xfrm6: Fix the nexthdr offset in _decode_session6.
xfrm_decode_session() was originally designed for the
usage in the receive path where the correct nexthdr offset
is stored in IP6CB(skb)->nhoff. Over time this function
spread to code that is used in the output path (netfilter,
vti) where IP6CB(skb)->nhoff is not set. As a result, we
get a wrong nexthdr and the upper layer flow informations
are wrong. This can leed to incorrect policy lookups.
xfrm6: Fix transport header offset in _decode_session6.
skb->transport_header might not be valid when we do a reverse
decode because the ipv6 tunnel error handlers don't update it
to the inner transport header. This leads to a wrong offset
calculation and to wrong layer 4 informations. We fix this
by using the size of the ipv6 header as the first offset.
Pravin B Shelar [Mon, 1 Dec 2014 07:04:17 +0000 (23:04 -0800)]
openvswitch: Fix flow mask validation.
Following patch fixes typo in the flow validation. This prevented
installation of ARP and IPv6 flows.
Fixes: 19e7a3df72 ("openvswitch: Fix NDP flow mask validation") Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Reviewed-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Masahiro Yamada [Mon, 1 Dec 2014 01:16:17 +0000 (10:16 +0900)]
uapi: fix to export linux/vm_sockets.h
A typo "header=y" was introduced by commit 7071cf7fc435
(uapi: add missing network related headers to kbuild).
Signed-off-by: Masahiro Yamada <yamada.m@jp.panasonic.com> Cc: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Lino Sanfilippo [Sun, 30 Nov 2014 11:56:51 +0000 (12:56 +0100)]
sky2: avoid pci write posting after disabling irqs
In sky2_change_mtu setting B0_IMSK to 0 may be delayed due to PCI write posting
which could result in irqs being still active when synchronize_irq is called.
Since we are not prepared to handle any further irqs after synchronize_irq
(our resources are freed after that) force the write by a consecutive read from
the same register.
Similar situation in sky2_all_down: Here we disabled irqs by a write to B0_IMSK
but did not ensure that this write took place before synchronize_irq. Fix that
too.
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> Acked-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Lino Sanfilippo [Sun, 30 Nov 2014 11:51:31 +0000 (12:51 +0100)]
skge: Unmask interrupts in case of spurious interrupts
In case of a spurious interrupt dont forget to reenable the interrupts that
have been masked by reading the interrupt source register.
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> Acked-by: Mirko Lindner <mlindner@marvell.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Lino Sanfilippo [Sun, 30 Nov 2014 10:49:36 +0000 (11:49 +0100)]
pxa168: close race between napi and irq activation
In pxa168_eth_open() the irqs are enabled before napi. This opens a tiny time
window in which the irq handler is processed, disables irqs but then is not able
to schedule the not yet activated napi, leaving irqs disabled forever (since
irqs are reenabled in napi poll function).
Fix this race by activating napi before irqs are activated.
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> Signed-off-by: David S. Miller <davem@davemloft.net>
bpf: x86: fix epilogue generation for eBPF programs
classic BPF has a restriction that last insn is always BPF_RET.
eBPF doesn't have BPF_RET instruction and this restriction.
It has BPF_EXIT insn which can appear anywhere in the program
one or more times and it doesn't have to be last insn.
Fix eBPF JIT to emit epilogue when first BPF_EXIT is seen
and all other BPF_EXIT instructions will be emitted as jump.
Since jump offset to epilogue is computed as:
jmp_offset = ctx->cleanup_addr - addrs[i]
we need to change type of cleanup_addr to signed to compute the offset as:
(long long) ((int)20 - (int)30)
instead of:
(long long) ((unsigned int)20 - (int)30)
Fixes: 622582786c9e ("net: filter: x86: internal BPF JIT") Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Tom Herbert [Sat, 29 Nov 2014 17:59:45 +0000 (09:59 -0800)]
gre: Set inner mac header in gro complete
Set the inner mac header to point to the GRE payload when
doing GRO. This is needed if we proceed to send the packet
through GRE GSO which now uses the inner mac header instead
of inner network header to determine the length of encapsulation
headers.
Fixes: 14051f0452a2 ("gre: Use inner mac length when computing tunnel length") Reported-by: Wolfgang Walter <linux@stwm.de> Signed-off-by: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Lutomirski [Wed, 3 Dec 2014 23:37:08 +0000 (15:37 -0800)]
context_tracking: Restore previous state in schedule_user
It appears that some SCHEDULE_USER (asm for schedule_user) callers
in arch/x86/kernel/entry_64.S are called from RCU kernel context,
and schedule_user will return in RCU user context. This causes RCU
warnings and possible failures.
This is intended to be a minimal fix suitable for 3.18.
Reported-and-tested-by: Dave Jones <davej@redhat.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Frédéric Weisbecker <fweisbec@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Wed, 3 Dec 2014 22:08:50 +0000 (14:08 -0800)]
Merge tag 'devicetree-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/glikely/linux
Pull devicetree bugfix from Grant Likely:
"One more bug fix for v3.18. I debated whether or not to send you this
merge request because we're at such a late rc. The bug isn't critical
in that there is only one system known to be affected and the patch is
easy to backport. The codepath is used by pretty much every DT based
system, so there is risk a of regression (it /should/ be safe, but
I've been bitten by stuff that should be safe before). I've had it in
linux-next for a week and haven't received any complaints.
I think it probably should just be merged right away rather than
waiting for the merge window and backporting. It does fix a real bug
and the code is theoretically safer after the change. I can't think
of any situation where it would be dangerous to reserve the DT memory
an extra time.
Summary from tag:
Single bugfix for boot failure seen in the wild. The memory reserve
code tries to be clever about reserving the FDT, but it should just
go ahead and reserve it unconditionally to avoid the problem of
partial overlap described in the patch"
* tag 'devicetree-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/glikely/linux:
of/fdt: memblock_reserve /memreserve/ regions in the case of partial overlap
Linus Torvalds [Wed, 3 Dec 2014 22:05:24 +0000 (14:05 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block core regression fix from Jens Axboe:
"Single fix for a regression introduced in this development cycle,
where dm on top of dif/dix is broken. From Darrick Wong"
* 'for-linus' of git://git.kernel.dk/linux-block:
block: fix regression where bio_integrity_process uses wrong bio_vec iterator
Linus Torvalds [Wed, 3 Dec 2014 21:51:50 +0000 (13:51 -0800)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Radeon and Nouveau fixes:
So nouveau had a few regression introduced, Ben and Maarten finally
tracked down the one that was causing problems on my MacBookPro, also
nvidia gave some info on the an engine we were using incorrectly, so
disable our use of it, and one regresion with pci hotplug affecting
optimus users.
Radeon has an oops fixs, sync fix, and one workaround to avoid broken
functionality on 32-bit x86, this needs better root causing and a
better fix, but the bandaid is a lot safer at this point"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6
drm/radeon: Ignore RADEON_GEM_GTT_WC on 32-bit x86
drm/radeon: sync all BOs involved in a CS v2
nouveau: move the hotplug ignore to correct place.
drm/nouveau/gf116: remove copy1 engine
drm/nouveau: prevent stale fence->channel pointers, and protect with rcu
drm/nouveau/fifo/g84-: ack non-stall interrupt before handling it
1) Fill in ethtool link parameters for all link types in cxgb4, from
Hariprasad Shenai.
