Commit Graph

441917 Commits

Author SHA1 Message Date
David Miller
30321c7b65 slab: Fix off by one in object max number tests.
If freelist_idx_t is a byte, SLAB_OBJ_MAX_NUM should be 255 not 256, and
likewise if freelist_idx_t is a short, then it should be 65535 not
65536.

This was leading to all kinds of random crashes on sparc64 where
PAGE_SIZE is 8192.  One problem shown was that if spinlock debugging was
enabled, we'd get deadlocks in copy_pte_range() or do_wp_page() with the
same cpu already holding a lock it shouldn't hold, or the lock belonging
to a completely unrelated process.

Fixes: a41adfaa23 ("slab: introduce byte sized index for the freelist of a slab")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-05-05 20:38:49 -07:00
Joonsoo Kim
7cc68973c3 slab: fix the type of the index on freelist index accessor
Commit a41adfaa23 ("slab: introduce byte sized index for the freelist
of a slab") changes the size of freelist index and also changes
prototype of accessor function to freelist index.  And there was a
mistake.

The mistake is that although it changes the size of freelist index
correctly, it changes the size of the index of freelist index
incorrectly.  With patch, freelist index can be 1 byte or 2 bytes, that
means that num of object on on a slab can be more than 255.  So we need
more than 1 byte for the index to find the index of free object on
freelist.  But, above patch makes this index type 1 byte, so slab which
have more than 255 objects cannot work properly and in consequence of
it, the system cannot boot.

This issue was reported by Steven King on m68knommu which would use
2 bytes freelist index:

  https://lkml.org/lkml/2014/4/16/433

To fix is easy.  To change the type of the index of freelist index on
accessor functions is enough to fix this bug.  Although 2 bytes is
enough, I use 4 bytes since it have no bad effect and make things more
easier.  This fix was suggested and tested by Steven in his original
report.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Reported-and-acked-by: Steven King <sfking@fdwdc.com>
Acked-by: Christoph Lameter <cl@linux.com>
Tested-by: James Hogan <james.hogan@imgtec.com>
Tested-by: David Miller <davem@davemloft.net>
Cc: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-05-05 20:38:49 -07:00
Linus Torvalds
2080cee435 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) e1000e computes header length incorrectly wrt vlans, fix from Vlad
    Yasevich.

 2) ns_capable() check in sock_diag netlink code, from Andrew
    Lutomirski.

 3) Fix invalid queue pairs handling in virtio_net, from Amos Kong.

 4) Checksum offloading busted in sxgbe driver due to incorrect
    descriptor layout, fix from Byungho An.

 5) Fix build failure with SMC_DEBUG set to 2 or larger, from Zi Shen
    Lim.

 6) Fix uninitialized A and X registers in BPF interpreter, from Alexei
    Starovoitov.

 7) Fix arch dependencies of candence driver.

 8) Fix netlink capabilities checking tree-wide, from Eric W Biederman.

 9) Don't dump IFLA_VF_PORTS if netlink request didn't ask for it in
    IFLA_EXT_MASK, from David Gibson.

10) IPV6 FIB dump restart doesn't handle table changes that happen
    meanwhile, causing the code to loop forever or emit dups, fix from
    Kumar Sandararajan.

11) Memory leak on VF removal in bnx2x, from Yuval Mintz.

12) Bug fixes for new Altera TSE driver from Vince Bridgers.

13) Fix route lookup key in SCTP, from Xugeng Zhang.

14) Use BH blocking spinlocks in SLIP, as per a similar fix to CAN/SLCAN
    driver.  From Oliver Hartkopp.

15) TCP doesn't bump retransmit counters in some code paths, fix from
    Eric Dumazet.

16) Clamp delayed_ack in tcp_cubic to prevent theoretical divides by
    zero.  Fix from Liu Yu.

17) Fix locking imbalance in error paths of HHF packet scheduler, from
    John Fastabend.

18) Properly reference the transport module when vsock_core_init() runs,
    from Andy King.

19) Fix buffer overflow in cdc_ncm driver, from Bjørn Mork.

20) IP_ECN_decapsulate() doesn't see a correct SKB network header in
    ip_tunnel_rcv(), fix from Ying Cai.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (132 commits)
  net: macb: Fix race between HW and driver
  net: macb: Remove 'unlikely' optimization
  net: macb: Re-enable RX interrupt only when RX is done
  net: macb: Clear interrupt flags
  net: macb: Pass same size to DMA_UNMAP as used for DMA_MAP
  ip_tunnel: Set network header properly for IP_ECN_decapsulate()
  e1000e: Restrict MDIO Slow Mode workaround to relevant parts
  e1000e: Fix issue with link flap on 82579
  e1000e: Expand workaround for 10Mb HD throughput bug
  e1000e: Workaround for dropped packets in Gig/100 speeds on 82579
  net/mlx4_core: Don't issue PCIe speed/width checks for VFs
  net/mlx4_core: Load the Eth driver first
  net/mlx4_core: Fix slave id computation for single port VF
  net/mlx4_core: Adjust port number in qp_attach wrapper when detaching
  net: cdc_ncm: fix buffer overflow
  Altera TSE: ALTERA_TSE should depend on HAS_DMA
  vsock: Make transport the proto owner
  net: sched: lock imbalance in hhf qdisc
  net: mvmdio: Check for a valid interrupt instead of an error
  net phy: Check for aneg completion before setting state to PHY_RUNNING
  ...
2014-05-05 15:59:46 -07:00
Linus Torvalds
783e9e8ede USB fixes for 3.15-rc4
Here are some small fixes and device ids for 3.15-rc4.
 
 All have been in linux-next just fine.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlNoAMYACgkQMUfUDdst+ymm5QCgzEdgN+YTpuivw63Z/r4ZHGJW
 u/QAoLxnz5vjXk9bZDGfnUMEWHrw98Lu
 =epx3
 -----END PGP SIGNATURE-----

Merge tag 'usb-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are some small fixes and device ids for 3.15-rc4.

  All have been in linux-next just fine"

* tag 'usb-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: Nokia 5300 should be treated as unusual dev
  USB: Nokia 305 should be treated as unusual dev
  fsl-usb: do not test for PHY_CLK_VALID bit on controller version 1.6
  usb: storage: shuttle_usbat: fix discs being detected twice
  usb: qcserial: add a number of Dell devices
  USB: OHCI: fix problem with global suspend on ATI controllers
  usb: gadget: at91-udc: fix irq and iomem resource retrieval
  usb: phy: fsm: change "|" to "||" for condition OTG_STATE_A_WAIT_BCON at statemachine
  usb: phy: fsm: update OTG HNP state transition
2014-05-05 15:51:17 -07:00
Linus Torvalds
df862f625d TTY/Serial fixes for 3.15-rc4
Here are some tty and serial driver fixes for things reported recently.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlNn/10ACgkQMUfUDdst+ynKXgCg1BE7sLm2Nmxkm+nfYceWmRG2
 pQAAnRnY2wBwtpVa4mVy1ZR3ykiKPvmY
 =42O2
 -----END PGP SIGNATURE-----

Merge tag 'tty-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty/serial fixes from Greg KH:
 "Here are some tty and serial driver fixes for things reported
  recently"

* tag 'tty-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  tty: Fix lockless tty buffer race
  Revert "tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc"
  drivers/tty/hvc: don't free hvc_console_setup after init
  n_tty: Fix n_tty_write crash when echoing in raw mode
  tty: serial: 8250_core.c Bug fix for Exar chips.
2014-05-05 15:50:16 -07:00
Linus Torvalds
a1e74464ff Staging / IIO fixes for 3.15-rc4
Here are some small IIO driver fixes for 3.15-rc4 that resolve some
 reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlNn+48ACgkQMUfUDdst+yn06wCgzKTAHNtiZDir6xddEr4DfkH+
 XNsAoLRJAr+w9hdRuA9JcxnQBK1srTvq
 =vuRJ
 -----END PGP SIGNATURE-----

Merge tag 'staging-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging / iio fixes from Greg KH:
 "Here are some small IIO driver fixes for 3.15-rc4 that resolve some
  reported issues"

* tag 'staging-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  iio: adc: Nothing in ADC should be a bool CONFIG
  iio: exynos_adc: use indio_dev->dev structure to handle child nodes
  iio:imu:mpu6050: Fixed segfault in Invensens MPU driver due to null dereference
  staging:iio:ad2s1200 fix missing parenthesis in a for statment.
2014-05-05 15:49:38 -07:00
Linus Torvalds
03787ff6f9 Xtensa patchset for v3.15.
Fixes allmodconfig, allnoconfig builds
 Adds highmem support
 Enables build-time exception table sorting.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJTZ7iuAAoJEI9vqH3mFV2snKYP/AqEdj9JtWxg0MfB+mllOBmu
 nyhBW/AuVnsymy+WkOomJkxrUFAK+XTMfiOs45tdiW1dN2uJXIJ388C9pKLKtf6K
 vWzetOE6PbVusHuOQp6G+/jpjMwFZWeVvfWZ/DuvayjrAf281UENAD/4Wlmzakgw
 Qu/Qx+iQHfseMj/WdQ6N4C+zH0fjqpI6LwKkrWQ4x51tB7H9fMq9qS49BJ7WlxNg
 s+BQ44Qc71a5YZVwuH2mk8UqWRgCLYao+Ptp2z+buRmyz04kXvNWeVAHw2oSdeTr
 ug4pPPlSAdcid5fWhFOgmkvCSs1pw+fdi7honUQHmpGZRiwUdXHctlzgf4OUZjnX
 bsGeQ/klAmni8Ufgu0Ue+WIg7hvJUoE+AY7qp+Q32d0ln09FA89fitlb9WTT9zdq
 Y+6q7C/QPSqEoGe8GaLrE2o7tWqOlQ4Gd8ukbhwLNK3nInluT4PJkuknD+0s0Gmx
 Dc6+YXrUxMu+w0QoQ1aHrMVoAg4V3EtG7pFav3vW8jwhRaLO0hwEBlDPcQsAdoTt
 250FYwL3TQoKRr3+j3OfjJBuQ61PfkEPjPfqJL5htkVQ2nZKsmyGnyWUs15ZbAiT
 bxT5CLrEH7rgvM1mL86TJqEu0IEYkaEnkCMHS7EYWRL7bRRHRRkNO8HmEJIwtWa0
 0Io96EHboIFq3J+kWTnn
 =mD84
 -----END PGP SIGNATURE-----

Merge tag 'xtensa-next-20140503' of git://github.com/czankel/xtensa-linux

Pull Xtensa fixes from Chris Zankel:
 - Fixes allmodconfig, allnoconfig builds
 - Adds highmem support
 - Enables build-time exception table sorting.

* tag 'xtensa-next-20140503' of git://github.com/czankel/xtensa-linux:
  xtensa: ISS: don't depend on CONFIG_TTY
  xtensa: xt2000: drop redundant sysmem initialization
  xtensa: add support for KC705
  xtensa: xtfpga: introduce SoC I/O bus
  xtensa: add HIGHMEM support
  xtensa: optimize local_flush_tlb_kernel_range
  xtensa: dump sysmem from the bootmem_init
  xtensa: handle memmap kernel option
  xtensa: keep sysmem banks ordered in mem_reserve
  xtensa: keep sysmem banks ordered in add_sysmem_bank
  xtensa: split bootparam and kernel meminfo
  xtensa: enable sorting extable at build time
  xtensa: export __{invalidate,flush}_dcache_range
  xtensa: Export __invalidate_icache_range
2014-05-05 15:36:59 -07:00
Linus Torvalds
5575eeb7b9 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
Pull Ceph fixes from Sage Weil:
 "First, there is a critical fix for the new primary-affinity function
  that went into -rc1.

  The second batch of patches from Zheng fix a range of problems with
  directory fragmentation, readdir, and a few odds and ends for cephfs"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  ceph: reserve caps for file layout/lock MDS requests
  ceph: avoid releasing caps that are being used
  ceph: clear directory's completeness when creating file
  libceph: fix non-default values check in apply_primary_affinity()
  ceph: use fpos_cmp() to compare dentry positions
  ceph: check directory's completeness before emitting directory entry
2014-05-05 15:17:02 -07:00
Soren Brinkmann
c8ea5a22bd net: macb: Fix race between HW and driver
Under "heavy" RX load, the driver cannot handle the descriptors fast
enough. In detail, when a descriptor is consumed, its used flag is
cleared and once the RX budget is consumed all descriptors with a
cleared used flag are prepared to receive more data. Under load though,
the HW may constantly receive more data and use those descriptors with a
cleared used flag before they are actually prepared for next usage.

The head and tail pointers into the RX-ring should always be valid and
we can omit clearing and checking of the used flag.

Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 17:11:18 -04:00
Soren Brinkmann
504ad98df3 net: macb: Remove 'unlikely' optimization
Coverage data suggests that the unlikely case of receiving data while
the receive handler is running may not be that unlikely.
Coverage data after running iperf for a while:
    91320:  891:	work_done = bp->macbgem_ops.mog_rx(bp, budget);
    91320:  892:	if (work_done < budget) {
     2362:  893:		napi_complete(napi);
        -:  894:
        -:  895:		/* Packets received while interrupts were disabled */
     4724:  896:		status = macb_readl(bp, RSR);
     2362:  897:		if (unlikely(status)) {
      762:  898:			if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE)
      762:  899:				macb_writel(bp, ISR, MACB_BIT(RCOMP));
        -:  900:			napi_reschedule(napi);
        -:  901:		} else {
     1600:  902:			macb_writel(bp, IER, MACB_RX_INT_FLAGS);
        -:  903:		}
        -:  904:	}

Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 17:11:18 -04:00
Soren Brinkmann
02f7a34f34 net: macb: Re-enable RX interrupt only when RX is done
When data is received during the driver processing received data the
NAPI is re-scheduled. In that case the RX interrupt should not be
re-enabled.

Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 17:11:18 -04:00
Soren Brinkmann
6a027b705f net: macb: Clear interrupt flags
A few interrupt flags were not cleared in the ISR, resulting in a sytem
trapped in the ISR in cases one of those interrupts occurred. Clear all
flags to avoid such situations.

Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 17:11:18 -04:00
Soren Brinkmann
ccd6d0a910 net: macb: Pass same size to DMA_UNMAP as used for DMA_MAP
Just as commit "net: macb: DMA-unmap full rx-buffer"
(48330e08fa), pass the size that
was used for mapping the memory also to the unmap routine to
avoid warnings from the DMA_API.

Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 17:11:18 -04:00
Ying Cai
e96f2e7c43 ip_tunnel: Set network header properly for IP_ECN_decapsulate()
In ip_tunnel_rcv(), set skb->network_header to inner IP header
before IP_ECN_decapsulate().

Without the fix, IP_ECN_decapsulate() takes outer IP header as
inner IP header, possibly causing error messages or packet drops.

Note that this skb_reset_network_header() call was in this spot when
the original feature for checking consistency of ECN bits through
tunnels was added in eccc1bb8d4 ("tunnel: drop packet if ECN present
with not-ECT"). It was only removed from this spot in 3d7b46cd20
("ip_tunnel: push generic protocol handling to ip_tunnel module.").

Fixes: 3d7b46cd20 ("ip_tunnel: push generic protocol handling to ip_tunnel module.")
Reported-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Ying Cai <ycai@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 16:32:17 -04:00
David S. Miller
780ce3a225 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net
Jeff Kirsher says:

====================
Intel Wired LAN Driver Updates

This series contains updates to e1000e only.

David provides four fixes for e1000e, first is a workaround for a hardware
erratum on 82579 devices which experienced packet loss in gigabit and 100
speeds when interconnect between the PHY and MAC is exiting K1 power saving
state.  Second expands the scope of a workaround to include i217 and i218
parts as well to address over aggressive transmit behavior when connecting
at 10Mbs half-duplex.  Next is to resolve a reported link flap issue on
82579 parts which was root caused as an interoperability problem between
82579 and at least some Broadcom PHYs in the Energy Efficient Ethernet wake
mechanism.  Lastly, restricts the workaround of putting the PHY into MDIO
slow mode to access the PHY id to relevant parts since this issue has been
fixed on the newer hardware.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 16:30:03 -04:00
David Ertman
2c9826243b e1000e: Restrict MDIO Slow Mode workaround to relevant parts
It has been determined that the workaround of putting the PHY into MDIO
slow mode to access the PHY id is not necessary with Lynx Point and newer
parts.  The issue that necessitated the workaround has been fixed on the
newer hardware.

We will maintains, as a last ditch attempt, the conversion to MDIO Slow
Mode in the failure branch when attempting to access the PHY id so as to
cover all contingencies.

Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2014-05-05 13:03:27 -07:00
David Ertman
7142a55c3c e1000e: Fix issue with link flap on 82579
Several customers have reported a link flap issue on 82579. The symptoms
are random and intermittent link losses when 82579 is connected to specific
link partners. Issue has been root caused as interoperability problem
between 82579 and at least some Broadcom PHYs in the Energy Efficient
Ethernet wake mechanism.

To fix the issue, we are disabling the Phase Locked Loop shutdown in 100M
Low Power Idle.  This solution will cause an increase of power in 100M EEE
link. It will cost additional 28mW in this specific mode.

Cc: Lukasz Adamczuk <lukasz.adamczuk@intel.com>
Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2014-05-05 13:02:57 -07:00
David Ertman
fbb9ab10a2 e1000e: Expand workaround for 10Mb HD throughput bug
In commit 772d05c51c "e1000e: slow performance
between two 82579 connected via 10Mbit hub", a workaround was put into place
to address the overaggressive transmit behavior of 82579 parts when connecting
at 10Mbs half-duplex.

This same behavior is seen on i217 and i218 parts as well.  This patch expands
the original workaround to encompass these parts.

Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2014-05-05 12:54:39 -07:00
David Ertman
77e61146c6 e1000e: Workaround for dropped packets in Gig/100 speeds on 82579
This is a workaround for a HW erratum on 82579 devices.
Erratum is #23 in Intel 6 Series Chipset and Intel C200 Series Chipset
specification Update June 2013.

Problem: 82579 parts experience packet loss in Gig and 100 speeds
when interconnect between PHY and MAC is exiting K1 power saving state.
This was previously believed to only affect 1Gig speed, but has been observed
at 100Mbs also.

Workaround: Disable K1 for 82579 devices at Gig and 100 speeds.

Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2014-05-05 12:54:33 -07:00
David S. Miller
eaff82929c Merge branch 'mlx4'
Or Gerlitz says:

====================
This series contains fixes for 3.15-rc, mostly around SRIOV. The patches by Jack,
Matan and myself fix few issues related to mlx4 SRIOV support for RoCE and single
port VFs, and the patch from Eyal eliminates checking PCI caps for VFs which is misleading.

Patches done against the net tree, commit 014f1b2 "net: bonding: Fix format string
mismatch in bond_sysfs.c"

We'd be happy to get Eyal's patch queued in your -stable list for 3.14.y
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 15:49:29 -04:00
Eyal Perry
83d3459a59 net/mlx4_core: Don't issue PCIe speed/width checks for VFs
Carrying out PCI speed/width checks through pcie_get_minimum_link()
on VFs yield wrong results, so remove them.

Fixes: b912b2f ('net/mlx4_core: Warn if device doesn't have enough PCI bandwidth')
Signed-off-by: Eyal Perry <eyalpe@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 15:48:22 -04:00
Or Gerlitz
f24f790f8e net/mlx4_core: Load the Eth driver first
When running in SRIOV mode, VM that is assigned with a non-provisioned
Ethernet VFs get themselves a random mac when the Eth driver starts. In
this case, if the IB driver startup code that deals with RoCE runs first,
it will use a zero mac as the source mac for the Para-Virtual CM MADs
which is buggy. To handle that, we change the order of loading.

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 15:48:22 -04:00
Matan Barak
0254bc8205 net/mlx4_core: Fix slave id computation for single port VF
The code that deals with computing the slave id based on a given GID
gave wrong results when the number of single port VFs wasn't the
same for port 1 vs. port 2 and the relevant VF is single ported on
port 2. As a result, incoming CM MADs were dispatched to the wrong VF.
Fixed that and added documentation to clarify the computation steps.

Fixes: 449fc48 ('net/mlx4: Adapt code for N-Port VF')
Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 15:48:21 -04:00
Jack Morgenstein
531d9014d5 net/mlx4_core: Adjust port number in qp_attach wrapper when detaching
When using single ported VFs and the VF is using port 2, we need
to adjust the port accordingly (change it from 1 to 2).

Fixes: 449fc48 ('net/mlx4: Adapt code for N-Port VF')
Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Jack Morgenstein <jackm@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 15:48:21 -04:00
Bjørn Mork
9becd70784 net: cdc_ncm: fix buffer overflow
Commit 4d619f625a ("net: cdc_ncm: no point in filling up the NTBs
if we send ZLPs") changed the padding logic for devices with the ZLP
flag set.  This meant that frames of any size will be sent without
additional padding, except for the single byte added if the size is
a multiple of the USB packet size. But if the unpadded size is
identical to the maximum frame size, and the maximum size is a
multiplum of the USB packet size, then this one-byte padding will
overflow the buffer.

Prevent padding if already at maximum frame size, letting usbnet
transmit a ZLP instead in this case.

Fixes: 4d619f625a ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs")
Reported by: Yu-an Shih <yshih@nvidia.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 15:19:31 -04:00
Geert Uytterhoeven
9d4619c492 Altera TSE: ALTERA_TSE should depend on HAS_DMA
If NO_DMA=y:

drivers/built-in.o: In function `altera_tse_probe':
altera_tse_main.c:(.text+0x25ec2e): undefined reference to `dma_set_mask'
altera_tse_main.c:(.text+0x25ec78): undefined reference to `dma_supported'
altera_tse_main.c:(.text+0x25ecb6): undefined reference to `dma_supported'
drivers/built-in.o: In function `sgdma_async_read':
altera_sgdma.c:(.text+0x25f620): undefined reference to `dma_sync_single_for_cpu'
drivers/built-in.o: In function `sgdma_uninitialize':
(.text+0x25f678): undefined reference to `dma_unmap_single'
drivers/built-in.o: In function `sgdma_uninitialize':
(.text+0x25f696): undefined reference to `dma_unmap_single'
drivers/built-in.o: In function `sgdma_initialize':
(.text+0x25f6f0): undefined reference to `dma_map_single'
drivers/built-in.o: In function `sgdma_initialize':
(.text+0x25f702): undefined reference to `dma_mapping_error'
drivers/built-in.o: In function `sgdma_tx_buffer':
(.text+0x25f92a): undefined reference to `dma_sync_single_for_cpu'
drivers/built-in.o: In function `sgdma_rx_status':
(.text+0x25fa24): undefined reference to `dma_sync_single_for_cpu'
make[3]: *** [vmlinux] Error 1

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Vince Bridgers <vbridgers2013@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 13:16:22 -04:00
Andy King
2c4a336e0a vsock: Make transport the proto owner
Right now the core vsock module is the owner of the proto family. This
means there's nothing preventing the transport module from unloading if
there are open sockets, which results in a panic. Fix that by allowing
the transport to be the owner, which will refcount it properly.

Includes version bump to 1.0.1.0-k

Passes checkpatch this time, I swear...

Acked-by: Dmitry Torokhov <dtor@vmware.com>
Signed-off-by: Andy King <acking@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 13:13:50 -04:00
David S. Miller
b8dff4e60c Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:

====================
pull request: wireless 2014-05-01

Please pull the following batch of fixes intended for the 3.15 stream!

For the Bluetooth bits, Gustavo says:

"Some fixes for 3.15. There is a revert for the intel driver, a new
device id, and two important SSP fixes from Johan."

On top of that...

Ben Hutchings gives us a fix for an unbalanced irq enable in an
rtl8192cu error path.

Colin Ian King provides an rtlwifi fix for an uninitialized variable.

Felix Fietkau brings a pair of ath9k fixes, one that corrects a
hardware initialization value and another that removes an (unnecessary)
flag that was being used in a way that led to a software tx queue
hang in ath9k.

Gertjan van Wingerde pushes a MAINTAINERS change to remove himself
from the rt2x00 maintainer team.

Hans de Goede fixes a brcmfmac firmware load hang.

Larry Finger changes rtlwifi to use the correct queue for V0 traffic
on rtl8192se.

Rajkumar Manoharan corrects a race in ath9k driver initialization.

Stanislaw Gruszka fixes an rt2x00 bug in which disabling beaconing
once on USB devices led to permanently disabling beaconing for those
devices.

Tim Harvey provides fixes for a pair of ath9k issues that can lead
to soft lockups in that driver.

Please let me know if there are problems!
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-05 13:06:01 -04:00
Max Filippov
55b441be5c xtensa: ISS: don't depend on CONFIG_TTY
Build console support only when CONFIG_TTY is selected.
This restores ISS as the default platform for allnoconfig builds.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Chris Zankel <chris@zankel.net>
2014-05-05 09:04:10 -07:00
Christoph Hellwig
0624bcaaf0 fix quoting of Ted's name in MAINTAINERS
Unpaired quotes really confuse mutt when copy & pasting it into the To:
form.

Signed-off-by: Christoph Hellwig <hch@lst.de>
[ I'm going to remove all silly quotes entirely one day, but that day is
  not today.  So I'll just apply this  - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-05-05 08:03:33 -07:00
Linus Torvalds
cae1d2cab4 This pull request includes the following fixes:
* 2 real bug-fixes from Tanya for the still "experimental" UBI fastmap feature
 * a one-liner from Kees which hardens kernel security
 * a small error-path fix, where we forget to free various resources in case of
   failure - spotted by the "smatch" tool
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJTZ0MSAAoJECmIfjd9wqK0D5kQAI5Njzu9k56jJO9oBxLxhWpj
 9JhDGbbGG3pztchYkC8+DwhfoYgmZ44xWtDT665xfto/Uqh9O5kzdhN4QB75tPmg
 5paPJQjoohKTLYufDJbr3q+NLcSdLHBD2pJOSUV0d0VeE05UYSoBxrUZ0jsFE1LX
 4VmJCFrKzpKIMLhjExyCTpy9yIcgZTm1t/QYxNRe5tDB7epKFPevYAg2mmc8RZQh
 bw2iXI6GA8tYYb9uF6pxldE2QKHPjLKzafjwF8EceGATDBXc8r4QacD6xdEvxwXF
 DyEylLz22Fr0BXaTuK606ffOGGQLdojLMsSkkRALrLzpS11+GCaMqP85ts4Q9yGp
 KEj9pk67AkMGSOXx3h0fTQZU7sAded6rmSfbwH1hGUmnGy3R9DZCxFnmXFi3ktAq
 z5E1i6Nz0ibdmPxzxd+gPYBX85VzZ53iXmsRj63KQFMJBcZYd5UXoifyJ1QfCy/6
 9+f22UF1+6tLti//KYNeVG+9GBP0UA27BaiVw90irNPIWph3OKk+SnwQuBdH36nn
 ekbJNzGeStK2sk3NJJLL0Xs+QN4oliBRMk/BhgPyKXD51FkohLTtN2ihZ6EjXYD0
 Q/VOmhw29ZpDaF/XoVQAMRsesKYihztdtO2bZjTHKkeg/mI+Y8CRx8v8miSxMO23
 77wQyy7w+FM4FXYA7NfH
 =L0f1
 -----END PGP SIGNATURE-----

