Commit Graph

414268 Commits

Author SHA1 Message Date
Mel Gorman 5a6dac3ec5 mm: numa: do not clear PMD during PTE update scan
If the PMD is flushed then a parallel fault in handle_mm_fault() will
enter the pmd_none and do_huge_pmd_anonymous_page() path where it'll
attempt to insert a huge zero page.  This is wasteful so the patch
avoids clearing the PMD when setting pmd_numa.

Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: Alex Thorlton <athorlton@sgi.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-18 19:04:51 -08:00
Mel Gorman 67f87463d3 mm: clear pmd_numa before invalidating
On x86, PMD entries are similar to _PAGE_PROTNONE protection and are
handled as NUMA hinting faults.  The following two page table protection
bits are what defines them

	_PAGE_NUMA:set	_PAGE_PRESENT:clear

A PMD is considered present if any of the _PAGE_PRESENT, _PAGE_PROTNONE,
_PAGE_PSE or _PAGE_NUMA bits are set.  If pmdp_invalidate encounters a
pmd_numa, it clears the present bit leaving _PAGE_NUMA which will be
considered not present by the CPU but present by pmd_present.  The
existing caller of pmdp_invalidate should handle it but it's an
inconsistent state for a PMD.  This patch keeps the state consistent
when calling pmdp_invalidate.

Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: Alex Thorlton <athorlton@sgi.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-18 19:04:51 -08:00
Mel Gorman f714f4f20e mm: numa: call MMU notifiers on THP migration
MMU notifiers must be called on THP page migration or secondary MMUs
will get very confused.

Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: Alex Thorlton <athorlton@sgi.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-18 19:04:51 -08:00
Mel Gorman 2b4847e730 mm: numa: serialise parallel get_user_page against THP migration
Base pages are unmapped and flushed from cache and TLB during normal
page migration and replaced with a migration entry that causes any
parallel NUMA hinting fault or gup to block until migration completes.

THP does not unmap pages due to a lack of support for migration entries
at a PMD level.  This allows races with get_user_pages and
get_user_pages_fast which commit 3f926ab945 ("mm: Close races between
THP migration and PMD numa clearing") made worse by introducing a
pmd_clear_flush().

This patch forces get_user_page (fast and normal) on a pmd_numa page to
go through the slow get_user_page path where it will serialise against
THP migration and properly account for the NUMA hinting fault.  On the
migration side the page table lock is taken for each PTE update.

Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: Alex Thorlton <athorlton@sgi.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-18 19:04:50 -08:00
Vivek Goyal c97102ba96 kexec: migrate to reboot cpu
Commit 1b3a5d02ee ("reboot: move arch/x86 reboot= handling to generic
kernel") moved reboot= handling to generic code.  In the process it also
removed the code in native_machine_shutdown() which are moving reboot
process to reboot_cpu/cpu0.

I guess that thought must have been that all reboot paths are calling
migrate_to_reboot_cpu(), so we don't need this special handling.  But
kexec reboot path (kernel_kexec()) is not calling
migrate_to_reboot_cpu() so above change broke kexec.  Now reboot can
happen on non-boot cpu and when INIT is sent in second kerneo to bring
up BP, it brings down the machine.

So start calling migrate_to_reboot_cpu() in kexec reboot path to avoid
this problem.

Bisected by WANG Chao.

Reported-by: Matthew Whitehead <mwhitehe@redhat.com>
Reported-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Tested-by: Baoquan He <bhe@redhat.com>
Tested-by: WANG Chao <chaowang@redhat.com>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-18 19:04:50 -08:00
Eric Dumazet 58a4782449 ipv6: sit: update mtu check to take care of gso packets
While testing my changes for TSO support in SIT devices,
I was using sit0 tunnel which appears to include nopmtudisc flag.

But using :

ip tun add sittun mode sit remote $REMOTE_IPV4 local $LOCAL_IPV4 \
   dev $IFACE

We get a tunnel which rejects too long packets because of the mtu check
which is not yet GSO aware.

erd:~# ip tunnel
sittun: ipv6/ip  remote 10.246.17.84  local 10.246.17.83  ttl inherit  6rd-prefix 2002::/16
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc 6rd-prefix 2002::/16

This patch is based on an excellent report from
Michal Shmidt.

In the future, we probably want to extend the MTU check to do the
right thing for GSO packets...

Fixes: ("61c1db7fae21 ipv6: sit: add GSO/TSO support")
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:55:24 -05:00
Hannes Frederic Sowa 4df98e76cd ipv6: pmtudisc setting not respected with UFO/CORK
Sockets marked with IPV6_PMTUDISC_PROBE (or later IPV6_PMTUDISC_INTERFACE)
don't respect this setting when the outgoing interface supports UFO.

We had the same problem in IPv4, which was fixed in commit
daba287b29 ("ipv4: fix DO and PROBE pmtu
mode regarding local fragmentation with UFO/CORK").

Also IPV6_DONTFRAG mode did not care about already corked data, thus
it may generate a fragmented frame even if this socket option was
specified. It also did not care about the length of the ipv6 header and
possible options.

In the error path allow the user to receive the pmtu notifications via
both, rxpmtu method or error queue. The user may opted in for both,
so deliver the notification to both error handlers (the handlers check
if the error needs to be enqueued).

Also report back consistent pmtu values when sending on an already
cork-appended socket.

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:52:15 -05:00
Peter Korsgaard 4263c86dca dm9601: work around tx fifo sync issue on dm962x
Certain dm962x revisions contain an bug, where if a USB bulk transfer retry
(E.G. if bulk crc mismatch) happens right after a transfer with odd or
maxpacket length, the internal tx hardware fifo gets out of sync causing
the interface to stop working.

Work around it by adding up to 3 bytes of padding to ensure this situation
cannot trigger.

This workaround also means we never pass multiple-of-maxpacket size skb's
to usbnet, so the length adjustment to handle usbnet's padding of those can
be removed.

Cc: <stable@vger.kernel.org>
Reported-by: Joseph Chang <joseph_chang@davicom.com.tw>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Peter Korsgaard cabd0e3a38 dm9601: make it clear that dm9620/dm9621a are also supported
The driver nowadays also support dm9620/dm9621a based USB 2.0 ethernet
adapters, so adjust module/driver description and Kconfig help text to
match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Peter Korsgaard 407900cfb5 dm9601: fix reception of full size ethernet frames on dm9620/dm9621a
dm9620/dm9621a require room for 4 byte padding even in dm9601 (3 byte
header) mode.

Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Peter Korsgaard 3b3878926c dm9601: add support for dm9621a based dongle
dm9621a is functionally identical to dm9620, so the existing handling can
directly be used.

Thanks to Davicom for sending me a dongle.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Timo Teräs 0e3da5bb8d ip_gre: fix msg_name parsing for recvfrom/recvmsg
ipgre_header_parse() needs to parse the tunnel's ip header and it
uses mac_header to locate the iphdr. This got broken when gre tunneling
was refactored as mac_header is no longer updated to point to iphdr.
Introduce skb_pop_mac_header() helper to do the mac_header assignment
and use it in ipgre_rcv() to fix msg_name parsing.

Bug introduced in commit c544193214 (GRE: Refactor GRE tunneling code.)

Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:44:33 -05:00
Linus Torvalds a36c160cbb USB: fixes for 3.13-rc5
Here are a few USB fixes for things that have people have reported
 issues with recently.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlKx3L0ACgkQMUfUDdst+ymhNwCfQkxBaaJzNAp9gIlt/KKoNxGY
 zd8An1Eve0qmA2BjsO/SRzOBwUg/H6Rg
 =RFoo
 -----END PGP SIGNATURE-----

Merge tag 'usb-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are a few USB fixes for things that have people have reported
  issues with recently"

* tag 'usb-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  usb: ohci-at91: fix irq and iomem resource retrieval
  usb: phy: fix driver dependencies
  phy: kconfig: add depends on "USB_PHY" to OMAP_USB2 and TWL4030_USB
  drivers: phy: tweaks to phy_create()
  drivers: phy: Fix memory leak
  xhci: Limit the spurious wakeup fix only to HP machines
  usb: chipidea: fix nobody cared IRQ when booting with host role
  usb: chipidea: host: Only disable the vbus regulator if it is not NULL
  usb: serial: zte_ev: move support for ZTE AC2726 from zte_ev back to option
  usb: cdc-wdm: manage_power should always set needs_remote_wakeup
  usb: phy-tegra-usb.c: wrong pointer check for remap UTMI
  usb: phy: twl6030-usb: signedness bug in twl6030_readb()
  usb: dwc3: power off usb phy in error path
  usb: dwc3: invoke phy_resume after phy_init
2013-12-18 14:35:00 -08:00
Linus Torvalds e523365820 TTY/Serial fixes for 3.13-rc5
Here are a few fixes for 3.13-rc5 that resolve a number of reported tty
 and serial driver issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlKx3gwACgkQMUfUDdst+ymW2QCfY6G4f7J3ZBMKJAiceQtkV28Y
 mp4AoM6u81l+y+yT1VAKeK00jTJ/EvjJ
 =Ut64
 -----END PGP SIGNATURE-----

Merge tag 'tty-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty/serial fixes from Greg KH:
 "Here are a few fixes for 3.13-rc5 that resolve a number of reported
  tty and serial driver issues"

* tag 'tty-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  tty: xuartps: Properly guard sysrq specific code
  n_tty: Fix apparent order of echoed output
  serial: 8250_dw: add new ACPI IDs
  serial: 8250_dw: Fix LCR workaround regression
  tty: Fix hang at ldsem_down_read()
2013-12-18 14:34:27 -08:00
Linus Torvalds 1aba038bbb Staging driver fixes for 3.13-rc5
Here are a number of staging, and iio, fixes for 3.13-rc5 that resolve
 some reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlKx3bAACgkQMUfUDdst+yn9HQCcC+rHeV3wybIo9DopYug0NwjK
 mxMAn349hfGJuCsdh8s34UeSbT3BgRqQ
 =cHKK
 -----END PGP SIGNATURE-----

Merge tag 'staging-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
 "Here are a number of staging, and iio, fixes for 3.13-rc5 that resolve
  some reported issues"

