openwrt/staging/blogic.git
11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Linus Torvalds [Tue, 2 Jul 2013 16:28:37 +0000 (09:28 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs

Pull VFS patches (part 1) from Al Viro:
 "The major change in this pile is ->readdir() replacement with
  ->iterate(), dealing with ->f_pos races in ->readdir() instances for
  good.

  There's a lot more, but I'd prefer to split the pull request into
  several stages and this is the first obvious cutoff point."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (67 commits)
  [readdir] constify ->actor
  [readdir] ->readdir() is gone
  [readdir] convert ecryptfs
  [readdir] convert coda
  [readdir] convert ocfs2
  [readdir] convert fatfs
  [readdir] convert xfs
  [readdir] convert btrfs
  [readdir] convert hostfs
  [readdir] convert afs
  [readdir] convert ncpfs
  [readdir] convert hfsplus
  [readdir] convert hfs
  [readdir] convert befs
  [readdir] convert cifs
  [readdir] convert freevxfs
  [readdir] convert fuse
  [readdir] convert hpfs
  reiserfs: switch reiserfs_readdir_dentry to inode
  reiserfs: is_privroot_deh() needs only directory inode, actually
  ...

11 years agosync: don't block the flusher thread waiting on IO
Dave Chinner [Tue, 2 Jul 2013 12:38:35 +0000 (22:38 +1000)]
sync: don't block the flusher thread waiting on IO

When sync does it's WB_SYNC_ALL writeback, it issues data Io and
then immediately waits for IO completion. This is done in the
context of the flusher thread, and hence completely ties up the
flusher thread for the backing device until all the dirty inodes
have been synced. On filesystems that are dirtying inodes constantly
and quickly, this means the flusher thread can be tied up for
minutes per sync call and hence badly affect system level write IO
performance as the page cache cannot be cleaned quickly.

We already have a wait loop for IO completion for sync(2), so cut
this out of the flusher thread and delegate it to wait_sb_inodes().
Hence we can do rapid IO submission, and then wait for it all to
complete.

Effect of sync on fsmark before the patch:

FSUse%        Count         Size    Files/sec     App Overhead
.....
     0       640000         4096      35154.6          1026984
     0       720000         4096      36740.3          1023844
     0       800000         4096      36184.6           916599
     0       880000         4096       1282.7          1054367
     0       960000         4096       3951.3           918773
     0      1040000         4096      40646.2           996448
     0      1120000         4096      43610.1           895647
     0      1200000         4096      40333.1           921048

And a single sync pass took:

  real    0m52.407s
  user    0m0.000s
  sys     0m0.090s

After the patch, there is no impact on fsmark results, and each
individual sync(2) operation run concurrently with the same fsmark
workload takes roughly 7s:

  real    0m6.930s
  user    0m0.000s
  sys     0m0.039s

IOWs, sync is 7-8x faster on a busy filesystem and does not have an
adverse impact on ongoing async data write operations.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoLinux 3.10
Linus Torvalds [Sun, 30 Jun 2013 22:13:29 +0000 (15:13 -0700)]
Linux 3.10

11 years agoMerge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
Linus Torvalds [Sun, 30 Jun 2013 22:08:15 +0000 (15:08 -0700)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc

Pull another powerpc fix from Benjamin Herrenschmidt:
 "I mentioned that while we had fixed the kernel crashes, EEH error
  recovery didn't always recover...  It appears that I had a fix for
  that already in powerpc-next (with a stable CC).

  I cherry-picked it today and did a few tests and it seems that things
  now work quite well.  The patch is also pretty simple, so I see no
  reason to wait before merging it."

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
  powerpc/eeh: Fix fetching bus for single-dev-PE

11 years agoMerge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Linus Torvalds [Sun, 30 Jun 2013 22:06:25 +0000 (15:06 -0700)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is a set of seven bug fixes.  Several fcoe fixes for locking
  problems, initiator issues and a VLAN API change, all of which could
  eventually lead to data corruption, one fix for a qla2xxx locking
  problem which could lead to multiple completions of the same request
  (and subsequent data corruption) and a use after free in the ipr
  driver.  Plus one minor MAINTAINERS file update"

(only six bugfixes in this pull, since I had already pulled the fcoe API
fix directly from Robert Love)

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  [SCSI] ipr: Avoid target_destroy accessing memory after it was freed
  [SCSI] qla2xxx: Fix for locking issue between driver ISR and mailbox routines
  MAINTAINERS: Fix fcoe mailing list
  libfc: extend ex_lock to protect all of fc_seq_send
  libfc: Correct check for initiator role
  libfcoe: Fix Conflicting FCFs issue in the fabric

11 years agopowerpc/eeh: Fix fetching bus for single-dev-PE
Gavin Shan [Wed, 5 Jun 2013 07:34:02 +0000 (15:34 +0800)]
powerpc/eeh: Fix fetching bus for single-dev-PE

While running Linux as guest on top of phyp, we possiblly have
PE that includes single PCI device. However, we didn't return
its PCI bus correctly and it leads to failure on recovery from
EEH errors for single-dev-PE. The patch fixes the issue.

Cc: <stable@vger.kernel.org> # v3.7+
Cc: Steve Best <sbest@us.ibm.com>
Signed-off-by: Gavin Shan <shangw@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
11 years agoMerge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
Linus Torvalds [Sun, 30 Jun 2013 00:02:48 +0000 (17:02 -0700)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc

Pull powerpc fixes from Ben Herrenschmidt:
 "We discovered some breakage in our "EEH" (PCI Error Handling) code
  while doing error injection, due to a couple of regressions.  One of
  them is due to a patch (37f02195bee9 "powerpc/pci: fix PCI-e devices
  rescan issue on powerpc platform") that, in hindsight, I shouldn't
  have merged considering that it caused more problems than it solved.

  Please pull those two fixes.  One for a simple EEH address cache
  initialization issue.  The other one is a patch from Guenter that I
  had originally planned to put in 3.11 but which happens to also fix
  that other regression (a kernel oops during EEH error handling and
  possibly hotplug).

  With those two, the couple of test machines I've hammered with error
  injection are remaining up now.  EEH appears to still fail to recover
  on some devices, so there is another problem that Gavin is looking
  into but at least it's no longer crashing the kernel."

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
  powerpc/pci: Improve device hotplug initialization
  powerpc/eeh: Add eeh_dev to the cache during boot

11 years agoARM: dt: Only print warning, not WARN() on bad cpu map in device tree
Olof Johansson [Sat, 29 Jun 2013 23:25:14 +0000 (16:25 -0700)]
ARM: dt: Only print warning, not WARN() on bad cpu map in device tree

Due to recent changes and expecations of proper cpu bindings, there are
now cases for many of the in-tree devicetrees where a WARN() will hit
on boot due to badly formatted /cpus nodes.

Downgrade this to a pr_warn() to be less alarmist, since it's not a
new problem.

Tested on Arndale, Cubox, Seaboard and Panda ES. Panda hits the WARN
without this, the others do not.

Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agopowerpc/pci: Improve device hotplug initialization
Guenter Roeck [Mon, 10 Jun 2013 17:18:08 +0000 (10:18 -0700)]
powerpc/pci: Improve device hotplug initialization

Commit 37f02195b (powerpc/pci: fix PCI-e devices rescan issue on powerpc
platform) fixes a problem with interrupt and DMA initialization on hot
plugged devices. With this commit, interrupt and DMA initialization for
hot plugged devices is handled in the pci device enable function.

This approach has a couple of drawbacks. First, it creates two code paths
for device initialization, one for hot plugged devices and another for devices
known during the initial PCI scan. Second, the initialization code for hot
plugged devices is only called when the device is enabled, ie typically
in the probe function. Also, the platform specific setup code is called each
time pci_enable_device() is called, not only once during device discovery,
meaning it is actually called multiple times, once for devices discovered
during the initial scan and again each time a driver is re-loaded.

The visible result is that interrupt pins are only assigned to hot plugged
devices when the device driver is loaded. Effectively this changes the PCI
probe API, since pci_dev->irq and the device's dma configuration will now
only be valid after pci_enable() was called at least once. A more subtle
change is that platform specific PCI device setup is moved from device
discovery into the driver's probe function, more specifically into the
pci_enable_device() call.

To fix the inconsistencies, add new function pcibios_add_device.
Call pcibios_setup_device from pcibios_setup_bus_devices if device setup
is not complete, and from pcibios_add_device if bus setup is complete.

With this change, device setup code is moved back into device initialization,
and called exactly once for both static and hot plugged devices.

[ This also fixes a regression introduced by the above patch which
  causes dev->irq to be overwritten under some cirumstances after
  MSIs have been enabled for the device which leads to crashes due
  to the MSI core "hijacking" dev->irq to store the base MSI number
  and not the LSI. --BenH
]

Cc: Yuanquan Chen <Yuanquan.Chen@freescale.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Hiroo Matsumoto <matsumoto.hiroo@jp.fujitsu.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
11 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Linus Torvalds [Sat, 29 Jun 2013 18:34:18 +0000 (11:34 -0700)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

Pull crypto fix from Herbert Xu:
 "This fixes a crash in the crypto layer exposed by an SCTP test tool"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: algboss - Hold ref count on larval

11 years agoMerge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Sat, 29 Jun 2013 18:32:05 +0000 (11:32 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm/qxl fix from Dave Airlie:
 "Bad me forgot an access check, possible security issue, but since this
  is the first kernel with it, should be fine to just put it in now"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/qxl: add missing access check for execbuffer ioctl

11 years agoFix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation
Mathieu Desnoyers [Fri, 28 Jun 2013 13:49:46 +0000 (09:49 -0400)]
Fix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation

This __put_user() could be used by unprivileged processes to write into
kernel memory.  The issue here is that even if copy_siginfo_to_user()
fails, the error code is not checked before __put_user() is executed.

Luckily, ptrace_peek_siginfo() has been added within the 3.10-rc cycle,
so it has not hit a stable release yet.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrey Vagin <avagin@openvz.org>
Cc: Roland McGrath <roland@redhat.com>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Pedro Alves <palves@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph...
Linus Torvalds [Sat, 29 Jun 2013 17:31:15 +0000 (10:31 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client

Pull Ceph fix from Sage Weil:
 "This is a recently spotted regression in the snapshot behavior...

  It turns out several tests weren't being run in the nightlies so this
  took a while to spot"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  rbd: send snapshot context with writes

11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Linus Torvalds [Sat, 29 Jun 2013 17:30:31 +0000 (10:30 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs

Pull ubifs fixes from Al Viro:
 "A couple of ubifs readdir/lseek race fixes.  Stable fodder, really
  nasty..."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  UBIFS: fix a horrid bug
  UBIFS: prepare to fix a horrid bug

11 years agoMerge tag 'for-linus-20130628' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowe...
Linus Torvalds [Sat, 29 Jun 2013 17:28:52 +0000 (10:28 -0700)]
Merge tag 'for-linus-20130628' of git://git./linux/kernel/git/dhowells/linux-mn10300

Pull two MN10300 fixes from David Howells:
 "The first fixes a problem with passing arrays rather than pointers to
  get_user() where __typeof__ then wants to declare and initialise an
  array variable which gcc doesn't like.

  The second fixes a problem whereby putting mem=xxx into the kernel
  command line causes init=xxx to get an incorrect value."

* tag 'for-linus-20130628' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-mn10300:
  mn10300: Use early_param() to parse "mem=" parameter
  mn10300: Allow to pass array name to get_user()

11 years agoMerge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sat, 29 Jun 2013 17:27:19 +0000 (10:27 -0700)]
Merge branch 'timers-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull timer fix from Thomas Gleixner:
 "Correct an ordering issue in the tick broadcast code.  I really wish
  we'd get compensation for pain and suffering for each line of code we
  write to work around dysfunctional timer hardware."

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  tick: Fix tick_broadcast_pending_mask not cleared

11 years agoMerge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sat, 29 Jun 2013 17:26:50 +0000 (10:26 -0700)]
Merge branch 'perf-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull perf fix from Ingo Molnar:
 "One more fix for a recently discovered bug"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf: Disable monitoring on setuid processes for regular users

11 years ago[readdir] constify ->actor
Al Viro [Thu, 23 May 2013 02:22:04 +0000 (22:22 -0400)]
[readdir] constify ->actor

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] ->readdir() is gone
Al Viro [Thu, 23 May 2013 01:44:23 +0000 (21:44 -0400)]
[readdir] ->readdir() is gone

everything's converted to ->iterate()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ecryptfs
Al Viro [Thu, 23 May 2013 01:23:40 +0000 (21:23 -0400)]
[readdir] convert ecryptfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert coda
Al Viro [Thu, 23 May 2013 01:15:30 +0000 (21:15 -0400)]
[readdir] convert coda

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ocfs2
Al Viro [Thu, 23 May 2013 01:06:00 +0000 (21:06 -0400)]
[readdir] convert ocfs2

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert fatfs
Al Viro [Wed, 22 May 2013 22:37:16 +0000 (18:37 -0400)]
[readdir] convert fatfs

... pox upon the idiotic ioctls; life would be much easier without
those.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert xfs
Al Viro [Wed, 22 May 2013 21:07:56 +0000 (17:07 -0400)]
[readdir] convert xfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert btrfs
Al Viro [Wed, 22 May 2013 20:48:09 +0000 (16:48 -0400)]
[readdir] convert btrfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert hostfs
Al Viro [Wed, 22 May 2013 20:34:19 +0000 (16:34 -0400)]
[readdir] convert hostfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert afs
Al Viro [Wed, 22 May 2013 20:31:14 +0000 (16:31 -0400)]
[readdir] convert afs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ncpfs
Al Viro [Wed, 22 May 2013 19:11:27 +0000 (15:11 -0400)]
[readdir] convert ncpfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert hfsplus
Al Viro [Wed, 22 May 2013 18:59:39 +0000 (14:59 -0400)]
[readdir] convert hfsplus

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert hfs
Al Viro [Wed, 22 May 2013 18:29:35 +0000 (14:29 -0400)]
[readdir] convert hfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert befs
Al Viro [Wed, 22 May 2013 17:44:05 +0000 (13:44 -0400)]
[readdir] convert befs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert cifs
Al Viro [Wed, 22 May 2013 20:17:25 +0000 (16:17 -0400)]
[readdir] convert cifs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert freevxfs
Al Viro [Sat, 18 May 2013 07:15:00 +0000 (03:15 -0400)]
[readdir] convert freevxfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert fuse
Al Viro [Sat, 18 May 2013 07:03:58 +0000 (03:03 -0400)]
[readdir] convert fuse

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert hpfs
Al Viro [Sat, 18 May 2013 06:58:57 +0000 (02:58 -0400)]
[readdir] convert hpfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoreiserfs: switch reiserfs_readdir_dentry to inode
Al Viro [Sat, 18 May 2013 02:58:58 +0000 (22:58 -0400)]
reiserfs: switch reiserfs_readdir_dentry to inode

... and clean the callers up a bit

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoreiserfs: is_privroot_deh() needs only directory inode, actually
Al Viro [Sat, 18 May 2013 02:45:29 +0000 (22:45 -0400)]
reiserfs: is_privroot_deh() needs only directory inode, actually

... and that - only to get the superblock.  Privroot is a directory
and we don't allow hardlinks to those...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert reiserfs
Al Viro [Sat, 18 May 2013 02:42:17 +0000 (22:42 -0400)]
[readdir] convert reiserfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ntfs
Al Viro [Sat, 18 May 2013 01:22:31 +0000 (21:22 -0400)]
[readdir] convert ntfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert isofs
Al Viro [Sat, 18 May 2013 01:11:59 +0000 (21:11 -0400)]
[readdir] convert isofs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert jffs2
Al Viro [Fri, 17 May 2013 22:08:49 +0000 (18:08 -0400)]
[readdir] convert jffs2

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert f2fs
Al Viro [Fri, 17 May 2013 22:02:17 +0000 (18:02 -0400)]
[readdir] convert f2fs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert 9p
Al Viro [Fri, 17 May 2013 21:51:41 +0000 (17:51 -0400)]
[readdir] convert 9p

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert affs
Al Viro [Fri, 17 May 2013 21:44:42 +0000 (17:44 -0400)]
[readdir] convert affs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert adfs
Al Viro [Fri, 17 May 2013 21:30:10 +0000 (17:30 -0400)]
[readdir] convert adfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert logfs
Al Viro [Fri, 17 May 2013 21:06:34 +0000 (17:06 -0400)]
[readdir] convert logfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert jfs
Al Viro [Fri, 17 May 2013 21:00:34 +0000 (17:00 -0400)]
[readdir] convert jfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ceph
Al Viro [Fri, 17 May 2013 20:52:26 +0000 (16:52 -0400)]
[readdir] convert ceph

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert nfs
Al Viro [Fri, 17 May 2013 20:34:50 +0000 (16:34 -0400)]
[readdir] convert nfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ext4
Al Viro [Fri, 17 May 2013 20:08:53 +0000 (16:08 -0400)]
[readdir] convert ext4

and trim the living hell out bogosities in inline dir case

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert qnx6
Al Viro [Fri, 17 May 2013 19:32:10 +0000 (15:32 -0400)]
[readdir] convert qnx6

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert qnx4
Al Viro [Fri, 17 May 2013 19:17:59 +0000 (15:17 -0400)]
[readdir] convert qnx4

... and use strnlen() instead of strlen() - it's done on untrusted data,
after all.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert omfs
Al Viro [Fri, 17 May 2013 19:05:25 +0000 (15:05 -0400)]
[readdir] convert omfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert nilfs2
Al Viro [Thu, 16 May 2013 18:36:14 +0000 (14:36 -0400)]
[readdir] convert nilfs2

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert sysfs
Al Viro [Thu, 16 May 2013 18:31:02 +0000 (14:31 -0400)]
[readdir] convert sysfs

get rid of the kludges in sysfs_readdir()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert gfs2
Al Viro [Thu, 16 May 2013 18:14:48 +0000 (14:14 -0400)]
[readdir] convert gfs2

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert exofs
Al Viro [Thu, 16 May 2013 17:48:17 +0000 (13:48 -0400)]
[readdir] convert exofs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert bfs
Al Viro [Thu, 16 May 2013 17:41:48 +0000 (13:41 -0400)]
[readdir] convert bfs

... and get rid of that ridiculous mutex in bfs_readdir()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert procfs
Al Viro [Thu, 16 May 2013 16:07:31 +0000 (12:07 -0400)]
[readdir] convert procfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert openpromfs
Al Viro [Thu, 16 May 2013 05:52:12 +0000 (01:52 -0400)]
[readdir] convert openpromfs

what the hell is op_mutex for, BTW?

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert efs
Al Viro [Thu, 16 May 2013 05:41:10 +0000 (01:41 -0400)]
[readdir] convert efs

* sanity checks belong before risky operation, not after it
* don't quit as soon as we'd found an entry

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert configfs
Al Viro [Thu, 16 May 2013 05:28:34 +0000 (01:28 -0400)]
[readdir] convert configfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert romfs
Al Viro [Thu, 16 May 2013 05:22:00 +0000 (01:22 -0400)]
[readdir] convert romfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert squashfs
Al Viro [Thu, 16 May 2013 05:17:58 +0000 (01:17 -0400)]
[readdir] convert squashfs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ubifs
Al Viro [Thu, 16 May 2013 05:14:46 +0000 (01:14 -0400)]
[readdir] convert ubifs

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert udf
Al Viro [Thu, 16 May 2013 05:09:37 +0000 (01:09 -0400)]
[readdir] convert udf

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] convert ext3
Al Viro [Thu, 16 May 2013 01:02:48 +0000 (21:02 -0400)]
[readdir] convert ext3

new helper: dir_relax(inode).  Call when you are in location that will
_not_ be invalidated by directory modifications (block boundary, in case
of ext*).  Returns whether the directory has survived (dropping i_mutex
allows rmdir to kill the sucker; if it returns false to us, ->iterate()
is obviously done)

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] switch dcache_readdir() users to ->iterate()
Al Viro [Thu, 16 May 2013 00:23:06 +0000 (20:23 -0400)]
[readdir] switch dcache_readdir() users to ->iterate()

new helpers - dir_emit_dot(file, ctx, dentry), dir_emit_dotdot(file, ctx),
dir_emit_dots(file, ctx).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] simple local unixlike: switch to ->iterate()
Al Viro [Wed, 15 May 2013 22:51:49 +0000 (18:51 -0400)]
[readdir] simple local unixlike: switch to ->iterate()

ext2, ufs, minix, sysv

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] introduce ->iterate(), ctx->pos, dir_emit()
Al Viro [Wed, 15 May 2013 22:49:12 +0000 (18:49 -0400)]
[readdir] introduce ->iterate(), ctx->pos, dir_emit()

New method - ->iterate(file, ctx).  That's the replacement for ->readdir();
it takes callback from ctx->actor, uses ctx->pos instead of file->f_pos and
calls dir_emit(ctx, ...) instead of filldir(data, ...).  It does *not*
update file->f_pos (or look at it, for that matter); iterate_dir() does the
update.

Note that dir_emit() takes the offset from ctx->pos (and eventually
filldir_t will lose that argument).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago[readdir] introduce iterate_dir() and dir_context
Al Viro [Wed, 15 May 2013 17:52:59 +0000 (13:52 -0400)]
[readdir] introduce iterate_dir() and dir_context

iterate_dir(): new helper, replacing vfs_readdir().

struct dir_context: contains the readdir callback (and will get more stuff
in it), embedded into whatever data that callback wants to deal with;
eventually, we'll be passing it to ->readdir() replacement instead of
(data,filldir) pair.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agomove linux/loop.h to drivers/block
Al Viro [Sun, 12 May 2013 14:14:07 +0000 (10:14 -0400)]
move linux/loop.h to drivers/block

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agocompat.c: LOOP_CLR_FD is taken care of in loop.c itself...
Al Viro [Sun, 12 May 2013 14:12:11 +0000 (10:12 -0400)]
compat.c: LOOP_CLR_FD is taken care of in loop.c itself...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agopxa3xx: VM_IO is set by io_remap_pfn_range()
Al Viro [Sat, 11 May 2013 16:39:26 +0000 (12:39 -0400)]
pxa3xx: VM_IO is set by io_remap_pfn_range()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoau1100fb: VM_IO is set by io_remap_pfn_range()
Al Viro [Sat, 11 May 2013 16:38:38 +0000 (12:38 -0400)]
au1100fb: VM_IO is set by io_remap_pfn_range()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoau1200fb: io_remap_pfn_range() sets VM_IO
Al Viro [Sat, 11 May 2013 16:37:38 +0000 (12:37 -0400)]
au1200fb: io_remap_pfn_range() sets VM_IO

... and single return is quite sufficient to get out of function, TYVM

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agovfio: remap_pfn_range() sets all those flags...
Al Viro [Sat, 11 May 2013 16:33:31 +0000 (12:33 -0400)]
vfio: remap_pfn_range() sets all those flags...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoi810: VM_IO is set by io_remap_pfn_range()
Al Viro [Sat, 11 May 2013 16:27:16 +0000 (12:27 -0400)]
i810: VM_IO is set by io_remap_pfn_range()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agodrm: io_remap_pfn_range() sets VM_IO...
Al Viro [Sat, 11 May 2013 16:23:17 +0000 (12:23 -0400)]
drm: io_remap_pfn_range() sets VM_IO...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agosparc: __pci_mmap_set_flags() is useless
Al Viro [Sat, 11 May 2013 16:21:55 +0000 (12:21 -0400)]
sparc: __pci_mmap_set_flags() is useless

io_remap_pfn_range() does all we need

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agomn10300: don't bother with VM_IO
Al Viro [Sat, 11 May 2013 16:19:34 +0000 (12:19 -0400)]
mn10300: don't bother with VM_IO

io_remap_pfn_range() sets it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agohose_mmap_page_range(): io_remap_pfn_range() will set all those flags...
Al Viro [Sat, 11 May 2013 16:18:01 +0000 (12:18 -0400)]
hose_mmap_page_range(): io_remap_pfn_range() will set all those flags...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agosamsung: don't bother with setting VM_IO
Al Viro [Sat, 11 May 2013 16:15:47 +0000 (12:15 -0400)]
samsung: don't bother with setting VM_IO

io_remap_pfn_range() will set it just fine

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoconsolidate io_remap_pfn_range definitions
Al Viro [Sat, 11 May 2013 16:13:10 +0000 (12:13 -0400)]
consolidate io_remap_pfn_range definitions

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoUBIFS: fix a horrid bug
Artem Bityutskiy [Fri, 28 Jun 2013 11:15:15 +0000 (14:15 +0300)]
UBIFS: fix a horrid bug

Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.

This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
but this may corrupt memory and lead to all kinds of problems like crashes an
security holes.

This patch fixes the problem by using the 'file->f_version' field, which
'->llseek()' always unconditionally sets to zero. We set it to 1 in
'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
seek and it is time to clear the state saved in 'file->private_data'.

I tested this patch by writing a user-space program which runds readdir and
seek in parallell. I could easily crash the kernel without these patches, but
could not crash it with these patches.

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agoUBIFS: prepare to fix a horrid bug
Artem Bityutskiy [Fri, 28 Jun 2013 11:15:14 +0000 (14:15 +0300)]
UBIFS: prepare to fix a horrid bug

Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.

First of all, this means that 'file->private_data' can be freed while
'ubifs_readdir()' uses it.  But this particular patch does not fix the problem.
This patch is only a preparation, and the fix will follow next.

In this patch we make 'ubifs_readdir()' stop using 'file->f_pos' directly,
because 'file->f_pos' can be changed by '->llseek()' at any point. This may
lead 'ubifs_readdir()' to returning inconsistent data: directory entry names
may correspond to incorrect file positions.

So here we introduce a local variable 'pos', read 'file->f_pose' once at very
the beginning, and then stick to 'pos'. The result of this is that when
'ubifs_dir_llseek()' changes 'file->f_pos' while we are in the middle of
'ubifs_readdir()', the latter "wins".

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years agomn10300: Use early_param() to parse "mem=" parameter
Akira Takeuchi [Fri, 28 Jun 2013 15:53:03 +0000 (16:53 +0100)]
mn10300: Use early_param() to parse "mem=" parameter

This fixes the problem that "init=" options may not be passed to kernel
correctly.

parse_mem_cmdline() of mn10300 arch gets rid of "mem=" string from
redboot_command_line. Then init_setup() parses the "init=" options from
static_command_line, which is a copy of redboot_command_line, and keeps
the pointer to the init options in execute_command variable.

Since the commit 026cee0 upstream (params: <level>_initcall-like kernel
parameters), static_command_line becomes overwritten by saved_command_line at
do_initcall_level(). Notice that saved_command_line is a command line
which includes "mem=" string.

As a result, execute_command may point to weird string by the length of
"mem=" parameter.
I noticed this problem when using the command line like this:

    mem=128M console=ttyS0,115200 init=/bin/sh

Here is the processing flow of command line parameters.
    start_kernel()
      setup_arch(&command_line)
         parse_mem_cmdline(cmdline_p)
           * strcpy(boot_command_line, redboot_command_line);
           * Remove "mem=xxx" from redboot_command_line.
           * *cmdline_p = redboot_command_line;
      setup_command_line(command_line) <-- command_line is redboot_command_line
        * strcpy(saved_command_line, boot_command_line)
        * strcpy(static_command_line, command_line)
      parse_early_param()
        strlcpy(tmp_cmdline, boot_command_line, COMMAND_LINE_SIZE);
        parse_early_options(tmp_cmdline);
          parse_args("early options", cmdline, NULL, 0, 0, 0, do_early_param);
      parse_args("Booting ..", static_command_line, ...);
        init_setup() <-- save the pointer in execute_command
      rest_init()
        kernel_thread(kernel_init, NULL, CLONE_FS | CLONE_SIGHAND);

At this point, execute_command points to "/bin/sh" string.

    kernel_init()
      kernel_init_freeable()
        do_basic_setup()
          do_initcalls()
            do_initcall_level()
              (*) strcpy(static_command_line, saved_command_line);

Here, execute_command gets to point to "200" string !!

Signed-off-by: David Howells <dhowells@redhat.com>
11 years agomn10300: Allow to pass array name to get_user()
Akira Takeuchi [Fri, 28 Jun 2013 15:53:01 +0000 (16:53 +0100)]
mn10300: Allow to pass array name to get_user()

This fixes the following compile error:

CC block/scsi_ioctl.o
block/scsi_ioctl.c: In function 'sg_scsi_ioctl':
block/scsi_ioctl.c:449: error: invalid initializer

Signed-off-by: David Howells <dhowells@redhat.com>
11 years agodrm/qxl: add missing access check for execbuffer ioctl
Dave Airlie [Fri, 28 Jun 2013 03:27:40 +0000 (13:27 +1000)]
drm/qxl: add missing access check for execbuffer ioctl

Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
11 years agopowerpc/eeh: Add eeh_dev to the cache during boot
Thadeu Lima de Souza Cascardo [Thu, 27 Jun 2013 21:00:10 +0000 (18:00 -0300)]
powerpc/eeh: Add eeh_dev to the cache during boot

commit f8f7d63fd96ead101415a1302035137a866f8998 ("powerpc/eeh: Trace eeh
device from I/O cache") broke EEH on pseries for devices that were
present during boot and have not been hotplugged/DLPARed.

eeh_check_failure will get the eeh_dev from the cache, and will get
NULL. eeh_addr_cache_build adds the addresses to the cache, but eeh_dev
for the giving pci_device is not set yet. Just reordering the call to
eeh_addr_cache_insert_dev works fine. The ordering is similar to the one
in eeh_add_device_late.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Acked-by: Gavin Shan <shangw@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
11 years agorbd: send snapshot context with writes
Josh Durgin [Wed, 26 Jun 2013 19:56:17 +0000 (12:56 -0700)]
rbd: send snapshot context with writes

Sending the right snapshot context with each write is required for
snapshots to work. Due to the ordering of calls, the snapshot context
is never set for any requests. This causes writes to the current
version of the image to be reflected in all snapshots, which are
supposed to be read-only.

This happens because rbd_osd_req_format_write() sets the snapshot
context based on obj_request->img_request. At this point, however,
obj_request->img_request has not been set yet, to the snapshot context
is set to NULL. Fix this by moving rbd_img_obj_request_add(), which
sets obj_request->img_request, before the osd request formatting
calls.

This resolves:
    http://tracker.ceph.com/issues/5465

Reported-by: Karol Jurak <karol.jurak@gmail.com>
Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@linaro.org>
11 years agoMerge tag 'fcoe1' into fixes
James Bottomley [Thu, 27 Jun 2013 06:08:22 +0000 (23:08 -0700)]
Merge tag 'fcoe1' into fixes

This patch fixes a critical bug that was introduced in 3.9
related to VLAN tagging FCoE frames.

11 years agoMerge tag 'fcoe' into fixes
James Bottomley [Thu, 27 Jun 2013 06:07:53 +0000 (23:07 -0700)]
Merge tag 'fcoe' into fixes

3.10 fixes

11 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Thu, 27 Jun 2013 05:24:37 +0000 (19:24 -1000)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Found via trinity:

    If you connect up an ipv6 socket to an ipv4 mapped address then an
    ipv6 one, sendmsg() can croak because ip6_sk_dst_check() assumes the
    route cached in the socket is an ipv6 one.  In this case there is an
    ipv4 route attached, so it gets stomped on.

    Reported by Dave Jones and Hannes Frederic Sowa, fixed by Eric
    Dumazet.

 2) AF_KEY notifications leak some kernel memory to userspace, fix from
    Mathias Krause.

 3) DLCI calls __dev_get_by_name() without proper locking, and dlci_del
    doesn't validate that the device being deleted is actually a DLCI
    one.  Fixes from Li Zefan.

 4) Length check on bluetooth l2cap information responses is wrong, each
    response type has a different lenth, so we should make sure it's in
    a given range rather than enforce one single valid length.  From
    Jaganath Kanakkassery.

 5) Receive FIFO overflow is really easy to trigger in stress scenerios
    in the sh_eth driver, but the event isn't being handled properly at
    all.  Specifically, the mask of error interrupts doesn't include the
    event so we never clear it, resulting in the driver becomming wedged
    processing an interrupt that never gets cleared.

    Fix from Sergei Shtylyov.

 6) qlcnic sleeps while holding a spinlock, use mdelay() instead of
    msleep().  From Shahed Shaikh.

 7) Missing curly braces causes SIP netfilter NAT module to always drop
    packets.  Fix from Balazs Peter Odor.

 8) ipt_ULOG in netfilter passes the wrong value to timer setup, causing
    the timer to dereference crap when it fires.  Fix from Gao Feng.

 9) Missing RCU protection around txq->axq_acq traversal in
    ath_txq_schedule().  Fix from Felix Fietkau.

10) Idle state transition test in ath9k_htc_config() is reversed, fix
    from Sujith Manoharan.

11) IPV6 forwarding handles unicast Router Alert packets incorrectly.
    It tests the wrong option state.  Previously opt->ra being non-zero
    indicated a router alert marking in the SKB, but now it's indicated
    by a bit in opt->flags.  Fix from YOSHIFUJI Hideaki.

12) SKB leak in GRE tunnel GSO handling, from Eric Dumazet.

13) get_user_pages_fast() error handling in TUN and MACVTAP use the same
    local variable for the base index and the loop iterator for page
    traversal, oops! Fix from Michael S Tsirkin.

14) ipv6_get_lladdr() can fail, and we must therefore check it's return
    value in inet6_set_iftoken().  For from Hannes Frederic Sowa.

15) If you change an interface name and meanwhile can sneak in something
    that looks up the name (like SO_BINDTODEVICE or SIOCGIFNAME) we can
    deadlock with CONFIG_PREEMPT=n.  Fix this by providing a helper
    function that properly uses raw_seqcount_begin().  From Nicolas
    Schichan.

16) Chain noise calibration test is inverted in iwlwifi, fix from
    Nikolay Martynov.

17) Properly set TX iwlwifi descriptor flags for back requests.  Fix
    from Emmanuel Grumbach.

18) We can't assume skb_transport_header() is set in xt_TCPOPTSTRAP
    module, fix from Pablo Neira Ayuso.

19) Some crummy APs don't provide the proper High Throughput info in
    association response frames.  Add a workaround by assume we'll use
    whatever is in the beacon/probe.  Fix from Johannes Berg.

20) mac80211 call to rate_idx_match_mask() swaps two arguments (mask and
    channel width).  Fix from Simon Wunderlich.

21) xt_TCPMSS (like xt_TCPOPTSTRAP) must not try to handle fragmented
    frames.  Fix from Phil Oester.

22) Fix rate control regression causing iwlwifi/iwlegacy chips to use
    1Mbit/s on pre-11n networks.  From Moshe Benji and Stanslaw Gruszka.

23) Disable brcmsmac power-save functions, they cause regressions.  From
    Arend van Spriel.

24) Enforce a sane minimum MTU in l2cap_build_cmd() otherwise we can
    easily crash.  Fix from Anderson Lizardo.

25) If a learning packet arrives during vxlan_stop() we crash, easily
    fixed by checking netif_running().  From Stephen Hemminger.

26) Static vxlan FDB entries should not be migrated, also from Stephen.

27) skb_clone() failures not handled in vxlan_xmit(), oops.  Also from
    Stephen.

28) Add minimal driver for AR816x/AR817x ethernet chips, from Johannes
    Berg.

29) Fix regression in userspace VLAN acceleration control, added by the
    802.1ad support changes.  Fix from Fernando Luis Vazquez Cao.

30) Interval selection for MLD queries in the bridging code was
    reversed.  Fix from Linus Lüssing.

31) ipv6's ndisc_send_redirect() erroneously writes to the packet we
    received not the packet we are building to send out.  Fix from
    Matthias Schiffer.

32) Don't free netdev before unregistering it, in usb_8dev can driver.
    From Marc Kleine-Budde.

33) Fix nl80211 attribute buffer races, from Johannes Berg.

34) Although netlink_diag.h is under uapi/ it isn't present in Kbuild.
    From Stephen Hemminger.

35) Wrong address and family passed to MD5 key lookups in TCP, from
    Aydin Arik.

36) phy_type attribute created by SFC driver should not be writable.
    From Ben Hutchings.

37) Receive/Transmit queue allocations in pxa168_eth and mv643xx_eth
    should use kzalloc().  Otherwise if setup fails half-way, we'll
    dereference garbage when trying to teardown the rings.  From Lubomir
    Rintel.

38) Fix double-allocation of dst (resulting in unfreeable net device) in
    ipv6's init_loopback().  From Gao Feng.

39) Fix fragmentation handling SKB leak in netfilter conntrack, we were
    freeing the wrong skb pointer.  From Phil Oester.

40) Don't report "-1" (SPEED_UNKNOWN) in bond_miimon_commit(), from
    Nikolay Aleksandrov.

41) davinci_cpdma doesn't check for DMA mapping errors, letting the
    device scribble to random addresses.  From Sebastian Siewior.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
  dlci: validate the net device in dlci_del()
  dlci: acquire rtnl_lock before calling __dev_get_by_name()
  af_key: fix info leaks in notify messages
  ipv6: ip6_sk_dst_check() must not assume ipv6 dst
  net: fix kernel deadlock with interface rename and netdev name retrieval.
  net/tg3: Avoid delay during MMIO access
  ipv6: check return value of ipv6_get_lladdr
  macvtap: fix recovery from gup errors
  tun: fix recovery from gup errors
  gre: fix a possible skb leak
  ipv6: Process unicast packet with Router Alert by checking flag in skb.
  ath9k_htc: Handle IDLE state transition properly
  ath9k: fix an RCU issue in calling ieee80211_get_tx_rates
  netfilter: ipt_ULOG: fix incorrect setting of ulog timer
  netfilter: ctnetlink: send event when conntrack label was modified
  netfilter: nf_nat_sip: fix mangling
  qlcnic: Do not sleep while holding spinlock
  drivers: net: cpsw: fix compilation error with cpsw driver
  tcp: doc : fix the syncookies default value
  sh_eth: fix misreporting of transmit abort
  ...

11 years agoMerge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Thu, 27 Jun 2013 05:23:15 +0000 (19:23 -1000)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull i915 drm fixes from Dave Airlie:
 "These should be the last two fixes for i915, one is for a fence leak
  killing X on some older GPUs, and one is a late regression partial
  revert for an swiotlb/xen/i915 interaction, Konrad has promised to
  figure out the proper answer, and this patch is the best thing to do
  at this stage to avoid regressing"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/i915: make compact dma scatter lists creation work with SWIOTLB backend.
  drm/i915: Restore fences after resume and GPU resets

11 years agodlci: validate the net device in dlci_del()
Zefan Li [Wed, 26 Jun 2013 07:31:58 +0000 (15:31 +0800)]
dlci: validate the net device in dlci_del()

We triggered an oops while running trinity with 3.4 kernel:

BUG: unable to handle kernel paging request at 0000000100000d07
IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
PGD 640c0d067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
CPU 3
...
Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
...
Call Trace:
  [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
  [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
  [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
  [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
  [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
...

It's because the net device is not a dlci device.

Reported-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agodlci: acquire rtnl_lock before calling __dev_get_by_name()
Zefan Li [Wed, 26 Jun 2013 07:29:54 +0000 (15:29 +0800)]
dlci: acquire rtnl_lock before calling __dev_get_by_name()

Otherwise the net device returned can be freed at anytime.

Signed-off-by: Li Zefan <lizefan@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoaf_key: fix info leaks in notify messages
Mathias Krause [Wed, 26 Jun 2013 21:52:30 +0000 (23:52 +0200)]
af_key: fix info leaks in notify messages

key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
the sadb_msg_reserved member of the broadcasted message and thereby
leak 2 bytes of heap memory to listeners. Fix that.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agoipv6: ip6_sk_dst_check() must not assume ipv6 dst
Eric Dumazet [Wed, 26 Jun 2013 11:15:07 +0000 (04:15 -0700)]
ipv6: ip6_sk_dst_check() must not assume ipv6 dst

It's possible to use AF_INET6 sockets and to connect to an IPv4
destination. After this, socket dst cache is a pointer to a rtable,
not rt6_info.

ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
various corruptions/crashes can happen.

Dave Jones can reproduce immediate crash with
trinity -q -l off -n -c sendmsg -c connect

With help from Hannes Frederic Sowa

Reported-by: Dave Jones <davej@redhat.com>
Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years agonet: fix kernel deadlock with interface rename and netdev name retrieval.
Nicolas Schichan [Wed, 26 Jun 2013 15:23:42 +0000 (17:23 +0200)]
net: fix kernel deadlock with interface rename and netdev name retrieval.

When the kernel (compiled with CONFIG_PREEMPT=n) is performing the
rename of a network interface, it can end up waiting for a workqueue
to complete. If userland is able to invoke a SIOCGIFNAME ioctl or a
SO_BINDTODEVICE getsockopt in between, the kernel will deadlock due to
the fact that read_secklock_begin() will spin forever waiting for the
writer process (the one doing the interface rename) to update the
devnet_rename_seq sequence.

This patch fixes the problem by adding a helper (netdev_get_name())
and using it in the code handling the SIOCGIFNAME ioctl and
SO_BINDTODEVICE setsockopt.

The netdev_get_name() helper uses raw_seqcount_begin() to avoid
spinning forever, waiting for devnet_rename_seq->sequence to become
even. cond_resched() is used in the contended case, before retrying
the access to give the writer process a chance to finish.

The use of raw_seqcount_begin() will incur some unneeded work in the
reader process in the contended case, but this is better than
deadlocking the system.

Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>