summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Input: wacom_w8001 - handle errors from input_mt_init_slots()Ping Cheng2016-07-191-1/+7
| | | | | | | input_mt_init_slots() may fail and we should be handling failures properly. Signed-off-by: Ping Cheng <pingc@wacom.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
* Input: wacom_w8001 - resolution wasn't set for ABS_MT_POSITION_X/YPing Cheng2016-07-191-0/+2
| | | | | Signed-off-by: Ping Cheng <pingc@wacom.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
* Merge branch 'for-linus' into nextDmitry Torokhov2016-07-1910007-248274/+507405
|\ | | | | | | Sync up to bring in wacom_w8001 changes to avoid merge conflicts later.
| * Input: ts4800-ts - add missing of_node_put after calling of_parse_phandlePeter Chen2016-07-151-6/+7
| | | | | | | | | | | | | | of_node_put needs to be called when the device node which is got from of_parse_phandle has finished using. Signed-off-by: Peter Chen <peter.chen@nxp.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Input: synaptics-rmi4 - use of_get_child_by_name() to fix refcountAndrew Duggan2016-07-141-2/+2
| | | | | | | | | | | | | | | | | | | | | | Calling of_find_node_by_name() assumes that the caller has incremented the refcount of the of_node being passed in. Currently, the caller is not incrementing the refcount of the of_node which results in the node being prematurely freed when of_find_node_by_name() calls of_node_put() on it. Instead use of_get_child_by_name() which does not call put on the of_node. Signed-off-by: Andrew Duggan <aduggan@synaptics.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Revert "Input: wacom_w8001 - drop use of ABS_MT_TOOL_TYPE"Dmitry Torokhov2016-07-141-0/+3
| | | | | | | | | | | | | | | | | | | | This reverts commit 5f7e5445a2de848c66d2d80ba5479197e8287c33 because removal of input_mt_report_slot_state() means we no longer generate tracking IDs for the reported contacts. Cc: stable@vger.kernel.org Acked-by: Peter Hutterer <peter.hutterer@who-t.net> Acked-by: Ping Cheng <pinglinux@gmail.com>
| * Input: xpad - validate USB endpoint count during probeCameron Gutman2016-06-291-0/+3
| | | | | | | | | | | | | | This prevents a malicious USB device from causing an oops. Signed-off-by: Cameron Gutman <aicommander@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Input: add SW_PEN_INSERTED defineDouglas Anderson2016-06-291-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Some devices with a pen may have a switch that can be used to detect when the pen is inserted or removed to a slot on the device. Let's add a define to the input event codes so that everyone can be on the same page for what event we should generate when the pen is inserted or removed. In general the pen switch could be used by the software on the device to kick off any number of actions when the pen is inserted or removed. Signed-off-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Input: vmmouse - remove port reservationSinclair Yeh2016-06-241-20/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The VMWare EFI BIOS will expose port 0x5658 as an ACPI resource. This causes the port to be reserved by the APCI module as the system comes up, making it unavailable to be reserved again by other drivers, thus preserving this VMWare port for special use in a VMWare guest. This port is designed to be shared among multiple VMWare services, such as the VMMOUSE. Because of this, VMMOUSE should not try to reserve this port on its own. The VMWare non-EFI BIOS does not do this to preserve compatibility with existing/legacy VMs. It is known that there is small chance a VM may be configured such that these ports get reserved by other non-VMWare devices, and if this ever happens, the result is undefined. Signed-off-by: Sinclair Yeh <syeh@vmware.com> Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com> Cc: <stable@vger.kernel.org> # 4.1- Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Input: elantech - add more IC body types to the listDmitry Torokhov2016-06-231-7/+1
| | | | | | | | | | | | | | | | | | | | | | The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and according to Elan both 11 and 12 are valid IC types and should be identified as hw_version 4. Reported-by: Patrick Lessard <Patrick.Lessard@cogeco.com> Tested-by: Patrick Lessard <Patrick.Lessard@cogeco.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Input: wacom_w8001 - ignore invalid pen data packetsPing Cheng2016-06-231-0/+9
| | | | | | | | | | | | | | | | | | | | | | ThinkPad X60 Tablet PC (pen only device) sometime posts packets that are larger than W8001_PKTLEN_TPCPEN. Reported-by: Chris J Arges <christopherarges@gmail.com> Tested-by: Chris J Arges <christopherarges@gmail.com> Signed-off-by: Ping Cheng <pingc@wacom.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Input: wacom_w8001 - w8001_MAX_LENGTH should be 13Ping Cheng2016-06-231-1/+1
