Randy Dunlap [Thu, 11 Oct 2012 16:34:11 +0000 (09:34 -0700)]
staging: ramster: depends on NET
ramster uses network interfaces that are only present when
CONFIG_NET is enabled, so it should depend on NET.
Fixes these build errors:
drivers/built-in.o: In function `sc_kref_release':
tcp.c:(.text+0x24b9af): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_open_listening_sock':
tcp.c:(.text+0x24ca2b): undefined reference to `sock_create'
tcp.c:(.text+0x24cb91): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_recv_tcp_msg':
tcp.c:(.text+0x24cdbd): undefined reference to `sock_recvmsg'
drivers/built-in.o: In function `r2net_send_tcp_msg':
tcp.c:(.text+0x24d341): undefined reference to `sock_sendmsg'
drivers/built-in.o: In function `r2net_start_connect':
tcp.c:(.text+0x24d8fa): undefined reference to `sock_create'
drivers/built-in.o: In function `r2net_shutdown_sc':
tcp.c:(.text+0x24e30c): undefined reference to `kernel_sock_shutdown'
drivers/built-in.o: In function `r2net_accept_one':
tcp.c:(.text+0x24f392): undefined reference to `sock_create_lite'
tcp.c:(.text+0x24f3c3): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_stop_listening':
(.text+0x250f63): undefined reference to `sock_release'
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Cc: konrad.wilk@oracle.com Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: omapdrm: fix allocation size for page addresses array
Signed-off-by: Rob Clark <rob@ti.com> Signed-off-by: Vincent Penquerc'h <vincent.penquerch@collabora.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lukas Czerner [Mon, 22 Oct 2012 22:01:19 +0000 (18:01 -0400)]
ext4: Avoid underflow in ext4_trim_fs()
Currently if len argument in ext4_trim_fs() is smaller than one block,
the 'end' variable underflow. Avoid that by returning EINVAL if len is
smaller than file system block.
Nitin Gupta [Thu, 11 Oct 2012 00:42:18 +0000 (17:42 -0700)]
staging: zram: Fix handling of incompressible pages
Change 130f315a (staging: zram: remove special handle of uncompressed page)
introduced a bug in the handling of incompressible pages which resulted in
memory allocation failure for such pages.
When a page expands on compression, say from 4K to 4K+30, we were trying to
do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can
allocate is PAGE_SIZE (for obvious reasons), so such allocation requests
always return failure (0).
For a page that has compressed size larger than the original size (this may
happen with already compressed or random data), there is no point storing
the compressed version as that would take more space and would also require
time for decompression when needed again. So, the fix is to store any page,
whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e.
without compression. Memory required for storing this uncompressed page can
then be requested from zsmalloc which supports PAGE_SIZE sized allocations.
Lastly, the fix checks that we do not attempt to "decompress" the page which
we stored in the uncompressed form -- we just memcpy() out such pages.
Arve Hjønnevåg [Tue, 16 Oct 2012 22:29:55 +0000 (15:29 -0700)]
Staging: android: binder: Allow using highmem for binder buffers
The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.
Eric Dumazet [Mon, 22 Oct 2012 09:03:40 +0000 (09:03 +0000)]
net: fix secpath kmemleak
Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
and tracked the faulty commit to a1c7fff7e18f59e ("net:
netdev_alloc_skb() use build_skb()")
While this commit seems fine, it uncovered a bug introduced
in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function
kfree_skb_partial()"):
If head is stolen, we free the sk_buff,
without removing references on secpath (skb->sp).
So IPsec + IP defrag/reassembly (using skb coalescing), or
TCP coalescing could leak secpath objects.
Fix this bug by calling skb_release_head_state(skb) to properly
release all possible references to linked objects.
Reported-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Bisected-by: Mike Kazantsev <mk.fraggod@gmail.com> Tested-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Jin [Sun, 21 Oct 2012 14:40:36 +0000 (14:40 +0000)]
qla3xxx: Ensure request/response queue addr writes to the registers
Before use the request and response queue addr, make sure it has wrote
to the registers.
Signed-off-by: Joe Jin <joe.jin@oracle.com> Cc: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Cc: Ron Mercer <ron.mercer@qlogic.com> Acked-by: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yuchung Cheng [Fri, 19 Oct 2012 15:14:44 +0000 (15:14 +0000)]
tcp: add SYN/data info to TCP_INFO
Add a bit TCPI_OPT_SYN_DATA (32) to the socket option TCP_INFO:tcpi_options.
It's set if the data in SYN (sent or received) is acked by SYN-ACK. Server or
client application can use this information to check Fast Open success rate.
Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ian Abbott [Wed, 3 Oct 2012 15:25:21 +0000 (16:25 +0100)]
staging: comedi: ni_labpc: fix possible NULL deref during detach
`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error. It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null. This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`. This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:20 +0000 (16:25 +0100)]
staging: comedi: das08: fix possible NULL deref during detach
`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:19 +0000 (16:25 +0100)]
staging: comedi: amplc_pc263: fix possible NULL deref during detach
`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`. This is okay because no other resources need cleaning up in
this case.
Ian Abbott [Wed, 3 Oct 2012 15:25:18 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix possible NULL deref during detach
`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:17 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix invalid register access during detach
`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed. `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null. This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.
Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed. It also implies the
comedi device private data pointer is valid, so there is no need to
check it.
Ian Abbott [Wed, 3 Oct 2012 15:25:16 +0000 (16:25 +0100)]
staging: comedi: amplc_dio200: fix possible NULL deref during detach
`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error. It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.
Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`. This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:15 +0000 (16:25 +0100)]
staging: comedi: 8255_pci: fix possible NULL deref during detach
`pci_8255_detach()` will be called by the comedi core if
`pci_8255_attach_pci()` returns an error. It currently assumes that
both `board` (assigned from the return value of `comedi_board(dev)`) and
`devpriv` (assigned from `dev->private`) are non-null, but they might
be null, leading to a null pointer dereference.
`pci_8255_detach()` doesn't need to do anything if either `board` or
`devpriv` are null, so just return early in this case.
Fred Brooks [Tue, 2 Oct 2012 10:10:26 +0000 (11:10 +0100)]
staging: comedi: ni_daq_700: fix dio subdevice regression
Here is a small patch to fix a problem caused by a previous patch that
removed the callback function. The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a
I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.
Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).
Cc: <stable@vger.kernel.org> # 3.6.x Signed-off-by: Fred Brooks <nsaspook@nsaspook.com> Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb hub: send clear_tt_buffer_complete events when canceling TT clear work
There is a race condition in the USB hub code with regard to handling
TT clear requests that can get the HCD driver in a deadlock. Usually
when an TT clear request is scheduled it will be executed immediately:
<7>[ 6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 6.078299] hub_tt_work:731
<7>[ 9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
<7>[ 9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
<7>[ 9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
<7>[ 9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
<7>[ 10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 10.116537] hub_tt_work:731
However, if a suspend operation is triggered before hub_tt_work is
scheduled, hub_quiesce will cancel the work without notifying the HCD
driver:
<3>[ 35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
<5>[ 35.034022] sd 0:0:0:0: [sda] Stopping disk
<7>[ 35.034039] hub 2-1:1.0: hub_suspend
<7>[ 35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
<7>[ 35.035085] hub 1-0:1.0: hub_suspend
<7>[ 35.035102] usb usb1: bus suspend, wakeup 0
<7>[ 35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
<7>[ 35.035298] hub 2-0:1.0: hub_suspend
<7>[ 35.035313] usb usb2: bus suspend, wakeup 0
<7>[ 35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
<6>[ 35.250017] PM: suspend of devices complete after 216.979 msecs
<6>[ 35.250822] PM: late suspend of devices complete after 0.799 msecs
<7>[ 35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
<7>[ 35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
<7>[ 35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
<7>[ 35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
<6>[ 35.274254] PM: noirq suspend of devices complete after 23.442 msecs
<6>[ 35.274975] ACPI: Preparing to enter system sleep state S3
<6>[ 35.292666] PM: Saving platform NVS memory
<7>[ 35.295030] Disabling non-boot CPUs ...
<6>[ 35.297351] CPU 1 is now offline
<6>[ 35.300345] CPU 2 is now offline
<6>[ 35.303929] CPU 3 is now offline
<7>[ 35.303931] lockdep: fixing up alternatives.
<6>[ 35.304825] Extended CMOS year: 2000
When the device will resume the EHCI driver will get stuck in
ehci_endpoint_disable waiting for the tt_clearing flag to reset:
This patch changes hub_quiesce behavior to flush the TT clear work
instead of canceling it, to make sure that no TT clear request remains
uncompleted before suspend.
Eric Dumazet [Sun, 21 Oct 2012 20:12:09 +0000 (20:12 +0000)]
ipv4: 16 slots in initial fib_info hash table
A small host typically needs ~10 fib_info structures, so create initial
hash table with 16 slots instead of only one. This removes potential
false sharing and reallocs/rehashes (1->2->4->8->16)
Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sun, 21 Oct 2012 19:57:11 +0000 (19:57 +0000)]
tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation
RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]
All TCP stacks MAY implement the following mitigation. TCP stacks
that implement this mitigation MUST add an additional input check to
any incoming segment. The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back.
Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward
declaration.
Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Jerry Chu <hkchu@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ming Lei [Tue, 9 Oct 2012 04:01:04 +0000 (12:01 +0800)]
firmware loader: sync firmware cache by async_synchronize_full_domain
async.c has provided synchronization mechanism on async_schedule_*,
so use async_synchronize_full_domain to sync caching firmware instead
of reinventing the wheel.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:03 +0000 (12:01 +0800)]
firmware loader: let direct loading back on 'firmware_buf'
Firstly 'firmware_buf' is introduced to make all loading requests
to share one firmware kernel buffer, so firmware_buf should
be used in direct loading for saving memory and speedup firmware
loading.
introduces direct loading for fixing udev regression, but it
bypasses the firmware cache meachnism, so this patch enables
caching firmware for direct loading case since it is still needed
to solve drivers' dependency during system resume.
Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:02 +0000 (12:01 +0800)]
firmware loader: fix one reqeust_firmware race
Several loading requests may be pending on one same
firmware buf, and this patch moves fw_map_pages_buf()
before complete_all(&fw_buf->completion) and let all
requests see the mapped 'buf->data' once the loading
is completed.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:01 +0000 (12:01 +0800)]
firmware loader: cancel uncache work before caching firmware
Under 'Opportunistic sleep' situation, system sleep might be
triggered very frequently, so the uncahce work may not be completed
before caching firmware during next suspend.
This patch cancels the uncache work before caching firmware to
fix the problem above.
Also this patch optimizes the cacheing firmware mechanism a bit by
only storing one firmware cache entry for one firmware image.
So if the firmware is still cached during suspend, it doesn't need
to be loaded from user space any more.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>