1. 21 1月, 2015 5 次提交
    • M
      virtio/blk: verify device has config space · a4379fd8
      Michael S. Tsirkin 提交于
      Some devices might not implement config space access
      (e.g. remoteproc used not to - before 3.9).
      virtio/blk needs config space access so make it
      fail gracefully if not there.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      a4379fd8
    • M
      virtio/9p: verify device has config space · 7754f53e
      Michael S. Tsirkin 提交于
      Some devices might not implement config space access
      (e.g. remoteproc used not to - before 3.9).
      virtio/9p needs config space access so make it
      fail gracefully if not there.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      7754f53e
    • M
      virtio_pci: drop virtio_config dependency · 7f870c81
      Michael S. Tsirkin 提交于
      virtio_pci does not depend on virtio_config:
      let's not include it, users can pull it in as necessary.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      7f870c81
    • L
      Merge branch 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · b97f880c
      Linus Torvalds 提交于
      Pull libata fixes from Tejun Heo:
      
       - Bartlomiej will be co-maintaining PATA portion of libata.  git
         workflow will stay the same.
      
       - sata_sil24 wasn't happy with tag ordered submission.  An option to
         restore the old tag allocation behavior is implemented for sil24.
      
       - a very old race condition in PIO host state machine which can trigger
         BUG fixed.
      
       - other driver-specific changes
      
      * 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        libata: prevent HSM state change race between ISR and PIO
        libata: allow sata_sil24 to opt-out of tag ordered submission
        ata: pata_at91: depend on !ARCH_MULTIPLATFORM
        ahci: Remove Device ID for Intel Sunrise Point PCH
        ahci: Use dev_info() to inform about the lack of Device Sleep support
        libata: Whitelist SSDs that are known to properly return zeroes after TRIM
        sata_dwc_460ex: fix resource leak on error path
        ata: add MAINTAINERS entry for libata PATA drivers
        libata: clean up MAINTAINERS entries
        libata: export ata_get_cmd_descript()
        ahci_xgene: Fix the DMA state machine lockup for the ATA_CMD_PACKET PIO mode command.
        ahci_xgene: Fix the endianess issue in APM X-Gene SoC AHCI SATA controller driver.
      b97f880c
    • L
      Merge branch 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · d4b2d006
      Linus Torvalds 提交于
      Pull workqueue fix from Tejun Heo:
       "The xfs folks have been running into weird and very rare lockups for
        some time now.  I didn't think this could have been from workqueue
        side because no one else was reporting it.  This time, Eric had a
        kdump which we looked into and it turned out this actually was a
        workqueue bug and the bug has been there since the beginning of
        concurrency managed workqueue.
      
        A worker pool ensures forward progress of the workqueues associated
        with it by always having at least one worker reserved from executing
        work items.  When the pool is under contention, the idle one tries to
        create more workers for the pool and if that doesn't succeed quickly
        enough, it calls the rescuers to the pool.
      
        This logic had a subtle race condition in an early exit path.  When a
        worker invokes this manager function, the function may return %false
        indicating that the caller may proceed to executing work items either
        because another worker is already performing the role or conditions
        have changed and the pool is no longer under contention.
      
        The latter part depended on the assumption that whether more workers
        are necessary or not remains stable while the pool is locked; however,
        pool->nr_running (concurrency count) may change asynchronously and it
        getting bumped from zero asynchronously could send off the last idle
        worker to execute work items.
      
        The race window is fairly narrow, and, even when it gets triggered,
        the pool deadlocks iff if all work items get blocked on pending work
        items of the pool, which is highly unlikely but can be triggered by
        xfs.
      
        The patch removes the race window by removing the early exit path,
        which doesn't server any purpose anymore anyway"
      
      * 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: fix subtle pool management issue which can stall whole worker_pool
      d4b2d006
  2. 20 1月, 2015 15 次提交
    • L
      Merge tag 'pinctrl-v3.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 06efe0e5
      Linus Torvalds 提交于
      Pull pin control fixes from Linus Walleij:
       "Here is a (hopefully final) slew of pin control fixes for the v3.19
        series.  The deadlock fix is kind of serious and tagged for stable,
        the rest is business as usual.
      
         - Fix two deadlocks around the pin control mutexes, a long-standing
           issue that manifest itself in plug/unplug of pin controllers.
           (Tagged for stable.)
      
         - Handle an error path with zero functions in the Qualcomm pin
           controller.
      
         - Drop a bogus second GPIO chip added in the Lantiq driver.
      
         - Fix sudden IRQ loss on Rockchip pin controllers.
      
         - Register the GIT tree in MAINTAINERS"
      
      * tag 'pinctrl-v3.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: MAINTAINERS: add git tree reference
        pinctrl: qcom: Don't iterate past end of function array
        pinctrl: lantiq: remove bogus of_gpio_chip_add
        pinctrl: Fix two deadlocks
        pinctrl: rockchip: Avoid losing interrupts when supporting both edges
      06efe0e5
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · eef8f4c2
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Socket addresses returned in the error queue need to be fully
          initialized before being passed on to userspace, fix from Willem de
          Bruijn.
      
       2) Interrupt handling fixes to davinci_emac driver from Tony Lindgren.
      
       3) Fix races between receive packet steering and cpu hotplug, from Eric
          Dumazet.
      
       4) Allowing netlink sockets to subscribe to unknown multicast groups
          leads to crashes, don't allow it.  From Johannes Berg.
      
       5) One to many socket races in SCTP fixed by Daniel Borkmann.
      
       6) Put in a guard against the mis-use of ipv6 atomic fragments, from
          Hagen Paul Pfeifer.
      
       7) Fix promisc mode and ethtool crashes in sh_eth driver, from Ben
          Hutchings.
      
       8) NULL deref and double kfree fix in sxgbe driver from Girish K.S and
          Byungho An.
      
       9) cfg80211 deadlock fix from Arik Nemtsov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (36 commits)
        s2io: use snprintf() as a safety feature
        r8152: remove sram_read
        r8152: remove generic_ocp_read before writing
        bgmac: activate irqs only if there is nothing to poll
        bgmac: register napi before the device
        sh_eth: Fix ethtool operation crash when net device is down
        sh_eth: Fix promiscuous mode on chips without TSU
        ipv6: stop sending PTB packets for MTU < 1280
        net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
        genetlink: synchronize socket closing and family removal
        genetlink: disallow subscribing to unknown mcast groups
        genetlink: document parallel_ops
        net: rps: fix cpu unplug
        net: davinci_emac: Add support for emac on dm816x
        net: davinci_emac: Fix ioremap for devices with MDIO within the EMAC address space
        net: davinci_emac: Fix incomplete code for getting the phy from device tree
        net: davinci_emac: Free clock after checking the frequency
        net: davinci_emac: Fix runtime pm calls for davinci_emac
        net: davinci_emac: Fix hangs with interrupts
        ip: zero sockaddr returned on error queue
        ...
      eef8f4c2
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 22628890
      Linus Torvalds 提交于
      Pull crypto fix from Herbert Xu:
       "This fixes a regression that arose from the change to add a crypto
        prefix to module names which was done to prevent the loading of
        arbitrary modules through the Crypto API.
      
        In particular, a number of modules were missing the crypto prefix
        which meant that they could no longer be autoloaded"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: add missing crypto module aliases
      22628890
    • D
      s2io: use snprintf() as a safety feature · a8c1d28a
      Dan Carpenter 提交于
      "sp->desc[i]" has 25 characters.  "dev->name" has 15 characters.  If we
      used all 15 characters then the sprintf() would overflow.
      
      I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
      well, even though it can't overflow just to be consistent.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a8c1d28a
    • D
      Merge branch 'r8152' · ef5a1ba1
      David S. Miller 提交于
      Hayes Wang says:
      
      ====================
      r8152: couldn't read OCP_SRAM_DATA
      
      Read OCP_SRAM_DATA would read additional bytes and may let
      the hw abnormal.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ef5a1ba1
    • H
      r8152: remove sram_read · b4d99def
      hayeswang 提交于
      Read OCP register 0xa43a~0xa43b would clear some flags which the hw
      would use, and it may let the device lost. However, the unit of
      reading is 4 bytes. That is, it would read 0xa438~0xa43b when calling
      sram_read() to read OCP_SRAM_DATA.
      Signed-off-by: NHayes Wang <hayeswang@realtek.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b4d99def
    • H
      r8152: remove generic_ocp_read before writing · 8cb3db24
      hayeswang 提交于
      For ocp_write_word() and ocp_write_byte(), there is a generic_ocp_read()
      which is used to read the whole 4 byte data, keep the unchanged bytes,
      and modify the expected bytes. However, the "byen" could be used to
      determine which bytes of the 4 bytes to write, so the action could be
      removed.
      Signed-off-by: NHayes Wang <hayeswang@realtek.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8cb3db24
    • D
      Merge branch 'bgmac' · e60bf806
      David S. Miller 提交于
      Hauke Mehrtens says:
      
      ====================
      bgmac: some fixes to napi usage
      
      I compared the napi documentation with the bgmac driver and found some
      problems in that driver. These two patches should fix the problems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e60bf806
    • H
      bgmac: activate irqs only if there is nothing to poll · 43f159c6
      Hauke Mehrtens 提交于
      IRQs should only get activated when there is nothing to poll in the
      queue any more and to after every poll.
      Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      43f159c6
    • H
      bgmac: register napi before the device · 6216642f
      Hauke Mehrtens 提交于
      napi should get registered before the netdev and not after.
      Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6216642f
    • D
      Merge branch 'sh_eth' · 852c5d9c
      David S. Miller 提交于
      Ben Hutchings says:
      
      ====================
      sh_eth fixes
      
      I'm currently looking at Ethernet support on the R-Car H2 chip,
      reviewing and testing the sh_eth driver.  Here are fixes for two fairly
      obvious bugs in the driver; I will probably have some more later.
      
      These are not tested on any of the other supported chips.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      852c5d9c
    • B
      sh_eth: Fix ethtool operation crash when net device is down · 4f9dce23
      Ben Hutchings 提交于
      The driver connects and disconnects the PHY device whenever the
      net device is brought up and down.  The ethtool get_settings,
      set_settings and nway_reset operations will dereference a null
      or dangling pointer if called while it is down.
      
      I think it would be preferable to keep the PHY connected, but there
      may be good reasons not to.
      
      As an immediate fix for this bug:
      - Set the phydev pointer to NULL after disconnecting the PHY
      - Change those three operations to return -ENODEV while the PHY is
        not connected
      Signed-off-by: NBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4f9dce23
    • B
      sh_eth: Fix promiscuous mode on chips without TSU · b37feed7
      Ben Hutchings 提交于
      Currently net_device_ops::set_rx_mode is only implemented for
      chips with a TSU (multiple address table).  However we do need
      to turn the PRM (promiscuous) flag on and off for other chips.
      
      - Remove the unlikely() from the TSU functions that we may safely
        call for chips without a TSU
      - Make setting of the MCT flag conditional on the tsu capability flag
      - Rename sh_eth_set_multicast_list() to sh_eth_set_rx_mode() and plumb
        it into both net_device_ops structures
      - Remove the previously-unreachable branch in sh_eth_rx_mode() that
        would otherwise reset the flags to defaults for non-TSU chips
      Signed-off-by: NBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b37feed7
    • H
      ipv6: stop sending PTB packets for MTU < 1280 · 9d289715
      Hagen Paul Pfeifer 提交于
      Reduce the attack vector and stop generating IPv6 Fragment Header for
      paths with an MTU smaller than the minimum required IPv6 MTU
      size (1280 byte) - called atomic fragments.
      
      See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
      for more information and how this "feature" can be misused.
      
      [1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00Signed-off-by: NFernando Gont <fgont@si6networks.com>
      Signed-off-by: NHagen Paul Pfeifer <hagen@jauu.net>
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9d289715
    • D
      libata: prevent HSM state change race between ISR and PIO · ce751452
      David Jeffery 提交于
      It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to
      HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE
      and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
      
      This problem is hard to reproduce making this patch hard to verify, but this
      fix will prevent the race.
      
      I have not been able to reproduce the problem, but here is a crash dump from
      a 2.6.32 kernel.
      
      On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE:
      
      crash> struct ata_port.hsm_task_state ffff881c1121c000
        hsm_task_state = 0
      
      Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(),
      which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value.
      
      PID: 11053  TASK: ffff8816e846cae0  CPU: 0   COMMAND: "sshd"
       #0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b
       #1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92
       #2 [ffff88008ba03a90] oops_end at ffffffff8152b510
       #3 [ffff88008ba03ac0] die at ffffffff81010e0b
       #4 [ffff88008ba03af0] do_trap at ffffffff8152ad74
       #5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95
       #6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b
          [exception RIP: ata_sff_hsm_move+317]
          RIP: ffffffff813a77ad  RSP: ffff88008ba03ca0  RFLAGS: 00010097
          RAX: 0000000000000000  RBX: ffff881c1121dc60  RCX: 0000000000000000
          RDX: ffff881c1121dd10  RSI: ffff881c1121dc60  RDI: ffff881c1121c000
          RBP: ffff88008ba03d00   R8: 0000000000000000   R9: 000000000000002e
          R10: 000000000001003f  R11: 000000000000009b  R12: ffff881c1121c000
          R13: 0000000000000000  R14: 0000000000000050  R15: ffff881c1121dd78
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd
       #8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e
       #9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0
      --- <IRQ stack> ---
          [exception RIP: pipe_poll+48]
          RIP: ffffffff81192780  RSP: ffff880f26d459b8  RFLAGS: 00000246
          RAX: 0000000000000000  RBX: ffff880f26d459c8  RCX: 0000000000000000
          RDX: 0000000000000001  RSI: 0000000000000000  RDI: ffff881a0539fa80
          RBP: ffffffff8100bb8e   R8: ffff8803b23324a0   R9: 0000000000000000
          R10: ffff880f26d45dd0  R11: 0000000000000008  R12: ffffffff8109b646
          R13: ffff880f26d45948  R14: 0000000000000246  R15: 0000000000000246
          ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
          RIP: 00007f26017435c3  RSP: 00007fffe020c420  RFLAGS: 00000206
          RAX: 0000000000000017  RBX: ffffffff8100b072  RCX: 00007fffe020c45c
          RDX: 00007f2604a3f120  RSI: 00007f2604a3f140  RDI: 000000000000000d
          RBP: 0000000000000000   R8: 00007fffe020e570   R9: 0101010101010101
          R10: 0000000000000000  R11: 0000000000000246  R12: 00007fffe020e5f0
          R13: 00007fffe020e5f4  R14: 00007f26045f373c  R15: 00007fffe020e5e0
          ORIG_RAX: 0000000000000017  CS: 0033  SS: 002b
      
      Somewhere between the ata_sff_hsm_move() check and the ata_sff_host_intr() check, the value changed.
      On examining the other cpus to see what else was running, another cpu was running the error handler
      routines:
      
      PID: 326    TASK: ffff881c11014aa0  CPU: 1   COMMAND: "scsi_eh_1"
       #0 [ffff88008ba27e90] crash_nmi_callback at ffffffff8102fee6
       #1 [ffff88008ba27ea0] notifier_call_chain at ffffffff8152d515
       #2 [ffff88008ba27ee0] atomic_notifier_call_chain at ffffffff8152d57a
       #3 [ffff88008ba27ef0] notify_die at ffffffff810a154e
       #4 [ffff88008ba27f20] do_nmi at ffffffff8152b1db
       #5 [ffff88008ba27f50] nmi at ffffffff8152aaa0
          [exception RIP: _spin_lock_irqsave+47]
          RIP: ffffffff8152a1ff  RSP: ffff881c11a73aa0  RFLAGS: 00000006
          RAX: 0000000000000001  RBX: ffff881c1121deb8  RCX: 0000000000000000
          RDX: 0000000000000246  RSI: 0000000000000020  RDI: ffff881c122612d8
          RBP: ffff881c11a73aa0   R8: ffff881c17083800   R9: 0000000000000000
          R10: 0000000000000000  R11: 0000000000000000  R12: ffff881c1121c000
          R13: 000000000000001f  R14: ffff881c1121dd50  R15: ffff881c1121dc60
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
      --- <NMI exception stack> ---
       #6 [ffff881c11a73aa0] _spin_lock_irqsave at ffffffff8152a1ff
       #7 [ffff881c11a73aa8] ata_exec_internal_sg at ffffffff81396fb5
       #8 [ffff881c11a73b58] ata_exec_internal at ffffffff81397109
       #9 [ffff881c11a73bd8] atapi_eh_request_sense at ffffffff813a34eb
      
      Before it tried to acquire a spinlock, ata_exec_internal_sg() called ata_sff_flush_pio_task().
      This function will set ap->hsm_task_state to HSM_ST_IDLE, and has no locking around setting this
      value. ata_sff_flush_pio_task() can then race with the interrupt handler and potentially set
      HSM_ST_IDLE at a fatal moment, which will trigger a kernel BUG.
      
      v2: Fixup comment in ata_sff_flush_pio_task()
      
      tj: Further updated comment.  Use ap->lock instead of shost lock and
          use the [un]lock_irq variant instead of the irqsave/restore one.
      Signed-off-by: NDavid Milburn <dmilburn@redhat.com>
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Cc: stable@vger.kernel.org
      ce751452
  3. 19 1月, 2015 5 次提交
  4. 18 1月, 2015 10 次提交
    • L
      Linux 3.19-rc5 · ec6f34e5
      Linus Torvalds 提交于
      ec6f34e5
    • L
      Merge tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · d0ac5d8e
      Linus Torvalds 提交于
      Pull ARM SoC fixes from Olof Johansson:
       "We've been sitting on our fixes branch for a while, so this batch is
        unfortunately on the large side.
      
        A lot of these are tweaks and fixes to device trees, fixing various
        bugs around clocks, reg ranges, etc.  There's also a few defconfig
        updates (which are on the late side, no more of those).
      
        All in all the diffstat is bigger than ideal at this time, but nothing
        in here seems particularly risky"
      
      * tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (31 commits)
        reset: sunxi: fix spinlock initialization
        ARM: dts: disable CCI on exynos5420 based arndale-octa
        drivers: bus: check cci device tree node status
        ARM: rockchip: disable jtag/sdmmc autoswitching on rk3288
        ARM: nomadik: fix up leftover device tree pins
        ARM: at91: board-dt-sama5: add phy_fixup to override NAND_Tree
        ARM: at91/dt: sam9263: Add missing clocks to lcdc node
        ARM: at91: sama5d3: dt: correct the sound route
        ARM: at91/dt: sama5d4: fix the timer reg length
        ARM: exynos_defconfig: Enable LM90 driver
        ARM: exynos_defconfig: Enable options for display panel support
        arm: dts: Use pmu_system_controller phandle for dp phy
        ARM: shmobile: sh73a0 legacy: Set .control_parent for all irqpin instances
        ARM: dts: berlin: correct BG2Q's SM GPIO location.
        ARM: dts: berlin: add broken-cd and set bus width for eMMC in Marvell DMP DT
        ARM: dts: berlin: fix io clk and add missing core clk for BG2Q sdhci2 host
        ARM: dts: Revert disabling of smc91x for n900
        ARM: dts: imx51-babbage: Fix ULPI PHY reset modelling
        ARM: dts: dra7-evm: fix qspi device tree partition size
        ARM: omap2plus_defconfig: use CONFIG_CPUFREQ_DT
        ...
      d0ac5d8e
    • D
      net: sctp: fix race for one-to-many sockets in sendmsg's auto associate · 2061dcd6
      Daniel Borkmann 提交于
      I.e. one-to-many sockets in SCTP are not required to explicitly
      call into connect(2) or sctp_connectx(2) prior to data exchange.
      Instead, they can directly invoke sendmsg(2) and the SCTP stack
      will automatically trigger connection establishment through 4WHS
      via sctp_primitive_ASSOCIATE(). However, this in its current
      implementation is racy: INIT is being sent out immediately (as
      it cannot be bundled anyway) and the rest of the DATA chunks are
      queued up for later xmit when connection is established, meaning
      sendmsg(2) will return successfully. This behaviour can result
      in an undesired side-effect that the kernel made the application
      think the data has already been transmitted, although none of it
      has actually left the machine, worst case even after close(2)'ing
      the socket.
      
      Instead, when the association from client side has been shut down
      e.g. first gracefully through SCTP_EOF and then close(2), the
      client could afterwards still receive the server's INIT_ACK due
      to a connection with higher latency. This INIT_ACK is then considered
      out of the blue and hence responded with ABORT as there was no
      alive assoc found anymore. This can be easily reproduced f.e.
      with sctp_test application from lksctp. One way to fix this race
      is to wait for the handshake to actually complete.
      
      The fix defers waiting after sctp_primitive_ASSOCIATE() and
      sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
      from sctp_sendmsg() have already been placed into the output
      queue through the side-effect interpreter, and therefore can then
      be bundeled together with COOKIE_ECHO control chunks.
      
      strace from example application (shortened):
      
      socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
                 msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
      close(3) = 0
      
      tcpdump before patch (fooling the application):
      
      22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
      22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
      22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
      
      tcpdump after patch:
      
      14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
      14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
      14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
      14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
      14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
      14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
      14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
      14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
      14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
      14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
      14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
      
      Looks like this bug is from the pre-git history museum. ;)
      
      Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
      Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
      Acked-by: NVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2061dcd6
    • L
      Merge tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mike.turquette/linux · 12ba8571
      Linus Torvalds 提交于
      Pull clock driver fixes from Mike Turquette:
       "Small number of fixes for clock drivers and a single null pointer
        dereference fix in the framework core code.
      
        The driver fixes vary from fixing section mismatch warnings to
        preventing machines from hanging (and preventing developers from
        crying)"
      
      * tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mike.turquette/linux:
        clk: fix possible null pointer dereference
        Revert "clk: ppc-corenet: Fix Section mismatch warning"
        clk: rockchip: fix deadlock possibility in cpuclk
        clk: berlin: bg2q: remove non-exist "smemc" gate clock
        clk: at91: keep slow clk enabled to prevent system hang
        clk: rockchip: fix rk3288 cpuclk core dividers
        clk: rockchip: fix rk3066 pll lock bit location
        clk: rockchip: Fix clock gate for rk3188 hclk_emem_peri
        clk: rockchip: add CLK_IGNORE_UNUSED flag to fix rk3066/rk3188 USB Host
      12ba8571
    • L
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 901b2082
      Linus Torvalds 提交于
      Pull SCSI fixes from James Bottomley:
       "This is one fix for a Multiqueue sleeping in invalid context problem
        and a MAINTAINER file update for Qlogic"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ->queue_rq can't sleep
        MAINTAINERS: Update maintainer list for qla4xxx
      901b2082
    • S
      clk: fix possible null pointer dereference · c7662fc5
      Stanimir Varbanov 提交于
      The commit 646cafc6 (clk: Change clk_ops->determine_rate to
      return a clk_hw as the best parent) opens a possibility for
      null pointer dereference, fix this.
      Signed-off-by: NStanimir Varbanov <svarbanov@mm-sol.com>
      Reviewed-by: NStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: NMichael Turquette <mturquette@linaro.org>
      c7662fc5
    • K
      Revert "clk: ppc-corenet: Fix Section mismatch warning" · 176a107b
      Kevin Hao 提交于
      This reverts commit da788acb.
      
      That commit tried to fix the section mismatch warning by moving the
      ppc_corenet_clk_driver struct to init section. This is definitely wrong
      because the kernel would free the memories occupied by this struct
      after boot while this driver is still registered in the driver core.
      The kernel would panic when accessing this driver struct.
      
      Cc: stable@vger.kernel.org # 3.17
      Signed-off-by: NKevin Hao <haokexin@gmail.com>
      Acked-by: NScott Wood <scottwood@freescale.com>
      Signed-off-by: NMichael Turquette <mturquette@linaro.org>
      176a107b
    • H
      clk: rockchip: fix deadlock possibility in cpuclk · a5e1baf7
      Heiko Stübner 提交于
      Lockdep reported a possible deadlock between the cpuclk lock and for example
      the i2c driver.
      
             CPU0                    CPU1
             ----                    ----
        lock(clk_lock);
                                     local_irq_disable();
                                     lock(&(&i2c->lock)->rlock);
                                     lock(clk_lock);
        <Interrupt>
          lock(&(&i2c->lock)->rlock);
      
       *** DEADLOCK ***
      
      The generic clock-types of the core ccf already use spin_lock_irqsave when
      touching clock registers, so do the same for the cpuclk.
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Reviewed-by: NDoug Anderson <dianders@chromium.org>
      Signed-off-by: NMichael Turquette <mturquette@linaro.org>
      [mturquette@linaro.org: removed initialization of "flags"]
      a5e1baf7
    • L
      Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma · 298e3204
      Linus Torvalds 提交于
      Pull dmaengine fixes from Vinod Koul:
       "Two patches, the first by Andy to fix dw dmac runtime pm and second
        one by me to fix the dmaengine headers in MAINTAINERS"
      
      * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: dw: balance PM runtime calls
        MAINTAINERS: dmaengine: fix the header file for dmaengine
      298e3204
    • L
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 59b2858f
      Linus Torvalds 提交于
      Pull perf fixes from Ingo Molnar:
       "Mostly tooling fixes, but also two PMU driver fixes"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf tools powerpc: Use dwfl_report_elf() instead of offline.
        perf tools: Fix segfault for symbol annotation on TUI
        perf test: Fix dwarf unwind using libunwind.
        perf tools: Avoid build splat for syscall numbers with uclibc
        perf tools: Elide strlcpy warning with uclibc
        perf tools: Fix statfs.f_type data type mismatch build error with uclibc
        tools: Remove bitops/hweight usage of bits in tools/perf
        perf machine: Fix __machine__findnew_thread() error path
        perf tools: Fix building error in x86_64 when dwarf unwind is on
        perf probe: Propagate error code when write(2) failed
        perf/x86/intel: Fix bug for "cycles:p" and "cycles:pp" on SLM
        perf/rapl: Fix sysfs_show() initialization for RAPL PMU
      59b2858f
  5. 17 1月, 2015 5 次提交