| | | | | | | | | | | | | | | | | | Somehow the patch that added two-finger touch support forgot to update W8001_MAX_LENGTH from 11 to 13. Signed-off-by: Ping Cheng <pingc@wacom.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Input: xpad - fix oops when attaching an unknown Xbox One gamepadCameron Gutman2016-06-231-10/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Xbox One controllers have multiple interfaces which all have the same class, subclass, and protocol. One of the these interfaces has only a single endpoint. When Xpad attempts to bind to this interface, it causes an oops when trying initialize the output URB by trying to access the second endpoint's descriptor. This situation was avoided for known Xbox One devices by checking the XTYPE constant associated with the VID and PID tuple. However, this breaks when new or previously unknown Xbox One controllers are attached to the system. This change addresses the problem by deriving the XTYPE for Xbox One controllers based on the interface protocol before checking the interface number. Fixes: 1a48ff81b391 ("Input: xpad - add support for Xbox One controllers") Signed-off-by: Cameron Gutman <aicommander@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * MAINTAINERS: add Pali Rohár as reviewer of ALPS PS/2 touchpad driverPali Rohár2016-06-191-0/+4
| | | | | | | | Signed-off-by: Pali Rohár <pali.rohar@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| * Merge branch 'cec-defines' into for-linusDmitry Torokhov2016-06-199990-248158/+507228
| |\ | | | | | | | | | | | | Let's bring in HDMI CEC defines to ease merging CEC support in the next merge window.
| | * Input: add HDMI CEC specific keycodesKamil Debski2016-06-181-0/+31
| | | | | | | | | | | | | | | | | | | | | Add HDMI CEC specific keycodes to the keycodes definition. Signed-off-by: Kamil Debski <kamil@wypas.org> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| | * Input: add BUS_CEC typeHans Verkuil2016-06-181-0/+1
| | | | | | | | | | | | | | | | | | Inputs can come in over the HDMI CEC bus, so add a new type for this. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| | * Linux 4.6v4.6Linus Torvalds2016-05-161-1/+1
| | |
| | * Merge branch 'x86-urgent-for-linus' of ↵Linus Torvalds2016-05-151-2/+2
| | |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Thomas Gleixner: "Just the missing compat entry for the new pread/writev2" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86: Use compat version for preadv2 and pwritev2
| | | * x86: Use compat version for preadv2 and pwritev2Dmitry V. Levin2016-05-121-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Similar to preadv and pwritev, preadv2 and pwritev2 need compat entries in the 32-bit syscall table. This bug was found by strace test suite. Fixes: 4babf2c5efb7 ("x86: wire up preadv2 and pwritev2") Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Acked-by: Christoph Hellwig <hch@lst.de> Link: http://lkml.kernel.org/r/20160511084817.GA29823@altlinux.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
| | * | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds2016-05-1416-45/+175
| | |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull networking fixes from David Miller: 1) Fix mvneta/bm dependencies, from Arnd Bergmann. 2) RX completion hw bug workaround in bnxt_en, from Michael Chan. 3) Kernel pointer leak in nf_conntrack, from Linus. 4) Hoplimit route attribute limits not enforced properly, from Paolo Abeni. 5) qlcnic driver NULL deref fix from Dan Carpenter. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: arm64: bpf: jit JMP_JSET_{X,K} net/route: enforce hoplimit max value nf_conntrack: avoid kernel pointer value leak in slab name drivers: net: xgene: fix register offset drivers: net: xgene: fix statistics counters race condition drivers: net: xgene: fix ununiform latency across queues drivers: net: xgene: fix sharing of irqs drivers: net: xgene: fix IPv4 forward crash xen-netback: fix extra_info handling in xenvif_tx_err() net: mvneta: bm: fix dependencies again bnxt_en: Add workaround to detect bad opaque in rx completion (part 2) bnxt_en: Add workaround to detect bad opaque in rx completion (part 1) qlcnic: potential NULL dereference in qlcnic_83xx_get_minidump_template()
| | | * | arm64: bpf: jit JMP_JSET_{X,K}Zi Shen Lim2016-05-141-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Original implementation commit e54bcde3d69d ("arm64: eBPF JIT compiler") had the relevant code paths, but due to an oversight always fail jiting. As a result, we had been falling back to BPF interpreter whenever a BPF program has JMP_JSET_{X,K} instructions. With this fix, we confirm that the corresponding tests in lib/test_bpf continue to pass, and also jited. ... [ 2.784553] test_bpf: #30 JSET jited:1 188 192 197 PASS [ 2.791373] test_bpf: #31 tcpdump port 22 jited:1 325 677 625 PASS [ 2.808800] test_bpf: #32 tcpdump complex jited:1 323 731 991 PASS ... [ 3.190759] test_bpf: #237 JMP_JSET_K: if (0x3 & 0x2) return 1 jited:1 110 PASS [ 3.192524] test_bpf: #238 JMP_JSET_K: if (0x3 & 0xffffffff) return 1 jited:1 98 PASS [ 3.211014] test_bpf: #249 JMP_JSET_X: if (0x3 & 0x2) return 1 jited:1 120 PASS [ 3.212973] test_bpf: #250 JMP_JSET_X: if (0x3 & 0xffffffff) return 1 jited:1 89 PASS ... Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler") Signed-off-by: Zi Shen Lim <zlim.lnx@gmail.com> Acked-by: Will Deacon <will.deacon@arm.com> Acked-by: Yang Shi <yang.shi@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | * | net/route: enforce hoplimit max valuePaolo Abeni2016-05-142-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, when creating or updating a route, no check is performed in both ipv4 and ipv6 code to the hoplimit value. The caller can i.e. set hoplimit to 256, and when such route will be used, packets will be sent with hoplimit/ttl equal to 0. This commit adds checks for the RTAX_HOPLIMIT value, in both ipv4 ipv6 route code, substituting any value greater than 255 with 255. This is consistent with what is currently done for ADVMSS and MTU in the ipv4 code. Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | * | nf_conntrack: avoid kernel pointer value leak in slab nameLinus Torvalds2016-05-141-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The slab name ends up being visible in the directory structure under /sys, and even if you don't have access rights to the file you can see the filenames. Just use a 64-bit counter instead of the pointer to the 'net' structure to generate a unique name. This code will go away in 4.7 when the conntrack code moves to a single kmemcache, but this is the backportable simple solution to avoiding leaking kernel pointers to user space. Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep") Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
| | | * | Merge branch 'xgene-fixes'David S. Miller2016-05-147-41/+94
| | | |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Iyappan Subramanian says: ==================== drivers: net: xgene: Bug fixes This patch set addresses the following bug fixes that were found during testing. 1. IPv4 forward test crash - drivers: net: xgene: fix IPv4 forward crash 2. Sharing of irqs - drivers: net: xgene: fix sharing of irqs 3. Ununiform latency across queues - drivers: net: xgene: fix ununiform latency across queues 4. Fix statistics counters race condition - drivers: net: xgene: fix statistics counters race condition 5. Correcting register offset and field lengths - drivers: net: xgene: fix register offset v2: Address review comments from v1 - Defer TSO fix, and reposting all other patches from v1 v1: - Initial version ==================== Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | | * | drivers: net: xgene: fix register offsetIyappan Subramanian2016-05-142-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes SG_RX_DV_GATE_REG_0_ADDR register offset and ring state field lengths. Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Tested-by: Toan Le <toanle@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | | * | drivers: net: xgene: fix statistics counters race conditionIyappan Subramanian2016-05-144-19/+53
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the race condition on updating the statistics counters by moving the counters to the ring structure. Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Tested-by: Toan Le <toanle@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | | * | drivers: net: xgene: fix ununiform latency across queuesIyappan Subramanian2016-05-142-11/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch addresses ununiform latency across queues by adding more queues to match with, upto number of CPU cores. Also, number of interrupts are increased and the channel numbers are reordered. Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Tested-by: Toan Le <toanle@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | | * | drivers: net: xgene: fix sharing of irqsIyappan Subramanian2016-05-141-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since hardware doesn't allow sharing of interrupts, this patch fixes the same by removing IRQF_SHARED flag. Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Tested-by: Toan Le <toanle@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | | * | drivers: net: xgene: fix IPv4 forward crashIyappan Subramanian2016-05-142-5/+8
| | | |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the crash observed during IPv4 forward test by setting the drop field in the dbptr. Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Tested-by: Toan Le <toanle@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | * | xen-netback: fix extra_info handling in xenvif_tx_err()Paul Durrant2016-05-131-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Patch 562abd39 "xen-netback: support multiple extra info fragments passed from frontend" contained a mistake which can result in an in- correct number of responses being generated when handling errors encountered when processing packets containing extra info fragments. This patch fixes the problem. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Reported-by: Jan Beulich <JBeulich@suse.com> Cc: Wei Liu <wei.liu2@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | * | net: mvneta: bm: fix dependencies againArnd Bergmann2016-05-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I tried to fix this before, but my previous fix was incomplete and we can still get the same link error in randconfig builds because of the way that Kconfig treats the default y if MVNETA=y && MVNETA_BM_ENABLE line that does not actually trigger when MVNETA_BM_ENABLE=m, unlike I intended. Changing the line to use MVNETA_BM_ENABLE!=n however has the desired effect and hopefully makes all configurations work as expected. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: 019ded3aa7c9 ("net: mvneta: bm: clarify dependencies") Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | * | Merge branch 'bnxt_en-fixes'David S. Miller2016-05-122-0/+65
| | | |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Michael Chan says: ==================== bnxt_en: Add workaround to detect bad opaque in rx completion. 2-part workaround for this hardware bug. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
