- 25 Jul, 2012 21 commits
-
-
Avi Kivity authored
commit f2ebd422 upstream. kvm_set_irq() has an internal buffer of three irq routing entries, allowing connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry() does not properly enforce this, allowing three irqchip routes followed by an MSI route to overflow the buffer. Fix by ensuring that an MSI entry is added to an empty list. Signed-off-by:
Avi Kivity <avi@redhat.com> Signed-off-by:
Ben Hutchings <ben@decadent.org.uk>
-
Jason Wang authored
commit b92946e2 upstream. There're several reasons that the vectors need to be validated: - Return error when caller provides vectors whose num is greater than UIO_MAXIOV. - Linearize part of skb when userspace provides vectors grater than MAX_SKB_FRAGS. - Return error when userspace provides vectors whose total length may exceed - MAX_SKB_FRAGS * PAGE_SIZE. Signed-off-by:
Jason Wang <jasowang@redhat.com> Signed-off-by:
Michael S. Tsirkin <mst@redhat.com> Signed-off-by:
-
Jason Wang authored
commit 01d6657b upstream. Current the SKBTX_DEV_ZEROCOPY is set unconditionally after zerocopy_sg_from_iovec(), this would lead NULL pointer when macvtap fails to build zerocopy skb because destructor_arg was not initialized. Solve this by set this flag after the skb were built successfully. Signed-off-by:
-
Jason Wang authored
commit 02ce04bb upstream. When get_user_pages_fast() fails to get all requested pages, we could not use kfree_skb() to free it as it has not been put in the skb fragments. So we need to call put_page() instead. Signed-off-by:
-
Jason Wang authored
commit 4ef67ebe upstream. As the skb fragment were pinned/built from user pages, we should account the page instead of length for truesize. Signed-off-by:
-
Jason Wang authored
commit 3afc9621 upstream. This patch fixes the offset calculation when building skb: - offset1 were used as skb data offset not vector offset - reset offset to zero only when we advance to next vector Signed-off-by:
-
Trond Myklebust authored
commit 685f50f9 upstream. Don't allocate the legacy idmapper tables until we actually need them. Signed-off-by:
Trond Myklebust <Trond.Myklebust@netapp.com> Reviewed-by:
Jeff Layton <jlayton@redhat.com> [bwh: Backported to 3.2: adjust context in nfs_idmap_delete()] Signed-off-by:
-
Trond Myklebust authored
commit d073e9b5 upstream. Instead of pre-allocating the storage for all the strings, we can significantly reduce the size of that table by doing the allocation when we do the downcall. Signed-off-by:
-
David Gibson authored
commit 90481622 upstream. hugetlbfs_{get,put}_quota() are badly named. They don't interact with the general quota handling code, and they don't much resemble its behaviour. Rather than being about maintaining limits on on-disk block usage by particular users, they are instead about maintaining limits on in-memory page usage (including anonymous MAP_PRIVATE copied-on-write pages) associated with a particular hugetlbfs filesystem instance. Worse, they work by having callbacks to the hugetlbfs filesystem code from the low-level page handling code, in particular from free_huge_page(). This is a layering violation of itself, but more importantly, if the kernel does a get_user_pages() on hugepages (which can happen from KVM amongst others), then the free_huge_page() can be delayed until after the associated inode has already been freed. If an unmount occurs at the wrong time, even the hugetlbfs superblock where the "quota" limits are stored may have been freed. Andrew Barry proposed a patch to fix this by having hugepages, instead of storing a pointer to their address_space and reaching the superblock from there, had the hugepages store pointers directly to the superblock, bumping the reference count as appropriate to avoid it being freed. Andrew Morton rejected that version, however, on the grounds that it made the existing layering violation worse. This is a reworked version of Andrew's patch, which removes the extra, and some of the existing, layering violation. It works by introducing the concept of a hugepage "subpool" at the lower hugepage mm layer - that is a finite logical pool of hugepages to allocate from. hugetlbfs now creates a subpool for each filesystem instance with a page limit set, and a pointer to the subpool gets added to each allocated hugepage, instead of the address_space pointer used now. The subpool has its own lifetime and is only freed once all pages in it _and_ all other references to it (i.e. superblocks) are gone. subpools are optional - a NULL subpool pointer is taken by the code to mean that no subpool limits are in effect. Previous discussion of this bug found in: "Fix refcounting in hugetlbfs quota handling.". See: https://lkml.org/lkml/2011/8/11/28 or http://marc.info/?l=linux-mm&m=126928970510627&w=1 v2: Fixed a bug spotted by Hillf Danton, and removed the extra parameter to alloc_huge_page() - since it already takes the vma, it is not necessary. Signed-off-by:
