466e69b8b03b8c1987367912782bc12988ad8794 dropped busmaster enable from the
global drm code and moved it to the individual drivers, but missed the savage
driver. So, this re-adds busmaster enable to the savage driver, fixing the
regression.
Signed-off-by: Florian Zumbiehl <florz@florz.de> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>
Dave Airlie [Wed, 3 Oct 2012 00:32:58 +0000 (10:32 +1000)]
Merge branch 'drm-next-3.7' of git://people.freedesktop.org/~agd5f/linux into drm-next
Alex writes:
"The big changes for 3.7 include:
- Asynchronous VM page table updates for Cayman/SI
- 2 level VM page table support. Saves memory compared to 1 level
page tables.
- Reworked PLL handing in the display code allows lots more
combinations of monitors to work, including more than two
DP displays assuming compatible clocks across shared PLLs.
This also allows us to power down extra PLLs when we can
share a single one across multiple displays which saves power.
- Native backlight control on ATOMBIOS systems.
- Improved ACPI support for interacting with the GPU. Fixes
backlight control on some laptops.
- Document AMD ACPI interfaces
- Lots of code cleanup
- Bug fixes"
* 'drm-next-3.7' of git://people.freedesktop.org/~agd5f/linux: (79 commits)
drm/radeon: add vm set_page() callback for SI
drm/radeon: rework the vm_flush interface
drm/radeon: use WRITE_DATA packets for vm flush on SI
drm/radeon/pm: fix multi-head profile handling on BTC+ (v2)
drm/radeon: fix radeon power state debug output
drm/radeon: force MSIs on RS690 asics
drm/radeon: Add MSI quirk for gateway RS690
drm/radeon: allow MIP_ADDRESS=0 for MSAA textures on Evergreen
drm/radeon/kms: allow STRMOUT_BASE_UPDATE on RS780 and RS880
drm/radeon: add 2-level VM pagetables support v9
drm/radeon: refactor set_page chipset interface v5
drm/radeon: Fix scratch register leak in IB test.
drm/radeon: restore backlight level on resume
drm/radeon: add get_backlight_level callback
drm/radeon: only adjust default clocks on NI GPUs
drm/radeon: validate PPLL in crtc fixup
drm/radeon: work around KMS modeset limitations in PLL allocation (v2)
drm/radeon: make non-DP PPLL sharing more robust
drm/radeon: store the encoder in the radeon_crtc
drm/radeon: rework crtc pll setup to better support PPLL sharing
...
Rob Clark [Thu, 13 Sep 2012 03:34:08 +0000 (03:34 +0000)]
drm: change ioctl permissions
Previously read-only KMS ioctls had some somewhat inconsistent settings
regarding whether mastership was required. For example, GETRESOURCES
did not require master, but GETPLANERESOURCES, GETPROPERTY, etc. did.
At least for debugging, it is nice to be able to use modetest to dump
property values while another process is master, and there seems to
be no harm in allowing read-only access to the KMS state to other
processes.
Signed-off-by: Rob Clark <rob@ti.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Rob Clark [Tue, 4 Sep 2012 16:35:56 +0000 (16:35 +0000)]
drm: support for rotated scanout
For drivers that can support rotated scanout, the extra parameter
checking in drm-core, while nice, tends to get confused. To solve
this drivers can set the crtc or plane invert_dimensions field so
that the dimension checking takes into account the rotation that
the driver is performing.
v1: original
v2: remove invert_dimensions from plane, at Ville's suggestion.
Userspace can give rotated src coordinates, so invert_dimensions
is not required for planes.
Signed-off-by: Rob Clark <rob@ti.com> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Rob Clark [Wed, 5 Sep 2012 21:48:38 +0000 (21:48 +0000)]
drm: refcnt drm_framebuffer (v4.1)
This simplifies drm fb lifetime, and if the crtc/plane needs to hold
a ref to the fb when disabling a pipe until the next vblank, this
avoids the need to make disabling an overlay synchronous. This is a
problem that shows up when userspace is using a drm plane to
implement a hw cursor.. making overlay disable synchronous causes
a performance problem when x11 is rapidly enabling/disabling the
hw cursor. But not making it synchronous opens up a race condition
for crashing if userspace turns around and immediately deletes the
fb. Refcnt'ing the fb makes it possible to solve this problem.
v1: original
v2: add drm_framebuffer_remove() which is called in all paths where
fb->funcs->destroy() was directly called before. This cleans
up the CRTCs/planes that the fb was attached to. You should
only directly use drm_framebuffer_unreference() if you are also
using drm_framebuffer_reference() to keep a ref to the fb.
v3: add comment explaining the fb refcount
v4: remove duplicate 'list_del(&fb->filp_head)'
[airlied: v4.1: fix local rejection]
Signed-off-by: Rob Clark <rob@ti.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
@unchanged exists@
position r.p1,r.p2;
expression e <= r.x,x,e1;
iterator I;
statement S;
@@
if (x@p1 == NULL) { ... when != I(x,...) S
when != e = e1
when != e += e1
when != e -= e1
when != ++e
when != --e
when != e++
when != e--
when != &e
kfree@p2(x); ... return ...; }
@ok depends on unchanged exists@
position any r.p1;
position r.p2;
expression x;
@@
... when != true x@p1 == NULL
kfree@p2(x);
@depends on !ok && unchanged@
position r.p2;
expression x;
@@
*kfree@p2(x);
// </smpl>
Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Chris Wilson [Mon, 17 Sep 2012 09:38:03 +0000 (09:38 +0000)]
drm: Destroy the planes prior to destroying the associated CRTC
As during the plane cleanup, we wish to disable the hardware and
so may modify state on the associated CRTC, that CRTC must continue to
exist until we are finished.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=54101 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Jesse Barnes <jbarnes@virtuousgeek.org> Cc: stable@vger.kernel.org Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org> Tested-by: lu hua <huax.lu@intel.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
drm/udl: Add missing static storage class specifiers in udl_fb.c
Fixes the following sparse warnings:
drivers/gpu/drm/udl/udl_fb.c:360:6: warning:
symbol 'udl_crtc_fb_gamma_set' was not declared. Should it be static?
drivers/gpu/drm/udl/udl_fb.c:365:6: warning:
symbol 'udl_crtc_fb_gamma_get' was not declared. Should it be static?
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
Fixes the following sparse warnings:
drivers/gpu/drm/udl/udl_transfer.c:129:50:
drivers/gpu/drm/udl/udl_transfer.c:130:50:
drivers/gpu/drm/udl/udl_transfer.c:131:45:
drivers/gpu/drm/udl/udl_transfer.c:132:61:
warning: Using plain integer as NULL pointer
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
Dave Airlie [Mon, 1 Oct 2012 23:19:32 +0000 (09:19 +1000)]
Merge branch 'for-airlied' of git://people.freedesktop.org/~danvet/drm-intel into drm-next
Last pile of stuff for 3.7, essentially just a bunch of bigger fixes and a
few less intrusive features:
- cpu freq interface in sysfs from Ben
- cpu edp fixes and some related cleanups
- write-combining ptes for pre-gen6 (Chris)
- basic CADL support (Peter Wu), this fixes quite a few issues with
backlights ...
- rework of the gem backing pages handling (preps for stolen mem handling)
from Chris
- some more cleanup-fallout from the modeset-rework
On top of that I've done a backmerge of -rc7(since the conflicts got too
messy and I've pushed out broken merged trees too often). I've also
included 3 fixes on top of what QA beat on:
- Fix for a infoframe handling regression in 3.5 - infoframe blows up too
often and 3.6 is pretty much done, so I'd like to merge that through
-next and the stable process and give it more exposure before it lands
in a stable tree.
- ioctl cosmetics^Wspelling fix in the structs (userspace won't be
affected, since all existing userspace uses private copies of the ioctl
struct definitions, and the struct layout itself is abi compatible).
- Bugfix for a regression introduced in this pull's testing cycle.
* 'for-airlied' of git://people.freedesktop.org/~danvet/drm-intel: (695 commits)
drm/i915: Wrap external callers to IPS state with appropriate locks
drm/i915: s/cacheing/caching/
drm/i915: make sure we write all the DIP data bytes
drm/i915: BUG() on unexpected HDMI register
...
Marek Olšák [Tue, 25 Sep 2012 01:34:01 +0000 (03:34 +0200)]
drm/radeon: allow MIP_ADDRESS=0 for MSAA textures on Evergreen
MIP_ADDRESS should point to the resolved FMASK for an MSAA texture.
Setting MIP_ADDRESS to 0 means the FMASK pointer is invalid (the GPU
won't read the memory then).
The userspace has to set MIP_ADDRESS to 0 and *not* emit any relocation
for it.
Signed-off-by: Marek Olšák <maraeo@gmail.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org
PDE/PTE update code uses CP ring for memory writes.
All page table entries are preallocated for now in alloc_pt().
It is made as whole because it's hard to divide it to several patches
that compile and doesn't break anything being applied separately.
Tested on cayman card.
v2: rebased on top of "refactor set_page chipset interface v3",
code cleanups
v3: switched offsets calc macros to inline funcs where possible,
remove pd_addr from radeon_vm, switched RADEON_BLOCK_SIZE define,
to 9 (and PTE_COUNT to 1 << BLOCK_SIZE)
v4 (ck): move "incr" documentation to previous patch, cleanup and
document RADEON_VM_* constants, change commit message to
our usual format, simplify patch allot by removing
everything current not necessary, disable SI workaround.
v5: (agd5f): Fix typo in tables_size calculation in
radeon_vm_alloc_pt(). Second line should have been
'+=' rather than '='.
v6: fix npdes calculation. In scenario when pfns to be mapped overlap
two PDE spans:
the following npdes calculation gives incorrect result:
npdes = (nptes >> RADEON_VM_BLOCK_SIZE) + 1;
For the case above picture it should give npdes = 2, but gives one.
This patch corrects it by rounding last pfn up to 512 border,
first - down to 512 border and then subtracting and dividing by 512.
v7: Make npde calculation clearer, fix ndw calculation.
v8: (agd5f): reserve enough for 2 full VM PTs, add some
additional comments.
v9: fix typo in npde calculation
Signed-off-by: Dmitry Cherkasov <Dmitrii.Cherkasov@amd.com> Signed-off-by: Christian König <deathsimple@vodafone.de> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cleanup the interface in preparation for hierarchical page tables.
v2: add incr parameter to set_page for simple scattered PTs uptates
added PDE-specific flags to r600_flags and radeon_drm.h
removed superfluous value masking with 0xffffffff
v3: removed superfluous bo_va->valid checking
changed R600_PTE_VALID to R600_ENTRY_VALID to handle PDE too
v4 (ck): fix indention style, rework and fix typos in commit message,
add documentation for incr parameter, also use incr
parameter for system pages
v5 (agd5f): use upper_32_bits() and minor white space fixes
Signed-off-by: Christian König <deathsimple@vodafone.de> Signed-off-by: Dmitry Cherkassov <Dmitrii.Cherkasov@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Michel Dänzer [Thu, 20 Sep 2012 08:31:10 +0000 (10:31 +0200)]
drm/radeon: Fix scratch register leak in IB test.
Restructure the code to jump out via labels instead of directly returning
early. Also make error reporting consistent across all hardware generations.
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> Reviewed-by: Simon Kitching <skitching@vonos.net> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Alex Deucher [Fri, 14 Sep 2012 13:45:50 +0000 (09:45 -0400)]
drm/radeon: restore backlight level on resume
Restore the backlight level on resume. Some systems
need to explicitly restore the backlight level on
resume.