2) Fix probe regressions in stmmac driver, from Huacai Chen.
3) Network namespace leaks on errirs in rtnetlink, from Nicolas
Dichtel.
4) Remove erroneous BUG check which can actually trigger legitimately,
in xen-netfront. From Seth Forshee.
5) Validate length of IFLA_BOND_ARP_IP_TARGET netlink attributes, from
Thomas Grag.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
cxgb4: Fill in supported link mode for SFP modules
xen-netfront: Remove BUGs on paged skb data which crosses a page boundary
sh_eth: Fix sleeping function called from invalid context
stmmac: platform: Move plat_dat checking earlier
sh_eth: Fix skb alloc size and alignment adjust rule.
rtnetlink: release net refcnt on error in do_setlink()
bond: Check length of IFLA_BOND_ARP_IP_TARGET attributes
Linus Torvalds [Wed, 3 Dec 2014 18:56:12 +0000 (10:56 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull keyring/nfs fixes from James Morris:
"From David Howells:
The first one fixes the handling of maximum buffer size for key
descriptions, fixing the size at 4095 + NUL char rather than whatever
PAGE_SIZE happens to be and permits you to read back the full
description without it getting clipped because some extra information
got prepended.
The second and third fix a bug in NFS idmapper handling whereby a key
representing a mapping between an id and a name expires and causing
EKEYEXPIRED to be seen internally in NFS (which prevents the mapping
from happening) rather than re-looking up the mapping"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED
KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags
KEYS: Fix the size of the key description passed to/from userspace
Linus Torvalds [Wed, 3 Dec 2014 17:36:20 +0000 (09:36 -0800)]
Merge branch 'akpm' (patches from Andrew Morton)
Merge misc fixes from Andrew Morton:
"10 fixes"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
slab: fix nodeid bounds check for non-contiguous node IDs
lib/genalloc.c: export devm_gen_pool_create() for modules
mm: fix anon_vma_clone() error treatment
mm: fix swapoff hang after page migration and fork
fat: fix oops on corrupted vfat fs
ipc/sem.c: fully initialize sem_array before making it visible
drivers/input/evdev.c: don't kfree() a vmalloc address
mm/vmpressure.c: fix race in vmpressure_work_fn()
mm: frontswap: invalidate expired data on a dup-store failure
mm: do not overwrite reserved pages counter at show_mem()
Paul Mackerras [Tue, 2 Dec 2014 23:59:48 +0000 (15:59 -0800)]
slab: fix nodeid bounds check for non-contiguous node IDs
The bounds check for nodeid in ____cache_alloc_node gives false
positives on machines where the node IDs are not contiguous, leading to
a panic at boot time. For example, on a POWER8 machine the node IDs are
typically 0, 1, 16 and 17. This means that num_online_nodes() returns
4, so when ____cache_alloc_node is called with nodeid = 16 the VM_BUG_ON
triggers, like this:
To fix this, we instead compare the nodeid with MAX_NUMNODES, and
additionally make sure it isn't negative (since nodeid is an int). The
check is there mainly to protect the array dereference in the get_node()
call in the next line, and the array being dereferenced is of size
MAX_NUMNODES. If the nodeid is in range but invalid (for example if the
node is off-line), the BUG_ON in the next line will catch that.
Fixes: 14e50c6a9bc2 ("mm: slab: Verify the nodeid passed to ____cache_alloc_node") Signed-off-by: Paul Mackerras <paulus@samba.org> Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> Reviewed-by: Pekka Enberg <penberg@kernel.org> Acked-by: David Rientjes <rientjes@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Daniel Forrest [Tue, 2 Dec 2014 23:59:42 +0000 (15:59 -0800)]
mm: fix anon_vma_clone() error treatment
Andrew Morton noticed that the error return from anon_vma_clone() was
being dropped and replaced with -ENOMEM (which is not itself a bug
because the only error return value from anon_vma_clone() is -ENOMEM).
I did an audit of callers of anon_vma_clone() and discovered an actual
bug where the error return was being lost. In __split_vma(), between
Linux 3.11 and 3.12 the code was changed so the err variable is used
before the call to anon_vma_clone() and the default initial value of
-ENOMEM is overwritten. So a failure of anon_vma_clone() will return
success since err at this point is now zero.
Below is a patch which fixes this bug and also propagates the error
return value from anon_vma_clone() in all cases.
Fixes: ef0855d334e1 ("mm: mempolicy: turn vma_set_policy() into vma_dup_policy()") Signed-off-by: Daniel Forrest <dan.forrest@ssec.wisc.edu> Reviewed-by: Michal Hocko <mhocko@suse.cz> Cc: Konstantin Khlebnikov <koct9i@gmail.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Rik van Riel <riel@redhat.com> Cc: Tim Hartrick <tim@edgecast.com> Cc: Hugh Dickins <hughd@google.com> Cc: Michel Lespinasse <walken@google.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: <stable@vger.kernel.org> [3.12+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Hugh Dickins [Tue, 2 Dec 2014 23:59:39 +0000 (15:59 -0800)]
mm: fix swapoff hang after page migration and fork
I've been seeing swapoff hangs in recent testing: it's cycling around
trying unsuccessfully to find an mm for some remaining pages of swap.
I have been exercising swap and page migration more heavily recently,
and now notice a long-standing error in copy_one_pte(): it's trying to
add dst_mm to swapoff's mmlist when it finds a swap entry, but is doing
so even when it's a migration entry or an hwpoison entry.
Which wouldn't matter much, except it adds dst_mm next to src_mm,
assuming src_mm is already on the mmlist: which may not be so. Then if
pages are later swapped out from dst_mm, swapoff won't be able to find
where to replace them.
There's already a !non_swap_entry() test for stats: move that up before
the swap_duplicate() and the addition to mmlist.
Manfred Spraul [Tue, 2 Dec 2014 23:59:34 +0000 (15:59 -0800)]
ipc/sem.c: fully initialize sem_array before making it visible
ipc_addid() makes a new ipc identifier visible to everyone. New objects
start as locked, so that the caller can complete the initialization
after the call. Within struct sem_array, at least sma->sem_base and
sma->sem_nsems are accessed without any locks, therefore this approach
doesn't work.
Thus: Move the ipc_addid() to the end of the initialization.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reported-by: Rik van Riel <riel@redhat.com> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: Davidlohr Bueso <dave@stgolabs.net> Acked-by: Rafael Aquini <aquini@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Seth Forshee [Wed, 26 Nov 2014 02:28:24 +0000 (20:28 -0600)]
xen-netfront: Remove BUGs on paged skb data which crosses a page boundary
These BUGs can be erroneously triggered by frags which refer to
tail pages within a compound page. The data in these pages may
overrun the hardware page while still being contained within the
compound page, but since compound_order() evaluates to 0 for tail
pages the assertion fails. The code already iterates through
subsequent pages correctly in this scenario, so the BUGs are
unnecessary and can be removed.
