profile/common/kernel-common.git
11 years agobatman-adv: Fix NULL pointer dereference in DAT hash collision avoidance
Pau Koning [Tue, 12 Feb 2013 00:18:45 +0000 (00:18 +0000)]
batman-adv: Fix NULL pointer dereference in DAT hash collision avoidance

An entry in DAT with the hashed position of 0 can cause a NULL pointer
dereference when the first entry is checked by batadv_choose_next_candidate.
This first candidate automatically has the max value of 0 and the max_orig_node
of NULL. Not checking max_orig_node for NULL in batadv_is_orig_node_eligible
will lead to a NULL pointer dereference when checking for the lowest address.

This problem was added in 785ea1144182c341b8b85b0f8180291839d176a8
("batman-adv: Distributed ARP Table - create DHT helper functions").

Signed-off-by: Pau Koning <paukoning@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet/macb: fix race with RX interrupt while doing NAPI
Nicolas Ferre [Tue, 12 Feb 2013 10:08:48 +0000 (11:08 +0100)]
net/macb: fix race with RX interrupt while doing NAPI

When interrupts are disabled, an RX condition can occur but
it is not reported when enabling interrupts again. We need to check
RSR and use napi_reschedule() if condition is met.

Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoatl1c: add error checking for pci_map_single functions
Huang, Xiong [Mon, 11 Feb 2013 14:44:40 +0000 (14:44 +0000)]
atl1c: add error checking for pci_map_single functions

it is reported that code hit DMA-API errors on 3.8-rc6+,
(see https://bugzilla.redhat.com/show_bug.cgi?id=908436, and
     https://bugzilla.redhat.com/show_bug.cgi?id=908550)

this patch just adds error handler for
    pci_map_single and skb_frag_dma_map.

Signed-off-by: xiong <xiong@qca.qualcomm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agohtb: fix values in opt dump
Jiri Pirko [Tue, 12 Feb 2013 00:12:00 +0000 (00:12 +0000)]
htb: fix values in opt dump

in htb_change_class() cl->buffer and cl->buffer are stored in ns.
So in dump, convert them back to psched ticks.

Note this was introduced by:
commit 56b765b79e9a78dc7d3f8850ba5e5567205a3ecd
    htb: improved accuracy at high rates

Please consider this for -net/-stable.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville...
David S. Miller [Tue, 12 Feb 2013 21:11:09 +0000 (16:11 -0500)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless

John W. Linville says:

====================
Here is another handful of late-breaking fixes intended for the 3.8
stream...  Hopefully the will still make it! :-)

There are three mac80211 fixes pulled from Johannes:

"Here are three fixes still for the 3.8 stream, the fix from Cong Ding
for the bad sizeof (Stephen Hemminger had pointed it out before but I'd
promptly forgotten), a mac80211 managed-mode channel context usage fix
where a downgrade would never stop until reaching non-HT and a bug in
the channel determination that could cause invalid channels like HT40+
on channel 11 to be used."

Also included is a mwl8k fix that avoids an oops when using mwl8k
devices that only support the 5 GHz band.

Please let me know if there are problems!
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoixgbe: Only set gso_type to SKB_GSO_TCPV4 as RSC does not support IPv6
Alexander Duyck [Tue, 12 Feb 2013 09:45:44 +0000 (09:45 +0000)]
ixgbe: Only set gso_type to SKB_GSO_TCPV4 as RSC does not support IPv6

The original fix that was applied for setting gso_type required more change
than necessary because it was assumed ixgbe does RSC on IPv6 frames and this
is not correct.  RSC is only supported with IPv4/TCP frames only.  As such we
can simplify the fix and avoid the unnecessary move of eth_type_trans.

The previous patch "ixgbe: fix gso type" and this patch reduce the entire fix
to one line that sets gso_type to TCPV4 if the frame is RSC.

Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet: fix infinite loop in __skb_recv_datagram()
Eric Dumazet [Tue, 12 Feb 2013 06:16:53 +0000 (06:16 +0000)]
net: fix infinite loop in __skb_recv_datagram()

Tommi was fuzzing with trinity and reported the following problem :

commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
missed that a raw socket receive queue can contain skbs with no payload.

We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
wait_for_packet() is not prepared to skip these skbs.

[   83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
(detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
[   83.541011] INFO: Stall ended before state dump start
[  108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847]
...
[  108.067010] Call Trace:
[  108.067010]  [<ffffffff818cc103>] __skb_recv_datagram+0x1a3/0x3b0
[  108.067010]  [<ffffffff818cc33d>] skb_recv_datagram+0x2d/0x30
[  108.067010]  [<ffffffff819ed43d>] rawv6_recvmsg+0xad/0x240
[  108.067010]  [<ffffffff818c4b04>] sock_common_recvmsg+0x34/0x50
[  108.067010]  [<ffffffff818bc8ec>] sock_recvmsg+0xbc/0xf0
[  108.067010]  [<ffffffff818bf31e>] sys_recvfrom+0xde/0x150
[  108.067010]  [<ffffffff81ca4329>] system_call_fastpath+0x16/0x1b

Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet: qmi_wwan: add Yota / Megafon M100-1 4g modem
Bjørn Mork [Tue, 12 Feb 2013 02:42:50 +0000 (02:42 +0000)]
net: qmi_wwan: add Yota / Megafon M100-1 4g modem

Interface layout:

 00 CD-ROM
 01 debug COM port
 02 AP control port
 03 modem
 04 usb-ethernet

Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#=  4 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0408 ProdID=ea42 Rev= 0.00
S:  Manufacturer=Qualcomm, Incorporated
S:  Product=Qualcomm CDMA Technologies MSM
S:  SerialNumber=353568051xxxxxx
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=86(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
John W. Linville [Tue, 12 Feb 2013 15:41:46 +0000 (10:41 -0500)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem

11 years agomwl8k: fix band for supported channels
Jonas Gorski [Fri, 8 Feb 2013 15:07:25 +0000 (16:07 +0100)]
mwl8k: fix band for supported channels

The band field for the supported channels were left unpopulated, making
them default to 0 == IEEE80211_BAND_2GHZ, even for the 5GHz channels.

This resulted in null pointer accesses if anything tries to access
wiphy->bands[channel->band] of a 5GHz channel on 5GHz only cards, since
wiphy->bands[2GHZ] is NULL for them (e.g. cfg80211_chandef_usable does).

Example kernel OOPS:

[  665.669993] Unable to handle kernel NULL pointer dereference at virtual address 00000016
[  665.678194] pgd = c6d58000
[  665.680941] [00000016] *pgd=06f8a831, *pte=00000000, *ppte=00000000
[  665.687303] Internal error: Oops: 17 [#1]
(...)
[  666.116373] Backtrace:
[  666.118866] [<bf0368dc>] (cfg80211_chandef_usable+0x0/0x1bc [cfg80211]) from [<bf025e64>] (nl80211_leave_mesh+0x244/0x264 [cfg80211])
[  666.130919]  r7:c6d12100 r6:0000143c r5:c0611c48 r4:c0611b98
[  666.136668] [<bf025d84>] (nl80211_leave_mesh+0x164/0x264 [cfg80211]) from [<bf02634c>] (nl80211_remain_on_channel+0x2a0/0x358 [cfg80211])
[  666.149074]  r7:c6d12000 r6:c6d12000 r5:c6f4f368 r4:00000003
[  666.154814] [<bf0262ec>] (nl80211_remain_on_channel+0x240/0x358 [cfg80211]) from [<bf02ddb0>] (nl80211_set_wiphy+0x264/0x560 [cfg80211])
[  666.167150] [<bf02db4c>] (nl80211_set_wiphy+0x0/0x560 [cfg80211]) from [<c01f94e0>] (genl_rcv_msg+0x1b8/0x1f8)
[  666.177205] [<c01f9328>] (genl_rcv_msg+0x0/0x1f8) from [<c01f89a0>] (netlink_rcv_skb+0x58/0xb4)
[  666.185949] [<c01f8948>] (netlink_rcv_skb+0x0/0xb4) from [<c01f931c>] (genl_rcv+0x20/0x2c)
[  666.194251]  r6:c6f70780 r5:0000002c r4:c6f70780 r3:00000001
[  666.199973] [<c01f92fc>] (genl_rcv+0x0/0x2c) from [<c01f8418>] (netlink_unicast+0x154/0x1f4)
[  666.208449]  r4:c785ea00 r3:c01f92fc
[  666.212057] [<c01f82c4>] (netlink_unicast+0x0/0x1f4) from [<c01f8790>] (netlink_sendmsg+0x230/0x2b0)
[  666.221240] [<c01f8560>] (netlink_sendmsg+0x0/0x2b0) from [<c01cccf8>] (sock_sendmsg+0x90/0xa4)
[  666.229986] [<c01ccc68>] (sock_sendmsg+0x0/0xa4) from [<c01cdcb0>] (__sys_sendmsg+0x290/0x298)
[  666.238637]  r9:00000000 r8:c0611ec8 r6:0000002c r5:c0610000 r4:c0611f64
[  666.245411] [<c01cda20>] (__sys_sendmsg+0x0/0x298) from [<c01cf52c>] (sys_sendmsg+0x44/0x6c)
[  666.253897] [<c01cf4e8>] (sys_sendmsg+0x0/0x6c) from [<c00090a0>] (ret_fast_syscall+0x0/0x2c)
[  666.262460]  r6:00000000 r5:beeff96c r4:00000005

