summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2012-11-05cifs: Do not lookup hashed negative dentry in cifs_atomic_openSachin Prabhu
We do not need to lookup a hashed negative directory since we have already revalidated it before and have found it to be fine. This also prevents a crash in cifs_lookup() when it attempts to rehash the already hashed negative lookup dentry. The patch has been tested using the reproducer at https://bugzilla.redhat.com/show_bug.cgi?id=867344#c28 Cc: <stable@kernel.org> # 3.6.x Reported-by: Vit Zahradka <vit.zahradka@tiscali.cz> Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
2012-11-03cifs: fix potential buffer overrun in cifs.idmap handling codeJeff Layton
The userspace cifs.idmap program generally works with the wbclient libs to generate binary SIDs in userspace. That program defines the struct that holds these values as having a max of 15 subauthorities. The kernel idmapping code however limits that value to 5. When the kernel copies those values around though, it doesn't sanity check the num_subauths value handed back from userspace or from the server. It's possible therefore for userspace to hand us back a bogus num_subauths value (or one that's valid, but greater than 5) that could cause the kernel to walk off the end of the cifs_sid->sub_auths array. Fix this by defining a new routine for copying sids and using that in all of the places that copy it. If we end up with a sid that's longer than expected then this approach will just lop off the "extra" subauths, but that's basically what the code does today already. Better approaches might be to fix this code to reject SIDs with >5 subauths, or fix it to handle the subauths array dynamically. At the same time, change the kernel to check the length of the data returned by userspace. If it's shorter than struct cifs_sid, reject it and return -EIO. If that happens we'll end up with fields that are basically uninitialized. Long term, it might make sense to redefine cifs_sid using a flexarray at the end, to allow for variable-length subauth lists, and teach the code to handle the case where the subauths array being passed in from userspace is shorter than 5 elements. Note too, that I don't consider this a security issue since you'd need a compromised cifs.idmap program. If you have that, you can do all sorts of nefarious stuff. Still, this is probably reasonable for stable. Cc: stable@kernel.org Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com>
2012-11-02Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds
Pull networking fixes from David Miller: "First post-Sandy pull request" 1) Fix antenna gain handling and initialization of chan->max_reg_power in wireless, from Felix Fietkau. 2) Fix nexthop handling in H.232 conntrack helper, from Julian Anastasov. 3) Only process 80211 mesh config header in certain kinds of frames, from Javier Cardona. 4) 80211 management frame header length needs to be validated, from Johannes Berg. 5) Don't access free'd SKBs in ath9k driver, from Felix Fietkay. 6) Test for permanent state correctly in VXLAN driver, from Stephen Hemminger. 7) BNX2X bug fixes from Yaniv Rosner and Dmitry Kravkov. 8) Fix off by one errors in bonding, from Nikolay ALeksandrov. 9) Fix divide by zero in TCP-Illinois congestion control. From Jesper Dangaard Brouer. 10) TCP metrics code says "Yo dawg, I heard you like sizeof, so I did a sizeof of a sizeof, so you can size your size" Fix from Julian Anastasov. 11) Several drivers do mdiobus_free without first doing an mdiobus_unregister leading to stray pointer references. Fix from Peter Senna Tschudin. 12) Fix OOPS in l2tp_eth_create() error path, it's another danling pointer kinda situation. Fix from Tom Parkin. 13) Hardware driven by the vmxnet driver can't handle larger than 16K fragments, so split them up when necessary. From Eric Dumazet. 14) Handle zero length data length in tcp_send_rcvq() properly. Fix from Pavel Emelyanov. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits) tcp-repair: Handle zero-length data put in rcv queue vmxnet3: must split too big fragments l2tp: fix oops in l2tp_eth_create() error path cxgb4: Fix unable to get UP event from the LLD drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free bnx2x: fix HW initialization using fw 7.8.x tcp: Fix double sizeof in new tcp_metrics code net: fix divide by zero in tcp algorithm illinois net: sctp: Fix typo in net/sctp bonding: fix second off-by-one error bonding: fix off-by-one error bnx2x: Disable FCoE for 57840 since not yet supported by FW bnx2x: Fix no link on 577xx 10G-baseT bnx2x: Fix unrecognized SFP+ module after driver is loaded bnx2x: Fix potential incorrect link speed provision bnx2x: Restore global registers back to default. bnx2x: Fix link down in 57712 following LFA bnx2x: Fix 57810 1G-KR link against certain switches. ixgbe: PTP get_ts_info missing software support ...
2012-11-02tcp-repair: Handle zero-length data put in rcv queuePavel Emelyanov
When sending data into a tcp socket in repair state we should check for the amount of data being 0 explicitly. Otherwise we'll have an skb with seq == end_seq in rcv queue, but tcp doesn't expect this to happen (in particular a warn_on in tcp_recvmsg shoots). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-02vmxnet3: must split too big fragmentsEric Dumazet
vmxnet3 has a 16Kbytes limit per tx descriptor, that happened to work as long as we provided PAGE_SIZE fragments. Our stack can now build larger fragments, so we need to split them to the 16kbytes boundary. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: jongman heo <jongman.heo@samsung.com> Tested-by: jongman heo <jongman.heo@samsung.com> Cc: Shreyas Bhatewara <sbhatewara@vmware.com> Reviewed-by: Bhavesh Davda <bhavesh@vmware.com> Signed-off-by: Shreyas Bhatewara <sbhatewara@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-02l2tp: fix oops in l2tp_eth_create() error pathTom Parkin
When creating an L2TPv3 Ethernet session, if register_netdev() should fail for any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the 32k-interface limit), the netdev is freed in the error path. However, the l2tp_eth_sess structure's dev pointer is left uncleared, and this results in l2tp_eth_delete() then attempting to unregister the same netdev later in the session teardown. This results in an oops. To avoid this, clear the session dev pointer in the error path. Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-02cxgb4: Fix unable to get UP event from the LLDVipul Pandya
If T4 configuration file gets loaded from the /lib/firmware/cxgb4/ directory then offload capabilities of the cards were getting disabled during initialization. Hence ULDs do not get an UP event from the LLD. Signed-off-by: Jay Hernandez <jay@chelsio.com> Signed-off-by: Vipul Pandya <vipul@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-02drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_freePeter Senna Tschudin
Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0 Calling mdiobus_free without calling mdiobus_unregister causes BUG_ON(). This patch fixes the issue. The semantic patch that found this issue(http://coccinelle.lip6.fr/): // <smpl> @@ expression E; @@ ... when != mdiobus_unregister(E); + mdiobus_unregister(E); mdiobus_free(E); // </smpl> Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-02drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_freePeter Senna Tschudin
Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0 Calling mdiobus_free without calling mdiobus_unregister causes BUG_ON(). This patch fixes the issue. The semantic patch that found this issue(http://coccinelle.lip6.fr/): // <smpl> @@ expression E; @@ ... when != mdiobus_unregister(E); + mdiobus_unregister(E); mdiobus_free(E); // </smpl> Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com> Tested-by: Roland Stigge <stigge@antcom.de> Tested-by: Alexandre Pereira da Silva <aletes.xgr@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-02bnx2x: fix HW initialization using fw 7.8.xDmitry Kravkov
Since commit 96bed4b9 (use FW 7.8.2) BRB HW block needs to be initialized using fw values for all devices. Otherwise ETS on 57712/578xx will not work. Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: Ariel Elior <ariele@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-02Merge tag 'pm-for-3.7-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management update from Rafael J. Wysocki: "Change the email address of the powernow-k8 maintainer." * tag 'pm-for-3.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq / powernow-k8: Change maintainer's email address
2012-11-02Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input subsystem fixes from Dmitry Torokhov: "Just a few driver fixes." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: tsc40 - remove wrong announcement of pressure support Input: lpc32xx-keys - select INPUT_MATRIXKMAP Input: pxa27x_keypad - clear pending interrupts on keypad config Input: wacom - correct bad Cintiq 24HD check Input: wacom - add INPUT_PROP_DIRECT flag to Cintiq 24HD Input: egalax_ts - get gpio from devicetree
2012-11-02Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pendingLinus Torvalds
Pull more scsi target fixes from Nicholas Bellinger: "This series is a second round of target fixes for v3.7-rc4 that have come into target-devel over the last days, and are important enough to be applied ASAP. All are being CC'ed to stable. The most important two are: - target: Re-add explict zeroing of INQUIRY bounce buffer memory to fix a regression for handling zero-length payloads, a bug that went during v3.7-rc1, and hit >= v3.6.3 stable. (nab + paolo) - iscsi-target: Fix a long-standing missed R2T wakeup race in TX thread processing when using a single queue slot. (Roland) Thanks to Roland & PureStorage team for helping to track down this long standing race with iscsi-target single queue slot operation. Also, the tcm_fc(FCoE) regression bug that was observed recently with -rc2 code has also been resolved with the cancel_delayed_work() return bugfix (commit c0158ca64da5: "workqueue: cancel_delayed_work() should return %false if work item is idle") now in -rc3. Thanks again to Yi Zou, MDR, Robert Love @ Intel for helping to track this down." * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: target: Fix incorrect usage of nested IRQ spinlocks in ABORT_TASK path iscsi-target: Fix missed wakeup race in TX thread target: Avoid integer overflow in se_dev_align_max_sectors() target: Don't return success from module_init() if setup fails target: Re-add explict zeroing of INQUIRY bounce buffer memory
2012-11-02Merge tag 'hwmon-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: "An e-mail address update, and fix a compile error on SPARC" * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: Only include of_match_table with CONFIG_OF_GPIO hwmon, fam15h_power: Change email address, MAINTAINERS entry
2012-11-02Merge tag 'frv-fixes-20121102' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-frv Pull FRV fixes from David Howells: "A collection of small fixes for the FRV architecture." * tag 'frv-fixes-20121102' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-frv: frv: fix the broken preempt frv: switch to saner kernel_execve() semantics FRV: Fix the new-style kernel_thread() stuff FRV: Fix the preemption handling FRV: gcc-4.1.2 also inlines weak functions FRV: Don't objcopy the GNU build_id note FRV: Add missing linux/export.h #inclusions
2012-11-02Merge tag 'stable/for-linus-3.7-rc4-tag' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen Pull Xen bugfixes from Konrad Rzeszutek Wilk: - Use appropriate macros instead of hand-rolling our own (ARM). - Fixes if FB/KBD closed unexpectedly. - Fix memory leak in /dev/gntdev ioctl calls. - Fix overflow check in xenbus_file_write. - Document cleanup. - Performance optimization when migrating guests. * tag 'stable/for-linus-3.7-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen: xen/mmu: Use Xen specific TLB flush instead of the generic one. xen/arm: use the __HVC macro xen/xenbus: fix overflow check in xenbus_file_write() xen-kbdfront: handle backend CLOSED without CLOSING xen-fbfront: handle backend CLOSED without CLOSING xen/gntdev: don't leak memory from IOCTL_GNTDEV_MAP_GRANT_REF x86: remove obsolete comment from asm/xen/hypervisor.h
2012-11-02hashtable: introduce a small and naive hashtableSasha Levin
This hashtable implementation is using hlist buckets to provide a simple hashtable to prevent it from getting reimplemented all over the kernel. Signed-off-by: Sasha Levin <levinsasha928@gmail.com> [ Merging this now, so that subsystems can start applying Sasha's patches that use this - Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-11-02frv: fix the broken preemptAl Viro
Just get %icc2 into the state we would have after local_irq_disable() and physical IRQ having happened since then. Then we can simply use preempt_schedule_irq() and be done with the whole mess. Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-11-02frv: switch to saner kernel_execve() semanticsAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-11-02FRV: Fix the new-style kernel_thread() stuffDavid Howells
The kernel_thread() changes for FRV don't work, and FRV fails to boot, starting with: commit 02ce496f152df87be081a64796498942c433a2fd Author: Al Viro <viro@zeniv.linux.org.uk> Date: Tue Sep 18 22:18:51 2012 -0400 Subject: frv: split ret_from_fork, simplify kernel_thread() a lot The problem is that the userspace registers are completely cleared when a kernel thread is created and all subsequent user threads are then copied from that. Unfortunately, however, the TBR and PSR registers are restored from the pt_regs and the values they should be set to are clobbered by the memset. Instead, copy across the old user registers as normal, and then merely alter GR8 and GR9 in it if we're going to execute a kernel thread. Signed-off-by: David Howells <dhowells@redhat.com>
2012-11-02FRV: Fix the preemption handlingDavid Howells
Fix the preemption handling in FRV code where the PREEMPT_ACTIVE value is incorrectly loaded into the threadinfo flags rather than the threadinfo preemption count. Unfortunately, the code cannot be simply converted to use preempt_schedule_irq() as is because FRV uses virtual interrupt disablement to cut down on the cost of actually disabling interrupts and thus local_irq_enable() doesn't actually enable interrupts. Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: David Howells <dhowells@redhat.com> cc: Al Viro <viro@ZenIV.linux.org.uk>
2012-11-02FRV: gcc-4.1.2 also inlines weak functionsDavid Howells
gcc-4.1.2 inlines weak functions, which causes FRV to fail when the dummy thread_info_cache_init() gets inlined into start_kernel(). Signed-off-by: David Howells <dhowells@redhat.com>
2012-11-02FRV: Don't objcopy the GNU build_id noteDavid Howells
Don't let objcopy transfer the GNU build_id note into the loadable image as it is located at address 0 and the image ends up >3G in size. Signed-off-by: David Howells <dhowells@redhat.com>
2012-11-02FRV: Add missing linux/export.h #inclusionsDavid Howells
Add missing linux/export.h #inclusions to the FRV arch. Signed-off-by: David Howells <dhowells@redhat.com>
2012-11-01Merge tag 'xtensa-next-20121101' of git://github.com/czankel/xtensa-linuxLinus Torvalds
Pull Xtensa fixes from Chris Zankel: "Some important bug fixes. With the change to uapi, there was a bug introduced that results in an empty syscall table (mult-inclusion bug). Switching to the generic thread/execve allowed us to fix a bug we had in vfork()." * tag 'xtensa-next-20121101' of git://github.com/czankel/xtensa-linux: xtensa: switch to generic sys_execve() xtensa: switch to generic kernel_execve() xtensa: switch to generic kernel_thread() xtensa: reset windowbase/windowstart when cloning the VM xtensa: use physical addresses for bus addresses xtensa: allow multi-inclusion for uapi/unistd.h
2012-11-01hwmon: Only include of_match_table with CONFIG_OF_GPIOJamie Lentin
The following fixes build errors on sparc. Without any DT support, of_match_ptr is NULL and the below is a no-op. However, if just CONFIG_OF is defined then so is of_match_ptr. All useful parts of the gpio-fan DT support rely on CONFIG_OF_GPIO anyway, so of_match_table should too. Signed-off-by: Jamie Lentin <jm@lentin.co.uk> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2012-11-01tcp: Fix double sizeof in new tcp_metrics codeJulian Anastasov
Fix double sizeof when parsing IPv6 address from user space because it breaks get/del by specific IPv6 address. Problem noticed by David Binderman: https://bugzilla.kernel.org/show_bug.cgi?id=49171 Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01net: fix divide by zero in tcp algorithm illinoisJesper Dangaard Brouer
Reading TCP stats when using TCP Illinois congestion control algorithm can cause a divide by zero kernel oops. The division by zero occur in tcp_illinois_info() at: do_div(t, ca->cnt_rtt); where ca->cnt_rtt can become zero (when rtt_reset is called) Steps to Reproduce: 1. Register tcp_illinois: # sysctl -w net.ipv4.tcp_congestion_control=illinois 2. Monitor internal TCP information via command "ss -i" # watch -d ss -i 3. Establish new TCP conn to machine Either it fails at the initial conn, or else it needs to wait for a loss or a reset. This is only related to reading stats. The function avg_delay() also performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its calling point in update_params(). Thus, simply fix tcp_illinois_info(). Function tcp_illinois_info() / get_info() is called without socket lock. Thus, eliminate any race condition on ca->cnt_rtt by using a local stack variable. Simply reuse info.tcpv_rttcnt, as its already set to ca->cnt_rtt. Function avg_delay() is not affected by this race condition, as its called with the socket lock. Cc: Petr Matousek <pmatouse@redhat.com> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01net: sctp: Fix typo in net/sctpMasanari Iida
Correct spelling typo in net/sctp/socket.c Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bonding: fix second off-by-one errornikolay@redhat.com
Fix off-by-one error because IFNAMSIZ == 16 and when this code gets executed we stick a NULL byte where we should not. How to reproduce: with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently) modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode; echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/active_slave; Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Note: Sorry for the second patch but I missed this one while checking the file. You can squash them into one patch. Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bonding: fix off-by-one errornikolay@redhat.com
Fix off-by-one error because IFNAMSIZ == 16 and when this code gets executed we stick a NULL byte where we should not. How to reproduce: with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently) modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode; echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/primary; Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bnx2x: Disable FCoE for 57840 since not yet supported by FWDmitry Kravkov
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bnx2x: Fix no link on 577xx 10G-baseTYaniv Rosner
Since the Warpcore supports various link types, need to set only the correct supported modes for XFI which is the serdes interface for the 10G-baseT PHY. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bnx2x: Fix unrecognized SFP+ module after driver is loadedYaniv Rosner
When SFP+ module is plugged in after driver is already loaded, it may not be recognized, so set SFP module recognition time up to 300ms, without resetting the module power in the middle. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bnx2x: Fix potential incorrect link speed provisionYaniv Rosner
Fix possible incorrect link speed provision following rapid link speed change. Clear link speed mask after each link change, and not only after link down. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bnx2x: Restore global registers back to default.Yaniv Rosner
Several KR registers were not set correctly back to default after loopback test, so set those global registers over the global WC lane (zero) rather than the current lane. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bnx2x: Fix link down in 57712 following LFAYaniv Rosner
In case of link flap avoidance between PXE boot and bnx2x, set the appropriate PHY DEVAD even if LFA kicks in. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01bnx2x: Fix 57810 1G-KR link against certain switches.Yaniv Rosner
Fix 1G KR link by restoring CL72 misc control register to default value rather than 0. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01Merge git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds
Pull KVM fix from Marcelo Tosatti. * git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: fix vcpu->mmio_fragments overflow
2012-11-01ixgbe: PTP get_ts_info missing software supportJacob Keller
This patch corrects the ethtool get_ts_info functon which did not state that software timestamping was supported, even though it is. Signed-off-by: Jacob Keller <jacob.e.keller@intel.com> CC: Stable <stable@vger.kernel.org> [3.5] Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01target: Fix incorrect usage of nested IRQ spinlocks in ABORT_TASK pathSteve Hodgson
This patch changes core_tmr_abort_task() to use spin_lock -> spin_unlock around se_cmd->t_state_lock while spin_lock_irqsave is held via se_sess->sess_cmd_lock. Signed-off-by: Steve Hodgson <steve@purestorage.com> Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-11-01iscsi-target: Fix missed wakeup race in TX threadRoland Dreier
The sleeping code in iscsi_target_tx_thread() is susceptible to the classic missed wakeup race: - TX thread finishes handle_immediate_queue() and handle_response_queue(), thinks both queues are empty. - Another thread adds a queue entry and does wake_up_process(), which does nothing because the TX thread is still awake. - TX thread does schedule_timeout() and sleeps forever. In practice this can kill an iSCSI connection if for example an initiator does single-threaded writes and the target misses the wakeup window when queueing an R2T; in this case the connection will be stuck until the initiator loses patience and does some task management operation (or kills the connection entirely). Fix this by converting to wait_event_interruptible(), which does not suffer from this sort of race. Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: Andy Grover <agrover@redhat.com> Cc: Hannes Reinecke <hare@suse.de> Cc: Christoph Hellwig <hch@lst.de> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-11-01target: Avoid integer overflow in se_dev_align_max_sectors()Roland Dreier
The expression (max_sectors * block_size) might overflow a u32 (indeed, since iblock sets max_hw_sectors to UINT_MAX, it is guaranteed to overflow and end up with a much-too-small result in many common cases). Fix this by doing an equivalent calculation that doesn't require multiplication. While we're touching this code, avoid splitting a printk format across two lines and use pr_info(...) instead of printk(KERN_INFO ...). Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-11-01target: Don't return success from module_init() if setup failsRoland Dreier
If the call to core_dev_release_virtual_lun0() fails, then nothing sets ret to anything other than 0, so even though everything is torn down and freed, target_core_init_configfs() will seem to succeed and the module will be loaded. Fix this by passing the return value on up the chain. Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-10-31target: Re-add explict zeroing of INQUIRY bounce buffer memoryNicholas Bellinger
This patch fixes a regression in spc_emulate_inquiry() code where the local scope bounce buffer was no longer getting it's memory zeroed, causing various problems with SCSI initiators that depend upon areas of INQUIRY EVPD=0x83 payload having been zeroed. This bug was introduced with the following v3.7-rc1 patch + CC'ed stable commit: commit ffe7b0e9326d9c68f5688bef691dd49f1e0d3651 Author: Paolo Bonzini <pbonzini@redhat.com> Date: Fri Sep 7 17:30:38 2012 +0200 target: support zero allocation length in INQUIRY Go ahead and re-add the missing memset of bounce buffer memory to be copied into the outgoing se_cmd descriptor kmapped SGL payload. Reported-by: Kelsey Prantis <kelsey.prantis@intel.com> Cc: Kelsey Prantis <kelsey.prantis@intel.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Andy Grover <agrover@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-10-31Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pendingLinus Torvalds
Pull scsi target fixes from Nicholas Bellinger: "These are the current target pending fixes headed for v3.7-rc4 code. This includes the following highlights: - Fix long-standing qla2xxx target bug where certain fc_port_t state transitions could cause the internal session b-tree list to become out-of-sync. (Roland) - Fix task management double free of se_cmd descriptor in exception path for users of target_submit_tmr(). (nab) - Re-introduce simple NOP emulation of REZERO_UNIT, SEEK_6, and SEEK_10 SCSI-2 commands in order to support legacy initiators that still require them. (Bernhard) Note these three patches are also CC'ed to stable. Also, there a couple of outstanding (external) regressions that are still being tracked down for tcm_fc(FCoE) and tcm_vhost fabrics for v3.7.0 code, so please expect another PULL as these issues identified -> resolved." * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: target: reintroduce some obsolete SCSI-2 commands target: Fix double-free of se_cmd in target_complete_tmr_failure qla2xxx: Update target lookup session tables when a target session changes tcm_qla2xxx: Format VPD page 83h SCSI name string according to SPC qla2xxx: Add missing ->vport_slock while calling qlt_update_vp_map
2012-10-31Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linuxLinus Torvalds
Pull nouveau fixes from Dave Airlie: "Just a nouveau set, since we have a couple of reports on lkml and dri-devel of regressions that this should fix I sent it along on its own." * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm/nouveau: headless mode by default if pci class != vga display drm/nouveau: resurrect headless mode since rework drm/nv50/fb: prevent oops on chipsets without compression tags drm/nouveau: allow creation of zero-sized mm drm/nouveau/i2c: fix typo when checking nvio i2c port validity drm/nouveau: silence modesetting spam on pre-gf8 chipsets
2012-10-31Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid Pull HID updates from Jiri Kosina: "This contains fixes for two devices by Jiri Slaby and Xianhan Yu, new device IDs for MacBook Pro 10,2 from Dirk Hohndel and generic multitouch code fix from Alan Cox." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: Add support for the MacBook Pro 10,2 keyboard / touchpad HID: multitouch: fix maxcontacts problem on GeneralTouch HID: multitouch: put the case in the right switch statement HID: microsoft: fix invalid rdesc for 3k kbd
2012-10-31Merge tag 'sound-3.7' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "This contains unexpectedly many changes in a wide range due to the fixes for races at disconnection of USB audio devices. In the end, we end up covering fairly core parts of sound subsystem. Other than that, just a few usual small fixes." * tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: ice1724: Fix rate setup after resume ALSA: Avoid endless sleep after disconnect ALSA: Add a reference counter to card instance ALSA: usb-audio: Fix races at disconnection in mixer_quirks.c ALSA: usb-audio: Use rwsem for disconnect protection ALSA: usb-audio: Fix races at disconnection ALSA: PCM: Fix some races at disconnection ASoC: omap-dmic: Correct functional clock name ASoC: zoom2: Fix compile error by including correct header files ALSA: hda - Fix mute-LED setup for HP dv5 laptop
2012-10-31KVM: x86: fix vcpu->mmio_fragments overflowXiao Guangrong
After commit b3356bf0dbb349 (KVM: emulator: optimize "rep ins" handling), the pieces of io data can be collected and write them to the guest memory or MMIO together Unfortunately, kvm splits the mmio access into 8 bytes and store them to vcpu->mmio_fragments. If the guest uses "rep ins" to move large data, it will cause vcpu->mmio_fragments overflow The bug can be exposed by isapc (-M isapc): [23154.818733] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC [ ......] [23154.858083] Call Trace: [23154.859874] [<ffffffffa04f0e17>] kvm_get_cr8+0x1d/0x28 [kvm] [23154.861677] [<ffffffffa04fa6d4>] kvm_arch_vcpu_ioctl_run+0xcda/0xe45 [kvm] [23154.863604] [<ffffffffa04f5a1a>] ? kvm_arch_vcpu_load+0x17b/0x180 [kvm] Actually, we can use one mmio_fragment to store a large mmio access then split it when we pass the mmio-exit-info to userspace. After that, we only need two entries to store mmio info for the cross-mmio pages access Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>