Fixes: f36c374782e4 ("xen/netfront: handle compound page fragments on transmit") Cc: <stable@vger.kernel.org> # 3.7+ Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Reviewed-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Weijie Yang [Tue, 2 Dec 2014 23:59:25 +0000 (15:59 -0800)]
mm: frontswap: invalidate expired data on a dup-store failure
If a frontswap dup-store failed, it should invalidate the expired page
in the backend, or it could trigger some data corruption issue.
Such as:
1. use zswap as the frontswap backend with writeback feature
2. store a swap page(version_1) to entry A, success
3. dup-store a newer page(version_2) to the same entry A, fail
4. use __swap_writepage() write version_2 page to swapfile, success
5. zswap do shrink, writeback version_1 page to swapfile
6. version_2 page is overwrited by version_1, data corrupt.
This patch fixes this issue by invalidating expired data immediately
when meet a dup-store failure.
Signed-off-by: Weijie Yang <weijie.yang@samsung.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Seth Jennings <sjennings@variantweb.net> Cc: Dan Streetman <ddstreet@ieee.org> Cc: Minchan Kim <minchan@kernel.org> Cc: Bob Liu <bob.liu@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dave Airlie [Wed, 3 Dec 2014 00:48:54 +0000 (10:48 +1000)]
Merge branch 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
A few more small fixes for 3.18.
* 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux:
drm/radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6
drm/radeon: Ignore RADEON_GEM_GTT_WC on 32-bit x86
drm/radeon: sync all BOs involved in a CS v2
Darrick J. Wong [Wed, 26 Nov 2014 01:40:25 +0000 (17:40 -0800)]
block: fix regression where bio_integrity_process uses wrong bio_vec iterator
bio integrity handling is broken on a system with LVM layered atop a
DIF/DIX SCSI drive because device mapper clones the bio, modifies the
clone, and sends the clone to the lower layers for processing.
However, the clone bio has bi_vcnt == 0, which means that when the sd
driver calls bio_integrity_process to attach DIX data, the
for_each_segment_all() call (which uses bi_vcnt) returns immediately
and random garbage is sent to the disk on a disk write. The disk of
course returns an error.
Therefore, teach bio_integrity_process() to use bio_for_each_segment()
to iterate the bio_vecs, since the per-bio iterator tracks which
bio_vecs are associated with that particular bio. The integrity
handling code is effectively part of the "driver" (it's not the bio
owner), so it must use the correct iterator function.
v2: Fix a compiler warning about abandoned local variables. This
patch supersedes "block: bio_integrity_process uses wrong bio_vec
iterator". Patch applies against 3.18-rc6.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Acked-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Jens Axboe <axboe@fb.com>
Dave Airlie [Tue, 2 Dec 2014 05:40:16 +0000 (15:40 +1000)]
Merge branch 'linux-3.18' of git://anongit.freedesktop.org/git/nouveau/linux-2.6 into drm-fixes
Just a couple of fixes for the fallout from the fence rework.
* 'linux-3.18' of git://anongit.freedesktop.org/git/nouveau/linux-2.6:
drm/nouveau/gf116: remove copy1 engine
drm/nouveau: prevent stale fence->channel pointers, and protect with rcu
drm/nouveau/fifo/g84-: ack non-stall interrupt before handling it
Ilia Mirkin [Sun, 30 Nov 2014 17:56:18 +0000 (12:56 -0500)]
drm/nouveau/gf116: remove copy1 engine
Indications are that no GF116's actually have a copy engine there, but
actually have the decompression engine. This engine can be made to do
copies, but that should be done separately.
Unclear why this didn't turn up on all GF116's, but perhaps the
non-mobile ones came with enough VRAM to not trigger ttm migrations in
test scenarios.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=85465 Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=59168 Cc: stable@vger.kernel.org Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Linus Torvalds [Tue, 2 Dec 2014 04:11:49 +0000 (20:11 -0800)]
Merge tag 'ext4_for_linus_urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 bugfix from Ted Ts'o:
"Fix an ext4 metadata checksum regression introduced in v3.18-rc3"
* tag 'ext4_for_linus_urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
jbd2: fix regression where we fail to initialize checksum seed when loading
Darrick J. Wong [Tue, 2 Dec 2014 00:22:23 +0000 (16:22 -0800)]
jbd2: fix regression where we fail to initialize checksum seed when loading
When we're enabling journal features, we cannot use the predicate
jbd2_journal_has_csum_v2or3() because we haven't yet set the sb
feature flag fields! Moreover, we just finished loading the shash
driver, so the test is unnecessary; calculate the seed always.
Without this patch, we fail to initialize the checksum seed the first
time we turn on journal_checksum, which means that all journal blocks
written during that first mount are corrupt. Transactions written
after the second mount will be fine, since the feature flag will be
set in the journal superblock. xfstests generic/{034,321,322} are the
regression tests.
(This is important for 3.18.)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.coM> Reported-by: Eric Whitney <enwlinux@gmail.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Thierry Reding [Thu, 27 Nov 2014 08:54:09 +0000 (09:54 +0100)]
PCI: tegra: Use physical range for I/O mapping
Commit 0b0b0893d49b ("of/pci: Fix the conversion of IO ranges into IO
resources") changed how I/O resources are parsed from DT. Rather than
containing the physical address of the I/O region, the addresses will now
be in I/O address space.
On Tegra the union of all ranges is used to expose a top-level memory-
mapped resource for the PCI host bridge. This helps to make /proc/iomem
more readable.
Combining both of the above, the union would now include the I/O space
region. This causes a regression on Tegra20, where the physical base
address of the PCIe controller (and therefore of the union) is located at
physical address 0x80000000. Since I/O space starts at 0, the union will
now include all of system RAM which starts at 0x00000000.
This commit fixes this by keeping two copies of the I/O range: one that
represents the range in the CPU's physical address space, the other for the
range in the I/O address space. This allows the translation setup within
the driver to reuse the physical addresses. The code registering the I/O
region with the PCI core uses both ranges to establish the mapping.
Fixes: 0b0b0893d49b ("of/pci: Fix the conversion of IO ranges into IO resources") Reported-by: Marc Zyngier <marc.zyngier@arm.com> Tested-by: Marc Zyngier <marc.zyngier@arm.com> Suggested-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Thierry Reding <treding@nvidia.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: Arnd Bergmann <arnd@arndb.de>
David Howells [Mon, 1 Dec 2014 22:52:53 +0000 (22:52 +0000)]
KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED
Since the keyring facility can be viewed as a cache (at least in some
applications), the local expiration time on the key should probably be viewed
as a 'needs updating after this time' property rather than an absolute 'anyone
now wanting to use this object is out of luck' property.
Since request_key() is the main interface for the usage of keys, this should
update or replace an expired key rather than issuing EKEYEXPIRED if the local
expiration has been reached (ie. it should refresh the cache).
For absolute conditions where refreshing the cache probably doesn't help, the
key can be negatively instantiated using KEYCTL_REJECT_KEY with EKEYEXPIRED
given as the error to issue. This will still cause request_key() to return
EKEYEXPIRED as that was explicitly set.
