1. 28 Mar, 2014 7 commits
    • openvswitch: fix a possible deadlock and lockdep warning · 4f647e0a
      Flavio Leitner authored
      There are two problematic situations.
      
      A deadlock can happen when is_percpu is false because it can get
      interrupted while holding the spinlock. Then it executes
      ovs_flow_stats_update() in softirq context which tries to get
      the same lock.
      
      The second situation is that when is_percpu is true, the code
      correctly disables BH but only for the local CPU, so the
      following can happen when locking the remote CPU without
      disabling BH:
      
             CPU#0                            CPU#1
        ovs_flow_stats_get()
         stats_read()
       +->spin_lock remote CPU#1        ovs_flow_stats_get()
       |  <interrupted>                  stats_read()
       |  ...                       +-->  spin_lock remote CPU#0
       |                            |     <interrupted>
       |  ovs_flow_stats_update()   |     ...
       |   spin_lock local CPU#0 <--+     ovs_flow_stats_update()
       +---------------------------------- spin_lock local CPU#1
      
      This patch disables BH for both cases fixing the deadlocks.
      Acked-by: Jesse Gross <jesse@nicira.com>
      
      =================================
      [ INFO: inconsistent lock state ]
      3.14.0-rc8-00007-g632b06aa #1 Tainted: G          I
      ---------------------------------
      inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      swapper/0/0 [HC0[0]:SC1[5]:HE1:SE0] takes:
      (&(&cpu_stats->lock)->rlock){+.?...}, at: [<ffffffffa05dd8a1>] ovs_flow_stats_update+0x51/0xd0 [openvswitch]
      {SOFTIRQ-ON-W} state was registered at:
      [<ffffffff810f973f>] __lock_acquire+0x68f/0x1c40
      [<ffffffff810fb4e2>] lock_acquire+0xa2/0x1d0
      [<ffffffff817d8d9e>] _raw_spin_lock+0x3e/0x80
      [<ffffffffa05dd9e4>] ovs_flow_stats_get+0xc4/0x1e0 [openvswitch]
      [<ffffffffa05da855>] ovs_flow_cmd_fill_info+0x185/0x360 [openvswitch]
      [<ffffffffa05daf05>] ovs_flow_cmd_build_info.constprop.27+0x55/0x90 [openvswitch]
      [<ffffffffa05db41d>] ovs_flow_cmd_new_or_set+0x4dd/0x570 [openvswitch]
      [<ffffffff816c245d>] genl_family_rcv_msg+0x1cd/0x3f0
      [<ffffffff816c270e>] genl_rcv_msg+0x8e/0xd0
      [<ffffffff816c0239>] netlink_rcv_skb+0xa9/0xc0
      [<ffffffff816c0798>] genl_rcv+0x28/0x40
      [<ffffffff816bf830>] netlink_unicast+0x100/0x1e0
      [<ffffffff816bfc57>] netlink_sendmsg+0x347/0x770
      [<ffffffff81668e9c>] sock_sendmsg+0x9c/0xe0
      [<ffffffff816692d9>] ___sys_sendmsg+0x3a9/0x3c0
      [<ffffffff8166a911>] __sys_sendmsg+0x51/0x90
      [<ffffffff8166a962>] SyS_sendmsg+0x12/0x20
      [<ffffffff817e3ce9>] system_call_fastpath+0x16/0x1b
      irq event stamp: 1740726
      hardirqs last  enabled at (1740726): [<ffffffff8175d5e0>] ip6_finish_output2+0x4f0/0x840
      hardirqs last disabled at (1740725): [<ffffffff8175d59b>] ip6_finish_output2+0x4ab/0x840
      softirqs last  enabled at (1740674): [<ffffffff8109be12>] _local_bh_enable+0x22/0x50
      softirqs last disabled at (1740675): [<ffffffff8109db05>] irq_exit+0xc5/0xd0
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&cpu_stats->lock)->rlock);
        <Interrupt>
          lock(&(&cpu_stats->lock)->rlock);
      
       *** DEADLOCK ***
      
      5 locks held by swapper/0/0:
       #0:  (((&ifa->dad_timer))){+.-...}, at: [<ffffffff810a7155>] call_timer_fn+0x5/0x320
       #1:  (rcu_read_lock){.+.+..}, at: [<ffffffff81788a55>] mld_sendpack+0x5/0x4a0
       #2:  (rcu_read_lock_bh){.+....}, at: [<ffffffff8175d149>] ip6_finish_output2+0x59/0x840
       #3:  (rcu_read_lock_bh){.+....}, at: [<ffffffff8168ba75>] __dev_queue_xmit+0x5/0x9b0
       #4:  (rcu_read_lock){.+.+..}, at: [<ffffffffa05e41b5>] internal_dev_xmit+0x5/0x110 [openvswitch]
      
      stack backtrace:
      CPU: 0 PID: 0 Comm: swapper/0 Tainted: G          I  3.14.0-rc8-00007-g632b06aa #1
      Hardware name:                  /DX58SO, BIOS SOX5810J.86A.5599.2012.0529.2218 05/29/2012
       0000000000000000 0fcf20709903df0c ffff88042d603808 ffffffff817cfe3c
       ffffffff81c134c0 ffff88042d603858 ffffffff817cb6da 0000000000000005
       ffffffff00000001 ffff880400000000 0000000000000006 ffffffff81c134c0
      Call Trace:
       <IRQ>  [<ffffffff817cfe3c>] dump_stack+0x4d/0x66
       [<ffffffff817cb6da>] print_usage_bug+0x1f4/0x205
       [<ffffffff810f7f10>] ? check_usage_backwards+0x180/0x180
       [<ffffffff810f8963>] mark_lock+0x223/0x2b0
       [<ffffffff810f96d3>] __lock_acquire+0x623/0x1c40
       [<ffffffff810f5707>] ? __lock_is_held+0x57/0x80
       [<ffffffffa05e26c6>] ? masked_flow_lookup+0x236/0x250 [openvswitch]
       [<ffffffff810fb4e2>] lock_acquire+0xa2/0x1d0
       [<ffffffffa05dd8a1>] ? ovs_flow_stats_update+0x51/0xd0 [openvswitch]
       [<ffffffff817d8d9e>] _raw_spin_lock+0x3e/0x80
       [<ffffffffa05dd8a1>] ? ovs_flow_stats_update+0x51/0xd0 [openvswitch]
       [<ffffffffa05dd8a1>] ovs_flow_stats_update+0x51/0xd0 [openvswitch]
       [<ffffffffa05dcc64>] ovs_dp_process_received_packet+0x84/0x120 [openvswitch]
       [<ffffffff810f93f7>] ? __lock_acquire+0x347/0x1c40
       [<ffffffffa05e3bea>] ovs_vport_receive+0x2a/0x30 [openvswitch]
       [<ffffffffa05e4218>] internal_dev_xmit+0x68/0x110 [openvswitch]
       [<ffffffffa05e41b5>] ? internal_dev_xmit+0x5/0x110 [openvswitch]
       [<ffffffff8168b4a6>] dev_hard_start_xmit+0x2e6/0x8b0
       [<ffffffff8168be87>] __dev_queue_xmit+0x417/0x9b0
       [<ffffffff8168ba75>] ? __dev_queue_xmit+0x5/0x9b0
       [<ffffffff8175d5e0>] ? ip6_finish_output2+0x4f0/0x840
       [<ffffffff8168c430>] dev_queue_xmit+0x10/0x20
       [<ffffffff8175d641>] ip6_finish_output2+0x551/0x840
       [<ffffffff8176128a>] ? ip6_finish_output+0x9a/0x220
       [<ffffffff8176128a>] ip6_finish_output+0x9a/0x220
       [<ffffffff8176145f>] ip6_output+0x4f/0x1f0
       [<ffffffff81788c29>] mld_sendpack+0x1d9/0x4a0
       [<ffffffff817895b8>] mld_send_initial_cr.part.32+0x88/0xa0
       [<ffffffff817691b0>] ? addrconf_dad_completed+0x220/0x220
       [<ffffffff8178e301>] ipv6_mc_dad_complete+0x31/0x50
       [<ffffffff817690d7>] addrconf_dad_completed+0x147/0x220
       [<ffffffff817691b0>] ? addrconf_dad_completed+0x220/0x220
       [<ffffffff8176934f>] addrconf_dad_timer+0x19f/0x1c0
       [<ffffffff810a71e9>] call_timer_fn+0x99/0x320
       [<ffffffff810a7155>] ? call_timer_fn+0x5/0x320
       [<ffffffff817691b0>] ? addrconf_dad_completed+0x220/0x220
       [<ffffffff810a76c4>] run_timer_softirq+0x254/0x3b0
       [<ffffffff8109d47d>] __do_softirq+0x12d/0x480
      Signed-off-by: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bridge: Fix handling stacked vlan tags · 99b192da
      Toshiaki Makita authored
      If a bridge with vlan_filtering enabled receives frames with stacked
      vlan tags, i.e., they have two vlan tags, br_vlan_untag() strips not
      only the outer tag but also the inner tag.
      
      br_vlan_untag() is called only from br_handle_vlan(), and in this case,
      it is enough to set skb->vlan_tci to 0 here, because vlan_tci has already
      been set before calling br_handle_vlan().
      Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Acked-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bridge: Fix inability to retrieve vlan tags when tx offload is disabled · 12464bb8
      Toshiaki Makita authored
      Bridge vlan code (br_vlan_get_tag()) assumes that all frames have vlan_tci
      if they are tagged, but if vlan tx offload is manually disabled on bridge
      device and frames are sent from vlan device on the bridge device, the tags
      are embedded in skb->data and they break this assumption.
      Extract embedded vlan tags and move them to vlan_tci at ingress.
      Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Acked-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vhost: validate vhost_get_vq_desc return value · a39ee449
      Michael S. Tsirkin authored
      vhost fails to validate negative error code
      from vhost_get_vq_desc causing
      a crash: we are using -EFAULT which is 0xfffffff2
      as vector size, which exceeds the allocated size.
      
      The code in question was introduced in commit
      8dd014ad
          vhost-net: mergeable buffers support
      
      CVE-2014-0055
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vhost: fix total length when packets are too short · d8316f39
      Michael S. Tsirkin authored
      When mergeable buffers are disabled, and the
      incoming packet is too large for the rx buffer,
      get_rx_bufs returns success.
      
      This was intentional in order to make recvmsg
      truncate the packet and then handle_rx would
      detect err != sock_len and drop it.
      
      Unfortunately we pass the original sock_len to
      recvmsg - which means we use parts of iov not fully
      validated.
      
      Fix this up by detecting this overrun and doing packet drop
      immediately.
      
      CVE-2014-0077
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • random32: avoid attempt to late reseed if in the middle of seeding · 05efa8c9
      Sasha Levin authored
      Commit 4af712e8 ("random32: add prandom_reseed_late() and call when
      nonblocking pool becomes initialized") has added a late reseed stage
      that happens as soon as the nonblocking pool is marked as initialized.
      
      This fails in the case that the nonblocking pool gets initialized
      during __prandom_reseed()'s call to get_random_bytes(). In that case
      we'd double back into __prandom_reseed() in an attempt to do a late
      reseed - deadlocking on 'lock' early on in the boot process.
      
      Instead, just avoid even waiting to do a reseed if a reseed is already
      occurring.
      
      Fixes: 4af712e8 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized")
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • random32: assign to network folks in MAINTAINERS · 335a67d2
      Sasha Levin authored
      lib/random32.c was split out of the network code and is de-facto
      still maintained by the almighty net/ gods.
      
      Make it a bit more official so that people who aren't aware of
      that know where to send their patches.
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 27 Mar, 2014 5 commits
  3. 26 Mar, 2014 7 commits
    • net: unix: non blocking recvmsg() should not return -EINTR · de144391
      Eric Dumazet authored
      Some applications didn't expect recvmsg() on a non blocking socket
      could return -EINTR. This possibility was added as a side effect
      of commit b3ca9b02 ("net: fix multithreaded signal handling in
      unix recv routines").
      
      To hit this bug, you need to be a bit unlucky, as the u->readlock
      mutex is usually held for very small periods.
      
      Fixes: b3ca9b02 ("net: fix multithreaded signal handling in unix recv routines")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'mvneta' · dc0fe58f
      David S. Miller authored
      Thomas Petazzoni says:
      
      ====================
      net: mvneta: fix usage as a module
      
      The following set of two patches fix the usage of the mvneta driver
      when built as a module, and used in RGMII configurations. It is
      somewhat similar to a previous fix that was made by Arnaud Patard, but
      which was limited to SGMII configurations.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mvneta: use devm_ioremap_resource() instead of of_iomap() · b5f3b75d
      Thomas Petazzoni authored
      The mvneta driver currently uses of_iomap(), which has two drawbacks:
      it doesn't request the resource, and it isn't devm-style so some error
      handling is needed.
      
      This commit switches to use devm_ioremap_resource() instead, which
      automatically requests the resource (so the I/O registers region shows
      up properly in /proc/iomem), and also is devm-style, which allows to
      get rid of some error handling to unmap the I/O registers region.
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mvneta: fix usage as a module on RGMII configurations · e3a8786c
      Thomas Petazzoni authored
      Commit 5445eaf3 ('mvneta: Try to fix mvneta when compiled as
      module') fixed the mvneta driver to make it work properly when loaded
      as a module in SGMII configuration, which was tested successfully by the
      author on the Armada XP OpenBlocks AX3, which uses SGMII.
      
      However, it turns out that the Armada XP GP, which uses RGMII, is
      affected by a similar problem: its SERDES configuration is lost when
      mvneta is loaded as a module, because this configuration is set by the
      bootloader, and then lost because the clock is gated by the clock
      framework until the mvneta driver is loaded again and the clock is
      re-enabled.
      
      However, it turns out that for the RGMII case, setting the SERDES
      configuration is not sufficient: the PCS enable bit in the
      MVNETA_GMAC_CTRL_2 register must also be set, like in the SGMII
      configuration.
      
      Therefore, this commit reworks the SGMII/RGMII initialization: the
      only difference between the two now is a different SERDES
      configuration, all the rest is identical.
      
      In detail, to achieve this, the commit:
      
       * Renames MVNETA_SGMII_SERDES_CFG to MVNETA_SERDES_CFG because it is
         not specific to SGMII, but also used on RGMII configurations.
      
       * Adds a MVNETA_RGMII_SERDES_PROTO definition, that must be used as
         the MVNETA_SERDES_CFG value in RGMII configurations.
      
       * Removes the mvneta_gmac_rgmii_set() and mvneta_port_sgmii_config()
         functions, and instead directly does the SGMII/RGMII configuration in
         mvneta_port_up(), from where those functions were called. It is
         worth mentioning that mvneta_gmac_rgmii_set() had an 'enable'
         parameter that was always passed as '1', so it was pretty useless.
      
       * Reworks the mvneta_port_up() function to set the MVNETA_SERDES_CFG
         register to the appropriate value depending on the RGMII vs. SGMII
         configuration. It also unconditionally sets the PCS_ENABLE bit (was
         already done for SGMII, but is now also needed for RGMII), and sets
         the PORT_RGMII bit (which was already done for both SGMII and
         RGMII).
      
      This commit was successfully tested with mvneta compiled as a module,
      on both the OpenBlocks AX3 (SGMII configuration) and the Armada XP GP
      (RGMII configuration).
      Reported-by: Steve McIntyre <steve@einval.com>
      Cc: stable@vger.kernel.org # 3.11.x: 5445eaf3 mvneta: Try to fix mvneta when compiled as module
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mvneta: rename MVNETA_GMAC2_PSC_ENABLE to MVNETA_GMAC2_PCS_ENABLE · a79121d3
      Thomas Petazzoni authored
      Bit 3 of the MVNETA_GMAC_CTRL_2 is actually used to enable the PCS,
      not the PSC: there was a typo in the name of the define, which this
      commit fixes.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tg3: Do not include vlan acceleration features in vlan_features · 51dfe7b9
      Vlad Yasevich authored
      Including hardware acceleration features in vlan_features breaks
      stacked vlans (Q-in-Q) by marking the bottom vlan interface as
      capable of acceleration.  This causes one of the tags to be lost
      and the packets are sent with a single vlan header.
      
      CC: Nithin Nayak Sujir <nsujir@broadcom.com>
      CC: Michael Chan <mchan@broadcom.com>
      Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ip_tunnel: Fix dst ref-count. · fbd02dd4
      Pravin B Shelar authored
      Commit 10ddceb2 (ip_tunnel:multicast process cause panic due
      to skb->_skb_refdst NULL pointer) removed dst-drop call from
      ip-tunnel-recv.
      
      The following commit reintroduces dst-drop and fixes the original bug by
      checking loopback packet before releasing dst.
      Original bug: https://bugzilla.kernel.org/show_bug.cgi?id=70681
      
      CC: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 25 Mar, 2014 6 commits
    • Merge branch 'nfsd-next' of git://linux-nfs.org/~bfields/linux · 632b06aa
      Linus Torvalds authored
      Pull nfsd fix from Bruce Fields:
       "J R Okajima sent this early and I was just slow to pass it along,
        apologies.  Fortunately it's a simple fix"
      
      * 'nfsd-next' of git://linux-nfs.org/~bfields/linux:
        nfsd: fix lost nfserrno() call in nfsd_setattr()
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 3e79d978
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
       "These four commits are obvious fixes (a couple of fdget_pos()-related
        ones from Eric Biggers, prepend_name() fix, missing checks for false
        negatives from __lookup_mnt() in fs/namei.c)"
      
      For now I'm pulling just the four obvious fixes, there's another four
      pending in Al's 'for-linus' branch wrt the mnt_hash list that were more
      involved.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        rcuwalk: recheck mount_lock after mountpoint crossing attempts
        make prepend_name() work correctly when called with negative *buflen
        vfs: Don't let __fdget_pos() get FMODE_PATH files
        vfs: atomic f_pos access in llseek()
    • Linux 3.14-rc8 · b098d672
      Linus Torvalds authored
    • Merge branch 'parisc-3.14' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 82231646
      Linus Torvalds authored
      Pull parisc updates from Helge Deller:
       - revert parts of the latest patch regarding font selection with STICON
         console
       - wire up the utimes() syscall for parisc
       - remove the unused parisc tmpalias code and unnecessary arch*relax
         defines
      
      * 'parisc-3.14' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: locks: remove redundant arch_*_relax operations
        parisc: wire up sys_utimes
        parisc: Remove unused CONFIG_PARISC_TMPALIAS code
        partly revert commit 8a10bc9d: parisc/sti_console: prefer Linux fonts over built-in ROM fonts
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 56f1f4b2
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) Do serial locking in a way that makes things clear that these are
          IRQ spinlocks.
      
       2) Conversion to generic idle loop broke first generation Niagara
          machines, need to have %pil interrupts enabled during cpu yield
          hypervisor call.
      
       3) Do not use magic constants for iterations over tsb tables, from Doug
          Wilson.
      
       4) Fix erroneous truncation of 64-bit system call return values to
          32-bit.  From Dave Kleikamp.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Make sure %pil interrupts are enabled during hypervisor yield.
        sparc64:tsb.c:use array size macro rather than number
        sparc64: don't treat 64-bit syscall return codes as 32-bit
        sparc: serial: Clean up the locking for -rt
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8a109446
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) OpenVswitch's lookup_datapath() returns error pointers, so don't
          check against NULL.  From Jiri Pirko.
      
       2) pfkey_compile_policy() code path tries to do a GFP_KERNEL allocation
          under RCU locks, fix by using GFP_ATOMIC when necessary.  From
          Nikolay Aleksandrov.
      
       3) phy_suspend() indirectly passes uninitialized data into the ethtool
          get wake-on-lan implementations.  Fix from Sebastian Hesselbarth.
      
       4) CPSW driver unregisters CPTS twice, fix from Benedikt Spranger.
      
       5) If SKB allocation of reply packet fails, vxlan's arp_reduce() dereferences
          a NULL pointer.  Fix from David Stevens.
      
       6) IPV6 neigh handling in vxlan doesn't validate the destination
          address properly, and it builds a packet with the src and dst
          reversed.  Fix also from David Stevens.
      
       7) Fix spinlock recursion during subscription failures in TIPC stack,
          from Erik Hugne.
      
       8) Revert buggy conversion of davinci_emac to devm_request_irq, from
          Christian Riesch.
      
       9) Wrong flags passed into forwarding database netlink notifications,
          from Nicolas Dichtel.
      
      10) The netpoll neighbour solicitation handler checks wrong ethertype,
          needs to be ETH_P_IPV6 rather than ETH_P_ARP.  Fix from Li RongQing.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (34 commits)
        tipc: fix spinlock recursion bug for failed subscriptions
        vxlan: fix nonfunctional neigh_reduce()
        net: davinci_emac: Fix rollback of emac_dev_open()
        net: davinci_emac: Replace devm_request_irq with request_irq
        netpoll: fix the skb check in pkt_is_ns
        net: micrel : ks8851-ml: add vdd-supply support
        ip6mr: fix mfc notification flags
        ipmr: fix mfc notification flags
        rtnetlink: fix fdb notification flags
        tcp: syncookies: do not use getnstimeofday()
        netlink: fix setsockopt in mmap examples in documentation
        openvswitch: Correctly report flow used times for first 5 minutes after boot.
        via-rhine: Disable device in error path
        ATHEROS-ATL1E: Convert iounmap to pci_iounmap
        vxlan: fix potential NULL dereference in arp_reduce()
        cnic: Update version to 2.5.20 and copyright year.
        cnic,bnx2i,bnx2fc: Fix inconsistent use of page size
        cnic: Use proper ulp_ops for per device operations.
        net: cdc_ncm: fix control message ordering
        ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
        ...
  5. 24 Mar, 2014 8 commits
    • tipc: fix spinlock recursion bug for failed subscriptions · a5d0e7c0
      Erik Hugne authored
      If a topology event subscription fails for any reason, such as out
      of memory, max number reached or because we received an invalid
      request the correct behavior is to terminate the subscriber's
      connection to the topology server. This is currently broken and
      produces the following oops:
      
      [27.953662] tipc: Subscription rejected, illegal request
      [27.955329] BUG: spinlock recursion on CPU#1, kworker/u4:0/6
      [27.957066]  lock: 0xffff88003c67f408, .magic: dead4ead, .owner: kworker/u4:0/6, .owner_cpu: 1
      [27.958054] CPU: 1 PID: 6 Comm: kworker/u4:0 Not tainted 3.14.0-rc6+ #5
      [27.960230] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [27.960874] Workqueue: tipc_rcv tipc_recv_work [tipc]
      [27.961430]  ffff88003c67f408 ffff88003de27c18 ffffffff815c0207 ffff88003de1c050
      [27.962292]  ffff88003de27c38 ffffffff815beec5 ffff88003c67f408 ffffffff817f0a8a
      [27.963152]  ffff88003de27c58 ffffffff815beeeb ffff88003c67f408 ffffffffa0013520
      [27.964023] Call Trace:
      [27.964292]  [<ffffffff815c0207>] dump_stack+0x45/0x56
      [27.964874]  [<ffffffff815beec5>] spin_dump+0x8c/0x91
      [27.965420]  [<ffffffff815beeeb>] spin_bug+0x21/0x26
      [27.965995]  [<ffffffff81083df6>] do_raw_spin_lock+0x116/0x140
      [27.966631]  [<ffffffff815c6215>] _raw_spin_lock_bh+0x15/0x20
      [27.967256]  [<ffffffffa0008540>] subscr_conn_shutdown_event+0x20/0xa0 [tipc]
      [27.968051]  [<ffffffffa000fde4>] tipc_close_conn+0xa4/0xb0 [tipc]
      [27.968722]  [<ffffffffa00101ba>] tipc_conn_terminate+0x1a/0x30 [tipc]
      [27.969436]  [<ffffffffa00089a2>] subscr_conn_msg_event+0x1f2/0x2f0 [tipc]
      [27.970209]  [<ffffffffa0010000>] tipc_receive_from_sock+0x90/0xf0 [tipc]
      [27.970972]  [<ffffffffa000fa79>] tipc_recv_work+0x29/0x50 [tipc]
      [27.971633]  [<ffffffff8105dbf5>] process_one_work+0x165/0x3e0
      [27.972267]  [<ffffffff8105e869>] worker_thread+0x119/0x3a0
      [27.972896]  [<ffffffff8105e750>] ? manage_workers.isra.25+0x2a0/0x2a0
      [27.973622]  [<ffffffff810648af>] kthread+0xdf/0x100
      [27.974168]  [<ffffffff810647d0>] ? kthread_create_on_node+0x1a0/0x1a0
      [27.974893]  [<ffffffff815ce13c>] ret_from_fork+0x7c/0xb0
      [27.975466]  [<ffffffff810647d0>] ? kthread_create_on_node+0x1a0/0x1a0
      
      The recursion occurs when subscr_terminate tries to grab the
      subscriber lock, which is already taken by subscr_conn_msg_event.
      We fix this by checking if the request to establish a new
      subscription was successful, and if not we initiate termination of
      the subscriber after we have released the subscriber lock.
      Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
      Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vxlan: fix nonfunctional neigh_reduce() · 4b29dba9
      David Stevens authored
      The VXLAN neigh_reduce() code is completely non-functional since
      check-in. Specific errors:
      
      1) The original code drops all packets with a multicast destination address,
      	even though neighbor solicitations are sent to the solicited-node
      	address, a multicast address. The code after this check was never run.
      2) The neighbor table lookup used the IPv6 header destination, which is the
      	solicited node address, rather than the target address from the
      	neighbor solicitation. So neighbor lookups would always fail if it
      	got this far. Also for L3MISSes.
      3) The code calls ndisc_send_na(), which does a send on the tunnel device.
      	The context for neigh_reduce() is the transmit path, vxlan_xmit(),
      	where the host or a bridge-attached neighbor is trying to transmit
      	a neighbor solicitation. To respond to it, the tunnel endpoint needs
      	to do a *receive* of the appropriate neighbor advertisement. Doing a
      	send, would only try to send the advertisement, encapsulated, to the
      	remote destinations in the fdb -- hosts that definitely did not do the
      	corresponding solicitation.
      4) The code uses the tunnel endpoint IPv6 forwarding flag to determine the
      	isrouter flag in the advertisement. This has nothing to do with whether
      	or not the target is a router, and generally won't be set since the
      	tunnel endpoint is bridging, not routing, traffic.
      
      	The patch below creates a proxy neighbor advertisement to respond to
      neighbor solicitations as intended, providing proper IPv6 support for neighbor
      reduction.
      Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'davinci_emac' · 866b7cdf
      David S. Miller authored
      Christian Riesch says:
      
      ====================
      net: davinci_emac: Fix interrupt requests and error handling
      
      Since commit 6892b41d (Linux 3.11) the
      davinci_emac driver is broken. After doing ifconfig down, ifconfig up,
      requesting the interrupts for the driver fails. The interface remains dead
      until the board is rebooted.
      
      The first patch in this patchset reverts commit
      6892b41d partially and makes the driver
      useable again.
      
      During the work on the first patch, a number of bugs in the error handling
      of the driver's ndo_open code were found. The second patch fixes these bugs.
      
      I believe the first patch meets the rules for stable kernels, I therefore added
      the stable tag to this patch. The second patch is just cleanup, the code
      that is fixed by this patch is only executed in case of an error.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: davinci_emac: Fix rollback of emac_dev_open() · cd11cf50
      Christian Riesch authored
      If an error occurs during the initialization in emac_dev_open() (the
      driver's ndo_open function), interrupts, DMA descriptors etc. must be freed.
      The current rollback code is buggy in several ways.
      
        1) Freeing the interrupts. The current code will not free all interrupts
           that were requested by the driver. Furthermore,  the code tries to do a
           platform_get_resource(priv->pdev, IORESOURCE_IRQ, -1) in its last
           iteration.
      
           This patch fixes these bugs.
      
        2) Wrong order of err: and rollback: labels. If the setup of the PHY in
           the code fails, the interrupts that have been requested before are
           not freed:
      
              request irq
                      if requesting irqs fails, goto rollback
              setup phy
                      if phy setup fails, goto err
              return 0
      
           rollback:
              free irqs
           err:
      
           This patch brings the code into the correct order.
      
        3) The code calls napi_enable() and emac_int_enable(), but does not
           undo both in case of an error.
      
           This patch adds calls of emac_int_disable() and napi_disable() to the
           rollback code.
      
        4) RX DMA descriptors are not freed in case of an error: Right before
           requesting the irqs, the function creates DMA descriptors for the
           RX channel. These RX descriptors are never freed when we jump to either
           rollback or err.
      
           This patch adds code for freeing the DMA descriptors in the case of
           an initialization error. This required a modification of
           cpdma_ctlr_stop() in davinci_cpdma.c: We must be able to call this
           function to free the DMA descriptors while the DMA channels are
           in IDLE state (before cpdma_ctlr_start() was called).
      
      Tested on a custom board with the Texas Instruments AM1808.
      Signed-off-by: Christian Riesch <christian.riesch@omicron.at>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cd11cf50
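The label-ordering bug from item 2 above, together with the missing teardown from items 3 and 4, reduced to a stand-alone C model. This is an added example, not the davinci_emac driver's code: `struct res`, `held()`, `open_buggy()` and `open_fixed()` are hypothetical stand-ins, and the acquisition order is a simplification.

```c
#include <stdio.h>
/* Simplified model of an ndo_open-style init; all names are hypothetical. */
struct res { int rx_desc, irqs, napi; };
enum fail_at { FAIL_NONE, FAIL_IRQ, FAIL_PHY };

/* Number of resources still held when the call returns. */
static int held(const struct res *r) { return r->rx_desc + r->irqs + r->napi; }

/* "Before" shape: err: sits below rollback:, so a PHY failure skips the
 * irq release, and neither path undoes napi or the RX descriptors. */
static int open_buggy(struct res *r, enum fail_at f)
{
	r->rx_desc = 1;			/* create RX DMA descriptors */
	if (f == FAIL_IRQ) goto rollback;
	r->irqs = 1;			/* request irqs */
	r->napi = 1;			/* enable napi and device interrupts */
	if (f == FAIL_PHY) goto err;
	return 0;
rollback:
	r->irqs = 0;
err:
	return -1;
}

/* "After" shape: labels unwind in reverse order of acquisition, so a
 * later failure falls through every earlier release. */
static int open_fixed(struct res *r, enum fail_at f)
{
	r->rx_desc = 1;
	if (f == FAIL_IRQ) goto err_desc;
	r->irqs = 1;
	r->napi = 1;
	if (f == FAIL_PHY) goto err_irq;
	return 0;
err_irq:
	r->napi = 0;			/* disable device interrupts and napi */
	r->irqs = 0;			/* free every requested irq */
err_desc:
	r->rx_desc = 0;			/* free RX DMA descriptors */
	return -1;
}

int main(void)
{
	struct res a = {0}, b = {0};
	int ra = open_buggy(&a, FAIL_PHY), rb = open_fixed(&b, FAIL_PHY);
	printf("PHY failure: buggy rc=%d held=%d, fixed rc=%d held=%d\n", ra, held(&a), rb, held(&b));
	return 0;
}
```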
    • net: davinci_emac: Replace devm_request_irq with request_irq · 33b7107f
      Christian Riesch authored
      In commit 6892b41d
      
      Author: Lad, Prabhakar <prabhakar.csengg@gmail.com>
      Date:   Tue Jun 25 21:24:51 2013 +0530
      net: davinci: emac: Convert to devm_* api
      
      the call of request_irq is replaced by devm_request_irq and the call
      of free_irq is removed. But since interrupts are requested in
      emac_dev_open, doing ifconfig up/down on the board requests the
      interrupts again each time, causing devm_request_irq to fail. The
      interface is dead until the device is rebooted.
      
      This patch reverts said commit partially: It changes the driver back
      to use request_irq instead of devm_request_irq, puts free_irq back in
      place, but keeps the remaining changes of the original patch.
      Reported-by: Jon Ringle <jon@ringle.org>
      Signed-off-by: Christian Riesch <christian.riesch@omicron.at>
      Cc: Lad, Prabhakar <prabhakar.csengg@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      33b7107f
    • netpoll: fix the skb check in pkt_is_ns · c27f0872
      Li RongQing authored
      Neighbor Solicitation is an IPv6 protocol, so we should check
      skb->protocol with ETH_P_IPV6
      Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
      Cc: WANG Cong <amwang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c27f0872
    • sparc64: Make sure %pil interrupts are enabled during hypervisor yield. · cb3042d6
      David S. Miller authored
      In arch_cpu_idle() we must enable %pil based interrupts before
      potentially invoking the hypervisor cpu yield call.
      
      As per the Hypervisor API documentation for cpu_yield:
      
      	Interrupts which are blocked by some mechanism other than
      	pstate.ie (for example %pil) are not guaranteed to cause
      	a return from this service.
      
      It seems that only first generation Niagara chips are hit by this
      bug.  My best guess is that later chips implement this in hardware
      and wake up anyways from %pil events, whereas in first generation
      chips the yield is implemented completely in hypervisor code and
      requires %pil to be enabled in order to wake properly from this
      call.
      
      Fixes: 87fa05ae ("sparc: Use generic idle loop")
      Reported-by: Fabio M. Di Nitto <fabbione@fabbione.net>
      Reported-by: Jan Engelhardt <jengelh@inai.de>
      Tested-by: Jan Engelhardt <jengelh@inai.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cb3042d6
    • net: micrel : ks8851-ml: add vdd-supply support · ebf4ad95
      Nishanth Menon authored
      Few platforms use external regulator to keep the ethernet MAC supplied.
      So, request and enable the regulator for driver functionality.
      
      Fixes: 66fda75f (regulator: core: Replace direct ops->disable usage)
      Reported-by: Russell King <rmk+kernel@arm.linux.org.uk>
      Suggested-by: Markus Pargmann <mpa@pengutronix.de>
      Signed-off-by: Nishanth Menon <nm@ti.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ebf4ad95
  6. 23 Mar, 2014 7 commits
    • parisc: locks: remove redundant arch_*_relax operations · a34fe107
      Will Deacon authored
      Now that the arch_{spin,read,write}_relax macros default to cpu_relax(),
      remove the redundant definitions for parisc.
      
      Cc: Helge Deller <deller@gmx.de>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Helge Deller <deller@gmx.de>
      a34fe107
    • parisc: wire up sys_utimes · e9af8b7a
      Helge Deller authored
      We seem to be nearly the only platform which does not provide the
      sys_utimes syscall.  Adding it now makes our life much easier with
      userspace applications (like dietlibc and e2fsprogs) since we then
      behave like all other platforms too and don't need extra patches which
      are hard to get upstream anyway because we are not a mainstream
      architecture.
      Signed-off-by: Helge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org # v3.13
      e9af8b7a
    • parisc: Remove unused CONFIG_PARISC_TMPALIAS code · 4b02a72a
      John David Anglin authored
      The attached change removes the unused and experimental
      CONFIG_PARISC_TMPALIAS code. It doesn't work and I don't believe it will
      ever be used.
      Signed-off-by: John David Anglin <dave.anglin@bell.net>
      Signed-off-by: Helge Deller <deller@gmx.de>
      4b02a72a
    • partly revert commit 8a10bc9d: parisc/sti_console: prefer Linux fonts over built-in ROM fonts · a2fb4d78
      Helge Deller authored
      STI console is used on parisc and m68k HP machines. This patch partly reverts
      my previous commit and as such restores the fonts for the m68k machines.
      Signed-off-by: Helge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org # v3.13
      a2fb4d78
    • rcuwalk: recheck mount_lock after mountpoint crossing attempts · b37199e6
      Al Viro authored
      We can get a false negative from __lookup_mnt() if an unrelated vfsmount
      gets moved.  In that case legitimize_mnt() is guaranteed to fail,
      and we will fall back to non-RCU walk... unless we end up running
      into a hard error on a filesystem object we wouldn't have reached
      if not for that false negative.  IOW, delaying that check until
      the end of pathname resolution is wrong - we should recheck right
      after we attempt to cross the mountpoint.  We don't need to recheck
      unless we see d_mountpoint() being true - in that case even if
      we have just raced with mount/umount, we can simply go on as if
      we'd come at the moment when the sucker wasn't a mountpoint; if we
      run into a hard error as the result, it was a legitimate outcome.
      __lookup_mnt() returning NULL is different in that respect, since
      it might've happened due to operation on completely unrelated
      mountpoint.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      b37199e6
    • make prepend_name() work correctly when called with negative *buflen · e825196d
      Al Viro authored
      In all callchains leading to prepend_name(), the value left in *buflen
      is eventually discarded unused if prepend_name() has returned a negative.
      So we are free to do what prepend() does, and subtract from *buflen
      *before* checking for underflow (which turns into checking the sign
      of subtraction result, of course).
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      e825196d
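Why the order of the subtraction and the underflow check matters when *buflen is already negative, as a stand-alone C sketch. This is an added example, not the kernel's prepend_name(): the helper names are hypothetical, and it assumes (the commit message does not say so) that the name length is an unsigned value while *buflen is a signed int.

```c
#include <errno.h>
#include <stdio.h>

/* Check first, subtract later. The signed *buflen is converted to
 * unsigned for the comparison, so a negative value looks enormous and
 * the check passes. (Assumption: dlen is unsigned, *buflen is int.) */
static int reserve_check_first(int *buflen, unsigned int dlen)
{
	if (*buflen < dlen + 1)
		return -ENAMETOOLONG;
	*buflen -= (int)(dlen + 1);
	return 0;
}

/* Subtract first, then test the sign of the result. A negative *buflen
 * stays negative and is rejected; the caller discards it on error. */
static int reserve_subtract_first(int *buflen, unsigned int dlen)
{
	*buflen -= (int)(dlen + 1);
	if (*buflen < 0)
		return -ENAMETOOLONG;
	return 0;
}

int main(void)
{
	int a = -1, b = -1;	/* constructed input: space already exhausted */
	int ra = reserve_check_first(&a, 3);
	int rb = reserve_subtract_first(&b, 3);
	printf("check-first rc=%d, subtract-first rc=%d\n", ra, rb);
	return 0;
}
```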
    • vfs: Don't let __fdget_pos() get FMODE_PATH files · 99aea681
      Eric Biggers authored
      Commit bd2a31d5 ("get rid of fget_light()") introduced the
      __fdget_pos() function, which returns the resulting file pointer and
      fdput flags combined in an 'unsigned long'.  However, it also changed the
      behavior to return files with FMODE_PATH set, which shouldn't happen
      because read(), write(), lseek(), etc. aren't allowed on such files.
      This commit restores the old behavior.
      
      This regression actually had no effect on read() and write() since
      FMODE_READ and FMODE_WRITE are not set on file descriptors opened with
      O_PATH, but it did cause lseek() on a file descriptor opened with O_PATH
      to fail with ESPIPE rather than EBADF.
      Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      99aea681