1. 22 Mar, 2013 7 commits
    • Russ Anderson's avatar
      mm: zone_end_pfn is too small · f9228b20
      Russ Anderson authored
      Booting with 32 TBytes memory hits BUG at mm/page_alloc.c:552! (output
      below).
      
      The key hint is "page 4294967296 outside zone".
      4294967296 = 0x100000000 (bit 32 is set).
      
      The problem is in include/linux/mmzone.h:
      
        530 static inline unsigned zone_end_pfn(const struct zone *zone)
        531 {
        532         return zone->zone_start_pfn + zone->spanned_pages;
        533 }
      
      zone_end_pfn is "unsigned" (32 bits).  Changing it to "unsigned long"
      (64 bits) fixes the problem.
      
      zone_end_pfn() was added recently in commit 108bcc96 ("mm: add & use
      zone_end_pfn() and zone_spans_pfn()")
      
      Output from the failure.
      
        No AGP bridge found
        page 4294967296 outside zone [ 4294967296 - 4327469056 ]
        ------------[ cut here ]------------
        kernel BUG at mm/page_alloc.c:552!
        invalid opcode: 0000 [#1] SMP
        Modules linked in:
        CPU 0
        Pid: 0, comm: swapper Not tainted 3.9.0-rc2.dtp+ #10
        RIP: free_one_page+0x382/0x430
        Process swapper (pid: 0, threadinfo ffffffff81942000, task ffffffff81955420)
        Call Trace:
          __free_pages_ok+0x96/0xb0
          __free_pages+0x25/0x50
          __free_pages_bootmem+0x8a/0x8c
          __free_memory_core+0xea/0x131
          free_low_memory_core_early+0x4a/0x98
          free_all_bootmem+0x45/0x47
          mem_init+0x7b/0x14c
          start_kernel+0x216/0x433
          x86_64_start_reservations+0x2a/0x2c
          x86_64_start_kernel+0x144/0x153
        Code: 89 f1 ba 01 00 00 00 31 f6 d3 e2 4c 89 ef e8 66 a4 01 00 e9 2c fe ff ff 0f 0b eb fe 0f 0b 66 66 2e 0f 1f 84 00 00 00 00 00 eb f3 <0f> 0b eb fe 0f 0b 0f 1f 84 00 00 00 00 00 eb f6 0f 0b eb fe 49
      Signed-off-by: default avatarRuss Anderson <rja@sgi.com>
      Reported-by: default avatarGeorge Beshers <gbeshers@sgi.com>
      Acked-by: default avatarHedi Berriche <hedi@sgi.com>
      Cc: Cody P Schafer <cody@linux.vnet.ibm.com>
      Cc: Michal Hocko <mhocko@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f9228b20
    • Oleg Nesterov's avatar
      poweroff: change orderly_poweroff() to use schedule_work() · 2ca067ef
      Oleg Nesterov authored
      David said:
      
          Commit 6c0c0d4d ("poweroff: fix bug in orderly_poweroff()")
          apparently fixes one bug in orderly_poweroff(), but introduces
          another.  The comments on orderly_poweroff() claim it can be called
          from any context - and indeed we call it from interrupt context in
          arch/powerpc/platforms/pseries/ras.c for example.  But since that
          commit this is no longer safe, since call_usermodehelper_fns() is not
          safe in interrupt context without the UMH_NO_WAIT option.
      
      orderly_poweroff() can be used from any context but UMH_WAIT_EXEC is
      sleepable.  Move the "force" logic into __orderly_poweroff() and change
      orderly_poweroff() to use the global poweroff_work which simply calls
      __orderly_poweroff().
      
      While at it, remove the unneeded "int argc" and change argv_split() to
      use GFP_KERNEL.
      
      We use the global "bool poweroff_force" to pass the argument, this can
      obviously affect the previous request if it is pending/running.  So we
      only allow the "false => true" transition assuming that the pending
      "true" should succeed anyway.  If schedule_work() fails after that we
      know that work->func() was not called yet, it must see the new value.
      
      This means that orderly_poweroff() becomes async even if we do not run
      the command and always succeeds, schedule_work() can only fail if the
      work is already pending.  We can export __orderly_poweroff() and change
      the non-atomic callers which want the old semantics.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reported-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Reported-by: default avatarDavid Gibson <david@gibson.dropbear.id.au>
      Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
      Cc: Feng Hong <hongfeng@marvell.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Serge Hallyn <serge.hallyn@canonical.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      2ca067ef
    • Wanpeng Li's avatar
      mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting · d0028588
      Wanpeng Li authored
      hugetlb_total_pages is used for overcommit calculations but the current
      implementation considers only the default hugetlb page size (which is
      either the first defined hugepage size or the one specified by
      default_hugepagesz kernel boot parameter).
      
      If the system is configured for more than one hugepage size, which is
      possible since commit a137e1cc ("hugetlbfs: per mount huge page
      sizes") then the overcommit estimation done by __vm_enough_memory()
      (resp.  shown by meminfo_proc_show) is not precise - there is an
      impression of more available/allowed memory.  This can lead to an
      unexpected ENOMEM/EFAULT resp.  SIGSEGV when memory is accounted.
      
