commit 387df1bd3fc46bc695b317dda38b3254f4409036 Author: Greg Kroah-Hartman Date: Mon Apr 14 06:50:10 2014 -0700 Linux 3.14.1 commit cf0983a4a1db58bb7049af652d3979bf6261f939 Author: Ard Biesheuvel Date: Thu Mar 27 18:14:40 2014 +0100 crypto: ghash-clmulni-intel - use C implementation for setkey() commit 8ceee72808d1ae3fb191284afc2257a2be964725 upstream. The GHASH setkey() function uses SSE registers but fails to call kernel_fpu_begin()/kernel_fpu_end(). Instead of adding these calls, and then having to deal with the restriction that they cannot be called from interrupt context, move the setkey() implementation to the C domain. Note that setkey() does not use any particular SSE features and is not expected to become a performance bottleneck. Signed-off-by: Ard Biesheuvel Acked-by: H. Peter Anvin Fixes: 0e1227d356e9b (crypto: ghash - Add PCLMULQDQ accelerated implementation) Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 30062756651927f05191b906236ad030a030dc61 Author: Finn Thain Date: Thu Mar 6 10:29:27 2014 +1100 m68k: Skip futex_atomic_cmpxchg_inatomic() test commit e571c58f313d35c56e0018470e3375ddd1fd320e upstream. Skip the futex_atomic_cmpxchg_inatomic() test in futex_init(). It causes a fatal exception on 68030 (and presumably 68020 also). Signed-off-by: Finn Thain Acked-by: Geert Uytterhoeven Link: http://lkml.kernel.org/r/alpine.LNX.2.00.1403061006440.5525@nippy.intranet Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit d232ed0c0eee44a5d3bbc4f21f136a303e77c34d Author: Heiko Carstens Date: Sun Mar 2 13:09:47 2014 +0100 futex: Allow architectures to skip futex_atomic_cmpxchg_inatomic() test commit 03b8c7b623c80af264c4c8d6111e5c6289933666 upstream. If an architecture has futex_atomic_cmpxchg_inatomic() implemented and there is no runtime check necessary, allow to skip the test within futex_init(). This allows to get rid of some code which would always give the same result, and also allows the compiler to optimize a couple of if statements away. Signed-off-by: Heiko Carstens Cc: Finn Thain Cc: Geert Uytterhoeven Link: http://lkml.kernel.org/r/20140302120947.GA3641@osiris Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit d99a848a2aefccfc7bdc13f09a622006adb69f4b Author: Vineet Gupta Date: Sat Apr 5 15:30:22 2014 +0530 ARC: [nsimosci] Unbork console commit 61fb4bfc010b0d2940f7fd87acbce6a0f03217cb upstream. Despite the switch to right UART driver (prev patch), serial console still doesn't work due to missing CONFIG_SERIAL_OF_PLATFORM Also fix the default cmdline in DT to not refer to out-of-tree ARC framebuffer driver for console. Signed-off-by: Vineet Gupta Cc: Francois Bedard Signed-off-by: Greg Kroah-Hartman commit b46cb9ce8d797382d03943d73b7964df60a7088b Author: Mischa Jonker Date: Thu May 16 19:36:08 2013 +0200 ARC: [nsimosci] Change .dts to use generic 8250 UART commit 6eda477b3c54b8236868c8784e5e042ff14244f0 upstream. The Synopsys APB DW UART has a couple of special features that are not in the System C model. In 3.8, the 8250_dw driver didn't really use these features, but from 3.9 onwards, the 8250_dw driver has become incompatible with our model. Signed-off-by: Mischa Jonker Signed-off-by: Vineet Gupta Cc: Francois Bedard Signed-off-by: Greg Kroah-Hartman commit b025cf09a2c93108eb527f55f62f42e9d2291ffd Author: Eyal Shapira Date: Sun Mar 16 05:23:21 2014 +0200 iwlwifi: mvm: rs: fix search cycle rules commit 8930b05090acd321b1fc7c642528c697cb105c42 upstream. We should explore all possible columns when searching to be as resilient as possible to changing conditions. This fixes for example a scenario where even after a sudden creation of rssi difference between the 2 antennas we would keep doing MIMO at a low rate instead of switching to SISO at a higher rate using the better antenna which was the optimal configuration. Signed-off-by: Eyal Shapira Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 661f2c959342dd73e679adba75b2f8ddbe276981 