Merge tag 'upstream-3.15-rc5' of git://git.infradead.org/linux-ubifs

Pull ubifs fixes from Artem Bityutskiy:
 "This includes the following fixes:

   - two real bug-fixes from Tanya for the still "experimental" UBI
     fastmap feature
   - a one-liner from Kees which hardens kernel security
   - a small error-path fix, where we forget to free various resources
     in case of failure - spotted by the 'smatch' tool"

* tag 'upstream-3.15-rc5' of git://git.infradead.org/linux-ubifs:
  UBI: avoid workqueue format string leak
  UBI: fix ubi free PEBs count calculation
  UBI: fix error path in __wl_get_peb
  UBIFS: fix remount error path
2014-05-05 07:48:50 -07:00
Matthew Daley
2145e15e05 floppy: don't write kernel-only members to FDRAWCMD ioctl output
Do not leak kernel-only floppy_raw_cmd structure members to userspace.
This includes the linked-list pointer and the pointer to the allocated
DMA space.

Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-05-05 07:46:56 -07:00
Matthew Daley
ef87dbe761 floppy: ignore kernel-only members in FDRAWCMD ioctl input
Always clear out these floppy_raw_cmd struct members after copying the
entire structure from userspace so that the in-kernel version is always
valid and never left in an interdeterminate state.

Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-05-05 07:46:55 -07:00
Kees Cook
bebfef150e UBI: avoid workqueue format string leak
When building the name for the workqueue thread, make sure a format
string cannot leak in from the disk name.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
2014-05-05 09:31:33 +03:00
Tanya Brokhman
3d21bb7667 UBI: fix ubi free PEBs count calculation
The ubi->free_count should be updated with every insert/remove to/from
the ubi->free list.

Signed-off-by: Tanya Brokhman <tlinder@codeaurora.org>
Reviewed-by: Dolev Raviv <draviv@codeaurora.org>
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
2014-05-05 09:31:33 +03:00
Tanya Brokhman
87ed89d21e UBI: fix error path in __wl_get_peb
In case of an error (if there are not free PEB's for example),
__wl_get_peb will return a negative value. In order to prevent access
violation we need to test the returned value prior to using it later on.

Signed-off-by: Tatyana Brokhman <tlinder@codeaurora.org>
Reviewed-by: Dolev Raviv <draviv@codeaurora.org>
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
2014-05-05 09:31:33 +03:00
Artem Bityutskiy
fcdd57c890 UBIFS: fix remount error path
Dan's "smatch" checker found out that there was a bug in the error path of the
'ubifs_remount_rw()' function. Instead of jumping to the "out" label which
cleans-things up, we just returned.

This patch fixes the problem.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
2014-05-05 09:31:33 +03:00
Linus Torvalds
89ca3b8819 Linux 3.15-rc4 2014-05-04 18:14:42 -07:00
John Fastabend
f6a082fed1 net: sched: lock imbalance in hhf qdisc
hhf_change() takes the sch_tree_lock and releases it but misses the
error cases. Fix the missed case here.

To reproduce try a command like this,

# tc qdisc change dev p3p2 root hhf quantum 40960 non_hh_weight 300000

Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-04 19:41:45 -04:00
Linus Torvalds
164c09978c File locking related changes for v3.15 (pile #3)
- only an email address change to the MAINTAINERS file
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJTZjv8AAoJEAAOaEEZVoIVo2gQAJr3WA+VGZXFXhhdmSqcGyqo
 rtJWUWiVfiJyW52YiXTbySDtTFj9YFCi2Z4GFVJY7m74+rNyWBhdPXd1x30HUXuX
 imUTGeJ739fSEj1DOL49E/R9KDuTi4lmgoEBwvwLdjnP3gjpPOXRjezjY8D+fhhh
 WxKlSIQab5qwrcjBr7FqV/dA6MvRmwvTHYYfSXx1H3HALyi1rJcqVo9W3FeRhWvY
 qivT4+2a6A78ZBnxSZ4kA187w9ThBDaMpF76Scmh51YK+iDUOZQWcqVBvOiK3mBJ
 A7qNfB+1BN8/YWlMCi2eHwbwNxPHUiGrBL9DVHiHk6wKHkI8cM7m8GH7G8JNbQ4C
 oBgzUj9jkK2aA5WMcFJ+Y/QeRy2Ls/gujZHU7ziVHcS/j+T6uPRjCAzr8eoZp9Xj
 WMCew7UQaxTG//UtUOBYSblqR1cjtH6WGzhqlmceBdl+haanK27zUwwG0VgLLIIC
 6VIXnLMHFNfiG+l4S7Yrfam5kXY/BEbjZXP0Et66cpQ60B6PRsg/p6RvTiLlnW+F
 cenbmtm3xGg9OPZoz4TvIPfXJRD5jkXHkuWOV4pTyVnI76CitBhzeIXjgGlO9ei7
 4g17+dQkoFKpU61Jc/L2O6zn+C4bl7UWBgZLHabiyxEIqQAAspuJpBx/CBCMaCv6
 NNUDew91UH0NBn14eNmU
 =JLHy
 -----END PGP SIGNATURE-----

Merge tag 'locks-v3.15-3' of git://git.samba.org/jlayton/linux

Pull file locking change from Jeff Layton:
 "Only an email address change to the MAINTAINERS file"

* tag 'locks-v3.15-3' of git://git.samba.org/jlayton/linux:
  MAINTAINERS: email address change for Jeff Layton
2014-05-04 14:36:52 -07:00
Linus Torvalds
8a9f5ecd48 - vexpress platform clocks initialisation moved earlier following the
arm64 move of of_clk_init() call in a previous commit
 - Default DMA ops changed to non-coherent to preserve compatibility with
   32-bit ARM DT files. The "dma-coherent" property can be used to
   explicitly mark a device coherent. The Applied Micro DT file has been
   updated to avoid DMA cache maintenance for the X-Gene SATA controller
   (the only arm64 related driver with such assumption in -rc mainline)
 - Fixmap correction for earlyprintk
 - kern_addr_valid() fix for huge pages
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
 iQIcBAABAgAGBQJTZhiPAAoJEGvWsS0AyF7xGBUQAIthlCZGjq3yFh+P3YbZBbfh
 8HEg3xQIEunaUTMLxrZ9c32rHdOwWMivmaStb7XfIzYc6XIGGnFwk0VFnxlBtOS/
 yOw6khNy3d5b+R2yVVXJdOwGDvUJ7ZlZ4G35RbpFXqmHVOiT2JP5Pv/8hp/Ct3UE
 eBoLjLYkvrnBgZyjBafTjc+ExjtViMdACNUCZ+fPfvWVF2pWesB72P9/+QT4DZ4Q
 g+QXmtTviysFJPzi2LqVukPL5HzxrOcJql9F0lPEdCVypRHDQtNZfMf7aftZVRue
 8z6IaqgwQuOkHko50RFcrPF1AbEnQWbbA//Mfm1YaJLtlaUwgEXS8jryP4MVGM/s
 wjJD42tY80ysTFFiWjlqYx6wumtSjkZzLQIo7K+MjvleGaciRMsM5u2OyQJ6o8sR
 GMLButOfZj1GOFPE56Xn6R27MzONS1eiCFR99dsnPPwNlqGuY7KEacAHGYRfEe75
 g0Qwzj1sM6d+RHQKidWFRvvMQg5bxAENt1rpFJJ1cCge/jL2QqgbPhVPzMCM4nrW
 xGQzSKO+5L1CLtH4gRd7Jdyg7tUrRBFzC8HXk/o6moO+lOebKzCpq4tNiW/MOwPG
 sGCzmr2TpN6ImEjOhjYUByqa+XGUsz1n7d53Itkz8+pxsXhYHvd8iC1hOpNwakVM
 h/0rfXwD782k1N3S++MH
 =kRLA
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Catalin Marinas:
 "These are mostly arm64 fixes with an additional arm(64) platform fix
  for the initialisation of vexpress clocks (the latter only affecting
  arm64; the arch/arm64 code is SoC agnostic and does not rely on early
  SoC-specific calls)

   - vexpress platform clocks initialisation moved earlier following the
     arm64 move of of_clk_init() call in a previous commit
   - Default DMA ops changed to non-coherent to preserve compatibility
     with 32-bit ARM DT files.  The "dma-coherent" property can be used
     to explicitly mark a device coherent.  The Applied Micro DT file
     has been updated to avoid DMA cache maintenance for the X-Gene SATA
     controller (the only arm64 related driver with such assumption in
     -rc mainline)
   - Fixmap correction for earlyprintk
   - kern_addr_valid() fix for huge pages"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  vexpress: Initialise the sysregs before setting up the clocks
  arm64: Mark the Applied Micro X-Gene SATA controller as DMA coherent
  arm64: Use bus notifiers to set per-device coherent DMA ops
  arm64: Make default dma_ops to be noncoherent
  arm64: fixmap: fix missing sub-page offset for earlyprintk
  arm64: Fix for the arm64 kern_addr_valid() function
2014-05-04 14:34:50 -07:00
Linus Torvalds
e3fb7d4cc0 SCSI fixes on 20140503
This is two patches both fixing bugs in drivers (virtio-scsi and mpt2sas)
 causing an oops in certain circumstances.
 
 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJTZdBVAAoJEDeqqVYsXL0MIYMIAI/rDIV/MeF0OZd3nzTaEAIG
 i8HPPgBTmSKmK3q04Pjjtc1CHW3unH6cr1tG1L4r1tyoxwcnZ0+x87fi3KcLIpBb
 G6o/31QpniNQ/3LNdwCHtyl760XVZhWz6XpJ/NCmWuYeKx1RmT3W+ggnXD+fznNs
 3h347rIrr4efkgRJIzzfi6pYa55VmvI6M7J/RpXmMg/IcfF+GBJfyEp0AsmIoYno
 YVwFBB8h9cVsgvhROn8i1pYq1YOf9jo298LLMULMIvu9iZWHp57GOzA4HzyEa9kp
 T1I6AzwJGbmirJsm0yD1hKgJns3Za+ZA3FeP5qQ7BX38YI7EKkkd+qtCMzT1YfY=
 =whLk
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is two patches both fixing bugs in drivers (virtio-scsi and
  mpt2sas) causing an oops in certain circumstances"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  [SCSI] virtio-scsi: Skip setting affinity on uninitialized vq
  [SCSI] mpt2sas: Don't disable device twice at suspend.
2014-05-04 14:31:51 -07:00
Catalin Marinas
e715eb2e73 vexpress: Initialise the sysregs before setting up the clocks
Following arm64 commit bc3ee18a7a (arm64: init: Move of_clk_init to
time_init()), vexpress_osc_of_setup() is called via of_clk_init() long
before initcalls are issued. Initialising the vexpress oscillators
requires the vespress sysregs to be already initialised, so this patch
adds an explicit call to vexpress_sysreg_of_early_init() in vexpress
oscillator setup function.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Will Deacon <will.deacon@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Tested-by: Pawel Moll <pawel.moll@arm.com>
Acked-by: Pawel Moll <pawel.moll@arm.com>
Cc: Mike Turquette <mturquette@linaro.org>
2014-05-04 11:35:29 +01:00
Daniele Forsi
6ed07d45d0 USB: Nokia 5300 should be treated as unusual dev
Signed-off-by: Daniele Forsi <dforsi@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-03 19:41:07 -04:00
Victor A. Santos
f0ef5d4179 USB: Nokia 305 should be treated as unusual dev
Signed-off-by: Victor A. Santos <victoraur.santos@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-03 19:41:07 -04:00
Peter Hurley
62a0d8d7c2 tty: Fix lockless tty buffer race
Commit 6a20dbd6ca,
"tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc"
correctly identifies an unsafe race condition between
__tty_buffer_request_room() and flush_to_ldisc(), where the consumer
flush_to_ldisc() prematurely advances the head before consuming the
last of the data committed. For example:

           CPU 0                     |            CPU 1
__tty_buffer_request_room            | flush_to_ldisc
  ...                                |   ...
                                     |   count = head->commit - head->read
  n = tty_buffer_alloc()             |
  b->commit = b->used                |
  b->next = n                        |
                                     |   if (!count)                /* T */
                                     |     if (head->next == NULL)  /* F */
                                     |     buf->head = head->next

In this case, buf->head has been advanced but head->commit may have
been updated with a new value.

Instead of reintroducing an unnecessary lock, fix the race locklessly.
Read the commit-next pair in the reverse order of writing, which guarantees
the commit value read is the latest value written if the head is
advancing.

Reported-by: Manfred Schlaegl <manfred.schlaegl@gmx.at>
Cc: <stable@vger.kernel.org> # 3.12.x+
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-03 18:14:28 -04:00
Peter Hurley
5fbf1a65dd Revert "tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc"
This reverts commit 6a20dbd6ca.

Although the commit correctly identifies an unsafe race condition
between __tty_buffer_request_room() and flush_to_ldisc(), the commit
fixes the race with an unnecessary spinlock in a lockless algorithm.

The follow-on commit, "tty: Fix lockless tty buffer race" fixes
the race locklessly.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-03 18:14:28 -04:00
Tomoki Sekiyama
501fed45b7 drivers/tty/hvc: don't free hvc_console_setup after init
When 'console=hvc0' is specified to the kernel parameter in x86 KVM guest,
hvc console is setup within a kthread. However, that will cause SEGV
and the boot will fail when the driver is builtin to the kernel,
because currently hvc_console_setup() is annotated with '__init'. This
patch removes '__init' to boot the guest successfully with 'console=hvc0'.

Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-03 18:14:28 -04:00
Peter Hurley
4291086b1f n_tty: Fix n_tty_write crash when echoing in raw mode
The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are LECHO & !OPOST.  And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrect writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer like follows.

If we look into tty_insert_flip_string_fixed_flag, there is:
  int space = __tty_buffer_request_room(port, goal, flags);
  struct tty_buffer *tb = port->buf.tail;
  ...
  memcpy(char_buf_ptr(tb, tb->used), chars, space);
  ...
  tb->used += space;

so the race of the two can result in something like this:
              A                                B
__tty_buffer_request_room
                                  __tty_buffer_request_room
memcpy(buf(tb->used), ...)
tb->used += space;
                                  memcpy(buf(tb->used), ...) ->BOOM

B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.

Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes.  This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.

Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.

js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call

References: CVE-2014-0196
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-03 18:13:05 -04:00
Michael Welling
b790f210fe tty: serial: 8250_core.c Bug fix for Exar chips.
The sleep function was updated to put the serial port to sleep only when necessary.
This appears to resolve the errant behavior of the driver as described in
Kernel Bug 61961 – "My Exar Corp. XR17C/D152 Dual PCI UART modem does not
work with 3.8.0".

Signed-off-by: Michael Welling <mwelling@ieee.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-03 18:13:05 -04:00