bnep lockd grace bluetooth ... CPU: 3 PID: 1223 Comm: bash Tainted: G W 4.1.0-rc3-test+ #450 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012 0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0 0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea Call Trace: [] dump_stack+0x4c/0x6e [] warn_slowpath_common+0x97/0xe0 [] ? _kstrtoull+0x2c/0x80 [] warn_slowpath_null+0x1a/0x20 [] replace_preds+0x3c5/0x990 [] create_filter+0x82/0xb0 [] apply_event_filter+0xd4/0x180 [] event_filter_write+0x8f/0x120 [] __vfs_write+0x28/0xe0 [] ? __sb_start_write+0x53/0xf0 [] ? security_file_permission+0x30/0xc0 [] vfs_write+0xb8/0x1b0 [] SyS_write+0x4f/0xb0 [] system_call_fastpath+0x12/0x6a ---[ end trace e11028bd95818dcd ]--- Worse yet, reading the error message (the filter again) it says that there was no error, when there clearly was. The issue is that the code that checks the input does not check for balanced ops. That is, having an op between a closed parenthesis and the next token. This would only cause a warning, and fail out before doing any real harm, but it should still not caues a warning, and the error reported should work: # cd /sys/kernel/debug/tracing # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter -bash: echo: write error: Invalid argument # cat events/ext4/ext4_truncate_exit/filter ((dev==1)blocks==2) ^ parse_error: Meaningless filter expression And give no kernel warning. Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home Cc: Peter Zijlstra Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: stable@vger.kernel.org # 2.6.31+ Reported-by: Vince Weaver Tested-by: Vince Weaver Signed-off-by: Steven Rostedt Signed-off-by: Sasha Levin commit df93988e8b5cd9fe6b1b73c5da668d7e0ca018a4 Author: Jan Kara Date: Thu May 21 16:05:52 2015 +0200 fs: Fix S_NOSEC handling [ Upstream commit 2426f3910069ed47c0cc58559a6d088af7920201 ] file_remove_suid() could mistakenly set S_NOSEC inode bit when root was modifying the file. As a result following writes to the file by ordinary user would avoid clearing suid or sgid bits. Fix the bug by checking actual mode bits before setting S_NOSEC. CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit c215cf258214858a5a6c3e63cd7ee78b92d210b2 Author: Oliver Hartkopp Date: Sun Jun 21 18:50:44 2015 +0200 can: fix loss of CAN frames in raw_rcv [ Upstream commit 36c01245eb8046c16eee6431e7dbfbb302635fa8 ] As reported by Manfred Schlaegl here http://marc.info/?l=linux-netdev&m=143482089824232&w=2 commit 514ac99c64b "can: fix multiple delivery of a single CAN frame for overlapping CAN filters" requires the skb->tstamp to be set to check for identical CAN skbs. As net timestamping is influenced by several players (netstamp_needed and netdev_tstamp_prequeue) Manfred missed a proper timestamp which leads to CAN frame loss. As skb timestamping became now mandatory for CAN related skbs this patch makes sure that received CAN skbs always have a proper timestamp set. Maybe there's a better solution in the future but this patch fixes the CAN frame loss so far. Reported-by: Manfred Schlaegl Signed-off-by: Oliver Hartkopp Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit e47534f4c52e9e18445d24c04b5c3366278589ee Author: Fabian Frederick Date: Wed Jun 10 10:09:32 2015 +1000 fs/ufs: restore s_lock mutex [ Upstream commit cdd9eefdf905e92e7fc6cc393314efe68dc6ff66 ] Commit 0244756edc4b98c ("ufs: sb mutex merge + mutex_destroy") generated deadlocks in read/write mode on mkdir. This patch partially reverts it keeping fixes by Andrew Morton and mutex_destroy() [AV: fixed a missing bit in ufs_remount()] Signed-off-by: Fabian Frederick Reported-by: Ian Campbell Suggested-by: Jan Kara Cc: Ian Campbell Cc: Evgeniy Dushistov Cc: Alexey Khoroshilov Cc: Roger Pau Monne Cc: Ian Jackson Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 1834887a14a7abe4ec4d3870df7c2197bbbad480 Author: Fabian Frederick Date: Wed Jun 10 10:09:32 2015 +1000 fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge" [ Upstream commit 13b987ea275840d74d9df9a44326632fab1894da ] This reverts commit 9ef7db7f38d0 ("ufs: fix deadlocks introduced by sb mutex merge") That patch tried to solve commit 0244756edc4b98c ("ufs: sb mutex merge + mutex_destroy") which is itself partially reverted due to multiple deadlocks. Signed-off-by: Fabian Frederick Suggested-by: Jan Kara Cc: Ian Campbell Cc: Evgeniy Dushistov Cc: Alexey Khoroshilov Cc: Roger Pau Monne Cc: Ian Jackson Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 82e9d5be4deab3829fb6d2738578582b4b1752ec Author: Chen Gang Date: Wed Dec 24 23:04:54 2014 +0800 netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings [ Upstream commit b18c5d15e8714336365d9d51782d5b53afa0443c ] The related code can be simplified, and also can avoid related warnings (with allmodconfig under parisc): CC [M] net/netfilter/nfnetlink_cthelper.o net/netfilter/nfnetlink_cthelper.c: In function ‘nfnl_cthelper_from_nlattr’: net/netfilter/nfnetlink_cthelper.c:97:9: warning: passing argument 1 o ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers] memcpy(&help->data, nla_data(attr), help->helper->data_len); ^ In file included from include/linux/string.h:17:0, from include/uapi/linux/uuid.h:25, from include/linux/uuid.h:23, from include/linux/mod_devicetable.h:12, from ./arch/parisc/include/asm/hardware.h:4, from ./arch/parisc/include/asm/processor.h:15, from ./arch/parisc/include/asm/spinlock.h:6, from ./arch/parisc/include/asm/atomic.h:21, from include/linux/atomic.h:4, from ./arch/parisc/include/asm/bitops.h:12, from include/linux/bitops.h:36, from include/linux/kernel.h:10, from include/linux/list.h:8, from include/linux/module.h:9, from net/netfilter/nfnetlink_cthelper.c:11: ./arch/parisc/include/asm/string.h:8:8: note: expected ‘void *’ but argument is of type ‘const char (*)[]’ void * memcpy(void * dest,const void *src,size_t count); ^ Signed-off-by: Chen Gang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit a61452a5be39fc0d385dd48eb6fc15ce14cdf8a3 Author: Konrad Rzeszutek Wilk Date: Fri Apr 17 15:04:48 2015 -0400 config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected [ Upstream commit a6dfa128ce5c414ab46b1d690f7a1b8decb8526d ] A huge amount of NIC drivers use the DMA API, however if compiled under 32-bit an very important part of the DMA API can be ommitted leading to the drivers not working at all (especially if used with 'swiotlb=force iommu=soft'). As Prashant Sreedharan explains it: "the driver [tg3] uses DEFINE_DMA_UNMAP_ADDR(), dma_unmap_addr_set() to keep a copy of the dma "mapping" and dma_unmap_addr() to get the "mapping" value. On most of the platforms this is a no-op, but ... with "iommu=soft and swiotlb=force" this house keeping is required, ... otherwise we pass 0 while calling pci_unmap_/pci_dma_sync_ instead of the DMA address." As such enable this even when using 32-bit kernels. Reported-by: Ian Jackson Signed-off-by: Konrad Rzeszutek Wilk Acked-by: David S. Miller Acked-by: Prashant Sreedharan Cc: Borislav Petkov Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Michael Chan Cc: Thomas Gleixner Cc: boris.ostrovsky@oracle.com Cc: cascardo@linux.vnet.ibm.com Cc: david.vrabel@citrix.com Cc: sanjeevb@broadcom.com Cc: siva.kallam@broadcom.com Cc: vyasevich@gmail.com Cc: xen-devel@lists.xensource.com Link: http://lkml.kernel.org/r/20150417190448.GA9462@l.oracle.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit b7f25a6e37630d82ecff01ac5ae033b644c7f139 Author: Eugene Shatokhin Date: Tue Mar 17 19:09:18 2015 +0900 kprobes/x86: Return correct length in __copy_instruction() [ Upstream commit c80e5c0c23ce2282476fdc64c4b5e3d3a40723fd ] On x86-64, __copy_instruction() always returns 0 (error) if the instruction uses %rip-relative addressing. This is because kernel_insn_init() is called the second time for 'insn' instance in such cases and sets all its fields to 0. Because of this, trying to place a kprobe on such instruction will fail, register_kprobe() will return -EINVAL. This patch fixes the problem. Signed-off-by: Eugene Shatokhin Signed-off-by: Masami Hiramatsu Link: http://lkml.kernel.org/r/20150317100918.28349.94654.stgit@localhost.localdomain Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 1551f2cd43d93d2990e5a05e167494fe2c489f81 Author: Eric W. Biederman Date: Fri May 8 23:49:47 2015 -0500 mnt: Modify fs_fully_visible to deal with locked ro nodev and atime [ Upstream commit 8c6cf9cc829fcd0b179b59f7fe288941d0e31108 ] Ignore an existing mount if the locked readonly, nodev or atime attributes are less permissive than the desired attributes of the new mount. On success ensure the new mount locks all of the same readonly, nodev and atime attributes as the old mount. The nosuid and noexec attributes are not checked here as this change is destined for stable and enforcing those attributes causes a regression in lxc and libvirt-lxc where those applications will not start and there are no known executables on sysfs or proc and no known way to create exectuables without code modifications Cc: stable@vger.kernel.org Fixes: e51db73532955 ("userns: Better restrictions on when proc and sysfs can be mounted") Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 0ee51b6117def6d60ea5a4eb3db8f0ef9f6a0fdf Author: Nicolas Ferre Date: Mon May 11 13:00:31 2015 +0200 tty/serial: at91: RS485 mode: 0 is valid for delay_rts_after_send [ Upstream commit 8687634b7908c42eb700e0469e110e02833611d1 ] In RS485 mode, we may want to set the delay_rts_after_send value to 0. In the datasheet, the 0 value is said to "disable" the Transmitter Timeguard but this is exactly the expected behavior if we want no delay... Moreover, if the value was set to non-zero value by device-tree or earlier ioctl command, it was impossible to change it back to zero. Reported-by: Sami Pietikäinen Signed-off-by: Nicolas Ferre Cc: stable@vger.kernel.org # 3.2+ Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 78ee73651f6e3f0b53ca6e00615c2ca43a57174e Author: Eric W. Biederman Date: Fri May 8 23:22:29 2015 -0500 mnt: Refactor the logic for mounting sysfs and proc in a user namespace [ Upstream commit 1b852bceb0d111e510d1a15826ecc4a19358d512 ] Fresh mounts of proc and sysfs are a very special case that works very much like a bind mount. Unfortunately the current structure can not preserve the MNT_LOCK... mount flags. Therefore refactor the logic into a form that can be modified to preserve those lock bits. Add a new filesystem flag FS_USERNS_VISIBLE that requires some mount of the filesystem be fully visible in the current mount namespace, before the filesystem may be mounted. Move the logic for calling fs_fully_visible from proc and sysfs into fs/namespace.c where it has greater access to mount namespace state. Cc: stable@vger.kernel.org Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin