Michael Neuling [Fri, 9 Aug 2013 07:29:31 +0000 (17:29 +1000)]
powerpc/tm: Fix context switching TAR, PPR and DSCR SPRs
If a transaction is rolled back, the Target Address Register (TAR), Processor
Priority Register (PPR) and Data Stream Control Register (DSCR) should be
restored to the checkpointed values before the transaction began. Any changes
to these SPRs inside the transaction should not be visible in the abort
handler.
Currently Linux doesn't save or restore the checkpointed TAR, PPR or DSCR. If
we preempt a processes inside a transaction which has modified any of these, on
process restore, that same transaction may be aborted we but we won't see the
checkpointed versions of these SPRs.
This adds checkpointed versions of these SPRs to the thread_struct and adds the
save/restore of these three SPRs to the treclaim/trechkpt code.
Without this if any of these SPRs are modified during a transaction, users may
incorrectly see a speculated SPR value even if the transaction is aborted.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Cc: <stable@vger.kernel.org> [v3.10]
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Neuling [Fri, 9 Aug 2013 07:29:30 +0000 (17:29 +1000)]
powerpc: Save the TAR register earlier
This moves us to save the Target Address Register (TAR) a earlier in
__switch_to. It introduces a new function save_tar() to do this.
We need to save the TAR earlier as we will overwrite it in the transactional
memory reclaim/recheckpoint path. We are going to do this in a subsequent
patch which will fix saving the TAR register when it's modified inside a
transaction.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Cc: <stable@vger.kernel.org> [v3.10]
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Neuling [Fri, 9 Aug 2013 07:29:29 +0000 (17:29 +1000)]
powerpc: Fix context switch DSCR on POWER8
POWER8 allows the DSCR to be accessed directly from userspace via a new SPR
number 0x3 (Rather than 0x11. DSCR SPR number 0x11 is still used on POWER8 but
like POWER7, is only accessible in HV and OS modes). Currently, we allow this
by setting H/FSCR DSCR bit on boot.
Unfortunately this doesn't work, as the kernel needs to see the DSCR change so
that it knows to no longer restore the system wide version of DSCR on context
switch (ie. to set thread.dscr_inherit).
This clears the H/FSCR DSCR bit initially. If a process then accesses the DSCR
(via SPR 0x3), it'll trap into the kernel where we set thread.dscr_inherit in
facility_unavailable_exception().
We also change _switch() so that we set or clear the H/FSCR DSCR bit based on
the thread.dscr_inherit.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Cc: <stable@vger.kernel.org> [v3.10]
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Neuling [Fri, 9 Aug 2013 07:29:28 +0000 (17:29 +1000)]
powerpc: Rework setting up H/FSCR bit definitions
This reworks the Facility Status and Control Regsiter (FSCR) config bit
definitions so that we can access the bit numbers. This is needed for a
subsequent patch to fix the userspace DSCR handling.
HFSCR and FSCR bit definitions are the same, so reuse them.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Cc: <stable@vger.kernel.org> [v3.10]
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Neuling [Fri, 9 Aug 2013 07:29:27 +0000 (17:29 +1000)]
powerpc: Fix hypervisor facility unavaliable vector number
Currently if we take hypervisor facility unavaliable (from 0xf80/0x4f80) we
mark it as an OS facility unavaliable (0xf60) as the two share the same code
path.
The becomes a problem in facility_unavailable_exception() as we aren't able to
see the hypervisor facility unavailable exceptions.
Below fixes this by duplication the required macros.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Cc: <stable@vger.kernel.org> [v3.10]
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Thadeu Lima de Souza Cascardo [Wed, 17 Jul 2013 15:10:29 +0000 (12:10 -0300)]
powerpc/kvm/book3s_pr: Return appropriate error when allocation fails
err was overwritten by a previous function call, and checked to be 0. If
the following page allocation fails, 0 is going to be returned instead
of -ENOMEM.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Chen Gang [Mon, 22 Jul 2013 06:32:35 +0000 (14:32 +0800)]
powerpc/kvm: Add signed type cast for comparation
'rmls' is 'unsigned long', lpcr_rmls() will return negative number when
failure occurs, so it need a type cast for comparing.
'lpid' is 'unsigned long', kvmppc_alloc_lpid() return negative number
when failure occurs, so it need a type cast for comparing.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Acked-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Mike Qiu [Wed, 7 Aug 2013 02:25:14 +0000 (22:25 -0400)]
powerpc/eeh: Add missing procfs entry for PowerNV
The procfs entry for global statistics has been missed on PowerNV
platform and the patch is going to add that.
Signed-off-by: Mike Qiu <qiudayu@linux.vnet.ibm.com>
Acked-by: Gavin Shan <shangw@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Aruna Balakrishnaiah [Thu, 8 Aug 2013 17:04:00 +0000 (22:34 +0530)]
powerpc/pseries: Add backward compatibilty to read old kernel oops-log
Older kernels has just length information in their header. Handle it
while reading old kernel oops log from pstore.
Applies on top of powerpc/pseries: Fix buffer overflow when reading from pstore
Signed-off-by: Aruna Balakrishnaiah <aruna@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Aruna Balakrishnaiah [Thu, 8 Aug 2013 17:03:49 +0000 (22:33 +0530)]
powerpc/pseries: Fix buffer overflow when reading from pstore
When reading from pstore there is a buffer overflow during decompression
due to the header added in unzip_oops. Remove unzip_oops and call
pstore_decompress directly in nvram_pstore_read. Allocate buffer of size
report_length of the oops header as header will not be deallocated in pstore.
Since we have 'openssl' command line tool to decompress the compressed data,
dump the compressed data in case decompression fails instead of not dumping
anything.
Signed-off-by: Aruna Balakrishnaiah <aruna@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Anton Blanchard [Wed, 31 Jul 2013 06:31:26 +0000 (16:31 +1000)]
powerpc: On POWERNV enable PPC_DENORMALISATION by default
We want PPC_DENORMALISATION enabled when POWERNV is enabled,
so update the Kconfig.
Signed-off-by: Anton Blanchard <anton@samba.org>
Acked-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: <stable@vger.kernel.org>
Linus Torvalds [Wed, 7 Aug 2013 20:01:30 +0000 (13:01 -0700)]
Merge tag 'trace-fixes-3.11-rc3' of git://git./linux/kernel/git/rostedt/linux-trace
Pull tracing fixes from Steven Rostedt:
"Oleg Nesterov has been working hard in closing all the holes that can
lead to race conditions between deleting an event and accessing an
event debugfs file. This included a fix to the debugfs system (acked
by Greg Kroah-Hartman). We think that all the holes have been patched
and hopefully we don't find more. I haven't marked all of them for
stable because I need to examine them more to figure out how far back
some of the changes need to go.
Along the way, some other fixes have been made. Alexander Z Lam fixed
some logic where the wrong buffer was being modifed.
Andrew Vagin found a possible corruption for machines that actually
allocate cpumask, as a reference to one was being zeroed out by
mistake.
Dhaval Giani found a bad prototype when tracing is not configured.
And I not only had some changes to help Oleg, but also finally fixed a
long standing bug that Dave Jones and others have been hitting, where
a module unload and reload can cause the function tracing accounting
to get screwed up"
* tag 'trace-fixes-3.11-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
tracing: Fix reset of time stamps during trace_clock changes
tracing: Make TRACE_ITER_STOP_ON_FREE stop the correct buffer
tracing: Fix trace_dump_stack() proto when CONFIG_TRACING is not set
tracing: Fix fields of struct trace_iterator that are zeroed by mistake
tracing/uprobes: Fail to unregister if probe event files are in use
tracing/kprobes: Fail to unregister if probe event files are in use
tracing: Add comment to describe special break case in probe_remove_event_call()
tracing: trace_remove_event_call() should fail if call/file is in use
debugfs: debugfs_remove_recursive() must not rely on list_empty(d_subdirs)
ftrace: Check module functions being traced on reload
ftrace: Consolidate some duplicate code for updating ftrace ops
tracing: Change remove_event_file_dir() to clear "d_subdirs"->i_private
tracing: Introduce remove_event_file_dir()
tracing: Change f_start() to take event_mutex and verify i_private != NULL
tracing: Change event_filter_read/write to verify i_private != NULL
tracing: Change event_enable/disable_read() to verify i_private != NULL
tracing: Turn event/id->i_private into call->event.type
Linus Torvalds [Wed, 7 Aug 2013 20:00:23 +0000 (13:00 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
vfs: add missing check for __O_TMPFILE in fcntl_init()
fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink
fs: Fix file mode for O_TMPFILE
reiserfs: fix deadlock in umount
Linus Torvalds [Tue, 6 Aug 2013 21:00:28 +0000 (14:00 -0700)]
Merge branch 'for-3.11-fixes' of git://git./linux/kernel/git/tj/libata
Pull libata fix from Tejun Heo:
"Just the addition of MODULE_DEVICE_TABLE() for a platform driver"
* 'for-3.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
pata_imx: expose module alias for loading from device-tree
Linus Torvalds [Tue, 6 Aug 2013 20:59:28 +0000 (13:59 -0700)]
Merge branch 'for-3.11-fixes' of git://git./linux/kernel/git/tj/cgroup
Pull cgroup fix from Tejun Heo:
"Fix for a minor memory leak bug in the cgroup init failure path"
* 'for-3.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
cgroup: fix a leak when percpu_ref_init() fails
Linus Torvalds [Tue, 6 Aug 2013 20:58:34 +0000 (13:58 -0700)]
Merge branch 'for-3.11-fixes' of git://git./linux/kernel/git/tj/wq
Pull two workqueue fixes from Tejun Heo:
"A lockdep notation update so that nested work_on_cpu() invocations
don't lead to spurious lockdep warnings and fix for an unbound attr
bug which made what's shown in sysfs deviate from the actual ones.
