24 Oct, 2014

2 commits

  • We currently neither account for the nlattr size, nor do we consider
    the size of the trailing NLMSG_DONE when allocating nlmsg skb.

    This can result in nflog to stop working, as __nfulnl_send() re-tries
    sending forever if it failed to append NLMSG_DONE (which will never
    work if buffer is not large enough).

    Reported-by: Houcheng Lin
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • Commit 462fb2af9788a82a534f8184abfde31574e1cfa0

    bridge : Sanitize skb before it enters the IP stack

    broke when IP options are actually used because it mangles the
    skb as if it entered the IP stack which is wrong because the
    bridge is supposed to operate below the IP stack.

    Since nobody has actually requested for parsing of IP options
    this patch fixes it by simply reverting to the previous approach
    of ignoring all IP options, i.e., zeroing the IPCB.

    If and when somebody who uses IP options and actually needs them
    to be parsed by the bridge complains then we can revisit this.

    Reported-by: David Newall
    Signed-off-by: Herbert Xu
    Tested-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Herbert Xu
     

22 Oct, 2014

11 commits

  • alloc_percpu returns NULL on failure, not a negative error code.

    Fixes: ff3cd7b3c922 ("netfilter: nf_tables: refactor chain statistic routines")
    Signed-off-by: Sabrina Dubroca
    Signed-off-by: Pablo Neira Ayuso

    Sabrina Dubroca
     
  • The ->ip_set_list[] array is initialized in ip_set_net_init() and it
    has ->ip_set_max elements so this check should be >= instead of >
    otherwise we are off by one.

    Signed-off-by: Dan Carpenter
    Acked-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

    Dan Carpenter
     
  • When a port that was used to listen for inbound connections gets closed
    and reused for outgoing connections (like rsh ends up doing for stderr
    flow), current we may reject the SYN/ACK packet for the new connection
    because tcp_conntracks states forbirds a port to become a client while
    there is still a TIME_WAIT entry in there for it.

    As TCP may expire the TIME_WAIT socket in 60s and conntrack's timeout
    for it is 120s, there is a ~60s window that the application can end up
    opening a port that conntrack will end up blocking.

    This patch fixes this by simply allowing such state transition: if we
    see a SYN, in TIME_WAIT state, on REPLY direction, move it to sSS. Note
    that the rest of the code already handles this situation, more
    specificly in tcp_packet(), first switch clause.

    Signed-off-by: Marcelo Ricardo Leitner
    Acked-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

    Marcelo Leitner
     
  • Use netdev_alloc_pcpu_stats to allocate percpu stats and initialize syncp.

    Fixes: 22e0f8b9322c "net: sched: make bstats per cpu and estimator RCU safe"
    Signed-off-by: Sabrina Dubroca
    Acked-by: Cong Wang
    Signed-off-by: David S. Miller

    Sabrina Dubroca
     
  • while comparing for verifier state equivalency the comparison
    was missing a check for uninitialized register.
    Make sure it does so and add a testcase.

    Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
    Cc: Hannes Frederic Sowa
    Signed-off-by: Alexei Starovoitov
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Alexei Starovoitov
     
  • The synchronize_rcu() in netlink_release() introduces unacceptable
    latency. Reintroduce minimal lookup so we can drop the
    synchronize_rcu() until socket destruction has been RCUfied.

    Cc: David S. Miller
    Cc: Eric Dumazet
    Reported-by: Steinar H. Gunderson
    Reported-and-tested-by: Heiko Carstens
    Signed-off-by: Thomas Graf
    Signed-off-by: David S. Miller

    Thomas Graf
     
  • When running tipcTC&tipcTS test suite, below lockdep unsafe locking
    scenario is reported:

    [ 1109.997854]
    [ 1109.997988] =================================
    [ 1109.998290] [ INFO: inconsistent lock state ]
    [ 1109.998575] 3.17.0-rc1+ #113 Not tainted
    [ 1109.998762] ---------------------------------
    [ 1109.998762] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
    [ 1109.998762] swapper/7/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
    [ 1109.998762] (slock-AF_TIPC){+.?...}, at: [] tipc_sk_rcv+0x49/0x2b0 [tipc]
    [ 1109.998762] {SOFTIRQ-ON-W} state was registered at:
    [ 1109.998762] [] __lock_acquire+0x6a0/0x1d80
    [ 1109.998762] [] lock_acquire+0x95/0x1e0
    [ 1109.998762] [] _raw_spin_lock+0x3e/0x80
    [ 1109.998762] [] tipc_sk_rcv+0x49/0x2b0 [tipc]
    [ 1109.998762] [] tipc_link_xmit+0xa8/0xc0 [tipc]
    [ 1109.998762] [] tipc_sendmsg+0x15f/0x550 [tipc]
    [ 1109.998762] [] tipc_connect+0x105/0x140 [tipc]
    [ 1109.998762] [] SYSC_connect+0xae/0xc0
    [ 1109.998762] [] SyS_connect+0xe/0x10
    [ 1109.998762] [] compat_SyS_socketcall+0xb8/0x200
    [ 1109.998762] [] sysenter_dispatch+0x7/0x1f
    [ 1109.998762] irq event stamp: 241060
    [ 1109.998762] hardirqs last enabled at (241060): [] __local_bh_enable_ip+0x6d/0xd0
    [ 1109.998762] hardirqs last disabled at (241059): [] __local_bh_enable_ip+0x2f/0xd0
    [ 1109.998762] softirqs last enabled at (241020): [] _local_bh_enable+0x22/0x50
    [ 1109.998762] softirqs last disabled at (241021): [] irq_exit+0x96/0xc0
    [ 1109.998762]
    [ 1109.998762] other info that might help us debug this:
    [ 1109.998762] Possible unsafe locking scenario:
    [ 1109.998762]
    [ 1109.998762] CPU0
    [ 1109.998762] ----
    [ 1109.998762] lock(slock-AF_TIPC);
    [ 1109.998762]
    [ 1109.998762] lock(slock-AF_TIPC);
    [ 1109.998762]
    [ 1109.998762] *** DEADLOCK ***
    [ 1109.998762]
    [ 1109.998762] 2 locks held by swapper/7/0:
    [ 1109.998762] #0: (rcu_read_lock){......}, at: [] __netif_receive_skb_core+0x69/0xb70
    [ 1109.998762] #1: (rcu_read_lock){......}, at: [] tipc_l2_rcv_msg+0x40/0x260 [tipc]
    [ 1109.998762]
    [ 1109.998762] stack backtrace:
    [ 1109.998762] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 3.17.0-rc1+ #113
    [ 1109.998762] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [ 1109.998762] ffffffff82745830 ffff880016c03828 ffffffff81a209eb 0000000000000007
    [ 1109.998762] ffff880017b3cac0 ffff880016c03888 ffffffff81a1c5ef 0000000000000001
    [ 1109.998762] ffff880000000001 ffff880000000000 ffffffff81012d4f 0000000000000000
    [ 1109.998762] Call Trace:
    [ 1109.998762] [] dump_stack+0x4e/0x68
    [ 1109.998762] [] print_usage_bug+0x1f1/0x202
    [ 1109.998762] [] ? save_stack_trace+0x2f/0x50
    [ 1109.998762] [] mark_lock+0x28c/0x2f0
    [ 1109.998762] [] ? print_irq_inversion_bug.part.46+0x1f0/0x1f0
    [ 1109.998762] [] __lock_acquire+0x5ad/0x1d80
    [ 1109.998762] [] ? trace_hardirqs_on+0xd/0x10
    [ 1109.998762] [] ? sched_clock_cpu+0x98/0xc0
    [ 1109.998762] [] ? local_clock+0x1b/0x30
    [ 1109.998762] [] ? lock_release_holdtime.part.29+0x1c/0x1a0
    [ 1109.998762] [] ? sched_clock_local+0x25/0x90
    [ 1109.998762] [] ? tipc_sk_get+0x60/0x80 [tipc]
    [ 1109.998762] [] lock_acquire+0x95/0x1e0
    [ 1109.998762] [] ? tipc_sk_rcv+0x49/0x2b0 [tipc]
    [ 1109.998762] [] ? trace_hardirqs_on_caller+0xa6/0x1c0
    [ 1109.998762] [] _raw_spin_lock+0x3e/0x80
    [ 1109.998762] [] ? tipc_sk_rcv+0x49/0x2b0 [tipc]
    [ 1109.998762] [] ? tipc_sk_get+0x60/0x80 [tipc]
    [ 1109.998762] [] tipc_sk_rcv+0x49/0x2b0 [tipc]
    [ 1109.998762] [] tipc_rcv+0x5ed/0x960 [tipc]
    [ 1109.998762] [] tipc_l2_rcv_msg+0xcc/0x260 [tipc]
    [ 1109.998762] [] ? tipc_l2_rcv_msg+0x40/0x260 [tipc]
    [ 1109.998762] [] __netif_receive_skb_core+0x5e5/0xb70
    [ 1109.998762] [] ? __netif_receive_skb_core+0x69/0xb70
    [ 1109.998762] [] ? dev_gro_receive+0x259/0x4e0
    [ 1109.998762] [] __netif_receive_skb+0x26/0x70
    [ 1109.998762] [] netif_receive_skb_internal+0x2d/0x1f0
    [ 1109.998762] [] napi_gro_receive+0xd8/0x240
    [ 1109.998762] [] e1000_clean_rx_irq+0x2c4/0x530
    [ 1109.998762] [] e1000_clean+0x266/0x9c0
    [ 1109.998762] [] ? local_clock+0x1b/0x30
    [ 1109.998762] [] ? sched_clock_local+0x25/0x90
    [ 1109.998762] [] net_rx_action+0x141/0x310
    [ 1109.998762] [] ? handle_fasteoi_irq+0xe0/0x150
    [ 1109.998762] [] __do_softirq+0x116/0x4d0
    [ 1109.998762] [] irq_exit+0x96/0xc0
    [ 1109.998762] [] do_IRQ+0x67/0x110
    [ 1109.998762] [] common_interrupt+0x6f/0x6f
    [ 1109.998762] [] ? default_idle+0x37/0x250
    [ 1109.998762] [] ? default_idle+0x35/0x250
    [ 1109.998762] [] arch_cpu_idle+0xf/0x20
    [ 1109.998762] [] cpu_startup_entry+0x27d/0x4d0
    [ 1109.998762] [] start_secondary+0x188/0x1f0

    When intra-node messages are delivered from one process to another
    process, tipc_link_xmit() doesn't disable BH before it directly calls
    tipc_sk_rcv() on process context to forward messages to destination
    socket. Meanwhile, if messages delivered by remote node arrive at the
    node and their destinations are also the same socket, tipc_sk_rcv()
    running on process context might be preempted by tipc_sk_rcv() running
    BH context. As a result, the latter cannot obtain the socket lock as
    the lock was obtained by the former, however, the former has no chance
    to be run as the latter is owning the CPU now, so headlock happens. To
    avoid it, BH should be always disabled in tipc_sk_rcv().

    Signed-off-by: Ying Xue
    Reviewed-by: Jon Maloy
    Signed-off-by: David S. Miller

    Ying Xue
     
  • Locking dependency detected below possible unsafe locking scenario:

    CPU0 CPU1
    T0: tipc_named_rcv() tipc_rcv()
    T1: [grab nametble write lock]* [grab node lock]*
    T2: tipc_update_nametbl() tipc_node_link_up()
    T3: tipc_nodesub_subscribe() tipc_nametbl_publish()
    T4: [grab node lock]* [grab nametble write lock]*

    The opposite order of holding nametbl write lock and node lock on
    above two different paths may result in a deadlock. If we move the
    the updating of the name table after link state named out of node
    lock, the reverse order of holding locks will be eliminated, and
    as a result, the deadlock risk.

    Signed-off-by: Ying Xue
    Signed-off-by: Jon Maloy
    Signed-off-by: David S. Miller

    Ying Xue
     
  • Govindarajulu Varadarajan says:

    ====================
    enic: Bug fixes

    This series fixes the following problem.

    Please apply this to net.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • In enic_stop, we disable preemption using local_bh_disable(). We disable
    preemption to wait for busy_poll to finish.

    napi_disable should not be called here as it might sleep.

    Moving napi_disable() call out side of local_bh_disable.

    BUG: sleeping function called from invalid context at include/linux/netdevice.h:477
    in_atomic(): 1, irqs_disabled(): 0, pid: 443, name: ifconfig
    INFO: lockdep is turned off.
    Preemption disabled at:[] enic_rfs_flw_tbl_free+0x34/0xd0 [enic]

    CPU: 31 PID: 443 Comm: ifconfig Not tainted 3.17.0-netnext-05504-g59f35b8 #268
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    ffff8800dac10000 ffff88020b8dfcb8 ffffffff8148a57c 0000000000000000
    ffff88020b8dfcd0 ffffffff8107e253 ffff8800dac12a40 ffff88020b8dfd10
    ffffffffa029305b ffff88020b8dfd48 ffff8800dac10000 ffff88020b8dfd48
    Call Trace:
    [] dump_stack+0x4e/0x7a
    [] __might_sleep+0x123/0x1a0
    [] enic_stop+0xdb/0x4d0 [enic]
    [] __dev_close_many+0x9d/0xf0
    [] __dev_close+0x31/0x50
    [] __dev_change_flags+0x98/0x160
    [] dev_change_flags+0x24/0x60
    [] devinet_ioctl+0x63d/0x710
    [] ? might_fault+0x56/0xc0
    [] inet_ioctl+0x65/0x90
    [] sock_do_ioctl+0x20/0x50
    [] sock_ioctl+0x20b/0x2e0
    [] do_vfs_ioctl+0x2e0/0x500
    [] ? sysret_check+0x22/0x5d
    [] ? __this_cpu_preempt_check+0x13/0x20
    [] ? trace_hardirqs_on_caller+0x119/0x270
    [] SyS_ioctl+0x3c/0x80
    [] system_call_fastpath+0x1a/0x1f

    Signed-off-by: Govindarajulu Varadarajan
    Signed-off-by: David S. Miller

    Govindarajulu Varadarajan
     
  • The following warning is shown when spinlock debug is enabled.

    This occurs when enic_flow_may_expire timer function is running and
    enic_stop is called on same CPU.

    Fix this by using spink_lock_bh().

    =================================
    [ INFO: inconsistent lock state ]
    3.17.0-netnext-05504-g59f35b8 #268 Not tainted
    ---------------------------------
    inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
    ifconfig/443 [HC0[0]:SC0[0]:HE1:SE1] takes:
    (&(&enic->rfs_h.lock)->rlock){+.?...}, at:
    enic_rfs_flw_tbl_free+0x34/0xd0 [enic]
    {IN-SOFTIRQ-W} state was registered at:
    [] __lock_acquire+0x83f/0x21c0
    [] lock_acquire+0xa2/0xd0
    [] _raw_spin_lock+0x3c/0x80
    [] enic_flow_may_expire+0x25/0x130[enic]
    [] call_timer_fn+0x77/0x100
    [] run_timer_softirq+0x1e3/0x270
    [] __do_softirq+0x14e/0x280
    [] irq_exit+0x8e/0xb0
    [] smp_apic_timer_interrupt+0x3f/0x50
    [] apic_timer_interrupt+0x72/0x80
    [] default_idle+0x13/0x20
    [] arch_cpu_idle+0xa/0x10
    [] cpu_startup_entry+0x2c6/0x330
    [] start_secondary+0x21d/0x290
    irq event stamp: 2997
    hardirqs last enabled at (2997): [] _raw_spin_unlock_irqrestore+0x65/0x90
    hardirqs last disabled at (2996): [] _raw_spin_lock_irqsave+0x26/0x90
    softirqs last enabled at (2968): [] dev_deactivate_many+0x213/0x260
    softirqs last disabled at (2966): [] dev_deactivate_many+0x1f3/0x260

    other info that might help us debug this:
    Possible unsafe locking scenario:

    CPU0
    ----
    lock(&(&enic->rfs_h.lock)->rlock);

    lock(&(&enic->rfs_h.lock)->rlock);

    *** DEADLOCK ***

    Reported-by: Jan Stancek
    Signed-off-by: Govindarajulu Varadarajan
    Signed-off-by: David S. Miller

    Govindarajulu Varadarajan
     

21 Oct, 2014

4 commits

  • Florian Westphal says:

    ====================
    net: minor gso encapsulation fixes

    The following series fixes a minor bug in the gso segmentation handlers
    when encapsulation offload is used.

    Theoretically this could cause kernel panic when the stack tries
    to software-segment such a GRE offload packet, but it looks like there
    is only one affected call site (tbf scheduler) and it handles NULL
    return value.

    I've included a followup patch to add IS_ERR_OR_NULL checks where needed.

    While looking into this, I also found that size computation of the individual
    segments is incorrect if skb->encapsulation is set.

    Please see individual patches for delta vs. v1.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • if ->encapsulation is set we have to use inner_tcp_hdrlen and add the
    size of the inner network headers too.

    This is 'mostly harmless'; tbf might send skb that is slightly over
    quota or drop skb even if it would have fit.

    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller

    Florian Westphal
     
  • skb_gso_segment has three possible return values:
    1. a pointer to the first segmented skb
    2. an errno value (IS_ERR())
    3. NULL. This can happen when GSO is used for header verification.

    However, several callers currently test IS_ERR instead of IS_ERR_OR_NULL
    and would oops when NULL is returned.

    Note that these call sites should never actually see such a NULL return
    value; all callers mask out the GSO bits in the feature argument.

    However, there have been issues with some protocol handlers erronously not
    respecting the specified feature mask in some cases.

    It is preferable to get 'have to turn off hw offloading, else slow' reports
    rather than 'kernel crashes'.

    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller

    Florian Westphal
     
  • skb_gso_segment() has a 'features' argument representing offload features
    available to the output path.

    A few handlers, e.g. GRE, instead re-fetch the features of skb->dev and use
    those instead of the provided ones when handing encapsulation/tunnels.

    Depending on dev->hw_enc_features of the output device skb_gso_segment() can
    then return NULL even when the caller has disabled all GSO feature bits,
    as segmentation of inner header thinks device will take care of segmentation.

    This e.g. affects the tbf scheduler, which will silently drop GRE-encap GSO skbs
    that did not fit the remaining token quota as the segmentation does not work
    when device supports corresponding hw offload capabilities.

    Cc: Pravin B Shelar
    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller

    Florian Westphal
     

20 Oct, 2014

11 commits

  • Pablo Neira Ayuso says:

    ====================
    netfilter fixes for net

    The following patchset contains netfilter fixes for your net tree,
    they are:

    1) Fix missing MODULE_LICENSE() in the new nf_reject_ipv{4,6} modules.

    2) Restrict nat and masq expressions to the nat chain type. Otherwise,
    users may crash their kernel if they attach a nat/masq rule to a non
    nat chain.

    3) Fix hook validation in nft_compat when non-base chains are used.
    Basically, initialize hook_mask to zero.

    4) Make sure you use match/targets in nft_compat from the right chain
    type. The existing validation relies on the table name which can be
    avoided by

    5) Better netlink attribute validation in nft_nat. This expression has
    to reject the configuration when no address and proto configurations
    are specified.

    6) Interpret NFTA_NAT_REG_*_MAX if only if NFTA_NAT_REG_*_MIN is set.
    Yet another sanity check to reject incorrect configurations from
    userspace.

    7) Conditional NAT attribute dumping depending on the existing
    configuration.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • The following patch fixes a bug which causes the ax88179_178a driver to be
    incapable of being added to a bond.

    When I brought up the issue with the bonding maintainers, they indicated
    that the real problem was with the NIC driver which must return zero for
    success (of setting the MAC address). I see that several other NIC drivers
    follow that pattern by either simply always returing zero, or by passing
    through a negative (error) result while rewriting any positive return code
    to zero. With that same philisophy applied to the ax88179_178a driver, it
    allows it to work correctly with the bonding driver.

    I believe this is suitable for queuing in -stable, as it's a small, simple,
    and obvious fix that corrects a defect with no other known workaround.

    This patch is against vanilla 3.17(.0).

    Signed-off-by: Ian Morgan

    drivers/net/usb/ax88179_178a.c | 7 ++++++-
    1 file changed, 6 insertions(+), 1 deletion(-)
    Signed-off-by: David S. Miller

    Ian Morgan
     
  • Pull ntb (non-transparent bridge) updates from Jon Mason:
    "Add support for Haswell NTB split BARs, a debugfs entry for basic
    debugging info, and some code clean-ups"

    * tag 'ntb-3.18' of git://github.com/jonmason/ntb:
    ntb: Adding split BAR support for Haswell platforms
    ntb: use errata flag set via DID to implement workaround
    ntb: conslidate reading of PPD to move platform detection earlier
    ntb: move platform detection to separate function
    NTB: debugfs device entry

    Linus Torvalds
     
  • Pull i2c updates from Wolfram Sang:
    "Highlights from the I2C subsystem for 3.18:

    - new drivers for Axxia AM55xx, and Hisilicon hix5hd2 SoC.

    - designware driver gained AMD support, exynos gained exynos7 support

    The rest is usual driver stuff. Hopefully no lowlights this time"

    * 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
    i2c: i801: Add Device IDs for Intel Sunrise Point PCH
    i2c: hix5hd2: add i2c controller driver
    i2c-imx: Disable the clock on probe failure
    i2c: designware: Add support for AMD I2C controller
    i2c: designware: Rework probe() to get clock a bit later
    i2c: designware: Default to fast mode in case of ACPI
    i2c: axxia: Add I2C driver for AXM55xx
    i2c: exynos: add support for HSI2C module on Exynos7
    i2c: mxs: detect No Slave Ack on SELECT in PIO mode
    i2c: cros_ec: Remove EC_I2C_FLAG_10BIT
    i2c: cros-ec-tunnel: Add of match table
    i2c: rcar: remove sign-compare flaw
    i2c: ismt: Use minimum descriptor size
    i2c: imx: Add arbitration lost check
    i2c: rk3x: Remove unlikely() annotations
    i2c: rcar: check for no IRQ in rcar_i2c_irq()
    i2c: rcar: make rcar_i2c_prepare_msg() *void*
    i2c: rcar: simplify check for last message
    i2c: designware: add support of platform data to set I2C mode
    i2c: designware: add support of I2C standard mode

    Linus Torvalds
     
  • Pull sound fixes from Takashi Iwai:
    "Here are a collection of small fixes after 3.18 merge.

    The urgent one is the fix for kernel panics with linked PCM substream
    triggered by the recent nonatomic PCM ops support. Other two fixes
    (emu10k1 and bebob) are stable fixes, and one easy PCI ID addition for
    a new Intel HD-audio controller"

    * tag 'sound-fix-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
    ALSA: hda_intel: Add Device IDs for Intel Sunrise Point PCH
    ALSA: emu10k1: Fix deadlock in synth voice lookup
    ALSA: pcm: Fix referred substream in snd_pcm_action_group() unlock loop
    ALSA: bebob: Fix failure to detect source of clock for Terratec Phase 88

    Linus Torvalds
     
  • Pull second round of input updates from Dmitry Torokhov:
    "Mostly simple bug fixes, although we do have one brand new driver for
    Microchip AR1021 i2c touchscreen.

    Also there is the change to stop trying to use i8042 active
    multiplexing by default (it is still possible to activate it via
    i8042.nomux=0 on boxes that implement it)"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
    Input: xpad - add Thrustmaster as Xbox 360 controller vendor
    Input: xpad - add USB ID for Thrustmaster Ferrari 458 Racing Wheel
    Input: max77693-haptic - fix state check in imax77693_haptic_disable()
    Input: xen-kbdfront - free grant table entry in xenkbd_disconnect_backend
    Input: alps - fix v4 button press recognition
    Input: i8042 - disable active multiplexing by default
    Input: i8042 - add noloop quirk for Asus X750LN
    Input: synaptics - gate forcepad support by DMI check
    Input: Add Microchip AR1021 i2c touchscreen
    Input: cros_ec_keyb - add of match table
    Input: serio - avoid negative serio device numbers
    Input: avoid negative input device numbers
    Input: automatically set EV_ABS bit in input_set_abs_params
    Input: adp5588-keys - cancel workqueue in failure path
    Input: opencores-kbd - switch to using managed resources
    Input: evdev - fix EVIOCG{type} ioctl

    Linus Torvalds
     
  • Pull infiniband/RDMA updates from Roland Dreier:
    - large set of iSER initiator improvements
    - hardware driver fixes for cxgb4, mlx5 and ocrdma
    - small fixes to core midlayer

    * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: (47 commits)
    RDMA/cxgb4: Fix ntuple calculation for ipv6 and remove duplicate line
    RDMA/cxgb4: Add missing neigh_release in find_route
    RDMA/cxgb4: Take IPv6 into account for best_mtu and set_emss
    RDMA/cxgb4: Make c4iw_wr_log_size_order static
    IB/core: Fix XRC race condition in ib_uverbs_open_qp
    IB/core: Clear AH attr variable to prevent garbage data
    RDMA/ocrdma: Save the bit environment, spare unncessary parenthesis
    RDMA/ocrdma: The kernel has a perfectly good BIT() macro - use it
    RDMA/ocrdma: Don't memset() buffers we just allocated with kzalloc()
    RDMA/ocrdma: Remove a unused-label warning
    RDMA/ocrdma: Convert kernel VA to PA for mmap in user
    RDMA/ocrdma: Get vlan tag from ib_qp_attrs
    RDMA/ocrdma: Add default GID at index 0
    IB/mlx5, iser, isert: Add Signature API additions
    Target/iser: Centralize ib_sig_domain setting
    IB/iser: Centralize ib_sig_domain settings
    IB/mlx5: Use extended internal signature layout
    IB/iser: Set IP_CSUM as default guard type
    IB/iser: Remove redundant assignment
    IB/mlx5: Use enumerations for PI copy mask
    ...

    Linus Torvalds
     
  • Pull more perf updates from Ingo Molnar:
    "A second (and last) round of late coming fixes and changes, almost all
    of them in perf tooling:

    User visible tooling changes:

    - Add period data column and make it default in 'perf script' (Jiri
    Olsa)

    - Add a visual cue for toggle zeroing of samples in 'perf top'
    (Taeung Song)

    - Improve callchains when using libunwind (Namhyung Kim)

    Tooling fixes and infrastructure changes:

    - Fix for double free in 'perf stat' when using some specific invalid
    command line combo (Yasser Shalabi)

    - Fix off-by-one bugs in map->end handling (Stephane Eranian)

    - Fix off-by-one bug in maps__find(), also related to map->end
    handling (Namhyung Kim)

    - Make struct symbol->end be the first addr after the symbol range,
    to make it match the convention used for struct map->end. (Arnaldo
    Carvalho de Melo)

    - Fix perf_evlist__add_pollfd() error handling in 'perf kvm stat
    live' (Jiri Olsa)

    - Fix python test build by moving callchain_param to an object linked
    into the python binding (Jiri Olsa)

    - Document sysfs events/ interfaces (Cody P Schafer)

    - Fix typos in perf/Documentation (Masanari Iida)

    - Add missing 'struct option' forward declaration (Arnaldo Carvalho
    de Melo)

    - Add option to copy events when queuing for sorting across cpu
    buffers and enable it for 'perf kvm stat live', to avoid having
    events left in the queue pointing to the ring buffer be rewritten
    in high volume sessions. (Alexander Yarygin, improving work done
    by David Ahern):

    - Do not include a struct hists per perf_evsel, untangling the
    histogram code from perf_evsel, to pave the way for exporting a
    minimalistic tools/lib/api/perf/ library usable by tools/perf and
    initially by the rasd daemon being developed by Borislav Petkov,
    Robert Richter and Jean Pihet. (Arnaldo Carvalho de Melo)

    - Make perf_evlist__open(evlist, NULL, NULL), i.e. without cpu and
    thread maps mean syswide monitoring, reducing the boilerplate for
    tools that only want system wide mode. (Arnaldo Carvalho de Melo)

    - Move exit stuff from perf_evsel__delete to perf_evsel__exit, delete
    should be just a front end for exit + free (Arnaldo Carvalho de
    Melo)

    - Add support to new style format of kernel PMU event. (Kan Liang)

    and other misc fixes"

    * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (45 commits)
    perf script: Add period as a default output column
    perf script: Add period data column
    perf evsel: No need to drag util/cgroup.h
    perf evlist: Add missing 'struct option' forward declaration
    perf evsel: Move exit stuff from __delete to __exit
    kprobes/x86: Remove stale ARCH_SUPPORTS_KPROBES_ON_FTRACE define
    perf kvm stat live: Enable events copying
    perf session: Add option to copy events when queueing
    perf Documentation: Fix typos in perf/Documentation
    perf trace: Use thread_{,_set}_priv helpers
    perf kvm: Use thread_{,_set}_priv helpers
    perf callchain: Create an address space per thread
    perf report: Set callchain_param.record_mode for future use
    perf evlist: Fix for double free in tools/perf stat
    perf test: Add test case for pmu event new style format
    perf tools: Add support to new style format of kernel PMU event
    perf tools: Parse the pmu event prefix and suffix
    Revert "perf tools: Default to cpu// for events v5"
    perf Documentation: Remove Ruplicated docs for powerpc cpu specific events
    perf Documentation: sysfs events/ interfaces
    ...

    Linus Torvalds
     
  • Pull sparc fixes from David Miller:
    "Here we have two bug fixes:

    1) The current thread's fault_code is not setup properly upon entry to
    do_sparc64_fault() in some paths, leading to spurious SIGBUS.

    2) Don't use a zero length array at the end of thread_info on sparc64,
    otherwise end_of_stack() isn't right"

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
    sparc64: Do not define thread fpregs save area as zero-length array.
    sparc64: Fix corrupted thread fault code.

    Linus Torvalds
     
  • Pull networking fixes from David Miller:
    "A quick batch of bug fixes:

    1) Fix build with IPV6 disabled, from Eric Dumazet.

    2) Several more cases of caching SKB data pointers across calls to
    pskb_may_pull(), thus referencing potentially free'd memory. From
    Li RongQing.

    3) DSA phy code tests operation presence improperly, instead of going:

    if (x->ops->foo)
    r = x->ops->foo(args);

    it was going:

    if (x->ops->foo(args))
    r = x->ops->foo(args);

    Fix from Andew Lunn"

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
    Net: DSA: Fix checking for get_phy_flags function
    ipv6: fix a potential use after free in sit.c
    ipv6: fix a potential use after free in ip6_offload.c
    ipv4: fix a potential use after free in gre_offload.c
    tcp: fix build error if IPv6 is not enabled

    Linus Torvalds
     
  • The check for the presence or not of the optional switch function
    get_phy_flags() called the function, rather than checked to see if it
    is a NULL pointer. This causes a derefernce of a NULL pointer on all
    switch chips except the sf2, the only switch to implement this call.

    Signed-off-by: Andrew Lunn
    Fixes: 6819563e646a ("net: dsa: allow switch drivers to specify phy_device::dev_flags")
    Cc: Florian Fainelli
    Signed-off-by: David S. Miller

    Andrew Lunn
     

19 Oct, 2014

12 commits

  • This breaks the stack end corruption detection facility.

    What that facility does it write a magic value to "end_of_stack()"
    and checking to see if it gets overwritten.

    "end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is
    the beginning of the FPU register save area.

    So once the user uses the FPU, the magic value is overwritten and the
    debug checks trigger.

    Fix this by making the size explicit.

    Due to the size we use for the fpsaved[], gsr[], and xfsr[] arrays we
    are limited to 7 levels of FPU state saves. So each FPU register set
    is 256 bytes, allocate 256 * 7 for the fpregs area.

    Reported-by: Meelis Roos
    Signed-off-by: David S. Miller

    David S. Miller
     
  • Every path that ends up at do_sparc64_fault() must install a valid
    FAULT_CODE_* bitmask in the per-thread fault code byte.

    Two paths leading to the label winfix_trampoline (which expects the
    FAULT_CODE_* mask in register %g4) were not doing so:

    1) For pre-hypervisor TLB protection violation traps, if we took
    the 'winfix_trampoline' path we wouldn't have %g4 initialized
    with the FAULT_CODE_* value yet. Resulting in using the
    TLB_TAG_ACCESS register address value instead.

    2) In the TSB miss path, when we notice that we are going to use a
    hugepage mapping, but we haven't allocated the hugepage TSB yet, we
    still have to take the window fixup case into consideration and
    in that particular path we leave %g4 not setup properly.

    Errors on this sort were largely invisible previously, but after
    commit 4ccb9272892c33ef1c19a783cfa87103b30c2784 ("sparc64: sun4v TLB
    error power off events") we now have a fault_code mask bit
    (FAULT_CODE_BAD_RA) that triggers due to this bug.

    FAULT_CODE_BAD_RA triggers because this bit is set in TLB_TAG_ACCESS
    (see #1 above) and thus we get seemingly random bus errors triggered
    for user processes.

    Fixes: 4ccb9272892c ("sparc64: sun4v TLB error power off events")
    Reported-by: Meelis Roos
    Signed-off-by: David S. Miller

    David S. Miller
     
  • Pull slave-dmaengine updates from Vinod Koul:
    "For dmaengine contributions we have:
    - designware cleanup by Andy
    - my series moving device_control users to dmanegine_xxx APIs for
    later removal of device_control API
    - minor fixes spread over drivers mainly mv_xor, pl330, mmp, imx-sdma
    etc"

    * 'for-linus' of git://git.infradead.org/users/vkoul/slave-dma: (60 commits)
    serial: atmel: add missing dmaengine header
    dmaengine: remove FSLDMA_EXTERNAL_START
    dmaengine: freescale: remove FSLDMA_EXTERNAL_START control method
    carma-fpga: move to fsl_dma_external_start()
    carma-fpga: use dmaengine_xxx() API
    dmaengine: freescale: add and export fsl_dma_external_start()
    dmaengine: add dmaengine_prep_dma_sg() helper
    video: mx3fb: use dmaengine_terminate_all() API
    serial: sh-sci: use dmaengine_terminate_all() API
    net: ks8842: use dmaengine_terminate_all() API
    mtd: sh_flctl: use dmaengine_terminate_all() API
    mtd: fsmc_nand: use dmaengine_terminate_all() API
    V4L2: mx3_camer: use dmaengine_pause() API
    dmaengine: coh901318: use dmaengine_terminate_all() API
    pata_arasan_cf: use dmaengine_terminate_all() API
    dmaengine: edma: check for echan->edesc => NULL in edma_dma_pause()
    dmaengine: dw: export probe()/remove() and Co to users
    dmaengine: dw: enable and disable controller when needed
    dmaengine: dw: always export dw_dma_{en,dis}able
    dmaengine: dw: introduce dw_dma_on() helper
    ...

    Linus Torvalds
     
  • Pull fbdev updates from Tomi Valkeinen:
    - new 6x10 font
    - various small fixes and cleanups

    * tag 'fbdev-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux: (30 commits)
    fonts: Add 6x10 font
    videomode: provide dummy inline functions for !CONFIG_OF
    video/atmel_lcdfb: Introduce regulator support
    fbdev: sh_mobile_hdmi: Re-init regs before irq re-enable on resume
    framebuffer: fix screen corruption when copying
    framebuffer: fix border color
    arm, fbdev, omap2, LLVMLinux: Remove nested function from omapfb
    arm, fbdev, omap2, LLVMLinux: Remove nested function from omap2 dss
    video: fbdev: valkyriefb.c: use container_of to resolve fb_info_valkyrie from fb_info
    video: fbdev: pxafb.c: use container_of to resolve pxafb_info/layer from fb_info
    video: fbdev: cyber2000fb.c: use container_of to resolve cfb_info from fb_info
    video: fbdev: controlfb.c: use container_of to resolve fb_info_control from fb_info
    video: fbdev: sa1100fb.c: use container_of to resolve sa1100fb_info from fb_info
    video: fbdev: stifb.c: use container_of to resolve stifb_info from fb_info
    video: fbdev: sis: sis_main.c: Cleaning up missing null-terminate in conjunction with strncpy
    video: valkyriefb: Fix unused variable warning in set_valkyrie_clock()
    video: fbdev: use %*ph specifier to dump small buffers
    video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT
    video: fbdev: au1200fb: delete double assignment
    video: fbdev: sis: delete double assignment
    ...

    Linus Torvalds
     
  • Pull second batch of changes for KVM/{arm,arm64} from Marc Zyngier:
    "The most obvious thing is the sizeable MMU changes to support 48bit
    VAs on arm64.

    Summary:

    - support for 48bit IPA and VA (EL2)
    - a number of fixes for devices mapped into guests
    - yet another VGIC fix for BE
    - a fix for CPU hotplug
    - a few compile fixes (disabled VGIC, strict mm checks)"

    [ I'm pulling directly from Marc at the request of Paolo Bonzini, whose
    backpack was stolen at Düsseldorf airport and will do new keys and
    rebuild his web of trust. - Linus ]

    * tag 'kvm-arm-for-3.18-take-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm:
    arm/arm64: KVM: Fix BE accesses to GICv2 EISR and ELRSR regs
    arm: kvm: STRICT_MM_TYPECHECKS fix for user_mem_abort
    arm/arm64: KVM: Ensure memslots are within KVM_PHYS_SIZE
    arm64: KVM: Implement 48 VA support for KVM EL2 and Stage-2
    arm/arm64: KVM: map MMIO regions at creation time
    arm64: kvm: define PAGE_S2_DEVICE as read-only by default
    ARM: kvm: define PAGE_S2_DEVICE as read-only by default
    arm/arm64: KVM: add 'writable' parameter to kvm_phys_addr_ioremap
    arm/arm64: KVM: fix potential NULL dereference in user_mem_abort()
    arm/arm64: KVM: use __GFP_ZERO not memset() to get zeroed pages
    ARM: KVM: fix vgic-disabled build
    arm: kvm: fix CPU hotplug

    Linus Torvalds
     
  • Pull MIPS updates from Ralf Baechle:
    "This is the MIPS pull request for the next kernel:

    - Zubair's patch series adds CMA support for MIPS. Doing so it also
    touches ARM64 and x86.
    - remove the last instance of IRQF_DISABLED from arch/mips
    - updates to two of the MIPS defconfig files.
    - cleanup of how cache coherency bits are handled on MIPS and
    implement support for write-combining.
    - platform upgrades for Alchemy
    - move MIPS DTS files to arch/mips/boot/dts/"

    * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: (24 commits)
    MIPS: ralink: remove deprecated IRQF_DISABLED
    MIPS: pgtable.h: Implement the pgprot_writecombine function for MIPS
    MIPS: cpu-probe: Set the write-combine CCA value on per core basis
    MIPS: pgtable-bits: Define the CCA bit for WC writes on Ingenic cores
    MIPS: pgtable-bits: Move the CCA bits out of the core's ifdef blocks
    MIPS: DMA: Add cma support
    x86: use generic dma-contiguous.h
    arm64: use generic dma-contiguous.h
    asm-generic: Add dma-contiguous.h
    MIPS: BPF: Add new emit_long_instr macro
    MIPS: ralink: Move device-trees to arch/mips/boot/dts/
    MIPS: Netlogic: Move device-trees to arch/mips/boot/dts/
    MIPS: sead3: Move device-trees to arch/mips/boot/dts/
    MIPS: Lantiq: Move device-trees to arch/mips/boot/dts/
    MIPS: Octeon: Move device-trees to arch/mips/boot/dts/
    MIPS: Add support for building device-tree binaries
    MIPS: Create common infrastructure for building built-in device-trees
    MIPS: SEAD3: Enable DEVTMPFS
    MIPS: SEAD3: Regenerate defconfigs
    MIPS: Alchemy: DB1300: Add touch penirq support
    ...

    Linus Torvalds
     
  • Pull powerpc fix from Michael Ellerman:
    "There was a bit of a misunderstanding between us and the ARM guys in
    the device tree PCI code, which is breaking virtio on powerpc.

    This is the minimal fix until we can sort it out properly"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
    powerpc/pci: Fix IO space breakage after of_pci_range_to_resource() change

    Linus Torvalds
     
  • Pull cifs/smb3 updates from Steve French:
    "Improved SMB3 support (symlink and device emulation, and remapping by
    default the 7 reserved posix characters) and a workaround for cifs
    mounts to Mac (working around a commonly encountered Mac server bug)"

    * 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
    [CIFS] Remove obsolete comment
    Check minimum response length on query_network_interface
    Workaround Mac server problem
    Remap reserved posix characters by default (part 3/3)
    Allow conversion of characters in Mac remap range (part 2)
    Allow conversion of characters in Mac remap range. Part 1
    mfsymlinks support for SMB2.1/SMB3. Part 2 query symlink
    Add mfsymlinks support for SMB2.1/SMB3. Part 1 create symlink
    Allow mknod and mkfifo on SMB2/SMB3 mounts
    add defines for two new file attributes

    Linus Torvalds
     
  • Pull dlm fix from David Teigland:
    "This includes a single commit fixing a missing endian conversion"

    * tag 'dlm-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm:
    dlm: fix missing endian conversion of rcom_status flags

    Linus Torvalds
     
  • Pull btrfs data corruption fix from Chris Mason:
    "I'm testing a pull with more fixes, but wanted to get this one out so
    Greg can pick it up.

    The corruption isn't easy to hit, you have to do a readonly snapshot
    and have orphans in the snapshot. But my review and testing missed
    the bug. Filipe has added a better xfstest to cover it"

    * 'for-linus-update' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
    Revert "Btrfs: race free update of commit root for ro snapshots"

    Linus Torvalds
     
  • Pull pstore fix from Tony Luck:
    "Ensure unique filenames in pstore"

    * tag 'please-pull-pstore' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux:
    pstore: Fix duplicate {console,ftrace}-efi entries

    Linus Torvalds
     
  • Pull NTFS update from Anton Altaparmakov:
    "Here is a small NTFS update notably implementing FIBMAP ioctl for NTFS
    by adding the bmap address space operation. People seem to still want
    FIBMAP"

    * git://git.kernel.org/pub/scm/linux/kernel/git/aia21/ntfs:
    NTFS: Bump version to 2.1.31.
    NTFS: Add bmap address space operation needed for FIBMAP ioctl.
    NTFS: Remove changelog from Documentation/filesystems/ntfs.txt.
    NTFS: Split ntfs_aops into ntfs_normal_aops and ntfs_compressed_aops in preparation for them diverging.

    Linus Torvalds