platform/kernel/linux-amlogic.git
12 years ago netfilter: nf_conntrack: fix racy timer handling with reliable events
Pablo Neira Ayuso [Wed, 29 Aug 2012 16:25:49 +0000 (16:25 +0000)]
netfilter: nf_conntrack: fix racy timer handling with reliable events

Existing code assumes that del_timer returns true for alive conntrack
entries. However, this is not true if reliable events are enabled.
In that case, del_timer may return true for entries that were
just inserted in the dying list. Note that packets / ctnetlink may
hold references to conntrack entries that were just inserted to such
list.

This patch fixes the issue by adding an independent timer for
event delivery. This increases the size of the ecache extension.
Still we can revisit this later and use variable size extensions
to allocate this area on demand.

Tested-by: Oliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation
Pablo Neira Ayuso [Wed, 29 Aug 2012 15:24:09 +0000 (15:24 +0000)]
netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation

We're hitting a bug while trying to reinsert an already existing
expectation:

kernel BUG at kernel/timer.c:895!
invalid opcode: 0000 [#1] SMP
[...]
Call Trace:
 <IRQ>
 [<ffffffffa0069563>] nf_ct_expect_related_report+0x4a0/0x57a [nf_conntrack]
 [<ffffffff812d423a>] ? in4_pton+0x72/0x131
 [<ffffffffa00ca69e>] ip_nat_sdp_media+0xeb/0x185 [nf_nat_sip]
 [<ffffffffa00b5b9b>] set_expected_rtp_rtcp+0x32d/0x39b [nf_conntrack_sip]
 [<ffffffffa00b5f15>] process_sdp+0x30c/0x3ec [nf_conntrack_sip]
 [<ffffffff8103f1eb>] ? irq_exit+0x9a/0x9c
 [<ffffffffa00ca738>] ? ip_nat_sdp_media+0x185/0x185 [nf_nat_sip]

We have to remove the RTP expectation if the RTCP expectation hits EBUSY
since we keep trying with other ports until we succeed.

Reported-by: Rafal Fitt <rafalf@aplusc.com.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago netfilter: nfnetlink_log: fix error return code in init path
Julia Lawall [Wed, 29 Aug 2012 06:49:17 +0000 (06:49 +0000)]
netfilter: nfnetlink_log: fix error return code in init path

Initialize return variable before exiting on an error path.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
(
if@p1 (\(ret < 0\|ret != 0\))
 { ... return ret; }
|
ret@p1 = 0
)
... when != ret = e1
    when != &ret
*if(...)
{
  ... when != ret = e2
      when forall
 return ret;
}

// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago netfilter: ctnetlink: fix error return code in init path
Julia Lawall [Wed, 29 Aug 2012 06:49:16 +0000 (06:49 +0000)]
netfilter: ctnetlink: fix error return code in init path

Initialize return variable before exiting on an error path.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
(
if@p1 (\(ret < 0\|ret != 0\))
 { ... return ret; }
|
ret@p1 = 0
)
... when != ret = e1
    when != &ret
*if(...)
{
  ... when != ret = e2
      when forall
 return ret;
}

// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago ipvs: fix error return code
Julia Lawall [Wed, 29 Aug 2012 06:49:11 +0000 (06:49 +0000)]
ipvs: fix error return code

Initialize return variable before exiting on an error path.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
(
if@p1 (\(ret < 0\|ret != 0\))
 { ... return ret; }
|
ret@p1 = 0
)
... when != ret = e1
    when != &ret
*if(...)
{
  ... when != ret = e2
      when forall
 return ret;
}

// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago netfilter: nfnetlink_log: fix NLA_PUT macro removal bug
Patrick McHardy [Sun, 19 Aug 2012 10:16:08 +0000 (10:16 +0000)]
netfilter: nfnetlink_log: fix NLA_PUT macro removal bug

Commit 1db20a52 (nfnetlink_log: Stop using NLA_PUT*().) incorrectly
converted a NLA_PUT_BE16 macro to nla_put_be32() in nfnetlink_log:

-               NLA_PUT_BE16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type));
+               if (nla_put_be32(inst->skb, NFULA_HWTYPE, htons(skb->dev->type))
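Review bot: the added line passes htons(skb->dev->type), a 16-bit value, to nla_put_be32(), while the removed line emitted the same NFULA_HWTYPE attribute with NLA_PUT_BE16. The attribute width should stay at 16 bits, so this call should be nla_put_be16(); as written, the payload size of NFULA_HWTYPE changes for any userspace parser that reads it as a __be16.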

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago net: tcp: move sk_rx_dst_set call after tcp_create_openreq_child()
Neal Cardwell [Sun, 19 Aug 2012 03:30:38 +0000 (03:30 +0000)]
net: tcp: move sk_rx_dst_set call after tcp_create_openreq_child()

This commit removes the sk_rx_dst_set calls from
tcp_create_openreq_child(), because at that point the icsk_af_ops
field of ipv6_mapped TCP sockets has not been set to its proper final
value.

Instead, to make sure we get the right sk_rx_dst_set variant
appropriate for the address family of the new connection, we have
tcp_v{4,6}_syn_recv_sock() directly call the appropriate function
shortly after the call to tcp_create_openreq_child() returns.

This also moves inet6_sk_rx_dst_set() to avoid a forward declaration
with the new approach.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reported-by: Artem Savkov <artem.savkov@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net/core/dev.c: fix kernel-doc warning
Randy Dunlap [Sat, 18 Aug 2012 14:36:44 +0000 (14:36 +0000)]
net/core/dev.c: fix kernel-doc warning

Fix kernel-doc warning:

Warning(net/core/dev.c:5745): No description found for parameter 'dev'

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netconsole: remove a redundant netconsole_target_put()
Amerigo Wang [Sat, 18 Aug 2012 07:02:20 +0000 (07:02 +0000)]
netconsole: remove a redundant netconsole_target_put()

This netconsole_target_put() is obviously redundant, and it
causes a kernel segfault when removing a bridge device which has
netconsole running on it.

This is caused by:

commit 8d8fc29d02a33e4bd5f4fa47823c1fd386346093
Author: Amerigo Wang <amwang@redhat.com>
Date:   Thu May 19 21:39:10 2011 +0000

    netpoll: disable netpoll when enslave a device

Cc: David Miller <davem@davemloft.net>
 (for all 3.x stable releases)
Cc: stable@vger.kernel.org
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: ipv6: fix oops in inet_putpeer()
Patrick McHardy [Mon, 20 Aug 2012 09:56:56 +0000 (02:56 -0700)]
net: ipv6: fix oops in inet_putpeer()

Commit 97bab73f (inet: Hide route peer accesses behind helpers.) introduced
a bug in xfrm6_policy_destroy(). The xfrm_dst's _rt6i_peer member is not
initialized, causing a false positive result from inetpeer_ptr_is_peer(),
which in turn causes a NULL pointer dereference in inet_putpeer().

Pid: 314, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #17 To Be Filled By O.E.M. To Be Filled By O.E.M./P4S800D-X
EIP: 0060:[<c03abf93>] EFLAGS: 00010246 CPU: 0
EIP is at inet_putpeer+0xe/0x16
EAX: 00000000 EBX: f3481700 ECX: 00000000 EDX: 000dd641
ESI: f3481700 EDI: c05e949c EBP: f551def4 ESP: f551def4
 DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
CR0: 8005003b CR2: 00000070 CR3: 3243d000 CR4: 00000750
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: ffff0ff0 DR7: 00000400
 f551df04 c0423de1 00000000 f3481700 f551df18 c038d5f7 f254b9f8 f551df28
 f34f85d8 f551df20 c03ef48d f551df3c c0396870 f30697e8 f24e1738 c05e98f4
 f5509540 c05cd2b4 f551df7c c0142d2b c043feb5 f5509540 00000000 c05cd2e8
 [<c0423de1>] xfrm6_dst_destroy+0x42/0xdb
 [<c038d5f7>] dst_destroy+0x1d/0xa4
 [<c03ef48d>] xfrm_bundle_flo_delete+0x2b/0x36
 [<c0396870>] flow_cache_gc_task+0x85/0x9f
 [<c0142d2b>] process_one_work+0x122/0x441
 [<c043feb5>] ? apic_timer_interrupt+0x31/0x38
 [<c03967eb>] ? flow_cache_new_hashrnd+0x2b/0x2b
 [<c0143e2d>] worker_thread+0x113/0x3cc

Fix by adding a init_dst() callback to struct xfrm_policy_afinfo to
properly initialize the dst's peer pointer.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net/stmmac: fix issue of clk_get for Loongson1B.
Kelvin Cheung [Sat, 18 Aug 2012 00:16:23 +0000 (00:16 +0000)]
net/stmmac: fix issue of clk_get for Loongson1B.

When getting clock, give a chance to the CPUs without DT support,
which use Common Clock Framework, such as Loongson1B.

Signed-off-by: Kelvin Cheung <keguang.zhang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago caif: Do not dereference NULL in chnl_recv_cb()
Jesper Juhl [Fri, 17 Aug 2012 10:33:12 +0000 (10:33 +0000)]
caif: Do not dereference NULL in chnl_recv_cb()

In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer()
which may return NULL, but we do not check for a NULL pointer before
dereferencing it.
This patch adds such a NULL check and properly frees allocated memory
and returns an error (-EINVAL) on failure - much better than crashing.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Merge git://1984.lsi.us.es/nf
David S. Miller [Mon, 20 Aug 2012 09:44:29 +0000 (02:44 -0700)]
Merge git://1984.lsi.us.es/nf

Pablo Neira Ayuso says:

====================
The following five patches contain fixes for 3.6-rc, they are:

* Two fixes for message parsing in the SIP conntrack helper, from
  Patrick McHardy.

* One fix for the SIP helper introduced in the user-space cthelper
  infrastructure, from Patrick McHardy.

* fix missing appropriate locking while modifying one conntrack entry
  from the nfqueue integration code, from myself.

* fix possible access to uninitialized timer in the nf_conntrack
  expectation infrastructure, from myself.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago af_packet: don't emit packet on orig fanout group
Eric Leblond [Thu, 16 Aug 2012 22:02:58 +0000 (22:02 +0000)]
af_packet: don't emit packet on orig fanout group

If a packet is emitted on one socket in one group of fanout sockets,
it is transmitted again. It is thus read again on one of the sockets
of the fanout group. This results in a loop for software which
generates packets when receiving one.
This retransmission is not the intended behavior: a fanout group
must behave like a single socket. The packet should not be
transmitted on a socket if it originates from a socket belonging
to the same fanout group.

This patch fixes the issue by changing the transmission check to
take fanout group info into account.

Reported-by: Aleksandr Kotov <a1k@mail.ru>
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago drivers/net/irda: fix error return code
Julia Lawall [Thu, 16 Aug 2012 21:46:58 +0000 (21:46 +0000)]
drivers/net/irda: fix error return code

Convert a nonnegative error return code to a negative one, as returned
elsewhere in the function.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
identifier ret;
expression e1,e2;
@@

if (ret < 0)
 { ... return ret; }
 ... when != ret = e1
     when forall
*if(...)
 {
  ... when != ret = e2
* return ret;
 }
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago drivers/net/wan/dscc4.c: fix error return code
Julia Lawall [Thu, 16 Aug 2012 21:46:57 +0000 (21:46 +0000)]
drivers/net/wan/dscc4.c: fix error return code

Move up the initialization of rc so that failure of pci_alloc_consistent
returns -ENOMEM as well.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
identifier ret;
expression e1,e2;
@@

if (ret < 0)
 { ... return ret; }
 ... when != ret = e1
     when forall
*if(...)
 {
  ... when != ret = e2
* return ret;
 }
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago drivers/net/wimax/i2400m/fw.c: fix error return code
Julia Lawall [Thu, 16 Aug 2012 21:46:56 +0000 (21:46 +0000)]
drivers/net/wimax/i2400m/fw.c: fix error return code

Convert a nonnegative error return code to a negative one, as returned
elsewhere in the function.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
identifier ret;
expression e1,e2;
@@

if (ret < 0)
 { ... return ret; }
 ... when != ret = e1
     when forall
*if(...)
 {
  ... when != ret = e2
* return ret;
 }
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago smsc75xx: add missing entry to MAINTAINERS
Steve Glendinning [Wed, 15 Aug 2012 21:53:38 +0000 (21:53 +0000)]
smsc75xx: add missing entry to MAINTAINERS

Signed-off-by: Steve Glendinning <steve.glendinning@shawell.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: qmi_wwan: new devices: UML290 and K5006-Z
Bjørn Mork [Wed, 15 Aug 2012 03:42:57 +0000 (03:42 +0000)]
net: qmi_wwan: new devices: UML290 and K5006-Z

Newer firmware versions for the Pantech UML290 use a different
subclass ID.  The Windows driver matches on both IDs, so we do
that as well.

The ZTE (Vodafone) K5006-Z is a new device.

Cc: Dan Williams <dcbw@redhat.com>
Cc: Thomas Schäfer <tschaefer@t-online.de>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: sh_eth: Add eth support for R8A7779 device
Phil Edworthy [Tue, 14 Aug 2012 20:33:29 +0000 (20:33 +0000)]
net: sh_eth: Add eth support for R8A7779 device

Signed-off-by: Phil Edworthy <phil.edworthy@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netdev/phy: skip disabled mdio-mux nodes
Timur Tabi [Tue, 14 Aug 2012 13:20:24 +0000 (13:20 +0000)]
netdev/phy: skip disabled mdio-mux nodes

The mdio-mux driver scans all child mdio nodes, without regard to whether
the node is actually used.  Some device trees include all possible
mdio-mux nodes and rely on the boot loader to disable those that are not
present, based on some run-time configuration.  Those nodes need to be
skipped.

Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago dt: introduce for_each_available_child_of_node, of_get_next_available_child
Timur Tabi [Tue, 14 Aug 2012 13:20:23 +0000 (13:20 +0000)]
dt: introduce for_each_available_child_of_node, of_get_next_available_child

Macro for_each_child_of_node() makes it easy to iterate over all of the
children for a given device tree node, including those nodes that are
marked as unavailable (i.e. status = "disabled").

Introduce for_each_available_child_of_node(), which is like
for_each_child_of_node(), but it automatically skips unavailable nodes.
This also requires the introduction of helper function
of_get_next_available_child(), which returns the next available child
node.

Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: netprio: fix cgrp create and write priomap race
John Fastabend [Tue, 14 Aug 2012 12:34:35 +0000 (12:34 +0000)]
net: netprio: fix cgrp create and write priomap race

A race exists where creating cgroups and also updating the priomap
may result in losing a priomap update. This is because priomap
writers are not protected by rtnl_lock.

Move priority writer into rtnl_lock()/rtnl_unlock().

CC: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: netprio: fd passed in SCM_RIGHTS datagram not set correctly
John Fastabend [Tue, 14 Aug 2012 12:34:30 +0000 (12:34 +0000)]
net: netprio: fd passed in SCM_RIGHTS datagram not set correctly

A socket fd passed in a SCM_RIGHTS datagram was not getting
updated with the new task's cgrp prioidx. This leaves IO on
the socket tagged with the old task's priority.

To fix this add a check in the scm recvmsg path to update the
sock cgrp prioidx with the new task's value.

Thanks to Al Viro for catching this.

CC: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: netprio: fix files lock and remove useless d_path bits
John Fastabend [Tue, 14 Aug 2012 12:34:24 +0000 (12:34 +0000)]
net: netprio: fix files lock and remove useless d_path bits

Add lock to prevent a race with a file closing and also remove
useless and ugly sscanf code. The extra code was never needed
and the case it supposedly protected against is in fact handled
correctly by sock_from_file as pointed out by Al Viro.

CC: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago act_mirred: do not drop packets when fails to mirror it
Jason Wang [Wed, 15 Aug 2012 20:44:27 +0000 (20:44 +0000)]
act_mirred: do not drop packets when fails to mirror it

We drop the packet unconditionally when we fail to mirror it. This is not intended
in some cases. Consider a kvm guest: we may mirror the traffic of the bridge
to a tap device used by a VM. When the kernel fails to mirror the packet in
conditions such as when qemu crashes or stops polling the tap, it's hard for the
management software to detect such a condition and clean the mirroring
before. This would lead all packets to the bridge to be dropped and break the
network of other virtual machines.

To solve the issue, the patch does not drop packets when the kernel fails to mirror
them, and only drops the redirected packets.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netfilter: nf_ct_expect: fix possible access to uninitialized timer
Pablo Neira Ayuso [Thu, 16 Aug 2012 00:25:24 +0000 (02:25 +0200)]
netfilter: nf_ct_expect: fix possible access to uninitialized timer

In __nf_ct_expect_check, the function refresh_timer returns 1
if a matching expectation is found and its timer is successfully
refreshed. This results in nf_ct_expect_related returning 0.
Note that at this point:

- the passed expectation is not inserted in the expectation table
  and its timer was not initialized, since we have refreshed one
  matching/existing expectation.

- nf_ct_expect_alloc uses kmem_cache_alloc, so the expectation
  timer is in some undefined state just after the allocation,
  until it is appropriately initialized.

This can be a problem for the SIP helper during the expectation
addition:

 ...
 if (nf_ct_expect_related(rtp_exp) == 0) {
         if (nf_ct_expect_related(rtcp_exp) != 0)
                 nf_ct_unexpect_related(rtp_exp);
 ...

Note that nf_ct_expect_related(rtp_exp) may return 0 for the timer refresh
case that is detailed above. Then, if nf_ct_unexpect_related(rtcp_exp)
returns != 0, nf_ct_unexpect_related(rtp_exp) is called, which does:

 spin_lock_bh(&nf_conntrack_lock);
 if (del_timer(&exp->timeout)) {
         nf_ct_unlink_expect(exp);
         nf_ct_expect_put(exp);
 }
 spin_unlock_bh(&nf_conntrack_lock);

Note that del_timer always returns false if the timer has been
initialized.  However, the timer was not initialized since setup_timer
was not called, therefore, the expectation timer remains in some
undefined state. If I'm not missing anything, this may lead to the
removal of a nonexistent expectation.

To fix this, the optimization that allows refreshing an expectation
is removed. Now nf_conntrack_expect_related looks more consistent
to me since it always adds the expectation in case that it returns
success.

Thanks to Patrick McHardy for participating in the discussion of
this patch.

I think this may be the source of the problem described by:
http://marc.info/?l=netfilter-devel&m=134073514719421&w=2

Reported-by: Rafal Fitt <rafalf@aplusc.com.pl>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago net: fix info leak in compat dev_ifconf()
Mathias Krause [Wed, 15 Aug 2012 11:31:57 +0000 (11:31 +0000)]
net: fix info leak in compat dev_ifconf()

The implementation of dev_ifconf() for the compat ioctl interface uses
an intermediate ifc structure allocated in userland for the duration of
the syscall. Though, it fails to initialize the padding bytes inserted
for alignment and therefore leaks four bytes of kernel stack. Add an
explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)
Mathias Krause [Wed, 15 Aug 2012 11:31:56 +0000 (11:31 +0000)]
ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)

If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is
not set, __ip_vs_get_timeouts() does not fully initialize the structure
that gets copied to userland and therefore leaks up to 12 bytes of kernel
stack. Add an explicit memset(0) before passing the structure to
__ip_vs_get_timeouts() to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Wensong Zhang <wensong@linux-vs.org>
Cc: Simon Horman <horms@verge.net.au>
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)
Mathias Krause [Wed, 15 Aug 2012 11:31:55 +0000 (11:31 +0000)]
dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)

The CCID3 code fails to initialize the trailing padding bytes of struct
tfrc_tx_info added for alignment on 64 bit architectures. It therefore
potentially leaks four bytes of kernel stack via the getsockopt() syscall.
Add an explicit memset(0) before filling the structure to avoid the
info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago dccp: check ccid before dereferencing
Mathias Krause [Wed, 15 Aug 2012 11:31:54 +0000 (11:31 +0000)]
dccp: check ccid before dereferencing

ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with
a NULL ccid pointer leading to a NULL pointer dereference. This could
lead to a privilege escalation if the attacker is able to map page 0 and
prepare it with a fake ccid_ops pointer.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago llc: fix info leak via getsockname()
Mathias Krause [Wed, 15 Aug 2012 11:31:53 +0000 (11:31 +0000)]
llc: fix info leak via getsockname()

The LLC code wrongly returns 0, i.e. "success", when the socket is
zapped. Together with the uninitialized uaddrlen pointer argument from
sys_getsockname this leads to an arbitrary memory leak of up to 128
bytes of kernel stack via the getsockname() syscall.

Return an error instead when the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed to by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago l2tp: fix info leak via getsockname()
Mathias Krause [Wed, 15 Aug 2012 11:31:52 +0000 (11:31 +0000)]
l2tp: fix info leak via getsockname()

The L2TP code for IPv6 fails to initialize the l2tp_unused member of
struct sockaddr_l2tpip6 and therefore leaks two bytes of kernel stack via
the getsockname() syscall. Initialize l2tp_unused with 0 to avoid the
info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Bluetooth: L2CAP - Fix info leak via getsockname()
Mathias Krause [Wed, 15 Aug 2012 11:31:51 +0000 (11:31 +0000)]
Bluetooth: L2CAP - Fix info leak via getsockname()

The L2CAP code fails to initialize the l2_bdaddr_type member of struct
sockaddr_l2 and the padding byte added for alignment. It therefore leaks
two bytes of kernel stack via the getsockname() syscall. Add an explicit
memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Bluetooth: RFCOMM - Fix info leak via getsockname()
Mathias Krause [Wed, 15 Aug 2012 11:31:50 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak via getsockname()

The RFCOMM code fails to initialize the trailing padding byte of struct
sockaddr_rc added for alignment. It therefore leaks one byte of kernel stack
via the getsockname() syscall. Add an explicit memset(0) before filling
the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
Mathias Krause [Wed, 15 Aug 2012 11:31:49 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() therefore discloses two bytes plus
dev_num times two bytes of uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)
Mathias Krause [Wed, 15 Aug 2012 11:31:48 +0000 (11:31 +0000)]
Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)

The RFCOMM code fails to initialize the key_size member of struct
bt_security before copying it to userland -- therefore leaking one
byte of kernel stack. Initialize key_size with 0 to avoid the info
leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Bluetooth: HCI - Fix info leak via getsockname()
Mathias Krause [Wed, 15 Aug 2012 11:31:47 +0000 (11:31 +0000)]
Bluetooth: HCI - Fix info leak via getsockname()

The HCI code fails to initialize the hci_channel member of struct
sockaddr_hci and therefore leaks two bytes of kernel stack via the
getsockname() syscall. Initialize hci_channel with 0 to avoid the
info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
Mathias Krause [Wed, 15 Aug 2012 11:31:46 +0000 (11:31 +0000)]
Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)

The HCI code fails to initialize the two padding bytes of struct
hci_ufilter before copying it to userland -- therefore leaking two
bytes of kernel stack. Add an explicit memset(0) before filling the
structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago atm: fix info leak via getsockname()
Mathias Krause [Wed, 15 Aug 2012 11:31:45 +0000 (11:31 +0000)]
atm: fix info leak via getsockname()

The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago atm: fix info leak in getsockopt(SO_ATMPVC)
Mathias Krause [Wed, 15 Aug 2012 11:31:44 +0000 (11:31 +0000)]
atm: fix info leak in getsockopt(SO_ATMPVC)

The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
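
The pattern behind the info-leak fixes listed above (padding bytes that are never written before the whole structure is copied to userland), as an added user-space example that is not kernel code and not taken from these commits. `struct demo_addr`, `STALE`, the sample field values and all function names are constructed for illustration, and `copy_out()` stands in for `copy_to_user()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed struct (not a kernel definition): 2 + 6 + 1 = 9 bytes of
 * fields; uint16_t alignment rounds sizeof up to 10, leaving one trailing
 * padding byte, the situation the commit messages describe. */
struct demo_addr {
    uint16_t family;
    uint8_t  addr[6];
    uint8_t  channel;
};

#define STALE 0xA5 /* stands in for whatever the stack slot held before */

/* Write only the named fields, at their offsets. Byte-wise memcpy keeps the
 * demo fully defined; member-by-member assignment does not initialise the
 * padding bytes either. */
static void fill_fields(unsigned char *slot)
{
    const uint16_t family = 31;                      /* constructed values */
    const uint8_t addr[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    const uint8_t channel = 3;

    memcpy(slot + offsetof(struct demo_addr, family), &family, sizeof family);
    memcpy(slot + offsetof(struct demo_addr, addr), addr, sizeof addr);
    memcpy(slot + offsetof(struct demo_addr, channel), &channel, sizeof channel);
}

/* Stand-in for copy_to_user(): the whole object representation goes out. */
static void copy_out(unsigned char *user, const unsigned char *kern, size_t len)
{
    memcpy(user, kern, len);
}

/* Pre-fix pattern: fields set one by one, then sizeof(struct) bytes copied. */
void getname_leaky(unsigned char *user)
{
    unsigned char slot[sizeof(struct demo_addr)];

    memset(slot, STALE, sizeof slot);   /* simulate a reused stack slot */
    fill_fields(slot);
    copy_out(user, slot, sizeof slot);
}

/* Fixed pattern from the commit messages: zero the whole structure first. */
void getname_fixed(unsigned char *user)
{
    unsigned char slot[sizeof(struct demo_addr)];

    memset(slot, STALE, sizeof slot);   /* same stale starting state */
    memset(slot, 0, sizeof slot);       /* the added memset(0) */
    fill_fields(slot);
    copy_out(user, slot, sizeof slot);
}

/* Count bytes of the copied-out buffer that lie outside every field and
 * still carry non-zero (stale) data. */
size_t count_stale(const unsigned char *user)
{
    unsigned char is_field[sizeof(struct demo_addr)] = { 0 };
    size_t i, n = 0;

    memset(is_field + offsetof(struct demo_addr, family), 1, sizeof(uint16_t));
    memset(is_field + offsetof(struct demo_addr, addr), 1, 6);
    memset(is_field + offsetof(struct demo_addr, channel), 1, 1);
    for (i = 0; i < sizeof(struct demo_addr); i++)
        if (!is_field[i] && user[i] != 0)
            n++;
    return n;
}

int main(void)
{
    unsigned char user[sizeof(struct demo_addr)];

    getname_leaky(user);
    printf("leaky: %zu stale padding byte(s) copied out\n", count_stale(user));
    getname_fixed(user);
    printf("fixed: %zu stale padding byte(s) copied out\n", count_stale(user));
    return 0;
}
```

The same audit applies to interior padding and to fields that are simply never assigned: any byte inside `sizeof(struct)` that no store touches goes out with its previous contents.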
12 years ago vmxnet3: Fix race between dev_open() and register_netdev()
Steve Hodgson [Tue, 14 Aug 2012 16:13:36 +0000 (17:13 +0100)]
vmxnet3: Fix race between dev_open() and register_netdev()

dev_open() can complete before register_netdev() returns.
Fix vmxnet3_probe_device() to support this.

Signed-off-by: Steve Hodgson <steve@purestorage.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago bridge: fix rcu dereference outside of rcu_read_lock
Stephen Hemminger [Tue, 14 Aug 2012 15:19:33 +0000 (08:19 -0700)]
bridge: fix rcu dereference outside of rcu_read_lock

Alternative solution for problem found by Linux Driver Verification
project (linuxtesting.org).

As noted in the comment before the br_handle_frame_finish
function, this function should be called under rcu_read_lock.

The problem callgraph:
br_dev_xmit -> br_nf_pre_routing_finish_bridge_slow ->
 -> br_handle_frame_finish -> br_port_get_rcu -> rcu_dereference

And in this case there is no read-lock section.

Reported-by: Denis Efremov <yefremov.denis@gmail.com>
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville...
David S. Miller [Wed, 15 Aug 2012 00:03:22 +0000 (17:03 -0700)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless

John W. Linville says:

====================
Alexey Khoroshilov provides a potential memory leak in rndis_wlan.

Bob Copeland gives us an ath5k fix for a lockdep problem.

Dan Carpenter fixes a signedness mismatch in at76c50x.

Felix Fietkau corrects a regression caused by an earlier commit that can
lead to an IRQ storm.

Lorenzo Bianconi offers a fix for a bad variable initialization in ath9k
that can cause it to improperly mark decrypted frames.

Rajkumar Manoharan fixes ath9k to prevent the btcoex time from running
when the hardware is asleep.

The remainder are Bluetooth fixes, about which Gustavo says:

"Here go some fixes for 3.6-rc1, there are a few fixes to
the inquiry code by Ram Malovany, support for 2 new devices,
and a few other fixes for NULL dereference, possible deadlock
and a memory leak."
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side lock
Ben Hutchings [Tue, 14 Aug 2012 08:54:51 +0000 (08:54 +0000)]
ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side lock

Cong Wang reports that lockdep detected suspicious RCU usage while
enabling IPV6 forwarding:

 [ 1123.310275] ===============================
 [ 1123.442202] [ INFO: suspicious RCU usage. ]
 [ 1123.558207] 3.6.0-rc1+ #109 Not tainted
 [ 1123.665204] -------------------------------
 [ 1123.768254] include/linux/rcupdate.h:430 Illegal context switch in RCU read-side critical section!
 [ 1123.992320]
 [ 1123.992320] other info that might help us debug this:
 [ 1123.992320]
 [ 1124.307382]
 [ 1124.307382] rcu_scheduler_active = 1, debug_locks = 0
 [ 1124.522220] 2 locks held by sysctl/5710:
 [ 1124.648364]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81768498>] rtnl_trylock+0x15/0x17
 [ 1124.882211]  #1:  (rcu_read_lock){.+.+.+}, at: [<ffffffff81871df8>] rcu_lock_acquire+0x0/0x29
 [ 1125.085209]
 [ 1125.085209] stack backtrace:
 [ 1125.332213] Pid: 5710, comm: sysctl Not tainted 3.6.0-rc1+ #109
 [ 1125.441291] Call Trace:
 [ 1125.545281]  [<ffffffff8109d915>] lockdep_rcu_suspicious+0x109/0x112
 [ 1125.667212]  [<ffffffff8107c240>] rcu_preempt_sleep_check+0x45/0x47
 [ 1125.781838]  [<ffffffff8107c260>] __might_sleep+0x1e/0x19b
[...]
 [ 1127.445223]  [<ffffffff81757ac5>] call_netdevice_notifiers+0x4a/0x4f
[...]
 [ 1127.772188]  [<ffffffff8175e125>] dev_disable_lro+0x32/0x6b
 [ 1127.885174]  [<ffffffff81872d26>] dev_forward_change+0x30/0xcb
 [ 1128.013214]  [<ffffffff818738c4>] addrconf_forward_change+0x85/0xc5
[...]

addrconf_forward_change() uses RCU iteration over the netdev list,
which is unnecessary since it already holds the RTNL lock.  We also
cannot reasonably require netdevice notifier functions not to sleep.

Reported-by: Cong Wang <amwang@redhat.com>
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago drivers/net/ethernet/mellanox/mlx4/mcg.c: fix error return code
Julia Lawall [Tue, 14 Aug 2012 02:58:34 +0000 (02:58 +0000)]
drivers/net/ethernet/mellanox/mlx4/mcg.c: fix error return code

Convert a 0 error return code to a negative one, as returned elsewhere in the
function.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
identifier ret;
expression e,e1,e2,e3,e4,x;
@@

(
if (\(ret != 0\|ret < 0\) || ...) { ... return ...; }
|
ret = 0
)
... when != ret = e1
*x = \(kmalloc\|kzalloc\|kcalloc\|devm_kzalloc\|ioremap\|ioremap_nocache\|devm_ioremap\|devm_ioremap_nocache\)(...);
... when != x = e2
    when != ret = e3
*if (x == NULL || ...)
{
  ... when != ret = e4
*  return ret;
}
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago drivers/net/ethernet/freescale/fs_enet: fix error return code
Julia Lawall [Tue, 14 Aug 2012 02:58:33 +0000 (02:58 +0000)]
drivers/net/ethernet/freescale/fs_enet: fix error return code

Convert a 0 error return code to a negative one, as returned elsewhere in the
function.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
identifier ret;
expression e,e1,e2,e3,e4,x;
@@

(
if (\(ret != 0\|ret < 0\) || ...) { ... return ...; }
|
ret = 0
)
... when != ret = e1
*x = \(kmalloc\|kzalloc\|kcalloc\|devm_kzalloc\|ioremap\|ioremap_nocache\|devm_ioremap\|devm_ioremap_nocache\)(...);
... when != x = e2
    when != ret = e3
*if (x == NULL || ...)
{
  ... when != ret = e4
*  return ret;
}
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago drivers/net/ethernet/ti/davinci_cpdma.c: Remove potential NULL dereference
Julia Lawall [Tue, 14 Aug 2012 05:49:47 +0000 (05:49 +0000)]
drivers/net/ethernet/ti/davinci_cpdma.c: Remove potential NULL dereference

If the NULL test is necessary, the initialization involving a dereference of
the tested value should be moved after the NULL test.

The semantic patch that fixes this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
type T;
expression E;
identifier i,fld;
statement S;
@@

- T i = E->fld;
+ T i;
  ... when != E
      when != i
  if (E == NULL) S
+ i = E->fld;
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago llc: Fix races between llc2 handler use and (un)registration
Ben Hutchings [Mon, 13 Aug 2012 02:50:55 +0000 (02:50 +0000)]
llc: Fix races between llc2 handler use and (un)registration

When registering the handlers, any state they rely on must be
completely initialised first.  When unregistering, we must wait until
they are definitely no longer running.  llc_rcv() must also avoid
reading the handler pointers again after checking for NULL.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago llc2: Call llc_station_exit() on llc2_init() failure path
Ben Hutchings [Mon, 13 Aug 2012 02:50:43 +0000 (02:50 +0000)]
llc2: Call llc_station_exit() on llc2_init() failure path

Otherwise the station packet handler will remain registered even though
the module is unloaded.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago llc2: Fix silent failure of llc_station_init()
Ben Hutchings [Mon, 13 Aug 2012 02:49:59 +0000 (02:49 +0000)]
llc2: Fix silent failure of llc_station_init()

llc_station_init() creates and processes an event skb with no effect
other than to change the state from DOWN to UP.  Allocation failure is
reported, but then ignored by its caller, llc2_init().  Remove this
possibility by simply initialising the state as UP.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: ipv6: proc: Fix error handling
Igor Maravic [Sun, 12 Aug 2012 22:31:58 +0000 (22:31 +0000)]
net: ipv6: proc: Fix error handling

Fix error handling in case making of dir dev_snmp6 fails

Signed-off-by: Igor Maravic <igorm@etf.rs>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago ipv4: Cache local output routes
Yan, Zheng [Sun, 12 Aug 2012 20:09:59 +0000 (20:09 +0000)]
ipv4: Cache local output routes

Commit caacf05e5ad1abf causes a big drop in UDP loopback performance.
The cause of the regression is that we do not cache the local output
routes. Each time we send a datagram from unconnected UDP socket,
the kernel allocates a dst_entry and adds it to the rt_uncached_list.
It creates lock contention on the rt_uncached_lock.

Reported-by: Alex Shi <alex.shi@intel.com>
Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: sierra_net: replace whitelist with ifnumber match
Bjørn Mork [Sun, 12 Aug 2012 09:53:38 +0000 (09:53 +0000)]
net: sierra_net: replace whitelist with ifnumber match

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: qmi_wwan: compress device_id list using macros
Bjørn Mork [Sun, 12 Aug 2012 09:16:32 +0000 (09:16 +0000)]
net: qmi_wwan: compress device_id list using macros

Take advantage of the matching macros to make the device id
list easier to read and maintain.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: qmi_wwan: add Sierra Wireless devices
Bjørn Mork [Sun, 12 Aug 2012 09:16:31 +0000 (09:16 +0000)]
net: qmi_wwan: add Sierra Wireless devices

Add 6 new devices and one modified device, based on
information from laptop vendor Windows drivers.

Sony provides a driver with two new devices using
a Gobi 2k+ layout (1199:68a5 and 1199:68a9).  The
Sony driver also adds a non-standard QMI/net
interface to the already supported 1199:9011
Gobi device. We do not know whether this is an
alternate interface number or an additional
interface which might be present, but that doesn't
really matter.

Lenovo provides a driver supporting 4 new devices:
 - MC7770 (1199:901b) with standard Gobi 2k+ layout
 - MC7700 (0f3d:68a2) with layout similar to MC7710
 - MC7750 (114f:68a2) with layout similar to MC7710
 - EM7700 (1199:901c) with layout similar to MC7710

Note regarding the three devices similar to MC7710:

The Windows drivers only support interface #8 on these
devices.  The MC7710 can support QMI/net functions on
interface #19 and #20 as well, and this driver is
verified to work on interface #19 (a firmware bug is
suspected to prevent #20 from working).

We do not enable these additional interfaces until they
either show up in a Windows driver or are verified to
work in some other way.  Therefore limiting the new
devices to interface #8 for now.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago net: qmi_wwan: use fixed interface number matching
Bjørn Mork [Sun, 12 Aug 2012 09:16:30 +0000 (09:16 +0000)]
net: qmi_wwan: use fixed interface number matching

This driver supports many composite USB devices where the
interface class/subclass/protocol provides no information
about the interface function. Interfaces with different
functions may all use ff/ff/ff, like this example of
a device with three serial interfaces and three QMI/wwan
interfaces:

T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=116 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1199 ProdID=68a2 Rev= 0.06
S:  Manufacturer=Sierra Wireless, Incorporated
S:  Product=MC7710
S:  SerialNumber=3581780xxxxxx
C:* #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=qcserial
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=qcserial
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qcserial
E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#=19 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#=20 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms

Instead of class/subclass/protocol the vendor uses fixed
interface numbers for each function, and the Windows
drivers use these numbers to match driver and function.

The driver has had its own interface number whitelisting
code to simulate this functionality.  Replace this with
generic interface number matching now that the USB subsystem
support is there. This
 - removes the need for a driver_info structure per
   interface number,
 - avoids running the probe function for unsupported
   interfaces, and
 - simplifies the code.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netconsole.txt: revision of examples for the receiver of kernel messages
Dirk Gouders [Fri, 10 Aug 2012 01:24:51 +0000 (01:24 +0000)]
netconsole.txt: revision of examples for the receiver of kernel messages

There are at least 4 implementations of netcat with the BSD-based
being the only one that has to be used without the -p switch to
specify the listening port.

Jan Engelhardt suggested to add an example for socat(1).

Signed-off-by: Dirk Gouders <gouders@et.bocholt.fh-gelsenkirchen.de>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: re-enable irq in poll_napi()
Amerigo Wang [Fri, 10 Aug 2012 01:24:50 +0000 (01:24 +0000)]
netpoll: re-enable irq in poll_napi()

napi->poll() needs IRQ enabled, so we have to re-enable IRQ before
calling it.

Cc: David Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: handle vlan tags in netpoll tx and rx path
Amerigo Wang [Fri, 10 Aug 2012 01:24:49 +0000 (01:24 +0000)]
netpoll: handle vlan tags in netpoll tx and rx path

Without this patch, I can't get netconsole logs remotely over
vlan. The reason is probably we don't handle vlan tags in either
netpoll tx or rx path.

I am not sure if I use these vlan functions correctly, at
least this patch works.

Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago vlan: clean up vlan_dev_hard_start_xmit()
Amerigo Wang [Fri, 10 Aug 2012 01:24:48 +0000 (01:24 +0000)]
vlan: clean up vlan_dev_hard_start_xmit()

Clean up vlan_dev_hard_start_xmit() function.

Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago vlan: clean up some variable names
Amerigo Wang [Fri, 10 Aug 2012 01:24:47 +0000 (01:24 +0000)]
vlan: clean up some variable names

To be consistent, s/info/vlan/.

Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: convert several functions to bool
Amerigo Wang [Fri, 10 Aug 2012 01:24:46 +0000 (01:24 +0000)]
netpoll: convert several functions to bool

These functions are just boolean, let them return
bool instead of int.

Cc: David Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: check netpoll tx status on the right device
Amerigo Wang [Fri, 10 Aug 2012 01:24:45 +0000 (01:24 +0000)]
netpoll: check netpoll tx status on the right device

Although this doesn't matter actually, because netpoll_tx_running()
doesn't use the parameter, the code will be more readable.

For team_dev_queue_xmit() we have to move it down to avoid
compile errors.

Cc: David Miller <davem@davemloft.net>
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago bridge: use list_for_each_entry() in netpoll functions
Amerigo Wang [Fri, 10 Aug 2012 01:24:44 +0000 (01:24 +0000)]
bridge: use list_for_each_entry() in netpoll functions

We don't delete 'p' from the list in the loop,
so we can just use list_for_each_entry().

Cc: David Miller <davem@davemloft.net>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago bridge: add some comments for NETDEV_RELEASE
Amerigo Wang [Fri, 10 Aug 2012 01:24:43 +0000 (01:24 +0000)]
bridge: add some comments for NETDEV_RELEASE

Add comments on why we don't notify NETDEV_RELEASE.

Cc: David Miller <davem@davemloft.net>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: take rcu_read_lock_bh() in netpoll_send_skb_on_dev()
Amerigo Wang [Fri, 10 Aug 2012 01:24:42 +0000 (01:24 +0000)]
netpoll: take rcu_read_lock_bh() in netpoll_send_skb_on_dev()

This patch fixes several problems in the call path of
netpoll_send_skb_on_dev():

1. Disable IRQ's before calling netpoll_send_skb_on_dev().

2. All the callees of netpoll_send_skb_on_dev() should use
   rcu_dereference_bh() to dereference ->npinfo.

3. Rename arp_reply() to netpoll_arp_reply(), the former is too generic.

Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: use netpoll_rx_on() in netpoll_rx()
Amerigo Wang [Fri, 10 Aug 2012 01:24:41 +0000 (01:24 +0000)]
netpoll: use netpoll_rx_on() in netpoll_rx()

The logic of the code is same, just call netpoll_rx_on().

Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: take rcu_read_lock_bh() in netpoll_rx()
Amerigo Wang [Fri, 10 Aug 2012 01:24:40 +0000 (01:24 +0000)]
netpoll: take rcu_read_lock_bh() in netpoll_rx()

In __netpoll_rx(), it dereferences ->npinfo without rcu_dereference_bh(),
this patch fixes it by using the 'npinfo' passed from netpoll_rx()
where it is already dereferenced with rcu_dereference_bh().

Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netconsole: do not release spin_lock when calling __netpoll_cleanup
Amerigo Wang [Fri, 10 Aug 2012 01:24:39 +0000 (01:24 +0000)]
netconsole: do not release spin_lock when calling __netpoll_cleanup

With the previous patch applied, __netpoll_cleanup() is non-block now,
so we don't need to release the spin_lock before calling it.

Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: make __netpoll_cleanup non-block
Amerigo Wang [Fri, 10 Aug 2012 01:24:38 +0000 (01:24 +0000)]
netpoll: make __netpoll_cleanup non-block

Like the previous patch, slave_disable_netpoll() and __netpoll_cleanup()
may be called with read_lock() held too, so we should make them
non-block, by moving the cleanup and kfree() to call_rcu_bh() callbacks.

Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago netpoll: use GFP_ATOMIC in slave_enable_netpoll() and __netpoll_setup()
Amerigo Wang [Fri, 10 Aug 2012 01:24:37 +0000 (01:24 +0000)]
netpoll: use GFP_ATOMIC in slave_enable_netpoll() and __netpoll_setup()

slave_enable_netpoll() and __netpoll_setup() may be called
with read_lock() held, so should use GFP_ATOMIC to allocate
memory. Eric suggested to pass gfp flags to __netpoll_setup().

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years ago Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
John W. Linville [Tue, 14 Aug 2012 18:42:54 +0000 (14:42 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem

12 years ago netfilter: ctnetlink: fix missing locking while changing conntrack from nfqueue
Pablo Neira Ayuso [Tue, 14 Aug 2012 10:47:37 +0000 (12:47 +0200)]
netfilter: ctnetlink: fix missing locking while changing conntrack from nfqueue

Since 9cb017665 netfilter: add glue code to integrate nfnetlink_queue and
ctnetlink, we can modify the conntrack entry via nfnl_queue. However, the
change of the conntrack entry via nfnetlink_queue requires appropriate
locking to avoid concurrent updates.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years ago Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Linus Torvalds [Tue, 14 Aug 2012 04:58:59 +0000 (07:58 +0300)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux

Pull s390 patches from Martin Schwidefsky:
 "Included are bug fixes and a patch to enable system call filtering
  with BPF."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/compat: fix mmap compat system calls
  s390/compat: fix compat wrappers for process_vm system calls
  s390: do not clobber personality flags in sys_32_personality()
  s390/seccomp: add support for system call filtering using BPF
  s390/sclp_sdias: Add missing break and "fall through"
  s390/mm: remove MAX_PHYSADDR_BITS define

12 years ago Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Tue, 14 Aug 2012 04:52:41 +0000 (07:52 +0300)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "Radeon and intel fixes mostly, one fix to the mgag200 driver to not
  hang on certain server variants."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (32 commits)
  drm/radeon: fix typo in function header comment
  drm/radeon/kms: implement timestamp userspace query (v2)
  drm/radeon/kms: add MSAA texture support for r600-evergreen
  drm/radeon/kms: reorder code in r600_check_texture_resource
  drm/radeon: fence virtual address and free it once idle v4
  drm/radeon: fix some missing parens in asic macros
  drm/radeon: add some new SI pci ids
  drm/radeon: fix ordering in pll picking on dce4+
  drm/radeon: do not reenable crtc after moving vram start address
  drm/radeon: fix bank tiling parameters on cayman
  drm/radeon: fix bank tiling parameters on evergreen
  drm/radeon: fix bank tiling parameters on SI
  drm/radeon: properly handle crtc powergating
  drm/radeon: properly handle SS overrides on TN (v2)
  drm/radeon/dce4+: set a more reasonable cursor watermark
  drm/radeon: fix handling for ddc type 5 on combios
  drm/mgag200: fix G200ER pll picking algorithm
  drm/edid: Fix potential memory leak in edid_load()
  drm/udl: Use ERR_CAST inlined function instead of ERR_PTR(PTR_ERR(.. [1]
  drm/radeon/kms: allow "invalid" DB formats as a means to disable DB
  ...

12 years ago GPIO: gpio-pxa: fix building without CONFIG_OF
Arnd Bergmann [Mon, 13 Aug 2012 14:36:10 +0000 (14:36 +0000)]
GPIO: gpio-pxa: fix building without CONFIG_OF

Commit 7212157267 ("GPIO: gpio-pxa: fix devicetree functions") added an
"xlate" function pointer to the irq_domain_ops, but this function is not
declared or defined anywhere when CONFIG_OF is disabled, causing the
build error:

  drivers/gpio/gpio-pxa.c:532:11: error: 'irq_domain_xlate_twocell' undeclared here (not in a function)

Extending the DT-only code section to cover the irq_domain_ops and the
pxa_gpio_dt_ids solves this problem and makes it clearer which code is
actually used without DT.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years ago Merge branch 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux into drm...
Dave Airlie [Mon, 13 Aug 2012 23:25:01 +0000 (09:25 +1000)]
Merge branch 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux into drm-fixes

Alex Deucher writes:
This is the current set of radeon fixes for 3.6.  Nothing too major.

Highlights:
- various display fixes
- some SI fixes
- new SI pci ids
- major VM fix
- CS checker support for MSAA

I've tested on a number of cards across generations and noticed no problems.

* 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: fix typo in function header comment
  drm/radeon/kms: implement timestamp userspace query (v2)
  drm/radeon/kms: add MSAA texture support for r600-evergreen
  drm/radeon/kms: reorder code in r600_check_texture_resource
  drm/radeon: fence virtual address and free it once idle v4
  drm/radeon: fix some missing parens in asic macros
  drm/radeon: add some new SI pci ids
  drm/radeon: fix ordering in pll picking on dce4+
  drm/radeon: do not reenable crtc after moving vram start address
  drm/radeon: fix bank tiling parameters on cayman
  drm/radeon: fix bank tiling parameters on evergreen
  drm/radeon: fix bank tiling parameters on SI
  drm/radeon: properly handle crtc powergating
  drm/radeon: properly handle SS overrides on TN (v2)
  drm/radeon/dce4+: set a more reasonable cursor watermark
  drm/radeon: fix handling for ddc type 5 on combios

12 years ago ath5k: fix spin_lock_irqsave/spin_lock_bh nesting in mesh
Bob Copeland [Mon, 13 Aug 2012 01:18:33 +0000 (21:18 -0400)]
ath5k: fix spin_lock_irqsave/spin_lock_bh nesting in mesh

Lockdep found an inconsistent lock state when joining a mesh with
ath5k.  The problem is that ath5k takes the lock for its beacon state,
ah->block, with spin_lock_irqsave(), while mesh internally takes the
sync_offset_lock with spin_lock_bh() in mesh_sync_offset_adjust_tbtt(),
which in turn is called under ah->block.

This could deadlock if the beacon tasklet was run on the processor
that held the beacon lock during the do_softirq() in spin_unlock_bh().

We probably shouldn't hold the lock around the callbacks, but the
easiest fix is to switch to spin_lock_bh for ah->block: it doesn't
need interrupts disabled anyway as the data in question is only accessed
in softirq or process context.

Fixes the following lockdep warning:

[  446.892304] WARNING: at kernel/softirq.c:159 _local_bh_enable_ip+0x38/0xa6()
[  446.892306] Hardware name: MacBook1,1
[  446.892309] Modules linked in: tcp_lp fuse sunrpc cpufreq_ondemand acpi_cpufreq mperf ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 ip6table_filter nf_defrag_ipv4 xt_state nf_conntrack ip6_tables ext2 arc4 btusb bluetooth snd_hda_codec_idt snd_hda_intel carl9170 snd_hda_codec coretemp joydev ath5k snd_hwdep snd_seq isight_firmware ath snd_seq_device snd_pcm applesmc appletouch mac80211 input_polldev snd_timer microcode cfg80211 snd lpc_ich pcspkr i2c_i801 mfd_core soundcore rfkill snd_page_alloc sky2 tpm_infineon virtio_net kvm_intel kvm i915 drm_kms_helper drm i2c_algo_bit i2c_core video
[  446.892385] Pid: 1892, comm: iw Not tainted 3.6.0-rc1-wl+ #296
[  446.892387] Call Trace:
[  446.892394]  [<c0432958>] warn_slowpath_common+0x7c/0x91
[  446.892398]  [<c04399d7>] ? _local_bh_enable_ip+0x38/0xa6
[  446.892403]  [<c04399d7>] ? _local_bh_enable_ip+0x38/0xa6
[  446.892459]  [<f7f9ae3b>] ? mesh_sync_offset_adjust_tbtt+0x95/0x99 [mac80211]
[  446.892464]  [<c043298f>] warn_slowpath_null+0x22/0x24
[  446.892468]  [<c04399d7>] _local_bh_enable_ip+0x38/0xa6
[  446.892473]  [<c0439a52>] local_bh_enable_ip+0xd/0xf
[  446.892479]  [<c088004f>] _raw_spin_unlock_bh+0x34/0x37
[  446.892527]  [<f7f9ae3b>] mesh_sync_offset_adjust_tbtt+0x95/0x99 [mac80211]
[  446.892569]  [<f7f7650f>] ieee80211_beacon_get_tim+0x28f/0x4e0 [mac80211]
[  446.892575]  [<c047ceeb>] ? trace_hardirqs_on_caller+0x10e/0x13f
[  446.892591]  [<f7fdc541>] ath5k_beacon_update+0x40/0x26b [ath5k]
[  446.892597]  [<c047ad67>] ? lock_acquired+0x1f5/0x21e
[  446.892612]  [<f7fdf9fb>] ? ath5k_bss_info_changed+0x167/0x1b2 [ath5k]
[  446.892617]  [<c087f9ea>] ? _raw_spin_lock_irqsave+0x78/0x82
[  446.892632]  [<f7fdf9fb>] ? ath5k_bss_info_changed+0x167/0x1b2 [ath5k]
[  446.892647]  [<f7fdfa09>] ath5k_bss_info_changed+0x175/0x1b2 [ath5k]
[  446.892651]  [<c0479dd4>] ? lock_is_held+0x73/0x7b
[  446.892662]  [<c0458fd5>] ? __might_sleep+0xa7/0x17a
[  446.892698]  [<f7f5d8f7>] ieee80211_bss_info_change_notify+0x1ed/0x21a [mac80211]
[  446.892703]  [<c0449875>] ? queue_work+0x24/0x32
[  446.892718]  [<f7fdf894>] ? ath5k_configure_filter+0x163/0x163 [ath5k]
[  446.892766]  [<f7f95fa4>] ieee80211_start_mesh+0xb9/0xbd [mac80211]
[  446.892806]  [<f7f6e610>] ieee80211_join_mesh+0x10c/0x116 [mac80211]
[  446.892834]  [<f7a96b90>] __cfg80211_join_mesh+0x176/0x1b3 [cfg80211]
[  446.892855]  [<f7a96c1c>] cfg80211_join_mesh+0x4f/0x6a [cfg80211]
[  446.892875]  [<f7a89891>] nl80211_join_mesh+0x1de/0x1ed [cfg80211]
[  446.892908]  [<f7a8db99>] ? nl80211_set_wiphy+0x4cf/0x4cf [cfg80211]
[  446.892919]  [<c07cfa36>] genl_rcv_msg+0x1d5/0x1f3
[  446.892940]  [<c07cf861>] ? genl_rcv+0x25/0x25
[  446.892946]  [<c07cf009>] netlink_rcv_skb+0x37/0x78
[  446.892950]  [<c07cf85a>] genl_rcv+0x1e/0x25
[  446.892955]  [<c07cebf3>] netlink_unicast+0xc3/0x12d
[  446.892959]  [<c07cee46>] netlink_sendmsg+0x1e9/0x213
[  446.892966]  [<c079f282>] sock_sendmsg+0x79/0x96
[  446.892972]  [<c04eb90d>] ? might_fault+0x9d/0xa3
[  446.892978]  [<c07a81d8>] ? copy_from_user+0x8/0xa
[  446.892983]  [<c07a852c>] ? verify_iovec+0x43/0x77
[  446.892987]  [<c079f4d8>] __sys_sendmsg+0x180/0x215
[  446.892993]  [<c045f107>] ? sched_clock_cpu+0x134/0x144
[  446.892997]  [<c047992f>] ? trace_hardirqs_off+0xb/0xd
[  446.893002]  [<c047bf88>] ? __lock_acquire+0x46b/0xb6e
[  446.893006]  [<c047992f>] ? trace_hardirqs_off+0xb/0xd
[  446.893010]  [<c045f149>] ? local_clock+0x32/0x49
[  446.893015]  [<c0479ec1>] ? lock_release_holdtime.part.9+0x4b/0x51
[  446.893020]  [<c0479dd4>] ? lock_is_held+0x73/0x7b
[  446.893025]  [<c050d127>] ? fcheck_files+0x97/0xcd
[  446.893029]  [<c050d4df>] ? fget_light+0x2d/0x81
[  446.893034]  [<c07a01f3>] sys_sendmsg+0x3b/0x52
[  446.893038]  [<c07a07b4>] sys_socketcall+0x238/0x2a2
[  446.893044]  [<c0885edf>] sysenter_do_call+0x12/0x38
[  446.893047] ---[ end trace a9af5998f929270f ]---
[  447.627222]
[  447.627232] =================================
[  447.627237] [ INFO: inconsistent lock state ]
[  447.627244] 3.6.0-rc1-wl+ #296 Tainted: G        W
[  447.627248] ---------------------------------
[  447.627253] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[  447.627260] swapper/0/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
[  447.627264]  (&(&ah->block)->rlock){+.?...}, at: [<f7fdd2d1>] ath5k_tasklet_beacon+0x91/0xa7 [ath5k]
[  447.627299] {SOFTIRQ-ON-W} state was registered at:
[  447.627304]   [<c047cdbf>] mark_held_locks+0x59/0x77
[  447.627316]   [<c047ceeb>] trace_hardirqs_on_caller+0x10e/0x13f
[  447.627324]   [<c047cf27>] trace_hardirqs_on+0xb/0xd
[  447.627332]   [<c0439a3d>] _local_bh_enable_ip+0x9e/0xa6
[  447.627342]   [<c0439a52>] local_bh_enable_ip+0xd/0xf
[  447.627349]   [<c088004f>] _raw_spin_unlock_bh+0x34/0x37
[  447.627359]   [<f7f9ae3b>] mesh_sync_offset_adjust_tbtt+0x95/0x99 [mac80211]
[  447.627451]   [<f7f7650f>] ieee80211_beacon_get_tim+0x28f/0x4e0 [mac80211]
[  447.627526]   [<f7fdc541>] ath5k_beacon_update+0x40/0x26b [ath5k]
[  447.627547]   [<f7fdfa09>] ath5k_bss_info_changed+0x175/0x1b2 [ath5k]
[  447.627569]   [<f7f5d8f7>] ieee80211_bss_info_change_notify+0x1ed/0x21a [mac80211]
[  447.627628]   [<f7f95fa4>] ieee80211_start_mesh+0xb9/0xbd [mac80211]
[  447.627712]   [<f7f6e610>] ieee80211_join_mesh+0x10c/0x116 [mac80211]
[  447.627782]   [<f7a96b90>] __cfg80211_join_mesh+0x176/0x1b3 [cfg80211]
[  447.627816]   [<f7a96c1c>] cfg80211_join_mesh+0x4f/0x6a [cfg80211]
[  447.627845]   [<f7a89891>] nl80211_join_mesh+0x1de/0x1ed [cfg80211]
[  447.627872]   [<c07cfa36>] genl_rcv_msg+0x1d5/0x1f3
[  447.627881]   [<c07cf009>] netlink_rcv_skb+0x37/0x78
[  447.627891]   [<c07cf85a>] genl_rcv+0x1e/0x25
[  447.627898]   [<c07cebf3>] netlink_unicast+0xc3/0x12d
[  447.627907]   [<c07cee46>] netlink_sendmsg+0x1e9/0x213
[  447.627915]   [<c079f282>] sock_sendmsg+0x79/0x96
[  447.627926]   [<c079f4d8>] __sys_sendmsg+0x180/0x215
[  447.627934]   [<c07a01f3>] sys_sendmsg+0x3b/0x52
[  447.627941]   [<c07a07b4>] sys_socketcall+0x238/0x2a2
[  447.627949]   [<c0885edf>] sysenter_do_call+0x12/0x38
[  447.627959] irq event stamp: 1929200
[  447.627963] hardirqs last  enabled at (1929200): [<c043a0e9>] tasklet_hi_action+0x3e/0xbf
[  447.627972] hardirqs last disabled at (1929199): [<c043a0c0>] tasklet_hi_action+0x15/0xbf
[  447.627981] softirqs last  enabled at (1929196): [<c043999d>] _local_bh_enable+0x12/0x14
[  447.627989] softirqs last disabled at (1929197): [<c040443b>] do_softirq+0x63/0xb8
[  447.627999]
[  447.627999] other info that might help us debug this:
[  447.628004]  Possible unsafe locking scenario:
[  447.628004]
[  447.628009]        CPU0
[  447.628012]        ----
[  447.628016]   lock(&(&ah->block)->rlock);
[  447.628023]   <Interrupt>
[  447.628027]     lock(&(&ah->block)->rlock);
[  447.628034]
[  447.628034]  *** DEADLOCK ***

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
12 years ago ath9k: fix decrypt_error initialization in ath_rx_tasklet()
Lorenzo Bianconi [Fri, 10 Aug 2012 09:00:24 +0000 (11:00 +0200)]
ath9k: fix decrypt_error initialization in ath_rx_tasklet()

ath_rx_tasklet() calls ath9k_rx_skb_preprocess() and ath9k_rx_skb_postprocess()
in a loop over the received frames. The decrypt_error flag is initialized to
false just outside the ath_rx_tasklet() loop. ath9k_rx_accept(), called by
ath9k_rx_skb_preprocess(), only sets decrypt_error to true and never to false.
Then ath_rx_tasklet() calls ath9k_rx_skb_postprocess() and passes
decrypt_error to it. So, after a decryption error, in
ath9k_rx_skb_postprocess(), we can have a leftover value from another
processed frame. In that case, the frame will not be marked with
RX_FLAG_DECRYPTED even if it is decrypted correctly.
When using CCMP encryption this issue can lead to a stuck connection because
of CCMP PN corruption and a waste of CPU time since mac80211 tries to decrypt
an already deciphered frame with ieee80211_aes_ccm_decrypt.
Fix the issue by initializing the decrypt_error flag at the beginning of the
ath_rx_tasklet() loop.

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
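
The stale-flag bug described in the ath9k commit message above, as an added user-space C model (not the driver's code and not the patch itself). The struct, the `model_` functions, `run_sample()` and the flag value are constructed stand-ins for the names used in the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MODEL_RX_FLAG_DECRYPTED 0x1u /* constructed stand-in, not the mac80211 value */

struct model_frame {
    bool hw_decrypt_failed; /* constructed: decryption failed for this frame */
    unsigned int flags;     /* status flags handed up the stack */
};

/* As the message says of ath9k_rx_accept(): sets the flag to true, never to false. */
static void model_preprocess(const struct model_frame *f, bool *decrypt_error)
{
    if (f->hw_decrypt_failed)
        *decrypt_error = true;
}

static void model_postprocess(struct model_frame *f, bool decrypt_error)
{
    f->flags = decrypt_error ? 0 : MODEL_RX_FLAG_DECRYPTED;
}

/* per_frame_init=false models the loop before the fix, true the loop after it.
 * Returns how many correctly decrypted frames lost the decrypted flag. */
static size_t model_rx_loop(struct model_frame *fr, size_t n, bool per_frame_init)
{
    bool decrypt_error = false; /* initialised once, outside the loop */
    size_t mislabelled = 0;
    for (size_t i = 0; i < n; i++) {
        if (per_frame_init)
            decrypt_error = false; /* the fix: no leftover from the previous frame */
        model_preprocess(&fr[i], &decrypt_error);
        model_postprocess(&fr[i], decrypt_error);
        if (!fr[i].hw_decrypt_failed && !(fr[i].flags & MODEL_RX_FLAG_DECRYPTED))
            mislabelled++;
    }
    return mislabelled;
}

static size_t run_sample(bool per_frame_init)
{
    /* Constructed burst: only the second frame fails decryption. */
    struct model_frame fr[] = { {false, 0}, {true, 0}, {false, 0}, {false, 0} };
    return model_rx_loop(fr, sizeof(fr) / sizeof(fr[0]), per_frame_init);
}
int main(void)
{
    printf("before fix: %zu, after fix: %zu\n", run_sample(false), run_sample(true));
    return 0;
}
```

In the model, a single failed frame causes every later good frame in the same loop run to lose the flag. Those are the frames the message says mac80211 would then try to decrypt a second time.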
12 years ago drm/radeon: fix typo in function header comment
Dmitrii Cherkasov [Mon, 13 Aug 2012 14:53:29 +0000 (10:53 -0400)]
drm/radeon: fix typo in function header comment

Signed-off-by: Dmitrii Cherkasov <DCherkasov@luxsoft.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon/kms: implement timestamp userspace query (v2)
Marek Olšák [Thu, 9 Aug 2012 14:34:17 +0000 (16:34 +0200)]
drm/radeon/kms: implement timestamp userspace query (v2)

Returns a snapshot of the GPU clock counter.  Needed
for certain OpenGL extensions.

v2: agd5f
- address Jerome's comments
- add function documentation

Signed-off-by: Marek Olšák <maraeo@gmail.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon/kms: add MSAA texture support for r600-evergreen
Marek Olšák [Thu, 9 Aug 2012 14:34:16 +0000 (16:34 +0200)]
drm/radeon/kms: add MSAA texture support for r600-evergreen

Most of the checking seems to be in place already. As you can see,
log2(number of samples) resides in LAST_LEVEL.

This is required for MSAA support (namely for depth-stencil resolve and
blitting between MSAA resources).

Signed-off-by: Marek Olšák <maraeo@gmail.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon/kms: reorder code in r600_check_texture_resource
Marek Olšák [Thu, 9 Aug 2012 14:34:15 +0000 (16:34 +0200)]
drm/radeon/kms: reorder code in r600_check_texture_resource

Signed-off-by: Marek Olšák <maraeo@gmail.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon: fence virtual address and free it once idle v4
Jerome Glisse [Mon, 6 Aug 2012 16:32:21 +0000 (12:32 -0400)]
drm/radeon: fence virtual address and free it once idle v4

Virtual address needs to be fenced to know when we can safely remove it.
This patch also properly clears the pagetable. Previously it was
seriously broken.

Kernel 3.5/3.4 need a similar patch but adapted for difference in mutex locking.

v2: For to update pagetable when unbinding bo (don't bailout if
    bo_va->valid is true).
v3: Add kernel 3.5/3.4 comment.
v4: Fix compilation warnings.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon: fix some missing parens in asic macros
Alex Deucher [Fri, 3 Aug 2012 15:50:54 +0000 (11:50 -0400)]
drm/radeon: fix some missing parens in asic macros

Better safe than sorry.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
12 years ago drm/radeon: add some new SI pci ids
Alex Deucher [Mon, 6 Aug 2012 14:03:59 +0000 (10:03 -0400)]
drm/radeon: add some new SI pci ids

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
12 years ago drm/radeon: fix ordering in pll picking on dce4+
Alex Deucher [Mon, 6 Aug 2012 21:06:03 +0000 (17:06 -0400)]
drm/radeon: fix ordering in pll picking on dce4+

No functional change, but re-order the cases so they
evaluate properly due to the way the DCE macros work.

Noticed by kallisti5 on IRC.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon: do not reenable crtc after moving vram start address
Jerome Glisse [Fri, 27 Jul 2012 20:32:24 +0000 (16:32 -0400)]
drm/radeon: do not reenable crtc after moving vram start address

It seems we can not update the crtc scanout address. After disabling
crtc, updates to the base address do not take effect after the crtc is
reenabled, leading to at least a frame being scanned out from the old crtc
base address. Disabling crtc display request leads to the same behavior.

So after changing the vram address if we don't keep crtc disabled
we will have the GPU trying to read some random system memory address;
with some iommu this will break the crtc engine and will lead to
broken display and iommu error message.

So to avoid this, disable crtc. For flicker less boot we will need
to avoid moving the vram start address.

This patch should also fix :

https://bugs.freedesktop.org/show_bug.cgi?id=42373

Cc: <stable@vger.kernel.org>
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
12 years ago drm/radeon: fix bank tiling parameters on cayman
Alex Deucher [Tue, 31 Jul 2012 15:05:11 +0000 (11:05 -0400)]
drm/radeon: fix bank tiling parameters on cayman

Handle the 16 bank case.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
12 years ago drm/radeon: fix bank tiling parameters on evergreen
Alex Deucher [Tue, 31 Jul 2012 15:01:10 +0000 (11:01 -0400)]
drm/radeon: fix bank tiling parameters on evergreen

Handle the 16 bank case.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
12 years ago drm/radeon: fix bank tiling parameters on SI
Christian König [Tue, 31 Jul 2012 11:48:51 +0000 (13:48 +0200)]
drm/radeon: fix bank tiling parameters on SI

The sixteen bank case wasn't handled here, leading to GPU
crashes because of userspace miscalculation.

Signed-off-by: Christian König <deathsimple@vodafone.de>
Cc: stable@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon: properly handle crtc powergating
Alex Deucher [Thu, 26 Jul 2012 17:38:52 +0000 (13:38 -0400)]
drm/radeon: properly handle crtc powergating

Need to make sure the crtc is gated on before modesetting.
Explicitly gate the crtc on in prepare() and set a flag
so that the dpms functions don't gate it off during
mode set.

Noticed by sylware on IRC.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
12 years ago drm/radeon: properly handle SS overrides on TN (v2)
Alex Deucher [Wed, 25 Jul 2012 16:32:59 +0000 (12:32 -0400)]
drm/radeon: properly handle SS overrides on TN (v2)

The IntegratedSystemInfo table changed versions
on TN.  Update the SS override lookup to handle it.

v2: fix copy-paste typo.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon/dce4+: set a more reasonable cursor watermark
Alex Deucher [Tue, 10 Jul 2012 19:20:24 +0000 (15:20 -0400)]
drm/radeon/dce4+: set a more reasonable cursor watermark

Set a more reasonable default cursor watermark. The
recommended default value is 4.  This should reduce
urgency requests to the MC from the display hw.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago drm/radeon: fix handling for ddc type 5 on combios
Alex Deucher [Fri, 20 Jul 2012 00:11:44 +0000 (20:11 -0400)]
drm/radeon: fix handling for ddc type 5 on combios

When ddc type is 5, need to look up the i2c channel
in the i2c table.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
12 years ago Merge branch 'fixes-for-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/coolone...
Linus Torvalds [Mon, 13 Aug 2012 06:59:04 +0000 (09:59 +0300)]
Merge branch 'fixes-for-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds

Pull leds fixes/revert from Bryan Wu.

* 'fixes-for-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds:
  leds: renesas: fix error handling
  Revert "leds: use led_set_brightness in led_trigger_event"
  leds: lp8788: Fix updating scale configuration bits

12 years ago leds: renesas: fix error handling
Arnd Bergmann [Wed, 8 Aug 2012 21:27:58 +0000 (05:27 +0800)]
leds: renesas: fix error handling

bfe4c041 "leds: convert Renesas TPU LED driver to devm_kzalloc() and
cleanup error exit path" introduced a possible case in which r_tpu_probe
calls iounmap on a wild pointer. This changes the one case that was
missed in the same way as the other error paths.

Without this patch, building kota2_defconfig results in:

drivers/leds/leds-renesas-tpu.c: In function 'r_tpu_probe':
drivers/leds/leds-renesas-tpu.c:246:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
drivers/leds/leds-renesas-tpu.c:308:17: warning: 'p' may be used uninitialized in this function [-Wuninitialized]

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Magnus Damm <damm@opensource.se>
Signed-off-by: Bryan Wu <bryan.wu@canonical.com>
12 years ago Revert "leds: use led_set_brightness in led_trigger_event"
Fabio Baltieri [Mon, 13 Aug 2012 06:27:24 +0000 (14:27 +0800)]
Revert "leds: use led_set_brightness in led_trigger_event"

This reverts commit a0193cbee0809d65362a0767b2d50306b145b2f5.

The problem with the original commit was that it caused a warning with
the MMC trigger calling del_timer_sync from hard-irq context.

Signed-off-by: Fabio Baltieri <fabio.baltieri@gmail.com>
Reported-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Bryan Wu <bryan.wu@canonical.com>
12 years ago Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Mon, 13 Aug 2012 06:18:19 +0000 (09:18 +0300)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking changes from David Miller:
 "Most importantly this should cure the ipv4-mapped ipv6 socket TCP
  crashes some people were seeing, otherwise:

   1) Fix e1000e autonegotiation handling regression, from Tushar Dave.

   2) Fix TX data corruption race on e1000e down, also from Tushar Dave.

   3) Fix bfin_sir IRDA driver build, from Sonic Zhang.

   4) AF_PACKET mmap() tests a flag in the TX ring shared between
      userspace and the kernel for an internal consistency check.  It
      really shouldn't do this to validate the kernel's own behavior
      because the user can corrupt it to be any value at all.  From
      Daniel Borkmann.

   5) Fix TCP metrics leak on netns dismantle, from Eric Dumazet.

   6) Orphan the anonymous TCP socket from the SKB in
      ip_send_unicast_reply() so that the rest of the stack needn't see
      it.  Otherwise we get selinux problems of all sorts, from Eric
      Dumazet.

      This is the best way to fix this since the socket is just a place
      holder for sending packets in a context where we have no real
      socket at all.

   7) Fix TUN detach crashes, from Stanislav Kinsbursky.

   8) dev_set_alias() leaks memory on krealloc() failure, from Alexey
      Khoroshilov.

   9) FIB trie must use call_rcu() not call_rcu_bh(), because this code
      is not universally invoked from software interrupts.  From Eric
      Dumazet.

  10) PPTP looks up ipv4 routes with the wrong network namespace, fix
      from Gao Feng."

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits)
  bnx2x: Fix compiler warnings
  af_packet: remove BUG statement in tpacket_destruct_skb
  macvtap: rcu_dereference outside read-lock section
  codel: refine one condition to avoid a nul rec_inv_sqrt
  ixgbe: add missing braces
  ipv4: fix ip_send_skb()
  net: tcp: ipv6_mapped needs sk_rx_dst_set method
  ipv4: tcp: unicast_sock should not land outside of TCP stack
  bnx2x: Fix recovery flow cleanup during probe
  bnx2x: fix unload previous driver flow when flr-capable
  tun: don't zeroize sock->file on detach
  igb: Fix register defines for all non-82575 hardware
  e1000e: fix panic while dumping packets on Tx hang with IOMMU
  igb: fix panic while dumping packets on Tx hang with IOMMU
  tcp: must free metrics at net dismantle
  net/stmmac: mark probe function as __devinit
  lpc_eth: remove obsolete ifdefs
  net/core: Fix potential memory leak in dev_set_alias()
  cdc-phonet: Don't leak in usbpn_open
  batman-adv: Fix mem leak in the batadv_tt_local_event() function
  ...