      Testcase:
        boot: hugepagesz=1G hugepages=1
        the default overcommit ratio is 50
        before patch:
      
          egrep 'CommitLimit' /proc/meminfo
          CommitLimit:     55434168 kB
      
        after patch:
      
          egrep 'CommitLimit' /proc/meminfo
          CommitLimit:     54909880 kB
      
      [akpm@linux-foundation.org: coding-style tweak]
      Signed-off-by: default avatarWanpeng Li <liwanp@linux.vnet.ibm.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.cz>
      Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Hillf Danton <dhillf@gmail.com>
      Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
      Cc: <stable@vger.kernel.org>		[3.0+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d0028588
    • Frederic Weisbecker's avatar
      printk: Provide a wake_up_klogd() off-case · dc72c32e
      Frederic Weisbecker authored
      wake_up_klogd() is useless when CONFIG_PRINTK=n because neither printk()
      nor printk_sched() are in use and there are actually no waiter on
      log_wait waitqueue.  It should be a stub in this case for users like
      bust_spinlocks().
      
      Otherwise this results in this warning when CONFIG_PRINTK=n and
      CONFIG_IRQ_WORK=n:
      
      	kernel/built-in.o In function `wake_up_klogd':
      	(.text.wake_up_klogd+0xb4): undefined reference to `irq_work_queue'
      
      To fix this, provide an off-case for wake_up_klogd() when
      CONFIG_PRINTK=n.
      
      There is much more from console_unlock() and other console related code
      in printk.c that should be moved under CONFIG_PRINTK.  But for now,
      focus on a minimal fix as we passed the merged window already.
      
      [akpm@linux-foundation.org: include printk.h in bust_spinlocks.c]
      Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Reported-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      dc72c32e
    • James Hogan's avatar
      irq_work.h: fix warning when CONFIG_IRQ_WORK=n · fe8d5261
      James Hogan authored
      A randconfig caught repeated compiler warnings when CONFIG_IRQ_WORK=n
      due to the definition of a non-inline static function in
      <linux/irq_work.h>:
      
        include/linux/irq_work.h +40 : warning: 'irq_work_needs_cpu' defined but not used
      
      Make it inline to supress the warning.  This is caused commit
      00b42959 ("irq_work: Don't stop the tick with pending works") merged
      in v3.9-rc1.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fe8d5261
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · 9217cbb8
      Linus Torvalds authored
      Pull CIFS fixes from Steve French:
       "Three small CIFS Fixes (the most important of the three fixes a recent
        problem authenticating to Windows 8 using cifs rather than SMB2)"
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: ignore everything in SPNEGO blob after mechTypes
        cifs: delay super block destruction until all cifsFileInfo objects are gone
        cifs: map NT_STATUS_SHARING_VIOLATION to EBUSY instead of ETXTBSY
      9217cbb8
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linue' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · d3c92626
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Fix a number of regression and other bugs in ext4, most of which were
        relatively obscure cornercases or races that were found using
        regression tests."
      
      * tag 'ext4_for_linue' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: (21 commits)
        ext4: fix data=journal fast mount/umount hang
        ext4: fix ext4_evict_inode() racing against workqueue processing code
        ext4: fix memory leakage in mext_check_coverage
        ext4: use s_extent_max_zeroout_kb value as number of kb
        ext4: use atomic64_t for the per-flexbg free_clusters count
        jbd2: fix use after free in jbd2_journal_dirty_metadata()
        ext4: reserve metadata block for every delayed write
        ext4: update reserved space after the 'correction'
        ext4: do not use yield()
        ext4: remove unused variable in ext4_free_blocks()
        ext4: fix WARN_ON from ext4_releasepage()
        ext4: fix the wrong number of the allocated blocks in ext4_split_extent()
        ext4: update extent status tree after an extent is zeroed out
        ext4: fix wrong m_len value after unwritten extent conversion
        ext4: add self-testing infrastructure to do a sanity check
        ext4: avoid a potential overflow in ext4_es_can_be_merged()
        ext4: invalidate extent status tree during extent migration
        ext4: remove unnecessary wait for extent conversion in ext4_fallocate()
        ext4: add warning to ext4_convert_unwritten_extents_endio
        ext4: disable merging of uninitialized extents
        ...
      d3c92626
  2. 21 Mar, 2013 7 commits
    • Jeff Layton's avatar
      cifs: ignore everything in SPNEGO blob after mechTypes · f853c616
      Jeff Layton authored
      We've had several reports of people attempting to mount Windows 8 shares
      and getting failures with a return code of -EINVAL. The default sec=
      mode changed recently to sec=ntlmssp. With that, we expect and parse a
      SPNEGO blob from the server in the NEGOTIATE reply.
      
      The current decode_negTokenInit function first parses all of the
      mechTypes and then tries to parse the rest of the negTokenInit reply.
      The parser however currently expects a mechListMIC or nothing to follow the
      mechTypes, but Windows 8 puts a mechToken field there instead to carry
      some info for the new NegoEx stuff.
      
      In practice, we don't do anything with the fields after the mechTypes
      anyway so I don't see any real benefit in continuing to parse them.
      This patch just has the kernel ignore the fields after the mechTypes.
      We'll probably need to reinstate some of this if we ever want to support
      NegoEx.
      Reported-by: default avatarJason Burgess <jason@jacknife2.dns2go.com>
      Reported-by: default avatarYan Li <elliot.li.tech@gmail.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
      f853c616
    • Linus Torvalds's avatar
      Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux · 0a7e4531
      Linus Torvalds authored
      Pull thermal management fixes from Zhang Rui.
      
      * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
        thermal: exynos_thermal: return a proper error code while thermal_zone_device_register fail.
        thermal: rcar_thermal: propagate return value of thermal_zone_device_register
        Thermal: kirkwood: Convert to devm_ioremap_resource()
        Thermal: rcar: Convert to devm_ioremap_resource()
        Thermal: dove: Convert to devm_ioremap_resource()
        thermal: rcar: fix missing unlock on error in rcar_thermal_update_temp()
      0a7e4531
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · cd823469
      Linus Torvalds authored
      Pull perf fixes from Ingo Molnar:
       "A fair chunk of the linecount comes from a fix for a tracing bug that
        corrupts latency tracing buffers when the overwrite mode is changed on
        the fly - the rest is mostly assorted fewliner fixlets."
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86: Add SNB/SNB-EP scheduling constraints for cycle_activity event
        kprobes/x86: Check Interrupt Flag modifier when registering probe
        kprobes: Make hash_64() as always inlined
        perf: Generate EXIT event only once per task context
        perf: Reset hwc->last_period on sw clock events
        tracing: Prevent buffer overwrite disabled for latency tracers
        tracing: Keep overwrite in sync between regular and snapshot buffers
        tracing: Protect tracer flags with trace_types_lock
        perf tools: Fix LIBNUMA build with glibc 2.12 and older.
        tracing: Fix free of probe entry by calling call_rcu_sched()
        perf/POWER7: Create a sysfs format entry for Power7 events
        perf probe: Fix segfault
        libtraceevent: Remove hard coded include to /usr/local/include in Makefile
        perf record: Fix -C option
        perf tools: check if -DFORTIFY_SOURCE=2 is allowed
        perf report: Fix build with NO_NEWT=1
        perf annotate: Fix build with NO_NEWT=1
        tracing: Fix race in snapshot swapping
      cd823469
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 172a271b
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Radeon, intel and nouveau, along with one mgag200 fix
      
         - intel fix for an ioctl overflow, along with a regression fix for
           some phantom irqs on Ironlake.
         - nouveau has a lockdep warning and a bunch of thermal fixes
         - radeon has new pci ids and some minor fixes."
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (26 commits)
        drm/mgag200: Bug fix: Modified pll algorithm for EH project
        drm/i915: stop using GMBUS IRQs on Gen4 chips
        drm/nv50/kms: prevent lockdep false-positive in page flipping path
        drm/nouveau/core: fix return value of nouveau_object_del()
        MAINTAINERS: intel-gfx is no longer subscribers-only
        drm/i915: Use the fixed pixel clock for eDP in intel_dp_set_m_n()
        drm/nouveau/hwmon: do not expose a buggy temperature if it is unavailable
        drm/nouveau/therm: display the availability of the internal sensor
        drm/nouveau/therm: disable temperature management if the sensor isn't readable
        drm/nouveau/therm: disable auto fan management if temperature is not available
        drm/nv40/therm: reserve negative temperatures for errors
        drm/nv40/therm: disable temperature reading if the bios misses some parameters
        drm/nouveau/therm-ic: the temperature is off by sensor_constant, warn the user
        drm/nouveau/therm: remove some confusion introduced by therm_mode
        drm/nouveau/therm: do not make assumptions on temperature
        drm/nv40/therm: increase the sensor's settling delay to 20ms
        drm/nv40/therm: improve selection between the old and the new style
        Revert "drm/i915: try to train DP even harder"
        drm/radeon: add Richland pci ids
        drm/radeon: add support for Richland APUs
        ...
      172a271b
    • Linus Torvalds's avatar
      Merge tag 'dm-3.9-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm · 85ab3c46
      Linus Torvalds authored
      Pull device-mapper fixes from Alasdair G Kergon:
       "Fix reported data loss with discards and thin snapshots; avoid a
        deadlock observed in dm verity; fix a race in the new dm cache code
        along with some other minor bugs; store the cache policy version on
        disk to make the stored hints format future-proof."
      
      * tag 'dm-3.9-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm:
        dm cache: policy ignore hints if generated by different version
        dm cache: policy change version from string to integer set
        dm cache: fix race in writethrough implementation
        dm cache: metadata clear dirty bits on clean shutdown
        dm cache: avoid calling policy destructor twice on error
        dm cache: detect cache_create failure
        dm cache: avoid 64 bit division on 32 bit
        dm verity: avoid deadlock
        dm thin: fix non power of two discard granularity calc
        dm thin: fix discard corruption
      85ab3c46
    • Dave Airlie's avatar
      Merge branch 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel into drm-next · b56fb708
      Dave Airlie authored
      Daniel writes:
      Bunch of fixes, all pretty high-priority
      - Fix execbuf argument checking (Kees Cook)
      - Optionally obfuscate kernel addresses in dumps (Kees Cook)
      - Two patches from Takashi Iwai to fix DP link training regressions he's
        seen.
      - intel-gfx is no longer subscribers-only (well, just no longer moderated
        in an annoying way for non-subscribers), update MAINTAINERS
      - gm45 gmbus irq fallout fix (Jiri Kosina)
      
      * 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
        drm/i915: stop using GMBUS IRQs on Gen4 chips
        MAINTAINERS: intel-gfx is no longer subscribers-only
        drm/i915: Use the fixed pixel clock for eDP in intel_dp_set_m_n()
        Revert "drm/i915: try to train DP even harder"
        drm/i915: bounds check execbuffer relocation count
        drm/i915: restrict kernel address leak in debugfs
      b56fb708
    • Julia Lemire's avatar
      drm/mgag200: Bug fix: Modified pll algorithm for EH project · 260b3f12
      Julia Lemire authored
      While testing the mgag200 kms driver on the HP ProLiant Gen8, a
      bug was seen.  Once the bootloader would load the selected kernel,
      the screen would go black.  At first it was assumed that the
      mgag200 kms driver was hanging.  But after setting up the grub
      serial output, it was seen that the driver was being loaded
      properly.  After trying serval monitors, one finaly displayed
      the message "Frequency Out of Range".  By comparing the kms pll
      algorithm with the previous mgag200 xorg driver pll algorithm,
      discrepencies were found.  Once the kms pll algorithm was
      modified, the expected pll values were produced.  This fix was
      tested on several monitors of varying native resolutions.
      Signed-off-by: default avatarJulia Lemire <jlemire@matrox.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      260b3f12
  3. 20 Mar, 2013 16 commits
    • Mike Snitzer's avatar
      dm cache: policy ignore hints if generated by different version · ea2dd8c1
      Mike Snitzer authored
      When reading the dm cache metadata from disk, ignore the policy hints
      unless they were generated by the same major version number of the same
      policy module.
      
