01 Nov, 2017

1 commit

  • MIPS will soon not be a part of Imagination Technologies, and as such
    many @imgtec.com email addresses will no longer be valid. This patch
    updates the addresses for those who:

    - Have 10 or more patches in mainline authored using an @imgtec.com
    email address, or any patches dated within the past year.

    - Are still with Imagination but leaving as part of the MIPS business
    unit, as determined from an internal email address list.

    - Haven't already updated their email address (i.e. JamesH) or expressed
    a desire to be excluded (i.e. Maciej).

    - Acked v2 or earlier of this patch, which leaves Deng-Cheng, Matt &
    myself.

    New addresses are of the form firstname.lastname@mips.com, and all
    verified against an internal email address list. An entry is added to
    .mailmap for each person such that get_maintainer.pl will report the new
    addresses rather than @imgtec.com addresses which will soon be dead.

    Instances of the affected addresses throughout the tree are then
    mechanically replaced with the new @mips.com address.

    Signed-off-by: Paul Burton
    Cc: Deng-Cheng Zhu
    Cc: Deng-Cheng Zhu
    Acked-by: Dengcheng Zhu
    Cc: Matt Redfearn
    Cc: Matt Redfearn
    Acked-by: Matt Redfearn
    Cc: Andrew Morton
    Cc: linux-kernel@vger.kernel.org
    Cc: linux-mips@linux-mips.org
    Cc: trivial@kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/17540/
    Signed-off-by: James Hogan

    Paul Burton
     

30 Oct, 2017

1 commit


29 Oct, 2017

34 commits

  • Pull networking fixes from David Miller:

    1) Fix route leak in xfrm_bundle_create().

    2) In mac80211, validate user rate mask before configuring it. From
    Johannes Berg.

    3) Properly enforce memory limits in fair queueing code, from Toke
    Hoiland-Jorgensen.

    4) Fix lockdep splat in inet_csk_route_req(), from Eric Dumazet.

    5) Fix TSO header allocation and management in mvpp2 driver, from Yan
    Markman.

    6) Don't take socket lock in BH handler in strparser code, from Tom
    Herbert.

    7) Don't show sockets from other namespaces in AF_UNIX code, from
    Andrei Vagin.

    8) Fix double free in error path of tap_open(), from Girish Moodalbail.

    9) Fix TX map failure path in igb and ixgbe, from Jean-Philippe Brucker
    and Alexander Duyck.

    10) Fix DCB mode programming in stmmac driver, from Jose Abreu.

    11) Fix err_count handling in various tunnels (ipip, ip6_gre). From Xin
    Long.

    12) Properly align SKB head before building SKB in tuntap, from Jason
    Wang.

    13) Avoid matching qdiscs with a zero handle during lookups, from Cong
    Wang.

    14) Fix various endianness bugs in sctp, from Xin Long.

    15) Fix tc filter callback races and add selftests which trigger the
    problem, from Cong Wang.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
    selftests: Introduce a new test case to tc testsuite
    selftests: Introduce a new script to generate tc batch file
    net_sched: fix call_rcu() race on act_sample module removal
    net_sched: add rtnl assertion to tcf_exts_destroy()
    net_sched: use tcf_queue_work() in tcindex filter
    net_sched: use tcf_queue_work() in rsvp filter
    net_sched: use tcf_queue_work() in route filter
    net_sched: use tcf_queue_work() in u32 filter
    net_sched: use tcf_queue_work() in matchall filter
    net_sched: use tcf_queue_work() in fw filter
    net_sched: use tcf_queue_work() in flower filter
    net_sched: use tcf_queue_work() in flow filter
    net_sched: use tcf_queue_work() in cgroup filter
    net_sched: use tcf_queue_work() in bpf filter
    net_sched: use tcf_queue_work() in basic filter
    net_sched: introduce a workqueue for RCU callbacks of tc filter
    sctp: fix some type cast warnings introduced since very beginning
    sctp: fix a type cast warnings that causes a_rwnd gets the wrong value
    sctp: fix some type cast warnings introduced by transport rhashtable
    sctp: fix some type cast warnings introduced by stream reconf
    ...

    Linus Torvalds
     
  • Cong Wang says:

    ====================
    net_sched: fix races with RCU callbacks

    Recently, the RCU callbacks used in TC filters and TC actions keep
    drawing my attention; they introduce at least 4 race condition bugs:

    1. A simple one fixed by Daniel:

    commit c78e1746d3ad7d548bdf3fe491898cc453911a49
    Author: Daniel Borkmann
    Date: Wed May 20 17:13:33 2015 +0200

    net: sched: fix call_rcu() race on classifier module unloads

    2. A very nasty one fixed by me:

    commit 1697c4bb5245649a23f06a144cc38c06715e1b65
    Author: Cong Wang
    Date: Mon Sep 11 16:33:32 2017 -0700

    net_sched: carefully handle tcf_block_put()

    3. Two more bugs found by Chris:
    https://patchwork.ozlabs.org/patch/826696/
    https://patchwork.ozlabs.org/patch/826695/

    Usually RCU callbacks are simple, however for TC filters and actions,
    they are complex because at least TC actions could be destroyed
    together with the TC filter in one callback. And RCU callbacks are
    invoked in BH context, without locking they are parallel too. All of
    these contribute to the cause of these nasty bugs.

    Alternatively, we could also:

    a) Introduce a spinlock to serialize these RCU callbacks. But as I
    said in commit 1697c4bb5245 ("net_sched: carefully handle
    tcf_block_put()"), it is very hard to do because of tcf_chain_dump().
    Potentially we need to do a lot of work to make it possible (if not
    impossible).

    b) Just get rid of these RCU callbacks, because they are not
    necessary at all, callers of these call_rcu() are all on slow paths
    and holding RTNL lock, so blocking is allowed in their contexts.
    However, David and Eric dislike adding synchronize_rcu() here.

    As suggested by Paul, we could defer the work to a workqueue and
    gain the permission of holding RTNL again without any performance
    impact, however, in tcf_block_put() we could have a deadlock when
    flushing workqueue while holding RTNL lock, the trick here is to
    defer the work itself in workqueue and make it queued after all
    other works so that we keep the same ordering to avoid any
    use-after-free. Please see the first patch for details.

    Patch 1 introduces the infrastructure, patch 2~12 move each
    tc filter to the new tc filter workqueue, patch 13 adds
    an assertion to catch potential bugs like this, patch 14
    closes another rcu callback race, patch 15 and patch 16 add
    new test cases.
    ====================

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    David S. Miller
     
  • In this patchset, we fixed a tc bug. This patch adds the test case
    that reproduces the bug. To run this test case, user should specify
    an existing NIC device:
    # sudo ./tdc.py -d enp4s0f0

    This test case belongs to category "flower". If the user doesn't specify
    a NIC device, the test cases belonging to "flower" will not be run.

    In this test case, we create 1M filters and all filters share the same
    action. When destroying all filters, kernel should not panic. It takes
    about 18s to run it.

    Acked-by: Jamal Hadi Salim
    Acked-by: Lucas Bates
    Signed-off-by: Chris Mi
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Chris Mi
     
  • # ./tdc_batch.py -h
    usage: tdc_batch.py [-h] [-n NUMBER] [-o] [-s] [-p] device file

    TC batch file generator

    positional arguments:
      device                device name
      file                  batch file name

    optional arguments:
      -h, --help            show this help message and exit
      -n NUMBER, --number NUMBER
                            how many lines in batch file
      -o, --skip_sw         skip_sw (offload), by default skip_hw
      -s, --share_action    all filters share the same action
      -p, --prio            all filters have different prio

    Acked-by: Jamal Hadi Salim
    Acked-by: Lucas Bates
    Signed-off-by: Chris Mi
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Chris Mi
     
  • Similar to commit c78e1746d3ad
    ("net: sched: fix call_rcu() race on classifier module unloads"),
    we need to wait for flying RCU callback tcf_sample_cleanup_rcu().

    Cc: Yotam Gigi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • After previous patches, it is now safe to claim that
    tcf_exts_destroy() is always called with RTNL lock.

    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Defer the tcf_exts_destroy() in RCU callback to
    tc filter workqueue and get RTNL lock.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • This patch introduces a dedicated workqueue for tc filters
    so that each tc filter's RCU callback could defer their
    action destroy work to this workqueue. The helper
    tcf_queue_work() is introduced for them to use.

    Because we hold RTNL lock when calling tcf_block_put(), we
    can not simply flush works inside it, therefore we have to
    defer it again to this workqueue and make sure all flying RCU
    callbacks have already queued their work before this one, in
    other words, to ensure this is the last one to execute to
    prevent any use-after-free.

    On the other hand, this makes tcf_block_put() ugly and
    harder to understand. Since David and Eric strongly dislike
    adding synchronize_rcu(), this is probably the only
    solution that could make everyone happy.

    Please also see the code comments below.

    Reported-by: Chris Mi
    Cc: Daniel Borkmann
    Cc: Jiri Pirko
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: "Paul E. McKenney"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Xin Long says:

    ====================
    sctp: a bunch of fixes for some sparse warnings

    As Eric noticed, when running 'make C=2 M=net/sctp/', plenty of
    warnings or errors checked by sparse appear. They are all problems
    about endianness and type casts.

    Most of them are just warnings by which no issues could be caused
    while some might be bugs.

    This patchset fixes them with four patches basically according to
    how they are introduced.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
    These warnings were found by running 'make C=2 M=net/sctp/'.
    They have been there since the very beginning.

    Note that after this patch, there is still one warning left in
    sctp_outq_flush():
    sctp_chunk_fail(chunk, SCTP_ERROR_INV_STRM)

    Since it has been moved to sctp_stream_outq_migrate on net-next,
    to avoid the extra job when merging net-next to net, I will post
    the fix for it after the merging is done.

    Reported-by: Eric Dumazet
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

    Xin Long
     
  • These warnings were found by running 'make C=2 M=net/sctp/'.

    Commit d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a
    SACK from SHUTDOWN.") expected to use the peer's old rwnd and add
    our flight size to the a_rwnd. But with the wrong endianness, it may
    not work as well as expected.

    So fix it by converting to the right value.

    Fixes: d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a SACK from SHUTDOWN.")
    Reported-by: Eric Dumazet
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

    Xin Long
     
  • These warnings were found by running 'make C=2 M=net/sctp/'.

    They were introduced by not being aware of the endianness of the port
    when coding the transport rhashtable patches.

    Fixes: 7fda702f9315 ("sctp: use new rhlist interface on sctp transport rhashtable")
    Reported-by: Eric Dumazet
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

    Xin Long
     
  • These warnings were found by running 'make C=2 M=net/sctp/'.

    They were introduced by not being aware of endianness when coding the
    stream reconf patches.

    Since commit c0d8bab6ae51 ("sctp: add get and set sockopt for
    reconf_enable") enabled stream reconf feature for users, the
    Fixes tag below would use it.

    Fixes: c0d8bab6ae51 ("sctp: add get and set sockopt for reconf_enable")
    Reported-by: Eric Dumazet
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

    Xin Long
     
  • Davide found the following script triggers a NULL pointer
    dereference:

    ip l a name eth0 type dummy
    tc q a dev eth0 parent :1 handle 1: htb

    This is because for a freshly created netdevice noop_qdisc
    is attached and when passing 'parent :1', kernel actually
    tries to match the major handle which is 0 and noop_qdisc
    has handle 0 so is matched by mistake. Commit 69012ae425d7
    tries to fix a similar bug but still misses this case.

    Handle 0 is not a valid one and should just be skipped. In
    fact, the kernel uses it as TC_H_UNSPEC.

    Fixes: 69012ae425d7 ("net: sched: fix handling of singleton qdiscs with qdisc_hash")
    Fixes: 59cc1f61f09c ("net: sched:convert qdisc linked list to hashtable")
    Reported-by: Davide Caratti
    Cc: Jiri Kosina
    Cc: Eric Dumazet
    Cc: Jamal Hadi Salim
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • Now when migrating sock to another one in sctp_sock_migrate(), it only
    resets owner sk for the data in receive queues, not the chunks on out
    queues.

    This causes the data chunks' length on the sock to be inconsistent
    with the sk's sk_wmem_alloc. When closing the sock or freeing these chunks,
    the old sk would never be freed, and the new sock may crash due to
    the sk_wmem_alloc overflow.

    syzbot found this issue with this series:

    r0 = socket$inet_sctp()
    sendto$inet(r0)
    listen(r0)
    accept4(r0)
    close(r0)

    Although listen() should have returned an error when a TCP-style socket
    is connecting (I may fix this one in another patch), it could also
    be reproduced by peeling off an assoc.

    This issue is there since very beginning.

    This patch is to reset owner sk for the chunks on out queues so that
    the sk's sk_wmem_alloc has the correct value after accepting one sock or
    peeling off an assoc to one sock.

    Note that when resetting owner sk for chunks on the outqueue, it has to
    sctp_clear_owner_w/skb_orphan the chunks before changing assoc->base.sk
    first and then sctp_set_owner_w them after changing assoc->base.sk,
    because sctp_wfree and its callees use assoc->base.sk.

    Reported-by: Dmitry Vyukov
    Signed-off-by: Xin Long
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    Xin Long
     
  • John Fastabend says:

    ====================
    net: sockmap fixes

    Last two fixes (as far as I know) for sockmap code this round.

    First, we are using the qdisc cb structure when making the data end
    calculation. This is really just wrong so, store it with the other
    metadata in the correct tcp_skb_cb struct to avoid breaking things.

    Next, with recent work to attach multiple programs to a cgroup a
    specific enumeration of return codes was agreed upon. However,
    I wrote the sk_skb program types before seeing this work and used
    a different convention. Patch 2 in the series aligns the return
    codes to avoid breaking with this infrastructure and also aligns
    with other programming conventions to avoid being the odd duck out
    forcing programs to remember SK_SKB programs are different. Pushing
    to net because it's a user-visible change. With this SK_SKB program
    return codes are the same as other cgroup program types.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Recent additions to support multiple programs in cgroups impose
    a strict requirement, "all yes is yes, any no is no". To enforce
    this the infrastructure requires the 'no' return code, SK_DROP in
    this case, to be 0.

    To apply these rules to SK_SKB program types the sk_actions return
    codes need to be adjusted.

    This fix adds SK_PASS and makes 'SK_DROP = 0'. Finally, remove
    SK_ABORTED to remove any chance that the API may allow aborted
    program flows to be passed up the stack. This would be incorrect
    behavior and allow programs to break existing policies.

    Signed-off-by: John Fastabend
    Acked-by: Alexei Starovoitov
    Signed-off-by: David S. Miller

    John Fastabend
     
  • SK_SKB program types use bpf_compute_data to store the end of the
    packet data. However, bpf_compute_data assumes the cb is stored in the
    qdisc layer format. But, for SK_SKB this is the wrong layer of the
    stack for this type.

    It happens to work (sort of!) because in most cases nothing happens
    to be overwritten today. This is very fragile and error prone.
    Fortunately, we have another hole in tcp_skb_cb we can use so let's
    put the data_end value there.

    Note, SK_SKB program types do not use data_meta, they are failed by
    sk_skb_is_valid_access().

    Signed-off-by: John Fastabend
    Acked-by: Alexei Starovoitov
    Signed-off-by: David S. Miller

    John Fastabend
     
  • …t/masahiroy/linux-kbuild

    Pull Kbuild fixes from Masahiro Yamada:

    - fix O= building on dash

    - remove unused dependency in Makefile

    - fix default of a choice in Kconfig

    - fix typos and documentation style

    - fix command options unrecognized by sparse

    * tag 'kbuild-fixes-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
    kbuild: clang: fix build failures with sparse check
    kbuild doc: a bundle of fixes on makefiles.txt
    Makefile: kselftest: fix grammar typo
    kbuild: Fix optimization level choice default
    kbuild: drop unused symverfile in Makefile.modpost
    kbuild: revert $(realpath ...) to $(shell cd ... && /bin/pwd)

    Linus Torvalds
     
  • Pull input fixes from Dmitry Torokhov:

    - fix gtco tablet driver, tightening parsing of HID descriptors

    - add ACPI ID to Elan driver to be able to handle touchpads found
    in Lenovo Ideapad 320/520

    - fix the Synaptics RMI4 driver to adjust handling of buttons

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
    Input: synaptics-rmi4 - limit the range of what GPIOs are buttons
    Input: gtco - fix potential out-of-bound access
    Input: elan_i2c - add ELAN0611 to the ACPI table

    Linus Torvalds
     
  • Pull PCI fix from Bjorn Helgaas:
    "Move alpha PCI IRQ map/swizzle functions out of initdata to fix
    regression from PCI core IRQ mapping changes (Lorenzo Pieralisi)"

    * tag 'pci-v4.14-fixes-6' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
    alpha/PCI: Move pci_map_irq()/pci_swizzle() out of initdata

    Linus Torvalds
     
  • Pull drm fixes from Dave Airlie:
    "Two amd fixes, one i915 core and a few i915 GVT fixes, things seem
    fairly quiet"

    * tag 'drm-fixes-for-v4.14-rc7' of git://people.freedesktop.org/~airlied/linux:
    drm/i915/gvt: Adding ACTHD mmio read handler
    drm/i915/gvt: Extract mmio_read_from_hw() common function
    drm/i915/gvt: Refine MMIO_RING_F()
    drm/i915/gvt: properly check per_ctx bb valid state
    drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace
    drm/amd/amdgpu: Remove workaround check for UVD6 on APUs
    drm/amd/powerplay: fix uninitialized variable

    Linus Torvalds
     
  • Pull SCSI fixes from James Bottomley:
    "Six fixes for mostly minor issues, most of which have small race
    windows for occurring"

    * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
    scsi: Suppress a kernel warning in case the prep function returns BLKPREP_DEFER
    scsi: sg: Re-fix off by one in sg_fill_request_table()
    scsi: aacraid: Fix controller initialization failure
    scsi: hpsa: Fix configured_logical_drive_count check
    scsi: qla2xxx: Initialize Work element before requesting IRQs
    scsi: zfcp: fix erp_action use-before-initialize in REC action trace

    Linus Torvalds
     
  • This fixes CVE-2017-12193.

    Fix a case in the assoc_array implementation in which a new leaf is
    added that needs to go into a node that happens to be full, where the
    existing leaves in that node cluster together at that level to the
    exclusion of the new leaf.

    What needs to happen is that the existing leaves get moved out to a new
    node, N1, at level + 1 and the existing node needs replacing with one,
    N0, that has pointers to the new leaf and to N1.

    The code that tries to do this gets this wrong in two ways:

    (1) The pointer that should've pointed from N0 to N1 is set to point
    recursively to N0 instead.

    (2) The backpointer from N0 needs to be set correctly in the case N0 is
    either the root node or reached through a shortcut.

    Fix this by removing this path and using the split_node path instead,
    which achieves the same end, but in a more general way (thanks to Eric
    Biggers for spotting the redundancy).

    The problem manifests itself as:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    IP: assoc_array_apply_edit+0x59/0xe5

    Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
    Reported-and-tested-by: WU Fan
    Signed-off-by: David Howells
    Cc: stable@vger.kernel.org [v3.13-rc1+]
    Signed-off-by: Linus Torvalds

    David Howells
     

28 Oct, 2017

4 commits

  • Pull cifs fixes from Steve French:
    "Various SMB3 fixes for 4.14 and stable"

    * tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6:
    SMB3: Validate negotiate request must always be signed
    SMB: fix validate negotiate info uninitialised memory use
    SMB: fix leak of validate negotiate info response buffer
    CIFS: Fix NULL pointer deref on SMB2_tcon() failure
    CIFS: do not send invalid input buffer on QUERY_INFO requests
    cifs: Select all required crypto modules
    CIFS: SMBD: Fix the definition for SMB2_CHANNEL_RDMA_V1_INVALIDATE
    cifs: handle large EA requests more gracefully in smb2+
    Fix encryption labels and lengths for SMB3.1.1

    Linus Torvalds
     
  • Pull overlayfs fixes from Miklos Szeredi:
    "Fix several issues, most of them introduced in the last release"

    * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
    ovl: do not cleanup unsupported index entries
    ovl: handle ENOENT on index lookup
    ovl: fix EIO from lookup of non-indexed upper
    ovl: Return -ENOMEM if an allocation fails ovl_lookup()
    ovl: add NULL check in ovl_alloc_inode

    Linus Torvalds
     
  • Pull fuse fix from Miklos Szeredi:
    "This fixes a longstanding bug, which can be triggered by interrupting
    a directory reading syscall"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
    fuse: fix READDIRPLUS skipping an entry

    Linus Torvalds
     
  • The commit 9a393b5d5988 ("tap: tap as an independent module") created a
    separate tap module that implements tap functionality and exports
    interfaces that will be used by macvtap and ipvtap modules to create
    respective tap devices.

    However, that patch introduced a regression wherein the modules macvtap
    and ipvtap can be removed (through modprobe -r) while there are
    applications using the respective /dev/tapX devices. These applications
    cause the kernel to hold a reference to /dev/tapX through 'struct cdev
    macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap
    modules respectively. So, when the application is later closed, the
    kernel panics because we are referencing KVA that is present in the
    unloaded modules.

    ----------8<----------
    BUG: unable to handle kernel paging request at ffffffffa038c500
    IP: cdev_put+0xf/0x30
    ----------8<----------

    Signed-off-by: David S. Miller

    Girish Moodalbail