1. 01 Apr, 2013 6 commits
    • Anatol Pomozov's avatar
      loop: prevent bdev freeing while device in use · c1681bf8
      Anatol Pomozov authored
      struct block_device lifecycle is defined by its inode (see fs/block_dev.c) -
      block_device allocated first time we access /dev/loopXX and deallocated on
      bdev_destroy_inode. When we create the device "losetup /dev/loopXX afile"
      we want that block_device stay alive until we destroy the loop device
      with "losetup -d".
      
      But because we do not hold /dev/loopXX inode its counter goes 0, and
      inode/bdev can be destroyed at any moment. Usually it happens at memory
      pressure or when user drops inode cache (like in the test below). When later in
      loop_clr_fd() we want to use bdev we have use-after-free error with following
      stack:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000280
        bd_set_size+0x10/0xa0
        loop_clr_fd+0x1f8/0x420 [loop]
        lo_ioctl+0x200/0x7e0 [loop]
        lo_compat_ioctl+0x47/0xe0 [loop]
        compat_blkdev_ioctl+0x341/0x1290
        do_filp_open+0x42/0xa0
        compat_sys_ioctl+0xc1/0xf20
        do_sys_open+0x16e/0x1d0
        sysenter_dispatch+0x7/0x1a
      
      To prevent use-after-free we need to grab the device in loop_set_fd()
      and put it later in loop_clr_fd().
      
      The issue is reprodusible on current Linus head and v3.3. Here is the test:
      
        dd if=/dev/zero of=loop.file bs=1M count=1
        while [ true ]; do
          losetup /dev/loop0 loop.file
          echo 2 > /proc/sys/vm/drop_caches
          losetup -d /dev/loop0
        done
      
      [ Doing bdgrab/bput in loop_set_fd/loop_clr_fd is safe, because every
        time we call loop_set_fd() we check that loop_device->lo_state is
        Lo_unbound and set it to Lo_bound If somebody will try to set_fd again
        it will get EBUSY.  And if we try to loop_clr_fd() on unbound loop
        device we'll get ENXIO.
      
        loop_set_fd/loop_clr_fd (and any other loop ioctl) is called under
        loop_device->lo_ctl_mutex. ]
      Signed-off-by: default avatarAnatol Pomozov <anatol.pomozov@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c1681bf8
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux · aae92db9
      Linus Torvalds authored
      Pull tegra clock driver fix from Mike Turquette:
       "Missing base address in Tegra clock driver results in non-operational
        PCIe.  On some devices this means that Ethernet will go uninitialized
        and other devices will fail.  This pull request fixes it with a single
        patch to pass the proper base address in the Tegra clock driver."
      
      * tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux:
        clk: tegra: Allow PLLE training to succeed
      aae92db9
    • Linus Torvalds's avatar
      Merge tag 'for-3.9-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe · dc543f9e
      Linus Torvalds authored
      Pull FCoE fixes from Robert Love:
       "Critical patches to fix FCoE VN2VN mode with new interfaces targeting
        3.9-rc"
      
      * tag 'for-3.9-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe:
        libfcoe: Fix fcoe_sysfs VN2VN mode
        libfc, fcoe, bnx2fc: Split fc_disc_init into fc_disc_{init, config}
        libfc, fcoe, bnx2fc: Always use fcoe_disc_init for discovery layer initialization
        fcoe: Fix deadlock between create and destroy paths
        bnx2fc: Make the fcoe_cltr the SCSI host parent
      dc543f9e
    • Thierry Reding's avatar
      clk: tegra: Allow PLLE training to succeed · 0f1bc12e
      Thierry Reding authored
      Under some circumstances the PLLE needs to be retrained, in which case
      access to the PMC registers is required. Fix this by passing a pointer
      to the PMC registers instead of NULL when registering the PLLE clock.
      Signed-off-by: default avatarThierry Reding <thierry.reding@avionic-design.de>
      Acked-By: default avatarPeter De Schrijver <pdeschrijver@nvidia.com>
      Signed-off-by: default avatarMike Turquette <mturquette@linaro.org>
      0f1bc12e
    • Linus Torvalds's avatar
      Merge branch 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile · 3658f360
      Linus Torvalds authored
      Pull arch/tile fix from Chris Metcalf:
       "This change allows newer Tilera boot tools to work correctly with
        current (and stable) kernels by using the right filename to get the
        initramfs from the Tilera hypervisor filesystem."
      