      The hints are considered to be private data belonging to the specific
      module that generated them and there is no requirement for them to make
      sense to different versions of the policy that generated them.
      Policy modules are all required to work fine if no previous hints are
      supplied (or if existing hints are lost).
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      ea2dd8c1
    • Mike Snitzer's avatar
      dm cache: policy change version from string to integer set · 4e7f506f
      Mike Snitzer authored
      Separate dm cache policy version string into 3 unsigned numbers
      corresponding to major, minor and patchlevel and store them at the end
      of the on-disk metadata so we know which version of the policy generated
      the hints in case a future version wants to use them differently.
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      4e7f506f
    • Joe Thornber's avatar
      dm cache: fix race in writethrough implementation · e2e74d61
      Joe Thornber authored
      We have found a race in the optimisation used in the dm cache
      writethrough implementation.  Currently, dm core sends the cache target
      two bios, one for the origin device and one for the cache device and
      these are processed in parallel.  This patch avoids the race by
      changing the code back to a simpler (slower) implementation which
      processes the two writes in series, one after the other, until we can
      develop a complete fix for the problem.
      
      When the cache is in writethrough mode it needs to send WRITE bios to
      both the origin and cache devices.
      
      Previously we've been implementing this by having dm core query the
      cache target on every write to find out how many copies of the bio it
      wants.  The cache will ask for two bios if the block is in the cache,
      and one otherwise.
      
      Then main problem with this is it's racey.  At the time this check is
      made the bio hasn't yet been submitted and so isn't being taken into
      account when quiescing a block for migration (promotion or demotion).
      This means a single bio may be submitted when two were needed because
      the block has since been promoted to the cache (catastrophic), or two
      bios where only one is needed (harmless).
      
      I really don't want to start entering bios into the quiescing system
      (deferred_set) in the get_num_write_bios callback.  Instead this patch
      simplifies things; only one bio is submitted by the core, this is
      first written to the origin and then the cache device in series.
      Obviously this will have a latency impact.
      
      deferred_writethrough_bios is introduced to record bios that must be
      later issued to the cache device from the worker thread.  This deferred
      submission, after the origin bio completes, is required given that we're
      in interrupt context (writethrough_endio).
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      e2e74d61
    • Joe Thornber's avatar
      dm cache: metadata clear dirty bits on clean shutdown · 79ed9caf
      Joe Thornber authored
      When writing the dirty bitset to the metadata device on a clean
      shutdown, clear the dirty bits.  Previously they were left indicating
      the cache was dirty. This led to confusion about whether there really
      was dirty data in the cache or not.  (This was a harmless bug.)
      Reported-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      79ed9caf
    • Heinz Mauelshagen's avatar
      dm cache: avoid calling policy destructor twice on error · b978440b
      Heinz Mauelshagen authored
      If the cache policy's config values are not able to be set we must
      set the policy to NULL after destroying it in create_cache_policy()
      so we don't attempt to destroy it a second time later.
      Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      b978440b
    • Heinz Mauelshagen's avatar
      dm cache: detect cache_create failure · 617a0b89
      Heinz Mauelshagen authored
      Return error if cache_create() fails.
      
      A missing return check made cache_ctr continue even after an error in
      cache_create() resulting in the cache object being destroyed.  So a
      simple failure like an odd number of cache policy config value arguments
      would result in an oops.
      Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      617a0b89
    • Joe Thornber's avatar
      dm cache: avoid 64 bit division on 32 bit · 414dd67d
      Joe Thornber authored
      Squash various 32bit link errors.
      
        >> on i386:
        >> drivers/built-in.o: In function `is_discarded_oblock':
        >> dm-cache-target.c:(.text+0x1ea28e): undefined reference to `__udivdi3'
        ...
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      414dd67d
    • Mikulas Patocka's avatar
      dm verity: avoid deadlock · 3b6b7813
      Mikulas Patocka authored
      A deadlock was found in the prefetch code in the dm verity map
      function.  This patch fixes this by transferring the prefetch
      to a worker thread and skipping it completely if kmalloc fails.
      
      If generic_make_request is called recursively, it queues the I/O
      request on the current->bio_list without making the I/O request
      and returns. The routine making the recursive call cannot wait
      for the I/O to complete.
      
      The deadlock occurs when one thread grabs the bufio_client
      mutex and waits for an I/O to complete but the I/O is queued
      on another thread's current->bio_list and is waiting to get
      the mutex held by the first thread.
      
      The fix recognises that prefetching is not essential.  If memory
      can be allocated, it queues the prefetch request to the worker thread,
      but if not, it does nothing.
      Signed-off-by: default avatarPaul Taysom <taysom@chromium.org>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Cc: stable@kernel.org
      3b6b7813
    • Joe Thornber's avatar
      dm thin: fix non power of two discard granularity calc · 58051b94
      Joe Thornber authored
      Fix a discard granularity calculation to work for non power of 2 block sizes.
      
      In order for thinp to passdown discard bios to the underlying data
      device, the data device must have a discard granularity that is a
      factor of the thinp block size.  Originally this check was done by
      using bitops since the block_size was known to be a power of two.
      
      Introduced by commit f13945d7
      ("dm thin: support a non power of 2 discard_granularity").
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      58051b94
    • Joe Thornber's avatar
      dm thin: fix discard corruption · f046f89a
      Joe Thornber authored
      Fix a bug in dm_btree_remove that could leave leaf values with incorrect
      reference counts.  The effect of this was that removal of a shared block
      could result in the space maps thinking the block was no longer used.
      More concretely, if you have a thin device and a snapshot of it, sending
      a discard to a shared region of the thin could corrupt the snapshot.
      
      Thinp uses a 2-level nested btree to store it's mappings.  This first
      level is indexed by thin device, and the second level by logical
      block.
      
      Often when we're removing an entry in this mapping tree we need to
      rebalance nodes, which can involve shadowing them, possibly creating a
      copy if the block is shared.  If we do create a copy then children of
      that node need to have their reference counts incremented.  In this
      way reference counts percolate down the tree as shared trees diverge.
      
      The rebalance functions were incrementing the children at the
      appropriate time, but they were always assuming the children were
      internal nodes.  This meant the leaf values (in our case packed
      block/flags entries) were not being incremented.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      f046f89a
    • Theodore Ts'o's avatar
      ext4: fix data=journal fast mount/umount hang · 2b405bfa
      Theodore Ts'o authored
      In data=journal mode, if we unmount the file system before a
      transaction has a chance to complete, when the journal inode is being
      evicted, we can end up calling into jbd2_log_wait_commit() for the
      last transaction, after the journalling machinery has been shut down.
      
      Arguably we should adjust ext4_should_journal_data() to return FALSE
      for the journal inode, but the only place it matters is
      ext4_evict_inode(), and so to save a bit of CPU time, and to make the
      patch much more obviously correct by inspection(tm), we'll fix it by
      explicitly not trying to waiting for a journal commit when we are
      evicting the journal inode, since it's guaranteed to never succeed in
      this case.
      
      This can be easily replicated via: 
      
           mount -t ext4 -o data=journal /dev/vdb /vdb ; umount /vdb
      
      ------------[ cut here ]------------
      WARNING: at /usr/projects/linux/ext4/fs/jbd2/journal.c:542 __jbd2_log_start_commit+0xba/0xcd()
      Hardware name: Bochs
      JBD2: bad log_start_commit: 3005630206 3005630206 0 0
      Modules linked in:
      Pid: 2909, comm: umount Not tainted 3.8.0-rc3 #1020
      Call Trace:
       [<c015c0ef>] warn_slowpath_common+0x68/0x7d
       [<c02b7e7d>] ? __jbd2_log_start_commit+0xba/0xcd
       [<c015c177>] warn_slowpath_fmt+0x2b/0x2f
       [<c02b7e7d>] __jbd2_log_start_commit+0xba/0xcd
       [<c02b8075>] jbd2_log_start_commit+0x24/0x34
       [<c0279ed5>] ext4_evict_inode+0x71/0x2e3
       [<c021f0ec>] evict+0x94/0x135
       [<c021f9aa>] iput+0x10a/0x110
       [<c02b7836>] jbd2_journal_destroy+0x190/0x1ce
       [<c0175284>] ? bit_waitqueue+0x50/0x50
       [<c028d23f>] ext4_put_super+0x52/0x294
       [<c020efe3>] generic_shutdown_super+0x48/0xb4
       [<c020f071>] kill_block_super+0x22/0x60
       [<c020f3e0>] deactivate_locked_super+0x22/0x49
       [<c020f5d6>] deactivate_super+0x30/0x33
       [<c0222795>] mntput_no_expire+0x107/0x10c
       [<c02233a7>] sys_umount+0x2cf/0x2e0
       [<c02233ca>] sys_oldumount+0x12/0x14
       [<c08096b8>] syscall_call+0x7/0xb
      ---[ end trace 6a954cc790501c1f ]---
      jbd2_log_wait_commit: error: j_commit_request=-1289337090, tid=0
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: stable@vger.kernel.org
      2b405bfa
    • Theodore Ts'o's avatar
      ext4: fix ext4_evict_inode() racing against workqueue processing code · 1ada47d9
      Theodore Ts'o authored
      Commit 84c17543 (ext4: move work from io_end to inode) triggered a
      regression when running xfstest #270 when the file system is mounted
      with dioread_nolock.
      
      The problem is that after ext4_evict_inode() calls ext4_ioend_wait(),
      this guarantees that last io_end structure has been freed, but it does
      not guarantee that the workqueue structure, which was moved into the
      inode by commit 84c17543, is actually finished.  Once
      ext4_flush_completed_IO() calls ext4_free_io_end() on CPU #1, this
      will allow ext4_ioend_wait() to return on CPU #2, at which point the
      evict_inode() codepath can race against the workqueue code on CPU #1
      accessing EXT4_I(inode)->i_unwritten_work to find the next item of
      work to do.
      
      Fix this by calling cancel_work_sync() in ext4_ioend_wait(), which
      will be renamed ext4_ioend_shutdown(), since it is only used by
      ext4_evict_inode().  Also, move the call to ext4_ioend_shutdown()
      until after truncate_inode_pages() and filemap_write_and_wait() are
      called, to make sure all dirty pages have been written back and
      flushed from the page cache first.
      