Signed-off-by: Jonas Gorski <jogo@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agoMerge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
John W. Linville [Mon, 11 Feb 2013 19:25:28 +0000 (14:25 -0500)]
Merge branch 'for-john' of git://git./linux/kernel/git/jberg/mac80211

11 years agobridge: set priority of STP packets
Stephen Hemminger [Mon, 11 Feb 2013 08:22:22 +0000 (08:22 +0000)]
bridge: set priority of STP packets

Spanning Tree Protocol packets should have always been marked as
control packets, this causes them to get queued in the high prirority
FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge
gets overloaded and can't communicate. This is a long-standing bug back
to the first versions of Linux bridge.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agomac80211: fix channel selection bug
Johannes Berg [Sat, 9 Feb 2013 20:46:34 +0000 (21:46 +0100)]
mac80211: fix channel selection bug

When trying to connect to an AP that advertises HT but not
VHT, the mac80211 code erroneously uses the configuration
from the AP as is instead of checking it against regulatory
and local capabilities. This can lead to using an invalid
or even inexistent channel (like 11/HT40+).

Additionally, the return flags from downgrading must be
ORed together, to collect them from all of the downgrades.
Also clarify the message.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agoMerge branch 'master' of git://1984.lsi.us.es/nf
David S. Miller [Mon, 11 Feb 2013 01:44:08 +0000 (20:44 -0500)]
Merge branch 'master' of git://1984.lsi.us.es/nf

Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter/IPVS fixes for 3.8-rc7, they are:

* Fix oops in IPVS state-sync due to releasing a random memory area due
  to unitialized pointer, from Dan Carpenter.

* Fix SCTP flow establishment due to bad checksumming mangling in IPVS,
  from Daniel Borkmann.

* Three fixes for the recently added IPv6 NPT, all from YOSHIFUJI Hideaki,
  with an amendment collapsed into those patches from Ulrich Weber. They
  fiix adjustment calculation, fix prefix mangling and ensure LSB of
  prefixes are zeroes (as required by RFC).

Specifically, it took me a while to validate the 1's complement arithmetics/
checksumming approach in the IPv6 NPT code.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoarp: fix possible crash in arp_rcv()
Eric Dumazet [Fri, 8 Feb 2013 18:48:21 +0000 (18:48 +0000)]
arp: fix possible crash in arp_rcv()

We should call skb_share_check() before pskb_may_pull(), or we
can crash in pskb_expand_head()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'gso_type'
David S. Miller [Mon, 11 Feb 2013 01:14:46 +0000 (20:14 -0500)]
Merge branch 'gso_type'

Michael S. Tsirkin says:

====================
At the moment, macvtap crashes are observed if macvtap is attached
to an interface with LRO enabled.
The crash in question is BUG() in macvtap_skb_to_vnet_hdr.
This happens because several drivers set gso_size but not gso_type
in incoming skbs.
This didn't use to be the case: with intel cards on 3.2 and older
kernels, with qlogic - on 3.4 and older kernels, so it's a regression if
not a recent one.
The following patches fix this for qlogic, broadcom and intel drivers.

I tested that the patch fixes the crash for ixgbe but
don't have qlogic/broadcom hardware to test.
I also only tested TCPv4.

Please review, and consider for 3.8.

Changes from v1:
- added missing htons as suggested by Eric
- backported the relevant bits from
  cbf1de72324a8105ddcc3d9ce9acbc613faea17e for bnx2x
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agobnx2x: set gso_type
Michael S. Tsirkin [Thu, 7 Feb 2013 03:13:22 +0000 (03:13 +0000)]
bnx2x: set gso_type

In LRO mode, bnx2x set gso_size but not gso type.
This leads to crashes in macvtap.
Commit cbf1de72324a8105ddcc3d9ce9acbc613faea17e
queued for 3.9 includes a more complete fix.
This is a minimal patch to avoid the crash, for 3.8.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoqlcnic: set gso_type
Michael S. Tsirkin [Thu, 7 Feb 2013 03:13:13 +0000 (03:13 +0000)]
qlcnic: set gso_type

qlcnic set gso_size but not gso type. This leads to crashes
in macvtap.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoixgbe: fix gso type
Michael S. Tsirkin [Thu, 7 Feb 2013 03:13:05 +0000 (03:13 +0000)]
ixgbe: fix gso type

ixgbe set gso_size but not gso_type. This leads to
crashes in macvtap.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agostmmac: mdio register has to fail if the phy is not found
Giuseppe CAVALLARO [Wed, 6 Feb 2013 20:47:52 +0000 (20:47 +0000)]
stmmac: mdio register has to fail if the phy is not found

With this patch the stmmac fails in case of the phy device
is not found; w/o this fix the mdio can be register twice when
do down/up the iface and this is not correct.

Reported-by: Stas <stsp@list.ru>
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agostmmac: fix macro used for debugging the xmit
Giuseppe CAVALLARO [Wed, 6 Feb 2013 20:47:51 +0000 (20:47 +0000)]
stmmac: fix macro used for debugging the xmit

This patch fixes the name of the macro used for
debugging the transmit process. I used STMMAC_TX_DEBUG
instead of STMMAC_XMIT_DEBUG.

Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'davem.r8169' of git://violet.fr.zoreil.com/romieu/linux
David S. Miller [Mon, 11 Feb 2013 00:05:49 +0000 (19:05 -0500)]
Merge branch 'davem.r8169' of git://violet.fr.zoreil.com/romieu/linux

Revert two power saving r8169 changes to fix some regressions
reported.

Reported-by: Jörg Otte <jrg.otte@gmail.com>
Tested-by: Jörg Otte <jrg.otte@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoRevert "r8169: enable internal ASPM and clock request settings".
Francois Romieu [Thu, 1 Nov 2012 16:46:28 +0000 (16:46 +0000)]
Revert "r8169: enable internal ASPM and clock request settings".

This reverts commit d64ec841517a25f6d468bde9f67e5b4cffdc67c7.

Jörg Otte reported his 8168evl to increase boot time link detection
from 1.6 to 10 s.

Hayes suggests reverting it for the time being.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Hayes Wang <hayeswang@realtek.com>
Cc: Jörg Otte <jrg.otte@gmail.com>
11 years agoRevert "r8169: enable ALDPS for power saving".
Francois Romieu [Fri, 8 Feb 2013 22:43:20 +0000 (23:43 +0100)]
Revert "r8169: enable ALDPS for power saving".

This reverts commit e0c075577965d1c01b30038d38bf637b027a1df3.

Jörg Otte reported his 8168evl to fail boot time link detection.

Hayes suggests reverting it for the time being.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Hayes Wang <hayeswang@realtek.com>
Cc: Jörg Otte <jrg.otte@gmail.com>
11 years agoLinux 3.8-rc7 v3.8-rc7
Linus Torvalds [Fri, 8 Feb 2013 21:20:39 +0000 (08:20 +1100)]
Linux 3.8-rc7

11 years agoMerge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Linus Torvalds [Fri, 8 Feb 2013 21:01:18 +0000 (08:01 +1100)]
Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm

Pull ARM fixes from Russell King:
 "I was going to hold these off until v3.8 was out, and send them with a
  stable tag, but as everyone else is pushing much bigger fixes which
  Linus is accepting, let's save people from the hastle of having to
  patch v3.8 back into working or use a stable kernel.

  Looking at the diffstat, this really is high value for its size; this
  is miniscule compared to how the -rc6 to tip diffstat currently looks.

  So, four patches in this set:
   - Punit Agrawal reports that the kernel no longer boots on MPCore due
     to a new assumption made in the GIC code which isn't true of
     earlier GIC designs.  This is the biggest change in this set.
   - Punit's boot log also revealed a bunch of WARN_ON() dumps caused by
     the DT-ification of the GIC support without fixing up non-DT
     Realview - which now sees a greater number of interrupts than it
     did before.
   - A fix for the DMA coherent code from Marek which uses the wrong
     check for atomic allocations; this can result in spinlock lockups
     or other nasty effects.
   - A fix from Will, which will affect all Android based platforms if
     not applied (which use the 2G:2G VM split) - this causes
     particularly 'make' to misbehave unless this bug is fixed."

* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
  ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is aligned
  ARM: DMA mapping: fix bad atomic test
  ARM: realview: ensure that we have sufficient IRQs available
  ARM: GIC: fix GIC cpumask initialization

11 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Fri, 8 Feb 2013 20:55:24 +0000 (07:55 +1100)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Revert iwlwifi reclaimed packet tracking, it causes problems for a
    bunch of folks.  From Emmanuel Grumbach.