Andrew Barry <abarry@cray.com> Signed-off-by:
David Gibson <david@gibson.dropbear.id.au> Cc: Hugh Dickins <hughd@google.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Minchan Kim <minchan.kim@gmail.com> Cc: Hillf Danton <dhillf@gmail.com> Cc: Paul Mackerras <paulus@samba.org> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> [bwh: Backported to 3.2: adjust context to apply after commit c50ac050 'hugetlb: fix resv_map leak in error path', backported in 3.2.20] Signed-off-by:
-
Ben Hutchings authored
commit 1d526fc9 upstream. Currently the value reported for max_batch_time is really the value of min_batch_time. Reported-by:
Russell Coker <russell@coker.com.au> Signed-off-by:
-
William Dauchy authored
commit 96dcadc2 upstream. Adding rate limit on `Lock reclaim failed` messages since it could fill up system logs Signed-off-by:
William Dauchy <wdauchy@gmail.com> Signed-off-by:
-
Eldad Zack authored
commit 6ead629b upstream. I keep getting the following messages on the log buffer: [ 2167.097507] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU [ 2281.331305] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU [ 2281.332539] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU [ 2329.876605] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU [ 2329.877354] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU [ 2462.280756] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU [ 2615.651689] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU From the code comment I understand that this something that can - and does, quite frequently - happen. Signed-off-by:
Eldad Zack <eldad@fogrefinery.com> Acked-by: Franky Lin<frankyl@broadcom.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
Lucas De Marchi authored
commit 620c231c upstream. scripts/depmod.sh checks for the output of '-V' expecting that it has module-init-tools in it. It's a hack to prevent users from using modutils instead of module-init-tools, that only works with 2.4.x kernels. This however prints an annoying warning for kmod tool, that is currently replacing module-init-tools. Rather than putting another check for kmod's version, just remove it since users of 2.4.x kernel are unlikely to upgrade to 3.x, and if they do, let depmod fail in that case because they should know what they are doing. Signed-off-by:
Lucas De Marchi <lucas.demarchi@profusion.mobi> Acked-by:
WANG Cong <amwang@redhat.com> Acked-By:
Kay Sievers <kay.sievers@vrfy.org> Signed-off-by:
Michal Marek <mmarek@suse.cz> Signed-off-by:
-
Eugeni Dodonov authored
commit c0e2ee1b upstream. As noticed by Torsten Kaiser, the operator precedence can play tricks with us here. CC: Dave Airlie <airlied@redhat.com> Signed-off-by:
Eugeni Dodonov <eugeni.dodonov@intel.com> Signed-off-by:
Jesse Barnes <jbarnes@virtuousgeek.org> Signed-off-by:
-
Eugeni Dodonov authored
commit 1c8ecf80 upstream. With base on latest findings, RC6p seems to be respondible for RC6-related issues on Sandy Bridge platform. To work-around those issues, the previous solution was to completely disable RC6 on Sandy Bridge for the past few releases, even if plain RC6 was not giving any issues. What this patch does is preventing RC6p from being enabled on Sandy Bridge even if users enable RC6 via a kernel parameter. So it won't change the defaults in any way, but will ensure that if users do enable RC6 manually it won't break their machines by enabling this extra state. Proper fix for this (enabling specific RC6 states according to the GPU generation) were proposed for the -next kernel, but we are too late in the release process now to pick such changes. Acked-by:
Keith Packard <keithp@keithp.com> Signed-off-by:
-
Stanislav Yakovlev authored
