Avinash Patil [Sat, 12 Oct 2013 01:31:31 +0000 (18:31 -0700)]
mwifiex: inform cfg80211 about disconnect if device is removed
If device is surprise removed, commands sent to FW including
deauthenticate command fail as bus writes fail.
We update our media_connected status to false and inform cfg80211
about disconnection only when command is successful. Since cfg80211
assumes device is still connected, it results into following
WARN_ON during unload:
WARNING: CPU: 0 PID: 18245 at net/wireless/core.c:937
cfg80211_netdev_notifier_call+0x175/0x4d0 [cfg80211]()
Avoid this by emitting cfg80211_disconnected event even if the
deauthenticate command fails.
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Mon, 14 Oct 2013 17:22:59 +0000 (13:22 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/jberg/mac80211
Johannes Berg [Fri, 11 Oct 2013 13:47:06 +0000 (15:47 +0200)]
mac80211: fix crash if bitrate calculation goes wrong
If a frame's timestamp is calculated, and the bitrate
calculation goes wrong and returns zero, the system
will attempt to divide by zero and crash. Catch this
case and print the rate information that the driver
reported when this happens.
Cc: stable@vger.kernel.org
Reported-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Fri, 11 Oct 2013 12:47:05 +0000 (14:47 +0200)]
wireless: radiotap: fix parsing buffer overrun
When parsing an invalid radiotap header, the parser can overrun
the buffer that is passed in because it doesn't correctly check
1) the minimum radiotap header size
2) the space for extended bitmaps
The first issue doesn't affect any in-kernel user as they all
check the minimum size before calling the radiotap function.
The second issue could potentially affect the kernel if an skb
is passed in that consists only of the radiotap header with a
lot of extended bitmaps that extend past the SKB. In that case
a read-only buffer overrun by at most 4 bytes is possible.
Fix this by adding the appropriate checks to the parser.
Cc: stable@vger.kernel.org
Reported-by: Evan Huus <eapache@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Solomon Peachy [Wed, 9 Oct 2013 16:15:11 +0000 (12:15 -0400)]
wireless: cw1200: acquire hwbus lock around cw1200_irq_handler() call.
This fixes "lost interrupt" problems that occurred on SPI-based systems.
cw1200_irq_handler() expects the hwbus to be locked, but on the
SPI-path, that lock wasn't taken (unlike in the SDIO-path, where the
generic SDIO-code takes care of acquiring the lock).
Cc: stable@vger.kernel.org
Signed-off-by: David Mosberger <davidm@egauge.net>
Signed-off-by: Solomon Peachy <pizza@shaftnet.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Mark Cave-Ayland [Tue, 8 Oct 2013 15:18:20 +0000 (10:18 -0500)]
rtlwifi: rtl8192cu: Fix error in pointer arithmetic
An error in calculating the offset in an skb causes the driver to read
essential device info from the wrong locations. The main effect is that
automatic gain calculations are nonsense.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org> [2.6.39+]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Thu, 10 Oct 2013 17:19:58 +0000 (13:19 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/jberg/mac80211
Emmanuel Grumbach [Tue, 17 Sep 2013 12:20:13 +0000 (15:20 +0300)]
cfg80211: don't add p2p device while in RFKILL
Since P2P device doesn't have a netdev associated to it,
we cannot prevent the user to start it when in RFKILL.
So refuse to even add it when in RFKILL.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Emmanuel Grumbach [Mon, 16 Sep 2013 08:12:07 +0000 (11:12 +0300)]
mac80211: correctly close cancelled scans
__ieee80211_scan_completed is called from a worker. This
means that the following flow is possible.
* driver calls ieee80211_scan_completed
* mac80211 cancels the scan (that is already complete)
* __ieee80211_scan_completed runs
When scan_work will finally run, it will see that the scan
hasn't been aborted and might even trigger another scan on
another band. This leads to a situation where cfg80211's
scan is not done and no further scan can be issued.
Fix this by setting a new flag when a HW scan is being
cancelled so that no other scan will be triggered.
Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Mon, 30 Sep 2013 09:02:46 +0000 (11:02 +0200)]
iwlwifi: pcie: fix merge damage
The merge
b35c8097 seems to have lost commit
eabc4ac5d,
put the code back.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Sat, 5 Oct 2013 12:09:30 +0000 (14:09 +0200)]
ath9k: fix tx queue scheduling after channel changes
Otherwise, if queues are full during a scan, tx scheduling does not
resume after switching back to the home channel.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Mon, 7 Oct 2013 17:25:18 +0000 (13:25 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/iwlwifi/iwlwifi-fixes
Emmanuel Grumbach [Sun, 15 Sep 2013 11:39:02 +0000 (14:39 +0300)]
iwlwifi: mvm: call ieee80211_scan_completed when needed
When RFKill cuts short a scan, mac80211 cancels the scan.
This is done by sending a host command to the firmware, but
this command was dropped because of RFKill. Flag this
command as "SEND_IN_RFKILL" to make sure it is sent to the
firmware. The firmware will send SCAN_COMPLETE_NOTIFICATION
which will trigger a call to ieee80211_scan_completed.
If the scan cannot be aborted, it is because the firmware
already finished the scan but we hadn't notified mac80211
at the time mac80211 decided to cancel the scan. By the time
we see the scan could not be aborted, mac80211 has been
notified already.
This patch fixes situations in which we didn't notify
mac80211 upon completion of the scan that was cut short
by RFkill.
Cc: stable@vger.kernel.org [3.10+]
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Emmanuel Grumbach [Tue, 24 Sep 2013 16:34:26 +0000 (19:34 +0300)]
iwlwifi: pcie: add SKUs for 6000, 6005 and 6235 series
Add some new PCI IDs to the table for 6000, 6005 and 6235 series.
Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Emmanuel Grumbach [Sun, 15 Sep 2013 08:37:17 +0000 (11:37 +0300)]
iwlwifi: don't WARN on host commands sent when firmware is dead
This triggers automatic bug reports and add no valuable
information. Print a simple error instead and drop the
host command.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Matti Gottlieb [Sun, 22 Sep 2013 05:23:23 +0000 (08:23 +0300)]
iwlwifi: pcie: add new SKUs for 7000 & 3160 NIC series
Add some new PCI IDs to the table for 7000 & 3160 series
Cc: stable@vger.kernel.org
Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Emmanuel Grumbach [Wed, 24 Jul 2013 11:15:21 +0000 (14:15 +0300)]
iwlwifi: pcie: don't reset the TX queue counter
A few NICs can get into trouble if we reset the TX queue
counters in certain very rare situation. To be on the safe
side, simply avoid to reset the TX queue counter.
This is relevant for non-AMPDU queues only since on AMPDU
we have no choice - we must start the TX queue at the right
index.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Alexander Bondar [Fri, 30 Aug 2013 08:12:05 +0000 (11:12 +0300)]
iwlwifi: mvm: Disable uAPSD for D3 image
The D3 firmware image doesn't support uAPSD, so disable it.
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
Reviewed-by: Guy Cohen <guy.cohen@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Felix Fietkau [Sun, 29 Sep 2013 11:06:31 +0000 (13:06 +0200)]
ath9k: fix powersave response handling for BA session packets
When a packet is passed from mac80211 to the driver with the
IEEE80211_TX_CTL_PS_RESPONSE flag set, it bypasses the normal driver
internal queueing and goes directly to the UAPSD queue.
When that happens, packets that are part of a BlockAck session still
need to be tracked as such inside the driver, otherwise it will create
discrepancies in the receiver BA reorder window, causing traffic stalls.
This only happens in AP mode with powersave-enabled clients.
This patch fixes the regression introduced in the commit
"ath9k: use software queues for un-aggregated data packets"
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Fri, 27 Sep 2013 17:55:38 +0000 (10:55 -0700)]
mwifiex: fix SDIO interrupt lost issue
601216e "mwifiex: process RX packets in SDIO IRQ thread directly"
introduced a command timeout issue which can be reproduced easily on
an AM33xx platform using a test application written by Daniel Mack:
https://gist.github.com/zonque/
6579314
mwifiex_main_process() is called from both the SDIO handler and
the workqueue. In case an interrupt occurs right after the
int_status check, but before updating the mwifiex_processing flag,
this interrupt gets lost, resulting in a command timeout and
consequently a card reset.
Let main_proc_lock protect both int_status and mwifiex_processing
flag. This fixes the interrupt lost issue.
Cc: <stable@vger.kernel.org> # 3.7+
Reported-by: Sven Neumann <s.neumann@raumfeld.com>
Reported-by: Andreas Fenkart <andreas.fenkart@streamunlimited.com>
Tested-by: Daniel Mack <zonque@gmail.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Stanislaw Gruszka [Mon, 23 Sep 2013 02:08:13 +0000 (04:08 +0200)]
Revert "rt2x00pci: Use PCI MSIs whenever possible"
This reverts commit
9483f40d8d01918b399b4e24d0c1111db0afffeb.
Some devices stop to connect with above commit, see:
https://bugzilla.kernel.org/show_bug.cgi?id=61621
Since there is no clear benefit of having MSI enabled, just revert
change to fix the problem.
Cc: stable@vger.kernel.org # 3.11+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Jakub Kicinski <kubakici@wp.pl>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Mon, 30 Sep 2013 20:14:27 +0000 (16:14 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/jberg/mac80211
Jouni Malinen [Mon, 30 Sep 2013 09:36:05 +0000 (12:36 +0300)]
mac80211: Run deferred scan if last roc_list item is not started
mac80211 scan processing could get stuck if roc work for pending, but
not started when a scan request was deferred due to such roc item.
Normally the deferred scan would be started from
ieee80211_start_next_roc(), but ieee80211_sw_roc_work() calls that only
if the finished ROC was started. Fix this by calling
ieee80211_run_deferred_scan() in the case the last ROC was not actually
started.
This issue was hit relatively easily in P2P find operations where Listen
state (remain-on-channel) and Search state (scan) are repeated in a
loop.
Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Felix Fietkau [Sun, 29 Sep 2013 19:39:34 +0000 (21:39 +0200)]
mac80211: update sta->last_rx on acked tx frames
When clients are idle for too long, hostapd sends nullfunc frames for
probing. When those are acked by the client, the idle time needs to be
updated.
To make this work (and to avoid unnecessary probing), update sta->last_rx
whenever an ACK was received for a tx packet. Only do this if the flag
IEEE80211_HW_REPORTS_TX_ACK_STATUS is set.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Felix Fietkau [Sun, 29 Sep 2013 19:39:33 +0000 (21:39 +0200)]
mac80211: use sta_info_get_bss() for nl80211 tx and client probing
This allows calls for clients in AP_VLANs (e.g. for 4-addr) to succeed
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 26 Sep 2013 18:03:45 +0000 (20:03 +0200)]
cfg80211: fix sysfs registration race
My locking rework/race fixes caused a regression in the
registration, causing uevent notifications for wireless
devices before the device is really fully registered and
available in nl80211.
Fix this by moving the device_add() under rtnl and move
the rfkill to afterwards (it can't be under rtnl.)
Reported-and-tested-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Arend van Spriel [Wed, 25 Sep 2013 10:11:03 +0000 (12:11 +0200)]
brcmsmac: call bcma_core_pci_power_save() from non-atomic context
This patch adds explicit call to bcma_core_pci_power_save() from
a non-atomic context resolving 'scheduling while atomic' issue.
[ 13.224317] BUG: scheduling while atomic: dhcpcd/1800/0x00000202
[ 13.224322] Modules linked in: brcmsmac nouveau coretemp kvm_intel kvm cordic brcmutil bcma dell_wmi atl1c ttm mxm_wmi wmi
[ 13.224354] CPU: 0 PID: 1800 Comm: dhcpcd Tainted: G W 3.11.0-wl #1
[ 13.224359] Hardware name: Alienware M11x R2/M11x R2, BIOS A04 11/23/2010
[ 13.224363]
ffff880177c12c40 ffff880170fd1968 ffffffff8169af5b 0000000000000007
[ 13.224374]
ffff880170fd1ad0 ffff880170fd1978 ffffffff81697ee2 ffff880170fd19f8
[ 13.224383]
ffffffff816a19f5 00000000000f4240 000000000000d080 ffff880170fd1fd8
[ 13.224391] Call Trace:
[ 13.224399] [<
ffffffff8169af5b>] dump_stack+0x4f/0x84
[ 13.224403] [<
ffffffff81697ee2>] __schedule_bug+0x43/0x51
[ 13.224409] [<
ffffffff816a19f5>] __schedule+0x6e5/0x810
[ 13.224412] [<
ffffffff816a1c34>] schedule+0x24/0x70
[ 13.224416] [<
ffffffff816a04fc>] schedule_hrtimeout_range_clock+0x10c/0x150
[ 13.224420] [<
ffffffff810684e0>] ? update_rmtp+0x60/0x60
[ 13.224424] [<
ffffffff8106915f>] ? hrtimer_start_range_ns+0xf/0x20
[ 13.224429] [<
ffffffff816a054e>] schedule_hrtimeout_range+0xe/0x10
[ 13.224432] [<
ffffffff8104f6fb>] usleep_range+0x3b/0x40
[ 13.224437] [<
ffffffffa003733a>] bcma_pcie_mdio_read.isra.5+0x8a/0x100 [bcma]
[ 13.224442] [<
ffffffffa00374a5>] bcma_pcie_mdio_writeread.isra.6.constprop.13+0x25/0x30 [bcma]
[ 13.224448] [<
ffffffffa00374f9>] bcma_core_pci_power_save+0x49/0x80 [bcma]
[ 13.224452] [<
ffffffffa003765d>] bcma_core_pci_up+0x2d/0x60 [bcma]
[ 13.224460] [<
ffffffffa03dc17c>] brcms_c_up+0xfc/0x430 [brcmsmac]
[ 13.224467] [<
ffffffffa03d1a7d>] brcms_up+0x1d/0x20 [brcmsmac]
[ 13.224473] [<
ffffffffa03d2498>] brcms_ops_start+0x298/0x340 [brcmsmac]
[ 13.224478] [<
ffffffff81600a12>] ? cfg80211_netdev_notifier_call+0xd2/0x5f0
[ 13.224483] [<
ffffffff815fa53d>] ? packet_notifier+0xad/0x1d0
[ 13.224487] [<
ffffffff81656e75>] ieee80211_do_open+0x325/0xf80
[ 13.224491] [<
ffffffff8106ac09>] ? __raw_notifier_call_chain+0x9/0x10
[ 13.224495] [<
ffffffff81657b41>] ieee80211_open+0x71/0x80
[ 13.224498] [<
ffffffff81526267>] __dev_open+0x87/0xe0
[ 13.224502] [<
ffffffff8152650c>] __dev_change_flags+0x9c/0x180
[ 13.224505] [<
ffffffff815266a3>] dev_change_flags+0x23/0x70
[ 13.224509] [<
ffffffff8158cd68>] devinet_ioctl+0x5b8/0x6a0
[ 13.224512] [<
ffffffff8158d5c5>] inet_ioctl+0x75/0x90
[ 13.224516] [<
ffffffff8150b38b>] sock_do_ioctl+0x2b/0x70
[ 13.224519] [<
ffffffff8150b681>] sock_ioctl+0x71/0x2a0
[ 13.224523] [<
ffffffff8114ed47>] do_vfs_ioctl+0x87/0x520
[ 13.224528] [<
ffffffff8113f159>] ? ____fput+0x9/0x10
[ 13.224533] [<
ffffffff8106228c>] ? task_work_run+0x9c/0xd0
[ 13.224537] [<
ffffffff8114f271>] SyS_ioctl+0x91/0xb0
[ 13.224541] [<
ffffffff816aa252>] system_call_fastpath+0x16/0x1b
Cc: <stable@vger.kernel.org> # 3.11.x
Cc: Tod Jackson <tod.jackson@gmail.com>
Cc: Joe Perches <joe@perches.com>
Cc: Rafal Milecki <zajec5@gmail.com>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arend van Spriel [Wed, 25 Sep 2013 10:11:02 +0000 (12:11 +0200)]
bcma: make bcma_core_pci_{up,down}() callable from atomic context
This patch removes the bcma_core_pci_power_save() call from
the bcma_core_pci_{up,down}() functions as it tries to schedule
thus requiring to call them from non-atomic context. The function
bcma_core_pci_power_save() is now exported so the calling module
can explicitly use it in non-atomic context. This fixes the
'scheduling while atomic' issue reported by Tod Jackson and
Joe Perches.