      * 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
        tile: expect new initramfs name from hypervisor file system
      3658f360
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ff3421de
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) sadb_msg prepared for IPSEC userspace forgets to initialize the
          satype field, fix from Nicolas Dichtel.
      
       2) Fix mac80211 synchronization during station removal, from Johannes
          Berg.
      
       3) Fix IPSEC sequence number notifications when they wrap, from Steffen
          Klassert.
      
       4) Fix cfg80211 wdev tracing crashes when add_virtual_intf() returns an
          error pointer, from Johannes Berg.
      
       5) In mac80211, don't call into the channel context code with the
          interface list mutex held.  From Johannes Berg.
      
       6) In mac80211, if we don't actually associate, do not restart the STA
          timer, otherwise we can crash.  From Ben Greear.
      
       7) Missing dma_mapping_error() check in e1000, ixgb, and e1000e.  From
          Christoph Paasch.
      
       8) Fix sja1000 driver defines to not conflict with SH port, from Marc
          Kleine-Budde.
      
       9) Don't call il4965_rs_use_green with a NULL station, from Colin Ian
          King.
      
      10) Suspend/Resume in the FEC driver fail because the buffer descriptors
          are not initialized at all the moments in which they should.  Fix
          from Frank Li.
      
      11) cpsw and davinci_emac drivers both use the wrong interface to
          restart a stopped TX queue.  Use netif_wake_queue not
          netif_start_queue, the latter is for initialization/bringup not
          active management of the queue.  From Mugunthan V N.
      
      12) Fix regression in rate calculations done by
          psched_ratecfg_precompute(), missing u64 type promotion.  From
          Sergey Popovich.
      
      13) Fix length overflow in tg3 VPD parsing, from Kees Cook.
      
      14) AOE driver fails to allocate enough headroom, resulting in crashes.
          Fix from Eric Dumazet.
      
      15) RX overflow happens too quickly in sky2 driver because pause packet
          thresholds are not programmed correctly.  From Mirko Lindner.
      
      16) Bonding driver manages arp_interval and miimon settings incorrectly,
          disabling one unintentionally disables both.  Fix from Nikolay
          Aleksandrov.
      
      17) smsc75xx drivers don't program the RX mac properly for jumbo frames.
          Fix from Steve Glendinning.
      
      18) Fix off-by-one in Codel packet scheduler.  From Vijay Subramanian.
      
      19) Fix packet corruption in atl1c by disabling MSI support, from Hannes
          Frederic Sowa.
      
      20) netdev_rx_handler_unregister() needs a synchronize_net() to fix
          crashes in bonding driver unload stress tests.  From Eric Dumazet.
      
      21) rxlen field of ks8851 RX packet descriptors not interpreted
          correctly (it is 12 bits not 16 bits, so needs to be masked after
          shifting the 32-bit value down 16 bits).  Fix from Max Nekludov.
      
      22) Fix missed RX/TX enable in sh_eth driver due to mishandling of link
          change indications.  From Sergei Shtylyov.
      
      23) Fix crashes during spurious ECI interrupts in sh_eth driver, also
          from Sergei Shtylyov.
      