* tag 'staging-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc()
  imx-drm: imx-drm-core: make imx_drm_crtc_register() safer
  imx-drm: imx-drm-core: use defined constant for number of CRTCs.
  imx-drm: imx-tve: don't call sleeping functions beneath enable_lock spinlock
  imx-drm: ipu-v3: fix potential CRTC device registration race
  imx-drm: imx-drm-core: fix DRM cleanup paths
  imx-drm: imx-drm-core: fix error cleanup path for imx_drm_add_crtc()
  staging: comedi: drivers: fix return value of comedi_load_firmware()
  staging: comedi: 8255_pci: fix for newer PCI-DIO48H
  iio:adc:ad7887 Fix channel reported endianness from cpu to big endian
  iio:imu:adis16400 fix pressure channel scan type
  staging:iio:mag:hmc5843 fix incorrect endianness of channel as a result of missuse of the IIO_ST macro.
  iio: cm36651: Changed return value of read function
2013-12-18 14:33:57 -08:00
Linus Torvalds 2516b61537 Driver core fix for 3.13-rc5
Here's a single sysfs fix for 3.13-rc5 that resolves a lockdep issue in
 sysfs that has been reported.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlKx3T4ACgkQMUfUDdst+ykALQCfchxid3U9xydNKQMx51PwLiKX
 c08AnA1ZhDtQ6rfUi+49YJxhWLgUyYHD
 =glqF
 -----END PGP SIGNATURE-----

Merge tag 'driver-core-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core fix from Greg KH:
 "Here's a single sysfs fix for 3.13-rc5 that resolves a lockdep issue
  in sysfs that has been reported"

* tag 'driver-core-3.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  sysfs: give different locking key to regular and bin files
2013-12-18 14:33:23 -08:00
Linus Torvalds a81bddde96 Merge branch 'keys-devel' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull crypto key patches from David Howells:
 "There are four items:

   - A patch to fix X.509 certificate gathering.  The problem was that I
     was coming up with a different path for signing_key.x509 in the
     build directory if it didn't exist to if it did exist.  This meant
     that the X.509 cert container object file would be rebuilt on the
     second rebuild in a build directory and the kernel would get
     relinked.

   - Unconditionally remove files generated by SYSTEM_TRUSTED_KEYRING=y
     when doing make mrproper.

   - Actually initialise the persistent-keyring semaphore for
     init_user_ns.  I have no idea why this works at all for users in
     the base user namespace unless it's something to do with systemd
     containerising the system.

   - Documentation for module signing"

* 'keys-devel' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  Add Documentation/module-signing.txt file
  KEYS: fix uninitialized persistent_keyring_register_sem
  KEYS: Remove files generated when SYSTEM_TRUSTED_KEYRING=y
  X.509: Fix certificate gathering
2013-12-18 14:09:08 -08:00
Mugunthan V N a81d8762d7 drivers: net cpsw: Enable In Band mode in cpsw for 10 mbps
This patch adds support for enabling In Band mode in 10 mbps speed.
RGMII supports 1 Gig and 100 mbps mode for Forced mode of operation.
For 10mbps mode it should be configured to in band mode so that link
status, duplexity and speed are determined from the RGMII input data
stream

Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:54:19 -05:00
David S. Miller 405a96d6ea Merge branch 'bond_locking'
Ding Tianhong says:

====================
Jay Vosburgh said that the bond_3ad_adapter_speed_changed and
bond_3ad_adapter_duplex_changed is called with RTNL only, and
the functions will modify the port's information with no further
locking, they will not mutex against bond state machine and
incoming LACPDU which do not hold RTNL, So I add port lock to
protect the port information.

But they are not critical bugs, they exist since day one, and till
now they have never been hit and reported, because change for speed
and duplex is very rare, and will not occur critical problem.

The comments in the function is very old, cleanup the comments together.
====================

Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:34 -05:00
dingtianhong 108db73637 bonding: protect port for bond_3ad_handle_link_change()
The bond_3ad_handle_link_change is called with RTNL only,
and the function will modify the port's information with
no further locking, it will not mutex against bond state
machine and incoming LACPDU which do not hold RTNL, So I
add __get_state_machine_lock to protect the port.

But it is not a critical bug, it exist since day one, and till
now it has never been hit and reported, because changes to
speed is very rare, and will not occur critical problem.

The comments in the function is very old, cleanup it and
add a new pr_debug to debug the port message.

Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:26 -05:00
dingtianhong bca44a7341 bonding: protect port for bond_3ad_adapter_duplex_changed()
Jay Vosburgh said that the bond_3ad_adapter_duplex_changed is
called with RTNL only, and the function will modify the port's
information with no further locking, it will not mutex against
bond state machine and incoming LACPDU which do not hold RTNL,
So I add __get_state_machine_lock to protect the port.

But it is not a critical bug, it exist since day one, and till
now it has never been hit and reported, because changes to
speed is very rare, and will not occur critical problem.

The comments in the function is very old, cleanup it.

