openwrt/staging/blogic.git
9 years agoscripts/gdb: fix lx-lsmod refcnt
Adrien Schildknecht [Thu, 28 May 2015 22:44:40 +0000 (15:44 -0700)]
scripts/gdb: fix lx-lsmod refcnt

Commit 2f35c41f58a9 ("module: Replace module_ref with atomic_t refcnt")
changes the way refcnt is handled but did not update the gdb script to
use the new variable.

Since refcnt is not per-cpu anymore, we can directly read its value.

Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Pantelis Koukousoulas <pktoss@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agoomfs: fix potential integer overflow in allocator
Bob Copeland [Thu, 28 May 2015 22:44:37 +0000 (15:44 -0700)]
omfs: fix potential integer overflow in allocator

Both 'i' and 'bits_per_entry' are signed integers but the result is a
u64 block number.  Cast i to u64 to avoid truncation on 32-bit targets.

Found by Coverity (CID 200679).

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agoomfs: fix sign confusion for bitmap loop counter
Bob Copeland [Thu, 28 May 2015 22:44:35 +0000 (15:44 -0700)]
omfs: fix sign confusion for bitmap loop counter

The count variable is used to iterate down to (below) zero from the size
of the bitmap and handle the one-filling the remainder of the last
partial bitmap block.  The loop conditional expects count to be signed
in order to detect when the final block is processed, after which count
goes negative.

Unfortunately, a recent change made this unsigned along with some other
related fields.  The result of is this is that during mount,
omfs_get_imap will overrun the bitmap array and corrupt memory unless
number of blocks happens to be a multiple of 8 * blocksize.

Fix by changing count back to signed: it is guaranteed to fit in an s32
without overflow due to an enforced limit on the number of blocks in the
filesystem.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agoomfs: set error return when d_make_root() fails
Bob Copeland [Thu, 28 May 2015 22:44:32 +0000 (15:44 -0700)]
omfs: set error return when d_make_root() fails

A static checker found the following issue in the error path for
omfs_fill_super:

    fs/omfs/inode.c:552 omfs_fill_super()
    warn: missing error code here? 'd_make_root()' failed. 'ret' = '0'

Fix by returning -ENOMEM in this case.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agofs, omfs: add NULL terminator in the end up the token list
Sasha Levin [Thu, 28 May 2015 22:44:29 +0000 (15:44 -0700)]
fs, omfs: add NULL terminator in the end up the token list

match_token() expects a NULL terminator at the end of the token list so
that it would know where to stop.  Not having one causes it to overrun
to invalid memory.

In practice, passing a mount option that omfs didn't recognize would
sometimes panic the system.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agoMAINTAINERS: update CAPABILITIES pattern
Joe Perches [Thu, 28 May 2015 22:44:27 +0000 (15:44 -0700)]
MAINTAINERS: update CAPABILITIES pattern

Commit 1ddd3b4e07a4 ("LSM: Remove unused capability.c") removed the
file, remove the file pattern.

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agofs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings
Andrew Morton [Thu, 28 May 2015 22:44:24 +0000 (15:44 -0700)]
fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings

load_elf_binary() returns `retval', not `error'.

Fixes: a87938b2e246b81b4fb ("fs/binfmt_elf.c: fix bug in loading of PIE binaries")
Reported-by: James Hogan <james.hogan@imgtec.com>
Cc: Michael Davidson <md@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agotracing/mm: don't trace mm_page_pcpu_drain on offline cpus
Shreyas B. Prabhu [Thu, 28 May 2015 22:44:22 +0000 (15:44 -0700)]
tracing/mm: don't trace mm_page_pcpu_drain on offline cpus

Since tracepoints use RCU for protection, they must not be called on
offline cpus.  trace_mm_page_pcpu_drain can be called on an offline cpu
in this scenario caught by LOCKDEP:

     ===============================
     [ INFO: suspicious RCU usage. ]
     4.1.0-rc1+ #9 Not tainted
     -------------------------------
     include/trace/events/kmem.h:265 suspicious rcu_dereference_check() usage!

    other info that might help us debug this:

    RCU used illegally from offline CPU!
    rcu_scheduler_active = 1, debug_locks = 1
     1 lock held by swapper/5/0:
      #0:  (&(&zone->lock)->rlock){..-...}, at: [<c0000000002073b0>] .free_pcppages_bulk+0x70/0x920

    stack backtrace:
     CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.1.0-rc1+ #9
     Call Trace:
       .dump_stack+0x98/0xd4 (unreliable)
       .lockdep_rcu_suspicious+0x108/0x170
       .free_pcppages_bulk+0x60c/0x920
       .free_hot_cold_page+0x208/0x280
       .destroy_context+0x90/0xd0
       .__mmdrop+0x58/0x160
       .idle_task_exit+0xf0/0x100
       .pnv_smp_cpu_kill_self+0x58/0x2c0
       .cpu_die+0x34/0x50
       .arch_cpu_idle_dead+0x20/0x40
       .cpu_startup_entry+0x708/0x7a0
       .start_secondary+0x36c/0x3a0
       start_secondary_prolog+0x10/0x14

Fix this by converting mm_page_pcpu_drain trace point into
TRACE_EVENT_CONDITION where condition is cpu_online(smp_processor_id())

Signed-off-by: Shreyas B. Prabhu <shreyas@linux.vnet.ibm.com>
Reviewed-by: Preeti U Murthy <preeti@linux.vnet.ibm.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agotracing/mm: don't trace mm_page_free on offline cpus
Shreyas B. Prabhu [Thu, 28 May 2015 22:44:19 +0000 (15:44 -0700)]
tracing/mm: don't trace mm_page_free on offline cpus

Since tracepoints use RCU for protection, they must not be called on
offline cpus.  trace_mm_page_free can be called on an offline cpu in this
scenario caught by LOCKDEP:

     ===============================
     [ INFO: suspicious RCU usage. ]
     4.1.0-rc1+ #9 Not tainted
     -------------------------------
     include/trace/events/kmem.h:170 suspicious rcu_dereference_check() usage!

    other info that might help us debug this:

    RCU used illegally from offline CPU!
    rcu_scheduler_active = 1, debug_locks = 1
     no locks held by swapper/1/0.

    stack backtrace:
     CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.1.0-rc1+ #9
     Call Trace:
       .dump_stack+0x98/0xd4 (unreliable)
       .lockdep_rcu_suspicious+0x108/0x170
       .free_pages_prepare+0x494/0x680
       .free_hot_cold_page+0x50/0x280
       .destroy_context+0x90/0xd0
       .__mmdrop+0x58/0x160
       .idle_task_exit+0xf0/0x100
       .pnv_smp_cpu_kill_self+0x58/0x2c0
       .cpu_die+0x34/0x50
       .arch_cpu_idle_dead+0x20/0x40
       .cpu_startup_entry+0x708/0x7a0
       .start_secondary+0x36c/0x3a0
       start_secondary_prolog+0x10/0x14

Fix this by converting mm_page_free trace point into TRACE_EVENT_CONDITION
where condition is cpu_online(smp_processor_id())

Signed-off-by: Shreyas B. Prabhu <shreyas@linux.vnet.ibm.com>
Reviewed-by: Preeti U Murthy <preeti@linux.vnet.ibm.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agotracing/mm: don't trace kmem_cache_free on offline cpus
Shreyas B. Prabhu [Thu, 28 May 2015 22:44:16 +0000 (15:44 -0700)]
tracing/mm: don't trace kmem_cache_free on offline cpus

Since tracepoints use RCU for protection, they must not be called on
offline cpus.  trace_kmem_cache_free can be called on an offline cpu in
this scenario caught by LOCKDEP:

    ===============================
    [ INFO: suspicious RCU usage. ]
    4.1.0-rc1+ #9 Not tainted
    -------------------------------
    include/trace/events/kmem.h:148 suspicious rcu_dereference_check() usage!

    other info that might help us debug this:

    RCU used illegally from offline CPU!
    rcu_scheduler_active = 1, debug_locks = 1
    no locks held by swapper/1/0.

    stack backtrace:
    CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.1.0-rc1+ #9
    Call Trace:
      .dump_stack+0x98/0xd4 (unreliable)
      .lockdep_rcu_suspicious+0x108/0x170
      .kmem_cache_free+0x344/0x4b0
      .__mmdrop+0x4c/0x160
      .idle_task_exit+0xf0/0x100
      .pnv_smp_cpu_kill_self+0x58/0x2c0
      .cpu_die+0x34/0x50
      .arch_cpu_idle_dead+0x20/0x40
      .cpu_startup_entry+0x708/0x7a0
      .start_secondary+0x36c/0x3a0
      start_secondary_prolog+0x10/0x14

Fix this by converting kmem_cache_free trace point into
TRACE_EVENT_CONDITION where condition is cpu_online(smp_processor_id())

Signed-off-by: Shreyas B. Prabhu <shreyas@linux.vnet.ibm.com>
Reported-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Reviewed-by: Preeti U Murthy <preeti@linux.vnet.ibm.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agoMerge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6
Linus Torvalds [Wed, 27 May 2015 21:09:16 +0000 (14:09 -0700)]
Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
 "Back from SambaXP - now have 8 small CIFS bug fixes to merge"

* 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
  CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE
  Fix to convert SURROGATE PAIR
  cifs: potential missing check for posix_lock_file_wait
  Fix to check Unique id and FileType when client refer file directly.
  CIFS: remove an unneeded NULL check
  [cifs] fix null pointer check
  Fix that several functions handle incorrect value of mapchars
  cifs: Don't replace dentries for dfs mounts

9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Wed, 27 May 2015 20:41:13 +0000 (13:41 -0700)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Don't use MMIO on certain iwlwifi devices otherwise we get a
    firmware crash.

 2) Don't corrupt the GRO lists of mac80211 contexts by doing sends via
    timer interrupt, from Johannes Berg.

 3) SKB tailroom is miscalculated in AP_VLAN crypto code, from Michal
    Kazior.

 4) Fix fw_status memory leak in iwlwifi, from Haim Dreyfuss.

 5) Fix use after free in iwl_mvm_d0i3_enable_tx(), from Eliad Peller.

 6) JIT'ing of large BPF programs is broken on x86, from Alexei
    Starovoitov.

 7) EMAC driver ethtool register dump size is miscalculated, from Ivan
    Mikhaylov.

 8) Fix PHY initial link mode when autonegotiation is disabled in
    amd-xgbe, from Tom Lendacky.

 9) Fix NULL deref on SOCK_DEAD socket in AF_UNIX and CAIF protocols,
    from Mark Salyzyn.

10) credit_bytes not initialized properly in xen-netback, from Ross
   Lagerwall.

11) Fallback from MSI-X to INTx interrupts not handled properly in mlx4
    driver, fix from Benjamin Poirier.

12) Perform ->attach() after binding dev->qdisc in packet scheduler,
    otherwise we can crash.  From Cong WANG.

13) Don't clobber data in sctp_v4_map_v6().  From Jason Gunthorpe.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (30 commits)
  sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
  net_sched: invoke ->attach() after setting dev->qdisc
  xen-netfront: properly destroy queues when removing device
  mlx4_core: Fix fallback from MSI-X to INTx
  xen/netback: Properly initialize credit_bytes
  net: netxen: correct sysfs bin attribute return code
  tools: bpf_jit_disasm: fix segfault on disabled debugging log output
  unix/caif: sk_socket can disappear when state is unlocked
  amd-xgbe-phy: Fix initial mode when autoneg is disabled
  net: dp83640: fix improper double spin locking.
  net: dp83640: reinforce locking rules.
  net: dp83640: fix broken calibration routine.
  net: stmmac: create one debugfs dir per net-device
  net/ibm/emac: fix size of emac dump memory areas
  x86: bpf_jit: fix compilation of large bpf programs
  net: phy: bcm7xxx: Fix 7425 PHY ID and flags
  iwlwifi: mvm: avoid use-after-free on iwl_mvm_d0i3_enable_tx()
  iwlwifi: mvm: clean net-detect info if device was reset during suspend
  iwlwifi: mvm: take the UCODE_DOWN reference when resuming
  iwlwifi: mvm: BT Coex - duplicate the command if sent ASYNC
  ...

9 years agosctp: Fix mangled IPv4 addresses on a IPv6 listening socket
Jason Gunthorpe [Tue, 26 May 2015 23:30:17 +0000 (17:30 -0600)]
sctp: Fix mangled IPv4 addresses on a IPv6 listening socket

sctp_v4_map_v6 was subtly writing and reading from members
of a union in a way the clobbered data it needed to read before
it read it.

Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
result.

Reorder things to guarantee correct behaviour no matter what the
union layout is.

This impacts user space clients that open an IPv6 SCTP socket and
receive IPv4 connections. Prior to 299ee user space would see a
sockaddr with AF_INET and a correct address, after 299ee the sockaddr
is AF_INET6, but the address is wrong.

Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet_sched: invoke ->attach() after setting dev->qdisc
WANG Cong [Tue, 26 May 2015 23:08:48 +0000 (16:08 -0700)]
net_sched: invoke ->attach() after setting dev->qdisc

For mq qdisc, we add per tx queue qdisc to root qdisc
for display purpose, however, that happens too early,
before the new dev->qdisc is finally set, this causes
q->list points to an old root qdisc which is going to be
freed right before assigning with a new one.

Fix this by moving ->attach() after setting dev->qdisc.

For the record, this fixes the following crash:

 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 975 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98()
 list_del corruption. prev->next should be ffff8800d1998ae8, but was 6b6b6b6b6b6b6b6b
 CPU: 1 PID: 975 Comm: tc Not tainted 4.1.0-rc4+ #1019
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  0000000000000009 ffff8800d73fb928 ffffffff81a44e7f 0000000047574756
  ffff8800d73fb978 ffff8800d73fb968 ffffffff810790da ffff8800cfc4cd20
  ffffffff814e725b ffff8800d1998ae8 ffffffff82381250 0000000000000000
 Call Trace:
  [<ffffffff81a44e7f>] dump_stack+0x4c/0x65
  [<ffffffff810790da>] warn_slowpath_common+0x9c/0xb6
  [<ffffffff814e725b>] ? __list_del_entry+0x5a/0x98
  [<ffffffff81079162>] warn_slowpath_fmt+0x46/0x48
  [<ffffffff81820eb0>] ? dev_graft_qdisc+0x5e/0x6a
  [<ffffffff814e725b>] __list_del_entry+0x5a/0x98
  [<ffffffff814e72a7>] list_del+0xe/0x2d
  [<ffffffff81822f05>] qdisc_list_del+0x1e/0x20
  [<ffffffff81820cd1>] qdisc_destroy+0x30/0xd6
  [<ffffffff81822676>] qdisc_graft+0x11d/0x243
  [<ffffffff818233c1>] tc_get_qdisc+0x1a6/0x1d4
  [<ffffffff810b5eaf>] ? mark_lock+0x2e/0x226
  [<ffffffff817ff8f5>] rtnetlink_rcv_msg+0x181/0x194
  [<ffffffff817ff72e>] ? rtnl_lock+0x17/0x19
  [<ffffffff817ff72e>] ? rtnl_lock+0x17/0x19
  [<ffffffff817ff774>] ? __rtnl_unlock+0x17/0x17
  [<ffffffff81855dc6>] netlink_rcv_skb+0x4d/0x93
  [<ffffffff817ff756>] rtnetlink_rcv+0x26/0x2d
  [<ffffffff818544b2>] netlink_unicast+0xcb/0x150
  [<ffffffff81161db9>] ? might_fault+0x59/0xa9
  [<ffffffff81854f78>] netlink_sendmsg+0x4fa/0x51c
  [<ffffffff817d6e09>] sock_sendmsg_nosec+0x12/0x1d
  [<ffffffff817d8967>] sock_sendmsg+0x29/0x2e
  [<ffffffff817d8cf3>] ___sys_sendmsg+0x1b4/0x23a
  [<ffffffff8100a1b8>] ? native_sched_clock+0x35/0x37
  [<ffffffff810a1d83>] ? sched_clock_local+0x12/0x72
  [<ffffffff810a1fd4>] ? sched_clock_cpu+0x9e/0xb7
  [<ffffffff810def2a>] ? current_kernel_time+0xe/0x32
  [<ffffffff810b4bc5>] ? lock_release_holdtime.part.29+0x71/0x7f
  [<ffffffff810ddebf>] ? read_seqcount_begin.constprop.27+0x5f/0x76
  [<ffffffff810b6292>] ? trace_hardirqs_on_caller+0x17d/0x199
  [<ffffffff811b14d5>] ? __fget_light+0x50/0x78
  [<ffffffff817d9808>] __sys_sendmsg+0x42/0x60
  [<ffffffff817d9838>] SyS_sendmsg+0x12/0x1c
  [<ffffffff81a50e97>] system_call_fastpath+0x12/0x6f
 ---[ end trace ef29d3fb28e97ae7 ]---

For long term, we probably need to clean up the qdisc_graft() code
in case it hides other bugs like this.

Fixes: 95dc19299f74 ("pkt_sched: give visibility to mq slave qdiscs")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoxen-netfront: properly destroy queues when removing device
David Vrabel [Wed, 27 May 2015 14:46:10 +0000 (15:46 +0100)]
xen-netfront: properly destroy queues when removing device

xennet_remove() freed the queues before freeing the netdevice which
results in a use-after-free when free_netdev() tries to delete the
napi instances that have already been freed.

Fix this by fully destroy the queues (which includes deleting the napi
instances) before freeing the netdevice.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Wed, 27 May 2015 18:00:50 +0000 (11:00 -0700)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull x86 fixes from Ingo Molnar:
 "This tree includes:

   - a fix that disables the compacted FPU XSAVE format by disabling
     XSAVES support: the fixes are too complex and the breakages
     ABI-affecting, so we want this to be quirked off in a robust way
     and backported, to make sure no broken kernel is exposed to the new
     hardware (which exposure is still very limited).

   - an MCE printk message fix

   - a documentation fix"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/fpu: Disable XSAVES* support for now
  x86/Documentation: Update the contact email for L3 cache index disable functionality
  x86/mce: Fix MCE severity messages

9 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88...
Linus Torvalds [Wed, 27 May 2015 17:52:13 +0000 (10:52 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mattst88/alpha

Pull alpha updates from Matt Turner:
 "Please pull a small collection of patches that I've been neglecting.

  Probably most importantly are the patches that wire up the new
  syscalls needed by udev and the fix to the bootp{,z}file targets"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha:
  alpha: kernel: osf_sys: Set 'kts.tv_nsec' only when 'tv' has effect
  alpha: Wire up all missing implemented syscalls
  alpha: Fix bootpfile and bootpzfile make targets
  alpha: copy_thread(): rename 'arg' argument to 'kthread_arg'
  alpha: delete non-required instances of <linux/init.h>
  alpha: don't use module_init for non-modular core code
  smp, alpha: kill SMP single function call interrupt
  alpha: Remove #include <uapi/asm/types.h> from <asm/types.h>
  alpha: clean up unnecessary MSI/MSI-X capability find

9 years agomlx4_core: Fix fallback from MSI-X to INTx
Benjamin Poirier [Fri, 22 May 2015 23:12:26 +0000 (16:12 -0700)]
mlx4_core: Fix fallback from MSI-X to INTx

The test in mlx4_load_one() to remove MLX4_FLAG_MSI_X expects mlx4_NOP() to
fail with -EBUSY. It is also necessary to avoid the reset since the device
is not fully reinitialized before calling mlx4_start_hca() a second time.

Note that this will also affect mlx4_test_interrupts(), the only other user
of MLX4_CMD_NOP.

Fixes: f5aef5a ("net/mlx4_core: Activate reset flow upon fatal command cases")
Signed-off-by: Benjamin Poirier <bpoirier@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agolguest: fix out-by-one error in address checking.
Rusty Russell [Wed, 27 May 2015 01:29:26 +0000 (10:59 +0930)]
lguest: fix out-by-one error in address checking.

This bug has been there since day 1; addresses in the top guest physical
page weren't considered valid.  You could map that page (the check in
check_gpte() is correct), but if a guest tried to put a pagetable there
we'd check that address manually when walking it, and kill the guest.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
9 years agoxen/netback: Properly initialize credit_bytes
Ross Lagerwall [Wed, 27 May 2015 10:44:32 +0000 (11:44 +0100)]
xen/netback: Properly initialize credit_bytes

Commit e9ce7cb6b107 ("xen-netback: Factor queue-specific data into queue
struct") introduced a regression when moving queue-specific data into
the queue struct by failing to set the credit_bytes field. This
prevented bandwidth limiting from working. Initialize the field as it
was done before multiqueue support was added.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge branch 'overlayfs-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mszere...
Linus Torvalds [Wed, 27 May 2015 16:47:57 +0000 (09:47 -0700)]
Merge branch 'overlayfs-next' of git://git./linux/kernel/git/mszeredi/vfs

Pull two overlayfs fixes from Miklos Szeredi:
 "Overlayfs rmdir() failed to check for emptiness in one case; this was
  introduced in 4.0.  The other bug was there since day one: failure to
  mount if upper fs is full, which bit some OpenWRT folks"

* 'overlayfs-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  ovl: mount read-only if workdir can't be created
  ovl: don't remove non-empty opaque directory

9 years agoMerge tag 'mfd-fixes-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
Linus Torvalds [Wed, 27 May 2015 16:06:59 +0000 (09:06 -0700)]
Merge tag 'mfd-fixes-4.1' of git://git./linux/kernel/git/lee/mfd

Pull an MFD fix from Lee Jones:
 "One simple fix to repair broken regulator probe() in DA9052"

* tag 'mfd-fixes-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
  mfd: da9052: Fix broken regulator probe

9 years agoMerge tag 'backlight-fixes-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Wed, 27 May 2015 15:56:21 +0000 (08:56 -0700)]
Merge tag 'backlight-fixes-4.1' of git://git./linux/kernel/git/lee/backlight

Pull backlight fix from Lee Jones:
 "One simple fix to correctly handle -EPROBE_DEFER"

* tag 'backlight-fixes-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
  backlight: pwm: Handle EPROBE_DEFER while requesting the PWM

9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Linus Torvalds [Wed, 27 May 2015 15:40:44 +0000 (08:40 -0700)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

Pull crypto fix from Herbert Xu:
 "This disables the newly (4.1) added user-space AEAD interface so that
  we can fix issues in the underlying kernel AEAD interface.  Once the
  new kernel AEAD interface is ready we can then reenable the user-space
  AEAD interface"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: algif_aead - Disable AEAD user-space for now

9 years agomfd: da9052: Fix broken regulator probe
Johan Hovold [Fri, 15 May 2015 14:27:40 +0000 (16:27 +0200)]
mfd: da9052: Fix broken regulator probe

Fix broken probe of da9052 regulators, which since commit b3f6c73db732
("mfd: da9052-core: Fix platform-device id collision") use a
non-deterministic platform-device id to retrieve static regulator
information. Fortunately, adequate error handling was in place so probe
would simply fail with an error message.

Update the mfd-cell ids to be zero-based and use those to identify the
cells when probing the regulator devices.

Fixes: b3f6c73db732 ("mfd: da9052-core: Fix platform-device id collision")
Cc: stable <stable@vger.kernel.org> # v3.19
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
9 years agonet: netxen: correct sysfs bin attribute return code
Vladimir Zapolskiy [Tue, 26 May 2015 00:50:04 +0000 (03:50 +0300)]
net: netxen: correct sysfs bin attribute return code

If read() syscall requests unexpected number of bytes from "dimm" binary
attribute file, return EINVAL instead of EPERM.

At the same time pin down sysfs file size to the fixed
sizeof(struct netxen_dimm_cfg), which allows to exploit some missing
sanity checks from kernfs (file boundary checks vs offset etc.)

Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agotools: bpf_jit_disasm: fix segfault on disabled debugging log output
Daniel Borkmann [Mon, 25 May 2015 12:08:03 +0000 (14:08 +0200)]
tools: bpf_jit_disasm: fix segfault on disabled debugging log output

With recent debugging, I noticed that bpf_jit_disasm segfaults when
there's no debugging output from the JIT compiler to the kernel log.

Reason is that when regexec(3) doesn't match on anything, start/end
offsets are not being filled out and contain some uninitialized garbage
from stack. Thus, we need zero out offsets first.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agounix/caif: sk_socket can disappear when state is unlocked
Mark Salyzyn [Tue, 26 May 2015 15:22:19 +0000 (08:22 -0700)]
unix/caif: sk_socket can disappear when state is unlocked

got a rare NULL pointer dereference in clear_bit

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoamd-xgbe-phy: Fix initial mode when autoneg is disabled
Lendacky, Thomas [Tue, 26 May 2015 14:51:49 +0000 (09:51 -0500)]
amd-xgbe-phy: Fix initial mode when autoneg is disabled

When the ethtool command is used to set the speed of the device while
the device is down, the check to set the initial mode may fail when
the device is brought up, causing failure to bring the device up.

Update the code to set the initial mode based on the desired speed if
auto-negotiation is disabled.

This patch fixes a bug introduced by:
d9663c8c2149 ("amd-xgbe-phy: Use phydev advertising field vs supported")

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge tag 'mac80211-for-davem-2015-05-26' of git://git.kernel.org/pub/scm/linux/kerne...
David S. Miller [Tue, 26 May 2015 23:38:53 +0000 (19:38 -0400)]
Merge tag 'mac80211-for-davem-2015-05-26' of git://git./linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
We have three more fixes:
 * AP_VLAN tailroom calculation fix, the bug leads to warnings
   along with dropped packets
 * NAPI context issue, calling napi_gro_receive() from a timer
   (obviously) can lead to crashes
 * remain-on-channel combining leads to dropped requests and not
   being able to finish certain operations, so remove it
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoalpha: kernel: osf_sys: Set 'kts.tv_nsec' only when 'tv' has effect
Chen Gang [Mon, 18 May 2015 04:37:08 +0000 (12:37 +0800)]
alpha: kernel: osf_sys: Set 'kts.tv_nsec' only when 'tv' has effect

The related warning:

    CC      init/do_mounts.o
  arch/alpha/kernel/osf_sys.c: In function 'SyS_osf_settimeofday':
  arch/alpha/kernel/osf_sys.c:1028:14: warning: 'kts.tv_nsec' may be used uninitialized in this function [-Wmaybe-uninitialized]
    kts.tv_nsec *= 1000;
                ^
  arch/alpha/kernel/osf_sys.c:1016:18: note: 'kts' was declared here
    struct timespec kts;
                    ^

Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agoalpha: Wire up all missing implemented syscalls
Chen Gang [Mon, 18 May 2015 04:36:50 +0000 (12:36 +0800)]
alpha: Wire up all missing implemented syscalls

And still left the missing unimplemented syscalls as warnings. The
related warnings for missing implemented syscalls:

    CALL    scripts/checksyscalls.sh
  <stdin>:1241:2: warning: #warning syscall getrandom not implemented [-Wcpp]
  <stdin>:1244:2: warning: #warning syscall memfd_create not implemented [-Wcpp]
  <stdin>:1250:2: warning: #warning syscall execveat not implemented [-Wcpp]

Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agoalpha: Fix bootpfile and bootpzfile make targets
Helge Deller [Mon, 23 Mar 2015 21:47:21 +0000 (22:47 +0100)]
alpha: Fix bootpfile and bootpzfile make targets

Fix the bootpfile and bootpzfile make targets to creat BOOTP images.
Both targets were broken due to some missing defines to re-map ELF
constants. In addition the old code used the generic vsprintf function
of the kernel which we now replace by a simple and much smaller
implementation for the bootloader.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agoalpha: copy_thread(): rename 'arg' argument to 'kthread_arg'
Alex Dowad [Fri, 13 Mar 2015 18:04:17 +0000 (20:04 +0200)]
alpha: copy_thread(): rename 'arg' argument to 'kthread_arg'

The 'arg' argument to copy_thread() is only ever used when forking a new
kernel thread. Hence, rename it to 'kthread_arg' for clarity (and consistency
with do_fork() and other arch-specific implementations of copy_thread()).

Signed-off-by: Alex Dowad <alexinbeijing@gmail.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agoalpha: delete non-required instances of <linux/init.h>
Paul Gortmaker [Tue, 21 Jan 2014 21:22:40 +0000 (16:22 -0500)]
alpha: delete non-required instances of <linux/init.h>

None of these files are actually using any __init type directives
and hence don't need to include <linux/init.h>.  Most are just a
left over from __devinit and __cpuinit removal, or simply due to
code getting copied from one driver to the next.

Acked-by: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: linux-alpha@vger.kernel.org
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agoalpha: don't use module_init for non-modular core code
Paul Gortmaker [Fri, 10 Jan 2014 22:02:02 +0000 (17:02 -0500)]
alpha: don't use module_init for non-modular core code

The srm console is always built in.  It will never be modular,
so using module_init as an alias for __initcall is rather
misleading.

Fix this up now, so that we can relocate module_init from
init.h into module.h in the future.  If we don't do this, we'd
have to add module.h to obviously non-modular code, and that
would be a worse thing.

Direct use of __initcall is discouraged, vs prioritized ones.
Use of device_initcall is consistent with what __initcall
maps onto, and hence does not change the init order, making the
impact of this change zero.   Should someone with real hardware
for boot testing want to change it later to arch_initcall or
console_initcall, they can do that at a later date.

Reviewed-by: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Acked-by: Matt Turner <mattst88@gmail.com>
Cc: linux-alpha@vger.kernel.org
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agosmp, alpha: kill SMP single function call interrupt
Jiang Liu [Sun, 15 Dec 2013 16:36:25 +0000 (00:36 +0800)]
smp, alpha: kill SMP single function call interrupt

Commit 9a46ad6d6df3b54 "smp: make smp_call_function_many() use logic
similar to smp_call_function_single()" has unified the way to handle
single and multiple cross-CPU function calls. Now only one interrupt
is needed for architecture specific code to support generic SMP function
call interfaces, so kill the redundant single function call interrupt.

Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Shaohua Li <shli@kernel.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Jiri Kosina <trivial@kernel.org>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Acked-by: Matt Turner <mattst88@gmail.com>
Cc: linux-alpha@vger.kernel.org
Signed-off-by: Jiang Liu <liuj97@gmail.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agoalpha: Remove #include <uapi/asm/types.h> from <asm/types.h>
Geert Uytterhoeven [Mon, 25 Nov 2013 08:55:22 +0000 (09:55 +0100)]
alpha: Remove #include <uapi/asm/types.h> from <asm/types.h>

Everything in arch/alpha/include/uapi/asm/types.h is protected by
"#ifndef __KERNEL__", so it's unused for kernelspace.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Acked-by: Matt Turner <mattst88@gmail.com>
Cc: linux-alpha@vger.kernel.org
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agoalpha: clean up unnecessary MSI/MSI-X capability find
Yijing Wang [Thu, 8 Aug 2013 13:13:54 +0000 (21:13 +0800)]
alpha: clean up unnecessary MSI/MSI-X capability find

PCI core will initialize device MSI/MSI-X capability in
pci_msi_init_pci_dev(). So device driver should use
pci_dev->msi_cap/msix_cap to determine whether the device
support MSI/MSI-X instead of using
pci_find_capability(pci_dev, PCI_CAP_ID_MSI/MSIX).
Access to PCIe device config space again will consume more time.

Signed-off-by: Yijing Wang <wangyijing@huawei.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Acked-by: Matt Turner <mattst88@gmail.com>
Cc: Phil Carmody <pc+lkml@asdf.org>
Cc: linux-alpha@vger.kernel.org
Signed-off-by: Matt Turner <mattst88@gmail.com>
9 years agocrypto: algif_aead - Disable AEAD user-space for now
Herbert Xu [Tue, 26 May 2015 07:32:42 +0000 (15:32 +0800)]
crypto: algif_aead - Disable AEAD user-space for now

The newly added AEAD user-space isn't quite ready for prime time
just yet.  In particular it is conflicting with the AEAD single
SG list interface change so this patch disables it now.

Once the SG list stuff is completely done we can then renable
this interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agobacklight: pwm: Handle EPROBE_DEFER while requesting the PWM
Nicolas Ferre [Thu, 19 Feb 2015 09:30:14 +0000 (10:30 +0100)]
backlight: pwm: Handle EPROBE_DEFER while requesting the PWM

When trying to request the PWM device with devm_pwm_get(), the EPROBE_DEFER
flag is not handled properly. It can lead to the PWM not being found.

Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
9 years agoMerge branch 'phyter-bug-fixes'
David S. Miller [Mon, 25 May 2015 22:22:00 +0000 (18:22 -0400)]
Merge branch 'phyter-bug-fixes'

Richard Cochran says:

====================
phyter bug fixes

While working on a project using the phyter, I noticed some bugs that
have crept in over time.  This series fixes those bugs.  These patches
are also meant for stable.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: dp83640: fix improper double spin locking.
Richard Cochran [Mon, 25 May 2015 09:55:45 +0000 (11:55 +0200)]
net: dp83640: fix improper double spin locking.

A pair of nested spin locks was introduced in commit 63502b8d0
"dp83640: Fix receive timestamp race condition".

Unfortunately the 'flags' parameter was reused for the inner lock,
clobbering the originally saved IRQ state.  This patch fixes the issue
by changing the inner lock to plain spin_lock without irqsave.

