1. 27 9月, 2013 16 次提交
    • A
      bcma: make bcma_core_pci_{up,down}() callable from atomic context · 2bedea8f
      Arend van Spriel 提交于
      This patch removes the bcma_core_pci_power_save() call from
      the bcma_core_pci_{up,down}() functions as it tries to schedule
      thus requiring to call them from non-atomic context. The function
      bcma_core_pci_power_save() is now exported so the calling module
      can explicitly use it in non-atomic context. This fixes the
      'scheduling while atomic' issue reported by Tod Jackson and
      Joe Perches.
      
      [   13.210710] BUG: scheduling while atomic: dhcpcd/1800/0x00000202
      [   13.210718] Modules linked in: brcmsmac nouveau coretemp kvm_intel kvm cordic brcmutil bcma dell_wmi atl1c ttm mxm_wmi wmi
      [   13.210756] CPU: 2 PID: 1800 Comm: dhcpcd Not tainted 3.11.0-wl #1
      [   13.210762] Hardware name: Alienware M11x R2/M11x R2, BIOS A04 11/23/2010
      [   13.210767]  ffff880177c92c40 ffff880170fd1948 ffffffff8169af5b 0000000000000007
      [   13.210777]  ffff880170fd1ab0 ffff880170fd1958 ffffffff81697ee2 ffff880170fd19d8
      [   13.210785]  ffffffff816a19f5 00000000000f4240 000000000000d080 ffff880170fd1fd8
      [   13.210794] Call Trace:
      [   13.210813]  [<ffffffff8169af5b>] dump_stack+0x4f/0x84
      [   13.210826]  [<ffffffff81697ee2>] __schedule_bug+0x43/0x51
      [   13.210837]  [<ffffffff816a19f5>] __schedule+0x6e5/0x810
      [   13.210845]  [<ffffffff816a1c34>] schedule+0x24/0x70
      [   13.210855]  [<ffffffff816a04fc>] schedule_hrtimeout_range_clock+0x10c/0x150
      [   13.210867]  [<ffffffff810684e0>] ? update_rmtp+0x60/0x60
      [   13.210877]  [<ffffffff8106915f>] ? hrtimer_start_range_ns+0xf/0x20
      [   13.210887]  [<ffffffff816a054e>] schedule_hrtimeout_range+0xe/0x10
      [   13.210897]  [<ffffffff8104f6fb>] usleep_range+0x3b/0x40
      [   13.210910]  [<ffffffffa00371af>] bcma_pcie_mdio_set_phy.isra.3+0x4f/0x80 [bcma]
      [   13.210921]  [<ffffffffa003729f>] bcma_pcie_mdio_write.isra.4+0xbf/0xd0 [bcma]
      [   13.210932]  [<ffffffffa0037498>] bcma_pcie_mdio_writeread.isra.6.constprop.13+0x18/0x30 [bcma]
      [   13.210942]  [<ffffffffa00374ee>] bcma_core_pci_power_save+0x3e/0x80 [bcma]
      [   13.210953]  [<ffffffffa003765d>] bcma_core_pci_up+0x2d/0x60 [bcma]
      [   13.210975]  [<ffffffffa03dc17c>] brcms_c_up+0xfc/0x430 [brcmsmac]
      [   13.210989]  [<ffffffffa03d1a7d>] brcms_up+0x1d/0x20 [brcmsmac]
      [   13.211003]  [<ffffffffa03d2498>] brcms_ops_start+0x298/0x340 [brcmsmac]
      [   13.211020]  [<ffffffff81600a12>] ? cfg80211_netdev_notifier_call+0xd2/0x5f0
      [   13.211030]  [<ffffffff815fa53d>] ? packet_notifier+0xad/0x1d0
      [   13.211064]  [<ffffffff81656e75>] ieee80211_do_open+0x325/0xf80
      [   13.211076]  [<ffffffff8106ac09>] ? __raw_notifier_call_chain+0x9/0x10
      [   13.211086]  [<ffffffff81657b41>] ieee80211_open+0x71/0x80
      [   13.211101]  [<ffffffff81526267>] __dev_open+0x87/0xe0
      [   13.211109]  [<ffffffff8152650c>] __dev_change_flags+0x9c/0x180
      [   13.211117]  [<ffffffff815266a3>] dev_change_flags+0x23/0x70
      [   13.211127]  [<ffffffff8158cd68>] devinet_ioctl+0x5b8/0x6a0
      [   13.211136]  [<ffffffff8158d5c5>] inet_ioctl+0x75/0x90
      [   13.211147]  [<ffffffff8150b38b>] sock_do_ioctl+0x2b/0x70
      [   13.211155]  [<ffffffff8150b681>] sock_ioctl+0x71/0x2a0
      [   13.211169]  [<ffffffff8114ed47>] do_vfs_ioctl+0x87/0x520
      [   13.211180]  [<ffffffff8113f159>] ? ____fput+0x9/0x10
      [   13.211198]  [<ffffffff8106228c>] ? task_work_run+0x9c/0xd0
      [   13.211202]  [<ffffffff8114f271>] SyS_ioctl+0x91/0xb0
      [   13.211208]  [<ffffffff816aa252>] system_call_fastpath+0x16/0x1b
      [   13.211217] NOHZ: local_softirq_pending 202
      
      The issue was introduced in v3.11 kernel by following commit:
      
      commit aa51e598
      Author: Hauke Mehrtens <hauke@hauke-m.de>
      Date:   Sat Aug 24 00:32:31 2013 +0200
      
          brcmsmac: use bcma PCIe up and down functions
      
          replace the calls to bcma_core_pci_extend_L1timer() by calls to the
          newly introduced bcma_core_pci_ip() and bcma_core_pci_down()
      Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de>
          Cc: Arend van Spriel <arend@broadcom.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      
      This fix has been discussed with Hauke Mehrtens [1] selection
      option 3) and is intended for v3.12.
      
      Ref:
      [1] http://mid.gmane.org/5239B12D.3040206@hauke-m.de
      
      Cc: <stable@vger.kernel.org> # 3.11.x
      Cc: Tod Jackson <tod.jackson@gmail.com>
      Cc: Joe Perches <joe@perches.com>
      Cc: Rafal Milecki <zajec5@gmail.com>
      Cc: Hauke Mehrtens <hauke@hauke-m.de>
      Reviewed-by: NHante Meuleman <meuleman@broadcom.com>
      Signed-off-by: NArend van Spriel <arend@broadcom.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      2bedea8f
    • A
      brcmfmac: obtain platform data upon module initialization · db4efbbe
      Arend van Spriel 提交于
      The driver uses platform_driver_probe() to obtain platform data
      if any. However, that function is placed in the .init section so
      it must be called upon driver module initialization.
      
      The problem was reported by Fenguang Wu resulting in a kernel
      oops because the .init section was already freed.
      
      [   48.966342] Switched to clocksource tsc
      [   48.970002] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
      [   48.970851] BUG: unable to handle kernel paging request at ffffffff82196446
      [   48.970957] IP: [<ffffffff82196446>] classes_init+0x26/0x26
      [   48.970957] PGD 1e76067 PUD 1e77063 PMD f388063 PTE 8000000002196163
      [   48.970957] Oops: 0011 [#1]
      [   48.970957] CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 3.11.0-rc7-00444-gc52dd7f #23
      [   48.970957] Workqueue: events brcmf_driver_init
      [   48.970957] task: ffff8800001d2000 ti: ffff8800001d4000 task.ti: ffff8800001d4000
      [   48.970957] RIP: 0010:[<ffffffff82196446>]  [<ffffffff82196446>] classes_init+0x26/0x26
      [   48.970957] RSP: 0000:ffff8800001d5d40  EFLAGS: 00000286
      [   48.970957] RAX: 0000000000000001 RBX: ffffffff820c5620 RCX: 0000000000000000
      [   48.970957] RDX: 0000000000000001 RSI: ffffffff816f7380 RDI: ffffffff820c56c0
      [   48.970957] RBP: ffff8800001d5d50 R08: ffff8800001d2508 R09: 0000000000000002
      [   48.970957] R10: 0000000000000000 R11: 0001f7ce298c5620 R12: ffff8800001c76b0
      [   48.970957] R13: ffffffff81e91d40 R14: 0000000000000000 R15: ffff88000e0ce300
      [   48.970957] FS:  0000000000000000(0000) GS:ffffffff81e84000(0000) knlGS:0000000000000000
      [   48.970957] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   48.970957] CR2: ffffffff82196446 CR3: 0000000001e75000 CR4: 00000000000006b0
      [   48.970957] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   48.970957] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000
      [   48.970957] Stack:
      [   48.970957]  ffffffff816f7df8 ffffffff820c5620 ffff8800001d5d60 ffffffff816eeec9
      [   48.970957]  ffff8800001d5de0 ffffffff81073dc5 ffffffff81073d68 ffff8800001d5db8
      [   48.970957]  0000000000000086 ffffffff820c5620 ffffffff824f7fd0 0000000000000000
      [   48.970957] Call Trace:
      [   48.970957]  [<ffffffff816f7df8>] ? brcmf_sdio_init+0x18/0x70
      [   48.970957]  [<ffffffff816eeec9>] brcmf_driver_init+0x9/0x10
      [   48.970957]  [<ffffffff81073dc5>] process_one_work+0x1d5/0x480
      [   48.970957]  [<ffffffff81073d68>] ? process_one_work+0x178/0x480
      [   48.970957]  [<ffffffff81074188>] worker_thread+0x118/0x3a0
      [   48.970957]  [<ffffffff81074070>] ? process_one_work+0x480/0x480
      [   48.970957]  [<ffffffff8107aa17>] kthread+0xe7/0xf0
      [   48.970957]  [<ffffffff810829f7>] ? finish_task_switch.constprop.57+0x37/0xd0
      [   48.970957]  [<ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
      [   48.970957]  [<ffffffff81a6923a>] ret_from_fork+0x7a/0xb0
      [   48.970957]  [<ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
      [   48.970957] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
      cc cc cc cc cc cc <cc> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
      [   48.970957] RIP  [<ffffffff82196446>] classes_init+0x26/0x26
      [   48.970957]  RSP <ffff8800001d5d40>
      [   48.970957] CR2: ffffffff82196446
      [   48.970957] ---[ end trace 62980817cd525f14 ]---
      
      Cc: <stable@vger.kernel.org> # 3.10.x, 3.11.x
      Reported-by: NFengguang Wu <fengguang.wu@intel.com>
      Reviewed-by: NHante Meuleman <meuleman@broadcom.com>
      Reviewed-by: NPieter-Paul Giesberts <pieterpg@broadcom.com>
      Tested-by: NFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: NArend van Spriel <arend@broadcom.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      db4efbbe
    • B
      mwifiex: fix NULL pointer dereference in usb suspend handler · 346ece0b
      Bing Zhao 提交于
      Bug 60815 - Interface hangs in mwifiex_usb
      https://bugzilla.kernel.org/show_bug.cgi?id=60815
      
      [ 2.883807] BUG: unable to handle kernel NULL pointer dereference
                  at 0000000000000048
      [ 2.883813] IP: [<ffffffff815a65e0>] pfifo_fast_enqueue+0x90/0x90
      
      [ 2.883834] CPU: 1 PID: 3220 Comm: kworker/u8:90 Not tainted
                  3.11.1-monotone-l0 #6
      [ 2.883834] Hardware name: Microsoft Corporation Surface with
                  Windows 8 Pro/Surface with Windows 8 Pro,
                  BIOS 1.03.0450 03/29/2013
      
      On Surface Pro, suspend to ram gives a NULL pointer dereference in
      pfifo_fast_enqueue(). The stack trace reveals that the offending
      call is clearing carrier in mwifiex_usb suspend handler.
      
      Since commit 1499d9fa "mwifiex: don't drop carrier flag over suspend"
      has removed the carrier flag handling over suspend/resume in SDIO
      and PCIe drivers, I'm removing it in USB driver too. This also fixes
      the bug for Surface Pro.
      
      Cc: <stable@vger.kernel.org> # 3.5+
      Tested-by: NDmitry Khromov <icechrome@gmail.com>
      Signed-off-by: NBing Zhao <bzhao@marvell.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      346ece0b
    • A
      mwifiex: fix hang issue for USB chipsets · bd1c6142
      Amitkumar Karwar 提交于
      Bug 60815 - Interface hangs in mwifiex_usb
      https://bugzilla.kernel.org/show_bug.cgi?id=60815
      
      We have 4 bytes of interface header for packets delivered to SDIO
      and PCIe, but not for USB interface.
      
      In Tx AMSDU case, currently 4 bytes of garbage data is unnecessarily
      appended for USB packets. This sometimes leads to a firmware hang,
      because it may not interpret the data packet correctly.
      
      Problem is fixed by removing this redundant headroom for USB.
      
      Cc: <stable@vger.kernel.org> # 3.5+
      Tested-by: NDmitry Khromov <icechrome@gmail.com>
      Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: NBing Zhao <bzhao@marvell.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      bd1c6142
    • C
      p54usb: add USB ID for Corega WLUSB2GTST USB adapter · 1e43692c
      Christian Lamparter 提交于
      Added USB ID for Corega WLUSB2GTST USB adapter.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: NJoerg Kalisch <the_force@gmx.de>
      Signed-off-by: NChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      1e43692c
    • S
      cw1200: Use a threaded oneshot irq handler for cw1200_spi · 87421cb6
      Solomon Peachy 提交于
      This supercedes the older patch ("cw1200: Don't perform SPI transfers in
      interrupt context") that badly attempted to fix this problem.
      
      This is a far simpler solution, which has the added benefit of
      actually working.
      Signed-off-by: NSolomon Peachy <pizza@shaftnet.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      87421cb6
    • S
      Revert "cw1200: Don't perform SPI transfers in interrupt context" · c4fb19d2
      Solomon Peachy 提交于
      This reverts commit aec8e88c.
      
      This solution turned out to cause interrupt delivery problems, and
      rather than trying to fix this approach, it has been scrapped in favor
      of an alternative (and far simpler) implementation.
      Signed-off-by: NSolomon Peachy <pizza@shaftnet.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      c4fb19d2
    • B
      mwifiex: fix PCIe hs_cfg cancel cmd timeout · b7be1522
      Bing Zhao 提交于
      For pcie8897, the hs_cfg cancel command (0xe5) times out when host
      comes out of suspend. This is caused by an incompleted host sleep
      handshake between driver and firmware.
      
      Like SDIO interface, PCIe also needs to go through firmware power
      save events to complete the handshake for host sleep configuration.
      Only USB interface doesn't require power save events for hs_cfg.
      
      Cc: <stable@vger.kernel.org> # 3.10+
      Signed-off-by: NBing Zhao <bzhao@marvell.com>
      Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      b7be1522
    • L
      rtlwifi: Align private space in rtl_priv struct · 60ce314d
      Larry Finger 提交于
      The private array at the end of the rtl_priv struct is not aligned.
      On ARM architecture, this causes an alignment trap and is fixed by aligning
      that array with __align(sizeof(void *)). That should properly align that
      space according to the requirements of all architectures.
      Reported-by: NJason Andrews <jasona@cadence.com>
      Tested-by: NJason Andrews <jasona@cadence.com>
      Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      60ce314d
    • F
      ath9k: add txq locking for ath_tx_aggr_start · 919123d2
      Felix Fietkau 提交于
      Prevents race conditions when un-aggregated frames are pending in the
      driver.
      Signed-off-by: NFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      919123d2
    • A
      p54usb: fix leak at failure path in p54u_load_firmware() · e78641c1
      Alexey Khoroshilov 提交于
      If request_firmware_nowait() fails in p54u_load_firmware(),
      p54u_load_firmware_cb is not called and no one decrements usb_dev refcnt.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      e78641c1
    • F
      ath9k: don't use BAW tracking on PS responses for non-AMPDU packets · 20e6e55a
      Felix Fietkau 提交于
      When .release_buffered_frames was implemented, only A-MPDU packets were
      buffered internally. Now that this has changed, the BUF_AMPDU flag needs
      to be checked before calling ath_tx_addto_baw
      Signed-off-by: NFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      20e6e55a
    • S
      ath9k: Fix regression in LNA diversity · d29a5fd8
      Sujith Manoharan 提交于
      The commit "ath9k: Optimize LNA check" tried
      to use the "rs_firstaggr" flag to optimize the LNA
      combining algorithm when processing subframes in
      an A-MPDU. This doesn't appear to work well in practice,
      so revert it and use the old method of relying on
      "rs_moreaggr".
      
      Cc: stable@vger.kernel.org # 3.11
      Signed-off-by: NSujith Manoharan <c_manoha@qca.qualcomm.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      d29a5fd8
    • F
      ath9k: do not link bf_next across multiple A-MPDUs · 440c1c87
      Felix Fietkau 提交于
      This might trip up tx completion processing, although the condition that
      triggers this should not (yet) occur in practice.
      Signed-off-by: NFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      440c1c87
    • F
      ath9k: fix stale flag handling on buffer clone · 86c7d8d4
      Felix Fietkau 提交于
      Fixes a regression from commit
      "ath9k: shrink a few data structures by reordering fields"
      
      When cloning a buffer, the stale flag (part of bf_state now) needs to be
      reset after copying the state to prevent tx processing hangs.
      Signed-off-by: NFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      86c7d8d4
    • J
  2. 24 9月, 2013 1 次提交
    • K
      Bluetooth: btusb: Add support for Belkin F8065bf · 5bcecf32
      Ken O'Brien 提交于
      Add generic rule on encountering Belkin bluetooth usb device F8065bf.
      
      Relevant section from /sys/kernel/debug/usb/devices:
      
      T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=050d ProdID=065a Rev= 1.12
      S:  Manufacturer=Broadcom Corp
      S:  Product=BCM20702A0
      S:  SerialNumber=0002723E2D29
      C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      Signed-off-by: NKen O'Brien <kernel@kenobrien.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      5bcecf32
  3. 21 9月, 2013 1 次提交
    • G
      Bluetooth: don't release the port in rfcomm_dev_state_change() · 29cd718b
      Gianluca Anzolin 提交于
      When the dlc is closed, rfcomm_dev_state_change() tries to release the
      port in the case it cannot get a reference to the tty. However this is
      racy and not even needed.
      
      Infact as Peter Hurley points out:
      
      1. Only consider dlcs that are 'stolen' from a connected socket, ie.
         reused. Allocated dlcs cannot have been closed prior to port
         activate and so for these dlcs a tty reference will always be avail
         in rfcomm_dev_state_change() -- except for the conditions covered by
         #2b below.
      2. If a tty was at some point previously created for this rfcomm, then
         either
         (a) the tty reference is still avail, so rfcomm_dev_state_change()
             will perform a hangup. So nothing to do, or,
         (b) the tty reference is no longer avail, and the tty_port will be
             destroyed by the last tty_port_put() in rfcomm_tty_cleanup.
             Again, no action required.
      3. Prior to obtaining the dlc lock in rfcomm_dev_add(),
         rfcomm_dev_state_change() will not 'see' a rfcomm_dev so nothing to
         do here.
      4. After releasing the dlc lock in rfcomm_dev_add(),
         rfcomm_dev_state_change() will 'see' an incomplete rfcomm_dev if a
         tty reference could not be obtained. Again, the best thing to do here
         is nothing. Any future attempted open() will block on
         rfcomm_dev_carrier_raised(). The unconnected device will exist until
         released by ioctl(RFCOMMRELEASEDEV).
      
      The patch removes the aforementioned code and uses the
      tty_port_tty_hangup() helper to hangup the tty.
      Signed-off-by: NGianluca Anzolin <gianluca@sottospazio.it>
      Reviewed-by: NPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      29cd718b
  4. 20 9月, 2013 9 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b75ff5e8
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) If the local_df boolean is set on an SKB we have to allocate a
          unique ID even if IP_DF is set in the ipv4 headers, from Ansis
          Atteka.
      
       2) Some fixups for the new chipset support that went into the sfc
          driver, from Ben Hutchings.
      
       3) Because SCTP bypasses a good chunk of, and actually duplicates, the
          logic of the ipv6 output path, some IPSEC things don't get done
          properly.  Integrate SCTP better into the ipv6 output path so that
          these problems are fixed and such issues don't get missed in the
          future either.  From Daniel Borkmann.
      
       4) Fix skge regressions added by the DMA mapping error return checking
          added in v3.10, from Mikulas Patocka.
      
       5) Kill some more IRQF_DISABLED references, from Michael Opdenacker.
      
       6) Fix races and deadlocks in the bridging code, from Hong Zhiguo.
      
       7) Fix error handling in tun_set_iff(), in particular don't leak
          resources.  From Jason Wang.
      
       8) Prevent format-string injection into xen-netback driver, from Kees
          Cook.
      
       9) Fix regression added to netpoll ARP packet handling, in particular
          check for the right ETH_P_ARP protocol code.  From Sonic Zhang.
      
      10) Try to deal with AMD IOMMU errors when using r8169 chips, from
          Francois Romieu.
      
      11) Cure freezes due to recent changes in the rt2x00 wireless driver,
          from Stanislaw Gruszka.
      
      12) Don't do SPI transfers (which can sleep) in interrupt context in
          cw1200 driver, from Solomon Peachy.
      
      13) Fix LEDs handling bug in 5720 tg3 chips already handled for 5719.
          From Nithin Sujir.
      
      14) Make xen_netbk_count_skb_slots() count the actual number of slots
          that will be used, taking into consideration packing and other
          issues that the transmit path will run into.  From David Vrabel.
      
      15) Use the correct maximum age when calculating the bridge
          message_age_timer, from Chris Healy.
      
      16) Get rid of memory leaks in mcs7780 IRDA driver, from Alexey
          Khoroshilov.
      
      17) Netfilter conntrack extensions were converted to RCU but are not
          always freed properly using kfree_rcu().  Fix from Michal Kubecek.
      
      18) VF reset recovery not being done correctly in qlcnic driver, from
          Manish Chopra.
      
      19) Fix inverted test in ATM nicstar driver, from Andy Shevchenko.
      
      20) Missing workqueue destroy in cxgb4 error handling, from Wei Yang.
      
      21) Internal switch not initialized properly in bgmac driver, from Rafał
          Miłecki.
      
      22) Netlink messages report wrong local and remote addresses in IPv6
          tunneling, from Ding Zhi.
      
      23) ICMP redirects should not generate socket errors in DCCP and SCTP.
          We're still working out how this should be handled for RAW and UDP
          sockets.  From Daniel Borkmann and Duan Jiong.
      
      24) We've had several bugs wherein the network namespace's loopback
          device gets accessed after it is free'd, NULL it out so that we can
          catch these problems more readily.  From Eric W Biederman.
      
      25) Fix regression in TCP RTO calculations, from Neal Cardwell.
      
      26) Fix too early free of xen-netback network device when VIFs still
          exist.  From Paul Durrant.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        netconsole: fix a deadlock with rtnl and netconsole's mutex
        netpoll: fix NULL pointer dereference in netpoll_cleanup
        skge: fix broken driver
        ip: generate unique IP identificator if local fragmentation is allowed
        ip: use ip_hdr() in __ip_make_skb() to retrieve IP header
        xen-netback: Don't destroy the netdev until the vif is shut down
        net:dccp: do not report ICMP redirects to user space
        cnic: Fix crash in cnic_bnx2x_service_kcq()
        bnx2x, cnic, bnx2i, bnx2fc: Fix bnx2i and bnx2fc regressions.
        vxlan: Avoid creating fdb entry with NULL destination
        tcp: fix RTO calculated from cached RTT
        drivers: net: phy: cicada.c: clears warning Use #include <linux/io.h> instead of <asm/io.h>
        net loopback: Set loopback_dev to NULL when freed
        batman-adv: set the TAG flag for the vid passed to BLA
        netfilter: nfnetlink_queue: use network skb for sequence adjustment
        net: sctp: rfc4443: do not report ICMP redirects to user space
        net: usb: cdc_ether: use usb.h macros whenever possible
        net: usb: cdc_ether: fix checkpatch errors and warnings
        net: usb: cdc_ether: Use wwan interface for Telit modules
        ip6_tunnels: raddr and laddr are inverted in nl msg
        ...
      b75ff5e8
    • N
      netconsole: fix a deadlock with rtnl and netconsole's mutex · c71380ff
      Nikolay Aleksandrov 提交于
      This bug was introduced by commit
      7a163bfb ("netconsole: avoid a crash with
      multiple sysfs writers"). In store_enabled() we have the following
      sequence: acquire nt->mutex then rtnl, but in the netconsole netdev
      notifier we have rtnl then nt->mutex effectively leading to a deadlock.
      The NULL pointer dereference that the above commit tries to fix is
      actually due to another bug in netpoll_cleanup(). This is fixed by dropping
      the mutex from the netdev notifier as it's already protected by rtnl.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c71380ff
    • N
      netpoll: fix NULL pointer dereference in netpoll_cleanup · d0fe8c88
      Nikolay Aleksandrov 提交于
      I've been hitting a NULL ptr deref while using netconsole because the
      np->dev check and the pointer manipulation in netpoll_cleanup are done
      without rtnl and the following sequence happens when having a netconsole
      over a vlan and we remove the vlan while disabling the netconsole:
      	CPU 1					CPU2
      					removes vlan and calls the notifier
      enters store_enabled(), calls
      netdev_cleanup which checks np->dev
      and then waits for rtnl
      					executes the netconsole netdev
      					release notifier making np->dev
      					== NULL and releases rtnl
      continues to dereference a member of
      np->dev which at this point is == NULL
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d0fe8c88
    • M
      skge: fix broken driver · c194992c
      Mikulas Patocka 提交于
      The patch 136d8f37 broke the skge driver.
      Note this part of the patch:
      +               if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) {
      +                       dev_kfree_skb(nskb);
      +                       goto resubmit;
      +               }
      +
                      pci_unmap_single(skge->hw->pdev,
                                       dma_unmap_addr(e, mapaddr),
                                       dma_unmap_len(e, maplen),
                                       PCI_DMA_FROMDEVICE);
                      skb = e->skb;
                      prefetch(skb->data);
      -               skge_rx_setup(skge, e, nskb, skge->rx_buf_size);
      
      The function skge_rx_setup modifies e->skb to point to the new skb. Thus,
      after this change, the new buffer, not the old, is returned to the
      networking stack.
      
      This bug is present in kernels 3.11, 3.11.1 and 3.12-rc1. The patch should
      be queued for 3.11-stable.
      Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
      Reported-by: NMikulas Patocka <mpatocka@redhat.com>
      Reported-by: NVasiliy Glazov <vascom2@gmail.com>
      Tested-by: NMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c194992c
    • A
      ip: generate unique IP identificator if local fragmentation is allowed · 703133de
      Ansis Atteka 提交于
      If local fragmentation is allowed, then ip_select_ident() and
      ip_select_ident_more() need to generate unique IDs to ensure
      correct defragmentation on the peer.
      
      For example, if IPsec (tunnel mode) has to encrypt large skbs
      that have local_df bit set, then all IP fragments that belonged
      to different ESP datagrams would have used the same identificator.
      If one of these IP fragments would get lost or reordered, then
      peer could possibly stitch together wrong IP fragments that did
      not belong to the same datagram. This would lead to a packet loss
      or data corruption.
      Signed-off-by: NAnsis Atteka <aatteka@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      703133de
    • A
      ip: use ip_hdr() in __ip_make_skb() to retrieve IP header · 749154aa
      Ansis Atteka 提交于
      skb->data already points to IP header, but for the sake of
      consistency we can also use ip_hdr() to retrieve it.
      Signed-off-by: NAnsis Atteka <aatteka@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      749154aa
    • P
      xen-netback: Don't destroy the netdev until the vif is shut down · 279f438e
      Paul Durrant 提交于
      Without this patch, if a frontend cycles through states Closing
      and Closed (which Windows frontends need to do) then the netdev
      will be destroyed and requires re-invocation of hotplug scripts
      to restore state before the frontend can move to Connected. Thus
      when udev is not in use the backend gets stuck in InitWait.
      
      With this patch, the netdev is left alone whilst the backend is
      still online and is only de-registered and freed just prior to
      destroying the vif (which is also nicely symmetrical with the
      netdev allocation and registration being done during probe) so
      no re-invocation of hotplug scripts is required.
      Signed-off-by: NPaul Durrant <paul.durrant@citrix.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      279f438e
    • L
      Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · f05f8198
      Linus Torvalds 提交于
      Pull MIPS updates from Ralf Baechle:
       - Minor updates and fixes to the Octeon ethernet driver in staging
       - A fix to VGA_MAP_MEM() for 64 bit platforms
       - Fix a workaround for 74K/1074K processors
       - The symlink arch/mips/boot/dts/include/dt-bindings was pointing to a
         a file with a name ending in \n.  I think this may have been caused
         by a git bug with with patches sent by email
       - A build fix for VGA console on BCM1480-based systems
       - Fix PCI device access via "/sys/bus/pci/.../resource0" or similar
         work for Alchemy platforms
       - Fix potential data leak on MIPS R5 cores.  This doesn't add proper
         support for any R5 features, just ensures a kernel without such
         support will be secure to run
       - Adding a macros for the CP0 Config5 register to be used by the R5 fix
       - Make get_cycles() actually return something useful where possible
         This also requires a preparatory patch for performance sake
       - Fix a warning about the use of smp_processor_id() in preemptible
         code.  Again this includes a preparatory patch adding the
         infrastructure to be used by the actual patch
       - Finally remove pointless one-line comment
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: Fix invalid symbolic link file
        MIPS: PCI: pci-bcm1480: Include missing vt.h header
        MIPS: Disable usermode switching of the FR bit for MIPS R5 CPUs.
        MIPS: Add MIPS R5 config5 register.
        MIPS: PCI: Use pci_resource_to_user to map pci memory space properly
        MIPS: 74K/1074K: Correct erratum workaround.
        MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks
        MIPS: Remove useless comment about kprobe from arch/mips/Makefile
        MIPS: Fix VGA_MAP_MEM macro.
        MIPS: Reimplement get_cycles().
        MIPS: Optimize current_cpu_type() for better code.
        MIPS: Fix accessing to per-cpu data when flushing the cache
        MIPS: Provide nice way to access boot CPU's data.
        staging: octeon-ethernet: rgmii: enable interrupts that we can handle
        staging: octeon-ethernet: remove skb alloc failure warnings
        staging: octeon-ethernet: make dropped packets to consume NAPI budget
      f05f8198
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · e9ff04dd
      Linus Torvalds 提交于
      Pull ceph fixes from Sage Weil:
       "These fix several bugs with RBD from 3.11 that didn't get tested in
        time for the merge window: some error handling, a use-after-free, and
        a sequencing issue when unmapping and image races with a notify
        operation.
      
        There is also a patch fixing a problem with the new ceph + fscache
        code that just went in"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        fscache: check consistency does not decrement refcount
        rbd: fix error handling from rbd_snap_name()
        rbd: ignore unmapped snapshots that no longer exist
        rbd: fix use-after free of rbd_dev->disk
        rbd: make rbd_obj_notify_ack() synchronous
        rbd: complete notifies before cleaning up osd_client and rbd_dev
        libceph: add function to ensure notifies are complete
      e9ff04dd
  5. 19 9月, 2013 13 次提交