Suggested-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:26 -05:00
dingtianhong 71a06c59d1 bonding: protect port for bond_3ad_adapter_speed_changed()
Jay Vosburgh said that the bond_3ad_adapter_speed_changed is
called with RTNL only, and the function will modify the port's
information with no further locking, it will not mutex against
bond state machine and incoming LACPDU which do not hold RTNL,
So I add __get_state_machine_lock to protect the port.

But it is not a critical bug, it exist since day one, and till
now it has never been hit and reported, because changes to
speed is very rare, and will not occur critical problem.

The comment in the function is very old, cleanup it.

Suggested-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:25 -05:00
Dan Williams 7787380336 net_dma: mark broken
net_dma can cause data to be copied to a stale mapping if a
copy-on-write fault occurs during dma.  The application sees missing
data.

The following trace is triggered by modifying the kernel to WARN if it
ever triggers copy-on-write on a page that is undergoing dma:

 WARNING: CPU: 24 PID: 2529 at lib/dma-debug.c:485 debug_dma_assert_idle+0xd2/0x120()
 ioatdma 0000:00:04.0: DMA-API: cpu touching an active dma mapped page [pfn=0x16bcd9]
 Modules linked in: iTCO_wdt iTCO_vendor_support ioatdma lpc_ich pcspkr dca
 CPU: 24 PID: 2529 Comm: linbug Tainted: G        W    3.13.0-rc1+ #353
  00000000000001e5 ffff88016f45f688 ffffffff81751041 ffff88017ab0ef70
  ffff88016f45f6d8 ffff88016f45f6c8 ffffffff8104ed9c ffffffff810f3646
  ffff8801768f4840 0000000000000282 ffff88016f6cca10 00007fa2bb699349
 Call Trace:
  [<ffffffff81751041>] dump_stack+0x46/0x58
  [<ffffffff8104ed9c>] warn_slowpath_common+0x8c/0xc0
  [<ffffffff810f3646>] ? ftrace_pid_func+0x26/0x30
  [<ffffffff8104ee86>] warn_slowpath_fmt+0x46/0x50
  [<ffffffff8139c062>] debug_dma_assert_idle+0xd2/0x120
  [<ffffffff81154a40>] do_wp_page+0xd0/0x790
  [<ffffffff811582ac>] handle_mm_fault+0x51c/0xde0
  [<ffffffff813830b9>] ? copy_user_enhanced_fast_string+0x9/0x20
  [<ffffffff8175fc2c>] __do_page_fault+0x19c/0x530
  [<ffffffff8175c196>] ? _raw_spin_lock_bh+0x16/0x40
  [<ffffffff810f3539>] ? trace_clock_local+0x9/0x10
  [<ffffffff810fa1f4>] ? rb_reserve_next_event+0x64/0x310
  [<ffffffffa0014c00>] ? ioat2_dma_prep_memcpy_lock+0x60/0x130 [ioatdma]
  [<ffffffff8175ffce>] do_page_fault+0xe/0x10
  [<ffffffff8175c862>] page_fault+0x22/0x30
  [<ffffffff81643991>] ? __kfree_skb+0x51/0xd0
  [<ffffffff813830b9>] ? copy_user_enhanced_fast_string+0x9/0x20
  [<ffffffff81388ea2>] ? memcpy_toiovec+0x52/0xa0
  [<ffffffff8164770f>] skb_copy_datagram_iovec+0x5f/0x2a0
  [<ffffffff8169d0f4>] tcp_rcv_established+0x674/0x7f0
  [<ffffffff816a68c5>] tcp_v4_do_rcv+0x2e5/0x4a0
  [..]
 ---[ end trace e30e3b01191b7617 ]---
 Mapped at:
  [<ffffffff8139c169>] debug_dma_map_page+0xb9/0x160
  [<ffffffff8142bf47>] dma_async_memcpy_pg_to_pg+0x127/0x210
  [<ffffffff8142cce9>] dma_memcpy_pg_to_iovec+0x119/0x1f0
  [<ffffffff81669d3c>] dma_skb_copy_datagram_iovec+0x11c/0x2b0
  [<ffffffff8169d1ca>] tcp_rcv_established+0x74a/0x7f0:

...the problem is that the receive path falls back to cpu-copy in
several locations and this trace is just one of the areas.  A few
options were considered to fix this:

1/ sync all dma whenever a cpu copy branch is taken

2/ modify the page fault handler to hold off while dma is in-flight

Option 1 adds yet more cpu overhead to an "offload" that struggles to compete
with cpu-copy.  Option 2 adds checks for behavior that is already documented as
broken when using get_user_pages().  At a minimum a debug mode is warranted to
catch and flag these violations of the dma-api vs get_user_pages().

Thanks to David for his reproducer.

Cc: <stable@vger.kernel.org>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Reported-by: David Whipple <whipple@securedatainnovations.ch>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2013-12-18 12:53:43 -08:00
Gerhard Sittig bbca4d3917 powerpc/512x: dts: remove misplaced IRQ spec from 'soc' node (5125)
the 'soc' node in the MPC5125 "tower" board .dts has an '#interrupt-cells'
property although this node is not an interrupt controller

remove this erroneously placed property because starting with v3.13-rc1
lookup and resolution of 'interrupts' specs for peripherals gets misled
(tries to use the 'soc' as the interrupt parent which fails), emits
'no irq domain found' WARN() messages and breaks the boot process

[ best viewed with 'git diff -U5' to have DT node names in the context ]

Cc: Anatolij Gustschin <agust@denx.de>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: devicetree@vger.kernel.org
Signed-off-by: Gerhard Sittig <gsi@denx.de>
Signed-off-by: Anatolij Gustschin <agust@denx.de>
2013-12-18 20:50:16 +01:00
John W. Linville b7e0473584 Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 2013-12-18 13:46:08 -05:00
Will Deacon 0baf8f6a2a dma: pl330: ensure DMA descriptors are zero-initialised
I see the following splat with 3.13-rc1 when attempting to perform DMA:

[  253.004516] Alignment trap: not handling instruction e1902f9f at [<c0204b40>]
[  253.004583] Unhandled fault: alignment exception (0x221) at 0xdfdfdfd7
[  253.004646] Internal error: : 221 [#1] PREEMPT SMP ARM
[  253.004691] Modules linked in: dmatest(+) [last unloaded: dmatest]
[  253.004798] CPU: 0 PID: 671 Comm: kthreadd Not tainted 3.13.0-rc1+ #2
[  253.004864] task: df9b0900 ti: df03e000 task.ti: df03e000
[  253.004937] PC is at dmaengine_unmap_put+0x14/0x34
[  253.005010] LR is at pl330_tasklet+0x3c8/0x550
[  253.005087] pc : [<c0204b44>]    lr : [<c0207478>]    psr: a00e0193
[  253.005087] sp : df03fe48  ip : 00000000  fp : df03bf18
[  253.005178] r10: bf00e108  r9 : 00000001  r8 : 00000000
[  253.005245] r7 : df837040  r6 : dfb41800  r5 : df837048  r4 : df837000
[  253.005316] r3 : dfdfdfcf  r2 : dfb41f80  r1 : df837048  r0 : dfdfdfd7
[  253.005384] Flags: NzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[  253.005459] Control: 30c5387d  Table: 9fb9ba80  DAC: fffffffd
[  253.005520] Process kthreadd (pid: 671, stack limit = 0xdf03e248)

This is due to desc->txd.unmap containing garbage (uninitialised memory).

Rather than add another dummy initialisation to _init_desc, instead
ensure that the descriptors are zero-initialised during allocation and
remove the dummy, per-field initialisation.

Cc: Andriy Shevchenko <andriy.shevchenko@intel.com>
Acked-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2013-12-18 10:08:56 -08:00
Hui Wang 3a6c5d8ad0 ALSA: hda - Add Dell headset detection quirk for one more laptop model
On the Dell machines with codec whose Subsystem Id is 0x10280640,
no external microphone can be detected when plugging a 3-ring headset.
Using ALC255_FIXUP_DELL1_MIC_NO_PRESENCE can fix this problem.

The codec (Vendor ID: 0x10ec0255) on the machine belongs to alc_269
family.

BugLink: https://bugs.launchpad.net/bugs/1260303
Cc: David Henningsson <david.henningsson@canonical.com>
Cc: stable@vger.kernel.org
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-12-18 12:40:29 +01:00
Bo Shen f0199bc5e3 ASoC: wm8904: fix DSP mode B configuration
When wm8904 work in DSP mode B, we still need to configure it to
work in DSP mode. Or else, it will work in Right Justified mode.

Signed-off-by: Bo Shen <voice.shen@atmel.com>
Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@vger.kernel.org
2013-12-18 11:30:50 +00:00
Charles Keepax 939fd1e8d9 ASoC: wm_adsp: Add small delay while polling DSP RAM start
Some devices are getting very close to the limit whilst polling the RAM
start, this patch adds a small delay to this loop to give a longer
startup timeout.

Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@vger.kernel.org
2013-12-18 11:22:25 +00:00
Paul Mackerras df9059bb64 KVM: PPC: Book3S HV: Don't drop low-order page address bits
Commit caaa4c804f ("KVM: PPC: Book3S HV: Fix physical address
calculations") unfortunately resulted in some low-order address bits
getting dropped in the case where the guest is creating a 4k HPTE
and the host page size is 64k.  By getting the low-order bits from
hva rather than gpa we miss out on bits 12 - 15 in this case, since
hva is at page granularity.  This puts the missing bits back in.

Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
2013-12-18 11:30:35 +01:00
Aneesh Kumar K.V 36e7bb3802 powerpc: book3s: kvm: Don't abuse host r2 in exit path
We don't use PACATOC for PR. Avoid updating HOST_R2 with PR
KVM mode when both HV and PR are enabled in the kernel. Without this we
get the below crash

(qemu)
Unable to handle kernel paging request for data at address 0xffffffffffff8310
Faulting instruction address: 0xc00000000001d5a4
cpu 0x2: Vector: 300 (Data Access) at [c0000001dc53aef0]
    pc: c00000000001d5a4: .vtime_delta.isra.1+0x34/0x1d0
    lr: c00000000001d760: .vtime_account_system+0x20/0x60
    sp: c0000001dc53b170
   msr: 8000000000009032
   dar: ffffffffffff8310
 dsisr: 40000000
  current = 0xc0000001d76c62d0
  paca    = 0xc00000000fef1100   softe: 0        irq_happened: 0x01
    pid   = 4472, comm = qemu-system-ppc
enter ? for help
[c0000001dc53b200] c00000000001d760 .vtime_account_system+0x20/0x60
[c0000001dc53b290] c00000000008d050 .kvmppc_handle_exit_pr+0x60/0xa50
[c0000001dc53b340] c00000000008f51c kvm_start_lightweight+0xb4/0xc4
[c0000001dc53b510] c00000000008cdf0 .kvmppc_vcpu_run_pr+0x150/0x2e0
[c0000001dc53b9e0] c00000000008341c .kvmppc_vcpu_run+0x2c/0x40
[c0000001dc53ba50] c000000000080af4 .kvm_arch_vcpu_ioctl_run+0x54/0x1b0
[c0000001dc53bae0] c00000000007b4c8 .kvm_vcpu_ioctl+0x478/0x730
[c0000001dc53bca0] c0000000002140cc .do_vfs_ioctl+0x4ac/0x770
[c0000001dc53bd80] c0000000002143e8 .SyS_ioctl+0x58/0xb0
[c0000001dc53be30] c000000000009e58 syscall_exit+0x0/0x98

Signed-off-by: Alexander Graf <agraf@suse.de>
2013-12-18 11:29:31 +01:00
Don Skidmore 8f48f5bc75 ixgbe: fix for unused variable warning with certain config
If CONFIG_PCI_IOV isn't defined we get an "unused variable" warining so
now wrap the variable declaration like it's usage already was.

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 22:52:40 -08:00
David Ertman 7509963c70 e1000e: Fix a compile flag mis-match for suspend/resume
This patch addresses a mis-match between the declaration and usage of
the e1000_suspend and e1000_resume functions.  Previously, these
functions were declared in a CONFIG_PM_SLEEP wrapper, and then utilized
within a CONFIG_PM wrapper.  Both the declaration and usage will now be
contained within CONFIG_PM wrappers.

Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 22:45:03 -08:00
David Ertman 918a4308ba e1000e: fix compiler warning (maybe-unitialized variable)
This patch is to fix a compiler warning of maybe-uininitialized-variable
that is generated from gcc when the -O3 flag is used.  In the function
e1000_reset_hw_80003es2lan(), the variable krmn_reg_data is first given
a value by being passed to a register read function as a
pass-by-reference parameter.  But, the return value of that read
function was never checked to see if the read failed and the variable
not given an initial value.  The compiler was smart enough to spot
this.  This patch is to check the return value for that read function
and return it, if an error occurs, without trying to utilize the value
in kmrn_reg_data.

Signed-off-by: David Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 22:20:49 -08:00
David Ertman 9e6c3b6339 e1000e: fix compiler warnings
This patch is to fix a compiler warning of __bad_udelay due to a value
of >999 being passed as a parameter to udelay() in the function
e1000e_phy_has_link_generic().  This affects the gcc compiler when
it is given a flag of -O3 and the icc compiler.

This patch is also making the change from mdelay() to msleep() in the
same function, since it was determined though code inspection that this
function is never called in atomic context.

Signed-off-by: David Ertman <davidx.m.ertman@intel.com>
Acked-by: Bruce Allan <bruce.w.allan@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 21:52:39 -08:00
Jan Kara 34cf865d54 ext4: fix deadlock when writing in ENOSPC conditions
Akira-san has been reporting rare deadlocks of his machine when running
xfstests test 269 on ext4 filesystem. The problem turned out to be in
ext4_da_reserve_metadata() and ext4_da_reserve_space() which called
ext4_should_retry_alloc() while holding i_data_sem. Since
ext4_should_retry_alloc() can force a transaction commit, this is a
lock ordering violation and leads to deadlocks.

Fix the problem by just removing the retry loops. These functions should
just report ENOSPC to the caller (e.g. ext4_da_write_begin()) and that
function must take care of retrying after dropping all necessary locks.

Reported-and-tested-by: Akira Fujita <a-fujita@rs.jp.nec.com>
Reviewed-by: Zheng Liu <wenqing.lz@taobao.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
2013-12-18 00:44:44 -05:00
John Fastabend 85328240c6 net: allow netdev_all_upper_get_next_dev_rcu with rtnl lock held
It is useful to be able to walk all upper devices when bringing
a device online where the RTNL lock is held. In this case it
is safe to walk the all_adj_list because the RTNL lock is used
to protect the write side as well.

This patch adds a check to see if the rtnl lock is held before
throwing a warning in netdev_all_upper_get_next_dev_rcu().

Also because we now have a call site for lockdep_rtnl_is_held()
outside COFIG_LOCK_PROVING an inline definition returning 1 is
needed. Similar to the rcu_read_lock_is_held().

Fixes: 2a47fa45d4 ("ixgbe: enable l2 forwarding acceleration for macvlans")
CC: Veaceslav Falico <vfalico@redhat.com>
Reported-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 21:19:08 -08:00
Russell King fd6040ed57 imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc()
We must not add more CRTCs than we have declared to the vblank
helpers, otherwise we overflow their arrays.  Force failure if we
exceed the number of CRTCs.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 17:12:55 -08:00
Russell King 9fe73d46ed imx-drm: imx-drm-core: make imx_drm_crtc_register() safer
imx_drm_crtc_register() doesn't clean up the CRTC upon failure, which
leaves the CRTC attached to the DRM device.  Also, it does setup after
attaching the CRTC to the DRM device.

Fix this by reordering the function such that we do the setup before
drm_crtc_init(): this fixes both issues.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 17:12:55 -08:00
Russell King 942325c8b2 imx-drm: imx-drm-core: use defined constant for number of CRTCs.
We have this definition, there's no reason not to use it.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 17:12:55 -08:00
Russell King bd5121bbb6 imx-drm: imx-tve: don't call sleeping functions beneath enable_lock spinlock
Enable lock claims that it is serializing tve_enable/disable calls.
However, DRM already serialises mode sets with a mutex, which prevents
encoder/connector functions being called concurrently.  Secondly,
holding a spinlock while calling clk_prepare_enable() is wrong; it
will cause a might_sleep() warning should that debugging be enabled.
So, let's just get rid of the enable_lock.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 17:12:55 -08:00
Russell King 4ae078d58a imx-drm: ipu-v3: fix potential CRTC device registration race
Clean up the IPUv3 CRTC device registration; we don't need a separate
function just to call platform_device_register_data(), and we don't
need the return value converted at all.

Update the IPU client id under a mutex, so that parallel probing
doesn't race.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 17:11:39 -08:00
Russell King 8007875f06 imx-drm: imx-drm-core: fix DRM cleanup paths
We must call drm_vblank_cleanup() on the error cleanup and unload paths
after we've had a successful call to drm_vblank_init().  Ensure that
the calls are in the reverse order to the initialisation order.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 17:09:52 -08:00
Russell King 82832046e2 imx-drm: imx-drm-core: fix error cleanup path for imx_drm_add_crtc()
imx_drm_add_crtc() was kfree'ing the imx_drm_crtc structure while
leaving it on the list of CRTCs.  Delete it from the list first.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 17:09:51 -08:00
Linus Torvalds 35eecf0522 Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
 "Definitely seems quieter this week,

  Radeon, intel, intel broadwell, vmwgfx, ttm, armada, and a couple of
  core fixes, one revert in radeon

  Most of these are either going to stable or fixes for things
  introduced in the merge window"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (30 commits)
  drm/edid: add quirk for BPC in Samsung NP700G7A-S01PL notebook
  drm/ttm: Fix accesses through vmas with only partial coverage
  drm/nouveau: only runtime suspend by default in optimus configuration
  drm: don't double-free on driver load error
  Revert "drm/radeon: Implement radeon_pci_shutdown"
  drm/radeon: add missing display tiling setup for oland
  drm/radeon: fix typo in cik_copy_dma
  drm/radeon/cik: plug in missing blit callback
  drm/radeon/dpm: Fix hwmon crash
  drm/radeon: Fix sideport problems on certain RS690 boards
  drm/i915: don't update the dri1 breadcrumb with modesetting
  DRM: Armada: prime refcounting bug fix
  DRM: Armada: fix printing of phys_addr_t/dma_addr_t
  DRM: Armada: destroy framebuffer after helper
  DRM: Armada: implement lastclose() for fbhelper
  drm/i915: Repeat eviction search after idling the GPU
  drm/vmwgfx: Add max surface memory param
  drm/i915: Fix use-after-free in do_switch
  drm/i915: fix pm init ordering
  drm/i915: Hold mutex across i915_gem_release
  ...
2013-12-17 16:59:59 -08:00
Tomi Valkeinen 130f769e81 Revert "ARM: OMAP2+: Remove legacy mux code for display.c"
Commit e30b06f4d5 (ARM: OMAP2+: Remove
legacy mux code for display.c) removed non-DT DSI and HDMI pinmuxing.
However, DSI pinmuxing is still needed, and removing that caused DSI
displays not to work.

This reverts the DSI parts of the commit.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
2013-12-17 16:28:34 -08:00
Soren Brinkmann c2db11eca0 tty: xuartps: Properly guard sysrq specific code
Commit 'tty: xuartps: Implement BREAK detection, add SYSRQ support'
(0c0c47bc40) introduced sysrq support
without properly guarding sysrq specific code which results in build
errors when sysrq is disabled:
	DNAME=KBUILD_STR(xilinx_uartps)" -c -o
	drivers/tty/serial/.tmp_xilinx_uartps.o
	drivers/tty/serial/xilinx_uartps.c
	drivers/tty/serial/xilinx_uartps.c: In function 'xuartps_isr':
	drivers/tty/serial/xilinx_uartps.c:247:5: error: 'struct uart_port'
	has no member named 'sysrq'
	drivers/tty/serial/xilinx_uartps.c:247:5: error: 'struct uart_port'
	has no member named 'sysrq'
	drivers/tty/serial/xilinx_uartps.c:247:5: error: 'struct uart_port'
	has no member named 'sysrq'
	make[3]: *** [drivers/tty/serial/xilinx_uartps.o] Error 1

Reported-by: Masanari Iida <standby24x7@gmail.com>
Cc: Vlad Lungu <vlad.lungu@windriver.com>
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-17 16:02:25 -08:00
Linus Torvalds 8b80384169 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
 "A quick batch of fixes, including the annoying bad lock stack problem
  introduced by udp_sk_rx_dst_set() locking change:

   1) Use xchg() instead of sk_dst_lock() in udp_sk_rx_dst_set(), from
      Eric Dumazet.

   2) qlcnic bug fixes from Himanshu Madhani and Manish Chopra.

   3) Update IPSEC MAINTAINERS entry, from Steffen Klassert.

   4) Administrative neigh entry changes should generate netlink
      notifications the same as event generated ones.  From Bob
      Gilligan.

   5) Netfilter SYNPROXY fixes from Patrick McHardy.

   6) Netfilter nft_reject endianness fixes from Eric Leblond"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  qlcnic: Dump mailbox registers when mailbox command times out.
  qlcnic: Fix mailbox processing during diagnostic test
  qlcnic: Allow firmware dump collection when auto firmware recovery is disabled
  qlcnic: Fix memory allocation
  qlcnic: Fix TSS/RSS validation for 83xx/84xx series adapter.
  qlcnic: Fix TSS/RSS ring validation logic.
  qlcnic: Fix diagnostic test for all adapters.
  qlcnic: Fix usage of netif_tx_{wake, stop} api during link change.
  xen-netback: fix fragments error handling in checksum_setup_ip()
  neigh: Netlink notification for administrative NUD state change
  ipv4: improve documentation of ip_no_pmtu_disc
  net: unix: allow bind to fail on mutex lock
  MAINTAINERS: Update the IPsec maintainer entry
  udp: ipv4: do not use sk_dst_lock from softirq context
  netvsc: don't flush peers notifying work during setting mtu
  can: peak_usb: fix mem leak in pcan_usb_pro_init()
  can: ems_usb: fix urb leaks on failure paths
  sctp: loading sctp when load sctp_probe
  netfilter: nft_reject: fix endianness in dump function
  netfilter: SYNPROXY target: restrict to INPUT/FORWARD
2013-12-17 15:53:24 -08:00
David S. Miller 781069279f Merge branch 'fixes-for-3.13' of git://gitorious.org/linux-can/linux-can
Marc Kleine-Budde says:

====================
this is a pull request with two fixes for net/master, the current release
cycle.

It consists of a patch by Alexey Khoroshilov from the Linux Driver Verification
project, which fixes a memory leak in ems_usb's failure patch. And a patch by
me which fixes a memory leak in the peak usb driver.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-17 17:21:30 -05:00
Gao feng 45c2aff645 netfilter: nfnetlink_log: unset nf_loggers for netns when unloading module
Steven Rostedt and Arnaldo Carvalho de Melo reported a panic
when access the files /proc/sys/net/netfilter/nf_log/*.

This problem will occur when we do:

 echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/any_file
 rmmod nfnetlink_log

and then access the files.

Since the nf_loggers of netns hasn't been unset, it will point
to the memory that has been freed.

This bug is introduced by commit 9368a53c ("netfilter: nfnetlink_log:
add net namespace support for nfnetlink_log").

[17261.822047] BUG: unable to handle kernel paging request at ffffffffa0d49090
[17261.822056] IP: [<ffffffff8157aba0>] nf_log_proc_dostring+0xf0/0x1d0
[...]
[17261.822226] Call Trace:
[17261.822235]  [<ffffffff81297b98>] ? security_capable+0x18/0x20
[17261.822240]  [<ffffffff8106fa09>] ? ns_capable+0x29/0x50
[17261.822247]  [<ffffffff8163d25f>] ? net_ctl_permissions+0x1f/0x90
[17261.822254]  [<ffffffff81216613>] proc_sys_call_handler+0xb3/0xc0
[17261.822258]  [<ffffffff81216651>] proc_sys_read+0x11/0x20
[17261.822265]  [<ffffffff811a80de>] vfs_read+0x9e/0x170
[17261.822270]  [<ffffffff811a8c09>] SyS_read+0x49/0xa0
[17261.822276]  [<ffffffff810e6496>] ? __audit_syscall_exit+0x1f6/0x2a0
[17261.822283]  [<ffffffff81656e99>] system_call_fastpath+0x16/0x1b
[17261.822285] Code: cc 81 4d 63 e4 4c 89 45 88 48 89 4d 90 e8 19 03 0d 00 4b 8b 84 e5 28 08 00 00 48 8b 4d 90 4c 8b 45 88 48 85 c0 0f 84 a8 00 00 00 <48> 8b 40 10 48 89 43 08 48 89 df 4c 89 f2 31 f6 e8 4b 35 af ff
[17261.822329] RIP  [<ffffffff8157aba0>] nf_log_proc_dostring+0xf0/0x1d0
[17261.822334]  RSP <ffff880274d3fe28>
[17261.822336] CR2: ffffffffa0d49090
[17261.822340] ---[ end trace a14ce54c0897a90d ]---

Reported-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-12-17 23:19:03 +01:00