1. 11 Apr, 2014 9 commits
    • Mugunthan V N's avatar
      drivers: net: cpsw: discard all packets received when interface is down · 16e5c57d
      Mugunthan V N authored
      When the Ethernet interface is brought down during high Ethernet traffic,
      then cpsw creates the following warn dump. When cpdma has already processed
      the packet then the status will be greater than 0, so the cpsw_rx_handler
      considers that the interface is up and try to resubmit one more rx buffer
      to cpdma which fails as the DMA is in teardown process. This can be avoided
      by checking the interface state and then process the received packet, if the
      interface is down just discard and free the skb and return.
      
      [ 2823.104591] WARNING: CPU: 0 PID: 1823 at drivers/net/ethernet/ti/cpsw.c:711 cpsw_rx_handler+0x148/0x164()
      [ 2823.114654] Modules linked in:
      [ 2823.117872] CPU: 0 PID: 1823 Comm: ifconfig Tainted: G        W     3.14.0-11992-gf34c4a35 #11
      [ 2823.126860] [<c0014b5c>] (unwind_backtrace) from [<c00117e4>] (show_stack+0x10/0x14)
      [ 2823.135030] [<c00117e4>] (show_stack) from [<c0533a9c>] (dump_stack+0x80/0x9c)
      [ 2823.142619] [<c0533a9c>] (dump_stack) from [<c003f0e0>] (warn_slowpath_common+0x6c/0x90)
      [ 2823.151141] [<c003f0e0>] (warn_slowpath_common) from [<c003f120>] (warn_slowpath_null+0x1c/0x24)
      [ 2823.160336] [<c003f120>] (warn_slowpath_null) from [<c03caeb0>] (cpsw_rx_handler+0x148/0x164)
      [ 2823.169314] [<c03caeb0>] (cpsw_rx_handler) from [<c03c730c>] (__cpdma_chan_free+0x90/0xa8)
      [ 2823.178028] [<c03c730c>] (__cpdma_chan_free) from [<c03c7418>] (__cpdma_chan_process+0xf4/0x134)
      [ 2823.187279] [<c03c7418>] (__cpdma_chan_process) from [<c03c7560>] (cpdma_chan_stop+0xb4/0x17c)
      [ 2823.196349] [<c03c7560>] (cpdma_chan_stop) from [<c03c766c>] (cpdma_ctlr_stop+0x44/0x9c)
      [ 2823.204872] [<c03c766c>] (cpdma_ctlr_stop) from [<c03cb708>] (cpsw_ndo_stop+0x154/0x188)
      [ 2823.213321] [<c03cb708>] (cpsw_ndo_stop) from [<c046f0ec>] (__dev_close_many+0x84/0xc8)
      [ 2823.221761] [<c046f0ec>] (__dev_close_many) from [<c046f158>] (__dev_close+0x28/0x3c)
      [ 2823.230012] [<c046f158>] (__dev_close) from [<c0474ca8>] (__dev_change_flags+0x88/0x160)
      [ 2823.238483] [<c0474ca8>] (__dev_change_flags) from [<c0474da0>] (dev_change_flags+0x18/0x48)
      [ 2823.247316] [<c0474da0>] (dev_change_flags) from [<c04d12c4>] (devinet_ioctl+0x61c/0x6e0)
      [ 2823.255884] [<c04d12c4>] (devinet_ioctl) from [<c045c660>] (sock_ioctl+0x68/0x2a4)
      [ 2823.263789] [<c045c660>] (sock_ioctl) from [<c0125fe4>] (do_vfs_ioctl+0x78/0x61c)
      [ 2823.271629] [<c0125fe4>] (do_vfs_ioctl) from [<c01265ec>] (SyS_ioctl+0x64/0x74)
      [ 2823.279284] [<c01265ec>] (SyS_ioctl) from [<c000e580>] (ret_fast_syscall+0x0/0x48)
      Signed-off-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16e5c57d
    • David S. Miller's avatar
      net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller authored
      Several spots in the kernel perform a sequence like:
      
      	skb_queue_tail(&sk->s_receive_queue, skb);
      	sk->sk_data_ready(sk, skb->len);
      
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about it's
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      676d2369
    • David S. Miller's avatar
      Merge branch 'hyperv' · ad20d5f6
      David S. Miller authored
      K. Y. Srinivasan says:
      
      ====================
      Fix issues with Heper-V network offload code
      
      WS2008 R2 does not support udp checksum offload. Furthermore, ws2012 and
      ws2012 r2 have issues offloading udp checksum from Linux guests.
      This patch-set addresses these issues as well as other bug fixes.
      Please apply.
      
