Commit Graph

519789 Commits

Author SHA1 Message Date
Nathan Sullivan 6db99596d1 net: macb: Document zynq gem dt binding
Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 14:58:09 -04:00
Michal Kubeček d4e64c2909 ipv4: fill in table id when replacing a route
When replacing an IPv4 route, tb_id member of the new fib_alias
structure is not set in the replace code path so that the new route is
ignored.

Fixes: 0ddcf43d5d ("ipv4: FIB Local/MAIN table collapse")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Alexander Duyck <alexander.h.duyck@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 14:33:17 -04:00
Bjørn Mork 44f6731d8b cdc_ncm: Fix tx_bytes statistics
The tx_curr_frame_payload field is u32. When we try to calculate a
small negative delta based on it, we end up with a positive integer
close to 2^32 instead.  So the tx_bytes pointer increases by about
2^32 for every transmitted frame.

Fix by calculating the delta as a signed long.

Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Reported-by: Florian Bruhin <me@the-compiler.org>
Fixes: 7a1e890e21 ("usbnet: Fix tx_bytes statistic running backward in cdc_ncm")
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 14:26:31 -04:00
David S. Miller 572152adfb Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contain Netfilter fixes for your net tree, they are:

1) Fix a race in nfnetlink_log and nfnetlink_queue that can lead to a crash.
   This problem is due to wrong order in the per-net registration and netlink
   socket events. Patch from Francesco Ruggeri.

2) Make sure that counters that userspace pass us are higher than 0 in all the
   x_tables frontends. Discovered via Trinity, patch from Dave Jones.

3) Revert a patch for br_netfilter to rely on the conntrack status bits. This
   breaks stateless IPv6 NAT transformations. Patch from Florian Westphal.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 14:25:45 -04:00
Eric W. Biederman 381c759d99 ipv4: Avoid crashing in ip_error
ip_error does not check if in_dev is NULL before dereferencing it.

IThe following sequence of calls is possible:
CPU A                          CPU B
ip_rcv_finish
    ip_route_input_noref()
        ip_route_input_slow()
                               inetdev_destroy()
    dst_input()

With the result that a network device can be destroyed while processing
an input packet.

A crash was triggered with only unicast packets in flight, and
forwarding enabled on the only network device.   The error condition
was created by the removal of the network device.

As such it is likely the that error code was -EHOSTUNREACH, and the
action taken by ip_error (if in_dev had been accessible) would have
been to not increment any counters and to have tried and likely failed
to send an icmp error as the network device is going away.

Therefore handle this weird case by just dropping the packet if
!in_dev.  It will result in dropping the packet sooner, and will not
result in an actual change of behavior.

Fixes: 251da41301 ("ipv4: Cache ip_error() routes even when not forwarding.")
Reported-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Tested-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 14:23:40 -04:00
Eric Dumazet d654976cbf tcp: fix a potential deadlock in tcp_get_info()
Taking socket spinlock in tcp_get_info() can deadlock, as
inet_diag_dump_icsk() holds the &hashinfo->ehash_locks[i],
while packet processing can use the reverse locking order.

We could avoid this locking for TCP_LISTEN states, but lockdep would
certainly get confused as all TCP sockets share same lockdep classes.

[  523.722504] ======================================================
[  523.728706] [ INFO: possible circular locking dependency detected ]
[  523.734990] 4.1.0-dbg-DEV #1676 Not tainted
[  523.739202] -------------------------------------------------------
[  523.745474] ss/18032 is trying to acquire lock:
[  523.750002]  (slock-AF_INET){+.-...}, at: [<ffffffff81669d44>] tcp_get_info+0x2c4/0x360
[  523.758129]
[  523.758129] but task is already holding lock:
[  523.763968]  (&(&hashinfo->ehash_locks[i])->rlock){+.-...}, at: [<ffffffff816bcb75>] inet_diag_dump_icsk+0x1d5/0x6c0
[  523.774661]
[  523.774661] which lock already depends on the new lock.
[  523.774661]
[  523.782850]
[  523.782850] the existing dependency chain (in reverse order) is:
[  523.790326]
-> #1 (&(&hashinfo->ehash_locks[i])->rlock){+.-...}:
[  523.796599]        [<ffffffff811126bb>] lock_acquire+0xbb/0x270
[  523.802565]        [<ffffffff816f5868>] _raw_spin_lock+0x38/0x50
[  523.808628]        [<ffffffff81665af8>] __inet_hash_nolisten+0x78/0x110
[  523.815273]        [<ffffffff816819db>] tcp_v4_syn_recv_sock+0x24b/0x350
[  523.822067]        [<ffffffff81684d41>] tcp_check_req+0x3c1/0x500
[  523.828199]        [<ffffffff81682d09>] tcp_v4_do_rcv+0x239/0x3d0
[  523.834331]        [<ffffffff816842fe>] tcp_v4_rcv+0xa8e/0xc10
[  523.840202]        [<ffffffff81658fa3>] ip_local_deliver_finish+0x133/0x3e0
[  523.847214]        [<ffffffff81659a9a>] ip_local_deliver+0xaa/0xc0
[  523.853440]        [<ffffffff816593b8>] ip_rcv_finish+0x168/0x5c0
[  523.859624]        [<ffffffff81659db7>] ip_rcv+0x307/0x420

Lets use u64_sync infrastructure instead. As a bonus, 64bit
arches get optimized, as these are nop for them.

Fixes: 0df48c26d8 ("tcp: add tcpi_bytes_acked to tcp_info")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 13:46:06 -04:00
Christoph Hellwig 5f1b670d0b block, dm: don't copy bios for request clones
Currently dm-multipath has to clone the bios for every request sent
to the lower devices, which wastes cpu cycles and ties down memory.

This patch instead adds a new REQ_CLONE flag that instructs req_bio_endio
to not complete bios attached to a request, which we set on clone
requests similar to bios in a flush sequence.  With this change I/O
errors on a path failure only get propagated to dm-multipath, which
can then either resubmit the I/O or complete the bios on the original
request.