Signed-off-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: dp83640: reinforce locking rules.
Richard Cochran [Mon, 25 May 2015 09:55:44 +0000 (11:55 +0200)]
net: dp83640: reinforce locking rules.

Callers of the ext_write function are supposed to hold a mutex that
protects the state of the dialed page, but one caller was missing the
lock from the very start, and over time the code has been changed
without following the rule.  This patch cleans up the call sites in
violation of the rule.

Signed-off-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: dp83640: fix broken calibration routine.
Richard Cochran [Mon, 25 May 2015 09:55:43 +0000 (11:55 +0200)]
net: dp83640: fix broken calibration routine.

Currently, the calibration function that corrects the initial offsets
among multiple devices only works the first time.  If the function is
called more than once, the calibration fails and bogus offsets will be
programmed into the devices.

In a well hidden spot, the device documentation tells that trigger indexes
0 and 1 are special in allowing the TRIG_IF_LATE flag to actually work.

This patch fixes the issue by using one of the special triggers during the
recalibration method.

Signed-off-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge tag 'pinctrl-v4.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw...
Linus Torvalds [Mon, 25 May 2015 22:15:54 +0000 (15:15 -0700)]
Merge tag 'pinctrl-v4.1-4' of git://git./linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 "Here are some three pin control fixes for the v4.1 cycle, all
  driver-specific.  Business as usual and calm as it should be in this
  portion of the merge window.

   - IRQ trigger fix for the Intel Cherryview

   - GPIO-to-pin mapping fix for the Cygnus driver

   - GPIO-to-pin mapping fix for the Meson8b driver"

* tag 'pinctrl-v4.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: Fix gpio/pin mapping for Meson8b
  pinctrl: cygnus: fixed incorrect GPIO-pin mapping
  pinctrl: cherryview: Read triggering type from HW if not set when requested

9 years agoMerge tag 'gpio-v4.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux...
Linus Torvalds [Mon, 25 May 2015 22:10:59 +0000 (15:10 -0700)]
Merge tag 'gpio-v4.1-3' of git://git./linux/kernel/git/linusw/linux-gpio

Pull GPIO fixes from Linus Walleij:
 "Here are two GPIO fixes targeted for stable:

   - a leak in gpiochip_add path destined for stable

   - a kempld driver bug destined for stable"

* tag 'gpio-v4.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio: gpio-kempld: Fix get_direction return value
  gpio: fix gpio leak in gpiochip_add error path

9 years agonet: stmmac: create one debugfs dir per net-device
Mathieu Olivari [Sat, 23 May 2015 02:03:29 +0000 (19:03 -0700)]
net: stmmac: create one debugfs dir per net-device

stmmac DebugFS entries are currently global to the driver. As a result,
having more than one stmmac device in the system creates the following
error:
* ERROR stmmaceth, debugfs create directory failed
* stmmac_hw_setup: failed debugFS registration

This also results in being able to access the debugfs information for
the first registered device only.

This patch changes the debugfs structure to have one sub-directory per
net-device. Files under "/sys/kernel/debug/stmmaceth" will now show-up
under /sys/kernel/debug/stmmaceth/ethN/.

Signed-off-by: Mathieu Olivari <mathieu@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet/ibm/emac: fix size of emac dump memory areas
Ivan Mikhaylov [Thu, 21 May 2015 15:11:02 +0000 (19:11 +0400)]
net/ibm/emac: fix size of emac dump memory areas

Fix in send of emac regs dump to ethtool which
causing in wrong data interpretation on ethtool
layer for MII and EMAC.

Signed-off-by: Ivan Mikhaylov <ivan@ru.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge tag 'wireless-drivers-for-davem-2015-05-25' of git://git.kernel.org/pub/scm...
David S. Miller [Mon, 25 May 2015 17:08:59 +0000 (13:08 -0400)]
Merge tag 'wireless-drivers-for-davem-2015-05-25' of git://git./linux/kernel/git/kvalo/wireless-drivers

Kalle Valo says:

====================
iwlwifi:

* fix firmware name and other things to enable 3165
* fix bad APMG configuration for 8000 (no AMPG on these devices)
* fix MAC address assignment for 8000
* fix firmware debugging triggers (MLME)
* fix several bugs in low power states code (net-detect, d0i3)

ssb:

* fix reboot after device reset for WRT350N v1
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agox86: bpf_jit: fix compilation of large bpf programs
Alexei Starovoitov [Fri, 22 May 2015 22:42:55 +0000 (15:42 -0700)]
x86: bpf_jit: fix compilation of large bpf programs

x86 has variable length encoding. x86 JIT compiler is trying
to pick the shortest encoding for given bpf instruction.
While doing so the jump targets are changing, so JIT is doing
multiple passes over the program. Typical program needs 3 passes.
Some very short programs converge with 2 passes. Large programs
may need 4 or 5. But specially crafted bpf programs may hit the
pass limit and if the program converges on the last iteration
the JIT compiler will be producing an image full of 'int 3' insns.
Fix this corner case by doing final iteration over bpf program.

Fixes: 0a14842f5a3c ("net: filter: Just In Time compiler for x86-64")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Tested-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: phy: bcm7xxx: Fix 7425 PHY ID and flags
Florian Fainelli [Fri, 22 May 2015 21:07:30 +0000 (14:07 -0700)]
net: phy: bcm7xxx: Fix 7425 PHY ID and flags

While adding support for 7425 PHY in the 7xxx PHY driver, the ID that
was used was actually coming from an external PHY: a BCM5461x. Fix this
by using the proper ID for the internal 7425 PHY and set the
PHY_IS_INTERNAL flag, otherwise consumers of this PHY driver would not
be able to properly identify it as such.

Fixes: d068b02cfdfc2 ("net: phy: add BCM7425 and BCM7429 PHYs")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Petri Gynther <pgynther@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoLinux 4.1-rc5
Linus Torvalds [Mon, 25 May 2015 01:22:35 +0000 (18:22 -0700)]
Linux 4.1-rc5

9 years agoMerge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Linus Torvalds [Sun, 24 May 2015 18:15:28 +0000 (11:15 -0700)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is a set of five fixes: Two MAINTAINER email updates (urgent
  because the non-avagotech emails will start bouncing) an lpfc big
  endian oops fix, a 256 byte sector hang fix (to eliminate 256 byte
  sectors) and a storvsc fix which could cause test unit ready failures
  on bringup"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  MAINTAINERS: Revise lpfc maintainers for Avago Technologies ownership of Emulex
  MAINTAINERS, be2iscsi: change email domain
  sd: Disable support for 256 byte/sector disks
  lpfc: Fix breakage on big endian kernels
  storvsc: Set the SRB flags correctly when no data transfer is needed

9 years agoMerge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 24 May 2015 00:57:40 +0000 (17:57 -0700)]
Merge branch 'timers-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull timer fix from Thomas Gleixner:
 "One more fix from the timer departement:

    - Handle division of negative nanosecond values proper on 32bit.

      A recent cleanup wrecked the sign handling of the dividend and
      dropped the check for negative divisors"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  ktime: Fix ktime_divns to do signed division

9 years agoMerge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 24 May 2015 00:33:10 +0000 (17:33 -0700)]
Merge branch 'irq-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull irqchip fix from Thomas Gleixner:
 "A fix for a GIC-V3 irqchip regression which prevents some systems from
  booting"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip/gicv3-its: ITS table size should not be smaller than PSZ

9 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph...
Linus Torvalds [Sat, 23 May 2015 18:28:25 +0000 (11:28 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client

Pull two Ceph fixes from Sage Weil:
 "These fix an issue with the RBD notifications when there are topology
  changes in the cluster"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  Revert "libceph: clear r_req_lru_item in __unregister_linger_request()"
  libceph: request a new osdmap if lingering request maps to no osd

9 years agoMerge branch 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mason...
Linus Torvalds [Sat, 23 May 2015 18:14:10 +0000 (11:14 -0700)]
Merge branch 'for-linus-4.1' of git://git./linux/kernel/git/mason/linux-btrfs

Pull btrfs fixes from Chris Mason:
 "I fixed up a regression from 4.0 where conversion between different
  raid levels would sometimes bail out without converting.

  Filipe tracked down a race where it was possible to double allocate
  chunks on the drive.

  Mark has a fix for fiemap.  All three will get bundled off for stable
  as well"

* 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: fix regression in raid level conversion
  Btrfs: fix racy system chunk allocation when setting block group ro
  btrfs: clear 'ret' in btrfs_check_shared() loop

9 years agoMerge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Sat, 23 May 2015 00:34:24 +0000 (17:34 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "Radeon has two displayport fixes, one for a regression.

  i915 regression flicker fix needed so 4.0 can get fixed.

  A bunch of msm fixes and a bunch of exynos fixes, these two are
  probably a bit larger than I'd like, but most of them seems pretty
  good"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (29 commits)
  drm/radeon: fix error flag checking in native aux path
  drm/radeon: retry dcpd fetch
  drm/msm/mdp5: fix incorrect parameter for msm_framebuffer_iova()
  drm/exynos: dp: Lower level of EDID read success message
  drm/exynos: cleanup exynos_drm_plane
  drm/exynos: 'win' is always unsigned
  drm/exynos: mixer: don't dump registers under spinlock
  drm/exynos: Consolidate return statements in fimd_bind()
  drm/exynos: Constify exynos_drm_crtc_ops
  drm/exynos: Fix build breakage on !DRM_EXYNOS_FIMD
  drm/exynos: mixer: Constify platform_device_id
  drm/exynos: mixer: cleanup pixelformat handling
  drm/exynos: mixer: also allow NV21 for the video processor
  drm/exynos: mixer: remove buffer count handling in vp_video_buffer()
  drm/exynos: plane: honor buffer offset for dma_addr
  drm/exynos: fb: use drm_format_num_planes to get buffer count
  drm/i915: fix screen flickering
  drm/msm: fix locking inconsistencies in gpu->destroy()
  drm/msm/dsi: Simplify the code to get the number of read byte
  drm/msm: Attach assigned encoder to eDP and DSI connectors
  ...

9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Fri, 22 May 2015 22:44:50 +0000 (15:44 -0700)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Don't leak ipvs->sysctl_tbl, from Tommi Rentala.

 2) Fix neighbour table entry leak in rocker driver, from Ying Xue.

 3) Do not emit bonding notifications for unregistered interfaces, from
    Nicolas Dichtel.

 4) Set ipv6 flow label properly when in TIME_WAIT state, from Florent
    Fourcot.

 5) Fix regression in ipv6 multicast filter test, from Henning Rogge.

 6) do_replace() in various footables netfilter modules is missing a
    check for 0 counters in the datastructure provided by the user.  Fix
    from Dave Jones, and found with trinity.

 7) Fix RCU bug in packet scheduler classifier module unloads, from
    Daniel Borkmann.

 8) Avoid deadlock in tcp_get_info() by using u64_sync.  From Eric
    Dumzaet.

 9) Input packet processing can race with inetdev_destroy() teardown,
    fix potential OOPS in ip_error() by explicitly testing whether the
    inetdev is still attached.  From Eric W Biederman.

10) MLDv2 parser in bridge multicast code breaks too early while
    parsing.  Fix from Thadeu Lima de Souza Cascardo.

11) Asking for settings on non-zero PHYID doesn't work because we do not
    import the command structure from the user and use the PHYID
    provided there.  Fix from Arun Parameswaran.

12) Fix UDP checksums with IPV6 RAW sockets, from Vlad Yasevich.

13) Missing NF_TABLES depends for TPROXY etc can cause build failures,
    fix from Florian Westphal.

14) Fix netfilter conntrack to handle RFC5961 challenge ACKs properly,
    from Jesper Dangaard Brouer.

15) If netlink autobind retry fails, we have to reset the sockets portid
    back to zero.  From Herbert Xu.

16) VXLAN netns exit code unregisters using wrong device, from John W
    Linville.

17) Add some USB device IDs to ath3k and btusb bluetooth drivers, from
    Dmitry Tunin and Wen-chien Jesse Sung.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
  bridge: fix lockdep splat
  net: core: 'ethtool' issue with querying phy settings
  bridge: fix parsing of MLDv2 reports
  ARM: zynq: DT: Use the zynq binding with macb
  net: macb: Disable half duplex gigabit on Zynq
  net: macb: Document zynq gem dt binding
  ipv4: fill in table id when replacing a route
  cdc_ncm: Fix tx_bytes statistics
  ipv4: Avoid crashing in ip_error
  tcp: fix a potential deadlock in tcp_get_info()
  net: sched: fix call_rcu() race on classifier module unloads
  net: phy: Make sure phy_start() always re-enables the phy interrupts
  ipv6: fix ECMP route replacement
  ipv6: do not delete previously existing ECMP routes if add fails
  Revert "netfilter: bridge: query conntrack about skb dnat"
  netfilter: ensure number of counters is >0 in do_replace()
  netfilter: nfnetlink_{log,queue}: Register pernet in first place
  tcp: don't over-send F-RTO probes
  tcp: only undo on partial ACKs in CA_Loss
  net/ipv6/udp: Fix ipv6 multicast socket filter regression
  ...

9 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-block
Linus Torvalds [Fri, 22 May 2015 22:15:30 +0000 (15:15 -0700)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
 "Three small fixes that have been picked up the last few weeks.
  Specifically:

   - Fix a memory corruption issue in NVMe with malignant user
     constructed request.  From Christoph.

   - Kill (now) unused blk_queue_bio(), dm was changed to not need this
     anymore.  From Mike Snitzer.

   - Always use blk_schedule_flush_plug() from the io_schedule() path
     when flushing a plug, fixing a !TASK_RUNNING warning with md.  From
     Shaohua"

* 'for-linus' of git://git.kernel.dk/linux-block:
  sched: always use blk_schedule_flush_plug in io_schedule_out
  nvme: fix kernel memory corruption with short INQUIRY buffers
  block: remove export for blk_queue_bio

9 years agoMerge tag 'md/4.1-rc4-fixes' of git://neil.brown.name/md
Linus Torvalds [Fri, 22 May 2015 22:10:07 +0000 (15:10 -0700)]
Merge tag 'md/4.1-rc4-fixes' of git://neil.brown.name/md

Pull md bugfixes from Neil Brown:
 "I have a few more raid5 bugfixes pending, but I want them to get a bit
  more review first.  In the meantime:

   - one serious RAID0 data corruption - caused by recent bugfix that
     wasn't reviewed properly.

   - one raid5 fix in new code (a couple more of those to come).

   - one little fix to stop static analysis complaining about silly rcu
     annotation"

* tag 'md/4.1-rc4-fixes' of git://neil.brown.name/md:
  md/bitmap: remove rcu annotation from pointer arithmetic.
  md/raid0: fix restore to sector variable in raid0_make_request
  raid5: fix broken async operation chain

9 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Linus Torvalds [Fri, 22 May 2015 21:49:55 +0000 (14:49 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

Pull input fixes from Dmitry Torokhov:
 "Updates for the input subsystem.

  The main change is that we tell joydev not to touch "absolute mice",
  such as VMware virtual mouse, as that produced bad result (cursor
  stuck in upper right corner) with games"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: smtpe-ts - wait 50mS until polling for pen-up
  Input: smtpe-ts - use msecs_to_jiffies() instead of HZ
  Input: joydev - don't classify the vmmouse as a joystick
  Input: vmmouse - do not reference non-existing version of X driver
  Input: alps - fix finger jumps on lifting 2 fingers on v7 touchpad
  Input: elantech - fix semi-mt protocol for v3 HW
  Input: sx8654 - fix memory allocation check

9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Linus Torvalds [Fri, 22 May 2015 21:26:36 +0000 (14:26 -0700)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

Pull another crypto fix from Herbert Xu:
 "Fix ICV corruption in s390/ghash when the same tfm is used by more
  than one thread"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: s390/ghash - Fix incorrect ghash icv buffer handling.

9 years agobridge: fix lockdep splat
Eric Dumazet [Thu, 21 May 2015 20:28:29 +0000 (13:28 -0700)]
bridge: fix lockdep splat

Following lockdep splat was reported :

[   29.382286] ===============================
[   29.382315] [ INFO: suspicious RCU usage. ]
[   29.382344] 4.1.0-0.rc0.git11.1.fc23.x86_64 #1 Not tainted
[   29.382380] -------------------------------
[   29.382409] net/bridge/br_private.h:626 suspicious
rcu_dereference_check() usage!
[   29.382455]
               other info that might help us debug this:

[   29.382507]
               rcu_scheduler_active = 1, debug_locks = 0
[   29.382549] 2 locks held by swapper/0/0:
[   29.382576]  #0:  (((&p->forward_delay_timer))){+.-...}, at:
[<ffffffff81139f75>] call_timer_fn+0x5/0x4f0
[   29.382660]  #1:  (&(&br->lock)->rlock){+.-...}, at:
[<ffffffffa0450dc1>] br_forward_delay_timer_expired+0x31/0x140
[bridge]
[   29.382754]
               stack backtrace:
[   29.382787] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
4.1.0-0.rc0.git11.1.fc23.x86_64 #1
[   29.382838] Hardware name: LENOVO 422916G/LENOVO, BIOS A1KT53AUS 04/07/2015
[   29.382882]  0000000000000000 3ebfc20364115825 ffff880666603c48
ffffffff81892d4b
[   29.382943]  0000000000000000 ffffffff81e124e0 ffff880666603c78
ffffffff8110bcd7
[   29.383004]  ffff8800785c9d00 ffff88065485ac58 ffff880c62002800
ffff880c5fc88ac0
[   29.383065] Call Trace:
[   29.383084]  <IRQ>  [<ffffffff81892d4b>] dump_stack+0x4c/0x65
[   29.383130]  [<ffffffff8110bcd7>] lockdep_rcu_suspicious+0xe7/0x120
[   29.383178]  [<ffffffffa04520f9>] br_fill_ifinfo+0x4a9/0x6a0 [bridge]
[   29.383225]  [<ffffffffa045266b>] br_ifinfo_notify+0x11b/0x4b0 [bridge]
[   29.383271]  [<ffffffffa0450d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
[   29.383320]  [<ffffffffa0450de8>]
br_forward_delay_timer_expired+0x58/0x140 [bridge]
[   29.383371]  [<ffffffffa0450d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
[   29.383416]  [<ffffffff8113a033>] call_timer_fn+0xc3/0x4f0
[   29.383454]  [<ffffffff81139f75>] ? call_timer_fn+0x5/0x4f0
[   29.383493]  [<ffffffff8110a90f>] ? lock_release_holdtime.part.29+0xf/0x200
[   29.383541]  [<ffffffffa0450d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
[   29.383587]  [<ffffffff8113a6a4>] run_timer_softirq+0x244/0x490
[   29.383629]  [<ffffffff810b68cc>] __do_softirq+0xec/0x670
[   29.383666]  [<ffffffff810b70d5>] irq_exit+0x145/0x150
[   29.383703]  [<ffffffff8189f506>] smp_apic_timer_interrupt+0x46/0x60
[   29.383744]  [<ffffffff8189d523>] apic_timer_interrupt+0x73/0x80
[   29.383782]  <EOI>  [<ffffffff816f131f>] ? cpuidle_enter_state+0x5f/0x2f0
[   29.383832]  [<ffffffff816f131b>] ? cpuidle_enter_state+0x5b/0x2f0

Problem here is that br_forward_delay_timer_expired() is a timer
handler, calling br_ifinfo_notify() which assumes either rcu_read_lock()
or RTNL are held.

Simplest fix seems to add rcu read lock section.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
Reported-by: Dominick Grift <dac.override@gmail.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: core: 'ethtool' issue with querying phy settings
Arun Parameswaran [Wed, 20 May 2015 21:35:30 +0000 (14:35 -0700)]
net: core: 'ethtool' issue with querying phy settings

When trying to configure the settings for PHY1, using commands
like 'ethtool -s eth0 phyad 1 speed 100', the 'ethtool' seems to
modify other settings apart from the speed of the PHY1, in the
above case.

The ethtool seems to query the settings for PHY0, and use this
as the base to apply the new settings to the PHY1. This is
causing the other settings of the PHY 1 to be wrongly
configured.

The issue is caused by the '_ethtool_get_settings()' API, which
gets called because of the 'ETHTOOL_GSET' command, is clearing
the 'cmd' pointer (of type 'struct ethtool_cmd') by calling
memset. This clears all the parameters (if any) passed for the
'ETHTOOL_GSET' cmd. So the driver's callback is always invoked
with 'cmd->phy_address' as '0'.

The '_ethtool_get_settings()' is called from other files in the
'net/core'. So the fix is applied to the 'ethtool_get_settings()'
which is only called in the context of the 'ethtool'.

Signed-off-by: Arun Parameswaran <aparames@broadcom.com>
Reviewed-by: Ray Jui <rjui@broadcom.com>
Reviewed-by: Scott Branden <sbranden@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agobridge: fix parsing of MLDv2 reports
Thadeu Lima de Souza Cascardo [Fri, 22 May 2015 15:18:59 +0000 (12:18 -0300)]
bridge: fix parsing of MLDv2 reports

When more than a multicast address is present in a MLDv2 report, all but
the first address is ignored, because the code breaks out of the loop if
there has not been an error adding that address.

This has caused failures when two guests connected through the bridge
tried to communicate using IPv6. Neighbor discoveries would not be
transmitted to the other guest when both used a link-local address and a
static address.

This only happens when there is a MLDv2 querier in the network.

The fix will only break out of the loop when there is a failure adding a
multicast address.

The mdb before the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp

After the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::fb temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp
dev ovirtmgmt port bond0.86 grp ff02::d temp
dev ovirtmgmt port vnet0 grp ff02::1:ff00:76 temp
dev ovirtmgmt port bond0.86 grp ff02::16 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff00:77 temp
dev ovirtmgmt port bond0.86 grp ff02::1:ff00:def temp
dev ovirtmgmt port bond0.86 grp ff02::1:ffa1:40bf temp

Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
Reported-by: Rik Theys <Rik.Theys@esat.kuleuven.be>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Tested-by: Rik Theys <Rik.Theys@esat.kuleuven.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoARM: zynq: DT: Use the zynq binding with macb
Nathan Sullivan [Fri, 22 May 2015 14:22:11 +0000 (09:22 -0500)]
ARM: zynq: DT: Use the zynq binding with macb

Use the new zynq binding for macb ethernet, since it will disable half
duplex gigabit like the Zynq TRM says to do.

Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: macb: Disable half duplex gigabit on Zynq
Nathan Sullivan [Fri, 22 May 2015 14:22:10 +0000 (09:22 -0500)]
net: macb: Disable half duplex gigabit on Zynq

According to the Zynq TRM, gigabit half duplex is not supported.  Add a
new cap and compatible string so Zynq can avoid advertising that mode.

Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: macb: Document zynq gem dt binding
Nathan Sullivan [Fri, 22 May 2015 14:22:09 +0000 (09:22 -0500)]
net: macb: Document zynq gem dt binding

Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoipv4: fill in table id when replacing a route
Michal Kubeček [Fri, 22 May 2015 11:40:09 +0000 (13:40 +0200)]
ipv4: fill in table id when replacing a route

When replacing an IPv4 route, tb_id member of the new fib_alias
structure is not set in the replace code path so that the new route is
ignored.

Fixes: 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Alexander Duyck <alexander.h.duyck@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agocdc_ncm: Fix tx_bytes statistics
Bjørn Mork [Fri, 22 May 2015 11:15:22 +0000 (13:15 +0200)]
cdc_ncm: Fix tx_bytes statistics

The tx_curr_frame_payload field is u32. When we try to calculate a
small negative delta based on it, we end up with a positive integer
close to 2^32 instead.  So the tx_bytes pointer increases by about
2^32 for every transmitted frame.

Fix by calculating the delta as a signed long.

Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Reported-by: Florian Bruhin <me@the-compiler.org>
Fixes: 7a1e890e2168 ("usbnet: Fix tx_bytes statistic running backward in cdc_ncm")
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
David S. Miller [Fri, 22 May 2015 18:25:45 +0000 (14:25 -0400)]
Merge git://git./pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contain Netfilter fixes for your net tree, they are:

1) Fix a race in nfnetlink_log and nfnetlink_queue that can lead to a crash.
   This problem is due to wrong order in the per-net registration and netlink
   socket events. Patch from Francesco Ruggeri.

2) Make sure that counters that userspace pass us are higher than 0 in all the
   x_tables frontends. Discovered via Trinity, patch from Dave Jones.

3) Revert a patch for br_netfilter to rely on the conntrack status bits. This
   breaks stateless IPv6 NAT transformations. Patch from Florian Westphal.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoipv4: Avoid crashing in ip_error
Eric W. Biederman [Fri, 22 May 2015 09:58:12 +0000 (04:58 -0500)]
ipv4: Avoid crashing in ip_error

ip_error does not check if in_dev is NULL before dereferencing it.

IThe following sequence of calls is possible:
CPU A                          CPU B
ip_rcv_finish
    ip_route_input_noref()
        ip_route_input_slow()
                               inetdev_destroy()
    dst_input()

With the result that a network device can be destroyed while processing
an input packet.

A crash was triggered with only unicast packets in flight, and
forwarding enabled on the only network device.   The error condition
was created by the removal of the network device.

As such it is likely the that error code was -EHOSTUNREACH, and the
action taken by ip_error (if in_dev had been accessible) would have
been to not increment any counters and to have tried and likely failed
to send an icmp error as the network device is going away.

Therefore handle this weird case by just dropping the packet if
!in_dev.  It will result in dropping the packet sooner, and will not
result in an actual change of behavior.

Fixes: 251da4130115b ("ipv4: Cache ip_error() routes even when not forwarding.")
Reported-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Tested-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agotcp: fix a potential deadlock in tcp_get_info()
Eric Dumazet [Fri, 22 May 2015 04:51:19 +0000 (21:51 -0700)]
tcp: fix a potential deadlock in tcp_get_info()

Taking socket spinlock in tcp_get_info() can deadlock, as
inet_diag_dump_icsk() holds the &hashinfo->ehash_locks[i],
while packet processing can use the reverse locking order.

We could avoid this locking for TCP_LISTEN states, but lockdep would
certainly get confused as all TCP sockets share same lockdep classes.

[  523.722504] ======================================================
[  523.728706] [ INFO: possible circular locking dependency detected ]
[  523.734990] 4.1.0-dbg-DEV #1676 Not tainted
[  523.739202] -------------------------------------------------------
[  523.745474] ss/18032 is trying to acquire lock:
[  523.750002]  (slock-AF_INET){+.-...}, at: [<ffffffff81669d44>] tcp_get_info+0x2c4/0x360
[  523.758129]
[  523.758129] but task is already holding lock:
[  523.763968]  (&(&hashinfo->ehash_locks[i])->rlock){+.-...}, at: [<ffffffff816bcb75>] inet_diag_dump_icsk+0x1d5/0x6c0
[  523.774661]
[  523.774661] which lock already depends on the new lock.
[  523.774661]
[  523.782850]
[  523.782850] the existing dependency chain (in reverse order) is:
[  523.790326]
-> #1 (&(&hashinfo->ehash_locks[i])->rlock){+.-...}:
[  523.796599]        [<ffffffff811126bb>] lock_acquire+0xbb/0x270
[  523.802565]        [<ffffffff816f5868>] _raw_spin_lock+0x38/0x50
[  523.808628]        [<ffffffff81665af8>] __inet_hash_nolisten+0x78/0x110
[  523.815273]        [<ffffffff816819db>] tcp_v4_syn_recv_sock+0x24b/0x350
[  523.822067]        [<ffffffff81684d41>] tcp_check_req+0x3c1/0x500
[  523.828199]        [<ffffffff81682d09>] tcp_v4_do_rcv+0x239/0x3d0
[  523.834331]        [<ffffffff816842fe>] tcp_v4_rcv+0xa8e/0xc10
[  523.840202]        [<ffffffff81658fa3>] ip_local_deliver_finish+0x133/0x3e0
[  523.847214]        [<ffffffff81659a9a>] ip_local_deliver+0xaa/0xc0
[  523.853440]        [<ffffffff816593b8>] ip_rcv_finish+0x168/0x5c0
[  523.859624]        [<ffffffff81659db7>] ip_rcv+0x307/0x420

Lets use u64_sync infrastructure instead. As a bonus, 64bit
arches get optimized, as these are nop for them.

Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge tag 'iwlwifi-for-kalle-2015-05-21' of https://git.kernel.org/pub/scm/linux...
Kalle Valo [Fri, 22 May 2015 07:47:02 +0000 (10:47 +0300)]
Merge tag 'iwlwifi-for-kalle-2015-05-21' of https://git./linux/kernel/git/iwlwifi/iwlwifi-fixes

* fix firmware name and other things to enable 3165
* fix bad APMG configuration for 8000 (no AMPG on these devices)
* fix MAC address assignment for 8000
* fix firmware debugging triggers (MLME)
* fix several bugs in low power states code (net-detect,
  d0i3)

9 years agoMerge branch 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux into drm...
Dave Airlie [Fri, 22 May 2015 03:31:54 +0000 (13:31 +1000)]
Merge branch 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux into drm-fixes

Just two small DP fixes for 4.1

* 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: fix error flag checking in native aux path
  drm/radeon: retry dcpd fetch

9 years agoMerge tag 'drm-intel-fixes-2015-05-21' of git://anongit.freedesktop.org/drm-intel...
Dave Airlie [Fri, 22 May 2015 03:31:03 +0000 (13:31 +1000)]
Merge tag 'drm-intel-fixes-2015-05-21' of git://anongit.freedesktop.org/drm-intel into drm-fixes

There's a stable backport from Ander [1] that combines this and a few
other commits to fix the flickering on v4.0, reported in [2] among
others. Having this upstream is obviously a requirement for stable.

* tag 'drm-intel-fixes-2015-05-21' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: fix screen flickering

9 years agocrypto: s390/ghash - Fix incorrect ghash icv buffer handling.
Harald Freudenberger [Thu, 21 May 2015 08:01:11 +0000 (10:01 +0200)]
crypto: s390/ghash - Fix incorrect ghash icv buffer handling.

Multitheaded tests showed that the icv buffer in the current ghash
implementation is not handled correctly. A move of this working ghash
buffer value to the descriptor context fixed this. Code is tested and
verified with an multithreaded application via af_alg interface.

Cc: stable@vger.kernel.org
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Gerald Schaefer <geraldsc@linux.vnet.ibm.com>
Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoMerge tag 'for-linus-4.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Fri, 22 May 2015 03:19:38 +0000 (20:19 -0700)]
Merge tag 'for-linus-4.1b-rc4-tag' of git://git./linux/kernel/git/xen/tip

Pull two xen bugfixes from David Vrabel:

 - fix ARM build regression.

 - fix VIRQ_CONSOLE related oops.

* tag 'for-linus-4.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/events: don't bind non-percpu VIRQs with percpu chip
  xen/arm: Define xen_arch_suspend()

9 years agoMerge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Fri, 22 May 2015 03:15:16 +0000 (20:15 -0700)]
Merge tag 'for-linus' of git://git./virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "This includes a fix for two oopses, one on PPC and on x86.

  The rest is fixes for bugs with newer Intel processors"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  kvm/fpu: Enable eager restore kvm FPU for MPX
  Revert "KVM: x86: drop fpu_activate hook"
  kvm: fix crash in kvm_vcpu_reload_apic_access_page
  KVM: MMU: fix SMAP virtualization
  KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages
  KVM: MMU: fix smap permission check
  KVM: PPC: Book3S HV: Fix list traversal in error case

9 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Linus Torvalds [Fri, 22 May 2015 02:54:50 +0000 (19:54 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux

Pull s390 fixes from Martin Schwidefsky:
 "Bug fixes.

  Three for our crypto code, two for eBPF, and one memory management fix
  to get machines with memory > 8TB working"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/mm: correct return value of pmd_pfn
  s390/crypto: fix stckf loop
  s390/zcrypt: Fix invalid domain handling during ap module unload
  s390/bpf: Fix gcov stack space problem
  s390/zcrypt: fixed ap poll timer behavior
  s390/bpf: Adjust ALU64_DIV/MOD to match interpreter change

9 years agoMerge tag 'sound-4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai...
Linus Torvalds [Fri, 22 May 2015 00:54:00 +0000 (17:54 -0700)]
Merge tag 'sound-4.1-rc5' of git://git./linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This batch became slightly large, just because I've been on vacation
  for the last two weeks.  Nothing to scare much here, all
  device-specific fixes, mostly small patches.

  Majority of patches are for HD-audio, especially Dell machines.  The
  rest are small ASoC fixes for various codecs, and a USB-audio quirk.

  One PCM fix is included to ease the faulty condition checks in the
  case of two periods PCM buffers"

* tag 'sound-4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Disable widget power-saving for ALC292 & co
  ALSA: hda - Reduce verbs by node power-saves
  ALSA: sound/atmel/ac97c.c: remove unused variable
  ALSA: usb-audio: Add quirk for MS LifeCam Studio
  ALSA: pcm: Modify double acknowledged interrupts check condition
  ALSA: hda/realtek - ALC292 dock fix for Thinkpad L450
  ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724
  ALSA: hda - Fix headset mic and mic-in for a Dell desktop
  ASoC: wm8994: correct BCLK DIV 348 to 384
  ASoC: wm8960: fix "RINPUT3" audio route error
  ASoC: dapm: Modify widget stream name according to prefix
  ALSA: hda - Add headset mic quirk for Dell Inspiron 5548
  ASoC: rt5645: Fix mask for setting RT5645_DMIC_2_DP_GPIO12 bit
  ASoC: rt5645: Add ACPI match ID
  ALSA: hda/realtek - Add ALC298 alias name for Dell
  ASoC: uda1380: Avoid accessing i2c bus when codec is disabled
  ALSA: hda/realtek - Fix typo for ALC286/ALC288
  ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls
  ALSA: hda - Add headphone quirk for Lifebook E752
  ASoC: davinci-mcasp: Correct pm status check in suspend callback

9 years agoMerge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
Linus Torvalds [Fri, 22 May 2015 00:42:54 +0000 (17:42 -0700)]
Merge branch 'for-rc' of git://git./linux/kernel/git/rzhang/linux

Pull thermal fixes from Zhang Rui:
 "Three fixes for Armada (380) and TI (dra7 and OMAP5) thermal soc
  drivers"

* 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
  thermal: armada: Update Armada 380 thermal sensor coefficients
  thermal: ti-soc-thermal: OMAP5: Implement Workaround for Errata i813
  thermal: ti-soc-thermal: dra7: Implement Workaround for Errata i814

9 years agoMerge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma
Linus Torvalds [Fri, 22 May 2015 00:36:23 +0000 (17:36 -0700)]
Merge tag 'for-linus' of git://git./linux/kernel/git/dledford/rdma

Pull infiniband/rdma fixes from Doug Ledford:
 "This should hopefully be the last request for 4.1-rc for the RDMA
  stack.  It contains some late ocrdma fixes that I'm including because
  they are small and self contained.  It also contains two bug fixes
  that are simple and easily verified.

  Summary:

   - a number of small, well contained bug fixes for ocrdma driver

   - a simple fix for the connection negotiation sequence on IB

   - fix for broken AF_IB address on UD queue pair support"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
  IB/cma: Fix broken AF_IB UD support
  ib/cm: Change reject message type when destroying cm_id
  RDMA/ocrdma: Update ocrdma version number
  RDMA/ocrdma: Fail connection for MTU lesser than 512
  RDMA/ocrdma: Fix dmac resolution for link local address
  RDMA/ocrdma: Prevent allocation of DPP PDs if FW doesnt support it
  RDMA/ocrdma: Fix the request length for RDMA_QUERY_QP mailbox command to FW.
  RDMA/ocrdma: Use VID 0 if PFC is enabled and vlan is not configured
  RDMA/ocrdma: Fix QP state transition in destroy_qp
  RDMA/ocrdma: Report EQ full fatal error
  RDMA/ocrdma: Fix EQ destroy failure during driver unload

9 years agoMerge tag 'mmc-4.1-rc3' of git://git.linaro.org/people/ulf.hansson/mmc
Linus Torvalds [Fri, 22 May 2015 00:31:31 +0000 (17:31 -0700)]
Merge tag 'mmc-4.1-rc3' of git://git.linaro.org/people/ulf.hansson/mmc

Pull MMC fix from Ulf Hansson:
 "One more mmc fix intended for v4.1 rc5:

  MMC host:
   - atmel-mci: fix bad variable type for clkdiv"

* tag 'mmc-4.1-rc3' of git://git.linaro.org/people/ulf.hansson/mmc:
  mmc: atmel-mci: fix bad variable type for clkdiv

9 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Linus Torvalds [Fri, 22 May 2015 00:23:11 +0000 (17:23 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jikos/hid

Pull HID fixes from Jiri Kosina:
 "Bugfixes for HID subsystem that should go in 4.1.  Important
  highlights:

   - the patch that extended support for HID++ protocol for TK820
     touchpad turns out to be causing regressions due to firmware
     issues; patch reverting back to basic support from Benjamin
     Tissoires

   - Wacom driver can oops for devices that report non-touch data on
     touch interfaces.  Fix from Ping Cheng

   - gpiolib is not mandatory for i2c-hid, so the driver shouldn't fail
     if gpiolib is not enabled.  Fix from Mika Westerberg"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: wacom: fix an Oops caused by wacom_wac_finger_count_touches
  HID: usbhid: Add HID_QUIRK_NOGET for Aten DVI KVM switch
  HID: hid-sensor-hub: Fix debug lock warning
  Revert "HID: logitech-hidpp: support combo keyboard touchpad TK820"
  HID: i2c-hid: Do not fail probing if gpiolib is not enabled

9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Linus Torvalds [Fri, 22 May 2015 00:16:49 +0000 (17:16 -0700)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

Pull crypto fix from Herbert Xu:
 "This fixes a the crash in the newly added algif_aead interface when it
  tries to link SG lists"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: algif_aead - fix invalid sgl linking

9 years agoInput: smtpe-ts - wait 50mS until polling for pen-up
Marek Vasut [Fri, 8 May 2015 05:25:49 +0000 (22:25 -0700)]
Input: smtpe-ts - wait 50mS until polling for pen-up

Wait a little bit longer, 50mS instead of 20mS, until the driver starts
polling for pen-up. The problematic behavior before this patch is applied
is as follows. The behavior was observed on the STMPE610QTR controller.

Upon a physical pen-down event, the touchscreen reports one set of x-y-p
coordinates and a pen-down event. After that, the pen-up polling is
triggered and since the controller is not ready yet, the polling mistakenly
detects a pen-up event while the physical state is still such that the pen
is down on the touch surface.

The pen-up handling flushes the controller FIFO, so after that, all the
samples in the controller are discarded. The controller becomes ready
shortly after this bogus pen-up handling and does generate again a pen-down
interrupt. This time, the controller contains x-y-p samples which all read
as zero. Since pressure value is zero, this set of samples is effectively
ignored by userland.

In the end, the driver just bounces between pen-down and bogus pen-up
handling, generating no useful results. Fix this by giving the controller a
bit more time before polling it for pen-up.

Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
9 years agoInput: smtpe-ts - use msecs_to_jiffies() instead of HZ
Marek Vasut [Fri, 8 May 2015 05:24:58 +0000 (22:24 -0700)]
Input: smtpe-ts - use msecs_to_jiffies() instead of HZ

Use msecs_to_jiffies(20) instead of plain (HZ / 50), as the former is much
more explicit about it's behavior. We want to schedule the task 20 mS from
now, so make it explicit in the code.

Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
9 years agoMerge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Thu, 21 May 2015 23:57:50 +0000 (16:57 -0700)]
Merge tag 'clk-fixes-for-linus' of git://git./linux/kernel/git/clk/linux

Pull clk fixes from Michael Turquette:
 "The first set of clk fixes for 4.1 are all driver bugs, with the
  exception of a single locking fix in the core code.

  All driver fixes are for code that was merged recently.  The Samsung
  stuff is mostly fixes around suspend/resume, the Qualcomm fixes are
  for invalid hardware configuration data and the Silicon Labs patches
  are fixes following their move away from platform_data to Device Tree"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: si5351: Do not pass struct clk in platform_data
  clk: si5351: Mention clock-names in the binding documentation
  clk: add missing lock when call clk_core_enable in clk_set_parent
  clk: exynos5420: Restore GATE_BUS_TOP on suspend
  clk: qcom: Fix MSM8916 gfx3d_clk_src configuration
  clk: qcom: Fix MSM8916 venus divider value
  clk: exynos5433: Fix wrong PMS value of exynos5433_pll_rates
  clk: exynos5433: Fix wrong parent clock of sclk_apollo clock
  clk: exynos5433: Fix CLK_PCLK_MONOTONIC_CNT clk register assignment
  clk: exynos5433: Fix wrong offset of PCLK_MSCL_SECURE_SMMU_JPEG
  clk: Use CONFIG_ARCH_EXYNOS instead of CONFIG_ARCH_EXYNOS5433

9 years agoMerge tag 'hwmon-for-linus-v4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Thu, 21 May 2015 23:38:14 +0000 (16:38 -0700)]
Merge tag 'hwmon-for-linus-v4.1-rc5' of git://git./linux/kernel/git/groeck/linux-staging

Pull hwmon fixlet from Guenter Roeck:
 "Update location of Jean Delvare's hwmon quilt tree"

* tag 'hwmon-for-linus-v4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: Update the location of my quilt tree

9 years agoInput: joydev - don't classify the vmmouse as a joystick
Thomas Hellstrom [Wed, 20 May 2015 21:50:30 +0000 (14:50 -0700)]
Input: joydev - don't classify the vmmouse as a joystick

Joydev is currently thinking some absolute mice are joystick, and that
messes up games in VMware guests, as the cursor typically gets stuck in
the top left corner.

Try to detect the event signature of a VMmouse input device and back off
for such devices. We're still incorrectly detecting, for example, the
VMware absolute USB mouse as a joystick, but adding an event signature
matching also that device would be considerably more risky, so defer that
to a later merge window.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
9 years agonet: sched: fix call_rcu() race on classifier module unloads
Daniel Borkmann [Wed, 20 May 2015 15:13:33 +0000 (17:13 +0200)]
net: sched: fix call_rcu() race on classifier module unloads

Vijay reported that a loop as simple as ...

  while true; do
    tc qdisc add dev foo root handle 1: prio
    tc filter add dev foo parent 1: u32 match u32 0 0  flowid 1
    tc qdisc del dev foo root
    rmmod cls_u32
  done

... will panic the kernel. Moreover, he bisected the change
apparently introducing it to 78fd1d0ab072 ("netlink: Re-add
locking to netlink_lookup() and seq walker").

The removal of synchronize_net() from the netlink socket
triggering the qdisc to be removed, seems to have uncovered
an RCU resp. module reference count race from the tc API.
Given that RCU conversion was done after e341694e3eb5 ("netlink:
Convert netlink_lookup() to use RCU protected hash table")
which added the synchronize_net() originally, occasion of
hitting the bug was less likely (not impossible though):

When qdiscs that i) support attaching classifiers and,
ii) have at least one of them attached, get deleted, they
invoke tcf_destroy_chain(), and thus call into ->destroy()
handler from a classifier module.

After RCU conversion, all classifier that have an internal
prio list, unlink them and initiate freeing via call_rcu()
deferral.

Meanhile, tcf_destroy() releases already reference to the
tp->ops->owner module before the queued RCU callback handler
has been invoked.

Subsequent rmmod on the classifier module is then not prevented
since all module references are already dropped.

By the time, the kernel invokes the RCU callback handler from
the module, that function address is then invalid.

One way to fix it would be to add an rcu_barrier() to
unregister_tcf_proto_ops() to wait for all pending call_rcu()s
to complete.

synchronize_rcu() is not appropriate as under heavy RCU
callback load, registered call_rcu()s could be deferred
longer than a grace period. In case we don't have any pending
call_rcu()s, the barrier is allowed to return immediately.

Since we came here via unregister_tcf_proto_ops(), there
are no users of a given classifier anymore. Further nested
call_rcu()s pointing into the module space are not being
done anywhere.

Only cls_bpf_delete_prog() may schedule a work item, to
unlock pages eventually, but that is not in the range/context
of cls_bpf anymore.

Fixes: 25d8c0d55f24 ("net: rcu-ify tcf_proto")
Fixes: 9888faefe132 ("net: sched: cls_basic use RCU")
Reported-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.r.fastabend@intel.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Thomas Graf <tgraf@suug.ch>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoiwlwifi: mvm: avoid use-after-free on iwl_mvm_d0i3_enable_tx()
Eliad Peller [Tue, 14 Apr 2015 08:36:23 +0000 (11:36 +0300)]
iwlwifi: mvm: avoid use-after-free on iwl_mvm_d0i3_enable_tx()

qos_seq points (to a struct) inside the command response data.

Make sure to free the response only after qos_seq is not
needed anymore.

Reported-by: Heng Luo <heng.luo@intel.com>
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
9 years agoiwlwifi: mvm: clean net-detect info if device was reset during suspend
Luciano Coelho [Mon, 4 May 2015 14:03:17 +0000 (17:03 +0300)]
iwlwifi: mvm: clean net-detect info if device was reset during suspend

If the device is reset during suspend with net-detect enabled, we
leave the net-detect information dangling and this causes the next
suspend to fail with a warning:

[21795.351010] WARNING: at /root/iwlwifi/iwlwifi-stack-dev/drivers/net/wireless/iwlwifi/mvm/d3.c:989 __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]()
[21795.353253] Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [...]
[21795.366168] CPU: 1 PID: 3645 Comm: bash Tainted: G           O 3.10.29-dev #1
[21795.368785] Hardware name: Dell Inc. Latitude E6430/0CPWYR, BIOS A09 12/13/2012
[21795.371441]  f8ec6748 f8ec6748 e51f3ce8 c168aa62 e51f3d10 c103a824 c1871238 f8ec6748
[21795.374228]  000003dd f8eb982e f8eb982e 00000000 c3408ed4 c41edbbc e51f3d20 c103a862
[21795.377006]  00000009 00000000 e51f3da8 f8eb982e c41ee3dc 00000004 e7970000 e51f3d74
[21795.379792] Call Trace:
[21795.382461]  [<c168aa62>] dump_stack+0x16/0x18
[21795.385133]  [<c103a824>] warn_slowpath_common+0x64/0x80
[21795.387803]  [<f8eb982e>] ? __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]
[21795.390485]  [<f8eb982e>] ? __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]
[21795.393124]  [<c103a862>] warn_slowpath_null+0x22/0x30
[21795.395787]  [<f8eb982e>] __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]
[21795.398464]  [<f8eb9d7c>] iwl_mvm_suspend+0xec/0x140 [iwlmvm]
[21795.401127]  [<c104be11>] ? del_timer_sync+0xa1/0xc0
[21795.403800]  [<f8d4107e>] __ieee80211_suspend+0x1de/0xff0 [mac80211]
[21795.406459]  [<c168e43d>] ? mutex_lock_nested+0x25d/0x350
[21795.409084]  [<c1586b64>] ? rtnl_lock+0x14/0x20
[21795.411685]  [<f8cf0076>] ieee80211_suspend+0x16/0x20 [mac80211]
[21795.414318]  [<f8c4e014>] wiphy_suspend+0x74/0x710 [cfg80211]
[21795.416916]  [<c141e612>] __device_suspend+0x1e2/0x220
[21795.419521]  [<f8c4dfa0>] ? addresses_show+0xa0/0xa0 [cfg80211]
[21795.422097]  [<c141f997>] dpm_suspend+0x67/0x210
[21795.424661]  [<c141fd6f>] dpm_suspend_start+0x4f/0x60
[21795.427219]  [<c108d8e0>] suspend_devices_and_enter+0x60/0x480
[21795.429768]  [<c168646a>] ? printk+0x4d/0x4f
[21795.432295]  [<c108de76>] pm_suspend+0x176/0x210
[21795.434830]  [<c108ca5d>] state_store+0x5d/0xb0
[21795.437410]  [<c108ca00>] ? wakeup_count_show+0x50/0x50
[21795.439961]  [<c13208db>] kobj_attr_store+0x1b/0x30
[21795.442514]  [<c11e3a4b>] sysfs_write_file+0xab/0x100
[21795.445088]  [<c11e39a0>] ? sysfs_poll+0xa0/0xa0
[21795.447659]  [<c1179655>] vfs_write+0xa5/0x1c0
[21795.450212]  [<c1179af7>] SyS_write+0x57/0xa0
[21795.452699]  [<c1699ec1>] sysenter_do_call+0x12/0x32
[21795.455146] ---[ end trace faf5321baba2bfdb ]---

To fix this, call the iwl_mvm_free_nd() function in case of any error
during resume.  Additionally, rename the "out_unlock" label to err to
make it clearer that it's only called in error conditions.

Cc: stable@vger.kernel.org [3.19+]
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
9 years agoiwlwifi: mvm: take the UCODE_DOWN reference when resuming
Luciano Coelho [Tue, 28 Apr 2015 05:41:55 +0000 (08:41 +0300)]
iwlwifi: mvm: take the UCODE_DOWN reference when resuming

The __iwl_mvm_resume() function always returns 1, which causes
mac80211 to do a reconfig with IEEE80211_RECONFIG_TYPE_RESTART.  This
type of reconfig calls iwl_mvm_restart_complete(), where we unref the
IWL_MVM_REF_UCODE_DOWN, so we should always take the reference in this
case.

This prevents this kind of warning from happening:

[40026.103025] WARNING: at /root/iwlwifi/iwlwifi-stack-dev/drivers/net/wireless/iwlwifi/mvm/mac80211.c:236 iwl_mvm_unref+0xc9/0xd0 [iwlmvm]()
[40026.105145] Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) ctr ccm arc4 autofs4 snd_hda_codec_hdmi snd_hda_codec_idt joydev coretemp kvm_intel kvm aesni_intel ablk_helper cryptd lrw aes_i586 snd_hda_intel xts snd_hda_codec gf128mul snd_hwdep snd_pcm snd_seq_midi dell_wmi snd_rawmidi sparse_keymap snd_seq_midi_event snd_seq uvcvideo dell_laptop videobuf2_core dcdbas microcode videodev psmouse snd_timer videobuf2_vmalloc videobuf2_memops serio_raw snd_seq_device btusb i915 snd bluetooth lpc_ich drm_kms_helper soundcore snd_page_alloc drm i2c_algo_bit wmi parport_pc ppdev video binfmt_misc rpcsec_gss_krb5 nfsd mac_hid nfs_acl nfsv4 auth_rpcgss nfs fscache lockd sunrpc msdos lp parport sdhci_pci sdhci ahci libahci e1000e mmc_core ptp pps_core [last unloaded: compat]
[40026.117640] CPU: 2 PID: 3827 Comm: bash Tainted: G        W  O 3.10.29-dev #1
[40026.120216] Hardware name: Dell Inc. Latitude E6430/0CPWYR, BIOS A09 12/13/2012
[40026.122815]  f8effd18 f8effd18 e740fd18 c168aa62 e740fd40 c103a824 c1871238 f8effd18
[40026.125527]  000000ec f8ec79c9 f8ec79c9 d5d29ba4 d5d2a20c 00000000 e740fd50 c103a862
[40026.128209]  00000009 00000000 e740fd7c f8ec79c9 f1c591c4 00000400 00000000 f8efb490
[40026.130886] Call Trace:
[40026.133506]  [<c168aa62>] dump_stack+0x16/0x18
[40026.136115]  [<c103a824>] warn_slowpath_common+0x64/0x80
[40026.138727]  [<f8ec79c9>] ? iwl_mvm_unref+0xc9/0xd0 [iwlmvm]
[40026.141319]  [<f8ec79c9>] ? iwl_mvm_unref+0xc9/0xd0 [iwlmvm]
[40026.143881]  [<c103a862>] warn_slowpath_null+0x22/0x30
[40026.146453]  [<f8ec79c9>] iwl_mvm_unref+0xc9/0xd0 [iwlmvm]
[40026.149030]  [<f8ec7a4d>] iwl_mvm_mac_reconfig_complete+0x7d/0x210 [iwlmvm]
[40026.151645]  [<f8b74b20>] ? ftrace_raw_event_drv_reconfig_complete+0xc0/0xe0 [mac80211]
[40026.154291]  [<f8b6769e>] ieee80211_reconfig+0x28e/0x2620 [mac80211]
[40026.156920]  [<c10ef0ea>] ? ring_buffer_unlock_commit+0xba/0x100
[40026.159585]  [<f8b4a04d>] ieee80211_resume+0x6d/0x80 [mac80211]
[40026.162206]  [<f8a79722>] wiphy_resume+0x72/0x260 [cfg80211]
[40026.164799]  [<c141e2e7>] ? device_resume+0x57/0x150
[40026.167425]  [<f8a796b0>] ? wiphy_suspend+0x710/0x710 [cfg80211]
[40026.170075]  [<c141e26e>] dpm_run_callback+0x2e/0x50
[40026.172695]  [<c141e321>] device_resume+0x91/0x150
[40026.175334]  [<c141f636>] dpm_resume+0xf6/0x200
[40026.177922]  [<c141f920>] dpm_resume_end+0x10/0x20
[40026.180489]  [<c108d9f7>] suspend_devices_and_enter+0x177/0x480
[40026.183037]  [<c168646a>] ? printk+0x4d/0x4f
[40026.185559]  [<c108de76>] pm_suspend+0x176/0x210
[40026.188065]  [<c108ca5d>] state_store+0x5d/0xb0
[40026.190581]  [<c108ca00>] ? wakeup_count_show+0x50/0x50
[40026.193052]  [<c13208db>] kobj_attr_store+0x1b/0x30
[40026.195608]  [<c11e3a4b>] sysfs_write_file+0xab/0x100
[40026.198055]  [<c11e39a0>] ? sysfs_poll+0xa0/0xa0
[40026.200469]  [<c1179655>] vfs_write+0xa5/0x1c0
[40026.202893]  [<c1179af7>] SyS_write+0x57/0xa0
[40026.205245]  [<c1699ec1>] sysenter_do_call+0x12/0x32
[40026.207619] ---[ end trace db1d5a72a0381b0a ]---

Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Reviewed-by: EliadX Peller <eliad@wizery.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
9 years agoiwlwifi: mvm: BT Coex - duplicate the command if sent ASYNC
Emmanuel Grumbach [Mon, 4 May 2015 08:20:52 +0000 (11:20 +0300)]
iwlwifi: mvm: BT Coex - duplicate the command if sent ASYNC

There are buses that can't handle ASYNC command without
copying them. Duplicate the host command instead.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
9 years agoiwlwifi: nvm: force mac from otp in case nvm mac is reserved
Liad Kaufman [Wed, 20 May 2015 12:50:07 +0000 (15:50 +0300)]
iwlwifi: nvm: force mac from otp in case nvm mac is reserved

Take the MAC address from the OTP even if one is present in
the NVM, if that MAC address happens to be a reserved one.

Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
9 years agoiwlwifi: mvm: Free fw_status after use to avoid memory leak
Haim Dreyfuss [Wed, 20 May 2015 05:10:43 +0000 (08:10 +0300)]
iwlwifi: mvm: Free fw_status after use to avoid memory leak

fw_status is the only pointer pointing to a block of memory
allocated above and should be freed after use.
Note: this come from Klockwork static analyzer.

Cc: stable@vger.kernel.org [3.19+]
Fixes: 2021a89d7b8a ("iwlwifi: mvm: treat netdetect wake up separately")
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>