      In this version, I have addressed the comment from David Miller with reagards
      to COWing the skb prior to modifying the header (patch 3/3).
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad20d5f6
    • KY Srinivasan's avatar
      Drivers: net: hyperv: Address UDP checksum issues · af9893a3
      KY Srinivasan authored
      ws2008r2 does not support UDP checksum offload. Thus, we cannnot turn on
      UDP offload in the host. Also, on ws2012 and ws2012 r2, there appear to be
      an issue with UDP checksum offload.
      Fix this issue by computing the UDP checksum in the Hyper-V driver.
      
      Based on Dave Miller's comments, in this version, I have COWed the skb
      before modifying the UDP header (the checksum field).
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Reviewed-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af9893a3
    • KY Srinivasan's avatar
      Drivers: net: hyperv: Negotiate suitable ndis version for offload support · 1f73db49
      KY Srinivasan authored
      Ws2008R2 supports ndis_version 6.1 and 6.1 is the minimal version required
      for various offloads. Negotiate ndis_version 6.1 when on ws2008r2.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Reviewed-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f73db49
    • KY Srinivasan's avatar
      Drivers: net: hyperv: Allocate memory for all possible per-pecket information · 4276372f
      KY Srinivasan authored
      An outgoing packet can potentially need per-packet information for
      all the offloads and VLAN tagging. Fix this issue.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Reviewed-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4276372f
    • Toshiaki Makita's avatar
      bridge: Fix double free and memory leak around br_allowed_ingress · eb707618
      Toshiaki Makita authored
      br_allowed_ingress() has two problems.
      
      1. If br_allowed_ingress() is called by br_handle_frame_finish() and
      vlan_untag() in br_allowed_ingress() fails, skb will be freed by both
      vlan_untag() and br_handle_frame_finish().
      
      2. If br_allowed_ingress() is called by br_dev_xmit() and
      br_allowed_ingress() fails, the skb will not be freed.
      
      Fix these two problems by freeing the skb in br_allowed_ingress()
      if it fails.
      Signed-off-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb707618
    • Thomas Richter's avatar
      bonding: Remove debug_fs files when module init fails · db298686
      Thomas Richter authored
      Remove the bonding debug_fs entries when the
      module initialization fails. The debug_fs
      entries should be removed together with all other
      already allocated resources.
      Signed-off-by: default avatarThomas Richter <tmricht@linux.vnet.ibm.com>
      Signed-off-by: default avatarJay Vosburgh <j.vosburgh@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      db298686
    • Florian Westphal's avatar
      net: core: don't account for udp header size when computing seglen · 6d39d589
      Florian Westphal authored
      In case of tcp, gso_size contains the tcpmss.
      
      For UFO (udp fragmentation offloading) skbs, gso_size is the fragment
      payload size, i.e. we must not account for udp header size.
      
      Otherwise, when using virtio drivers, a to-be-forwarded UFO GSO packet
      will be needlessly fragmented in the forward path, because we think its
      individual segments are too large for the outgoing link.
      
      Fixes: fe6cc55f ("net: ip, ipv6: handle gso skbs in forwarding path")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Reported-by: default avatarTobias Brunner <tobias@strongswan.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d39d589
  2. 09 Apr, 2014 4 commits
    • Dmitry Petukhov's avatar
      l2tp: take PMTU from tunnel UDP socket · f34c4a35
      Dmitry Petukhov authored
      When l2tp driver tries to get PMTU for the tunnel destination, it uses
      the pointer to struct sock that represents PPPoX socket, while it
      should use the pointer that represents UDP socket of the tunnel.
      Signed-off-by: default avatarDmitry Petukhov <dmgenp@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f34c4a35
    • Mugunthan V N's avatar
      drivers: net: cpsw: Add default vlan for dual emac case also · 629c9a8f
      Mugunthan V N authored
      Dual EMAC works with VLAN segregation of the ports, so default vlan needs
      to be added in dual EMAC case else default vlan will be tagged for all
      egress packets and vlan unaware switches/servers will drop packets
      from the EVM.
      Signed-off-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Tested-by: default avatarYegor Yefremov <yegorslists@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      629c9a8f
    • Balakumaran Kannan's avatar
      net phylib: Remove unnecessary condition check in phy · fa8cddaf
      Balakumaran Kannan authored
      This condition check makes no difference in the code flow since 3.10
      Signed-off-by: default avatarBalakumaran Kannan <kumaran.4353@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fa8cddaf
    • Daniel Borkmann's avatar
      net: sctp: test if association is dead in sctp_wake_up_waiters · 1e1cdf8a
      Daniel Borkmann authored
      In function sctp_wake_up_waiters(), we need to involve a test
      if the association is declared dead. If so, we don't have any
      reference to a possible sibling association anymore and need
      to invoke sctp_write_space() instead, and normally walk the
      socket's associations and notify them of new wmem space. The
      reason for special casing is that otherwise, we could run
      into the following issue when a sctp_primitive_SEND() call
      from sctp_sendmsg() fails, and tries to flush an association's
      outq, i.e. in the following way:
      
      sctp_association_free()
      `-> list_del(&asoc->asocs)         <-- poisons list pointer
          asoc->base.dead = true
          sctp_outq_free(&asoc->outqueue)
          `-> __sctp_outq_teardown()
           `-> sctp_chunk_free()
            `-> consume_skb()
             `-> sctp_wfree()
              `-> sctp_wake_up_waiters() <-- dereferences poisoned pointers
                                             if asoc->ep->sndbuf_policy=0
      
      Therefore, only walk the list in an 'optimized' way if we find
      that the current association is still active. We could also use
      list_del_init() in addition when we call sctp_association_free(),
      but as Vlad suggests, we want to trap such bugs and thus leave
      it poisoned as is.
      
      Why is it safe to resolve the issue by testing for asoc->base.dead?
      Parallel calls to sctp_sendmsg() are protected under socket lock,
      that is lock_sock()/release_sock(). Only within that path under
      lock held, we're setting skb/chunk owner via sctp_set_owner_w().
      Eventually, chunks are freed directly by an association still
      under that lock. So when traversing association list on destruction
      time from sctp_wake_up_waiters() via sctp_wfree(), a different
      CPU can't be running sctp_wfree() while another one calls
      sctp_association_free() as both happens under the same lock.
      Therefore, this can also not race with setting/testing against
      asoc->base.dead as we are guaranteed for this to happen in order,
      under lock. Further, Vlad says: the times we check asoc->base.dead
      is when we've cached an association pointer for later processing.
      In between cache and processing, the association may have been
      freed and is simply still around due to reference counts. We check
      asoc->base.dead under a lock, so it should always be safe to check
      and not race against sctp_association_free(). Stress-testing seems
      fine now, too.
      
      Fixes: cd253f9f357d ("net: sctp: wake up all assocs if sndbuf policy is per socket")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevic@redhat.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e1cdf8a
  3. 08 Apr, 2014 14 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ce7613db
      Linus Torvalds authored
      Pull more networking updates from David Miller:
      
       1) If a VXLAN interface is created with no groups, we can crash on
          reception of packets.  Fix from Mike Rapoport.
      
       2) Missing includes in CPTS driver, from Alexei Starovoitov.
      
       3) Fix string validations in isdnloop driver, from YOSHIFUJI Hideaki
          and Dan Carpenter.
      
       4) Missing irq.h include in bnxw2x, enic, and qlcnic drivers.  From
          Josh Boyer.
      
       5) AF_PACKET transmit doesn't statistically count TX drops, from Daniel
          Borkmann.
      
       6) Byte-Queue-Limit enabled drivers aren't handled properly in
          AF_PACKET transmit path, also from Daniel Borkmann.
      
          Same problem exists in pktgen, and Daniel fixed it there too.
      
       7) Fix resource leaks in driver probe error paths of new sxgbe driver,
          from Francois Romieu.
      
       8) Truesize of SKBs can gradually get more and more corrupted in NAPI
          packet recycling path, fix from Eric Dumazet.
      
       9) Fix uniprocessor netfilter build, from Florian Westphal.  In the
          longer term we should perhaps try to find a way for ARRAY_SIZE() to
          work even with zero sized array elements.
      
      10) Fix crash in netfilter conntrack extensions due to mis-estimation of
          required extension space.  From Andrey Vagin.
      
      11) Since we commit table rule updates before trying to copy the
          counters back to userspace (it's the last action we perform), we
          really can't signal the user copy with an error as we are beyond the
          point from which we can unwind everything.  This causes all kinds of
          use after free crashes and other mysterious behavior.
      
          From Thomas Graf.
      
      12) Restore previous behvaior of div/mod by zero in BPF filter
          processing.  From Daniel Borkmann.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
        net: sctp: wake up all assocs if sndbuf policy is per socket
        isdnloop: several buffer overflows
        netdev: remove potentially harmful checks
        pktgen: fix xmit test for BQL enabled devices
        net/at91_ether: avoid NULL pointer dereference
        tipc: Let tipc_release() return 0
        at86rf230: fix MAX_CSMA_RETRIES parameter
        mac802154: fix duplicate #include headers
        sxgbe: fix duplicate #include headers
        net: filter: be more defensive on div/mod by X==0
        netfilter: Can't fail and free after table replacement
        xen-netback: Trivial format string fix
        net: bcmgenet: Remove unnecessary version.h inclusion
        net: smc911x: Remove unused local variable
        bonding: Inactive slaves should keep inactive flag's value
        netfilter: nf_tables: fix wrong format in request_module()
        netfilter: nf_tables: set names cannot be larger than 15 bytes
        netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
        netfilter: Add {ipt,ip6t}_osf aliases for xt_osf
        netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks
        ...
      ce7613db
    • Linus Torvalds's avatar
      Merge tag 'staging-3.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 0afccc4c
      Linus Torvalds authored
      Pull more staging patches from Greg KH:
       "Here are some more staging patches for 3.15-rc1.
      
        They include a late-submission of a wireless driver that a bunch of
        people seem to have the hardware for now.  As it's stand-alone, it
        should be fine (now passes the 0-day random build bot tests).
      
        There are also some fixes for the unisys drivers, as they were causing
        havoc on a number of different machines.  To resolve all of those
        issues, we just mark the driver as BROKEN now, and we can fix it up
        "properly" over time"
      
      * tag 'staging-3.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: rtl8723au: The 8723 only has two paths
        Staging: unisys: mark drivers as BROKEN
        Staging: unisys: verify that a control channel exists
        staging: unisys: Add missing close parentheses in filexfer.c
        staging: r8723au: Fix build problem when RFKILL is not selected
        staging: r8723au: Fix randconfig build errors
        staging: r8723au: Turn on build of new driver
        staging: r8723au: Additional source patches
        staging: r8723au: Add source files for new driver - part 4
        staging: r8723au: Add source files for new driver - part 3
        staging: r8723au: Add source files for new driver - part 2
        staging: r8723au: Add source files for new driver - part 1
      0afccc4c
    • Linus Torvalds's avatar
      Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · e4f30545
      Linus Torvalds authored
      Pull second set of arm64 updates from Catalin Marinas:
       "A second pull request for this merging window, mainly with fixes and
        docs clarification:
      
         - Documentation clarification on CPU topology and booting
           requirements
         - Additional cache flushing during boot (needed in the presence of
           external caches or under virtualisation)
         - DMA range invalidation fix for non cache line aligned buffers
         - Build failure fix with !COMPAT
         - Kconfig update for STRICT_DEVMEM"
      
      * tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: Fix DMA range invalidation for cache line unaligned buffers
        arm64: Add missing Kconfig for CONFIG_STRICT_DEVMEM
        arm64: fix !CONFIG_COMPAT build failures
        Revert "arm64: virt: ensure visibility of __boot_cpu_mode"
        arm64: Relax the kernel cache requirements for boot
        arm64: Update the TCR_EL1 translation granule definitions for 16K pages
        ARM: topology: Make it clear that all CPUs need to be described
      e4f30545
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · d586c86d
      Linus Torvalds authored
      Pull second set of s390 patches from Martin Schwidefsky:
       "The second part of Heikos uaccess rework, the page table walker for
        uaccess is now a thing of the past (yay!)
      
        The code change to fix the theoretical TLB flush problem allows us to
        add a TLB flush optimization for zEC12, this machine has new
        instructions that allow to do CPU local TLB flushes for single pages
        and for all pages of a specific address space.
      
        Plus the usual bug fixing and some more cleanup"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/uaccess: rework uaccess code - fix locking issues
        s390/mm,tlb: optimize TLB flushing for zEC12
        s390/mm,tlb: safeguard against speculative TLB creation
        s390/irq: Use defines for external interruption codes
        s390/irq: Add defines for external interruption codes
        s390/sclp: add timeout for queued requests
        kvm/s390: also set guest pages back to stable on kexec/kdump
        lcs: Add missing destroy_timer_on_stack()
        s390/tape: Add missing destroy_timer_on_stack()
        s390/tape: Use del_timer_sync()
        s390/3270: fix crash with multiple reset device requests
        s390/bitops,atomic: add missing memory barriers
        s390/zcrypt: add length check for aligned data to avoid overflow in msg-type 6
      d586c86d
    • Daniel Borkmann's avatar
      net: sctp: wake up all assocs if sndbuf policy is per socket · 52c35bef
      Daniel Borkmann authored
      SCTP charges chunks for wmem accounting via skb->truesize in
      sctp_set_owner_w(), and sctp_wfree() respectively as the
      reverse operation. If a sender runs out of wmem, it needs to
      wait via sctp_wait_for_sndbuf(), and gets woken up by a call
      to __sctp_write_space() mostly via sctp_wfree().
      
      __sctp_write_space() is being called per association. Although
      we assign sk->sk_write_space() to sctp_write_space(), which
      is then being done per socket, it is only used if send space
      is increased per socket option (SO_SNDBUF), as SOCK_USE_WRITE_QUEUE
      is set and therefore not invoked in sock_wfree().
      
      Commit 4c3a5bda ("sctp: Don't charge for data in sndbuf
      again when transmitting packet") fixed an issue where in case
      sctp_packet_transmit() manages to queue up more than sndbuf
      bytes, sctp_wait_for_sndbuf() will never be woken up again
      unless it is interrupted by a signal. However, a still
      remaining issue is that if net.sctp.sndbuf_policy=0, that is
      accounting per socket, and one-to-many sockets are in use,
      the reclaimed write space from sctp_wfree() is 'unfairly'
      handed back on the server to the association that is the lucky
      one to be woken up again via __sctp_write_space(), while
      the remaining associations are never be woken up again
      (unless by a signal).
      
      The effect disappears with net.sctp.sndbuf_policy=1, that
      is wmem accounting per association, as it guarantees a fair
      share of wmem among associations.
      
      Therefore, if we have reclaimed memory in case of per socket
      accounting, wake all related associations to a socket in a
      fair manner, that is, traverse the socket association list
      starting from the current neighbour of the association and
      issue a __sctp_write_space() to everyone until we end up
      waking ourselves. This guarantees that no association is
      preferred over another and even if more associations are
      taken into the one-to-many session, all receivers will get
      messages from the server and are not stalled forever on
      high load. This setting still leaves the advantage of per
      socket accounting in touch as an association can still use
      up global limits if unused by others.
      
      Fixes: 4eb701df ("[SCTP] Fix SCTP sendbuffer accouting.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Thomas Graf <tgraf@suug.ch>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Vlad Yasevich <vyasevic@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      52c35bef
    • Linus Torvalds's avatar
      Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux · e9f37d3a
      Linus Torvalds authored
      Pull drm updates from Dave Airlie:
       "Highlights:
      
         - drm:
      
           Generic display port aux features, primary plane support, drm
           master management fixes, logging cleanups, enforced locking checks
           (instead of docs), documentation improvements, minor number
           handling cleanup, pseudofs for shared inodes.
      
         - ttm:
      
           add ability to allocate from both ends
      
         - i915:
      
           broadwell features, power domain and runtime pm, per-process
           address space infrastructure (not enabled)
      
         - msm:
      
           power management, hdmi audio support
      
         - nouveau:
      
           ongoing GPU fault recovery, initial maxwell support, random fixes
      
         - exynos:
      
           refactored driver to clean up a lot of abstraction, DP support
           moved into drm, LVDS bridge support added, parallel panel support
      
         - gma500:
      
           SGX MMU support, SGX irq handling, asle irq work fixes
      
         - radeon:
      
           video engine bringup, ring handling fixes, use dp aux helpers
      
         - vmwgfx:
      
           add rendernode support"
      
      * 'drm-next' of git://people.freedesktop.org/~airlied/linux: (849 commits)
        DRM: armada: fix corruption while loading cursors
        drm/dp_helper: don't return EPROTO for defers (v2)
        drm/bridge: export ptn3460_init function
        drm/exynos: remove MODULE_DEVICE_TABLE definitions
        ARM: dts: exynos4412-trats2: enable exynos/fimd node
        ARM: dts: exynos4210-trats: enable exynos/fimd node
        ARM: dts: exynos4412-trats2: add panel node
        ARM: dts: exynos4210-trats: add panel node
        ARM: dts: exynos4: add MIPI DSI Master node
        drm/panel: add S6E8AA0 driver
        ARM: dts: exynos4210-universal_c210: add proper panel node
        drm/panel: add ld9040 driver
        panel/ld9040: add DT bindings
        panel/s6e8aa0: add DT bindings
        drm/exynos: add DSIM driver
        exynos/dsim: add DT bindings
        drm/exynos: disallow fbdev initialization if no device is connected
        drm/mipi_dsi: create dsi devices only for nodes with reg property
        drm/mipi_dsi: add flags to DSI messages
        Skip intel_crt_init for Dell XPS 8700
        ...
      e9f37d3a
    • Dan Carpenter's avatar
      isdnloop: several buffer overflows · 7563487c
      Dan Carpenter authored
      There are three buffer overflows addressed in this patch.
      
      1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
      then copy it into a 60 character buffer.  I have made the destination
      buffer 64 characters and I'm changed the sprintf() to a snprintf().
      
      2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
      character buffer so we have 54 characters.  The ->eazlist[] is 11
      characters long.  I have modified the code to return if the source
      buffer is too long.
      
      3) In isdnloop_command() the cbuf[] array was 60 characters long but the
      max length of the string then can be up to 79 characters.  I made the
      cbuf array 80 characters long and changed the sprintf() to snprintf().
      I also removed the temporary "dial" buffer and changed it to use "p"
      directly.
      
      Unfortunately, we pass the "cbuf" string from isdnloop_command() to
      isdnloop_writecmd() which truncates anything over 60 characters to make
      it fit in card->omsg[].  (It can accept values up to 255 characters so
      long as there is a '\n' character every 60 characters).  For now I have
      just fixed the memory corruption bug and left the other problems in this
      driver alone.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7563487c
    • Heiko Carstens's avatar
    • Catalin Marinas's avatar
      arm64: Fix DMA range invalidation for cache line unaligned buffers · ebf81a93
      Catalin Marinas authored
      If the buffer needing cache invalidation for inbound DMA does start or
      end on a cache line aligned address, we need to use the non-destructive
      clean&invalidate operation. This issue was introduced by commit
      7363590d (arm64: Implement coherent DMA API based on swiotlb).
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Reported-by: default avatarJon Medhurst (Tixy) <tixy@linaro.org>
      ebf81a93
    • Linus Torvalds's avatar
      Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · a7963eb7
      Linus Torvalds authored
      Pull ext3 improvements, cleanups, reiserfs fix from Jan Kara:
       "various cleanups for ext2, ext3, udf, isofs, a documentation update
        for quota, and a fix of a race in reiserfs readdir implementation"
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        reiserfs: fix race in readdir
        ext2: acl: remove unneeded include of linux/capability.h
        ext3: explicitly remove inode from orphan list after failed direct io
        fs/isofs/inode.c add __init to init_inodecache()
        ext3: Speedup WB_SYNC_ALL pass
        fs/quota/Kconfig: Update filesystems
        ext3: Update outdated comment before ext3_ordered_writepage()
        ext3: Update PF_MEMALLOC handling in ext3_write_inode()
        ext2/3: use prandom_u32() instead of get_random_bytes()
        ext3: remove an unneeded check in ext3_new_blocks()
        ext3: remove unneeded check in ext3_ordered_writepage()
        fs: Mark function as static in ext3/xattr_security.c
        fs: Mark function as static in ext3/dir.c
        fs: Mark function as static in ext2/xattr_security.c
        ext3: Add __init macro to init_inodecache
        ext2: Add __init macro to init_inodecache
        udf: Add __init macro to init_inodecache
        fs: udf: parse_options: blocksize check
      a7963eb7
    • Linus Torvalds's avatar
      Merge branch 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · b003d770
      Linus Torvalds authored
      Pull kbuild changes from Michal Marek:
       - cleanups in the main Makefiles and Documentation/DocBook/Makefile
       - make O=...  directory is automatically created if needed
       - mrproper/distclean removes the old include/linux/version.h to make
         life easier when bisecting across the commit that moved the version.h
         file
      
      * 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        kbuild: docbook: fix the include error when executing "make help"
        kbuild: create a build directory automatically for out-of-tree build
        kbuild: remove redundant '.*.cmd' pattern from make distclean
        kbuild: move "quote" to Kbuild.include to be consistent
        kbuild: docbook: use $(obj) and $(src) rather than specific path
        kbuild: unconditionally clobber include/linux/version.h on distclean
        kbuild: docbook: specify KERNELDOC dependency correctly
        kbuild: docbook: include cmd files more simply
        kbuild: specify build_docproc as a phony target
      b003d770
    • Linus Torvalds's avatar
      Merge tag 'arc-v3.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 3573d386
      Linus Torvalds authored
      Pull ARC changes from Vineet Gupta:
       - Support for external initrd from Noam
       - Fix broken serial console in nsimosci Virtual Platform
       - Reuse of ENTRY/END assembler macros across hand asm code
       - Other minor fixes here and there
      
      * tag 'arc-v3.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: [nsimosci] Unbork console
        ARC: [nsimosci] Change .dts to use generic 8250 UART
        ARC: [SMP] General Fixes
        ARC: Remove unused DT template file
        ARC: [clockevent] simplify timer ISR
        ARC: [clockevent] can't be SoC specific
        ARC: Remove ARC_HAS_COH_RTSC
        ARC: switch to generic ENTRY/END assembler annotations
        ARC: support external initrd
        ARC: add uImage to .gitignore
        ARC: [arcfpga] Fix __initconst data const-correctness
      3573d386
    • Russell King's avatar
      DRM: armada: fix corruption while loading cursors · c39b0695
      Russell King authored
      Loading cursors to the LCD controller's SRAM can be corrupted when the
      configured pixel clock is relatively slow.  This seems to be caused
      when we write back-to-back to the SRAM registers.
      
      There doesn't appear to be any status register we can read to check
      when an access has completed.
      
      Inserting a dummy read between the writes appears to fix the problem.
      
      Cc: <stable@vger.kernel.org> # 3.13
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      c39b0695
    • Linus Torvalds's avatar
      Merge tag 'stable/for-linus-3.15-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · c8d9762a
      Linus Torvalds authored
      Pull Xen build fix from David Vrabel:
       "Fix arm build of drivers/xen/events/
      
        The merge of irq-core-for-linus branch broke it"
      
      * tag 'stable/for-linus-3.15-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        Xen: do hv callback accounting only on x86
      c8d9762a
  4. 07 Apr, 2014 13 commits