I've done some basic testing of this on a Linux target with ALUA support,
and it survives path failures during I/O nicely.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2015-05-22 08:58:57 -06:00
Mike Snitzer 326e1dbb57 block: remove management of bi_remaining when restoring original bi_end_io
Commit c4cf5261 ("bio: skip atomic inc/dec of ->bi_remaining for
non-chains") regressed all existing callers that followed this pattern:
 1) saving a bio's original bi_end_io
 2) wiring up an intermediate bi_end_io
 3) restoring the original bi_end_io from intermediate bi_end_io
 4) calling bio_endio() to execute the restored original bi_end_io

The regression was due to BIO_CHAIN only ever getting set if
bio_inc_remaining() is called.  For the above pattern it isn't set until
step 3 above (step 2 would've needed to establish BIO_CHAIN).  As such
the first bio_endio(), in step 2 above, never decremented __bi_remaining
before calling the intermediate bi_end_io -- leaving __bi_remaining with
the value 1 instead of 0.  When bio_inc_remaining() occurred during step
3 it brought it to a value of 2.  When the second bio_endio() was
called, in step 4 above, it should've called the original bi_end_io but
it didn't because there was an extra reference that wasn't dropped (due
to atomic operations being optimized away since BIO_CHAIN wasn't set
upfront).

Fix this issue by removing the __bi_remaining management complexity for
all callers that use the above pattern -- bio_chain() is the only
interface that _needs_ to be concerned with __bi_remaining.  For the
above pattern callers just expect the bi_end_io they set to get called!
Remove bio_endio_nodec() and also remove all bio_inc_remaining() calls
that aren't associated with the bio_chain() interface.

Also, the bio_inc_remaining() interface has been moved local to bio.c.

Fixes: c4cf5261 ("bio: skip atomic inc/dec of ->bi_remaining for non-chains")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2015-05-22 08:58:55 -06:00
Dave Airlie a8106b147f Merge branch 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Just two small DP fixes for 4.1

* 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: fix error flag checking in native aux path
  drm/radeon: retry dcpd fetch
2015-05-22 13:31:54 +10:00
Dave Airlie bb4358973a Merge tag 'drm-intel-fixes-2015-05-21' of git://anongit.freedesktop.org/drm-intel into drm-fixes
There's a stable backport from Ander [1] that combines this and a few
other commits to fix the flickering on v4.0, reported in [2] among
others. Having this upstream is obviously a requirement for stable.

* tag 'drm-intel-fixes-2015-05-21' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: fix screen flickering
2015-05-22 13:31:03 +10:00
Harald Freudenberger a1cae34e23 crypto: s390/ghash - Fix incorrect ghash icv buffer handling.
Multitheaded tests showed that the icv buffer in the current ghash
implementation is not handled correctly. A move of this working ghash
buffer value to the descriptor context fixed this. Code is tested and
verified with an multithreaded application via af_alg interface.

Cc: stable@vger.kernel.org
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Gerald Schaefer <geraldsc@linux.vnet.ibm.com>
Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22 11:23:03 +08:00
Linus Torvalds 865d872280 xen: bug fixes for 4.1-rc4
- Fix ARM build regression.
 - Fix VIRQ_CONSOLE related oops.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQEcBAABAgAGBQJVXGwGAAoJEFxbo/MsZsTR63EH/32TrMPyQXa/hkRbwhxAb63z
 6FyPLfoJ0I9eVS0VE+EICDQkhCX/6553dgTu3vJqLzVrB8Q3ULGqOywUA6yIJAed
 s/BPz6IcYl5sVaZt5S5KHdB3eCeF2SlFhWpyD52e3Ejs+Ykkd8F+YbS0XN2aIyDI
 VaSFQ9gW1gtBIOe/ie0nC7vhsZUTTysYctBspic4QrTJcVRv2rlvMbSb/XpZhb87
 S8DQ1PlPIvOFz/l3NVx0MH/rz281sS7ooaDc0QHTrlz5A+weIAc7YJtrUt0Hm9Vd
 HbPyhFNEwuPv6A1FlVO6XR6DeHqUW6Kbt83tgtnboly6Ye4UQfRBiGOD8rB7HuU=
 =Xsha
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-4.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull two xen bugfixes from David Vrabel:

 - fix ARM build regression.

 - fix VIRQ_CONSOLE related oops.

* tag 'for-linus-4.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/events: don't bind non-percpu VIRQs with percpu chip
  xen/arm: Define xen_arch_suspend()
2015-05-21 20:19:38 -07:00
Linus Torvalds f0d8690ad4 This pull request includes a fix for two oopses, one on PPC
and on x86.  The rest is fixes for bugs with newer Intel
 processors.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJVXGLvAAoJEL/70l94x66DxOAH/270hZu3Rt0Tt04LYs0uy1B3
 6a91Hs4YsYALe0j6IVZUQ2ngO+N4DPsw/Lusutd82jWX13UG221w1rbUtUpNF46r
 bPf7Eh4AdGhNehGtkllRKrBmZEDkZVngZWsftFvzA+rmbV/HVzFU5SfuPdhzYAL5
 WpQTzou0w63c3Gh6hymLsq/x/zUScMRoFdyjIEJTRN+AOnnro9I/nj4O83OEF8uv
 Hp4VZ7TDG55xTloiC5WSimTCWPIZFDMiuim1iFo/OOOIGjfjdM8IBKwer4zIXa/S
 VD71lYu267yxIabYpbEOjd+dcZ5myJhy4ePWmWHZczsOeklbvMouWMD7/1U2Gpg=
 =x0LU
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "This includes a fix for two oopses, one on PPC and on x86.

  The rest is fixes for bugs with newer Intel processors"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  kvm/fpu: Enable eager restore kvm FPU for MPX
  Revert "KVM: x86: drop fpu_activate hook"
  kvm: fix crash in kvm_vcpu_reload_apic_access_page
  KVM: MMU: fix SMAP virtualization
  KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages
  KVM: MMU: fix smap permission check
  KVM: PPC: Book3S HV: Fix list traversal in error case
2015-05-21 20:15:16 -07:00
Linus Torvalds 2f8126e396 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
 "Bug fixes.

  Three for our crypto code, two for eBPF, and one memory management fix
  to get machines with memory > 8TB working"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/mm: correct return value of pmd_pfn
  s390/crypto: fix stckf loop
  s390/zcrypt: Fix invalid domain handling during ap module unload
  s390/bpf: Fix gcov stack space problem
  s390/zcrypt: fixed ap poll timer behavior
  s390/bpf: Adjust ALU64_DIV/MOD to match interpreter change
2015-05-21 19:54:50 -07:00
Linus Torvalds 0c68e5bf6a sound fixes for 4.1-rc5
This batch became slightly large, just because I've been on vacation
 for the last two weeks.  Nothing to scare much here, all device-specific
 fixes, mostly small patches.
 
 Majority of patches are for HD-audio, especially Dell machines.
 The rest are small ASoC fixes for various codecs, and a USB-audio
 quirk.
 