In the future, if the key type has an update op available, we might want to
upcall with the expired key and allow the upcall to update it. We would pass
a different operation name (the first column in /etc/request-key.conf) to the
request-key program.
request_key() returning EKEYEXPIRED is causing an NFS problem which Chuck
Lever describes thusly:
After about 10 minutes, my NFSv4 functional tests fail because the
ownership of the test files goes to "-2". Looking at /proc/keys
shows that the id_resolv keys that map to my test user ID have
expired. The ownership problem persists until the expired keys are
purged from the keyring, and fresh keys are obtained.
I bisected the problem to 3.13 commit b2a4df200d57 ("KEYS: Expand
the capacity of a keyring"). This commit inadvertantly changes the
API contract of the internal function keyring_search_aux().
The root cause appears to be that b2a4df200d57 made "no state check"
the default behavior. "No state check" means the keyring search
iterator function skips checking the key's expiry timeout, and
returns expired keys. request_key_and_link() depends on getting
an -EAGAIN result code to know when to perform an upcall to refresh
an expired key.
This patch can be tested directly by:
keyctl request2 user debug:fred a @s
keyctl timeout %user:debug:fred 3
sleep 4
keyctl request2 user debug:fred a @s
Without the patch, the last command gives error EKEYEXPIRED, but with the
command it gives a new key.
Reported-by: Carl Hetherington <cth@carlh.net> Reported-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Chuck Lever <chuck.lever@oracle.com>
Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags to be two variations of the
same flag. They are effectively mutually exclusive and one or the other
should be provided, but not both.
Keyring cycle detection and key possession determination are the only things
that set NO_STATE_CHECK, except that neither flag really does anything there
because neither purpose makes use of the keyring_search_iterator() function,
but rather provides their own.
For cycle detection we definitely want to check inside of expired keyrings,
just so that we don't create a cycle we can't get rid of. Revoked keyrings
are cleared at revocation time and can't then be reused, so shouldn't be a
problem either way.
For possession determination, we *might* want to validate each keyring before
searching it: do you possess a key that's hidden behind an expired or just
plain inaccessible keyring? Currently, the answer is yes. Note that you
cannot, however, possess a key behind a revoked keyring because they are
cleared on revocation.
keyring_search() sets DO_STATE_CHECK, which is correct.
request_key_and_link() currently doesn't specify whether to check the key
state or not - but it should set DO_STATE_CHECK.
key_get_instantiation_authkey() also currently doesn't specify whether to
check the key state or not - but it probably should also set DO_STATE_CHECK.
Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Chuck Lever <chuck.lever@oracle.com>
David Howells [Mon, 1 Dec 2014 22:52:45 +0000 (22:52 +0000)]
KEYS: Fix the size of the key description passed to/from userspace
When a key description argument is imported into the kernel from userspace, as
happens in add_key(), request_key(), KEYCTL_JOIN_SESSION_KEYRING,
KEYCTL_SEARCH, the description is copied into a buffer up to PAGE_SIZE in size.
PAGE_SIZE, however, is a variable quantity, depending on the arch. Fix this at
4096 instead (ie. 4095 plus a NUL termination) and define a constant
(KEY_MAX_DESC_SIZE) to this end.
When reading the description back with KEYCTL_DESCRIBE, a PAGE_SIZE internal
buffer is allocated into which the information and description will be
rendered. This means that the description will get truncated if an extremely
long description it has to be crammed into the buffer with the stringified
information. There is no particular need to copy the description into the
buffer, so just copy it directly to userspace in a separate operation.
Reported-by: Christian Kastner <debian@kvr.at> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Christian Kastner <debian@kvr.at>
Sebastian Ott [Fri, 28 Nov 2014 14:40:57 +0000 (15:40 +0100)]
s390: fix machine check handling
Commit eb7e7d76 "s390: Replace __get_cpu_var uses" broke machine check
handling.
We copy machine check information from per-cpu to a stack variable for
local processing. Next we should zap the per-cpu variable, not the
stack variable.
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com> Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com> Acked-by: Christoph Lameter <cl@linux.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Linus Torvalds [Mon, 1 Dec 2014 00:21:37 +0000 (16:21 -0800)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Two i915 regressions and one dual-gpu laptop radeon fix"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/radeon: report disconnected for LVDS/eDP with PX if ddc fails
drm/i915: Cancel vdd off work before suspend
drm/i915: Ignore SURFLIVE and flip counter when the GPU gets reset
Chris Mason [Sun, 30 Nov 2014 13:56:33 +0000 (08:56 -0500)]
btrfs: zero out left over bytes after processing compression streams
Don Bailey noticed that our page zeroing for compression at end-io time
isn't complete. This reworks a patch from Linus to push the zeroing
into the zlib and lzo specific functions instead of trying to handle the
corners inside btrfs_decompress_buf2page
Signed-off-by: Chris Mason <clm@fb.com> Reviewed-by: Josef Bacik <jbacik@fb.com> Reported-by: Don A. Bailey <donb@securitymouse.com>
cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Mitsuhiro Kimura [Fri, 28 Nov 2014 01:04:15 +0000 (10:04 +0900)]
sh_eth: Fix sleeping function called from invalid context
This resolves the following bug which can be reproduced by building the
kernel with CONFIG_DEBUG_ATOMIC_SLEEP=y and reading network statistics
while the network interface is down.
e.g.:
ifconfig eth0 down
cat /sys/class/net/eth0/statistics/tx_errors
----
[ 1238.161349] BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:952
[ 1238.188279] in_atomic(): 1, irqs_disabled(): 0, pid: 1388, name: cat
[ 1238.207425] CPU: 0 PID: 1388 Comm: cat Not tainted 3.10.31-ltsi-00046-gefa0b46 #1087
[ 1238.230737] Backtrace:
[ 1238.238123] [<c0012e64>] (dump_backtrace+0x0/0x10c) from [<c0013000>] (show_stack+0x18/0x1c)
[ 1238.263499] r6:000003b8 r5:c06160c0 r4:c0669e00 r3:00404000
[ 1238.280583] [<c0012fe8>] (show_stack+0x0/0x1c) from [<c04515a4>] (dump_stack+0x20/0x28)
[ 1238.304631] [<c0451584>] (dump_stack+0x0/0x28) from [<c004970c>] (__might_sleep+0xf8/0x118)
[ 1238.329734] [<c0049614>] (__might_sleep+0x0/0x118) from [<c02465ac>] (__pm_runtime_resume+0x38/0x90)
[ 1238.357170] r7:d616f000 r6:c049c458 r5:00000004 r4:d6a17210
[ 1238.374251] [<c0246574>] (__pm_runtime_resume+0x0/0x90) from [<c029b1c4>] (sh_eth_get_stats+0x44/0x280)
[ 1238.402468] r7:d616f000 r6:c049c458 r5:d5c21000 r4:d5c21000
[ 1238.419552] [<c029b180>] (sh_eth_get_stats+0x0/0x280) from [<c03ae39c>] (dev_get_stats+0x54/0x88)
[ 1238.446204] r5:d5c21000 r4:d5ed7e08
[ 1238.456980] [<c03ae348>] (dev_get_stats+0x0/0x88) from [<c03c677c>] (netstat_show.isra.15+0x54/0x9c)
[ 1238.484413] r6:d5c21000 r5:d5c21238 r4:00000028 r3:00000001
[ 1238.501495] [<c03c6728>] (netstat_show.isra.15+0x0/0x9c) from [<c03c69b8>] (show_tx_errors+0x18/0x1c)
[ 1238.529196] r7:d5f945d8 r6:d5f945c0 r5:c049716c r4:c0650e7c
[ 1238.546279] [<c03c69a0>] (show_tx_errors+0x0/0x1c) from [<c023963c>] (dev_attr_show+0x24/0x50)
[ 1238.572157] [<c0239618>] (dev_attr_show+0x0/0x50) from [<c010c148>] (sysfs_read_file+0xb0/0x140)
[ 1238.598554] r5:c049716c r4:d5c21240
[ 1238.609326] [<c010c098>] (sysfs_read_file+0x0/0x140) from [<c00b9ee4>] (vfs_read+0xb0/0x13c)
[ 1238.634679] [<c00b9e34>] (vfs_read+0x0/0x13c) from [<c00ba0ac>] (SyS_read+0x44/0x74)
[ 1238.657944] r8:bef45bf0 r7:00000000 r6:d6ac0600 r5:00000000 r4:00000000
[ 1238.678172] [<c00ba068>] (SyS_read+0x0/0x74) from [<c000eec0>] (ret_fast_syscall+0x0/0x30)
----
Signed-off-by: Mitsuhiro Kimura <mitsuhiro.kimura.kc@renesas.com> Signed-off-by: Yoshihiro Kaneko <ykaneko0929@gmail.com> Signed-off-by: Simon Horman <horms+renesas@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Mitsuhiro Kimura [Thu, 27 Nov 2014 11:34:00 +0000 (20:34 +0900)]
sh_eth: Fix skb alloc size and alignment adjust rule.