      24) dm9000 driver initialization is done wrong for revision B devices
          with DSP PHY, from Joseph CHANG.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (53 commits)
        DM9000B: driver initialization upgrade
        sh_eth: make 'link' field of 'struct sh_eth_private' *int*
        sh_eth: workaround for spurious ECI interrupt
        sh_eth: fix handling of no LINK signal
        ks8851: Fix interpretation of rxlen field.
        net: add a synchronize_net() in netdev_rx_handler_unregister()
        MAINTAINERS: Update netxen_nic maintainers list
        atl1e: drop pci-msi support because of packet corruption
        net: fq_codel: Fix off-by-one error
        net: calxedaxgmac: Wake-on-LAN fixes
        net: calxedaxgmac: fix rx ring handling when OOM
        net: core: Remove redundant call to 'nf_reset' in 'dev_forward_skb'
        smsc75xx: fix jumbo frame support
        net: fix the use of this_cpu_ptr
        bonding: fix disabling of arp_interval and miimon
        ipv6: don't accept node local multicast traffic from the wire
        sky2: Threshold for Pause Packet is set wrong
        sky2: Receive Overflows not counted
        aoe: reserve enough headroom on skbs
        line up comment for ndo_bridge_getlink
        ...
      ff3421de
  2. 31 Mar, 2013 9 commits
    • Joseph CHANG's avatar
      DM9000B: driver initialization upgrade · 6741f40d
      Joseph CHANG authored
      Fix bug for DM9000 revision B which contain a DSP PHY
      
      DM9000B use DSP PHY instead previouse DM9000 revisions' analog PHY,
      So need extra change in initialization, For
      explicity PHY Reset and PHY init parameter, and
      first DM9000_NCR reset need NCR_MAC_LBK bit by dm9000_probe().
      
      Following DM9000_NCR reset cause by dm9000_open() clear the
      NCR_MAC_LBK bit.
      
      Without this fix, Power-up FIFO pointers error happen around 2%
      rate among Davicom's customers' boards. With this fix, All above
      cases can be solved.
      Signed-off-by: default avatarJoseph CHANG <josright123@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6741f40d
    • Sergei Shtylyov's avatar
      sh_eth: make 'link' field of 'struct sh_eth_private' *int* · 3340d2aa
      Sergei Shtylyov authored
      The 'link' field of 'struct sh_eth_private' has type 'enum phy_state' while the
      'link' field of 'struct phy_device' is merely *int* (having values 0 and 1) and
      the former field gets assigned from the latter. Make the field match, getting
      rid of incorrectly used PHY_DOWN value in assignments/comparisons.
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3340d2aa
    • Sergei Shtylyov's avatar
      sh_eth: workaround for spurious ECI interrupt · 3893b273
      Sergei Shtylyov authored
      At least on Renesas R8A7778, EESR.ECI interrupt seems to fire regardless of its
      mask in EESIPR register. I can 100% reproduce it with the following scenario:
      target is booted with 'ip=on' option, and so IP-Config opens SoC Ether device
      but doesn't get a proper reply and then succeeds with on-board SMC chip; then
      I login and try to bring up the SoC Ether device with 'ifconfig', and I get
      an ECI interrupt once request_irq() is called by sh_eth_open() (while interrupt
      mask in EESIPR register is all 0), if that interrupt is accompanied by a pending
      EESR.FRC (frame receive completion) interrupt, I get kernel oops in sh_eth_rx()
      because sh_eth_ring_init() hasn't been called yet!
      
      The solution I worked out is the following: in sh_eth_interrupt(), mask the
      interrupt status from EESR register with the interrupt mask from EESIPR register
      in order not to handle the disabled interrupts -- but forcing EESIPR.M_ECI bit
      in this mask set because we always need to fully handle EESR.ECI interrupt in
      sh_eth_error() in order to quench it (as it doesn't get cleared by just writing
      1 to the this bit as all the other interrupts).
      