[ 13.210710] BUG: scheduling while atomic: dhcpcd/1800/0x00000202
[ 13.210718] Modules linked in: brcmsmac nouveau coretemp kvm_intel kvm cordic brcmutil bcma dell_wmi atl1c ttm mxm_wmi wmi
[ 13.210756] CPU: 2 PID: 1800 Comm: dhcpcd Not tainted 3.11.0-wl #1
[ 13.210762] Hardware name: Alienware M11x R2/M11x R2, BIOS A04 11/23/2010
[ 13.210767]
ffff880177c92c40 ffff880170fd1948 ffffffff8169af5b 0000000000000007
[ 13.210777]
ffff880170fd1ab0 ffff880170fd1958 ffffffff81697ee2 ffff880170fd19d8
[ 13.210785]
ffffffff816a19f5 00000000000f4240 000000000000d080 ffff880170fd1fd8
[ 13.210794] Call Trace:
[ 13.210813] [<
ffffffff8169af5b>] dump_stack+0x4f/0x84
[ 13.210826] [<
ffffffff81697ee2>] __schedule_bug+0x43/0x51
[ 13.210837] [<
ffffffff816a19f5>] __schedule+0x6e5/0x810
[ 13.210845] [<
ffffffff816a1c34>] schedule+0x24/0x70
[ 13.210855] [<
ffffffff816a04fc>] schedule_hrtimeout_range_clock+0x10c/0x150
[ 13.210867] [<
ffffffff810684e0>] ? update_rmtp+0x60/0x60
[ 13.210877] [<
ffffffff8106915f>] ? hrtimer_start_range_ns+0xf/0x20
[ 13.210887] [<
ffffffff816a054e>] schedule_hrtimeout_range+0xe/0x10
[ 13.210897] [<
ffffffff8104f6fb>] usleep_range+0x3b/0x40
[ 13.210910] [<
ffffffffa00371af>] bcma_pcie_mdio_set_phy.isra.3+0x4f/0x80 [bcma]
[ 13.210921] [<
ffffffffa003729f>] bcma_pcie_mdio_write.isra.4+0xbf/0xd0 [bcma]
[ 13.210932] [<
ffffffffa0037498>] bcma_pcie_mdio_writeread.isra.6.constprop.13+0x18/0x30 [bcma]
[ 13.210942] [<
ffffffffa00374ee>] bcma_core_pci_power_save+0x3e/0x80 [bcma]
[ 13.210953] [<
ffffffffa003765d>] bcma_core_pci_up+0x2d/0x60 [bcma]
[ 13.210975] [<
ffffffffa03dc17c>] brcms_c_up+0xfc/0x430 [brcmsmac]
[ 13.210989] [<
ffffffffa03d1a7d>] brcms_up+0x1d/0x20 [brcmsmac]
[ 13.211003] [<
ffffffffa03d2498>] brcms_ops_start+0x298/0x340 [brcmsmac]
[ 13.211020] [<
ffffffff81600a12>] ? cfg80211_netdev_notifier_call+0xd2/0x5f0
[ 13.211030] [<
ffffffff815fa53d>] ? packet_notifier+0xad/0x1d0
[ 13.211064] [<
ffffffff81656e75>] ieee80211_do_open+0x325/0xf80
[ 13.211076] [<
ffffffff8106ac09>] ? __raw_notifier_call_chain+0x9/0x10
[ 13.211086] [<
ffffffff81657b41>] ieee80211_open+0x71/0x80
[ 13.211101] [<
ffffffff81526267>] __dev_open+0x87/0xe0
[ 13.211109] [<
ffffffff8152650c>] __dev_change_flags+0x9c/0x180
[ 13.211117] [<
ffffffff815266a3>] dev_change_flags+0x23/0x70
[ 13.211127] [<
ffffffff8158cd68>] devinet_ioctl+0x5b8/0x6a0
[ 13.211136] [<
ffffffff8158d5c5>] inet_ioctl+0x75/0x90
[ 13.211147] [<
ffffffff8150b38b>] sock_do_ioctl+0x2b/0x70
[ 13.211155] [<
ffffffff8150b681>] sock_ioctl+0x71/0x2a0
[ 13.211169] [<
ffffffff8114ed47>] do_vfs_ioctl+0x87/0x520
[ 13.211180] [<
ffffffff8113f159>] ? ____fput+0x9/0x10
[ 13.211198] [<
ffffffff8106228c>] ? task_work_run+0x9c/0xd0
[ 13.211202] [<
ffffffff8114f271>] SyS_ioctl+0x91/0xb0
[ 13.211208] [<
ffffffff816aa252>] system_call_fastpath+0x16/0x1b
[ 13.211217] NOHZ: local_softirq_pending 202
The issue was introduced in v3.11 kernel by following commit:
commit
aa51e598d04c6acf5477934cd6383f5a17ce9029
Author: Hauke Mehrtens <hauke@hauke-m.de>
Date: Sat Aug 24 00:32:31 2013 +0200
brcmsmac: use bcma PCIe up and down functions
replace the calls to bcma_core_pci_extend_L1timer() by calls to the
newly introduced bcma_core_pci_ip() and bcma_core_pci_down()
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This fix has been discussed with Hauke Mehrtens [1] selection
option 3) and is intended for v3.12.
Ref:
[1] http://mid.gmane.org/
5239B12D.
3040206@hauke-m.de
Cc: <stable@vger.kernel.org> # 3.11.x
Cc: Tod Jackson <tod.jackson@gmail.com>
Cc: Joe Perches <joe@perches.com>
Cc: Rafal Milecki <zajec5@gmail.com>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arend van Spriel [Wed, 25 Sep 2013 10:11:01 +0000 (12:11 +0200)]
brcmfmac: obtain platform data upon module initialization
The driver uses platform_driver_probe() to obtain platform data
if any. However, that function is placed in the .init section so
it must be called upon driver module initialization.
The problem was reported by Fenguang Wu resulting in a kernel
oops because the .init section was already freed.
[ 48.966342] Switched to clocksource tsc
[ 48.970002] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 48.970851] BUG: unable to handle kernel paging request at
ffffffff82196446
[ 48.970957] IP: [<
ffffffff82196446>] classes_init+0x26/0x26
[ 48.970957] PGD
1e76067 PUD
1e77063 PMD
f388063 PTE
8000000002196163
[ 48.970957] Oops: 0011 [#1]
[ 48.970957] CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted
3.11.0-rc7-00444-gc52dd7f #23
[ 48.970957] Workqueue: events brcmf_driver_init
[ 48.970957] task:
ffff8800001d2000 ti:
ffff8800001d4000 task.ti:
ffff8800001d4000
[ 48.970957] RIP: 0010:[<
ffffffff82196446>] [<
ffffffff82196446>] classes_init+0x26/0x26
[ 48.970957] RSP: 0000:
ffff8800001d5d40 EFLAGS:
00000286
[ 48.970957] RAX:
0000000000000001 RBX:
ffffffff820c5620 RCX:
0000000000000000
[ 48.970957] RDX:
0000000000000001 RSI:
ffffffff816f7380 RDI:
ffffffff820c56c0
[ 48.970957] RBP:
ffff8800001d5d50 R08:
ffff8800001d2508 R09:
0000000000000002
[ 48.970957] R10:
0000000000000000 R11:
0001f7ce298c5620 R12:
ffff8800001c76b0
[ 48.970957] R13:
ffffffff81e91d40 R14:
0000000000000000 R15:
ffff88000e0ce300
[ 48.970957] FS:
0000000000000000(0000) GS:
ffffffff81e84000(0000) knlGS:
0000000000000000
[ 48.970957] CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
[ 48.970957] CR2:
ffffffff82196446 CR3:
0000000001e75000 CR4:
00000000000006b0
[ 48.970957] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 48.970957] DR3:
0000000000000000 DR6:
0000000000000000 DR7:
0000000000000000
[ 48.970957] Stack:
[ 48.970957]
ffffffff816f7df8 ffffffff820c5620 ffff8800001d5d60 ffffffff816eeec9
[ 48.970957]
ffff8800001d5de0 ffffffff81073dc5 ffffffff81073d68 ffff8800001d5db8
[ 48.970957]
0000000000000086 ffffffff820c5620 ffffffff824f7fd0 0000000000000000
[ 48.970957] Call Trace:
[ 48.970957] [<
ffffffff816f7df8>] ? brcmf_sdio_init+0x18/0x70
[ 48.970957] [<
ffffffff816eeec9>] brcmf_driver_init+0x9/0x10
[ 48.970957] [<
ffffffff81073dc5>] process_one_work+0x1d5/0x480
[ 48.970957] [<
ffffffff81073d68>] ? process_one_work+0x178/0x480
[ 48.970957] [<
ffffffff81074188>] worker_thread+0x118/0x3a0
[ 48.970957] [<
ffffffff81074070>] ? process_one_work+0x480/0x480
[ 48.970957] [<
ffffffff8107aa17>] kthread+0xe7/0xf0
[ 48.970957] [<
ffffffff810829f7>] ? finish_task_switch.constprop.57+0x37/0xd0
[ 48.970957] [<
ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
[ 48.970957] [<
ffffffff81a6923a>] ret_from_fork+0x7a/0xb0
[ 48.970957] [<
ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
[ 48.970957] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc cc cc <cc> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
[ 48.970957] RIP [<
ffffffff82196446>] classes_init+0x26/0x26
[ 48.970957] RSP <
ffff8800001d5d40>
[ 48.970957] CR2:
ffffffff82196446
[ 48.970957] ---[ end trace
62980817cd525f14 ]---
Cc: <stable@vger.kernel.org> # 3.10.x, 3.11.x
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bing Zhao [Wed, 25 Sep 2013 02:31:25 +0000 (19:31 -0700)]
mwifiex: fix NULL pointer dereference in usb suspend handler
Bug 60815 - Interface hangs in mwifiex_usb
https://bugzilla.kernel.org/show_bug.cgi?id=60815
[ 2.883807] BUG: unable to handle kernel NULL pointer dereference
at
0000000000000048
[ 2.883813] IP: [<
ffffffff815a65e0>] pfifo_fast_enqueue+0x90/0x90
[ 2.883834] CPU: 1 PID: 3220 Comm: kworker/u8:90 Not tainted
3.11.1-monotone-l0 #6
[ 2.883834] Hardware name: Microsoft Corporation Surface with
Windows 8 Pro/Surface with Windows 8 Pro,
BIOS 1.03.0450 03/29/2013
On Surface Pro, suspend to ram gives a NULL pointer dereference in
pfifo_fast_enqueue(). The stack trace reveals that the offending
call is clearing carrier in mwifiex_usb suspend handler.
Since commit
1499d9f "mwifiex: don't drop carrier flag over suspend"
has removed the carrier flag handling over suspend/resume in SDIO
and PCIe drivers, I'm removing it in USB driver too. This also fixes
the bug for Surface Pro.
Cc: <stable@vger.kernel.org> # 3.5+
Tested-by: Dmitry Khromov <icechrome@gmail.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Wed, 25 Sep 2013 02:31:24 +0000 (19:31 -0700)]
mwifiex: fix hang issue for USB chipsets
Bug 60815 - Interface hangs in mwifiex_usb
https://bugzilla.kernel.org/show_bug.cgi?id=60815
We have 4 bytes of interface header for packets delivered to SDIO
and PCIe, but not for USB interface.
In Tx AMSDU case, currently 4 bytes of garbage data is unnecessarily
appended for USB packets. This sometimes leads to a firmware hang,
because it may not interpret the data packet correctly.
Problem is fixed by removing this redundant headroom for USB.
Cc: <stable@vger.kernel.org> # 3.5+
Tested-by: Dmitry Khromov <icechrome@gmail.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Christian Lamparter [Tue, 24 Sep 2013 19:56:46 +0000 (21:56 +0200)]
p54usb: add USB ID for Corega WLUSB2GTST USB adapter
Added USB ID for Corega WLUSB2GTST USB adapter.
Cc: <stable@vger.kernel.org>
Reported-by: Joerg Kalisch <the_force@gmx.de>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Solomon Peachy [Mon, 23 Sep 2013 20:00:04 +0000 (16:00 -0400)]
cw1200: Use a threaded oneshot irq handler for cw1200_spi
This supercedes the older patch ("cw1200: Don't perform SPI transfers in
interrupt context") that badly attempted to fix this problem.
This is a far simpler solution, which has the added benefit of
actually working.
Signed-off-by: Solomon Peachy <pizza@shaftnet.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Solomon Peachy [Mon, 23 Sep 2013 20:00:03 +0000 (16:00 -0400)]
Revert "cw1200: Don't perform SPI transfers in interrupt context"
This reverts commit
aec8e88c947b7017e2b4bbcb68a4bfc4a1f8ad35.
This solution turned out to cause interrupt delivery problems, and
rather than trying to fix this approach, it has been scrapped in favor
of an alternative (and far simpler) implementation.
Signed-off-by: Solomon Peachy <pizza@shaftnet.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bing Zhao [Sat, 21 Sep 2013 02:56:45 +0000 (19:56 -0700)]
mwifiex: fix PCIe hs_cfg cancel cmd timeout
For pcie8897, the hs_cfg cancel command (0xe5) times out when host
comes out of suspend. This is caused by an incompleted host sleep
handshake between driver and firmware.
Like SDIO interface, PCIe also needs to go through firmware power
save events to complete the handshake for host sleep configuration.
Only USB interface doesn't require power save events for hs_cfg.
Cc: <stable@vger.kernel.org> # 3.10+
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Larry Finger [Thu, 19 Sep 2013 02:21:35 +0000 (21:21 -0500)]
rtlwifi: Align private space in rtl_priv struct
The private array at the end of the rtl_priv struct is not aligned.
On ARM architecture, this causes an alignment trap and is fixed by aligning
that array with __align(sizeof(void *)). That should properly align that
space according to the requirements of all architectures.
Reported-by: Jason Andrews <jasona@cadence.com>
Tested-by: Jason Andrews <jasona@cadence.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 18 Sep 2013 13:23:41 +0000 (15:23 +0200)]
ath9k: add txq locking for ath_tx_aggr_start
Prevents race conditions when un-aggregated frames are pending in the
driver.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Alexey Khoroshilov [Tue, 17 Sep 2013 20:57:59 +0000 (00:57 +0400)]
p54usb: fix leak at failure path in p54u_load_firmware()
If request_firmware_nowait() fails in p54u_load_firmware(),
p54u_load_firmware_cb is not called and no one decrements usb_dev refcnt.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Tue, 17 Sep 2013 10:05:15 +0000 (12:05 +0200)]
ath9k: don't use BAW tracking on PS responses for non-AMPDU packets
When .release_buffered_frames was implemented, only A-MPDU packets were
buffered internally. Now that this has changed, the BUF_AMPDU flag needs
to be checked before calling ath_tx_addto_baw
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Sujith Manoharan [Mon, 16 Sep 2013 04:54:51 +0000 (10:24 +0530)]
ath9k: Fix regression in LNA diversity
The commit "ath9k: Optimize LNA check" tried
to use the "rs_firstaggr" flag to optimize the LNA
combining algorithm when processing subframes in
an A-MPDU. This doesn't appear to work well in practice,
so revert it and use the old method of relying on
"rs_moreaggr".
Cc: stable@vger.kernel.org # 3.11
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Sat, 14 Sep 2013 15:02:29 +0000 (17:02 +0200)]
ath9k: do not link bf_next across multiple A-MPDUs
This might trip up tx completion processing, although the condition that
triggers this should not (yet) occur in practice.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Sat, 14 Sep 2013 13:46:33 +0000 (15:46 +0200)]
ath9k: fix stale flag handling on buffer clone
Fixes a regression from commit
"ath9k: shrink a few data structures by reordering fields"
When cloning a buffer, the stale flag (part of bf_state now) needs to be
reset after copying the state to prevent tx processing hangs.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Chun-Yeow Yeoh [Sun, 8 Sep 2013 06:40:44 +0000 (23:40 -0700)]
mac80211: fix the setting of extended supported rate IE
The patch "mac80211: select and adjust bitrates according to
channel mode" causes regression and breaks the extended supported rate
IE setting. Since "i" is starting with 8, so this is not necessary
to introduce "skip" here.
Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@cozybit.com>
Signed-off-by: Colleen Twitty <colleen@cozybit.com>
Reviewed-by: Jason Abele <jason@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Felix Fietkau [Tue, 17 Sep 2013 09:15:43 +0000 (11:15 +0200)]
mac80211: drop spoofed packets in ad-hoc mode
If an Ad-Hoc node receives packets with the Cell ID or its own MAC
address as source address, it hits a WARN_ON in sta_info_insert_check()
With many packets, this can massively spam the logs. One way that this
can easily happen is through having Cisco APs in the area with rouge AP
detection and countermeasures enabled.
Such Cisco APs will regularly send fake beacons, disassoc and deauth
packets that trigger these warnings.
To fix this issue, drop such spoofed packets early in the rx path.
Cc: stable@vger.kernel.org
Reported-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
John W. Linville [Thu, 26 Sep 2013 17:47:05 +0000 (13:47 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/bluetooth/bluetooth
Bruno Randolf [Thu, 26 Sep 2013 15:55:28 +0000 (16:55 +0100)]
cfg80211: fix warning when using WEXT for IBSS
Fix kernel warning when using WEXT for configuring ad-hoc mode,
e.g. "iwconfig wlan0 essid test channel 1"
WARNING: at net/wireless/chan.c:373 cfg80211_chandef_usable+0x50/0x21c [cfg80211]()
The warning is caused by an uninitialized variable center_freq1.
Cc: stable@vger.kernel.org
Signed-off-by: Bruno Randolf <br1@einfach.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Luciano Coelho [Thu, 29 Aug 2013 10:26:57 +0000 (13:26 +0300)]
cfg80211: use the correct macro to check for active monitor support
Use MONITOR_FLAG_ACTIVE, which is a flag mask, instead of
NL80211_MNTR_FLAG_ACTIVE, which is a flag index, when checking if the
hardware supports active monitoring.
Cc: stable@vger.kernel.org
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Ken O'Brien [Sat, 21 Sep 2013 18:14:43 +0000 (19:14 +0100)]
Bluetooth: btusb: Add support for Belkin
F8065bf
Add generic rule on encountering Belkin bluetooth usb device
F8065bf.
Relevant section from /sys/kernel/debug/usb/devices:
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=050d ProdID=065a Rev= 1.12
S: Manufacturer=Broadcom Corp
S: Product=BCM20702A0
S: SerialNumber=
0002723E2D29
C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
Signed-off-by: Ken O'Brien <kernel@kenobrien.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Gianluca Anzolin [Tue, 27 Aug 2013 16:28:46 +0000 (18:28 +0200)]
Bluetooth: don't release the port in rfcomm_dev_state_change()
When the dlc is closed, rfcomm_dev_state_change() tries to release the
port in the case it cannot get a reference to the tty. However this is
racy and not even needed.
Infact as Peter Hurley points out:
1. Only consider dlcs that are 'stolen' from a connected socket, ie.
reused. Allocated dlcs cannot have been closed prior to port
activate and so for these dlcs a tty reference will always be avail
in rfcomm_dev_state_change() -- except for the conditions covered by
#2b below.
2. If a tty was at some point previously created for this rfcomm, then
either
(a) the tty reference is still avail, so rfcomm_dev_state_change()
will perform a hangup. So nothing to do, or,
(b) the tty reference is no longer avail, and the tty_port will be
destroyed by the last tty_port_put() in rfcomm_tty_cleanup.
Again, no action required.
3. Prior to obtaining the dlc lock in rfcomm_dev_add(),
rfcomm_dev_state_change() will not 'see' a rfcomm_dev so nothing to
do here.