 One PCM fix is included to ease the faulty condition checks in the
 case of two periods PCM buffers.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJVXHoVAAoJEGwxgFQ9KSmknxUP/1A2qg/Ern6ZBbanHX9bSbFm
 +XnfWnpRFgZrk+qjK/tYEVzPGiolqSHm15zS+kUM7t8K/R46hRH63JPSjmQTw4A/
 xtz4Xc1uV2VNSICn8boUMATiaH2ulDjnl3iqXHwmqwL/V/wH1tjwRHuaZ8c5qlzd
 e5dDxSkHUxwQXoJQSkT8ocDZ0Uzicgbs4GbmIuMwy1LVfOqpU42ffTwlAgR/Fr4R
 JK8juhf2QlTGCUOQytKkOYLiODt6StlLkLAU4Anqpcc+a9m4zW8n7P/C1qjTcTvF
 TSaNWbfiuzCLmcJthQJl9gw72/BMdl0PRwUCr/rjbBmWvxuDkCEt9ku9Vfr2kiLM
 0INm5pzRjH4R8cXrz4mmIHVdpL4sENQ8/yIXZqdGc89h4Wbg1hv5Dsetxj3eumBb
 MfvkQ668qq16mJkB6w4XnDqL0aQriE30tqf7Rsqm+3Rv2CXDBYmEzrJD6xEYra2+
 shtAYRl/GhfG+epJnBgcwLJRsMljP2QgJDmsTzK54HN44VXbwzNy+xvIAByN1YBY
 BRESO+Mk53y1jUiOsAf3/2Xm7No6F5xHKIMvmPo0ngdD9q8oE+Ty9RYGhm0YaCnO
 a+vTCShWodNdt9fYxWsanaGwugis0ux6rVQ59ADR/gqgzQuSobRJ6WZo11D5GMxN
 hCnjEcRyP+fNDcWyIg0E
 =uM2S
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This batch became slightly large, just because I've been on vacation
  for the last two weeks.  Nothing to scare much here, all
  device-specific fixes, mostly small patches.

  Majority of patches are for HD-audio, especially Dell machines.  The
  rest are small ASoC fixes for various codecs, and a USB-audio quirk.

  One PCM fix is included to ease the faulty condition checks in the
  case of two periods PCM buffers"

* tag 'sound-4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Disable widget power-saving for ALC292 & co
  ALSA: hda - Reduce verbs by node power-saves
  ALSA: sound/atmel/ac97c.c: remove unused variable
  ALSA: usb-audio: Add quirk for MS LifeCam Studio
  ALSA: pcm: Modify double acknowledged interrupts check condition
  ALSA: hda/realtek - ALC292 dock fix for Thinkpad L450
  ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724
  ALSA: hda - Fix headset mic and mic-in for a Dell desktop
  ASoC: wm8994: correct BCLK DIV 348 to 384
  ASoC: wm8960: fix "RINPUT3" audio route error
  ASoC: dapm: Modify widget stream name according to prefix
  ALSA: hda - Add headset mic quirk for Dell Inspiron 5548
  ASoC: rt5645: Fix mask for setting RT5645_DMIC_2_DP_GPIO12 bit
  ASoC: rt5645: Add ACPI match ID
  ALSA: hda/realtek - Add ALC298 alias name for Dell
  ASoC: uda1380: Avoid accessing i2c bus when codec is disabled
  ALSA: hda/realtek - Fix typo for ALC286/ALC288
  ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls
  ALSA: hda - Add headphone quirk for Lifebook E752
  ASoC: davinci-mcasp: Correct pm status check in suspend callback
2015-05-21 17:54:00 -07:00
Linus Torvalds 18658921a2 Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
Pull thermal fixes from Zhang Rui:
 "Three fixes for Armada (380) and TI (dra7 and OMAP5) thermal soc
  drivers"

* 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
  thermal: armada: Update Armada 380 thermal sensor coefficients
  thermal: ti-soc-thermal: OMAP5: Implement Workaround for Errata i813
  thermal: ti-soc-thermal: dra7: Implement Workaround for Errata i814
2015-05-21 17:42:54 -07:00
Linus Torvalds 83ee4121b1 Changes for 4.1-rc4
A number of small, well contained bug fixes for ocrdma driver
   A simple fix for the connection negotiation sequence on IB
   Fix for broken AF_IB address on UD queue pair support
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJVXOuOAAoJELgmozMOVy/drmIP/1ThcmvibO51h7zVW5X/w2n1
 7rDPIuNEgPYA0u0ZM5YpgsFXNydGZajgaypaUpKSNlNM0NLJqQpm3ieCE144xgtg
 qc04/kpASzfSHJFxieNaSZqSdMtKVu/6093lgGoVthWmUA2PsM5f/3r4P2ecim8G
 ysP2ZSbta1y995DzT6IYznkh3aKUDHH/HWVoa+Vm9QG/JVNQ5TDjbJyYybrk7YaD
 qmnWD8idV9Pg2kYn+2GpXej/Kk6qvL8DBuu8M2HX+rhMkTNM4QpUNbTyMrKyAD0/
 ru1HjWve5/fDPNnXvcbXQtK5slUXYPaxhXs2pRC8yG4IrFZba77u7iFhgX+fSUTF
 6OOlr6kd1a2qzPL1NpxyI22dsqF0aXDn6RIudEEBLMAQ7+K42jyIvzV5LjsMTjud
 6ld4TruAawDqpQ5UbW9M2q0RZFwryfAjVJVmDKQrHoUir5XZwjg+p9tU59nx5xxZ
 Tbb0yhordYJh+mfmoyPSSg6HCCvMrjah5843LHgJmcor2ZZlx1lZtTIC6Xuv0I1C
 9Q9B4asYBjfd6wv8Md1s1P1ixy24K2CVs0eijbI5w3cQ2GofEMKmdus3uNrKPHk2
 kFHwlwCtA221Nw43e1+ZOU8pushHSm9RsLY3ZlgzW4GJacQJvD8ZsabW2PlNWGOn
 CKYCp0xJ6KbfsvCoVVIf
 =L53a
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma

Pull infiniband/rdma fixes from Doug Ledford:
 "This should hopefully be the last request for 4.1-rc for the RDMA
  stack.  It contains some late ocrdma fixes that I'm including because
  they are small and self contained.  It also contains two bug fixes
  that are simple and easily verified.