In the current driver, allocation size of skb does not care the alignment
adjust after allocation.
And also, in the current implementation, buffer alignment method by
sh_eth_set_receive_align function has a bug that this function displace
buffer start address forcedly when the alignment is corrected.
In the result, tail of the skb will exceed allocated area and kernel panic
will be occurred.
This patch fix this issue.
Signed-off-by: Mitsuhiro Kimura <mitsuhiro.kimura.kc@renesas.com> Signed-off-by: Yoshihiro Kaneko <ykaneko0929@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Dichtel [Thu, 27 Nov 2014 09:16:15 +0000 (10:16 +0100)]
rtnetlink: release net refcnt on error in do_setlink()
rtnl_link_get_net() holds a reference on the 'struct net', we need to release
it in case of error.
CC: Eric W. Biederman <ebiederm@xmission.com> Fixes: b51642f6d77b ("net: Enable a userns root rtnl calls that are safe for unprivilged users") Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Wed, 26 Nov 2014 23:22:33 +0000 (00:22 +0100)]
bond: Check length of IFLA_BOND_ARP_IP_TARGET attributes
Fixes: 7f28fa10 ("bonding: add arp_ip_target netlink support") Reported-by: John Fastabend <john.fastabend@gmail.com> Cc: Scott Feldman <sfeldma@cumulusnetworks.com> Signed-off-by: Thomas Graf <tgraf@suug.ch> Acked-by: John Fastabend <john.r.fastabend@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sat, 29 Nov 2014 18:49:24 +0000 (10:49 -0800)]
Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq fixes from Thomas Gleixner:
"Three fixlets from the ARM SoC camp:
- correct irqdomain initialization for atmel-aic
- correct error handling for device tree parsing in bcm controllers"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip: brcmstb-l2: Fix error handling of irq_of_parse_and_map
irqchip: bcm7120-l2: Fix error handling of irq_of_parse_and_map
irqchip: atmel-aic: Fix irqdomain initialization
Linus Torvalds [Sat, 29 Nov 2014 18:15:31 +0000 (10:15 -0800)]
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"This is a set of ten fixes: 8 for UFS including four static checker
warnings, a potential null deref in the voltage regulator code, a race
on module unload, a ref counting fix on the well known LUNs which made
it impossible to remove the ufs module and fix to correct the
information in pwr_info.
In addition to UFS, there's a blacklist for the Intel Multi-Flex array
which chokes on report supported operation codes and a fix to an oops
in bnx2fc caused by shared skbs"
[ For us non-SCSI people: "UFS" here is "Universal Flash Storage" not
the filesystem. - Linus ]
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
ufs: fix NULL dereference when no regulators are defined
ufs: ensure clk gating work is finished before module unloading
scsi: ufs: fix static checker warning in ufshcd_parse_clock_info
scsi: ufs: fix static checker warning in __ufshcd_setup_clocks
scsi: ufs: fix static checker warning in ufshcd_populate_vreg
scsi: ufs: fix static checker errors in ufshcd_system_suspend
ufs: fix power info after link start-up
ufs: fix reference counting of W-LUs
scsi: add Intel Multi-Flex to scsi scan blacklist
bnx2fc: do not add shared skbs to the fcoe_rx_list
Linus Torvalds [Sat, 29 Nov 2014 00:08:09 +0000 (16:08 -0800)]
Merge tag 'staging-3.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging/IIO driver fixes from Greg KH:
"Here are some staging and IIO driver fixes for 3.18-rc7 that resolve a
number of reported issues, and a new device id for a staging wireless
driver.
All of these have been in linux-next"
* tag 'staging-3.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: r8188eu: Add new device ID for DLink GO-USB-N150
staging: r8188eu: Fix scheduling while atomic error introduced in commit fadbe0cd
iio: accel: bmc150: set low default thresholds
iio: accel: bmc150: Fix iio_event_spec direction
iio: accel: bmc150: Send x, y and z motion separately
iio: accel: bmc150: Error handling when mode set fails
iio: gyro: bmg160: Fix iio_event_spec direction
iio: gyro: bmg160: Send x, y and z motion separately
iio: gyro: bmg160: Don't let interrupt mode to be open drain
iio: gyro: bmg160: Error handling when mode set fails
iio: adc: men_z188_adc: Add terminating entry for men_z188_ids
iio: accel: kxcjk-1013: Fix kxcjk10013_set_range
iio: Fix IIO_EVENT_CODE_EXTRACT_DIR bit mask
Linus Torvalds [Fri, 28 Nov 2014 23:55:14 +0000 (15:55 -0800)]
Merge tag 'usb-3.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are some USB driver fixes and new device ids for 3.18-rc7.
Full details are in the shortlog, and all of these have been in the
linux-next tree for a while"
* tag 'usb-3.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
usb-quirks: Add reset-resume quirk for MS Wireless Laser Mouse 6000
usb: xhci: rework root port wake bits if controller isn't allowed to wakeup
USB: xhci: Reset a halted endpoint immediately when we encounter a stall.