Fixes panel resume on my Trinity laptop and may fix the
following bugs:
https://bugs.freedesktop.org/show_bug.cgi?id=43829
https://bugzilla.kernel.org/show_bug.cgi?id=46241
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Alex Deucher [Mon, 17 Sep 2012 21:34:45 +0000 (17:34 -0400)]
drm/radeon: work around KMS modeset limitations in PLL allocation (v2)
Since the current KMS API sets the mode independantly on
each crtc, we may end up with resource conflicts. The PLL
allocation is one of those cases. In the following example
we have 3 crtcs in use driving 2 DVI connectors and 1 DP
connector. On the initial kernel modeset for fbdev, the
display topology ends up as follows:
crtc0 -> DP-0
crtc1 -> DVI-0
crtc2 -> DVI-1
Because this is the first modeset, all of the PLLs are
available as none have been assigned. So we end up with
the following:
However, since the KMS API is per crtc, we set the mode on each
crtc independantly. When it comes time to set the mode on crtc0,
the topology for crtc1 and crtc2 are still intact. crtc1 and
crtc2 are already assigned PPLL2 and PPLL1 so when it comes time
to set the mode on crtc0, crtc1 and crtc2 have not been torn down
yet, so there appears to be no PLLs available. In reality, we
are reconfiguring the entire display topology, however, since
each crtc is handled independantly, we don't know that in the
driver at each crtc mode set time.
This patch checks to see if the same connector is being driven by
another crtc, and if so, uses the PLL already associated with it.
v2: store connector in the radeon crtc struct, simplify checking.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
The core functions were annotated with their locking requirements, but
we overlooked that they were exported, without any control over the
locking, to debugfs. So in order to enable debugfs to read the registers
without triggering sanity checks, we change the exported entry points to
properly take the required locks before calling the core routines.
Reported-by: yangguang <guang.a.yang@intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=55304 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Paulo Zanoni [Tue, 25 Sep 2012 16:23:34 +0000 (13:23 -0300)]
drm/i915: make sure we write all the DIP data bytes
... even if the actual infoframe is smaller than the maximum possible
size.
If we don't write all the 32 DIP data bytes the InfoFrame ECC may not
be correctly calculated in some cases (e.g., when changing the port),
and this will lead to black screens on HDMI monitors. The ECC value is
generated by the hardware.
I don't see how this should break anything since we're writing 0 and
that should be the correct value, so this patch should be safe.
Notice that on IVB and older we actually have 64 bytes available for
VIDEO_DIP_DATA, but only bytes 0-31 actually store infoframe data: the
others are either read-only ECC values or marked as "reserved". On HSW
we only have 32 bytes, and the ECC value is stored on its own separate
read-only register. See BSpec.
This patch fixes bug #46761, which is marked as a regression
introduced by commit 4e89ee174bb2da341bf90a84321c7008a3c9210d:
drm/i915: set the DIP port on ibx_write_infoframe
Before commit 4e89 we were just failing to send AVI infoframes when we
needed to change the port, which can lead to black screens in some
cases. After commit 4e89 we started sending infoframes, but with a
possibly wrong ECC value. After this patch I hope we start sending
correct infoframes.
Version 2:
- Improve commit message
- Try to make the code more clear
Cc: stable@vger.kernel.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=46761 Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com> Reviewed-by: Rodrigo Vivi <rodrigo.vivi@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
drm/i915: HDMI - Clear Audio Enable bit for Hot Plug
Since this code moved around a lot in -next git put that snippet at
the wrong spot. I've tried to fix this by making the conflict explicit
by merging a version for next with:
drm/i915: HDMI - Clear Audio Enable bit for Hot Plug unconditionally
But that failed to solve the entire problem. To avoid pushing out
further -nightly branch to our QA where this is broken, do the
backmerge and manually add the stuff git adds to -next from the patch
in -fixes.
Note that this doesn't show up in git's merge diff (and hence is also
not handled by git rerere), which adds to the reasons why I'd like to
fix this with a verbose backmerge. The git merge diff only shows a
bunch of trivial conflicts of the "code changed in lines next to each
another" kind.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Paulo Zanoni [Mon, 24 Sep 2012 13:32:54 +0000 (10:32 -0300)]
drm/i915: BUG() on unexpected HDMI register
This should never happen, but the silent "return" makes me wonder
every time I try to debug InfoFrame bugs, so promote this to BUG() to
make sure people will complain if we ever break this.
Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild
Pull kbuild fixes from Michal Marek:
"There are two more kbuild fixes for 3.6.
One fixes a race between x86's archscripts target and the rule
(re)building scripts/basic/fixdep. The second is a fix for the
previous attempt at fixing make firmware_install with make 3.82.
This new solution should work with any version of GNU make"
* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
x86/kbuild: archscripts depends on scripts_basic
firmware: fix directory creation rule matching with make 3.80
Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging
Pull hwmon subsystem fixes from Jean Delvare.
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
hwmon: (fam15h_power) Tweak runavg_range on resume
hwmon: (coretemp) Use get_online_cpus to avoid races involving CPU hotplug
hwmon: (via-cputemp) Use get_online_cpus to avoid races involving CPU hotplug
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"This is a set of four essential fixes: two oops related (bnx2i,
virtio-scsi), one data corruption related (hpsa) and one failure to
boot due to interrupt routing issues (mpt2ss).
Signed-off-by: James Bottomley <JBottomley@Parallels.com>"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
[SCSI] hpsa: fix handling of protocol error
[SCSI] mpt2sas: Fix for issue - Unable to boot from the drive connected to HBA
[SCSI] bnx2i: Fixed NULL ptr deference for 1G bnx2 Linux iSCSI offload
[SCSI] scsi: virtio-scsi: Fix address translation failure of HighMem pages used by sg list
edac_mc: edac_mc_free() cannot assume mem_ctl_info is registered in sysfs.
Fix potential NULL pointer dereference in edac_unregister_sysfs() on
system boot introduced in 3.6-rc1.
