Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Commits on Feb 8, 2013
  1. Linux 3.8-rc7

    authored
  2. Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm

    authored
    Pull ARM fixes from Russell King:
     "I was going to hold these off until v3.8 was out, and send them with a
      stable tag, but as everyone else is pushing much bigger fixes which
      Linus is accepting, let's save people from the hastle of having to
      patch v3.8 back into working or use a stable kernel.
    
      Looking at the diffstat, this really is high value for its size; this
      is miniscule compared to how the -rc6 to tip diffstat currently looks.
    
      So, four patches in this set:
       - Punit Agrawal reports that the kernel no longer boots on MPCore due
         to a new assumption made in the GIC code which isn't true of
         earlier GIC designs.  This is the biggest change in this set.
       - Punit's boot log also revealed a bunch of WARN_ON() dumps caused by
         the DT-ification of the GIC support without fixing up non-DT
         Realview - which now sees a greater number of interrupts than it
         did before.
       - A fix for the DMA coherent code from Marek which uses the wrong
         check for atomic allocations; this can result in spinlock lockups
         or other nasty effects.
       - A fix from Will, which will affect all Android based platforms if
         not applied (which use the 2G:2G VM split) - this causes
         particularly 'make' to misbehave unless this bug is fixed."
    
    * 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
      ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is aligned
      ARM: DMA mapping: fix bad atomic test
      ARM: realview: ensure that we have sufficient IRQs available
      ARM: GIC: fix GIC cpumask initialization
  3. Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

    authored
    Pull networking fixes from David Miller:
    
     1) Revert iwlwifi reclaimed packet tracking, it causes problems for a
        bunch of folks.  From Emmanuel Grumbach.
    
     2) Work limiting code in brcmsmac wifi driver can clear tx status
        without processing the event.  From Arend van Spriel.
    
     3) rtlwifi USB driver processes wrong SKB, fix from Larry Finger.
    
     4) l2tp tunnel delete can race with close, fix from Tom Parkin.
    
     5) pktgen_add_device() failures are not checked at all, fix from Cong
        Wang.
    
     6) Fix unintentional removal of carrier off from tun_detach(),
        otherwise we confuse userspace, from Michael S.  Tsirkin.
    
     7) Don't leak socket reference counts and ubufs in vhost-net driver,
        from Jason Wang.
    
     8) vmxnet3 driver gets it's initial carrier state wrong, fix from Neil
        Horman.
    
     9) Protect against USB networking devices which spam the host with 0
        length frames, from Bjørn Mork.
    
    10) Prevent neighbour overflows in ipv6 for locally destined routes,
        from Marcelo Ricardo.  This is the best short-term fix for this, a
        longer term fix has been implemented in net-next.
    
    11) L2TP uses ipv4 datagram routines in it's ipv6 code, whoops.  This
        mistake is largely because the ipv6 functions don't even have some
        kind of prefix in their names to suggest they are ipv6 specific.
        From Tom Parkin.
    
    12) Check SYN packet drops properly in tcp_rcv_fastopen_synack(), from
        Yuchung Cheng.
    
    13) Fix races and TX skb freeing bugs in via-rhine's NAPI support, from
        Francois Romieu and your's truly.
    
    14) Fix infinite loops and divides by zero in TCP congestion window
        handling, from Eric Dumazet, Neal Cardwell, and Ilpo Järvinen.
    
    15) AF_PACKET tx ring handling can leak kernel memory to userspace, fix
        from Phil Sutter.
    
    16) Fix error handling in ipv6 GRE tunnel transmit, from Tommi Rantala.
    
    17) Protect XEN netback driver against hostile frontend putting garbage
        into the rings, don't leak pages in TX GOP checking, and add proper
        resource releasing in error path of xen_netbk_get_requests().  From
        Ian Campbell.
    
    18) SCTP authentication keys should be cleared out and released with
        kzfree(), from Daniel Borkmann.
    
    19) L2TP is a bit too clever trying to maintain skb->truesize, and ends
        up corrupting socket memory accounting to the point where packet
        sending is halted indefinitely.  Just remove the adjustments
        entirely, they aren't really needed.  From Eric Dumazet.
    
    20) ATM Iphase driver uses a data type with the same name as the S390
        headers, rename to fix the build.  From Heiko Carstens.
    
    21) Fix a typo in copying the inner network header offset from one SKB
        to another, from Pravin B Shelar.
    
    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (56 commits)
      net: sctp: sctp_endpoint_free: zero out secret key data
      net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
      atm/iphase: rename fregt_t -> ffreg_t
      net: usb: fix regression from FLAG_NOARP code
      l2tp: dont play with skb->truesize
      net: sctp: sctp_auth_key_put: use kzfree instead of kfree
      netback: correct netbk_tx_err to handle wrap around.
      xen/netback: free already allocated memory on failure in xen_netbk_get_requests
      xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
      xen/netback: shutdown the ring if it contains garbage.
      net: qmi_wwan: add more Huawei devices, including E320
      net: cdc_ncm: add another Huawei vendor specific device
      ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()
      tcp: fix for zero packets_in_flight was too broad
      brcmsmac: rework of mac80211 .flush() callback operation
      ssb: unregister gpios before unloading ssb
      bcma: unregister gpios before unloading bcma
      rtlwifi: Fix scheduling while atomic bug
      net: usbnet: fix tx_dropped statistics
      tcp: ipv6: Update MIB counters for drops
      ...
  4. @davem330

    Merge branch 'sctp_keys'

    davem330 authored
    Daniel Borkmann says:
    
    ====================
    Cryptographically used keys should be zeroed out when our session
    ends resp. memory is freed, thus do not leave them somewhere in the
    memory.
    ====================
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
  5. @borkmann @davem330

    net: sctp: sctp_endpoint_free: zero out secret key data

    borkmann authored davem330 committed
    On sctp_endpoint_destroy, previously used sensitive keying material
    should be zeroed out before the memory is returned, as we already do
    with e.g. auth keys when released.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevic@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  6. @borkmann @davem330

    net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree

    borkmann authored davem330 committed
    In sctp_setsockopt_auth_key, we create a temporary copy of the user
    passed shared auth key for the endpoint or association and after
    internal setup, we free it right away. Since it's sensitive data, we
    should zero out the key before returning the memory back to the
    allocator. Thus, use kzfree instead of kfree, just as we do in
    sctp_auth_key_put().
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  7. @davem330

    atm/iphase: rename fregt_t -> ffreg_t

    Heiko Carstens authored davem330 committed
    We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
    iphase atm device driver, which causes the compile error below.
    Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
    nor can I change the include order in s390 code to avoid the conflict.
    
    So simply rename the iphase typedef to a new name. Fixes this compile error:
    
    In file included from drivers/atm/iphase.c:66:0:
    drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
    In file included from next/arch/s390/include/asm/ptrace.h:9:0,
                     from next/arch/s390/include/asm/lowcore.h:12,
                     from next/arch/s390/include/asm/thread_info.h:30,
                     from include/linux/thread_info.h:54,
                     from include/linux/preempt.h:9,
                     from include/linux/spinlock.h:50,
                     from include/linux/seqlock.h:29,
                     from include/linux/time.h:5,
                     from include/linux/stat.h:18,
                     from include/linux/module.h:10,
                     from drivers/atm/iphase.c:43:
    next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here
    
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Acked-by: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  8. @wildea01

    ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE i…

    wildea01 authored Russell King committed
    …s aligned
    
    We have received multiple reports of mmap failures when running with a
    2:2 vm split. These manifest as either -EINVAL with a non page-aligned
    address (ending 0xaaa) or a SEGV, depending on the application. The
    issue is commonly observed in children of make, which appears to use
    bottom-up mmap (assumedly because it changes the stack rlimit).
    
    Further investigation reveals that this regression was triggered by
    394ef64 ("mm: use vm_unmapped_area() on arm architecture"), whereby
    TASK_UNMAPPED_BASE is no longer page-aligned for bottom-up mmap, causing
    get_unmapped_area to choke on misaligned addressed.
    
    This patch fixes the problem by defining TASK_UNMAPPED_BASE in terms of
    TASK_SIZE and explicitly aligns the result to 16M, matching the other
    end of the heap.
    
    Acked-by: Nicolas Pitre <nico@linaro.org>
    Reported-by: Steve Capper <steve.capper@arm.com>
    Reported-by: Jean-Francois Moine <moinejf@free.fr>
    Reported-by: Christoffer Dall <cdall@cs.columbia.edu>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
  9. ARM: DMA mapping: fix bad atomic test

    Russell King authored
    Realview fails to boot with this warning:
    BUG: spinlock lockup suspected on CPU#0, init/1
     lock: 0xcf8bde10, .magic: dead4ead, .owner: init/1, .owner_cpu: 0
    Backtrace:
    [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:cf8bde10 r5:cf83d1c0 r4:cf8bde10 r3:cf83d1c0
    [<c03294d0>] (dump_stack+0x0/0x1c) from [<c018926c>] (spin_dump+0x84/0x98)
    [<c01891e8>] (spin_dump+0x0/0x98) from [<c0189460>] (do_raw_spin_lock+0x100/0x198)
    [<c0189360>] (do_raw_spin_lock+0x0/0x198) from [<c032cbac>] (_raw_spin_lock+0x3c/0x44)
    [<c032cb70>] (_raw_spin_lock+0x0/0x44) from [<c01c9224>] (pl011_console_write+0xe8/0x11c)
    [<c01c913c>] (pl011_console_write+0x0/0x11c) from [<c002aea8>] (call_console_drivers.clone.7+0xdc/0x104)
    [<c002adcc>] (call_console_drivers.clone.7+0x0/0x104) from [<c002b320>] (console_unlock+0x2e8/0x454)
    [<c002b038>] (console_unlock+0x0/0x454) from [<c002b8b4>] (vprintk_emit+0x2d8/0x594)
    [<c002b5dc>] (vprintk_emit+0x0/0x594) from [<c0329718>] (printk+0x3c/0x44)
    [<c03296dc>] (printk+0x0/0x44) from [<c002929c>] (warn_slowpath_common+0x28/0x6c)
    [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
    [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0070ab0>] (lockdep_trace_alloc+0xd8/0xf0)
    [<c00709d8>] (lockdep_trace_alloc+0x0/0xf0) from [<c00c0850>] (kmem_cache_alloc+0x24/0x11c)
    [<c00c082c>] (kmem_cache_alloc+0x0/0x11c) from [<c00bb044>] (__get_vm_area_node.clone.24+0x7c/0x16c)
    [<c00bafc8>] (__get_vm_area_node.clone.24+0x0/0x16c) from [<c00bb7b8>] (get_vm_area_caller+0x48/0x54)
    [<c00bb770>] (get_vm_area_caller+0x0/0x54) from [<c0020064>] (__alloc_remap_buffer.clone.15+0x38/0xb8)
    [<c002002c>] (__alloc_remap_buffer.clone.15+0x0/0xb8) from [<c0020244>] (__dma_alloc+0x160/0x2c8)
    [<c00200e4>] (__dma_alloc+0x0/0x2c8) from [<c00204d8>] (arm_dma_alloc+0x88/0xa0)[<c0020450>] (arm_dma_alloc+0x0/0xa0) from [<c00beb00>] (dma_pool_alloc+0xcc/0x1a8)
    [<c00bea34>] (dma_pool_alloc+0x0/0x1a8) from [<c01a9d14>] (pl08x_fill_llis_for_desc+0x28/0x568)
    [<c01a9cec>] (pl08x_fill_llis_for_desc+0x0/0x568) from [<c01aab8c>] (pl08x_prep_slave_sg+0x258/0x3b0)
    [<c01aa934>] (pl08x_prep_slave_sg+0x0/0x3b0) from [<c01c9f74>] (pl011_dma_tx_refill+0x140/0x288)
    [<c01c9e34>] (pl011_dma_tx_refill+0x0/0x288) from [<c01ca748>] (pl011_start_tx+0xe4/0x120)
    [<c01ca664>] (pl011_start_tx+0x0/0x120) from [<c01c54a4>] (__uart_start+0x48/0x4c)
    [<c01c545c>] (__uart_start+0x0/0x4c) from [<c01c632c>] (uart_start+0x2c/0x3c)
    [<c01c6300>] (uart_start+0x0/0x3c) from [<c01c795c>] (uart_write+0xcc/0xf4)
    [<c01c7890>] (uart_write+0x0/0xf4) from [<c01b0384>] (n_tty_write+0x1c0/0x3e4)
    [<c01b01c4>] (n_tty_write+0x0/0x3e4) from [<c01acfe8>] (tty_write+0x144/0x240)
    [<c01acea4>] (tty_write+0x0/0x240) from [<c01ad17c>] (redirected_tty_write+0x98/0xac)
    [<c01ad0e4>] (redirected_tty_write+0x0/0xac) from [<c00c371c>] (vfs_write+0xbc/0x150)
    [<c00c3660>] (vfs_write+0x0/0x150) from [<c00c39c0>] (sys_write+0x4c/0x78)
    [<c00c3974>] (sys_write+0x0/0x78) from [<c0014460>] (ret_fast_syscall+0x0/0x3c)
    
    This happens because the DMA allocation code is not respecting atomic
    allocations correctly.
    
    GFP flags should not be tested for GFP_ATOMIC to determine if an
    atomic allocation is being requested.  GFP_ATOMIC is not a flag but
    a value.  The GFP bitmask flags are all prefixed with __GFP_.
    
    The rest of the kernel tests for __GFP_WAIT not being set to indicate
    an atomic allocation.  We need to do the same.
    
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
  10. ARM: realview: ensure that we have sufficient IRQs available

    Russell King authored
    Realview EB with a rev B MPcore tile results in lots of warnings at
    boot because it can't allocate enough IRQs.  Fix this by increasing
    the number of available IRQs.
    
    WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:757 gic_init_bases+0x12c/0x2ec()
    Cannot allocate irq_descs @ IRQ96, assuming pre-allocated
    Modules linked in:
    Backtrace:
    [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002f5 r5:c042c62c r4:c044ff40 r3:c045f240
    [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
    [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029384>] (warn_slowpath_fmt+0x38/0x40)
    [<c002934c>] (warn_slowpath_fmt+0x0/0x40) from [<c042c62c>] (gic_init_bases+0x12c/0x2ec)
    [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
    [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
    [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
    [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
    ---[ end trace 1b75b31a2719ed1c ]---
    ------------[ cut here ]------------
    WARNING: at /home/rmk/git/linux-rmk/kernel/irq/irqdomain.c:234 irq_domain_add_legacy+0x80/0x140()
    Modules linked in:
    Backtrace:
    [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000000ea r5:c0081a38 r4:00000000 r3:c045f240
    [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
    [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
    [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0081a38>] (irq_domain_add_legacy+0x80/0x140)
    [<c00819b8>] (irq_domain_add_legacy+0x0/0x140) from [<c042c64c>] (gic_init_bases+0x14c/0x2ec)
    [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
    [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
    [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
    [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
    ---[ end trace 1b75b31a2719ed1d ]---
    ------------[ cut here ]------------
    WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:762 gic_init_bases+0x170/0x2ec()
    Modules linked in:
    Backtrace:
    [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002fa r5:c042c670 r4:00000000 r3:c045f240
    [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
    [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
    [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c042c670>] (gic_init_bases+0x170/0x2ec)
    [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
    [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
    [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
    [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
    ---[ end trace 1b75b31a2719ed1e ]---
    
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
  11. ARM: GIC: fix GIC cpumask initialization

    Russell King authored
    Punit Agrawal reports:
    > I was trying to boot 3.8-rc5 on Realview EB 11MPCore using
    > realview-smp_defconfig as a starting point but the kernel failed to
    > progress past the log below (config attached).
    >
    > Pawel suggested I try reverting 384a290 - "ARM: gic: use a private
    > mapping for CPU target interfaces" that you've authored. With this
    > commit reverted the kernel boots.
    >
    > I am not quite sure why the commit breaks 11MPCore but Pawel (cc'd)
    > might be able to shed light on that.
    
    Some early GIC implementations return zero for the first distributor
    CPU routing register.  This means we can't rely on that telling us
    which CPU interface we're connected to.  We know that these platforms
    implement PPIs for IRQs 29-31 - but we shouldn't assume that these
    will always be populated.
    
    So, instead, scan for a non-zero CPU routing register in the first
    32 IRQs and use that as our CPU mask.
    
    Reported-by: Punit Agrawal <punit.agrawal@arm.com>
    Reviewed-by: Nicolas Pitre <nico@linaro.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
  12. Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

    authored
    Pull drm regression fix from Dave Airlie:
     "This one fixes a sleep while locked regression that was introduced
      earlier in 3.8."
    
    * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
      drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try
  13. @lynxeye-dev @davem330

    net: usb: fix regression from FLAG_NOARP code

    lynxeye-dev authored davem330 committed
    In commit 6509141 ("usbnet: add new
    flag FLAG_NOARP for usb net devices"), the newly added flag NOARP was
    using an already defined value, which broke drivers using flag
    MULTI_PACKET.
    
    Signed-off-by: Lucas Stach <dev@lynxeye.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  14. @davem330

    l2tp: dont play with skb->truesize

    Eric Dumazet authored davem330 committed
    Andrew Savchenko reported a DNS failure and we diagnosed that
    some UDP sockets were unable to send more packets because their
    sk_wmem_alloc was corrupted after a while (tx_queue column in
    following trace)
    
    $ cat /proc/net/udp
      sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
    ...
      459: 00000000:0270 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4507 2 ffff88003d612380 0
      466: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4802 2 ffff88003d613180 0
      470: 076A070A:007B 00000000:0000 07 FFFF4600:00000000 00:00000000 00000000   123        0 5552 2 ffff880039974380 0
      470: 010213AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4986 2 ffff88003dbd3180 0
      470: 010013AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4985 2 ffff88003dbd2e00 0
      470: 00FCA8C0:007B 00000000:0000 07 FFFFFB00:00000000 00:00000000 00000000     0        0 4984 2 ffff88003dbd2a80 0
    ...
    
    Playing with skb->truesize is tricky, especially when
    skb is attached to a socket, as we can fool memory charging.
    
    Just remove this code, its not worth trying to be ultra
    precise in xmit path.
    
    Reported-by: Andrew Savchenko <bircoph@gmail.com>
    Tested-by: Andrew Savchenko <bircoph@gmail.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: James Chapman <jchapman@katalix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  15. @borkmann @davem330

    net: sctp: sctp_auth_key_put: use kzfree instead of kfree

    borkmann authored davem330 committed
    For sensitive data like keying material, it is common practice to zero
    out keys before returning the memory back to the allocator. Thus, use
    kzfree instead of kfree.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  16. @davem330

    Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git…

    davem330 authored
    …/jesse/openvswitch into openvswitch
    
    Jesse Gross says:
    
    ====================
    One bug fix for net/3.8 for a long standing problem that was reported a few
    times recently.
    ====================
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
  17. @davem330

    Merge branch 'netback'

    davem330 authored
    Ian Campbell says:
    
    ====================
    The Xen netback implementation contains a couple of flaws which can
    allow a guest to cause a DoS in the backend domain, potentially
    affecting other domains in the system.
    
    CVE-2013-0216 is a failure to sanity check the ring producer/consumer
    pointers which can allow a guest to cause netback to loop for an
    extended period preventing other work from occurring.
    
    CVE-2013-0217 is a memory leak on an error path which is guest
    triggerable.
    
    The following series contains the fixes for these issues, as previously
    included in Xen Security Advisory 39:
    http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html
    
    Changes in v2:
     - Typo and block comment format fixes
     - Added stable Cc
    ====================
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
  18. @davem330

    netback: correct netbk_tx_err to handle wrap around.

    Ian Campbell authored davem330 committed
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Jan Beulich <JBeulich@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  19. @davem330

    xen/netback: free already allocated memory on failure in xen_netbk_ge…

    Ian Campbell authored davem330 committed
    …t_requests
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  20. @davem330

    xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.

    Matthew Daley authored davem330 committed
    Signed-off-by: Matthew Daley <mattjd@gmail.com>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Jan Beulich <JBeulich@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  21. @davem330

    xen/netback: shutdown the ring if it contains garbage.

    Ian Campbell authored davem330 committed
    A buggy or malicious frontend should not be able to confuse netback.
    If we spot anything which is not as it should be then shutdown the
    device and don't try to continue with the ring in a potentially
    hostile state. Well behaved and non-hostile frontends will not be
    penalised.
    
    As well as making the existing checks for such errors fatal also add a
    new check that ensures that there isn't an insane number of requests
    on the ring (i.e. more than would fit in the ring). If the ring
    contains garbage then previously is was possible to loop over this
    insane number, getting an error each time and therefore not generating
    any more pending requests and therefore not exiting the loop in
    xen_netbk_tx_build_gops for an externded period.
    
    Also turn various netdev_dbg calls which no precipitate a fatal error
    into netdev_err, they are rate limited because the device is shutdown
    afterwards.
    
    This fixes at least one known DoS/softlockup of the backend domain.
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Acked-by: Jan Beulich <JBeulich@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  22. Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/ker…

    authored
    …nel/git/rusty/linux
    
    Pull virtio fix from Rusty Russell:
     "Obviously I forgot to push this before linux.conf.au..."
    
    * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
      virtio_console: Don't access uninitialized data.
  23. Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kern…

    authored
    …el/git/roland/infiniband
    
    Pull IB regression fixes from Roland Dreier:
    
     - Fix mlx4 VFs not working on old guests because of 64B CQE changes
    
     - Fix ill-considered sparse fix for qib
    
     - Fix IPoIB crash due to skb double destruct introduced in 3.8-rc1
    
    * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
      IB/qib: Fix for broken sparse warning fix
      mlx4_core: Fix advertisement of wrong PF context behaviour
      IPoIB: Fix crash due to skb double destruct
  24. Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel…

    authored
    …/git/mason/linux-btrfs
    
    Pull btrfs fixes from Chris Mason:
     "We've got corner cases for updating i_size that ceph was hitting,
      error handling for quotas when we run out of space, a very subtle
      snapshot deletion race, a crash while removing devices, and one
      deadlock between subvolume creation and the sb_internal code (thanks
      lockdep)."
    
    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
      Btrfs: move d_instantiate outside the transaction during mksubvol
      Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata
      Btrfs: fix possible stale data exposure
      Btrfs: fix missing i_size update
      Btrfs: fix race between snapshot deletion and getting inode
      Btrfs: fix missing release of the space/qgroup reservation in start_transaction()
      Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write()
      Btrfs: do not merge logged extents if we've removed them from the tree
      btrfs: don't try to notify udev about missing devices
  25. Merge tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/lin…

    authored
    …ux/kernel/git/linusw/linux-pinctrl
    
    Pull late pinctrl fixes from Linus Walleij:
     "Two patches appeared as of late, one was completely news to me, the
      other one was rotated in -next for the next merge window but turned
      out to be a showstopper.
    
       - Exynos Kconfig fixup
       - SIRF DT translation bug"
    
    * tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
      pinctrl: sirf: replace of_gpio_simple_xlate by sirf specific of_xlate
      pinctrl: exynos: change PINCTRL_EXYNOS option
  26. Merge tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/…

    authored
    …scm/linux/kernel/git/konrad/xen
    
    Pull Xen fixes from Konrad Rzeszutek Wilk:
     "This has two fixes.  One is a security fix wherein we would spam the
      kernel printk buffer if one of the guests was misbehaving.  The other
      is much tamer and it was us only checking for one type of error from
      the IRQ subsystem (when allocating new IRQs) instead of for all of
      them.
    
       - Fix an IRQ allocation where we only check for a specific error (-1).
       - CVE-2013-0231 / XSA-43.  Make xen-pciback rate limit error messages
         from xen_pcibk_enable_msi{,x}()"
    
    * tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
      xen: fix error handling path if xen_allocate_irq_dynamic fails
      xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()
  27. Merge tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/…

    authored
    …kernel/git/broonie/regulator
    
    Pull regulator fixes from Mark Brown:
     "Mostly driver specific fixes here, though one of them uncovered the
      issue Stephen Warren fixed with multiple OF matches getting upset due
      to a lack of cleanup."
    
    * tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
      regulator: s2mps11: fix incorrect register for buck10
      regulator: clear state each invocation of of_regulator_match
      regulator: max8997: Fix using wrong dev argument at various places
      regulator: max77686: Fix using wrong dev argument at various places
      regulator: max8907: Fix using wrong dev argument for calling of_regulator_match
      regulator: max8998: fix incorrect min_uV value for ldo10
      regulator: tps65910: Fix using wrong dev argument for calling of_regulator_match
      regulator: tps65217: Fix using wrong dev argument for calling of_regulator_match
  28. @danvet

    drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try

    danvet authored Dave Airlie committed
    This fixes up
    
    commit e8e8962
    Author: Daniel Vetter <daniel.vetter@ffwll.ch>
    Date:   Tue Dec 18 22:25:11 2012 +0100
    
        drm/ttm: fix fence locking in ttm_buffer_object_transfer
    
    which leaves behind a might_sleep in atomic context, since the
    fence_lock spinlock is held over a kmalloc(GFP_KERNEL) call. The fix
    is to revert the above commit and only take the lock where we need it,
    around the call to ->sync_obj_ref.
    
    v2: Fixup things noticed by Maarten Lankhorst:
    - Brown paper bag locking bug.
    - No need for kzalloc if we clear the entire thing on the next line.
    - check for bo->sync_obj (totally unlikely race, but still someone
      else could have snuck in) and clear fbo->sync_obj if it's cleared
      already.
    
    Reported-by: Dave Airlie <airlied@gmail.com>
    Cc: Jerome Glisse <jglisse@redhat.com>
    Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
Commits on Feb 7, 2013
  1. @rustyrussell

    virtio_console: Don't access uninitialized data.

    Sjur Brændeland authored rustyrussell committed
    Don't access uninitialized work-queue when removing device.
    The work queue is initialized only if the device multi-queue.
    So don't call cancel_work unless this is a multi-queue device.
    
    This fixes the following panic:
    
    Kernel panic - not syncing: BUG!
    Call Trace:
    62031b28:  [<6026085d>] panic+0x16b/0x2d3
    62031b30:  [<6004ef5e>] flush_work+0x0/0x1d7
    62031b60:  [<602606f2>] panic+0x0/0x2d3
    62031b68:  [<600333b0>] memcpy+0x0/0x140
    62031b80:  [<6002d58a>] unblock_signals+0x0/0x84
    62031ba0:  [<602609c5>] printk+0x0/0xa0
    62031bd8:  [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148
    62031c10:  [<6004ef5e>] flush_work+0x0/0x1d7
    62031c18:  [<60050234>] try_to_grab_pending+0x0/0x17e
    62031c38:  [<6004e984>] get_work_gcwq+0x71/0x8f
    62031c48:  [<60050539>] __cancel_work_timer+0x5b/0x115
    62031c78:  [<628acc85>] unplug_port+0x0/0x191 [virtio_console]
    62031c98:  [<6005061c>] cancel_work_sync+0x12/0x14
    62031ca8:  [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console]
    62031ce8:  [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio]
    62031d08:  [<601cf242>] __device_release_driver+0x75/0xe4
    62031d28:  [<601cf2dd>] device_release_driver+0x2c/0x40
    62031d48:  [<601ce0dd>] driver_unbind+0x7d/0xc6
    62031d88:  [<601cd5d9>] drv_attr_store+0x27/0x29
    62031d98:  [<60115f61>] sysfs_write_file+0x100/0x14d
    62031df8:  [<600b737d>] vfs_write+0xcb/0x184
    62031e08:  [<600b58b8>] filp_close+0x88/0x94
    62031e38:  [<600b7686>] sys_write+0x59/0x88
    62031e88:  [<6001ced1>] handle_syscall+0x5d/0x80
    62031ea8:  [<60030a74>] userspace+0x405/0x531
    62031f08:  [<600d32cc>] sys_dup+0x0/0x5e
    62031f28:  [<601b11d6>] strcpy+0x0/0x18
    62031f38:  [<600be46c>] do_execve+0x10/0x12
    62031f48:  [<600184c7>] run_init_process+0x43/0x45
    62031fd8:  [<60019a91>] new_thread_handler+0xba/0xbc
    
    Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
    Cc: stable@kernel.org
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Commits on Feb 6, 2013
  1. Merge tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/gi…

    authored
    …t/tiwai/sound
    
    Pull sound fixes from Takashi Iwai:
     "Just a couple of build regression fixes for ASoC fsl stuff.  It
      doesn't look too trivial, but neither intrusive, so hopefully I can
      avoid your curse..."
    
    Hey, Takashi has a good track record, I think he gets a pass..
    
    * tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
      ASoC: fsl: fix snd-soc-imx-pcm module build
      Revert "ASoC: fsl: fix multiple definition of init_module"
  2. Merge branch 'for-linus' of git://git.kernel.dk/linux-block

    authored
    Pull block layer updates from Jens Axboe:
     "I've got a few bits pending for 3.8 final, that I better get sent out.
      It's all been sitting for a while, I consider it safe.
    
      It contains:
    
       - Two bug fixes for mtip32xx, fixing a driver hang and a crash.
    
       - A few-liner protocol error fix for drbd.
    
       - A few fixes for the xen block front/back driver, fixing a potential
         data corruption issue.
    
       - A race fix for disk_clear_events(), causing spurious warnings.  Out
         of the Chrome OS base.
    
       - A deadlock fix for disk_clear_events(), moving it to the a
         unfreezable workqueue.  Also from the Chrome OS base."
    
    * 'for-linus' of git://git.kernel.dk/linux-block:
      drbd: fix potential protocol error and resulting disconnect/reconnect
      mtip32xx: fix for crash when the device surprise removed during rebuild
      mtip32xx: fix for driver hang after a command timeout
      block: prevent race/cleanup
      block: remove deadlock in disk_clear_events
      xen-blkfront: handle bvecs with partial data
      llist/xen-blkfront: implement safe version of llist_for_each_entry
      xen-blkback: implement safe iterator for the list of persistent grants
  3. @bmork @davem330

    net: qmi_wwan: add more Huawei devices, including E320

    bmork authored davem330 committed
    Adding new class/subclass/protocol combinations based on the GPLed
    out-of-tree Huawei driver. One of these has already appeared on a
    device labelled as "E320".
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  4. @bmork @davem330

    net: cdc_ncm: add another Huawei vendor specific device

    bmork authored davem330 committed
    Adding a new vendor specific class/subclass/protocol combination
    for CDC NCM devices based on information from a GPLed out-of-tree
    driver from Huawei.
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  5. @rantala @davem330

    ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()

    rantala authored davem330 committed
    ip6gre_tunnel_xmit() is leaking the skb when we hit this error branch,
    and the -1 return value from this function is bogus. Use the error
    handling we already have in place in ip6gre_tunnel_xmit() for this error
    case to fix this.
    
    Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  6. @davem330

    tcp: fix for zero packets_in_flight was too broad

    Ilpo Järvinen authored davem330 committed
    There are transients during normal FRTO procedure during which
    the packets_in_flight can go to zero between write_queue state
    updates and firing the resulting segments out. As FRTO processing
    occurs during that window the check must be more precise to
    not match "spuriously" :-). More specificly, e.g., when
    packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic
    branch that set cwnd into zero would not be taken and new segments
    might be sent out later.
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Tested-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
Something went wrong with that request. Please try again.