Revert "xhci: clear root port wake on bits if controller isn't wake-up capable"
USB: xhci: don't start a halted endpoint before its new dequeue is set
USB: uas: Add no-uas quirk for Hitachi usb-3 enclosures 4971:1012
USB: ssu100: fix overrun-error reporting
USB: keyspan: fix overrun-error reporting
USB: keyspan: fix tty line-status reporting
usb: serial: ftdi_sio: add PIDs for Matrix Orbital products
usb: dwc3: ep0: fix for dead code
USB: serial: cp210x: add IDs for CEL MeshConnect USB Stick
Linus Torvalds [Fri, 28 Nov 2014 22:00:33 +0000 (14:00 -0800)]
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
Pull thermal fixes from Eduardo Valentin:
"In this -rc still very minor changes:
- Lee Jones fixes compilation warning in sti thermal driver
- Marjus Elfring removes unnecessary checks in exynos thermal driver
(as per coccinelle)
- Now we always update cpufreq policies, and thus get (hopefully)
always in sync with cpufreq, thanks to Yadwinder"
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
thermal: Exynos: Deletion of unnecessary checks before two function calls
thermal: sti: Ignore suspend/resume functions when !PM_SLEEP
thermal: cpu_cooling: Update always cpufreq policy with thermal constraints
Linus Torvalds [Fri, 28 Nov 2014 21:54:53 +0000 (13:54 -0800)]
Merge tag 'sound-3.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"No excitement, here are only minor fixes: an endian fix for the new
DSD format we added in 3.18, a fix for HP mute LED, and a fix for
Native Instrument quirk"
* tag 'sound-3.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: pcm: Add big-endian DSD sample formats and fix XMOS DSD sample format
ALSA: hda - One more HP machine needs to change mute led quirk
ALSA: usb-audio: Use snd_usb_ctl_msg() for Native Instruments quirk
Linus Torvalds [Fri, 28 Nov 2014 21:34:32 +0000 (13:34 -0800)]
Merge tag 'armsoc-for-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Arnd Bergmann:
"Not much interesting going on fixes-wise for us this week, as it
should be for an -rc7. I'm not expecting Olof to work much over
Thanksgiving weekend, so I decided to take over again and push these
out to you.
Just four simple fixes this week:
- one missing of_node_put() on armv7 based mvebu
- forcing the USB host into the right mode on Chromebook
(exynos5-snow)
- enabling two important drivers for exynos_defconfig
- fixing a noncritical bug for tegra that would cause a regression
with common code patches queued for 3.19"
* tag 'armsoc-for-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM: tegra: irq: fix buggy usage of irq_data irq field
ARM: exynos_defconfig: Enable max77802 rtc and clock drivers
ARM: dts: Explicitly set dr_mode on exynos5250-snow
ARM: mvebu: add missing of_node_put() call in coherency.c
Linus Torvalds [Fri, 28 Nov 2014 21:32:47 +0000 (13:32 -0800)]
Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Pull ARM fixes from Russell King:
"Another round of relatively small ARM fixes.
Thomas spotted that the strex backoff delay bit was a disable bit, so
it needed to be clear for this to work. Vladimir spotted that using a
restart block for the cache flush operation would return -EINTR, which
userspace was not expecting. Dmitry spotted that the auxiliary
control register accesses for Xscale were not correct"
* 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
ARM: 8226/1: cacheflush: get rid of restarting block
ARM: 8222/1: mvebu: enable strex backoff delay
ARM: 8216/1: xscale: correct auxiliary register in suspend/resume
Dave Airlie [Fri, 28 Nov 2014 03:56:31 +0000 (13:56 +1000)]
Merge tag 'drm-intel-fixes-2014-11-27' of git://anongit.freedesktop.org/drm-intel into drm-fixes
Two regression fixes from Ville.
* tag 'drm-intel-fixes-2014-11-27' of git://anongit.freedesktop.org/drm-intel:
drm/i915: Cancel vdd off work before suspend
drm/i915: Ignore SURFLIVE and flip counter when the GPU gets reset
Linus Torvalds [Fri, 28 Nov 2014 02:32:49 +0000 (18:32 -0800)]
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull mips fixes from Ralf Baechle:
"The hopefully final round of fixes for 3.18:
- Fix a number of build errors affecting particular configurations.
- Handle EVA correctly when flushing a signal trampoline and dcache
lines.
- Fix printks printing jibberish.
- Handle 64 bit memory addresses correctly when adding memory chunk
on 32 bit kernels.
- Fix a race condition in the hardware tablewalker code"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: tlbex: Fix potential HTW race on TLBL/M/S handlers
MIPS: Fix address type used for early memory detection.
MIPS: Kconfig: Don't allow both microMIPS and SmartMIPS to be selected.
MIPS: kernel: cps-vec: Set ISA level to mips32r2 for the MIPS MT ASE
MIPS: Netlogic: handle modular AHCI builds
MIPS: Netlogic: handle modular USB case
MIPS: Loongson: Make platform serial setup always built-in.
MIPS: fix EVA & non-SMP non-FPU FP context signal handling
MIPS: cpu-probe: Set the FTLB probability bit on supported cores
MIPS: BMIPS: Fix ".previous without corresponding .section" warnings
MIPS: uaccess.h: Fix strnlen_user comment.
MIPS: r4kcache: Add EVA case for protected_writeback_dcache_line
MIPS: Fix info about plat_setup in arch_mem_init comment
MIPS: rtlx: Remove KERN_DEBUG from pr_debug() arguments in rtlx.c
MIPS: SEAD3: Fix LED device registration.
MIPS: Fix a copy & paste error in unistd.h
Linus Torvalds [Fri, 28 Nov 2014 02:23:41 +0000 (18:23 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Pull powerpc fixes from Michael Ellerman:
"Here are five fixes for you to pull please.
They're all CC'ed to stable except the "Fix PE state format" one which
went in this release"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
powerpc: 32 bit getcpu VDSO function uses 64 bit instructions
powerpc/powernv: Replace OPAL_DEASSERT_RESET with EEH_RESET_DEACTIVATE
powerpc/eeh: Fix PE state format
powerpc/pseries: Fix endiannes issue in RTAS call from xmon
powerpc/powernv: Fix the hmi event version check.
Pull sparc fixlet from David Miller:
"Aparc fix to add dma_cache_sync(), even if a nop it should be provided
if dma_{alloc,free}_noncoherent() is provided too"
Pull networking fixes from David Miller:
"Several small fixes here:
1) Don't crash in tg3 driver when the number of tx queues has been
configured to be different from the number of rx queues. From
Thadeu Lima de Souza Cascardo.
2) VLAN filter not disabled properly in promisc mode in ixgbe driver,
from Vlad Yasevich.
3) Fix OOPS on dellink op in VTI tunnel driver, from Xin Long.
4) IPV6 GRE driver WCCP code checks skb->protocol for ETH_P_IP
instead of ETH_P_IPV6, whoops. From Yuri Chislov.
5) Socket matching in ping driver is buggy when packet AF does not
match socket's AF. Fix from Jane Zhou.
6) Fix checksum calculation errors in VXLAN due to where the
udp_tunnel6_xmit_skb() helper gets it's saddr/daddr from. From
Alexander Duyck.
7) Fix 5G detection problem in rtlwifi driver, from Larry Finger.
8) Fix NULL deref in tcp_v{4,6}_send_reset, from Eric Dumazet.
9) Various missing netlink attribute verifications in bridging code,
from Thomas Graf.
