commit 7773647c3ea250586c2ee44559f6f1bdc2a5c885 Author: Greg Kroah-Hartman Date: Thu Feb 14 10:57:59 2013 -0800 Linux 3.7.8 commit 330b8abd83d4af378953af708cc10ddf3a5877fd Author: Marcin Slusarz Date: Mon Feb 4 21:52:54 2013 +0100 drm/nouveau: add lockdep annotations commit 5f97ab913cf0fbc378ea8ffc3ee66f4890d11c55 upstream. 1) Lockdep thinks all nouveau subdevs belong to the same class and can be locked in arbitrary order, which is not true (at least in general case). Tell it to distinguish subdevs by (o)class type. 2) DRM client can be locked under user client lock - tell lockdep to put DRM client lock in a separate class. Reported-by: Arend van Spriel Reported-by: Peter Hurley Reported-by: Maarten Lankhorst Reported-by: Daniel J Blueman Signed-off-by: Marcin Slusarz Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit c7c40b35837b6ea218a5aec82169c93bdc68235f Author: Eric Dumazet Date: Fri Jan 11 14:46:37 2013 +0000 net: splice: fix __splice_segment() [ Upstream commit bc9540c637c3d8712ccbf9dcf28621f380ed5e64 ] commit 9ca1b22d6d2 (net: splice: avoid high order page splitting) forgot that skb->head could need a copy into several page frags. This could be the case for loopback traffic mostly. Also remove now useless skb argument from linear_to_page() and __splice_segment() prototypes. Signed-off-by: Eric Dumazet Cc: Willy Tarreau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4dd53a6c90a9045524888de2930b56b7833175b2 Author: Eric Dumazet Date: Sat Jan 5 21:31:18 2013 +0000 net: splice: avoid high order page splitting [ Upstream commit 82bda6195615891181115f579a480aa5001ce7e9 ] splice() can handle pages of any order, but network code tries hard to split them in PAGE_SIZE units. Not quite successfully anyway, as __splice_segment() assumed poff < PAGE_SIZE. This is true for the skb->data part, not necessarily for the fragments. This patch removes this logic to give the pages as they are in the skb. Signed-off-by: Eric Dumazet Cc: Willy Tarreau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0f0ac9b6a73fe6025723fa4a51c8da2ccead6bff Author: Eric Dumazet Date: Wed Jan 9 20:59:09 2013 +0000 tcp: fix splice() and tcp collapsing interaction [ Upstream commit f26845b43c75d3f32f98d194c1327b5b1e6b3fb0 ] Under unusual circumstances, TCP collapse can split a big GRO TCP packet while its being used in a splice(socket->pipe) operation. skb_splice_bits() releases the socket lock before calling splice_to_pipe(). [ 1081.353685] WARNING: at net/ipv4/tcp.c:1330 tcp_cleanup_rbuf+0x4d/0xfc() [ 1081.371956] Hardware name: System x3690 X5 -[7148Z68]- [ 1081.391820] cleanup rbuf bug: copied AD3BCF1 seq AD370AF rcvnxt AD3CF13 To fix this problem, we must eat skbs in tcp_recv_skb(). Remove the inline keyword from tcp_recv_skb() definition since it has three call sites. Reported-by: Christian Becker Cc: Willy Tarreau Signed-off-by: Eric Dumazet Tested-by: Willy Tarreau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 09ea1383126d942a993b0895cec16e0961db5af9 Author: Eric Dumazet Date: Thu Jan 10 07:06:10 2013 +0000 tcp: splice: fix an infinite loop in tcp_read_sock() [ Upstream commit ff905b1e4aad8ccbbb0d42f7137f19482742ff07 ] commit 02275a2ee7c0 (tcp: don't abort splice() after small transfers) added a regression. [ 83.843570] INFO: rcu_sched self-detected stall on CPU [ 83.844575] INFO: rcu_sched detected stalls on CPUs/tasks: { 6} (detected by 0, t=21002 jiffies, g=4457, c=4456, q=13132) [ 83.844582] Task dump for CPU 6: [ 83.844584] netperf R running task 0 8966 8952 0x0000000c [ 83.844587] 0000000000000000 0000000000000006 0000000000006c6c 0000000000000000 [ 83.844589] 000000000000006c 0000000000000096 ffffffff819ce2bc ffffffffffffff10 [ 83.844592] ffffffff81088679 0000000000000010 0000000000000246 ffff880c4b9ddcd8 [ 83.844594] Call Trace: [ 83.844596] [] ? vprintk_emit+0x1c9/0x4c0 [ 83.844601] [] ? schedule+0x29/0x70 [ 83.844606] [] ? tcp_splice_data_recv+0x42/0x50 [ 83.844610] [] ? tcp_read_sock+0xda/0x260 [ 83.844613] [] ? tcp_prequeue_process+0xb0/0xb0 [ 83.844615] [] ? tcp_splice_read+0xc0/0x250 [ 83.844618] [] ? sock_splice_read+0x22/0x30 [ 83.844622] [] ? do_splice_to+0x7b/0xa0 [ 83.844627] [] ? sys_splice+0x59c/0x5d0 [ 83.844630] [] ? putname+0x2b/0x40 [ 83.844633] [] ? do_sys_open+0x174/0x1e0 [ 83.844636] [] ? system_call_fastpath+0x16/0x1b if recv_actor() returns 0, we should stop immediately, because looping wont give a chance to drain the pipe. Signed-off-by: Eric Dumazet Cc: Willy Tarreau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 301008f5b5a734d5d1ddd5c4a95d69812ae4c7e7 Author: Willy Tarreau Date: Sun Dec 2 11:49:27 2012 +0000 tcp: don't abort splice() after small transfers [ Upstream commit 02275a2ee7c0ea475b6f4a6428f5df592bc9d30b ] TCP coalescing added a regression in splice(socket->pipe) performance, for some workloads because of the way tcp_read_sock() is implemented. The reason for this is the break when (offset + 1 != skb->len). As we released the socket lock, this condition is possible if TCP stack added a fragment to the skb, which can happen with TCP coalescing. So let's go back to the beginning of the loop when this happens, to give a chance to splice more frags per system call. Doing so fixes the issue and makes GRO 10% faster than LRO on CPU-bound splice() workloads instead of the opposite. Signed-off-by: Willy Tarreau Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fa237a5c85320c6597caaea5dfeff5e2d995e666 Author: Ilpo Järvinen Date: Mon Feb 4 02:14:25 2013 +0000 tcp: fix for zero packets_in_flight was too broad [ Upstream commit 6731d2095bd4aef18027c72ef845ab1087c3ba63 ] There are transients during normal FRTO procedure during which the packets_in_flight can go to zero between write_queue state updates and firing the resulting segments out. As FRTO processing occurs during that window the check must be more precise to not match "spuriously" :-). More specificly, e.g., when packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic branch that set cwnd into zero would not be taken and new segments might be sent out later. Signed-off-by: Ilpo Järvinen Tested-by: Eric Dumazet Acked-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b80440945d3644f4dcc1d0817e2f07d9c8d1ef8a Author: Eric Dumazet Date: Sun Feb 3 09:13:05 2013 +0000 tcp: frto should not set snd_cwnd to 0 [ Upstream commit 2e5f421211ff76c17130b4597bc06df4eeead24f ] Commit 9dc274151a548 (tcp: fix ABC in tcp_slow_start()) uncovered a bug in FRTO code : tcp_process_frto() is setting snd_cwnd to 0 if the number of in flight packets is 0. As Neal pointed out, if no packet is in flight we lost our chance to disambiguate whether a loss timeout was spurious. We should assume it was a proper loss. Reported-by: Pasi Kärkkäinen Signed-off-by: Neal Cardwell Signed-off-by: Eric Dumazet Cc: Ilpo Järvinen Cc: Yuchung Cheng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e90bb8480d31f54d1ccc12602e5800f7ff31dcc1 Author: Eric Dumazet Date: Sat Feb 2 05:23:16 2013 +0000 tcp: fix an infinite loop in tcp_slow_start() [ Upstream commit 973ec449bb4f2b8c514bacbcb4d9506fc31c8ce3 ] Since commit 9dc274151a548 (tcp: fix ABC in tcp_slow_start()), a nul snd_cwnd triggers an infinite loop in tcp_slow_start() Avoid this infinite loop and log a one time error for further analysis. FRTO code is suspected to cause this bug. Reported-by: Pasi Kärkkäinen Signed-off-by: Eric Dumazet Cc: Neal Cardwell Cc: Yuchung Cheng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3005cf62aac8c1b68c0201ead876b30a6c0f9ddd Author: Yuchung Cheng Date: Thu Jan 31 11:16:46 2013 -0800 tcp: detect SYN/data drop when F-RTO is disabled [ Upstream commit 66555e92fb7a619188c02cceae4bbc414f15f96d ] On receiving the SYN-ACK, Fast Open checks icsk_retransmit for SYN retransmission to detect SYN/data drops. But if F-RTO is disabled, icsk_retransmit is reset at step D of tcp_fastretrans_alert() ( under tcp_ack()) before tcp_rcv_fastopen_synack(). The fix is to use total_retrans instead which accounts for SYN retransmission regardless the use of F-RTO. Signed-off-by: Yuchung Cheng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3cea56174bd3d79f8bb9ec500dfc95c4660a6ca9 Author: Daniel Borkmann Date: Fri Feb 8 03:04:35 2013 +0000 net: sctp: sctp_endpoint_free: zero out secret key data [ Upstream commit b5c37fe6e24eec194bb29d22fdd55d73bcc709bf ] On sctp_endpoint_destroy, previously used sensitive keying material should be zeroed out before the memory is returned, as we already do with e.g. auth keys when released. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 86e4935c889c0e4aadd3f7cf86a22ea09f959600 Author: Daniel Borkmann Date: Fri Feb 8 03:04:34 2013 +0000 net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree [ Upstream commit 6ba542a291a5e558603ac51cda9bded347ce7627 ] In sctp_setsockopt_auth_key, we create a temporary copy of the user passed shared auth key for the endpoint or association and after internal setup, we free it right away. Since it's sensitive data, we should zero out the key before returning the memory back to the allocator. Thus, use kzfree instead of kfree, just as we do in sctp_auth_key_put(). Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2a64537939d88f55564c276c61b5c4660636d9d0 Author: Neil Horman Date: Thu Jan 17 11:15:08 2013 +0000 sctp: refactor sctp_outq_teardown to insure proper re-initalization [ Upstream commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 ] Jamie Parsons reported a problem recently, in which the re-initalization of an association (The duplicate init case), resulted in a loss of receive window space. He tracked down the root cause to sctp_outq_teardown, which discarded all the data on an outq during a re-initalization of the corresponding association, but never reset the outq->outstanding_data field to zero. I wrote, and he tested this fix, which does a proper full re-initalization of the outq, fixing this problem, and hopefully future proofing us from simmilar issues down the road. Signed-off-by: Neil Horman Reported-by: Jamie Parsons Tested-by: Jamie Parsons CC: Jamie Parsons CC: Vlad Yasevich CC: "David S. Miller" CC: netdev@vger.kernel.org Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4ad45ec2e4660a7643a0434b1db47085532afdb1 Author: Steffen Klassert Date: Tue Jan 22 00:01:28 2013 +0000 ipv4: Fix route refcount on pmtu discovery [ Upstream commit b44108dbdbaa07c609bb5755e8dd6c2035236251 ] git commit 9cb3a50c (ipv4: Invalidate the socket cached route on pmtu events if possible) introduced a refcount problem. We don't get a refcount on the route if we get it from__sk_dst_get(), but we need one if we want to reuse this route because __sk_dst_set() releases the refcount of the old route. This patch adds proper refcount handling for that case. We introduce a 'new' flag to indicate that we are going to use a new route and we release the old route only if we replace it by a new one. Reported-by: Julian Anastasov Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5874dd2fa88cc8b977b839a70679d61624e89ad4 Author: Steffen Klassert Date: Mon Jan 21 02:00:03 2013 +0000 ipv4: Add a socket release callback for datagram sockets [ Upstream commit 8141ed9fcedb278f4a3a78680591bef1e55f75fb ] This implements a socket release callback function to check if the socket cached route got invalid during the time we owned the socket. The function is used from udp, raw and ping sockets. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1f35a1715c629c1756bf47a6166ead2754ed6d1d Author: Steffen Klassert Date: Mon Jan 21 01:59:11 2013 +0000 ipv4: Invalidate the socket cached route on pmtu events if possible [ Upstream commit 9cb3a50c5f63ed745702972f66eaee8767659acd ] The route lookup in ipv4_sk_update_pmtu() might return a route different from the route we cached at the socket. This is because standart routes are per cpu, so each cpu has it's own struct rtable. This means that we do not invalidate the socket cached route if the NET_RX_SOFTIRQ is not served by the same cpu that the sending socket uses. As a result, the cached route reused until we disconnect. With this patch we invalidate the socket cached route if possible. If the socket is owened by the user, we can't update the cached route directly. A followup patch will implement socket release callback functions for datagram sockets to handle this case. Reported-by: Yurij M. Plotnikov Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c88be877a5955ba10e7bd35c8be9dddeef84b116 Author: Steffen Klassert Date: Wed Jan 16 22:09:49 2013 +0000 ipv6: Add an error handler for icmp6 [ Upstream commit 6f809da27c94425e07be4a64d5093e1df95188e9 ] pmtu and redirect events are now handled in the protocols error handler, so add an error handler for icmp6 to do this. It is needed in the case when we have no socket context. Based on a patch by Duan Jiong. Reported-by: Duan Jiong Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b8291bbfa392773abe54aed10e6c5553d8cde8b3 Author: Steffen Klassert Date: Wed Jan 16 20:58:10 2013 +0000 ipv4: Don't update the pmtu on mtu locked routes [ Upstream commit fa1e492aa3cbafba9f8fc6d05e5b08a3091daf4a ] Routes with locked mtu should not use learned pmtu informations, so do not update the pmtu on these routes. Reported-by: Julian Anastasov Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0196923c77f46e98e38bc39e42e5f2c646c6733c Author: Steffen Klassert Date: Wed Jan 16 20:55:01 2013 +0000 ipv4: Remove output route check in ipv4_mtu [ Upstream commit 38d523e2948162776903349c89d65f7b9370dadb ] The output route check was introduced with git commit 261663b0 (ipv4: Don't use the cached pmtu informations for input routes) during times when we cached the pmtu informations on the inetpeer. Now the pmtu informations are back in the routes, so this check is obsolete. It also had some unwanted side effects, as reported by Timo Teras and Lukas Tribus. Signed-off-by: Steffen Klassert Acked-by: Timo Teräs Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8bd686bf8a379fe7fe0fb79b6e1ced508eddec4a Author: Ian Campbell Date: Wed Feb 6 23:41:38 2013 +0000 netback: correct netbk_tx_err to handle wrap around. [ Upstream commit b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 ] Signed-off-by: Ian Campbell Acked-by: Jan Beulich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5847062310d46afd500e3177fdea8e710127f831 Author: Ian Campbell Date: Wed Feb 6 23:41:37 2013 +0000 xen/netback: free already allocated memory on failure in xen_netbk_get_requests [ Upstream commit 4cc7c1cb7b11b6f3515bd9075527576a1eecc4aa ] Signed-off-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bf23a4d77d92acc048bd74c604e840ab3dd6bade Author: Matthew Daley Date: Wed Feb 6 23:41:36 2013 +0000 xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop. [ Upstream commit 7d5145d8eb2b9791533ffe4dc003b129b9696c48 ] Signed-off-by: Matthew Daley Reviewed-by: Konrad Rzeszutek Wilk Acked-by: Ian Campbell Acked-by: Jan Beulich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 036610027dd4ada9996ded5a80b75dd8911980af Author: Ian Campbell Date: Wed Feb 6 23:41:35 2013 +0000 xen/netback: shutdown the ring if it contains garbage. [ Upstream commit 48856286b64e4b66ec62b94e504d0b29c1ade664 ] A buggy or malicious frontend should not be able to confuse netback. If we spot anything which is not as it should be then shutdown the device and don't try to continue with the ring in a potentially hostile state. Well behaved and non-hostile frontends will not be penalised. As well as making the existing checks for such errors fatal also add a new check that ensures that there isn't an insane number of requests on the ring (i.e. more than would fit in the ring). If the ring contains garbage then previously is was possible to loop over this insane number, getting an error each time and therefore not generating any more pending requests and therefore not exiting the loop in xen_netbk_tx_build_gops for an externded period. Also turn various netdev_dbg calls which no precipitate a fatal error into netdev_err, they are rate limited because the device is shutdown afterwards. This fixes at least one known DoS/softlockup of the backend domain. Signed-off-by: Ian Campbell Reviewed-by: Konrad Rzeszutek Wilk Acked-by: Jan Beulich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3d96b3ff38e03ad8574f08fffd9d7e3657419670 Author: Heiko Carstens Date: Fri Feb 8 00:19:11 2013 +0000 atm/iphase: rename fregt_t -> ffreg_t [ Upstream commit ab54ee80aa7585f9666ff4dd665441d7ce41f1e8 ] We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the iphase atm device driver, which causes the compile error below. Unfortunately the s390 typedef can't be renamed, since it's a user visible api, nor can I change the include order in s390 code to avoid the conflict. So simply rename the iphase typedef to a new name. Fixes this compile error: In file included from drivers/atm/iphase.c:66:0: drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t' In file included from next/arch/s390/include/asm/ptrace.h:9:0, from next/arch/s390/include/asm/lowcore.h:12, from next/arch/s390/include/asm/thread_info.h:30, from include/linux/thread_info.h:54, from include/linux/preempt.h:9, from include/linux/spinlock.h:50, from include/linux/seqlock.h:29, from include/linux/time.h:5, from include/linux/stat.h:18, from include/linux/module.h:10, from drivers/atm/iphase.c:43: next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here Signed-off-by: Heiko Carstens Acked-by: chas williams - CONTRACTOR Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ea6a9fca541b3dfdc8085f1493f4794f9baddfe9 Author: Tommi Rantala Date: Wed Feb 6 03:24:02 2013 +0000 ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit() [ Upstream commit 41ab3e31bd50b42c85ac0aa0469642866aee2a9a ] ip6gre_tunnel_xmit() is leaking the skb when we hit this error branch, and the -1 return value from this function is bogus. Use the error handling we already have in place in ip6gre_tunnel_xmit() for this error case to fix