Both patches have pretty limited scope"
* 'for-3.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
workqueue: copy workqueue_attrs with all fields
workqueue: allow work_on_cpu() to be called recursively
Linus Torvalds [Tue, 6 Aug 2013 20:18:52 +0000 (13:18 -0700)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull misc x86 fixes from Peter Anvin.
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86, amd, microcode: Fix error path in apply_microcode_amd()
x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz
x86, efi: correct call to free_pages
x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset
Steven Rostedt [Tue, 6 Aug 2013 02:55:28 +0000 (22:55 -0400)]
printk: Fix return of braille_register_console()
Some of my configs I test with have CONFIG_A11Y_BRAILLE_CONSOLE set.
When I started testing against v3.11-rc4 my console went bonkers. Using
ktest to bisect the issue, it came down to:
commit
bbeddf52a "printk: move braille console support into separate
braille.[ch] files"
Looking into the patch I found the problem. It's with the return of
braille_register_console(). As anything other than NULL is considered a
failure.
But for those of us that have CONFIG_A11Y_BRAILLE_CONSOLE set but do not
define a "brl" or "brl=" on the command line, we still may want a
console that those with sight can still use.
Return NULL (success) if "brl" or "brl=" is not on the console line.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Joe Perches <joe@perches.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Oleg Nesterov [Tue, 6 Aug 2013 15:43:37 +0000 (17:43 +0200)]
Revert "ptrace: PTRACE_DETACH should do flush_ptrace_hw_breakpoint(child)"
This reverts commit
fab840fc2d542fabcab903db8e03589a6702ba5f.
This commit even has the test-case to prove that the tracee
can be killed by SIGTRAP if the debugger does not remove the
breakpoints before PTRACE_DETACH.
However, this is exactly what wineserver deliberately does,
set_thread_context() calls PTRACE_ATTACH + PTRACE_DETACH just
for PTRACE_POKEUSER(DR*) in between.
So we should revert this fix and document that PTRACE_DETACH
should keep the breakpoints.
Reported-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 6 Aug 2013 20:14:43 +0000 (13:14 -0700)]
Merge branch 'upstream' of git://git.linux-mips.org/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
"Two platform-specific fixes plus a fix for oprofile which was calling
smp_processor_id() in preemptible code"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: BMIPS: fix hardware interrupt routing for boot CPU != 0
MIPS: oprofile: Fix BUG due to smp_processor_id() in preemptible code.
MIPS: PNX833x: PNX8335_PCI_ETHERNET_INT depends on CONFIG_SOC_PNX8335
Linus Torvalds [Tue, 6 Aug 2013 20:13:58 +0000 (13:13 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
"Enable LZ4 compression for the kernel image, add the machine id for
the new zBC12 model, fix an issue with hanging dasd devices, correct a
Kconfig dependency, fix a compile error in the perf module with
CONFIG_KVM=n and fix the find_next_bit_left primitive for the PCI base
layer"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/dasd: fix hanging devices after path events
s390/perf: fix compile error (undefined reference sie_exit)
s390/bitops: fix find_next_bit_left
s390: add support for IBM zBC12 machine
s390/Kconfig: select 'TTY' when 'S390_GUEST' is enabled
s390: add support for LZ4-compressed kernel
Oleg Nesterov [Tue, 6 Aug 2013 17:38:55 +0000 (19:38 +0200)]
userns: unshare_userns(&cred) should not populate cred on failure
unshare_userns(new_cred) does *new_cred = prepare_creds() before
create_user_ns() which can fail. However, the caller expects that
it doesn't need to take care of new_cred if unshare_userns() fails.
We could change the single caller, sys_unshare(), but I think it
would be more clean to avoid the side effects on failure, so with
this patch unshare_userns() does put_cred() itself and initializes
*new_cred only if create_user_ns() succeeeds.
Cc: stable@vger.kernel.org
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Zheng Liu [Thu, 25 Jul 2013 00:13:19 +0000 (08:13 +0800)]
vfs: add missing check for __O_TMPFILE in fcntl_init()
As comment in include/uapi/asm-generic/fcntl.h described, when
introducing new O_* bits, we need to check its uniqueness in
fcntl_init(). But __O_TMPFILE bit is missing. So fix it.
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Andy Lutomirski [Fri, 2 Aug 2013 04:44:31 +0000 (21:44 -0700)]
fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink
Every now and then someone proposes a new flink syscall, and this spawns
a long discussion of whether it would be a security problem. I think
that this is missing the point: flink is *already* allowed without
privilege as long as /proc is mounted -- it's called AT_SYMLINK_FOLLOW.
Now that O_TMPFILE is here, the ability to create a file with O_TMPFILE,
write it, and link it in is very convenient. The only problem is that
it requires that /proc be mounted so that you can do:
linkat(AT_FDCWD, "/proc/self/fd/<tmpfd>", dfd, path, AT_SYMLINK_NOFOLLOW)
This sucks -- it's much nicer to do:
linkat(tmpfd, "", dfd, path, AT_EMPTY_PATH)
Let's allow it.
If this turns out to be excessively scary, it we could instead require
that the inode in question be I_LINKABLE, but this seems pointless given
the /proc situation
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Andy Lutomirski [Fri, 2 Aug 2013 04:07:52 +0000 (21:07 -0700)]
fs: Fix file mode for O_TMPFILE
O_TMPFILE, like O_CREAT, should respect the requested mode and should
create regular files.
This fixes two bugs: O_TMPFILE required privilege (because the mode
ended up as 000) and it produced bogus inodes with no type.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 5 Aug 2013 13:37:37 +0000 (17:37 +0400)]
reiserfs: fix deadlock in umount
Since remove_proc_entry() started to wait for IO in progress (i.e.
since 2007 or so), the locking in fs/reiserfs/proc.c became wrong;
if procfs read happens between the moment when umount() locks the
victim superblock and removal of /proc/fs/reiserfs/<device>/*,
we'll get a deadlock - read will wait for s_umount (in sget(),
called by r_start()), while umount will wait in remove_proc_entry()
for that read to finish, holding s_umount all along.
Fortunately, the same change allows a much simpler race avoidance -
all we need to do is remove the procfs entries in the very beginning
of reiserfs ->kill_sb(); that'll guarantee that pointer to superblock
will remain valid for the duration for procfs IO, so we don't need
sget() to keep the sucker alive. As the matter of fact, we can
get rid of the home-grown iterator completely, and use single_open()
instead.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Florian Fainelli [Mon, 5 Aug 2013 10:50:25 +0000 (11:50 +0100)]
MIPS: BMIPS: fix hardware interrupt routing for boot CPU != 0
The hardware interrupt routing for boot CPU != 0 is wrong because it
will route all the hardware interrupts to TP0 which is not the one we
booted from. Fix this by properly checking which boot CPU we are booting
from and updating the right interrupt mask for the boot CPU. This fixes
booting on BCM3368 with bmips_smp_emabled = 0.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
Cc: linux-mips@linux-mips.org
Cc: blogic@openwrt.org
Cc: jogo@openwrt.org
Cc: cernekee@gmail.com
Patchwork: https://patchwork.linux-mips.org/patch/5650/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Thu, 1 Aug 2013 16:31:05 +0000 (18:31 +0200)]
MIPS: oprofile: Fix BUG due to smp_processor_id() in preemptible code.
current_cpu_type() is not preemption-safe.
If CONFIG_PREEMPT is enabled then mipsxx_reg_setup() can be called from preemptible state.
Added get_cpu()/put_cpu() pair to make it preemption-safe.
This was found while testing oprofile with CONFIG_DEBUG_PREEMPT enable.
/usr/zntestsuite # opcontrol --init
/usr/zntestsuite # opcontrol --setup --event=L2_CACHE_ACCESSES:500 --event=L2_CACHE_MISSES:500 --no-vmlinux
/usr/zntestsuite # opcontrol --start
Using 2.6+ OProfile kernel interface.
BUG: using smp_processor_id() in preemptible [
00000000] code: oprofiled/1362
caller is mipsxx_reg_setup+0x11c/0x164
CPU: 0 PID: 1362 Comm: oprofiled Not tainted 3.10.4 #18
Stack :
00000006 70757465 00000000 00000000 00000000 00000000 80b173f6 00000037
80b10000 00000000 80b21614 88f5a220 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 89c49c00 89c49c2c 80721254 807b7927 8012c1d0
80b10000 80721254 00000000 00000552 88f5a220 80b1335c 807b78e6 89c49ba8
...
Call Trace:
[<
801099a4>] show_stack+0x64/0x7c
[<
80665520>] dump_stack+0x20/0x2c
[<
803a2250>] debug_smp_processor_id+0xe0/0xf0
[<
8052df24>] mipsxx_reg_setup+0x11c/0x164
[<
8052cd70>] op_mips_setup+0x24/0x4c
[<
80529cfc>] oprofile_setup+0x5c/0x12c
[<
8052b9f8>] event_buffer_open+0x78/0xf8
[<
801c3150>] do_dentry_open.isra.15+0x2b8/0x3b0
[<
801c3270>] finish_open+0x28/0x4c
[<
801d49b8>] do_last.isra.41+0x2cc/0xd00
[<
801d54a0>] path_openat+0xb4/0x4c4
[<
801d5c44>] do_filp_open+0x3c/0xac
[<
801c4744>] do_sys_open+0x110/0x1f4
[<
8010f47c>] stack_done+0x20/0x44
Bug reported and original patch by Jerin Jacob <jerinjacobk@gmail.com>.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Acked-by: Jerin Jacob <jerinjacobk@gmail.com>
Markos Chandras [Tue, 9 Jul 2013 08:21:35 +0000 (09:21 +0100)]
MIPS: PNX833x: PNX8335_PCI_ETHERNET_INT depends on CONFIG_SOC_PNX8335
The PNX8335_PCI_ETHERNET_INT macro is defined in
arch/mips/include/asm/mach-pnx833x/irq-mapping.h
only if CONFIG_SOC_PNX8335 is selected.
Fixes the following randconfig problem:
arch/mips/pnx833x/common/platform.c:210:12:
error: 'PNX8335_PIC_ETHERNET_INT' undeclared here
(not in a function)
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Acked-by: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5585/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Linus Torvalds [Sun, 4 Aug 2013 20:46:46 +0000 (13:46 -0700)]
Linux 3.11-rc4
Linus Torvalds [Sun, 4 Aug 2013 18:46:07 +0000 (11:46 -0700)]
Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
Pull dmaengine fixes from Vinod Koul:
"Two fixes for slave dmaengine. The first fixes cyclic dma transfers
for pl330 and the second one makes us return the correct error code on
probe"
* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
dma: pl330: Fix cyclic transfers
pch_dma: fix error return code in pch_dma_probe()
Linus Torvalds [Sun, 4 Aug 2013 18:44:18 +0000 (11:44 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fix from Dave Airlie:
"Just a quick fix that a few people have reported, be nice to have in
asap"
The drm tree seems to be very confused about 64-bit divides. Here it
uses a slow 64-by-64 bit divide to divide by a small constant. Oh well.
Doesn't look performance-critical, just stupid.
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/radeon: fix 64 bit divide in SI spm code
Hugh Dickins [Sun, 4 Aug 2013 18:30:25 +0000 (11:30 -0700)]
tmpfs: fix SEEK_DATA/SEEK_HOLE regression
Commit
46a1c2c7ae53 ("vfs: export lseek_execute() to modules") broke the
tmpfs SEEK_DATA/SEEK_HOLE implementation, because vfs_setpos() converts
the carefully prepared -ENXIO to -EINVAL. Other filesystems avoid it in
error cases: do the same in tmpfs.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Jie Liu <jeff.liu@oracle.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sun, 4 Aug 2013 18:00:43 +0000 (11:00 -0700)]
Merge tag 'sound-3.11' of git://git./linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"All small regression or small fixes, nothing surprising at this stage.
- regression fix for intel Mac Mini quirk
- compress ioctl error fix
- ASoC fixes for control change notifications, some UI fixes,
driver-specific fixes (resource leak, build errors, etc)"
* tag 'sound-3.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda - Fix missing fixup for Mac Mini with STAC9221
ASoC: wm0010: Fix resource leak
ASoC: au1x: Fix build
ASoC: bf5xx-ac97: Fix compile error with SND_BF5XX_HAVE_COLD_RESET
ASoC: bfin-ac97: Fix prototype error following AC'97 refactoring
ALSA: compress: fix the return value for SNDRV_COMPRESS_VERSION
ASoC: dapm: Fix return value of snd_soc_dapm_put_{volsw,enum_virt}()
Alex Deucher [Thu, 1 Aug 2013 13:03:29 +0000 (09:03 -0400)]
drm/radeon: fix 64 bit divide in SI spm code
Forgot to use the appropriate math64 function.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@gmail.com>
Linus Torvalds [Sat, 3 Aug 2013 22:00:23 +0000 (15:00 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Don't ignore user initiated wireless regulatory settings on cards
with custom regulatory domains, from Arik Nemtsov.
2) Fix length check of bluetooth information responses, from Jaganath
Kanakkassery.
3) Fix misuse of PTR_ERR in btusb, from Adam Lee.
4) Handle rfkill properly while iwlwifi devices are offline, from
Emmanuel Grumbach.
5) Fix r815x devices DMA'ing to stack buffers, from Hayes Wang.
6) Kernel info leak in ATM packet scheduler, from Dan Carpenter.
7) 8139cp doesn't check for DMA mapping errors, from Neil Horman.
8) Fix bridge multicast code to not snoop when no querier exists,
otherwise mutlicast traffic is lost. From Linus Lüssing.
9) Avoid soft lockups in fib6_run_gc(), from Michal Kubecek.
10) Fix races in automatic address asignment on ipv6, which can result
in incorrect lifetime assignments. From Jiri Benc.
11) Cure build bustage when CONFIG_NET_LL_RX_POLL is not set and rename
it CONFIG_NET_RX_BUSY_POLL to eliminate the last reference to the
original naming of this feature. From Cong Wang.
12) Fix crash in TIPC when server socket creation fails, from Ying Xue.
13) macvlan_changelink() silently succeeds when it shouldn't, from
Michael S Tsirkin.
14) HTB packet scheduler can crash due to sign extension, fix from
Stephen Hemminger.
15) With the cable unplugged, r8169 prints out a message every 10
seconds, make it netif_dbg() instead of netif_warn(). From Peter
Wu.
16) Fix memory leak in rtm_to_ifaddr(), from Daniel Borkmann.
17) sis900 gets spurious TX queue timeouts due to mismanagement of link
carrier state, from Denis Kirjanov.
18) Validate somaxconn sysctl to make sure it fits inside of a u16.
From Roman Gushchin.
19) Fix MAC address filtering on qlcnic, from Shahed Shaikh.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (68 commits)
qlcnic: Fix for flash update failure on 83xx adapter
qlcnic: Fix link speed and duplex display for 83xx adapter
qlcnic: Fix link speed display for 82xx adapter
qlcnic: Fix external loopback test.
qlcnic: Removed adapter series name from warning messages.
qlcnic: Free up memory in error path.
qlcnic: Fix ingress MAC learning
qlcnic: Fix MAC address filter issue on 82xx adapter
net: ethernet: davinci_emac: drop IRQF_DISABLED
netlabel: use domain based selectors when address based selectors are not available
net: check net.core.somaxconn sysctl values
sis900: Fix the tx queue timeout issue
net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
r8169: remove "PHY reset until link up" log spam
net: ethernet: cpsw: drop IRQF_DISABLED
htb: fix sign extension bug
macvlan: handle set_promiscuity failures
macvlan: better mode validation
tipc: fix oops when creating server socket fails
net: rename CONFIG_NET_LL_RX_POLL to CONFIG_NET_RX_BUSY_POLL
...
Himanshu Madhani [Sat, 3 Aug 2013 03:16:01 +0000 (23:16 -0400)]
qlcnic: Fix for flash update failure on 83xx adapter
Flash update routine was improperly checking register read API return value.
Modify register read API and perform proper error check.
Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rajesh Borundia [Sat, 3 Aug 2013 03:16:00 +0000 (23:16 -0400)]
qlcnic: Fix link speed and duplex display for 83xx adapter
o Set link speed and duplex to unknown when link is not up.
Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rajesh Borundia [Sat, 3 Aug 2013 03:15:59 +0000 (23:15 -0400)]
qlcnic: Fix link speed display for 82xx adapter
o Do not obtain link speed from register when adapter
link is down.
Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Shahed Shaikh [Sat, 3 Aug 2013 03:15:58 +0000 (23:15 -0400)]
qlcnic: Fix external loopback test.
Driver was not handling external loopback diagnostic
test request.
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pratik Pujar [Sat, 3 Aug 2013 03:15:57 +0000 (23:15 -0400)]
qlcnic: Removed adapter series name from warning messages.
Signed-off-by: Pratik Pujar <pratik.pujar@qlogic.com>
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Himanshu Madhani [Sat, 3 Aug 2013 03:15:56 +0000 (23:15 -0400)]
qlcnic: Free up memory in error path.
Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Shahed Shaikh [Sat, 3 Aug 2013 03:15:55 +0000 (23:15 -0400)]
qlcnic: Fix ingress MAC learning
o Delete MAC address from the adapter's filter table
if the source MAC address of ingress packet matches.
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Shahed Shaikh [Sat, 3 Aug 2013 03:15:54 +0000 (23:15 -0400)]
qlcnic: Fix MAC address filter issue on 82xx adapter
Driver was passing the address of a pointer instead of
the pointer itself.
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mugunthan V N [Sat, 3 Aug 2013 11:09:45 +0000 (16:39 +0530)]
net: ethernet: davinci_emac: drop IRQF_DISABLED
IRQF_DISABLED is a no-op by now and should be removed.
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sat, 3 Aug 2013 18:15:03 +0000 (11:15 -0700)]
Merge branch 'for-3.11' of git://linux-nfs.org/~bfields/linux
Pull nfsd bugfixes from Bruce Fields:
"Most of this is due to a screwup on my part -- some gss-proxy crashes
got fixed before the merge window but somehow never made it out of a
temporary git repo on my laptop...."
