Age | Commit message (Collapse) | Author |
|
We do not need to lookup a hashed negative directory since we have
already revalidated it before and have found it to be fine.
This also prevents a crash in cifs_lookup() when it attempts to rehash
the already hashed negative lookup dentry.
The patch has been tested using the reproducer at
https://bugzilla.redhat.com/show_bug.cgi?id=867344#c28
Cc: <stable@kernel.org> # 3.6.x
Reported-by: Vit Zahradka <vit.zahradka@tiscali.cz>
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
|
|
The userspace cifs.idmap program generally works with the wbclient libs
to generate binary SIDs in userspace. That program defines the struct
that holds these values as having a max of 15 subauthorities. The kernel
idmapping code however limits that value to 5.
When the kernel copies those values around though, it doesn't sanity
check the num_subauths value handed back from userspace or from the
server. It's possible therefore for userspace to hand us back a bogus
num_subauths value (or one that's valid, but greater than 5) that could
cause the kernel to walk off the end of the cifs_sid->sub_auths array.
Fix this by defining a new routine for copying sids and using that in
all of the places that copy it. If we end up with a sid that's longer
than expected then this approach will just lop off the "extra" subauths,
but that's basically what the code does today already. Better approaches
might be to fix this code to reject SIDs with >5 subauths, or fix it
to handle the subauths array dynamically.
At the same time, change the kernel to check the length of the data
returned by userspace. If it's shorter than struct cifs_sid, reject it
and return -EIO. If that happens we'll end up with fields that are
basically uninitialized.
Long term, it might make sense to redefine cifs_sid using a flexarray at
the end, to allow for variable-length subauth lists, and teach the code
to handle the case where the subauths array being passed in from
userspace is shorter than 5 elements.
Note too, that I don't consider this a security issue since you'd need
a compromised cifs.idmap program. If you have that, you can do all sorts
of nefarious stuff. Still, this is probably reasonable for stable.
Cc: stable@kernel.org
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Pull networking fixes from David Miller:
"First post-Sandy pull request"
1) Fix antenna gain handling and initialization of chan->max_reg_power
in wireless, from Felix Fietkau.
2) Fix nexthop handling in H.232 conntrack helper, from Julian
Anastasov.
3) Only process 80211 mesh config header in certain kinds of frames,
from Javier Cardona.
4) 80211 management frame header length needs to be validated, from
Johannes Berg.
5) Don't access free'd SKBs in ath9k driver, from Felix Fietkay.
6) Test for permanent state correctly in VXLAN driver, from Stephen
Hemminger.
7) BNX2X bug fixes from Yaniv Rosner and Dmitry Kravkov.
8) Fix off by one errors in bonding, from Nikolay ALeksandrov.
9) Fix divide by zero in TCP-Illinois congestion control. From Jesper
Dangaard Brouer.
10) TCP metrics code says "Yo dawg, I heard you like sizeof, so I did a
sizeof of a sizeof, so you can size your size" Fix from Julian
Anastasov.
11) Several drivers do mdiobus_free without first doing an
mdiobus_unregister leading to stray pointer references. Fix from
Peter Senna Tschudin.
12) Fix OOPS in l2tp_eth_create() error path, it's another danling
pointer kinda situation. Fix from Tom Parkin.
13) Hardware driven by the vmxnet driver can't handle larger than 16K
fragments, so split them up when necessary. From Eric Dumazet.
14) Handle zero length data length in tcp_send_rcvq() properly. Fix
from Pavel Emelyanov.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
tcp-repair: Handle zero-length data put in rcv queue
vmxnet3: must split too big fragments
l2tp: fix oops in l2tp_eth_create() error path
cxgb4: Fix unable to get UP event from the LLD
drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free
drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free
bnx2x: fix HW initialization using fw 7.8.x
tcp: Fix double sizeof in new tcp_metrics code
net: fix divide by zero in tcp algorithm illinois
net: sctp: Fix typo in net/sctp
bonding: fix second off-by-one error
bonding: fix off-by-one error
bnx2x: Disable FCoE for 57840 since not yet supported by FW
bnx2x: Fix no link on 577xx 10G-baseT
bnx2x: Fix unrecognized SFP+ module after driver is loaded
bnx2x: Fix potential incorrect link speed provision
bnx2x: Restore global registers back to default.
bnx2x: Fix link down in 57712 following LFA
bnx2x: Fix 57810 1G-KR link against certain switches.
ixgbe: PTP get_ts_info missing software support
...
|
|
When sending data into a tcp socket in repair state we should check
for the amount of data being 0 explicitly. Otherwise we'll have an skb
with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
(in particular a warn_on in tcp_recvmsg shoots).