this. Signed-off-by: Tommi Rantala Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 29cb024d2df4072cba88d8c7e62cc7617fbb689d Author: Phil Sutter Date: Fri Feb 1 07:21:41 2013 +0000 packet: fix leakage of tx_ring memory [ Upstream commit 9665d5d62487e8e7b1f546c00e11107155384b9a ] When releasing a packet socket, the routine packet_set_ring() is reused to free rings instead of allocating them. But when calling it for the first time, it fills req->tp_block_nr with the value of rb->pg_vec_len which in the second invocation makes it bail out since req->tp_block_nr is greater zero but req->tp_block_size is zero. This patch solves the problem by passing a zeroed auto-variable to packet_set_ring() upon each invocation from packet_release(). As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING and packet mmap), i.e. the original inclusion of TX ring support into af_packet, but applies only to sockets with both RX and TX ring allocated, which is probably why this was unnoticed all the time. Signed-off-by: Phil Sutter Cc: Johann Baudy Cc: Daniel Borkmann Acked-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bec1a03d483aa8e50657f2599d228fc879d385ea Author: David S. Miller Date: Tue Jan 29 22:58:04 2013 -0500 via-rhine: Fix bugs in NAPI support. [ Upstream commit 559bcac35facfed49ab4f408e162971612dcfdf3 ] 1) rhine_tx() should use dev_kfree_skb() not dev_kfree_skb_irq() 2) rhine_slow_event_task's NAPI triggering logic is racey, it should just hit the interrupt mask register. This is the same as commit 7dbb491878a2c51d372a8890fa45a8ff80358af1 ("r8169: avoid NAPI scheduling delay.") made to fix the same problem in the r8169 driver. From Francois Romieu. Reported-by: Jamie Gloudon Tested-by: Jamie Gloudon Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 854b033a4cd8c405731f7ddb26d3ab8d39225cf1 Author: Marcelo Ricardo Leitner Date: Tue Jan 29 22:26:08 2013 +0000 ipv6: do not create neighbor entries for local delivery [ Upstream commit bd30e947207e2ea0ff2c08f5b4a03025ddce48d3 ] They will be created at output, if ever needed. This avoids creating empty neighbor entries when TPROXYing/Forwarding packets for addresses that are not even directly reachable. Note that IPv4 already handles it this way. No neighbor entries are created for local input. Tested by myself and customer. Signed-off-by: Jiri Pirko Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit badaed3effae5565307a25a3692ebde36e25fa33 Author: Cong Wang Date: Sun Jan 27 21:14:08 2013 +0000 pktgen: correctly handle failures when adding a device [ Upstream commit 604dfd6efc9b79bce432f2394791708d8e8f6efc ] The return value of pktgen_add_device() is not checked, so even if we fail to add some device, for example, non-exist one, we still see "OK:...". This patch fixes it. After this patch, I got: # echo "add_device non-exist" > /proc/net/pktgen/kpktgend_0 -bash: echo: write error: No such device # cat /proc/net/pktgen/kpktgend_0 Running: Stopped: Result: ERROR: can not add device non-exist # echo "add_device eth0" > /proc/net/pktgen/kpktgend_0 # cat /proc/net/pktgen/kpktgend_0 Running: Stopped: eth0 Result: OK: add_device=eth0 (Candidate for -stable) Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 70b40e0ec5a61b7c073690c2a2fc1da13b520254 Author: Pravin B Shelar Date: Wed Jan 23 11:45:42 2013 +0000 IP_GRE: Fix kernel panic in IP_GRE with GRE csum. [ Upstream commit 5465740ace36f179de5bb0ccb5d46ddeb945e309 ] Due to IP_GRE GSO support, GRE can recieve non linear skb which results in panic in case of GRE_CSUM. Following patch fixes it by using correct csum API. Bug introduced in commit 6b78f16e4bdde3936b (gre: add GSO support) Signed-off-by: Pravin B Shelar Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit be730f3d2049d1161ea22ada338dd1aeaef20065 Author: Eric Dumazet Date: Fri Jan 25 07:44:41 2013 +0000 net: loopback: fix a dst refcounting issue [ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ] Ben Greear reported crashes in ip_rcv_finish() on a stress test involving many macvlans. We tracked the bug to a dst use after free. ip_rcv_finish() was calling dst->input() and got garbage for dst->input value. It appears the bug is in loopback driver, lacking a skb_dst_force() before calling netif_rx(). As a result, a non refcounted dst, normally protected by a RCU read_lock section, was escaping this section and could be freed before the packet being processed. [] loopback_xmit+0x64/0x83 [] dev_hard_start_xmit+0x26c/0x35e [] dev_queue_xmit+0x2c4/0x37c [] ? dev_hard_start_xmit+0x35e/0x35e [] ? eth_header+0x28/0xb6 [] neigh_resolve_output+0x176/0x1a7 [] ip_finish_output2+0x297/0x30d [] ? ip_finish_output2+0x137/0x30d [] ip_finish_output+0x63/0x68 [] ip_output+0x61/0x67 [] dst_output+0x17/0x1b [] ip_local_out+0x1e/0x23 [] ip_queue_xmit+0x315/0x353 [] ? ip_send_unicast_reply+0x2cc/0x2cc [] tcp_transmit_skb+0x7ca/0x80b [] tcp_connect+0x53c/0x587 [] ? getnstimeofday+0x44/0x7d [] ? ktime_get_real+0x11/0x3e [] tcp_v4_connect+0x3c2/0x431 [] __inet_stream_connect+0x84/0x287 [] ? inet_stream_connect+0x22/0x49 [] ? _local_bh_enable_ip+0x84/0x9f [] ? local_bh_enable+0xd/0x11 [] ? lock_sock_nested+0x6e/0x79 [] ? inet_stream_connect+0x22/0x49 [] inet_stream_connect+0x33/0x49 [] sys_connect+0x75/0x98 This bug was introduced in linux-2.6.35, in commit 7fee226ad2397b (net: add a noref bit on skb dst) skb_dst_force() is enforced in dev_queue_xmit() for devices having a qdisc. Reported-by: Ben Greear Signed-off-by: Eric Dumazet Tested-by: Ben Greear Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d432256090663bd155fad2c0649cc2d9e0c56c99 Author: Timo Teräs Date: Mon Jan 21 22:30:35 2013 +0000 r8169: remove the obsolete and incorrect AMD workaround [ Upstream commit 5d0feaff230c0abfe4a112e6f09f096ed99e0b2d ] This was introduced in commit 6dccd16 "r8169: merge with version 6.001.00 of Realtek's r8169 driver". I did not find the version 6.001.00 online, but in 6.002.00 or any later r8169 from Realtek this hunk is no longer present. Also commit 05af214 "r8169: fix Ethernet Hangup for RTL8110SC rev d" claims to have fixed this issue otherwise. The magic compare mask of 0xfffe000 is dubious as it masks parts of the Reserved part, and parts of the VLAN tag. But this does not make much sense as the VLAN tag parts are perfectly valid there. In matter of fact this seems to be triggered with any VLAN tagged packet as RxVlanTag bit is matched. I would suspect 0xfffe0000 was intended to test reserved part only. Finally, this hunk is evil as it can cause more packets to be handled than what was NAPI quota causing net/core/dev.c: net_rx_action(): WARN_ON_ONCE(work > weight) to trigger, and mess up the NAPI state causing device to hang. As result, any system using VLANs and having high receive traffic (so that NAPI poll budget limits rtl_rx) would result in device hang. Signed-off-by: Timo Teräs Acked-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b463269054078fbb6d9a0b4d86ff3ceafd4b28b4 Author: Eric Dumazet Date: Tue Jan 22 06:33:05 2013 +0000 netxen: fix off by one bug in netxen_release_tx_buffer() [ Upstream commit a05948f296ce103989b28a2606e47d2e287c3c89 ] Christoph Paasch found netxen could trigger a BUG in its dismantle phase, in netxen_release_tx_buffer(), using full size TSO packets. cmd_buf->frag_count includes the skb->data part, so the loop must start at index 1 instead of 0, or else we can make an out of bound access to cmd_buff->frag_array[MAX_SKB_FRAGS + 2] Christoph provided the fixes in netxen_map_tx_skb() function. In case of a dma mapping error, its better to clear the dma fields so that we don't try to unmap them again in netxen_release_tx_buffer() Reported-by: Christoph Paasch Signed-off-by: Eric Dumazet Tested-by: Christoph Paasch Cc: Sony Chacko Cc: Rajesh Borundia Signed-off-by: Christoph Paasch Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fdab75e4f3b49683ab917717ea5183c6dbce708d Author: Tilman Schmidt Date: Mon Jan 21 11:57:21 2013 +0000 isdn/gigaset: fix zero size border case in debug dump [ Upstream commit d721a1752ba544df8d7d36959038b26bc92bdf80 ] If subtracting 12 from l leaves zero we'd do a zero size allocation, leading to an oops later when we try to set the NUL terminator. Reported-by: Dan Carpenter Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0e3fd03bdeb3cc0ce601723d2406be53b829be25 Author: Eric Dumazet Date: Sat Jan 19 16:10:37 2013 +0000 tcp: fix incorrect LOCKDROPPEDICMPS counter [ Upstream commit b74aa930ef49a3c0d8e4c1987f89decac768fb2c ] commit 563d34d057 (tcp: dont drop MTU reduction indications) added an error leading to incorrect accounting of LINUX_MIB_LOCKDROPPEDICMPS If socket is owned by the user, we want to increment this SNMP counter, unless the message is a (ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED) one. Reported-by: Maciej ¯enczykowski Signed-off-by: Eric Dumazet Cc: Neal Cardwell Signed-off-by: Maciej ¯enczykowski Acked-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ec9336e3e7dc3f048f2c4d42e1b9851ea3211c35 Author: Or Gerlitz Date: Thu Jan 17 05:30:43 2013 +0000 net/mlx4_core: Set number of msix vectors under SRIOV mode to firmware defaults [ Upstream commit ca4c7b35f75492de7fbf5ee95be07481c348caee ] The lines if (mlx4_is_mfunc(dev)) { nreq = 2; } else { which hard code the number of requested msi-x vectors under multi-function mode to two can be removed completely, since the firmware sets num_eqs and reserved_eqs appropriately Thus, the code line: nreq = min_t(int, dev->caps.num_eqs - dev->caps.reserved_eqs, nreq); is by itself sufficient and correct for all cases. Currently, for mfunc mode num_eqs = 32 and reserved_eqs = 28, hence four vectors will be enabled. This triples (one vector is used for the async events and commands EQ) the horse power provided for processing of incoming packets on netdev RSS scheme, IO initiators/targets commands processing flows, etc. Reviewed-by: Jack Morgenstein Signed-off-by: Amir Vadai Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cef928e94f080a5b54bab3401b2611b9fc77b53e Author: Yan Burman Date: Thu Jan 17 05:30:42 2013 +0000 net/mlx4_en: Fix bridged vSwitch configuration for non SRIOV mode [ Upstream commit 213815a1e6ae70b9648483b110bc5081795f99e8 ] Commit 5b4c4d36860e "mlx4_en: Allow communication between functions on same host" introduced a regression under which a bridge acting as vSwitch whose uplink is an mlx4 Ethernet device become non-operative in native (non sriov) mode. This happens since broadcast ARP requests sent by VMs were loopback-ed by the HW and hence the bridge learned VM source MACs on both the VM and the uplink ports. The fix is to place the DMAC in the send WQE only under SRIOV/eSwitch configuration or when the device is in selftest. Reviewed-by: Or Gerlitz Signed-off-by: Yan Burman Signed-off-by: Amir Vadai Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 665dbf232cda5132238a4c525f8ab62d65fa0cf9 Author: Rob Herring Date: Wed Jan 16 13:36:37 2013 +0000 net: calxedaxgmac: throw away overrun frames [ Upstream commit d6fb3be544b46a7611a3373fcaa62b5b0be01888 ] The xgmac driver assumes 1 frame per descriptor. If a frame larger than the descriptor's buffer size is received, the frame will spill over into the next descriptor. So check for received frames that span more than one descriptor and discard them. This prevents a crash if we receive erroneous large packets. Signed-off-by: Rob Herring Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6a56fc1543efd880e4b26cb44e230328c2e97c66 Author: Eric Dumazet Date: Thu Jan 17 13:30:49 2013 -0800 macvlan: fix macvlan_get_size() [ Upstream commit 01fe944f1024bd4e5c327ddbe8d657656b66af2f ] commit df8ef8f3aaa (macvlan: add FDB bridge ops and macvlan flags) forgot to update macvlan_get_size() after the addition of IFLA_MACVLAN_FLAGS Signed-off-by: Eric Dumazet Cc: John Fastabend Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c716ba51a90f43e58aeda9cc7afb937977592ffc Author: Romain KUNTZ Date: Wed Jan 16 12:47:40 2013 +0000 ipv6: fix header length calculation in ip6_append_data() [ Upstream commit 7efdba5bd9a2f3e2059beeb45c9fa55eefe1bced ] Commit 299b0767 (ipv6: Fix IPsec slowpath fragmentation problem) has introduced a error in the header length calculation that provokes corrupted packets when non-fragmentable extensions headers (Destination Option or Routing Header Type 2) are used. rt->rt6i_nfheader_len is the length of the non-fragmentable extension header, and it should be substracted to rt->dst.header_len, and not to exthdrlen, as it was done before commit 299b0767. This patch reverts to the original and correct behavior. It has been successfully tested with and without IPsec on packets that include non-fragmentable extensions headers. Signed-off-by: Romain Kuntz Acked-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 042e1808bea6a9751a106d4ed0e1f44b7fa136ce Author: Stephen Hemminger Date: Wed Jan 16 09:55:57 2013 -0800 MAINTAINERS: Stephen Hemminger email change [ Upstream commit adbbf69d1a54abf424e91875746a610dcc80017d ] I changed my email because the vyatta.com mail server is now redirected to brocade.com; and the Brocade mail system is not friendly to Linux desktop users. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d0f5d39ef79b9b4023f51664e15a5373ea3ea9eb Author: Eric Dumazet Date: Sun Jan 13 18:21:51 2013 +0000 tcp: fix a panic on UP machines in reqsk_fastopen_remove [ Upstream commit cce894bb824429fd312706c7012acae43e725865 ] spin_is_locked() on a non !SMP build is kind of useless. BUG_ON(!spin_is_locked(xx)) is guaranteed to crash. Just remove this check in reqsk_fastopen_remove() as the callers do hold the socket lock. Reported-by: Ketan Kulkarni Signed-off-by: Eric Dumazet Cc: Jerry Chu Cc: Yuchung Cheng Cc: Dave Taht Acked-by: H.K. Jerry Chu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 10bff21d37cd8751f4fd445dbffd3603f45ff453 Author: Stanislaw Gruszka Date: Thu Jan 10 23:19:10 2013 +0000 net, wireless: overwrite default_ethtool_ops [ Upstream commit d07d7507bfb4e23735c9b83e397c43e1e8a173e8 ] Since: commit 2c60db037034d27f8c636403355d52872da92f81 Author: Eric Dumazet Date: Sun Sep 16 09:17:26 2012 +0000 net: provide a default dev->ethtool_ops wireless core does not correctly assign ethtool_ops. After alloc_netdev*() call, some cfg80211 drivers provide they own ethtool_ops, but some do not. For them, wireless core provide generic cfg80211_ethtool_ops, which is assigned in NETDEV_REGISTER notify call: if (!dev->ethtool_ops) dev->ethtool_ops = &cfg80211_ethtool_ops; But after Eric's commit, dev->ethtool_ops is no longer NULL (on cfg80211 drivers without custom ethtool_ops), but points to &default_ethtool_ops. In order to fix the problem, provide function which will overwrite default_ethtool_ops and use it by wireless core. Signed-off-by: Stanislaw Gruszka Acked-by: Johannes Berg Acked-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0e352e0658b3093553aabc80ef8caf6d0024c968 Author: Romain Kuntz Date: Wed Jan 9 15:02:26 2013 +0100 ipv6: fix the noflags test in addrconf_get_prefix_route [ Upstream commit 85da53bf1c336bb07ac038fb951403ab0478d2c5 ] The tests on the flags in addrconf_get_prefix_route() does no make much sense: the 'noflags' parameter contains the set of flags that must not match with the route flags, so the test must be done against 'noflags', and not against 'flags'. Signed-off-by: Romain Kuntz Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dcc1565d8eb4abeebe8910c564cd601f953a7a1f Author: Cong Wang Date: Mon Jan 7 21:17:00 2013 +0000 net: prevent setting ttl=0 via IP_TTL [ Upstream commit c9be4a5c49cf51cc70a993f004c5bb30067a65ce ] A regression is introduced by the following commit: commit 4d52cfbef6266092d535237ba5a4b981458ab171 Author: Eric Dumazet Date: Tue Jun 2 00:42:16 2009 -0700 net: ipv4/ip_sockglue.c cleanups Pure cleanups but it is not a pure cleanup... - if (val != -1 && (val < 1 || val>255)) + if (val != -1 && (val < 0 || val > 255)) Since there is no reason provided to allow ttl=0, change it back. Reported-by: nitin padalia Cc: nitin padalia Cc: Eric Dumazet Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 99de47aaa41e7da936fb73380b120ed0c05c5b10 Author: Mike Snitzer Date: Thu Jan 31 14:11:14 2013 +0000 dm thin: fix queue limits stacking commit 0f640dca08330dfc7820d610578e5935b5e654b2 upstream. thin_io_hints() is blindly copying the queue limits from the thin-pool which can lead to incorrect limits being set. The fix here simply deletes the thin_io_hints() hook which leaves the existing stacking infrastructure to set the limits correctly. When a thin-pool uses an MD device for the data device a thin device from the thin-pool must respect MD's constraints about disallowing a bio from spanning multiple chunks. Otherwise we can see problems. If the raid0 chunksize is 1152K and thin-pool chunksize is 256K I see the following md/raid0 error (with extra debug tracing added to thin_endio) when mkfs.xfs is executed against the thin device: md/raid0:md99: make_request bug: can't convert block across chunks or bigger than 1152k 6688 127 device-mapper: thin: bio sector=2080 err=-5 bi_size=130560 bi_rw=17 bi_vcnt=32 bi_idx=0 This extra DM debugging shows that the failing bio is spanning across the first and second logical 1152K chunk (sector 2080 + 255 takes the bio beyond the first chunk's boundary of sector 2304). So the bio splitting that DM is doing clearly isn't respecting the MD limits. max_hw_sectors_kb is 127 for both the thin-pool and thin device (queue_max_hw_sectors returns 255 so we'll excuse sysfs's lack of precision). So this explains why bi_size is 130560. But the thin device's max_hw_sectors_kb should be 4 (PAGE_SIZE) given that it doesn't have a .merge function (for bio_add_page to consult indirectly via dm_merge_bvec) yet the thin-pool does sit above an MD device that has a compulsory merge_bvec_fn. This scenario is exactly why DM must resort to sending single PAGE_SIZE bios to the underlying layer. Some additional context for this is