* 'for-3.11' of git://linux-nfs.org/~bfields/linux:
svcrpc: set cr_gss_mech from gss-proxy as well as legacy upcall
svcrpc: fix kfree oops in gss-proxy code
svcrpc: fix gss-proxy xdr decoding oops
svcrpc: fix gss_rpc_upcall create error
NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure.
Linus Torvalds [Sat, 3 Aug 2013 18:14:25 +0000 (11:14 -0700)]
Merge tag 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/linux-staging
Pull hwmon fix from Guenter Roeck:
"Fix chip initialization/configuration in MAX6697 driver"
* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (max6697) fix MAX6581 ideality
Linus Torvalds [Sat, 3 Aug 2013 18:12:09 +0000 (11:12 -0700)]
Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Pull arm fixes fixes from Russell King:
"This fixes a couple of problems with commit
48be69a026b2 ("ARM: move
signal handlers into a vdso-like page"), one of which was originally
discovered via my testing originally, but the fix for it was never
actually committed.
The other shows up on noMMU builds, and such platforms are extremely
rare and as such are not part of my nightly testing"
* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
ARM: fix nommu builds with
48be69a02 (ARM: move signal handlers into a vdso-like page)
ARM: fix a cockup in
48be69a02 (ARM: move signal handlers into a vdso-like page)
Vivien Didelot [Tue, 30 Jul 2013 21:14:34 +0000 (17:14 -0400)]
hwmon: (max6697) fix MAX6581 ideality
Without this patch, the values for ideality (register 0x4b) and ideality
selection mask (register 0x4c) are inverted.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Cc: stable@vger.kernel.org # 3.9+
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Russell King [Sat, 3 Aug 2013 09:49:38 +0000 (10:49 +0100)]
Merge branch 'security-fixes' into fixes
Russell King [Sat, 3 Aug 2013 09:39:51 +0000 (10:39 +0100)]
ARM: fix nommu builds with
48be69a02 (ARM: move signal handlers into a vdso-like page)
Olof reports that noMMU builds error out with:
arch/arm/kernel/signal.c: In function 'setup_return':
arch/arm/kernel/signal.c:413:25: error: 'mm_context_t' has no member named 'sigpage'
This shows one of the evilnesses of IS_ENABLED(). Get rid of it here
and replace it with #ifdef's - and as no noMMU platform can make use
of sigpage, depend on CONIFG_MMU not CONFIG_ARM_MPU.
Reported-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Russell King [Sat, 3 Aug 2013 09:30:05 +0000 (10:30 +0100)]
ARM: fix a cockup in
48be69a02 (ARM: move signal handlers into a vdso-like page)
Unfortunately, I never committed the fix to a nasty oops which can
occur as a result of that commit:
------------[ cut here ]------------
kernel BUG at /home/olof/work/batch/include/linux/mm.h:414!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 490 Comm: killall5 Not tainted 3.11.0-rc3-00288-gabe0308 #53
task:
e90acac0 ti:
e9be8000 task.ti:
e9be8000
PC is at special_mapping_fault+0xa4/0xc4
LR is at __do_fault+0x68/0x48c
This doesn't show up unless you do quite a bit of testing; a simple
boot test does not do this, so all my nightly tests were passing fine.
The reason for this is that install_special_mapping() expects the
page array to stick around, and as this was only inserting one page
which was stored on the kernel stack, that's why this was blowing up.
Reported-by: Olof Johansson <olof@lixom.net>
Tested-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Alexander Z Lam [Sat, 3 Aug 2013 01:36:16 +0000 (18:36 -0700)]
tracing: Fix reset of time stamps during trace_clock changes
Fixed two issues with changing the timestamp clock with trace_clock:
- The global buffer was reset on instance clock changes. Change this to pass
the correct per-instance buffer
- ftrace_now() is used to set buf->time_start in tracing_reset_online_cpus().
This was incorrect because ftrace_now() used the global buffer's clock to
return the current time. Change this to use buffer_ftrace_now() which
returns the current time for the correct per-instance buffer.
Also removed tracing_reset_current() because it is not used anywhere
Link: http://lkml.kernel.org/r/1375493777-17261-2-git-send-email-azl@google.com
Cc: Vaibhav Nagarnaik <vnagarnaik@google.com>
Cc: David Sharp <dhsharp@google.com>
Cc: Alexander Z Lam <lambchop468@gmail.com>
Cc: stable@vger.kernel.org # 3.10
Signed-off-by: Alexander Z Lam <azl@google.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Alexander Z Lam [Sat, 3 Aug 2013 01:36:15 +0000 (18:36 -0700)]
tracing: Make TRACE_ITER_STOP_ON_FREE stop the correct buffer
Releasing the free_buffer file in an instance causes the global buffer
to be stopped when TRACE_ITER_STOP_ON_FREE is enabled. Operate on the
correct buffer.
Link: http://lkml.kernel.org/r/1375493777-17261-1-git-send-email-azl@google.com
Cc: Vaibhav Nagarnaik <vnagarnaik@google.com>
Cc: David Sharp <dhsharp@google.com>
Cc: Alexander Z Lam <lambchop468@gmail.com>
Cc: stable@vger.kernel.org # 3.10
Signed-off-by: Alexander Z Lam <azl@google.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Dhaval Giani [Fri, 2 Aug 2013 18:47:29 +0000 (14:47 -0400)]
tracing: Fix trace_dump_stack() proto when CONFIG_TRACING is not set
When CONFIG_TRACING is not enabled, the stub prototype for trace_dump_stack()
is incorrect. It has (void) when it should be (int).
Link: http://lkml.kernel.org/r/CAPhKKr_H=ukFnBL4WgDOVT5ay2xeF-Ho+CA0DWZX0E2JW-=vSQ@mail.gmail.com
Signed-off-by: Dhaval Giani <dhaval.giani@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Andrew Vagin [Fri, 2 Aug 2013 17:16:43 +0000 (21:16 +0400)]
tracing: Fix fields of struct trace_iterator that are zeroed by mistake
tracing_read_pipe zeros all fields bellow "seq". The declaration contains
a comment about that, but it doesn't help.
The first field is "snapshot", it's true when current open file is
snapshot. Looks obvious, that it should not be zeroed.
The second field is "started". It was converted from cpumask_t to
cpumask_var_t (v2.6.28-4983-g4462344), in other words it was
converted from cpumask to pointer on cpumask.
Currently the reference on "started" memory is lost after the first read
from tracing_read_pipe and a proper object will never be freed.
The "started" is never dereferenced for trace_pipe, because trace_pipe
can't have the TRACE_FILE_ANNOTATE options.
Link: http://lkml.kernel.org/r/1375463803-3085183-1-git-send-email-avagin@openvz.org
Cc: stable@vger.kernel.org # 2.6.30
Signed-off-by: Andrew Vagin <avagin@openvz.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Paul Moore [Fri, 2 Aug 2013 18:45:08 +0000 (14:45 -0400)]
netlabel: use domain based selectors when address based selectors are not available
NetLabel has the ability to selectively assign network security labels
to outbound traffic based on either the LSM's "domain" (different for
each LSM), the network destination, or a combination of both. Depending
on the type of traffic, local or forwarded, and the type of traffic
selector, domain or address based, different hooks are used to label the
traffic; the goal being minimal overhead.
Unfortunately, there is a bug such that a system using NetLabel domain
based traffic selectors does not correctly label outbound local traffic
that is not assigned to a socket. The issue is that in these cases
the associated NetLabel hook only looks at the address based selectors
and not the domain based selectors. This patch corrects this by
checking both the domain and address based selectors so that the correct
labeling is applied, regardless of the configuration type.
In order to acomplish this fix, this patch also simplifies some of the
NetLabel domainhash structures to use a more common outbound traffic
mapping type: struct netlbl_dommap_def. This simplifies some of the code
in this patch and paves the way for further simplifications in the
future.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Roman Gushchin [Fri, 2 Aug 2013 14:36:40 +0000 (18:36 +0400)]
net: check net.core.somaxconn sysctl values
It's possible to assign an invalid value to the net.core.somaxconn
sysctl variable, because there is no checks at all.
The sk_max_ack_backlog field of the sock structure is defined as
unsigned short. Therefore, the backlog argument in inet_listen()
shouldn't exceed USHRT_MAX. The backlog argument in the listen() syscall
is truncated to the somaxconn value. So, the somaxconn value shouldn't
exceed 65535 (USHRT_MAX).
Also, negative values of somaxconn are meaningless.
before:
$ sysctl -w net.core.somaxconn=256
net.core.somaxconn = 256
$ sysctl -w net.core.somaxconn=65536
net.core.somaxconn = 65536
$ sysctl -w net.core.somaxconn=-100
net.core.somaxconn = -100
after:
$ sysctl -w net.core.somaxconn=256
net.core.somaxconn = 256
$ sysctl -w net.core.somaxconn=65536
error: "Invalid argument" setting key "net.core.somaxconn"
$ sysctl -w net.core.somaxconn=-100
error: "Invalid argument" setting key "net.core.somaxconn"
Based on a prior patch from Changli Gao.
Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Reported-by: Changli Gao <xiaosuo@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Kirjanov [Fri, 2 Aug 2013 09:50:54 +0000 (13:50 +0400)]
sis900: Fix the tx queue timeout issue
[ 198.720048] ------------[ cut here ]------------
[ 198.720108] WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:255 dev_watchdog+0x229/0x240()
[ 198.720118] NETDEV WATCHDOG: eth0 (sis900): transmit queue 0 timed out
[ 198.720125] Modules linked in: bridge stp llc dmfe sundance 3c59x sis900 mii
[ 198.720159] CPU: 0 PID: 0 Comm: swapper Not tainted 3.11.0-rc3+ #12
[ 198.720167] Hardware name: System Manufacturer System Name/TUSI-M, BIOS ASUS TUSI-M ACPI BIOS
Revision 1013 Beta 001 12/14/2001
[ 198.720175]
000000ff c13fa6b9 c169ddcc c12208d6 c169ddf8 c1031e4d c1664a84 c169de24
[ 198.720197]
00000000 c165f5ea 000000ff c13fa6b9 00000001 000000ff c1664a84 c169de10
[ 198.720217]
c1031f13 00000009 c169de08 c1664a84 c169de24 c169de50 c13fa6b9 c165f5ea
[ 198.720240] Call Trace:
[ 198.720257] [<
c13fa6b9>] ? dev_watchdog+0x229/0x240
[ 198.720274] [<
c12208d6>] dump_stack+0x16/0x20
[ 198.720306] [<
c1031e4d>] warn_slowpath_common+0x7d/0xa0
[ 198.720318] [<
c13fa6b9>] ? dev_watchdog+0x229/0x240
[ 198.720330] [<
c1031f13>] warn_slowpath_fmt+0x33/0x40
[ 198.720342] [<
c13fa6b9>] dev_watchdog+0x229/0x240
[ 198.720357] [<
c103f158>] call_timer_fn+0x78/0x150
[ 198.720369] [<
c103f0e0>] ? internal_add_timer+0x40/0x40
[ 198.720381] [<
c13fa490>] ? dev_init_scheduler+0xa0/0xa0
[ 198.720392] [<
c103f33f>] run_timer_softirq+0x10f/0x200
[ 198.720412] [<
c103954f>] ? __do_softirq+0x6f/0x210
[ 198.720424] [<
c13fa490>] ? dev_init_scheduler+0xa0/0xa0
[ 198.720435] [<
c1039598>] __do_softirq+0xb8/0x210
[ 198.720467] [<
c14b54d2>] ? _raw_spin_unlock+0x22/0x30
[ 198.720484] [<
c1003245>] ? handle_irq+0x25/0xd0
[ 198.720496] [<
c1039c0c>] irq_exit+0x9c/0xb0
[ 198.720508] [<
c14bc9d7>] do_IRQ+0x47/0x94
[ 198.720534] [<
c1056078>] ? hrtimer_start+0x28/0x30
[ 198.720564] [<
c14bc8b1>] common_interrupt+0x31/0x38
[ 198.720589] [<
c1008692>] ? default_idle+0x22/0xa0
[ 198.720600] [<
c10083c7>] arch_cpu_idle+0x17/0x30
[ 198.720631] [<
c106d23d>] cpu_startup_entry+0xcd/0x180
[ 198.720643] [<
c14ae30a>] rest_init+0xaa/0xb0
[ 198.720654] [<
c14ae260>] ? reciprocal_value+0x50/0x50
[ 198.720668] [<
c17044e0>] ? repair_env_string+0x60/0x60
[ 198.720679] [<
c1704bda>] start_kernel+0x29a/0x350
[ 198.720690] [<
c17044e0>] ? repair_env_string+0x60/0x60
[ 198.720721] [<
c1704269>] i386_start_kernel+0x39/0xa0
[ 198.720729] ---[ end trace
81e0a6266f5c73a8 ]---
[ 198.720740] eth0: Transmit timeout, status
00000204 00000000
timer routine checks the link status and if it's up calls
netif_carrier_on() allowing upper layer to start the tx queue
even if the auto-negotiation process is not finished.
Also remove ugly auto-negotiation check from the sis900_start_xmit()
CC: Duan Fugang <B38611@freescale.com>
CC: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 2 Aug 2013 21:58:30 +0000 (14:58 -0700)]
Merge tag 'rdma-for-linus' of git://git./linux/kernel/git/roland/infiniband
Pull infiniband/rdma fixes from Roland Dreier:
- Fixes for the newly merged mlx5 hardware driver
- Stack info leak fixes from Dan Carpenter
- Fixes for pkey table handling with SR-IOV
- A few other small things
* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
IPoIB: Fix pkey change flow for virtualization environments
IPoIB: Make sure child devices use valid/proper pkeys
IB/core: Create QP1 using the pkey index which contains the default pkey
mlx5_core: Variable may be used uninitialized
mlx5_core: Implement new initialization sequence
mlx5_core: Fix use after free in mlx5_cmd_comp_handler()
IB/mlx5: Fix stack info leak in mlx5_ib_alloc_ucontext()
IB/mlx5: Fix error return code in init_one()
IB/mlx4: Use default pkey when creating tunnel QPs
RDMA/cma: Only call cma_save_ib_info() for CM REQs
RDMA/cma: Fix accessing invalid private data for UD
RDMA/cma: Fix gcc warning
Revert "RDMA/nes: Fix compilation error when nes_debug is enabled"
IB/qib: Add err_decode() call for ring dump
RDMA/cxgb3: Fix stack info leak in iwch_create_cq()
RDMA/nes: Fix info leaks in nes_create_qp() and nes_create_cq()
RDMA/ocrdma: Fix several stack info leaks
RDMA/cxgb4: Fix stack info leak in c4iw_create_qp()
RDMA/ocrdma: Remove unused include
Linus Torvalds [Fri, 2 Aug 2013 21:57:24 +0000 (14:57 -0700)]
Merge tag 'gpio-for-v3.11-3' of git://git./linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Yet another GPIO pull request, fixing the fix from the last one. It
turns out that fixing the boot path for device tree boots on OMAP
breaks out antique systems (such as OMAP1) and we need to find a
better way. So we're reverting that "fix" for the moment and thinking
about something better.
Also fixing a build issue on the MSM driver"
* tag 'gpio-for-v3.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio_msm: Fix build error due to missing err.h
Revert "gpio/omap: don't create an IRQ mapping for every GPIO on DT"
Revert "gpio/omap: auto request GPIO as input if used as IRQ via DT"
Revert "gpio/omap: fix build error when OF_GPIO is not defined."
Daniel Borkmann [Fri, 2 Aug 2013 09:32:43 +0000 (11:32 +0200)]
net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
Commit
5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
resource that was allocated via inet_alloc_ifa() unfreed when returning
the function with -EINVAL. Thus, free it first via inet_free_ifa().
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Reviewed-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lekensteyn [Fri, 2 Aug 2013 08:36:55 +0000 (10:36 +0200)]
r8169: remove "PHY reset until link up" log spam
This message was added in commit
a7154cb8 (June 2004, [PATCH] r8169:
link handling and phy reset rework) and is printed every ten seconds
when no cable is connected and runtime power management is disabled.
(Before that commit, "Reset RTL8169s PHY" would be printed instead.)
Signed-off-by: Peter Wu <lekensteyn@gmail.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Felipe Balbi [Fri, 2 Aug 2013 07:44:10 +0000 (10:44 +0300)]
net: ethernet: cpsw: drop IRQF_DISABLED
IRQF_DISABLED is a no-op by now and should be
removed.
Signed-off-by: Felipe Balbi <balbi@ti.com>
Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Fri, 2 Aug 2013 05:32:07 +0000 (22:32 -0700)]
htb: fix sign extension bug
When userspace passes a large priority value
the assignment of the unsigned value hopt->prio
to signed int cl->prio causes cl->prio to become negative and the
comparison is with TC_HTB_NUMPRIO is always false.
The result is that HTB crashes by referencing outside
the array when processing packets. With this patch the large value
wraps around like other values outside the normal range.
See: https://bugzilla.kernel.org/show_bug.cgi?id=60669
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 2 Aug 2013 21:39:49 +0000 (14:39 -0700)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc
Pull powerpc fixes from Ben Herrenschmidt:
"Here is not quite a handful of powerpc fixes for rc3.
The windfarm fix is a regression fix (though not a new one), the PMU
interrupt rename is not a fix per-se but has been submitted a long
time ago and I kept forgetting to put it in (it puts us back in sync
with x86), the other perf bit is just about putting an API/ABI bit
definition in the right place for userspace to consume, and finally,
we have a fix for the VPHN (Virtual Partition Home Node) feature
(notification that the hypervisor is moving nodes around) which could
cause lockups so we may as well fix it now"
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31)
powerpc: VPHN topology change updates all siblings
powerpc/perf: Export PERF_EVENT_CONFIG_EBB_SHIFT to userspace
powerpc: Rename PMU interrupts from CNT to PMI
Linus Torvalds [Fri, 2 Aug 2013 21:37:45 +0000 (14:37 -0700)]
Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Pull ARM fixes from Russell King:
"I've thought long and hard about what to say for this pull request,
and I really can't work out anything sane to say to summarise much of
these commits. The problem is, for most of these are, yet again, lots
of small bits scattered around the place without any real overall
theme to them"
Most notable is probably the kuser page helper improvements.
* 'fixes' of git://git.linaro.org/people/rmk/linux-arm: (22 commits)
ARM: Add .text annotations where required after __CPUINIT removal
ARM: 7803/1: Fix deadlock scenario with smp_send_stop()
ARM: make vectors page inaccessible from userspace
ARM: move signal handlers into a vdso-like page
ARM: allow kuser helpers to be removed from the vector page
ARM: update FIQ support for relocation of vectors
ARM: use linker magic for vectors and vector stubs
ARM: move vector stubs
ARM: poison memory between kuser helpers
ARM: poison the vectors page
ARM: 7801/1: v6: prevent gcc 4.5 from reordering extended CP15 reads above is_smp() test
ARM: 7800/1: ARMv7-M: Fix name of NVIC handler function
ARM: Fix sorting of machine- initializers
ARM: 7791/1: a.out: remove partial a.out support
ARM: 7790/1: Fix deferred mm switch on VIVT processors
ARM: 7789/1: Do not run dummy_flush_tlb_a15_erratum() on non-Cortex-A15
ARM: 7787/1: virt: ensure visibility of __boot_cpu_mode
ARM: 7788/1: elf: fix lpae hwcap feature reporting in proc/cpuinfo
ARM: 7786/1: hyp: fix macro parameterisation
ARM: 7785/1: mm: restrict early_alloc to section-aligned memory
...
Linus Torvalds [Fri, 2 Aug 2013 21:36:32 +0000 (14:36 -0700)]
Merge branch 'parisc-3.11-rc4' of git://git./linux/kernel/git/deller/parisc-linux
Pull parisc updates from Helge Deller:
"The majority of lines changed are due the addition of a defconfig for
the C8000 machine. Even the fix in parisc/kernel/cache.c file is
actually ony a 10-line fix, but the change became bigger (and much
nicer) to avoid errors of the checkpatch script.
Here is the short-changelog:
This round of parisc updates includes mostly fixes for the C8000
workstation. We have a new defconfig file for this machine, as well
as fixes for it's serial port, the AGP driver and the cache routines
to cope with the vmas of the FireGL card in a C8000. The sys32.h
header file was not used and as such it's now gone"
* 'parisc-3.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
parisc: Fix interrupt routing for C8000 serial ports
parisc: Remove arch/parisc/kernel/sys32.h header
parisc: add defconfig for c8000 machine
parisc: agp/parisc-agp: allow binding of user memory to the AGP GART
parisc: Fix cache routines to ignore vma's with an invalid pfn
Linus Torvalds [Fri, 2 Aug 2013 21:22:15 +0000 (14:22 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:
- fix hid-sony PS3 sixaxxis breakage from Benjamin Tissories
- fix hidraw race condition from Yonghua Zheng
- fix/bandaid for rare device enumeration problems of Logitech Unifying
receivers from Nestor Lopez Casado
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: hidraw: fix improper mutex release
HID: sony: fix HID mapping for PS3 sixaxis controller
HID: hid-logitech-dj: querying_devices was never set
HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue""
Linus Torvalds [Fri, 2 Aug 2013 21:21:44 +0000 (14:21 -0700)]
Merge tag 'please-pull-fix-mce-regression' of git://git./linux/kernel/git/ras/ras
Pull MCE fix from Tony Luck:
"Fix a regression in mce-severity.c"
* tag 'please-pull-fix-mce-regression' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
x86/mce: Fix mce regression from recent cleanup
Linus Torvalds [Fri, 2 Aug 2013 20:12:52 +0000 (13:12 -0700)]
Merge tag 'pci-v3.11-fixes-1' of git://git./linux/kernel/git/helgaas/pci
Pull PCI fixes from Bjorn Helgaas:
"Yinghai fixed a couple regressions: one resource assignment problem
introduced in v3.10 that showed up with SR-IOV on powerpc, and another
SR-IOV hot-remove issue related to refcounting changes we merged for
v3.11.
Yinghai is still working on another SR-IOV-related fix or two, which
will be simpler if pciehp is non-modular, so I included the Kconfig
changes now to get them in earlier.
Finally, a minor fix for the ARM Marvell EBU host bridge driver that
was merged for v3.11
Hotplug:
PCI: pciehp: Fix null pointer deref when hot-removing SR-IOV device
PCI: hotplug: Convert to be builtin only, not modular
PCI: pciehp: Convert pciehp to be builtin only, not modular
Resource allocation:
PCI: Retry allocation of only the resource type that failed
ARM:
PCI: mvebu: Disable prefetchable memory support in PCI-to-PCI bridge"
* tag 'pci-v3.11-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: mvebu: Disable prefetchable memory support in PCI-to-PCI bridge
PCI: Retry allocation of only the resource type that failed
PCI: pciehp: Convert pciehp to be builtin only, not modular
PCI: hotplug: Convert to be builtin only, not modular
PCI: pciehp: Fix null pointer deref when hot-removing SR-IOV device
Linus Torvalds [Fri, 2 Aug 2013 19:21:32 +0000 (12:21 -0700)]
Merge tag 'pm+acpi-3.11-rc4' of git://git./linux/kernel/git/rafael/linux-pm
Pull ACPI and power management fixes from Rafael Wysocki:
- Revert two cpuidle commits added during the 3.8 development cycle
that turn out to have introduced a significant performance regression
as requested by Jeremy Eder.
- The recent patches that made the freezer less heavy-weight introduced
a regression causing user-space-driven hibernation using the ioctl()
interface to block indefinitely when the hibernate process executes
try_to_freeze(). Fix from Colin Cross addresses this by adding a
process flag to mark the hibernate/suspend process to inform the
freezer that that process should be ignored.
- One of the recent cpufreq reverts uncovered a problem in the core
causing the cpufreq driver module refcount to become negative after a
system suspend-resume cycle. Fix from Rafael J Wysocki.
- The evaluation of the ACPI battery _BIX method has never worked
correctly, because the commit that added support for it forgot to
take the "Revision" field in the return package into account. As a
result, the reading of battery info doesn't work at all on some
systems, which is addressed by a fix from Lan Tianyu.
* tag 'pm+acpi-3.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
freezer: set PF_SUSPEND_TASK flag on tasks that call freeze_processes
ACPI / battery: Fix parsing _BIX return value
cpufreq: Fix cpufreq driver module refcount balance after suspend/resume
Revert "cpuidle: Quickly notice prediction failure for repeat mode"
Revert "cpuidle: Quickly notice prediction failure in general case"
Takashi Iwai [Thu, 1 Aug 2013 06:38:27 +0000 (08:38 +0200)]
ALSA: hda - Fix missing fixup for Mac Mini with STAC9221
A fixup for Apple Mac Mini was lost during the adaption to the generic
parser because the fallback for the generic ID 8384:7680 was dropped,
and it resulted in the silence output (and maybe other problems).
Unfortunately, just adding the missing subsystem ID wasn't enough, in
this case. The subsystem ID of this machine is 0000:0100 (what Apple
thought...?), and since snd_hda_pick_fixup() doesn't take the vendor
id zero into account, the driver ignored this entry. Now it's fixed
to regard the vendor id zero as a valid value.
Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org> [v3.9+]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Michael S. Tsirkin [Thu, 1 Aug 2013 10:50:10 +0000 (13:50 +0300)]
macvlan: handle set_promiscuity failures
It's quite unlikely that dev_set_promiscuity will fail,
but worth checking just in case.
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Thu, 1 Aug 2013 10:43:19 +0000 (13:43 +0300)]
macvlan: better mode validation
macvlan passthrough mode is special: it's not possible to switch to or
from it through a netlink command.
But if you try, the command will succeed, which is
confusing.
Validate input and return error to user.
Cc: Sridhar Samudrala <sri@us.ibm.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Thu, 1 Aug 2013 12:29:18 +0000 (08:29 -0400)]
tipc: fix oops when creating server socket fails
When creation of TIPC internal server socket fails,
we get an oops with the following dump:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000020
IP: [<
ffffffffa0011f49>] tipc_close_conn+0x59/0xb0 [tipc]
PGD
13719067 PUD
12008067 PMD 0
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: tipc(+)
CPU: 4 PID: 4340 Comm: insmod Not tainted 3.10.0+ #1
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
task:
ffff880014360000 ti:
ffff88001374c000 task.ti:
ffff88001374c000
RIP: 0010:[<
ffffffffa0011f49>] [<
ffffffffa0011f49>] tipc_close_conn+0x59/0xb0 [tipc]
RSP: 0018:
ffff88001374dc98 EFLAGS:
00010292
RAX:
0000000000000000 RBX:
ffff880012ac09d8 RCX:
0000000000000000
RDX:
0000000000000046 RSI:
0000000000000001 RDI:
ffff880014360000
RBP:
ffff88001374dcb8 R08:
0000000000000001 R09:
0000000000000001
R10:
0000000000000000 R11:
0000000000000000 R12:
ffffffffa0016fa0
R13:
ffffffffa0017010 R14:
ffffffffa0017010 R15:
ffff880012ac09d8
FS:
0000000000000000(0000) GS:
ffff880016600000(0063) knlGS:
00000000f76668d0
CS: 0010 DS: 002b ES: 002b CR0:
000000008005003b
CR2:
0000000000000020 CR3:
0000000012227000 CR4:
00000000000006e0
Stack:
ffff88001374dcb8 ffffffffa0016fa0 0000000000000000 0000000000000001
ffff88001374dcf8 ffffffffa0012922 ffff88001374dce8 00000000ffffffea
ffffffffa0017100 0000000000000000 ffff8800134241a8 ffffffffa0017150
Call Trace:
[<
ffffffffa0012922>] tipc_server_stop+0xa2/0x1b0 [tipc]
[<
ffffffffa0009995>] tipc_subscr_stop+0x15/0x20 [tipc]
[<
ffffffffa00130f5>] tipc_core_stop+0x1d/0x33 [tipc]
[<
ffffffffa001f0d4>] tipc_init+0xd4/0xf8 [tipc]
[<
ffffffffa001f000>] ? 0xffffffffa001efff
[<
ffffffff8100023f>] do_one_initcall+0x3f/0x150
[<
ffffffff81082f4d>] ? __blocking_notifier_call_chain+0x7d/0xd0
[<
ffffffff810cc58a>] load_module+0x11aa/0x19c0
[<
ffffffff810c8d60>] ? show_initstate+0x50/0x50
[<
ffffffff8190311c>] ? retint_restore_args+0xe/0xe
[<
ffffffff810cce79>] SyS_init_module+0xd9/0x110
[<
ffffffff8190dc65>] sysenter_dispatch+0x7/0x1f
Code: 6c 24 70 4c 89 ef e8 b7 04 8f e1 8b 73 04 4c 89 e7 e8 7c 9e 32 e1 41 83 ac 24
b8 00 00 00 01 4c 89 ef e8 eb 0a 8f e1 48 8b 43 08 <4c> 8b 68 20 4d 8d a5 48 03 00
00 4c 89 e7 e8 04 05 8f e1 4c 89
RIP [<
ffffffffa0011f49>] tipc_close_conn+0x59/0xb0 [tipc]
RSP <
ffff88001374dc98>
CR2:
0000000000000020
---[ end trace
b02321f40e4269a3 ]---
We have the following call chain:
tipc_core_start()
ret = tipc_subscr_start()
ret = tipc_server_start(){
server->enabled = 1;
ret = tipc_open_listening_sock()
}
I.e., the server->enabled flag is unconditionally set to 1, whatever
the return value of tipc_open_listening_sock().
This causes a crash when tipc_core_start() tries to clean up
resources after a failed initialization:
if (ret == failed)
tipc_subscr_stop()
tipc_server_stop(){
if (server->enabled)
tipc_close_conn(){
NULL reference of con->sock-sk
OOPS!
}
}
To avoid this, tipc_server_start() should only set server->enabled
to 1 in case of a succesful socket creation. In case of failure, it
should release all allocated resources before returning.
Problem introduced in commit
c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f
("tipc: introduce new TIPC server infrastructure") in v3.11-rc1.
Note that it won't be seen often; it takes a module load under memory
constrained conditions in order to trigger the failure condition.
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steven Rostedt (Red Hat) [Thu, 4 Jul 2013 03:33:51 +0000 (23:33 -0400)]
tracing/uprobes: Fail to unregister if probe event files are in use
Uprobes suffer the same problem that kprobes have. There's a race between
writing to the "enable" file and removing the probe. The probe checks for
it being in use and if it is not, goes about deleting the probe and the
event that represents it. But the problem with that is, after it checks
if it is in use it can be enabled, and the deletion of the event (access
to the probe) will fail, as it is in use. But the uprobe will still be
deleted. This is a problem as the event can reference the uprobe that
was deleted.
The fix is to remove the event first, and check to make sure the event
removal succeeds. Then it is safe to remove the probe.
When the event exists, either ftrace or perf can enable the probe and
prevent the event from being removed.
Link: http://lkml.kernel.org/r/20130704034038.991525256@goodmis.org
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Cong Wang [Thu, 1 Aug 2013 03:10:25 +0000 (11:10 +0800)]
net: rename CONFIG_NET_LL_RX_POLL to CONFIG_NET_RX_BUSY_POLL
Eliezer renames several *ll_poll to *busy_poll, but forgets
CONFIG_NET_LL_RX_POLL, so in case of confusion, rename it too.
Cc: Eliezer Tamir <eliezer.tamir@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Thu, 1 Aug 2013 03:10:24 +0000 (11:10 +0800)]
net: fix a compile error when CONFIG_NET_LL_RX_POLL is not set
When CONFIG_NET_LL_RX_POLL is not set, I got:
net/socket.c: In function ‘sock_poll’:
net/socket.c:1165:4: error: implicit declaration of function ‘sk_busy_loop’ [-Werror=implicit-function-declaration]
Fix this by adding a nop when !CONFIG_NET_LL_RX_POLL.
Cc: Eliezer Tamir <eliezer.tamir@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Thu, 1 Aug 2013 16:55:01 +0000 (19:55 +0300)]
net/mlx4_core: VFs must ignore the enable_64b_cqe_eqe module param
Slaves get the 64B CQE/EQE state from QUERY_HCA, not from the module parameter.
If the parameter is set to zero, the slave outputs an incorrect/irrelevant
warning message that 64B CQEs/EQEs are supported but not enabled (even if the
hypervisor has enabled 64B CQEs/EQEs).
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Or Gerlitz [Thu, 1 Aug 2013 16:55:00 +0000 (19:55 +0300)]
net/mlx4_core: Don't give VFs MAC addresses which are derived from the PF MAC
If the user has not assigned a MAC address to a VM, then don't give it MAC which
is based on the PF one. The current derivation scheme is wrong and leads to VM
MAC collisions when the number of cards/hypervisors becomes big enough.
Instead, just give it zeros and let them figure out what to do with that.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Benc [Thu, 1 Aug 2013 08:41:28 +0000 (10:41 +0200)]
ipv6: prevent race between address creation and removal
There's a race in IPv6 automatic addess assignment. The address is created
with zero lifetime when it's added to various address lists. Before it gets
assigned the correct lifetime, there's a window where a new address may be
configured. This causes the semi-initiated address to be deleted in
addrconf_verify.
This was discovered as a reference leak caused by concurrent run of
__ipv6_ifa_notify for both RTM_NEWADDR and RTM_DELADDR with the same
address.
Fix this by setting the lifetime before the address is added to
inet6_addr_lst.
A few notes:
1. In addrconf_prefix_rcv, by setting update_lft to zero, the
if (update_lft) { ... } condition is no longer executed for newly
created addresses. This is okay, as the ifp fields are set in
ipv6_add_addr now and ipv6_ifa_notify is called (and has been called)
through addrconf_dad_start.
2. The removal of the whole block under ifp->lock in inet6_addr_add is okay,
too, as tstamp is initialized to jiffies in ipv6_add_addr.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Pirko [Thu, 1 Aug 2013 08:41:27 +0000 (10:41 +0200)]
ipv6: move peer_addr init into ipv6_add_addr()
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Kubeček [Thu, 1 Aug 2013 08:04:24 +0000 (10:04 +0200)]
ipv6: update ip6_rt_last_gc every time GC is run
As pointed out by Eric Dumazet, net->ipv6.ip6_rt_last_gc should
hold the last time garbage collector was run so that we should
update it whenever fib6_run_gc() calls fib6_clean_all(), not only
if we got there from ip6_dst_gc().
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Kubeček [Thu, 1 Aug 2013 08:04:14 +0000 (10:04 +0200)]
ipv6: prevent fib6_run_gc() contention
On a high-traffic router with many processors and many IPv6 dst
entries, soft lockup in fib6_run_gc() can occur when number of
entries reaches gc_thresh.
This happens because fib6_run_gc() uses fib6_gc_lock to allow
only one thread to run the garbage collector but ip6_dst_gc()
doesn't update net->ipv6.ip6_rt_last_gc until fib6_run_gc()
returns. On a system with many entries, this can take some time
so that in the meantime, other threads pass the tests in
ip6_dst_gc() (ip6_rt_last_gc is still not updated) and wait for
the lock. They then have to run the garbage collector one after
another which blocks them for quite long.
Resolve this by replacing special value ~0UL of expire parameter
to fib6_run_gc() by explicit "force" parameter to choose between
spin_lock_bh() and spin_trylock_bh() and call fib6_run_gc() with
force=false if gc_thresh is reached but not max_size.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Petazzoni [Thu, 1 Aug 2013 13:44:19 +0000 (15:44 +0200)]
PCI: mvebu: Disable prefetchable memory support in PCI-to-PCI bridge
The Marvell PCIe driver uses an emulated PCI-to-PCI bridge to be able
to dynamically set up MBus address decoding windows for PCI I/O and
memory regions depending on the PCI devices enumerated by Linux.
However, this emulated PCI-to-PCI bridge logic makes the Linux PCI
core believe that prefetchable memory regions are supported (because
the registers are read/write), while in fact no adress decoding window
is ever created for such regions. Since the Marvell MBus address
decoding windows do not distinguish memory regions and prefetchable
memory regions, this patch takes a simple approach: change the
PCI-to-PCI bridge emulation to let the Linux PCI core know that we
don't support prefetchable memory regions.
To achieve this, we simply make the prefetchable memory base a
read-only register that always returns 0. Reading/writing all the
other prefetchable memory related registers has no effect.
This problem was originally reported by Finn Hoffmann
<finn@uni-bremen.de>, who couldn't get a RTL8111/8168B PCI NIC working
on the NSA310 Kirkwood platform after updating to 3.11-rc. The problem
was that the PCI-to-PCI bridge emulation was making the Linux PCI core
believe that we support prefetchable memory, so the Linux PCI core was
only filling the prefetchable memory base and limit registers, which
does not lead to a MBus window being created. The below patch has been
confirmed by Finn Hoffmann to fix his problem on Kirkwood, and has
otherwise been successfully tested on the Armada XP GP platform with a
e1000e PCIe NIC and a Marvell SATA PCIe card.
Reported-by: Finn Hoffmann <finn@uni-bremen.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
David S. Miller [Thu, 1 Aug 2013 19:57:52 +0000 (12:57 -0700)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless
John W. Linville says:
====================
This pull request is intended for the 3.11 stream. It is a bit
larger than usual, as it includes pulls from most of my feeder trees
as well...
For the Bluetooth bits, Gustavo says:
"A few fixes and devices ID additions for 3.11:
* There are 4 new ath3k device ids
* Fixed stack memory usage in ath3k.
* Fixed the init process of BlueFRITZ! devices, they were failing to init
due to an unsupported command we sent.
* Fixed wrong use of PTR_ERR in btusb code that was preventing intel devices
to work properly.
* Fixed race condition between hci_register_dev() and hci_dev_open() that
could cause a NULL pointer dereference.
* Fixed race condition that could call hci_req_cmd_complete() and make some
devices to fail as showed in the log added to the commit message."
Regarding the NFC bits, Samuel says:
"We have:
1) A build failure fix for the NCI SPI transport layer due to a
missing CRC_CCITT Kconfig dependency.
2) A netlink command rename: CMD_FW_UPLOAD was merged during the 3.11
merge window but the typical terminology for loading a firmware to a
target is firmware download rather than upload. In order to avoid any
confusion in a file exported to userspace, we rename this command to
CMD_FW_DOWNLOAD."
Samuel's item #2 isn't strictly a fix, but it seems safe and should
avoid confusion in the future.
As for the mac80211 bits, Johannes says:
"I only have three fixes this time, a fix for a suspend regression, a
patch correcting the initiator in regulatory code and one fix for mesh
station powersave."
With respect to the iwlwifi bits, Johannes says:
"We have a scan fix for passive channels, a new PCI device ID for an old
device, a NIC reset fix, an RF-Kill fix, a fix for powersave when GO
interfaces are present as well as an aggregation session fix (for a
corner case) and a workaround for a firmware design issue - it only
supports a single GTK in D3."
Bringing-up the rear with the Atheros trees, Kalle says:
"Geert Uytterhoeven fixed an ath10k build problem when NO_DMA=y. I added
a missing MAINTAINERS entry for ath10k and updated ath6kl git tree
location."
Along with the above...
Arend van Spriel fixes a brcmfmac WARNING when unplugging the device.
Avinash Patil proves a couple of minor mwifiex fixes relating to P2P mode.
Luciano Coelho updates the MAINTAINERS entry for the wilink drivers.
Stanislaw Gruszka brings an rt2x00 fix for a queue start/stop problem.
Stone Piao fixes another mwifiex problem, a command timeout related to P2P mode.
Tomasz Moń corrects an endian problem in mwifiex.
I'll remind my feeder maintainers to slowdown the patchflow.
Beyond that, please let me know if there are problems!
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 1 Aug 2013 19:51:13 +0000 (20:51 +0100)]
Merge branch 'security-fixes' into fixes
John W. Linville [Thu, 1 Aug 2013 18:30:59 +0000 (14:30 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
Russell King [Wed, 31 Jul 2013 10:37:17 +0000 (11:37 +0100)]
ARM: Add .text annotations where required after __CPUINIT removal
Commit
8bd26e3a7 (arm: delete __cpuinit/__CPUINIT usage from all ARM
users) caused some code to leak into sections which are discarded
through the removal of __CPUINIT annotations. Add appropriate .text
annotations to bring these back into the kernel text.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Stephen Boyd [Tue, 30 Jul 2013 22:09:46 +0000 (23:09 +0100)]
ARM: 7803/1: Fix deadlock scenario with smp_send_stop()
If one process calls sys_reboot and that process then stops other
CPUs while those CPUs are within a spin_lock() region we can
potentially encounter a deadlock scenario like below.
CPU 0 CPU 1
----- -----
spin_lock(my_lock)
smp_send_stop()
<send IPI> handle_IPI()
disable_preemption/irqs
while(1);
<PREEMPT>
spin_lock(my_lock) <--- Waits forever
We shouldn't attempt to run any other tasks after we send a stop
IPI to a CPU so disable preemption so that this task runs to
completion. We use local_irq_disable() here for cross-arch
consistency with x86.
Reported-by: Sundarajan Srinivasan <sundaraj@codeaurora.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Russell King [Wed, 31 Jul 2013 20:58:56 +0000 (21:58 +0100)]
ARM: make vectors page inaccessible from userspace
If kuser helpers are not provided by the kernel, disable user access to
the vectors page. With the kuser helpers gone, there is no reason for
this page to be visible to userspace.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Russell King [Tue, 23 Jul 2013 23:29:18 +0000 (00:29 +0100)]
ARM: move signal handlers into a vdso-like page
Move the signal handlers into a VDSO page rather than keeping them in
the vectors page. This allows us to place them randomly within this
page, and also map the page at a random location within userspace
further protecting these code fragments from ROP attacks. The new
VDSO page is also poisoned in the same way as the vector page.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
J. Bruce Fields [Wed, 31 Jul 2013 21:51:42 +0000 (17:51 -0400)]
svcrpc: set cr_gss_mech from gss-proxy as well as legacy upcall
The change made to rsc_parse() in
0dc1531aca7fd1440918bd55844a054e9c29acad "svcrpc: store gss mech in
svc_cred" should also have been propagated to the gss-proxy codepath.
This fixes a crash in the gss-proxy case.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Wed, 31 Jul 2013 18:11:14 +0000 (14:11 -0400)]
svcrpc: fix kfree oops in gss-proxy code
mech_oid.data is an array, not kmalloc()'d memory.
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Fri, 7 Jun 2013 14:11:19 +0000 (10:11 -0400)]
svcrpc: fix gss-proxy xdr decoding oops
Uninitialized stack data was being used as the destination for memcpy's.
Longer term we'll just delete some of this code; all we're doing is
skipping over xdr that we don't care about.
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Mon, 10 Jun 2013 20:06:44 +0000 (16:06 -0400)]
svcrpc: fix gss_rpc_upcall create error
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
NeilBrown [Thu, 25 Jul 2013 01:30:23 +0000 (11:30 +1000)]
NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure.
Since we enabled auto-tuning for sunrpc TCP connections we do not
guarantee that there is enough write-space on each connection to
queue a reply.
If memory pressure causes the window to shrink too small, the request
throttling in sunrpc/svc will not accept any requests so no more requests
will be handled. Even when pressure decreases the window will not
grow again until data is sent on the connection.
This means we get a deadlock: no requests will be handled until there
is more space, and no space will be allocated until a request is
handled.
This can be simulated by modifying svc_tcp_has_wspace to inflate the
number of byte required and removing the 'svc_sock_setbufsize' calls
in svc_setup_socket.
I found that multiplying by 16 was enough to make the requirement
exceed the default allocation. With this modification in place:
mount -o vers=3,proto=tcp 127.0.0.1:/home /mnt
would block and eventually time out because the nfs server could not
accept any requests.
This patch relaxes the request throttling to always allow at least one
request through per connection. It does this by checking both
sk_stream_min_wspace() and xprt->xpt_reserved
are zero.
The first is zero when the TCP transmit queue is empty.
The second is zero when there are no RPC requests being processed.
When both of these are zero the socket is idle and so one more
request can safely be allowed through.
Applying this patch allows the above mount command to succeed cleanly.
Tracing shows that the allocated write buffer space quickly grows and
after a few requests are handled, the extra tests are no longer needed
to permit further requests to be processed.
The main purpose of request throttling is to handle the case when one
client is slow at collecting replies and the send queue gets full of
replies that the client hasn't acknowledged (at the TCP level) yet.
As we only change behaviour when the send queue is empty this main
purpose is still preserved.
Reported-by: Ben Myers <bpm@sgi.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Shaohua Li [Thu, 1 Aug 2013 01:56:36 +0000 (09:56 +0800)]
workqueue: copy workqueue_attrs with all fields
$echo '0' > /sys/bus/workqueue/devices/xxx/numa
$cat /sys/bus/workqueue/devices/xxx/numa
I got 1. It should be 0, the reason is copy_workqueue_attrs() called
in apply_workqueue_attrs() doesn't copy no_numa field.
Fix it by making copy_workqueue_attrs() copy ->no_numa too. This
would also make get_unbound_pool() set a pool's ->no_numa attribute
according to the workqueue attributes used when the pool was created.
While harmelss, as ->no_numa isn't a pool attribute, this is a bit
confusing. Clear it explicitly.
tj: Updated description and comments a bit.
Signed-off-by: Shaohua Li <shli@fusionio.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Takashi Iwai [Thu, 1 Aug 2013 09:12:10 +0000 (11:12 +0200)]
Merge tag 'asoc-v3.11-rc3' of git://git./linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v3.11
A fix to make sure userspace knows when control writes have caused a
change in value, fixing some UIs, plus a few few driver fixes mainly
cleaning up issues from recent refactorings on less mainstream platforms.