4. After releasing the dlc lock in rfcomm_dev_add(),
rfcomm_dev_state_change() will 'see' an incomplete rfcomm_dev if a
tty reference could not be obtained. Again, the best thing to do here
is nothing. Any future attempted open() will block on
rfcomm_dev_carrier_raised(). The unconnected device will exist until
released by ioctl(RFCOMMRELEASEDEV).
The patch removes the aforementioned code and uses the
tty_port_tty_hangup() helper to hangup the tty.
Signed-off-by: Gianluca Anzolin <gianluca@sottospazio.it>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Linus Torvalds [Thu, 19 Sep 2013 18:57:28 +0000 (13:57 -0500)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) If the local_df boolean is set on an SKB we have to allocate a
unique ID even if IP_DF is set in the ipv4 headers, from Ansis
Atteka.
2) Some fixups for the new chipset support that went into the sfc
driver, from Ben Hutchings.
3) Because SCTP bypasses a good chunk of, and actually duplicates, the
logic of the ipv6 output path, some IPSEC things don't get done
properly. Integrate SCTP better into the ipv6 output path so that
these problems are fixed and such issues don't get missed in the
future either. From Daniel Borkmann.
4) Fix skge regressions added by the DMA mapping error return checking
added in v3.10, from Mikulas Patocka.
5) Kill some more IRQF_DISABLED references, from Michael Opdenacker.
6) Fix races and deadlocks in the bridging code, from Hong Zhiguo.
7) Fix error handling in tun_set_iff(), in particular don't leak
resources. From Jason Wang.
8) Prevent format-string injection into xen-netback driver, from Kees
Cook.
9) Fix regression added to netpoll ARP packet handling, in particular
check for the right ETH_P_ARP protocol code. From Sonic Zhang.
10) Try to deal with AMD IOMMU errors when using r8169 chips, from
Francois Romieu.
11) Cure freezes due to recent changes in the rt2x00 wireless driver,
from Stanislaw Gruszka.
12) Don't do SPI transfers (which can sleep) in interrupt context in
cw1200 driver, from Solomon Peachy.
13) Fix LEDs handling bug in 5720 tg3 chips already handled for 5719.
From Nithin Sujir.
14) Make xen_netbk_count_skb_slots() count the actual number of slots
that will be used, taking into consideration packing and other
issues that the transmit path will run into. From David Vrabel.
15) Use the correct maximum age when calculating the bridge
message_age_timer, from Chris Healy.
16) Get rid of memory leaks in mcs7780 IRDA driver, from Alexey
Khoroshilov.
17) Netfilter conntrack extensions were converted to RCU but are not
always freed properly using kfree_rcu(). Fix from Michal Kubecek.
18) VF reset recovery not being done correctly in qlcnic driver, from
Manish Chopra.
19) Fix inverted test in ATM nicstar driver, from Andy Shevchenko.
20) Missing workqueue destroy in cxgb4 error handling, from Wei Yang.
21) Internal switch not initialized properly in bgmac driver, from Rafał
Miłecki.
22) Netlink messages report wrong local and remote addresses in IPv6
tunneling, from Ding Zhi.
23) ICMP redirects should not generate socket errors in DCCP and SCTP.
We're still working out how this should be handled for RAW and UDP
sockets. From Daniel Borkmann and Duan Jiong.
24) We've had several bugs wherein the network namespace's loopback
device gets accessed after it is free'd, NULL it out so that we can
catch these problems more readily. From Eric W Biederman.
25) Fix regression in TCP RTO calculations, from Neal Cardwell.
26) Fix too early free of xen-netback network device when VIFs still
exist. From Paul Durrant.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
netconsole: fix a deadlock with rtnl and netconsole's mutex
netpoll: fix NULL pointer dereference in netpoll_cleanup
skge: fix broken driver
ip: generate unique IP identificator if local fragmentation is allowed
ip: use ip_hdr() in __ip_make_skb() to retrieve IP header
xen-netback: Don't destroy the netdev until the vif is shut down
net:dccp: do not report ICMP redirects to user space
cnic: Fix crash in cnic_bnx2x_service_kcq()
bnx2x, cnic, bnx2i, bnx2fc: Fix bnx2i and bnx2fc regressions.
vxlan: Avoid creating fdb entry with NULL destination
tcp: fix RTO calculated from cached RTT
drivers: net: phy: cicada.c: clears warning Use #include <linux/io.h> instead of <asm/io.h>
net loopback: Set loopback_dev to NULL when freed
batman-adv: set the TAG flag for the vid passed to BLA
netfilter: nfnetlink_queue: use network skb for sequence adjustment
net: sctp: rfc4443: do not report ICMP redirects to user space
net: usb: cdc_ether: use usb.h macros whenever possible
net: usb: cdc_ether: fix checkpatch errors and warnings
net: usb: cdc_ether: Use wwan interface for Telit modules
ip6_tunnels: raddr and laddr are inverted in nl msg
...
Nikolay Aleksandrov [Thu, 19 Sep 2013 13:02:36 +0000 (15:02 +0200)]
netconsole: fix a deadlock with rtnl and netconsole's mutex
This bug was introduced by commit
7a163bfb7ce50895bbe67300ea610d31b9c09230 ("netconsole: avoid a crash with
multiple sysfs writers"). In store_enabled() we have the following
sequence: acquire nt->mutex then rtnl, but in the netconsole netdev
notifier we have rtnl then nt->mutex effectively leading to a deadlock.
The NULL pointer dereference that the above commit tries to fix is
actually due to another bug in netpoll_cleanup(). This is fixed by dropping
the mutex from the netdev notifier as it's already protected by rtnl.
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nikolay Aleksandrov [Thu, 19 Sep 2013 13:02:35 +0000 (15:02 +0200)]
netpoll: fix NULL pointer dereference in netpoll_cleanup
I've been hitting a NULL ptr deref while using netconsole because the
np->dev check and the pointer manipulation in netpoll_cleanup are done
without rtnl and the following sequence happens when having a netconsole
over a vlan and we remove the vlan while disabling the netconsole:
CPU 1 CPU2
removes vlan and calls the notifier
enters store_enabled(), calls
netdev_cleanup which checks np->dev
and then waits for rtnl
executes the netconsole netdev
release notifier making np->dev
== NULL and releases rtnl
continues to dereference a member of
np->dev which at this point is == NULL
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mikulas Patocka [Thu, 19 Sep 2013 18:13:17 +0000 (14:13 -0400)]
skge: fix broken driver
The patch
136d8f377e1575463b47840bc5f1b22d94bf8f63 broke the skge driver.
Note this part of the patch:
+ if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) {
+ dev_kfree_skb(nskb);
+ goto resubmit;
+ }
+
pci_unmap_single(skge->hw->pdev,
dma_unmap_addr(e, mapaddr),
dma_unmap_len(e, maplen),
PCI_DMA_FROMDEVICE);
skb = e->skb;
prefetch(skb->data);
- skge_rx_setup(skge, e, nskb, skge->rx_buf_size);
The function skge_rx_setup modifies e->skb to point to the new skb. Thus,
after this change, the new buffer, not the old, is returned to the
networking stack.
This bug is present in kernels 3.11, 3.11.1 and 3.12-rc1. The patch should
be queued for 3.11-stable.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Vasiliy Glazov <vascom2@gmail.com>
Tested-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ansis Atteka [Wed, 18 Sep 2013 22:29:53 +0000 (15:29 -0700)]
ip: generate unique IP identificator if local fragmentation is allowed
If local fragmentation is allowed, then ip_select_ident() and
ip_select_ident_more() need to generate unique IDs to ensure
correct defragmentation on the peer.
For example, if IPsec (tunnel mode) has to encrypt large skbs
that have local_df bit set, then all IP fragments that belonged
to different ESP datagrams would have used the same identificator.
If one of these IP fragments would get lost or reordered, then
peer could possibly stitch together wrong IP fragments that did
not belong to the same datagram. This would lead to a packet loss
or data corruption.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ansis Atteka [Wed, 18 Sep 2013 22:29:52 +0000 (15:29 -0700)]
ip: use ip_hdr() in __ip_make_skb() to retrieve IP header
skb->data already points to IP header, but for the sake of
consistency we can also use ip_hdr() to retrieve it.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Durrant [Tue, 17 Sep 2013 16:46:08 +0000 (17:46 +0100)]
xen-netback: Don't destroy the netdev until the vif is shut down
Without this patch, if a frontend cycles through states Closing
and Closed (which Windows frontends need to do) then the netdev
will be destroyed and requires re-invocation of hotplug scripts
to restore state before the frontend can move to Connected. Thus
when udev is not in use the backend gets stuck in InitWait.
With this patch, the netdev is left alone whilst the backend is
still online and is only de-registered and freed just prior to
destroying the vif (which is also nicely symmetrical with the
netdev allocation and registration being done during probe) so
no re-invocation of hotplug scripts is required.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 19 Sep 2013 17:52:25 +0000 (12:52 -0500)]
Merge branch 'upstream' of git://git.linux-mips.org/ralf/upstream-linus
Pull MIPS updates from Ralf Baechle:
- Minor updates and fixes to the Octeon ethernet driver in staging
- A fix to VGA_MAP_MEM() for 64 bit platforms
- Fix a workaround for 74K/1074K processors
- The symlink arch/mips/boot/dts/include/dt-bindings was pointing to a
a file with a name ending in \n. I think this may have been caused
by a git bug with with patches sent by email
- A build fix for VGA console on BCM1480-based systems
- Fix PCI device access via "/sys/bus/pci/.../resource0" or similar
work for Alchemy platforms
- Fix potential data leak on MIPS R5 cores. This doesn't add proper
support for any R5 features, just ensures a kernel without such
support will be secure to run
- Adding a macros for the CP0 Config5 register to be used by the R5 fix
- Make get_cycles() actually return something useful where possible
This also requires a preparatory patch for performance sake
- Fix a warning about the use of smp_processor_id() in preemptible
code. Again this includes a preparatory patch adding the
infrastructure to be used by the actual patch
- Finally remove pointless one-line comment
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: Fix invalid symbolic link file
MIPS: PCI: pci-bcm1480: Include missing vt.h header
MIPS: Disable usermode switching of the FR bit for MIPS R5 CPUs.
MIPS: Add MIPS R5 config5 register.
MIPS: PCI: Use pci_resource_to_user to map pci memory space properly
MIPS: 74K/1074K: Correct erratum workaround.
MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks
MIPS: Remove useless comment about kprobe from arch/mips/Makefile
MIPS: Fix VGA_MAP_MEM macro.
MIPS: Reimplement get_cycles().
MIPS: Optimize current_cpu_type() for better code.
MIPS: Fix accessing to per-cpu data when flushing the cache
MIPS: Provide nice way to access boot CPU's data.
staging: octeon-ethernet: rgmii: enable interrupts that we can handle
staging: octeon-ethernet: remove skb alloc failure warnings
staging: octeon-ethernet: make dropped packets to consume NAPI budget
Linus Torvalds [Thu, 19 Sep 2013 17:50:37 +0000 (12:50 -0500)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client
Pull ceph fixes from Sage Weil:
"These fix several bugs with RBD from 3.11 that didn't get tested in
time for the merge window: some error handling, a use-after-free, and
a sequencing issue when unmapping and image races with a notify
operation.
There is also a patch fixing a problem with the new ceph + fscache
code that just went in"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
fscache: check consistency does not decrement refcount
rbd: fix error handling from rbd_snap_name()
rbd: ignore unmapped snapshots that no longer exist
rbd: fix use-after free of rbd_dev->disk
rbd: make rbd_obj_notify_ack() synchronous
rbd: complete notifies before cleaning up osd_client and rbd_dev
libceph: add function to ensure notifies are complete
Madhavan Srinivasan [Thu, 19 Sep 2013 13:09:08 +0000 (18:39 +0530)]
MIPS: Fix invalid symbolic link file
Commit
3b29aa5ba204c [MIPS: add <dt-bindings/> symlink] created a symlink
file in include/dt-bindings. Even though commit diff is fine, the symlink
is invalid and ls -lb shows a newline character at the end of the filename:
lrwxrwxrwx 1 maddy maddy 35 Sep 19 18:11 dt-bindings ->
../../../../../include/dt-bindings\n
Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
Cc: steven.hill@imgtec.com
Cc: mmarek@suse.cz
Cc: swarren@nvidia.com
Cc: linux-mips@linux-mips.org
Cc: linux-kbuild@vger.kernel.org
Cc: james.hogan@imgtec.com
Patchwork: https://patchwork.linux-mips.org/patch/5859/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Markos Chandras [Thu, 19 Sep 2013 09:27:52 +0000 (10:27 +0100)]
MIPS: PCI: pci-bcm1480: Include missing vt.h header
It's needed for the MAX_NR_CONSOLES macro.
Fixes the following build problem on a randconfig:
arch/mips/pci/pci-bcm1480.c: In function 'bcm1480_pcibios_init':
arch/mips/pci/pci-bcm1480.c:261:36: error: 'MAX_NR_CONSOLES'
undeclared (first use in this function)
arch/mips/pci/pci-bcm1480.c:261:36: note: each undeclared
identifier is reported only once for each function it appears in
make[1]: *** [arch/mips/pci/pci-bcm1480.o] Error 1
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5858/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Thu, 19 Sep 2013 09:15:49 +0000 (11:15 +0200)]
MIPS: Disable usermode switching of the FR bit for MIPS R5 CPUs.
Currently the kernel will always use the FR=0 register model for O32. If
an O32 application did enable FR=1 mode, some data from another application
might be leaked in the extra registers becoming visible.
Iow, this patch is meant to make the kernel MIPS R5 tolerant but leaves
proper MIPS R5 support to a future patchset.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Thu, 19 Sep 2013 09:09:48 +0000 (11:09 +0200)]
MIPS: Add MIPS R5 config5 register.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Linus Torvalds [Thu, 19 Sep 2013 02:17:44 +0000 (21:17 -0500)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm radeon/nouveau/core fixes from Dave Airlie:
"Mostly radeon fixes, with some nouveau bios parser, ttm fix and a fix
for AST driver"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (42 commits)
drm/fb-helper: don't sleep for screen unblank when an oops is in progress
drm, ttm Fix uninitialized warning
drm/ttm: fix the tt_populated check in ttm_tt_destroy()
drm/nouveau/ttm: prevent double-free in nouveau_sgdma_create_ttm() failure path
drm/nouveau/bios/init: fix thinko in INIT_CONFIGURE_MEM
drm/nouveau/kms: enable for non-vga pci classes
drm/nouveau/bios/init: stub opcode 0xaa
drm/radeon: avoid UVD corruptions on AGP cards
drm/radeon: fix panel scaling with eDP and LVDS bridges
drm/radeon/dpm: rework auto performance level enable
drm/radeon: Fix hmdi typo
drm/radeon/dpm/rs780: fix force_performance state for same sclks
drm/radeon/dpm/rs780: don't enable sclk scaling if not required
drm/radeon/dpm/rs780: add some sanity checking to sclk scaling
drm/radeon/dpm/rs780: use drm_mode_vrefresh()
drm/udl: rip out set_need_resched
drm/ast: fix the ast open key function
drm/radeon/dpm: add bapm callback for kb/kv
drm/radeon/dpm: add bapm callback for trinity
drm/radeon/dpm: add infrastructure to properly handle bapm
...
Daniel Vetter [Fri, 13 Sep 2013 21:49:57 +0000 (14:49 -0700)]
drm/fb-helper: don't sleep for screen unblank when an oops is in progress
Otherwise the system will burn even brighter and worse, leave the user
wondering what's going on exactly.
Since we already have a panic handler which will (try) to restore the
entire fbdev console mode, we can just bail out. Inspired by a patch from
Konstantin Khlebnikov. The callchain leading to this, cut&pasted from
Konstantin's original patch:
callstack:
panic()
bust_spinlocks(1)
unblank_screen()
vc->vc_sw->con_blank()
fbcon_blank()
fb_blank()
info->fbops->fb_blank()
drm_fb_helper_blank()
drm_fb_helper_dpms()
drm_modeset_lock_all()
mutex_lock(&dev->mode_config.mutex)
Note that the entire locking in the fb helper around panic/sysrq and kdbg
is ... non-existant. So we have a decent change of blowing up
everything. But since reworking this ties in with funny concepts like the
fbdev notifier chain or the impressive things which happen around
console_lock while oopsing, I'll leave that as an exercise for braver
souls than me.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Dave Airlie <airlied@gmail.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Prarit Bhargava [Fri, 13 Sep 2013 12:33:34 +0000 (08:33 -0400)]
drm, ttm Fix uninitialized warning
Fix uninitialized warning.
drivers/gpu/drm/ttm/ttm_object.c: In function ‘ttm_base_object_lookup’:
drivers/gpu/drm/ttm/ttm_object.c:213:10: error: ‘base’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
kref_put(&base->refcount, ttm_release_base);
^
drivers/gpu/drm/ttm/ttm_object.c:221:26: note: ‘base’ was declared here
struct ttm_base_object *base;
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Ben Skeggs [Tue, 17 Sep 2013 04:21:15 +0000 (14:21 +1000)]
drm/ttm: fix the tt_populated check in ttm_tt_destroy()
After a vmalloc failure in ttm_dma_tt_alloc_page_directory(),
ttm_dma_tt_init() will call ttm_tt_destroy() to cleanup, and end up
inside the driver's unpopulate() hook when populate() has never yet
been called.
On nouveau, the first issue to be hit because of this is that
dma_address[] may be a NULL pointer. After working around this,
ttm_pool_unpopulate() may potentially hit the same issue with
the pages[] array.
It seems to make more sense to avoid calling unpopulate on already
unpopulated TTMs than to add checks to all the implementations.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Cc: stable@vger.kernel.org
Cc: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Dave Airlie [Thu, 19 Sep 2013 01:47:23 +0000 (11:47 +1000)]
Merge branch 'drm-nouveau-next' of git://anongit.freedesktop.org/git/nouveau/linux-2.6 into drm-fixes
A couple of bios parser fixes (one for ancient chips, another for new ones - important in Optimus configs). Another to make sure KMS is enabled on certain Optimus configs, and a TTM failure path fix.
* 'drm-nouveau-next' of git://anongit.freedesktop.org/git/nouveau/linux-2.6:
drm/nouveau/ttm: prevent double-free in nouveau_sgdma_create_ttm() failure path
drm/nouveau/bios/init: fix thinko in INIT_CONFIGURE_MEM
drm/nouveau/kms: enable for non-vga pci classes
drm/nouveau/bios/init: stub opcode 0xaa
Linus Torvalds [Thu, 19 Sep 2013 00:22:22 +0000 (19:22 -0500)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
"atomic_open-related fixes (Miklos' series, with EEXIST-related parts
replaced with fix in fs/namei.c:atomic_open() instead of messing with
the instances) + race fix in autofs + leak on failure exit in 9p"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
9p: don't forget to destroy inode cache if fscache registration fails
atomic_open: take care of EEXIST in no-open case with O_CREAT|O_EXCL in fs/namei.c
vfs: don't set FILE_CREATED before calling ->atomic_open()
nfs: set FILE_CREATED
gfs2: set FILE_CREATED
cifs: fix filp leak in cifs_atomic_open()
vfs: improve i_op->atomic_open() documentation
autofs4: close the races around autofs4_notify_daemon()
Wolfgang Grandegger [Mon, 13 Dec 2010 20:48:10 +0000 (21:48 +0100)]
MIPS: PCI: Use pci_resource_to_user to map pci memory space properly
[ralf@linux-mips.org: This only matters to Alchemy platforms. On other
platforms fixup_bigphys_addr is just an identidy mapping.]
Signed-off-by: Wolfgang Grandegger <wg@denx.de>
Cc: tiejun.chen <tiejun.chen@windriver.com>
Cc: Linux-MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/1868/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Maciej W. Rozycki [Wed, 18 Sep 2013 18:08:15 +0000 (19:08 +0100)]
MIPS: 74K/1074K: Correct erratum workaround.
Make sure 74K revision numbers are not applied to the 1074K. Also catch
invalid usage.
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5857/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Maciej W. Rozycki [Tue, 17 Sep 2013 15:58:10 +0000 (16:58 +0100)]
MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks
Replace hardcoded CP0 PRId and CP1 FPIR register access masks throughout.
The change does not touch places that use shifted or partial masks.
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5838/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Linus Torvalds [Wed, 18 Sep 2013 17:39:40 +0000 (12:39 -0500)]
Merge tag 'please-pull-pstore' of git://git./linux/kernel/git/aegl/linux
Pull pstore/compression fixes from Tony Luck:
"Three pstore fixes related to compression:
1) Better adjustment of size of compression buffer (was too big for
EFIVARS backend resulting in compression failure
2) Use zlib_inflateInit2 instead of zlib_inflateInit
3) Don't print messages about compression failure. They will waste
space that may better be used to log console output leading to the
crash"
* tag 'please-pull-pstore' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux:
pstore: Remove the messages related to compression failure
pstore: Use zlib_inflateInit2 instead of zlib_inflateInit
pstore: Adjust buffer size for compression for smaller registered buffers
Johan Hedberg [Fri, 13 Sep 2013 05:58:18 +0000 (08:58 +0300)]
Bluetooth: Fix rfkill functionality during the HCI setup stage
We need to let the setup stage complete cleanly even when the HCI device
is rfkilled. Otherwise the HCI device will stay in an undefined state
and never get notified to user space through mgmt (even when it gets
unblocked through rfkill).
This patch makes sure that hci_dev_open() can be called in the HCI_SETUP
stage, that blocking the device doesn't abort the setup stage, and that
the device gets proper powered down as soon as the setup stage completes
in case it was blocked meanwhile.
The bug that this patch fixed can be very easily reproduced using e.g.
the rfkill command line too. By running "rfkill block all" before
inserting a Bluetooth dongle the resulting HCI device goes into a state
where it is never announced over mgmt, not even when "rfkill unblock all"
is run.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Cc: stable@vger.kernel.org
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Johan Hedberg [Fri, 13 Sep 2013 05:58:17 +0000 (08:58 +0300)]
Bluetooth: Introduce a new HCI_RFKILLED flag
This makes it more convenient to check for rfkill (no need to check for
dev->rfkill before calling rfkill_blocked()) and also avoids potential
races if the RFKILL state needs to be checked from within the rfkill
callback.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Cc: stable@vger.kernel.org
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Wu Zhangjin [Tue, 9 Nov 2010 16:25:53 +0000 (00:25 +0800)]
MIPS: Remove useless comment about kprobe from arch/mips/Makefile
The commit
c1bf207d6ee1eb72e9c10365edbdc7c9ff7fb9b0 (kernel.org) rsp.
58e9ad32a48dce37ffeea912f55bd1c94b85ad7f (lmo) [MIPS: kprobe: Add support]
introduced a useless comment.
Signed-off-by: Wu Zhangjin <wuzhangjin@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: David Daney <ddaney@caviumnetworks.com>
Patchwork: https://patchwork.linux-mips.org/patch/1765/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Duan Jiong [Wed, 18 Sep 2013 12:03:27 +0000 (20:03 +0800)]
net:dccp: do not report ICMP redirects to user space
DCCP shouldn't be setting sk_err on redirects as it
isn't an error condition. it should be doing exactly
what tcp is doing and leaving the error handler without
touching the socket.
Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 18 Sep 2013 16:26:17 +0000 (11:26 -0500)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
"Misc fixes"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/intel/lpss: Add pin control support to Intel low power subsystem
perf/x86/intel: Mark MEM_LOAD_UOPS_MISS_RETIRED as precise on SNB
x86: Remove now-unused save_rest()
x86/smpboot: Fix announce_cpu() to printk() the last "OK" properly
Linus Torvalds [Wed, 18 Sep 2013 16:24:49 +0000 (11:24 -0500)]
Merge branch 'timers-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull timer fix from Ingo Molnar:
"An NTP related lockup fix"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timekeeping: Fix HRTICK related deadlock from ntp lock changes
Michael Chan [Wed, 18 Sep 2013 08:50:39 +0000 (01:50 -0700)]
cnic: Fix crash in cnic_bnx2x_service_kcq()
commit
104a43edb264321a4d41850e98153b4fa8a9ef42
cnic: Use CHIP_NUM macros from bnx2x.h
changed the code to use the bnx2x macro NO_FCOE() to determine if FCoE
is supported or not. There is another place in cnic that is still using
the old method to determine if FCoE is supported or not. The 2 methods
may not yield the same result after the network interface is brought down
and up. This will cause the crash as cnic_bnx2x_service_kcq() will access
the uninitialized cp->kcq2.
The fix is to consistently use the same macro CNIC_SUPPORTS_FCOE() which
uses the bnx2x NO_FCOE() macro. As a follow-up, we can clean up the code
to remove the old method as it is no longer needed.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Wed, 18 Sep 2013 08:50:38 +0000 (01:50 -0700)]
bnx2x, cnic, bnx2i, bnx2fc: Fix bnx2i and bnx2fc regressions.
commit
b9871bcfd211d316adee317608dab44c58d6ea2d
bnx2x: VF RSS support - PF side
changed the configuration of the doorbell HW and it broke iSCSI and FCoE.
We fix this by making compatible changes to the doorbell address in bnx2i
and bnx2fc. For the userspace driver, we need to pass a modified CID
so that the existing userspace driver will calculate the correct doorbell
address and continue to work.
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: Eddie Wai <eddie.wai@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 18 Sep 2013 16:23:32 +0000 (11:23 -0500)]
Merge branch 'sched-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull scheduler fixes from Ingo Molnar:
"Misc fixes"
* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
sched: Fix comment for sched_info_depart
sched/Documentation: Update sched-design-CFS.txt documentation
sched/debug: Take PID namespace into account
sched/fair: Fix small race where child->se.parent,cfs_rq might point to invalid ones
Linus Torvalds [Wed, 18 Sep 2013 16:22:53 +0000 (11:22 -0500)]
Merge branch 'perf-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
"Two small fixes"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf: Fix UAPI export of PERF_EVENT_IOC_ID
perf/x86/intel: Fix Silvermont offcore masks
David S. Miller [Wed, 18 Sep 2013 16:22:17 +0000 (12:22 -0400)]
Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge
Included change:
- fix the Bridge Loop Avoidance component by marking the variables containing
the VLAN ID with the HAS_TAG flag when needed.
Leonid Yegoshin [Wed, 11 Sep 2013 00:36:04 +0000 (19:36 -0500)]
MIPS: Fix VGA_MAP_MEM macro.
Use the CKSEG1ADDR macro when calculating VGA_MAP_MEM.
[ralf@linux-mips.org: Include <asm/addrspace.h for CKSEG1ADDR.]
Signed-off-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Signed-off-by: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5814/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Thu, 12 Sep 2013 11:47:32 +0000 (13:47 +0200)]
MIPS: Reimplement get_cycles().
This essentially reverts commit
efb9ca08b5a2374b29938cdcab417ce4feb14b54
(kernel.org) / 58020a106879a8b372068741c81f0015c9b0b96dbv [[MIPS] Change
get_cycles to always return 0.]
Most users of get_cycles() invoke it as a timing interface. That's why
in modern kernels it was never very much missed for. /dev/random however
uses get_cycles() in the how the jitter in the interrupt timing contains
some useful entropy.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Vince Weaver [Tue, 17 Sep 2013 18:53:41 +0000 (14:53 -0400)]
perf: Fix UAPI export of PERF_EVENT_IOC_ID
Without the following patch I have problems compiling code using
the new PERF_EVENT_IOC_ID ioctl(). It looks like u64 was used
instead of __u64
Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1309171450380.11444@vincent-weaver-1.um.maine.edu
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Al Viro [Tue, 17 Sep 2013 12:10:18 +0000 (08:10 -0400)]
9p: don't forget to destroy inode cache if fscache registration fails
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Linus Torvalds [Wed, 18 Sep 2013 02:20:30 +0000 (22:20 -0400)]
Merge branch 'fixes' of git://git./virt/kvm/kvm
Pull KVM fixes from Gleb Natapov.
* 'fixes' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: VMX: set "blocked by NMI" flag if EPT violation happens during IRET from NMI
kvm: free resources after canceling async_pf
KVM: nEPT: reset PDPTR register cache on nested vmentry emulation
KVM: mmu: allow page tables to be in read-only slots
KVM: x86 emulator: emulate RETF imm
Linus Torvalds [Wed, 18 Sep 2013 01:54:05 +0000 (21:54 -0400)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jikos/hid
Pull HID updates from Jiri Kosina:
"Fixes for CVE-2013-2897, CVE-2013-2895, CVE-2013-2897, CVE-2013-2894,
CVE-2013-2893, CVE-2013-2891, CVE-2013-2890, CVE-2013-2889.
All the bugs are triggerable only by specially crafted evil-on-purpose
HW devices. Fixes by Kees Cook and Benjamin Tissoires"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
HID: multitouch: validate indexes details
HID: logitech-dj: validate output report details
HID: validate feature and input report details
HID: lenovo-tpkbd: validate output report details
HID: LG: validate HID output report details
HID: steelseries: validate output report details
HID: sony: validate HID output report details
HID: zeroplus: validate output report details
HID: provide a helper for validating hid reports
Oleg Nesterov [Sun, 15 Sep 2013 15:50:26 +0000 (17:50 +0200)]
tty: disassociate_ctty() sends the extra SIGCONT
Starting from v3.10 (probably commit
f91e2590410b: "tty: Signal
foreground group processes in hangup") disassociate_ctty() sends SIGCONT
if tty && on_exit. This breaks LSB test-suite, in particular test8 in
_exit.c and test40 in sigcon5.c.
Put the "!on_exit" check back to restore the old behaviour.
Review by Peter Hurley:
"Yes, this regression was introduced by me in that commit. The effect
of the regression is that ptys will receive a SIGCONT when, in similar
circumstances, ttys would not.
The fact that two test vectors accidentally tripped over this
regression suggests that some other apps may as well.
Thanks for catching this"
Cc: stable@vger.kernel.org # v3.10+
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Karel Srot <ksrot@redhat.com>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David S. Miller [Wed, 18 Sep 2013 00:22:53 +0000 (20:22 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
The following patchset contains Netfilter fixes for you net tree,
mostly targeted to ipset, they are:
* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
Phil Oester.
* Fix RCU race in conntrack extensions release path, from Michal Kubecek.
* Fix missing inversion in the userspace ipset test command match if
the nomatch option is specified, from Jozsef Kadlecsik.
* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
also from Jozsef Kadlecsik.
* Fix sequence adjustment in nfnetlink_queue due to using the netlink
skb instead of the network skb, from Gao feng.
* Make sure we cannot swap of sets with different layer 3 family in
ipset, from Jozsef Kadlecsik.
* Fix possible bogus matching in ipset if hash sets with net elements
are used, from Oliver Smith.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Sridhar Samudrala [Tue, 17 Sep 2013 19:12:40 +0000 (12:12 -0700)]
vxlan: Avoid creating fdb entry with NULL destination
Commit
afbd8bae9c798c5cdbe4439d3a50536b5438247c
vxlan: add implicit fdb entry for default destination
creates an implicit fdb entry for default destination. This results
in an invalid fdb entry if default destination is not specified.
For ex:
ip link add vxlan1 type vxlan id 100
creates the following fdb entry
00:00:00:00:00:00 dev vxlan1 dst 0.0.0.0 self permanent
This patch fixes this issue by creating an fdb entry only if a
valid default destination is specified.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Neal Cardwell [Tue, 17 Sep 2013 01:44:20 +0000 (21:44 -0400)]
tcp: fix RTO calculated from cached RTT
Commit
1b7fdd2ab5852 ("tcp: do not use cached RTT for RTT estimation")
did not correctly account for the fact that crtt is the RTT shifted
left 3 bits. Fix the calculation to consistently reflect this fact.
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-By: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Avinash Kumar [Mon, 16 Sep 2013 16:09:41 +0000 (21:39 +0530)]
drivers: net: phy: cicada.c: clears warning Use #include <linux/io.h> instead of <asm/io.h>
clears following warnings :
WARNING: Use include <linux/io.h> instead of <asm/io.h>
WARNING: Use include <linux/uaccess.h> instead of <asm/uaccess.h>
Signed-off-by: Avinash Kumar <avi.kp.137@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric W. Biederman [Mon, 16 Sep 2013 23:52:41 +0000 (16:52 -0700)]
net loopback: Set loopback_dev to NULL when freed
It has recently turned up that we have a number of long standing bugs
in the network stack cleanup code with use of the loopback device
after it has been freed that have not turned up because in most cases
the storage allocated to the loopback device is not reused, when those
accesses happen.
Set looback_dev to NULL to trigger oopses instead of silent data corrupt
when we hit this class of bug.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Mon, 16 Sep 2013 23:22:33 +0000 (19:22 -0400)]
atomic_open: take care of EEXIST in no-open case with O_CREAT|O_EXCL in fs/namei.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Antonio Quartulli [Wed, 11 Sep 2013 17:14:44 +0000 (19:14 +0200)]
batman-adv: set the TAG flag for the vid passed to BLA
When receiving or sending a packet a packet on a VLAN, the
vid has to be marked with the TAG flag in order to make any
component in batman-adv understand that the packet is coming
from a really tagged network.
This fix the Bridge Loop Avoidance behaviour which was not
able to send announces over VLAN interfaces.
Introduced by
0b1da1765fdb00ca5d53bc95c9abc70dfc9aae5b
("batman-adv: change VID semantic in the BLA code")
Signed-off-by: Antonio Quartulli <antonio@open-mesh.org>
Acked-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Ralf Baechle [Tue, 17 Sep 2013 08:25:47 +0000 (10:25 +0200)]
MIPS: Optimize current_cpu_type() for better code.
o Move current_cpu_type() to a separate header file
o #ifdefing on supported CPU types lets modern GCC know that certain
code in callers may be discarded ideally turning current_cpu_type() into
a function returning a constant.
o Use current_cpu_type() rather than direct access to struct cpuinfo_mips.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5833/
Gleb Natapov [Sun, 15 Sep 2013 08:07:23 +0000 (11:07 +0300)]
KVM: VMX: set "blocked by NMI" flag if EPT violation happens during IRET from NMI
Set "blocked by NMI" flag if EPT violation happens during IRET from NMI
otherwise NMI can be called recursively causing stack corruption.
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Ralf Baechle [Tue, 17 Sep 2013 10:44:31 +0000 (12:44 +0200)]
MIPS: Fix accessing to per-cpu data when flushing the cache
This fixes the following issue
BUG: using smp_processor_id() in preemptible [
00000000] code: kjournald/1761
caller is blast_dcache32+0x30/0x254
Call Trace:
[<
8047f02c>] dump_stack+0x8/0x34
[<
802e7e40>] debug_smp_processor_id+0xe0/0xf0
[<
80114d94>] blast_dcache32+0x30/0x254
[<
80118484>] r4k_dma_cache_wback_inv+0x200/0x288
[<
80110ff0>] mips_dma_map_sg+0x108/0x180
[<
80355098>] ide_dma_prepare+0xf0/0x1b8
[<
8034eaa4>] do_rw_taskfile+0x1e8/0x33c
[<
8035951c>] ide_do_rw_disk+0x298/0x3e4
[<
8034a3c4>] do_ide_request+0x2e0/0x704
[<
802bb0dc>] __blk_run_queue+0x44/0x64
[<
802be000>] queue_unplugged.isra.36+0x1c/0x54
[<
802beb94>] blk_flush_plug_list+0x18c/0x24c
[<
802bec6c>] blk_finish_plug+0x18/0x48
[<
8026554c>] journal_commit_transaction+0x3b8/0x151c
[<
80269648>] kjournald+0xec/0x238
[<
8014ac00>] kthread+0xb8/0xc0
[<
8010268c>] ret_from_kernel_thread+0x14/0x1c
Caches in most systems are identical - but not always, so we can't avoid
the use of smp_call_function() by just looking at the boot CPU's data,
have to fiddle with preemption instead.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5835