      BUG: unable to handle kernel NULL pointer dereference at   (null)
      IP: [<c01dda6a>] cwq_activate_delayed_work+0x3b/0x7e
      *pdpt = 0000000030bc3001 *pde = 0000000000000000 
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      Modules linked in:
      Pid: 6, comm: kworker/u:0 Not tainted 3.8.0-rc3-00013-g84c17543-dirty #91 Bochs Bochs
      EIP: 0060:[<c01dda6a>] EFLAGS: 00010046 CPU: 0
      EIP is at cwq_activate_delayed_work+0x3b/0x7e
      EAX: 00000000 EBX: 00000000 ECX: f505fe54 EDX: 00000000
      ESI: ed5b697c EDI: 00000006 EBP: f64b7e8c ESP: f64b7e84
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      CR0: 8005003b CR2: 00000000 CR3: 30bc2000 CR4: 000006f0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
      Process kworker/u:0 (pid: 6, ti=f64b6000 task=f64b4160 task.ti=f64b6000)
      Stack:
       f505fe00 00000006 f64b7e9c c01de3d7 f6435540 00000003 f64b7efc c01def1d
       f6435540 00000002 00000000 0000008a c16d0808 c040a10b c16d07d8 c16d08b0
       f505fe00 c16d0780 00000000 00000000 ee153df4 c1ce4a30 c17d0e30 00000000
      Call Trace:
       [<c01de3d7>] cwq_dec_nr_in_flight+0x71/0xfb
       [<c01def1d>] process_one_work+0x5d8/0x637
       [<c040a10b>] ? ext4_end_bio+0x300/0x300
       [<c01e3105>] worker_thread+0x249/0x3ef
       [<c01ea317>] kthread+0xd8/0xeb
       [<c01e2ebc>] ? manage_workers+0x4bb/0x4bb
       [<c023a370>] ? trace_hardirqs_on+0x27/0x37
       [<c0f1b4b7>] ret_from_kernel_thread+0x1b/0x28
       [<c01ea23f>] ? __init_kthread_worker+0x71/0x71
      Code: 01 83 15 ac ff 6c c1 00 31 db 89 c6 8b 00 a8 04 74 12 89 c3 30 db 83 05 b0 ff 6c c1 01 83 15 b4 ff 6c c1 00 89 f0 e8 42 ff ff ff <8b> 13 89 f0 83 05 b8 ff 6c c1
       6c c1 00 31 c9 83
      EIP: [<c01dda6a>] cwq_activate_delayed_work+0x3b/0x7e SS:ESP 0068:f64b7e84
      CR2: 0000000000000000
      ---[ end trace a1923229da53d8a4 ]---
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: Jan Kara <jack@suse.cz>
      1ada47d9
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-3.9' of git://people.freedesktop.org/~agd5f/linux into drm-next · 236f651b
      Dave Airlie authored
      Alex writes:
      "Mostly just small bug fixes.  Big change is new pci ids
      for Richland APUs."
      
      * 'drm-fixes-3.9' of git://people.freedesktop.org/~agd5f/linux:
        drm/radeon: add Richland pci ids
        drm/radeon: add support for Richland APUs
        drm/radeon/benchmark: allow same domains for dma copy
        drm/radeon/benchmark: make sure bo blit copy exists before using it
        drm/radeon: fix backend map setup on 1 RB trinity boards
        drm/radeon: fix S/R on VM systems (cayman/TN/SI)
      236f651b
    • Dave Airlie's avatar
      Merge branch 'drm-nouveau-fixes-3.9' of... · cf9a625f
      Dave Airlie authored
      Merge branch 'drm-nouveau-fixes-3.9' of git://anongit.freedesktop.org/git/nouveau/linux-2.6 into drm-next
      
      Lots of thermal fixes and fix a lockdep warning we've been seeing.
      
      * 'drm-nouveau-fixes-3.9' of git://anongit.freedesktop.org/git/nouveau/linux-2.6:
        drm/nv50/kms: prevent lockdep false-positive in page flipping path
        drm/nouveau/core: fix return value of nouveau_object_del()
        drm/nouveau/hwmon: do not expose a buggy temperature if it is unavailable
        drm/nouveau/therm: display the availability of the internal sensor
        drm/nouveau/therm: disable temperature management if the sensor isn't readable
        drm/nouveau/therm: disable auto fan management if temperature is not available
        drm/nv40/therm: reserve negative temperatures for errors
        drm/nv40/therm: disable temperature reading if the bios misses some parameters
        drm/nouveau/therm-ic: the temperature is off by sensor_constant, warn the user
        drm/nouveau/therm: remove some confusion introduced by therm_mode
        drm/nouveau/therm: do not make assumptions on temperature
        drm/nv40/therm: increase the sensor's settling delay to 20ms
        drm/nv40/therm: improve selection between the old and the new style
      cf9a625f
    • Linus Torvalds's avatar
      Merge tag 'vfio-v3.9-rc4' of git://github.com/awilliam/linux-vfio · 2ffdd7e2
      Linus Torvalds authored
      Pull vfio fix from Alex Williamson.
      
      * tag 'vfio-v3.9-rc4' of git://github.com/awilliam/linux-vfio:
        vfio: include <linux/slab.h> for kmalloc
      2ffdd7e2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/virt/kvm/kvm · ea4a0ce1
      Linus Torvalds authored
      Pull kvm fixes from Marcelo Tosatti.
      
      * git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
        KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
        KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
        KVM: x86: fix deadlock in clock-in-progress request handling
        KVM: allow host header to be included even for !CONFIG_KVM
      ea4a0ce1
  4. 19 Mar, 2013 10 commits
    • Jiri Kosina's avatar
      drm/i915: stop using GMBUS IRQs on Gen4 chips · c12aba5a
      Jiri Kosina authored
      Commit 28c70f16 ("drm/i915: use the gmbus irq for waits") switched to
      using GMBUS irqs instead of GPIO bit-banging for chipset generations 4
      and above.
      
      It turns out though that on many systems this leads to spurious interrupts
      being generated, long after the register write to disable the IRQs has been
      issued.
      