      While at it, remove unneeded initializer for 'intr_status' variable and give it
      *unsigned long* type, matching the type of sh_eth_read()'s result; fix comment.
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: default avatarMax Filippov <max.filippov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3893b273
    • Sergei Shtylyov's avatar
      sh_eth: fix handling of no LINK signal · 1e1b812b
      Sergei Shtylyov authored
      The code handling the absent LINK signal (or the absent PSR register -- which
      reflects the state of this signal) is quite naive and has probably never really
      worked.  It's probably enough to say that this code is executed only on the LINK
      change interrupt (sic!) but even if we actually have the signal and choose to
      ignore it (it might be connected to PHY's link/activity LED output as on the
      Renesas BOCK-W board), sh_eth_adjust_link() on which this code relies to update
      'mdp->link' gets executed later than the LINK change interrupt where it is
      checked, and so RX/TX never get enabled via ECMR register.
      
      So, ignore the LINK changed interrupt iff LINK signal is absent (or just chosen
      not to be used) or PSR register is absent, and enable/disable RX/TX directly in
      sh_eth_adjust_link() in this case.
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e1b812b
    • Linus Torvalds's avatar
      Linux 3.9-rc5 · 07961ac7
      Linus Torvalds authored
      07961ac7
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma · 0bb44280
      Linus Torvalds authored
      Pull slave-dmaengine fixes from Vinod Koul:
       "Two fixes for slave-dmaengine.
      
        The first one is for making slave_id value correct for dw_dmac and
        the other one fixes the endieness in DT parsing"
      
      * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
        dw_dmac: adjust slave_id accordingly to request line base
        dmaengine: dw_dma: fix endianess for DT xlate function
      0bb44280
    • Linus Torvalds's avatar
      Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · a7b436d3
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "For a some fixes for Kernel 3.9:
         - subsystem build fix when VIDEO_DEV=y, VIDEO_V4L2=m and I2C=m
         - compilation fix for arm multiarch preventing IR_RX51 to be selected
         - regression fix at bttv crop logic
         - s5p-mfc/m5mols/exynos: a few fixes for cameras on exynos hardware"
      
      * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] [REGRESSION] bt8xx: Fix too large height in cropcap
        [media] fix compilation with both V4L2 and I2C as 'm'
        [media] m5mols: Fix bug in stream on handler
        [media] s5p-fimc: Do not attempt to disable not enabled media pipeline
        [media] s5p-mfc: Fix encoder control 15 issue
        [media] s5p-mfc: Fix frame skip bug
        [media] s5p-fimc: send valid m2m ctx to fimc_m2m_job_finish
        [media] exynos-gsc: send valid m2m ctx to gsc_m2m_job_finish
        [media] fimc-lite: Fix the variable type to avoid possible crash
        [media] fimc-lite: Initialize 'step' field in fimc_lite_ctrl structure
        [media] ir: IR_RX51 only works on OMAP2
      a7b436d3
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20130331' of git://git.kernel.dk/linux-block · d299c290
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Alright, this time from 10K up in the air.
      
        Collection of fixes that have been queued up since the merge window
        opened, hence postponed until later in the cycle.  The pull request
        contains:
      
         - A bunch of fixes for the xen blk front/back driver.
      
         - A round of fixes for the new IBM RamSan driver, fixing various
           nasty issues.
      
         - Fixes for multiple drives from Wei Yongjun, bad handling of return
           values and wrong pointer math.
      
         - A fix for loop properly killing partitions when being detached."
      
