1. 07 Dec, 2016 36 commits
  2. 06 Dec, 2016 4 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · bc3913a5
      Linus Torvalds authored
      Pull sparc fix from David Miller:
       "A use-before-NULL-check from Dan Carpenter"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        dbri: move dereference after check for NULL
      bc3913a5
    • Dan Carpenter's avatar
      dbri: move dereference after check for NULL · 163117e8
      Dan Carpenter authored
      We accidentally introduced a dereference before the NULL check in
      xmit_descs() as part of silencing a GCC warning.
      
      Fixes: 16f46050 ("dbri: Fix compiler warning")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      163117e8
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · da1b466f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) When dcbnl_cee_fill() fails to be able to push a new netlink
          attribute, it return 0 instead of an error code. From Pan Bian.
      
       2) Two suffix handling fixes to FIB trie code, from Alexander Duyck.
      
       3) bnxt_hwrm_stat_ctx_alloc() goes through all the trouble of setting
          and maintaining a return code 'rc' but fails to actually return it.
          Also from Pan Bian.
      
       4) ping socket ICMP handler needs to validate ICMP header length, from
          Kees Cook.
      
       5) caif_sktinit_module() has this interesting logic:
      
              int err = sock_register(...);
              if (!err)
                      return err;
              return 0;
      
          Just return sock_register()'s return value directly which is the
          only possible correct thing to do.
      
       6) Two bnx2x driver fixes from Yuval Mintz, return a reasonable
          estimate from get_ringparam() ethtool op when interface is down and
          avoid trying to use UDP port based tunneling on 577xx chips.
      
       7) Fix ep93xx_eth crash on module unload from Florian Fainelli.
      
       8) Missing uapi exports, from Stephen Hemminger.
      
       9) Don't schedule work from sk_destruct(), because the socket will be
          freed upon return from that function. From Herbert Xu.
      
      10) Buggy drivers, of which we know there is at least one, can send a
          huge packet into the TCP stack but forget to set the gso_size in the
          SKB, which causes all kinds of problems.
      
          Correct this when it happens, and emit a one-time warning with the
          device name included so that it can be diagnosed more easily.
      
          From Marcelo Ricardo Leitner.
      
      11) virtio-net does DMA off the stack causes hiccups with VMAP_STACK,
          fix from Andy Lutomirski.
      
      12) Fix fec driver compilation with CONFIG_M5272, from Nikita
          Yushchenko.
      
      13) mlx5 fixes from Kamal Heib, Saeed Mahameed, and Mohamad Haj Yahia.
          (erroneously flushing queues on error, module parameter validation,
          etc)
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (34 commits)
        net/mlx5e: Change the SQ/RQ operational state to positive logic
        net/mlx5e: Don't flush SQ on error
        net/mlx5e: Don't notify HW when filling the edge of ICO SQ
        net/mlx5: Fix query ISSI flow
        net/mlx5: Remove duplicate pci dev name print
        net/mlx5: Verify module parameters
        net: fec: fix compile with CONFIG_M5272
        be2net: Add DEVSEC privilege to SET_HSW_CONFIG command.
        virtio-net: Fix DMA-from-the-stack in virtnet_set_mac_address()
        tcp: warn on bogus MSS and try to amend it
        uapi glibc compat: fix outer guard of net device flags enum
        net: stmmac: clear reset value of snps, wr_osr_lmt/snps, rd_osr_lmt before writing
        netlink: Do not schedule work from sk_destruct
        uapi: export nf_log.h
        uapi: export tc_skbmod.h
        net: ep93xx_eth: Do not crash unloading module
        bnx2x: Prevent tunnel config for 577xx
        bnx2x: Correct ringparam estimate when DOWN
        isdn: hisax: set error code on failure
        net: bnx2x: fix improper return value
        ...
      da1b466f
    • Linus Torvalds's avatar
      shmem: fix shm fallocate() list corruption · 10d20bd2
      Linus Torvalds authored
      The shmem hole punching with fallocate(FALLOC_FL_PUNCH_HOLE) does not
      want to race with generating new pages by faulting them in.
      
      However, the wait-queue used to delay the page faulting has a serious
      problem: the wait queue head (in shmem_fallocate()) is allocated on the
      stack, and the code expects that "wake_up_all()" will make sure that all
      the queue entries are gone before the stack frame is de-allocated.
      
      And that is not at all necessarily the case.
      
      Yes, a normal wake-up sequence will remove the wait-queue entry that
      caused the wakeup (see "autoremove_wake_function()"), but the key
      wording there is "that caused the wakeup".  When there are multiple
      possible wakeup sources, the wait queue entry may well stay around.
      
      And _particularly_ in a page fault path, we may be faulting in new pages
      from user space while we also have other things going on, and there may
      well be other pending wakeups.
      
      So despite the "wake_up_all()", it's not at all guaranteed that all list
      entries are removed from the wait queue head on the stack.
      
      Fix this by introducing a new wakeup function that removes the list
      entry unconditionally, even if the target process had already woken up
      for other reasons.  Use that "synchronous" function to set up the
      waiters in shmem_fault().
      
      This problem has never been seen in the wild afaik, but Dave Jones has
      reported it on and off while running trinity.  We thought we fixed the
      stack corruption with the blk-mq rq_list locking fix (commit
      7fe31130: "blk-mq: update hardware and software queues for sleeping
      alloc"), but it turns out there was _another_ stack corruptor hiding
      in the trinity runs.
      
      Vegard Nossum (also running trinity) was able to trigger this one fairly
      consistently, and made us look once again at the shmem code due to the
      faults often being in that area.
      
      Reported-and-tested-by: Vegard Nossum <vegard.nossum@oracle.com>.
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      10d20bd2