10) tcp_recvmsg() unconditionally calls ipv4 ip_recv_error even for
ipv6 sockets, whoops. Fix from Willem de Bruijn"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (29 commits)
net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks
bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK
bridge: Add missing policy entry for IFLA_BRPORT_FAST_LEAVE
net: Check for presence of IFLA_AF_SPEC
net: Validate IFLA_BRIDGE_MODE attribute length
bridge: Validate IFLA_BRIDGE_FLAGS attribute length
stmmac: platform: fix default values of the filter bins setting
net/mlx4_core: Limit count field to 24 bits in qp_alloc_res
net: dsa: bcm_sf2: reset switch prior to initialization
net: dsa: bcm_sf2: fix unmapping registers in case of errors
tg3: fix ring init when there are more TX than RX channels
tcp: fix possible NULL dereference in tcp_vX_send_reset()
rtlwifi: Change order in device startup
rtlwifi: rtl8821ae: Fix 5G detection problem
Revert "netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse"
vxlan: Fix boolean flip in VXLAN_F_UDP_ZERO_CSUM6_[TX|RX]
ip6_udp_tunnel: Fix checksum calculation
net-timestamp: Fix a documentation typo
net/ping: handle protocol mismatching scenario
af_packet: fix sparse warning
...
Linus Torvalds [Fri, 28 Nov 2014 01:55:42 +0000 (17:55 -0800)]
Merge tag 'spi-v3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"There's a couple of driver fixes here, plus one core fix for the DMA
mapping which wasn't doing the right thing for vmalloc()ed addresses
that hadn't been through kmap(). It's fairly rare to use vmalloc()
with SPI and it's a subset of those users who might fail so it's
unsurprising that this wasn't noticed sooner"
* tag 'spi-v3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: sirf: fix word width configuration
spi: Fix mapping from vmalloc-ed buffer to scatter list
spi: dw: Fix dynamic speed change.
Linus Torvalds [Fri, 28 Nov 2014 01:51:50 +0000 (17:51 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input layer fixes from Dmitry Torokhov:
"The main change is to fix breakage in Elantech driver introduced by
the recent commit adding trackpoint reporting to protocol v4. Now we
are trusting the hardware to advertise the trackpoint properly and do
not try to decode the data as trackpoint if firmware told us it is not
present"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: xpad - use proper endpoint type
Input: elantech - trust firmware about trackpoint presence
Input: synaptics - adjust min/max on Thinkpad E540
Leonid Yegoshin [Thu, 27 Nov 2014 11:13:08 +0000 (11:13 +0000)]
MIPS: tlbex: Fix potential HTW race on TLBL/M/S handlers
There is a potential race when probing the TLB in TLBL/M/S exception
handlers for a matching entry. Between the time we hit a TLBL/S/M
exception and the time we get to execute the TLBP instruction, the
HTW may have replaced the TLB entry we are interested in hence the TLB
probe may fail. However, in the existing handlers, we never checked the
status of the TLBP (ie check the result in the C0/Index register). We
fix this by adding such a check when the core implements the HTW. If
we couldn't find a matching entry, we return back and try again.
Vladimir Murzin [Thu, 27 Nov 2014 10:39:04 +0000 (11:39 +0100)]
ARM: 8226/1: cacheflush: get rid of restarting block
We cannot restart cacheflush safely if a process provides user-defined
signal handler and signal is pending. In this case -EINTR is returned
and it is expected that process re-invokes syscall. However, there are
a few problems with that:
* looks like nobody bothers checking return value from cacheflush
* but if it did, we don't provide the restart address for that, so the
process has to use the same range again
* ...and again, what might lead to looping forever
So, remove cacheflush restarting code and terminate cache flushing
as early as fatal signal is pending.
Cc: stable@vger.kernel.org # 3.12+ Reported-by: Chanho Min <chanho.min@lge.com> Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com> Acked-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Thomas Petazzoni [Tue, 25 Nov 2014 17:43:15 +0000 (18:43 +0100)]
ARM: 8222/1: mvebu: enable strex backoff delay
Under extremely rare conditions, in an MPCore node consisting of at
least 3 CPUs, two CPUs trying to perform a STREX to data on the same
shared cache line can enter a livelock situation.
This patch enables the HW mechanism that overcomes the bug. This fixes
the incorrect setup of the STREX backoff delay bit due to a wrong
description in the specification.
Note that enabling the STREX backoff delay mechanism is done by
leaving the bit *cleared*, while the bit was currently being set by
the proc-v7.S code.
[Thomas: adapt to latest mainline, slightly reword the commit log, add
stable markers.]
Fixes: de4901933f6d ("arm: mm: Add support for PJ4B cpu and init routines") Cc: <stable@vger.kernel.org> # v3.8+ Signed-off-by: Nadav Haklai <nadavh@marvell.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com> Acked-by: Jason Cooper <jason@lakedaemon.net> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Arnd Bergmann [Thu, 27 Nov 2014 13:26:52 +0000 (14:26 +0100)]
Merge tag 'samsung-defconfig-v3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung into fixes
Pull "Samsung defconfig update for v3.18" from Kukjin Kim:
- enable max77802 rtc and clock drivers for exynos_defconfig
: enable the kernel config options to have the drivers for
max77802 including rtc and 2-ch 32kHz clock outputs
* tag 'samsung-defconfig-v3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
ARM: exynos_defconfig: Enable max77802 rtc and clock drivers
Marc Zyngier [Wed, 26 Nov 2014 17:55:31 +0000 (17:55 +0000)]
ARM: tegra: irq: fix buggy usage of irq_data irq field
The crazy gic_arch_extn thing that Tegra uses contains multiple
references to the irq field in struct irq_data, and uses this
to directly poke hardware register.
But irq is the *virtual* irq number, something that has nothing
to do with the actual HW irq (stored in the hwirq field). And once
we put the stacked domain code in action, the whole thing explodes,
as these two values are *very* different:
Alex Deucher [Fri, 14 Nov 2014 17:08:34 +0000 (12:08 -0500)]
drm/radeon: report disconnected for LVDS/eDP with PX if ddc fails
If ddc fails, presumably the i2c mux (and hopefully the signal
mux) are switched to the other GPU so don't fetch the edid from
the vbios so that the connector reports disconnected.
Anton Blanchard [Wed, 26 Nov 2014 21:11:28 +0000 (08:11 +1100)]
powerpc: 32 bit getcpu VDSO function uses 64 bit instructions
I used some 64 bit instructions when adding the 32 bit getcpu VDSO
function. Fix it.
Fixes: 18ad51dd342a ("powerpc: Add VDSO version of getcpu") Cc: stable@vger.kernel.org Signed-off-by: Anton Blanchard <anton@samba.org> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Gavin Shan [Mon, 24 Nov 2014 22:26:59 +0000 (09:26 +1100)]
powerpc/powernv: Replace OPAL_DEASSERT_RESET with EEH_RESET_DEACTIVATE
The flag passed to ioda_eeh_phb_reset() should be EEH_RESET_DEACTIVATE,
which is translated to OPAL_DEASSERT_RESET or something else by the
EEH backend accordingly.
The patch replaces OPAL_DEASSERT_RESET with EEH_RESET_DEACTIVATE for
ioda_eeh_phb_reset().
