2008-06-14 00:10:11

by Greg KH

Subject: [patch 00/47] 2.6.25-stable review

This is the start of the stable review cycle for the 2.6.25.7 release.
There are 47 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc:
line. If you wish to be a reviewer, please email [email protected] to
add your name to the list. If you want to be off the reviewer list,
also email us.

Responses should be made by Monday, Jun 16, 20:00:00 UTC. Anything
received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.7-rc1.gz
and the diffstat can be found below.


thanks,

the -stable release team

----------


Documentation/cciss.txt | 5 +
Makefile | 2
arch/x86/Kconfig | 23 +----
drivers/block/brd.c | 1
drivers/block/cciss.c | 21 +++--
drivers/char/pcmcia/ipwireless/hardware.c | 20 ++--
drivers/cpufreq/cpufreq.c | 2
drivers/infiniband/core/umem.c | 2
drivers/media/video/bt8xx/bttv-driver.c | 2
drivers/media/video/videobuf-core.c | 3
drivers/mmc/host/wbsd.c | 21 ++---
drivers/net/cassini.c | 11 +-
drivers/net/forcedeth.c | 20 ++++
drivers/net/pppol2tp.c | 124 +++++++++++++++++++++++-------
drivers/net/wireless/b43/main.c | 12 ++
drivers/serial/serial_core.c | 5 -
drivers/serial/sunhv.c | 1
drivers/ssb/driver_pcicore.c | 4
drivers/video/hgafb.c | 26 +++---
drivers/video/modedb.c | 1
fs/cifs/cifsfs.c | 21 ++---
fs/ecryptfs/crypto.c | 2
fs/ecryptfs/file.c | 2
fs/ecryptfs/inode.c | 15 +--
fs/pipe.c | 3
include/asm-m68k/bitops.h | 46 ++++++++++-
include/linux/pci_ids.h | 1
include/media/videobuf-core.h | 3
include/net/netlink.h | 11 +-
init/Kconfig | 1
net/8021q/vlan.c | 4
net/ax25/ax25_subr.c | 11 --
net/bluetooth/rfcomm/core.c | 2
net/can/raw.c | 21 ++---
net/core/dev.c | 2
net/ipv4/route.c | 2
net/ipv4/tcp_cong.c | 12 +-
net/ipv4/tcp_input.c | 65 ++++++++++-----
net/ipv4/tcp_output.c | 10 +-
net/ipv6/route.c | 2
net/key/af_key.c | 2
net/mac80211/ieee80211_sta.c | 5 +
net/sched/cls_api.c | 2
sound/pci/emu10k1/emu10k1_main.c | 15 +--
sound/pci/hda/patch_realtek.c | 1
45 files changed, 375 insertions(+), 192 deletions(-)


2008-06-14 00:12:33

by Greg KH

Subject: [patch 02/47] ipwireless: Fix blocked sending

-stable review patch. If anyone has any objections, please let us know.

------------------
From: David Sterba <[email protected]>

upstream commit: eb4e545d4ac82d9018487edb4419b33b9930c857

Packet sending is driven by two flags, tx_ready and tx_queued.
It was possible, that there were queued data for sending and
hardware was flagged as blocked but in fact it was not.

The tx_queued was indicator but should be really a counter else
first fragmented packet resets tx_queued flag, but there may be
pending packets which do not get sent.

New semantics:
  tx_ready  - set, if hw is ready to send packet, no packet is being
              transferred right now
              set the flag right at the place where data are copied
              into hw memory and not earlier without checking if it
              was successful
  tx_queued - count of enqueued packets, including fragments

Tested-by: Michal Rokos <[email protected]>
Signed-off-by: David Sterba <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/char/pcmcia/ipwireless/hardware.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)

--- a/drivers/char/pcmcia/ipwireless/hardware.c
+++ b/drivers/char/pcmcia/ipwireless/hardware.c
@@ -251,10 +251,11 @@ struct ipw_hardware {
int init_loops;
struct timer_list setup_timer;

+ /* Flag if hw is ready to send next packet */
int tx_ready;
- struct list_head tx_queue[NL_NUM_OF_PRIORITIES];
- /* True if any packets are queued for transmission */
+ /* Count of pending packets to be sent */
int tx_queued;
+ struct list_head tx_queue[NL_NUM_OF_PRIORITIES];

int rx_bytes_queued;
struct list_head rx_queue;
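
Review bot: tx_queued changes from a boolean to a packet count in struct ipw_hardware, but the new comments do not say which lock guards it or what it must equal. Every update in this patch happens under hw->spinlock, so state that here, together with the invariant that tx_queued is the total number of entries across all tx_queue[] lists; an unbalanced increment or decrement would otherwise leave the `hw->tx_queued && hw->tx_ready` test permanently true or false with nothing pointing at the cause.
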
@@ -430,6 +431,8 @@ static int do_send_fragment(struct ipw_h

spin_lock_irqsave(&hw->spinlock, flags);

+ hw->tx_ready = 0;
+
if (hw->hw_version == HW_VERSION_1) {
outw((unsigned short) length, hw->base_port + IODWR);

@@ -518,6 +521,7 @@ static int do_send_packet(struct ipw_har

spin_lock_irqsave(&hw->spinlock, flags);
list_add(&packet->queue, &hw->tx_queue[0]);
+ hw->tx_queued++;
spin_unlock_irqrestore(&hw->spinlock, flags);
} else {
if (packet->packet_callback)
@@ -975,12 +979,10 @@ static int send_pending_packet(struct ip
unsigned long flags;

spin_lock_irqsave(&hw->spinlock, flags);
- if (hw->tx_queued && hw->tx_ready != 0) {
+ if (hw->tx_queued && hw->tx_ready) {
int priority;
struct ipw_tx_packet *packet = NULL;

- hw->tx_ready--;
-
/* Pick a packet */
for (priority = 0; priority < priority_limit; priority++) {
if (!list_empty(&hw->tx_queue[priority])) {
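
Review bot: with `hw->tx_ready--` removed from send_pending_packet(), the ready flag is no longer consumed during the same lock hold that tests it. It is now cleared only in do_send_fragment(), which takes hw->spinlock again after this function has released it, so two callers could both pass `if (hw->tx_queued && hw->tx_ready)` and each dequeue a packet before either clears the flag. Please confirm that send_pending_packet() only ever has one serialized caller and say so in a comment next to the test.
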
@@ -989,6 +991,7 @@ static int send_pending_packet(struct ip
struct ipw_tx_packet,
queue);

+ hw->tx_queued--;
list_del(&packet->queue);

break;
@@ -999,6 +1002,7 @@ static int send_pending_packet(struct ip
spin_unlock_irqrestore(&hw->spinlock, flags);
return 0;
}
+
spin_unlock_irqrestore(&hw->spinlock, flags);

/* Send */
@@ -1089,7 +1093,7 @@ static irqreturn_t ipwireless_handle_v1_
if (irqn & IR_TXINTR) {
ack |= IR_TXINTR;
spin_lock_irqsave(&hw->spinlock, flags);
- hw->tx_ready++;
+ hw->tx_ready = 1;
spin_unlock_irqrestore(&hw->spinlock, flags);
}
/* Received data */
@@ -1196,7 +1200,7 @@ static irqreturn_t ipwireless_handle_v2_
if (memrxdone & MEMRX_RX_DONE) {
writew(0, &hw->memory_info_regs->memreg_rx_done);
spin_lock_irqsave(&hw->spinlock, flags);
- hw->tx_ready++;
+ hw->tx_ready = 1;
spin_unlock_irqrestore(&hw->spinlock, flags);
tx = 1;
}
@@ -1260,7 +1264,7 @@ static void send_packet(struct ipw_hardw

spin_lock_irqsave(&hw->spinlock, flags);
list_add_tail(&packet->queue, &hw->tx_queue[priority]);
- hw->tx_queued = 1;
+ hw->tx_queued++;
spin_unlock_irqrestore(&hw->spinlock, flags);

flush_packets_to_hw(hw);

--

2008-06-14 00:12:51

by Greg KH

Subject: [patch 01/47] b43: Fix controller restart crash

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Michael Buesch <[email protected]>

upstream commit: 3bf0a32e22fedc0b46443699db2d61ac2a883ac4

This fixes a kernel crash on rmmod, in the case where the controller
was restarted before doing the rmmod.

Signed-off-by: Michael Buesch <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/net/wireless/b43/main.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -3818,7 +3818,9 @@ static void b43_chip_reset(struct work_s
goto out;
}
}
- out:
+out:
+ if (err)
+ wl->current_dev = NULL; /* Failed to init the dev. */
mutex_unlock(&wl->mutex);
if (err)
b43err(wl, "Controller restart FAILED\n");
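
Review bot: clearing wl->current_dev at the `out:` label on a failed restart changes what b43_remove() does later in this patch, because its `if (wl->current_dev == wldev)` test then fails and ieee80211_unregister_hw(wl->hw) is skipped for that device. Please confirm that skipping the unregister is the intended result on this path; the comment "Failed to init the dev." does not cover it.
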
@@ -3967,9 +3969,11 @@ static void b43_one_core_detach(struct s
struct b43_wldev *wldev;
struct b43_wl *wl;

+ /* Do not cancel ieee80211-workqueue based work here.
+ * See comment in b43_remove(). */
+
wldev = ssb_get_drvdata(dev);
wl = wldev->wl;
- cancel_work_sync(&wldev->restart_work);
b43_debugfs_remove_device(wldev);
b43_wireless_core_detach(wldev);
list_del(&wldev->list);
@@ -4152,6 +4156,10 @@ static void b43_remove(struct ssb_device
struct b43_wl *wl = ssb_get_devtypedata(dev);
struct b43_wldev *wldev = ssb_get_drvdata(dev);

+ /* We must cancel any work here before unregistering from ieee80211,
+ * as the ieee80211 unreg will destroy the workqueue. */
+ cancel_work_sync(&wldev->restart_work);
+
B43_WARN_ON(!wl);
if (wl->current_dev == wldev)
ieee80211_unregister_hw(wl->hw);
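
Review bot: nothing in this hunk stops restart_work from being queued again after cancel_work_sync(&wldev->restart_work) returns and before ieee80211_unregister_hw() tears down the workqueue the new comment refers to. If a restart can still be requested in that window, the crash this patch fixes can recur; please point to what prevents a re-queue during b43_remove(), or add it to the comment.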

--

2008-06-14 00:13:10

by Greg KH

Subject: [patch 03/47] Add rd alias to new brd ramdisk driver

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Nick Piggin <[email protected]>

upstream commit: efedf51c866130945b5db755cb58670e60205d83

Alias brd to rd in the hope of helping legacy users. Suggested by Jan.

Signed-off-by: Nick Piggin <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/block/brd.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -392,6 +392,7 @@ module_param(rd_size, int, 0);
MODULE_PARM_DESC(rd_size, "Size of each RAM disk in kbytes.");
MODULE_LICENSE("GPL");
MODULE_ALIAS_BLOCKDEV_MAJOR(RAMDISK_MAJOR);
+MODULE_ALIAS("rd");

#ifndef MODULE
/* Legacy boot options - nonmodular */

--

2008-06-14 00:13:34

by Greg KH

Subject: [patch 04/47] ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Michael Buesch <[email protected]>

upstream commit: a3bafeedfff2ac5fa0a316bea4570e27900b6fcc

This fixes a context assertion in ssb that makes b44 print
out warnings on resume.

This fixes the following kernel oops:
http://www.kerneloops.org/oops.php?number=12732
http://www.kerneloops.org/oops.php?number=11410

Signed-off-by: Michael Buesch <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

---
drivers/ssb/driver_pcicore.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/ssb/driver_pcicore.c
+++ b/drivers/ssb/driver_pcicore.c
@@ -519,12 +519,12 @@ int ssb_pcicore_dev_irqvecs_enable(struc
int err = 0;
u32 tmp;

- might_sleep();
-
if (!pdev)
goto out;
bus = pdev->bus;

+ might_sleep_if(pdev->id.coreid != SSB_DEV_PCI);
+
/* Enable interrupts for this device. */
if (bus->host_pci &&
((pdev->id.revision >= 6) || (pdev->id.coreid == SSB_DEV_PCIE))) {
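
Review bot: `might_sleep_if(pdev->id.coreid != SSB_DEV_PCI)` needs a comment explaining why the SSB_DEV_PCI case is exempt from the sleep check; the condition is not self-explanatory and the commit message only mentions b44 warnings on resume. The check also now dereferences pdev, so it has to stay below `if (!pdev) goto out;`, which is worth noting in the same comment so it is not moved back to the top of the function.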

--

2008-06-14 00:13:49

by Greg KH

Subject: [patch 05/47] double-free of inode on alloc_file() failure exit in create_write_pipe()

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Al Viro <[email protected]>

upstream commit: ed1524371716466e9c762808b02601d0d0276a92

Duh... Fortunately, the bug is quite recent (post-2.6.25) and, embarrassingly,
mine ;-/

http://bugzilla.kernel.org/show_bug.cgi?id=10878

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
fs/pipe.c | 3 +++
1 file changed, 3 insertions(+)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -988,7 +988,10 @@ struct file *create_write_pipe(void)
return f;

err_dentry:
+ free_pipe_info(inode);
dput(dentry);
+ return ERR_PTR(err);
+
err_inode:
free_pipe_info(inode);
iput(inode);
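
Review bot: the err_dentry label now ends in its own `return ERR_PTR(err);` and no longer falls through to err_inode, but the code does not say why. Add a short comment that dput(dentry) already drops the inode, so iput(inode) must not run on this path, and that free_pipe_info(inode) therefore has to come before the dput(); without it the two labels, which now both call free_pipe_info(inode), look like a candidate for being merged again.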

--

2008-06-14 00:14:11

by Greg KH

Subject: [patch 06/47] ALSA: hda - Fix resume of auto-config mode with Realtek codecs

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Takashi Iwai <[email protected]>

upstream commit: 07bc76dfa19b10017b518dd9aa1b2719e8c863de

The auto-config mode of Realtek ALC codecs has a bug since 2.6.25
that it cannot resume properly. The problem was the wrong assignment
of init_hook that overrides the whole initialization.

Relevant bug reports:
http://bugzilla.kernel.org/show_bug.cgi?id=10662
https://bugzilla.novell.com/show_bug.cgi?id=385473

Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
sound/pci/hda/patch_realtek.c | 1 -
1 file changed, 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -940,7 +940,6 @@ do_sku:
AC_VERB_SET_UNSOLICITED_ENABLE,
AC_USRSP_EN | ALC880_HP_EVENT);
spec->unsol_event = alc_sku_unsol_event;
- spec->init_hook = alc_sku_automute;
}

/*
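
Review bot: removing `spec->init_hook = alc_sku_automute;` leaves the do_sku path with only the unsolicited-event handler, alc_sku_unsol_event, assigned here. Please confirm that the mute state is still set correctly at init and after resume before the first unsolicited event arrives, since nothing in this hunk calls alc_sku_automute() any more.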

--

2008-06-14 00:14:31

by Greg KH

Subject: [patch 07/47] sound: emu10k1 - fix system hang with Audigy2 ZS Notebook PCMCIA card

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Jaroslav Franek <[email protected]>

upstream commit: 868e15dbd2940f9453b4399117686f408dc77299

When the Linux kernel is compiled with CONFIG_DEBUG_SHIRQ=y,
the Soundblaster Audigy2 ZS Notebook PCMCIA card causes the
system to hang during boot (udev stage) or when the card is hot-plugged.
The CONFIG_DEBUG_SHIRQ flag is by default 'y' with all Fedora
kernels since 2.6.23. The problem was reported as
https://bugzilla.redhat.com/show_bug.cgi?id=326411

The issue was hunted down to the snd_emu10k1_create() routine:

/* pseudo-code */
snd_emu10k1_create(...) {
    ...
    request_irq(... IRQF_SHARED ...) {
        register the irq handler
#ifdef CONFIG_DEBUG_SHIRQ
        call the irq handler: snd_emu10k1_interrupt() {
            poll I/O port // <---- !! system hangs
            ...
        }
#endif
    }
    ...
    snd_emu10k1_cardbus_init(...) {
        initialize I/O ports
    }
    ...
}

The early access to I/O port in the interrupt handler causes
the freeze. Obviously it is necessary to init the I/O ports
before accessing them. This patch moves the registration of
the irq handler after the initialization of the I/O ports.

Signed-off-by: Jaroslav Franek <[email protected]>
Acked-by: James Courtier-Dutton <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
sound/pci/emu10k1/emu10k1_main.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

--- a/sound/pci/emu10k1/emu10k1_main.c
+++ b/sound/pci/emu10k1/emu10k1_main.c
@@ -1817,13 +1817,6 @@ int __devinit snd_emu10k1_create(struct
}
emu->port = pci_resource_start(pci, 0);

- if (request_irq(pci->irq, snd_emu10k1_interrupt, IRQF_SHARED,
- "EMU10K1", emu)) {
- err = -EBUSY;
- goto error;
- }
- emu->irq = pci->irq;
-
emu->max_cache_pages = max_cache_bytes >> PAGE_SHIFT;
if (snd_dma_alloc_pages(SNDRV_DMA_TYPE_DEV, snd_dma_pci_data(pci),
32 * 1024, &emu->ptb_pages) < 0) {
@@ -1886,6 +1879,14 @@ int __devinit snd_emu10k1_create(struct
emu->fx8010.etram_pages.area = NULL;
emu->fx8010.etram_pages.bytes = 0;

+ /* irq handler must be registered after I/O ports are activated */
+ if (request_irq(pci->irq, snd_emu10k1_interrupt, IRQF_SHARED,
+ "EMU10K1", emu)) {
+ err = -EBUSY;
+ goto error;
+ }
+ emu->irq = pci->irq;
+
/*
* Init to 0x02109204 :
* Clock accuracy = 0 (1000ppm)
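
Review bot: the new comment says the handler "must be registered after I/O ports are activated", but the context above the relocated request_irq() only shows fx8010.etram_pages being cleared, so this hunk does not show that the card's I/O port initialization has already run at this point. Please confirm the ordering against the rest of snd_emu10k1_create(). Because the line is IRQF_SHARED, snd_emu10k1_interrupt() can run as soon as it is registered, so everything the handler reads has to be set up before this call, not only the ports.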

--

2008-06-14 00:15:16

by Greg KH

Subject: [patch 09/47] eCryptfs: protect crypt_stat->flags in ecryptfs_open()

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Michael Halcrow <[email protected]>

upstream commit: 2f9b12a31fcb738ea8c9eb0d4ddf906c6f1d696c

Make sure crypt_stat->flags is protected with a lock in ecryptfs_open().

Signed-off-by: Michael Halcrow <[email protected]>
Cc: Al Viro <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
fs/ecryptfs/file.c | 2 ++
1 file changed, 2 insertions(+)

--- a/fs/ecryptfs/file.c
+++ b/fs/ecryptfs/file.c
@@ -195,7 +195,9 @@ static int ecryptfs_open(struct inode *i
file, ecryptfs_inode_to_private(inode)->lower_file);
if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) {
ecryptfs_printk(KERN_DEBUG, "This is a directory\n");
+ mutex_lock(&crypt_stat->cs_mutex);
crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED);
+ mutex_unlock(&crypt_stat->cs_mutex);
rc = 0;
goto out;
}

--

2008-06-14 00:14:49

by Greg KH

Subject: [patch 08/47] ecryptfs: add missing lock around notify_change

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Miklos Szeredi <[email protected]>

upstream commit: 9c3580aa52195699065bc2d7242b1c7e3e6903fa

Callers of notify_change() need to hold i_mutex.

Signed-off-by: Miklos Szeredi <[email protected]>
Cc: Michael Halcrow <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
fs/ecryptfs/inode.c | 2 ++
1 file changed, 2 insertions(+)

--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -908,7 +908,9 @@ static int ecryptfs_setattr(struct dentr
if (ia->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
ia->ia_valid &= ~ATTR_MODE;

+ mutex_lock(&lower_dentry->d_inode->i_mutex);
rc = notify_change(lower_dentry, ia);
+ mutex_unlock(&lower_dentry->d_inode->i_mutex);
out:
fsstack_copy_attr_all(inode, lower_inode, NULL);
return rc;

--

2008-06-14 00:15:42

by Greg KH

Subject: [patch 10/47] ecryptfs: clean up (un)lock_parent

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Miklos Szeredi <[email protected]>

upstream commit: 8dc4e37362a5dc910d704d52ac6542bfd49ddc2f

dget(dentry->d_parent) --> dget_parent(dentry)

unlock_parent() is racy and unnecessary. Replace single caller with
unlock_dir().

There are several other suspect uses of ->d_parent in ecryptfs...

Signed-off-by: Miklos Szeredi <[email protected]>
Cc: Michael Halcrow <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
fs/ecryptfs/inode.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)

--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -37,17 +37,11 @@ static struct dentry *lock_parent(struct
{
struct dentry *dir;

- dir = dget(dentry->d_parent);
+ dir = dget_parent(dentry);
mutex_lock_nested(&(dir->d_inode->i_mutex), I_MUTEX_PARENT);
return dir;
}

-static void unlock_parent(struct dentry *dentry)
-{
- mutex_unlock(&(dentry->d_parent->d_inode->i_mutex));
- dput(dentry->d_parent);
-}
-
static void unlock_dir(struct dentry *dir)
{
mutex_unlock(&dir->d_inode->i_mutex);
@@ -426,8 +420,9 @@ static int ecryptfs_unlink(struct inode
int rc = 0;
struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+ struct dentry *lower_dir_dentry;

- lock_parent(lower_dentry);
+ lower_dir_dentry = lock_parent(lower_dentry);
rc = vfs_unlink(lower_dir_inode, lower_dentry);
if (rc) {
printk(KERN_ERR "Error in vfs_unlink; rc = [%d]\n", rc);
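
Review bot: vfs_unlink() in ecryptfs_unlink() is still passed lower_dir_inode, which is derived from the upper `dir`, while the i_mutex actually held is that of the lower_dir_dentry returned by lock_parent(). If the two can refer to different directories, the unlink runs against an inode whose mutex is not held; passing lower_dir_dentry->d_inode would keep the lock and the operation on the same inode. The commit message says other suspect ->d_parent uses remain, so please state whether this one is left on purpose.
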
@@ -439,7 +434,7 @@ static int ecryptfs_unlink(struct inode
dentry->d_inode->i_ctime = dir->i_ctime;
d_drop(dentry);
out_unlock:
- unlock_parent(lower_dentry);
+ unlock_dir(lower_dir_dentry);
return rc;
}


--

2008-06-14 00:15:59

by Greg KH

Subject: [patch 11/47] ecryptfs: fix missed mutex_unlock

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Cyrill Gorcunov <[email protected]>

upstream commit: 71fd5179e8d1d4d503b517e0c5374f7c49540bfc

Cc: Michael Halcrow <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
fs/ecryptfs/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -1907,9 +1907,9 @@ int ecryptfs_get_tfm_and_mutex_for_ciphe
goto out;
}
}
- mutex_unlock(&key_tfm_list_mutex);
(*tfm) = key_tfm->key_tfm;
(*tfm_mutex) = &key_tfm->key_tfm_mutex;
out:
+ mutex_unlock(&key_tfm_list_mutex);
return rc;
}
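
Review bot: moving mutex_unlock(&key_tfm_list_mutex) below the `out:` label means every `goto out` in this function must now be reached with the mutex held. The hunk shows only the one inside the nested block; if any `goto out` can run before the lock is taken, this unlocks a mutex that is not held. Please confirm all paths to `out:`, and note that the commit message carries no description of the bug being fixed.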

--

2008-06-14 00:16:23

by Greg KH

Subject: [patch 12/47] fbdev: export symbol fb_mode_option

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Geoff Levand <[email protected]>

upstream commit: 659179b28f15ab1b1db5f8767090f5e728f115a1

Frame buffer and mode setting drivers can be built as modules,
so fb_mode_option needs to be exported to support these.

Prevents this error:

ERROR: "fb_mode_option" [drivers/ps3/ps3av_mod.ko] undefined!

Signed-off-by: Geoff Levand <[email protected]>
Acked-by: Geert Uytterhoeven <[email protected]>
Cc: Krzysztof Helt <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/video/modedb.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/video/modedb.c
+++ b/drivers/video/modedb.c
@@ -28,6 +28,7 @@
#endif

const char *fb_mode_option;
+EXPORT_SYMBOL_GPL(fb_mode_option);

/*
* Standard video mode definitions (taken from XFree86)

--

2008-06-14 00:16:39

by Greg KH

Subject: [patch 13/47] sunhv: Fix locking in non-paged I/O case.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: David S. Miller <[email protected]>

[ upstream commit: 3651751fff44ede58f65cbb1e39242139ead251b ]

This causes the lock to be taken twice, thus resulting in
a deadlock.

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/serial/sunhv.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/serial/sunhv.c
+++ b/drivers/serial/sunhv.c
@@ -499,7 +499,6 @@ static void sunhv_console_write_bychar(s
} else
spin_lock(&port->lock);

- spin_lock_irqsave(&port->lock, flags);
for (i = 0; i < n; i++) {
if (*s == '\n')
sunhv_console_putchar(port, '\r');
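
Review bot: after the second `spin_lock_irqsave(&port->lock, flags);` is dropped, the unlock at the end of sunhv_console_write_bychar() has to pair with the plain spin_lock(&port->lock) kept in the else branch above, and must not restore an interrupt state from `flags` that only the removed call would have saved. This hunk does not show the unlock side; please confirm it matches.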

--

2008-06-14 00:16:54

by Greg KH

Subject: [patch 14/47] af_key: Fix selector family initialization.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Kazunori MIYAZAWA <[email protected]>

[ upstream commit: 4da5105687e0993a3bbdcffd89b2b94d9377faab ]

This propagates the xfrm_user fix made in commit
bcf0dda8d2408fe1c1040cdec5a98e5fcad2ac72 ("[XFRM]: xfrm_user: fix
selector family initialization")

Based upon a bug report from, and tested by, Alan Swanson.

Signed-off-by: Kazunori MIYAZAWA <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfr
x->sel.prefixlen_s = addr->sadb_address_prefixlen;
}

- if (x->props.mode == XFRM_MODE_TRANSPORT)
+ if (!x->sel.family)
x->sel.family = x->props.family;

if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {

--

2008-06-14 00:17:23

by Greg KH

Subject: [patch 15/47] ax25: Fix NULL pointer dereference and lockup.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Jarek Poplawski <[email protected]>

[ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

There is only one function in AX25 calling skb_append(), and it really
looks suspicious: appends skb after previously enqueued one, but in
the meantime this previous skb could be removed from the queue.

This patch fixes it the simple way, so this is not fully compatible with
the current method, but testing hasn't shown any problems.

Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ax25/ax25_subr.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)

--- a/net/ax25/ax25_subr.c
+++ b/net/ax25/ax25_subr.c
@@ -64,20 +64,15 @@ void ax25_frames_acked(ax25_cb *ax25, un

void ax25_requeue_frames(ax25_cb *ax25)
{
- struct sk_buff *skb, *skb_prev = NULL;
+ struct sk_buff *skb;

/*
* Requeue all the un-ack-ed frames on the output queue to be picked
* up by ax25_kick called from the timer. This arrangement handles the
* possibility of an empty output queue.
*/
- while ((skb = skb_dequeue(&ax25->ack_queue)) != NULL) {
- if (skb_prev == NULL)
- skb_queue_head(&ax25->write_queue, skb);
- else
- skb_append(skb_prev, skb, &ax25->write_queue);
- skb_prev = skb;
- }
+ while ((skb = skb_dequeue_tail(&ax25->ack_queue)) != NULL)
+ skb_queue_head(&ax25->write_queue, skb);
}

/*
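
Review bot: the rewritten loop in ax25_requeue_frames() preserves frame order only because it takes from the tail of ack_queue and inserts at the head of write_queue; add that to the existing comment, since swapping either call for its head or tail counterpart silently reverses the frames. Each skb_dequeue_tail()/skb_queue_head() call is also a separate queue operation, so a frame placed at the head of write_queue by another context during the loop would end up between the requeued frames. The commit message says the result is "not fully compatible"; please spell out whether that interleaving is the accepted difference.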

--

2008-06-14 00:17:40

by Greg KH

Subject: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Arjan van de Ven <[email protected]>

[ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

in net/bluetooth/rfcomm/sock.c, rfcomm_sk_state_change() does the
following operation:

    if (parent && sock_flag(sk, SOCK_ZAPPED)) {
        /* We have to drop DLC lock here, otherwise
         * rfcomm_sock_destruct() will dead lock. */
        rfcomm_dlc_unlock(d);
        rfcomm_sock_kill(sk);
        rfcomm_dlc_lock(d);
    }
}

which is fine, since rfcomm_sock_kill() will call sk_free() which will call
rfcomm_sock_destruct() which takes the rfcomm_dlc_lock()... so far so good.

HOWEVER, this assumes that the rfcomm_sk_state_change() function always gets
called with the rfcomm_dlc_lock() taken. This is the case for all but one
case, and in that case where we don't have the lock, we do a double unlock
followed by an attempt to take the lock, which due to underflow isn't
going anywhere fast.

This patch fixes this by moving the straggling case inside the lock, like
the other usages of the same call are doing in this code.

This was found with the help of the http://www.kerneloops.org project, where this
deadlock was observed 51 times at this point in time:
http://www.kerneloops.org/search.php?search=rfcomm_sock_destruct

Signed-off-by: Arjan van de Ven <[email protected]>
Acked-by: Marcel Holtmann <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/bluetooth/rfcomm/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc

rfcomm_dlc_lock(d);
d->state = BT_CLOSED;
- rfcomm_dlc_unlock(d);
d->state_change(d, err);
+ rfcomm_dlc_unlock(d);

skb_queue_purge(&d->tx_queue);
rfcomm_dlc_unlink(d);
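
Review bot: d->state_change(d, err) in __rfcomm_dlc_close() is now invoked with the DLC lock held, which is what rfcomm_sk_state_change() expects according to the commit message, but that requirement is recorded only in the message. Add a comment at this call, or where state_change is declared, saying the callback runs under rfcomm_dlc_lock() and may drop and retake it, so the next call site added does not reintroduce the unlocked case.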

--

2008-06-14 00:17:55

by Greg KH

Subject: [patch 17/47] can: Fix copy_from_user() results interpretation

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Sam Ravnborg <[email protected]>

[ Upstream commit: 3f91bd420a955803421f2db17b2e04aacfbb2bb8 ]

Both copy_to_ and _from_user return the number of bytes that failed to
reach their destination, not the 0/-EXXX values.

Based on patch from Pavel Emelyanov <[email protected]>

Signed-off-by: Sam Ravnborg <[email protected]>
Acked-by: Oliver Hartkopp <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/can/raw.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)

--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -435,15 +435,13 @@ static int raw_setsockopt(struct socket
if (!filter)
return -ENOMEM;

- err = copy_from_user(filter, optval, optlen);
- if (err) {
+ if (copy_from_user(filter, optval, optlen)) {
kfree(filter);
- return err;
+ return -EFAULT;
}
} else if (count == 1) {
- err = copy_from_user(&sfilter, optval, optlen);
- if (err)
- return err;
+ if (copy_from_user(&sfilter, optval, optlen))
+ return -EFAULT;
}

lock_sock(sk);
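
Review bot: in the `count == 1` branch, copy_from_user(&sfilter, optval, optlen) still copies optlen bytes into a single filter object, and this hunk does not show the check that ties optlen to the size of sfilter. Please confirm that check precedes this code. The -EFAULT conversion itself is right: the removed `return err;` handed the positive count of uncopied bytes back to the caller as if it were an error code.
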
@@ -493,9 +491,8 @@ static int raw_setsockopt(struct socket
if (optlen != sizeof(err_mask))
return -EINVAL;

- err = copy_from_user(&err_mask, optval, optlen);
- if (err)
- return err;
+ if (copy_from_user(&err_mask, optval, optlen))
+ return -EFAULT;

err_mask &= CAN_ERR_MASK;

@@ -531,7 +528,8 @@ static int raw_setsockopt(struct socket
if (optlen != sizeof(ro->loopback))
return -EINVAL;

- err = copy_from_user(&ro->loopback, optval, optlen);
+ if (copy_from_user(&ro->loopback, optval, optlen))
+ return -EFAULT;

break;

@@ -539,7 +537,8 @@ static int raw_setsockopt(struct socket
if (optlen != sizeof(ro->recv_own_msgs))
return -EINVAL;

- err = copy_from_user(&ro->recv_own_msgs, optval, optlen);
+ if (copy_from_user(&ro->recv_own_msgs, optval, optlen))
+ return -EFAULT;

break;


--

2008-06-14 00:18:42

by Greg KH

Subject: [patch 19/47] net: Fix call to ->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags()

-stable review patch. If anyone has any objections, please let us know.

------------------
From: David Woodhouse <[email protected]>

[ upstream commit: 0e91796eb46e29edc791131c832a2232bcaed9dd ]

Am I just being particularly dim today, or can the call to
dev->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags() never
happen?

We've just set dev->flags = flags & IFF_MULTICAST, effectively. So the
condition '(dev->flags ^ flags) & IFF_MULTICAST' is _never_ going to be
true.

Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/core/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3132,7 +3132,7 @@ int dev_change_flags(struct net_device *
* Load in the correct multicast list now the flags have changed.
*/

- if (dev->change_rx_flags && (dev->flags ^ flags) & IFF_MULTICAST)
+ if (dev->change_rx_flags && (old_flags ^ flags) & IFF_MULTICAST)
dev->change_rx_flags(dev, IFF_MULTICAST);

dev_set_rx_mode(dev);
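
Review bot: the corrected test `dev->change_rx_flags && (old_flags ^ flags) & IFF_MULTICAST` relies on & binding tighter than &&; put the bitwise part in its own parentheses, `((old_flags ^ flags) & IFF_MULTICAST)`, so the intent is visible at a glance. Since the bug was a comparison against dev->flags after it had been overwritten, it is also worth checking the rest of dev_change_flags() for other tests of `dev->flags ^ flags` that should use old_flags.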

--

2008-06-14 00:18:23

by Greg KH

Subject: [patch 18/47] cassini: Only use chip checksum for ipv4 packets.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: David S. Miller <[email protected]>

[ upstream commit: b1443e2f6501f06930a162ff1ff08382a98bf23e ]

According to David Monro, at least with Natsemi Saturn chips the
cassini driver has some trouble with ipv6 checksums.

Until we have more information about what's going on here, only
use the chip checksums for ipv4.

This workaround was suggested and tested by David.

Update version and release date.

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/net/cassini.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/net/cassini.c
+++ b/drivers/net/cassini.c
@@ -142,8 +142,8 @@

#define DRV_MODULE_NAME "cassini"
#define PFX DRV_MODULE_NAME ": "
-#define DRV_MODULE_VERSION "1.5"
-#define DRV_MODULE_RELDATE "4 Jan 2008"
+#define DRV_MODULE_VERSION "1.6"
+#define DRV_MODULE_RELDATE "21 May 2008"

#define CAS_DEF_MSG_ENABLE \
(NETIF_MSG_DRV | \
@@ -2140,9 +2140,12 @@ end_copy_pkt:
if (addr)
cas_page_unmap(addr);
}
- skb->csum = csum_unfold(~csum);
- skb->ip_summed = CHECKSUM_COMPLETE;
skb->protocol = eth_type_trans(skb, cp->dev);
+ if (skb->protocol == htons(ETH_P_IP)) {
+ skb->csum = csum_unfold(~csum);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ } else
+ skb->ip_summed = CHECKSUM_NONE;
return len;
}


--

2008-06-14 00:19:01

by Greg KH

Subject: [patch 20/47] net_sched: cls_api: fix return value for non-existant classifiers

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Patrick McHardy <[email protected]>

[ upstream commit: f2df824948d559ea818e03486a8583e42ea6ab37 ]

cls_api should return ENOENT when the requested classifier doesn't
exist.

Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/sched/cls_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -220,7 +220,7 @@ replay:
tp = kzalloc(sizeof(*tp), GFP_KERNEL);
if (tp == NULL)
goto errout;
- err = -EINVAL;
+ err = -ENOENT;
tp_ops = tcf_proto_lookup_ops(tca[TCA_KIND]);
if (tp_ops == NULL) {
#ifdef CONFIG_KMOD

--

2008-06-14 00:19:24

by Greg KH

Subject: [patch 21/47] ipsec: Use the correct ip_local_out function

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Herbert Xu <[email protected]>

[ upstream commit: 1ac06e0306d0192a7a4d9ea1c9e06d355ce7e7d3 ]

Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly. Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash. Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/route.c | 2 +-
net/ipv6/route.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -162,7 +162,7 @@ static struct dst_ops ipv4_dst_ops = {
.negative_advice = ipv4_negative_advice,
.link_failure = ipv4_link_failure,
.update_pmtu = ip_rt_update_pmtu,
- .local_out = ip_local_out,
+ .local_out = __ip_local_out,
.entry_size = sizeof(struct rtable),
.entries = ATOMIC_INIT(0),
};
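
Review bot: Nothing at the `.local_out = __ip_local_out,` initializer records why the double-underscore variant is wanted, so a later cleanup could switch it back. The changelog's reason (xfrm_output_resume does its own dst_output call, and the value 1 means different things when returned by nf_hook and by dst_output) deserves a short comment above the member, here and at the matching line in net/ipv6/route.c.
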
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -105,7 +105,7 @@ static struct dst_ops ip6_dst_ops = {
.negative_advice = ip6_negative_advice,
.link_failure = ip6_link_failure,
.update_pmtu = ip6_rt_update_pmtu,
- .local_out = ip6_local_out,
+ .local_out = __ip6_local_out,
.entry_size = sizeof(struct rt6_info),
.entries = ATOMIC_INIT(0),
};

--

2008-06-14 00:19:43

by Greg KH

Subject: [patch 22/47] netlink: Fix nla_parse_nested_compat() to call nla_parse() directly

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Thomas Graf <[email protected]>

[ upstream commit: b9a2f2e450b0f770bb4347ae8d48eb2dea701e24 ]

The purpose of nla_parse_nested_compat() is to parse attributes which
contain a struct followed by a stream of nested attributes. So far,
it called nla_parse_nested() to parse the stream of nested attributes
which was wrong, as nla_parse_nested() expects a container attribute
as data which holds the attribute stream. It needs to call
nla_parse() directly while pointing at the next possible alignment
point after the struct in the beginning of the attribute.

With this patch, I can no longer reproduce the reported leftover
warnings.

Signed-off-by: Thomas Graf <[email protected]>
Acked-by: Patrick McHardy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
include/net/netlink.h | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -772,12 +772,13 @@ static inline int __nla_parse_nested_com
const struct nla_policy *policy,
int len)
{
- if (nla_len(nla) < len)
+ int nested_len = nla_len(nla) - NLA_ALIGN(len);
+
+ if (nested_len < 0)
return -1;
- if (nla_len(nla) >= NLA_ALIGN(len) + sizeof(struct nlattr))
- return nla_parse_nested(tb, maxtype,
- nla_data(nla) + NLA_ALIGN(len),
- policy);
+ if (nested_len >= nla_attr_size(0))
+ return nla_parse(tb, maxtype, nla_data(nla) + NLA_ALIGN(len),
+ nested_len, policy);
memset(tb, 0, sizeof(struct nlattr *) * (maxtype + 1));
return 0;
}
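
Review bot: The length check is stricter than before for a struct whose size is not a multiple of the attribute alignment. With `nested_len = nla_len(nla) - NLA_ALIGN(len)`, an attribute that holds exactly `len` bytes and no padding now gives a negative `nested_len` and returns -1, where the old test `nla_len(nla) < len` let it through to the `memset()` and `return 0`. If that rejection is intended, say so in the changelog; if not, keep the comparison against `len` and compute the aligned offset only afterwards.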

--
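
The difference the changelog above describes, as an added userspace model (not code from the patch or the kernel): `compat_old()` and `compat_new()` mirror the removed and added lines of the hunk, while `struct attr_hdr`, `parse_stream()` and the sample buffer are constructed stand-ins for struct nlattr, nla_parse() and a real message. Unlike nla_parse(), which only logs leftover bytes, `parse_stream()` returns their count so the result can be checked.

```c
/* Userspace model of the two parsing strategies; constructed example, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct attr_hdr { uint16_t len; uint16_t type; };   /* stand-in for struct nlattr */
#define HDRLEN 4                                    /* aligned header size */
#define BUFSZ  64

static int align4(int n) { return (n + 3) & ~3; }   /* stand-in for NLA_ALIGN() */

static int payload_len(const unsigned char *a)      /* stand-in for nla_len() */
{
    struct attr_hdr h;
    memcpy(&h, a, sizeof h);
    return h.len - HDRLEN;
}

/* Walk a raw attribute stream and record each attribute by type, as nla_parse()
 * does. Returns the bytes left unparsed (the kernel only warns about these). */
static int parse_stream(const unsigned char **tb, int maxtype,
                        const unsigned char *head, int rem)
{
    memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
    while (rem >= HDRLEN) {
        struct attr_hdr h;
        memcpy(&h, head, sizeof h);
        if (h.len < HDRLEN || h.len > rem)
            break;                      /* not a valid attribute: stop here */
        if (h.type > 0 && h.type <= maxtype)
            tb[h.type] = head;
        head += align4(h.len);
        rem -= align4(h.len);
    }
    return rem > 0 ? rem : 0;
}

/* Removed lines: the first nested attribute is handed over as if it were a
 * container, so its payload is parsed instead of the stream itself. */
static int compat_old(const unsigned char **tb, int maxtype,
                      const unsigned char *nla, int len)
{
    if (payload_len(nla) < len)
        return -1;
    if (payload_len(nla) >= align4(len) + HDRLEN) {
        const unsigned char *inner = nla + HDRLEN + align4(len);
        return parse_stream(tb, maxtype, inner + HDRLEN, payload_len(inner));
    }
    memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
    return 0;
}

/* Added lines: parse the stream directly from the aligned end of the struct. */
static int compat_new(const unsigned char **tb, int maxtype,
                      const unsigned char *nla, int len)
{
    int nested_len = payload_len(nla) - align4(len);
    if (nested_len < 0)
        return -1;
    if (nested_len >= HDRLEN)
        return parse_stream(tb, maxtype, nla + HDRLEN + align4(len), nested_len);
    memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
    return 0;
}

/* Append one u32 attribute at offset off; returns the next aligned offset. */
static int put_attr(unsigned char *buf, int off, uint16_t type, uint32_t value)
{
    struct attr_hdr h = { (uint16_t)(HDRLEN + sizeof value), type };
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + HDRLEN, &value, sizeof value);
    return off + align4(HDRLEN + (int)sizeof value);
}

/* Constructed sample: outer attribute = struct_len zero bytes, then
 * (optionally) padding and two u32 attributes of type 1 and 2. */
static void build_sample(unsigned char *buf, int struct_len, int with_nested)
{
    int off = HDRLEN + struct_len;
    memset(buf, 0, BUFSZ);
    if (with_nested) {
        off = put_attr(buf, HDRLEN + align4(struct_len), 1, 0x11111111u);
        off = put_attr(buf, off, 2, 0x22222222u);
    }
    struct attr_hdr outer = { (uint16_t)off, 16 };  /* 16: arbitrary outer type */
    memcpy(buf, &outer, sizeof outer);
}

int main(void)
{
    unsigned char buf[BUFSZ];
    const unsigned char *tb[3];
    build_sample(buf, 6, 1);            /* 6-byte struct, padded to 8 */
    printf("old leftover=%d, ", compat_old(tb, 2, buf, 6));
    printf("new leftover=%d\n", compat_new(tb, 2, buf, 6));
    return 0;
}
```

The second and third sample shapes in `build_sample()` (struct only, with and without padding) exercise the two short-length branches of the new check.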

2008-06-14 00:19:58

by Greg KH

Subject: [patch 23/47] l2tp: avoid skb truesize bug if headroom is increased

-stable review patch. If anyone has any objections, please let us know.

------------------
From: James Chapman <[email protected]>

[ upstream commit: 090c48d3dd5ea90b37350334aaed9a93b0c1e0a1 ]

A user reported seeing occasional bugs such as the following when
using the L2TP driver.

SKB BUG: Invalid truesize (272) len=72, sizeof(sk_buff)=208

When L2TP adds its header in the transmit path, it might need to
increase the headroom of the skb. In some cases, the increased
headroom trips a kernel bug when the skb is freed because the skb has
grown beyond its truesize value. The fix is to increase the truesize
by the amount of headroom added, after orphaning the skb.

While here, fix a misleading comment.

Thanks to Iouri Kharon <[email protected]> for the initial
report and testing the fix.

Signed-off-by: James Chapman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/net/pppol2tp.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -980,6 +980,8 @@ static int pppol2tp_xmit(struct ppp_chan
__wsum csum = 0;
struct udphdr *uh;
unsigned int len;
+ int old_headroom;
+ int new_headroom;

if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
goto abort;
@@ -1001,16 +1003,18 @@ static int pppol2tp_xmit(struct ppp_chan

/* Check that there's enough headroom in the skb to insert IP,
* UDP and L2TP and PPP headers. If not enough, expand it to
- * make room. Note that a new skb (or a clone) is
- * allocated. If we return an error from this point on, make
- * sure we free the new skb but do not free the original skb
- * since that is done by the caller for the error case.
+ * make room. Adjust truesize.
*/
headroom = NET_SKB_PAD + sizeof(struct iphdr) +
sizeof(struct udphdr) + hdr_len + sizeof(ppph);
+ old_headroom = skb_headroom(skb);
if (skb_cow_head(skb, headroom))
goto abort;

+ new_headroom = skb_headroom(skb);
+ skb_orphan(skb);
+ skb->truesize += new_headroom - old_headroom;
+
/* Setup PPP header */
__skb_push(skb, sizeof(ppph));
skb->data[0] = ppph[0];
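
Review bot: The shortened comment `make room. Adjust truesize.` does not say why `skb_orphan(skb);` now sits before `skb->truesize += new_headroom - old_headroom;`. The changelog states that the adjustment must happen after orphaning; put that ordering requirement into the comment so the two statements are not separated or swapped by a later edit.
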
@@ -1065,7 +1069,6 @@ static int pppol2tp_xmit(struct ppp_chan
/* Get routing info from the tunnel socket */
dst_release(skb->dst);
skb->dst = dst_clone(__sk_dst_get(sk_tun));
- skb_orphan(skb);
skb->sk = sk_tun;

/* Queue the packet to IP for output */

--

2008-06-14 00:20:45

by Greg KH

Subject: [patch 25/47] tcp: TCP connection times out if ICMP frag needed is delayed

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Sridhar Samudrala <[email protected]>

[ upstream commit: 7d227cd235c809c36c847d6a597956ad9e9d2bae ]

We are seeing an issue with TCP in handling an ICMP frag needed
message that is received after net.ipv4.tcp_retries1 retransmits.
The default value of retries1 is 3. So if the path mtu changes
and ICMP frag needed is lost for the first 3 retransmits or if
it gets delayed until 3 retransmits are done, TCP doesn't update
MSS correctly and continues to retransmit the original message
until it times out after tcp_retries2 retransmits.

I am seeing this issue even with the latest 2.6.25.4 kernel.

In tcp_retransmit_timer(), when retransmits counter exceeds
tcp_retries1 value, the dst cache entry of the socket is reset.
At this time, if we receive an ICMP frag needed message, the
dst entry gets updated with the new MTU, but the TCP socket's
dst_cache entry remains NULL.

So the next time when we try to retransmit after the ICMP frag
needed is received, tcp_retransmit_skb() gets called. Here the
cur_mss value is calculated at the start of the routine with
a NULL sk_dst_cache. Instead we should call tcp_current_mss after
the rebuild_header that caches the dst entry with the updated mtu.
Also the rebuild_header should be called before tcp_fragment
so that skb is fragmented if the mss goes down.

Signed-off-by: Sridhar Samudrala <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/tcp_output.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1836,7 +1836,7 @@ int tcp_retransmit_skb(struct sock *sk,
{
struct tcp_sock *tp = tcp_sk(sk);
struct inet_connection_sock *icsk = inet_csk(sk);
- unsigned int cur_mss = tcp_current_mss(sk, 0);
+ unsigned int cur_mss;
int err;

/* Inconslusive MTU probe */
@@ -1858,6 +1858,11 @@ int tcp_retransmit_skb(struct sock *sk,
return -ENOMEM;
}

+ if (inet_csk(sk)->icsk_af_ops->rebuild_header(sk))
+ return -EHOSTUNREACH; /* Routing failure or similar. */
+
+ cur_mss = tcp_current_mss(sk, 0);
+
/* If receiver has shrunk his window, and skb is out of
* new window, do not retransmit it. The exception is the
* case, when window is shrunk to zero. In this case
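
Review bot: Moving `rebuild_header()` ahead of the shrunk-window test changes which error wins: a routing failure now returns -EHOSTUNREACH before the checks that follow it get a chance to run. That is probably acceptable, but the hunk should carry a comment above `cur_mss = tcp_current_mss(sk, 0);` saying that the MSS has to be read after rebuild_header() has re-cached the dst entry, since that ordering is the whole fix.
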
@@ -1884,9 +1889,6 @@ int tcp_retransmit_skb(struct sock *sk,
(sysctl_tcp_retrans_collapse != 0))
tcp_retrans_try_collapse(sk, skb, cur_mss);

- if (inet_csk(sk)->icsk_af_ops->rebuild_header(sk))
- return -EHOSTUNREACH; /* Routing failure or similar. */
-
/* Some Solaris stacks overoptimize and ignore the FIN on a
* retransmit when old data is attached. So strip it off
* since it is cheap to do so and saves bytes on the network.

--

2008-06-14 00:21:05

by Greg KH

Subject: [patch 26/47] tcp: Allow send-limited cwnd to grow up to max_burst when gso disabled

-stable review patch. If anyone has any objections, please let us know.

------------------
From: John Heffner <[email protected]>

[ upstream commit: ce447eb91409225f8a488f6b7b2a1bdf7b2d884f ]

This changes the logic in tcp_is_cwnd_limited() so that cwnd may grow
up to tcp_max_burst() even when sk_can_gso() is false, or when
sysctl_tcp_tso_win_divisor != 0.

Signed-off-by: John Heffner <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/tcp_cong.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)

--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -285,14 +285,11 @@ int tcp_is_cwnd_limited(const struct soc
if (in_flight >= tp->snd_cwnd)
return 1;

- if (!sk_can_gso(sk))
- return 0;
-
left = tp->snd_cwnd - in_flight;
- if (sysctl_tcp_tso_win_divisor)
- return left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd;
- else
- return left <= tcp_max_burst(tp);
+ if (sk_can_gso(sk) &&
+ left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd)
+ return 1;
+ return left <= tcp_max_burst(tp);
}
EXPORT_SYMBOL_GPL(tcp_is_cwnd_limited);

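Review bot: With `sysctl_tcp_tso_win_divisor` set to 0, the new test `left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd` reduces to `0 < tp->snd_cwnd`, so a GSO-capable socket returns 1 on every call that gets this far. The removed code handled a zero divisor through its `else` arm (`left <= tcp_max_burst(tp)`). If zero is still a supported setting, keep an explicit `sysctl_tcp_tso_win_divisor &&` term in the condition.
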

--

2008-06-14 00:20:23

by Greg KH

Subject: [patch 24/47] vlan: Correctly handle device notifications for layered VLAN devices

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Patrick McHardy <[email protected]>

[ upstream commit: 81d85346b3fcd8b3167eac8b5fb415a210bd4345 ]

Commit 30688a9 ([VLAN]: Handle vlan devices net namespace changing)
changed the device notifier to special-case notifications for VLAN
devices, effectively disabling state propagation to underlying VLAN
devices. This is needed for layered VLANs though, so restore the
original behaviour.

Signed-off-by: Patrick McHardy <[email protected]>
Acked-by: Pavel Emelyanov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/8021q/vlan.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -397,10 +397,8 @@ static int vlan_device_event(struct noti
if (dev->nd_net != &init_net)
return NOTIFY_DONE;

- if (is_vlan_dev(dev)) {
+ if (is_vlan_dev(dev))
__vlan_device_event(dev, event);
- goto out;
- }

grp = __vlan_find_group(dev->ifindex);
if (!grp)
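
Review bot: With the `goto out;` gone, a VLAN device now falls through to `__vlan_find_group(dev->ifindex)` after `__vlan_device_event(dev, event);`, and nothing in the code says that is deliberate. Add a comment above `if (is_vlan_dev(dev))` noting that a VLAN device can itself carry VLANs and so must also take the group path, otherwise the next cleanup may restore the early exit.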

--

2008-06-14 00:21:27

by Greg KH

Subject: [patch 27/47] tcp: Limit cwnd growth when deferring for GSO

-stable review patch. If anyone has any objections, please let us know.

------------------
From: John Heffner <[email protected]>

[ upstream commit: 246eb2af060fc32650f07203c02bdc0456ad76c7 ]

This fixes inappropriately large cwnd growth on sender-limited flows
when GSO is enabled, limiting cwnd growth to 64k.

[ Backport to 2.6.25 by replacing sk->sk_gso_max_size with 65536 -DaveM ]

Signed-off-by: John Heffner <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/tcp_cong.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -287,7 +287,8 @@ int tcp_is_cwnd_limited(const struct soc

left = tp->snd_cwnd - in_flight;
if (sk_can_gso(sk) &&
- left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd)
+ left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd &&
+ left * tp->mss_cache < 65536)
return 1;
return left <= tcp_max_burst(tp);
}
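
Review bot: The literal in `left * tp->mss_cache < 65536` has no name and no comment, while the backport note in the changelog says it stands in for sk->sk_gso_max_size. Add a comment at that line saying so, so the value is found again when the field is backported or the limit changes.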

--

2008-06-14 00:21:43

by Greg KH

Subject: [patch 28/47] l2tp: Fix possible WARN_ON from socket code when UDP socket is closed

-stable review patch. If anyone has any objections, please let us know.

------------------
From: James Chapman <[email protected]>

[ upstream commit: 199f7d24ae59894243687a234a909f44a8724506 ]

If an L2TP daemon closes a tunnel socket while packets are queued in
the tunnel's reorder queue, a kernel warning is logged because the
socket is closed while skbs are still referencing it. The fix is to
purge the queue in the socket's release handler.

WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68()
Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8
[<c0423c58>] warn_on_slowpath+0x41/0x51
[<c05d33a7>] udp_lib_unhash+0x41/0x68
[<c059424d>] sk_common_release+0x23/0x90
[<c05d16be>] udp_lib_close+0x8/0xa
[<c05d8684>] inet_release+0x42/0x48
[<c0592599>] sock_release+0x14/0x60
[<c059299f>] sock_close+0x29/0x30
[<c046ef52>] __fput+0xad/0x15b
[<c046f1d9>] fput+0x17/0x19
[<c046c8c4>] filp_close+0x50/0x5a
[<c046da06>] sys_close+0x69/0x9f
[<c04048ce>] syscall_call+0x7/0xb

Signed-off-by: James Chapman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/net/pppol2tp.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -1279,6 +1279,7 @@ out:
static int pppol2tp_release(struct socket *sock)
{
struct sock *sk = sock->sk;
+ struct pppol2tp_session *session;
int error;

if (!sk)
@@ -1296,9 +1297,18 @@ static int pppol2tp_release(struct socke
sock_orphan(sk);
sock->sk = NULL;

+ session = pppol2tp_sock_to_session(sk);
+
/* Purge any queued data */
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
+ if (session != NULL) {
+ struct sk_buff *skb;
+ while ((skb = skb_dequeue(&session->reorder_q))) {
+ kfree_skb(skb);
+ sock_put(sk);
+ }
+ }

release_sock(sk);

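Review bot: The `sock_put(sk);` inside the `skb_dequeue(&session->reorder_q)` loop assumes that every skb on the reorder queue holds one reference on the session socket, and no comment states that. Add one above the loop. Also, patch 29/47 in this series makes pppol2tp_sock_to_session() take a sock_hold(), and none of its posted hunks touch pppol2tp_release(), so check that the lookup added here is balanced by a sock_put() once both patches are applied.
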

--

2008-06-14 00:21:58

by Greg KH

Subject: [patch 29/47] l2tp: Fix possible oops if transmitting or receiving when tunnel goes down

-stable review patch. If anyone has any objections, please let us know.

------------------
From: James Chapman <[email protected]>

[ upstream commit: 24b95685ffcdb3dc28f64b9e8af6ea3e8360fbc5 ]

Some problems have been experienced in the field which cause an oops
in the pppol2tp driver if L2TP tunnels fail while passing data.

The pppol2tp driver uses private data that is referenced via the
sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes
sure that the driver uses sock_hold() when it holds a reference to the
sk pointer. This affects its sendmsg(), recvmsg(), getname(),
[gs]etsockopt() and ioctl() handlers.

Tested by ISP where problem was seen. System has been up 10 days with
no oops since running this patch. Without the patch, an oops would
occur every 1-2 days.

Signed-off-by: James Chapman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
drivers/net/pppol2tp.c | 101 +++++++++++++++++++++++++++++++++++++------------
1 file changed, 78 insertions(+), 23 deletions(-)

--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -240,12 +240,15 @@ static inline struct pppol2tp_session *p
if (sk == NULL)
return NULL;

+ sock_hold(sk);
session = (struct pppol2tp_session *)(sk->sk_user_data);
- if (session == NULL)
- return NULL;
+ if (session == NULL) {
+ sock_put(sk);
+ goto out;
+ }

BUG_ON(session->magic != L2TP_SESSION_MAGIC);
-
+out:
return session;
}

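Review bot: pppol2tp_sock_to_session() now returns with a reference held on `sk` whenever it returns non-NULL, yet the function gets no comment telling callers they must `sock_put()`. Document that contract above the function, and above pppol2tp_sock_to_tunnel() in the next hunk. The `goto out;` to a label that only returns could also be a plain `return NULL;` after the `sock_put(sk);`.
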
@@ -256,12 +259,15 @@ static inline struct pppol2tp_tunnel *pp
if (sk == NULL)
return NULL;

+ sock_hold(sk);
tunnel = (struct pppol2tp_tunnel *)(sk->sk_user_data);
- if (tunnel == NULL)
- return NULL;
+ if (tunnel == NULL) {
+ sock_put(sk);
+ goto out;
+ }

BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
-
+out:
return tunnel;
}

@@ -716,12 +722,14 @@ discard:
session->stats.rx_errors++;
kfree_skb(skb);
sock_put(session->sock);
+ sock_put(sock);

return 0;

error:
/* Put UDP header back */
__skb_push(skb, sizeof(struct udphdr));
+ sock_put(sock);

no_tunnel:
return 1;
@@ -745,10 +753,13 @@ static int pppol2tp_udp_encap_recv(struc
"%s: received %d bytes\n", tunnel->name, skb->len);

if (pppol2tp_recv_core(sk, skb))
- goto pass_up;
+ goto pass_up_put;

+ sock_put(sk);
return 0;

+pass_up_put:
+ sock_put(sk);
pass_up:
return 1;
}
@@ -858,7 +869,7 @@ static int pppol2tp_sendmsg(struct kiocb

tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
if (tunnel == NULL)
- goto error;
+ goto error_put_sess;

/* What header length is configured for this session? */
hdr_len = pppol2tp_l2tp_header_len(session);
@@ -870,7 +881,7 @@ static int pppol2tp_sendmsg(struct kiocb
sizeof(ppph) + total_len,
0, GFP_KERNEL);
if (!skb)
- goto error;
+ goto error_put_sess_tun;

/* Reserve space for headers. */
skb_reserve(skb, NET_SKB_PAD);
@@ -900,7 +911,7 @@ static int pppol2tp_sendmsg(struct kiocb
error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
if (error < 0) {
kfree_skb(skb);
- goto error;
+ goto error_put_sess_tun;
}
skb_put(skb, total_len);

@@ -947,10 +958,33 @@ static int pppol2tp_sendmsg(struct kiocb
session->stats.tx_errors++;
}

+ return error;
+
+error_put_sess_tun:
+ sock_put(session->tunnel_sock);
+error_put_sess:
+ sock_put(sk);
error:
return error;
}

+/* Automatically called when the skb is freed.
+ */
+static void pppol2tp_sock_wfree(struct sk_buff *skb)
+{
+ sock_put(skb->sk);
+}
+
+/* For data skbs that we transmit, we associate with the tunnel socket
+ * but don't do accounting.
+ */
+static inline void pppol2tp_skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
+{
+ sock_hold(sk);
+ skb->sk = sk;
+ skb->destructor = pppol2tp_sock_wfree;
+}
+
/* Transmit function called by generic PPP driver. Sends PPP frame
* over PPPoL2TP socket.
*
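
Review bot: The added `return error;` on the normal path leaves pppol2tp_sendmsg() without the two `sock_put()` calls that the new `error_put_sess_tun:` and `error_put_sess:` labels perform, while pppol2tp_xmit() in this same patch drops both references before its `return 1;`. Unless the references are released somewhere else on success, drop the early return and let the normal path fall through the labels.
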
@@ -993,10 +1027,10 @@ static int pppol2tp_xmit(struct ppp_chan

sk_tun = session->tunnel_sock;
if (sk_tun == NULL)
- goto abort;
+ goto abort_put_sess;
tunnel = pppol2tp_sock_to_tunnel(sk_tun);
if (tunnel == NULL)
- goto abort;
+ goto abort_put_sess;

/* What header length is configured for this session? */
hdr_len = pppol2tp_l2tp_header_len(session);
@@ -1009,7 +1043,7 @@ static int pppol2tp_xmit(struct ppp_chan
sizeof(struct udphdr) + hdr_len + sizeof(ppph);
old_headroom = skb_headroom(skb);
if (skb_cow_head(skb, headroom))
- goto abort;
+ goto abort_put_sess_tun;

new_headroom = skb_headroom(skb);
skb_orphan(skb);
@@ -1069,7 +1103,7 @@ static int pppol2tp_xmit(struct ppp_chan
/* Get routing info from the tunnel socket */
dst_release(skb->dst);
skb->dst = dst_clone(__sk_dst_get(sk_tun));
- skb->sk = sk_tun;
+ pppol2tp_skb_set_owner_w(skb, sk_tun);

/* Queue the packet to IP for output */
len = skb->len;
@@ -1086,8 +1120,14 @@ static int pppol2tp_xmit(struct ppp_chan
session->stats.tx_errors++;
}

+ sock_put(sk_tun);
+ sock_put(sk);
return 1;

+abort_put_sess_tun:
+ sock_put(sk_tun);
+abort_put_sess:
+ sock_put(sk);
abort:
/* Free the original skb */
kfree_skb(skb);
@@ -1191,7 +1231,7 @@ static void pppol2tp_tunnel_destruct(str
{
struct pppol2tp_tunnel *tunnel;

- tunnel = pppol2tp_sock_to_tunnel(sk);
+ tunnel = sk->sk_user_data;
if (tunnel == NULL)
goto end;

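Review bot: Replacing the helper with `tunnel = sk->sk_user_data;` loses the `BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC)` check that pppol2tp_sock_to_tunnel() performed, and unlike the pppol2tp_session_destruct() hunk that follows, this hunk does not add it back. Unless the check already exists further down in the function, add the BUG_ON after the NULL test for consistency, or say why it is not wanted here.
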
@@ -1230,10 +1270,12 @@ static void pppol2tp_session_destruct(st
if (sk->sk_user_data != NULL) {
struct pppol2tp_tunnel *tunnel;

- session = pppol2tp_sock_to_session(sk);
+ session = sk->sk_user_data;
if (session == NULL)
goto out;

+ BUG_ON(session->magic != L2TP_SESSION_MAGIC);
+
/* Don't use pppol2tp_sock_to_tunnel() here to
* get the tunnel context because the tunnel
* socket might have already been closed (its
@@ -1611,7 +1653,7 @@ static int pppol2tp_connect(struct socke

error = ppp_register_channel(&po->chan);
if (error)
- goto end;
+ goto end_put_tun;

/* This is how we get the session context from the socket. */
sk->sk_user_data = session;
@@ -1631,6 +1673,8 @@ out_no_ppp:
PRINTK(session->debug, PPPOL2TP_MSG_CONTROL, KERN_INFO,
"%s: created\n", session->name);

+end_put_tun:
+ sock_put(tunnel_sock);
end:
release_sock(sk);

@@ -1671,6 +1715,7 @@ static int pppol2tp_getname(struct socke
*usockaddr_len = len;

error = 0;
+ sock_put(sock->sk);

end:
return error;
@@ -1909,14 +1954,17 @@ static int pppol2tp_ioctl(struct socket
err = -EBADF;
tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
if (tunnel == NULL)
- goto end;
+ goto end_put_sess;

err = pppol2tp_tunnel_ioctl(tunnel, cmd, arg);
- goto end;
+ sock_put(session->tunnel_sock);
+ goto end_put_sess;
}

err = pppol2tp_session_ioctl(session, cmd, arg);

+end_put_sess:
+ sock_put(sk);
end:
return err;
}
@@ -2062,14 +2110,17 @@ static int pppol2tp_setsockopt(struct so
err = -EBADF;
tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
if (tunnel == NULL)
- goto end;
+ goto end_put_sess;

err = pppol2tp_tunnel_setsockopt(sk, tunnel, optname, val);
+ sock_put(session->tunnel_sock);
} else
err = pppol2tp_session_setsockopt(sk, session, optname, val);

err = 0;

+end_put_sess:
+ sock_put(sk);
end:
return err;
}
@@ -2184,20 +2235,24 @@ static int pppol2tp_getsockopt(struct so
err = -EBADF;
tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
if (tunnel == NULL)
- goto end;
+ goto end_put_sess;

err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val);
+ sock_put(session->tunnel_sock);
} else
err = pppol2tp_session_getsockopt(sk, session, optname, &val);

err = -EFAULT;
if (put_user(len, (int __user *) optlen))
- goto end;
+ goto end_put_sess;

if (copy_to_user((void __user *) optval, &val, len))
- goto end;
+ goto end_put_sess;

err = 0;
+
+end_put_sess:
+ sock_put(sk);
end:
return err;
}

--

2008-06-14 00:22:26

by Greg KH

Subject: [patch 30/47] tcp: fix skb vs fack_count out-of-sync condition

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <[email protected]>

[ upstream commit: a6604471db5e7a33474a7f16c64d6b118fae3e74 ]

This bug is able to corrupt fackets_out in very rare cases.
In order for this to cause corruption:
1) DSACK in the middle of previous SACK block must be generated.
2) In order to take that particular branch, part or all of the
DSACKed segment must already be SACKed so that we have that
in cache in the first place.
3) The new info must be top enough so that fackets_out will be
updated on this iteration.
...then fack_count is updated while skb wasn't, then we walk again
that particular segment thus updating fack_count twice for
a single skb and finally that value is assigned to fackets_out
by tcp_sacktag_one.

It is safe to call tcp_sacktag_one just once for a segment (at
DSACK), no need to call again for plain SACK.

Potential problems of the miscount are limited to premature entry
to recovery and to inflated reordering metric (which could even
cancel each other out in the luckiest scenarios :-)).
Both are quite insignificant in worst case too and there exists
also code to reset them (fackets_out once sacked_out becomes zero
and reordering metric on RTO).

This has been reported by a number of people, because it occurred
quite rarely, it has been very evasive. Andy Furniss was able to
get it to occur couple of times so that a bit more info was
collected about the problem using a debug patch, though it still
required lot of checking around. Thanks also to others who have
tried to help here.

This is listed as Bugzilla #10346. The bug was introduced by
me in commit 68f8353b48 ([TCP]: Rewrite SACK block processing &
sack_recv_cache use), I probably thought back then that there's
need to scan that entry twice or didn't dare to make it go
through it just once there. Going through twice would have
required restoring fack_count after the walk but as noted above,
I chose to drop the additional walk step altogether here.

Signed-off-by: Ilpo Järvinen <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/tcp_input.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1393,9 +1393,9 @@ static struct sk_buff *tcp_maybe_skippin

if (before(next_dup->start_seq, skip_to_seq)) {
skb = tcp_sacktag_skip(skb, sk, next_dup->start_seq, fack_count);
- tcp_sacktag_walk(skb, sk, NULL,
- next_dup->start_seq, next_dup->end_seq,
- 1, fack_count, reord, flag);
+ skb = tcp_sacktag_walk(skb, sk, NULL,
+ next_dup->start_seq, next_dup->end_seq,
+ 1, fack_count, reord, flag);
}

return skb;
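
Review bot: The fix hinges on keeping the return value in `skb = tcp_sacktag_walk(skb, sk, NULL,`, but nothing in the code explains that `skb` and `fack_count` have to advance together. A one-line comment above the call would stop someone from dropping the assignment again; marking tcp_sacktag_walk() `__must_check` is another option.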

--

2008-06-14 00:22:43

by Greg KH

Subject: [patch 31/47] tcp FRTO: Fix fallback to conventional recovery

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <[email protected]>

[ upstream commit: a1c1f281b84a751fdb5ff919da3b09df7297619f ]

It seems that commit 009a2e3e4ec ("[TCP] FRTO: Improve
interoperability with other undo_marker users") ran into
another land-mine which caused fallback to conventional
recovery to break:

1. Cumulative ACK arrives after FRTO retransmission
2. tcp_try_to_open sees zero retrans_out, clears retrans_stamp
which should be kept like in CA_Loss state it would be
3. undo_marker change allowed tcp_packet_delayed to return
true because of the cleared retrans_stamp once FRTO is
terminated causing LossUndo to occur, which means all loss
markings FRTO made are reverted.

This means that the conventional recovery basically recovered
one loss per RTT, which is not that efficient. It was quite
unobvious that the undo_marker change broke something like
this, I had a quite long session to track it down because of
the non-intuitiveness of the bug (luckily I had a trivial
reproducer at hand and I was also able to learn to use kprobes
in the process as well :-)).

This together with the NewReno+FRTO fix and FRTO in-order
workaround this fixes Damon's problems, this and the first
mentioned are enough to fix Bugzilla #10063.

Signed-off-by: Ilpo Järvinen <[email protected]>
Reported-by: Damon L. Chesser <[email protected]>
Tested-by: Damon L. Chesser <[email protected]>
Tested-by: Sebastian Hyrwall <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/tcp_input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2465,7 +2465,7 @@ static void tcp_try_to_open(struct sock

tcp_verify_left_out(tp);

- if (tp->retrans_out == 0)
+ if (!tp->frto_counter && tp->retrans_out == 0)
tp->retrans_stamp = 0;

if (flag & FLAG_ECE)
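
Review bot: The reason `tp->retrans_stamp` must survive while `tp->frto_counter` is set exists only in the changelog. Add a comment above `if (!tp->frto_counter && tp->retrans_out == 0)` saying that clearing the stamp during F-RTO lets tcp_packet_delayed() return true once F-RTO ends, which undoes the loss markings F-RTO made.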

--

2008-06-14 00:23:00

by Greg KH

Subject: [patch 32/47] tcp FRTO: SACK variant is errorneously used with NewReno

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <[email protected]>

[ upstream commit: 62ab22278308a40bcb7f4079e9719ab8b7fe11b5 ]

Note: there's actually another bug in FRTO's SACK variant, which
is causing failure in NewReno case because of the error
that's fixed here. I'll fix the SACK case separately (it's
a separate bug really, though related, but in order to fix that
I need to audit tp->snd_nxt usage a bit).

There were two places where SACK variant of FRTO is getting
incorrectly used even if SACK wasn't negotiated by the TCP flow.
This leads to incorrect setting of frto_highmark with NewReno
if a previous recovery was interrupted by another RTO.

An eventual fallback to conventional recovery then incorrectly
considers one or couple of segments as forward transmissions
though they weren't, which then are not LOST marked during
fallback making them "non-retransmittable" until the next RTO.
In a bad case, those segments are really lost and are the only
one left in the window. Thus TCP needs another RTO to continue.
The next FRTO, however, could again repeat the same events
making the progress of the TCP flow extremely slow.

In order for these events to occur at all, FRTO must occur
again in FRTOs step 3 while the key segments must be lost as
well, which is not too likely in practice. It seems to occur most
frequently with some small devices such as network printers
that *seem* to accept TCP segments only in-order. In cases
where key segments weren't lost, things get automatically
resolved because those wrongly marked segments don't need to be
retransmitted in order to continue.

I found a reproducer after digging up relevant reports (few
reports in total, none at netdev or lkml I know of), some
cases seemed to indicate middlebox issues which seems now
to be a false assumption some people had made. Bugzilla
#10063 _might_ be related. Damon L. Chesser <[email protected]>
had a reproducible case and was kind enough to tcpdump it
for me. With the tcpdump log it was quite trivial to figure
out.

Signed-off-by: Ilpo Järvinen <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/tcp_input.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -113,8 +113,6 @@ int sysctl_tcp_abc __read_mostly;
#define FLAG_FORWARD_PROGRESS (FLAG_ACKED|FLAG_DATA_SACKED)
#define FLAG_ANY_PROGRESS (FLAG_FORWARD_PROGRESS|FLAG_SND_UNA_ADVANCED)

-#define IsSackFrto() (sysctl_tcp_frto == 0x2)
-
#define TCP_REMNANT (TCP_FLAG_FIN|TCP_FLAG_URG|TCP_FLAG_SYN|TCP_FLAG_PSH)
#define TCP_HP_BITS (~(TCP_RESERVED_BITS|TCP_FLAG_PSH))

@@ -1685,6 +1683,11 @@ static inline void tcp_reset_reno_sack(s
tp->sacked_out = 0;
}

+static int tcp_is_sackfrto(const struct tcp_sock *tp)
+{
+ return (sysctl_tcp_frto == 0x2) && !tcp_is_reno(tp);
+}
+
/* F-RTO can only be used if TCP has never retransmitted anything other than
* head (SACK enhanced variant from Appendix B of RFC4138 is more robust here)
*/
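
Review bot: tcp_is_sackfrto() is added without any comment, directly in front of the existing comment block about when F-RTO can be used. State above the new helper that the SACK variant needs both `sysctl_tcp_frto == 0x2` and a flow that actually negotiated SACK, which is the point of the fix; the parentheses around the comparison in the `return` are also redundant.
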
@@ -1701,7 +1704,7 @@ int tcp_use_frto(struct sock *sk)
if (icsk->icsk_mtup.probe_size)
return 0;

- if (IsSackFrto())
+ if (tcp_is_sackfrto(tp))
return 1;

/* Avoid expensive walking of rexmit queue if possible */
@@ -1791,7 +1794,7 @@ void tcp_enter_frto(struct sock *sk)
/* Earlier loss recovery underway (see RFC4138; Appendix B).
* The last condition is necessary at least in tp->frto_counter case.
*/
- if (IsSackFrto() && (tp->frto_counter ||
+ if (tcp_is_sackfrto(tp) && (tp->frto_counter ||
((1 << icsk->icsk_ca_state) & (TCPF_CA_Recovery|TCPF_CA_Loss))) &&
after(tp->high_seq, tp->snd_una)) {
tp->frto_highmark = tp->high_seq;
@@ -3110,7 +3113,7 @@ static int tcp_process_frto(struct sock
return 1;
}

- if (!IsSackFrto() || tcp_is_reno(tp)) {
+ if (!tcp_is_sackfrto(tp)) {
/* RFC4138 shortcoming in step 2; should also have case c):
* ACK isn't duplicate nor advances window, e.g., opposite dir
* data, winupdate

--

2008-06-14 00:23:27

by Greg KH

Subject: [patch 33/47] tcp FRTO: work-around inorder receivers

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <[email protected]>

[ upstream commit: 79d44516b4b178ffb6e2159c75584cfcfc097914 ]

If receiver consumes segments successfully only in-order, FRTO
fallback to conventional recovery produces RTO loop because
FRTO's forward transmissions will always get dropped and need to
be resent, yet by default they're not marked as lost (which are
the only segments we will retransmit in CA_Loss).

Price to pay about this is occasionally unnecessarily
retransmitting the forward transmission(s). SACK blocks help
a bit to avoid this, so it's mainly a concern for NewReno case
though SACK is not fully immune either.

This change has a side-effect of fixing SACKFRTO problem where
it didn't have snd_nxt of the RTO time available anymore when
fallback become necessary (this problem would have only occurred
when RTO would occur for two or more segments and ECE arrives
in step 3; no need to figure out how to fix that unless the
TODO item of selective behavior is considered in future).

Signed-off-by: Ilpo Järvinen <[email protected]>
Reported-by: Damon L. Chesser <[email protected]>
Tested-by: Damon L. Chesser <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
net/ipv4/tcp_input.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1841,9 +1841,16 @@ static void tcp_enter_frto_loss(struct s
TCP_SKB_CB(skb)->sacked &= ~TCPCB_SACKED_RETRANS;
}

- /* Don't lost mark skbs that were fwd transmitted after RTO */
- if (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED) &&
- !after(TCP_SKB_CB(skb)->end_seq, tp->frto_highmark)) {
+ /* Marking forward transmissions that were made after RTO lost
+ * can cause unnecessary retransmissions in some scenarios,
+ * SACK blocks will mitigate that in some but not in all cases.
+ * We used to not mark them but it was causing break-ups with
+ * receivers that do only in-order receival.
+ *
+ * TODO: we could detect presence of such receiver and select
+ * different behavior per flow.
+ */
+ if (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED)) {
TCP_SKB_CB(skb)->sacked |= TCPCB_LOST;
tp->lost_out += tcp_skb_pcount(skb);
}
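
Review bot: with the !after(TCP_SKB_CB(skb)->end_seq, tp->frto_highmark) test removed, every skb not marked TCPCB_SACKED_ACKED is now tagged TCPCB_LOST, including the forward transmissions made after the RTO. The new comment only says the old behaviour was "causing break-ups"; naming the actual failure (the RTO loop described in the changelog) would make the comment more useful to the next reader.
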
@@ -1859,7 +1866,7 @@ static void tcp_enter_frto_loss(struct s
tp->reordering = min_t(unsigned int, tp->reordering,
sysctl_tcp_reordering);
tcp_set_ca_state(sk, TCP_CA_Loss);
- tp->high_seq = tp->frto_highmark;
+ tp->high_seq = tp->snd_nxt;
TCP_ECN_queue_cwr(tp);

tcp_clear_retrans_hints_partial(tp);
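
Review bot: the switch of tp->high_seq from tp->frto_highmark to tp->snd_nxt carries no comment, although the changelog presents it as the fix for a separate SACKFRTO problem. A short comment at this assignment explaining why snd_nxt is the right recovery point once forward transmissions are marked lost would tie it to the first hunk.
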

--

2008-06-14 00:23:42

by Greg KH

Subject: [patch 34/47] mmc: wbsd: initialize tasklets before requesting interrupt

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Chuck Ebbert <[email protected]>

commit cef33400d0349fb24b6f8b7dea79b66e3144fd8b upstream

With CONFIG_DEBUG_SHIRQ set we will get an interrupt as soon as we
allocate one. Tasklets may be scheduled in the interrupt handler but they
will be initialized after the handler returns, causing a BUG() in
kernel/softirq.c when they run.

Should fix this Fedora bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=449817

Signed-off-by: Chuck Ebbert <[email protected]>
Acked-by: Pierre Ossman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/mmc/host/wbsd.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)

--- a/drivers/mmc/host/wbsd.c
+++ b/drivers/mmc/host/wbsd.c
@@ -1457,17 +1457,7 @@ static int __devinit wbsd_request_irq(st
int ret;

/*
- * Allocate interrupt.
- */
-
- ret = request_irq(irq, wbsd_irq, IRQF_SHARED, DRIVER_NAME, host);
- if (ret)
- return ret;
-
- host->irq = irq;
-
- /*
- * Set up tasklets.
+ * Set up tasklets. Must be done before requesting interrupt.
*/
tasklet_init(&host->card_tasklet, wbsd_tasklet_card,
(unsigned long)host);
@@ -1480,6 +1470,15 @@ static int __devinit wbsd_request_irq(st
tasklet_init(&host->finish_tasklet, wbsd_tasklet_finish,
(unsigned long)host);

+ /*
+ * Allocate interrupt.
+ */
+ ret = request_irq(irq, wbsd_irq, IRQF_SHARED, DRIVER_NAME, host);
+ if (ret)
+ return ret;
+
+ host->irq = irq;
+
return 0;
}
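
Review bot: request_irq() is now the last step, but host->irq = irq is still assigned only after it returns, and the changelog says the handler can fire as soon as the interrupt is allocated. If wbsd_irq() or any of the tasklets read host->irq they would see the old value on that first invocation; please confirm they do not, or set the field before the call and reset it on failure.
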


--

2008-06-14 00:23:59

by Greg KH

Subject: [patch 35/47] cciss: add new hardware support

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Mike Miller <[email protected]>

commit 24aac480e76c6f5d1391ac05c5e9c0eb9b0cd302 upstream
Date: Thu, 12 Jun 2008 15:21:34 -0700
Subject: [patch 35/47] cciss: add new hardware support

Add support for the next generation of HP Smart Array SAS/SATA
controllers. Shipping date is late Fall 2008.

Bump the driver version to 3.6.20 to reflect the new hardware support from
patch 1 of this set.

Signed-off-by: Mike Miller <[email protected]>
Cc: Jens Axboe <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
Documentation/cciss.txt | 5 +++++
drivers/block/cciss.c | 21 ++++++++++++++++-----
include/linux/pci_ids.h | 1 +
3 files changed, 22 insertions(+), 5 deletions(-)

--- a/Documentation/cciss.txt
+++ b/Documentation/cciss.txt
@@ -21,6 +21,11 @@ This driver is known to work with the fo
* SA E200
* SA E200i
* SA E500
+ * SA P212
+ * SA P410
+ * SA P410i
+ * SA P411
+ * SA P812

Detecting drive failures:
-------------------------
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -53,15 +53,16 @@
#include <linux/scatterlist.h>

#define CCISS_DRIVER_VERSION(maj,min,submin) ((maj<<16)|(min<<8)|(submin))
-#define DRIVER_NAME "HP CISS Driver (v 3.6.14)"
-#define DRIVER_VERSION CCISS_DRIVER_VERSION(3,6,14)
+#define DRIVER_NAME "HP CISS Driver (v 3.6.20)"
+#define DRIVER_VERSION CCISS_DRIVER_VERSION(3, 6, 20)

/* Embedded module documentation macros - see modules.h */
MODULE_AUTHOR("Hewlett-Packard Company");
-MODULE_DESCRIPTION("Driver for HP Controller SA5xxx SA6xxx version 3.6.14");
+MODULE_DESCRIPTION("Driver for HP Smart Array Controllers");
MODULE_SUPPORTED_DEVICE("HP SA5i SA5i+ SA532 SA5300 SA5312 SA641 SA642 SA6400"
- " SA6i P600 P800 P400 P400i E200 E200i E500");
-MODULE_VERSION("3.6.14");
+ " SA6i P600 P800 P400 P400i E200 E200i E500 P700m"
+ " Smart Array G2 Series SAS/SATA Controllers");
+MODULE_VERSION("3.6.20");
MODULE_LICENSE("GPL");

#include "cciss_cmd.h"
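
Review bot: the version number still has to be bumped by hand in three places in this hunk (DRIVER_NAME, DRIVER_VERSION and MODULE_VERSION). Dropping it from MODULE_DESCRIPTION is a good step; deriving the remaining strings from one macro would remove the rest of the duplication. The DRIVER_VERSION line also changes the spacing inside CCISS_DRIVER_VERSION(3, 6, 20), which is style-only churn next to a functional change.
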
@@ -90,6 +91,11 @@ static const struct pci_device_id cciss_
{PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSD, 0x103C, 0x3215},
{PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSC, 0x103C, 0x3237},
{PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSC, 0x103C, 0x323D},
+ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3241},
+ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3243},
+ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3245},
+ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3247},
+ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3249},
{PCI_VENDOR_ID_HP, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
PCI_CLASS_STORAGE_RAID << 8, 0xffff << 8, 0},
{0,}
@@ -123,6 +129,11 @@ static struct board_type products[] = {
{0x3215103C, "Smart Array E200i", &SA5_access, 120},
{0x3237103C, "Smart Array E500", &SA5_access, 512},
{0x323D103C, "Smart Array P700m", &SA5_access, 512},
+ {0x3241103C, "Smart Array P212", &SA5_access, 384},
+ {0x3243103C, "Smart Array P410", &SA5_access, 384},
+ {0x3245103C, "Smart Array P410i", &SA5_access, 384},
+ {0x3247103C, "Smart Array P411", &SA5_access, 384},
+ {0x3249103C, "Smart Array P812", &SA5_access, 384},
{0xFFFF103C, "Unknown Smart Array", &SA5_access, 120},
};
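
Review bot: all five new products[] entries use 384 as the fourth field where the neighbouring boards use 120 or 512, and nothing in the patch or changelog says where 384 comes from. The board IDs themselves pair up correctly with the five subsystem IDs added to the PCI table (0x3241 to 0x3249); a comment or changelog line for the 384 value would help anyone validating it against the hardware.
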

--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -716,6 +716,7 @@
#define PCI_DEVICE_ID_HP_CISSA 0x3220
#define PCI_DEVICE_ID_HP_CISSC 0x3230
#define PCI_DEVICE_ID_HP_CISSD 0x3238
+#define PCI_DEVICE_ID_HP_CISSE 0x323a
#define PCI_DEVICE_ID_HP_ZX2_IOC 0x4031

#define PCI_VENDOR_ID_PCTECH 0x1042

--

2008-06-14 00:24:26

by Greg KH

Subject: [patch 36/47] hgafb: resource management fix

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Krzysztof Helt <[email protected]>

commit 630c270183133ac25bef8c8d726ac448df9b169a upstream
Date: Thu, 12 Jun 2008 15:21:29 -0700
Subject: [patch 36/47] hgafb: resource management fix

Release ports which are requested during detection which are not freed if
there is no hga card. Otherwise there is a crash during cat /proc/ioports
command.

Signed-off-by: Krzysztof Helt <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/video/hgafb.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)

--- a/drivers/video/hgafb.c
+++ b/drivers/video/hgafb.c
@@ -279,7 +279,7 @@ static void hga_blank(int blank_mode)

static int __init hga_card_detect(void)
{
- int count=0;
+ int count = 0;
void __iomem *p, *q;
unsigned short p_save, q_save;
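
Review bot: the count=0 to count = 0 change is whitespace only and unrelated to the resource leak. Keeping it out would leave the diff with just the fix, which is easier to audit in a stable series.
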

@@ -303,20 +303,18 @@ static int __init hga_card_detect(void)
writew(0x55aa, p); if (readw(p) == 0x55aa) count++;
writew(p_save, p);

- if (count != 2) {
- return 0;
- }
+ if (count != 2)
+ goto error;

/* Ok, there is definitely a card registering at the correct
* memory location, so now we do an I/O port test.
*/

- if (!test_hga_b(0x66, 0x0f)) { /* cursor low register */
- return 0;
- }
- if (!test_hga_b(0x99, 0x0f)) { /* cursor low register */
- return 0;
- }
+ if (!test_hga_b(0x66, 0x0f)) /* cursor low register */
+ goto error;
+
+ if (!test_hga_b(0x99, 0x0f)) /* cursor low register */
+ goto error;

/* See if the card is a Hercules, by checking whether the vsync
* bit of the status register is changing. This test lasts for
@@ -331,7 +329,7 @@ static int __init hga_card_detect(void)
}

if (p_save == q_save)
- return 0;
+ goto error;

switch (inb_p(HGA_STATUS_PORT) & 0x70) {
case 0x10:
@@ -348,6 +346,12 @@ static int __init hga_card_detect(void)
break;
}
return 1;
+error:
+ if (release_io_ports)
+ release_region(0x3b0, 12);
+ if (release_io_port)
+ release_region(0x3bf, 1);
+ return 0;
}

/**
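
Review bot: the error path tests two flags whose names differ by a single letter, release_io_ports and release_io_port, which is easy to misread or mistype; more distinct names would help. The flags are also left set after release_region(), so if any other path releases the same ranges based on them the regions would be released twice. Clearing each flag right after its release_region() call avoids that.
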

--

2008-06-14 00:24:44

by Greg KH

Subject: [patch 37/47] forcedeth: msi interrupts

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ayaz Abdulla <[email protected]>

commit 4db0ee176e256444695ee2d7b004552e82fec987 upstream

Add a workaround for lost MSI interrupts. There is a race condition in
the HW in which future interrupts could be missed. The workaround is to
toggle the MSI irq mask.

Added cleanup based on comments from Andrew Morton.

Signed-off-by: Ayaz Abdulla <[email protected]>
Cc: Manfred Spraul <[email protected]>
Cc: Jeff Garzik <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Jeff Garzik <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/forcedeth.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

--- a/drivers/net/forcedeth.c
+++ b/drivers/net/forcedeth.c
@@ -3111,6 +3111,20 @@ static void nv_link_irq(struct net_devic
dprintk(KERN_DEBUG "%s: link change notification done.\n", dev->name);
}

+static void nv_msi_workaround(struct fe_priv *np)
+{
+
+ /* Need to toggle the msi irq mask within the ethernet device,
+ * otherwise, future interrupts will not be detected.
+ */
+ if (np->msi_flags & NV_MSI_ENABLED) {
+ u8 __iomem *base = np->base;
+
+ writel(0, base + NvRegMSIIrqMask);
+ writel(NVREG_MSI_VECTOR_0_ENABLED, base + NvRegMSIIrqMask);
+ }
+}
+
static irqreturn_t nv_nic_irq(int foo, void *data)
{
struct net_device *dev = (struct net_device *) data;
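
Review bot: nv_msi_workaround() restores the mask by writing NVREG_MSI_VECTOR_0_ENABLED rather than the value that was in NvRegMSIIrqMask before it was cleared. That is only correct if this is the sole value the driver ever programs into the register; a comment saying so, or saving and restoring the old value, would make the assumption explicit. There is also a stray blank line after the opening brace.
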
@@ -3133,6 +3147,8 @@ static irqreturn_t nv_nic_irq(int foo, v
if (!(events & np->irqmask))
break;

+ nv_msi_workaround(np);
+
spin_lock(&np->lock);
nv_tx_done(dev);
spin_unlock(&np->lock);
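
Review bot: the call sits after the events check inside the handler's loop (note the break in the context lines), so the two register writes are issued on every pass that has work rather than once per interrupt, and they run before np->lock is taken. If the toggle only needs to happen once per interrupt, hoisting it out of the loop would save MMIO writes on a hot path; if it must happen per pass, a comment should say why.
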
@@ -3248,6 +3264,8 @@ static irqreturn_t nv_nic_irq_optimized(
if (!(events & np->irqmask))
break;

+ nv_msi_workaround(np);
+
spin_lock(&np->lock);
nv_tx_done_optimized(dev, TX_WORK_PER_LOOP);
spin_unlock(&np->lock);
@@ -3588,6 +3606,8 @@ static irqreturn_t nv_nic_irq_test(int f
if (!(events & NVREG_IRQ_TIMER))
return IRQ_RETVAL(0);

+ nv_msi_workaround(np);
+
spin_lock(&np->lock);
np->intr_test = 1;
spin_unlock(&np->lock);

--

2008-06-14 00:25:00

by Greg KH

Subject: [patch 38/47] tcp: Fix inconsistency source (CA_Open only when !tcp_left_out(tp))

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <[email protected]>

[ upstream commit: 8aca6cb1179ed9bef9351028c8d8af852903eae2 ]

It is possible that this skip path causes TCP to end up into an
invalid state where ca_state was left to CA_Open while some
segments already came into sacked_out. If next valid ACK doesn't
contain new SACK information TCP fails to enter into
tcp_fastretrans_alert(). Thus at least high_seq is set
incorrectly to a too high seqno because some new data segments
could be sent in between (and also, limited transmit is not
being correctly invoked there). Reordering in both directions
can easily cause this situation to occur.

I guess we would want to use tcp_moderate_cwnd(tp) there as well
as it may be possible to use this to trigger oversized burst to
network by sending an old ACK with huge amount of SACK info, but
I'm a bit unsure about its effects (mainly to FlightSize), so to
be on the safe side I just currently fixed it minimally to keep
TCP's state consistent (obviously, such nasty ACKs have been
possible this far). Though it seems that FlightSize is already
underestimated by some amount, so probably on the long term we
might want to trigger recovery there too, if appropriate, to make
FlightSize calculation to resemble reality at the time when the
losses were discovered (but such change scares me too much now
and requires some more thinking anyway how to do that as it
likely involves some code shuffling).

This bug was found by Brian Vowell while running my TCP debug
patch to find cause of another TCP issue (fackets_out
miscount).

Signed-off-by: Ilpo Järvinen <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/tcp_input.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2469,6 +2469,20 @@ static inline void tcp_complete_cwr(stru
tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR);
}

+static void tcp_try_keep_open(struct sock *sk)
+{
+ struct tcp_sock *tp = tcp_sk(sk);
+ int state = TCP_CA_Open;
+
+ if (tcp_left_out(tp) || tp->retrans_out || tp->undo_marker)
+ state = TCP_CA_Disorder;
+
+ if (inet_csk(sk)->icsk_ca_state != state) {
+ tcp_set_ca_state(sk, state);
+ tp->high_seq = tp->snd_nxt;
+ }
+}
+
static void tcp_try_to_open(struct sock *sk, int flag)
{
struct tcp_sock *tp = tcp_sk(sk);
@@ -2482,15 +2496,7 @@ static void tcp_try_to_open(struct sock
tcp_enter_cwr(sk, 1);

if (inet_csk(sk)->icsk_ca_state != TCP_CA_CWR) {
- int state = TCP_CA_Open;
-
- if (tcp_left_out(tp) || tp->retrans_out || tp->undo_marker)
- state = TCP_CA_Disorder;
-
- if (inet_csk(sk)->icsk_ca_state != state) {
- tcp_set_ca_state(sk, state);
- tp->high_seq = tp->snd_nxt;
- }
+ tcp_try_keep_open(sk);
tcp_moderate_cwnd(tp);
} else {
tcp_cwnd_down(sk, flag);
@@ -3296,8 +3302,11 @@ no_queue:
return 1;

old_ack:
- if (TCP_SKB_CB(skb)->sacked)
+ if (TCP_SKB_CB(skb)->sacked) {
tcp_sacktag_write_queue(sk, skb, prior_snd_una);
+ if (icsk->icsk_ca_state == TCP_CA_Open)
+ tcp_try_keep_open(sk);
+ }

uninteresting_ack:
SOCK_DEBUG(sk, "Ack %u out of %u:%u\n", ack, tp->snd_una, tp->snd_nxt);
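
Review bot: on the old_ack path tcp_try_keep_open() is called without the tcp_moderate_cwnd(tp) that follows it in tcp_try_to_open(). The changelog explains that this is deliberate, but the code gives no hint of it; a short comment here recording that cwnd moderation is intentionally left out would stop someone from "fixing" the asymmetry later.
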

--

2008-06-14 00:25:34

by Greg KH

Subject: [patch 39/47] IB/umem: Avoid sign problems when demoting npages to integer

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Roland Dreier <[email protected]>

commit 8079ffa0e18baaf2940e52e0c118eef420a473a4 upstream

On a 64-bit architecture, if ib_umem_get() is called with a size value
that is so big that npages is negative when cast to int, then the
length of the page list passed to get_user_pages(), namely

min_t(int, npages, PAGE_SIZE / sizeof (struct page *))

will be negative, and get_user_pages() will immediately return 0 (at
least since 900cf086, "Be more robust about bad arguments in
get_user_pages()"). This leads to an infinite loop in ib_umem_get(),
since the code boils down to:

while (npages) {
ret = get_user_pages(...);
npages -= ret;
}

Fix this by taking the minimum as unsigned longs, so that the value of
npages is never truncated.

The impact of this bug isn't too severe, since the value of npages is
checked against RLIMIT_MEMLOCK, so a process would need to have an
astronomical limit or have CAP_IPC_LOCK to be able to trigger this,
and such a process could already cause lots of mischief. But it does
let buggy userspace code cause a kernel lock-up; for example I hit
this with code that passes a negative value into a memory registration
function where it is promoted to a huge u64 value.

Signed-off-by: Roland Dreier <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/infiniband/core/umem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -144,7 +144,7 @@ struct ib_umem *ib_umem_get(struct ib_uc
ret = 0;
while (npages) {
ret = get_user_pages(current, current->mm, cur_base,
- min_t(int, npages,
+ min_t(unsigned long, npages,
PAGE_SIZE / sizeof (struct page *)),
1, !umem->writable, page_list, vma_list);
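
Review bot: the loop around this call still has no guard against get_user_pages() returning 0, which per the changelog is what made it spin. Taking the minimum as unsigned long removes one way to reach that state, and the result stays bounded by PAGE_SIZE / sizeof (struct page *); treating a zero return as an error inside the loop would make it robust regardless of how the length is computed.
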


--
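
The truncation described in the IB/umem changelog above, as an added user-space C model (not part of the patch or of the kernel source). The min_t macro here is a simplified stand-in, model_get_user_pages() and pin_pages() are hypothetical helpers, and 4 KiB pages with 8-byte pointers are assumed; the 2^32 case, where the cast yields 0 rather than a negative value, goes one step beyond the changelog.

```c
/* Added illustration (not kernel code): user-space model of the length
 * computation in ib_umem_get() before and after the min_t() change. */
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's min_t(): compare after casting. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Assumption: 4 KiB pages and 8-byte pointers, as on a typical 64-bit box. */
#define MODEL_PAGE_SIZE 4096u
#define PAGE_LIST_LEN   (MODEL_PAGE_SIZE / 8u)   /* 512 entries */

/* uint64_t models the 64-bit unsigned long that holds npages. */
static int chunk_len_before(uint64_t npages)
{
    /* Casting a large npages to int is where the sign goes wrong
     * (implementation-defined in ISO C; wraps on gcc and clang). */
    return min_t(int, npages, PAGE_LIST_LEN);
}

static int chunk_len_after(uint64_t npages)
{
    /* Compared as 64-bit unsigned, the result is at most 512. */
    return (int)min_t(uint64_t, npages, PAGE_LIST_LEN);
}

/* Hypothetical stand-in for get_user_pages(): rejects a non-positive
 * length by returning 0, otherwise pretends every page was pinned. */
static int model_get_user_pages(int len)
{
    return len <= 0 ? 0 : len;
}

/* Runs the "while (npages)" loop for at most max_iter passes.
 * Returns the pages pinned so far, or -1 if a pass made no progress,
 * which in the kernel loop means spinning forever. */
static int64_t pin_pages(uint64_t npages, int fixed, unsigned max_iter)
{
    int64_t pinned = 0;

    while (npages && max_iter--) {
        int len = fixed ? chunk_len_after(npages)
                        : chunk_len_before(npages);
        int ret = model_get_user_pages(len);

        if (ret == 0)
            return -1;
        npages -= (uint64_t)ret;
        pinned += ret;
    }
    return pinned;
}

int main(void)
{
    /* Constructed inputs: a sane request, 2^31 pages, 2^32 pages. */
    const uint64_t cases[] = { 1000, 1ULL << 31, 1ULL << 32 };

    for (unsigned i = 0; i < 3; i++)
        printf("npages=%llu  before: len=%d result=%lld  after: len=%d result=%lld\n",
               (unsigned long long)cases[i],
               chunk_len_before(cases[i]),
               (long long)pin_pages(cases[i], 0, 10),
               chunk_len_after(cases[i]),
               (long long)pin_pages(cases[i], 1, 10));
    return 0;
}
```

A result of -1 marks the input on which the unpatched loop would never terminate; with the unsigned comparison the same input advances 512 pages per pass.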

2008-06-14 00:25:51

by Greg KH

Subject: [patch 40/47] m68k: Add ext2_find_{first,next}_bit() for ext4


-stable review patch. If anyone has any objections, please let us know.

------------------
From: Aneesh Kumar K.V <[email protected]>

commit 69c5ddf58a03da3686691ad2f293bc79fd977c10 upstream

Add ext2_find_{first,next}_bit(), which are needed for ext4.
They're derived out of the ext2_find_next_zero_bit found in the same file.
Compile tested with crosstools

[Reworked to preserve all symmetry with ext2_find_{first,next}_zero_bit()]

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=10393

Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/asm-m68k/bitops.h | 46 ++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 44 insertions(+), 2 deletions(-)

--- a/include/asm-m68k/bitops.h
+++ b/include/asm-m68k/bitops.h
@@ -410,8 +410,50 @@ static inline int ext2_find_next_zero_bi
res = ext2_find_first_zero_bit (p, size - 32 * (p - addr));
return (p - addr) * 32 + res;
}
-#define ext2_find_next_bit(addr, size, off) \
- generic_find_next_le_bit((unsigned long *)(addr), (size), (off))
+
+static inline int ext2_find_first_bit(const void *vaddr, unsigned size)
+{
+ const unsigned long *p = vaddr, *addr = vaddr;
+ int res;
+
+ if (!size)
+ return 0;
+
+ size = (size >> 5) + ((size & 31) > 0);
+ while (*p++ == 0UL)
+ {
+ if (--size == 0)
+ return (p - addr) << 5;
+ }
+
+ --p;
+ for (res = 0; res < 32; res++)
+ if (ext2_test_bit(res, p))
+ break;
+ return (p - addr) * 32 + res;
+}
+
+static inline int ext2_find_next_bit(const void *vaddr, unsigned size,
+ unsigned offset)
+{
+ const unsigned long *addr = vaddr;
+ const unsigned long *p = addr + (offset >> 5);
+ int bit = offset & 31UL, res;
+
+ if (offset >= size)
+ return size;
+
+ if (bit) {
+ /* Look for one in first longword */
+ for (res = bit; res < 32; res++)
+ if (ext2_test_bit(res, p))
+ return (p - addr) * 32 + res;
+ p++;
+ }
+ /* No set bit yet, search remaining full bytes for a set bit */
+ res = ext2_find_first_bit(p, size - 32 * (p - addr));
+ return (p - addr) * 32 + res;
+}

#endif /* __KERNEL__ */
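
Review bot: in ext2_find_next_bit() the expression size - 32 * (p - addr) is unsigned, so when size is not a multiple of 32 and the search starts inside the last word, the p++ makes it wrap to a huge value and ext2_find_first_bit() scans past the end of the bitmap. ext2_find_first_bit() likewise rounds size up to whole 32-bit words, so both its all-zero return (p - addr) << 5 and its final scan can yield an index above size. If callers only ever pass sizes that are multiples of 32 that should be stated in a comment, and callers must test the result with >= size, not == size. Smaller points: the comment says "remaining full bytes" where the code searches longwords, and the opening brace of the while loop is on its own line.
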


--

2008-06-14 00:26:22

by Greg KH

Subject: [patch 41/47] cifs: fix oops on mount when CONFIG_CIFS_DFS_UPCALL is enabled

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Marcin Slusarz <[email protected]>

simple "mount -t cifs //xxx /mnt" oopsed on strlen of options
http://kerneloops.org/guilty.php?guilty=cifs_get_sb&version=2.6.25-release&start=16711 \
68&end=1703935&class=oops

Signed-off-by: Marcin Slusarz <[email protected]>
Acked-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/cifs/cifsfs.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)

--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -97,9 +97,6 @@ cifs_read_super(struct super_block *sb,
{
struct inode *inode;
struct cifs_sb_info *cifs_sb;
-#ifdef CONFIG_CIFS_DFS_UPCALL
- int len;
-#endif
int rc = 0;

/* BB should we make this contingent on mount parm? */
@@ -117,15 +114,17 @@ cifs_read_super(struct super_block *sb,
* complex operation (mount), and in case of fail
* just exit instead of doing mount and attempting
* undo it if this copy fails?*/
- len = strlen(data);
- cifs_sb->mountdata = kzalloc(len + 1, GFP_KERNEL);
- if (cifs_sb->mountdata == NULL) {
- kfree(sb->s_fs_info);
- sb->s_fs_info = NULL;
- return -ENOMEM;
+ if (data) {
+ int len = strlen(data);
+ cifs_sb->mountdata = kzalloc(len + 1, GFP_KERNEL);
+ if (cifs_sb->mountdata == NULL) {
+ kfree(sb->s_fs_info);
+ sb->s_fs_info = NULL;
+ return -ENOMEM;
+ }
+ strncpy(cifs_sb->mountdata, data, len + 1);
+ cifs_sb->mountdata[len] = '\0';
}
- strncpy(cifs_sb->mountdata, data, len + 1);
- cifs_sb->mountdata[len] = '\0';
#endif

rc = cifs_mount(sb, cifs_sb, data, devname);
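
Review bot: when data is NULL the block is now skipped and cifs_sb->mountdata keeps whatever value it had, so every later user of mountdata under CONFIG_CIFS_DFS_UPCALL must tolerate NULL; please confirm that. Inside the block, strncpy() with len + 1 followed by an explicit terminator duplicates what kzalloc() already guarantees, and strlen()'s result is stored in an int; kstrdup(data, GFP_KERNEL) would replace the allocation and copy in one call.
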

--

2008-06-14 00:26:43

by Greg KH

Subject: [patch 42/47] CPUFREQ: Fix format string bug.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Chris Wright <[email protected]>

commit 326f6a5c9c9e1a62aec37bdc0c3f8d53adabe77b upstream

Format string bug. Not exploitable, as this is only writable by root,
but worth fixing all the same.

From: Chris Wright <[email protected]>
Spotted-by: Ilja van Sprundel <[email protected]>
Signed-off-by: Dave Jones <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/cpufreq/cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -410,7 +410,7 @@ static int cpufreq_parse_governor (char
int ret;

mutex_unlock(&cpufreq_governor_mutex);
- ret = request_module(name);
+ ret = request_module("%s", name);
mutex_lock(&cpufreq_governor_mutex);

if (ret == 0)
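
Review bot: other request_module() callers that pass a non-literal string as the first argument deserve the same audit as this one in cpufreq_parse_governor(). The changelog rates this instance as not exploitable because only root can write the value; a caller fed from a less privileged source would not have that mitigation, so a tree-wide grep alongside this fix would be worthwhile.
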

--

2008-06-14 00:27:00

by Greg KH

Subject: [patch 43/47] serial: fix enable_irq_wake/disable_irq_wake imbalance in serial_core.c

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Arjan van de Ven <[email protected]>

commit 03a74dcc7eebe6edd778317e82fafdf71e68488c in mainline.

enable_irq_wake() and disable_irq_wake() need to be balanced. However,
serial_core.c calls these for different conditions during the suspend and
resume functions...

This is causing a regular WARN_ON() as found at
http://www.kerneloops.org/search.php?search=set_irq_wake

This patch makes the conditions for triggering the _wake enable/disable
sequence identical.

Signed-off-by: Arjan van de Ven <[email protected]>
Cc: Alan Cox <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/serial/serial_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/serial/serial_core.c
+++ b/drivers/serial/serial_core.c
@@ -2022,6 +2022,8 @@ int uart_suspend_port(struct uart_driver
int uart_resume_port(struct uart_driver *drv, struct uart_port *port)
{
struct uart_state *state = drv->state + port->line;
+ struct device *tty_dev;
+ struct uart_match match = {port, drv};

mutex_lock(&state->mutex);

@@ -2031,7 +2033,8 @@ int uart_resume_port(struct uart_driver
return 0;
}

- if (!port->suspended) {
+ tty_dev = device_find_child(port->dev, &match, serial_match_port);
+ if (!port->suspended && device_may_wakeup(tty_dev)) {
disable_irq_wake(port->irq);
mutex_unlock(&state->mutex);
return 0;
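
Review bot: device_find_child() can return NULL, and when it finds a match it returns the device with a reference held, but tty_dev is passed straight to device_may_wakeup() and is never released with put_device() in the lines shown. Please add NULL handling and drop the reference on both the early-return and the fall-through paths.
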

--

2008-06-14 00:27:28

by Greg KH

Subject: [patch 44/47] Kconfig: introduce ARCH_DEFCONFIG to DEFCONFIG_LIST

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Sam Ravnborg <[email protected]>

commit 73531905ed53576d9e8707659a761e7046a60497 in mainline.

init/Kconfig contains a list of configs that are searched
for if 'make *config' are used with no .config present.
Extend this list to look at the config identified by
ARCH_DEFCONFIG.

With this change we now try the defconfig targets last.

This fixes a regression reported
by: Linus Torvalds <[email protected]>

Signed-off-by: Sam Ravnborg <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: "H. Peter Anvin" <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/Kconfig | 13 +++----------
init/Kconfig | 1 +
2 files changed, 4 insertions(+), 10 deletions(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -24,17 +24,10 @@ config X86
select HAVE_KRETPROBES
select HAVE_KVM if ((X86_32 && !X86_VOYAGER && !X86_VISWS && !X86_NUMAQ) || X86_64)

-config DEFCONFIG_LIST
+config ARCH_DEFCONFIG
string
- depends on X86_32
- option defconfig_list
- default "arch/x86/configs/i386_defconfig"
-
-config DEFCONFIG_LIST
- string
- depends on X86_64
- option defconfig_list
- default "arch/x86/configs/x86_64_defconfig"
+ default "arch/x86/configs/i386_defconfig" if X86_32
+ default "arch/x86/configs/x86_64_defconfig" if X86_64


config GENERIC_LOCKBREAK
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -13,6 +13,7 @@ config DEFCONFIG_LIST
default "/lib/modules/$UNAME_RELEASE/.config"
default "/etc/kernel-config"
default "/boot/config-$UNAME_RELEASE"
+ default "$ARCH_DEFCONFIG"
default "arch/$ARCH/defconfig"

menu "General setup"
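
Review bot: the new default "$ARCH_DEFCONFIG" entry expands to an empty string on any architecture that does not define ARCH_DEFCONFIG. Please confirm that the defconfig_list lookup skips an empty path cleanly and falls through to arch/$ARCH/defconfig, and mention in the changelog that other architectures are expected to leave the symbol undefined.
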

--

2008-06-14 00:27:46

by Greg KH

Subject: [patch 45/47] bttv: Fix a deadlock in the bttv driver

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Arjan van de Ven <[email protected]>

commit 81b2dbcad86732ffc02bad87aa25c4651199fc77 in mainline.

vidiocgmbuf() does this:
mutex_lock(&fh->cap.vb_lock);
retval = videobuf_mmap_setup(&fh->cap, gbuffers, gbufsize,
V4L2_MEMORY_MMAP);

and videobuf_mmap_setup() then just does
mutex_lock(&q->vb_lock);
ret = __videobuf_mmap_setup(q, bcount, bsize, memory);
mutex_unlock(&q->vb_lock);

which is an obvious double-take deadlock.

This patch fixes this by having vidiocgmbuf() just call the
__videobuf_mmap_setup function instead.

Acked-by: Mauro Carvalho Chehab <[email protected]>
Reported-by: Koos Vriezen <[email protected]>
Signed-off-by: Arjan van de Ven <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/video/bt8xx/bttv-driver.c | 2 +-
drivers/media/video/videobuf-core.c | 3 ++-
include/media/videobuf-core.h | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/media/video/bt8xx/bttv-driver.c
+++ b/drivers/media/video/bt8xx/bttv-driver.c
@@ -2613,7 +2613,7 @@ static int vidiocgmbuf(struct file *file
struct bttv_fh *fh = priv;

mutex_lock(&fh->cap.vb_lock);
- retval = videobuf_mmap_setup(&fh->cap, gbuffers, gbufsize,
+ retval = __videobuf_mmap_setup(&fh->cap, gbuffers, gbufsize,
V4L2_MEMORY_MMAP);
if (retval < 0) {
mutex_unlock(&fh->cap.vb_lock);
--- a/drivers/media/video/videobuf-core.c
+++ b/drivers/media/video/videobuf-core.c
@@ -335,7 +335,7 @@ int videobuf_mmap_free(struct videobuf_q
}

/* Locking: Caller holds q->vb_lock */
-static int __videobuf_mmap_setup(struct videobuf_queue *q,
+int __videobuf_mmap_setup(struct videobuf_queue *q,
unsigned int bcount, unsigned int bsize,
enum v4l2_memory memory)
{
@@ -1093,6 +1093,7 @@ EXPORT_SYMBOL_GPL(videobuf_read_stream);
EXPORT_SYMBOL_GPL(videobuf_read_one);
EXPORT_SYMBOL_GPL(videobuf_poll_stream);

+EXPORT_SYMBOL_GPL(__videobuf_mmap_setup);
EXPORT_SYMBOL_GPL(videobuf_mmap_setup);
EXPORT_SYMBOL_GPL(videobuf_mmap_free);
EXPORT_SYMBOL_GPL(videobuf_mmap_mapper);
--- a/include/media/videobuf-core.h
+++ b/include/media/videobuf-core.h
@@ -227,6 +227,9 @@ unsigned int videobuf_poll_stream(struct
int videobuf_mmap_setup(struct videobuf_queue *q,
unsigned int bcount, unsigned int bsize,
enum v4l2_memory memory);
+int __videobuf_mmap_setup(struct videobuf_queue *q,
+ unsigned int bcount, unsigned int bsize,
+ enum v4l2_memory memory);
int videobuf_mmap_free(struct videobuf_queue *q);
int videobuf_mmap_mapper(struct videobuf_queue *q,
struct vm_area_struct *vma);
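
Review bot: the declaration of __videobuf_mmap_setup() added to the header carries no mention that the caller must hold q->vb_lock; that requirement is stated only in the comment above the definition in videobuf-core.c. Since the function is now exported, the locking rule should be repeated here, where out-of-file callers such as vidiocgmbuf() will look.
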

--

2008-06-14 00:28:09

by Greg KH

Subject: [patch 46/47] x86: fix recursive dependencies

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Roman Zippel <[email protected]>

commit 823c248e7cc75b4f22da914b01f8e5433cff197e in mainline

The proper dependency check uncovered a few dependency problems,
the subarchitecture used a mixture of selects and depends on SMP
and PCI dependency was messed up.

Signed-off-by: Roman Zippel <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ravikiran Thirumalai <[email protected]>

---
arch/x86/Kconfig | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -246,8 +246,7 @@ config X86_ELAN

config X86_VOYAGER
bool "Voyager (NCR)"
- depends on X86_32
- select SMP if !BROKEN
+ depends on X86_32 && (SMP || BROKEN)
help
Voyager is an MCA-based 32-way capable SMP architecture proprietary
to NCR Corp. Machine classes 345x/35xx/4100/51xx are Voyager-based.
@@ -259,9 +258,8 @@ config X86_VOYAGER

config X86_NUMAQ
bool "NUMAQ (IBM/Sequent)"
- select SMP
+ depends on SMP && X86_32
select NUMA
- depends on X86_32
help
This option is used for getting Linux to run on a (IBM/Sequent) NUMA
multiquad box. This changes the way that processors are bootstrapped,
@@ -332,7 +330,7 @@ config X86_RDC321X

config X86_VSMP
bool "Support for ScaleMP vSMP"
- depends on X86_64 && PCI
+ depends on X86_64
help
Support for ScaleMP vSMP systems. Say 'Y' here if this kernel is
supposed to run on these EM64T-based machines. Only choose this option
@@ -1384,7 +1382,7 @@ endmenu
menu "Bus options (PCI etc.)"

config PCI
- bool "PCI support" if !X86_VISWS
+ bool "PCI support" if !X86_VISWS && !X86_VSMP
depends on !X86_VOYAGER
default y
select ARCH_SUPPORTS_MSI if (X86_LOCAL_APIC && X86_IO_APIC)
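
Review bot: hiding the PCI prompt for X86_VSMP relies on default y to force PCI on, replacing the depends on X86_64 && PCI that was removed from X86_VSMP above. That holds only while nothing else can turn PCI off for that configuration; a comment next to the prompt condition would record that VSMP requires PCI.
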

--

2008-06-14 00:28:37

by Greg KH

Subject: [patch 47/47] mac80211: send association event on IBSS create

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Dan Williams <[email protected]>

patch 507b06d0622480f8026d49a94f86068bb0fd6ed6 upstream

Otherwise userspace has no idea the IBSS creation succeeded.

Signed-off-by: Dan Williams <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/mac80211/ieee80211_sta.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/net/mac80211/ieee80211_sta.c
+++ b/net/mac80211/ieee80211_sta.c
@@ -2723,6 +2723,7 @@ static int ieee80211_sta_join_ibss(struc
struct rate_selection ratesel;
u8 *pos;
struct ieee80211_sub_if_data *sdata;
+ union iwreq_data wrqu;

/* Remove possible STA entries from other IBSS networks. */
sta_info_flush(local, NULL);
@@ -2863,6 +2864,10 @@ static int ieee80211_sta_join_ibss(struc

ieee80211_rx_bss_put(dev, bss);

+ memset(&wrqu, 0, sizeof(wrqu));
+ memcpy(wrqu.ap_addr.sa_data, bss->bssid, ETH_ALEN);
+ wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL);
+
return res;
}
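
Review bot: bss->bssid is read by the memcpy() after ieee80211_rx_bss_put(dev, bss) has already dropped the reference on bss; if that put can release the last reference, this is a use after free. Moving the three added lines above the put avoids the question. wrqu.ap_addr.sa_family is also left at zero by the memset(); wireless events carrying a MAC address normally set it to ARPHRD_ETHER. Finally, the event is sent regardless of the value of res, which should be checked against the intent that it signals successful IBSS creation.
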


--

2008-06-14 02:51:04

by Dave Young

Subject: Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

On Sat, Jun 14, 2008 at 8:10 AM, Greg KH <[email protected]> wrote:
> -stable review patch. If anyone has any objections, please let us know.
>
> ------------------
> From: Arjan van de Ven <[email protected]>
>
> [ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

Hi greg
Please include the following commit as well because it will cause another bug:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=537d59af73d894750cff14f90fe2b6d77fbab15b

>
> in net/bluetooth/rfcomm/sock.c, rfcomm_sk_state_change() does the
> following operation:
>
> if (parent && sock_flag(sk, SOCK_ZAPPED)) {
> /* We have to drop DLC lock here, otherwise
> * rfcomm_sock_destruct() will dead lock. */
> rfcomm_dlc_unlock(d);
> rfcomm_sock_kill(sk);
> rfcomm_dlc_lock(d);
> }
> }
>
> which is fine, since rfcomm_sock_kill() will call sk_free() which will call
> rfcomm_sock_destruct() which takes the rfcomm_dlc_lock()... so far so good.
>
> HOWEVER, this assumes that the rfcomm_sk_state_change() function always gets
> called with the rfcomm_dlc_lock() taken. This is the case for all but one
> case, and in that case where we don't have the lock, we do a double unlock
> followed by an attempt to take the lock, which due to underflow isn't
> going anywhere fast.
>
> This patch fixes this by moving the straggling case inside the lock, like
> the other usages of the same call are doing in this code.
>
> This was found with the help of the http://www.kerneloops.org project, where this
> deadlock was observed 51 times at this point in time:
> http://www.kerneloops.org/search.php?search=rfcomm_sock_destruct
>
> Signed-off-by: Arjan van de Ven <[email protected]>
> Acked-by: Marcel Holtmann <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
> Signed-off-by: Chris Wright <[email protected]>
> ---
> net/bluetooth/rfcomm/core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc
>
> rfcomm_dlc_lock(d);
> d->state = BT_CLOSED;
> - rfcomm_dlc_unlock(d);
> d->state_change(d, err);
> + rfcomm_dlc_unlock(d);
>
> skb_queue_purge(&d->tx_queue);
> rfcomm_dlc_unlink(d);
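Review bot: with `d->state_change(d, err)` moved above `rfcomm_dlc_unlock(d)`, every state_change callback now runs with the DLC lock held, and nothing at the call site says so. A comment here (or at the callback's declaration) stating that state_change is called under `rfcomm_dlc_lock()` and may drop and retake it, as the commit message describes for `rfcomm_sk_state_change()`, would keep future callers and callbacks from reintroducing the imbalance.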
>
> --



--
Regards
dave
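
The lock imbalance described in the quoted commit message, as a user-space model added here (not code from the patch or the kernel). `model_lock`, `model_dlc`, `model_sk_state_change` and `model_dlc_close` are hypothetical names, and the lock is a plain counter that records misuse instead of the kernel's lock.

```c
#include <stdio.h>

/* Model lock (assumption, not the kernel's lock): counts misuse, never spins. */
struct model_lock {
    int held;        /* 1 locked, 0 free, negative after a stray unlock */
    int bad_unlocks; /* unlocks issued while the lock was not held */
    int stuck_locks; /* lock attempts on an underflowed lock */
};
struct model_dlc { struct model_lock lock; int sock_killed; };

static void model_lock_take(struct model_lock *l)
{
    if (l->held < 0) l->stuck_locks++; /* real code stops making progress here */
    l->held++;
}

static void model_lock_drop(struct model_lock *l)
{
    if (l->held <= 0) l->bad_unlocks++;
    l->held--;
}

/* Same shape as the snippet in the commit message; needs the lock held on entry. */
static void model_sk_state_change(struct model_dlc *d)
{
    model_lock_drop(&d->lock);
    d->sock_killed = 1;          /* stands in for rfcomm_sock_kill(sk) */
    model_lock_take(&d->lock);
}

/* callback_under_lock = 0: call order before the patch; 1: order after it. */
struct model_lock model_dlc_close(int callback_under_lock)
{
    struct model_dlc d = { { 0, 0, 0 }, 0 };
    model_lock_take(&d.lock);
    if (!callback_under_lock) model_lock_drop(&d.lock); /* old: unlock first */
    model_sk_state_change(&d);
    if (callback_under_lock) model_lock_drop(&d.lock);  /* new: unlock last */
    return d.lock;
}

int main(void)
{
    struct model_lock b = model_dlc_close(0), a = model_dlc_close(1);
    printf("before: bad_unlocks=%d stuck_locks=%d; after: bad_unlocks=%d stuck_locks=%d\n",
           b.bad_unlocks, b.stuck_locks, a.bad_unlocks, a.stuck_locks);
    return 0;
}
```
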

2008-06-14 03:46:40

by David Miller

Subject: Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

From: "Dave Young" <[email protected]>
Date: Sat, 14 Jun 2008 10:50:51 +0800

> On Sat, Jun 14, 2008 at 8:10 AM, Greg KH <[email protected]> wrote:
> > -stable review patch. If anyone has any objections, please let us know.
> >
> > ------------------
> > From: Arjan van de Ven <[email protected]>
> >
> > [ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]
>
> Hi greg
> Please include the following commit as well because it will cause another bug:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=537d59af73d894750cff14f90fe2b6d77fbab15b

Acked-by: David S. Miller <[email protected]>

2008-06-14 12:23:30

by Marcel Holtmann

Subject: Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

Hi Dave,

> > Signed-off-by: Arjan van de Ven <[email protected]>
> > Acked-by: Marcel Holtmann <[email protected]>
> > Signed-off-by: David S. Miller <[email protected]>
> > Signed-off-by: Chris Wright <[email protected]>
> > ---
> > net/bluetooth/rfcomm/core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/net/bluetooth/rfcomm/core.c
> > +++ b/net/bluetooth/rfcomm/core.c
> > @@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc
> >
> > rfcomm_dlc_lock(d);
> > d->state = BT_CLOSED;
> > - rfcomm_dlc_unlock(d);
> > d->state_change(d, err);
> > + rfcomm_dlc_unlock(d);
> >
> > skb_queue_purge(&d->tx_queue);
> > rfcomm_dlc_unlink(d);

Did we screw up the tabs during the review process here?

Regards

Marcel

2008-06-15 03:35:27

by Dave Young

Subject: Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

On Sat, Jun 14, 2008 at 8:26 PM, Marcel Holtmann <[email protected]> wrote:
> Hi Dave,
>
>> > Signed-off-by: Arjan van de Ven <[email protected]>
>> > Acked-by: Marcel Holtmann <[email protected]>
>> > Signed-off-by: David S. Miller <[email protected]>
>> > Signed-off-by: Chris Wright <[email protected]>
>> > ---
>> > net/bluetooth/rfcomm/core.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > --- a/net/bluetooth/rfcomm/core.c
>> > +++ b/net/bluetooth/rfcomm/core.c
>> > @@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc
>> >
>> > rfcomm_dlc_lock(d);
>> > d->state = BT_CLOSED;
>> > - rfcomm_dlc_unlock(d);
>> > d->state_change(d, err);
>> > + rfcomm_dlc_unlock(d);
>> >
>> > skb_queue_purge(&d->tx_queue);
>> > rfcomm_dlc_unlink(d);
>
> Did we screw up the tabs during the review process here?

Yes, it's due to my use of the Gmail web interface.
But please don't worry. I usually post patches with mutt, and reply with the
Gmail web client to easily quote the original message.

2008-06-16 19:45:26

by Greg KH

Subject: Re: [stable] [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

On Fri, Jun 13, 2008 at 08:46:28PM -0700, David Miller wrote:
> From: "Dave Young" <[email protected]>
> Date: Sat, 14 Jun 2008 10:50:51 +0800
>
> > On Sat, Jun 14, 2008 at 8:10 AM, Greg KH <[email protected]> wrote:
> > > -stable review patch. If anyone has any objections, please let us know.
> > >
> > > ------------------
> > > From: Arjan van de Ven <[email protected]>
> > >
> > > [ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]
> >
> > Hi greg
> > > Please include the following commit as well because it will cause another bug:
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=537d59af73d894750cff14f90fe2b6d77fbab15b
>
> Acked-by: David S. Miller <[email protected]>

Thanks, I'll go add it to the tree for this release.

greg k-h