      * tag 'for-linus-20130331' of git://git.kernel.dk/linux-block: (25 commits)
        mg_disk: fix error return code in mg_probe()
        rsxx: remove unused variable
        rsxx: enable error return of rsxx_eeh_save_issued_dmas()
        block: removes dynamic allocation on stack
        Block: blk-flush: Fixed indent code style
        cciss: fix invalid use of sizeof in cciss_find_cfgtables()
        loop: cleanup partitions when detaching loop device
        loop: fix error return code in loop_add()
        mtip32xx: fix error return code in mtip_pci_probe()
        xen-blkfront: remove frame list from blk_shadow
        xen-blkfront: pre-allocate pages for requests
        xen-blkback: don't store dev_bus_addr
        xen-blkfront: switch from llist to list
        xen-blkback: fix foreach_grant_safe to handle empty lists
        xen-blkfront: replace kmalloc and then memcpy with kmemdup
        xen-blkback: fix dispatch_rw_block_io() error path
        rsxx: fix missing unlock on error return in rsxx_eeh_remap_dmas()
        Adding in EEH support to the IBM FlashSystem 70/80 device driver
        block: IBM RamSan 70/80 error message bug fix.
        block: IBM RamSan 70/80 branding changes.
        ...
      d299c290
    • Paul Walmsley's avatar
      Revert "lockdep: check that no locks held at freeze time" · dbf520a9
      Paul Walmsley authored
      This reverts commit 6aa97070.
      
      Commit 6aa97070 ("lockdep: check that no locks held at freeze time")
      causes problems with NFS root filesystems.  The failures were noticed on
      OMAP2 and 3 boards during kernel init:
      
        [ BUG: swapper/0/1 still has locks held! ]
        3.9.0-rc3-00344-ga937536b #1 Not tainted
        -------------------------------------
        1 lock held by swapper/0/1:
         #0:  (&type->s_umount_key#13/1){+.+.+.}, at: [<c011e84c>] sget+0x248/0x574
      
        stack backtrace:
          rpc_wait_bit_killable
          __wait_on_bit
          out_of_line_wait_on_bit
          __rpc_execute
          rpc_run_task
          rpc_call_sync
          nfs_proc_get_root
          nfs_get_root
          nfs_fs_mount_common
          nfs_try_mount
          nfs_fs_mount
          mount_fs
          vfs_kern_mount
          do_mount
          sys_mount
          do_mount_root
          mount_root
          prepare_namespace
          kernel_init_freeable
          kernel_init
      
      Although the rootfs mounts, the system is unstable.  Here's a transcript
      from a PM test:
      
        http://www.pwsan.com/omap/testlogs/test_v3.9-rc3/20130317194234/pm/37xxevm/37xxevm_log.txt
      
      Here's what the test log should look like:
      
        http://www.pwsan.com/omap/testlogs/test_v3.8/20130218214403/pm/37xxevm/37xxevm_log.txt
      
      Mailing list discussion is here:
      
        http://lkml.org/lkml/2013/3/4/221
      
      Deal with this for v3.9 by reverting the problem commit, until folks can
      figure out the right long-term course of action.
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Cc: Mandeep Singh Baines <msb@chromium.org>
      Cc: Jeff Layton <jlayton@redhat.com>
      Cc: Shawn Guo <shawn.guo@linaro.org>
      Cc: <maciej.rutecki@gmail.com>
      Cc: Fengguang Wu <fengguang.wu@intel.com>
      Cc: Trond Myklebust <Trond.Myklebust@netapp.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Ben Chan <benchan@chromium.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Rafael J. Wysocki <rjw@sisk.pl>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      dbf520a9
  3. 30 Mar, 2013 1 commit
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · 13d2080d
      Linus Torvalds authored
      Pull SCSI target fixes from Nicholas Bellinger:
       "This includes the bug-fix for a >= v3.8-rc1 regression specific to
        iscsi-target persistent reservation conflict handling (CC'ed to
        stable), and a tcm_vhost patch to drop VIRTIO_RING_F_EVENT_IDX usage
        so that in-flight qemu vhost-scsi-pci device code can detect the
        proper vhost feature bits.
      
        Also, there are two more tcm_vhost patches still being discussed by
        MST and Asias for v3.9 that will be required for the in-flight qemu
        vhost-scsi-pci device patch to function properly, and that should
        (hopefully) be the last target fixes for this round."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        target: Fix RESERVATION_CONFLICT status regression for iscsi-target special case
        tcm_vhost: Avoid VIRTIO_RING_F_EVENT_IDX feature bit
      13d2080d
  4. 29 Mar, 2013 24 commits