2013-06-26 02:46:15

by Ben Hutchings

[permalink] [raw]
Subject: [00/26] 3.2.48-rc1 review

This is the start of the stable review cycle for the 3.2.48 release.
There are 26 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Jun 28 12:00:00 UTC 2013.
Anything received after that time might be too late.

A combined patch relative to 3.2.47 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Anders Hammarquist (1):
USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable
[35a2fbc941accd0e9f1bfadd669311786118d874]

Andy Lutomirski (1):
net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
[1be374a0518a288147c6a7398792583200a67261,
a7526eb5d06b0084ef12d7b168d008fcf516caab]

Ben Hutchings (2):
Revert "drm/i915: GFX_MODE Flush TLB Invalidate Mode must be '1' for scanline waits"
[not upstream; reverts a change that regressed 3.2 only]
x86/efi: Fix dummy variable buffer allocation
[b8cb62f82103083a6e8fa5470bfe634a2c06514d]

Chris Metcalf (1):
tilepro: work around module link error with gcc 4.7
[3cb3f839d306443f3d1e79b0bde1a2ad2c12b555]

Clemens Ladisch (1):
ALSA: usb-audio: work around Android accessory firmware bug
[342cda29343a6272c630f94ed56810a76740251b]

Daniel Borkmann (2):
net: sctp: fix NULL pointer dereference in socket destruction
[1abd165ed757db1afdefaac0a4bc8a70f97d258c]
packet: packet_getname_spkt: make sure string is always 0-terminated
[2dc85bf323515e59e15dfa858d1472bb25cad0fe]

Dave Chiluk (1):
ncpfs: fix rmdir returns Device or resource busy
[698b8223631472bf982ed570b0812faa61955683]

Eric Dumazet (5):
ip_tunnel: fix kernel panic with icmp_dest_unreach
[a622260254ee481747cceaaa8609985b29a31565]
ipv6: fix possible crashes in ip6_cork_release()
[284041ef21fdf2e0d216ab6b787bc9072b4eb58a]
net: force a reload of first item in hlist_nulls_for_each_entry_rcu
[c87a124a5d5e8cf8e21c4363c3372bcaf53ea190]
tcp: fix tcp_md5_hash_skb_data()
[54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e]
tcp: xps: fix reordering issues
[547669d483e5783d722772af1483fa474da7caf9]

Gao feng (1):
ipv6: assign rt6_info to inet6_ifaddr in init_loopback
[534c877928a16ae5f9776436a497109639bf67dc]

Guillaume Nault (2):
l2tp: Fix PPP header erasure and memory leak
[55b92b7a11690bc377b5d373872a6b650ae88e64]
l2tp: Fix sendmsg() return value
[a6f79d0f26704214b5b702bbac525cb72997f984]

Matthew Garrett (1):
Modify UEFI anti-bricking code
[f8b8404337de4e2466e2e1139ea68b1f8295974f]

Paul Moore (1):
netlabel: improve domain mapping validation
[6b21e1b77d1a3d58ebfd513264c885695e8a0ba5]

Randy Dunlap (1):
x86: fix build error and kconfig for ia32_emulation and binfmt
[d1603990ea626668c78527376d9ec084d634202d]

Simon Baatz (1):
ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page
[1bc39742aab09248169ef9d3727c9def3528b3f3]

Stefan Bader, françois romieu (1):
r8169: fix 8168evl frame padding.
[e5195c1f31f399289347e043d6abf3ffa80f0005,
b423e9ae49d78ea3f53b131c8d5a6087aed16fd6]

Takashi Iwai (1):
ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam c310
[36691e1be6ec551eef4a5225f126a281f8c051c2]

Vivek Goyal (1):
virtio-blk: Call revalidate_disk() upon online disk resize
[e9986f303dc0f285401de28cf96f42f4dd23a4a1]

Wei Yongjun (1):
gianfar: add missing iounmap() on error in gianfar_ptp_probe()
[e5f5e380e0f3bb11f04ca5bc66a551e58e0ad26e]

Zhanghaoyu (1):
KVM: x86: remove vcpu's CPL check in host-invoked XCR set
[764bcbc5a6d7a2f3e75c9f0e4caa984e2926e346]

Makefile | 4 +-
arch/arm/include/asm/cacheflush.h | 4 +-
arch/arm/mm/flush.c | 33 +++++++++++
arch/tile/lib/exports.c | 2 +
arch/x86/Kconfig | 1 +
arch/x86/kvm/x86.c | 5 +-
arch/x86/platform/efi/efi.c | 80 +++++++++++++++++++++++---
drivers/block/virtio_blk.c | 1 +
drivers/gpu/drm/i915/intel_ringbuffer.c | 5 --
drivers/net/ethernet/freescale/gianfar_ptp.c | 1 +
drivers/net/ethernet/realtek/r8169.c | 33 +++++++++--
drivers/usb/serial/ti_usb_3410_5052.c | 3 +-
drivers/usb/serial/ti_usb_3410_5052.h | 4 +-
fs/ncpfs/dir.c | 9 ---
include/linux/rculist_nulls.h | 7 ++-
include/linux/socket.h | 3 +
net/compat.c | 13 ++++-
net/ipv4/ip_gre.c | 2 +-
net/ipv4/ipip.c | 2 +-
net/ipv4/tcp.c | 7 ++-
net/ipv4/tcp_output.c | 10 ++--
net/ipv6/addrconf.c | 4 +-
net/ipv6/ip6_output.c | 2 +-
net/l2tp/l2tp_ppp.c | 6 +-
net/netlabel/netlabel_domainhash.c | 69 ++++++++++++++++++++++
net/packet/af_packet.c | 5 +-
net/sctp/socket.c | 6 ++
net/socket.c | 67 ++++++++++++++-------
sound/usb/card.c | 22 ++++++-
sound/usb/mixer.c | 1 +
30 files changed, 329 insertions(+), 82 deletions(-)

--
Ben Hutchings
Knowledge is power. France is bacon.


2013-06-26 02:45:27

by Ben Hutchings

[permalink] [raw]
Subject: [06/26] x86: fix build error and kconfig for ia32_emulation and binfmt

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <[email protected]>

commit d1603990ea626668c78527376d9ec084d634202d upstream.

Fix kconfig warning and build errors on x86_64 by selecting BINFMT_ELF
when COMPAT_BINFMT_ELF is being selected.

warning: (IA32_EMULATION) selects COMPAT_BINFMT_ELF which has unmet direct dependencies (COMPAT && BINFMT_ELF)

fs/built-in.o: In function `elf_core_dump':
compat_binfmt_elf.c:(.text+0x3e093): undefined reference to `elf_core_extra_phdrs'
compat_binfmt_elf.c:(.text+0x3ebcd): undefined reference to `elf_core_extra_data_size'
compat_binfmt_elf.c:(.text+0x3eddd): undefined reference to `elf_core_write_extra_phdrs'
compat_binfmt_elf.c:(.text+0x3f004): undefined reference to `elf_core_write_extra_data'

[ hpa: This was sent to me for -next but it is a low risk build fix ]

Signed-off-by: Randy Dunlap <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/Kconfig | 1 +
1 file changed, 1 insertion(+)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2120,6 +2120,7 @@ source "fs/Kconfig.binfmt"
config IA32_EMULATION
bool "IA32 Emulation"
depends on X86_64
+ select BINFMT_ELF
select COMPAT_BINFMT_ELF
---help---
Include code to run 32-bit programs under a 64-bit kernel. You should

2013-06-26 02:45:33

by Ben Hutchings

[permalink] [raw]
Subject: [18/26] ip_tunnel: fix kernel panic with icmp_dest_unreach

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit a622260254ee481747cceaaa8609985b29a31565 ]

Daniel Petre reported crashes in icmp_dst_unreach() with following call
graph:

Daniel found a similar problem mentioned in
http://lkml.indiana.edu/hypermail/linux/kernel/1007.0/00961.html

And indeed this is the root cause : skb->cb[] contains data fooling IP
stack.

We must clear IPCB in ip_tunnel_xmit() sooner in case dst_link_failure()
is called. Or else skb->cb[] might contain garbage from GSO segmentation
layer.

A similar fix was tested on linux-3.9, but gre code was refactored in
linux-3.10. I'll send patches for stable kernels as well.

Many thanks to Daniel for providing reports, patches and testing !

Reported-by: Daniel Petre <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/ip_gre.c | 2 +-
net/ipv4/ipip.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index d55110e..5f28fab 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -716,6 +716,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
tiph = &tunnel->parms.iph;
}

+ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
if ((dst = tiph->daddr) == 0) {
/* NBMA tunnel */

@@ -851,7 +852,6 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
skb_reset_transport_header(skb);
skb_push(skb, gre_hlen);
skb_reset_network_header(skb);
- memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
IPSKB_REROUTED);
skb_dst_drop(skb);
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 17ad951..5dc5137 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -448,6 +448,7 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
if (tos & 1)
tos = old_iph->tos;

+ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
if (!dst) {
/* NBMA tunnel */
if ((rt = skb_rtable(skb)) == NULL) {
@@ -531,7 +532,6 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
skb->transport_header = skb->network_header;
skb_push(skb, sizeof(struct iphdr));
skb_reset_network_header(skb);
- memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
IPSKB_REROUTED);
skb_dst_drop(skb);

2013-06-26 02:45:32

by Ben Hutchings

[permalink] [raw]
Subject: [19/26] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <[email protected]>

[ Upstream commits 1be374a0518a288147c6a7398792583200a67261 and
a7526eb5d06b0084ef12d7b168d008fcf516caab ]

MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
it's a hack that steals a bit to indicate to other networking code
that a compat entry was used. So don't allow it from a non-compat
syscall.

This prevents an oops when running this code:

int main()
{
int s;
struct sockaddr_in addr;
struct msghdr *hdr;

char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
if (highpage == MAP_FAILED)
err(1, "mmap");

s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (s == -1)
err(1, "socket");

addr.sin_family = AF_INET;
addr.sin_port = htons(1);
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
err(1, "connect");

void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
printf("Evil address is %p\n", evil);

if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
err(1, "sendmmsg");

return 0;
}

Cc: David S. Miller <[email protected]>
Signed-off-by: Andy Lutomirski <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/socket.h | 3 +++
net/compat.c | 13 ++++++++--
net/socket.c | 67 +++++++++++++++++++++++++++++++++-----------------
3 files changed, 59 insertions(+), 24 deletions(-)

diff --git a/include/linux/socket.h b/include/linux/socket.h
index 2acd2e2..7e9f2d3 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -336,6 +336,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data);

struct timespec;

+/* The __sys_...msg variants allow MSG_CMSG_COMPAT */
+extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags);
+extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
unsigned int flags, struct timespec *timeout);
extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg,
diff --git a/net/compat.c b/net/compat.c
index 6def90e..8c979cc 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -733,19 +733,25 @@ static unsigned char nas[21] = {

asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags)
{
- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
}

asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
unsigned vlen, unsigned int flags)
{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
flags | MSG_CMSG_COMPAT);
}

asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
{
- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
}

asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned flags)
@@ -767,6 +773,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
int datagrams;
struct timespec ktspec;

+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
if (timeout == NULL)
return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
flags | MSG_CMSG_COMPAT, NULL);
diff --git a/net/socket.c b/net/socket.c
index 68879db..cf546a3 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1876,9 +1876,9 @@ struct used_address {
unsigned int name_len;
};

-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
- struct msghdr *msg_sys, unsigned flags,
- struct used_address *used_address)
+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned flags,
+ struct used_address *used_address)
{
struct compat_msghdr __user *msg_compat =
(struct compat_msghdr __user *)msg;
@@ -1998,22 +1998,30 @@ out:
* BSD sendmsg interface
*/

-SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
{
int fput_needed, err;
struct msghdr msg_sys;
- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ struct socket *sock;

+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
goto out;

- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);

fput_light(sock->file, fput_needed);
out:
return err;
}

+SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_sendmsg(fd, msg, flags);
+}
+
/*
* Linux sendmmsg interface
*/
@@ -2044,15 +2052,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,

while (datagrams < vlen) {
if (MSG_CMSG_COMPAT & flags) {
- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
- &msg_sys, flags, &used_address);
+ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+ &msg_sys, flags, &used_address);
if (err < 0)
break;
err = __put_user(err, &compat_entry->msg_len);
++compat_entry;
} else {
- err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
- &msg_sys, flags, &used_address);
+ err = ___sys_sendmsg(sock,
+ (struct msghdr __user *)entry,
+ &msg_sys, flags, &used_address);
if (err < 0)
break;
err = put_user(err, &entry->msg_len);
@@ -2076,11 +2085,13 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
unsigned int, vlen, unsigned int, flags)
{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
return __sys_sendmmsg(fd, mmsg, vlen, flags);
}

-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
- struct msghdr *msg_sys, unsigned flags, int nosec)
+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned flags, int nosec)
{
struct compat_msghdr __user *msg_compat =
(struct compat_msghdr __user *)msg;
@@ -2177,23 +2188,31 @@ out:
* BSD recvmsg interface
*/

-SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
- unsigned int, flags)
+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
{
int fput_needed, err;
struct msghdr msg_sys;
- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ struct socket *sock;

+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
goto out;

- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
+ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);

fput_light(sock->file, fput_needed);
out:
return err;
}

+SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+ unsigned int, flags)
+{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_recvmsg(fd, msg, flags);
+}
+
/*
* Linux recvmmsg interface
*/
@@ -2231,17 +2250,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
* No need to ask LSM for more than the first datagram.
*/
if (MSG_CMSG_COMPAT & flags) {
- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
- &msg_sys, flags & ~MSG_WAITFORONE,
- datagrams);
+ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
+ &msg_sys, flags & ~MSG_WAITFORONE,
+ datagrams);
if (err < 0)
break;
err = __put_user(err, &compat_entry->msg_len);
++compat_entry;
} else {
- err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
- &msg_sys, flags & ~MSG_WAITFORONE,
- datagrams);
+ err = ___sys_recvmsg(sock,
+ (struct msghdr __user *)entry,
+ &msg_sys, flags & ~MSG_WAITFORONE,
+ datagrams);
if (err < 0)
break;
err = put_user(err, &entry->msg_len);
@@ -2308,6 +2328,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
int datagrams;
struct timespec timeout_sys;

+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
if (!timeout)
return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);

2013-06-26 02:45:30

by Ben Hutchings

[permalink] [raw]
Subject: [25/26] l2tp: Fix sendmsg() return value

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <[email protected]>

[ Upstream commit a6f79d0f26704214b5b702bbac525cb72997f984 ]

PPPoL2TP sockets should comply with the standard send*() return values
(i.e. return number of bytes sent instead of 0 upon success).

Signed-off-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/l2tp/l2tp_ppp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 8ab041b..74410e6 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -362,7 +362,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
sock_put(ps->tunnel_sock);
sock_put(sk);

- return error;
+ return total_len;

error_put_sess_tun:
sock_put(ps->tunnel_sock);

2013-06-26 02:46:13

by Ben Hutchings

[permalink] [raw]
Subject: [16/26] r8169: fix 8168evl frame padding.

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Stefan Bader <[email protected]>

[ Upstream commits e5195c1f31f399289347e043d6abf3ffa80f0005 and
b423e9ae49d78ea3f53b131c8d5a6087aed16fd6 ]

Signed-off-by: Stefan Bader <[email protected]>
Acked-by: Francois Romieu <[email protected]>
Cc: hayeswang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/realtek/r8169.c | 33 +++++++++++++++++++++++++++------
1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index f698183..ed7a5a6 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -5524,7 +5524,20 @@ err_out:
return -EIO;
}

-static inline void rtl8169_tso_csum(struct rtl8169_private *tp,
+static bool rtl_skb_pad(struct sk_buff *skb)
+{
+ if (skb_padto(skb, ETH_ZLEN))
+ return false;
+ skb_put(skb, ETH_ZLEN - skb->len);
+ return true;
+}
+
+static bool rtl_test_hw_pad_bug(struct rtl8169_private *tp, struct sk_buff *skb)
+{
+ return skb->len < ETH_ZLEN && tp->mac_version == RTL_GIGA_MAC_VER_34;
+}
+
+static inline bool rtl8169_tso_csum(struct rtl8169_private *tp,
struct sk_buff *skb, u32 *opts)
{
const struct rtl_tx_desc_info *info = tx_desc_info + tp->txd_version;
@@ -5537,13 +5550,20 @@ static inline void rtl8169_tso_csum(struct rtl8169_private *tp,
} else if (skb->ip_summed == CHECKSUM_PARTIAL) {
const struct iphdr *ip = ip_hdr(skb);

+ if (unlikely(rtl_test_hw_pad_bug(tp, skb)))
+ return skb_checksum_help(skb) == 0 && rtl_skb_pad(skb);
+
if (ip->protocol == IPPROTO_TCP)
opts[offset] |= info->checksum.tcp;
else if (ip->protocol == IPPROTO_UDP)
opts[offset] |= info->checksum.udp;
else
WARN_ON_ONCE(1);
+ } else {
+ if (unlikely(rtl_test_hw_pad_bug(tp, skb)))
+ return rtl_skb_pad(skb);
}
+ return true;
}

static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
@@ -5575,6 +5595,12 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
if (unlikely(le32_to_cpu(txd->opts1) & DescOwn))
goto err_stop_0;

+ opts[1] = cpu_to_le32(rtl8169_tx_vlan_tag(tp, skb));
+ opts[0] = DescOwn;
+
+ if (!rtl8169_tso_csum(tp, skb, opts))
+ goto err_update_stats;
+
len = skb_headlen(skb);
mapping = dma_map_single(d, skb->data, len, DMA_TO_DEVICE);
if (unlikely(dma_mapping_error(d, mapping))) {
@@ -5586,11 +5612,6 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
tp->tx_skb[entry].len = len;
txd->addr = cpu_to_le64(mapping);

- opts[1] = cpu_to_le32(rtl8169_tx_vlan_tag(tp, skb));
- opts[0] = DescOwn;
-
- rtl8169_tso_csum(tp, skb, opts);
-
frags = rtl8169_xmit_frags(tp, skb, opts);
if (frags < 0)
goto err_dma_1;

2013-06-26 02:46:12

by Ben Hutchings

[permalink] [raw]
Subject: [14/26] ipv6: fix possible crashes in ip6_cork_release()

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ]

commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
added some code duplication and bad error recovery, leading to potential
crash in ip6_cork_release() as kfree() could be called with garbage.

use kzalloc() to make sure this wont happen.

Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: Hideaki YOSHIFUJI <[email protected]>
Cc: Neal Cardwell <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ip6_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 3ccd9b2..6aadaa8 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1233,7 +1233,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
if (WARN_ON(np->cork.opt))
return -EINVAL;

- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
+ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
if (unlikely(np->cork.opt == NULL))
return -ENOBUFS;

2013-06-26 02:47:11

by Ben Hutchings

[permalink] [raw]
Subject: [20/26] net: force a reload of first item in hlist_nulls_for_each_entry_rcu

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit c87a124a5d5e8cf8e21c4363c3372bcaf53ea190 ]

Roman Gushchin discovered that udp4_lib_lookup2() was not reloading
first item in the rcu protected list, in case the loop was restarted.

This produced soft lockups as in https://lkml.org/lkml/2013/4/16/37

rcu_dereference(X)/ACCESS_ONCE(X) seem to not work as intended if X is
ptr->field :

In some cases, gcc caches the value or ptr->field in a register.

Use a barrier() to disallow such caching, as documented in
Documentation/atomic_ops.txt line 114

Thanks a lot to Roman for providing analysis and numerous patches.

Diagnosed-by: Roman Gushchin <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Boris Zhmurov <[email protected]>
Signed-off-by: Roman Gushchin <[email protected]>
Acked-by: Paul E. McKenney <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/rculist_nulls.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
index 2ae1371..1c33dd7 100644
--- a/include/linux/rculist_nulls.h
+++ b/include/linux/rculist_nulls.h
@@ -105,9 +105,14 @@ static inline void hlist_nulls_add_head_rcu(struct hlist_nulls_node *n,
* @head: the head for your list.
* @member: the name of the hlist_nulls_node within the struct.
*
+ * The barrier() is needed to make sure compiler doesn't cache first element [1],
+ * as this loop can be restarted [2]
+ * [1] Documentation/atomic_ops.txt around line 114
+ * [2] Documentation/RCU/rculist_nulls.txt around line 146
*/
#define hlist_nulls_for_each_entry_rcu(tpos, pos, head, member) \
- for (pos = rcu_dereference_raw(hlist_nulls_first_rcu(head)); \
+ for (({barrier();}), \
+ pos = rcu_dereference_raw(hlist_nulls_first_rcu(head)); \
(!is_a_nulls(pos)) && \
({ tpos = hlist_nulls_entry(pos, typeof(*tpos), member); 1; }); \
pos = rcu_dereference_raw(hlist_nulls_next_rcu(pos)))

2013-06-26 02:47:09

by Ben Hutchings

[permalink] [raw]
Subject: [22/26] net: sctp: fix NULL pointer dereference in socket destruction

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <[email protected]>

[ Upstream commit 1abd165ed757db1afdefaac0a4bc8a70f97d258c ]

While stress testing sctp sockets, I hit the following panic:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
PGD 7cead067 PUD 7ce76067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: sctp(F) libcrc32c(F) [...]
CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
Call Trace:
[<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
[<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
[<ffffffff814df36e>] inet_create+0x2ae/0x350
[<ffffffff81455a6f>] __sock_create+0x11f/0x240
[<ffffffff81455bf0>] sock_create+0x30/0x40
[<ffffffff8145696c>] SyS_socket+0x4c/0xc0
[<ffffffff815403be>] ? do_page_fault+0xe/0x10
[<ffffffff8153cb32>] ? page_fault+0x22/0x30
[<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
RSP <ffff88007b569e08>
CR2: 0000000000000020
---[ end trace e0d71ec1108c1dd9 ]---

I did not hit this with the lksctp-tools functional tests, but with a
small, multi-threaded test program, that heavily allocates, binds,
listens and waits in accept on sctp sockets, and then randomly kills
some of them (no need for an actual client in this case to hit this).
Then, again, allocating, binding, etc, and then killing child processes.

This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
is set. The cause for that is actually very simple: in sctp_endpoint_init()
we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
our crypto transforms through crypto_alloc_hash(). In our scenario,
it then can happen that crypto_alloc_hash() fails with -EINTR from
crypto_larval_wait(), thus we bail out and release the socket via
sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
dereference as soon as we try to access members in the endpoint during
sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
if we have that case, we do not need to do any cleanup work and just
leave the destruction handler.

Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Neil Horman <[email protected]>
Acked-by: Vlad Yasevich <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/sctp/socket.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 5e0d86e..ba0108f 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3929,6 +3929,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)

/* Release our hold on the endpoint. */
sp = sctp_sk(sk);
+ /* This could happen during socket init, thus we bail out
+ * early, since the rest of the below is not setup either.
+ */
+ if (sp->ep == NULL)
+ return;
+
if (sp->do_auto_asconf) {
sp->do_auto_asconf = 0;
list_del(&sp->auto_asconf_list);

2013-06-26 02:47:44

by Ben Hutchings

[permalink] [raw]
Subject: [11/26] virtio-blk: Call revalidate_disk() upon online disk resize

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vivek Goyal <[email protected]>

commit e9986f303dc0f285401de28cf96f42f4dd23a4a1 upstream.

If a virtio disk is open in guest and a disk resize operation is done,
(virsh blockresize), new size is not visible to tools like "fdisk -l".
This seems to be happening as we update only part->nr_sects and not
bdev->bd_inode size.

Call revalidate_disk() which should take care of it. I tested growing disk
size of already open disk and it works for me.

Signed-off-by: Vivek Goyal <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/block/virtio_blk.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -343,6 +343,7 @@ static void virtblk_config_changed_work(
cap_str_10, cap_str_2);

set_capacity(vblk->disk, capacity);
+ revalidate_disk(vblk->disk);
done:
mutex_unlock(&vblk->config_lock);
}

2013-06-26 02:47:42

by Ben Hutchings

[permalink] [raw]
Subject: [21/26] ipv6: assign rt6_info to inet6_ifaddr in init_loopback

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Gao feng <[email protected]>

[ Upstream commit 534c877928a16ae5f9776436a497109639bf67dc ]

Commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f
"net IPv6 : Fix broken IPv6 routing table after loopback down-up"
forgot to assign rt6_info to the inet6_ifaddr.
When disable the net device, the rt6_info which allocated
in init_loopback will not be destroied in __ipv6_ifa_notify.

This will trigger the waring message below
[23527.916091] unregister_netdevice: waiting for tap0 to become free. Usage count = 1

Reported-by: Arkadiusz Miskiewicz <[email protected]>
Signed-off-by: Gao feng <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/addrconf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index d84033b..d603caa 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2437,8 +2437,10 @@ static void init_loopback(struct net_device *dev)
sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);

/* Failure cases are ignored */
- if (!IS_ERR(sp_rt))
+ if (!IS_ERR(sp_rt)) {
+ sp_ifa->rt = sp_rt;
ip6_ins_rt(sp_rt);
+ }
}
read_unlock_bh(&idev->lock);
}

2013-06-26 02:45:26

by Ben Hutchings

[permalink] [raw]
Subject: [07/26] USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Anders Hammarquist <[email protected]>

commit 35a2fbc941accd0e9f1bfadd669311786118d874 upstream.

Add product id for Abbott strip port cable for Precision meter which
uses the TI 3410 chip.

Signed-off-by: Anders Hammarquist <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ti_usb_3410_5052.c | 3 ++-
drivers/usb/serial/ti_usb_3410_5052.h | 4 +++-
2 files changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -178,7 +178,8 @@ static struct usb_device_id ti_id_table_
{ USB_DEVICE(IBM_VENDOR_ID, IBM_4543_PRODUCT_ID) },
{ USB_DEVICE(IBM_VENDOR_ID, IBM_454B_PRODUCT_ID) },
{ USB_DEVICE(IBM_VENDOR_ID, IBM_454C_PRODUCT_ID) },
- { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) },
+ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STEREO_PLUG_ID) },
+ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) },
{ USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) },
};

--- a/drivers/usb/serial/ti_usb_3410_5052.h
+++ b/drivers/usb/serial/ti_usb_3410_5052.h
@@ -52,7 +52,9 @@

/* Abbott Diabetics vendor and product ids */
#define ABBOTT_VENDOR_ID 0x1a61
-#define ABBOTT_PRODUCT_ID 0x3410
+#define ABBOTT_STEREO_PLUG_ID 0x3410
+#define ABBOTT_PRODUCT_ID ABBOTT_STEREO_PLUG_ID
+#define ABBOTT_STRIP_PORT_ID 0x3420

/* Commands */
#define TI_GET_VERSION 0x01

2013-06-26 02:48:20

by Ben Hutchings

[permalink] [raw]
Subject: [02/26] ALSA: usb-audio: work around Android accessory firmware bug

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Clemens Ladisch <[email protected]>

commit 342cda29343a6272c630f94ed56810a76740251b upstream.

When the Android firmware enables the audio interfaces in accessory
mode, it always declares in the control interface's baInterfaceNr array
that interfaces 0 and 1 belong to the audio function. However, the
accessory interface itself, if also enabled, already is at index 0 and
shifts the actual audio interface numbers to 1 and 2, which prevents the
PCM streaming interface from being seen by the host driver.

To get the PCM interface interface to work, detect when the descriptors
point to the (for this driver useless) accessory interface, and redirect
to the correct one.

Reported-by: Jeremy Rosen <[email protected]>
Tested-by: Jeremy Rosen <[email protected]>
Signed-off-by: Clemens Ladisch <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/usb/card.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -149,14 +149,32 @@ static int snd_usb_create_stream(struct
return -EINVAL;
}

+ alts = &iface->altsetting[0];
+ altsd = get_iface_desc(alts);
+
+ /*
+ * Android with both accessory and audio interfaces enabled gets the
+ * interface numbers wrong.
+ */
+ if ((chip->usb_id == USB_ID(0x18d1, 0x2d04) ||
+ chip->usb_id == USB_ID(0x18d1, 0x2d05)) &&
+ interface == 0 &&
+ altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC &&
+ altsd->bInterfaceSubClass == USB_SUBCLASS_VENDOR_SPEC) {
+ interface = 2;
+ iface = usb_ifnum_to_if(dev, interface);
+ if (!iface)
+ return -EINVAL;
+ alts = &iface->altsetting[0];
+ altsd = get_iface_desc(alts);
+ }
+
if (usb_interface_claimed(iface)) {
snd_printdd(KERN_INFO "%d:%d:%d: skipping, already claimed\n",
dev->devnum, ctrlif, interface);
return -EINVAL;
}

- alts = &iface->altsetting[0];
- altsd = get_iface_desc(alts);
if ((altsd->bInterfaceClass == USB_CLASS_AUDIO ||
altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC) &&
altsd->bInterfaceSubClass == USB_SUBCLASS_MIDISTREAMING) {

2013-06-26 02:48:18

by Ben Hutchings

[permalink] [raw]
Subject: [09/26] x86/efi: Fix dummy variable buffer allocation

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <[email protected]>

commit b8cb62f82103083a6e8fa5470bfe634a2c06514d upstream.

1. Check for allocation failure
2. Clear the buffer contents, as they may actually be written to flash
3. Don't leak the buffer

Compile-tested only.

[ Tested successfully on my buggy ASUS machine - Matt ]

Signed-off-by: Ben Hutchings <[email protected]>
Signed-off-by: Matt Fleming <[email protected]>
---
arch/x86/platform/efi/efi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -875,7 +875,10 @@ efi_status_t efi_query_variable_store(u3
* that by attempting to use more space than is available.
*/
unsigned long dummy_size = remaining_size + 1024;
- void *dummy = kmalloc(dummy_size, GFP_ATOMIC);
+ void *dummy = kzalloc(dummy_size, GFP_ATOMIC);
+
+ if (!dummy)
+ return EFI_OUT_OF_RESOURCES;

status = efi.set_variable(efi_dummy_name, &EFI_DUMMY_GUID,
EFI_VARIABLE_NON_VOLATILE |
@@ -895,6 +898,8 @@ efi_status_t efi_query_variable_store(u3
0, dummy);
}

+ kfree(dummy);
+
/*
* The runtime code may now have triggered a garbage collection
* run, so check the variable info again

2013-06-26 02:48:16

by Ben Hutchings

[permalink] [raw]
Subject: [26/26] ncpfs: fix rmdir returns Device or resource busy

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dave Chiluk <[email protected]>

commit 698b8223631472bf982ed570b0812faa61955683 upstream.

1d2ef5901483004d74947bbf78d5146c24038fe7 caused a regression in ncpfs such that
directories could no longer be removed. This was because ncp_rmdir checked
to see if a dentry could be unhashed before allowing it to be removed. Since
1d2ef5901483004d74947bbf78d5146c24038fe7 introduced a change that incremented
dentry->d_count causing it to always be greater than 1 unhash would always
fail. Thus causing the error path in ncp_rmdir to always be taken. Removing
this error path is safe as unhashing is still accomplished by calls to dput
from vfs_rmdir.

Signed-off-by: Dave Chiluk <[email protected]>
Signed-off-by: Petr Vandrovec <[email protected]>
Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ncpfs/dir.c | 9 ---------
1 file changed, 9 deletions(-)

--- a/fs/ncpfs/dir.c
+++ b/fs/ncpfs/dir.c
@@ -1033,15 +1033,6 @@ static int ncp_rmdir(struct inode *dir,
DPRINTK("ncp_rmdir: removing %s/%s\n",
dentry->d_parent->d_name.name, dentry->d_name.name);

- /*
- * fail with EBUSY if there are still references to this
- * directory.
- */
- dentry_unhash(dentry);
- error = -EBUSY;
- if (!d_unhashed(dentry))
- goto out;
-
len = sizeof(__name);
error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
dentry->d_name.len, !ncp_preserve_case(dir));

2013-06-26 02:49:04

by Ben Hutchings

[permalink] [raw]
Subject: [13/26] gianfar: add missing iounmap() on error in gianfar_ptp_probe()

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wei Yongjun <[email protected]>

[ Upstream commit e5f5e380e0f3bb11f04ca5bc66a551e58e0ad26e ]

Add the missing iounmap() before return from gianfar_ptp_probe()
in the error handling case.

Signed-off-by: Wei Yongjun <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/freescale/gianfar_ptp.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/freescale/gianfar_ptp.c b/drivers/net/ethernet/freescale/gianfar_ptp.c
index 69c3adf..c2ab21c 100644
--- a/drivers/net/ethernet/freescale/gianfar_ptp.c
+++ b/drivers/net/ethernet/freescale/gianfar_ptp.c
@@ -520,6 +520,7 @@ static int gianfar_ptp_probe(struct platform_device *dev)
return 0;

no_clock:
+ iounmap(etsects->regs);
no_ioremap:
release_resource(etsects->rsrc);
no_resource:

2013-06-26 02:49:30

by Ben Hutchings

[permalink] [raw]
Subject: [04/26] ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Simon Baatz <[email protected]>

commit 1bc39742aab09248169ef9d3727c9def3528b3f3 upstream.

Commit f8b63c1 made flush_kernel_dcache_page a no-op assuming that
the pages it needs to handle are kernel mapped only. However, for
example when doing direct I/O, pages with user space mappings may
occur.

Thus, continue to do lazy flushing if there are no user space
mappings. Otherwise, flush the kernel cache lines directly.

Signed-off-by: Simon Baatz <[email protected]>
Reviewed-by: Catalin Marinas <[email protected]>
Signed-off-by: Russell King <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/include/asm/cacheflush.h | 4 +---
arch/arm/mm/flush.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 34 insertions(+), 3 deletions(-)

--- a/arch/arm/include/asm/cacheflush.h
+++ b/arch/arm/include/asm/cacheflush.h
@@ -301,9 +301,7 @@ static inline void flush_anon_page(struc
}

#define ARCH_HAS_FLUSH_KERNEL_DCACHE_PAGE
-static inline void flush_kernel_dcache_page(struct page *page)
-{
-}
+extern void flush_kernel_dcache_page(struct page *);

#define flush_dcache_mmap_lock(mapping) \
spin_lock_irq(&(mapping)->tree_lock)
--- a/arch/arm/mm/flush.c
+++ b/arch/arm/mm/flush.c
@@ -304,6 +304,39 @@ void flush_dcache_page(struct page *page
EXPORT_SYMBOL(flush_dcache_page);

/*
+ * Ensure cache coherency for the kernel mapping of this page. We can
+ * assume that the page is pinned via kmap.
+ *
+ * If the page only exists in the page cache and there are no user
+ * space mappings, this is a no-op since the page was already marked
+ * dirty at creation. Otherwise, we need to flush the dirty kernel
+ * cache lines directly.
+ */
+void flush_kernel_dcache_page(struct page *page)
+{
+ if (cache_is_vivt() || cache_is_vipt_aliasing()) {
+ struct address_space *mapping;
+
+ mapping = page_mapping(page);
+
+ if (!mapping || mapping_mapped(mapping)) {
+ void *addr;
+
+ addr = page_address(page);
+ /*
+ * kmap_atomic() doesn't set the page virtual
+ * address for highmem pages, and
+ * kunmap_atomic() takes care of cache
+ * flushing already.
+ */
+ if (!IS_ENABLED(CONFIG_HIGHMEM) || addr)
+ __cpuc_flush_dcache_area(addr, PAGE_SIZE);
+ }
+ }
+}
+EXPORT_SYMBOL(flush_kernel_dcache_page);
+
+/*
* Flush an anonymous page so that users of get_user_pages()
* can safely access the data. The expected sequence is:
*

2013-06-26 02:49:29

by Ben Hutchings

[permalink] [raw]
Subject: [24/26] l2tp: Fix PPP header erasure and memory leak

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <[email protected]>

[ Upstream commit 55b92b7a11690bc377b5d373872a6b650ae88e64 ]

Copy user data after PPP framing header. This prevents erasure of the
added PPP header and avoids leaking two bytes of uninitialised memory
at the end of skb's data buffer.

Signed-off-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/l2tp/l2tp_ppp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 6f60175..8ab041b 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -350,12 +350,12 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
skb_put(skb, 2);

/* Copy user data into skb */
- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
+ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
+ total_len);
if (error < 0) {
kfree_skb(skb);
goto error_put_sess_tun;
}
- skb_put(skb, total_len);

l2tp_xmit_skb(session, skb, session->hdr_len);

2013-06-26 02:49:27

by Ben Hutchings

[permalink] [raw]
Subject: [15/26] netlabel: improve domain mapping validation

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Moore <[email protected]>

[ Upstream commit 6b21e1b77d1a3d58ebfd513264c885695e8a0ba5 ]

The net/netlabel/netlabel_domainhash.c:netlbl_domhsh_add() function
does not properly validate new domain hash entries resulting in
potential problems when an administrator attempts to add an invalid
entry. One such problem, as reported by Vlad Halilov, is a kernel
BUG (found in netlabel_domainhash.c:netlbl_domhsh_audit_add()) when
adding an IPv6 outbound mapping with a CIPSO configuration.

This patch corrects this problem by adding the necessary validation
code to netlbl_domhsh_add() via the newly created
netlbl_domhsh_validate() function.

Ideally this patch should also be pushed to the currently active
-stable trees.

Reported-by: Vlad Halilov <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/netlabel/netlabel_domainhash.c | 69 ++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)

diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index e5330ed..bf99567 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -245,6 +245,71 @@ static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry,
}
}

+/**
+ * netlbl_domhsh_validate - Validate a new domain mapping entry
+ * @entry: the entry to validate
+ *
+ * This function validates the new domain mapping entry to ensure that it is
+ * a valid entry. Returns zero on success, negative values on failure.
+ *
+ */
+static int netlbl_domhsh_validate(const struct netlbl_dom_map *entry)
+{
+ struct netlbl_af4list *iter4;
+ struct netlbl_domaddr4_map *map4;
+#if IS_ENABLED(CONFIG_IPV6)
+ struct netlbl_af6list *iter6;
+ struct netlbl_domaddr6_map *map6;
+#endif /* IPv6 */
+
+ if (entry == NULL)
+ return -EINVAL;
+
+ switch (entry->type) {
+ case NETLBL_NLTYPE_UNLABELED:
+ if (entry->type_def.cipsov4 != NULL ||
+ entry->type_def.addrsel != NULL)
+ return -EINVAL;
+ break;
+ case NETLBL_NLTYPE_CIPSOV4:
+ if (entry->type_def.cipsov4 == NULL)
+ return -EINVAL;
+ break;
+ case NETLBL_NLTYPE_ADDRSELECT:
+ netlbl_af4list_foreach(iter4, &entry->type_def.addrsel->list4) {
+ map4 = netlbl_domhsh_addr4_entry(iter4);
+ switch (map4->type) {
+ case NETLBL_NLTYPE_UNLABELED:
+ if (map4->type_def.cipsov4 != NULL)
+ return -EINVAL;
+ break;
+ case NETLBL_NLTYPE_CIPSOV4:
+ if (map4->type_def.cipsov4 == NULL)
+ return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
+ }
+#if IS_ENABLED(CONFIG_IPV6)
+ netlbl_af6list_foreach(iter6, &entry->type_def.addrsel->list6) {
+ map6 = netlbl_domhsh_addr6_entry(iter6);
+ switch (map6->type) {
+ case NETLBL_NLTYPE_UNLABELED:
+ break;
+ default:
+ return -EINVAL;
+ }
+ }
+#endif /* IPv6 */
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
/*
* Domain Hash Table Functions
*/
@@ -311,6 +376,10 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
struct netlbl_af6list *tmp6;
#endif /* IPv6 */

+ ret_val = netlbl_domhsh_validate(entry);
+ if (ret_val != 0)
+ return ret_val;
+
/* XXX - we can remove this RCU read lock as the spinlock protects the
* entire function, but before we do we need to fixup the
* netlbl_af[4,6]list RCU functions to do "the right thing" with

2013-06-26 02:49:25

by Ben Hutchings

[permalink] [raw]
Subject: [17/26] tcp: xps: fix reordering issues

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit 547669d483e5783d722772af1483fa474da7caf9 ]

commit 3853b5841c01a ("xps: Improvements in TX queue selection")
introduced ooo_okay flag, but the condition to set it is slightly wrong.

In our traces, we have seen ACK packets being received out of order,
and RST packets sent in response.

We should test if we have any packets still in host queue.

Signed-off-by: Eric Dumazet <[email protected]>
Cc: Tom Herbert <[email protected]>
Cc: Yuchung Cheng <[email protected]>
Cc: Neal Cardwell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/tcp_output.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5c1807c..3add486 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -835,11 +835,13 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
&md5);
tcp_header_size = tcp_options_size + sizeof(struct tcphdr);

- if (tcp_packets_in_flight(tp) == 0) {
+ if (tcp_packets_in_flight(tp) == 0)
tcp_ca_event(sk, CA_EVENT_TX_START);
- skb->ooo_okay = 1;
- } else
- skb->ooo_okay = 0;
+
+ /* if no packet is in qdisc/device queue, then allow XPS to select
+ * another queue.
+ */
+ skb->ooo_okay = sk_wmem_alloc_get(sk) == 0;

skb_push(skb, tcp_header_size);
skb_reset_transport_header(skb);

2013-06-26 02:45:23

by Ben Hutchings

[permalink] [raw]
Subject: [01/26] tilepro: work around module link error with gcc 4.7

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chris Metcalf <[email protected]>

commit 3cb3f839d306443f3d1e79b0bde1a2ad2c12b555 upstream.

gcc 4.7.x is emitting calls to __ffsdi2 where previously
it used to inline the appropriate ctz instructions.
While this needs to be fixed in gcc, it's also easy to avoid
having it cause build failures when building with those
compilers by exporting __ffsdi2 to modules.

Signed-off-by: Chris Metcalf <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/tile/lib/exports.c | 2 ++
1 file changed, 2 insertions(+)

--- a/arch/tile/lib/exports.c
+++ b/arch/tile/lib/exports.c
@@ -90,4 +90,6 @@ uint64_t __ashrdi3(uint64_t, unsigned in
EXPORT_SYMBOL(__ashrdi3);
uint64_t __ashldi3(uint64_t, unsigned int);
EXPORT_SYMBOL(__ashldi3);
+int __ffsdi2(uint64_t);
+EXPORT_SYMBOL(__ffsdi2);
#endif

2013-06-26 02:50:36

by Ben Hutchings

[permalink] [raw]
Subject: [10/26] Revert "drm/i915: GFX_MODE Flush TLB Invalidate Mode must be '1' for scanline waits"

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <[email protected]>

This reverts commit 393143615d9f2f581d87387268dc11b95adc339c, which
was commit f05bb0c7b624252a5e768287e340e8e45df96e42 upstream.

This has been found to cause GPU hangs when backported to 3.2, though
not in mainline.

References: http://bugs.launchpad.net/bugs/1140716
Cc: Steve Conklin <[email protected]>
Cc: Stefan Bader <[email protected]>
Cc: Bradd Figg <[email protected]>
Cc: Luis Henriques <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/i915/intel_ringbuffer.c | 5 -----
1 file changed, 5 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
index 4fddd21..38a7793 100644
--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
@@ -408,11 +408,6 @@ static int init_render_ring(struct intel_ring_buffer *ring)
if (INTEL_INFO(dev)->gen >= 6)
I915_WRITE(MI_MODE, GFX_MODE_ENABLE(ASYNC_FLIP_PERF_DISABLE));

- /* Required for the hardware to program scanline values for waiting */
- if (INTEL_INFO(dev)->gen == 6)
- I915_WRITE(GFX_MODE,
- GFX_MODE_ENABLE(GFX_TLB_INVALIDATE_ALWAYS));
-
if (IS_GEN7(dev))
I915_WRITE(GFX_MODE_GEN7,
GFX_MODE_DISABLE(GFX_TLB_INVALIDATE_ALWAYS) |

2013-06-26 02:50:35

by Ben Hutchings

[permalink] [raw]
Subject: [12/26] tcp: fix tcp_md5_hash_skb_data()

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

[ Upstream commit 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e ]

TCP md5 communications fail [1] for some devices, because sg/crypto code
assume page offsets are below PAGE_SIZE.

This was discovered using mlx4 driver [2], but I suspect loopback
might trigger the same bug now we use order-3 pages in tcp_sendmsg()

[1] Failure is giving following messages.

huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
exited with 00000101?

[2] mlx4 driver uses order-2 pages to allocate RX frags

Reported-by: Matt Schnall <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Bernhard Beck <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/tcp.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index fe381c2..ec8b4b7e 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3037,8 +3037,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,

for (i = 0; i < shi->nr_frags; ++i) {
const struct skb_frag_struct *f = &shi->frags[i];
- struct page *page = skb_frag_page(f);
- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
+ unsigned int offset = f->page_offset;
+ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
+
+ sg_set_page(&sg, page, skb_frag_size(f),
+ offset_in_page(offset));
if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
return 1;
}

2013-06-26 02:51:12

by Ben Hutchings

[permalink] [raw]
Subject: [05/26] KVM: x86: remove vcpu's CPL check in host-invoked XCR set

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Zhanghaoyu (A)" <[email protected]>

commit 764bcbc5a6d7a2f3e75c9f0e4caa984e2926e346 upstream.

__kvm_set_xcr function does the CPL check when set xcr. __kvm_set_xcr is
called in two flows, one is invoked by guest, call stack shown as below,

handle_xsetbv(or xsetbv_interception)
kvm_set_xcr
__kvm_set_xcr

the other one is invoked by host, for example during system reset:

kvm_arch_vcpu_ioctl
kvm_vcpu_ioctl_x86_set_xcrs
__kvm_set_xcr

The former does need the CPL check, but the latter does not.

Signed-off-by: Zhang Haoyu <[email protected]>
[Tweaks to commit message. - Paolo]
Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kvm/x86.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -551,8 +551,6 @@ int __kvm_set_xcr(struct kvm_vcpu *vcpu,
if (index != XCR_XFEATURE_ENABLED_MASK)
return 1;
xcr0 = xcr;
- if (kvm_x86_ops->get_cpl(vcpu) != 0)
- return 1;
if (!(xcr0 & XSTATE_FP))
return 1;
if ((xcr0 & XSTATE_YMM) && !(xcr0 & XSTATE_SSE))
@@ -566,7 +564,8 @@ int __kvm_set_xcr(struct kvm_vcpu *vcpu,

int kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr)
{
- if (__kvm_set_xcr(vcpu, index, xcr)) {
+ if (kvm_x86_ops->get_cpl(vcpu) != 0 ||
+ __kvm_set_xcr(vcpu, index, xcr)) {
kvm_inject_gp(vcpu, 0);
return 1;
}

2013-06-26 02:51:10

by Ben Hutchings

[permalink] [raw]
Subject: [03/26] ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam c310

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 36691e1be6ec551eef4a5225f126a281f8c051c2 upstream.

Just like the previous fix for LogitechHD Webcam c270 in commit
11e7064f35bb87da8f427d1aa4bbd8b7473a3993, c310 model also requires the
same workaround for avoiding the kernel warning.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=59741
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -821,6 +821,7 @@ static void volume_control_quirks(struct

case USB_ID(0x046d, 0x0808):
case USB_ID(0x046d, 0x0809):
+ case USB_ID(0x046d, 0x081b): /* HD Webcam c310 */
case USB_ID(0x046d, 0x081d): /* HD Webcam c510 */
case USB_ID(0x046d, 0x0825): /* HD Webcam c270 */
case USB_ID(0x046d, 0x0991):

2013-06-26 02:51:42

by Ben Hutchings

[permalink] [raw]
Subject: [23/26] packet: packet_getname_spkt: make sure string is always 0-terminated

3.2.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <[email protected]>

[ Upstream commit 2dc85bf323515e59e15dfa858d1472bb25cad0fe ]

uaddr->sa_data is exactly of size 14, which is hard-coded here and
passed as a size argument to strncpy(). A device name can be of size
IFNAMSIZ (== 16), meaning we might leave the destination string
unterminated. Thus, use strlcpy() and also sizeof() while we're
at it. We need to memset the data area beforehand, since strlcpy
does not padd the remaining buffer with zeroes for user space, so
that we do not possibly leak anything.

Signed-off-by: Daniel Borkmann <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/packet/af_packet.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 5a70215..a2ac2c3 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2820,12 +2820,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
return -EOPNOTSUPP;

uaddr->sa_family = AF_PACKET;
+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
rcu_read_lock();
dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
if (dev)
- strncpy(uaddr->sa_data, dev->name, 14);
- else
- memset(uaddr->sa_data, 0, 14);
+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
rcu_read_unlock();
*uaddr_len = sizeof(*uaddr);

2013-06-26 08:23:39

by Anders Hammarquist

[permalink] [raw]
Subject: Re: [07/26] USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable

In a message of Wed, 26 Jun 2013 03:35:58 +0100, Ben Hutchings writes:
>3.2.48-rc1 review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Anders Hammarquist <[email protected]>
>
>commit 35a2fbc941accd0e9f1bfadd669311786118d874 upstream.
>
>Add product id for Abbott strip port cable for Precision meter which
>uses the TI 3410 chip.

It needs to be paired with later patches that fix the statically sized
usb_device_id array, so I don't think it should go in alone.

/Anders

2013-06-26 08:51:45

by Stefan Bader

[permalink] [raw]
Subject: Re: [16/26] r8169: fix 8168evl frame padding.

On 26.06.2013 04:35, Ben Hutchings wrote:
> 3.2.48-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Stefan Bader <[email protected]>
>
> [ Upstream commits e5195c1f31f399289347e043d6abf3ffa80f0005 and
> b423e9ae49d78ea3f53b131c8d5a6087aed16fd6 ]
>
> Signed-off-by: Stefan Bader <[email protected]>
> Acked-by: Francois Romieu <[email protected]>
> Cc: hayeswang <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> drivers/net/ethernet/realtek/r8169.c | 33 +++++++++++++++++++++++++++------

No abjection, just make sure that

commit b423e9ae49d78ea3f53b131c8d5a6087aed16fd6
Author: françois romieu <[email protected]>
Date: Sat May 18 01:24:46 2013 +0000

r8169: fix offloaded tx checksum for small packets.

8168evl offloaded checksums are wrong since commit
e5195c1f31f399289347e043d6abf3ffa80f0005 ("r8169: fix 8168evl frame padding.
pads small packets to 60 bytes (without ethernet checksum). Typical symptoms
appear as UDP checksums which are wrong by the count of added bytes.

It isn't worth compensating. Let the driver checksum.

Due to the skb length changes, TSO code is moved before the Tx descriptor ge
written.

Signed-off-by: Francois Romieu <[email protected]>
Tested-by: Holger Hoffstätte <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

is included as well.

-Stefan


Attachments:
signature.asc (899.00 B)
OpenPGP digital signature

2013-06-26 09:04:17

by Luis Henriques

[permalink] [raw]
Subject: Re: [04/26] ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page

Ben Hutchings <[email protected]> writes:

> 3.2.48-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Simon Baatz <[email protected]>
>
> commit 1bc39742aab09248169ef9d3727c9def3528b3f3 upstream.

Simon suggested Greg not to queue this patch for stable kernels as it
breaks no-MMU ARM configs. He will provide a follow-up patch that
should go together with this one.

Cheers,
--
Luis

>
> Commit f8b63c1 made flush_kernel_dcache_page a no-op assuming that
> the pages it needs to handle are kernel mapped only. However, for
> example when doing direct I/O, pages with user space mappings may
> occur.
>
> Thus, continue to do lazy flushing if there are no user space
> mappings. Otherwise, flush the kernel cache lines directly.
>
> Signed-off-by: Simon Baatz <[email protected]>
> Reviewed-by: Catalin Marinas <[email protected]>
> Signed-off-by: Russell King <[email protected]>
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> arch/arm/include/asm/cacheflush.h | 4 +---
> arch/arm/mm/flush.c | 33 +++++++++++++++++++++++++++++++++
> 2 files changed, 34 insertions(+), 3 deletions(-)
>
> --- a/arch/arm/include/asm/cacheflush.h
> +++ b/arch/arm/include/asm/cacheflush.h
> @@ -301,9 +301,7 @@ static inline void flush_anon_page(struc
> }
>
> #define ARCH_HAS_FLUSH_KERNEL_DCACHE_PAGE
> -static inline void flush_kernel_dcache_page(struct page *page)
> -{
> -}
> +extern void flush_kernel_dcache_page(struct page *);
>
> #define flush_dcache_mmap_lock(mapping) \
> spin_lock_irq(&(mapping)->tree_lock)
> --- a/arch/arm/mm/flush.c
> +++ b/arch/arm/mm/flush.c
> @@ -304,6 +304,39 @@ void flush_dcache_page(struct page *page
> EXPORT_SYMBOL(flush_dcache_page);
>
> /*
> + * Ensure cache coherency for the kernel mapping of this page. We can
> + * assume that the page is pinned via kmap.
> + *
> + * If the page only exists in the page cache and there are no user
> + * space mappings, this is a no-op since the page was already marked
> + * dirty at creation. Otherwise, we need to flush the dirty kernel
> + * cache lines directly.
> + */
> +void flush_kernel_dcache_page(struct page *page)
> +{
> + if (cache_is_vivt() || cache_is_vipt_aliasing()) {
> + struct address_space *mapping;
> +
> + mapping = page_mapping(page);
> +
> + if (!mapping || mapping_mapped(mapping)) {
> + void *addr;
> +
> + addr = page_address(page);
> + /*
> + * kmap_atomic() doesn't set the page virtual
> + * address for highmem pages, and
> + * kunmap_atomic() takes care of cache
> + * flushing already.
> + */
> + if (!IS_ENABLED(CONFIG_HIGHMEM) || addr)
> + __cpuc_flush_dcache_area(addr, PAGE_SIZE);
> + }
> + }
> +}
> +EXPORT_SYMBOL(flush_kernel_dcache_page);
> +
> +/*
> * Flush an anonymous page so that users of get_user_pages()
> * can safely access the data. The expected sequence is:
> *
>
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html

2013-06-26 17:22:10

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [07/26] USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable

On Wed, Jun 26, 2013 at 10:21:22AM +0200, Anders Hammarquist wrote:
> In a message of Wed, 26 Jun 2013 03:35:58 +0100, Ben Hutchings writes:
> >3.2.48-rc1 review patch. If anyone has any objections, please let me know.
> >
> >------------------
> >
> >From: Anders Hammarquist <[email protected]>
> >
> >commit 35a2fbc941accd0e9f1bfadd669311786118d874 upstream.
> >
> >Add product id for Abbott strip port cable for Precision meter which
> >uses the TI 3410 chip.
>
> It needs to be paired with later patches that fix the statically sized
> usb_device_id array, so I don't think it should go in alone.

See my other response as to why I think this patch, as-is, is fine to go
in.

thanks,

greg k-h

2013-06-26 18:37:14

by David Miller

[permalink] [raw]
Subject: Re: [16/26] r8169: fix 8168evl frame padding.

From: Stefan Bader <[email protected]>
Date: Wed, 26 Jun 2013 10:51:36 +0200

>> [ Upstream commits e5195c1f31f399289347e043d6abf3ffa80f0005 and
>> b423e9ae49d78ea3f53b131c8d5a6087aed16fd6 ]
...
> No abjection, just make sure that
>
> commit b423e9ae49d78ea3f53b131c8d5a6087aed16fd6
...
> is included as well.

Read the commit message carefully, the two commits were folded into
one exactly to deal with this issue.

2013-06-26 20:01:03

by Stefan Bader

[permalink] [raw]
Subject: Re: [16/26] r8169: fix 8168evl frame padding.

On 26.06.2013 20:37, David Miller wrote:
> From: Stefan Bader <[email protected]>
> Date: Wed, 26 Jun 2013 10:51:36 +0200
>
>>> [ Upstream commits e5195c1f31f399289347e043d6abf3ffa80f0005 and
>>> b423e9ae49d78ea3f53b131c8d5a6087aed16fd6 ]
> ...
>> No abjection, just make sure that
>>
>> commit b423e9ae49d78ea3f53b131c8d5a6087aed16fd6
> ...
>> is included as well.
>
> Read the commit message carefully, the two commits were folded into
> one exactly to deal with this issue.
>
Oops, yeah you are right. Sorry for the noise. Should not reply while coffee has
not kicked in.

-Stefan


Attachments:
signature.asc (899.00 B)
OpenPGP digital signature

2013-06-26 22:36:02

by Simon Baatz

[permalink] [raw]
Subject: Re: [04/26] ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page

Hi Ben, Luis,

On Wed, Jun 26, 2013 at 10:04:11AM +0100, Luis Henriques wrote:
> Ben Hutchings <[email protected]> writes:
>
> > 3.2.48-rc1 review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Simon Baatz <[email protected]>
> >
> > commit 1bc39742aab09248169ef9d3727c9def3528b3f3 upstream.
>
> Simon suggested Greg not to queue this patch for stable kernels as it
> breaks no-MMU ARM configs. He will provide a follow-up patch that
> should go together with this one.

Fortunately, the follow-up patch is upstream now. It is commit
63384fd0b1509acf522a8a8fcede09087eedb7df (ARM: 7772/1: Fix missing
flush_kernel_dcache_page() for noMMU).

Thus, please add that patch as well. If it is too late to do this, my
suggestion would be to queue both of them together for the next cycle.

- Simon

2013-06-27 08:21:39

by Luis Henriques

[permalink] [raw]
Subject: Re: [04/26] ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page

Simon Baatz <[email protected]> writes:

> Hi Ben, Luis,
>
> On Wed, Jun 26, 2013 at 10:04:11AM +0100, Luis Henriques wrote:
>> Ben Hutchings <[email protected]> writes:
>>
>> > 3.2.48-rc1 review patch. If anyone has any objections, please let me know.
>> >
>> > ------------------
>> >
>> > From: Simon Baatz <[email protected]>
>> >
>> > commit 1bc39742aab09248169ef9d3727c9def3528b3f3 upstream.
>>
>> Simon suggested Greg not to queue this patch for stable kernels as it
>> breaks no-MMU ARM configs. He will provide a follow-up patch that
>> should go together with this one.
>
> Fortunately, the follow-up patch is upstream now. It is commit
> 63384fd0b1509acf522a8a8fcede09087eedb7df (ARM: 7772/1: Fix missing
> flush_kernel_dcache_page() for noMMU).
>
> Thus, please add that patch as well. If it is too late to do this, my
> suggestion would be to queue both of them together for the next cycle.

Thanks Simon, I'll queue both for the 3.5 kernel.

Cheers,
--
Luis

2013-06-29 03:01:41

by Ben Hutchings

[permalink] [raw]
Subject: Re: [04/26] ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page

On Thu, 2013-06-27 at 00:35 +0200, Simon Baatz wrote:
> Hi Ben, Luis,
>
> On Wed, Jun 26, 2013 at 10:04:11AM +0100, Luis Henriques wrote:
> > Ben Hutchings <[email protected]> writes:
> >
> > > 3.2.48-rc1 review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Simon Baatz <[email protected]>
> > >
> > > commit 1bc39742aab09248169ef9d3727c9def3528b3f3 upstream.
> >
> > Simon suggested Greg not to queue this patch for stable kernels as it
> > breaks no-MMU ARM configs. He will provide a follow-up patch that
> > should go together with this one.
>
> Fortunately, the follow-up patch is upstream now. It is commit
> 63384fd0b1509acf522a8a8fcede09087eedb7df (ARM: 7772/1: Fix missing
> flush_kernel_dcache_page() for noMMU).
>
> Thus, please add that patch as well. If it is too late to do this, my
> suggestion would be to queue both of them together for the next cycle.

I'm including the noMMU fix in 3.2.48, thanks.

Ben.

--
Ben Hutchings
Knowledge is power. France is bacon.


Attachments:
signature.asc (828.00 B)
This is a digitally signed message part