Commit Graph

380214 Commits

Author SHA1 Message Date
Al Viro
52018855e6 [readdir] convert configfs
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:56:30 +04:00
Al Viro
3903b38ce7 [readdir] convert romfs
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:56:29 +04:00
Al Viro
5f6039ce69 [readdir] convert squashfs
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:56:28 +04:00
Al Viro
01122e0688 [readdir] convert ubifs
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:56:25 +04:00
Al Viro
5add2ee198 [readdir] convert udf
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:50 +04:00
Al Viro
5ded75ec4c [readdir] convert ext3
new helper: dir_relax(inode).  Call when you are in location that will
_not_ be invalidated by directory modifications (block boundary, in case
of ext*).  Returns whether the directory has survived (dropping i_mutex
allows rmdir to kill the sucker; if it returns false to us, ->iterate()
is obviously done)

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:49 +04:00
Al Viro
5f99f4e79a [readdir] switch dcache_readdir() users to ->iterate()
new helpers - dir_emit_dot(file, ctx, dentry), dir_emit_dotdot(file, ctx),
dir_emit_dots(file, ctx).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:48 +04:00
Al Viro
80886298c0 [readdir] simple local unixlike: switch to ->iterate()
ext2, ufs, minix, sysv

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:47 +04:00
Al Viro
bb6f619b3a [readdir] introduce ->iterate(), ctx->pos, dir_emit()
New method - ->iterate(file, ctx).  That's the replacement for ->readdir();
it takes callback from ctx->actor, uses ctx->pos instead of file->f_pos and
calls dir_emit(ctx, ...) instead of filldir(data, ...).  It does *not*
update file->f_pos (or look at it, for that matter); iterate_dir() does the
update.

Note that dir_emit() takes the offset from ctx->pos (and eventually
filldir_t will lose that argument).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:47 +04:00
Al Viro
5c0ba4e076 [readdir] introduce iterate_dir() and dir_context
iterate_dir(): new helper, replacing vfs_readdir().

struct dir_context: contains the readdir callback (and will get more stuff
in it), embedded into whatever data that callback wants to deal with;
eventually, we'll be passing it to ->readdir() replacement instead of
(data,filldir) pair.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:46 +04:00
Al Viro
83a8761142 move linux/loop.h to drivers/block
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:45 +04:00
Al Viro
e06aeb5716 compat.c: LOOP_CLR_FD is taken care of in loop.c itself...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:44 +04:00
Al Viro
5cfafbf951 pxa3xx: VM_IO is set by io_remap_pfn_range()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:43 +04:00
Al Viro
c607f450f6 au1100fb: VM_IO is set by io_remap_pfn_range()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:43 +04:00
Al Viro
1fca06fafb au1200fb: io_remap_pfn_range() sets VM_IO
... and single return is quite sufficient to get out of function, TYVM

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:42 +04:00
Al Viro
a47df1518e vfio: remap_pfn_range() sets all those flags...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:41 +04:00
Al Viro
80537965d0 i810: VM_IO is set by io_remap_pfn_range()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:40 +04:00
Al Viro
7922e2d279 drm: io_remap_pfn_range() sets VM_IO...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:39 +04:00
Al Viro
ecf48b669e sparc: __pci_mmap_set_flags() is useless
io_remap_pfn_range() does all we need

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:39 +04:00
Al Viro
e0bced54af mn10300: don't bother with VM_IO
io_remap_pfn_range() sets it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:38 +04:00
Al Viro
1769ab6b1f hose_mmap_page_range(): io_remap_pfn_range() will set all those flags...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:37 +04:00
Al Viro
350226c20f samsung: don't bother with setting VM_IO
io_remap_pfn_range() will set it just fine

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:36 +04:00
Al Viro
40d158e618 consolidate io_remap_pfn_range definitions
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:46:35 +04:00
Artem Bityutskiy
605c912bb8 UBIFS: fix a horrid bug
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.

This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
but this may corrupt memory and lead to all kinds of problems like crashes an
security holes.

This patch fixes the problem by using the 'file->f_version' field, which
'->llseek()' always unconditionally sets to zero. We set it to 1 in
'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
seek and it is time to clear the state saved in 'file->private_data'.

I tested this patch by writing a user-space program which runds readdir and
seek in parallell. I could easily crash the kernel without these patches, but
could not crash it with these patches.

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:45:37 +04:00
Artem Bityutskiy
33f1a63ae8 UBIFS: prepare to fix a horrid bug
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.

First of all, this means that 'file->private_data' can be freed while
'ubifs_readdir()' uses it.  But this particular patch does not fix the problem.
This patch is only a preparation, and the fix will follow next.

In this patch we make 'ubifs_readdir()' stop using 'file->f_pos' directly,
because 'file->f_pos' can be changed by '->llseek()' at any point. This may
lead 'ubifs_readdir()' to returning inconsistent data: directory entry names
may correspond to incorrect file positions.

So here we introduce a local variable 'pos', read 'file->f_pose' once at very
the beginning, and then stick to 'pos'. The result of this is that when
'ubifs_dir_llseek()' changes 'file->f_pos' while we are in the middle of
'ubifs_readdir()', the latter "wins".

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:45:37 +04:00
Akira Takeuchi
e3f12a5304 mn10300: Use early_param() to parse "mem=" parameter
This fixes the problem that "init=" options may not be passed to kernel
correctly.

parse_mem_cmdline() of mn10300 arch gets rid of "mem=" string from
redboot_command_line. Then init_setup() parses the "init=" options from
static_command_line, which is a copy of redboot_command_line, and keeps
the pointer to the init options in execute_command variable.

Since the commit 026cee0 upstream (params: <level>_initcall-like kernel
parameters), static_command_line becomes overwritten by saved_command_line at
do_initcall_level(). Notice that saved_command_line is a command line
which includes "mem=" string.

As a result, execute_command may point to weird string by the length of
"mem=" parameter.
I noticed this problem when using the command line like this:

    mem=128M console=ttyS0,115200 init=/bin/sh

Here is the processing flow of command line parameters.
    start_kernel()
      setup_arch(&command_line)
         parse_mem_cmdline(cmdline_p)
           * strcpy(boot_command_line, redboot_command_line);
           * Remove "mem=xxx" from redboot_command_line.
           * *cmdline_p = redboot_command_line;
      setup_command_line(command_line) <-- command_line is redboot_command_line
        * strcpy(saved_command_line, boot_command_line)
        * strcpy(static_command_line, command_line)
      parse_early_param()
        strlcpy(tmp_cmdline, boot_command_line, COMMAND_LINE_SIZE);
        parse_early_options(tmp_cmdline);
          parse_args("early options", cmdline, NULL, 0, 0, 0, do_early_param);
      parse_args("Booting ..", static_command_line, ...);
        init_setup() <-- save the pointer in execute_command
      rest_init()
        kernel_thread(kernel_init, NULL, CLONE_FS | CLONE_SIGHAND);

At this point, execute_command points to "/bin/sh" string.

    kernel_init()
      kernel_init_freeable()
        do_basic_setup()
          do_initcalls()
            do_initcall_level()
              (*) strcpy(static_command_line, saved_command_line);

Here, execute_command gets to point to "200" string !!

Signed-off-by: David Howells <dhowells@redhat.com>
2013-06-28 16:53:03 +01:00
Akira Takeuchi
c6dc9f0a4e mn10300: Allow to pass array name to get_user()
This fixes the following compile error:

CC block/scsi_ioctl.o
block/scsi_ioctl.c: In function 'sg_scsi_ioctl':
block/scsi_ioctl.c:449: error: invalid initializer

Signed-off-by: David Howells <dhowells@redhat.com>
2013-06-28 16:53:01 +01:00
Dave Airlie
18097b91aa drm/qxl: add missing access check for execbuffer ioctl
Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-06-28 13:27:40 +10:00
Thadeu Lima de Souza Cascardo
1abd601864 powerpc/eeh: Add eeh_dev to the cache during boot
commit f8f7d63fd9 ("powerpc/eeh: Trace eeh
device from I/O cache") broke EEH on pseries for devices that were
present during boot and have not been hotplugged/DLPARed.

eeh_check_failure will get the eeh_dev from the cache, and will get
NULL. eeh_addr_cache_build adds the addresses to the cache, but eeh_dev
for the giving pci_device is not set yet. Just reordering the call to
eeh_addr_cache_insert_dev works fine. The ordering is similar to the one
in eeh_add_device_late.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Acked-by: Gavin Shan <shangw@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2013-06-28 12:02:07 +10:00
Bob Peterson
a01aedfe21 GFS2: Reserve journal space for quota change in do_grow
If a GFS2 file system is mounted with quotas and a file is grown
in such a way that its free blocks for the allocation are represented
in a secondary bitmap, GFS2 ran out of blocks in the transaction.
That resulted in "fatal: assertion "tr->tr_num_buf <= tr->tr_blocks".
This patch reserves extra blocks for the quota change so the
transaction has enough space.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
2013-06-27 18:16:27 +01:00
Arnd Bergmann
6b9a39de73 Several fixes for:
- external irq on non-DT boards
 - cpuidle code in some circumstances
 - PMC code in relation with PLLB/PLL_UTMI/USB:
   mainly for SAMA5D3 and AT91SAM9N12
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQEcBAABAgAGBQJRyuyOAAoJEAf03oE53VmQDOgIALT6Ql8reZiaLcB9cuhpPVy1
 vJAx8jxmJy0V1eXiD/Gl00261vb2tw7YJK9gt3zfLP0upqsYWrV5sV7f8UhR73RQ
 rrJSfWfLkPFPBORYyKiHw9kWQUMBczybz9hhv3HbbxdVHmpD7LnaPRWXat71u1u/
 Uh8UpF5d2s3lAE1BBqTr9Ec6n3r7vKqI/0MO2pWnyf11nfNZMI705zG9ehrQZHZx
 v8hovwjWuQ/o06GD45xMJuunEp6IVHl01A2ZRcppuvQD4CtNBXo3AnlNLQ6TK7iz
 9qOVhAiD8/1Td3CXSOOMiInCDBIVOXI/bbkKrAFJcTgGdL1jkAKEN3A1xUxXYVQ=
 =28Xo
 -----END PGP SIGNATURE-----

Merge tag 'at91-fixes' of git://github.com/at91linux/linux-at91 into next/fixes-non-critical

From Nicolas Ferre:

Several fixes for:
- external irq on non-DT boards
- cpuidle code in some circumstances
- PMC code in relation with PLLB/PLL_UTMI/USB:
  mainly for SAMA5D3 and AT91SAM9N12

* tag 'at91-fixes' of git://github.com/at91linux/linux-at91:
  ARM: at91/PMC: use at91_usb_rate() for UTMI PLL
  ARM: at91/PMC: fix at91sam9n12 USB FS init
  ARM: at91/PMC: at91sam9n12 family has a PLLB
  ARM: at91/PMC: sama5d3 family doesn't have a PLLB
  ARM: at91: cpuidle: Fix target_residency
  ARM: at91: fix at91_extern_irq usage for non-dt boards

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2013-06-27 15:03:13 +02:00
Josh Durgin
d2d1f17a0d rbd: send snapshot context with writes
Sending the right snapshot context with each write is required for
snapshots to work. Due to the ordering of calls, the snapshot context
is never set for any requests. This causes writes to the current
version of the image to be reflected in all snapshots, which are
supposed to be read-only.

This happens because rbd_osd_req_format_write() sets the snapshot
context based on obj_request->img_request. At this point, however,
obj_request->img_request has not been set yet, to the snapshot context
is set to NULL. Fix this by moving rbd_img_obj_request_add(), which
sets obj_request->img_request, before the osd request formatting
calls.

This resolves:
    http://tracker.ceph.com/issues/5465

Reported-by: Karol Jurak <karol.jurak@gmail.com>
Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@linaro.org>
2013-06-27 05:55:29 -07:00
Linus Walleij
1eb92b24e2 ARM: integrator: let pciv3 use mem/premem from device tree
Instead of relying on the hard-coded mem/premem bases for
the PCI side, read in these from the device tree in the
DT probe path. Hard-code the old values on the non-DT probe
path. Introduce some static locals to hold these addresses
instead of the earlier static #defines.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2013-06-27 14:19:54 +02:00
Linus Walleij
56ce3ffbd5 ARM: integrator: set local side PCI addresses right
This alters the local side address of the iospace to zero,
non prefetchable memory local side address to 0x00000000 and
prefetchable memory local side address to 0x10000000,
so as to match the values actually poked in by the driver.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2013-06-27 14:19:12 +02:00
James Bottomley
a9e94ec350 This patch fixes a critical bug that was introduced in 3.9
related to VLAN tagging FCoE frames.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJRyfSGAAoJEEajxTw9cn4HezEP/3wE3j+Ra+3OcH5hQhFdViLZ
 MWzxZ+p3R115OlkPMl2RAcvNfkaBywsfGoBIN2zJWCmlfYwFgHp6XXiLE3NBbRxb
 BZDNoiUO2Gr5fkWdS+IopAhyQaM1uaJFmDgoRATCe8+0m7i8yD7VI6lnKtnJ12RR
 dJUZbRChvzvWfNFNHx4fi+8qPupBj9ahHqtisbbyoP34ZuljTPzlcUrl5AldkHL1
 RsklezD9ENwSCDlP0OAoTXLf6RYfVhaNvUVWOFrCg+VXI+LFEi+Nl0WX271axH3T
 r7LqaDfX9TVRHZ1o37HwsZ/ic1eLQDaRIR1lmAB6ksF+WIohIcCic6SsNbmIux4D
 3TybtbTrqT9/3EOg4YQxwnx8ppaHXdWDCk6BAfg7pJsLmFAr+DwVfHifEypqYExU
 T+QPScCXqqXHp/ziAdVSx2ft8Pzm8BWzWEaNm0IN74nbjd+GpBbQ8Lq3yaoSOlij
 PxxSDzrSmFr7EImcwrqcaxru86rKTgvufjeakxTQ73GJKvYcXrGsnvT5K7iPlt06
 IZjIHpfa6U+OFL5Ah8k2QvQ7xcl7AzgmFIORMxXCtYmdweu/6Ite+3NffgcrapZo
 0sFHxE7vCrMk20Us05SSpOzML3TMYBptmU5MsnbhLl+gcMmSVLZA8lq2QUDTfSQO
 /ARHI2Gm7EYDjDU21mZk
 =Sbz8
 -----END PGP SIGNATURE-----

Merge tag 'fcoe1' into fixes

This patch fixes a critical bug that was introduced in 3.9
related to VLAN tagging FCoE frames.
2013-06-26 23:08:22 -07:00
James Bottomley
36a279686b 3.10 fixes
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJRm7ALAAoJEEajxTw9cn4Hv0wP/2N8BJUYhzPguRS+d0GrFDD6
 Zdhwyul+uZobqFVgqM9yZR/zF2R49vmd9cWfM+PKVXZkm1mPD2HNmCHsoj74MfTH
 NFellPnDtr2WPLeIEYSwhuSws01UvahZM8nAJlU988U1TgU6Ztr70xy3u0I7Duw9
 07ou4Dw8+BLh1nMVbXHzKP02h0pu4oyB01e1EponGpDBvsEMjgi0gMd4IH4LboUz
 hkvsmHcjTh13W4Byx3xp7aSDxSI7bTU7iss7UAnqI8G59d7y6GFMD82ar/mwVp8T
 TilJzYEGO1cQaIq7yYhcH5ZoqLPYXvoi6uVWkXG7Kex5/kt6woi6SN8as9XoQ3cg
 stl83VLbnNXQl68xWvRyfFXTsvukVqqk3ZDpOLYvWai7OyBOjjPeTwHU4tjZWCva
 d/uq3LF9zf+BDZFin3Iw4VY6J/qLARamUXi8b6TMYO3ScCnFk9rmMhJ7Av9b7for
 sQSeeIVmbxEn+8hRSqXQAEUGJ3mchEkcX6s3h2aNz/cGtWCweNe05ykROtLRDggK
 JrnHicsDZyKpv5g+UWX5qQQrL4xLc2VV2F6wtgcmNkyhc9M9/OS/RgIvXfv3j5bh
 TRrEymsQ/99R/XYnVy/OVPNSCyfa3FIWrrW2cD4/RjgIJnD326IgKzp42bYJIeBj
 u0sNqarvvO0BBbjsuij3
 =+dRk
 -----END PGP SIGNATURE-----

Merge tag 'fcoe' into fixes

3.10 fixes
2013-06-26 23:07:53 -07:00
Linus Torvalds
98b6ed0f2b Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Found via trinity:

    If you connect up an ipv6 socket to an ipv4 mapped address then an
    ipv6 one, sendmsg() can croak because ip6_sk_dst_check() assumes the
    route cached in the socket is an ipv6 one.  In this case there is an
    ipv4 route attached, so it gets stomped on.

    Reported by Dave Jones and Hannes Frederic Sowa, fixed by Eric
    Dumazet.

 2) AF_KEY notifications leak some kernel memory to userspace, fix from
    Mathias Krause.

 3) DLCI calls __dev_get_by_name() without proper locking, and dlci_del
    doesn't validate that the device being deleted is actually a DLCI
    one.  Fixes from Li Zefan.

 4) Length check on bluetooth l2cap information responses is wrong, each
    response type has a different lenth, so we should make sure it's in
    a given range rather than enforce one single valid length.  From
    Jaganath Kanakkassery.

 5) Receive FIFO overflow is really easy to trigger in stress scenerios
    in the sh_eth driver, but the event isn't being handled properly at
    all.  Specifically, the mask of error interrupts doesn't include the
    event so we never clear it, resulting in the driver becomming wedged
    processing an interrupt that never gets cleared.

    Fix from Sergei Shtylyov.

 6) qlcnic sleeps while holding a spinlock, use mdelay() instead of
    msleep().  From Shahed Shaikh.

 7) Missing curly braces causes SIP netfilter NAT module to always drop
    packets.  Fix from Balazs Peter Odor.

 8) ipt_ULOG in netfilter passes the wrong value to timer setup, causing
    the timer to dereference crap when it fires.  Fix from Gao Feng.

 9) Missing RCU protection around txq->axq_acq traversal in
    ath_txq_schedule().  Fix from Felix Fietkau.

10) Idle state transition test in ath9k_htc_config() is reversed, fix
    from Sujith Manoharan.

11) IPV6 forwarding handles unicast Router Alert packets incorrectly.
    It tests the wrong option state.  Previously opt->ra being non-zero
    indicated a router alert marking in the SKB, but now it's indicated
    by a bit in opt->flags.  Fix from YOSHIFUJI Hideaki.

12) SKB leak in GRE tunnel GSO handling, from Eric Dumazet.

13) get_user_pages_fast() error handling in TUN and MACVTAP use the same
    local variable for the base index and the loop iterator for page
    traversal, oops! Fix from Michael S Tsirkin.

14) ipv6_get_lladdr() can fail, and we must therefore check it's return
    value in inet6_set_iftoken().  For from Hannes Frederic Sowa.

15) If you change an interface name and meanwhile can sneak in something
    that looks up the name (like SO_BINDTODEVICE or SIOCGIFNAME) we can
    deadlock with CONFIG_PREEMPT=n.  Fix this by providing a helper
    function that properly uses raw_seqcount_begin().  From Nicolas
    Schichan.

16) Chain noise calibration test is inverted in iwlwifi, fix from
    Nikolay Martynov.

17) Properly set TX iwlwifi descriptor flags for back requests.  Fix
    from Emmanuel Grumbach.

18) We can't assume skb_transport_header() is set in xt_TCPOPTSTRAP
    module, fix from Pablo Neira Ayuso.

19) Some crummy APs don't provide the proper High Throughput info in
    association response frames.  Add a workaround by assume we'll use
    whatever is in the beacon/probe.  Fix from Johannes Berg.

20) mac80211 call to rate_idx_match_mask() swaps two arguments (mask and
    channel width).  Fix from Simon Wunderlich.

21) xt_TCPMSS (like xt_TCPOPTSTRAP) must not try to handle fragmented
    frames.  Fix from Phil Oester.

22) Fix rate control regression causing iwlwifi/iwlegacy chips to use
    1Mbit/s on pre-11n networks.  From Moshe Benji and Stanslaw Gruszka.

23) Disable brcmsmac power-save functions, they cause regressions.  From
    Arend van Spriel.

24) Enforce a sane minimum MTU in l2cap_build_cmd() otherwise we can
    easily crash.  Fix from Anderson Lizardo.

25) If a learning packet arrives during vxlan_stop() we crash, easily
    fixed by checking netif_running().  From Stephen Hemminger.

26) Static vxlan FDB entries should not be migrated, also from Stephen.

27) skb_clone() failures not handled in vxlan_xmit(), oops.  Also from
    Stephen.

28) Add minimal driver for AR816x/AR817x ethernet chips, from Johannes
    Berg.

29) Fix regression in userspace VLAN acceleration control, added by the
    802.1ad support changes.  Fix from Fernando Luis Vazquez Cao.

30) Interval selection for MLD queries in the bridging code was
    reversed.  Fix from Linus Lüssing.

31) ipv6's ndisc_send_redirect() erroneously writes to the packet we
    received not the packet we are building to send out.  Fix from
    Matthias Schiffer.

32) Don't free netdev before unregistering it, in usb_8dev can driver.
    From Marc Kleine-Budde.

33) Fix nl80211 attribute buffer races, from Johannes Berg.

34) Although netlink_diag.h is under uapi/ it isn't present in Kbuild.
    From Stephen Hemminger.

35) Wrong address and family passed to MD5 key lookups in TCP, from
    Aydin Arik.

36) phy_type attribute created by SFC driver should not be writable.
    From Ben Hutchings.

37) Receive/Transmit queue allocations in pxa168_eth and mv643xx_eth
    should use kzalloc().  Otherwise if setup fails half-way, we'll
    dereference garbage when trying to teardown the rings.  From Lubomir
    Rintel.

38) Fix double-allocation of dst (resulting in unfreeable net device) in
    ipv6's init_loopback().  From Gao Feng.

39) Fix fragmentation handling SKB leak in netfilter conntrack, we were
    freeing the wrong skb pointer.  From Phil Oester.

40) Don't report "-1" (SPEED_UNKNOWN) in bond_miimon_commit(), from
    Nikolay Aleksandrov.

41) davinci_cpdma doesn't check for DMA mapping errors, letting the
    device scribble to random addresses.  From Sebastian Siewior.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
  dlci: validate the net device in dlci_del()
  dlci: acquire rtnl_lock before calling __dev_get_by_name()
  af_key: fix info leaks in notify messages
  ipv6: ip6_sk_dst_check() must not assume ipv6 dst
  net: fix kernel deadlock with interface rename and netdev name retrieval.
  net/tg3: Avoid delay during MMIO access
  ipv6: check return value of ipv6_get_lladdr
  macvtap: fix recovery from gup errors
  tun: fix recovery from gup errors
  gre: fix a possible skb leak
  ipv6: Process unicast packet with Router Alert by checking flag in skb.
  ath9k_htc: Handle IDLE state transition properly
  ath9k: fix an RCU issue in calling ieee80211_get_tx_rates
  netfilter: ipt_ULOG: fix incorrect setting of ulog timer
  netfilter: ctnetlink: send event when conntrack label was modified
  netfilter: nf_nat_sip: fix mangling
  qlcnic: Do not sleep while holding spinlock
  drivers: net: cpsw: fix compilation error with cpsw driver
  tcp: doc : fix the syncookies default value
  sh_eth: fix misreporting of transmit abort
  ...
2013-06-26 19:24:37 -10:00
Linus Torvalds
1a506e4735 Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull i915 drm fixes from Dave Airlie:
 "These should be the last two fixes for i915, one is for a fence leak
  killing X on some older GPUs, and one is a late regression partial
  revert for an swiotlb/xen/i915 interaction, Konrad has promised to
  figure out the proper answer, and this patch is the best thing to do
  at this stage to avoid regressing"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/i915: make compact dma scatter lists creation work with SWIOTLB backend.
  drm/i915: Restore fences after resume and GPU resets
2013-06-26 19:23:15 -10:00
Zefan Li
578a1310f2 dlci: validate the net device in dlci_del()
We triggered an oops while running trinity with 3.4 kernel:

BUG: unable to handle kernel paging request at 0000000100000d07
IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
PGD 640c0d067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
CPU 3
...
Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
...
Call Trace:
  [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
  [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
  [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
  [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
  [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
...

It's because the net device is not a dlci device.

Reported-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-26 15:36:42 -07:00
Zefan Li
11eb2645cb dlci: acquire rtnl_lock before calling __dev_get_by_name()
Otherwise the net device returned can be freed at anytime.

Signed-off-by: Li Zefan <lizefan@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-26 15:36:42 -07:00
Mathias Krause
a5cc68f3d6 af_key: fix info leaks in notify messages
key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
the sadb_msg_reserved member of the broadcasted message and thereby
leak 2 bytes of heap memory to listeners. Fix that.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-26 15:15:54 -07:00
Eric Dumazet
a963a37d38 ipv6: ip6_sk_dst_check() must not assume ipv6 dst
It's possible to use AF_INET6 sockets and to connect to an IPv4
destination. After this, socket dst cache is a pointer to a rtable,
not rt6_info.

ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
various corruptions/crashes can happen.

Dave Jones can reproduce immediate crash with
trinity -q -l off -n -c sendmsg -c connect

With help from Hannes Frederic Sowa

Reported-by: Dave Jones <davej@redhat.com>
Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-26 15:13:47 -07:00
Nicolas Schichan
5dbe7c178d net: fix kernel deadlock with interface rename and netdev name retrieval.
When the kernel (compiled with CONFIG_PREEMPT=n) is performing the
rename of a network interface, it can end up waiting for a workqueue
to complete. If userland is able to invoke a SIOCGIFNAME ioctl or a
SO_BINDTODEVICE getsockopt in between, the kernel will deadlock due to
the fact that read_secklock_begin() will spin forever waiting for the
writer process (the one doing the interface rename) to update the
devnet_rename_seq sequence.

This patch fixes the problem by adding a helper (netdev_get_name())
and using it in the code handling the SIOCGIFNAME ioctl and
SO_BINDTODEVICE setsockopt.

The netdev_get_name() helper uses raw_seqcount_begin() to avoid
spinning forever, waiting for devnet_rename_seq->sequence to become
even. cond_resched() is used in the contended case, before retrying
the access to give the writer process a chance to finish.

The use of raw_seqcount_begin() will incur some unneeded work in the
reader process in the contended case, but this is better than
deadlocking the system.

Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-26 13:42:54 -07:00
Linus Torvalds
34a0868183 regulator: Fix module loading for tps6586x
A simple one liner fix to make module loading work for distros (product
 specific kernels tend to have things built in).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJRywmMAAoJELSic+t+oim9gkgP/jcubLPg/SxW9Z3BOod7fFhm
 y0YjVKd1t36bwA8ZvyKQZTkvCHQHRFXmGtzINYzIsz+Hu1vmdIGi2GAsG8t+6ikY
 q56+f/Dvsy7GeGs03bYXrJZMoUP82IaVFV/X9qv0MPAlBPJiSvg/H1BU/pdhXXYJ
 fjHETay4XKXCUhe2l93yXyl5k+bDc/bey8k7eNcv8LxZKDwu6IUyZuHUzZOpXMhp
 4D9OWkHozX1mw/7dFr3ZFoEXHm2YM7BnrfAD7nu8JXoTmrIfBhItR1ksdxMT7Q98
 Q0hWMqR+wXGuw6wRvmM/1nfPvO+YXD2RqO2jmBLRqkiguwKfKn3FsZsFqgqIdZsA
 MpfS47zmr4r56yZBtMXWLe4nRiJ94C+EtePJWiSrnzYxn/10udwEJA8iT99mKCT2
 4wU3XqWfm+ve9+pZBcLDW4Kb/G/1clBVovrVYlemqefKjj2FE3PzImtWOUdLyWvG
 EgjsWQIYonJ6TmOvx8EC9tAcyiQE/tzf7Hp21bz7l9fcbpydfGRPqasChylcswta
 T75x0tlQg9Tm6YrvvDUwjMfkLZIQiXnV00Ts3rZrR6Hd2uqKx9LIY3+7I773WPyo
 igYZdt2pgVhH7AHOrj/Y66dNTicwMk8PR3UvJr1h7ac6H+nJE1ChHSpPB6vAhNWJ
 HPxWKF4mGGKxOVAav3ev
 =MFf4
 -----END PGP SIGNATURE-----

Merge tag 'regulator-v3.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fix from Mark Brown:
 "Fix module loading for tps6586x.

  A simple one liner fix to make module loading work for distros
  (product specific kernels tend to have things built in)"

* tag 'regulator-v3.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  mfd: tps6586x: correct device name of the regulator cell
2013-06-26 09:18:37 -10:00
Linus Torvalds
6b935ca295 Fix for omap1 GPIO breaking regression
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJRyrXkAAoJEEFnBt12D9kBcPsQAIeDYC7zC1bkNFlm7JyJon0c
 3vfHwBo0ioDw9Pqej8CLuKr/WgND5Gke4fEi5hj8SKdvw7NNSPgWSccDAIclWP40
 qGxGuhCpJ5+13L2ll0b7BcBmaInh/q2VmPGD3LfpG8W9nQl6oIEacJ81815dTTTc
 LOJz2p8tzzf49yj9pcZBKWMaqo+1nb4h8aEYi6vbkvSmWOmRrgO17JVluxpLe2Ij
 qG68OsXMZhIYDJ7TAnx4oBAcMyKnTEhyo9mr30FVytFsLcdbS6+Um9/xeVjQ+AjY
 bGrmg+XDdBXPEqzSKR3ZZKgBttYhvsGCOqXcqh582yk0bBMDkqGa5WqkeFddR5oe
 AZ+7cUlfcojs2z/Xo/Qbwj64VFh/dL8SIuX05GTWzy2F6OFTyx/i5Yfg1CK2z/fZ
 XVFxTMjVDfCsy1fz64Zhs3PsSPjXDzQ3NDEqTodiizUswcw1rvrAuuS7DD8WumwE
 eLRC6QHBylRsLPVShNmStIuXx3M4rpFKDlKMidb4TOYCxPAj8EWBt33PLrNkGAM7
 A7PS/Q/K2YvRp/hNxKgm2SWa15fA554fIbgqAU4EAQGDEfDNTO/stNl7tynVmBsh
 i7qwJIvh77158adyJMxTsDldmO2ONgA9snM1LM7rABo81sDt3y6FngnaujA2faje
 KnnXvAP9O7UzaGLF67+5
 =Z12u
 -----END PGP SIGNATURE-----

Merge tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux

Pull GPIO regression fix from Grant Likely:
 "It took a while to work out the correct solution to this regression.
  It is sorted now.  This branch was constructed and tested by Tony.
  I've verified that it builds and signed the tag"

* tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux:
  gpio/omap: don't use linear domain mapping for OMAP1
2013-06-26 09:08:58 -10:00
Linus Torvalds
687058aed4 Late power management and ACPI fixes for 3.10
- Fix for an ACPI dock regression introduced by the recent rework of
   the ACPI-based PCI hotplug code (acpiphp) that caused it to be
   initialized before the ACPI dock driver from Jiang Liu.
 
 - Fix for PCI resources allocation in the ACPI-based PCI hotplug code
   (acpiphp) that makes it use the same PCI resources assignment rules
   during runtime hotplug that are used during boot from Jiang Liu.
 
 - Fix for ordering and synchronization issues during hot-removal of
   PCI devices on docking stations from Rafael J Wysocki.
 
 - Fix for a regression that removed the code to register a hotplug
   notificaion handler for for ATA ports/devices inadvertently from
   Aaron Lu.
 
 - Fix for a recent cpufreq regression causing a NULL pointer
   dereference to trigger in od_set_powersave_bias() in some
   situations from Jacob Shin.
 
 /
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJRyuC3AAoJEKhOf7ml8uNsOFkP/ROHM2vtBf2PXIH5EQiTKwAz
 Vmy+sUuAeYBsExuObUtvn5KhCgCed8bJxPO2g4SdIC6XZPDIErN4QKJSoeeQFKb6
 4uxOJgZaP6bZ5cOdnTBvWdq679O7aKXUwZzzjzfOsC0d0APURLZhvHRZ31BaH4Yy
 GBZMq5EeY/w+N46h7y/mGDwzj4OcDbceYWGcaQLX0FtNftqnAXdcsDqCjC0UM32J
 2sTAbaTem0nEm2cuzQkIfhBO+ixa/4MTX6a/cWKOxSVM9BMIxvKdQs2WOuZVebRY
 CoOWvj820DpdG9lVs9g8+8LNFtBtiyJMJy6NR9Lwx0f5lLYHJbTp2V8htQDP6TR+
 3HWXzYnwSi0j2FszwXnBS9OUrnnQAywzl8GulCH8vsQKlS+HQCT1K6V6PKPmi4nW
 31DmV6iQPwLTlFhiUBhRov/fsTMT1Ao7iP/HgBYOIQH7zXYaJmIq2X9gdQtybkYS
 IUICjwlSyTcN2XXs6RXCSMJ4+bwLfX5NU3yVJYWu0whyXevpbpmM0A7VHm82njcX
 C4CNSDeGsTH4M36ANO9HJKgciMnJJFua68TomqQJ2FkDCeK1QNbrI+4W8dSs2WNj
 5YY7DFfuUEp8xDoHG3AjizCw0llVAbPmmBa9ox6BZ/jtH9cbdZ/A32K95ECh51oT
 G0QFX+FCN1pC9gb2uKdw
 =QGmL
 -----END PGP SIGNATURE-----

Merge tag 'pm+acpi-3.10-late' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull late power management and ACPI fixes from Rafael Wysocki:
 "Sorry about the timing of this, but ACPI-based docking stations with
  PCI devices on them and ATA bays would be hardly usable with 3.10
  without it.  We've been working on these fixes for the last couple of
  weeks and everyone involved appears to be reasonably comfortable with
  them now.

  The PM part is one fix for a cpufreq regression introduced recently

   - Fix for an ACPI dock regression introduced by the recent rework of
     the ACPI-based PCI hotplug code (acpiphp) that caused it to be
     initialized before the ACPI dock driver, which is incorrect (ACPI
     dock has to be initialized before acpiphp so that acpiphp can
     register PCI devices on docking stations with it for PCI hotplug on
     re-dock to work).  From Jiang Liu.

   - Fix for PCI resources allocation in the ACPI-based PCI hotplug code
     (acpiphp) that makes it use the same PCI resources assignment rules
     during runtime hotplug that are used during boot (the BIOS' choices
     are now respected in both cases).  This prevents PCI resource
     allocation failures during hotplug from happening in some cases.
     From Jiang Liu.

   - Fix for ordering and synchronization issues during hot-removal of
     PCI devices on docking stations.  It makes the ACPI dock code carry
     out the PCI devices removal synchronously during undock instead of
     spawning a separate asynchronous work item to remove each of them
     without even bothering to wait for all those work items to
     complete.  The hot-addition part is changed analogously.

   - Fix for a regression (introduced a few releases ago) that removed
     the code to register a hotplug notificaion handler for for ATA
     ports/devices inadvertently which prevented ATA bays hotplug from
     working.  The missing code is added back with some improvements.
     From Aaron Lu.

   - Fix for a recent cpufreq regression causing a NULL pointer
     dereference to trigger in od_set_powersave_bias() in some
     situations from Jacob Shin"

* tag 'pm+acpi-3.10-late' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: fix NULL pointer deference at od_set_powersave_bias()
  libata-acpi: add back ACPI based hotplug functionality
  ACPI / dock / PCI: Synchronous handling of dock events for PCI devices
  PCI / ACPI: Use boot-time resource allocation rules during hotplug
  ACPI / dock: Initialize ACPI dock subsystem upfront
2013-06-26 08:55:03 -10:00
Linus Torvalds
54faf77d06 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "Three small fixlets"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  hw_breakpoint: Use cpu_possible_mask in {reserve,release}_bp_slot()
  hw_breakpoint: Fix cpu check in task_bp_pinned(cpu)
  kprobes: Fix arch_prepare_kprobe to handle copy insn failures
2013-06-26 08:51:44 -10:00
Linus Torvalds
e3ff91143e Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Pull ARM fixes from Russell King:
 "Another round of ARM fixes.  Largest one is the second half of the
  PJ4B fix which was pushed in the previous -rc - this one was delayed
  because its original caused a build regression while trying to fix a
  regression!

  As ever, noMMU gets forgotten when fixing problems on MMU, so we have
  a noMMU fix for a previous fix included in this set.

  A couple of fixes from Lorenzo for problems with the ARM DT CPU code,
  and a one liner to remove the buggy 'wait for interrupt' with FA526
  cores"

* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
  ARM: 7773/1: PJ4B: Add support for errata 4742
  ARM: 7772/1: Fix missing flush_kernel_dcache_page() for noMMU
  ARM: 7763/1: kernel: fix __cpu_logical_map default initialization
  ARM: 7762/1: kernel: fix arm_dt_init_cpu_maps() to skip non-cpu nodes
  ARM: 7760/1: cpu_fa526_do_idle: remove WFI
2013-06-26 08:50:39 -10:00
Linus Torvalds
de6e1317f7 This patch fixes a critical bug that was introduced in 3.9
related to VLAN tagging FCoE frames.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJRyfSGAAoJEEajxTw9cn4HezEP/3wE3j+Ra+3OcH5hQhFdViLZ
 MWzxZ+p3R115OlkPMl2RAcvNfkaBywsfGoBIN2zJWCmlfYwFgHp6XXiLE3NBbRxb
 BZDNoiUO2Gr5fkWdS+IopAhyQaM1uaJFmDgoRATCe8+0m7i8yD7VI6lnKtnJ12RR
 dJUZbRChvzvWfNFNHx4fi+8qPupBj9ahHqtisbbyoP34ZuljTPzlcUrl5AldkHL1
 RsklezD9ENwSCDlP0OAoTXLf6RYfVhaNvUVWOFrCg+VXI+LFEi+Nl0WX271axH3T
 r7LqaDfX9TVRHZ1o37HwsZ/ic1eLQDaRIR1lmAB6ksF+WIohIcCic6SsNbmIux4D
 3TybtbTrqT9/3EOg4YQxwnx8ppaHXdWDCk6BAfg7pJsLmFAr+DwVfHifEypqYExU
 T+QPScCXqqXHp/ziAdVSx2ft8Pzm8BWzWEaNm0IN74nbjd+GpBbQ8Lq3yaoSOlij
 PxxSDzrSmFr7EImcwrqcaxru86rKTgvufjeakxTQ73GJKvYcXrGsnvT5K7iPlt06
 IZjIHpfa6U+OFL5Ah8k2QvQ7xcl7AzgmFIORMxXCtYmdweu/6Ite+3NffgcrapZo
 0sFHxE7vCrMk20Us05SSpOzML3TMYBptmU5MsnbhLl+gcMmSVLZA8lq2QUDTfSQO
 /ARHI2Gm7EYDjDU21mZk
 =Sbz8
 -----END PGP SIGNATURE-----

Merge tag 'critical_fix_for_3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe

Pull FCoE fix from Robert W Love:
 "This patch fixes a critical bug that was introduced in 3.9 related to
  VLAN tagging FCoE frames"

* tag 'critical_fix_for_3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe:
  fcoe: Use correct API to set vlan tag for FCoE Ethertype skbs
2013-06-26 08:48:53 -10:00
Linus Torvalds
78750f1908 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
Pull Ceph fix from Sage Weil:
 "This fixes another problem with using v2 images on 3.10 due to the
  order in which fields are read from the image header.

  Hopefully this is the last one"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  rbd: fetch object order before using it
2013-06-26 08:47:46 -10:00