Commit Graph

168505 Commits

Author SHA1 Message Date
David S. Miller 0c35565b46 Merge branch 'netback'
Ian Campbell says:

====================
The Xen netback implementation contains a couple of flaws which can
allow a guest to cause a DoS in the backend domain, potentially
affecting other domains in the system.

CVE-2013-0216 is a failure to sanity check the ring producer/consumer
pointers which can allow a guest to cause netback to loop for an
extended period preventing other work from occurring.

CVE-2013-0217 is a memory leak on an error path which is guest
triggerable.

The following series contains the fixes for these issues, as previously
included in Xen Security Advisory 39:
http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html

Changes in v2:
 - Typo and block comment format fixes
 - Added stable Cc
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07 23:31:47 -05:00
Ian Campbell b9149729eb netback: correct netbk_tx_err to handle wrap around.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07 23:29:29 -05:00
Ian Campbell 4cc7c1cb7b xen/netback: free already allocated memory on failure in xen_netbk_get_requests
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07 23:29:28 -05:00
Matthew Daley 7d5145d8eb xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07 23:29:28 -05:00
Ian Campbell 48856286b6 xen/netback: shutdown the ring if it contains garbage.
A buggy or malicious frontend should not be able to confuse netback.
If we spot anything which is not as it should be then shutdown the
device and don't try to continue with the ring in a potentially
hostile state. Well behaved and non-hostile frontends will not be
penalised.

As well as making the existing checks for such errors fatal also add a
new check that ensures that there isn't an insane number of requests
on the ring (i.e. more than would fit in the ring). If the ring
contains garbage then previously is was possible to loop over this
insane number, getting an error each time and therefore not generating
any more pending requests and therefore not exiting the loop in
xen_netbk_tx_build_gops for an externded period.

Also turn various netdev_dbg calls which no precipitate a fatal error
into netdev_err, they are rate limited because the device is shutdown
afterwards.

This fixes at least one known DoS/softlockup of the backend domain.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-07 23:29:28 -05:00
Bjørn Mork e21b9d031f net: qmi_wwan: add more Huawei devices, including E320
Adding new class/subclass/protocol combinations based on the GPLed
out-of-tree Huawei driver. One of these has already appeared on a
device labelled as "E320".

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-06 16:09:40 -05:00
Bjørn Mork 96316c5956 net: cdc_ncm: add another Huawei vendor specific device
Adding a new vendor specific class/subclass/protocol combination
for CDC NCM devices based on information from a GPLed out-of-tree
driver from Huawei.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-06 16:09:40 -05:00
John W. Linville b3b66ae4c8 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-02-06 13:55:44 -05:00
Arend van Spriel 7b2385b953 brcmsmac: rework of mac80211 .flush() callback operation
This patch addresses a long standing issue of the driver with the
mac80211 .flush() callback. Since implementing the .flush() callback
a number of issues have been fixed, but a WARN_ON_ONCE() was still
triggered because the timeout on the flush could still occur.

This patch changes the awkward design using msleep() into one using
a waitqueue. The waiting flush() context will kick the transmit dma
when it is idle and the timeout used waiting for the event is set
to 500 ms. Worst case there can be 64 frames outstanding for transmit
in the driver. At a rate of 1Mbps that would take 1.5 seconds assuming
MTU is 1500 bytes and ignoring retries. The WARN_ON_ONCE() is also
removed as this was put in to indicate the flush timeout as a reason
for the driver to stall. That was not happening since fixing endless
AMPDU retries with following upstream commit:

commit 85091fc0a7
Author: Arend van Spriel <arend@broadcom.com>
Date:   Thu Feb 23 18:38:22 2012 +0100

    brcm80211: smac: fix endless retry of A-MPDU transmissions

bugzilla: 42840 <https://bugzilla.kernel.org/show_bug.cgi?id=42840>
bugzilla@redhat: <https://bugzilla.redhat.com/show_bug.cgi?id=799168>
bugzilla@redhat: <https://bugzilla.redhat.com/show_bug.cgi?id=787649>