| | | | * | bnxt_en: Add workaround to detect bad opaque in rx completion (part 2)Michael Chan2016-05-122-0/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add detection and recovery code when the hardware returned opaque value does not match the expected consumer index. Once the issue is detected, we skip the processing of all RX and LRO/GRO packets. These completion entries are discarded without sending the SKB to the stack and without producing new buffers. The function will be reset from a workqueue. Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | | * | bnxt_en: Add workaround to detect bad opaque in rx completion (part 1)Michael Chan2016-05-122-0/+4
| | | |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is a rare hardware bug that can cause a bad opaque value in the RX or TPA completion. When this happens, the hardware may have used the same buffer twice for 2 rx packets. In addition, the driver will also crash later using the bad opaque as the index into the ring. The rx opaque value is predictable and is always monotonically increasing. The workaround is to keep track of the expected next opaque value and compare it with the one returned by hardware during RX and TPA start completions. If they miscompare, we will not process any more RX and TPA completions and exit NAPI. We will then schedule a workqueue to reset the function. This patch adds the logic to keep track of the next rx consumer index. Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | | * / qlcnic: potential NULL dereference in qlcnic_83xx_get_minidump_template()Dan Carpenter2016-05-121-2/+6
| | | |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If qlcnic_fw_cmd_get_minidump_temp() fails then "fw_dump->tmpl_hdr" is NULL or possibly freed. It can lead to an oops later. Fixes: d01a6d3c8ae1 ('qlcnic: Add support to enable capability to extend minidump for iSCSI') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * | Merge branch 'for-linus' of ↵Linus Torvalds2016-05-1411-91/+152
| | |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fixes from Al Viro: "Overlayfs fixes from Miklos, assorted fixes from me. Stable fodder of varying severity, all sat in -next for a while" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ovl: ignore permissions on underlying lookup vfs: add lookup_hash() helper vfs: rename: check backing inode being equal vfs: add vfs_select_inode() helper get_rock_ridge_filename(): handle malformed NM entries ecryptfs: fix handling of directory opening atomic_open(): fix the handling of create_error fix the copy vs. map logics in blk_rq_map_user_iov() do_splice_to(): cap the size before passing to ->splice_read()
| | | * \ Merge branch 'ovl-fixes' into for-linusAl Viro2016-05-111573-10194/+17108
| | | |\ \
| | | | * | ovl: ignore permissions on underlying lookupMiklos Szeredi2016-05-111-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Generally permission checking is not necessary when overlayfs looks up a dentry on one of the underlying layers, since search permission on base directory was already checked in ovl_permission(). More specifically using lookup_one_len() causes a problem when the lower directory lacks search permission for a specific user while the upper directory does have search permission. Since lookups are cached, this causes inconsistency in behavior: success depends on who did the first lookup. So instead use lookup_hash() which doesn't do the permission check. Reported-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
| | | | * | vfs: add lookup_hash() helperMiklos Szeredi2016-05-112-5/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Overlayfs needs lookup without inode_permission() and already has the name hash (in form of dentry->d_name on overlayfs dentry). It also doesn't support filesystems with d_op->d_hash() so basically it only needs the actual hashed lookup from lookup_one_len_unlocked() So add a new helper that does unlocked lookup of a hashed name. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
| | | | * | vfs: rename: check backing inode being equalMiklos Szeredi2016-05-111-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a file is renamed to a hardlink of itself POSIX specifies that rename(2) should do nothing and return success. This condition is checked in vfs_rename(). However it won't detect hard links on overlayfs where these are given separate inodes on the overlayfs layer. Overlayfs itself detects this condition and returns success without doing anything, but then vfs_rename() will proceed as if this was a successful rename (detach_mounts(), d_move()). The correct thing to do is to detect this condition before even calling into overlayfs. This patch does this by calling vfs_select_inode() to get the underlying inodes. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Cc: <stable@vger.kernel.org> # v4.2+
| | | | * | vfs: add vfs_select_inode() helperMiklos Szeredi2016-05-112-8/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Cc: <stable@vger.kernel.org> # v4.2+
