1. 11 Apr, 2013 4 commits
  2. 10 Apr, 2013 10 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · fe2971a0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) cfg80211_conn_scan() must be called with the sched_scan_mutex, fix
          from Artem Savkov.
      
       2) Fix regression in TCP ICMPv6 processing, we do not want to treat
          redirects as socket errors, from Christoph Paasch.
      
       3) Fix several recvmsg() msg_name kernel memory leaks into userspace,
          in ATM, AX25, Bluetooth, CAIF, IRDA, s390 IUCV, L2TP, LLC, Netrom,
          NFC, Rose, TIPC, and VSOCK.  From Mathias Krause and Wei Yongjun.
      
       4) Fix AF_IUCV handling of segmented SKBs in recvmsg(), from Ursula
          Braun and Eric Dumazet.
      
       5) CAN gw.c code does kfree() on SLAB cache memory, use
          kmem_cache_free() instead.  Fix from Wei Yongjun.
      
       6) Fix LSM regression on TCP SYN/ACKs, some LSMs such as SELINUX want
          an skb->sk socket context available for these packets, but nothing
          else requires it.  From Eric Dumazet and Paul Moore.
      
       7) Fix ipv4 address lifetime processing so that we don't perform
          sleepable acts inside of rcu_read_lock() sections, do them in an
          rtnl_lock() section instead.  From Jiri Pirko.
      
       8) mvneta driver accidently sets HW features after device registry, it
          should do so beforehand.  Fix from Willy Tarreau.
      
       9) Fix bonding unload races more correctly, from Nikolay Aleksandrov
          and Veaceslav Falico.
      
      10) rtnl_dump_ifinfo() and rtnl_calcit() invoke nlmsg_parse() with wrong
          header size argument.  Fix from Michael Riesch.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
        lsm: add the missing documentation for the security_skb_owned_by() hook
        bnx2x: Prevent null pointer dereference in AFEX mode
        e100: Add dma mapping error check
        selinux: add a skb_owned_by() hook
        can: gw: use kmem_cache_free() instead of kfree()
        netrom: fix invalid use of sizeof in nr_recvmsg()
        qeth: fix qeth_wait_for_threads() deadlock for OSN devices
        af_iucv: fix recvmsg by replacing skb_pull() function
        rtnetlink: Call nlmsg_parse() with correct header length
        bonding: fix bonding_masters race condition in bond unloading
        Revert "bonding: remove sysfs before removing devices"
        net: mvneta: enable features before registering the driver
        hyperv: Fix RNDIS send_completion code path
        hyperv: Fix a kernel warning from netvsc_linkstatus_callback()
        net: ipv4: fix schedule while atomic bug in check_lifetime()
        net: ipv4: reset check_lifetime_work after changing lifetime
        bnx2x: Fix KR2 rapid link flap
        sctp: remove 'sridhar' from maintainers list
        VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg()
        VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue()
        ...
      fe2971a0
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://linux-c6x.org/git/projects/linux-c6x-upstreaming · eb02db38
      Linus Torvalds authored
      Pull C6X fix from Mark Salter.
      
      Final (?) fix from the barrier discussion.
      
      * tag 'for-linus' of git://linux-c6x.org/git/projects/linux-c6x-upstreaming:
        add memory barrier to arch_local_irq_restore
      eb02db38
    • Paul Moore's avatar
      lsm: add the missing documentation for the security_skb_owned_by() hook · 6b07a24f
      Paul Moore authored
      Unfortunately we didn't catch the missing comments earlier when the
      patch was merged.
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b07a24f
    • Yuval Mintz's avatar
      bnx2x: Prevent null pointer dereference in AFEX mode · fea75645
      Yuval Mintz authored
      The cnic module is responsible for initializing various bnx2x structs
      via callbacks provided by the bnx2x module.
      One such struct is the queue object for the FCoE queue.
      
      If a device is working in AFEX mode and its configuration allows FCoE yet
      the cnic module is not loaded, it's very likely a null pointer dereference
      will occur, as the bnx2x will erroneously access the FCoE's queue object.
      
