1. 28 9月, 2013 3 次提交
    • D
      NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() · f1fe29b4
      David Howells 提交于
      Use i_writecount to control whether to get an fscache cookie in nfs_open() as
      NFS does not do write caching yet.  I *think* this is the cause of a problem
      encountered by Mark Moseley whereby __fscache_uncache_page() gets a NULL
      pointer dereference because cookie->def is NULL:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
      IP: [<ffffffff812a1903>] __fscache_uncache_page+0x23/0x160
      PGD 0
      Thread overran stack, or stack corrupted
      Oops: 0000 [#1] SMP
      Modules linked in: ...
      CPU: 7 PID: 18993 Comm: php Not tainted 3.11.1 #1
      Hardware name: Dell Inc. PowerEdge R420/072XWF, BIOS 1.3.5 08/21/2012
      task: ffff8804203460c0 ti: ffff880420346640
      RIP: 0010:[<ffffffff812a1903>] __fscache_uncache_page+0x23/0x160
      RSP: 0018:ffff8801053af878 EFLAGS: 00210286
      RAX: 0000000000000000 RBX: ffff8800be2f8780 RCX: ffff88022ffae5e8
      RDX: 0000000000004c66 RSI: ffffea00055ff440 RDI: ffff8800be2f8780
      RBP: ffff8801053af898 R08: 0000000000000001 R09: 0000000000000003
      R10: 0000000000000000 R11: 0000000000000000 R12: ffffea00055ff440
      R13: 0000000000001000 R14: ffff8800c50be538 R15: 0000000000000000
      FS: 0000000000000000(0000) GS:ffff88042fc60000(0063) knlGS:00000000e439c700
      CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 0000000000000010 CR3: 0000000001d8f000 CR4: 00000000000607f0
      Stack:
      ...
      Call Trace:
      [<ffffffff81365a72>] __nfs_fscache_invalidate_page+0x42/0x70
      [<ffffffff813553d5>] nfs_invalidate_page+0x75/0x90
      [<ffffffff811b8f5e>] truncate_inode_page+0x8e/0x90
      [<ffffffff811b90ad>] truncate_inode_pages_range.part.12+0x14d/0x620
      [<ffffffff81d6387d>] ? __mutex_lock_slowpath+0x1fd/0x2e0
      [<ffffffff811b95d3>] truncate_inode_pages_range+0x53/0x70
      [<ffffffff811b969d>] truncate_inode_pages+0x2d/0x40
      [<ffffffff811b96ff>] truncate_pagecache+0x4f/0x70
      [<ffffffff81356840>] nfs_setattr_update_inode+0xa0/0x120
      [<ffffffff81368de4>] nfs3_proc_setattr+0xc4/0xe0
      [<ffffffff81357f78>] nfs_setattr+0xc8/0x150
      [<ffffffff8122d95b>] notify_change+0x1cb/0x390
      [<ffffffff8120a55b>] do_truncate+0x7b/0xc0
      [<ffffffff8121f96c>] do_last+0xa4c/0xfd0
      [<ffffffff8121ffbc>] path_openat+0xcc/0x670
      [<ffffffff81220a0e>] do_filp_open+0x4e/0xb0
      [<ffffffff8120ba1f>] do_sys_open+0x13f/0x2b0
      [<ffffffff8126aaf6>] compat_SyS_open+0x36/0x50
      [<ffffffff81d7204c>] sysenter_dispatch+0x7/0x24
      
      The code at the instruction pointer was disassembled:
      
      > (gdb) disas __fscache_uncache_page
      > Dump of assembler code for function __fscache_uncache_page:
      > ...
      > 0xffffffff812a18ff <+31>: mov 0x48(%rbx),%rax
      > 0xffffffff812a1903 <+35>: cmpb $0x0,0x10(%rax)
      > 0xffffffff812a1907 <+39>: je 0xffffffff812a19cd <__fscache_uncache_page+237>
      
      These instructions make up:
      
      	ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
      
      That cmpb is the faulting instruction (%rax is 0).  So cookie->def is NULL -
      which presumably means that the cookie has already been at least partway
      through __fscache_relinquish_cookie().
      
      What I think may be happening is something like a three-way race on the same
      file:
      
      	PROCESS 1	PROCESS 2	PROCESS 3
      	===============	===============	===============
      	open(O_TRUNC|O_WRONLY)
      			open(O_RDONLY)
      					open(O_WRONLY)
      	-->nfs_open()
      	-->nfs_fscache_set_inode_cookie()
      	nfs_fscache_inode_lock()
      	nfs_fscache_disable_inode_cookie()
      	__fscache_relinquish_cookie()
      	nfs_inode->fscache = NULL
      	<--nfs_fscache_set_inode_cookie()
      
      			-->nfs_open()
      			-->nfs_fscache_set_inode_cookie()
      			nfs_fscache_inode_lock()
      			nfs_fscache_enable_inode_cookie()
      			__fscache_acquire_cookie()
      			nfs_inode->fscache = cookie
      			<--nfs_fscache_set_inode_cookie()
      	<--nfs_open()
      	-->nfs_setattr()
      	...
      	...
      	-->nfs_invalidate_page()
      	-->__nfs_fscache_invalidate_page()
      	cookie = nfsi->fscache
      					-->nfs_open()
      					-->nfs_fscache_set_inode_cookie()
      					nfs_fscache_inode_lock()
      					nfs_fscache_disable_inode_cookie()
      					-->__fscache_relinquish_cookie()
      	-->__fscache_uncache_page(cookie)
      	<crash>
      					<--__fscache_relinquish_cookie()
      					nfs_inode->fscache = NULL
      					<--nfs_fscache_set_inode_cookie()
      
      What is needed is something to prevent process #2 from reacquiring the cookie
      - and I think checking i_writecount should do the trick.
      
      It's also possible to have a two-way race on this if the file is opened
      O_TRUNC|O_RDONLY instead.
      Reported-by: NMark Moseley <moseleymark@gmail.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      f1fe29b4
    • D
      FS-Cache: Provide the ability to enable/disable cookies · 94d30ae9
      David Howells 提交于
      Provide the ability to enable and disable fscache cookies.  A disabled cookie
      will reject or ignore further requests to:
      
      	Acquire a child cookie
      	Invalidate and update backing objects
      	Check the consistency of a backing object
      	Allocate storage for backing page
      	Read backing pages
      	Write to backing pages
      
      but still allows:
      
      	Checks/waits on the completion of already in-progress objects
      	Uncaching of pages
      	Relinquishment of cookies
      
      Two new operations are provided:
      
       (1) Disable a cookie:
      
      	void fscache_disable_cookie(struct fscache_cookie *cookie,
      				    bool invalidate);
      
           If the cookie is not already disabled, this locks the cookie against other
           dis/enablement ops, marks the cookie as being disabled, discards or
           invalidates any backing objects and waits for cessation of activity on any
           associated object.
      
           This is a wrapper around a chunk split out of fscache_relinquish_cookie(),
           but it reinitialises the cookie such that it can be reenabled.
      
           All possible failures are handled internally.  The caller should consider
           calling fscache_uncache_all_inode_pages() afterwards to make sure all page
           markings are cleared up.
      
       (2) Enable a cookie:
      
      	void fscache_enable_cookie(struct fscache_cookie *cookie,
      				   bool (*can_enable)(void *data),
      				   void *data)
      
           If the cookie is not already enabled, this locks the cookie against other
           dis/enablement ops, invokes can_enable() and, if the cookie is not an
           index cookie, will begin the procedure of acquiring backing objects.
      
           The optional can_enable() function is passed the data argument and returns
           a ruling as to whether or not enablement should actually be permitted to
           begin.
      
           All possible failures are handled internally.  The cookie will only be
           marked as enabled if provisional backing objects are allocated.
      
      A later patch will introduce these to NFS.  Cookie enablement during nfs_open()
      is then contingent on i_writecount <= 0.  can_enable() checks for a race
      between open(O_RDONLY) and open(O_WRONLY/O_RDWR).  This simplifies NFS's cookie
      handling and allows us to get rid of open(O_RDONLY) accidentally introducing
      caching to an inode that's open for writing already.
      
      One operation has its API modified:
      
       (3) Acquire a cookie.
      
      	struct fscache_cookie *fscache_acquire_cookie(
      		struct fscache_cookie *parent,
      		const struct fscache_cookie_def *def,
      		void *netfs_data,
      		bool enable);
      
           This now has an additional argument that indicates whether the requested
           cookie should be enabled by default.  It doesn't need the can_enable()
           function because the caller must prevent multiple calls for the same netfs
           object and it doesn't need to take the enablement lock because no one else
           can get at the cookie before this returns.
      
      Signed-off-by: David Howells <dhowells@redhat.com
      94d30ae9
    • D
      FS-Cache: Add use/unuse/wake cookie wrappers · 8fb883f3
      David Howells 提交于
      Add wrapper functions for dealing with cookie->n_active:
      
       (*) __fscache_use_cookie() to increment it.
      
       (*) __fscache_unuse_cookie() to decrement and test against zero.
      
       (*) __fscache_wake_unused_cookie() to wake up anyone waiting for it to reach
           zero.
      
      The second and third are split so that the third can be done after cookie->lock
      has been released in case the waiter wakes up whilst we're still holding it and
      tries to get it.
      
      We will need to wake-on-zero once the cookie disablement patch is applied
      because it will then be possible to see n_active become zero without the cookie
      being relinquished.
      
      Also move the cookie usement out of fscache_attr_changed_op() and into
      fscache_attr_changed() and the operation struct so that cookie disablement
      will be able to track it.
      
      Whilst we're at it, only increment n_active if we're about to do
      fscache_submit_op() so that we don't have to deal with undoing it if anything
      earlier fails.  Possibly this should be moved into fscache_submit_op() which
      could look at FSCACHE_OP_UNUSE_COOKIE.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      8fb883f3
  2. 21 9月, 2013 5 次提交
    • L
      Merge tag 'pm+acpi-3.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 2457aaf7
      Linus Torvalds 提交于
      Pull ACPI and power management fixes from Rafael Wysocki:
      
       1) Four fixes for cpufreq regressions introduced by the changes that
          removed Device Tree parsing for CPU device nodes from cpufreq
          drivers from Sudeep KarkadaNagesha.
      
       2) Two fixes for recent cpufreq regressions introduced by changes
          related to the preservation of sysfs attributes over system
          suspend/resume cycles from Viresh Kumar.
      
       3) Fix for ACPI-based wakeup signaling in the PCI subsystem that
          fails to stop PME polling for devices put into the D3cold power
          state from Rafael J Wysocki.
      
       4) Fix for bad interactions between cpufreq and udev on systems
          supporting intel_pstate where acpi-cpufreq is available as well
          from Yinghai Lu.
      
      * tag 'pm+acpi-3.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: return EEXIST instead of EBUSY for second registering
        PCI / ACPI / PM: Clear pme_poll for devices in D3cold on wakeup
        ARM: shmobile: change dev_id to cpu0 while registering cpu clock
        ARM: i.MX: change dev_id to cpu0 while registering cpu clock
        cpufreq: imx6q-cpufreq: assign cpu_dev correctly to cpu0 device
        cpufreq: cpufreq-cpu0: assign cpu_dev correctly to cpu0 device
        cpufreq: unlock correct rwsem while updating policy->cpu
        cpufreq: Clear policy->cpus bits in __cpufreq_remove_dev_finish()
      2457aaf7
    • L
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · d45004f9
      Linus Torvalds 提交于
      Pull vhost updates from Michael Tsirkin:
       "vhost: minor changes on top of 3.12-rc1
      
        This fixes module loading for vhost-scsi, and tweaks locking in vhost
        core a bit.  Both of these are not exactly release blockers but it's
        early in the cycle so I think it's a good idea to apply them now"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vhost-scsi: whitespace tweak
        vhost/scsi: use vmalloc for order-10 allocation
        vhost: wake up worker outside spin_lock
      d45004f9
    • D
      CacheFiles: Don't try to dump the index key if the cookie has been cleared · 509bf24d
      David Howells 提交于
      Don't try to dump the index key that distinguishes an object if netfs
      data in the cookie the object refers to has been cleared (ie.  the
      cookie has passed most of the way through
      __fscache_relinquish_cookie()).
      
      Since the netfs holds the index key, we can't get at it once the ->def
      and ->netfs_data pointers have been cleared - and a NULL pointer
      exception will ensue, usually just after a:
      
      	CacheFiles: Error: Unexpected object collision
      
      error is reported.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      509bf24d
    • J
      CacheFiles: Fix memory leak in cachefiles_check_auxdata error paths · 607566ae
      Josh Boyer 提交于
      In cachefiles_check_auxdata(), we allocate auxbuf but fail to free it if
      we determine there's an error or that the data is stale.
      
      Further, assigning the output of vfs_getxattr() to auxbuf->len gives
      problems with checking for errors as auxbuf->len is a u16.  We don't
      actually need to set auxbuf->len, so keep the length in a variable for
      now.  We shouldn't need to check the upper limit of the buffer as an
      overflow there should be indicated by -ERANGE.
      
      While we're at it, fscache_check_aux() returns an enum value, not an
      int, so assign it to an appropriately typed variable rather than to ret.
      Signed-off-by: NJosh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      cc: Hongyi Jia <jiayisuse@gmail.com>
      cc: Milosz Tanski <milosz@adfin.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      607566ae
    • W
      lockref: use cmpxchg64 explicitly for lockless updates · 8f4c3446
      Will Deacon 提交于
      The cmpxchg() function tends not to support 64-bit arguments on 32-bit
      architectures.  This could be either due to use of unsigned long
      arguments (like on ARM) or lack of instruction support (cmpxchgq on
      x86).  However, these architectures may implement a specific cmpxchg64()
      function to provide 64-bit cmpxchg support instead.
      
      Since the lockref code requires a 64-bit cmpxchg and relies on the
      architecture selecting ARCH_USE_CMPXCHG_LOCKREF, move to using cmpxchg64
      instead of cmpxchg and allow 32-bit architectures to make use of the
      lockless lockref implementation.
      
      Cc: Waiman Long <Waiman.Long@hp.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8f4c3446
  3. 20 9月, 2013 19 次提交
    • R
      Merge branch 'pm-cpufreq' · d831a005
      Rafael J. Wysocki 提交于
      * pm-cpufreq:
        cpufreq: return EEXIST instead of EBUSY for second registering
        ARM: shmobile: change dev_id to cpu0 while registering cpu clock
        ARM: i.MX: change dev_id to cpu0 while registering cpu clock
        cpufreq: imx6q-cpufreq: assign cpu_dev correctly to cpu0 device
        cpufreq: cpufreq-cpu0: assign cpu_dev correctly to cpu0 device
        cpufreq: unlock correct rwsem while updating policy->cpu
        cpufreq: Clear policy->cpus bits in __cpufreq_remove_dev_finish()
      d831a005
    • R
      Merge branch 'acpi-pci' · 09359c83
      Rafael J. Wysocki 提交于
      * acpi-pci:
        PCI / ACPI / PM: Clear pme_poll for devices in D3cold on wakeup
      09359c83
    • L
      Merge tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64 · dcb30e65
      Linus Torvalds 提交于
      Pull ARM64 fixes from Catalin Marinas:
       - Compat register fault reporting fix
       - Documentation clarification on tagged pointers
       - hwcap widened to 64-bit (user space already reading it as 64-bit)
      
      * tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
        arm64: Widen hwcap to be 64 bit
        arm64: Correctly report LR and SP for compat tasks
        arm64: documentation: tighten up tagged pointer documentation
        arm64: Make do_bad_area() function static
      dcb30e65
    • S
      arm64: Widen hwcap to be 64 bit · 25804e6a
      Steve Capper 提交于
      Under arm64 elf_hwcap is a 32 bit quantity, but it is stored in
      a 64 bit auxiliary ELF field and glibc reads hwcap as 64 bit.
      
      This patch widens elf_hwcap to be 64 bit.
      Signed-off-by: NSteve Capper <steve.capper@arm.com>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      25804e6a
    • C
      arm64: Correctly report LR and SP for compat tasks · 6ca68e80
      Catalin Marinas 提交于
      When a task crashes and we print debugging information, ensure that
      compat tasks show the actual AArch32 LR and SP registers rather than the
      AArch64 ones.
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      6ca68e80
    • W
      arm64: documentation: tighten up tagged pointer documentation · 374ed9d1
      Will Deacon 提交于
      Commit d50240a5 ("arm64: mm: permit use of tagged pointers at EL0")
      added support for tagged pointers in userspace, but the corresponding
      update to Documentation/ contained some imprecise statements.
      
      This patch fixes up some minor ambiguities in the text, hopefully making
      it more clear about exactly what the kernel expects from user virtual
      addresses.
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      374ed9d1
    • C
      arm64: Make do_bad_area() function static · 59f67e16
      Catalin Marinas 提交于
      This function is only called from arch/arm64/mm/fault.c.
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      59f67e16
    • L
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 7b9e3a6a
      Linus Torvalds 提交于
      Pull ARM SoC fixes from Olof Johansson:
       "A set of fixes for ARM platforms for 3.12.  Among them:
      
         - A fix for build breakage in the MTD subsystem for some PXA devices.
           David Woodhouse has this patch in his for-next branch but has not
           been responding to our requests to send it up so here it is.  I
           should have amended the commit message to describe the build
           failure for CONFIG_OF=n setups, but forgot and now it's down in the
           stack of commits.
      
         - Added device-tree for the BeagleBone Black.  Turns out people have
           been using the older "regualar" bone DT for the newer boards, and
           there's risk of damaging hardware that way.
      
         - Misc DT and regular fixes for OMAP.
      
         - Fix to make the ST-Ericsson "snowball" boards boot with
           multi_v7_defconfig, and enable one of the ST-E reference boards on
           the same config.
      
         - Kconfig cleanup for u300 to hide submenus when the platform isn't
           enabled.
      
         - Enable ARM_ATAG_DTB_COMPAT to let firmware override command line
           when booting with an appended devicetree on non-DT-enabled firmware
           (needed to boot snowball)"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (26 commits)
        ARM: multi_v7: add HREFv60 to multi_v7 defconfig
        ARM: OMAP2+: mux: fix trivial typo in name
        ARM: OMAP4 SMP: Corrected a typo fucntions to functions
        ARM: OMAP4: cpuidle: fix: call cpu_cluster_pm_exit conditionally
        mailbox: remove unnecessary platform_set_drvdata()
        ARM: mach-omap2: gpmc: Fix warning when CONFIG_ARM_LPAE=y
        ARM: OMAP: fix return value check in omap_device_build_from_dt()
        ARM: OMAP4: Fix clock_get error for GPMC during boot
        ARM: sa1100: collie.c: fall back to jedec_probe flash detection
        ARM: u300: hide submenus
        ARM: dts: igep00x0: Add pinmux configuration for MCBSP2
        ARM: dts: Fix muxing and regulator for wl12xx on the SDIO bus for blaze
        ARM: dts: Fix muxing and regulator for wl12xx on the SDIO bus for pandaboard
        mtd: nand: pxa3xx: Remove unneeded ifdef CONFIG_OF
        ARM: multi_v7_defconfig: enable ARM_ATAG_DTB_COMPAT
        ARM: ux500: disable outer cache debug
        ARM: dts: OMAP5: fix ocp2scp DTS data
        ARM: dts: OMAP5: fix reg property size
        ARM: dts: am335x-bone*: add DT for BeagleBone Black
        ARM: dts: omap3-beagle-xm: fix string error in compatible property
        ...
      7b9e3a6a
    • Y
      cpufreq: return EEXIST instead of EBUSY for second registering · 4dea5806
      Yinghai Lu 提交于
      On systems that support intel_pstate, acpi_cpufreq fails to load, and
      udev keeps trying until trace gets filled up and kernel crashes.
      
      The root cause is driver return ret from cpufreq_register_driver(),
      because when some other driver takes over before, it will return
      EBUSY and then udev will keep trying ...
      
      cpufreq_register_driver() should return EEXIST instead so that the
      system can boot without appending intel_pstate=disable and still use
      intel_pstate.
      Signed-off-by: NYinghai Lu <yinghai@kernel.org>
      Acked-by: NViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      4dea5806
    • R
      PCI / ACPI / PM: Clear pme_poll for devices in D3cold on wakeup · 83414515
      Rafael J. Wysocki 提交于
      Commit 448bd857 (PCI/PM: add PCIe runtime D3cold support) added a
      piece of code to pci_acpi_wake_dev() causing that function to behave
      in a special way for devices in D3cold (so that their configuration
      registers are not accessed before those devices are resumed).
      However, it didn't take the clearing of the pme_poll flag into
      account.  That has to be done for all devices, even if they are in
      D3cold, or pci_pme_list_scan() will not know that wakeup has been
      signaled for the device and will poll its PME Status bit
      unnecessarily.
      
      Fix the problem by moving the clearing of the pme_poll flag in
      pci_acpi_wake_dev() before the code introduced by commit 448bd857.
      Reported-and-tested-by: NDavid E. Box <david.e.box@intel.com>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: NBjorn Helgaas <bhelgaas@google.com>
      Cc: 3.6+ <stable@vger.kernel.org> # 3.6+
      83414515
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b75ff5e8
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) If the local_df boolean is set on an SKB we have to allocate a
          unique ID even if IP_DF is set in the ipv4 headers, from Ansis
          Atteka.
      
       2) Some fixups for the new chipset support that went into the sfc
          driver, from Ben Hutchings.
      
       3) Because SCTP bypasses a good chunk of, and actually duplicates, the
          logic of the ipv6 output path, some IPSEC things don't get done
          properly.  Integrate SCTP better into the ipv6 output path so that
          these problems are fixed and such issues don't get missed in the
          future either.  From Daniel Borkmann.
      
       4) Fix skge regressions added by the DMA mapping error return checking
          added in v3.10, from Mikulas Patocka.
      
       5) Kill some more IRQF_DISABLED references, from Michael Opdenacker.
      
       6) Fix races and deadlocks in the bridging code, from Hong Zhiguo.
      
       7) Fix error handling in tun_set_iff(), in particular don't leak
          resources.  From Jason Wang.
      
       8) Prevent format-string injection into xen-netback driver, from Kees
          Cook.
      
       9) Fix regression added to netpoll ARP packet handling, in particular
          check for the right ETH_P_ARP protocol code.  From Sonic Zhang.
      
      10) Try to deal with AMD IOMMU errors when using r8169 chips, from
          Francois Romieu.
      
      11) Cure freezes due to recent changes in the rt2x00 wireless driver,
          from Stanislaw Gruszka.
      
      12) Don't do SPI transfers (which can sleep) in interrupt context in
          cw1200 driver, from Solomon Peachy.
      
      13) Fix LEDs handling bug in 5720 tg3 chips already handled for 5719.
          From Nithin Sujir.
      
      14) Make xen_netbk_count_skb_slots() count the actual number of slots
          that will be used, taking into consideration packing and other
          issues that the transmit path will run into.  From David Vrabel.
      
      15) Use the correct maximum age when calculating the bridge
          message_age_timer, from Chris Healy.
      
      16) Get rid of memory leaks in mcs7780 IRDA driver, from Alexey
          Khoroshilov.
      
      17) Netfilter conntrack extensions were converted to RCU but are not
          always freed properly using kfree_rcu().  Fix from Michal Kubecek.
      
      18) VF reset recovery not being done correctly in qlcnic driver, from
          Manish Chopra.
      
      19) Fix inverted test in ATM nicstar driver, from Andy Shevchenko.
      
      20) Missing workqueue destroy in cxgb4 error handling, from Wei Yang.
      
      21) Internal switch not initialized properly in bgmac driver, from Rafał
          Miłecki.
      
      22) Netlink messages report wrong local and remote addresses in IPv6
          tunneling, from Ding Zhi.
      
      23) ICMP redirects should not generate socket errors in DCCP and SCTP.
          We're still working out how this should be handled for RAW and UDP
          sockets.  From Daniel Borkmann and Duan Jiong.
      
      24) We've had several bugs wherein the network namespace's loopback
          device gets accessed after it is free'd, NULL it out so that we can
          catch these problems more readily.  From Eric W Biederman.
      
      25) Fix regression in TCP RTO calculations, from Neal Cardwell.
      
      26) Fix too early free of xen-netback network device when VIFs still
          exist.  From Paul Durrant.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        netconsole: fix a deadlock with rtnl and netconsole's mutex
        netpoll: fix NULL pointer dereference in netpoll_cleanup
        skge: fix broken driver
        ip: generate unique IP identificator if local fragmentation is allowed
        ip: use ip_hdr() in __ip_make_skb() to retrieve IP header
        xen-netback: Don't destroy the netdev until the vif is shut down
        net:dccp: do not report ICMP redirects to user space
        cnic: Fix crash in cnic_bnx2x_service_kcq()
        bnx2x, cnic, bnx2i, bnx2fc: Fix bnx2i and bnx2fc regressions.
        vxlan: Avoid creating fdb entry with NULL destination
        tcp: fix RTO calculated from cached RTT
        drivers: net: phy: cicada.c: clears warning Use #include <linux/io.h> instead of <asm/io.h>
        net loopback: Set loopback_dev to NULL when freed
        batman-adv: set the TAG flag for the vid passed to BLA
        netfilter: nfnetlink_queue: use network skb for sequence adjustment
        net: sctp: rfc4443: do not report ICMP redirects to user space
        net: usb: cdc_ether: use usb.h macros whenever possible
        net: usb: cdc_ether: fix checkpatch errors and warnings
        net: usb: cdc_ether: Use wwan interface for Telit modules
        ip6_tunnels: raddr and laddr are inverted in nl msg
        ...
      b75ff5e8
    • N
      netconsole: fix a deadlock with rtnl and netconsole's mutex · c71380ff
      Nikolay Aleksandrov 提交于
      This bug was introduced by commit
      7a163bfb ("netconsole: avoid a crash with
      multiple sysfs writers"). In store_enabled() we have the following
      sequence: acquire nt->mutex then rtnl, but in the netconsole netdev
      notifier we have rtnl then nt->mutex effectively leading to a deadlock.
      The NULL pointer dereference that the above commit tries to fix is
      actually due to another bug in netpoll_cleanup(). This is fixed by dropping
      the mutex from the netdev notifier as it's already protected by rtnl.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c71380ff
    • N
      netpoll: fix NULL pointer dereference in netpoll_cleanup · d0fe8c88
      Nikolay Aleksandrov 提交于
      I've been hitting a NULL ptr deref while using netconsole because the
      np->dev check and the pointer manipulation in netpoll_cleanup are done
      without rtnl and the following sequence happens when having a netconsole
      over a vlan and we remove the vlan while disabling the netconsole:
      	CPU 1					CPU2
      					removes vlan and calls the notifier
      enters store_enabled(), calls
      netdev_cleanup which checks np->dev
      and then waits for rtnl
      					executes the netconsole netdev
      					release notifier making np->dev
      					== NULL and releases rtnl
      continues to dereference a member of
      np->dev which at this point is == NULL
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d0fe8c88
    • M
      skge: fix broken driver · c194992c
      Mikulas Patocka 提交于
      The patch 136d8f37 broke the skge driver.
      Note this part of the patch:
      +               if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) {
      +                       dev_kfree_skb(nskb);
      +                       goto resubmit;
      +               }
      +
                      pci_unmap_single(skge->hw->pdev,
                                       dma_unmap_addr(e, mapaddr),
                                       dma_unmap_len(e, maplen),
                                       PCI_DMA_FROMDEVICE);
                      skb = e->skb;
                      prefetch(skb->data);
      -               skge_rx_setup(skge, e, nskb, skge->rx_buf_size);
      
      The function skge_rx_setup modifies e->skb to point to the new skb. Thus,
      after this change, the new buffer, not the old, is returned to the
      networking stack.
      
      This bug is present in kernels 3.11, 3.11.1 and 3.12-rc1. The patch should
      be queued for 3.11-stable.
      Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
      Reported-by: NMikulas Patocka <mpatocka@redhat.com>
      Reported-by: NVasiliy Glazov <vascom2@gmail.com>
      Tested-by: NMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c194992c
    • A
      ip: generate unique IP identificator if local fragmentation is allowed · 703133de
      Ansis Atteka 提交于
      If local fragmentation is allowed, then ip_select_ident() and
      ip_select_ident_more() need to generate unique IDs to ensure
      correct defragmentation on the peer.
      
      For example, if IPsec (tunnel mode) has to encrypt large skbs
      that have local_df bit set, then all IP fragments that belonged
      to different ESP datagrams would have used the same identificator.
      If one of these IP fragments would get lost or reordered, then
      peer could possibly stitch together wrong IP fragments that did
      not belong to the same datagram. This would lead to a packet loss
      or data corruption.
      Signed-off-by: NAnsis Atteka <aatteka@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      703133de
    • A
      ip: use ip_hdr() in __ip_make_skb() to retrieve IP header · 749154aa
      Ansis Atteka 提交于
      skb->data already points to IP header, but for the sake of
      consistency we can also use ip_hdr() to retrieve it.
      Signed-off-by: NAnsis Atteka <aatteka@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      749154aa
    • P
      xen-netback: Don't destroy the netdev until the vif is shut down · 279f438e
      Paul Durrant 提交于
      Without this patch, if a frontend cycles through states Closing
      and Closed (which Windows frontends need to do) then the netdev
      will be destroyed and requires re-invocation of hotplug scripts
      to restore state before the frontend can move to Connected. Thus
      when udev is not in use the backend gets stuck in InitWait.
      
      With this patch, the netdev is left alone whilst the backend is
      still online and is only de-registered and freed just prior to
      destroying the vif (which is also nicely symmetrical with the
      netdev allocation and registration being done during probe) so
      no re-invocation of hotplug scripts is required.
      Signed-off-by: NPaul Durrant <paul.durrant@citrix.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      279f438e
    • L
      Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · f05f8198
      Linus Torvalds 提交于
      Pull MIPS updates from Ralf Baechle:
       - Minor updates and fixes to the Octeon ethernet driver in staging
       - A fix to VGA_MAP_MEM() for 64 bit platforms
       - Fix a workaround for 74K/1074K processors
       - The symlink arch/mips/boot/dts/include/dt-bindings was pointing to a
         a file with a name ending in \n.  I think this may have been caused
         by a git bug with with patches sent by email
       - A build fix for VGA console on BCM1480-based systems
       - Fix PCI device access via "/sys/bus/pci/.../resource0" or similar
         work for Alchemy platforms
       - Fix potential data leak on MIPS R5 cores.  This doesn't add proper
         support for any R5 features, just ensures a kernel without such
         support will be secure to run
       - Adding a macros for the CP0 Config5 register to be used by the R5 fix
       - Make get_cycles() actually return something useful where possible
         This also requires a preparatory patch for performance sake
       - Fix a warning about the use of smp_processor_id() in preemptible
         code.  Again this includes a preparatory patch adding the
         infrastructure to be used by the actual patch
       - Finally remove pointless one-line comment
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: Fix invalid symbolic link file
        MIPS: PCI: pci-bcm1480: Include missing vt.h header
        MIPS: Disable usermode switching of the FR bit for MIPS R5 CPUs.
        MIPS: Add MIPS R5 config5 register.
        MIPS: PCI: Use pci_resource_to_user to map pci memory space properly
        MIPS: 74K/1074K: Correct erratum workaround.
        MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks
        MIPS: Remove useless comment about kprobe from arch/mips/Makefile
        MIPS: Fix VGA_MAP_MEM macro.
        MIPS: Reimplement get_cycles().
        MIPS: Optimize current_cpu_type() for better code.
        MIPS: Fix accessing to per-cpu data when flushing the cache
        MIPS: Provide nice way to access boot CPU's data.
        staging: octeon-ethernet: rgmii: enable interrupts that we can handle
        staging: octeon-ethernet: remove skb alloc failure warnings
        staging: octeon-ethernet: make dropped packets to consume NAPI budget
      f05f8198
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · e9ff04dd
      Linus Torvalds 提交于
      Pull ceph fixes from Sage Weil:
       "These fix several bugs with RBD from 3.11 that didn't get tested in
        time for the merge window: some error handling, a use-after-free, and
        a sequencing issue when unmapping and image races with a notify
        operation.
      
        There is also a patch fixing a problem with the new ceph + fscache
        code that just went in"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        fscache: check consistency does not decrement refcount
        rbd: fix error handling from rbd_snap_name()
        rbd: ignore unmapped snapshots that no longer exist
        rbd: fix use-after free of rbd_dev->disk
        rbd: make rbd_obj_notify_ack() synchronous
        rbd: complete notifies before cleaning up osd_client and rbd_dev
        libceph: add function to ensure notifies are complete
      e9ff04dd
  4. 19 9月, 2013 13 次提交