Since commit 7a623c039 ("edac: rewrite the sysfs code to use struct
device") edac_mc_alloc() no longer initializes embedded kobjects in
struct mem_ctl_info. Therefore edac_mc_free() can no longer simply
decrement a kobject reference count to free the allocated memory unless
the memory controller driver module had also called edac_mc_add_mc().
Now edac_mc_free() will check if the newly embedded struct device has
been registered with sysfs before using either the standard device
release functions or freeing the data structures itself with logic
pulled out of the error path of edac_mc_alloc().
The BUG this patch resolves for me:
BUG: unable to handle kernel NULL pointer dereference at (null)
EIP is at __wake_up_common+0x1a/0x6a
Process modprobe (pid: 933, ti=f3dc6000 task=f3db9520 task.ti=f3dc6000)
Call Trace:
complete_all+0x3f/0x50
device_pm_remove+0x23/0xa2
device_del+0x34/0x142
edac_unregister_sysfs+0x3b/0x5c [edac_core]
edac_mc_free+0x29/0x2f [edac_core]
e7xxx_probe1+0x268/0x311 [e7xxx_edac]
e7xxx_init_one+0x56/0x61 [e7xxx_edac]
local_pci_probe+0x13/0x15
...
and that code block seem to mess things up in several ways (double free, memory
leak, out-of-bound reads etc.):
L422: The iterator "chn" and bound "tot_channels" are totally wrong. Should be
"row" and "tot_csrows" respectively. Which means either memory leak, or
out-of-bound reads (which if does not trigger an immediate page fault
error, will further lead to kfree() on random addresses).
L425: The inner loop is reusing the same iterator "chn" as the outer loop,
which could lead to premature end of the outer loop, and hence memory leak.
L429: The array index 'i' in mci->csrows[i] is a temporary value used in
previous loops, and won't change at all in the current loop. Which
means either out-of-bound read and possibly kfree(random number), or the
same mci->csrows[i] get freed once and again, and possibly double free
for the kfree(csr) in L427.
L426/L427: a kfree(csr->channels) is needed in between to avoid leaking the memory.
The buggy code was introduced by commit de3910eb ("edac: change the mem
allocation scheme to make Documentation/kobject.txt happy") in the 3.6-rc1
merge window. Fix it by freeing up resources in this order:
Andreas Herrmann [Sun, 23 Sep 2012 18:27:32 +0000 (20:27 +0200)]
hwmon: (fam15h_power) Tweak runavg_range on resume
The quirk introduced with commit 00250ec90963b7ef6678438888f3244985ecde14 (hwmon: fam15h_power: fix
bogus values with current BIOSes) is not only required during driver
load but also when system resumes from suspend. The BIOS might set the
previously recommended (but unsuitable) initilization value for the
running average range register during resume.
Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com> Tested-by: Andreas Hartmann <andihartmann@01019freenet.de> Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@vger.kernel.org # 3.0+
hwmon: (coretemp) Use get_online_cpus to avoid races involving CPU hotplug
coretemp_init loops with for_each_online_cpu, adding platform_devices
and sysfs interfaces, then calls register_hotcpu_notifier. There is a
race if a CPU is offlined or onlined after the loop, but before
register_hotcpu_notifier. The race might result in the absence of a
platform_device+sysfs interface for an online CPU, or the presence of
a platform_device+sysfs interface for an offline CPU. A similar race
occurs during coretemp_exit, after the module calls
unregister_hotcpu_notifier, but before it unregisters all devices, a
CPU might offline and a device for an offline CPU will exist for a
short while.
This fix surrounds for_each_online_cpu and register_hotcpu_notifier
with get_online_cpus+put_online_cpus; and surrounds
unregister_hotcpu_notifier and device unregistering with
get_online_cpus+put_online_cpus.
Build tested.
Signed-off-by: Silas Boyd-Wickizer <sbw@mit.edu> Signed-off-by: Jean Delvare <khali@linux-fr.org>
hwmon: (via-cputemp) Use get_online_cpus to avoid races involving CPU hotplug
via_cputemp_init loops with for_each_online_cpu, adding
platform_devices, then calls register_hotcpu_notifier. If a CPU is
offlined between the loop and register_hotcpu_notifier, then later
onlined, via_cputemp_device_add will attempt to add platform devices
with the same ID. A similar race occurs during via_cputemp_exit,
after the module calls unregister_hotcpu_notifier, a CPU might offline
and a device will exist for a CPU that is offline.
This fix surrounds for_each_online_cpu and register_hotcpu_notifier
with get_online_cpus+put_online_cpus; and surrounds
unregister_hotcpu_notifier and device unregistering with
get_online_cpus+put_online_cpus.
Build tested.
Signed-off-by: Silas Boyd-Wickizer <sbw@mit.edu> Acked-by: Harald Welte <laforge@gnumonks.org> Signed-off-by: Jean Delvare <khali@linux-fr.org>
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
"Random fixes across arch/mips, essentially.
One fix for an issue in get_user_pages_fast() which previously was
discovered on x86, a miscalculation in the support for the MIPS MT
hardware multithreading support, the RTC support for the Malta and a
fix for a spurious interrupt issue that seems to bite only very
special Malta configurations."
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: Malta: Don't crash on spurious interrupt.
MIPS: Malta: Remove RTC Data Mode bootstrap breakage
MIPS: mm: Add compound tail page _mapcount when mapped
MIPS: CMP/SMTC: Fix tc_id calculation
Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Pull ARM and clkdev fixes from Russell King:
"Two patches for clkdev which resolve the long standing issue that the
devm_* versions were dependent on clkdev, which they shouldn't have
been. Instead, they're dependent on HAVE_CLK instead, which implies
that you're providing clk_get() and clk_put().
A small fix to the ARM decompressor to ensure that the page tables are
properly interpreted by the CPU, and reserve syscall 378 for kcmp (the
checksyscalls.sh script is unfortunately currently broken so arch
maintainers aren't getting notified of new syscalls...)
Lastly, a larger fix for an issue between the common clk subsystem and
smp_twd which causes warnings to be spat out."
* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
ARM: reserve syscall 378 for kcmp
ARM: 7535/1: Reprogram smp_twd based on new common clk framework notifiers
ARM: 7537/1: clk: Fix release in devm_clk_put()
ARM: 7532/1: decompressor: reset SCTLR.TRE for VMSA ARMv7 cores
ARM: 7534/1: clk: Make the managed clk functions generically available
Merge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:
"The most important fix is Logitech Unifying receiver regression in
device enumeration fix from Nestor Lopez Casado. In addition to that,
there is a small memory leak fix for Thinkpad keyboard driver from
Axel Lin."
* 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: Fix logitech-dj: missing Unifying device issue
HID: lenovo-tpkbd: Fix memory leak in tpkbd_remove_tp()
This patch fixes an issue introduced after commit 4ea5454203d991ec
("HID: Fix race condition between driver core and ll-driver").
After that commit, hid-core discards any incoming packet that arrives while
hid driver's probe function is being executed.
This broke the enumeration process of hid-logitech-dj, that must receive
control packets in-band with the mouse and keyboard packets. Discarding mouse
or keyboard data at the very begining is usually fine, but it is not the case
for control packets.
This patch forces a re-enumeration of the paired devices when a packet arrives
that comes from an unknown device.
Based on a patch originally written by Benjamin Tissoires.
Pull networking updates from David Miller:
"More bug fixes, nothing gets past these guys"
1) More kernel info leaks found by Mathias Krause, this time in the
IPSEC configuration layers.
2) When IPSEC policies change, we do not properly make sure that cached
routes (which could now be stale) throughout the system will be
revalidated. Fix this by generalizing the generation count
invalidation scheme used by ipv4. From Nicolas Dichtel.
3) When repairing TCP sockets, we need to allow to restore not just the
send window scale, but the receive one too. Extend the existing
interface to achieve this in a backwards compatible way. From
Andrey Vagin.
4) A fix for FCOE scatter gather feature validation erroneously caused
scatter gather to be disabled for things like AOE too. From Ed L
Cashin.
5) Several cases of mishandling of error pointers, from Mathias Krause,
Wei Yongjun, and Devendra Naga.
6) Fix gianfar build, from Richard Cochran.
7) CAP_NET_* failures should return -EPERM not -EACCES, from Zhao
Hongjiang.
8) Hardware reset fix in janz-ican3 CAN driver, from Ira W Snyder.
9) Fix oops during rmmod in ti_hecc CAN driver, from Marc Kleine-Budde.
10) The removal of the conditional compilation of the clk support code
in the stmmac driver broke things. This is because the interfaces
used are the ones that don't also perform the enable/disable of the
clk. Fix from Stefan Roese.
11) The QFQ packet scheduler can record out of range virtual start
times, resulting later in misbehavior and even crashes. Fix from
Paolo Valente.
12) If MSG_WAITALL is used with IOAT DMA under TCP, we can wedge the
receiver when the advertised receive window goes to zero. Detect
this case and force the processing of the IOAT DMA queue when it
happens to avoid getting stuck. Fix from Michal Kubecek.
13) batman-adv assumes that test_bit() returns only 0 or 1, but this is
not true for x86 (which returns -1 or 0, via the 'sbb' instruction).
Fix from Linus Lussing.
14) Fix small packet corruption in e1000, from Tushar Dave.
15) make_blackhole() in the IPSEC policy code can do one read unlock too
many, fix from Li RongQing.
16) The new tcp_try_coalesce() code introduced a bug in TCP URG
handling, fix from Eric Dumazet.
17) Fix memory leak in __netif_receive_skb() when doing zerocopy and
when hit an OOM condition. From Michael S Tsirkin.
18) netxen blindly deferences pdev->bus->self, which is not guarenteed
to be non-NULL. Fix from Nikolay Aleksandrov.
19) Fix a performance regression caused by mistakes in ipv6 checksum
validation in the bnx2x driver, fix from Michal Schmidt.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (45 commits)
net/stmmac: Use clk_prepare_enable and clk_disable_unprepare
net: change return values from -EACCES to -EPERM
net/irda: sh_sir: fix return value check in sh_sir_set_baudrate()
stmmac: fix return value check in stmmac_open_ext_timer()
gianfar: fix phc index build failure
ipv6: fix return value check in fib6_add()
bnx2x: remove false warning regarding interrupt number
can: ti_hecc: fix oops during rmmod
can: janz-ican3: fix support for older hardware revisions
net: do not disable sg for packets requiring no checksum
aoe: assert AoE packets marked as requiring no checksum
at91ether: return PTR_ERR if call to clk_get fails
xfrm_user: don't copy esn replay window twice for new states
xfrm_user: ensure user supplied esn replay window is valid
xfrm_user: fix info leak in copy_to_user_tmpl()
xfrm_user: fix info leak in copy_to_user_policy()
xfrm_user: fix info leak in copy_to_user_state()
xfrm_user: fix info leak in copy_to_user_auth()
net: qmi_wwan: adding Huawei E367, ZTE MF683 and Pantech P4200
tcp: restore rcv_wscale in a repair mode (v2)
...
1) Debugging builds on 32-bit sparc need to handle the R_SPARC_DISP32
relocation, not just 64-bit sparc. From Andreas Larsson.
2) Wei Yongjun noticed that module_alloc() on sparc can return an
error pointer, but that's not allowed. module_alloc() should
return only a valid pointer, or NULL.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc: fix the return value of module_alloc()
sparc32: Enable the relocation target R_SPARC_DISP32 for sparc32
Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
"Small fixlets"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/mm/init.c: Fix devmem_is_allowed() off by one
x86/kconfig: Remove outdated reference to Intel CPUs in CONFIG_SWIOTLB
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Fixes for big 3 drivers:
nouveau: revert earlier MBP fix, put a dmi based MBP fix in its place
(fixes a regression we found on some Dell eDP panels doing some
internal testing)
radeon: revert pll fixes, real fix is too invasive, fix scratch leak
intel: 3 minor fixes, one for HDMI audio."
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/nouveau: add dmi quirk for gpio reset
drm/radeon: Prevent leak of scratch register on resume from suspend
Revert "drm/nv50-/gpio: initialise to vbios defaults during init"
Revert "drm/radeon: rework pll selection (v3)"
drm/i915: HDMI - Clear Audio Enable bit for Hot Plug
drm/i915: Reduce a pin-leak BUG into a WARN
drm/i915: enable lvds pin pairs before dpll on gen2
Merge tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
- Add missing 'name' sysfs attributes to ad7314 and ads7871 drivers
- Bump maximum wait time for applesmc driver (again)
- Fix build warning seen with W=1 in include/linux/kernel.h, introduced
with commit b6d86d3d6d6e ("Fix DIV_ROUND_CLOSEST to support negative
dividends")
* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
linux/kernel.h: Fix warning seen with W=1 due to change in DIV_ROUND_CLOSEST
hwmon: (applesmc) Bump max wait
hwmon: (ad7314) Add 'name' sysfs attribute
hwmon: (ads7871) Add 'name' sysfs attribute
Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
Pull slave-dmaengine fixes from Vinod Koul:
"There are two trivial fixes in pl330 driver and two in at_hdmac
driver."
* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
DMA: PL330: Check the pointer returned by kzalloc
DMA: PL330: Fix potential NULL pointer dereference in pl330_submit_req()
dmaengine: at_hdmac: check that each sg data length is non-null
dmaengine: at_hdmac: fix comment in atc_prep_slave_sg()
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull arm-soc bug fixes from Olof Johansson:
"A couple of samsung clock locking fixes, at91 device tree gpio
configuration fix and a couple more for shmobile and i.MX.
All small targeted fixes."
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM i.MX25: Make timer irq work again
ARM: imx: armadillo5x0: Fix illegal register access
ARM: shmobile: kzm9g: bugfix: correct mmcif interrupt settings
ARM: SAMSUNG: Use spin_lock_{irqsave,irqrestore} in clk_set_rate
ARM: at91: fix missing #interrupt-cells on gpio-controller
ARM: SAMSUNG: use spin_lock_irqsave() in clk_set_parent
In case of error, function module_alloc() in other platform never
returns ERR_PTR(), and all of the user only check for NULL, so
we'd better return NULL instead of ERR_PTR().
dpatch engine is used to auto generated this patch.
(https://github.com/weiyj/dpatch)
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
"Bug fixes for 3.6-rc7, including some important patches for large page
related memory management issues."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/dasd: fix read unit address configuration loop
s390/dasd: fix pathgroup race
s390/mm: fix user access page-table walk code
s390/hwcaps: do not report high gprs for 31 bit kernel
s390/cio: invalidate cdev pointer before deregistration
s390/cio: fix IO subchannel event race
s390/dasd: move wake_up call
s390/hugetlb: use direct TLB flushing for hugetlbfs pages
s390/mm: fix deadlock in unmap_hugepage_range()
Merge tag 'stable/for-linus-3.6-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
Pull Xen bug-fixes from Konrad Rzeszutek Wilk:
- Fix M2P batching re-using the incorrect structure field.
In v3.5 we added batching for M2P override (Machine Frame Number ->
Physical Frame Number), but the original MFN was saved in an
incorrect structure - and we would oops/restore when restoring with
the old MFN.
- Disable BIOS SMP MP table search.
A bootup issue that we had ignored until we found that on DL380 G6 it
was needed.
* tag 'stable/for-linus-3.6-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
xen/boot: Disable BIOS SMP MP table search.
xen/m2p: do not reuse kmap_op->dev_bus_addr
Stefan Roese [Fri, 21 Sep 2012 01:06:29 +0000 (01:06 +0000)]
net/stmmac: Use clk_prepare_enable and clk_disable_unprepare
This patch fixes an issue introduced by commit ID 6a81c26f
[net/stmmac: remove conditional compilation of clk code], which
switched from the internal stmmac_clk_{en}{dis}able calls to
clk_{en}{dis}able. By this, calling clk_prepare and clk_unprepare
was removed.
clk_{un}prepare is mandatory for platforms using common clock framework.
Since these drivers are used by SPEAr platform, which supports common
clock framework, add clk_{un}prepare() support for them. Otherwise
the clocks are not correctly en-/disabled and ethernet support doesn't
work.
Signed-off-by: Stefan Roese <sr@denx.de> Cc: Viresh Kumar <viresh.kumar@linaro.org> Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com> Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
The format_array_alloc() function is fundamentally racy, in that it
prints the array twice: once to figure out how much space to allocate
for the buffer, and the second time to actually print out the data.
If any of the array contents changes in between, the allocation size may
be wrong, and the end result may be truncated in odd ways.
Just don't do it. Allocate a maximum-sized array up-front, and just
format the array contents once. The only user of the u32_array
interfaces is the Xen spinlock statistics code, and it has 31 entries in
the arrays, so the maximum size really isn't that big, and the end
result is much simpler code without the bug.
David S. Miller [Fri, 21 Sep 2012 17:49:59 +0000 (13:49 -0400)]
Merge branch 'fixes-for-3.6' of git://gitorious.org/linux-can/linux-can
Marc Kleine-Budde says:
====================
two patches for the v3.6 release cycle. Ira W. Snyder fixed support for the
older version of the Janz CMOD-IO Carrier Board. I found and fixed an oops in
the ti_hecc driver, which occurs when removing the module if the network
interface is still open.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
net/irda: sh_sir: fix return value check in sh_sir_set_baudrate()
In case of error, the function clk_get() returns ERR_PTR()
and never returns NULL pointer. The NULL test in the error
handling should be replaced with IS_ERR().
dpatch engine is used to auto generated this patch.
(https://github.com/weiyj/dpatch)
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
stmmac: fix return value check in stmmac_open_ext_timer()
In case of error, the function clk_get() returns ERR_PTR()
and never returns NULL pointer. The NULL test in the error
handling should be replaced with IS_ERR().
dpatch engine is used to auto generated this patch.
(https://github.com/weiyj/dpatch)
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
Richard Cochran [Thu, 20 Sep 2012 19:11:12 +0000 (19:11 +0000)]
gianfar: fix phc index build failure
This patch fixes a build failure introduced in commit 66636287
("gianfar: Support the get_ts_info ethtool method."). Not only was a
global variable inconsistently named, but also it was not exported as
it should have been.
This fix is also needed in stable version 3.5.
Signed-off-by: Richard Cochran <richardcochran@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
David Rientjes [Fri, 21 Sep 2012 09:16:29 +0000 (02:16 -0700)]
debugfs: fix race in u32_array_read and allocate array at open
u32_array_open() is racy when multiple threads read from a file with a
seek position of zero, i.e. when two or more simultaneous reads are
occurring after the non-seekable files are created. It is possible that
file->private_data is double-freed because the threads races between
kfree(file->private-data);
and
file->private_data = NULL;
The fix is to only do format_array_alloc() when the file is opened and
free it when it is closed.
Note that because the file has always been non-seekable, you can't open
it and read it multiple times anyway, so the data has always been
generated just once. The difference is that now it is generated at open
time rather than at the time of the first read, and that avoids the
race.
Reported-by: Dave Jones <davej@redhat.com> Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Tested-by: Raghavendra <raghavendra.kt@linux.vnet.ibm.com> Signed-off-by: David Rientjes <rientjes@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
bnx2x: remove false warning regarding interrupt number
Since version 7.4 the FW configures in the pci config space the max
number of interrupts available to the physical function, instead of
the exact number to use.
This causes a false warning in driver when comparing the number of
configured interrupts to the number about to be used.
Signed-off-by: Ariel Elior <ariele@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Fri, 21 Sep 2012 16:55:20 +0000 (17:55 +0100)]
ARM: reserve syscall 378 for kcmp
kcmp has appeared on x86, but has not been noticed because
checksyscalls.sh is broken at the moment. Reserve ARM syscall 378
for this should we ever need it, and add an __IGNORE entry for this
unimplemented syscall.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Jeff Mahoney [Thu, 20 Sep 2012 14:28:45 +0000 (10:28 -0400)]
x86/kbuild: archscripts depends on scripts_basic
While building the SUSE kernel packages, which build the scripts,
make clean, and then build everything, we have been running into spurious
build failures. We tracked them down to a simple dependency issue:
$ make mrproper
CLEAN arch/x86/tools
CLEAN scripts/basic
$ cp patches/config/x86_64/desktop .config
$ make archscripts
HOSTCC arch/x86/tools/relocs
/bin/sh: scripts/basic/fixdep: No such file or directory
make[3]: *** [arch/x86/tools/relocs] Error 1
make[2]: *** [archscripts] Error 2
make[1]: *** [sub-make] Error 2
make: *** [all] Error 2
This was introduced by commit 6520fe55 (x86, realmode: 16-bit real-mode code support for relocs),
which added the archscripts dependency to archprepare.
This patch adds the scripts_basic dependency to the x86 archscripts.
Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Michal Marek <mmarek@suse.cz>
Mark Asselstine [Wed, 19 Sep 2012 20:30:44 +0000 (16:30 -0400)]
firmware: fix directory creation rule matching with make 3.80
Since make 3.80 doesn't support secondary expansion it uses a fallback
rule to create firmware directories which is matched after primary
expansion of the $(installed-fw) rule's prerequisite. Commit 6c7080a61fc7 [firmware: fix directory creation rule matching with make
3.82] changed the expression generated after primary expansion such
that the fallback was not matched. Updating the fallback rule to match
the new look primary expansion is not an option for various reasons.
The trailing slash added here to $(INSTALL_FW_PATH)/. while defining
installed-fw-dirs fixes builds with make 3.82 since this will provide
a matching rule for $(INSTALL_FW_PATH)/$$(dir %) when % is in the base
firmware directory (ie. $(dir %) gives './'). Versions of make prior
to 3.82 will strip this trailing slash along with the one generated by
$(dir %) when % is in the base firmware directory and as such continue
to function as before.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Tested-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Michal Marek <mmarek@suse.cz>
This patch fixes an oops which occurs when unloading the driver, while the
network interface is still up. The problem is that first the io mapping is
teared own, then the CAN device is unregistered, resulting in accessing the
hardware's iomem:
Ira W. Snyder [Tue, 11 Sep 2012 22:58:15 +0000 (15:58 -0700)]
can: janz-ican3: fix support for older hardware revisions
The Revision 1.0 Janz CMOD-IO Carrier Board does not have support for
the reset registers. To support older hardware, the code is changed to
use the hardware reset register on the Janz VMOD-ICAN3 hardware itself.
Cc: stable <stable@vger.kernel.org> Signed-off-by: Ira W. Snyder <iws@ovro.caltech.edu> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Dave Airlie [Fri, 21 Sep 2012 10:46:01 +0000 (20:46 +1000)]
Merge branch 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel into drm-fixes
Daniel writes:
Essentially just flush my -fixes queue before I head off to xdc.
- gen2 regression fixer, we've enabled the lvds stuff too late. Not
causing any known issues, but this restores the sequence before a
refactor that landed in 3.5, and lvds is a fickle beast. And seriously,
who runs gen2 still ...
- downgrade a BUG to a WARN - we haven't root-caused/fixed the underlying
issue yet, but this should help bug reporters quite a bit.
- properly disable hdmi audio - we've lost track of this, which resulted
in the alsa driver again losing track of the unplug event.
* 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
drm/i915: HDMI - Clear Audio Enable bit for Hot Plug
drm/i915: Reduce a pin-leak BUG into a WARN
drm/i915: enable lvds pin pairs before dpll on gen2
Ed Cashin [Wed, 19 Sep 2012 15:49:00 +0000 (15:49 +0000)]
net: do not disable sg for packets requiring no checksum
A change in a series of VLAN-related changes appears to have
inadvertently disabled the use of the scatter gather feature of
network cards for transmission of non-IP ethernet protocols like ATA
over Ethernet (AoE). Below is a reference to the commit that
introduces a "harmonize_features" function that turns off scatter
gather when the NIC does not support hardware checksumming for the
ethernet protocol of an sk buff.
net offloading: Generalize netif_get_vlan_features().
The can_checksum_protocol function is not equipped to consider a
protocol that does not require checksumming. Calling it for a
protocol that requires no checksum is inappropriate.
The patch below has harmonize_features call can_checksum_protocol when
the protocol needs a checksum, so that the network layer is not forced
to perform unnecessary skb linearization on the transmission of AoE
packets. Unnecessary linearization results in decreased performance
and increased memory pressure, as reported here:
The problem has probably not been widely experienced yet, because
only recently has the kernel.org-distributed aoe driver acquired the
ability to use payloads of over a page in size, with the patchset
recently included in the mm tree:
https://lkml.org/lkml/2012/8/28/140
The coraid.com-distributed aoe driver already could use payloads of
greater than a page in size, but its users generally do not use the
newest kernels.
Signed-off-by: Ed Cashin <ecashin@coraid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ed Cashin [Wed, 19 Sep 2012 15:46:39 +0000 (15:46 +0000)]
aoe: assert AoE packets marked as requiring no checksum
In order for the network layer to see that AoE requires
no checksumming in a generic way, the packets must be
marked as requiring no checksum, so we make this requirement
explicit with the assertion.
Signed-off-by: Ed Cashin <ecashin@coraid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
at91ether: return PTR_ERR if call to clk_get fails
we are currently returning ENODEV, as the clk_get may give a exact
error code in its returned pointer, assign it to the ret by using the
PTR_ERR function, so that the subsequent goto label will jump to the
error path and clean the driver and return the error correctly.
Signed-off-by: Devendra Naga <devendra.aaru@gmail.com> Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
xfrm_user: ensure user supplied esn replay window is valid
The current code fails to ensure that the netlink message actually
contains as many bytes as the header indicates. If a user creates a new
state or updates an existing one but does not supply the bytes for the
whole ESN replay window, the kernel copies random heap bytes into the
replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL
netlink attribute. This leads to following issues:
1. The replay window has random bits set confusing the replay handling
code later on.
2. A malicious user could use this flaw to leak up to ~3.5kB of heap
memory when she has access to the XFRM netlink interface (requires
CAP_NET_ADMIN).
Known users of the ESN replay window are strongSwan and Steffen's
iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter
uses the interface with a bitmap supplied while the former does not.
strongSwan is therefore prone to run into issue 1.
To fix both issues without breaking existing userland allow using the
XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a
fully specified one. For the former case we initialize the in-kernel
bitmap with zero, for the latter we copy the user supplied bitmap. For
state updates the full bitmap must be supplied.
To prevent overflows in the bitmap length calculation the maximum size
of bmp_len is limited to 128 by this patch -- resulting in a maximum
replay window of 4096 packets. This should be sufficient for all real
life scenarios (RFC 4303 recommends a default replay window size of 64).
Cc: Steffen Klassert <steffen.klassert@secunet.com> Cc: Martin Willi <martin@revosec.ch> Cc: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
The memory used for the template copy is a local stack variable. As
struct xfrm_user_tmpl contains multiple holes added by the compiler for
alignment, not initializing the memory will lead to leaking stack bytes
to userland. Add an explicit memset(0) to avoid the info leak.
Initial version of the patch by Brad Spengler.
Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
The memory reserved to dump the xfrm policy includes multiple padding
bytes added by the compiler for alignment (padding bytes in struct
xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
memset(0) before filling the buffer to avoid the heap info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
The memory reserved to dump the xfrm state includes the padding bytes of
struct xfrm_usersa_info added by the compiler for alignment (7 for
amd64, 3 for i386). Add an explicit memset(0) before filling the buffer
to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
copy_to_user_auth() fails to initialize the remainder of alg_name and
therefore discloses up to 54 bytes of heap memory via netlink to
userland.
Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name
with null bytes.
Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Huawei use subclass and protocol to identify vendor specific
functions, so adding a new vendor rule for this combination.
The Pantech devices UML290 (106c:3718) and P4200 (106c:3721) use
the same subclass to identify the QMI/wwan function. Replace the
existing device specific UML290 entries with generic vendor matching,
adding support for the Pantech P4200.
The ZTE MF683 has 6 vendor specific interfaces, all using
ff/ff/ff for cls/sub/prot. Adding a match on interface #5 which
is a QMI/wwan interface.
Cc: Fangxiaozhi (Franko) <fangxiaozhi@huawei.com> Cc: Thomas Schäfer <tschaefer@t-online.de> Cc: Dan Williams <dcbw@redhat.com> Cc: Shawn J. Goff <shawn7400@gmail.com> Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: David S. Miller <davem@davemloft.net>
rcv_wscale is a symetric parameter with snd_wscale.
Both this parameters are set on a connection handshake.
Without this value a remote window size can not be interpreted correctly,
because a value from a packet should be shifted on rcv_wscale.
And one more thing is that wscale_ok should be set too.
This patch doesn't break a backward compatibility.
If someone uses it in a old scheme, a rcv window
will be restored with the same bug (rcv_wscale = 0).
v2: Save backward compatibility on big-endian system. Before
the first two bytes were snd_wscale and the second two bytes were
rcv_wscale. Now snd_wscale is opt_val & 0xFFFF and rcv_wscale >> 16.
This approach is independent on byte ordering.
Cc: David S. Miller <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> CC: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: Andrew Vagin <avagin@openvz.org> Acked-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net>
projects / linux-beck.git / log