Nikolay Borisov [Fri, 16 Oct 2015 06:40:28 +0000 (09:40 +0300)]
netfilter: ipset: Fix sleeping memory allocation in atomic context
Commit
00590fdd5be0 introduced RCU locking in list type and in
doing so introduced a memory allocation in list_set_add, which
is done in an atomic context, due to the fact that ipset rcu
list modifications are serialised with a spin lock. The reason
why we can't use a mutex is that in addition to modifying the
list with ipset commands, it's also being modified when a
particular ipset rule timeout expires aka garbage collection.
This gc is triggered from set_cleanup_entries, which in turn
is invoked from a timer thus requiring the lock to be bh-safe.
Concretely the following call chain can lead to "sleeping function
called in atomic context" splat:
call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL).
And since GFP_KERNEL allows initiating direct reclaim thus
potentially sleeping in the allocation path.
To fix the issue change the allocation type to GFP_ATOMIC, to
correctly reflect that it is occuring in an atomic context.
Fixes: 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type")
Signed-off-by: Nikolay Borisov <kernel@kyup.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 8 Oct 2015 21:38:07 +0000 (23:38 +0200)]
netfilter: sync with packet rx also after removing queue entries
We need to sync packet rx again after flushing the queue entries.
Otherwise, the following race could happen:
cpu1: nf_unregister_hook(H) called, H unliked from lists, calls
synchronize_net() to wait for packet rx completion.
Problem is that while no new nf_queue_entry structs that use H can be
allocated, another CPU might receive a verdict from userspace just before
cpu1 calls nf_queue_nf_hook_drop to remove this entry:
cpu2: receive verdict from userspace, lock queue
cpu2: unlink nf_queue_entry struct E, which references H, from queue list
cpu1: calls nf_queue_nf_hook_drop, blocks on queue spinlock
cpu2: unlock queue
cpu1: nf_queue_nf_hook_drop drops affected queue entries
cpu2: call nf_reinject for E
cpu1: kfree(H)
cpu2: potential use-after-free for H
Cc: Eric W. Biederman <ebiederm@xmission.com>
Fixes: 085db2c04557 ("netfilter: Per network namespace netfilter hooks.")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
lucien [Tue, 6 Oct 2015 13:03:07 +0000 (21:03 +0800)]
netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse
--accept-local option works for res.type == RTN_LOCAL, which should be
from the local table, but there, the fib_info's nh->nh_scope =
RT_SCOPE_NOWHERE ( > RT_SCOPE_HOST). in fib_create_info().
if (cfg->fc_scope == RT_SCOPE_HOST) {
struct fib_nh *nh = fi->fib_nh;
/* Local address is added. */
if (nhs != 1 || nh->nh_gw)
goto err_inval;
nh->nh_scope = RT_SCOPE_NOWHERE; <===
nh->nh_dev = dev_get_by_index(net, fi->fib_nh->nh_oif);
err = -ENODEV;
if (!nh->nh_dev)
goto failure;
but in our rpfilter_lookup_reverse():
if (dev_match || flags & XT_RPFILTER_LOOSE)
return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
if nh->nh_scope > RT_SCOPE_HOST, it will fail. --accept-local option
will never be passed.
it seems the test is bogus and can be removed to fix this issue.
if (dev_match || flags & XT_RPFILTER_LOOSE)
return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
ipv6 does not have this issue.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Tue, 29 Sep 2015 19:10:05 +0000 (21:10 +0200)]
netfilter: fix Kconfig dependencies for nf_dup_ipv{4,6}
net/built-in.o: In function `nf_dup_ipv4': (.text+0xed24d): undefined reference to `nf_conntrack_untracked'
net/built-in.o: In function `nf_dup_ipv4': (.text+0xed267): undefined reference to `nf_conntrack_untracked'
net/built-in.o: In function `nf_dup_ipv6': (.text+0x158aef): undefined reference to `nf_conntrack_untracked'
net/built-in.o: In function `nf_dup_ipv6': (.text+0x158b09): undefined reference to `nf_conntrack_untracked'
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
David Ahern [Wed, 30 Sep 2015 02:07:07 +0000 (19:07 -0700)]
net: Initialize flow flags in input path
The fib_table_lookup tracepoint found 2 places where the flowi4_flags is
not initialized.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vivien Didelot [Tue, 29 Sep 2015 18:17:54 +0000 (14:17 -0400)]
net: dsa: fix preparation of a port STP update
Because of the default 0 value of ret in dsa_slave_port_attr_set, a
driver may return -EOPNOTSUPP from the commit phase of a STP state,
which triggers a WARN() from switchdev.
This happened on a 6185 switch which does not support hardware bridging.
Fixes: 3563606258cf ("switchdev: convert STP update to switchdev attr set")
Reported-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Huth [Tue, 29 Sep 2015 15:45:28 +0000 (17:45 +0200)]
testptp: Silence compiler warnings on ppc64
When compiling Documentation/ptp/testptp.c the following compiler
warnings are printed out:
Documentation/ptp/testptp.c: In function ‘main’:
Documentation/ptp/testptp.c:367:11: warning: format ‘%lld’ expects argument
of type ‘long long int’, but argument 3 has type ‘__s64’ [-Wformat=]
event.t.sec, event.t.nsec);
^
Documentation/ptp/testptp.c:505:5: warning: format ‘%lld’ expects argument
of type ‘long long int’, but argument 2 has type ‘__s64’ [-Wformat=]
(pct+2*i)->sec, (pct+2*i)->nsec);
^
Documentation/ptp/testptp.c:507:5: warning: format ‘%lld’ expects argument
of type ‘long long int’, but argument 2 has type ‘__s64’ [-Wformat=]
(pct+2*i+1)->sec, (pct+2*i+1)->nsec);
^
Documentation/ptp/testptp.c:509:5: warning: format ‘%lld’ expects argument
of type ‘long long int’, but argument 2 has type ‘__s64’ [-Wformat=]
(pct+2*i+2)->sec, (pct+2*i+2)->nsec);
This happens because __s64 is by default defined as "long" on ppc64,
not as "long long". However, to fix these warnings, it's possible to
define the __SANE_USERSPACE_TYPES__ so that __s64 gets defined to
"long long" on ppc64, too.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Robb Manes [Tue, 29 Sep 2015 15:03:37 +0000 (11:03 -0400)]
net/mlx4: Handle return codes in mlx4_qp_attach_common
Both new_steering_entry() and existing_steering_entry() return values
based on their success or failure, but currently they fall through
silently. This can make troubleshooting difficult, as we were unable
to tell which one of these two functions returned errors or
specifically what code was returned. This patch remedies that
situation by passing the return codes to err, which is returned by
mlx4_qp_attach_common() itself.
This also addresses a leak in the call to mlx4_bitmap_free() as well.
Signed-off-by: Robb Manes <rmanes@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Lunn [Mon, 28 Sep 2015 23:50:56 +0000 (01:50 +0200)]
dsa: mv88e6xxx: Enable forwarding for unknown to the CPU port
Frames destined to an unknown address must be forwarded to the CPU
port. Otherwise incoming ARP, dhcp leases, etc, do not work.
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pravin B Shelar [Tue, 29 Sep 2015 00:24:25 +0000 (17:24 -0700)]
skbuff: Fix skb checksum partial check.
Earlier patch
6ae459bda tried to detect void ckecksum partial
skb by comparing pull length to checksum offset. But it does
not work for all cases since checksum-offset depends on
updates to skb->data.
Following patch fixes it by validating checksum start offset
after skb-data pointer is updated. Negative value of checksum
offset start means there is no need to checksum.
Fixes: 6ae459bda ("skbuff: Fix skb checksum flag on skb pull")
Reported-by: Andrew Vagin <avagin@odin.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Ahern [Mon, 28 Sep 2015 17:12:13 +0000 (10:12 -0700)]
net: ipv6: Add RT6_LOOKUP_F_IFACE flag if oif is set
Wolfgang reported that IPv6 stack is ignoring oif in output route lookups:
With ipv6, ip -6 route get always returns the specific route.
$ ip -6 r
2001:db8:e2::1 dev enp2s0 proto kernel metric 256
2001:db8:e2::/64 dev enp2s0 metric 1024
2001:db8:e3::1 dev enp3s0 proto kernel metric 256
2001:db8:e3::/64 dev enp3s0 metric 1024
fe80::/64 dev enp3s0 proto kernel metric 256
default via 2001:db8:e3::255 dev enp3s0 metric 1024
$ ip -6 r get 2001:db8:e2::100
2001:db8:e2::100 from :: dev enp2s0 src 2001:db8:e3::1 metric 0
cache
$ ip -6 r get 2001:db8:e2::100 oif enp3s0
2001:db8:e2::100 from :: dev enp2s0 src 2001:db8:e3::1 metric 0
cache
The stack does consider the oif but a mismatch in rt6_device_match is not
considered fatal because RT6_LOOKUP_F_IFACE is not set in the flags.
Cc: Wolfgang Nothdurft <netdev@linux-dude.de>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexander Stein [Mon, 28 Sep 2015 13:05:33 +0000 (15:05 +0200)]
net sysfs: Print link speed as signed integer
Otherwise
4294967295 (MBit/s) (-1) will be printed when there is no link.
Documentation/ABI/testing/sysfs-class-net does not state if this shall be
signed or unsigned.
Also remove the now unused variable fmt_udec.
Signed-off-by: Alexander Stein <alexander.stein@systec-electronic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrzej Hajda [Mon, 28 Sep 2015 08:49:48 +0000 (10:49 +0200)]
bna: fix error handling
Several functions can return negative value in case of error,
so their return type should be fixed as well as type of variables
to which this value is assigned.
The problem has been detected using proposed semantic patch
scripts/coccinelle/tests/assign_signed_to_unsigned.cocci [1].
[1]: http://permalink.gmane.org/gmane.linux.kernel/
2046107
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 29 Sep 2015 20:47:08 +0000 (13:47 -0700)]
Merge branch 'af_unix_MSG_PEEK'
Aaron Conole says:
====================
af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
This patch set implements a bugfix for kernel.org bugzilla #12323, allowing
MSG_PEEK to return all queued data on the unix domain socket, not just the
data contained in a single SKB.
This is the v3 version of this patch, which includes a suggested modification
by Eric Dumazet to convert the unix_sk() conversion macro to a static inline
function. These patches are independent and can be applied separately.
This set was tested over a 24-hour period, utilizing a loop continually
executing the bugzilla issue attached python code. It was instrumented with
a pr_err_once() ([ 13.798683] unix: went there at least one time).
v2->v3:
- Added Eric Dumazet's suggestion for #define to static inline
- Fixed an issue calling unix_state_lock() with an invalid argument
v3->v4:
- Eliminated an XXX comment
- Changed from goto unlock to explicit unix_state_unlock() and break
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Aaron Conole [Sat, 26 Sep 2015 22:50:43 +0000 (18:50 -0400)]
af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
AF_UNIX sockets now return multiple skbs from recv() when MSG_PEEK flag
is set.
This is referenced in kernel bugzilla #12323 @
https://bugzilla.kernel.org/show_bug.cgi?id=12323
As described both in the BZ and lkml thread @
http://lkml.org/lkml/2008/1/8/444 calling recv() with MSG_PEEK on an
AF_UNIX socket only reads a single skb, where the desired effect is
to return as much skb data has been queued, until hitting the recv
buffer size (whichever comes first).
The modified MSG_PEEK path will now move to the next skb in the tree
and jump to the again: label, rather than following the natural loop
structure. This requires duplicating some of the loop head actions.
This was tested using the python socketpair python code attached to
the bugzilla issue.
Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Aaron Conole [Sat, 26 Sep 2015 22:50:42 +0000 (18:50 -0400)]
af_unix: Convert the unix_sk macro to an inline function for type safety
As suggested by Eric Dumazet this change replaces the
#define with a static inline function to enjoy
complaints by the compiler when misusing the API.
Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denys Vlasenko [Mon, 28 Sep 2015 12:34:04 +0000 (14:34 +0200)]
net: sctp: Don't use 64 kilobyte lookup table for four elements
Seemingly innocuous sctp_trans_state_to_prio_map[] array
is way bigger than it looks, since
"[SCTP_UNKNOWN] = 2" expands into "[0xffff] = 2" !
This patch replaces it with switch() statement.
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
CC: Vlad Yasevich <vyasevich@gmail.com>
CC: Neil Horman <nhorman@tuxdriver.com>
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: linux-sctp@vger.kernel.org
CC: netdev@vger.kernel.org
CC: linux-kernel@vger.kernel.org
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexander Couzens [Mon, 28 Sep 2015 09:32:42 +0000 (11:32 +0200)]
l2tp: protect tunnel->del_work by ref_count
There is a small chance that tunnel_free() is called before tunnel->del_work scheduled
resulting in a zero pointer dereference.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Acked-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ivan Mikhaylov [Fri, 25 Sep 2015 07:52:27 +0000 (11:52 +0400)]
net/ibm/emac: bump version numbers for correct work with ethtool
The size of the MAC register dump used to be the size specified by the
reg property in the device tree. Userland has no good way of finding
out that size, and it was not specified consistently for each MAC type,
so ethtool would end up printing junk at the end of the register dump
if the device tree didn't match the size it assumed.
Using the new version numbers indicates unambiguously that the size of
the MAC register dump is dependent only on the MAC type.
Fixes: 5369c71f7ca2 ("net/ibm/emac: fix size of emac dump memory areas")
Signed-off-by: Ivan Mikhaylov <ivan@ru.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 29 Sep 2015 04:03:40 +0000 (21:03 -0700)]
Merge branch 'sctp-accept-deadlock'
Karl Heiss says:
====================
sctp: Fix SCTP deadlock
These patches fix a deadlock during accept() of an SCTP connection.
The first patch fixes whitespace issues.
The second patch actually fixes the deadlock race.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Karl Heiss [Thu, 24 Sep 2015 16:15:07 +0000 (12:15 -0400)]
sctp: Prevent soft lockup when sctp_accept() is called during a timeout event
A case can occur when sctp_accept() is called by the user during
a heartbeat timeout event after the 4-way handshake. Since
sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the
bh_sock_lock in sctp_generate_heartbeat_event() will be taken with
the listening socket but released with the new association socket.
The result is a deadlock on any future attempts to take the listening
socket lock.
Note that this race can occur with other SCTP timeouts that take
the bh_lock_sock() in the event sctp_accept() is called.
BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0]
...
RIP: 0010:[<
ffffffff8152d48e>] [<
ffffffff8152d48e>] _spin_lock+0x1e/0x30
RSP: 0018:
ffff880028323b20 EFLAGS:
00000206
RAX:
0000000000000002 RBX:
ffff880028323b20 RCX:
0000000000000000
RDX:
0000000000000000 RSI:
ffff880028323be0 RDI:
ffff8804632c4b48
RBP:
ffffffff8100bb93 R08:
0000000000000000 R09:
0000000000000000
R10:
ffff880610662280 R11:
0000000000000100 R12:
ffff880028323aa0
R13:
ffff8804383c3880 R14:
ffff880028323a90 R15:
ffffffff81534225
FS:
0000000000000000(0000) GS:
ffff880028320000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0:
000000008005003b
CR2:
00000000006df528 CR3:
0000000001a85000 CR4:
00000000000006e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
Process swapper (pid: 0, threadinfo
ffff880616b70000, task
ffff880616b6cab0)
Stack:
ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000
<d>
0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00
<d>
ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8
Call Trace:
<IRQ>
[<
ffffffffa01c2582>] ? sctp_rcv+0x492/0xa10 [sctp]
[<
ffffffff8148c559>] ? nf_iterate+0x69/0xb0
[<
ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
[<
ffffffff8148c716>] ? nf_hook_slow+0x76/0x120
[<
ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
[<
ffffffff8149757d>] ? ip_local_deliver_finish+0xdd/0x2d0
[<
ffffffff81497808>] ? ip_local_deliver+0x98/0xa0
[<
ffffffff81496ccd>] ? ip_rcv_finish+0x12d/0x440
[<
ffffffff81497255>] ? ip_rcv+0x275/0x350
[<
ffffffff8145cfeb>] ? __netif_receive_skb+0x4ab/0x750
...
With lockdep debugging:
=====================================
[ BUG: bad unlock balance detected! ]
-------------------------------------
CslRx/12087 is trying to release lock (slock-AF_INET) at:
[<
ffffffffa01bcae0>] sctp_generate_timeout_event+0x40/0xe0 [sctp]
but there are no more locks to release!
other info that might help us debug this:
2 locks held by CslRx/12087:
#0: (&asoc->timers[i]){+.-...}, at: [<
ffffffff8108ce1f>] run_timer_softirq+0x16f/0x3e0
#1: (slock-AF_INET){+.-...}, at: [<
ffffffffa01bcac3>] sctp_generate_timeout_event+0x23/0xe0 [sctp]
Ensure the socket taken is also the same one that is released by
saving a copy of the socket before entering the timeout event
critical section.
Signed-off-by: Karl Heiss <kheiss@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Karl Heiss [Thu, 24 Sep 2015 16:15:06 +0000 (12:15 -0400)]
sctp: Whitespace fix
Fix indentation in sctp_generate_heartbeat_event.
Signed-off-by: Karl Heiss <kheiss@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mitch Williams [Tue, 29 Sep 2015 00:31:26 +0000 (17:31 -0700)]
i40e/i40evf: check for stopped admin queue
It's possible that while we are waiting for the spinlock, another
entity (that owns the spinlock) has shut down the admin queue.
If we then attempt to use the queue, we will panic.
Add a check for this condition on the receive side. This matches
an existing check on the send queue side.
Signed-off-by: Mitch Williams <mitch.a.williams@intel.com>
Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jesse Brandeburg [Mon, 28 Sep 2015 18:21:48 +0000 (11:21 -0700)]
i40e: fix VLAN inside VXLAN
Previously to this patch, the hardware was removing
VLAN tags from the inner header of VXLAN packets. The
hardware configuration can be changed to leave the
packet alone since that is what the linux stack
expects for this type of VLAN in VXLAN packet.
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrzej Hajda [Thu, 24 Sep 2015 14:00:24 +0000 (16:00 +0200)]
r8169: fix handling rtl_readphy result
The function can return negative value.
The problem has been detected using proposed semantic patch
scripts/coccinelle/tests/assign_signed_to_unsigned.cocci [1].
[1]: http://permalink.gmane.org/gmane.linux.kernel/
2046107
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrzej Hajda [Thu, 24 Sep 2015 14:00:15 +0000 (16:00 +0200)]
net: hisilicon: fix handling platform_get_irq result
The function can return negative value.
The problem has been detected using proposed semantic patch
scripts/coccinelle/tests/assign_signed_to_unsigned.cocci [1].
[1]: http://permalink.gmane.org/gmane.linux.kernel/
2046107
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sat, 26 Sep 2015 10:01:33 +0000 (06:01 -0400)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) When we run a tap on netlink sockets, we have to copy mmap'd SKBs
instead of cloning them. From Daniel Borkmann.
2) When converting classical BPF into eBPF, fix the setting of the
source reg to BPF_REG_X. From Tycho Andersen.
3) Fix igmpv3/mldv2 report parsing in the bridge multicast code, from
Linus Lussing.
4) Fix dst refcounting for ipv6 tunnels, from Martin KaFai Lau.
5) Set NLM_F_REPLACE flag properly when replacing ipv6 routes, from
Roopa Prabhu.
6) Add some new cxgb4 PCI device IDs, from Hariprasad Shenai.
7) Fix headroom tests and SKB leaks in ipv6 fragmentation code, from
Florian Westphal.
8) Check DMA mapping errors in bna driver, from Ivan Vecera.
9) Several 8139cp bug fixes (dev_kfree_skb_any in interrupt context,
misclearing of interrupt status in TX timeout handler, etc.) from
David Woodhouse.
10) In tipc, reset SKB header pointer after skb_linearize(), from Erik
Hugne.
11) Fix autobind races et al. in netlink code, from Herbert Xu with
help from Tejun Heo and others.
12) Missing SET_NETDEV_DEV in sunvnet driver, from Sowmini Varadhan.
13) Fix various races in timewait timer and reqsk_queue_hadh_req, from
Eric Dumazet.
14) Fix array overruns in mac80211, from Johannes Berg and Dan
Carpenter.
15) Fix data race in rhashtable_rehash_one(), from Dmitriy Vyukov.
16) Fix race between poll_one_napi and napi_disable, from Neil Horman.
17) Fix byte order in geneve tunnel port config, from John W Linville.
18) Fix handling of ARP replies over lightweight tunnels, from Jiri
Benc.
19) We can loop when fib rule dumps cross multiple SKBs, fix from Wilson
Kok and Roopa Prabhu.
20) Several reference count handling bug fixes in the PHY/MDIO layer
from Russel King.
21) Fix lockdep splat in ppp_dev_uninit(), from Guillaume Nault.
22) Fix crash in icmp_route_lookup(), from David Ahern.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (116 commits)
net: Fix panic in icmp_route_lookup
net: update docbook comment for __mdiobus_register()
ppp: fix lockdep splat in ppp_dev_uninit()
net: via/Kconfig: GENERIC_PCI_IOMAP required if PCI not selected
phy: marvell: add link partner advertised modes
net: fix net_device refcounting
phy: add phy_device_remove()
phy: fixed-phy: properly validate phy in fixed_phy_update_state()
net: fix phy refcounting in a bunch of drivers
of_mdio: fix MDIO phy device refcounting
phy: add proper phy struct device refcounting
phy: fix mdiobus module safety
net: dsa: fix of_mdio_find_bus() device refcount leak
phy: fix of_mdio_find_bus() device refcount leak
ip6_tunnel: Reduce log level in ip6_tnl_err() to debug
ip6_gre: Reduce log level in ip6gre_err() to debug
fib_rules: fix fib rule dumps across multiple skbs
bnx2x: byte swap rss_key to comply to Toeplitz specs
net: revert "net_sched: move tp->root allocation into fw_init()"
lwtunnel: remove source and destination UDP port config option
...
David Ahern [Thu, 24 Sep 2015 21:31:29 +0000 (15:31 -0600)]
net: Fix panic in icmp_route_lookup
Andrey reported a panic:
[ 7249.865507] BUG: unable to handle kernel pointer dereference at
000000b4
[ 7249.865559] IP: [<
c16afeca>] icmp_route_lookup+0xaa/0x320
[ 7249.865598] *pdpt =
0000000030f7f001 *pde =
0000000000000000
[ 7249.865637] Oops: 0000 [#1]
...
[ 7249.866811] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
4.3.0-999-generic #
201509220155
[ 7249.866876] Hardware name: MSI MS-7250/MS-7250, BIOS 080014 08/02/2006
[ 7249.866916] task:
c1a5ab00 ti:
c1a52000 task.ti:
c1a52000
[ 7249.866949] EIP: 0060:[<
c16afeca>] EFLAGS:
00210246 CPU: 0
[ 7249.866981] EIP is at icmp_route_lookup+0xaa/0x320
[ 7249.867012] EAX:
00000000 EBX:
f483ba48 ECX:
00000000 EDX:
f2e18a00
[ 7249.867045] ESI:
000000c0 EDI:
f483ba70 EBP:
f483b9ec ESP:
f483b974
[ 7249.867077] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 7249.867108] CR0:
8005003b CR2:
000000b4 CR3:
36ee07c0 CR4:
000006f0
[ 7249.867141] Stack:
[ 7249.867165]
320310ee 00000000 00000042 320310ee 00000000 c1aeca00
f3920240 f0c69180
[ 7249.867268]
f483ba04 f855058b a89b66cd f483ba44 f8962f4b 00000000
e659266c f483ba54
[ 7249.867361]
8004753c f483ba5c f8962f4b f2031140 000003c1 ffbd8fa0
c16b0e00 00000064
[ 7249.867448] Call Trace:
[ 7249.867494] [<
f855058b>] ? e1000_xmit_frame+0x87b/0xdc0 [e1000e]
[ 7249.867534] [<
f8962f4b>] ? tcp_in_window+0xeb/0xb10 [nf_conntrack]
[ 7249.867576] [<
f8962f4b>] ? tcp_in_window+0xeb/0xb10 [nf_conntrack]
[ 7249.867615] [<
c16b0e00>] ? icmp_send+0xa0/0x380
[ 7249.867648] [<
c16b102f>] icmp_send+0x2cf/0x380
[ 7249.867681] [<
f89c8126>] nf_send_unreach+0xa6/0xc0 [nf_reject_ipv4]
[ 7249.867714] [<
f89cd0da>] reject_tg+0x7a/0x9f [ipt_REJECT]
[ 7249.867746] [<
f88c29a7>] ipt_do_table+0x317/0x70c [ip_tables]
[ 7249.867780] [<
f895e0a6>] ? __nf_conntrack_find_get+0x166/0x3b0
[nf_conntrack]
[ 7249.867838] [<
f895eea8>] ? nf_conntrack_in+0x398/0x600 [nf_conntrack]
[ 7249.867889] [<
f84c0035>] iptable_filter_hook+0x35/0x80 [iptable_filter]
[ 7249.867933] [<
c16776a1>] nf_iterate+0x71/0x80
[ 7249.867970] [<
c1677715>] nf_hook_slow+0x65/0xc0
[ 7249.868002] [<
c1681811>] __ip_local_out_sk+0xc1/0xd0
[ 7249.868034] [<
c1680f30>] ? ip_forward_options+0x1a0/0x1a0
[ 7249.868066] [<
c1681836>] ip_local_out_sk+0x16/0x30
[ 7249.868097] [<
c1684054>] ip_send_skb+0x14/0x80
[ 7249.868129] [<
c16840f4>] ip_push_pending_frames+0x34/0x40
[ 7249.868163] [<
c16844a2>] ip_send_unicast_reply+0x282/0x310
[ 7249.868196] [<
c16a0863>] tcp_v4_send_reset+0x1b3/0x380
[ 7249.868227] [<
c16a1b63>] tcp_v4_rcv+0x323/0x990
[ 7249.868257] [<
c16776a1>] ? nf_iterate+0x71/0x80
[ 7249.868289] [<
c167dc2b>] ip_local_deliver_finish+0x8b/0x230
[ 7249.868322] [<
c167df4c>] ip_local_deliver+0x4c/0xa0
[ 7249.868353] [<
c167dba0>] ? ip_rcv_finish+0x390/0x390
[ 7249.868384] [<
c167d88c>] ip_rcv_finish+0x7c/0x390
[ 7249.868415] [<
c167e280>] ip_rcv+0x2e0/0x420
...
Prior to the VRF change the oif was not set in the flow struct, so the
VRF support should really have only added the vrf_master_ifindex lookup.
Fixes: 613d09b30f8b ("net: Use VRF device index for lookups on TX")
Cc: Andrey Melnikov <temnota.am@gmail.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Fri, 25 Sep 2015 10:56:56 +0000 (11:56 +0100)]
net: update docbook comment for __mdiobus_register()
Update the docbook comment for __mdiobus_register() to include the new
module owner argument. This resolves a warning found by the 0-day
builder.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 25 Sep 2015 23:20:55 +0000 (16:20 -0700)]
Merge branch 'for-4.3-fixes' of git://git./linux/kernel/git/tj/cgroup
Pull another cgroup fix from Tejun Heo:
"The cgroup writeback support got inadvertently enabled for traditional
hierarchies revealing two regressions which are currently being worked
on. It shouldn't have been enabled on traditional hierarchies, so
disable it on them. This is enough to make the regressions go away
for people who aren't experimenting with cgroup"
* 'for-4.3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
cgroup, writeback: don't enable cgroup writeback on traditional hierarchies
Guillaume Nault [Thu, 24 Sep 2015 10:54:01 +0000 (12:54 +0200)]
ppp: fix lockdep splat in ppp_dev_uninit()
ppp_dev_uninit() locks all_ppp_mutex while under rtnl mutex protection.
ppp_create_interface() must then lock these mutexes in that same order
to avoid possible deadlock.
[ 120.880011] ======================================================
[ 120.880011] [ INFO: possible circular locking dependency detected ]
[ 120.880011] 4.2.0 #1 Not tainted
[ 120.880011] -------------------------------------------------------
[ 120.880011] ppp-apitest/15827 is trying to acquire lock:
[ 120.880011] (&pn->all_ppp_mutex){+.+.+.}, at: [<
ffffffffa0145f56>] ppp_dev_uninit+0x64/0xb0 [ppp_generic]
[ 120.880011]
[ 120.880011] but task is already holding lock:
[ 120.880011] (rtnl_mutex){+.+.+.}, at: [<
ffffffff812e4255>] rtnl_lock+0x12/0x14
[ 120.880011]
[ 120.880011] which lock already depends on the new lock.
[ 120.880011]
[ 120.880011]
[ 120.880011] the existing dependency chain (in reverse order) is:
[ 120.880011]
[ 120.880011] -> #1 (rtnl_mutex){+.+.+.}:
[ 120.880011] [<
ffffffff81073a6f>] lock_acquire+0xcf/0x10e
[ 120.880011] [<
ffffffff813ab18a>] mutex_lock_nested+0x56/0x341
[ 120.880011] [<
ffffffff812e4255>] rtnl_lock+0x12/0x14
[ 120.880011] [<
ffffffff812d9d94>] register_netdev+0x11/0x27
[ 120.880011] [<
ffffffffa0147b17>] ppp_ioctl+0x289/0xc98 [ppp_generic]
[ 120.880011] [<
ffffffff8113b367>] do_vfs_ioctl+0x4ea/0x532
[ 120.880011] [<
ffffffff8113b3fd>] SyS_ioctl+0x4e/0x7d
[ 120.880011] [<
ffffffff813ad7d7>] entry_SYSCALL_64_fastpath+0x12/0x6f
[ 120.880011]
[ 120.880011] -> #0 (&pn->all_ppp_mutex){+.+.+.}:
[ 120.880011] [<
ffffffff8107334e>] __lock_acquire+0xb07/0xe76
[ 120.880011] [<
ffffffff81073a6f>] lock_acquire+0xcf/0x10e
[ 120.880011] [<
ffffffff813ab18a>] mutex_lock_nested+0x56/0x341
[ 120.880011] [<
ffffffffa0145f56>] ppp_dev_uninit+0x64/0xb0 [ppp_generic]
[ 120.880011] [<
ffffffff812d5263>] rollback_registered_many+0x19e/0x252
[ 120.880011] [<
ffffffff812d5381>] rollback_registered+0x29/0x38
[ 120.880011] [<
ffffffff812d53fa>] unregister_netdevice_queue+0x6a/0x77
[ 120.880011] [<
ffffffffa0146a94>] ppp_release+0x42/0x79 [ppp_generic]
[ 120.880011] [<
ffffffff8112d9f6>] __fput+0xec/0x192
[ 120.880011] [<
ffffffff8112dacc>] ____fput+0x9/0xb
[ 120.880011] [<
ffffffff8105447a>] task_work_run+0x66/0x80
[ 120.880011] [<
ffffffff81001801>] prepare_exit_to_usermode+0x8c/0xa7
[ 120.880011] [<
ffffffff81001900>] syscall_return_slowpath+0xe4/0x104
[ 120.880011] [<
ffffffff813ad931>] int_ret_from_sys_call+0x25/0x9f
[ 120.880011]
[ 120.880011] other info that might help us debug this:
[ 120.880011]
[ 120.880011] Possible unsafe locking scenario:
[ 120.880011]
[ 120.880011] CPU0 CPU1
[ 120.880011] ---- ----
[ 120.880011] lock(rtnl_mutex);
[ 120.880011] lock(&pn->all_ppp_mutex);
[ 120.880011] lock(rtnl_mutex);
[ 120.880011] lock(&pn->all_ppp_mutex);
[ 120.880011]
[ 120.880011] *** DEADLOCK ***
Fixes: 8cb775bc0a34 ("ppp: fix device unregistration upon netns deletion")
Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sudip Mukherjee [Thu, 24 Sep 2015 10:16:53 +0000 (15:46 +0530)]
net: via/Kconfig: GENERIC_PCI_IOMAP required if PCI not selected
The builds of allmodconfig of avr32 is failing with:
drivers/net/ethernet/via/via-rhine.c:1098:2: error: implicit declaration
of function 'pci_iomap' [-Werror=implicit-function-declaration]
drivers/net/ethernet/via/via-rhine.c:1119:2: error: implicit declaration
of function 'pci_iounmap' [-Werror=implicit-function-declaration]
The generic empty pci_iomap and pci_iounmap is used only if CONFIG_PCI
is not defined and CONFIG_GENERIC_PCI_IOMAP is defined.
Add GENERIC_PCI_IOMAP in the dependency list for VIA_RHINE as we are
getting build failure when CONFIG_PCI and CONFIG_GENERIC_PCI_IOMAP both
are not defined.
Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Wed, 23 Sep 2015 23:07:17 +0000 (00:07 +0100)]
phy: marvell: add link partner advertised modes
Read the standard link partner advertisment registers and store it in
phydev->lp_advertising, so ethtool can report this information to
userspace via ethtool. Zero it as per genphy if autonegotiation is
disabled. Tested with a Marvell
88E1512 PHY.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 25 Sep 2015 19:08:41 +0000 (12:08 -0700)]
Merge branch 'for-linus-4.3' of git://git./linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
"This is an assorted set I've been queuing up:
Jeff Mahoney tracked down a tricky one where we ended up starting IO
on the wrong mapping for special files in btrfs_evict_inode. A few
people reported this one on the list.
Filipe found (and provided a test for) a difficult bug in reading
compressed extents, and Josef fixed up some quota record keeping with
snapshot deletion. Chandan killed off an accounting bug during DIO
that lead to WARN_ONs as we freed inodes"
* 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
Btrfs: keep dropped roots in cache until transaction commit
Btrfs: Direct I/O: Fix space accounting
btrfs: skip waiting on ordered range for special files
Btrfs: fix read corruption of compressed and shared extents
Btrfs: remove unnecessary locking of cleaner_mutex to avoid deadlock
Btrfs: don't initialize a space info as full to prevent ENOSPC
Linus Torvalds [Fri, 25 Sep 2015 18:33:52 +0000 (11:33 -0700)]
Merge tag 'nfs-for-4.3-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
Pull NFS client bugfixes from Trond Myklebust:
"Highlights include:
Stable patches:
- fix v4.2 SEEK on files over 2 gigs
- Fix a layout segment reference leak when pNFS I/O falls back to inband I/O.
- Fix recovery of recalled read delegations
Bugfixes:
- Fix a case where NFSv4 fails to send CLOSE after a server reboot
- Fix sunrpc to wait for connections to complete before retrying
- Fix sunrpc races between transport connect/disconnect and shutdown
- Fix an infinite loop when layoutget fail with BAD_STATEID
- nfs/filelayout: Fix NULL reference caused by double freeing of fh_array
- Fix a bogus WARN_ON_ONCE() in O_DIRECT when layout commit_through_mds is set
- Fix layoutreturn/close ordering issues"
* tag 'nfs-for-4.3-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFS41: make close wait for layoutreturn
NFS: Skip checking ds_cinfo.buckets when lseg's commit_through_mds is set
NFSv4.x/pnfs: Don't try to recover stateids twice in layoutget
NFSv4: Recovery of recalled read delegations is broken
NFS: Fix an infinite loop when layoutget fail with BAD_STATEID
NFS: Do cleanup before resetting pageio read/write to mds
SUNRPC: xs_sock_mark_closed() does not need to trigger socket autoclose
SUNRPC: Lock the transport layer on shutdown
nfs/filelayout: Fix NULL reference caused by double freeing of fh_array
SUNRPC: Ensure that we wait for connections to complete before retrying
SUNRPC: drop null test before destroy functions
nfs: fix v4.2 SEEK on files over 2 gigs
SUNRPC: Fix races between socket connection and destroy code
nfs: fix pg_test page count calculation
Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount
Linus Torvalds [Fri, 25 Sep 2015 18:25:30 +0000 (11:25 -0700)]
Merge tag 'sound-4.3-rc3' of git://git./linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This ended up with a larger set of fixes than wished, unfortunately.
As diffstat shows, the majority of changes are for various ASoC
drivers (Realtek, Wolfson codec drivers, etc), in addition to a couple
of HD-audio regression fixes. All these are reasonably small and
nothing to scare much"
* tag 'sound-4.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (29 commits)
ALSA: hda - Disable power_save_node for Thinkpads
ALSA: hda/tegra - async probe for avoiding module loading deadlock
ASoC: rt5645: Prevent the pop sound in case of playback and the jack is plugging
ASoC: rt5645: Increase the delay time to remove the pop sound
ASoC: rt5645: Use the type SOC_DAPM_SINGLE_AUTODISABLE to prevent the weird sound in runtime of power up
ASoC: pxa: pxa2xx-ac97: fix dma requestor lines
MAINTAINERS: Update website and git repo for Wolfson Microelectronics
ASoC: fsl_ssi: Fix checking of dai format for AC97 mode
ASoC: wm0010: fix error path
ASoC: wm0010: fix memory leak
ASoC: wm8960: correct the max register value of mic boost pga
ASoC: wm8962: remove 64k sample rate support
ASoC: davinci-mcasp: Fix devm_kasprintf format string
ASoC: fix broken pxa SoC support
ASoC: davinci-mcasp: Set .symmetric_rates = 1 in snd_soc_dai_driver
ASoC: au1x: psc-i2s: Fix unused variable 'ret' warning
ASoC: SPEAr: Make SND_SPEAR_SOC select SND_SOC_GENERIC_DMAENGINE_PCM
ASoC: mediatek: Increase periods_min in capture
ASoC: davinci-mcasp: Revise the FIFO threshold calculation
ASoC: wm8960: correct gain value for input PGA and add microphone PGA
...
Linus Torvalds [Fri, 25 Sep 2015 18:16:53 +0000 (11:16 -0700)]
Merge tag 'pci-v4.3-fixes-1' of git://git./linux/kernel/git/helgaas/pci
Pull PCI fixes from Bjorn Helgaas:
"These are fixes for things we merged for v4.3 (VPD, MSI, and bridge
window management), and a new Renesas R8A7794 SoC device ID.
Details:
Resource management:
- Revert pci_read_bridge_bases() unification (Bjorn Helgaas)
- Clear IORESOURCE_UNSET when clipping a bridge window (Bjorn
Helgaas)
MSI:
- Fix MSI IRQ domains for VFs on virtual buses (Alex Williamson)
Renesas R-Car host bridge driver:
- Add R8A7794 support (Sergei Shtylyov)
Miscellaneous:
- Fix devfn for VPD access through function 0 (Alex Williamson)
- Use function 0 VPD only for identical functions (Alex Williamson)"
* tag 'pci-v4.3-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: rcar: Add R8A7794 support
PCI: Use function 0 VPD for identical functions, regular VPD for others
PCI: Fix devfn for VPD access through function 0
PCI/MSI: Fix MSI IRQ domains for VFs on virtual buses
PCI: Clear IORESOURCE_UNSET when clipping a bridge window
PCI: Revert "PCI: Call pci_read_bridge_bases() from core instead of arch code"
Linus Torvalds [Fri, 25 Sep 2015 17:51:40 +0000 (10:51 -0700)]
Merge tag 'for-linus' of git://git./virt/kvm/kvm
Pull KVM fixes from Paolo Bonzini:
"AMD fixes for bugs introduced in the 4.2 merge window, and a few PPC
bug fixes too"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: disable halt_poll_ns as default for s390x
KVM: x86: fix off-by-one in reserved bits check
KVM: x86: use correct page table format to check nested page table reserved bits
KVM: svm: do not call kvm_set_cr0 from init_vmcb
KVM: x86: trap AMD MSRs for the TSeg base and mask
KVM: PPC: Book3S: Take the kvm->srcu lock in kvmppc_h_logical_ci_load/store()
KVM: PPC: Book3S HV: Pass the correct trap argument to kvmhv_commence_exit
KVM: PPC: Book3S HV: Fix handling of interrupted VCPUs
kvm: svm: reset mmu on VCPU reset
Linus Torvalds [Fri, 25 Sep 2015 17:11:26 +0000 (10:11 -0700)]
Merge tag 'powerpc-4.3-3' of git://git./linux/kernel/git/powerpc/linux
Pull powerpc fixes from Michael Ellerman:
- Wire up sys_membarrier()
- cxl: Fix lockdep warning while creating afu_err_buff from Vaibhav
* tag 'powerpc-4.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
cxl: Fix lockdep warning while creating afu_err_buff attribute
powerpc: Wire up sys_membarrier()
David Hildenbrand [Fri, 18 Sep 2015 10:34:53 +0000 (12:34 +0200)]
KVM: disable halt_poll_ns as default for s390x
We observed some performance degradation on s390x with dynamic
halt polling. Until we can provide a proper fix, let's enable
halt_poll_ns as default only for supported architectures.
Architectures are now free to set their own halt_poll_ns
default value.
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Tue, 22 Sep 2015 08:15:59 +0000 (10:15 +0200)]
KVM: x86: fix off-by-one in reserved bits check
29ecd6601904 ("KVM: x86: avoid uninitialized variable warning",
2015-09-06) introduced a not-so-subtle problem, which probably
escaped review because it was not part of the patch context.
Before the patch, leaf was always equal to iterator.level. After,
it is equal to iterator.level - 1 in the call to is_shadow_zero_bits_set,
and when is_shadow_zero_bits_set does another "-1" the check on
reserved bits becomes incorrect. Using "iterator.level" in the call
fixes this call trace:
WARNING: CPU: 2 PID: 17000 at arch/x86/kvm/mmu.c:3385 handle_mmio_page_fault.part.93+0x1a/0x20 [kvm]()
Modules linked in: tun sha256_ssse3 sha256_generic drbg binfmt_misc ipv6 vfat fat fuse dm_crypt dm_mod kvm_amd kvm crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd fam15h_power amd64_edac_mod k10temp edac_core amdkfd amd_iommu_v2 radeon acpi_cpufreq
[...]
Call Trace:
dump_stack+0x4e/0x84
warn_slowpath_common+0x95/0xe0
warn_slowpath_null+0x1a/0x20
handle_mmio_page_fault.part.93+0x1a/0x20 [kvm]
tdp_page_fault+0x231/0x290 [kvm]
? emulator_pio_in_out+0x6e/0xf0 [kvm]
kvm_mmu_page_fault+0x36/0x240 [kvm]
? svm_set_cr0+0x95/0xc0 [kvm_amd]
pf_interception+0xde/0x1d0 [kvm_amd]
handle_exit+0x181/0xa70 [kvm_amd]
? kvm_arch_vcpu_ioctl_run+0x68b/0x1730 [kvm]
kvm_arch_vcpu_ioctl_run+0x6f6/0x1730 [kvm]
? kvm_arch_vcpu_ioctl_run+0x68b/0x1730 [kvm]
? preempt_count_sub+0x9b/0xf0
? mutex_lock_killable_nested+0x26f/0x490
? preempt_count_sub+0x9b/0xf0
kvm_vcpu_ioctl+0x358/0x710 [kvm]
? __fget+0x5/0x210
? __fget+0x101/0x210
do_vfs_ioctl+0x2f4/0x560
? __fget_light+0x29/0x90
SyS_ioctl+0x4c/0x90
entry_SYSCALL_64_fastpath+0x16/0x73
---[ end trace
37901c8686d84de6 ]---
Reported-by: Borislav Petkov <bp@alien8.de>
Tested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Tue, 22 Sep 2015 21:02:14 +0000 (23:02 +0200)]
KVM: x86: use correct page table format to check nested page table reserved bits
Intel CPUID on AMD host or vice versa is a weird case, but it can
happen. Handle it by checking the host CPU vendor instead of the
guest's in reset_tdp_shadow_zero_bits_mask. For speed, the
check uses the fact that Intel EPT has an X (executable) bit while
AMD NPT has NX.
Reported-by: Borislav Petkov <bp@alien8.de>
Tested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Mon, 21 Sep 2015 05:46:55 +0000 (07:46 +0200)]
KVM: svm: do not call kvm_set_cr0 from init_vmcb
kvm_set_cr0 may want to call kvm_zap_gfn_range and thus access the
memslots array (SRCU protected). Using a mini SRCU critical section
is ugly, and adding it to kvm_arch_vcpu_create doesn't work because
the VMX vcpu_create callback calls synchronize_srcu.
Fixes this lockdep splat:
===============================
[ INFO: suspicious RCU usage. ]
4.3.0-rc1+ #1 Not tainted
-------------------------------
include/linux/kvm_host.h:488 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
1 lock held by qemu-system-i38/17000:
#0: (&(&kvm->mmu_lock)->rlock){+.+...}, at: kvm_zap_gfn_range+0x24/0x1a0 [kvm]
[...]
Call Trace:
dump_stack+0x4e/0x84
lockdep_rcu_suspicious+0xfd/0x130
kvm_zap_gfn_range+0x188/0x1a0 [kvm]
kvm_set_cr0+0xde/0x1e0 [kvm]
init_vmcb+0x760/0xad0 [kvm_amd]
svm_create_vcpu+0x197/0x250 [kvm_amd]
kvm_arch_vcpu_create+0x47/0x70 [kvm]
kvm_vm_ioctl+0x302/0x7e0 [kvm]
? __lock_is_held+0x51/0x70
? __fget+0x101/0x210
do_vfs_ioctl+0x2f4/0x560
? __fget_light+0x29/0x90
SyS_ioctl+0x4c/0x90
entry_SYSCALL_64_fastpath+0x16/0x73
Reported-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
David S. Miller [Fri, 25 Sep 2015 06:04:53 +0000 (23:04 -0700)]
Merge branch 'phy-mdio-refcnt'
Russell King says:
====================
Phy, mdiobus, and netdev struct device fixes
The third version of this series fixes the build error which David
identified, and drops the broken changes for the Cavium Thunger BGX
ethernet driver as this driver requires some complex changes to
resolve the leakage - and this is best done by people who can test
the driver.
Compared to v2, the only patch which has changed is patch 6
"net: fix phy refcounting in a bunch of drivers"
I _think_ I've been able to build-test all the drivers touched by
that patch to some degree now, though several of them needed the
Kconfig hacked to allow it (not all had || COMPILE_TEST clause on
their dependencies.)
Previous cover letters below:
This is the second version of the series, with the comments David had
on the first patch fixed up. Original series description with updated
diffstat below.
While looking at the DSA code, I noticed we have a
of_find_net_device_by_node(), and it looks like users of that are
similarly buggy - it looks like net/dsa/dsa.c is the only user. Fix
that too.
Hi,
While looking at the phy code, I identified a number of weaknesses
where refcounting on device structures was being leaked, where
modules could be removed while in-use, and where the fixed-phy could
end up having unintended consequences caused by incorrect calls to
fixed_phy_update_state().
This patch series resolves those issues, some of which were discovered
with testing on an Armada 388 board. Not all patches are fully tested,
particularly the one which touches several network drivers.
When resolving the struct device refcounting problems, several different
solutions were considered before settling on the implementation here -
one of the considerations was to avoid touching many network drivers.
The solution here is:
phy_attach*() - takes a refcount
phy_detach*() - drops the phy_attach refcount
Provided drivers always attach and detach their phys, which they should
already be doing, this should change nothing, even if they leak a refcount.
of_phy_find_device() and of_* functions which use that take
a refcount. Arrange for this refcount to be dropped once
the phy is attached.
This is the reason why the previous change is important - we can't drop
this refcount taken by of_phy_find_device() until something else holds
a reference on the device. This resolves the leaked refcount caused by
using of_phy_connect() or of_phy_attach().
Even without the above changes, these drivers are leaking by calling
of_phy_find_device(). These drivers are addressed by adding the
appropriate release of that refcount.
The mdiobus code also suffered from the same kind of leak, but thankfully
this only happened in one place - the mdio-mux code.
I also found that the try_module_get() in the phy layer code was utterly
useless: phydev->dev.driver was guaranteed to always be NULL, so
try_module_get() was always being called with a NULL argument. I proved
this with my SFP code, which declares its own MDIO bus - the module use
count was never incremented irrespective of how I set the MDIO bus up.
This allowed the MDIO bus code to be removed from the kernel while there
were still PHYs attached to it.
One other bug was discovered: while using in-band-status with mvneta, it
was found that if a real phy is attached with in-band-status enabled,
and another ethernet interface is using the fixed-phy infrastructure, the
interface using the fixed-phy infrastructure is configured according to
the other interface using the in-band-status - which is caused by the
fixed-phy code not verifying that the phy_device passed in is actually
a fixed-phy device, rather than a real MDIO phy.
Lastly, having mdio_bus reversing phy_device_register() internals seems
like a layering violation - it's trivial to move that code to the phy
device layer.
====================
Tested-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:36:33 +0000 (20:36 +0100)]
net: fix net_device refcounting
of_find_net_device_by_node() uses class_find_device() internally to
lookup the corresponding network device. class_find_device() returns
a reference to the embedded struct device, with its refcount
incremented.
Add a comment to the definition in net/core/net-sysfs.c indicating the
need to drop this refcount, and fix the DSA code to drop this refcount
when the OF-generated platform data is cleaned up and freed. Also
arrange for the ref to be dropped when handling errors.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:36:28 +0000 (20:36 +0100)]
phy: add phy_device_remove()
Add a phy_device_remove() function to complement phy_device_register(),
which undoes the effects of phy_device_register() by removing the phy
device from visibility, but not freeing it.
This allows these details to be moved out of the mdio bus code into
the phy code where this action belongs.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:36:23 +0000 (20:36 +0100)]
phy: fixed-phy: properly validate phy in fixed_phy_update_state()
Validate that the phy_device passed into fixed_phy_update_state() is a
fixed-phy device before walking the list of phys for a fixed phy at the
same address.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:36:18 +0000 (20:36 +0100)]
net: fix phy refcounting in a bunch of drivers
of_phy_find_device() increments the phy struct device refcount, which
we need to properly balance. Add code to network drivers using this
function to ensure that the struct device refcount is correctly
balanced.
For xgene, looking back in the history, we should be able to use
of_phy_connect() with a zero flags argument for the DT case as this is
how the driver used to operate prior to
de7b5b3d790a ("net: eth: xgene:
change APM X-Gene SoC platform ethernet to support ACPI").
This leaves the Cavium Thunder BGX unfixed; fixing this driver is a
complicated task, one which the maintainers need to be involved with.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:36:13 +0000 (20:36 +0100)]
of_mdio: fix MDIO phy device refcounting
bus_find_device() is defined as:
* This is similar to the bus_for_each_dev() function above, but it
* returns a reference to a device that is 'found' for later use, as
* determined by the @match callback.
and it does indeed return a reference-counted pointer to the device:
while ((dev = next_device(&i)))
if (match(dev, data) && get_device(dev))
^^^^^^^^^^^^^^^
break;
klist_iter_exit(&i);
return dev;
What that means is that when we're done with the struct device, we must
drop that reference. Neither of_phy_connect() nor of_phy_attach() did
this when phy_connect_direct() or phy_attach_direct() failed.
With our previous patch, phy_connect_direct() and phy_attach_direct()
take a new refcount on the phy device when successful, so we can drop
our local reference immediatley after these functions, whether or not
they succeeded.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:36:08 +0000 (20:36 +0100)]
phy: add proper phy struct device refcounting
Take a refcount on the phy struct device when the phy device is attached
to a network device, and drop it after it's detached. This ensures that
a refcount is held on the phy device while the device is being used by
a network device, thereby preventing the phy_device from being
unexpectedly kfree()'d by phy_device_release().
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:36:02 +0000 (20:36 +0100)]
phy: fix mdiobus module safety
Re-implement the mdiobus module refcounting to ensure that we actually
ensure that the mdiobus module code does not go away while we might call
into it.
The old scheme using bus->dev.driver was buggy, because bus->dev is a
class device which never has a struct device_driver associated with it,
and hence the associated code trying to obtain a refcount did nothing
useful.
Instead, take the approach that other subsystems do: pass the module
when calling mdiobus_register(), and record that in the mii_bus struct.
When we need to increment the module use count in the phy code, use
this stored pointer. When the phy is deteched, drop the module
refcount, remembering that the phy device might go away at that point.
This doesn't stop the mii_bus going away while there are in-use phys -
it merely stops the underlying code vanishing.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:35:57 +0000 (20:35 +0100)]
net: dsa: fix of_mdio_find_bus() device refcount leak
Current users of of_mdio_find_bus() leak a struct device refcount, as
they fail to clean up the reference obtained inside class_find_device().
Fix the DSA code to properly refcount the returned MDIO bus by:
1. taking a reference on the struct device whenever we assign it to
pd->chip[x].host_dev.
2. dropping the reference when we overwrite the existing reference.
3. dropping the reference when we free the data structure.
4. dropping the initial reference we obtained after setting up the
platform data structure, or on failure.
In step 2 above, where we obtain a new MDIO bus, there is no need to
take a reference on it as we would only have to drop it immediately
after assignment again, iow:
put_device(cd->host_dev); /* drop original assignment ref */
cd->host_dev = get_device(&mdio_bus_switch->dev); /* get our ref */
put_device(&mdio_bus_switch->dev); /* drop of_mdio_find_bus ref */
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Thu, 24 Sep 2015 19:35:52 +0000 (20:35 +0100)]
phy: fix of_mdio_find_bus() device refcount leak
of_mdio_find_bus() leaks a struct device refcount, caused by using
class_find_device() and not realising that the device reference has
its refcount incremented:
* Note, you will need to drop the reference with put_device() after use.
...
while ((dev = class_dev_iter_next(&iter))) {
if (match(dev, data)) {
get_device(dev);
break;
}
Update the comment, and arrange for the phy code to drop this refcount
when disposing of a reference to it.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 25 Sep 2015 03:14:26 +0000 (20:14 -0700)]
Merge branch 'next' of git://git./linux/kernel/git/rzhang/linux
Pull thermal management fixes from Zhang Rui:
- Power allocator governor changes to allow binding on thermal zones
with missing power estimates information. From Javi Merino.
- Add compile test flags on thermal drivers that allow it without
producing compilation errors. From Eduardo Valentin.
- Fixes around memory allocation on cpu_cooling. From Javi Merino.
- Fix on db8500 cpufreq code to allow autoload. From Luis de
Bethencourt.
- Maintainer entries for cpu cooling device
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
thermal: power_allocator: exit early if there are no cooling devices
thermal: power_allocator: don't require tzp to be present for the thermal zone
thermal: power_allocator: relax the requirement of two passive trip points
thermal: power_allocator: relax the requirement of a sustainable_power in tzp
thermal: Add a function to get the minimum power
thermal: cpu_cooling: free power table on error or when unregistering
thermal: cpu_cooling: don't call kcalloc() under rcu_read_lock
thermal: db8500_cpufreq_cooling: Fix module autoload for OF platform driver
thermal: cpu_cooling: Add MAINTAINERS entry
thermal: ti-soc: Kconfig fix to avoid menu showing wrongly
thermal: ti-soc: allow compile test
thermal: qcom_spmi: allow compile test
thermal: exynos: allow compile test
thermal: armada: allow compile test
thermal: dove: allow compile test
thermal: kirkwood: allow compile test
thermal: rockchip: allow compile test
thermal: spear: allow compile test
thermal: hisi: allow compile test
thermal: Fix thermal_zone_of_sensor_register to match documentation
Linus Torvalds [Fri, 25 Sep 2015 00:46:38 +0000 (17:46 -0700)]
Merge tag 'devicetree-fixes-for-4.3' of git://git./linux/kernel/git/robh/linux
Pull DeviceTree fixes from Rob Herring:
- Silence bogus warning for of_irq_parse_pci
- Fix typo in ARM idle-states binding doc and dts files
- Various minor binding documentation updates
* tag 'devicetree-fixes-for-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
Documentation: arm: Fix typo in the idle-states bindings examples
gpio: mention in DT binding doc that <name>-gpio is deprecated
of_pci_irq: Silence bogus "of_irq_parse_pci() failed ..." messages.
devicetree: bindings: Extend the bma180 bindings with bma250 info
of: thermal: Mark cooling-*-level properties optional
of: thermal: Fix inconsitency between cooling-*-state and cooling-*-level
Docs: dt: add #msi-cells to GICv3 ITS binding
of: add vendor prefix for Socionext Inc.
Matt Bennett [Thu, 24 Sep 2015 23:01:47 +0000 (11:01 +1200)]
ip6_tunnel: Reduce log level in ip6_tnl_err() to debug
Currently error log messages in ip6_tnl_err are printed at 'warn'
level. This is different to other tunnel types which don't print
any messages. These log messages don't provide any information that
couldn't be deduced with networking tools. Also it can be annoying
to have one end of the tunnel go down and have the logs fill with
pointless messages such as "Path to destination invalid or inactive!".
This patch reduces the log level of these messages to 'dbg' level to
bring the visible behaviour into line with other tunnel types.
Signed-off-by: Matt Bennett <matt.bennett@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lorenzo Pieralisi [Thu, 24 Sep 2015 14:53:56 +0000 (15:53 +0100)]
Documentation: arm: Fix typo in the idle-states bindings examples
The idle-states bindings mandate that the entry-method string
in the idle-states node must be "psci" for ARM v8 64-bit systems,
but the examples in the bindings report a wrong entry-method string.
Owing to this typo, some dts in the kernel wrongly defined the
entry-method property, since they likely cut and pasted the example
definition without paying attention to the bindings definitions.
This patch fixes the typo in the DT idle states bindings examples and
respective dts in the kernel so that the bindings and related dts
files are made compliant.
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Howard Chen <howard.chen@linaro.org>
Cc: Rob Herring <robh+dt@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Rob Herring <robh@kernel.org>
Javier Martinez Canillas [Mon, 21 Sep 2015 12:57:25 +0000 (14:57 +0200)]
gpio: mention in DT binding doc that <name>-gpio is deprecated
The gpiolib supports parsing DT properties of the form <name>-gpio but it
was only added for compatibility with older DT bindings that got it wrong
and should not be used in newer bindings.
The commit that added support for this was:
dd34c37aa3e8 ("gpio: of: Allow -gpio suffix for property names")
but didn't update the documentation to explain this so it's been a source
of confusion. So let's make this clear in the GPIO DT binding doc.
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Linus Torvalds [Thu, 24 Sep 2015 22:37:06 +0000 (15:37 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Most of the GPU drivers people were at XDC last week, so I didn't get
much to send, so I let it rollover until this week.
Also Alex was away for 3 weeks so amdgpu/radeon got a bit more stuff
than usual in one go.
I've been trying to figure out some 4.2 issues with i915 still (that
are fixed in 4.3, but bisecting ends up in a merge commit). Hopefully
next week I or i915 people can work that out"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (46 commits)
drm: Allow also control clients to check the drm version
drm/vmwgfx: Fix uninitialized return in vmw_kms_helper_dirty()
drm/vmwgfx: Fix uninitialized return in vmw_cotable_unbind()
drm/layerscape: fix handling fsl_dcu_drm_plane_index result
drm/mgag200: Fix driver_load error handling
drm/mgag200: Fix error handling paths in fbdev driver
drm/qxl: only report first monitor as connected if we have no state
drm/radeon: add quirk for MSI R7 370
drm/amdgpu: Sprinkle drm_modeset_lock_all to appease locking checks
drm/radeon: Sprinkle drm_modeset_lock_all to appease locking checks
drm/amdgpu: sync ce and me with SWITCH_BUFFER(2)
drm/amdgpu: integer overflow in amdgpu_mode_dumb_create()
drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()
drm/amdgpu: integer overflow in amdgpu_info_ioctl()
drm/amdgpu: unwind properly in amdgpu_cs_parser_init()
drm/amdgpu: Fix max_vblank_count value for current display engines
drm/amdgpu: use kmemdup rather than duplicating its implementation
drm/amdgpu: fix UVD suspend and resume for VI APU
drm/amdgpu: fix the UVD suspend sequence order
drm/amdgpu: make UVD handle checking more strict
...
David S. Miller [Thu, 24 Sep 2015 22:36:20 +0000 (15:36 -0700)]
Merge tag 'mac80211-for-davem-2015-09-22' of git://git./linux/kernel/git/jberg/mac80211
Johannes Berg says:
====================
Just two small fixes:
* VHT MCS mask array overrun, reported by Dan Carpenter
* reset CQM history to always get a notification, from Sara Sharon
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Bennett [Wed, 23 Sep 2015 04:58:31 +0000 (16:58 +1200)]
ip6_gre: Reduce log level in ip6gre_err() to debug
Currently error log messages in ip6gre_err are printed at 'warn'
level. This is different to most other tunnel types which don't
print any messages. These log messages don't provide any information
that couldn't be deduced with networking tools. Also it can be annoying
to have one end of the tunnel go down and have the logs fill with
pointless messages such as "Path to destination invalid or inactive!".
This patch reduces the log level of these messages to 'dbg' level to
bring the visible behaviour into line with other tunnel types.
Signed-off-by: Matt Bennett <matt.bennett@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wilson Kok [Wed, 23 Sep 2015 04:40:22 +0000 (21:40 -0700)]
fib_rules: fix fib rule dumps across multiple skbs
dump_rules returns skb length and not error.
But when family == AF_UNSPEC, the caller of dump_rules
assumes that it returns an error. Hence, when family == AF_UNSPEC,
we continue trying to dump on -EMSGSIZE errors resulting in
incorrect dump idx carried between skbs belonging to the same dump.
This results in fib rule dump always only dumping rules that fit
into the first skb.
This patch fixes dump_rules to return error so that we exit correctly
and idx is correctly maintained between skbs that are part of the
same dump.
Signed-off-by: Wilson Kok <wkok@cumulusnetworks.com>
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergei Shtylyov [Fri, 11 Sep 2015 23:06:09 +0000 (02:06 +0300)]
PCI: rcar: Add R8A7794 support
Add Renesas R8A7794 SoC support to the Renesas R-Car gen2 PCI driver.
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
Acked-by: Simon Horman <horms+renesas@verge.net.au>
Alex Williamson [Wed, 16 Sep 2015 04:24:46 +0000 (22:24 -0600)]
PCI: Use function 0 VPD for identical functions, regular VPD for others
932c435caba8 ("PCI: Add dev_flags bit to access VPD through function 0")
added PCI_DEV_FLAGS_VPD_REF_F0. Previously, we set the flag on every
non-zero function of quirked devices. If a function turned out to be
different from function 0, i.e., it had a different class, vendor ID, or
device ID, the flag remained set but we didn't make VPD accessible at all.
Flip this around so we only set PCI_DEV_FLAGS_VPD_REF_F0 for functions that
are identical to function 0, and allow regular VPD access for any other
functions.
[bhelgaas: changelog, stable tag]
Fixes: 932c435caba8 ("PCI: Add dev_flags bit to access VPD through function 0")
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
Acked-by: Myron Stowe <myron.stowe@redhat.com>
Acked-by: Mark Rustad <mark.d.rustad@intel.com>
CC: stable@vger.kernel.org
Alex Williamson [Tue, 15 Sep 2015 17:17:21 +0000 (11:17 -0600)]
PCI: Fix devfn for VPD access through function 0
Commit
932c435caba8 ("PCI: Add dev_flags bit to access VPD through function
0") passes PCI_SLOT(devfn) for the devfn parameter of pci_get_slot().
Generally this works because we're fairly well guaranteed that a PCIe
device is at slot address 0, but for the general case, including
conventional PCI, it's incorrect. We need to get the slot and then convert
it back into a devfn.
Fixes: 932c435caba8 ("PCI: Add dev_flags bit to access VPD through function 0")
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
Acked-by: Myron Stowe <myron.stowe@redhat.com>
Acked-by: Mark Rustad <mark.d.rustad@intel.com>
CC: stable@vger.kernel.org
Alex Williamson [Fri, 18 Sep 2015 21:08:54 +0000 (15:08 -0600)]
PCI/MSI: Fix MSI IRQ domains for VFs on virtual buses
SR-IOV creates a virtual bus where bus->self is NULL. When we add VFs and
scan for an MSI domain, pci_set_bus_msi_domain() dereferences bus->self,
which causes a kernel NULL pointer dereference oops.
Scan up to the parent bus until we find a real bridge where we can get the
MSI domain.
[bhelgaas: changelog]
Fixes: 44aa0c657e3e ("PCI/MSI: Add hooks to populate the msi_domain field")
Tested-by: Joerg Roedel <joro@8bytes.org>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Eric Dumazet [Wed, 23 Sep 2015 00:04:58 +0000 (17:04 -0700)]
bnx2x: byte swap rss_key to comply to Toeplitz specs
After a good amount of debugging, I found bnx2x was byte swaping
the 40 bytes of rss_key.
If we byte swap the key, then bnx2x generates hashes matching
MSDN specs as documented in (Verifying the RSS Hash Calculation)
https://msdn.microsoft.com/en-us/library/windows/hardware/
ff571021%
28v=vs.85%29.aspx
It is mostly a non issue, unless we want to mix different NIC
in a host, and want consistent hashing among all of them, ie
if they all use the boot time generated rss key, or if some application
is choosing specific tuple(s) so that incoming traffic lands into known
rx queue(s).
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Wed, 23 Sep 2015 00:01:11 +0000 (17:01 -0700)]
net: revert "net_sched: move tp->root allocation into fw_init()"
fw filter uses tp->root==NULL to check if it is the old method,
so it doesn't need allocation at all in this case. This patch
reverts the offending commit and adds some comments for old
method to make it obvious.
Fixes: 33f8b9ecdb15 ("net_sched: move tp->root allocation into fw_init()")
Reported-by: Akshat Kakkar <akshat.1984@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 24 Sep 2015 21:31:40 +0000 (14:31 -0700)]
Merge branch 'akpm' (patches from Andrew)
Merge misc fixes from Andrew Morton:
"15 fixes"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
ocfs2/dlm: fix deadlock when dispatch assert master
membarrier: clean up selftest
vmscan: fix sane_reclaim helper for legacy memcg
lib/iommu-common.c: do not try to deref a null iommu->lazy_flush() pointer when n < pool->hint
x86, efi, kasan: #undef memset/memcpy/memmove per arch
mm: migrate: hugetlb: putback destination hugepage to active list
mm, dax: VMA with vm_ops->pfn_mkwrite wants to be write-notified
userfaultfd: register uapi generic syscall (aarch64)
userfaultfd: selftest: don't error out if pthread_mutex_t isn't identical
userfaultfd: selftest: return an error if BOUNCE_VERIFY fails
userfaultfd: selftest: avoid my_bcmp false positives with powerpc
userfaultfd: selftest: only warn if __NR_userfaultfd is undefined
userfaultfd: selftest: headers fixup
userfaultfd: selftests: vm: pick up sanitized kernel headers
userfaultfd: revert "userfaultfd: waitqueue: add nr wake parameter to __wake_up_locked_key"
David S. Miller [Thu, 24 Sep 2015 21:31:37 +0000 (14:31 -0700)]
Merge branch 'lwt_arp'
Jiri Benc says:
====================
lwtunnel: make it really work, for IPv4
One of the selling points of lwtunnel was the ability to specify the tunnel
destination using routes. However, this doesn't really work currently, as
ARP and ndisc replies are not handled correctly. ARP and ndisc replies won't
have tunnel metadata attached, thus they will be sent out with the default
parameters or not sent at all, either way never reaching the requester.
Most of the egress tunnel parameters can be inferred from the ingress
metada. The only and important exception is UDP ports. This patchset infers
the egress data from the ingress data and disallow settings of UDP ports in
tunnel routes. If there's a need for different UDP ports, a new interface
needs to be created for each port combination. Note that it's still possible
to specify the UDP ports to use, it just needs to be done while creating the
vxlan/geneve interface.
This covers only ARPs. IPv6 ndisc has the same problem but is harder to
solve, as there's already dst attached to outgoing skbs. Ideas to solve this
are welcome.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Benc [Tue, 22 Sep 2015 16:12:12 +0000 (18:12 +0200)]
lwtunnel: remove source and destination UDP port config option
The UDP tunnel config is asymmetric wrt. to the ports used. The source and
destination ports from one direction of the tunnel are not related to the
ports of the other direction. We need to be able to respond to ARP requests
using the correct ports without involving routing.
As the consequence, UDP ports need to be fixed property of the tunnel
interface and cannot be set per route. Remove the ability to set ports per
route. This is still okay to do, as no kernel has been released with these
attributes yet.
Note that the ability to specify source and destination ports is preserved
for other users of the lwtunnel API which don't use routes for tunnel key
specification (like openvswitch).
If in the future we rework ARP handling to allow port specification, the
attributes can be added back.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Benc [Tue, 22 Sep 2015 16:12:11 +0000 (18:12 +0200)]
ipv4: send arp replies to the correct tunnel
When using ip lwtunnels, the additional data for xmit (basically, the actual
tunnel to use) are carried in ip_tunnel_info either in dst->lwtstate or in
metadata dst. When replying to ARP requests, we need to send the reply to
the same tunnel the request came from. This means we need to construct
proper metadata dst for ARP replies.
We could perform another route lookup to get a dst entry with the correct
lwtstate. However, this won't always ensure that the outgoing tunnel is the
same as the incoming one, and it won't work anyway for IPv4 duplicate
address detection.
The only thing to do is to "reverse" the ip_tunnel_info.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sudeep Holla [Mon, 21 Sep 2015 15:47:09 +0000 (16:47 +0100)]
net: gianfar: remove misuse of IRQF_NO_SUSPEND flag
The device is set as wakeup capable using proper wakeup API but the
driver misuses IRQF_NO_SUSPEND to set the interrupt as wakeup source
which is incorrect.
This patch removes the use of IRQF_NO_SUSPEND flags replacing it with
enable_irq_wake instead.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Claudiu Manoil <claudiu.manoil@freescale.com>
Cc: Kevin Hao <haokexin@gmail.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Acked-by: Claudiu Manoil <claudiu.manoil@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pravin B Shelar [Tue, 22 Sep 2015 19:57:53 +0000 (12:57 -0700)]
skbuff: Fix skb checksum flag on skb pull
VXLAN device can receive skb with checksum partial. But the checksum
offset could be in outer header which is pulled on receive. This results
in negative checksum offset for the skb. Such skb can cause the assert
failure in skb_checksum_help(). Following patch fixes the bug by setting
checksum-none while pulling outer header.
Following is the kernel panic msg from old kernel hitting the bug.
------------[ cut here ]------------
kernel BUG at net/core/dev.c:1906!
RIP: 0010:[<
ffffffff81518034>] skb_checksum_help+0x144/0x150
Call Trace:
<IRQ>
[<
ffffffffa0164c28>] queue_userspace_packet+0x408/0x470 [openvswitch]
[<
ffffffffa016614d>] ovs_dp_upcall+0x5d/0x60 [openvswitch]
[<
ffffffffa0166236>] ovs_dp_process_packet_with_key+0xe6/0x100 [openvswitch]
[<
ffffffffa016629b>] ovs_dp_process_received_packet+0x4b/0x80 [openvswitch]
[<
ffffffffa016c51a>] ovs_vport_receive+0x2a/0x30 [openvswitch]
[<
ffffffffa0171383>] vxlan_rcv+0x53/0x60 [openvswitch]
[<
ffffffffa01734cb>] vxlan_udp_encap_recv+0x8b/0xf0 [openvswitch]
[<
ffffffff8157addc>] udp_queue_rcv_skb+0x2dc/0x3b0
[<
ffffffff8157b56f>] __udp4_lib_rcv+0x1cf/0x6c0
[<
ffffffff8157ba7a>] udp_rcv+0x1a/0x20
[<
ffffffff8154fdbd>] ip_local_deliver_finish+0xdd/0x280
[<
ffffffff81550128>] ip_local_deliver+0x88/0x90
[<
ffffffff8154fa7d>] ip_rcv_finish+0x10d/0x370
[<
ffffffff81550365>] ip_rcv+0x235/0x300
[<
ffffffff8151ba1d>] __netif_receive_skb+0x55d/0x620
[<
ffffffff8151c360>] netif_receive_skb+0x80/0x90
[<
ffffffff81459935>] virtnet_poll+0x555/0x6f0
[<
ffffffff8151cd04>] net_rx_action+0x134/0x290
[<
ffffffff810683d8>] __do_softirq+0xa8/0x210
[<
ffffffff8162fe6c>] call_softirq+0x1c/0x30
[<
ffffffff810161a5>] do_softirq+0x65/0xa0
[<
ffffffff810687be>] irq_exit+0x8e/0xb0
[<
ffffffff81630733>] do_IRQ+0x63/0xe0
[<
ffffffff81625f2e>] common_interrupt+0x6e/0x6e
Reported-by: Anupam Chanda <achanda@vmware.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dave Airlie [Thu, 24 Sep 2015 20:52:37 +0000 (06:52 +1000)]
Merge tag 'drm-intel-fixes-2015-09-24' of git://anongit.freedesktop.org/drm-intel into drm-fixes
a few drm/i915 fixes, including a fix to the recent regression
reported by Sedat Dilek
* tag 'drm-intel-fixes-2015-09-24' of git://anongit.freedesktop.org/drm-intel:
drm/i915/bios: handle MIPI Sequence Block v3+ gracefully
drm/i915: Add primary plane to mask if it's visible
drm/i915: workaround bad DSL readout v3
drm/i915: fix kernel-doc warnings in intel_audio.c
Tejun Heo [Wed, 23 Sep 2015 21:07:29 +0000 (17:07 -0400)]
cgroup, writeback: don't enable cgroup writeback on traditional hierarchies
inode_cgwb_enabled() gates cgroup writeback support. If it returns
true, each inode is attached to the corresponding memory domain which
gets mapped to io domain. It currently only tests whether the
filesystem and bdi support cgroup writeback; however, cgroup writeback
support doesn't work on traditional hierarchies and thus it should
also test whether memcg and iocg are on the default hierarchy.
This caused traditional hierarchy setups to hit the cgroup writeback
path inadvertently and ended up creating separate writeback domains
for each memcg and mapping them all to the root iocg uncovering a
couple issues in the cgroup writeback path.
cgroup writeback was never meant to be enabled on traditional
hierarchies. Make inode_cgwb_enabled() test whether both memcg and
iocg are on the default hierarchy.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Artem Bityutskiy <dedekind1@gmail.com>
Reported-by: Dexuan Cui <decui@microsoft.com>
Link: http://lkml.kernel.org/g/1443012552.19983.209.camel@gmail.com
Link: http://lkml.kernel.org/g/f30d4a6aa8a546ff88f73021d026a453@SIXPR30MB031.064d.mgd.msft.net
Herbert Xu [Tue, 22 Sep 2015 03:38:56 +0000 (11:38 +0800)]
netlink: Replace rhash_portid with bound
On Mon, Sep 21, 2015 at 02:20:22PM -0400, Tejun Heo wrote:
>
> store_release and load_acquire are different from the usual memory
> barriers and can't be paired this way. You have to pair store_release
> and load_acquire. Besides, it isn't a particularly good idea to
OK I've decided to drop the acquire/release helpers as they don't
help us at all and simply pessimises the code by using full memory
barriers (on some architectures) where only a write or read barrier
is needed.
> depend on memory barriers embedded in other data structures like the
> above. Here, especially, rhashtable_insert() would have write barrier
> *before* the entry is hashed not necessarily *after*, which means that
> in the above case, a socket which appears to have set bound to a
> reader might not visible when the reader tries to look up the socket
> on the hashtable.
But you are right we do need an explicit write barrier here to
ensure that the hashing is visible.
> There's no reason to be overly smart here. This isn't a crazy hot
> path, write barriers tend to be very cheap, store_release more so.
> Please just do smp_store_release() and note what it's paired with.
It's not about being overly smart. It's about actually understanding
what's going on with the code. I've seen too many instances of
people simply sprinkling synchronisation primitives around without
any knowledge of what is happening underneath, which is just a recipe
for creating hard-to-debug races.
> > @@ -1539,7 +1546,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
> > }
> > }
> >
> > - if (!nlk->portid) {
> > + if (!nlk->bound) {
>
> I don't think you can skip load_acquire here just because this is the
> second deref of the variable. That doesn't change anything. Race
> condition could still happen between the first and second tests and
> skipping the second would lead to the same kind of bug.
The reason this one is OK is because we do not use nlk->portid or
try to get nlk from the hash table before we return to user-space.
However, there is a real bug here that none of these acquire/release
helpers discovered. The two bound tests here used to be a single
one. Now that they are separate it is entirely possible for another
thread to come in the middle and bind the socket. So we need to
repeat the portid check in order to maintain consistency.
> > @@ -1587,7 +1594,7 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
> > !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
> > return -EPERM;
> >
> > - if (!nlk->portid)
> > + if (!nlk->bound)
>
> Don't we need load_acquire here too? Is this path holding a lock
> which makes that unnecessary?
Ditto.
---8<---
The commit
1f770c0a09da855a2b51af6d19de97fb955eca85 ("netlink:
Fix autobind race condition that leads to zero port ID") created
some new races that can occur due to inconcsistencies between the
two port IDs.
Tejun is right that a barrier is unavoidable. Therefore I am
reverting to the original patch that used a boolean to indicate
that a user netlink socket has been bound.
Barriers have been added where necessary to ensure that a valid
portid and the hashed socket is visible.
I have also changed netlink_insert to only return EBUSY if the
socket is bound to a portid different to the requested one. This
combined with only reading nlk->bound once in netlink_bind fixes
a race where two threads that bind the socket at the same time
with different port IDs may both succeed.
Fixes: 1f770c0a09da ("netlink: Fix autobind race condition that leads to zero port ID")
Reported-by: Tejun Heo <tj@kernel.org>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Nacked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Takashi Iwai [Thu, 24 Sep 2015 15:36:51 +0000 (17:36 +0200)]
ALSA: hda - Disable power_save_node for Thinkpads
Lenovo Thinkpads with recent Realtek codecs seem suffering from click
noises at power transition since the introduction of widget power
saving in 4.1 kernel. Although this might be solved by some delays in
appropriate points, as a quick workaround, just disable the
power_save_node feature for now. The gain it gives is relatively
small, and this makes the situation back to pre 4.1 time.
This patch ended up with a bit more code changes than usual because
the existing fixup for Thinkpads is highly chained. Instead of adding
yet another chain, combine a few of them into a single fixup entry, as
a gratis cleanup.
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=943982
Cc: <stable@vger.kernel.org> # v4.1+
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Takashi Iwai [Thu, 24 Sep 2015 18:48:01 +0000 (20:48 +0200)]
Merge tag 'asoc-fix-v4.3-rc2' of git://git./linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v4.3
A disappointingly large set of fixes, though none of them very big and
very widely spread over many different drivers. Nothing especially
stands out, it's mostly all device specific and relatively minor.
Linus Torvalds [Thu, 24 Sep 2015 18:40:58 +0000 (11:40 -0700)]
Merge tag 'spi-fix-v4.3-rc2' of git://git./linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A disappointingly large collection of fixes for SPI issues, though
almost all in drivers (and there mainly the newly added Mediatek
driver) and the core fixes are documentation and error handling.
The driver fixes are all of the usual 'important if you see them'
variety"
* tag 'spi-fix-v4.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: xtensa-xtfpga: fix register endianness
spi: meson: Fix module autoload for OF platform driver
spi: mediatek: fix wrong error return value on probe
spi: fix kernel-doc warnings in spi.h
spi: spidev: fix possible NULL dereference
spi: atmel: remove warning when !CONFIG_PM_SLEEP
spi: bcm2835: BUG: fix wrong use of PAGE_MASK
spi: mediatek: fix spi cs polarity error
spi: Fix documentation of spi_alloc_master()
spi: spi-pxa2xx: Check status register to determine if SSSR_TINT is disabled
spi: Mediatek: Document devicetree bindings update for spi bus
spi: mediatek: fix spi clock usage error
spi: mediatek: remove clk_disable_unprepare()
Linus Torvalds [Thu, 24 Sep 2015 18:10:03 +0000 (11:10 -0700)]
Merge tag 'regulator-fix-v4.3-rc2' of git://git./linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"A collection of fixes that came in since I tagged the merge window
pull request for v4.3:
- Error handling fixes in the core
- Fixes to a couple of TI drivers for device specific issues
- Several fixes for module autoloading"
* tag 'regulator-fix-v4.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: vexpress: Fix module autoload for OF platform driver
regulator: gpio: Fix module autoload for OF platform driver
regulator: anatop: Fix module autoload for OF platform driver
regulator: core: Correct return value check in regulator_resolve_supply
regulator: tps65218: Fix missing zero typo
regulator: pbias: program pbias register offset in pbias driver
regulator: core: fix possible NULL dereference
Linus Torvalds [Thu, 24 Sep 2015 18:04:22 +0000 (11:04 -0700)]
Merge tag 'dm-4.3-fixes' of git://git./linux/kernel/git/device-mapper/linux-dm
Pull device mapper fixes from Mike Snitzer:
"Two stable@ fixes:
- DM thinp fix to properly advertise discard support as disabled for
thin devices backed by a thin-pool with discard support disabled.
- DM crypt fix to prevent the creation of bios that violate the
underlying block device's max_segments limits. This fixes a
relatively long-standing NCQ SSD corruption issue reported against
dm-crypt ever since the dm-crypt cpu parallelization patches were
merged back in 4.0"
* tag 'dm-4.3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
dm crypt: constrain crypt device's max_segment_size to PAGE_SIZE
dm thin: disable discard support for thin devices if pool's is disabled
Takashi Iwai [Thu, 24 Sep 2015 09:00:18 +0000 (11:00 +0200)]
ALSA: hda/tegra - async probe for avoiding module loading deadlock
The Tegra HD-audio controller driver causes deadlocks when loaded as a
module since the driver invokes request_module() at binding with the
codec driver. This patch works around it by deferring the probe in a
work like Intel HD-audio controller driver does. Although hovering
the codec probe stuff into udev would be a better solution, it may
cause other regressions, so let's try this band-aid fix until the more
proper solution gets landed.
Reported-by: Thierry Reding <treding@nvidia.com>
Tested-by: Thierry Reding <treding@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Dave Airlie [Thu, 24 Sep 2015 08:36:04 +0000 (18:36 +1000)]
Merge tag 'vmwgfx-fixes-4.3-150924' of git://people.freedesktop.org/~thomash/linux into drm-fixes
Pull request of 2015-09-24
Vmwgfx fixes for 4.3:
- A couple of uninitialized variable fixes by Christian Engelmayer
- A TTM fix for a bug that causes problems with the new vmwgfx device init
- A vmwgfx refcounting fix
- A vmwgfx iomem caching fix
- A DRM change to allow also control clients to read the drm driver version.
* tag 'vmwgfx-fixes-4.3-150924' of git://people.freedesktop.org/~thomash/linux:
drm: Allow also control clients to check the drm version
drm/vmwgfx: Fix uninitialized return in vmw_kms_helper_dirty()
drm/vmwgfx: Fix uninitialized return in vmw_cotable_unbind()
drm/vmwgfx: Only build on X86
drm/ttm: Fix memory space allocation v2
drm/vmwgfx: Map the fifo as cached
drm/vmwgfx: Fix up user_dmabuf refcounting
Thomas Hellstrom [Tue, 15 Sep 2015 08:11:42 +0000 (01:11 -0700)]
drm: Allow also control clients to check the drm version
This should be harmless.
Vmware will, due to old infrastructure reasons, be using a privileged
control client to supply GUI layout information rather than obtaining
it from the device. That control client will be needing access to DRM
version information.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Acked-by: David Herrmann <dh.herrmann@gmail.com>
Christian Engelmayer [Fri, 18 Sep 2015 22:32:24 +0000 (00:32 +0200)]
drm/vmwgfx: Fix uninitialized return in vmw_kms_helper_dirty()
Function vmw_kms_helper_dirty() uses the uninitialized variable ret as
return value. Make the result deterministic and directly return as the
variable is unused anyway. Detected by Coverity CID
1324255.
Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Christian Engelmayer [Fri, 18 Sep 2015 22:31:10 +0000 (00:31 +0200)]
drm/vmwgfx: Fix uninitialized return in vmw_cotable_unbind()
Function vmw_cotable_unbind() uses the uninitialized variable ret as
return value. Make the result deterministic and directly return as
the variable is unused anyway. Detected by Coverity CID
1324256.
Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
John W. Linville [Tue, 22 Sep 2015 17:09:32 +0000 (13:09 -0400)]
geneve: use network byte order for destination port config parameter
This is primarily for consistancy with vxlan and other tunnels which
use network byte order for similar parameters.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dave Airlie [Wed, 23 Sep 2015 22:13:34 +0000 (08:13 +1000)]
Merge branch 'drm-fixes-4.3' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
radeon and amdgpu fixes for 4.3. It's a bit bigger than usual since
it's 3 weeks worth of fixes since I was on vacation, then at XDC.
- lots of stability fixes
- suspend and resume fixes
- GPU scheduler fixes
- Misc other fixes
* 'drm-fixes-4.3' of git://people.freedesktop.org/~agd5f/linux: (31 commits)
drm/radeon: add quirk for MSI R7 370
drm/amdgpu: Sprinkle drm_modeset_lock_all to appease locking checks
drm/radeon: Sprinkle drm_modeset_lock_all to appease locking checks
drm/amdgpu: sync ce and me with SWITCH_BUFFER(2)
drm/amdgpu: integer overflow in amdgpu_mode_dumb_create()
drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()
drm/amdgpu: integer overflow in amdgpu_info_ioctl()
drm/amdgpu: unwind properly in amdgpu_cs_parser_init()
drm/amdgpu: Fix max_vblank_count value for current display engines
drm/amdgpu: use kmemdup rather than duplicating its implementation
drm/amdgpu: fix UVD suspend and resume for VI APU
drm/amdgpu: fix the UVD suspend sequence order
drm/amdgpu: make UVD handle checking more strict
drm/amdgpu: Disable UVD PG
drm/amdgpu: more scheduler cleanups v2
drm/amdgpu: cleanup fence queue init v2
drm/amdgpu: rename fence->scheduler to sched v2
drm/amdgpu: cleanup entity init
drm/amdgpu: refine the scheduler job type conversion
drm/amdgpu: refine the job naming for amdgpu_job and amdgpu_sched_job
...
Andrzej Hajda [Mon, 21 Sep 2015 13:33:47 +0000 (15:33 +0200)]
drm/layerscape: fix handling fsl_dcu_drm_plane_index result
The function can return negative value.
The problem has been detected using proposed semantic patch
scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci [1].
[1]: http://permalink.gmane.org/gmane.linux.kernel/
2038576
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Archit Taneja [Thu, 17 Sep 2015 11:00:55 +0000 (16:30 +0530)]
drm/mgag200: Fix driver_load error handling
mgag200_driver_load's error path just calls the drm driver's
driver_unload op. It isn't safe to call this because it doesn't handle
things well if driver_load fails somewhere mid way.
Replace the call to mgag200_driver_unload with a more finegrained
error handling path.
Link: http://lkml.kernel.org/r/55F6E68D.8070800@codeaurora.org
Reported-by: Ingo Molnar <mingo@kernel.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dri-devel <dri-devel@lists.freedesktop.org>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Archit Taneja [Thu, 17 Sep 2015 11:00:54 +0000 (16:30 +0530)]
drm/mgag200: Fix error handling paths in fbdev driver
Set up error handling in mgag200_fbdev_init and mgag200fb_create such that
they release the things they allocate, rather than relying on someone
calling mga_fbdev_destroy.
Based on a patch by Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Link: http://lkml.kernel.org/r/55F6E68D.8070800@codeaurora.org
Reported-by: Ingo Molnar <mingo@kernel.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dri-devel <dri-devel@lists.freedesktop.org>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Dave Airlie [Mon, 14 Sep 2015 00:28:34 +0000 (10:28 +1000)]
drm/qxl: only report first monitor as connected if we have no state
If the server isn't new enough to give us state, report the first
monitor as always connected, otherwise believe the server side.
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
David Woodhouse [Wed, 23 Sep 2015 08:45:31 +0000 (09:45 +0100)]
8139cp: Dump contents of descriptor ring on TX timeout
We are seeing unexplained TX timeouts under heavy load. Let's try to get
a better idea of what's going on.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Wed, 23 Sep 2015 08:45:16 +0000 (09:45 +0100)]
8139cp: Fix DMA unmapping of transmitted buffers
The low 16 bits of the 'opts1' field in the TX descriptor are supposed
to still contain the buffer length when the descriptor is handed back to
us. In practice, at least on my hardware, they don't. So stash the
original value of the opts1 field and get the length to unmap from
there.
There are other ways we could have worked out the length, but I actually
want a stash of the opts1 field anyway so that I can dump it alongside
the contents of the descriptor ring when we suffer a TX timeout.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Wed, 23 Sep 2015 08:44:57 +0000 (09:44 +0100)]
8139cp: Reduce duplicate csum/tso code in cp_start_xmit()
We calculate the value of the opts1 descriptor field in three different
places. With two different behaviours when given an invalid packet to
be checksummed — none of them correct. Sort that out.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Wed, 23 Sep 2015 08:44:38 +0000 (09:44 +0100)]
8139cp: Fix TSO/scatter-gather descriptor setup
When sending a TSO frame in multiple buffers, we were neglecting to set
the first descriptor up in TSO mode.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Wed, 23 Sep 2015 08:44:06 +0000 (09:44 +0100)]
8139cp: Fix tx_queued debug message to print correct slot numbers
After a certain amount of staring at the debug output of this driver, I
realised it was lying to me.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Wed, 23 Sep 2015 08:43:41 +0000 (09:43 +0100)]
8139cp: Do not re-enable RX interrupts in cp_tx_timeout()
If an RX interrupt was already received but NAPI has not yet run when
the RX timeout happens, we end up in cp_tx_timeout() with RX interrupts
already disabled. Blindly re-enabling them will cause an IRQ storm.
(This is made particularly horrid by the fact that cp_interrupt() always
returns that it's handled the interrupt, even when it hasn't actually
done anything. If it didn't do that, the core IRQ code would have
detected the storm and handled it, I'd have had a clear smoking gun
backtrace instead of just a spontaneously resetting router, and I'd have
at *least* two days of my life back. Changing the return value of
cp_interrupt() will be argued about under separate cover.)
Unconditionally leave RX interrupts disabled after the reset, and
schedule NAPI to check the receive ring and re-enable them.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 23 Sep 2015 21:37:38 +0000 (14:37 -0700)]
Merge branch 'netcp-fixes'
Murali Karicheri says:
====================
net: netcp: a set of bug fixes
This patch series fixes a set of issues in netcp driver seen during internal
testing of the driver. While at it, do some clean up as well.
The fixes are tested on K2HK, K2L and K2E EVMs and the boot up logs can be
seen at
http://pastebin.ubuntu.com/
12533100/
====================
Signed-off-by: David S. Miller <davem@davemloft.net>