  Summary:

   - a number of small, well contained bug fixes for ocrdma driver

   - a simple fix for the connection negotiation sequence on IB

   - fix for broken AF_IB address on UD queue pair support"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
  IB/cma: Fix broken AF_IB UD support
  ib/cm: Change reject message type when destroying cm_id
  RDMA/ocrdma: Update ocrdma version number
  RDMA/ocrdma: Fail connection for MTU lesser than 512
  RDMA/ocrdma: Fix dmac resolution for link local address
  RDMA/ocrdma: Prevent allocation of DPP PDs if FW doesnt support it
  RDMA/ocrdma: Fix the request length for RDMA_QUERY_QP mailbox command to FW.
  RDMA/ocrdma: Use VID 0 if PFC is enabled and vlan is not configured
  RDMA/ocrdma: Fix QP state transition in destroy_qp
  RDMA/ocrdma: Report EQ full fatal error
  RDMA/ocrdma: Fix EQ destroy failure during driver unload
2015-05-21 17:36:23 -07:00
Linus Torvalds 97793a81b5 MMC host:
- atmel-mci: fix bad variable type for clkdiv
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJVWZYhAAoJEP4mhCVzWIwpJHwQAJX6NiFEVaKdVrDjOsW5wAOd
 xbg4vCOPM7hE0UeZ/IpBDC6yIFM5X9nynpD394/khW3IerFGVFlEPgkD5LCf27jV
 l3/W+CnR9YFLgBS/rsI0RVpRXqV1lmbcM8hvi6U1LRQjpqO3Fy5O6UuTMkbgd6eh
 xExcQ+WqpvJCAtqa93JpgvWlnubVHDthqVBErXGxi9Z5miqF00PTgUnrcmoDHa2+
 fIqjiCWJTBYBIhrJn8BXPH+xkJwMS4p+keYhe1Q1Zjm1Ooct2d9tJ+ddSyYKoxLj
 Ts1eQ3zoPnpyct0cbWU/s9+VMNFieHomS6BTvr2kGUyBRRuVRjWS9jqHFNcqhHSs
 ex+ebpFi4e6UPIf91mLJ9iB0H7D2coe5BB1kRl4ImJFep5c707QMfg6C9rpUv2GO
 eyJhxKtR++PlhmwLdgYjq4jVjhCgf+eNIejhdnsrldYG5A2w7P1kgVtHn86SiKSv
 Ofv7OHzq9Q+4NkV3x+WDA3z7mMWBdAVuhGoqiti8Si8pwq0lMFlTMBePo0kvIMDg
 ZM4rLwiuxPbjXHnPKcnF6vpDgi4Aw0I4rgAlRkMZ9K2aGEQufLkoKrq3GaVb9zTf
 Pons0sJcVOz531vWUmazaxVyJPCTWdo53wXlzcN1kzYWdgf9ZUc420ib2nYj45pD
 NlmH/Ob0jyYcRPpwoYNl
 =9Ju7
 -----END PGP SIGNATURE-----

Merge tag 'mmc-4.1-rc3' of git://git.linaro.org/people/ulf.hansson/mmc

Pull MMC fix from Ulf Hansson:
 "One more mmc fix intended for v4.1 rc5:

  MMC host:
   - atmel-mci: fix bad variable type for clkdiv"

* tag 'mmc-4.1-rc3' of git://git.linaro.org/people/ulf.hansson/mmc:
  mmc: atmel-mci: fix bad variable type for clkdiv
2015-05-21 17:31:31 -07:00
Linus Torvalds 6efdb114b4 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:
 "Bugfixes for HID subsystem that should go in 4.1.  Important
  highlights:

   - the patch that extended support for HID++ protocol for TK820
     touchpad turns out to be causing regressions due to firmware
     issues; patch reverting back to basic support from Benjamin
     Tissoires

   - Wacom driver can oops for devices that report non-touch data on
     touch interfaces.  Fix from Ping Cheng

   - gpiolib is not mandatory for i2c-hid, so the driver shouldn't fail
     if gpiolib is not enabled.  Fix from Mika Westerberg"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: wacom: fix an Oops caused by wacom_wac_finger_count_touches
  HID: usbhid: Add HID_QUIRK_NOGET for Aten DVI KVM switch
  HID: hid-sensor-hub: Fix debug lock warning
  Revert "HID: logitech-hidpp: support combo keyboard touchpad TK820"
  HID: i2c-hid: Do not fail probing if gpiolib is not enabled
2015-05-21 17:23:11 -07:00
Linus Torvalds e51a363056 Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fix from Herbert Xu:
 "This fixes a the crash in the newly added algif_aead interface when it
  tries to link SG lists"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: algif_aead - fix invalid sgl linking
2015-05-21 17:16:49 -07:00
Marek Vasut 77b071e793 Input: smtpe-ts - wait 50mS until polling for pen-up
Wait a little bit longer, 50mS instead of 20mS, until the driver starts
polling for pen-up. The problematic behavior before this patch is applied
is as follows. The behavior was observed on the STMPE610QTR controller.

Upon a physical pen-down event, the touchscreen reports one set of x-y-p
coordinates and a pen-down event. After that, the pen-up polling is
triggered and since the controller is not ready yet, the polling mistakenly
detects a pen-up event while the physical state is still such that the pen
is down on the touch surface.

The pen-up handling flushes the controller FIFO, so after that, all the
samples in the controller are discarded. The controller becomes ready
shortly after this bogus pen-up handling and does generate again a pen-down
interrupt. This time, the controller contains x-y-p samples which all read
as zero. Since pressure value is zero, this set of samples is effectively
ignored by userland.

In the end, the driver just bounces between pen-down and bogus pen-up
handling, generating no useful results. Fix this by giving the controller a
bit more time before polling it for pen-up.

Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-05-21 17:06:13 -07:00
Marek Vasut e686e9e156 Input: smtpe-ts - use msecs_to_jiffies() instead of HZ
Use msecs_to_jiffies(20) instead of plain (HZ / 50), as the former is much
more explicit about it's behavior. We want to schedule the task 20 mS from
now, so make it explicit in the code.

Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-05-21 17:05:48 -07:00
Linus Torvalds 3d854120e9 The first set of clk fixes for 4.1 are all driver bugs, with the
exception of a single locking fix in the core code. All driver fixes are
 for code that was merged recently. The Samsung stuff is mostly fixes
 around suspend/resume, the Qualcomm fixes are for invalid hardware
 configuration data and the Silicon Labs patches are fixes following
 their move away from platform_data to Device Tree.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJVW/1LAAoJEKI6nJvDJaTUuTEP/i0mykL1zAXOoUDAVOsULkLq
 55MUnknjfoh4CHeLRru+XeBkGNDjLKPNg4y47NadrMvRsav3sqY9WR6HZasB3roa
 uGanJZRr1nVqaD3l2ki8twc4FgNfeEaFfY018Z3dDLSYbnsq990hWQChgTGLxuDN
 iz9fh8DdOALa9dp2qo604oUjVN9QU+rqRClA1d8JhtiEfeCkTjzUBO8pkJ5ZO8ve
 sRgQ6TkY0u69rVTYspot1cwkPLL8gCiX+nTazakhKNxEg6W1q7PrrHtZsWms47P5
 SpemNaSnwwRBy1wYnbZAxgsLOmg/g7seICN/uz/OyR9ZgzRJz66HeI9yPceaCbnz
 9eNxGtsDWvE5uejoqIBqivFULTtuUdo5ZOe5Xwz/b35Hy0l79T5Ag7NmPNwkAqOd
 WOSMuv581tnRpgHz3bG+PFknsjqzCKCoMfW3bjHIH56lZA9AMlJhKuV6g85XY3WA
 WAF+QtBWqD76TMzcf3DMg9egGn2321jvs5/I8jRMa9xCgV0Ycam0DwzDZ6G8KAhK
 nWWoUyQSJU0tElphfylqSFR+00anovbB/BORGwMhZ9gohDR4UCdtCK2FwOxRY7kg
 SWU1ruDpFSfLMstpwU9Rb+9F0TtSkxWWPtk23bto83erYXzx0ezwhLIA/pEPi+mO
 chOqdtgPvtfS3NeBwB/5
 =yjsw
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Michael Turquette:
 "The first set of clk fixes for 4.1 are all driver bugs, with the
  exception of a single locking fix in the core code.

  All driver fixes are for code that was merged recently.  The Samsung
  stuff is mostly fixes around suspend/resume, the Qualcomm fixes are
  for invalid hardware configuration data and the Silicon Labs patches
  are fixes following their move away from platform_data to Device Tree"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: si5351: Do not pass struct clk in platform_data
  clk: si5351: Mention clock-names in the binding documentation
  clk: add missing lock when call clk_core_enable in clk_set_parent
  clk: exynos5420: Restore GATE_BUS_TOP on suspend
  clk: qcom: Fix MSM8916 gfx3d_clk_src configuration
  clk: qcom: Fix MSM8916 venus divider value
  clk: exynos5433: Fix wrong PMS value of exynos5433_pll_rates
  clk: exynos5433: Fix wrong parent clock of sclk_apollo clock
  clk: exynos5433: Fix CLK_PCLK_MONOTONIC_CNT clk register assignment
  clk: exynos5433: Fix wrong offset of PCLK_MSCL_SECURE_SMMU_JPEG
  clk: Use CONFIG_ARCH_EXYNOS instead of CONFIG_ARCH_EXYNOS5433
2015-05-21 16:57:50 -07:00
Linus Torvalds 4cce593f1b Update location of Jean Delvare's hwmon quilt tree
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJVW+/fAAoJEMsfJm/On5mBu3AP/RNLcfwlU+95E8coNDvhY23f
 0rouQ1r+/ssme8yKbug1Rs1f2AeOT/er4ST22eTTnIVy1Naa8VHm3TGnkEWjVhm3
 6yqWU4A423+zIwk7LF6Ka9D8rCtQ+GtuByAqwJhY9VJ8YYgSDE3JRN0UQky18jNq
 p+xAgf/tBg2KSn4+8YvF5ReiUa5sV2ojsQ0ZdI8aH6nAWOChBLfEXZBgmvw/hGve
 khuF8Zh57x0JLz25GlwVDtt5OArH0vP9DtqvevWHK5pGeYsxTsKo16tj+M7NrYxV
 r00GCxr7DnJcNSYw/kUbMWo/yThf5EJB5lIWektHnsZx4H9qsDZW8raG09eHiMD1
 dlt5sn7/XuthB/9Dp1HvDo4g9rElF4H89HLB7b1SRP8g+F7Z2s3MyXTrkTsxsN+4
 mR//cOMSNgT52J3vHR0H0SbpKQtyvkqs+uM9SxrOHnvVyeNLTeVY4SPTd8W7+7OY
 Vg0zTQ3h9ssmoXb/t5MM9cSCPtDV+voTzw7ZBmRq6oJlrQD5rzzeSfOYive0K5Uh
 5O0lUnsP0wvp/+oM8fLiDgffBhblYa0ieEOBjf4HphGUCD+9O+oHseJ5LCRCTAgH
 FIilJLLqgfcm7NcS2oEKs/4NrWXTEHd6VxK64E9owUy+qxFLlX75NR+Xy0s4suU3
 thGQBbm9vmqR4QqJBMUP
 =tvgu
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-linus-v4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixlet from Guenter Roeck:
 "Update location of Jean Delvare's hwmon quilt tree"

* tag 'hwmon-for-linus-v4.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: Update the location of my quilt tree
2015-05-21 16:38:14 -07:00
Thomas Hellstrom 15397f153c Input: joydev - don't classify the vmmouse as a joystick
Joydev is currently thinking some absolute mice are joystick, and that
messes up games in VMware guests, as the cursor typically gets stuck in
the top left corner.

Try to detect the event signature of a VMmouse input device and back off
for such devices. We're still incorrectly detecting, for example, the
VMware absolute USB mouse as a joystick, but adding an event signature
matching also that device would be considerably more risky, so defer that
to a later merge window.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-05-21 15:58:27 -07:00
Daniel Borkmann c78e1746d3 net: sched: fix call_rcu() race on classifier module unloads
Vijay reported that a loop as simple as ...

  while true; do
    tc qdisc add dev foo root handle 1: prio
    tc filter add dev foo parent 1: u32 match u32 0 0  flowid 1
    tc qdisc del dev foo root
    rmmod cls_u32
  done

... will panic the kernel. Moreover, he bisected the change
apparently introducing it to 78fd1d0ab0 ("netlink: Re-add
locking to netlink_lookup() and seq walker").

The removal of synchronize_net() from the netlink socket
triggering the qdisc to be removed, seems to have uncovered
an RCU resp. module reference count race from the tc API.
Given that RCU conversion was done after e341694e3e ("netlink:
Convert netlink_lookup() to use RCU protected hash table")
which added the synchronize_net() originally, occasion of
hitting the bug was less likely (not impossible though):

When qdiscs that i) support attaching classifiers and,
ii) have at least one of them attached, get deleted, they
invoke tcf_destroy_chain(), and thus call into ->destroy()
handler from a classifier module.

After RCU conversion, all classifier that have an internal
prio list, unlink them and initiate freeing via call_rcu()
deferral.

Meanhile, tcf_destroy() releases already reference to the
tp->ops->owner module before the queued RCU callback handler
has been invoked.

Subsequent rmmod on the classifier module is then not prevented
since all module references are already dropped.

By the time, the kernel invokes the RCU callback handler from
the module, that function address is then invalid.

One way to fix it would be to add an rcu_barrier() to
unregister_tcf_proto_ops() to wait for all pending call_rcu()s
to complete.

synchronize_rcu() is not appropriate as under heavy RCU
callback load, registered call_rcu()s could be deferred
longer than a grace period. In case we don't have any pending
call_rcu()s, the barrier is allowed to return immediately.

Since we came here via unregister_tcf_proto_ops(), there
are no users of a given classifier anymore. Further nested
call_rcu()s pointing into the module space are not being
done anywhere.

Only cls_bpf_delete_prog() may schedule a work item, to
unlock pages eventually, but that is not in the range/context
of cls_bpf anymore.

Fixes: 25d8c0d55f ("net: rcu-ify tcf_proto")
Fixes: 9888faefe1 ("net: sched: cls_basic use RCU")
Reported-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.r.fastabend@intel.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Thomas Graf <tgraf@suug.ch>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-21 18:48:18 -04:00
Alex Deucher 6ca121351b drm/radeon: fix error flag checking in native aux path
That atom table does not check these bits.  Fixes aux
regressions on some boards.

Reported-by: Malte Schröder <malte@tnxip.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2015-05-21 12:43:21 -04:00
Alex Deucher 0f28d1281b drm/radeon: retry dcpd fetch
Retry the dpcd fetch several times.  Some eDP panels
fail several times before the fetch is successful.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=73530

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2015-05-21 12:43:21 -04:00
Stephane Viau 755c814a7d drm/msm/mdp5: fix incorrect parameter for msm_framebuffer_iova()
The index of ->planes[] array (3rd parameter) cannot be equal to MAX_PLANE.
This looks like a typo that is now fixed.

Signed-off-by: Stephane Viau <sviau@codeaurora.org>
Acked-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2015-05-21 14:31:45 +10:00
NeilBrown 8532e34390 md/bitmap: remove rcu annotation from pointer arithmetic.
Evaluating  "&mddev->disks" is simple pointer arithmetic, so
it does not need 'rcu' annotations - no dereferencing is happening.

Also enhance the comment to explain that 'rdev' in that case
is not actually a pointer to an rdev.

Reported-by: Patrick Marlier <patrick.marlier@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
2015-05-21 09:14:41 +10:00
Eric Work a81157768a md/raid0: fix restore to sector variable in raid0_make_request
The variable "sector" in "raid0_make_request()" was improperly updated
by a call to "sector_div()" which modifies its first argument in place.
Commit 47d68979cc restored this variable
after the call for later re-use.  Unfortunetly the restore was done after
the referenced variable "bio" was advanced.  This lead to the original
value and the restored value being different.  Here we move this line to
the proper place.

One observed side effect of this bug was discarding a file though
unlinking would cause an unrelated file's contents to be discarded.

Signed-off-by: NeilBrown <neilb@suse.de>
Fixes: 47d68979cc ("md/raid0: fix bug with chunksize not a power of 2.")
Cc: stable@vger.kernel.org (any that received above backport)
URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501
2015-05-21 09:14:25 +10:00
Shaohua Li 487696957e raid5: fix broken async operation chain
ops_run_reconstruct6() doesn't correctly chain asyn operations. The tx returned
by async_gen_syndrome should be added as the dependent tx of next stripe.

The issue is introduced by commit 59fc630b8b
    RAID5: batch adjacent full stripe write

Reported-and-tested-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: NeilBrown <neilb@suse.de>
2015-05-21 09:14:20 +10:00
Thomas Hellstrom 412dbad2c7 Input: vmmouse - do not reference non-existing version of X driver
The vmmouse Kconfig help text was referring to an incorrect user-space
driver version. Fix this.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-05-20 14:47:26 -07:00
Hans de Goede 72eceab743 Input: alps - fix finger jumps on lifting 2 fingers on v7 touchpad
On v7 touchpads sometimes when 2 fingers are moved down on the touchpad
until they "fall of" the touchpad, the second touch will report 0 for y
(max y really since the y axis is inverted) and max x as coordinates,
rather then reporting 0, 0 as is expected for a non touching finger.

This commit detects this and treats these touches as non touching.

See the evemu-recording here:
https://bugzilla.redhat.com/attachment.cgi?id=1025058

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1221200
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-05-20 14:46:02 -07:00
Matthew Finlay c07678bb01 IB/cma: Fix broken AF_IB UD support
Support for using UD and AF_IB is currently broken.  The
IB_CM_SIDR_REQ_RECEIVED message is not handled properly in
cma_save_net_info() and we end up falling into code that will try and
process the request as ipv4/ipv6, which will end up failing.

The resolution is to add a check for the SIDR_REQ and call
cma_save_ib_info() with a NULL path record.  Change cma_save_ib_info()
to copy the src sib info from the listen_id when the path record is NULL.

Reported-by: Hari Shankar <Hari.Shankar@netapp.com>
Signed-off-by: Matt Finlay <matt@mellanox.com>
Acked-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2015-05-20 16:15:56 -04:00
Minghuan Lian 3ad2a5f576 irqchip/gicv3-its: ITS table size should not be smaller than PSZ
When allocating a device table, if the requested allocation is smaller
than the default granule size of the ITS then, we need to round up to
the default size.

Signed-off-by: Minghuan Lian <Minghuan.Lian@freescale.com>
[ stuart: Added comments and massaged changelog ]
Signed-off-by: Stuart Yoder <stuart.yoder@freescale.com>
Reviewed-by: Marc Zygnier <marc.zyngier@arm.com>
Cc: <linux-arm-kernel@lists.infradead.org>
Cc: <jason@lakedaemon.net>
Link: http://lkml.kernel.org/r/1432134795-661-1-git-send-email-stuart.yoder@freescale.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2015-05-20 22:13:37 +02:00
Chris Mason 153c35b6cc Btrfs: fix regression in raid level conversion
Commit 2f0810880f changed
btrfs_set_block_group_ro to avoid trying to allocate new chunks with the
new raid profile during conversion.  This fixed failures when there was
no space on the drive to allocate a new chunk, but the metadata
reserves were sufficient to continue the conversion.

But this ended up causing a regression when the drive had plenty of
space to allocate new chunks, mostly because reduce_alloc_profile isn't
using the new raid profile.

Fixing btrfs_reduce_alloc_profile is a bigger patch.  For now, do a
partial revert of 2f0810880, and don't error out if we hit ENOSPC.

Signed-off-by: Chris Mason <clm@fb.com>
Tested-by: Dave Sterba <dsterba@suse.cz>
Reported-by: Holger Hoffstaette <holger.hoffstaette@googlemail.com>
2015-05-20 11:03:38 -07:00
Ilya Dryomov 521a04d06a Revert "libceph: clear r_req_lru_item in __unregister_linger_request()"
This reverts commit ba9d114ec5.

.. which introduced a regression that prevented all lingering requests
requeued in kick_requests() from ever being sent to the OSDs, resulting
in a lot of missed notifies.  In retrospect it's pretty obvious that
r_req_lru_item item in the case of lingering requests can be used not
only for notarget, but also for unsent linkage due to how tightly
actual map and enqueue operations are coupled in __map_request().

The assertion that was being silenced is taken care of in the previous
("libceph: request a new osdmap if lingering request maps to no osd")
commit: by always kicking homeless lingering requests we ensure that
none of them ends up on the notarget list outside of the critical
section guarded by request_mutex.

Cc: stable@vger.kernel.org # 3.18+, needs b049453221 "libceph: request a new osdmap if lingering request maps to no osd"
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
2015-05-20 21:02:46 +03:00
Ilya Dryomov b049453221 libceph: request a new osdmap if lingering request maps to no osd
This commit does two things.  First, if there are any homeless
lingering requests, we now request a new osdmap even if the osdmap that
is being processed brought no changes, i.e. if a given lingering
request turned homeless in one of the previous epochs and remained
homeless in the current epoch.  Not doing so leaves us with a stale
osdmap and as a result we may miss our window for reestablishing the
watch and lose notifies.

MON=1 OSD=1:

    # cat linger-needmap.sh
    #!/bin/bash
    rbd create --size 1 test
    DEV=$(rbd map test)
    ceph osd out 0
    rbd map dne/dne # obtain a new osdmap as a side effect (!)
    sleep 1
    ceph osd in 0
    rbd resize --size 2 test
    # rbd info test | grep size -> 2M
    # blockdev --getsize $DEV -> 1M

N.B.: Not obtaining a new osdmap in between "osd out" and "osd in"
above is enough to make it miss that resize notify, but that is a
bug^Wlimitation of ceph watch/notify v1.

Second, homeless lingering requests are now kicked just like those
lingering requests whose mapping has changed.  This is mainly to
recognize that a homeless lingering request makes no sense and to
preserve the invariant that a registered lingering request is not
sitting on any of r_req_lru_item lists.  This spares us a WARN_ON,
which commit ba9d114ec5 ("libceph: clear r_req_lru_item in
__unregister_linger_request()") tried to fix the _wrong_ way.

Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
2015-05-20 21:02:14 +03:00
Ted Kim c29ed5a456 ib/cm: Change reject message type when destroying cm_id
Problem reported by: Ted Kim <ted.h.kim@oracle.com>:

We have a case where a Linux system and a non-Linux system are
trying to interoperate.  The Linux host is the active side and
starts the connection establishment, but later decides to not go
through with the connection setup and does rdma_destroy_id().

The rdma_destroy_id() eventually works its way down to cm_destroy_id()
in core/cm.c, where a REJ is sent. The non-Linux system
has some trouble recognizing the REJ because of:

A. CM states which can't receive the REJ
B. Some issues about REJ formatting (missing comm ID)

ISSUE A: That part of the spec says, a Consumer Reject REJ can be
sent for a connection abort, but it goes further
and says: can send a REJ message with a "Consumer Reject"
Reason code if they are in a CM state (i.e. REP
Rcvd, MRA(REP) Sent, REQ Rcvd, MRA Sent) that allows
a REJ to be sent (lines 35-38).

Of the states listed there in that sentence, it would
seem to limit the active side to using the Consumer Reject
(for the abort case) in just the REP-Rcvd and MRA-REP-Sent
states. That is basically only after the active side
sees a REP (or alternatively goes down the state transitions
to timeout in which case a Timeout REJ is sent).

As a fix, in cm-destroy-id() move the IB-CM-MRA-REQ-RCVD case
to the same as REQ-SENT.  Essentially, make a REJ sent after
getting an MRA on active side a timeout rather than Consumer-
Reject, which is arguably more correct with the CM state
diagrams previous to getting a REP.

Signed-off-by: Ted Kim <ted.h.kim@oracle.com>
Signed-off-by: Sean Hefty <sean.hefty@intel.com>
2015-05-20 12:41:38 -04:00
Tim Beale c15e10e71c net: phy: Make sure phy_start() always re-enables the phy interrupts
This is an alternative way of fixing:
 commit db9683fb41 ("net: phy: Make sure PHY_RESUMING state change
                      is always processed")

When the PHY state transitions from PHY_HALTED to PHY_RESUMING, there are
two things we need to do:
1). Re-enable interrupts (and power up the physical link, if powered down)
2). Update the PHY state and net-device based on the link status.

There's no strict reason why #1 has to be done from within the main
phy_state_machine() function. There is a risk that other changes to the
PHY (e.g. setting speed/duplex, which calls phy_start_aneg()) could cause
a subsequent state transition before phy_state_machine() has processed
the PHY_RESUMING state change. This would leave the PHY with interrupts
disabled and/or still in the BMCR_PDOWN/low-power mode.

Moving enabling the interrupts and phy_resume() into phy_start() will
guarantee this work always gets done. As the PHY is already in the HALTED
state and interrupts are disabled, it shouldn't conflict with any work
being done in phy_state_machine(). The downside of this change is that if
the PHY_RESUMING state is ever entered from anywhere else, it'll also have
to repeat this work.

Signed-off-by: Tim Beale <tim.beale@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:22:08 -04:00
David S. Miller 7764b9dd38 Merge branch 'ipv6_ecmp_fixes'
Michal Kubecek says:

====================
IPv6 ECMP route add/replace fixes

(1) When adding a nexthop of a multipath route fails (e.g. because of a
conflict with an existing route), we are supposed to delete nexthops
already added. However, currently we try to also delete all nexthops we
haven't even tried to add yet so that a "ip route add" command can
actually remove pre-existing routes if it fails.

(2) Attempt to replace a multipath route results in a broken siblings
linked list. Following commands (like "ip route del") can then either
follow a link into freed memory or end in an infinite loop (if the slab
object has been reused).

v2: fix an omission in first patch

v3: change the semantics of replace operation to better match IPv4
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:02:26 -04:00
Michal Kubeček 2759647247 ipv6: fix ECMP route replacement
When replacing an IPv6 multipath route with "ip route replace", i.e.
NLM_F_CREATE | NLM_F_REPLACE, fib6_add_rt2node() replaces only first
matching route without fixing its siblings, resulting in corrupted
siblings linked list; removing one of the siblings can then end in an
infinite loop.

