Jesper Dangaard Brouer [Sat, 4 Jan 2014 13:10:43 +0000 (14:10 +0100)]
netfilter: only warn once on wrong seqadj usage
Avoid potentially spamming the kernel log with WARN splash messages
when catching wrong usage of seqadj, by simply using WARN_ONCE.
This is a followup to commit
db12cf274353 (netfilter: WARN about
wrong usage of sequence number adjustments)
Suggested-by: Flavio Leitner <fbl@redhat.com>
Suggested-by: Daniel Borkmann <dborkman@redhat.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Daniel Borkmann [Tue, 31 Dec 2013 15:28:39 +0000 (16:28 +0100)]
netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper
Commit
5901b6be885e attempted to introduce IPv6 support into
IRC NAT helper. By doing so, the following code seemed to be removed
by accident:
ip = ntohl(exp->master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip);
sprintf(buffer, "%u %u", ip, port);
pr_debug("nf_nat_irc: inserting '%s' == %pI4, port %u\n", buffer, &ip, port);
This leads to the fact that buffer[] was left uninitialized and
contained some stack value. When we call nf_nat_mangle_tcp_packet(),
we call strlen(buffer) on excatly this uninitialized buffer. If we
are unlucky and the skb has enough tailroom, we overwrite resp. leak
contents with values that sit on our stack into the packet and send
that out to the receiver.
Since the rather informal DCC spec [1] does not seem to specify
IPv6 support right now, we log such occurences so that admins can
act accordingly, and drop the packet. I've looked into XChat source,
and IPv6 is not supported there: addresses are in u32 and print
via %u format string.
Therefore, restore old behaviour as in IPv4, use snprintf(). The
IRC helper does not support IPv6 by now. By this, we can safely use
strlen(buffer) in nf_nat_mangle_tcp_packet() and prevent a buffer
overflow. Also simplify some code as we now have ct variable anyway.
[1] http://www.irchelp.org/irchelp/rfc/ctcpspec.html
Fixes:
5901b6be885e ("netfilter: nf_nat: support IPv6 in IRC NAT helper")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Josh Boyer [Sun, 5 Jan 2014 15:24:01 +0000 (10:24 -0500)]
xen-netback: Include header for vmalloc
Commit
ac3d5ac27735 ("xen-netback: fix guest-receive-side array sizes")
added calls to vmalloc and vfree in the interface.c file without including
<linux/vmalloc.h>. This causes build failures if the
-Werror=implicit-function-declaration flag is passed.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Mon, 6 Jan 2014 00:45:50 +0000 (01:45 +0100)]
net: 6lowpan: fix lowpan_header_create non-compression memcpy call
In function lowpan_header_create(), we invoke the following code
construct:
struct ipv6hdr *hdr;
...
hdr = ipv6_hdr(skb);
...
if (...)
memcpy(hc06_ptr + 1, &hdr->flow_lbl[1], 2);
else
memcpy(hc06_ptr, &hdr, 4);
Where the else path of the condition, that is, non-compression
path, calls memcpy() with a pointer to struct ipv6hdr *hdr as
source, thus two levels of indirection. This cannot be correct,
and likely only one level of pointer was intended as source
buffer for memcpy() here.
Fixes:
44331fe2aa0d ("IEEE802.15.4: 6LoWPAN basic support")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Cc: Werner Almesberger <werner@almesberger.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabio Estevam [Mon, 6 Jan 2014 00:08:25 +0000 (22:08 -0200)]
fec: Revert "fec: Do not assume that PHY reset is active low"
In order to keep DT compatibility we need to revert this, otherwise the original
dts files will no longer work with this driver change.
This reverts commit
7a399e3a2e05bc580a78ea72371b3896827f72e1.
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 6 Jan 2014 01:23:12 +0000 (20:23 -0500)]
Merge branch 'bnx2x'
Yuval Mintz says:
====================
bnx2x: Bug fixes patch series
Most of what this parch series contains is SR-IOV related bug fixes.
Additionally, it contains some small fixes for legacy devices/modes.
Please consider applying these patches to `net'.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Yuval Mintz [Sun, 5 Jan 2014 16:33:54 +0000 (18:33 +0200)]
bnx2x: fix VLAN configuration for VFs.
If the hypervisor configures a vlan for the VF via the PF, the expected
result is that only packets tagged by said vlan will be received by the VF
(and that vlan will be silently removed).
Due to an incorrect manipulation of vlan filters in the driver, the
VF can receive untagged traffic even if the hypervisor configured
some vlan for it.
This patch corrects the behaviour.
Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yuval Mintz [Sun, 5 Jan 2014 16:33:53 +0000 (18:33 +0200)]
bnx2x: fix AFEX memory overflow
There are 2 different (related) flows in the slowpath configuration
that utilize the same pointer and cast it to different structs;
This is obviously incorrect as the intended allocated memory is that
of the smaller struct, possibly causing the flow utilizing the larger
struct to corrupt other slowpath configuration.
Since both flows are exclusive, set the allocated memory to be a union
of both structs.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Kalderon [Sun, 5 Jan 2014 16:33:52 +0000 (18:33 +0200)]
bnx2x: Clean before update RSS arrives
When a PF receives a VF message indicating a change in RSS properties
it should clean the flags' bit-fields; Otherwise, it's possible that
some random values will be considered as flags by the lower layers configuring
the RSS in FW.
Signed-off-by: Michal Kalderon <michals@broadcom.com>
Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Kalderon [Sun, 5 Jan 2014 16:33:51 +0000 (18:33 +0200)]
bnx2x: Correct number of MSI-X vectors for VFs
Number of VFs in PCIe configuration space is zero-based. Driver incorrectly
sets the number of VFs to be larger by one than what actually is feasible by
HW, which might cause later VFs to fail to allocate their MSI-X interrupts.
Signed-off-by: Michal Kalderon <michals@broadcom.com>
Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Kravkov [Sun, 5 Jan 2014 16:33:50 +0000 (18:33 +0200)]
bnx2x: limit number of interrupt vectors for 57711
Original straightforward division may lead to zeroing number of SB and
null-pointer dereference when device is short of MSIX vectors or lacks
MSIX capabilities.
Reported-by: Vladislav Zolotarov <vladz@cloudius-systems.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Shahed Shaikh [Fri, 3 Jan 2014 06:34:28 +0000 (01:34 -0500)]
qlcnic: Fix bug in Tx completion path
o Driver is using common tx_clean_lock for all Tx queues. This patch
adds per queue tx_clean_lock.
o Driver is not updating sw_consumer while processing Tx completion
when interface is going down. Fixed in this patch.
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hangbin Liu [Fri, 3 Jan 2014 03:33:45 +0000 (11:33 +0800)]
infiniband: make sure the src net is infiniband when create new link
When we create a new infiniband link with uninfiniband device, e.g. `ip link
add link em1 type ipoib pkey 0x8001`. We will get a NULL pointer dereference
cause other dev like Ethernet don't have struct ib_device.
The code path is:
rtnl_newlink
|-- ipoib_new_child_link
|-- __ipoib_vlan_add
|-- ipoib_set_dev_features
|-- ib_query_device
Fix this bug by make sure the src net is infiniband when create new link.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
fan.du [Fri, 3 Jan 2014 02:18:58 +0000 (10:18 +0800)]
{vxlan, inet6} Mark vxlan_dev flags with VXLAN_F_IPV6 properly
Even if user doesn't supply the physical netdev to attach vxlan dev
to, and at the same time user want to vxlan sit top of IPv6, mark
vxlan_dev flags with VXLAN_F_IPV6 to create IPv6 based socket.
Otherwise kernel crashes safely every time spitting below messages,
Steps to reproduce:
ip link add vxlan0 type vxlan id 42 group ff0e::110
ip link set vxlan0 up
[ 62.656266] BUG: unable to handle kernel NULL pointer dereference[ 62.656320] ip (3008) used greatest stack depth: 3912 bytes left
at
0000000000000046
[ 62.656423] IP: [<
ffffffff816d822d>] ip6_route_output+0xbd/0xe0
[ 62.656525] PGD
2c966067 PUD
2c9a2067 PMD 0
[ 62.656674] Oops: 0000 [#1] SMP
[ 62.656781] Modules linked in: vxlan netconsole deflate zlib_deflate af_key
[ 62.657083] CPU: 1 PID: 2128 Comm: whoopsie Not tainted 3.12.0+ #182
[ 62.657083] Hardware name: innotek GmbH VirtualBox, BIOS VirtualBox 12/01/2006
[ 62.657083] task:
ffff88002e2335d0 ti:
ffff88002c94c000 task.ti:
ffff88002c94c000
[ 62.657083] RIP: 0010:[<
ffffffff816d822d>] [<
ffffffff816d822d>] ip6_route_output+0xbd/0xe0
[ 62.657083] RSP: 0000:
ffff88002fd038f8 EFLAGS:
00210296
[ 62.657083] RAX:
0000000000000000 RBX:
ffff88002fd039e0 RCX:
0000000000000000
[ 62.657083] RDX:
ffff88002fd0eb68 RSI:
ffff88002fd0d278 RDI:
ffff88002fd0d278
[ 62.657083] RBP:
ffff88002fd03918 R08:
0000000002000000 R09:
0000000000000000
[ 62.657083] R10:
00000000000001ff R11:
0000000000000000 R12:
0000000000000001
[ 62.657083] R13:
ffff88002d96b480 R14:
ffffffff81c8e2c0 R15:
0000000000000001
[ 62.657083] FS:
0000000000000000(0000) GS:
ffff88002fd00000(0063) knlGS:
00000000f693b740
[ 62.657083] CS: 0010 DS: 002b ES: 002b CR0:
0000000080050033
[ 62.657083] CR2:
0000000000000046 CR3:
000000002c9d2000 CR4:
00000000000006e0
[ 62.657083] Stack:
[ 62.657083]
ffff88002fd03a40 ffffffff81c8e2c0 ffff88002fd039e0 ffff88002d96b480
[ 62.657083]
ffff88002fd03958 ffffffff816cac8b ffff880019277cc0 ffff8800192b5d00
[ 62.657083]
ffff88002d5bc000 ffff880019277cc0 0000000000001821 0000000000000001
[ 62.657083] Call Trace:
[ 62.657083] <IRQ>
[ 62.657083] [<
ffffffff816cac8b>] ip6_dst_lookup_tail+0xdb/0xf0
[ 62.657083] [<
ffffffff816caea0>] ip6_dst_lookup+0x10/0x20
[ 62.657083] [<
ffffffffa0020c13>] vxlan_xmit_one+0x193/0x9c0 [vxlan]
[ 62.657083] [<
ffffffff8137b3b7>] ? account+0xc7/0x1f0
[ 62.657083] [<
ffffffffa0021513>] vxlan_xmit+0xd3/0x400 [vxlan]
[ 62.657083] [<
ffffffff8161390d>] dev_hard_start_xmit+0x49d/0x5e0
[ 62.657083] [<
ffffffff81613d29>] dev_queue_xmit+0x2d9/0x480
[ 62.657083] [<
ffffffff817cb854>] ? _raw_write_unlock_bh+0x14/0x20
[ 62.657083] [<
ffffffff81630565>] ? eth_header+0x35/0xe0
[ 62.657083] [<
ffffffff8161bc5e>] neigh_resolve_output+0x11e/0x1e0
[ 62.657083] [<
ffffffff816ce0e0>] ? ip6_fragment+0xad0/0xad0
[ 62.657083] [<
ffffffff816cb465>] ip6_finish_output2+0x2f5/0x470
[ 62.657083] [<
ffffffff816ce166>] ip6_finish_output+0x86/0xc0
[ 62.657083] [<
ffffffff816ce218>] ip6_output+0x78/0xb0
[ 62.657083] [<
ffffffff816eadd6>] mld_sendpack+0x256/0x2a0
[ 62.657083] [<
ffffffff816ebd8c>] mld_ifc_timer_expire+0x17c/0x290
[ 62.657083] [<
ffffffff816ebc10>] ? igmp6_timer_handler+0x80/0x80
[ 62.657083] [<
ffffffff816ebc10>] ? igmp6_timer_handler+0x80/0x80
[ 62.657083] [<
ffffffff81051065>] call_timer_fn+0x45/0x150
[ 62.657083] [<
ffffffff816ebc10>] ? igmp6_timer_handler+0x80/0x80
[ 62.657083] [<
ffffffff81052353>] run_timer_softirq+0x1f3/0x2a0
[ 62.657083] [<
ffffffff8102dfd8>] ? lapic_next_event+0x18/0x20
[ 62.657083] [<
ffffffff8109e36f>] ? clockevents_program_event+0x6f/0x110
[ 62.657083] [<
ffffffff8104a2f6>] __do_softirq+0xd6/0x2b0
[ 62.657083] [<
ffffffff8104a75e>] irq_exit+0x7e/0xa0
[ 62.657083] [<
ffffffff8102ea15>] smp_apic_timer_interrupt+0x45/0x60
[ 62.657083] [<
ffffffff817d3eca>] apic_timer_interrupt+0x6a/0x70
[ 62.657083] <EOI>
[ 62.657083] [<
ffffffff817d4a35>] ? sysenter_dispatch+0x7/0x1a
[ 62.657083] Code: 4d 8b 85 a8 02 00 00 4c 89 e9 ba 03 04 00 00 48 c7 c6 c0 be 8d 81 48 c7 c7 48 35 a3 81 31 c0 e8 db 68 0e 00 49 8b 85 a8 02 00 00 <0f> b6 40 46 c0 e8 05 0f b6 c0 c1 e0 03 41 09 c4 e9 77 ff ff ff
[ 62.657083] RIP [<
ffffffff816d822d>] ip6_route_output+0xbd/0xe0
[ 62.657083] RSP <
ffff88002fd038f8>
[ 62.657083] CR2:
0000000000000046
[ 62.657083] ---[ end trace
ba8a9583d7cd1934 ]---
[ 62.657083] Kernel panic - not syncing: Fatal exception in interrupt
Signed-off-by: Fan Du <fan.du@windriver.com>
Reported-by: Ryan Whelan <rcwhelan@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Thadeu Lima de Souza Cascardo [Mon, 23 Dec 2013 17:34:29 +0000 (15:34 -0200)]
cxgb4: allow large buffer size to have page size
Since commit
52367a763d8046190754ab43743e42638564a2d1
("cxgb4/cxgb4vf: Code cleanup to enable T4 Configuration File support"),
we have failures like this during cxgb4 probe:
cxgb4 0000:01:00.4: bad SGE FL page buffer sizes [65536, 65536]
cxgb4: probe of 0000:01:00.4 failed with error -22
This happens whenever software parameters are used, without a
configuration file. That happens when the hardware was already
initialized (after kexec, or after csiostor is loaded).
It happens that these values are acceptable, rendering fl_pg_order equal
to 0, which is the case of a hard init when the page size is equal or
larger than 65536.
Accepting fl_large_pg equal to fl_small_pg solves the issue, and
shouldn't cause any trouble besides a possible performance reduction
when smaller pages are used. And that can be fixed by a configuration
file.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 3 Jan 2014 00:50:52 +0000 (19:50 -0500)]
netpoll: Fix missing TXQ unlock and and OOPS.
The VLAN tag handling code in netpoll_send_skb_on_dev() has two problems.
1) It exits without unlocking the TXQ.
2) It then tries to queue a NULL skb to npinfo->txq.
Reported-by: Ahmed Tamrawi <atamrawi@iastate.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Thu, 2 Jan 2014 06:24:36 +0000 (14:24 +0800)]
ipv6: fix the use of pcpu_tstats in ip6_vti.c
when read/write the 64bit data, the correct lock should be hold.
and we can use the generic vti6_get_stats to return stats, and
not define a new one in ip6_vti.c
Fixes:
87b6d218f3adb ("tunnel: implement 64 bits statistics")
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Thu, 2 Jan 2014 05:20:12 +0000 (13:20 +0800)]
ipv6: fix the use of pcpu_tstats in ip6_tunnel
when read/write the 64bit data, the correct lock should be hold.
Fixes:
87b6d218f3adb ("tunnel: implement 64 bits statistics")
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yasushi Asano [Tue, 31 Dec 2013 03:04:19 +0000 (12:04 +0900)]
ipv6 addrconf: fix preferred lifetime state-changing behavior while valid_lft is infinity
Fixed a problem with setting the lifetime of an IPv6
address. When setting preferred_lft to a value not zero or
infinity, while valid_lft is infinity(0xffffffff) preferred
lifetime is set to forever and does not update. Therefore
preferred lifetime never becomes deprecated. valid lifetime
and preferred lifetime should be set independently, even if
valid lifetime is infinity, preferred lifetime must expire
correctly (meaning it must eventually become deprecated)
Signed-off-by: Yasushi Asano <yasushi.asano@jp.fujitsu.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Mon, 30 Dec 2013 22:40:50 +0000 (23:40 +0100)]
net: llc: fix use after free in llc_ui_recvmsg
While commit
30a584d944fb fixes datagram interface in LLC, a use
after free bug has been introduced for SOCK_STREAM sockets that do
not make use of MSG_PEEK.
The flow is as follow ...
if (!(flags & MSG_PEEK)) {
...
sk_eat_skb(sk, skb, false);
...
}
...
if (used + offset < skb->len)
continue;
... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
original length and work on skb_len to check partial reads.
Fixes:
30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jason Wang [Mon, 30 Dec 2013 03:34:40 +0000 (11:34 +0800)]
virtio-net: fix refill races during restore
During restoring, try_fill_recv() was called with neither napi lock nor napi
disabled. This can lead two try_fill_recv() was called in the same time. Fix
this by refilling before trying to enable napi.
Fixes
0741bcb5584f9e2390ae6261573c4de8314999f2
(virtio: net: Add freeze, restore handlers to support S4).
Cc: Amit Shah <amit.shah@redhat.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wei-Chun Chao [Thu, 26 Dec 2013 21:10:22 +0000 (13:10 -0800)]
ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC
VM to VM GSO traffic is broken if it goes through VXLAN or GRE
tunnel and the physical NIC on the host supports hardware VXLAN/GRE
GSO offload (e.g. bnx2x and next-gen mlx4).
Two issues -
(VXLAN) VM traffic has SKB_GSO_DODGY and SKB_GSO_UDP_TUNNEL with
SKB_GSO_TCP/UDP set depending on the inner protocol. GSO header
integrity check fails in udp4_ufo_fragment if inner protocol is
TCP. Also gso_segs is calculated incorrectly using skb->len that
includes tunnel header. Fix: robust check should only be applied
to the inner packet.
(VXLAN & GRE) Once GSO header integrity check passes, NULL segs
is returned and the original skb is sent to hardware. However the
tunnel header is already pulled. Fix: tunnel header needs to be
restored so that hardware can perform GSO properly on the original
packet.
Signed-off-by: Wei-Chun Chao <weichunc@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 2 Jan 2014 19:39:44 +0000 (14:39 -0500)]
sctp: Remove outqueue empty state
The SCTP outqueue structure maintains a data chunks
that are pending transmission, the list of chunks that
are pending a retransmission and a length of data in
flight. It also tries to keep the emtpy state so that
it can performe shutdown sequence or notify user.
The problem is that the empy state is inconsistently
tracked. It is possible to completely drain the queue
without sending anything when using PR-SCTP. In this
case, the empty state will not be correctly state as
report by Jamal Hadi Salim <jhs@mojatatu.com>. This
can cause an association to be perminantly stuck in the
SHUTDOWN_PENDING state.
Additionally, SCTP is incredibly inefficient when setting
the empty state. Even though all the data is availaible
in the outqueue structure, we ignore it and walk a list
of trasnports.
In the end, we can completely remove the extra empty
state and figure out if the queue is empty by looking
at 3 things: length of pending data, length of in-flight
data, and exisiting of retransmit data. All of these
are already in the strucutre.
Reported-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Manish Chopra [Thu, 2 Jan 2014 18:38:44 +0000 (13:38 -0500)]
qlcnic: Fix resource allocation for TX queues
o TX queues allocation was getting distributed equally among all the
functions of the port including VFs and PF. Which was leading to failure
in PF's multiple TX queues creation.
o Instead of dividing queues equally allocate one TX queue for each VF as VF
doesn't support multiple TX queues.
Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Manish Chopra [Thu, 2 Jan 2014 18:38:43 +0000 (13:38 -0500)]
qlcnic: Fix loopback diagnostic test
o Adapter requires that if the port is in loopback mode no traffic should
be flowing through that port, so on arrival of Link up AEN, do not advertise
Link up to the stack until port is out of loopback mode
Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Thu, 2 Jan 2014 00:49:36 +0000 (08:49 +0800)]
ipv6: fix the use of pcpu_tstats in sit
when read/write the 64bit data, the correct lock should be hold.
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Wed, 1 Jan 2014 22:04:25 +0000 (23:04 +0100)]
net: llc: fix order of evaluation in llc_conn_ac_inc_vr_by_1
Function llc_conn_ac_inc_vr_by_1() evaluates via macro
PDU_GET_NEXT_Vr() into ...
llc_sk(sk)->vR = ++llc_sk(sk)->vR & 0xffffffffffffff7f
... but the order in which the side effects take place is
undefined because there is no intervening sequence point.
As llc_sk(sk)->vR is written in llc_sk(sk)->vR (assignment
left-hand side) and written in ++llc_sk(sk)->vR & 0xffffffffffffff7f
this might possibly yield undefined behavior.
The final value of llc_sk(sk)->vR is ambiguous, because,
depending on the order of expression evaluation, the
increment may occur before, after, or interleaved with
the assignment. In C, evaluating such an expression yields
undefined behavior.
Since we're doing the increment via PDU_GET_NEXT_Vr() macro
and the only place it is being used is from
llc_conn_ac_inc_vr_by_1(), in order to increment vR by 1
with a follow-up optimized modulo, rewrite the expression
into ((vR + 1) & CONST) in order to fix this.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Wed, 1 Jan 2014 09:06:45 +0000 (11:06 +0200)]
bnx2x: Fix KR2 work-around detection of BCM8073
KR2 work-around is based on detecting non-KR2 devices which may not link up
in this mode. One such link-partner is the BCM8073 which has specific
advertisement characteristics in specific mode, and this condition was not set
correctly.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Wed, 1 Jan 2014 09:06:44 +0000 (11:06 +0200)]
bnx2x: Fix incorrect link-up report
Fix a problem where link is reported to be up when SFP+ module is plugged in
without cable. This occurs with specific module types which may generate
temporary TX_FAULT indication. Solution is to avoid changing any link parameters
when checking TX_FAULT indication while physical link is down.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Wed, 1 Jan 2014 09:06:43 +0000 (11:06 +0200)]
bnx2x: Fix Duplex setting for 54618se
BCM54618SE is used to advertise half-duplex even if HD was not requested by the
user. This change makes the legacy speed/duplex advertisement for this PHY
exactly according to the requested speed and duplex.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Wed, 1 Jan 2014 09:06:42 +0000 (11:06 +0200)]
bnx2x: Fix passive DAC cable detection
Fix Passive DAC detection for specific cables, such that even in case
SFP_CABLE_TECHNOLOGY option is not set in the EEPROM (offset 8), treat it as a
passive DAC cable, since some cables don't have this indication.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Wed, 1 Jan 2014 09:06:41 +0000 (11:06 +0200)]
bnx2x: Fix 578xx-KR 1G link
Fix a problem where 578xx-KR is unable to get link when connected to 1G link
partner. Two fixes were required:
One was to force CL37 sync_status low to prevent Warpcore from getting stuck in
CL73 parallel detect loop while link partner is sending.
Second fix was to enable auto-detect mode, thus allowing the Warpcore to select
the higher speed protocol between 10G-KR (over CL73), or go down to 1G over CL73
when there's indication for it.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Octavian Purdila [Mon, 23 Dec 2013 17:06:31 +0000 (19:06 +0200)]
usbnet: mcs7830: rework link state detection
Even with the quirks in commit
dabdaf0c (mcs7830: Fix link state
detection) there are still spurious link-down events for some chips
where the false link-down events count go over a few hundreds.
This patch takes a more conservative approach and only looks at
link-down events where the link-down state is not combined with other
states (e.g. half/full speed, pending frames in SRAM or TX status
information valid). In all other cases we assume the link is up.
Tested on MCS7830CV-DA (USB ID 9710:7830).
Cc: Ondrej Zary <linux@rainbow-software.org>
Cc: Michael Leun <lkml20120218@newton.leun.net>
Cc: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 31 Dec 2013 21:23:35 +0000 (16:23 -0500)]
vlan: Fix header ops passthru when doing TX VLAN offload.
When the vlan code detects that the real device can do TX VLAN offloads
in hardware, it tries to arrange for the real device's header_ops to
be invoked directly.
But it does so illegally, by simply hooking the real device's
header_ops up to the VLAN device.
This doesn't work because we will end up invoking a set of header_ops
routines which expect a device type which matches the real device, but
will see a VLAN device instead.
Fix this by providing a pass-thru set of header_ops which will arrange
to pass the proper real device instead.
To facilitate this add a dev_rebuild_header(). There are
implementations which provide a ->cache and ->create but not a
->rebuild (f.e. PLIP). So we need a helper function just like
dev_hard_header() to avoid crashes.
Use this helper in the one existing place where the
header_ops->rebuild was being invoked, the neighbour code.
With lots of help from Florian Westphal.
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Mon, 30 Dec 2013 22:31:11 +0000 (14:31 -0800)]
Merge tag 'dt-fixes-for-3.13' of git://git./linux/kernel/git/robh/linux
Pull devicetree fixes from Rob Herring:
- Fix 2 regressions found on PPC
- Allow NULL ptr in unflatten_and_copy_device_tree
- Update my email address
* tag 'dt-fixes-for-3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
MAINTAINERS: Update Rob Herring's email address
of/irq: Fix device_node refcount in of_irq_parse_raw()
of/Kconfig: Spelling s/one/once/
Revert "of/address: Handle #address-cells > 2 specially"
of: Fix NULL dereference in unflatten_and_copy()
Linus Torvalds [Mon, 30 Dec 2013 18:22:57 +0000 (10:22 -0800)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc
Pull powerpc fixes from Ben Herrenschmidt:
"A bit more endian problems found during testing of 3.13 and a few
other simple fixes and regressions fixes"
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
powerpc: Fix alignment of secondary cpu spin vars
powerpc: Align p_end
powernv/eeh: Add buffer for P7IOC hub error data
powernv/eeh: Fix possible buffer overrun in ioda_eeh_phb_diag()
powerpc: Make 64-bit non-VMX __copy_tofrom_user bi-endian
powerpc: Make unaligned accesses endian-safe for powerpc
powerpc: Fix bad stack check in exception entry
powerpc/512x: dts: disable MPC5125 usb module
powerpc/512x: dts: remove misplaced IRQ spec from 'soc' node (5125)
Rob Herring [Mon, 30 Dec 2013 18:09:47 +0000 (12:09 -0600)]
Merge remote-tracking branch 'grant/devicetree/merge' into dt-fixes
Linus Torvalds [Mon, 30 Dec 2013 17:33:30 +0000 (09:33 -0800)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
"Some holiday bug fixes for 3.13... There is still one bug I'd like to
get fixed before 3.13-final.
The vlan code erroneously assignes the header ops of the underlying
real device to the VLAN device above it when the real device can
hardware offload VLAN handling. That's completely bogus because
header ops are tied to the device type, so they only expect to see a
'dev' argument compatible with their ops.
The fix is the have the VLAN code use a special set of header ops that
does the pass-thru correctly, by calling the underlying real device's
header ops but _also_ passing in the real device instead of the VLAN
device.
That fix is currently waiting some testing.
Anyways, of note here:
1) Fix bitmap edge case in radiotap, from Johannes Berg.
2) Fix oops on driver unload in rtlwifi, from Larry Finger.
3) Bonding doesn't do locking correctly during speed/duplex/link
changes, from Ding Tianhong.
4) Fix header parsing in GRE code, this bug has been around for a few
releases. From Timo Teräs.
5) SIT tunnel driver MTU check needs to take GSO into account, from
Eric Dumazet.
6) Minor info leak in inet_diag, from Daniel Borkmann.
7) Info leak in YAM hamradio driver, from Salva Peiró.
8) Fix route expiration state handling in ipv6 routing code, from Li
RongQing.
9) DCCP probe module does not check request_module()'s return value,
from Wang Weidong.
10) cpsw driver passes NULL device names to request_irq(), from
Mugunthan V N.
11) Prevent a NULL splat in RDS binding code, from Sasha Levin.
12) Fix 4G overflow test in tg3 driver, from Nithin Sujir.
13) Cure use after free in arc_emac and fec driver's software
timestamp handling, from Eric Dumazet.
14) SIT driver can fail to release the route when
iptunnel_handle_offloads() throws an error. From Li RongQing.
15) Several batman-adv fixes from Simon Wunderlich and Antonio
Quartulli.
16) Fix deadlock during TIPC socket release, from Ying Xue.
17) Fix regression in ROSE protocol recvmsg() msg_name handling, from
Florian Westphal.
18) stmmac PTP support releases wrong spinlock, from Vince Bridgers"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
stmmac: Fix incorrect spinlock release and PTP cap detection.
phy: IRQ cannot be shared
net: rose: restore old recvmsg behavior
xen-netback: fix guest-receive-side array sizes
fec: Do not assume that PHY reset is active low
tipc: fix deadlock during socket release
netfilter: nf_tables: fix wrong datatype in nft_validate_data_load()
batman-adv: fix vlan header access
batman-adv: clean nf state when removing protocol header
batman-adv: fix alignment for batadv_tvlv_tt_change
batman-adv: fix size of batadv_bla_claim_dst
batman-adv: fix size of batadv_icmp_header
batman-adv: fix header alignment by unrolling batadv_header
batman-adv: fix alignment for batadv_coded_packet
netfilter: nf_tables: fix oops when updating table with user chains
netfilter: nf_tables: fix dumping with large number of sets
ipv6: release dst properly in ipip6_tunnel_xmit
netxen: Correct off-by-one errors in bounds checks
net: Add some clarification to skb_tx_timestamp() comment.
arc_emac: fix potential use after free
...
Rob Herring [Tue, 3 Dec 2013 16:20:16 +0000 (10:20 -0600)]
MAINTAINERS: Update Rob Herring's email address
My Calxeda email address is going away.
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Cédric Le Goater [Tue, 17 Dec 2013 17:32:53 +0000 (18:32 +0100)]
of/irq: Fix device_node refcount in of_irq_parse_raw()
Commit
2361613206e6, "of/irq: Refactor interrupt-map parsing" changed
the refcount on the device_node causing an error in of_node_put():
ERROR: Bad of_node_put() on /pci@
800000020000000
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.13.0-rc3-dirty #2
Call Trace:
[
c00000003e403500] [
c0000000000144fc] .show_stack+0x7c/0x1f0 (unreliable)
[
c00000003e4035d0] [
c00000000070f250] .dump_stack+0x88/0xb4
[
c00000003e403650] [
c0000000005e8768] .of_node_release+0xd8/0xf0
[
c00000003e4036e0] [
c0000000005eeafc] .of_irq_parse_one+0x10c/0x280
[
c00000003e4037a0] [
c0000000005efd4c] .of_irq_parse_pci+0x3c/0x1d0
[
c00000003e403840] [
c000000000038240] .pcibios_setup_device+0xa0/0x2e0
[
c00000003e403910] [
c0000000000398f0] .pcibios_setup_bus_devices+0x60/0xd0
[
c00000003e403990] [
c00000000003b3a4] .__of_scan_bus+0x1a4/0x2b0
[
c00000003e403a80] [
c00000000003a62c] .pcibios_scan_phb+0x30c/0x410
[
c00000003e403b60] [
c0000000009fe430] .pcibios_init+0x7c/0xd4
This patch adjusts the refcount in the walk of the interrupt tree.
When a match is found, there is no need to increase the refcount
on 'out_irq->np' as 'newpar' is already holding a ref. The refcount
balance between 'ipar' and 'newpar' is maintained in the skiplevel:
goto label.
This patch also removes the usage of the device_node variable 'old'
which seems useless after the latest changes.
Signed-off-by: Cédric Le Goater <clg@fr.ibm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Geert Uytterhoeven [Tue, 24 Dec 2013 20:06:01 +0000 (21:06 +0100)]
of/Kconfig: Spelling s/one/once/
Signed-off-by: Geert Uytterhoeven <geert+renesas@linux-m68k.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Rob Herring [Mon, 30 Dec 2013 01:37:43 +0000 (19:37 -0600)]
Revert "of/address: Handle #address-cells > 2 specially"
This reverts commit
e38c0a1fbc5803cbacdaac0557c70ac8ca5152e7.
Nikita Yushchenko reports:
While trying to make freescale p2020ds and mpc8572ds boards working
with mainline kernel, I faced that commit
e38c0a1f (Handle
Both these boards have uli1575 chip.
Corresponding part in device tree is something like
uli1575@0 {
reg = <0x0 0x0 0x0 0x0 0x0>;
#size-cells = <2>;
#address-cells = <3>;
ranges = <0x2000000 0x0 0x80000000
0x2000000 0x0 0x80000000
0x0 0x20000000
0x1000000 0x0 0x0
0x1000000 0x0 0x0
0x0 0x10000>;
isa@1e {
...
I.e. it has #address-cells = <3>
With commit
e38c0a1f reverted, devices under uli1575 are registered
correctly, e.g. for rtc
OF: ** translation for device /pcie@
ffe09000/pcie@0/uli1575@0/isa@1e/rtc@70 **
OF: bus is isa (na=2, ns=1) on /pcie@
ffe09000/pcie@0/uli1575@0/isa@1e
OF: translating address:
00000001 00000070
OF: parent bus is default (na=3, ns=2) on /pcie@
ffe09000/pcie@0/uli1575@0
OF: walking ranges...
OF: ISA map, cp=0, s=1000, da=70
OF: parent translation for:
01000000 00000000 00000000
OF: with offset: 70
OF: one level translation:
00000000 00000000 00000070
OF: parent bus is pci (na=3, ns=2) on /pcie@
ffe09000/pcie@0
OF: walking ranges...
OF: default map, cp=
a0000000, s=
20000000, da=70
OF: default map, cp=0, s=10000, da=70
OF: parent translation for:
01000000 00000000 00000000
OF: with offset: 70
OF: one level translation:
01000000 00000000 00000070
OF: parent bus is pci (na=3, ns=2) on /pcie@
ffe09000
OF: walking ranges...
OF: PCI map, cp=0, s=10000, da=70
OF: parent translation for:
01000000 00000000 00000000
OF: with offset: 70
OF: one level translation:
01000000 00000000 00000070
OF: parent bus is default (na=2, ns=2) on /
OF: walking ranges...
OF: PCI map, cp=0, s=10000, da=70
OF: parent translation for:
00000000 ffc10000
OF: with offset: 70
OF: one level translation:
00000000 ffc10070
OF: reached root node
With commit
e38c0a1f in place, address translation fails:
OF: ** translation for device /pcie@
ffe09000/pcie@0/uli1575@0/isa@1e/rtc@70 **
OF: bus is isa (na=2, ns=1) on /pcie@
ffe09000/pcie@0/uli1575@0/isa@1e
OF: translating address:
00000001 00000070
OF: parent bus is default (na=3, ns=2) on /pcie@
ffe09000/pcie@0/uli1575@0
OF: walking ranges...
OF: ISA map, cp=0, s=1000, da=70
OF: parent translation for:
01000000 00000000 00000000
OF: with offset: 70
OF: one level translation:
00000000 00000000 00000070
OF: parent bus is pci (na=3, ns=2) on /pcie@
ffe09000/pcie@0
OF: walking ranges...
OF: default map, cp=
a0000000, s=
20000000, da=70
OF: default map, cp=0, s=10000, da=70
OF: not found !
Thierry Reding confirmed this commit was not needed after all:
"We ended up merging a different address representation for Tegra PCIe
and I've confirmed that reverting this commit doesn't cause any obvious
regressions. I think all other drivers in drivers/pci/host ended up
copying what we did on Tegra, so I wouldn't expect any other breakage
either."
There doesn't appear to be a simple way to support both behaviours, so
reverting this as nothing should be depending on the new behaviour.
Cc: stable@vger.kernel.org # v3.7+
Signed-off-by: Rob Herring <robh@kernel.org>
Benjamin Herrenschmidt [Mon, 30 Dec 2013 03:48:27 +0000 (14:48 +1100)]
Merge remote-tracking branch 'agust/merge' into merge
Anatolij writes:
Please pull two DTS fixes for MPC5125 tower board. Without
them the v3.13-rcX kernels do not boot.
Vince Bridgers [Fri, 20 Dec 2013 17:19:34 +0000 (11:19 -0600)]
stmmac: Fix incorrect spinlock release and PTP cap detection.
This patch corrects a problem in stmmac_ptp.c, functions
stmmac_adjust_time and stmmac_adjust_freq where the incorrect spinlocks
were released. This patch also addresses a problem in stmmac_main,
function stmmac_init_ptp where the capability detection for
advanced timestamping was masked by message masking.
This patch was touch tested using linuxptp, and runs without the previously
observed instabilities. More extensive testing is ongoing.
Vince
Signed-off-by: Vince Bridgers <vbridgers2013@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergei Shtylyov [Fri, 20 Dec 2013 19:09:04 +0000 (22:09 +0300)]
phy: IRQ cannot be shared
With the way PHY IRQ handler is implemented (all real handling being pushed to
the workqueue and returning IRQ_HANDLED all the time PHY is active), we cannot
really claim that PHY IRQ can be shared when calling request_irq().
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Sun, 22 Dec 2013 23:32:31 +0000 (00:32 +0100)]
net: rose: restore old recvmsg behavior
recvmsg handler in net/rose/af_rose.c performs size-check ->msg_namelen.
After commit
f3d3342602f8bcbf37d7c46641cb9bca7618eb1c
(net: rework recvmsg handler msg_name and msg_namelen logic), we now
always take the else branch due to namelen being initialized to 0.
Digging in netdev-vger-cvs git repo shows that msg_namelen was
initialized with a fixed-size since at least 1995, so the else branch
was never taken.
Compile tested only.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Durrant [Mon, 23 Dec 2013 09:27:17 +0000 (09:27 +0000)]
xen-netback: fix guest-receive-side array sizes
The sizes chosen for the metadata and grant_copy_op arrays on the guest
receive size are wrong;
- The meta array is needlessly twice the ring size, when we only ever
consume a single array element per RX ring slot
- The grant_copy_op array is way too small. It's sized based on a bogus
assumption: that at most two copy ops will be used per ring slot. This
may have been true at some point in the past but it's clear from looking
at start_new_rx_buffer() that a new ring slot is only consumed if a frag
would overflow the current slot (plus some other conditions) so the actual
limit is MAX_SKB_FRAGS grant_copy_ops per ring slot.
This patch fixes those two sizing issues and, because grant_copy_ops grows
so much, it pulls it out into a separate chunk of vmalloc()ed memory.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabio Estevam [Tue, 24 Dec 2013 14:16:01 +0000 (12:16 -0200)]
fec: Do not assume that PHY reset is active low
We should not assume that the PHY reset is always active low.
Retrieve this information from the device tree instead, so that the PHY reset
can work on both cases.
Reported-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Fri, 27 Dec 2013 02:18:28 +0000 (10:18 +0800)]
tipc: fix deadlock during socket release
A deadlock might occur if name table is withdrawn in socket release
routine, and while packets are still being received from bearer.
CPU0 CPU1
T0: recv_msg() release()
T1: tipc_recv_msg() tipc_withdraw()
T2: [grab node lock] [grab port lock]
T3: tipc_link_wakeup_ports() tipc_nametbl_withdraw()
T4: [grab port lock]* named_cluster_distribute()
T5: wakeupdispatch() tipc_link_send()
T6: [grab node lock]*
The opposite order of holding port lock and node lock on above two
different paths may result in a deadlock. If socket lock instead of
port lock is used to protect port instance in tipc_withdraw(), the
reverse order of holding port lock and node lock will be eliminated,
as a result, the deadlock is killed as well.
Reported-by: Lars Everbrand <lars.everbrand@ericsson.com>
Reviewed-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Olof Johansson [Sat, 28 Dec 2013 21:01:47 +0000 (13:01 -0800)]
powerpc: Fix alignment of secondary cpu spin vars
Commit
5c0484e25ec0 ('powerpc: Endian safe trampoline') resulted in
losing proper alignment of the spinlock variables used when booting
secondary CPUs, causing some quite odd issues with failing to boot on
PA Semi-based systems.
This showed itself on ppc64_defconfig, but not on pasemi_defconfig,
so it had gone unnoticed when I initially tested the LE patch set.
Fix is to add explicit alignment instead of relying on good luck. :)
[ It appears that there is a different issue with PA Semi systems
however this fix is definitely correct so applying anyway -- BenH
]
Fixes:
5c0484e25ec0 ('powerpc: Endian safe trampoline')
Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=67811
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Anton Blanchard [Mon, 23 Dec 2013 01:19:51 +0000 (12:19 +1100)]
powerpc: Align p_end
p_end is an 8 byte value embedded in the text section. This means it
is only 4 byte aligned when it should be 8 byte aligned. Fix this
by adding an explicit alignment.
This fixes an issue where POWER7 little endian builds with
CONFIG_RELOCATABLE=y fail to boot.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Brian W Hart [Fri, 20 Dec 2013 19:06:01 +0000 (13:06 -0600)]
powernv/eeh: Add buffer for P7IOC hub error data
Prevent ioda_eeh_hub_diag() from clobbering itself when called by supplying
a per-PHB buffer for P7IOC hub diagnostic data. Take care to inform OPAL of
the correct size for the buffer.
[Small style change to the use of sizeof -- BenH]
Signed-off-by: Brian W Hart <hartb@linux.vnet.ibm.com>
Acked-by: Gavin Shan <shangw@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Brian W Hart [Thu, 19 Dec 2013 23:14:07 +0000 (17:14 -0600)]
powernv/eeh: Fix possible buffer overrun in ioda_eeh_phb_diag()
PHB diagnostic buffer may be smaller than PAGE_SIZE, especially when
PAGE_SIZE > 4KB.
Signed-off-by: Brian W Hart <hartb@linux.vnet.ibm.com>
Acked-by: Gavin Shan <shangw@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Paul E. McKenney [Tue, 17 Dec 2013 22:29:57 +0000 (09:29 +1100)]
powerpc: Make 64-bit non-VMX __copy_tofrom_user bi-endian
The powerpc 64-bit __copy_tofrom_user() function uses shifts to handle
unaligned invocations. However, these shifts were designed for
big-endian systems: On little-endian systems, they must shift in the
opposite direction.
This commit relies on the C preprocessor to insert the correct shifts
into the assembly code.
[ This is a rare but nasty LE issue. Most of the time we use the POWER7
optimised __copy_tofrom_user_power7 loop, but when it hits an exception
we fall back to the base __copy_tofrom_user loop. - Anton ]
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Rajesh B Prathipati [Mon, 16 Dec 2013 07:58:22 +0000 (18:58 +1100)]
powerpc: Make unaligned accesses endian-safe for powerpc
The generic put_unaligned/get_unaligned macros were made endian-safe by
calling the appropriate endian dependent macros based on the endian type
of the powerpc processor.
Signed-off-by: Rajesh B Prathipati <rprathip@linux.vnet.ibm.com>
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Neuling [Mon, 16 Dec 2013 04:12:43 +0000 (15:12 +1100)]
powerpc: Fix bad stack check in exception entry
In EXCEPTION_PROLOG_COMMON() we check to see if the stack pointer (r1)
is valid when coming from the kernel. If it's not valid, we die but
with a nice oops message.
Currently we allocate a stack frame (subtract INT_FRAME_SIZE) before we
check to see if the stack pointer is negative. Unfortunately, this
won't detect a bad stack where r1 is less than INT_FRAME_SIZE.
This patch fixes the check to compare the modified r1 with
-INT_FRAME_SIZE. With this, bad kernel stack pointers (including NULL
pointers) are correctly detected again.
Kudos to Paulus for finding this.
Signed-off-by: Michael Neuling <mikey@neuling.org>
cc: stable@vger.kernel.org
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Linus Torvalds [Mon, 30 Dec 2013 00:01:33 +0000 (16:01 -0800)]
Linux 3.13-rc6
Linus Torvalds [Sun, 29 Dec 2013 21:49:51 +0000 (13:49 -0800)]
Merge tag 'fixes-for-linus' of git://git./linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Olof Johansson:
"Another smallish batch of fixes, it's been quiet due to the holidays.
Nothing controversial here, a handful of things across the board"
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM: pxa: fix USB gadget driver compilation regression
ARM: OMAP2+: Fix LCD panel backlight regression for LDP legacy booting
ARM: OMAP2+: hwmod_data: fix missing OMAP_INTC_START in irq data
ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL
ARM: shmobile: r8a7790: fix shdi resource sizes
ARM: shmobile: bockw: fixup DMA mask
ARM: shmobile: armadillo: Add PWM backlight power supply
Linus Torvalds [Sun, 29 Dec 2013 21:35:04 +0000 (13:35 -0800)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull x86 fixes from Peter Anvin:
"There is a small EFI fix and a big power regression fix in this batch.
My queue also had a fix for downing a CPU when there are insufficient
number of IRQ vectors available, but I'm holding that one for now due
to recent bug reports"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/efi: Don't select EFI from certain special ACPI drivers
x86 idle: Repair large-server 50-watt idle-power regression
Linus Torvalds [Sun, 29 Dec 2013 21:27:51 +0000 (13:27 -0800)]
Merge tag 'pm+acpi-3.13-rc6' of git://git./linux/kernel/git/rafael/linux-pm
Pull ACPI and power management fixes and new device IDs from Rafael Wysocki:
- Fix for a cpufreq regression causing stale sysfs files to be left
behind during system resume if cpufreq_add_dev() fails for one or
more CPUs from Viresh Kumar.
- Fix for a bug in cpufreq causing CONFIG_CPU_FREQ_DEFAULT_* to be
ignored when the intel_pstate driver is used from Jason Baron.
- System suspend fix for a memory leak in pm_vt_switch_unregister()
that forgot to release objects after removing them from
pm_vt_switch_list. From Masami Ichikawa.
- Intel Valley View device ID and energy unit encoding update for the
(recently added) Intel RAPL (Running Average Power Limit) driver from
Jacob Pan.
- Intel Bay Trail SoC GPIO and ACPI device IDs for the Low Power
Subsystem (LPSS) ACPI driver from Paul Drews.
* tag 'pm+acpi-3.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
powercap / RAPL: add support for ValleyView Soc
PM / sleep: Fix memory leak in pm_vt_switch_unregister().
cpufreq: Use CONFIG_CPU_FREQ_DEFAULT_* to set initial policy for setpolicy drivers
cpufreq: remove sysfs files for CPUs which failed to come back after resume
ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs
David S. Miller [Sun, 29 Dec 2013 05:30:59 +0000 (00:30 -0500)]
Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge
Included changes:
- reset netfilter-bridge state when removing the batman-adv
header from an incoming packet. This prevents netfilter
bridge from being fooled when the same packet enters a
bridge twice (or more): the first time within the
batman-adv header and the second time without.
- adjust the packet layout to prevent any architecture from
adding padding bytes. All the structs sent over the wire
now have size multiple of 4bytes (unless pack(2) is used).
- fix access to the inner vlan_eth header when reading the
VID in the rx path.
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sun, 29 Dec 2013 05:24:28 +0000 (00:24 -0500)]
Merge branch 'master' of git://git./linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter/IPVS fixes for net
This patchset contains four nf_tables fixes, one IPVS fix due to
missing updates in the interaction with the new sedadj conntrack
extension that was added to support the netfilter synproxy code,
and a couple of one-liners to fix netnamespace netfilter issues.
More specifically, they are:
* Fix ipv6_find_hdr() call without offset being explicitly initialized
in nft_exthdr, as required by that function, from Daniel Borkmann.
* Fix oops in nfnetlink_log when using netns and unloading the kernel
module, from Gao feng.
* Fix BUG_ON in nf_ct_timestamp extension after netns is destroyed,
from Helmut Schaa.
* Fix crash in IPVS due to missing sequence adjustment extension being
allocated in the conntrack, from Jesper Dangaard Brouer.
* Add bugtrap to spot a warning in case you deference sequence adjustment
conntrack area when not available, this should help to catch similar
invalid dereferences in the Netfilter tree, also from Jesper.
* Fix incomplete dumping of sets in nf_tables when retrieving by family,
from me.
* Fix oops when updating the table state (dormant <-> active) and having
user (not base ) chains, from me.
* Fix wrong validation in set element data that results in returning
-EINVAL when using the nf_tables dictionary feature with mappings,
also from me.
We don't usually have this amount of fixes by this time (as we're already
in -rc5 of the development cycle), although half of them are related to
nf_tables which is a relatively new thing, and I also believe that holidays
have also delayed the flight of bugfixes to mainstream a bit.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Olof Johansson [Sat, 28 Dec 2013 23:38:32 +0000 (15:38 -0800)]
Merge tag 'omap-for-v3.13/intc-ldp-fix' of git://git./linux/kernel/git/tmlind/linux-omap into fixes
From Tony Lindgren:
Fix a regression for wrong interrupt numbers for some devices after
the sparse IRQ conversion, fix DRA7 console output for earlyprintk,
and fix the LDP LCD backlight when DSS is built into the kernel and
not as a loadable module.
* tag 'omap-for-v3.13/intc-ldp-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
ARM: OMAP2+: Fix LCD panel backlight regression for LDP legacy booting
ARM: OMAP2+: hwmod_data: fix missing OMAP_INTC_START in irq data
ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL
+ v3.13-rc5
Signed-off-by: Olof Johansson <olof@lixom.net>
Olof Johansson [Sat, 28 Dec 2013 23:20:35 +0000 (15:20 -0800)]
Merge tag 'renesas-fixes2-for-v3.13' of git://git./linux/kernel/git/horms/renesas into fixes
From Simon Horman:
Second Round of Renesas ARM based SoC Fixes for v3.13
* r8a7790 (R-Car H2) based Lager board
- Correct SHDI resource sizes
This bug has been present since sdhi resources were added to the r8a7790 by
8c9b1aa41853272a ("ARM: shmobile: r8a7790: add MMCIF and SDHI DT
templates") in v3.11-rc2.
* r8a7778 (R-Car M1) based Bock-W board
- Correct DMA mask
This resolves a regression introduced by
4dcfa60071b3d23f
("ARM: DMA-API: better handing of DMA masks for coherent allocations")
in v3.12-rc1.
* r8a7740 (R-Mobile A1) based Armadillo board
- Add PWM backlight power supply
This resolves a regression introduced by
22ceeee16eb8f0d0
("pwm-backlight: Add power supply support") in v3.12.
* tag 'renesas-fixes2-for-v3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas:
ARM: shmobile: r8a7790: fix shdi resource sizes
ARM: shmobile: bockw: fixup DMA mask
ARM: shmobile: armadillo: Add PWM backlight power supply
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Olof Johansson <olof@lixom.net>
Linus Walleij [Wed, 11 Dec 2013 08:48:58 +0000 (09:48 +0100)]
ARM: pxa: fix USB gadget driver compilation regression
After commit
88f718e3fa4d67f3a8dbe79a2f97d722323e4051
"ARM: pxa: delete the custom GPIO header" a compilation
error was introduced in the PXA25x gadget driver.
An attempt to fix the problem was made in
commit
b144e4ab1ef130e8bf30bcd3e529b7f35112c503
"usb: gadget: fix pxa25x compilation problems"
by explictly stating the driver needs the <mach/hardware.h>
header, which solved the compilation for a few boards,
such as the pxa255-idp and its defconfig.
However the Lubbock board has this special clause in
drivers/usb/gadget/pxa25x_udc.c:
This include file has an implicit dependency on
<mach/irqs.h> having been included before <mach/lubbock.h>
was included.
Before commit
88f718e3fa4d67f3a8dbe79a2f97d722323e4051
"ARM: pxa: delete the custom GPIO header" this implicit
dependency for the pxa25x_udc compile on the Lubbock was
satisfied by <linux/gpio.h> implicitly including
<mach/gpio.h> which was in turn including <mach/irqs.h>,
apart from the earlier added <mach/hardware.h>.
Fix this by having the PXA25x <mach/lubbock.h> explicitly
include <mach/irqs.h>.
Reported-by: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Greg Kroah-Hartmann <gregkh@linuxfoundation.org>
Cc: Felipe Balbi <balbi@ti.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Haojian Zhuang <haojian.zhuang@gmail.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
Pablo Neira Ayuso [Fri, 27 Dec 2013 23:59:38 +0000 (00:59 +0100)]
netfilter: nf_tables: fix wrong datatype in nft_validate_data_load()
This patch fixes dictionary mappings, eg.
add rule ip filter input meta dnat set tcp dport map { 22 => 1.1.1.1, 23 => 2.2.2.2 }
The kernel was returning -EINVAL in nft_validate_data_load() since
the type of the set element data that is passed was the real userspace
datatype instead of NFT_DATA_VALUE.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Antonio Quartulli [Mon, 23 Dec 2013 20:43:39 +0000 (21:43 +0100)]
batman-adv: fix vlan header access
When batadv_get_vid() is invoked in interface_rx() the
batman-adv header has already been removed, therefore
the header_len argument has to be 0.
Introduced by
c018ad3de61a1dc4194879a53e5559e094aa7b1a
("batman-adv: add the VLAN ID attribute to the TT entry")
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Antonio Quartulli [Mon, 23 Dec 2013 00:28:05 +0000 (01:28 +0100)]
batman-adv: clean nf state when removing protocol header
If an interface enslaved into batman-adv is a bridge (or a
virtual interface built on top of a bridge) the nf_bridge
member of the skbs reaching the soft-interface is filled
with the state about "netfilter bridge" operations.
Then, if one of such skbs is locally delivered, the nf_bridge
member should be cleaned up to avoid that the old state
could mess up with other "netfilter bridge" operations when
entering a second bridge.
This is needed because batman-adv is an encapsulation
protocol.
However at the moment skb->nf_bridge is not released at all
leading to bogus "netfilter bridge" behaviours.
Fix this by cleaning the netfilter state of the skb before
it gets delivered to the upper layer in interface_rx().
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Antonio Quartulli [Sun, 15 Dec 2013 12:26:55 +0000 (13:26 +0100)]
batman-adv: fix alignment for batadv_tvlv_tt_change
Make struct batadv_tvlv_tt_change a multiple 4 bytes long
to avoid padding on any architecture.
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Simon Wunderlich [Mon, 2 Dec 2013 19:38:33 +0000 (20:38 +0100)]
batman-adv: fix size of batadv_bla_claim_dst
Since this is a mac address and always 48 bit, and we can assume that
it is always aligned to 2-byte boundaries, add a pack(2) pragma.
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Antonio Quartulli [Thu, 5 Dec 2013 14:33:00 +0000 (15:33 +0100)]
batman-adv: fix size of batadv_icmp_header
struct batadv_icmp_header currently has a size of 17, which
will be padded to 20 on some architectures. Fix this by
unrolling the header into the parent structures.
Moreover keep the ICMP parsing functions as generic as they
are now by using a stub icmp_header struct during packet
parsing.
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Simon Wunderlich [Mon, 2 Dec 2013 19:38:31 +0000 (20:38 +0100)]
batman-adv: fix header alignment by unrolling batadv_header
The size of the batadv_header of 3 is problematic on some architectures
which automatically pad all structures to a 32 bit boundary. To not lose
performance by packing this struct, better embed it into the various
host structures.
Reported-by: Russell King <linux@arm.linux.org.uk>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Simon Wunderlich [Mon, 2 Dec 2013 19:38:30 +0000 (20:38 +0100)]
batman-adv: fix alignment for batadv_coded_packet
The compiler may decide to pad the structure, and then it does not
have the expected size of 46 byte. Fix this by moving it in the
pragma pack(2) part of the code.
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Pablo Neira Ayuso [Fri, 27 Dec 2013 09:44:23 +0000 (10:44 +0100)]
netfilter: nf_tables: fix oops when updating table with user chains
This patch fixes a crash while trying to deactivate a table that
contains user chains. You can reproduce it via:
% nft add table table1
% nft add chain table1 chain1
% nft-table-upd ip table1 dormant
[ 253.021026] BUG: unable to handle kernel NULL pointer dereference at
0000000000000030
[ 253.021114] IP: [<
ffffffff8134cebd>] nf_register_hook+0x35/0x6f
[ 253.021167] PGD
30fa5067 PUD
30fa2067 PMD 0
[ 253.021208] Oops: 0000 [#1] SMP
[...]
[ 253.023305] Call Trace:
[ 253.023331] [<
ffffffffa0885020>] nf_tables_newtable+0x11c/0x258 [nf_tables]
[ 253.023385] [<
ffffffffa0878592>] nfnetlink_rcv_msg+0x1f4/0x226 [nfnetlink]
[ 253.023438] [<
ffffffffa0878418>] ? nfnetlink_rcv_msg+0x7a/0x226 [nfnetlink]
[ 253.023491] [<
ffffffffa087839e>] ? nfnetlink_bind+0x45/0x45 [nfnetlink]
[ 253.023542] [<
ffffffff8134b47e>] netlink_rcv_skb+0x3c/0x88
[ 253.023586] [<
ffffffffa0878973>] nfnetlink_rcv+0x3af/0x3e4 [nfnetlink]
[ 253.023638] [<
ffffffff813fb0d4>] ? _raw_read_unlock+0x22/0x34
[ 253.023683] [<
ffffffff8134af17>] netlink_unicast+0xe2/0x161
[ 253.023727] [<
ffffffff8134b29a>] netlink_sendmsg+0x304/0x332
[ 253.023773] [<
ffffffff8130d250>] __sock_sendmsg_nosec+0x25/0x27
[ 253.023820] [<
ffffffff8130fb93>] sock_sendmsg+0x5a/0x7b
[ 253.023861] [<
ffffffff8130d5d5>] ? copy_from_user+0x2a/0x2c
[ 253.023905] [<
ffffffff8131066f>] ? move_addr_to_kernel+0x35/0x60
[ 253.023952] [<
ffffffff813107b3>] SYSC_sendto+0x119/0x15c
[ 253.023995] [<
ffffffff81401107>] ? sysret_check+0x1b/0x56
[ 253.024039] [<
ffffffff8108dc30>] ? trace_hardirqs_on_caller+0x140/0x1db
[ 253.024090] [<
ffffffff8120164e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 253.024141] [<
ffffffff81310caf>] SyS_sendto+0x9/0xb
[ 253.026219] [<
ffffffff814010e2>] system_call_fastpath+0x16/0x1b
Reported-by: Alex Wei <alex.kern.mentor@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Tue, 24 Dec 2013 17:32:35 +0000 (18:32 +0100)]
netfilter: nf_tables: fix dumping with large number of sets
If not table name is specified, the dumping of the existing sets
may be incomplete with a sufficiently large number of sets and
tables. This patch fixes missing reset of the cursors after
finding the location of the last object that has been included
in the previous multi-part message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Li RongQing [Fri, 20 Dec 2013 09:20:12 +0000 (17:20 +0800)]
ipv6: release dst properly in ipip6_tunnel_xmit
if a dst is not attached to anywhere, it should be released before
exit ipip6_tunnel_xmit, otherwise cause dst memory leakage.
Fixes:
61c1db7fae21 ("ipv6: sit: add GSO/TSO support")
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Gibson [Fri, 20 Dec 2013 04:10:44 +0000 (15:10 +1100)]
netxen: Correct off-by-one errors in bounds checks
netxen_process_lro() contains two bounds checks. One for the ring number
against the number of rings, and one for the Rx buffer ID against the
array of receive buffers.
Both of these have off-by-one errors, using > instead of >=. The correct
versions are used in netxen_process_rcv(), they're just wrong in
netxen_process_lro().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 27 Dec 2013 18:04:33 +0000 (13:04 -0500)]
net: Add some clarification to skb_tx_timestamp() comment.
We've seen so many instances of people invoking skb_tx_timestamp()
after the device already has been given the packet, that it's worth
being a little bit more verbose and explicit in this comment.
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 20 Dec 2013 02:10:40 +0000 (18:10 -0800)]
arc_emac: fix potential use after free
Signed-off-by: Eric Dumazet <edumazet@google.com>
skb_tx_timestamp(skb) should be called _before_ TX completion
has a chance to trigger, otherwise it is too late and we access
freed memory.
Fixes:
e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver")
From: Eric Dumazet <edumazet@google.com>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nithin Sujir [Fri, 20 Dec 2013 01:44:11 +0000 (17:44 -0800)]
tg3: Expand 4g_overflow_test workaround to skb fragments of any size.
The current driver assumes that an skb fragment can only be upto jumbo
size. Presumably this was a fast-path optimization. This assumption is
no longer true as fragments can be upto 32k.
v2: Remove unnecessary parantheses per Eric Dumazet.
Cc: stable@vger.kernel.org
Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tony Lindgren [Fri, 27 Dec 2013 17:51:25 +0000 (09:51 -0800)]
Merge tag 'for-v3.13-rc/hwmod-fixes-b' of git://git./linux/kernel/git/pjw/omap-pending into debug-ll-and-ldp-backlight-fix
A few OMAP hwmod fixes for v3.13-rc. One patch fixes some IRQ
problems with GPMC, RNG, and ISP/IVA MMUs on OMAP2/3. The other fixes
some problems with DEBUG_LL on DRA7xx.
Basic build, boot, and PM test logs are available here:
http://www.pwsan.com/omap/testlogs/hwmod_fixes_b_v3.13-rc/
20131226021920/
Jamal Hadi Salim [Mon, 23 Dec 2013 13:02:11 +0000 (08:02 -0500)]
net_sched: act: Dont increment refcnt on replace
This is a bug fix. The existing code tries to kill many
birds with one stone: Handling binding of actions to
filters, new actions and replacing of action
attributes. A simple test case to illustrate:
XXXX
moja@fe1:~$ sudo tc actions add action drop index 12
moja@fe1:~$ actions get action gact index 12
action order 1: gact action drop
random type none pass val 0
index 12 ref 1 bind 0
moja@fe1:~$ sudo tc actions replace action ok index 12
moja@fe1:~$ actions get action gact index 12
action order 1: gact action drop
random type none pass val 0
index 12 ref 2 bind 0
XXXX
The above shows the refcounf being wrongly incremented on replace.
There are more complex scenarios with binding of actions to filters
that i am leaving out that didnt work as well...
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sasha Levin [Thu, 19 Dec 2013 04:49:42 +0000 (23:49 -0500)]
rds: prevent dereference of a NULL device
Binding might result in a NULL device, which is dereferenced
causing this BUG:
[ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at
000000000000097
4
[ 1317.261847] IP: [<
ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
[ 1317.263315] PGD
418bcb067 PUD
3ceb21067 PMD 0
[ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1317.264179] Dumping ftrace buffer:
[ 1317.264774] (ftrace buffer empty)
[ 1317.265220] Modules linked in:
[ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G W 3.13.0-rc4-
next-20131218-sasha-00013-g2cebb9b-dirty #4159
[ 1317.267415] task:
ffff8803ddf33000 ti:
ffff8803cd31a000 task.ti:
ffff8803cd31a000
[ 1317.268399] RIP: 0010:[<
ffffffff84225f52>] [<
ffffffff84225f52>] rds_ib_laddr_check+
0x82/0x110
[ 1317.269670] RSP: 0000:
ffff8803cd31bdf8 EFLAGS:
00010246
[ 1317.270230] RAX:
0000000000000000 RBX:
ffff88020b0dd388 RCX:
0000000000000000
[ 1317.270230] RDX:
ffffffff8439822e RSI:
00000000000c000a RDI:
0000000000000286
[ 1317.270230] RBP:
ffff8803cd31be38 R08:
0000000000000000 R09:
0000000000000000
[ 1317.270230] R10:
0000000000000000 R11:
0000000000000001 R12:
0000000000000000
[ 1317.270230] R13:
0000000054086700 R14:
0000000000a25de0 R15:
0000000000000031
[ 1317.270230] FS:
00007ff40251d700(0000) GS:
ffff88022e200000(0000) knlGS:
000000000000
0000
[ 1317.270230] CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
[ 1317.270230] CR2:
0000000000000974 CR3:
00000003cd478000 CR4:
00000000000006e0
[ 1317.270230] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 1317.270230] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000090602
[ 1317.270230] Stack:
[ 1317.270230]
0000000054086700 5408670000a25de0 5408670000000002 0000000000000000
[ 1317.270230]
ffffffff84223542 00000000ea54c767 0000000000000000 ffffffff86d26160
[ 1317.270230]
ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280
[ 1317.270230] Call Trace:
[ 1317.270230] [<
ffffffff84223542>] ? rds_trans_get_preferred+0x42/0xa0
[ 1317.270230] [<
ffffffff84223556>] rds_trans_get_preferred+0x56/0xa0
[ 1317.270230] [<
ffffffff8421c9c3>] rds_bind+0x73/0xf0
[ 1317.270230] [<
ffffffff83e4ce62>] SYSC_bind+0x92/0xf0
[ 1317.270230] [<
ffffffff812493f8>] ? context_tracking_user_exit+0xb8/0x1d0
[ 1317.270230] [<
ffffffff8119313d>] ? trace_hardirqs_on+0xd/0x10
[ 1317.270230] [<
ffffffff8107a852>] ? syscall_trace_enter+0x32/0x290
[ 1317.270230] [<
ffffffff83e4cece>] SyS_bind+0xe/0x10
[ 1317.270230] [<
ffffffff843a6ad0>] tracesys+0xdd/0xe2
[ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00
89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7
4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02
[ 1317.270230] RIP [<
ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
[ 1317.270230] RSP <
ffff8803cd31bdf8>
[ 1317.270230] CR2:
0000000000000974
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tony Lindgren [Fri, 27 Dec 2013 17:33:27 +0000 (09:33 -0800)]
ARM: OMAP2+: Fix LCD panel backlight regression for LDP legacy booting
Looks like the LCD panel on LDP has been broken quite a while, and
recently got fixed by commit
0b2aa8bed3e1 (gpio: twl4030: Fix regression
for twl gpio output). However, there's still an issue left where the panel
backlight does not come on if the LCD drivers are built into the
kernel.
Fix the issue by registering the DPI LCD panel only after the twl4030
GPIO has probed.
Reported-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
[tony@atomide.com: updated per Tomi's comments]
Signed-off-by: Tony Lindgren <tony@atomide.com>
Jesper Dangaard Brouer [Mon, 16 Dec 2013 16:09:47 +0000 (17:09 +0100)]
ipvs: correct usage/allocation of seqadj ext in ipvs
The IPVS FTP helper ip_vs_ftp could trigger an OOPS in nf_ct_seqadj_set,
after commit
41d73ec053d2 (netfilter: nf_conntrack: make sequence number
adjustments usuable without NAT).
This is because, the seqadj ext is now allocated dynamically, and the
IPVS code didn't handle this situation. Fix this in the IPVS nfct
code by invoking the alloc function nfct_seqadj_ext_add().
Fixes:
41d73ec053d2 (netfilter: nf_conntrack: make sequence number adjustments usuable without NAT)
Suggested-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Jesper Dangaard Brouer [Mon, 16 Dec 2013 16:09:41 +0000 (17:09 +0100)]
netfilter: WARN about wrong usage of sequence number adjustments
Since commit
41d73ec053d2 (netfilter: nf_conntrack: make sequence
number adjustments usuable without NAT), the sequence number extension
is dynamically allocated.
Instead of dying, give a WARN splash, in case of wrong usage of the
seqadj code, e.g. when forgetting to allocate via nfct_seqadj_ext_add().
Wrong usage have been seen in the IPVS code path.
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Rafael J. Wysocki [Thu, 26 Dec 2013 23:43:24 +0000 (00:43 +0100)]
Merge branches 'powercap' and 'acpi-lpss' with new device IDs
* powercap:
powercap / RAPL: add support for ValleyView Soc
* acpi-lpss:
ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs
Rafael J. Wysocki [Thu, 26 Dec 2013 23:42:27 +0000 (00:42 +0100)]
Merge branches 'pm-cpufreq' and 'pm-sleep' containing PM fixes
* pm-cpufreq:
cpufreq: Use CONFIG_CPU_FREQ_DEFAULT_* to set initial policy for setpolicy drivers
cpufreq: remove sysfs files for CPUs which failed to come back after resume
* pm-sleep:
PM / sleep: Fix memory leak in pm_vt_switch_unregister().
Florian Westphal [Thu, 26 Dec 2013 11:17:00 +0000 (12:17 +0100)]
macvlan: fix netdev feature propagation from lower device
There are inconsistencies wrt. feature propagation/inheritance between
macvlan and the underlying interface.
When a feature is turned off on the real device before a macvlan is
created on top, these will remain enabled on the macvlan device, whereas
turning off the feature on the lower device after macvlan creation the
kernel will propagate the changes to the macvlan.
The second issue is that, when propagating changes from underlying device
to the macvlan interface, macvlan can erronously lose its NETIF_F_LLTX flag,
as features are anded with the underlying device.
However, LLTX should be kept since it has no dependencies on physical
hardware (LLTX is set on macvlan creation regardless of the lower
device properties, see
8ffab51b3dfc54876f145f15b351c41f3f703195
(macvlan: lockless tx path).
The LLTX flag is now forced regardless of user settings in absence of
layer2 hw acceleration (
a6cc0cfa72e0b6d9f2c8fd858aa,
net: Add layer 2 hardware acceleration operations for macvlan devices).
Use netdev_increment_features to rebuild the feature set on capability
changes on either the lower device or on the macvlan interface.
As pointed out by Ben Hutchings, use netdev_update_features on
NETDEV_FEAT_CHANGE event (it calls macvlan_fix_features/netdev_features_change
if needed).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 26 Dec 2013 17:26:12 +0000 (09:26 -0800)]
Merge tag 'ext4_for_linus' of git://git./linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
"A collection of bug fixes destined for stable and some printk cleanups
and a patch so that instead of BUG'ing we use the ext4_error()
framework to mark the file system is corrupted"
* tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: add explicit casts when masking cluster sizes
ext4: fix deadlock when writing in ENOSPC conditions
jbd2: rename obsoleted msg JBD->JBD2
jbd2: revise KERN_EMERG error messages
jbd2: don't BUG but return ENOSPC if a handle runs out of space
ext4: Do not reserve clusters when fs doesn't support extents
ext4: fix del_timer() misuse for ->s_err_report
ext4: check for overlapping extents in ext4_valid_extent_entries()
ext4: fix use-after-free in ext4_mb_new_blocks
ext4: call ext4_error_inode() if jbd2_journal_dirty_metadata() fails
Suman Anna [Mon, 23 Dec 2013 22:53:11 +0000 (16:53 -0600)]
ARM: OMAP2+: hwmod_data: fix missing OMAP_INTC_START in irq data
Commit
7d7e1eb (ARM: OMAP2+: Prepare for irqs.h removal) and commit
ec2c082 (ARM: OMAP2+: Remove hardcoded IRQs and enable SPARSE_IRQ)
updated the way interrupts for OMAP2/3 devices are defined in the
HWMOD data structures to being an index plus a fixed offset (defined
by OMAP_INTC_START).
Couple of irqs in the OMAP2/3 hwmod data were misconfigured completely
as they were missing this OMAP_INTC_START relative offset. Add this
offset back to fix the incorrect irq data for the following modules:
OMAP2 - GPMC, RNG
OMAP3 - GPMC, ISP MMU & IVA MMU
Signed-off-by: Suman Anna <s-anna@ti.com>
Fixes:
7d7e1eba7e92 ("ARM: OMAP2+: Prepare for irqs.h removal")
Fixes:
ec2c0825ca31 ("ARM: OMAP2+: Remove hardcoded IRQs and enable SPARSE_IRQ")
Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Rajendra Nayak [Thu, 12 Dec 2013 09:52:49 +0000 (15:22 +0530)]
ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL
With commit '
7dedd34: ARM: OMAP2+: hwmod: Fix a crash in _setup_reset() with
DEBUG_LL' we moved from parsing cmdline to identify uart used for earlycon
to using the requsite hwmod CONFIG_DEBUG_OMAPxUARTy FLAGS.
On DRA7 though, we seem to be missing this flag, and atleast on the DRA7 EVM
where we use uart1 for console, boot fails with DEBUG_LL enabled.
Reported-by: Lokesh Vutla <lokeshvutla@ti.com>
Tested-by: Lokesh Vutla <lokeshvutla@ti.com> # on a different base
Signed-off-by: Rajendra Nayak <rnayak@ti.com>
Fixes:
7dedd346941d ("ARM: OMAP2+: hwmod: Fix a crash in _setup_reset() with DEBUG_LL")
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Linus Torvalds [Tue, 24 Dec 2013 18:06:03 +0000 (10:06 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
- fix for a memory leak on certain unplug events
- a collection of bcache fixes from Kent and Nicolas
- a few null_blk fixes and updates form Matias
- a marking of static of functions in the stec pci-e driver
* 'for-linus' of git://git.kernel.dk/linux-block:
null_blk: support submit_queues on use_per_node_hctx
null_blk: set use_per_node_hctx param to false
null_blk: corrections to documentation
null_blk: warning on ignored submit_queues param
null_blk: refactor init and init errors code paths
null_blk: documentation
null_blk: mem garbage on NUMA systems during init
drivers: block: Mark the functions as static in skd_main.c
bcache: New writeback PD controller
bcache: bugfix for race between moving_gc and bucket_invalidate
bcache: fix for gc and writeback race
bcache: bugfix - moving_gc now moves only correct buckets
bcache: fix for gc crashing when no sectors are used
bcache: Fix heap_peek() macro
bcache: Fix for can_attach_cache()
bcache: Fix dirty_data accounting
bcache: Use uninterruptible sleep in writeback
bcache: kthread don't set writeback task to INTERUPTIBLE
block: fix memory leaks on unplugging block device
bcache: fix sparse non static symbol warning
Linus Torvalds [Tue, 24 Dec 2013 17:49:20 +0000 (09:49 -0800)]
Merge branch 'for-3.13-fixes' of git://git./linux/kernel/git/tj/cgroup
Pull cgroup fixes from Tejun Heo:
"Two fixes. One fixes a bug in the error path of cgroup_create(). The
other changes cgrp->id lifetime rule so that the id doesn't get
recycled before all controller states are destroyed. This premature
id recycling made memcg malfunction"
* 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
cgroup: don't recycle cgroup id until all csses' have been destroyed
cgroup: fix cgroup_create() error handling path
Linus Torvalds [Tue, 24 Dec 2013 17:48:43 +0000 (09:48 -0800)]
Merge branch 'for-3.13-fixes' of git://git./linux/kernel/git/tj/percpu
Pull percpu fix from Tejun Heo:
"A single commit to fix a spurious sparse warning coming from
DEFINE_PER_CPU()'s hack to support the use of weak symbols. Shouldn't
cause observable behavior change"
* 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
percpu: fix spurious sparse warnings from DEFINE_PER_CPU()
Linus Torvalds [Tue, 24 Dec 2013 17:35:58 +0000 (09:35 -0800)]
Merge branch 'for-3.13-fixes' of git://git./linux/kernel/git/tj/libata
Pull libata fixes from Tejun Heo:
"There's one interseting commit - "libata, freezer: avoid block device
removal while system is frozen". It's an ugly hack working around a
deadlock condition between driver core resume and block layer device
removal paths through freezer which was made more reproducible by
writeback being converted to workqueue some releases ago. The bug has
nothing to do with libata but it's just an workaround which is easy to
backport. After discussion, Rafael and I seem to agree that we don't
really need kernel freezables - both kthread and workqueue. There are
few specific workqueues which constitute PM operations and require
freezing, which will be converted to use workqueue_set_max_active()
instead. All other kernel freezer uses are planned to be removed,
followed by the removal of kthread and workqueue freezer support,
hopefully.
Others are device-specific fixes. The most notable is the addition of
NO_NCQ_TRIM which is used to disable queued TRIM commands to Micro
M500 SSDs which otherwise suffers data corruption"
* 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
libata, freezer: avoid block device removal while system is frozen
libata: implement ATA_HORKAGE_NO_NCQ_TRIM and apply it to Micro M500 SSDs
libata: disable a disk via libata.force params
ahci: bail out on ICH6 before using AHCI BAR
ahci: imx: Explicitly clear IMX6Q_GPR13_SATA_MPLL_CLK_EN
libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8
Ard Biesheuvel [Mon, 23 Dec 2013 17:49:30 +0000 (18:49 +0100)]
auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE
Commit
2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new
AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE
accordingly.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Fixes:
2171364d1a92 (powerpc: Add HWCAP2 aux entry)
Cc: stable@vger.kernel.org
Acked-by: Michael Neuling <michael@neuling.org>
Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 24 Dec 2013 01:37:20 +0000 (17:37 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/linux-security
Pull SELinux fixes from James Morris.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
selinux: fix broken peer recv check
Linus Torvalds [Tue, 24 Dec 2013 01:24:38 +0000 (17:24 -0800)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jack/linux-fs
Pull ext2 fix from Jan Kara:
"One simple fix of oops in ext2 which was recently hit by Christoph"
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
ext2: Fix oops in ext2_get_block() called from ext2_quota_write()
Linus Torvalds [Tue, 24 Dec 2013 01:23:42 +0000 (17:23 -0800)]
Merge tag 'rdma-for-linus' of git://git./linux/kernel/git/roland/infiniband
Pull infiniband fixes from Roland Dreier:
"Last batch of InfiniBand/RDMA changes for 3.13 / 2014:
- Additional checks for uverbs to ensure forward compatibility,
handle malformed input better.
- Fix potential use-after-free in iWARP connection manager.
- Make a function static"
* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
IB/uverbs: Check access to userspace response buffer in extended command
IB/uverbs: Check input length in flow steering uverbs
IB/uverbs: Set error code when fail to consume all flow_spec items
IB/uverbs: Check reserved fields in create_flow
IB/uverbs: Check comp_mask in destroy_flow
IB/uverbs: Check reserved field in extended command header
IB/uverbs: New macro to set pointers to NULL if length is 0 in INIT_UDATA()
IB/core: const'ify inbuf in struct ib_udata
RDMA/iwcm: Don't touch cm_id after deref in rem_ref
RDMA/cxgb4: Make _c4iw_write_mem_dma() static