      Typically this results in the spurious interrupt source getting
      disabled:
      
      [    9.636345] irq 16: nobody cared (try booting with the "irqpoll" option)
      [    9.637915] Pid: 4157, comm: ifup Tainted: GF            3.9.0-rc2-00341-g08637024 #422
      [    9.639484] Call Trace:
      [    9.640731]  <IRQ>  [<ffffffff8109b40d>] __report_bad_irq+0x1d/0xc7
      [    9.640731]  [<ffffffff8109b7db>] note_interrupt+0x15b/0x1e8
      [    9.640731]  [<ffffffff810999f7>] handle_irq_event_percpu+0x1bf/0x214
      [    9.640731]  [<ffffffff81099a88>] handle_irq_event+0x3c/0x5c
      [    9.640731]  [<ffffffff8109c139>] handle_fasteoi_irq+0x7a/0xb0
      [    9.640731]  [<ffffffff8100400e>] handle_irq+0x1a/0x24
      [    9.640731]  [<ffffffff81003d17>] do_IRQ+0x48/0xaf
      [    9.640731]  [<ffffffff8142f1ea>] common_interrupt+0x6a/0x6a
      [    9.640731]  <EOI>  [<ffffffff8142f952>] ? system_call_fastpath+0x16/0x1b
      [    9.640731] handlers:
      [    9.640731] [<ffffffffa000d771>] usb_hcd_irq [usbcore]
      [    9.640731] [<ffffffffa0306189>] yenta_interrupt [yenta_socket]
      [    9.640731] Disabling IRQ #16
      
      The really curious thing is now that irq 16 is _not_ the interrupt for
      the i915 driver when using MSI, but it _is_ the interrupt when not
      using MSI. So by all indications it seems like gmbus is able to
      generate a legacy (shared) interrupt in MSI mode on some
      configurations. I've tried to reproduce this and the differentiating
      thing seems to be that on unaffected systems no other device uses irq
      16 (which seems to be the non-MSI intel gfx interrupt on all gm45).
      
      I have no idea how that even can happen.
      
      To avoid tempting this elephant into a rage, just disable gmbus
      interrupt support on gen 4.
      
      v2: Improve the commit message with exact details of what's going on.
      Also add a comment in the code to warn against this particular
      elephant in the room.
      
      v3: Move the comment explaing how gen4 blows up next to the definition
      of HAS_GMBUS_IRQ to keep the code-flow straight. Suggested by Chris
      Wilson.
      
      Signed-off-by: Jiri Kosina <jkosina@suse.cz> (v1)
      Acked-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      References: https://lkml.org/lkml/2013/3/8/325Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      c12aba5a
    • Linus Torvalds's avatar
      Merge tag 'for-linus-v3.9-rc4' of git://oss.sgi.com/xfs/xfs · 10b38669
      Linus Torvalds authored
      Pull XFS fixes from Ben Myers:
      
       - Fix for a potential infinite loop which was introduced in commit
         4d559a3b ("xfs: limit speculative prealloc near ENOSPC
         thresholds")
      
       - Fix for the return type of xfs_iomap_eof_prealloc_initial_size from
         commit a1e16c26 ("xfs: limit speculative prealloc size on sparse
         files")
      
       - Fix for a failed buffer readahead causing subsequent callers to fail
         incorrectly
      
      * tag 'for-linus-v3.9-rc4' of git://oss.sgi.com/xfs/xfs:
        xfs: ensure we capture IO errors correctly
        xfs: fix xfs_iomap_eof_prealloc_initial_size type
        xfs: fix potential infinite loop in xfs_iomap_prealloc_size()
      10b38669
    • Matthew Garrett's avatar
      PCI: Use ROM images from firmware only if no other ROM source available · 547b5246
      Matthew Garrett authored
      Mantas Mikulėnas reported that his graphics hardware failed to
      initialise after commit f9a37be0 ("x86: Use PCI setup data").
      
      The aim of this commit was to ensure that ROM images were available on
      some Apple systems that don't expose the GPU ROM via any other source.
      In this case, UEFI appears to have provided a broken ROM image that we
      were using even though there was a perfectly valid ROM available via
      other sources.  The simplest way to handle this seems to be to just
      re-order pci_map_rom() and leave any firmare-supplied ROM to last.
      Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
      Tested-by: default avatarMantas Mikulėnas <grawity@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      547b5246
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 5c7c3361
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Just some minor fixups, a sunsu console setup panic cure, and
        recognition of a Fujitsu sun4v cpu."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: remove unused "config BITS"
        sparc: delete "if !ULTRA_HAS_POPULATION_COUNT"
        sparc64: correctly recognize SPARC64-X chips
        sparc,leon: fix GRPCI2 device0 PCI config space access
        sunsu: Fix panic in case of nonexistent port at "console=ttySY" cmdline option
      5c7c3361
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64 · e7489622
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Fix !SMP build error.
      
       - Fix padding computation in struct ucontext (no ABI change).
      
       - Minor clean-up after the signal patches (unused var).
      
       - Two old Kconfig options clean-up.
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
        arm64: Kconfig.debug: Remove unused CONFIG_DEBUG_ERRORS
        arm64: Do not select GENERIC_HARDIRQS_NO_DEPRECATED
        arm64: fix padding computation in struct ucontext
        arm64: Fix build error with !SMP
        arm64: Removed unused variable in compat_setup_rt_frame()
      e7489622
    • Paul Bolle's avatar
      sparc: remove unused "config BITS" · f58b20bd
      Paul Bolle authored
      sparc's asm/module.h got removed in commit
      786d35d4 ("Make most arch asm/module.h
      files use asm-generic/module.h"). That removed the only two uses of this
      Kconfig symbol. So we can remove its entry too.
      
      > >From arch/sparc/Makefile:
      >     ifeq ($(CONFIG_SPARC32),y)
      >     [...]
      >
      >     [...]
      >     export BITS    := 32
      >     [...]
      >
      >     else
      >     [...]
      >
      >     [...]
      >     export BITS   := 64
      >     [...]
      >
      > So $(BITS) is set depending on whether CONFIG_SPARC32 is set or not.
      > Using $(BITS) in sparc's Makefiles is not using CONFIG_BITS. That
      > doesn't count as usage of "config BITS".
      Signed-off-by: default avatarPaul Bolle <pebolle@tiscali.nl>
      Acked-by: default avatarSam Ravnborg <sam@ravnborg.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f58b20bd
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 7b1b3fd7
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix ARM BPF JIT handling of negative 'k' values, from Chen Gang.
      
       2) Insufficient space reserved for bridge netlink values, fix from
          Stephen Hemminger.
      
       3) Some dst_neigh_lookup*() callers don't interpret error pointer
          correctly, fix from Zhouyi Zhou.
      
       4) Fix transport match in SCTP active_path loops, from Xugeng Zhang.
      
       5) Fix qeth driver handling of multi-order SKB frags, from Frank
          Blaschka.
      
       6) fec driver is missing napi_disable() call, resulting in crashes on
          unload, from Georg Hofmann.
      
       7) Don't try to handle PMTU events on a listening socket, fix from Eric
          Dumazet.
      
       8) Fix timestamp location calculations in IP option processing, from
          David Ward.
      
       9) FIB_TABLE_HASHSZ setting is not controlled by the correct kconfig
          tests, from Denis V Lunev.
      
      10) Fix TX descriptor push handling in SFC driver, from Ben Hutchings.
      
      11) Fix isdn/hisax and tulip/de4x5 kconfig dependencies, from Arnd
          Bergmann.
      
      12) bnx2x statistics don't handle 4GB rollover correctly, fix from
          Maciej Żenczykowski.
      
      13) Openvswitch bug fixes for vport del/new error reporting, missing
          genlmsg_end() call in netlink processing, and mis-parsing of
          LLC/SNAP ethernet types.  From Rich Lane.
      
      14) SKB pfmemalloc state should only be propagated from the head page of
          a compound page, fix from Pavel Emelyanov.
      
      15) Fix link handling in tg3 driver for 5715 chips when autonegotation
          is disabled.  From Nithin Sujir.
      
      16) Fix inverted test of cpdma_check_free_tx_desc return value in
          davinci_emac driver, from Mugunthan V N.
      
      17) vlan_depth is incorrectly calculated in skb_network_protocol(), from
          Li RongQing.
      
      18) Fix probing of Gobi 1K devices in qmi_wwan driver, and fix NCM
          device mode backwards compat in cdc_ncm driver.  From Bjørn Mork.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (52 commits)
        inet: limit length of fragment queue hash table bucket lists
        qeth: Fix scatter-gather regression
        qeth: Fix invalid router settings handling
        qeth: delay feature trace
        tcp: dont handle MTU reduction on LISTEN socket
        bnx2x: fix occasional statistics off-by-4GB error
        vhost/net: fix heads usage of ubuf_info
        bridge: Add support for setting BR_ROOT_BLOCK flag.
        bnx2x: add missing napi deletion in error path
        drivers: net: ethernet: ti: davinci_emac: fix usage of cpdma_check_free_tx_desc()
        ethernet/tulip: DE4x5 needs VIRT_TO_BUS
        isdn: hisax: netjet requires VIRT_TO_BUS
        net: cdc_ncm, cdc_mbim: allow user to prefer NCM for backwards compatibility
        rtnetlink: Mask the rta_type when range checking
        Revert "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally"
        Fix dst_neigh_lookup/dst_neigh_lookup_skb return value handling bug
        smsc75xx: configuration help incorrectly mentions smsc95xx
        net: fec: fix missing napi_disable call
        net: fec: restart the FEC when PHY speed changes
        skb: Propagate pfmemalloc on skb from head page only
        ...
      7b1b3fd7
    • Paul Bolle's avatar
      sparc: delete "if !ULTRA_HAS_POPULATION_COUNT" · e0b20296
      Paul Bolle authored
      Commit 2d78d4be ("[PATCH] bitops:
      sparc64: use generic bitops") made the default of GENERIC_HWEIGHT depend
      on !ULTRA_HAS_POPULATION_COUNT. But since there's no Kconfig symbol with
      that name, this always evaluates to true. Delete this dependency.
      Signed-off-by: default avatarPaul Bolle <pebolle@tiscali.nl>
      Acked-by: default avatarSam Ravnborg <sam@ravnborg.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0b20296
    • Andy Honig's avatar
      KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) · a2c118bf
      Andy Honig authored
      If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
      that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
      that request.  ioapic_read_indirect contains an
      ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
      non-debug builds.  In recent kernels this allows a guest to cause a kernel
      oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
      guest to read from large ranges of host memory.
      
      Tested: tested against apic unit tests.
      Signed-off-by: default avatarAndrew Honig <ahonig@google.com>
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      a2c118bf
    • Andy Honig's avatar
      KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) · 0b79459b
      Andy Honig authored
      There is a potential use after free issue with the handling of
      MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
      memory such as frame buffers then KVM might continue to write to that
      address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
      the page in memory so it's unlikely to cause an issue, but if the user
      space component re-purposes the memory previously used for the guest, then
      the guest will be able to corrupt that memory.
      
      Tested: Tested against kvmclock unit test
      Signed-off-by: default avatarAndrew Honig <ahonig@google.com>
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      0b79459b