Christoph Paasch [Sat, 28 Jun 2014 16:26:37 +0000 (18:26 +0200)]
tcp: Fix divide by zero when pushing during tcp-repair
When in repair-mode and TCP_RECV_QUEUE is set, we end up calling
tcp_push with mss_now being 0. If data is in the send-queue and
tcp_set_skb_tso_segs gets called, we crash because it will divide by
mss_now:
[ 347.151939] divide error: 0000 [#1] SMP
[ 347.152907] Modules linked in:
[ 347.152907] CPU: 1 PID: 1123 Comm: packetdrill Not tainted 3.16.0-rc2 #4
[ 347.152907] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 347.152907] task:
f5b88540 ti:
f3c82000 task.ti:
f3c82000
[ 347.152907] EIP: 0060:[<
c1601359>] EFLAGS:
00210246 CPU: 1
[ 347.152907] EIP is at tcp_set_skb_tso_segs+0x49/0xa0
[ 347.152907] EAX:
00000b67 EBX:
f5acd080 ECX:
00000000 EDX:
00000000
[ 347.152907] ESI:
f5a28f40 EDI:
f3c88f00 EBP:
f3c83d10 ESP:
f3c83d00
[ 347.152907] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 347.152907] CR0:
80050033 CR2:
083158b0 CR3:
35146000 CR4:
000006b0
[ 347.152907] Stack:
[ 347.152907]
c167f9d9 f5acd080 000005b4 00000002 f3c83d20 c16013e6 f3c88f00 f5acd080
[ 347.152907]
f3c83da0 c1603b5a f3c83d38 c10a0188 00000000 00000000 f3c83d84 c10acc85
[ 347.152907]
c1ad5ec0 00000000 00000000 c1ad679c 010003e0 00000000 00000000 f3c88fc8
[ 347.152907] Call Trace:
[ 347.152907] [<
c167f9d9>] ? apic_timer_interrupt+0x2d/0x34
[ 347.152907] [<
c16013e6>] tcp_init_tso_segs+0x36/0x50
[ 347.152907] [<
c1603b5a>] tcp_write_xmit+0x7a/0xbf0
[ 347.152907] [<
c10a0188>] ? up+0x28/0x40
[ 347.152907] [<
c10acc85>] ? console_unlock+0x295/0x480
[ 347.152907] [<
c10ad24f>] ? vprintk_emit+0x1ef/0x4b0
[ 347.152907] [<
c1605716>] __tcp_push_pending_frames+0x36/0xd0
[ 347.152907] [<
c15f4860>] tcp_push+0xf0/0x120
[ 347.152907] [<
c15f7641>] tcp_sendmsg+0xf1/0xbf0
[ 347.152907] [<
c116d920>] ? kmem_cache_free+0xf0/0x120
[ 347.152907] [<
c106a682>] ? __sigqueue_free+0x32/0x40
[ 347.152907] [<
c106a682>] ? __sigqueue_free+0x32/0x40
[ 347.152907] [<
c114f0f0>] ? do_wp_page+0x3e0/0x850
[ 347.152907] [<
c161c36a>] inet_sendmsg+0x4a/0xb0
[ 347.152907] [<
c1150269>] ? handle_mm_fault+0x709/0xfb0
[ 347.152907] [<
c15a006b>] sock_aio_write+0xbb/0xd0
[ 347.152907] [<
c1180b79>] do_sync_write+0x69/0xa0
[ 347.152907] [<
c1181023>] vfs_write+0x123/0x160
[ 347.152907] [<
c1181d55>] SyS_write+0x55/0xb0
[ 347.152907] [<
c167f0d8>] sysenter_do_call+0x12/0x28
This can easily be reproduced with the following packetdrill-script (the
"magic" with netem, sk_pacing and limit_output_bytes is done to prevent
the kernel from pushing all segments, because hitting the limit without
doing this is not so easy with packetdrill):
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+0 < S 0:0(0) win 32792 <mss 1460>
+0 > S. 0:0(0) ack 1 <mss 1460>
+0.1 < . 1:1(0) ack 1 win 65000
+0 accept(3, ..., ...) = 4
// This forces that not all segments of the snd-queue will be pushed
+0 `tc qdisc add dev tun0 root netem delay 10ms`
+0 `sysctl -w net.ipv4.tcp_limit_output_bytes=2`
+0 setsockopt(4, SOL_SOCKET, 47, [2], 4) = 0
+0 write(4,...,10000) = 10000
+0 write(4,...,10000) = 10000
// Set tcp-repair stuff, particularly TCP_RECV_QUEUE
+0 setsockopt(4, SOL_TCP, 19, [1], 4) = 0
+0 setsockopt(4, SOL_TCP, 20, [1], 4) = 0
// This now will make the write push the remaining segments
+0 setsockopt(4, SOL_SOCKET, 47, [20000], 4) = 0
+0 `sysctl -w net.ipv4.tcp_limit_output_bytes=130000`
// Now we will crash
+0 write(4,...,1000) = 1000
This happens since
ec3423257508 (tcp: fix retransmission in repair
mode). Prior to that, the call to tcp_push was prevented by a check for
tp->repair.
The patch fixes it, by adding the new goto-label out_nopush. When exiting
tcp_sendmsg and a push is not required, which is the case for tp->repair,
we go to this label.
When repairing and calling send() with TCP_RECV_QUEUE, the data is
actually put in the receive-queue. So, no push is required because no
data has been added to the send-queue.
Cc: Andrew Vagin <avagin@openvz.org>
Cc: Pavel Emelyanov <xemul@parallels.com>
Fixes: ec3423257508 (tcp: fix retransmission in repair mode)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Acked-by: Andrew Vagin <avagin@openvz.org>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 2 Jul 2014 09:39:38 +0000 (02:39 -0700)]
net: fix sparse warning in sk_dst_set()
sk_dst_cache has __rcu annotation, so we need a cast to avoid
following sparse error :
include/net/sock.h:1774:19: warning: incorrect type in initializer (different address spaces)
include/net/sock.h:1774:19: expected struct dst_entry [noderef] <asn:4>*__ret
include/net/sock.h:1774:19: got struct dst_entry *dst
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Fixes: 7f502361531e ("ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix")
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 2 Jul 2014 09:25:15 +0000 (02:25 -0700)]
vlan: free percpu stats in device destructor
Madalin-Cristian reported crashs happening after a recent commit
(
5a4ae5f6e7d4 "vlan: unnecessary to check if vlan_pcpu_stats is NULL")
-----------------------------------------------------------------------
root@p5040ds:~# vconfig add eth8 1
root@p5040ds:~# vconfig rem eth8.1
Unable to handle kernel paging request for data at address 0x2bc88028
Faulting instruction address: 0xc058e950
Oops: Kernel access of bad area, sig: 11 [#1]
SMP NR_CPUS=8 CoreNet Generic
Modules linked in:
CPU: 3 PID: 2167 Comm: vconfig Tainted: G W
3.16.0-rc3-00346-g65e85bf #2
task:
e7264d90 ti:
e2c2c000 task.ti:
e2c2c000
NIP:
c058e950 LR:
c058ea30 CTR:
c058e900
REGS:
e2c2db20 TRAP: 0300 Tainted: G W (
3.16.0-rc3-00346-g65e85bf)
MSR:
00029002 <CE,EE,ME> CR:
48000428 XER:
20000000
DEAR:
2bc88028 ESR:
00000000
GPR00:
c047299c e2c2dbd0 e7264d90 00000000 2bc88000 00000000 ffffffff 00000000
GPR08:
0000000f 00000000 000000ff 00000000 28000422 10121928 10100000 10100000
GPR16:
10100000 00000000 c07c5968 00000000 00000000 00000000 e2c2dc48 e7838000
GPR24:
c07c5bac c07c58a8 e77290cc c07b0000 00000000 c05de6c0 e7838000 e2c2dc48
NIP [
c058e950] vlan_dev_get_stats64+0x50/0x170
LR [
c058ea30] vlan_dev_get_stats64+0x130/0x170
Call Trace:
[
e2c2dbd0] [
ffffffea] 0xffffffea (unreliable)
[
e2c2dc20] [
c047299c] dev_get_stats+0x4c/0x140
[
e2c2dc40] [
c0488ca8] rtnl_fill_ifinfo+0x3d8/0x960
[
e2c2dd70] [
c0489f4c] rtmsg_ifinfo+0x6c/0x110
[
e2c2dd90] [
c04731d4] rollback_registered_many+0x344/0x3b0
[
e2c2ddd0] [
c047332c] rollback_registered+0x2c/0x50
[
e2c2ddf0] [
c0476058] unregister_netdevice_queue+0x78/0xf0
[
e2c2de00] [
c058d800] unregister_vlan_dev+0xc0/0x160
[
e2c2de20] [
c058e360] vlan_ioctl_handler+0x1c0/0x550
[
e2c2de90] [
c045d11c] sock_ioctl+0x28c/0x2f0
[
e2c2deb0] [
c010d070] do_vfs_ioctl+0x90/0x7b0
[
e2c2df20] [
c010d7d0] SyS_ioctl+0x40/0x80
[
e2c2df40] [
c000f924] ret_from_syscall+0x0/0x3c
Fix this problem by freeing percpu stats from dev->destructor() instead
of ndo_uninit()
Reported-by: Madalin-Cristian Bucur <madalin.bucur@freescale.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Madalin-Cristian Bucur <madalin.bucur@freescale.com>
Fixes: 5a4ae5f6e7d4 ("vlan: unnecessary to check if vlan_pcpu_stats is NULL")
Cc: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Mack [Fri, 27 Jun 2014 23:23:35 +0000 (01:23 +0200)]
net: fix circular dependency in of_mdio code
Commit
86f6cf4127 (net: of_mdio: add of_mdiobus_link_phydev()) introduced a
circular dependency between libphy and of_mdio.
depmod: ERROR: <modroot>/kernel/drivers/net/phy/libphy.ko in
dependency cycle!
depmod: ERROR: <modroot>/kernel/drivers/of/of_mdio.ko in dependency cycle!
The problem is that of_mdio.c references &mdio_bus_type and libphy now
references of_mdiobus_link_phydev.
Fix this by not exporting of_mdiobus_link_phydev() from of_mdio.ko.
Make it a static function in mdio_bus.c instead.
Signed-off-by: Daniel Mack <zonque@gmail.com>
Reported-by: Jeff Mahoney <jeffm@suse.com>
Fixes: 86f6cf4127 (net: of_mdio: add of_mdiobus_link_phydev())
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 2 Jul 2014 06:47:33 +0000 (23:47 -0700)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless
John W. Linville says:
====================
pull request: wireless 2014-06-27
Please pull the following batch of fixes for the 3.16 stream...
For the mac80211 bits, Johannes says:
"We have a fix from Eliad for a time calculation, a fix from Max for
head/tailroom when sending authentication packets, a revert that Felix
requested since the patch in question broke regulatory and a fix from
myself for an issue with a new command that we advertised in the wrong
place."
For the bluetooth bits, Gustavo says:
"A few fixes for 3.16. This pull request contains a NULL dereference fix,
and some security/pairing fixes."
For the iwlwifi bits, Emmanuel says:
"I have here a fix from Eliad for scheduled scan: it fixes a firmware
assertion. Arik reverts a patch I made that didn't take into account
that 3160 doesn't have UAPSD and hence, we can't assume that all
newer firmwares support the feature. Here too, the visible effect
is a firmware assertion. Along with that, we have a few fixes and
additions to the device list."
For the ath10k bits, Kalle says:
"Bartosz fixed an issue where we were not able to create 8 vdevs when
using DFS. Michal removed a false warning which was just confusing
people."
On top of that...
Arend van Spriel fixes a 'divide by zero' regression in brcmfmac.
Amitkumar Karwar corrects a transmit timeout in mwifiex.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Thu, 26 Jun 2014 17:26:22 +0000 (10:26 -0700)]
net: bcmgenet: do not set packet length for RX buffers
Hardware will provide this information as soon as we will start
processing incoming packets, so there is no need to set the RX buffer
length during buffer allocation.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Thu, 26 Jun 2014 17:26:21 +0000 (10:26 -0700)]
net: bcmgenet: start with carrier off
We use the PHY library which will determine the link state for us, make
sure we start with a carrier off until libphy has completed the link
training.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Thu, 26 Jun 2014 17:26:20 +0000 (10:26 -0700)]
net: bcmgenet: disable clock before register_netdev
As soon as register_netdev() is called, the network device notifiers are
running which means that other parts of the kernel, or user-space
programs can call the network device ndo_open() callback and use the
interface.
Disable the Ethernet device clock before we register the network device
such that we do not create the following situation:
CPU0 CPU1
register_netdev()
bcmgenet_open()
clk_prepare_enable()
clk_disable_unprepare()
and leave the hardware block gated off, while we think it should be
gated on.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Thu, 26 Jun 2014 17:06:46 +0000 (10:06 -0700)]
net: systemport: fix TX NAPI work done return value
Although we do not limit the number of packets the TX completion
function bcm_sysport_tx_reclaim() is allowed to reclaim, we were still
using its return value as-is. This means that we could hit the WARN() in
net/core/dev.c where work_done >= budget.
Make sure we do exit the NAPI context when the TX ring is empty, and
pretend there was no work to do.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Thu, 26 Jun 2014 17:06:45 +0000 (10:06 -0700)]
net: systemport: fix UniMAC reset logic
The UniMAC CMD_SW_RESET bit is not a self-clearing bit, so we need to
assert it, wait a bit and clear it manually. As a result, umac_reset()
is updated not to return any value. The previous version of the code
simply wrote 0 to the CMD register, which would make the busy-waiting
loop exit immediately, having zero effect.
By writing 0 to the CMD register, we were clearing all bits in the CMD
register, and not using the hardware reset default values which are
set on purpose.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Thu, 26 Jun 2014 17:06:44 +0000 (10:06 -0700)]
net: systemport: do not clear IFF_MULTICAST flag
The SYSTEMPORT Ethernet MAC supports multicast just fine, it just lacks
any sort of Unicast/Broadcast/Multicasting filtering at the Ethernet MAC
level since that is handled by the front end Ethernet switch, but that
is properly handled by bcm_sysport_set_rx_mode().
Some user-space applications might be relying on the presence of this
flag to prevent using multicast sockets, this also prevents that
interface from joining the IPv6 all-router mcast group.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Thu, 26 Jun 2014 07:44:02 +0000 (00:44 -0700)]
bnx2x: fix possible panic under memory stress
While it is legal to kfree(NULL), it is not wise to use :
put_page(virt_to_head_page(NULL))
BUG: unable to handle kernel paging request at
ffffeba400000000
IP: [<
ffffffffc01f5928>] virt_to_head_page+0x36/0x44 [bnx2x]
Reported-by: Michel Lespinasse <walken@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ariel Elior <ariel.elior@qlogic.com>
Fixes: d46d132cc021 ("bnx2x: use netdev_alloc_frag()")
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 30 Jun 2014 08:26:23 +0000 (01:26 -0700)]
ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix
We have two different ways to handle changes to sk->sk_dst
First way (used by TCP) assumes socket lock is owned by caller, and use
no extra lock : __sk_dst_set() & __sk_dst_reset()
Another way (used by UDP) uses sk_dst_lock because socket lock is not
always taken. Note that sk_dst_lock is not softirq safe.
These ways are not inter changeable for a given socket type.
ipv4_sk_update_pmtu(), added in linux-3.8, added a race, as it used
the socket lock as synchronization, but users might be UDP sockets.
Instead of converting sk_dst_lock to a softirq safe version, use xchg()
as we did for sk_rx_dst in commit
e47eb5dfb296b ("udp: ipv4: do not use
sk_dst_lock from softirq context")
In a follow up patch, we probably can remove sk_dst_lock, as it is
only used in IPv6.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Fixes: 9cb3a50c5f63e ("ipv4: Invalidate the socket cached route on pmtu events if possible")
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Kirjanov [Wed, 25 Jun 2014 17:34:57 +0000 (21:34 +0400)]
powerpc: bpf: Fix the broken LD_VLAN_TAG_PRESENT test
We have to return the boolean here if the tag presents
or not, not just ANDing the TCI with the mask which results to:
[ 709.412097] test_bpf: #18 LD_VLAN_TAG_PRESENT
[ 709.412245] ret 4096 != 1
[ 709.412332] ret 4096 != 1
[ 709.412333] FAIL (2 times)
Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Kirjanov [Wed, 25 Jun 2014 17:34:56 +0000 (21:34 +0400)]
powerpc: bpf: Use correct mask while accessing the VLAN tag
To get a full tag (and not just a VID) we should access the TCI
except the VLAN_TAG_PRESENT field (which means that 802.1q header
is present). Also ensure that the VLAN_TAG_PRESENT stay on its place
Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Fri, 27 Jun 2014 17:35:56 +0000 (13:35 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
Hangbin Liu [Fri, 27 Jun 2014 01:57:53 +0000 (09:57 +0800)]
ipv6: Fix MLD Query message check
Based on RFC3810 6.2, we also need to check the hop limit and router alert
option besides source address.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
James M Leddy [Wed, 25 Jun 2014 21:38:13 +0000 (17:38 -0400)]
udp: Add MIB counters for rcvbuferrors
Add MIB counters for rcvbuferrors in UDP to help diagnose problems.
Signed-off-by: James M Leddy <james.leddy@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yijing Wang [Wed, 25 Jun 2014 04:22:56 +0000 (12:22 +0800)]
bnx2x: Fix the MSI flags
MSI-X should use PCI_MSIX_FLAGS not PCI_MSI_FLAGS.
Signed-off-by: Yijing Wang <wangyijing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Thu, 26 Jun 2014 15:39:36 +0000 (11:39 -0400)]
Merge branch 'ath-current' of git://github.com/kvalo/ath
Linus Torvalds [Thu, 26 Jun 2014 04:47:28 +0000 (21:47 -0700)]
Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6
Pull CIFS fixes from Steve French:
"Small set of misc cifs/smb3 fixes"
* 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
[CIFS] fix mount failure with broken pathnames when smb3 mount with mapchars option
cifs: revalidate mapping prior to satisfying read_iter request with cache=loose
fs/cifs: fix regression in cifs_create_mf_symlink()
Linus Torvalds [Thu, 26 Jun 2014 04:38:45 +0000 (21:38 -0700)]
Merge tag 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
"Various minor fixes"
* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (gpio-fan) Change name used in hwmon_device_register_with_groups
hwmon: (emc1403) Fix missing 'select REGMAP_I2C' in Kconfig
hwmon: (ntc_thermistor) Use the manufacturer name properly
devicetree: bindings: Document murata vendor prefix
hwmon: (w83l786ng) Report correct minimum fan speed
Linus Torvalds [Thu, 26 Jun 2014 04:08:24 +0000 (21:08 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix crash in ipvs tot_stats estimator, from Julian Anastasov.
2) Fix OOPS in nf_nat on netns removal, from Florian Westphal.
3) Really really really fix locking issues in slip and slcan tty write
wakeups, from Tyler Hall.
4) Fix checksum offloading in fec driver, from Fugang Duan.
5) Off by one in BPF instruction limit test, from Kees Cook.
6) Need to clear all TSO capability flags when doing software TSO in
tg3 driver, from Prashant Sreedharan.
7) Fix memory leak in vlan_reorder_header() error path, from Li
RongQing.
8) Fix various bugs in xen-netfront and xen-netback multiqueue support,
from David Vrabel and Wei Liu.
9) Fix deadlock in cxgb4 driver, from Li RongQing.
10) Prevent double free of no-cache DST entries, from Eric Dumazet.
11) Bad csum_start handling in skb_segment() leads to crashes when
forwarding, from Tom Herbert.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (76 commits)
net: fix setting csum_start in skb_segment()
ipv4: fix dst race in sk_dst_get()
net: filter: Use kcalloc/kmalloc_array to allocate arrays
trivial: net: filter: Change kerneldoc parameter order
trivial: net: filter: Fix typo in comment
net: allwinner: emac: Add missing free_irq
cxgb4: use dev_port to identify ports
xen-netback: bookkeep number of active queues in our own module
tg3: Change nvram command timeout value to 50ms
cxgb4: Not need to hold the adap_rcu_lock lock when read adap_rcu_list
be2net: fix qnq mode detection on VFs
of: mdio: fixup of_phy_register_fixed_link parsing of new bindings
at86rf230: fix irq setup
net: phy: at803x: fix coccinelle warnings
net/mlx4_core: Fix the error flow when probing with invalid VF configuration
tulip: Poll link status more frequently for Comet chips
net: huawei_cdc_ncm: increase command buffer size
drivers: net: cpsw: fix dual EMAC stall when connected to same switch
xen-netfront: recreate queues correctly when reconnecting
xen-netfront: fix oops when disconnected from backend
...
Tom Herbert [Wed, 25 Jun 2014 19:51:01 +0000 (12:51 -0700)]
net: fix setting csum_start in skb_segment()
Dave Jones reported that a crash is occurring in
csum_partial
tcp_gso_segment
inet_gso_segment
? update_dl_migration
skb_mac_gso_segment
__skb_gso_segment
dev_hard_start_xmit
sch_direct_xmit
__dev_queue_xmit
? dev_hard_start_xmit
dev_queue_xmit
ip_finish_output
? ip_output
ip_output
ip_forward_finish
ip_forward
ip_rcv_finish
ip_rcv
__netif_receive_skb_core
? __netif_receive_skb_core
? trace_hardirqs_on
__netif_receive_skb
netif_receive_skb_internal
napi_gro_complete
? napi_gro_complete
dev_gro_receive
? dev_gro_receive
napi_gro_receive
It looks like a likely culprit is that SKB_GSO_CB()->csum_start is
not set correctly when doing non-scatter gather. We are using
offset as opposed to doffset.
Reported-by: Dave Jones <davej@redhat.com>
Tested-by: Dave Jones <davej@redhat.com>
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 7e2b10c1e52ca ("net: Support for multiple checksums with gso")
Acked-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 26 Jun 2014 03:06:06 +0000 (20:06 -0700)]
Merge tag 'nfs-for-3.16-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
Pull NFS client fixes from Trond Myklebust:
"Highlights include:
- Stable fix for a data corruption case due to incorrect cache
validation
- Fix a couple of false positive cache invalidations
- Fix NFSv4 security negotiation issues"
* tag 'nfs-for-3.16-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFSv4: test SECINFO RPC_AUTH_GSS pseudoflavors for support
NFS Return -EPERM if no supported or matching SECINFO flavor
NFS check the return of nfs4_negotiate_security in nfs4_submount
NFS: Don't mark the data cache as invalid if it has been flushed
NFS: Clear NFS_INO_REVAL_PAGECACHE when we update the file size
nfs: Fix cache_validity check in nfs_write_pageuptodate()
Eric Dumazet [Tue, 24 Jun 2014 17:05:11 +0000 (10:05 -0700)]
ipv4: fix dst race in sk_dst_get()
When IP route cache had been removed in linux-3.6, we broke assumption
that dst entries were all freed after rcu grace period. DST_NOCACHE
dst were supposed to be freed from dst_release(). But it appears
we want to keep such dst around, either in UDP sockets or tunnels.
In sk_dst_get() we need to make sure dst refcount is not 0
before incrementing it, or else we might end up freeing a dst
twice.
DST_NOCACHE set on a dst does not mean this dst can not be attached
to a socket or a tunnel.
Then, before actual freeing, we need to observe a rcu grace period
to make sure all other cpus can catch the fact the dst is no longer
usable.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dormando <dormando@rydia.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tobias Klauser [Tue, 24 Jun 2014 13:33:22 +0000 (15:33 +0200)]
net: filter: Use kcalloc/kmalloc_array to allocate arrays
Use kcalloc/kmalloc_array to make it clear we're allocating arrays. No
integer overflow can actually happen here, since len/flen is guaranteed
to be less than BPF_MAXINSNS (4096). However, this changed makes sure
we're not going to get one if BPF_MAXINSNS were ever increased.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tobias Klauser [Tue, 24 Jun 2014 13:33:21 +0000 (15:33 +0200)]
trivial: net: filter: Change kerneldoc parameter order
Change the order of the parameters to sk_unattached_filter_create() in
the kerneldoc to reflect the order they appear in the actual function.
This fix is only cosmetic, in the generated doc they still appear in the
correct order without the fix.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tobias Klauser [Tue, 24 Jun 2014 13:33:20 +0000 (15:33 +0200)]
trivial: net: filter: Fix typo in comment
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Maxime Ripard [Mon, 23 Jun 2014 20:49:40 +0000 (22:49 +0200)]
net: allwinner: emac: Add missing free_irq
If the mdio probe function fails in emac_open, the interrupt we just requested
isn't freed. If emac_open is called again, for example because we try to set up
the interface again, the kernel will oops because the interrupt wasn't properly
released.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Cc: <stable@vger.kernel.org> # 3.11+
Signed-off-by: David S. Miller <davem@davemloft.net>
Thadeu Lima de Souza Cascardo [Sat, 21 Jun 2014 12:48:08 +0000 (09:48 -0300)]
cxgb4: use dev_port to identify ports
Commit
3f85944fe207d0225ef21a2c0951d4946fc9a95d ("net: Add sysfs file
for port number") introduce dev_port to network devices. cxgb4 adapters
have multiple ports on the same PCI function, and used dev_id to
identify those ports. That use was removed by commit
8c367fcbe6549195d2eb11e62bea233f811aad41 ("cxgb4: Do not set
net_device::dev_id to VI index"), since dev_id should be used only when
devices share the same MAC address.
Using dev_port for cxgb4 allows different ports on the same PCI function
to be identified.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wei Liu [Mon, 23 Jun 2014 09:50:17 +0000 (10:50 +0100)]
xen-netback: bookkeep number of active queues in our own module
The original code uses netdev->real_num_tx_queues to bookkeep number of
queues and invokes netif_set_real_num_tx_queues to set the number of
queues. However, netif_set_real_num_tx_queues doesn't allow
real_num_tx_queues to be smaller than 1, which means setting the number
to 0 will not work and real_num_tx_queues is untouched.
This is bogus when xenvif_free is invoked before any number of queues is
allocated. That function needs to iterate through all queues to free
resources. Using the wrong number of queues results in NULL pointer
dereference.
So we bookkeep the number of queues in xen-netback to solve this
problem. This fixes a regression introduced by multiqueue patchset in
3.16-rc1.
There's another bug in original code that the real number of RX queues
is never set. In current Xen multiqueue design, the number of TX queues
and RX queues are in fact the same. We need to set the numbers of TX and
RX queues to the same value.
Also remove xenvif_select_queue and leave queue selection to core
driver, as suggested by David Miller.
Reported-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
CC: Ian Campbell <ian.campbell@citrix.com>
CC: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Prashant Sreedharan [Sat, 21 Jun 2014 06:28:15 +0000 (23:28 -0700)]
tg3: Change nvram command timeout value to 50ms
Commit
506724c463fcd63477a5e404728a980b71f80bb7 "tg3: Override clock,
link aware and link idle mode during NVRAM dump" changed the timeout
value for nvram command execution from 100ms to 1ms. But the 1ms
timeout value was only sufficient for nvram read operations but not
write operations for most of the devices supported by tg3 driver.
This patch sets the MAX to 50ms. Also it uses usleep_range instead
of udelay.
Signed-off-by: Prashant Sreedharan <prashant@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Suggested-by: David Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julien D'Ascenzio [Wed, 25 Jun 2014 20:00:31 +0000 (22:00 +0200)]
hwmon: (gpio-fan) Change name used in hwmon_device_register_with_groups
Since commit
648cd48c9e566f53c5df30d79857e0937ae13b09
The hwmon name attributes must not include '-' so the name must be
rename from gpio-fan to gpio_fan
Signed-off-by: Julien D'Ascenzio <jdascenzio@yahoo.fr>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Linus Torvalds [Wed, 25 Jun 2014 19:19:01 +0000 (12:19 -0700)]
Merge tag 'fixes-for-linus' of git://git./linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Arnd Bergmann:
"A new set of bug fixes for 3.16, containing patches for seven
platforms:
at91:
- drivers/misc fix for Kconfig PWM symbol
- correction of several values in DT after conversion to CCF
- fix at91sam9261/at91sam9261ek mistake in slow crystal vs. slow RC osc
imx:
- Use GPIO for card CD/WP on imx51-babbage and eukrea-mbimxsd51,
because controller base CD/WP is not working in esdhc driver due to
runtime PM support
- A couple of random ventana gw5xxx board fixes
- Add IMX_IPUV3_CORE back to defconfig, which gets lost when moving
IPUv3 driver out of staging tree
- Fix enet/fec clock selection on imx6sl
- Fix display node on imx53-m53evk board
- A couple of Cubox-i updates from Russell, which were omitted from
the merge window due to dependency
integrator:
- fix an OF-related regression against 3.15
mvebu:
- mvebu (v7)
- Fix broken SoC ID detection
- Select ARM_CPU_SUSPEND for v7
- Remove armada38x compatible string (no users yet)
- Enable Dove SoC in mvebu_v7_defconfig
- kirkwood
- Fix phy-connection-type on GuruPlug board
qcom:
- enable gsbi driver in defconfig
- fix section mismatch warning in serial driver
samsung:
- use WFI macro in platform_do_lowpower because exynos cpuhotplug
includes a hardcoded WFI instruction and it causes compile error
in Thumb-2 mode.
- fix GIC reg sizes for exynos4 SoCs
- remove reset timer counter value during boot and resume for mct
to fix a big jump in printk timestamps
- fix pm code to check cortex-A9 for another exynos SoCs
- don't rely on firmware's secondary_cpu_start for mcpm
sti:
- Ethernet clocks were wrongly defined for STiH415/416 platforms
- STiH416 B2020 revision E DTS file name contained uppercase, change to
lowercase"
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (33 commits)
ARM: at91/dt: sam9261: remove slow RC osc
ARM: at91/dt: define sam9261ek slow crystal frequency
ARM: at91/dt: sam9261: correctly define mainck
ARM: at91/dt: sam9n12: correct PLLA ICPLL and OUT values
ARM: at91/dt: sam9x5: correct PLLA ICPLL and OUT values
misc: atmel_pwm: fix Kconfig symbols
ARM: integrator: fix OF-related regression
ARM: mvebu: Fix the improper use of the compatible string armada38x using a wildcard
ARM: dts: kirkwood: fix phy-connection-type for Guruplug
ARM: EXYNOS: Don't rely on firmware's secondary_cpu_start for mcpm
ARM: dts: imx51-eukrea-mbimxsd51-baseboard: unbreak esdhc.
ARM: dts: imx51-babbage: Fix esdhc setup
ARM: dts: mx5: Move the display out of soc {} node
ARM: dts: mx5: Fix IPU port node placement
ARM: mvebu: select ARM_CPU_SUSPEND for Marvell EBU v7 platforms
ARM: mvebu: Fix broken SoC ID detection
ARM: imx_v6_v7_defconfig: Enable CONFIG_IMX_IPUV3_CORE
ARM: multi_v7_defconfig: Add QCOM GSBI driver
ARM: stih41x: Rename stih416-b2020-revE.dts to stih416-b2020e.dts
tty: serial: msm: Fix section mismatch warning
...
Arend van Spriel [Fri, 20 Jun 2014 20:19:25 +0000 (22:19 +0200)]
brcmfmac: assign chip id and rev in bus interface after brcmf_usb_dlneeded
The function brcmf_usb_dlneeded() queries the device to obtain the chip
id and revision. So assigning these in bus interface before the call
resulted in chip id and revision being zero. This was introduced by:
commit
5b8045d484d0ef77d6aa9444023220c5671fa3fe
Author: Arend van Spriel <arend@broadcom.com>
Date: Tue May 27 12:56:23 2014 +0200
brcmfmac: use asynchronous firmware request in USB
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Fri, 20 Jun 2014 18:45:25 +0000 (11:45 -0700)]
mwifiex: fix Tx timeout issue
https://bugzilla.kernel.org/show_bug.cgi?id=70191
https://bugzilla.kernel.org/show_bug.cgi?id=77581
It is observed that sometimes Tx packet is downloaded without
adding driver's txpd header. This results in firmware parsing
garbage data as packet length. Sometimes firmware is unable
to read the packet if length comes out as invalid. This stops
further traffic and timeout occurs.
The root cause is uninitialized fields in tx_info(skb->cb) of
packet used to get garbage values. In this case if
MWIFIEX_BUF_FLAG_REQUEUED_PKT flag is mistakenly set, txpd
header was skipped. This patch makes sure that tx_info is
correctly initialized to fix the problem.
Cc: <stable@vger.kernel.org>
Reported-by: Andrew Wiley <wiley.andrew.j@gmail.com>
Reported-by: Linus Gasser <list@markas-al-nour.org>
Reported-by: Michael Hirsch <hirsch@teufel.de>
Tested-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Maithili Hinge <maithili@marvell.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arnd Bergmann [Wed, 25 Jun 2014 18:27:15 +0000 (20:27 +0200)]
Merge tag 'at91-fixes' of git://github.com/at91linux/linux-at91 into fixes
Merge "First AT91 fixes batch for 3.16" from Nicolas Ferre:
- drivers/misc fix for Kconfig PWM symbol
- correction of several values in DT after conversion to CCF
- fix at91sam9261/at91sam9261ek mistake in slow crystal vs. slow RC osc
* tag 'at91-fixes' of git://github.com/at91linux/linux-at91:
ARM: at91/dt: sam9261: remove slow RC osc
ARM: at91/dt: define sam9261ek slow crystal frequency
ARM: at91/dt: sam9261: correctly define mainck
ARM: at91/dt: sam9n12: correct PLLA ICPLL and OUT values
ARM: at91/dt: sam9x5: correct PLLA ICPLL and OUT values
misc: atmel_pwm: fix Kconfig symbols
Arnd Bergmann [Wed, 25 Jun 2014 13:34:00 +0000 (15:34 +0200)]
Merge tag 'mvebu-fixes-3.16' of git://git.infradead.org/linux-mvebu into fixes
Merge "mvebu fixes for v3.16" from Jason Cooper:
- mvebu
- Fix broken SoC ID detection
- Select ARM_CPU_SUSPEND for v7
- Remove armada38x compatible string (no users yet)
- kirkwood
- Fix phy-connection-type on GuruPlug board
* tag 'mvebu-fixes-3.16' of git://git.infradead.org/linux-mvebu:
ARM: mvebu: Fix the improper use of the compatible string armada38x using a wildcard
ARM: dts: kirkwood: fix phy-connection-type for Guruplug
ARM: mvebu: select ARM_CPU_SUSPEND for Marvell EBU v7 platforms
ARM: mvebu: Fix broken SoC ID detection
John W. Linville [Wed, 25 Jun 2014 18:22:35 +0000 (14:22 -0400)]
Merge branch 'for-upstream' of git://git./linux/kernel/git/bluetooth/bluetooth
John W. Linville [Wed, 25 Jun 2014 18:20:22 +0000 (14:20 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/iwlwifi/iwlwifi-fixes
John W. Linville [Wed, 25 Jun 2014 18:17:50 +0000 (14:17 -0400)]
Merge git://git./linux/kernel/git/jberg/mac80211
Linus Torvalds [Wed, 25 Jun 2014 17:34:17 +0000 (10:34 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client
Pull Ceph fix from Sage Weil:
"This fixes a corner case for cloned RBD images"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
rbd: handle parent_overlap on writes correctly
Alexandre Belloni [Mon, 23 Jun 2014 06:51:41 +0000 (08:51 +0200)]
ARM: at91/dt: sam9261: remove slow RC osc
The at91sam9261 doesn't actually have a slow RC oscillator, remove it from the
dtsi.
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Boris BREZILLON <boris.brezillon@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Alexandre Belloni [Sat, 14 Jun 2014 00:10:43 +0000 (02:10 +0200)]
ARM: at91/dt: define sam9261ek slow crystal frequency
Define at91sam9261ek's slow crystal frequencies.
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Boris BREZILLON <boris.brezillon@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Alexandre Belloni [Fri, 13 Jun 2014 12:02:29 +0000 (14:02 +0200)]
ARM: at91/dt: sam9261: correctly define mainck
mainck (CKGR_MCFR register) is actually using main_osc (CKGR_MOR register).
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Boris BREZILLON <boris.brezillon@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Alexandre Belloni [Fri, 13 Jun 2014 11:28:12 +0000 (13:28 +0200)]
ARM: at91/dt: sam9n12: correct PLLA ICPLL and OUT values
ICPLL can only take 0 or 1, it got mixed with OUT which can be in the [0-3]
range.
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Boris BREZILLON <boris.brezillon@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Alexandre Belloni [Fri, 13 Jun 2014 11:25:34 +0000 (13:25 +0200)]
ARM: at91/dt: sam9x5: correct PLLA ICPLL and OUT values
ICPLL can only take 0 or 1, it got mixed with OUT which can be in the [0-3]
range.
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Boris BREZILLON <boris.brezillon@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Josef Gajdusek [Wed, 25 Jun 2014 14:21:21 +0000 (16:21 +0200)]
hwmon: (emc1403) Fix missing 'select REGMAP_I2C' in Kconfig
In commit
4cab259f, the emc1403 driver was converted to use regmap but the
necessary Kconfig option was not added.
Signed-off-by: Josef Gajdusek <atx@atx.name>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Naveen Krishna Chatradhi [Wed, 25 Jun 2014 06:29:31 +0000 (11:59 +0530)]
hwmon: (ntc_thermistor) Use the manufacturer name properly
Murata Manufacturing Co., Ltd is the vendor for
NTC (Negative Temperature coefficient) based Thermistors.
But, the driver extensively uses "NTC" as the vendor name.
This patch corrects the vendor name also updates the
compatibility strings according to the vendor-prefix.txt
Note: Drivers continue to support the previous compatible strings
but further addition of these compatible strings in device tree
is deprecated.
Signed-off-by: Naveen Krishna Chatradhi <ch.naveen@samsung.com>
Reviewed-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Naveen Krishna Chatradhi [Wed, 25 Jun 2014 06:29:30 +0000 (11:59 +0530)]
devicetree: bindings: Document murata vendor prefix
Add Murata Manufacturing Co., Ltd. to the list of device tree
vendor prefixes.
Murata manufactures NTC (Negative Temperature Coefficient) based
Thermistors for small scale applications like Mobiles and PDAs.
Signed-off-by: Naveen Krishna Chatradhi <ch.naveen@samsung.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Axel Lin [Wed, 25 Jun 2014 01:02:32 +0000 (09:02 +0800)]
hwmon: (w83l786ng) Report correct minimum fan speed
Current code is buggy, it shows the current fan speed as minimum fan speed.
Fix up show_fan_reg macro to correctly report fan and fan_min speed.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Kevin Lo <kevlo@kevlo.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Linus Torvalds [Wed, 25 Jun 2014 12:44:17 +0000 (05:44 -0700)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc
Pull powerpc fixes and cleanups from Ben Herrenschmidt:
"Here are a handful or two of powerpc fixes and simple/trivial
cleanups. A bunch of them fix ftrace with the new ABI v2 in Little
Endian, the rest is a scattering of fairly simple things"
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
powerpc: Don't skip ePAPR spin-table CPUs
powerpc/module: Fix TOC symbol CRC
powerpc/powernv: Remove OPAL v1 takeover
powerpc/kmemleak: Do not scan the DART table
selftests/powerpc: Use the test harness for the TM DSCR test
powerpc/cell: cbe_thermal.c: Cleaning up a variable is of the wrong type
powerpc/kprobes: Fix jprobes on ABI v2 (LE)
powerpc/ftrace: Use pr_fmt() to namespace error messages
powerpc/ftrace: Fix nop of modules on 64bit LE (ABIv2)
powerpc/ftrace: Fix inverted check of create_branch()
powerpc/ftrace: Fix typo in mask of opcode
powerpc: Add ppc_global_function_entry()
powerpc/macintosh/smu.c: Fix closing brace followed by if
powerpc: Remove __arch_swab*
powerpc: Remove ancient DEBUG_SIG code
powerpc/kerenl: Enable EEH for IO accessors
Linus Torvalds [Wed, 25 Jun 2014 12:30:20 +0000 (05:30 -0700)]
Merge tag 'for_linus' of git://git./linux/kernel/git/mst/vhost
Pull vhost cleanups from Michael S Tsirkin:
"Two cleanup patches removing code duplication that got introduced by
changes in rc1. Not fixing crashes, but I'd rather not carry the
duplicate code until the next merge window"
* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
vhost-scsi: don't open-code kvfree
vhost-net: don't open-code kvfree
Linus Torvalds [Wed, 25 Jun 2014 12:08:09 +0000 (05:08 -0700)]
Merge tag 'trace-fixes-v3.16-rc1-v2' of git://git./linux/kernel/git/rostedt/linux-trace
Pull tracing cleanups and fixes from Steven Rostedt:
"This includes three patches from Oleg Nesterov. The first is a fix to
a race condition that happens between enabling/disabling syscall
tracepoints and new process creations (the check to go into the ptrace
path for a process can be set when it shouldn't, or not set when it
should). Not a major bug but one that should be fixed and even
applied to stable.
The other two patches are cleanup/fixes that are not that critical,
but for an -rc1 release would be nice to have. They both deal with
syscall tracepoints.
It also includes a patch to introduce a new macro for the
TRACE_EVENT() format called __field_struct(). Originally, __field()
was used to record any variable into a trace event, but with the
addition of setting the "is signed" attribute, the check causes
anything but a primitive variable to fail to compile. That is,
structs and unions can't be used as they once were. When the "is
signed" check was introduce there were only primitive variables being
recorded. But that will change soon and it was reported that
__field() causes build failures.
To solve the __field() issue, __field_struct() is introduced to allow
trace_events to be able to record complex types too"
* tag 'trace-fixes-v3.16-rc1-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
tracing: Add __field_struct macro for TRACE_EVENT()
tracing: syscall_regfunc() should not skip kernel threads
tracing: Change syscall_*regfunc() to check PF_KTHREAD and use for_each_process_thread()
tracing: Fix syscall_*regfunc() vs copy_process() race
Nicolas Ferre [Wed, 25 Jun 2014 09:33:44 +0000 (11:33 +0200)]
misc: atmel_pwm: fix Kconfig symbols
AT91 symbols AT91SAM9263, AT91SAM9RL, and AT91SAM9G45 do not exist and this
patch changes them to their correct ARCH_* version.
These symbols are chosen instead of the SOC_* ones because this driver is not
converted to DT.
Anyway, the ATMEL_PWM symbol and the associated driver will be removed soon,
during the move to the PWM sub-system.
Reported-by: Paul Bolle <pebolle@tiscali.nl>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Scott Wood [Wed, 25 Jun 2014 01:15:51 +0000 (20:15 -0500)]
powerpc: Don't skip ePAPR spin-table CPUs
Commit
59a53afe70fd530040bdc69581f03d880157f15a "powerpc: Don't setup
CPUs with bad status" broke ePAPR SMP booting. ePAPR says that CPUs
that aren't presently running shall have status of disabled, with
enable-method being used to determine whether the CPU can be enabled.
Fix by checking for spin-table, which is currently the only supported
enable-method.
Signed-off-by: Scott Wood <scottwood@freescale.com>
Cc: Michael Neuling <mikey@neuling.org>
Cc: Emil Medve <Emilian.Medve@Freescale.com>
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Laurent Dufour [Tue, 24 Jun 2014 08:53:59 +0000 (10:53 +0200)]
powerpc/module: Fix TOC symbol CRC
The commit
71ec7c55ed91 introduced the magic symbol ".TOC." for ELFv2 ABI.
This symbol is built manually and has no CRC value computed. A zero value
is put in the CRC section to avoid modpost complaining about a missing CRC.
Unfortunately, this breaks the kernel module loading when the kernel is
relocated (kdump case for instance) because of the relocation applied to
the kcrctab values.
This patch compute a CRC value for the TOC symbol which will match the one
compute by the kernel when it is relocated - aka '0 - relocate_start' done in
maybe_relocated called by check_version (module.c).
Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Cc: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Tue, 24 Jun 2014 07:17:47 +0000 (17:17 +1000)]
powerpc/powernv: Remove OPAL v1 takeover
In commit
27f4488872d9 "Add OPAL takeover from PowerVM" we added support
for "takeover" on OPAL v1 machines.
This was a mode of operation where we would boot under pHyp, and query
for the presence of OPAL. If detected we would then do a special
sequence to take over the machine, and the kernel would end up running
in hypervisor mode.
OPAL v1 was never a supported product, and was never shipped outside
IBM. As far as we know no one is still using it.
Newer versions of OPAL do not use the takeover mechanism. Although the
query for OPAL should be harmless on machines with newer OPAL, we have
seen a machine where it causes a crash in Open Firmware.
The code in early_init_devtree() to copy boot_command_line into cmd_line
was added in commit
817c21ad9a1f "Get kernel command line accross OPAL
takeover", and AFAIK is only used by takeover, so should also be
removed.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Li RongQing [Fri, 20 Jun 2014 09:32:36 +0000 (17:32 +0800)]
cxgb4: Not need to hold the adap_rcu_lock lock when read adap_rcu_list
cxgb4_netdev maybe lead to dead lock, since it uses a spin lock, and be called
in both thread and softirq context, but not disable BH, the lockdep report is
below; In fact, cxgb4_netdev only reads adap_rcu_list with RCU protection, so
not need to hold spin lock again.
=================================
[ INFO: inconsistent lock state ]
3.14.7+ #24 Tainted: G C O
---------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
radvd/3794 [HC0[0]:SC1[1]:HE1:SE0] takes:
(adap_rcu_lock){+.?...}, at: [<
ffffffffa09989ea>] clip_add+0x2c/0x116 [cxgb4]
{SOFTIRQ-ON-W} state was registered at:
[<
ffffffff810fca81>] __lock_acquire+0x34a/0xe48
[<
ffffffff810fd98b>] lock_acquire+0x82/0x9d
[<
ffffffff815d6ff8>] _raw_spin_lock+0x34/0x43
[<
ffffffffa09989ea>] clip_add+0x2c/0x116 [cxgb4]
[<
ffffffffa0998beb>] cxgb4_inet6addr_handler+0x117/0x12c [cxgb4]
[<
ffffffff815da98b>] notifier_call_chain+0x32/0x5c
[<
ffffffff815da9f9>] __atomic_notifier_call_chain+0x44/0x6e
[<
ffffffff815daa32>] atomic_notifier_call_chain+0xf/0x11
[<
ffffffff815b1356>] inet6addr_notifier_call_chain+0x16/0x18
[<
ffffffffa01f72e5>] ipv6_add_addr+0x404/0x46e [ipv6]
[<
ffffffffa01f8df0>] addrconf_add_linklocal+0x5f/0x95 [ipv6]
[<
ffffffffa01fc3e9>] addrconf_notify+0x632/0x841 [ipv6]
[<
ffffffff815da98b>] notifier_call_chain+0x32/0x5c
[<
ffffffff810e09a1>] __raw_notifier_call_chain+0x9/0xb
[<
ffffffff810e09b2>] raw_notifier_call_chain+0xf/0x11
[<
ffffffff8151b3b7>] call_netdevice_notifiers_info+0x4e/0x56
[<
ffffffff8151b3d0>] call_netdevice_notifiers+0x11/0x13
[<
ffffffff8151c0a6>] netdev_state_change+0x1f/0x38
[<
ffffffff8152f004>] linkwatch_do_dev+0x3b/0x49
[<
ffffffff8152f184>] __linkwatch_run_queue+0x10b/0x144
[<
ffffffff8152f1dd>] linkwatch_event+0x20/0x27
[<
ffffffff810d7bc0>] process_one_work+0x1cb/0x2ee
[<
ffffffff810d7e3b>] worker_thread+0x12e/0x1fc
[<
ffffffff810dd391>] kthread+0xc4/0xcc
[<
ffffffff815dc48c>] ret_from_fork+0x7c/0xb0
irq event stamp: 3388
hardirqs last enabled at (3388): [<
ffffffff810c6c85>]
__local_bh_enable_ip+0xaa/0xd9
hardirqs last disabled at (3387): [<
ffffffff810c6c2d>]
__local_bh_enable_ip+0x52/0xd9
softirqs last enabled at (3288): [<
ffffffffa01f1d5b>]
rcu_read_unlock_bh+0x0/0x2f [ipv6]
softirqs last disabled at (3289): [<
ffffffff815ddafc>]
do_softirq_own_stack+0x1c/0x30
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(adap_rcu_lock);
<Interrupt>
lock(adap_rcu_lock);
*** DEADLOCK ***
5 locks held by radvd/3794:
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<
ffffffffa020b85a>]
rawv6_sendmsg+0x74b/0xa4d [ipv6]
#1: (rcu_read_lock){.+.+..}, at: [<
ffffffff8151ac6b>]
rcu_lock_acquire+0x0/0x29
#2: (rcu_read_lock){.+.+..}, at: [<
ffffffffa01f4cca>]
rcu_lock_acquire.constprop.16+0x0/0x30 [ipv6]
#3: (rcu_read_lock){.+.+..}, at: [<
ffffffff810e09b4>]
rcu_lock_acquire+0x0/0x29
#4: (rcu_read_lock){.+.+..}, at: [<
ffffffffa0998782>]
rcu_lock_acquire.constprop.40+0x0/0x30 [cxgb4]
stack backtrace:
CPU: 7 PID: 3794 Comm: radvd Tainted: G C O 3.14.7+ #24
Hardware name: Supermicro X7DBU/X7DBU, BIOS 6.00 12/03/2007
ffffffff81f15990 ffff88012fdc36a8 ffffffff815d0016 0000000000000006
ffff8800c80dc2a0 ffff88012fdc3708 ffffffff815cc727 0000000000000001
0000000000000001 ffff880100000000 ffffffff81015b02 ffff8800c80dcb58
Call Trace:
<IRQ> [<
ffffffff815d0016>] dump_stack+0x4e/0x71
[<
ffffffff815cc727>] print_usage_bug+0x1ec/0x1fd
[<
ffffffff81015b02>] ? save_stack_trace+0x27/0x44
[<
ffffffff810fbfaa>] ? check_usage_backwards+0xa0/0xa0
[<
ffffffff810fc640>] mark_lock+0x11b/0x212
[<
ffffffff810fca0b>] __lock_acquire+0x2d4/0xe48
[<
ffffffff810fbfaa>] ? check_usage_backwards+0xa0/0xa0
[<
ffffffff810fbff6>] ? check_usage_forwards+0x4c/0xa6
[<
ffffffff810c6c8a>] ? __local_bh_enable_ip+0xaf/0xd9
[<
ffffffff810fd98b>] lock_acquire+0x82/0x9d
[<
ffffffffa09989ea>] ? clip_add+0x2c/0x116 [cxgb4]
[<
ffffffffa0998782>] ? rcu_read_unlock+0x23/0x23 [cxgb4]
[<
ffffffff815d6ff8>] _raw_spin_lock+0x34/0x43
[<
ffffffffa09989ea>] ? clip_add+0x2c/0x116 [cxgb4]
[<
ffffffffa09987b0>] ? rcu_lock_acquire.constprop.40+0x2e/0x30 [cxgb4]
[<
ffffffffa0998782>] ? rcu_read_unlock+0x23/0x23 [cxgb4]
[<
ffffffffa09989ea>] clip_add+0x2c/0x116 [cxgb4]
[<
ffffffffa0998beb>] cxgb4_inet6addr_handler+0x117/0x12c [cxgb4]
[<
ffffffff810fd99d>] ? lock_acquire+0x94/0x9d
[<
ffffffff810e09b4>] ? raw_notifier_call_chain+0x11/0x11
[<
ffffffff815da98b>] notifier_call_chain+0x32/0x5c
[<
ffffffff815da9f9>] __atomic_notifier_call_chain+0x44/0x6e
[<
ffffffff815daa32>] atomic_notifier_call_chain+0xf/0x11
[<
ffffffff815b1356>] inet6addr_notifier_call_chain+0x16/0x18
[<
ffffffffa01f72e5>] ipv6_add_addr+0x404/0x46e [ipv6]
[<
ffffffff810fde6a>] ? trace_hardirqs_on+0xd/0xf
[<
ffffffffa01fb634>] addrconf_prefix_rcv+0x385/0x6ea [ipv6]
[<
ffffffffa0207950>] ndisc_rcv+0x9d3/0xd76 [ipv6]
[<
ffffffffa020d536>] icmpv6_rcv+0x592/0x67b [ipv6]
[<
ffffffff810c6c85>] ? __local_bh_enable_ip+0xaa/0xd9
[<
ffffffff810c6c85>] ? __local_bh_enable_ip+0xaa/0xd9
[<
ffffffff810fd8dc>] ? lock_release+0x14e/0x17b
[<
ffffffffa020df97>] ? rcu_read_unlock+0x21/0x23 [ipv6]
[<
ffffffff8150df52>] ? rcu_read_unlock+0x23/0x23
[<
ffffffffa01f4ede>] ip6_input_finish+0x1e4/0x2fc [ipv6]
[<
ffffffffa01f540b>] ip6_input+0x33/0x38 [ipv6]
[<
ffffffffa01f5557>] ip6_mc_input+0x147/0x160 [ipv6]
[<
ffffffffa01f4ba3>] ip6_rcv_finish+0x7c/0x81 [ipv6]
[<
ffffffffa01f5397>] ipv6_rcv+0x3a1/0x3e2 [ipv6]
[<
ffffffff8151ef96>] __netif_receive_skb_core+0x4ab/0x511
[<
ffffffff810fdc94>] ? mark_held_locks+0x71/0x99
[<
ffffffff8151f0c0>] ? process_backlog+0x69/0x15e
[<
ffffffff8151f045>] __netif_receive_skb+0x49/0x5b
[<
ffffffff8151f0cf>] process_backlog+0x78/0x15e
[<
ffffffff8151f571>] ? net_rx_action+0x1a2/0x1cc
[<
ffffffff8151f47b>] net_rx_action+0xac/0x1cc
[<
ffffffff810c69b7>] ? __do_softirq+0xad/0x218
[<
ffffffff810c69ff>] __do_softirq+0xf5/0x218
[<
ffffffff815ddafc>] do_softirq_own_stack+0x1c/0x30
<EOI> [<
ffffffff810c6bb6>] do_softirq+0x38/0x5d
[<
ffffffffa01f1d5b>] ? ip6_copy_metadata+0x156/0x156 [ipv6]
[<
ffffffff810c6c78>] __local_bh_enable_ip+0x9d/0xd9
[<
ffffffffa01f1d88>] rcu_read_unlock_bh+0x2d/0x2f [ipv6]
[<
ffffffffa01f28b4>] ip6_finish_output2+0x381/0x3d8 [ipv6]
[<
ffffffffa01f49ef>] ip6_finish_output+0x6e/0x73 [ipv6]
[<
ffffffffa01f4a70>] ip6_output+0x7c/0xa8 [ipv6]
[<
ffffffff815b1bfa>] dst_output+0x18/0x1c
[<
ffffffff815b1c9e>] ip6_local_out+0x1c/0x21
[<
ffffffffa01f2489>] ip6_push_pending_frames+0x37d/0x427 [ipv6]
[<
ffffffff81558af8>] ? skb_orphan+0x39/0x39
[<
ffffffffa020b85a>] ? rawv6_sendmsg+0x74b/0xa4d [ipv6]
[<
ffffffffa020ba51>] rawv6_sendmsg+0x942/0xa4d [ipv6]
[<
ffffffff81584cd2>] inet_sendmsg+0x3d/0x66
[<
ffffffff81508930>] __sock_sendmsg_nosec+0x25/0x27
[<
ffffffff8150b0d7>] sock_sendmsg+0x5a/0x7b
[<
ffffffff810fd8dc>] ? lock_release+0x14e/0x17b
[<
ffffffff8116d756>] ? might_fault+0x9e/0xa5
[<
ffffffff8116d70d>] ? might_fault+0x55/0xa5
[<
ffffffff81508cb1>] ? copy_from_user+0x2a/0x2c
[<
ffffffff8150b70c>] ___sys_sendmsg+0x226/0x2d9
[<
ffffffff810fcd25>] ? __lock_acquire+0x5ee/0xe48
[<
ffffffff810fde01>] ? trace_hardirqs_on_caller+0x145/0x1a1
[<
ffffffff8118efcb>] ? slab_free_hook.isra.71+0x50/0x59
[<
ffffffff8115c81f>] ? release_pages+0xbc/0x181
[<
ffffffff810fd99d>] ? lock_acquire+0x94/0x9d
[<
ffffffff81115e97>] ? read_seqcount_begin.constprop.25+0x73/0x90
[<
ffffffff8150c408>] __sys_sendmsg+0x3d/0x5b
[<
ffffffff8150c433>] SyS_sendmsg+0xd/0x19
[<
ffffffff815dc53d>] system_call_fastpath+0x1a/0x1f
Reported-by: Ben Greear <greearb@candelatech.com>
Cc: Casey Leedom <leedom@chelsio.com>
Cc: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Adamson [Thu, 12 Jun 2014 19:02:32 +0000 (15:02 -0400)]
NFSv4: test SECINFO RPC_AUTH_GSS pseudoflavors for support
Fix nfs4_negotiate_security to create an rpc_clnt used to test each SECINFO
returned pseudoflavor. Check credential creation (and gss_context creation)
which is important for RPC_AUTH_GSS pseudoflavors which can fail for multiple
reasons including mis-configuration.
Don't call nfs4_negotiate in nfs4_submount as it was just called by
nfs4_proc_lookup_mountpoint (nfs4_proc_lookup_common)
Signed-off-by: Andy Adamson <andros@netapp.com>
[Trond: fix corrupt return value from nfs_find_best_sec()]
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Andy Adamson [Mon, 9 Jun 2014 19:33:20 +0000 (15:33 -0400)]
NFS Return -EPERM if no supported or matching SECINFO flavor
Do not return RPC_AUTH_UNIX if SEINFO reply tests fail. This
prevents an infinite loop of NFS4ERR_WRONGSEC for non RPC_AUTH_UNIX mounts.
Without this patch, a mount with no sec= option to a server
that does not include RPC_AUTH_UNIX in the
SECINFO return can be presented with an attemtp to use RPC_AUTH_UNIX
which will result in an NFS4ERR_WRONG_SEC which will prompt the SECINFO
call which will again try RPC_AUTH_UNIX....
Signed-off-by: Andy Adamson <andros@netapp.com>
Tested-By: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Andy Adamson [Mon, 9 Jun 2014 19:33:19 +0000 (15:33 -0400)]
NFS check the return of nfs4_negotiate_security in nfs4_submount
Signed-off-by: Andy Adamson <andros@netapp.com>
Tested-By: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Trond Myklebust [Fri, 20 Jun 2014 17:11:01 +0000 (13:11 -0400)]
NFS: Don't mark the data cache as invalid if it has been flushed
Now that we have functions such as nfs_write_pageuptodate() that use
the cache_validity flags to check if the data cache is valid or not,
it is a little more important to keep the flags in sync with the
state of the data cache.
In particular, we'd like to ensure that if the data cache is empty, we
don't start marking it as needing revalidation.
Reported-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Trond Myklebust [Fri, 20 Jun 2014 17:16:38 +0000 (13:16 -0400)]
NFS: Clear NFS_INO_REVAL_PAGECACHE when we update the file size
In nfs_update_inode(), if the change attribute is seen to change on
the server, then we set NFS_INO_REVAL_PAGECACHE in order to make
sure that we check the file size.
However, if we also update the file size in the same function, we
don't need to check it again. So make sure that we clear the
NFS_INO_REVAL_PAGECACHE that was set earlier.
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Scott Mayhew [Fri, 20 Jun 2014 12:44:42 +0000 (08:44 -0400)]
nfs: Fix cache_validity check in nfs_write_pageuptodate()
NFS_INO_INVALID_DATA cannot be ignored, even if we have a delegation.
We're still having some problems with data corruption when multiple
clients are appending to a file and those clients are being granted
write delegations on open.
To reproduce:
Client A:
vi /mnt/`hostname -s`
while :; do echo "XXXXXXXXXXXXXXX" >>/mnt/file; sleep $(( $RANDOM % 5 )); done
Client B:
vi /mnt/`hostname -s`
while :; do echo "YYYYYYYYYYYYYYY" >>/mnt/file; sleep $(( $RANDOM % 5 )); done
What's happening is that in nfs_update_inode() we're recognizing that
the file size has changed and we're setting NFS_INO_INVALID_DATA
accordingly, but then we ignore the cache_validity flags in
nfs_write_pageuptodate() because we have a delegation. As a result,
in nfs_updatepage() we're extending the write to cover the full page
even though we've not read in the data to begin with.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Cc: <stable@vger.kernel.org> # v3.11+
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Linus Torvalds [Tue, 24 Jun 2014 21:00:13 +0000 (14:00 -0700)]
Merge git://git.kvack.org/~bcrl/aio-fixes
Pull aio fixes from Ben LaHaise:
"These fix a kernel memory disclosure issue (arbitrary kmap() &
copy_to_user()) revealed in CVE-2014-0206 by changes that were
introduced in v3.10"
* git://git.kvack.org/~bcrl/aio-fixes:
aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
aio: fix aio request leak when events are reaped by userspace
Linus Torvalds [Tue, 24 Jun 2014 20:59:00 +0000 (13:59 -0700)]
Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Pull ARM fixes from Russell King:
"A number of low impact fixes, the most noticable one is the thumb2
frame pointer fix. We also fix a regression caused during this merge
window with ARM925 CPUs running with caches disabled, and fix a number
of warnings"
* 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
ARM: arm925: ensure assembly sets up writethrough mapping
ARM: perf: fix compiler warning with gcc 4.6.4 (and tidy code)
ARM: l2c: fix dependencies on PL310 errata symbols
ARM: 8069/1: Make thread_save_fp macro aware of THUMB2 mode
ARM: 8068/1: scoop: Remove unused variable
Arik Nemtsov [Thu, 8 May 2014 13:17:31 +0000 (16:17 +0300)]
Revert "iwlwifi: remove IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT flag"
This reverts commit
dc9a19296a872644f19a06d8eeb5db222d327b41.
3610 cards don't support UAPSD.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Oren Givon [Sun, 25 May 2014 13:31:58 +0000 (16:31 +0300)]
iwlwifi: update the 7265 series HW IDs
Add one more 7265 series HW ID.
Edit one existing 7265 series HW ID.
CC: <stable@vger.kernel.org> [3.13+]
Signed-off-by: Oren Givon <oren.givon@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Benjamin LaHaise [Tue, 24 Jun 2014 17:32:51 +0000 (13:32 -0400)]
aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
by commit
a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
aio_read_events_ring() failed to correctly limit the index into
ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
an arbitrary page with a copy_to_user() to copy the contents into userspace.
This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
Petr for disclosing this issue.
This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: Jeff Moyer <jmoyer@redhat.com>
Cc: stable@vger.kernel.org
Benjamin LaHaise [Tue, 24 Jun 2014 17:12:55 +0000 (13:12 -0400)]
aio: fix aio request leak when events are reaped by userspace
The aio cleanups and optimizations by kmo that were merged into the 3.10
tree added a regression for userspace event reaping. Specifically, the
reference counts are not decremented if the event is reaped in userspace,
leading to the application being unable to submit further aio requests.
This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
This issue was uncovered as part of CVE-2014-0206.
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Johannes Berg [Tue, 10 Jun 2014 12:06:25 +0000 (14:06 +0200)]
nl80211: move set_qos_map command into split state
The non-split wiphy state shouldn't be increased in size
so move the new set_qos_map command into the split if
statement.
Cc: stable@vger.kernel.org (3.14+)
Fixes: fa9ffc745610 ("cfg80211: Add support for QoS mapping")
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Steve French [Mon, 23 Jun 2014 01:38:49 +0000 (20:38 -0500)]
[CIFS] fix mount failure with broken pathnames when smb3 mount with mapchars option
When we SMB3 mounted with mapchars (to allow reserved characters : \ / > < * ?
via the Unicode Windows to POSIX remap range) empty paths
(eg when we open "" to query the root of the SMB3 directory on mount) were not
null terminated so we sent garbarge as a path name on empty paths which caused
SMB2/SMB2.1/SMB3 mounts to fail when mapchars was specified. mapchars is
particularly important since Unix Extensions for SMB3 are not supported (yet)
Signed-off-by: Steve French <smfrench@gmail.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Linus Walleij [Tue, 24 Jun 2014 12:08:07 +0000 (14:08 +0200)]
ARM: integrator: fix OF-related regression
Commit
07e461cd7e73a84f0e3757932b93cc80976fd749
"of: Ensure unique names without sacrificing determinism"
caused a boot failure regression on the Integrator machines.
The problem is probably caused by fiddling too much with
the device tree population in the OF init function, such
as passing the SoC bus device as parent when populating
the device tree.
This patch fixes the problem by:
- Avoiding to explicitly look up the tree root
- Look up devices needed before device population from
the match only, passing NULL as root
- Passing NULL as root and parent when calling
of_platform_populate()
After this the Integrators boot again. Tested on
Integrator/AP and Integrator/CP.
Cc: Grant Likely <grant.likely@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Gregory CLEMENT [Mon, 23 Jun 2014 14:16:51 +0000 (16:16 +0200)]
ARM: mvebu: Fix the improper use of the compatible string armada38x using a wildcard
Wildcards in compatible strings should be avoid. "marvell,armada38x"
was recently introduced but was not yet used.
The armada 385 SoC is a superset of the armada 380 SoC (with more CPUs
and more PCIe slots). So this patch replaces the use of
"marvell,armada38x" by the "marvell,armada380" string.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Link: https://lkml.kernel.org/r/1403533011-21339-1-git-send-email-gregory.clement@free-electrons.com
Acked-by: Andrew Lunn <andrew@lunn.ch>
Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
Eliad Peller [Mon, 26 May 2014 15:44:35 +0000 (18:44 +0300)]
iwlwifi: mvm: rework sched scan channel configuration
The current sched scan channel configuration code
configures all the supported channels for scanning.
However, this can result in SYSASSERT in some cases,
when the configured channel is disabled.
Instead, configure only the channels given in the
req struct, and set the channel_count field appropriately.
While on it, change the code to use channel->hw_value
instead of recalculating the channel number.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Catalin Marinas [Fri, 13 Jun 2014 08:44:21 +0000 (09:44 +0100)]
powerpc/kmemleak: Do not scan the DART table
The DART table allocation is registered to kmemleak via the
memblock_alloc_base() call. However, the DART table is later unmapped
and dart_tablebase VA no longer accessible. This patch tells kmemleak
not to scan this block and avoid an unhandled paging request.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Fri, 13 Jun 2014 11:16:04 +0000 (21:16 +1000)]
selftests/powerpc: Use the test harness for the TM DSCR test
This gives us standardised success/failure output and also handles
killing the test if it runs forever (2 minutes).
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Rickard Strandqvist [Sat, 14 Jun 2014 16:25:11 +0000 (18:25 +0200)]
powerpc/cell: cbe_thermal.c: Cleaning up a variable is of the wrong type
This variable is of the wrong type, everywhere it is used it
should be an unsigned int rather than a int.
Signed-off-by: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Mon, 23 Jun 2014 03:23:31 +0000 (13:23 +1000)]
powerpc/kprobes: Fix jprobes on ABI v2 (LE)
In commit
721aeaa9 "Build little endian ppc64 kernel with ABIv2", we
missed some updates required in the kprobes code to make jprobes work
when the kernel is built with ABI v2.
Firstly update arch_deref_entry_point() to do the right thing. Now that
we have added ppc_global_function_entry() we can just always use that, it
will do the right thing for 32 & 64 bit and ABI v1 & v2.
Secondly we need to update the code that sets up the register state before
calling the jprobe handler. On ABI v1 we setup r2 to hold the TOC, on ABI
v2 we need to populate r12 with the function entry point address.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Tue, 17 Jun 2014 06:15:36 +0000 (16:15 +1000)]
powerpc/ftrace: Use pr_fmt() to namespace error messages
The printks() in our ftrace code have no prefix, so they appear on the
console with very little context, eg:
Branch out of range
Use pr_fmt() & pr_err() to add a prefix. While we're at it, collapse a
few split lines that don't need to be, and add a missing newline to one
message.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Tue, 17 Jun 2014 06:15:35 +0000 (16:15 +1000)]
powerpc/ftrace: Fix nop of modules on 64bit LE (ABIv2)
There is a bug in the handling of the function entry when we are nopping
out a branch from a module in ftrace.
We compare the result of module_trampoline_target() with the value of
ppc_function_entry(), and expect them to be true. But they never will
be.
module_trampoline_target() will always return the global entry point of
the function, whereas ppc_function_entry() will always return the local.
Fix it by using the newly added ppc_global_function_entry().
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Tue, 17 Jun 2014 06:15:34 +0000 (16:15 +1000)]
powerpc/ftrace: Fix inverted check of create_branch()
In commit
24a1bdc35, "Fix ABIv2 issues with __ftrace_make_call", Anton
changed the logic that creates and patches the branch, and added a
thinko in the check of create_branch(). create_branch() returns the
instruction that was generated, so if we get zero then it succeeded.
The result is we can't ftrace modules:
Branch out of range
WARNING: at ../kernel/trace/ftrace.c:1638
ftrace failed to modify [<
d000000004ba001c>] fuse_req_init_context+0x1c/0x90 [fuse]
We should probably fix patch_instruction() to do that check and make the
API saner, but that's a separate patch. For now just invert the test.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Tue, 17 Jun 2014 06:15:33 +0000 (16:15 +1000)]
powerpc/ftrace: Fix typo in mask of opcode
In commit
24a1bdc35, "Fix ABIv2 issues with __ftrace_make_call", Anton
changed the logic that checks for the expected code sequence when
patching a module.
We missed the typo in the mask, 0xffff00000 should be 0xffff0000, which
has the effect of making the test always true.
That makes it impossible to ftrace against modules, eg:
Unexpected call sequence:
48000008 e8410018
WARNING: at ../kernel/trace/ftrace.c:1638
ftrace failed to modify [<
d000000007cf001c>] rng_dev_open+0x1c/0x70 [rng_core]
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Tue, 17 Jun 2014 06:15:32 +0000 (16:15 +1000)]
powerpc: Add ppc_global_function_entry()
ABIv2 has the concept of a global and local entry point to a function.
In most cases we are interested in the local entry point, and so that is
what ppc_function_entry() returns.
However we have a case in the ftrace code where we want the global entry
point, and there may be other places we need it too. Rather than special
casing each, add an accessor.
For ABIv1 and 32-bit there is only a single entry point, so we return
that. That means it's safe for the caller to use this without also
checking the ABI version.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Rasmus Villemoes [Fri, 20 Jun 2014 19:44:27 +0000 (21:44 +0200)]
powerpc/macintosh/smu.c: Fix closing brace followed by if
A closing brace followed by "if" is almost certainly a mistake. Maybe
"else if" was meant, but in this case it doesn't really matter.
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Benjamin Herrenschmidt [Tue, 24 Jun 2014 02:28:56 +0000 (12:28 +1000)]
powerpc: Remove __arch_swab*
The generic code uses gcc built-ins which work fine so there's no benefit
in implementing our own anymore.
We can't completely remove the ld/st_le* functions as some historical
cruft still uses them, but that's next on the radar
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Michael Ellerman [Mon, 23 Jun 2014 04:17:47 +0000 (14:17 +1000)]
powerpc: Remove ancient DEBUG_SIG code
We have some compile-time disabled debug code in signal_xx.c. It's from
some ancient time BG, almost certainly part of the original port, given
the very similar code on other arches.
The show_unhandled_signal logic, added in
d0c3d534a438 (2.6.24) is
cleaner and prints more useful information, so drop the debug code.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Gavin Shan [Mon, 23 Jun 2014 00:56:22 +0000 (10:56 +1000)]
powerpc/kerenl: Enable EEH for IO accessors
In arch/powerpc/kernel/iomap.c, lots of IO reading accessors missed
to check EEH error as Ben pointed. The patch fixes it.
For the writing accessors, we change the called functions only for
making them look similar to the reading counterparts.
Suggested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Linus Torvalds [Tue, 24 Jun 2014 00:05:28 +0000 (17:05 -0700)]
Merge tag 'compress-3.16-rc3' of git://git./linux/kernel/git/gregkh/driver-core
Pull compress bugfixes from Greg KH:
"Here are two bugfixes for some compression functions that resolve some
errors when uncompressing some pathalogical data. Both were found by
Don A Bailey"
* tag 'compress-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
lz4: ensure length does not wrap
lzo: properly check for overruns
Linus Torvalds [Mon, 23 Jun 2014 23:48:14 +0000 (16:48 -0700)]
Merge branch 'akpm' (patches from Andrew Morton)
Merge fixes from Andrew Morton:
"The nmi patch and watchdog patch aren't actually fixes - they're
features which needed a few last-minutes touchups.
Otherwise, a rather large batch of fixes - ocfs2 review takes a while
and I got distracted and missed last week's batch"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (31 commits)
ocfs2/dlm: do not purge lockres that is queued for assert master
ocfs2: do not return DLM_MIGRATE_RESPONSE_MASTERY_REF to avoid endless,loop during umount
ocfs2: manually do the iput once ocfs2_add_entry failed in ocfs2_symlink and ocfs2_mknod
ocfs2: fix a tiny race when running dirop_fileop_racer
ocfs2/dlm: fix misuse of list_move_tail() in dlm_run_purge_list()
ocfs2: refcount: take rw_lock in ocfs2_reflink
ocfs2: revert "ocfs2: fix NULL pointer dereference when dismount and ocfs2rec simultaneously"
ocfs2: fix deadlock when two nodes are converting same lock from PR to EX and idletimeout closes conn
ocfs2: should add inode into orphan dir after updating entry in ocfs2_rename()
mm: fix crashes from mbind() merging vmas
checkpatch: reduce false positives when checking void function return statements
ia64: arch/ia64/include/uapi/asm/fcntl.h needs personality.h
DMA, CMA: fix possible memory leak
slab: fix oops when reading /proc/slab_allocators
shmem: fix faulting into a hole while it's punched
mm: let mm_find_pmd fix buggy race with THP fault
mm: thp: fix DEBUG_PAGEALLOC oops in copy_page_rep()
kernel/watchdog.c: print traces for all cpus on lockup detection
nmi: provide the option to issue an NMI back trace to every cpu but current
Documentation/accounting/getdelays.c: add missing null-terminate after strncpy call
...
Xue jiufei [Mon, 23 Jun 2014 20:22:09 +0000 (13:22 -0700)]
ocfs2/dlm: do not purge lockres that is queued for assert master
When workqueue is delayed, it may occur that a lockres is purged while it
is still queued for master assert. it may trigger BUG() as follows.
N1 N2
dlm_get_lockres()
->dlm_do_master_requery
is the master of lockres,
so queue assert_master work
dlm_thread() start running
and purge the lockres
dlm_assert_master_worker()
send assert master message
to other nodes
receiving the assert_master
message, set master to N2
dlmlock_remote() send create_lock message to N2, but receive DLM_IVLOCKID,
if it is RECOVERY lockres, it triggers the BUG().
Another BUG() is triggered when N3 become the new master and send
assert_master to N1, N1 will trigger the BUG() because owner doesn't
match. So we should not purge lockres when it is queued for assert
master.
Signed-off-by: joyce.xue <xuejiufei@huawei.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
jiangyiwen [Mon, 23 Jun 2014 20:22:09 +0000 (13:22 -0700)]
ocfs2: do not return DLM_MIGRATE_RESPONSE_MASTERY_REF to avoid endless,loop during umount
The following case may lead to endless loop during umount.
node A node B node C node D
umount volume,
migrate lockres1
to B
want to lock lockres1,
send
MASTER_REQUEST_MSG
to C
init block mle
send
MIGRATE_REQUEST_MSG
to C
find a block
mle, and then
return
DLM_MIGRATE_RESPONSE_MASTERY_REF
to B
set C in refmap
umount successfully
try to umount, endless
loop occurs when migrate
lockres1 since C is in
refmap
So we can fix this endless loop case by only returning
DLM_MIGRATE_RESPONSE_MASTERY_REF if it has a mastery mle when receiving
MIGRATE_REQUEST_MSG.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: jiangyiwen <jiangyiwen@huawei.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Xue jiufei <xuejiufei@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
jiangyiwen [Mon, 23 Jun 2014 20:22:09 +0000 (13:22 -0700)]
ocfs2: manually do the iput once ocfs2_add_entry failed in ocfs2_symlink and ocfs2_mknod
When the call to ocfs2_add_entry() failed in ocfs2_symlink() and
ocfs2_mknod(), iput() will not be called during dput(dentry) because no
d_instantiate(), and this will lead to umount hung.
Signed-off-by: jiangyiwen <jiangyiwen@huawei.com>
Cc: Joel Becker <jlbec@evilplan.org>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Yiwen Jiang [Mon, 23 Jun 2014 20:22:09 +0000 (13:22 -0700)]
ocfs2: fix a tiny race when running dirop_fileop_racer
When running dirop_fileop_racer we found a dead lock case.
2 nodes, say Node A and Node B, mount the same ocfs2 volume. Create
/race/16/1 in the filesystem, and let the inode number of dir 16 is less
than the inode number of dir race.
Node A Node B
mv /race/16/1 /race/
right after Node A has got the
EX mode of /race/16/, and tries to
get EX mode of /race
ls /race/16/
In this case, Node A has got the EX mode of /race/16/, and wants to get EX
mode of /race/. Node B has got the PR mode of /race/, and wants to get
the PR mode of /race/16/. Since EX and PR are mutually exclusive, dead
lock happens.
This patch fixes this case by locking in ancestor order before trying
inode number order.
Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Joel Becker <jlbec@evilplan.org>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Xue jiufei [Mon, 23 Jun 2014 20:22:08 +0000 (13:22 -0700)]
ocfs2/dlm: fix misuse of list_move_tail() in dlm_run_purge_list()
When a lockres in purge list but is still in use, it should be moved to
the tail of purge list. dlm_thread will continue to check next lockres in
purge list. However, code list_move_tail(&dlm->purge_list,
&lockres->purge) will do *no* movements, so dlm_thread will purge the same
lockres in this loop again and again. If it is in use for a long time,
other lockres will not be processed.
Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Signed-off-by: joyce.xue <xuejiufei@huawei.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Wengang Wang [Mon, 23 Jun 2014 20:22:08 +0000 (13:22 -0700)]
ocfs2: refcount: take rw_lock in ocfs2_reflink
This patch tries to fix this crash:
#5 [
ffff88003c1cd690] do_invalid_op at
ffffffff810166d5
#6 [
ffff88003c1cd730] invalid_op at
ffffffff8159b2de
[exception RIP: ocfs2_direct_IO_get_blocks+359]
RIP:
ffffffffa05dfa27 RSP:
ffff88003c1cd7e8 RFLAGS:
00010202
RAX:
0000000000000000 RBX:
ffff88003c1cdaa8 RCX:
0000000000000000
RDX:
000000000000000c RSI:
ffff880027a95000 RDI:
ffff88003c79b540
RBP:
ffff88003c1cd858 R8:
0000000000000000 R9:
ffffffff815f6ba0
R10:
00000000000001c9 R11:
00000000000001c9 R12:
ffff88002d271500
R13:
0000000000000001 R14:
0000000000000000 R15:
0000000000001000
ORIG_RAX:
ffffffffffffffff CS: 0010 SS: 0018
#7 [
ffff88003c1cd860] do_direct_IO at
ffffffff811cd31b
#8 [
ffff88003c1cd950] direct_IO_iovec at
ffffffff811cde9c
#9 [
ffff88003c1cd9b0] do_blockdev_direct_IO at
ffffffff811ce764
#10 [
ffff88003c1cdb80] __blockdev_direct_IO at
ffffffff811ce7cc
#11 [
ffff88003c1cdbb0] ocfs2_direct_IO at
ffffffffa05df756 [ocfs2]
#12 [
ffff88003c1cdbe0] generic_file_direct_write_iter at
ffffffff8112f935
#13 [
ffff88003c1cdc40] ocfs2_file_write_iter at
ffffffffa0600ccc [ocfs2]
#14 [
ffff88003c1cdd50] do_aio_write at
ffffffff8119126c
#15 [
ffff88003c1cddc0] aio_rw_vect_retry at
ffffffff811d9bb4
#16 [
ffff88003c1cddf0] aio_run_iocb at
ffffffff811db880
#17 [
ffff88003c1cde30] io_submit_one at
ffffffff811dc238
#18 [
ffff88003c1cde80] do_io_submit at
ffffffff811dc437
#19 [
ffff88003c1cdf70] sys_io_submit at
ffffffff811dc530
#20 [
ffff88003c1cdf80] system_call_fastpath at
ffffffff8159a159
It crashes at
BUG_ON(create && (ext_flags & OCFS2_EXT_REFCOUNTED));
in ocfs2_direct_IO_get_blocks.
ocfs2_direct_IO_get_blocks is expecting the OCFS2_EXT_REFCOUNTED be removed in
ocfs2_prepare_inode_for_write() if it was there. But no cluster lock is taken
during the time before (or inside) ocfs2_prepare_inode_for_write() and after
ocfs2_direct_IO_get_blocks().
It can happen in this case:
Node A(which crashes) Node B
------------------------ ---------------------------
ocfs2_file_aio_write
ocfs2_prepare_inode_for_write
ocfs2_inode_lock
...
ocfs2_inode_unlock
#no refcount found
.... ocfs2_reflink
ocfs2_inode_lock
...
ocfs2_inode_unlock
#now, refcount flag set on extent
...
flush change to disk
ocfs2_direct_IO_get_blocks
ocfs2_get_clusters
#extent map miss
#buffer_head miss
read extents from disk
found refcount flag on extent
crash..
Fix:
Take rw_lock in ocfs2_reflink path
Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Xue jiufei [Mon, 23 Jun 2014 20:22:08 +0000 (13:22 -0700)]
ocfs2: revert "ocfs2: fix NULL pointer dereference when dismount and ocfs2rec simultaneously"
75f82eaa502c ("ocfs2: fix NULL pointer dereference when dismount and
ocfs2rec simultaneously") may cause umount hang while shutting down
truncate log.
The situation is as followes:
ocfs2_dismout_volume
-> ocfs2_recovery_exit
-> free osb->recovery_map
-> ocfs2_truncate_shutdown
-> lock global bitmap inode
-> ocfs2_wait_for_recovery
-> check whether osb->recovery_map->rm_used is zero
Because osb->recovery_map is already freed, rm_used can be any other
values, so it may yield umount hang.
Signed-off-by: joyce.xue <xuejiufei@huawei.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tariq Saeed [Mon, 23 Jun 2014 20:22:08 +0000 (13:22 -0700)]
ocfs2: fix deadlock when two nodes are converting same lock from PR to EX and idletimeout closes conn
Orabug:
18639535
Two node cluster and both nodes hold a lock at PR level and both want to
convert to EX at the same time. Master node 1 has sent BAST and then
closes the connection due to idletime out. Node 0 receives BAST, sends
unlock req with cancel flag but gets error -ENOTCONN. The problem is
this error is ignored in dlm_send_remote_unlock_request() on the
**incorrect** assumption that the master is dead. See NOTE in comment
why it returns DLM_NORMAL. Upon getting DLM_NORMAL, node 0 proceeds to
sends convert (without cancel flg) which fails with -ENOTCONN. waits 5
sec and resends.
This time gets DLM_IVLOCKID from the master since lock not found in
grant, it had been moved to converting queue in response to conv PR->EX
req. No way out.
Node 1 (master) Node 0
============== ======
lock mode PR PR
convert PR -> EX
mv grant -> convert and que BAST
...
<-------- convert PR -> EX
convert que looks like this: ((node 1, PR -> EX) (node 0, PR -> EX))
...
BAST (want PR -> NL)
------------------>
...
idle timout, conn closed
...
In response to BAST,
sends unlock with cancel convert flag
gets -ENOTCONN. Ignores and
sends remote convert request
gets -ENOTCONN, waits 5 Sec, retries
...
reconnects
<----------------- convert req goes through on next try
does not find lock on grant que
status DLM_IVLOCKID
------------------>
...
No way out. Fix is to keep retrying unlock with cancel flag until it
succeeds or the master dies.
Signed-off-by: Tariq Saeed <tariq.x.saeed@oracle.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>