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
vmxnet3 has a 16Kbytes limit per tx descriptor, that happened to work
as long as we provided PAGE_SIZE fragments.
Our stack can now build larger fragments, so we need to split them to
the 16kbytes boundary.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: jongman heo <jongman.heo@samsung.com>
Tested-by: jongman heo <jongman.heo@samsung.com>
Cc: Shreyas Bhatewara <sbhatewara@vmware.com>
Reviewed-by: Bhavesh Davda <bhavesh@vmware.com>
Signed-off-by: Shreyas Bhatewara <sbhatewara@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
When creating an L2TPv3 Ethernet session, if register_netdev() should fail for
any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the
32k-interface limit), the netdev is freed in the error path. However, the
l2tp_eth_sess structure's dev pointer is left uncleared, and this results in
l2tp_eth_delete() then attempting to unregister the same netdev later in the
session teardown. This results in an oops.
To avoid this, clear the session dev pointer in the error path.
Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
If T4 configuration file gets loaded from the /lib/firmware/cxgb4/ directory
then offload capabilities of the cards were getting disabled during
initialization. Hence ULDs do not get an UP event from the LLD.
Signed-off-by: Jay Hernandez <jay@chelsio.com>
Signed-off-by: Vipul Pandya <vipul@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0
Calling mdiobus_free without calling mdiobus_unregister causes
BUG_ON(). This patch fixes the issue.
The semantic patch that found this issue(http://coccinelle.lip6.fr/):
// <smpl>
@@
expression E;
@@
... when != mdiobus_unregister(E);
+ mdiobus_unregister(E);
mdiobus_free(E);
// </smpl>
Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0
Calling mdiobus_free without calling mdiobus_unregister causes
BUG_ON(). This patch fixes the issue.
The semantic patch that found this issue(http://coccinelle.lip6.fr/):
// <smpl>
@@
expression E;
@@
... when != mdiobus_unregister(E);
+ mdiobus_unregister(E);
mdiobus_free(E);
// </smpl>
Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
Tested-by: Roland Stigge <stigge@antcom.de>
Tested-by: Alexandre Pereira da Silva <aletes.xgr@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Since commit 96bed4b9 (use FW 7.8.2) BRB HW block needs to be
initialized using fw values for all devices.
Otherwise ETS on 57712/578xx will not work.
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management update from Rafael J. Wysocki:
"Change the email address of the powernow-k8 maintainer."
* tag 'pm-for-3.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
cpufreq / powernow-k8: Change maintainer's email address
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input subsystem fixes from Dmitry Torokhov:
"Just a few driver fixes."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: tsc40 - remove wrong announcement of pressure support
Input: lpc32xx-keys - select INPUT_MATRIXKMAP
Input: pxa27x_keypad - clear pending interrupts on keypad config
Input: wacom - correct bad Cintiq 24HD check
Input: wacom - add INPUT_PROP_DIRECT flag to Cintiq 24HD
Input: egalax_ts - get gpio from devicetree
|
|
Pull more scsi target fixes from Nicholas Bellinger:
"This series is a second round of target fixes for v3.7-rc4 that have
come into target-devel over the last days, and are important enough to
be applied ASAP.
All are being CC'ed to stable. The most important two are:
- target: Re-add explict zeroing of INQUIRY bounce buffer memory to
fix a regression for handling zero-length payloads, a bug that went
during v3.7-rc1, and hit >= v3.6.3 stable. (nab + paolo)
- iscsi-target: Fix a long-standing missed R2T wakeup race in TX
thread processing when using a single queue slot. (Roland)
Thanks to Roland & PureStorage team for helping to track down this
long standing race with iscsi-target single queue slot operation.
Also, the tcm_fc(FCoE) regression bug that was observed recently with
-rc2 code has also been resolved with the cancel_delayed_work() return
bugfix (commit c0158ca64da5: "workqueue: cancel_delayed_work() should
return %false if work item is idle") now in -rc3. Thanks again to Yi
Zou, MDR, Robert Love @ Intel for helping to track this down."
* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
target: Fix incorrect usage of nested IRQ spinlocks in ABORT_TASK path
iscsi-target: Fix missed wakeup race in TX thread
target: Avoid integer overflow in se_dev_align_max_sectors()
target: Don't return success from module_init() if setup fails
target: Re-add explict zeroing of INQUIRY bounce buffer memory
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
"An e-mail address update, and fix a compile error on SPARC"
* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: Only include of_match_table with CONFIG_OF_GPIO
hwmon, fam15h_power: Change email address, MAINTAINERS entry
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-frv
Pull FRV fixes from David Howells:
"A collection of small fixes for the FRV architecture."
* tag 'frv-fixes-20121102' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-frv:
frv: fix the broken preempt
frv: switch to saner kernel_execve() semantics
FRV: Fix the new-style kernel_thread() stuff
FRV: Fix the preemption handling
FRV: gcc-4.1.2 also inlines weak functions
FRV: Don't objcopy the GNU build_id note
FRV: Add missing linux/export.h #inclusions
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
Pull Xen bugfixes from Konrad Rzeszutek Wilk:
- Use appropriate macros instead of hand-rolling our own (ARM).
- Fixes if FB/KBD closed unexpectedly.
- Fix memory leak in /dev/gntdev ioctl calls.
- Fix overflow check in xenbus_file_write.
- Document cleanup.
- Performance optimization when migrating guests.
* tag 'stable/for-linus-3.7-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
xen/mmu: Use Xen specific TLB flush instead of the generic one.
xen/arm: use the __HVC macro
xen/xenbus: fix overflow check in xenbus_file_write()
xen-kbdfront: handle backend CLOSED without CLOSING
xen-fbfront: handle backend CLOSED without CLOSING
xen/gntdev: don't leak memory from IOCTL_GNTDEV_MAP_GRANT_REF
x86: remove obsolete comment from asm/xen/hypervisor.h
|
|
This hashtable implementation is using hlist buckets to provide a simple
hashtable to prevent it from getting reimplemented all over the kernel.
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
[ Merging this now, so that subsystems can start applying Sasha's
patches that use this - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Just get %icc2 into the state we would have after local_irq_disable()
and physical IRQ having happened since then. Then we can simply
use preempt_schedule_irq() and be done with the whole mess.
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
The kernel_thread() changes for FRV don't work, and FRV fails to boot,
starting with:
commit 02ce496f152df87be081a64796498942c433a2fd
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Sep 18 22:18:51 2012 -0400
Subject: frv: split ret_from_fork, simplify kernel_thread() a lot
The problem is that the userspace registers are completely cleared when a
kernel thread is created and all subsequent user threads are then copied from
that. Unfortunately, however, the TBR and PSR registers are restored from the
pt_regs and the values they should be set to are clobbered by the memset.
Instead, copy across the old user registers as normal, and then merely alter
GR8 and GR9 in it if we're going to execute a kernel thread.
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
Fix the preemption handling in FRV code where the PREEMPT_ACTIVE value is
incorrectly loaded into the threadinfo flags rather than the threadinfo
preemption count.
Unfortunately, the code cannot be simply converted to use
preempt_schedule_irq() as is because FRV uses virtual interrupt disablement to
cut down on the cost of actually disabling interrupts and thus
local_irq_enable() doesn't actually enable interrupts.
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Al Viro <viro@ZenIV.linux.org.uk>
|
|
gcc-4.1.2 inlines weak functions, which causes FRV to fail when the dummy
thread_info_cache_init() gets inlined into start_kernel().
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
Don't let objcopy transfer the GNU build_id note into the loadable image as it
is located at address 0 and the image ends up >3G in size.
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
Add missing linux/export.h #inclusions to the FRV arch.
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
Pull Xtensa fixes from Chris Zankel:
"Some important bug fixes.
With the change to uapi, there was a bug introduced that results in an
empty syscall table (mult-inclusion bug). Switching to the generic
thread/execve allowed us to fix a bug we had in vfork()."
* tag 'xtensa-next-20121101' of git://github.com/czankel/xtensa-linux:
xtensa: switch to generic sys_execve()
xtensa: switch to generic kernel_execve()
xtensa: switch to generic kernel_thread()
xtensa: reset windowbase/windowstart when cloning the VM
xtensa: use physical addresses for bus addresses
xtensa: allow multi-inclusion for uapi/unistd.h
|
|
The following fixes build errors on sparc. Without any DT support,
of_match_ptr is NULL and the below is a no-op. However, if just
CONFIG_OF is defined then so is of_match_ptr.
All useful parts of the gpio-fan DT support rely on CONFIG_OF_GPIO
anyway, so of_match_table should too.
Signed-off-by: Jamie Lentin <jm@lentin.co.uk>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
|
|
Fix double sizeof when parsing IPv6 address from
user space because it breaks get/del by specific IPv6 address.
Problem noticed by David Binderman:
https://bugzilla.kernel.org/show_bug.cgi?id=49171
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Reading TCP stats when using TCP Illinois congestion control algorithm
can cause a divide by zero kernel oops.
The division by zero occur in tcp_illinois_info() at:
do_div(t, ca->cnt_rtt);
where ca->cnt_rtt can become zero (when rtt_reset is called)
Steps to Reproduce:
1. Register tcp_illinois:
# sysctl -w net.ipv4.tcp_congestion_control=illinois
2. Monitor internal TCP information via command "ss -i"
# watch -d ss -i
3. Establish new TCP conn to machine
Either it fails at the initial conn, or else it needs to wait
for a loss or a reset.
This is only related to reading stats. The function avg_delay() also
performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
calling point in update_params(). Thus, simply fix tcp_illinois_info().
Function tcp_illinois_info() / get_info() is called without
socket lock. Thus, eliminate any race condition on ca->cnt_rtt
by using a local stack variable. Simply reuse info.tcpv_rttcnt,
as its already set to ca->cnt_rtt.
Function avg_delay() is not affected by this race condition, as
its called with the socket lock.
Cc: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Correct spelling typo in net/sctp/socket.c
Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Fix off-by-one error because IFNAMSIZ == 16 and when this
code gets executed we stick a NULL byte where we should not.
How to reproduce:
with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently)
modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode;
echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/active_slave;
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Note: Sorry for the second patch but I missed this one while checking
the file. You can squash them into one patch.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Fix off-by-one error because IFNAMSIZ == 16 and when this
code gets executed we stick a NULL byte where we should not.
How to reproduce:
with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently)
modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode;
echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/primary;
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Since the Warpcore supports various link types, need to set only the correct
supported modes for XFI which is the serdes interface for the 10G-baseT PHY.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Barak Witkowski <barak@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
When SFP+ module is plugged in after driver is already loaded, it may not be
recognized, so set SFP module recognition time up to 300ms, without resetting
the module power in the middle.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Barak Witkowski <barak@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Fix possible incorrect link speed provision following rapid link speed change.
Clear link speed mask after each link change, and not only after link down.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Barak Witkowski <barak@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Several KR registers were not set correctly back to default after
loopback test, so set those global registers over the global WC lane (zero)
rather than the current lane.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Barak Witkowski <barak@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
In case of link flap avoidance between PXE boot and bnx2x, set the appropriate
PHY DEVAD even if LFA kicks in.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Barak Witkowski <barak@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Fix 1G KR link by restoring CL72 misc control register to default value rather
than 0.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Barak Witkowski <barak@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Pull KVM fix from Marcelo Tosatti.
* git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: x86: fix vcpu->mmio_fragments overflow
|
|
This patch corrects the ethtool get_ts_info functon which did not state that
software timestamping was supported, even though it is.
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
CC: Stable <stable@vger.kernel.org> [3.5]
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This patch changes core_tmr_abort_task() to use spin_lock -> spin_unlock
around se_cmd->t_state_lock while spin_lock_irqsave is held via
se_sess->sess_cmd_lock.
Signed-off-by: Steve Hodgson <steve@purestorage.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
The sleeping code in iscsi_target_tx_thread() is susceptible to the classic
missed wakeup race:
- TX thread finishes handle_immediate_queue() and handle_response_queue(),
thinks both queues are empty.
- Another thread adds a queue entry and does wake_up_process(), which does
nothing because the TX thread is still awake.
- TX thread does schedule_timeout() and sleeps forever.
In practice this can kill an iSCSI connection if for example an initiator
does single-threaded writes and the target misses the wakeup window when
queueing an R2T; in this case the connection will be stuck until the
initiator loses patience and does some task management operation (or kills
the connection entirely).
Fix this by converting to wait_event_interruptible(), which does not
suffer from this sort of race.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: Andy Grover <agrover@redhat.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
The expression (max_sectors * block_size) might overflow a u32
(indeed, since iblock sets max_hw_sectors to UINT_MAX, it is
guaranteed to overflow and end up with a much-too-small result in many
common cases). Fix this by doing an equivalent calculation that
doesn't require multiplication.
While we're touching this code, avoid splitting a printk format across
two lines and use pr_info(...) instead of printk(KERN_INFO ...).
Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
If the call to core_dev_release_virtual_lun0() fails, then nothing
sets ret to anything other than 0, so even though everything is
torn down and freed, target_core_init_configfs() will seem to succeed
and the module will be loaded. Fix this by passing the return value
on up the chain.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
This patch fixes a regression in spc_emulate_inquiry() code where the
local scope bounce buffer was no longer getting it's memory zeroed,
causing various problems with SCSI initiators that depend upon areas
of INQUIRY EVPD=0x83 payload having been zeroed.
This bug was introduced with the following v3.7-rc1 patch + CC'ed
stable commit:
commit ffe7b0e9326d9c68f5688bef691dd49f1e0d3651
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri Sep 7 17:30:38 2012 +0200
target: support zero allocation length in INQUIRY
Go ahead and re-add the missing memset of bounce buffer memory to be
copied into the outgoing se_cmd descriptor kmapped SGL payload.
Reported-by: Kelsey Prantis <kelsey.prantis@intel.com>
Cc: Kelsey Prantis <kelsey.prantis@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Andy Grover <agrover@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
Pull scsi target fixes from Nicholas Bellinger:
"These are the current target pending fixes headed for v3.7-rc4 code.
This includes the following highlights:
- Fix long-standing qla2xxx target bug where certain fc_port_t state
transitions could cause the internal session b-tree list to become
out-of-sync. (Roland)
- Fix task management double free of se_cmd descriptor in exception
path for users of target_submit_tmr(). (nab)
- Re-introduce simple NOP emulation of REZERO_UNIT, SEEK_6, and
SEEK_10 SCSI-2 commands in order to support legacy initiators that
still require them. (Bernhard)
Note these three patches are also CC'ed to stable.
Also, there a couple of outstanding (external) regressions that are
still being tracked down for tcm_fc(FCoE) and tcm_vhost fabrics for
v3.7.0 code, so please expect another PULL as these issues identified
-> resolved."
* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
target: reintroduce some obsolete SCSI-2 commands
target: Fix double-free of se_cmd in target_complete_tmr_failure
qla2xxx: Update target lookup session tables when a target session changes
tcm_qla2xxx: Format VPD page 83h SCSI name string according to SPC
qla2xxx: Add missing ->vport_slock while calling qlt_update_vp_map
|
|
Pull nouveau fixes from Dave Airlie:
"Just a nouveau set, since we have a couple of reports on lkml and
dri-devel of regressions that this should fix I sent it along on its
own."
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/nouveau: headless mode by default if pci class != vga display
drm/nouveau: resurrect headless mode since rework
drm/nv50/fb: prevent oops on chipsets without compression tags
drm/nouveau: allow creation of zero-sized mm
drm/nouveau/i2c: fix typo when checking nvio i2c port validity
drm/nouveau: silence modesetting spam on pre-gf8 chipsets
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID updates from Jiri Kosina:
"This contains fixes for two devices by Jiri Slaby and Xianhan Yu, new
device IDs for MacBook Pro 10,2 from Dirk Hohndel and generic
multitouch code fix from Alan Cox."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: Add support for the MacBook Pro 10,2 keyboard / touchpad
HID: multitouch: fix maxcontacts problem on GeneralTouch
HID: multitouch: put the case in the right switch statement
HID: microsoft: fix invalid rdesc for 3k kbd
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This contains unexpectedly many changes in a wide range due to the
fixes for races at disconnection of USB audio devices. In the end, we
end up covering fairly core parts of sound subsystem.
Other than that, just a few usual small fixes."
* tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: ice1724: Fix rate setup after resume
ALSA: Avoid endless sleep after disconnect
ALSA: Add a reference counter to card instance
ALSA: usb-audio: Fix races at disconnection in mixer_quirks.c
ALSA: usb-audio: Use rwsem for disconnect protection
ALSA: usb-audio: Fix races at disconnection
ALSA: PCM: Fix some races at disconnection
ASoC: omap-dmic: Correct functional clock name
ASoC: zoom2: Fix compile error by including correct header files
ALSA: hda - Fix mute-LED setup for HP dv5 laptop
|
|
After commit b3356bf0dbb349 (KVM: emulator: optimize "rep ins" handling),
the pieces of io data can be collected and write them to the guest memory
or MMIO together
Unfortunately, kvm splits the mmio access into 8 bytes and store them to
vcpu->mmio_fragments. If the guest uses "rep ins" to move large data, it
will cause vcpu->mmio_fragments overflow
The bug can be exposed by isapc (-M isapc):
[23154.818733] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
[ ......]
[23154.858083] Call Trace:
[23154.859874] [<ffffffffa04f0e17>] kvm_get_cr8+0x1d/0x28 [kvm]
[23154.861677] [<ffffffffa04fa6d4>] kvm_arch_vcpu_ioctl_run+0xcda/0xe45 [kvm]
[23154.863604] [<ffffffffa04f5a1a>] ? kvm_arch_vcpu_load+0x17b/0x180 [kvm]
Actually, we can use one mmio_fragment to store a large mmio access then
split it when we pass the mmio-exit-info to userspace. After that, we only
need two entries to store mmio info for the cross-mmio pages access
Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|