Cc: Jonathan Nieder <jrnieder@gmail.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Camaleón <noelamac@gmail.com>
Cc: Milan Bouchet-Valat <nalimilan@club-internet.fr>
Cc: Seth Forshee <seth.forshee@canonical.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-02-04 16:46:28 -05:00
Hauke Mehrtens 600485edae ssb: unregister gpios before unloading ssb
This patch unregisters the gpio chip before ssb gets unloaded.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-02-04 16:46:24 -05:00
Hauke Mehrtens c50ae9470e bcma: unregister gpios before unloading bcma
This patch unregisters the gpio chip before bcma gets unloaded.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Reported-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-02-04 16:46:24 -05:00
Larry Finger a5ffbe0a19 rtlwifi: Fix scheduling while atomic bug
Kernel commits 41affd5 and 6539306 changed the locking in rtl_lps_leave()
from a spinlock to a mutex by doing the calls indirectly from a work queue
to reduce the time that interrupts were disabled. This change was fine for
most systems; however a scheduling while atomic bug was reported in
https://bugzilla.redhat.com/show_bug.cgi?id=903881. The backtrace indicates
that routine rtl_is_special(), which calls rtl_lps_leave() in three places
was entered in atomic context. These direct calls are replaced by putting a
request on the appropriate work queue.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-tested-by: Nathaniel Doherty <ntdoherty@gmail.com>
Cc: Nathaniel Doherty <ntdoherty@gmail.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-02-04 16:41:56 -05:00
Bjørn Mork bf414b369f net: usbnet: fix tx_dropped statistics
It is normal for minidrivers accumulating frames to return NULL
from their tx_fixup function. We do not want to count this as a
drop, or log any debug messages.  A different exit path is
therefore chosen for such drivers, skipping the debug message
and the tx_dropped increment.

The test for accumulating drivers was however completely bogus,
making the exit path selection depend on whether the user had
enabled tx_err logging or not. This would arbitrarily mess up
accounting for both accumulating and non-accumulating minidrivers,
and would result in unwanted debug messages for the accumulating
drivers.

Fix by testing for FLAG_MULTI_PACKET instead, which probably was
the intention from the beginning.  This usage match the documented
behaviour of this flag:

 Indicates to usbnet, that USB driver accumulates multiple IP packets.
 Affects statistic (counters) and short packet handling.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-04 13:07:31 -05:00
David S. Miller 59fa534874 Merge branch 'fixes-for-3.8' of git://gitorious.org/linux-can/linux-can
Marc Kleine-Budde says:

====================
here's a patch for net for the v3.8 release cycle. Alexander Stein noticed that
the c_can hardware has a fixed bit in the IFx_MASK2 register. His patch fixes
writing of this register by always setting this bit.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-02 23:09:32 -05:00
David S. Miller 559bcac35f via-rhine: Fix bugs in NAPI support.
1) rhine_tx() should use dev_kfree_skb() not dev_kfree_skb_irq()

2) rhine_slow_event_task's NAPI triggering logic is racey, it
   should just hit the interrupt mask register.  This is the
   same as commit 7dbb491878
   ("r8169: avoid NAPI scheduling delay.") made to fix the same
   problem in the r8169 driver.  From Francois Romieu.

Reported-by: Jamie Gloudon <jamie.gloudon@gmail.com>
Tested-by: Jamie Gloudon <jamie.gloudon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-02 22:58:25 -05:00
John W. Linville ed6882ac40 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-02-01 13:43:25 -05:00
Alexander Stein 2bd3bc4e84 can: c_can: Set reserved bit in IFx_MASK2 to 1 on write
According to C_CAN documentation, the reserved bit in IFx_MASK2 register is
fixed 1.

Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Alexander Stein <alexander.stein@systec-electronic.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2013-02-01 10:20:22 +01:00
Daniele Palmas 3d6d7ab588 NET: qmi_wwan: add Telit LE920 support
Add VID, PID and fixed interface for Telit LE920

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-30 20:28:00 -05:00
Bjørn Mork 70c37bf97f net: usbnet: prevent buggy devices from killing us
A device sending 0 length frames as fast as it can has been
observed killing the host system due to the resulting memory
pressure.

Temporarily disable RX skb allocation and URB submission when
the current error ratio is high, preventing us from trying to
allocate an infinite number of skbs.  Reenable as soon as we
are finished processing the done queue, allowing the device
to continue working after short error bursts.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-30 17:35:44 -05:00
Bing Zhao 8a7d7cbf7b mwifiex: fix incomplete scan in case of IE parsing error
A scan request is split into multiple scan commands queued in
scan_pending_q. Each scan command will be sent to firmware and
its response is handlded one after another.

If any error is detected while parsing IE in command response
buffer the remaining data will be ignored and error is returned.

We should check if there is any more scan commands pending in
the queue before returning error. This ensures that we will call
cfg80211_scan_done if this is the last scan command, or send
next scan command in scan_pending_q to firmware.

Cc: "3.6+" <stable@vger.kernel.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-01-30 14:13:09 -05:00
Neil Horman 6cdd20c380 vmxnet3: set carrier state properly on probe
vmxnet3 fails to set netif_carrier_off on probe, meaning that when an interface
is opened the __LINK_STATE_NOCARRIER bit is already cleared, and so
/sys/class/net/<ifname>/operstate remains in the unknown state.  Correct this by
setting netif_carrier_off on probe, like other drivers do.

Also, while we're at it, lets remove the netif_carrier_ok checks from the
link_state_update function, as that check is atomically contained within the
netif_carrier_[on|off] functions anyway

Tested successfully by myself

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: "VMware, Inc." <pv-drivers@vmware.com>
CC: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 16:29:22 -05:00
Bruce Allan 286003048a e1000e: enable ECC on I217/I218 to catch packet buffer memory errors
In rare instances, memory errors have been detected in the internal packet
buffer memory on I217/I218 when stressed under certain environmental
conditions.  Enable Error Correcting Code (ECC) in hardware to catch both
correctable and uncorrectable errors.  Correctable errors will be handled
by the hardware.  Uncorrectable errors in the packet buffer will cause the
packet to be received with an error indication in the buffer descriptor
causing the packet to be discarded.  If the uncorrectable error is in the
descriptor itself, the hardware will stop and interrupt the driver
indicating the error.  The driver will then reset the hardware in order to
clear the error and restart.

Both types of errors will be accounted for in statistics counters.

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Cc: <stable@vger.kernel.org> # 3.5.x & 3.6.x
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 16:01:33 -05:00
Milos Vyletel eb492f7443 bonding: unset primary slave via sysfs
When bonding module is loaded with primary parameter and one decides to unset
primary slave using sysfs these settings are not preserved during bond device
restart. Primary slave is only unset once and it's not remembered in
bond->params structure. Below is example of recreation.

 grep OPTS /etc/sysconfig/network-scripts/ifcfg-bond0
BONDING_OPTS="mode=active-backup miimon=100 primary=eth01"
 grep "Primary Slave" /proc/net/bonding/bond0
Primary Slave: eth01 (primary_reselect always)

 echo "" > /sys/class/net/bond0/bonding/primary
 grep "Primary Slave" /proc/net/bonding/bond0
Primary Slave: None

 sed -i -e 's/primary=eth01//' /etc/sysconfig/network-scripts/ifcfg-bond0
 grep OPTS /etc/sysconfig/network-scripts/ifcfg-bond
BONDING_OPTS="mode=active-backup miimon=100 "
 ifdown bond0 && ifup bond0

without patch:
 grep "Primary Slave" /proc/net/bonding/bond0
Primary Slave: eth01 (primary_reselect always)

with patch:
 grep "Primary Slave" /proc/net/bonding/bond0
Primary Slave: None

Reviewed-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Milos Vyletel <milos.vyletel@sde.cz>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:35 -05:00
Sarveshwar Bandi 00d3d51e9d be2net: Updating Module Author string and log message string to "Emulex Corporation"
Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:04 -05:00
Jason Wang 9e85722d58 tuntap: allow polling/writing/reading when detached
We forbid polling, writing and reading when the file were detached, this may
complex the user in several cases:

- when guest pass some buffers to vhost/qemu and then disable some queues,
  host/qemu needs to do its own cleanup on those buffers which is complex
  sometimes. We can do this simply by allowing a user can still write to an
  disabled queue. Write to an disabled queue will cause the packet pass to the
  kernel and read will get nothing.
- align the polling behavior with macvtap which never fails when the queue is
  created. This can simplify the polling errors handling of its user (e.g vhost)

We can simply achieve this by don't assign NULL to tfile->tun when detached.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:04 -05:00
Jason Wang 2b8b328b61 vhost_net: handle polling errors when setting backend
Currently, the polling errors were ignored, which can lead following issues:

- vhost remove itself unconditionally from waitqueue when stopping the poll,
  this may crash the kernel since the previous attempt of starting may fail to
  add itself to the waitqueue
- userspace may think the backend were successfully set even when the polling
  failed.

Solve this by:

- check poll->wqh before trying to remove from waitqueue
- report polling errors in vhost_poll_start(), tx_poll_start(), the return value
  will be checked and returned when userspace want to set the backend

After this fix, there still could be a polling failure after backend is set, it
will addressed by the next patch.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:03 -05:00
Jason Wang 692a998b90 vhost_net: correct error handling in vhost_net_set_backend()
Currently, when vhost_init_used() fails the sock refcnt and ubufs were
leaked. Correct this by calling vhost_init_used() before assign ubufs and
restore the oldsock when it fails.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:03 -05:00
Michael S. Tsirkin af668b3c27 tun: fix carrier on/off status
Commit c8d68e6be1 removed carrier off call
from tun_detach since it's now called on queue disable and not only on
tun close.  This confuses userspace which used this flag to detect a
free tun. To fix, put this back but under if (clean).

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:03 -05:00
Linus Torvalds f94d4fe0b5 Just one fix for md in 3.8
dmraid assess redundancy and replacements slightly inaccurately which
 could lead to some degraded arrays failing to assemble.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIVAwUAUQb0OTnsnt1WYoG5AQJ4qg/8DIs0eWaJWF5lqF8qJBeMQrUDkqe7glqe
 ezwVlO48uxVzJUxCMd1aZdxjTI/AIvqZ1U5DBC62SlB/RqWlrwIQIIok5odWfnG4
 eAII5hUnktWqL4Ksqz4mgdI+WWwSc3JR7verqS4wOvcsN4qU5t8vL6dj2b0cNYCQ
 I7B+fkMZE1KE4Y2DOf8dEO9gbNIO1ZllZapLRolrsGOr8Ggo1prEoMxBYF5HZNoE
 J1As2N6NA7/kadtsfkCSs+f//5t1uMZluMjEUe4lDmgeqzqz/93kFmJ2OfSdqO4J
 wuuTHbCL+NSjjAZuByluSO98O0h87xXGVMv/c7gadVQtOn6I1DA2i4wTaiHOzr4K
 cdALvbteVCAPYLMA+s8ee6YYbB5pnlblT8FShG+3O6ae1KmbqKex1LlZLpwEoS8y
 VxI1WCSQbBr/ejAnhxLFQPo5OAcoeHomlZHKPtCBSbwQ0f0pOHHPYlZyX2PtX6hF
 U9bmtMq0XZulDORdLmIsEEpwzRKQ+b89+RrYXM7AhkJTxRP59RVwqFHy9SybcFBS
 S5XFKqpCE+ioBvLp9HK189xMe0Nel2g7KWd34v5LcvQ21rzATezAh5TsWIzN3oV8
 9/phd6nZa0hhcELykOTmK5b6+ks2tBfEN2FuyKfSq4Z2nz46rfD4wYVTY2+Qjh+D
 hmUDBgguejo=
 =bJyL
 -----END PGP SIGNATURE-----

Merge tag 'md-3.8-fixes' of git://neil.brown.name/md

Pull dmraid fix from NeilBrown:
 "Just one fix for md in 3.8

  dmraid assess redundancy and replacements slightly inaccurately which
  could lead to some degraded arrays failing to assemble."

* tag 'md-3.8-fixes' of git://neil.brown.name/md:
  DM-RAID: Fix RAID10's check for sufficient redundancy
2013-01-28 15:15:34 -08:00
Linus Torvalds ae2c3d95fa IOMMU fixes for Linux v3.8-rc5
One fix for the AMD IOMMU driver to work around broken BIOSes found in
 the field. Some BIOSes forget to enable a workaround for a hardware
 problem which might cause the IOMMU to stop working under high load
 conditions. The fix makes sure this workaround is enabled.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJRBpTXAAoJECvwRC2XARrjGDUQAKsNxpN2iD0BEvVUqCzTR7ha
 BTwxwKnMwxBr0vZZZzCCT9JnNXcPKKfJYLEWqW5QE7m/qlvYiBxS8Cg8uAfGVw0n
 y/y/SQPww7jeImyOCvAN9Axl+SZ8sHmKJTmS4343+CqpQ1e6PilC4WV5ogmOz/Gy
 nc9bj9rJGIMEP76bCYY7rMz7xVOaHmIOE+XcEA8TTj37AOk8t9PTUqLno+APTqWd
 X3jhgjRTQuisCiy+sTiGllXoa+CdH7+gmDOvd4S8CRzrhIznPDNI+x7UNfq8n5A0
 KBqwUEzeQ5fyqqopJQaSaK8+6eTZ8dUxcfpqjyD/sxe7dLY0V+1KBNcNZrOolz/w
 juLbV+dTfSJcaJHjjvh1NEqvN4ky/6zuNF50KexaL0DSqpUkPf62heXd+P60l5DE
 Tj+h3d8xX/mI1Ap2q14/4Bggvpdz3I+GPWnmyISOI7ZklxB0DlYeQiY+ZYDdO5Bl
 4aNvCRRRPEG6TsZzkJR60+iSjUnGEN7PSdrDkFymvmG0U0hH73xcy5Xc4Z3mRffx
 HNyK4uAnUNIgPzdZA2K9uctGLOj14Z1n/iREc2FhrGhPeyoaMhXMyWPbTVCQ0Fdx
 7cV6sBzuh/RzFD/S8r+VHP4umRg8uf2+22FaAVOaOD1wtO5ug9WAZQ+nqwcOTHNc
 YVO8wlC8XyybzM2+Xb7E
 =X83i
 -----END PGP SIGNATURE-----

Merge tag 'iommu-fixes-v3.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull IOMMU fix from Joerg Roedel:
 "One fix for the AMD IOMMU driver to work around broken BIOSes found in
  the field.  Some BIOSes forget to enable a workaround for a hardware
  problem which might cause the IOMMU to stop working under high load
  conditions.  The fix makes sure this workaround is enabled."

* tag 'iommu-fixes-v3.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  IOMMU, AMD Family15h Model10-1Fh erratum 746 Workaround
2013-01-28 11:52:56 -08:00
Linus Torvalds 325a86b65c This is the first pull request for MFD fixes for 3.8
We have some build failure fixes (twl4030, vexpress, abx500 and tps65910),
 some actual runtime oops and lockup fixes (rtsx, da9052), and some more
 hypothetical NULL pointers dereferences fixes for pcf50633 and max776xx.
 
 Then we also have additional rtsx fixes for a correct switch output voltage
 and clock divider correctness for rtl8411 (rtsx driver), and irqdomain fix for
 db8550-prcmu, and some more cosmetic fixes for arizona and wm5102.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJRBIBuAAoJEIqAPN1PVmxKCZYP/3EP7I6nTnHfmMJHr6KhL9F8
 h/PFzSJiYC5DHoYpvcD6ESkDtqgZTOgt/R8VzbzcfCoSAlARCyo3WenCjUhREspW
 2vCb+rVqBXc3+pn/Hed5WlTx3a231iSYiQd4OMbDkG22TuTKdf4GOWcl4KnAVMjp
 NMqD3wCkDeMkutxRO7eWc+B/eXmYDp38abiYU+xJCMfmpvRwiPp7/RQTw/9kHgF/
 VHGqzH91YPJmcF9OcDDzsvJ2zGwPsXPhtsOnwxL7KkjI4WM4EZv8Nr0NwTsuIgNJ
 liqs4QO1XpTF+bAPKW/aT4VVLxYmLrzVao+bg6A9Vn5Q6Wt+N4McectvN7yndfOQ
 GuSPI+LqcZvDEHaKGybRFdsbN+sh95f7Qz6dbFedJ3nWBhlFd7YiXgkQF3Yg38sX
 rbK66F0PuH7F010a3cbhZ4jsHUb1MxzU6YSCLwUvukF1ijitPP89md0K9YaN9cbT
 YbBdZpphaiFePz9CjRyyYJvo4DC9i9BTgC8Ac3qiG1TELhb/Dl064d4o0oDDEfzH
 qVo21yUWeJ9jsHMnFvJuaDe9IbfxyDWJSLXFPlwaW/1qdbDPKzCr1Sro4v+lmOh5
 1RIiHfu52RSPDewo0ACZPPOd8h8/Jfra37CDiGPGnjbEkUJTxC7XfHie6M9034ov
 m/ORqHJOi6Wh9Iy7YHM3
 =rxug
 -----END PGP SIGNATURE-----

Merge tag 'mfd-for-linus-3.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6

Pull MFD fixes from Samuel Ortiz:
 "This is the first pull request for MFD fixes for 3.8

  We have some build failure fixes (twl4030, vexpress, abx500 and
  tps65910), some actual runtime oops and lockup fixes (rtsx, da9052),
  and some more hypothetical NULL pointers dereferences fixes for
  pcf50633 and max776xx.

  Then we also have additional rtsx fixes for a correct switch output
  voltage and clock divider correctness for rtl8411 (rtsx driver), and
  irqdomain fix for db8550-prcmu, and some more cosmetic fixes for
  arizona and wm5102."

* tag 'mfd-for-linus-3.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6:
  mfd: rtsx: Fix oops when rtsx_pci_sdmmc is not probed
  mfd: wm5102: Fix definition of WM5102_MAX_REGISTER
  mfd: twl4030: Don't warn about uninitialized return code
  mfd: da9052/53 lockup fix
  mfd: rtsx: Add clock divider hook
  mmc: rtsx: Call MFD hook to switch output voltage
  mfd: rtsx: Add output voltage switch hook
  mfd: Fix compile errors and warnings when !CONFIG_AB8500_BM
  mfd: vexpress: Export global functions to fix build error
  mfd: arizona: Check errors from regcache_sync()
  mfd: tc3589x: Use simple irqdomain
  mfd: pcf50633: Init pcf->dev before using it
  mfd: max77693: Init max77693->dev before using it
  mfd: max77686: Init max77686->dev before using it
  mfd: db8500-prcmu: Fix irqdomain usage
  mfd: tps65910: Select REGMAP_IRQ in Kconfig to fix build error
  mfd: arizona: Disable control interface reporting for WM5102 and WM5110
2013-01-28 11:51:57 -08:00
Larry Finger 0a06ad8e3a rtlwifi: Fix the usage of the wrong variable in usb.c
In routine _rtl_rx_pre_process(), skb_dequeue() is called to get an skb;
however, the wrong variable name is used in subsequent calls.

Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-01-28 14:48:53 -05:00
Rafał Miłecki 6b112decb7 bcma: fix NAND flash validation
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-01-28 14:48:53 -05:00
Arend van Spriel 0e33e48ddc brcmsmac: fix tx status processing
This issue was reported on the wireless list (see [1]) in which
brcmsmac ran into a fatal error:

[  588.284074] brcmsmac bcma0:0: frameid != txh->TxFrameID
[  588.284098] brcmsmac bcma0:0: MI_TFS: fatal
[  588.284103] brcmsmac bcma0:0: wl0: fatal error, reinitializing
[  588.286208] ieee80211 phy0: Hardware restart was requested

The tx status feedback is processed in a loop limiting the number of
frames processed in one run. The code terminate processing when the
limit is reached regardless the txstatus value read from the device
register. When that status is is flagged as being valid it must be
processed as the hardware will clear it after is has been read.

Bisecting was done by Seth Forshee and showed following commit as the
culprit:

commit 57fe504817
Author: Piotr Haber <phaber@broadcom.com>
Date:   Wed Nov 28 21:44:07 2012 +0100

    brcmsmac: fix bounds checking in tx/rx

[1] http://www.spinics.net/lists/linux-wireless/msg101293.html

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Seth Forshee <seth.forshee@canonical.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-01-28 14:48:52 -05:00
John W. Linville 006da9ebba Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes 2013-01-28 14:47:43 -05:00
Linus Torvalds 22f8379815 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking updates from David Miller:
 "Much more accumulated than I would have liked due to an unexpected
  bout with a nasty flu:

   1) AH and ESP input don't set ECN field correctly because the
      transport head of the SKB isn't set correctly, fix from Li
      RongQing.

   2) If netfilter conntrack zones are disabled, we can return an
      uninitialized variable instead of the proper error code.  Fix from
      Borislav Petkov.

   3) Fix double SKB free in ath9k driver beacon handling, from Felix
      Feitkau.

   4) Remove bogus assumption about netns cleanup ordering in
      nf_conntrack, from Pablo Neira Ayuso.

   5) Remove a bogus BUG_ON in the new TCP fastopen code, from Eric
      Dumazet.  It uses spin_is_locked() in it's test and is therefore
      unsuitable for UP.

   6) Fix SELINUX labelling regressions added by the tuntap multiqueue
      changes, from Paul Moore.

   7) Fix CRC errors with jumbo frame receive in tg3 driver, from Nithin
      Nayak Sujir.

   8) CXGB4 driver sets interrupt coalescing parameters only on first
      queue, rather than all of them.  Fix from Thadeu Lima de Souza
      Cascardo.

   9) Fix regression in the dispatch of read/write registers in dm9601
      driver, from Tushar Behera.

  10) ipv6_append_data miscalculates header length, from Romain KUNTZ.

  11) Fix PMTU handling regressions on ipv4 routes, from Steffen
      Klassert, Timo Teräs, and Julian Anastasov.

  12) In 3c574_cs driver, add necessary parenthesis to "x << y & z"
      expression.  From Nickolai Zeldovich.

  13) macvlan_get_size() causes underallocation netlink message space,
      fix from Eric Dumazet.

  14) Avoid division by zero in xfrm_replay_advance_bmp(), from Nickolai
      Zeldovich.  Amusingly the zero check was already there, we were
      just performing it after the modulus :-)

  15) Some more splice bug fixes from Eric Dumazet, which fix things
      mostly eminating from how we now more aggressively use high-order
      pages in SKBs.

  16) Fix size calculation bug when freeing hash tables in the IPSEC
      xfrm code, from Michal Kubecek.

  17) Fix PMTU event propagation into socket cached routes, from Steffen
      Klassert.

  18) Fix off by one in TX buffer release in netxen driver, from Eric
      Dumazet.

  19) Fix rediculous memory allocation requirements introduced by the
      tuntap multiqueue changes, from Jason Wang.

  20) Remove bogus AMD platform workaround in r8169 driver that causes
      major problems in normal operation, from Timo Teräs.

  21) virtio-net set affinity and select queue don't handle
      discontiguous cpu numbers properly, fix from Wanlong Gao.

  22) Fix a route refcounting issue in loopback driver, from Eric
      Dumazet.  There's a similar fix coming that we might add to the
      macvlan driver as well.

  23) Fix SKB leaks in batman-adv's distributed arp table code, from
      Matthias Schiffer.

  24) r8169 driver gives descriptor ownership back the hardware before
      we're done reading the VLAN tag out of it, fix from Francois
      Romieu.

  25) Checksums not calculated properly in GRE tunnel driver fix from
      Pravin B Shelar.

26) Fix SCTP memory leak on namespace exit."

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (101 commits)
  dm9601: support dm9620 variant
  SCTP: Free the per-net sysctl table on net exit. v2
  net: phy: icplus: fix broken INTR pin settings
  net: phy: icplus: Use the RGMII interface mode to configure clock delays
  IP_GRE: Fix kernel panic in IP_GRE with GRE csum.
  sctp: set association state to established in dupcook_a handler
  ip6mr: limit IPv6 MRT_TABLE identifiers
  r8169: fix vlan tag read ordering.
  net: cdc_ncm: use IAD provided by the USB core
  batman-adv: filter ARP packets with invalid MAC addresses in DAT
  batman-adv: check for more types of invalid IP addresses in DAT
  batman-adv: fix skb leak in batadv_dat_snoop_incoming_arp_reply()
  net: loopback: fix a dst refcounting issue
  virtio-net: reset virtqueue affinity when doing cpu hotplug
  virtio-net: split out clean affinity function
  virtio-net: fix the set affinity bug when CPU IDs are not consecutive
  can: pch_can: fix invalid error codes
  can: ti_hecc: fix invalid error codes
  can: c_can: fix invalid error codes
  r8169: remove the obsolete and incorrect AMD workaround
  ...
2013-01-28 11:41:37 -08:00
Suravee Suthikulpanit 318fe78253 IOMMU, AMD Family15h Model10-1Fh erratum 746 Workaround
The IOMMU may stop processing page translations due to a perceived lack
of credits for writing upstream peripheral page service request (PPR)
or event logs. If the L2B miscellaneous clock gating feature is enabled
the IOMMU does not properly register credits after the log request has
completed, leading to a potential system hang.

BIOSes are supposed to disable L2B micellaneous clock gating by setting
L2_L2B_CK_GATE_CONTROL[CKGateL2BMiscDisable](D0F2xF4_x90[2]) = 1b. This
patch corrects that for those which do not enable this workaround.

Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Acked-by: Borislav Petkov <bp@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Joerg Roedel <joro@8bytes.org>
2013-01-28 15:26:54 +01:00
Peter Korsgaard 6642f91c92 dm9601: support dm9620 variant
dm9620 is a newer variant of dm9601 with more features (usb 2.0, checksum
offload, ..), but it can also be put in a dm9601 compatible mode, allowing
us to reuse the existing driver.

This does mean that the extended features like checksum offload cannot be
used, but that's hardly critical on a 100mbps interface.

Thanks to Sławek Wernikowski <slawek@wernikowski.net> for providing me
with a dm9620 based device to test.

Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-28 00:18:04 -05:00
Giuseppe CAVALLARO 014f2ffdf6 net: phy: icplus: fix broken INTR pin settings
This patch fixes the setting of the INTR pin that is
valid for IP101 A/G device and not for the IP1001.

Reported-by: Anunay Saxena <anunay.saxena@st.com>
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-28 00:08:22 -05:00
Stuart Menefy b4a496319f net: phy: icplus: Use the RGMII interface mode to configure clock delays
Like several other PHY devices which support RGMII, the IC+1001 allows
additional delays to by added to the RX_CLK and TX_CLK signals to
compensate for skew between the clock and data signals. Previously this
was always enabled, but this change makes use of the different RGMII
interface modes to allow the user to specify whether this should be
enabled.

Signed-off-by: Stuart Menefy <stuart.menefy@st.com>
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-28 00:08:22 -05:00
françois romieu ce11ff5e59 r8169: fix vlan tag read ordering.
Control of receive descriptor must not be returned to ethernet chipset
before vlan tag processing is done.

VLAN tag receive word is now reset both in normal and error path.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Spotted-by: Timo Teras <timo.teras@iki.fi>
Cc: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 19:28:58 -05:00
Bjørn Mork 56a666dcfc net: cdc_ncm: use IAD provided by the USB core
commit 9992c2e (net: cdc_ncm: workaround for missing CDC Union)
added code to lookup an IAD for the interface we are probing.
This is redundant.  The USB core has already done the lookup
and saved the result in the USB interface struct.  Use that
instead.

Cc: Greg Suarez <gsuarez@smithmicro.com>
Cc: Alexey Orishko <alexey.orishko@stericsson.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 19:27:39 -05:00
David S. Miller 1591ab6740 Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:

====================
This is a batch of fixes intende for the 3.8 stream.

Regarding the iwlwifi bits, Johannes says this:

"Please pull to get a single fix from Emmanuel for a bug I introduced due
to misunderstanding the code."

Regarding the mac80211 bits, Johannes says this:

"I have a few small fixes for you:
 * some mesh frames would cause encryption warnings -- fixes from Bob
 * scanning would pretty much break an association if we transmitted
   anything to the AP while scanning -- fix from Stanislaw
 * mode injection was broken by channel contexts -- fix from Felix
 * FT roaming was broken: hardware crypto would get disabled by it"

Along with that, a handful of other fixes confined to specific drivers.

Avinash Patil fixes a typo in a NULL check in mwifiex.

Larry Finger fixes a build warning in rtlwifi.  Seems safe...

Stanislaw Gruszka fixes iwlegacy to prevent microcode errors when
switching from IBSS mode to STA mode.

Felix Fietkau provides a trio of ath9k fixes related to proper tuning.

Please let me know if there are problems!
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 01:37:22 -05:00
Eric Dumazet 794ed393b7 net: loopback: fix a dst refcounting issue
Ben Greear reported crashes in ip_rcv_finish() on a stress
test involving many macvlans.

We tracked the bug to a dst use after free. ip_rcv_finish()
was calling dst->input() and got garbage for dst->input value.

It appears the bug is in loopback driver, lacking
a skb_dst_force() before calling netif_rx().

As a result, a non refcounted dst, normally protected by a
RCU read_lock section, was escaping this section and could
be freed before the packet being processed.