IPv6 ECMP implementation is a bit different from IPv4 so that route
replacement cannot work in exactly the same way. This should be a
reasonable approximation:

1. If the new route is ECMP-able and there is a matching ECMP-able one
already, replace it and all its siblings (if any).

2. If the new route is ECMP-able and no matching ECMP-able route exists,
replace first matching non-ECMP-able (if any) or just add the new one.

3. If the new route is not ECMP-able, replace first matching
non-ECMP-able route (if any) or add the new route.

We also need to remove the NLM_F_REPLACE flag after replacing old
route(s) by first nexthop of an ECMP route so that each subsequent
nexthop does not replace previous one.

Fixes: 51ebd31815 ("ipv6: add support of equal cost multipath (ECMP)")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:02:26 -04:00
Michal Kubeček 35f1b4e96b ipv6: do not delete previously existing ECMP routes if add fails
If adding a nexthop of an IPv6 multipath route fails, comment in
ip6_route_multipath() says we are going to delete all nexthops already
added. However, current implementation deletes even the routes it
hasn't even tried to add yet. For example, running

  ip route add 1234:5678::/64 \
      nexthop via fe80::aa dev dummy1 \
      nexthop via fe80::bb dev dummy1 \
      nexthop via fe80::cc dev dummy1

twice results in removing all routes first command added.

Limit the second (delete) run to nexthops that succeeded in the first
(add) run.

Fixes: 51ebd31815 ("ipv6: add support of equal cost multipath (ECMP)")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:02:25 -04:00
Ming Lei b04a5636a6 block: replace trylock with mutex_lock in blkdev_reread_part()
The only possible problem of using mutex_lock() instead of trylock
is about deadlock.

If there aren't any locks held before calling blkdev_reread_part(),
deadlock can't be caused by this conversion.

If there are locks held before calling blkdev_reread_part(),
and if these locks arn't required in open, close handler and I/O
path, deadlock shouldn't be caused too.

Both user space's ioctl(BLKRRPART) and md_setup_drive() from
init/do_mounts_md.c belongs to the 1st case, so the conversion is safe
for the two cases.

For loop, the previous patches in this pathset has fixed the ABBA lock
dependency, so the conversion is OK.

For nbd, tx_lock is held when calling the function:

	- both open and release won't hold the lock
	- when blkdev_reread_part() is run, I/O thread has been stopped
	already, so tx_lock won't be acquired in I/O path at that time.
	- so the conversion won't cause deadlock for nbd

For dasd, both dasd_open(), dasd_release() and request function don't
acquire any mutex/semphone, so the conversion should be safe.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Tested-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2015-05-20 09:05:45 -06:00
Jarod Wilson be32417796 block: export blkdev_reread_part() and __blkdev_reread_part()
This patch exports blkdev_reread_part() for block drivers, also
introduce __blkdev_reread_part().

For some drivers, such as loop, reread of partitions can be run
from the release path, and bd_mutex may already be held prior to
calling ioctl_by_bdev(bdev, BLKRRPART, 0), so introduce
__blkdev_reread_part for use in such cases.

CC: Christoph Hellwig <hch@lst.de>
CC: Jens Axboe <axboe@kernel.dk>
CC: Tejun Heo <tj@kernel.org>
CC: Alexander Viro <viro@zeniv.linux.org.uk>
CC: Markus Pargmann <mpa@pengutronix.de>
CC: Stefan Weinhuber <wein@de.ibm.com>
CC: Stefan Haberland <stefan.haberland@de.ibm.com>
CC: Sebastian Ott <sebott@linux.vnet.ibm.com>
CC: Fabian Frederick <fabf@skynet.be>
CC: Ming Lei <ming.lei@canonical.com>
CC: David Herrmann <dh.herrmann@gmail.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Peter Zijlstra <peterz@infradead.org>
CC: nbd-general@lists.sourceforge.net
CC: linux-s390@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2015-05-20 09:05:42 -06:00
Florian Westphal faecbb45eb Revert "netfilter: bridge: query conntrack about skb dnat"
This reverts commit c055d5b03b.

There are two issues:
'dnat_took_place' made me think that this is related to
-j DNAT/MASQUERADE.

But thats only one part of the story.  This is also relevant for SNAT
when we undo snat translation in reverse/reply direction.

Furthermore, I originally wanted to do this mainly to avoid
storing ipv6 addresses once we make DNAT/REDIRECT work
for ipv6 on bridges.

However, I forgot about SNPT/DNPT which is stateless.

So we can't escape storing address for ipv6 anyway. Might as
well do it for ipv4 too.

Reported-and-tested-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-20 13:51:25 +02:00
Dave Jones 1086bbe97a netfilter: ensure number of counters is >0 in do_replace()
After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:

warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260 [ip_tables]
do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
nf_setsockopt+0x65/0x90
ip_setsockopt+0x61/0xa0
raw_setsockopt+0x16/0x60
sock_common_setsockopt+0x14/0x20
SyS_setsockopt+0x71/0xd0

It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.

The same problem also exists in ebtables, arptables, ipv6, and the
compat variants.

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-20 13:46:49 +02:00
Francesco Ruggeri 3bfe049807 netfilter: nfnetlink_{log,queue}: Register pernet in first place
nfnetlink_{log,queue}_init() register the netlink callback nf*_rcv_nl_event
before registering the pernet_subsys, but the callback relies on data
structures allocated by pernet init functions.

When nfnetlink_{log,queue} is loaded, if a netlink message is received after
the netlink callback is registered but before the pernet_subsys is registered,
the kernel will panic in the sequence

nfulnl_rcv_nl_event
  nfnl_log_pernet
    net_generic
      BUG_ON(id == 0)  where id is nfnl_log_net_id.

The panic can be easily reproduced in 4.0.3 by:

while true ;do modprobe nfnetlink_log ; rmmod nfnetlink_log ; done &
while true ;do ip netns add dummy ; ip netns del dummy ; done &

This patch moves register_pernet_subsys to earlier in nfnetlink_log_init.

Notice that the BUG_ON hit in 4.0.3 was recently removed in 2591ffd308
["netns: remove BUG_ONs from net_generic()"].

Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-20 13:46:48 +02:00
Liang Li c447e76b4c kvm/fpu: Enable eager restore kvm FPU for MPX
The MPX feature requires eager KVM FPU restore support. We have verified
that MPX cannot work correctly with the current lazy KVM FPU restore
mechanism. Eager KVM FPU restore should be enabled if the MPX feature is
exposed to VM.

Signed-off-by: Yang Zhang <yang.z.zhang@intel.com>
Signed-off-by: Liang Li <liang.z.li@intel.com>
[Also activate the FPU on AMD processors. - Paolo]
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-05-20 12:30:26 +02:00