1. 17 Apr, 2013 12 commits
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · 96d86834
      Linus Torvalds authored
      Pull Ceph fix from Sage Weil:
       "It's a simple fix for a hard to hit race, but low-risk and clearly
        correct"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        rbd: do a safe list traversal in rbd_img_request_submit()
    • ARM: KVM: fix unbalanced get_cpu() in access_dcsw · 15bbc1b2
      Marc Zyngier authored
      In the very unlikely event where a guest would be foolish enough to
      *read* from a write-only cache maintenance register, we end up
      with preemption disabled, due to a misplaced get_cpu().
      
      Just move the "is_write" test outside of the critical section.
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Christoffer Dall <cdall@cs.columbia.edu>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • rbd: do a safe list traversal in rbd_img_request_submit() · 46faeed4
      Alex Elder authored
      It's possible that the reference to the object request dropped
      inside the loop in rbd_img_request_submit() will be the last
      one, in which case the content of the object pointer can't be
      trusted.
      
      Use a safe form of the object request list traversal to avoid
      problems.
      
      This resolves:
          http://tracker.ceph.com/issues/4705
      
      Signed-off-by: Alex Elder <elder@inktank.com>
      Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · fca83168
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix erroneous netfilter drop of SIP packets generated by some Cisco
          phones, from Patrick McHardy.
      
       2) Fix netfilter IPSET refcounting in list_set_add(), from Jozsef
          Kadlecsik.
      
       3) Fix TCP syncookies route lookup key, we don't use the same values we
          would use for the usual SYN receive processing, from Dmitry Popov.
      
       4) Fix NULL deref in bond_slave_netdev_event(), from Nikolay
          Aleksandrov.
      
       5) When bonding enslave fails, we can forget to clear the IFF_BONDING
          bit, fix also from Nikolay Aleksandrov.
      
       6) skb->csum_start is 16-bits, which is almost always just fine.  But
          if we reallocate the headroom of an SKB this can push the
          skb->csum_start value outside of its valid range.  This can easily
          happen when collapsing multiple SKBs from the retransmit queue
          together.
      
          Fix from Thomas Graf.
      
       7) Fix NULL deref in be2net driver due to missing check of
          __vlan_put_tag() return value, from Ivan Vecera.
      
       8) tun_set_iff() returns zero instead of error code on failure, fix
          from Wei Yongjun.
      
       9) Like GARP, 802 MRP needs to hold the app->lock when adding MAD
          events and queueing PDUs.  Fix from David Ward.
      
      10) Build fix, MVMDIO needs PHYLIB, from Thomas Petazzoni.
      
      11) Fix mac80211 static with ipv6 modular build, from Cong Wang.
      
      12) If userland specifies a path cost explicitly, do not override it
          when the carrier state changes.  From Stephen Hemminger.
      
      13) mvneta calculates the TX queue to use incorrectly resulting in
          garbage pointer derefs and crashes, fix from Willy Tarreau.
      
      14) cdc_mbim does erroneous sizeof(ETH_HLEN).  Fix from Bjorn Mork.
      
      15) IP fragmentation can leak a refcount-less route out from an RCU
          protected section.  This results in crashes and all sorts of hard to
          diagnose behavior.  Fix from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits)
        qlcnic: fix beaconing test for 82xx adapter
        net: drop dst before queueing fragments
        net: fec: fix regression in link change accounting
        net: cdc_mbim: remove bogus sizeof()
        drivers: net: ethernet: cpsw: get slave VLAN id from slave node instead of cpsw node
        net: mvneta: fix improper tx queue usage in mvneta_tx()
        esp4: fix error return code in esp_output()
        bridge: make user modified path cost sticky
        ipv6: statically link register_inet6addr_notifier()
        net: mvmdio: add select PHYLIB
        net/802/mrp: fix possible race condition when calling mrp_pdu_queue()
        tuntap: fix error return code in tun_set_iff()
        be2net: take care of __vlan_put_tag return value
        can: sja1000: fix handling on dt properties on little endian systems
        can: mcp251x: add missing IRQF_ONESHOT to request_threaded_irq
        netfilter: nf_nat: fix race when unloading protocol modules
        tcp: Reallocate headroom if it would overflow csum_start
        stmmac: prevent interrupt loop with MMC RX IPC Counter
        bonding: IFF_BONDING is not stripped on enslave failure
        bonding: fix netdev event NULL pointer dereference
        ...
    • s390: move dummy io_remap_pfn_range() to asm/pgtable.h · 4f2e2903
      Linus Torvalds authored
      Commit b4cbb197 ("vm: add vm_iomap_memory() helper function") added
      a helper function wrapper around io_remap_pfn_range(), and every other
      architecture defined it in <asm/pgtable.h>.
      
      The s390 choice of <asm/io.h> may make sense, but is not very convenient
      for this case, and gratuitous differences like that cause unexpected errors like this:
      
         mm/memory.c: In function 'vm_iomap_memory':
         mm/memory.c:2439:2: error: implicit declaration of function 'io_remap_pfn_range' [-Werror=implicit-function-declaration]
      
      Glory be the kbuild test robot who noticed this, bisected it, and
      reported it to the guilty parties (ie me).
      
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • qlcnic: fix beaconing test for 82xx adapter · 361cd29c
      Himanshu Madhani authored
      o Commit 319ecf12
        ("qlcnic: 83xx sysfs routines") introduced regression
        for beaconing test while refactoring 82xx code. This patch is to
        revert code to fix beaconing test for 82xx adapter.
      Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: drop dst before queueing fragments · 97599dc7
      Eric Dumazet authored
      Commit 4a94445c (net: Use ip_route_input_noref() in input path)
      added a bug in IP defragmentation handling, as non refcounted
      dst could escape an RCU protected section.
      
      Commit 64f3b9e2 (net: ip_expire() must revalidate route) fixed
      the case of timeouts, but not the general problem.
      
      Tom Parkin noticed crashes in UDP stack and provided a patch,
      but further analysis permitted us to pinpoint the root cause.
      
      Before queueing a packet into a frag list, we must drop its dst,
      as this dst has limited lifetime (RCU protected)
      
      When/if a packet is finally reassembled, we use the dst of the very
      last skb, still protected by RCU and valid, as the dst of the
      reassembled packet.
      
      Use same logic in IPv6, as there is no need to hold dst references.
      Reported-by: Tom Parkin <tparkin@katalix.com>
      Tested-by: Tom Parkin <tparkin@katalix.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm · 542a6724
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "A build fix for an incomplete change to the ARM cpu suspend code"
      
      * branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
        ARM: Do 15e0d9e3 (ARM: pm: let platforms select cpu_suspend support) properly
    • Merge git://git.kernel.org/pub/scm/virt/kvm/kvm · 4be41343
      Linus Torvalds authored
      Pull kvm fixes from Marcelo Tosatti:
       "PPC and ARM KVM fixes"
      
      * git://git.kernel.org/pub/scm/virt/kvm/kvm:
        ARM: KVM: fix L_PTE_S2_RDWR to actually be Read/Write
        ARM: KVM: fix KVM_CAP_ARM_SET_DEVICE_ADDR reporting
        kvm/ppc/e500: eliminate tlb_refs
        kvm/ppc/e500: g2h_tlb1_map: clear old bit before setting new bit
        kvm/ppc/e500: h2g_tlb1_rmap: esel 0 is valid
        kvm/powerpc/e500mc: fix tlb invalidation on cpu migration
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes · de0024b6
      Linus Torvalds authored
      Pull powerpc fixes from Stephen Rothwell:
       "Three regressions in the PowerPC code.  One from v3.7 the others from
        this merge window."
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes:
        powerpc: add a missing label in resume_kernel
        powerpc: Fix audit crash due to save/restore PPR changes
        powerpc: fix compiling CONFIG_PPC_TRANSACTIONAL_MEM when CONFIG_ALTIVEC=n
    • Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · c208278c
      Linus Torvalds authored
      Pull kbuild fix from Michal Marek:
       "Fix for a missing dependency when generating scripts/mod/devicetable-offsets.h.
        This dependency got introduced in v3.9-rc1."
      
      * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        kbuild: generate generic headers before recursing into scripts
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 8665ffc9
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "Two small fixups to the Wacom driver"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: wacom - correct reported resolution for Intuos4 Wireless
        Input: wacom - fix "can not retrieve extra class descriptor" for 24HDT
  2. 16 Apr, 2013 6 commits
  3. 15 Apr, 2013 9 commits
  4. 14 Apr, 2013 11 commits
  5. 13 Apr, 2013 2 commits
    • vfs: Revert spurious fix to spinning prevention in prune_icache_sb · 5b55d708
      Suleiman Souhlal authored
      Revert commit 62a3ddef ("vfs: fix spinning prevention in prune_icache_sb").
      
      This commit doesn't look right: since we are looking at the tail of the
      list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
      it back at the head of the list instead of the tail, otherwise we will
      keep spinning on it.
      
      Discovered when investigating why prune_icache_sb came top in perf
      reports of a swapping load.
      Signed-off-by: Suleiman Souhlal <suleiman@google.com>
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Cc: stable@vger.kernel.org # v3.2+
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • kobject: fix kset_find_obj() race with concurrent last kobject_put() · a49b7e82
      Linus Torvalds authored
      Anatol Pomozov identified a race condition that hits module unloading
      and re-loading.  To quote Anatol:
      
       "This is a race condition that exists between kset_find_obj() and
        kobject_put().  kset_find_obj() might return kobject that has refcount
        equal to 0 if this kobject is being freed by kobject_put() in other
        thread.
      
        Here is timeline for the crash in case if kset_find_obj() searches for
        an object that nobody holds and other thread is doing kobject_put() on
        the same kobject:
      
          THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
          spin_lock()
                                               atomic_dec_return(kobj->kref), counter gets zero here
                                               ... starts kobject cleanup ....
                                               spin_lock() // WAIT thread A in kobj_kset_leave()
          iterate over kset->list
          atomic_inc(kobj->kref) (counter becomes 1)
          spin_unlock()
                                               spin_lock() // taken
                                               // it does not know that thread A increased counter so it
                                               remove obj from list
                                               spin_unlock()
                                               vfree(module) // frees module object with containing kobj
      
          // kobj points to freed memory area!!
          kobject_put(kobj) // OOPS!!!!
      
        The race above happens because module.c tries to use kset_find_obj()
        when somebody unloads module.  The module.c code was introduced in
        commit 6494a93d"
      
      Anatol supplied a patch specific for module.c that worked around the
      problem by simply not using kset_find_obj() at all, but rather than make
      a local band-aid, this just fixes kset_find_obj() to be thread-safe
      using the proper model of refusing to get a new reference if the
      refcount has already dropped to zero.
      
      See examples of this proper refcount handling not only in the kref
      documentation, but in various other equivalent uses of this pattern by
      grepping for atomic_inc_not_zero().
      
      [ Side note: the module race does indicate that module loading and
        unloading is not properly serialized wrt sysfs information using the
        module mutex.  That may require further thought, but this is the
        correct fix at the kobject layer regardless. ]
      Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@vger.kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
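
The refcount rule behind the kset_find_obj() fix above, as an added userspace example using C11 atomics; it is not kernel code and not taken from the commit. The names `struct obj`, `get_unconditional`, `get_unless_zero`, `put_ref`, `find_obj` and `replay_race` are hypothetical, and the interleaving from the quoted timeline is replayed in a single thread so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace stand-in for a refcounted object kept on a list. */
struct obj { atomic_int refs; const char *name; };
typedef bool (*get_fn)(struct obj *);

/* Pre-fix behaviour: bump the count unconditionally, reviving a count of 0. */
static bool get_unconditional(struct obj *o) { atomic_fetch_add(&o->refs, 1); return true; }

/* Same contract as atomic_inc_not_zero(): refuse once the count reached 0. */
static bool get_unless_zero(struct obj *o)
{
    int old = atomic_load(&o->refs);
    while (old != 0)
        if (atomic_compare_exchange_weak(&o->refs, &old, old + 1))
            return true;   /* on failure the CAS reloads 'old' and we retry */
    return false;
}

/* Returns true when the caller dropped the last reference and must free. */
static bool put_ref(struct obj *o) { return atomic_fetch_sub(&o->refs, 1) == 1; }

/* List lookup that only returns the object if a reference could be taken. */
static struct obj *find_obj(struct obj **list, size_t n, const char *name, get_fn get)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i]->name, name) == 0)
            return get(list[i]) ? list[i] : NULL;
    return NULL;
}

/* Replays the timeline: B's last put lands first, the object is still listed,
 * then A looks it up. True means A got a pointer to an object being torn down. */
static bool replay_race(get_fn get)
{
    struct obj o = { .name = "constructed-module" };   /* constructed sample */
    struct obj *list[] = { &o };
    atomic_init(&o.refs, 1);
    bool teardown_started = put_ref(&o);
    return teardown_started && find_obj(list, 1, "constructed-module", get) != NULL;
}

int main(void)
{
    printf("unconditional get: stale pointer returned = %d\n", replay_race(get_unconditional));
    printf("get unless zero:   stale pointer returned = %d\n", replay_race(get_unless_zero));
}
```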