      Prevent said access until cnic properly registers itself.
      Signed-off-by: default avatarYuval Mintz <yuvalmin@broadcom.com>
      Signed-off-by: default avatarAriel Elior <ariele@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fea75645
    • Neil Horman's avatar
      e100: Add dma mapping error check · 61a0f6ef
      Neil Horman authored
      e100 uses pci_map_single, but fails to check for a dma mapping error after its
      use, resulting in a stack trace:
      
      [   46.656594] ------------[ cut here ]------------
      [   46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
      [   46.657004] Hardware name: To Be Filled By O.E.M.
      [   46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
      error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
      [   46.657004] Modules linked in:
      [   46.657004]  w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
      snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
      e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
      k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
      sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
      drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
      sata_promise crc_itu_t
      [   46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
      [   46.657004] Call Trace:
      [   46.657004]  <IRQ>  [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
      [   46.657004]  [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
      [   46.657004]  [<ffffffff81364cfb>] check_unmap+0x47b/0x950
      [   46.657004]  [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
      [   46.657004]  [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
      [   46.657004]  [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
      [   46.657004]  [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
      [   46.657004]  [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
      [   46.657004]  [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
      [   46.657004]  [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
      [   46.657004]  [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
      [   46.657004]  [<ffffffff8101c485>] do_softirq+0x85/0xc0
      [   46.657004]  [<ffffffff81070885>] irq_exit+0xd5/0xe0
      [   46.657004]  [<ffffffff816e5756>] do_IRQ+0x56/0xc0
      [   46.657004]  [<ffffffff816dacb2>] common_interrupt+0x72/0x72
      [   46.657004]  <EOI>  [<ffffffff816da1eb>] ?
      _raw_spin_unlock_irqrestore+0x3b/0x70
      [   46.657004]  [<ffffffff816d124d>] __slab_free+0x58/0x38b
      [   46.657004]  [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
      [   46.657004]  [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
      [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
      [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
      [   46.657004]  [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
      [   46.657004]  [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
      [   46.657004]  [<ffffffff811e8c28>] destroy_inode+0x38/0x60
      [   46.657004]  [<ffffffff811e8d5e>] evict+0x10e/0x1a0
      [   46.657004]  [<ffffffff811e9605>] iput+0xf5/0x180
      [   46.657004]  [<ffffffff811e4338>] dput+0x248/0x310
      [   46.657004]  [<ffffffff811ce0e1>] __fput+0x171/0x240
      [   46.657004]  [<ffffffff811ce26e>] ____fput+0xe/0x10
      [   46.657004]  [<ffffffff8108d54c>] task_work_run+0xac/0xe0
      [   46.657004]  [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
      [   46.657004]  [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
      [   46.657004]  [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
      [   46.657004]  [<ffffffff8106d139>] do_group_exit+0x49/0xc0
      [   46.657004]  [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
      [   46.657004]  [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
      [   46.657004] ---[ end trace 4468c44e2156e7d1 ]---
      [   46.657004] Mapped at:
      [   46.657004]  [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
      [   46.657004]  [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
      [   46.657004]  [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
      [   46.657004]  [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
      [   46.657004]  [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
      
      Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
      dma_mapping_error check in the obvious place
      
      This was reported previously here:
      http://article.gmane.org/gmane.linux.network/257893
      
      But nobody stepped up and fixed it.
      
      CC: Josh Boyer <jwboyer@redhat.com>
      CC: e1000-devel@lists.sourceforge.net
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Reported-by: default avatarMichal Jaegermann <michal@harddata.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61a0f6ef
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-3.9-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 51de0170
      Linus Torvalds authored
      Pull another nfs fixlet from Trond Myklebust:
       "I suddenly noticed that a one-line issue that I _thought_ I had fixed
        with the nfs41_walk_client_list patch was apparently still there in
        the pull request I sent earlier today.  I'm very sorry for not
        catching that in time.
      
         - Fix a brain fart in nfs41_walk_client_list"
      
      * tag 'nfs-for-3.9-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
      51de0170
    • Trond Myklebust's avatar
      NFSv4: Doh! Typo in the fix to nfs41_walk_client_list · eb04e0ac
      Trond Myklebust authored
      Make sure that we set the status to 0 on success. Missed in testing
      because it never appears when doing multiple mounts to _different_
      servers.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd1: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
      eb04e0ac
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-3.9-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · f94eeb42
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       - fix for memory corruption issues in nfs4[01]_walk_client_list (stable)
       - fix for an Oopsable bug in rpc_clone_client (stable)
       - another state manager deadlock in the NFSv4 open code
       - memory leaks in nfs4_discover_server_trunking and rpc_new_client
      
      * tag 'nfs-for-3.9-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv4: Fix another potential state manager deadlock
        SUNRPC: Fix a potential memory leak in rpc_new_client
        NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
        NFSv4: Fix a memory leak in nfs4_discover_server_trunking
        SUNRPC: Remove extra xprt_put()
      f94eeb42
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · d02a9a89
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes a GCM bug that breaks IPsec and a compile problem in
        ux500."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: ux500 - add missing comma
        crypto: gcm - fix assumption that assoc has one segment
      d02a9a89
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 49b442ca
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Just a spare semicolon in nouveau that caused some issues, and an
        mgag200 fix"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
        drm/nouveau: fix unconditional return waiting on memory
      49b442ca
  3. 09 Apr, 2013 18 commits
  4. 08 Apr, 2013 8 commits
    • Dave Airlie's avatar
      Merge branch 'drm-nouveau-fixes-3.9' of... · c9cdee17
      Dave Airlie authored
      Merge branch 'drm-nouveau-fixes-3.9' of git://anongit.freedesktop.org/git/nouveau/linux-2.6 into drm-fixes
      
      too many semicolons.
      
      * 'drm-nouveau-fixes-3.9' of git://anongit.freedesktop.org/git/nouveau/linux-2.6:
        drm/nouveau: fix unconditional return waiting on memory
      c9cdee17
    • Calvin Owens's avatar
      drm/nouveau: fix unconditional return waiting on memory · b1ea3e6e
      Calvin Owens authored
      Typo in nv50_display_flip_wait allows page flipping to run ahead before
      memory has time to settle.
      Signed-off-by: default avatarCalvin Owens <jcalvinowens@gmail.com>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      b1ea3e6e
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes · f011a08c
      Linus Torvalds authored
      Pull powerpc bugfix from Stephen Rothwell:
       "A single BUG_ON fix for a condition that could happen for machines
        with certain hardware installed."
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes:
        powerpc: pSeries_lpar_hpte_remove fails from Adjunct partition being performed before the ANDCOND test
      f011a08c
    • Christian Ruppert's avatar
      ARC: Add implicit compiler barrier to raw_local_irq* functions · 79e5f05e
      Christian Ruppert authored
      ARC irqsave/restore macros were missing the compiler barrier, causing a
      stale load in irq-enabled region be used in irq-safe region, despite
      being changed, because the register holding the value was still live.
      
      The problem manifested as random crashes in timer code when stress
      testing ARCLinux (3.9-rc3) on a !SMP && !PREEMPT_COUNT
      
      Here's the exact sequence which caused this:
       (0). tv1[x] <----> t1 <---> t2
       (1). mod_timer(t1) interrupted after it calls timer_pending()
       (2). mod_timer(t2) completes
       (3). mod_timer(t1) resumes but messes up the list
       (4). __runt_timers( ) uses bogus timer_list entry / crashes in
            timer->function
      
      Essentially mod_timer() was racing against itself and while the spinlock
      serialized the tv1[] timer link list, timer_pending() called outside the
      spinlock, cached timer link list element in a register.
      With low register pressure (and a deep register file), lack of barrier
      in raw_local_irqsave() as well as preempt_disable (!PREEMPT_COUNT
      version), there was nothing to force gcc to reload across the spinlock,
      causing a stale value in reg be used for link list manipulation - ensuing
      a corruption.
      
      ARcompact disassembly which shows the culprit generated code:
      
      mod_timer:
          push_s blink
          mov_s r13,r0	# timer, timer
      ..
          ###### timer_pending( )
          ld_s r3,[r13]       # <------ <variable>.entry.next LOADED
          brne r3, 0, @.L163
      
      .L163:
      ..
          ###### spin_lock_irq( )
          lr  r5, [status32]  # flags
          bic r4, r5, 6       # temp, flags,
          and.f 0, r5, 6      # flags,
          flag.nz r4
      
          ###### detach_if_pending( ) begins
      
          tst_s r3,r3  <--------------
      			# timer_pending( ) checks timer->entry.next
                              # r3 is NOT reloaded by gcc, using stale value
          beq.d @.L169
          mov.eq r0,0
      
          #####  detach_timer( ): __list_del( )
      
          ld r4,[r13,4]    	# <variable>.entry.prev, D.31439
          st r4,[r3,4]     	# <variable>.prev, D.31439
          st r3,[r4]       	# <variable>.next, D.30246
      
      We initially tried to fix this by adding barrier() to preempt_* macros
      for !PREEMPT_COUNT but Linus clarified that it was anything but wrong.
      http://www.spinics.net/lists/kernel/msg1512709.html
      
      [vgupta: updated commitlog]
      
      Reported-by/Signed-off-by: Christian Ruppert <christian.ruppert@abilis.com>
      Cc: Christian Ruppert <christian.ruppert@abilis.com>
      Cc: Pierrick Hascoet <pierrick.hascoet@abilis.com>
      Debugged-by/Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      79e5f05e
    • Linus Torvalds's avatar
      Merge tag 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev · f465d40d
      Linus Torvalds authored
      Pull libata fixes from Jeff Garzik:
       "The HDIO_DRIVE_* fix is really the biggie.
      
        1) Fix ATAPI regression, noticed mainly on tape drives, due to a
           commit which mistakenly changed an 'int' return type to a 'bool'.
           Broken by commit 4dce8ba9 ("libata: Use 'bool' return value for
           ata_id_XXX")
      
        2) Add Slimtype DVD A DS8A8SH ATAPI quirk
      
        3) ata_piix: Intel Haswell platform quirk
      
        4) Avoid DMA'ing to stack buffer, when obtaining DEVSLP timings.  IMO
           a mild regression, given that libata previously did not DMA to a
           stack buffer.  Broken by commit commit 803739d2 ("[libata]
           replace sata_settings with devslp_timing")
      
        5) Fix regression impacting SMART and smartd, broken by commit
           84a9a8cd ("[libata] Set proper SK when CK_COND is set")"
      
      * tag 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
        [libata] Fix HDIO_DRIVE_* ioctl() Linux 3.9 regression
        libata: fix DMA to stack in reading devslp_timing parameters
        ata_piix: Fix DVD not dectected at some Haswell platforms
        libata: Set max sector to 65535 for Slimtype DVD A DS8A8SH drive
        libata: Use integer return value for atapi_command_packet_set
      f465d40d
    • Linus Torvalds's avatar
      Merge tag 'trace-fixes-3.9-rc6' of... · 5f2f280f
      Linus Torvalds authored
      Merge tag 'trace-fixes-3.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
      
      Pull tracing fixes from Steven Rostedt:
       "This includes three fixes.  Two fix features added in 3.9 and one
        fixes a long time minor bug.
      
        The first patch fixes a race that can happen if the user switches from
        the irqsoff tracer to another tracer.  If a irqs off latency is
        detected, it will try to use the snapshot buffer, but the new tracer
        wont have it allocated.  There's a nasty warning that gets printed and
        the trace is ignored.  Nothing crashes, just a nasty WARN_ON is shown.
      
        The second patch fixes an issue where if the sysctl is used to disable
        and enable function tracing, it can put the function tracing into an
        unstable state.
      
        The third patch fixes an issue with perf using the function tracer.
        An update was done, where the stub function could be called during the
        perf function tracing, and that stub function wont have the "control"
        flag set and cause a nasty warning when running perf."
      
      * tag 'trace-fixes-3.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace: Do not call stub functions in control loop
        ftrace: Consistently restore trace function on sysctl enabling
        tracing: Fix race with update_max_tr_single and changing tracers
      5f2f280f
    • Stefan Raspl's avatar
      qeth: fix qeth_wait_for_threads() deadlock for OSN devices · 65d8013c
      Stefan Raspl authored
      Any recovery thread will deadlock when calling qeth_wait_for_threads(), most
      notably when triggering a recovery on an OSN device.
      This patch will store the recovery thread's task pointer on recovery
      invocation and check in qeth_wait_for_threads() respectively to avoid
      deadlocks.
      Signed-off-by: default avatarStefan Raspl <raspl@linux.vnet.ibm.com>
      Signed-off-by: default avatarFrank Blaschka <blaschka@linux.vnet.ibm.com>
      Reviewed-by: default avatarUrsula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65d8013c
    • Ursula Braun's avatar
      af_iucv: fix recvmsg by replacing skb_pull() function · f9c41a62
      Ursula Braun authored
      When receiving data messages, the "BUG_ON(skb->len < skb->data_len)" in
      the skb_pull() function triggers a kernel panic.
      
      Replace the skb_pull logic by a per skb offset as advised by
      Eric Dumazet.
      Signed-off-by: default avatarUrsula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: default avatarFrank Blaschka <blaschka@linux.vnet.ibm.com>
      Reviewed-by: default avatarHendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9c41a62