 2) Work limiting code in brcmsmac wifi driver can clear tx status
    without processing the event.  From Arend van Spriel.

 3) rtlwifi USB driver processes wrong SKB, fix from Larry Finger.

 4) l2tp tunnel delete can race with close, fix from Tom Parkin.

 5) pktgen_add_device() failures are not checked at all, fix from Cong
    Wang.

 6) Fix unintentional removal of carrier off from tun_detach(),
    otherwise we confuse userspace, from Michael S.  Tsirkin.

 7) Don't leak socket reference counts and ubufs in vhost-net driver,
    from Jason Wang.

 8) vmxnet3 driver gets it's initial carrier state wrong, fix from Neil
    Horman.

 9) Protect against USB networking devices which spam the host with 0
    length frames, from Bjørn Mork.

10) Prevent neighbour overflows in ipv6 for locally destined routes,
    from Marcelo Ricardo.  This is the best short-term fix for this, a
    longer term fix has been implemented in net-next.

11) L2TP uses ipv4 datagram routines in it's ipv6 code, whoops.  This
    mistake is largely because the ipv6 functions don't even have some
    kind of prefix in their names to suggest they are ipv6 specific.
    From Tom Parkin.

12) Check SYN packet drops properly in tcp_rcv_fastopen_synack(), from
    Yuchung Cheng.

13) Fix races and TX skb freeing bugs in via-rhine's NAPI support, from
    Francois Romieu and your's truly.

14) Fix infinite loops and divides by zero in TCP congestion window
    handling, from Eric Dumazet, Neal Cardwell, and Ilpo Järvinen.

15) AF_PACKET tx ring handling can leak kernel memory to userspace, fix
    from Phil Sutter.

16) Fix error handling in ipv6 GRE tunnel transmit, from Tommi Rantala.

17) Protect XEN netback driver against hostile frontend putting garbage
    into the rings, don't leak pages in TX GOP checking, and add proper
    resource releasing in error path of xen_netbk_get_requests().  From
    Ian Campbell.

18) SCTP authentication keys should be cleared out and released with
    kzfree(), from Daniel Borkmann.

19) L2TP is a bit too clever trying to maintain skb->truesize, and ends
    up corrupting socket memory accounting to the point where packet
    sending is halted indefinitely.  Just remove the adjustments
    entirely, they aren't really needed.  From Eric Dumazet.

20) ATM Iphase driver uses a data type with the same name as the S390
    headers, rename to fix the build.  From Heiko Carstens.

21) Fix a typo in copying the inner network header offset from one SKB
    to another, from Pravin B Shelar.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (56 commits)
  net: sctp: sctp_endpoint_free: zero out secret key data
  net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
  atm/iphase: rename fregt_t -> ffreg_t
  net: usb: fix regression from FLAG_NOARP code
  l2tp: dont play with skb->truesize
  net: sctp: sctp_auth_key_put: use kzfree instead of kfree
  netback: correct netbk_tx_err to handle wrap around.
  xen/netback: free already allocated memory on failure in xen_netbk_get_requests
  xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
  xen/netback: shutdown the ring if it contains garbage.
  net: qmi_wwan: add more Huawei devices, including E320
  net: cdc_ncm: add another Huawei vendor specific device
  ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()
  tcp: fix for zero packets_in_flight was too broad
  brcmsmac: rework of mac80211 .flush() callback operation
  ssb: unregister gpios before unloading ssb
  bcma: unregister gpios before unloading bcma
  rtlwifi: Fix scheduling while atomic bug
  net: usbnet: fix tx_dropped statistics
  tcp: ipv6: Update MIB counters for drops
  ...

11 years agoMerge branch 'sctp_keys'
David S. Miller [Fri, 8 Feb 2013 19:55:08 +0000 (14:55 -0500)]
Merge branch 'sctp_keys'

Daniel Borkmann says:

====================
Cryptographically used keys should be zeroed out when our session
ends resp. memory is freed, thus do not leave them somewhere in the
memory.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet: sctp: sctp_endpoint_free: zero out secret key data
Daniel Borkmann [Fri, 8 Feb 2013 03:04:35 +0000 (03:04 +0000)]
net: sctp: sctp_endpoint_free: zero out secret key data

On sctp_endpoint_destroy, previously used sensitive keying material
should be zeroed out before the memory is returned, as we already do
with e.g. auth keys when released.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
Daniel Borkmann [Fri, 8 Feb 2013 03:04:34 +0000 (03:04 +0000)]
net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree

In sctp_setsockopt_auth_key, we create a temporary copy of the user
passed shared auth key for the endpoint or association and after
internal setup, we free it right away. Since it's sensitive data, we
should zero out the key before returning the memory back to the
allocator. Thus, use kzfree instead of kfree, just as we do in
sctp_auth_key_put().

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoatm/iphase: rename fregt_t -> ffreg_t
Heiko Carstens [Fri, 8 Feb 2013 00:19:11 +0000 (00:19 +0000)]
atm/iphase: rename fregt_t -> ffreg_t

We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
iphase atm device driver, which causes the compile error below.
Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
nor can I change the include order in s390 code to avoid the conflict.

So simply rename the iphase typedef to a new name. Fixes this compile error:

In file included from drivers/atm/iphase.c:66:0:
drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
In file included from next/arch/s390/include/asm/ptrace.h:9:0,
                 from next/arch/s390/include/asm/lowcore.h:12,
                 from next/arch/s390/include/asm/thread_info.h:30,
                 from include/linux/thread_info.h:54,
                 from include/linux/preempt.h:9,
                 from include/linux/spinlock.h:50,
                 from include/linux/seqlock.h:29,
                 from include/linux/time.h:5,
                 from include/linux/stat.h:18,
                 from include/linux/module.h:10,
                 from drivers/atm/iphase.c:43:
next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Acked-by: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is aligned
Will Deacon [Fri, 8 Feb 2013 11:52:29 +0000 (12:52 +0100)]
ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is aligned

We have received multiple reports of mmap failures when running with a
2:2 vm split. These manifest as either -EINVAL with a non page-aligned
address (ending 0xaaa) or a SEGV, depending on the application. The
issue is commonly observed in children of make, which appears to use
bottom-up mmap (assumedly because it changes the stack rlimit).

Further investigation reveals that this regression was triggered by
394ef6403abc ("mm: use vm_unmapped_area() on arm architecture"), whereby
TASK_UNMAPPED_BASE is no longer page-aligned for bottom-up mmap, causing
get_unmapped_area to choke on misaligned addressed.

This patch fixes the problem by defining TASK_UNMAPPED_BASE in terms of
TASK_SIZE and explicitly aligns the result to 16M, matching the other
end of the heap.

Acked-by: Nicolas Pitre <nico@linaro.org>
Reported-by: Steve Capper <steve.capper@arm.com>
Reported-by: Jean-Francois Moine <moinejf@free.fr>
Reported-by: Christoffer Dall <cdall@cs.columbia.edu>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
11 years agoARM: DMA mapping: fix bad atomic test
Russell King [Wed, 30 Jan 2013 23:55:35 +0000 (23:55 +0000)]
ARM: DMA mapping: fix bad atomic test