commit a141e6a0 upstream. Driver doesn't report its supported cipher suites through cfg80211 interface. It still uses wext interface and probably will not work through nl80211, but will at least correctly advertise supported features. Bug was reported by Omar Siam. https://bugzilla.kernel.org/show_bug.cgi?id=43049Signed-off-by:
Stanislav Yakovlev <stas.yakovlev@gmail.com> Signed-off-by:
-
Stanislaw Gruszka authored
commit 0fde0a8c upstream. Fix: BUG: sleeping function called from invalid context at kernel/workqueue.c:2547 in_atomic(): 1, irqs_disabled(): 0, pid: 629, name: wpa_supplicant 2 locks held by wpa_supplicant/629: #0: (rtnl_mutex){+.+.+.}, at: [<c08b2b84>] rtnl_lock+0x14/0x20 #1: (&trigger->leddev_list_lock){.+.?..}, at: [<c0867f41>] led_trigger_event+0x21/0x80 Pid: 629, comm: wpa_supplicant Not tainted 3.3.0-0.rc3.git5.1.fc17.i686 Call Trace: [<c046a9f6>] __might_sleep+0x126/0x1d0 [<c0457d6c>] wait_on_work+0x2c/0x1d0 [<c045a09a>] __cancel_work_timer+0x6a/0x120 [<c045a160>] cancel_delayed_work_sync+0x10/0x20 [<f7dd3c22>] rtl8187_led_brightness_set+0x82/0xf0 [rtl8187] [<c0867f7c>] led_trigger_event+0x5c/0x80 [<f7ff5e6d>] ieee80211_led_radio+0x1d/0x40 [mac80211] [<f7ff3583>] ieee80211_stop_device+0x13/0x230 [mac80211] Removing _sync is ok, because if led_on work is currently running it will be finished before led_off work start to perform, since they are always queued on the same mac80211 local->workqueue. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=795176Signed-off-by:
Stanislaw Gruszka <sgruszka@redhat.com> Acked-by:
Larry Finger <Larry.Finger@lwfinger.net> Acked-by:
Hin-Tak Leung <htl10@users.sourceforge.net> Signed-off-by:
-
Matt Carlson authored
commit b7abee6e upstream. 5906 devices also need the short DMA fragment workaround. This patch makes the necessary change. Signed-off-by:
Matt Carlson <mcarlson@broadcom.com> Tested-by:
Christian Kujau <lists@nerdbynature.de> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Eric Dumazet authored
commit fdf5af0d upstream. Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his linux machines to their limits. Dont call conn_request() if the TCP flags includes SYN flag Reported-by:
Denys Fedoryshchenko <denys@visp.net.lb> Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
-
Shaohua Li authored
commit fab363b5 upstream. There isn't locking setting STRIPE_DELAYED and STRIPE_PREREAD_ACTIVE bits, but the two bits have relationship. A delayed stripe can be moved to hold list only when preread active stripe count is below IO_THRESHOLD. If a stripe has both the bits set, such stripe will be in delayed list and preread count not 0, which will make such stripe never leave delayed list. Signed-off-by:
Shaohua Li <shli@fusionio.com> Signed-off-by:
NeilBrown <neilb@suse.de> Signed-off-by:
-
Corentin Chary authored
commit 3be324a9 upstream. This enable the driver for everything that look like a laptop and is from vendor "SAMSUNG ELECTRONICS CO., LTD.". Note that laptop supported by samsung-q10 seem to have a different vendor strict. Also remove every log output until we know that we have a SABI interface (except if the driver is forced to load, or debug is enabled). Keeping a whitelist of laptop with a model granularity is something that can't work without close vendor cooperation (and we don't have that). Signed-off-by:
Corentin Chary <corentincj@iksaif.net> Acked-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Matthew Garrett <mjg@redhat.com> [bwh: Backported to 3.2: - Adjust context - Drop changes relating to ACPI video] Signed-off-by:
-
- 12 Jul, 2012 19 commits
-
-
Ben Hutchings authored
-
Linus Torvalds authored
commit 332a2e12 upstream. We already use them for openat() and friends, but fchdir() also wants to be able to use O_PATH file descriptors. This should make it comparable to the O_SEARCH of Solaris. In particular, O_PATH allows you to access (not-quite-open) a directory you don't have read persmission to, only execute permission. Noticed during development of multithread support for ksh93. Reported-by:
ольга крыжановская <olga.kryzhanovska@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Mark Rustad authored
commit 863555be upstream. Use rcu_dereference_protected to tell rcu that the ft_lport_lock is held during ft_lport_create. This resolved "suspicious RCU usage" warnings when debugging options are turned on. Signed-off-by:
Mark Rustad <mark.d.rustad@intel.com> Tested-by:
Ross Brattain <ross.b.brattain@intel.com> Signed-off-by:
Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by:
-
Andy Lutomirski authored
commit 9ab4233d upstream. Otherwise the code races with munmap (causing a use-after-free of the vma) or with close (causing a use-after-free of the struct file). The bug was introduced by commit 90ed52eb ("[PATCH] holepunch: fix mmap_sem i_mutex deadlock") Cc: Hugh Dickins <hugh@veritas.com> Cc: Miklos Szeredi <mszeredi@suse.cz> Cc: Badari Pulavarty <pbadari@us.ibm.com> Cc: Nick Piggin <npiggin@suse.de> Signed-off-by:
Andy Lutomirski <luto@amacapital.net> Signed-off-by:
-
Dan Carpenter authored
commit 48f8b641 upstream. The intent here was clearly to set result to true if the 0x40000000 flag was set. But instead there was a | vs & typo and we always set result to true. Artem: check the spec at wiki.laptop.org/images/5/5c/88ALP01_Datasheet_July_2007.pdf and this fix looks correct. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by:
David Woodhouse <David.Woodhouse@intel.com> Signed-off-by:
-
Junxiao Bi authored
commit 2dfd0603 upstream. Ocfs2 uses kiocb.*private as a flag of unsigned long size. In commit a11f7e63 ocfs2: serialize unaligned aio, the unaligned io flag is involved in it to serialize the unaligned aio. As *private is not initialized in init_sync_kiocb() of do_sync_write(), this unaligned io flag may be unexpectly set in an aligned dio. And this will cause OCFS2_I(inode)->ip_unaligned_aio decreased to -1 in ocfs2_dio_end_io(), thus the following unaligned dio will hang forever at ocfs2_aiodio_wait() in ocfs2_file_aio_write(). Signed-off-by:
Junxiao Bi <junxiao.bi@oracle.com> Acked-by:
Jeff Moyer <jmoyer@redhat.com> Signed-off-by:
Joel Becker <jlbec@evilplan.org> Signed-off-by:
-
Junxiao Bi authored
commit 3e5d3c35 upstream. The unaligned io flag is set in the kiocb when an unaligned dio is issued, it should be cleared even when the dio fails, or it may affect the following io which are using the same kiocb. Signed-off-by:
-
Jeff Layton authored
commit ec01d738 upstream. When the server doesn't advertise CAP_LARGE_READ_X, then MS-CIFS states that you must cap the size of the read at the client's MaxBufferSize. Unfortunately, testing with many older servers shows that they often can't service a read larger than their own MaxBufferSize. Since we can't assume what the server will do in this situation, we must be conservative here for the default. When the server can't do large reads, then assume that it can't satisfy any read larger than its MaxBufferSize either. Luckily almost all modern servers can do large reads, so this won't affect them. This is really just for older win9x and OS/2 era servers. Also, note that this patch just governs the default rsize. The admin can always override this if he so chooses. Reported-by:
David H. Durgee <dhdurgee@acm.org> Signed-off-by:
Steven French <sfrench@w500smf.(none)> Signed-off-by:
-
Chris Mason authored
commit b6305567 upstream. While we are resolving directory modifications in the tree log, we are triggering delayed metadata updates to the filesystem btrees. This commit forces the delayed updates to run so the replay code can find any modifications done. It stops us from crashing because the directory deleltion replay expects items to be removed immediately from the tree. Signed-off-by:
Chris Mason <chris.mason@fusionio.com> Signed-off-by:
-
stephen hemminger authored
[ Upstream commit 149ddd83 ] This ensures that bridges created with brctl(8) or ioctl(2) directly also carry IFLA_LINKINFO when dumped over netlink. This also allows to create a bridge with ioctl(2) and delete it with RTM_DELLINK. Signed-off-by:
Thomas Graf <tgraf@suug.ch> Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
-
Thomas Graf authored