| | | * | | get_rock_ridge_filename(): handle malformed NM entriesAl Viro2016-05-081-3/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Payloads of NM entries are not supposed to contain NUL. When we run into such, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being encoded by a bunch of NM entries). We do stop when the amount collected so far + the claimed amount in the current NM entry exceed 254. So far, so good, but what we return as the total length is the sum of *claimed* sizes, not the actual amount collected. And that can grow pretty large - not unlimited, since you'd need to put CE entries in between to be able to get more than the maximum that could be contained in one isofs directory entry / continuation chunk and we are stop once we'd encountered 32 CEs, but you can get about 8Kb easily. And that's what will be passed to readdir callback as the name length. 8Kb __copy_to_user() from a buffer allocated by __get_free_page() Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really) Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| | | * | | ecryptfs: fix handling of directory openingAl Viro2016-05-041-16/+55
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | First of all, trying to open them r/w is idiocy; it's guaranteed to fail. Moreover, assigning ->f_pos and assuming that everything will work is blatantly broken - try that with e.g. tmpfs as underlying layer and watch the fireworks. There may be a non-trivial amount of state associated with current IO position, well beyond the numeric offset. Using the single struct file associated with underlying inode is really not a good idea; we ought to open one for each ecryptfs directory struct file. Additionally, file_operations both for directories and non-directories are full of pointless methods; non-directories should *not* have ->iterate(), directories should not have ->flush(), ->fasync() and ->splice_read(). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| | | * | | atomic_open(): fix the handling of create_errorAl Viro2016-04-301-16/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * if we have a hashed negative dentry and either CREAT|EXCL on r/o filesystem, or CREAT|TRUNC on r/o filesystem, or CREAT|EXCL with failing may_o_create(), we should fail with EROFS or the error may_o_create() has returned, but not ENOENT. Which is what the current code ends up returning. * if we have CREAT|TRUNC hitting a regular file on a read-only filesystem, we can't fail with EROFS here. At the very least, not until we'd done follow_managed() - we might have a writable file (or a device, for that matter) bound on top of that one. Moreover, the code downstream will see that O_TRUNC and attempt to grab the write access (*after* following possible mount), so if we really should fail with EROFS, it will happen. No need to do that inside atomic_open(). The real logics is much simpler than what the current code is trying to do - if we decided to go for simple lookup, ended up with a negative dentry *and* had create_error set, fail with create_error. No matter whether we'd got that negative dentry from lookup_real() or had found it in dcache. Cc: stable@vger.kernel.org # v3.6+ Acked-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| | | * | | fix the copy vs. map logics in blk_rq_map_user_iov()Al Viro2016-04-093-39/+28
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| | | * | | do_splice_to(): cap the size before passing to ->splice_read()Al Viro2016-04-041-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | pipe capacity won't exceed 2G anyway. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| | * | | | Merge branch 'for-4.6-fixes' of ↵Linus Torvalds2016-05-144-3/+83
| | |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "During v4.6-rc1 cgroup namespace support was merged. There is an issue where it's impossible to tell whether a given cgroup mount point is bind mounted or namespaced. Serge has been working on the issue but it took longer than expected to resolve, so the late pull request. Given that it's a completely new feature and the patches don't touch anything else, the risk seems acceptable. However, if this is too late, an alternative is plugging new cgroup ns creation for v4.6 and retrying for v4.7" * 'for-4.6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: fix compile warning kernfs: kernfs_sop_show_path: don't return 0 after seq_dentry call cgroup, kernfs: make mountinfo show properly scoped path for cgroup namespaces kernfs_path_from_node_locked: don't overwrite nlen
| | | * | | | cgroup: fix compile warningFelipe Balbi2016-05-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 4f41fc59620f ("cgroup, kernfs: make mountinfo show properly scoped path for cgroup namespaces") added the following compile warning: kernel/cgroup.c: In function ‘cgroup_show_path’: kernel/cgroup.c:1634:15: warning: unused variable ‘ret’ [-Wunused-variable] int len = 0, ret = 0; ^ fix it. Fixes: 4f41fc59620f ("cgroup, kernfs: make mountinfo show properly scoped path for cgroup namespaces") Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Tejun Heo <tj@kernel.org>
| | | * | | | kernfs: kernfs_sop_show_path: don't return 0 after seq_dentry callSerge E. Hallyn2016-05-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Our caller expects 0 on success, not >0. This fixes a bug in the patch cgroup, kernfs: make mountinfo show properly scoped path for cgroup namespaces where /sys does not show up in mountinfo, breaking criu. Thanks for catching this, Andrei. Reported-by: Andrei Vagin <avagin@gmail.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Tejun Heo <tj@kernel.org>