aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2013-02-11mwl8k: fix band for supported channelsJonas Gorski1-18/+18
The band field for the supported channels were left unpopulated, making them default to 0 == IEEE80211_BAND_2GHZ, even for the 5GHz channels. This resulted in null pointer accesses if anything tries to access wiphy->bands[channel->band] of a 5GHz channel on 5GHz only cards, since wiphy->bands[2GHZ] is NULL for them (e.g. cfg80211_chandef_usable does). Example kernel OOPS: [ 665.669993] Unable to handle kernel NULL pointer dereference at virtual address 00000016 [ 665.678194] pgd = c6d58000 [ 665.680941] [00000016] *pgd=06f8a831, *pte=00000000, *ppte=00000000 [ 665.687303] Internal error: Oops: 17 [#1] (...) [ 666.116373] Backtrace: [ 666.118866] [<bf0368dc>] (cfg80211_chandef_usable+0x0/0x1bc [cfg80211]) from [<bf025e64>] (nl80211_leave_mesh+0x244/0x264 [cfg80211]) [ 666.130919] r7:c6d12100 r6:0000143c r5:c0611c48 r4:c0611b98 [ 666.136668] [<bf025d84>] (nl80211_leave_mesh+0x164/0x264 [cfg80211]) from [<bf02634c>] (nl80211_remain_on_channel+0x2a0/0x358 [cfg80211]) [ 666.149074] r7:c6d12000 r6:c6d12000 r5:c6f4f368 r4:00000003 [ 666.154814] [<bf0262ec>] (nl80211_remain_on_channel+0x240/0x358 [cfg80211]) from [<bf02ddb0>] (nl80211_set_wiphy+0x264/0x560 [cfg80211]) [ 666.167150] [<bf02db4c>] (nl80211_set_wiphy+0x0/0x560 [cfg80211]) from [<c01f94e0>] (genl_rcv_msg+0x1b8/0x1f8) [ 666.177205] [<c01f9328>] (genl_rcv_msg+0x0/0x1f8) from [<c01f89a0>] (netlink_rcv_skb+0x58/0xb4) [ 666.185949] [<c01f8948>] (netlink_rcv_skb+0x0/0xb4) from [<c01f931c>] (genl_rcv+0x20/0x2c) [ 666.194251] r6:c6f70780 r5:0000002c r4:c6f70780 r3:00000001 [ 666.199973] [<c01f92fc>] (genl_rcv+0x0/0x2c) from [<c01f8418>] (netlink_unicast+0x154/0x1f4) [ 666.208449] r4:c785ea00 r3:c01f92fc [ 666.212057] [<c01f82c4>] (netlink_unicast+0x0/0x1f4) from [<c01f8790>] (netlink_sendmsg+0x230/0x2b0) [ 666.221240] [<c01f8560>] (netlink_sendmsg+0x0/0x2b0) from [<c01cccf8>] (sock_sendmsg+0x90/0xa4) [ 666.229986] [<c01ccc68>] (sock_sendmsg+0x0/0xa4) from [<c01cdcb0>] (__sys_sendmsg+0x290/0x298) [ 666.238637] r9:00000000 r8:c0611ec8 r6:0000002c r5:c0610000 r4:c0611f64 [ 666.245411] [<c01cda20>] (__sys_sendmsg+0x0/0x298) from [<c01cf52c>] (sys_sendmsg+0x44/0x6c) [ 666.253897] [<c01cf4e8>] (sys_sendmsg+0x0/0x6c) from [<c00090a0>] (ret_fast_syscall+0x0/0x2c) [ 666.262460] r6:00000000 r5:beeff96c r4:00000005 Signed-off-by: Jonas Gorski <jogo@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-02-11Merge branch 'for-john' of ↵John W. Linville2-5/+9
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2013-02-11bridge: set priority of STP packetsStephen Hemminger1-0/+2
Spanning Tree Protocol packets should have always been marked as control packets, this causes them to get queued in the high prirority FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge gets overloaded and can't communicate. This is a long-standing bug back to the first versions of Linux bridge. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-11x86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systemsStoney Wang1-10/+11
When a HP ProLiant DL980 G7 Server boots a regular kernel, there will be intermittent lost interrupts which could result in a hang or (in extreme cases) data loss. The reason is that this system only supports x2apic physical mode, while the kernel boots with a logical-cluster default setting. This bug can be worked around by specifying the "x2apic_phys" or "nox2apic" boot option, but we want to handle this system without requiring manual workarounds. The BIOS sets ACPI_FADT_APIC_PHYSICAL in FADT table. As all apicids are smaller than 255, BIOS need to pass the control to the OS with xapic mode, according to x2apic-spec, chapter 2.9. Current code handle x2apic when BIOS pass with xapic mode enabled: When user specifies x2apic_phys, or FADT indicates PHYSICAL: 1. During madt oem check, apic driver is set with xapic logical or xapic phys driver at first. 2. enable_IR_x2apic() will enable x2apic_mode. 3. if user specifies x2apic_phys on the boot line, x2apic_phys_probe() will install the correct x2apic phys driver and use x2apic phys mode. Otherwise it will skip the driver will let x2apic_cluster_probe to take over to install x2apic cluster driver (wrong one) even though FADT indicates PHYSICAL, because x2apic_phys_probe does not check FADT PHYSICAL. Add checking x2apic_fadt_phys in x2apic_phys_probe() to fix the problem. Signed-off-by: Stoney Wang <song-bo.wang@hp.com> [ updated the changelog and simplified the code ] Signed-off-by: Yinghai Lu <yinghai@kernel.org> Cc: stable@kernel.org Link: http://lkml.kernel.org/r/1360263182-16226-1-git-send-email-yinghai@kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
2013-02-11mac80211: fix channel selection bugJohannes Berg1-3/+3
When trying to connect to an AP that advertises HT but not VHT, the mac80211 code erroneously uses the configuration from the AP as is instead of checking it against regulatory and local capabilities. This can lead to using an invalid or even inexistent channel (like 11/HT40+). Additionally, the return flags from downgrading must be ORed together, to collect them from all of the downgrades. Also clarify the message. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-02-10Merge branch 'master' of git://1984.lsi.us.es/nfDavid S. Miller3-22/+33
Pablo Neira Ayuso says: ==================== The following patchset contains Netfilter/IPVS fixes for 3.8-rc7, they are: * Fix oops in IPVS state-sync due to releasing a random memory area due to unitialized pointer, from Dan Carpenter. * Fix SCTP flow establishment due to bad checksumming mangling in IPVS, from Daniel Borkmann. * Three fixes for the recently added IPv6 NPT, all from YOSHIFUJI Hideaki, with an amendment collapsed into those patches from Ulrich Weber. They fiix adjustment calculation, fix prefix mangling and ensure LSB of prefixes are zeroes (as required by RFC). Specifically, it took me a while to validate the 1's complement arithmetics/ checksumming approach in the IPv6 NPT code. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10arp: fix possible crash in arp_rcv()Eric Dumazet1-10/+11
We should call skb_share_check() before pskb_may_pull(), or we can crash in pskb_expand_head() Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10Merge branch 'gso_type'David S. Miller3-10/+17
Michael S. Tsirkin says: ==================== At the moment, macvtap crashes are observed if macvtap is attached to an interface with LRO enabled. The crash in question is BUG() in macvtap_skb_to_vnet_hdr. This happens because several drivers set gso_size but not gso_type in incoming skbs. This didn't use to be the case: with intel cards on 3.2 and older kernels, with qlogic - on 3.4 and older kernels, so it's a regression if not a recent one. The following patches fix this for qlogic, broadcom and intel drivers. I tested that the patch fixes the crash for ixgbe but don't have qlogic/broadcom hardware to test. I also only tested TCPv4. Please review, and consider for 3.8. Changes from v1: - added missing htons as suggested by Eric - backported the relevant bits from cbf1de72324a8105ddcc3d9ce9acbc613faea17e for bnx2x ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10bnx2x: set gso_typeMichael S. Tsirkin1-7/+5
In LRO mode, bnx2x set gso_size but not gso type. This leads to crashes in macvtap. Commit cbf1de72324a8105ddcc3d9ce9acbc613faea17e queued for 3.9 includes a more complete fix. This is a minimal patch to avoid the crash, for 3.8. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10qlcnic: set gso_typeMichael S. Tsirkin1-1/+6
qlcnic set gso_size but not gso type. This leads to crashes in macvtap. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10ixgbe: fix gso typeMichael S. Tsirkin1-2/+6
ixgbe set gso_size but not gso_type. This leads to crashes in macvtap. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10stmmac: mdio register has to fail if the phy is not foundGiuseppe CAVALLARO1-3/+7
With this patch the stmmac fails in case of the phy device is not found; w/o this fix the mdio can be register twice when do down/up the iface and this is not correct. Reported-by: Stas <stsp@list.ru> Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10stmmac: fix macro used for debugging the xmitGiuseppe CAVALLARO1-1/+1
This patch fixes the name of the macro used for debugging the transmit process. I used STMMAC_TX_DEBUG instead of STMMAC_XMIT_DEBUG. Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-10Merge branch 'davem.r8169' of git://violet.fr.zoreil.com/romieu/linuxDavid S. Miller1-67/+19
Revert two power saving r8169 changes to fix some regressions reported. Reported-by: Jörg Otte <jrg.otte@gmail.com> Tested-by: Jörg Otte <jrg.otte@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-11Merge branch 'drm-nouveau-fixes-3.8' of ↵Dave Airlie6-9/+19
git://anongit.freedesktop.org/git/nouveau/linux-2.6 into drm-next Fixes for one major lockdep warning, one oops reported by a few people, and fix for a long hang on some gpu engines. * 'drm-nouveau-fixes-3.8' of git://anongit.freedesktop.org/git/nouveau/linux-2.6: drm/nouveau: add lockdep annotations drm/nv50/fb: Fix nullptr-deref on IGPs drm/nouveau: use different register to wait for secret scrubber
2013-02-09Merge tag 'highbank-fixes-for-3.8' of git://sources.calxeda.com/kernel/linux ↵Olof Johansson4-5/+12
into fixes From Rob Herring: highbank fixes for 3.8 -Compile fix for !SMP -More cpu cluster id related fixes * tag 'highbank-fixes-for-3.8' of git://sources.calxeda.com/kernel/linux: ARM: highbank: mask cluster id from cpu_logical_map ARM: scu: mask cluster id from cpu_logical_map ARM: scu: add empty scu_enable for !CONFIG_SMP
2013-02-09drm/nouveau: add lockdep annotationsMarcin Slusarz3-3/+9
1) Lockdep thinks all nouveau subdevs belong to the same class and can be locked in arbitrary order, which is not true (at least in general case). Tell it to distinguish subdevs by (o)class type. 2) DRM client can be locked under user client lock - tell lockdep to put DRM client lock in a separate class. Reported-by: Arend van Spriel <arend@broadcom.com> Reported-by: Peter Hurley <peter@hurleysoftware.com> Reported-by: Maarten Lankhorst <maarten.lankhorst@canonical.com> Reported-by: Daniel J Blueman <daniel@quora.org> Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Cc: stable@vger.kernel.org [3.7, but needs s/const ofuncs/ofuncs/ to build] Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2013-02-09Revert "r8169: enable internal ASPM and clock request settings".Francois Romieu1-21/+9
This reverts commit d64ec841517a25f6d468bde9f67e5b4cffdc67c7. Jörg Otte reported his 8168evl to increase boot time link detection from 1.6 to 10 s. Hayes suggests reverting it for the time being. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Cc: Hayes Wang <hayeswang@realtek.com> Cc: Jörg Otte <jrg.otte@gmail.com>
2013-02-08Revert "r8169: enable ALDPS for power saving".Francois Romieu1-46/+10
This reverts commit e0c075577965d1c01b30038d38bf637b027a1df3. Jörg Otte reported his 8168evl to fail boot time link detection. Hayes suggests reverting it for the time being. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Cc: Hayes Wang <hayeswang@realtek.com> Cc: Jörg Otte <jrg.otte@gmail.com>
2013-02-09Linux 3.8-rc7v3.8-rc7Linus Torvalds1-1/+1
2013-02-09Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-armLinus Torvalds4-5/+26
Pull ARM fixes from Russell King: "I was going to hold these off until v3.8 was out, and send them with a stable tag, but as everyone else is pushing much bigger fixes which Linus is accepting, let's save people from the hastle of having to patch v3.8 back into working or use a stable kernel. Looking at the diffstat, this really is high value for its size; this is miniscule compared to how the -rc6 to tip diffstat currently looks. So, four patches in this set: - Punit Agrawal reports that the kernel no longer boots on MPCore due to a new assumption made in the GIC code which isn't true of earlier GIC designs. This is the biggest change in this set. - Punit's boot log also revealed a bunch of WARN_ON() dumps caused by the DT-ification of the GIC support without fixing up non-DT Realview - which now sees a greater number of interrupts than it did before. - A fix for the DMA coherent code from Marek which uses the wrong check for atomic allocations; this can result in spinlock lockups or other nasty effects. - A fix from Will, which will affect all Android based platforms if not applied (which use the 2G:2G VM split) - this causes particularly 'make' to misbehave unless this bug is fixed." * 'fixes' of git://git.linaro.org/people/rmk/linux-arm: ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is aligned ARM: DMA mapping: fix bad atomic test ARM: realview: ensure that we have sufficient IRQs available ARM: GIC: fix GIC cpumask initialization
2013-02-09Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds68-348/+649
Pull networking fixes from David Miller: 1) Revert iwlwifi reclaimed packet tracking, it causes problems for a bunch of folks. From Emmanuel Grumbach. 2) Work limiting code in brcmsmac wifi driver can clear tx status without processing the event. From Arend van Spriel. 3) rtlwifi USB driver processes wrong SKB, fix from Larry Finger. 4) l2tp tunnel delete can race with close, fix from Tom Parkin. 5) pktgen_add_device() failures are not checked at all, fix from Cong Wang. 6) Fix unintentional removal of carrier off from tun_detach(), otherwise we confuse userspace, from Michael S. Tsirkin. 7) Don't leak socket reference counts and ubufs in vhost-net driver, from Jason Wang. 8) vmxnet3 driver gets it's initial carrier state wrong, fix from Neil Horman. 9) Protect against USB networking devices which spam the host with 0 length frames, from Bjørn Mork. 10) Prevent neighbour overflows in ipv6 for locally destined routes, from Marcelo Ricardo. This is the best short-term fix for this, a longer term fix has been implemented in net-next. 11) L2TP uses ipv4 datagram routines in it's ipv6 code, whoops. This mistake is largely because the ipv6 functions don't even have some kind of prefix in their names to suggest they are ipv6 specific. From Tom Parkin. 12) Check SYN packet drops properly in tcp_rcv_fastopen_synack(), from Yuchung Cheng. 13) Fix races and TX skb freeing bugs in via-rhine's NAPI support, from Francois Romieu and your's truly. 14) Fix infinite loops and divides by zero in TCP congestion window handling, from Eric Dumazet, Neal Cardwell, and Ilpo Järvinen. 15) AF_PACKET tx ring handling can leak kernel memory to userspace, fix from Phil Sutter. 16) Fix error handling in ipv6 GRE tunnel transmit, from Tommi Rantala. 17) Protect XEN netback driver against hostile frontend putting garbage into the rings, don't leak pages in TX GOP checking, and add proper resource releasing in error path of xen_netbk_get_requests(). From Ian Campbell. 18) SCTP authentication keys should be cleared out and released with kzfree(), from Daniel Borkmann. 19) L2TP is a bit too clever trying to maintain skb->truesize, and ends up corrupting socket memory accounting to the point where packet sending is halted indefinitely. Just remove the adjustments entirely, they aren't really needed. From Eric Dumazet. 20) ATM Iphase driver uses a data type with the same name as the S390 headers, rename to fix the build. From Heiko Carstens. 21) Fix a typo in copying the inner network header offset from one SKB to another, from Pravin B Shelar. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (56 commits) net: sctp: sctp_endpoint_free: zero out secret key data net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree atm/iphase: rename fregt_t -> ffreg_t net: usb: fix regression from FLAG_NOARP code l2tp: dont play with skb->truesize net: sctp: sctp_auth_key_put: use kzfree instead of kfree netback: correct netbk_tx_err to handle wrap around. xen/netback: free already allocated memory on failure in xen_netbk_get_requests xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop. xen/netback: shutdown the ring if it contains garbage. net: qmi_wwan: add more Huawei devices, including E320 net: cdc_ncm: add another Huawei vendor specific device ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit() tcp: fix for zero packets_in_flight was too broad brcmsmac: rework of mac80211 .flush() callback operation ssb: unregister gpios before unloading ssb bcma: unregister gpios before unloading bcma rtlwifi: Fix scheduling while atomic bug net: usbnet: fix tx_dropped statistics tcp: ipv6: Update MIB counters for drops ...
2013-02-08Merge branch 'sctp_keys'David S. Miller2-1/+6
Daniel Borkmann says: ==================== Cryptographically used keys should be zeroed out when our session ends resp. memory is freed, thus do not leave them somewhere in the memory. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-08net: sctp: sctp_endpoint_free: zero out secret key dataDaniel Borkmann1-0/+5
On sctp_endpoint_destroy, previously used sensitive keying material should be zeroed out before the memory is returned, as we already do with e.g. auth keys when released. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-08net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfreeDaniel Borkmann1-1/+1
In sctp_setsockopt_auth_key, we create a temporary copy of the user passed shared auth key for the endpoint or association and after internal setup, we free it right away. Since it's sensitive data, we should zero out the key before returning the memory back to the allocator. Thus, use kzfree instead of kfree, just as we do in sctp_auth_key_put(). Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-08unbreak automounter support on 64-bit kernel with 32-bit userspace (v2)Helge Deller1-17/+8
automount-support is broken on the parisc architecture, because the existing #if list does not include a check for defined(__hppa__). The HPPA (parisc) architecture is similiar to other 64bit Linux targets where we have to define autofs_wqt_t (which is passed back and forth to user space) as int type which has a size of 32bit across 32 and 64bit kernels. During the discussion on the mailing list, H. Peter Anvin suggested to invert the #if list since only specific platforms (specifically those who do not have a 32bit userspace, like IA64 and Alpha) should have autofs_wqt_t as unsigned long type. This suggestion is probably the best way to go, since Arm64 (and maybe others?) seems to have a non-working automounter. So in the long run even for other new upcoming architectures this inverted check seem to be the best solution, since it will not require them to change this #if again (unless they are 64bit only). Signed-off-by: Helge Deller <deller@gmx.de> Acked-by: H. Peter Anvin <hpa@zytor.com> Acked-by: Ian Kent <raven@themaw.net> Acked-by: Catalin Marinas <catalin.marinas@arm.com> CC: James Bottomley <James.Bottomley@HansenPartnership.com> CC: Rolf Eike Beer <eike-kernel@sf-tec.de>
2013-02-08atm/iphase: rename fregt_t -> ffreg_tHeiko Carstens1-73/+73
We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the iphase atm device driver, which causes the compile error below. Unfortunately the s390 typedef can't be renamed, since it's a user visible api, nor can I change the include order in s390 code to avoid the conflict. So simply rename the iphase typedef to a new name. Fixes this compile error: In file included from drivers/atm/iphase.c:66:0: drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t' In file included from next/arch/s390/include/asm/ptrace.h:9:0, from next/arch/s390/include/asm/lowcore.h:12, from next/arch/s390/include/asm/thread_info.h:30, from include/linux/thread_info.h:54, from include/linux/preempt.h:9, from include/linux/spinlock.h:50, from include/linux/seqlock.h:29, from include/linux/time.h:5, from include/linux/stat.h:18, from include/linux/module.h:10, from drivers/atm/iphase.c:43: next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Acked-by: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-08tile: tag some code with #ifdef CONFIG_COMPATChris Metcalf1-0/+4
This allows us to disable COMPAT mode without a link error. Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-02-08tile: fix memcpy_*io functions for allnoconfigChris Metcalf1-1/+5
On tilepro without CONFIG_PCI, we can't provide inlines of these functions, as we don't have readl/writel. In addition, fix memset_io() signature to take a volatile void *. Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-02-08tile: export a handful of symbols appropriatelyChris Metcalf6-0/+10
This was shown up by running with "allmodconfig". I used EXPORT_SYMBOL() to match existing conventions in files that were already exporting symbols, or that were exported that way by other architectures, and otherwise EXPORT_SYMBOL_GPL(). Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-02-08x86, doc: Add a bootloader ID for OVMFH. Peter Anvin1-0/+1
OVMF (an implementation of UEFI based on TianoCore used in virtual environments) now has the ability to boot Linux natively; this is used for "qemu -kernel" and similar things in a UEFI environment. Accordingly, assign it a bootloader ID. Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> Cc: David Woodhouse <dwmw2@infradead.org>
2013-02-08ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is alignedWill Deacon1-1/+1
We have received multiple reports of mmap failures when running with a 2:2 vm split. These manifest as either -EINVAL with a non page-aligned address (ending 0xaaa) or a SEGV, depending on the application. The issue is commonly observed in children of make, which appears to use bottom-up mmap (assumedly because it changes the stack rlimit). Further investigation reveals that this regression was triggered by 394ef6403abc ("mm: use vm_unmapped_area() on arm architecture"), whereby TASK_UNMAPPED_BASE is no longer page-aligned for bottom-up mmap, causing get_unmapped_area to choke on misaligned addressed. This patch fixes the problem by defining TASK_UNMAPPED_BASE in terms of TASK_SIZE and explicitly aligns the result to 16M, matching the other end of the heap. Acked-by: Nicolas Pitre <nico@linaro.org> Reported-by: Steve Capper <steve.capper@arm.com> Reported-by: Jean-Francois Moine <moinejf@free.fr> Reported-by: Christoffer Dall <cdall@cs.columbia.edu> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-02-08ARM: DMA mapping: fix bad atomic testRussell King1-1/+1
Realview fails to boot with this warning: BUG: spinlock lockup suspected on CPU#0, init/1 lock: 0xcf8bde10, .magic: dead4ead, .owner: init/1, .owner_cpu: 0 Backtrace: [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:cf8bde10 r5:cf83d1c0 r4:cf8bde10 r3:cf83d1c0 [<c03294d0>] (dump_stack+0x0/0x1c) from [<c018926c>] (spin_dump+0x84/0x98) [<c01891e8>] (spin_dump+0x0/0x98) from [<c0189460>] (do_raw_spin_lock+0x100/0x198) [<c0189360>] (do_raw_spin_lock+0x0/0x198) from [<c032cbac>] (_raw_spin_lock+0x3c/0x44) [<c032cb70>] (_raw_spin_lock+0x0/0x44) from [<c01c9224>] (pl011_console_write+0xe8/0x11c) [<c01c913c>] (pl011_console_write+0x0/0x11c) from [<c002aea8>] (call_console_drivers.clone.7+0xdc/0x104) [<c002adcc>] (call_console_drivers.clone.7+0x0/0x104) from [<c002b320>] (console_unlock+0x2e8/0x454) [<c002b038>] (console_unlock+0x0/0x454) from [<c002b8b4>] (vprintk_emit+0x2d8/0x594) [<c002b5dc>] (vprintk_emit+0x0/0x594) from [<c0329718>] (printk+0x3c/0x44) [<c03296dc>] (printk+0x0/0x44) from [<c002929c>] (warn_slowpath_common+0x28/0x6c) [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c) [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0070ab0>] (lockdep_trace_alloc+0xd8/0xf0) [<c00709d8>] (lockdep_trace_alloc+0x0/0xf0) from [<c00c0850>] (kmem_cache_alloc+0x24/0x11c) [<c00c082c>] (kmem_cache_alloc+0x0/0x11c) from [<c00bb044>] (__get_vm_area_node.clone.24+0x7c/0x16c) [<c00bafc8>] (__get_vm_area_node.clone.24+0x0/0x16c) from [<c00bb7b8>] (get_vm_area_caller+0x48/0x54) [<c00bb770>] (get_vm_area_caller+0x0/0x54) from [<c0020064>] (__alloc_remap_buffer.clone.15+0x38/0xb8) [<c002002c>] (__alloc_remap_buffer.clone.15+0x0/0xb8) from [<c0020244>] (__dma_alloc+0x160/0x2c8) [<c00200e4>] (__dma_alloc+0x0/0x2c8) from [<c00204d8>] (arm_dma_alloc+0x88/0xa0)[<c0020450>] (arm_dma_alloc+0x0/0xa0) from [<c00beb00>] (dma_pool_alloc+0xcc/0x1a8) [<c00bea34>] (dma_pool_alloc+0x0/0x1a8) from [<c01a9d14>] (pl08x_fill_llis_for_desc+0x28/0x568) [<c01a9cec>] (pl08x_fill_llis_for_desc+0x0/0x568) from [<c01aab8c>] (pl08x_prep_slave_sg+0x258/0x3b0) [<c01aa934>] (pl08x_prep_slave_sg+0x0/0x3b0) from [<c01c9f74>] (pl011_dma_tx_refill+0x140/0x288) [<c01c9e34>] (pl011_dma_tx_refill+0x0/0x288) from [<c01ca748>] (pl011_start_tx+0xe4/0x120) [<c01ca664>] (pl011_start_tx+0x0/0x120) from [<c01c54a4>] (__uart_start+0x48/0x4c) [<c01c545c>] (__uart_start+0x0/0x4c) from [<c01c632c>] (uart_start+0x2c/0x3c) [<c01c6300>] (uart_start+0x0/0x3c) from [<c01c795c>] (uart_write+0xcc/0xf4) [<c01c7890>] (uart_write+0x0/0xf4) from [<c01b0384>] (n_tty_write+0x1c0/0x3e4) [<c01b01c4>] (n_tty_write+0x0/0x3e4) from [<c01acfe8>] (tty_write+0x144/0x240) [<c01acea4>] (tty_write+0x0/0x240) from [<c01ad17c>] (redirected_tty_write+0x98/0xac) [<c01ad0e4>] (redirected_tty_write+0x0/0xac) from [<c00c371c>] (vfs_write+0xbc/0x150) [<c00c3660>] (vfs_write+0x0/0x150) from [<c00c39c0>] (sys_write+0x4c/0x78) [<c00c3974>] (sys_write+0x0/0x78) from [<c0014460>] (ret_fast_syscall+0x0/0x3c) This happens because the DMA allocation code is not respecting atomic allocations correctly. GFP flags should not be tested for GFP_ATOMIC to determine if an atomic allocation is being requested. GFP_ATOMIC is not a flag but a value. The GFP bitmask flags are all prefixed with __GFP_. The rest of the kernel tests for __GFP_WAIT not being set to indicate an atomic allocation. We need to do the same. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-02-08ARM: realview: ensure that we have sufficient IRQs availableRussell King1-1/+1
Realview EB with a rev B MPcore tile results in lots of warnings at boot because it can't allocate enough IRQs. Fix this by increasing the number of available IRQs. WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:757 gic_init_bases+0x12c/0x2ec() Cannot allocate irq_descs @ IRQ96, assuming pre-allocated Modules linked in: Backtrace: [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002f5 r5:c042c62c r4:c044ff40 r3:c045f240 [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c) [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029384>] (warn_slowpath_fmt+0x38/0x40) [<c002934c>] (warn_slowpath_fmt+0x0/0x40) from [<c042c62c>] (gic_init_bases+0x12c/0x2ec) [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8) [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24) [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300) [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070) ---[ end trace 1b75b31a2719ed1c ]--- ------------[ cut here ]------------ WARNING: at /home/rmk/git/linux-rmk/kernel/irq/irqdomain.c:234 irq_domain_add_legacy+0x80/0x140() Modules linked in: Backtrace: [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000000ea r5:c0081a38 r4:00000000 r3:c045f240 [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c) [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c) [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0081a38>] (irq_domain_add_legacy+0x80/0x140) [<c00819b8>] (irq_domain_add_legacy+0x0/0x140) from [<c042c64c>] (gic_init_bases+0x14c/0x2ec) [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8) [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24) [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300) [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070) ---[ end trace 1b75b31a2719ed1d ]--- ------------[ cut here ]------------ WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:762 gic_init_bases+0x170/0x2ec() Modules linked in: Backtrace: [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002fa r5:c042c670 r4:00000000 r3:c045f240 [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c) [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c) [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c042c670>] (gic_init_bases+0x170/0x2ec) [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8) [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24) [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300) [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070) ---[ end trace 1b75b31a2719ed1e ]--- Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-02-08ARM: GIC: fix GIC cpumask initializationRussell King1-2/+23
Punit Agrawal reports: > I was trying to boot 3.8-rc5 on Realview EB 11MPCore using > realview-smp_defconfig as a starting point but the kernel failed to > progress past the log below (config attached). > > Pawel suggested I try reverting 384a290283f - "ARM: gic: use a private > mapping for CPU target interfaces" that you've authored. With this > commit reverted the kernel boots. > > I am not quite sure why the commit breaks 11MPCore but Pawel (cc'd) > might be able to shed light on that. Some early GIC implementations return zero for the first distributor CPU routing register. This means we can't rely on that telling us which CPU interface we're connected to. We know that these platforms implement PPIs for IRQs 29-31 - but we shouldn't assume that these will always be populated. So, instead, scan for a non-zero CPU routing register in the first 32 IRQs and use that as our CPU mask. Reported-by: Punit Agrawal <punit.agrawal@arm.com> Reviewed-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-02-08Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linuxLinus Torvalds1-5/+8
Pull drm regression fix from Dave Airlie: "This one fixes a sleep while locked regression that was introduced earlier in 3.8." * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try
2013-02-08net: usb: fix regression from FLAG_NOARP codeLucas Stach1-1/+1
In commit 6509141f9c2ba74df6cc72ec35cd1865276ae3a4 ("usbnet: add new flag FLAG_NOARP for usb net devices"), the newly added flag NOARP was using an already defined value, which broke drivers using flag MULTI_PACKET. Signed-off-by: Lucas Stach <dev@lynxeye.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-08l2tp: dont play with skb->truesizeEric Dumazet2-12/+0
Andrew Savchenko reported a DNS failure and we diagnosed that some UDP sockets were unable to send more packets because their sk_wmem_alloc was corrupted after a while (tx_queue column in following trace) $ cat /proc/net/udp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops ... 459: 00000000:0270 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4507 2 ffff88003d612380 0 466: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4802 2 ffff88003d613180 0 470: 076A070A:007B 00000000:0000 07 FFFF4600:00000000 00:00000000 00000000 123 0 5552 2 ffff880039974380 0 470: 010213AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4986 2 ffff88003dbd3180 0 470: 010013AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4985 2 ffff88003dbd2e00 0 470: 00FCA8C0:007B 00000000:0000 07 FFFFFB00:00000000 00:00000000 00000000 0 0 4984 2 ffff88003dbd2a80 0 ... Playing with skb->truesize is tricky, especially when skb is attached to a socket, as we can fool memory charging. Just remove this code, its not worth trying to be ultra precise in xmit path. Reported-by: Andrew Savchenko <bircoph@gmail.com> Tested-by: Andrew Savchenko <bircoph@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07net: sctp: sctp_auth_key_put: use kzfree instead of kfreeDaniel Borkmann1-1/+1
For sensitive data like keying material, it is common practice to zero out keys before returning the memory back to the allocator. Thus, use kzfree instead of kfree. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07Merge branch 'fixes' of ↵David S. Miller1-7/+9
git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch into openvswitch Jesse Gross says: ==================== One bug fix for net/3.8 for a long standing problem that was reported a few times recently. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07Merge branch 'netback'David S. Miller3-53/+88
Ian Campbell says: ==================== The Xen netback implementation contains a couple of flaws which can allow a guest to cause a DoS in the backend domain, potentially affecting other domains in the system. CVE-2013-0216 is a failure to sanity check the ring producer/consumer pointers which can allow a guest to cause netback to loop for an extended period preventing other work from occurring. CVE-2013-0217 is a memory leak on an error path which is guest triggerable. The following series contains the fixes for these issues, as previously included in Xen Security Advisory 39: http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html Changes in v2: - Typo and block comment format fixes - Added stable Cc ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07netback: correct netbk_tx_err to handle wrap around.Ian Campbell1-1/+1
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07xen/netback: free already allocated memory on failure in xen_netbk_get_requestsIan Campbell1-1/+12
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.Matthew Daley1-25/+13
Signed-off-by: Matthew Daley <mattjd@gmail.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07xen/netback: shutdown the ring if it contains garbage.Ian Campbell3-26/+62
A buggy or malicious frontend should not be able to confuse netback. If we spot anything which is not as it should be then shutdown the device and don't try to continue with the ring in a potentially hostile state. Well behaved and non-hostile frontends will not be penalised. As well as making the existing checks for such errors fatal also add a new check that ensures that there isn't an insane number of requests on the ring (i.e. more than would fit in the ring). If the ring contains garbage then previously is was possible to loop over this insane number, getting an error each time and therefore not generating any more pending requests and therefore not exiting the loop in xen_netbk_tx_build_gops for an externded period. Also turn various netdev_dbg calls which no precipitate a fatal error into netdev_err, they are rate limited because the device is shutdown afterwards. This fixes at least one known DoS/softlockup of the backend domain. Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-08Merge tag 'fixes-for-linus' of ↵Linus Torvalds1-1/+2
git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux Pull virtio fix from Rusty Russell: "Obviously I forgot to push this before linux.conf.au..." * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: virtio_console: Don't access uninitialized data.
2013-02-08Merge tag 'rdma-for-linus' of ↵Linus Torvalds4-15/+10
git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband Pull IB regression fixes from Roland Dreier: - Fix mlx4 VFs not working on old guests because of 64B CQE changes - Fix ill-considered sparse fix for qib - Fix IPoIB crash due to skb double destruct introduced in 3.8-rc1 * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/qib: Fix for broken sparse warning fix mlx4_core: Fix advertisement of wrong PF context behaviour IPoIB: Fix crash due to skb double destruct
2013-02-08Merge branch 'for-linus' of ↵Linus Torvalds8-36/+87
git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "We've got corner cases for updating i_size that ceph was hitting, error handling for quotas when we run out of space, a very subtle snapshot deletion race, a crash while removing devices, and one deadlock between subvolume creation and the sb_internal code (thanks lockdep)." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: move d_instantiate outside the transaction during mksubvol Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata Btrfs: fix possible stale data exposure Btrfs: fix missing i_size update Btrfs: fix race between snapshot deletion and getting inode Btrfs: fix missing release of the space/qgroup reservation in start_transaction() Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write() Btrfs: do not merge logged extents if we've removed them from the tree btrfs: don't try to notify udev about missing devices
2013-02-08Merge tag 'pinctrl-for-v3.8-late' of ↵Linus Torvalds4-4/+22
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull late pinctrl fixes from Linus Walleij: "Two patches appeared as of late, one was completely news to me, the other one was rotated in -next for the next merge window but turned out to be a showstopper. - Exynos Kconfig fixup - SIRF DT translation bug" * tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: sirf: replace of_gpio_simple_xlate by sirf specific of_xlate pinctrl: exynos: change PINCTRL_EXYNOS option
2013-02-08Merge tag 'stable/for-linus-3.8-rc6-tag' of ↵Linus Torvalds2-9/+9
git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen Pull Xen fixes from Konrad Rzeszutek Wilk: "This has two fixes. One is a security fix wherein we would spam the kernel printk buffer if one of the guests was misbehaving. The other is much tamer and it was us only checking for one type of error from the IRQ subsystem (when allocating new IRQs) instead of for all of them. - Fix an IRQ allocation where we only check for a specific error (-1). - CVE-2013-0231 / XSA-43. Make xen-pciback rate limit error messages from xen_pcibk_enable_msi{,x}()" * tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen: xen: fix error handling path if xen_allocate_irq_dynamic fails xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()