[ Upstream commit d189634e ] /proc/net/ipv6_route reflects the contents of fib_table_hash. The proc handler is installed in ip6_route_net_init() whereas fib_table_hash is allocated in fib6_net_init() _after_ the proc handler has been installed. This opens up a short time frame to access fib_table_hash with its pants down. Move the registration of the proc files to a later point in the init order to avoid the race. Tested :-) Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit 954fba02 ] Bogdan Hamciuc diagnosed and fixed following bug in netpoll_send_udp() : "skb->len += len;" instead of "skb_put(skb, len);" Meaning that _if_ a network driver needs to call skb_realloc_headroom(), only packet headers would be copied, leaving garbage in the payload. However the skb_realloc_headroom() must be avoided as much as possible since it requires memory and netpoll tries hard to work even if memory is exhausted (using a pool of preallocated skbs) It appears netpoll_send_udp() reserved 16 bytes for the ethernet header, which happens to work for typicall drivers but not all. Right thing is to use LL_RESERVED_SPACE(dev) (And also add dev->needed_tailroom of tailroom) This patch combines both fixes. Many thanks to Bogdan for raising this issue. Reported-by:
Bogdan Hamciuc <bogdan.hamciuc@freescale.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Tested-by:
Neil Horman <nhorman@tuxdriver.com> Reviewed-by:
Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by:
-
Michał Mirosław authored
[ Upstream commit f80400a2 ] Allow ETHTOOL_GSSET_INFO ethtool ioctl() for unprivileged users. ETHTOOL_GSTRINGS is already allowed, but is unusable without this one. Signed-off-by:
Michał Mirosław <mirq-linux@rere.qmqm.pl> Acked-by:
Ben Hutchings <bhutchings@solarflare.com> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit 5ee31c68 ] In the transmit path of the bonding driver, skb->cb is used to stash the skb->queue_mapping so that the bonding device can set its own queue mapping. This value becomes corrupted since the skb->cb is also used in __dev_xmit_skb. When transmitting through bonding driver, bond_select_queue is called from dev_queue_xmit. In bond_select_queue the original skb->queue_mapping is copied into skb->cb (via bond_queue_mapping) and skb->queue_mapping is overwritten with the bond driver queue. Subsequently in dev_queue_xmit, __dev_xmit_skb is called which writes the packet length into skb->cb, thereby overwriting the stashed queue mappping. In bond_dev_queue_xmit (called from hard_start_xmit), the queue mapping for the skb is set to the stashed value which is now the skb length and hence is an invalid queue for the slave device. If we want to save skb->queue_mapping into skb->cb[], best place is to add a field in struct qdisc_skb_cb, to make sure it wont conflict with other layers (eg : Qdiscc, Infiniband...) This patchs also makes sure (struct qdisc_skb_cb)->data is aligned on 8 bytes : netem qdisc for example assumes it can store an u64 in it, without misalignment penalty. Note : we only have 20 bytes left in (struct qdisc_skb_cb)->data[]. The largest user is CHOKe and it fills it. Based on a previous patch from Tom Herbert. Signed-off-by:
Tom Herbert <therbert@google.com> Cc: John Fastabend <john.r.fastabend@intel.com> Cc: Roland Dreier <roland@kernel.org> Acked-by:
-
Eric Dumazet authored
[ Upstream commit 16b0dc29 ] Trying to "modprobe dummy numdummies=30000" triggers : INFO: rcu_sched self-detected stall on CPU { 8} (t=60000 jiffies) After this splat, RTNL is locked and reboot is needed. We must call cond_resched() to avoid this, even holding RTNL. Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit cd8f76c0 ] As soon as hardware is notified of a transmit, we no longer can assume skb can be dereferenced, as TX completion might have freed the packet. Signed-off-by:
-
stephen hemminger authored
[ Upstream commit 5ff0feac ] The newer flavors of Yukon II use a different method for receive checksum offload. This is indicated in the driver by the SKY2_HW_NEW_LE flag. On these newer chips, the BMU_ENA_RX_CHKSUM should not be set. The driver would get incorrectly toggle the bit, enabling the old checksum logic on these chips and cause a BUG_ON() assertion. If receive checksum was toggled via ethtool. Reported-by:
Kirill Smelkov <kirr@mns.spb.ru> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit 4399a4df ] Commit 081b1b1b (l2tp: fix l2tp_ip_sendmsg() route handling) added a race, in case IP route cache is disabled. In this case, we should not do the dst_release(&rt->dst), since it'll free the dst immediately, instead of waiting a RCU grace period. Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit a06998b8 ] We must prevent module unloading if some devices are still attached to l2tp_eth driver. Signed-off-by:
-