Realview fails to boot with this warning:
BUG: spinlock lockup suspected on CPU#0, init/1
 lock: 0xcf8bde10, .magic: dead4ead, .owner: init/1, .owner_cpu: 0
Backtrace:
[<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:cf8bde10 r5:cf83d1c0 r4:cf8bde10 r3:cf83d1c0
[<c03294d0>] (dump_stack+0x0/0x1c) from [<c018926c>] (spin_dump+0x84/0x98)
[<c01891e8>] (spin_dump+0x0/0x98) from [<c0189460>] (do_raw_spin_lock+0x100/0x198)
[<c0189360>] (do_raw_spin_lock+0x0/0x198) from [<c032cbac>] (_raw_spin_lock+0x3c/0x44)
[<c032cb70>] (_raw_spin_lock+0x0/0x44) from [<c01c9224>] (pl011_console_write+0xe8/0x11c)
[<c01c913c>] (pl011_console_write+0x0/0x11c) from [<c002aea8>] (call_console_drivers.clone.7+0xdc/0x104)
[<c002adcc>] (call_console_drivers.clone.7+0x0/0x104) from [<c002b320>] (console_unlock+0x2e8/0x454)
[<c002b038>] (console_unlock+0x0/0x454) from [<c002b8b4>] (vprintk_emit+0x2d8/0x594)
[<c002b5dc>] (vprintk_emit+0x0/0x594) from [<c0329718>] (printk+0x3c/0x44)
[<c03296dc>] (printk+0x0/0x44) from [<c002929c>] (warn_slowpath_common+0x28/0x6c)
[<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
[<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0070ab0>] (lockdep_trace_alloc+0xd8/0xf0)
[<c00709d8>] (lockdep_trace_alloc+0x0/0xf0) from [<c00c0850>] (kmem_cache_alloc+0x24/0x11c)
[<c00c082c>] (kmem_cache_alloc+0x0/0x11c) from [<c00bb044>] (__get_vm_area_node.clone.24+0x7c/0x16c)
[<c00bafc8>] (__get_vm_area_node.clone.24+0x0/0x16c) from [<c00bb7b8>] (get_vm_area_caller+0x48/0x54)
[<c00bb770>] (get_vm_area_caller+0x0/0x54) from [<c0020064>] (__alloc_remap_buffer.clone.15+0x38/0xb8)
[<c002002c>] (__alloc_remap_buffer.clone.15+0x0/0xb8) from [<c0020244>] (__dma_alloc+0x160/0x2c8)
[<c00200e4>] (__dma_alloc+0x0/0x2c8) from [<c00204d8>] (arm_dma_alloc+0x88/0xa0)[<c0020450>] (arm_dma_alloc+0x0/0xa0) from [<c00beb00>] (dma_pool_alloc+0xcc/0x1a8)
[<c00bea34>] (dma_pool_alloc+0x0/0x1a8) from [<c01a9d14>] (pl08x_fill_llis_for_desc+0x28/0x568)
[<c01a9cec>] (pl08x_fill_llis_for_desc+0x0/0x568) from [<c01aab8c>] (pl08x_prep_slave_sg+0x258/0x3b0)
[<c01aa934>] (pl08x_prep_slave_sg+0x0/0x3b0) from [<c01c9f74>] (pl011_dma_tx_refill+0x140/0x288)
[<c01c9e34>] (pl011_dma_tx_refill+0x0/0x288) from [<c01ca748>] (pl011_start_tx+0xe4/0x120)
[<c01ca664>] (pl011_start_tx+0x0/0x120) from [<c01c54a4>] (__uart_start+0x48/0x4c)
[<c01c545c>] (__uart_start+0x0/0x4c) from [<c01c632c>] (uart_start+0x2c/0x3c)
[<c01c6300>] (uart_start+0x0/0x3c) from [<c01c795c>] (uart_write+0xcc/0xf4)
[<c01c7890>] (uart_write+0x0/0xf4) from [<c01b0384>] (n_tty_write+0x1c0/0x3e4)
[<c01b01c4>] (n_tty_write+0x0/0x3e4) from [<c01acfe8>] (tty_write+0x144/0x240)
[<c01acea4>] (tty_write+0x0/0x240) from [<c01ad17c>] (redirected_tty_write+0x98/0xac)
[<c01ad0e4>] (redirected_tty_write+0x0/0xac) from [<c00c371c>] (vfs_write+0xbc/0x150)
[<c00c3660>] (vfs_write+0x0/0x150) from [<c00c39c0>] (sys_write+0x4c/0x78)
[<c00c3974>] (sys_write+0x0/0x78) from [<c0014460>] (ret_fast_syscall+0x0/0x3c)

This happens because the DMA allocation code is not respecting atomic
allocations correctly.

GFP flags should not be tested for GFP_ATOMIC to determine if an
atomic allocation is being requested.  GFP_ATOMIC is not a flag but
a value.  The GFP bitmask flags are all prefixed with __GFP_.

The rest of the kernel tests for __GFP_WAIT not being set to indicate
an atomic allocation.  We need to do the same.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
11 years agoARM: realview: ensure that we have sufficient IRQs available
Russell King [Wed, 30 Jan 2013 23:54:26 +0000 (23:54 +0000)]
ARM: realview: ensure that we have sufficient IRQs available

Realview EB with a rev B MPcore tile results in lots of warnings at
boot because it can't allocate enough IRQs.  Fix this by increasing
the number of available IRQs.

WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:757 gic_init_bases+0x12c/0x2ec()
Cannot allocate irq_descs @ IRQ96, assuming pre-allocated
Modules linked in:
Backtrace:
[<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002f5 r5:c042c62c r4:c044ff40 r3:c045f240
[<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
[<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029384>] (warn_slowpath_fmt+0x38/0x40)
[<c002934c>] (warn_slowpath_fmt+0x0/0x40) from [<c042c62c>] (gic_init_bases+0x12c/0x2ec)
[<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
[<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
[<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
[<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
---[ end trace 1b75b31a2719ed1c ]---
------------[ cut here ]------------
WARNING: at /home/rmk/git/linux-rmk/kernel/irq/irqdomain.c:234 irq_domain_add_legacy+0x80/0x140()
Modules linked in:
Backtrace:
[<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000000ea r5:c0081a38 r4:00000000 r3:c045f240
[<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
[<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
[<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0081a38>] (irq_domain_add_legacy+0x80/0x140)
[<c00819b8>] (irq_domain_add_legacy+0x0/0x140) from [<c042c64c>] (gic_init_bases+0x14c/0x2ec)
[<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
[<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
[<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
[<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
---[ end trace 1b75b31a2719ed1d ]---
------------[ cut here ]------------
WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:762 gic_init_bases+0x170/0x2ec()
Modules linked in:
Backtrace:
[<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002fa r5:c042c670 r4:00000000 r3:c045f240
[<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
[<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
[<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c042c670>] (gic_init_bases+0x170/0x2ec)
[<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
[<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
[<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
[<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
---[ end trace 1b75b31a2719ed1e ]---

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
11 years agoARM: GIC: fix GIC cpumask initialization
Russell King [Wed, 30 Jan 2013 23:49:57 +0000 (23:49 +0000)]
ARM: GIC: fix GIC cpumask initialization

Punit Agrawal reports:
> I was trying to boot 3.8-rc5 on Realview EB 11MPCore using
> realview-smp_defconfig as a starting point but the kernel failed to
> progress past the log below (config attached).
>
> Pawel suggested I try reverting 384a290283f - "ARM: gic: use a private
> mapping for CPU target interfaces" that you've authored. With this
> commit reverted the kernel boots.
>
> I am not quite sure why the commit breaks 11MPCore but Pawel (cc'd)
> might be able to shed light on that.

Some early GIC implementations return zero for the first distributor
CPU routing register.  This means we can't rely on that telling us
which CPU interface we're connected to.  We know that these platforms
implement PPIs for IRQs 29-31 - but we shouldn't assume that these
will always be populated.

So, instead, scan for a non-zero CPU routing register in the first
32 IRQs and use that as our CPU mask.

Reported-by: Punit Agrawal <punit.agrawal@arm.com>
Reviewed-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
11 years agoMerge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Fri, 8 Feb 2013 08:46:26 +0000 (19:46 +1100)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm regression fix from Dave Airlie:
 "This one fixes a sleep while locked regression that was introduced
  earlier in 3.8."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try

11 years agonet: usb: fix regression from FLAG_NOARP code
Lucas Stach [Thu, 7 Feb 2013 16:18:39 +0000 (16:18 +0000)]
net: usb: fix regression from FLAG_NOARP code

In commit 6509141f9c2ba74df6cc72ec35cd1865276ae3a4 ("usbnet: add new
flag FLAG_NOARP for usb net devices"), the newly added flag NOARP was
using an already defined value, which broke drivers using flag
MULTI_PACKET.

Signed-off-by: Lucas Stach <dev@lynxeye.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agol2tp: dont play with skb->truesize
Eric Dumazet [Thu, 7 Feb 2013 14:00:34 +0000 (14:00 +0000)]
l2tp: dont play with skb->truesize

Andrew Savchenko reported a DNS failure and we diagnosed that
some UDP sockets were unable to send more packets because their
sk_wmem_alloc was corrupted after a while (tx_queue column in
following trace)

$ cat /proc/net/udp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
...
  459: 00000000:0270 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4507 2 ffff88003d612380 0
  466: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4802 2 ffff88003d613180 0
  470: 076A070A:007B 00000000:0000 07 FFFF4600:00000000 00:00000000 00000000   123        0 5552 2 ffff880039974380 0
  470: 010213AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4986 2 ffff88003dbd3180 0
  470: 010013AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4985 2 ffff88003dbd2e00 0
  470: 00FCA8C0:007B 00000000:0000 07 FFFFFB00:00000000 00:00000000 00000000     0        0 4984 2 ffff88003dbd2a80 0
...

Playing with skb->truesize is tricky, especially when
skb is attached to a socket, as we can fool memory charging.

Just remove this code, its not worth trying to be ultra
precise in xmit path.

Reported-by: Andrew Savchenko <bircoph@gmail.com>
Tested-by: Andrew Savchenko <bircoph@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet: sctp: sctp_auth_key_put: use kzfree instead of kfree
Daniel Borkmann [Thu, 7 Feb 2013 00:55:37 +0000 (00:55 +0000)]
net: sctp: sctp_auth_key_put: use kzfree instead of kfree

For sensitive data like keying material, it is common practice to zero
out keys before returning the memory back to the allocator. Thus, use
kzfree instead of kfree.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswit...
David S. Miller [Fri, 8 Feb 2013 04:37:36 +0000 (23:37 -0500)]
Merge branch 'fixes' of git://git./linux/kernel/git/jesse/openvswitch into openvswitch

Jesse Gross says:

====================
One bug fix for net/3.8 for a long standing problem that was reported a few
times recently.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'netback'
David S. Miller [Fri, 8 Feb 2013 04:31:47 +0000 (23:31 -0500)]
Merge branch 'netback'

Ian Campbell says:

====================
The Xen netback implementation contains a couple of flaws which can
allow a guest to cause a DoS in the backend domain, potentially
affecting other domains in the system.

CVE-2013-0216 is a failure to sanity check the ring producer/consumer
pointers which can allow a guest to cause netback to loop for an
extended period preventing other work from occurring.

CVE-2013-0217 is a memory leak on an error path which is guest
triggerable.

The following series contains the fixes for these issues, as previously
included in Xen Security Advisory 39:
http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html

Changes in v2:
 - Typo and block comment format fixes
 - Added stable Cc
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonetback: correct netbk_tx_err to handle wrap around.
Ian Campbell [Wed, 6 Feb 2013 23:41:38 +0000 (23:41 +0000)]
netback: correct netbk_tx_err to handle wrap around.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoxen/netback: free already allocated memory on failure in xen_netbk_get_requests
Ian Campbell [Wed, 6 Feb 2013 23:41:37 +0000 (23:41 +0000)]
xen/netback: free already allocated memory on failure in xen_netbk_get_requests

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoxen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
Matthew Daley [Wed, 6 Feb 2013 23:41:36 +0000 (23:41 +0000)]
xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoxen/netback: shutdown the ring if it contains garbage.
Ian Campbell [Wed, 6 Feb 2013 23:41:35 +0000 (23:41 +0000)]
xen/netback: shutdown the ring if it contains garbage.

A buggy or malicious frontend should not be able to confuse netback.
If we spot anything which is not as it should be then shutdown the
device and don't try to continue with the ring in a potentially
hostile state. Well behaved and non-hostile frontends will not be
penalised.

As well as making the existing checks for such errors fatal also add a
new check that ensures that there isn't an insane number of requests
on the ring (i.e. more than would fit in the ring). If the ring
contains garbage then previously is was possible to loop over this
insane number, getting an error each time and therefore not generating
any more pending requests and therefore not exiting the loop in
xen_netbk_tx_build_gops for an externded period.

Also turn various netdev_dbg calls which no precipitate a fatal error
into netdev_err, they are rate limited because the device is shutdown
afterwards.

This fixes at least one known DoS/softlockup of the backend domain.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty...
Linus Torvalds [Fri, 8 Feb 2013 01:22:30 +0000 (12:22 +1100)]
Merge tag 'fixes-for-linus' of git://git./linux/kernel/git/rusty/linux

Pull virtio fix from Rusty Russell:
 "Obviously I forgot to push this before linux.conf.au..."

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
  virtio_console: Don't access uninitialized data.

11 years agoMerge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland...
Linus Torvalds [Fri, 8 Feb 2013 01:15:14 +0000 (12:15 +1100)]
Merge tag 'rdma-for-linus' of git://git./linux/kernel/git/roland/infiniband

Pull IB regression fixes from Roland Dreier:

 - Fix mlx4 VFs not working on old guests because of 64B CQE changes

 - Fix ill-considered sparse fix for qib

 - Fix IPoIB crash due to skb double destruct introduced in 3.8-rc1

* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/qib: Fix for broken sparse warning fix
  mlx4_core: Fix advertisement of wrong PF context behaviour
  IPoIB: Fix crash due to skb double destruct

11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux...
Linus Torvalds [Fri, 8 Feb 2013 01:06:46 +0000 (12:06 +1100)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mason/linux-btrfs

Pull btrfs fixes from Chris Mason:
 "We've got corner cases for updating i_size that ceph was hitting,
  error handling for quotas when we run out of space, a very subtle
  snapshot deletion race, a crash while removing devices, and one
  deadlock between subvolume creation and the sb_internal code (thanks
  lockdep)."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: move d_instantiate outside the transaction during mksubvol
  Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata
  Btrfs: fix possible stale data exposure
  Btrfs: fix missing i_size update
  Btrfs: fix race between snapshot deletion and getting inode
  Btrfs: fix missing release of the space/qgroup reservation in start_transaction()
  Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write()
  Btrfs: do not merge logged extents if we've removed them from the tree
  btrfs: don't try to notify udev about missing devices

11 years agoMerge tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Fri, 8 Feb 2013 01:00:44 +0000 (12:00 +1100)]
Merge tag 'pinctrl-for-v3.8-late' of git://git./linux/kernel/git/linusw/linux-pinctrl

Pull late pinctrl fixes from Linus Walleij:
 "Two patches appeared as of late, one was completely news to me, the
  other one was rotated in -next for the next merge window but turned
  out to be a showstopper.

   - Exynos Kconfig fixup
   - SIRF DT translation bug"

* tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: sirf: replace of_gpio_simple_xlate by sirf specific of_xlate
  pinctrl: exynos: change PINCTRL_EXYNOS option

11 years agoMerge tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 8 Feb 2013 00:55:27 +0000 (11:55 +1100)]
Merge tag 'stable/for-linus-3.8-rc6-tag' of git://git./linux/kernel/git/konrad/xen

Pull Xen fixes from Konrad Rzeszutek Wilk:
 "This has two fixes.  One is a security fix wherein we would spam the
  kernel printk buffer if one of the guests was misbehaving.  The other
  is much tamer and it was us only checking for one type of error from
  the IRQ subsystem (when allocating new IRQs) instead of for all of
  them.

   - Fix an IRQ allocation where we only check for a specific error (-1).
   - CVE-2013-0231 / XSA-43.  Make xen-pciback rate limit error messages
     from xen_pcibk_enable_msi{,x}()"

* tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen: fix error handling path if xen_allocate_irq_dynamic fails
  xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()

11 years agoMerge tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broon...
Linus Torvalds [Fri, 8 Feb 2013 00:52:53 +0000 (11:52 +1100)]
Merge tag 'regulator-v3.8-rc6' of git://git./linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "Mostly driver specific fixes here, though one of them uncovered the
  issue Stephen Warren fixed with multiple OF matches getting upset due
  to a lack of cleanup."

* tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: s2mps11: fix incorrect register for buck10
  regulator: clear state each invocation of of_regulator_match
  regulator: max8997: Fix using wrong dev argument at various places
  regulator: max77686: Fix using wrong dev argument at various places
  regulator: max8907: Fix using wrong dev argument for calling of_regulator_match
  regulator: max8998: fix incorrect min_uV value for ldo10
  regulator: tps65910: Fix using wrong dev argument for calling of_regulator_match
  regulator: tps65217: Fix using wrong dev argument for calling of_regulator_match

11 years agodrm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try
Daniel Vetter [Mon, 14 Jan 2013 14:08:14 +0000 (15:08 +0100)]
drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try

This fixes up

commit e8e89622ed361c46bf90ba4828e685a8b603f7e5
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Tue Dec 18 22:25:11 2012 +0100

    drm/ttm: fix fence locking in ttm_buffer_object_transfer

which leaves behind a might_sleep in atomic context, since the
fence_lock spinlock is held over a kmalloc(GFP_KERNEL) call. The fix
is to revert the above commit and only take the lock where we need it,
around the call to ->sync_obj_ref.

v2: Fixup things noticed by Maarten Lankhorst:
- Brown paper bag locking bug.
- No need for kzalloc if we clear the entire thing on the next line.
- check for bo->sync_obj (totally unlikely race, but still someone
  else could have snuck in) and clear fbo->sync_obj if it's cleared
  already.

Reported-by: Dave Airlie <airlied@gmail.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
11 years agomac80211: fix managed mode channel context use
Johannes Berg [Thu, 7 Feb 2013 19:54:51 +0000 (20:54 +0100)]
mac80211: fix managed mode channel context use

My commit f2d9d270c15ae0139b54a7e7466d738327e97e03
("mac80211: support VHT association") introduced a
very stupid bug: the loop to downgrade the channel
width never attempted to actually use it again so
it would downgrade all the way to 20_NOHT. Fix it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agonetfilter: ip6t_NPT: Ensure to check lower part of prefixes are zero
YOSHIFUJI Hideaki / 吉藤英明 [Thu, 7 Feb 2013 10:18:22 +0000 (11:18 +0100)]
netfilter: ip6t_NPT: Ensure to check lower part of prefixes are zero

RFC 6296 points that address bits that are not part of the prefix
has to be zeroed.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
11 years agonetfilter: ip6t_NPT: Fix prefix mangling
YOSHIFUJI Hideaki / 吉藤英明 [Sat, 26 Jan 2013 08:38:44 +0000 (08:38 +0000)]
netfilter: ip6t_NPT: Fix prefix mangling

Make sure only the bits that are part of the prefix are mangled.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
11 years agonetfilter: ip6t_NPT: Fix adjustment calculation
YOSHIFUJI Hideaki / 吉藤英明 [Sat, 26 Jan 2013 08:37:48 +0000 (08:37 +0000)]
netfilter: ip6t_NPT: Fix adjustment calculation

Cast __wsum from/to __sum16 is wrong.  Instead, apply appropriate
conversion function: csum_unfold() or csum_fold().