available in the header for commit 8cbeb67a ("dm: avoid unsupported spanning of md stripe boundaries"). Long story short, the reason a thin device doesn't properly get configured to have a max_hw_sectors_kb of 4 (PAGE_SIZE) is that thin_io_hints() is blindly copying the queue limits from the thin-pool device directly to the thin device's queue limits. Fix this by eliminating thin_io_hints. Doing so is safe because the block layer's queue limits stacking already enables the upper level thin device to inherit the thin-pool device's discard and minimum_io_size and optimal_io_size limits that get set in pool_io_hints. But avoiding the queue limits copy allows the thin and thin-pool limits to be different where it is important, namely max_hw_sectors_kb. Reported-by: Daniel Browning Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 7422eb949449d1b069357b61825679349e18ff8e Author: Linus Walleij Date: Thu Dec 20 10:20:15 2012 +0100 mfd: db8500-prcmu: Fix irqdomain usage commit 89d9b1c99374997d68910ba49d5b7df80e7f2061 upstream. This fixes two issues with the DB8500 PRCMU irqdomain: - You have to state the irq base 0 to get a linear domain for the DT case from irq_domain_add_simple() - The irqdomain was not used to translate the initial irq request using irq_create_mapping() making the linear case fail as it was lacking a proper descriptor. I took this opportunity to fix two lines of whitespace errors in related code as I was anyway messing around with it. Acked-by Lee Jones Signed-off-by: Linus Walleij Signed-off-by: Samuel Ortiz Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit 15e81f0b10fc9d7d9be7af46b3e80bc8c361963c Author: Felix Fietkau Date: Sun Jan 20 21:55:20 2013 +0100 ath9k_hw: fix calibration issues on chainmask that don't include chain 0 commit 4a8f199508d79ff8a7d1e22f47b912baaf225336 upstream. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit 0dc2f4dcf99e372f49538e6c9949891d08d3091d Author: Mauro Carvalho Chehab Date: Sat Oct 27 14:26:25 2012 -0300 media: pwc-if: must check vb2_queue_init() success commit eda94710d6502672c5ee7de198fa78a63ddfae3a upstream. drivers/media/usb/pwc/pwc-if.c: In function 'usb_pwc_probe': drivers/media/usb/pwc/pwc-if.c:1003:16: warning: ignoring return value of 'vb2_queue_init', declared with attribute warn_unused_result [-Wunused-result] In the past, it used to have a logic there at queue init that would BUG() on errors. This logic got removed. Drivers are now required to explicitly handle the queue initialization errors, or very bad things may happen. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Paul Bolle commit 6d468d117d8853f9235480cf6329b99868290b23 Author: Bruce Allan Date: Mon Jan 28 00:43:48 2013 +0000 e1000e: enable ECC on I217/I218 to catch packet buffer memory errors commit 286003048aaef49b26bb9d93611dc69085e8982e upstream. In rare instances, memory errors have been detected in the internal packet buffer memory on I217/I218 when stressed under certain environmental conditions. Enable Error Correcting Code (ECC) in hardware to catch both correctable and uncorrectable errors. Correctable errors will be handled by the hardware. Uncorrectable errors in the packet buffer will cause the packet to be received with an error indication in the buffer descriptor causing the packet to be discarded. If the uncorrectable error is in the descriptor itself, the hardware will stop and interrupt the driver indicating the error. The driver will then reset the hardware in order to clear the error and restart. Both types of errors will be accounted for in statistics counters. Signed-off-by: Bruce Allan Tested-by: Jeff Pieper Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ff888473a24be9e8761e6baabbc73386b5f747b9 Author: Bing Zhao Date: Tue Jan 29 14:38:02 2013 -0800 mwifiex: fix incomplete scan in case of IE parsing error commit 8a7d7cbf7b5ff9912ef50b3e94c9ad9f37b1c75f upstream. A scan request is split into multiple scan commands queued in scan_pending_q. Each scan command will be sent to firmware and its response is handlded one after another. If any error is detected while parsing IE in command response buffer the remaining data will be ignored and error is returned. We should check if there is any more scan commands pending in the queue before returning error. This ensures that we will call cfg80211_scan_done if this is the last scan command, or send next scan command in scan_pending_q to firmware. Signed-off-by: Bing Zhao Signed-off-by: Amitkumar Karwar Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 10755f7e244ef8ed49d278db4aafd50d9f15fd4c Author: Alexander Stein Date: Thu Dec 13 10:06:10 2012 +0100 can: c_can: Set reserved bit in IFx_MASK2 to 1 on write commit 2bd3bc4e8472424f1a6009825397639a8968920a upstream. According to C_CAN documentation, the reserved bit in IFx_MASK2 register is fixed 1. Signed-off-by: Alexander Stein Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 55cfe9ec97cadf1a54486b1e3f516304f1473e20 Author: Emmanuel Grumbach Date: Mon Jan 21 13:12:57 2013 +0200 Revert "iwlwifi: fix the reclaimed packet tracking upon flush queue" commit ae023b2795d36f0f077e157428eb7eafa29ee412 upstream. This reverts commit f590dcec944552f9a4a61155810f3abd17d6465d which has been reported to cause issues. See https://lkml.org/lkml/2013/1/20/4 for further details. Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 524c0f23f7feff47470de9dff0f49ad018897782 Author: Johan Hedberg Date: Tue Jan 29 10:44:23 2013 -0600 Bluetooth: Fix handling of unexpected SMP PDUs commit 8cf9fa1240229cbdd888236c0c43fcbad680cf00 upstream. The conn->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected moments. To avoid NULL pointer dereferences the code should be checking for this and disconnect if an unexpected SMP PDU arrives. This patch fixes the issue by adding a check for conn->smp_chan for all other PDUs except pairing request and security request (which are are the first PDUs to come to initialize the SMP context). Signed-off-by: Johan Hedberg Acked-by: Marcel Holtmann Signed-off-by: Gustavo Padovan Signed-off-by: Greg Kroah-Hartman commit cbadbcec8966fe7efa16786a5080013398a5d332 Author: Sjur Brændeland Date: Tue Jan 22 09:50:26 2013 +1030 virtio_console: Don't access uninitialized data. commit aded024a12b32fc1ed9a80639681daae2d07ec25 upstream. Don't access uninitialized work-queue when removing device. The work queue is initialized only if the device multi-queue. So don't call cancel_work unless this is a multi-queue device. This fixes the following panic: Kernel panic - not syncing: BUG! Call Trace: 62031b28: [<6026085d>] panic+0x16b/0x2d3 62031b30: [<6004ef5e>] flush_work+0x0/0x1d7 62031b60: [<602606f2>] panic+0x0/0x2d3 62031b68: [<600333b0>] memcpy+0x0/0x140 62031b80: [<6002d58a>] unblock_signals+0x0/0x84 62031ba0: [<602609c5>] printk+0x0/0xa0 62031bd8: [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148 62031c10: [<6004ef5e>] flush_work+0x0/0x1d7 62031c18: [<60050234>] try_to_grab_pending+0x0/0x17e 62031c38: [<6004e984>] get_work_gcwq+0x71/0x8f 62031c48: [<60050539>] __cancel_work_timer+0x5b/0x115 62031c78: [<628acc85>] unplug_port+0x0/0x191 [virtio_console] 62031c98: [<6005061c>] cancel_work_sync+0x12/0x14 62031ca8: [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console] 62031ce8: [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio] 62031d08: [<601cf242>] __device_release_driver+0x75/0xe4 62031d28: [<601cf2dd>] device_release_driver+0x2c/0x40 62031d48: [<601ce0dd>] driver_unbind+0x7d/0xc6 62031d88: [<601cd5d9>] drv_attr_store+0x27/0x29 62031d98: [<60115f61>] sysfs_write_file+0x100/0x14d 62031df8: [<600b737d>] vfs_write+0xcb/0x184 62031e08: [<600b58b8>] filp_close+0x88/0x94 62031e38: [<600b7686>] sys_write+0x59/0x88 62031e88: [<6001ced1>] handle_syscall+0x5d/0x80 62031ea8: [<60030a74>] userspace+0x405/0x531 62031f08: [<600d32cc>] sys_dup+0x0/0x5e 62031f28: [<601b11d6>] strcpy+0x0/0x18 62031f38: [<600be46c>] do_execve+0x10/0x12 62031f48: [<600184c7>] run_init_process+0x43/0x45 62031fd8: [<60019a91>] new_thread_handler+0xba/0xbc Signed-off-by: Sjur Brændeland Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit 2803d6bda44c70f3bf48a22eb66277c8ffefa0a9 Author: Mike Marciniszyn Date: Thu Jan 24 18:59:34 2013 +0000 IB/qib: Fix for broken sparse warning fix commit d359f35430c4ea4dd4e24d809aeaeff1fa54c314 upstream. Commit 1fb9fed6d489 ("IB/qib: Fix QP RCU sparse warning") broke QP hash list deletion in qp_remove() badly. This patch restores the former for loop behavior, while still fixing the sparse warnings. Reviewed-by: Gary Leshner Signed-off-by: Mike Marciniszyn Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 9ba54b84e8d588c6403275ed3835820e04ff4cf5 Author: Alim Akhtar Date: Wed Jan 30 08:02:27 2013 -0500 regulator: s2mps11: fix incorrect register for buck10 commit c76edd52bf19c9d01da7edc4ff04d3707c299779 upstream. For BUCK10 the control registers are wrongly set as buck9 control register This patch corrects the control registers for buck10 Signed-off-by: Alim Akhtar Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 7e027c2b4a655e7864f3d8e99e7bff6c5c518c0a Author: Stephen Warren Date: Tue Jan 29 12:01:13 2013 -0700 regulator: clear state each invocation of of_regulator_match commit a2f95c363701deba2205f81929b40222ea6f4f80 upstream. of_regulator_match() saves some dynamcially allocated state into the match table that's passed to it. By implementation and not contract, for each match table entry, if non-NULL state is already present, of_regulator_match() will not overwrite it. of_regulator_match() is typically called each time a regulator is probe()d. This means it is called with the same match table over and over again if a regulator triggers deferred probe. This results in stale, kfree()d data being left in the match table from probe to probe, which causes a variety of crashes or use of invalid data. Explicitly free all output state from of_regulator_match() before generating new results in order to avoid this. Signed-off-by: Stephen Warren Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 42e14e4033ccc1f2093c4cd2f85272923dbdb893 Author: Marek Szyprowski Date: Fri Jan 25 09:25:40 2013 +0100 regulator: max8998: fix incorrect min_uV value for ldo10 commit 36a6f8c035760dcbd0c3acb4c2fd56268588a9cb upstream. Correct value for minimal voltage for ldo10 output is 950000 uV. This patch fixes the typo introduced by patch adf6178ad5552a7f2f742a8c85343c50 ("regulator: max8998: Use uV in voltage_map_desc"), what solves broken probe of max8998 in v3.8-rc4. Signed-off-by: Marek Szyprowski Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1174e03b914aa8120e1dfedb3dfa5121757d4d90 Author: Larry Finger Date: Sat Feb 2 15:55:00 2013 -0600 rtlwifi: Fix scheduling while atomic bug commit a5ffbe0a1993a27072742ef7db6cf9839956fce9 upstream. Kernel commits 41affd5 and 6539306 changed the locking in rtl_lps_leave() from a spinlock to a mutex by doing the calls indirectly from a work queue to reduce the time that interrupts were disabled. This change was fine for most systems; however a scheduling while atomic bug was reported in https://bugzilla.redhat.com/show_bug.cgi?id=903881. The backtrace indicates that routine rtl_is_special(), which calls rtl_lps_leave() in three places was entered in atomic context. These direct calls are replaced by putting a request on the appropriate work queue. Signed-off-by: Larry Finger Reported-and-tested-by: Nathaniel Doherty Cc: Nathaniel Doherty Cc: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5b1c796c15bb53d927b0c40fa2231b89d942ebb9 Author: Larry Finger Date: Sun Jan 27 16:24:25 2013 -0600 rtlwifi: Fix the usage of the wrong variable in usb.c commit 0a06ad8e3a1cb5311b7dbafde45410aa1bce9d40 upstream. In routine _rtl_rx_pre_process(), skb_dequeue() is called to get an skb; however, the wrong variable name is used in subsequent calls. Reported-by: Guenter Roeck Signed-off-by: Larry Finger Cc: Guenter Roeck Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman