1. 09 Mar, 2016 5 commits
    • Mark Rutland's avatar
      kasan: add functions to clear stack poison · e3ae1163
      Mark Rutland authored
      Functions which the compiler has instrumented for ASAN place poison on
      the stack shadow upon entry and remove this poison prior to returning.
      
      In some cases (e.g. hotplug and idle), CPUs may exit the kernel a
      number of levels deep in C code.  If there are any instrumented
      functions on this critical path, these will leave portions of the idle
      thread stack shadow poisoned.
      
      If a CPU returns to the kernel via a different path (e.g. a cold
      entry), then depending on stack frame layout subsequent calls to
      instrumented functions may use regions of the stack with stale poison,
      resulting in (spurious) KASAN splats to the console.
      
      Contemporary GCCs always add stack shadow poisoning when ASAN is
      enabled, even when asked to not instrument a function [1], so we can't
      simply annotate functions on the critical path to avoid poisoning.
      
      Instead, this series explicitly removes any stale poison before it can
      be hit.  In the common hotplug case we clear the entire stack shadow in
      common code, before a CPU is brought online.
      
      On architectures which perform a cold return as part of cpu idle may
      retain an architecture-specific amount of stack contents.  To retain the
      poison for this retained context, the arch code must call the core KASAN
      code, passing a "watermark" stack pointer value beyond which shadow will
      be cleared.  Architectures which don't perform a cold return as part of
      idle do not need any additional code.
      
      This patch (of 3):
      
      Functions which the compiler has instrumented for KASAN place poison on
      the stack shadow upon entry and remove this poision prior to returning.
      
      In some cases (e.g.  hotplug and idle), CPUs may exit the kernel a number
      of levels deep in C code.  If there are any instrumented functions on this
      critical path, these will leave portions of the stack shadow poisoned.
      
      If a CPU returns to the kernel via a different path (e.g.  a cold entry),
      then depending on stack frame layout subsequent calls to instrumented
      functions may use regions of the stack with stale poison, resulting in
      (spurious) KASAN splats to the console.
      
      To avoid this, we must clear stale poison from the stack prior to
      instrumented functions being called.  This patch adds functions to the
      KASAN core for removing poison from (portions of) a task's stack.  These
      will be used by subsequent patches to avoid problems with hotplug and
      idle.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Reviewed-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e3ae1163
    • Dan Williams's avatar
      mm: fix mixed zone detection in devm_memremap_pages · 5f29a77c
      Dan Williams authored
      The check for whether we overlap "System RAM" needs to be done at
      section granularity.  For example a system with the following mapping:
      
          100000000-37bffffff : System RAM
          37c000000-837ffffff : Persistent Memory
      
      ...is unable to use devm_memremap_pages() as it would result in two
      zones colliding within a given section.
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
      Reviewed-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5f29a77c
    • Dan Williams's avatar
      list: kill list_force_poison() · d77a117e
      Dan Williams authored
      Given we have uninitialized list_heads being passed to list_add() it
      will always be the case that those uninitialized values randomly trigger
      the poison value.  Especially since a list_add() operation will seed the
      stack with the poison value for later stack allocations to trip over.
      
      For example, see these two false positive reports:
      
        list_add attempted on force-poisoned entry
        WARNING: at lib/list_debug.c:34
        [..]
        NIP [c00000000043c390] __list_add+0xb0/0x150
        LR [c00000000043c38c] __list_add+0xac/0x150
        Call Trace:
          __list_add+0xac/0x150 (unreliable)
          __down+0x4c/0xf8
          down+0x68/0x70
          xfs_buf_lock+0x4c/0x150 [xfs]
      
        list_add attempted on force-poisoned entry(0000000000000500),
         new->next == d0000000059ecdb0, new->prev == 0000000000000500
        WARNING: at lib/list_debug.c:33
        [..]
        NIP [c00000000042db78] __list_add+0xa8/0x140
        LR [c00000000042db74] __list_add+0xa4/0x140
        Call Trace:
          __list_add+0xa4/0x140 (unreliable)
          rwsem_down_read_failed+0x6c/0x1a0
          down_read+0x58/0x60
          xfs_log_commit_cil+0x7c/0x600 [xfs]
      
      Fixes: commit 5c2c2587 ("mm, dax, pmem: introduce {get|put}_dev_pagemap() for dax-gup")
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Reported-by: default avatarEryu Guan <eguan@redhat.com>
      Tested-by: default avatarEryu Guan <eguan@redhat.com>
      Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d77a117e
    • Hugh Dickins's avatar
      mm: __delete_from_page_cache show Bad page if mapped · 06b241f3
      Hugh Dickins authored
      Commit e1534ae9 ("mm: differentiate page_mapped() from
      page_mapcount() for compound pages") changed the famous
      BUG_ON(page_mapped(page)) in __delete_from_page_cache() to
      VM_BUG_ON_PAGE(page_mapped(page)): which gives us more info when
      CONFIG_DEBUG_VM=y, but nothing at all when not.
      
      Although it has not usually been very helpul, being hit long after the
      error in question, we do need to know if it actually happens on users'
      systems; but reinstating a crash there is likely to be opposed :)
      
      In the non-debug case, pr_alert("BUG: Bad page cache") plus dump_page(),
      dump_stack(), add_taint() - I don't really believe LOCKDEP_NOW_UNRELIABLE,
      but that seems to be the standard procedure now.  Move that, or the
      VM_BUG_ON_PAGE(), up before the deletion from tree: so that the
      unNULLified page->mapping gives a little more information.
      
      If the inode is being evicted (rather than truncated), it won't have any
      vmas left, so it's safe(ish) to assume that the raised mapcount is
      erroneous, and we can discount it from page_count to avoid leaking the
      page (I'm less worried by leaking the occasional 4kB, than losing a
      potential 2MB page with each 4kB page leaked).
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      06b241f3
    • Geoffrey Thomas's avatar
      mm/hugetlb: hugetlb_no_page: rate-limit warning message · 910154d5
      Geoffrey Thomas authored
      The warning message "killed due to inadequate hugepage pool" simply
      indicates that SIGBUS was sent, not that the process was forcibly killed.
      If the process has a signal handler installed does not fix the problem,
      this message can rapidly spam the kernel log.
      
      On my amd64 dev machine that does not have hugepages configured, I can
      reproduce the repeated warnings easily by setting vm.nr_hugepages=2 (i.e.,
      4 megabytes of huge pages) and running something that sets a signal
      handler and forks, like
      
        #include <sys/mman.h>
        #include <signal.h>
        #include <stdlib.h>
        #include <unistd.h>
      
        sig_atomic_t counter = 10;
        void handler(int signal)
        {
            if (counter-- == 0)
               exit(0);
        }
      
        int main(void)
        {
            int status;
            char *addr = mmap(NULL, 4 * 1048576, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);
            if (addr == MAP_FAILED) {perror("mmap"); return 1;}
            *addr = 'x';
            switch (fork()) {
               case -1:
                  perror("fork"); return 1;
               case 0:
                  signal(SIGBUS, handler);
                  *addr = 'x';
                  break;
               default:
                  *addr = 'x';
                  wait(&status);
                  if (WIFSIGNALED(status)) {
                     psignal(WTERMSIG(status), "child");
                  }
                  break;
            }
        }
      Signed-off-by: default avatarGeoffrey Thomas <geofft@ldpreload.com>
      Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      910154d5
  2. 08 Mar, 2016 2 commits
    • Linus Torvalds's avatar
      Merge tag 'sound-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7f02bf6b
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "It's always an ambivalent feeling to send a large pull request at the
        late stage like this, especially when most of patches came from me.
        Anyway, this is a collection of lots of small fixes that slipped from
        the previous pull request.
      
        All fixes are about ASoC, and the majority of changes are corrections
        of the wrong access types in ALSA ctl enum items.  They are mostly
        harmless on 32bit architectures, but actually buggy on 64bit.  So we
        addressed all these now in a shot.  The rest are various small ASoC
        driver fixes.
      
        Among them, only two changes have been done to ASoC core, and both of
        them are trivial.  The rest are all device-specific.  So overall, they
        should be safe to apply"
      
      * tag 'sound-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (33 commits)
        ASoC: wm_adsp: Fix enum ctl accesses in a wrong type
        ASoC: wm9081: Fix enum ctl accesses in a wrong type
        ASoC: wm8996: Fix enum ctl accesses in a wrong type
        ASoC: wm8994: Fix enum ctl accesses in a wrong type
        ASoC: wm8985: Fix enum ctl accesses in a wrong type
        ASoC: wm8983: Fix enum ctl accesses in a wrong type
        ASoC: wm8958: Fix enum ctl accesses in a wrong type
        ASoC: wm8904: Fix enum ctl accesses in a wrong type
        ASoC: wm8753: Fix enum ctl accesses in a wrong type
        ASoC: wl1273: Fix enum ctl accesses in a wrong type
        ASoC: tlv320dac33: Fix enum ctl accesses in a wrong type
        ASoC: max98095: Fix enum ctl accesses in a wrong type
        ASoC: max98088: Fix enum ctl accesses in a wrong type
        ASoC: ab8500: Fix enum ctl accesses in a wrong type
        ASoC: da732x: Fix enum ctl accesses in a wrong type
        ASoC: cs42l51: Fix enum ctl accesses in a wrong type
        ASoC: intel: mfld: Fix enum ctl accesses in a wrong type
        ASoC: omap: rx51: Fix enum ctl accesses in a wrong type
        ASoC: omap: n810: Fix enum ctl accesses in a wrong type
        ASoC: pxa: tosa: Fix enum ctl accesses in a wrong type
        ...
      7f02bf6b
    • Linus Torvalds's avatar
      Merge tag 'edac_fix_for_4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp · 1e2a4c7a
      Linus Torvalds authored
      Pull EDAC fix from Borislav Petkov:
       "Last minute fix for sb_edac which fixes DIMM detection on certain Xeon
        Phi configurations:
      
        A single fix to the Xeon Phi section of sb_edac.  The issue was
        introduced during this merge window"
      
      * tag 'edac_fix_for_4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
        EDAC, sb_edac: Fix logic when computing DIMM sizes on Xeon Phi
      1e2a4c7a
  3. 07 Mar, 2016 28 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e2857b8f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix ordering of WEXT netlink messages so we don't see a newlink
          after a dellink, from Johannes Berg.
      
       2) Out of bounds access in minstrel_ht_set_best_prob_rage, from
          Konstantin Khlebnikov.
      
       3) Paging buffer memory leak in iwlwifi, from Matti Gottlieb.
      
       4) Wrong units used to set initial TCP rto from cached metrics, also
          from Konstantin Khlebnikov.
      
       5) Fix stale IP options data in the SKB control block from leaking
          through layers of encapsulation, from Bernie Harris.
      
       6) Zero padding len miscalculated in bnxt_en, from Michael Chan.
      
       7) Only CHECKSUM_PARTIAL packets should be passed down through GSO, fix
          from Hannes Frederic Sowa.
      
       8) Fix suspend/resume with JME networking devices, from Diego Violat
          and Guo-Fu Tseng.
      
       9) Checksums not validated properly in bridge multicast support due to
          the placement of the SKB header pointers at the time of the check,
          fix from Álvaro Fernández Rojas.
      
      10) Fix hang/tiemout with r8169 if a stats fetch is done while the
          device is runtime suspended.  From Chun-Hao Lin.
      
      11) The forwarding database netlink dump facilities don't track the
          state of the dump properly, resulting in skipped/missed entries.
          From Minoura Makoto.
      
      12) Fix regression from a recent 3c59x bug fix, from Neil Horman.
      
      13) Fix list corruption in bna driver, from Ivan Vecera.
      
      14) Big endian machines crash on vlan add in bnx2x, fix from Michal
          Schmidt.
      
      15) Ethtool RSS configuration not propagated properly in mlx5 driver,
          from Tariq Toukan.
      
      16) Fix regression in PHY probing in stmmac driver, from Gabriel
          Fernandez.
      
      17) Fix SKB tailroom calculation in igmp/mld code, from Benjamin
          Poirier.
      
      18) A past change to skip empty routing headers in ipv6 extention header
          parsing accidently caused fragment headers to not be matched any
          longer.  Fix from Florian Westphal.
      
      19) eTSEC-106 erratum needs to be applied to more gianfar chips, from
          Atsushi Nemoto.
      
      20) Fix netdev reference after free via workqueues in usb networking
          drivers, from Oliver Neukum and Bjørn Mork.
      
      21) mdio->irq is now an array rather than a pointer to dynamic memory,
          but several drivers were still trying to free it :-/ Fixes from
          Colin Ian King.
      
      22) act_ipt iptables action forgets to set the family field, thus LOG
          netfilter targets don't work with it.  Fix from Phil Sutter.
      
      23) SKB leak in ibmveth when skb_linearize() fails, from Thomas Falcon.
      
      24) pskb_may_pull() cannot be called with interrupts disabled, fix code
          that tries to do this in vmxnet3 driver, from Neil Horman.
      
      25) be2net driver leaks iomap'd memory on removal, fix from Douglas
          Miller.
      
      26) Forgotton RTNL mutex unlock in ppp_create_interface() error paths,
          from Guillaume Nault.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (97 commits)
        ppp: release rtnl mutex when interface creation fails
        cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
        tcp: fix tcpi_segs_in after connection establishment
        net: hns: fix the bug about loopback
        jme: Fix device PM wakeup API usage
        jme: Do not enable NIC WoL functions on S0
        udp6: fix UDP/IPv6 encap resubmit path
        be2net: Don't leak iomapped memory on removal.
        vmxnet3: avoid calling pskb_may_pull with interrupts disabled
        net: ethernet: Add missing MFD_SYSCON dependency on HAS_IOMEM
        ibmveth: check return of skb_linearize in ibmveth_start_xmit
        cdc_ncm: toggle altsetting to force reset before setup
        usbnet: cleanup after bind() in probe()
        mlxsw: pci: Correctly determine if descriptor queue is full
        mlxsw: spectrum: Always decrement bridge's ref count
        tipc: fix nullptr crash during subscription cancel
        net: eth: altera: do not free array priv->mdio->irq
        net/ethoc: do not free array priv->mdio->irq
        net: sched: fix act_ipt for LOG target
        asix: do not free array priv->mdio->irq
        ...
      e2857b8f
    • Linus Torvalds's avatar
      Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · 01ffa3df
      Linus Torvalds authored
      Pull overlayfs fixes from Miklos Szeredi:
       "Overlayfs bug fixes.  All marked as -stable material"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: copy new uid/gid into overlayfs runtime inode
        ovl: ignore lower entries when checking purity of non-directory entries
        ovl: fix getcwd() failure after unsuccessful rmdir
        ovl: fix working on distributed fs as lower layer
      01ffa3df
    • Linus Torvalds's avatar
      Revert "drm/radeon: call hpd_irq_event on resume" · 256faedc
      Linus Torvalds authored
      This reverts commit dbb17a21.
      
      It turns out that commit can cause problems for systems with multiple
      GPUs, and causes X to hang on at least a HP Pavilion dv7 with hybrid
      graphics.
      
      This got noticed originally in 4.4.4, where this patch had already
      gotten back-ported, but 4.5-rc7 was verified to have the same problem.
      
      Alexander Deucher says:
       "It looks like you have a muxed system so I suspect what's happening is
        that one of the display is being reported as connected for both the
        IGP and the dGPU and then the desktop environment gets confused or
        there some sort problem in the detect functions since the mux is not
        switched to the dGPU.  I don't see an easy fix unless Dave has any
        ideas.  I'd say just revert for now"
      Reported-by: default avatarJörg-Volker Peetz <jvpeetz@web.de>
      Acked-by: default avatarAlexander Deucher <Alexander.Deucher@amd.com>
      Cc: Dave Airlie <airlied@gmail.com>
      Cc: stable@kernel.org  # wherever dbb17a21 got back-ported
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      256faedc
    • Guillaume Nault's avatar
      ppp: release rtnl mutex when interface creation fails · 6faac63a
      Guillaume Nault authored
      Add missing rtnl_unlock() in the error path of ppp_create_interface().
      
      Fixes: 58a89eca ("ppp: fix lockdep splat in ppp_dev_uninit()")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6faac63a
    • Bjørn Mork's avatar
      cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind · 4d06dd53
      Bjørn Mork authored
      usbnet_link_change will call schedule_work and should be
      avoided if bind is failing. Otherwise we will end up with
      scheduled work referring to a netdev which has gone away.
      
      Instead of making the call conditional, we can just defer
      it to usbnet_probe, using the driver_info flag made for
      this purpose.
      
      Fixes: 8a34b0ae ("usbnet: cdc_ncm: apply usbnet_link_change")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@gmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4d06dd53
    • Eric Dumazet's avatar
      tcp: fix tcpi_segs_in after connection establishment · a9d99ce2
      Eric Dumazet authored
      If final packet (ACK) of 3WHS is lost, it appears we do not properly
      account the following incoming segment into tcpi_segs_in
      
      While we are at it, starts segs_in with one, to count the SYN packet.
      
      We do not yet count number of SYN we received for a request sock, we
      might add this someday.
      
      packetdrill script showing proper behavior after fix :
      
      // Tests tcpi_segs_in when 3rd packet (ACK) of 3WHS is lost
      0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
         +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
         +0 bind(3, ..., ...) = 0
         +0 listen(3, 1) = 0
      
         +0 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop>
         +0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK>
      +.020 < P. 1:1001(1000) ack 1 win 32792
      
         +0 accept(3, ..., ...) = 4
      
      +.000 %{ assert tcpi_segs_in == 2, 'tcpi_segs_in=%d' % tcpi_segs_in }%
      
      Fixes: 2efd055c ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a9d99ce2
    • yankejian's avatar
      net: hns: fix the bug about loopback · 68c222a6
      yankejian authored
      It will always be passed if the soc is tested the loopback cases. This
      patch will fix this bug.
      Signed-off-by: default avatarKejian Yan <yankejian@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68c222a6
    • Guo-Fu Tseng's avatar
      jme: Fix device PM wakeup API usage · 81422e67
      Guo-Fu Tseng authored
      According to Documentation/power/devices.txt
      
      The driver should not use device_set_wakeup_enable() which is the policy
      for user to decide.
      
      Using device_init_wakeup() to initialize dev->power.should_wakeup and
      dev->power.can_wakeup on driver initialization.
      
      And use device_may_wakeup() on suspend to decide if WoL function should
      be enabled on NIC.
      Reported-by: default avatarDiego Viola <diego.viola@gmail.com>
      Signed-off-by: default avatarGuo-Fu Tseng <cooldavid@cooldavid.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81422e67
    • Guo-Fu Tseng's avatar
      jme: Do not enable NIC WoL functions on S0 · 0772a99b
      Guo-Fu Tseng authored
      Otherwise it might be back on resume right after going to suspend in
      some hardware.
      Reported-by: default avatarDiego Viola <diego.viola@gmail.com>
      Signed-off-by: default avatarGuo-Fu Tseng <cooldavid@cooldavid.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0772a99b
    • Bill Sommerfeld's avatar
      udp6: fix UDP/IPv6 encap resubmit path · 59dca1d8
      Bill Sommerfeld authored
      IPv4 interprets a negative return value from a protocol handler as a
      request to redispatch to a new protocol.  In contrast, IPv6 interprets a
      negative value as an error, and interprets a positive value as a request
      for redispatch.
      
      UDP for IPv6 was unaware of this difference.  Change __udp6_lib_rcv() to
      return a positive value for redispatch.  Note that the socket's
      encap_rcv hook still needs to return a negative value to request
      dispatch, and in the case of IPv6 packets, adjust IP6CB(skb)->nhoff to
      identify the byte containing the next protocol.
      Signed-off-by: default avatarBill Sommerfeld <wsommerfeld@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59dca1d8
    • Douglas Miller's avatar
      be2net: Don't leak iomapped memory on removal. · a69bf3c5
      Douglas Miller authored
      The adapter->pcicfg resource is either mapped via pci_iomap() or
      derived from adapter->db. During be_remove() this resource was ignored
      and so could remain mapped after remove.
      
      Add a flag to track whether adapter->pcicfg was mapped or not, then
      use that flag in be_unmap_pci_bars() to unmap if required.
      