Cc: stable@vger.kernel.org Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Gavin Shan [Mon, 24 Nov 2014 22:26:58 +0000 (09:26 +1100)]
powerpc/eeh: Fix PE state format
Obviously I had wrong format given to the PE state output from
/sys/bus/pci/devices/xxxx/eeh_pe_state with some typoes, which
was introduced by commit 2013add4ce73. The patch fixes it up.
Fixes: 2013add4ce73 ("powerpc/eeh: Show hex prefix for PE state sysfs") Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
The current HMI event structure is an ABI and carries a version field to
accommodate future changes without affecting/rearranging current structure
members that are valid for previous versions.
The current version check "if (hmi_evt->version != OpalHMIEvt_V1)"
doesn't accomodate the fact that the version number may change in
future.
If firmware starts returning an HMI event with version > 1, this check
will fail and no HMI information will be printed on older kernels.
Larry Finger [Wed, 12 Nov 2014 16:07:49 +0000 (10:07 -0600)]
staging: r8188eu: Fix scheduling while atomic error introduced in commit fadbe0cd
In commit fadbe0cd5292851608e2e01b91d9295fa287b9fe entitled "staging:
rtl8188eu:Remove rtw_zmalloc(), wrapper for kzalloc()", the author failed
to note that the original code in the wrapper tested whether the caller
could sleep, and set the flags argument to kzalloc() appropriately.
After the patch, GFP_KERNEL is used unconditionally. Unfortunately, several
of the routines may be entered from an interrupt routine and generate
a BUG splat for every such call. Routine rtw_sitesurvey_cmd() is used in the
example below:
Additional routines that generate this BUG are rtw_joinbss_cmd(),
rtw_dynamic_chk_wk_cmd(), rtw_lps_ctrl_wk_cmd(), rtw_rpt_timer_cfg_cmd(),
rtw_ps_cmd(), report_survey_event(), report_join_res(), survey_timer_hdl(),
and rtw_check_bcn_info().
Please pull this little batch of fixes intended for the 3.18 stream...
For the iwlwifi one, Emmanuel says:
"Not all the firmware know how to handle the HOT_SPOT_CMD.
Make sure that the firmware will know this command before
sending it. This avoids a firmware crash."
Along with that, Larry sends a pair of rtlwifi fixes to address some
discrepancies from moving drivers out of staging. Larry says:
"These two patches are needed to fix a regression introduced when
driver rtl8821ae was moved from staging to the regular wireless tree."
Please let me know if there are problems!
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Willem de Bruijn [Wed, 26 Nov 2014 19:53:02 +0000 (14:53 -0500)]
net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks
TCP timestamping introduced MSG_ERRQUEUE handling for TCP sockets.
If the socket is of family AF_INET6, call ipv6_recv_error instead
of ip_recv_error.
This change is more complex than a single branch due to the loadable
ipv6 module. It reuses a pre-existing indirect function call from
ping. The ping code is safe to call, because it is part of the core
ipv6 module and always present when AF_INET6 sockets are active.
Fixes: 4ed2d765 (net-timestamp: TCP timestamping) Signed-off-by: Willem de Bruijn <willemb@google.com>
----
It may also be worthwhile to add WARN_ON_ONCE(sk->family == AF_INET6)
to ip_recv_error. Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Wed, 26 Nov 2014 12:42:20 +0000 (13:42 +0100)]
bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK
Only search for IFLA_EXT_MASK if the message actually carries a
ifinfomsg header and validate minimal length requirements for
IFLA_EXT_MASK.
Fixes: 6cbdceeb ("bridge: Dump vlan information from a bridge port") Cc: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Wed, 26 Nov 2014 12:42:19 +0000 (13:42 +0100)]
bridge: Add missing policy entry for IFLA_BRPORT_FAST_LEAVE
Fixes: c2d3babf ("bridge: implement multicast fast leave") Cc: David S. Miller <davem@davemloft.net> Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Wed, 26 Nov 2014 12:42:18 +0000 (13:42 +0100)]
net: Check for presence of IFLA_AF_SPEC
ndo_bridge_setlink() is currently only called on the slave if
IFLA_AF_SPEC is set but this is a very fragile assumption and may
change in the future.
Cc: Ajit Khaparde <ajit.khaparde@emulex.com> Cc: John Fastabend <john.r.fastabend@intel.com> Signed-off-by: Thomas Graf <tgraf@suug.ch> Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Wed, 26 Nov 2014 12:42:17 +0000 (13:42 +0100)]
net: Validate IFLA_BRIDGE_MODE attribute length
Payload is currently accessed blindly and may exceed valid message
boundaries.
Fixes: a77dcb8c8 ("be2net: set and query VEB/VEPA mode of the PF interface") Fixes: 815cccbf1 ("ixgbe: add setlink, getlink support to ixgbe and ixgbevf") Cc: Ajit Khaparde <ajit.khaparde@emulex.com> Cc: John Fastabend <john.r.fastabend@intel.com> Signed-off-by: Thomas Graf <tgraf@suug.ch> Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Acked-by: John Fastabend <john.r.fastabend@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Payload is currently accessed blindly and may exceed valid message
boundaries.
Fixes: 407af3299 ("bridge: Add netlink interface to configure vlans on bridge ports") Cc: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 26 Nov 2014 19:16:44 +0000 (11:16 -0800)]
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull kvm fixes from Paolo Bonzini:
"Last minute KVM/ARM fixes; even the generic change actually affects
nothing but ARM"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
kvm: fix kvm_is_mmio_pfn() and rename to kvm_is_reserved_pfn()
arm/arm64: kvm: drop inappropriate use of kvm_is_mmio_pfn()
arm/arm64: KVM: vgic: Fix error code in kvm_vgic_create()
arm64: KVM: Handle traps of ICC_SRE_EL1 as RAZ/WI
arm64: KVM: fix unmapping with 48-bit VAs
Merge tag 'iio-fixes-for-3.18c' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
Jonathan writes:
Third set of IIO fixes for the 3.18 cycle.
Most of these are fairly standard little fixes, a bmc150 and bmg160 patch
is to make an ABI change to indicated a specific axis in an event rather
than the generic option in the original drivers. As both of these drivers
are new in this cycle it would be ideal to push this minor change through
even though it isn't strictly a fix. A couple of other 'fixes' change
defaults for some settings on these new drivers to more intuitive calues.
Looks like some useful feedback has been coming in for this driver
since it was applied.
* IIO_EVENT_CODE_EXTRACT_DIR bit mask was wrong and has been for a while
0xCF clearly doesn't give a contiguous bitmask.
* kxcjk-1013 range setting was failing to mask out the previous value
in the register and hence was 'enable only'.
* men_z188 device id table wasn't null terminated.
* bmg160 and bmc150 both failed to correctly handling an error in mode
setting.
* bmg160 and bmc150 both had a bug in setting the event direction in the
event spec (leads to an attribute name being incorrect)
* bmg160 defaulted to an open drain output for the interrupt - as a default
this obviously only works with some interrupt chips - hence change the
default to push-pull (note this is a new driver so we aren't going to
cause any regressions with this change).
* bmc150 had an unintuitive default for the rate of change (motion detector)
so change it to 0 (new driver so change of default won't cause any
regressions).