[ The original patch has been modified to undo the final ~ that
  csum_fold returns. We only need to fold the 32-bit word that
  results from the checksum calculation into a 16-bit to ensure
  that the original subnet is restored appropriately. Spotted by
  Ulrich Weber. ]

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
11 years agovirtio_console: Don't access uninitialized data.
Sjur Brændeland [Mon, 21 Jan 2013 23:20:26 +0000 (09:50 +1030)]
virtio_console: Don't access uninitialized data.

Don't access uninitialized work-queue when removing device.
The work queue is initialized only if the device multi-queue.
So don't call cancel_work unless this is a multi-queue device.

This fixes the following panic:

Kernel panic - not syncing: BUG!
Call Trace:
62031b28:  [<6026085d>] panic+0x16b/0x2d3
62031b30:  [<6004ef5e>] flush_work+0x0/0x1d7
62031b60:  [<602606f2>] panic+0x0/0x2d3
62031b68:  [<600333b0>] memcpy+0x0/0x140
62031b80:  [<6002d58a>] unblock_signals+0x0/0x84
62031ba0:  [<602609c5>] printk+0x0/0xa0
62031bd8:  [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148
62031c10:  [<6004ef5e>] flush_work+0x0/0x1d7
62031c18:  [<60050234>] try_to_grab_pending+0x0/0x17e
62031c38:  [<6004e984>] get_work_gcwq+0x71/0x8f
62031c48:  [<60050539>] __cancel_work_timer+0x5b/0x115
62031c78:  [<628acc85>] unplug_port+0x0/0x191 [virtio_console]
62031c98:  [<6005061c>] cancel_work_sync+0x12/0x14
62031ca8:  [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console]
62031ce8:  [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio]
62031d08:  [<601cf242>] __device_release_driver+0x75/0xe4
62031d28:  [<601cf2dd>] device_release_driver+0x2c/0x40
62031d48:  [<601ce0dd>] driver_unbind+0x7d/0xc6
62031d88:  [<601cd5d9>] drv_attr_store+0x27/0x29
62031d98:  [<60115f61>] sysfs_write_file+0x100/0x14d
62031df8:  [<600b737d>] vfs_write+0xcb/0x184
62031e08:  [<600b58b8>] filp_close+0x88/0x94
62031e38:  [<600b7686>] sys_write+0x59/0x88
62031e88:  [<6001ced1>] handle_syscall+0x5d/0x80
62031ea8:  [<60030a74>] userspace+0x405/0x531
62031f08:  [<600d32cc>] sys_dup+0x0/0x5e
62031f28:  [<601b11d6>] strcpy+0x0/0x18
62031f38:  [<600be46c>] do_execve+0x10/0x12
62031f48:  [<600184c7>] run_init_process+0x43/0x45
62031fd8:  [<60019a91>] new_thread_handler+0xba/0xbc

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Cc: stable@kernel.org
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
11 years agoMerge tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Linus Torvalds [Wed, 6 Feb 2013 21:43:30 +0000 (08:43 +1100)]
Merge tag 'sound-3.8' of git://git./linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Just a couple of build regression fixes for ASoC fsl stuff.  It
  doesn't look too trivial, but neither intrusive, so hopefully I can
  avoid your curse..."

Hey, Takashi has a good track record, I think he gets a pass..

* tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: fsl: fix snd-soc-imx-pcm module build
  Revert "ASoC: fsl: fix multiple definition of init_module"

11 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-block
Linus Torvalds [Wed, 6 Feb 2013 21:38:33 +0000 (08:38 +1100)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-block

Pull block layer updates from Jens Axboe:
 "I've got a few bits pending for 3.8 final, that I better get sent out.
  It's all been sitting for a while, I consider it safe.

  It contains:

   - Two bug fixes for mtip32xx, fixing a driver hang and a crash.

   - A few-liner protocol error fix for drbd.

   - A few fixes for the xen block front/back driver, fixing a potential
     data corruption issue.

   - A race fix for disk_clear_events(), causing spurious warnings.  Out
     of the Chrome OS base.

   - A deadlock fix for disk_clear_events(), moving it to the a
     unfreezable workqueue.  Also from the Chrome OS base."

* 'for-linus' of git://git.kernel.dk/linux-block:
  drbd: fix potential protocol error and resulting disconnect/reconnect
  mtip32xx: fix for crash when the device surprise removed during rebuild
  mtip32xx: fix for driver hang after a command timeout
  block: prevent race/cleanup
  block: remove deadlock in disk_clear_events
  xen-blkfront: handle bvecs with partial data
  llist/xen-blkfront: implement safe version of llist_for_each_entry
  xen-blkback: implement safe iterator for the list of persistent grants

11 years agonet: qmi_wwan: add more Huawei devices, including E320
Bjørn Mork [Wed, 6 Feb 2013 05:22:08 +0000 (05:22 +0000)]
net: qmi_wwan: add more Huawei devices, including E320

Adding new class/subclass/protocol combinations based on the GPLed
out-of-tree Huawei driver. One of these has already appeared on a
device labelled as "E320".

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet: cdc_ncm: add another Huawei vendor specific device
Bjørn Mork [Wed, 6 Feb 2013 05:21:53 +0000 (05:21 +0000)]
net: cdc_ncm: add another Huawei vendor specific device

Adding a new vendor specific class/subclass/protocol combination
for CDC NCM devices based on information from a GPLed out-of-tree
driver from Huawei.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()
Tommi Rantala [Wed, 6 Feb 2013 03:24:02 +0000 (03:24 +0000)]
ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()

ip6gre_tunnel_xmit() is leaking the skb when we hit this error branch,
and the -1 return value from this function is bogus. Use the error
handling we already have in place in ip6gre_tunnel_xmit() for this error
case to fix this.

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agotcp: fix for zero packets_in_flight was too broad
Ilpo Järvinen [Mon, 4 Feb 2013 02:14:25 +0000 (02:14 +0000)]
tcp: fix for zero packets_in_flight was too broad

There are transients during normal FRTO procedure during which
the packets_in_flight can go to zero between write_queue state
updates and firing the resulting segments out. As FRTO processing
occurs during that window the check must be more precise to
not match "spuriously" :-). More specificly, e.g., when
packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic
branch that set cwnd into zero would not be taken and new segments
might be sent out later.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Tested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'wireless'
David S. Miller [Wed, 6 Feb 2013 19:51:14 +0000 (14:51 -0500)]
Merge branch 'wireless'

John W. Linville says:

====================
Please consider this pull request for the 3.8 stream...

Included is a bluetooth pull.  Gustavo says:

"Two simple fixes for 3.8. One of the patches fixes a situation
where the connection wasn't terminated if a timeout ocurrs for LE
an SCO connections.  The other fixes prevent NULL dereference in the
SMP code, it is a security fix as well."

Along with those...

Hauke Mehrtens provides a couple of ssb and bcma bus fixes that
prevent oopses when unloading those modules.

Larry Finger provides and rtlwifi fix to avoid a "scheduling while
atomic" bug.

Last but certainly not least, Arend van Spriel bring a brcmsmac fix that
reworks the mac80211 .flush() callback in order to avoid the dreaded
brcms_c_wait_for_tx_completion warnings.  This one looks a little
large, but I think it is safe and isolated to brcmsmac in any case.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
John W. Linville [Wed, 6 Feb 2013 18:55:44 +0000 (13:55 -0500)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem

11 years agoBtrfs: move d_instantiate outside the transaction during mksubvol
Chris Mason [Wed, 6 Feb 2013 17:06:02 +0000 (12:06 -0500)]
Btrfs: move d_instantiate outside the transaction during mksubvol

Dave Sterba triggered a lockdep complaint about lock ordering
between the sb_internal lock and the cleaner semaphore.

btrfs_lookup_dentry() checks for orphans if we're looking up
the inode for a subvolume, and subvolume creation is triggering
the lookup with a transaction running.

This commit moves the d_instantiate after the transaction closes.

Signed-off-by: Chris Mason <chris.mason@fusionio.com>
11 years agomac80211: fix error in sizeof() usage
Cong Ding [Wed, 6 Feb 2013 16:23:45 +0000 (17:23 +0100)]
mac80211: fix error in sizeof() usage

Using 'sizeof' on array given as function argument returns
size of a pointer rather than the size of array.

Cc: stable@vger.kernel.org
Signed-off-by: Cong Ding <dinggnu@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agoxen: fix error handling path if xen_allocate_irq_dynamic fails
Wei Liu [Thu, 31 Jan 2013 14:46:56 +0000 (14:46 +0000)]
xen: fix error handling path if xen_allocate_irq_dynamic fails

It is possible that the call to xen_allocate_irq_dynamic() returns negative
number other than -1.

Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
11 years agoxen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()
Jan Beulich [Wed, 6 Feb 2013 15:30:38 +0000 (10:30 -0500)]
xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()

... as being guest triggerable (e.g. by invoking
XEN_PCI_OP_enable_msi{,x} on a device not being MSI/MSI-X capable).

This is CVE-2013-0231 / XSA-43.

Also make the two messages uniform in both their wording and severity.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
11 years agoMerge branch 'fix/fsl' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound...
Takashi Iwai [Wed, 6 Feb 2013 14:16:58 +0000 (15:16 +0100)]
Merge branch 'fix/fsl' of git://git./linux/kernel/git/broonie/sound into for-linus-uncursed

We need this for fixing build error regressions in soc/fsl.

11 years agoBtrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata
Jan Schmidt [Mon, 28 Jan 2013 06:26:00 +0000 (23:26 -0700)]
Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata

When btrfs_qgroup_reserve returned a failure, we were missing a counter
operation for BTRFS_I(inode)->outstanding_extents++, leading to warning
messages about outstanding extents and space_info->bytes_may_use != 0.
Additionally, the error handling code didn't take into account that we
dropped the inode lock which might require more cleanup.

Luckily, all the cleanup code we need is already there and can be shared
with reserve_metadata_bytes, which is exactly what this patch does.

Reported-by: Lev Vainblat <lev@zadarastorage.com>
Signed-off-by: Jan Schmidt <list.btrfs@jan-o-sch.net>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
11 years agoMerge remote-tracking branch 'regulator/fix/tps65910' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:53 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/tps65910' into tmp

11 years agoMerge remote-tracking branch 'regulator/fix/tps65217' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:52 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/tps65217' into tmp

11 years agoMerge remote-tracking branch 'regulator/fix/s2mps11' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:51 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/s2mps11' into tmp

11 years agoMerge remote-tracking branch 'regulator/fix/of' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:51 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/of' into tmp

11 years agoMerge remote-tracking branch 'regulator/fix/max8998' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:50 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/max8998' into tmp

11 years agoMerge remote-tracking branch 'regulator/fix/max8997' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:49 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/max8997' into tmp

11 years agoMerge remote-tracking branch 'regulator/fix/max8907' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:48 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/max8907' into tmp

11 years agoMerge remote-tracking branch 'regulator/fix/max77686' into tmp
Mark Brown [Wed, 6 Feb 2013 11:28:48 +0000 (11:28 +0000)]
Merge remote-tracking branch 'regulator/fix/max77686' into tmp

11 years agoipvs: sctp: fix checksumming on snat and dnat handlers
Daniel Borkmann [Tue, 5 Feb 2013 16:21:31 +0000 (17:21 +0100)]
ipvs: sctp: fix checksumming on snat and dnat handlers

In our test lab, we have a simple SCTP client connecting to a SCTP
server via an IPVS load balancer. On some machines, load balancing
works, but on others the initial handshake just fails, thus no
SCTP connection whatsoever can be established!

We observed that the SCTP INIT-ACK handshake reply from the IPVS
machine to the client had a correct IP checksum, but corrupt SCTP
checksum when forwarded, thus on the client-side the packet was
dropped and an intial handshake retriggered until all attempts
run into the void.

To fix this issue, this patch i) adds a missing CHECKSUM_UNNECESSARY
after the full checksum (re-)calculation (as done in IPVS TCP and UDP
code as well), ii) calculates the checksum in little-endian format
(as fixed with the SCTP code in commit 4458f04c: sctp: Clean up sctp
checksumming code) and iii) refactors duplicate checksum code into a
common function. Tested by myself.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
11 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/josef/btrfs-next.git for-chris...
Chris Mason [Wed, 6 Feb 2013 00:24:44 +0000 (19:24 -0500)]
Merge git://git./linux/kernel/git/josef/btrfs-next.git for-chris into for-linus

11 years agoMerge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab...
Linus Torvalds [Tue, 5 Feb 2013 21:36:12 +0000 (08:36 +1100)]
Merge branch 'v4l_for_linus' of git://git./linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:
 "For a regression fix on a few radio drivers that were preventing radio
  TX to work on those devices"

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] radio: set vfl_dir correctly to fix modulator regression

11 years agoMerge tag 'usb-3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Linus Torvalds [Tue, 5 Feb 2013 21:32:32 +0000 (08:32 +1100)]
Merge tag 'usb-3.8-rc6' of git://git./linux/kernel/git/gregkh/usb

Pull USB fixes from Greg Kroah-Hartman:
 "Here are a few tiny USB fixes for 3.8-rc6.

  Nothing major here, some host controller bug fixes to resolve a number
  of bugs that people have reported, and a bunch of additional device
  ids are added to a number of drivers (which caused code to be deleted
  from the usb-storage driver, always nice)"

* tag 'usb-3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (22 commits)
  USB: storage: optimize to match the Huawei USB storage devices and support new switch command
  USB: storage: Define a new macro for USB storage match rules
  USB: ftdi_sio: add Zolix FTDI PID
  USB: option: add Changhong CH690
  USB: ftdi_sio: add PID/VID entries for ELV WS 300 PC II
  USB: add OWL CM-160 support to cp210x driver
  USB: EHCI: fix bug in scheduling periodic split transfers
  USB: EHCI: fix for leaking isochronous data
  USB: option: add support for Telit LE920
  USB: qcserial: add Telit Gobi QDL device
  USB: EHCI: fix timer bug affecting port resume
  USB: UHCI: notify usbcore about port resumes
  USB: EHCI: notify usbcore about port resumes
  USB: add usb_hcd_{start,end}_port_resume
  USB: EHCI: unlink one async QH at a time
  USB: EHCI: remove ASS/PSS polling timeout
  usb: Using correct way to clear usb3.0 device's remote wakeup feature.
  usb: Prevent dead ports when xhci is not enabled
  USB: XHCI: fix memory leak of URB-private data
  drivers: xhci: fix incorrect bit test
  ...

11 years agoMerge branch 'fixes-for-v3.8-rc7' of git://git.linaro.org/people/mszyprowski/linux...
Linus Torvalds [Tue, 5 Feb 2013 21:23:47 +0000 (08:23 +1100)]
Merge branch 'fixes-for-v3.8-rc7' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping

Pull DMA mapping fixes from Marek Szyprowski:
 "This pull request contains important bugfix patches for 9
  architectures, which finally fixes broken allmodconfig builds
  introduced in v3.8-rc1.  Those architectures don't use dma_map_ops
  based implementation and require manual update or additional dummy
  implementations of the missing new dma-mapping api functions:
  dma_mmap_coherent and dma_get_sgtable."

* 'fixes-for-v3.8-rc7' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping:
  xtensa: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  parisc: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  mn10300: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  m68k: Provide dma_mmap_coherent() and dma_get_sgtable()
  frv: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  cris: Provide dma_mmap_coherent() and dma_get_sgtable()
  c6x: Provide dummy dma_mmap_coherent() and dma_get_sgtable()
  blackfin: Provide dma_mmap_coherent() and dma_get_sgtable()
  avr32: Provide dma_mmap_coherent() and dma_get_sgtable()

11 years agoBtrfs: fix possible stale data exposure
Josef Bacik [Wed, 30 Jan 2013 19:31:31 +0000 (14:31 -0500)]
Btrfs: fix possible stale data exposure

We specifically do not update the disk i_size if there are ordered extents
outstanding for any area between the current disk_i_size and our ordered
extent so that we do not expose stale data.  The problem is the check we
have only checks if the ordered extent starts at or after the current
disk_i_size, which doesn't take into account an ordered extent that starts
before the current disk_i_size and ends past the disk_i_size.  Fix this by
checking if the extent ends past the disk_i_size.  Thanks,

Signed-off-by: Josef Bacik <jbacik@fusionio.com>
11 years agoBtrfs: fix missing i_size update
Josef Bacik [Wed, 30 Jan 2013 19:17:31 +0000 (14:17 -0500)]
Btrfs: fix missing i_size update

If we have an ordered extent before the ordered extent we are currently
completing that is after the current disk_i_size we will put our i_size
update into that ordered extent so that we do not expose stale data.  The
problem is that if our disk i_size is updated past the previous ordered
extent we won't update the i_size with the pending i_size update.  So check
the pending i_size update and if its above the current disk i_size we need
to go ahead and try to update.  Thanks,

Signed-off-by: Josef Bacik <jbacik@fusionio.com>
11 years agoBtrfs: fix race between snapshot deletion and getting inode
Liu Bo [Tue, 29 Jan 2013 03:22:10 +0000 (03:22 +0000)]
Btrfs: fix race between snapshot deletion and getting inode

While running snapshot testscript created by Mitch and David,
the race between autodefrag and snapshot deletion can lead to
corruption of dead_root list so that we can get crash on
btrfs_clean_old_snapshots().

And besides autodefrag, scrub also does the same thing, ie. read
root first and get inode.

Here is the story(take autodefrag as an example):
(1) when we delete a snapshot or subvolume, it will set its root's
refs to zero and do a iput() on its own inode, and if this inode happens
to be the only active in-meory one in root's inode rbtree, it will add
itself to the global dead_roots list for later cleanup.

(2) after (1), the autodefrag thread may read another inode for defrag
and the inode is just in the deleted snapshot/subvolume, but all of these
are without checking if the root is still valid(refs > 0).  So the end up
result is adding the deleted snapshot/subvolume's root to the global
dead_roots list AGAIN.

Fortunately, we already have a srcu lock to avoid the race, ie. subvol_srcu.

So all we need to do is to take the lock to protect 'read root and get inode',
since we synchronize to wait for the rcu grace period before adding something
to the global dead_roots list.

Reported-by: Mitch Harder <mitch.harder@sabayonlinux.org>
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
11 years agoBtrfs: fix missing release of the space/qgroup reservation in start_transaction()
Miao Xie [Mon, 28 Jan 2013 12:36:22 +0000 (12:36 +0000)]
Btrfs: fix missing release of the space/qgroup reservation in start_transaction()

When we fail to start a transaction, we need to release the reserved free space
and qgroup space, fix it.

Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Reviewed-by: Jan Schmidt <list.btrfs@jan-o-sch.net>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
11 years agoBtrfs: fix wrong sync_writers decrement in btrfs_file_aio_write()
Miao Xie [Mon, 28 Jan 2013 12:34:55 +0000 (12:34 +0000)]
Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write()

If the checks at the beginning of btrfs_file_aio_write() fail, we needn't
decrease ->sync_writers, because we have not increased it. Fix it.

Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
11 years agoBtrfs: do not merge logged extents if we've removed them from the tree
Josef Bacik [Mon, 28 Jan 2013 14:45:20 +0000 (09:45 -0500)]
Btrfs: do not merge logged extents if we've removed them from the tree

You can run into this problem where if somebody is fsyncing and writing out
the existing extents you will have removed the extent map from the em tree,
but it's still valid for the current fsync so we go ahead and write it.  The
problem is we unconditionally try to merge it back into the em tree, but if
we've removed it from the em tree that will cause use after free problems.
Fix this to only merge if we are still a part of the tree.  Thanks,

Signed-off-by: Josef Bacik <jbacik@fusionio.com>
11 years agoMerge branches 'ipoib', 'mlx4' and 'qib' into for-next
Roland Dreier [Tue, 5 Feb 2013 17:45:25 +0000 (09:45 -0800)]
Merge branches 'ipoib', 'mlx4' and 'qib' into for-next

11 years agoIB/qib: Fix for broken sparse warning fix
Mike Marciniszyn [Thu, 24 Jan 2013 18:59:34 +0000 (18:59 +0000)]
IB/qib: Fix for broken sparse warning fix

Commit 1fb9fed6d489 ("IB/qib: Fix QP RCU sparse warning") broke QP
hash list deletion in qp_remove() badly.

This patch restores the former for loop behavior, while still fixing
the sparse warnings.

Cc: <stable@vger.kernel.org>
Reviewed-by: Gary Leshner <gary.s.leshner@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
11 years agomlx4_core: Fix advertisement of wrong PF context behaviour
Or Gerlitz [Thu, 10 Jan 2013 15:18:35 +0000 (15:18 +0000)]
mlx4_core: Fix advertisement of wrong PF context behaviour

Commit 08ff32352d6f ("mlx4: 64-byte CQE/EQE support") introduced a
regression where older guest VF drivers failed to load even when
64-byte EQEs/CQEs are disabled, since the PF wrongly advertises the
new context behaviour anyway.  The failure looks like:

    mlx4_core 0000:00:07.0: Unknown pf context behaviour
    mlx4_core 0000:00:07.0: Failed to obtain slave caps
    mlx4_core: probe of 0000:00:07.0 failed with error -38

Fix this by basing this advertisement on dev->caps.flags, which is the
operational capabilities used by the QUERY_FUNC_CAP command wrapper
(dev_cap->flags holds the firmware capabilities).

Reported-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
11 years agoIPoIB: Fix crash due to skb double destruct
Shlomo Pongratz [Mon, 4 Feb 2013 15:29:10 +0000 (15:29 +0000)]
IPoIB: Fix crash due to skb double destruct

After commit b13912bbb4a2 ("IPoIB: Call skb_dst_drop() once skb is
enqueued for sending"), using connected mode and running multithreaded
iperf for long time, ie

    iperf -c <IP> -P 16 -t 3600

results in a crash.

After the above-mentioned patch, the driver is calling skb_orphan() and
skb_dst_drop() after calling post_send() in ipoib_cm.c::ipoib_cm_send()
(also in ipoib_ib.c::ipoib_send())

The problem with this is, as is written in a comment in both routines,
"it's entirely possible that the completion handler will run before we
execute anything after the post_send()."  This leads to running the
skb cleanup routines simultaneously in two different contexts.

The solution is to always perform the skb_orphan() and skb_dst_drop()
before queueing the send work request.  If an error occurs, then it
will be no different than the regular case where dev_free_skb_any() in
the completion path, which is assumed to be after these two routines.

Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
11 years agopinctrl: sirf: replace of_gpio_simple_xlate by sirf specific of_xlate
Barry Song [Mon, 4 Feb 2013 09:53:34 +0000 (17:53 +0800)]
pinctrl: sirf: replace of_gpio_simple_xlate by sirf specific of_xlate

the default of_gpio_simple_xlate() will make us fail while getting gpios
bigger than 32 by of_get_named_gpio() or related APIs.
this patch adds a specific of_xlate callback for sirf gpio_chip and fix
the problem.

Signed-off-by: Barry Song <Baohua.Song@csr.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
11 years agopinctrl: exynos: change PINCTRL_EXYNOS option
Kukjin Kim [Fri, 18 Jan 2013 19:35:06 +0000 (20:35 +0100)]
pinctrl: exynos: change PINCTRL_EXYNOS option

Since pinctrl-exynos can support exynos4 and exynos5 so changed
the option name to PINCTRL_EXYNOS for more clarity.

Cc: Thomas Abraham <Thomas.abraham@linaro.org>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
11 years agoMerge branch 'fix-max-write' of git://git.kernel.org/pub/scm/linux/kernel/git/teiglan...
Linus Torvalds [Tue, 5 Feb 2013 09:50:11 +0000 (20:50 +1100)]
Merge branch 'fix-max-write' of git://git./linux/kernel/git/teigland/linux-dlm

Pull dlm fix from David Teigland:
 "Thanks to Jana who reported the problem and was able to test this fix
  so quickly."

This fixes an incorrect size check that triggered for CONFIG_COMPAT
whether the code was actually doing compat or not.  The incorrect write
size check broke userland (clvmd) when maximum resource name lengths are
used.

* 'fix-max-write' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm:
  dlm: check the write size from user

11 years agoMerge branch 'akpm' (Andrew's patch-bomb)
Linus Torvalds [Tue, 5 Feb 2013 09:38:59 +0000 (20:38 +1100)]
Merge branch 'akpm' (Andrew's patch-bomb)

Merge mix fixes from Andrew Morton.

* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (12 commits)
  drivers/rtc/rtc-pl031.c: fix the missing operation on enable
  drivers/rtc/rtc-isl1208.c: call rtc_update_irq() from the alarm irq handler
  samples/seccomp: be less stupid about cross compiling
  checkpatch: fix $Float creation of match variables
  memcg: fix typo in kmemcg cache walk macro
  mm: fix wrong comments about anon_vma lock
  MAINTAINERS: update avr32 web ressources
  mm/hugetlb: set PTE as huge in hugetlb_change_protection and remove_migration_pte
  drivers/rtc/rtc-vt8500.c: fix year field in vt8500_rtc_set_time()
  tools/vm: add .gitignore to ignore built binaries
  thp: avoid dumping huge zero page
  nilfs2: fix fix very long mount time issue

11 years agodrivers/rtc/rtc-pl031.c: fix the missing operation on enable
Haojian Zhuang [Mon, 4 Feb 2013 22:28:54 +0000 (14:28 -0800)]
drivers/rtc/rtc-pl031.c: fix the missing operation on enable

The RTC control register should be enabled in the process of
initializing.

Without this patch, I failed to enable RTC in Hisilicon Hi3620 SoC.  The
register mapping section in RTC is always read as zero.  So I doubt that
ST guys may already enable this register in bootloader.  So they won't
meet this issue.

Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Cc: Srinidhi Kasagar <srinidhi.kasagar@stericsson.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agodrivers/rtc/rtc-isl1208.c: call rtc_update_irq() from the alarm irq handler
Jan Luebbe [Mon, 4 Feb 2013 22:28:53 +0000 (14:28 -0800)]
drivers/rtc/rtc-isl1208.c: call rtc_update_irq() from the alarm irq handler

Previously the alarm event was not propagated into the RTC subsystem.
By adding a call to rtc_update_irq, this fixes a timeout problem with
the hwclock utility.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>