      Fixes: 25848c90 ("use PCI MMIO read instead of config read for errors")
      Signed-off-by: default avatarDouglas Miller <dougmill@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a69bf3c5
    • Neil Horman's avatar
      vmxnet3: avoid calling pskb_may_pull with interrupts disabled · cec05562
      Neil Horman authored
      vmxnet3 has a function vmxnet3_parse_and_copy_hdr which, among other operations,
      uses pskb_may_pull to linearize the header portion of an skb.  That operation
      eventually uses local_bh_disable/enable to ensure that it doesn't race with the
      drivers bottom half handler.  Unfortunately, vmxnet3 preforms this
      parse_and_copy operation with a spinlock held and interrupts disabled.  This
      causes us to run afoul of the WARN_ON_ONCE(irqs_disabled()) warning in
      local_bh_enable, resulting in this:
      
      WARNING: at kernel/softirq.c:159 local_bh_enable+0x59/0x90() (Not tainted)
      Hardware name: VMware Virtual Platform
      Modules linked in: ipv6 ppdev parport_pc parport microcode e1000 vmware_balloon
      vmxnet3 i2c_piix4 sg ext4 jbd2 mbcache sd_mod crc_t10dif sr_mod cdrom mptspi
      mptscsih mptbase scsi_transport_spi pata_acpi ata_generic ata_piix vmwgfx ttm
      drm_kms_helper drm i2c_core dm_mirror dm_region_hash dm_log dm_mod [last
      unloaded: mperf]
      Pid: 6229, comm: sshd Not tainted 2.6.32-616.el6.i686 #1
      Call Trace:
       [<c04624d9>] ? warn_slowpath_common+0x89/0xe0
       [<c0469e99>] ? local_bh_enable+0x59/0x90
       [<c046254b>] ? warn_slowpath_null+0x1b/0x20
       [<c0469e99>] ? local_bh_enable+0x59/0x90
       [<c07bb936>] ? skb_copy_bits+0x126/0x210
       [<f8d1d9fe>] ? ext4_ext_find_extent+0x24e/0x2d0 [ext4]
       [<c07bc49e>] ? __pskb_pull_tail+0x6e/0x2b0
       [<f95a6164>] ? vmxnet3_xmit_frame+0xba4/0xef0 [vmxnet3]
       [<c05d15a6>] ? selinux_ip_postroute+0x56/0x320
       [<c0615988>] ? cfq_add_rq_rb+0x98/0x110
       [<c0852df8>] ? packet_rcv+0x48/0x350
       [<c07c5839>] ? dev_queue_xmit_nit+0xc9/0x140
      ...
      
      Fix it by splitting vmxnet3_parse_and_copy_hdr into two functions:
      
      vmxnet3_parse_hdr, which sets up the internal/on stack ctx datastructure, and
      pulls the skb (both of which can be done without holding the spinlock with irqs
      disabled
      
      and
      
      vmxnet3_copy_header, which just copies the skb to the tx ring under the lock
      safely.
      
      tested and shown to correct the described problem.  Applies cleanly to the head
      of the net tree
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      CC: Shrikrishna Khare <skhare@vmware.com>
      CC: "VMware, Inc." <pv-drivers@vmware.com>
      CC: "David S. Miller" <davem@davemloft.net>
      Acked-by: default avatarShrikrishna Khare <skhare@vmware.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cec05562
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2016-03-04' of... · 7024b68e
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2016-03-04' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.5
      
      iwlwifi
      
      * free firmware paging memory when the module is unloaded or device removed
      * fix pending frames counter to fix an issue when removing stations
      
      ssb
      
      * fix a build problem related to ssb_fill_sprom_with_fallback()
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7024b68e
    • Krzysztof Kozlowski's avatar
      net: ethernet: Add missing MFD_SYSCON dependency on HAS_IOMEM · 979d804e
      Krzysztof Kozlowski authored
      The MFD_SYSCON depends on HAS_IOMEM so when selecting it avoid unmet
      direct dependencies.
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      979d804e
    • Thomas Falcon's avatar
      ibmveth: check return of skb_linearize in ibmveth_start_xmit · 2c42bf4b
      Thomas Falcon authored
      If skb_linearize fails, the driver should drop the packet
      instead of trying to copy it into the bounce buffer.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c42bf4b
    • Bjørn Mork's avatar
      cdc_ncm: toggle altsetting to force reset before setup · 48906f62
      Bjørn Mork authored
      Some devices will silently fail setup unless they are reset first.
      This is necessary even if the data interface is already in
      altsetting 0, which it will be when the device is probed for the
      first time.  Briefly toggling the altsetting forces a function
      reset regardless of the initial state.
      
      This fixes a setup problem observed on a number of Huawei devices,
      appearing to operate in NTB-32 mode even if we explicitly set them
      to NTB-16 mode.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      48906f62
    • Hubert Chrzaniuk's avatar
      EDAC, sb_edac: Fix logic when computing DIMM sizes on Xeon Phi · 83bdaad4
      Hubert Chrzaniuk authored
      Correct a typo introduced by
      
        d0cdf900 ("EDAC, sb_edac: Add Knights Landing (Xeon Phi gen 2) support")
      
      As a result under some configurations DIMMs were not correctly
      recognized. Problem affects only Xeon Phi architecture.
      Signed-off-by: default avatarHubert Chrzaniuk <hubert.chrzaniuk@intel.com>
      Acked-by: default avatarAristeu Rozanski <aris@redhat.com>
      Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: lukasz.anaczkowski@intel.com
      Link: http://lkml.kernel.org/r/1457361045-26221-1-git-send-email-hubert.chrzaniuk@intel.comSigned-off-by: default avatarBorislav Petkov <bp@suse.de>
      83bdaad4
    • Oliver Neukum's avatar
      usbnet: cleanup after bind() in probe() · 1666984c
      Oliver Neukum authored
      In case bind() works, but a later error forces bailing
      in probe() in error cases work and a timer may be scheduled.
      They must be killed. This fixes an error case related to
      the double free reported in
      http://www.spinics.net/lists/netdev/msg367669.html
      and needs to go on top of Linus' fix to cdc-ncm.
      Signed-off-by: default avatarOliver Neukum <ONeukum@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1666984c
    • David S. Miller's avatar
      Merge branch 'mlxsw-fixes' · a383b7f0
      David S. Miller authored
      Jiri Pirko says:
      
      ====================
      mlxsw: couple of fixes
      
      Couple of fixes from Ido.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a383b7f0
    • Ido Schimmel's avatar
      mlxsw: pci: Correctly determine if descriptor queue is full · 5091730d
      Ido Schimmel authored
      The descriptor queues for sending (SDQs) and receiving (RDQs) packets
      are managed by two counters - producer and consumer - which are both
      16-bit in size. A queue is considered full when the difference between
      the two equals the queue's maximum number of descriptors.
      
      However, if the producer counter overflows, then it's possible for the
      full queue check to fail, as it doesn't take the overflow into account.
      In such a case, descriptors already passed to the device - but for which
      a completion has yet to be posted - will be overwritten, thereby causing
      undefined behavior. The above can be achieved under heavy load (~30
      netperf instances).
      
      Fix that by casting the subtraction result to u16, preventing it from
      being treated as a signed integer.
      
      Fixes: eda6500a ("mlxsw: Add PCI bus implementation")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5091730d
    • Ido Schimmel's avatar
      mlxsw: spectrum: Always decrement bridge's ref count · 912b1c89
      Ido Schimmel authored
      Since we only support one VLAN filtering bridge we need to associate a
      reference count with it, so that when the last port netdev leaves it, we
      would know that a different bridge can be offloaded to hardware.
      
      When a LAG device is memeber in a bridge and port netdevs are leaving
      the LAG, we should always decrement the bridge's reference count, as it's
      incremented for any port in the LAG.
      
      Fixes: 4dc236c3 ("mlxsw: spectrum: Handle port leaving LAG while bridged")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      912b1c89
    • Takashi Iwai's avatar
      Merge tag 'asoc-fix-v4.5-rc6' of... · ad09ef2c
      Takashi Iwai authored
      Merge tag 'asoc-fix-v4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v4.5
      
      This is far too big a set of fixes for this late in the release cycle
      but the overwhelming bulk is essentially the same simple fix from
      Takashi for a cut'n'pasted 64 bit cleanliness issue in the userspace
      interface where drivers were accessing things using the wrong element in
      a union which worked OK on 32 bit platforms as the correct element
      happened to be aligned the same way but with 64 bit platforms ABIs are
      different and the two members of the union are laid out in different
      places.  They aren't all tagged to stable since some of these chips have
      vanishingly little chance of being used in 64 bit systems.
      
      The other changes are:
       - A fix for Qualcomm devices to work on big endian systems.  The
         original change is actually correct but triggered a bug in regmap
         which is too invasive to fix for this cycle and can be worked around
         by just letting regmap pick the default.
       - A fix for the Samsung I2S driver locking which wasn't using IRQ safe
         spinlocks when it needed to.
       - A fix for the new Intel Sky Lake driver forgetting that C pointer
         arithmetic takes the type of the pointer into consideration.
       - A revert of a change to the FSL SSI driver that broke some systems.
       - A fix for the cleanup path of the wm9713 driver.
       - A fix for some incorrect register definitions in the ADAU17x1 driver
         that caused misclocking in some configurations.
       - A fix for the tracepoints for jack detection to avoid using an
         internal field of the core jack structure which is no longer present
         in all configurations.
       - A fix for another of the new Intel drivers which tried to write to a
         string literal.
      ad09ef2c
    • Parthasarathy Bhuvaragan's avatar
      tipc: fix nullptr crash during subscription cancel · 4de13d7e
      Parthasarathy Bhuvaragan authored
      commit 4d5cfcba ('tipc: fix connection abort during subscription
      cancel'), removes the check for a valid subscription before calling
      tipc_nametbl_subscribe().
      
      This will lead to a nullptr exception when we process a
      subscription cancel request. For a cancel request, a null
      subscription is passed to tipc_nametbl_subscribe() resulting
      in exception.
      
      In this commit, we call tipc_nametbl_subscribe() only for
      a valid subscription.
      
      Fixes: 4d5cfcba ('tipc: fix connection abort during subscription cancel')
      Reported-by: default avatarAnders Widell <anders.widell@ericsson.com>
      Signed-off-by: default avatarParthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4de13d7e
    • Colin Ian King's avatar
      net: eth: altera: do not free array priv->mdio->irq · 11f7f79b
      Colin Ian King authored
      priv->mdio->irq used to be allocated and required freeing, but it
      is now a fixed sized array and should no longer be free'd.
      
      Issue detected using static analysis with CoverityScan
      
      Fixes: e7f4dc35 ("mdio: Move allocation of interrupts into core")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      11f7f79b
    • Colin Ian King's avatar
      net/ethoc: do not free array priv->mdio->irq · 57a0f367
      Colin Ian King authored
      priv->mdio->irq used to be allocated and required freeing, but it
      is now a fixed sized array and should no longer be free'd.
      
      Issue detected using static analysis with CoverityScan
      
      Fixes: e7f4dc35 ("mdio: Move allocation of interrupts into core")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarTobias Klauser <tklauser@distanz.ch>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      57a0f367
    • Phil Sutter's avatar
      net: sched: fix act_ipt for LOG target · 44ef548f
      Phil Sutter authored
      Before calling the destroy() or target() callbacks, the family parameter
      field has to be initialized. Otherwise at least the LOG target will
      refuse to work and upon removal oops the kernel.
      
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44ef548f
    • Colin Ian King's avatar
      asix: do not free array priv->mdio->irq · eb1f4202
      Colin Ian King authored
      Used to be allocated and required freeing, but now
      priv->mdio->irq is now a fixed sized array and should no longer be
      free'd.
      
      Issue detected using static analysis with CoverityScan
      
      Fixes: e7f4dc35 ("mdio: Move allocation of interrupts into core")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb1f4202
    • Atsushi Nemoto's avatar
      gianfar: Enable eTSEC-106 erratum w/a for MPC8548E Rev2 · 7bfc6082
      Atsushi Nemoto authored
      Enable workaround for MPC8548E erratum eTSEC 106,
      "Excess delays when transmitting TOE=1 large frames".
      (see commit 53fad773 "gianfar: Enable eTSEC-20 erratum w/a
      for P2020 Rev1")
      
      This erratum was fixed in Rev 3.1.x.
      Signed-off-by: default avatarAtsushi Nemoto <nemoto@toshiba-tops.co.jp>
      Acked-by: default avatarClaudiu Manoil <claudiu.manoil@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7bfc6082
  4. 06 Mar, 2016 5 commits