  [<ffffffff813a3c4d>] loopback_xmit+0x64/0x83
  [<ffffffff81477364>] dev_hard_start_xmit+0x26c/0x35e
  [<ffffffff8147771a>] dev_queue_xmit+0x2c4/0x37c
  [<ffffffff81477456>] ? dev_hard_start_xmit+0x35e/0x35e
  [<ffffffff8148cfa6>] ? eth_header+0x28/0xb6
  [<ffffffff81480f09>] neigh_resolve_output+0x176/0x1a7
  [<ffffffff814ad835>] ip_finish_output2+0x297/0x30d
  [<ffffffff814ad6d5>] ? ip_finish_output2+0x137/0x30d
  [<ffffffff814ad90e>] ip_finish_output+0x63/0x68
  [<ffffffff814ae412>] ip_output+0x61/0x67
  [<ffffffff814ab904>] dst_output+0x17/0x1b
  [<ffffffff814adb6d>] ip_local_out+0x1e/0x23
  [<ffffffff814ae1c4>] ip_queue_xmit+0x315/0x353
  [<ffffffff814adeaf>] ? ip_send_unicast_reply+0x2cc/0x2cc
  [<ffffffff814c018f>] tcp_transmit_skb+0x7ca/0x80b
  [<ffffffff814c3571>] tcp_connect+0x53c/0x587
  [<ffffffff810c2f0c>] ? getnstimeofday+0x44/0x7d
  [<ffffffff810c2f56>] ? ktime_get_real+0x11/0x3e
  [<ffffffff814c6f9b>] tcp_v4_connect+0x3c2/0x431
  [<ffffffff814d6913>] __inet_stream_connect+0x84/0x287
  [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
  [<ffffffff8108d695>] ? _local_bh_enable_ip+0x84/0x9f
  [<ffffffff8108d6c8>] ? local_bh_enable+0xd/0x11
  [<ffffffff8146763c>] ? lock_sock_nested+0x6e/0x79
  [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
  [<ffffffff814d6b49>] inet_stream_connect+0x33/0x49
  [<ffffffff814632c6>] sys_connect+0x75/0x98

This bug was introduced in linux-2.6.35, in commit
7fee226ad2 (net: add a noref bit on skb dst)

skb_dst_force() is enforced in dev_queue_xmit() for devices having a
qdisc.

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 01:30:35 -05:00
Wanlong Gao 8de4b2f3ae virtio-net: reset virtqueue affinity when doing cpu hotplug
Add a cpu notifier to virtio-net, so that we can reset the
virtqueue affinity if the cpu hotplug happens. It improve
the performance through enabling or disabling the virtqueue
affinity after doing cpu hotplug.

Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Eric Dumazet <erdnetdev@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: virtualization@lists.linux-foundation.org
Cc: netdev@vger.kernel.org
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 01:22:51 -05:00
Wanlong Gao 8898c21cf3 virtio-net: split out clean affinity function
Split out the clean affinity function to virtnet_clean_affinity().

Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Eric Dumazet <erdnetdev@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: virtualization@lists.linux-foundation.org
Cc: netdev@vger.kernel.org
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 01:22:51 -05:00
Wanlong Gao 47be24796c virtio-net: fix the set affinity bug when CPU IDs are not consecutive
As Michael mentioned, set affinity and select queue will not work very
well when CPU IDs are not consecutive, this can happen with hot unplug.
Fix this bug by traversal the online CPUs, and create a per cpu variable
to find the mapping from CPU to the preferable virtual-queue.

Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Eric Dumazet <erdnetdev@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: virtualization@lists.linux-foundation.org
Cc: netdev@vger.kernel.org
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 01:22:51 -05:00
Wei WANG 2d1484f599 mfd: rtsx: Fix oops when rtsx_pci_sdmmc is not probed
If rtsx_pci_sdmmc is not probed, function pointer pcr->slots[].card_event
will point to NULL, and thus rtsx_pci_card_detect will reference a NULL
pointer.
Check card_event pointer before referencing it can avoid kernel panic.

Signed-off-by: Wei WANG <wei_wang@realsil.com.cn>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-27 02:18:07 +01:00
Mark Brown ff0decd493 mfd: wm5102: Fix definition of WM5102_MAX_REGISTER
Updated in latest datasheet.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-27 02:18:07 +01:00
Arnd Bergmann f65e9eacfa mfd: twl4030: Don't warn about uninitialized return code
If the twl4030_write_script function gets called with
a zero length argument, its return value does not
get set. We know that all scripts have a nonzero
length, but returning an error in case they ever
do is probably appropriate.

Without this patch, building omap2plus_defconfig results in:

drivers/mfd/twl4030-power.c: In function 'load_twl4030_script':
drivers/mfd/twl4030-power.c:414:5: error: 'err' may be used uninitialized in this function

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reviewed-by: Amit Kucheria <amit.kucheria@linaro.org>
Cc: Kevin Hilman <khilman@deeprootsystems.com>
Cc: "Kristo, Tero" <t-kristo@ti.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-27 02:18:01 +01:00