Author: Gilles Chanteperdrix Date: Sun Apr 6 20:37:44 2014 +0200 net/at91_ether: avoid NULL pointer dereference [ Upstream commit c293fb785bdda64d88f197e6758a3c16ae83e569 ] The at91_ether driver calls macb_mii_init passing a 'struct macb' structure whose tx_clk member is initialized to 0. However, macb_handle_link_change() expects tx_clk to be the result of a call to clk_get, and so IS_ERR(tx_clk) to be true if the clock is invalid. This causes an oops when booting Linux 3.14 on the csb637 board. The following changes avoids this. Signed-off-by: Gilles Chanteperdrix Acked-by: Nicolas Ferre Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eb3d1ebaa77c257872264015644f182c7888c021 Author: Sasha Levin Date: Sat Mar 29 20:39:35 2014 -0400 rds: prevent dereference of a NULL device in rds_iw_laddr_check [ Upstream commit bf39b4247b8799935ea91d90db250ab608a58e50 ] Binding might result in a NULL device which is later dereferenced without checking. Signed-off-by: Sasha Levin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f9f80fa9755d955425d99220e018ac9618f642f5 Author: Dan Carpenter Date: Tue Apr 8 12:23:09 2014 +0300 isdnloop: several buffer overflows [ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ] There are three buffer overflows addressed in this patch. 1) In isdnloop_fake_err() we add an 'E' to a 60 character string and then copy it into a 60 character buffer. I have made the destination buffer 64 characters and I'm changed the sprintf() to a snprintf(). 2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60 character buffer so we have 54 characters. The ->eazlist[] is 11 characters long. I have modified the code to return if the source buffer is too long. 3) In isdnloop_command() the cbuf[] array was 60 characters long but the max length of the string then can be up to 79 characters. I made the cbuf array 80 characters long and changed the sprintf() to snprintf(). I also removed the temporary "dial" buffer and changed it to use "p" directly. Unfortunately, we pass the "cbuf" string from isdnloop_command() to isdnloop_writecmd() which truncates anything over 60 characters to make it fit in card->omsg[]. (It can accept values up to 255 characters so long as there is a '\n' character every 60 characters). For now I have just fixed the memory corruption bug and left the other problems in this driver alone. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 64eb5b6911e1edbb5db537fe1fa27ac936c1dd0c Author: YOSHIFUJI Hideaki Date: Wed Apr 2 12:48:42 2014 +0900 isdnloop: Validate NUL-terminated strings from user. [ Upstream commit 77bc6bed7121936bb2e019a8c336075f4c8eef62 ] Return -EINVAL unless all of user-given strings are correctly NUL-terminated. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ae8af81b5024a1f451165dd0cde946daad943420 Author: Mike Rapoport Date: Tue Apr 1 09:23:01 2014 +0300 net: vxlan: fix crash when interface is created with no group [ Upstream commit 5933a7bbb5de66482ea8aa874a7ebaf8e67603c4 ] If the vxlan interface is created without explicit group definition, there are corner cases which may cause kernel panic. For instance, in the following scenario: node A: $ ip link add dev vxlan42 address 2c:c2:60:00:10:20 type vxlan id 42 $ ip addr add dev vxlan42 10.0.0.1/24 $ ip link set up dev vxlan42 $ arp -i vxlan42 -s 10.0.0.2 2c:c2:60:00:01:02 $ bridge fdb add dev vxlan42 to 2c:c2:60:00:01:02 dst $ ping 10.0.0.2 node B: $ ip link add dev vxlan42 address 2c:c2:60:00:01:02 type vxlan id 42 $ ip addr add dev vxlan42 10.0.0.2/24 $ ip link set up dev vxlan42 $ arp -i vxlan42 -s 10.0.0.1 2c:c2:60:00:10:20 node B crashes: vxlan42: 2c:c2:60:00:10:20 migrated from 4011:eca4:c0a8:6466:c0a8:6415:8e09:2118 to (invalid address) vxlan42: 2c:c2:60:00:10:20 migrated from 4011:eca4:c0a8:6466:c0a8:6415:8e09:2118 to (invalid address) BUG: unable to handle kernel NULL pointer dereference at 0000000000000046 IP: [] ip6_route_output+0x58/0x82 PGD 7bd89067 PUD 7bd4e067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.14.0-rc8-hvx-xen-00019-g97a5221-dirty #154 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 task: ffff88007c774f50 ti: ffff88007c79c000 task.ti: ffff88007c79c000 RIP: 0010:[] [] ip6_route_output+0x58/0x82 RSP: 0018:ffff88007fd03668 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8186a000 RCX: 0000000000000040 RDX: 0000000000000000 RSI: ffff88007b0e4a80 RDI: ffff88007fd03754 RBP: ffff88007fd03688 R08: ffff88007b0e4a80 R09: 0000000000000000 R10: 0200000a0100000a R11: 0001002200000000 R12: ffff88007fd03740 R13: ffff88007b0e4a80 R14: ffff88007b0e4a80 R15: ffff88007bba0c50 FS: 0000000000000000(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000046 CR3: 000000007bb60000 CR4: 00000000000006e0 Stack: 0000000000000000 ffff88007fd037a0 ffffffff8186a000 ffff88007fd03740 ffff88007fd036c8 ffffffff814320bb 0000000000006e49 ffff88007b8b7360 ffff88007bdbf200 ffff88007bcbc000 ffff88007b8b7000 ffff88007b8b7360 Call Trace: [] ip6_dst_lookup_tail+0x2d/0xa4 [] ip6_dst_lookup+0x10/0x12 [] vxlan_xmit_one+0x32a/0x68c [] ? _raw_spin_unlock_irqrestore+0x12/0x14 [] ? lock_timer_base.isra.23+0x26/0x4b [] vxlan_xmit+0x66a/0x6a8 [] ? ipt_do_table+0x35f/0x37e [] ? selinux_ip_postroute+0x41/0x26e [] dev_hard_start_xmit+0x2ce/0x3ce [] __dev_queue_xmit+0x2d0/0x392 [] ? eth_header+0x28/0xb5 [] dev_queue_xmit+0xb/0xd [] neigh_resolve_output+0x134/0x152 [] ip_finish_output2+0x236/0x299 [] ip_finish_output+0x98/0x9d [] ip_output+0x62/0x67 [] dst_output+0xf/0x11 [] ip_local_out+0x1b/0x1f [] ip_send_skb+0x11/0x37 [] ip_push_pending_frames+0x2f/0x33 [] icmp_push_reply+0x106/0x115 [] icmp_reply+0x142/0x164 [] icmp_echo.part.16+0x46/0x48 [] ? nf_iterate+0x43/0x80 [] ? xfrm4_policy_check.constprop.11+0x52/0x52 [] icmp_echo+0x25/0x27 [] icmp_rcv+0x1d2/0x20a [] ? xfrm4_policy_check.constprop.11+0x52/0x52 [] ip_local_deliver_finish+0xd6/0x14f [] ? xfrm4_policy_check.constprop.11+0x52/0x52 [] NF_HOOK.constprop.10+0x4c/0x53 [] ip_local_deliver+0x4a/0x4f [] ip_rcv_finish+0x253/0x26a [] ? inet_add_protocol+0x3e/0x3e [] NF_HOOK.constprop.10+0x4c/0x53 [] ip_rcv+0x2a6/0x2ec [] __netif_receive_skb_core+0x43e/0x478 [] ? virtqueue_poll+0x16/0x27 [] __netif_receive_skb+0x55/0x5a [] process_backlog+0x76/0x12f [] net_rx_action+0xa2/0x1ab [] __do_softirq+0xca/0x1d1 [] irq_exit+0x3e/0x85 [] do_IRQ+0xa9/0xc4 [] common_interrupt+0x6d/0x6d [] ? native_safe_halt+0x6/0x8 [] default_idle+0x9/0xd [] arch_cpu_idle+0x13/0x1c [] cpu_startup_entry+0xbc/0x137 [] start_secondary+0x1a0/0x1a5 Code: 24 14 e8 f1 e5 01 00 31 d2 a8 32 0f 95 c2 49 8b 44 24 2c 49 0b 44 24 24 74 05 83 ca 04 eb 1c 4d 85 ed 74 17 49 8b 85 a8 02 00 00 <66> 8b 40 46 66 c1 e8 07 83 e0 07 c1 e0 03 09 c2 4c 89 e6 48 89 RIP [] ip6_route_output+0x58/0x82 RSP CR2: 0000000000000046 ---[ end trace 4612329caab37efd ]--- When vxlan interface is created without explicit group definition, the default_dst protocol family is initialiazed to AF_UNSPEC and the driver assumes IPv4 configuration. On the other side, the default_dst protocol family is used to differentiate between IPv4 and IPv6 cases and, since, AF_UNSPEC != AF_INET, the processing takes the IPv6 path. Making the IPv4 assumption explicit by settting default_dst protocol family to AF_INET4 and preventing mixing of IPv4 and IPv6 addresses in snooped fdb entries fixes the corner case crashes. Signed-off-by: Mike Rapoport Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 98fa11217eb8362e6a87e8c608595e97ff90342d Author: Daniel Pieczko Date: Tue Apr 1 13:10:34 2014 +0100 Call efx_set_channels() before efx->type->dimension_resources() [ Upstream commit 52ad762b85ed7947ec9eff6b036eb985352f6874 ] When using the "separate_tx_channels=1" module parameter, the TX queues are initially numbered starting from the first TX-only channel number (after all the RX-only channels). efx_set_channels() renumbers the queues so that they are indexed from zero. On EF10, the TX queues need to be relabelled in this way before calling the dimension_resources NIC type operation, otherwise the TX queue PIO buffers can be linked to the wrong VIs when using "separate_tx_channels=1". Added comments to explain UC/WC mappings for PIO buffers Signed-off-by: Shradha Shah Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7caaadd87daa11474872b63ff4edf745c6cb8550 Author: Wei Liu Date: Tue Apr 1 12:46:12 2014 +0100 xen-netback: disable rogue vif in kthread context [ Upstream commit e9d8b2c2968499c1f96563e6522c56958d5a1d0d ] When netback discovers frontend is sending malformed packet it will disables the interface which serves that frontend. However disabling a network interface involving taking a mutex which cannot be done in softirq context, so we need to defer this process to kthread context. This patch does the following: 1. introduce a flag to indicate the interface is disabled. 2. check that flag in TX path, don't do any work if it's true. 3. check that flag in RX path, turn off that interface if it's true. The reason to disable it in RX path is because RX uses kthread. After this change the behavior of netback is still consistent -- it won't do any TX work for a rogue frontend, and the interface will be eventually turned off. Also change a "continue" to "break" after xenvif_fatal_tx_err, as it doesn't make sense to continue processing packets if frontend is rogue. This is a fix for XSA-90. Reported-by: Török Edwin Signed-off-by: Wei Liu Cc: Ian Campbell Reviewed-by: David Vrabel Acked-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4370f4e5d510643604b6e650d551534074e73f6a Author: Pablo Neira Date: Tue Apr 1 19:38:44 2014 +0200 netlink: don't compare the nul-termination in nla_strcmp [ Upstream commit 8b7b932434f5eee495b91a2804f5b64ebb2bc835 ] nla_strcmp compares the string length plus one, so it's implicitly including the nul-termination in the comparison. int nla_strcmp(const struct nlattr *nla, const char *str) { int len = strlen(str) + 1; ... d = memcmp(nla_data(nla), str, len); However, if NLA_STRING is used, userspace can send us a string without the nul-termination. This is a problem since the string comparison will not match as the last byte may be not the nul-termination. Fix this by skipping the comparison of the nul-termination if the attribute data is nul-terminated. Suggested by Thomas Graf. Cc: Florian Westphal Cc: Thomas Graf Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b88dbb025dd2c418227b300d66f75e31435ebf9d Author: Hannes Frederic Sowa Date: Mon Mar 31 20:14:10 2014 +0200 ipv6: some ipv6 statistic counters failed to disable bh [ Upstream commit 43a43b6040165f7b40b5b489fe61a4cb7f8c4980 ] After commit c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify processing to workqueue") some counters are now updated in process context and thus need to disable bh before doing so, otherwise deadlocks can happen on 32-bit archs. Fabio Estevam noticed this while while mounting a NFS volume on an ARM board. As a compensation for missing this I looked after the other *_STATS_BH and found three other calls which need updating: 1) icmp6_send: ip6_fragment -> icmpv6_send -> icmp6_send (error handling) 2) ip6_push_pending_frames: rawv6_sendmsg -> rawv6_push_pending_frames -> ... (only in case of icmp protocol with raw sockets in error handling) 3) ping6_v6_sendmsg (error handling) Fixes: c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify processing to workqueue") Reported-by: Fabio Estevam Tested-by: Fabio Estevam Cc: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2ea4f5269f58ace4684e35b54b04f655c9cd37e9 Author: Paul Durrant Date: Fri Mar 28 11:39:07 2014 +0000 xen-netback: BUG_ON in xenvif_rx_action() not catching overflow [ Upstream commit 1425c7a4e8d3d2eebf308bcbdc3fa3c1247686b4 ] The BUG_ON to catch ring overflow in xenvif_rx_action() makes the assumption that meta_slots_used == ring slots used. This is not necessarily the case for GSO packets, because the non-prefix GSO protocol consumes one more ring slot than meta-slot for the 'extra_info'. This patch changes the test to actually check ring slots. Signed-off-by: Paul Durrant Cc: Ian Campbell Cc: Wei Liu Cc: Sander Eikelenboom Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6240b9f5211277efd093b6470d9dba33931684e0 Author: Paul Durrant Date: Fri Mar 28 11:39:06 2014 +0000 xen-netback: worse-case estimate in xenvif_rx_action is underestimating [ Upstream commit a02eb4732cf975d7fc71b6d1a71c058c9988b949 ] The worse-case estimate for skb ring slot usage in xenvif_rx_action() fails to take fragment page_offset into account. The page_offset does, however, affect the number of times the fragmentation code calls start_new_rx_buffer() (i.e. consume another slot) and the worse-case should assume that will always return true. This patch adds the page_offset into the DIV_ROUND_UP for each frag. Unfortunately some frontends aggressively limit the number of requests they post into the shared ring so to avoid an estimate that is 'too' pessimal it is capped at MAX_SKB_FRAGS. Signed-off-by: Paul Durrant Cc: Ian Campbell Cc: Wei Liu Cc: Sander Eikelenboom Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4d1893255fd1d4bad3f4e4187cc817d60795f0de Author: Paul Durrant Date: Fri Mar 28 11:39:05 2014 +0000 xen-netback: remove pointless clause from if statement [ Upstream commit 0576eddf24df716d8570ef8ca11452a9f98eaab2 ] This patch removes a test in start_new_rx_buffer() that checks whether a copy operation is less than MAX_BUFFER_OFFSET in length, since MAX_BUFFER_OFFSET is defined to be PAGE_SIZE and the only caller of start_new_rx_buffer() already limits copy operations to PAGE_SIZE or less. Signed-off-by: Paul Durrant Cc: Ian Campbell Cc: Wei Liu Cc: Sander Eikelenboom Reported-By: Sander Eikelenboom Tested-By: Sander Eikelenboom Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8e58cd80d042569da7af501de897c5e0538d99b0 Author: Linus Torvalds Date: Tue Apr 8 15:30:07 2014 -0700 futex: avoid race between requeue and wake commit 69cd9eba38867a493a043bb13eb9b33cad5f1a9a upstream. Jan Stancek reported: "pthread_cond_broadcast/4-1.c testcase from openposix testsuite (LTP) occasionally fails, because some threads fail to wake up. Testcase creates 5 threads, which are all waiting on same condition. Main thread then calls pthread_cond_broadcast() without holding mutex, which calls: futex(uaddr1, FUTEX_CMP_REQUEUE_PRIVATE, 1, 2147483647, uaddr2, ..) This immediately wakes up single thread A, which unlocks mutex and tries to wake up another thread: futex(uaddr2, FUTEX_WAKE_PRIVATE, 1) If thread A manages to call futex_wake() before any waiters are requeued for uaddr2, no other thread is woken up" The ordering constraints for the hash bucket waiter counting are that the waiter counts have to be incremented _before_ getting the spinlock (because the spinlock acts as part of the memory barrier), but the "requeue" operation didn't honor those rules, and nobody had even thought about that case. This fairly simple patch just increments the waiter count for the target hash bucket (hb2) when requeing a futex before taking the locks. It then decrements them again after releasing the lock - the code that actually moves the futex(es) between hash buckets will do the additional required waiter count housekeeping. Reported-and-tested-by: Jan Stancek Acked-by: Davidlohr Bueso Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 579d8f085b5745ea443a7e79b8283178f28981e0 Author: Borislav Petkov Date: Sat Jan 18 12:48:17 2014 +0100 x86/efi: Make efi virtual runtime map passing more robust commit b7b898ae0c0a82489511a1ce1b35f26215e6beb5 upstream. Currently, running SetVirtualAddressMap() and passing the physical address of the virtual map array was working only by a lucky coincidence because the memory was present in the EFI page table too. Until Toshi went and booted this on a big HP box - the krealloc() manner of resizing the memmap we're doing did allocate from such physical addresses which were not mapped anymore and boom: http://lkml.kernel.org/r/1386806463.1791.295.camel@misato.fc.hp.com One way to take care of that issue is to reimplement the krealloc thing but with pages. We start with contiguous pages of order 1, i.e. 2 pages, and when we deplete that memory (shouldn't happen all that often but you know firmware) we realloc the next power-of-two pages. Having the pages, it is much more handy and easy to map them into the EFI page table with the already existing mapping code which we're using for building the virtual mappings. Thanks to Toshi Kani and Matt for the great debugging help. Reported-by: Toshi Kani Signed-off-by: Borislav Petkov Tested-by: Toshi Kani Signed-off-by: Matt Fleming Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 6f48949f01c41782a3215a8fbff0997c5199d2c1 Author: Borislav Petkov Date: Sat Jan 18 12:48:16 2014 +0100 x86, pageattr: Export page unmapping interface commit 42a5477251f0e0f33ad5f6a95c48d685ec03191e upstream. We will use it in efi so expose it. Signed-off-by: Borislav Petkov Tested-by: Toshi Kani Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman commit bc24d1c70285a22ddce970ca2e889c3b6965bd4e Author: Paul Moore Date: Wed Mar 19 16:46:18 2014 -0400 selinux: correctly label /proc inodes in use before the policy is loaded commit f64410ec665479d7b4b77b7519e814253ed0f686 upstream. This patch is based on an earlier patch by Eric Paris, he describes the problem below: "If an inode is accessed before policy load it will get placed on a list of inodes to be initialized after policy load. After policy load we call inode_doinit() which calls inode_doinit_with_dentry() on all inodes accessed before policy load. In the case of inodes in procfs that means we'll end up at the bottom where it does: /* Default to the fs superblock SID. */ isec->sid = sbsec->sid; if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { if (opt_dentry) { isec->sclass = inode_mode_to_security_class(...) rc = selinux_proc_get_sid(opt_dentry, isec->sclass, &sid); if (rc) goto out_unlock; isec->sid = sid; } } Since opt_dentry is null, we'll never call selinux_proc_get_sid() and will leave the inode labeled with the label on the superblock. I believe a fix would be to mimic the behavior of xattrs. Look for an alias of the inode. If it can't be found, just leave the inode uninitialized (and pick it up later) if it can be found, we should be able to call selinux_proc_get_sid() ..." On a system exhibiting this problem, you will notice a lot of files in /proc with the generic "proc_t" type (at least the ones that were accessed early in the boot), for example: # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax However, with this patch in place we see the expected result: # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax Cc: Eric Paris Signed-off-by: Paul Moore Acked-by: Eric Paris Signed-off-by: Greg Kroah-Hartman commit 6f313710385a57bfe767ae355b17e7b558acc89e Author: Takashi Iwai Date: Tue Apr 8 18:49:00 2014 +0200 Revert "ALSA: hda - Increment default stream numbers for AMD HDMI controllers" This reverts commit 7546abfb8e1f9933b549f05898377e9444ee4cb2. The commit [7546abfb: ALSA: hda - Increment default stream numbers for AMD HDMI controllers] introduced a regression where the AMD HDMI playback streams don't work properly. As the simplest fix, this patch reverts that commit. The upstream code has been changed largely and already contains another fix (by changing the stream assignment order), this revert should be applied only to 3.14 kernel where the regression was introduced. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=77002 Reported-by: Christian Güdel Reported-by: Anssi Hannula Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman