firefly-linux-kernel-4.4.55.git
11 years ago rk: enable synchronization framework, for support android 4.2 with mali gpu
黄涛 [Fri, 22 Feb 2013 10:03:43 +0000 (18:03 +0800)]
rk: enable synchronization framework, for support android 4.2 with mali gpu

11 years ago sync: fix timeout = 0 wait behavior
Jamie Gennis [Wed, 20 Feb 2013 02:49:20 +0000 (18:49 -0800)]
sync: fix timeout = 0 wait behavior

Change-Id: I8b9254e92c26d9f44abbc0c77fb44624de947013
Signed-off-by: Jamie Gennis <jgennis@google.com>
11 years ago base: sync: Include seq_file.h in sync.h
Jonathan Hamilton [Fri, 8 Feb 2013 21:05:38 +0000 (13:05 -0800)]
base: sync: Include seq_file.h in sync.h

sync.h uses struct seq_file in some function table prototypes. This
causes compile failures when including the header in files that do not
otherwise include seq_file.h

Signed-off-by: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
11 years ago sync: don't log wait timeouts when timeout = 0
Erik Gilling [Mon, 4 Feb 2013 20:37:16 +0000 (12:37 -0800)]
sync: don't log wait timeouts when timeout = 0

Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: Fix race condition between merge and signal
Ørjan Eide [Wed, 5 Dec 2012 15:38:08 +0000 (16:38 +0100)]
sync: Fix race condition between merge and signal

The copied sync_pt was activated immediately. If the sync_pt was
signaled before the entire merge was completed, the new fence's pt_list
could be iterated over while it is still in the process of being
created.

Moving the sync_pt_activate call for all new sync_pts to after both
the sync_fence_copy_pts and the sync_fence_merge_pts calls ensures that
the pt_list is complete and immutable before it can be reached from the
timeline's active list.

Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: add tracepoint support
Erik Gilling [Tue, 16 Oct 2012 23:14:48 +0000 (16:14 -0700)]
sync: add tracepoint support

Change-Id: I181326db4247009161557e45444c9b3548b83d25
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: refactor sync debug printing
Erik Gilling [Tue, 16 Oct 2012 22:16:55 +0000 (15:16 -0700)]
sync: refactor sync debug printing

Move driver callbacks to fill strings instead of using seq_files.  This
will allow those values to be used in a future tracepoint patch.

Change-Id: I9b706343e35b11124141fe520e520514a32003d2
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: use proper barriers when waiting indefinitely
Erik Gilling [Tue, 16 Oct 2012 00:58:46 +0000 (17:58 -0700)]
sync: use proper barriers when waiting indefinitely

The previous fix only addressed waiting with a timeout.

Change-Id: I8ad735d2d0dfdd53592904e8a54f5689cb5eaa5e
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: update new fence status with sync_fence_signal_pt
Erik Gilling [Tue, 16 Oct 2012 00:51:01 +0000 (17:51 -0700)]
sync: update new fence status with sync_fence_signal_pt

If a fence's pt is signaled before sync_fence_create is called, the fence
will never transition into the signaled state.  This also addresses a tiny
race if a merged fence's pt after sync_fence_get_status checks its status
and before fence->status is updated.

Change-Id: Ic8e292a323db26c6f04cb4757d920278b3125ff6
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: protect unlocked access to fence status
Erik Gilling [Thu, 11 Oct 2012 19:35:22 +0000 (12:35 -0700)]
sync: protect unlocked access to fence status

Fence status is checked outside of locks in both sync_fence_wait and
sync_fence_poll.  This patch adds proper barrier protection in these
cases to avoid seeing stale status.

Change-Id: I9d8b6ce6accb415e797df58068a1ccd54e6be445
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: dump sync state of fence errors
Erik Gilling [Thu, 11 Oct 2012 01:08:11 +0000 (18:08 -0700)]
sync: dump sync state of fence errors

Change-Id: I297a43aadf83504993040ea875c7f22d988628f1
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: improve timeout dumps
Erik Gilling [Tue, 4 Sep 2012 22:29:09 +0000 (15:29 -0700)]
sync: improve timeout dumps

Change-Id: I3b378d63c324c7b5862dd214f380b5e91131cc2a
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: use correct signed type when handling SYNC_IOC_WAIT
Erik Gilling [Tue, 4 Sep 2012 22:28:52 +0000 (15:28 -0700)]
sync: use correct signed type when handling SYNC_IOC_WAIT

Change-Id: Ic7d5adf9b145765e52b23186b8c3c793ccf29be7
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: dump sync state to console on timeout
Erik Gilling [Fri, 24 Aug 2012 20:48:57 +0000 (13:48 -0700)]
sync: dump sync state to console on timeout

Change-Id: I74bca6b4a2afa7ed5b1f5233c5165d2edddf269a
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: clean up compiler warnings
Erik Gilling [Fri, 24 Aug 2012 20:48:34 +0000 (13:48 -0700)]
sync: clean up compiler warnings

Change-Id: I8a2ec5db652c61fd04571402067b37273b91e78f
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: fix erase-o in sync_fence_wait
Erik Gilling [Wed, 22 Aug 2012 01:43:21 +0000 (18:43 -0700)]
sync: fix erase-o in sync_fence_wait

Change-Id: I189707cf658a9f1f2943515c891b43961994e774
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: change wait timeout to mirror poll semantics
Erik Gilling [Wed, 22 Aug 2012 00:57:19 +0000 (17:57 -0700)]
sync: change wait timeout to mirror poll semantics

Change-Id: Ib38e6d339d41885a33027752690d65a52b6897f6
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: Fix error paths
Rebecca Schultz Zavin [Wed, 8 Aug 2012 20:46:22 +0000 (13:46 -0700)]
sync: Fix error paths

Check the return value of get_unused_fd to make sure a valid
file descriptor is returned.

Make sure to call put_unused_fd even if an error occurs before
the fd can be used.

Change-Id: I0fe8f78d9e30ecfc4d271c5d875424543dae2d0f
Signed-off-by: Rebecca Schultz Zavin <rebecca@android.com>
11 years ago sync: add reference counting to timelines
Erik Gilling [Fri, 3 Aug 2012 00:26:45 +0000 (17:26 -0700)]
sync: add reference counting to timelines

If a timeline is destroyed while fences still hold pts on it, the reworked
fence release handler can cause the timeline to be freed before all its points
are freed.

Change-Id: I1cd8ddb638eded7db9db446ff6b37f3dd165d6c4
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: add internal refcounting to fences
Erik Gilling [Mon, 23 Jul 2012 23:43:05 +0000 (16:43 -0700)]
sync: add internal refcounting to fences

If a fence is released while a timeline that one of its pts is on is being
signaled, it is possible for that fence to be deleted before it is signaled.
This patch adds a refcount for internal references such as signaled pt
processing.

Change-Id: Ie8605e6fd2ac026c207220a03d84e1c1078ec719
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: optimize fence merges
Erik Gilling [Thu, 12 Jul 2012 00:13:50 +0000 (17:13 -0700)]
sync: optimize fence merges

If the two fences being merged contain sync_pts from the same timeline,
those two pts will be collapsed into a single pt representing the latter
of the two.

Change-Id: Iced7ebb7e5a17a0c8b1a2969ba3388a4edb9ecaf
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: reorder sync_fence_release
Erik Gilling [Thu, 12 Jul 2012 00:07:39 +0000 (17:07 -0700)]
sync: reorder sync_fence_release

Previously fence's pts were freed before the fence was removed from the
global fence list.  This led to a race with the debugfs support where it would
iterate over sync_pts that had been freed.

Change-Id: Ia3ddbf77de42ca593fc2dc353b5d04e42ddf3946
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: export sync API symbols
Erik Gilling [Wed, 16 May 2012 20:09:22 +0000 (13:09 -0700)]
sync: export sync API symbols

This is needed to allow modules to link against the sync subsystem

Change-Id: I15c1818de329f24e4113ef1d0923413b22fd0eff
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago sync: allow async waits to be canceled
Erik Gilling [Tue, 15 May 2012 23:23:26 +0000 (16:23 -0700)]
sync: allow async waits to be canceled

In order to allow drivers to cleanly handle teardown we need to allow them
to cancel pending async waits.  To do this cleanly, we move allocation of
sync_fence_waiter to the driver calling sync_async_wait().

Change-Id: Ifcd95648be6ec07026d67f810070a4310f099989
Signed-off-by: Erik Gilling <konkers@android.com>
11 years ago module.h: split out the EXPORT_SYMBOL into export.h
Paul Gortmaker [Mon, 23 May 2011 18:11:39 +0000 (14:11 -0400)]
module.h: split out the EXPORT_SYMBOL into export.h

A lot of files pull in module.h when all they are really
looking for is the basic EXPORT_SYMBOL functionality. The
recent data from Ingo[1] shows that this is one of several
instances that has a significant impact on compile times,
and it should be targeted for factoring out (as done here).

Note that several commonly used header files in include/*
directly include <linux/module.h> themselves (some 34 of them!)
The most commonly used ones of these will have to be made
independent of module.h before the full benefit of this change
can be realized.

We also transition THIS_MODULE from module.h to export.h,
since there are lots of files with subsystem structs that
in turn will have a struct module *owner and only be doing:

.owner = THIS_MODULE;

and absolutely nothing else modular. So, we also want to have
the THIS_MODULE definition present in the lightweight header.

[1] https://lkml.org/lkml/2011/5/23/76

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
11 years ago rk3168_86v: xbw:delete SDCARD_DET_FROM_GPIO
hjc [Fri, 22 Feb 2013 08:19:32 +0000 (16:19 +0800)]
rk3168_86v: xbw:delete SDCARD_DET_FROM_GPIO

11 years ago rk3168_86v: xbw SDMMC IO voltage
hjc [Fri, 22 Feb 2013 08:11:06 +0000 (16:11 +0800)]
rk3168_86v: xbw SDMMC IO voltage

11 years ago rk3188 ds1006h: sync logo
wuhao [Fri, 22 Feb 2013 08:04:56 +0000 (16:04 +0800)]
rk3188 ds1006h: sync logo

11 years ago rk: Kconfig add RK3168M support, add SOC_RK3168M config, add RK3168M TB config
黄涛 [Fri, 22 Feb 2013 07:49:03 +0000 (15:49 +0800)]
rk: Kconfig add RK3168M support, add SOC_RK3168M config, add RK3168M TB config

11 years ago rk: power_supply: add rk_get_system_battery_capacity and rk_get_system_battery_status api
黄涛 [Fri, 22 Feb 2013 07:10:24 +0000 (15:10 +0800)]
rk: power_supply: add rk_get_system_battery_capacity and rk_get_system_battery_status api

11 years ago rk3168_86v: increase the arm and logic voltage
hjc [Fri, 22 Feb 2013 06:27:21 +0000 (14:27 +0800)]
rk3168_86v: increase the arm and logic voltage

11 years ago rk3168: dvfs support voltage diff = 0
chenxing [Fri, 22 Feb 2013 03:46:58 +0000 (11:46 +0800)]
rk3168: dvfs support voltage diff = 0

11 years ago rk3188 ds1006h : sync board-rk3188-ds1006h-sdmmc-config.c
wuhao [Fri, 22 Feb 2013 02:58:08 +0000 (10:58 +0800)]
rk3188 ds1006h : sync board-rk3188-ds1006h-sdmmc-config.c

11 years ago MT6620 wifi: add the support for MT6620 wifi in RK31XX project.
xbw [Fri, 22 Feb 2013 01:26:15 +0000 (09:26 +0800)]
MT6620 wifi:  add the support for MT6620 wifi in RK31XX project.

11 years ago MT6620 wifi: mt6620 use 2.8v power.
xbw [Fri, 22 Feb 2013 01:20:58 +0000 (09:20 +0800)]
MT6620 wifi: mt6620 use 2.8v power.

11 years ago SDMMC IO voltage:
xbw [Fri, 22 Feb 2013 01:11:07 +0000 (09:11 +0800)]
SDMMC IO voltage:
  Modify a numerical definition of small flaws. Not suitable for the use of the original property is double.
  Please modify your own board-xxx-sdmmc-config.c yourself, Reference to this example.

11 years ago SDMMC-RK31XX:
xbw [Thu, 21 Feb 2013 11:09:29 +0000 (19:09 +0800)]
SDMMC-RK31XX:
   Eliminate the problem of card as unidentified during the open-device or insert-removal in suspend-resume.

11 years ago SDMMC:
xbw [Thu, 21 Feb 2013 11:01:55 +0000 (19:01 +0800)]
SDMMC:
   For example, how to modify the voltage of sdmmc0-gpio group in RK CPU.
Please modify your board-xxx-sdmmc-config.c yourself, if you want to use 1.8V for SDMMC0-PIN.

11 years ago SDMMC:
xbw [Thu, 21 Feb 2013 10:58:19 +0000 (18:58 +0800)]
SDMMC:
add the control for the voltage of sdmmc0-pin in RK-host gpio group.

11 years ago rk: rm video_state.c which replace by ddr_freq.c
黄涛 [Thu, 21 Feb 2013 10:30:03 +0000 (18:30 +0800)]
rk: rm video_state.c which replace by ddr_freq.c

11 years ago hdmi: set hdmi probe later than codec,
yzq [Thu, 21 Feb 2013 09:27:06 +0000 (17:27 +0800)]
hdmi: set hdmi probe later than codec,
fix codec not close when system start with hdmi plug

11 years ago remove printk in last updating
xxx [Thu, 21 Feb 2013 09:25:46 +0000 (17:25 +0800)]
remove printk in last updating

11 years ago dvfs support list regulator volt
xxx [Thu, 21 Feb 2013 09:17:49 +0000 (17:17 +0800)]
dvfs support list regulator volt

11 years ago rk3168_86v: deconfig add SDCARD_DET_FROM_GPIO and watchdog
hjc [Thu, 21 Feb 2013 09:00:55 +0000 (17:00 +0800)]
rk3168_86v: deconfig add SDCARD_DET_FROM_GPIO and watchdog

11 years ago add rgb2mipi display drivers for tc358768 and ssd2828
hhb [Thu, 21 Feb 2013 07:45:14 +0000 (15:45 +0800)]
add rgb2mipi display drivers for tc358768 and ssd2828

11 years ago EHCI&HSIC support
yangkai [Thu, 21 Feb 2013 07:01:21 +0000 (15:01 +0800)]
EHCI&HSIC support

11 years ago rk3066b lcdc:support 1.8V io
yxj [Thu, 21 Feb 2013 06:46:04 +0000 (14:46 +0800)]
rk3066b lcdc:support 1.8V io

11 years ago rk3066b lcdc:enable color key for win1,this will be used in pcba for camera test
yxj [Thu, 21 Feb 2013 06:08:29 +0000 (14:08 +0800)]
rk3066b lcdc:enable color key for win1,this will be used in pcba for camera test

11 years ago rk fb:fix bug for one lcdc dual display
yxj [Wed, 20 Feb 2013 12:45:44 +0000 (20:45 +0800)]
rk fb:fix bug for one lcdc dual display

11 years ago rk3188 lcdc:modify DBG
yxj [Tue, 19 Feb 2013 08:34:21 +0000 (16:34 +0800)]
rk3188 lcdc:modify DBG

11 years ago iomux: default mode: uart2&uart3: add ctsn&rtsn
kfx [Thu, 21 Feb 2013 01:12:01 +0000 (09:12 +0800)]
iomux: default mode: uart2&uart3: add ctsn&rtsn

11 years ago rk_gps: fix bug when disable gps aclk
hhb [Wed, 20 Feb 2013 07:13:14 +0000 (15:13 +0800)]
rk_gps: fix bug when disable gps aclk

11 years ago it66121 hdmi: remove debug message
yzq [Wed, 20 Feb 2013 01:16:09 +0000 (09:16 +0800)]
it66121 hdmi: remove debug message

11 years ago LR097 defconfig:add camera GC2035 SP2518 support
yxj [Tue, 19 Feb 2013 06:34:47 +0000 (14:34 +0800)]
LR097 defconfig:add camera GC2035 SP2518 support

11 years ago board LR097:update camera,charger,ddr freq
yxj [Tue, 19 Feb 2013 06:31:26 +0000 (14:31 +0800)]
board LR097:update camera,charger,ddr freq

11 years ago board LR097:ddr 533MHZ
yxj [Tue, 19 Feb 2013 02:29:42 +0000 (10:29 +0800)]
board LR097:ddr 533MHZ

11 years ago rk3188 lcdc:add alpha config
yxj [Tue, 19 Feb 2013 02:29:08 +0000 (10:29 +0800)]
rk3188 lcdc:add alpha config

11 years ago rk3188 lcdc:support set fps by sys
yxj [Tue, 19 Feb 2013 02:18:21 +0000 (10:18 +0800)]
rk3188 lcdc:support set fps by sys

11 years ago rk3168_86v: front camera gc0308 turn upside down
hjc [Tue, 19 Feb 2013 02:06:13 +0000 (10:06 +0800)]
rk3168_86v: front camera gc0308 turn upside down

11 years ago rk3168_86v: deconfig delete HDMI
hjc [Tue, 19 Feb 2013 01:56:51 +0000 (09:56 +0800)]
rk3168_86v: deconfig delete HDMI

11 years ago rk610 codec : The headphone playback the probability of loss of a channel
邱建斌 [Mon, 18 Feb 2013 12:00:54 +0000 (20:00 +0800)]
rk610 codec : The headphone playback the probability of loss of a channel

11 years ago rt5631 : fix RT5631 high frequency indicators
邱建斌 [Mon, 18 Feb 2013 11:45:18 +0000 (19:45 +0800)]
rt5631 : fix RT5631 high frequency indicators

11 years ago add light sensor cm3232 support
luowei [Mon, 18 Feb 2013 08:23:38 +0000 (16:23 +0800)]
add light sensor cm3232 support

11 years ago wifi: update mt5931 driver to 2.09
hwg [Mon, 18 Feb 2013 06:28:34 +0000 (14:28 +0800)]
wifi: update mt5931 driver to 2.09

11 years ago Merge remote-tracking branch 'stable/linux-3.0.y' into develop-3.0
黄涛 [Mon, 18 Feb 2013 04:31:44 +0000 (12:31 +0800)]
Merge remote-tracking branch 'stable/linux-3.0.y' into develop-3.0

Merge v3.0.65
Conflicts:
Makefile
drivers/net/wireless/ath/ath9k/beacon.c
drivers/net/wireless/ath/ath9k/htc_hst.c

11 years ago add sensor version info
luowei [Mon, 18 Feb 2013 03:52:49 +0000 (11:52 +0800)]
add sensor version info

11 years ago Merge remote-tracking branch 'aosp/android-3.0' into develop-3.0
黄涛 [Mon, 18 Feb 2013 03:08:41 +0000 (11:08 +0800)]
Merge remote-tracking branch 'aosp/android-3.0' into develop-3.0

Conflicts:
drivers/net/wireless/bcmdhd/Makefile
drivers/net/wireless/bcmdhd/dhd.h
drivers/net/wireless/bcmdhd/dhd_common.c
drivers/net/wireless/bcmdhd/dhd_linux.c
drivers/net/wireless/bcmdhd/include/epivers.h
drivers/net/wireless/bcmdhd/wl_cfg80211.c
drivers/net/wireless/bcmdhd/wl_cfgp2p.c

11 years ago rk3188: Kconfig: enable RK_SRAM_DMA
黄涛 [Mon, 18 Feb 2013 02:46:05 +0000 (10:46 +0800)]
rk3188: Kconfig: enable RK_SRAM_DMA

11 years ago rk3188: Kconfig: depends on ARCH_RK3188
黄涛 [Mon, 18 Feb 2013 02:32:41 +0000 (10:32 +0800)]
rk3188: Kconfig: depends on ARCH_RK3188

11 years ago Linux 3.0.65
Greg Kroah-Hartman [Sun, 17 Feb 2013 18:46:34 +0000 (10:46 -0800)]
Linux 3.0.65

11 years ago igb: Remove artificial restriction on RQDPC stat reading
Alexander Duyck [Wed, 8 Aug 2012 05:23:22 +0000 (05:23 +0000)]
igb: Remove artificial restriction on RQDPC stat reading

commit ae1c07a6b7ced6c0c94c99e3b53f4e7856fa8bff upstream.

For some reason the reading of the RQDPC register was being artificially
limited to 4K.  Instead of limiting the value we should read the value and
add the full amount.  Otherwise this can lead to a misleading number of
dropped packets when the actual value is in fact much higher.

Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Cc: Vinson Lee <vlee@twitter.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago PCI/PM: Clean up PME state when removing a device
Rafael J. Wysocki [Mon, 11 Feb 2013 19:49:49 +0000 (20:49 +0100)]
PCI/PM: Clean up PME state when removing a device

commit 249bfb83cf8ba658955f0245ac3981d941f746ee upstream.

Devices are added to pci_pme_list when drivers use pci_enable_wake()
or pci_wake_from_d3(), but they aren't removed from the list unless
the driver explicitly disables wakeup.  Many drivers never disable
wakeup, so their devices remain on the list even after they are
removed, e.g., via hotplug.  A subsequent PME poll will oops when
it tries to touch the device.

This patch disables PME# on a device before removing it, which removes
the device from pci_pme_list.  This is safe even if the device never
had PME# enabled.

This oops can be triggered by unplugging a Thunderbolt ethernet adapter
on a Macbook Pro, as reported by Daniel below.

[bhelgaas: changelog]
Reference: http://lkml.kernel.org/r/CAMVG2svG21yiM1wkH4_2pen2n+cr2-Zv7TbH3Gj+8MwevZjDbw@mail.gmail.com
Reported-and-tested-by: Daniel J Blueman <daniel@quora.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.
Jan Beulich [Thu, 24 Jan 2013 13:11:10 +0000 (13:11 +0000)]
x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.

commit 13d2b4d11d69a92574a55bfd985cfb0ca77aebdc upstream.

This fixes CVE-2013-0228 / XSA-42

Drew Jones while working on CVE-2013-0190 found that unprivileged guest user
in 32bit PV guest can use to crash the guest with the panic like this:

-------------
general protection fault: 0000 [#1] SMP
last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4
iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6
xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4
mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last
unloaded: scsi_wait_scan]

Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
EIP: 0061:[<c0407462>] EFLAGS: 00010086 CPU: 0
EIP is at xen_iret+0x12/0x2b
EAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010
ESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0
 DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
Process r (pid: 1250, ti=eb8d0000 task=c2953550 task.ti=eb8d0000)
Stack:
 00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
Call Trace:
Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00
8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40
10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
EIP: [<c0407462>] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0
general protection fault: 0000 [#2]
---[ end trace ab0d29a492dcd330 ]---
Kernel panic - not syncing: Fatal exception
Pid: 1250, comm: r Tainted: G      D    ---------------
2.6.32-356.el6.i686 #1
Call Trace:
 [<c08476df>] ? panic+0x6e/0x122
 [<c084b63c>] ? oops_end+0xbc/0xd0
 [<c084b260>] ? do_general_protection+0x0/0x210
 [<c084a9b7>] ? error_code+0x73/
-------------

Petr says: "
 I've analysed the bug and I think that xen_iret() cannot cope with
 mangled DS, in this case zeroed out (null selector/descriptor) by either
 xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT
 entry was invalidated by the reproducer. "

Jan took a look at the preliminary patch and came up with a fix that solves
this problem:

"This code gets called after all registers other than those handled by
IRET got already restored, hence a null selector in %ds or a non-null
one that got loaded from a code or read-only data descriptor would
cause a kernel mode fault (with the potential of crashing the kernel
as a whole, if panic_on_oops is set)."

The way to fix this is to realize that we can only rely on the
registers that IRET restores. The two that are guaranteed are the
%cs and %ss as they are always fixed GDT selectors. Also they are
inaccessible from user mode - so they cannot be altered. This is
the approach taken in this patch.

Another alternative option suggested by Jan would be to rely on
the subtle realization that using the %ebp or %esp relative references uses
the %ss segment.  In which case we could switch from using %eax to %ebp and
would not need the %ss over-rides. That would also require one extra
instruction to compensate for the one place where the register is used
as scaled index. However Andrew pointed out that is too subtle and if
further work was to be done in this code-path it could escape folks' attention
and lead to accidents.

Reviewed-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago x86/mm: Check if PUD is large when validating a kernel address
Mel Gorman [Mon, 11 Feb 2013 14:52:36 +0000 (14:52 +0000)]
x86/mm: Check if PUD is large when validating a kernel address

commit 0ee364eb316348ddf3e0dfcd986f5f13f528f821 upstream.

A user reported the following oops when a backup process reads
/proc/kcore:

 BUG: unable to handle kernel paging request at ffffbb00ff33b000
 IP: [<ffffffff8103157e>] kern_addr_valid+0xbe/0x110
 [...]

 Call Trace:
  [<ffffffff811b8aaa>] read_kcore+0x17a/0x370
  [<ffffffff811ad847>] proc_reg_read+0x77/0xc0
  [<ffffffff81151687>] vfs_read+0xc7/0x130
  [<ffffffff811517f3>] sys_read+0x53/0xa0
  [<ffffffff81449692>] system_call_fastpath+0x16/0x1b

Investigation determined that the bug triggered when reading
system RAM at the 4G mark. On this system, that was the first
address using 1G pages for the virt->phys direct mapping so the
PUD is pointing to a physical address, not a PMD page.

The problem is that the page table walker in kern_addr_valid() is
not checking pud_large() and treats the physical address as if
it was a PMD.  If it happens to look like pmd_none then it'll
silently fail, probably returning zeros instead of real data. If
the data happens to look like a present PMD though, it will be
walked resulting in the oops above.

This patch adds the necessary pud_large() check.

Unfortunately the problem was not readily reproducible and now
they are running the backup program without accessing
/proc/kcore so the patch has not been validated but I think it
makes sense.

Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.coM>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago rk3188 ds1006h : boot logo use linux default
Cody Xie [Sat, 16 Feb 2013 03:28:07 +0000 (11:28 +0800)]
rk3188 ds1006h : boot logo use linux default

11 years ago rk3188 lr097: defconfig add support charger display
Cody Xie [Fri, 15 Feb 2013 08:31:33 +0000 (16:31 +0800)]
rk3188 lr097: defconfig add support charger display

11 years ago rk3188 ds1006h : do not invoke act8846_device_shutdown when shutdown without charger...
Cody Xie [Fri, 15 Feb 2013 08:22:36 +0000 (16:22 +0800)]
rk3188 ds1006h : do not invoke act8846_device_shutdown when shutdown without charger plugged in.
                 this would cause tablet cannot boot while plug in charger
                 and it can boot normally by press power button

11 years ago rk3188 ds1006h: defconfig add support usb uart and charger display
Cody Xie [Fri, 15 Feb 2013 07:53:00 +0000 (15:53 +0800)]
rk3188 ds1006h: defconfig add support usb uart and charger display

11 years ago Linux 3.0.64
Greg Kroah-Hartman [Thu, 14 Feb 2013 18:50:09 +0000 (10:50 -0800)]
Linux 3.0.64

11 years ago netback: correct netbk_tx_err to handle wrap around.
Ian Campbell [Wed, 6 Feb 2013 23:41:38 +0000 (23:41 +0000)]
netback: correct netbk_tx_err to handle wrap around.

[ Upstream commit b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 ]

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago xen/netback: free already allocated memory on failure in xen_netbk_get_requests
Ian Campbell [Wed, 6 Feb 2013 23:41:37 +0000 (23:41 +0000)]
xen/netback: free already allocated memory on failure in xen_netbk_get_requests

[ Upstream commit 4cc7c1cb7b11b6f3515bd9075527576a1eecc4aa ]

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
Matthew Daley [Wed, 6 Feb 2013 23:41:36 +0000 (23:41 +0000)]
xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.

[ Upstream commit 7d5145d8eb2b9791533ffe4dc003b129b9696c48 ]

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago xen/netback: shutdown the ring if it contains garbage.
Ian Campbell [Wed, 6 Feb 2013 23:41:35 +0000 (23:41 +0000)]
xen/netback: shutdown the ring if it contains garbage.

[ Upstream commit 48856286b64e4b66ec62b94e504d0b29c1ade664 ]

A buggy or malicious frontend should not be able to confuse netback.
If we spot anything which is not as it should be then shutdown the
device and don't try to continue with the ring in a potentially
hostile state. Well behaved and non-hostile frontends will not be
penalised.

As well as making the existing checks for such errors fatal also add a
new check that ensures that there isn't an insane number of requests
on the ring (i.e. more than would fit in the ring). If the ring
contains garbage then previously it was possible to loop over this
insane number, getting an error each time and therefore not generating
any more pending requests and therefore not exiting the loop in
xen_netbk_tx_build_gops for an extended period.

Also turn various netdev_dbg calls which now precipitate a fatal error
into netdev_err, they are rate limited because the device is shutdown
afterwards.

This fixes at least one known DoS/softlockup of the backend domain.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago tg3: Fix crc errors on jumbo frame receive
Nithin Nayak Sujir [Mon, 14 Jan 2013 17:11:00 +0000 (17:11 +0000)]
tg3: Fix crc errors on jumbo frame receive

[ Upstream commit daf3ec688e057f6060fb9bb0819feac7a8bbf45c ]

TG3_PHY_AUXCTL_SMDSP_ENABLE/DISABLE macros do a blind write to the phy
auxiliary control register and overwrite the EXT_PKT_LEN (bit 14) resulting
in intermittent crc errors on jumbo frames with some link partners. Change
the code to do a read/modify/write.

Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode
Nithin Nayak Sujir [Mon, 14 Jan 2013 17:10:59 +0000 (17:10 +0000)]
tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode

[ Upstream commit 9c13cb8bb477a83b9a3c9e5a5478a4e21294a760 ]

When netconsole is enabled, logging messages generated during tg3_open
can result in a null pointer dereference for the uninitialized tg3
status block. Use the irq_sync flag to disable polling in the early
stages. irq_sync is cleared when the driver is enabling interrupts after
all initialization is completed.

Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago bridge: Pull ip header into skb->data before looking into ip header.
Sarveshwar Bandi [Wed, 10 Oct 2012 01:15:01 +0000 (01:15 +0000)]
bridge: Pull ip header into skb->data before looking into ip header.

[ Upstream commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 ]

If lower layer driver leaves the ip header in the skb fragment, it needs to
be first pulled into skb->data before inspecting ip header length or ip version
number.

Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago tcp: fix MSG_SENDPAGE_NOTLAST logic
Eric Dumazet [Sun, 6 Jan 2013 18:21:49 +0000 (18:21 +0000)]
tcp: fix MSG_SENDPAGE_NOTLAST logic

[ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ]

commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once)
added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all
frags but the last one for a splice() call.

The condition used to set the flag in pipe_to_sendpage() relied on
splice() user passing the exact number of bytes present in the pipe,
or a smaller one.

But some programs pass an arbitrary high value, and the test fails.

The effect of this bug is a lack of tcp_push() at the end of a
splice(pipe -> socket) call, and possibly very slow or erratic TCP
sessions.

We should both test sd->total_len and the fact that another fragment
is in the pipe (pipe->nrbufs > 1)

Many thanks to Willy for providing very clear bug report, bisection
and test programs.

Reported-by: Willy Tarreau <w@1wt.eu>
Bisected-by: Willy Tarreau <w@1wt.eu>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago tcp: fix for zero packets_in_flight was too broad
Ilpo Järvinen [Mon, 4 Feb 2013 02:14:25 +0000 (02:14 +0000)]
tcp: fix for zero packets_in_flight was too broad

[ Upstream commit 6731d2095bd4aef18027c72ef845ab1087c3ba63 ]

There are transients during normal FRTO procedure during which
the packets_in_flight can go to zero between write_queue state
updates and firing the resulting segments out. As FRTO processing
occurs during that window the check must be more precise to
not match "spuriously" :-). More specifically, e.g., when
packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic
branch that set cwnd into zero would not be taken and new segments
might be sent out later.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Tested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago tcp: frto should not set snd_cwnd to 0
Eric Dumazet [Sun, 3 Feb 2013 09:13:05 +0000 (09:13 +0000)]
tcp: frto should not set snd_cwnd to 0

[ Upstream commit 2e5f421211ff76c17130b4597bc06df4eeead24f ]

Commit 9dc274151a548 (tcp: fix ABC in tcp_slow_start())
uncovered a bug in FRTO code :
tcp_process_frto() is setting snd_cwnd to 0 if the number
of in flight packets is 0.

As Neal pointed out, if no packet is in flight we lost our
chance to disambiguate whether a loss timeout was spurious.

We should assume it was a proper loss.

Reported-by: Pasi Kärkkäinen <pasik@iki.fi>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago net: sctp: sctp_endpoint_free: zero out secret key data
Daniel Borkmann [Fri, 8 Feb 2013 03:04:35 +0000 (03:04 +0000)]
net: sctp: sctp_endpoint_free: zero out secret key data

[ Upstream commit b5c37fe6e24eec194bb29d22fdd55d73bcc709bf ]

On sctp_endpoint_destroy, previously used sensitive keying material
should be zeroed out before the memory is returned, as we already do
with e.g. auth keys when released.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
Daniel Borkmann [Fri, 8 Feb 2013 03:04:34 +0000 (03:04 +0000)]
net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree

[ Upstream commit 6ba542a291a5e558603ac51cda9bded347ce7627 ]

In sctp_setsockopt_auth_key, we create a temporary copy of the user
passed shared auth key for the endpoint or association and after
internal setup, we free it right away. Since it's sensitive data, we
should zero out the key before returning the memory back to the
allocator. Thus, use kzfree instead of kfree, just as we do in
sctp_auth_key_put().

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
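
Added example, not part of either SCTP patch above and not kernel code: a user-space C sketch of the zero-before-free pattern those two commits apply, showing how many key bytes are still in the buffer when it goes back to the allocator. The names tmp_key, key_dup, key_free_zeroed, release and residual_after_free are hypothetical, and the key is a constructed sample value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct tmp_key { size_t len; unsigned char data[]; };  /* hypothetical */
static size_t residual;   /* non-zero key bytes seen at release time */
/* Instrumented release: count key bytes still present, then free. */
static void release(struct tmp_key *k)
{
    residual = 0;
    for (size_t i = 0; i < k->len; i++)
        residual += (k->data[i] != 0);
    free(k);
}

static struct tmp_key *key_dup(const unsigned char *src, size_t len)
{
    struct tmp_key *k;
    if (len > (size_t)-1 - sizeof(*k) || !(k = malloc(sizeof(*k) + len)))
        return NULL;
    k->len = len;
    memcpy(k->data, src, len);
    return k;
}

/* kzfree()-like: wipe via a volatile pointer (stores are kept), then release. */
static void key_free_zeroed(struct tmp_key *k)
{
    if (!k) return;
    volatile unsigned char *p = k->data;
    for (size_t i = 0; i < k->len; i++)
        p[i] = 0;
    release(k);
}

/* Key bytes left in the buffer at release: zeroed=0 is the kfree()-like path. */
size_t residual_after_free(int zeroed)
{
    static const unsigned char key[] = "constructed-key";  /* sample value */
    struct tmp_key *k = key_dup(key, sizeof(key) - 1);
    if (!k) return (size_t)-1;
    if (zeroed) key_free_zeroed(k); else release(k);
    return residual;
}

int main(void)
{
    printf("plain=%zu zeroed=%zu\n", residual_after_free(0), residual_after_free(1));
    return 0;
}
```

Unlike kzfree(), this sketch wipes only the key bytes it knows the length of, not the whole underlying allocation.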
11 years ago sctp: refactor sctp_outq_teardown to insure proper re-initalization
Neil Horman [Thu, 17 Jan 2013 11:15:08 +0000 (11:15 +0000)]
sctp: refactor sctp_outq_teardown to insure proper re-initalization

[ Upstream commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 ]

Jamie Parsons reported a problem recently, in which the re-initialization of an
association (The duplicate init case), resulted in a loss of receive window
space.  He tracked down the root cause to sctp_outq_teardown, which discarded
all the data on an outq during a re-initialization of the corresponding
association, but never reset the outq->outstanding_data field to zero.  I wrote,
and he tested this fix, which does a proper full re-initialization of the outq,
fixing this problem, and hopefully future proofing us from similar issues down
the road.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Jamie Parsons <Jamie.Parsons@metaswitch.com>
Tested-by: Jamie Parsons <Jamie.Parsons@metaswitch.com>
CC: Jamie Parsons <Jamie.Parsons@metaswitch.com>
CC: Vlad Yasevich <vyasevich@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago atm/iphase: rename fregt_t -> ffreg_t
Heiko Carstens [Fri, 8 Feb 2013 00:19:11 +0000 (00:19 +0000)]
atm/iphase: rename fregt_t -> ffreg_t

[ Upstream commit ab54ee80aa7585f9666ff4dd665441d7ce41f1e8 ]

We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
iphase atm device driver, which causes the compile error below.
Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
nor can I change the include order in s390 code to avoid the conflict.

So simply rename the iphase typedef to a new name. Fixes this compile error:

In file included from drivers/atm/iphase.c:66:0:
drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
In file included from next/arch/s390/include/asm/ptrace.h:9:0,
                 from next/arch/s390/include/asm/lowcore.h:12,
                 from next/arch/s390/include/asm/thread_info.h:30,
                 from include/linux/thread_info.h:54,
                 from include/linux/preempt.h:9,
                 from include/linux/spinlock.h:50,
                 from include/linux/seqlock.h:29,
                 from include/linux/time.h:5,
                 from include/linux/stat.h:18,
                 from include/linux/module.h:10,
                 from drivers/atm/iphase.c:43:
next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Acked-by: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago packet: fix leakage of tx_ring memory
Phil Sutter [Fri, 1 Feb 2013 07:21:41 +0000 (07:21 +0000)]
packet: fix leakage of tx_ring memory

[ Upstream commit 9665d5d62487e8e7b1f546c00e11107155384b9a ]

When releasing a packet socket, the routine packet_set_ring() is reused
to free rings instead of allocating them. But when calling it for the
first time, it fills req->tp_block_nr with the value of rb->pg_vec_len
which in the second invocation makes it bail out since req->tp_block_nr
is greater than zero but req->tp_block_size is zero.

This patch solves the problem by passing a zeroed auto-variable to
packet_set_ring() upon each invocation from packet_release().

As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING
and packet mmap), i.e. the original inclusion of TX ring support into
af_packet, but applies only to sockets with both RX and TX ring
allocated, which is probably why this was unnoticed all the time.

Signed-off-by: Phil Sutter <phil.sutter@viprinet.com>
Cc: Johann Baudy <johann.baudy@gnu-log.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago ipv6: do not create neighbor entries for local delivery
Marcelo Ricardo Leitner [Tue, 29 Jan 2013 22:26:08 +0000 (22:26 +0000)]
ipv6: do not create neighbor entries for local delivery

[ Upstream commit bd30e947207e2ea0ff2c08f5b4a03025ddce48d3 ]

They will be created at output, if ever needed. This avoids creating
empty neighbor entries when TPROXYing/Forwarding packets for addresses
that are not even directly reachable.

Note that IPv4 already handles it this way. No neighbor entries are
created for local input.

Tested by myself and customer.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago pktgen: correctly handle failures when adding a device
Cong Wang [Sun, 27 Jan 2013 21:14:08 +0000 (21:14 +0000)]
pktgen: correctly handle failures when adding a device

[ Upstream commit 604dfd6efc9b79bce432f2394791708d8e8f6efc ]

The return value of pktgen_add_device() is not checked, so
even if we fail to add some device, for example, a non-existent one,
we still see "OK:...". This patch fixes it.

After this patch, I got:

# echo "add_device non-exist" > /proc/net/pktgen/kpktgend_0
-bash: echo: write error: No such device
# cat /proc/net/pktgen/kpktgend_0
Running:
Stopped:
Result: ERROR: can not add device non-exist
# echo "add_device eth0" > /proc/net/pktgen/kpktgend_0
# cat /proc/net/pktgen/kpktgend_0
Running:
Stopped: eth0
Result: OK: add_device=eth0

(Candidate for -stable)

Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago net: loopback: fix a dst refcounting issue
Eric Dumazet [Fri, 25 Jan 2013 07:44:41 +0000 (07:44 +0000)]
net: loopback: fix a dst refcounting issue

[ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ]

Ben Greear reported crashes in ip_rcv_finish() on a stress
test involving many macvlans.

We tracked the bug to a dst use after free. ip_rcv_finish()
was calling dst->input() and got garbage for dst->input value.

It appears the bug is in loopback driver, lacking
a skb_dst_force() before calling netif_rx().

As a result, a non refcounted dst, normally protected by a
RCU read_lock section, was escaping this section and could
be freed before the packet being processed.

  [<ffffffff813a3c4d>] loopback_xmit+0x64/0x83
  [<ffffffff81477364>] dev_hard_start_xmit+0x26c/0x35e
  [<ffffffff8147771a>] dev_queue_xmit+0x2c4/0x37c
  [<ffffffff81477456>] ? dev_hard_start_xmit+0x35e/0x35e
  [<ffffffff8148cfa6>] ? eth_header+0x28/0xb6
  [<ffffffff81480f09>] neigh_resolve_output+0x176/0x1a7
  [<ffffffff814ad835>] ip_finish_output2+0x297/0x30d
  [<ffffffff814ad6d5>] ? ip_finish_output2+0x137/0x30d
  [<ffffffff814ad90e>] ip_finish_output+0x63/0x68
  [<ffffffff814ae412>] ip_output+0x61/0x67
  [<ffffffff814ab904>] dst_output+0x17/0x1b
  [<ffffffff814adb6d>] ip_local_out+0x1e/0x23
  [<ffffffff814ae1c4>] ip_queue_xmit+0x315/0x353
  [<ffffffff814adeaf>] ? ip_send_unicast_reply+0x2cc/0x2cc
  [<ffffffff814c018f>] tcp_transmit_skb+0x7ca/0x80b
  [<ffffffff814c3571>] tcp_connect+0x53c/0x587
  [<ffffffff810c2f0c>] ? getnstimeofday+0x44/0x7d
  [<ffffffff810c2f56>] ? ktime_get_real+0x11/0x3e
  [<ffffffff814c6f9b>] tcp_v4_connect+0x3c2/0x431
  [<ffffffff814d6913>] __inet_stream_connect+0x84/0x287
  [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
  [<ffffffff8108d695>] ? _local_bh_enable_ip+0x84/0x9f
  [<ffffffff8108d6c8>] ? local_bh_enable+0xd/0x11
  [<ffffffff8146763c>] ? lock_sock_nested+0x6e/0x79
  [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
  [<ffffffff814d6b49>] inet_stream_connect+0x33/0x49
  [<ffffffff814632c6>] sys_connect+0x75/0x98

This bug was introduced in linux-2.6.35, in commit
7fee226ad2397b (net: add a noref bit on skb dst)

skb_dst_force() is enforced in dev_queue_xmit() for devices having a
qdisc.

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago r8169: remove the obsolete and incorrect AMD workaround
Timo Teräs [Mon, 21 Jan 2013 22:30:35 +0000 (22:30 +0000)]
r8169: remove the obsolete and incorrect AMD workaround

[ Upstream commit 5d0feaff230c0abfe4a112e6f09f096ed99e0b2d ]

This was introduced in commit 6dccd16 "r8169: merge with version
6.001.00 of Realtek's r8169 driver". I did not find the version
6.001.00 online, but in 6.002.00 or any later r8169 from Realtek
this hunk is no longer present.

Also commit 05af214 "r8169: fix Ethernet Hangup for RTL8110SC
rev d" claims to have fixed this issue otherwise.

The magic compare mask of 0xfffe000 is dubious as it masks
parts of the Reserved part, and parts of the VLAN tag. But this
does not make much sense as the VLAN tag parts are perfectly
valid there. As a matter of fact this seems to be triggered with
any VLAN tagged packet as RxVlanTag bit is matched. I would
suspect 0xfffe0000 was intended to test reserved part only.

Finally, this hunk is evil as it can cause more packets to be
handled than what was NAPI quota causing net/core/dev.c:
net_rx_action(): WARN_ON_ONCE(work > weight) to trigger, and
mess up the NAPI state causing device to hang.

As a result, any system using VLANs and having high receive
traffic (so that NAPI poll budget limits rtl_rx) would result
in device hang.

Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago isdn/gigaset: fix zero size border case in debug dump
Tilman Schmidt [Mon, 21 Jan 2013 11:57:21 +0000 (11:57 +0000)]
isdn/gigaset: fix zero size border case in debug dump

[ Upstream commit d721a1752ba544df8d7d36959038b26bc92bdf80 ]

If subtracting 12 from l leaves zero we'd do a zero size allocation,
leading to an oops later when we try to set the NUL terminator.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago MAINTAINERS: Stephen Hemminger email change
Stephen Hemminger [Wed, 16 Jan 2013 17:55:57 +0000 (09:55 -0800)]
MAINTAINERS: Stephen Hemminger email change

[ Upstream commit adbbf69d1a54abf424e91875746a610dcc80017d ]

I changed my email because the vyatta.com mail server is now
redirected to brocade.com; and the Brocade mail system
is not friendly to Linux desktop users.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>